| blob | b4e811bb45070d6212843c12cb6c5def12113c2e |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Author:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 *
9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2,
15 * as published by the Free Software Foundation.
16 */
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/ext2_fs.h>
23 #include <linux/kd.h>
24 #include <asm/ioctls.h>
25 #include <linux/ip.h>
26 #include <linux/tcp.h>
27 #include <linux/udp.h>
28 #include <linux/mutex.h>
29 #include <linux/pipe_fs_i.h>
30 #include <net/netlabel.h>
31 #include <net/cipso_ipv4.h>
32 #include <linux/audit.h>
36 #define task_security(task) (task_cred_xxx((task), security))
38 /*
39 * I hope these are the hokeyist lines of code in the module. Casey.
40 */
41 #define DEVPTS_SUPER_MAGIC 0x1cd1
42 #define SOCKFS_MAGIC 0x534F434B
43 #define TMPFS_MAGIC 0x01021994
45 /**
46 * smk_fetch - Fetch the smack label from a file.
47 * @ip: a pointer to the inode
48 * @dp: a pointer to the dentry
49 *
50 * Returns a pointer to the master list entry for the Smack label
51 * or NULL if there was no label to fetch.
52 */
54 {
66 }
68 /**
69 * new_inode_smack - allocate an inode security blob
70 * @smack: a pointer to the Smack label to use in the blob
71 *
72 * Returns the new blob or NULL if there's no memory available
73 */
75 {
87 }
89 /*
90 * LSM hooks.
91 * We he, that is fun!
92 */
94 /**
95 * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH
96 * @ctp: child task pointer
97 *
98 * Returns 0 if access is OK, an error code otherwise
99 *
100 * Do the capability checks, and require read and write.
101 */
103 {
114 }
116 /**
117 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
118 * @ptp: parent task pointer
119 *
120 * Returns 0 if access is OK, an error code otherwise
121 *
122 * Do the capability checks, and require read and write.
123 */
125 {
136 }
138 /**
139 * smack_syslog - Smack approval on syslog
140 * @type: message type
141 *
142 * Require that the task has the floor label
143 *
144 * Returns 0 on success, error code otherwise.
145 */
147 {
162 }
165 /*
166 * Superblock Hooks.
167 */
169 /**
170 * smack_sb_alloc_security - allocate a superblock blob
171 * @sb: the superblock getting the blob
172 *
173 * Returns 0 on success or -ENOMEM on error.
174 */
176 {
194 }
196 /**
197 * smack_sb_free_security - free a superblock blob
198 * @sb: the superblock getting the blob
199 *
200 */
202 {
205 }
207 /**
208 * smack_sb_copy_data - copy mount options data for processing
209 * @type: file system type
210 * @orig: where to start
211 * @smackopts
212 *
213 * Returns 0 on success or -ENOMEM on error.
214 *
215 * Copy the Smack specific mount options out of the mount
216 * options list.
217 */
219 {
235 else
245 }
251 }
253 /**
254 * smack_sb_kern_mount - Smack specific mount processing
255 * @sb: the file system superblock
256 * @flags: the mount flags
257 * @data: the smack mount options
258 *
259 * Returns 0 on success, an error code on failure
260 */
262 {
275 }
305 }
306 }
308 /*
309 * Initialize the root inode.
310 */
314 else
318 }
320 /**
321 * smack_sb_statfs - Smack check on statfs
322 * @dentry: identifies the file system in question
323 *
324 * Returns 0 if current can read the floor of the filesystem,
325 * and error code otherwise
326 */
328 {
332 }
334 /**
335 * smack_sb_mount - Smack check for mounting
336 * @dev_name: unused
337 * @nd: mount point
338 * @type: unused
339 * @flags: unused
340 * @data: unused
341 *
342 * Returns 0 if current can write the floor of the filesystem
343 * being mounted on, an error code otherwise.
344 */
347 {
351 }
353 /**
354 * smack_sb_umount - Smack check for unmounting
355 * @mnt: file system to unmount
356 * @flags: unused
357 *
358 * Returns 0 if current can write the floor of the filesystem
359 * being unmounted, an error code otherwise.
360 */
362 {
368 }
370 /*
371 * Inode hooks
372 */
374 /**
375 * smack_inode_alloc_security - allocate an inode blob
376 * @inode - the inode in need of a blob
377 *
378 * Returns 0 if it gets a blob, -ENOMEM otherwise
379 */
381 {
386 }
388 /**
389 * smack_inode_free_security - free an inode blob
390 * @inode - the inode with a blob
391 *
392 * Clears the blob pointer in inode
393 */
395 {
398 }
400 /**
401 * smack_inode_init_security - copy out the smack from an inode
402 * @inode: the inode
403 * @dir: unused
404 * @name: where to put the attribute name
405 * @value: where to put the attribute value
406 * @len: where to put the length of the attribute
407 *
408 * Returns 0 if it all works out, -ENOMEM if there's no memory
409 */
412 {
419 }
425 }
431 }
433 /**
434 * smack_inode_link - Smack check on link
435 * @old_dentry: the existing object
436 * @dir: unused
437 * @new_dentry: the new object
438 *
439 * Returns 0 if access is permitted, an error code otherwise
440 */
443 {
453 }
456 }
458 /**
459 * smack_inode_unlink - Smack check on inode deletion
460 * @dir: containing directory object
461 * @dentry: file to unlink
462 *
463 * Returns 0 if current can write the containing directory
464 * and the object, error code otherwise
465 */
467 {
471 /*
472 * You need write access to the thing you're unlinking
473 */
476 /*
477 * You also need write access to the containing directory
478 */
482 }
484 /**
485 * smack_inode_rmdir - Smack check on directory deletion
486 * @dir: containing directory object
487 * @dentry: directory to unlink
488 *
489 * Returns 0 if current can write the containing directory
490 * and the directory, error code otherwise
491 */
493 {
496 /*
497 * You need write access to the thing you're removing
498 */
501 /*
502 * You also need write access to the containing directory
503 */
507 }
509 /**
510 * smack_inode_rename - Smack check on rename
511 * @old_inode: the old directory
512 * @old_dentry: unused
513 * @new_inode: the new directory
514 * @new_dentry: unused
515 *
516 * Read and write access is required on both the old and
517 * new directories.
518 *
519 * Returns 0 if access is permitted, an error code otherwise
520 */
525 {
535 }
538 }
540 /**
541 * smack_inode_permission - Smack version of permission()
542 * @inode: the inode in question
543 * @mask: the access requested
544 * @nd: unused
545 *
546 * This is the important Smack hook.
547 *
548 * Returns 0 if access is permitted, -EACCES otherwise
549 */
551 {
552 /*
553 * No permission to check. Existence test. Yup, it's there.
554 */
559 }
561 /**
562 * smack_inode_setattr - Smack check for setting attributes
563 * @dentry: the object
564 * @iattr: for the force flag
565 *
566 * Returns 0 if access is permitted, an error code otherwise
567 */
569 {
570 /*
571 * Need to allow for clearing the setuid bit.
572 */
577 }
579 /**
580 * smack_inode_getattr - Smack check for getting attributes
581 * @mnt: unused
582 * @dentry: the object
583 *
584 * Returns 0 if access is permitted, an error code otherwise
585 */
587 {
589 }
591 /**
592 * smack_inode_setxattr - Smack check for setting xattrs
593 * @dentry: the object
594 * @name: name of the attribute
595 * @value: unused
596 * @size: unused
597 * @flags: unused
598 *
599 * This protects the Smack attribute explicitly.
600 *
601 * Returns 0 if access is permitted, an error code otherwise
602 */
605 {
622 }
624 /**
625 * smack_inode_post_setxattr - Apply the Smack update approved above
626 * @dentry: object
627 * @name: attribute name
628 * @value: attribute value
629 * @size: attribute size
630 * @flags: unused
631 *
632 * Set the pointer in the inode blob to the entry found
633 * in the master label list.
634 */
637 {
641 /*
642 * Not SMACK
643 */
652 /*
653 * No locking is done here. This is a pointer
654 * assignment.
655 */
659 else
663 }
665 /*
666 * smack_inode_getxattr - Smack check on getxattr
667 * @dentry: the object
668 * @name: unused
669 *
670 * Returns 0 if access is permitted, an error code otherwise
671 */
673 {
675 }
677 /*
678 * smack_inode_removexattr - Smack check on removexattr
679 * @dentry: the object
680 * @name: name of the attribute
681 *
682 * Removing the Smack attribute requires CAP_MAC_ADMIN
683 *
684 * Returns 0 if access is permitted, an error code otherwise
685 */
687 {
702 }
704 /**
705 * smack_inode_getsecurity - get smack xattrs
706 * @inode: the object
707 * @name: attribute name
708 * @buffer: where to put the result
709 * @size: size of the buffer
710 * @err: unused
711 *
712 * Returns the size of the attribute or an error code
713 */
717 {
731 }
733 /*
734 * The rest of the Smack xattrs are only on sockets.
735 */
750 else
757 }
760 }
763 /**
764 * smack_inode_listsecurity - list the Smack attributes
765 * @inode: the object
766 * @buffer: where they go
767 * @buffer_size: size of buffer
768 *
769 * Returns 0 on success, -EINVAL otherwise
770 */
773 {
779 }
781 }
783 /**
784 * smack_inode_getsecid - Extract inode's security id
785 * @inode: inode to extract the info from
786 * @secid: where result will be saved
787 */
789 {
793 }
795 /*
796 * File Hooks
797 */
799 /**
800 * smack_file_permission - Smack check on file operations
801 * @file: unused
802 * @mask: unused
803 *
804 * Returns 0
805 *
806 * Should access checks be done on each read or write?
807 * UNICOS and SELinux say yes.
808 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
809 *
810 * I'll say no for now. Smack does not do the frequent
811 * label changing that SELinux does.
812 */
814 {
816 }
818 /**
819 * smack_file_alloc_security - assign a file security blob
820 * @file: the object
821 *
822 * The security blob for a file is a pointer to the master
823 * label list, so no allocation is done.
824 *
825 * Returns 0
826 */
828 {
831 }
833 /**
834 * smack_file_free_security - clear a file security blob
835 * @file: the object
836 *
837 * The security blob for a file is a pointer to the master
838 * label list, so no memory is freed.
839 */
841 {
843 }
845 /**
846 * smack_file_ioctl - Smack check on ioctls
847 * @file: the object
848 * @cmd: what to do
849 * @arg: unused
850 *
851 * Relies heavily on the correct use of the ioctl command conventions.
852 *
853 * Returns 0 if allowed, error code otherwise
854 */
857 {
867 }
869 /**
870 * smack_file_lock - Smack check on file locking
871 * @file: the object
872 * @cmd unused
873 *
874 * Returns 0 if current has write access, error code otherwise
875 */
877 {
879 }
881 /**
882 * smack_file_fcntl - Smack check on fcntl
883 * @file: the object
884 * @cmd: what action to check
885 * @arg: unused
886 *
887 * Returns 0 if current has access, error code otherwise
888 */
891 {
913 }
916 }
918 /**
919 * smack_file_set_fowner - set the file security blob value
920 * @file: object in question
921 *
922 * Returns 0
923 * Further research may be required on this one.
924 */
926 {
929 }
931 /**
932 * smack_file_send_sigiotask - Smack on sigio
933 * @tsk: The target task
934 * @fown: the object the signal come from
935 * @signum: unused
936 *
937 * Allow a privileged task to get signals even if it shouldn't
938 *
939 * Returns 0 if a subject with the object's smack could
940 * write to the task, an error code otherwise.
941 */
944 {
948 /*
949 * struct fown_struct is never outside the context of a struct file
950 */
956 }
958 /**
959 * smack_file_receive - Smack file receive check
960 * @file: the object
961 *
962 * Returns 0 if current has access, error code otherwise
963 */
965 {
968 /*
969 * This code relies on bitmasks.
970 */
977 }
979 /*
980 * Task hooks
981 */
983 /**
984 * smack_cred_free - "free" task-level security credentials
985 * @cred: the credentials in question
986 *
987 * Smack isn't using copies of blobs. Everyone
988 * points to an immutable list. The blobs never go away.
989 * There is no leak here.
990 */
992 {
994 }
996 /**
997 * smack_cred_prepare - prepare new set of credentials for modification
998 * @new: the new credentials
999 * @old: the original credentials
1000 * @gfp: the atomicity of any memory allocations
1001 *
1002 * Prepare a new set of credentials for modification.
1003 */
1005 gfp_t gfp)
1006 {
1009 }
1011 /*
1012 * commit new credentials
1013 * @new: the new credentials
1014 * @old: the original credentials
1015 */
1017 {
1018 }
1020 /**
1021 * smack_kernel_act_as - Set the subjective context in a set of credentials
1022 * @new points to the set of credentials to be modified.
1023 * @secid specifies the security ID to be set
1024 *
1025 * Set the security data for a kernel service.
1026 */
1028 {
1036 }
1038 /**
1039 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1040 * @new points to the set of credentials to be modified
1041 * @inode points to the inode to use as a reference
1042 *
1043 * Set the file creation context in a set of credentials to the same
1044 * as the objective context of the specified inode
1045 */
1048 {
1053 }
1055 /**
1056 * smack_task_setpgid - Smack check on setting pgid
1057 * @p: the task object
1058 * @pgid: unused
1059 *
1060 * Return 0 if write access is permitted
1061 */
1063 {
1065 }
1067 /**
1068 * smack_task_getpgid - Smack access check for getpgid
1069 * @p: the object task
1070 *
1071 * Returns 0 if current can read the object task, error code otherwise
1072 */
1074 {
1076 }
1078 /**
1079 * smack_task_getsid - Smack access check for getsid
1080 * @p: the object task
1081 *
1082 * Returns 0 if current can read the object task, error code otherwise
1083 */
1085 {
1087 }
1089 /**
1090 * smack_task_getsecid - get the secid of the task
1091 * @p: the object task
1092 * @secid: where to put the result
1093 *
1094 * Sets the secid to contain a u32 version of the smack label.
1095 */
1097 {
1099 }
1101 /**
1102 * smack_task_setnice - Smack check on setting nice
1103 * @p: the task object
1104 * @nice: unused
1105 *
1106 * Return 0 if write access is permitted
1107 */
1109 {
1116 }
1118 /**
1119 * smack_task_setioprio - Smack check on setting ioprio
1120 * @p: the task object
1121 * @ioprio: unused
1122 *
1123 * Return 0 if write access is permitted
1124 */
1126 {
1133 }
1135 /**
1136 * smack_task_getioprio - Smack check on reading ioprio
1137 * @p: the task object
1138 *
1139 * Return 0 if read access is permitted
1140 */
1142 {
1144 }
1146 /**
1147 * smack_task_setscheduler - Smack check on setting scheduler
1148 * @p: the task object
1149 * @policy: unused
1150 * @lp: unused
1151 *
1152 * Return 0 if read access is permitted
1153 */
1156 {
1163 }
1165 /**
1166 * smack_task_getscheduler - Smack check on reading scheduler
1167 * @p: the task object
1168 *
1169 * Return 0 if read access is permitted
1170 */
1172 {
1174 }
1176 /**
1177 * smack_task_movememory - Smack check on moving memory
1178 * @p: the task object
1179 *
1180 * Return 0 if write access is permitted
1181 */
1183 {
1185 }
1187 /**
1188 * smack_task_kill - Smack check on signal delivery
1189 * @p: the task object
1190 * @info: unused
1191 * @sig: unused
1192 * @secid: identifies the smack to use in lieu of current's
1193 *
1194 * Return 0 if write access is permitted
1195 *
1196 * The secid behavior is an artifact of an SELinux hack
1197 * in the USB code. Someday it may go away.
1198 */
1201 {
1202 /*
1203 * Sending a signal requires that the sender
1204 * can write the receiver.
1205 */
1208 /*
1209 * If the secid isn't 0 we're dealing with some USB IO
1210 * specific behavior. This is not clean. For one thing
1211 * we can't take privilege into account.
1212 */
1214 }
1216 /**
1217 * smack_task_wait - Smack access check for waiting
1218 * @p: task to wait for
1219 *
1220 * Returns 0 if current can wait for p, error code otherwise
1221 */
1223 {
1230 /*
1231 * Allow the operation to succeed if either task
1232 * has privilege to perform operations that might
1233 * account for the smack labels having gotten to
1234 * be different in the first place.
1235 *
1236 * This breaks the strict subject/object access
1237 * control ideal, taking the object's privilege
1238 * state into account in the decision as well as
1239 * the smack value.
1240 */
1245 }
1247 /**
1248 * smack_task_to_inode - copy task smack into the inode blob
1249 * @p: task to copy from
1250 * inode: inode to copy to
1251 *
1252 * Sets the smack pointer in the inode security blob
1253 */
1255 {
1258 }
1260 /*
1261 * Socket hooks.
1262 */
1264 /**
1265 * smack_sk_alloc_security - Allocate a socket blob
1266 * @sk: the socket
1267 * @family: unused
1268 * @priority: memory allocation priority
1269 *
1270 * Assign Smack pointers to current
1271 *
1272 * Returns 0 on success, -ENOMEM is there's no memory
1273 */
1275 {
1290 }
1292 /**
1293 * smack_sk_free_security - Free a socket blob
1294 * @sk: the socket
1295 *
1296 * Clears the blob pointer
1297 */
1299 {
1301 }
1303 /**
1304 * smack_set_catset - convert a capset to netlabel mls categories
1305 * @catset: the Smack categories
1306 * @sap: where to put the netlabel categories
1307 *
1308 * Allocates and fills attr.mls.cat
1309 */
1311 {
1331 }
1332 }
1334 /**
1335 * smack_to_secattr - fill a secattr from a smack value
1336 * @smack: the smack value
1337 * @nlsp: where the result goes
1338 *
1339 * Casey says that CIPSO is good enough for now.
1340 * It can be used to effect.
1341 * It can also be abused to effect when necessary.
1342 * Appologies to the TSIG group in general and GW in particular.
1343 */
1345 {
1359 }
1360 }
1362 /**
1363 * smack_netlabel - Set the secattr on a socket
1364 * @sk: the socket
1365 * @labeled: socket label scheme
1366 *
1367 * Convert the outbound smack value (smk_out) to a
1368 * secattr and attach it to the socket.
1369 *
1370 * Returns 0 on success or an error code
1371 */
1373 {
1379 /*
1380 * Usually the netlabel code will handle changing the
1381 * packet labeling based on the label.
1382 * The case of a single label host is different, because
1383 * a single label host should never get a labeled packet
1384 * even though the label is usually associated with a packet
1385 * label.
1386 */
1398 }
1404 }
1406 /**
1407 * smack_inode_setsecurity - set smack xattrs
1408 * @inode: the object
1409 * @name: attribute name
1410 * @value: attribute value
1411 * @size: size of the attribute
1412 * @flags: unused
1413 *
1414 * Sets the named attribute in the appropriate blob
1415 *
1416 * Returns 0 on success, or an error code
1417 */
1420 {
1437 }
1438 /*
1439 * The rest of the Smack xattrs are only on sockets.
1440 */
1462 }
1464 /**
1465 * smack_socket_post_create - finish socket setup
1466 * @sock: the socket
1467 * @family: protocol family
1468 * @type: unused
1469 * @protocol: unused
1470 * @kern: unused
1471 *
1472 * Sets the netlabel information on the socket
1473 *
1474 * Returns 0 on success, and error code otherwise
1475 */
1478 {
1481 /*
1482 * Set the outbound netlbl.
1483 */
1485 }
1488 /**
1489 * smack_host_label - check host based restrictions
1490 * @sip: the object end
1491 *
1492 * looks for host based access restrictions
1493 *
1494 * This version will only be appropriate for really small
1495 * sets of single label hosts.
1496 *
1497 * Returns the label of the far end or NULL if it's not special.
1498 */
1500 {
1508 /*
1509 * we break after finding the first match because
1510 * the list is sorted from longest to shortest mask
1511 * so we have found the most specific match
1512 */
1516 }
1517 }
1520 }
1522 /**
1523 * smack_socket_connect - connect access check
1524 * @sock: the socket
1525 * @sap: the other end
1526 * @addrlen: size of sap
1527 *
1528 * Verifies that a connection may be possible
1529 *
1530 * Returns 0 on success, and error code otherwise
1531 */
1534 {
1554 }
1556 /**
1557 * smack_flags_to_may - convert S_ to MAY_ values
1558 * @flags: the S_ value
1559 *
1560 * Returns the equivalent MAY_ value
1561 */
1563 {
1574 }
1576 /**
1577 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
1578 * @msg: the object
1579 *
1580 * Returns 0
1581 */
1583 {
1586 }
1588 /**
1589 * smack_msg_msg_free_security - Clear the security blob for msg_msg
1590 * @msg: the object
1591 *
1592 * Clears the blob pointer
1593 */
1595 {
1597 }
1599 /**
1600 * smack_of_shm - the smack pointer for the shm
1601 * @shp: the object
1602 *
1603 * Returns a pointer to the smack value
1604 */
1606 {
1608 }
1610 /**
1611 * smack_shm_alloc_security - Set the security blob for shm
1612 * @shp: the object
1613 *
1614 * Returns 0
1615 */
1617 {
1622 }
1624 /**
1625 * smack_shm_free_security - Clear the security blob for shm
1626 * @shp: the object
1627 *
1628 * Clears the blob pointer
1629 */
1631 {
1635 }
1637 /**
1638 * smack_shm_associate - Smack access check for shm
1639 * @shp: the object
1640 * @shmflg: access requested
1641 *
1642 * Returns 0 if current has the requested access, error code otherwise
1643 */
1645 {
1651 }
1653 /**
1654 * smack_shm_shmctl - Smack access check for shm
1655 * @shp: the object
1656 * @cmd: what it wants to do
1657 *
1658 * Returns 0 if current has the requested access, error code otherwise
1659 */
1661 {
1678 /*
1679 * System level information.
1680 */
1684 }
1688 }
1690 /**
1691 * smack_shm_shmat - Smack access for shmat
1692 * @shp: the object
1693 * @shmaddr: unused
1694 * @shmflg: access requested
1695 *
1696 * Returns 0 if current has the requested access, error code otherwise
1697 */
1700 {
1706 }
1708 /**
1709 * smack_of_sem - the smack pointer for the sem
1710 * @sma: the object
1711 *
1712 * Returns a pointer to the smack value
1713 */
1715 {
1717 }
1719 /**
1720 * smack_sem_alloc_security - Set the security blob for sem
1721 * @sma: the object
1722 *
1723 * Returns 0
1724 */
1726 {
1731 }
1733 /**
1734 * smack_sem_free_security - Clear the security blob for sem
1735 * @sma: the object
1736 *
1737 * Clears the blob pointer
1738 */
1740 {
1744 }
1746 /**
1747 * smack_sem_associate - Smack access check for sem
1748 * @sma: the object
1749 * @semflg: access requested
1750 *
1751 * Returns 0 if current has the requested access, error code otherwise
1752 */
1754 {
1760 }
1762 /**
1763 * smack_sem_shmctl - Smack access check for sem
1764 * @sma: the object
1765 * @cmd: what it wants to do
1766 *
1767 * Returns 0 if current has the requested access, error code otherwise
1768 */
1770 {
1792 /*
1793 * System level information
1794 */
1798 }
1802 }
1804 /**
1805 * smack_sem_semop - Smack checks of semaphore operations
1806 * @sma: the object
1807 * @sops: unused
1808 * @nsops: unused
1809 * @alter: unused
1810 *
1811 * Treated as read and write in all cases.
1812 *
1813 * Returns 0 if access is allowed, error code otherwise
1814 */
1817 {
1821 }
1823 /**
1824 * smack_msg_alloc_security - Set the security blob for msg
1825 * @msq: the object
1826 *
1827 * Returns 0
1828 */
1830 {
1835 }
1837 /**
1838 * smack_msg_free_security - Clear the security blob for msg
1839 * @msq: the object
1840 *
1841 * Clears the blob pointer
1842 */
1844 {
1848 }
1850 /**
1851 * smack_of_msq - the smack pointer for the msq
1852 * @msq: the object
1853 *
1854 * Returns a pointer to the smack value
1855 */
1857 {
1859 }
1861 /**
1862 * smack_msg_queue_associate - Smack access check for msg_queue
1863 * @msq: the object
1864 * @msqflg: access requested
1865 *
1866 * Returns 0 if current has the requested access, error code otherwise
1867 */
1869 {
1875 }
1877 /**
1878 * smack_msg_queue_msgctl - Smack access check for msg_queue
1879 * @msq: the object
1880 * @cmd: what it wants to do
1881 *
1882 * Returns 0 if current has the requested access, error code otherwise
1883 */
1885 {
1900 /*
1901 * System level information
1902 */
1906 }
1910 }
1912 /**
1913 * smack_msg_queue_msgsnd - Smack access check for msg_queue
1914 * @msq: the object
1915 * @msg: unused
1916 * @msqflg: access requested
1917 *
1918 * Returns 0 if current has the requested access, error code otherwise
1919 */
1922 {
1928 }
1930 /**
1931 * smack_msg_queue_msgsnd - Smack access check for msg_queue
1932 * @msq: the object
1933 * @msg: unused
1934 * @target: unused
1935 * @type: unused
1936 * @mode: unused
1937 *
1938 * Returns 0 if current has read and write access, error code otherwise
1939 */
1942 {
1946 }
1948 /**
1949 * smack_ipc_permission - Smack access for ipc_permission()
1950 * @ipp: the object permissions
1951 * @flag: access requested
1952 *
1953 * Returns 0 if current has read and write access, error code otherwise
1954 */
1956 {
1962 }
1964 /**
1965 * smack_ipc_getsecid - Extract smack security id
1966 * @ipcp: the object permissions
1967 * @secid: where result will be saved
1968 */
1970 {
1974 }
1976 /**
1977 * smack_d_instantiate - Make sure the blob is correct on an inode
1978 * @opt_dentry: unused
1979 * @inode: the object
1980 *
1981 * Set the inode's security blob if it hasn't been done already.
1982 */
1984 {
1999 /*
2000 * If the inode is already instantiated
2001 * take the quick way out
2002 */
2008 /*
2009 * We're going to use the superblock default label
2010 * if there's no label on the file.
2011 */
2014 /*
2015 * If this is the root inode the superblock
2016 * may be in the process of initialization.
2017 * If that is the case use the root value out
2018 * of the superblock.
2019 */
2024 }
2026 /*
2027 * This is pretty hackish.
2028 * Casey says that we shouldn't have to do
2029 * file system specific code, but it does help
2030 * with keeping it simple.
2031 */
2034 /*
2035 * Casey says that it's a little embarassing
2036 * that the smack file system doesn't do
2037 * extended attributes.
2038 */
2042 /*
2043 * Casey says pipes are easy (?)
2044 */
2048 /*
2049 * devpts seems content with the label of the task.
2050 * Programs that change smack have to treat the
2051 * pty with respect.
2052 */
2056 /*
2057 * Casey says sockets get the smack of the task.
2058 */
2062 /*
2063 * Casey says procfs appears not to care.
2064 * The superblock default suffices.
2065 */
2068 /*
2069 * Device labels should come from the filesystem,
2070 * but watch out, because they're volitile,
2071 * getting recreated on every reboot.
2072 */
2074 /*
2075 * No break.
2076 *
2077 * If a smack value has been set we want to use it,
2078 * but since tmpfs isn't giving us the opportunity
2079 * to set mount options simulate setting the
2080 * superblock default.
2081 */
2083 /*
2084 * This isn't an understood special case.
2085 * Get the value from the xattr.
2086 *
2087 * No xattr support means, alas, no SMACK label.
2088 * Use the aforeapplied default.
2089 * It would be curious if the label of the task
2090 * does not match that assigned.
2091 */
2094 /*
2095 * Get the dentry for xattr.
2096 */
2105 }
2113 }
2117 else
2122 unlockandout:
2125 }
2127 /**
2128 * smack_getprocattr - Smack process attribute access
2129 * @p: the object task
2130 * @name: the name of the attribute in /proc/.../attr
2131 * @value: where to put the result
2132 *
2133 * Places a copy of the task Smack into value
2134 *
2135 * Returns the length of the smack label or an error code
2136 */
2138 {
2152 }
2154 /**
2155 * smack_setprocattr - Smack process attribute setting
2156 * @p: the object task
2157 * @name: the name of the attribute in /proc/.../attr
2158 * @value: the value to set
2159 * @size: the size of the value
2160 *
2161 * Sets the Smack value of the task. Only setting self
2162 * is permitted and only with privilege
2163 *
2164 * Returns the length of the smack label or an error code
2165 */
2168 {
2172 /*
2173 * Changing another process' Smack value is too dangerous
2174 * and supports no sane use case.
2175 */
2192 /*
2193 * No process is ever allowed the web ("@") label.
2194 */
2204 }
2206 /**
2207 * smack_unix_stream_connect - Smack access on UDS
2208 * @sock: one socket
2209 * @other: the other socket
2210 * @newsk: unused
2211 *
2212 * Return 0 if a subject with the smack of sock could access
2213 * an object with the smack of other, otherwise an error code
2214 */
2217 {
2222 }
2224 /**
2225 * smack_unix_may_send - Smack access on UDS
2226 * @sock: one socket
2227 * @other: the other socket
2228 *
2229 * Return 0 if a subject with the smack of sock could access
2230 * an object with the smack of other, otherwise an error code
2231 */
2233 {
2238 }
2240 /**
2241 * smack_socket_sendmsg - Smack check based on destination host
2242 * @sock: the socket
2243 * @msghdr: the message
2244 * @size: the size of the message
2245 *
2246 * Return 0 if the current subject can write to the destination
2247 * host. This is only a question if the destination is a single
2248 * label host.
2249 */
2252 {
2258 /*
2259 * Perfectly reasonable for this to be NULL
2260 */
2273 }
2276 /**
2277 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat
2278 * pair to smack
2279 * @sap: netlabel secattr
2280 * @sip: where to put the result
2281 *
2282 * Copies a smack label into sip
2283 */
2285 {
2291 /*
2292 * Looks like a CIPSO packet.
2293 * If there are flags but no level netlabel isn't
2294 * behaving the way we expect it to.
2295 *
2296 * Get the categories, if any
2297 * Without guidance regarding the smack value
2298 * for the packet fall back on the network
2299 * ambient value.
2300 */
2309 }
2310 /*
2311 * If it is CIPSO using smack direct mapping
2312 * we are already done. WeeHee.
2313 */
2317 }
2318 /*
2319 * Look it up in the supplied table if it is not
2320 * a direct mapping.
2321 */
2324 }
2326 /*
2327 * Looks like a fallback, which gives us a secid.
2328 */
2330 /*
2331 * This has got to be a bug because it is
2332 * impossible to specify a fallback without
2333 * specifying the label, which will ensure
2334 * it has a secid, and the only way to get a
2335 * secid is from a fallback.
2336 */
2340 }
2341 /*
2342 * Without guidance regarding the smack value
2343 * for the packet fall back on the network
2344 * ambient value.
2345 */
2348 }
2350 /**
2351 * smack_socket_sock_rcv_skb - Smack packet delivery access check
2352 * @sk: socket
2353 * @skb: packet
2354 *
2355 * Returns 0 if the packet should be delivered, an error code otherwise
2356 */
2358 {
2368 /*
2369 * Translate what netlabel gave us.
2370 */
2382 /*
2383 * Receiving a packet requires that the other end
2384 * be able to write here. Read access is not required.
2385 * This is the simplist possible security model
2386 * for networking.
2387 */
2392 }
2394 /**
2395 * smack_socket_getpeersec_stream - pull in packet label
2396 * @sock: the socket
2397 * @optval: user's destination
2398 * @optlen: size thereof
2399 * @len: max thereoe
2400 *
2401 * returns zero on success, an error code otherwise
2402 */
2406 {
2423 }
2426 /**
2427 * smack_socket_getpeersec_dgram - pull in packet label
2428 * @sock: the socket
2429 * @skb: packet data
2430 * @secid: pointer to where to put the secid of the packet
2431 *
2432 * Sets the netlabel socket state on sk from parent
2433 */
2437 {
2442 u32 s;
2445 /*
2446 * Only works for families with packets.
2447 */
2453 }
2454 /*
2455 * Translate what netlabel gave us.
2456 */
2463 /*
2464 * Give up if we couldn't get anything
2465 */
2475 }
2477 /**
2478 * smack_sock_graft - graft access state between two sockets
2479 * @sk: fresh sock
2480 * @parent: donor socket
2481 *
2482 * Sets the netlabel socket state on sk from parent
2483 */
2485 {
2494 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
2495 }
2497 /**
2498 * smack_inet_conn_request - Smack access check on connect
2499 * @sk: socket involved
2500 * @skb: packet
2501 * @req: unused
2502 *
2503 * Returns 0 if a task with the packet label could write to
2504 * the socket, otherwise an error code
2505 */
2508 {
2517 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2525 else
2529 /*
2530 * Receiving a packet requires that the other end be able to write
2531 * here. Read access is not required.
2532 */
2537 /*
2538 * Save the peer's label in the request_sock so we can later setup
2539 * smk_packet in the child socket so that SO_PEERCRED can report it.
2540 */
2543 /*
2544 * We need to decide if we want to label the incoming connection here
2545 * if we do we only need to label the request_sock and the stack will
2546 * propogate the wire-label to the sock when it is created.
2547 */
2560 }
2563 }
2565 /**
2566 * smack_inet_csk_clone - Copy the connection information to the new socket
2567 * @sk: the new socket
2568 * @req: the connection's request_sock
2569 *
2570 * Transfer the connection's peer label to the newly created socket.
2571 */
2574 {
2583 }
2585 /*
2586 * Key management security hooks
2587 *
2588 * Casey has not tested key support very heavily.
2589 * The permission check is most likely too restrictive.
2590 * If you care about keys please have a look.
2591 */
2592 #ifdef CONFIG_KEYS
2594 /**
2595 * smack_key_alloc - Set the key security blob
2596 * @key: object
2597 * @cred: the credentials to use
2598 * @flags: unused
2599 *
2600 * No allocation required
2601 *
2602 * Returns 0
2603 */
2606 {
2609 }
2611 /**
2612 * smack_key_free - Clear the key security blob
2613 * @key: the object
2614 *
2615 * Clear the blob pointer
2616 */
2618 {
2620 }
2622 /*
2623 * smack_key_permission - Smack access on a key
2624 * @key_ref: gets to the object
2625 * @cred: the credentials to use
2626 * @perm: unused
2627 *
2628 * Return 0 if the task has read and write to the object,
2629 * an error code otherwise
2630 */
2633 {
2639 /*
2640 * If the key hasn't been initialized give it access so that
2641 * it may do so.
2642 */
2645 /*
2646 * This should not occur
2647 */
2652 }
2655 /*
2656 * Smack Audit hooks
2657 *
2658 * Audit requires a unique representation of each Smack specific
2659 * rule. This unique representation is used to distinguish the
2660 * object to be audited from remaining kernel objects and also
2661 * works as a glue between the audit hooks.
2662 *
2663 * Since repository entries are added but never deleted, we'll use
2664 * the smack_known label address related to the given audit rule as
2665 * the needed unique representation. This also better fits the smack
2666 * model where nearly everything is a label.
2667 */
2668 #ifdef CONFIG_AUDIT
2670 /**
2671 * smack_audit_rule_init - Initialize a smack audit rule
2672 * @field: audit rule fields given from user-space (audit.h)
2673 * @op: required testing operator (=, !=, >, <, ...)
2674 * @rulestr: smack label to be audited
2675 * @vrule: pointer to save our own audit rule representation
2676 *
2677 * Prepare to audit cases where (@field @op @rulestr) is true.
2678 * The label to be audited is created if necessay.
2679 */
2681 {
2694 }
2696 /**
2697 * smack_audit_rule_known - Distinguish Smack audit rules
2698 * @krule: rule of interest, in Audit kernel representation format
2699 *
2700 * This is used to filter Smack rules from remaining Audit ones.
2701 * If it's proved that this rule belongs to us, the
2702 * audit_rule_match hook will be called to do the final judgement.
2703 */
2705 {
2714 }
2717 }
2719 /**
2720 * smack_audit_rule_match - Audit given object ?
2721 * @secid: security id for identifying the object to test
2722 * @field: audit rule flags given from user-space
2723 * @op: required testing operator
2724 * @vrule: smack internal rule presentation
2725 * @actx: audit context associated with the check
2726 *
2727 * The core Audit hook. It's used to take the decision of
2728 * whether to audit or not to audit a given object.
2729 */
2732 {
2740 }
2747 /*
2748 * No need to do string comparisons. If a match occurs,
2749 * both pointers will point to the same smack_known
2750 * label.
2751 */
2758 }
2760 /**
2761 * smack_audit_rule_free - free smack rule representation
2762 * @vrule: rule to be freed.
2763 *
2764 * No memory was allocated.
2765 */
2767 {
2768 /* No-op */
2769 }
2773 /*
2774 * smack_secid_to_secctx - return the smack label for a secid
2775 * @secid: incoming integer
2776 * @secdata: destination
2777 * @seclen: how long it is
2778 *
2779 * Exists for networking code.
2780 */
2782 {
2788 }
2790 /*
2791 * smack_secctx_to_secid - return the secid for a smack label
2792 * @secdata: smack label
2793 * @seclen: how long result is
2794 * @secid: outgoing integer
2795 *
2796 * Exists for audit and networking code.
2797 */
2799 {
2802 }
2804 /*
2805 * smack_release_secctx - don't do anything.
2806 * @key_ref: unused
2807 * @context: unused
2808 * @perm: unused
2809 *
2810 * Exists to make sure nothing gets done, and properly
2811 */
2813 {
2814 }
2939 /* key management security hooks */
2940 #ifdef CONFIG_KEYS
2946 /* Audit hooks */
2947 #ifdef CONFIG_AUDIT
2957 };
2959 /**
2960 * smack_init - initialize the smack system
2961 *
2962 * Returns 0
2963 */
2965 {
2973 /*
2974 * Set the security state for the initial task.
2975 */
2979 /*
2980 * Initialize locks
2981 */
2988 /*
2989 * Register with LSM
2990 */
2995 }
2997 /*
2998 * Smack requires early initialization in order to label
2999 * all processes and objects when they are created.
3000 */