// SPDX-License-Identifier: GPL-2.0-only1/*2* Copyright (C) 2007 Casey Schaufler <[email protected]>3*4* Author:5* Casey Schaufler <[email protected]>6*/78#include <linux/types.h>9#include <linux/slab.h>10#include <linux/fs.h>11#include <linux/sched.h>12#include "smack.h"1314struct smack_known smack_known_huh = {15.smk_known = "?",16.smk_secid = 2,17};1819struct smack_known smack_known_hat = {20.smk_known = "^",21.smk_secid = 3,22};2324struct smack_known smack_known_star = {25.smk_known = "*",26.smk_secid = 4,27};2829struct smack_known smack_known_floor = {30.smk_known = "_",31.smk_secid = 5,32};3334struct smack_known smack_known_web = {35.smk_known = "@",36.smk_secid = 7,37};3839LIST_HEAD(smack_known_list);4041/*42* The initial value needs to be bigger than any of the43* known values above.44*/45static u32 smack_next_secid = 10;4647#ifdef CONFIG_AUDIT48/*49* what events do we log50* can be overwritten at run-time by /smack/logging51*/52int log_policy = SMACK_AUDIT_DENIED;53#endif /* CONFIG_AUDIT */5455/**56* smk_access_entry - look up matching access rule57* @subject_label: a pointer to the subject's Smack label58* @object_label: a pointer to the object's Smack label59* @rule_list: the list of rules to search60*61* This function looks up the subject/object pair in the62* access rule list and returns the access mode. If no63* entry is found returns -ENOENT.64*65* NOTE:66*67* Earlier versions of this function allowed for labels that68* were not on the label list. This was done to allow for69* labels to come over the network that had never been seen70* before on this host. Unless the receiving socket has the71* star label this will always result in a failure check. The72* star labeled socket case is now handled in the networking73* hooks so there is no case where the label is not on the74* label list. Checking to see if the address of two labels75* is the same is now a reliable test.76*77* Do the object check first because that is more78* likely to differ.79*80* Allowing write access implies allowing locking.81*/82int smk_access_entry(char *subject_label, char *object_label,83struct list_head *rule_list)84{85struct smack_rule *srp;8687list_for_each_entry_rcu(srp, rule_list, list) {88if (srp->smk_object->smk_known == object_label &&89srp->smk_subject->smk_known == subject_label) {90int may = srp->smk_access;91/*92* MAY_WRITE implies MAY_LOCK.93*/94if ((may & MAY_WRITE) == MAY_WRITE)95may |= MAY_LOCK;96return may;97}98}99100return -ENOENT;101}102103/**104* smk_access - determine if a subject has a specific access to an object105* @subject: a pointer to the subject's Smack label entry106* @object: a pointer to the object's Smack label entry107* @request: the access requested, in "MAY" format108* @a : a pointer to the audit data109*110* This function looks up the subject/object pair in the111* access rule list and returns 0 if the access is permitted,112* non zero otherwise.113*114* Smack labels are shared on smack_list115*/116int smk_access(struct smack_known *subject, struct smack_known *object,117int request, struct smk_audit_info *a)118{119int may = MAY_NOT;120int rc = 0;121122/*123* Hardcoded comparisons.124*/125/*126* A star subject can't access any object.127*/128if (subject == &smack_known_star) {129rc = -EACCES;130goto out_audit;131}132/*133* An internet object can be accessed by any subject.134* Tasks cannot be assigned the internet label.135* An internet subject can access any object.136*/137if (object == &smack_known_web || subject == &smack_known_web)138goto out_audit;139/*140* A star object can be accessed by any subject.141*/142if (object == &smack_known_star)143goto out_audit;144/*145* An object can be accessed in any way by a subject146* with the same label.147*/148if (subject->smk_known == object->smk_known)149goto out_audit;150/*151* A hat subject can read or lock any object.152* A floor object can be read or locked by any subject.153*/154if ((request & MAY_ANYREAD) == request ||155(request & MAY_LOCK) == request) {156if (object == &smack_known_floor)157goto out_audit;158if (subject == &smack_known_hat)159goto out_audit;160}161/*162* Beyond here an explicit relationship is required.163* If the requested access is contained in the available164* access (e.g. read is included in readwrite) it's165* good. A negative response from smk_access_entry()166* indicates there is no entry for this pair.167*/168rcu_read_lock();169may = smk_access_entry(subject->smk_known, object->smk_known,170&subject->smk_rules);171rcu_read_unlock();172173if (may <= 0 || (request & may) != request) {174rc = -EACCES;175goto out_audit;176}177#ifdef CONFIG_SECURITY_SMACK_BRINGUP178/*179* Return a positive value if using bringup mode.180* This allows the hooks to identify checks that181* succeed because of "b" rules.182*/183if (may & MAY_BRINGUP)184rc = SMACK_BRINGUP_ALLOW;185#endif186187out_audit:188189#ifdef CONFIG_SECURITY_SMACK_BRINGUP190if (rc < 0) {191if (object == smack_unconfined)192rc = SMACK_UNCONFINED_OBJECT;193if (subject == smack_unconfined)194rc = SMACK_UNCONFINED_SUBJECT;195}196#endif197198#ifdef CONFIG_AUDIT199if (a)200smack_log(subject->smk_known, object->smk_known,201request, rc, a);202#endif203204return rc;205}206207/**208* smk_tskacc - determine if a task has a specific access to an object209* @tsp: a pointer to the subject's task210* @obj_known: a pointer to the object's label entry211* @mode: the access requested, in "MAY" format212* @a : common audit data213*214* This function checks the subject task's label/object label pair215* in the access rule list and returns 0 if the access is permitted,216* non zero otherwise. It allows that the task may have the capability217* to override the rules.218*/219int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,220u32 mode, struct smk_audit_info *a)221{222struct smack_known *sbj_known = smk_of_task(tsp);223int may;224int rc;225226/*227* Check the global rule list228*/229rc = smk_access(sbj_known, obj_known, mode, NULL);230if (rc >= 0) {231/*232* If there is an entry in the task's rule list233* it can further restrict access.234*/235may = smk_access_entry(sbj_known->smk_known,236obj_known->smk_known,237&tsp->smk_rules);238if (may < 0)239goto out_audit;240if ((mode & may) == mode)241goto out_audit;242rc = -EACCES;243}244245/*246* Allow for privileged to override policy.247*/248if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE))249rc = 0;250251out_audit:252#ifdef CONFIG_AUDIT253if (a)254smack_log(sbj_known->smk_known, obj_known->smk_known,255mode, rc, a);256#endif257return rc;258}259260/**261* smk_curacc - determine if current has a specific access to an object262* @obj_known: a pointer to the object's Smack label entry263* @mode: the access requested, in "MAY" format264* @a : common audit data265*266* This function checks the current subject label/object label pair267* in the access rule list and returns 0 if the access is permitted,268* non zero otherwise. It allows that current may have the capability269* to override the rules.270*/271int smk_curacc(struct smack_known *obj_known,272u32 mode, struct smk_audit_info *a)273{274struct task_smack *tsp = smack_cred(current_cred());275276return smk_tskacc(tsp, obj_known, mode, a);277}278279/**280* smack_str_from_perm : helper to translate an int to a281* readable string282* @string : the string to fill283* @access : the int284*285*/286int smack_str_from_perm(char *string, int access)287{288int i = 0;289290if (access & MAY_READ)291string[i++] = 'r';292if (access & MAY_WRITE)293string[i++] = 'w';294if (access & MAY_EXEC)295string[i++] = 'x';296if (access & MAY_APPEND)297string[i++] = 'a';298if (access & MAY_TRANSMUTE)299string[i++] = 't';300if (access & MAY_LOCK)301string[i++] = 'l';302if (access & MAY_BRINGUP)303string[i++] = 'b';304if (i == 0)305string[i++] = '-';306string[i] = '\0';307return i;308}309310#ifdef CONFIG_AUDIT311/**312* smack_log_callback - SMACK specific information313* will be called by generic audit code314* @ab : the audit_buffer315* @a : audit_data316*317*/318static void smack_log_callback(struct audit_buffer *ab, void *a)319{320struct common_audit_data *ad = a;321struct smack_audit_data *sad = ad->smack_audit_data;322audit_log_format(ab, "lsm=SMACK fn=%s action=%s",323ad->smack_audit_data->function,324sad->result ? "denied" : "granted");325audit_log_format(ab, " subject=");326audit_log_untrustedstring(ab, sad->subject);327audit_log_format(ab, " object=");328audit_log_untrustedstring(ab, sad->object);329if (sad->request[0] == '\0')330audit_log_format(ab, " labels_differ");331else332audit_log_format(ab, " requested=%s", sad->request);333}334335/**336* smack_log - Audit the granting or denial of permissions.337* @subject_label : smack label of the requester338* @object_label : smack label of the object being accessed339* @request: requested permissions340* @result: result from smk_access341* @ad: auxiliary audit data342*343* Audit the granting or denial of permissions in accordance344* with the policy.345*/346void smack_log(char *subject_label, char *object_label, int request,347int result, struct smk_audit_info *ad)348{349#ifdef CONFIG_SECURITY_SMACK_BRINGUP350char request_buffer[SMK_NUM_ACCESS_TYPE + 5];351#else352char request_buffer[SMK_NUM_ACCESS_TYPE + 1];353#endif354struct smack_audit_data *sad;355struct common_audit_data *a = &ad->a;356357/* check if we have to log the current event */358if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)359return;360if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)361return;362363sad = a->smack_audit_data;364365if (sad->function == NULL)366sad->function = "unknown";367368/* end preparing the audit data */369smack_str_from_perm(request_buffer, request);370sad->subject = subject_label;371sad->object = object_label;372#ifdef CONFIG_SECURITY_SMACK_BRINGUP373/*374* The result may be positive in bringup mode.375* A positive result is an allow, but not for normal reasons.376* Mark it as successful, but don't filter it out even if377* the logging policy says to do so.378*/379if (result == SMACK_UNCONFINED_SUBJECT)380strcat(request_buffer, "(US)");381else if (result == SMACK_UNCONFINED_OBJECT)382strcat(request_buffer, "(UO)");383384if (result > 0)385result = 0;386#endif387sad->request = request_buffer;388sad->result = result;389390common_lsm_audit(a, smack_log_callback, NULL);391}392#else /* #ifdef CONFIG_AUDIT */393void smack_log(char *subject_label, char *object_label, int request,394int result, struct smk_audit_info *ad)395{396}397#endif398399DEFINE_MUTEX(smack_known_lock);400401struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];402403/**404* smk_insert_entry - insert a smack label into a hash map,405* @skp: smack label406*407* this function must be called under smack_known_lock408*/409void smk_insert_entry(struct smack_known *skp)410{411unsigned int hash;412struct hlist_head *head;413414hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known));415head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)];416417hlist_add_head_rcu(&skp->smk_hashed, head);418list_add_rcu(&skp->list, &smack_known_list);419}420421/**422* smk_find_entry - find a label on the list, return the list entry423* @string: a text string that might be a Smack label424*425* Returns a pointer to the entry in the label list that426* matches the passed string or NULL if not found.427*/428struct smack_known *smk_find_entry(const char *string)429{430unsigned int hash;431struct hlist_head *head;432struct smack_known *skp;433434hash = full_name_hash(NULL, string, strlen(string));435head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)];436437hlist_for_each_entry_rcu(skp, head, smk_hashed)438if (strcmp(skp->smk_known, string) == 0)439return skp;440441return NULL;442}443444/**445* smk_parse_label_len - calculate the length of the starting segment446* in the string that constitutes a valid smack label447* @string: a text string that might contain a Smack label at the beginning448* @len: the maximum size to look into, may be zero if string is null-terminated449*450* Returns the length of the segment (0 < L < SMK_LONGLABEL) or an error code.451*/452int smk_parse_label_len(const char *string, int len)453{454int i;455456if (len <= 0 || len > SMK_LONGLABEL)457len = SMK_LONGLABEL;458459/*460* Reserve a leading '-' as an indicator that461* this isn't a label, but an option to interfaces462* including /smack/cipso and /smack/cipso2463*/464if (string[0] == '-')465return -EINVAL;466467for (i = 0; i < len; i++)468if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' ||469string[i] == '"' || string[i] == '\\' || string[i] == '\'')470break;471472if (i == 0 || i >= SMK_LONGLABEL)473return -EINVAL;474475return i;476}477478/**479* smk_parse_smack - copy the starting segment in the string480* that constitutes a valid smack label481* @string: a text string that might contain a Smack label at the beginning482* @len: the maximum size to look into, may be zero if string is null-terminated483*484* Returns a pointer to the copy of the label or an error code.485*/486char *smk_parse_smack(const char *string, int len)487{488char *smack;489int i = smk_parse_label_len(string, len);490491if (i < 0)492return ERR_PTR(-EINVAL);493494smack = kstrndup(string, i, GFP_NOFS);495if (!smack)496return ERR_PTR(-ENOMEM);497return smack;498}499500/**501* smk_netlbl_mls - convert a catset to netlabel mls categories502* @level: MLS sensitivity level503* @catset: the Smack categories504* @sap: where to put the netlabel categories505* @len: number of bytes for the levels in a CIPSO IP option506*507* Allocates and fills attr.mls508* Returns 0 on success, error code on failure.509*/510int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,511int len)512{513unsigned char *cp;514unsigned char m;515int cat;516int rc;517int byte;518519sap->flags |= NETLBL_SECATTR_MLS_CAT;520sap->attr.mls.lvl = level;521sap->attr.mls.cat = NULL;522523for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)524for (m = 0x80; m != 0; m >>= 1, cat++) {525if ((m & *cp) == 0)526continue;527rc = netlbl_catmap_setbit(&sap->attr.mls.cat,528cat, GFP_NOFS);529if (rc < 0) {530netlbl_catmap_free(sap->attr.mls.cat);531return rc;532}533}534535return 0;536}537538/**539* smack_populate_secattr - fill in the smack_known netlabel information540* @skp: pointer to the structure to fill541*542* Populate the netlabel secattr structure for a Smack label.543*544* Returns 0 unless creating the category mapping fails545*/546int smack_populate_secattr(struct smack_known *skp)547{548int slen;549550skp->smk_netlabel.attr.secid = skp->smk_secid;551skp->smk_netlabel.domain = skp->smk_known;552skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);553if (skp->smk_netlabel.cache != NULL) {554skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE;555skp->smk_netlabel.cache->free = NULL;556skp->smk_netlabel.cache->data = skp;557}558skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID |559NETLBL_SECATTR_MLS_LVL |560NETLBL_SECATTR_DOMAIN;561/*562* If direct labeling works use it.563* Otherwise use mapped labeling.564*/565slen = strlen(skp->smk_known);566if (slen < SMK_CIPSOLEN)567return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,568&skp->smk_netlabel, slen);569570return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,571&skp->smk_netlabel, sizeof(skp->smk_secid));572}573574/**575* smk_import_valid_allocated_label - import a label, return the list entry576* @smack: a text string that is a valid Smack label and may be kfree()ed.577* It is consumed: either becomes a part of the entry or kfree'ed.578* @gfp: Allocation type579*580* Returns: see description of smk_import_entry()581*/582static struct smack_known *583smk_import_allocated_label(char *smack, gfp_t gfp)584{585struct smack_known *skp;586int rc;587588mutex_lock(&smack_known_lock);589590skp = smk_find_entry(smack);591if (skp != NULL)592goto freeout;593594skp = kzalloc(sizeof(*skp), gfp);595if (skp == NULL) {596skp = ERR_PTR(-ENOMEM);597goto freeout;598}599600skp->smk_known = smack;601skp->smk_secid = smack_next_secid++;602603rc = smack_populate_secattr(skp);604if (rc >= 0) {605INIT_LIST_HEAD(&skp->smk_rules);606mutex_init(&skp->smk_rules_lock);607/*608* Make sure that the entry is actually609* filled before putting it on the list.610*/611smk_insert_entry(skp);612goto unlockout;613}614kfree(skp);615skp = ERR_PTR(rc);616freeout:617kfree(smack);618unlockout:619mutex_unlock(&smack_known_lock);620621return skp;622}623624/**625* smk_import_entry - import a label, return the list entry626* @string: a text string that might contain a Smack label at the beginning627* @len: the maximum size to look into, may be zero if string is null-terminated628*629* Returns a pointer to the entry in the label list that630* matches the passed string, adding it if necessary,631* or an error code.632*/633struct smack_known *smk_import_entry(const char *string, int len)634{635char *smack = smk_parse_smack(string, len);636637if (IS_ERR(smack))638return ERR_CAST(smack);639640return smk_import_allocated_label(smack, GFP_NOFS);641}642643/**644* smk_import_valid_label - import a label, return the list entry645* @label: a text string that is a valid Smack label, not null-terminated646* @label_len: the length of the text string in the @label647* @gfp: the GFP mask used for allocating memory for the @label text string copy648*649* Return: see description of smk_import_entry()650*/651struct smack_known *652smk_import_valid_label(const char *label, int label_len, gfp_t gfp)653{654char *smack = kstrndup(label, label_len, gfp);655656if (!smack)657return ERR_PTR(-ENOMEM);658659return smk_import_allocated_label(smack, gfp);660}661662/**663* smack_from_secid - find the Smack label associated with a secid664* @secid: an integer that might be associated with a Smack label665*666* Returns a pointer to the appropriate Smack label entry if there is one,667* otherwise a pointer to the invalid Smack label.668*/669struct smack_known *smack_from_secid(const u32 secid)670{671struct smack_known *skp;672673rcu_read_lock();674list_for_each_entry_rcu(skp, &smack_known_list, list) {675if (skp->smk_secid == secid) {676rcu_read_unlock();677return skp;678}679}680681/*682* If we got this far someone asked for the translation683* of a secid that is not on the list.684*/685rcu_read_unlock();686return &smack_known_huh;687}688689/*690* Unless a process is running with one of these labels691* even having CAP_MAC_OVERRIDE isn't enough to grant692* privilege to violate MAC policy. If no labels are693* designated (the empty list case) capabilities apply to694* everyone.695*/696LIST_HEAD(smack_onlycap_list);697DEFINE_MUTEX(smack_onlycap_lock);698699/**700* smack_privileged_cred - are all privilege requirements met by cred701* @cap: The requested capability702* @cred: the credential to use703*704* Is the task privileged and allowed to be privileged705* by the onlycap rule.706*707* Returns true if the task is allowed to be privileged, false if it's not.708*/709bool smack_privileged_cred(int cap, const struct cred *cred)710{711struct task_smack *tsp = smack_cred(cred);712struct smack_known *skp = tsp->smk_task;713struct smack_known_list_elem *sklep;714int rc;715716rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE);717if (rc)718return false;719720rcu_read_lock();721if (list_empty(&smack_onlycap_list)) {722rcu_read_unlock();723return true;724}725726list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) {727if (sklep->smk_label == skp) {728rcu_read_unlock();729return true;730}731}732rcu_read_unlock();733734return false;735}736737/**738* smack_privileged - are all privilege requirements met739* @cap: The requested capability740*741* Is the task privileged and allowed to be privileged742* by the onlycap rule.743*744* Returns true if the task is allowed to be privileged, false if it's not.745*/746bool smack_privileged(int cap)747{748/*749* All kernel tasks are privileged750*/751if (unlikely(current->flags & PF_KTHREAD))752return true;753754return smack_privileged_cred(cap, current_cred());755}756757758