| blob | fdfeaa2f28ec641bc5b86f24c765d6ff49d2d702 |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Author:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 *
9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2,
15 * as published by the Free Software Foundation.
16 */
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/ext2_fs.h>
23 #include <linux/kd.h>
24 #include <asm/ioctls.h>
25 #include <linux/ip.h>
26 #include <linux/tcp.h>
27 #include <linux/udp.h>
28 #include <linux/slab.h>
29 #include <linux/mutex.h>
30 #include <linux/pipe_fs_i.h>
31 #include <net/netlabel.h>
32 #include <net/cipso_ipv4.h>
33 #include <linux/audit.h>
34 #include <linux/magic.h>
37 #define task_security(task) (task_cred_xxx((task), security))
39 /**
40 * smk_fetch - Fetch the smack label from a file.
41 * @ip: a pointer to the inode
42 * @dp: a pointer to the dentry
43 *
44 * Returns a pointer to the master list entry for the Smack label
45 * or NULL if there was no label to fetch.
46 */
48 {
60 }
62 /**
63 * new_inode_smack - allocate an inode security blob
64 * @smack: a pointer to the Smack label to use in the blob
65 *
66 * Returns the new blob or NULL if there's no memory available
67 */
69 {
81 }
83 /*
84 * LSM hooks.
85 * We he, that is fun!
86 */
88 /**
89 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
90 * @ctp: child task pointer
91 * @mode: ptrace attachment mode
92 *
93 * Returns 0 if access is OK, an error code otherwise
94 *
95 * Do the capability checks, and require read and write.
96 */
98 {
112 /* we won't log here, because rc can be overriden */
119 }
121 /**
122 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
123 * @ptp: parent task pointer
124 *
125 * Returns 0 if access is OK, an error code otherwise
126 *
127 * Do the capability checks, and require read and write.
128 */
130 {
144 /* we won't log here, because rc can be overriden */
151 }
153 /**
154 * smack_syslog - Smack approval on syslog
155 * @type: message type
156 *
157 * Require that the task has the floor label
158 *
159 * Returns 0 on success, error code otherwise.
160 */
162 {
177 }
180 /*
181 * Superblock Hooks.
182 */
184 /**
185 * smack_sb_alloc_security - allocate a superblock blob
186 * @sb: the superblock getting the blob
187 *
188 * Returns 0 on success or -ENOMEM on error.
189 */
191 {
209 }
211 /**
212 * smack_sb_free_security - free a superblock blob
213 * @sb: the superblock getting the blob
214 *
215 */
217 {
220 }
222 /**
223 * smack_sb_copy_data - copy mount options data for processing
224 * @orig: where to start
225 * @smackopts: mount options string
226 *
227 * Returns 0 on success or -ENOMEM on error.
228 *
229 * Copy the Smack specific mount options out of the mount
230 * options list.
231 */
233 {
249 else
259 }
265 }
267 /**
268 * smack_sb_kern_mount - Smack specific mount processing
269 * @sb: the file system superblock
270 * @flags: the mount flags
271 * @data: the smack mount options
272 *
273 * Returns 0 on success, an error code on failure
274 */
276 {
289 }
319 }
320 }
322 /*
323 * Initialize the root inode.
324 */
328 else
332 }
334 /**
335 * smack_sb_statfs - Smack check on statfs
336 * @dentry: identifies the file system in question
337 *
338 * Returns 0 if current can read the floor of the filesystem,
339 * and error code otherwise
340 */
342 {
352 }
354 /**
355 * smack_sb_mount - Smack check for mounting
356 * @dev_name: unused
357 * @path: mount point
358 * @type: unused
359 * @flags: unused
360 * @data: unused
361 *
362 * Returns 0 if current can write the floor of the filesystem
363 * being mounted on, an error code otherwise.
364 */
367 {
375 }
377 /**
378 * smack_sb_umount - Smack check for unmounting
379 * @mnt: file system to unmount
380 * @flags: unused
381 *
382 * Returns 0 if current can write the floor of the filesystem
383 * being unmounted, an error code otherwise.
384 */
386 {
396 }
398 /*
399 * Inode hooks
400 */
402 /**
403 * smack_inode_alloc_security - allocate an inode blob
404 * @inode: the inode in need of a blob
405 *
406 * Returns 0 if it gets a blob, -ENOMEM otherwise
407 */
409 {
414 }
416 /**
417 * smack_inode_free_security - free an inode blob
418 * @inode: the inode with a blob
419 *
420 * Clears the blob pointer in inode
421 */
423 {
426 }
428 /**
429 * smack_inode_init_security - copy out the smack from an inode
430 * @inode: the inode
431 * @dir: unused
432 * @name: where to put the attribute name
433 * @value: where to put the attribute value
434 * @len: where to put the length of the attribute
435 *
436 * Returns 0 if it all works out, -ENOMEM if there's no memory
437 */
440 {
447 }
453 }
459 }
461 /**
462 * smack_inode_link - Smack check on link
463 * @old_dentry: the existing object
464 * @dir: unused
465 * @new_dentry: the new object
466 *
467 * Returns 0 if access is permitted, an error code otherwise
468 */
471 {
486 }
489 }
491 /**
492 * smack_inode_unlink - Smack check on inode deletion
493 * @dir: containing directory object
494 * @dentry: file to unlink
495 *
496 * Returns 0 if current can write the containing directory
497 * and the object, error code otherwise
498 */
500 {
508 /*
509 * You need write access to the thing you're unlinking
510 */
513 /*
514 * You also need write access to the containing directory
515 */
519 }
521 }
523 /**
524 * smack_inode_rmdir - Smack check on directory deletion
525 * @dir: containing directory object
526 * @dentry: directory to unlink
527 *
528 * Returns 0 if current can write the containing directory
529 * and the directory, error code otherwise
530 */
532 {
539 /*
540 * You need write access to the thing you're removing
541 */
544 /*
545 * You also need write access to the containing directory
546 */
550 }
553 }
555 /**
556 * smack_inode_rename - Smack check on rename
557 * @old_inode: the old directory
558 * @old_dentry: unused
559 * @new_inode: the new directory
560 * @new_dentry: unused
561 *
562 * Read and write access is required on both the old and
563 * new directories.
564 *
565 * Returns 0 if access is permitted, an error code otherwise
566 */
571 {
586 }
588 }
590 /**
591 * smack_inode_permission - Smack version of permission()
592 * @inode: the inode in question
593 * @mask: the access requested
594 *
595 * This is the important Smack hook.
596 *
597 * Returns 0 if access is permitted, -EACCES otherwise
598 */
600 {
602 /*
603 * No permission to check. Existence test. Yup, it's there.
604 */
610 }
612 /**
613 * smack_inode_setattr - Smack check for setting attributes
614 * @dentry: the object
615 * @iattr: for the force flag
616 *
617 * Returns 0 if access is permitted, an error code otherwise
618 */
620 {
622 /*
623 * Need to allow for clearing the setuid bit.
624 */
631 }
633 /**
634 * smack_inode_getattr - Smack check for getting attributes
635 * @mnt: unused
636 * @dentry: the object
637 *
638 * Returns 0 if access is permitted, an error code otherwise
639 */
641 {
648 }
650 /**
651 * smack_inode_setxattr - Smack check for setting xattrs
652 * @dentry: the object
653 * @name: name of the attribute
654 * @value: unused
655 * @size: unused
656 * @flags: unused
657 *
658 * This protects the Smack attribute explicitly.
659 *
660 * Returns 0 if access is permitted, an error code otherwise
661 */
664 {
673 /*
674 * check label validity here so import wont fail on
675 * post_setxattr
676 */
690 }
692 /**
693 * smack_inode_post_setxattr - Apply the Smack update approved above
694 * @dentry: object
695 * @name: attribute name
696 * @value: attribute value
697 * @size: attribute size
698 * @flags: unused
699 *
700 * Set the pointer in the inode blob to the entry found
701 * in the master label list.
702 */
705 {
709 /*
710 * Not SMACK
711 */
717 /*
718 * No locking is done here. This is a pointer
719 * assignment.
720 */
724 else
728 }
730 /*
731 * smack_inode_getxattr - Smack check on getxattr
732 * @dentry: the object
733 * @name: unused
734 *
735 * Returns 0 if access is permitted, an error code otherwise
736 */
738 {
745 }
747 /*
748 * smack_inode_removexattr - Smack check on removexattr
749 * @dentry: the object
750 * @name: name of the attribute
751 *
752 * Removing the Smack attribute requires CAP_MAC_ADMIN
753 *
754 * Returns 0 if access is permitted, an error code otherwise
755 */
757 {
775 }
777 /**
778 * smack_inode_getsecurity - get smack xattrs
779 * @inode: the object
780 * @name: attribute name
781 * @buffer: where to put the result
782 * @alloc: unused
783 *
784 * Returns the size of the attribute or an error code
785 */
789 {
803 }
805 /*
806 * The rest of the Smack xattrs are only on sockets.
807 */
822 else
829 }
832 }
835 /**
836 * smack_inode_listsecurity - list the Smack attributes
837 * @inode: the object
838 * @buffer: where they go
839 * @buffer_size: size of buffer
840 *
841 * Returns 0 on success, -EINVAL otherwise
842 */
845 {
851 }
853 }
855 /**
856 * smack_inode_getsecid - Extract inode's security id
857 * @inode: inode to extract the info from
858 * @secid: where result will be saved
859 */
861 {
865 }
867 /*
868 * File Hooks
869 */
871 /**
872 * smack_file_permission - Smack check on file operations
873 * @file: unused
874 * @mask: unused
875 *
876 * Returns 0
877 *
878 * Should access checks be done on each read or write?
879 * UNICOS and SELinux say yes.
880 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
881 *
882 * I'll say no for now. Smack does not do the frequent
883 * label changing that SELinux does.
884 */
886 {
888 }
890 /**
891 * smack_file_alloc_security - assign a file security blob
892 * @file: the object
893 *
894 * The security blob for a file is a pointer to the master
895 * label list, so no allocation is done.
896 *
897 * Returns 0
898 */
900 {
903 }
905 /**
906 * smack_file_free_security - clear a file security blob
907 * @file: the object
908 *
909 * The security blob for a file is a pointer to the master
910 * label list, so no memory is freed.
911 */
913 {
915 }
917 /**
918 * smack_file_ioctl - Smack check on ioctls
919 * @file: the object
920 * @cmd: what to do
921 * @arg: unused
922 *
923 * Relies heavily on the correct use of the ioctl command conventions.
924 *
925 * Returns 0 if allowed, error code otherwise
926 */
929 {
943 }
945 /**
946 * smack_file_lock - Smack check on file locking
947 * @file: the object
948 * @cmd: unused
949 *
950 * Returns 0 if current has write access, error code otherwise
951 */
953 {
959 }
961 /**
962 * smack_file_fcntl - Smack check on fcntl
963 * @file: the object
964 * @cmd: what action to check
965 * @arg: unused
966 *
967 * Returns 0 if current has access, error code otherwise
968 */
971 {
997 }
1000 }
1002 /**
1003 * smack_file_set_fowner - set the file security blob value
1004 * @file: object in question
1005 *
1006 * Returns 0
1007 * Further research may be required on this one.
1008 */
1010 {
1013 }
1015 /**
1016 * smack_file_send_sigiotask - Smack on sigio
1017 * @tsk: The target task
1018 * @fown: the object the signal come from
1019 * @signum: unused
1020 *
1021 * Allow a privileged task to get signals even if it shouldn't
1022 *
1023 * Returns 0 if a subject with the object's smack could
1024 * write to the task, an error code otherwise.
1025 */
1028 {
1034 /*
1035 * struct fown_struct is never outside the context of a struct file
1036 */
1038 /* we don't log here as rc can be overriden */
1047 }
1049 /**
1050 * smack_file_receive - Smack file receive check
1051 * @file: the object
1052 *
1053 * Returns 0 if current has access, error code otherwise
1054 */
1056 {
1062 /*
1063 * This code relies on bitmasks.
1064 */
1071 }
1073 /*
1074 * Task hooks
1075 */
1077 /**
1078 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1079 * @new: the new credentials
1080 * @gfp: the atomicity of any memory allocations
1081 *
1082 * Prepare a blank set of credentials for modification. This must allocate all
1083 * the memory the LSM module might require such that cred_transfer() can
1084 * complete without error.
1085 */
1087 {
1090 }
1093 /**
1094 * smack_cred_free - "free" task-level security credentials
1095 * @cred: the credentials in question
1096 *
1097 * Smack isn't using copies of blobs. Everyone
1098 * points to an immutable list. The blobs never go away.
1099 * There is no leak here.
1100 */
1102 {
1104 }
1106 /**
1107 * smack_cred_prepare - prepare new set of credentials for modification
1108 * @new: the new credentials
1109 * @old: the original credentials
1110 * @gfp: the atomicity of any memory allocations
1111 *
1112 * Prepare a new set of credentials for modification.
1113 */
1115 gfp_t gfp)
1116 {
1119 }
1121 /**
1122 * smack_cred_commit - commit new credentials
1123 * @new: the new credentials
1124 * @old: the original credentials
1125 */
1127 {
1128 }
1130 /**
1131 * smack_cred_transfer - Transfer the old credentials to the new credentials
1132 * @new: the new credentials
1133 * @old: the original credentials
1134 *
1135 * Fill in a set of blank credentials from another set of credentials.
1136 */
1138 {
1140 }
1142 /**
1143 * smack_kernel_act_as - Set the subjective context in a set of credentials
1144 * @new: points to the set of credentials to be modified.
1145 * @secid: specifies the security ID to be set
1146 *
1147 * Set the security data for a kernel service.
1148 */
1150 {
1158 }
1160 /**
1161 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1162 * @new: points to the set of credentials to be modified
1163 * @inode: points to the inode to use as a reference
1164 *
1165 * Set the file creation context in a set of credentials to the same
1166 * as the objective context of the specified inode
1167 */
1170 {
1175 }
1177 /**
1178 * smk_curacc_on_task - helper to log task related access
1179 * @p: the task object
1180 * @access : the access requested
1181 *
1182 * Return 0 if access is permitted
1183 */
1185 {
1191 }
1193 /**
1194 * smack_task_setpgid - Smack check on setting pgid
1195 * @p: the task object
1196 * @pgid: unused
1197 *
1198 * Return 0 if write access is permitted
1199 */
1201 {
1203 }
1205 /**
1206 * smack_task_getpgid - Smack access check for getpgid
1207 * @p: the object task
1208 *
1209 * Returns 0 if current can read the object task, error code otherwise
1210 */
1212 {
1214 }
1216 /**
1217 * smack_task_getsid - Smack access check for getsid
1218 * @p: the object task
1219 *
1220 * Returns 0 if current can read the object task, error code otherwise
1221 */
1223 {
1225 }
1227 /**
1228 * smack_task_getsecid - get the secid of the task
1229 * @p: the object task
1230 * @secid: where to put the result
1231 *
1232 * Sets the secid to contain a u32 version of the smack label.
1233 */
1235 {
1237 }
1239 /**
1240 * smack_task_setnice - Smack check on setting nice
1241 * @p: the task object
1242 * @nice: unused
1243 *
1244 * Return 0 if write access is permitted
1245 */
1247 {
1254 }
1256 /**
1257 * smack_task_setioprio - Smack check on setting ioprio
1258 * @p: the task object
1259 * @ioprio: unused
1260 *
1261 * Return 0 if write access is permitted
1262 */
1264 {
1271 }
1273 /**
1274 * smack_task_getioprio - Smack check on reading ioprio
1275 * @p: the task object
1276 *
1277 * Return 0 if read access is permitted
1278 */
1280 {
1282 }
1284 /**
1285 * smack_task_setscheduler - Smack check on setting scheduler
1286 * @p: the task object
1287 * @policy: unused
1288 * @lp: unused
1289 *
1290 * Return 0 if read access is permitted
1291 */
1294 {
1301 }
1303 /**
1304 * smack_task_getscheduler - Smack check on reading scheduler
1305 * @p: the task object
1306 *
1307 * Return 0 if read access is permitted
1308 */
1310 {
1312 }
1314 /**
1315 * smack_task_movememory - Smack check on moving memory
1316 * @p: the task object
1317 *
1318 * Return 0 if write access is permitted
1319 */
1321 {
1323 }
1325 /**
1326 * smack_task_kill - Smack check on signal delivery
1327 * @p: the task object
1328 * @info: unused
1329 * @sig: unused
1330 * @secid: identifies the smack to use in lieu of current's
1331 *
1332 * Return 0 if write access is permitted
1333 *
1334 * The secid behavior is an artifact of an SELinux hack
1335 * in the USB code. Someday it may go away.
1336 */
1339 {
1344 /*
1345 * Sending a signal requires that the sender
1346 * can write the receiver.
1347 */
1350 /*
1351 * If the secid isn't 0 we're dealing with some USB IO
1352 * specific behavior. This is not clean. For one thing
1353 * we can't take privilege into account.
1354 */
1357 }
1359 /**
1360 * smack_task_wait - Smack access check for waiting
1361 * @p: task to wait for
1362 *
1363 * Returns 0 if current can wait for p, error code otherwise
1364 */
1366 {
1372 /* we don't log here, we can be overriden */
1377 /*
1378 * Allow the operation to succeed if either task
1379 * has privilege to perform operations that might
1380 * account for the smack labels having gotten to
1381 * be different in the first place.
1382 *
1383 * This breaks the strict subject/object access
1384 * control ideal, taking the object's privilege
1385 * state into account in the decision as well as
1386 * the smack value.
1387 */
1390 /* we log only if we didn't get overriden */
1391 out_log:
1396 }
1398 /**
1399 * smack_task_to_inode - copy task smack into the inode blob
1400 * @p: task to copy from
1401 * @inode: inode to copy to
1402 *
1403 * Sets the smack pointer in the inode security blob
1404 */
1406 {
1409 }
1411 /*
1412 * Socket hooks.
1413 */
1415 /**
1416 * smack_sk_alloc_security - Allocate a socket blob
1417 * @sk: the socket
1418 * @family: unused
1419 * @gfp_flags: memory allocation flags
1420 *
1421 * Assign Smack pointers to current
1422 *
1423 * Returns 0 on success, -ENOMEM is there's no memory
1424 */
1426 {
1441 }
1443 /**
1444 * smack_sk_free_security - Free a socket blob
1445 * @sk: the socket
1446 *
1447 * Clears the blob pointer
1448 */
1450 {
1452 }
1454 /**
1455 * smack_host_label - check host based restrictions
1456 * @sip: the object end
1457 *
1458 * looks for host based access restrictions
1459 *
1460 * This version will only be appropriate for really small sets of single label
1461 * hosts. The caller is responsible for ensuring that the RCU read lock is
1462 * taken before calling this function.
1463 *
1464 * Returns the label of the far end or NULL if it's not special.
1465 */
1467 {
1475 /*
1476 * we break after finding the first match because
1477 * the list is sorted from longest to shortest mask
1478 * so we have found the most specific match
1479 */
1482 /* we have found the special CIPSO option */
1486 }
1489 }
1491 /**
1492 * smack_set_catset - convert a capset to netlabel mls categories
1493 * @catset: the Smack categories
1494 * @sap: where to put the netlabel categories
1495 *
1496 * Allocates and fills attr.mls.cat
1497 */
1499 {
1519 }
1520 }
1522 /**
1523 * smack_to_secattr - fill a secattr from a smack value
1524 * @smack: the smack value
1525 * @nlsp: where the result goes
1526 *
1527 * Casey says that CIPSO is good enough for now.
1528 * It can be used to effect.
1529 * It can also be abused to effect when necessary.
1530 * Appologies to the TSIG group in general and GW in particular.
1531 */
1533 {
1547 }
1548 }
1550 /**
1551 * smack_netlabel - Set the secattr on a socket
1552 * @sk: the socket
1553 * @labeled: socket label scheme
1554 *
1555 * Convert the outbound smack value (smk_out) to a
1556 * secattr and attach it to the socket.
1557 *
1558 * Returns 0 on success or an error code
1559 */
1561 {
1566 /*
1567 * Usually the netlabel code will handle changing the
1568 * packet labeling based on the label.
1569 * The case of a single label host is different, because
1570 * a single label host should never get a labeled packet
1571 * even though the label is usually associated with a packet
1572 * label.
1573 */
1585 }
1591 }
1593 /**
1594 * smack_netlbel_send - Set the secattr on a socket and perform access checks
1595 * @sk: the socket
1596 * @sap: the destination address
1597 *
1598 * Set the correct secattr for the given socket based on the destination
1599 * address and perform any outbound access checks needed.
1600 *
1601 * Returns 0 on success or an error code.
1602 *
1603 */
1605 {
1616 #ifdef CONFIG_AUDIT
1621 #endif
1626 }
1632 }
1634 /**
1635 * smack_inode_setsecurity - set smack xattrs
1636 * @inode: the object
1637 * @name: attribute name
1638 * @value: attribute value
1639 * @size: size of the attribute
1640 * @flags: unused
1641 *
1642 * Sets the named attribute in the appropriate blob
1643 *
1644 * Returns 0 on success, or an error code
1645 */
1648 {
1666 }
1667 /*
1668 * The rest of the Smack xattrs are only on sockets.
1669 */
1691 }
1693 /**
1694 * smack_socket_post_create - finish socket setup
1695 * @sock: the socket
1696 * @family: protocol family
1697 * @type: unused
1698 * @protocol: unused
1699 * @kern: unused
1700 *
1701 * Sets the netlabel information on the socket
1702 *
1703 * Returns 0 on success, and error code otherwise
1704 */
1707 {
1710 /*
1711 * Set the outbound netlbl.
1712 */
1714 }
1716 /**
1717 * smack_socket_connect - connect access check
1718 * @sock: the socket
1719 * @sap: the other end
1720 * @addrlen: size of sap
1721 *
1722 * Verifies that a connection may be possible
1723 *
1724 * Returns 0 on success, and error code otherwise
1725 */
1728 {
1735 }
1737 /**
1738 * smack_flags_to_may - convert S_ to MAY_ values
1739 * @flags: the S_ value
1740 *
1741 * Returns the equivalent MAY_ value
1742 */
1744 {
1755 }
1757 /**
1758 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
1759 * @msg: the object
1760 *
1761 * Returns 0
1762 */
1764 {
1767 }
1769 /**
1770 * smack_msg_msg_free_security - Clear the security blob for msg_msg
1771 * @msg: the object
1772 *
1773 * Clears the blob pointer
1774 */
1776 {
1778 }
1780 /**
1781 * smack_of_shm - the smack pointer for the shm
1782 * @shp: the object
1783 *
1784 * Returns a pointer to the smack value
1785 */
1787 {
1789 }
1791 /**
1792 * smack_shm_alloc_security - Set the security blob for shm
1793 * @shp: the object
1794 *
1795 * Returns 0
1796 */
1798 {
1803 }
1805 /**
1806 * smack_shm_free_security - Clear the security blob for shm
1807 * @shp: the object
1808 *
1809 * Clears the blob pointer
1810 */
1812 {
1816 }
1818 /**
1819 * smk_curacc_shm : check if current has access on shm
1820 * @shp : the object
1821 * @access : access requested
1822 *
1823 * Returns 0 if current has the requested access, error code otherwise
1824 */
1826 {
1830 #ifdef CONFIG_AUDIT
1833 #endif
1835 }
1837 /**
1838 * smack_shm_associate - Smack access check for shm
1839 * @shp: the object
1840 * @shmflg: access requested
1841 *
1842 * Returns 0 if current has the requested access, error code otherwise
1843 */
1845 {
1850 }
1852 /**
1853 * smack_shm_shmctl - Smack access check for shm
1854 * @shp: the object
1855 * @cmd: what it wants to do
1856 *
1857 * Returns 0 if current has the requested access, error code otherwise
1858 */
1860 {
1876 /*
1877 * System level information.
1878 */
1882 }
1884 }
1886 /**
1887 * smack_shm_shmat - Smack access for shmat
1888 * @shp: the object
1889 * @shmaddr: unused
1890 * @shmflg: access requested
1891 *
1892 * Returns 0 if current has the requested access, error code otherwise
1893 */
1896 {
1901 }
1903 /**
1904 * smack_of_sem - the smack pointer for the sem
1905 * @sma: the object
1906 *
1907 * Returns a pointer to the smack value
1908 */
1910 {
1912 }
1914 /**
1915 * smack_sem_alloc_security - Set the security blob for sem
1916 * @sma: the object
1917 *
1918 * Returns 0
1919 */
1921 {
1926 }
1928 /**
1929 * smack_sem_free_security - Clear the security blob for sem
1930 * @sma: the object
1931 *
1932 * Clears the blob pointer
1933 */
1935 {
1939 }
1941 /**
1942 * smk_curacc_sem : check if current has access on sem
1943 * @sma : the object
1944 * @access : access requested
1945 *
1946 * Returns 0 if current has the requested access, error code otherwise
1947 */
1949 {
1953 #ifdef CONFIG_AUDIT
1956 #endif
1958 }
1960 /**
1961 * smack_sem_associate - Smack access check for sem
1962 * @sma: the object
1963 * @semflg: access requested
1964 *
1965 * Returns 0 if current has the requested access, error code otherwise
1966 */
1968 {
1973 }
1975 /**
1976 * smack_sem_shmctl - Smack access check for sem
1977 * @sma: the object
1978 * @cmd: what it wants to do
1979 *
1980 * Returns 0 if current has the requested access, error code otherwise
1981 */
1983 {
2004 /*
2005 * System level information
2006 */
2010 }
2013 }
2015 /**
2016 * smack_sem_semop - Smack checks of semaphore operations
2017 * @sma: the object
2018 * @sops: unused
2019 * @nsops: unused
2020 * @alter: unused
2021 *
2022 * Treated as read and write in all cases.
2023 *
2024 * Returns 0 if access is allowed, error code otherwise
2025 */
2028 {
2030 }
2032 /**
2033 * smack_msg_alloc_security - Set the security blob for msg
2034 * @msq: the object
2035 *
2036 * Returns 0
2037 */
2039 {
2044 }
2046 /**
2047 * smack_msg_free_security - Clear the security blob for msg
2048 * @msq: the object
2049 *
2050 * Clears the blob pointer
2051 */
2053 {
2057 }
2059 /**
2060 * smack_of_msq - the smack pointer for the msq
2061 * @msq: the object
2062 *
2063 * Returns a pointer to the smack value
2064 */
2066 {
2068 }
2070 /**
2071 * smk_curacc_msq : helper to check if current has access on msq
2072 * @msq : the msq
2073 * @access : access requested
2074 *
2075 * return 0 if current has access, error otherwise
2076 */
2078 {
2082 #ifdef CONFIG_AUDIT
2085 #endif
2087 }
2089 /**
2090 * smack_msg_queue_associate - Smack access check for msg_queue
2091 * @msq: the object
2092 * @msqflg: access requested
2093 *
2094 * Returns 0 if current has the requested access, error code otherwise
2095 */
2097 {
2102 }
2104 /**
2105 * smack_msg_queue_msgctl - Smack access check for msg_queue
2106 * @msq: the object
2107 * @cmd: what it wants to do
2108 *
2109 * Returns 0 if current has the requested access, error code otherwise
2110 */
2112 {
2126 /*
2127 * System level information
2128 */
2132 }
2135 }
2137 /**
2138 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2139 * @msq: the object
2140 * @msg: unused
2141 * @msqflg: access requested
2142 *
2143 * Returns 0 if current has the requested access, error code otherwise
2144 */
2147 {
2152 }
2154 /**
2155 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2156 * @msq: the object
2157 * @msg: unused
2158 * @target: unused
2159 * @type: unused
2160 * @mode: unused
2161 *
2162 * Returns 0 if current has read and write access, error code otherwise
2163 */
2166 {
2168 }
2170 /**
2171 * smack_ipc_permission - Smack access for ipc_permission()
2172 * @ipp: the object permissions
2173 * @flag: access requested
2174 *
2175 * Returns 0 if current has read and write access, error code otherwise
2176 */
2178 {
2183 #ifdef CONFIG_AUDIT
2186 #endif
2188 }
2190 /**
2191 * smack_ipc_getsecid - Extract smack security id
2192 * @ipp: the object permissions
2193 * @secid: where result will be saved
2194 */
2196 {
2200 }
2202 /**
2203 * smack_d_instantiate - Make sure the blob is correct on an inode
2204 * @opt_dentry: unused
2205 * @inode: the object
2206 *
2207 * Set the inode's security blob if it hasn't been done already.
2208 */
2210 {
2225 /*
2226 * If the inode is already instantiated
2227 * take the quick way out
2228 */
2234 /*
2235 * We're going to use the superblock default label
2236 * if there's no label on the file.
2237 */
2240 /*
2241 * If this is the root inode the superblock
2242 * may be in the process of initialization.
2243 * If that is the case use the root value out
2244 * of the superblock.
2245 */
2250 }
2252 /*
2253 * This is pretty hackish.
2254 * Casey says that we shouldn't have to do
2255 * file system specific code, but it does help
2256 * with keeping it simple.
2257 */
2260 /*
2261 * Casey says that it's a little embarassing
2262 * that the smack file system doesn't do
2263 * extended attributes.
2264 */
2268 /*
2269 * Casey says pipes are easy (?)
2270 */
2274 /*
2275 * devpts seems content with the label of the task.
2276 * Programs that change smack have to treat the
2277 * pty with respect.
2278 */
2282 /*
2283 * Casey says sockets get the smack of the task.
2284 */
2288 /*
2289 * Casey says procfs appears not to care.
2290 * The superblock default suffices.
2291 */
2294 /*
2295 * Device labels should come from the filesystem,
2296 * but watch out, because they're volitile,
2297 * getting recreated on every reboot.
2298 */
2300 /*
2301 * No break.
2302 *
2303 * If a smack value has been set we want to use it,
2304 * but since tmpfs isn't giving us the opportunity
2305 * to set mount options simulate setting the
2306 * superblock default.
2307 */
2309 /*
2310 * This isn't an understood special case.
2311 * Get the value from the xattr.
2312 *
2313 * No xattr support means, alas, no SMACK label.
2314 * Use the aforeapplied default.
2315 * It would be curious if the label of the task
2316 * does not match that assigned.
2317 */
2320 /*
2321 * Get the dentry for xattr.
2322 */
2331 }
2339 }
2343 else
2348 unlockandout:
2351 }
2353 /**
2354 * smack_getprocattr - Smack process attribute access
2355 * @p: the object task
2356 * @name: the name of the attribute in /proc/.../attr
2357 * @value: where to put the result
2358 *
2359 * Places a copy of the task Smack into value
2360 *
2361 * Returns the length of the smack label or an error code
2362 */
2364 {
2378 }
2380 /**
2381 * smack_setprocattr - Smack process attribute setting
2382 * @p: the object task
2383 * @name: the name of the attribute in /proc/.../attr
2384 * @value: the value to set
2385 * @size: the size of the value
2386 *
2387 * Sets the Smack value of the task. Only setting self
2388 * is permitted and only with privilege
2389 *
2390 * Returns the length of the smack label or an error code
2391 */
2394 {
2398 /*
2399 * Changing another process' Smack value is too dangerous
2400 * and supports no sane use case.
2401 */
2418 /*
2419 * No process is ever allowed the web ("@") label.
2420 */
2430 }
2432 /**
2433 * smack_unix_stream_connect - Smack access on UDS
2434 * @sock: one socket
2435 * @other: the other socket
2436 * @newsk: unused
2437 *
2438 * Return 0 if a subject with the smack of sock could access
2439 * an object with the smack of other, otherwise an error code
2440 */
2443 {
2452 }
2454 /**
2455 * smack_unix_may_send - Smack access on UDS
2456 * @sock: one socket
2457 * @other: the other socket
2458 *
2459 * Return 0 if a subject with the smack of sock could access
2460 * an object with the smack of other, otherwise an error code
2461 */
2463 {
2471 }
2473 /**
2474 * smack_socket_sendmsg - Smack check based on destination host
2475 * @sock: the socket
2476 * @msg: the message
2477 * @size: the size of the message
2478 *
2479 * Return 0 if the current subject can write to the destination
2480 * host. This is only a question if the destination is a single
2481 * label host.
2482 */
2485 {
2488 /*
2489 * Perfectly reasonable for this to be NULL
2490 */
2495 }
2498 /**
2499 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
2500 * @sap: netlabel secattr
2501 * @sip: where to put the result
2502 *
2503 * Copies a smack label into sip
2504 */
2506 {
2512 /*
2513 * Looks like a CIPSO packet.
2514 * If there are flags but no level netlabel isn't
2515 * behaving the way we expect it to.
2516 *
2517 * Get the categories, if any
2518 * Without guidance regarding the smack value
2519 * for the packet fall back on the network
2520 * ambient value.
2521 */
2530 }
2531 /*
2532 * If it is CIPSO using smack direct mapping
2533 * we are already done. WeeHee.
2534 */
2538 }
2539 /*
2540 * Look it up in the supplied table if it is not
2541 * a direct mapping.
2542 */
2545 }
2547 /*
2548 * Looks like a fallback, which gives us a secid.
2549 */
2551 /*
2552 * This has got to be a bug because it is
2553 * impossible to specify a fallback without
2554 * specifying the label, which will ensure
2555 * it has a secid, and the only way to get a
2556 * secid is from a fallback.
2557 */
2561 }
2562 /*
2563 * Without guidance regarding the smack value
2564 * for the packet fall back on the network
2565 * ambient value.
2566 */
2569 }
2571 /**
2572 * smack_socket_sock_rcv_skb - Smack packet delivery access check
2573 * @sk: socket
2574 * @skb: packet
2575 *
2576 * Returns 0 if the packet should be delivered, an error code otherwise
2577 */
2579 {
2589 /*
2590 * Translate what netlabel gave us.
2591 */
2603 #ifdef CONFIG_AUDIT
2608 #endif
2609 /*
2610 * Receiving a packet requires that the other end
2611 * be able to write here. Read access is not required.
2612 * This is the simplist possible security model
2613 * for networking.
2614 */
2619 }
2621 /**
2622 * smack_socket_getpeersec_stream - pull in packet label
2623 * @sock: the socket
2624 * @optval: user's destination
2625 * @optlen: size thereof
2626 * @len: max thereof
2627 *
2628 * returns zero on success, an error code otherwise
2629 */
2633 {
2650 }
2653 /**
2654 * smack_socket_getpeersec_dgram - pull in packet label
2655 * @sock: the socket
2656 * @skb: packet data
2657 * @secid: pointer to where to put the secid of the packet
2658 *
2659 * Sets the netlabel socket state on sk from parent
2660 */
2664 {
2669 u32 s;
2672 /*
2673 * Only works for families with packets.
2674 */
2680 }
2681 /*
2682 * Translate what netlabel gave us.
2683 */
2690 /*
2691 * Give up if we couldn't get anything
2692 */
2702 }
2704 /**
2705 * smack_sock_graft - Initialize a newly created socket with an existing sock
2706 * @sk: child sock
2707 * @parent: parent socket
2708 *
2709 * Set the smk_{in,out} state of an existing sock based on the process that
2710 * is creating the new socket.
2711 */
2713 {
2722 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
2723 }
2725 /**
2726 * smack_inet_conn_request - Smack access check on connect
2727 * @sk: socket involved
2728 * @skb: packet
2729 * @req: unused
2730 *
2731 * Returns 0 if a task with the packet label could write to
2732 * the socket, otherwise an error code
2733 */
2736 {
2746 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2754 else
2758 #ifdef CONFIG_AUDIT
2763 #endif
2764 /*
2765 * Receiving a packet requires that the other end be able to write
2766 * here. Read access is not required.
2767 */
2772 /*
2773 * Save the peer's label in the request_sock so we can later setup
2774 * smk_packet in the child socket so that SO_PEERCRED can report it.
2775 */
2778 /*
2779 * We need to decide if we want to label the incoming connection here
2780 * if we do we only need to label the request_sock and the stack will
2781 * propogate the wire-label to the sock when it is created.
2782 */
2795 }
2798 }
2800 /**
2801 * smack_inet_csk_clone - Copy the connection information to the new socket
2802 * @sk: the new socket
2803 * @req: the connection's request_sock
2804 *
2805 * Transfer the connection's peer label to the newly created socket.
2806 */
2809 {
2818 }
2820 /*
2821 * Key management security hooks
2822 *
2823 * Casey has not tested key support very heavily.
2824 * The permission check is most likely too restrictive.
2825 * If you care about keys please have a look.
2826 */
2827 #ifdef CONFIG_KEYS
2829 /**
2830 * smack_key_alloc - Set the key security blob
2831 * @key: object
2832 * @cred: the credentials to use
2833 * @flags: unused
2834 *
2835 * No allocation required
2836 *
2837 * Returns 0
2838 */
2841 {
2844 }
2846 /**
2847 * smack_key_free - Clear the key security blob
2848 * @key: the object
2849 *
2850 * Clear the blob pointer
2851 */
2853 {
2855 }
2857 /*
2858 * smack_key_permission - Smack access on a key
2859 * @key_ref: gets to the object
2860 * @cred: the credentials to use
2861 * @perm: unused
2862 *
2863 * Return 0 if the task has read and write to the object,
2864 * an error code otherwise
2865 */
2868 {
2875 /*
2876 * If the key hasn't been initialized give it access so that
2877 * it may do so.
2878 */
2881 /*
2882 * This should not occur
2883 */
2886 #ifdef CONFIG_AUDIT
2890 #endif
2893 }
2896 /*
2897 * Smack Audit hooks
2898 *
2899 * Audit requires a unique representation of each Smack specific
2900 * rule. This unique representation is used to distinguish the
2901 * object to be audited from remaining kernel objects and also
2902 * works as a glue between the audit hooks.
2903 *
2904 * Since repository entries are added but never deleted, we'll use
2905 * the smack_known label address related to the given audit rule as
2906 * the needed unique representation. This also better fits the smack
2907 * model where nearly everything is a label.
2908 */
2909 #ifdef CONFIG_AUDIT
2911 /**
2912 * smack_audit_rule_init - Initialize a smack audit rule
2913 * @field: audit rule fields given from user-space (audit.h)
2914 * @op: required testing operator (=, !=, >, <, ...)
2915 * @rulestr: smack label to be audited
2916 * @vrule: pointer to save our own audit rule representation
2917 *
2918 * Prepare to audit cases where (@field @op @rulestr) is true.
2919 * The label to be audited is created if necessay.
2920 */
2922 {
2935 }
2937 /**
2938 * smack_audit_rule_known - Distinguish Smack audit rules
2939 * @krule: rule of interest, in Audit kernel representation format
2940 *
2941 * This is used to filter Smack rules from remaining Audit ones.
2942 * If it's proved that this rule belongs to us, the
2943 * audit_rule_match hook will be called to do the final judgement.
2944 */
2946 {
2955 }
2958 }
2960 /**
2961 * smack_audit_rule_match - Audit given object ?
2962 * @secid: security id for identifying the object to test
2963 * @field: audit rule flags given from user-space
2964 * @op: required testing operator
2965 * @vrule: smack internal rule presentation
2966 * @actx: audit context associated with the check
2967 *
2968 * The core Audit hook. It's used to take the decision of
2969 * whether to audit or not to audit a given object.
2970 */
2973 {
2981 }
2988 /*
2989 * No need to do string comparisons. If a match occurs,
2990 * both pointers will point to the same smack_known
2991 * label.
2992 */
2999 }
3001 /**
3002 * smack_audit_rule_free - free smack rule representation
3003 * @vrule: rule to be freed.
3004 *
3005 * No memory was allocated.
3006 */
3008 {
3009 /* No-op */
3010 }
3014 /**
3015 * smack_secid_to_secctx - return the smack label for a secid
3016 * @secid: incoming integer
3017 * @secdata: destination
3018 * @seclen: how long it is
3019 *
3020 * Exists for networking code.
3021 */
3023 {
3029 }
3031 /**
3032 * smack_secctx_to_secid - return the secid for a smack label
3033 * @secdata: smack label
3034 * @seclen: how long result is
3035 * @secid: outgoing integer
3036 *
3037 * Exists for audit and networking code.
3038 */
3040 {
3043 }
3045 /**
3046 * smack_release_secctx - don't do anything.
3047 * @secdata: unused
3048 * @seclen: unused
3049 *
3050 * Exists to make sure nothing gets done, and properly
3051 */
3053 {
3054 }
3057 {
3059 }
3062 {
3064 }
3067 {
3075 }
3187 /* key management security hooks */
3188 #ifdef CONFIG_KEYS
3194 /* Audit hooks */
3195 #ifdef CONFIG_AUDIT
3208 };
3212 {
3219 }
3221 /**
3222 * smack_init - initialize the smack system
3223 *
3224 * Returns 0
3225 */
3227 {
3235 /*
3236 * Set the security state for the initial task.
3237 */
3241 /* initilize the smack_know_list */
3243 /*
3244 * Initialize locks
3245 */
3252 /*
3253 * Register with LSM
3254 */
3259 }
3261 /*
3262 * Smack requires early initialization in order to label
3263 * all processes and objects when they are created.
3264 */