search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
call kthread_stop from workqueue, do not reset conn if connect cmd has been retransmitted
[cor.git] / security / smack / smack_lsm.c
blobecea41ce919b71101ed2d9ae81b477fa7ae5b577
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Simplified MAC Kernel (smack) security module
4 *
5 * This file contains the smack hook function implementations.
6 *
7 * Authors:
8 * Casey Schaufler <casey@schaufler-ca.com>
9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
10 *
11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
13 * Paul Moore <paul@paul-moore.com>
14 * Copyright (C) 2010 Nokia Corporation
15 * Copyright (C) 2011 Intel Corporation.
16 */
17
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/kd.h>
23 #include <asm/ioctls.h>
24 #include <linux/ip.h>
25 #include <linux/tcp.h>
26 #include <linux/udp.h>
27 #include <linux/dccp.h>
28 #include <linux/icmpv6.h>
29 #include <linux/slab.h>
30 #include <linux/mutex.h>
31 #include <net/cipso_ipv4.h>
32 #include <net/ip.h>
33 #include <net/ipv6.h>
34 #include <linux/audit.h>
35 #include <linux/magic.h>
36 #include <linux/dcache.h>
37 #include <linux/personality.h>
38 #include <linux/msg.h>
39 #include <linux/shm.h>
40 #include <linux/binfmts.h>
41 #include <linux/parser.h>
42 #include <linux/fs_context.h>
43 #include <linux/fs_parser.h>
44 #include "smack.h"
45
46 #define TRANS_TRUE "TRUE"
47 #define TRANS_TRUE_SIZE 4
48
49 #define SMK_CONNECTING 0
50 #define SMK_RECEIVING 1
51 #define SMK_SENDING 2
52
53 #ifdef SMACK_IPV6_PORT_LABELING
54 DEFINE_MUTEX(smack_ipv6_lock);
55 static LIST_HEAD(smk_ipv6_port_list);
56 #endif
57 static struct kmem_cache *smack_inode_cache;
58 struct kmem_cache *smack_rule_cache;
59 int smack_enabled;
60
61 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
62 static struct {
63 const char *name;
64 int len;
65 int opt;
66 } smk_mount_opts[] = {
67 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
68 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
69 };
70 #undef A
71
72 static int match_opt_prefix(char *s, int l, char **arg)
73 {
74 int i;
75
76 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) {
77 size_t len = smk_mount_opts[i].len;
78 if (len > l || memcmp(s, smk_mount_opts[i].name, len))
79 continue;
80 if (len == l || s[len] != '=')
81 continue;
82 *arg = s + len + 1;
83 return smk_mount_opts[i].opt;
84 }
85 return Opt_error;
86 }
87
88 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
89 static char *smk_bu_mess[] = {
90 "Bringup Error", /* Unused */
91 "Bringup", /* SMACK_BRINGUP_ALLOW */
92 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */
93 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */
94 };
95
96 static void smk_bu_mode(int mode, char *s)
97 {
98 int i = 0;
99
100 if (mode & MAY_READ)
101 s[i++] = 'r';
102 if (mode & MAY_WRITE)
103 s[i++] = 'w';
104 if (mode & MAY_EXEC)
105 s[i++] = 'x';
106 if (mode & MAY_APPEND)
107 s[i++] = 'a';
108 if (mode & MAY_TRANSMUTE)
109 s[i++] = 't';
110 if (mode & MAY_LOCK)
111 s[i++] = 'l';
112 if (i == 0)
113 s[i++] = '-';
114 s[i] = '\0';
115 }
116 #endif
117
118 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
119 static int smk_bu_note(char *note, struct smack_known *sskp,
120 struct smack_known *oskp, int mode, int rc)
121 {
122 char acc[SMK_NUM_ACCESS_TYPE + 1];
123
124 if (rc <= 0)
125 return rc;
126 if (rc > SMACK_UNCONFINED_OBJECT)
127 rc = 0;
128
129 smk_bu_mode(mode, acc);
130 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc],
131 sskp->smk_known, oskp->smk_known, acc, note);
132 return 0;
133 }
134 #else
135 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
136 #endif
137
138 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
139 static int smk_bu_current(char *note, struct smack_known *oskp,
140 int mode, int rc)
141 {
142 struct task_smack *tsp = smack_cred(current_cred());
143 char acc[SMK_NUM_ACCESS_TYPE + 1];
144
145 if (rc <= 0)
146 return rc;
147 if (rc > SMACK_UNCONFINED_OBJECT)
148 rc = 0;
149
150 smk_bu_mode(mode, acc);
151 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc],
152 tsp->smk_task->smk_known, oskp->smk_known,
153 acc, current->comm, note);
154 return 0;
155 }
156 #else
157 #define smk_bu_current(note, oskp, mode, RC) (RC)
158 #endif
159
160 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
161 static int smk_bu_task(struct task_struct *otp, int mode, int rc)
162 {
163 struct task_smack *tsp = smack_cred(current_cred());
164 struct smack_known *smk_task = smk_of_task_struct(otp);
165 char acc[SMK_NUM_ACCESS_TYPE + 1];
166
167 if (rc <= 0)
168 return rc;
169 if (rc > SMACK_UNCONFINED_OBJECT)
170 rc = 0;
171
172 smk_bu_mode(mode, acc);
173 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc],
174 tsp->smk_task->smk_known, smk_task->smk_known, acc,
175 current->comm, otp->comm);
176 return 0;
177 }
178 #else
179 #define smk_bu_task(otp, mode, RC) (RC)
180 #endif
181
182 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
183 static int smk_bu_inode(struct inode *inode, int mode, int rc)
184 {
185 struct task_smack *tsp = smack_cred(current_cred());
186 struct inode_smack *isp = smack_inode(inode);
187 char acc[SMK_NUM_ACCESS_TYPE + 1];
188
189 if (isp->smk_flags & SMK_INODE_IMPURE)
190 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
191 inode->i_sb->s_id, inode->i_ino, current->comm);
192
193 if (rc <= 0)
194 return rc;
195 if (rc > SMACK_UNCONFINED_OBJECT)
196 rc = 0;
197 if (rc == SMACK_UNCONFINED_SUBJECT &&
198 (mode & (MAY_WRITE | MAY_APPEND)))
199 isp->smk_flags |= SMK_INODE_IMPURE;
200
201 smk_bu_mode(mode, acc);
202
203 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc],
204 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc,
205 inode->i_sb->s_id, inode->i_ino, current->comm);
206 return 0;
207 }
208 #else
209 #define smk_bu_inode(inode, mode, RC) (RC)
210 #endif
211
212 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
213 static int smk_bu_file(struct file *file, int mode, int rc)
214 {
215 struct task_smack *tsp = smack_cred(current_cred());
216 struct smack_known *sskp = tsp->smk_task;
217 struct inode *inode = file_inode(file);
218 struct inode_smack *isp = smack_inode(inode);
219 char acc[SMK_NUM_ACCESS_TYPE + 1];
220
221 if (isp->smk_flags & SMK_INODE_IMPURE)
222 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
223 inode->i_sb->s_id, inode->i_ino, current->comm);
224
225 if (rc <= 0)
226 return rc;
227 if (rc > SMACK_UNCONFINED_OBJECT)
228 rc = 0;
229
230 smk_bu_mode(mode, acc);
231 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
232 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
233 inode->i_sb->s_id, inode->i_ino, file,
234 current->comm);
235 return 0;
236 }
237 #else
238 #define smk_bu_file(file, mode, RC) (RC)
239 #endif
240
241 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
242 static int smk_bu_credfile(const struct cred *cred, struct file *file,
243 int mode, int rc)
244 {
245 struct task_smack *tsp = smack_cred(cred);
246 struct smack_known *sskp = tsp->smk_task;
247 struct inode *inode = file_inode(file);
248 struct inode_smack *isp = smack_inode(inode);
249 char acc[SMK_NUM_ACCESS_TYPE + 1];
250
251 if (isp->smk_flags & SMK_INODE_IMPURE)
252 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
253 inode->i_sb->s_id, inode->i_ino, current->comm);
254
255 if (rc <= 0)
256 return rc;
257 if (rc > SMACK_UNCONFINED_OBJECT)
258 rc = 0;
259
260 smk_bu_mode(mode, acc);
261 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
262 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
263 inode->i_sb->s_id, inode->i_ino, file,
264 current->comm);
265 return 0;
266 }
267 #else
268 #define smk_bu_credfile(cred, file, mode, RC) (RC)
269 #endif
270
271 /**
272 * smk_fetch - Fetch the smack label from a file.
273 * @name: type of the label (attribute)
274 * @ip: a pointer to the inode
275 * @dp: a pointer to the dentry
276 *
277 * Returns a pointer to the master list entry for the Smack label,
278 * NULL if there was no label to fetch, or an error code.
279 */
280 static struct smack_known *smk_fetch(const char *name, struct inode *ip,
281 struct dentry *dp)
282 {
283 int rc;
284 char *buffer;
285 struct smack_known *skp = NULL;
286
287 if (!(ip->i_opflags & IOP_XATTR))
288 return ERR_PTR(-EOPNOTSUPP);
289
290 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
291 if (buffer == NULL)
292 return ERR_PTR(-ENOMEM);
293
294 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL);
295 if (rc < 0)
296 skp = ERR_PTR(rc);
297 else if (rc == 0)
298 skp = NULL;
299 else
300 skp = smk_import_entry(buffer, rc);
301
302 kfree(buffer);
303
304 return skp;
305 }
306
307 /**
308 * init_inode_smack - initialize an inode security blob
309 * @inode: inode to extract the info from
310 * @skp: a pointer to the Smack label entry to use in the blob
311 *
312 */
313 static void init_inode_smack(struct inode *inode, struct smack_known *skp)
314 {
315 struct inode_smack *isp = smack_inode(inode);
316
317 isp->smk_inode = skp;
318 isp->smk_flags = 0;
319 mutex_init(&isp->smk_lock);
320 }
321
322 /**
323 * init_task_smack - initialize a task security blob
324 * @tsp: blob to initialize
325 * @task: a pointer to the Smack label for the running task
326 * @forked: a pointer to the Smack label for the forked task
327 *
328 */
329 static void init_task_smack(struct task_smack *tsp, struct smack_known *task,
330 struct smack_known *forked)
331 {
332 tsp->smk_task = task;
333 tsp->smk_forked = forked;
334 INIT_LIST_HEAD(&tsp->smk_rules);
335 INIT_LIST_HEAD(&tsp->smk_relabel);
336 mutex_init(&tsp->smk_rules_lock);
337 }
338
339 /**
340 * smk_copy_rules - copy a rule set
341 * @nhead: new rules header pointer
342 * @ohead: old rules header pointer
343 * @gfp: type of the memory for the allocation
344 *
345 * Returns 0 on success, -ENOMEM on error
346 */
347 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
348 gfp_t gfp)
349 {
350 struct smack_rule *nrp;
351 struct smack_rule *orp;
352 int rc = 0;
353
354 list_for_each_entry_rcu(orp, ohead, list) {
355 nrp = kmem_cache_zalloc(smack_rule_cache, gfp);
356 if (nrp == NULL) {
357 rc = -ENOMEM;
358 break;
359 }
360 *nrp = *orp;
361 list_add_rcu(&nrp->list, nhead);
362 }
363 return rc;
364 }
365
366 /**
367 * smk_copy_relabel - copy smk_relabel labels list
368 * @nhead: new rules header pointer
369 * @ohead: old rules header pointer
370 * @gfp: type of the memory for the allocation
371 *
372 * Returns 0 on success, -ENOMEM on error
373 */
374 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead,
375 gfp_t gfp)
376 {
377 struct smack_known_list_elem *nklep;
378 struct smack_known_list_elem *oklep;
379
380 list_for_each_entry(oklep, ohead, list) {
381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp);
382 if (nklep == NULL) {
383 smk_destroy_label_list(nhead);
384 return -ENOMEM;
385 }
386 nklep->smk_label = oklep->smk_label;
387 list_add(&nklep->list, nhead);
388 }
389
390 return 0;
391 }
392
393 /**
394 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
395 * @mode - input mode in form of PTRACE_MODE_*
396 *
397 * Returns a converted MAY_* mode usable by smack rules
398 */
399 static inline unsigned int smk_ptrace_mode(unsigned int mode)
400 {
401 if (mode & PTRACE_MODE_ATTACH)
402 return MAY_READWRITE;
403 if (mode & PTRACE_MODE_READ)
404 return MAY_READ;
405
406 return 0;
407 }
408
409 /**
410 * smk_ptrace_rule_check - helper for ptrace access
411 * @tracer: tracer process
412 * @tracee_known: label entry of the process that's about to be traced
413 * @mode: ptrace attachment mode (PTRACE_MODE_*)
414 * @func: name of the function that called us, used for audit
415 *
416 * Returns 0 on access granted, -error on error
417 */
418 static int smk_ptrace_rule_check(struct task_struct *tracer,
419 struct smack_known *tracee_known,
420 unsigned int mode, const char *func)
421 {
422 int rc;
423 struct smk_audit_info ad, *saip = NULL;
424 struct task_smack *tsp;
425 struct smack_known *tracer_known;
426 const struct cred *tracercred;
427
428 if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
429 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
430 smk_ad_setfield_u_tsk(&ad, tracer);
431 saip = &ad;
432 }
433
434 rcu_read_lock();
435 tracercred = __task_cred(tracer);
436 tsp = smack_cred(tracercred);
437 tracer_known = smk_of_task(tsp);
438
439 if ((mode & PTRACE_MODE_ATTACH) &&
440 (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
441 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
442 if (tracer_known->smk_known == tracee_known->smk_known)
443 rc = 0;
444 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
445 rc = -EACCES;
446 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred))
447 rc = 0;
448 else
449 rc = -EACCES;
450
451 if (saip)
452 smack_log(tracer_known->smk_known,
453 tracee_known->smk_known,
454 0, rc, saip);
455
456 rcu_read_unlock();
457 return rc;
458 }
459
460 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
461 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
462
463 rcu_read_unlock();
464 return rc;
465 }
466
467 /*
468 * LSM hooks.
469 * We he, that is fun!
470 */
471
472 /**
473 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
474 * @ctp: child task pointer
475 * @mode: ptrace attachment mode (PTRACE_MODE_*)
476 *
477 * Returns 0 if access is OK, an error code otherwise
478 *
479 * Do the capability checks.
480 */
481 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
482 {
483 struct smack_known *skp;
484
485 skp = smk_of_task_struct(ctp);
486
487 return smk_ptrace_rule_check(current, skp, mode, __func__);
488 }
489
490 /**
491 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
492 * @ptp: parent task pointer
493 *
494 * Returns 0 if access is OK, an error code otherwise
495 *
496 * Do the capability checks, and require PTRACE_MODE_ATTACH.
497 */
498 static int smack_ptrace_traceme(struct task_struct *ptp)
499 {
500 int rc;
501 struct smack_known *skp;
502
503 skp = smk_of_task(smack_cred(current_cred()));
504
505 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
506 return rc;
507 }
508
509 /**
510 * smack_syslog - Smack approval on syslog
511 * @typefrom_file: unused
512 *
513 * Returns 0 on success, error code otherwise.
514 */
515 static int smack_syslog(int typefrom_file)
516 {
517 int rc = 0;
518 struct smack_known *skp = smk_of_current();
519
520 if (smack_privileged(CAP_MAC_OVERRIDE))
521 return 0;
522
523 if (smack_syslog_label != NULL && smack_syslog_label != skp)
524 rc = -EACCES;
525
526 return rc;
527 }
528
529 /*
530 * Superblock Hooks.
531 */
532
533 /**
534 * smack_sb_alloc_security - allocate a superblock blob
535 * @sb: the superblock getting the blob
536 *
537 * Returns 0 on success or -ENOMEM on error.
538 */
539 static int smack_sb_alloc_security(struct super_block *sb)
540 {
541 struct superblock_smack *sbsp;
542
543 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
544
545 if (sbsp == NULL)
546 return -ENOMEM;
547
548 sbsp->smk_root = &smack_known_floor;
549 sbsp->smk_default = &smack_known_floor;
550 sbsp->smk_floor = &smack_known_floor;
551 sbsp->smk_hat = &smack_known_hat;
552 /*
553 * SMK_SB_INITIALIZED will be zero from kzalloc.
554 */
555 sb->s_security = sbsp;
556
557 return 0;
558 }
559
560 /**
561 * smack_sb_free_security - free a superblock blob
562 * @sb: the superblock getting the blob
563 *
564 */
565 static void smack_sb_free_security(struct super_block *sb)
566 {
567 kfree(sb->s_security);
568 sb->s_security = NULL;
569 }
570
571 struct smack_mnt_opts {
572 const char *fsdefault, *fsfloor, *fshat, *fsroot, *fstransmute;
573 };
574
575 static void smack_free_mnt_opts(void *mnt_opts)
576 {
577 struct smack_mnt_opts *opts = mnt_opts;
578 kfree(opts->fsdefault);
579 kfree(opts->fsfloor);
580 kfree(opts->fshat);
581 kfree(opts->fsroot);
582 kfree(opts->fstransmute);
583 kfree(opts);
584 }
585
586 static int smack_add_opt(int token, const char *s, void **mnt_opts)
587 {
588 struct smack_mnt_opts *opts = *mnt_opts;
589
590 if (!opts) {
591 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
592 if (!opts)
593 return -ENOMEM;
594 *mnt_opts = opts;
595 }
596 if (!s)
597 return -ENOMEM;
598
599 switch (token) {
600 case Opt_fsdefault:
601 if (opts->fsdefault)
602 goto out_opt_err;
603 opts->fsdefault = s;
604 break;
605 case Opt_fsfloor:
606 if (opts->fsfloor)
607 goto out_opt_err;
608 opts->fsfloor = s;
609 break;
610 case Opt_fshat:
611 if (opts->fshat)
612 goto out_opt_err;
613 opts->fshat = s;
614 break;
615 case Opt_fsroot:
616 if (opts->fsroot)
617 goto out_opt_err;
618 opts->fsroot = s;
619 break;
620 case Opt_fstransmute:
621 if (opts->fstransmute)
622 goto out_opt_err;
623 opts->fstransmute = s;
624 break;
625 }
626 return 0;
627
628 out_opt_err:
629 pr_warn("Smack: duplicate mount options\n");
630 return -EINVAL;
631 }
632
633 /**
634 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
635 * @fc: The new filesystem context.
636 * @src_fc: The source filesystem context being duplicated.
637 *
638 * Returns 0 on success or -ENOMEM on error.
639 */
640 static int smack_fs_context_dup(struct fs_context *fc,
641 struct fs_context *src_fc)
642 {
643 struct smack_mnt_opts *dst, *src = src_fc->security;
644
645 if (!src)
646 return 0;
647
648 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
649 if (!fc->security)
650 return -ENOMEM;
651 dst = fc->security;
652
653 if (src->fsdefault) {
654 dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL);
655 if (!dst->fsdefault)
656 return -ENOMEM;
657 }
658 if (src->fsfloor) {
659 dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL);
660 if (!dst->fsfloor)
661 return -ENOMEM;
662 }
663 if (src->fshat) {
664 dst->fshat = kstrdup(src->fshat, GFP_KERNEL);
665 if (!dst->fshat)
666 return -ENOMEM;
667 }
668 if (src->fsroot) {
669 dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL);
670 if (!dst->fsroot)
671 return -ENOMEM;
672 }
673 if (src->fstransmute) {
674 dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL);
675 if (!dst->fstransmute)
676 return -ENOMEM;
677 }
678 return 0;
679 }
680
681 static const struct fs_parameter_spec smack_param_specs[] = {
682 fsparam_string("smackfsdef", Opt_fsdefault),
683 fsparam_string("smackfsdefault", Opt_fsdefault),
684 fsparam_string("smackfsfloor", Opt_fsfloor),
685 fsparam_string("smackfshat", Opt_fshat),
686 fsparam_string("smackfsroot", Opt_fsroot),
687 fsparam_string("smackfstransmute", Opt_fstransmute),
688 {}
689 };
690
691 static const struct fs_parameter_description smack_fs_parameters = {
692 .name = "smack",
693 .specs = smack_param_specs,
694 };
695
696 /**
697 * smack_fs_context_parse_param - Parse a single mount parameter
698 * @fc: The new filesystem context being constructed.
699 * @param: The parameter.
700 *
701 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
702 * error.
703 */
704 static int smack_fs_context_parse_param(struct fs_context *fc,
705 struct fs_parameter *param)
706 {
707 struct fs_parse_result result;
708 int opt, rc;
709
710 opt = fs_parse(fc, &smack_fs_parameters, param, &result);
711 if (opt < 0)
712 return opt;
713
714 rc = smack_add_opt(opt, param->string, &fc->security);
715 if (!rc)
716 param->string = NULL;
717 return rc;
718 }
719
720 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts)
721 {
722 char *from = options, *to = options;
723 bool first = true;
724
725 while (1) {
726 char *next = strchr(from, ',');
727 int token, len, rc;
728 char *arg = NULL;
729
730 if (next)
731 len = next - from;
732 else
733 len = strlen(from);
734
735 token = match_opt_prefix(from, len, &arg);
736 if (token != Opt_error) {
737 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL);
738 rc = smack_add_opt(token, arg, mnt_opts);
739 if (unlikely(rc)) {
740 kfree(arg);
741 if (*mnt_opts)
742 smack_free_mnt_opts(*mnt_opts);
743 *mnt_opts = NULL;
744 return rc;
745 }
746 } else {
747 if (!first) { // copy with preceding comma
748 from--;
749 len++;
750 }
751 if (to != from)
752 memmove(to, from, len);
753 to += len;
754 first = false;
755 }
756 if (!from[len])
757 break;
758 from += len + 1;
759 }
760 *to = '\0';
761 return 0;
762 }
763
764 /**
765 * smack_set_mnt_opts - set Smack specific mount options
766 * @sb: the file system superblock
767 * @mnt_opts: Smack mount options
768 * @kern_flags: mount option from kernel space or user space
769 * @set_kern_flags: where to store converted mount opts
770 *
771 * Returns 0 on success, an error code on failure
772 *
773 * Allow filesystems with binary mount data to explicitly set Smack mount
774 * labels.
775 */
776 static int smack_set_mnt_opts(struct super_block *sb,
777 void *mnt_opts,
778 unsigned long kern_flags,
779 unsigned long *set_kern_flags)
780 {
781 struct dentry *root = sb->s_root;
782 struct inode *inode = d_backing_inode(root);
783 struct superblock_smack *sp = sb->s_security;
784 struct inode_smack *isp;
785 struct smack_known *skp;
786 struct smack_mnt_opts *opts = mnt_opts;
787 bool transmute = false;
788
789 if (sp->smk_flags & SMK_SB_INITIALIZED)
790 return 0;
791
792 if (inode->i_security == NULL) {
793 int rc = lsm_inode_alloc(inode);
794
795 if (rc)
796 return rc;
797 }
798
799 if (!smack_privileged(CAP_MAC_ADMIN)) {
800 /*
801 * Unprivileged mounts don't get to specify Smack values.
802 */
803 if (opts)
804 return -EPERM;
805 /*
806 * Unprivileged mounts get root and default from the caller.
807 */
808 skp = smk_of_current();
809 sp->smk_root = skp;
810 sp->smk_default = skp;
811 /*
812 * For a handful of fs types with no user-controlled
813 * backing store it's okay to trust security labels
814 * in the filesystem. The rest are untrusted.
815 */
816 if (sb->s_user_ns != &init_user_ns &&
817 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC &&
818 sb->s_magic != RAMFS_MAGIC) {
819 transmute = true;
820 sp->smk_flags |= SMK_SB_UNTRUSTED;
821 }
822 }
823
824 sp->smk_flags |= SMK_SB_INITIALIZED;
825
826 if (opts) {
827 if (opts->fsdefault) {
828 skp = smk_import_entry(opts->fsdefault, 0);
829 if (IS_ERR(skp))
830 return PTR_ERR(skp);
831 sp->smk_default = skp;
832 }
833 if (opts->fsfloor) {
834 skp = smk_import_entry(opts->fsfloor, 0);
835 if (IS_ERR(skp))
836 return PTR_ERR(skp);
837 sp->smk_floor = skp;
838 }
839 if (opts->fshat) {
840 skp = smk_import_entry(opts->fshat, 0);
841 if (IS_ERR(skp))
842 return PTR_ERR(skp);
843 sp->smk_hat = skp;
844 }
845 if (opts->fsroot) {
846 skp = smk_import_entry(opts->fsroot, 0);
847 if (IS_ERR(skp))
848 return PTR_ERR(skp);
849 sp->smk_root = skp;
850 }
851 if (opts->fstransmute) {
852 skp = smk_import_entry(opts->fstransmute, 0);
853 if (IS_ERR(skp))
854 return PTR_ERR(skp);
855 sp->smk_root = skp;
856 transmute = true;
857 }
858 }
859
860 /*
861 * Initialize the root inode.
862 */
863 init_inode_smack(inode, sp->smk_root);
864
865 if (transmute) {
866 isp = smack_inode(inode);
867 isp->smk_flags |= SMK_INODE_TRANSMUTE;
868 }
869
870 return 0;
871 }
872
873 /**
874 * smack_sb_statfs - Smack check on statfs
875 * @dentry: identifies the file system in question
876 *
877 * Returns 0 if current can read the floor of the filesystem,
878 * and error code otherwise
879 */
880 static int smack_sb_statfs(struct dentry *dentry)
881 {
882 struct superblock_smack *sbp = dentry->d_sb->s_security;
883 int rc;
884 struct smk_audit_info ad;
885
886 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
887 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
888
889 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
890 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);
891 return rc;
892 }
893
894 /*
895 * BPRM hooks
896 */
897
898 /**
899 * smack_bprm_set_creds - set creds for exec
900 * @bprm: the exec information
901 *
902 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
903 */
904 static int smack_bprm_set_creds(struct linux_binprm *bprm)
905 {
906 struct inode *inode = file_inode(bprm->file);
907 struct task_smack *bsp = smack_cred(bprm->cred);
908 struct inode_smack *isp;
909 struct superblock_smack *sbsp;
910 int rc;
911
912 if (bprm->called_set_creds)
913 return 0;
914
915 isp = smack_inode(inode);
916 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
917 return 0;
918
919 sbsp = inode->i_sb->s_security;
920 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
921 isp->smk_task != sbsp->smk_root)
922 return 0;
923
924 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
925 struct task_struct *tracer;
926 rc = 0;
927
928 rcu_read_lock();
929 tracer = ptrace_parent(current);
930 if (likely(tracer != NULL))
931 rc = smk_ptrace_rule_check(tracer,
932 isp->smk_task,
933 PTRACE_MODE_ATTACH,
934 __func__);
935 rcu_read_unlock();
936
937 if (rc != 0)
938 return rc;
939 }
940 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
941 return -EPERM;
942
943 bsp->smk_task = isp->smk_task;
944 bprm->per_clear |= PER_CLEAR_ON_SETID;
945
946 /* Decide if this is a secure exec. */
947 if (bsp->smk_task != bsp->smk_forked)
948 bprm->secureexec = 1;
949
950 return 0;
951 }
952
953 /*
954 * Inode hooks
955 */
956
957 /**
958 * smack_inode_alloc_security - allocate an inode blob
959 * @inode: the inode in need of a blob
960 *
961 * Returns 0
962 */
963 static int smack_inode_alloc_security(struct inode *inode)
964 {
965 struct smack_known *skp = smk_of_current();
966
967 init_inode_smack(inode, skp);
968 return 0;
969 }
970
971 /**
972 * smack_inode_init_security - copy out the smack from an inode
973 * @inode: the newly created inode
974 * @dir: containing directory object
975 * @qstr: unused
976 * @name: where to put the attribute name
977 * @value: where to put the attribute value
978 * @len: where to put the length of the attribute
979 *
980 * Returns 0 if it all works out, -ENOMEM if there's no memory
981 */
982 static int smack_inode_init_security(struct inode *inode, struct inode *dir,
983 const struct qstr *qstr, const char **name,
984 void **value, size_t *len)
985 {
986 struct inode_smack *issp = smack_inode(inode);
987 struct smack_known *skp = smk_of_current();
988 struct smack_known *isp = smk_of_inode(inode);
989 struct smack_known *dsp = smk_of_inode(dir);
990 int may;
991
992 if (name)
993 *name = XATTR_SMACK_SUFFIX;
994
995 if (value && len) {
996 rcu_read_lock();
997 may = smk_access_entry(skp->smk_known, dsp->smk_known,
998 &skp->smk_rules);
999 rcu_read_unlock();
1000
1001 /*
1002 * If the access rule allows transmutation and
1003 * the directory requests transmutation then
1004 * by all means transmute.
1005 * Mark the inode as changed.
1006 */
1007 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
1008 smk_inode_transmutable(dir)) {
1009 isp = dsp;
1010 issp->smk_flags |= SMK_INODE_CHANGED;
1011 }
1012
1013 *value = kstrdup(isp->smk_known, GFP_NOFS);
1014 if (*value == NULL)
1015 return -ENOMEM;
1016
1017 *len = strlen(isp->smk_known);
1018 }
1019
1020 return 0;
1021 }
1022
1023 /**
1024 * smack_inode_link - Smack check on link
1025 * @old_dentry: the existing object
1026 * @dir: unused
1027 * @new_dentry: the new object
1028 *
1029 * Returns 0 if access is permitted, an error code otherwise
1030 */
1031 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
1032 struct dentry *new_dentry)
1033 {
1034 struct smack_known *isp;
1035 struct smk_audit_info ad;
1036 int rc;
1037
1038 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1039 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
1040
1041 isp = smk_of_inode(d_backing_inode(old_dentry));
1042 rc = smk_curacc(isp, MAY_WRITE, &ad);
1043 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc);
1044
1045 if (rc == 0 && d_is_positive(new_dentry)) {
1046 isp = smk_of_inode(d_backing_inode(new_dentry));
1047 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
1048 rc = smk_curacc(isp, MAY_WRITE, &ad);
1049 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc);
1050 }
1051
1052 return rc;
1053 }
1054
1055 /**
1056 * smack_inode_unlink - Smack check on inode deletion
1057 * @dir: containing directory object
1058 * @dentry: file to unlink
1059 *
1060 * Returns 0 if current can write the containing directory
1061 * and the object, error code otherwise
1062 */
1063 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
1064 {
1065 struct inode *ip = d_backing_inode(dentry);
1066 struct smk_audit_info ad;
1067 int rc;
1068
1069 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1070 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1071
1072 /*
1073 * You need write access to the thing you're unlinking
1074 */
1075 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
1076 rc = smk_bu_inode(ip, MAY_WRITE, rc);
1077 if (rc == 0) {
1078 /*
1079 * You also need write access to the containing directory
1080 */
1081 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1082 smk_ad_setfield_u_fs_inode(&ad, dir);
1083 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
1084 rc = smk_bu_inode(dir, MAY_WRITE, rc);
1085 }
1086 return rc;
1087 }
1088
1089 /**
1090 * smack_inode_rmdir - Smack check on directory deletion
1091 * @dir: containing directory object
1092 * @dentry: directory to unlink
1093 *
1094 * Returns 0 if current can write the containing directory
1095 * and the directory, error code otherwise
1096 */
1097 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
1098 {
1099 struct smk_audit_info ad;
1100 int rc;
1101
1102 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1103 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1104
1105 /*
1106 * You need write access to the thing you're removing
1107 */
1108 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1109 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1110 if (rc == 0) {
1111 /*
1112 * You also need write access to the containing directory
1113 */
1114 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1115 smk_ad_setfield_u_fs_inode(&ad, dir);
1116 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
1117 rc = smk_bu_inode(dir, MAY_WRITE, rc);
1118 }
1119
1120 return rc;
1121 }
1122
1123 /**
1124 * smack_inode_rename - Smack check on rename
1125 * @old_inode: unused
1126 * @old_dentry: the old object
1127 * @new_inode: unused
1128 * @new_dentry: the new object
1129 *
1130 * Read and write access is required on both the old and
1131 * new directories.
1132 *
1133 * Returns 0 if access is permitted, an error code otherwise
1134 */
1135 static int smack_inode_rename(struct inode *old_inode,
1136 struct dentry *old_dentry,
1137 struct inode *new_inode,
1138 struct dentry *new_dentry)
1139 {
1140 int rc;
1141 struct smack_known *isp;
1142 struct smk_audit_info ad;
1143
1144 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1145 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
1146
1147 isp = smk_of_inode(d_backing_inode(old_dentry));
1148 rc = smk_curacc(isp, MAY_READWRITE, &ad);
1149 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc);
1150
1151 if (rc == 0 && d_is_positive(new_dentry)) {
1152 isp = smk_of_inode(d_backing_inode(new_dentry));
1153 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
1154 rc = smk_curacc(isp, MAY_READWRITE, &ad);
1155 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc);
1156 }
1157 return rc;
1158 }
1159
1160 /**
1161 * smack_inode_permission - Smack version of permission()
1162 * @inode: the inode in question
1163 * @mask: the access requested
1164 *
1165 * This is the important Smack hook.
1166 *
1167 * Returns 0 if access is permitted, an error code otherwise
1168 */
1169 static int smack_inode_permission(struct inode *inode, int mask)
1170 {
1171 struct superblock_smack *sbsp = inode->i_sb->s_security;
1172 struct smk_audit_info ad;
1173 int no_block = mask & MAY_NOT_BLOCK;
1174 int rc;
1175
1176 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
1177 /*
1178 * No permission to check. Existence test. Yup, it's there.
1179 */
1180 if (mask == 0)
1181 return 0;
1182
1183 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) {
1184 if (smk_of_inode(inode) != sbsp->smk_root)
1185 return -EACCES;
1186 }
1187
1188 /* May be droppable after audit */
1189 if (no_block)
1190 return -ECHILD;
1191 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1192 smk_ad_setfield_u_fs_inode(&ad, inode);
1193 rc = smk_curacc(smk_of_inode(inode), mask, &ad);
1194 rc = smk_bu_inode(inode, mask, rc);
1195 return rc;
1196 }
1197
1198 /**
1199 * smack_inode_setattr - Smack check for setting attributes
1200 * @dentry: the object
1201 * @iattr: for the force flag
1202 *
1203 * Returns 0 if access is permitted, an error code otherwise
1204 */
1205 static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
1206 {
1207 struct smk_audit_info ad;
1208 int rc;
1209
1210 /*
1211 * Need to allow for clearing the setuid bit.
1212 */
1213 if (iattr->ia_valid & ATTR_FORCE)
1214 return 0;
1215 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1216 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1217
1218 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1219 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1220 return rc;
1221 }
1222
1223 /**
1224 * smack_inode_getattr - Smack check for getting attributes
1225 * @path: path to extract the info from
1226 *
1227 * Returns 0 if access is permitted, an error code otherwise
1228 */
1229 static int smack_inode_getattr(const struct path *path)
1230 {
1231 struct smk_audit_info ad;
1232 struct inode *inode = d_backing_inode(path->dentry);
1233 int rc;
1234
1235 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1236 smk_ad_setfield_u_fs_path(&ad, *path);
1237 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1238 rc = smk_bu_inode(inode, MAY_READ, rc);
1239 return rc;
1240 }
1241
1242 /**
1243 * smack_inode_setxattr - Smack check for setting xattrs
1244 * @dentry: the object
1245 * @name: name of the attribute
1246 * @value: value of the attribute
1247 * @size: size of the value
1248 * @flags: unused
1249 *
1250 * This protects the Smack attribute explicitly.
1251 *
1252 * Returns 0 if access is permitted, an error code otherwise
1253 */
1254 static int smack_inode_setxattr(struct dentry *dentry, const char *name,
1255 const void *value, size_t size, int flags)
1256 {
1257 struct smk_audit_info ad;
1258 struct smack_known *skp;
1259 int check_priv = 0;
1260 int check_import = 0;
1261 int check_star = 0;
1262 int rc = 0;
1263
1264 /*
1265 * Check label validity here so import won't fail in post_setxattr
1266 */
1267 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1268 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1269 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
1270 check_priv = 1;
1271 check_import = 1;
1272 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1273 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1274 check_priv = 1;
1275 check_import = 1;
1276 check_star = 1;
1277 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1278 check_priv = 1;
1279 if (size != TRANS_TRUE_SIZE ||
1280 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
1281 rc = -EINVAL;
1282 } else
1283 rc = cap_inode_setxattr(dentry, name, value, size, flags);
1284
1285 if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
1286 rc = -EPERM;
1287
1288 if (rc == 0 && check_import) {
1289 skp = size ? smk_import_entry(value, size) : NULL;
1290 if (IS_ERR(skp))
1291 rc = PTR_ERR(skp);
1292 else if (skp == NULL || (check_star &&
1293 (skp == &smack_known_star || skp == &smack_known_web)))
1294 rc = -EINVAL;
1295 }
1296
1297 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1298 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1299
1300 if (rc == 0) {
1301 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1302 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1303 }
1304
1305 return rc;
1306 }
1307
1308 /**
1309 * smack_inode_post_setxattr - Apply the Smack update approved above
1310 * @dentry: object
1311 * @name: attribute name
1312 * @value: attribute value
1313 * @size: attribute size
1314 * @flags: unused
1315 *
1316 * Set the pointer in the inode blob to the entry found
1317 * in the master label list.
1318 */
1319 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
1320 const void *value, size_t size, int flags)
1321 {
1322 struct smack_known *skp;
1323 struct inode_smack *isp = smack_inode(d_backing_inode(dentry));
1324
1325 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1326 isp->smk_flags |= SMK_INODE_TRANSMUTE;
1327 return;
1328 }
1329
1330 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1331 skp = smk_import_entry(value, size);
1332 if (!IS_ERR(skp))
1333 isp->smk_inode = skp;
1334 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
1335 skp = smk_import_entry(value, size);
1336 if (!IS_ERR(skp))
1337 isp->smk_task = skp;
1338 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1339 skp = smk_import_entry(value, size);
1340 if (!IS_ERR(skp))
1341 isp->smk_mmap = skp;
1342 }
1343
1344 return;
1345 }
1346
1347 /**
1348 * smack_inode_getxattr - Smack check on getxattr
1349 * @dentry: the object
1350 * @name: unused
1351 *
1352 * Returns 0 if access is permitted, an error code otherwise
1353 */
1354 static int smack_inode_getxattr(struct dentry *dentry, const char *name)
1355 {
1356 struct smk_audit_info ad;
1357 int rc;
1358
1359 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1360 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1361
1362 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad);
1363 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc);
1364 return rc;
1365 }
1366
1367 /**
1368 * smack_inode_removexattr - Smack check on removexattr
1369 * @dentry: the object
1370 * @name: name of the attribute
1371 *
1372 * Removing the Smack attribute requires CAP_MAC_ADMIN
1373 *
1374 * Returns 0 if access is permitted, an error code otherwise
1375 */
1376 static int smack_inode_removexattr(struct dentry *dentry, const char *name)
1377 {
1378 struct inode_smack *isp;
1379 struct smk_audit_info ad;
1380 int rc = 0;
1381
1382 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1383 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1384 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
1385 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1386 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
1387 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1388 if (!smack_privileged(CAP_MAC_ADMIN))
1389 rc = -EPERM;
1390 } else
1391 rc = cap_inode_removexattr(dentry, name);
1392
1393 if (rc != 0)
1394 return rc;
1395
1396 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1397 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1398
1399 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1400 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1401 if (rc != 0)
1402 return rc;
1403
1404 isp = smack_inode(d_backing_inode(dentry));
1405 /*
1406 * Don't do anything special for these.
1407 * XATTR_NAME_SMACKIPIN
1408 * XATTR_NAME_SMACKIPOUT
1409 */
1410 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1411 struct super_block *sbp = dentry->d_sb;
1412 struct superblock_smack *sbsp = sbp->s_security;
1413
1414 isp->smk_inode = sbsp->smk_default;
1415 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
1416 isp->smk_task = NULL;
1417 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1418 isp->smk_mmap = NULL;
1419 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
1420 isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
1421
1422 return 0;
1423 }
1424
1425 /**
1426 * smack_inode_getsecurity - get smack xattrs
1427 * @inode: the object
1428 * @name: attribute name
1429 * @buffer: where to put the result
1430 * @alloc: duplicate memory
1431 *
1432 * Returns the size of the attribute or an error code
1433 */
1434 static int smack_inode_getsecurity(struct inode *inode,
1435 const char *name, void **buffer,
1436 bool alloc)
1437 {
1438 struct socket_smack *ssp;
1439 struct socket *sock;
1440 struct super_block *sbp;
1441 struct inode *ip = (struct inode *)inode;
1442 struct smack_known *isp;
1443
1444 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
1445 isp = smk_of_inode(inode);
1446 else {
1447 /*
1448 * The rest of the Smack xattrs are only on sockets.
1449 */
1450 sbp = ip->i_sb;
1451 if (sbp->s_magic != SOCKFS_MAGIC)
1452 return -EOPNOTSUPP;
1453
1454 sock = SOCKET_I(ip);
1455 if (sock == NULL || sock->sk == NULL)
1456 return -EOPNOTSUPP;
1457
1458 ssp = sock->sk->sk_security;
1459
1460 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1461 isp = ssp->smk_in;
1462 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1463 isp = ssp->smk_out;
1464 else
1465 return -EOPNOTSUPP;
1466 }
1467
1468 if (alloc) {
1469 *buffer = kstrdup(isp->smk_known, GFP_KERNEL);
1470 if (*buffer == NULL)
1471 return -ENOMEM;
1472 }
1473
1474 return strlen(isp->smk_known);
1475 }
1476
1477
1478 /**
1479 * smack_inode_listsecurity - list the Smack attributes
1480 * @inode: the object
1481 * @buffer: where they go
1482 * @buffer_size: size of buffer
1483 */
1484 static int smack_inode_listsecurity(struct inode *inode, char *buffer,
1485 size_t buffer_size)
1486 {
1487 int len = sizeof(XATTR_NAME_SMACK);
1488
1489 if (buffer != NULL && len <= buffer_size)
1490 memcpy(buffer, XATTR_NAME_SMACK, len);
1491
1492 return len;
1493 }
1494
1495 /**
1496 * smack_inode_getsecid - Extract inode's security id
1497 * @inode: inode to extract the info from
1498 * @secid: where result will be saved
1499 */
1500 static void smack_inode_getsecid(struct inode *inode, u32 *secid)
1501 {
1502 struct smack_known *skp = smk_of_inode(inode);
1503
1504 *secid = skp->smk_secid;
1505 }
1506
1507 /*
1508 * File Hooks
1509 */
1510
1511 /*
1512 * There is no smack_file_permission hook
1513 *
1514 * Should access checks be done on each read or write?
1515 * UNICOS and SELinux say yes.
1516 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
1517 *
1518 * I'll say no for now. Smack does not do the frequent
1519 * label changing that SELinux does.
1520 */
1521
1522 /**
1523 * smack_file_alloc_security - assign a file security blob
1524 * @file: the object
1525 *
1526 * The security blob for a file is a pointer to the master
1527 * label list, so no allocation is done.
1528 *
1529 * f_security is the owner security information. It
1530 * isn't used on file access checks, it's for send_sigio.
1531 *
1532 * Returns 0
1533 */
1534 static int smack_file_alloc_security(struct file *file)
1535 {
1536 struct smack_known **blob = smack_file(file);
1537
1538 *blob = smk_of_current();
1539 return 0;
1540 }
1541
1542 /**
1543 * smack_file_ioctl - Smack check on ioctls
1544 * @file: the object
1545 * @cmd: what to do
1546 * @arg: unused
1547 *
1548 * Relies heavily on the correct use of the ioctl command conventions.
1549 *
1550 * Returns 0 if allowed, error code otherwise
1551 */
1552 static int smack_file_ioctl(struct file *file, unsigned int cmd,
1553 unsigned long arg)
1554 {
1555 int rc = 0;
1556 struct smk_audit_info ad;
1557 struct inode *inode = file_inode(file);
1558
1559 if (unlikely(IS_PRIVATE(inode)))
1560 return 0;
1561
1562 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1563 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1564
1565 if (_IOC_DIR(cmd) & _IOC_WRITE) {
1566 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1567 rc = smk_bu_file(file, MAY_WRITE, rc);
1568 }
1569
1570 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) {
1571 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1572 rc = smk_bu_file(file, MAY_READ, rc);
1573 }
1574
1575 return rc;
1576 }
1577
1578 /**
1579 * smack_file_lock - Smack check on file locking
1580 * @file: the object
1581 * @cmd: unused
1582 *
1583 * Returns 0 if current has lock access, error code otherwise
1584 */
1585 static int smack_file_lock(struct file *file, unsigned int cmd)
1586 {
1587 struct smk_audit_info ad;
1588 int rc;
1589 struct inode *inode = file_inode(file);
1590
1591 if (unlikely(IS_PRIVATE(inode)))
1592 return 0;
1593
1594 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1595 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1596 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1597 rc = smk_bu_file(file, MAY_LOCK, rc);
1598 return rc;
1599 }
1600
1601 /**
1602 * smack_file_fcntl - Smack check on fcntl
1603 * @file: the object
1604 * @cmd: what action to check
1605 * @arg: unused
1606 *
1607 * Generally these operations are harmless.
1608 * File locking operations present an obvious mechanism
1609 * for passing information, so they require write access.
1610 *
1611 * Returns 0 if current has access, error code otherwise
1612 */
1613 static int smack_file_fcntl(struct file *file, unsigned int cmd,
1614 unsigned long arg)
1615 {
1616 struct smk_audit_info ad;
1617 int rc = 0;
1618 struct inode *inode = file_inode(file);
1619
1620 if (unlikely(IS_PRIVATE(inode)))
1621 return 0;
1622
1623 switch (cmd) {
1624 case F_GETLK:
1625 break;
1626 case F_SETLK:
1627 case F_SETLKW:
1628 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1629 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1630 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1631 rc = smk_bu_file(file, MAY_LOCK, rc);
1632 break;
1633 case F_SETOWN:
1634 case F_SETSIG:
1635 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1636 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1637 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1638 rc = smk_bu_file(file, MAY_WRITE, rc);
1639 break;
1640 default:
1641 break;
1642 }
1643
1644 return rc;
1645 }
1646
1647 /**
1648 * smack_mmap_file :
1649 * Check permissions for a mmap operation. The @file may be NULL, e.g.
1650 * if mapping anonymous memory.
1651 * @file contains the file structure for file to map (may be NULL).
1652 * @reqprot contains the protection requested by the application.
1653 * @prot contains the protection that will be applied by the kernel.
1654 * @flags contains the operational flags.
1655 * Return 0 if permission is granted.
1656 */
1657 static int smack_mmap_file(struct file *file,
1658 unsigned long reqprot, unsigned long prot,
1659 unsigned long flags)
1660 {
1661 struct smack_known *skp;
1662 struct smack_known *mkp;
1663 struct smack_rule *srp;
1664 struct task_smack *tsp;
1665 struct smack_known *okp;
1666 struct inode_smack *isp;
1667 struct superblock_smack *sbsp;
1668 int may;
1669 int mmay;
1670 int tmay;
1671 int rc;
1672
1673 if (file == NULL)
1674 return 0;
1675
1676 if (unlikely(IS_PRIVATE(file_inode(file))))
1677 return 0;
1678
1679 isp = smack_inode(file_inode(file));
1680 if (isp->smk_mmap == NULL)
1681 return 0;
1682 sbsp = file_inode(file)->i_sb->s_security;
1683 if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
1684 isp->smk_mmap != sbsp->smk_root)
1685 return -EACCES;
1686 mkp = isp->smk_mmap;
1687
1688 tsp = smack_cred(current_cred());
1689 skp = smk_of_current();
1690 rc = 0;
1691
1692 rcu_read_lock();
1693 /*
1694 * For each Smack rule associated with the subject
1695 * label verify that the SMACK64MMAP also has access
1696 * to that rule's object label.
1697 */
1698 list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
1699 okp = srp->smk_object;
1700 /*
1701 * Matching labels always allows access.
1702 */
1703 if (mkp->smk_known == okp->smk_known)
1704 continue;
1705 /*
1706 * If there is a matching local rule take
1707 * that into account as well.
1708 */
1709 may = smk_access_entry(srp->smk_subject->smk_known,
1710 okp->smk_known,
1711 &tsp->smk_rules);
1712 if (may == -ENOENT)
1713 may = srp->smk_access;
1714 else
1715 may &= srp->smk_access;
1716 /*
1717 * If may is zero the SMACK64MMAP subject can't
1718 * possibly have less access.
1719 */
1720 if (may == 0)
1721 continue;
1722
1723 /*
1724 * Fetch the global list entry.
1725 * If there isn't one a SMACK64MMAP subject
1726 * can't have as much access as current.
1727 */
1728 mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1729 &mkp->smk_rules);
1730 if (mmay == -ENOENT) {
1731 rc = -EACCES;
1732 break;
1733 }
1734 /*
1735 * If there is a local entry it modifies the
1736 * potential access, too.
1737 */
1738 tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1739 &tsp->smk_rules);
1740 if (tmay != -ENOENT)
1741 mmay &= tmay;
1742
1743 /*
1744 * If there is any access available to current that is
1745 * not available to a SMACK64MMAP subject
1746 * deny access.
1747 */
1748 if ((may | mmay) != mmay) {
1749 rc = -EACCES;
1750 break;
1751 }
1752 }
1753
1754 rcu_read_unlock();
1755
1756 return rc;
1757 }
1758
1759 /**
1760 * smack_file_set_fowner - set the file security blob value
1761 * @file: object in question
1762 *
1763 */
1764 static void smack_file_set_fowner(struct file *file)
1765 {
1766 struct smack_known **blob = smack_file(file);
1767
1768 *blob = smk_of_current();
1769 }
1770
1771 /**
1772 * smack_file_send_sigiotask - Smack on sigio
1773 * @tsk: The target task
1774 * @fown: the object the signal come from
1775 * @signum: unused
1776 *
1777 * Allow a privileged task to get signals even if it shouldn't
1778 *
1779 * Returns 0 if a subject with the object's smack could
1780 * write to the task, an error code otherwise.
1781 */
1782 static int smack_file_send_sigiotask(struct task_struct *tsk,
1783 struct fown_struct *fown, int signum)
1784 {
1785 struct smack_known **blob;
1786 struct smack_known *skp;
1787 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
1788 const struct cred *tcred;
1789 struct file *file;
1790 int rc;
1791 struct smk_audit_info ad;
1792
1793 /*
1794 * struct fown_struct is never outside the context of a struct file
1795 */
1796 file = container_of(fown, struct file, f_owner);
1797
1798 /* we don't log here as rc can be overriden */
1799 blob = smack_file(file);
1800 skp = *blob;
1801 rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
1802 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
1803
1804 rcu_read_lock();
1805 tcred = __task_cred(tsk);
1806 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred))
1807 rc = 0;
1808 rcu_read_unlock();
1809
1810 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1811 smk_ad_setfield_u_tsk(&ad, tsk);
1812 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad);
1813 return rc;
1814 }
1815
1816 /**
1817 * smack_file_receive - Smack file receive check
1818 * @file: the object
1819 *
1820 * Returns 0 if current has access, error code otherwise
1821 */
1822 static int smack_file_receive(struct file *file)
1823 {
1824 int rc;
1825 int may = 0;
1826 struct smk_audit_info ad;
1827 struct inode *inode = file_inode(file);
1828 struct socket *sock;
1829 struct task_smack *tsp;
1830 struct socket_smack *ssp;
1831
1832 if (unlikely(IS_PRIVATE(inode)))
1833 return 0;
1834
1835 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1836 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1837
1838 if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
1839 sock = SOCKET_I(inode);
1840 ssp = sock->sk->sk_security;
1841 tsp = smack_cred(current_cred());
1842 /*
1843 * If the receiving process can't write to the
1844 * passed socket or if the passed socket can't
1845 * write to the receiving process don't accept
1846 * the passed socket.
1847 */
1848 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
1849 rc = smk_bu_file(file, may, rc);
1850 if (rc < 0)
1851 return rc;
1852 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
1853 rc = smk_bu_file(file, may, rc);
1854 return rc;
1855 }
1856 /*
1857 * This code relies on bitmasks.
1858 */
1859 if (file->f_mode & FMODE_READ)
1860 may = MAY_READ;
1861 if (file->f_mode & FMODE_WRITE)
1862 may |= MAY_WRITE;
1863
1864 rc = smk_curacc(smk_of_inode(inode), may, &ad);
1865 rc = smk_bu_file(file, may, rc);
1866 return rc;
1867 }
1868
1869 /**
1870 * smack_file_open - Smack dentry open processing
1871 * @file: the object
1872 *
1873 * Set the security blob in the file structure.
1874 * Allow the open only if the task has read access. There are
1875 * many read operations (e.g. fstat) that you can do with an
1876 * fd even if you have the file open write-only.
1877 *
1878 * Returns 0 if current has access, error code otherwise
1879 */
1880 static int smack_file_open(struct file *file)
1881 {
1882 struct task_smack *tsp = smack_cred(file->f_cred);
1883 struct inode *inode = file_inode(file);
1884 struct smk_audit_info ad;
1885 int rc;
1886
1887 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1888 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1889 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
1890 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
1891
1892 return rc;
1893 }
1894
1895 /*
1896 * Task hooks
1897 */
1898
1899 /**
1900 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1901 * @cred: the new credentials
1902 * @gfp: the atomicity of any memory allocations
1903 *
1904 * Prepare a blank set of credentials for modification. This must allocate all
1905 * the memory the LSM module might require such that cred_transfer() can
1906 * complete without error.
1907 */
1908 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1909 {
1910 init_task_smack(smack_cred(cred), NULL, NULL);
1911 return 0;
1912 }
1913
1914
1915 /**
1916 * smack_cred_free - "free" task-level security credentials
1917 * @cred: the credentials in question
1918 *
1919 */
1920 static void smack_cred_free(struct cred *cred)
1921 {
1922 struct task_smack *tsp = smack_cred(cred);
1923 struct smack_rule *rp;
1924 struct list_head *l;
1925 struct list_head *n;
1926
1927 smk_destroy_label_list(&tsp->smk_relabel);
1928
1929 list_for_each_safe(l, n, &tsp->smk_rules) {
1930 rp = list_entry(l, struct smack_rule, list);
1931 list_del(&rp->list);
1932 kmem_cache_free(smack_rule_cache, rp);
1933 }
1934 }
1935
1936 /**
1937 * smack_cred_prepare - prepare new set of credentials for modification
1938 * @new: the new credentials
1939 * @old: the original credentials
1940 * @gfp: the atomicity of any memory allocations
1941 *
1942 * Prepare a new set of credentials for modification.
1943 */
1944 static int smack_cred_prepare(struct cred *new, const struct cred *old,
1945 gfp_t gfp)
1946 {
1947 struct task_smack *old_tsp = smack_cred(old);
1948 struct task_smack *new_tsp = smack_cred(new);
1949 int rc;
1950
1951 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);
1952
1953 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
1954 if (rc != 0)
1955 return rc;
1956
1957 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
1958 gfp);
1959 return rc;
1960 }
1961
1962 /**
1963 * smack_cred_transfer - Transfer the old credentials to the new credentials
1964 * @new: the new credentials
1965 * @old: the original credentials
1966 *
1967 * Fill in a set of blank credentials from another set of credentials.
1968 */
1969 static void smack_cred_transfer(struct cred *new, const struct cred *old)
1970 {
1971 struct task_smack *old_tsp = smack_cred(old);
1972 struct task_smack *new_tsp = smack_cred(new);
1973
1974 new_tsp->smk_task = old_tsp->smk_task;
1975 new_tsp->smk_forked = old_tsp->smk_task;
1976 mutex_init(&new_tsp->smk_rules_lock);
1977 INIT_LIST_HEAD(&new_tsp->smk_rules);
1978
1979 /* cbs copy rule list */
1980 }
1981
1982 /**
1983 * smack_cred_getsecid - get the secid corresponding to a creds structure
1984 * @cred: the object creds
1985 * @secid: where to put the result
1986 *
1987 * Sets the secid to contain a u32 version of the smack label.
1988 */
1989 static void smack_cred_getsecid(const struct cred *cred, u32 *secid)
1990 {
1991 struct smack_known *skp;
1992
1993 rcu_read_lock();
1994 skp = smk_of_task(smack_cred(cred));
1995 *secid = skp->smk_secid;
1996 rcu_read_unlock();
1997 }
1998
1999 /**
2000 * smack_kernel_act_as - Set the subjective context in a set of credentials
2001 * @new: points to the set of credentials to be modified.
2002 * @secid: specifies the security ID to be set
2003 *
2004 * Set the security data for a kernel service.
2005 */
2006 static int smack_kernel_act_as(struct cred *new, u32 secid)
2007 {
2008 struct task_smack *new_tsp = smack_cred(new);
2009
2010 new_tsp->smk_task = smack_from_secid(secid);
2011 return 0;
2012 }
2013
2014 /**
2015 * smack_kernel_create_files_as - Set the file creation label in a set of creds
2016 * @new: points to the set of credentials to be modified
2017 * @inode: points to the inode to use as a reference
2018 *
2019 * Set the file creation context in a set of credentials to the same
2020 * as the objective context of the specified inode
2021 */
2022 static int smack_kernel_create_files_as(struct cred *new,
2023 struct inode *inode)
2024 {
2025 struct inode_smack *isp = smack_inode(inode);
2026 struct task_smack *tsp = smack_cred(new);
2027
2028 tsp->smk_forked = isp->smk_inode;
2029 tsp->smk_task = tsp->smk_forked;
2030 return 0;
2031 }
2032
2033 /**
2034 * smk_curacc_on_task - helper to log task related access
2035 * @p: the task object
2036 * @access: the access requested
2037 * @caller: name of the calling function for audit
2038 *
2039 * Return 0 if access is permitted
2040 */
2041 static int smk_curacc_on_task(struct task_struct *p, int access,
2042 const char *caller)
2043 {
2044 struct smk_audit_info ad;
2045 struct smack_known *skp = smk_of_task_struct(p);
2046 int rc;
2047
2048 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
2049 smk_ad_setfield_u_tsk(&ad, p);
2050 rc = smk_curacc(skp, access, &ad);
2051 rc = smk_bu_task(p, access, rc);
2052 return rc;
2053 }
2054
2055 /**
2056 * smack_task_setpgid - Smack check on setting pgid
2057 * @p: the task object
2058 * @pgid: unused
2059 *
2060 * Return 0 if write access is permitted
2061 */
2062 static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
2063 {
2064 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2065 }
2066
2067 /**
2068 * smack_task_getpgid - Smack access check for getpgid
2069 * @p: the object task
2070 *
2071 * Returns 0 if current can read the object task, error code otherwise
2072 */
2073 static int smack_task_getpgid(struct task_struct *p)
2074 {
2075 return smk_curacc_on_task(p, MAY_READ, __func__);
2076 }
2077
2078 /**
2079 * smack_task_getsid - Smack access check for getsid
2080 * @p: the object task
2081 *
2082 * Returns 0 if current can read the object task, error code otherwise
2083 */
2084 static int smack_task_getsid(struct task_struct *p)
2085 {
2086 return smk_curacc_on_task(p, MAY_READ, __func__);
2087 }
2088
2089 /**
2090 * smack_task_getsecid - get the secid of the task
2091 * @p: the object task
2092 * @secid: where to put the result
2093 *
2094 * Sets the secid to contain a u32 version of the smack label.
2095 */
2096 static void smack_task_getsecid(struct task_struct *p, u32 *secid)
2097 {
2098 struct smack_known *skp = smk_of_task_struct(p);
2099
2100 *secid = skp->smk_secid;
2101 }
2102
2103 /**
2104 * smack_task_setnice - Smack check on setting nice
2105 * @p: the task object
2106 * @nice: unused
2107 *
2108 * Return 0 if write access is permitted
2109 */
2110 static int smack_task_setnice(struct task_struct *p, int nice)
2111 {
2112 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2113 }
2114
2115 /**
2116 * smack_task_setioprio - Smack check on setting ioprio
2117 * @p: the task object
2118 * @ioprio: unused
2119 *
2120 * Return 0 if write access is permitted
2121 */
2122 static int smack_task_setioprio(struct task_struct *p, int ioprio)
2123 {
2124 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2125 }
2126
2127 /**
2128 * smack_task_getioprio - Smack check on reading ioprio
2129 * @p: the task object
2130 *
2131 * Return 0 if read access is permitted
2132 */
2133 static int smack_task_getioprio(struct task_struct *p)
2134 {
2135 return smk_curacc_on_task(p, MAY_READ, __func__);
2136 }
2137
2138 /**
2139 * smack_task_setscheduler - Smack check on setting scheduler
2140 * @p: the task object
2141 *
2142 * Return 0 if read access is permitted
2143 */
2144 static int smack_task_setscheduler(struct task_struct *p)
2145 {
2146 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2147 }
2148
2149 /**
2150 * smack_task_getscheduler - Smack check on reading scheduler
2151 * @p: the task object
2152 *
2153 * Return 0 if read access is permitted
2154 */
2155 static int smack_task_getscheduler(struct task_struct *p)
2156 {
2157 return smk_curacc_on_task(p, MAY_READ, __func__);
2158 }
2159
2160 /**
2161 * smack_task_movememory - Smack check on moving memory
2162 * @p: the task object
2163 *
2164 * Return 0 if write access is permitted
2165 */
2166 static int smack_task_movememory(struct task_struct *p)
2167 {
2168 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2169 }
2170
2171 /**
2172 * smack_task_kill - Smack check on signal delivery
2173 * @p: the task object
2174 * @info: unused
2175 * @sig: unused
2176 * @cred: identifies the cred to use in lieu of current's
2177 *
2178 * Return 0 if write access is permitted
2179 *
2180 */
2181 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info,
2182 int sig, const struct cred *cred)
2183 {
2184 struct smk_audit_info ad;
2185 struct smack_known *skp;
2186 struct smack_known *tkp = smk_of_task_struct(p);
2187 int rc;
2188
2189 if (!sig)
2190 return 0; /* null signal; existence test */
2191
2192 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
2193 smk_ad_setfield_u_tsk(&ad, p);
2194 /*
2195 * Sending a signal requires that the sender
2196 * can write the receiver.
2197 */
2198 if (cred == NULL) {
2199 rc = smk_curacc(tkp, MAY_DELIVER, &ad);
2200 rc = smk_bu_task(p, MAY_DELIVER, rc);
2201 return rc;
2202 }
2203 /*
2204 * If the cred isn't NULL we're dealing with some USB IO
2205 * specific behavior. This is not clean. For one thing
2206 * we can't take privilege into account.
2207 */
2208 skp = smk_of_task(smack_cred(cred));
2209 rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
2210 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
2211 return rc;
2212 }
2213
2214 /**
2215 * smack_task_to_inode - copy task smack into the inode blob
2216 * @p: task to copy from
2217 * @inode: inode to copy to
2218 *
2219 * Sets the smack pointer in the inode security blob
2220 */
2221 static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
2222 {
2223 struct inode_smack *isp = smack_inode(inode);
2224 struct smack_known *skp = smk_of_task_struct(p);
2225
2226 isp->smk_inode = skp;
2227 isp->smk_flags |= SMK_INODE_INSTANT;
2228 }
2229
2230 /*
2231 * Socket hooks.
2232 */
2233
2234 /**
2235 * smack_sk_alloc_security - Allocate a socket blob
2236 * @sk: the socket
2237 * @family: unused
2238 * @gfp_flags: memory allocation flags
2239 *
2240 * Assign Smack pointers to current
2241 *
2242 * Returns 0 on success, -ENOMEM is there's no memory
2243 */
2244 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
2245 {
2246 struct smack_known *skp = smk_of_current();
2247 struct socket_smack *ssp;
2248
2249 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
2250 if (ssp == NULL)
2251 return -ENOMEM;
2252
2253 /*
2254 * Sockets created by kernel threads receive web label.
2255 */
2256 if (unlikely(current->flags & PF_KTHREAD)) {
2257 ssp->smk_in = &smack_known_web;
2258 ssp->smk_out = &smack_known_web;
2259 } else {
2260 ssp->smk_in = skp;
2261 ssp->smk_out = skp;
2262 }
2263 ssp->smk_packet = NULL;
2264
2265 sk->sk_security = ssp;
2266
2267 return 0;
2268 }
2269
2270 /**
2271 * smack_sk_free_security - Free a socket blob
2272 * @sk: the socket
2273 *
2274 * Clears the blob pointer
2275 */
2276 static void smack_sk_free_security(struct sock *sk)
2277 {
2278 #ifdef SMACK_IPV6_PORT_LABELING
2279 struct smk_port_label *spp;
2280
2281 if (sk->sk_family == PF_INET6) {
2282 rcu_read_lock();
2283 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
2284 if (spp->smk_sock != sk)
2285 continue;
2286 spp->smk_can_reuse = 1;
2287 break;
2288 }
2289 rcu_read_unlock();
2290 }
2291 #endif
2292 kfree(sk->sk_security);
2293 }
2294
2295 /**
2296 * smack_ipv4host_label - check host based restrictions
2297 * @sip: the object end
2298 *
2299 * looks for host based access restrictions
2300 *
2301 * This version will only be appropriate for really small sets of single label
2302 * hosts. The caller is responsible for ensuring that the RCU read lock is
2303 * taken before calling this function.
2304 *
2305 * Returns the label of the far end or NULL if it's not special.
2306 */
2307 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
2308 {
2309 struct smk_net4addr *snp;
2310 struct in_addr *siap = &sip->sin_addr;
2311
2312 if (siap->s_addr == 0)
2313 return NULL;
2314
2315 list_for_each_entry_rcu(snp, &smk_net4addr_list, list)
2316 /*
2317 * we break after finding the first match because
2318 * the list is sorted from longest to shortest mask
2319 * so we have found the most specific match
2320 */
2321 if (snp->smk_host.s_addr ==
2322 (siap->s_addr & snp->smk_mask.s_addr))
2323 return snp->smk_label;
2324
2325 return NULL;
2326 }
2327
2328 #if IS_ENABLED(CONFIG_IPV6)
2329 /*
2330 * smk_ipv6_localhost - Check for local ipv6 host address
2331 * @sip: the address
2332 *
2333 * Returns boolean true if this is the localhost address
2334 */
2335 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip)
2336 {
2337 __be16 *be16p = (__be16 *)&sip->sin6_addr;
2338 __be32 *be32p = (__be32 *)&sip->sin6_addr;
2339
2340 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 &&
2341 ntohs(be16p[7]) == 1)
2342 return true;
2343 return false;
2344 }
2345
2346 /**
2347 * smack_ipv6host_label - check host based restrictions
2348 * @sip: the object end
2349 *
2350 * looks for host based access restrictions
2351 *
2352 * This version will only be appropriate for really small sets of single label
2353 * hosts. The caller is responsible for ensuring that the RCU read lock is
2354 * taken before calling this function.
2355 *
2356 * Returns the label of the far end or NULL if it's not special.
2357 */
2358 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
2359 {
2360 struct smk_net6addr *snp;
2361 struct in6_addr *sap = &sip->sin6_addr;
2362 int i;
2363 int found = 0;
2364
2365 /*
2366 * It's local. Don't look for a host label.
2367 */
2368 if (smk_ipv6_localhost(sip))
2369 return NULL;
2370
2371 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
2372 /*
2373 * If the label is NULL the entry has
2374 * been renounced. Ignore it.
2375 */
2376 if (snp->smk_label == NULL)
2377 continue;
2378 /*
2379 * we break after finding the first match because
2380 * the list is sorted from longest to shortest mask
2381 * so we have found the most specific match
2382 */
2383 for (found = 1, i = 0; i < 8; i++) {
2384 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
2385 snp->smk_host.s6_addr16[i]) {
2386 found = 0;
2387 break;
2388 }
2389 }
2390 if (found)
2391 return snp->smk_label;
2392 }
2393
2394 return NULL;
2395 }
2396 #endif /* CONFIG_IPV6 */
2397
2398 /**
2399 * smack_netlabel - Set the secattr on a socket
2400 * @sk: the socket
2401 * @labeled: socket label scheme
2402 *
2403 * Convert the outbound smack value (smk_out) to a
2404 * secattr and attach it to the socket.
2405 *
2406 * Returns 0 on success or an error code
2407 */
2408 static int smack_netlabel(struct sock *sk, int labeled)
2409 {
2410 struct smack_known *skp;
2411 struct socket_smack *ssp = sk->sk_security;
2412 int rc = 0;
2413
2414 /*
2415 * Usually the netlabel code will handle changing the
2416 * packet labeling based on the label.
2417 * The case of a single label host is different, because
2418 * a single label host should never get a labeled packet
2419 * even though the label is usually associated with a packet
2420 * label.
2421 */
2422 local_bh_disable();
2423 bh_lock_sock_nested(sk);
2424
2425 if (ssp->smk_out == smack_net_ambient ||
2426 labeled == SMACK_UNLABELED_SOCKET)
2427 netlbl_sock_delattr(sk);
2428 else {
2429 skp = ssp->smk_out;
2430 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
2431 }
2432
2433 bh_unlock_sock(sk);
2434 local_bh_enable();
2435
2436 return rc;
2437 }
2438
2439 /**
2440 * smack_netlbel_send - Set the secattr on a socket and perform access checks
2441 * @sk: the socket
2442 * @sap: the destination address
2443 *
2444 * Set the correct secattr for the given socket based on the destination
2445 * address and perform any outbound access checks needed.
2446 *
2447 * Returns 0 on success or an error code.
2448 *
2449 */
2450 static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
2451 {
2452 struct smack_known *skp;
2453 int rc;
2454 int sk_lbl;
2455 struct smack_known *hkp;
2456 struct socket_smack *ssp = sk->sk_security;
2457 struct smk_audit_info ad;
2458
2459 rcu_read_lock();
2460 hkp = smack_ipv4host_label(sap);
2461 if (hkp != NULL) {
2462 #ifdef CONFIG_AUDIT
2463 struct lsm_network_audit net;
2464
2465 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2466 ad.a.u.net->family = sap->sin_family;
2467 ad.a.u.net->dport = sap->sin_port;
2468 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
2469 #endif
2470 sk_lbl = SMACK_UNLABELED_SOCKET;
2471 skp = ssp->smk_out;
2472 rc = smk_access(skp, hkp, MAY_WRITE, &ad);
2473 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
2474 } else {
2475 sk_lbl = SMACK_CIPSO_SOCKET;
2476 rc = 0;
2477 }
2478 rcu_read_unlock();
2479 if (rc != 0)
2480 return rc;
2481
2482 return smack_netlabel(sk, sk_lbl);
2483 }
2484
2485 #if IS_ENABLED(CONFIG_IPV6)
2486 /**
2487 * smk_ipv6_check - check Smack access
2488 * @subject: subject Smack label
2489 * @object: object Smack label
2490 * @address: address
2491 * @act: the action being taken
2492 *
2493 * Check an IPv6 access
2494 */
2495 static int smk_ipv6_check(struct smack_known *subject,
2496 struct smack_known *object,
2497 struct sockaddr_in6 *address, int act)
2498 {
2499 #ifdef CONFIG_AUDIT
2500 struct lsm_network_audit net;
2501 #endif
2502 struct smk_audit_info ad;
2503 int rc;
2504
2505 #ifdef CONFIG_AUDIT
2506 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2507 ad.a.u.net->family = PF_INET6;
2508 ad.a.u.net->dport = ntohs(address->sin6_port);
2509 if (act == SMK_RECEIVING)
2510 ad.a.u.net->v6info.saddr = address->sin6_addr;
2511 else
2512 ad.a.u.net->v6info.daddr = address->sin6_addr;
2513 #endif
2514 rc = smk_access(subject, object, MAY_WRITE, &ad);
2515 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
2516 return rc;
2517 }
2518 #endif /* CONFIG_IPV6 */
2519
2520 #ifdef SMACK_IPV6_PORT_LABELING
2521 /**
2522 * smk_ipv6_port_label - Smack port access table management
2523 * @sock: socket
2524 * @address: address
2525 *
2526 * Create or update the port list entry
2527 */
2528 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
2529 {
2530 struct sock *sk = sock->sk;
2531 struct sockaddr_in6 *addr6;
2532 struct socket_smack *ssp = sock->sk->sk_security;
2533 struct smk_port_label *spp;
2534 unsigned short port = 0;
2535
2536 if (address == NULL) {
2537 /*
2538 * This operation is changing the Smack information
2539 * on the bound socket. Take the changes to the port
2540 * as well.
2541 */
2542 rcu_read_lock();
2543 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
2544 if (sk != spp->smk_sock)
2545 continue;
2546 spp->smk_in = ssp->smk_in;
2547 spp->smk_out = ssp->smk_out;
2548 rcu_read_unlock();
2549 return;
2550 }
2551 /*
2552 * A NULL address is only used for updating existing
2553 * bound entries. If there isn't one, it's OK.
2554 */
2555 rcu_read_unlock();
2556 return;
2557 }
2558
2559 addr6 = (struct sockaddr_in6 *)address;
2560 port = ntohs(addr6->sin6_port);
2561 /*
2562 * This is a special case that is safely ignored.
2563 */
2564 if (port == 0)
2565 return;
2566
2567 /*
2568 * Look for an existing port list entry.
2569 * This is an indication that a port is getting reused.
2570 */
2571 rcu_read_lock();
2572 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
2573 if (spp->smk_port != port || spp->smk_sock_type != sock->type)
2574 continue;
2575 if (spp->smk_can_reuse != 1) {
2576 rcu_read_unlock();
2577 return;
2578 }
2579 spp->smk_port = port;
2580 spp->smk_sock = sk;
2581 spp->smk_in = ssp->smk_in;
2582 spp->smk_out = ssp->smk_out;
2583 spp->smk_can_reuse = 0;
2584 rcu_read_unlock();
2585 return;
2586 }
2587 rcu_read_unlock();
2588 /*
2589 * A new port entry is required.
2590 */
2591 spp = kzalloc(sizeof(*spp), GFP_KERNEL);
2592 if (spp == NULL)
2593 return;
2594
2595 spp->smk_port = port;
2596 spp->smk_sock = sk;
2597 spp->smk_in = ssp->smk_in;
2598 spp->smk_out = ssp->smk_out;
2599 spp->smk_sock_type = sock->type;
2600 spp->smk_can_reuse = 0;
2601
2602 mutex_lock(&smack_ipv6_lock);
2603 list_add_rcu(&spp->list, &smk_ipv6_port_list);
2604 mutex_unlock(&smack_ipv6_lock);
2605 return;
2606 }
2607
2608 /**
2609 * smk_ipv6_port_check - check Smack port access
2610 * @sk: socket
2611 * @address: address
2612 * @act: the action being taken
2613 *
2614 * Create or update the port list entry
2615 */
2616 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2617 int act)
2618 {
2619 struct smk_port_label *spp;
2620 struct socket_smack *ssp = sk->sk_security;
2621 struct smack_known *skp = NULL;
2622 unsigned short port;
2623 struct smack_known *object;
2624
2625 if (act == SMK_RECEIVING) {
2626 skp = smack_ipv6host_label(address);
2627 object = ssp->smk_in;
2628 } else {
2629 skp = ssp->smk_out;
2630 object = smack_ipv6host_label(address);
2631 }
2632
2633 /*
2634 * The other end is a single label host.
2635 */
2636 if (skp != NULL && object != NULL)
2637 return smk_ipv6_check(skp, object, address, act);
2638 if (skp == NULL)
2639 skp = smack_net_ambient;
2640 if (object == NULL)
2641 object = smack_net_ambient;
2642
2643 /*
2644 * It's remote, so port lookup does no good.
2645 */
2646 if (!smk_ipv6_localhost(address))
2647 return smk_ipv6_check(skp, object, address, act);
2648
2649 /*
2650 * It's local so the send check has to have passed.
2651 */
2652 if (act == SMK_RECEIVING)
2653 return 0;
2654
2655 port = ntohs(address->sin6_port);
2656 rcu_read_lock();
2657 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
2658 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type)
2659 continue;
2660 object = spp->smk_in;
2661 if (act == SMK_CONNECTING)
2662 ssp->smk_packet = spp->smk_out;
2663 break;
2664 }
2665 rcu_read_unlock();
2666
2667 return smk_ipv6_check(skp, object, address, act);
2668 }
2669 #endif /* SMACK_IPV6_PORT_LABELING */
2670
2671 /**
2672 * smack_inode_setsecurity - set smack xattrs
2673 * @inode: the object
2674 * @name: attribute name
2675 * @value: attribute value
2676 * @size: size of the attribute
2677 * @flags: unused
2678 *
2679 * Sets the named attribute in the appropriate blob
2680 *
2681 * Returns 0 on success, or an error code
2682 */
2683 static int smack_inode_setsecurity(struct inode *inode, const char *name,
2684 const void *value, size_t size, int flags)
2685 {
2686 struct smack_known *skp;
2687 struct inode_smack *nsp = smack_inode(inode);
2688 struct socket_smack *ssp;
2689 struct socket *sock;
2690 int rc = 0;
2691
2692 if (value == NULL || size > SMK_LONGLABEL || size == 0)
2693 return -EINVAL;
2694
2695 skp = smk_import_entry(value, size);
2696 if (IS_ERR(skp))
2697 return PTR_ERR(skp);
2698
2699 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
2700 nsp->smk_inode = skp;
2701 nsp->smk_flags |= SMK_INODE_INSTANT;
2702 return 0;
2703 }
2704 /*
2705 * The rest of the Smack xattrs are only on sockets.
2706 */
2707 if (inode->i_sb->s_magic != SOCKFS_MAGIC)
2708 return -EOPNOTSUPP;
2709
2710 sock = SOCKET_I(inode);
2711 if (sock == NULL || sock->sk == NULL)
2712 return -EOPNOTSUPP;
2713
2714 ssp = sock->sk->sk_security;
2715
2716 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
2717 ssp->smk_in = skp;
2718 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
2719 ssp->smk_out = skp;
2720 if (sock->sk->sk_family == PF_INET) {
2721 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2722 if (rc != 0)
2723 printk(KERN_WARNING
2724 "Smack: \"%s\" netlbl error %d.\n",
2725 __func__, -rc);
2726 }
2727 } else
2728 return -EOPNOTSUPP;
2729
2730 #ifdef SMACK_IPV6_PORT_LABELING
2731 if (sock->sk->sk_family == PF_INET6)
2732 smk_ipv6_port_label(sock, NULL);
2733 #endif
2734
2735 return 0;
2736 }
2737
2738 /**
2739 * smack_socket_post_create - finish socket setup
2740 * @sock: the socket
2741 * @family: protocol family
2742 * @type: unused
2743 * @protocol: unused
2744 * @kern: unused
2745 *
2746 * Sets the netlabel information on the socket
2747 *
2748 * Returns 0 on success, and error code otherwise
2749 */
2750 static int smack_socket_post_create(struct socket *sock, int family,
2751 int type, int protocol, int kern)
2752 {
2753 struct socket_smack *ssp;
2754
2755 if (sock->sk == NULL)
2756 return 0;
2757
2758 /*
2759 * Sockets created by kernel threads receive web label.
2760 */
2761 if (unlikely(current->flags & PF_KTHREAD)) {
2762 ssp = sock->sk->sk_security;
2763 ssp->smk_in = &smack_known_web;
2764 ssp->smk_out = &smack_known_web;
2765 }
2766
2767 if (family != PF_INET)
2768 return 0;
2769 /*
2770 * Set the outbound netlbl.
2771 */
2772 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2773 }
2774
2775 /**
2776 * smack_socket_socketpair - create socket pair
2777 * @socka: one socket
2778 * @sockb: another socket
2779 *
2780 * Cross reference the peer labels for SO_PEERSEC
2781 *
2782 * Returns 0
2783 */
2784 static int smack_socket_socketpair(struct socket *socka,
2785 struct socket *sockb)
2786 {
2787 struct socket_smack *asp = socka->sk->sk_security;
2788 struct socket_smack *bsp = sockb->sk->sk_security;
2789
2790 asp->smk_packet = bsp->smk_out;
2791 bsp->smk_packet = asp->smk_out;
2792
2793 return 0;
2794 }
2795
2796 #ifdef SMACK_IPV6_PORT_LABELING
2797 /**
2798 * smack_socket_bind - record port binding information.
2799 * @sock: the socket
2800 * @address: the port address
2801 * @addrlen: size of the address
2802 *
2803 * Records the label bound to a port.
2804 *
2805 * Returns 0 on success, and error code otherwise
2806 */
2807 static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
2808 int addrlen)
2809 {
2810 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) {
2811 if (addrlen < SIN6_LEN_RFC2133 ||
2812 address->sa_family != AF_INET6)
2813 return -EINVAL;
2814 smk_ipv6_port_label(sock, address);
2815 }
2816 return 0;
2817 }
2818 #endif /* SMACK_IPV6_PORT_LABELING */
2819
2820 /**
2821 * smack_socket_connect - connect access check
2822 * @sock: the socket
2823 * @sap: the other end
2824 * @addrlen: size of sap
2825 *
2826 * Verifies that a connection may be possible
2827 *
2828 * Returns 0 on success, and error code otherwise
2829 */
2830 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
2831 int addrlen)
2832 {
2833 int rc = 0;
2834 #if IS_ENABLED(CONFIG_IPV6)
2835 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
2836 #endif
2837 #ifdef SMACK_IPV6_SECMARK_LABELING
2838 struct smack_known *rsp;
2839 struct socket_smack *ssp;
2840 #endif
2841
2842 if (sock->sk == NULL)
2843 return 0;
2844
2845 #ifdef SMACK_IPV6_SECMARK_LABELING
2846 ssp = sock->sk->sk_security;
2847 #endif
2848
2849 switch (sock->sk->sk_family) {
2850 case PF_INET:
2851 if (addrlen < sizeof(struct sockaddr_in) ||
2852 sap->sa_family != AF_INET)
2853 return -EINVAL;
2854 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
2855 break;
2856 case PF_INET6:
2857 if (addrlen < SIN6_LEN_RFC2133 || sap->sa_family != AF_INET6)
2858 return -EINVAL;
2859 #ifdef SMACK_IPV6_SECMARK_LABELING
2860 rsp = smack_ipv6host_label(sip);
2861 if (rsp != NULL)
2862 rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
2863 SMK_CONNECTING);
2864 #endif
2865 #ifdef SMACK_IPV6_PORT_LABELING
2866 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
2867 #endif
2868 break;
2869 }
2870 return rc;
2871 }
2872
2873 /**
2874 * smack_flags_to_may - convert S_ to MAY_ values
2875 * @flags: the S_ value
2876 *
2877 * Returns the equivalent MAY_ value
2878 */
2879 static int smack_flags_to_may(int flags)
2880 {
2881 int may = 0;
2882
2883 if (flags & S_IRUGO)
2884 may |= MAY_READ;
2885 if (flags & S_IWUGO)
2886 may |= MAY_WRITE;
2887 if (flags & S_IXUGO)
2888 may |= MAY_EXEC;
2889
2890 return may;
2891 }
2892
2893 /**
2894 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
2895 * @msg: the object
2896 *
2897 * Returns 0
2898 */
2899 static int smack_msg_msg_alloc_security(struct msg_msg *msg)
2900 {
2901 struct smack_known **blob = smack_msg_msg(msg);
2902
2903 *blob = smk_of_current();
2904 return 0;
2905 }
2906
2907 /**
2908 * smack_of_ipc - the smack pointer for the ipc
2909 * @isp: the object
2910 *
2911 * Returns a pointer to the smack value
2912 */
2913 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp)
2914 {
2915 struct smack_known **blob = smack_ipc(isp);
2916
2917 return *blob;
2918 }
2919
2920 /**
2921 * smack_ipc_alloc_security - Set the security blob for ipc
2922 * @isp: the object
2923 *
2924 * Returns 0
2925 */
2926 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp)
2927 {
2928 struct smack_known **blob = smack_ipc(isp);
2929
2930 *blob = smk_of_current();
2931 return 0;
2932 }
2933
2934 /**
2935 * smk_curacc_shm : check if current has access on shm
2936 * @isp : the object
2937 * @access : access requested
2938 *
2939 * Returns 0 if current has the requested access, error code otherwise
2940 */
2941 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access)
2942 {
2943 struct smack_known *ssp = smack_of_ipc(isp);
2944 struct smk_audit_info ad;
2945 int rc;
2946
2947 #ifdef CONFIG_AUDIT
2948 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2949 ad.a.u.ipc_id = isp->id;
2950 #endif
2951 rc = smk_curacc(ssp, access, &ad);
2952 rc = smk_bu_current("shm", ssp, access, rc);
2953 return rc;
2954 }
2955
2956 /**
2957 * smack_shm_associate - Smack access check for shm
2958 * @isp: the object
2959 * @shmflg: access requested
2960 *
2961 * Returns 0 if current has the requested access, error code otherwise
2962 */
2963 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg)
2964 {
2965 int may;
2966
2967 may = smack_flags_to_may(shmflg);
2968 return smk_curacc_shm(isp, may);
2969 }
2970
2971 /**
2972 * smack_shm_shmctl - Smack access check for shm
2973 * @isp: the object
2974 * @cmd: what it wants to do
2975 *
2976 * Returns 0 if current has the requested access, error code otherwise
2977 */
2978 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd)
2979 {
2980 int may;
2981
2982 switch (cmd) {
2983 case IPC_STAT:
2984 case SHM_STAT:
2985 case SHM_STAT_ANY:
2986 may = MAY_READ;
2987 break;
2988 case IPC_SET:
2989 case SHM_LOCK:
2990 case SHM_UNLOCK:
2991 case IPC_RMID:
2992 may = MAY_READWRITE;
2993 break;
2994 case IPC_INFO:
2995 case SHM_INFO:
2996 /*
2997 * System level information.
2998 */
2999 return 0;
3000 default:
3001 return -EINVAL;
3002 }
3003 return smk_curacc_shm(isp, may);
3004 }
3005
3006 /**
3007 * smack_shm_shmat - Smack access for shmat
3008 * @isp: the object
3009 * @shmaddr: unused
3010 * @shmflg: access requested
3011 *
3012 * Returns 0 if current has the requested access, error code otherwise
3013 */
3014 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr,
3015 int shmflg)
3016 {
3017 int may;
3018
3019 may = smack_flags_to_may(shmflg);
3020 return smk_curacc_shm(isp, may);
3021 }
3022
3023 /**
3024 * smk_curacc_sem : check if current has access on sem
3025 * @isp : the object
3026 * @access : access requested
3027 *
3028 * Returns 0 if current has the requested access, error code otherwise
3029 */
3030 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access)
3031 {
3032 struct smack_known *ssp = smack_of_ipc(isp);
3033 struct smk_audit_info ad;
3034 int rc;
3035
3036 #ifdef CONFIG_AUDIT
3037 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3038 ad.a.u.ipc_id = isp->id;
3039 #endif
3040 rc = smk_curacc(ssp, access, &ad);
3041 rc = smk_bu_current("sem", ssp, access, rc);
3042 return rc;
3043 }
3044
3045 /**
3046 * smack_sem_associate - Smack access check for sem
3047 * @isp: the object
3048 * @semflg: access requested
3049 *
3050 * Returns 0 if current has the requested access, error code otherwise
3051 */
3052 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg)
3053 {
3054 int may;
3055
3056 may = smack_flags_to_may(semflg);
3057 return smk_curacc_sem(isp, may);
3058 }
3059
3060 /**
3061 * smack_sem_shmctl - Smack access check for sem
3062 * @isp: the object
3063 * @cmd: what it wants to do
3064 *
3065 * Returns 0 if current has the requested access, error code otherwise
3066 */
3067 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd)
3068 {
3069 int may;
3070
3071 switch (cmd) {
3072 case GETPID:
3073 case GETNCNT:
3074 case GETZCNT:
3075 case GETVAL:
3076 case GETALL:
3077 case IPC_STAT:
3078 case SEM_STAT:
3079 case SEM_STAT_ANY:
3080 may = MAY_READ;
3081 break;
3082 case SETVAL:
3083 case SETALL:
3084 case IPC_RMID:
3085 case IPC_SET:
3086 may = MAY_READWRITE;
3087 break;
3088 case IPC_INFO:
3089 case SEM_INFO:
3090 /*
3091 * System level information
3092 */
3093 return 0;
3094 default:
3095 return -EINVAL;
3096 }
3097
3098 return smk_curacc_sem(isp, may);
3099 }
3100
3101 /**
3102 * smack_sem_semop - Smack checks of semaphore operations
3103 * @isp: the object
3104 * @sops: unused
3105 * @nsops: unused
3106 * @alter: unused
3107 *
3108 * Treated as read and write in all cases.
3109 *
3110 * Returns 0 if access is allowed, error code otherwise
3111 */
3112 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops,
3113 unsigned nsops, int alter)
3114 {
3115 return smk_curacc_sem(isp, MAY_READWRITE);
3116 }
3117
3118 /**
3119 * smk_curacc_msq : helper to check if current has access on msq
3120 * @isp : the msq
3121 * @access : access requested
3122 *
3123 * return 0 if current has access, error otherwise
3124 */
3125 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access)
3126 {
3127 struct smack_known *msp = smack_of_ipc(isp);
3128 struct smk_audit_info ad;
3129 int rc;
3130
3131 #ifdef CONFIG_AUDIT
3132 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3133 ad.a.u.ipc_id = isp->id;
3134 #endif
3135 rc = smk_curacc(msp, access, &ad);
3136 rc = smk_bu_current("msq", msp, access, rc);
3137 return rc;
3138 }
3139
3140 /**
3141 * smack_msg_queue_associate - Smack access check for msg_queue
3142 * @isp: the object
3143 * @msqflg: access requested
3144 *
3145 * Returns 0 if current has the requested access, error code otherwise
3146 */
3147 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg)
3148 {
3149 int may;
3150
3151 may = smack_flags_to_may(msqflg);
3152 return smk_curacc_msq(isp, may);
3153 }
3154
3155 /**
3156 * smack_msg_queue_msgctl - Smack access check for msg_queue
3157 * @isp: the object
3158 * @cmd: what it wants to do
3159 *
3160 * Returns 0 if current has the requested access, error code otherwise
3161 */
3162 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd)
3163 {
3164 int may;
3165
3166 switch (cmd) {
3167 case IPC_STAT:
3168 case MSG_STAT:
3169 case MSG_STAT_ANY:
3170 may = MAY_READ;
3171 break;
3172 case IPC_SET:
3173 case IPC_RMID:
3174 may = MAY_READWRITE;
3175 break;
3176 case IPC_INFO:
3177 case MSG_INFO:
3178 /*
3179 * System level information
3180 */
3181 return 0;
3182 default:
3183 return -EINVAL;
3184 }
3185
3186 return smk_curacc_msq(isp, may);
3187 }
3188
3189 /**
3190 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3191 * @isp: the object
3192 * @msg: unused
3193 * @msqflg: access requested
3194 *
3195 * Returns 0 if current has the requested access, error code otherwise
3196 */
3197 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg,
3198 int msqflg)
3199 {
3200 int may;
3201
3202 may = smack_flags_to_may(msqflg);
3203 return smk_curacc_msq(isp, may);
3204 }
3205
3206 /**
3207 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3208 * @isp: the object
3209 * @msg: unused
3210 * @target: unused
3211 * @type: unused
3212 * @mode: unused
3213 *
3214 * Returns 0 if current has read and write access, error code otherwise
3215 */
3216 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, struct msg_msg *msg,
3217 struct task_struct *target, long type, int mode)
3218 {
3219 return smk_curacc_msq(isp, MAY_READWRITE);
3220 }
3221
3222 /**
3223 * smack_ipc_permission - Smack access for ipc_permission()
3224 * @ipp: the object permissions
3225 * @flag: access requested
3226 *
3227 * Returns 0 if current has read and write access, error code otherwise
3228 */
3229 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
3230 {
3231 struct smack_known **blob = smack_ipc(ipp);
3232 struct smack_known *iskp = *blob;
3233 int may = smack_flags_to_may(flag);
3234 struct smk_audit_info ad;
3235 int rc;
3236
3237 #ifdef CONFIG_AUDIT
3238 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3239 ad.a.u.ipc_id = ipp->id;
3240 #endif
3241 rc = smk_curacc(iskp, may, &ad);
3242 rc = smk_bu_current("svipc", iskp, may, rc);
3243 return rc;
3244 }
3245
3246 /**
3247 * smack_ipc_getsecid - Extract smack security id
3248 * @ipp: the object permissions
3249 * @secid: where result will be saved
3250 */
3251 static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
3252 {
3253 struct smack_known **blob = smack_ipc(ipp);
3254 struct smack_known *iskp = *blob;
3255
3256 *secid = iskp->smk_secid;
3257 }
3258
3259 /**
3260 * smack_d_instantiate - Make sure the blob is correct on an inode
3261 * @opt_dentry: dentry where inode will be attached
3262 * @inode: the object
3263 *
3264 * Set the inode's security blob if it hasn't been done already.
3265 */
3266 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3267 {
3268 struct super_block *sbp;
3269 struct superblock_smack *sbsp;
3270 struct inode_smack *isp;
3271 struct smack_known *skp;
3272 struct smack_known *ckp = smk_of_current();
3273 struct smack_known *final;
3274 char trattr[TRANS_TRUE_SIZE];
3275 int transflag = 0;
3276 int rc;
3277 struct dentry *dp;
3278
3279 if (inode == NULL)
3280 return;
3281
3282 isp = smack_inode(inode);
3283
3284 mutex_lock(&isp->smk_lock);
3285 /*
3286 * If the inode is already instantiated
3287 * take the quick way out
3288 */
3289 if (isp->smk_flags & SMK_INODE_INSTANT)
3290 goto unlockandout;
3291
3292 sbp = inode->i_sb;
3293 sbsp = sbp->s_security;
3294 /*
3295 * We're going to use the superblock default label
3296 * if there's no label on the file.
3297 */
3298 final = sbsp->smk_default;
3299
3300 /*
3301 * If this is the root inode the superblock
3302 * may be in the process of initialization.
3303 * If that is the case use the root value out
3304 * of the superblock.
3305 */
3306 if (opt_dentry->d_parent == opt_dentry) {
3307 switch (sbp->s_magic) {
3308 case CGROUP_SUPER_MAGIC:
3309 case CGROUP2_SUPER_MAGIC:
3310 /*
3311 * The cgroup filesystem is never mounted,
3312 * so there's no opportunity to set the mount
3313 * options.
3314 */
3315 sbsp->smk_root = &smack_known_star;
3316 sbsp->smk_default = &smack_known_star;
3317 isp->smk_inode = sbsp->smk_root;
3318 break;
3319 case TMPFS_MAGIC:
3320 /*
3321 * What about shmem/tmpfs anonymous files with dentry
3322 * obtained from d_alloc_pseudo()?
3323 */
3324 isp->smk_inode = smk_of_current();
3325 break;
3326 case PIPEFS_MAGIC:
3327 isp->smk_inode = smk_of_current();
3328 break;
3329 case SOCKFS_MAGIC:
3330 /*
3331 * Socket access is controlled by the socket
3332 * structures associated with the task involved.
3333 */
3334 isp->smk_inode = &smack_known_star;
3335 break;
3336 default:
3337 isp->smk_inode = sbsp->smk_root;
3338 break;
3339 }
3340 isp->smk_flags |= SMK_INODE_INSTANT;
3341 goto unlockandout;
3342 }
3343
3344 /*
3345 * This is pretty hackish.
3346 * Casey says that we shouldn't have to do
3347 * file system specific code, but it does help
3348 * with keeping it simple.
3349 */
3350 switch (sbp->s_magic) {
3351 case SMACK_MAGIC:
3352 case CGROUP_SUPER_MAGIC:
3353 case CGROUP2_SUPER_MAGIC:
3354 /*
3355 * Casey says that it's a little embarrassing
3356 * that the smack file system doesn't do
3357 * extended attributes.
3358 *
3359 * Cgroupfs is special
3360 */
3361 final = &smack_known_star;
3362 break;
3363 case DEVPTS_SUPER_MAGIC:
3364 /*
3365 * devpts seems content with the label of the task.
3366 * Programs that change smack have to treat the
3367 * pty with respect.
3368 */
3369 final = ckp;
3370 break;
3371 case PROC_SUPER_MAGIC:
3372 /*
3373 * Casey says procfs appears not to care.
3374 * The superblock default suffices.
3375 */
3376 break;
3377 case TMPFS_MAGIC:
3378 /*
3379 * Device labels should come from the filesystem,
3380 * but watch out, because they're volitile,
3381 * getting recreated on every reboot.
3382 */
3383 final = &smack_known_star;
3384 /*
3385 * If a smack value has been set we want to use it,
3386 * but since tmpfs isn't giving us the opportunity
3387 * to set mount options simulate setting the
3388 * superblock default.
3389 */
3390 /* Fall through */
3391 default:
3392 /*
3393 * This isn't an understood special case.
3394 * Get the value from the xattr.
3395 */
3396
3397 /*
3398 * UNIX domain sockets use lower level socket data.
3399 */
3400 if (S_ISSOCK(inode->i_mode)) {
3401 final = &smack_known_star;
3402 break;
3403 }
3404 /*
3405 * No xattr support means, alas, no SMACK label.
3406 * Use the aforeapplied default.
3407 * It would be curious if the label of the task
3408 * does not match that assigned.
3409 */
3410 if (!(inode->i_opflags & IOP_XATTR))
3411 break;
3412 /*
3413 * Get the dentry for xattr.
3414 */
3415 dp = dget(opt_dentry);
3416 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp);
3417 if (!IS_ERR_OR_NULL(skp))
3418 final = skp;
3419
3420 /*
3421 * Transmuting directory
3422 */
3423 if (S_ISDIR(inode->i_mode)) {
3424 /*
3425 * If this is a new directory and the label was
3426 * transmuted when the inode was initialized
3427 * set the transmute attribute on the directory
3428 * and mark the inode.
3429 *
3430 * If there is a transmute attribute on the
3431 * directory mark the inode.
3432 */
3433 if (isp->smk_flags & SMK_INODE_CHANGED) {
3434 isp->smk_flags &= ~SMK_INODE_CHANGED;
3435 rc = __vfs_setxattr(dp, inode,
3436 XATTR_NAME_SMACKTRANSMUTE,
3437 TRANS_TRUE, TRANS_TRUE_SIZE,
3438 0);
3439 } else {
3440 rc = __vfs_getxattr(dp, inode,
3441 XATTR_NAME_SMACKTRANSMUTE, trattr,
3442 TRANS_TRUE_SIZE);
3443 if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
3444 TRANS_TRUE_SIZE) != 0)
3445 rc = -EINVAL;
3446 }
3447 if (rc >= 0)
3448 transflag = SMK_INODE_TRANSMUTE;
3449 }
3450 /*
3451 * Don't let the exec or mmap label be "*" or "@".
3452 */
3453 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
3454 if (IS_ERR(skp) || skp == &smack_known_star ||
3455 skp == &smack_known_web)
3456 skp = NULL;
3457 isp->smk_task = skp;
3458
3459 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
3460 if (IS_ERR(skp) || skp == &smack_known_star ||
3461 skp == &smack_known_web)
3462 skp = NULL;
3463 isp->smk_mmap = skp;
3464
3465 dput(dp);
3466 break;
3467 }
3468
3469 if (final == NULL)
3470 isp->smk_inode = ckp;
3471 else
3472 isp->smk_inode = final;
3473
3474 isp->smk_flags |= (SMK_INODE_INSTANT | transflag);
3475
3476 unlockandout:
3477 mutex_unlock(&isp->smk_lock);
3478 return;
3479 }
3480
3481 /**
3482 * smack_getprocattr - Smack process attribute access
3483 * @p: the object task
3484 * @name: the name of the attribute in /proc/.../attr
3485 * @value: where to put the result
3486 *
3487 * Places a copy of the task Smack into value
3488 *
3489 * Returns the length of the smack label or an error code
3490 */
3491 static int smack_getprocattr(struct task_struct *p, char *name, char **value)
3492 {
3493 struct smack_known *skp = smk_of_task_struct(p);
3494 char *cp;
3495 int slen;
3496
3497 if (strcmp(name, "current") != 0)
3498 return -EINVAL;
3499
3500 cp = kstrdup(skp->smk_known, GFP_KERNEL);
3501 if (cp == NULL)
3502 return -ENOMEM;
3503
3504 slen = strlen(cp);
3505 *value = cp;
3506 return slen;
3507 }
3508
3509 /**
3510 * smack_setprocattr - Smack process attribute setting
3511 * @name: the name of the attribute in /proc/.../attr
3512 * @value: the value to set
3513 * @size: the size of the value
3514 *
3515 * Sets the Smack value of the task. Only setting self
3516 * is permitted and only with privilege
3517 *
3518 * Returns the length of the smack label or an error code
3519 */
3520 static int smack_setprocattr(const char *name, void *value, size_t size)
3521 {
3522 struct task_smack *tsp = smack_cred(current_cred());
3523 struct cred *new;
3524 struct smack_known *skp;
3525 struct smack_known_list_elem *sklep;
3526 int rc;
3527
3528 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
3529 return -EPERM;
3530
3531 if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
3532 return -EINVAL;
3533
3534 if (strcmp(name, "current") != 0)
3535 return -EINVAL;
3536
3537 skp = smk_import_entry(value, size);
3538 if (IS_ERR(skp))
3539 return PTR_ERR(skp);
3540
3541 /*
3542 * No process is ever allowed the web ("@") label
3543 * and the star ("*") label.
3544 */
3545 if (skp == &smack_known_web || skp == &smack_known_star)
3546 return -EINVAL;
3547
3548 if (!smack_privileged(CAP_MAC_ADMIN)) {
3549 rc = -EPERM;
3550 list_for_each_entry(sklep, &tsp->smk_relabel, list)
3551 if (sklep->smk_label == skp) {
3552 rc = 0;
3553 break;
3554 }
3555 if (rc)
3556 return rc;
3557 }
3558
3559 new = prepare_creds();
3560 if (new == NULL)
3561 return -ENOMEM;
3562
3563 tsp = smack_cred(new);
3564 tsp->smk_task = skp;
3565 /*
3566 * process can change its label only once
3567 */
3568 smk_destroy_label_list(&tsp->smk_relabel);
3569
3570 commit_creds(new);
3571 return size;
3572 }
3573
3574 /**
3575 * smack_unix_stream_connect - Smack access on UDS
3576 * @sock: one sock
3577 * @other: the other sock
3578 * @newsk: unused
3579 *
3580 * Return 0 if a subject with the smack of sock could access
3581 * an object with the smack of other, otherwise an error code
3582 */
3583 static int smack_unix_stream_connect(struct sock *sock,
3584 struct sock *other, struct sock *newsk)
3585 {
3586 struct smack_known *skp;
3587 struct smack_known *okp;
3588 struct socket_smack *ssp = sock->sk_security;
3589 struct socket_smack *osp = other->sk_security;
3590 struct socket_smack *nsp = newsk->sk_security;
3591 struct smk_audit_info ad;
3592 int rc = 0;
3593 #ifdef CONFIG_AUDIT
3594 struct lsm_network_audit net;
3595 #endif
3596
3597 if (!smack_privileged(CAP_MAC_OVERRIDE)) {
3598 skp = ssp->smk_out;
3599 okp = osp->smk_in;
3600 #ifdef CONFIG_AUDIT
3601 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3602 smk_ad_setfield_u_net_sk(&ad, other);
3603 #endif
3604 rc = smk_access(skp, okp, MAY_WRITE, &ad);
3605 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
3606 if (rc == 0) {
3607 okp = osp->smk_out;
3608 skp = ssp->smk_in;
3609 rc = smk_access(okp, skp, MAY_WRITE, &ad);
3610 rc = smk_bu_note("UDS connect", okp, skp,
3611 MAY_WRITE, rc);
3612 }
3613 }
3614
3615 /*
3616 * Cross reference the peer labels for SO_PEERSEC.
3617 */
3618 if (rc == 0) {
3619 nsp->smk_packet = ssp->smk_out;
3620 ssp->smk_packet = osp->smk_out;
3621 }
3622
3623 return rc;
3624 }
3625
3626 /**
3627 * smack_unix_may_send - Smack access on UDS
3628 * @sock: one socket
3629 * @other: the other socket
3630 *
3631 * Return 0 if a subject with the smack of sock could access
3632 * an object with the smack of other, otherwise an error code
3633 */
3634 static int smack_unix_may_send(struct socket *sock, struct socket *other)
3635 {
3636 struct socket_smack *ssp = sock->sk->sk_security;
3637 struct socket_smack *osp = other->sk->sk_security;
3638 struct smk_audit_info ad;
3639 int rc;
3640
3641 #ifdef CONFIG_AUDIT
3642 struct lsm_network_audit net;
3643
3644 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3645 smk_ad_setfield_u_net_sk(&ad, other->sk);
3646 #endif
3647
3648 if (smack_privileged(CAP_MAC_OVERRIDE))
3649 return 0;
3650
3651 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
3652 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
3653 return rc;
3654 }
3655
3656 /**
3657 * smack_socket_sendmsg - Smack check based on destination host
3658 * @sock: the socket
3659 * @msg: the message
3660 * @size: the size of the message
3661 *
3662 * Return 0 if the current subject can write to the destination host.
3663 * For IPv4 this is only a question if the destination is a single label host.
3664 * For IPv6 this is a check against the label of the port.
3665 */
3666 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3667 int size)
3668 {
3669 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
3670 #if IS_ENABLED(CONFIG_IPV6)
3671 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
3672 #endif
3673 #ifdef SMACK_IPV6_SECMARK_LABELING
3674 struct socket_smack *ssp = sock->sk->sk_security;
3675 struct smack_known *rsp;
3676 #endif
3677 int rc = 0;
3678
3679 /*
3680 * Perfectly reasonable for this to be NULL
3681 */
3682 if (sip == NULL)
3683 return 0;
3684
3685 switch (sock->sk->sk_family) {
3686 case AF_INET:
3687 if (msg->msg_namelen < sizeof(struct sockaddr_in) ||
3688 sip->sin_family != AF_INET)
3689 return -EINVAL;
3690 rc = smack_netlabel_send(sock->sk, sip);
3691 break;
3692 #if IS_ENABLED(CONFIG_IPV6)
3693 case AF_INET6:
3694 if (msg->msg_namelen < SIN6_LEN_RFC2133 ||
3695 sap->sin6_family != AF_INET6)
3696 return -EINVAL;
3697 #ifdef SMACK_IPV6_SECMARK_LABELING
3698 rsp = smack_ipv6host_label(sap);
3699 if (rsp != NULL)
3700 rc = smk_ipv6_check(ssp->smk_out, rsp, sap,
3701 SMK_CONNECTING);
3702 #endif
3703 #ifdef SMACK_IPV6_PORT_LABELING
3704 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
3705 #endif
3706 #endif /* IS_ENABLED(CONFIG_IPV6) */
3707 break;
3708 }
3709 return rc;
3710 }
3711
3712 /**
3713 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3714 * @sap: netlabel secattr
3715 * @ssp: socket security information
3716 *
3717 * Returns a pointer to a Smack label entry found on the label list.
3718 */
3719 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
3720 struct socket_smack *ssp)
3721 {
3722 struct smack_known *skp;
3723 int found = 0;
3724 int acat;
3725 int kcat;
3726
3727 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
3728 /*
3729 * Looks like a CIPSO packet.
3730 * If there are flags but no level netlabel isn't
3731 * behaving the way we expect it to.
3732 *
3733 * Look it up in the label table
3734 * Without guidance regarding the smack value
3735 * for the packet fall back on the network
3736 * ambient value.
3737 */
3738 rcu_read_lock();
3739 list_for_each_entry_rcu(skp, &smack_known_list, list) {
3740 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
3741 continue;
3742 /*
3743 * Compare the catsets. Use the netlbl APIs.
3744 */
3745 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
3746 if ((skp->smk_netlabel.flags &
3747 NETLBL_SECATTR_MLS_CAT) == 0)
3748 found = 1;
3749 break;
3750 }
3751 for (acat = -1, kcat = -1; acat == kcat; ) {
3752 acat = netlbl_catmap_walk(sap->attr.mls.cat,
3753 acat + 1);
3754 kcat = netlbl_catmap_walk(
3755 skp->smk_netlabel.attr.mls.cat,
3756 kcat + 1);
3757 if (acat < 0 || kcat < 0)
3758 break;
3759 }
3760 if (acat == kcat) {
3761 found = 1;
3762 break;
3763 }
3764 }
3765 rcu_read_unlock();
3766
3767 if (found)
3768 return skp;
3769
3770 if (ssp != NULL && ssp->smk_in == &smack_known_star)
3771 return &smack_known_web;
3772 return &smack_known_star;
3773 }
3774 if ((sap->flags & NETLBL_SECATTR_SECID) != 0)
3775 /*
3776 * Looks like a fallback, which gives us a secid.
3777 */
3778 return smack_from_secid(sap->attr.secid);
3779 /*
3780 * Without guidance regarding the smack value
3781 * for the packet fall back on the network
3782 * ambient value.
3783 */
3784 return smack_net_ambient;
3785 }
3786
3787 #if IS_ENABLED(CONFIG_IPV6)
3788 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
3789 {
3790 u8 nexthdr;
3791 int offset;
3792 int proto = -EINVAL;
3793 struct ipv6hdr _ipv6h;
3794 struct ipv6hdr *ip6;
3795 __be16 frag_off;
3796 struct tcphdr _tcph, *th;
3797 struct udphdr _udph, *uh;
3798 struct dccp_hdr _dccph, *dh;
3799
3800 sip->sin6_port = 0;
3801
3802 offset = skb_network_offset(skb);
3803 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3804 if (ip6 == NULL)
3805 return -EINVAL;
3806 sip->sin6_addr = ip6->saddr;
3807
3808 nexthdr = ip6->nexthdr;
3809 offset += sizeof(_ipv6h);
3810 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3811 if (offset < 0)
3812 return -EINVAL;
3813
3814 proto = nexthdr;
3815 switch (proto) {
3816 case IPPROTO_TCP:
3817 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3818 if (th != NULL)
3819 sip->sin6_port = th->source;
3820 break;
3821 case IPPROTO_UDP:
3822 case IPPROTO_UDPLITE:
3823 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3824 if (uh != NULL)
3825 sip->sin6_port = uh->source;
3826 break;
3827 case IPPROTO_DCCP:
3828 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3829 if (dh != NULL)
3830 sip->sin6_port = dh->dccph_sport;
3831 break;
3832 }
3833 return proto;
3834 }
3835 #endif /* CONFIG_IPV6 */
3836
3837 /**
3838 * smack_socket_sock_rcv_skb - Smack packet delivery access check
3839 * @sk: socket
3840 * @skb: packet
3841 *
3842 * Returns 0 if the packet should be delivered, an error code otherwise
3843 */
3844 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3845 {
3846 struct netlbl_lsm_secattr secattr;
3847 struct socket_smack *ssp = sk->sk_security;
3848 struct smack_known *skp = NULL;
3849 int rc = 0;
3850 struct smk_audit_info ad;
3851 u16 family = sk->sk_family;
3852 #ifdef CONFIG_AUDIT
3853 struct lsm_network_audit net;
3854 #endif
3855 #if IS_ENABLED(CONFIG_IPV6)
3856 struct sockaddr_in6 sadd;
3857 int proto;
3858
3859 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
3860 family = PF_INET;
3861 #endif /* CONFIG_IPV6 */
3862
3863 switch (family) {
3864 case PF_INET:
3865 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3866 /*
3867 * If there is a secmark use it rather than the CIPSO label.
3868 * If there is no secmark fall back to CIPSO.
3869 * The secmark is assumed to reflect policy better.
3870 */
3871 if (skb && skb->secmark != 0) {
3872 skp = smack_from_secid(skb->secmark);
3873 goto access_check;
3874 }
3875 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
3876 /*
3877 * Translate what netlabel gave us.
3878 */
3879 netlbl_secattr_init(&secattr);
3880
3881 rc = netlbl_skbuff_getattr(skb, family, &secattr);
3882 if (rc == 0)
3883 skp = smack_from_secattr(&secattr, ssp);
3884 else
3885 skp = smack_net_ambient;
3886
3887 netlbl_secattr_destroy(&secattr);
3888
3889 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
3890 access_check:
3891 #endif
3892 #ifdef CONFIG_AUDIT
3893 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3894 ad.a.u.net->family = family;
3895 ad.a.u.net->netif = skb->skb_iif;
3896 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
3897 #endif
3898 /*
3899 * Receiving a packet requires that the other end
3900 * be able to write here. Read access is not required.
3901 * This is the simplist possible security model
3902 * for networking.
3903 */
3904 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3905 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
3906 MAY_WRITE, rc);
3907 if (rc != 0)
3908 netlbl_skbuff_err(skb, family, rc, 0);
3909 break;
3910 #if IS_ENABLED(CONFIG_IPV6)
3911 case PF_INET6:
3912 proto = smk_skb_to_addr_ipv6(skb, &sadd);
3913 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
3914 proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
3915 break;
3916 #ifdef SMACK_IPV6_SECMARK_LABELING
3917 if (skb && skb->secmark != 0)
3918 skp = smack_from_secid(skb->secmark);
3919 else if (smk_ipv6_localhost(&sadd))
3920 break;
3921 else
3922 skp = smack_ipv6host_label(&sadd);
3923 if (skp == NULL)
3924 skp = smack_net_ambient;
3925 if (skb == NULL)
3926 break;
3927 #ifdef CONFIG_AUDIT
3928 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3929 ad.a.u.net->family = family;
3930 ad.a.u.net->netif = skb->skb_iif;
3931 ipv6_skb_to_auditdata(skb, &ad.a, NULL);
3932 #endif /* CONFIG_AUDIT */
3933 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3934 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
3935 MAY_WRITE, rc);
3936 #endif /* SMACK_IPV6_SECMARK_LABELING */
3937 #ifdef SMACK_IPV6_PORT_LABELING
3938 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
3939 #endif /* SMACK_IPV6_PORT_LABELING */
3940 if (rc != 0)
3941 icmpv6_send(skb, ICMPV6_DEST_UNREACH,
3942 ICMPV6_ADM_PROHIBITED, 0);
3943 break;
3944 #endif /* CONFIG_IPV6 */
3945 }
3946
3947 return rc;
3948 }
3949
3950 /**
3951 * smack_socket_getpeersec_stream - pull in packet label
3952 * @sock: the socket
3953 * @optval: user's destination
3954 * @optlen: size thereof
3955 * @len: max thereof
3956 *
3957 * returns zero on success, an error code otherwise
3958 */
3959 static int smack_socket_getpeersec_stream(struct socket *sock,
3960 char __user *optval,
3961 int __user *optlen, unsigned len)
3962 {
3963 struct socket_smack *ssp;
3964 char *rcp = "";
3965 int slen = 1;
3966 int rc = 0;
3967
3968 ssp = sock->sk->sk_security;
3969 if (ssp->smk_packet != NULL) {
3970 rcp = ssp->smk_packet->smk_known;
3971 slen = strlen(rcp) + 1;
3972 }
3973
3974 if (slen > len)
3975 rc = -ERANGE;
3976 else if (copy_to_user(optval, rcp, slen) != 0)
3977 rc = -EFAULT;
3978
3979 if (put_user(slen, optlen) != 0)
3980 rc = -EFAULT;
3981
3982 return rc;
3983 }
3984
3985
3986 /**
3987 * smack_socket_getpeersec_dgram - pull in packet label
3988 * @sock: the peer socket
3989 * @skb: packet data
3990 * @secid: pointer to where to put the secid of the packet
3991 *
3992 * Sets the netlabel socket state on sk from parent
3993 */
3994 static int smack_socket_getpeersec_dgram(struct socket *sock,
3995 struct sk_buff *skb, u32 *secid)
3996
3997 {
3998 struct netlbl_lsm_secattr secattr;
3999 struct socket_smack *ssp = NULL;
4000 struct smack_known *skp;
4001 int family = PF_UNSPEC;
4002 u32 s = 0; /* 0 is the invalid secid */
4003 int rc;
4004
4005 if (skb != NULL) {
4006 if (skb->protocol == htons(ETH_P_IP))
4007 family = PF_INET;
4008 #if IS_ENABLED(CONFIG_IPV6)
4009 else if (skb->protocol == htons(ETH_P_IPV6))
4010 family = PF_INET6;
4011 #endif /* CONFIG_IPV6 */
4012 }
4013 if (family == PF_UNSPEC && sock != NULL)
4014 family = sock->sk->sk_family;
4015
4016 switch (family) {
4017 case PF_UNIX:
4018 ssp = sock->sk->sk_security;
4019 s = ssp->smk_out->smk_secid;
4020 break;
4021 case PF_INET:
4022 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
4023 s = skb->secmark;
4024 if (s != 0)
4025 break;
4026 #endif
4027 /*
4028 * Translate what netlabel gave us.
4029 */
4030 if (sock != NULL && sock->sk != NULL)
4031 ssp = sock->sk->sk_security;
4032 netlbl_secattr_init(&secattr);
4033 rc = netlbl_skbuff_getattr(skb, family, &secattr);
4034 if (rc == 0) {
4035 skp = smack_from_secattr(&secattr, ssp);
4036 s = skp->smk_secid;
4037 }
4038 netlbl_secattr_destroy(&secattr);
4039 break;
4040 case PF_INET6:
4041 #ifdef SMACK_IPV6_SECMARK_LABELING
4042 s = skb->secmark;
4043 #endif
4044 break;
4045 }
4046 *secid = s;
4047 if (s == 0)
4048 return -EINVAL;
4049 return 0;
4050 }
4051
4052 /**
4053 * smack_sock_graft - Initialize a newly created socket with an existing sock
4054 * @sk: child sock
4055 * @parent: parent socket
4056 *
4057 * Set the smk_{in,out} state of an existing sock based on the process that
4058 * is creating the new socket.
4059 */
4060 static void smack_sock_graft(struct sock *sk, struct socket *parent)
4061 {
4062 struct socket_smack *ssp;
4063 struct smack_known *skp = smk_of_current();
4064
4065 if (sk == NULL ||
4066 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
4067 return;
4068
4069 ssp = sk->sk_security;
4070 ssp->smk_in = skp;
4071 ssp->smk_out = skp;
4072 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
4073 }
4074
4075 /**
4076 * smack_inet_conn_request - Smack access check on connect
4077 * @sk: socket involved
4078 * @skb: packet
4079 * @req: unused
4080 *
4081 * Returns 0 if a task with the packet label could write to
4082 * the socket, otherwise an error code
4083 */
4084 static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4085 struct request_sock *req)
4086 {
4087 u16 family = sk->sk_family;
4088 struct smack_known *skp;
4089 struct socket_smack *ssp = sk->sk_security;
4090 struct netlbl_lsm_secattr secattr;
4091 struct sockaddr_in addr;
4092 struct iphdr *hdr;
4093 struct smack_known *hskp;
4094 int rc;
4095 struct smk_audit_info ad;
4096 #ifdef CONFIG_AUDIT
4097 struct lsm_network_audit net;
4098 #endif
4099
4100 #if IS_ENABLED(CONFIG_IPV6)
4101 if (family == PF_INET6) {
4102 /*
4103 * Handle mapped IPv4 packets arriving
4104 * via IPv6 sockets. Don't set up netlabel
4105 * processing on IPv6.
4106 */
4107 if (skb->protocol == htons(ETH_P_IP))
4108 family = PF_INET;
4109 else
4110 return 0;
4111 }
4112 #endif /* CONFIG_IPV6 */
4113
4114 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
4115 /*
4116 * If there is a secmark use it rather than the CIPSO label.
4117 * If there is no secmark fall back to CIPSO.
4118 * The secmark is assumed to reflect policy better.
4119 */
4120 if (skb && skb->secmark != 0) {
4121 skp = smack_from_secid(skb->secmark);
4122 goto access_check;
4123 }
4124 #endif /* CONFIG_SECURITY_SMACK_NETFILTER */
4125
4126 netlbl_secattr_init(&secattr);
4127 rc = netlbl_skbuff_getattr(skb, family, &secattr);
4128 if (rc == 0)
4129 skp = smack_from_secattr(&secattr, ssp);
4130 else
4131 skp = &smack_known_huh;
4132 netlbl_secattr_destroy(&secattr);
4133
4134 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
4135 access_check:
4136 #endif
4137
4138 #ifdef CONFIG_AUDIT
4139 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
4140 ad.a.u.net->family = family;
4141 ad.a.u.net->netif = skb->skb_iif;
4142 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
4143 #endif
4144 /*
4145 * Receiving a packet requires that the other end be able to write
4146 * here. Read access is not required.
4147 */
4148 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
4149 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
4150 if (rc != 0)
4151 return rc;
4152
4153 /*
4154 * Save the peer's label in the request_sock so we can later setup
4155 * smk_packet in the child socket so that SO_PEERCRED can report it.
4156 */
4157 req->peer_secid = skp->smk_secid;
4158
4159 /*
4160 * We need to decide if we want to label the incoming connection here
4161 * if we do we only need to label the request_sock and the stack will
4162 * propagate the wire-label to the sock when it is created.
4163 */
4164 hdr = ip_hdr(skb);
4165 addr.sin_addr.s_addr = hdr->saddr;
4166 rcu_read_lock();
4167 hskp = smack_ipv4host_label(&addr);
4168 rcu_read_unlock();
4169
4170 if (hskp == NULL)
4171 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
4172 else
4173 netlbl_req_delattr(req);
4174
4175 return rc;
4176 }
4177
4178 /**
4179 * smack_inet_csk_clone - Copy the connection information to the new socket
4180 * @sk: the new socket
4181 * @req: the connection's request_sock
4182 *
4183 * Transfer the connection's peer label to the newly created socket.
4184 */
4185 static void smack_inet_csk_clone(struct sock *sk,
4186 const struct request_sock *req)
4187 {
4188 struct socket_smack *ssp = sk->sk_security;
4189 struct smack_known *skp;
4190
4191 if (req->peer_secid != 0) {
4192 skp = smack_from_secid(req->peer_secid);
4193 ssp->smk_packet = skp;
4194 } else
4195 ssp->smk_packet = NULL;
4196 }
4197
4198 /*
4199 * Key management security hooks
4200 *
4201 * Casey has not tested key support very heavily.
4202 * The permission check is most likely too restrictive.
4203 * If you care about keys please have a look.
4204 */
4205 #ifdef CONFIG_KEYS
4206
4207 /**
4208 * smack_key_alloc - Set the key security blob
4209 * @key: object
4210 * @cred: the credentials to use
4211 * @flags: unused
4212 *
4213 * No allocation required
4214 *
4215 * Returns 0
4216 */
4217 static int smack_key_alloc(struct key *key, const struct cred *cred,
4218 unsigned long flags)
4219 {
4220 struct smack_known *skp = smk_of_task(smack_cred(cred));
4221
4222 key->security = skp;
4223 return 0;
4224 }
4225
4226 /**
4227 * smack_key_free - Clear the key security blob
4228 * @key: the object
4229 *
4230 * Clear the blob pointer
4231 */
4232 static void smack_key_free(struct key *key)
4233 {
4234 key->security = NULL;
4235 }
4236
4237 /**
4238 * smack_key_permission - Smack access on a key
4239 * @key_ref: gets to the object
4240 * @cred: the credentials to use
4241 * @perm: requested key permissions
4242 *
4243 * Return 0 if the task has read and write to the object,
4244 * an error code otherwise
4245 */
4246 static int smack_key_permission(key_ref_t key_ref,
4247 const struct cred *cred, unsigned perm)
4248 {
4249 struct key *keyp;
4250 struct smk_audit_info ad;
4251 struct smack_known *tkp = smk_of_task(smack_cred(cred));
4252 int request = 0;
4253 int rc;
4254
4255 /*
4256 * Validate requested permissions
4257 */
4258 if (perm & ~KEY_NEED_ALL)
4259 return -EINVAL;
4260
4261 keyp = key_ref_to_ptr(key_ref);
4262 if (keyp == NULL)
4263 return -EINVAL;
4264 /*
4265 * If the key hasn't been initialized give it access so that
4266 * it may do so.
4267 */
4268 if (keyp->security == NULL)
4269 return 0;
4270 /*
4271 * This should not occur
4272 */
4273 if (tkp == NULL)
4274 return -EACCES;
4275
4276 if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
4277 return 0;
4278
4279 #ifdef CONFIG_AUDIT
4280 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
4281 ad.a.u.key_struct.key = keyp->serial;
4282 ad.a.u.key_struct.key_desc = keyp->description;
4283 #endif
4284 if (perm & (KEY_NEED_READ | KEY_NEED_SEARCH | KEY_NEED_VIEW))
4285 request |= MAY_READ;
4286 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
4287 request |= MAY_WRITE;
4288 rc = smk_access(tkp, keyp->security, request, &ad);
4289 rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
4290 return rc;
4291 }
4292
4293 /*
4294 * smack_key_getsecurity - Smack label tagging the key
4295 * @key points to the key to be queried
4296 * @_buffer points to a pointer that should be set to point to the
4297 * resulting string (if no label or an error occurs).
4298 * Return the length of the string (including terminating NUL) or -ve if
4299 * an error.
4300 * May also return 0 (and a NULL buffer pointer) if there is no label.
4301 */
4302 static int smack_key_getsecurity(struct key *key, char **_buffer)
4303 {
4304 struct smack_known *skp = key->security;
4305 size_t length;
4306 char *copy;
4307
4308 if (key->security == NULL) {
4309 *_buffer = NULL;
4310 return 0;
4311 }
4312
4313 copy = kstrdup(skp->smk_known, GFP_KERNEL);
4314 if (copy == NULL)
4315 return -ENOMEM;
4316 length = strlen(copy) + 1;
4317
4318 *_buffer = copy;
4319 return length;
4320 }
4321
4322 #endif /* CONFIG_KEYS */
4323
4324 /*
4325 * Smack Audit hooks
4326 *
4327 * Audit requires a unique representation of each Smack specific
4328 * rule. This unique representation is used to distinguish the
4329 * object to be audited from remaining kernel objects and also
4330 * works as a glue between the audit hooks.
4331 *
4332 * Since repository entries are added but never deleted, we'll use
4333 * the smack_known label address related to the given audit rule as
4334 * the needed unique representation. This also better fits the smack
4335 * model where nearly everything is a label.
4336 */
4337 #ifdef CONFIG_AUDIT
4338
4339 /**
4340 * smack_audit_rule_init - Initialize a smack audit rule
4341 * @field: audit rule fields given from user-space (audit.h)
4342 * @op: required testing operator (=, !=, >, <, ...)
4343 * @rulestr: smack label to be audited
4344 * @vrule: pointer to save our own audit rule representation
4345 *
4346 * Prepare to audit cases where (@field @op @rulestr) is true.
4347 * The label to be audited is created if necessay.
4348 */
4349 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
4350 {
4351 struct smack_known *skp;
4352 char **rule = (char **)vrule;
4353 *rule = NULL;
4354
4355 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4356 return -EINVAL;
4357
4358 if (op != Audit_equal && op != Audit_not_equal)
4359 return -EINVAL;
4360
4361 skp = smk_import_entry(rulestr, 0);
4362 if (IS_ERR(skp))
4363 return PTR_ERR(skp);
4364
4365 *rule = skp->smk_known;
4366
4367 return 0;
4368 }
4369
4370 /**
4371 * smack_audit_rule_known - Distinguish Smack audit rules
4372 * @krule: rule of interest, in Audit kernel representation format
4373 *
4374 * This is used to filter Smack rules from remaining Audit ones.
4375 * If it's proved that this rule belongs to us, the
4376 * audit_rule_match hook will be called to do the final judgement.
4377 */
4378 static int smack_audit_rule_known(struct audit_krule *krule)
4379 {
4380 struct audit_field *f;
4381 int i;
4382
4383 for (i = 0; i < krule->field_count; i++) {
4384 f = &krule->fields[i];
4385
4386 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER)
4387 return 1;
4388 }
4389
4390 return 0;
4391 }
4392
4393 /**
4394 * smack_audit_rule_match - Audit given object ?
4395 * @secid: security id for identifying the object to test
4396 * @field: audit rule flags given from user-space
4397 * @op: required testing operator
4398 * @vrule: smack internal rule presentation
4399 *
4400 * The core Audit hook. It's used to take the decision of
4401 * whether to audit or not to audit a given object.
4402 */
4403 static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
4404 {
4405 struct smack_known *skp;
4406 char *rule = vrule;
4407
4408 if (unlikely(!rule)) {
4409 WARN_ONCE(1, "Smack: missing rule\n");
4410 return -ENOENT;
4411 }
4412
4413 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4414 return 0;
4415
4416 skp = smack_from_secid(secid);
4417
4418 /*
4419 * No need to do string comparisons. If a match occurs,
4420 * both pointers will point to the same smack_known
4421 * label.
4422 */
4423 if (op == Audit_equal)
4424 return (rule == skp->smk_known);
4425 if (op == Audit_not_equal)
4426 return (rule != skp->smk_known);
4427
4428 return 0;
4429 }
4430
4431 /*
4432 * There is no need for a smack_audit_rule_free hook.
4433 * No memory was allocated.
4434 */
4435
4436 #endif /* CONFIG_AUDIT */
4437
4438 /**
4439 * smack_ismaclabel - check if xattr @name references a smack MAC label
4440 * @name: Full xattr name to check.
4441 */
4442 static int smack_ismaclabel(const char *name)
4443 {
4444 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
4445 }
4446
4447
4448 /**
4449 * smack_secid_to_secctx - return the smack label for a secid
4450 * @secid: incoming integer
4451 * @secdata: destination
4452 * @seclen: how long it is
4453 *
4454 * Exists for networking code.
4455 */
4456 static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4457 {
4458 struct smack_known *skp = smack_from_secid(secid);
4459
4460 if (secdata)
4461 *secdata = skp->smk_known;
4462 *seclen = strlen(skp->smk_known);
4463 return 0;
4464 }
4465
4466 /**
4467 * smack_secctx_to_secid - return the secid for a smack label
4468 * @secdata: smack label
4469 * @seclen: how long result is
4470 * @secid: outgoing integer
4471 *
4472 * Exists for audit and networking code.
4473 */
4474 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
4475 {
4476 struct smack_known *skp = smk_find_entry(secdata);
4477
4478 if (skp)
4479 *secid = skp->smk_secid;
4480 else
4481 *secid = 0;
4482 return 0;
4483 }
4484
4485 /*
4486 * There used to be a smack_release_secctx hook
4487 * that did nothing back when hooks were in a vector.
4488 * Now that there's a list such a hook adds cost.
4489 */
4490
4491 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
4492 {
4493 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
4494 }
4495
4496 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
4497 {
4498 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
4499 }
4500
4501 static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
4502 {
4503 struct smack_known *skp = smk_of_inode(inode);
4504
4505 *ctx = skp->smk_known;
4506 *ctxlen = strlen(skp->smk_known);
4507 return 0;
4508 }
4509
4510 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new)
4511 {
4512
4513 struct task_smack *tsp;
4514 struct smack_known *skp;
4515 struct inode_smack *isp;
4516 struct cred *new_creds = *new;
4517
4518 if (new_creds == NULL) {
4519 new_creds = prepare_creds();
4520 if (new_creds == NULL)
4521 return -ENOMEM;
4522 }
4523
4524 tsp = smack_cred(new_creds);
4525
4526 /*
4527 * Get label from overlay inode and set it in create_sid
4528 */
4529 isp = smack_inode(d_inode(dentry->d_parent));
4530 skp = isp->smk_inode;
4531 tsp->smk_task = skp;
4532 *new = new_creds;
4533 return 0;
4534 }
4535
4536 static int smack_inode_copy_up_xattr(const char *name)
4537 {
4538 /*
4539 * Return 1 if this is the smack access Smack attribute.
4540 */
4541 if (strcmp(name, XATTR_NAME_SMACK) == 0)
4542 return 1;
4543
4544 return -EOPNOTSUPP;
4545 }
4546
4547 static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
4548 struct qstr *name,
4549 const struct cred *old,
4550 struct cred *new)
4551 {
4552 struct task_smack *otsp = smack_cred(old);
4553 struct task_smack *ntsp = smack_cred(new);
4554 struct inode_smack *isp;
4555 int may;
4556
4557 /*
4558 * Use the process credential unless all of
4559 * the transmuting criteria are met
4560 */
4561 ntsp->smk_task = otsp->smk_task;
4562
4563 /*
4564 * the attribute of the containing directory
4565 */
4566 isp = smack_inode(d_inode(dentry->d_parent));
4567
4568 if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
4569 rcu_read_lock();
4570 may = smk_access_entry(otsp->smk_task->smk_known,
4571 isp->smk_inode->smk_known,
4572 &otsp->smk_task->smk_rules);
4573 rcu_read_unlock();
4574
4575 /*
4576 * If the directory is transmuting and the rule
4577 * providing access is transmuting use the containing
4578 * directory label instead of the process label.
4579 */
4580 if (may > 0 && (may & MAY_TRANSMUTE))
4581 ntsp->smk_task = isp->smk_inode;
4582 }
4583 return 0;
4584 }
4585
4586 struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
4587 .lbs_cred = sizeof(struct task_smack),
4588 .lbs_file = sizeof(struct smack_known *),
4589 .lbs_inode = sizeof(struct inode_smack),
4590 .lbs_ipc = sizeof(struct smack_known *),
4591 .lbs_msg_msg = sizeof(struct smack_known *),
4592 };
4593
4594 static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
4595 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4596 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
4597 LSM_HOOK_INIT(syslog, smack_syslog),
4598
4599 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup),
4600 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
4601
4602 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
4603 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
4604 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
4605 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts),
4606 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
4607 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),
4608
4609 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),
4610
4611 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
4612 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
4613 LSM_HOOK_INIT(inode_link, smack_inode_link),
4614 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
4615 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir),
4616 LSM_HOOK_INIT(inode_rename, smack_inode_rename),
4617 LSM_HOOK_INIT(inode_permission, smack_inode_permission),
4618 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr),
4619 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr),
4620 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr),
4621 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr),
4622 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr),
4623 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr),
4624 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity),
4625 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity),
4626 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),
4627 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
4628
4629 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
4630 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
4631 LSM_HOOK_INIT(file_lock, smack_file_lock),
4632 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
4633 LSM_HOOK_INIT(mmap_file, smack_mmap_file),
4634 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
4635 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner),
4636 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask),
4637 LSM_HOOK_INIT(file_receive, smack_file_receive),
4638
4639 LSM_HOOK_INIT(file_open, smack_file_open),
4640
4641 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank),
4642 LSM_HOOK_INIT(cred_free, smack_cred_free),
4643 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
4644 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
4645 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
4646 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
4647 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
4648 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
4649 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid),
4650 LSM_HOOK_INIT(task_getsid, smack_task_getsid),
4651 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid),
4652 LSM_HOOK_INIT(task_setnice, smack_task_setnice),
4653 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio),
4654 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
4655 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler),
4656 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler),
4657 LSM_HOOK_INIT(task_movememory, smack_task_movememory),
4658 LSM_HOOK_INIT(task_kill, smack_task_kill),
4659 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
4660
4661 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
4662 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
4663
4664 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
4665
4666 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security),
4667 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
4668 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
4669 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
4670 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
4671
4672 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security),
4673 LSM_HOOK_INIT(shm_associate, smack_shm_associate),
4674 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
4675 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
4676
4677 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security),
4678 LSM_HOOK_INIT(sem_associate, smack_sem_associate),
4679 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
4680 LSM_HOOK_INIT(sem_semop, smack_sem_semop),
4681
4682 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate),
4683
4684 LSM_HOOK_INIT(getprocattr, smack_getprocattr),
4685 LSM_HOOK_INIT(setprocattr, smack_setprocattr),
4686
4687 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect),
4688 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send),
4689
4690 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create),
4691 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair),
4692 #ifdef SMACK_IPV6_PORT_LABELING
4693 LSM_HOOK_INIT(socket_bind, smack_socket_bind),
4694 #endif
4695 LSM_HOOK_INIT(socket_connect, smack_socket_connect),
4696 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg),
4697 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb),
4698 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
4699 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
4700 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
4701 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
4702 LSM_HOOK_INIT(sock_graft, smack_sock_graft),
4703 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
4704 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
4705
4706 /* key management security hooks */
4707 #ifdef CONFIG_KEYS
4708 LSM_HOOK_INIT(key_alloc, smack_key_alloc),
4709 LSM_HOOK_INIT(key_free, smack_key_free),
4710 LSM_HOOK_INIT(key_permission, smack_key_permission),
4711 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
4712 #endif /* CONFIG_KEYS */
4713
4714 /* Audit hooks */
4715 #ifdef CONFIG_AUDIT
4716 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
4717 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known),
4718 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match),
4719 #endif /* CONFIG_AUDIT */
4720
4721 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
4722 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
4723 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
4724 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
4725 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
4726 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
4727 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
4728 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
4729 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
4730 };
4731
4732
4733 static __init void init_smack_known_list(void)
4734 {
4735 /*
4736 * Initialize rule list locks
4737 */
4738 mutex_init(&smack_known_huh.smk_rules_lock);
4739 mutex_init(&smack_known_hat.smk_rules_lock);
4740 mutex_init(&smack_known_floor.smk_rules_lock);
4741 mutex_init(&smack_known_star.smk_rules_lock);
4742 mutex_init(&smack_known_web.smk_rules_lock);
4743 /*
4744 * Initialize rule lists
4745 */
4746 INIT_LIST_HEAD(&smack_known_huh.smk_rules);
4747 INIT_LIST_HEAD(&smack_known_hat.smk_rules);
4748 INIT_LIST_HEAD(&smack_known_star.smk_rules);
4749 INIT_LIST_HEAD(&smack_known_floor.smk_rules);
4750 INIT_LIST_HEAD(&smack_known_web.smk_rules);
4751 /*
4752 * Create the known labels list
4753 */
4754 smk_insert_entry(&smack_known_huh);
4755 smk_insert_entry(&smack_known_hat);
4756 smk_insert_entry(&smack_known_star);
4757 smk_insert_entry(&smack_known_floor);
4758 smk_insert_entry(&smack_known_web);
4759 }
4760
4761 /**
4762 * smack_init - initialize the smack system
4763 *
4764 * Returns 0 on success, -ENOMEM is there's no memory
4765 */
4766 static __init int smack_init(void)
4767 {
4768 struct cred *cred = (struct cred *) current->cred;
4769 struct task_smack *tsp;
4770
4771 smack_inode_cache = KMEM_CACHE(inode_smack, 0);
4772 if (!smack_inode_cache)
4773 return -ENOMEM;
4774
4775 smack_rule_cache = KMEM_CACHE(smack_rule, 0);
4776 if (!smack_rule_cache) {
4777 kmem_cache_destroy(smack_inode_cache);
4778 return -ENOMEM;
4779 }
4780
4781 /*
4782 * Set the security state for the initial task.
4783 */
4784 tsp = smack_cred(cred);
4785 init_task_smack(tsp, &smack_known_floor, &smack_known_floor);
4786
4787 /*
4788 * Register with LSM
4789 */
4790 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
4791 smack_enabled = 1;
4792
4793 pr_info("Smack: Initializing.\n");
4794 #ifdef CONFIG_SECURITY_SMACK_NETFILTER
4795 pr_info("Smack: Netfilter enabled.\n");
4796 #endif
4797 #ifdef SMACK_IPV6_PORT_LABELING
4798 pr_info("Smack: IPv6 port labeling enabled.\n");
4799 #endif
4800 #ifdef SMACK_IPV6_SECMARK_LABELING
4801 pr_info("Smack: IPv6 Netfilter enabled.\n");
4802 #endif
4803
4804 /* initialize the smack_known_list */
4805 init_smack_known_list();
4806
4807 return 0;
4808 }
4809
4810 /*
4811 * Smack requires early initialization in order to label
4812 * all processes and objects when they are created.
4813 */
4814 DEFINE_LSM(smack) = {
4815 .name = "smack",
4816 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
4817 .blobs = &smack_blob_sizes,
4818 .init = smack_init,
4819 };
connection oriented routing