// SPDX-License-Identifier: GPL-2.0-only1/*2* Copyright (C) 2007 Casey Schaufler <[email protected]>3*4* Author:5* Casey Schaufler <[email protected]>6*/78#include <linux/types.h>9#include <linux/slab.h>10#include <linux/fs.h>11#include <linux/sched.h>12#include "smack.h"1314struct smack_known smack_known_huh = {15.smk_known = "?",16.smk_secid = 2,17};1819struct smack_known smack_known_hat = {20.smk_known = "^",21.smk_secid = 3,22};2324struct smack_known smack_known_star = {25.smk_known = "*",26.smk_secid = 4,27};2829struct smack_known smack_known_floor = {30.smk_known = "_",31.smk_secid = 5,32};3334struct smack_known smack_known_web = {35.smk_known = "@",36.smk_secid = 7,37};3839LIST_HEAD(smack_known_list);4041/*42* The initial value needs to be bigger than any of the43* known values above.44*/45static u32 smack_next_secid = 10;4647#ifdef CONFIG_AUDIT48/*49* what events do we log50* can be overwritten at run-time by /smack/logging51*/52int log_policy = SMACK_AUDIT_DENIED;53#endif /* CONFIG_AUDIT */5455/**56* smk_access_entry - look up matching access rule57* @subject_label: a pointer to the subject's Smack label58* @object_label: a pointer to the object's Smack label59* @rule_list: the list of rules to search60*61* This function looks up the subject/object pair in the62* access rule list and returns the access mode. If no63* entry is found returns -ENOENT.64*65* NOTE:66*67* Earlier versions of this function allowed for labels that68* were not on the label list. This was done to allow for69* labels to come over the network that had never been seen70* before on this host. Unless the receiving socket has the71* star label this will always result in a failure check. The72* star labeled socket case is now handled in the networking73* hooks so there is no case where the label is not on the74* label list. Checking to see if the address of two labels75* is the same is now a reliable test.76*77* Do the object check first because that is more78* likely to differ.79*80* Allowing write access implies allowing locking.81*/82int smk_access_entry(char *subject_label, char *object_label,83struct list_head *rule_list)84{85struct smack_rule *srp;8687list_for_each_entry_rcu(srp, rule_list, list) {88if (srp->smk_object->smk_known == object_label &&89srp->smk_subject->smk_known == subject_label) {90int may = srp->smk_access;91/*92* MAY_WRITE implies MAY_LOCK.93*/94if ((may & MAY_WRITE) == MAY_WRITE)95may |= MAY_LOCK;96return may;97}98}99100return -ENOENT;101}102103/**104* smk_access - determine if a subject has a specific access to an object105* @subject: a pointer to the subject's Smack label entry106* @object: a pointer to the object's Smack label entry107* @request: the access requested, in "MAY" format108* @a : a pointer to the audit data109*110* This function looks up the subject/object pair in the111* access rule list and returns 0 if the access is permitted,112* non zero otherwise.113*114* Smack labels are shared on smack_list115*/116int smk_access(struct smack_known *subject, struct smack_known *object,117int request, struct smk_audit_info *a)118{119int may = MAY_NOT;120int rc = 0;121122/*123* Hardcoded comparisons.124*/125/*126* A star subject can't access any object.127*/128if (subject == &smack_known_star) {129rc = -EACCES;130goto out_audit;131}132/*133* An internet object can be accessed by any subject.134* Tasks cannot be assigned the internet label.135* An internet subject can access any object.136*/137if (object == &smack_known_web || subject == &smack_known_web)138goto out_audit;139/*140* A star object can be accessed by any subject.141*/142if (object == &smack_known_star)143goto out_audit;144/*145* An object can be accessed in any way by a subject146* with the same label.147*/148if (subject->smk_known == object->smk_known)149goto out_audit;150/*151* A hat subject can read or lock any object.152* A floor object can be read or locked by any subject.153*/154if ((request & MAY_ANYREAD) == request ||155(request & MAY_LOCK) == request) {156if (object == &smack_known_floor)157goto out_audit;158if (subject == &smack_known_hat)159goto out_audit;160}161/*162* Beyond here an explicit relationship is required.163* If the requested access is contained in the available164* access (e.g. read is included in readwrite) it's165* good. A negative response from smk_access_entry()166* indicates there is no entry for this pair.167*/168rcu_read_lock();169may = smk_access_entry(subject->smk_known, object->smk_known,170&subject->smk_rules);171rcu_read_unlock();172173if (may <= 0 || (request & may) != request) {174rc = -EACCES;175goto out_audit;176}177#ifdef CONFIG_SECURITY_SMACK_BRINGUP178/*179* Return a positive value if using bringup mode.180* This allows the hooks to identify checks that181* succeed because of "b" rules.182*/183if (may & MAY_BRINGUP)184rc = SMACK_BRINGUP_ALLOW;185#endif186187out_audit:188189#ifdef CONFIG_SECURITY_SMACK_BRINGUP190if (rc < 0) {191if (object == smack_unconfined)192rc = SMACK_UNCONFINED_OBJECT;193if (subject == smack_unconfined)194rc = SMACK_UNCONFINED_SUBJECT;195}196#endif197198#ifdef CONFIG_AUDIT199if (a)200smack_log(subject->smk_known, object->smk_known,201request, rc, a);202#endif203204return rc;205}206207/**208* smk_tskacc - determine if a task has a specific access to an object209* @tsp: a pointer to the subject's task210* @obj_known: a pointer to the object's label entry211* @mode: the access requested, in "MAY" format212* @a : common audit data213*214* This function checks the subject task's label/object label pair215* in the access rule list and returns 0 if the access is permitted,216* non zero otherwise. It allows that the task may have the capability217* to override the rules.218*/219int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known,220u32 mode, struct smk_audit_info *a)221{222struct smack_known *sbj_known = smk_of_task(tsp);223int may;224int rc;225226/*227* Check the global rule list228*/229rc = smk_access(sbj_known, obj_known, mode, NULL);230if (rc >= 0) {231/*232* If there is an entry in the task's rule list233* it can further restrict access.234*/235may = smk_access_entry(sbj_known->smk_known,236obj_known->smk_known,237&tsp->smk_rules);238if (may < 0)239goto out_audit;240if ((mode & may) == mode)241goto out_audit;242rc = -EACCES;243}244245/*246* Allow for privileged to override policy.247*/248if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE))249rc = 0;250251out_audit:252#ifdef CONFIG_AUDIT253if (a)254smack_log(sbj_known->smk_known, obj_known->smk_known,255mode, rc, a);256#endif257return rc;258}259260/**261* smk_curacc - determine if current has a specific access to an object262* @obj_known: a pointer to the object's Smack label entry263* @mode: the access requested, in "MAY" format264* @a : common audit data265*266* This function checks the current subject label/object label pair267* in the access rule list and returns 0 if the access is permitted,268* non zero otherwise. It allows that current may have the capability269* to override the rules.270*/271int smk_curacc(struct smack_known *obj_known,272u32 mode, struct smk_audit_info *a)273{274struct task_smack *tsp = smack_cred(current_cred());275276return smk_tskacc(tsp, obj_known, mode, a);277}278279/**280* smack_str_from_perm : helper to translate an int to a281* readable string282* @string : the string to fill283* @access : the int284*285*/286int smack_str_from_perm(char *string, int access)287{288int i = 0;289290if (access & MAY_READ)291string[i++] = 'r';292if (access & MAY_WRITE)293string[i++] = 'w';294if (access & MAY_EXEC)295string[i++] = 'x';296if (access & MAY_APPEND)297string[i++] = 'a';298if (access & MAY_TRANSMUTE)299string[i++] = 't';300if (access & MAY_LOCK)301string[i++] = 'l';302if (access & MAY_BRINGUP)303string[i++] = 'b';304if (i == 0)305string[i++] = '-';306string[i] = '\0';307return i;308}309310#ifdef CONFIG_AUDIT311/**312* smack_log_callback - SMACK specific information313* will be called by generic audit code314* @ab : the audit_buffer315* @a : audit_data316*317*/318static void smack_log_callback(struct audit_buffer *ab, void *a)319{320struct common_audit_data *ad = a;321struct smack_audit_data *sad = ad->smack_audit_data;322audit_log_format(ab, "lsm=SMACK fn=%s action=%s",323ad->smack_audit_data->function,324sad->result ? "denied" : "granted");325audit_log_format(ab, " subject=");326audit_log_untrustedstring(ab, sad->subject);327audit_log_format(ab, " object=");328audit_log_untrustedstring(ab, sad->object);329if (sad->request[0] == '\0')330audit_log_format(ab, " labels_differ");331else332audit_log_format(ab, " requested=%s", sad->request);333}334335/**336* smack_log - Audit the granting or denial of permissions.337* @subject_label : smack label of the requester338* @object_label : smack label of the object being accessed339* @request: requested permissions340* @result: result from smk_access341* @ad: auxiliary audit data342*343* Audit the granting or denial of permissions in accordance344* with the policy.345*/346void smack_log(char *subject_label, char *object_label, int request,347int result, struct smk_audit_info *ad)348{349#ifdef CONFIG_SECURITY_SMACK_BRINGUP350char request_buffer[SMK_NUM_ACCESS_TYPE + 5];351#else352char request_buffer[SMK_NUM_ACCESS_TYPE + 1];353#endif354struct smack_audit_data *sad;355struct common_audit_data *a = &ad->a;356357/* check if we have to log the current event */358if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0)359return;360if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0)361return;362363sad = a->smack_audit_data;364365if (sad->function == NULL)366sad->function = "unknown";367368/* end preparing the audit data */369smack_str_from_perm(request_buffer, request);370sad->subject = subject_label;371sad->object = object_label;372#ifdef CONFIG_SECURITY_SMACK_BRINGUP373/*374* The result may be positive in bringup mode.375* A positive result is an allow, but not for normal reasons.376* Mark it as successful, but don't filter it out even if377* the logging policy says to do so.378*/379if (result == SMACK_UNCONFINED_SUBJECT)380strcat(request_buffer, "(US)");381else if (result == SMACK_UNCONFINED_OBJECT)382strcat(request_buffer, "(UO)");383384if (result > 0)385result = 0;386#endif387sad->request = request_buffer;388sad->result = result;389390common_lsm_audit(a, smack_log_callback, NULL);391}392#else /* #ifdef CONFIG_AUDIT */393void smack_log(char *subject_label, char *object_label, int request,394int result, struct smk_audit_info *ad)395{396}397#endif398399DEFINE_MUTEX(smack_known_lock);400401struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];402403/**404* smk_insert_entry - insert a smack label into a hash map,405* @skp: smack label406*407* this function must be called under smack_known_lock408*/409void smk_insert_entry(struct smack_known *skp)410{411unsigned int hash;412struct hlist_head *head;413414hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known));415head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)];416417hlist_add_head_rcu(&skp->smk_hashed, head);418list_add_rcu(&skp->list, &smack_known_list);419}420421/**422* smk_find_entry - find a label on the list, return the list entry423* @string: a text string that might be a Smack label424*425* Returns a pointer to the entry in the label list that426* matches the passed string or NULL if not found.427*/428struct smack_known *smk_find_entry(const char *string)429{430unsigned int hash;431struct hlist_head *head;432struct smack_known *skp;433434hash = full_name_hash(NULL, string, strlen(string));435head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)];436437hlist_for_each_entry_rcu(skp, head, smk_hashed)438if (strcmp(skp->smk_known, string) == 0)439return skp;440441return NULL;442}443444/**445* smk_parse_smack - parse smack label from a text string446* @string: a text string that might contain a Smack label447* @len: the maximum size, or zero if it is NULL terminated.448*449* Returns a pointer to the clean label or an error code.450*/451char *smk_parse_smack(const char *string, int len)452{453char *smack;454int i;455456if (len <= 0)457len = strlen(string) + 1;458459/*460* Reserve a leading '-' as an indicator that461* this isn't a label, but an option to interfaces462* including /smack/cipso and /smack/cipso2463*/464if (string[0] == '-')465return ERR_PTR(-EINVAL);466467for (i = 0; i < len; i++)468if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' ||469string[i] == '"' || string[i] == '\\' || string[i] == '\'')470break;471472if (i == 0 || i >= SMK_LONGLABEL)473return ERR_PTR(-EINVAL);474475smack = kstrndup(string, i, GFP_NOFS);476if (!smack)477return ERR_PTR(-ENOMEM);478return smack;479}480481/**482* smk_netlbl_mls - convert a catset to netlabel mls categories483* @level: MLS sensitivity level484* @catset: the Smack categories485* @sap: where to put the netlabel categories486* @len: number of bytes for the levels in a CIPSO IP option487*488* Allocates and fills attr.mls489* Returns 0 on success, error code on failure.490*/491int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap,492int len)493{494unsigned char *cp;495unsigned char m;496int cat;497int rc;498int byte;499500sap->flags |= NETLBL_SECATTR_MLS_CAT;501sap->attr.mls.lvl = level;502sap->attr.mls.cat = NULL;503504for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++)505for (m = 0x80; m != 0; m >>= 1, cat++) {506if ((m & *cp) == 0)507continue;508rc = netlbl_catmap_setbit(&sap->attr.mls.cat,509cat, GFP_NOFS);510if (rc < 0) {511netlbl_catmap_free(sap->attr.mls.cat);512return rc;513}514}515516return 0;517}518519/**520* smack_populate_secattr - fill in the smack_known netlabel information521* @skp: pointer to the structure to fill522*523* Populate the netlabel secattr structure for a Smack label.524*525* Returns 0 unless creating the category mapping fails526*/527int smack_populate_secattr(struct smack_known *skp)528{529int slen;530531skp->smk_netlabel.attr.secid = skp->smk_secid;532skp->smk_netlabel.domain = skp->smk_known;533skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC);534if (skp->smk_netlabel.cache != NULL) {535skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE;536skp->smk_netlabel.cache->free = NULL;537skp->smk_netlabel.cache->data = skp;538}539skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID |540NETLBL_SECATTR_MLS_LVL |541NETLBL_SECATTR_DOMAIN;542/*543* If direct labeling works use it.544* Otherwise use mapped labeling.545*/546slen = strlen(skp->smk_known);547if (slen < SMK_CIPSOLEN)548return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,549&skp->smk_netlabel, slen);550551return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid,552&skp->smk_netlabel, sizeof(skp->smk_secid));553}554555/**556* smk_import_entry - import a label, return the list entry557* @string: a text string that might be a Smack label558* @len: the maximum size, or zero if it is NULL terminated.559*560* Returns a pointer to the entry in the label list that561* matches the passed string, adding it if necessary,562* or an error code.563*/564struct smack_known *smk_import_entry(const char *string, int len)565{566struct smack_known *skp;567char *smack;568int rc;569570smack = smk_parse_smack(string, len);571if (IS_ERR(smack))572return ERR_CAST(smack);573574mutex_lock(&smack_known_lock);575576skp = smk_find_entry(smack);577if (skp != NULL)578goto freeout;579580skp = kzalloc(sizeof(*skp), GFP_NOFS);581if (skp == NULL) {582skp = ERR_PTR(-ENOMEM);583goto freeout;584}585586skp->smk_known = smack;587skp->smk_secid = smack_next_secid++;588589rc = smack_populate_secattr(skp);590if (rc >= 0) {591INIT_LIST_HEAD(&skp->smk_rules);592mutex_init(&skp->smk_rules_lock);593/*594* Make sure that the entry is actually595* filled before putting it on the list.596*/597smk_insert_entry(skp);598goto unlockout;599}600kfree(skp);601skp = ERR_PTR(rc);602freeout:603kfree(smack);604unlockout:605mutex_unlock(&smack_known_lock);606607return skp;608}609610/**611* smack_from_secid - find the Smack label associated with a secid612* @secid: an integer that might be associated with a Smack label613*614* Returns a pointer to the appropriate Smack label entry if there is one,615* otherwise a pointer to the invalid Smack label.616*/617struct smack_known *smack_from_secid(const u32 secid)618{619struct smack_known *skp;620621rcu_read_lock();622list_for_each_entry_rcu(skp, &smack_known_list, list) {623if (skp->smk_secid == secid) {624rcu_read_unlock();625return skp;626}627}628629/*630* If we got this far someone asked for the translation631* of a secid that is not on the list.632*/633rcu_read_unlock();634return &smack_known_huh;635}636637/*638* Unless a process is running with one of these labels639* even having CAP_MAC_OVERRIDE isn't enough to grant640* privilege to violate MAC policy. If no labels are641* designated (the empty list case) capabilities apply to642* everyone.643*/644LIST_HEAD(smack_onlycap_list);645DEFINE_MUTEX(smack_onlycap_lock);646647/**648* smack_privileged_cred - are all privilege requirements met by cred649* @cap: The requested capability650* @cred: the credential to use651*652* Is the task privileged and allowed to be privileged653* by the onlycap rule.654*655* Returns true if the task is allowed to be privileged, false if it's not.656*/657bool smack_privileged_cred(int cap, const struct cred *cred)658{659struct task_smack *tsp = smack_cred(cred);660struct smack_known *skp = tsp->smk_task;661struct smack_known_list_elem *sklep;662int rc;663664rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE);665if (rc)666return false;667668rcu_read_lock();669if (list_empty(&smack_onlycap_list)) {670rcu_read_unlock();671return true;672}673674list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) {675if (sklep->smk_label == skp) {676rcu_read_unlock();677return true;678}679}680rcu_read_unlock();681682return false;683}684685/**686* smack_privileged - are all privilege requirements met687* @cap: The requested capability688*689* Is the task privileged and allowed to be privileged690* by the onlycap rule.691*692* Returns true if the task is allowed to be privileged, false if it's not.693*/694bool smack_privileged(int cap)695{696/*697* All kernel tasks are privileged698*/699if (unlikely(current->flags & PF_KTHREAD))700return true;701702return smack_privileged_cred(cap, current_cred());703}704705706