1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Simplified MAC Kernel (smack) security module 4 * 5 * This file contains the smack hook function implementations. 6 * 7 * Authors: 8 * Casey Schaufler <casey@schaufler-ca.com> 9 * Jarkko Sakkinen <jarkko.sakkinen@intel.com> 10 * 11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P. 13 * Paul Moore <paul@paul-moore.com> 14 * Copyright (C) 2010 Nokia Corporation 15 * Copyright (C) 2011 Intel Corporation. 16 */ 17 18 #include <linux/xattr.h> 19 #include <linux/pagemap.h> 20 #include <linux/mount.h> 21 #include <linux/stat.h> 22 #include <linux/kd.h> 23 #include <asm/ioctls.h> 24 #include <linux/ip.h> 25 #include <linux/tcp.h> 26 #include <linux/udp.h> 27 #include <linux/icmpv6.h> 28 #include <linux/slab.h> 29 #include <linux/mutex.h> 30 #include <net/cipso_ipv4.h> 31 #include <net/ip.h> 32 #include <net/ipv6.h> 33 #include <linux/audit.h> 34 #include <linux/magic.h> 35 #include <linux/dcache.h> 36 #include <linux/personality.h> 37 #include <linux/msg.h> 38 #include <linux/shm.h> 39 #include <uapi/linux/shm.h> 40 #include <linux/binfmts.h> 41 #include <linux/parser.h> 42 #include <linux/fs_context.h> 43 #include <linux/fs_parser.h> 44 #include <linux/watch_queue.h> 45 #include <linux/io_uring/cmd.h> 46 #include <uapi/linux/lsm.h> 47 #include "smack.h" 48 49 #define TRANS_TRUE "TRUE" 50 #define TRANS_TRUE_SIZE 4 51 52 #define SMK_CONNECTING 0 53 #define SMK_RECEIVING 1 54 #define SMK_SENDING 2 55 56 /* 57 * Smack uses multiple xattrs. 58 * SMACK64 - for access control, 59 * SMACK64TRANSMUTE - label initialization, 60 * Not saved on files - SMACK64IPIN and SMACK64IPOUT, 61 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP 62 */ 63 #define SMACK_INODE_INIT_XATTRS 2 64 65 #ifdef SMACK_IPV6_PORT_LABELING 66 static DEFINE_MUTEX(smack_ipv6_lock); 67 static LIST_HEAD(smk_ipv6_port_list); 68 #endif 69 struct kmem_cache *smack_rule_cache; 70 int smack_enabled __initdata; 71 72 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s} 73 static struct { 74 const char *name; 75 int len; 76 int opt; 77 } smk_mount_opts[] = { 78 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault}, 79 A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute) 80 }; 81 #undef A 82 83 static int match_opt_prefix(char *s, int l, char **arg) 84 { 85 int i; 86 87 for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) { 88 size_t len = smk_mount_opts[i].len; 89 if (len > l || memcmp(s, smk_mount_opts[i].name, len)) 90 continue; 91 if (len == l || s[len] != '=') 92 continue; 93 *arg = s + len + 1; 94 return smk_mount_opts[i].opt; 95 } 96 return Opt_error; 97 } 98 99 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 100 static char *smk_bu_mess[] = { 101 "Bringup Error", /* Unused */ 102 "Bringup", /* SMACK_BRINGUP_ALLOW */ 103 "Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */ 104 "Unconfined Object", /* SMACK_UNCONFINED_OBJECT */ 105 }; 106 107 static void smk_bu_mode(int mode, char *s) 108 { 109 smack_str_from_perm(s, mode); 110 } 111 #endif 112 113 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 114 static int smk_bu_note(char *note, struct smack_known *sskp, 115 struct smack_known *oskp, int mode, int rc) 116 { 117 char acc[SMK_NUM_ACCESS_TYPE + 1]; 118 119 if (rc <= 0) 120 return rc; 121 if (rc > SMACK_UNCONFINED_OBJECT) 122 rc = 0; 123 124 smk_bu_mode(mode, acc); 125 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc], 126 sskp->smk_known, oskp->smk_known, acc, note); 127 return 0; 128 } 129 #else 130 #define smk_bu_note(note, sskp, oskp, mode, RC) (RC) 131 #endif 132 133 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 134 static int smk_bu_current(char *note, struct smack_known *oskp, 135 int mode, int rc) 136 { 137 struct task_smack *tsp = smack_cred(current_cred()); 138 char acc[SMK_NUM_ACCESS_TYPE + 1]; 139 140 if (rc <= 0) 141 return rc; 142 if (rc > SMACK_UNCONFINED_OBJECT) 143 rc = 0; 144 145 smk_bu_mode(mode, acc); 146 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc], 147 tsp->smk_task->smk_known, oskp->smk_known, 148 acc, current->comm, note); 149 return 0; 150 } 151 #else 152 #define smk_bu_current(note, oskp, mode, RC) (RC) 153 #endif 154 155 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 156 static int smk_bu_task(struct task_struct *otp, int mode, int rc) 157 { 158 struct task_smack *tsp = smack_cred(current_cred()); 159 struct smack_known *smk_task = smk_of_task_struct_obj(otp); 160 char acc[SMK_NUM_ACCESS_TYPE + 1]; 161 162 if (rc <= 0) 163 return rc; 164 if (rc > SMACK_UNCONFINED_OBJECT) 165 rc = 0; 166 167 smk_bu_mode(mode, acc); 168 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc], 169 tsp->smk_task->smk_known, smk_task->smk_known, acc, 170 current->comm, otp->comm); 171 return 0; 172 } 173 #else 174 #define smk_bu_task(otp, mode, RC) (RC) 175 #endif 176 177 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 178 static int smk_bu_inode(struct inode *inode, int mode, int rc) 179 { 180 struct task_smack *tsp = smack_cred(current_cred()); 181 struct inode_smack *isp = smack_inode(inode); 182 char acc[SMK_NUM_ACCESS_TYPE + 1]; 183 184 if (isp->smk_flags & SMK_INODE_IMPURE) 185 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 186 inode->i_sb->s_id, inode->i_ino, current->comm); 187 188 if (rc <= 0) 189 return rc; 190 if (rc > SMACK_UNCONFINED_OBJECT) 191 rc = 0; 192 if (rc == SMACK_UNCONFINED_SUBJECT && 193 (mode & (MAY_WRITE | MAY_APPEND))) 194 isp->smk_flags |= SMK_INODE_IMPURE; 195 196 smk_bu_mode(mode, acc); 197 198 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc], 199 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, 200 inode->i_sb->s_id, inode->i_ino, current->comm); 201 return 0; 202 } 203 #else 204 #define smk_bu_inode(inode, mode, RC) (RC) 205 #endif 206 207 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 208 static int smk_bu_file(struct file *file, int mode, int rc) 209 { 210 struct task_smack *tsp = smack_cred(current_cred()); 211 struct smack_known *sskp = tsp->smk_task; 212 struct inode *inode = file_inode(file); 213 struct inode_smack *isp = smack_inode(inode); 214 char acc[SMK_NUM_ACCESS_TYPE + 1]; 215 216 if (isp->smk_flags & SMK_INODE_IMPURE) 217 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 218 inode->i_sb->s_id, inode->i_ino, current->comm); 219 220 if (rc <= 0) 221 return rc; 222 if (rc > SMACK_UNCONFINED_OBJECT) 223 rc = 0; 224 225 smk_bu_mode(mode, acc); 226 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 227 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 228 inode->i_sb->s_id, inode->i_ino, file, 229 current->comm); 230 return 0; 231 } 232 #else 233 #define smk_bu_file(file, mode, RC) (RC) 234 #endif 235 236 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 237 static int smk_bu_credfile(const struct cred *cred, struct file *file, 238 int mode, int rc) 239 { 240 struct task_smack *tsp = smack_cred(cred); 241 struct smack_known *sskp = tsp->smk_task; 242 struct inode *inode = file_inode(file); 243 struct inode_smack *isp = smack_inode(inode); 244 char acc[SMK_NUM_ACCESS_TYPE + 1]; 245 246 if (isp->smk_flags & SMK_INODE_IMPURE) 247 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n", 248 inode->i_sb->s_id, inode->i_ino, current->comm); 249 250 if (rc <= 0) 251 return rc; 252 if (rc > SMACK_UNCONFINED_OBJECT) 253 rc = 0; 254 255 smk_bu_mode(mode, acc); 256 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc], 257 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, 258 inode->i_sb->s_id, inode->i_ino, file, 259 current->comm); 260 return 0; 261 } 262 #else 263 #define smk_bu_credfile(cred, file, mode, RC) (RC) 264 #endif 265 266 /** 267 * smk_fetch - Fetch the smack label from a file. 268 * @name: type of the label (attribute) 269 * @ip: a pointer to the inode 270 * @dp: a pointer to the dentry 271 * 272 * Returns a pointer to the master list entry for the Smack label, 273 * NULL if there was no label to fetch, or an error code. 274 */ 275 static struct smack_known *smk_fetch(const char *name, struct inode *ip, 276 struct dentry *dp) 277 { 278 int rc; 279 char *buffer; 280 struct smack_known *skp = NULL; 281 282 if (!(ip->i_opflags & IOP_XATTR)) 283 return ERR_PTR(-EOPNOTSUPP); 284 285 buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS); 286 if (buffer == NULL) 287 return ERR_PTR(-ENOMEM); 288 289 rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL); 290 if (rc < 0) 291 skp = ERR_PTR(rc); 292 else if (rc == 0) 293 skp = NULL; 294 else 295 skp = smk_import_entry(buffer, rc); 296 297 kfree(buffer); 298 299 return skp; 300 } 301 302 /** 303 * init_inode_smack - initialize an inode security blob 304 * @inode: inode to extract the info from 305 * @skp: a pointer to the Smack label entry to use in the blob 306 * 307 */ 308 static void init_inode_smack(struct inode *inode, struct smack_known *skp) 309 { 310 struct inode_smack *isp = smack_inode(inode); 311 312 isp->smk_inode = skp; 313 isp->smk_flags = 0; 314 } 315 316 /** 317 * init_task_smack - initialize a task security blob 318 * @tsp: blob to initialize 319 * @task: a pointer to the Smack label for the running task 320 * @forked: a pointer to the Smack label for the forked task 321 * 322 */ 323 static void init_task_smack(struct task_smack *tsp, struct smack_known *task, 324 struct smack_known *forked) 325 { 326 tsp->smk_task = task; 327 tsp->smk_forked = forked; 328 INIT_LIST_HEAD(&tsp->smk_rules); 329 INIT_LIST_HEAD(&tsp->smk_relabel); 330 mutex_init(&tsp->smk_rules_lock); 331 } 332 333 /** 334 * smk_copy_rules - copy a rule set 335 * @nhead: new rules header pointer 336 * @ohead: old rules header pointer 337 * @gfp: type of the memory for the allocation 338 * 339 * Returns 0 on success, -ENOMEM on error 340 */ 341 static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead, 342 gfp_t gfp) 343 { 344 struct smack_rule *nrp; 345 struct smack_rule *orp; 346 int rc = 0; 347 348 list_for_each_entry_rcu(orp, ohead, list) { 349 nrp = kmem_cache_zalloc(smack_rule_cache, gfp); 350 if (nrp == NULL) { 351 rc = -ENOMEM; 352 break; 353 } 354 *nrp = *orp; 355 list_add_rcu(&nrp->list, nhead); 356 } 357 return rc; 358 } 359 360 /** 361 * smk_copy_relabel - copy smk_relabel labels list 362 * @nhead: new rules header pointer 363 * @ohead: old rules header pointer 364 * @gfp: type of the memory for the allocation 365 * 366 * Returns 0 on success, -ENOMEM on error 367 */ 368 static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead, 369 gfp_t gfp) 370 { 371 struct smack_known_list_elem *nklep; 372 struct smack_known_list_elem *oklep; 373 374 list_for_each_entry(oklep, ohead, list) { 375 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp); 376 if (nklep == NULL) { 377 smk_destroy_label_list(nhead); 378 return -ENOMEM; 379 } 380 nklep->smk_label = oklep->smk_label; 381 list_add(&nklep->list, nhead); 382 } 383 384 return 0; 385 } 386 387 /** 388 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_* 389 * @mode: input mode in form of PTRACE_MODE_* 390 * 391 * Returns a converted MAY_* mode usable by smack rules 392 */ 393 static inline unsigned int smk_ptrace_mode(unsigned int mode) 394 { 395 if (mode & PTRACE_MODE_ATTACH) 396 return MAY_READWRITE; 397 if (mode & PTRACE_MODE_READ) 398 return MAY_READ; 399 400 return 0; 401 } 402 403 /** 404 * smk_ptrace_rule_check - helper for ptrace access 405 * @tracer: tracer process 406 * @tracee_known: label entry of the process that's about to be traced 407 * @mode: ptrace attachment mode (PTRACE_MODE_*) 408 * @func: name of the function that called us, used for audit 409 * 410 * Returns 0 on access granted, -error on error 411 */ 412 static int smk_ptrace_rule_check(struct task_struct *tracer, 413 struct smack_known *tracee_known, 414 unsigned int mode, const char *func) 415 { 416 int rc; 417 struct smk_audit_info ad, *saip = NULL; 418 struct task_smack *tsp; 419 struct smack_known *tracer_known; 420 const struct cred *tracercred; 421 422 if ((mode & PTRACE_MODE_NOAUDIT) == 0) { 423 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK); 424 smk_ad_setfield_u_tsk(&ad, tracer); 425 saip = &ad; 426 } 427 428 rcu_read_lock(); 429 tracercred = __task_cred(tracer); 430 tsp = smack_cred(tracercred); 431 tracer_known = smk_of_task(tsp); 432 433 if ((mode & PTRACE_MODE_ATTACH) && 434 (smack_ptrace_rule == SMACK_PTRACE_EXACT || 435 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) { 436 if (tracer_known->smk_known == tracee_known->smk_known) 437 rc = 0; 438 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN) 439 rc = -EACCES; 440 else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred)) 441 rc = 0; 442 else 443 rc = -EACCES; 444 445 if (saip) 446 smack_log(tracer_known->smk_known, 447 tracee_known->smk_known, 448 0, rc, saip); 449 450 rcu_read_unlock(); 451 return rc; 452 } 453 454 /* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */ 455 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip); 456 457 rcu_read_unlock(); 458 return rc; 459 } 460 461 /* 462 * LSM hooks. 463 * We he, that is fun! 464 */ 465 466 /** 467 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH 468 * @ctp: child task pointer 469 * @mode: ptrace attachment mode (PTRACE_MODE_*) 470 * 471 * Returns 0 if access is OK, an error code otherwise 472 * 473 * Do the capability checks. 474 */ 475 static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode) 476 { 477 struct smack_known *skp; 478 479 skp = smk_of_task_struct_obj(ctp); 480 481 return smk_ptrace_rule_check(current, skp, mode, __func__); 482 } 483 484 /** 485 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME 486 * @ptp: parent task pointer 487 * 488 * Returns 0 if access is OK, an error code otherwise 489 * 490 * Do the capability checks, and require PTRACE_MODE_ATTACH. 491 */ 492 static int smack_ptrace_traceme(struct task_struct *ptp) 493 { 494 struct smack_known *skp; 495 496 skp = smk_of_task(smack_cred(current_cred())); 497 498 return smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__); 499 } 500 501 /** 502 * smack_syslog - Smack approval on syslog 503 * @typefrom_file: unused 504 * 505 * Returns 0 on success, error code otherwise. 506 */ 507 static int smack_syslog(int typefrom_file) 508 { 509 int rc = 0; 510 struct smack_known *skp = smk_of_current(); 511 512 if (smack_privileged(CAP_MAC_OVERRIDE)) 513 return 0; 514 515 if (smack_syslog_label != NULL && smack_syslog_label != skp) 516 rc = -EACCES; 517 518 return rc; 519 } 520 521 /* 522 * Superblock Hooks. 523 */ 524 525 /** 526 * smack_sb_alloc_security - allocate a superblock blob 527 * @sb: the superblock getting the blob 528 * 529 * Returns 0 on success or -ENOMEM on error. 530 */ 531 static int smack_sb_alloc_security(struct super_block *sb) 532 { 533 struct superblock_smack *sbsp = smack_superblock(sb); 534 535 sbsp->smk_root = &smack_known_floor; 536 sbsp->smk_default = &smack_known_floor; 537 sbsp->smk_floor = &smack_known_floor; 538 sbsp->smk_hat = &smack_known_hat; 539 /* 540 * SMK_SB_INITIALIZED will be zero from kzalloc. 541 */ 542 543 return 0; 544 } 545 546 struct smack_mnt_opts { 547 const char *fsdefault; 548 const char *fsfloor; 549 const char *fshat; 550 const char *fsroot; 551 const char *fstransmute; 552 }; 553 554 static void smack_free_mnt_opts(void *mnt_opts) 555 { 556 kfree(mnt_opts); 557 } 558 559 static int smack_add_opt(int token, const char *s, void **mnt_opts) 560 { 561 struct smack_mnt_opts *opts = *mnt_opts; 562 struct smack_known *skp; 563 564 if (!opts) { 565 opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 566 if (!opts) 567 return -ENOMEM; 568 *mnt_opts = opts; 569 } 570 if (!s) 571 return -ENOMEM; 572 573 skp = smk_import_entry(s, 0); 574 if (IS_ERR(skp)) 575 return PTR_ERR(skp); 576 577 switch (token) { 578 case Opt_fsdefault: 579 if (opts->fsdefault) 580 goto out_opt_err; 581 opts->fsdefault = skp->smk_known; 582 break; 583 case Opt_fsfloor: 584 if (opts->fsfloor) 585 goto out_opt_err; 586 opts->fsfloor = skp->smk_known; 587 break; 588 case Opt_fshat: 589 if (opts->fshat) 590 goto out_opt_err; 591 opts->fshat = skp->smk_known; 592 break; 593 case Opt_fsroot: 594 if (opts->fsroot) 595 goto out_opt_err; 596 opts->fsroot = skp->smk_known; 597 break; 598 case Opt_fstransmute: 599 if (opts->fstransmute) 600 goto out_opt_err; 601 opts->fstransmute = skp->smk_known; 602 break; 603 } 604 return 0; 605 606 out_opt_err: 607 pr_warn("Smack: duplicate mount options\n"); 608 return -EINVAL; 609 } 610 611 /** 612 * smack_fs_context_submount - Initialise security data for a filesystem context 613 * @fc: The filesystem context. 614 * @reference: reference superblock 615 * 616 * Returns 0 on success or -ENOMEM on error. 617 */ 618 static int smack_fs_context_submount(struct fs_context *fc, 619 struct super_block *reference) 620 { 621 struct superblock_smack *sbsp; 622 struct smack_mnt_opts *ctx; 623 struct inode_smack *isp; 624 625 ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 626 if (!ctx) 627 return -ENOMEM; 628 fc->security = ctx; 629 630 sbsp = smack_superblock(reference); 631 isp = smack_inode(reference->s_root->d_inode); 632 633 if (sbsp->smk_default) { 634 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); 635 if (!ctx->fsdefault) 636 return -ENOMEM; 637 } 638 639 if (sbsp->smk_floor) { 640 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); 641 if (!ctx->fsfloor) 642 return -ENOMEM; 643 } 644 645 if (sbsp->smk_hat) { 646 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); 647 if (!ctx->fshat) 648 return -ENOMEM; 649 } 650 651 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 652 if (sbsp->smk_root) { 653 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); 654 if (!ctx->fstransmute) 655 return -ENOMEM; 656 } 657 } 658 return 0; 659 } 660 661 /** 662 * smack_fs_context_dup - Duplicate the security data on fs_context duplication 663 * @fc: The new filesystem context. 664 * @src_fc: The source filesystem context being duplicated. 665 * 666 * Returns 0 on success or -ENOMEM on error. 667 */ 668 static int smack_fs_context_dup(struct fs_context *fc, 669 struct fs_context *src_fc) 670 { 671 struct smack_mnt_opts *dst, *src = src_fc->security; 672 673 if (!src) 674 return 0; 675 676 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); 677 if (!fc->security) 678 return -ENOMEM; 679 680 dst = fc->security; 681 dst->fsdefault = src->fsdefault; 682 dst->fsfloor = src->fsfloor; 683 dst->fshat = src->fshat; 684 dst->fsroot = src->fsroot; 685 dst->fstransmute = src->fstransmute; 686 687 return 0; 688 } 689 690 static const struct fs_parameter_spec smack_fs_parameters[] = { 691 fsparam_string("smackfsdef", Opt_fsdefault), 692 fsparam_string("smackfsdefault", Opt_fsdefault), 693 fsparam_string("smackfsfloor", Opt_fsfloor), 694 fsparam_string("smackfshat", Opt_fshat), 695 fsparam_string("smackfsroot", Opt_fsroot), 696 fsparam_string("smackfstransmute", Opt_fstransmute), 697 {} 698 }; 699 700 /** 701 * smack_fs_context_parse_param - Parse a single mount parameter 702 * @fc: The new filesystem context being constructed. 703 * @param: The parameter. 704 * 705 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on 706 * error. 707 */ 708 static int smack_fs_context_parse_param(struct fs_context *fc, 709 struct fs_parameter *param) 710 { 711 struct fs_parse_result result; 712 int opt, rc; 713 714 opt = fs_parse(fc, smack_fs_parameters, param, &result); 715 if (opt < 0) 716 return opt; 717 718 rc = smack_add_opt(opt, param->string, &fc->security); 719 if (!rc) 720 param->string = NULL; 721 return rc; 722 } 723 724 static int smack_sb_eat_lsm_opts(char *options, void **mnt_opts) 725 { 726 char *from = options, *to = options; 727 bool first = true; 728 729 while (1) { 730 char *next = strchr(from, ','); 731 int token, len, rc; 732 char *arg = NULL; 733 734 if (next) 735 len = next - from; 736 else 737 len = strlen(from); 738 739 token = match_opt_prefix(from, len, &arg); 740 if (token != Opt_error) { 741 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); 742 rc = smack_add_opt(token, arg, mnt_opts); 743 kfree(arg); 744 if (unlikely(rc)) { 745 if (*mnt_opts) 746 smack_free_mnt_opts(*mnt_opts); 747 *mnt_opts = NULL; 748 return rc; 749 } 750 } else { 751 if (!first) { // copy with preceding comma 752 from--; 753 len++; 754 } 755 if (to != from) 756 memmove(to, from, len); 757 to += len; 758 first = false; 759 } 760 if (!from[len]) 761 break; 762 from += len + 1; 763 } 764 *to = '\0'; 765 return 0; 766 } 767 768 /** 769 * smack_set_mnt_opts - set Smack specific mount options 770 * @sb: the file system superblock 771 * @mnt_opts: Smack mount options 772 * @kern_flags: mount option from kernel space or user space 773 * @set_kern_flags: where to store converted mount opts 774 * 775 * Returns 0 on success, an error code on failure 776 * 777 * Allow filesystems with binary mount data to explicitly set Smack mount 778 * labels. 779 */ 780 static int smack_set_mnt_opts(struct super_block *sb, 781 void *mnt_opts, 782 unsigned long kern_flags, 783 unsigned long *set_kern_flags) 784 { 785 struct dentry *root = sb->s_root; 786 struct inode *inode = d_backing_inode(root); 787 struct superblock_smack *sp = smack_superblock(sb); 788 struct inode_smack *isp; 789 struct smack_known *skp; 790 struct smack_mnt_opts *opts = mnt_opts; 791 bool transmute = false; 792 793 if (sp->smk_flags & SMK_SB_INITIALIZED) 794 return 0; 795 796 if (!smack_privileged(CAP_MAC_ADMIN)) { 797 /* 798 * Unprivileged mounts don't get to specify Smack values. 799 */ 800 if (opts) 801 return -EPERM; 802 /* 803 * Unprivileged mounts get root and default from the caller. 804 */ 805 skp = smk_of_current(); 806 sp->smk_root = skp; 807 sp->smk_default = skp; 808 /* 809 * For a handful of fs types with no user-controlled 810 * backing store it's okay to trust security labels 811 * in the filesystem. The rest are untrusted. 812 */ 813 if (sb->s_user_ns != &init_user_ns && 814 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && 815 sb->s_magic != RAMFS_MAGIC) { 816 transmute = true; 817 sp->smk_flags |= SMK_SB_UNTRUSTED; 818 } 819 } 820 821 sp->smk_flags |= SMK_SB_INITIALIZED; 822 823 if (opts) { 824 if (opts->fsdefault) { 825 skp = smk_import_entry(opts->fsdefault, 0); 826 if (IS_ERR(skp)) 827 return PTR_ERR(skp); 828 sp->smk_default = skp; 829 } 830 if (opts->fsfloor) { 831 skp = smk_import_entry(opts->fsfloor, 0); 832 if (IS_ERR(skp)) 833 return PTR_ERR(skp); 834 sp->smk_floor = skp; 835 } 836 if (opts->fshat) { 837 skp = smk_import_entry(opts->fshat, 0); 838 if (IS_ERR(skp)) 839 return PTR_ERR(skp); 840 sp->smk_hat = skp; 841 } 842 if (opts->fsroot) { 843 skp = smk_import_entry(opts->fsroot, 0); 844 if (IS_ERR(skp)) 845 return PTR_ERR(skp); 846 sp->smk_root = skp; 847 } 848 if (opts->fstransmute) { 849 skp = smk_import_entry(opts->fstransmute, 0); 850 if (IS_ERR(skp)) 851 return PTR_ERR(skp); 852 sp->smk_root = skp; 853 transmute = true; 854 } 855 } 856 857 /* 858 * Initialize the root inode. 859 */ 860 init_inode_smack(inode, sp->smk_root); 861 862 if (transmute) { 863 isp = smack_inode(inode); 864 isp->smk_flags |= SMK_INODE_TRANSMUTE; 865 } 866 867 return 0; 868 } 869 870 /** 871 * smack_sb_statfs - Smack check on statfs 872 * @dentry: identifies the file system in question 873 * 874 * Returns 0 if current can read the floor of the filesystem, 875 * and error code otherwise 876 */ 877 static int smack_sb_statfs(struct dentry *dentry) 878 { 879 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); 880 int rc; 881 struct smk_audit_info ad; 882 883 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 884 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 885 886 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); 887 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); 888 return rc; 889 } 890 891 /* 892 * BPRM hooks 893 */ 894 895 /** 896 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec 897 * @bprm: the exec information 898 * 899 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise 900 */ 901 static int smack_bprm_creds_for_exec(struct linux_binprm *bprm) 902 { 903 struct inode *inode = file_inode(bprm->file); 904 struct task_smack *bsp = smack_cred(bprm->cred); 905 struct inode_smack *isp; 906 struct superblock_smack *sbsp; 907 int rc; 908 909 isp = smack_inode(inode); 910 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) 911 return 0; 912 913 sbsp = smack_superblock(inode->i_sb); 914 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && 915 isp->smk_task != sbsp->smk_root) 916 return 0; 917 918 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { 919 struct task_struct *tracer; 920 rc = 0; 921 922 rcu_read_lock(); 923 tracer = ptrace_parent(current); 924 if (likely(tracer != NULL)) 925 rc = smk_ptrace_rule_check(tracer, 926 isp->smk_task, 927 PTRACE_MODE_ATTACH, 928 __func__); 929 rcu_read_unlock(); 930 931 if (rc != 0) 932 return rc; 933 } 934 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) 935 return -EPERM; 936 937 bsp->smk_task = isp->smk_task; 938 bprm->per_clear |= PER_CLEAR_ON_SETID; 939 940 /* Decide if this is a secure exec. */ 941 if (bsp->smk_task != bsp->smk_forked) 942 bprm->secureexec = 1; 943 944 return 0; 945 } 946 947 /* 948 * Inode hooks 949 */ 950 951 /** 952 * smack_inode_alloc_security - allocate an inode blob 953 * @inode: the inode in need of a blob 954 * 955 * Returns 0 956 */ 957 static int smack_inode_alloc_security(struct inode *inode) 958 { 959 struct smack_known *skp = smk_of_current(); 960 961 init_inode_smack(inode, skp); 962 return 0; 963 } 964 965 /** 966 * smack_inode_init_security - copy out the smack from an inode 967 * @inode: the newly created inode 968 * @dir: containing directory object 969 * @qstr: unused 970 * @xattrs: where to put the attributes 971 * @xattr_count: current number of LSM-provided xattrs (updated) 972 * 973 * Returns 0 if it all works out, -ENOMEM if there's no memory 974 */ 975 static int smack_inode_init_security(struct inode *inode, struct inode *dir, 976 const struct qstr *qstr, 977 struct xattr *xattrs, int *xattr_count) 978 { 979 struct task_smack *tsp = smack_cred(current_cred()); 980 struct inode_smack *issp = smack_inode(inode); 981 struct smack_known *skp = smk_of_task(tsp); 982 struct smack_known *isp = smk_of_inode(inode); 983 struct smack_known *dsp = smk_of_inode(dir); 984 struct xattr *xattr = lsm_get_xattr_slot(xattrs, xattr_count); 985 int may; 986 987 /* 988 * If equal, transmuting already occurred in 989 * smack_dentry_create_files_as(). No need to check again. 990 */ 991 if (tsp->smk_task != tsp->smk_transmuted) { 992 rcu_read_lock(); 993 may = smk_access_entry(skp->smk_known, dsp->smk_known, 994 &skp->smk_rules); 995 rcu_read_unlock(); 996 } 997 998 /* 999 * In addition to having smk_task equal to smk_transmuted, 1000 * if the access rule allows transmutation and the directory 1001 * requests transmutation then by all means transmute. 1002 * Mark the inode as changed. 1003 */ 1004 if ((tsp->smk_task == tsp->smk_transmuted) || 1005 (may > 0 && ((may & MAY_TRANSMUTE) != 0) && 1006 smk_inode_transmutable(dir))) { 1007 struct xattr *xattr_transmute; 1008 1009 /* 1010 * The caller of smack_dentry_create_files_as() 1011 * should have overridden the current cred, so the 1012 * inode label was already set correctly in 1013 * smack_inode_alloc_security(). 1014 */ 1015 if (tsp->smk_task != tsp->smk_transmuted) 1016 isp = issp->smk_inode = dsp; 1017 1018 issp->smk_flags |= SMK_INODE_TRANSMUTE; 1019 xattr_transmute = lsm_get_xattr_slot(xattrs, 1020 xattr_count); 1021 if (xattr_transmute) { 1022 xattr_transmute->value = kmemdup(TRANS_TRUE, 1023 TRANS_TRUE_SIZE, 1024 GFP_NOFS); 1025 if (!xattr_transmute->value) 1026 return -ENOMEM; 1027 1028 xattr_transmute->value_len = TRANS_TRUE_SIZE; 1029 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; 1030 } 1031 } 1032 1033 issp->smk_flags |= SMK_INODE_INSTANT; 1034 1035 if (xattr) { 1036 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); 1037 if (!xattr->value) 1038 return -ENOMEM; 1039 1040 xattr->value_len = strlen(isp->smk_known); 1041 xattr->name = XATTR_SMACK_SUFFIX; 1042 } 1043 1044 return 0; 1045 } 1046 1047 /** 1048 * smack_inode_link - Smack check on link 1049 * @old_dentry: the existing object 1050 * @dir: unused 1051 * @new_dentry: the new object 1052 * 1053 * Returns 0 if access is permitted, an error code otherwise 1054 */ 1055 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, 1056 struct dentry *new_dentry) 1057 { 1058 struct smack_known *isp; 1059 struct smk_audit_info ad; 1060 int rc; 1061 1062 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1063 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1064 1065 isp = smk_of_inode(d_backing_inode(old_dentry)); 1066 rc = smk_curacc(isp, MAY_WRITE, &ad); 1067 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc); 1068 1069 if (rc == 0 && d_is_positive(new_dentry)) { 1070 isp = smk_of_inode(d_backing_inode(new_dentry)); 1071 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1072 rc = smk_curacc(isp, MAY_WRITE, &ad); 1073 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc); 1074 } 1075 1076 return rc; 1077 } 1078 1079 /** 1080 * smack_inode_unlink - Smack check on inode deletion 1081 * @dir: containing directory object 1082 * @dentry: file to unlink 1083 * 1084 * Returns 0 if current can write the containing directory 1085 * and the object, error code otherwise 1086 */ 1087 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) 1088 { 1089 struct inode *ip = d_backing_inode(dentry); 1090 struct smk_audit_info ad; 1091 int rc; 1092 1093 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1094 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1095 1096 /* 1097 * You need write access to the thing you're unlinking 1098 */ 1099 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad); 1100 rc = smk_bu_inode(ip, MAY_WRITE, rc); 1101 if (rc == 0) { 1102 /* 1103 * You also need write access to the containing directory 1104 */ 1105 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1106 smk_ad_setfield_u_fs_inode(&ad, dir); 1107 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1108 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1109 } 1110 return rc; 1111 } 1112 1113 /** 1114 * smack_inode_rmdir - Smack check on directory deletion 1115 * @dir: containing directory object 1116 * @dentry: directory to unlink 1117 * 1118 * Returns 0 if current can write the containing directory 1119 * and the directory, error code otherwise 1120 */ 1121 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) 1122 { 1123 struct smk_audit_info ad; 1124 int rc; 1125 1126 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1127 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1128 1129 /* 1130 * You need write access to the thing you're removing 1131 */ 1132 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1133 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1134 if (rc == 0) { 1135 /* 1136 * You also need write access to the containing directory 1137 */ 1138 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1139 smk_ad_setfield_u_fs_inode(&ad, dir); 1140 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); 1141 rc = smk_bu_inode(dir, MAY_WRITE, rc); 1142 } 1143 1144 return rc; 1145 } 1146 1147 /** 1148 * smack_inode_rename - Smack check on rename 1149 * @old_inode: unused 1150 * @old_dentry: the old object 1151 * @new_inode: unused 1152 * @new_dentry: the new object 1153 * 1154 * Read and write access is required on both the old and 1155 * new directories. 1156 * 1157 * Returns 0 if access is permitted, an error code otherwise 1158 */ 1159 static int smack_inode_rename(struct inode *old_inode, 1160 struct dentry *old_dentry, 1161 struct inode *new_inode, 1162 struct dentry *new_dentry) 1163 { 1164 int rc; 1165 struct smack_known *isp; 1166 struct smk_audit_info ad; 1167 1168 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1169 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry); 1170 1171 isp = smk_of_inode(d_backing_inode(old_dentry)); 1172 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1173 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc); 1174 1175 if (rc == 0 && d_is_positive(new_dentry)) { 1176 isp = smk_of_inode(d_backing_inode(new_dentry)); 1177 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry); 1178 rc = smk_curacc(isp, MAY_READWRITE, &ad); 1179 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc); 1180 } 1181 return rc; 1182 } 1183 1184 /** 1185 * smack_inode_permission - Smack version of permission() 1186 * @inode: the inode in question 1187 * @mask: the access requested 1188 * 1189 * This is the important Smack hook. 1190 * 1191 * Returns 0 if access is permitted, an error code otherwise 1192 */ 1193 static int smack_inode_permission(struct inode *inode, int mask) 1194 { 1195 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); 1196 struct smk_audit_info ad; 1197 int no_block = mask & MAY_NOT_BLOCK; 1198 int rc; 1199 1200 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND); 1201 /* 1202 * No permission to check. Existence test. Yup, it's there. 1203 */ 1204 if (mask == 0) 1205 return 0; 1206 1207 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { 1208 if (smk_of_inode(inode) != sbsp->smk_root) 1209 return -EACCES; 1210 } 1211 1212 /* May be droppable after audit */ 1213 if (no_block) 1214 return -ECHILD; 1215 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE); 1216 smk_ad_setfield_u_fs_inode(&ad, inode); 1217 rc = smk_curacc(smk_of_inode(inode), mask, &ad); 1218 rc = smk_bu_inode(inode, mask, rc); 1219 return rc; 1220 } 1221 1222 /** 1223 * smack_inode_setattr - Smack check for setting attributes 1224 * @idmap: idmap of the mount 1225 * @dentry: the object 1226 * @iattr: for the force flag 1227 * 1228 * Returns 0 if access is permitted, an error code otherwise 1229 */ 1230 static int smack_inode_setattr(struct mnt_idmap *idmap, struct dentry *dentry, 1231 struct iattr *iattr) 1232 { 1233 struct smk_audit_info ad; 1234 int rc; 1235 1236 /* 1237 * Need to allow for clearing the setuid bit. 1238 */ 1239 if (iattr->ia_valid & ATTR_FORCE) 1240 return 0; 1241 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1242 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1243 1244 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1245 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1246 return rc; 1247 } 1248 1249 /** 1250 * smack_inode_getattr - Smack check for getting attributes 1251 * @path: path to extract the info from 1252 * 1253 * Returns 0 if access is permitted, an error code otherwise 1254 */ 1255 static int smack_inode_getattr(const struct path *path) 1256 { 1257 struct smk_audit_info ad; 1258 struct inode *inode = d_backing_inode(path->dentry); 1259 int rc; 1260 1261 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1262 smk_ad_setfield_u_fs_path(&ad, *path); 1263 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1264 rc = smk_bu_inode(inode, MAY_READ, rc); 1265 return rc; 1266 } 1267 1268 /** 1269 * smack_inode_xattr_skipcap - Skip the xattr capability checks? 1270 * @name: name of the xattr 1271 * 1272 * Returns 1 to indicate that Smack "owns" the access control rights to xattrs 1273 * named @name; the LSM layer should avoid enforcing any traditional 1274 * capability based access controls on this xattr. Returns 0 to indicate that 1275 * Smack does not "own" the access control rights to xattrs named @name and is 1276 * deferring to the LSM layer for further access controls, including capability 1277 * based controls. 1278 */ 1279 static int smack_inode_xattr_skipcap(const char *name) 1280 { 1281 if (strncmp(name, XATTR_SMACK_SUFFIX, strlen(XATTR_SMACK_SUFFIX))) 1282 return 0; 1283 1284 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1285 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1286 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1287 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1288 strcmp(name, XATTR_NAME_SMACKMMAP) == 0 || 1289 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1290 return 1; 1291 1292 return 0; 1293 } 1294 1295 /** 1296 * smack_inode_setxattr - Smack check for setting xattrs 1297 * @idmap: idmap of the mount 1298 * @dentry: the object 1299 * @name: name of the attribute 1300 * @value: value of the attribute 1301 * @size: size of the value 1302 * @flags: unused 1303 * 1304 * This protects the Smack attribute explicitly. 1305 * 1306 * Returns 0 if access is permitted, an error code otherwise 1307 */ 1308 static int smack_inode_setxattr(struct mnt_idmap *idmap, 1309 struct dentry *dentry, const char *name, 1310 const void *value, size_t size, int flags) 1311 { 1312 struct smk_audit_info ad; 1313 struct smack_known *skp; 1314 int check_priv = 0; 1315 int check_import = 0; 1316 int check_star = 0; 1317 int rc = 0; 1318 1319 /* 1320 * Check label validity here so import won't fail in post_setxattr 1321 */ 1322 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1323 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1324 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) { 1325 check_priv = 1; 1326 check_import = 1; 1327 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1328 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1329 check_priv = 1; 1330 check_import = 1; 1331 check_star = 1; 1332 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1333 check_priv = 1; 1334 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || 1335 size != TRANS_TRUE_SIZE || 1336 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 1337 rc = -EINVAL; 1338 } 1339 1340 if (check_priv && !smack_privileged(CAP_MAC_ADMIN)) 1341 rc = -EPERM; 1342 1343 if (rc == 0 && check_import) { 1344 skp = size ? smk_import_entry(value, size) : NULL; 1345 if (IS_ERR(skp)) 1346 rc = PTR_ERR(skp); 1347 else if (skp == NULL || (check_star && 1348 (skp == &smack_known_star || skp == &smack_known_web))) 1349 rc = -EINVAL; 1350 } 1351 1352 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1353 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1354 1355 if (rc == 0) { 1356 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1357 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1358 } 1359 1360 return rc; 1361 } 1362 1363 /** 1364 * smack_inode_post_setxattr - Apply the Smack update approved above 1365 * @dentry: object 1366 * @name: attribute name 1367 * @value: attribute value 1368 * @size: attribute size 1369 * @flags: unused 1370 * 1371 * Set the pointer in the inode blob to the entry found 1372 * in the master label list. 1373 */ 1374 static void smack_inode_post_setxattr(struct dentry *dentry, const char *name, 1375 const void *value, size_t size, int flags) 1376 { 1377 struct smack_known *skp; 1378 struct inode_smack *isp = smack_inode(d_backing_inode(dentry)); 1379 1380 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) { 1381 isp->smk_flags |= SMK_INODE_TRANSMUTE; 1382 return; 1383 } 1384 1385 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1386 skp = smk_import_entry(value, size); 1387 if (!IS_ERR(skp)) 1388 isp->smk_inode = skp; 1389 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) { 1390 skp = smk_import_entry(value, size); 1391 if (!IS_ERR(skp)) 1392 isp->smk_task = skp; 1393 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1394 skp = smk_import_entry(value, size); 1395 if (!IS_ERR(skp)) 1396 isp->smk_mmap = skp; 1397 } 1398 1399 return; 1400 } 1401 1402 /** 1403 * smack_inode_getxattr - Smack check on getxattr 1404 * @dentry: the object 1405 * @name: unused 1406 * 1407 * Returns 0 if access is permitted, an error code otherwise 1408 */ 1409 static int smack_inode_getxattr(struct dentry *dentry, const char *name) 1410 { 1411 struct smk_audit_info ad; 1412 int rc; 1413 1414 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1415 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1416 1417 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1418 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1419 return rc; 1420 } 1421 1422 /** 1423 * smack_inode_removexattr - Smack check on removexattr 1424 * @idmap: idmap of the mount 1425 * @dentry: the object 1426 * @name: name of the attribute 1427 * 1428 * Removing the Smack attribute requires CAP_MAC_ADMIN 1429 * 1430 * Returns 0 if access is permitted, an error code otherwise 1431 */ 1432 static int smack_inode_removexattr(struct mnt_idmap *idmap, 1433 struct dentry *dentry, const char *name) 1434 { 1435 struct inode_smack *isp; 1436 struct smk_audit_info ad; 1437 int rc = 0; 1438 1439 if (strcmp(name, XATTR_NAME_SMACK) == 0 || 1440 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 || 1441 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 || 1442 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 || 1443 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 || 1444 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) { 1445 if (!smack_privileged(CAP_MAC_ADMIN)) 1446 rc = -EPERM; 1447 } 1448 1449 if (rc != 0) 1450 return rc; 1451 1452 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1453 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1454 1455 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1456 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1457 if (rc != 0) 1458 return rc; 1459 1460 isp = smack_inode(d_backing_inode(dentry)); 1461 /* 1462 * Don't do anything special for these. 1463 * XATTR_NAME_SMACKIPIN 1464 * XATTR_NAME_SMACKIPOUT 1465 */ 1466 if (strcmp(name, XATTR_NAME_SMACK) == 0) { 1467 struct super_block *sbp = dentry->d_sb; 1468 struct superblock_smack *sbsp = smack_superblock(sbp); 1469 1470 isp->smk_inode = sbsp->smk_default; 1471 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) 1472 isp->smk_task = NULL; 1473 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) 1474 isp->smk_mmap = NULL; 1475 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) 1476 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; 1477 1478 return 0; 1479 } 1480 1481 /** 1482 * smack_inode_set_acl - Smack check for setting posix acls 1483 * @idmap: idmap of the mnt this request came from 1484 * @dentry: the object 1485 * @acl_name: name of the posix acl 1486 * @kacl: the posix acls 1487 * 1488 * Returns 0 if access is permitted, an error code otherwise 1489 */ 1490 static int smack_inode_set_acl(struct mnt_idmap *idmap, 1491 struct dentry *dentry, const char *acl_name, 1492 struct posix_acl *kacl) 1493 { 1494 struct smk_audit_info ad; 1495 int rc; 1496 1497 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1498 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1499 1500 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1501 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1502 return rc; 1503 } 1504 1505 /** 1506 * smack_inode_get_acl - Smack check for getting posix acls 1507 * @idmap: idmap of the mnt this request came from 1508 * @dentry: the object 1509 * @acl_name: name of the posix acl 1510 * 1511 * Returns 0 if access is permitted, an error code otherwise 1512 */ 1513 static int smack_inode_get_acl(struct mnt_idmap *idmap, 1514 struct dentry *dentry, const char *acl_name) 1515 { 1516 struct smk_audit_info ad; 1517 int rc; 1518 1519 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1520 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1521 1522 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad); 1523 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc); 1524 return rc; 1525 } 1526 1527 /** 1528 * smack_inode_remove_acl - Smack check for getting posix acls 1529 * @idmap: idmap of the mnt this request came from 1530 * @dentry: the object 1531 * @acl_name: name of the posix acl 1532 * 1533 * Returns 0 if access is permitted, an error code otherwise 1534 */ 1535 static int smack_inode_remove_acl(struct mnt_idmap *idmap, 1536 struct dentry *dentry, const char *acl_name) 1537 { 1538 struct smk_audit_info ad; 1539 int rc; 1540 1541 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY); 1542 smk_ad_setfield_u_fs_path_dentry(&ad, dentry); 1543 1544 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad); 1545 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc); 1546 return rc; 1547 } 1548 1549 /** 1550 * smack_inode_getsecurity - get smack xattrs 1551 * @idmap: idmap of the mount 1552 * @inode: the object 1553 * @name: attribute name 1554 * @buffer: where to put the result 1555 * @alloc: duplicate memory 1556 * 1557 * Returns the size of the attribute or an error code 1558 */ 1559 static int smack_inode_getsecurity(struct mnt_idmap *idmap, 1560 struct inode *inode, const char *name, 1561 void **buffer, bool alloc) 1562 { 1563 struct socket_smack *ssp; 1564 struct socket *sock; 1565 struct super_block *sbp; 1566 struct inode *ip = inode; 1567 struct smack_known *isp; 1568 struct inode_smack *ispp; 1569 size_t label_len; 1570 char *label = NULL; 1571 1572 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 1573 isp = smk_of_inode(inode); 1574 } else if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 1575 ispp = smack_inode(inode); 1576 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) 1577 label = TRANS_TRUE; 1578 else 1579 label = ""; 1580 } else { 1581 /* 1582 * The rest of the Smack xattrs are only on sockets. 1583 */ 1584 sbp = ip->i_sb; 1585 if (sbp->s_magic != SOCKFS_MAGIC) 1586 return -EOPNOTSUPP; 1587 1588 sock = SOCKET_I(ip); 1589 if (sock == NULL || sock->sk == NULL) 1590 return -EOPNOTSUPP; 1591 1592 ssp = smack_sock(sock->sk); 1593 1594 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 1595 isp = ssp->smk_in; 1596 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) 1597 isp = ssp->smk_out; 1598 else 1599 return -EOPNOTSUPP; 1600 } 1601 1602 if (!label) 1603 label = isp->smk_known; 1604 1605 label_len = strlen(label); 1606 1607 if (alloc) { 1608 *buffer = kstrdup(label, GFP_KERNEL); 1609 if (*buffer == NULL) 1610 return -ENOMEM; 1611 } 1612 1613 return label_len; 1614 } 1615 1616 1617 /** 1618 * smack_inode_listsecurity - list the Smack attributes 1619 * @inode: the object 1620 * @buffer: where they go 1621 * @buffer_size: size of buffer 1622 */ 1623 static int smack_inode_listsecurity(struct inode *inode, char *buffer, 1624 size_t buffer_size) 1625 { 1626 int len = sizeof(XATTR_NAME_SMACK); 1627 1628 if (buffer != NULL && len <= buffer_size) 1629 memcpy(buffer, XATTR_NAME_SMACK, len); 1630 1631 return len; 1632 } 1633 1634 /** 1635 * smack_inode_getlsmprop - Extract inode's security id 1636 * @inode: inode to extract the info from 1637 * @prop: where result will be saved 1638 */ 1639 static void smack_inode_getlsmprop(struct inode *inode, struct lsm_prop *prop) 1640 { 1641 prop->smack.skp = smk_of_inode(inode); 1642 } 1643 1644 /* 1645 * File Hooks 1646 */ 1647 1648 /* 1649 * There is no smack_file_permission hook 1650 * 1651 * Should access checks be done on each read or write? 1652 * UNICOS and SELinux say yes. 1653 * Trusted Solaris, Trusted Irix, and just about everyone else says no. 1654 * 1655 * I'll say no for now. Smack does not do the frequent 1656 * label changing that SELinux does. 1657 */ 1658 1659 /** 1660 * smack_file_alloc_security - assign a file security blob 1661 * @file: the object 1662 * 1663 * The security blob for a file is a pointer to the master 1664 * label list, so no allocation is done. 1665 * 1666 * f_security is the owner security information. It 1667 * isn't used on file access checks, it's for send_sigio. 1668 * 1669 * Returns 0 1670 */ 1671 static int smack_file_alloc_security(struct file *file) 1672 { 1673 struct smack_known **blob = smack_file(file); 1674 1675 *blob = smk_of_current(); 1676 return 0; 1677 } 1678 1679 /** 1680 * smack_file_ioctl - Smack check on ioctls 1681 * @file: the object 1682 * @cmd: what to do 1683 * @arg: unused 1684 * 1685 * Relies heavily on the correct use of the ioctl command conventions. 1686 * 1687 * Returns 0 if allowed, error code otherwise 1688 */ 1689 static int smack_file_ioctl(struct file *file, unsigned int cmd, 1690 unsigned long arg) 1691 { 1692 int rc = 0; 1693 struct smk_audit_info ad; 1694 struct inode *inode = file_inode(file); 1695 1696 if (unlikely(IS_PRIVATE(inode))) 1697 return 0; 1698 1699 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1700 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1701 1702 if (_IOC_DIR(cmd) & _IOC_WRITE) { 1703 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1704 rc = smk_bu_file(file, MAY_WRITE, rc); 1705 } 1706 1707 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { 1708 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad); 1709 rc = smk_bu_file(file, MAY_READ, rc); 1710 } 1711 1712 return rc; 1713 } 1714 1715 /** 1716 * smack_file_lock - Smack check on file locking 1717 * @file: the object 1718 * @cmd: unused 1719 * 1720 * Returns 0 if current has lock access, error code otherwise 1721 */ 1722 static int smack_file_lock(struct file *file, unsigned int cmd) 1723 { 1724 struct smk_audit_info ad; 1725 int rc; 1726 struct inode *inode = file_inode(file); 1727 1728 if (unlikely(IS_PRIVATE(inode))) 1729 return 0; 1730 1731 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1732 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1733 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1734 rc = smk_bu_file(file, MAY_LOCK, rc); 1735 return rc; 1736 } 1737 1738 /** 1739 * smack_file_fcntl - Smack check on fcntl 1740 * @file: the object 1741 * @cmd: what action to check 1742 * @arg: unused 1743 * 1744 * Generally these operations are harmless. 1745 * File locking operations present an obvious mechanism 1746 * for passing information, so they require write access. 1747 * 1748 * Returns 0 if current has access, error code otherwise 1749 */ 1750 static int smack_file_fcntl(struct file *file, unsigned int cmd, 1751 unsigned long arg) 1752 { 1753 struct smk_audit_info ad; 1754 int rc = 0; 1755 struct inode *inode = file_inode(file); 1756 1757 if (unlikely(IS_PRIVATE(inode))) 1758 return 0; 1759 1760 switch (cmd) { 1761 case F_GETLK: 1762 break; 1763 case F_SETLK: 1764 case F_SETLKW: 1765 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1766 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1767 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad); 1768 rc = smk_bu_file(file, MAY_LOCK, rc); 1769 break; 1770 case F_SETOWN: 1771 case F_SETSIG: 1772 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1773 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1774 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad); 1775 rc = smk_bu_file(file, MAY_WRITE, rc); 1776 break; 1777 default: 1778 break; 1779 } 1780 1781 return rc; 1782 } 1783 1784 /** 1785 * smack_mmap_file - Check permissions for a mmap operation. 1786 * @file: contains the file structure for file to map (may be NULL). 1787 * @reqprot: contains the protection requested by the application. 1788 * @prot: contains the protection that will be applied by the kernel. 1789 * @flags: contains the operational flags. 1790 * 1791 * The @file may be NULL, e.g. if mapping anonymous memory. 1792 * 1793 * Return 0 if permission is granted. 1794 */ 1795 static int smack_mmap_file(struct file *file, 1796 unsigned long reqprot, unsigned long prot, 1797 unsigned long flags) 1798 { 1799 struct smack_known *skp; 1800 struct smack_known *mkp; 1801 struct smack_rule *srp; 1802 struct task_smack *tsp; 1803 struct smack_known *okp; 1804 struct inode_smack *isp; 1805 struct superblock_smack *sbsp; 1806 int may; 1807 int mmay; 1808 int tmay; 1809 int rc; 1810 1811 if (file == NULL) 1812 return 0; 1813 1814 if (unlikely(IS_PRIVATE(file_inode(file)))) 1815 return 0; 1816 1817 isp = smack_inode(file_inode(file)); 1818 if (isp->smk_mmap == NULL) 1819 return 0; 1820 sbsp = smack_superblock(file_inode(file)->i_sb); 1821 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && 1822 isp->smk_mmap != sbsp->smk_root) 1823 return -EACCES; 1824 mkp = isp->smk_mmap; 1825 1826 tsp = smack_cred(current_cred()); 1827 skp = smk_of_current(); 1828 rc = 0; 1829 1830 rcu_read_lock(); 1831 /* 1832 * For each Smack rule associated with the subject 1833 * label verify that the SMACK64MMAP also has access 1834 * to that rule's object label. 1835 */ 1836 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { 1837 okp = srp->smk_object; 1838 /* 1839 * Matching labels always allows access. 1840 */ 1841 if (mkp->smk_known == okp->smk_known) 1842 continue; 1843 /* 1844 * If there is a matching local rule take 1845 * that into account as well. 1846 */ 1847 may = smk_access_entry(srp->smk_subject->smk_known, 1848 okp->smk_known, 1849 &tsp->smk_rules); 1850 if (may == -ENOENT) 1851 may = srp->smk_access; 1852 else 1853 may &= srp->smk_access; 1854 /* 1855 * If may is zero the SMACK64MMAP subject can't 1856 * possibly have less access. 1857 */ 1858 if (may == 0) 1859 continue; 1860 1861 /* 1862 * Fetch the global list entry. 1863 * If there isn't one a SMACK64MMAP subject 1864 * can't have as much access as current. 1865 */ 1866 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1867 &mkp->smk_rules); 1868 if (mmay == -ENOENT) { 1869 rc = -EACCES; 1870 break; 1871 } 1872 /* 1873 * If there is a local entry it modifies the 1874 * potential access, too. 1875 */ 1876 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, 1877 &tsp->smk_rules); 1878 if (tmay != -ENOENT) 1879 mmay &= tmay; 1880 1881 /* 1882 * If there is any access available to current that is 1883 * not available to a SMACK64MMAP subject 1884 * deny access. 1885 */ 1886 if ((may | mmay) != mmay) { 1887 rc = -EACCES; 1888 break; 1889 } 1890 } 1891 1892 rcu_read_unlock(); 1893 1894 return rc; 1895 } 1896 1897 /** 1898 * smack_file_set_fowner - set the file security blob value 1899 * @file: object in question 1900 * 1901 */ 1902 static void smack_file_set_fowner(struct file *file) 1903 { 1904 struct smack_known **blob = smack_file(file); 1905 1906 *blob = smk_of_current(); 1907 } 1908 1909 /** 1910 * smack_file_send_sigiotask - Smack on sigio 1911 * @tsk: The target task 1912 * @fown: the object the signal come from 1913 * @signum: unused 1914 * 1915 * Allow a privileged task to get signals even if it shouldn't 1916 * 1917 * Returns 0 if a subject with the object's smack could 1918 * write to the task, an error code otherwise. 1919 */ 1920 static int smack_file_send_sigiotask(struct task_struct *tsk, 1921 struct fown_struct *fown, int signum) 1922 { 1923 struct smack_known **blob; 1924 struct smack_known *skp; 1925 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); 1926 const struct cred *tcred; 1927 struct file *file; 1928 int rc; 1929 struct smk_audit_info ad; 1930 1931 /* 1932 * struct fown_struct is never outside the context of a struct file 1933 */ 1934 file = fown->file; 1935 1936 /* we don't log here as rc can be overridden */ 1937 blob = smack_file(file); 1938 skp = *blob; 1939 rc = smk_access(skp, tkp, MAY_DELIVER, NULL); 1940 rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc); 1941 1942 rcu_read_lock(); 1943 tcred = __task_cred(tsk); 1944 if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred)) 1945 rc = 0; 1946 rcu_read_unlock(); 1947 1948 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 1949 smk_ad_setfield_u_tsk(&ad, tsk); 1950 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); 1951 return rc; 1952 } 1953 1954 /** 1955 * smack_file_receive - Smack file receive check 1956 * @file: the object 1957 * 1958 * Returns 0 if current has access, error code otherwise 1959 */ 1960 static int smack_file_receive(struct file *file) 1961 { 1962 int rc; 1963 int may = 0; 1964 struct smk_audit_info ad; 1965 struct inode *inode = file_inode(file); 1966 struct socket *sock; 1967 struct task_smack *tsp; 1968 struct socket_smack *ssp; 1969 1970 if (unlikely(IS_PRIVATE(inode))) 1971 return 0; 1972 1973 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 1974 smk_ad_setfield_u_fs_path(&ad, file->f_path); 1975 1976 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { 1977 sock = SOCKET_I(inode); 1978 ssp = smack_sock(sock->sk); 1979 tsp = smack_cred(current_cred()); 1980 /* 1981 * If the receiving process can't write to the 1982 * passed socket or if the passed socket can't 1983 * write to the receiving process don't accept 1984 * the passed socket. 1985 */ 1986 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); 1987 rc = smk_bu_file(file, may, rc); 1988 if (rc < 0) 1989 return rc; 1990 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); 1991 rc = smk_bu_file(file, may, rc); 1992 return rc; 1993 } 1994 /* 1995 * This code relies on bitmasks. 1996 */ 1997 if (file->f_mode & FMODE_READ) 1998 may = MAY_READ; 1999 if (file->f_mode & FMODE_WRITE) 2000 may |= MAY_WRITE; 2001 2002 rc = smk_curacc(smk_of_inode(inode), may, &ad); 2003 rc = smk_bu_file(file, may, rc); 2004 return rc; 2005 } 2006 2007 /** 2008 * smack_file_open - Smack dentry open processing 2009 * @file: the object 2010 * 2011 * Set the security blob in the file structure. 2012 * Allow the open only if the task has read access. There are 2013 * many read operations (e.g. fstat) that you can do with an 2014 * fd even if you have the file open write-only. 2015 * 2016 * Returns 0 if current has access, error code otherwise 2017 */ 2018 static int smack_file_open(struct file *file) 2019 { 2020 struct task_smack *tsp = smack_cred(file->f_cred); 2021 struct inode *inode = file_inode(file); 2022 struct smk_audit_info ad; 2023 int rc; 2024 2025 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 2026 smk_ad_setfield_u_fs_path(&ad, file->f_path); 2027 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 2028 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 2029 2030 return rc; 2031 } 2032 2033 /* 2034 * Task hooks 2035 */ 2036 2037 /** 2038 * smack_cred_alloc_blank - "allocate" blank task-level security credentials 2039 * @cred: the new credentials 2040 * @gfp: the atomicity of any memory allocations 2041 * 2042 * Prepare a blank set of credentials for modification. This must allocate all 2043 * the memory the LSM module might require such that cred_transfer() can 2044 * complete without error. 2045 */ 2046 static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp) 2047 { 2048 init_task_smack(smack_cred(cred), NULL, NULL); 2049 return 0; 2050 } 2051 2052 2053 /** 2054 * smack_cred_free - "free" task-level security credentials 2055 * @cred: the credentials in question 2056 * 2057 */ 2058 static void smack_cred_free(struct cred *cred) 2059 { 2060 struct task_smack *tsp = smack_cred(cred); 2061 struct smack_rule *rp; 2062 struct list_head *l; 2063 struct list_head *n; 2064 2065 smk_destroy_label_list(&tsp->smk_relabel); 2066 2067 list_for_each_safe(l, n, &tsp->smk_rules) { 2068 rp = list_entry(l, struct smack_rule, list); 2069 list_del(&rp->list); 2070 kmem_cache_free(smack_rule_cache, rp); 2071 } 2072 } 2073 2074 /** 2075 * smack_cred_prepare - prepare new set of credentials for modification 2076 * @new: the new credentials 2077 * @old: the original credentials 2078 * @gfp: the atomicity of any memory allocations 2079 * 2080 * Prepare a new set of credentials for modification. 2081 */ 2082 static int smack_cred_prepare(struct cred *new, const struct cred *old, 2083 gfp_t gfp) 2084 { 2085 struct task_smack *old_tsp = smack_cred(old); 2086 struct task_smack *new_tsp = smack_cred(new); 2087 int rc; 2088 2089 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2090 2091 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); 2092 if (rc != 0) 2093 return rc; 2094 2095 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, 2096 gfp); 2097 return rc; 2098 } 2099 2100 /** 2101 * smack_cred_transfer - Transfer the old credentials to the new credentials 2102 * @new: the new credentials 2103 * @old: the original credentials 2104 * 2105 * Fill in a set of blank credentials from another set of credentials. 2106 */ 2107 static void smack_cred_transfer(struct cred *new, const struct cred *old) 2108 { 2109 struct task_smack *old_tsp = smack_cred(old); 2110 struct task_smack *new_tsp = smack_cred(new); 2111 2112 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); 2113 } 2114 2115 /** 2116 * smack_cred_getsecid - get the secid corresponding to a creds structure 2117 * @cred: the object creds 2118 * @secid: where to put the result 2119 * 2120 * Sets the secid to contain a u32 version of the smack label. 2121 */ 2122 static void smack_cred_getsecid(const struct cred *cred, u32 *secid) 2123 { 2124 struct smack_known *skp; 2125 2126 rcu_read_lock(); 2127 skp = smk_of_task(smack_cred(cred)); 2128 *secid = skp->smk_secid; 2129 rcu_read_unlock(); 2130 } 2131 2132 /** 2133 * smack_cred_getlsmprop - get the Smack label for a creds structure 2134 * @cred: the object creds 2135 * @prop: where to put the data 2136 * 2137 * Sets the Smack part of the ref 2138 */ 2139 static void smack_cred_getlsmprop(const struct cred *cred, 2140 struct lsm_prop *prop) 2141 { 2142 rcu_read_lock(); 2143 prop->smack.skp = smk_of_task(smack_cred(cred)); 2144 rcu_read_unlock(); 2145 } 2146 2147 /** 2148 * smack_kernel_act_as - Set the subjective context in a set of credentials 2149 * @new: points to the set of credentials to be modified. 2150 * @secid: specifies the security ID to be set 2151 * 2152 * Set the security data for a kernel service. 2153 */ 2154 static int smack_kernel_act_as(struct cred *new, u32 secid) 2155 { 2156 struct task_smack *new_tsp = smack_cred(new); 2157 2158 new_tsp->smk_task = smack_from_secid(secid); 2159 return 0; 2160 } 2161 2162 /** 2163 * smack_kernel_create_files_as - Set the file creation label in a set of creds 2164 * @new: points to the set of credentials to be modified 2165 * @inode: points to the inode to use as a reference 2166 * 2167 * Set the file creation context in a set of credentials to the same 2168 * as the objective context of the specified inode 2169 */ 2170 static int smack_kernel_create_files_as(struct cred *new, 2171 struct inode *inode) 2172 { 2173 struct inode_smack *isp = smack_inode(inode); 2174 struct task_smack *tsp = smack_cred(new); 2175 2176 tsp->smk_forked = isp->smk_inode; 2177 tsp->smk_task = tsp->smk_forked; 2178 return 0; 2179 } 2180 2181 /** 2182 * smk_curacc_on_task - helper to log task related access 2183 * @p: the task object 2184 * @access: the access requested 2185 * @caller: name of the calling function for audit 2186 * 2187 * Return 0 if access is permitted 2188 */ 2189 static int smk_curacc_on_task(struct task_struct *p, int access, 2190 const char *caller) 2191 { 2192 struct smk_audit_info ad; 2193 struct smack_known *skp = smk_of_task_struct_obj(p); 2194 int rc; 2195 2196 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK); 2197 smk_ad_setfield_u_tsk(&ad, p); 2198 rc = smk_curacc(skp, access, &ad); 2199 rc = smk_bu_task(p, access, rc); 2200 return rc; 2201 } 2202 2203 /** 2204 * smack_task_setpgid - Smack check on setting pgid 2205 * @p: the task object 2206 * @pgid: unused 2207 * 2208 * Return 0 if write access is permitted 2209 */ 2210 static int smack_task_setpgid(struct task_struct *p, pid_t pgid) 2211 { 2212 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2213 } 2214 2215 /** 2216 * smack_task_getpgid - Smack access check for getpgid 2217 * @p: the object task 2218 * 2219 * Returns 0 if current can read the object task, error code otherwise 2220 */ 2221 static int smack_task_getpgid(struct task_struct *p) 2222 { 2223 return smk_curacc_on_task(p, MAY_READ, __func__); 2224 } 2225 2226 /** 2227 * smack_task_getsid - Smack access check for getsid 2228 * @p: the object task 2229 * 2230 * Returns 0 if current can read the object task, error code otherwise 2231 */ 2232 static int smack_task_getsid(struct task_struct *p) 2233 { 2234 return smk_curacc_on_task(p, MAY_READ, __func__); 2235 } 2236 2237 /** 2238 * smack_current_getlsmprop_subj - get the subjective secid of the current task 2239 * @prop: where to put the result 2240 * 2241 * Sets the secid to contain a u32 version of the task's subjective smack label. 2242 */ 2243 static void smack_current_getlsmprop_subj(struct lsm_prop *prop) 2244 { 2245 prop->smack.skp = smk_of_current(); 2246 } 2247 2248 /** 2249 * smack_task_getlsmprop_obj - get the objective data of the task 2250 * @p: the task 2251 * @prop: where to put the result 2252 * 2253 * Sets the secid to contain a u32 version of the task's objective smack label. 2254 */ 2255 static void smack_task_getlsmprop_obj(struct task_struct *p, 2256 struct lsm_prop *prop) 2257 { 2258 prop->smack.skp = smk_of_task_struct_obj(p); 2259 } 2260 2261 /** 2262 * smack_task_setnice - Smack check on setting nice 2263 * @p: the task object 2264 * @nice: unused 2265 * 2266 * Return 0 if write access is permitted 2267 */ 2268 static int smack_task_setnice(struct task_struct *p, int nice) 2269 { 2270 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2271 } 2272 2273 /** 2274 * smack_task_setioprio - Smack check on setting ioprio 2275 * @p: the task object 2276 * @ioprio: unused 2277 * 2278 * Return 0 if write access is permitted 2279 */ 2280 static int smack_task_setioprio(struct task_struct *p, int ioprio) 2281 { 2282 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2283 } 2284 2285 /** 2286 * smack_task_getioprio - Smack check on reading ioprio 2287 * @p: the task object 2288 * 2289 * Return 0 if read access is permitted 2290 */ 2291 static int smack_task_getioprio(struct task_struct *p) 2292 { 2293 return smk_curacc_on_task(p, MAY_READ, __func__); 2294 } 2295 2296 /** 2297 * smack_task_setscheduler - Smack check on setting scheduler 2298 * @p: the task object 2299 * 2300 * Return 0 if read access is permitted 2301 */ 2302 static int smack_task_setscheduler(struct task_struct *p) 2303 { 2304 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2305 } 2306 2307 /** 2308 * smack_task_getscheduler - Smack check on reading scheduler 2309 * @p: the task object 2310 * 2311 * Return 0 if read access is permitted 2312 */ 2313 static int smack_task_getscheduler(struct task_struct *p) 2314 { 2315 return smk_curacc_on_task(p, MAY_READ, __func__); 2316 } 2317 2318 /** 2319 * smack_task_movememory - Smack check on moving memory 2320 * @p: the task object 2321 * 2322 * Return 0 if write access is permitted 2323 */ 2324 static int smack_task_movememory(struct task_struct *p) 2325 { 2326 return smk_curacc_on_task(p, MAY_WRITE, __func__); 2327 } 2328 2329 /** 2330 * smack_task_kill - Smack check on signal delivery 2331 * @p: the task object 2332 * @info: unused 2333 * @sig: unused 2334 * @cred: identifies the cred to use in lieu of current's 2335 * 2336 * Return 0 if write access is permitted 2337 * 2338 */ 2339 static int smack_task_kill(struct task_struct *p, struct kernel_siginfo *info, 2340 int sig, const struct cred *cred) 2341 { 2342 struct smk_audit_info ad; 2343 struct smack_known *skp; 2344 struct smack_known *tkp = smk_of_task_struct_obj(p); 2345 int rc; 2346 2347 if (!sig) 2348 return 0; /* null signal; existence test */ 2349 2350 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK); 2351 smk_ad_setfield_u_tsk(&ad, p); 2352 /* 2353 * Sending a signal requires that the sender 2354 * can write the receiver. 2355 */ 2356 if (cred == NULL) { 2357 rc = smk_curacc(tkp, MAY_DELIVER, &ad); 2358 rc = smk_bu_task(p, MAY_DELIVER, rc); 2359 return rc; 2360 } 2361 /* 2362 * If the cred isn't NULL we're dealing with some USB IO 2363 * specific behavior. This is not clean. For one thing 2364 * we can't take privilege into account. 2365 */ 2366 skp = smk_of_task(smack_cred(cred)); 2367 rc = smk_access(skp, tkp, MAY_DELIVER, &ad); 2368 rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc); 2369 return rc; 2370 } 2371 2372 /** 2373 * smack_task_to_inode - copy task smack into the inode blob 2374 * @p: task to copy from 2375 * @inode: inode to copy to 2376 * 2377 * Sets the smack pointer in the inode security blob 2378 */ 2379 static void smack_task_to_inode(struct task_struct *p, struct inode *inode) 2380 { 2381 struct inode_smack *isp = smack_inode(inode); 2382 struct smack_known *skp = smk_of_task_struct_obj(p); 2383 2384 isp->smk_inode = skp; 2385 isp->smk_flags |= SMK_INODE_INSTANT; 2386 } 2387 2388 /* 2389 * Socket hooks. 2390 */ 2391 2392 /** 2393 * smack_sk_alloc_security - Allocate a socket blob 2394 * @sk: the socket 2395 * @family: unused 2396 * @gfp_flags: memory allocation flags 2397 * 2398 * Assign Smack pointers to current 2399 * 2400 * Returns 0 on success, -ENOMEM is there's no memory 2401 */ 2402 static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags) 2403 { 2404 struct smack_known *skp = smk_of_current(); 2405 struct socket_smack *ssp = smack_sock(sk); 2406 2407 /* 2408 * Sockets created by kernel threads receive web label. 2409 */ 2410 if (unlikely(current->flags & PF_KTHREAD)) { 2411 ssp->smk_in = &smack_known_web; 2412 ssp->smk_out = &smack_known_web; 2413 } else { 2414 ssp->smk_in = skp; 2415 ssp->smk_out = skp; 2416 } 2417 ssp->smk_packet = NULL; 2418 2419 return 0; 2420 } 2421 2422 #ifdef SMACK_IPV6_PORT_LABELING 2423 /** 2424 * smack_sk_free_security - Free a socket blob 2425 * @sk: the socket 2426 * 2427 * Clears the blob pointer 2428 */ 2429 static void smack_sk_free_security(struct sock *sk) 2430 { 2431 struct smk_port_label *spp; 2432 2433 if (sk->sk_family == PF_INET6) { 2434 rcu_read_lock(); 2435 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2436 if (spp->smk_sock != sk) 2437 continue; 2438 spp->smk_can_reuse = 1; 2439 break; 2440 } 2441 rcu_read_unlock(); 2442 } 2443 } 2444 #endif 2445 2446 /** 2447 * smack_sk_clone_security - Copy security context 2448 * @sk: the old socket 2449 * @newsk: the new socket 2450 * 2451 * Copy the security context of the old socket pointer to the cloned 2452 */ 2453 static void smack_sk_clone_security(const struct sock *sk, struct sock *newsk) 2454 { 2455 struct socket_smack *ssp_old = smack_sock(sk); 2456 struct socket_smack *ssp_new = smack_sock(newsk); 2457 2458 *ssp_new = *ssp_old; 2459 } 2460 2461 /** 2462 * smack_ipv4host_label - check host based restrictions 2463 * @sip: the object end 2464 * 2465 * looks for host based access restrictions 2466 * 2467 * This version will only be appropriate for really small sets of single label 2468 * hosts. The caller is responsible for ensuring that the RCU read lock is 2469 * taken before calling this function. 2470 * 2471 * Returns the label of the far end or NULL if it's not special. 2472 */ 2473 static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip) 2474 { 2475 struct smk_net4addr *snp; 2476 struct in_addr *siap = &sip->sin_addr; 2477 2478 if (siap->s_addr == 0) 2479 return NULL; 2480 2481 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) 2482 /* 2483 * we break after finding the first match because 2484 * the list is sorted from longest to shortest mask 2485 * so we have found the most specific match 2486 */ 2487 if (snp->smk_host.s_addr == 2488 (siap->s_addr & snp->smk_mask.s_addr)) 2489 return snp->smk_label; 2490 2491 return NULL; 2492 } 2493 2494 #if IS_ENABLED(CONFIG_IPV6) 2495 /* 2496 * smk_ipv6_localhost - Check for local ipv6 host address 2497 * @sip: the address 2498 * 2499 * Returns boolean true if this is the localhost address 2500 */ 2501 static bool smk_ipv6_localhost(struct sockaddr_in6 *sip) 2502 { 2503 __be16 *be16p = (__be16 *)&sip->sin6_addr; 2504 __be32 *be32p = (__be32 *)&sip->sin6_addr; 2505 2506 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 && 2507 ntohs(be16p[7]) == 1) 2508 return true; 2509 return false; 2510 } 2511 2512 /** 2513 * smack_ipv6host_label - check host based restrictions 2514 * @sip: the object end 2515 * 2516 * looks for host based access restrictions 2517 * 2518 * This version will only be appropriate for really small sets of single label 2519 * hosts. The caller is responsible for ensuring that the RCU read lock is 2520 * taken before calling this function. 2521 * 2522 * Returns the label of the far end or NULL if it's not special. 2523 */ 2524 static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip) 2525 { 2526 struct smk_net6addr *snp; 2527 struct in6_addr *sap = &sip->sin6_addr; 2528 int i; 2529 int found = 0; 2530 2531 /* 2532 * It's local. Don't look for a host label. 2533 */ 2534 if (smk_ipv6_localhost(sip)) 2535 return NULL; 2536 2537 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 2538 /* 2539 * If the label is NULL the entry has 2540 * been renounced. Ignore it. 2541 */ 2542 if (snp->smk_label == NULL) 2543 continue; 2544 /* 2545 * we break after finding the first match because 2546 * the list is sorted from longest to shortest mask 2547 * so we have found the most specific match 2548 */ 2549 for (found = 1, i = 0; i < 8; i++) { 2550 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != 2551 snp->smk_host.s6_addr16[i]) { 2552 found = 0; 2553 break; 2554 } 2555 } 2556 if (found) 2557 return snp->smk_label; 2558 } 2559 2560 return NULL; 2561 } 2562 #endif /* CONFIG_IPV6 */ 2563 2564 /** 2565 * smack_netlbl_add - Set the secattr on a socket 2566 * @sk: the socket 2567 * 2568 * Attach the outbound smack value (smk_out) to the socket. 2569 * 2570 * Returns 0 on success or an error code 2571 */ 2572 static int smack_netlbl_add(struct sock *sk) 2573 { 2574 struct socket_smack *ssp = smack_sock(sk); 2575 struct smack_known *skp = ssp->smk_out; 2576 int rc; 2577 2578 local_bh_disable(); 2579 bh_lock_sock_nested(sk); 2580 2581 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, 2582 netlbl_sk_lock_check(sk)); 2583 switch (rc) { 2584 case 0: 2585 ssp->smk_state = SMK_NETLBL_LABELED; 2586 break; 2587 case -EDESTADDRREQ: 2588 ssp->smk_state = SMK_NETLBL_REQSKB; 2589 rc = 0; 2590 break; 2591 } 2592 2593 bh_unlock_sock(sk); 2594 local_bh_enable(); 2595 2596 return rc; 2597 } 2598 2599 /** 2600 * smack_netlbl_delete - Remove the secattr from a socket 2601 * @sk: the socket 2602 * 2603 * Remove the outbound smack value from a socket 2604 */ 2605 static void smack_netlbl_delete(struct sock *sk) 2606 { 2607 struct socket_smack *ssp = smack_sock(sk); 2608 2609 /* 2610 * Take the label off the socket if one is set. 2611 */ 2612 if (ssp->smk_state != SMK_NETLBL_LABELED) 2613 return; 2614 2615 local_bh_disable(); 2616 bh_lock_sock_nested(sk); 2617 netlbl_sock_delattr(sk); 2618 bh_unlock_sock(sk); 2619 local_bh_enable(); 2620 ssp->smk_state = SMK_NETLBL_UNLABELED; 2621 } 2622 2623 /** 2624 * smk_ipv4_check - Perform IPv4 host access checks 2625 * @sk: the socket 2626 * @sap: the destination address 2627 * 2628 * Set the correct secattr for the given socket based on the destination 2629 * address and perform any outbound access checks needed. 2630 * 2631 * Returns 0 on success or an error code. 2632 * 2633 */ 2634 static int smk_ipv4_check(struct sock *sk, struct sockaddr_in *sap) 2635 { 2636 struct smack_known *skp; 2637 int rc = 0; 2638 struct smack_known *hkp; 2639 struct socket_smack *ssp = smack_sock(sk); 2640 struct smk_audit_info ad; 2641 2642 rcu_read_lock(); 2643 hkp = smack_ipv4host_label(sap); 2644 if (hkp != NULL) { 2645 #ifdef CONFIG_AUDIT 2646 struct lsm_network_audit net; 2647 2648 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2649 ad.a.u.net->family = sap->sin_family; 2650 ad.a.u.net->dport = sap->sin_port; 2651 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; 2652 #endif 2653 skp = ssp->smk_out; 2654 rc = smk_access(skp, hkp, MAY_WRITE, &ad); 2655 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc); 2656 /* 2657 * Clear the socket netlabel if it's set. 2658 */ 2659 if (!rc) 2660 smack_netlbl_delete(sk); 2661 } 2662 rcu_read_unlock(); 2663 2664 return rc; 2665 } 2666 2667 #if IS_ENABLED(CONFIG_IPV6) 2668 /** 2669 * smk_ipv6_check - check Smack access 2670 * @subject: subject Smack label 2671 * @object: object Smack label 2672 * @address: address 2673 * @act: the action being taken 2674 * 2675 * Check an IPv6 access 2676 */ 2677 static int smk_ipv6_check(struct smack_known *subject, 2678 struct smack_known *object, 2679 struct sockaddr_in6 *address, int act) 2680 { 2681 #ifdef CONFIG_AUDIT 2682 struct lsm_network_audit net; 2683 #endif 2684 struct smk_audit_info ad; 2685 int rc; 2686 2687 #ifdef CONFIG_AUDIT 2688 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 2689 ad.a.u.net->family = PF_INET6; 2690 ad.a.u.net->dport = address->sin6_port; 2691 if (act == SMK_RECEIVING) 2692 ad.a.u.net->v6info.saddr = address->sin6_addr; 2693 else 2694 ad.a.u.net->v6info.daddr = address->sin6_addr; 2695 #endif 2696 rc = smk_access(subject, object, MAY_WRITE, &ad); 2697 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc); 2698 return rc; 2699 } 2700 #endif /* CONFIG_IPV6 */ 2701 2702 #ifdef SMACK_IPV6_PORT_LABELING 2703 /** 2704 * smk_ipv6_port_label - Smack port access table management 2705 * @sock: socket 2706 * @address: address 2707 * 2708 * Create or update the port list entry 2709 */ 2710 static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address) 2711 { 2712 struct sock *sk = sock->sk; 2713 struct sockaddr_in6 *addr6; 2714 struct socket_smack *ssp = smack_sock(sock->sk); 2715 struct smk_port_label *spp; 2716 unsigned short port = 0; 2717 2718 if (address == NULL) { 2719 /* 2720 * This operation is changing the Smack information 2721 * on the bound socket. Take the changes to the port 2722 * as well. 2723 */ 2724 rcu_read_lock(); 2725 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2726 if (sk != spp->smk_sock) 2727 continue; 2728 spp->smk_in = ssp->smk_in; 2729 spp->smk_out = ssp->smk_out; 2730 rcu_read_unlock(); 2731 return; 2732 } 2733 /* 2734 * A NULL address is only used for updating existing 2735 * bound entries. If there isn't one, it's OK. 2736 */ 2737 rcu_read_unlock(); 2738 return; 2739 } 2740 2741 addr6 = (struct sockaddr_in6 *)address; 2742 port = ntohs(addr6->sin6_port); 2743 /* 2744 * This is a special case that is safely ignored. 2745 */ 2746 if (port == 0) 2747 return; 2748 2749 /* 2750 * Look for an existing port list entry. 2751 * This is an indication that a port is getting reused. 2752 */ 2753 rcu_read_lock(); 2754 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2755 if (spp->smk_port != port || spp->smk_sock_type != sock->type) 2756 continue; 2757 if (spp->smk_can_reuse != 1) { 2758 rcu_read_unlock(); 2759 return; 2760 } 2761 spp->smk_port = port; 2762 spp->smk_sock = sk; 2763 spp->smk_in = ssp->smk_in; 2764 spp->smk_out = ssp->smk_out; 2765 spp->smk_can_reuse = 0; 2766 rcu_read_unlock(); 2767 return; 2768 } 2769 rcu_read_unlock(); 2770 /* 2771 * A new port entry is required. 2772 */ 2773 spp = kzalloc(sizeof(*spp), GFP_KERNEL); 2774 if (spp == NULL) 2775 return; 2776 2777 spp->smk_port = port; 2778 spp->smk_sock = sk; 2779 spp->smk_in = ssp->smk_in; 2780 spp->smk_out = ssp->smk_out; 2781 spp->smk_sock_type = sock->type; 2782 spp->smk_can_reuse = 0; 2783 2784 mutex_lock(&smack_ipv6_lock); 2785 list_add_rcu(&spp->list, &smk_ipv6_port_list); 2786 mutex_unlock(&smack_ipv6_lock); 2787 return; 2788 } 2789 2790 /** 2791 * smk_ipv6_port_check - check Smack port access 2792 * @sk: socket 2793 * @address: address 2794 * @act: the action being taken 2795 * 2796 * Create or update the port list entry 2797 */ 2798 static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address, 2799 int act) 2800 { 2801 struct smk_port_label *spp; 2802 struct socket_smack *ssp = smack_sock(sk); 2803 struct smack_known *skp = NULL; 2804 unsigned short port; 2805 struct smack_known *object; 2806 2807 if (act == SMK_RECEIVING) { 2808 skp = smack_ipv6host_label(address); 2809 object = ssp->smk_in; 2810 } else { 2811 skp = ssp->smk_out; 2812 object = smack_ipv6host_label(address); 2813 } 2814 2815 /* 2816 * The other end is a single label host. 2817 */ 2818 if (skp != NULL && object != NULL) 2819 return smk_ipv6_check(skp, object, address, act); 2820 if (skp == NULL) 2821 skp = smack_net_ambient; 2822 if (object == NULL) 2823 object = smack_net_ambient; 2824 2825 /* 2826 * It's remote, so port lookup does no good. 2827 */ 2828 if (!smk_ipv6_localhost(address)) 2829 return smk_ipv6_check(skp, object, address, act); 2830 2831 /* 2832 * It's local so the send check has to have passed. 2833 */ 2834 if (act == SMK_RECEIVING) 2835 return 0; 2836 2837 port = ntohs(address->sin6_port); 2838 rcu_read_lock(); 2839 list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) { 2840 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) 2841 continue; 2842 object = spp->smk_in; 2843 if (act == SMK_CONNECTING) 2844 ssp->smk_packet = spp->smk_out; 2845 break; 2846 } 2847 rcu_read_unlock(); 2848 2849 return smk_ipv6_check(skp, object, address, act); 2850 } 2851 #endif 2852 2853 /** 2854 * smack_inode_setsecurity - set smack xattrs 2855 * @inode: the object 2856 * @name: attribute name 2857 * @value: attribute value 2858 * @size: size of the attribute 2859 * @flags: unused 2860 * 2861 * Sets the named attribute in the appropriate blob 2862 * 2863 * Returns 0 on success, or an error code 2864 */ 2865 static int smack_inode_setsecurity(struct inode *inode, const char *name, 2866 const void *value, size_t size, int flags) 2867 { 2868 struct smack_known *skp; 2869 struct inode_smack *nsp = smack_inode(inode); 2870 struct socket_smack *ssp; 2871 struct socket *sock; 2872 int rc = 0; 2873 2874 if (value == NULL || size > SMK_LONGLABEL || size == 0) 2875 return -EINVAL; 2876 2877 if (strcmp(name, XATTR_SMACK_TRANSMUTE) == 0) { 2878 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || 2879 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0) 2880 return -EINVAL; 2881 2882 nsp->smk_flags |= SMK_INODE_TRANSMUTE; 2883 return 0; 2884 } 2885 2886 skp = smk_import_entry(value, size); 2887 if (IS_ERR(skp)) 2888 return PTR_ERR(skp); 2889 2890 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) { 2891 nsp->smk_inode = skp; 2892 nsp->smk_flags |= SMK_INODE_INSTANT; 2893 return 0; 2894 } 2895 /* 2896 * The rest of the Smack xattrs are only on sockets. 2897 */ 2898 if (inode->i_sb->s_magic != SOCKFS_MAGIC) 2899 return -EOPNOTSUPP; 2900 2901 sock = SOCKET_I(inode); 2902 if (sock == NULL || sock->sk == NULL) 2903 return -EOPNOTSUPP; 2904 2905 ssp = smack_sock(sock->sk); 2906 2907 if (strcmp(name, XATTR_SMACK_IPIN) == 0) 2908 ssp->smk_in = skp; 2909 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) { 2910 ssp->smk_out = skp; 2911 if (sock->sk->sk_family == PF_INET) { 2912 rc = smack_netlbl_add(sock->sk); 2913 if (rc != 0) 2914 printk(KERN_WARNING 2915 "Smack: \"%s\" netlbl error %d.\n", 2916 __func__, -rc); 2917 } 2918 } else 2919 return -EOPNOTSUPP; 2920 2921 #ifdef SMACK_IPV6_PORT_LABELING 2922 if (sock->sk->sk_family == PF_INET6) 2923 smk_ipv6_port_label(sock, NULL); 2924 #endif 2925 2926 return 0; 2927 } 2928 2929 /** 2930 * smack_socket_post_create - finish socket setup 2931 * @sock: the socket 2932 * @family: protocol family 2933 * @type: unused 2934 * @protocol: unused 2935 * @kern: unused 2936 * 2937 * Sets the netlabel information on the socket 2938 * 2939 * Returns 0 on success, and error code otherwise 2940 */ 2941 static int smack_socket_post_create(struct socket *sock, int family, 2942 int type, int protocol, int kern) 2943 { 2944 struct socket_smack *ssp; 2945 2946 if (sock->sk == NULL) 2947 return 0; 2948 2949 /* 2950 * Sockets created by kernel threads receive web label. 2951 */ 2952 if (unlikely(current->flags & PF_KTHREAD)) { 2953 ssp = smack_sock(sock->sk); 2954 ssp->smk_in = &smack_known_web; 2955 ssp->smk_out = &smack_known_web; 2956 } 2957 2958 if (family != PF_INET) 2959 return 0; 2960 /* 2961 * Set the outbound netlbl. 2962 */ 2963 return smack_netlbl_add(sock->sk); 2964 } 2965 2966 /** 2967 * smack_socket_socketpair - create socket pair 2968 * @socka: one socket 2969 * @sockb: another socket 2970 * 2971 * Cross reference the peer labels for SO_PEERSEC 2972 * 2973 * Returns 0 2974 */ 2975 static int smack_socket_socketpair(struct socket *socka, 2976 struct socket *sockb) 2977 { 2978 struct socket_smack *asp = smack_sock(socka->sk); 2979 struct socket_smack *bsp = smack_sock(sockb->sk); 2980 2981 asp->smk_packet = bsp->smk_out; 2982 bsp->smk_packet = asp->smk_out; 2983 2984 return 0; 2985 } 2986 2987 #ifdef SMACK_IPV6_PORT_LABELING 2988 /** 2989 * smack_socket_bind - record port binding information. 2990 * @sock: the socket 2991 * @address: the port address 2992 * @addrlen: size of the address 2993 * 2994 * Records the label bound to a port. 2995 * 2996 * Returns 0 on success, and error code otherwise 2997 */ 2998 static int smack_socket_bind(struct socket *sock, struct sockaddr *address, 2999 int addrlen) 3000 { 3001 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { 3002 if (addrlen < SIN6_LEN_RFC2133 || 3003 address->sa_family != AF_INET6) 3004 return -EINVAL; 3005 smk_ipv6_port_label(sock, address); 3006 } 3007 return 0; 3008 } 3009 #endif /* SMACK_IPV6_PORT_LABELING */ 3010 3011 /** 3012 * smack_socket_connect - connect access check 3013 * @sock: the socket 3014 * @sap: the other end 3015 * @addrlen: size of sap 3016 * 3017 * Verifies that a connection may be possible 3018 * 3019 * Returns 0 on success, and error code otherwise 3020 */ 3021 static int smack_socket_connect(struct socket *sock, struct sockaddr *sap, 3022 int addrlen) 3023 { 3024 int rc = 0; 3025 3026 if (sock->sk == NULL) 3027 return 0; 3028 if (sock->sk->sk_family != PF_INET && 3029 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) 3030 return 0; 3031 if (addrlen < offsetofend(struct sockaddr, sa_family)) 3032 return 0; 3033 3034 #if IS_ENABLED(CONFIG_IPV6) 3035 if (sap->sa_family == AF_INET6) { 3036 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap; 3037 struct smack_known *rsp = NULL; 3038 3039 if (addrlen < SIN6_LEN_RFC2133) 3040 return 0; 3041 if (__is_defined(SMACK_IPV6_SECMARK_LABELING)) 3042 rsp = smack_ipv6host_label(sip); 3043 if (rsp != NULL) { 3044 struct socket_smack *ssp = smack_sock(sock->sk); 3045 3046 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, 3047 SMK_CONNECTING); 3048 } 3049 #ifdef SMACK_IPV6_PORT_LABELING 3050 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); 3051 #endif 3052 3053 return rc; 3054 } 3055 #endif /* CONFIG_IPV6 */ 3056 3057 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) 3058 return 0; 3059 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); 3060 return rc; 3061 } 3062 3063 /** 3064 * smack_flags_to_may - convert S_ to MAY_ values 3065 * @flags: the S_ value 3066 * 3067 * Returns the equivalent MAY_ value 3068 */ 3069 static int smack_flags_to_may(int flags) 3070 { 3071 int may = 0; 3072 3073 if (flags & S_IRUGO) 3074 may |= MAY_READ; 3075 if (flags & S_IWUGO) 3076 may |= MAY_WRITE; 3077 if (flags & S_IXUGO) 3078 may |= MAY_EXEC; 3079 3080 return may; 3081 } 3082 3083 /** 3084 * smack_msg_msg_alloc_security - Set the security blob for msg_msg 3085 * @msg: the object 3086 * 3087 * Returns 0 3088 */ 3089 static int smack_msg_msg_alloc_security(struct msg_msg *msg) 3090 { 3091 struct smack_known **blob = smack_msg_msg(msg); 3092 3093 *blob = smk_of_current(); 3094 return 0; 3095 } 3096 3097 /** 3098 * smack_of_ipc - the smack pointer for the ipc 3099 * @isp: the object 3100 * 3101 * Returns a pointer to the smack value 3102 */ 3103 static struct smack_known *smack_of_ipc(struct kern_ipc_perm *isp) 3104 { 3105 struct smack_known **blob = smack_ipc(isp); 3106 3107 return *blob; 3108 } 3109 3110 /** 3111 * smack_ipc_alloc_security - Set the security blob for ipc 3112 * @isp: the object 3113 * 3114 * Returns 0 3115 */ 3116 static int smack_ipc_alloc_security(struct kern_ipc_perm *isp) 3117 { 3118 struct smack_known **blob = smack_ipc(isp); 3119 3120 *blob = smk_of_current(); 3121 return 0; 3122 } 3123 3124 /** 3125 * smk_curacc_shm : check if current has access on shm 3126 * @isp : the object 3127 * @access : access requested 3128 * 3129 * Returns 0 if current has the requested access, error code otherwise 3130 */ 3131 static int smk_curacc_shm(struct kern_ipc_perm *isp, int access) 3132 { 3133 struct smack_known *ssp = smack_of_ipc(isp); 3134 struct smk_audit_info ad; 3135 int rc; 3136 3137 #ifdef CONFIG_AUDIT 3138 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3139 ad.a.u.ipc_id = isp->id; 3140 #endif 3141 rc = smk_curacc(ssp, access, &ad); 3142 rc = smk_bu_current("shm", ssp, access, rc); 3143 return rc; 3144 } 3145 3146 /** 3147 * smack_shm_associate - Smack access check for shm 3148 * @isp: the object 3149 * @shmflg: access requested 3150 * 3151 * Returns 0 if current has the requested access, error code otherwise 3152 */ 3153 static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg) 3154 { 3155 int may; 3156 3157 may = smack_flags_to_may(shmflg); 3158 return smk_curacc_shm(isp, may); 3159 } 3160 3161 /** 3162 * smack_shm_shmctl - Smack access check for shm 3163 * @isp: the object 3164 * @cmd: what it wants to do 3165 * 3166 * Returns 0 if current has the requested access, error code otherwise 3167 */ 3168 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) 3169 { 3170 int may; 3171 3172 switch (cmd) { 3173 case IPC_STAT: 3174 case SHM_STAT: 3175 case SHM_STAT_ANY: 3176 may = MAY_READ; 3177 break; 3178 case IPC_SET: 3179 case SHM_LOCK: 3180 case SHM_UNLOCK: 3181 case IPC_RMID: 3182 may = MAY_READWRITE; 3183 break; 3184 case IPC_INFO: 3185 case SHM_INFO: 3186 /* 3187 * System level information. 3188 */ 3189 return 0; 3190 default: 3191 return -EINVAL; 3192 } 3193 return smk_curacc_shm(isp, may); 3194 } 3195 3196 /** 3197 * smack_shm_shmat - Smack access for shmat 3198 * @isp: the object 3199 * @shmaddr: unused 3200 * @shmflg: access requested 3201 * 3202 * Returns 0 if current has the requested access, error code otherwise 3203 */ 3204 static int smack_shm_shmat(struct kern_ipc_perm *isp, char __user *shmaddr, 3205 int shmflg) 3206 { 3207 int may; 3208 3209 may = smack_flags_to_may(shmflg); 3210 return smk_curacc_shm(isp, may); 3211 } 3212 3213 /** 3214 * smk_curacc_sem : check if current has access on sem 3215 * @isp : the object 3216 * @access : access requested 3217 * 3218 * Returns 0 if current has the requested access, error code otherwise 3219 */ 3220 static int smk_curacc_sem(struct kern_ipc_perm *isp, int access) 3221 { 3222 struct smack_known *ssp = smack_of_ipc(isp); 3223 struct smk_audit_info ad; 3224 int rc; 3225 3226 #ifdef CONFIG_AUDIT 3227 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3228 ad.a.u.ipc_id = isp->id; 3229 #endif 3230 rc = smk_curacc(ssp, access, &ad); 3231 rc = smk_bu_current("sem", ssp, access, rc); 3232 return rc; 3233 } 3234 3235 /** 3236 * smack_sem_associate - Smack access check for sem 3237 * @isp: the object 3238 * @semflg: access requested 3239 * 3240 * Returns 0 if current has the requested access, error code otherwise 3241 */ 3242 static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg) 3243 { 3244 int may; 3245 3246 may = smack_flags_to_may(semflg); 3247 return smk_curacc_sem(isp, may); 3248 } 3249 3250 /** 3251 * smack_sem_semctl - Smack access check for sem 3252 * @isp: the object 3253 * @cmd: what it wants to do 3254 * 3255 * Returns 0 if current has the requested access, error code otherwise 3256 */ 3257 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) 3258 { 3259 int may; 3260 3261 switch (cmd) { 3262 case GETPID: 3263 case GETNCNT: 3264 case GETZCNT: 3265 case GETVAL: 3266 case GETALL: 3267 case IPC_STAT: 3268 case SEM_STAT: 3269 case SEM_STAT_ANY: 3270 may = MAY_READ; 3271 break; 3272 case SETVAL: 3273 case SETALL: 3274 case IPC_RMID: 3275 case IPC_SET: 3276 may = MAY_READWRITE; 3277 break; 3278 case IPC_INFO: 3279 case SEM_INFO: 3280 /* 3281 * System level information 3282 */ 3283 return 0; 3284 default: 3285 return -EINVAL; 3286 } 3287 3288 return smk_curacc_sem(isp, may); 3289 } 3290 3291 /** 3292 * smack_sem_semop - Smack checks of semaphore operations 3293 * @isp: the object 3294 * @sops: unused 3295 * @nsops: unused 3296 * @alter: unused 3297 * 3298 * Treated as read and write in all cases. 3299 * 3300 * Returns 0 if access is allowed, error code otherwise 3301 */ 3302 static int smack_sem_semop(struct kern_ipc_perm *isp, struct sembuf *sops, 3303 unsigned nsops, int alter) 3304 { 3305 return smk_curacc_sem(isp, MAY_READWRITE); 3306 } 3307 3308 /** 3309 * smk_curacc_msq : helper to check if current has access on msq 3310 * @isp : the msq 3311 * @access : access requested 3312 * 3313 * return 0 if current has access, error otherwise 3314 */ 3315 static int smk_curacc_msq(struct kern_ipc_perm *isp, int access) 3316 { 3317 struct smack_known *msp = smack_of_ipc(isp); 3318 struct smk_audit_info ad; 3319 int rc; 3320 3321 #ifdef CONFIG_AUDIT 3322 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3323 ad.a.u.ipc_id = isp->id; 3324 #endif 3325 rc = smk_curacc(msp, access, &ad); 3326 rc = smk_bu_current("msq", msp, access, rc); 3327 return rc; 3328 } 3329 3330 /** 3331 * smack_msg_queue_associate - Smack access check for msg_queue 3332 * @isp: the object 3333 * @msqflg: access requested 3334 * 3335 * Returns 0 if current has the requested access, error code otherwise 3336 */ 3337 static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg) 3338 { 3339 int may; 3340 3341 may = smack_flags_to_may(msqflg); 3342 return smk_curacc_msq(isp, may); 3343 } 3344 3345 /** 3346 * smack_msg_queue_msgctl - Smack access check for msg_queue 3347 * @isp: the object 3348 * @cmd: what it wants to do 3349 * 3350 * Returns 0 if current has the requested access, error code otherwise 3351 */ 3352 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) 3353 { 3354 int may; 3355 3356 switch (cmd) { 3357 case IPC_STAT: 3358 case MSG_STAT: 3359 case MSG_STAT_ANY: 3360 may = MAY_READ; 3361 break; 3362 case IPC_SET: 3363 case IPC_RMID: 3364 may = MAY_READWRITE; 3365 break; 3366 case IPC_INFO: 3367 case MSG_INFO: 3368 /* 3369 * System level information 3370 */ 3371 return 0; 3372 default: 3373 return -EINVAL; 3374 } 3375 3376 return smk_curacc_msq(isp, may); 3377 } 3378 3379 /** 3380 * smack_msg_queue_msgsnd - Smack access check for msg_queue 3381 * @isp: the object 3382 * @msg: unused 3383 * @msqflg: access requested 3384 * 3385 * Returns 0 if current has the requested access, error code otherwise 3386 */ 3387 static int smack_msg_queue_msgsnd(struct kern_ipc_perm *isp, struct msg_msg *msg, 3388 int msqflg) 3389 { 3390 int may; 3391 3392 may = smack_flags_to_may(msqflg); 3393 return smk_curacc_msq(isp, may); 3394 } 3395 3396 /** 3397 * smack_msg_queue_msgrcv - Smack access check for msg_queue 3398 * @isp: the object 3399 * @msg: unused 3400 * @target: unused 3401 * @type: unused 3402 * @mode: unused 3403 * 3404 * Returns 0 if current has read and write access, error code otherwise 3405 */ 3406 static int smack_msg_queue_msgrcv(struct kern_ipc_perm *isp, 3407 struct msg_msg *msg, 3408 struct task_struct *target, long type, 3409 int mode) 3410 { 3411 return smk_curacc_msq(isp, MAY_READWRITE); 3412 } 3413 3414 /** 3415 * smack_ipc_permission - Smack access for ipc_permission() 3416 * @ipp: the object permissions 3417 * @flag: access requested 3418 * 3419 * Returns 0 if current has read and write access, error code otherwise 3420 */ 3421 static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag) 3422 { 3423 struct smack_known **blob = smack_ipc(ipp); 3424 struct smack_known *iskp = *blob; 3425 int may = smack_flags_to_may(flag); 3426 struct smk_audit_info ad; 3427 int rc; 3428 3429 #ifdef CONFIG_AUDIT 3430 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC); 3431 ad.a.u.ipc_id = ipp->id; 3432 #endif 3433 rc = smk_curacc(iskp, may, &ad); 3434 rc = smk_bu_current("svipc", iskp, may, rc); 3435 return rc; 3436 } 3437 3438 /** 3439 * smack_ipc_getlsmprop - Extract smack security data 3440 * @ipp: the object permissions 3441 * @prop: where result will be saved 3442 */ 3443 static void smack_ipc_getlsmprop(struct kern_ipc_perm *ipp, struct lsm_prop *prop) 3444 { 3445 struct smack_known **iskpp = smack_ipc(ipp); 3446 3447 prop->smack.skp = *iskpp; 3448 } 3449 3450 /** 3451 * smack_d_instantiate - Make sure the blob is correct on an inode 3452 * @opt_dentry: dentry where inode will be attached 3453 * @inode: the object 3454 * 3455 * Set the inode's security blob if it hasn't been done already. 3456 */ 3457 static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode) 3458 { 3459 struct super_block *sbp; 3460 struct superblock_smack *sbsp; 3461 struct inode_smack *isp; 3462 struct smack_known *skp; 3463 struct smack_known *ckp = smk_of_current(); 3464 struct smack_known *final; 3465 char trattr[TRANS_TRUE_SIZE]; 3466 int transflag = 0; 3467 int rc; 3468 struct dentry *dp; 3469 3470 if (inode == NULL) 3471 return; 3472 3473 isp = smack_inode(inode); 3474 3475 /* 3476 * If the inode is already instantiated 3477 * take the quick way out 3478 */ 3479 if (isp->smk_flags & SMK_INODE_INSTANT) 3480 return; 3481 3482 sbp = inode->i_sb; 3483 sbsp = smack_superblock(sbp); 3484 /* 3485 * We're going to use the superblock default label 3486 * if there's no label on the file. 3487 */ 3488 final = sbsp->smk_default; 3489 3490 /* 3491 * If this is the root inode the superblock 3492 * may be in the process of initialization. 3493 * If that is the case use the root value out 3494 * of the superblock. 3495 */ 3496 if (opt_dentry->d_parent == opt_dentry) { 3497 switch (sbp->s_magic) { 3498 case CGROUP_SUPER_MAGIC: 3499 case CGROUP2_SUPER_MAGIC: 3500 /* 3501 * The cgroup filesystem is never mounted, 3502 * so there's no opportunity to set the mount 3503 * options. 3504 */ 3505 sbsp->smk_root = &smack_known_star; 3506 sbsp->smk_default = &smack_known_star; 3507 isp->smk_inode = sbsp->smk_root; 3508 break; 3509 case TMPFS_MAGIC: 3510 /* 3511 * What about shmem/tmpfs anonymous files with dentry 3512 * obtained from d_alloc_pseudo()? 3513 */ 3514 isp->smk_inode = smk_of_current(); 3515 break; 3516 case PIPEFS_MAGIC: 3517 isp->smk_inode = smk_of_current(); 3518 break; 3519 case SOCKFS_MAGIC: 3520 /* 3521 * Socket access is controlled by the socket 3522 * structures associated with the task involved. 3523 */ 3524 isp->smk_inode = &smack_known_star; 3525 break; 3526 default: 3527 isp->smk_inode = sbsp->smk_root; 3528 break; 3529 } 3530 isp->smk_flags |= SMK_INODE_INSTANT; 3531 return; 3532 } 3533 3534 /* 3535 * This is pretty hackish. 3536 * Casey says that we shouldn't have to do 3537 * file system specific code, but it does help 3538 * with keeping it simple. 3539 */ 3540 switch (sbp->s_magic) { 3541 case SMACK_MAGIC: 3542 case CGROUP_SUPER_MAGIC: 3543 case CGROUP2_SUPER_MAGIC: 3544 /* 3545 * Casey says that it's a little embarrassing 3546 * that the smack file system doesn't do 3547 * extended attributes. 3548 * 3549 * Cgroupfs is special 3550 */ 3551 final = &smack_known_star; 3552 break; 3553 case DEVPTS_SUPER_MAGIC: 3554 /* 3555 * devpts seems content with the label of the task. 3556 * Programs that change smack have to treat the 3557 * pty with respect. 3558 */ 3559 final = ckp; 3560 break; 3561 case PROC_SUPER_MAGIC: 3562 /* 3563 * Casey says procfs appears not to care. 3564 * The superblock default suffices. 3565 */ 3566 break; 3567 case TMPFS_MAGIC: 3568 /* 3569 * Device labels should come from the filesystem, 3570 * but watch out, because they're volitile, 3571 * getting recreated on every reboot. 3572 */ 3573 final = &smack_known_star; 3574 /* 3575 * If a smack value has been set we want to use it, 3576 * but since tmpfs isn't giving us the opportunity 3577 * to set mount options simulate setting the 3578 * superblock default. 3579 */ 3580 fallthrough; 3581 default: 3582 /* 3583 * This isn't an understood special case. 3584 * Get the value from the xattr. 3585 */ 3586 3587 /* 3588 * UNIX domain sockets use lower level socket data. 3589 */ 3590 if (S_ISSOCK(inode->i_mode)) { 3591 final = &smack_known_star; 3592 break; 3593 } 3594 /* 3595 * No xattr support means, alas, no SMACK label. 3596 * Use the aforeapplied default. 3597 * It would be curious if the label of the task 3598 * does not match that assigned. 3599 */ 3600 if (!(inode->i_opflags & IOP_XATTR)) 3601 break; 3602 /* 3603 * Get the dentry for xattr. 3604 */ 3605 dp = dget(opt_dentry); 3606 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp); 3607 if (!IS_ERR_OR_NULL(skp)) 3608 final = skp; 3609 3610 /* 3611 * Transmuting directory 3612 */ 3613 if (S_ISDIR(inode->i_mode)) { 3614 /* 3615 * If this is a new directory and the label was 3616 * transmuted when the inode was initialized 3617 * set the transmute attribute on the directory 3618 * and mark the inode. 3619 * 3620 * If there is a transmute attribute on the 3621 * directory mark the inode. 3622 */ 3623 rc = __vfs_getxattr(dp, inode, 3624 XATTR_NAME_SMACKTRANSMUTE, trattr, 3625 TRANS_TRUE_SIZE); 3626 if (rc >= 0 && strncmp(trattr, TRANS_TRUE, 3627 TRANS_TRUE_SIZE) != 0) 3628 rc = -EINVAL; 3629 if (rc >= 0) 3630 transflag = SMK_INODE_TRANSMUTE; 3631 } 3632 /* 3633 * Don't let the exec or mmap label be "*" or "@". 3634 */ 3635 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp); 3636 if (IS_ERR(skp) || skp == &smack_known_star || 3637 skp == &smack_known_web) 3638 skp = NULL; 3639 isp->smk_task = skp; 3640 3641 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp); 3642 if (IS_ERR(skp) || skp == &smack_known_star || 3643 skp == &smack_known_web) 3644 skp = NULL; 3645 isp->smk_mmap = skp; 3646 3647 dput(dp); 3648 break; 3649 } 3650 3651 if (final == NULL) 3652 isp->smk_inode = ckp; 3653 else 3654 isp->smk_inode = final; 3655 3656 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); 3657 3658 return; 3659 } 3660 3661 /** 3662 * smack_getselfattr - Smack current process attribute 3663 * @attr: which attribute to fetch 3664 * @ctx: buffer to receive the result 3665 * @size: available size in, actual size out 3666 * @flags: unused 3667 * 3668 * Fill the passed user space @ctx with the details of the requested 3669 * attribute. 3670 * 3671 * Returns the number of attributes on success, an error code otherwise. 3672 * There will only ever be one attribute. 3673 */ 3674 static int smack_getselfattr(unsigned int attr, struct lsm_ctx __user *ctx, 3675 u32 *size, u32 flags) 3676 { 3677 int rc; 3678 struct smack_known *skp; 3679 3680 if (attr != LSM_ATTR_CURRENT) 3681 return -EOPNOTSUPP; 3682 3683 skp = smk_of_current(); 3684 rc = lsm_fill_user_ctx(ctx, size, 3685 skp->smk_known, strlen(skp->smk_known) + 1, 3686 LSM_ID_SMACK, 0); 3687 return (!rc ? 1 : rc); 3688 } 3689 3690 /** 3691 * smack_getprocattr - Smack process attribute access 3692 * @p: the object task 3693 * @name: the name of the attribute in /proc/.../attr 3694 * @value: where to put the result 3695 * 3696 * Places a copy of the task Smack into value 3697 * 3698 * Returns the length of the smack label or an error code 3699 */ 3700 static int smack_getprocattr(struct task_struct *p, const char *name, char **value) 3701 { 3702 struct smack_known *skp = smk_of_task_struct_obj(p); 3703 char *cp; 3704 int slen; 3705 3706 if (strcmp(name, "current") != 0) 3707 return -EINVAL; 3708 3709 cp = kstrdup(skp->smk_known, GFP_KERNEL); 3710 if (cp == NULL) 3711 return -ENOMEM; 3712 3713 slen = strlen(cp); 3714 *value = cp; 3715 return slen; 3716 } 3717 3718 /** 3719 * do_setattr - Smack process attribute setting 3720 * @attr: the ID of the attribute 3721 * @value: the value to set 3722 * @size: the size of the value 3723 * 3724 * Sets the Smack value of the task. Only setting self 3725 * is permitted and only with privilege 3726 * 3727 * Returns the length of the smack label or an error code 3728 */ 3729 static int do_setattr(u64 attr, void *value, size_t size) 3730 { 3731 struct task_smack *tsp = smack_cred(current_cred()); 3732 struct cred *new; 3733 struct smack_known *skp; 3734 struct smack_known_list_elem *sklep; 3735 int rc; 3736 3737 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) 3738 return -EPERM; 3739 3740 if (value == NULL || size == 0 || size >= SMK_LONGLABEL) 3741 return -EINVAL; 3742 3743 if (attr != LSM_ATTR_CURRENT) 3744 return -EOPNOTSUPP; 3745 3746 skp = smk_import_entry(value, size); 3747 if (IS_ERR(skp)) 3748 return PTR_ERR(skp); 3749 3750 /* 3751 * No process is ever allowed the web ("@") label 3752 * and the star ("*") label. 3753 */ 3754 if (skp == &smack_known_web || skp == &smack_known_star) 3755 return -EINVAL; 3756 3757 if (!smack_privileged(CAP_MAC_ADMIN)) { 3758 rc = -EPERM; 3759 list_for_each_entry(sklep, &tsp->smk_relabel, list) 3760 if (sklep->smk_label == skp) { 3761 rc = 0; 3762 break; 3763 } 3764 if (rc) 3765 return rc; 3766 } 3767 3768 new = prepare_creds(); 3769 if (new == NULL) 3770 return -ENOMEM; 3771 3772 tsp = smack_cred(new); 3773 tsp->smk_task = skp; 3774 /* 3775 * process can change its label only once 3776 */ 3777 smk_destroy_label_list(&tsp->smk_relabel); 3778 3779 commit_creds(new); 3780 return size; 3781 } 3782 3783 /** 3784 * smack_setselfattr - Set a Smack process attribute 3785 * @attr: which attribute to set 3786 * @ctx: buffer containing the data 3787 * @size: size of @ctx 3788 * @flags: unused 3789 * 3790 * Fill the passed user space @ctx with the details of the requested 3791 * attribute. 3792 * 3793 * Returns 0 on success, an error code otherwise. 3794 */ 3795 static int smack_setselfattr(unsigned int attr, struct lsm_ctx *ctx, 3796 u32 size, u32 flags) 3797 { 3798 int rc; 3799 3800 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); 3801 if (rc > 0) 3802 return 0; 3803 return rc; 3804 } 3805 3806 /** 3807 * smack_setprocattr - Smack process attribute setting 3808 * @name: the name of the attribute in /proc/.../attr 3809 * @value: the value to set 3810 * @size: the size of the value 3811 * 3812 * Sets the Smack value of the task. Only setting self 3813 * is permitted and only with privilege 3814 * 3815 * Returns the length of the smack label or an error code 3816 */ 3817 static int smack_setprocattr(const char *name, void *value, size_t size) 3818 { 3819 int attr = lsm_name_to_attr(name); 3820 3821 if (attr != LSM_ATTR_UNDEF) 3822 return do_setattr(attr, value, size); 3823 return -EINVAL; 3824 } 3825 3826 /** 3827 * smack_unix_stream_connect - Smack access on UDS 3828 * @sock: one sock 3829 * @other: the other sock 3830 * @newsk: unused 3831 * 3832 * Return 0 if a subject with the smack of sock could access 3833 * an object with the smack of other, otherwise an error code 3834 */ 3835 static int smack_unix_stream_connect(struct sock *sock, 3836 struct sock *other, struct sock *newsk) 3837 { 3838 struct smack_known *skp; 3839 struct smack_known *okp; 3840 struct socket_smack *ssp = smack_sock(sock); 3841 struct socket_smack *osp = smack_sock(other); 3842 struct socket_smack *nsp = smack_sock(newsk); 3843 struct smk_audit_info ad; 3844 int rc = 0; 3845 #ifdef CONFIG_AUDIT 3846 struct lsm_network_audit net; 3847 #endif 3848 3849 if (!smack_privileged(CAP_MAC_OVERRIDE)) { 3850 skp = ssp->smk_out; 3851 okp = osp->smk_in; 3852 #ifdef CONFIG_AUDIT 3853 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3854 smk_ad_setfield_u_net_sk(&ad, other); 3855 #endif 3856 rc = smk_access(skp, okp, MAY_WRITE, &ad); 3857 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc); 3858 if (rc == 0) { 3859 okp = osp->smk_out; 3860 skp = ssp->smk_in; 3861 rc = smk_access(okp, skp, MAY_WRITE, &ad); 3862 rc = smk_bu_note("UDS connect", okp, skp, 3863 MAY_WRITE, rc); 3864 } 3865 } 3866 3867 if (rc == 0) { 3868 /* 3869 * Cross reference the peer labels for SO_PEERSEC. 3870 */ 3871 nsp->smk_packet = ssp->smk_out; 3872 ssp->smk_packet = osp->smk_out; 3873 3874 /* 3875 * new/child/established socket must inherit listening socket labels 3876 */ 3877 nsp->smk_out = osp->smk_out; 3878 nsp->smk_in = osp->smk_in; 3879 } 3880 3881 return rc; 3882 } 3883 3884 /** 3885 * smack_unix_may_send - Smack access on UDS 3886 * @sock: one socket 3887 * @other: the other socket 3888 * 3889 * Return 0 if a subject with the smack of sock could access 3890 * an object with the smack of other, otherwise an error code 3891 */ 3892 static int smack_unix_may_send(struct socket *sock, struct socket *other) 3893 { 3894 struct socket_smack *ssp = smack_sock(sock->sk); 3895 struct socket_smack *osp = smack_sock(other->sk); 3896 struct smk_audit_info ad; 3897 int rc; 3898 3899 #ifdef CONFIG_AUDIT 3900 struct lsm_network_audit net; 3901 3902 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 3903 smk_ad_setfield_u_net_sk(&ad, other->sk); 3904 #endif 3905 3906 if (smack_privileged(CAP_MAC_OVERRIDE)) 3907 return 0; 3908 3909 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); 3910 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); 3911 return rc; 3912 } 3913 3914 /** 3915 * smack_socket_sendmsg - Smack check based on destination host 3916 * @sock: the socket 3917 * @msg: the message 3918 * @size: the size of the message 3919 * 3920 * Return 0 if the current subject can write to the destination host. 3921 * For IPv4 this is only a question if the destination is a single label host. 3922 * For IPv6 this is a check against the label of the port. 3923 */ 3924 static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg, 3925 int size) 3926 { 3927 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; 3928 #if IS_ENABLED(CONFIG_IPV6) 3929 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; 3930 #endif 3931 #ifdef SMACK_IPV6_SECMARK_LABELING 3932 struct socket_smack *ssp = smack_sock(sock->sk); 3933 struct smack_known *rsp; 3934 #endif 3935 int rc = 0; 3936 3937 /* 3938 * Perfectly reasonable for this to be NULL 3939 */ 3940 if (sip == NULL) 3941 return 0; 3942 3943 switch (sock->sk->sk_family) { 3944 case AF_INET: 3945 if (msg->msg_namelen < sizeof(struct sockaddr_in) || 3946 sip->sin_family != AF_INET) 3947 return -EINVAL; 3948 rc = smk_ipv4_check(sock->sk, sip); 3949 break; 3950 #if IS_ENABLED(CONFIG_IPV6) 3951 case AF_INET6: 3952 if (msg->msg_namelen < SIN6_LEN_RFC2133 || 3953 sap->sin6_family != AF_INET6) 3954 return -EINVAL; 3955 #ifdef SMACK_IPV6_SECMARK_LABELING 3956 rsp = smack_ipv6host_label(sap); 3957 if (rsp != NULL) 3958 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, 3959 SMK_CONNECTING); 3960 #endif 3961 #ifdef SMACK_IPV6_PORT_LABELING 3962 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); 3963 #endif 3964 #endif /* IS_ENABLED(CONFIG_IPV6) */ 3965 break; 3966 } 3967 return rc; 3968 } 3969 3970 /** 3971 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack 3972 * @sap: netlabel secattr 3973 * @ssp: socket security information 3974 * 3975 * Returns a pointer to a Smack label entry found on the label list. 3976 */ 3977 static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap, 3978 struct socket_smack *ssp) 3979 { 3980 struct smack_known *skp; 3981 int found = 0; 3982 int acat; 3983 int kcat; 3984 3985 /* 3986 * Netlabel found it in the cache. 3987 */ 3988 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) 3989 return (struct smack_known *)sap->cache->data; 3990 3991 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) 3992 /* 3993 * Looks like a fallback, which gives us a secid. 3994 */ 3995 return smack_from_secid(sap->attr.secid); 3996 3997 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { 3998 /* 3999 * Looks like a CIPSO packet. 4000 * If there are flags but no level netlabel isn't 4001 * behaving the way we expect it to. 4002 * 4003 * Look it up in the label table 4004 * Without guidance regarding the smack value 4005 * for the packet fall back on the network 4006 * ambient value. 4007 */ 4008 rcu_read_lock(); 4009 list_for_each_entry_rcu(skp, &smack_known_list, list) { 4010 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) 4011 continue; 4012 /* 4013 * Compare the catsets. Use the netlbl APIs. 4014 */ 4015 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { 4016 if ((skp->smk_netlabel.flags & 4017 NETLBL_SECATTR_MLS_CAT) == 0) 4018 found = 1; 4019 break; 4020 } 4021 for (acat = -1, kcat = -1; acat == kcat; ) { 4022 acat = netlbl_catmap_walk(sap->attr.mls.cat, 4023 acat + 1); 4024 kcat = netlbl_catmap_walk( 4025 skp->smk_netlabel.attr.mls.cat, 4026 kcat + 1); 4027 if (acat < 0 || kcat < 0) 4028 break; 4029 } 4030 if (acat == kcat) { 4031 found = 1; 4032 break; 4033 } 4034 } 4035 rcu_read_unlock(); 4036 4037 if (found) 4038 return skp; 4039 4040 if (ssp != NULL && ssp->smk_in == &smack_known_star) 4041 return &smack_known_web; 4042 return &smack_known_star; 4043 } 4044 /* 4045 * Without guidance regarding the smack value 4046 * for the packet fall back on the network 4047 * ambient value. 4048 */ 4049 return smack_net_ambient; 4050 } 4051 4052 #if IS_ENABLED(CONFIG_IPV6) 4053 static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip) 4054 { 4055 u8 nexthdr; 4056 int offset; 4057 int proto = -EINVAL; 4058 struct ipv6hdr _ipv6h; 4059 struct ipv6hdr *ip6; 4060 __be16 frag_off; 4061 struct tcphdr _tcph, *th; 4062 struct udphdr _udph, *uh; 4063 4064 sip->sin6_port = 0; 4065 4066 offset = skb_network_offset(skb); 4067 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h); 4068 if (ip6 == NULL) 4069 return -EINVAL; 4070 sip->sin6_addr = ip6->saddr; 4071 4072 nexthdr = ip6->nexthdr; 4073 offset += sizeof(_ipv6h); 4074 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 4075 if (offset < 0) 4076 return -EINVAL; 4077 4078 proto = nexthdr; 4079 switch (proto) { 4080 case IPPROTO_TCP: 4081 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 4082 if (th != NULL) 4083 sip->sin6_port = th->source; 4084 break; 4085 case IPPROTO_UDP: 4086 case IPPROTO_UDPLITE: 4087 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 4088 if (uh != NULL) 4089 sip->sin6_port = uh->source; 4090 break; 4091 } 4092 return proto; 4093 } 4094 #endif /* CONFIG_IPV6 */ 4095 4096 /** 4097 * smack_from_skb - Smack data from the secmark in an skb 4098 * @skb: packet 4099 * 4100 * Returns smack_known of the secmark or NULL if that won't work. 4101 */ 4102 #ifdef CONFIG_NETWORK_SECMARK 4103 static struct smack_known *smack_from_skb(struct sk_buff *skb) 4104 { 4105 if (skb == NULL || skb->secmark == 0) 4106 return NULL; 4107 4108 return smack_from_secid(skb->secmark); 4109 } 4110 #else 4111 static inline struct smack_known *smack_from_skb(struct sk_buff *skb) 4112 { 4113 return NULL; 4114 } 4115 #endif 4116 4117 /** 4118 * smack_from_netlbl - Smack data from the IP options in an skb 4119 * @sk: socket data came in on 4120 * @family: address family 4121 * @skb: packet 4122 * 4123 * Find the Smack label in the IP options. If it hasn't been 4124 * added to the netlabel cache, add it here. 4125 * 4126 * Returns smack_known of the IP options or NULL if that won't work. 4127 */ 4128 static struct smack_known *smack_from_netlbl(const struct sock *sk, u16 family, 4129 struct sk_buff *skb) 4130 { 4131 struct netlbl_lsm_secattr secattr; 4132 struct socket_smack *ssp = NULL; 4133 struct smack_known *skp = NULL; 4134 4135 netlbl_secattr_init(&secattr); 4136 4137 if (sk) 4138 ssp = smack_sock(sk); 4139 4140 if (netlbl_skbuff_getattr(skb, family, &secattr) == 0) { 4141 skp = smack_from_secattr(&secattr, ssp); 4142 if (secattr.flags & NETLBL_SECATTR_CACHEABLE) 4143 netlbl_cache_add(skb, family, &skp->smk_netlabel); 4144 } 4145 4146 netlbl_secattr_destroy(&secattr); 4147 4148 return skp; 4149 } 4150 4151 /** 4152 * smack_socket_sock_rcv_skb - Smack packet delivery access check 4153 * @sk: socket 4154 * @skb: packet 4155 * 4156 * Returns 0 if the packet should be delivered, an error code otherwise 4157 */ 4158 static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 4159 { 4160 struct socket_smack *ssp = smack_sock(sk); 4161 struct smack_known *skp = NULL; 4162 int rc = 0; 4163 struct smk_audit_info ad; 4164 u16 family = sk->sk_family; 4165 #ifdef CONFIG_AUDIT 4166 struct lsm_network_audit net; 4167 #endif 4168 #if IS_ENABLED(CONFIG_IPV6) 4169 struct sockaddr_in6 sadd; 4170 int proto; 4171 4172 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) 4173 family = PF_INET; 4174 #endif /* CONFIG_IPV6 */ 4175 4176 switch (family) { 4177 case PF_INET: 4178 /* 4179 * If there is a secmark use it rather than the CIPSO label. 4180 * If there is no secmark fall back to CIPSO. 4181 * The secmark is assumed to reflect policy better. 4182 */ 4183 skp = smack_from_skb(skb); 4184 if (skp == NULL) { 4185 skp = smack_from_netlbl(sk, family, skb); 4186 if (skp == NULL) 4187 skp = smack_net_ambient; 4188 } 4189 4190 #ifdef CONFIG_AUDIT 4191 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4192 ad.a.u.net->family = family; 4193 ad.a.u.net->netif = skb->skb_iif; 4194 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4195 #endif 4196 /* 4197 * Receiving a packet requires that the other end 4198 * be able to write here. Read access is not required. 4199 * This is the simplest possible security model 4200 * for networking. 4201 */ 4202 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4203 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, 4204 MAY_WRITE, rc); 4205 if (rc != 0) 4206 netlbl_skbuff_err(skb, family, rc, 0); 4207 break; 4208 #if IS_ENABLED(CONFIG_IPV6) 4209 case PF_INET6: 4210 proto = smk_skb_to_addr_ipv6(skb, &sadd); 4211 if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE && 4212 proto != IPPROTO_TCP) 4213 break; 4214 #ifdef SMACK_IPV6_SECMARK_LABELING 4215 skp = smack_from_skb(skb); 4216 if (skp == NULL) { 4217 if (smk_ipv6_localhost(&sadd)) 4218 break; 4219 skp = smack_ipv6host_label(&sadd); 4220 if (skp == NULL) 4221 skp = smack_net_ambient; 4222 } 4223 #ifdef CONFIG_AUDIT 4224 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4225 ad.a.u.net->family = family; 4226 ad.a.u.net->netif = skb->skb_iif; 4227 ipv6_skb_to_auditdata(skb, &ad.a, NULL); 4228 #endif /* CONFIG_AUDIT */ 4229 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4230 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, 4231 MAY_WRITE, rc); 4232 #endif /* SMACK_IPV6_SECMARK_LABELING */ 4233 #ifdef SMACK_IPV6_PORT_LABELING 4234 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING); 4235 #endif /* SMACK_IPV6_PORT_LABELING */ 4236 if (rc != 0) 4237 icmpv6_send(skb, ICMPV6_DEST_UNREACH, 4238 ICMPV6_ADM_PROHIBITED, 0); 4239 break; 4240 #endif /* CONFIG_IPV6 */ 4241 } 4242 4243 return rc; 4244 } 4245 4246 /** 4247 * smack_socket_getpeersec_stream - pull in packet label 4248 * @sock: the socket 4249 * @optval: user's destination 4250 * @optlen: size thereof 4251 * @len: max thereof 4252 * 4253 * returns zero on success, an error code otherwise 4254 */ 4255 static int smack_socket_getpeersec_stream(struct socket *sock, 4256 sockptr_t optval, sockptr_t optlen, 4257 unsigned int len) 4258 { 4259 struct socket_smack *ssp; 4260 char *rcp = ""; 4261 u32 slen = 1; 4262 int rc = 0; 4263 4264 ssp = smack_sock(sock->sk); 4265 if (ssp->smk_packet != NULL) { 4266 rcp = ssp->smk_packet->smk_known; 4267 slen = strlen(rcp) + 1; 4268 } 4269 if (slen > len) { 4270 rc = -ERANGE; 4271 goto out_len; 4272 } 4273 4274 if (copy_to_sockptr(optval, rcp, slen)) 4275 rc = -EFAULT; 4276 out_len: 4277 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 4278 rc = -EFAULT; 4279 return rc; 4280 } 4281 4282 4283 /** 4284 * smack_socket_getpeersec_dgram - pull in packet label 4285 * @sock: the peer socket 4286 * @skb: packet data 4287 * @secid: pointer to where to put the secid of the packet 4288 * 4289 * Sets the netlabel socket state on sk from parent 4290 */ 4291 static int smack_socket_getpeersec_dgram(struct socket *sock, 4292 struct sk_buff *skb, u32 *secid) 4293 4294 { 4295 struct socket_smack *ssp = NULL; 4296 struct smack_known *skp; 4297 struct sock *sk = NULL; 4298 int family = PF_UNSPEC; 4299 u32 s = 0; /* 0 is the invalid secid */ 4300 4301 if (skb != NULL) { 4302 if (skb->protocol == htons(ETH_P_IP)) 4303 family = PF_INET; 4304 #if IS_ENABLED(CONFIG_IPV6) 4305 else if (skb->protocol == htons(ETH_P_IPV6)) 4306 family = PF_INET6; 4307 #endif /* CONFIG_IPV6 */ 4308 } 4309 if (family == PF_UNSPEC && sock != NULL) 4310 family = sock->sk->sk_family; 4311 4312 switch (family) { 4313 case PF_UNIX: 4314 ssp = smack_sock(sock->sk); 4315 s = ssp->smk_out->smk_secid; 4316 break; 4317 case PF_INET: 4318 skp = smack_from_skb(skb); 4319 if (skp) { 4320 s = skp->smk_secid; 4321 break; 4322 } 4323 /* 4324 * Translate what netlabel gave us. 4325 */ 4326 if (sock != NULL) 4327 sk = sock->sk; 4328 skp = smack_from_netlbl(sk, family, skb); 4329 if (skp != NULL) 4330 s = skp->smk_secid; 4331 break; 4332 case PF_INET6: 4333 #ifdef SMACK_IPV6_SECMARK_LABELING 4334 skp = smack_from_skb(skb); 4335 if (skp) 4336 s = skp->smk_secid; 4337 #endif 4338 break; 4339 } 4340 *secid = s; 4341 if (s == 0) 4342 return -EINVAL; 4343 return 0; 4344 } 4345 4346 /** 4347 * smack_inet_conn_request - Smack access check on connect 4348 * @sk: socket involved 4349 * @skb: packet 4350 * @req: unused 4351 * 4352 * Returns 0 if a task with the packet label could write to 4353 * the socket, otherwise an error code 4354 */ 4355 static int smack_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 4356 struct request_sock *req) 4357 { 4358 u16 family = sk->sk_family; 4359 struct smack_known *skp; 4360 struct socket_smack *ssp = smack_sock(sk); 4361 struct sockaddr_in addr; 4362 struct iphdr *hdr; 4363 struct smack_known *hskp; 4364 int rc; 4365 struct smk_audit_info ad; 4366 #ifdef CONFIG_AUDIT 4367 struct lsm_network_audit net; 4368 #endif 4369 4370 #if IS_ENABLED(CONFIG_IPV6) 4371 if (family == PF_INET6) { 4372 /* 4373 * Handle mapped IPv4 packets arriving 4374 * via IPv6 sockets. Don't set up netlabel 4375 * processing on IPv6. 4376 */ 4377 if (skb->protocol == htons(ETH_P_IP)) 4378 family = PF_INET; 4379 else 4380 return 0; 4381 } 4382 #endif /* CONFIG_IPV6 */ 4383 4384 /* 4385 * If there is a secmark use it rather than the CIPSO label. 4386 * If there is no secmark fall back to CIPSO. 4387 * The secmark is assumed to reflect policy better. 4388 */ 4389 skp = smack_from_skb(skb); 4390 if (skp == NULL) { 4391 skp = smack_from_netlbl(sk, family, skb); 4392 if (skp == NULL) 4393 skp = &smack_known_huh; 4394 } 4395 4396 #ifdef CONFIG_AUDIT 4397 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net); 4398 ad.a.u.net->family = family; 4399 ad.a.u.net->netif = skb->skb_iif; 4400 ipv4_skb_to_auditdata(skb, &ad.a, NULL); 4401 #endif 4402 /* 4403 * Receiving a packet requires that the other end be able to write 4404 * here. Read access is not required. 4405 */ 4406 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); 4407 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); 4408 if (rc != 0) 4409 return rc; 4410 4411 /* 4412 * Save the peer's label in the request_sock so we can later setup 4413 * smk_packet in the child socket so that SO_PEERCRED can report it. 4414 */ 4415 req->peer_secid = skp->smk_secid; 4416 4417 /* 4418 * We need to decide if we want to label the incoming connection here 4419 * if we do we only need to label the request_sock and the stack will 4420 * propagate the wire-label to the sock when it is created. 4421 */ 4422 hdr = ip_hdr(skb); 4423 addr.sin_addr.s_addr = hdr->saddr; 4424 rcu_read_lock(); 4425 hskp = smack_ipv4host_label(&addr); 4426 rcu_read_unlock(); 4427 4428 if (hskp == NULL) 4429 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); 4430 else 4431 netlbl_req_delattr(req); 4432 4433 return rc; 4434 } 4435 4436 /** 4437 * smack_inet_csk_clone - Copy the connection information to the new socket 4438 * @sk: the new socket 4439 * @req: the connection's request_sock 4440 * 4441 * Transfer the connection's peer label to the newly created socket. 4442 */ 4443 static void smack_inet_csk_clone(struct sock *sk, 4444 const struct request_sock *req) 4445 { 4446 struct socket_smack *ssp = smack_sock(sk); 4447 struct smack_known *skp; 4448 4449 if (req->peer_secid != 0) { 4450 skp = smack_from_secid(req->peer_secid); 4451 ssp->smk_packet = skp; 4452 } else 4453 ssp->smk_packet = NULL; 4454 } 4455 4456 /* 4457 * Key management security hooks 4458 * 4459 * Casey has not tested key support very heavily. 4460 * The permission check is most likely too restrictive. 4461 * If you care about keys please have a look. 4462 */ 4463 #ifdef CONFIG_KEYS 4464 4465 /** 4466 * smack_key_alloc - Set the key security blob 4467 * @key: object 4468 * @cred: the credentials to use 4469 * @flags: unused 4470 * 4471 * No allocation required 4472 * 4473 * Returns 0 4474 */ 4475 static int smack_key_alloc(struct key *key, const struct cred *cred, 4476 unsigned long flags) 4477 { 4478 struct smack_known **blob = smack_key(key); 4479 struct smack_known *skp = smk_of_task(smack_cred(cred)); 4480 4481 *blob = skp; 4482 return 0; 4483 } 4484 4485 /** 4486 * smack_key_permission - Smack access on a key 4487 * @key_ref: gets to the object 4488 * @cred: the credentials to use 4489 * @need_perm: requested key permission 4490 * 4491 * Return 0 if the task has read and write to the object, 4492 * an error code otherwise 4493 */ 4494 static int smack_key_permission(key_ref_t key_ref, 4495 const struct cred *cred, 4496 enum key_need_perm need_perm) 4497 { 4498 struct smack_known **blob; 4499 struct smack_known *skp; 4500 struct key *keyp; 4501 struct smk_audit_info ad; 4502 struct smack_known *tkp = smk_of_task(smack_cred(cred)); 4503 int request = 0; 4504 int rc; 4505 4506 /* 4507 * Validate requested permissions 4508 */ 4509 switch (need_perm) { 4510 case KEY_NEED_READ: 4511 case KEY_NEED_SEARCH: 4512 case KEY_NEED_VIEW: 4513 request |= MAY_READ; 4514 break; 4515 case KEY_NEED_WRITE: 4516 case KEY_NEED_LINK: 4517 case KEY_NEED_SETATTR: 4518 request |= MAY_WRITE; 4519 break; 4520 case KEY_NEED_UNSPECIFIED: 4521 case KEY_NEED_UNLINK: 4522 case KEY_SYSADMIN_OVERRIDE: 4523 case KEY_AUTHTOKEN_OVERRIDE: 4524 case KEY_DEFER_PERM_CHECK: 4525 return 0; 4526 default: 4527 return -EINVAL; 4528 } 4529 4530 keyp = key_ref_to_ptr(key_ref); 4531 if (keyp == NULL) 4532 return -EINVAL; 4533 /* 4534 * If the key hasn't been initialized give it access so that 4535 * it may do so. 4536 */ 4537 blob = smack_key(keyp); 4538 skp = *blob; 4539 if (skp == NULL) 4540 return 0; 4541 /* 4542 * This should not occur 4543 */ 4544 if (tkp == NULL) 4545 return -EACCES; 4546 4547 if (smack_privileged(CAP_MAC_OVERRIDE)) 4548 return 0; 4549 4550 #ifdef CONFIG_AUDIT 4551 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4552 ad.a.u.key_struct.key = keyp->serial; 4553 ad.a.u.key_struct.key_desc = keyp->description; 4554 #endif 4555 rc = smk_access(tkp, skp, request, &ad); 4556 rc = smk_bu_note("key access", tkp, skp, request, rc); 4557 return rc; 4558 } 4559 4560 /* 4561 * smack_key_getsecurity - Smack label tagging the key 4562 * @key points to the key to be queried 4563 * @_buffer points to a pointer that should be set to point to the 4564 * resulting string (if no label or an error occurs). 4565 * Return the length of the string (including terminating NUL) or -ve if 4566 * an error. 4567 * May also return 0 (and a NULL buffer pointer) if there is no label. 4568 */ 4569 static int smack_key_getsecurity(struct key *key, char **_buffer) 4570 { 4571 struct smack_known **blob = smack_key(key); 4572 struct smack_known *skp = *blob; 4573 size_t length; 4574 char *copy; 4575 4576 if (skp == NULL) { 4577 *_buffer = NULL; 4578 return 0; 4579 } 4580 4581 copy = kstrdup(skp->smk_known, GFP_KERNEL); 4582 if (copy == NULL) 4583 return -ENOMEM; 4584 length = strlen(copy) + 1; 4585 4586 *_buffer = copy; 4587 return length; 4588 } 4589 4590 4591 #ifdef CONFIG_KEY_NOTIFICATIONS 4592 /** 4593 * smack_watch_key - Smack access to watch a key for notifications. 4594 * @key: The key to be watched 4595 * 4596 * Return 0 if the @watch->cred has permission to read from the key object and 4597 * an error otherwise. 4598 */ 4599 static int smack_watch_key(struct key *key) 4600 { 4601 struct smk_audit_info ad; 4602 struct smack_known *tkp = smk_of_current(); 4603 struct smack_known **blob = smack_key(key); 4604 int rc; 4605 4606 /* 4607 * This should not occur 4608 */ 4609 if (tkp == NULL) 4610 return -EACCES; 4611 4612 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4613 return 0; 4614 4615 #ifdef CONFIG_AUDIT 4616 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY); 4617 ad.a.u.key_struct.key = key->serial; 4618 ad.a.u.key_struct.key_desc = key->description; 4619 #endif 4620 rc = smk_access(tkp, *blob, MAY_READ, &ad); 4621 rc = smk_bu_note("key watch", tkp, *blob, MAY_READ, rc); 4622 return rc; 4623 } 4624 #endif /* CONFIG_KEY_NOTIFICATIONS */ 4625 #endif /* CONFIG_KEYS */ 4626 4627 #ifdef CONFIG_WATCH_QUEUE 4628 /** 4629 * smack_post_notification - Smack access to post a notification to a queue 4630 * @w_cred: The credentials of the watcher. 4631 * @cred: The credentials of the event source (may be NULL). 4632 * @n: The notification message to be posted. 4633 */ 4634 static int smack_post_notification(const struct cred *w_cred, 4635 const struct cred *cred, 4636 struct watch_notification *n) 4637 { 4638 struct smk_audit_info ad; 4639 struct smack_known *subj, *obj; 4640 int rc; 4641 4642 /* Always let maintenance notifications through. */ 4643 if (n->type == WATCH_TYPE_META) 4644 return 0; 4645 4646 if (!cred) 4647 return 0; 4648 subj = smk_of_task(smack_cred(cred)); 4649 obj = smk_of_task(smack_cred(w_cred)); 4650 4651 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_NOTIFICATION); 4652 rc = smk_access(subj, obj, MAY_WRITE, &ad); 4653 rc = smk_bu_note("notification", subj, obj, MAY_WRITE, rc); 4654 return rc; 4655 } 4656 #endif /* CONFIG_WATCH_QUEUE */ 4657 4658 /* 4659 * Smack Audit hooks 4660 * 4661 * Audit requires a unique representation of each Smack specific 4662 * rule. This unique representation is used to distinguish the 4663 * object to be audited from remaining kernel objects and also 4664 * works as a glue between the audit hooks. 4665 * 4666 * Since repository entries are added but never deleted, we'll use 4667 * the smack_known label address related to the given audit rule as 4668 * the needed unique representation. This also better fits the smack 4669 * model where nearly everything is a label. 4670 */ 4671 #ifdef CONFIG_AUDIT 4672 4673 /** 4674 * smack_audit_rule_init - Initialize a smack audit rule 4675 * @field: audit rule fields given from user-space (audit.h) 4676 * @op: required testing operator (=, !=, >, <, ...) 4677 * @rulestr: smack label to be audited 4678 * @vrule: pointer to save our own audit rule representation 4679 * @gfp: type of the memory for the allocation 4680 * 4681 * Prepare to audit cases where (@field @op @rulestr) is true. 4682 * The label to be audited is created if necessary. 4683 */ 4684 static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, 4685 gfp_t gfp) 4686 { 4687 struct smack_known *skp; 4688 char **rule = (char **)vrule; 4689 *rule = NULL; 4690 4691 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4692 return -EINVAL; 4693 4694 if (op != Audit_equal && op != Audit_not_equal) 4695 return -EINVAL; 4696 4697 skp = smk_import_entry(rulestr, 0); 4698 if (IS_ERR(skp)) 4699 return PTR_ERR(skp); 4700 4701 *rule = skp->smk_known; 4702 4703 return 0; 4704 } 4705 4706 /** 4707 * smack_audit_rule_known - Distinguish Smack audit rules 4708 * @krule: rule of interest, in Audit kernel representation format 4709 * 4710 * This is used to filter Smack rules from remaining Audit ones. 4711 * If it's proved that this rule belongs to us, the 4712 * audit_rule_match hook will be called to do the final judgement. 4713 */ 4714 static int smack_audit_rule_known(struct audit_krule *krule) 4715 { 4716 struct audit_field *f; 4717 int i; 4718 4719 for (i = 0; i < krule->field_count; i++) { 4720 f = &krule->fields[i]; 4721 4722 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) 4723 return 1; 4724 } 4725 4726 return 0; 4727 } 4728 4729 /** 4730 * smack_audit_rule_match - Audit given object ? 4731 * @prop: security id for identifying the object to test 4732 * @field: audit rule flags given from user-space 4733 * @op: required testing operator 4734 * @vrule: smack internal rule presentation 4735 * 4736 * The core Audit hook. It's used to take the decision of 4737 * whether to audit or not to audit a given object. 4738 */ 4739 static int smack_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, 4740 void *vrule) 4741 { 4742 struct smack_known *skp = prop->smack.skp; 4743 char *rule = vrule; 4744 4745 if (unlikely(!rule)) { 4746 WARN_ONCE(1, "Smack: missing rule\n"); 4747 return -ENOENT; 4748 } 4749 4750 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER) 4751 return 0; 4752 4753 /* 4754 * No need to do string comparisons. If a match occurs, 4755 * both pointers will point to the same smack_known 4756 * label. 4757 */ 4758 if (op == Audit_equal) 4759 return (rule == skp->smk_known); 4760 if (op == Audit_not_equal) 4761 return (rule != skp->smk_known); 4762 4763 return 0; 4764 } 4765 4766 /* 4767 * There is no need for a smack_audit_rule_free hook. 4768 * No memory was allocated. 4769 */ 4770 4771 #endif /* CONFIG_AUDIT */ 4772 4773 /** 4774 * smack_ismaclabel - check if xattr @name references a smack MAC label 4775 * @name: Full xattr name to check. 4776 */ 4777 static int smack_ismaclabel(const char *name) 4778 { 4779 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0); 4780 } 4781 4782 /** 4783 * smack_to_secctx - fill a lsm_context 4784 * @skp: Smack label 4785 * @cp: destination 4786 * 4787 * Fill the passed @cp and return the length of the string 4788 */ 4789 static int smack_to_secctx(struct smack_known *skp, struct lsm_context *cp) 4790 { 4791 int len = strlen(skp->smk_known); 4792 4793 if (cp) { 4794 cp->context = skp->smk_known; 4795 cp->len = len; 4796 cp->id = LSM_ID_SMACK; 4797 } 4798 return len; 4799 } 4800 4801 /** 4802 * smack_secid_to_secctx - return the smack label for a secid 4803 * @secid: incoming integer 4804 * @cp: destination 4805 * 4806 * Exists for networking code. 4807 */ 4808 static int smack_secid_to_secctx(u32 secid, struct lsm_context *cp) 4809 { 4810 return smack_to_secctx(smack_from_secid(secid), cp); 4811 } 4812 4813 /** 4814 * smack_lsmprop_to_secctx - return the smack label 4815 * @prop: includes incoming Smack data 4816 * @cp: destination 4817 * 4818 * Exists for audit code. 4819 */ 4820 static int smack_lsmprop_to_secctx(struct lsm_prop *prop, 4821 struct lsm_context *cp) 4822 { 4823 return smack_to_secctx(prop->smack.skp, cp); 4824 } 4825 4826 /** 4827 * smack_secctx_to_secid - return the secid for a smack label 4828 * @secdata: smack label 4829 * @seclen: how long result is 4830 * @secid: outgoing integer 4831 * 4832 * Exists for audit and networking code. 4833 */ 4834 static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid) 4835 { 4836 struct smack_known *skp = smk_find_entry(secdata); 4837 4838 if (skp) 4839 *secid = skp->smk_secid; 4840 else 4841 *secid = 0; 4842 return 0; 4843 } 4844 4845 /* 4846 * There used to be a smack_release_secctx hook 4847 * that did nothing back when hooks were in a vector. 4848 * Now that there's a list such a hook adds cost. 4849 */ 4850 4851 static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen) 4852 { 4853 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, 4854 ctxlen, 0); 4855 } 4856 4857 static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen) 4858 { 4859 return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK, 4860 ctx, ctxlen, 0, NULL); 4861 } 4862 4863 static int smack_inode_getsecctx(struct inode *inode, struct lsm_context *cp) 4864 { 4865 struct smack_known *skp = smk_of_inode(inode); 4866 4867 cp->context = skp->smk_known; 4868 cp->len = strlen(skp->smk_known); 4869 cp->id = LSM_ID_SMACK; 4870 return 0; 4871 } 4872 4873 static int smack_inode_copy_up(struct dentry *dentry, struct cred **new) 4874 { 4875 4876 struct task_smack *tsp; 4877 struct smack_known *skp; 4878 struct inode_smack *isp; 4879 struct cred *new_creds = *new; 4880 4881 if (new_creds == NULL) { 4882 new_creds = prepare_creds(); 4883 if (new_creds == NULL) 4884 return -ENOMEM; 4885 } 4886 4887 tsp = smack_cred(new_creds); 4888 4889 /* 4890 * Get label from overlay inode and set it in create_sid 4891 */ 4892 isp = smack_inode(d_inode(dentry)); 4893 skp = isp->smk_inode; 4894 tsp->smk_task = skp; 4895 *new = new_creds; 4896 return 0; 4897 } 4898 4899 static int smack_inode_copy_up_xattr(struct dentry *src, const char *name) 4900 { 4901 /* 4902 * Return -ECANCELED if this is the smack access Smack attribute. 4903 */ 4904 if (!strcmp(name, XATTR_NAME_SMACK)) 4905 return -ECANCELED; 4906 4907 return -EOPNOTSUPP; 4908 } 4909 4910 static int smack_dentry_create_files_as(struct dentry *dentry, int mode, 4911 struct qstr *name, 4912 const struct cred *old, 4913 struct cred *new) 4914 { 4915 struct task_smack *otsp = smack_cred(old); 4916 struct task_smack *ntsp = smack_cred(new); 4917 struct inode_smack *isp; 4918 int may; 4919 4920 /* 4921 * Use the process credential unless all of 4922 * the transmuting criteria are met 4923 */ 4924 ntsp->smk_task = otsp->smk_task; 4925 4926 /* 4927 * the attribute of the containing directory 4928 */ 4929 isp = smack_inode(d_inode(dentry->d_parent)); 4930 4931 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { 4932 rcu_read_lock(); 4933 may = smk_access_entry(otsp->smk_task->smk_known, 4934 isp->smk_inode->smk_known, 4935 &otsp->smk_task->smk_rules); 4936 rcu_read_unlock(); 4937 4938 /* 4939 * If the directory is transmuting and the rule 4940 * providing access is transmuting use the containing 4941 * directory label instead of the process label. 4942 */ 4943 if (may > 0 && (may & MAY_TRANSMUTE)) { 4944 ntsp->smk_task = isp->smk_inode; 4945 ntsp->smk_transmuted = ntsp->smk_task; 4946 } 4947 } 4948 return 0; 4949 } 4950 4951 #ifdef CONFIG_IO_URING 4952 /** 4953 * smack_uring_override_creds - Is io_uring cred override allowed? 4954 * @new: the target creds 4955 * 4956 * Check to see if the current task is allowed to override it's credentials 4957 * to service an io_uring operation. 4958 */ 4959 static int smack_uring_override_creds(const struct cred *new) 4960 { 4961 struct task_smack *tsp = smack_cred(current_cred()); 4962 struct task_smack *nsp = smack_cred(new); 4963 4964 /* 4965 * Allow the degenerate case where the new Smack value is 4966 * the same as the current Smack value. 4967 */ 4968 if (tsp->smk_task == nsp->smk_task) 4969 return 0; 4970 4971 if (smack_privileged_cred(CAP_MAC_OVERRIDE, current_cred())) 4972 return 0; 4973 4974 return -EPERM; 4975 } 4976 4977 /** 4978 * smack_uring_sqpoll - check if a io_uring polling thread can be created 4979 * 4980 * Check to see if the current task is allowed to create a new io_uring 4981 * kernel polling thread. 4982 */ 4983 static int smack_uring_sqpoll(void) 4984 { 4985 if (smack_privileged_cred(CAP_MAC_ADMIN, current_cred())) 4986 return 0; 4987 4988 return -EPERM; 4989 } 4990 4991 /** 4992 * smack_uring_cmd - check on file operations for io_uring 4993 * @ioucmd: the command in question 4994 * 4995 * Make a best guess about whether a io_uring "command" should 4996 * be allowed. Use the same logic used for determining if the 4997 * file could be opened for read in the absence of better criteria. 4998 */ 4999 static int smack_uring_cmd(struct io_uring_cmd *ioucmd) 5000 { 5001 struct file *file = ioucmd->file; 5002 struct smk_audit_info ad; 5003 struct task_smack *tsp; 5004 struct inode *inode; 5005 int rc; 5006 5007 if (!file) 5008 return -EINVAL; 5009 5010 tsp = smack_cred(file->f_cred); 5011 inode = file_inode(file); 5012 5013 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH); 5014 smk_ad_setfield_u_fs_path(&ad, file->f_path); 5015 rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad); 5016 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); 5017 5018 return rc; 5019 } 5020 5021 #endif /* CONFIG_IO_URING */ 5022 5023 struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { 5024 .lbs_cred = sizeof(struct task_smack), 5025 .lbs_file = sizeof(struct smack_known *), 5026 .lbs_inode = sizeof(struct inode_smack), 5027 .lbs_ipc = sizeof(struct smack_known *), 5028 .lbs_key = sizeof(struct smack_known *), 5029 .lbs_msg_msg = sizeof(struct smack_known *), 5030 .lbs_sock = sizeof(struct socket_smack), 5031 .lbs_superblock = sizeof(struct superblock_smack), 5032 .lbs_xattr_count = SMACK_INODE_INIT_XATTRS, 5033 }; 5034 5035 static const struct lsm_id smack_lsmid = { 5036 .name = "smack", 5037 .id = LSM_ID_SMACK, 5038 }; 5039 5040 static struct security_hook_list smack_hooks[] __ro_after_init = { 5041 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check), 5042 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme), 5043 LSM_HOOK_INIT(syslog, smack_syslog), 5044 5045 LSM_HOOK_INIT(fs_context_submount, smack_fs_context_submount), 5046 LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup), 5047 LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param), 5048 5049 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security), 5050 LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts), 5051 LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts), 5052 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs), 5053 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts), 5054 5055 LSM_HOOK_INIT(bprm_creds_for_exec, smack_bprm_creds_for_exec), 5056 5057 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security), 5058 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security), 5059 LSM_HOOK_INIT(inode_link, smack_inode_link), 5060 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink), 5061 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir), 5062 LSM_HOOK_INIT(inode_rename, smack_inode_rename), 5063 LSM_HOOK_INIT(inode_permission, smack_inode_permission), 5064 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr), 5065 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr), 5066 LSM_HOOK_INIT(inode_xattr_skipcap, smack_inode_xattr_skipcap), 5067 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr), 5068 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr), 5069 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr), 5070 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr), 5071 LSM_HOOK_INIT(inode_set_acl, smack_inode_set_acl), 5072 LSM_HOOK_INIT(inode_get_acl, smack_inode_get_acl), 5073 LSM_HOOK_INIT(inode_remove_acl, smack_inode_remove_acl), 5074 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity), 5075 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity), 5076 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity), 5077 LSM_HOOK_INIT(inode_getlsmprop, smack_inode_getlsmprop), 5078 5079 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security), 5080 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl), 5081 LSM_HOOK_INIT(file_ioctl_compat, smack_file_ioctl), 5082 LSM_HOOK_INIT(file_lock, smack_file_lock), 5083 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl), 5084 LSM_HOOK_INIT(mmap_file, smack_mmap_file), 5085 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr), 5086 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner), 5087 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask), 5088 LSM_HOOK_INIT(file_receive, smack_file_receive), 5089 5090 LSM_HOOK_INIT(file_open, smack_file_open), 5091 5092 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank), 5093 LSM_HOOK_INIT(cred_free, smack_cred_free), 5094 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare), 5095 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer), 5096 LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid), 5097 LSM_HOOK_INIT(cred_getlsmprop, smack_cred_getlsmprop), 5098 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as), 5099 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as), 5100 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid), 5101 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid), 5102 LSM_HOOK_INIT(task_getsid, smack_task_getsid), 5103 LSM_HOOK_INIT(current_getlsmprop_subj, smack_current_getlsmprop_subj), 5104 LSM_HOOK_INIT(task_getlsmprop_obj, smack_task_getlsmprop_obj), 5105 LSM_HOOK_INIT(task_setnice, smack_task_setnice), 5106 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio), 5107 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio), 5108 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler), 5109 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler), 5110 LSM_HOOK_INIT(task_movememory, smack_task_movememory), 5111 LSM_HOOK_INIT(task_kill, smack_task_kill), 5112 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode), 5113 5114 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission), 5115 LSM_HOOK_INIT(ipc_getlsmprop, smack_ipc_getlsmprop), 5116 5117 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security), 5118 5119 LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security), 5120 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate), 5121 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl), 5122 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd), 5123 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv), 5124 5125 LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security), 5126 LSM_HOOK_INIT(shm_associate, smack_shm_associate), 5127 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl), 5128 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat), 5129 5130 LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security), 5131 LSM_HOOK_INIT(sem_associate, smack_sem_associate), 5132 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl), 5133 LSM_HOOK_INIT(sem_semop, smack_sem_semop), 5134 5135 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate), 5136 5137 LSM_HOOK_INIT(getselfattr, smack_getselfattr), 5138 LSM_HOOK_INIT(setselfattr, smack_setselfattr), 5139 LSM_HOOK_INIT(getprocattr, smack_getprocattr), 5140 LSM_HOOK_INIT(setprocattr, smack_setprocattr), 5141 5142 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect), 5143 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send), 5144 5145 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create), 5146 LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair), 5147 #ifdef SMACK_IPV6_PORT_LABELING 5148 LSM_HOOK_INIT(socket_bind, smack_socket_bind), 5149 #endif 5150 LSM_HOOK_INIT(socket_connect, smack_socket_connect), 5151 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg), 5152 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb), 5153 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream), 5154 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram), 5155 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security), 5156 #ifdef SMACK_IPV6_PORT_LABELING 5157 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security), 5158 #endif 5159 LSM_HOOK_INIT(sk_clone_security, smack_sk_clone_security), 5160 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request), 5161 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone), 5162 5163 /* key management security hooks */ 5164 #ifdef CONFIG_KEYS 5165 LSM_HOOK_INIT(key_alloc, smack_key_alloc), 5166 LSM_HOOK_INIT(key_permission, smack_key_permission), 5167 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity), 5168 #ifdef CONFIG_KEY_NOTIFICATIONS 5169 LSM_HOOK_INIT(watch_key, smack_watch_key), 5170 #endif 5171 #endif /* CONFIG_KEYS */ 5172 5173 #ifdef CONFIG_WATCH_QUEUE 5174 LSM_HOOK_INIT(post_notification, smack_post_notification), 5175 #endif 5176 5177 /* Audit hooks */ 5178 #ifdef CONFIG_AUDIT 5179 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init), 5180 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known), 5181 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match), 5182 #endif /* CONFIG_AUDIT */ 5183 5184 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel), 5185 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx), 5186 LSM_HOOK_INIT(lsmprop_to_secctx, smack_lsmprop_to_secctx), 5187 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid), 5188 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx), 5189 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx), 5190 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx), 5191 LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up), 5192 LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr), 5193 LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as), 5194 #ifdef CONFIG_IO_URING 5195 LSM_HOOK_INIT(uring_override_creds, smack_uring_override_creds), 5196 LSM_HOOK_INIT(uring_sqpoll, smack_uring_sqpoll), 5197 LSM_HOOK_INIT(uring_cmd, smack_uring_cmd), 5198 #endif 5199 }; 5200 5201 5202 static __init void init_smack_known_list(void) 5203 { 5204 /* 5205 * Initialize rule list locks 5206 */ 5207 mutex_init(&smack_known_huh.smk_rules_lock); 5208 mutex_init(&smack_known_hat.smk_rules_lock); 5209 mutex_init(&smack_known_floor.smk_rules_lock); 5210 mutex_init(&smack_known_star.smk_rules_lock); 5211 mutex_init(&smack_known_web.smk_rules_lock); 5212 /* 5213 * Initialize rule lists 5214 */ 5215 INIT_LIST_HEAD(&smack_known_huh.smk_rules); 5216 INIT_LIST_HEAD(&smack_known_hat.smk_rules); 5217 INIT_LIST_HEAD(&smack_known_star.smk_rules); 5218 INIT_LIST_HEAD(&smack_known_floor.smk_rules); 5219 INIT_LIST_HEAD(&smack_known_web.smk_rules); 5220 /* 5221 * Create the known labels list 5222 */ 5223 smk_insert_entry(&smack_known_huh); 5224 smk_insert_entry(&smack_known_hat); 5225 smk_insert_entry(&smack_known_star); 5226 smk_insert_entry(&smack_known_floor); 5227 smk_insert_entry(&smack_known_web); 5228 } 5229 5230 /** 5231 * smack_init - initialize the smack system 5232 * 5233 * Returns 0 on success, -ENOMEM is there's no memory 5234 */ 5235 static __init int smack_init(void) 5236 { 5237 struct cred *cred = (struct cred *) current->cred; 5238 struct task_smack *tsp; 5239 5240 smack_rule_cache = KMEM_CACHE(smack_rule, 0); 5241 if (!smack_rule_cache) 5242 return -ENOMEM; 5243 5244 /* 5245 * Set the security state for the initial task. 5246 */ 5247 tsp = smack_cred(cred); 5248 init_task_smack(tsp, &smack_known_floor, &smack_known_floor); 5249 5250 /* 5251 * Register with LSM 5252 */ 5253 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), &smack_lsmid); 5254 smack_enabled = 1; 5255 5256 pr_info("Smack: Initializing.\n"); 5257 #ifdef CONFIG_SECURITY_SMACK_NETFILTER 5258 pr_info("Smack: Netfilter enabled.\n"); 5259 #endif 5260 #ifdef SMACK_IPV6_PORT_LABELING 5261 pr_info("Smack: IPv6 port labeling enabled.\n"); 5262 #endif 5263 #ifdef SMACK_IPV6_SECMARK_LABELING 5264 pr_info("Smack: IPv6 Netfilter enabled.\n"); 5265 #endif 5266 5267 /* initialize the smack_known_list */ 5268 init_smack_known_list(); 5269 5270 return 0; 5271 } 5272 5273 /* 5274 * Smack requires early initialization in order to label 5275 * all processes and objects when they are created. 5276 */ 5277 DEFINE_LSM(smack) = { 5278 .name = "smack", 5279 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 5280 .blobs = &smack_blob_sizes, 5281 .init = smack_init, 5282 }; 5283