| blob | 489a85afa477bbd4d833fb167b3c6e71be049d86 |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Author:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 *
9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2,
15 * as published by the Free Software Foundation.
16 */
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/kd.h>
23 #include <asm/ioctls.h>
24 #include <linux/ip.h>
25 #include <linux/tcp.h>
26 #include <linux/udp.h>
27 #include <linux/slab.h>
28 #include <linux/mutex.h>
29 #include <linux/pipe_fs_i.h>
30 #include <net/netlabel.h>
31 #include <net/cipso_ipv4.h>
32 #include <linux/audit.h>
33 #include <linux/magic.h>
36 #define task_security(task) (task_cred_xxx((task), security))
38 /**
39 * smk_fetch - Fetch the smack label from a file.
40 * @ip: a pointer to the inode
41 * @dp: a pointer to the dentry
42 *
43 * Returns a pointer to the master list entry for the Smack label
44 * or NULL if there was no label to fetch.
45 */
47 {
59 }
61 /**
62 * new_inode_smack - allocate an inode security blob
63 * @smack: a pointer to the Smack label to use in the blob
64 *
65 * Returns the new blob or NULL if there's no memory available
66 */
68 {
80 }
82 /*
83 * LSM hooks.
84 * We he, that is fun!
85 */
87 /**
88 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
89 * @ctp: child task pointer
90 * @mode: ptrace attachment mode
91 *
92 * Returns 0 if access is OK, an error code otherwise
93 *
94 * Do the capability checks, and require read and write.
95 */
97 {
111 /* we won't log here, because rc can be overriden */
118 }
120 /**
121 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
122 * @ptp: parent task pointer
123 *
124 * Returns 0 if access is OK, an error code otherwise
125 *
126 * Do the capability checks, and require read and write.
127 */
129 {
143 /* we won't log here, because rc can be overriden */
150 }
152 /**
153 * smack_syslog - Smack approval on syslog
154 * @type: message type
155 *
156 * Require that the task has the floor label
157 *
158 * Returns 0 on success, error code otherwise.
159 */
161 {
172 }
175 /*
176 * Superblock Hooks.
177 */
179 /**
180 * smack_sb_alloc_security - allocate a superblock blob
181 * @sb: the superblock getting the blob
182 *
183 * Returns 0 on success or -ENOMEM on error.
184 */
186 {
204 }
206 /**
207 * smack_sb_free_security - free a superblock blob
208 * @sb: the superblock getting the blob
209 *
210 */
212 {
215 }
217 /**
218 * smack_sb_copy_data - copy mount options data for processing
219 * @orig: where to start
220 * @smackopts: mount options string
221 *
222 * Returns 0 on success or -ENOMEM on error.
223 *
224 * Copy the Smack specific mount options out of the mount
225 * options list.
226 */
228 {
244 else
254 }
260 }
262 /**
263 * smack_sb_kern_mount - Smack specific mount processing
264 * @sb: the file system superblock
265 * @flags: the mount flags
266 * @data: the smack mount options
267 *
268 * Returns 0 on success, an error code on failure
269 */
271 {
284 }
314 }
315 }
317 /*
318 * Initialize the root inode.
319 */
323 else
327 }
329 /**
330 * smack_sb_statfs - Smack check on statfs
331 * @dentry: identifies the file system in question
332 *
333 * Returns 0 if current can read the floor of the filesystem,
334 * and error code otherwise
335 */
337 {
347 }
349 /**
350 * smack_sb_mount - Smack check for mounting
351 * @dev_name: unused
352 * @path: mount point
353 * @type: unused
354 * @flags: unused
355 * @data: unused
356 *
357 * Returns 0 if current can write the floor of the filesystem
358 * being mounted on, an error code otherwise.
359 */
362 {
370 }
372 /**
373 * smack_sb_umount - Smack check for unmounting
374 * @mnt: file system to unmount
375 * @flags: unused
376 *
377 * Returns 0 if current can write the floor of the filesystem
378 * being unmounted, an error code otherwise.
379 */
381 {
391 }
393 /*
394 * Inode hooks
395 */
397 /**
398 * smack_inode_alloc_security - allocate an inode blob
399 * @inode: the inode in need of a blob
400 *
401 * Returns 0 if it gets a blob, -ENOMEM otherwise
402 */
404 {
409 }
411 /**
412 * smack_inode_free_security - free an inode blob
413 * @inode: the inode with a blob
414 *
415 * Clears the blob pointer in inode
416 */
418 {
421 }
423 /**
424 * smack_inode_init_security - copy out the smack from an inode
425 * @inode: the inode
426 * @dir: unused
427 * @name: where to put the attribute name
428 * @value: where to put the attribute value
429 * @len: where to put the length of the attribute
430 *
431 * Returns 0 if it all works out, -ENOMEM if there's no memory
432 */
435 {
442 }
448 }
454 }
456 /**
457 * smack_inode_link - Smack check on link
458 * @old_dentry: the existing object
459 * @dir: unused
460 * @new_dentry: the new object
461 *
462 * Returns 0 if access is permitted, an error code otherwise
463 */
466 {
481 }
484 }
486 /**
487 * smack_inode_unlink - Smack check on inode deletion
488 * @dir: containing directory object
489 * @dentry: file to unlink
490 *
491 * Returns 0 if current can write the containing directory
492 * and the object, error code otherwise
493 */
495 {
503 /*
504 * You need write access to the thing you're unlinking
505 */
508 /*
509 * You also need write access to the containing directory
510 */
514 }
516 }
518 /**
519 * smack_inode_rmdir - Smack check on directory deletion
520 * @dir: containing directory object
521 * @dentry: directory to unlink
522 *
523 * Returns 0 if current can write the containing directory
524 * and the directory, error code otherwise
525 */
527 {
534 /*
535 * You need write access to the thing you're removing
536 */
539 /*
540 * You also need write access to the containing directory
541 */
545 }
548 }
550 /**
551 * smack_inode_rename - Smack check on rename
552 * @old_inode: the old directory
553 * @old_dentry: unused
554 * @new_inode: the new directory
555 * @new_dentry: unused
556 *
557 * Read and write access is required on both the old and
558 * new directories.
559 *
560 * Returns 0 if access is permitted, an error code otherwise
561 */
566 {
581 }
583 }
585 /**
586 * smack_inode_permission - Smack version of permission()
587 * @inode: the inode in question
588 * @mask: the access requested
589 *
590 * This is the important Smack hook.
591 *
592 * Returns 0 if access is permitted, -EACCES otherwise
593 */
595 {
599 /*
600 * No permission to check. Existence test. Yup, it's there.
601 */
607 }
609 /**
610 * smack_inode_setattr - Smack check for setting attributes
611 * @dentry: the object
612 * @iattr: for the force flag
613 *
614 * Returns 0 if access is permitted, an error code otherwise
615 */
617 {
619 /*
620 * Need to allow for clearing the setuid bit.
621 */
628 }
630 /**
631 * smack_inode_getattr - Smack check for getting attributes
632 * @mnt: unused
633 * @dentry: the object
634 *
635 * Returns 0 if access is permitted, an error code otherwise
636 */
638 {
645 }
647 /**
648 * smack_inode_setxattr - Smack check for setting xattrs
649 * @dentry: the object
650 * @name: name of the attribute
651 * @value: unused
652 * @size: unused
653 * @flags: unused
654 *
655 * This protects the Smack attribute explicitly.
656 *
657 * Returns 0 if access is permitted, an error code otherwise
658 */
661 {
670 /*
671 * check label validity here so import wont fail on
672 * post_setxattr
673 */
687 }
689 /**
690 * smack_inode_post_setxattr - Apply the Smack update approved above
691 * @dentry: object
692 * @name: attribute name
693 * @value: attribute value
694 * @size: attribute size
695 * @flags: unused
696 *
697 * Set the pointer in the inode blob to the entry found
698 * in the master label list.
699 */
702 {
706 /*
707 * Not SMACK
708 */
714 /*
715 * No locking is done here. This is a pointer
716 * assignment.
717 */
721 else
725 }
727 /*
728 * smack_inode_getxattr - Smack check on getxattr
729 * @dentry: the object
730 * @name: unused
731 *
732 * Returns 0 if access is permitted, an error code otherwise
733 */
735 {
742 }
744 /*
745 * smack_inode_removexattr - Smack check on removexattr
746 * @dentry: the object
747 * @name: name of the attribute
748 *
749 * Removing the Smack attribute requires CAP_MAC_ADMIN
750 *
751 * Returns 0 if access is permitted, an error code otherwise
752 */
754 {
772 }
774 /**
775 * smack_inode_getsecurity - get smack xattrs
776 * @inode: the object
777 * @name: attribute name
778 * @buffer: where to put the result
779 * @alloc: unused
780 *
781 * Returns the size of the attribute or an error code
782 */
786 {
800 }
802 /*
803 * The rest of the Smack xattrs are only on sockets.
804 */
819 else
826 }
829 }
832 /**
833 * smack_inode_listsecurity - list the Smack attributes
834 * @inode: the object
835 * @buffer: where they go
836 * @buffer_size: size of buffer
837 *
838 * Returns 0 on success, -EINVAL otherwise
839 */
842 {
848 }
850 }
852 /**
853 * smack_inode_getsecid - Extract inode's security id
854 * @inode: inode to extract the info from
855 * @secid: where result will be saved
856 */
858 {
862 }
864 /*
865 * File Hooks
866 */
868 /**
869 * smack_file_permission - Smack check on file operations
870 * @file: unused
871 * @mask: unused
872 *
873 * Returns 0
874 *
875 * Should access checks be done on each read or write?
876 * UNICOS and SELinux say yes.
877 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
878 *
879 * I'll say no for now. Smack does not do the frequent
880 * label changing that SELinux does.
881 */
883 {
885 }
887 /**
888 * smack_file_alloc_security - assign a file security blob
889 * @file: the object
890 *
891 * The security blob for a file is a pointer to the master
892 * label list, so no allocation is done.
893 *
894 * Returns 0
895 */
897 {
900 }
902 /**
903 * smack_file_free_security - clear a file security blob
904 * @file: the object
905 *
906 * The security blob for a file is a pointer to the master
907 * label list, so no memory is freed.
908 */
910 {
912 }
914 /**
915 * smack_file_ioctl - Smack check on ioctls
916 * @file: the object
917 * @cmd: what to do
918 * @arg: unused
919 *
920 * Relies heavily on the correct use of the ioctl command conventions.
921 *
922 * Returns 0 if allowed, error code otherwise
923 */
926 {
940 }
942 /**
943 * smack_file_lock - Smack check on file locking
944 * @file: the object
945 * @cmd: unused
946 *
947 * Returns 0 if current has write access, error code otherwise
948 */
950 {
956 }
958 /**
959 * smack_file_fcntl - Smack check on fcntl
960 * @file: the object
961 * @cmd: what action to check
962 * @arg: unused
963 *
964 * Returns 0 if current has access, error code otherwise
965 */
968 {
994 }
997 }
999 /**
1000 * smack_file_set_fowner - set the file security blob value
1001 * @file: object in question
1002 *
1003 * Returns 0
1004 * Further research may be required on this one.
1005 */
1007 {
1010 }
1012 /**
1013 * smack_file_send_sigiotask - Smack on sigio
1014 * @tsk: The target task
1015 * @fown: the object the signal come from
1016 * @signum: unused
1017 *
1018 * Allow a privileged task to get signals even if it shouldn't
1019 *
1020 * Returns 0 if a subject with the object's smack could
1021 * write to the task, an error code otherwise.
1022 */
1025 {
1031 /*
1032 * struct fown_struct is never outside the context of a struct file
1033 */
1035 /* we don't log here as rc can be overriden */
1044 }
1046 /**
1047 * smack_file_receive - Smack file receive check
1048 * @file: the object
1049 *
1050 * Returns 0 if current has access, error code otherwise
1051 */
1053 {
1059 /*
1060 * This code relies on bitmasks.
1061 */
1068 }
1070 /*
1071 * Task hooks
1072 */
1074 /**
1075 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
1076 * @new: the new credentials
1077 * @gfp: the atomicity of any memory allocations
1078 *
1079 * Prepare a blank set of credentials for modification. This must allocate all
1080 * the memory the LSM module might require such that cred_transfer() can
1081 * complete without error.
1082 */
1084 {
1087 }
1090 /**
1091 * smack_cred_free - "free" task-level security credentials
1092 * @cred: the credentials in question
1093 *
1094 * Smack isn't using copies of blobs. Everyone
1095 * points to an immutable list. The blobs never go away.
1096 * There is no leak here.
1097 */
1099 {
1101 }
1103 /**
1104 * smack_cred_prepare - prepare new set of credentials for modification
1105 * @new: the new credentials
1106 * @old: the original credentials
1107 * @gfp: the atomicity of any memory allocations
1108 *
1109 * Prepare a new set of credentials for modification.
1110 */
1112 gfp_t gfp)
1113 {
1116 }
1118 /**
1119 * smack_cred_transfer - Transfer the old credentials to the new credentials
1120 * @new: the new credentials
1121 * @old: the original credentials
1122 *
1123 * Fill in a set of blank credentials from another set of credentials.
1124 */
1126 {
1128 }
1130 /**
1131 * smack_kernel_act_as - Set the subjective context in a set of credentials
1132 * @new: points to the set of credentials to be modified.
1133 * @secid: specifies the security ID to be set
1134 *
1135 * Set the security data for a kernel service.
1136 */
1138 {
1146 }
1148 /**
1149 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1150 * @new: points to the set of credentials to be modified
1151 * @inode: points to the inode to use as a reference
1152 *
1153 * Set the file creation context in a set of credentials to the same
1154 * as the objective context of the specified inode
1155 */
1158 {
1163 }
1165 /**
1166 * smk_curacc_on_task - helper to log task related access
1167 * @p: the task object
1168 * @access : the access requested
1169 *
1170 * Return 0 if access is permitted
1171 */
1173 {
1179 }
1181 /**
1182 * smack_task_setpgid - Smack check on setting pgid
1183 * @p: the task object
1184 * @pgid: unused
1185 *
1186 * Return 0 if write access is permitted
1187 */
1189 {
1191 }
1193 /**
1194 * smack_task_getpgid - Smack access check for getpgid
1195 * @p: the object task
1196 *
1197 * Returns 0 if current can read the object task, error code otherwise
1198 */
1200 {
1202 }
1204 /**
1205 * smack_task_getsid - Smack access check for getsid
1206 * @p: the object task
1207 *
1208 * Returns 0 if current can read the object task, error code otherwise
1209 */
1211 {
1213 }
1215 /**
1216 * smack_task_getsecid - get the secid of the task
1217 * @p: the object task
1218 * @secid: where to put the result
1219 *
1220 * Sets the secid to contain a u32 version of the smack label.
1221 */
1223 {
1225 }
1227 /**
1228 * smack_task_setnice - Smack check on setting nice
1229 * @p: the task object
1230 * @nice: unused
1231 *
1232 * Return 0 if write access is permitted
1233 */
1235 {
1242 }
1244 /**
1245 * smack_task_setioprio - Smack check on setting ioprio
1246 * @p: the task object
1247 * @ioprio: unused
1248 *
1249 * Return 0 if write access is permitted
1250 */
1252 {
1259 }
1261 /**
1262 * smack_task_getioprio - Smack check on reading ioprio
1263 * @p: the task object
1264 *
1265 * Return 0 if read access is permitted
1266 */
1268 {
1270 }
1272 /**
1273 * smack_task_setscheduler - Smack check on setting scheduler
1274 * @p: the task object
1275 * @policy: unused
1276 * @lp: unused
1277 *
1278 * Return 0 if read access is permitted
1279 */
1281 {
1288 }
1290 /**
1291 * smack_task_getscheduler - Smack check on reading scheduler
1292 * @p: the task object
1293 *
1294 * Return 0 if read access is permitted
1295 */
1297 {
1299 }
1301 /**
1302 * smack_task_movememory - Smack check on moving memory
1303 * @p: the task object
1304 *
1305 * Return 0 if write access is permitted
1306 */
1308 {
1310 }
1312 /**
1313 * smack_task_kill - Smack check on signal delivery
1314 * @p: the task object
1315 * @info: unused
1316 * @sig: unused
1317 * @secid: identifies the smack to use in lieu of current's
1318 *
1319 * Return 0 if write access is permitted
1320 *
1321 * The secid behavior is an artifact of an SELinux hack
1322 * in the USB code. Someday it may go away.
1323 */
1326 {
1331 /*
1332 * Sending a signal requires that the sender
1333 * can write the receiver.
1334 */
1337 /*
1338 * If the secid isn't 0 we're dealing with some USB IO
1339 * specific behavior. This is not clean. For one thing
1340 * we can't take privilege into account.
1341 */
1344 }
1346 /**
1347 * smack_task_wait - Smack access check for waiting
1348 * @p: task to wait for
1349 *
1350 * Returns 0 if current can wait for p, error code otherwise
1351 */
1353 {
1359 /* we don't log here, we can be overriden */
1364 /*
1365 * Allow the operation to succeed if either task
1366 * has privilege to perform operations that might
1367 * account for the smack labels having gotten to
1368 * be different in the first place.
1369 *
1370 * This breaks the strict subject/object access
1371 * control ideal, taking the object's privilege
1372 * state into account in the decision as well as
1373 * the smack value.
1374 */
1377 /* we log only if we didn't get overriden */
1378 out_log:
1383 }
1385 /**
1386 * smack_task_to_inode - copy task smack into the inode blob
1387 * @p: task to copy from
1388 * @inode: inode to copy to
1389 *
1390 * Sets the smack pointer in the inode security blob
1391 */
1393 {
1396 }
1398 /*
1399 * Socket hooks.
1400 */
1402 /**
1403 * smack_sk_alloc_security - Allocate a socket blob
1404 * @sk: the socket
1405 * @family: unused
1406 * @gfp_flags: memory allocation flags
1407 *
1408 * Assign Smack pointers to current
1409 *
1410 * Returns 0 on success, -ENOMEM is there's no memory
1411 */
1413 {
1428 }
1430 /**
1431 * smack_sk_free_security - Free a socket blob
1432 * @sk: the socket
1433 *
1434 * Clears the blob pointer
1435 */
1437 {
1439 }
1441 /**
1442 * smack_host_label - check host based restrictions
1443 * @sip: the object end
1444 *
1445 * looks for host based access restrictions
1446 *
1447 * This version will only be appropriate for really small sets of single label
1448 * hosts. The caller is responsible for ensuring that the RCU read lock is
1449 * taken before calling this function.
1450 *
1451 * Returns the label of the far end or NULL if it's not special.
1452 */
1454 {
1462 /*
1463 * we break after finding the first match because
1464 * the list is sorted from longest to shortest mask
1465 * so we have found the most specific match
1466 */
1469 /* we have found the special CIPSO option */
1473 }
1476 }
1478 /**
1479 * smack_set_catset - convert a capset to netlabel mls categories
1480 * @catset: the Smack categories
1481 * @sap: where to put the netlabel categories
1482 *
1483 * Allocates and fills attr.mls.cat
1484 */
1486 {
1506 }
1507 }
1509 /**
1510 * smack_to_secattr - fill a secattr from a smack value
1511 * @smack: the smack value
1512 * @nlsp: where the result goes
1513 *
1514 * Casey says that CIPSO is good enough for now.
1515 * It can be used to effect.
1516 * It can also be abused to effect when necessary.
1517 * Appologies to the TSIG group in general and GW in particular.
1518 */
1520 {
1534 }
1535 }
1537 /**
1538 * smack_netlabel - Set the secattr on a socket
1539 * @sk: the socket
1540 * @labeled: socket label scheme
1541 *
1542 * Convert the outbound smack value (smk_out) to a
1543 * secattr and attach it to the socket.
1544 *
1545 * Returns 0 on success or an error code
1546 */
1548 {
1553 /*
1554 * Usually the netlabel code will handle changing the
1555 * packet labeling based on the label.
1556 * The case of a single label host is different, because
1557 * a single label host should never get a labeled packet
1558 * even though the label is usually associated with a packet
1559 * label.
1560 */
1572 }
1578 }
1580 /**
1581 * smack_netlbel_send - Set the secattr on a socket and perform access checks
1582 * @sk: the socket
1583 * @sap: the destination address
1584 *
1585 * Set the correct secattr for the given socket based on the destination
1586 * address and perform any outbound access checks needed.
1587 *
1588 * Returns 0 on success or an error code.
1589 *
1590 */
1592 {
1603 #ifdef CONFIG_AUDIT
1608 #endif
1613 }
1619 }
1621 /**
1622 * smack_inode_setsecurity - set smack xattrs
1623 * @inode: the object
1624 * @name: attribute name
1625 * @value: attribute value
1626 * @size: size of the attribute
1627 * @flags: unused
1628 *
1629 * Sets the named attribute in the appropriate blob
1630 *
1631 * Returns 0 on success, or an error code
1632 */
1635 {
1653 }
1654 /*
1655 * The rest of the Smack xattrs are only on sockets.
1656 */
1678 }
1680 /**
1681 * smack_socket_post_create - finish socket setup
1682 * @sock: the socket
1683 * @family: protocol family
1684 * @type: unused
1685 * @protocol: unused
1686 * @kern: unused
1687 *
1688 * Sets the netlabel information on the socket
1689 *
1690 * Returns 0 on success, and error code otherwise
1691 */
1694 {
1697 /*
1698 * Set the outbound netlbl.
1699 */
1701 }
1703 /**
1704 * smack_socket_connect - connect access check
1705 * @sock: the socket
1706 * @sap: the other end
1707 * @addrlen: size of sap
1708 *
1709 * Verifies that a connection may be possible
1710 *
1711 * Returns 0 on success, and error code otherwise
1712 */
1715 {
1722 }
1724 /**
1725 * smack_flags_to_may - convert S_ to MAY_ values
1726 * @flags: the S_ value
1727 *
1728 * Returns the equivalent MAY_ value
1729 */
1731 {
1742 }
1744 /**
1745 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
1746 * @msg: the object
1747 *
1748 * Returns 0
1749 */
1751 {
1754 }
1756 /**
1757 * smack_msg_msg_free_security - Clear the security blob for msg_msg
1758 * @msg: the object
1759 *
1760 * Clears the blob pointer
1761 */
1763 {
1765 }
1767 /**
1768 * smack_of_shm - the smack pointer for the shm
1769 * @shp: the object
1770 *
1771 * Returns a pointer to the smack value
1772 */
1774 {
1776 }
1778 /**
1779 * smack_shm_alloc_security - Set the security blob for shm
1780 * @shp: the object
1781 *
1782 * Returns 0
1783 */
1785 {
1790 }
1792 /**
1793 * smack_shm_free_security - Clear the security blob for shm
1794 * @shp: the object
1795 *
1796 * Clears the blob pointer
1797 */
1799 {
1803 }
1805 /**
1806 * smk_curacc_shm : check if current has access on shm
1807 * @shp : the object
1808 * @access : access requested
1809 *
1810 * Returns 0 if current has the requested access, error code otherwise
1811 */
1813 {
1817 #ifdef CONFIG_AUDIT
1820 #endif
1822 }
1824 /**
1825 * smack_shm_associate - Smack access check for shm
1826 * @shp: the object
1827 * @shmflg: access requested
1828 *
1829 * Returns 0 if current has the requested access, error code otherwise
1830 */
1832 {
1837 }
1839 /**
1840 * smack_shm_shmctl - Smack access check for shm
1841 * @shp: the object
1842 * @cmd: what it wants to do
1843 *
1844 * Returns 0 if current has the requested access, error code otherwise
1845 */
1847 {
1863 /*
1864 * System level information.
1865 */
1869 }
1871 }
1873 /**
1874 * smack_shm_shmat - Smack access for shmat
1875 * @shp: the object
1876 * @shmaddr: unused
1877 * @shmflg: access requested
1878 *
1879 * Returns 0 if current has the requested access, error code otherwise
1880 */
1883 {
1888 }
1890 /**
1891 * smack_of_sem - the smack pointer for the sem
1892 * @sma: the object
1893 *
1894 * Returns a pointer to the smack value
1895 */
1897 {
1899 }
1901 /**
1902 * smack_sem_alloc_security - Set the security blob for sem
1903 * @sma: the object
1904 *
1905 * Returns 0
1906 */
1908 {
1913 }
1915 /**
1916 * smack_sem_free_security - Clear the security blob for sem
1917 * @sma: the object
1918 *
1919 * Clears the blob pointer
1920 */
1922 {
1926 }
1928 /**
1929 * smk_curacc_sem : check if current has access on sem
1930 * @sma : the object
1931 * @access : access requested
1932 *
1933 * Returns 0 if current has the requested access, error code otherwise
1934 */
1936 {
1940 #ifdef CONFIG_AUDIT
1943 #endif
1945 }
1947 /**
1948 * smack_sem_associate - Smack access check for sem
1949 * @sma: the object
1950 * @semflg: access requested
1951 *
1952 * Returns 0 if current has the requested access, error code otherwise
1953 */
1955 {
1960 }
1962 /**
1963 * smack_sem_shmctl - Smack access check for sem
1964 * @sma: the object
1965 * @cmd: what it wants to do
1966 *
1967 * Returns 0 if current has the requested access, error code otherwise
1968 */
1970 {
1991 /*
1992 * System level information
1993 */
1997 }
2000 }
2002 /**
2003 * smack_sem_semop - Smack checks of semaphore operations
2004 * @sma: the object
2005 * @sops: unused
2006 * @nsops: unused
2007 * @alter: unused
2008 *
2009 * Treated as read and write in all cases.
2010 *
2011 * Returns 0 if access is allowed, error code otherwise
2012 */
2015 {
2017 }
2019 /**
2020 * smack_msg_alloc_security - Set the security blob for msg
2021 * @msq: the object
2022 *
2023 * Returns 0
2024 */
2026 {
2031 }
2033 /**
2034 * smack_msg_free_security - Clear the security blob for msg
2035 * @msq: the object
2036 *
2037 * Clears the blob pointer
2038 */
2040 {
2044 }
2046 /**
2047 * smack_of_msq - the smack pointer for the msq
2048 * @msq: the object
2049 *
2050 * Returns a pointer to the smack value
2051 */
2053 {
2055 }
2057 /**
2058 * smk_curacc_msq : helper to check if current has access on msq
2059 * @msq : the msq
2060 * @access : access requested
2061 *
2062 * return 0 if current has access, error otherwise
2063 */
2065 {
2069 #ifdef CONFIG_AUDIT
2072 #endif
2074 }
2076 /**
2077 * smack_msg_queue_associate - Smack access check for msg_queue
2078 * @msq: the object
2079 * @msqflg: access requested
2080 *
2081 * Returns 0 if current has the requested access, error code otherwise
2082 */
2084 {
2089 }
2091 /**
2092 * smack_msg_queue_msgctl - Smack access check for msg_queue
2093 * @msq: the object
2094 * @cmd: what it wants to do
2095 *
2096 * Returns 0 if current has the requested access, error code otherwise
2097 */
2099 {
2113 /*
2114 * System level information
2115 */
2119 }
2122 }
2124 /**
2125 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2126 * @msq: the object
2127 * @msg: unused
2128 * @msqflg: access requested
2129 *
2130 * Returns 0 if current has the requested access, error code otherwise
2131 */
2134 {
2139 }
2141 /**
2142 * smack_msg_queue_msgsnd - Smack access check for msg_queue
2143 * @msq: the object
2144 * @msg: unused
2145 * @target: unused
2146 * @type: unused
2147 * @mode: unused
2148 *
2149 * Returns 0 if current has read and write access, error code otherwise
2150 */
2153 {
2155 }
2157 /**
2158 * smack_ipc_permission - Smack access for ipc_permission()
2159 * @ipp: the object permissions
2160 * @flag: access requested
2161 *
2162 * Returns 0 if current has read and write access, error code otherwise
2163 */
2165 {
2170 #ifdef CONFIG_AUDIT
2173 #endif
2175 }
2177 /**
2178 * smack_ipc_getsecid - Extract smack security id
2179 * @ipp: the object permissions
2180 * @secid: where result will be saved
2181 */
2183 {
2187 }
2189 /**
2190 * smack_d_instantiate - Make sure the blob is correct on an inode
2191 * @opt_dentry: dentry where inode will be attached
2192 * @inode: the object
2193 *
2194 * Set the inode's security blob if it hasn't been done already.
2195 */
2197 {
2212 /*
2213 * If the inode is already instantiated
2214 * take the quick way out
2215 */
2221 /*
2222 * We're going to use the superblock default label
2223 * if there's no label on the file.
2224 */
2227 /*
2228 * If this is the root inode the superblock
2229 * may be in the process of initialization.
2230 * If that is the case use the root value out
2231 * of the superblock.
2232 */
2237 }
2239 /*
2240 * This is pretty hackish.
2241 * Casey says that we shouldn't have to do
2242 * file system specific code, but it does help
2243 * with keeping it simple.
2244 */
2247 /*
2248 * Casey says that it's a little embarassing
2249 * that the smack file system doesn't do
2250 * extended attributes.
2251 */
2255 /*
2256 * Casey says pipes are easy (?)
2257 */
2261 /*
2262 * devpts seems content with the label of the task.
2263 * Programs that change smack have to treat the
2264 * pty with respect.
2265 */
2269 /*
2270 * Casey says sockets get the smack of the task.
2271 */
2275 /*
2276 * Casey says procfs appears not to care.
2277 * The superblock default suffices.
2278 */
2281 /*
2282 * Device labels should come from the filesystem,
2283 * but watch out, because they're volitile,
2284 * getting recreated on every reboot.
2285 */
2287 /*
2288 * No break.
2289 *
2290 * If a smack value has been set we want to use it,
2291 * but since tmpfs isn't giving us the opportunity
2292 * to set mount options simulate setting the
2293 * superblock default.
2294 */
2296 /*
2297 * This isn't an understood special case.
2298 * Get the value from the xattr.
2299 *
2300 * No xattr support means, alas, no SMACK label.
2301 * Use the aforeapplied default.
2302 * It would be curious if the label of the task
2303 * does not match that assigned.
2304 */
2307 /*
2308 * Get the dentry for xattr.
2309 */
2316 }
2320 else
2325 unlockandout:
2328 }
2330 /**
2331 * smack_getprocattr - Smack process attribute access
2332 * @p: the object task
2333 * @name: the name of the attribute in /proc/.../attr
2334 * @value: where to put the result
2335 *
2336 * Places a copy of the task Smack into value
2337 *
2338 * Returns the length of the smack label or an error code
2339 */
2341 {
2355 }
2357 /**
2358 * smack_setprocattr - Smack process attribute setting
2359 * @p: the object task
2360 * @name: the name of the attribute in /proc/.../attr
2361 * @value: the value to set
2362 * @size: the size of the value
2363 *
2364 * Sets the Smack value of the task. Only setting self
2365 * is permitted and only with privilege
2366 *
2367 * Returns the length of the smack label or an error code
2368 */
2371 {
2375 /*
2376 * Changing another process' Smack value is too dangerous
2377 * and supports no sane use case.
2378 */
2395 /*
2396 * No process is ever allowed the web ("@") label.
2397 */
2407 }
2409 /**
2410 * smack_unix_stream_connect - Smack access on UDS
2411 * @sock: one socket
2412 * @other: the other socket
2413 * @newsk: unused
2414 *
2415 * Return 0 if a subject with the smack of sock could access
2416 * an object with the smack of other, otherwise an error code
2417 */
2420 {
2429 }
2431 /**
2432 * smack_unix_may_send - Smack access on UDS
2433 * @sock: one socket
2434 * @other: the other socket
2435 *
2436 * Return 0 if a subject with the smack of sock could access
2437 * an object with the smack of other, otherwise an error code
2438 */
2440 {
2448 }
2450 /**
2451 * smack_socket_sendmsg - Smack check based on destination host
2452 * @sock: the socket
2453 * @msg: the message
2454 * @size: the size of the message
2455 *
2456 * Return 0 if the current subject can write to the destination
2457 * host. This is only a question if the destination is a single
2458 * label host.
2459 */
2462 {
2465 /*
2466 * Perfectly reasonable for this to be NULL
2467 */
2472 }
2475 /**
2476 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
2477 * @sap: netlabel secattr
2478 * @sip: where to put the result
2479 *
2480 * Copies a smack label into sip
2481 */
2483 {
2489 /*
2490 * Looks like a CIPSO packet.
2491 * If there are flags but no level netlabel isn't
2492 * behaving the way we expect it to.
2493 *
2494 * Get the categories, if any
2495 * Without guidance regarding the smack value
2496 * for the packet fall back on the network
2497 * ambient value.
2498 */
2507 }
2508 /*
2509 * If it is CIPSO using smack direct mapping
2510 * we are already done. WeeHee.
2511 */
2515 }
2516 /*
2517 * Look it up in the supplied table if it is not
2518 * a direct mapping.
2519 */
2522 }
2524 /*
2525 * Looks like a fallback, which gives us a secid.
2526 */
2528 /*
2529 * This has got to be a bug because it is
2530 * impossible to specify a fallback without
2531 * specifying the label, which will ensure
2532 * it has a secid, and the only way to get a
2533 * secid is from a fallback.
2534 */
2538 }
2539 /*
2540 * Without guidance regarding the smack value
2541 * for the packet fall back on the network
2542 * ambient value.
2543 */
2546 }
2548 /**
2549 * smack_socket_sock_rcv_skb - Smack packet delivery access check
2550 * @sk: socket
2551 * @skb: packet
2552 *
2553 * Returns 0 if the packet should be delivered, an error code otherwise
2554 */
2556 {
2566 /*
2567 * Translate what netlabel gave us.
2568 */
2580 #ifdef CONFIG_AUDIT
2585 #endif
2586 /*
2587 * Receiving a packet requires that the other end
2588 * be able to write here. Read access is not required.
2589 * This is the simplist possible security model
2590 * for networking.
2591 */
2596 }
2598 /**
2599 * smack_socket_getpeersec_stream - pull in packet label
2600 * @sock: the socket
2601 * @optval: user's destination
2602 * @optlen: size thereof
2603 * @len: max thereof
2604 *
2605 * returns zero on success, an error code otherwise
2606 */
2610 {
2627 }
2630 /**
2631 * smack_socket_getpeersec_dgram - pull in packet label
2632 * @sock: the socket
2633 * @skb: packet data
2634 * @secid: pointer to where to put the secid of the packet
2635 *
2636 * Sets the netlabel socket state on sk from parent
2637 */
2641 {
2646 u32 s;
2649 /*
2650 * Only works for families with packets.
2651 */
2657 }
2658 /*
2659 * Translate what netlabel gave us.
2660 */
2667 /*
2668 * Give up if we couldn't get anything
2669 */
2679 }
2681 /**
2682 * smack_sock_graft - Initialize a newly created socket with an existing sock
2683 * @sk: child sock
2684 * @parent: parent socket
2685 *
2686 * Set the smk_{in,out} state of an existing sock based on the process that
2687 * is creating the new socket.
2688 */
2690 {
2699 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
2700 }
2702 /**
2703 * smack_inet_conn_request - Smack access check on connect
2704 * @sk: socket involved
2705 * @skb: packet
2706 * @req: unused
2707 *
2708 * Returns 0 if a task with the packet label could write to
2709 * the socket, otherwise an error code
2710 */
2713 {
2723 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2731 else
2735 #ifdef CONFIG_AUDIT
2740 #endif
2741 /*
2742 * Receiving a packet requires that the other end be able to write
2743 * here. Read access is not required.
2744 */
2749 /*
2750 * Save the peer's label in the request_sock so we can later setup
2751 * smk_packet in the child socket so that SO_PEERCRED can report it.
2752 */
2755 /*
2756 * We need to decide if we want to label the incoming connection here
2757 * if we do we only need to label the request_sock and the stack will
2758 * propogate the wire-label to the sock when it is created.
2759 */
2772 }
2775 }
2777 /**
2778 * smack_inet_csk_clone - Copy the connection information to the new socket
2779 * @sk: the new socket
2780 * @req: the connection's request_sock
2781 *
2782 * Transfer the connection's peer label to the newly created socket.
2783 */
2786 {
2795 }
2797 /*
2798 * Key management security hooks
2799 *
2800 * Casey has not tested key support very heavily.
2801 * The permission check is most likely too restrictive.
2802 * If you care about keys please have a look.
2803 */
2804 #ifdef CONFIG_KEYS
2806 /**
2807 * smack_key_alloc - Set the key security blob
2808 * @key: object
2809 * @cred: the credentials to use
2810 * @flags: unused
2811 *
2812 * No allocation required
2813 *
2814 * Returns 0
2815 */
2818 {
2821 }
2823 /**
2824 * smack_key_free - Clear the key security blob
2825 * @key: the object
2826 *
2827 * Clear the blob pointer
2828 */
2830 {
2832 }
2834 /*
2835 * smack_key_permission - Smack access on a key
2836 * @key_ref: gets to the object
2837 * @cred: the credentials to use
2838 * @perm: unused
2839 *
2840 * Return 0 if the task has read and write to the object,
2841 * an error code otherwise
2842 */
2845 {
2852 /*
2853 * If the key hasn't been initialized give it access so that
2854 * it may do so.
2855 */
2858 /*
2859 * This should not occur
2860 */
2863 #ifdef CONFIG_AUDIT
2867 #endif
2870 }
2873 /*
2874 * Smack Audit hooks
2875 *
2876 * Audit requires a unique representation of each Smack specific
2877 * rule. This unique representation is used to distinguish the
2878 * object to be audited from remaining kernel objects and also
2879 * works as a glue between the audit hooks.
2880 *
2881 * Since repository entries are added but never deleted, we'll use
2882 * the smack_known label address related to the given audit rule as
2883 * the needed unique representation. This also better fits the smack
2884 * model where nearly everything is a label.
2885 */
2886 #ifdef CONFIG_AUDIT
2888 /**
2889 * smack_audit_rule_init - Initialize a smack audit rule
2890 * @field: audit rule fields given from user-space (audit.h)
2891 * @op: required testing operator (=, !=, >, <, ...)
2892 * @rulestr: smack label to be audited
2893 * @vrule: pointer to save our own audit rule representation
2894 *
2895 * Prepare to audit cases where (@field @op @rulestr) is true.
2896 * The label to be audited is created if necessay.
2897 */
2899 {
2912 }
2914 /**
2915 * smack_audit_rule_known - Distinguish Smack audit rules
2916 * @krule: rule of interest, in Audit kernel representation format
2917 *
2918 * This is used to filter Smack rules from remaining Audit ones.
2919 * If it's proved that this rule belongs to us, the
2920 * audit_rule_match hook will be called to do the final judgement.
2921 */
2923 {
2932 }
2935 }
2937 /**
2938 * smack_audit_rule_match - Audit given object ?
2939 * @secid: security id for identifying the object to test
2940 * @field: audit rule flags given from user-space
2941 * @op: required testing operator
2942 * @vrule: smack internal rule presentation
2943 * @actx: audit context associated with the check
2944 *
2945 * The core Audit hook. It's used to take the decision of
2946 * whether to audit or not to audit a given object.
2947 */
2950 {
2958 }
2965 /*
2966 * No need to do string comparisons. If a match occurs,
2967 * both pointers will point to the same smack_known
2968 * label.
2969 */
2976 }
2978 /**
2979 * smack_audit_rule_free - free smack rule representation
2980 * @vrule: rule to be freed.
2981 *
2982 * No memory was allocated.
2983 */
2985 {
2986 /* No-op */
2987 }
2991 /**
2992 * smack_secid_to_secctx - return the smack label for a secid
2993 * @secid: incoming integer
2994 * @secdata: destination
2995 * @seclen: how long it is
2996 *
2997 * Exists for networking code.
2998 */
3000 {
3007 }
3009 /**
3010 * smack_secctx_to_secid - return the secid for a smack label
3011 * @secdata: smack label
3012 * @seclen: how long result is
3013 * @secid: outgoing integer
3014 *
3015 * Exists for audit and networking code.
3016 */
3018 {
3021 }
3023 /**
3024 * smack_release_secctx - don't do anything.
3025 * @secdata: unused
3026 * @seclen: unused
3027 *
3028 * Exists to make sure nothing gets done, and properly
3029 */
3031 {
3032 }
3035 {
3037 }
3040 {
3042 }
3045 {
3053 }
3164 /* key management security hooks */
3165 #ifdef CONFIG_KEYS
3171 /* Audit hooks */
3172 #ifdef CONFIG_AUDIT
3185 };
3189 {
3196 }
3198 /**
3199 * smack_init - initialize the smack system
3200 *
3201 * Returns 0
3202 */
3204 {
3212 /*
3213 * Set the security state for the initial task.
3214 */
3218 /* initialize the smack_know_list */
3220 /*
3221 * Initialize locks
3222 */
3229 /*
3230 * Register with LSM
3231 */
3236 }
3238 /*
3239 * Smack requires early initialization in order to label
3240 * all processes and objects when they are created.
3241 */