Blame - security/smack/smack_lsm.c - yocto/kernel/common

blob: 14bf2f4aea3bc3aa0a52cc8b6bf8ca2e59926f36 [file] [log] [blame]

Thomas Gleixner	d2912cb	2019-06-04 10:11:33 +0200	[diff] [blame]	1	// SPDX-License-Identifier: GPL-2.0-only
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2	/*
				3	* Simplified MAC Kernel (smack) security module
				4	*
				5	* This file contains the smack hook function implementations.
				6	*
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	7	* Authors:
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	8	* Casey Schaufler <casey@schaufler-ca.com>
Jarkko Sakkinen	84088ba	2011-10-07 09:27:53 +0300	[diff] [blame]	9	* Jarkko Sakkinen <jarkko.sakkinen@intel.com>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	10	*
				11	* Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	12	* Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
Paul Moore	82c21bf	2011-08-01 11:10:33 +0000	[diff] [blame]	13	* Paul Moore <paul@paul-moore.com>
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	14	* Copyright (C) 2010 Nokia Corporation
Jarkko Sakkinen	84088ba	2011-10-07 09:27:53 +0300	[diff] [blame]	15	* Copyright (C) 2011 Intel Corporation.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	16	*/
				17
				18	#include <linux/xattr.h>
				19	#include <linux/pagemap.h>
				20	#include <linux/mount.h>
				21	#include <linux/stat.h>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	22	#include <linux/kd.h>
				23	#include <asm/ioctls.h>
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	24	#include <linux/ip.h>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	25	#include <linux/tcp.h>
				26	#include <linux/udp.h>
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	27	#include <linux/dccp.h>
Piotr Sawicki	d66a8ac	2018-07-19 11:47:31 +0200	[diff] [blame]	28	#include <linux/icmpv6.h>
Tejun Heo	5a0e3ad	2010-03-24 17:04:11 +0900	[diff] [blame]	29	#include <linux/slab.h>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	30	#include <linux/mutex.h>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	31	#include <net/cipso_ipv4.h>
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	32	#include <net/ip.h>
				33	#include <net/ipv6.h>
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	34	#include <linux/audit.h>
Nick Black	1fd7317d	2009-09-22 16:43:33 -0700	[diff] [blame]	35	#include <linux/magic.h>
Eric Paris	2a7dba3	2011-02-01 11:05:39 -0500	[diff] [blame]	36	#include <linux/dcache.h>
Jarkko Sakkinen	16014d8	2011-10-14 13:16:24 +0300	[diff] [blame]	37	#include <linux/personality.h>
Al Viro	4040153	2012-02-13 03:58:52 +0000	[diff] [blame]	38	#include <linux/msg.h>
				39	#include <linux/shm.h>
				40	#include <linux/binfmts.h>
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	41	#include <linux/parser.h>
David Howells	2febd25	2018-11-01 23:07:24 +0000	[diff] [blame]	42	#include <linux/fs_context.h>
				43	#include <linux/fs_parser.h>
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	44	#include "smack.h"
				45
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	46	#define TRANS_TRUE "TRUE"
				47	#define TRANS_TRUE_SIZE 4
				48
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	49	#define SMK_CONNECTING 0
				50	#define SMK_RECEIVING 1
				51	#define SMK_SENDING 2
				52
Arnd Bergmann	00720f0	2020-04-08 21:04:31 +0200	[diff] [blame]	53	static DEFINE_MUTEX(smack_ipv6_lock);
Geliang Tang	8b549ef	2015-09-27 23:10:25 +0800	[diff] [blame]	54	static LIST_HEAD(smk_ipv6_port_list);
Rohit	1a5b472	2014-10-15 17:40:41 +0530	[diff] [blame]	55	static struct kmem_cache *smack_inode_cache;
Casey Schaufler	4e328b0	2019-04-02 11:37:12 -0700	[diff] [blame]	56	struct kmem_cache *smack_rule_cache;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	57	int smack_enabled;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	58
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	59	#define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
				60	static struct {
				61	const char *name;
				62	int len;
				63	int opt;
				64	} smk_mount_opts[] = {
Casey Schaufler	6e7739f	2019-05-31 11:53:33 +0100	[diff] [blame]	65	{"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	66	A(fsdefault), A(fsfloor), A(fshat), A(fsroot), A(fstransmute)
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	67	};
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	68	#undef A
				69
				70	static int match_opt_prefix(char s, int l, char *arg)
				71	{
				72	int i;
				73
				74	for (i = 0; i < ARRAY_SIZE(smk_mount_opts); i++) {
				75	size_t len = smk_mount_opts[i].len;
				76	if (len > l \|\| memcmp(s, smk_mount_opts[i].name, len))
				77	continue;
				78	if (len == l \|\| s[len] != '=')
				79	continue;
				80	*arg = s + len + 1;
				81	return smk_mount_opts[i].opt;
				82	}
				83	return Opt_error;
				84	}
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	85
Casey Schaufler	3d04c92	2015-08-12 11:56:02 -0700	[diff] [blame]	86	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
				87	static char *smk_bu_mess[] = {
				88	"Bringup Error", /* Unused */
				89	"Bringup", /* SMACK_BRINGUP_ALLOW */
				90	"Unconfined Subject", /* SMACK_UNCONFINED_SUBJECT */
				91	"Unconfined Object", /* SMACK_UNCONFINED_OBJECT */
				92	};
				93
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	94	static void smk_bu_mode(int mode, char *s)
				95	{
				96	int i = 0;
				97
				98	if (mode & MAY_READ)
				99	s[i++] = 'r';
				100	if (mode & MAY_WRITE)
				101	s[i++] = 'w';
				102	if (mode & MAY_EXEC)
				103	s[i++] = 'x';
				104	if (mode & MAY_APPEND)
				105	s[i++] = 'a';
				106	if (mode & MAY_TRANSMUTE)
				107	s[i++] = 't';
				108	if (mode & MAY_LOCK)
				109	s[i++] = 'l';
				110	if (i == 0)
				111	s[i++] = '-';
				112	s[i] = '\0';
				113	}
				114	#endif
				115
				116	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	117	static int smk_bu_note(char note, struct smack_known sskp,
				118	struct smack_known *oskp, int mode, int rc)
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	119	{
				120	char acc[SMK_NUM_ACCESS_TYPE + 1];
				121
				122	if (rc <= 0)
				123	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	124	if (rc > SMACK_UNCONFINED_OBJECT)
				125	rc = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	126
				127	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	128	pr_info("Smack %s: (%s %s %s) %s\n", smk_bu_mess[rc],
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	129	sskp->smk_known, oskp->smk_known, acc, note);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	130	return 0;
				131	}
				132	#else
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	133	#define smk_bu_note(note, sskp, oskp, mode, RC) (RC)
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	134	#endif
				135
				136	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	137	static int smk_bu_current(char note, struct smack_known oskp,
				138	int mode, int rc)
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	139	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	140	struct task_smack *tsp = smack_cred(current_cred());
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	141	char acc[SMK_NUM_ACCESS_TYPE + 1];
				142
				143	if (rc <= 0)
				144	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	145	if (rc > SMACK_UNCONFINED_OBJECT)
				146	rc = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	147
				148	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	149	pr_info("Smack %s: (%s %s %s) %s %s\n", smk_bu_mess[rc],
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	150	tsp->smk_task->smk_known, oskp->smk_known,
				151	acc, current->comm, note);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	152	return 0;
				153	}
				154	#else
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	155	#define smk_bu_current(note, oskp, mode, RC) (RC)
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	156	#endif
				157
				158	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
				159	static int smk_bu_task(struct task_struct *otp, int mode, int rc)
				160	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	161	struct task_smack *tsp = smack_cred(current_cred());
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	162	struct smack_known *smk_task = smk_of_task_struct(otp);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	163	char acc[SMK_NUM_ACCESS_TYPE + 1];
				164
				165	if (rc <= 0)
				166	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	167	if (rc > SMACK_UNCONFINED_OBJECT)
				168	rc = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	169
				170	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	171	pr_info("Smack %s: (%s %s %s) %s to %s\n", smk_bu_mess[rc],
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	172	tsp->smk_task->smk_known, smk_task->smk_known, acc,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	173	current->comm, otp->comm);
				174	return 0;
				175	}
				176	#else
				177	#define smk_bu_task(otp, mode, RC) (RC)
				178	#endif
				179
				180	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
				181	static int smk_bu_inode(struct inode *inode, int mode, int rc)
				182	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	183	struct task_smack *tsp = smack_cred(current_cred());
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	184	struct inode_smack *isp = smack_inode(inode);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	185	char acc[SMK_NUM_ACCESS_TYPE + 1];
				186
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	187	if (isp->smk_flags & SMK_INODE_IMPURE)
				188	pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
				189	inode->i_sb->s_id, inode->i_ino, current->comm);
				190
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	191	if (rc <= 0)
				192	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	193	if (rc > SMACK_UNCONFINED_OBJECT)
				194	rc = 0;
				195	if (rc == SMACK_UNCONFINED_SUBJECT &&
				196	(mode & (MAY_WRITE \| MAY_APPEND)))
				197	isp->smk_flags \|= SMK_INODE_IMPURE;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	198
				199	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	200
				201	pr_info("Smack %s: (%s %s %s) inode=(%s %ld) %s\n", smk_bu_mess[rc],
				202	tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	203	inode->i_sb->s_id, inode->i_ino, current->comm);
				204	return 0;
				205	}
				206	#else
				207	#define smk_bu_inode(inode, mode, RC) (RC)
				208	#endif
				209
				210	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
				211	static int smk_bu_file(struct file *file, int mode, int rc)
				212	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	213	struct task_smack *tsp = smack_cred(current_cred());
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	214	struct smack_known *sskp = tsp->smk_task;
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	215	struct inode *inode = file_inode(file);
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	216	struct inode_smack *isp = smack_inode(inode);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	217	char acc[SMK_NUM_ACCESS_TYPE + 1];
				218
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	219	if (isp->smk_flags & SMK_INODE_IMPURE)
				220	pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
				221	inode->i_sb->s_id, inode->i_ino, current->comm);
				222
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	223	if (rc <= 0)
				224	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	225	if (rc > SMACK_UNCONFINED_OBJECT)
				226	rc = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	227
				228	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	229	pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	230	sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
Al Viro	a455589	2014-10-21 20:11:25 -0400	[diff] [blame]	231	inode->i_sb->s_id, inode->i_ino, file,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	232	current->comm);
				233	return 0;
				234	}
				235	#else
				236	#define smk_bu_file(file, mode, RC) (RC)
				237	#endif
				238
				239	#ifdef CONFIG_SECURITY_SMACK_BRINGUP
				240	static int smk_bu_credfile(const struct cred cred, struct file file,
				241	int mode, int rc)
				242	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	243	struct task_smack *tsp = smack_cred(cred);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	244	struct smack_known *sskp = tsp->smk_task;
Al Viro	4506309	2016-12-04 18:24:56 -0500	[diff] [blame]	245	struct inode *inode = file_inode(file);
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	246	struct inode_smack *isp = smack_inode(inode);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	247	char acc[SMK_NUM_ACCESS_TYPE + 1];
				248
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	249	if (isp->smk_flags & SMK_INODE_IMPURE)
				250	pr_info("Smack Unconfined Corruption: inode=(%s %ld) %s\n",
				251	inode->i_sb->s_id, inode->i_ino, current->comm);
				252
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	253	if (rc <= 0)
				254	return rc;
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	255	if (rc > SMACK_UNCONFINED_OBJECT)
				256	rc = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	257
				258	smk_bu_mode(mode, acc);
Casey Schaufler	bf4b2fe	2015-03-21 18:26:40 -0700	[diff] [blame]	259	pr_info("Smack %s: (%s %s %s) file=(%s %ld %pD) %s\n", smk_bu_mess[rc],
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	260	sskp->smk_known, smk_of_inode(inode)->smk_known, acc,
Al Viro	a455589	2014-10-21 20:11:25 -0400	[diff] [blame]	261	inode->i_sb->s_id, inode->i_ino, file,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	262	current->comm);
				263	return 0;
				264	}
				265	#else
				266	#define smk_bu_credfile(cred, file, mode, RC) (RC)
				267	#endif
				268
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	269	/**
				270	* smk_fetch - Fetch the smack label from a file.
Lukasz Pawelczyk	1a28979	2014-11-26 15:31:06 +0100	[diff] [blame]	271	* @name: type of the label (attribute)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	272	* @ip: a pointer to the inode
				273	* @dp: a pointer to the dentry
				274	*
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	275	* Returns a pointer to the master list entry for the Smack label,
				276	* NULL if there was no label to fetch, or an error code.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	277	*/
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	278	static struct smack_known smk_fetch(const char name, struct inode *ip,
				279	struct dentry *dp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	280	{
				281	int rc;
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	282	char *buffer;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	283	struct smack_known *skp = NULL;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	284
Andreas Gruenbacher	5d6c319	2016-09-29 17:48:42 +0200	[diff] [blame]	285	if (!(ip->i_opflags & IOP_XATTR))
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	286	return ERR_PTR(-EOPNOTSUPP);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	287
Eric Biggers	e5bfad3	2019-08-21 22:54:41 -0700	[diff] [blame]	288	buffer = kzalloc(SMK_LONGLABEL, GFP_NOFS);
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	289	if (buffer == NULL)
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	290	return ERR_PTR(-ENOMEM);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	291
Andreas Gruenbacher	5d6c319	2016-09-29 17:48:42 +0200	[diff] [blame]	292	rc = __vfs_getxattr(dp, ip, name, buffer, SMK_LONGLABEL);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	293	if (rc < 0)
				294	skp = ERR_PTR(rc);
				295	else if (rc == 0)
				296	skp = NULL;
				297	else
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	298	skp = smk_import_entry(buffer, rc);
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	299
				300	kfree(buffer);
				301
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	302	return skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	303	}
				304
				305	/**
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	306	* init_inode_smack - initialize an inode security blob
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	307	* @inode: inode to extract the info from
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	308	* @skp: a pointer to the Smack label entry to use in the blob
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	309	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	310	*/
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	311	static void init_inode_smack(struct inode inode, struct smack_known skp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	312	{
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	313	struct inode_smack *isp = smack_inode(inode);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	314
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	315	isp->smk_inode = skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	316	isp->smk_flags = 0;
				317	mutex_init(&isp->smk_lock);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	318	}
				319
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	320	/**
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	321	* init_task_smack - initialize a task security blob
				322	* @tsp: blob to initialize
Lukasz Pawelczyk	1a28979	2014-11-26 15:31:06 +0100	[diff] [blame]	323	* @task: a pointer to the Smack label for the running task
				324	* @forked: a pointer to the Smack label for the forked task
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	325	*
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	326	*/
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	327	static void init_task_smack(struct task_smack tsp, struct smack_known task,
				328	struct smack_known *forked)
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	329	{
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	330	tsp->smk_task = task;
				331	tsp->smk_forked = forked;
				332	INIT_LIST_HEAD(&tsp->smk_rules);
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	333	INIT_LIST_HEAD(&tsp->smk_relabel);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	334	mutex_init(&tsp->smk_rules_lock);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	335	}
				336
				337	/**
				338	* smk_copy_rules - copy a rule set
Lukasz Pawelczyk	1a28979	2014-11-26 15:31:06 +0100	[diff] [blame]	339	* @nhead: new rules header pointer
				340	* @ohead: old rules header pointer
				341	* @gfp: type of the memory for the allocation
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	342	*
				343	* Returns 0 on success, -ENOMEM on error
				344	*/
				345	static int smk_copy_rules(struct list_head nhead, struct list_head ohead,
				346	gfp_t gfp)
				347	{
				348	struct smack_rule *nrp;
				349	struct smack_rule *orp;
				350	int rc = 0;
				351
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	352	list_for_each_entry_rcu(orp, ohead, list) {
Casey Schaufler	4e328b0	2019-04-02 11:37:12 -0700	[diff] [blame]	353	nrp = kmem_cache_zalloc(smack_rule_cache, gfp);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	354	if (nrp == NULL) {
				355	rc = -ENOMEM;
				356	break;
				357	}
				358	nrp = orp;
				359	list_add_rcu(&nrp->list, nhead);
				360	}
				361	return rc;
				362	}
				363
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	364	/**
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	365	* smk_copy_relabel - copy smk_relabel labels list
				366	* @nhead: new rules header pointer
				367	* @ohead: old rules header pointer
				368	* @gfp: type of the memory for the allocation
				369	*
				370	* Returns 0 on success, -ENOMEM on error
				371	*/
				372	static int smk_copy_relabel(struct list_head nhead, struct list_head ohead,
				373	gfp_t gfp)
				374	{
				375	struct smack_known_list_elem *nklep;
				376	struct smack_known_list_elem *oklep;
				377
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	378	list_for_each_entry(oklep, ohead, list) {
				379	nklep = kzalloc(sizeof(struct smack_known_list_elem), gfp);
				380	if (nklep == NULL) {
				381	smk_destroy_label_list(nhead);
				382	return -ENOMEM;
				383	}
				384	nklep->smk_label = oklep->smk_label;
				385	list_add(&nklep->list, nhead);
				386	}
				387
				388	return 0;
				389	}
				390
				391	/**
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	392	* smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
				393	* @mode - input mode in form of PTRACE_MODE_*
				394	*
				395	* Returns a converted MAY_* mode usable by smack rules
				396	*/
				397	static inline unsigned int smk_ptrace_mode(unsigned int mode)
				398	{
Jann Horn	3dfb7d8	2016-01-20 15:00:01 -0800	[diff] [blame]	399	if (mode & PTRACE_MODE_ATTACH)
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	400	return MAY_READWRITE;
Jann Horn	3dfb7d8	2016-01-20 15:00:01 -0800	[diff] [blame]	401	if (mode & PTRACE_MODE_READ)
				402	return MAY_READ;
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	403
				404	return 0;
				405	}
				406
				407	/**
				408	* smk_ptrace_rule_check - helper for ptrace access
				409	* @tracer: tracer process
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	410	* @tracee_known: label entry of the process that's about to be traced
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	411	* @mode: ptrace attachment mode (PTRACE_MODE_*)
				412	* @func: name of the function that called us, used for audit
				413	*
				414	* Returns 0 on access granted, -error on error
				415	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	416	static int smk_ptrace_rule_check(struct task_struct *tracer,
				417	struct smack_known *tracee_known,
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	418	unsigned int mode, const char *func)
				419	{
				420	int rc;
				421	struct smk_audit_info ad, *saip = NULL;
				422	struct task_smack *tsp;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	423	struct smack_known *tracer_known;
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	424	const struct cred *tracercred;
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	425
				426	if ((mode & PTRACE_MODE_NOAUDIT) == 0) {
				427	smk_ad_init(&ad, func, LSM_AUDIT_DATA_TASK);
				428	smk_ad_setfield_u_tsk(&ad, tracer);
				429	saip = &ad;
				430	}
				431
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	432	rcu_read_lock();
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	433	tracercred = __task_cred(tracer);
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	434	tsp = smack_cred(tracercred);
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	435	tracer_known = smk_of_task(tsp);
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	436
Lukasz Pawelczyk	6686781	2014-03-11 17:07:06 +0100	[diff] [blame]	437	if ((mode & PTRACE_MODE_ATTACH) &&
				438	(smack_ptrace_rule == SMACK_PTRACE_EXACT \|\|
				439	smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)) {
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	440	if (tracer_known->smk_known == tracee_known->smk_known)
Lukasz Pawelczyk	6686781	2014-03-11 17:07:06 +0100	[diff] [blame]	441	rc = 0;
				442	else if (smack_ptrace_rule == SMACK_PTRACE_DRACONIAN)
				443	rc = -EACCES;
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	444	else if (smack_privileged_cred(CAP_SYS_PTRACE, tracercred))
Lukasz Pawelczyk	6686781	2014-03-11 17:07:06 +0100	[diff] [blame]	445	rc = 0;
				446	else
				447	rc = -EACCES;
				448
				449	if (saip)
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	450	smack_log(tracer_known->smk_known,
				451	tracee_known->smk_known,
				452	0, rc, saip);
Lukasz Pawelczyk	6686781	2014-03-11 17:07:06 +0100	[diff] [blame]	453
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	454	rcu_read_unlock();
Lukasz Pawelczyk	6686781	2014-03-11 17:07:06 +0100	[diff] [blame]	455	return rc;
				456	}
				457
				458	/* In case of rule==SMACK_PTRACE_DEFAULT or mode==PTRACE_MODE_READ */
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	459	rc = smk_tskacc(tsp, tracee_known, smk_ptrace_mode(mode), saip);
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	460
				461	rcu_read_unlock();
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	462	return rc;
				463	}
				464
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	465	/*
				466	* LSM hooks.
				467	* We he, that is fun!
				468	*/
				469
				470	/**
Ingo Molnar	9e48858	2009-05-07 19:26:19 +1000	[diff] [blame]	471	* smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	472	* @ctp: child task pointer
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	473	* @mode: ptrace attachment mode (PTRACE_MODE_*)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	474	*
				475	* Returns 0 if access is OK, an error code otherwise
				476	*
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	477	* Do the capability checks.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	478	*/
Ingo Molnar	9e48858	2009-05-07 19:26:19 +1000	[diff] [blame]	479	static int smack_ptrace_access_check(struct task_struct *ctp, unsigned int mode)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	480	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	481	struct smack_known *skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	482
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	483	skp = smk_of_task_struct(ctp);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	484
Casey Schaufler	b1d9e6b	2015-05-02 15:11:42 -0700	[diff] [blame]	485	return smk_ptrace_rule_check(current, skp, mode, __func__);
David Howells	5cd9c58	2008-08-14 11:37:28 +0100	[diff] [blame]	486	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	487
David Howells	5cd9c58	2008-08-14 11:37:28 +0100	[diff] [blame]	488	/**
				489	* smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
				490	* @ptp: parent task pointer
				491	*
				492	* Returns 0 if access is OK, an error code otherwise
				493	*
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	494	* Do the capability checks, and require PTRACE_MODE_ATTACH.
David Howells	5cd9c58	2008-08-14 11:37:28 +0100	[diff] [blame]	495	*/
				496	static int smack_ptrace_traceme(struct task_struct *ptp)
				497	{
				498	int rc;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	499	struct smack_known *skp;
David Howells	5cd9c58	2008-08-14 11:37:28 +0100	[diff] [blame]	500
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	501	skp = smk_of_task(smack_cred(current_cred()));
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	502
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	503	rc = smk_ptrace_rule_check(ptp, skp, PTRACE_MODE_ATTACH, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	504	return rc;
				505	}
				506
				507	/**
				508	* smack_syslog - Smack approval on syslog
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	509	* @typefrom_file: unused
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	510	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	511	* Returns 0 on success, error code otherwise.
				512	*/
Eric Paris	12b3052	2010-11-15 18:36:29 -0500	[diff] [blame]	513	static int smack_syslog(int typefrom_file)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	514	{
Eric Paris	12b3052	2010-11-15 18:36:29 -0500	[diff] [blame]	515	int rc = 0;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	516	struct smack_known *skp = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	517
Casey Schaufler	1880eff	2012-06-05 15:28:30 -0700	[diff] [blame]	518	if (smack_privileged(CAP_MAC_OVERRIDE))
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	519	return 0;
				520
Casey Schaufler	24ea1b6	2013-12-30 09:38:00 -0800	[diff] [blame]	521	if (smack_syslog_label != NULL && smack_syslog_label != skp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	522	rc = -EACCES;
				523
				524	return rc;
				525	}
				526
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	527	/*
				528	* Superblock Hooks.
				529	*/
				530
				531	/**
				532	* smack_sb_alloc_security - allocate a superblock blob
				533	* @sb: the superblock getting the blob
				534	*
				535	* Returns 0 on success or -ENOMEM on error.
				536	*/
				537	static int smack_sb_alloc_security(struct super_block *sb)
				538	{
				539	struct superblock_smack *sbsp;
				540
				541	sbsp = kzalloc(sizeof(struct superblock_smack), GFP_KERNEL);
				542
				543	if (sbsp == NULL)
				544	return -ENOMEM;
				545
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	546	sbsp->smk_root = &smack_known_floor;
				547	sbsp->smk_default = &smack_known_floor;
				548	sbsp->smk_floor = &smack_known_floor;
				549	sbsp->smk_hat = &smack_known_hat;
Casey Schaufler	e830b39	2013-05-22 18:43:07 -0700	[diff] [blame]	550	/*
Seth Forshee	9f50eda	2015-09-23 15:16:06 -0500	[diff] [blame]	551	* SMK_SB_INITIALIZED will be zero from kzalloc.
Casey Schaufler	e830b39	2013-05-22 18:43:07 -0700	[diff] [blame]	552	*/
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	553	sb->s_security = sbsp;
				554
				555	return 0;
				556	}
				557
				558	/**
				559	* smack_sb_free_security - free a superblock blob
				560	* @sb: the superblock getting the blob
				561	*
				562	*/
				563	static void smack_sb_free_security(struct super_block *sb)
				564	{
				565	kfree(sb->s_security);
				566	sb->s_security = NULL;
				567	}
				568
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	569	struct smack_mnt_opts {
				570	const char fsdefault, fsfloor, fshat, fsroot, *fstransmute;
				571	};
				572
Al Viro	204cc0c	2018-12-13 13:41:47 -0500	[diff] [blame]	573	static void smack_free_mnt_opts(void *mnt_opts)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	574	{
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	575	struct smack_mnt_opts *opts = mnt_opts;
				576	kfree(opts->fsdefault);
				577	kfree(opts->fsfloor);
				578	kfree(opts->fshat);
				579	kfree(opts->fsroot);
				580	kfree(opts->fstransmute);
Al Viro	204cc0c	2018-12-13 13:41:47 -0500	[diff] [blame]	581	kfree(opts);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	582	}
				583
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	584	static int smack_add_opt(int token, const char s, void *mnt_opts)
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	585	{
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	586	struct smack_mnt_opts opts = mnt_opts;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	587
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	588	if (!opts) {
				589	opts = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
				590	if (!opts)
				591	return -ENOMEM;
				592	*mnt_opts = opts;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	593	}
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	594	if (!s)
				595	return -ENOMEM;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	596
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	597	switch (token) {
				598	case Opt_fsdefault:
				599	if (opts->fsdefault)
				600	goto out_opt_err;
				601	opts->fsdefault = s;
				602	break;
				603	case Opt_fsfloor:
				604	if (opts->fsfloor)
				605	goto out_opt_err;
				606	opts->fsfloor = s;
				607	break;
				608	case Opt_fshat:
				609	if (opts->fshat)
				610	goto out_opt_err;
				611	opts->fshat = s;
				612	break;
				613	case Opt_fsroot:
				614	if (opts->fsroot)
				615	goto out_opt_err;
				616	opts->fsroot = s;
				617	break;
				618	case Opt_fstransmute:
				619	if (opts->fstransmute)
				620	goto out_opt_err;
				621	opts->fstransmute = s;
				622	break;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	623	}
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	624	return 0;
				625
				626	out_opt_err:
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	627	pr_warn("Smack: duplicate mount options\n");
Al Viro	55c0e5b	2018-12-16 01:09:45 -0500	[diff] [blame]	628	return -EINVAL;
				629	}
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	630
Al Viro	0b52075	2018-12-23 16:02:47 -0500	[diff] [blame]	631	/**
				632	* smack_fs_context_dup - Duplicate the security data on fs_context duplication
				633	* @fc: The new filesystem context.
				634	* @src_fc: The source filesystem context being duplicated.
				635	*
				636	* Returns 0 on success or -ENOMEM on error.
				637	*/
				638	static int smack_fs_context_dup(struct fs_context *fc,
				639	struct fs_context *src_fc)
				640	{
				641	struct smack_mnt_opts dst, src = src_fc->security;
				642
				643	if (!src)
				644	return 0;
				645
				646	fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL);
				647	if (!fc->security)
				648	return -ENOMEM;
				649	dst = fc->security;
				650
				651	if (src->fsdefault) {
				652	dst->fsdefault = kstrdup(src->fsdefault, GFP_KERNEL);
				653	if (!dst->fsdefault)
				654	return -ENOMEM;
				655	}
				656	if (src->fsfloor) {
				657	dst->fsfloor = kstrdup(src->fsfloor, GFP_KERNEL);
				658	if (!dst->fsfloor)
				659	return -ENOMEM;
				660	}
				661	if (src->fshat) {
				662	dst->fshat = kstrdup(src->fshat, GFP_KERNEL);
				663	if (!dst->fshat)
				664	return -ENOMEM;
				665	}
				666	if (src->fsroot) {
				667	dst->fsroot = kstrdup(src->fsroot, GFP_KERNEL);
				668	if (!dst->fsroot)
				669	return -ENOMEM;
				670	}
				671	if (src->fstransmute) {
				672	dst->fstransmute = kstrdup(src->fstransmute, GFP_KERNEL);
				673	if (!dst->fstransmute)
				674	return -ENOMEM;
				675	}
				676	return 0;
				677	}
				678
Al Viro	d7167b1	2019-09-07 07:23:15 -0400	[diff] [blame]	679	static const struct fs_parameter_spec smack_fs_parameters[] = {
Casey Schaufler	6e7739f	2019-05-31 11:53:33 +0100	[diff] [blame]	680	fsparam_string("smackfsdef", Opt_fsdefault),
				681	fsparam_string("smackfsdefault", Opt_fsdefault),
				682	fsparam_string("smackfsfloor", Opt_fsfloor),
				683	fsparam_string("smackfshat", Opt_fshat),
				684	fsparam_string("smackfsroot", Opt_fsroot),
				685	fsparam_string("smackfstransmute", Opt_fstransmute),
David Howells	2febd25	2018-11-01 23:07:24 +0000	[diff] [blame]	686	{}
				687	};
				688
David Howells	2febd25	2018-11-01 23:07:24 +0000	[diff] [blame]	689	/**
				690	* smack_fs_context_parse_param - Parse a single mount parameter
				691	* @fc: The new filesystem context being constructed.
				692	* @param: The parameter.
				693	*
				694	* Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
				695	* error.
				696	*/
				697	static int smack_fs_context_parse_param(struct fs_context *fc,
				698	struct fs_parameter *param)
				699	{
				700	struct fs_parse_result result;
				701	int opt, rc;
				702
Al Viro	d7167b1	2019-09-07 07:23:15 -0400	[diff] [blame]	703	opt = fs_parse(fc, smack_fs_parameters, param, &result);
David Howells	2febd25	2018-11-01 23:07:24 +0000	[diff] [blame]	704	if (opt < 0)
				705	return opt;
				706
				707	rc = smack_add_opt(opt, param->string, &fc->security);
				708	if (!rc)
				709	param->string = NULL;
				710	return rc;
				711	}
				712
Al Viro	d2497e1	2018-12-16 01:37:06 -0500	[diff] [blame]	713	static int smack_sb_eat_lsm_opts(char options, void *mnt_opts)
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	714	{
Al Viro	d2497e1	2018-12-16 01:37:06 -0500	[diff] [blame]	715	char from = options, to = options;
				716	bool first = true;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	717
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	718	while (1) {
				719	char *next = strchr(from, ',');
				720	int token, len, rc;
				721	char *arg = NULL;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	722
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	723	if (next)
				724	len = next - from;
				725	else
				726	len = strlen(from);
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	727
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	728	token = match_opt_prefix(from, len, &arg);
Al Viro	d2497e1	2018-12-16 01:37:06 -0500	[diff] [blame]	729	if (token != Opt_error) {
				730	arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL);
				731	rc = smack_add_opt(token, arg, mnt_opts);
				732	if (unlikely(rc)) {
				733	kfree(arg);
				734	if (*mnt_opts)
				735	smack_free_mnt_opts(*mnt_opts);
				736	*mnt_opts = NULL;
				737	return rc;
				738	}
				739	} else {
				740	if (!first) { // copy with preceding comma
				741	from--;
				742	len++;
				743	}
				744	if (to != from)
				745	memmove(to, from, len);
				746	to += len;
				747	first = false;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	748	}
Al Viro	c3300aa	2018-12-16 01:52:24 -0500	[diff] [blame]	749	if (!from[len])
				750	break;
				751	from += len + 1;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	752	}
Al Viro	d2497e1	2018-12-16 01:37:06 -0500	[diff] [blame]	753	*to = '\0';
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	754	return 0;
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	755	}
				756
				757	/**
				758	* smack_set_mnt_opts - set Smack specific mount options
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	759	* @sb: the file system superblock
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	760	* @mnt_opts: Smack mount options
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	761	* @kern_flags: mount option from kernel space or user space
				762	* @set_kern_flags: where to store converted mount opts
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	763	*
				764	* Returns 0 on success, an error code on failure
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	765	*
				766	* Allow filesystems with binary mount data to explicitly set Smack mount
				767	* labels.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	768	*/
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	769	static int smack_set_mnt_opts(struct super_block *sb,
Al Viro	204cc0c	2018-12-13 13:41:47 -0500	[diff] [blame]	770	void *mnt_opts,
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	771	unsigned long kern_flags,
				772	unsigned long *set_kern_flags)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	773	{
				774	struct dentry *root = sb->s_root;
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	775	struct inode *inode = d_backing_inode(root);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	776	struct superblock_smack *sp = sb->s_security;
				777	struct inode_smack *isp;
Casey Schaufler	24ea1b6	2013-12-30 09:38:00 -0800	[diff] [blame]	778	struct smack_known *skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	779	struct smack_mnt_opts *opts = mnt_opts;
				780	bool transmute = false;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	781
Seth Forshee	9f50eda	2015-09-23 15:16:06 -0500	[diff] [blame]	782	if (sp->smk_flags & SMK_SB_INITIALIZED)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	783	return 0;
Casey Schaufler	eb982cb	2012-05-23 17:46:58 -0700	[diff] [blame]	784
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	785	if (inode->i_security == NULL) {
				786	int rc = lsm_inode_alloc(inode);
				787
				788	if (rc)
				789	return rc;
				790	}
				791
Himanshu Shukla	2097f59	2016-11-10 16:19:52 +0530	[diff] [blame]	792	if (!smack_privileged(CAP_MAC_ADMIN)) {
				793	/*
				794	* Unprivileged mounts don't get to specify Smack values.
				795	*/
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	796	if (opts)
Himanshu Shukla	2097f59	2016-11-10 16:19:52 +0530	[diff] [blame]	797	return -EPERM;
				798	/*
				799	* Unprivileged mounts get root and default from the caller.
				800	*/
				801	skp = smk_of_current();
				802	sp->smk_root = skp;
				803	sp->smk_default = skp;
				804	/*
				805	* For a handful of fs types with no user-controlled
				806	* backing store it's okay to trust security labels
				807	* in the filesystem. The rest are untrusted.
				808	*/
				809	if (sb->s_user_ns != &init_user_ns &&
				810	sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC &&
				811	sb->s_magic != RAMFS_MAGIC) {
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	812	transmute = true;
Himanshu Shukla	2097f59	2016-11-10 16:19:52 +0530	[diff] [blame]	813	sp->smk_flags \|= SMK_SB_UNTRUSTED;
				814	}
				815	}
				816
Seth Forshee	9f50eda	2015-09-23 15:16:06 -0500	[diff] [blame]	817	sp->smk_flags \|= SMK_SB_INITIALIZED;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	818
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	819	if (opts) {
				820	if (opts->fsdefault) {
				821	skp = smk_import_entry(opts->fsdefault, 0);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	822	if (IS_ERR(skp))
				823	return PTR_ERR(skp);
				824	sp->smk_default = skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	825	}
				826	if (opts->fsfloor) {
				827	skp = smk_import_entry(opts->fsfloor, 0);
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	828	if (IS_ERR(skp))
				829	return PTR_ERR(skp);
				830	sp->smk_floor = skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	831	}
				832	if (opts->fshat) {
				833	skp = smk_import_entry(opts->fshat, 0);
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	834	if (IS_ERR(skp))
				835	return PTR_ERR(skp);
				836	sp->smk_hat = skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	837	}
				838	if (opts->fsroot) {
				839	skp = smk_import_entry(opts->fsroot, 0);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	840	if (IS_ERR(skp))
				841	return PTR_ERR(skp);
				842	sp->smk_root = skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	843	}
				844	if (opts->fstransmute) {
				845	skp = smk_import_entry(opts->fstransmute, 0);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	846	if (IS_ERR(skp))
				847	return PTR_ERR(skp);
				848	sp->smk_root = skp;
Al Viro	12085b1	2018-12-13 15:18:05 -0500	[diff] [blame]	849	transmute = true;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	850	}
				851	}
				852
				853	/*
				854	* Initialize the root inode.
				855	*/
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	856	init_inode_smack(inode, sp->smk_root);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	857
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	858	if (transmute) {
				859	isp = smack_inode(inode);
Casey Schaufler	e830b39	2013-05-22 18:43:07 -0700	[diff] [blame]	860	isp->smk_flags \|= SMK_INODE_TRANSMUTE;
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	861	}
Casey Schaufler	e830b39	2013-05-22 18:43:07 -0700	[diff] [blame]	862
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	863	return 0;
				864	}
				865
				866	/**
				867	* smack_sb_statfs - Smack check on statfs
				868	* @dentry: identifies the file system in question
				869	*
				870	* Returns 0 if current can read the floor of the filesystem,
				871	* and error code otherwise
				872	*/
				873	static int smack_sb_statfs(struct dentry *dentry)
				874	{
				875	struct superblock_smack *sbp = dentry->d_sb->s_security;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	876	int rc;
				877	struct smk_audit_info ad;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	878
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	879	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	880	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
				881
				882	rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	883	rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	884	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	885	}
				886
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	887	/*
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	888	* BPRM hooks
				889	*/
				890
Casey Schaufler	ce8a432	2011-09-29 18:21:01 -0700	[diff] [blame]	891	/**
				892	* smack_bprm_set_creds - set creds for exec
				893	* @bprm: the exec information
				894	*
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	895	* Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
Casey Schaufler	ce8a432	2011-09-29 18:21:01 -0700	[diff] [blame]	896	*/
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	897	static int smack_bprm_set_creds(struct linux_binprm *bprm)
				898	{
Al Viro	496ad9a	2013-01-23 17:07:38 -0500	[diff] [blame]	899	struct inode *inode = file_inode(bprm->file);
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	900	struct task_smack *bsp = smack_cred(bprm->cred);
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	901	struct inode_smack *isp;
Seth Forshee	809c02e	2016-04-26 14:36:22 -0500	[diff] [blame]	902	struct superblock_smack *sbsp;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	903	int rc;
				904
Kees Cook	ddb4a14	2017-07-18 15:25:23 -0700	[diff] [blame]	905	if (bprm->called_set_creds)
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	906	return 0;
				907
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	908	isp = smack_inode(inode);
Jarkko Sakkinen	84088ba	2011-10-07 09:27:53 +0300	[diff] [blame]	909	if (isp->smk_task == NULL \|\| isp->smk_task == bsp->smk_task)
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	910	return 0;
				911
Seth Forshee	809c02e	2016-04-26 14:36:22 -0500	[diff] [blame]	912	sbsp = inode->i_sb->s_security;
				913	if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) &&
				914	isp->smk_task != sbsp->smk_root)
				915	return 0;
				916
Eric W. Biederman	9227dd2	2017-01-23 17:26:31 +1300	[diff] [blame]	917	if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	918	struct task_struct *tracer;
				919	rc = 0;
				920
				921	rcu_read_lock();
				922	tracer = ptrace_parent(current);
				923	if (likely(tracer != NULL))
				924	rc = smk_ptrace_rule_check(tracer,
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	925	isp->smk_task,
Lukasz Pawelczyk	5663884	2014-03-11 17:07:05 +0100	[diff] [blame]	926	PTRACE_MODE_ATTACH,
				927	__func__);
				928	rcu_read_unlock();
				929
				930	if (rc != 0)
				931	return rc;
Jann Horn	3675f05	2019-07-04 20:44:44 +0200	[diff] [blame]	932	}
				933	if (bprm->unsafe & ~LSM_UNSAFE_PTRACE)
Jarkko Sakkinen	84088ba	2011-10-07 09:27:53 +0300	[diff] [blame]	934	return -EPERM;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	935
Jarkko Sakkinen	84088ba	2011-10-07 09:27:53 +0300	[diff] [blame]	936	bsp->smk_task = isp->smk_task;
				937	bprm->per_clear \|= PER_CLEAR_ON_SETID;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	938
Kees Cook	ccbb6e1	2017-07-18 15:25:26 -0700	[diff] [blame]	939	/* Decide if this is a secure exec. */
				940	if (bsp->smk_task != bsp->smk_forked)
				941	bprm->secureexec = 1;
				942
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	943	return 0;
				944	}
				945
				946	/*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	947	* Inode hooks
				948	*/
				949
				950	/**
				951	* smack_inode_alloc_security - allocate an inode blob
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	952	* @inode: the inode in need of a blob
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	953	*
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	954	* Returns 0
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	955	*/
				956	static int smack_inode_alloc_security(struct inode *inode)
				957	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	958	struct smack_known *skp = smk_of_current();
				959
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	960	init_inode_smack(inode, skp);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	961	return 0;
				962	}
				963
				964	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	965	* smack_inode_init_security - copy out the smack from an inode
Lukasz Pawelczyk	e95ef49	2014-08-29 17:02:53 +0200	[diff] [blame]	966	* @inode: the newly created inode
				967	* @dir: containing directory object
Eric Paris	2a7dba3	2011-02-01 11:05:39 -0500	[diff] [blame]	968	* @qstr: unused
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	969	* @name: where to put the attribute name
				970	* @value: where to put the attribute value
				971	* @len: where to put the length of the attribute
				972	*
				973	* Returns 0 if it all works out, -ENOMEM if there's no memory
				974	*/
				975	static int smack_inode_init_security(struct inode inode, struct inode dir,
Tetsuo Handa	9548906	2013-07-25 05:44:02 +0900	[diff] [blame]	976	const struct qstr qstr, const char *name,
Eric Paris	2a7dba3	2011-02-01 11:05:39 -0500	[diff] [blame]	977	void *value, size_t len)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	978	{
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	979	struct inode_smack *issp = smack_inode(inode);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	980	struct smack_known *skp = smk_of_current();
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	981	struct smack_known *isp = smk_of_inode(inode);
				982	struct smack_known *dsp = smk_of_inode(dir);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	983	int may;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	984
Tetsuo Handa	9548906	2013-07-25 05:44:02 +0900	[diff] [blame]	985	if (name)
				986	*name = XATTR_SMACK_SUFFIX;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	987
Lukasz Pawelczyk	68390cc	2014-11-26 15:31:07 +0100	[diff] [blame]	988	if (value && len) {
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	989	rcu_read_lock();
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	990	may = smk_access_entry(skp->smk_known, dsp->smk_known,
				991	&skp->smk_rules);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	992	rcu_read_unlock();
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	993
				994	/*
				995	* If the access rule allows transmutation and
				996	* the directory requests transmutation then
				997	* by all means transmute.
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	998	* Mark the inode as changed.
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	999	*/
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1000	if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	1001	smk_inode_transmutable(dir)) {
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1002	isp = dsp;
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	1003	issp->smk_flags \|= SMK_INODE_CHANGED;
				1004	}
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1005
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1006	*value = kstrdup(isp->smk_known, GFP_NOFS);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1007	if (*value == NULL)
				1008	return -ENOMEM;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1009
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1010	*len = strlen(isp->smk_known);
Lukasz Pawelczyk	68390cc	2014-11-26 15:31:07 +0100	[diff] [blame]	1011	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1012
				1013	return 0;
				1014	}
				1015
				1016	/**
				1017	* smack_inode_link - Smack check on link
				1018	* @old_dentry: the existing object
				1019	* @dir: unused
				1020	* @new_dentry: the new object
				1021	*
				1022	* Returns 0 if access is permitted, an error code otherwise
				1023	*/
				1024	static int smack_inode_link(struct dentry old_dentry, struct inode dir,
				1025	struct dentry *new_dentry)
				1026	{
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1027	struct smack_known *isp;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1028	struct smk_audit_info ad;
				1029	int rc;
				1030
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1031	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1032	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1033
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1034	isp = smk_of_inode(d_backing_inode(old_dentry));
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1035	rc = smk_curacc(isp, MAY_WRITE, &ad);
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1036	rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_WRITE, rc);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1037
David Howells	8802565	2015-01-29 12:02:32 +0000	[diff] [blame]	1038	if (rc == 0 && d_is_positive(new_dentry)) {
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1039	isp = smk_of_inode(d_backing_inode(new_dentry));
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1040	smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
				1041	rc = smk_curacc(isp, MAY_WRITE, &ad);
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1042	rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_WRITE, rc);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1043	}
				1044
				1045	return rc;
				1046	}
				1047
				1048	/**
				1049	* smack_inode_unlink - Smack check on inode deletion
				1050	* @dir: containing directory object
				1051	* @dentry: file to unlink
				1052	*
				1053	* Returns 0 if current can write the containing directory
				1054	* and the object, error code otherwise
				1055	*/
				1056	static int smack_inode_unlink(struct inode dir, struct dentry dentry)
				1057	{
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1058	struct inode *ip = d_backing_inode(dentry);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1059	struct smk_audit_info ad;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1060	int rc;
				1061
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1062	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1063	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
				1064
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1065	/*
				1066	* You need write access to the thing you're unlinking
				1067	*/
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1068	rc = smk_curacc(smk_of_inode(ip), MAY_WRITE, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1069	rc = smk_bu_inode(ip, MAY_WRITE, rc);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1070	if (rc == 0) {
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1071	/*
				1072	* You also need write access to the containing directory
				1073	*/
Igor Zhbanov	cdb56b6	2013-03-19 13:49:47 +0400	[diff] [blame]	1074	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1075	smk_ad_setfield_u_fs_inode(&ad, dir);
				1076	rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1077	rc = smk_bu_inode(dir, MAY_WRITE, rc);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1078	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1079	return rc;
				1080	}
				1081
				1082	/**
				1083	* smack_inode_rmdir - Smack check on directory deletion
				1084	* @dir: containing directory object
				1085	* @dentry: directory to unlink
				1086	*
				1087	* Returns 0 if current can write the containing directory
				1088	* and the directory, error code otherwise
				1089	*/
				1090	static int smack_inode_rmdir(struct inode dir, struct dentry dentry)
				1091	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1092	struct smk_audit_info ad;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1093	int rc;
				1094
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1095	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1096	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
				1097
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1098	/*
				1099	* You need write access to the thing you're removing
				1100	*/
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1101	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
				1102	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1103	if (rc == 0) {
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1104	/*
				1105	* You also need write access to the containing directory
				1106	*/
Igor Zhbanov	cdb56b6	2013-03-19 13:49:47 +0400	[diff] [blame]	1107	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1108	smk_ad_setfield_u_fs_inode(&ad, dir);
				1109	rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1110	rc = smk_bu_inode(dir, MAY_WRITE, rc);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1111	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1112
				1113	return rc;
				1114	}
				1115
				1116	/**
				1117	* smack_inode_rename - Smack check on rename
Lukasz Pawelczyk	e95ef49	2014-08-29 17:02:53 +0200	[diff] [blame]	1118	* @old_inode: unused
				1119	* @old_dentry: the old object
				1120	* @new_inode: unused
				1121	* @new_dentry: the new object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1122	*
				1123	* Read and write access is required on both the old and
				1124	* new directories.
				1125	*
				1126	* Returns 0 if access is permitted, an error code otherwise
				1127	*/
				1128	static int smack_inode_rename(struct inode *old_inode,
				1129	struct dentry *old_dentry,
				1130	struct inode *new_inode,
				1131	struct dentry *new_dentry)
				1132	{
				1133	int rc;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1134	struct smack_known *isp;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1135	struct smk_audit_info ad;
				1136
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1137	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1138	smk_ad_setfield_u_fs_path_dentry(&ad, old_dentry);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1139
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1140	isp = smk_of_inode(d_backing_inode(old_dentry));
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1141	rc = smk_curacc(isp, MAY_READWRITE, &ad);
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1142	rc = smk_bu_inode(d_backing_inode(old_dentry), MAY_READWRITE, rc);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1143
David Howells	8802565	2015-01-29 12:02:32 +0000	[diff] [blame]	1144	if (rc == 0 && d_is_positive(new_dentry)) {
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1145	isp = smk_of_inode(d_backing_inode(new_dentry));
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1146	smk_ad_setfield_u_fs_path_dentry(&ad, new_dentry);
				1147	rc = smk_curacc(isp, MAY_READWRITE, &ad);
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1148	rc = smk_bu_inode(d_backing_inode(new_dentry), MAY_READWRITE, rc);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1149	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1150	return rc;
				1151	}
				1152
				1153	/**
				1154	* smack_inode_permission - Smack version of permission()
				1155	* @inode: the inode in question
				1156	* @mask: the access requested
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1157	*
				1158	* This is the important Smack hook.
				1159	*
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	1160	* Returns 0 if access is permitted, an error code otherwise
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1161	*/
Al Viro	e74f71e	2011-06-20 19:38:15 -0400	[diff] [blame]	1162	static int smack_inode_permission(struct inode *inode, int mask)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1163	{
Seth Forshee	9f50eda	2015-09-23 15:16:06 -0500	[diff] [blame]	1164	struct superblock_smack *sbsp = inode->i_sb->s_security;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1165	struct smk_audit_info ad;
Al Viro	e74f71e	2011-06-20 19:38:15 -0400	[diff] [blame]	1166	int no_block = mask & MAY_NOT_BLOCK;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1167	int rc;
Eric Paris	d09ca73	2010-07-23 11:43:57 -0400	[diff] [blame]	1168
				1169	mask &= (MAY_READ\|MAY_WRITE\|MAY_EXEC\|MAY_APPEND);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1170	/*
				1171	* No permission to check. Existence test. Yup, it's there.
				1172	*/
				1173	if (mask == 0)
				1174	return 0;
Andi Kleen	8c9e80e	2011-04-21 17:23:19 -0700	[diff] [blame]	1175
Seth Forshee	9f50eda	2015-09-23 15:16:06 -0500	[diff] [blame]	1176	if (sbsp->smk_flags & SMK_SB_UNTRUSTED) {
				1177	if (smk_of_inode(inode) != sbsp->smk_root)
				1178	return -EACCES;
				1179	}
				1180
Andi Kleen	8c9e80e	2011-04-21 17:23:19 -0700	[diff] [blame]	1181	/* May be droppable after audit */
Al Viro	e74f71e	2011-06-20 19:38:15 -0400	[diff] [blame]	1182	if (no_block)
Andi Kleen	8c9e80e	2011-04-21 17:23:19 -0700	[diff] [blame]	1183	return -ECHILD;
Eric Paris	f48b739	2011-04-25 12:54:27 -0400	[diff] [blame]	1184	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_INODE);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1185	smk_ad_setfield_u_fs_inode(&ad, inode);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1186	rc = smk_curacc(smk_of_inode(inode), mask, &ad);
				1187	rc = smk_bu_inode(inode, mask, rc);
				1188	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1189	}
				1190
				1191	/**
				1192	* smack_inode_setattr - Smack check for setting attributes
				1193	* @dentry: the object
				1194	* @iattr: for the force flag
				1195	*
				1196	* Returns 0 if access is permitted, an error code otherwise
				1197	*/
				1198	static int smack_inode_setattr(struct dentry dentry, struct iattr iattr)
				1199	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1200	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1201	int rc;
				1202
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1203	/*
				1204	* Need to allow for clearing the setuid bit.
				1205	*/
				1206	if (iattr->ia_valid & ATTR_FORCE)
				1207	return 0;
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1208	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1209	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1210
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1211	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
				1212	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1213	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1214	}
				1215
				1216	/**
				1217	* smack_inode_getattr - Smack check for getting attributes
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	1218	* @path: path to extract the info from
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1219	*
				1220	* Returns 0 if access is permitted, an error code otherwise
				1221	*/
Al Viro	3f7036a	2015-03-08 19:28:30 -0400	[diff] [blame]	1222	static int smack_inode_getattr(const struct path *path)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1223	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1224	struct smk_audit_info ad;
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1225	struct inode *inode = d_backing_inode(path->dentry);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1226	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1227
Eric Paris	f48b739	2011-04-25 12:54:27 -0400	[diff] [blame]	1228	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
Al Viro	3f7036a	2015-03-08 19:28:30 -0400	[diff] [blame]	1229	smk_ad_setfield_u_fs_path(&ad, *path);
				1230	rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
				1231	rc = smk_bu_inode(inode, MAY_READ, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1232	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1233	}
				1234
				1235	/**
				1236	* smack_inode_setxattr - Smack check for setting xattrs
				1237	* @dentry: the object
				1238	* @name: name of the attribute
Lukasz Pawelczyk	e95ef49	2014-08-29 17:02:53 +0200	[diff] [blame]	1239	* @value: value of the attribute
				1240	* @size: size of the value
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1241	* @flags: unused
				1242	*
				1243	* This protects the Smack attribute explicitly.
				1244	*
				1245	* Returns 0 if access is permitted, an error code otherwise
				1246	*/
David Howells	8f0cfa5	2008-04-29 00:59:41 -0700	[diff] [blame]	1247	static int smack_inode_setxattr(struct dentry dentry, const char name,
				1248	const void *value, size_t size, int flags)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1249	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1250	struct smk_audit_info ad;
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1251	struct smack_known *skp;
				1252	int check_priv = 0;
				1253	int check_import = 0;
				1254	int check_star = 0;
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1255	int rc = 0;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1256
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1257	/*
				1258	* Check label validity here so import won't fail in post_setxattr
				1259	*/
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1260	if (strcmp(name, XATTR_NAME_SMACK) == 0 \|\|
				1261	strcmp(name, XATTR_NAME_SMACKIPIN) == 0 \|\|
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1262	strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
				1263	check_priv = 1;
				1264	check_import = 1;
				1265	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0 \|\|
				1266	strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
				1267	check_priv = 1;
				1268	check_import = 1;
				1269	check_star = 1;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1270	} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1271	check_priv = 1;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1272	if (size != TRANS_TRUE_SIZE \|\|
				1273	strncmp(value, TRANS_TRUE, TRANS_TRUE_SIZE) != 0)
				1274	rc = -EINVAL;
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1275	} else
				1276	rc = cap_inode_setxattr(dentry, name, value, size, flags);
				1277
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1278	if (check_priv && !smack_privileged(CAP_MAC_ADMIN))
				1279	rc = -EPERM;
				1280
				1281	if (rc == 0 && check_import) {
Konstantin Khlebnikov	b862e56	2014-08-07 20:52:43 +0400	[diff] [blame]	1282	skp = size ? smk_import_entry(value, size) : NULL;
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	1283	if (IS_ERR(skp))
				1284	rc = PTR_ERR(skp);
				1285	else if (skp == NULL \|\| (check_star &&
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	1286	(skp == &smack_known_star \|\| skp == &smack_known_web)))
				1287	rc = -EINVAL;
				1288	}
				1289
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1290	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1291	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
				1292
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1293	if (rc == 0) {
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1294	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
				1295	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1296	}
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1297
				1298	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1299	}
				1300
				1301	/**
				1302	* smack_inode_post_setxattr - Apply the Smack update approved above
				1303	* @dentry: object
				1304	* @name: attribute name
				1305	* @value: attribute value
				1306	* @size: attribute size
				1307	* @flags: unused
				1308	*
				1309	* Set the pointer in the inode blob to the entry found
				1310	* in the master label list.
				1311	*/
David Howells	8f0cfa5	2008-04-29 00:59:41 -0700	[diff] [blame]	1312	static void smack_inode_post_setxattr(struct dentry dentry, const char name,
				1313	const void *value, size_t size, int flags)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1314	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1315	struct smack_known *skp;
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	1316	struct inode_smack *isp = smack_inode(d_backing_inode(dentry));
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1317
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1318	if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {
				1319	isp->smk_flags \|= SMK_INODE_TRANSMUTE;
				1320	return;
				1321	}
				1322
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1323	if (strcmp(name, XATTR_NAME_SMACK) == 0) {
José Bollo	9598f4c	2014-04-03 13:48:41 +0200	[diff] [blame]	1324	skp = smk_import_entry(value, size);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	1325	if (!IS_ERR(skp))
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1326	isp->smk_inode = skp;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1327	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {
José Bollo	9598f4c	2014-04-03 13:48:41 +0200	[diff] [blame]	1328	skp = smk_import_entry(value, size);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	1329	if (!IS_ERR(skp))
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1330	isp->smk_task = skp;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1331	} else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
José Bollo	9598f4c	2014-04-03 13:48:41 +0200	[diff] [blame]	1332	skp = smk_import_entry(value, size);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	1333	if (!IS_ERR(skp))
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1334	isp->smk_mmap = skp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1335	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1336
				1337	return;
				1338	}
				1339
Casey Schaufler	ce8a432	2011-09-29 18:21:01 -0700	[diff] [blame]	1340	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1341	* smack_inode_getxattr - Smack check on getxattr
				1342	* @dentry: the object
				1343	* @name: unused
				1344	*
				1345	* Returns 0 if access is permitted, an error code otherwise
				1346	*/
David Howells	8f0cfa5	2008-04-29 00:59:41 -0700	[diff] [blame]	1347	static int smack_inode_getxattr(struct dentry dentry, const char name)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1348	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1349	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1350	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1351
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1352	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1353	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
				1354
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1355	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_READ, &ad);
				1356	rc = smk_bu_inode(d_backing_inode(dentry), MAY_READ, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1357	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1358	}
				1359
Casey Schaufler	ce8a432	2011-09-29 18:21:01 -0700	[diff] [blame]	1360	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1361	* smack_inode_removexattr - Smack check on removexattr
				1362	* @dentry: the object
				1363	* @name: name of the attribute
				1364	*
				1365	* Removing the Smack attribute requires CAP_MAC_ADMIN
				1366	*
				1367	* Returns 0 if access is permitted, an error code otherwise
				1368	*/
David Howells	8f0cfa5	2008-04-29 00:59:41 -0700	[diff] [blame]	1369	static int smack_inode_removexattr(struct dentry dentry, const char name)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1370	{
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1371	struct inode_smack *isp;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1372	struct smk_audit_info ad;
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1373	int rc = 0;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1374
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1375	if (strcmp(name, XATTR_NAME_SMACK) == 0 \|\|
				1376	strcmp(name, XATTR_NAME_SMACKIPIN) == 0 \|\|
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1377	strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 \|\|
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	1378	strcmp(name, XATTR_NAME_SMACKEXEC) == 0 \|\|
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1379	strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 \|\|
Pankaj Kumar	5e9ab59	2013-12-13 15:12:22 +0530	[diff] [blame]	1380	strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {
Casey Schaufler	1880eff	2012-06-05 15:28:30 -0700	[diff] [blame]	1381	if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1382	rc = -EPERM;
				1383	} else
				1384	rc = cap_inode_removexattr(dentry, name);
				1385
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1386	if (rc != 0)
				1387	return rc;
				1388
Eric Paris	a269434	2011-04-25 13:10:27 -0400	[diff] [blame]	1389	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_DENTRY);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1390	smk_ad_setfield_u_fs_path_dentry(&ad, dentry);
Casey Schaufler	bcdca22	2008-02-23 15:24:04 -0800	[diff] [blame]	1391
David Howells	c6f493d	2015-03-17 22:26:22 +0000	[diff] [blame]	1392	rc = smk_curacc(smk_of_inode(d_backing_inode(dentry)), MAY_WRITE, &ad);
				1393	rc = smk_bu_inode(d_backing_inode(dentry), MAY_WRITE, rc);
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1394	if (rc != 0)
				1395	return rc;
				1396
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	1397	isp = smack_inode(d_backing_inode(dentry));
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1398	/*
				1399	* Don't do anything special for these.
				1400	* XATTR_NAME_SMACKIPIN
				1401	* XATTR_NAME_SMACKIPOUT
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1402	*/
José Bollo	8012495	2016-01-12 21:23:40 +0100	[diff] [blame]	1403	if (strcmp(name, XATTR_NAME_SMACK) == 0) {
Al Viro	fc64005	2016-04-10 01:33:30 -0400	[diff] [blame]	1404	struct super_block *sbp = dentry->d_sb;
José Bollo	8012495	2016-01-12 21:23:40 +0100	[diff] [blame]	1405	struct superblock_smack *sbsp = sbp->s_security;
				1406
				1407	isp->smk_inode = sbsp->smk_default;
				1408	} else if (strcmp(name, XATTR_NAME_SMACKEXEC) == 0)
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1409	isp->smk_task = NULL;
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1410	else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0)
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1411	isp->smk_mmap = NULL;
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1412	else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)
				1413	isp->smk_flags &= ~SMK_INODE_TRANSMUTE;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1414
Casey Schaufler	f59bdfb	2014-04-10 16:35:36 -0700	[diff] [blame]	1415	return 0;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1416	}
				1417
				1418	/**
				1419	* smack_inode_getsecurity - get smack xattrs
				1420	* @inode: the object
				1421	* @name: attribute name
				1422	* @buffer: where to put the result
Casey Schaufler	57e7ba0	2017-09-19 09:39:08 -0700	[diff] [blame]	1423	* @alloc: duplicate memory
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1424	*
				1425	* Returns the size of the attribute or an error code
				1426	*/
Andreas Gruenbacher	ea861df	2015-12-24 11:09:39 -0500	[diff] [blame]	1427	static int smack_inode_getsecurity(struct inode *inode,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1428	const char name, void *buffer,
				1429	bool alloc)
				1430	{
				1431	struct socket_smack *ssp;
				1432	struct socket *sock;
				1433	struct super_block *sbp;
				1434	struct inode ip = (struct inode )inode;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1435	struct smack_known *isp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1436
Casey Schaufler	57e7ba0	2017-09-19 09:39:08 -0700	[diff] [blame]	1437	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1438	isp = smk_of_inode(inode);
Casey Schaufler	57e7ba0	2017-09-19 09:39:08 -0700	[diff] [blame]	1439	else {
				1440	/*
				1441	* The rest of the Smack xattrs are only on sockets.
				1442	*/
				1443	sbp = ip->i_sb;
				1444	if (sbp->s_magic != SOCKFS_MAGIC)
				1445	return -EOPNOTSUPP;
				1446
				1447	sock = SOCKET_I(ip);
				1448	if (sock == NULL \|\| sock->sk == NULL)
				1449	return -EOPNOTSUPP;
				1450
				1451	ssp = sock->sk->sk_security;
				1452
				1453	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
				1454	isp = ssp->smk_in;
				1455	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0)
				1456	isp = ssp->smk_out;
				1457	else
				1458	return -EOPNOTSUPP;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1459	}
				1460
Casey Schaufler	57e7ba0	2017-09-19 09:39:08 -0700	[diff] [blame]	1461	if (alloc) {
				1462	*buffer = kstrdup(isp->smk_known, GFP_KERNEL);
				1463	if (*buffer == NULL)
				1464	return -ENOMEM;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1465	}
				1466
Casey Schaufler	57e7ba0	2017-09-19 09:39:08 -0700	[diff] [blame]	1467	return strlen(isp->smk_known);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1468	}
				1469
				1470
				1471	/**
				1472	* smack_inode_listsecurity - list the Smack attributes
				1473	* @inode: the object
				1474	* @buffer: where they go
				1475	* @buffer_size: size of buffer
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1476	*/
				1477	static int smack_inode_listsecurity(struct inode inode, char buffer,
				1478	size_t buffer_size)
				1479	{
Konstantin Khlebnikov	fd5c9d2	2014-08-07 20:52:33 +0400	[diff] [blame]	1480	int len = sizeof(XATTR_NAME_SMACK);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1481
Konstantin Khlebnikov	fd5c9d2	2014-08-07 20:52:33 +0400	[diff] [blame]	1482	if (buffer != NULL && len <= buffer_size)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1483	memcpy(buffer, XATTR_NAME_SMACK, len);
Konstantin Khlebnikov	fd5c9d2	2014-08-07 20:52:33 +0400	[diff] [blame]	1484
				1485	return len;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1486	}
				1487
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	1488	/**
				1489	* smack_inode_getsecid - Extract inode's security id
				1490	* @inode: inode to extract the info from
				1491	* @secid: where result will be saved
				1492	*/
Andreas Gruenbacher	d6335d7	2015-12-24 11:09:39 -0500	[diff] [blame]	1493	static void smack_inode_getsecid(struct inode inode, u32 secid)
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	1494	{
Casey Schaufler	0f8983c	2018-06-01 10:45:12 -0700	[diff] [blame]	1495	struct smack_known *skp = smk_of_inode(inode);
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	1496
Casey Schaufler	0f8983c	2018-06-01 10:45:12 -0700	[diff] [blame]	1497	*secid = skp->smk_secid;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	1498	}
				1499
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1500	/*
				1501	* File Hooks
				1502	*/
				1503
Casey Schaufler	491a0b0	2016-01-26 15:08:35 -0800	[diff] [blame]	1504	/*
				1505	* There is no smack_file_permission hook
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1506	*
				1507	* Should access checks be done on each read or write?
				1508	* UNICOS and SELinux say yes.
				1509	* Trusted Solaris, Trusted Irix, and just about everyone else says no.
				1510	*
				1511	* I'll say no for now. Smack does not do the frequent
				1512	* label changing that SELinux does.
				1513	*/
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1514
				1515	/**
				1516	* smack_file_alloc_security - assign a file security blob
				1517	* @file: the object
				1518	*
				1519	* The security blob for a file is a pointer to the master
				1520	* label list, so no allocation is done.
				1521	*
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1522	* f_security is the owner security information. It
				1523	* isn't used on file access checks, it's for send_sigio.
				1524	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1525	* Returns 0
				1526	*/
				1527	static int smack_file_alloc_security(struct file *file)
				1528	{
Casey Schaufler	f28952a	2018-11-12 09:38:53 -0800	[diff] [blame]	1529	struct smack_known **blob = smack_file(file);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1530
Casey Schaufler	f28952a	2018-11-12 09:38:53 -0800	[diff] [blame]	1531	*blob = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1532	return 0;
				1533	}
				1534
				1535	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1536	* smack_file_ioctl - Smack check on ioctls
				1537	* @file: the object
				1538	* @cmd: what to do
				1539	* @arg: unused
				1540	*
				1541	* Relies heavily on the correct use of the ioctl command conventions.
				1542	*
				1543	* Returns 0 if allowed, error code otherwise
				1544	*/
				1545	static int smack_file_ioctl(struct file *file, unsigned int cmd,
				1546	unsigned long arg)
				1547	{
				1548	int rc = 0;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1549	struct smk_audit_info ad;
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1550	struct inode *inode = file_inode(file);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1551
Seung-Woo Kim	83a1e53	2016-12-12 17:35:26 +0900	[diff] [blame]	1552	if (unlikely(IS_PRIVATE(inode)))
				1553	return 0;
				1554
Eric Paris	f48b739	2011-04-25 12:54:27 -0400	[diff] [blame]	1555	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1556	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1557
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1558	if (_IOC_DIR(cmd) & _IOC_WRITE) {
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1559	rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1560	rc = smk_bu_file(file, MAY_WRITE, rc);
				1561	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1562
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1563	if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) {
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1564	rc = smk_curacc(smk_of_inode(inode), MAY_READ, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1565	rc = smk_bu_file(file, MAY_READ, rc);
				1566	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1567
				1568	return rc;
				1569	}
				1570
				1571	/**
				1572	* smack_file_lock - Smack check on file locking
				1573	* @file: the object
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	1574	* @cmd: unused
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1575	*
Casey Schaufler	c0ab6e5	2013-10-11 18:06:39 -0700	[diff] [blame]	1576	* Returns 0 if current has lock access, error code otherwise
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1577	*/
				1578	static int smack_file_lock(struct file *file, unsigned int cmd)
				1579	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1580	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1581	int rc;
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1582	struct inode *inode = file_inode(file);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1583
Seung-Woo Kim	83a1e53	2016-12-12 17:35:26 +0900	[diff] [blame]	1584	if (unlikely(IS_PRIVATE(inode)))
				1585	return 0;
				1586
Eric Paris	92f4250	2011-04-25 13:15:55 -0400	[diff] [blame]	1587	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
				1588	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1589	rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1590	rc = smk_bu_file(file, MAY_LOCK, rc);
				1591	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1592	}
				1593
				1594	/**
				1595	* smack_file_fcntl - Smack check on fcntl
				1596	* @file: the object
				1597	* @cmd: what action to check
				1598	* @arg: unused
				1599	*
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1600	* Generally these operations are harmless.
				1601	* File locking operations present an obvious mechanism
				1602	* for passing information, so they require write access.
				1603	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1604	* Returns 0 if current has access, error code otherwise
				1605	*/
				1606	static int smack_file_fcntl(struct file *file, unsigned int cmd,
				1607	unsigned long arg)
				1608	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1609	struct smk_audit_info ad;
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1610	int rc = 0;
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1611	struct inode *inode = file_inode(file);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1612
Seung-Woo Kim	83a1e53	2016-12-12 17:35:26 +0900	[diff] [blame]	1613	if (unlikely(IS_PRIVATE(inode)))
				1614	return 0;
				1615
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1616	switch (cmd) {
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1617	case F_GETLK:
Casey Schaufler	c0ab6e5	2013-10-11 18:06:39 -0700	[diff] [blame]	1618	break;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1619	case F_SETLK:
				1620	case F_SETLKW:
Casey Schaufler	c0ab6e5	2013-10-11 18:06:39 -0700	[diff] [blame]	1621	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
				1622	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1623	rc = smk_curacc(smk_of_inode(inode), MAY_LOCK, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1624	rc = smk_bu_file(file, MAY_LOCK, rc);
Casey Schaufler	c0ab6e5	2013-10-11 18:06:39 -0700	[diff] [blame]	1625	break;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1626	case F_SETOWN:
				1627	case F_SETSIG:
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1628	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
				1629	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1630	rc = smk_curacc(smk_of_inode(inode), MAY_WRITE, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1631	rc = smk_bu_file(file, MAY_WRITE, rc);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1632	break;
				1633	default:
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1634	break;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1635	}
				1636
				1637	return rc;
				1638	}
				1639
				1640	/**
Al Viro	e546785	2012-05-30 13:30:51 -0400	[diff] [blame]	1641	* smack_mmap_file :
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1642	* Check permissions for a mmap operation. The @file may be NULL, e.g.
				1643	* if mapping anonymous memory.
				1644	* @file contains the file structure for file to map (may be NULL).
				1645	* @reqprot contains the protection requested by the application.
				1646	* @prot contains the protection that will be applied by the kernel.
				1647	* @flags contains the operational flags.
				1648	* Return 0 if permission is granted.
				1649	*/
Al Viro	e546785	2012-05-30 13:30:51 -0400	[diff] [blame]	1650	static int smack_mmap_file(struct file *file,
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1651	unsigned long reqprot, unsigned long prot,
Al Viro	e546785	2012-05-30 13:30:51 -0400	[diff] [blame]	1652	unsigned long flags)
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1653	{
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	1654	struct smack_known *skp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1655	struct smack_known *mkp;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1656	struct smack_rule *srp;
				1657	struct task_smack *tsp;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1658	struct smack_known *okp;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1659	struct inode_smack *isp;
Seth Forshee	809c02e	2016-04-26 14:36:22 -0500	[diff] [blame]	1660	struct superblock_smack *sbsp;
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1661	int may;
				1662	int mmay;
				1663	int tmay;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1664	int rc;
				1665
Al Viro	496ad9a	2013-01-23 17:07:38 -0500	[diff] [blame]	1666	if (file == NULL)
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1667	return 0;
				1668
Seung-Woo Kim	83a1e53	2016-12-12 17:35:26 +0900	[diff] [blame]	1669	if (unlikely(IS_PRIVATE(file_inode(file))))
				1670	return 0;
				1671
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	1672	isp = smack_inode(file_inode(file));
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1673	if (isp->smk_mmap == NULL)
				1674	return 0;
Seth Forshee	809c02e	2016-04-26 14:36:22 -0500	[diff] [blame]	1675	sbsp = file_inode(file)->i_sb->s_security;
				1676	if (sbsp->smk_flags & SMK_SB_UNTRUSTED &&
				1677	isp->smk_mmap != sbsp->smk_root)
				1678	return -EACCES;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1679	mkp = isp->smk_mmap;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1680
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1681	tsp = smack_cred(current_cred());
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1682	skp = smk_of_current();
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1683	rc = 0;
				1684
				1685	rcu_read_lock();
				1686	/*
				1687	* For each Smack rule associated with the subject
				1688	* label verify that the SMACK64MMAP also has access
				1689	* to that rule's object label.
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1690	*/
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	1691	list_for_each_entry_rcu(srp, &skp->smk_rules, list) {
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1692	okp = srp->smk_object;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1693	/*
				1694	* Matching labels always allows access.
				1695	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1696	if (mkp->smk_known == okp->smk_known)
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1697	continue;
				1698	/*
				1699	* If there is a matching local rule take
				1700	* that into account as well.
				1701	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1702	may = smk_access_entry(srp->smk_subject->smk_known,
				1703	okp->smk_known,
				1704	&tsp->smk_rules);
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1705	if (may == -ENOENT)
				1706	may = srp->smk_access;
				1707	else
				1708	may &= srp->smk_access;
				1709	/*
				1710	* If may is zero the SMACK64MMAP subject can't
				1711	* possibly have less access.
				1712	*/
				1713	if (may == 0)
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1714	continue;
				1715
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1716	/*
				1717	* Fetch the global list entry.
				1718	* If there isn't one a SMACK64MMAP subject
				1719	* can't have as much access as current.
				1720	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1721	mmay = smk_access_entry(mkp->smk_known, okp->smk_known,
				1722	&mkp->smk_rules);
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1723	if (mmay == -ENOENT) {
				1724	rc = -EACCES;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1725	break;
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1726	}
				1727	/*
				1728	* If there is a local entry it modifies the
				1729	* potential access, too.
				1730	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	1731	tmay = smk_access_entry(mkp->smk_known, okp->smk_known,
				1732	&tsp->smk_rules);
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1733	if (tmay != -ENOENT)
				1734	mmay &= tmay;
				1735
				1736	/*
				1737	* If there is any access available to current that is
				1738	* not available to a SMACK64MMAP subject
				1739	* deny access.
				1740	*/
Casey Schaufler	75a2563	2011-02-09 19:58:42 -0800	[diff] [blame]	1741	if ((may \| mmay) != mmay) {
Casey Schaufler	0e0a070	2011-02-08 16:36:24 -0800	[diff] [blame]	1742	rc = -EACCES;
				1743	break;
				1744	}
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1745	}
				1746
				1747	rcu_read_unlock();
				1748
				1749	return rc;
				1750	}
				1751
				1752	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1753	* smack_file_set_fowner - set the file security blob value
				1754	* @file: object in question
				1755	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1756	*/
Jeff Layton	e0b93ed	2014-08-22 11:27:32 -0400	[diff] [blame]	1757	static void smack_file_set_fowner(struct file *file)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1758	{
Casey Schaufler	f28952a	2018-11-12 09:38:53 -0800	[diff] [blame]	1759	struct smack_known **blob = smack_file(file);
				1760
				1761	*blob = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1762	}
				1763
				1764	/**
				1765	* smack_file_send_sigiotask - Smack on sigio
				1766	* @tsk: The target task
				1767	* @fown: the object the signal come from
				1768	* @signum: unused
				1769	*
				1770	* Allow a privileged task to get signals even if it shouldn't
				1771	*
				1772	* Returns 0 if a subject with the object's smack could
				1773	* write to the task, an error code otherwise.
				1774	*/
				1775	static int smack_file_send_sigiotask(struct task_struct *tsk,
				1776	struct fown_struct *fown, int signum)
				1777	{
Casey Schaufler	f28952a	2018-11-12 09:38:53 -0800	[diff] [blame]	1778	struct smack_known **blob;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	1779	struct smack_known *skp;
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1780	struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred));
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	1781	const struct cred *tcred;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1782	struct file *file;
				1783	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1784	struct smk_audit_info ad;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1785
				1786	/*
				1787	* struct fown_struct is never outside the context of a struct file
				1788	*/
				1789	file = container_of(fown, struct file, f_owner);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1790
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1791	/* we don't log here as rc can be overriden */
Casey Schaufler	f28952a	2018-11-12 09:38:53 -0800	[diff] [blame]	1792	blob = smack_file(file);
				1793	skp = *blob;
Casey Schaufler	c60b906	2016-08-30 10:31:39 -0700	[diff] [blame]	1794	rc = smk_access(skp, tkp, MAY_DELIVER, NULL);
				1795	rc = smk_bu_note("sigiotask", skp, tkp, MAY_DELIVER, rc);
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	1796
				1797	rcu_read_lock();
				1798	tcred = __task_cred(tsk);
				1799	if (rc != 0 && smack_privileged_cred(CAP_MAC_OVERRIDE, tcred))
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1800	rc = 0;
Casey Schaufler	dcb569c	2018-09-18 16:09:16 -0700	[diff] [blame]	1801	rcu_read_unlock();
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1802
				1803	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
				1804	smk_ad_setfield_u_tsk(&ad, tsk);
Casey Schaufler	c60b906	2016-08-30 10:31:39 -0700	[diff] [blame]	1805	smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1806	return rc;
				1807	}
				1808
				1809	/**
				1810	* smack_file_receive - Smack file receive check
				1811	* @file: the object
				1812	*
				1813	* Returns 0 if current has access, error code otherwise
				1814	*/
				1815	static int smack_file_receive(struct file *file)
				1816	{
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1817	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1818	int may = 0;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1819	struct smk_audit_info ad;
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1820	struct inode *inode = file_inode(file);
Casey Schaufler	79be093	2015-12-07 14:34:32 -0800	[diff] [blame]	1821	struct socket *sock;
				1822	struct task_smack *tsp;
				1823	struct socket_smack *ssp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1824
Seung-Woo Kim	9777582	2015-04-17 15:25:04 +0900	[diff] [blame]	1825	if (unlikely(IS_PRIVATE(inode)))
				1826	return 0;
				1827
Casey Schaufler	4482a44	2013-12-30 17:37:45 -0800	[diff] [blame]	1828	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	1829	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Casey Schaufler	79be093	2015-12-07 14:34:32 -0800	[diff] [blame]	1830
Casey Schaufler	51d59af	2017-05-31 08:53:42 -0700	[diff] [blame]	1831	if (inode->i_sb->s_magic == SOCKFS_MAGIC) {
Casey Schaufler	79be093	2015-12-07 14:34:32 -0800	[diff] [blame]	1832	sock = SOCKET_I(inode);
				1833	ssp = sock->sk->sk_security;
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1834	tsp = smack_cred(current_cred());
Casey Schaufler	79be093	2015-12-07 14:34:32 -0800	[diff] [blame]	1835	/*
				1836	* If the receiving process can't write to the
				1837	* passed socket or if the passed socket can't
				1838	* write to the receiving process don't accept
				1839	* the passed socket.
				1840	*/
				1841	rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad);
				1842	rc = smk_bu_file(file, may, rc);
				1843	if (rc < 0)
				1844	return rc;
				1845	rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad);
				1846	rc = smk_bu_file(file, may, rc);
				1847	return rc;
				1848	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1849	/*
				1850	* This code relies on bitmasks.
				1851	*/
				1852	if (file->f_mode & FMODE_READ)
				1853	may = MAY_READ;
				1854	if (file->f_mode & FMODE_WRITE)
				1855	may \|= MAY_WRITE;
				1856
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1857	rc = smk_curacc(smk_of_inode(inode), may, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	1858	rc = smk_bu_file(file, may, rc);
				1859	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1860	}
				1861
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1862	/**
Eric Paris	83d4985	2012-04-04 13:45:40 -0400	[diff] [blame]	1863	* smack_file_open - Smack dentry open processing
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1864	* @file: the object
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1865	*
				1866	* Set the security blob in the file structure.
Casey Schaufler	a6834c0	2014-04-21 11:10:26 -0700	[diff] [blame]	1867	* Allow the open only if the task has read access. There are
				1868	* many read operations (e.g. fstat) that you can do with an
				1869	* fd even if you have the file open write-only.
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1870	*
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	1871	* Returns 0 if current has access, error code otherwise
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1872	*/
Al Viro	9481769	2018-07-10 14:13:18 -0400	[diff] [blame]	1873	static int smack_file_open(struct file *file)
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1874	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1875	struct task_smack *tsp = smack_cred(file->f_cred);
Casey Schaufler	5e7270a	2014-12-12 17:19:19 -0800	[diff] [blame]	1876	struct inode *inode = file_inode(file);
Casey Schaufler	a6834c0	2014-04-21 11:10:26 -0700	[diff] [blame]	1877	struct smk_audit_info ad;
				1878	int rc;
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1879
Casey Schaufler	a6834c0	2014-04-21 11:10:26 -0700	[diff] [blame]	1880	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_PATH);
				1881	smk_ad_setfield_u_fs_path(&ad, file->f_path);
Himanshu Shukla	c9d238a	2016-11-23 11:59:45 +0530	[diff] [blame]	1882	rc = smk_tskacc(tsp, smk_of_inode(inode), MAY_READ, &ad);
Al Viro	9481769	2018-07-10 14:13:18 -0400	[diff] [blame]	1883	rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc);
Casey Schaufler	a6834c0	2014-04-21 11:10:26 -0700	[diff] [blame]	1884
				1885	return rc;
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	1886	}
				1887
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1888	/*
				1889	* Task hooks
				1890	*/
				1891
				1892	/**
David Howells	ee18d64	2009-09-02 09:14:21 +0100	[diff] [blame]	1893	* smack_cred_alloc_blank - "allocate" blank task-level security credentials
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	1894	* @cred: the new credentials
David Howells	ee18d64	2009-09-02 09:14:21 +0100	[diff] [blame]	1895	* @gfp: the atomicity of any memory allocations
				1896	*
				1897	* Prepare a blank set of credentials for modification. This must allocate all
				1898	* the memory the LSM module might require such that cred_transfer() can
				1899	* complete without error.
				1900	*/
				1901	static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)
				1902	{
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	1903	init_task_smack(smack_cred(cred), NULL, NULL);
David Howells	ee18d64	2009-09-02 09:14:21 +0100	[diff] [blame]	1904	return 0;
				1905	}
				1906
				1907
				1908	/**
David Howells	f1752ee	2008-11-14 10:39:17 +1100	[diff] [blame]	1909	* smack_cred_free - "free" task-level security credentials
				1910	* @cred: the credentials in question
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1911	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1912	*/
David Howells	f1752ee	2008-11-14 10:39:17 +1100	[diff] [blame]	1913	static void smack_cred_free(struct cred *cred)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1914	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1915	struct task_smack *tsp = smack_cred(cred);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1916	struct smack_rule *rp;
				1917	struct list_head *l;
				1918	struct list_head *n;
				1919
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	1920	smk_destroy_label_list(&tsp->smk_relabel);
				1921
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1922	list_for_each_safe(l, n, &tsp->smk_rules) {
				1923	rp = list_entry(l, struct smack_rule, list);
				1924	list_del(&rp->list);
Casey Schaufler	4e328b0	2019-04-02 11:37:12 -0700	[diff] [blame]	1925	kmem_cache_free(smack_rule_cache, rp);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1926	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	1927	}
				1928
				1929	/**
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	1930	* smack_cred_prepare - prepare new set of credentials for modification
				1931	* @new: the new credentials
				1932	* @old: the original credentials
				1933	* @gfp: the atomicity of any memory allocations
				1934	*
				1935	* Prepare a new set of credentials for modification.
				1936	*/
				1937	static int smack_cred_prepare(struct cred new, const struct cred old,
				1938	gfp_t gfp)
				1939	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1940	struct task_smack *old_tsp = smack_cred(old);
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	1941	struct task_smack *new_tsp = smack_cred(new);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1942	int rc;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1943
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	1944	init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task);
Himanshu Shukla	b437aba	2016-11-10 16:17:02 +0530	[diff] [blame]	1945
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1946	rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);
				1947	if (rc != 0)
				1948	return rc;
				1949
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	1950	rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel,
				1951	gfp);
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	1952	return rc;
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	1953	}
				1954
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	1955	/**
David Howells	ee18d64	2009-09-02 09:14:21 +0100	[diff] [blame]	1956	* smack_cred_transfer - Transfer the old credentials to the new credentials
				1957	* @new: the new credentials
				1958	* @old: the original credentials
				1959	*
				1960	* Fill in a set of blank credentials from another set of credentials.
				1961	*/
				1962	static void smack_cred_transfer(struct cred new, const struct cred old)
				1963	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1964	struct task_smack *old_tsp = smack_cred(old);
				1965	struct task_smack *new_tsp = smack_cred(new);
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	1966
				1967	new_tsp->smk_task = old_tsp->smk_task;
				1968	new_tsp->smk_forked = old_tsp->smk_task;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1969	mutex_init(&new_tsp->smk_rules_lock);
				1970	INIT_LIST_HEAD(&new_tsp->smk_rules);
				1971
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	1972	/* cbs copy rule list */
David Howells	ee18d64	2009-09-02 09:14:21 +0100	[diff] [blame]	1973	}
				1974
				1975	/**
Matthew Garrett	3ec3011	2018-01-08 13:36:19 -0800	[diff] [blame]	1976	* smack_cred_getsecid - get the secid corresponding to a creds structure
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	1977	* @cred: the object creds
Matthew Garrett	3ec3011	2018-01-08 13:36:19 -0800	[diff] [blame]	1978	* @secid: where to put the result
				1979	*
				1980	* Sets the secid to contain a u32 version of the smack label.
				1981	*/
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1982	static void smack_cred_getsecid(const struct cred cred, u32 secid)
Matthew Garrett	3ec3011	2018-01-08 13:36:19 -0800	[diff] [blame]	1983	{
				1984	struct smack_known *skp;
				1985
				1986	rcu_read_lock();
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	1987	skp = smk_of_task(smack_cred(cred));
Matthew Garrett	3ec3011	2018-01-08 13:36:19 -0800	[diff] [blame]	1988	*secid = skp->smk_secid;
				1989	rcu_read_unlock();
				1990	}
				1991
				1992	/**
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	1993	* smack_kernel_act_as - Set the subjective context in a set of credentials
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	1994	* @new: points to the set of credentials to be modified.
				1995	* @secid: specifies the security ID to be set
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	1996	*
				1997	* Set the security data for a kernel service.
				1998	*/
				1999	static int smack_kernel_act_as(struct cred *new, u32 secid)
				2000	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	2001	struct task_smack *new_tsp = smack_cred(new);
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	2002
Casey Schaufler	152f91d	2016-11-14 09:38:15 -0800	[diff] [blame]	2003	new_tsp->smk_task = smack_from_secid(secid);
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	2004	return 0;
				2005	}
				2006
				2007	/**
				2008	* smack_kernel_create_files_as - Set the file creation label in a set of creds
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	2009	* @new: points to the set of credentials to be modified
				2010	* @inode: points to the inode to use as a reference
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	2011	*
				2012	* Set the file creation context in a set of credentials to the same
				2013	* as the objective context of the specified inode
				2014	*/
				2015	static int smack_kernel_create_files_as(struct cred *new,
				2016	struct inode *inode)
				2017	{
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	2018	struct inode_smack *isp = smack_inode(inode);
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	2019	struct task_smack *tsp = smack_cred(new);
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	2020
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2021	tsp->smk_forked = isp->smk_inode;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2022	tsp->smk_task = tsp->smk_forked;
David Howells	3a3b7ce	2008-11-14 10:39:28 +1100	[diff] [blame]	2023	return 0;
				2024	}
				2025
				2026	/**
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2027	* smk_curacc_on_task - helper to log task related access
				2028	* @p: the task object
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2029	* @access: the access requested
				2030	* @caller: name of the calling function for audit
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2031	*
				2032	* Return 0 if access is permitted
				2033	*/
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2034	static int smk_curacc_on_task(struct task_struct *p, int access,
				2035	const char *caller)
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2036	{
				2037	struct smk_audit_info ad;
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	2038	struct smack_known *skp = smk_of_task_struct(p);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2039	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2040
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2041	smk_ad_init(&ad, caller, LSM_AUDIT_DATA_TASK);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2042	smk_ad_setfield_u_tsk(&ad, p);
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2043	rc = smk_curacc(skp, access, &ad);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2044	rc = smk_bu_task(p, access, rc);
				2045	return rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2046	}
				2047
				2048	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2049	* smack_task_setpgid - Smack check on setting pgid
				2050	* @p: the task object
				2051	* @pgid: unused
				2052	*
				2053	* Return 0 if write access is permitted
				2054	*/
				2055	static int smack_task_setpgid(struct task_struct *p, pid_t pgid)
				2056	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2057	return smk_curacc_on_task(p, MAY_WRITE, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2058	}
				2059
				2060	/**
				2061	* smack_task_getpgid - Smack access check for getpgid
				2062	* @p: the object task
				2063	*
				2064	* Returns 0 if current can read the object task, error code otherwise
				2065	*/
				2066	static int smack_task_getpgid(struct task_struct *p)
				2067	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2068	return smk_curacc_on_task(p, MAY_READ, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2069	}
				2070
				2071	/**
				2072	* smack_task_getsid - Smack access check for getsid
				2073	* @p: the object task
				2074	*
				2075	* Returns 0 if current can read the object task, error code otherwise
				2076	*/
				2077	static int smack_task_getsid(struct task_struct *p)
				2078	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2079	return smk_curacc_on_task(p, MAY_READ, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2080	}
				2081
				2082	/**
				2083	* smack_task_getsecid - get the secid of the task
				2084	* @p: the object task
				2085	* @secid: where to put the result
				2086	*
				2087	* Sets the secid to contain a u32 version of the smack label.
				2088	*/
				2089	static void smack_task_getsecid(struct task_struct p, u32 secid)
				2090	{
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	2091	struct smack_known *skp = smk_of_task_struct(p);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2092
				2093	*secid = skp->smk_secid;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2094	}
				2095
				2096	/**
				2097	* smack_task_setnice - Smack check on setting nice
				2098	* @p: the task object
				2099	* @nice: unused
				2100	*
				2101	* Return 0 if write access is permitted
				2102	*/
				2103	static int smack_task_setnice(struct task_struct *p, int nice)
				2104	{
Casey Schaufler	b1d9e6b	2015-05-02 15:11:42 -0700	[diff] [blame]	2105	return smk_curacc_on_task(p, MAY_WRITE, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2106	}
				2107
				2108	/**
				2109	* smack_task_setioprio - Smack check on setting ioprio
				2110	* @p: the task object
				2111	* @ioprio: unused
				2112	*
				2113	* Return 0 if write access is permitted
				2114	*/
				2115	static int smack_task_setioprio(struct task_struct *p, int ioprio)
				2116	{
Casey Schaufler	b1d9e6b	2015-05-02 15:11:42 -0700	[diff] [blame]	2117	return smk_curacc_on_task(p, MAY_WRITE, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2118	}
				2119
				2120	/**
				2121	* smack_task_getioprio - Smack check on reading ioprio
				2122	* @p: the task object
				2123	*
				2124	* Return 0 if read access is permitted
				2125	*/
				2126	static int smack_task_getioprio(struct task_struct *p)
				2127	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2128	return smk_curacc_on_task(p, MAY_READ, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2129	}
				2130
				2131	/**
				2132	* smack_task_setscheduler - Smack check on setting scheduler
				2133	* @p: the task object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2134	*
				2135	* Return 0 if read access is permitted
				2136	*/
KOSAKI Motohiro	b0ae198	2010-10-15 04:21:18 +0900	[diff] [blame]	2137	static int smack_task_setscheduler(struct task_struct *p)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2138	{
Casey Schaufler	b1d9e6b	2015-05-02 15:11:42 -0700	[diff] [blame]	2139	return smk_curacc_on_task(p, MAY_WRITE, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2140	}
				2141
				2142	/**
				2143	* smack_task_getscheduler - Smack check on reading scheduler
				2144	* @p: the task object
				2145	*
				2146	* Return 0 if read access is permitted
				2147	*/
				2148	static int smack_task_getscheduler(struct task_struct *p)
				2149	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2150	return smk_curacc_on_task(p, MAY_READ, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2151	}
				2152
				2153	/**
				2154	* smack_task_movememory - Smack check on moving memory
				2155	* @p: the task object
				2156	*
				2157	* Return 0 if write access is permitted
				2158	*/
				2159	static int smack_task_movememory(struct task_struct *p)
				2160	{
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	2161	return smk_curacc_on_task(p, MAY_WRITE, __func__);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2162	}
				2163
				2164	/**
				2165	* smack_task_kill - Smack check on signal delivery
				2166	* @p: the task object
				2167	* @info: unused
				2168	* @sig: unused
Stephen Smalley	6b4f3d0	2017-09-08 12:40:01 -0400	[diff] [blame]	2169	* @cred: identifies the cred to use in lieu of current's
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2170	*
				2171	* Return 0 if write access is permitted
				2172	*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2173	*/
Eric W. Biederman	ae7795b	2018-09-25 11:27:20 +0200	[diff] [blame]	2174	static int smack_task_kill(struct task_struct p, struct kernel_siginfo info,
Stephen Smalley	6b4f3d0	2017-09-08 12:40:01 -0400	[diff] [blame]	2175	int sig, const struct cred *cred)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2176	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2177	struct smk_audit_info ad;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2178	struct smack_known *skp;
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	2179	struct smack_known *tkp = smk_of_task_struct(p);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2180	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2181
Rafal Krypa	18d872f	2016-04-04 11:14:53 +0200	[diff] [blame]	2182	if (!sig)
				2183	return 0; /* null signal; existence test */
				2184
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2185	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);
				2186	smk_ad_setfield_u_tsk(&ad, p);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2187	/*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2188	* Sending a signal requires that the sender
				2189	* can write the receiver.
				2190	*/
Stephen Smalley	6b4f3d0	2017-09-08 12:40:01 -0400	[diff] [blame]	2191	if (cred == NULL) {
Casey Schaufler	c60b906	2016-08-30 10:31:39 -0700	[diff] [blame]	2192	rc = smk_curacc(tkp, MAY_DELIVER, &ad);
				2193	rc = smk_bu_task(p, MAY_DELIVER, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2194	return rc;
				2195	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2196	/*
Stephen Smalley	6b4f3d0	2017-09-08 12:40:01 -0400	[diff] [blame]	2197	* If the cred isn't NULL we're dealing with some USB IO
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2198	* specific behavior. This is not clean. For one thing
				2199	* we can't take privilege into account.
				2200	*/
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	2201	skp = smk_of_task(smack_cred(cred));
Casey Schaufler	c60b906	2016-08-30 10:31:39 -0700	[diff] [blame]	2202	rc = smk_access(skp, tkp, MAY_DELIVER, &ad);
				2203	rc = smk_bu_note("USB signal", skp, tkp, MAY_DELIVER, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2204	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2205	}
				2206
				2207	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2208	* smack_task_to_inode - copy task smack into the inode blob
				2209	* @p: task to copy from
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	2210	* @inode: inode to copy to
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2211	*
				2212	* Sets the smack pointer in the inode security blob
				2213	*/
				2214	static void smack_task_to_inode(struct task_struct p, struct inode inode)
				2215	{
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	2216	struct inode_smack *isp = smack_inode(inode);
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	2217	struct smack_known *skp = smk_of_task_struct(p);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2218
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2219	isp->smk_inode = skp;
Casey Schaufler	7b4e884	2018-06-22 10:54:45 -0700	[diff] [blame]	2220	isp->smk_flags \|= SMK_INODE_INSTANT;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2221	}
				2222
				2223	/*
				2224	* Socket hooks.
				2225	*/
				2226
				2227	/**
				2228	* smack_sk_alloc_security - Allocate a socket blob
				2229	* @sk: the socket
				2230	* @family: unused
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	2231	* @gfp_flags: memory allocation flags
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2232	*
				2233	* Assign Smack pointers to current
				2234	*
				2235	* Returns 0 on success, -ENOMEM is there's no memory
				2236	*/
				2237	static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
				2238	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2239	struct smack_known *skp = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2240	struct socket_smack *ssp;
				2241
				2242	ssp = kzalloc(sizeof(struct socket_smack), gfp_flags);
				2243	if (ssp == NULL)
				2244	return -ENOMEM;
				2245
jooseong lee	08382c9	2016-11-03 11:54:39 +0100	[diff] [blame]	2246	/*
				2247	* Sockets created by kernel threads receive web label.
				2248	*/
				2249	if (unlikely(current->flags & PF_KTHREAD)) {
				2250	ssp->smk_in = &smack_known_web;
				2251	ssp->smk_out = &smack_known_web;
				2252	} else {
				2253	ssp->smk_in = skp;
				2254	ssp->smk_out = skp;
				2255	}
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	2256	ssp->smk_packet = NULL;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2257
				2258	sk->sk_security = ssp;
				2259
				2260	return 0;
				2261	}
				2262
				2263	/**
				2264	* smack_sk_free_security - Free a socket blob
				2265	* @sk: the socket
				2266	*
				2267	* Clears the blob pointer
				2268	*/
				2269	static void smack_sk_free_security(struct sock *sk)
				2270	{
Vishal Goel	0c96d1f	2016-11-23 10:32:54 +0530	[diff] [blame]	2271	#ifdef SMACK_IPV6_PORT_LABELING
				2272	struct smk_port_label *spp;
				2273
				2274	if (sk->sk_family == PF_INET6) {
				2275	rcu_read_lock();
				2276	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
				2277	if (spp->smk_sock != sk)
				2278	continue;
				2279	spp->smk_can_reuse = 1;
				2280	break;
				2281	}
				2282	rcu_read_unlock();
				2283	}
				2284	#endif
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2285	kfree(sk->sk_security);
				2286	}
				2287
				2288	/**
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2289	* smack_ipv4host_label - check host based restrictions
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2290	* @sip: the object end
				2291	*
				2292	* looks for host based access restrictions
				2293	*
				2294	* This version will only be appropriate for really small sets of single label
				2295	* hosts. The caller is responsible for ensuring that the RCU read lock is
				2296	* taken before calling this function.
				2297	*
				2298	* Returns the label of the far end or NULL if it's not special.
				2299	*/
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2300	static struct smack_known smack_ipv4host_label(struct sockaddr_in sip)
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2301	{
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2302	struct smk_net4addr *snp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2303	struct in_addr *siap = &sip->sin_addr;
				2304
				2305	if (siap->s_addr == 0)
				2306	return NULL;
				2307
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2308	list_for_each_entry_rcu(snp, &smk_net4addr_list, list)
				2309	/*
				2310	* we break after finding the first match because
				2311	* the list is sorted from longest to shortest mask
				2312	* so we have found the most specific match
				2313	*/
				2314	if (snp->smk_host.s_addr ==
				2315	(siap->s_addr & snp->smk_mask.s_addr))
				2316	return snp->smk_label;
				2317
				2318	return NULL;
				2319	}
				2320
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2321	/*
				2322	* smk_ipv6_localhost - Check for local ipv6 host address
				2323	* @sip: the address
				2324	*
				2325	* Returns boolean true if this is the localhost address
				2326	*/
				2327	static bool smk_ipv6_localhost(struct sockaddr_in6 *sip)
				2328	{
				2329	__be16 be16p = (__be16 )&sip->sin6_addr;
				2330	__be32 be32p = (__be32 )&sip->sin6_addr;
				2331
				2332	if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 &&
				2333	ntohs(be16p[7]) == 1)
				2334	return true;
				2335	return false;
				2336	}
				2337
				2338	/**
				2339	* smack_ipv6host_label - check host based restrictions
				2340	* @sip: the object end
				2341	*
				2342	* looks for host based access restrictions
				2343	*
				2344	* This version will only be appropriate for really small sets of single label
				2345	* hosts. The caller is responsible for ensuring that the RCU read lock is
				2346	* taken before calling this function.
				2347	*
				2348	* Returns the label of the far end or NULL if it's not special.
				2349	*/
				2350	static struct smack_known smack_ipv6host_label(struct sockaddr_in6 sip)
				2351	{
				2352	struct smk_net6addr *snp;
				2353	struct in6_addr *sap = &sip->sin6_addr;
				2354	int i;
				2355	int found = 0;
				2356
				2357	/*
				2358	* It's local. Don't look for a host label.
				2359	*/
				2360	if (smk_ipv6_localhost(sip))
				2361	return NULL;
				2362
				2363	list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2364	/*
Casey Schaufler	2e4939f	2016-11-07 19:01:09 -0800	[diff] [blame]	2365	* If the label is NULL the entry has
				2366	* been renounced. Ignore it.
				2367	*/
				2368	if (snp->smk_label == NULL)
				2369	continue;
				2370	/*
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2371	* we break after finding the first match because
				2372	* the list is sorted from longest to shortest mask
				2373	* so we have found the most specific match
				2374	*/
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2375	for (found = 1, i = 0; i < 8; i++) {
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2376	if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
				2377	snp->smk_host.s6_addr16[i]) {
				2378	found = 0;
				2379	break;
				2380	}
Etienne Basset	4303154	2009-03-27 17:11:01 -0400	[diff] [blame]	2381	}
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2382	if (found)
				2383	return snp->smk_label;
				2384	}
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2385
				2386	return NULL;
				2387	}
				2388
				2389	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2390	* smack_netlabel - Set the secattr on a socket
				2391	* @sk: the socket
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2392	* @labeled: socket label scheme
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2393	*
				2394	* Convert the outbound smack value (smk_out) to a
				2395	* secattr and attach it to the socket.
				2396	*
				2397	* Returns 0 on success or an error code
				2398	*/
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2399	static int smack_netlabel(struct sock *sk, int labeled)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2400	{
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	2401	struct smack_known *skp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2402	struct socket_smack *ssp = sk->sk_security;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2403	int rc = 0;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2404
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2405	/*
				2406	* Usually the netlabel code will handle changing the
				2407	* packet labeling based on the label.
				2408	* The case of a single label host is different, because
				2409	* a single label host should never get a labeled packet
				2410	* even though the label is usually associated with a packet
				2411	* label.
				2412	*/
				2413	local_bh_disable();
				2414	bh_lock_sock_nested(sk);
				2415
				2416	if (ssp->smk_out == smack_net_ambient \|\|
				2417	labeled == SMACK_UNLABELED_SOCKET)
				2418	netlbl_sock_delattr(sk);
				2419	else {
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2420	skp = ssp->smk_out;
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	2421	rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel);
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2422	}
				2423
				2424	bh_unlock_sock(sk);
				2425	local_bh_enable();
Casey Schaufler	4bc87e6	2008-02-15 15:24:25 -0800	[diff] [blame]	2426
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2427	return rc;
				2428	}
				2429
				2430	/**
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2431	* smack_netlbel_send - Set the secattr on a socket and perform access checks
				2432	* @sk: the socket
				2433	* @sap: the destination address
				2434	*
				2435	* Set the correct secattr for the given socket based on the destination
				2436	* address and perform any outbound access checks needed.
				2437	*
				2438	* Returns 0 on success or an error code.
				2439	*
				2440	*/
				2441	static int smack_netlabel_send(struct sock sk, struct sockaddr_in sap)
				2442	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2443	struct smack_known *skp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2444	int rc;
				2445	int sk_lbl;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2446	struct smack_known *hkp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2447	struct socket_smack *ssp = sk->sk_security;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2448	struct smk_audit_info ad;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2449
				2450	rcu_read_lock();
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2451	hkp = smack_ipv4host_label(sap);
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2452	if (hkp != NULL) {
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2453	#ifdef CONFIG_AUDIT
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	2454	struct lsm_network_audit net;
				2455
Eric Paris	48c62af	2012-04-02 13:15:44 -0400	[diff] [blame]	2456	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
				2457	ad.a.u.net->family = sap->sin_family;
				2458	ad.a.u.net->dport = sap->sin_port;
				2459	ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2460	#endif
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	2461	sk_lbl = SMACK_UNLABELED_SOCKET;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2462	skp = ssp->smk_out;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2463	rc = smk_access(skp, hkp, MAY_WRITE, &ad);
				2464	rc = smk_bu_note("IPv4 host check", skp, hkp, MAY_WRITE, rc);
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2465	} else {
				2466	sk_lbl = SMACK_CIPSO_SOCKET;
				2467	rc = 0;
				2468	}
				2469	rcu_read_unlock();
				2470	if (rc != 0)
				2471	return rc;
				2472
				2473	return smack_netlabel(sk, sk_lbl);
				2474	}
				2475
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2476	/**
				2477	* smk_ipv6_check - check Smack access
				2478	* @subject: subject Smack label
				2479	* @object: object Smack label
				2480	* @address: address
				2481	* @act: the action being taken
				2482	*
				2483	* Check an IPv6 access
				2484	*/
				2485	static int smk_ipv6_check(struct smack_known *subject,
				2486	struct smack_known *object,
				2487	struct sockaddr_in6 *address, int act)
				2488	{
				2489	#ifdef CONFIG_AUDIT
				2490	struct lsm_network_audit net;
				2491	#endif
				2492	struct smk_audit_info ad;
				2493	int rc;
				2494
				2495	#ifdef CONFIG_AUDIT
				2496	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
				2497	ad.a.u.net->family = PF_INET6;
				2498	ad.a.u.net->dport = ntohs(address->sin6_port);
				2499	if (act == SMK_RECEIVING)
				2500	ad.a.u.net->v6info.saddr = address->sin6_addr;
				2501	else
				2502	ad.a.u.net->v6info.daddr = address->sin6_addr;
				2503	#endif
				2504	rc = smk_access(subject, object, MAY_WRITE, &ad);
				2505	rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
				2506	return rc;
				2507	}
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2508
				2509	#ifdef SMACK_IPV6_PORT_LABELING
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	2510	/**
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2511	* smk_ipv6_port_label - Smack port access table management
				2512	* @sock: socket
				2513	* @address: address
				2514	*
				2515	* Create or update the port list entry
				2516	*/
				2517	static void smk_ipv6_port_label(struct socket sock, struct sockaddr address)
				2518	{
				2519	struct sock *sk = sock->sk;
				2520	struct sockaddr_in6 *addr6;
				2521	struct socket_smack *ssp = sock->sk->sk_security;
				2522	struct smk_port_label *spp;
				2523	unsigned short port = 0;
				2524
				2525	if (address == NULL) {
				2526	/*
				2527	* This operation is changing the Smack information
				2528	* on the bound socket. Take the changes to the port
				2529	* as well.
				2530	*/
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2531	rcu_read_lock();
				2532	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2533	if (sk != spp->smk_sock)
				2534	continue;
				2535	spp->smk_in = ssp->smk_in;
				2536	spp->smk_out = ssp->smk_out;
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2537	rcu_read_unlock();
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2538	return;
				2539	}
				2540	/*
				2541	* A NULL address is only used for updating existing
				2542	* bound entries. If there isn't one, it's OK.
				2543	*/
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2544	rcu_read_unlock();
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2545	return;
				2546	}
				2547
				2548	addr6 = (struct sockaddr_in6 *)address;
				2549	port = ntohs(addr6->sin6_port);
				2550	/*
				2551	* This is a special case that is safely ignored.
				2552	*/
				2553	if (port == 0)
				2554	return;
				2555
				2556	/*
				2557	* Look for an existing port list entry.
				2558	* This is an indication that a port is getting reused.
				2559	*/
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2560	rcu_read_lock();
				2561	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
Vishal Goel	9d44c97	2016-11-23 10:31:59 +0530	[diff] [blame]	2562	if (spp->smk_port != port \|\| spp->smk_sock_type != sock->type)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2563	continue;
Vishal Goel	0c96d1f	2016-11-23 10:32:54 +0530	[diff] [blame]	2564	if (spp->smk_can_reuse != 1) {
				2565	rcu_read_unlock();
				2566	return;
				2567	}
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2568	spp->smk_port = port;
				2569	spp->smk_sock = sk;
				2570	spp->smk_in = ssp->smk_in;
				2571	spp->smk_out = ssp->smk_out;
Vishal Goel	0c96d1f	2016-11-23 10:32:54 +0530	[diff] [blame]	2572	spp->smk_can_reuse = 0;
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2573	rcu_read_unlock();
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2574	return;
				2575	}
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2576	rcu_read_unlock();
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2577	/*
				2578	* A new port entry is required.
				2579	*/
				2580	spp = kzalloc(sizeof(*spp), GFP_KERNEL);
				2581	if (spp == NULL)
				2582	return;
				2583
				2584	spp->smk_port = port;
				2585	spp->smk_sock = sk;
				2586	spp->smk_in = ssp->smk_in;
				2587	spp->smk_out = ssp->smk_out;
Vishal Goel	9d44c97	2016-11-23 10:31:59 +0530	[diff] [blame]	2588	spp->smk_sock_type = sock->type;
Vishal Goel	0c96d1f	2016-11-23 10:32:54 +0530	[diff] [blame]	2589	spp->smk_can_reuse = 0;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2590
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2591	mutex_lock(&smack_ipv6_lock);
				2592	list_add_rcu(&spp->list, &smk_ipv6_port_list);
				2593	mutex_unlock(&smack_ipv6_lock);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2594	return;
				2595	}
Arnd Bergmann	00720f0	2020-04-08 21:04:31 +0200	[diff] [blame]	2596	#endif
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2597
				2598	/**
				2599	* smk_ipv6_port_check - check Smack port access
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	2600	* @sk: socket
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2601	* @address: address
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	2602	* @act: the action being taken
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2603	*
				2604	* Create or update the port list entry
				2605	*/
Casey Schaufler	6ea0624	2013-08-05 13:21:22 -0700	[diff] [blame]	2606	static int smk_ipv6_port_check(struct sock sk, struct sockaddr_in6 address,
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2607	int act)
				2608	{
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2609	struct smk_port_label *spp;
				2610	struct socket_smack *ssp = sk->sk_security;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2611	struct smack_known *skp = NULL;
				2612	unsigned short port;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2613	struct smack_known *object;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2614
				2615	if (act == SMK_RECEIVING) {
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2616	skp = smack_ipv6host_label(address);
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2617	object = ssp->smk_in;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2618	} else {
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2619	skp = ssp->smk_out;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2620	object = smack_ipv6host_label(address);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2621	}
				2622
				2623	/*
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2624	* The other end is a single label host.
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2625	*/
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2626	if (skp != NULL && object != NULL)
				2627	return smk_ipv6_check(skp, object, address, act);
				2628	if (skp == NULL)
				2629	skp = smack_net_ambient;
				2630	if (object == NULL)
				2631	object = smack_net_ambient;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2632
				2633	/*
				2634	* It's remote, so port lookup does no good.
				2635	*/
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2636	if (!smk_ipv6_localhost(address))
				2637	return smk_ipv6_check(skp, object, address, act);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2638
				2639	/*
				2640	* It's local so the send check has to have passed.
				2641	*/
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2642	if (act == SMK_RECEIVING)
				2643	return 0;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2644
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2645	port = ntohs(address->sin6_port);
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2646	rcu_read_lock();
				2647	list_for_each_entry_rcu(spp, &smk_ipv6_port_list, list) {
Vishal Goel	9d44c97	2016-11-23 10:31:59 +0530	[diff] [blame]	2648	if (spp->smk_port != port \|\| spp->smk_sock_type != sk->sk_type)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2649	continue;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2650	object = spp->smk_in;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2651	if (act == SMK_CONNECTING)
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	2652	ssp->smk_packet = spp->smk_out;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2653	break;
				2654	}
Vishal Goel	3c7ce34	2016-11-23 10:31:08 +0530	[diff] [blame]	2655	rcu_read_unlock();
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2656
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2657	return smk_ipv6_check(skp, object, address, act);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2658	}
				2659
				2660	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2661	* smack_inode_setsecurity - set smack xattrs
				2662	* @inode: the object
				2663	* @name: attribute name
				2664	* @value: attribute value
				2665	* @size: size of the attribute
				2666	* @flags: unused
				2667	*
				2668	* Sets the named attribute in the appropriate blob
				2669	*
				2670	* Returns 0 on success, or an error code
				2671	*/
				2672	static int smack_inode_setsecurity(struct inode inode, const char name,
				2673	const void *value, size_t size, int flags)
				2674	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2675	struct smack_known *skp;
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	2676	struct inode_smack *nsp = smack_inode(inode);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2677	struct socket_smack *ssp;
				2678	struct socket *sock;
Casey Schaufler	4bc87e6	2008-02-15 15:24:25 -0800	[diff] [blame]	2679	int rc = 0;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2680
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	2681	if (value == NULL \|\| size > SMK_LONGLABEL \|\| size == 0)
Pankaj Kumar	5e9ab59	2013-12-13 15:12:22 +0530	[diff] [blame]	2682	return -EINVAL;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2683
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2684	skp = smk_import_entry(value, size);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	2685	if (IS_ERR(skp))
				2686	return PTR_ERR(skp);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2687
				2688	if (strcmp(name, XATTR_SMACK_SUFFIX) == 0) {
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	2689	nsp->smk_inode = skp;
David P. Quigley	ddd29ec	2009-09-09 14:25:37 -0400	[diff] [blame]	2690	nsp->smk_flags \|= SMK_INODE_INSTANT;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2691	return 0;
				2692	}
				2693	/*
				2694	* The rest of the Smack xattrs are only on sockets.
				2695	*/
				2696	if (inode->i_sb->s_magic != SOCKFS_MAGIC)
				2697	return -EOPNOTSUPP;
				2698
				2699	sock = SOCKET_I(inode);
Ahmed S. Darwish	2e1d146	2008-02-13 15:03:34 -0800	[diff] [blame]	2700	if (sock == NULL \|\| sock->sk == NULL)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2701	return -EOPNOTSUPP;
				2702
				2703	ssp = sock->sk->sk_security;
				2704
				2705	if (strcmp(name, XATTR_SMACK_IPIN) == 0)
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	2706	ssp->smk_in = skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2707	else if (strcmp(name, XATTR_SMACK_IPOUT) == 0) {
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2708	ssp->smk_out = skp;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2709	if (sock->sk->sk_family == PF_INET) {
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	2710	rc = smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
				2711	if (rc != 0)
				2712	printk(KERN_WARNING
				2713	"Smack: \"%s\" netlbl error %d.\n",
				2714	__func__, -rc);
				2715	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2716	} else
				2717	return -EOPNOTSUPP;
				2718
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2719	#ifdef SMACK_IPV6_PORT_LABELING
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2720	if (sock->sk->sk_family == PF_INET6)
				2721	smk_ipv6_port_label(sock, NULL);
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2722	#endif
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2723
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2724	return 0;
				2725	}
				2726
				2727	/**
				2728	* smack_socket_post_create - finish socket setup
				2729	* @sock: the socket
				2730	* @family: protocol family
				2731	* @type: unused
				2732	* @protocol: unused
				2733	* @kern: unused
				2734	*
				2735	* Sets the netlabel information on the socket
				2736	*
				2737	* Returns 0 on success, and error code otherwise
				2738	*/
				2739	static int smack_socket_post_create(struct socket *sock, int family,
				2740	int type, int protocol, int kern)
				2741	{
Marcin Lis	7412301	2015-01-22 15:40:33 +0100	[diff] [blame]	2742	struct socket_smack *ssp;
				2743
				2744	if (sock->sk == NULL)
				2745	return 0;
				2746
				2747	/*
				2748	* Sockets created by kernel threads receive web label.
				2749	*/
				2750	if (unlikely(current->flags & PF_KTHREAD)) {
				2751	ssp = sock->sk->sk_security;
				2752	ssp->smk_in = &smack_known_web;
				2753	ssp->smk_out = &smack_known_web;
				2754	}
				2755
				2756	if (family != PF_INET)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2757	return 0;
				2758	/*
				2759	* Set the outbound netlbl.
				2760	*/
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2761	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
				2762	}
				2763
Tom Gundersen	5859cdf	2018-05-04 16:28:22 +0200	[diff] [blame]	2764	/**
				2765	* smack_socket_socketpair - create socket pair
				2766	* @socka: one socket
				2767	* @sockb: another socket
				2768	*
				2769	* Cross reference the peer labels for SO_PEERSEC
				2770	*
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	2771	* Returns 0
Tom Gundersen	5859cdf	2018-05-04 16:28:22 +0200	[diff] [blame]	2772	*/
				2773	static int smack_socket_socketpair(struct socket *socka,
				2774	struct socket *sockb)
				2775	{
				2776	struct socket_smack *asp = socka->sk->sk_security;
				2777	struct socket_smack *bsp = sockb->sk->sk_security;
				2778
				2779	asp->smk_packet = bsp->smk_out;
				2780	bsp->smk_packet = asp->smk_out;
				2781
				2782	return 0;
				2783	}
				2784
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2785	#ifdef SMACK_IPV6_PORT_LABELING
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2786	/**
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2787	* smack_socket_bind - record port binding information.
				2788	* @sock: the socket
				2789	* @address: the port address
				2790	* @addrlen: size of the address
				2791	*
				2792	* Records the label bound to a port.
				2793	*
Tetsuo Handa	b9ef551	2019-04-12 19:59:35 +0900	[diff] [blame]	2794	* Returns 0 on success, and error code otherwise
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2795	*/
				2796	static int smack_socket_bind(struct socket sock, struct sockaddr address,
				2797	int addrlen)
				2798	{
Tetsuo Handa	b9ef551	2019-04-12 19:59:35 +0900	[diff] [blame]	2799	if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) {
				2800	if (addrlen < SIN6_LEN_RFC2133 \|\|
				2801	address->sa_family != AF_INET6)
				2802	return -EINVAL;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2803	smk_ipv6_port_label(sock, address);
Tetsuo Handa	b9ef551	2019-04-12 19:59:35 +0900	[diff] [blame]	2804	}
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2805	return 0;
				2806	}
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2807	#endif /* SMACK_IPV6_PORT_LABELING */
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2808
				2809	/**
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2810	* smack_socket_connect - connect access check
				2811	* @sock: the socket
				2812	* @sap: the other end
				2813	* @addrlen: size of sap
				2814	*
				2815	* Verifies that a connection may be possible
				2816	*
				2817	* Returns 0 on success, and error code otherwise
				2818	*/
				2819	static int smack_socket_connect(struct socket sock, struct sockaddr sap,
				2820	int addrlen)
				2821	{
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2822	int rc = 0;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	2823
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2824	if (sock->sk == NULL)
				2825	return 0;
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2826	if (sock->sk->sk_family != PF_INET &&
				2827	(!IS_ENABLED(CONFIG_IPV6) \|\| sock->sk->sk_family != PF_INET6))
				2828	return 0;
				2829	if (addrlen < offsetofend(struct sockaddr, sa_family))
				2830	return 0;
				2831	if (IS_ENABLED(CONFIG_IPV6) && sap->sa_family == AF_INET6) {
				2832	struct sockaddr_in6 sip = (struct sockaddr_in6 )sap;
Arnd Bergmann	00720f0	2020-04-08 21:04:31 +0200	[diff] [blame]	2833	struct smack_known *rsp = NULL;
Vasyl Gomonovych	da49b5d	2017-12-21 16:57:52 +0100	[diff] [blame]	2834
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2835	if (addrlen < SIN6_LEN_RFC2133)
				2836	return 0;
Arnd Bergmann	00720f0	2020-04-08 21:04:31 +0200	[diff] [blame]	2837	if (__is_defined(SMACK_IPV6_SECMARK_LABELING))
				2838	rsp = smack_ipv6host_label(sip);
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2839	if (rsp != NULL) {
				2840	struct socket_smack *ssp = sock->sk->sk_security;
				2841
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	2842	rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2843	SMK_CONNECTING);
				2844	}
Arnd Bergmann	00720f0	2020-04-08 21:04:31 +0200	[diff] [blame]	2845	if (__is_defined(SMACK_IPV6_PORT_LABELING))
				2846	rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
				2847
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2848	return rc;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2849	}
Casey Schaufler	87fbfff	2020-02-03 09:15:00 -0800	[diff] [blame]	2850	if (sap->sa_family != AF_INET \|\| addrlen < sizeof(struct sockaddr_in))
				2851	return 0;
				2852	rc = smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	2853	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2854	}
				2855
				2856	/**
				2857	* smack_flags_to_may - convert S_ to MAY_ values
				2858	* @flags: the S_ value
				2859	*
				2860	* Returns the equivalent MAY_ value
				2861	*/
				2862	static int smack_flags_to_may(int flags)
				2863	{
				2864	int may = 0;
				2865
				2866	if (flags & S_IRUGO)
				2867	may \|= MAY_READ;
				2868	if (flags & S_IWUGO)
				2869	may \|= MAY_WRITE;
				2870	if (flags & S_IXUGO)
				2871	may \|= MAY_EXEC;
				2872
				2873	return may;
				2874	}
				2875
				2876	/**
				2877	* smack_msg_msg_alloc_security - Set the security blob for msg_msg
				2878	* @msg: the object
				2879	*
				2880	* Returns 0
				2881	*/
				2882	static int smack_msg_msg_alloc_security(struct msg_msg *msg)
				2883	{
Casey Schaufler	ecd5f82	2018-11-20 11:55:02 -0800	[diff] [blame]	2884	struct smack_known **blob = smack_msg_msg(msg);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	2885
Casey Schaufler	ecd5f82	2018-11-20 11:55:02 -0800	[diff] [blame]	2886	*blob = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2887	return 0;
				2888	}
				2889
				2890	/**
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2891	* smack_of_ipc - the smack pointer for the ipc
				2892	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2893	*
				2894	* Returns a pointer to the smack value
				2895	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2896	static struct smack_known smack_of_ipc(struct kern_ipc_perm isp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2897	{
Casey Schaufler	019bcca	2018-09-21 17:19:54 -0700	[diff] [blame]	2898	struct smack_known **blob = smack_ipc(isp);
				2899
				2900	return *blob;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2901	}
				2902
				2903	/**
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2904	* smack_ipc_alloc_security - Set the security blob for ipc
				2905	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2906	*
				2907	* Returns 0
				2908	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2909	static int smack_ipc_alloc_security(struct kern_ipc_perm *isp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2910	{
Casey Schaufler	019bcca	2018-09-21 17:19:54 -0700	[diff] [blame]	2911	struct smack_known **blob = smack_ipc(isp);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2912
Casey Schaufler	019bcca	2018-09-21 17:19:54 -0700	[diff] [blame]	2913	*blob = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2914	return 0;
				2915	}
				2916
				2917	/**
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2918	* smk_curacc_shm : check if current has access on shm
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2919	* @isp : the object
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2920	* @access : access requested
				2921	*
				2922	* Returns 0 if current has the requested access, error code otherwise
				2923	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2924	static int smk_curacc_shm(struct kern_ipc_perm *isp, int access)
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2925	{
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2926	struct smack_known *ssp = smack_of_ipc(isp);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2927	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2928	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2929
				2930	#ifdef CONFIG_AUDIT
				2931	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2932	ad.a.u.ipc_id = isp->id;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2933	#endif
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	2934	rc = smk_curacc(ssp, access, &ad);
				2935	rc = smk_bu_current("shm", ssp, access, rc);
				2936	return rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	2937	}
				2938
				2939	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2940	* smack_shm_associate - Smack access check for shm
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2941	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2942	* @shmflg: access requested
				2943	*
				2944	* Returns 0 if current has the requested access, error code otherwise
				2945	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2946	static int smack_shm_associate(struct kern_ipc_perm *isp, int shmflg)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2947	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2948	int may;
				2949
				2950	may = smack_flags_to_may(shmflg);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2951	return smk_curacc_shm(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2952	}
				2953
				2954	/**
				2955	* smack_shm_shmctl - Smack access check for shm
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2956	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2957	* @cmd: what it wants to do
				2958	*
				2959	* Returns 0 if current has the requested access, error code otherwise
				2960	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2961	static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2962	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2963	int may;
				2964
				2965	switch (cmd) {
				2966	case IPC_STAT:
				2967	case SHM_STAT:
Davidlohr Bueso	c21a697	2018-04-10 16:35:23 -0700	[diff] [blame]	2968	case SHM_STAT_ANY:
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2969	may = MAY_READ;
				2970	break;
				2971	case IPC_SET:
				2972	case SHM_LOCK:
				2973	case SHM_UNLOCK:
				2974	case IPC_RMID:
				2975	may = MAY_READWRITE;
				2976	break;
				2977	case IPC_INFO:
				2978	case SHM_INFO:
				2979	/*
				2980	* System level information.
				2981	*/
				2982	return 0;
				2983	default:
				2984	return -EINVAL;
				2985	}
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2986	return smk_curacc_shm(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2987	}
				2988
				2989	/**
				2990	* smack_shm_shmat - Smack access for shmat
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	2991	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2992	* @shmaddr: unused
				2993	* @shmflg: access requested
				2994	*
				2995	* Returns 0 if current has the requested access, error code otherwise
				2996	*/
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	2997	static int smack_shm_shmat(struct kern_ipc_perm isp, char __user shmaddr,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	2998	int shmflg)
				2999	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3000	int may;
				3001
				3002	may = smack_flags_to_may(shmflg);
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	3003	return smk_curacc_shm(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3004	}
				3005
				3006	/**
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3007	* smk_curacc_sem : check if current has access on sem
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3008	* @isp : the object
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3009	* @access : access requested
				3010	*
				3011	* Returns 0 if current has the requested access, error code otherwise
				3012	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3013	static int smk_curacc_sem(struct kern_ipc_perm *isp, int access)
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3014	{
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3015	struct smack_known *ssp = smack_of_ipc(isp);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3016	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3017	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3018
				3019	#ifdef CONFIG_AUDIT
				3020	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3021	ad.a.u.ipc_id = isp->id;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3022	#endif
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3023	rc = smk_curacc(ssp, access, &ad);
				3024	rc = smk_bu_current("sem", ssp, access, rc);
				3025	return rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3026	}
				3027
				3028	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3029	* smack_sem_associate - Smack access check for sem
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3030	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3031	* @semflg: access requested
				3032	*
				3033	* Returns 0 if current has the requested access, error code otherwise
				3034	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3035	static int smack_sem_associate(struct kern_ipc_perm *isp, int semflg)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3036	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3037	int may;
				3038
				3039	may = smack_flags_to_may(semflg);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3040	return smk_curacc_sem(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3041	}
				3042
				3043	/**
				3044	* smack_sem_shmctl - Smack access check for sem
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3045	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3046	* @cmd: what it wants to do
				3047	*
				3048	* Returns 0 if current has the requested access, error code otherwise
				3049	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3050	static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3051	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3052	int may;
				3053
				3054	switch (cmd) {
				3055	case GETPID:
				3056	case GETNCNT:
				3057	case GETZCNT:
				3058	case GETVAL:
				3059	case GETALL:
				3060	case IPC_STAT:
				3061	case SEM_STAT:
Davidlohr Bueso	a280d6d	2018-04-10 16:35:26 -0700	[diff] [blame]	3062	case SEM_STAT_ANY:
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3063	may = MAY_READ;
				3064	break;
				3065	case SETVAL:
				3066	case SETALL:
				3067	case IPC_RMID:
				3068	case IPC_SET:
				3069	may = MAY_READWRITE;
				3070	break;
				3071	case IPC_INFO:
				3072	case SEM_INFO:
				3073	/*
				3074	* System level information
				3075	*/
				3076	return 0;
				3077	default:
				3078	return -EINVAL;
				3079	}
				3080
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3081	return smk_curacc_sem(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3082	}
				3083
				3084	/**
				3085	* smack_sem_semop - Smack checks of semaphore operations
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3086	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3087	* @sops: unused
				3088	* @nsops: unused
				3089	* @alter: unused
				3090	*
				3091	* Treated as read and write in all cases.
				3092	*
				3093	* Returns 0 if access is allowed, error code otherwise
				3094	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3095	static int smack_sem_semop(struct kern_ipc_perm isp, struct sembuf sops,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3096	unsigned nsops, int alter)
				3097	{
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3098	return smk_curacc_sem(isp, MAY_READWRITE);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3099	}
				3100
				3101	/**
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3102	* smk_curacc_msq : helper to check if current has access on msq
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3103	* @isp : the msq
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3104	* @access : access requested
				3105	*
				3106	* return 0 if current has access, error otherwise
				3107	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3108	static int smk_curacc_msq(struct kern_ipc_perm *isp, int access)
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3109	{
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3110	struct smack_known *msp = smack_of_ipc(isp);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3111	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3112	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3113
				3114	#ifdef CONFIG_AUDIT
				3115	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3116	ad.a.u.ipc_id = isp->id;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3117	#endif
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3118	rc = smk_curacc(msp, access, &ad);
				3119	rc = smk_bu_current("msq", msp, access, rc);
				3120	return rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3121	}
				3122
				3123	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3124	* smack_msg_queue_associate - Smack access check for msg_queue
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3125	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3126	* @msqflg: access requested
				3127	*
				3128	* Returns 0 if current has the requested access, error code otherwise
				3129	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3130	static int smack_msg_queue_associate(struct kern_ipc_perm *isp, int msqflg)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3131	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3132	int may;
				3133
				3134	may = smack_flags_to_may(msqflg);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3135	return smk_curacc_msq(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3136	}
				3137
				3138	/**
				3139	* smack_msg_queue_msgctl - Smack access check for msg_queue
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3140	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3141	* @cmd: what it wants to do
				3142	*
				3143	* Returns 0 if current has the requested access, error code otherwise
				3144	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3145	static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3146	{
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3147	int may;
				3148
				3149	switch (cmd) {
				3150	case IPC_STAT:
				3151	case MSG_STAT:
Davidlohr Bueso	23c8cec	2018-04-10 16:35:30 -0700	[diff] [blame]	3152	case MSG_STAT_ANY:
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3153	may = MAY_READ;
				3154	break;
				3155	case IPC_SET:
				3156	case IPC_RMID:
				3157	may = MAY_READWRITE;
				3158	break;
				3159	case IPC_INFO:
				3160	case MSG_INFO:
				3161	/*
				3162	* System level information
				3163	*/
				3164	return 0;
				3165	default:
				3166	return -EINVAL;
				3167	}
				3168
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3169	return smk_curacc_msq(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3170	}
				3171
				3172	/**
				3173	* smack_msg_queue_msgsnd - Smack access check for msg_queue
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3174	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3175	* @msg: unused
				3176	* @msqflg: access requested
				3177	*
				3178	* Returns 0 if current has the requested access, error code otherwise
				3179	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3180	static int smack_msg_queue_msgsnd(struct kern_ipc_perm isp, struct msg_msg msg,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3181	int msqflg)
				3182	{
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3183	int may;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3184
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3185	may = smack_flags_to_may(msqflg);
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3186	return smk_curacc_msq(isp, may);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3187	}
				3188
				3189	/**
				3190	* smack_msg_queue_msgsnd - Smack access check for msg_queue
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3191	* @isp: the object
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3192	* @msg: unused
				3193	* @target: unused
				3194	* @type: unused
				3195	* @mode: unused
				3196	*
				3197	* Returns 0 if current has read and write access, error code otherwise
				3198	*/
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3199	static int smack_msg_queue_msgrcv(struct kern_ipc_perm isp, struct msg_msg msg,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3200	struct task_struct *target, long type, int mode)
				3201	{
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	3202	return smk_curacc_msq(isp, MAY_READWRITE);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3203	}
				3204
				3205	/**
				3206	* smack_ipc_permission - Smack access for ipc_permission()
				3207	* @ipp: the object permissions
				3208	* @flag: access requested
				3209	*
				3210	* Returns 0 if current has read and write access, error code otherwise
				3211	*/
				3212	static int smack_ipc_permission(struct kern_ipc_perm *ipp, short flag)
				3213	{
Casey Schaufler	019bcca	2018-09-21 17:19:54 -0700	[diff] [blame]	3214	struct smack_known **blob = smack_ipc(ipp);
				3215	struct smack_known iskp = blob;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3216	int may = smack_flags_to_may(flag);
				3217	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3218	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3219
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3220	#ifdef CONFIG_AUDIT
				3221	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_IPC);
				3222	ad.a.u.ipc_id = ipp->id;
				3223	#endif
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3224	rc = smk_curacc(iskp, may, &ad);
				3225	rc = smk_bu_current("svipc", iskp, may, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3226	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3227	}
				3228
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	3229	/**
				3230	* smack_ipc_getsecid - Extract smack security id
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	3231	* @ipp: the object permissions
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	3232	* @secid: where result will be saved
				3233	*/
				3234	static void smack_ipc_getsecid(struct kern_ipc_perm ipp, u32 secid)
				3235	{
Casey Schaufler	019bcca	2018-09-21 17:19:54 -0700	[diff] [blame]	3236	struct smack_known **blob = smack_ipc(ipp);
				3237	struct smack_known iskp = blob;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	3238
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3239	*secid = iskp->smk_secid;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	3240	}
				3241
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3242	/**
				3243	* smack_d_instantiate - Make sure the blob is correct on an inode
Dan Carpenter	3e62cbb	2010-06-01 09:14:04 +0200	[diff] [blame]	3244	* @opt_dentry: dentry where inode will be attached
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3245	* @inode: the object
				3246	*
				3247	* Set the inode's security blob if it hasn't been done already.
				3248	*/
				3249	static void smack_d_instantiate(struct dentry opt_dentry, struct inode inode)
				3250	{
				3251	struct super_block *sbp;
				3252	struct superblock_smack *sbsp;
				3253	struct inode_smack *isp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3254	struct smack_known *skp;
				3255	struct smack_known *ckp = smk_of_current();
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3256	struct smack_known *final;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	3257	char trattr[TRANS_TRUE_SIZE];
				3258	int transflag = 0;
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	3259	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3260	struct dentry *dp;
				3261
				3262	if (inode == NULL)
				3263	return;
				3264
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	3265	isp = smack_inode(inode);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3266
				3267	mutex_lock(&isp->smk_lock);
				3268	/*
				3269	* If the inode is already instantiated
				3270	* take the quick way out
				3271	*/
				3272	if (isp->smk_flags & SMK_INODE_INSTANT)
				3273	goto unlockandout;
				3274
				3275	sbp = inode->i_sb;
				3276	sbsp = sbp->s_security;
				3277	/*
				3278	* We're going to use the superblock default label
				3279	* if there's no label on the file.
				3280	*/
				3281	final = sbsp->smk_default;
				3282
				3283	/*
Casey Schaufler	e97dcb0	2008-06-02 10:04:32 -0700	[diff] [blame]	3284	* If this is the root inode the superblock
				3285	* may be in the process of initialization.
				3286	* If that is the case use the root value out
				3287	* of the superblock.
				3288	*/
				3289	if (opt_dentry->d_parent == opt_dentry) {
Łukasz Stelmach	1d8c232	2014-12-16 16:53:08 +0100	[diff] [blame]	3290	switch (sbp->s_magic) {
				3291	case CGROUP_SUPER_MAGIC:
José Bollo	58c442f	2018-02-27 17:06:21 +0100	[diff] [blame]	3292	case CGROUP2_SUPER_MAGIC:
Casey Schaufler	36ea735	2014-04-28 15:23:01 -0700	[diff] [blame]	3293	/*
				3294	* The cgroup filesystem is never mounted,
				3295	* so there's no opportunity to set the mount
				3296	* options.
				3297	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3298	sbsp->smk_root = &smack_known_star;
				3299	sbsp->smk_default = &smack_known_star;
Łukasz Stelmach	1d8c232	2014-12-16 16:53:08 +0100	[diff] [blame]	3300	isp->smk_inode = sbsp->smk_root;
				3301	break;
				3302	case TMPFS_MAGIC:
				3303	/*
				3304	* What about shmem/tmpfs anonymous files with dentry
				3305	* obtained from d_alloc_pseudo()?
				3306	*/
				3307	isp->smk_inode = smk_of_current();
				3308	break;
Roman Kubiak	8da4aba	2015-10-05 12:27:16 +0200	[diff] [blame]	3309	case PIPEFS_MAGIC:
				3310	isp->smk_inode = smk_of_current();
				3311	break;
Rafal Krypa	805b65a	2016-12-09 14:03:04 +0100	[diff] [blame]	3312	case SOCKFS_MAGIC:
				3313	/*
				3314	* Socket access is controlled by the socket
				3315	* structures associated with the task involved.
				3316	*/
				3317	isp->smk_inode = &smack_known_star;
				3318	break;
Łukasz Stelmach	1d8c232	2014-12-16 16:53:08 +0100	[diff] [blame]	3319	default:
				3320	isp->smk_inode = sbsp->smk_root;
				3321	break;
Casey Schaufler	36ea735	2014-04-28 15:23:01 -0700	[diff] [blame]	3322	}
Casey Schaufler	e97dcb0	2008-06-02 10:04:32 -0700	[diff] [blame]	3323	isp->smk_flags \|= SMK_INODE_INSTANT;
				3324	goto unlockandout;
				3325	}
				3326
				3327	/*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3328	* This is pretty hackish.
				3329	* Casey says that we shouldn't have to do
				3330	* file system specific code, but it does help
				3331	* with keeping it simple.
				3332	*/
				3333	switch (sbp->s_magic) {
				3334	case SMACK_MAGIC:
Casey Schaufler	36ea735	2014-04-28 15:23:01 -0700	[diff] [blame]	3335	case CGROUP_SUPER_MAGIC:
José Bollo	58c442f	2018-02-27 17:06:21 +0100	[diff] [blame]	3336	case CGROUP2_SUPER_MAGIC:
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3337	/*
Lucas De Marchi	25985ed	2011-03-30 22:57:33 -0300	[diff] [blame]	3338	* Casey says that it's a little embarrassing
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3339	* that the smack file system doesn't do
				3340	* extended attributes.
Casey Schaufler	36ea735	2014-04-28 15:23:01 -0700	[diff] [blame]	3341	*
Casey Schaufler	36ea735	2014-04-28 15:23:01 -0700	[diff] [blame]	3342	* Cgroupfs is special
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3343	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3344	final = &smack_known_star;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3345	break;
				3346	case DEVPTS_SUPER_MAGIC:
				3347	/*
				3348	* devpts seems content with the label of the task.
				3349	* Programs that change smack have to treat the
				3350	* pty with respect.
				3351	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3352	final = ckp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3353	break;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3354	case PROC_SUPER_MAGIC:
				3355	/*
				3356	* Casey says procfs appears not to care.
				3357	* The superblock default suffices.
				3358	*/
				3359	break;
				3360	case TMPFS_MAGIC:
				3361	/*
				3362	* Device labels should come from the filesystem,
				3363	* but watch out, because they're volitile,
				3364	* getting recreated on every reboot.
				3365	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3366	final = &smack_known_star;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3367	/*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3368	* If a smack value has been set we want to use it,
				3369	* but since tmpfs isn't giving us the opportunity
				3370	* to set mount options simulate setting the
				3371	* superblock default.
				3372	*/
Gustavo A. R. Silva	09186e5	2019-02-08 14:54:53 -0600	[diff] [blame]	3373	/* Fall through */
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3374	default:
				3375	/*
				3376	* This isn't an understood special case.
				3377	* Get the value from the xattr.
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3378	*/
				3379
				3380	/*
				3381	* UNIX domain sockets use lower level socket data.
				3382	*/
				3383	if (S_ISSOCK(inode->i_mode)) {
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3384	final = &smack_known_star;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3385	break;
				3386	}
				3387	/*
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3388	* No xattr support means, alas, no SMACK label.
				3389	* Use the aforeapplied default.
				3390	* It would be curious if the label of the task
				3391	* does not match that assigned.
				3392	*/
Andreas Gruenbacher	5d6c319	2016-09-29 17:48:42 +0200	[diff] [blame]	3393	if (!(inode->i_opflags & IOP_XATTR))
				3394	break;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3395	/*
				3396	* Get the dentry for xattr.
				3397	*/
Dan Carpenter	3e62cbb	2010-06-01 09:14:04 +0200	[diff] [blame]	3398	dp = dget(opt_dentry);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3399	skp = smk_fetch(XATTR_NAME_SMACK, inode, dp);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	3400	if (!IS_ERR_OR_NULL(skp))
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3401	final = skp;
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	3402
				3403	/*
				3404	* Transmuting directory
				3405	*/
				3406	if (S_ISDIR(inode->i_mode)) {
				3407	/*
				3408	* If this is a new directory and the label was
				3409	* transmuted when the inode was initialized
				3410	* set the transmute attribute on the directory
				3411	* and mark the inode.
				3412	*
				3413	* If there is a transmute attribute on the
				3414	* directory mark the inode.
				3415	*/
				3416	if (isp->smk_flags & SMK_INODE_CHANGED) {
				3417	isp->smk_flags &= ~SMK_INODE_CHANGED;
Andreas Gruenbacher	5d6c319	2016-09-29 17:48:42 +0200	[diff] [blame]	3418	rc = __vfs_setxattr(dp, inode,
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	3419	XATTR_NAME_SMACKTRANSMUTE,
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	3420	TRANS_TRUE, TRANS_TRUE_SIZE,
				3421	0);
				3422	} else {
Andreas Gruenbacher	5d6c319	2016-09-29 17:48:42 +0200	[diff] [blame]	3423	rc = __vfs_getxattr(dp, inode,
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	3424	XATTR_NAME_SMACKTRANSMUTE, trattr,
				3425	TRANS_TRUE_SIZE);
				3426	if (rc >= 0 && strncmp(trattr, TRANS_TRUE,
				3427	TRANS_TRUE_SIZE) != 0)
				3428	rc = -EINVAL;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	3429	}
Casey Schaufler	2267b13	2012-03-13 19:14:19 -0700	[diff] [blame]	3430	if (rc >= 0)
				3431	transflag = SMK_INODE_TRANSMUTE;
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	3432	}
Seth Forshee	809c02e	2016-04-26 14:36:22 -0500	[diff] [blame]	3433	/*
				3434	* Don't let the exec or mmap label be "*" or "@".
				3435	*/
				3436	skp = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);
				3437	if (IS_ERR(skp) \|\| skp == &smack_known_star \|\|
				3438	skp == &smack_known_web)
				3439	skp = NULL;
				3440	isp->smk_task = skp;
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	3441
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	3442	skp = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	3443	if (IS_ERR(skp) \|\| skp == &smack_known_star \|\|
				3444	skp == &smack_known_web)
Casey Schaufler	19760ad	2013-12-16 16:27:26 -0800	[diff] [blame]	3445	skp = NULL;
				3446	isp->smk_mmap = skp;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	3447
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3448	dput(dp);
				3449	break;
				3450	}
				3451
				3452	if (final == NULL)
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3453	isp->smk_inode = ckp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3454	else
				3455	isp->smk_inode = final;
				3456
Jarkko Sakkinen	5c6d112	2010-12-07 13:34:01 +0200	[diff] [blame]	3457	isp->smk_flags \|= (SMK_INODE_INSTANT \| transflag);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3458
				3459	unlockandout:
				3460	mutex_unlock(&isp->smk_lock);
				3461	return;
				3462	}
				3463
				3464	/**
				3465	* smack_getprocattr - Smack process attribute access
				3466	* @p: the object task
				3467	* @name: the name of the attribute in /proc/.../attr
				3468	* @value: where to put the result
				3469	*
				3470	* Places a copy of the task Smack into value
				3471	*
				3472	* Returns the length of the smack label or an error code
				3473	*/
				3474	static int smack_getprocattr(struct task_struct p, char name, char **value)
				3475	{
Andrey Ryabinin	6d1cff2	2015-01-13 18:52:40 +0300	[diff] [blame]	3476	struct smack_known *skp = smk_of_task_struct(p);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3477	char *cp;
				3478	int slen;
				3479
				3480	if (strcmp(name, "current") != 0)
				3481	return -EINVAL;
				3482
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3483	cp = kstrdup(skp->smk_known, GFP_KERNEL);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3484	if (cp == NULL)
				3485	return -ENOMEM;
				3486
				3487	slen = strlen(cp);
				3488	*value = cp;
				3489	return slen;
				3490	}
				3491
				3492	/**
				3493	* smack_setprocattr - Smack process attribute setting
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3494	* @name: the name of the attribute in /proc/.../attr
				3495	* @value: the value to set
				3496	* @size: the size of the value
				3497	*
				3498	* Sets the Smack value of the task. Only setting self
				3499	* is permitted and only with privilege
				3500	*
				3501	* Returns the length of the smack label or an error code
				3502	*/
Stephen Smalley	b21507e	2017-01-09 10:07:31 -0500	[diff] [blame]	3503	static int smack_setprocattr(const char name, void value, size_t size)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3504	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	3505	struct task_smack *tsp = smack_cred(current_cred());
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	3506	struct cred *new;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3507	struct smack_known *skp;
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	3508	struct smack_known_list_elem *sklep;
				3509	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3510
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	3511	if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel))
David Howells	5cd9c58	2008-08-14 11:37:28 +0100	[diff] [blame]	3512	return -EPERM;
				3513
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3514	if (value == NULL \|\| size == 0 \|\| size >= SMK_LONGLABEL)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3515	return -EINVAL;
				3516
				3517	if (strcmp(name, "current") != 0)
				3518	return -EINVAL;
				3519
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3520	skp = smk_import_entry(value, size);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	3521	if (IS_ERR(skp))
				3522	return PTR_ERR(skp);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3523
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3524	/*
Himanshu Shukla	7128ea1	2016-11-10 16:17:49 +0530	[diff] [blame]	3525	* No process is ever allowed the web ("@") label
				3526	* and the star ("*") label.
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3527	*/
Himanshu Shukla	7128ea1	2016-11-10 16:17:49 +0530	[diff] [blame]	3528	if (skp == &smack_known_web \|\| skp == &smack_known_star)
				3529	return -EINVAL;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3530
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	3531	if (!smack_privileged(CAP_MAC_ADMIN)) {
				3532	rc = -EPERM;
				3533	list_for_each_entry(sklep, &tsp->smk_relabel, list)
				3534	if (sklep->smk_label == skp) {
				3535	rc = 0;
				3536	break;
				3537	}
				3538	if (rc)
				3539	return rc;
				3540	}
				3541
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	3542	new = prepare_creds();
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3543	if (new == NULL)
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	3544	return -ENOMEM;
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	3545
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	3546	tsp = smack_cred(new);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3547	tsp->smk_task = skp;
Zbigniew Jasinski	38416e5	2015-10-19 18:23:53 +0200	[diff] [blame]	3548	/*
				3549	* process can change its label only once
				3550	*/
				3551	smk_destroy_label_list(&tsp->smk_relabel);
Casey Schaufler	7898e1f	2011-01-17 08:05:27 -0800	[diff] [blame]	3552
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	3553	commit_creds(new);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3554	return size;
				3555	}
				3556
				3557	/**
				3558	* smack_unix_stream_connect - Smack access on UDS
David S. Miller	3610cda	2011-01-05 15:38:53 -0800	[diff] [blame]	3559	* @sock: one sock
				3560	* @other: the other sock
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3561	* @newsk: unused
				3562	*
				3563	* Return 0 if a subject with the smack of sock could access
				3564	* an object with the smack of other, otherwise an error code
				3565	*/
David S. Miller	3610cda	2011-01-05 15:38:53 -0800	[diff] [blame]	3566	static int smack_unix_stream_connect(struct sock *sock,
				3567	struct sock other, struct sock newsk)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3568	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3569	struct smack_known *skp;
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	3570	struct smack_known *okp;
James Morris	d2e7ad1	2011-01-10 09:46:24 +1100	[diff] [blame]	3571	struct socket_smack *ssp = sock->sk_security;
				3572	struct socket_smack *osp = other->sk_security;
Casey Schaufler	975d5e5	2011-09-26 14:43:39 -0700	[diff] [blame]	3573	struct socket_smack *nsp = newsk->sk_security;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3574	struct smk_audit_info ad;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3575	int rc = 0;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3576	#ifdef CONFIG_AUDIT
				3577	struct lsm_network_audit net;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3578	#endif
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3579
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3580	if (!smack_privileged(CAP_MAC_OVERRIDE)) {
				3581	skp = ssp->smk_out;
Zbigniew Jasinski	96be7b5	2014-12-29 15:34:58 +0100	[diff] [blame]	3582	okp = osp->smk_in;
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	3583	#ifdef CONFIG_AUDIT
				3584	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
				3585	smk_ad_setfield_u_net_sk(&ad, other);
				3586	#endif
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3587	rc = smk_access(skp, okp, MAY_WRITE, &ad);
				3588	rc = smk_bu_note("UDS connect", skp, okp, MAY_WRITE, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3589	if (rc == 0) {
Zbigniew Jasinski	96be7b5	2014-12-29 15:34:58 +0100	[diff] [blame]	3590	okp = osp->smk_out;
				3591	skp = ssp->smk_in;
Rafal Krypa	138a868	2015-01-08 18:52:45 +0100	[diff] [blame]	3592	rc = smk_access(okp, skp, MAY_WRITE, &ad);
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3593	rc = smk_bu_note("UDS connect", okp, skp,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3594	MAY_WRITE, rc);
				3595	}
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3596	}
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3597
Casey Schaufler	975d5e5	2011-09-26 14:43:39 -0700	[diff] [blame]	3598	/*
				3599	* Cross reference the peer labels for SO_PEERSEC.
				3600	*/
				3601	if (rc == 0) {
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	3602	nsp->smk_packet = ssp->smk_out;
				3603	ssp->smk_packet = osp->smk_out;
Casey Schaufler	975d5e5	2011-09-26 14:43:39 -0700	[diff] [blame]	3604	}
				3605
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3606	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3607	}
				3608
				3609	/**
				3610	* smack_unix_may_send - Smack access on UDS
				3611	* @sock: one socket
				3612	* @other: the other socket
				3613	*
				3614	* Return 0 if a subject with the smack of sock could access
				3615	* an object with the smack of other, otherwise an error code
				3616	*/
				3617	static int smack_unix_may_send(struct socket sock, struct socket other)
				3618	{
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3619	struct socket_smack *ssp = sock->sk->sk_security;
				3620	struct socket_smack *osp = other->sk->sk_security;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3621	struct smk_audit_info ad;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3622	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3623
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3624	#ifdef CONFIG_AUDIT
				3625	struct lsm_network_audit net;
				3626
Eric Paris	48c62af	2012-04-02 13:15:44 -0400	[diff] [blame]	3627	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3628	smk_ad_setfield_u_net_sk(&ad, other->sk);
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3629	#endif
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3630
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3631	if (smack_privileged(CAP_MAC_OVERRIDE))
				3632	return 0;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3633
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3634	rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad);
				3635	rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc);
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3636	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3637	}
				3638
				3639	/**
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3640	* smack_socket_sendmsg - Smack check based on destination host
				3641	* @sock: the socket
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	3642	* @msg: the message
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3643	* @size: the size of the message
				3644	*
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3645	* Return 0 if the current subject can write to the destination host.
				3646	* For IPv4 this is only a question if the destination is a single label host.
				3647	* For IPv6 this is a check against the label of the port.
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3648	*/
				3649	static int smack_socket_sendmsg(struct socket sock, struct msghdr msg,
				3650	int size)
				3651	{
				3652	struct sockaddr_in sip = (struct sockaddr_in ) msg->msg_name;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3653	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	6ea0624	2013-08-05 13:21:22 -0700	[diff] [blame]	3654	struct sockaddr_in6 sap = (struct sockaddr_in6 ) msg->msg_name;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3655	#endif
				3656	#ifdef SMACK_IPV6_SECMARK_LABELING
				3657	struct socket_smack *ssp = sock->sk->sk_security;
				3658	struct smack_known *rsp;
				3659	#endif
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3660	int rc = 0;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3661
				3662	/*
				3663	* Perfectly reasonable for this to be NULL
				3664	*/
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3665	if (sip == NULL)
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3666	return 0;
				3667
Roman Kubiak	81bd0d5	2015-12-17 13:24:35 +0100	[diff] [blame]	3668	switch (sock->sk->sk_family) {
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3669	case AF_INET:
Tetsuo Handa	b9ef551	2019-04-12 19:59:35 +0900	[diff] [blame]	3670	if (msg->msg_namelen < sizeof(struct sockaddr_in) \|\|
				3671	sip->sin_family != AF_INET)
				3672	return -EINVAL;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3673	rc = smack_netlabel_send(sock->sk, sip);
				3674	break;
Casey Schaufler	619ae03	2019-04-30 14:13:32 -0700	[diff] [blame]	3675	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3676	case AF_INET6:
Tetsuo Handa	b9ef551	2019-04-12 19:59:35 +0900	[diff] [blame]	3677	if (msg->msg_namelen < SIN6_LEN_RFC2133 \|\|
				3678	sap->sin6_family != AF_INET6)
				3679	return -EINVAL;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3680	#ifdef SMACK_IPV6_SECMARK_LABELING
				3681	rsp = smack_ipv6host_label(sap);
				3682	if (rsp != NULL)
				3683	rc = smk_ipv6_check(ssp->smk_out, rsp, sap,
				3684	SMK_CONNECTING);
				3685	#endif
				3686	#ifdef SMACK_IPV6_PORT_LABELING
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3687	rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3688	#endif
Casey Schaufler	619ae03	2019-04-30 14:13:32 -0700	[diff] [blame]	3689	#endif /* IS_ENABLED(CONFIG_IPV6) */
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3690	break;
				3691	}
				3692	return rc;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3693	}
				3694
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3695	/**
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	3696	* smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3697	* @sap: netlabel secattr
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3698	* @ssp: socket security information
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3699	*
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3700	* Returns a pointer to a Smack label entry found on the label list.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3701	*/
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3702	static struct smack_known smack_from_secattr(struct netlbl_lsm_secattr sap,
				3703	struct socket_smack *ssp)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3704	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3705	struct smack_known *skp;
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3706	int found = 0;
Casey Schaufler	677264e	2013-06-28 13:47:07 -0700	[diff] [blame]	3707	int acat;
				3708	int kcat;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3709
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3710	if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) {
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3711	/*
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3712	* Looks like a CIPSO packet.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3713	* If there are flags but no level netlabel isn't
				3714	* behaving the way we expect it to.
				3715	*
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3716	* Look it up in the label table
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3717	* Without guidance regarding the smack value
				3718	* for the packet fall back on the network
				3719	* ambient value.
				3720	*/
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3721	rcu_read_lock();
Vishal Goel	348dc28	2016-11-23 10:45:31 +0530	[diff] [blame]	3722	list_for_each_entry_rcu(skp, &smack_known_list, list) {
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3723	if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl)
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3724	continue;
Casey Schaufler	677264e	2013-06-28 13:47:07 -0700	[diff] [blame]	3725	/*
				3726	* Compare the catsets. Use the netlbl APIs.
				3727	*/
				3728	if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) {
				3729	if ((skp->smk_netlabel.flags &
				3730	NETLBL_SECATTR_MLS_CAT) == 0)
				3731	found = 1;
				3732	break;
				3733	}
				3734	for (acat = -1, kcat = -1; acat == kcat; ) {
Paul Moore	4fbe63d	2014-08-01 11:17:37 -0400	[diff] [blame]	3735	acat = netlbl_catmap_walk(sap->attr.mls.cat,
				3736	acat + 1);
				3737	kcat = netlbl_catmap_walk(
Casey Schaufler	677264e	2013-06-28 13:47:07 -0700	[diff] [blame]	3738	skp->smk_netlabel.attr.mls.cat,
				3739	kcat + 1);
				3740	if (acat < 0 \|\| kcat < 0)
				3741	break;
				3742	}
				3743	if (acat == kcat) {
				3744	found = 1;
				3745	break;
				3746	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3747	}
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3748	rcu_read_unlock();
				3749
				3750	if (found)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3751	return skp;
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	3752
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	3753	if (ssp != NULL && ssp->smk_in == &smack_known_star)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3754	return &smack_known_web;
				3755	return &smack_known_star;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3756	}
Casey Schaufler	152f91d	2016-11-14 09:38:15 -0800	[diff] [blame]	3757	if ((sap->flags & NETLBL_SECATTR_SECID) != 0)
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3758	/*
				3759	* Looks like a fallback, which gives us a secid.
				3760	*/
Casey Schaufler	152f91d	2016-11-14 09:38:15 -0800	[diff] [blame]	3761	return smack_from_secid(sap->attr.secid);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3762	/*
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3763	* Without guidance regarding the smack value
				3764	* for the packet fall back on the network
				3765	* ambient value.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3766	*/
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3767	return smack_net_ambient;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3768	}
				3769
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3770	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	6ea0624	2013-08-05 13:21:22 -0700	[diff] [blame]	3771	static int smk_skb_to_addr_ipv6(struct sk_buff skb, struct sockaddr_in6 sip)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3772	{
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3773	u8 nexthdr;
				3774	int offset;
				3775	int proto = -EINVAL;
				3776	struct ipv6hdr _ipv6h;
				3777	struct ipv6hdr *ip6;
				3778	__be16 frag_off;
				3779	struct tcphdr _tcph, *th;
				3780	struct udphdr _udph, *uh;
				3781	struct dccp_hdr _dccph, *dh;
				3782
				3783	sip->sin6_port = 0;
				3784
				3785	offset = skb_network_offset(skb);
				3786	ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
				3787	if (ip6 == NULL)
				3788	return -EINVAL;
				3789	sip->sin6_addr = ip6->saddr;
				3790
				3791	nexthdr = ip6->nexthdr;
				3792	offset += sizeof(_ipv6h);
				3793	offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
				3794	if (offset < 0)
				3795	return -EINVAL;
				3796
				3797	proto = nexthdr;
				3798	switch (proto) {
				3799	case IPPROTO_TCP:
				3800	th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
				3801	if (th != NULL)
				3802	sip->sin6_port = th->source;
				3803	break;
				3804	case IPPROTO_UDP:
Piotr Sawicki	a07ef95	2018-07-19 11:45:16 +0200	[diff] [blame]	3805	case IPPROTO_UDPLITE:
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3806	uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
				3807	if (uh != NULL)
				3808	sip->sin6_port = uh->source;
				3809	break;
				3810	case IPPROTO_DCCP:
				3811	dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
				3812	if (dh != NULL)
				3813	sip->sin6_port = dh->dccph_sport;
				3814	break;
				3815	}
				3816	return proto;
				3817	}
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3818	#endif /* CONFIG_IPV6 */
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3819
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3820	/**
				3821	* smack_socket_sock_rcv_skb - Smack packet delivery access check
				3822	* @sk: socket
				3823	* @skb: packet
				3824	*
				3825	* Returns 0 if the packet should be delivered, an error code otherwise
				3826	*/
				3827	static int smack_socket_sock_rcv_skb(struct sock sk, struct sk_buff skb)
				3828	{
				3829	struct netlbl_lsm_secattr secattr;
				3830	struct socket_smack *ssp = sk->sk_security;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3831	struct smack_known *skp = NULL;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3832	int rc = 0;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3833	struct smk_audit_info ad;
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3834	u16 family = sk->sk_family;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3835	#ifdef CONFIG_AUDIT
Eric Paris	48c62af	2012-04-02 13:15:44 -0400	[diff] [blame]	3836	struct lsm_network_audit net;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	3837	#endif
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3838	#if IS_ENABLED(CONFIG_IPV6)
				3839	struct sockaddr_in6 sadd;
				3840	int proto;
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3841
				3842	if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
				3843	family = PF_INET;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3844	#endif /* CONFIG_IPV6 */
				3845
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3846	switch (family) {
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3847	case PF_INET:
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3848	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				3849	/*
				3850	* If there is a secmark use it rather than the CIPSO label.
				3851	* If there is no secmark fall back to CIPSO.
				3852	* The secmark is assumed to reflect policy better.
				3853	*/
				3854	if (skb && skb->secmark != 0) {
				3855	skp = smack_from_secid(skb->secmark);
				3856	goto access_check;
				3857	}
				3858	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3859	/*
				3860	* Translate what netlabel gave us.
				3861	*/
				3862	netlbl_secattr_init(&secattr);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3863
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3864	rc = netlbl_skbuff_getattr(skb, family, &secattr);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3865	if (rc == 0)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3866	skp = smack_from_secattr(&secattr, ssp);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3867	else
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3868	skp = smack_net_ambient;
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3869
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3870	netlbl_secattr_destroy(&secattr);
Casey Schaufler	6d3dc07	2008-12-31 12:54:12 -0500	[diff] [blame]	3871
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3872	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				3873	access_check:
				3874	#endif
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3875	#ifdef CONFIG_AUDIT
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3876	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3877	ad.a.u.net->family = family;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3878	ad.a.u.net->netif = skb->skb_iif;
				3879	ipv4_skb_to_auditdata(skb, &ad.a, NULL);
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	3880	#endif
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3881	/*
				3882	* Receiving a packet requires that the other end
				3883	* be able to write here. Read access is not required.
				3884	* This is the simplist possible security model
				3885	* for networking.
				3886	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	3887	rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
				3888	rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in,
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	3889	MAY_WRITE, rc);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3890	if (rc != 0)
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3891	netlbl_skbuff_err(skb, family, rc, 0);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3892	break;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3893	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3894	case PF_INET6:
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3895	proto = smk_skb_to_addr_ipv6(skb, &sadd);
Piotr Sawicki	a07ef95	2018-07-19 11:45:16 +0200	[diff] [blame]	3896	if (proto != IPPROTO_UDP && proto != IPPROTO_UDPLITE &&
				3897	proto != IPPROTO_TCP && proto != IPPROTO_DCCP)
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3898	break;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3899	#ifdef SMACK_IPV6_SECMARK_LABELING
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3900	if (skb && skb->secmark != 0)
				3901	skp = smack_from_secid(skb->secmark);
Casey Schaufler	f7450bc	2019-04-03 14:28:38 -0700	[diff] [blame]	3902	else if (smk_ipv6_localhost(&sadd))
				3903	break;
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3904	else
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3905	skp = smack_ipv6host_label(&sadd);
				3906	if (skp == NULL)
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3907	skp = smack_net_ambient;
Jia-Ju Bai	3f4287e	2019-07-23 18:00:15 +0800	[diff] [blame]	3908	if (skb == NULL)
				3909	break;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3910	#ifdef CONFIG_AUDIT
				3911	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
Piotr Sawicki	129a998	2018-07-19 11:42:58 +0200	[diff] [blame]	3912	ad.a.u.net->family = family;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3913	ad.a.u.net->netif = skb->skb_iif;
				3914	ipv6_skb_to_auditdata(skb, &ad.a, NULL);
				3915	#endif /* CONFIG_AUDIT */
				3916	rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
				3917	rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
				3918	MAY_WRITE, rc);
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3919	#endif /* SMACK_IPV6_SECMARK_LABELING */
				3920	#ifdef SMACK_IPV6_PORT_LABELING
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3921	rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	3922	#endif /* SMACK_IPV6_PORT_LABELING */
Piotr Sawicki	d66a8ac	2018-07-19 11:47:31 +0200	[diff] [blame]	3923	if (rc != 0)
				3924	icmpv6_send(skb, ICMPV6_DEST_UNREACH,
				3925	ICMPV6_ADM_PROHIBITED, 0);
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3926	break;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3927	#endif /* CONFIG_IPV6 */
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	3928	}
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3929
Paul Moore	a813429	2008-10-10 10:16:31 -0400	[diff] [blame]	3930	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3931	}
				3932
				3933	/**
				3934	* smack_socket_getpeersec_stream - pull in packet label
				3935	* @sock: the socket
				3936	* @optval: user's destination
				3937	* @optlen: size thereof
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	3938	* @len: max thereof
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3939	*
				3940	* returns zero on success, an error code otherwise
				3941	*/
				3942	static int smack_socket_getpeersec_stream(struct socket *sock,
				3943	char __user *optval,
				3944	int __user *optlen, unsigned len)
				3945	{
				3946	struct socket_smack *ssp;
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3947	char *rcp = "";
				3948	int slen = 1;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3949	int rc = 0;
				3950
				3951	ssp = sock->sk->sk_security;
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3952	if (ssp->smk_packet != NULL) {
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	3953	rcp = ssp->smk_packet->smk_known;
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3954	slen = strlen(rcp) + 1;
				3955	}
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3956
				3957	if (slen > len)
				3958	rc = -ERANGE;
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3959	else if (copy_to_user(optval, rcp, slen) != 0)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3960	rc = -EFAULT;
				3961
				3962	if (put_user(slen, optlen) != 0)
				3963	rc = -EFAULT;
				3964
				3965	return rc;
				3966	}
				3967
				3968
				3969	/**
				3970	* smack_socket_getpeersec_dgram - pull in packet label
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3971	* @sock: the peer socket
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3972	* @skb: packet data
				3973	* @secid: pointer to where to put the secid of the packet
				3974	*
				3975	* Sets the netlabel socket state on sk from parent
				3976	*/
				3977	static int smack_socket_getpeersec_dgram(struct socket *sock,
				3978	struct sk_buff skb, u32 secid)
				3979
				3980	{
				3981	struct netlbl_lsm_secattr secattr;
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	3982	struct socket_smack *ssp = NULL;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	3983	struct smack_known *skp;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3984	int family = PF_UNSPEC;
				3985	u32 s = 0; /* 0 is the invalid secid */
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3986	int rc;
				3987
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3988	if (skb != NULL) {
				3989	if (skb->protocol == htons(ETH_P_IP))
				3990	family = PF_INET;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3991	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3992	else if (skb->protocol == htons(ETH_P_IPV6))
				3993	family = PF_INET6;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3994	#endif /* CONFIG_IPV6 */
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3995	}
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	3996	if (family == PF_UNSPEC && sock != NULL)
				3997	family = sock->sk->sk_family;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	3998
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	3999	switch (family) {
				4000	case PF_UNIX:
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	4001	ssp = sock->sk->sk_security;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4002	s = ssp->smk_out->smk_secid;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4003	break;
				4004	case PF_INET:
				4005	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				4006	s = skb->secmark;
				4007	if (s != 0)
				4008	break;
				4009	#endif
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	4010	/*
				4011	* Translate what netlabel gave us.
				4012	*/
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	4013	if (sock != NULL && sock->sk != NULL)
				4014	ssp = sock->sk->sk_security;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	4015	netlbl_secattr_init(&secattr);
				4016	rc = netlbl_skbuff_getattr(skb, family, &secattr);
				4017	if (rc == 0) {
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4018	skp = smack_from_secattr(&secattr, ssp);
				4019	s = skp->smk_secid;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	4020	}
				4021	netlbl_secattr_destroy(&secattr);
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4022	break;
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4023	case PF_INET6:
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4024	#ifdef SMACK_IPV6_SECMARK_LABELING
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4025	s = skb->secmark;
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4026	#endif
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4027	break;
Casey Schaufler	b4e0d5f	2010-11-24 17:12:10 -0800	[diff] [blame]	4028	}
				4029	*secid = s;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4030	if (s == 0)
				4031	return -EINVAL;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4032	return 0;
				4033	}
				4034
				4035	/**
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4036	* smack_sock_graft - Initialize a newly created socket with an existing sock
				4037	* @sk: child sock
				4038	* @parent: parent socket
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4039	*
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4040	* Set the smk_{in,out} state of an existing sock based on the process that
				4041	* is creating the new socket.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4042	*/
				4043	static void smack_sock_graft(struct sock sk, struct socket parent)
				4044	{
				4045	struct socket_smack *ssp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4046	struct smack_known *skp = smk_of_current();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4047
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4048	if (sk == NULL \|\|
				4049	(sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4050	return;
				4051
				4052	ssp = sk->sk_security;
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	4053	ssp->smk_in = skp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4054	ssp->smk_out = skp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4055	/* cssp->smk_packet is already set in smack_inet_csk_clone() */
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4056	}
				4057
				4058	/**
				4059	* smack_inet_conn_request - Smack access check on connect
				4060	* @sk: socket involved
				4061	* @skb: packet
				4062	* @req: unused
				4063	*
				4064	* Returns 0 if a task with the packet label could write to
				4065	* the socket, otherwise an error code
				4066	*/
				4067	static int smack_inet_conn_request(struct sock sk, struct sk_buff skb,
				4068	struct request_sock *req)
				4069	{
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4070	u16 family = sk->sk_family;
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	4071	struct smack_known *skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4072	struct socket_smack *ssp = sk->sk_security;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4073	struct netlbl_lsm_secattr secattr;
				4074	struct sockaddr_in addr;
				4075	struct iphdr *hdr;
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4076	struct smack_known *hskp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4077	int rc;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	4078	struct smk_audit_info ad;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	4079	#ifdef CONFIG_AUDIT
Eric Paris	48c62af	2012-04-02 13:15:44 -0400	[diff] [blame]	4080	struct lsm_network_audit net;
Kees Cook	923e9a1	2012-04-10 13:26:44 -0700	[diff] [blame]	4081	#endif
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4082
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4083	#if IS_ENABLED(CONFIG_IPV6)
Casey Schaufler	c673944	2013-05-22 18:42:56 -0700	[diff] [blame]	4084	if (family == PF_INET6) {
				4085	/*
				4086	* Handle mapped IPv4 packets arriving
				4087	* via IPv6 sockets. Don't set up netlabel
				4088	* processing on IPv6.
				4089	*/
				4090	if (skb->protocol == htons(ETH_P_IP))
				4091	family = PF_INET;
				4092	else
				4093	return 0;
				4094	}
Casey Schaufler	69f287a	2014-12-12 17:08:40 -0800	[diff] [blame]	4095	#endif /* CONFIG_IPV6 */
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4096
Casey Schaufler	7f368ad	2015-02-11 12:52:32 -0800	[diff] [blame]	4097	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				4098	/*
				4099	* If there is a secmark use it rather than the CIPSO label.
				4100	* If there is no secmark fall back to CIPSO.
				4101	* The secmark is assumed to reflect policy better.
				4102	*/
				4103	if (skb && skb->secmark != 0) {
				4104	skp = smack_from_secid(skb->secmark);
				4105	goto access_check;
				4106	}
				4107	#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
				4108
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4109	netlbl_secattr_init(&secattr);
				4110	rc = netlbl_skbuff_getattr(skb, family, &secattr);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4111	if (rc == 0)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4112	skp = smack_from_secattr(&secattr, ssp);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4113	else
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4114	skp = &smack_known_huh;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4115	netlbl_secattr_destroy(&secattr);
				4116
Casey Schaufler	7f368ad	2015-02-11 12:52:32 -0800	[diff] [blame]	4117	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				4118	access_check:
				4119	#endif
				4120
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	4121	#ifdef CONFIG_AUDIT
Eric Paris	48c62af	2012-04-02 13:15:44 -0400	[diff] [blame]	4122	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
				4123	ad.a.u.net->family = family;
				4124	ad.a.u.net->netif = skb->skb_iif;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	4125	ipv4_skb_to_auditdata(skb, &ad.a, NULL);
				4126	#endif
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4127	/*
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4128	* Receiving a packet requires that the other end be able to write
				4129	* here. Read access is not required.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4130	*/
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4131	rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
				4132	rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc);
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4133	if (rc != 0)
				4134	return rc;
				4135
				4136	/*
				4137	* Save the peer's label in the request_sock so we can later setup
				4138	* smk_packet in the child socket so that SO_PEERCRED can report it.
				4139	*/
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4140	req->peer_secid = skp->smk_secid;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4141
				4142	/*
				4143	* We need to decide if we want to label the incoming connection here
				4144	* if we do we only need to label the request_sock and the stack will
Lucas De Marchi	25985ed	2011-03-30 22:57:33 -0300	[diff] [blame]	4145	* propagate the wire-label to the sock when it is created.
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4146	*/
				4147	hdr = ip_hdr(skb);
				4148	addr.sin_addr.s_addr = hdr->saddr;
				4149	rcu_read_lock();
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4150	hskp = smack_ipv4host_label(&addr);
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	4151	rcu_read_unlock();
				4152
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4153	if (hskp == NULL)
Casey Schaufler	f7112e6	2012-05-06 15:22:02 -0700	[diff] [blame]	4154	rc = netlbl_req_setattr(req, &skp->smk_netlabel);
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4155	else
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4156	netlbl_req_delattr(req);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4157
				4158	return rc;
				4159	}
				4160
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4161	/**
				4162	* smack_inet_csk_clone - Copy the connection information to the new socket
				4163	* @sk: the new socket
				4164	* @req: the connection's request_sock
				4165	*
				4166	* Transfer the connection's peer label to the newly created socket.
				4167	*/
				4168	static void smack_inet_csk_clone(struct sock *sk,
				4169	const struct request_sock *req)
				4170	{
				4171	struct socket_smack *ssp = sk->sk_security;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4172	struct smack_known *skp;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4173
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4174	if (req->peer_secid != 0) {
				4175	skp = smack_from_secid(req->peer_secid);
Casey Schaufler	54e70ec	2014-04-10 16:37:08 -0700	[diff] [blame]	4176	ssp->smk_packet = skp;
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4177	} else
Casey Schaufler	272cd7a	2011-09-20 12:24:36 -0700	[diff] [blame]	4178	ssp->smk_packet = NULL;
Paul Moore	07feee8	2009-03-27 17:10:54 -0400	[diff] [blame]	4179	}
				4180
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4181	/*
				4182	* Key management security hooks
				4183	*
				4184	* Casey has not tested key support very heavily.
				4185	* The permission check is most likely too restrictive.
				4186	* If you care about keys please have a look.
				4187	*/
				4188	#ifdef CONFIG_KEYS
				4189
				4190	/**
				4191	* smack_key_alloc - Set the key security blob
				4192	* @key: object
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	4193	* @cred: the credentials to use
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4194	* @flags: unused
				4195	*
				4196	* No allocation required
				4197	*
				4198	* Returns 0
				4199	*/
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	4200	static int smack_key_alloc(struct key key, const struct cred cred,
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4201	unsigned long flags)
				4202	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	4203	struct smack_known *skp = smk_of_task(smack_cred(cred));
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4204
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4205	key->security = skp;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4206	return 0;
				4207	}
				4208
				4209	/**
				4210	* smack_key_free - Clear the key security blob
				4211	* @key: the object
				4212	*
				4213	* Clear the blob pointer
				4214	*/
				4215	static void smack_key_free(struct key *key)
				4216	{
				4217	key->security = NULL;
				4218	}
				4219
Lukasz Pawelczyk	1a28979	2014-11-26 15:31:06 +0100	[diff] [blame]	4220	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4221	* smack_key_permission - Smack access on a key
				4222	* @key_ref: gets to the object
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	4223	* @cred: the credentials to use
Lukasz Pawelczyk	1a28979	2014-11-26 15:31:06 +0100	[diff] [blame]	4224	* @perm: requested key permissions
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4225	*
				4226	* Return 0 if the task has read and write to the object,
				4227	* an error code otherwise
				4228	*/
				4229	static int smack_key_permission(key_ref_t key_ref,
David Howells	f589594	2014-03-14 17:44:49 +0000	[diff] [blame]	4230	const struct cred *cred, unsigned perm)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4231	{
				4232	struct key *keyp;
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	4233	struct smk_audit_info ad;
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	4234	struct smack_known *tkp = smk_of_task(smack_cred(cred));
Dmitry Kasatkin	fffea21	2014-03-14 17:44:49 +0000	[diff] [blame]	4235	int request = 0;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	4236	int rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4237
Zoran Markovic	5b841bf	2018-10-17 16:25:44 -0700	[diff] [blame]	4238	/*
				4239	* Validate requested permissions
				4240	*/
				4241	if (perm & ~KEY_NEED_ALL)
				4242	return -EINVAL;
				4243
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4244	keyp = key_ref_to_ptr(key_ref);
				4245	if (keyp == NULL)
				4246	return -EINVAL;
				4247	/*
				4248	* If the key hasn't been initialized give it access so that
				4249	* it may do so.
				4250	*/
				4251	if (keyp->security == NULL)
				4252	return 0;
				4253	/*
				4254	* This should not occur
				4255	*/
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4256	if (tkp == NULL)
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4257	return -EACCES;
Casey Schaufler	d19dfe5	2018-01-08 10:25:32 -0800	[diff] [blame]	4258
				4259	if (smack_privileged_cred(CAP_MAC_OVERRIDE, cred))
				4260	return 0;
				4261
Etienne Basset	ecfcc53	2009-04-08 20:40:06 +0200	[diff] [blame]	4262	#ifdef CONFIG_AUDIT
				4263	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_KEY);
				4264	ad.a.u.key_struct.key = keyp->serial;
				4265	ad.a.u.key_struct.key_desc = keyp->description;
				4266	#endif
Zoran Markovic	5b841bf	2018-10-17 16:25:44 -0700	[diff] [blame]	4267	if (perm & (KEY_NEED_READ \| KEY_NEED_SEARCH \| KEY_NEED_VIEW))
				4268	request \|= MAY_READ;
Dmitry Kasatkin	fffea21	2014-03-14 17:44:49 +0000	[diff] [blame]	4269	if (perm & (KEY_NEED_WRITE \| KEY_NEED_LINK \| KEY_NEED_SETATTR))
Zoran Markovic	5b841bf	2018-10-17 16:25:44 -0700	[diff] [blame]	4270	request \|= MAY_WRITE;
Casey Schaufler	d166c80	2014-08-27 14:51:27 -0700	[diff] [blame]	4271	rc = smk_access(tkp, keyp->security, request, &ad);
				4272	rc = smk_bu_note("key access", tkp, keyp->security, request, rc);
				4273	return rc;
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4274	}
José Bollo	7fc5f36	2015-02-17 15:41:22 +0100	[diff] [blame]	4275
				4276	/*
				4277	* smack_key_getsecurity - Smack label tagging the key
				4278	* @key points to the key to be queried
				4279	* @_buffer points to a pointer that should be set to point to the
				4280	* resulting string (if no label or an error occurs).
				4281	* Return the length of the string (including terminating NUL) or -ve if
				4282	* an error.
				4283	* May also return 0 (and a NULL buffer pointer) if there is no label.
				4284	*/
				4285	static int smack_key_getsecurity(struct key key, char *_buffer)
				4286	{
				4287	struct smack_known *skp = key->security;
				4288	size_t length;
				4289	char *copy;
				4290
				4291	if (key->security == NULL) {
				4292	*_buffer = NULL;
				4293	return 0;
				4294	}
				4295
				4296	copy = kstrdup(skp->smk_known, GFP_KERNEL);
				4297	if (copy == NULL)
				4298	return -ENOMEM;
				4299	length = strlen(copy) + 1;
				4300
				4301	*_buffer = copy;
				4302	return length;
				4303	}
				4304
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4305	#endif /* CONFIG_KEYS */
				4306
				4307	/*
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4308	* Smack Audit hooks
				4309	*
				4310	* Audit requires a unique representation of each Smack specific
				4311	* rule. This unique representation is used to distinguish the
				4312	* object to be audited from remaining kernel objects and also
				4313	* works as a glue between the audit hooks.
				4314	*
				4315	* Since repository entries are added but never deleted, we'll use
				4316	* the smack_known label address related to the given audit rule as
				4317	* the needed unique representation. This also better fits the smack
				4318	* model where nearly everything is a label.
				4319	*/
				4320	#ifdef CONFIG_AUDIT
				4321
				4322	/**
				4323	* smack_audit_rule_init - Initialize a smack audit rule
				4324	* @field: audit rule fields given from user-space (audit.h)
				4325	* @op: required testing operator (=, !=, >, <, ...)
				4326	* @rulestr: smack label to be audited
				4327	* @vrule: pointer to save our own audit rule representation
				4328	*
				4329	* Prepare to audit cases where (@field @op @rulestr) is true.
				4330	* The label to be audited is created if necessay.
				4331	*/
				4332	static int smack_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
				4333	{
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4334	struct smack_known *skp;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4335	char rule = (char )vrule;
				4336	*rule = NULL;
				4337
				4338	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
				4339	return -EINVAL;
				4340
Al Viro	5af75d8	2008-12-16 05:59:26 -0500	[diff] [blame]	4341	if (op != Audit_equal && op != Audit_not_equal)
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4342	return -EINVAL;
				4343
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4344	skp = smk_import_entry(rulestr, 0);
Lukasz Pawelczyk	e774ad6	2015-04-20 17:12:54 +0200	[diff] [blame]	4345	if (IS_ERR(skp))
				4346	return PTR_ERR(skp);
				4347
				4348	*rule = skp->smk_known;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4349
				4350	return 0;
				4351	}
				4352
				4353	/**
				4354	* smack_audit_rule_known - Distinguish Smack audit rules
				4355	* @krule: rule of interest, in Audit kernel representation format
				4356	*
				4357	* This is used to filter Smack rules from remaining Audit ones.
				4358	* If it's proved that this rule belongs to us, the
				4359	* audit_rule_match hook will be called to do the final judgement.
				4360	*/
				4361	static int smack_audit_rule_known(struct audit_krule *krule)
				4362	{
				4363	struct audit_field *f;
				4364	int i;
				4365
				4366	for (i = 0; i < krule->field_count; i++) {
				4367	f = &krule->fields[i];
				4368
				4369	if (f->type == AUDIT_SUBJ_USER \|\| f->type == AUDIT_OBJ_USER)
				4370	return 1;
				4371	}
				4372
				4373	return 0;
				4374	}
				4375
				4376	/**
				4377	* smack_audit_rule_match - Audit given object ?
				4378	* @secid: security id for identifying the object to test
				4379	* @field: audit rule flags given from user-space
				4380	* @op: required testing operator
				4381	* @vrule: smack internal rule presentation
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4382	*
				4383	* The core Audit hook. It's used to take the decision of
				4384	* whether to audit or not to audit a given object.
				4385	*/
Richard Guy Briggs	90462a5	2019-01-31 11:52:11 -0500	[diff] [blame]	4386	static int smack_audit_rule_match(u32 secid, u32 field, u32 op, void *vrule)
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4387	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4388	struct smack_known *skp;
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4389	char *rule = vrule;
				4390
Richard Guy Briggs	4eb0f4a	2013-11-21 13:57:33 -0500	[diff] [blame]	4391	if (unlikely(!rule)) {
				4392	WARN_ONCE(1, "Smack: missing rule\n");
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4393	return -ENOENT;
				4394	}
				4395
				4396	if (field != AUDIT_SUBJ_USER && field != AUDIT_OBJ_USER)
				4397	return 0;
				4398
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4399	skp = smack_from_secid(secid);
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4400
				4401	/*
				4402	* No need to do string comparisons. If a match occurs,
				4403	* both pointers will point to the same smack_known
				4404	* label.
				4405	*/
Al Viro	5af75d8	2008-12-16 05:59:26 -0500	[diff] [blame]	4406	if (op == Audit_equal)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4407	return (rule == skp->smk_known);
Al Viro	5af75d8	2008-12-16 05:59:26 -0500	[diff] [blame]	4408	if (op == Audit_not_equal)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4409	return (rule != skp->smk_known);
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4410
				4411	return 0;
				4412	}
				4413
Casey Schaufler	491a0b0	2016-01-26 15:08:35 -0800	[diff] [blame]	4414	/*
				4415	* There is no need for a smack_audit_rule_free hook.
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4416	* No memory was allocated.
				4417	*/
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4418
				4419	#endif /* CONFIG_AUDIT */
				4420
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	4421	/**
David Quigley	746df9b	2013-05-22 12:50:35 -0400	[diff] [blame]	4422	* smack_ismaclabel - check if xattr @name references a smack MAC label
				4423	* @name: Full xattr name to check.
				4424	*/
				4425	static int smack_ismaclabel(const char *name)
				4426	{
				4427	return (strcmp(name, XATTR_SMACK_SUFFIX) == 0);
				4428	}
				4429
				4430
				4431	/**
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4432	* smack_secid_to_secctx - return the smack label for a secid
				4433	* @secid: incoming integer
				4434	* @secdata: destination
				4435	* @seclen: how long it is
				4436	*
				4437	* Exists for networking code.
				4438	*/
				4439	static int smack_secid_to_secctx(u32 secid, char *secdata, u32 seclen)
				4440	{
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4441	struct smack_known *skp = smack_from_secid(secid);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4442
Eric Paris	d5630b9	2010-10-13 16:24:48 -0400	[diff] [blame]	4443	if (secdata)
Casey Schaufler	2f823ff	2013-05-22 18:43:03 -0700	[diff] [blame]	4444	*secdata = skp->smk_known;
				4445	*seclen = strlen(skp->smk_known);
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4446	return 0;
				4447	}
				4448
Randy Dunlap	251a2a9	2009-02-18 11:42:33 -0800	[diff] [blame]	4449	/**
Casey Schaufler	4bc87e6	2008-02-15 15:24:25 -0800	[diff] [blame]	4450	* smack_secctx_to_secid - return the secid for a smack label
				4451	* @secdata: smack label
				4452	* @seclen: how long result is
				4453	* @secid: outgoing integer
				4454	*
				4455	* Exists for audit and networking code.
				4456	*/
David Howells	e52c1764	2008-04-29 20:52:51 +0100	[diff] [blame]	4457	static int smack_secctx_to_secid(const char secdata, u32 seclen, u32 secid)
Casey Schaufler	4bc87e6	2008-02-15 15:24:25 -0800	[diff] [blame]	4458	{
Lukasz Pawelczyk	21c7eae	2014-08-29 17:02:55 +0200	[diff] [blame]	4459	struct smack_known *skp = smk_find_entry(secdata);
				4460
				4461	if (skp)
				4462	*secid = skp->smk_secid;
				4463	else
				4464	*secid = 0;
Casey Schaufler	4bc87e6	2008-02-15 15:24:25 -0800	[diff] [blame]	4465	return 0;
				4466	}
				4467
Casey Schaufler	491a0b0	2016-01-26 15:08:35 -0800	[diff] [blame]	4468	/*
				4469	* There used to be a smack_release_secctx hook
				4470	* that did nothing back when hooks were in a vector.
				4471	* Now that there's a list such a hook adds cost.
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4472	*/
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4473
David P. Quigley	1ee65e3	2009-09-03 14:25:57 -0400	[diff] [blame]	4474	static int smack_inode_notifysecctx(struct inode inode, void ctx, u32 ctxlen)
				4475	{
				4476	return smack_inode_setsecurity(inode, XATTR_SMACK_SUFFIX, ctx, ctxlen, 0);
				4477	}
				4478
				4479	static int smack_inode_setsecctx(struct dentry dentry, void ctx, u32 ctxlen)
				4480	{
				4481	return __vfs_setxattr_noperm(dentry, XATTR_NAME_SMACK, ctx, ctxlen, 0);
				4482	}
				4483
				4484	static int smack_inode_getsecctx(struct inode inode, void ctx, u32 ctxlen)
				4485	{
Casey Schaufler	0f8983c	2018-06-01 10:45:12 -0700	[diff] [blame]	4486	struct smack_known *skp = smk_of_inode(inode);
David P. Quigley	1ee65e3	2009-09-03 14:25:57 -0400	[diff] [blame]	4487
Casey Schaufler	0f8983c	2018-06-01 10:45:12 -0700	[diff] [blame]	4488	*ctx = skp->smk_known;
				4489	*ctxlen = strlen(skp->smk_known);
David P. Quigley	1ee65e3	2009-09-03 14:25:57 -0400	[diff] [blame]	4490	return 0;
				4491	}
				4492
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4493	static int smack_inode_copy_up(struct dentry dentry, struct cred *new)
				4494	{
				4495
				4496	struct task_smack *tsp;
				4497	struct smack_known *skp;
				4498	struct inode_smack *isp;
				4499	struct cred new_creds = new;
				4500
				4501	if (new_creds == NULL) {
				4502	new_creds = prepare_creds();
				4503	if (new_creds == NULL)
				4504	return -ENOMEM;
				4505	}
				4506
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	4507	tsp = smack_cred(new_creds);
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4508
				4509	/*
				4510	* Get label from overlay inode and set it in create_sid
				4511	*/
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	4512	isp = smack_inode(d_inode(dentry->d_parent));
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4513	skp = isp->smk_inode;
				4514	tsp->smk_task = skp;
				4515	*new = new_creds;
				4516	return 0;
				4517	}
				4518
				4519	static int smack_inode_copy_up_xattr(const char *name)
				4520	{
				4521	/*
				4522	* Return 1 if this is the smack access Smack attribute.
				4523	*/
				4524	if (strcmp(name, XATTR_NAME_SMACK) == 0)
				4525	return 1;
				4526
				4527	return -EOPNOTSUPP;
				4528	}
				4529
				4530	static int smack_dentry_create_files_as(struct dentry *dentry, int mode,
				4531	struct qstr *name,
				4532	const struct cred *old,
				4533	struct cred *new)
				4534	{
Casey Schaufler	b17103a	2018-11-09 16:12:56 -0800	[diff] [blame]	4535	struct task_smack *otsp = smack_cred(old);
				4536	struct task_smack *ntsp = smack_cred(new);
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4537	struct inode_smack *isp;
				4538	int may;
				4539
				4540	/*
				4541	* Use the process credential unless all of
				4542	* the transmuting criteria are met
				4543	*/
				4544	ntsp->smk_task = otsp->smk_task;
				4545
				4546	/*
				4547	* the attribute of the containing directory
				4548	*/
Casey Schaufler	fb4021b	2018-11-12 12:43:01 -0800	[diff] [blame]	4549	isp = smack_inode(d_inode(dentry->d_parent));
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4550
				4551	if (isp->smk_flags & SMK_INODE_TRANSMUTE) {
				4552	rcu_read_lock();
				4553	may = smk_access_entry(otsp->smk_task->smk_known,
				4554	isp->smk_inode->smk_known,
				4555	&otsp->smk_task->smk_rules);
				4556	rcu_read_unlock();
				4557
				4558	/*
				4559	* If the directory is transmuting and the rule
				4560	* providing access is transmuting use the containing
				4561	* directory label instead of the process label.
				4562	*/
				4563	if (may > 0 && (may & MAY_TRANSMUTE))
				4564	ntsp->smk_task = isp->smk_inode;
				4565	}
				4566	return 0;
				4567	}
				4568
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	4569	struct lsm_blob_sizes smack_blob_sizes __lsm_ro_after_init = {
				4570	.lbs_cred = sizeof(struct task_smack),
Casey Schaufler	33bf60c	2018-11-12 12:02:49 -0800	[diff] [blame]	4571	.lbs_file = sizeof(struct smack_known *),
Casey Schaufler	afb1cbe3	2018-09-21 17:19:29 -0700	[diff] [blame]	4572	.lbs_inode = sizeof(struct inode_smack),
Casey Schaufler	ecd5f82	2018-11-20 11:55:02 -0800	[diff] [blame]	4573	.lbs_ipc = sizeof(struct smack_known *),
				4574	.lbs_msg_msg = sizeof(struct smack_known *),
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	4575	};
				4576
James Morris	ca97d93	2017-02-15 00:18:51 +1100	[diff] [blame]	4577	static struct security_hook_list smack_hooks[] __lsm_ro_after_init = {
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4578	LSM_HOOK_INIT(ptrace_access_check, smack_ptrace_access_check),
				4579	LSM_HOOK_INIT(ptrace_traceme, smack_ptrace_traceme),
				4580	LSM_HOOK_INIT(syslog, smack_syslog),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4581
Al Viro	0b52075	2018-12-23 16:02:47 -0500	[diff] [blame]	4582	LSM_HOOK_INIT(fs_context_dup, smack_fs_context_dup),
David Howells	2febd25	2018-11-01 23:07:24 +0000	[diff] [blame]	4583	LSM_HOOK_INIT(fs_context_parse_param, smack_fs_context_parse_param),
				4584
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4585	LSM_HOOK_INIT(sb_alloc_security, smack_sb_alloc_security),
				4586	LSM_HOOK_INIT(sb_free_security, smack_sb_free_security),
Al Viro	204cc0c	2018-12-13 13:41:47 -0500	[diff] [blame]	4587	LSM_HOOK_INIT(sb_free_mnt_opts, smack_free_mnt_opts),
Al Viro	5b40023	2018-12-12 20:13:29 -0500	[diff] [blame]	4588	LSM_HOOK_INIT(sb_eat_lsm_opts, smack_sb_eat_lsm_opts),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4589	LSM_HOOK_INIT(sb_statfs, smack_sb_statfs),
Vivek Trivedi	3bf2789	2015-06-22 15:36:06 +0530	[diff] [blame]	4590	LSM_HOOK_INIT(sb_set_mnt_opts, smack_set_mnt_opts),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4591
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4592	LSM_HOOK_INIT(bprm_set_creds, smack_bprm_set_creds),
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	4593
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4594	LSM_HOOK_INIT(inode_alloc_security, smack_inode_alloc_security),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4595	LSM_HOOK_INIT(inode_init_security, smack_inode_init_security),
				4596	LSM_HOOK_INIT(inode_link, smack_inode_link),
				4597	LSM_HOOK_INIT(inode_unlink, smack_inode_unlink),
				4598	LSM_HOOK_INIT(inode_rmdir, smack_inode_rmdir),
				4599	LSM_HOOK_INIT(inode_rename, smack_inode_rename),
				4600	LSM_HOOK_INIT(inode_permission, smack_inode_permission),
				4601	LSM_HOOK_INIT(inode_setattr, smack_inode_setattr),
				4602	LSM_HOOK_INIT(inode_getattr, smack_inode_getattr),
				4603	LSM_HOOK_INIT(inode_setxattr, smack_inode_setxattr),
				4604	LSM_HOOK_INIT(inode_post_setxattr, smack_inode_post_setxattr),
				4605	LSM_HOOK_INIT(inode_getxattr, smack_inode_getxattr),
				4606	LSM_HOOK_INIT(inode_removexattr, smack_inode_removexattr),
				4607	LSM_HOOK_INIT(inode_getsecurity, smack_inode_getsecurity),
				4608	LSM_HOOK_INIT(inode_setsecurity, smack_inode_setsecurity),
				4609	LSM_HOOK_INIT(inode_listsecurity, smack_inode_listsecurity),
				4610	LSM_HOOK_INIT(inode_getsecid, smack_inode_getsecid),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4611
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4612	LSM_HOOK_INIT(file_alloc_security, smack_file_alloc_security),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4613	LSM_HOOK_INIT(file_ioctl, smack_file_ioctl),
				4614	LSM_HOOK_INIT(file_lock, smack_file_lock),
				4615	LSM_HOOK_INIT(file_fcntl, smack_file_fcntl),
				4616	LSM_HOOK_INIT(mmap_file, smack_mmap_file),
				4617	LSM_HOOK_INIT(mmap_addr, cap_mmap_addr),
				4618	LSM_HOOK_INIT(file_set_fowner, smack_file_set_fowner),
				4619	LSM_HOOK_INIT(file_send_sigiotask, smack_file_send_sigiotask),
				4620	LSM_HOOK_INIT(file_receive, smack_file_receive),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4621
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4622	LSM_HOOK_INIT(file_open, smack_file_open),
Casey Schaufler	531f1d4	2011-09-19 12:41:42 -0700	[diff] [blame]	4623
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4624	LSM_HOOK_INIT(cred_alloc_blank, smack_cred_alloc_blank),
				4625	LSM_HOOK_INIT(cred_free, smack_cred_free),
				4626	LSM_HOOK_INIT(cred_prepare, smack_cred_prepare),
				4627	LSM_HOOK_INIT(cred_transfer, smack_cred_transfer),
Matthew Garrett	3ec3011	2018-01-08 13:36:19 -0800	[diff] [blame]	4628	LSM_HOOK_INIT(cred_getsecid, smack_cred_getsecid),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4629	LSM_HOOK_INIT(kernel_act_as, smack_kernel_act_as),
				4630	LSM_HOOK_INIT(kernel_create_files_as, smack_kernel_create_files_as),
				4631	LSM_HOOK_INIT(task_setpgid, smack_task_setpgid),
				4632	LSM_HOOK_INIT(task_getpgid, smack_task_getpgid),
				4633	LSM_HOOK_INIT(task_getsid, smack_task_getsid),
				4634	LSM_HOOK_INIT(task_getsecid, smack_task_getsecid),
				4635	LSM_HOOK_INIT(task_setnice, smack_task_setnice),
				4636	LSM_HOOK_INIT(task_setioprio, smack_task_setioprio),
				4637	LSM_HOOK_INIT(task_getioprio, smack_task_getioprio),
				4638	LSM_HOOK_INIT(task_setscheduler, smack_task_setscheduler),
				4639	LSM_HOOK_INIT(task_getscheduler, smack_task_getscheduler),
				4640	LSM_HOOK_INIT(task_movememory, smack_task_movememory),
				4641	LSM_HOOK_INIT(task_kill, smack_task_kill),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4642	LSM_HOOK_INIT(task_to_inode, smack_task_to_inode),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4643
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4644	LSM_HOOK_INIT(ipc_permission, smack_ipc_permission),
				4645	LSM_HOOK_INIT(ipc_getsecid, smack_ipc_getsecid),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4646
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4647	LSM_HOOK_INIT(msg_msg_alloc_security, smack_msg_msg_alloc_security),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4648
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	4649	LSM_HOOK_INIT(msg_queue_alloc_security, smack_ipc_alloc_security),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4650	LSM_HOOK_INIT(msg_queue_associate, smack_msg_queue_associate),
				4651	LSM_HOOK_INIT(msg_queue_msgctl, smack_msg_queue_msgctl),
				4652	LSM_HOOK_INIT(msg_queue_msgsnd, smack_msg_queue_msgsnd),
				4653	LSM_HOOK_INIT(msg_queue_msgrcv, smack_msg_queue_msgrcv),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4654
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	4655	LSM_HOOK_INIT(shm_alloc_security, smack_ipc_alloc_security),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4656	LSM_HOOK_INIT(shm_associate, smack_shm_associate),
				4657	LSM_HOOK_INIT(shm_shmctl, smack_shm_shmctl),
				4658	LSM_HOOK_INIT(shm_shmat, smack_shm_shmat),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4659
Eric W. Biederman	0d79cbf	2018-03-23 23:56:19 -0500	[diff] [blame]	4660	LSM_HOOK_INIT(sem_alloc_security, smack_ipc_alloc_security),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4661	LSM_HOOK_INIT(sem_associate, smack_sem_associate),
				4662	LSM_HOOK_INIT(sem_semctl, smack_sem_semctl),
				4663	LSM_HOOK_INIT(sem_semop, smack_sem_semop),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4664
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4665	LSM_HOOK_INIT(d_instantiate, smack_d_instantiate),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4666
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4667	LSM_HOOK_INIT(getprocattr, smack_getprocattr),
				4668	LSM_HOOK_INIT(setprocattr, smack_setprocattr),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4669
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4670	LSM_HOOK_INIT(unix_stream_connect, smack_unix_stream_connect),
				4671	LSM_HOOK_INIT(unix_may_send, smack_unix_may_send),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4672
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4673	LSM_HOOK_INIT(socket_post_create, smack_socket_post_create),
Tom Gundersen	5859cdf	2018-05-04 16:28:22 +0200	[diff] [blame]	4674	LSM_HOOK_INIT(socket_socketpair, smack_socket_socketpair),
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4675	#ifdef SMACK_IPV6_PORT_LABELING
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4676	LSM_HOOK_INIT(socket_bind, smack_socket_bind),
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4677	#endif
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4678	LSM_HOOK_INIT(socket_connect, smack_socket_connect),
				4679	LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg),
				4680	LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb),
				4681	LSM_HOOK_INIT(socket_getpeersec_stream, smack_socket_getpeersec_stream),
				4682	LSM_HOOK_INIT(socket_getpeersec_dgram, smack_socket_getpeersec_dgram),
				4683	LSM_HOOK_INIT(sk_alloc_security, smack_sk_alloc_security),
				4684	LSM_HOOK_INIT(sk_free_security, smack_sk_free_security),
				4685	LSM_HOOK_INIT(sock_graft, smack_sock_graft),
				4686	LSM_HOOK_INIT(inet_conn_request, smack_inet_conn_request),
				4687	LSM_HOOK_INIT(inet_csk_clone, smack_inet_csk_clone),
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4688
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4689	/* key management security hooks */
				4690	#ifdef CONFIG_KEYS
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4691	LSM_HOOK_INIT(key_alloc, smack_key_alloc),
				4692	LSM_HOOK_INIT(key_free, smack_key_free),
				4693	LSM_HOOK_INIT(key_permission, smack_key_permission),
				4694	LSM_HOOK_INIT(key_getsecurity, smack_key_getsecurity),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4695	#endif /* CONFIG_KEYS */
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4696
				4697	/* Audit hooks */
				4698	#ifdef CONFIG_AUDIT
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4699	LSM_HOOK_INIT(audit_rule_init, smack_audit_rule_init),
				4700	LSM_HOOK_INIT(audit_rule_known, smack_audit_rule_known),
				4701	LSM_HOOK_INIT(audit_rule_match, smack_audit_rule_match),
Ahmed S. Darwish	d20bdda	2008-04-30 08:34:10 +1000	[diff] [blame]	4702	#endif /* CONFIG_AUDIT */
				4703
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4704	LSM_HOOK_INIT(ismaclabel, smack_ismaclabel),
				4705	LSM_HOOK_INIT(secid_to_secctx, smack_secid_to_secctx),
				4706	LSM_HOOK_INIT(secctx_to_secid, smack_secctx_to_secid),
Casey Schaufler	e20b043	2015-05-02 15:11:36 -0700	[diff] [blame]	4707	LSM_HOOK_INIT(inode_notifysecctx, smack_inode_notifysecctx),
				4708	LSM_HOOK_INIT(inode_setsecctx, smack_inode_setsecctx),
				4709	LSM_HOOK_INIT(inode_getsecctx, smack_inode_getsecctx),
Casey Schaufler	d6d80cb	2017-09-28 14:54:50 -0700	[diff] [blame]	4710	LSM_HOOK_INIT(inode_copy_up, smack_inode_copy_up),
				4711	LSM_HOOK_INIT(inode_copy_up_xattr, smack_inode_copy_up_xattr),
				4712	LSM_HOOK_INIT(dentry_create_files_as, smack_dentry_create_files_as),
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4713	};
				4714
Etienne Basset	7198e2e	2009-03-24 20:53:24 +0100	[diff] [blame]	4715
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4716	static __init void init_smack_known_list(void)
Etienne Basset	7198e2e	2009-03-24 20:53:24 +0100	[diff] [blame]	4717	{
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4718	/*
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4719	* Initialize rule list locks
				4720	*/
				4721	mutex_init(&smack_known_huh.smk_rules_lock);
				4722	mutex_init(&smack_known_hat.smk_rules_lock);
				4723	mutex_init(&smack_known_floor.smk_rules_lock);
				4724	mutex_init(&smack_known_star.smk_rules_lock);
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4725	mutex_init(&smack_known_web.smk_rules_lock);
				4726	/*
				4727	* Initialize rule lists
				4728	*/
				4729	INIT_LIST_HEAD(&smack_known_huh.smk_rules);
				4730	INIT_LIST_HEAD(&smack_known_hat.smk_rules);
				4731	INIT_LIST_HEAD(&smack_known_star.smk_rules);
				4732	INIT_LIST_HEAD(&smack_known_floor.smk_rules);
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4733	INIT_LIST_HEAD(&smack_known_web.smk_rules);
				4734	/*
				4735	* Create the known labels list
				4736	*/
Tomasz Stanislawski	4d7cf4a	2013-06-11 14:55:13 +0200	[diff] [blame]	4737	smk_insert_entry(&smack_known_huh);
				4738	smk_insert_entry(&smack_known_hat);
				4739	smk_insert_entry(&smack_known_star);
				4740	smk_insert_entry(&smack_known_floor);
Tomasz Stanislawski	4d7cf4a	2013-06-11 14:55:13 +0200	[diff] [blame]	4741	smk_insert_entry(&smack_known_web);
Etienne Basset	7198e2e	2009-03-24 20:53:24 +0100	[diff] [blame]	4742	}
				4743
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4744	/**
				4745	* smack_init - initialize the smack system
				4746	*
luanshi	a1a07f2	2019-07-05 10:35:20 +0800	[diff] [blame]	4747	* Returns 0 on success, -ENOMEM is there's no memory
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4748	*/
				4749	static __init int smack_init(void)
				4750	{
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	4751	struct cred cred = (struct cred ) current->cred;
Casey Schaufler	676dac4	2010-12-02 06:43:39 -0800	[diff] [blame]	4752	struct task_smack *tsp;
David Howells	d84f4f9	2008-11-14 10:39:23 +1100	[diff] [blame]	4753
Rohit	1a5b472	2014-10-15 17:40:41 +0530	[diff] [blame]	4754	smack_inode_cache = KMEM_CACHE(inode_smack, 0);
				4755	if (!smack_inode_cache)
				4756	return -ENOMEM;
				4757
Casey Schaufler	4e328b0	2019-04-02 11:37:12 -0700	[diff] [blame]	4758	smack_rule_cache = KMEM_CACHE(smack_rule, 0);
				4759	if (!smack_rule_cache) {
				4760	kmem_cache_destroy(smack_inode_cache);
				4761	return -ENOMEM;
				4762	}
				4763
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	4764	/*
				4765	* Set the security state for the initial task.
				4766	*/
				4767	tsp = smack_cred(cred);
				4768	init_task_smack(tsp, &smack_known_floor, &smack_known_floor);
				4769
				4770	/*
				4771	* Register with LSM
				4772	*/
				4773	security_add_hooks(smack_hooks, ARRAY_SIZE(smack_hooks), "smack");
José Bollo	d21b7b0	2015-10-02 15:15:56 +0200	[diff] [blame]	4774	smack_enabled = 1;
				4775
Casey Schaufler	21abb1e	2015-07-22 14:25:31 -0700	[diff] [blame]	4776	pr_info("Smack: Initializing.\n");
				4777	#ifdef CONFIG_SECURITY_SMACK_NETFILTER
				4778	pr_info("Smack: Netfilter enabled.\n");
				4779	#endif
				4780	#ifdef SMACK_IPV6_PORT_LABELING
				4781	pr_info("Smack: IPv6 port labeling enabled.\n");
				4782	#endif
				4783	#ifdef SMACK_IPV6_SECMARK_LABELING
				4784	pr_info("Smack: IPv6 Netfilter enabled.\n");
				4785	#endif
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4786
Casey Schaufler	86812bb	2012-04-17 18:55:46 -0700	[diff] [blame]	4787	/* initialize the smack_known_list */
				4788	init_smack_known_list();
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4789
Casey Schaufler	e114e47	2008-02-04 22:29:50 -0800	[diff] [blame]	4790	return 0;
				4791	}
				4792
				4793	/*
				4794	* Smack requires early initialization in order to label
				4795	* all processes and objects when they are created.
				4796	*/
Kees Cook	3d6e5f6	2018-10-10 17:18:23 -0700	[diff] [blame]	4797	DEFINE_LSM(smack) = {
Kees Cook	07aed2f	2018-10-10 17:18:24 -0700	[diff] [blame]	4798	.name = "smack",
Kees Cook	14bd99c	2018-09-19 19:57:06 -0700	[diff] [blame]	4799	.flags = LSM_FLAG_LEGACY_MAJOR \| LSM_FLAG_EXCLUSIVE,
Casey Schaufler	bbd3662	2018-11-12 09:30:56 -0800	[diff] [blame]	4800	.blobs = &smack_blob_sizes,
Kees Cook	3d6e5f6	2018-10-10 17:18:23 -0700	[diff] [blame]	4801	.init = smack_init,
				4802	};