1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21#include <linux/xattr.h>
22#include <linux/pagemap.h>
23#include <linux/mount.h>
24#include <linux/stat.h>
25#include <linux/kd.h>
26#include <asm/ioctls.h>
27#include <linux/ip.h>
28#include <linux/tcp.h>
29#include <linux/udp.h>
30#include <linux/dccp.h>
31#include <linux/slab.h>
32#include <linux/mutex.h>
33#include <linux/pipe_fs_i.h>
34#include <net/cipso_ipv4.h>
35#include <net/ip.h>
36#include <net/ipv6.h>
37#include <linux/audit.h>
38#include <linux/magic.h>
39#include <linux/dcache.h>
40#include <linux/personality.h>
41#include <linux/msg.h>
42#include <linux/shm.h>
43#include <linux/binfmts.h>
44#include <linux/parser.h>
45#include "smack.h"
46
47#define TRANS_TRUE "TRUE"
48#define TRANS_TRUE_SIZE 4
49
50#define SMK_CONNECTING 0
51#define SMK_RECEIVING 1
52#define SMK_SENDING 2
53
54#ifdef SMACK_IPV6_PORT_LABELING
55static LIST_HEAD(smk_ipv6_port_list);
56#endif
57static struct kmem_cache *smack_inode_cache;
58int smack_enabled;
59
60static const match_table_t smk_mount_tokens = {
61 {Opt_fsdefault, SMK_FSDEFAULT "%s"},
62 {Opt_fsfloor, SMK_FSFLOOR "%s"},
63 {Opt_fshat, SMK_FSHAT "%s"},
64 {Opt_fsroot, SMK_FSROOT "%s"},
65 {Opt_fstransmute, SMK_FSTRANS "%s"},
66 {Opt_error, NULL},
67};
68
69#ifdef CONFIG_SECURITY_SMACK_BRINGUP
70static char *smk_bu_mess[] = {
71 "Bringup Error",
72 "Bringup",
73 "Unconfined Subject",
74 "Unconfined Object",
75};
76
77static void smk_bu_mode(int mode, char *s)
78{
79 int i = 0;
80
81 if (mode & MAY_READ)
82 s[i++] = 'r';
83 if (mode & MAY_WRITE)
84 s[i++] = 'w';
85 if (mode & MAY_EXEC)
86 s[i++] = 'x';
87 if (mode & MAY_APPEND)
88 s[i++] = 'a';
89 if (mode & MAY_TRANSMUTE)
90 s[i++] = 't';
91 if (mode & MAY_LOCK)
92 s[i++] = 'l';
93 if (i == 0)
94 s[i++] = '-';
95 s[i] = '\0';
96}
97#endif
98
99#ifdef CONFIG_SECURITY_SMACK_BRINGUP
100static int smk_bu_note(char *note, struct smack_known *sskp,
101 struct smack_known *oskp, int mode, int rc)
102{
103 char acc[SMK_NUM_ACCESS_TYPE + 1];
104
105 if (rc <= 0)
106 return rc;
107 if (rc > SMACK_UNCONFINED_OBJECT)
108 rc = 0;
109
110 smk_bu_mode(mode, acc);
111 pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc],
112 sskp->smk_known, oskp->smk_known, acc, note);
113 return 0;
114}
115#else
116#define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
117#endif
118
119#ifdef CONFIG_SECURITY_SMACK_BRINGUP
120static int smk_bu_current(char *note, struct smack_known *oskp,
121 int mode, int rc)
122{
123 struct task_smack *tsp = current_security();
124 char acc[SMK_NUM_ACCESS_TYPE + 1];
125
126 if (rc <= 0)
127 return rc;
128 if (rc > SMACK_UNCONFINED_OBJECT)
129 rc = 0;
130
131 smk_bu_mode(mode, acc);
132 pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc],
133 tsp->smk_task->smk_known, oskp->smk_known,
134 acc, current->comm, note);
135 return 0;
136}
137#else
138#define smk_bu_current(note, oskp, mode, RC) (RC)
139#endif
140
141#ifdef CONFIG_SECURITY_SMACK_BRINGUP
142static int smk_bu_task(struct task_struct *otp, int mode, int rc)
143{
144 struct task_smack *tsp = current_security();
145 struct smack_known *smk_task = smk_of_task_struct(otp);
146 char acc[SMK_NUM_ACCESS_TYPE + 1];
147
148 if (rc <= 0)
149 return rc;
150 if (rc > SMACK_UNCONFINED_OBJECT)
151 rc = 0;
152
153 smk_bu_mode(mode, acc);
154 pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc],
155 tsp->smk_task->smk_known, smk_task->smk_known, acc,
156 current->comm, otp->comm);
157 return 0;
158}
159#else
160#define smk_bu_task(otp, mode, RC) (RC)
161#endif
162
163#ifdef CONFIG_SECURITY_SMACK_BRINGUP
164static int smk_bu_inode(struct inode *inode, int mode, int rc)
165{
166 struct task_smack *tsp = current_security();
167 struct inode_smack *isp = inode->i_security;
168 char acc[SMK_NUM_ACCESS_TYPE + 1];
169
170 if (isp->smk_flags & SMK_INODE_IMPURE)
171 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
172 inode->i_sb->s_id, inode->i_ino, current->comm);
173
174 if (rc <= 0)
175 return rc;
176 if (rc > SMACK_UNCONFINED_OBJECT)
177 rc = 0;
178 if (rc == SMACK_UNCONFINED_SUBJECT &&
179 (mode & (MAY_WRITE | MAY_APPEND)))
180 isp->smk_flags |= SMK_INODE_IMPURE;
181
182 smk_bu_mode(mode, acc);
183
184 pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc],
185 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc,
186 inode->i_sb->s_id, inode->i_ino, current->comm);
187 return 0;
188}
189#else
190#define smk_bu_inode(inode, mode, RC) (RC)
191#endif
192
193#ifdef CONFIG_SECURITY_SMACK_BRINGUP
194static int smk_bu_file(struct file *file, int mode, int rc)
195{
196 struct task_smack *tsp = current_security();
197 struct smack_known *sskp = tsp->smk_task;
198 struct inode *inode = file_inode(file);
199 struct inode_smack *isp = inode->i_security;
200 char acc[SMK_NUM_ACCESS_TYPE + 1];
201
202 if (isp->smk_flags & SMK_INODE_IMPURE)
203 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
204 inode->i_sb->s_id, inode->i_ino, current->comm);
205
206 if (rc <= 0)
207 return rc;
208 if (rc > SMACK_UNCONFINED_OBJECT)
209 rc = 0;
210
211 smk_bu_mode(mode, acc);
212 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
213 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
214 inode->i_sb->s_id, inode->i_ino, file,
215 current->comm);
216 return 0;
217}
218#else
219#define smk_bu_file(file, mode, RC) (RC)
220#endif
221
222#ifdef CONFIG_SECURITY_SMACK_BRINGUP
223static int smk_bu_credfile(const struct cred *cred, struct file *file,
224 int mode, int rc)
225{
226 struct task_smack *tsp = cred->security;
227 struct smack_known *sskp = tsp->smk_task;
228 struct inode *inode = file->f_inode;
229 struct inode_smack *isp = inode->i_security;
230 char acc[SMK_NUM_ACCESS_TYPE + 1];
231
232 if (isp->smk_flags & SMK_INODE_IMPURE)
233 pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
234 inode->i_sb->s_id, inode->i_ino, current->comm);
235
236 if (rc <= 0)
237 return rc;
238 if (rc > SMACK_UNCONFINED_OBJECT)
239 rc = 0;
240
241 smk_bu_mode(mode, acc);
242 pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
243 sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
244 inode->i_sb->s_id, inode->i_ino, file,
245 current->comm);
246 return 0;
247}
248#else
249#define smk_bu_credfile(cred, file, mode, RC) (RC)
250#endif
251
252
253
254
255
256
257
258
259
260
261static struct smack_known *smk_fetch(const char *name, struct inode *ip,
262 struct dentry *dp)
263{
264 int rc;
265 char *buffer;
266 struct smack_known *skp = NULL;
267
268 if (ip->i_op->getxattr == NULL)
269 return ERR_PTR(-EOPNOTSUPP);
270
271 buffer = kzalloc(SMK_LONGLABEL, GFP_KERNEL);
272 if (buffer == NULL)
273 return ERR_PTR(-ENOMEM);
274
275 rc = ip->i_op->getxattr(dp, name, buffer, SMK_LONGLABEL);
276 if (rc < 0)
277 skp = ERR_PTR(rc);
278 else if (rc == 0)
279 skp = NULL;
280 else
281 skp = smk_import_entry(buffer, rc);
282
283 kfree(buffer);
284
285 return skp;
286}
287
288
289
290
291
292
293
294static struct inode_smack *new_inode_smack(struct smack_known *skp)
295{
296 struct inode_smack *isp;
297
298 isp = kmem_cache_zalloc(smack_inode_cache, GFP_NOFS);
299 if (isp == NULL)
300 return NULL;
301
302 isp->smk_inode = skp;
303 isp->smk_flags = 0;
304 mutex_init(&isp->smk_lock);
305
306 return isp;
307}
308
309
310
311
312
313
314
315
316
317static struct task_smack *new_task_smack(struct smack_known *task,
318 struct smack_known *forked, gfp_t gfp)
319{
320 struct task_smack *tsp;
321
322 tsp = kzalloc(sizeof(struct task_smack), gfp);
323 if (tsp == NULL)
324 return NULL;
325
326 tsp->smk_task = task;
327 tsp->smk_forked = forked;
328 INIT_LIST_HEAD(&tsp->smk_rules);
329 INIT_LIST_HEAD(&tsp->smk_relabel);
330 mutex_init(&tsp->smk_rules_lock);
331
332 return tsp;
333}
334
335
336
337
338
339
340
341
342
343static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,
344 gfp_t gfp)
345{
346 struct smack_rule *nrp;
347 struct smack_rule *orp;
348 int rc = 0;
349
350 INIT_LIST_HEAD(nhead);
351
352 list_for_each_entry_rcu(orp, ohead, list) {
353 nrp = kzalloc(sizeof(struct smack_rule), gfp);
354 if (nrp == NULL) {
355 rc = -ENOMEM;
356 break;
357 }
358 *nrp = *orp;
359 list_add_rcu(&nrp->list, nhead);
360 }
361 return rc;
362}
363
364
365
366
367
368
369
370
371
372static int smk_copy_relabel(struct list_head *nhead, struct list_head *ohead,
373 gfp_t gfp)
374{
375 struct smack_known_list_elem *nklep;
376 struct smack_known_list_elem *oklep;
377
378 INIT_LIST_HEAD(nhead);
379
380 list_for_each_entry(oklep, ohead, list) {
381 nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp);
382 if (nklep == NULL) {
383 smk_destroy_label_list(nhead);
384 return -ENOMEM;
385 }
386 nklep->smk_label = oklep->smk_label;
387 list_add(&nklep->list, nhead);
388 }
389
390 return 0;
391}
392
393
394
395
396
397
398
399static inline unsigned int smk_ptrace_mode(unsigned int mode)
400{
401 if (mode & PTRACE_MODE_ATTACH)
402 return MAY_READWRITE;
403 if (mode & PTRACE_MODE_READ)
404 return MAY_READ;
405
406 return 0;
407}
408
409
410
411
412
413
414
415
416
417
418static int smk_ptrace_rule_check(struct task_struct *tracer,
419 struct smack_known *tracee_known,
420 unsigned int mode, const char *func)
421{
422 int rc;
423 struct smk_audit_info ad, *saip = NULL;
424 struct task_smack *tsp;
425 struct smack_known *tracer_known;
426
427 if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
428 smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
429 smk_ad_setfield_u_tsk(&ad, tracer);
430 saip = &ad;
431 }
432
433 rcu_read_lock();
434 tsp = __task_cred(tracer)->security;
435 tracer_known = smk_of_task(tsp);
436
437 if ((mode & PTRACE_MODE_ATTACH) &&
438 (smack_ptrace_rule == SMACK_PTRACE_EXACT ||
439 smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
440 if (tracer_known->smk_known == tracee_known->smk_known)
441 rc = 0;
442 else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
443 rc = -EACCES;
444 else if (capable(CAP_SYS_PTRACE))
445 rc = 0;
446 else
447 rc = -EACCES;
448
449 if (saip)
450 smack_log(tracer_known->smk_known,
451 tracee_known->smk_known,
452 0, rc, saip);
453
454 rcu_read_unlock();
455 return rc;
456 }
457
458
459 rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
460
461 rcu_read_unlock();
462 return rc;
463}
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
480{
481 struct smack_known *skp;
482
483 skp = smk_of_task_struct(ctp);
484
485 return smk_ptrace_rule_check(current, skp, mode, __func__);
486}
487
488
489
490
491
492
493
494
495
496static int smack_ptrace_traceme(struct task_struct *ptp)
497{
498 int rc;
499 struct smack_known *skp;
500
501 skp = smk_of_task(current_security());
502
503 rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
504 return rc;
505}
506
507
508
509
510
511
512
513static int smack_syslog(int typefrom_file)
514{
515 int rc = 0;
516 struct smack_known *skp = smk_of_current();
517
518 if (smack_privileged(CAP_MAC_OVERRIDE))
519 return 0;
520
521 if (smack_syslog_label != NULL && smack_syslog_label != skp)
522 rc = -EACCES;
523
524 return rc;
525}
526
527
528
529
530
531
532
533
534
535
536
537
538static int smack_sb_alloc_security(struct super_block *sb)
539{
540 struct superblock_smack *sbsp;
541
542 sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
543
544 if (sbsp == NULL)
545 return -ENOMEM;
546
547 sbsp->smk_root = &smack_known_floor;
548 sbsp->smk_default = &smack_known_floor;
549 sbsp->smk_floor = &smack_known_floor;
550 sbsp->smk_hat = &smack_known_hat;
551
552
553
554 sb->s_security = sbsp;
555
556 return 0;
557}
558
559
560
561
562
563
564static void smack_sb_free_security(struct super_block *sb)
565{
566 kfree(sb->s_security);
567 sb->s_security = NULL;
568}
569
570
571
572
573
574
575
576
577
578
579
580static int smack_sb_copy_data(char *orig, char *smackopts)
581{
582 char *cp, *commap, *otheropts, *dp;
583
584 otheropts = (char *)get_zeroed_page(GFP_KERNEL);
585 if (otheropts == NULL)
586 return -ENOMEM;
587
588 for (cp = orig, commap = orig; commap != NULL; cp = commap + 1) {
589 if (strstr(cp, SMK_FSDEFAULT) == cp)
590 dp = smackopts;
591 else if (strstr(cp, SMK_FSFLOOR) == cp)
592 dp = smackopts;
593 else if (strstr(cp, SMK_FSHAT) == cp)
594 dp = smackopts;
595 else if (strstr(cp, SMK_FSROOT) == cp)
596 dp = smackopts;
597 else if (strstr(cp, SMK_FSTRANS) == cp)
598 dp = smackopts;
599 else
600 dp = otheropts;
601
602 commap = strchr(cp, ',');
603 if (commap != NULL)
604 *commap = '\0';
605
606 if (*dp != '\0')
607 strcat(dp, ",");
608 strcat(dp, cp);
609 }
610
611 strcpy(orig, otheropts);
612 free_page((unsigned long)otheropts);
613
614 return 0;
615}
616
617
618
619
620
621
622
623
624
625
626static int smack_parse_opts_str(char *options,
627 struct security_mnt_opts *opts)
628{
629 char *p;
630 char *fsdefault = NULL;
631 char *fsfloor = NULL;
632 char *fshat = NULL;
633 char *fsroot = NULL;
634 char *fstransmute = NULL;
635 int rc = -ENOMEM;
636 int num_mnt_opts = 0;
637 int token;
638
639 opts->num_mnt_opts = 0;
640
641 if (!options)
642 return 0;
643
644 while ((p = strsep(&options, ",")) != NULL) {
645 substring_t args[MAX_OPT_ARGS];
646
647 if (!*p)
648 continue;
649
650 token = match_token(p, smk_mount_tokens, args);
651
652 switch (token) {
653 case Opt_fsdefault:
654 if (fsdefault)
655 goto out_opt_err;
656 fsdefault = match_strdup(&args[0]);
657 if (!fsdefault)
658 goto out_err;
659 break;
660 case Opt_fsfloor:
661 if (fsfloor)
662 goto out_opt_err;
663 fsfloor = match_strdup(&args[0]);
664 if (!fsfloor)
665 goto out_err;
666 break;
667 case Opt_fshat:
668 if (fshat)
669 goto out_opt_err;
670 fshat = match_strdup(&args[0]);
671 if (!fshat)
672 goto out_err;
673 break;
674 case Opt_fsroot:
675 if (fsroot)
676 goto out_opt_err;
677 fsroot = match_strdup(&args[0]);
678 if (!fsroot)
679 goto out_err;
680 break;
681 case Opt_fstransmute:
682 if (fstransmute)
683 goto out_opt_err;
684 fstransmute = match_strdup(&args[0]);
685 if (!fstransmute)
686 goto out_err;
687 break;
688 default:
689 rc = -EINVAL;
690 pr_warn("Smack: unknown mount option\n");
691 goto out_err;
692 }
693 }
694
695 opts->mnt_opts = kcalloc(NUM_SMK_MNT_OPTS, sizeof(char *), GFP_ATOMIC);
696 if (!opts->mnt_opts)
697 goto out_err;
698
699 opts->mnt_opts_flags = kcalloc(NUM_SMK_MNT_OPTS, sizeof(int),
700 GFP_ATOMIC);
701 if (!opts->mnt_opts_flags) {
702 kfree(opts->mnt_opts);
703 goto out_err;
704 }
705
706 if (fsdefault) {
707 opts->mnt_opts[num_mnt_opts] = fsdefault;
708 opts->mnt_opts_flags[num_mnt_opts++] = FSDEFAULT_MNT;
709 }
710 if (fsfloor) {
711 opts->mnt_opts[num_mnt_opts] = fsfloor;
712 opts->mnt_opts_flags[num_mnt_opts++] = FSFLOOR_MNT;
713 }
714 if (fshat) {
715 opts->mnt_opts[num_mnt_opts] = fshat;
716 opts->mnt_opts_flags[num_mnt_opts++] = FSHAT_MNT;
717 }
718 if (fsroot) {
719 opts->mnt_opts[num_mnt_opts] = fsroot;
720 opts->mnt_opts_flags[num_mnt_opts++] = FSROOT_MNT;
721 }
722 if (fstransmute) {
723 opts->mnt_opts[num_mnt_opts] = fstransmute;
724 opts->mnt_opts_flags[num_mnt_opts++] = FSTRANS_MNT;
725 }
726
727 opts->num_mnt_opts = num_mnt_opts;
728 return 0;
729
730out_opt_err:
731 rc = -EINVAL;
732 pr_warn("Smack: duplicate mount options\n");
733
734out_err:
735 kfree(fsdefault);
736 kfree(fsfloor);
737 kfree(fshat);
738 kfree(fsroot);
739 kfree(fstransmute);
740 return rc;
741}
742
743
744
745
746
747
748
749
750
751
752
753
754
755static int smack_set_mnt_opts(struct super_block *sb,
756 struct security_mnt_opts *opts,
757 unsigned long kern_flags,
758 unsigned long *set_kern_flags)
759{
760 struct dentry *root = sb->s_root;
761 struct inode *inode = d_backing_inode(root);
762 struct superblock_smack *sp = sb->s_security;
763 struct inode_smack *isp;
764 struct smack_known *skp;
765 int i;
766 int num_opts = opts->num_mnt_opts;
767 int transmute = 0;
768
769 if (sp->smk_initialized)
770 return 0;
771
772 sp->smk_initialized = 1;
773
774 for (i = 0; i < num_opts; i++) {
775 switch (opts->mnt_opts_flags[i]) {
776 case FSDEFAULT_MNT:
777 skp = smk_import_entry(opts->mnt_opts[i], 0);
778 if (IS_ERR(skp))
779 return PTR_ERR(skp);
780 sp->smk_default = skp;
781 break;
782 case FSFLOOR_MNT:
783 skp = smk_import_entry(opts->mnt_opts[i], 0);
784 if (IS_ERR(skp))
785 return PTR_ERR(skp);
786 sp->smk_floor = skp;
787 break;
788 case FSHAT_MNT:
789 skp = smk_import_entry(opts->mnt_opts[i], 0);
790 if (IS_ERR(skp))
791 return PTR_ERR(skp);
792 sp->smk_hat = skp;
793 break;
794 case FSROOT_MNT:
795 skp = smk_import_entry(opts->mnt_opts[i], 0);
796 if (IS_ERR(skp))
797 return PTR_ERR(skp);
798 sp->smk_root = skp;
799 break;
800 case FSTRANS_MNT:
801 skp = smk_import_entry(opts->mnt_opts[i], 0);
802 if (IS_ERR(skp))
803 return PTR_ERR(skp);
804 sp->smk_root = skp;
805 transmute = 1;
806 break;
807 default:
808 break;
809 }
810 }
811
812 if (!smack_privileged(CAP_MAC_ADMIN)) {
813
814
815
816 if (num_opts)
817 return -EPERM;
818
819
820
821 skp = smk_of_current();
822 sp->smk_root = skp;
823 sp->smk_default = skp;
824 }
825
826
827
828
829 isp = inode->i_security;
830 if (isp == NULL) {
831 isp = new_inode_smack(sp->smk_root);
832 if (isp == NULL)
833 return -ENOMEM;
834 inode->i_security = isp;
835 } else
836 isp->smk_inode = sp->smk_root;
837
838 if (transmute)
839 isp->smk_flags |= SMK_INODE_TRANSMUTE;
840
841 return 0;
842}
843
844
845
846
847
848
849
850
851
852static int smack_sb_kern_mount(struct super_block *sb, int flags, void *data)
853{
854 int rc = 0;
855 char *options = data;
856 struct security_mnt_opts opts;
857
858 security_init_mnt_opts(&opts);
859
860 if (!options)
861 goto out;
862
863 rc = smack_parse_opts_str(options, &opts);
864 if (rc)
865 goto out_err;
866
867out:
868 rc = smack_set_mnt_opts(sb, &opts, 0, NULL);
869
870out_err:
871 security_free_mnt_opts(&opts);
872 return rc;
873}
874
875
876
877
878
879
880
881
882static int smack_sb_statfs(struct dentry *dentry)
883{
884 struct superblock_smack *sbp = dentry->d_sb->s_security;
885 int rc;
886 struct smk_audit_info ad;
887
888 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
889 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
890
891 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
892 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);
893 return rc;
894}
895
896
897
898
899
900
901
902
903
904
905
906static int smack_bprm_set_creds(struct linux_binprm *bprm)
907{
908 struct inode *inode = file_inode(bprm->file);
909 struct task_smack *bsp = bprm->cred->security;
910 struct inode_smack *isp;
911 int rc;
912
913 if (bprm->cred_prepared)
914 return 0;
915
916 isp = inode->i_security;
917 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task)
918 return 0;
919
920 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
921 struct task_struct *tracer;
922 rc = 0;
923
924 rcu_read_lock();
925 tracer = ptrace_parent(current);
926 if (likely(tracer != NULL))
927 rc = smk_ptrace_rule_check(tracer,
928 isp->smk_task,
929 PTRACE_MODE_ATTACH,
930 __func__);
931 rcu_read_unlock();
932
933 if (rc != 0)
934 return rc;
935 } else if (bprm->unsafe)
936 return -EPERM;
937
938 bsp->smk_task = isp->smk_task;
939 bprm->per_clear |= PER_CLEAR_ON_SETID;
940
941 return 0;
942}
943
944
945
946
947
948
949
950static void smack_bprm_committing_creds(struct linux_binprm *bprm)
951{
952 struct task_smack *bsp = bprm->cred->security;
953
954 if (bsp->smk_task != bsp->smk_forked)
955 current->pdeath_signal = 0;
956}
957
958
959
960
961
962
963
964static int smack_bprm_secureexec(struct linux_binprm *bprm)
965{
966 struct task_smack *tsp = current_security();
967
968 if (tsp->smk_task != tsp->smk_forked)
969 return 1;
970
971 return 0;
972}
973
974
975
976
977
978
979
980
981
982
983
984static int smack_inode_alloc_security(struct inode *inode)
985{
986 struct smack_known *skp = smk_of_current();
987
988 inode->i_security = new_inode_smack(skp);
989 if (inode->i_security == NULL)
990 return -ENOMEM;
991 return 0;
992}
993
994
995
996
997
998
999
1000static void smack_inode_free_security(struct inode *inode)
1001{
1002 kmem_cache_free(smack_inode_cache, inode->i_security);
1003 inode->i_security = NULL;
1004}
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017static int smack_inode_init_security(struct inode *inode, struct inode *dir,
1018 const struct qstr *qstr, const char **name,
1019 void **value, size_t *len)
1020{
1021 struct inode_smack *issp = inode->i_security;
1022 struct smack_known *skp = smk_of_current();
1023 struct smack_known *isp = smk_of_inode(inode);
1024 struct smack_known *dsp = smk_of_inode(dir);
1025 int may;
1026
1027 if (name)
1028 *name = XATTR_SMACK_SUFFIX;
1029
1030 if (value && len) {
1031 rcu_read_lock();
1032 may = smk_access_entry(skp->smk_known, dsp->smk_known,
1033 &skp->smk_rules);
1034 rcu_read_unlock();
1035
1036
1037
1038
1039
1040
1041
1042 if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
1043 smk_inode_transmutable(dir)) {
1044 isp = dsp;
1045 issp->smk_flags |= SMK_INODE_CHANGED;
1046 }
1047
1048 *value = kstrdup(isp->smk_known, GFP_NOFS);
1049 if (*value == NULL)
1050 return -ENOMEM;
1051
1052 *len = strlen(isp->smk_known);
1053 }
1054
1055 return 0;
1056}
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066static int smack_inode_link(struct dentry *old_dentry, struct inode *dir,
1067 struct dentry *new_dentry)
1068{
1069 struct smack_known *isp;
1070 struct smk_audit_info ad;
1071 int rc;
1072
1073 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1074 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
1075
1076 isp = smk_of_inode(d_backing_inode(old_dentry));
1077 rc = smk_curacc(isp, MAY_WRITE, &ad);
1078 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc);
1079
1080 if (rc == 0 && d_is_positive(new_dentry)) {
1081 isp = smk_of_inode(d_backing_inode(new_dentry));
1082 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
1083 rc = smk_curacc(isp, MAY_WRITE, &ad);
1084 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc);
1085 }
1086
1087 return rc;
1088}
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098static int smack_inode_unlink(struct inode *dir, struct dentry *dentry)
1099{
1100 struct inode *ip = d_backing_inode(dentry);
1101 struct smk_audit_info ad;
1102 int rc;
1103
1104 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1105 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1106
1107
1108
1109
1110 rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
1111 rc = smk_bu_inode(ip, MAY_WRITE, rc);
1112 if (rc == 0) {
1113
1114
1115
1116 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1117 smk_ad_setfield_u_fs_inode(&ad, dir);
1118 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
1119 rc = smk_bu_inode(dir, MAY_WRITE, rc);
1120 }
1121 return rc;
1122}
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry)
1133{
1134 struct smk_audit_info ad;
1135 int rc;
1136
1137 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1138 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1139
1140
1141
1142
1143 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1144 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1145 if (rc == 0) {
1146
1147
1148
1149 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1150 smk_ad_setfield_u_fs_inode(&ad, dir);
1151 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
1152 rc = smk_bu_inode(dir, MAY_WRITE, rc);
1153 }
1154
1155 return rc;
1156}
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170static int smack_inode_rename(struct inode *old_inode,
1171 struct dentry *old_dentry,
1172 struct inode *new_inode,
1173 struct dentry *new_dentry)
1174{
1175 int rc;
1176 struct smack_known *isp;
1177 struct smk_audit_info ad;
1178
1179 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1180 smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
1181
1182 isp = smk_of_inode(d_backing_inode(old_dentry));
1183 rc = smk_curacc(isp, MAY_READWRITE, &ad);
1184 rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc);
1185
1186 if (rc == 0 && d_is_positive(new_dentry)) {
1187 isp = smk_of_inode(d_backing_inode(new_dentry));
1188 smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
1189 rc = smk_curacc(isp, MAY_READWRITE, &ad);
1190 rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc);
1191 }
1192 return rc;
1193}
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204static int smack_inode_permission(struct inode *inode, int mask)
1205{
1206 struct smk_audit_info ad;
1207 int no_block = mask & MAY_NOT_BLOCK;
1208 int rc;
1209
1210 mask &= (MAY_READ|MAY_WRITE|MAY_EXEC|MAY_APPEND);
1211
1212
1213
1214 if (mask == 0)
1215 return 0;
1216
1217
1218 if (no_block)
1219 return -ECHILD;
1220 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
1221 smk_ad_setfield_u_fs_inode(&ad, inode);
1222 rc = smk_curacc(smk_of_inode(inode), mask, &ad);
1223 rc = smk_bu_inode(inode, mask, rc);
1224 return rc;
1225}
1226
1227
1228
1229
1230
1231
1232
1233
1234static int smack_inode_setattr(struct dentry *dentry, struct iattr *iattr)
1235{
1236 struct smk_audit_info ad;
1237 int rc;
1238
1239
1240
1241
1242 if (iattr->ia_valid & ATTR_FORCE)
1243 return 0;
1244 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1245 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1246
1247 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1248 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1249 return rc;
1250}
1251
1252
1253
1254
1255
1256
1257
1258
1259static int smack_inode_getattr(const struct path *path)
1260{
1261 struct smk_audit_info ad;
1262 struct inode *inode = d_backing_inode(path->dentry);
1263 int rc;
1264
1265 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1266 smk_ad_setfield_u_fs_path(&ad, *path);
1267 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1268 rc = smk_bu_inode(inode, MAY_READ, rc);
1269 return rc;
1270}
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284static int smack_inode_setxattr(struct dentry *dentry, const char *name,
1285 const void *value, size_t size, int flags)
1286{
1287 struct smk_audit_info ad;
1288 struct smack_known *skp;
1289 int check_priv = 0;
1290 int check_import = 0;
1291 int check_star = 0;
1292 int rc = 0;
1293
1294
1295
1296
1297 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1298 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1299 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
1300 check_priv = 1;
1301 check_import = 1;
1302 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1303 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1304 check_priv = 1;
1305 check_import = 1;
1306 check_star = 1;
1307 } else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1308 check_priv = 1;
1309 if (size != TRANS_TRUE_SIZE ||
1310 strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
1311 rc = -EINVAL;
1312 } else
1313 rc = cap_inode_setxattr(dentry, name, value, size, flags);
1314
1315 if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
1316 rc = -EPERM;
1317
1318 if (rc == 0 && check_import) {
1319 skp = size ? smk_import_entry(value, size) : NULL;
1320 if (IS_ERR(skp))
1321 rc = PTR_ERR(skp);
1322 else if (skp == NULL || (check_star &&
1323 (skp == &smack_known_star || skp == &smack_known_web)))
1324 rc = -EINVAL;
1325 }
1326
1327 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1328 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1329
1330 if (rc == 0) {
1331 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1332 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1333 }
1334
1335 return rc;
1336}
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349static void smack_inode_post_setxattr(struct dentry *dentry, const char *name,
1350 const void *value, size_t size, int flags)
1351{
1352 struct smack_known *skp;
1353 struct inode_smack *isp = d_backing_inode(dentry)->i_security;
1354
1355 if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
1356 isp->smk_flags |= SMK_INODE_TRANSMUTE;
1357 return;
1358 }
1359
1360 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1361 skp = smk_import_entry(value, size);
1362 if (!IS_ERR(skp))
1363 isp->smk_inode = skp;
1364 else
1365 isp->smk_inode = &smack_known_invalid;
1366 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
1367 skp = smk_import_entry(value, size);
1368 if (!IS_ERR(skp))
1369 isp->smk_task = skp;
1370 else
1371 isp->smk_task = &smack_known_invalid;
1372 } else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1373 skp = smk_import_entry(value, size);
1374 if (!IS_ERR(skp))
1375 isp->smk_mmap = skp;
1376 else
1377 isp->smk_mmap = &smack_known_invalid;
1378 }
1379
1380 return;
1381}
1382
1383
1384
1385
1386
1387
1388
1389
1390static int smack_inode_getxattr(struct dentry *dentry, const char *name)
1391{
1392 struct smk_audit_info ad;
1393 int rc;
1394
1395 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1396 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1397
1398 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad);
1399 rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc);
1400 return rc;
1401}
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412static int smack_inode_removexattr(struct dentry *dentry, const char *name)
1413{
1414 struct inode_smack *isp;
1415 struct smk_audit_info ad;
1416 int rc = 0;
1417
1418 if (strcmp(name, XATTR_NAME_SMACK) == 0 ||
1419 strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||
1420 strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||
1421 strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||
1422 strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||
1423 strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
1424 if (!smack_privileged(CAP_MAC_ADMIN))
1425 rc = -EPERM;
1426 } else
1427 rc = cap_inode_removexattr(dentry, name);
1428
1429 if (rc != 0)
1430 return rc;
1431
1432 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
1433 smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
1434
1435 rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
1436 rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
1437 if (rc != 0)
1438 return rc;
1439
1440 isp = d_backing_inode(dentry)->i_security;
1441
1442
1443
1444
1445
1446 if (strcmp(name, XATTR_NAME_SMACK) == 0) {
1447 struct super_block *sbp = d_backing_inode(dentry)->i_sb;
1448 struct superblock_smack *sbsp = sbp->s_security;
1449
1450 isp->smk_inode = sbsp->smk_default;
1451 } else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
1452 isp->smk_task = NULL;
1453 else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
1454 isp->smk_mmap = NULL;
1455 else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
1456 isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
1457
1458 return 0;
1459}
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470static int smack_inode_getsecurity(struct inode *inode,
1471 const char *name, void **buffer,
1472 bool alloc)
1473{
1474 struct socket_smack *ssp;
1475 struct socket *sock;
1476 struct super_block *sbp;
1477 struct inode *ip = (struct inode *)inode;
1478 struct smack_known *isp;
1479 int ilen;
1480 int rc = 0;
1481
1482 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
1483 isp = smk_of_inode(inode);
1484 ilen = strlen(isp->smk_known);
1485 *buffer = isp->smk_known;
1486 return ilen;
1487 }
1488
1489
1490
1491
1492 sbp = ip->i_sb;
1493 if (sbp->s_magic != SOCKFS_MAGIC)
1494 return -EOPNOTSUPP;
1495
1496 sock = SOCKET_I(ip);
1497 if (sock == NULL || sock->sk == NULL)
1498 return -EOPNOTSUPP;
1499
1500 ssp = sock->sk->sk_security;
1501
1502 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
1503 isp = ssp->smk_in;
1504 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
1505 isp = ssp->smk_out;
1506 else
1507 return -EOPNOTSUPP;
1508
1509 ilen = strlen(isp->smk_known);
1510 if (rc == 0) {
1511 *buffer = isp->smk_known;
1512 rc = ilen;
1513 }
1514
1515 return rc;
1516}
1517
1518
1519
1520
1521
1522
1523
1524
1525static int smack_inode_listsecurity(struct inode *inode, char *buffer,
1526 size_t buffer_size)
1527{
1528 int len = sizeof(XATTR_NAME_SMACK);
1529
1530 if (buffer != NULL && len <= buffer_size)
1531 memcpy(buffer, XATTR_NAME_SMACK, len);
1532
1533 return len;
1534}
1535
1536
1537
1538
1539
1540
1541static void smack_inode_getsecid(struct inode *inode, u32 *secid)
1542{
1543 struct inode_smack *isp = inode->i_security;
1544
1545 *secid = isp->smk_inode->smk_secid;
1546}
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575static int smack_file_alloc_security(struct file *file)
1576{
1577 struct smack_known *skp = smk_of_current();
1578
1579 file->f_security = skp;
1580 return 0;
1581}
1582
1583
1584
1585
1586
1587
1588
1589
1590static void smack_file_free_security(struct file *file)
1591{
1592 file->f_security = NULL;
1593}
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605static int smack_file_ioctl(struct file *file, unsigned int cmd,
1606 unsigned long arg)
1607{
1608 int rc = 0;
1609 struct smk_audit_info ad;
1610 struct inode *inode = file_inode(file);
1611
1612 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1613 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1614
1615 if (_IOC_DIR(cmd) & _IOC_WRITE) {
1616 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1617 rc = smk_bu_file(file, MAY_WRITE, rc);
1618 }
1619
1620 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) {
1621 rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
1622 rc = smk_bu_file(file, MAY_READ, rc);
1623 }
1624
1625 return rc;
1626}
1627
1628
1629
1630
1631
1632
1633
1634
1635static int smack_file_lock(struct file *file, unsigned int cmd)
1636{
1637 struct smk_audit_info ad;
1638 int rc;
1639 struct inode *inode = file_inode(file);
1640
1641 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1642 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1643 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1644 rc = smk_bu_file(file, MAY_LOCK, rc);
1645 return rc;
1646}
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660static int smack_file_fcntl(struct file *file, unsigned int cmd,
1661 unsigned long arg)
1662{
1663 struct smk_audit_info ad;
1664 int rc = 0;
1665 struct inode *inode = file_inode(file);
1666
1667 switch (cmd) {
1668 case F_GETLK:
1669 break;
1670 case F_SETLK:
1671 case F_SETLKW:
1672 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1673 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1674 rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
1675 rc = smk_bu_file(file, MAY_LOCK, rc);
1676 break;
1677 case F_SETOWN:
1678 case F_SETSIG:
1679 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1680 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1681 rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
1682 rc = smk_bu_file(file, MAY_WRITE, rc);
1683 break;
1684 default:
1685 break;
1686 }
1687
1688 return rc;
1689}
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701static int smack_mmap_file(struct file *file,
1702 unsigned long reqprot, unsigned long prot,
1703 unsigned long flags)
1704{
1705 struct smack_known *skp;
1706 struct smack_known *mkp;
1707 struct smack_rule *srp;
1708 struct task_smack *tsp;
1709 struct smack_known *okp;
1710 struct inode_smack *isp;
1711 int may;
1712 int mmay;
1713 int tmay;
1714 int rc;
1715
1716 if (file == NULL)
1717 return 0;
1718
1719 isp = file_inode(file)->i_security;
1720 if (isp->smk_mmap == NULL)
1721 return 0;
1722 mkp = isp->smk_mmap;
1723
1724 tsp = current_security();
1725 skp = smk_of_current();
1726 rc = 0;
1727
1728 rcu_read_lock();
1729
1730
1731
1732
1733
1734 list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
1735 okp = srp->smk_object;
1736
1737
1738
1739 if (mkp->smk_known == okp->smk_known)
1740 continue;
1741
1742
1743
1744
1745 may = smk_access_entry(srp->smk_subject->smk_known,
1746 okp->smk_known,
1747 &tsp->smk_rules);
1748 if (may == -ENOENT)
1749 may = srp->smk_access;
1750 else
1751 may &= srp->smk_access;
1752
1753
1754
1755
1756 if (may == 0)
1757 continue;
1758
1759
1760
1761
1762
1763
1764 mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1765 &mkp->smk_rules);
1766 if (mmay == -ENOENT) {
1767 rc = -EACCES;
1768 break;
1769 }
1770
1771
1772
1773
1774 tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
1775 &tsp->smk_rules);
1776 if (tmay != -ENOENT)
1777 mmay &= tmay;
1778
1779
1780
1781
1782
1783
1784 if ((may | mmay) != mmay) {
1785 rc = -EACCES;
1786 break;
1787 }
1788 }
1789
1790 rcu_read_unlock();
1791
1792 return rc;
1793}
1794
1795
1796
1797
1798
1799
1800static void smack_file_set_fowner(struct file *file)
1801{
1802 file->f_security = smk_of_current();
1803}
1804
1805
1806
1807
1808
1809
1810
1811
1812
1813
1814
1815
1816static int smack_file_send_sigiotask(struct task_struct *tsk,
1817 struct fown_struct *fown, int signum)
1818{
1819 struct smack_known *skp;
1820 struct smack_known *tkp = smk_of_task(tsk->cred->security);
1821 struct file *file;
1822 int rc;
1823 struct smk_audit_info ad;
1824
1825
1826
1827
1828 file = container_of(fown, struct file, f_owner);
1829
1830
1831 skp = file->f_security;
1832 rc = smk_access(skp, tkp, MAY_WRITE, NULL);
1833 rc = smk_bu_note("sigiotask", skp, tkp, MAY_WRITE, rc);
1834 if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))
1835 rc = 0;
1836
1837 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
1838 smk_ad_setfield_u_tsk(&ad, tsk);
1839 smack_log(skp->smk_known, tkp->smk_known, MAY_WRITE, rc, &ad);
1840 return rc;
1841}
1842
1843
1844
1845
1846
1847
1848
1849static int smack_file_receive(struct file *file)
1850{
1851 int rc;
1852 int may = 0;
1853 struct smk_audit_info ad;
1854 struct inode *inode = file_inode(file);
1855 struct socket *sock;
1856 struct task_smack *tsp;
1857 struct socket_smack *ssp;
1858
1859 if (unlikely(IS_PRIVATE(inode)))
1860 return 0;
1861
1862 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1863 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1864
1865 if (S_ISSOCK(inode->i_mode)) {
1866 sock = SOCKET_I(inode);
1867 ssp = sock->sk->sk_security;
1868 tsp = current_security();
1869
1870
1871
1872
1873
1874
1875 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
1876 rc = smk_bu_file(file, may, rc);
1877 if (rc < 0)
1878 return rc;
1879 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
1880 rc = smk_bu_file(file, may, rc);
1881 return rc;
1882 }
1883
1884
1885
1886 if (file->f_mode & FMODE_READ)
1887 may = MAY_READ;
1888 if (file->f_mode & FMODE_WRITE)
1889 may |= MAY_WRITE;
1890
1891 rc = smk_curacc(smk_of_inode(inode), may, &ad);
1892 rc = smk_bu_file(file, may, rc);
1893 return rc;
1894}
1895
1896
1897
1898
1899
1900
1901
1902
1903
1904
1905
1906
1907
1908static int smack_file_open(struct file *file, const struct cred *cred)
1909{
1910 struct task_smack *tsp = cred->security;
1911 struct inode *inode = file_inode(file);
1912 struct smk_audit_info ad;
1913 int rc;
1914
1915 if (smack_privileged(CAP_MAC_OVERRIDE))
1916 return 0;
1917
1918 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
1919 smk_ad_setfield_u_fs_path(&ad, file->f_path);
1920 rc = smk_access(tsp->smk_task, smk_of_inode(inode), MAY_READ, &ad);
1921 rc = smk_bu_credfile(cred, file, MAY_READ, rc);
1922
1923 return rc;
1924}
1925
1926
1927
1928
1929
1930
1931
1932
1933
1934
1935
1936
1937
1938
1939static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
1940{
1941 struct task_smack *tsp;
1942
1943 tsp = new_task_smack(NULL, NULL, gfp);
1944 if (tsp == NULL)
1945 return -ENOMEM;
1946
1947 cred->security = tsp;
1948
1949 return 0;
1950}
1951
1952
1953
1954
1955
1956
1957
1958static void smack_cred_free(struct cred *cred)
1959{
1960 struct task_smack *tsp = cred->security;
1961 struct smack_rule *rp;
1962 struct list_head *l;
1963 struct list_head *n;
1964
1965 if (tsp == NULL)
1966 return;
1967 cred->security = NULL;
1968
1969 smk_destroy_label_list(&tsp->smk_relabel);
1970
1971 list_for_each_safe(l, n, &tsp->smk_rules) {
1972 rp = list_entry(l, struct smack_rule, list);
1973 list_del(&rp->list);
1974 kfree(rp);
1975 }
1976 kfree(tsp);
1977}
1978
1979
1980
1981
1982
1983
1984
1985
1986
1987static int smack_cred_prepare(struct cred *new, const struct cred *old,
1988 gfp_t gfp)
1989{
1990 struct task_smack *old_tsp = old->security;
1991 struct task_smack *new_tsp;
1992 int rc;
1993
1994 new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);
1995 if (new_tsp == NULL)
1996 return -ENOMEM;
1997
1998 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
1999 if (rc != 0)
2000 return rc;
2001
2002 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
2003 gfp);
2004 if (rc != 0)
2005 return rc;
2006
2007 new->security = new_tsp;
2008 return 0;
2009}
2010
2011
2012
2013
2014
2015
2016
2017
2018static void smack_cred_transfer(struct cred *new, const struct cred *old)
2019{
2020 struct task_smack *old_tsp = old->security;
2021 struct task_smack *new_tsp = new->security;
2022
2023 new_tsp->smk_task = old_tsp->smk_task;
2024 new_tsp->smk_forked = old_tsp->smk_task;
2025 mutex_init(&new_tsp->smk_rules_lock);
2026 INIT_LIST_HEAD(&new_tsp->smk_rules);
2027
2028
2029
2030}
2031
2032
2033
2034
2035
2036
2037
2038
2039static int smack_kernel_act_as(struct cred *new, u32 secid)
2040{
2041 struct task_smack *new_tsp = new->security;
2042 struct smack_known *skp = smack_from_secid(secid);
2043
2044 if (skp == NULL)
2045 return -EINVAL;
2046
2047 new_tsp->smk_task = skp;
2048 return 0;
2049}
2050
2051
2052
2053
2054
2055
2056
2057
2058
2059static int smack_kernel_create_files_as(struct cred *new,
2060 struct inode *inode)
2061{
2062 struct inode_smack *isp = inode->i_security;
2063 struct task_smack *tsp = new->security;
2064
2065 tsp->smk_forked = isp->smk_inode;
2066 tsp->smk_task = tsp->smk_forked;
2067 return 0;
2068}
2069
2070
2071
2072
2073
2074
2075
2076
2077
2078static int smk_curacc_on_task(struct task_struct *p, int access,
2079 const char *caller)
2080{
2081 struct smk_audit_info ad;
2082 struct smack_known *skp = smk_of_task_struct(p);
2083 int rc;
2084
2085 smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
2086 smk_ad_setfield_u_tsk(&ad, p);
2087 rc = smk_curacc(skp, access, &ad);
2088 rc = smk_bu_task(p, access, rc);
2089 return rc;
2090}
2091
2092
2093
2094
2095
2096
2097
2098
2099static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
2100{
2101 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2102}
2103
2104
2105
2106
2107
2108
2109
2110static int smack_task_getpgid(struct task_struct *p)
2111{
2112 return smk_curacc_on_task(p, MAY_READ, __func__);
2113}
2114
2115
2116
2117
2118
2119
2120
2121static int smack_task_getsid(struct task_struct *p)
2122{
2123 return smk_curacc_on_task(p, MAY_READ, __func__);
2124}
2125
2126
2127
2128
2129
2130
2131
2132
2133static void smack_task_getsecid(struct task_struct *p, u32 *secid)
2134{
2135 struct smack_known *skp = smk_of_task_struct(p);
2136
2137 *secid = skp->smk_secid;
2138}
2139
2140
2141
2142
2143
2144
2145
2146
2147static int smack_task_setnice(struct task_struct *p, int nice)
2148{
2149 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2150}
2151
2152
2153
2154
2155
2156
2157
2158
2159static int smack_task_setioprio(struct task_struct *p, int ioprio)
2160{
2161 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2162}
2163
2164
2165
2166
2167
2168
2169
2170static int smack_task_getioprio(struct task_struct *p)
2171{
2172 return smk_curacc_on_task(p, MAY_READ, __func__);
2173}
2174
2175
2176
2177
2178
2179
2180
2181
2182
2183static int smack_task_setscheduler(struct task_struct *p)
2184{
2185 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2186}
2187
2188
2189
2190
2191
2192
2193
2194static int smack_task_getscheduler(struct task_struct *p)
2195{
2196 return smk_curacc_on_task(p, MAY_READ, __func__);
2197}
2198
2199
2200
2201
2202
2203
2204
2205static int smack_task_movememory(struct task_struct *p)
2206{
2207 return smk_curacc_on_task(p, MAY_WRITE, __func__);
2208}
2209
2210
2211
2212
2213
2214
2215
2216
2217
2218
2219
2220
2221
2222static int smack_task_kill(struct task_struct *p, struct siginfo *info,
2223 int sig, u32 secid)
2224{
2225 struct smk_audit_info ad;
2226 struct smack_known *skp;
2227 struct smack_known *tkp = smk_of_task_struct(p);
2228 int rc;
2229
2230 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
2231 smk_ad_setfield_u_tsk(&ad, p);
2232
2233
2234
2235
2236 if (secid == 0) {
2237 rc = smk_curacc(tkp, MAY_WRITE, &ad);
2238 rc = smk_bu_task(p, MAY_WRITE, rc);
2239 return rc;
2240 }
2241
2242
2243
2244
2245
2246 skp = smack_from_secid(secid);
2247 rc = smk_access(skp, tkp, MAY_WRITE, &ad);
2248 rc = smk_bu_note("USB signal", skp, tkp, MAY_WRITE, rc);
2249 return rc;
2250}
2251
2252
2253
2254
2255
2256
2257
2258static int smack_task_wait(struct task_struct *p)
2259{
2260
2261
2262
2263
2264
2265
2266
2267
2268 return 0;
2269}
2270
2271
2272
2273
2274
2275
2276
2277
2278static void smack_task_to_inode(struct task_struct *p, struct inode *inode)
2279{
2280 struct inode_smack *isp = inode->i_security;
2281 struct smack_known *skp = smk_of_task_struct(p);
2282
2283 isp->smk_inode = skp;
2284}
2285
2286
2287
2288
2289
2290
2291
2292
2293
2294
2295
2296
2297
2298
2299
2300static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
2301{
2302 struct smack_known *skp = smk_of_current();
2303 struct socket_smack *ssp;
2304
2305 ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
2306 if (ssp == NULL)
2307 return -ENOMEM;
2308
2309 ssp->smk_in = skp;
2310 ssp->smk_out = skp;
2311 ssp->smk_packet = NULL;
2312
2313 sk->sk_security = ssp;
2314
2315 return 0;
2316}
2317
2318
2319
2320
2321
2322
2323
2324static void smack_sk_free_security(struct sock *sk)
2325{
2326 kfree(sk->sk_security);
2327}
2328
2329
2330
2331
2332
2333
2334
2335
2336
2337
2338
2339
2340
2341static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
2342{
2343 struct smk_net4addr *snp;
2344 struct in_addr *siap = &sip->sin_addr;
2345
2346 if (siap->s_addr == 0)
2347 return NULL;
2348
2349 list_for_each_entry_rcu(snp, &smk_net4addr_list, list)
2350
2351
2352
2353
2354
2355 if (snp->smk_host.s_addr ==
2356 (siap->s_addr & snp->smk_mask.s_addr))
2357 return snp->smk_label;
2358
2359 return NULL;
2360}
2361
2362#if IS_ENABLED(CONFIG_IPV6)
2363
2364
2365
2366
2367
2368
2369static bool smk_ipv6_localhost(struct sockaddr_in6 *sip)
2370{
2371 __be16 *be16p = (__be16 *)&sip->sin6_addr;
2372 __be32 *be32p = (__be32 *)&sip->sin6_addr;
2373
2374 if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 &&
2375 ntohs(be16p[7]) == 1)
2376 return true;
2377 return false;
2378}
2379
2380
2381
2382
2383
2384
2385
2386
2387
2388
2389
2390
2391
2392static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
2393{
2394 struct smk_net6addr *snp;
2395 struct in6_addr *sap = &sip->sin6_addr;
2396 int i;
2397 int found = 0;
2398
2399
2400
2401
2402 if (smk_ipv6_localhost(sip))
2403 return NULL;
2404
2405 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
2406
2407
2408
2409
2410
2411 for (found = 1, i = 0; i < 8; i++) {
2412
2413
2414
2415
2416 if (snp->smk_label == NULL)
2417 continue;
2418 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
2419 snp->smk_host.s6_addr16[i]) {
2420 found = 0;
2421 break;
2422 }
2423 }
2424 if (found)
2425 return snp->smk_label;
2426 }
2427
2428 return NULL;
2429}
2430#endif
2431
2432
2433
2434
2435
2436
2437
2438
2439
2440
2441
2442static int smack_netlabel(struct sock *sk, int labeled)
2443{
2444 struct smack_known *skp;
2445 struct socket_smack *ssp = sk->sk_security;
2446 int rc = 0;
2447
2448
2449
2450
2451
2452
2453
2454
2455
2456 local_bh_disable();
2457 bh_lock_sock_nested(sk);
2458
2459 if (ssp->smk_out == smack_net_ambient ||
2460 labeled == SMACK_UNLABELED_SOCKET)
2461 netlbl_sock_delattr(sk);
2462 else {
2463 skp = ssp->smk_out;
2464 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
2465 }
2466
2467 bh_unlock_sock(sk);
2468 local_bh_enable();
2469
2470 return rc;
2471}
2472
2473
2474
2475
2476
2477
2478
2479
2480
2481
2482
2483
2484static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
2485{
2486 struct smack_known *skp;
2487 int rc;
2488 int sk_lbl;
2489 struct smack_known *hkp;
2490 struct socket_smack *ssp = sk->sk_security;
2491 struct smk_audit_info ad;
2492
2493 rcu_read_lock();
2494 hkp = smack_ipv4host_label(sap);
2495 if (hkp != NULL) {
2496#ifdef CONFIG_AUDIT
2497 struct lsm_network_audit net;
2498
2499 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2500 ad.a.u.net->family = sap->sin_family;
2501 ad.a.u.net->dport = sap->sin_port;
2502 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
2503#endif
2504 sk_lbl = SMACK_UNLABELED_SOCKET;
2505 skp = ssp->smk_out;
2506 rc = smk_access(skp, hkp, MAY_WRITE, &ad);
2507 rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
2508 } else {
2509 sk_lbl = SMACK_CIPSO_SOCKET;
2510 rc = 0;
2511 }
2512 rcu_read_unlock();
2513 if (rc != 0)
2514 return rc;
2515
2516 return smack_netlabel(sk, sk_lbl);
2517}
2518
2519#if IS_ENABLED(CONFIG_IPV6)
2520
2521
2522
2523
2524
2525
2526
2527
2528
2529static int smk_ipv6_check(struct smack_known *subject,
2530 struct smack_known *object,
2531 struct sockaddr_in6 *address, int act)
2532{
2533#ifdef CONFIG_AUDIT
2534 struct lsm_network_audit net;
2535#endif
2536 struct smk_audit_info ad;
2537 int rc;
2538
2539#ifdef CONFIG_AUDIT
2540 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
2541 ad.a.u.net->family = PF_INET6;
2542 ad.a.u.net->dport = ntohs(address->sin6_port);
2543 if (act == SMK_RECEIVING)
2544 ad.a.u.net->v6info.saddr = address->sin6_addr;
2545 else
2546 ad.a.u.net->v6info.daddr = address->sin6_addr;
2547#endif
2548 rc = smk_access(subject, object, MAY_WRITE, &ad);
2549 rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
2550 return rc;
2551}
2552#endif
2553
2554#ifdef SMACK_IPV6_PORT_LABELING
2555
2556
2557
2558
2559
2560
2561
2562static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
2563{
2564 struct sock *sk = sock->sk;
2565 struct sockaddr_in6 *addr6;
2566 struct socket_smack *ssp = sock->sk->sk_security;
2567 struct smk_port_label *spp;
2568 unsigned short port = 0;
2569
2570 if (address == NULL) {
2571
2572
2573
2574
2575
2576 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2577 if (sk != spp->smk_sock)
2578 continue;
2579 spp->smk_in = ssp->smk_in;
2580 spp->smk_out = ssp->smk_out;
2581 return;
2582 }
2583
2584
2585
2586
2587 return;
2588 }
2589
2590 addr6 = (struct sockaddr_in6 *)address;
2591 port = ntohs(addr6->sin6_port);
2592
2593
2594
2595 if (port == 0)
2596 return;
2597
2598
2599
2600
2601
2602 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2603 if (spp->smk_port != port)
2604 continue;
2605 spp->smk_port = port;
2606 spp->smk_sock = sk;
2607 spp->smk_in = ssp->smk_in;
2608 spp->smk_out = ssp->smk_out;
2609 return;
2610 }
2611
2612
2613
2614
2615 spp = kzalloc(sizeof(*spp), GFP_KERNEL);
2616 if (spp == NULL)
2617 return;
2618
2619 spp->smk_port = port;
2620 spp->smk_sock = sk;
2621 spp->smk_in = ssp->smk_in;
2622 spp->smk_out = ssp->smk_out;
2623
2624 list_add(&spp->list, &smk_ipv6_port_list);
2625 return;
2626}
2627
2628
2629
2630
2631
2632
2633
2634
2635static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
2636 int act)
2637{
2638 struct smk_port_label *spp;
2639 struct socket_smack *ssp = sk->sk_security;
2640 struct smack_known *skp = NULL;
2641 unsigned short port;
2642 struct smack_known *object;
2643
2644 if (act == SMK_RECEIVING) {
2645 skp = smack_ipv6host_label(address);
2646 object = ssp->smk_in;
2647 } else {
2648 skp = ssp->smk_out;
2649 object = smack_ipv6host_label(address);
2650 }
2651
2652
2653
2654
2655 if (skp != NULL && object != NULL)
2656 return smk_ipv6_check(skp, object, address, act);
2657 if (skp == NULL)
2658 skp = smack_net_ambient;
2659 if (object == NULL)
2660 object = smack_net_ambient;
2661
2662
2663
2664
2665 if (!smk_ipv6_localhost(address))
2666 return smk_ipv6_check(skp, object, address, act);
2667
2668
2669
2670
2671 if (act == SMK_RECEIVING)
2672 return 0;
2673
2674 port = ntohs(address->sin6_port);
2675 list_for_each_entry(spp, &smk_ipv6_port_list, list) {
2676 if (spp->smk_port != port)
2677 continue;
2678 object = spp->smk_in;
2679 if (act == SMK_CONNECTING)
2680 ssp->smk_packet = spp->smk_out;
2681 break;
2682 }
2683
2684 return smk_ipv6_check(skp, object, address, act);
2685}
2686#endif
2687
2688
2689
2690
2691
2692
2693
2694
2695
2696
2697
2698
2699
2700static int smack_inode_setsecurity(struct inode *inode, const char *name,
2701 const void *value, size_t size, int flags)
2702{
2703 struct smack_known *skp;
2704 struct inode_smack *nsp = inode->i_security;
2705 struct socket_smack *ssp;
2706 struct socket *sock;
2707 int rc = 0;
2708
2709 if (value == NULL || size > SMK_LONGLABEL || size == 0)
2710 return -EINVAL;
2711
2712 skp = smk_import_entry(value, size);
2713 if (IS_ERR(skp))
2714 return PTR_ERR(skp);
2715
2716 if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
2717 nsp->smk_inode = skp;
2718 nsp->smk_flags |= SMK_INODE_INSTANT;
2719 return 0;
2720 }
2721
2722
2723
2724 if (inode->i_sb->s_magic != SOCKFS_MAGIC)
2725 return -EOPNOTSUPP;
2726
2727 sock = SOCKET_I(inode);
2728 if (sock == NULL || sock->sk == NULL)
2729 return -EOPNOTSUPP;
2730
2731 ssp = sock->sk->sk_security;
2732
2733 if (strcmp(name, XATTR_SMACK_IPIN) == 0)
2734 ssp->smk_in = skp;
2735 else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
2736 ssp->smk_out = skp;
2737 if (sock->sk->sk_family == PF_INET) {
2738 rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2739 if (rc != 0)
2740 printk(KERN_WARNING
2741 "Smack: \"%s\" netlbl error %d.\n",
2742 __func__, -rc);
2743 }
2744 } else
2745 return -EOPNOTSUPP;
2746
2747#ifdef SMACK_IPV6_PORT_LABELING
2748 if (sock->sk->sk_family == PF_INET6)
2749 smk_ipv6_port_label(sock, NULL);
2750#endif
2751
2752 return 0;
2753}
2754
2755
2756
2757
2758
2759
2760
2761
2762
2763
2764
2765
2766
2767static int smack_socket_post_create(struct socket *sock, int family,
2768 int type, int protocol, int kern)
2769{
2770 struct socket_smack *ssp;
2771
2772 if (sock->sk == NULL)
2773 return 0;
2774
2775
2776
2777
2778 if (unlikely(current->flags & PF_KTHREAD)) {
2779 ssp = sock->sk->sk_security;
2780 ssp->smk_in = &smack_known_web;
2781 ssp->smk_out = &smack_known_web;
2782 }
2783
2784 if (family != PF_INET)
2785 return 0;
2786
2787
2788
2789 return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
2790}
2791
2792#ifdef SMACK_IPV6_PORT_LABELING
2793
2794
2795
2796
2797
2798
2799
2800
2801
2802
2803static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
2804 int addrlen)
2805{
2806 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
2807 smk_ipv6_port_label(sock, address);
2808 return 0;
2809}
2810#endif
2811
2812
2813
2814
2815
2816
2817
2818
2819
2820
2821
2822static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
2823 int addrlen)
2824{
2825 int rc = 0;
2826#if IS_ENABLED(CONFIG_IPV6)
2827 struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
2828#endif
2829#ifdef SMACK_IPV6_SECMARK_LABELING
2830 struct smack_known *rsp;
2831 struct socket_smack *ssp = sock->sk->sk_security;
2832#endif
2833
2834 if (sock->sk == NULL)
2835 return 0;
2836
2837 switch (sock->sk->sk_family) {
2838 case PF_INET:
2839 if (addrlen < sizeof(struct sockaddr_in))
2840 return -EINVAL;
2841 rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
2842 break;
2843 case PF_INET6:
2844 if (addrlen < sizeof(struct sockaddr_in6))
2845 return -EINVAL;
2846#ifdef SMACK_IPV6_SECMARK_LABELING
2847 rsp = smack_ipv6host_label(sip);
2848 if (rsp != NULL)
2849 rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
2850 SMK_CONNECTING);
2851#endif
2852#ifdef SMACK_IPV6_PORT_LABELING
2853 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
2854#endif
2855 break;
2856 }
2857 return rc;
2858}
2859
2860
2861
2862
2863
2864
2865
2866static int smack_flags_to_may(int flags)
2867{
2868 int may = 0;
2869
2870 if (flags & S_IRUGO)
2871 may |= MAY_READ;
2872 if (flags & S_IWUGO)
2873 may |= MAY_WRITE;
2874 if (flags & S_IXUGO)
2875 may |= MAY_EXEC;
2876
2877 return may;
2878}
2879
2880
2881
2882
2883
2884
2885
2886static int smack_msg_msg_alloc_security(struct msg_msg *msg)
2887{
2888 struct smack_known *skp = smk_of_current();
2889
2890 msg->security = skp;
2891 return 0;
2892}
2893
2894
2895
2896
2897
2898
2899
2900static void smack_msg_msg_free_security(struct msg_msg *msg)
2901{
2902 msg->security = NULL;
2903}
2904
2905
2906
2907
2908
2909
2910
2911static struct smack_known *smack_of_shm(struct shmid_kernel *shp)
2912{
2913 return (struct smack_known *)shp->shm_perm.security;
2914}
2915
2916
2917
2918
2919
2920
2921
2922static int smack_shm_alloc_security(struct shmid_kernel *shp)
2923{
2924 struct kern_ipc_perm *isp = &shp->shm_perm;
2925 struct smack_known *skp = smk_of_current();
2926
2927 isp->security = skp;
2928 return 0;
2929}
2930
2931
2932
2933
2934
2935
2936
2937static void smack_shm_free_security(struct shmid_kernel *shp)
2938{
2939 struct kern_ipc_perm *isp = &shp->shm_perm;
2940
2941 isp->security = NULL;
2942}
2943
2944
2945
2946
2947
2948
2949
2950
2951static int smk_curacc_shm(struct shmid_kernel *shp, int access)
2952{
2953 struct smack_known *ssp = smack_of_shm(shp);
2954 struct smk_audit_info ad;
2955 int rc;
2956
2957#ifdef CONFIG_AUDIT
2958 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
2959 ad.a.u.ipc_id = shp->shm_perm.id;
2960#endif
2961 rc = smk_curacc(ssp, access, &ad);
2962 rc = smk_bu_current("shm", ssp, access, rc);
2963 return rc;
2964}
2965
2966
2967
2968
2969
2970
2971
2972
2973static int smack_shm_associate(struct shmid_kernel *shp, int shmflg)
2974{
2975 int may;
2976
2977 may = smack_flags_to_may(shmflg);
2978 return smk_curacc_shm(shp, may);
2979}
2980
2981
2982
2983
2984
2985
2986
2987
2988static int smack_shm_shmctl(struct shmid_kernel *shp, int cmd)
2989{
2990 int may;
2991
2992 switch (cmd) {
2993 case IPC_STAT:
2994 case SHM_STAT:
2995 may = MAY_READ;
2996 break;
2997 case IPC_SET:
2998 case SHM_LOCK:
2999 case SHM_UNLOCK:
3000 case IPC_RMID:
3001 may = MAY_READWRITE;
3002 break;
3003 case IPC_INFO:
3004 case SHM_INFO:
3005
3006
3007
3008 return 0;
3009 default:
3010 return -EINVAL;
3011 }
3012 return smk_curacc_shm(shp, may);
3013}
3014
3015
3016
3017
3018
3019
3020
3021
3022
3023static int smack_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
3024 int shmflg)
3025{
3026 int may;
3027
3028 may = smack_flags_to_may(shmflg);
3029 return smk_curacc_shm(shp, may);
3030}
3031
3032
3033
3034
3035
3036
3037
3038static struct smack_known *smack_of_sem(struct sem_array *sma)
3039{
3040 return (struct smack_known *)sma->sem_perm.security;
3041}
3042
3043
3044
3045
3046
3047
3048
3049static int smack_sem_alloc_security(struct sem_array *sma)
3050{
3051 struct kern_ipc_perm *isp = &sma->sem_perm;
3052 struct smack_known *skp = smk_of_current();
3053
3054 isp->security = skp;
3055 return 0;
3056}
3057
3058
3059
3060
3061
3062
3063
3064static void smack_sem_free_security(struct sem_array *sma)
3065{
3066 struct kern_ipc_perm *isp = &sma->sem_perm;
3067
3068 isp->security = NULL;
3069}
3070
3071
3072
3073
3074
3075
3076
3077
3078static int smk_curacc_sem(struct sem_array *sma, int access)
3079{
3080 struct smack_known *ssp = smack_of_sem(sma);
3081 struct smk_audit_info ad;
3082 int rc;
3083
3084#ifdef CONFIG_AUDIT
3085 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3086 ad.a.u.ipc_id = sma->sem_perm.id;
3087#endif
3088 rc = smk_curacc(ssp, access, &ad);
3089 rc = smk_bu_current("sem", ssp, access, rc);
3090 return rc;
3091}
3092
3093
3094
3095
3096
3097
3098
3099
3100static int smack_sem_associate(struct sem_array *sma, int semflg)
3101{
3102 int may;
3103
3104 may = smack_flags_to_may(semflg);
3105 return smk_curacc_sem(sma, may);
3106}
3107
3108
3109
3110
3111
3112
3113
3114
3115static int smack_sem_semctl(struct sem_array *sma, int cmd)
3116{
3117 int may;
3118
3119 switch (cmd) {
3120 case GETPID:
3121 case GETNCNT:
3122 case GETZCNT:
3123 case GETVAL:
3124 case GETALL:
3125 case IPC_STAT:
3126 case SEM_STAT:
3127 may = MAY_READ;
3128 break;
3129 case SETVAL:
3130 case SETALL:
3131 case IPC_RMID:
3132 case IPC_SET:
3133 may = MAY_READWRITE;
3134 break;
3135 case IPC_INFO:
3136 case SEM_INFO:
3137
3138
3139
3140 return 0;
3141 default:
3142 return -EINVAL;
3143 }
3144
3145 return smk_curacc_sem(sma, may);
3146}
3147
3148
3149
3150
3151
3152
3153
3154
3155
3156
3157
3158
3159static int smack_sem_semop(struct sem_array *sma, struct sembuf *sops,
3160 unsigned nsops, int alter)
3161{
3162 return smk_curacc_sem(sma, MAY_READWRITE);
3163}
3164
3165
3166
3167
3168
3169
3170
3171static int smack_msg_queue_alloc_security(struct msg_queue *msq)
3172{
3173 struct kern_ipc_perm *kisp = &msq->q_perm;
3174 struct smack_known *skp = smk_of_current();
3175
3176 kisp->security = skp;
3177 return 0;
3178}
3179
3180
3181
3182
3183
3184
3185
3186static void smack_msg_queue_free_security(struct msg_queue *msq)
3187{
3188 struct kern_ipc_perm *kisp = &msq->q_perm;
3189
3190 kisp->security = NULL;
3191}
3192
3193
3194
3195
3196
3197
3198
3199static struct smack_known *smack_of_msq(struct msg_queue *msq)
3200{
3201 return (struct smack_known *)msq->q_perm.security;
3202}
3203
3204
3205
3206
3207
3208
3209
3210
3211static int smk_curacc_msq(struct msg_queue *msq, int access)
3212{
3213 struct smack_known *msp = smack_of_msq(msq);
3214 struct smk_audit_info ad;
3215 int rc;
3216
3217#ifdef CONFIG_AUDIT
3218 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3219 ad.a.u.ipc_id = msq->q_perm.id;
3220#endif
3221 rc = smk_curacc(msp, access, &ad);
3222 rc = smk_bu_current("msq", msp, access, rc);
3223 return rc;
3224}
3225
3226
3227
3228
3229
3230
3231
3232
3233static int smack_msg_queue_associate(struct msg_queue *msq, int msqflg)
3234{
3235 int may;
3236
3237 may = smack_flags_to_may(msqflg);
3238 return smk_curacc_msq(msq, may);
3239}
3240
3241
3242
3243
3244
3245
3246
3247
3248static int smack_msg_queue_msgctl(struct msg_queue *msq, int cmd)
3249{
3250 int may;
3251
3252 switch (cmd) {
3253 case IPC_STAT:
3254 case MSG_STAT:
3255 may = MAY_READ;
3256 break;
3257 case IPC_SET:
3258 case IPC_RMID:
3259 may = MAY_READWRITE;
3260 break;
3261 case IPC_INFO:
3262 case MSG_INFO:
3263
3264
3265
3266 return 0;
3267 default:
3268 return -EINVAL;
3269 }
3270
3271 return smk_curacc_msq(msq, may);
3272}
3273
3274
3275
3276
3277
3278
3279
3280
3281
3282static int smack_msg_queue_msgsnd(struct msg_queue *msq, struct msg_msg *msg,
3283 int msqflg)
3284{
3285 int may;
3286
3287 may = smack_flags_to_may(msqflg);
3288 return smk_curacc_msq(msq, may);
3289}
3290
3291
3292
3293
3294
3295
3296
3297
3298
3299
3300
3301static int smack_msg_queue_msgrcv(struct msg_queue *msq, struct msg_msg *msg,
3302 struct task_struct *target, long type, int mode)
3303{
3304 return smk_curacc_msq(msq, MAY_READWRITE);
3305}
3306
3307
3308
3309
3310
3311
3312
3313
3314static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
3315{
3316 struct smack_known *iskp = ipp->security;
3317 int may = smack_flags_to_may(flag);
3318 struct smk_audit_info ad;
3319 int rc;
3320
3321#ifdef CONFIG_AUDIT
3322 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
3323 ad.a.u.ipc_id = ipp->id;
3324#endif
3325 rc = smk_curacc(iskp, may, &ad);
3326 rc = smk_bu_current("svipc", iskp, may, rc);
3327 return rc;
3328}
3329
3330
3331
3332
3333
3334
3335static void smack_ipc_getsecid(struct kern_ipc_perm *ipp, u32 *secid)
3336{
3337 struct smack_known *iskp = ipp->security;
3338
3339 *secid = iskp->smk_secid;
3340}
3341
3342
3343
3344
3345
3346
3347
3348
3349static void smack_d_instantiate(struct dentry *opt_dentry, struct inode *inode)
3350{
3351 struct super_block *sbp;
3352 struct superblock_smack *sbsp;
3353 struct inode_smack *isp;
3354 struct smack_known *skp;
3355 struct smack_known *ckp = smk_of_current();
3356 struct smack_known *final;
3357 char trattr[TRANS_TRUE_SIZE];
3358 int transflag = 0;
3359 int rc;
3360 struct dentry *dp;
3361
3362 if (inode == NULL)
3363 return;
3364
3365 isp = inode->i_security;
3366
3367 mutex_lock(&isp->smk_lock);
3368
3369
3370
3371
3372 if (isp->smk_flags & SMK_INODE_INSTANT)
3373 goto unlockandout;
3374
3375 sbp = inode->i_sb;
3376 sbsp = sbp->s_security;
3377
3378
3379
3380
3381 final = sbsp->smk_default;
3382
3383
3384
3385
3386
3387
3388
3389 if (opt_dentry->d_parent == opt_dentry) {
3390 switch (sbp->s_magic) {
3391 case CGROUP_SUPER_MAGIC:
3392
3393
3394
3395
3396
3397 sbsp->smk_root = &smack_known_star;
3398 sbsp->smk_default = &smack_known_star;
3399 isp->smk_inode = sbsp->smk_root;
3400 break;
3401 case TMPFS_MAGIC:
3402
3403
3404
3405
3406 isp->smk_inode = smk_of_current();
3407 break;
3408 case PIPEFS_MAGIC:
3409 isp->smk_inode = smk_of_current();
3410 break;
3411 default:
3412 isp->smk_inode = sbsp->smk_root;
3413 break;
3414 }
3415 isp->smk_flags |= SMK_INODE_INSTANT;
3416 goto unlockandout;
3417 }
3418
3419
3420
3421
3422
3423
3424
3425 switch (sbp->s_magic) {
3426 case SMACK_MAGIC:
3427 case PIPEFS_MAGIC:
3428 case SOCKFS_MAGIC:
3429 case CGROUP_SUPER_MAGIC:
3430
3431
3432
3433
3434
3435
3436
3437
3438
3439
3440
3441
3442 final = &smack_known_star;
3443 break;
3444 case DEVPTS_SUPER_MAGIC:
3445
3446
3447
3448
3449
3450 final = ckp;
3451 break;
3452 case PROC_SUPER_MAGIC:
3453
3454
3455
3456
3457 break;
3458 case TMPFS_MAGIC:
3459
3460
3461
3462
3463
3464 final = &smack_known_star;
3465
3466
3467
3468
3469
3470
3471
3472
3473 default:
3474
3475
3476
3477
3478
3479
3480
3481
3482 if (S_ISSOCK(inode->i_mode)) {
3483 final = &smack_known_star;
3484 break;
3485 }
3486
3487
3488
3489
3490
3491
3492 if (inode->i_op->getxattr == NULL)
3493 break;
3494
3495
3496
3497 dp = dget(opt_dentry);
3498 skp = smk_fetch(XATTR_NAME_SMACK, inode, dp);
3499 if (!IS_ERR_OR_NULL(skp))
3500 final = skp;
3501
3502
3503
3504
3505 if (S_ISDIR(inode->i_mode)) {
3506
3507
3508
3509
3510
3511
3512
3513
3514
3515 if (isp->smk_flags & SMK_INODE_CHANGED) {
3516 isp->smk_flags &= ~SMK_INODE_CHANGED;
3517 rc = inode->i_op->setxattr(dp,
3518 XATTR_NAME_SMACKTRANSMUTE,
3519 TRANS_TRUE, TRANS_TRUE_SIZE,
3520 0);
3521 } else {
3522 rc = inode->i_op->getxattr(dp,
3523 XATTR_NAME_SMACKTRANSMUTE, trattr,
3524 TRANS_TRUE_SIZE);
3525 if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
3526 TRANS_TRUE_SIZE) != 0)
3527 rc = -EINVAL;
3528 }
3529 if (rc >= 0)
3530 transflag = SMK_INODE_TRANSMUTE;
3531 }
3532
3533
3534
3535 skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
3536 if (IS_ERR(skp) || skp == &smack_known_star ||
3537 skp == &smack_known_web)
3538 skp = NULL;
3539 isp->smk_task = skp;
3540
3541 skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
3542 if (IS_ERR(skp) || skp == &smack_known_star ||
3543 skp == &smack_known_web)
3544 skp = NULL;
3545 isp->smk_mmap = skp;
3546
3547 dput(dp);
3548 break;
3549 }
3550
3551 if (final == NULL)
3552 isp->smk_inode = ckp;
3553 else
3554 isp->smk_inode = final;
3555
3556 isp->smk_flags |= (SMK_INODE_INSTANT | transflag);
3557
3558unlockandout:
3559 mutex_unlock(&isp->smk_lock);
3560 return;
3561}
3562
3563
3564
3565
3566
3567
3568
3569
3570
3571
3572
3573static int smack_getprocattr(struct task_struct *p, char *name, char **value)
3574{
3575 struct smack_known *skp = smk_of_task_struct(p);
3576 char *cp;
3577 int slen;
3578
3579 if (strcmp(name, "current") != 0)
3580 return -EINVAL;
3581
3582 cp = kstrdup(skp->smk_known, GFP_KERNEL);
3583 if (cp == NULL)
3584 return -ENOMEM;
3585
3586 slen = strlen(cp);
3587 *value = cp;
3588 return slen;
3589}
3590
3591
3592
3593
3594
3595
3596
3597
3598
3599
3600
3601
3602
3603static int smack_setprocattr(struct task_struct *p, char *name,
3604 void *value, size_t size)
3605{
3606 struct task_smack *tsp = current_security();
3607 struct cred *new;
3608 struct smack_known *skp;
3609 struct smack_known_list_elem *sklep;
3610 int rc;
3611
3612
3613
3614
3615
3616 if (p != current)
3617 return -EPERM;
3618
3619 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
3620 return -EPERM;
3621
3622 if (value == NULL || size == 0 || size >= SMK_LONGLABEL)
3623 return -EINVAL;
3624
3625 if (strcmp(name, "current") != 0)
3626 return -EINVAL;
3627
3628 skp = smk_import_entry(value, size);
3629 if (IS_ERR(skp))
3630 return PTR_ERR(skp);
3631
3632
3633
3634
3635 if (skp == &smack_known_web)
3636 return -EPERM;
3637
3638 if (!smack_privileged(CAP_MAC_ADMIN)) {
3639 rc = -EPERM;
3640 list_for_each_entry(sklep, &tsp->smk_relabel, list)
3641 if (sklep->smk_label == skp) {
3642 rc = 0;
3643 break;
3644 }
3645 if (rc)
3646 return rc;
3647 }
3648
3649 new = prepare_creds();
3650 if (new == NULL)
3651 return -ENOMEM;
3652
3653 tsp = new->security;
3654 tsp->smk_task = skp;
3655
3656
3657
3658 smk_destroy_label_list(&tsp->smk_relabel);
3659
3660 commit_creds(new);
3661 return size;
3662}
3663
3664
3665
3666
3667
3668
3669
3670
3671
3672
3673static int smack_unix_stream_connect(struct sock *sock,
3674 struct sock *other, struct sock *newsk)
3675{
3676 struct smack_known *skp;
3677 struct smack_known *okp;
3678 struct socket_smack *ssp = sock->sk_security;
3679 struct socket_smack *osp = other->sk_security;
3680 struct socket_smack *nsp = newsk->sk_security;
3681 struct smk_audit_info ad;
3682 int rc = 0;
3683#ifdef CONFIG_AUDIT
3684 struct lsm_network_audit net;
3685#endif
3686
3687 if (!smack_privileged(CAP_MAC_OVERRIDE)) {
3688 skp = ssp->smk_out;
3689 okp = osp->smk_in;
3690#ifdef CONFIG_AUDIT
3691 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3692 smk_ad_setfield_u_net_sk(&ad, other);
3693#endif
3694 rc = smk_access(skp, okp, MAY_WRITE, &ad);
3695 rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
3696 if (rc == 0) {
3697 okp = osp->smk_out;
3698 skp = ssp->smk_in;
3699 rc = smk_access(okp, skp, MAY_WRITE, &ad);
3700 rc = smk_bu_note("UDS connect", okp, skp,
3701 MAY_WRITE, rc);
3702 }
3703 }
3704
3705
3706
3707
3708 if (rc == 0) {
3709 nsp->smk_packet = ssp->smk_out;
3710 ssp->smk_packet = osp->smk_out;
3711 }
3712
3713 return rc;
3714}
3715
3716
3717
3718
3719
3720
3721
3722
3723
3724static int smack_unix_may_send(struct socket *sock, struct socket *other)
3725{
3726 struct socket_smack *ssp = sock->sk->sk_security;
3727 struct socket_smack *osp = other->sk->sk_security;
3728 struct smk_audit_info ad;
3729 int rc;
3730
3731#ifdef CONFIG_AUDIT
3732 struct lsm_network_audit net;
3733
3734 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3735 smk_ad_setfield_u_net_sk(&ad, other->sk);
3736#endif
3737
3738 if (smack_privileged(CAP_MAC_OVERRIDE))
3739 return 0;
3740
3741 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
3742 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
3743 return rc;
3744}
3745
3746
3747
3748
3749
3750
3751
3752
3753
3754
3755
3756static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
3757 int size)
3758{
3759 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
3760#if IS_ENABLED(CONFIG_IPV6)
3761 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
3762#endif
3763#ifdef SMACK_IPV6_SECMARK_LABELING
3764 struct socket_smack *ssp = sock->sk->sk_security;
3765 struct smack_known *rsp;
3766#endif
3767 int rc = 0;
3768
3769
3770
3771
3772 if (sip == NULL)
3773 return 0;
3774
3775 switch (sock->sk->sk_family) {
3776 case AF_INET:
3777 rc = smack_netlabel_send(sock->sk, sip);
3778 break;
3779 case AF_INET6:
3780#ifdef SMACK_IPV6_SECMARK_LABELING
3781 rsp = smack_ipv6host_label(sap);
3782 if (rsp != NULL)
3783 rc = smk_ipv6_check(ssp->smk_out, rsp, sap,
3784 SMK_CONNECTING);
3785#endif
3786#ifdef SMACK_IPV6_PORT_LABELING
3787 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
3788#endif
3789 break;
3790 }
3791 return rc;
3792}
3793
3794
3795
3796
3797
3798
3799
3800
3801static struct smack_known *smack_from_secattr(struct netlbl_lsm_secattr *sap,
3802 struct socket_smack *ssp)
3803{
3804 struct smack_known *skp;
3805 int found = 0;
3806 int acat;
3807 int kcat;
3808
3809 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
3810
3811
3812
3813
3814
3815
3816
3817
3818
3819
3820 rcu_read_lock();
3821 list_for_each_entry(skp, &smack_known_list, list) {
3822 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
3823 continue;
3824
3825
3826
3827 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
3828 if ((skp->smk_netlabel.flags &
3829 NETLBL_SECATTR_MLS_CAT) == 0)
3830 found = 1;
3831 break;
3832 }
3833 for (acat = -1, kcat = -1; acat == kcat; ) {
3834 acat = netlbl_catmap_walk(sap->attr.mls.cat,
3835 acat + 1);
3836 kcat = netlbl_catmap_walk(
3837 skp->smk_netlabel.attr.mls.cat,
3838 kcat + 1);
3839 if (acat < 0 || kcat < 0)
3840 break;
3841 }
3842 if (acat == kcat) {
3843 found = 1;
3844 break;
3845 }
3846 }
3847 rcu_read_unlock();
3848
3849 if (found)
3850 return skp;
3851
3852 if (ssp != NULL && ssp->smk_in == &smack_known_star)
3853 return &smack_known_web;
3854 return &smack_known_star;
3855 }
3856 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) {
3857
3858
3859
3860 skp = smack_from_secid(sap->attr.secid);
3861
3862
3863
3864
3865
3866
3867
3868 BUG_ON(skp == NULL);
3869 return skp;
3870 }
3871
3872
3873
3874
3875
3876 return smack_net_ambient;
3877}
3878
3879#if IS_ENABLED(CONFIG_IPV6)
3880static int smk_skb_to_addr_ipv6(struct sk_buff *skb, struct sockaddr_in6 *sip)
3881{
3882 u8 nexthdr;
3883 int offset;
3884 int proto = -EINVAL;
3885 struct ipv6hdr _ipv6h;
3886 struct ipv6hdr *ip6;
3887 __be16 frag_off;
3888 struct tcphdr _tcph, *th;
3889 struct udphdr _udph, *uh;
3890 struct dccp_hdr _dccph, *dh;
3891
3892 sip->sin6_port = 0;
3893
3894 offset = skb_network_offset(skb);
3895 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
3896 if (ip6 == NULL)
3897 return -EINVAL;
3898 sip->sin6_addr = ip6->saddr;
3899
3900 nexthdr = ip6->nexthdr;
3901 offset += sizeof(_ipv6h);
3902 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
3903 if (offset < 0)
3904 return -EINVAL;
3905
3906 proto = nexthdr;
3907 switch (proto) {
3908 case IPPROTO_TCP:
3909 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
3910 if (th != NULL)
3911 sip->sin6_port = th->source;
3912 break;
3913 case IPPROTO_UDP:
3914 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
3915 if (uh != NULL)
3916 sip->sin6_port = uh->source;
3917 break;
3918 case IPPROTO_DCCP:
3919 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
3920 if (dh != NULL)
3921 sip->sin6_port = dh->dccph_sport;
3922 break;
3923 }
3924 return proto;
3925}
3926#endif
3927
3928
3929
3930
3931
3932
3933
3934
3935static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
3936{
3937 struct netlbl_lsm_secattr secattr;
3938 struct socket_smack *ssp = sk->sk_security;
3939 struct smack_known *skp = NULL;
3940 int rc = 0;
3941 struct smk_audit_info ad;
3942#ifdef CONFIG_AUDIT
3943 struct lsm_network_audit net;
3944#endif
3945#if IS_ENABLED(CONFIG_IPV6)
3946 struct sockaddr_in6 sadd;
3947 int proto;
3948#endif
3949
3950 switch (sk->sk_family) {
3951 case PF_INET:
3952#ifdef CONFIG_SECURITY_SMACK_NETFILTER
3953
3954
3955
3956
3957
3958 if (skb && skb->secmark != 0) {
3959 skp = smack_from_secid(skb->secmark);
3960 goto access_check;
3961 }
3962#endif
3963
3964
3965
3966 netlbl_secattr_init(&secattr);
3967
3968 rc = netlbl_skbuff_getattr(skb, sk->sk_family, &secattr);
3969 if (rc == 0)
3970 skp = smack_from_secattr(&secattr, ssp);
3971 else
3972 skp = smack_net_ambient;
3973
3974 netlbl_secattr_destroy(&secattr);
3975
3976#ifdef CONFIG_SECURITY_SMACK_NETFILTER
3977access_check:
3978#endif
3979#ifdef CONFIG_AUDIT
3980 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
3981 ad.a.u.net->family = sk->sk_family;
3982 ad.a.u.net->netif = skb->skb_iif;
3983 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
3984#endif
3985
3986
3987
3988
3989
3990
3991 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
3992 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
3993 MAY_WRITE, rc);
3994 if (rc != 0)
3995 netlbl_skbuff_err(skb, rc, 0);
3996 break;
3997#if IS_ENABLED(CONFIG_IPV6)
3998 case PF_INET6:
3999 proto = smk_skb_to_addr_ipv6(skb, &sadd);
4000 if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
4001 break;
4002#ifdef SMACK_IPV6_SECMARK_LABELING
4003 if (skb && skb->secmark != 0)
4004 skp = smack_from_secid(skb->secmark);
4005 else
4006 skp = smack_ipv6host_label(&sadd);
4007 if (skp == NULL)
4008 skp = smack_net_ambient;
4009#ifdef CONFIG_AUDIT
4010 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
4011 ad.a.u.net->family = sk->sk_family;
4012 ad.a.u.net->netif = skb->skb_iif;
4013 ipv6_skb_to_auditdata(skb, &ad.a, NULL);
4014#endif
4015 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
4016 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
4017 MAY_WRITE, rc);
4018#endif
4019#ifdef SMACK_IPV6_PORT_LABELING
4020 rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
4021#endif
4022 break;
4023#endif
4024 }
4025
4026 return rc;
4027}
4028
4029
4030
4031
4032
4033
4034
4035
4036
4037
4038static int smack_socket_getpeersec_stream(struct socket *sock,
4039 char __user *optval,
4040 int __user *optlen, unsigned len)
4041{
4042 struct socket_smack *ssp;
4043 char *rcp = "";
4044 int slen = 1;
4045 int rc = 0;
4046
4047 ssp = sock->sk->sk_security;
4048 if (ssp->smk_packet != NULL) {
4049 rcp = ssp->smk_packet->smk_known;
4050 slen = strlen(rcp) + 1;
4051 }
4052
4053 if (slen > len)
4054 rc = -ERANGE;
4055 else if (copy_to_user(optval, rcp, slen) != 0)
4056 rc = -EFAULT;
4057
4058 if (put_user(slen, optlen) != 0)
4059 rc = -EFAULT;
4060
4061 return rc;
4062}
4063
4064
4065
4066
4067
4068
4069
4070
4071
4072
4073static int smack_socket_getpeersec_dgram(struct socket *sock,
4074 struct sk_buff *skb, u32 *secid)
4075
4076{
4077 struct netlbl_lsm_secattr secattr;
4078 struct socket_smack *ssp = NULL;
4079 struct smack_known *skp;
4080 int family = PF_UNSPEC;
4081 u32 s = 0;
4082 int rc;
4083
4084 if (skb != NULL) {
4085 if (skb->protocol == htons(ETH_P_IP))
4086 family = PF_INET;
4087#if IS_ENABLED(CONFIG_IPV6)
4088 else if (skb->protocol == htons(ETH_P_IPV6))
4089 family = PF_INET6;
4090#endif
4091 }
4092 if (family == PF_UNSPEC && sock != NULL)
4093 family = sock->sk->sk_family;
4094
4095 switch (family) {
4096 case PF_UNIX:
4097 ssp = sock->sk->sk_security;
4098 s = ssp->smk_out->smk_secid;
4099 break;
4100 case PF_INET:
4101#ifdef CONFIG_SECURITY_SMACK_NETFILTER
4102 s = skb->secmark;
4103 if (s != 0)
4104 break;
4105#endif
4106
4107
4108
4109 if (sock != NULL && sock->sk != NULL)
4110 ssp = sock->sk->sk_security;
4111 netlbl_secattr_init(&secattr);
4112 rc = netlbl_skbuff_getattr(skb, family, &secattr);
4113 if (rc == 0) {
4114 skp = smack_from_secattr(&secattr, ssp);
4115 s = skp->smk_secid;
4116 }
4117 netlbl_secattr_destroy(&secattr);
4118 break;
4119 case PF_INET6:
4120#ifdef SMACK_IPV6_SECMARK_LABELING
4121 s = skb->secmark;
4122#endif
4123 break;
4124 }
4125 *secid = s;
4126 if (s == 0)
4127 return -EINVAL;
4128 return 0;
4129}
4130
4131
4132
4133
4134
4135
4136
4137
4138
4139static void smack_sock_graft(struct sock *sk, struct socket *parent)
4140{
4141 struct socket_smack *ssp;
4142 struct smack_known *skp = smk_of_current();
4143
4144 if (sk == NULL ||
4145 (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
4146 return;
4147
4148 ssp = sk->sk_security;
4149 ssp->smk_in = skp;
4150 ssp->smk_out = skp;
4151
4152}
4153
4154
4155
4156
4157
4158
4159
4160
4161
4162
4163static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
4164 struct request_sock *req)
4165{
4166 u16 family = sk->sk_family;
4167 struct smack_known *skp;
4168 struct socket_smack *ssp = sk->sk_security;
4169 struct netlbl_lsm_secattr secattr;
4170 struct sockaddr_in addr;
4171 struct iphdr *hdr;
4172 struct smack_known *hskp;
4173 int rc;
4174 struct smk_audit_info ad;
4175#ifdef CONFIG_AUDIT
4176 struct lsm_network_audit net;
4177#endif
4178
4179#if IS_ENABLED(CONFIG_IPV6)
4180 if (family == PF_INET6) {
4181
4182
4183
4184
4185
4186 if (skb->protocol == htons(ETH_P_IP))
4187 family = PF_INET;
4188 else
4189 return 0;
4190 }
4191#endif
4192
4193#ifdef CONFIG_SECURITY_SMACK_NETFILTER
4194
4195
4196
4197
4198
4199 if (skb && skb->secmark != 0) {
4200 skp = smack_from_secid(skb->secmark);
4201 goto access_check;
4202 }
4203#endif
4204
4205 netlbl_secattr_init(&secattr);
4206 rc = netlbl_skbuff_getattr(skb, family, &secattr);
4207 if (rc == 0)
4208 skp = smack_from_secattr(&secattr, ssp);
4209 else
4210 skp = &smack_known_huh;
4211 netlbl_secattr_destroy(&secattr);
4212
4213#ifdef CONFIG_SECURITY_SMACK_NETFILTER
4214access_check:
4215#endif
4216
4217#ifdef CONFIG_AUDIT
4218 smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
4219 ad.a.u.net->family = family;
4220 ad.a.u.net->netif = skb->skb_iif;
4221 ipv4_skb_to_auditdata(skb, &ad.a, NULL);
4222#endif
4223
4224
4225
4226
4227 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
4228 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
4229 if (rc != 0)
4230 return rc;
4231
4232
4233
4234
4235
4236 req->peer_secid = skp->smk_secid;
4237
4238
4239
4240
4241
4242
4243 hdr = ip_hdr(skb);
4244 addr.sin_addr.s_addr = hdr->saddr;
4245 rcu_read_lock();
4246 hskp = smack_ipv4host_label(&addr);
4247 rcu_read_unlock();
4248
4249 if (hskp == NULL)
4250 rc = netlbl_req_setattr(req, &skp->smk_netlabel);
4251 else
4252 netlbl_req_delattr(req);
4253
4254 return rc;
4255}
4256
4257
4258
4259
4260
4261
4262
4263
4264static void smack_inet_csk_clone(struct sock *sk,
4265 const struct request_sock *req)
4266{
4267 struct socket_smack *ssp = sk->sk_security;
4268 struct smack_known *skp;
4269
4270 if (req->peer_secid != 0) {
4271 skp = smack_from_secid(req->peer_secid);
4272 ssp->smk_packet = skp;
4273 } else
4274 ssp->smk_packet = NULL;
4275}
4276
4277
4278
4279
4280
4281
4282
4283
4284#ifdef CONFIG_KEYS
4285
4286
4287
4288
4289
4290
4291
4292
4293
4294
4295
4296static int smack_key_alloc(struct key *key, const struct cred *cred,
4297 unsigned long flags)
4298{
4299 struct smack_known *skp = smk_of_task(cred->security);
4300
4301 key->security = skp;
4302 return 0;
4303}
4304
4305
4306
4307
4308
4309
4310
4311static void smack_key_free(struct key *key)
4312{
4313 key->security = NULL;
4314}
4315
4316
4317
4318
4319
4320
4321
4322
4323
4324
4325static int smack_key_permission(key_ref_t key_ref,
4326 const struct cred *cred, unsigned perm)
4327{
4328 struct key *keyp;
4329 struct smk_audit_info ad;
4330 struct smack_known *tkp = smk_of_task(cred->security);
4331 int request = 0;
4332 int rc;
4333
4334 keyp = key_ref_to_ptr(key_ref);
4335 if (keyp == NULL)
4336 return -EINVAL;
4337
4338
4339
4340
4341 if (keyp->security == NULL)
4342 return 0;
4343
4344
4345
4346 if (tkp == NULL)
4347 return -EACCES;
4348#ifdef CONFIG_AUDIT
4349 smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
4350 ad.a.u.key_struct.key = keyp->serial;
4351 ad.a.u.key_struct.key_desc = keyp->description;
4352#endif
4353 if (perm & KEY_NEED_READ)
4354 request = MAY_READ;
4355 if (perm & (KEY_NEED_WRITE | KEY_NEED_LINK | KEY_NEED_SETATTR))
4356 request = MAY_WRITE;
4357 rc = smk_access(tkp, keyp->security, request, &ad);
4358 rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
4359 return rc;
4360}
4361
4362
4363
4364
4365
4366
4367
4368
4369
4370
4371static int smack_key_getsecurity(struct key *key, char **_buffer)
4372{
4373 struct smack_known *skp = key->security;
4374 size_t length;
4375 char *copy;
4376
4377 if (key->security == NULL) {
4378 *_buffer = NULL;
4379 return 0;
4380 }
4381
4382 copy = kstrdup(skp->smk_known, GFP_KERNEL);
4383 if (copy == NULL)
4384 return -ENOMEM;
4385 length = strlen(copy) + 1;
4386
4387 *_buffer = copy;
4388 return length;
4389}
4390
4391#endif
4392
4393
4394
4395
4396
4397
4398
4399
4400
4401
4402
4403
4404
4405
4406#ifdef CONFIG_AUDIT
4407
4408
4409
4410
4411
4412
4413
4414
4415
4416
4417
4418static int smack_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
4419{
4420 struct smack_known *skp;
4421 char **rule = (char **)vrule;
4422 *rule = NULL;
4423
4424 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4425 return -EINVAL;
4426
4427 if (op != Audit_equal && op != Audit_not_equal)
4428 return -EINVAL;
4429
4430 skp = smk_import_entry(rulestr, 0);
4431 if (IS_ERR(skp))
4432 return PTR_ERR(skp);
4433
4434 *rule = skp->smk_known;
4435
4436 return 0;
4437}
4438
4439
4440
4441
4442
4443
4444
4445
4446
4447static int smack_audit_rule_known(struct audit_krule *krule)
4448{
4449 struct audit_field *f;
4450 int i;
4451
4452 for (i = 0; i < krule->field_count; i++) {
4453 f = &krule->fields[i];
4454
4455 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER)
4456 return 1;
4457 }
4458
4459 return 0;
4460}
4461
4462
4463
4464
4465
4466
4467
4468
4469
4470
4471
4472
4473static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule,
4474 struct audit_context *actx)
4475{
4476 struct smack_known *skp;
4477 char *rule = vrule;
4478
4479 if (unlikely(!rule)) {
4480 WARN_ONCE(1, "Smack: missing rule\n");
4481 return -ENOENT;
4482 }
4483
4484 if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
4485 return 0;
4486
4487 skp = smack_from_secid(secid);
4488
4489
4490
4491
4492
4493
4494 if (op == Audit_equal)
4495 return (rule == skp->smk_known);
4496 if (op == Audit_not_equal)
4497 return (rule != skp->smk_known);
4498
4499 return 0;
4500}
4501
4502
4503
4504
4505
4506
4507#endif
4508
4509
4510
4511
4512
4513static int smack_ismaclabel(const char *name)
4514{
4515 return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
4516}
4517
4518
4519
4520
4521
4522
4523
4524
4525
4526
4527static int smack_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
4528{
4529 struct smack_known *skp = smack_from_secid(secid);
4530
4531 if (secdata)
4532 *secdata = skp->smk_known;
4533 *seclen = strlen(skp->smk_known);
4534 return 0;
4535}
4536
4537
4538
4539
4540
4541
4542
4543
4544
4545static int smack_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
4546{
4547 struct smack_known *skp = smk_find_entry(secdata);
4548
4549 if (skp)
4550 *secid = skp->smk_secid;
4551 else
4552 *secid = 0;
4553 return 0;
4554}
4555
4556
4557
4558
4559
4560
4561
4562static int smack_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen)
4563{
4564 return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
4565}
4566
4567static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
4568{
4569 return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
4570}
4571
4572static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
4573{
4574 int len = 0;
4575 len = smack_inode_getsecurity(inode, XATTR_SMACK_SUFFIX, ctx, true);
4576
4577 if (len < 0)
4578 return len;
4579 *ctxlen = len;
4580 return 0;
4581}
4582
4583static struct security_hook_list smack_hooks[] = {
4584 LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
4585 LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
4586 LSM_HOOK_INIT(syslog, smack_syslog),
4587
4588 LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
4589 LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
4590 LSM_HOOK_INIT(sb_copy_data, smack_sb_copy_data),
4591 LSM_HOOK_INIT(sb_kern_mount, smack_sb_kern_mount),
4592 LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
4593 LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),
4594 LSM_HOOK_INIT(sb_parse_opts_str, smack_parse_opts_str),
4595
4596 LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),
4597 LSM_HOOK_INIT(bprm_committing_creds, smack_bprm_committing_creds),
4598 LSM_HOOK_INIT(bprm_secureexec, smack_bprm_secureexec),
4599
4600 LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
4601 LSM_HOOK_INIT(inode_free_security, smack_inode_free_security),
4602 LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
4603 LSM_HOOK_INIT(inode_link, smack_inode_link),
4604 LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
4605 LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir),
4606 LSM_HOOK_INIT(inode_rename, smack_inode_rename),
4607 LSM_HOOK_INIT(inode_permission, smack_inode_permission),
4608 LSM_HOOK_INIT(inode_setattr, smack_inode_setattr),
4609 LSM_HOOK_INIT(inode_getattr, smack_inode_getattr),
4610 LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr),
4611 LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr),
4612 LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr),
4613 LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr),
4614 LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity),
4615 LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity),
4616 LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),
4617 LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
4618
4619 LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
4620 LSM_HOOK_INIT(file_free_security, smack_file_free_security),
4621 LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
4622 LSM_HOOK_INIT(file_lock, smack_file_lock),
4623 LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
4624 LSM_HOOK_INIT(mmap_file, smack_mmap_file),
4625 LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
4626 LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner),
4627 LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask),
4628 LSM_HOOK_INIT(file_receive, smack_file_receive),
4629
4630 LSM_HOOK_INIT(file_open, smack_file_open),
4631
4632 LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank),
4633 LSM_HOOK_INIT(cred_free, smack_cred_free),
4634 LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
4635 LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
4636 LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
4637 LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
4638 LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
4639 LSM_HOOK_INIT(task_getpgid, smack_task_getpgid),
4640 LSM_HOOK_INIT(task_getsid, smack_task_getsid),
4641 LSM_HOOK_INIT(task_getsecid, smack_task_getsecid),
4642 LSM_HOOK_INIT(task_setnice, smack_task_setnice),
4643 LSM_HOOK_INIT(task_setioprio, smack_task_setioprio),
4644 LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
4645 LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler),
4646 LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler),
4647 LSM_HOOK_INIT(task_movememory, smack_task_movememory),
4648 LSM_HOOK_INIT(task_kill, smack_task_kill),
4649 LSM_HOOK_INIT(task_wait, smack_task_wait),
4650 LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
4651
4652 LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
4653 LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
4654
4655 LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
4656 LSM_HOOK_INIT(msg_msg_free_security, smack_msg_msg_free_security),
4657
4658 LSM_HOOK_INIT(msg_queue_alloc_security, smack_msg_queue_alloc_security),
4659 LSM_HOOK_INIT(msg_queue_free_security, smack_msg_queue_free_security),
4660 LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
4661 LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
4662 LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
4663 LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
4664
4665 LSM_HOOK_INIT(shm_alloc_security, smack_shm_alloc_security),
4666 LSM_HOOK_INIT(shm_free_security, smack_shm_free_security),
4667 LSM_HOOK_INIT(shm_associate, smack_shm_associate),
4668 LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
4669 LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
4670
4671 LSM_HOOK_INIT(sem_alloc_security, smack_sem_alloc_security),
4672 LSM_HOOK_INIT(sem_free_security, smack_sem_free_security),
4673 LSM_HOOK_INIT(sem_associate, smack_sem_associate),
4674 LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
4675 LSM_HOOK_INIT(sem_semop, smack_sem_semop),
4676
4677 LSM_HOOK_INIT(d_instantiate, smack_d_instantiate),
4678
4679 LSM_HOOK_INIT(getprocattr, smack_getprocattr),
4680 LSM_HOOK_INIT(setprocattr, smack_setprocattr),
4681
4682 LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect),
4683 LSM_HOOK_INIT(unix_may_send, smack_unix_may_send),
4684
4685 LSM_HOOK_INIT(socket_post_create, smack_socket_post_create),
4686#ifdef SMACK_IPV6_PORT_LABELING
4687 LSM_HOOK_INIT(socket_bind, smack_socket_bind),
4688#endif
4689 LSM_HOOK_INIT(socket_connect, smack_socket_connect),
4690 LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg),
4691 LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb),
4692 LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
4693 LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
4694 LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
4695 LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
4696 LSM_HOOK_INIT(sock_graft, smack_sock_graft),
4697 LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
4698 LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
4699
4700
4701#ifdef CONFIG_KEYS
4702 LSM_HOOK_INIT(key_alloc, smack_key_alloc),
4703 LSM_HOOK_INIT(key_free, smack_key_free),
4704 LSM_HOOK_INIT(key_permission, smack_key_permission),
4705 LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
4706#endif
4707
4708
4709#ifdef CONFIG_AUDIT
4710 LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
4711 LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known),
4712 LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match),
4713#endif
4714
4715 LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
4716 LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
4717 LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
4718 LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
4719 LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
4720 LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
4721};
4722
4723
4724static __init void init_smack_known_list(void)
4725{
4726
4727
4728
4729 mutex_init(&smack_known_huh.smk_rules_lock);
4730 mutex_init(&smack_known_hat.smk_rules_lock);
4731 mutex_init(&smack_known_floor.smk_rules_lock);
4732 mutex_init(&smack_known_star.smk_rules_lock);
4733 mutex_init(&smack_known_invalid.smk_rules_lock);
4734 mutex_init(&smack_known_web.smk_rules_lock);
4735
4736
4737
4738 INIT_LIST_HEAD(&smack_known_huh.smk_rules);
4739 INIT_LIST_HEAD(&smack_known_hat.smk_rules);
4740 INIT_LIST_HEAD(&smack_known_star.smk_rules);
4741 INIT_LIST_HEAD(&smack_known_floor.smk_rules);
4742 INIT_LIST_HEAD(&smack_known_invalid.smk_rules);
4743 INIT_LIST_HEAD(&smack_known_web.smk_rules);
4744
4745
4746
4747 smk_insert_entry(&smack_known_huh);
4748 smk_insert_entry(&smack_known_hat);
4749 smk_insert_entry(&smack_known_star);
4750 smk_insert_entry(&smack_known_floor);
4751 smk_insert_entry(&smack_known_invalid);
4752 smk_insert_entry(&smack_known_web);
4753}
4754
4755
4756
4757
4758
4759
4760static __init int smack_init(void)
4761{
4762 struct cred *cred;
4763 struct task_smack *tsp;
4764
4765 if (!security_module_enable("smack"))
4766 return 0;
4767
4768 smack_inode_cache = KMEM_CACHE(inode_smack, 0);
4769 if (!smack_inode_cache)
4770 return -ENOMEM;
4771
4772 tsp = new_task_smack(&smack_known_floor, &smack_known_floor,
4773 GFP_KERNEL);
4774 if (tsp == NULL) {
4775 kmem_cache_destroy(smack_inode_cache);
4776 return -ENOMEM;
4777 }
4778
4779 smack_enabled = 1;
4780
4781 pr_info("Smack: Initializing.\n");
4782#ifdef CONFIG_SECURITY_SMACK_NETFILTER
4783 pr_info("Smack: Netfilter enabled.\n");
4784#endif
4785#ifdef SMACK_IPV6_PORT_LABELING
4786 pr_info("Smack: IPv6 port labeling enabled.\n");
4787#endif
4788#ifdef SMACK_IPV6_SECMARK_LABELING
4789 pr_info("Smack: IPv6 Netfilter enabled.\n");
4790#endif
4791
4792
4793
4794
4795 cred = (struct cred *) current->cred;
4796 cred->security = tsp;
4797
4798
4799 init_smack_known_list();
4800
4801
4802
4803
4804 security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks));
4805
4806 return 0;
4807}
4808
4809
4810
4811
4812
4813security_initcall(smack_init);
4814