13#ifndef _SECURITY_SMACK_H
14#define _SECURITY_SMACK_H
15
16#include <linux/capability.h>
17#include <linux/spinlock.h>
18#include <linux/security.h>
19#include <linux/in.h>
20#include <net/netlabel.h>
21#include <linux/list.h>
22#include <linux/rculist.h>
23#include <linux/lsm_audit.h>
24
25
26
27
/*
 * Label size limits.
 *
 * SMK_LABELLEN is the fixed-size label bound and SMK_LONGLABEL the larger
 * limit for long labels; which bound applies on a given path is decided in
 * the .c files, so every parser must check against the one matching the
 * buffer it writes into -- an unchecked copy of a longer label is a plain
 * buffer overflow.  SMK_CIPSOLEN is presumably the CIPSO-side bound; it
 * happens to equal SMK_LABELLEN today, so keep the two in step if either
 * is changed.
 */
#define SMK_LABELLEN	24
#define SMK_LONGLABEL	256

#define SMK_CIPSOLEN	24
39
/*
 * Per-superblock Smack state.
 *
 * The four label pointers line up with the smackfs{root,floor,hat,def}=
 * mount options defined further down and are presumably filled in when the
 * superblock is set up (the .c files decide how each is used).
 * smk_initialized presumably records whether that setup has run.
 * Smack compares label pointers by identity (see smack_privileged()), so
 * these must point at interned labels, never at private copies.
 */
struct superblock_smack {
	char		*smk_root;
	char		*smk_floor;
	char		*smk_hat;
	char		*smk_default;
	int		smk_initialized;
};
47
/*
 * Per-socket Smack state: the label for traffic leaving the socket
 * (smk_out), the label for traffic it may receive (smk_in), and
 * smk_packet, presumably the label taken from the last packet seen.
 * The exact use of each is defined by the networking hooks, not here.
 */
struct socket_smack {
	char		*smk_out;
	char		*smk_in;
	char		*smk_packet;
};
53
54
55
56
/*
 * Per-inode Smack state.
 *
 * smk_inode is the inode's own label (returned by smk_of_inode()).
 * smk_task and smk_mmap are further labels whose meaning (presumably the
 * label an exec'd task gets and an mmap restriction) is set by the .c
 * files.  smk_flags is a bit set of the SMK_INODE_* values below;
 * smk_inode_transmutable() tests SMK_INODE_TRANSMUTE in it.  smk_lock is
 * the mutex guarding this structure; which updates take it is decided by
 * the callers, so a new writer must look at the existing ones first.
 */
struct inode_smack {
	char		*smk_inode;
	char		*smk_task;
	char		*smk_mmap;
	struct mutex	smk_lock;
	int		smk_flags;
};
64
/*
 * Per-credential Smack state.
 *
 * smk_task is the label the task runs with (smk_of_task(); via
 * smk_of_current() the calling task's label).  smk_forked is a second
 * label exposed by smk_of_forked() -- presumably the one children
 * inherit.  smk_rules/smk_rules_lock hold a rule list private to this
 * task, mirroring the per-label list in struct smack_known.
 */
struct task_smack {
	char			*smk_task;
	char			*smk_forked;
	struct list_head	smk_rules;
	struct mutex		smk_rules_lock;
};
71
/*
 * Bits for inode_smack.smk_flags.  SMK_INODE_TRANSMUTE is what
 * smk_inode_transmutable() tests; the meaning of INSTANT and CHANGED is
 * set by their users in the .c files.
 */
#define	SMK_INODE_INSTANT	0x01
#define	SMK_INODE_TRANSMUTE	0x02
#define	SMK_INODE_CHANGED	0x04
75
76
77
78
/*
 * One access rule: a subject label, an object label and an access mask.
 * smk_access is an int; the MAY_* values below are presumably the bits it
 * holds.  Rules live on the smk_rules lists of struct smack_known and
 * struct task_smack, and smk_access_entry() walks such a list.  As
 * elsewhere in Smack the label pointers are presumably compared by
 * identity, so subject/object must be interned labels.
 */
struct smack_rule {
	struct list_head	list;
	char			*smk_subject;
	char			*smk_object;
	int			smk_access;
};
85
86
87
88
/*
 * A host/netmask -> label mapping, presumably applied to traffic that
 * carries no label of its own.  The types are sockaddr_in and in_addr, so
 * this is IPv4 only.  Entries are kept on smk_netlbladdr_list (declared
 * below).  Match order when masks overlap is decided by the list's
 * maintainer in the .c files; a longest-prefix policy should be confirmed
 * there, since a broad entry shadowing a narrow one silently changes the
 * label a peer gets.
 */
struct smk_netlbladdr {
	struct list_head	list;
	struct sockaddr_in	smk_host;
	struct in_addr		smk_mask;
	char			*smk_label;
};
95
/*
 * One interned label.
 *
 * smk_known is the label text; smk_secid the u32 secid handed to the rest
 * of the kernel (smack_to_secid()/smack_from_secid()); smk_netlabel the
 * NetLabel attribute set derived for the label; smk_rules/smk_rules_lock
 * a rule list, presumably the rules with this label as subject.  Known
 * labels are strung on smack_known_list under smack_known_lock (declared
 * below) and obtained through the smk_import*()/smk_find_entry()
 * prototypes.  Because the rest of Smack holds raw pointers to these and
 * compares them by identity, an entry must never be freed while any such
 * reference can exist.
 */
struct smack_known {
	struct list_head		list;
	char				*smk_known;
	u32				smk_secid;
	struct netlbl_lsm_secattr	smk_netlabel;
	struct list_head		smk_rules;
	struct mutex			smk_rules_lock;
};
127
128
129
130
/*
 * Mount option keywords.  Each is a "name=" prefix followed by a label
 * that presumably initialises the matching superblock_smack field.  The
 * label text is untrusted input from the mounting task and is subject to
 * the length limits above.
 */
#define SMK_FSDEFAULT	"smackfsdef="
#define SMK_FSFLOOR	"smackfsfloor="
#define SMK_FSHAT	"smackfshat="
#define SMK_FSROOT	"smackfsroot="

/* Option string for CIPSO handling; exported as smack_cipso_option below. */
#define SMACK_CIPSO_OPTION	"-CIPSO"
/* Socket labeling states. */
#define SMACK_UNLABELED_SOCKET	0
#define SMACK_CIPSO_SOCKET	1

/*
 * CIPSO parameters.  The DOI and the direct/mapped level defaults
 * presumably seed the tunables declared below (smack_cipso_direct,
 * smack_cipso_mapped); DOI_INVALID marks an unset DOI.  The MAX* values
 * bound what a CIPSO option may carry -- any level or category number
 * taken from the wire or from smackfs must be checked against them before
 * it is used to size or index anything.
 */
#define SMACK_CIPSO_DOI_DEFAULT		3	/* Historical */
#define SMACK_CIPSO_DOI_INVALID		-1	/* Not a DOI */
#define SMACK_CIPSO_DIRECT_DEFAULT	250	/* Arbitrary */
#define SMACK_CIPSO_MAPPED_DEFAULT	251	/* Also arbitrary */
#define SMACK_CIPSO_MAXCATVAL		63	/* Bigger gets harder */
#define SMACK_CIPSO_MAXLEVEL		255	/* CIPSO 2.2 standard */
#define SMACK_CIPSO_MAXCATNUM		239	/* CIPSO 2.2 standard */
/*
 * Smack-specific access bit, presumably OR'd with the VFS MAY_READ /
 * MAY_WRITE / MAY_EXEC / MAY_APPEND bits in rule access masks.
 * NOTE(review): the VFS MAY_* definitions are not visible here; confirm
 * against linux/fs.h for this kernel version that 64 does not alias one
 * of them, because an overlap would let a VFS permission mask be read as
 * a transmute request or vice versa.
 */
#define MAY_TRANSMUTE	64

/* Convenience combinations of VFS access bits. */
#define MAY_ANYREAD	(MAY_READ | MAY_EXEC)
#define MAY_READWRITE	(MAY_READ | MAY_WRITE)
#define MAY_NOT		0

/* Number of distinct access types in a rule (presumably r, w, x, a, t). */
#define SMK_NUM_ACCESS_TYPE 5
177
178
/*
 * Smack-specific part of an audit record: the hook that produced it, the
 * subject and object labels, a request string and the result.
 * smk_ad_init() zeroes the structure and sets function; the remaining
 * fields are filled by smack_log() and its callers.
 */
struct smack_audit_data {
	const char *function;
	char *subject;
	char *object;
	char *request;
	int result;
};
/*
 * Audit context carried through an access check.  With CONFIG_AUDIT it
 * holds the generic common_audit_data plus the Smack-specific data; without
 * it the structure is empty and the smk_ad_* helpers below are no-ops.
 */
struct smk_audit_info {
#ifdef CONFIG_AUDIT
	struct common_audit_data a;
	struct smack_audit_data sad;
#endif
};
197
198
199
/* Allocate per-inode Smack state carrying the given label. */
struct inode_smack *new_inode_smack(char *);

/*
 * Access decision entry points (defined in the .c files).
 * smk_access_entry() looks a subject/object pair up in one rule list;
 * smk_access() decides a request between two labels and smk_curacc() a
 * request by the current task against an object label, both with an
 * audit context.  The return conventions (0 / -errno) are set by the
 * definitions -- check there before relying on them.
 */
int smk_access_entry(char *, char *, struct list_head *);
int smk_access(char *, char *, int, struct smk_audit_info *);
int smk_curacc(char *, u32, struct smk_audit_info *);
/* secid -> label translation for the LSM interface. */
char *smack_from_secid(const u32);
/*
 * Label parsing and import.  The length argument says how many bytes of
 * the input are valid; it is the only bound these take, so callers that
 * get lengths from user space (xattrs, smackfs writes) must validate them
 * first.  Whether the result is a fresh allocation or an interned pointer
 * differs between smk_parse_smack() and the smk_import*() family -- read
 * the definitions before freeing anything returned here.
 */
char *smk_parse_smack(const char *string, int len);
int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
char *smk_import(const char *, int);
struct smack_known *smk_import_entry(const char *, int);
struct smack_known *smk_find_entry(const char *);
u32 smack_to_secid(const char *);
215
216
217
218
/* CIPSO tunables and the ambient label for unlabeled traffic (presumably set via smackfs). */
extern int smack_cipso_direct;
extern int smack_cipso_mapped;
extern char *smack_net_ambient;
/*
 * When non-NULL, capability checks that go through smack_privileged()
 * succeed only for tasks whose label is this one; NULL means any capable
 * task.  smack_privileged() reads it without a lock, so the writer must
 * publish a pointer that stays valid, i.e. an interned label.
 */
extern char *smack_onlycap;
extern const char *smack_cipso_option;

/* Built-in labels. */
extern struct smack_known smack_known_floor;
extern struct smack_known smack_known_hat;
extern struct smack_known smack_known_huh;
extern struct smack_known smack_known_invalid;
extern struct smack_known smack_known_star;
extern struct smack_known smack_known_web;

/* Registry of known labels (list + its mutex) and the netlabel address list. */
extern struct mutex	smack_known_lock;
extern struct list_head smack_known_list;
extern struct list_head smk_netlbladdr_list;

/* The hook table registered with the security framework. */
extern struct security_operations smack_ops;
/*
 * smk_inode_transmutable - does this inode carry the transmute flag?
 * @isp: the inode; its i_security must already point at an inode_smack
 *
 * Tests SMK_INODE_TRANSMUTE in the inode's smk_flags.  No lock is taken,
 * so the answer is a snapshot.
 *
 * Returns 1 if the flag is set, 0 otherwise.
 */
static inline int smk_inode_transmutable(const struct inode *isp)
{
	const struct inode_smack *sip = isp->i_security;

	return !!(sip->smk_flags & SMK_INODE_TRANSMUTE);
}
/*
 * smk_of_inode - the label attached to an inode
 * @isp: the inode; its i_security must already point at an inode_smack
 *
 * Returns the smk_inode pointer as stored.  No reference or lock is
 * taken; the pointer is an interned label and must not be freed.
 */
static inline char *smk_of_inode(const struct inode *isp)
{
	return ((struct inode_smack *)isp->i_security)->smk_inode;
}
/*
 * smk_of_task - the label a task runs with
 * @tsp: the task's Smack credential blob
 *
 * Returns tsp->smk_task as stored.  Callers such as smack_privileged()
 * compare the result by pointer identity, so it must be the interned
 * label, never a copy.
 */
static inline char *smk_of_task(const struct task_smack *tsp)
{
	char *label = tsp->smk_task;

	return label;
}
/*
 * smk_of_forked - the task's second (forked) label
 * @tsp: the task's Smack credential blob
 *
 * Returns tsp->smk_forked as stored -- presumably the label a child
 * receives; its use is defined in the .c files.
 */
static inline char *smk_of_forked(const struct task_smack *tsp)
{
	char *label = tsp->smk_forked;

	return label;
}
/*
 * smk_of_current - the label of the calling task
 *
 * Reads the current credentials' security blob as a task_smack and
 * returns its smk_task label.  Must be called from task context.
 */
static inline char *smk_of_current(void)
{
	const struct task_smack *tsp = current_security();

	return smk_of_task(tsp);
}
/*
 * smack_privileged - is the current task allowed to use a capability?
 * @cap: the capability being exercised
 *
 * Two gates, both of which must pass:
 *  1. the ordinary kernel capable() check, evaluated first so that its own
 *     bookkeeping happens exactly as it would for any other caller;
 *  2. the Smack "onlycap" restriction: when smack_onlycap is set, only a
 *     task whose label *is* that label (pointer identity -- labels are
 *     interned, so this is the identity test used throughout Smack) keeps
 *     the capability.
 * smack_onlycap is read once into a local without any lock; the writer
 * is expected to swap in an interned pointer atomically.
 *
 * Returns 1 if privileged, 0 otherwise.
 */
static inline int smack_privileged(int cap)
{
	char *onlycap;

	if (!capable(cap))
		return 0;

	onlycap = smack_onlycap;
	if (onlycap != NULL && onlycap != smk_of_current())
		return 0;

	return 1;
}
/*
 * Audit policy: which outcomes smack_log() records.  log_policy is
 * presumably a mask of these two bits, so 0 logs nothing and
 * SMACK_AUDIT_DENIED | SMACK_AUDIT_ACCEPT logs every decision.
 */
#define SMACK_AUDIT_DENIED 0x1
#define SMACK_AUDIT_ACCEPT 0x2
extern int log_policy;

/*
 * Emit an audit record for one decision: the subject/object labels, the
 * requested access mask, the result and the context built with the
 * smk_ad_* helpers below.  Which results are actually recorded is
 * governed by log_policy.
 */
void smack_log(char *subject_label, char *object_label,
		int request,
		int result, struct smk_audit_info *auditdata);
303
304#ifdef CONFIG_AUDIT
/*
 * smk_ad_init - initialise an audit context
 * @a: the context to set up
 * @func: name of the hook producing the record
 * @type: the common_audit_data type for the union payload
 *
 * Zeroes the Smack-specific part, records @func in it, sets the record
 * type and links the Smack part into the generic common_audit_data.
 * The union payload (a->a.u) is left for the smk_ad_setfield_* helpers.
 */
static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
			       char type)
{
	struct smack_audit_data *sad = &a->sad;

	memset(sad, 0, sizeof(*sad));
	sad->function = func;

	a->a.type = type;
	a->a.smack_audit_data = sad;
}
319
/*
 * smk_ad_init_net - initialise an audit context for a networking hook
 * @a: the context to set up
 * @func: name of the hook producing the record
 * @type: the common_audit_data type for the union payload
 * @net: caller-provided network audit data, zeroed here and attached to @a
 *
 * @net must outlive @a's use; only a pointer to it is stored.
 */
static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
				   char type, struct lsm_network_audit *net)
{
	memset(net, 0, sizeof(*net));
	smk_ad_init(a, func, type);
	a->a.u.net = net;
}
327
/* Attach a task to the audit record; valid only when the record type expects one. */
static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
					 struct task_struct *t)
{
	struct common_audit_data *cad = &a->a;

	cad->u.tsk = t;
}
/* Attach a dentry to the audit record; valid only when the record type expects one. */
static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
						    struct dentry *d)
{
	struct common_audit_data *cad = &a->a;

	cad->u.dentry = d;
}
/* Attach an inode to the audit record; valid only when the record type expects one. */
static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
					      struct inode *i)
{
	struct common_audit_data *cad = &a->a;

	cad->u.inode = i;
}
/* Attach a path (by value) to the audit record; valid only when the record type expects one. */
static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
					     struct path p)
{
	struct common_audit_data *cad = &a->a;

	cad->u.path = p;
}
/*
 * Attach a socket to the network audit data.  Requires that
 * smk_ad_init_net() already attached a->a.u.net; calling this after a
 * plain smk_ad_init() dereferences whatever the union holds.
 */
static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
					    struct sock *sk)
{
	struct lsm_network_audit *net = a->a.u.net;

	net->sk = sk;
}
353
354#else
355
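/*
 * !CONFIG_AUDIT stubs: the audit helpers collapse to nothing so callers
 * need no #ifdef of their own.
 *
 * Every helper the CONFIG_AUDIT branch provides needs a twin here with the
 * same signature, otherwise a caller builds only when auditing is
 * configured in.  This branch lacked smk_ad_init_net(); it is added below.
 */
static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
			       char type)
{
}

/*
 * Twin of the CONFIG_AUDIT smk_ad_init_net().  @net is left untouched:
 * with no audit record being produced there is nothing to zero it for.
 */
static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
				   char type, struct lsm_network_audit *net)
{
}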
/* No-op without CONFIG_AUDIT; the arguments are deliberately unused. */
static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
					 struct task_struct *t)
{
	(void)a;
	(void)t;
}
/* No-op without CONFIG_AUDIT; the arguments are deliberately unused. */
static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
						    struct dentry *d)
{
	(void)a;
	(void)d;
}
/*
 * No-op without CONFIG_AUDIT.  Note that the CONFIG_AUDIT branch above
 * has no counterpart for this helper, so nothing that builds with
 * auditing enabled can be calling it.
 */
static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
						 struct vfsmount *m)
{
	(void)a;
	(void)m;
}
/* No-op without CONFIG_AUDIT; the arguments are deliberately unused. */
static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
					      struct inode *i)
{
	(void)a;
	(void)i;
}
/* No-op without CONFIG_AUDIT; the arguments are deliberately unused. */
static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
					     struct path p)
{
	(void)a;
	(void)p;
}
/* No-op without CONFIG_AUDIT; the arguments are deliberately unused. */
static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
					    struct sock *sk)
{
	(void)a;
	(void)sk;
}
384#endif
385
386#endif
387