1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 4 * 5 * Author: 6 * Casey Schaufler <casey@schaufler-ca.com> 7 */ 8 9 #include <linux/types.h> 10 #include <linux/slab.h> 11 #include <linux/fs.h> 12 #include <linux/sched.h> 13 #include "smack.h" 14 15 struct smack_known smack_known_huh = { 16 .smk_known = "?", 17 .smk_secid = 2, 18 }; 19 20 struct smack_known smack_known_hat = { 21 .smk_known = "^", 22 .smk_secid = 3, 23 }; 24 25 struct smack_known smack_known_star = { 26 .smk_known = "*", 27 .smk_secid = 4, 28 }; 29 30 struct smack_known smack_known_floor = { 31 .smk_known = "_", 32 .smk_secid = 5, 33 }; 34 35 struct smack_known smack_known_web = { 36 .smk_known = "@", 37 .smk_secid = 7, 38 }; 39 40 LIST_HEAD(smack_known_list); 41 42 /* 43 * The initial value needs to be bigger than any of the 44 * known values above. 45 */ 46 static u32 smack_next_secid = 10; 47 48 /* 49 * what events do we log 50 * can be overwritten at run-time by /smack/logging 51 */ 52 int log_policy = SMACK_AUDIT_DENIED; 53 54 /** 55 * smk_access_entry - look up matching access rule 56 * @subject_label: a pointer to the subject's Smack label 57 * @object_label: a pointer to the object's Smack label 58 * @rule_list: the list of rules to search 59 * 60 * This function looks up the subject/object pair in the 61 * access rule list and returns the access mode. If no 62 * entry is found returns -ENOENT. 63 * 64 * NOTE: 65 * 66 * Earlier versions of this function allowed for labels that 67 * were not on the label list. This was done to allow for 68 * labels to come over the network that had never been seen 69 * before on this host. Unless the receiving socket has the 70 * star label this will always result in a failure check. The 71 * star labeled socket case is now handled in the networking 72 * hooks so there is no case where the label is not on the 73 * label list. Checking to see if the address of two labels 74 * is the same is now a reliable test. 75 * 76 * Do the object check first because that is more 77 * likely to differ. 78 * 79 * Allowing write access implies allowing locking. 80 */ 81 int smk_access_entry(char *subject_label, char *object_label, 82 struct list_head *rule_list) 83 { 84 struct smack_rule *srp; 85 86 list_for_each_entry_rcu(srp, rule_list, list) { 87 if (srp->smk_object->smk_known == object_label && 88 srp->smk_subject->smk_known == subject_label) { 89 int may = srp->smk_access; 90 /* 91 * MAY_WRITE implies MAY_LOCK. 92 */ 93 if ((may & MAY_WRITE) == MAY_WRITE) 94 may |= MAY_LOCK; 95 return may; 96 } 97 } 98 99 return -ENOENT; 100 } 101 102 /** 103 * smk_access - determine if a subject has a specific access to an object 104 * @subject: a pointer to the subject's Smack label entry 105 * @object: a pointer to the object's Smack label entry 106 * @request: the access requested, in "MAY" format 107 * @a : a pointer to the audit data 108 * 109 * This function looks up the subject/object pair in the 110 * access rule list and returns 0 if the access is permitted, 111 * non zero otherwise. 112 * 113 * Smack labels are shared on smack_list 114 */ 115 int smk_access(struct smack_known *subject, struct smack_known *object, 116 int request, struct smk_audit_info *a) 117 { 118 int may = MAY_NOT; 119 int rc = 0; 120 121 /* 122 * Hardcoded comparisons. 123 */ 124 /* 125 * A star subject can't access any object. 126 */ 127 if (subject == &smack_known_star) { 128 rc = -EACCES; 129 goto out_audit; 130 } 131 /* 132 * An internet object can be accessed by any subject. 133 * Tasks cannot be assigned the internet label. 134 * An internet subject can access any object. 135 */ 136 if (object == &smack_known_web || subject == &smack_known_web) 137 goto out_audit; 138 /* 139 * A star object can be accessed by any subject. 140 */ 141 if (object == &smack_known_star) 142 goto out_audit; 143 /* 144 * An object can be accessed in any way by a subject 145 * with the same label. 146 */ 147 if (subject->smk_known == object->smk_known) 148 goto out_audit; 149 /* 150 * A hat subject can read or lock any object. 151 * A floor object can be read or locked by any subject. 152 */ 153 if ((request & MAY_ANYREAD) == request || 154 (request & MAY_LOCK) == request) { 155 if (object == &smack_known_floor) 156 goto out_audit; 157 if (subject == &smack_known_hat) 158 goto out_audit; 159 } 160 /* 161 * Beyond here an explicit relationship is required. 162 * If the requested access is contained in the available 163 * access (e.g. read is included in readwrite) it's 164 * good. A negative response from smk_access_entry() 165 * indicates there is no entry for this pair. 166 */ 167 rcu_read_lock(); 168 may = smk_access_entry(subject->smk_known, object->smk_known, 169 &subject->smk_rules); 170 rcu_read_unlock(); 171 172 if (may <= 0 || (request & may) != request) { 173 rc = -EACCES; 174 goto out_audit; 175 } 176 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 177 /* 178 * Return a positive value if using bringup mode. 179 * This allows the hooks to identify checks that 180 * succeed because of "b" rules. 181 */ 182 if (may & MAY_BRINGUP) 183 rc = SMACK_BRINGUP_ALLOW; 184 #endif 185 186 out_audit: 187 188 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 189 if (rc < 0) { 190 if (object == smack_unconfined) 191 rc = SMACK_UNCONFINED_OBJECT; 192 if (subject == smack_unconfined) 193 rc = SMACK_UNCONFINED_SUBJECT; 194 } 195 #endif 196 197 #ifdef CONFIG_AUDIT 198 if (a) 199 smack_log(subject->smk_known, object->smk_known, 200 request, rc, a); 201 #endif 202 203 return rc; 204 } 205 206 /** 207 * smk_tskacc - determine if a task has a specific access to an object 208 * @tsp: a pointer to the subject's task 209 * @obj_known: a pointer to the object's label entry 210 * @mode: the access requested, in "MAY" format 211 * @a : common audit data 212 * 213 * This function checks the subject task's label/object label pair 214 * in the access rule list and returns 0 if the access is permitted, 215 * non zero otherwise. It allows that the task may have the capability 216 * to override the rules. 217 */ 218 int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, 219 u32 mode, struct smk_audit_info *a) 220 { 221 struct smack_known *sbj_known = smk_of_task(tsp); 222 int may; 223 int rc; 224 225 /* 226 * Check the global rule list 227 */ 228 rc = smk_access(sbj_known, obj_known, mode, NULL); 229 if (rc >= 0) { 230 /* 231 * If there is an entry in the task's rule list 232 * it can further restrict access. 233 */ 234 may = smk_access_entry(sbj_known->smk_known, 235 obj_known->smk_known, 236 &tsp->smk_rules); 237 if (may < 0) 238 goto out_audit; 239 if ((mode & may) == mode) 240 goto out_audit; 241 rc = -EACCES; 242 } 243 244 /* 245 * Allow for priviliged to override policy. 246 */ 247 if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) 248 rc = 0; 249 250 out_audit: 251 #ifdef CONFIG_AUDIT 252 if (a) 253 smack_log(sbj_known->smk_known, obj_known->smk_known, 254 mode, rc, a); 255 #endif 256 return rc; 257 } 258 259 /** 260 * smk_curacc - determine if current has a specific access to an object 261 * @obj_known: a pointer to the object's Smack label entry 262 * @mode: the access requested, in "MAY" format 263 * @a : common audit data 264 * 265 * This function checks the current subject label/object label pair 266 * in the access rule list and returns 0 if the access is permitted, 267 * non zero otherwise. It allows that current may have the capability 268 * to override the rules. 269 */ 270 int smk_curacc(struct smack_known *obj_known, 271 u32 mode, struct smk_audit_info *a) 272 { 273 struct task_smack *tsp = smack_cred(current_cred()); 274 275 return smk_tskacc(tsp, obj_known, mode, a); 276 } 277 278 #ifdef CONFIG_AUDIT 279 /** 280 * smack_str_from_perm : helper to transalate an int to a 281 * readable string 282 * @string : the string to fill 283 * @access : the int 284 * 285 */ 286 static inline void smack_str_from_perm(char *string, int access) 287 { 288 int i = 0; 289 290 if (access & MAY_READ) 291 string[i++] = 'r'; 292 if (access & MAY_WRITE) 293 string[i++] = 'w'; 294 if (access & MAY_EXEC) 295 string[i++] = 'x'; 296 if (access & MAY_APPEND) 297 string[i++] = 'a'; 298 if (access & MAY_TRANSMUTE) 299 string[i++] = 't'; 300 if (access & MAY_LOCK) 301 string[i++] = 'l'; 302 string[i] = '\0'; 303 } 304 /** 305 * smack_log_callback - SMACK specific information 306 * will be called by generic audit code 307 * @ab : the audit_buffer 308 * @a : audit_data 309 * 310 */ 311 static void smack_log_callback(struct audit_buffer *ab, void *a) 312 { 313 struct common_audit_data *ad = a; 314 struct smack_audit_data *sad = ad->smack_audit_data; 315 audit_log_format(ab, "lsm=SMACK fn=%s action=%s", 316 ad->smack_audit_data->function, 317 sad->result ? "denied" : "granted"); 318 audit_log_format(ab, " subject="); 319 audit_log_untrustedstring(ab, sad->subject); 320 audit_log_format(ab, " object="); 321 audit_log_untrustedstring(ab, sad->object); 322 if (sad->request[0] == '\0') 323 audit_log_format(ab, " labels_differ"); 324 else 325 audit_log_format(ab, " requested=%s", sad->request); 326 } 327 328 /** 329 * smack_log - Audit the granting or denial of permissions. 330 * @subject_label : smack label of the requester 331 * @object_label : smack label of the object being accessed 332 * @request: requested permissions 333 * @result: result from smk_access 334 * @ad: auxiliary audit data 335 * 336 * Audit the granting or denial of permissions in accordance 337 * with the policy. 338 */ 339 void smack_log(char *subject_label, char *object_label, int request, 340 int result, struct smk_audit_info *ad) 341 { 342 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 343 char request_buffer[SMK_NUM_ACCESS_TYPE + 5]; 344 #else 345 char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; 346 #endif 347 struct smack_audit_data *sad; 348 struct common_audit_data *a = &ad->a; 349 350 /* check if we have to log the current event */ 351 if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) 352 return; 353 if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) 354 return; 355 356 sad = a->smack_audit_data; 357 358 if (sad->function == NULL) 359 sad->function = "unknown"; 360 361 /* end preparing the audit data */ 362 smack_str_from_perm(request_buffer, request); 363 sad->subject = subject_label; 364 sad->object = object_label; 365 #ifdef CONFIG_SECURITY_SMACK_BRINGUP 366 /* 367 * The result may be positive in bringup mode. 368 * A positive result is an allow, but not for normal reasons. 369 * Mark it as successful, but don't filter it out even if 370 * the logging policy says to do so. 371 */ 372 if (result == SMACK_UNCONFINED_SUBJECT) 373 strcat(request_buffer, "(US)"); 374 else if (result == SMACK_UNCONFINED_OBJECT) 375 strcat(request_buffer, "(UO)"); 376 377 if (result > 0) 378 result = 0; 379 #endif 380 sad->request = request_buffer; 381 sad->result = result; 382 383 common_lsm_audit(a, smack_log_callback, NULL); 384 } 385 #else /* #ifdef CONFIG_AUDIT */ 386 void smack_log(char *subject_label, char *object_label, int request, 387 int result, struct smk_audit_info *ad) 388 { 389 } 390 #endif 391 392 DEFINE_MUTEX(smack_known_lock); 393 394 struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; 395 396 /** 397 * smk_insert_entry - insert a smack label into a hash map, 398 * @skp: smack label 399 * 400 * this function must be called under smack_known_lock 401 */ 402 void smk_insert_entry(struct smack_known *skp) 403 { 404 unsigned int hash; 405 struct hlist_head *head; 406 407 hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known)); 408 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 409 410 hlist_add_head_rcu(&skp->smk_hashed, head); 411 list_add_rcu(&skp->list, &smack_known_list); 412 } 413 414 /** 415 * smk_find_entry - find a label on the list, return the list entry 416 * @string: a text string that might be a Smack label 417 * 418 * Returns a pointer to the entry in the label list that 419 * matches the passed string or NULL if not found. 420 */ 421 struct smack_known *smk_find_entry(const char *string) 422 { 423 unsigned int hash; 424 struct hlist_head *head; 425 struct smack_known *skp; 426 427 hash = full_name_hash(NULL, string, strlen(string)); 428 head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; 429 430 hlist_for_each_entry_rcu(skp, head, smk_hashed) 431 if (strcmp(skp->smk_known, string) == 0) 432 return skp; 433 434 return NULL; 435 } 436 437 /** 438 * smk_parse_smack - parse smack label from a text string 439 * @string: a text string that might contain a Smack label 440 * @len: the maximum size, or zero if it is NULL terminated. 441 * 442 * Returns a pointer to the clean label or an error code. 443 */ 444 char *smk_parse_smack(const char *string, int len) 445 { 446 char *smack; 447 int i; 448 449 if (len <= 0) 450 len = strlen(string) + 1; 451 452 /* 453 * Reserve a leading '-' as an indicator that 454 * this isn't a label, but an option to interfaces 455 * including /smack/cipso and /smack/cipso2 456 */ 457 if (string[0] == '-') 458 return ERR_PTR(-EINVAL); 459 460 for (i = 0; i < len; i++) 461 if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || 462 string[i] == '"' || string[i] == '\\' || string[i] == '\'') 463 break; 464 465 if (i == 0 || i >= SMK_LONGLABEL) 466 return ERR_PTR(-EINVAL); 467 468 smack = kzalloc(i + 1, GFP_NOFS); 469 if (smack == NULL) 470 return ERR_PTR(-ENOMEM); 471 472 strncpy(smack, string, i); 473 474 return smack; 475 } 476 477 /** 478 * smk_netlbl_mls - convert a catset to netlabel mls categories 479 * @level: MLS sensitivity level 480 * @catset: the Smack categories 481 * @sap: where to put the netlabel categories 482 * @len: number of bytes for the levels in a CIPSO IP option 483 * 484 * Allocates and fills attr.mls 485 * Returns 0 on success, error code on failure. 486 */ 487 int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, 488 int len) 489 { 490 unsigned char *cp; 491 unsigned char m; 492 int cat; 493 int rc; 494 int byte; 495 496 sap->flags |= NETLBL_SECATTR_MLS_CAT; 497 sap->attr.mls.lvl = level; 498 sap->attr.mls.cat = NULL; 499 500 for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) 501 for (m = 0x80; m != 0; m >>= 1, cat++) { 502 if ((m & *cp) == 0) 503 continue; 504 rc = netlbl_catmap_setbit(&sap->attr.mls.cat, 505 cat, GFP_NOFS); 506 if (rc < 0) { 507 netlbl_catmap_free(sap->attr.mls.cat); 508 return rc; 509 } 510 } 511 512 return 0; 513 } 514 515 /** 516 * smack_populate_secattr - fill in the smack_known netlabel information 517 * @skp: pointer to the structure to fill 518 * 519 * Populate the netlabel secattr structure for a Smack label. 520 * 521 * Returns 0 unless creating the category mapping fails 522 */ 523 int smack_populate_secattr(struct smack_known *skp) 524 { 525 int slen; 526 527 skp->smk_netlabel.attr.secid = skp->smk_secid; 528 skp->smk_netlabel.domain = skp->smk_known; 529 skp->smk_netlabel.cache = netlbl_secattr_cache_alloc(GFP_ATOMIC); 530 if (skp->smk_netlabel.cache != NULL) { 531 skp->smk_netlabel.flags |= NETLBL_SECATTR_CACHE; 532 skp->smk_netlabel.cache->free = NULL; 533 skp->smk_netlabel.cache->data = skp; 534 } 535 skp->smk_netlabel.flags |= NETLBL_SECATTR_SECID | 536 NETLBL_SECATTR_MLS_LVL | 537 NETLBL_SECATTR_DOMAIN; 538 /* 539 * If direct labeling works use it. 540 * Otherwise use mapped labeling. 541 */ 542 slen = strlen(skp->smk_known); 543 if (slen < SMK_CIPSOLEN) 544 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known, 545 &skp->smk_netlabel, slen); 546 547 return smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, 548 &skp->smk_netlabel, sizeof(skp->smk_secid)); 549 } 550 551 /** 552 * smk_import_entry - import a label, return the list entry 553 * @string: a text string that might be a Smack label 554 * @len: the maximum size, or zero if it is NULL terminated. 555 * 556 * Returns a pointer to the entry in the label list that 557 * matches the passed string, adding it if necessary, 558 * or an error code. 559 */ 560 struct smack_known *smk_import_entry(const char *string, int len) 561 { 562 struct smack_known *skp; 563 char *smack; 564 int rc; 565 566 smack = smk_parse_smack(string, len); 567 if (IS_ERR(smack)) 568 return ERR_CAST(smack); 569 570 mutex_lock(&smack_known_lock); 571 572 skp = smk_find_entry(smack); 573 if (skp != NULL) 574 goto freeout; 575 576 skp = kzalloc(sizeof(*skp), GFP_NOFS); 577 if (skp == NULL) { 578 skp = ERR_PTR(-ENOMEM); 579 goto freeout; 580 } 581 582 skp->smk_known = smack; 583 skp->smk_secid = smack_next_secid++; 584 585 rc = smack_populate_secattr(skp); 586 if (rc >= 0) { 587 INIT_LIST_HEAD(&skp->smk_rules); 588 mutex_init(&skp->smk_rules_lock); 589 /* 590 * Make sure that the entry is actually 591 * filled before putting it on the list. 592 */ 593 smk_insert_entry(skp); 594 goto unlockout; 595 } 596 kfree(skp); 597 skp = ERR_PTR(rc); 598 freeout: 599 kfree(smack); 600 unlockout: 601 mutex_unlock(&smack_known_lock); 602 603 return skp; 604 } 605 606 /** 607 * smack_from_secid - find the Smack label associated with a secid 608 * @secid: an integer that might be associated with a Smack label 609 * 610 * Returns a pointer to the appropriate Smack label entry if there is one, 611 * otherwise a pointer to the invalid Smack label. 612 */ 613 struct smack_known *smack_from_secid(const u32 secid) 614 { 615 struct smack_known *skp; 616 617 rcu_read_lock(); 618 list_for_each_entry_rcu(skp, &smack_known_list, list) { 619 if (skp->smk_secid == secid) { 620 rcu_read_unlock(); 621 return skp; 622 } 623 } 624 625 /* 626 * If we got this far someone asked for the translation 627 * of a secid that is not on the list. 628 */ 629 rcu_read_unlock(); 630 return &smack_known_huh; 631 } 632 633 /* 634 * Unless a process is running with one of these labels 635 * even having CAP_MAC_OVERRIDE isn't enough to grant 636 * privilege to violate MAC policy. If no labels are 637 * designated (the empty list case) capabilities apply to 638 * everyone. 639 */ 640 LIST_HEAD(smack_onlycap_list); 641 DEFINE_MUTEX(smack_onlycap_lock); 642 643 /** 644 * smack_privileged_cred - are all privilege requirements met by cred 645 * @cap: The requested capability 646 * @cred: the credential to use 647 * 648 * Is the task privileged and allowed to be privileged 649 * by the onlycap rule. 650 * 651 * Returns true if the task is allowed to be privileged, false if it's not. 652 */ 653 bool smack_privileged_cred(int cap, const struct cred *cred) 654 { 655 struct task_smack *tsp = smack_cred(cred); 656 struct smack_known *skp = tsp->smk_task; 657 struct smack_known_list_elem *sklep; 658 int rc; 659 660 rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE); 661 if (rc) 662 return false; 663 664 rcu_read_lock(); 665 if (list_empty(&smack_onlycap_list)) { 666 rcu_read_unlock(); 667 return true; 668 } 669 670 list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) { 671 if (sklep->smk_label == skp) { 672 rcu_read_unlock(); 673 return true; 674 } 675 } 676 rcu_read_unlock(); 677 678 return false; 679 } 680 681 /** 682 * smack_privileged - are all privilege requirements met 683 * @cap: The requested capability 684 * 685 * Is the task privileged and allowed to be privileged 686 * by the onlycap rule. 687 * 688 * Returns true if the task is allowed to be privileged, false if it's not. 689 */ 690 bool smack_privileged(int cap) 691 { 692 /* 693 * All kernel tasks are privileged 694 */ 695 if (unlikely(current->flags & PF_KTHREAD)) 696 return true; 697 698 return smack_privileged_cred(cap, current_cred()); 699 } 700