| blob | 0f2fc480fc612f08e9701d319018efad76ded438 |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Author:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 *
9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2,
15 * as published by the Free Software Foundation.
16 */
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/kd.h>
23 #include <asm/ioctls.h>
24 #include <linux/ip.h>
25 #include <linux/tcp.h>
26 #include <linux/udp.h>
27 #include <linux/slab.h>
28 #include <linux/mutex.h>
29 #include <linux/pipe_fs_i.h>
30 #include <net/netlabel.h>
31 #include <net/cipso_ipv4.h>
32 #include <linux/audit.h>
33 #include <linux/magic.h>
36 #define task_security(task) (task_cred_xxx((task), security))
38 /**
39 * smk_fetch - Fetch the smack label from a file.
40 * @ip: a pointer to the inode
41 * @dp: a pointer to the dentry
42 *
43 * Returns a pointer to the master list entry for the Smack label
44 * or NULL if there was no label to fetch.
45 */
47 {
59 }
61 /**
62 * new_inode_smack - allocate an inode security blob
63 * @smack: a pointer to the Smack label to use in the blob
64 *
65 * Returns the new blob or NULL if there's no memory available
66 */
68 {
80 }
82 /*
83 * LSM hooks.
84 * We he, that is fun!
85 */
87 /**
88 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
89 * @ctp: child task pointer
90 * @mode: ptrace attachment mode
91 *
92 * Returns 0 if access is OK, an error code otherwise
93 *
94 * Do the capability checks, and require read and write.
95 */
97 {
111 /* we won't log here, because rc can be overriden */
118 }
120 /**
121 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
122 * @ptp: parent task pointer
123 *
124 * Returns 0 if access is OK, an error code otherwise
125 *
126 * Do the capability checks, and require read and write.
127 */
129 {
143 /* we won't log here, because rc can be overriden */
150 }
152 /**
153 * smack_syslog - Smack approval on syslog
154 * @type: message type
155 *
156 * Require that the task has the floor label
157 *
158 * Returns 0 on success, error code otherwise.
159 */
161 {
176 }
179 /*
180 * Superblock Hooks.
181 */
183 /**
184 * smack_sb_alloc_security - allocate a superblock blob
185 * @sb: the superblock getting the blob
186 *
187 * Returns 0 on success or -ENOMEM on error.
188 */
190 {
208 }
210 /**
211 * smack_sb_free_security - free a superblock blob
212 * @sb: the superblock getting the blob
213 *
214 */
216 {
219 }
221 /**
222 * smack_sb_copy_data - copy mount options data for processing
223 * @orig: where to start
224 * @smackopts: mount options string
225 *
226 * Returns 0 on success or -ENOMEM on error.
227 *
228 * Copy the Smack specific mount options out of the mount
229 * options list.
230 */
232 {
248 else
258 }
264 }
266 /**
267 * smack_sb_kern_mount - Smack specific mount processing
268 * @sb: the file system superblock
269 * @flags: the mount flags
270 * @data: the smack mount options
271 *
272 * Returns 0 on success, an error code on failure
273 */
275 {
288 }
318 }
319 }
321 /*
322 * Initialize the root inode.
323 */
327 else
331 }
333 /**
334 * smack_sb_statfs - Smack check on statfs
335 * @dentry: identifies the file system in question
336 *
337 * Returns 0 if current can read the floor of the filesystem,
338 * and error code otherwise
339 */
341 {
351 }
353 /**
354 * smack_sb_mount - Smack check for mounting
355 * @dev_name: unused
356 * @path: mount point
357 * @type: unused
358 * @flags: unused
359 * @data: unused
360 *
361 * Returns 0 if current can write the floor of the filesystem
362 * being mounted on, an error code otherwise.
363 */
366 {
374 }
376 /**
377 * smack_sb_umount - Smack check for unmounting
378 * @mnt: file system to unmount
379 * @flags: unused
380 *
381 * Returns 0 if current can write the floor of the filesystem
382 * being unmounted, an error code otherwise.
383 */
385 {
395 }
397 /*
398 * Inode hooks
399 */
401 /**
402 * smack_inode_alloc_security - allocate an inode blob
403 * @inode: the inode in need of a blob
404 *
405 * Returns 0 if it gets a blob, -ENOMEM otherwise
406 */
408 {
413 }
415 /**
416 * smack_inode_free_security - free an inode blob
417 * @inode: the inode with a blob
418 *
419 * Clears the blob pointer in inode
420 */
422 {
425 }
427 /**
428 * smack_inode_init_security - copy out the smack from an inode
429 * @inode: the inode
430 * @dir: unused
431 * @name: where to put the attribute name
432 * @value: where to put the attribute value
433 * @len: where to put the length of the attribute
434 *
435 * Returns 0 if it all works out, -ENOMEM if there's no memory
436 */
439 {
446 }
452 }
458 }
460 /**
461 * smack_inode_link - Smack check on link
462 * @old_dentry: the existing object
463 * @dir: unused
464 * @new_dentry: the new object
465 *
466 * Returns 0 if access is permitted, an error code otherwise
467 */
470 {
485 }
488 }
490 /**
491 * smack_inode_unlink - Smack check on inode deletion
492 * @dir: containing directory object
493 * @dentry: file to unlink
494 *
495 * Returns 0 if current can write the containing directory
496 * and the object, error code otherwise
497 */
499 {
507 /*
508 * You need write access to the thing you're unlinking
509 */
512 /*
513 * You also need write access to the containing directory
514 */
518 }
520 }
522 /**
523 * smack_inode_rmdir - Smack check on directory deletion
524 * @dir: containing directory object
525 * @dentry: directory to unlink
526 *
527 * Returns 0 if current can write the containing directory
528 * and the directory, error code otherwise
529 */
531 {
538 /*
539 * You need write access to the thing you're removing
540 */
543 /*
544 * You also need write access to the containing directory
545 */
549 }
552 }
554 /**
555 * smack_inode_rename - Smack check on rename
556 * @old_inode: the old directory
557 * @old_dentry: unused
558 * @new_inode: the new directory
559 * @new_dentry: unused
560 *
561 * Read and write access is required on both the old and
562 * new directories.
563 *
564 * Returns 0 if access is permitted, an error code otherwise
565 */
570 {
585 }
587 }
589 /**
590 * smack_inode_permission - Smack version of permission()
591 * @inode: the inode in question
592 * @mask: the access requested
593 *
594 * This is the important Smack hook.
595 *
596 * Returns 0 if access is permitted, -EACCES otherwise
597 */
599 {
601 /*
602 * No permission to check. Existence test. Yup, it's there.
603 */
609 }
611 /**
612 * smack_inode_setattr - Smack check for setting attributes
613 * @dentry: the object
614 * @iattr: for the force flag
615 *
616 * Returns 0 if access is permitted, an error code otherwise
617 */
619 {
621 /*
622 * Need to allow for clearing the setuid bit.
623 */
630 }
632 /**
633 * smack_inode_getattr - Smack check for getting attributes
634 * @mnt: unused
635 * @dentry: the object
636 *
637 * Returns 0 if access is permitted, an error code otherwise
638 */
640 {
647 }
649 /**
650 * smack_inode_setxattr - Smack check for setting xattrs
651 * @dentry: the object
652 * @name: name of the attribute
653 * @value: unused
654 * @size: unused
655 * @flags: unused
656 *
657 * This protects the Smack attribute explicitly.
658 *
659 * Returns 0 if access is permitted, an error code otherwise
660 */
663 {
672 /*
673 * check label validity here so import wont fail on
674 * post_setxattr
675 */
689 }
691 /**
692 * smack_inode_post_setxattr - Apply the Smack update approved above
693 * @dentry: object
694 * @name: attribute name
695 * @value: attribute value
696 * @size: attribute size
697 * @flags: unused
698 *
699 * Set the pointer in the inode blob to the entry found
700 * in the master label list.
701 */
704 {
708 /*
709 * Not SMACK
710 */
716 /*
717 * No locking is done here. This is a pointer
718 * assignment.
719 */
723 else
727 }
729 /*
730 * smack_inode_getxattr - Smack check on getxattr
731 * @dentry: the object
732 * @name: unused
733 *
734 * Returns 0 if access is permitted, an error code otherwise
735 */
737 {
744 }
746 /*
747 * smack_inode_removexattr - Smack check on removexattr
748 * @dentry: the object
749 * @name: name of the attribute
750 *
751 * Removing the Smack attribute requires CAP_MAC_ADMIN
752 *
753 * Returns 0 if access is permitted, an error code otherwise
754 */
756 {
774 }
776 /**
777 * smack_inode_getsecurity - get smack xattrs
778 * @inode: the object
779 * @name: attribute name
780 * @buffer: where to put the result
781 * @alloc: unused
782 *
783 * Returns the size of the attribute or an error code
784 */
788 {
802 }
804 /*
805 * The rest of the Smack xattrs are only on sockets.
806 */
821 else
828 }
831 }
834 /**
835 * smack_inode_listsecurity - list the Smack attributes
836 * @inode: the object
837 * @buffer: where they go
838 * @buffer_size: size of buffer
839 *
840 * Returns 0 on success, -EINVAL otherwise
841 */
844 {
850 }
852 }
854 /**
855 * smack_inode_getsecid - Extract inode's security id
856 * @inode: inode to extract the info from
857 * @secid: where result will be saved
858 */
860 {
864 }
866 /*
867 * File Hooks
868 */
870 /**
871 * smack_file_permission - Smack check on file operations
872 * @file: unused
873 * @mask: unused
874 *
875 * Returns 0
876 *
877 * Should access checks be done on each read or write?
878 * UNICOS and SELinux say yes.
879 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
880 *
881 * I'll say no for now. Smack does not do the frequent
882 * label changing that SELinux does.
883 */
885 {
887 }
889 /**
890 * smack_file_alloc_security - assign a file security blob
891 * @file: the object
892 *
893 * The security blob for a file is a pointer to the master
894 * label list, so no allocation is done.
895 *
896 * Returns 0
897 */
899 {
902 }
904 /**
905 * smack_file_free_security - clear a file security blob
906 * @file: the object
907 *
908 * The security blob for a file is a pointer to the master
909 * label list, so no memory is freed.
910 */
912 {
914 }
916 /**
917 * smack_file_ioctl - Smack check on ioctls
918 * @file: the object
919 * @cmd: what to do
920 * @arg: unused
921 *
922 * Relies heavily on the correct use of the ioctl command conventions.
923 *
924 * Returns 0 if allowed, error code otherwise
925 */
928 {
942 }
944 /**
945 * smack_file_lock - Smack check on file locking
946 * @file: the object
947 * @cmd: unused
948 *
949 * Returns 0 if current has write access, error code otherwise
950 */
952 {
958 }
960 /**
961 * smack_file_fcntl - Smack check on fcntl
962 * @file: the object
963 * @cmd: what action to check
964 * @arg: unused
965 *
966 * Returns 0 if current has access, error code otherwise
967 */
970 {
996 }
999 }
1001 /**
1002 * smack_file_set_fowner - set the file security blob value
1003 * @file: object in question
1004 *
1005 * Returns 0
1006 * Further research may be required on this one.
1007 */
1009 {
1012 }
1014 /**
1015 * smack_file_send_sigiotask - Smack on sigio
1016 * @tsk: The target task
1017 * @fown: the object the signal come from
1018 * @signum: unused
1019 *
1020 * Allow a privileged task to get signals even if it shouldn't
1021 *
1022 * Returns 0 if a subject with the object's smack could
1023 * write to the task, an error code otherwise.
1024 */
1027 {
1033 /*
1034 * struct fown_struct is never outside the context of a struct file
1035 */
1037 /* we don't log here as rc can be overriden */
1046 }
1048 /**
1049 * smack_file_receive - Smack file receive check
1050 * @file: the object
1051 *
1052 * Returns 0 if current has access, error code otherwise
1053 */
1055 {
1061 /*
1062 * This code relies on bitmasks.
1063 */
1070 }
1072 /*
1073 * Task hooks
1074 */
1076 /**
1077 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1078 * @new: the new credentials
1079 * @gfp: the atomicity of any memory allocations
1080 *
1081 * Prepare a blank set of credentials for modification. This must allocate all
1082 * the memory the LSM module might require such that cred_transfer() can
1083 * complete without error.
1084 */
1086 {
1089 }
1092 /**
1093 * smack_cred_free - "free" task-level security credentials
1094 * @cred: the credentials in question
1095 *
1096 * Smack isn't using copies of blobs. Everyone
1097 * points to an immutable list. The blobs never go away.
1098 * There is no leak here.
1099 */
1101 {
1103 }
1105 /**
1106 * smack_cred_prepare - prepare new set of credentials for modification
1107 * @new: the new credentials
1108 * @old: the original credentials
1109 * @gfp: the atomicity of any memory allocations
1110 *
1111 * Prepare a new set of credentials for modification.
1112 */
1114 gfp_t gfp)
1115 {
1118 }
1120 /**
1121 * smack_cred_transfer - Transfer the old credentials to the new credentials
1122 * @new: the new credentials
1123 * @old: the original credentials
1124 *
1125 * Fill in a set of blank credentials from another set of credentials.
1126 */
1128 {
1130 }
1132 /**
1133 * smack_kernel_act_as - Set the subjective context in a set of credentials
1134 * @new: points to the set of credentials to be modified.
1135 * @secid: specifies the security ID to be set
1136 *
1137 * Set the security data for a kernel service.
1138 */
1140 {
1148 }
1150 /**
1151 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1152 * @new: points to the set of credentials to be modified
1153 * @inode: points to the inode to use as a reference
1154 *
1155 * Set the file creation context in a set of credentials to the same
1156 * as the objective context of the specified inode
1157 */
1160 {
1165 }
1167 /**
1168 * smk_curacc_on_task - helper to log task related access
1169 * @p: the task object
1170 * @access : the access requested
1171 *
1172 * Return 0 if access is permitted
1173 */
1175 {
1181 }
1183 /**
1184 * smack_task_setpgid - Smack check on setting pgid
1185 * @p: the task object
1186 * @pgid: unused
1187 *
1188 * Return 0 if write access is permitted
1189 */
1191 {
1193 }
1195 /**
1196 * smack_task_getpgid - Smack access check for getpgid
1197 * @p: the object task
1198 *
1199 * Returns 0 if current can read the object task, error code otherwise
1200 */
1202 {
1204 }
1206 /**
1207 * smack_task_getsid - Smack access check for getsid
1208 * @p: the object task
1209 *
1210 * Returns 0 if current can read the object task, error code otherwise
1211 */
1213 {
1215 }
1217 /**
1218 * smack_task_getsecid - get the secid of the task
1219 * @p: the object task
1220 * @secid: where to put the result
1221 *
1222 * Sets the secid to contain a u32 version of the smack label.
1223 */
1225 {
1227 }
1229 /**
1230 * smack_task_setnice - Smack check on setting nice
1231 * @p: the task object
1232 * @nice: unused
1233 *
1234 * Return 0 if write access is permitted
1235 */
1237 {
1244 }
1246 /**
1247 * smack_task_setioprio - Smack check on setting ioprio
1248 * @p: the task object
1249 * @ioprio: unused
1250 *
1251 * Return 0 if write access is permitted
1252 */
1254 {
1261 }
1263 /**
1264 * smack_task_getioprio - Smack check on reading ioprio
1265 * @p: the task object
1266 *
1267 * Return 0 if read access is permitted
1268 */
1270 {
1272 }
1274 /**
1275 * smack_task_setscheduler - Smack check on setting scheduler
1276 * @p: the task object
1277 * @policy: unused
1278 * @lp: unused
1279 *
1280 * Return 0 if read access is permitted
1281 */
1284 {
1291 }
1293 /**
1294 * smack_task_getscheduler - Smack check on reading scheduler
1295 * @p: the task object
1296 *
1297 * Return 0 if read access is permitted
1298 */
1300 {
1302 }
1304 /**
1305 * smack_task_movememory - Smack check on moving memory
1306 * @p: the task object
1307 *
1308 * Return 0 if write access is permitted
1309 */
1311 {
1313 }
1315 /**
1316 * smack_task_kill - Smack check on signal delivery
1317 * @p: the task object
1318 * @info: unused
1319 * @sig: unused
1320 * @secid: identifies the smack to use in lieu of current's
1321 *
1322 * Return 0 if write access is permitted
1323 *
1324 * The secid behavior is an artifact of an SELinux hack
1325 * in the USB code. Someday it may go away.
1326 */
1329 {
1334 /*
1335 * Sending a signal requires that the sender
1336 * can write the receiver.
1337 */
1340 /*
1341 * If the secid isn't 0 we're dealing with some USB IO
1342 * specific behavior. This is not clean. For one thing
1343 * we can't take privilege into account.
1344 */
1347 }
1349 /**
1350 * smack_task_wait - Smack access check for waiting
1351 * @p: task to wait for
1352 *
1353 * Returns 0 if current can wait for p, error code otherwise
1354 */
1356 {
1362 /* we don't log here, we can be overriden */
1367 /*
1368 * Allow the operation to succeed if either task
1369 * has privilege to perform operations that might
1370 * account for the smack labels having gotten to
1371 * be different in the first place.
1372 *
1373 * This breaks the strict subject/object access
1374 * control ideal, taking the object's privilege
1375 * state into account in the decision as well as
1376 * the smack value.
1377 */
1380 /* we log only if we didn't get overriden */
1381 out_log:
1386 }
1388 /**
1389 * smack_task_to_inode - copy task smack into the inode blob
1390 * @p: task to copy from
1391 * @inode: inode to copy to
1392 *
1393 * Sets the smack pointer in the inode security blob
1394 */
1396 {
1399 }
1401 /*
1402 * Socket hooks.
1403 */
1405 /**
1406 * smack_sk_alloc_security - Allocate a socket blob
1407 * @sk: the socket
1408 * @family: unused
1409 * @gfp_flags: memory allocation flags
1410 *
1411 * Assign Smack pointers to current
1412 *
1413 * Returns 0 on success, -ENOMEM is there's no memory
1414 */
1416 {
1431 }
1433 /**
1434 * smack_sk_free_security - Free a socket blob
1435 * @sk: the socket
1436 *
1437 * Clears the blob pointer
1438 */
1440 {
1442 }
1444 /**
1445 * smack_host_label - check host based restrictions
1446 * @sip: the object end
1447 *
1448 * looks for host based access restrictions
1449 *
1450 * This version will only be appropriate for really small sets of single label
1451 * hosts. The caller is responsible for ensuring that the RCU read lock is
1452 * taken before calling this function.
1453 *
1454 * Returns the label of the far end or NULL if it's not special.
1455 */
1457 {
1465 /*
1466 * we break after finding the first match because
1467 * the list is sorted from longest to shortest mask
1468 * so we have found the most specific match
1469 */
1472 /* we have found the special CIPSO option */
1476 }
1479 }
1481 /**
1482 * smack_set_catset - convert a capset to netlabel mls categories
1483 * @catset: the Smack categories
1484 * @sap: where to put the netlabel categories
1485 *
1486 * Allocates and fills attr.mls.cat
1487 */
1489 {
1509 }
1510 }
1512 /**
1513 * smack_to_secattr - fill a secattr from a smack value
1514 * @smack: the smack value
1515 * @nlsp: where the result goes
1516 *
1517 * Casey says that CIPSO is good enough for now.
1518 * It can be used to effect.
1519 * It can also be abused to effect when necessary.
1520 * Appologies to the TSIG group in general and GW in particular.
1521 */
1523 {
1537 }
1538 }
1540 /**
1541 * smack_netlabel - Set the secattr on a socket
1542 * @sk: the socket
1543 * @labeled: socket label scheme
1544 *
1545 * Convert the outbound smack value (smk_out) to a
1546 * secattr and attach it to the socket.
1547 *
1548 * Returns 0 on success or an error code
1549 */
1551 {
1556 /*
1557 * Usually the netlabel code will handle changing the
1558 * packet labeling based on the label.
1559 * The case of a single label host is different, because
1560 * a single label host should never get a labeled packet
1561 * even though the label is usually associated with a packet
1562 * label.
1563 */
1575 }
1581 }
1583 /**
1584 * smack_netlbel_send - Set the secattr on a socket and perform access checks
1585 * @sk: the socket
1586 * @sap: the destination address
1587 *
1588 * Set the correct secattr for the given socket based on the destination
1589 * address and perform any outbound access checks needed.
1590 *
1591 * Returns 0 on success or an error code.
1592 *
1593 */
1595 {
1606 #ifdef CONFIG_AUDIT
1611 #endif
1616 }
1622 }
1624 /**
1625 * smack_inode_setsecurity - set smack xattrs
1626 * @inode: the object
1627 * @name: attribute name
1628 * @value: attribute value
1629 * @size: size of the attribute
1630 * @flags: unused
1631 *
1632 * Sets the named attribute in the appropriate blob
1633 *
1634 * Returns 0 on success, or an error code
1635 */
1638 {
1656 }
1657 /*
1658 * The rest of the Smack xattrs are only on sockets.
1659 */
1681 }
1683 /**
1684 * smack_socket_post_create - finish socket setup
1685 * @sock: the socket
1686 * @family: protocol family
1687 * @type: unused
1688 * @protocol: unused
1689 * @kern: unused
1690 *
1691 * Sets the netlabel information on the socket
1692 *
1693 * Returns 0 on success, and error code otherwise
1694 */
1697 {
1700 /*
1701 * Set the outbound netlbl.
1702 */
1704 }
1706 /**
1707 * smack_socket_connect - connect access check
1708 * @sock: the socket
1709 * @sap: the other end
1710 * @addrlen: size of sap
1711 *
1712 * Verifies that a connection may be possible
1713 *
1714 * Returns 0 on success, and error code otherwise
1715 */
1718 {
1725 }
1727 /**
1728 * smack_flags_to_may - convert S_ to MAY_ values
1729 * @flags: the S_ value
1730 *
1731 * Returns the equivalent MAY_ value
1732 */
1734 {
1745 }
1747 /**
1748 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
1749 * @msg: the object
1750 *
1751 * Returns 0
1752 */
1754 {
1757 }
1759 /**
1760 * smack_msg_msg_free_security - Clear the security blob for msg_msg
1761 * @msg: the object
1762 *
1763 * Clears the blob pointer
1764 */
1766 {
1768 }
1770 /**
1771 * smack_of_shm - the smack pointer for the shm
1772 * @shp: the object
1773 *
1774 * Returns a pointer to the smack value
1775 */
1777 {
1779 }
1781 /**
1782 * smack_shm_alloc_security - Set the security blob for shm
1783 * @shp: the object
1784 *
1785 * Returns 0
1786 */
1788 {
1793 }
1795 /**
1796 * smack_shm_free_security - Clear the security blob for shm
1797 * @shp: the object
1798 *
1799 * Clears the blob pointer
1800 */
1802 {
1806 }
1808 /**
1809 * smk_curacc_shm : check if current has access on shm
1810 * @shp : the object
1811 * @access : access requested
1812 *
1813 * Returns 0 if current has the requested access, error code otherwise
1814 */
1816 {
1820 #ifdef CONFIG_AUDIT
1823 #endif
1825 }
1827 /**
1828 * smack_shm_associate - Smack access check for shm
1829 * @shp: the object
1830 * @shmflg: access requested
1831 *
1832 * Returns 0 if current has the requested access, error code otherwise
1833 */
1835 {
1840 }
1842 /**
1843 * smack_shm_shmctl - Smack access check for shm
1844 * @shp: the object
1845 * @cmd: what it wants to do
1846 *
1847 * Returns 0 if current has the requested access, error code otherwise
1848 */
1850 {
1866 /*
1867 * System level information.
1868 */
1872 }
1874 }
1876 /**
1877 * smack_shm_shmat - Smack access for shmat
1878 * @shp: the object
1879 * @shmaddr: unused
1880 * @shmflg: access requested
1881 *
1882 * Returns 0 if current has the requested access, error code otherwise
1883 */
1886 {
1891 }
1893 /**
1894 * smack_of_sem - the smack pointer for the sem
1895 * @sma: the object
1896 *
1897 * Returns a pointer to the smack value
1898 */
1900 {
1902 }
1904 /**
1905 * smack_sem_alloc_security - Set the security blob for sem
1906 * @sma: the object
1907 *
1908 * Returns 0
1909 */
1911 {
1916 }
1918 /**
1919 * smack_sem_free_security - Clear the security blob for sem
1920 * @sma: the object
1921 *
1922 * Clears the blob pointer
1923 */
1925 {
1929 }
1931 /**
1932 * smk_curacc_sem : check if current has access on sem
1933 * @sma : the object
1934 * @access : access requested
1935 *
1936 * Returns 0 if current has the requested access, error code otherwise
1937 */
1939 {
1943 #ifdef CONFIG_AUDIT
1946 #endif
1948 }
1950 /**
1951 * smack_sem_associate - Smack access check for sem
1952 * @sma: the object
1953 * @semflg: access requested
1954 *
1955 * Returns 0 if current has the requested access, error code otherwise
1956 */
1958 {
1963 }
1965 /**
1966 * smack_sem_shmctl - Smack access check for sem
1967 * @sma: the object
1968 * @cmd: what it wants to do
1969 *
1970 * Returns 0 if current has the requested access, error code otherwise
1971 */
1973 {
1994 /*
1995 * System level information
1996 */
2000 }
2003 }
2005 /**
2006 * smack_sem_semop - Smack checks of semaphore operations
2007 * @sma: the object
2008 * @sops: unused
2009 * @nsops: unused
2010 * @alter: unused
2011 *
2012 * Treated as read and write in all cases.
2013 *
2014 * Returns 0 if access is allowed, error code otherwise
2015 */
2018 {
2020 }
2022 /**
2023 * smack_msg_alloc_security - Set the security blob for msg
2024 * @msq: the object
2025 *
2026 * Returns 0
2027 */
2029 {
2034 }
2036 /**
2037 * smack_msg_free_security - Clear the security blob for msg
2038 * @msq: the object
2039 *
2040 * Clears the blob pointer
2041 */
2043 {
2047 }
2049 /**
2050 * smack_of_msq - the smack pointer for the msq
2051 * @msq: the object
2052 *
2053 * Returns a pointer to the smack value
2054 */
2056 {
2058 }
2060 /**
2061 * smk_curacc_msq : helper to check if current has access on msq
2062 * @msq : the msq
2063 * @access : access requested
2064 *
2065 * return 0 if current has access, error otherwise
2066 */
2068 {
2072 #ifdef CONFIG_AUDIT
2075 #endif
2077 }
2079 /**
2080 * smack_msg_queue_associate - Smack access check for msg_queue
2081 * @msq: the object
2082 * @msqflg: access requested
2083 *
2084 * Returns 0 if current has the requested access, error code otherwise
2085 */
2087 {
2092 }
2094 /**
2095 * smack_msg_queue_msgctl - Smack access check for msg_queue
2096 * @msq: the object
2097 * @cmd: what it wants to do
2098 *
2099 * Returns 0 if current has the requested access, error code otherwise
2100 */
2102 {
2116 /*
2117 * System level information
2118 */
2122 }
2125 }
2127 /**
2128 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2129 * @msq: the object
2130 * @msg: unused
2131 * @msqflg: access requested
2132 *
2133 * Returns 0 if current has the requested access, error code otherwise
2134 */
2137 {
2142 }
2144 /**
2145 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2146 * @msq: the object
2147 * @msg: unused
2148 * @target: unused
2149 * @type: unused
2150 * @mode: unused
2151 *
2152 * Returns 0 if current has read and write access, error code otherwise
2153 */
2156 {
2158 }
2160 /**
2161 * smack_ipc_permission - Smack access for ipc_permission()
2162 * @ipp: the object permissions
2163 * @flag: access requested
2164 *
2165 * Returns 0 if current has read and write access, error code otherwise
2166 */
2168 {
2173 #ifdef CONFIG_AUDIT
2176 #endif
2178 }
2180 /**
2181 * smack_ipc_getsecid - Extract smack security id
2182 * @ipp: the object permissions
2183 * @secid: where result will be saved
2184 */
2186 {
2190 }
2192 /**
2193 * smack_d_instantiate - Make sure the blob is correct on an inode
2194 * @opt_dentry: unused
2195 * @inode: the object
2196 *
2197 * Set the inode's security blob if it hasn't been done already.
2198 */
2200 {
2215 /*
2216 * If the inode is already instantiated
2217 * take the quick way out
2218 */
2224 /*
2225 * We're going to use the superblock default label
2226 * if there's no label on the file.
2227 */
2230 /*
2231 * If this is the root inode the superblock
2232 * may be in the process of initialization.
2233 * If that is the case use the root value out
2234 * of the superblock.
2235 */
2240 }
2242 /*
2243 * This is pretty hackish.
2244 * Casey says that we shouldn't have to do
2245 * file system specific code, but it does help
2246 * with keeping it simple.
2247 */
2250 /*
2251 * Casey says that it's a little embarassing
2252 * that the smack file system doesn't do
2253 * extended attributes.
2254 */
2258 /*
2259 * Casey says pipes are easy (?)
2260 */
2264 /*
2265 * devpts seems content with the label of the task.
2266 * Programs that change smack have to treat the
2267 * pty with respect.
2268 */
2272 /*
2273 * Casey says sockets get the smack of the task.
2274 */
2278 /*
2279 * Casey says procfs appears not to care.
2280 * The superblock default suffices.
2281 */
2284 /*
2285 * Device labels should come from the filesystem,
2286 * but watch out, because they're volitile,
2287 * getting recreated on every reboot.
2288 */
2290 /*
2291 * No break.
2292 *
2293 * If a smack value has been set we want to use it,
2294 * but since tmpfs isn't giving us the opportunity
2295 * to set mount options simulate setting the
2296 * superblock default.
2297 */
2299 /*
2300 * This isn't an understood special case.
2301 * Get the value from the xattr.
2302 *
2303 * No xattr support means, alas, no SMACK label.
2304 * Use the aforeapplied default.
2305 * It would be curious if the label of the task
2306 * does not match that assigned.
2307 */
2310 /*
2311 * Get the dentry for xattr.
2312 */
2321 }
2329 }
2333 else
2338 unlockandout:
2341 }
2343 /**
2344 * smack_getprocattr - Smack process attribute access
2345 * @p: the object task
2346 * @name: the name of the attribute in /proc/.../attr
2347 * @value: where to put the result
2348 *
2349 * Places a copy of the task Smack into value
2350 *
2351 * Returns the length of the smack label or an error code
2352 */
2354 {
2368 }
2370 /**
2371 * smack_setprocattr - Smack process attribute setting
2372 * @p: the object task
2373 * @name: the name of the attribute in /proc/.../attr
2374 * @value: the value to set
2375 * @size: the size of the value
2376 *
2377 * Sets the Smack value of the task. Only setting self
2378 * is permitted and only with privilege
2379 *
2380 * Returns the length of the smack label or an error code
2381 */
2384 {
2388 /*
2389 * Changing another process' Smack value is too dangerous
2390 * and supports no sane use case.
2391 */
2408 /*
2409 * No process is ever allowed the web ("@") label.
2410 */
2420 }
2422 /**
2423 * smack_unix_stream_connect - Smack access on UDS
2424 * @sock: one socket
2425 * @other: the other socket
2426 * @newsk: unused
2427 *
2428 * Return 0 if a subject with the smack of sock could access
2429 * an object with the smack of other, otherwise an error code
2430 */
2433 {
2442 }
2444 /**
2445 * smack_unix_may_send - Smack access on UDS
2446 * @sock: one socket
2447 * @other: the other socket
2448 *
2449 * Return 0 if a subject with the smack of sock could access
2450 * an object with the smack of other, otherwise an error code
2451 */
2453 {
2461 }
2463 /**
2464 * smack_socket_sendmsg - Smack check based on destination host
2465 * @sock: the socket
2466 * @msg: the message
2467 * @size: the size of the message
2468 *
2469 * Return 0 if the current subject can write to the destination
2470 * host. This is only a question if the destination is a single
2471 * label host.
2472 */
2475 {
2478 /*
2479 * Perfectly reasonable for this to be NULL
2480 */
2485 }
2488 /**
2489 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
2490 * @sap: netlabel secattr
2491 * @sip: where to put the result
2492 *
2493 * Copies a smack label into sip
2494 */
2496 {
2502 /*
2503 * Looks like a CIPSO packet.
2504 * If there are flags but no level netlabel isn't
2505 * behaving the way we expect it to.
2506 *
2507 * Get the categories, if any
2508 * Without guidance regarding the smack value
2509 * for the packet fall back on the network
2510 * ambient value.
2511 */
2520 }
2521 /*
2522 * If it is CIPSO using smack direct mapping
2523 * we are already done. WeeHee.
2524 */
2528 }
2529 /*
2530 * Look it up in the supplied table if it is not
2531 * a direct mapping.
2532 */
2535 }
2537 /*
2538 * Looks like a fallback, which gives us a secid.
2539 */
2541 /*
2542 * This has got to be a bug because it is
2543 * impossible to specify a fallback without
2544 * specifying the label, which will ensure
2545 * it has a secid, and the only way to get a
2546 * secid is from a fallback.
2547 */
2551 }
2552 /*
2553 * Without guidance regarding the smack value
2554 * for the packet fall back on the network
2555 * ambient value.
2556 */
2559 }
2561 /**
2562 * smack_socket_sock_rcv_skb - Smack packet delivery access check
2563 * @sk: socket
2564 * @skb: packet
2565 *
2566 * Returns 0 if the packet should be delivered, an error code otherwise
2567 */
2569 {
2579 /*
2580 * Translate what netlabel gave us.
2581 */
2593 #ifdef CONFIG_AUDIT
2598 #endif
2599 /*
2600 * Receiving a packet requires that the other end
2601 * be able to write here. Read access is not required.
2602 * This is the simplist possible security model
2603 * for networking.
2604 */
2609 }
2611 /**
2612 * smack_socket_getpeersec_stream - pull in packet label
2613 * @sock: the socket
2614 * @optval: user's destination
2615 * @optlen: size thereof
2616 * @len: max thereof
2617 *
2618 * returns zero on success, an error code otherwise
2619 */
2623 {
2640 }
2643 /**
2644 * smack_socket_getpeersec_dgram - pull in packet label
2645 * @sock: the socket
2646 * @skb: packet data
2647 * @secid: pointer to where to put the secid of the packet
2648 *
2649 * Sets the netlabel socket state on sk from parent
2650 */
2654 {
2659 u32 s;
2662 /*
2663 * Only works for families with packets.
2664 */
2670 }
2671 /*
2672 * Translate what netlabel gave us.
2673 */
2680 /*
2681 * Give up if we couldn't get anything
2682 */
2692 }
2694 /**
2695 * smack_sock_graft - Initialize a newly created socket with an existing sock
2696 * @sk: child sock
2697 * @parent: parent socket
2698 *
2699 * Set the smk_{in,out} state of an existing sock based on the process that
2700 * is creating the new socket.
2701 */
2703 {
2712 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
2713 }
2715 /**
2716 * smack_inet_conn_request - Smack access check on connect
2717 * @sk: socket involved
2718 * @skb: packet
2719 * @req: unused
2720 *
2721 * Returns 0 if a task with the packet label could write to
2722 * the socket, otherwise an error code
2723 */
2726 {
2736 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2744 else
2748 #ifdef CONFIG_AUDIT
2753 #endif
2754 /*
2755 * Receiving a packet requires that the other end be able to write
2756 * here. Read access is not required.
2757 */
2762 /*
2763 * Save the peer's label in the request_sock so we can later setup
2764 * smk_packet in the child socket so that SO_PEERCRED can report it.
2765 */
2768 /*
2769 * We need to decide if we want to label the incoming connection here
2770 * if we do we only need to label the request_sock and the stack will
2771 * propogate the wire-label to the sock when it is created.
2772 */
2785 }
2788 }
2790 /**
2791 * smack_inet_csk_clone - Copy the connection information to the new socket
2792 * @sk: the new socket
2793 * @req: the connection's request_sock
2794 *
2795 * Transfer the connection's peer label to the newly created socket.
2796 */
2799 {
2808 }
2810 /*
2811 * Key management security hooks
2812 *
2813 * Casey has not tested key support very heavily.
2814 * The permission check is most likely too restrictive.
2815 * If you care about keys please have a look.
2816 */
2817 #ifdef CONFIG_KEYS
2819 /**
2820 * smack_key_alloc - Set the key security blob
2821 * @key: object
2822 * @cred: the credentials to use
2823 * @flags: unused
2824 *
2825 * No allocation required
2826 *
2827 * Returns 0
2828 */
2831 {
2834 }
2836 /**
2837 * smack_key_free - Clear the key security blob
2838 * @key: the object
2839 *
2840 * Clear the blob pointer
2841 */
2843 {
2845 }
2847 /*
2848 * smack_key_permission - Smack access on a key
2849 * @key_ref: gets to the object
2850 * @cred: the credentials to use
2851 * @perm: unused
2852 *
2853 * Return 0 if the task has read and write to the object,
2854 * an error code otherwise
2855 */
2858 {
2865 /*
2866 * If the key hasn't been initialized give it access so that
2867 * it may do so.
2868 */
2871 /*
2872 * This should not occur
2873 */
2876 #ifdef CONFIG_AUDIT
2880 #endif
2883 }
2886 /*
2887 * Smack Audit hooks
2888 *
2889 * Audit requires a unique representation of each Smack specific
2890 * rule. This unique representation is used to distinguish the
2891 * object to be audited from remaining kernel objects and also
2892 * works as a glue between the audit hooks.
2893 *
2894 * Since repository entries are added but never deleted, we'll use
2895 * the smack_known label address related to the given audit rule as
2896 * the needed unique representation. This also better fits the smack
2897 * model where nearly everything is a label.
2898 */
2899 #ifdef CONFIG_AUDIT
2901 /**
2902 * smack_audit_rule_init - Initialize a smack audit rule
2903 * @field: audit rule fields given from user-space (audit.h)
2904 * @op: required testing operator (=, !=, >, <, ...)
2905 * @rulestr: smack label to be audited
2906 * @vrule: pointer to save our own audit rule representation
2907 *
2908 * Prepare to audit cases where (@field @op @rulestr) is true.
2909 * The label to be audited is created if necessay.
2910 */
2912 {
2925 }
2927 /**
2928 * smack_audit_rule_known - Distinguish Smack audit rules
2929 * @krule: rule of interest, in Audit kernel representation format
2930 *
2931 * This is used to filter Smack rules from remaining Audit ones.
2932 * If it's proved that this rule belongs to us, the
2933 * audit_rule_match hook will be called to do the final judgement.
2934 */
2936 {
2945 }
2948 }
2950 /**
2951 * smack_audit_rule_match - Audit given object ?
2952 * @secid: security id for identifying the object to test
2953 * @field: audit rule flags given from user-space
2954 * @op: required testing operator
2955 * @vrule: smack internal rule presentation
2956 * @actx: audit context associated with the check
2957 *
2958 * The core Audit hook. It's used to take the decision of
2959 * whether to audit or not to audit a given object.
2960 */
2963 {
2971 }
2978 /*
2979 * No need to do string comparisons. If a match occurs,
2980 * both pointers will point to the same smack_known
2981 * label.
2982 */
2989 }
2991 /**
2992 * smack_audit_rule_free - free smack rule representation
2993 * @vrule: rule to be freed.
2994 *
2995 * No memory was allocated.
2996 */
2998 {
2999 /* No-op */
3000 }
3004 /**
3005 * smack_secid_to_secctx - return the smack label for a secid
3006 * @secid: incoming integer
3007 * @secdata: destination
3008 * @seclen: how long it is
3009 *
3010 * Exists for networking code.
3011 */
3013 {
3019 }
3021 /**
3022 * smack_secctx_to_secid - return the secid for a smack label
3023 * @secdata: smack label
3024 * @seclen: how long result is
3025 * @secid: outgoing integer
3026 *
3027 * Exists for audit and networking code.
3028 */
3030 {
3033 }
3035 /**
3036 * smack_release_secctx - don't do anything.
3037 * @secdata: unused
3038 * @seclen: unused
3039 *
3040 * Exists to make sure nothing gets done, and properly
3041 */
3043 {
3044 }
3047 {
3049 }
3052 {
3054 }
3057 {
3065 }
3176 /* key management security hooks */
3177 #ifdef CONFIG_KEYS
3183 /* Audit hooks */
3184 #ifdef CONFIG_AUDIT
3197 };
3201 {
3208 }
3210 /**
3211 * smack_init - initialize the smack system
3212 *
3213 * Returns 0
3214 */
3216 {
3224 /*
3225 * Set the security state for the initial task.
3226 */
3230 /* initilize the smack_know_list */
3232 /*
3233 * Initialize locks
3234 */
3241 /*
3242 * Register with LSM
3243 */
3248 }
3250 /*
3251 * Smack requires early initialization in order to label
3252 * all processes and objects when they are created.
3253 */