1
2
3
4
5
6
7
8
9
10
11
12
13#ifndef _SECURITY_SMACK_H
14#define _SECURITY_SMACK_H
15
16#include <linux/capability.h>
17#include <linux/spinlock.h>
18#include <linux/lsm_hooks.h>
19#include <linux/in.h>
20#if IS_ENABLED(CONFIG_IPV6)
21#include <linux/in6.h>
22#endif
23#include <net/netlabel.h>
24#include <linux/list.h>
25#include <linux/rculist.h>
26#include <linux/lsm_audit.h>
27
28
29
30
31
32#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
33#define SMACK_IPV6_PORT_LABELING 1
34#endif
35
36#if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
37#define SMACK_IPV6_SECMARK_LABELING 1
38#endif
39
40
41
42
43#define SMK_LABELLEN 24
44#define SMK_LONGLABEL 256
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69struct smack_known {
70 struct list_head list;
71 struct hlist_node smk_hashed;
72 char *smk_known;
73 u32 smk_secid;
74 struct netlbl_lsm_secattr smk_netlabel;
75 struct list_head smk_rules;
76 struct mutex smk_rules_lock;
77};
78
79
80
81
82
83
84
85
86#define SMK_CIPSOLEN 24
87
88struct superblock_smack {
89 struct smack_known *smk_root;
90 struct smack_known *smk_floor;
91 struct smack_known *smk_hat;
92 struct smack_known *smk_default;
93 int smk_initialized;
94};
95
96struct socket_smack {
97 struct smack_known *smk_out;
98 struct smack_known *smk_in;
99 struct smack_known *smk_packet;
100};
101
102
103
104
105struct inode_smack {
106 struct smack_known *smk_inode;
107 struct smack_known *smk_task;
108 struct smack_known *smk_mmap;
109 struct mutex smk_lock;
110 int smk_flags;
111};
112
113struct task_smack {
114 struct smack_known *smk_task;
115 struct smack_known *smk_forked;
116 struct list_head smk_rules;
117 struct mutex smk_rules_lock;
118 struct list_head smk_relabel;
119};
120
121#define SMK_INODE_INSTANT 0x01
122#define SMK_INODE_TRANSMUTE 0x02
123#define SMK_INODE_CHANGED 0x04
124#define SMK_INODE_IMPURE 0x08
125
126
127
128
129struct smack_rule {
130 struct list_head list;
131 struct smack_known *smk_subject;
132 struct smack_known *smk_object;
133 int smk_access;
134};
135
136
137
138
139struct smk_net4addr {
140 struct list_head list;
141 struct in_addr smk_host;
142 struct in_addr smk_mask;
143 int smk_masks;
144 struct smack_known *smk_label;
145};
146
147#if IS_ENABLED(CONFIG_IPV6)
148
149
150
151struct smk_net6addr {
152 struct list_head list;
153 struct in6_addr smk_host;
154 struct in6_addr smk_mask;
155 int smk_masks;
156 struct smack_known *smk_label;
157};
158#endif
159
160#ifdef SMACK_IPV6_PORT_LABELING
161
162
163
164struct smk_port_label {
165 struct list_head list;
166 struct sock *smk_sock;
167 unsigned short smk_port;
168 struct smack_known *smk_in;
169 struct smack_known *smk_out;
170};
171#endif
172
173struct smack_known_list_elem {
174 struct list_head list;
175 struct smack_known *smk_label;
176};
177
178
179#define FSDEFAULT_MNT 0x01
180#define FSFLOOR_MNT 0x02
181#define FSHAT_MNT 0x04
182#define FSROOT_MNT 0x08
183#define FSTRANS_MNT 0x10
184
185#define NUM_SMK_MNT_OPTS 5
186
187enum {
188 Opt_error = -1,
189 Opt_fsdefault = 1,
190 Opt_fsfloor = 2,
191 Opt_fshat = 3,
192 Opt_fsroot = 4,
193 Opt_fstransmute = 5,
194};
195
196
197
198
199#define SMK_FSDEFAULT "smackfsdef="
200#define SMK_FSFLOOR "smackfsfloor="
201#define SMK_FSHAT "smackfshat="
202#define SMK_FSROOT "smackfsroot="
203#define SMK_FSTRANS "smackfstransmute="
204
205#define SMACK_DELETE_OPTION "-DELETE"
206#define SMACK_CIPSO_OPTION "-CIPSO"
207
208
209
210
211
212
213
214
215
216
217
218#define SMACK_UNLABELED_SOCKET 0
219#define SMACK_CIPSO_SOCKET 1
220
221
222
223
224#define SMACK_CIPSO_DOI_DEFAULT 3
225#define SMACK_CIPSO_DOI_INVALID -1
226#define SMACK_CIPSO_DIRECT_DEFAULT 250
227#define SMACK_CIPSO_MAPPED_DEFAULT 251
228#define SMACK_CIPSO_MAXLEVEL 255
229
230
231
232
233
234#define SMACK_CIPSO_MAXCATNUM 184
235
236
237
238
239#define SMACK_PTRACE_DEFAULT 0
240#define SMACK_PTRACE_EXACT 1
241#define SMACK_PTRACE_DRACONIAN 2
242#define SMACK_PTRACE_MAX SMACK_PTRACE_DRACONIAN
243
244
245
246
247
248
249#define MAY_TRANSMUTE 0x00001000
250#define MAY_LOCK 0x00002000
251#define MAY_BRINGUP 0x00004000
252
253#define SMACK_BRINGUP_ALLOW 1
254#define SMACK_UNCONFINED_SUBJECT 2
255#define SMACK_UNCONFINED_OBJECT 3
256
257
258
259
260#define MAY_ANYREAD (MAY_READ | MAY_EXEC)
261#define MAY_READWRITE (MAY_READ | MAY_WRITE)
262#define MAY_NOT 0
263
264
265
266
267#define SMK_NUM_ACCESS_TYPE 7
268
269
270struct smack_audit_data {
271 const char *function;
272 char *subject;
273 char *object;
274 char *request;
275 int result;
276};
277
278
279
280
281
282struct smk_audit_info {
283#ifdef CONFIG_AUDIT
284 struct common_audit_data a;
285 struct smack_audit_data sad;
286#endif
287};
288
289
290
291
292int smk_access_entry(char *, char *, struct list_head *);
293int smk_access(struct smack_known *, struct smack_known *,
294 int, struct smk_audit_info *);
295int smk_tskacc(struct task_smack *, struct smack_known *,
296 u32, struct smk_audit_info *);
297int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
298struct smack_known *smack_from_secid(const u32);
299char *smk_parse_smack(const char *string, int len);
300int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
301struct smack_known *smk_import_entry(const char *, int);
302void smk_insert_entry(struct smack_known *skp);
303struct smack_known *smk_find_entry(const char *);
304int smack_privileged(int cap);
305void smk_destroy_label_list(struct list_head *list);
306
307
308
309
310extern int smack_enabled;
311extern int smack_cipso_direct;
312extern int smack_cipso_mapped;
313extern struct smack_known *smack_net_ambient;
314extern struct smack_known *smack_syslog_label;
315#ifdef CONFIG_SECURITY_SMACK_BRINGUP
316extern struct smack_known *smack_unconfined;
317#endif
318extern int smack_ptrace_rule;
319
320extern struct smack_known smack_known_floor;
321extern struct smack_known smack_known_hat;
322extern struct smack_known smack_known_huh;
323extern struct smack_known smack_known_invalid;
324extern struct smack_known smack_known_star;
325extern struct smack_known smack_known_web;
326
327extern struct mutex smack_known_lock;
328extern struct list_head smack_known_list;
329extern struct list_head smk_net4addr_list;
330#if IS_ENABLED(CONFIG_IPV6)
331extern struct list_head smk_net6addr_list;
332#endif
333
334extern struct mutex smack_onlycap_lock;
335extern struct list_head smack_onlycap_list;
336
337#define SMACK_HASH_SLOTS 16
338extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
339
340
341
342
343static inline int smk_inode_transmutable(const struct inode *isp)
344{
345 struct inode_smack *sip = isp->i_security;
346 return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
347}
348
349
350
351
352static inline struct smack_known *smk_of_inode(const struct inode *isp)
353{
354 struct inode_smack *sip = isp->i_security;
355 return sip->smk_inode;
356}
357
358
359
360
361static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
362{
363 return tsp->smk_task;
364}
365
366static inline struct smack_known *smk_of_task_struct(const struct task_struct *t)
367{
368 struct smack_known *skp;
369
370 rcu_read_lock();
371 skp = smk_of_task(__task_cred(t)->security);
372 rcu_read_unlock();
373 return skp;
374}
375
376
377
378
379static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
380{
381 return tsp->smk_forked;
382}
383
384
385
386
387static inline struct smack_known *smk_of_current(void)
388{
389 return smk_of_task(current_security());
390}
391
392
393
394
395#define SMACK_AUDIT_DENIED 0x1
396#define SMACK_AUDIT_ACCEPT 0x2
397extern int log_policy;
398
399void smack_log(char *subject_label, char *object_label,
400 int request,
401 int result, struct smk_audit_info *auditdata);
402
403#ifdef CONFIG_AUDIT
404
405
406
407
408
409
410static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
411 char type)
412{
413 memset(&a->sad, 0, sizeof(a->sad));
414 a->a.type = type;
415 a->a.smack_audit_data = &a->sad;
416 a->a.smack_audit_data->function = func;
417}
418
419static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
420 char type, struct lsm_network_audit *net)
421{
422 smk_ad_init(a, func, type);
423 memset(net, 0, sizeof(*net));
424 a->a.u.net = net;
425}
426
427static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
428 struct task_struct *t)
429{
430 a->a.u.tsk = t;
431}
432static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
433 struct dentry *d)
434{
435 a->a.u.dentry = d;
436}
437static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
438 struct inode *i)
439{
440 a->a.u.inode = i;
441}
442static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
443 struct path p)
444{
445 a->a.u.path = p;
446}
447static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
448 struct sock *sk)
449{
450 a->a.u.net->sk = sk;
451}
452
453#else
454
455static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
456 char type)
457{
458}
459static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
460 struct task_struct *t)
461{
462}
463static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
464 struct dentry *d)
465{
466}
467static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a,
468 struct vfsmount *m)
469{
470}
471static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
472 struct inode *i)
473{
474}
475static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
476 struct path p)
477{
478}
479static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
480 struct sock *sk)
481{
482}
483#endif
484
485#endif
486