| blob | 3f7682a387b730b9c75fc6e547de98d512b46dbb |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Authors:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 * Jarkko Sakkinen <jarkko.sakkinen@intel.com>
9 *
10 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
12 * Paul Moore <paul@paul-moore.com>
13 * Copyright (C) 2010 Nokia Corporation
14 * Copyright (C) 2011 Intel Corporation.
15 *
16 * This program is free software; you can redistribute it and/or modify
17 * it under the terms of the GNU General Public License version 2,
18 * as published by the Free Software Foundation.
19 */
21 #include <linux/xattr.h>
22 #include <linux/pagemap.h>
23 #include <linux/mount.h>
24 #include <linux/stat.h>
25 #include <linux/kd.h>
26 #include <asm/ioctls.h>
27 #include <linux/ip.h>
28 #include <linux/tcp.h>
29 #include <linux/udp.h>
30 #include <linux/dccp.h>
31 #include <linux/slab.h>
32 #include <linux/mutex.h>
33 #include <linux/pipe_fs_i.h>
34 #include <net/cipso_ipv4.h>
35 #include <net/ip.h>
36 #include <net/ipv6.h>
37 #include <linux/audit.h>
38 #include <linux/magic.h>
39 #include <linux/dcache.h>
40 #include <linux/personality.h>
41 #include <linux/msg.h>
42 #include <linux/shm.h>
43 #include <linux/binfmts.h>
46 #define task_security(task) (task_cred_xxx((task), security))
49 #define TRANS_TRUE_SIZE 4
51 #define SMK_CONNECTING 0
52 #define SMK_RECEIVING 1
53 #define SMK_SENDING 2
57 /**
58 * smk_fetch - Fetch the smack label from a file.
59 * @ip: a pointer to the inode
60 * @dp: a pointer to the dentry
61 *
62 * Returns a pointer to the master list entry for the Smack label
63 * or NULL if there was no label to fetch.
64 */
67 {
86 }
88 /**
89 * new_inode_smack - allocate an inode security blob
90 * @smack: a pointer to the Smack label to use in the blob
91 *
92 * Returns the new blob or NULL if there's no memory available
93 */
95 {
107 }
109 /**
110 * new_task_smack - allocate a task security blob
111 * @smack: a pointer to the Smack label to use in the blob
112 *
113 * Returns the new blob or NULL if there's no memory available
114 */
117 {
130 }
132 /**
133 * smk_copy_rules - copy a rule set
134 * @nhead - new rules header pointer
135 * @ohead - old rules header pointer
136 *
137 * Returns 0 on success, -ENOMEM on error
138 */
140 gfp_t gfp)
141 {
153 }
156 }
158 }
160 /*
161 * LSM hooks.
162 * We he, that is fun!
163 */
165 /**
166 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
167 * @ctp: child task pointer
168 * @mode: ptrace attachment mode
169 *
170 * Returns 0 if access is OK, an error code otherwise
171 *
172 * Do the capability checks, and require read and write.
173 */
175 {
190 }
192 /**
193 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
194 * @ptp: parent task pointer
195 *
196 * Returns 0 if access is OK, an error code otherwise
197 *
198 * Do the capability checks, and require read and write.
199 */
201 {
216 }
218 /**
219 * smack_syslog - Smack approval on syslog
220 * @type: message type
221 *
222 * Require that the task has the floor label
223 *
224 * Returns 0 on success, error code otherwise.
225 */
227 {
238 }
241 /*
242 * Superblock Hooks.
243 */
245 /**
246 * smack_sb_alloc_security - allocate a superblock blob
247 * @sb: the superblock getting the blob
248 *
249 * Returns 0 on success or -ENOMEM on error.
250 */
252 {
264 /*
265 * smk_initialized will be zero from kzalloc.
266 */
270 }
272 /**
273 * smack_sb_free_security - free a superblock blob
274 * @sb: the superblock getting the blob
275 *
276 */
278 {
281 }
283 /**
284 * smack_sb_copy_data - copy mount options data for processing
285 * @orig: where to start
286 * @smackopts: mount options string
287 *
288 * Returns 0 on success or -ENOMEM on error.
289 *
290 * Copy the Smack specific mount options out of the mount
291 * options list.
292 */
294 {
312 else
322 }
328 }
330 /**
331 * smack_sb_kern_mount - Smack specific mount processing
332 * @sb: the file system superblock
333 * @flags: the mount flags
334 * @data: the smack mount options
335 *
336 * Returns 0 on success, an error code on failure
337 */
339 {
386 }
387 }
388 }
390 /*
391 * Initialize the root inode.
392 */
404 }
406 /**
407 * smack_sb_statfs - Smack check on statfs
408 * @dentry: identifies the file system in question
409 *
410 * Returns 0 if current can read the floor of the filesystem,
411 * and error code otherwise
412 */
414 {
424 }
426 /**
427 * smack_sb_mount - Smack check for mounting
428 * @dev_name: unused
429 * @path: mount point
430 * @type: unused
431 * @flags: unused
432 * @data: unused
433 *
434 * Returns 0 if current can write the floor of the filesystem
435 * being mounted on, an error code otherwise.
436 */
439 {
447 }
449 /**
450 * smack_sb_umount - Smack check for unmounting
451 * @mnt: file system to unmount
452 * @flags: unused
453 *
454 * Returns 0 if current can write the floor of the filesystem
455 * being unmounted, an error code otherwise.
456 */
458 {
471 }
473 /*
474 * BPRM hooks
475 */
477 /**
478 * smack_bprm_set_creds - set creds for exec
479 * @bprm: the exec information
480 *
481 * Returns 0 if it gets a blob, -ENOMEM otherwise
482 */
484 {
508 }
510 /**
511 * smack_bprm_committing_creds - Prepare to install the new credentials
512 * from bprm.
513 *
514 * @bprm: binprm for exec
515 */
517 {
522 }
524 /**
525 * smack_bprm_secureexec - Return the decision to use secureexec.
526 * @bprm: binprm for exec
527 *
528 * Returns 0 on success.
529 */
531 {
539 }
541 /*
542 * Inode hooks
543 */
545 /**
546 * smack_inode_alloc_security - allocate an inode blob
547 * @inode: the inode in need of a blob
548 *
549 * Returns 0 if it gets a blob, -ENOMEM otherwise
550 */
552 {
559 }
561 /**
562 * smack_inode_free_security - free an inode blob
563 * @inode: the inode with a blob
564 *
565 * Clears the blob pointer in inode
566 */
568 {
571 }
573 /**
574 * smack_inode_init_security - copy out the smack from an inode
575 * @inode: the inode
576 * @dir: unused
577 * @qstr: unused
578 * @name: where to put the attribute name
579 * @value: where to put the attribute value
580 * @len: where to put the length of the attribute
581 *
582 * Returns 0 if it all works out, -ENOMEM if there's no memory
583 */
587 {
598 }
605 /*
606 * If the access rule allows transmutation and
607 * the directory requests transmutation then
608 * by all means transmute.
609 * Mark the inode as changed.
610 */
615 }
620 }
626 }
628 /**
629 * smack_inode_link - Smack check on link
630 * @old_dentry: the existing object
631 * @dir: unused
632 * @new_dentry: the new object
633 *
634 * Returns 0 if access is permitted, an error code otherwise
635 */
638 {
653 }
656 }
658 /**
659 * smack_inode_unlink - Smack check on inode deletion
660 * @dir: containing directory object
661 * @dentry: file to unlink
662 *
663 * Returns 0 if current can write the containing directory
664 * and the object, error code otherwise
665 */
667 {
675 /*
676 * You need write access to the thing you're unlinking
677 */
680 /*
681 * You also need write access to the containing directory
682 */
686 }
688 }
690 /**
691 * smack_inode_rmdir - Smack check on directory deletion
692 * @dir: containing directory object
693 * @dentry: directory to unlink
694 *
695 * Returns 0 if current can write the containing directory
696 * and the directory, error code otherwise
697 */
699 {
706 /*
707 * You need write access to the thing you're removing
708 */
711 /*
712 * You also need write access to the containing directory
713 */
717 }
720 }
722 /**
723 * smack_inode_rename - Smack check on rename
724 * @old_inode: the old directory
725 * @old_dentry: unused
726 * @new_inode: the new directory
727 * @new_dentry: unused
728 *
729 * Read and write access is required on both the old and
730 * new directories.
731 *
732 * Returns 0 if access is permitted, an error code otherwise
733 */
738 {
753 }
755 }
757 /**
758 * smack_inode_permission - Smack version of permission()
759 * @inode: the inode in question
760 * @mask: the access requested
761 *
762 * This is the important Smack hook.
763 *
764 * Returns 0 if access is permitted, -EACCES otherwise
765 */
767 {
772 /*
773 * No permission to check. Existence test. Yup, it's there.
774 */
778 /* May be droppable after audit */
784 }
786 /**
787 * smack_inode_setattr - Smack check for setting attributes
788 * @dentry: the object
789 * @iattr: for the force flag
790 *
791 * Returns 0 if access is permitted, an error code otherwise
792 */
794 {
796 /*
797 * Need to allow for clearing the setuid bit.
798 */
805 }
807 /**
808 * smack_inode_getattr - Smack check for getting attributes
809 * @mnt: unused
810 * @dentry: the object
811 *
812 * Returns 0 if access is permitted, an error code otherwise
813 */
815 {
825 }
827 /**
828 * smack_inode_setxattr - Smack check for setting xattrs
829 * @dentry: the object
830 * @name: name of the attribute
831 * @value: unused
832 * @size: unused
833 * @flags: unused
834 *
835 * This protects the Smack attribute explicitly.
836 *
837 * Returns 0 if access is permitted, an error code otherwise
838 */
841 {
852 /*
853 * check label validity here so import wont fail on
854 * post_setxattr
855 */
875 }
877 /**
878 * smack_inode_post_setxattr - Apply the Smack update approved above
879 * @dentry: object
880 * @name: attribute name
881 * @value: attribute value
882 * @size: attribute size
883 * @flags: unused
884 *
885 * Set the pointer in the inode blob to the entry found
886 * in the master label list.
887 */
890 {
897 }
903 else
908 else
913 else
915 }
918 }
920 /**
921 * smack_inode_getxattr - Smack check on getxattr
922 * @dentry: the object
923 * @name: unused
924 *
925 * Returns 0 if access is permitted, an error code otherwise
926 */
928 {
935 }
937 /**
938 * smack_inode_removexattr - Smack check on removexattr
939 * @dentry: the object
940 * @name: name of the attribute
941 *
942 * Removing the Smack attribute requires CAP_MAC_ADMIN
943 *
944 * Returns 0 if access is permitted, an error code otherwise
945 */
947 {
972 }
975 }
977 /**
978 * smack_inode_getsecurity - get smack xattrs
979 * @inode: the object
980 * @name: attribute name
981 * @buffer: where to put the result
982 * @alloc: unused
983 *
984 * Returns the size of the attribute or an error code
985 */
989 {
1003 }
1005 /*
1006 * The rest of the Smack xattrs are only on sockets.
1007 */
1022 else
1029 }
1032 }
1035 /**
1036 * smack_inode_listsecurity - list the Smack attributes
1037 * @inode: the object
1038 * @buffer: where they go
1039 * @buffer_size: size of buffer
1040 *
1041 * Returns 0 on success, -EINVAL otherwise
1042 */
1045 {
1051 }
1053 }
1055 /**
1056 * smack_inode_getsecid - Extract inode's security id
1057 * @inode: inode to extract the info from
1058 * @secid: where result will be saved
1059 */
1061 {
1065 }
1067 /*
1068 * File Hooks
1069 */
1071 /**
1072 * smack_file_permission - Smack check on file operations
1073 * @file: unused
1074 * @mask: unused
1075 *
1076 * Returns 0
1077 *
1078 * Should access checks be done on each read or write?
1079 * UNICOS and SELinux say yes.
1080 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
1081 *
1082 * I'll say no for now. Smack does not do the frequent
1083 * label changing that SELinux does.
1084 */
1086 {
1088 }
1090 /**
1091 * smack_file_alloc_security - assign a file security blob
1092 * @file: the object
1093 *
1094 * The security blob for a file is a pointer to the master
1095 * label list, so no allocation is done.
1096 *
1097 * Returns 0
1098 */
1100 {
1105 }
1107 /**
1108 * smack_file_free_security - clear a file security blob
1109 * @file: the object
1110 *
1111 * The security blob for a file is a pointer to the master
1112 * label list, so no memory is freed.
1113 */
1115 {
1117 }
1119 /**
1120 * smack_file_ioctl - Smack check on ioctls
1121 * @file: the object
1122 * @cmd: what to do
1123 * @arg: unused
1124 *
1125 * Relies heavily on the correct use of the ioctl command conventions.
1126 *
1127 * Returns 0 if allowed, error code otherwise
1128 */
1131 {
1145 }
1147 /**
1148 * smack_file_lock - Smack check on file locking
1149 * @file: the object
1150 * @cmd: unused
1151 *
1152 * Returns 0 if current has write access, error code otherwise
1153 */
1155 {
1161 }
1163 /**
1164 * smack_file_fcntl - Smack check on fcntl
1165 * @file: the object
1166 * @cmd: what action to check
1167 * @arg: unused
1168 *
1169 * Generally these operations are harmless.
1170 * File locking operations present an obvious mechanism
1171 * for passing information, so they require write access.
1172 *
1173 * Returns 0 if current has access, error code otherwise
1174 */
1177 {
1194 }
1197 }
1199 /**
1200 * smack_mmap_file :
1201 * Check permissions for a mmap operation. The @file may be NULL, e.g.
1202 * if mapping anonymous memory.
1203 * @file contains the file structure for file to map (may be NULL).
1204 * @reqprot contains the protection requested by the application.
1205 * @prot contains the protection that will be applied by the kernel.
1206 * @flags contains the operational flags.
1207 * Return 0 if permission is granted.
1208 */
1212 {
1237 /*
1238 * For each Smack rule associated with the subject
1239 * label verify that the SMACK64MMAP also has access
1240 * to that rule's object label.
1241 */
1244 /*
1245 * Matching labels always allows access.
1246 */
1249 /*
1250 * If there is a matching local rule take
1251 * that into account as well.
1252 */
1257 else
1259 /*
1260 * If may is zero the SMACK64MMAP subject can't
1261 * possibly have less access.
1262 */
1266 /*
1267 * Fetch the global list entry.
1268 * If there isn't one a SMACK64MMAP subject
1269 * can't have as much access as current.
1270 */
1276 }
1277 /*
1278 * If there is a local entry it modifies the
1279 * potential access, too.
1280 */
1286 /*
1287 * If there is any access available to current that is
1288 * not available to a SMACK64MMAP subject
1289 * deny access.
1290 */
1294 }
1295 }
1300 }
1302 /**
1303 * smack_file_set_fowner - set the file security blob value
1304 * @file: object in question
1305 *
1306 * Returns 0
1307 * Further research may be required on this one.
1308 */
1310 {
1315 }
1317 /**
1318 * smack_file_send_sigiotask - Smack on sigio
1319 * @tsk: The target task
1320 * @fown: the object the signal come from
1321 * @signum: unused
1322 *
1323 * Allow a privileged task to get signals even if it shouldn't
1324 *
1325 * Returns 0 if a subject with the object's smack could
1326 * write to the task, an error code otherwise.
1327 */
1330 {
1337 /*
1338 * struct fown_struct is never outside the context of a struct file
1339 */
1342 /* we don't log here as rc can be overriden */
1352 }
1354 /**
1355 * smack_file_receive - Smack file receive check
1356 * @file: the object
1357 *
1358 * Returns 0 if current has access, error code otherwise
1359 */
1361 {
1367 /*
1368 * This code relies on bitmasks.
1369 */
1376 }
1378 /**
1379 * smack_file_open - Smack dentry open processing
1380 * @file: the object
1381 * @cred: unused
1382 *
1383 * Set the security blob in the file structure.
1384 *
1385 * Returns 0
1386 */
1388 {
1394 }
1396 /*
1397 * Task hooks
1398 */
1400 /**
1401 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1402 * @new: the new credentials
1403 * @gfp: the atomicity of any memory allocations
1404 *
1405 * Prepare a blank set of credentials for modification. This must allocate all
1406 * the memory the LSM module might require such that cred_transfer() can
1407 * complete without error.
1408 */
1410 {
1420 }
1423 /**
1424 * smack_cred_free - "free" task-level security credentials
1425 * @cred: the credentials in question
1426 *
1427 */
1429 {
1443 }
1445 }
1447 /**
1448 * smack_cred_prepare - prepare new set of credentials for modification
1449 * @new: the new credentials
1450 * @old: the original credentials
1451 * @gfp: the atomicity of any memory allocations
1452 *
1453 * Prepare a new set of credentials for modification.
1454 */
1456 gfp_t gfp)
1457 {
1472 }
1474 /**
1475 * smack_cred_transfer - Transfer the old credentials to the new credentials
1476 * @new: the new credentials
1477 * @old: the original credentials
1478 *
1479 * Fill in a set of blank credentials from another set of credentials.
1480 */
1482 {
1492 /* cbs copy rule list */
1493 }
1495 /**
1496 * smack_kernel_act_as - Set the subjective context in a set of credentials
1497 * @new: points to the set of credentials to be modified.
1498 * @secid: specifies the security ID to be set
1499 *
1500 * Set the security data for a kernel service.
1501 */
1503 {
1512 }
1514 /**
1515 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1516 * @new: points to the set of credentials to be modified
1517 * @inode: points to the inode to use as a reference
1518 *
1519 * Set the file creation context in a set of credentials to the same
1520 * as the objective context of the specified inode
1521 */
1524 {
1531 }
1533 /**
1534 * smk_curacc_on_task - helper to log task related access
1535 * @p: the task object
1536 * @access: the access requested
1537 * @caller: name of the calling function for audit
1538 *
1539 * Return 0 if access is permitted
1540 */
1543 {
1550 }
1552 /**
1553 * smack_task_setpgid - Smack check on setting pgid
1554 * @p: the task object
1555 * @pgid: unused
1556 *
1557 * Return 0 if write access is permitted
1558 */
1560 {
1562 }
1564 /**
1565 * smack_task_getpgid - Smack access check for getpgid
1566 * @p: the object task
1567 *
1568 * Returns 0 if current can read the object task, error code otherwise
1569 */
1571 {
1573 }
1575 /**
1576 * smack_task_getsid - Smack access check for getsid
1577 * @p: the object task
1578 *
1579 * Returns 0 if current can read the object task, error code otherwise
1580 */
1582 {
1584 }
1586 /**
1587 * smack_task_getsecid - get the secid of the task
1588 * @p: the object task
1589 * @secid: where to put the result
1590 *
1591 * Sets the secid to contain a u32 version of the smack label.
1592 */
1594 {
1598 }
1600 /**
1601 * smack_task_setnice - Smack check on setting nice
1602 * @p: the task object
1603 * @nice: unused
1604 *
1605 * Return 0 if write access is permitted
1606 */
1608 {
1615 }
1617 /**
1618 * smack_task_setioprio - Smack check on setting ioprio
1619 * @p: the task object
1620 * @ioprio: unused
1621 *
1622 * Return 0 if write access is permitted
1623 */
1625 {
1632 }
1634 /**
1635 * smack_task_getioprio - Smack check on reading ioprio
1636 * @p: the task object
1637 *
1638 * Return 0 if read access is permitted
1639 */
1641 {
1643 }
1645 /**
1646 * smack_task_setscheduler - Smack check on setting scheduler
1647 * @p: the task object
1648 * @policy: unused
1649 * @lp: unused
1650 *
1651 * Return 0 if read access is permitted
1652 */
1654 {
1661 }
1663 /**
1664 * smack_task_getscheduler - Smack check on reading scheduler
1665 * @p: the task object
1666 *
1667 * Return 0 if read access is permitted
1668 */
1670 {
1672 }
1674 /**
1675 * smack_task_movememory - Smack check on moving memory
1676 * @p: the task object
1677 *
1678 * Return 0 if write access is permitted
1679 */
1681 {
1683 }
1685 /**
1686 * smack_task_kill - Smack check on signal delivery
1687 * @p: the task object
1688 * @info: unused
1689 * @sig: unused
1690 * @secid: identifies the smack to use in lieu of current's
1691 *
1692 * Return 0 if write access is permitted
1693 *
1694 * The secid behavior is an artifact of an SELinux hack
1695 * in the USB code. Someday it may go away.
1696 */
1699 {
1706 /*
1707 * Sending a signal requires that the sender
1708 * can write the receiver.
1709 */
1712 /*
1713 * If the secid isn't 0 we're dealing with some USB IO
1714 * specific behavior. This is not clean. For one thing
1715 * we can't take privilege into account.
1716 */
1719 }
1721 /**
1722 * smack_task_wait - Smack access check for waiting
1723 * @p: task to wait for
1724 *
1725 * Returns 0
1726 */
1728 {
1729 /*
1730 * Allow the operation to succeed.
1731 * Zombies are bad.
1732 * In userless environments (e.g. phones) programs
1733 * get marked with SMACK64EXEC and even if the parent
1734 * and child shouldn't be talking the parent still
1735 * may expect to know when the child exits.
1736 */
1738 }
1740 /**
1741 * smack_task_to_inode - copy task smack into the inode blob
1742 * @p: task to copy from
1743 * @inode: inode to copy to
1744 *
1745 * Sets the smack pointer in the inode security blob
1746 */
1748 {
1753 }
1755 /*
1756 * Socket hooks.
1757 */
1759 /**
1760 * smack_sk_alloc_security - Allocate a socket blob
1761 * @sk: the socket
1762 * @family: unused
1763 * @gfp_flags: memory allocation flags
1764 *
1765 * Assign Smack pointers to current
1766 *
1767 * Returns 0 on success, -ENOMEM is there's no memory
1768 */
1770 {
1785 }
1787 /**
1788 * smack_sk_free_security - Free a socket blob
1789 * @sk: the socket
1790 *
1791 * Clears the blob pointer
1792 */
1794 {
1796 }
1798 /**
1799 * smack_host_label - check host based restrictions
1800 * @sip: the object end
1801 *
1802 * looks for host based access restrictions
1803 *
1804 * This version will only be appropriate for really small sets of single label
1805 * hosts. The caller is responsible for ensuring that the RCU read lock is
1806 * taken before calling this function.
1807 *
1808 * Returns the label of the far end or NULL if it's not special.
1809 */
1811 {
1819 /*
1820 * we break after finding the first match because
1821 * the list is sorted from longest to shortest mask
1822 * so we have found the most specific match
1823 */
1826 /* we have found the special CIPSO option */
1830 }
1833 }
1835 /**
1836 * smack_netlabel - Set the secattr on a socket
1837 * @sk: the socket
1838 * @labeled: socket label scheme
1839 *
1840 * Convert the outbound smack value (smk_out) to a
1841 * secattr and attach it to the socket.
1842 *
1843 * Returns 0 on success or an error code
1844 */
1846 {
1851 /*
1852 * Usually the netlabel code will handle changing the
1853 * packet labeling based on the label.
1854 * The case of a single label host is different, because
1855 * a single label host should never get a labeled packet
1856 * even though the label is usually associated with a packet
1857 * label.
1858 */
1868 }
1874 }
1876 /**
1877 * smack_netlbel_send - Set the secattr on a socket and perform access checks
1878 * @sk: the socket
1879 * @sap: the destination address
1880 *
1881 * Set the correct secattr for the given socket based on the destination
1882 * address and perform any outbound access checks needed.
1883 *
1884 * Returns 0 on success or an error code.
1885 *
1886 */
1888 {
1899 #ifdef CONFIG_AUDIT
1906 #endif
1913 }
1919 }
1921 /**
1922 * smk_ipv6_port_label - Smack port access table management
1923 * @sock: socket
1924 * @address: address
1925 *
1926 * Create or update the port list entry
1927 */
1929 {
1937 /*
1938 * This operation is changing the Smack information
1939 * on the bound socket. Take the changes to the port
1940 * as well.
1941 */
1948 }
1949 /*
1950 * A NULL address is only used for updating existing
1951 * bound entries. If there isn't one, it's OK.
1952 */
1954 }
1958 /*
1959 * This is a special case that is safely ignored.
1960 */
1964 /*
1965 * Look for an existing port list entry.
1966 * This is an indication that a port is getting reused.
1967 */
1976 }
1978 /*
1979 * A new port entry is required.
1980 */
1992 }
1994 /**
1995 * smk_ipv6_port_check - check Smack port access
1996 * @sock: socket
1997 * @address: address
1998 *
1999 * Create or update the port list entry
2000 */
2003 {
2013 #ifdef CONFIG_AUDIT
2015 #endif
2023 }
2025 /*
2026 * Get the IP address and port from the address.
2027 */
2033 /*
2034 * It's remote, so port lookup does no good.
2035 */
2039 /*
2040 * It's local so the send check has to have passed.
2041 */
2045 }
2054 }
2056 auditout:
2058 #ifdef CONFIG_AUDIT
2064 else
2066 #endif
2068 }
2070 /**
2071 * smack_inode_setsecurity - set smack xattrs
2072 * @inode: the object
2073 * @name: attribute name
2074 * @value: attribute value
2075 * @size: size of the attribute
2076 * @flags: unused
2077 *
2078 * Sets the named attribute in the appropriate blob
2079 *
2080 * Returns 0 on success, or an error code
2081 */
2084 {
2102 }
2103 /*
2104 * The rest of the Smack xattrs are only on sockets.
2105 */
2125 }
2133 }
2135 /**
2136 * smack_socket_post_create - finish socket setup
2137 * @sock: the socket
2138 * @family: protocol family
2139 * @type: unused
2140 * @protocol: unused
2141 * @kern: unused
2142 *
2143 * Sets the netlabel information on the socket
2144 *
2145 * Returns 0 on success, and error code otherwise
2146 */
2149 {
2152 /*
2153 * Set the outbound netlbl.
2154 */
2156 }
2158 /**
2159 * smack_socket_bind - record port binding information.
2160 * @sock: the socket
2161 * @address: the port address
2162 * @addrlen: size of the address
2163 *
2164 * Records the label bound to a port.
2165 *
2166 * Returns 0
2167 */
2170 {
2175 }
2177 /**
2178 * smack_socket_connect - connect access check
2179 * @sock: the socket
2180 * @sap: the other end
2181 * @addrlen: size of sap
2182 *
2183 * Verifies that a connection may be possible
2184 *
2185 * Returns 0 on success, and error code otherwise
2186 */
2189 {
2206 }
2208 }
2210 /**
2211 * smack_flags_to_may - convert S_ to MAY_ values
2212 * @flags: the S_ value
2213 *
2214 * Returns the equivalent MAY_ value
2215 */
2217 {
2228 }
2230 /**
2231 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
2232 * @msg: the object
2233 *
2234 * Returns 0
2235 */
2237 {
2242 }
2244 /**
2245 * smack_msg_msg_free_security - Clear the security blob for msg_msg
2246 * @msg: the object
2247 *
2248 * Clears the blob pointer
2249 */
2251 {
2253 }
2255 /**
2256 * smack_of_shm - the smack pointer for the shm
2257 * @shp: the object
2258 *
2259 * Returns a pointer to the smack value
2260 */
2262 {
2264 }
2266 /**
2267 * smack_shm_alloc_security - Set the security blob for shm
2268 * @shp: the object
2269 *
2270 * Returns 0
2271 */
2273 {
2279 }
2281 /**
2282 * smack_shm_free_security - Clear the security blob for shm
2283 * @shp: the object
2284 *
2285 * Clears the blob pointer
2286 */
2288 {
2292 }
2294 /**
2295 * smk_curacc_shm : check if current has access on shm
2296 * @shp : the object
2297 * @access : access requested
2298 *
2299 * Returns 0 if current has the requested access, error code otherwise
2300 */
2302 {
2306 #ifdef CONFIG_AUDIT
2309 #endif
2311 }
2313 /**
2314 * smack_shm_associate - Smack access check for shm
2315 * @shp: the object
2316 * @shmflg: access requested
2317 *
2318 * Returns 0 if current has the requested access, error code otherwise
2319 */
2321 {
2326 }
2328 /**
2329 * smack_shm_shmctl - Smack access check for shm
2330 * @shp: the object
2331 * @cmd: what it wants to do
2332 *
2333 * Returns 0 if current has the requested access, error code otherwise
2334 */
2336 {
2352 /*
2353 * System level information.
2354 */
2358 }
2360 }
2362 /**
2363 * smack_shm_shmat - Smack access for shmat
2364 * @shp: the object
2365 * @shmaddr: unused
2366 * @shmflg: access requested
2367 *
2368 * Returns 0 if current has the requested access, error code otherwise
2369 */
2372 {
2377 }
2379 /**
2380 * smack_of_sem - the smack pointer for the sem
2381 * @sma: the object
2382 *
2383 * Returns a pointer to the smack value
2384 */
2386 {
2388 }
2390 /**
2391 * smack_sem_alloc_security - Set the security blob for sem
2392 * @sma: the object
2393 *
2394 * Returns 0
2395 */
2397 {
2403 }
2405 /**
2406 * smack_sem_free_security - Clear the security blob for sem
2407 * @sma: the object
2408 *
2409 * Clears the blob pointer
2410 */
2412 {
2416 }
2418 /**
2419 * smk_curacc_sem : check if current has access on sem
2420 * @sma : the object
2421 * @access : access requested
2422 *
2423 * Returns 0 if current has the requested access, error code otherwise
2424 */
2426 {
2430 #ifdef CONFIG_AUDIT
2433 #endif
2435 }
2437 /**
2438 * smack_sem_associate - Smack access check for sem
2439 * @sma: the object
2440 * @semflg: access requested
2441 *
2442 * Returns 0 if current has the requested access, error code otherwise
2443 */
2445 {
2450 }
2452 /**
2453 * smack_sem_shmctl - Smack access check for sem
2454 * @sma: the object
2455 * @cmd: what it wants to do
2456 *
2457 * Returns 0 if current has the requested access, error code otherwise
2458 */
2460 {
2481 /*
2482 * System level information
2483 */
2487 }
2490 }
2492 /**
2493 * smack_sem_semop - Smack checks of semaphore operations
2494 * @sma: the object
2495 * @sops: unused
2496 * @nsops: unused
2497 * @alter: unused
2498 *
2499 * Treated as read and write in all cases.
2500 *
2501 * Returns 0 if access is allowed, error code otherwise
2502 */
2505 {
2507 }
2509 /**
2510 * smack_msg_alloc_security - Set the security blob for msg
2511 * @msq: the object
2512 *
2513 * Returns 0
2514 */
2516 {
2522 }
2524 /**
2525 * smack_msg_free_security - Clear the security blob for msg
2526 * @msq: the object
2527 *
2528 * Clears the blob pointer
2529 */
2531 {
2535 }
2537 /**
2538 * smack_of_msq - the smack pointer for the msq
2539 * @msq: the object
2540 *
2541 * Returns a pointer to the smack value
2542 */
2544 {
2546 }
2548 /**
2549 * smk_curacc_msq : helper to check if current has access on msq
2550 * @msq : the msq
2551 * @access : access requested
2552 *
2553 * return 0 if current has access, error otherwise
2554 */
2556 {
2560 #ifdef CONFIG_AUDIT
2563 #endif
2565 }
2567 /**
2568 * smack_msg_queue_associate - Smack access check for msg_queue
2569 * @msq: the object
2570 * @msqflg: access requested
2571 *
2572 * Returns 0 if current has the requested access, error code otherwise
2573 */
2575 {
2580 }
2582 /**
2583 * smack_msg_queue_msgctl - Smack access check for msg_queue
2584 * @msq: the object
2585 * @cmd: what it wants to do
2586 *
2587 * Returns 0 if current has the requested access, error code otherwise
2588 */
2590 {
2604 /*
2605 * System level information
2606 */
2610 }
2613 }
2615 /**
2616 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2617 * @msq: the object
2618 * @msg: unused
2619 * @msqflg: access requested
2620 *
2621 * Returns 0 if current has the requested access, error code otherwise
2622 */
2625 {
2630 }
2632 /**
2633 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2634 * @msq: the object
2635 * @msg: unused
2636 * @target: unused
2637 * @type: unused
2638 * @mode: unused
2639 *
2640 * Returns 0 if current has read and write access, error code otherwise
2641 */
2644 {
2646 }
2648 /**
2649 * smack_ipc_permission - Smack access for ipc_permission()
2650 * @ipp: the object permissions
2651 * @flag: access requested
2652 *
2653 * Returns 0 if current has read and write access, error code otherwise
2654 */
2656 {
2661 #ifdef CONFIG_AUDIT
2664 #endif
2666 }
2668 /**
2669 * smack_ipc_getsecid - Extract smack security id
2670 * @ipp: the object permissions
2671 * @secid: where result will be saved
2672 */
2674 {
2678 }
2680 /**
2681 * smack_d_instantiate - Make sure the blob is correct on an inode
2682 * @opt_dentry: dentry where inode will be attached
2683 * @inode: the object
2684 *
2685 * Set the inode's security blob if it hasn't been done already.
2686 */
2688 {
2706 /*
2707 * If the inode is already instantiated
2708 * take the quick way out
2709 */
2715 /*
2716 * We're going to use the superblock default label
2717 * if there's no label on the file.
2718 */
2721 /*
2722 * If this is the root inode the superblock
2723 * may be in the process of initialization.
2724 * If that is the case use the root value out
2725 * of the superblock.
2726 */
2731 }
2733 /*
2734 * This is pretty hackish.
2735 * Casey says that we shouldn't have to do
2736 * file system specific code, but it does help
2737 * with keeping it simple.
2738 */
2741 /*
2742 * Casey says that it's a little embarrassing
2743 * that the smack file system doesn't do
2744 * extended attributes.
2745 */
2749 /*
2750 * Casey says pipes are easy (?)
2751 */
2755 /*
2756 * devpts seems content with the label of the task.
2757 * Programs that change smack have to treat the
2758 * pty with respect.
2759 */
2763 /*
2764 * Socket access is controlled by the socket
2765 * structures associated with the task involved.
2766 */
2770 /*
2771 * Casey says procfs appears not to care.
2772 * The superblock default suffices.
2773 */
2776 /*
2777 * Device labels should come from the filesystem,
2778 * but watch out, because they're volitile,
2779 * getting recreated on every reboot.
2780 */
2782 /*
2783 * No break.
2784 *
2785 * If a smack value has been set we want to use it,
2786 * but since tmpfs isn't giving us the opportunity
2787 * to set mount options simulate setting the
2788 * superblock default.
2789 */
2791 /*
2792 * This isn't an understood special case.
2793 * Get the value from the xattr.
2794 */
2796 /*
2797 * UNIX domain sockets use lower level socket data.
2798 */
2802 }
2803 /*
2804 * No xattr support means, alas, no SMACK label.
2805 * Use the aforeapplied default.
2806 * It would be curious if the label of the task
2807 * does not match that assigned.
2808 */
2811 /*
2812 * Get the dentry for xattr.
2813 */
2819 /*
2820 * Transmuting directory
2821 */
2823 /*
2824 * If this is a new directory and the label was
2825 * transmuted when the inode was initialized
2826 * set the transmute attribute on the directory
2827 * and mark the inode.
2828 *
2829 * If there is a transmute attribute on the
2830 * directory mark the inode.
2831 */
2835 XATTR_NAME_SMACKTRANSMUTE,
2841 TRANS_TRUE_SIZE);
2845 }
2848 }
2854 }
2858 else
2863 unlockandout:
2866 }
2868 /**
2869 * smack_getprocattr - Smack process attribute access
2870 * @p: the object task
2871 * @name: the name of the attribute in /proc/.../attr
2872 * @value: where to put the result
2873 *
2874 * Places a copy of the task Smack into value
2875 *
2876 * Returns the length of the smack label or an error code
2877 */
2879 {
2894 }
2896 /**
2897 * smack_setprocattr - Smack process attribute setting
2898 * @p: the object task
2899 * @name: the name of the attribute in /proc/.../attr
2900 * @value: the value to set
2901 * @size: the size of the value
2902 *
2903 * Sets the Smack value of the task. Only setting self
2904 * is permitted and only with privilege
2905 *
2906 * Returns the length of the smack label or an error code
2907 */
2910 {
2915 /*
2916 * Changing another process' Smack value is too dangerous
2917 * and supports no sane use case.
2918 */
2935 /*
2936 * No process is ever allowed the web ("@") label.
2937 */
2950 }
2952 /**
2953 * smack_unix_stream_connect - Smack access on UDS
2954 * @sock: one sock
2955 * @other: the other sock
2956 * @newsk: unused
2957 *
2958 * Return 0 if a subject with the smack of sock could access
2959 * an object with the smack of other, otherwise an error code
2960 */
2963 {
2971 #ifdef CONFIG_AUDIT
2976 #endif
2981 }
2983 /*
2984 * Cross reference the peer labels for SO_PEERSEC.
2985 */
2989 }
2992 }
2994 /**
2995 * smack_unix_may_send - Smack access on UDS
2996 * @sock: one socket
2997 * @other: the other socket
2998 *
2999 * Return 0 if a subject with the smack of sock could access
3000 * an object with the smack of other, otherwise an error code
3001 */
3003 {
3009 #ifdef CONFIG_AUDIT
3014 #endif
3021 }
3023 /**
3024 * smack_socket_sendmsg - Smack check based on destination host
3025 * @sock: the socket
3026 * @msg: the message
3027 * @size: the size of the message
3028 *
3029 * Return 0 if the current subject can write to the destination host.
3030 * For IPv4 this is only a question if the destination is a single label host.
3031 * For IPv6 this is a check against the label of the port.
3032 */
3035 {
3040 /*
3041 * Perfectly reasonable for this to be NULL
3042 */
3053 }
3055 }
3057 /**
3058 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3059 * @sap: netlabel secattr
3060 * @ssp: socket security information
3061 *
3062 * Returns a pointer to a Smack label entry found on the label list.
3063 */
3066 {
3071 /*
3072 * Looks like a CIPSO packet.
3073 * If there are flags but no level netlabel isn't
3074 * behaving the way we expect it to.
3075 *
3076 * Look it up in the label table
3077 * Without guidance regarding the smack value
3078 * for the packet fall back on the network
3079 * ambient value.
3080 */
3091 }
3100 }
3102 /*
3103 * Looks like a fallback, which gives us a secid.
3104 */
3106 /*
3107 * This has got to be a bug because it is
3108 * impossible to specify a fallback without
3109 * specifying the label, which will ensure
3110 * it has a secid, and the only way to get a
3111 * secid is from a fallback.
3112 */
3115 }
3116 /*
3117 * Without guidance regarding the smack value
3118 * for the packet fall back on the network
3119 * ambient value.
3120 */
3122 }
3125 {
3127 u8 nexthdr;
3132 __be16 frag_off;
3168 }
3170 }
3172 /**
3173 * smack_socket_sock_rcv_skb - Smack packet delivery access check
3174 * @sk: socket
3175 * @skb: packet
3176 *
3177 * Returns 0 if the packet should be delivered, an error code otherwise
3178 */
3180 {
3187 #ifdef CONFIG_AUDIT
3189 #endif
3192 /*
3193 * Translate what netlabel gave us.
3194 */
3200 else
3205 #ifdef CONFIG_AUDIT
3210 #endif
3211 /*
3212 * Receiving a packet requires that the other end
3213 * be able to write here. Read access is not required.
3214 * This is the simplist possible security model
3215 * for networking.
3216 */
3225 else
3228 }
3230 }
3232 /**
3233 * smack_socket_getpeersec_stream - pull in packet label
3234 * @sock: the socket
3235 * @optval: user's destination
3236 * @optlen: size thereof
3237 * @len: max thereof
3238 *
3239 * returns zero on success, an error code otherwise
3240 */
3244 {
3254 }
3265 }
3268 /**
3269 * smack_socket_getpeersec_dgram - pull in packet label
3270 * @sock: the peer socket
3271 * @skb: packet data
3272 * @secid: pointer to where to put the secid of the packet
3273 *
3274 * Sets the netlabel socket state on sk from parent
3275 */
3279 {
3292 }
3300 /*
3301 * Translate what netlabel gave us.
3302 */
3310 }
3312 }
3317 }
3319 /**
3320 * smack_sock_graft - Initialize a newly created socket with an existing sock
3321 * @sk: child sock
3322 * @parent: parent socket
3323 *
3324 * Set the smk_{in,out} state of an existing sock based on the process that
3325 * is creating the new socket.
3326 */
3328 {
3339 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
3340 }
3342 /**
3343 * smack_inet_conn_request - Smack access check on connect
3344 * @sk: socket involved
3345 * @skb: packet
3346 * @req: unused
3347 *
3348 * Returns 0 if a task with the packet label could write to
3349 * the socket, otherwise an error code
3350 */
3353 {
3363 #ifdef CONFIG_AUDIT
3365 #endif
3368 /*
3369 * Handle mapped IPv4 packets arriving
3370 * via IPv6 sockets. Don't set up netlabel
3371 * processing on IPv6.
3372 */
3375 else
3377 }
3383 else
3387 #ifdef CONFIG_AUDIT
3392 #endif
3393 /*
3394 * Receiving a packet requires that the other end be able to write
3395 * here. Read access is not required.
3396 */
3401 /*
3402 * Save the peer's label in the request_sock so we can later setup
3403 * smk_packet in the child socket so that SO_PEERCRED can report it.
3404 */
3407 /*
3408 * We need to decide if we want to label the incoming connection here
3409 * if we do we only need to label the request_sock and the stack will
3410 * propagate the wire-label to the sock when it is created.
3411 */
3420 else
3424 }
3426 /**
3427 * smack_inet_csk_clone - Copy the connection information to the new socket
3428 * @sk: the new socket
3429 * @req: the connection's request_sock
3430 *
3431 * Transfer the connection's peer label to the newly created socket.
3432 */
3435 {
3444 }
3446 /*
3447 * Key management security hooks
3448 *
3449 * Casey has not tested key support very heavily.
3450 * The permission check is most likely too restrictive.
3451 * If you care about keys please have a look.
3452 */
3453 #ifdef CONFIG_KEYS
3455 /**
3456 * smack_key_alloc - Set the key security blob
3457 * @key: object
3458 * @cred: the credentials to use
3459 * @flags: unused
3460 *
3461 * No allocation required
3462 *
3463 * Returns 0
3464 */
3467 {
3472 }
3474 /**
3475 * smack_key_free - Clear the key security blob
3476 * @key: the object
3477 *
3478 * Clear the blob pointer
3479 */
3481 {
3483 }
3485 /*
3486 * smack_key_permission - Smack access on a key
3487 * @key_ref: gets to the object
3488 * @cred: the credentials to use
3489 * @perm: unused
3490 *
3491 * Return 0 if the task has read and write to the object,
3492 * an error code otherwise
3493 */
3496 {
3504 /*
3505 * If the key hasn't been initialized give it access so that
3506 * it may do so.
3507 */
3510 /*
3511 * This should not occur
3512 */
3515 #ifdef CONFIG_AUDIT
3519 #endif
3521 }
3524 /*
3525 * Smack Audit hooks
3526 *
3527 * Audit requires a unique representation of each Smack specific
3528 * rule. This unique representation is used to distinguish the
3529 * object to be audited from remaining kernel objects and also
3530 * works as a glue between the audit hooks.
3531 *
3532 * Since repository entries are added but never deleted, we'll use
3533 * the smack_known label address related to the given audit rule as
3534 * the needed unique representation. This also better fits the smack
3535 * model where nearly everything is a label.
3536 */
3537 #ifdef CONFIG_AUDIT
3539 /**
3540 * smack_audit_rule_init - Initialize a smack audit rule
3541 * @field: audit rule fields given from user-space (audit.h)
3542 * @op: required testing operator (=, !=, >, <, ...)
3543 * @rulestr: smack label to be audited
3544 * @vrule: pointer to save our own audit rule representation
3545 *
3546 * Prepare to audit cases where (@field @op @rulestr) is true.
3547 * The label to be audited is created if necessay.
3548 */
3550 {
3563 }
3565 /**
3566 * smack_audit_rule_known - Distinguish Smack audit rules
3567 * @krule: rule of interest, in Audit kernel representation format
3568 *
3569 * This is used to filter Smack rules from remaining Audit ones.
3570 * If it's proved that this rule belongs to us, the
3571 * audit_rule_match hook will be called to do the final judgement.
3572 */
3574 {
3583 }
3586 }
3588 /**
3589 * smack_audit_rule_match - Audit given object ?
3590 * @secid: security id for identifying the object to test
3591 * @field: audit rule flags given from user-space
3592 * @op: required testing operator
3593 * @vrule: smack internal rule presentation
3594 * @actx: audit context associated with the check
3595 *
3596 * The core Audit hook. It's used to take the decision of
3597 * whether to audit or not to audit a given object.
3598 */
3601 {
3609 }
3616 /*
3617 * No need to do string comparisons. If a match occurs,
3618 * both pointers will point to the same smack_known
3619 * label.
3620 */
3627 }
3629 /**
3630 * smack_audit_rule_free - free smack rule representation
3631 * @vrule: rule to be freed.
3632 *
3633 * No memory was allocated.
3634 */
3636 {
3637 /* No-op */
3638 }
3642 /**
3643 * smack_ismaclabel - check if xattr @name references a smack MAC label
3644 * @name: Full xattr name to check.
3645 */
3647 {
3649 }
3652 /**
3653 * smack_secid_to_secctx - return the smack label for a secid
3654 * @secid: incoming integer
3655 * @secdata: destination
3656 * @seclen: how long it is
3657 *
3658 * Exists for networking code.
3659 */
3661 {
3668 }
3670 /**
3671 * smack_secctx_to_secid - return the secid for a smack label
3672 * @secdata: smack label
3673 * @seclen: how long result is
3674 * @secid: outgoing integer
3675 *
3676 * Exists for audit and networking code.
3677 */
3679 {
3682 }
3684 /**
3685 * smack_release_secctx - don't do anything.
3686 * @secdata: unused
3687 * @seclen: unused
3688 *
3689 * Exists to make sure nothing gets done, and properly
3690 */
3692 {
3693 }
3696 {
3698 }
3701 {
3703 }
3706 {
3714 }
3834 /* key management security hooks */
3835 #ifdef CONFIG_KEYS
3841 /* Audit hooks */
3842 #ifdef CONFIG_AUDIT
3856 };
3860 {
3861 /*
3862 * Initialize rule list locks
3863 */
3870 /*
3871 * Initialize rule lists
3872 */
3879 /*
3880 * Create the known labels list
3881 */
3888 }
3890 /**
3891 * smack_init - initialize the smack system
3892 *
3893 * Returns 0
3894 */
3896 {
3904 GFP_KERNEL);
3910 /*
3911 * Set the security state for the initial task.
3912 */
3916 /* initialize the smack_known_list */
3919 /*
3920 * Register with LSM
3921 */
3926 }
3928 /*
3929 * Smack requires early initialization in order to label
3930 * all processes and objects when they are created.
3931 */