| blob | 921514902eca4cac7ca80eaa07622f487b2e51a0 |
1 /*
2 * Simplified MAC Kernel (smack) security module
3 *
4 * This file contains the smack hook function implementations.
5 *
6 * Author:
7 * Casey Schaufler <casey@schaufler-ca.com>
8 *
9 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
10 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
11 * Paul Moore <paul.moore@hp.com>
12 *
13 * This program is free software; you can redistribute it and/or modify
14 * it under the terms of the GNU General Public License version 2,
15 * as published by the Free Software Foundation.
16 */
18 #include <linux/xattr.h>
19 #include <linux/pagemap.h>
20 #include <linux/mount.h>
21 #include <linux/stat.h>
22 #include <linux/ext2_fs.h>
23 #include <linux/kd.h>
24 #include <asm/ioctls.h>
25 #include <linux/ip.h>
26 #include <linux/tcp.h>
27 #include <linux/udp.h>
28 #include <linux/mutex.h>
29 #include <linux/pipe_fs_i.h>
30 #include <net/netlabel.h>
31 #include <net/cipso_ipv4.h>
32 #include <linux/audit.h>
36 #define task_security(task) (task_cred_xxx((task), security))
38 /*
39 * I hope these are the hokeyist lines of code in the module. Casey.
40 */
41 #define DEVPTS_SUPER_MAGIC 0x1cd1
42 #define SOCKFS_MAGIC 0x534F434B
43 #define TMPFS_MAGIC 0x01021994
45 /**
46 * smk_fetch - Fetch the smack label from a file.
47 * @ip: a pointer to the inode
48 * @dp: a pointer to the dentry
49 *
50 * Returns a pointer to the master list entry for the Smack label
51 * or NULL if there was no label to fetch.
52 */
54 {
66 }
68 /**
69 * new_inode_smack - allocate an inode security blob
70 * @smack: a pointer to the Smack label to use in the blob
71 *
72 * Returns the new blob or NULL if there's no memory available
73 */
75 {
87 }
89 /*
90 * LSM hooks.
91 * We he, that is fun!
92 */
94 /**
95 * smack_ptrace_may_access - Smack approval on PTRACE_ATTACH
96 * @ctp: child task pointer
97 * @mode: ptrace attachment mode
98 *
99 * Returns 0 if access is OK, an error code otherwise
100 *
101 * Do the capability checks, and require read and write.
102 */
104 {
115 }
117 /**
118 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
119 * @ptp: parent task pointer
120 *
121 * Returns 0 if access is OK, an error code otherwise
122 *
123 * Do the capability checks, and require read and write.
124 */
126 {
137 }
139 /**
140 * smack_syslog - Smack approval on syslog
141 * @type: message type
142 *
143 * Require that the task has the floor label
144 *
145 * Returns 0 on success, error code otherwise.
146 */
148 {
163 }
166 /*
167 * Superblock Hooks.
168 */
170 /**
171 * smack_sb_alloc_security - allocate a superblock blob
172 * @sb: the superblock getting the blob
173 *
174 * Returns 0 on success or -ENOMEM on error.
175 */
177 {
195 }
197 /**
198 * smack_sb_free_security - free a superblock blob
199 * @sb: the superblock getting the blob
200 *
201 */
203 {
206 }
208 /**
209 * smack_sb_copy_data - copy mount options data for processing
210 * @orig: where to start
211 * @smackopts: mount options string
212 *
213 * Returns 0 on success or -ENOMEM on error.
214 *
215 * Copy the Smack specific mount options out of the mount
216 * options list.
217 */
219 {
235 else
245 }
251 }
253 /**
254 * smack_sb_kern_mount - Smack specific mount processing
255 * @sb: the file system superblock
256 * @flags: the mount flags
257 * @data: the smack mount options
258 *
259 * Returns 0 on success, an error code on failure
260 */
262 {
275 }
305 }
306 }
308 /*
309 * Initialize the root inode.
310 */
314 else
318 }
320 /**
321 * smack_sb_statfs - Smack check on statfs
322 * @dentry: identifies the file system in question
323 *
324 * Returns 0 if current can read the floor of the filesystem,
325 * and error code otherwise
326 */
328 {
332 }
334 /**
335 * smack_sb_mount - Smack check for mounting
336 * @dev_name: unused
337 * @path: mount point
338 * @type: unused
339 * @flags: unused
340 * @data: unused
341 *
342 * Returns 0 if current can write the floor of the filesystem
343 * being mounted on, an error code otherwise.
344 */
347 {
351 }
353 /**
354 * smack_sb_umount - Smack check for unmounting
355 * @mnt: file system to unmount
356 * @flags: unused
357 *
358 * Returns 0 if current can write the floor of the filesystem
359 * being unmounted, an error code otherwise.
360 */
362 {
368 }
370 /*
371 * Inode hooks
372 */
374 /**
375 * smack_inode_alloc_security - allocate an inode blob
376 * @inode: the inode in need of a blob
377 *
378 * Returns 0 if it gets a blob, -ENOMEM otherwise
379 */
381 {
386 }
388 /**
389 * smack_inode_free_security - free an inode blob
390 * @inode: the inode with a blob
391 *
392 * Clears the blob pointer in inode
393 */
395 {
398 }
400 /**
401 * smack_inode_init_security - copy out the smack from an inode
402 * @inode: the inode
403 * @dir: unused
404 * @name: where to put the attribute name
405 * @value: where to put the attribute value
406 * @len: where to put the length of the attribute
407 *
408 * Returns 0 if it all works out, -ENOMEM if there's no memory
409 */
412 {
419 }
425 }
431 }
433 /**
434 * smack_inode_link - Smack check on link
435 * @old_dentry: the existing object
436 * @dir: unused
437 * @new_dentry: the new object
438 *
439 * Returns 0 if access is permitted, an error code otherwise
440 */
443 {
453 }
456 }
458 /**
459 * smack_inode_unlink - Smack check on inode deletion
460 * @dir: containing directory object
461 * @dentry: file to unlink
462 *
463 * Returns 0 if current can write the containing directory
464 * and the object, error code otherwise
465 */
467 {
471 /*
472 * You need write access to the thing you're unlinking
473 */
476 /*
477 * You also need write access to the containing directory
478 */
482 }
484 /**
485 * smack_inode_rmdir - Smack check on directory deletion
486 * @dir: containing directory object
487 * @dentry: directory to unlink
488 *
489 * Returns 0 if current can write the containing directory
490 * and the directory, error code otherwise
491 */
493 {
496 /*
497 * You need write access to the thing you're removing
498 */
501 /*
502 * You also need write access to the containing directory
503 */
507 }
509 /**
510 * smack_inode_rename - Smack check on rename
511 * @old_inode: the old directory
512 * @old_dentry: unused
513 * @new_inode: the new directory
514 * @new_dentry: unused
515 *
516 * Read and write access is required on both the old and
517 * new directories.
518 *
519 * Returns 0 if access is permitted, an error code otherwise
520 */
525 {
535 }
538 }
540 /**
541 * smack_inode_permission - Smack version of permission()
542 * @inode: the inode in question
543 * @mask: the access requested
544 *
545 * This is the important Smack hook.
546 *
547 * Returns 0 if access is permitted, -EACCES otherwise
548 */
550 {
551 /*
552 * No permission to check. Existence test. Yup, it's there.
553 */
558 }
560 /**
561 * smack_inode_setattr - Smack check for setting attributes
562 * @dentry: the object
563 * @iattr: for the force flag
564 *
565 * Returns 0 if access is permitted, an error code otherwise
566 */
568 {
569 /*
570 * Need to allow for clearing the setuid bit.
571 */
576 }
578 /**
579 * smack_inode_getattr - Smack check for getting attributes
580 * @mnt: unused
581 * @dentry: the object
582 *
583 * Returns 0 if access is permitted, an error code otherwise
584 */
586 {
588 }
590 /**
591 * smack_inode_setxattr - Smack check for setting xattrs
592 * @dentry: the object
593 * @name: name of the attribute
594 * @value: unused
595 * @size: unused
596 * @flags: unused
597 *
598 * This protects the Smack attribute explicitly.
599 *
600 * Returns 0 if access is permitted, an error code otherwise
601 */
604 {
612 /* a label cannot be void and cannot begin with '-' */
622 }
624 /**
625 * smack_inode_post_setxattr - Apply the Smack update approved above
626 * @dentry: object
627 * @name: attribute name
628 * @value: attribute value
629 * @size: attribute size
630 * @flags: unused
631 *
632 * Set the pointer in the inode blob to the entry found
633 * in the master label list.
634 */
637 {
641 /*
642 * Not SMACK
643 */
652 /*
653 * No locking is done here. This is a pointer
654 * assignment.
655 */
659 else
663 }
665 /*
666 * smack_inode_getxattr - Smack check on getxattr
667 * @dentry: the object
668 * @name: unused
669 *
670 * Returns 0 if access is permitted, an error code otherwise
671 */
673 {
675 }
677 /*
678 * smack_inode_removexattr - Smack check on removexattr
679 * @dentry: the object
680 * @name: name of the attribute
681 *
682 * Removing the Smack attribute requires CAP_MAC_ADMIN
683 *
684 * Returns 0 if access is permitted, an error code otherwise
685 */
687 {
702 }
704 /**
705 * smack_inode_getsecurity - get smack xattrs
706 * @inode: the object
707 * @name: attribute name
708 * @buffer: where to put the result
709 * @alloc: unused
710 *
711 * Returns the size of the attribute or an error code
712 */
716 {
730 }
732 /*
733 * The rest of the Smack xattrs are only on sockets.
734 */
749 else
756 }
759 }
762 /**
763 * smack_inode_listsecurity - list the Smack attributes
764 * @inode: the object
765 * @buffer: where they go
766 * @buffer_size: size of buffer
767 *
768 * Returns 0 on success, -EINVAL otherwise
769 */
772 {
778 }
780 }
782 /**
783 * smack_inode_getsecid - Extract inode's security id
784 * @inode: inode to extract the info from
785 * @secid: where result will be saved
786 */
788 {
792 }
794 /*
795 * File Hooks
796 */
798 /**
799 * smack_file_permission - Smack check on file operations
800 * @file: unused
801 * @mask: unused
802 *
803 * Returns 0
804 *
805 * Should access checks be done on each read or write?
806 * UNICOS and SELinux say yes.
807 * Trusted Solaris, Trusted Irix, and just about everyone else says no.
808 *
809 * I'll say no for now. Smack does not do the frequent
810 * label changing that SELinux does.
811 */
813 {
815 }
817 /**
818 * smack_file_alloc_security - assign a file security blob
819 * @file: the object
820 *
821 * The security blob for a file is a pointer to the master
822 * label list, so no allocation is done.
823 *
824 * Returns 0
825 */
827 {
830 }
832 /**
833 * smack_file_free_security - clear a file security blob
834 * @file: the object
835 *
836 * The security blob for a file is a pointer to the master
837 * label list, so no memory is freed.
838 */
840 {
842 }
844 /**
845 * smack_file_ioctl - Smack check on ioctls
846 * @file: the object
847 * @cmd: what to do
848 * @arg: unused
849 *
850 * Relies heavily on the correct use of the ioctl command conventions.
851 *
852 * Returns 0 if allowed, error code otherwise
853 */
856 {
866 }
868 /**
869 * smack_file_lock - Smack check on file locking
870 * @file: the object
871 * @cmd: unused
872 *
873 * Returns 0 if current has write access, error code otherwise
874 */
876 {
878 }
880 /**
881 * smack_file_fcntl - Smack check on fcntl
882 * @file: the object
883 * @cmd: what action to check
884 * @arg: unused
885 *
886 * Returns 0 if current has access, error code otherwise
887 */
890 {
912 }
915 }
917 /**
918 * smack_file_set_fowner - set the file security blob value
919 * @file: object in question
920 *
921 * Returns 0
922 * Further research may be required on this one.
923 */
925 {
928 }
930 /**
931 * smack_file_send_sigiotask - Smack on sigio
932 * @tsk: The target task
933 * @fown: the object the signal come from
934 * @signum: unused
935 *
936 * Allow a privileged task to get signals even if it shouldn't
937 *
938 * Returns 0 if a subject with the object's smack could
939 * write to the task, an error code otherwise.
940 */
943 {
947 /*
948 * struct fown_struct is never outside the context of a struct file
949 */
955 }
957 /**
958 * smack_file_receive - Smack file receive check
959 * @file: the object
960 *
961 * Returns 0 if current has access, error code otherwise
962 */
964 {
967 /*
968 * This code relies on bitmasks.
969 */
976 }
978 /*
979 * Task hooks
980 */
982 /**
983 * smack_cred_free - "free" task-level security credentials
984 * @cred: the credentials in question
985 *
986 * Smack isn't using copies of blobs. Everyone
987 * points to an immutable list. The blobs never go away.
988 * There is no leak here.
989 */
991 {
993 }
995 /**
996 * smack_cred_prepare - prepare new set of credentials for modification
997 * @new: the new credentials
998 * @old: the original credentials
999 * @gfp: the atomicity of any memory allocations
1000 *
1001 * Prepare a new set of credentials for modification.
1002 */
1004 gfp_t gfp)
1005 {
1008 }
1010 /**
1011 * smack_cred_commit - commit new credentials
1012 * @new: the new credentials
1013 * @old: the original credentials
1014 */
1016 {
1017 }
1019 /**
1020 * smack_kernel_act_as - Set the subjective context in a set of credentials
1021 * @new: points to the set of credentials to be modified.
1022 * @secid: specifies the security ID to be set
1023 *
1024 * Set the security data for a kernel service.
1025 */
1027 {
1035 }
1037 /**
1038 * smack_kernel_create_files_as - Set the file creation label in a set of creds
1039 * @new: points to the set of credentials to be modified
1040 * @inode: points to the inode to use as a reference
1041 *
1042 * Set the file creation context in a set of credentials to the same
1043 * as the objective context of the specified inode
1044 */
1047 {
1052 }
1054 /**
1055 * smack_task_setpgid - Smack check on setting pgid
1056 * @p: the task object
1057 * @pgid: unused
1058 *
1059 * Return 0 if write access is permitted
1060 */
1062 {
1064 }
1066 /**
1067 * smack_task_getpgid - Smack access check for getpgid
1068 * @p: the object task
1069 *
1070 * Returns 0 if current can read the object task, error code otherwise
1071 */
1073 {
1075 }
1077 /**
1078 * smack_task_getsid - Smack access check for getsid
1079 * @p: the object task
1080 *
1081 * Returns 0 if current can read the object task, error code otherwise
1082 */
1084 {
1086 }
1088 /**
1089 * smack_task_getsecid - get the secid of the task
1090 * @p: the object task
1091 * @secid: where to put the result
1092 *
1093 * Sets the secid to contain a u32 version of the smack label.
1094 */
1096 {
1098 }
1100 /**
1101 * smack_task_setnice - Smack check on setting nice
1102 * @p: the task object
1103 * @nice: unused
1104 *
1105 * Return 0 if write access is permitted
1106 */
1108 {
1115 }
1117 /**
1118 * smack_task_setioprio - Smack check on setting ioprio
1119 * @p: the task object
1120 * @ioprio: unused
1121 *
1122 * Return 0 if write access is permitted
1123 */
1125 {
1132 }
1134 /**
1135 * smack_task_getioprio - Smack check on reading ioprio
1136 * @p: the task object
1137 *
1138 * Return 0 if read access is permitted
1139 */
1141 {
1143 }
1145 /**
1146 * smack_task_setscheduler - Smack check on setting scheduler
1147 * @p: the task object
1148 * @policy: unused
1149 * @lp: unused
1150 *
1151 * Return 0 if read access is permitted
1152 */
1155 {
1162 }
1164 /**
1165 * smack_task_getscheduler - Smack check on reading scheduler
1166 * @p: the task object
1167 *
1168 * Return 0 if read access is permitted
1169 */
1171 {
1173 }
1175 /**
1176 * smack_task_movememory - Smack check on moving memory
1177 * @p: the task object
1178 *
1179 * Return 0 if write access is permitted
1180 */
1182 {
1184 }
1186 /**
1187 * smack_task_kill - Smack check on signal delivery
1188 * @p: the task object
1189 * @info: unused
1190 * @sig: unused
1191 * @secid: identifies the smack to use in lieu of current's
1192 *
1193 * Return 0 if write access is permitted
1194 *
1195 * The secid behavior is an artifact of an SELinux hack
1196 * in the USB code. Someday it may go away.
1197 */
1200 {
1201 /*
1202 * Sending a signal requires that the sender
1203 * can write the receiver.
1204 */
1207 /*
1208 * If the secid isn't 0 we're dealing with some USB IO
1209 * specific behavior. This is not clean. For one thing
1210 * we can't take privilege into account.
1211 */
1213 }
1215 /**
1216 * smack_task_wait - Smack access check for waiting
1217 * @p: task to wait for
1218 *
1219 * Returns 0 if current can wait for p, error code otherwise
1220 */
1222 {
1229 /*
1230 * Allow the operation to succeed if either task
1231 * has privilege to perform operations that might
1232 * account for the smack labels having gotten to
1233 * be different in the first place.
1234 *
1235 * This breaks the strict subject/object access
1236 * control ideal, taking the object's privilege
1237 * state into account in the decision as well as
1238 * the smack value.
1239 */
1244 }
1246 /**
1247 * smack_task_to_inode - copy task smack into the inode blob
1248 * @p: task to copy from
1249 * @inode: inode to copy to
1250 *
1251 * Sets the smack pointer in the inode security blob
1252 */
1254 {
1257 }
1259 /*
1260 * Socket hooks.
1261 */
1263 /**
1264 * smack_sk_alloc_security - Allocate a socket blob
1265 * @sk: the socket
1266 * @family: unused
1267 * @gfp_flags: memory allocation flags
1268 *
1269 * Assign Smack pointers to current
1270 *
1271 * Returns 0 on success, -ENOMEM is there's no memory
1272 */
1274 {
1289 }
1291 /**
1292 * smack_sk_free_security - Free a socket blob
1293 * @sk: the socket
1294 *
1295 * Clears the blob pointer
1296 */
1298 {
1300 }
1302 /**
1303 * smack_host_label - check host based restrictions
1304 * @sip: the object end
1305 *
1306 * looks for host based access restrictions
1307 *
1308 * This version will only be appropriate for really small sets of single label
1309 * hosts. The caller is responsible for ensuring that the RCU read lock is
1310 * taken before calling this function.
1311 *
1312 * Returns the label of the far end or NULL if it's not special.
1313 */
1315 {
1323 /*
1324 * we break after finding the first match because
1325 * the list is sorted from longest to shortest mask
1326 * so we have found the most specific match
1327 */
1330 /* we have found the special CIPSO option */
1334 }
1337 }
1339 /**
1340 * smack_set_catset - convert a capset to netlabel mls categories
1341 * @catset: the Smack categories
1342 * @sap: where to put the netlabel categories
1343 *
1344 * Allocates and fills attr.mls.cat
1345 */
1347 {
1367 }
1368 }
1370 /**
1371 * smack_to_secattr - fill a secattr from a smack value
1372 * @smack: the smack value
1373 * @nlsp: where the result goes
1374 *
1375 * Casey says that CIPSO is good enough for now.
1376 * It can be used to effect.
1377 * It can also be abused to effect when necessary.
1378 * Appologies to the TSIG group in general and GW in particular.
1379 */
1381 {
1395 }
1396 }
1398 /**
1399 * smack_netlabel - Set the secattr on a socket
1400 * @sk: the socket
1401 * @labeled: socket label scheme
1402 *
1403 * Convert the outbound smack value (smk_out) to a
1404 * secattr and attach it to the socket.
1405 *
1406 * Returns 0 on success or an error code
1407 */
1409 {
1414 /*
1415 * Usually the netlabel code will handle changing the
1416 * packet labeling based on the label.
1417 * The case of a single label host is different, because
1418 * a single label host should never get a labeled packet
1419 * even though the label is usually associated with a packet
1420 * label.
1421 */
1433 }
1439 }
1441 /**
1442 * smack_netlbel_send - Set the secattr on a socket and perform access checks
1443 * @sk: the socket
1444 * @sap: the destination address
1445 *
1446 * Set the correct secattr for the given socket based on the destination
1447 * address and perform any outbound access checks needed.
1448 *
1449 * Returns 0 on success or an error code.
1450 *
1451 */
1453 {
1467 }
1473 }
1475 /**
1476 * smack_inode_setsecurity - set smack xattrs
1477 * @inode: the object
1478 * @name: attribute name
1479 * @value: attribute value
1480 * @size: size of the attribute
1481 * @flags: unused
1482 *
1483 * Sets the named attribute in the appropriate blob
1484 *
1485 * Returns 0 on success, or an error code
1486 */
1489 {
1506 }
1507 /*
1508 * The rest of the Smack xattrs are only on sockets.
1509 */
1531 }
1533 /**
1534 * smack_socket_post_create - finish socket setup
1535 * @sock: the socket
1536 * @family: protocol family
1537 * @type: unused
1538 * @protocol: unused
1539 * @kern: unused
1540 *
1541 * Sets the netlabel information on the socket
1542 *
1543 * Returns 0 on success, and error code otherwise
1544 */
1547 {
1550 /*
1551 * Set the outbound netlbl.
1552 */
1554 }
1556 /**
1557 * smack_socket_connect - connect access check
1558 * @sock: the socket
1559 * @sap: the other end
1560 * @addrlen: size of sap
1561 *
1562 * Verifies that a connection may be possible
1563 *
1564 * Returns 0 on success, and error code otherwise
1565 */
1568 {
1575 }
1577 /**
1578 * smack_flags_to_may - convert S_ to MAY_ values
1579 * @flags: the S_ value
1580 *
1581 * Returns the equivalent MAY_ value
1582 */
1584 {
1595 }
1597 /**
1598 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
1599 * @msg: the object
1600 *
1601 * Returns 0
1602 */
1604 {
1607 }
1609 /**
1610 * smack_msg_msg_free_security - Clear the security blob for msg_msg
1611 * @msg: the object
1612 *
1613 * Clears the blob pointer
1614 */
1616 {
1618 }
1620 /**
1621 * smack_of_shm - the smack pointer for the shm
1622 * @shp: the object
1623 *
1624 * Returns a pointer to the smack value
1625 */
1627 {
1629 }
1631 /**
1632 * smack_shm_alloc_security - Set the security blob for shm
1633 * @shp: the object
1634 *
1635 * Returns 0
1636 */
1638 {
1643 }
1645 /**
1646 * smack_shm_free_security - Clear the security blob for shm
1647 * @shp: the object
1648 *
1649 * Clears the blob pointer
1650 */
1652 {
1656 }
1658 /**
1659 * smack_shm_associate - Smack access check for shm
1660 * @shp: the object
1661 * @shmflg: access requested
1662 *
1663 * Returns 0 if current has the requested access, error code otherwise
1664 */
1666 {
1672 }
1674 /**
1675 * smack_shm_shmctl - Smack access check for shm
1676 * @shp: the object
1677 * @cmd: what it wants to do
1678 *
1679 * Returns 0 if current has the requested access, error code otherwise
1680 */
1682 {
1699 /*
1700 * System level information.
1701 */
1705 }
1709 }
1711 /**
1712 * smack_shm_shmat - Smack access for shmat
1713 * @shp: the object
1714 * @shmaddr: unused
1715 * @shmflg: access requested
1716 *
1717 * Returns 0 if current has the requested access, error code otherwise
1718 */
1721 {
1727 }
1729 /**
1730 * smack_of_sem - the smack pointer for the sem
1731 * @sma: the object
1732 *
1733 * Returns a pointer to the smack value
1734 */
1736 {
1738 }
1740 /**
1741 * smack_sem_alloc_security - Set the security blob for sem
1742 * @sma: the object
1743 *
1744 * Returns 0
1745 */
1747 {
1752 }
1754 /**
1755 * smack_sem_free_security - Clear the security blob for sem
1756 * @sma: the object
1757 *
1758 * Clears the blob pointer
1759 */
1761 {
1765 }
1767 /**
1768 * smack_sem_associate - Smack access check for sem
1769 * @sma: the object
1770 * @semflg: access requested
1771 *
1772 * Returns 0 if current has the requested access, error code otherwise
1773 */
1775 {
1781 }
1783 /**
1784 * smack_sem_shmctl - Smack access check for sem
1785 * @sma: the object
1786 * @cmd: what it wants to do
1787 *
1788 * Returns 0 if current has the requested access, error code otherwise
1789 */
1791 {
1813 /*
1814 * System level information
1815 */
1819 }
1823 }
1825 /**
1826 * smack_sem_semop - Smack checks of semaphore operations
1827 * @sma: the object
1828 * @sops: unused
1829 * @nsops: unused
1830 * @alter: unused
1831 *
1832 * Treated as read and write in all cases.
1833 *
1834 * Returns 0 if access is allowed, error code otherwise
1835 */
1838 {
1842 }
1844 /**
1845 * smack_msg_alloc_security - Set the security blob for msg
1846 * @msq: the object
1847 *
1848 * Returns 0
1849 */
1851 {
1856 }
1858 /**
1859 * smack_msg_free_security - Clear the security blob for msg
1860 * @msq: the object
1861 *
1862 * Clears the blob pointer
1863 */
1865 {
1869 }
1871 /**
1872 * smack_of_msq - the smack pointer for the msq
1873 * @msq: the object
1874 *
1875 * Returns a pointer to the smack value
1876 */
1878 {
1880 }
1882 /**
1883 * smack_msg_queue_associate - Smack access check for msg_queue
1884 * @msq: the object
1885 * @msqflg: access requested
1886 *
1887 * Returns 0 if current has the requested access, error code otherwise
1888 */
1890 {
1896 }
1898 /**
1899 * smack_msg_queue_msgctl - Smack access check for msg_queue
1900 * @msq: the object
1901 * @cmd: what it wants to do
1902 *
1903 * Returns 0 if current has the requested access, error code otherwise
1904 */
1906 {
1921 /*
1922 * System level information
1923 */
1927 }
1931 }
1933 /**
1934 * smack_msg_queue_msgsnd - Smack access check for msg_queue
1935 * @msq: the object
1936 * @msg: unused
1937 * @msqflg: access requested
1938 *
1939 * Returns 0 if current has the requested access, error code otherwise
1940 */
1943 {
1949 }
1951 /**
1952 * smack_msg_queue_msgsnd - Smack access check for msg_queue
1953 * @msq: the object
1954 * @msg: unused
1955 * @target: unused
1956 * @type: unused
1957 * @mode: unused
1958 *
1959 * Returns 0 if current has read and write access, error code otherwise
1960 */
1963 {
1967 }
1969 /**
1970 * smack_ipc_permission - Smack access for ipc_permission()
1971 * @ipp: the object permissions
1972 * @flag: access requested
1973 *
1974 * Returns 0 if current has read and write access, error code otherwise
1975 */
1977 {
1983 }
1985 /**
1986 * smack_ipc_getsecid - Extract smack security id
1987 * @ipp: the object permissions
1988 * @secid: where result will be saved
1989 */
1991 {
1995 }
1997 /**
1998 * smack_d_instantiate - Make sure the blob is correct on an inode
1999 * @opt_dentry: unused
2000 * @inode: the object
2001 *
2002 * Set the inode's security blob if it hasn't been done already.
2003 */
2005 {
2020 /*
2021 * If the inode is already instantiated
2022 * take the quick way out
2023 */
2029 /*
2030 * We're going to use the superblock default label
2031 * if there's no label on the file.
2032 */
2035 /*
2036 * If this is the root inode the superblock
2037 * may be in the process of initialization.
2038 * If that is the case use the root value out
2039 * of the superblock.
2040 */
2045 }
2047 /*
2048 * This is pretty hackish.
2049 * Casey says that we shouldn't have to do
2050 * file system specific code, but it does help
2051 * with keeping it simple.
2052 */
2055 /*
2056 * Casey says that it's a little embarassing
2057 * that the smack file system doesn't do
2058 * extended attributes.
2059 */
2063 /*
2064 * Casey says pipes are easy (?)
2065 */
2069 /*
2070 * devpts seems content with the label of the task.
2071 * Programs that change smack have to treat the
2072 * pty with respect.
2073 */
2077 /*
2078 * Casey says sockets get the smack of the task.
2079 */
2083 /*
2084 * Casey says procfs appears not to care.
2085 * The superblock default suffices.
2086 */
2089 /*
2090 * Device labels should come from the filesystem,
2091 * but watch out, because they're volitile,
2092 * getting recreated on every reboot.
2093 */
2095 /*
2096 * No break.
2097 *
2098 * If a smack value has been set we want to use it,
2099 * but since tmpfs isn't giving us the opportunity
2100 * to set mount options simulate setting the
2101 * superblock default.
2102 */
2104 /*
2105 * This isn't an understood special case.
2106 * Get the value from the xattr.
2107 *
2108 * No xattr support means, alas, no SMACK label.
2109 * Use the aforeapplied default.
2110 * It would be curious if the label of the task
2111 * does not match that assigned.
2112 */
2115 /*
2116 * Get the dentry for xattr.
2117 */
2126 }
2134 }
2138 else
2143 unlockandout:
2146 }
2148 /**
2149 * smack_getprocattr - Smack process attribute access
2150 * @p: the object task
2151 * @name: the name of the attribute in /proc/.../attr
2152 * @value: where to put the result
2153 *
2154 * Places a copy of the task Smack into value
2155 *
2156 * Returns the length of the smack label or an error code
2157 */
2159 {
2173 }
2175 /**
2176 * smack_setprocattr - Smack process attribute setting
2177 * @p: the object task
2178 * @name: the name of the attribute in /proc/.../attr
2179 * @value: the value to set
2180 * @size: the size of the value
2181 *
2182 * Sets the Smack value of the task. Only setting self
2183 * is permitted and only with privilege
2184 *
2185 * Returns the length of the smack label or an error code
2186 */
2189 {
2193 /*
2194 * Changing another process' Smack value is too dangerous
2195 * and supports no sane use case.
2196 */
2213 /*
2214 * No process is ever allowed the web ("@") label.
2215 */
2225 }
2227 /**
2228 * smack_unix_stream_connect - Smack access on UDS
2229 * @sock: one socket
2230 * @other: the other socket
2231 * @newsk: unused
2232 *
2233 * Return 0 if a subject with the smack of sock could access
2234 * an object with the smack of other, otherwise an error code
2235 */
2238 {
2243 }
2245 /**
2246 * smack_unix_may_send - Smack access on UDS
2247 * @sock: one socket
2248 * @other: the other socket
2249 *
2250 * Return 0 if a subject with the smack of sock could access
2251 * an object with the smack of other, otherwise an error code
2252 */
2254 {
2259 }
2261 /**
2262 * smack_socket_sendmsg - Smack check based on destination host
2263 * @sock: the socket
2264 * @msg: the message
2265 * @size: the size of the message
2266 *
2267 * Return 0 if the current subject can write to the destination
2268 * host. This is only a question if the destination is a single
2269 * label host.
2270 */
2273 {
2276 /*
2277 * Perfectly reasonable for this to be NULL
2278 */
2283 }
2286 /**
2287 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
2288 * @sap: netlabel secattr
2289 * @sip: where to put the result
2290 *
2291 * Copies a smack label into sip
2292 */
2294 {
2300 /*
2301 * Looks like a CIPSO packet.
2302 * If there are flags but no level netlabel isn't
2303 * behaving the way we expect it to.
2304 *
2305 * Get the categories, if any
2306 * Without guidance regarding the smack value
2307 * for the packet fall back on the network
2308 * ambient value.
2309 */
2318 }
2319 /*
2320 * If it is CIPSO using smack direct mapping
2321 * we are already done. WeeHee.
2322 */
2326 }
2327 /*
2328 * Look it up in the supplied table if it is not
2329 * a direct mapping.
2330 */
2333 }
2335 /*
2336 * Looks like a fallback, which gives us a secid.
2337 */
2339 /*
2340 * This has got to be a bug because it is
2341 * impossible to specify a fallback without
2342 * specifying the label, which will ensure
2343 * it has a secid, and the only way to get a
2344 * secid is from a fallback.
2345 */
2349 }
2350 /*
2351 * Without guidance regarding the smack value
2352 * for the packet fall back on the network
2353 * ambient value.
2354 */
2357 }
2359 /**
2360 * smack_socket_sock_rcv_skb - Smack packet delivery access check
2361 * @sk: socket
2362 * @skb: packet
2363 *
2364 * Returns 0 if the packet should be delivered, an error code otherwise
2365 */
2367 {
2377 /*
2378 * Translate what netlabel gave us.
2379 */
2391 /*
2392 * Receiving a packet requires that the other end
2393 * be able to write here. Read access is not required.
2394 * This is the simplist possible security model
2395 * for networking.
2396 */
2401 }
2403 /**
2404 * smack_socket_getpeersec_stream - pull in packet label
2405 * @sock: the socket
2406 * @optval: user's destination
2407 * @optlen: size thereof
2408 * @len: max thereof
2409 *
2410 * returns zero on success, an error code otherwise
2411 */
2415 {
2432 }
2435 /**
2436 * smack_socket_getpeersec_dgram - pull in packet label
2437 * @sock: the socket
2438 * @skb: packet data
2439 * @secid: pointer to where to put the secid of the packet
2440 *
2441 * Sets the netlabel socket state on sk from parent
2442 */
2446 {
2451 u32 s;
2454 /*
2455 * Only works for families with packets.
2456 */
2462 }
2463 /*
2464 * Translate what netlabel gave us.
2465 */
2472 /*
2473 * Give up if we couldn't get anything
2474 */
2484 }
2486 /**
2487 * smack_sock_graft - Initialize a newly created socket with an existing sock
2488 * @sk: child sock
2489 * @parent: parent socket
2490 *
2491 * Set the smk_{in,out} state of an existing sock based on the process that
2492 * is creating the new socket.
2493 */
2495 {
2504 /* cssp->smk_packet is already set in smack_inet_csk_clone() */
2505 }
2507 /**
2508 * smack_inet_conn_request - Smack access check on connect
2509 * @sk: socket involved
2510 * @skb: packet
2511 * @req: unused
2512 *
2513 * Returns 0 if a task with the packet label could write to
2514 * the socket, otherwise an error code
2515 */
2518 {
2527 /* handle mapped IPv4 packets arriving via IPv6 sockets */
2535 else
2539 /*
2540 * Receiving a packet requires that the other end be able to write
2541 * here. Read access is not required.
2542 */
2547 /*
2548 * Save the peer's label in the request_sock so we can later setup
2549 * smk_packet in the child socket so that SO_PEERCRED can report it.
2550 */
2553 /*
2554 * We need to decide if we want to label the incoming connection here
2555 * if we do we only need to label the request_sock and the stack will
2556 * propogate the wire-label to the sock when it is created.
2557 */
2570 }
2573 }
2575 /**
2576 * smack_inet_csk_clone - Copy the connection information to the new socket
2577 * @sk: the new socket
2578 * @req: the connection's request_sock
2579 *
2580 * Transfer the connection's peer label to the newly created socket.
2581 */
2584 {
2593 }
2595 /*
2596 * Key management security hooks
2597 *
2598 * Casey has not tested key support very heavily.
2599 * The permission check is most likely too restrictive.
2600 * If you care about keys please have a look.
2601 */
2602 #ifdef CONFIG_KEYS
2604 /**
2605 * smack_key_alloc - Set the key security blob
2606 * @key: object
2607 * @cred: the credentials to use
2608 * @flags: unused
2609 *
2610 * No allocation required
2611 *
2612 * Returns 0
2613 */
2616 {
2619 }
2621 /**
2622 * smack_key_free - Clear the key security blob
2623 * @key: the object
2624 *
2625 * Clear the blob pointer
2626 */
2628 {
2630 }
2632 /*
2633 * smack_key_permission - Smack access on a key
2634 * @key_ref: gets to the object
2635 * @cred: the credentials to use
2636 * @perm: unused
2637 *
2638 * Return 0 if the task has read and write to the object,
2639 * an error code otherwise
2640 */
2643 {
2649 /*
2650 * If the key hasn't been initialized give it access so that
2651 * it may do so.
2652 */
2655 /*
2656 * This should not occur
2657 */
2662 }
2665 /*
2666 * Smack Audit hooks
2667 *
2668 * Audit requires a unique representation of each Smack specific
2669 * rule. This unique representation is used to distinguish the
2670 * object to be audited from remaining kernel objects and also
2671 * works as a glue between the audit hooks.
2672 *
2673 * Since repository entries are added but never deleted, we'll use
2674 * the smack_known label address related to the given audit rule as
2675 * the needed unique representation. This also better fits the smack
2676 * model where nearly everything is a label.
2677 */
2678 #ifdef CONFIG_AUDIT
2680 /**
2681 * smack_audit_rule_init - Initialize a smack audit rule
2682 * @field: audit rule fields given from user-space (audit.h)
2683 * @op: required testing operator (=, !=, >, <, ...)
2684 * @rulestr: smack label to be audited
2685 * @vrule: pointer to save our own audit rule representation
2686 *
2687 * Prepare to audit cases where (@field @op @rulestr) is true.
2688 * The label to be audited is created if necessay.
2689 */
2691 {
2704 }
2706 /**
2707 * smack_audit_rule_known - Distinguish Smack audit rules
2708 * @krule: rule of interest, in Audit kernel representation format
2709 *
2710 * This is used to filter Smack rules from remaining Audit ones.
2711 * If it's proved that this rule belongs to us, the
2712 * audit_rule_match hook will be called to do the final judgement.
2713 */
2715 {
2724 }
2727 }
2729 /**
2730 * smack_audit_rule_match - Audit given object ?
2731 * @secid: security id for identifying the object to test
2732 * @field: audit rule flags given from user-space
2733 * @op: required testing operator
2734 * @vrule: smack internal rule presentation
2735 * @actx: audit context associated with the check
2736 *
2737 * The core Audit hook. It's used to take the decision of
2738 * whether to audit or not to audit a given object.
2739 */
2742 {
2750 }
2757 /*
2758 * No need to do string comparisons. If a match occurs,
2759 * both pointers will point to the same smack_known
2760 * label.
2761 */
2768 }
2770 /**
2771 * smack_audit_rule_free - free smack rule representation
2772 * @vrule: rule to be freed.
2773 *
2774 * No memory was allocated.
2775 */
2777 {
2778 /* No-op */
2779 }
2783 /**
2784 * smack_secid_to_secctx - return the smack label for a secid
2785 * @secid: incoming integer
2786 * @secdata: destination
2787 * @seclen: how long it is
2788 *
2789 * Exists for networking code.
2790 */
2792 {
2798 }
2800 /**
2801 * smack_secctx_to_secid - return the secid for a smack label
2802 * @secdata: smack label
2803 * @seclen: how long result is
2804 * @secid: outgoing integer
2805 *
2806 * Exists for audit and networking code.
2807 */
2809 {
2812 }
2814 /**
2815 * smack_release_secctx - don't do anything.
2816 * @secdata: unused
2817 * @seclen: unused
2818 *
2819 * Exists to make sure nothing gets done, and properly
2820 */
2822 {
2823 }
2948 /* key management security hooks */
2949 #ifdef CONFIG_KEYS
2955 /* Audit hooks */
2956 #ifdef CONFIG_AUDIT
2966 };
2970 {
2977 }
2979 /**
2980 * smack_init - initialize the smack system
2981 *
2982 * Returns 0
2983 */
2985 {
2993 /*
2994 * Set the security state for the initial task.
2995 */
2999 /* initilize the smack_know_list */
3001 /*
3002 * Initialize locks
3003 */
3010 /*
3011 * Register with LSM
3012 */
3017 }
3019 /*
3020 * Smack requires early initialization in order to label
3021 * all processes and objects when they are created.
3022 */