Commit | Line | Data |
---|---|---|
a10e763b | 1 | // SPDX-License-Identifier: GPL-2.0-only |
e114e473 CS |
2 | /* |
3 | * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> | |
4 | * | |
e114e473 CS |
5 | * Author: |
6 | * Casey Schaufler <casey@schaufler-ca.com> | |
e114e473 CS |
7 | */ |
8 | ||
9 | #include <linux/types.h> | |
5a0e3ad6 | 10 | #include <linux/slab.h> |
e114e473 CS |
11 | #include <linux/fs.h> |
12 | #include <linux/sched.h> | |
13 | #include "smack.h" | |
14 | ||
e114e473 | 15 | struct smack_known smack_known_huh = { |
e114e473 CS |
16 | .smk_known = "?", |
17 | .smk_secid = 2, | |
e114e473 CS |
18 | }; |
19 | ||
20 | struct smack_known smack_known_hat = { | |
e114e473 CS |
21 | .smk_known = "^", |
22 | .smk_secid = 3, | |
e114e473 CS |
23 | }; |
24 | ||
25 | struct smack_known smack_known_star = { | |
e114e473 CS |
26 | .smk_known = "*", |
27 | .smk_secid = 4, | |
e114e473 CS |
28 | }; |
29 | ||
30 | struct smack_known smack_known_floor = { | |
e114e473 CS |
31 | .smk_known = "_", |
32 | .smk_secid = 5, | |
e114e473 CS |
33 | }; |
34 | ||
6d3dc07c | 35 | struct smack_known smack_known_web = { |
6d3dc07c CS |
36 | .smk_known = "@", |
37 | .smk_secid = 7, | |
6d3dc07c CS |
38 | }; |
39 | ||
7198e2ee | 40 | LIST_HEAD(smack_known_list); |
e114e473 CS |
41 | |
42 | /* | |
43 | * The initial value needs to be bigger than any of the | |
44 | * known values above. | |
45 | */ | |
46 | static u32 smack_next_secid = 10; | |
47 | ||
ecfcc53f EB |
48 | /* |
49 | * what events do we log | |
50 | * can be overwritten at run-time by /smack/logging | |
51 | */ | |
52 | int log_policy = SMACK_AUDIT_DENIED; | |
53 | ||
5c6d1125 JS |
54 | /** |
55 | * smk_access_entry - look up matching access rule | |
56 | * @subject_label: a pointer to the subject's Smack label | |
57 | * @object_label: a pointer to the object's Smack label | |
7898e1f8 | 58 | * @rule_list: the list of rules to search |
5c6d1125 JS |
59 | * |
60 | * This function looks up the subject/object pair in the | |
7898e1f8 CS |
61 | * access rule list and returns the access mode. If no |
62 | * entry is found returns -ENOENT. | |
5c6d1125 JS |
63 | * |
64 | * NOTE: | |
5c6d1125 | 65 | * |
272cd7a8 CS |
66 | * Earlier versions of this function allowed for labels that |
67 | * were not on the label list. This was done to allow for | |
68 | * labels to come over the network that had never been seen | |
69 | * before on this host. Unless the receiving socket has the | |
70 | * star label this will always result in a failure check. The | |
71 | * star labeled socket case is now handled in the networking | |
72 | * hooks so there is no case where the label is not on the | |
73 | * label list. Checking to see if the address of two labels | |
74 | * is the same is now a reliable test. | |
75 | * | |
76 | * Do the object check first because that is more | |
77 | * likely to differ. | |
c0ab6e56 CS |
78 | * |
79 | * Allowing write access implies allowing locking. | |
5c6d1125 | 80 | */ |
7898e1f8 CS |
81 | int smk_access_entry(char *subject_label, char *object_label, |
82 | struct list_head *rule_list) | |
5c6d1125 | 83 | { |
5c6d1125 JS |
84 | struct smack_rule *srp; |
85 | ||
7898e1f8 | 86 | list_for_each_entry_rcu(srp, rule_list, list) { |
21c7eae2 | 87 | if (srp->smk_object->smk_known == object_label && |
2f823ff8 | 88 | srp->smk_subject->smk_known == subject_label) { |
6d14f5c7 TZ |
89 | int may = srp->smk_access; |
90 | /* | |
91 | * MAY_WRITE implies MAY_LOCK. | |
92 | */ | |
93 | if ((may & MAY_WRITE) == MAY_WRITE) | |
94 | may |= MAY_LOCK; | |
95 | return may; | |
5c6d1125 JS |
96 | } |
97 | } | |
5c6d1125 | 98 | |
6d14f5c7 | 99 | return -ENOENT; |
5c6d1125 JS |
100 | } |
101 | ||
e114e473 CS |
102 | /** |
103 | * smk_access - determine if a subject has a specific access to an object | |
21c7eae2 LP |
104 | * @subject: a pointer to the subject's Smack label entry |
105 | * @object: a pointer to the object's Smack label entry | |
e114e473 | 106 | * @request: the access requested, in "MAY" format |
ecfcc53f | 107 | * @a : a pointer to the audit data |
e114e473 CS |
108 | * |
109 | * This function looks up the subject/object pair in the | |
110 | * access rule list and returns 0 if the access is permitted, | |
111 | * non zero otherwise. | |
112 | * | |
272cd7a8 | 113 | * Smack labels are shared on smack_list |
e114e473 | 114 | */ |
21c7eae2 LP |
115 | int smk_access(struct smack_known *subject, struct smack_known *object, |
116 | int request, struct smk_audit_info *a) | |
e114e473 | 117 | { |
7898e1f8 | 118 | int may = MAY_NOT; |
ecfcc53f | 119 | int rc = 0; |
e114e473 CS |
120 | |
121 | /* | |
122 | * Hardcoded comparisons. | |
bf4b2fee CS |
123 | */ |
124 | /* | |
e114e473 CS |
125 | * A star subject can't access any object. |
126 | */ | |
21c7eae2 | 127 | if (subject == &smack_known_star) { |
ecfcc53f EB |
128 | rc = -EACCES; |
129 | goto out_audit; | |
130 | } | |
6d3dc07c CS |
131 | /* |
132 | * An internet object can be accessed by any subject. | |
133 | * Tasks cannot be assigned the internet label. | |
134 | * An internet subject can access any object. | |
135 | */ | |
6c892df2 | 136 | if (object == &smack_known_web || subject == &smack_known_web) |
ecfcc53f | 137 | goto out_audit; |
e114e473 CS |
138 | /* |
139 | * A star object can be accessed by any subject. | |
140 | */ | |
21c7eae2 | 141 | if (object == &smack_known_star) |
ecfcc53f | 142 | goto out_audit; |
e114e473 CS |
143 | /* |
144 | * An object can be accessed in any way by a subject | |
145 | * with the same label. | |
146 | */ | |
21c7eae2 | 147 | if (subject->smk_known == object->smk_known) |
ecfcc53f | 148 | goto out_audit; |
e114e473 | 149 | /* |
6c892df2 CS |
150 | * A hat subject can read or lock any object. |
151 | * A floor object can be read or locked by any subject. | |
e114e473 | 152 | */ |
6c892df2 CS |
153 | if ((request & MAY_ANYREAD) == request || |
154 | (request & MAY_LOCK) == request) { | |
21c7eae2 | 155 | if (object == &smack_known_floor) |
ecfcc53f | 156 | goto out_audit; |
21c7eae2 | 157 | if (subject == &smack_known_hat) |
ecfcc53f | 158 | goto out_audit; |
e114e473 CS |
159 | } |
160 | /* | |
161 | * Beyond here an explicit relationship is required. | |
162 | * If the requested access is contained in the available | |
163 | * access (e.g. read is included in readwrite) it's | |
7898e1f8 CS |
164 | * good. A negative response from smk_access_entry() |
165 | * indicates there is no entry for this pair. | |
e114e473 | 166 | */ |
7898e1f8 | 167 | rcu_read_lock(); |
21c7eae2 LP |
168 | may = smk_access_entry(subject->smk_known, object->smk_known, |
169 | &subject->smk_rules); | |
7898e1f8 CS |
170 | rcu_read_unlock(); |
171 | ||
d166c802 CS |
172 | if (may <= 0 || (request & may) != request) { |
173 | rc = -EACCES; | |
ecfcc53f | 174 | goto out_audit; |
d166c802 CS |
175 | } |
176 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP | |
177 | /* | |
178 | * Return a positive value if using bringup mode. | |
179 | * This allows the hooks to identify checks that | |
180 | * succeed because of "b" rules. | |
181 | */ | |
182 | if (may & MAY_BRINGUP) | |
bf4b2fee | 183 | rc = SMACK_BRINGUP_ALLOW; |
d166c802 | 184 | #endif |
e114e473 | 185 | |
ecfcc53f | 186 | out_audit: |
bf4b2fee CS |
187 | |
188 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP | |
189 | if (rc < 0) { | |
190 | if (object == smack_unconfined) | |
191 | rc = SMACK_UNCONFINED_OBJECT; | |
192 | if (subject == smack_unconfined) | |
193 | rc = SMACK_UNCONFINED_SUBJECT; | |
194 | } | |
195 | #endif | |
196 | ||
ecfcc53f EB |
197 | #ifdef CONFIG_AUDIT |
198 | if (a) | |
21c7eae2 LP |
199 | smack_log(subject->smk_known, object->smk_known, |
200 | request, rc, a); | |
ecfcc53f | 201 | #endif |
d166c802 | 202 | |
ecfcc53f | 203 | return rc; |
e114e473 CS |
204 | } |
205 | ||
206 | /** | |
959e6c7f | 207 | * smk_tskacc - determine if a task has a specific access to an object |
21c7eae2 LP |
208 | * @tsp: a pointer to the subject's task |
209 | * @obj_known: a pointer to the object's label entry | |
251a2a95 | 210 | * @mode: the access requested, in "MAY" format |
ecfcc53f | 211 | * @a : common audit data |
e114e473 | 212 | * |
959e6c7f | 213 | * This function checks the subject task's label/object label pair |
e114e473 | 214 | * in the access rule list and returns 0 if the access is permitted, |
959e6c7f | 215 | * non zero otherwise. It allows that the task may have the capability |
e114e473 CS |
216 | * to override the rules. |
217 | */ | |
21c7eae2 | 218 | int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, |
959e6c7f | 219 | u32 mode, struct smk_audit_info *a) |
e114e473 | 220 | { |
21c7eae2 | 221 | struct smack_known *sbj_known = smk_of_task(tsp); |
7898e1f8 | 222 | int may; |
e114e473 CS |
223 | int rc; |
224 | ||
7898e1f8 CS |
225 | /* |
226 | * Check the global rule list | |
227 | */ | |
21c7eae2 | 228 | rc = smk_access(sbj_known, obj_known, mode, NULL); |
d166c802 | 229 | if (rc >= 0) { |
7898e1f8 CS |
230 | /* |
231 | * If there is an entry in the task's rule list | |
232 | * it can further restrict access. | |
233 | */ | |
21c7eae2 LP |
234 | may = smk_access_entry(sbj_known->smk_known, |
235 | obj_known->smk_known, | |
236 | &tsp->smk_rules); | |
7898e1f8 CS |
237 | if (may < 0) |
238 | goto out_audit; | |
239 | if ((mode & may) == mode) | |
240 | goto out_audit; | |
241 | rc = -EACCES; | |
242 | } | |
e114e473 | 243 | |
15446235 | 244 | /* |
1880eff7 | 245 | * Allow for priviliged to override policy. |
15446235 | 246 | */ |
1880eff7 | 247 | if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) |
7898e1f8 | 248 | rc = 0; |
e114e473 | 249 | |
ecfcc53f EB |
250 | out_audit: |
251 | #ifdef CONFIG_AUDIT | |
252 | if (a) | |
21c7eae2 LP |
253 | smack_log(sbj_known->smk_known, obj_known->smk_known, |
254 | mode, rc, a); | |
ecfcc53f | 255 | #endif |
e114e473 CS |
256 | return rc; |
257 | } | |
258 | ||
959e6c7f LP |
259 | /** |
260 | * smk_curacc - determine if current has a specific access to an object | |
21c7eae2 | 261 | * @obj_known: a pointer to the object's Smack label entry |
959e6c7f LP |
262 | * @mode: the access requested, in "MAY" format |
263 | * @a : common audit data | |
264 | * | |
265 | * This function checks the current subject label/object label pair | |
266 | * in the access rule list and returns 0 if the access is permitted, | |
267 | * non zero otherwise. It allows that current may have the capability | |
268 | * to override the rules. | |
269 | */ | |
21c7eae2 LP |
270 | int smk_curacc(struct smack_known *obj_known, |
271 | u32 mode, struct smk_audit_info *a) | |
959e6c7f | 272 | { |
b17103a8 | 273 | struct task_smack *tsp = smack_cred(current_cred()); |
959e6c7f | 274 | |
21c7eae2 | 275 | return smk_tskacc(tsp, obj_known, mode, a); |
959e6c7f LP |
276 | } |
277 | ||
ecfcc53f EB |
278 | #ifdef CONFIG_AUDIT |
279 | /** | |
280 | * smack_str_from_perm : helper to transalate an int to a | |
281 | * readable string | |
282 | * @string : the string to fill | |
283 | * @access : the int | |
284 | * | |
285 | */ | |
286 | static inline void smack_str_from_perm(char *string, int access) | |
287 | { | |
288 | int i = 0; | |
c0ab6e56 | 289 | |
ecfcc53f EB |
290 | if (access & MAY_READ) |
291 | string[i++] = 'r'; | |
292 | if (access & MAY_WRITE) | |
293 | string[i++] = 'w'; | |
294 | if (access & MAY_EXEC) | |
295 | string[i++] = 'x'; | |
296 | if (access & MAY_APPEND) | |
297 | string[i++] = 'a'; | |
a87d79ad RK |
298 | if (access & MAY_TRANSMUTE) |
299 | string[i++] = 't'; | |
c0ab6e56 CS |
300 | if (access & MAY_LOCK) |
301 | string[i++] = 'l'; | |
ecfcc53f EB |
302 | string[i] = '\0'; |
303 | } | |
304 | /** | |
305 | * smack_log_callback - SMACK specific information | |
306 | * will be called by generic audit code | |
307 | * @ab : the audit_buffer | |
308 | * @a : audit_data | |
309 | * | |
310 | */ | |
311 | static void smack_log_callback(struct audit_buffer *ab, void *a) | |
312 | { | |
313 | struct common_audit_data *ad = a; | |
3b3b0e4f | 314 | struct smack_audit_data *sad = ad->smack_audit_data; |
ed5215a2 | 315 | audit_log_format(ab, "lsm=SMACK fn=%s action=%s", |
3b3b0e4f | 316 | ad->smack_audit_data->function, |
ecfcc53f EB |
317 | sad->result ? "denied" : "granted"); |
318 | audit_log_format(ab, " subject="); | |
319 | audit_log_untrustedstring(ab, sad->subject); | |
320 | audit_log_format(ab, " object="); | |
321 | audit_log_untrustedstring(ab, sad->object); | |
66867818 LP |
322 | if (sad->request[0] == '\0') |
323 | audit_log_format(ab, " labels_differ"); | |
324 | else | |
325 | audit_log_format(ab, " requested=%s", sad->request); | |
ecfcc53f EB |
326 | } |
327 | ||
328 | /** | |
329 | * smack_log - Audit the granting or denial of permissions. | |
330 | * @subject_label : smack label of the requester | |
331 | * @object_label : smack label of the object being accessed | |
332 | * @request: requested permissions | |
333 | * @result: result from smk_access | |
fe6bde73 | 334 | * @ad: auxiliary audit data |
ecfcc53f EB |
335 | * |
336 | * Audit the granting or denial of permissions in accordance | |
337 | * with the policy. | |
338 | */ | |
339 | void smack_log(char *subject_label, char *object_label, int request, | |
340 | int result, struct smk_audit_info *ad) | |
341 | { | |
bf4b2fee CS |
342 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
343 | char request_buffer[SMK_NUM_ACCESS_TYPE + 5]; | |
344 | #else | |
ecfcc53f | 345 | char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; |
bf4b2fee | 346 | #endif |
ecfcc53f EB |
347 | struct smack_audit_data *sad; |
348 | struct common_audit_data *a = &ad->a; | |
349 | ||
350 | /* check if we have to log the current event */ | |
bf4b2fee | 351 | if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) |
ecfcc53f EB |
352 | return; |
353 | if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) | |
354 | return; | |
355 | ||
3b3b0e4f EP |
356 | sad = a->smack_audit_data; |
357 | ||
358 | if (sad->function == NULL) | |
359 | sad->function = "unknown"; | |
ecfcc53f EB |
360 | |
361 | /* end preparing the audit data */ | |
ecfcc53f EB |
362 | smack_str_from_perm(request_buffer, request); |
363 | sad->subject = subject_label; | |
364 | sad->object = object_label; | |
bf4b2fee CS |
365 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
366 | /* | |
367 | * The result may be positive in bringup mode. | |
368 | * A positive result is an allow, but not for normal reasons. | |
369 | * Mark it as successful, but don't filter it out even if | |
370 | * the logging policy says to do so. | |
371 | */ | |
372 | if (result == SMACK_UNCONFINED_SUBJECT) | |
373 | strcat(request_buffer, "(US)"); | |
374 | else if (result == SMACK_UNCONFINED_OBJECT) | |
375 | strcat(request_buffer, "(UO)"); | |
376 | ||
377 | if (result > 0) | |
378 | result = 0; | |
379 | #endif | |
ecfcc53f EB |
380 | sad->request = request_buffer; |
381 | sad->result = result; | |
ecfcc53f | 382 | |
b61c37f5 | 383 | common_lsm_audit(a, smack_log_callback, NULL); |
ecfcc53f EB |
384 | } |
385 | #else /* #ifdef CONFIG_AUDIT */ | |
386 | void smack_log(char *subject_label, char *object_label, int request, | |
387 | int result, struct smk_audit_info *ad) | |
388 | { | |
389 | } | |
390 | #endif | |
391 | ||
f7112e6c | 392 | DEFINE_MUTEX(smack_known_lock); |
e114e473 | 393 | |
4d7cf4a1 TS |
394 | struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; |
395 | ||
396 | /** | |
397 | * smk_insert_entry - insert a smack label into a hash map, | |
fe6bde73 | 398 | * @skp: smack label |
4d7cf4a1 TS |
399 | * |
400 | * this function must be called under smack_known_lock | |
401 | */ | |
402 | void smk_insert_entry(struct smack_known *skp) | |
403 | { | |
404 | unsigned int hash; | |
405 | struct hlist_head *head; | |
406 | ||
8387ff25 | 407 | hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known)); |
4d7cf4a1 TS |
408 | head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; |
409 | ||
410 | hlist_add_head_rcu(&skp->smk_hashed, head); | |
411 | list_add_rcu(&skp->list, &smack_known_list); | |
412 | } | |
413 | ||
272cd7a8 CS |
414 | /** |
415 | * smk_find_entry - find a label on the list, return the list entry | |
416 | * @string: a text string that might be a Smack label | |
417 | * | |
418 | * Returns a pointer to the entry in the label list that | |
e774ad68 | 419 | * matches the passed string or NULL if not found. |
272cd7a8 CS |
420 | */ |
421 | struct smack_known *smk_find_entry(const char *string) | |
422 | { | |
4d7cf4a1 TS |
423 | unsigned int hash; |
424 | struct hlist_head *head; | |
272cd7a8 CS |
425 | struct smack_known *skp; |
426 | ||
8387ff25 | 427 | hash = full_name_hash(NULL, string, strlen(string)); |
4d7cf4a1 TS |
428 | head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; |
429 | ||
430 | hlist_for_each_entry_rcu(skp, head, smk_hashed) | |
f7112e6c | 431 | if (strcmp(skp->smk_known, string) == 0) |
272cd7a8 | 432 | return skp; |
272cd7a8 CS |
433 | |
434 | return NULL; | |
435 | } | |
436 | ||
e114e473 | 437 | /** |
0e94ae17 JS |
438 | * smk_parse_smack - parse smack label from a text string |
439 | * @string: a text string that might contain a Smack label | |
e114e473 | 440 | * @len: the maximum size, or zero if it is NULL terminated. |
f7112e6c | 441 | * |
e774ad68 | 442 | * Returns a pointer to the clean label or an error code. |
e114e473 | 443 | */ |
f7112e6c | 444 | char *smk_parse_smack(const char *string, int len) |
e114e473 | 445 | { |
f7112e6c | 446 | char *smack; |
e114e473 CS |
447 | int i; |
448 | ||
f7112e6c CS |
449 | if (len <= 0) |
450 | len = strlen(string) + 1; | |
451 | ||
452 | /* | |
453 | * Reserve a leading '-' as an indicator that | |
454 | * this isn't a label, but an option to interfaces | |
455 | * including /smack/cipso and /smack/cipso2 | |
456 | */ | |
457 | if (string[0] == '-') | |
e774ad68 | 458 | return ERR_PTR(-EINVAL); |
f7112e6c CS |
459 | |
460 | for (i = 0; i < len; i++) | |
461 | if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || | |
462 | string[i] == '"' || string[i] == '\\' || string[i] == '\'') | |
463 | break; | |
464 | ||
465 | if (i == 0 || i >= SMK_LONGLABEL) | |
e774ad68 | 466 | return ERR_PTR(-EINVAL); |
f7112e6c | 467 | |
63c3b5d2 GR |
468 | smack = kstrndup(string, i, GFP_NOFS); |
469 | if (!smack) | |
e774ad68 | 470 | return ERR_PTR(-ENOMEM); |
f7112e6c CS |
471 | return smack; |
472 | } | |
473 | ||
474 | /** | |
475 | * smk_netlbl_mls - convert a catset to netlabel mls categories | |
fe6bde73 | 476 | * @level: MLS sensitivity level |
f7112e6c CS |
477 | * @catset: the Smack categories |
478 | * @sap: where to put the netlabel categories | |
fe6bde73 | 479 | * @len: number of bytes for the levels in a CIPSO IP option |
f7112e6c CS |
480 | * |
481 | * Allocates and fills attr.mls | |
482 | * Returns 0 on success, error code on failure. | |
483 | */ | |
484 | int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, | |
485 | int len) | |
486 | { | |
487 | unsigned char *cp; | |
488 | unsigned char m; | |
489 | int cat; | |
490 | int rc; | |
491 | int byte; | |
492 | ||
493 | sap->flags |= NETLBL_SECATTR_MLS_CAT; | |
494 | sap->attr.mls.lvl = level; | |
4b8feff2 | 495 | sap->attr.mls.cat = NULL; |
f7112e6c CS |
496 | |
497 | for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) | |
498 | for (m = 0x80; m != 0; m >>= 1, cat++) { | |
499 | if ((m & *cp) == 0) | |
500 | continue; | |
4fbe63d1 | 501 | rc = netlbl_catmap_setbit(&sap->attr.mls.cat, |
e5bfad3d | 502 | cat, GFP_NOFS); |
f7112e6c | 503 | if (rc < 0) { |
4fbe63d1 | 504 | netlbl_catmap_free(sap->attr.mls.cat); |
f7112e6c CS |
505 | return rc; |
506 | } | |
507 | } | |
508 | ||
509 | return 0; | |
0e94ae17 JS |
510 | } |
511 | ||
322dd63c CS |
512 | /** |
513 | * smack_populate_secattr - fill in the smack_known netlabel information | |
514 | * @skp: pointer to the structure to fill | |
515 | * | |
516 | * Populate the netlabel secattr structure for a Smack label. | |
517 | * | |
518 | * Returns 0 unless creating the category mapping fails | |
519 | */ | |
520 | int smack_populate_secattr(struct smack_known *skp) | |
521 | { | |
522 | int slen; | |
523 | ||
524 | skp->smk_netlabel.attr.secid = skp->smk_secid; | |
525 | skp->smk_netlabel.domain = skp->smk_known; | |
526 | skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); | |
527 | if (skp->smk_netlabel.cache != NULL) { | |
528 | skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE; | |
529 | skp->smk_netlabel.cache->free = NULL; | |
530 | skp->smk_netlabel.cache->data = skp; | |
531 | } | |
532 | skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID | | |
533 | NETLBL_SECATTR_MLS_LVL | | |
534 | NETLBL_SECATTR_DOMAIN; | |
535 | /* | |
536 | * If direct labeling works use it. | |
537 | * Otherwise use mapped labeling. | |
538 | */ | |
539 | slen = strlen(skp->smk_known); | |
540 | if (slen < SMK_CIPSOLEN) | |
541 | return smk_netlbl_mls(smack_cipso_direct, skp->smk_known, | |
542 | &skp->smk_netlabel, slen); | |
543 | ||
544 | return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, | |
545 | &skp->smk_netlabel, sizeof(skp->smk_secid)); | |
546 | } | |
547 | ||
0e94ae17 JS |
548 | /** |
549 | * smk_import_entry - import a label, return the list entry | |
550 | * @string: a text string that might be a Smack label | |
551 | * @len: the maximum size, or zero if it is NULL terminated. | |
552 | * | |
553 | * Returns a pointer to the entry in the label list that | |
e774ad68 LP |
554 | * matches the passed string, adding it if necessary, |
555 | * or an error code. | |
0e94ae17 JS |
556 | */ |
557 | struct smack_known *smk_import_entry(const char *string, int len) | |
558 | { | |
559 | struct smack_known *skp; | |
f7112e6c | 560 | char *smack; |
f7112e6c | 561 | int rc; |
e114e473 | 562 | |
f7112e6c | 563 | smack = smk_parse_smack(string, len); |
e774ad68 LP |
564 | if (IS_ERR(smack)) |
565 | return ERR_CAST(smack); | |
e114e473 CS |
566 | |
567 | mutex_lock(&smack_known_lock); | |
568 | ||
272cd7a8 | 569 | skp = smk_find_entry(smack); |
f7112e6c CS |
570 | if (skp != NULL) |
571 | goto freeout; | |
e114e473 | 572 | |
e5bfad3d | 573 | skp = kzalloc(sizeof(*skp), GFP_NOFS); |
e774ad68 LP |
574 | if (skp == NULL) { |
575 | skp = ERR_PTR(-ENOMEM); | |
f7112e6c | 576 | goto freeout; |
e774ad68 | 577 | } |
e114e473 | 578 | |
f7112e6c CS |
579 | skp->smk_known = smack; |
580 | skp->smk_secid = smack_next_secid++; | |
f7112e6c | 581 | |
322dd63c | 582 | rc = smack_populate_secattr(skp); |
f7112e6c CS |
583 | if (rc >= 0) { |
584 | INIT_LIST_HEAD(&skp->smk_rules); | |
585 | mutex_init(&skp->smk_rules_lock); | |
586 | /* | |
587 | * Make sure that the entry is actually | |
588 | * filled before putting it on the list. | |
589 | */ | |
4d7cf4a1 | 590 | smk_insert_entry(skp); |
f7112e6c CS |
591 | goto unlockout; |
592 | } | |
f7112e6c | 593 | kfree(skp); |
e774ad68 | 594 | skp = ERR_PTR(rc); |
f7112e6c CS |
595 | freeout: |
596 | kfree(smack); | |
597 | unlockout: | |
e114e473 CS |
598 | mutex_unlock(&smack_known_lock); |
599 | ||
600 | return skp; | |
601 | } | |
602 | ||
e114e473 CS |
603 | /** |
604 | * smack_from_secid - find the Smack label associated with a secid | |
605 | * @secid: an integer that might be associated with a Smack label | |
606 | * | |
2f823ff8 | 607 | * Returns a pointer to the appropriate Smack label entry if there is one, |
e114e473 CS |
608 | * otherwise a pointer to the invalid Smack label. |
609 | */ | |
2f823ff8 | 610 | struct smack_known *smack_from_secid(const u32 secid) |
e114e473 CS |
611 | { |
612 | struct smack_known *skp; | |
613 | ||
7198e2ee EB |
614 | rcu_read_lock(); |
615 | list_for_each_entry_rcu(skp, &smack_known_list, list) { | |
616 | if (skp->smk_secid == secid) { | |
617 | rcu_read_unlock(); | |
2f823ff8 | 618 | return skp; |
7198e2ee EB |
619 | } |
620 | } | |
e114e473 CS |
621 | |
622 | /* | |
623 | * If we got this far someone asked for the translation | |
624 | * of a secid that is not on the list. | |
625 | */ | |
7198e2ee | 626 | rcu_read_unlock(); |
152f91d4 | 627 | return &smack_known_huh; |
e114e473 | 628 | } |
c0d77c88 RK |
629 | |
630 | /* | |
631 | * Unless a process is running with one of these labels | |
632 | * even having CAP_MAC_OVERRIDE isn't enough to grant | |
633 | * privilege to violate MAC policy. If no labels are | |
634 | * designated (the empty list case) capabilities apply to | |
635 | * everyone. | |
636 | */ | |
637 | LIST_HEAD(smack_onlycap_list); | |
638 | DEFINE_MUTEX(smack_onlycap_lock); | |
639 | ||
d19dfe58 CS |
640 | /** |
641 | * smack_privileged_cred - are all privilege requirements met by cred | |
642 | * @cap: The requested capability | |
643 | * @cred: the credential to use | |
644 | * | |
c0d77c88 RK |
645 | * Is the task privileged and allowed to be privileged |
646 | * by the onlycap rule. | |
647 | * | |
f28e783f | 648 | * Returns true if the task is allowed to be privileged, false if it's not. |
c0d77c88 | 649 | */ |
d19dfe58 | 650 | bool smack_privileged_cred(int cap, const struct cred *cred) |
c0d77c88 | 651 | { |
b17103a8 | 652 | struct task_smack *tsp = smack_cred(cred); |
d19dfe58 | 653 | struct smack_known *skp = tsp->smk_task; |
38416e53 | 654 | struct smack_known_list_elem *sklep; |
f28e783f | 655 | int rc; |
c0d77c88 | 656 | |
c1a85a00 | 657 | rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE); |
f28e783f CS |
658 | if (rc) |
659 | return false; | |
c0d77c88 RK |
660 | |
661 | rcu_read_lock(); | |
662 | if (list_empty(&smack_onlycap_list)) { | |
663 | rcu_read_unlock(); | |
f28e783f | 664 | return true; |
c0d77c88 RK |
665 | } |
666 | ||
38416e53 ZJ |
667 | list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) { |
668 | if (sklep->smk_label == skp) { | |
c0d77c88 | 669 | rcu_read_unlock(); |
f28e783f | 670 | return true; |
c0d77c88 RK |
671 | } |
672 | } | |
673 | rcu_read_unlock(); | |
674 | ||
f28e783f | 675 | return false; |
c0d77c88 | 676 | } |
d19dfe58 CS |
677 | |
678 | /** | |
679 | * smack_privileged - are all privilege requirements met | |
680 | * @cap: The requested capability | |
681 | * | |
682 | * Is the task privileged and allowed to be privileged | |
683 | * by the onlycap rule. | |
684 | * | |
685 | * Returns true if the task is allowed to be privileged, false if it's not. | |
686 | */ | |
687 | bool smack_privileged(int cap) | |
688 | { | |
689 | /* | |
0169d8f3 | 690 | * All kernel tasks are privileged |
d19dfe58 | 691 | */ |
0169d8f3 | 692 | if (unlikely(current->flags & PF_KTHREAD)) |
d19dfe58 CS |
693 | return true; |
694 | ||
695 | return smack_privileged_cred(cap, current_cred()); | |
696 | } |