2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
9 * Casey Schaufler <casey@schaufler-ca.com>
13 #include <linux/types.h>
14 #include <linux/slab.h>
16 #include <linux/sched.h>
19 struct smack_known smack_known_huh
= {
24 struct smack_known smack_known_hat
= {
29 struct smack_known smack_known_star
= {
34 struct smack_known smack_known_floor
= {
39 struct smack_known smack_known_web
= {
44 LIST_HEAD(smack_known_list
);
47 * The initial value needs to be bigger than any of the
50 static u32 smack_next_secid
= 10;
53 * what events do we log
54 * can be overwritten at run-time by /smack/logging
56 int log_policy
= SMACK_AUDIT_DENIED
;
59 * smk_access_entry - look up matching access rule
60 * @subject_label: a pointer to the subject's Smack label
61 * @object_label: a pointer to the object's Smack label
62 * @rule_list: the list of rules to search
64 * This function looks up the subject/object pair in the
65 * access rule list and returns the access mode. If no
66 * entry is found returns -ENOENT.
70 * Earlier versions of this function allowed for labels that
71 * were not on the label list. This was done to allow for
72 * labels to come over the network that had never been seen
73 * before on this host. Unless the receiving socket has the
74 * star label this will always result in a failure check. The
75 * star labeled socket case is now handled in the networking
76 * hooks so there is no case where the label is not on the
77 * label list. Checking to see if the address of two labels
78 * is the same is now a reliable test.
80 * Do the object check first because that is more
83 * Allowing write access implies allowing locking.
85 int smk_access_entry(char *subject_label
, char *object_label
,
86 struct list_head
*rule_list
)
89 struct smack_rule
*srp
;
91 list_for_each_entry_rcu(srp
, rule_list
, list
) {
92 if (srp
->smk_object
->smk_known
== object_label
&&
93 srp
->smk_subject
->smk_known
== subject_label
) {
94 may
= srp
->smk_access
;
100 * MAY_WRITE implies MAY_LOCK.
102 if ((may
& MAY_WRITE
) == MAY_WRITE
)
108 * smk_access - determine if a subject has a specific access to an object
109 * @subject: a pointer to the subject's Smack label entry
110 * @object: a pointer to the object's Smack label entry
111 * @request: the access requested, in "MAY" format
112 * @a : a pointer to the audit data
114 * This function looks up the subject/object pair in the
115 * access rule list and returns 0 if the access is permitted,
116 * non zero otherwise.
118 * Smack labels are shared on smack_list
120 int smk_access(struct smack_known
*subject
, struct smack_known
*object
,
121 int request
, struct smk_audit_info
*a
)
127 * Hardcoded comparisons.
130 * A star subject can't access any object.
132 if (subject
== &smack_known_star
) {
137 * An internet object can be accessed by any subject.
138 * Tasks cannot be assigned the internet label.
139 * An internet subject can access any object.
141 if (object
== &smack_known_web
|| subject
== &smack_known_web
)
144 * A star object can be accessed by any subject.
146 if (object
== &smack_known_star
)
149 * An object can be accessed in any way by a subject
150 * with the same label.
152 if (subject
->smk_known
== object
->smk_known
)
155 * A hat subject can read or lock any object.
156 * A floor object can be read or locked by any subject.
158 if ((request
& MAY_ANYREAD
) == request
||
159 (request
& MAY_LOCK
) == request
) {
160 if (object
== &smack_known_floor
)
162 if (subject
== &smack_known_hat
)
166 * Beyond here an explicit relationship is required.
167 * If the requested access is contained in the available
168 * access (e.g. read is included in readwrite) it's
169 * good. A negative response from smk_access_entry()
170 * indicates there is no entry for this pair.
173 may
= smk_access_entry(subject
->smk_known
, object
->smk_known
,
174 &subject
->smk_rules
);
177 if (may
<= 0 || (request
& may
) != request
) {
181 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
183 * Return a positive value if using bringup mode.
184 * This allows the hooks to identify checks that
185 * succeed because of "b" rules.
187 if (may
& MAY_BRINGUP
)
188 rc
= SMACK_BRINGUP_ALLOW
;
193 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
195 if (object
== smack_unconfined
)
196 rc
= SMACK_UNCONFINED_OBJECT
;
197 if (subject
== smack_unconfined
)
198 rc
= SMACK_UNCONFINED_SUBJECT
;
204 smack_log(subject
->smk_known
, object
->smk_known
,
212 * smk_tskacc - determine if a task has a specific access to an object
213 * @tsp: a pointer to the subject's task
214 * @obj_known: a pointer to the object's label entry
215 * @mode: the access requested, in "MAY" format
216 * @a : common audit data
218 * This function checks the subject task's label/object label pair
219 * in the access rule list and returns 0 if the access is permitted,
220 * non zero otherwise. It allows that the task may have the capability
221 * to override the rules.
223 int smk_tskacc(struct task_smack
*tsp
, struct smack_known
*obj_known
,
224 u32 mode
, struct smk_audit_info
*a
)
226 struct smack_known
*sbj_known
= smk_of_task(tsp
);
231 * Check the global rule list
233 rc
= smk_access(sbj_known
, obj_known
, mode
, NULL
);
236 * If there is an entry in the task's rule list
237 * it can further restrict access.
239 may
= smk_access_entry(sbj_known
->smk_known
,
240 obj_known
->smk_known
,
244 if ((mode
& may
) == mode
)
250 * Allow for priviliged to override policy.
252 if (rc
!= 0 && smack_privileged(CAP_MAC_OVERRIDE
))
258 smack_log(sbj_known
->smk_known
, obj_known
->smk_known
,
265 * smk_curacc - determine if current has a specific access to an object
266 * @obj_known: a pointer to the object's Smack label entry
267 * @mode: the access requested, in "MAY" format
268 * @a : common audit data
270 * This function checks the current subject label/object label pair
271 * in the access rule list and returns 0 if the access is permitted,
272 * non zero otherwise. It allows that current may have the capability
273 * to override the rules.
275 int smk_curacc(struct smack_known
*obj_known
,
276 u32 mode
, struct smk_audit_info
*a
)
278 struct task_smack
*tsp
= current_security();
280 return smk_tskacc(tsp
, obj_known
, mode
, a
);
285 * smack_str_from_perm : helper to transalate an int to a
287 * @string : the string to fill
291 static inline void smack_str_from_perm(char *string
, int access
)
295 if (access
& MAY_READ
)
297 if (access
& MAY_WRITE
)
299 if (access
& MAY_EXEC
)
301 if (access
& MAY_APPEND
)
303 if (access
& MAY_TRANSMUTE
)
305 if (access
& MAY_LOCK
)
310 * smack_log_callback - SMACK specific information
311 * will be called by generic audit code
312 * @ab : the audit_buffer
316 static void smack_log_callback(struct audit_buffer
*ab
, void *a
)
318 struct common_audit_data
*ad
= a
;
319 struct smack_audit_data
*sad
= ad
->smack_audit_data
;
320 audit_log_format(ab
, "lsm=SMACK fn=%s action=%s",
321 ad
->smack_audit_data
->function
,
322 sad
->result
? "denied" : "granted");
323 audit_log_format(ab
, " subject=");
324 audit_log_untrustedstring(ab
, sad
->subject
);
325 audit_log_format(ab
, " object=");
326 audit_log_untrustedstring(ab
, sad
->object
);
327 if (sad
->request
[0] == '\0')
328 audit_log_format(ab
, " labels_differ");
330 audit_log_format(ab
, " requested=%s", sad
->request
);
334 * smack_log - Audit the granting or denial of permissions.
335 * @subject_label : smack label of the requester
336 * @object_label : smack label of the object being accessed
337 * @request: requested permissions
338 * @result: result from smk_access
339 * @a: auxiliary audit data
341 * Audit the granting or denial of permissions in accordance
344 void smack_log(char *subject_label
, char *object_label
, int request
,
345 int result
, struct smk_audit_info
*ad
)
347 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
348 char request_buffer
[SMK_NUM_ACCESS_TYPE
+ 5];
350 char request_buffer
[SMK_NUM_ACCESS_TYPE
+ 1];
352 struct smack_audit_data
*sad
;
353 struct common_audit_data
*a
= &ad
->a
;
355 /* check if we have to log the current event */
356 if (result
< 0 && (log_policy
& SMACK_AUDIT_DENIED
) == 0)
358 if (result
== 0 && (log_policy
& SMACK_AUDIT_ACCEPT
) == 0)
361 sad
= a
->smack_audit_data
;
363 if (sad
->function
== NULL
)
364 sad
->function
= "unknown";
366 /* end preparing the audit data */
367 smack_str_from_perm(request_buffer
, request
);
368 sad
->subject
= subject_label
;
369 sad
->object
= object_label
;
370 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
372 * The result may be positive in bringup mode.
373 * A positive result is an allow, but not for normal reasons.
374 * Mark it as successful, but don't filter it out even if
375 * the logging policy says to do so.
377 if (result
== SMACK_UNCONFINED_SUBJECT
)
378 strcat(request_buffer
, "(US)");
379 else if (result
== SMACK_UNCONFINED_OBJECT
)
380 strcat(request_buffer
, "(UO)");
385 sad
->request
= request_buffer
;
386 sad
->result
= result
;
388 common_lsm_audit(a
, smack_log_callback
, NULL
);
390 #else /* #ifdef CONFIG_AUDIT */
391 void smack_log(char *subject_label
, char *object_label
, int request
,
392 int result
, struct smk_audit_info
*ad
)
397 DEFINE_MUTEX(smack_known_lock
);
399 struct hlist_head smack_known_hash
[SMACK_HASH_SLOTS
];
402 * smk_insert_entry - insert a smack label into a hash map,
404 * this function must be called under smack_known_lock
406 void smk_insert_entry(struct smack_known
*skp
)
409 struct hlist_head
*head
;
411 hash
= full_name_hash(NULL
, skp
->smk_known
, strlen(skp
->smk_known
));
412 head
= &smack_known_hash
[hash
& (SMACK_HASH_SLOTS
- 1)];
414 hlist_add_head_rcu(&skp
->smk_hashed
, head
);
415 list_add_rcu(&skp
->list
, &smack_known_list
);
419 * smk_find_entry - find a label on the list, return the list entry
420 * @string: a text string that might be a Smack label
422 * Returns a pointer to the entry in the label list that
423 * matches the passed string or NULL if not found.
425 struct smack_known
*smk_find_entry(const char *string
)
428 struct hlist_head
*head
;
429 struct smack_known
*skp
;
431 hash
= full_name_hash(NULL
, string
, strlen(string
));
432 head
= &smack_known_hash
[hash
& (SMACK_HASH_SLOTS
- 1)];
434 hlist_for_each_entry_rcu(skp
, head
, smk_hashed
)
435 if (strcmp(skp
->smk_known
, string
) == 0)
442 * smk_parse_smack - parse smack label from a text string
443 * @string: a text string that might contain a Smack label
444 * @len: the maximum size, or zero if it is NULL terminated.
446 * Returns a pointer to the clean label or an error code.
448 char *smk_parse_smack(const char *string
, int len
)
454 len
= strlen(string
) + 1;
457 * Reserve a leading '-' as an indicator that
458 * this isn't a label, but an option to interfaces
459 * including /smack/cipso and /smack/cipso2
461 if (string
[0] == '-')
462 return ERR_PTR(-EINVAL
);
464 for (i
= 0; i
< len
; i
++)
465 if (string
[i
] > '~' || string
[i
] <= ' ' || string
[i
] == '/' ||
466 string
[i
] == '"' || string
[i
] == '\\' || string
[i
] == '\'')
469 if (i
== 0 || i
>= SMK_LONGLABEL
)
470 return ERR_PTR(-EINVAL
);
472 smack
= kzalloc(i
+ 1, GFP_KERNEL
);
474 return ERR_PTR(-ENOMEM
);
476 strncpy(smack
, string
, i
);
482 * smk_netlbl_mls - convert a catset to netlabel mls categories
483 * @catset: the Smack categories
484 * @sap: where to put the netlabel categories
486 * Allocates and fills attr.mls
487 * Returns 0 on success, error code on failure.
489 int smk_netlbl_mls(int level
, char *catset
, struct netlbl_lsm_secattr
*sap
,
498 sap
->flags
|= NETLBL_SECATTR_MLS_CAT
;
499 sap
->attr
.mls
.lvl
= level
;
500 sap
->attr
.mls
.cat
= NULL
;
502 for (cat
= 1, cp
= catset
, byte
= 0; byte
< len
; cp
++, byte
++)
503 for (m
= 0x80; m
!= 0; m
>>= 1, cat
++) {
506 rc
= netlbl_catmap_setbit(&sap
->attr
.mls
.cat
,
509 netlbl_catmap_free(sap
->attr
.mls
.cat
);
518 * smk_import_entry - import a label, return the list entry
519 * @string: a text string that might be a Smack label
520 * @len: the maximum size, or zero if it is NULL terminated.
522 * Returns a pointer to the entry in the label list that
523 * matches the passed string, adding it if necessary,
526 struct smack_known
*smk_import_entry(const char *string
, int len
)
528 struct smack_known
*skp
;
533 smack
= smk_parse_smack(string
, len
);
535 return ERR_CAST(smack
);
537 mutex_lock(&smack_known_lock
);
539 skp
= smk_find_entry(smack
);
543 skp
= kzalloc(sizeof(*skp
), GFP_KERNEL
);
545 skp
= ERR_PTR(-ENOMEM
);
549 skp
->smk_known
= smack
;
550 skp
->smk_secid
= smack_next_secid
++;
551 skp
->smk_netlabel
.domain
= skp
->smk_known
;
552 skp
->smk_netlabel
.flags
=
553 NETLBL_SECATTR_DOMAIN
| NETLBL_SECATTR_MLS_LVL
;
555 * If direct labeling works use it.
556 * Otherwise use mapped labeling.
558 slen
= strlen(smack
);
559 if (slen
< SMK_CIPSOLEN
)
560 rc
= smk_netlbl_mls(smack_cipso_direct
, skp
->smk_known
,
561 &skp
->smk_netlabel
, slen
);
563 rc
= smk_netlbl_mls(smack_cipso_mapped
, (char *)&skp
->smk_secid
,
564 &skp
->smk_netlabel
, sizeof(skp
->smk_secid
));
567 INIT_LIST_HEAD(&skp
->smk_rules
);
568 mutex_init(&skp
->smk_rules_lock
);
570 * Make sure that the entry is actually
571 * filled before putting it on the list.
573 smk_insert_entry(skp
);
577 * smk_netlbl_mls failed.
584 mutex_unlock(&smack_known_lock
);
590 * smack_from_secid - find the Smack label associated with a secid
591 * @secid: an integer that might be associated with a Smack label
593 * Returns a pointer to the appropriate Smack label entry if there is one,
594 * otherwise a pointer to the invalid Smack label.
596 struct smack_known
*smack_from_secid(const u32 secid
)
598 struct smack_known
*skp
;
601 list_for_each_entry_rcu(skp
, &smack_known_list
, list
) {
602 if (skp
->smk_secid
== secid
) {
609 * If we got this far someone asked for the translation
610 * of a secid that is not on the list.
613 return &smack_known_huh
;
617 * Unless a process is running with one of these labels
618 * even having CAP_MAC_OVERRIDE isn't enough to grant
619 * privilege to violate MAC policy. If no labels are
620 * designated (the empty list case) capabilities apply to
623 LIST_HEAD(smack_onlycap_list
);
624 DEFINE_MUTEX(smack_onlycap_lock
);
627 * Is the task privileged and allowed to be privileged
628 * by the onlycap rule.
630 * Returns 1 if the task is allowed to be privileged, 0 if it's not.
632 int smack_privileged(int cap
)
634 struct smack_known
*skp
= smk_of_current();
635 struct smack_known_list_elem
*sklep
;
638 * All kernel tasks are privileged
640 if (unlikely(current
->flags
& PF_KTHREAD
))
647 if (list_empty(&smack_onlycap_list
)) {
652 list_for_each_entry_rcu(sklep
, &smack_onlycap_list
, list
) {
653 if (sklep
->smk_label
== skp
) {