2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
9 * Casey Schaufler <casey@schaufler-ca.com>
13 #include <linux/types.h>
14 #include <linux/slab.h>
16 #include <linux/sched.h>
19 struct smack_known smack_known_huh
= {
24 struct smack_known smack_known_hat
= {
29 struct smack_known smack_known_star
= {
34 struct smack_known smack_known_floor
= {
39 struct smack_known smack_known_invalid
= {
44 struct smack_known smack_known_web
= {
49 LIST_HEAD(smack_known_list
);
52 * The initial value needs to be bigger than any of the
55 static u32 smack_next_secid
= 10;
58 * what events do we log
59 * can be overwritten at run-time by /smack/logging
61 int log_policy
= SMACK_AUDIT_DENIED
;
64 * smk_access_entry - look up matching access rule
65 * @subject_label: a pointer to the subject's Smack label
66 * @object_label: a pointer to the object's Smack label
67 * @rule_list: the list of rules to search
69 * This function looks up the subject/object pair in the
70 * access rule list and returns the access mode. If no
71 * entry is found returns -ENOENT.
75 * Earlier versions of this function allowed for labels that
76 * were not on the label list. This was done to allow for
77 * labels to come over the network that had never been seen
78 * before on this host. Unless the receiving socket has the
79 * star label this will always result in a failure check. The
80 * star labeled socket case is now handled in the networking
81 * hooks so there is no case where the label is not on the
82 * label list. Checking to see if the address of two labels
83 * is the same is now a reliable test.
85 * Do the object check first because that is more
88 * Allowing write access implies allowing locking.
90 int smk_access_entry(char *subject_label
, char *object_label
,
91 struct list_head
*rule_list
)
94 struct smack_rule
*srp
;
96 list_for_each_entry_rcu(srp
, rule_list
, list
) {
97 if (srp
->smk_object
->smk_known
== object_label
&&
98 srp
->smk_subject
->smk_known
== subject_label
) {
99 may
= srp
->smk_access
;
105 * MAY_WRITE implies MAY_LOCK.
107 if ((may
& MAY_WRITE
) == MAY_WRITE
)
113 * smk_access - determine if a subject has a specific access to an object
114 * @subject: a pointer to the subject's Smack label entry
115 * @object: a pointer to the object's Smack label entry
116 * @request: the access requested, in "MAY" format
117 * @a : a pointer to the audit data
119 * This function looks up the subject/object pair in the
120 * access rule list and returns 0 if the access is permitted,
121 * non zero otherwise.
123 * Smack labels are shared on smack_list
125 int smk_access(struct smack_known
*subject
, struct smack_known
*object
,
126 int request
, struct smk_audit_info
*a
)
132 * Hardcoded comparisons.
135 * A star subject can't access any object.
137 if (subject
== &smack_known_star
) {
142 * An internet object can be accessed by any subject.
143 * Tasks cannot be assigned the internet label.
144 * An internet subject can access any object.
146 if (object
== &smack_known_web
|| subject
== &smack_known_web
)
149 * A star object can be accessed by any subject.
151 if (object
== &smack_known_star
)
154 * An object can be accessed in any way by a subject
155 * with the same label.
157 if (subject
->smk_known
== object
->smk_known
)
160 * A hat subject can read or lock any object.
161 * A floor object can be read or locked by any subject.
163 if ((request
& MAY_ANYREAD
) == request
||
164 (request
& MAY_LOCK
) == request
) {
165 if (object
== &smack_known_floor
)
167 if (subject
== &smack_known_hat
)
171 * Beyond here an explicit relationship is required.
172 * If the requested access is contained in the available
173 * access (e.g. read is included in readwrite) it's
174 * good. A negative response from smk_access_entry()
175 * indicates there is no entry for this pair.
178 may
= smk_access_entry(subject
->smk_known
, object
->smk_known
,
179 &subject
->smk_rules
);
182 if (may
<= 0 || (request
& may
) != request
) {
186 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
188 * Return a positive value if using bringup mode.
189 * This allows the hooks to identify checks that
190 * succeed because of "b" rules.
192 if (may
& MAY_BRINGUP
)
193 rc
= SMACK_BRINGUP_ALLOW
;
198 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
200 if (object
== smack_unconfined
)
201 rc
= SMACK_UNCONFINED_OBJECT
;
202 if (subject
== smack_unconfined
)
203 rc
= SMACK_UNCONFINED_SUBJECT
;
209 smack_log(subject
->smk_known
, object
->smk_known
,
217 * smk_tskacc - determine if a task has a specific access to an object
218 * @tsp: a pointer to the subject's task
219 * @obj_known: a pointer to the object's label entry
220 * @mode: the access requested, in "MAY" format
221 * @a : common audit data
223 * This function checks the subject task's label/object label pair
224 * in the access rule list and returns 0 if the access is permitted,
225 * non zero otherwise. It allows that the task may have the capability
226 * to override the rules.
228 int smk_tskacc(struct task_smack
*tsp
, struct smack_known
*obj_known
,
229 u32 mode
, struct smk_audit_info
*a
)
231 struct smack_known
*sbj_known
= smk_of_task(tsp
);
236 * Check the global rule list
238 rc
= smk_access(sbj_known
, obj_known
, mode
, NULL
);
241 * If there is an entry in the task's rule list
242 * it can further restrict access.
244 may
= smk_access_entry(sbj_known
->smk_known
,
245 obj_known
->smk_known
,
249 if ((mode
& may
) == mode
)
255 * Allow for priviliged to override policy.
257 if (rc
!= 0 && smack_privileged(CAP_MAC_OVERRIDE
))
263 smack_log(sbj_known
->smk_known
, obj_known
->smk_known
,
270 * smk_curacc - determine if current has a specific access to an object
271 * @obj_known: a pointer to the object's Smack label entry
272 * @mode: the access requested, in "MAY" format
273 * @a : common audit data
275 * This function checks the current subject label/object label pair
276 * in the access rule list and returns 0 if the access is permitted,
277 * non zero otherwise. It allows that current may have the capability
278 * to override the rules.
280 int smk_curacc(struct smack_known
*obj_known
,
281 u32 mode
, struct smk_audit_info
*a
)
283 struct task_smack
*tsp
= current_security();
285 return smk_tskacc(tsp
, obj_known
, mode
, a
);
290 * smack_str_from_perm : helper to transalate an int to a
292 * @string : the string to fill
296 static inline void smack_str_from_perm(char *string
, int access
)
300 if (access
& MAY_READ
)
302 if (access
& MAY_WRITE
)
304 if (access
& MAY_EXEC
)
306 if (access
& MAY_APPEND
)
308 if (access
& MAY_TRANSMUTE
)
310 if (access
& MAY_LOCK
)
315 * smack_log_callback - SMACK specific information
316 * will be called by generic audit code
317 * @ab : the audit_buffer
321 static void smack_log_callback(struct audit_buffer
*ab
, void *a
)
323 struct common_audit_data
*ad
= a
;
324 struct smack_audit_data
*sad
= ad
->smack_audit_data
;
325 audit_log_format(ab
, "lsm=SMACK fn=%s action=%s",
326 ad
->smack_audit_data
->function
,
327 sad
->result
? "denied" : "granted");
328 audit_log_format(ab
, " subject=");
329 audit_log_untrustedstring(ab
, sad
->subject
);
330 audit_log_format(ab
, " object=");
331 audit_log_untrustedstring(ab
, sad
->object
);
332 if (sad
->request
[0] == '\0')
333 audit_log_format(ab
, " labels_differ");
335 audit_log_format(ab
, " requested=%s", sad
->request
);
339 * smack_log - Audit the granting or denial of permissions.
340 * @subject_label : smack label of the requester
341 * @object_label : smack label of the object being accessed
342 * @request: requested permissions
343 * @result: result from smk_access
344 * @a: auxiliary audit data
346 * Audit the granting or denial of permissions in accordance
349 void smack_log(char *subject_label
, char *object_label
, int request
,
350 int result
, struct smk_audit_info
*ad
)
352 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
353 char request_buffer
[SMK_NUM_ACCESS_TYPE
+ 5];
355 char request_buffer
[SMK_NUM_ACCESS_TYPE
+ 1];
357 struct smack_audit_data
*sad
;
358 struct common_audit_data
*a
= &ad
->a
;
360 /* check if we have to log the current event */
361 if (result
< 0 && (log_policy
& SMACK_AUDIT_DENIED
) == 0)
363 if (result
== 0 && (log_policy
& SMACK_AUDIT_ACCEPT
) == 0)
366 sad
= a
->smack_audit_data
;
368 if (sad
->function
== NULL
)
369 sad
->function
= "unknown";
371 /* end preparing the audit data */
372 smack_str_from_perm(request_buffer
, request
);
373 sad
->subject
= subject_label
;
374 sad
->object
= object_label
;
375 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
377 * The result may be positive in bringup mode.
378 * A positive result is an allow, but not for normal reasons.
379 * Mark it as successful, but don't filter it out even if
380 * the logging policy says to do so.
382 if (result
== SMACK_UNCONFINED_SUBJECT
)
383 strcat(request_buffer
, "(US)");
384 else if (result
== SMACK_UNCONFINED_OBJECT
)
385 strcat(request_buffer
, "(UO)");
390 sad
->request
= request_buffer
;
391 sad
->result
= result
;
393 common_lsm_audit(a
, smack_log_callback
, NULL
);
395 #else /* #ifdef CONFIG_AUDIT */
396 void smack_log(char *subject_label
, char *object_label
, int request
,
397 int result
, struct smk_audit_info
*ad
)
402 DEFINE_MUTEX(smack_known_lock
);
404 struct hlist_head smack_known_hash
[SMACK_HASH_SLOTS
];
407 * smk_insert_entry - insert a smack label into a hash map,
409 * this function must be called under smack_known_lock
411 void smk_insert_entry(struct smack_known
*skp
)
414 struct hlist_head
*head
;
416 hash
= full_name_hash(skp
->smk_known
, strlen(skp
->smk_known
));
417 head
= &smack_known_hash
[hash
& (SMACK_HASH_SLOTS
- 1)];
419 hlist_add_head_rcu(&skp
->smk_hashed
, head
);
420 list_add_rcu(&skp
->list
, &smack_known_list
);
424 * smk_find_entry - find a label on the list, return the list entry
425 * @string: a text string that might be a Smack label
427 * Returns a pointer to the entry in the label list that
428 * matches the passed string or NULL if not found.
430 struct smack_known
*smk_find_entry(const char *string
)
433 struct hlist_head
*head
;
434 struct smack_known
*skp
;
436 hash
= full_name_hash(string
, strlen(string
));
437 head
= &smack_known_hash
[hash
& (SMACK_HASH_SLOTS
- 1)];
439 hlist_for_each_entry_rcu(skp
, head
, smk_hashed
)
440 if (strcmp(skp
->smk_known
, string
) == 0)
447 * smk_parse_smack - parse smack label from a text string
448 * @string: a text string that might contain a Smack label
449 * @len: the maximum size, or zero if it is NULL terminated.
451 * Returns a pointer to the clean label or an error code.
453 char *smk_parse_smack(const char *string
, int len
)
459 len
= strlen(string
) + 1;
462 * Reserve a leading '-' as an indicator that
463 * this isn't a label, but an option to interfaces
464 * including /smack/cipso and /smack/cipso2
466 if (string
[0] == '-')
467 return ERR_PTR(-EINVAL
);
469 for (i
= 0; i
< len
; i
++)
470 if (string
[i
] > '~' || string
[i
] <= ' ' || string
[i
] == '/' ||
471 string
[i
] == '"' || string
[i
] == '\\' || string
[i
] == '\'')
474 if (i
== 0 || i
>= SMK_LONGLABEL
)
475 return ERR_PTR(-EINVAL
);
477 smack
= kzalloc(i
+ 1, GFP_KERNEL
);
479 return ERR_PTR(-ENOMEM
);
481 strncpy(smack
, string
, i
);
487 * smk_netlbl_mls - convert a catset to netlabel mls categories
488 * @catset: the Smack categories
489 * @sap: where to put the netlabel categories
491 * Allocates and fills attr.mls
492 * Returns 0 on success, error code on failure.
494 int smk_netlbl_mls(int level
, char *catset
, struct netlbl_lsm_secattr
*sap
,
503 sap
->flags
|= NETLBL_SECATTR_MLS_CAT
;
504 sap
->attr
.mls
.lvl
= level
;
505 sap
->attr
.mls
.cat
= NULL
;
507 for (cat
= 1, cp
= catset
, byte
= 0; byte
< len
; cp
++, byte
++)
508 for (m
= 0x80; m
!= 0; m
>>= 1, cat
++) {
511 rc
= netlbl_catmap_setbit(&sap
->attr
.mls
.cat
,
514 netlbl_catmap_free(sap
->attr
.mls
.cat
);
523 * smk_import_entry - import a label, return the list entry
524 * @string: a text string that might be a Smack label
525 * @len: the maximum size, or zero if it is NULL terminated.
527 * Returns a pointer to the entry in the label list that
528 * matches the passed string, adding it if necessary,
531 struct smack_known
*smk_import_entry(const char *string
, int len
)
533 struct smack_known
*skp
;
538 smack
= smk_parse_smack(string
, len
);
540 return ERR_CAST(smack
);
542 mutex_lock(&smack_known_lock
);
544 skp
= smk_find_entry(smack
);
548 skp
= kzalloc(sizeof(*skp
), GFP_KERNEL
);
550 skp
= ERR_PTR(-ENOMEM
);
554 skp
->smk_known
= smack
;
555 skp
->smk_secid
= smack_next_secid
++;
556 skp
->smk_netlabel
.domain
= skp
->smk_known
;
557 skp
->smk_netlabel
.flags
=
558 NETLBL_SECATTR_DOMAIN
| NETLBL_SECATTR_MLS_LVL
;
560 * If direct labeling works use it.
561 * Otherwise use mapped labeling.
563 slen
= strlen(smack
);
564 if (slen
< SMK_CIPSOLEN
)
565 rc
= smk_netlbl_mls(smack_cipso_direct
, skp
->smk_known
,
566 &skp
->smk_netlabel
, slen
);
568 rc
= smk_netlbl_mls(smack_cipso_mapped
, (char *)&skp
->smk_secid
,
569 &skp
->smk_netlabel
, sizeof(skp
->smk_secid
));
572 INIT_LIST_HEAD(&skp
->smk_rules
);
573 mutex_init(&skp
->smk_rules_lock
);
575 * Make sure that the entry is actually
576 * filled before putting it on the list.
578 smk_insert_entry(skp
);
582 * smk_netlbl_mls failed.
589 mutex_unlock(&smack_known_lock
);
595 * smack_from_secid - find the Smack label associated with a secid
596 * @secid: an integer that might be associated with a Smack label
598 * Returns a pointer to the appropriate Smack label entry if there is one,
599 * otherwise a pointer to the invalid Smack label.
601 struct smack_known
*smack_from_secid(const u32 secid
)
603 struct smack_known
*skp
;
606 list_for_each_entry_rcu(skp
, &smack_known_list
, list
) {
607 if (skp
->smk_secid
== secid
) {
614 * If we got this far someone asked for the translation
615 * of a secid that is not on the list.
618 return &smack_known_invalid
;
622 * Unless a process is running with one of these labels
623 * even having CAP_MAC_OVERRIDE isn't enough to grant
624 * privilege to violate MAC policy. If no labels are
625 * designated (the empty list case) capabilities apply to
628 LIST_HEAD(smack_onlycap_list
);
629 DEFINE_MUTEX(smack_onlycap_lock
);
632 * Is the task privileged and allowed to be privileged
633 * by the onlycap rule.
635 * Returns 1 if the task is allowed to be privileged, 0 if it's not.
637 int smack_privileged(int cap
)
639 struct smack_known
*skp
= smk_of_current();
640 struct smack_known_list_elem
*sklep
;
643 * All kernel tasks are privileged
645 if (unlikely(current
->flags
& PF_KTHREAD
))
652 if (list_empty(&smack_onlycap_list
)) {
657 list_for_each_entry_rcu(sklep
, &smack_onlycap_list
, list
) {
658 if (sklep
->smk_label
== skp
) {