diff options
Diffstat (limited to '')
-rw-r--r-- | security/smack/smack_access.c | 681 |
1 files changed, 681 insertions, 0 deletions
diff --git a/security/smack/smack_access.c b/security/smack/smack_access.c new file mode 100644 index 000000000..07d23b4f7 --- /dev/null +++ b/security/smack/smack_access.c @@ -0,0 +1,681 @@ +/* + * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + * + * Author: + * Casey Schaufler <casey@schaufler-ca.com> + * + */ + +#include <linux/types.h> +#include <linux/slab.h> +#include <linux/fs.h> +#include <linux/sched.h> +#include "smack.h" + +struct smack_known smack_known_huh = { + .smk_known = "?", + .smk_secid = 2, +}; + +struct smack_known smack_known_hat = { + .smk_known = "^", + .smk_secid = 3, +}; + +struct smack_known smack_known_star = { + .smk_known = "*", + .smk_secid = 4, +}; + +struct smack_known smack_known_floor = { + .smk_known = "_", + .smk_secid = 5, +}; + +struct smack_known smack_known_web = { + .smk_known = "@", + .smk_secid = 7, +}; + +LIST_HEAD(smack_known_list); + +/* + * The initial value needs to be bigger than any of the + * known values above. + */ +static u32 smack_next_secid = 10; + +/* + * what events do we log + * can be overwritten at run-time by /smack/logging + */ +int log_policy = SMACK_AUDIT_DENIED; + +/** + * smk_access_entry - look up matching access rule + * @subject_label: a pointer to the subject's Smack label + * @object_label: a pointer to the object's Smack label + * @rule_list: the list of rules to search + * + * This function looks up the subject/object pair in the + * access rule list and returns the access mode. If no + * entry is found returns -ENOENT. + * + * NOTE: + * + * Earlier versions of this function allowed for labels that + * were not on the label list. This was done to allow for + * labels to come over the network that had never been seen + * before on this host. Unless the receiving socket has the + * star label this will always result in a failure check. The + * star labeled socket case is now handled in the networking + * hooks so there is no case where the label is not on the + * label list. Checking to see if the address of two labels + * is the same is now a reliable test. + * + * Do the object check first because that is more + * likely to differ. + * + * Allowing write access implies allowing locking. + */ +int smk_access_entry(char *subject_label, char *object_label, + struct list_head *rule_list) +{ + struct smack_rule *srp; + + list_for_each_entry_rcu(srp, rule_list, list) { + if (srp->smk_object->smk_known == object_label && + srp->smk_subject->smk_known == subject_label) { + int may = srp->smk_access; + /* + * MAY_WRITE implies MAY_LOCK. + */ + if ((may & MAY_WRITE) == MAY_WRITE) + may |= MAY_LOCK; + return may; + } + } + + return -ENOENT; +} + +/** + * smk_access - determine if a subject has a specific access to an object + * @subject: a pointer to the subject's Smack label entry + * @object: a pointer to the object's Smack label entry + * @request: the access requested, in "MAY" format + * @a : a pointer to the audit data + * + * This function looks up the subject/object pair in the + * access rule list and returns 0 if the access is permitted, + * non zero otherwise. + * + * Smack labels are shared on smack_list + */ +int smk_access(struct smack_known *subject, struct smack_known *object, + int request, struct smk_audit_info *a) +{ + int may = MAY_NOT; + int rc = 0; + + /* + * Hardcoded comparisons. + */ + /* + * A star subject can't access any object. + */ + if (subject == &smack_known_star) { + rc = -EACCES; + goto out_audit; + } + /* + * An internet object can be accessed by any subject. + * Tasks cannot be assigned the internet label. + * An internet subject can access any object. + */ + if (object == &smack_known_web || subject == &smack_known_web) + goto out_audit; + /* + * A star object can be accessed by any subject. + */ + if (object == &smack_known_star) + goto out_audit; + /* + * An object can be accessed in any way by a subject + * with the same label. + */ + if (subject->smk_known == object->smk_known) + goto out_audit; + /* + * A hat subject can read or lock any object. + * A floor object can be read or locked by any subject. + */ + if ((request & MAY_ANYREAD) == request || + (request & MAY_LOCK) == request) { + if (object == &smack_known_floor) + goto out_audit; + if (subject == &smack_known_hat) + goto out_audit; + } + /* + * Beyond here an explicit relationship is required. + * If the requested access is contained in the available + * access (e.g. read is included in readwrite) it's + * good. A negative response from smk_access_entry() + * indicates there is no entry for this pair. + */ + rcu_read_lock(); + may = smk_access_entry(subject->smk_known, object->smk_known, + &subject->smk_rules); + rcu_read_unlock(); + + if (may <= 0 || (request & may) != request) { + rc = -EACCES; + goto out_audit; + } +#ifdef CONFIG_SECURITY_SMACK_BRINGUP + /* + * Return a positive value if using bringup mode. + * This allows the hooks to identify checks that + * succeed because of "b" rules. + */ + if (may & MAY_BRINGUP) + rc = SMACK_BRINGUP_ALLOW; +#endif + +out_audit: + +#ifdef CONFIG_SECURITY_SMACK_BRINGUP + if (rc < 0) { + if (object == smack_unconfined) + rc = SMACK_UNCONFINED_OBJECT; + if (subject == smack_unconfined) + rc = SMACK_UNCONFINED_SUBJECT; + } +#endif + +#ifdef CONFIG_AUDIT + if (a) + smack_log(subject->smk_known, object->smk_known, + request, rc, a); +#endif + + return rc; +} + +/** + * smk_tskacc - determine if a task has a specific access to an object + * @tsp: a pointer to the subject's task + * @obj_known: a pointer to the object's label entry + * @mode: the access requested, in "MAY" format + * @a : common audit data + * + * This function checks the subject task's label/object label pair + * in the access rule list and returns 0 if the access is permitted, + * non zero otherwise. It allows that the task may have the capability + * to override the rules. + */ +int smk_tskacc(struct task_smack *tsp, struct smack_known *obj_known, + u32 mode, struct smk_audit_info *a) +{ + struct smack_known *sbj_known = smk_of_task(tsp); + int may; + int rc; + + /* + * Check the global rule list + */ + rc = smk_access(sbj_known, obj_known, mode, NULL); + if (rc >= 0) { + /* + * If there is an entry in the task's rule list + * it can further restrict access. + */ + may = smk_access_entry(sbj_known->smk_known, + obj_known->smk_known, + &tsp->smk_rules); + if (may < 0) + goto out_audit; + if ((mode & may) == mode) + goto out_audit; + rc = -EACCES; + } + + /* + * Allow for priviliged to override policy. + */ + if (rc != 0 && smack_privileged(CAP_MAC_OVERRIDE)) + rc = 0; + +out_audit: +#ifdef CONFIG_AUDIT + if (a) + smack_log(sbj_known->smk_known, obj_known->smk_known, + mode, rc, a); +#endif + return rc; +} + +/** + * smk_curacc - determine if current has a specific access to an object + * @obj_known: a pointer to the object's Smack label entry + * @mode: the access requested, in "MAY" format + * @a : common audit data + * + * This function checks the current subject label/object label pair + * in the access rule list and returns 0 if the access is permitted, + * non zero otherwise. It allows that current may have the capability + * to override the rules. + */ +int smk_curacc(struct smack_known *obj_known, + u32 mode, struct smk_audit_info *a) +{ + struct task_smack *tsp = current_security(); + + return smk_tskacc(tsp, obj_known, mode, a); +} + +#ifdef CONFIG_AUDIT +/** + * smack_str_from_perm : helper to transalate an int to a + * readable string + * @string : the string to fill + * @access : the int + * + */ +static inline void smack_str_from_perm(char *string, int access) +{ + int i = 0; + + if (access & MAY_READ) + string[i++] = 'r'; + if (access & MAY_WRITE) + string[i++] = 'w'; + if (access & MAY_EXEC) + string[i++] = 'x'; + if (access & MAY_APPEND) + string[i++] = 'a'; + if (access & MAY_TRANSMUTE) + string[i++] = 't'; + if (access & MAY_LOCK) + string[i++] = 'l'; + string[i] = '\0'; +} +/** + * smack_log_callback - SMACK specific information + * will be called by generic audit code + * @ab : the audit_buffer + * @a : audit_data + * + */ +static void smack_log_callback(struct audit_buffer *ab, void *a) +{ + struct common_audit_data *ad = a; + struct smack_audit_data *sad = ad->smack_audit_data; + audit_log_format(ab, "lsm=SMACK fn=%s action=%s", + ad->smack_audit_data->function, + sad->result ? "denied" : "granted"); + audit_log_format(ab, " subject="); + audit_log_untrustedstring(ab, sad->subject); + audit_log_format(ab, " object="); + audit_log_untrustedstring(ab, sad->object); + if (sad->request[0] == '\0') + audit_log_format(ab, " labels_differ"); + else + audit_log_format(ab, " requested=%s", sad->request); +} + +/** + * smack_log - Audit the granting or denial of permissions. + * @subject_label : smack label of the requester + * @object_label : smack label of the object being accessed + * @request: requested permissions + * @result: result from smk_access + * @a: auxiliary audit data + * + * Audit the granting or denial of permissions in accordance + * with the policy. + */ +void smack_log(char *subject_label, char *object_label, int request, + int result, struct smk_audit_info *ad) +{ +#ifdef CONFIG_SECURITY_SMACK_BRINGUP + char request_buffer[SMK_NUM_ACCESS_TYPE + 5]; +#else + char request_buffer[SMK_NUM_ACCESS_TYPE + 1]; +#endif + struct smack_audit_data *sad; + struct common_audit_data *a = &ad->a; + + /* check if we have to log the current event */ + if (result < 0 && (log_policy & SMACK_AUDIT_DENIED) == 0) + return; + if (result == 0 && (log_policy & SMACK_AUDIT_ACCEPT) == 0) + return; + + sad = a->smack_audit_data; + + if (sad->function == NULL) + sad->function = "unknown"; + + /* end preparing the audit data */ + smack_str_from_perm(request_buffer, request); + sad->subject = subject_label; + sad->object = object_label; +#ifdef CONFIG_SECURITY_SMACK_BRINGUP + /* + * The result may be positive in bringup mode. + * A positive result is an allow, but not for normal reasons. + * Mark it as successful, but don't filter it out even if + * the logging policy says to do so. + */ + if (result == SMACK_UNCONFINED_SUBJECT) + strcat(request_buffer, "(US)"); + else if (result == SMACK_UNCONFINED_OBJECT) + strcat(request_buffer, "(UO)"); + + if (result > 0) + result = 0; +#endif + sad->request = request_buffer; + sad->result = result; + + common_lsm_audit(a, smack_log_callback, NULL); +} +#else /* #ifdef CONFIG_AUDIT */ +void smack_log(char *subject_label, char *object_label, int request, + int result, struct smk_audit_info *ad) +{ +} +#endif + +DEFINE_MUTEX(smack_known_lock); + +struct hlist_head smack_known_hash[SMACK_HASH_SLOTS]; + +/** + * smk_insert_entry - insert a smack label into a hash map, + * + * this function must be called under smack_known_lock + */ +void smk_insert_entry(struct smack_known *skp) +{ + unsigned int hash; + struct hlist_head *head; + + hash = full_name_hash(NULL, skp->smk_known, strlen(skp->smk_known)); + head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; + + hlist_add_head_rcu(&skp->smk_hashed, head); + list_add_rcu(&skp->list, &smack_known_list); +} + +/** + * smk_find_entry - find a label on the list, return the list entry + * @string: a text string that might be a Smack label + * + * Returns a pointer to the entry in the label list that + * matches the passed string or NULL if not found. + */ +struct smack_known *smk_find_entry(const char *string) +{ + unsigned int hash; + struct hlist_head *head; + struct smack_known *skp; + + hash = full_name_hash(NULL, string, strlen(string)); + head = &smack_known_hash[hash & (SMACK_HASH_SLOTS - 1)]; + + hlist_for_each_entry_rcu(skp, head, smk_hashed) + if (strcmp(skp->smk_known, string) == 0) + return skp; + + return NULL; +} + +/** + * smk_parse_smack - parse smack label from a text string + * @string: a text string that might contain a Smack label + * @len: the maximum size, or zero if it is NULL terminated. + * + * Returns a pointer to the clean label or an error code. + */ +char *smk_parse_smack(const char *string, int len) +{ + char *smack; + int i; + + if (len <= 0) + len = strlen(string) + 1; + + /* + * Reserve a leading '-' as an indicator that + * this isn't a label, but an option to interfaces + * including /smack/cipso and /smack/cipso2 + */ + if (string[0] == '-') + return ERR_PTR(-EINVAL); + + for (i = 0; i < len; i++) + if (string[i] > '~' || string[i] <= ' ' || string[i] == '/' || + string[i] == '"' || string[i] == '\\' || string[i] == '\'') + break; + + if (i == 0 || i >= SMK_LONGLABEL) + return ERR_PTR(-EINVAL); + + smack = kzalloc(i + 1, GFP_NOFS); + if (smack == NULL) + return ERR_PTR(-ENOMEM); + + strncpy(smack, string, i); + + return smack; +} + +/** + * smk_netlbl_mls - convert a catset to netlabel mls categories + * @catset: the Smack categories + * @sap: where to put the netlabel categories + * + * Allocates and fills attr.mls + * Returns 0 on success, error code on failure. + */ +int smk_netlbl_mls(int level, char *catset, struct netlbl_lsm_secattr *sap, + int len) +{ + unsigned char *cp; + unsigned char m; + int cat; + int rc; + int byte; + + sap->flags |= NETLBL_SECATTR_MLS_CAT; + sap->attr.mls.lvl = level; + sap->attr.mls.cat = NULL; + + for (cat = 1, cp = catset, byte = 0; byte < len; cp++, byte++) + for (m = 0x80; m != 0; m >>= 1, cat++) { + if ((m & *cp) == 0) + continue; + rc = netlbl_catmap_setbit(&sap->attr.mls.cat, + cat, GFP_NOFS); + if (rc < 0) { + netlbl_catmap_free(sap->attr.mls.cat); + return rc; + } + } + + return 0; +} + +/** + * smk_import_entry - import a label, return the list entry + * @string: a text string that might be a Smack label + * @len: the maximum size, or zero if it is NULL terminated. + * + * Returns a pointer to the entry in the label list that + * matches the passed string, adding it if necessary, + * or an error code. + */ +struct smack_known *smk_import_entry(const char *string, int len) +{ + struct smack_known *skp; + char *smack; + int slen; + int rc; + + smack = smk_parse_smack(string, len); + if (IS_ERR(smack)) + return ERR_CAST(smack); + + mutex_lock(&smack_known_lock); + + skp = smk_find_entry(smack); + if (skp != NULL) + goto freeout; + + skp = kzalloc(sizeof(*skp), GFP_NOFS); + if (skp == NULL) { + skp = ERR_PTR(-ENOMEM); + goto freeout; + } + + skp->smk_known = smack; + skp->smk_secid = smack_next_secid++; + skp->smk_netlabel.domain = skp->smk_known; + skp->smk_netlabel.flags = + NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; + /* + * If direct labeling works use it. + * Otherwise use mapped labeling. + */ + slen = strlen(smack); + if (slen < SMK_CIPSOLEN) + rc = smk_netlbl_mls(smack_cipso_direct, skp->smk_known, + &skp->smk_netlabel, slen); + else + rc = smk_netlbl_mls(smack_cipso_mapped, (char *)&skp->smk_secid, + &skp->smk_netlabel, sizeof(skp->smk_secid)); + + if (rc >= 0) { + INIT_LIST_HEAD(&skp->smk_rules); + mutex_init(&skp->smk_rules_lock); + /* + * Make sure that the entry is actually + * filled before putting it on the list. + */ + smk_insert_entry(skp); + goto unlockout; + } + /* + * smk_netlbl_mls failed. + */ + kfree(skp); + skp = ERR_PTR(rc); +freeout: + kfree(smack); +unlockout: + mutex_unlock(&smack_known_lock); + + return skp; +} + +/** + * smack_from_secid - find the Smack label associated with a secid + * @secid: an integer that might be associated with a Smack label + * + * Returns a pointer to the appropriate Smack label entry if there is one, + * otherwise a pointer to the invalid Smack label. + */ +struct smack_known *smack_from_secid(const u32 secid) +{ + struct smack_known *skp; + + rcu_read_lock(); + list_for_each_entry_rcu(skp, &smack_known_list, list) { + if (skp->smk_secid == secid) { + rcu_read_unlock(); + return skp; + } + } + + /* + * If we got this far someone asked for the translation + * of a secid that is not on the list. + */ + rcu_read_unlock(); + return &smack_known_huh; +} + +/* + * Unless a process is running with one of these labels + * even having CAP_MAC_OVERRIDE isn't enough to grant + * privilege to violate MAC policy. If no labels are + * designated (the empty list case) capabilities apply to + * everyone. + */ +LIST_HEAD(smack_onlycap_list); +DEFINE_MUTEX(smack_onlycap_lock); + +/** + * smack_privileged_cred - are all privilege requirements met by cred + * @cap: The requested capability + * @cred: the credential to use + * + * Is the task privileged and allowed to be privileged + * by the onlycap rule. + * + * Returns true if the task is allowed to be privileged, false if it's not. + */ +bool smack_privileged_cred(int cap, const struct cred *cred) +{ + struct task_smack *tsp = cred->security; + struct smack_known *skp = tsp->smk_task; + struct smack_known_list_elem *sklep; + int rc; + + rc = cap_capable(cred, &init_user_ns, cap, CAP_OPT_NONE); + if (rc) + return false; + + rcu_read_lock(); + if (list_empty(&smack_onlycap_list)) { + rcu_read_unlock(); + return true; + } + + list_for_each_entry_rcu(sklep, &smack_onlycap_list, list) { + if (sklep->smk_label == skp) { + rcu_read_unlock(); + return true; + } + } + rcu_read_unlock(); + + return false; +} + +/** + * smack_privileged - are all privilege requirements met + * @cap: The requested capability + * + * Is the task privileged and allowed to be privileged + * by the onlycap rule. + * + * Returns true if the task is allowed to be privileged, false if it's not. + */ +bool smack_privileged(int cap) +{ + /* + * All kernel tasks are privileged + */ + if (unlikely(current->flags & PF_KTHREAD)) + return true; + + return smack_privileged_cred(cap, current_cred()); +} |