aboutsummaryrefslogtreecommitdiff
path: root/security/smack/smack_lsm.c
diff options
context:
space:
mode:
Diffstat (limited to 'security/smack/smack_lsm.c')
-rw-r--r--security/smack/smack_lsm.c282
1 files changed, 165 insertions, 117 deletions
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index 84b62b5e9e2..921514902ec 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -7,6 +7,8 @@
* Casey Schaufler <casey@schaufler-ca.com>
*
* Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
+ * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
+ * Paul Moore <paul.moore@hp.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2,
@@ -20,6 +22,7 @@
#include <linux/ext2_fs.h>
#include <linux/kd.h>
#include <asm/ioctls.h>
+#include <linux/ip.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/mutex.h>
@@ -606,6 +609,9 @@ static int smack_inode_setxattr(struct dentry *dentry, const char *name,
strcmp(name, XATTR_NAME_SMACKIPOUT) == 0) {
if (!capable(CAP_MAC_ADMIN))
rc = -EPERM;
+ /* a label cannot be void and cannot begin with '-' */
+ if (size == 0 || (size > 0 && ((char *)value)[0] == '-'))
+ rc = -EINVAL;
} else
rc = cap_inode_setxattr(dentry, name, value, size, flags);
@@ -1275,7 +1281,6 @@ static int smack_sk_alloc_security(struct sock *sk, int family, gfp_t gfp_flags)
ssp->smk_in = csp;
ssp->smk_out = csp;
- ssp->smk_labeled = SMACK_CIPSO_SOCKET;
ssp->smk_packet[0] = '\0';
sk->sk_security = ssp;
@@ -1295,6 +1300,43 @@ static void smack_sk_free_security(struct sock *sk)
}
/**
+* smack_host_label - check host based restrictions
+* @sip: the object end
+*
+* looks for host based access restrictions
+*
+* This version will only be appropriate for really small sets of single label
+* hosts. The caller is responsible for ensuring that the RCU read lock is
+* taken before calling this function.
+*
+* Returns the label of the far end or NULL if it's not special.
+*/
+static char *smack_host_label(struct sockaddr_in *sip)
+{
+ struct smk_netlbladdr *snp;
+ struct in_addr *siap = &sip->sin_addr;
+
+ if (siap->s_addr == 0)
+ return NULL;
+
+ list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list)
+ /*
+ * we break after finding the first match because
+ * the list is sorted from longest to shortest mask
+ * so we have found the most specific match
+ */
+ if ((&snp->smk_host.sin_addr)->s_addr ==
+ (siap->s_addr & (&snp->smk_mask)->s_addr)) {
+ /* we have found the special CIPSO option */
+ if (snp->smk_label == smack_cipso_option)
+ return NULL;
+ return snp->smk_label;
+ }
+
+ return NULL;
+}
+
+/**
* smack_set_catset - convert a capset to netlabel mls categories
* @catset: the Smack categories
* @sap: where to put the netlabel categories
@@ -1365,11 +1407,10 @@ static void smack_to_secattr(char *smack, struct netlbl_lsm_secattr *nlsp)
*/
static int smack_netlabel(struct sock *sk, int labeled)
{
- struct socket_smack *ssp;
+ struct socket_smack *ssp = sk->sk_security;
struct netlbl_lsm_secattr secattr;
int rc = 0;
- ssp = sk->sk_security;
/*
* Usually the netlabel code will handle changing the
* packet labeling based on the label.
@@ -1387,27 +1428,51 @@ static int smack_netlabel(struct sock *sk, int labeled)
else {
netlbl_secattr_init(&secattr);
smack_to_secattr(ssp->smk_out, &secattr);
- rc = netlbl_sock_setattr(sk, &secattr);
+ rc = netlbl_sock_setattr(sk, sk->sk_family, &secattr);
netlbl_secattr_destroy(&secattr);
}
bh_unlock_sock(sk);
local_bh_enable();
- /*
- * Remember the label scheme used so that it is not
- * necessary to do the netlabel setting if it has not
- * changed the next time through.
- *
- * The -EDESTADDRREQ case is an indication that there's
- * a single level host involved.
- */
- if (rc == 0)
- ssp->smk_labeled = labeled;
return rc;
}
/**
+ * smack_netlbel_send - Set the secattr on a socket and perform access checks
+ * @sk: the socket
+ * @sap: the destination address
+ *
+ * Set the correct secattr for the given socket based on the destination
+ * address and perform any outbound access checks needed.
+ *
+ * Returns 0 on success or an error code.
+ *
+ */
+static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
+{
+ int rc;
+ int sk_lbl;
+ char *hostsp;
+ struct socket_smack *ssp = sk->sk_security;
+
+ rcu_read_lock();
+ hostsp = smack_host_label(sap);
+ if (hostsp != NULL) {
+ sk_lbl = SMACK_UNLABELED_SOCKET;
+ rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
+ } else {
+ sk_lbl = SMACK_CIPSO_SOCKET;
+ rc = 0;
+ }
+ rcu_read_unlock();
+ if (rc != 0)
+ return rc;
+
+ return smack_netlabel(sk, sk_lbl);
+}
+
+/**
* smack_inode_setsecurity - set smack xattrs
* @inode: the object
* @name: attribute name
@@ -1428,7 +1493,7 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
struct socket *sock;
int rc = 0;
- if (value == NULL || size > SMK_LABELLEN)
+ if (value == NULL || size > SMK_LABELLEN || size == 0)
return -EACCES;
sp = smk_import(value, size);
@@ -1488,41 +1553,6 @@ static int smack_socket_post_create(struct socket *sock, int family,
return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
}
-
-/**
- * smack_host_label - check host based restrictions
- * @sip: the object end
- *
- * looks for host based access restrictions
- *
- * This version will only be appropriate for really small
- * sets of single label hosts.
- *
- * Returns the label of the far end or NULL if it's not special.
- */
-static char *smack_host_label(struct sockaddr_in *sip)
-{
- struct smk_netlbladdr *snp;
- struct in_addr *siap = &sip->sin_addr;
-
- if (siap->s_addr == 0)
- return NULL;
-
- for (snp = smack_netlbladdrs; snp != NULL; snp = snp->smk_next) {
- /*
- * we break after finding the first match because
- * the list is sorted from longest to shortest mask
- * so we have found the most specific match
- */
- if ((&snp->smk_host.sin_addr)->s_addr ==
- (siap->s_addr & (&snp->smk_mask)->s_addr)) {
- return snp->smk_label;
- }
- }
-
- return NULL;
-}
-
/**
* smack_socket_connect - connect access check
* @sock: the socket
@@ -1536,30 +1566,12 @@ static char *smack_host_label(struct sockaddr_in *sip)
static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
int addrlen)
{
- struct socket_smack *ssp = sock->sk->sk_security;
- char *hostsp;
- int rc;
-
if (sock->sk == NULL || sock->sk->sk_family != PF_INET)
return 0;
-
if (addrlen < sizeof(struct sockaddr_in))
return -EINVAL;
- hostsp = smack_host_label((struct sockaddr_in *)sap);
- if (hostsp == NULL) {
- if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
- return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
- return 0;
- }
-
- rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
- if (rc != 0)
- return rc;
-
- if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
- return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
- return 0;
+ return smack_netlabel_send(sock->sk, (struct sockaddr_in *)sap);
}
/**
@@ -2260,9 +2272,6 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
int size)
{
struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
- struct socket_smack *ssp = sock->sk->sk_security;
- char *hostsp;
- int rc;
/*
* Perfectly reasonable for this to be NULL
@@ -2270,22 +2279,7 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
if (sip == NULL || sip->sin_family != PF_INET)
return 0;
- hostsp = smack_host_label(sip);
- if (hostsp == NULL) {
- if (ssp->smk_labeled != SMACK_CIPSO_SOCKET)
- return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
- return 0;
- }
-
- rc = smk_access(ssp->smk_out, hostsp, MAY_WRITE);
- if (rc != 0)
- return rc;
-
- if (ssp->smk_labeled != SMACK_UNLABELED_SOCKET)
- return smack_netlabel(sock->sk, SMACK_UNLABELED_SOCKET);
-
- return 0;
-
+ return smack_netlabel_send(sock->sk, sip);
}
@@ -2490,31 +2484,24 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
}
/**
- * smack_sock_graft - graft access state between two sockets
- * @sk: fresh sock
- * @parent: donor socket
+ * smack_sock_graft - Initialize a newly created socket with an existing sock
+ * @sk: child sock
+ * @parent: parent socket
*
- * Sets the netlabel socket state on sk from parent
+ * Set the smk_{in,out} state of an existing sock based on the process that
+ * is creating the new socket.
*/
static void smack_sock_graft(struct sock *sk, struct socket *parent)
{
struct socket_smack *ssp;
- int rc;
- if (sk == NULL)
- return;
-
- if (sk->sk_family != PF_INET && sk->sk_family != PF_INET6)
+ if (sk == NULL ||
+ (sk->sk_family != PF_INET && sk->sk_family != PF_INET6))
return;
ssp = sk->sk_security;
ssp->smk_in = ssp->smk_out = current_security();
- ssp->smk_packet[0] = '\0';
-
- rc = smack_netlabel(sk, SMACK_CIPSO_SOCKET);
- if (rc != 0)
- printk(KERN_WARNING "Smack: \"%s\" netlbl error %d.\n",
- __func__, -rc);
+ /* cssp->smk_packet is already set in smack_inet_csk_clone() */
}
/**
@@ -2529,35 +2516,82 @@ static void smack_sock_graft(struct sock *sk, struct socket *parent)
static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
struct request_sock *req)
{
- struct netlbl_lsm_secattr skb_secattr;
+ u16 family = sk->sk_family;
struct socket_smack *ssp = sk->sk_security;
+ struct netlbl_lsm_secattr secattr;
+ struct sockaddr_in addr;
+ struct iphdr *hdr;
char smack[SMK_LABELLEN];
int rc;
- if (skb == NULL)
- return -EACCES;
+ /* handle mapped IPv4 packets arriving via IPv6 sockets */
+ if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP))
+ family = PF_INET;
- netlbl_secattr_init(&skb_secattr);
- rc = netlbl_skbuff_getattr(skb, sk->sk_family, &skb_secattr);
+ netlbl_secattr_init(&secattr);
+ rc = netlbl_skbuff_getattr(skb, family, &secattr);
if (rc == 0)
- smack_from_secattr(&skb_secattr, smack);
+ smack_from_secattr(&secattr, smack);
else
strncpy(smack, smack_known_huh.smk_known, SMK_MAXLEN);
- netlbl_secattr_destroy(&skb_secattr);
+ netlbl_secattr_destroy(&secattr);
+
/*
- * Receiving a packet requires that the other end
- * be able to write here. Read access is not required.
- *
- * If the request is successful save the peer's label
- * so that SO_PEERCRED can report it.
+ * Receiving a packet requires that the other end be able to write
+ * here. Read access is not required.
*/
rc = smk_access(smack, ssp->smk_in, MAY_WRITE);
- if (rc == 0)
- strncpy(ssp->smk_packet, smack, SMK_MAXLEN);
+ if (rc != 0)
+ return rc;
+
+ /*
+ * Save the peer's label in the request_sock so we can later setup
+ * smk_packet in the child socket so that SO_PEERCRED can report it.
+ */
+ req->peer_secid = smack_to_secid(smack);
+
+ /*
+ * We need to decide if we want to label the incoming connection here
+ * if we do we only need to label the request_sock and the stack will
+ * propogate the wire-label to the sock when it is created.
+ */
+ hdr = ip_hdr(skb);
+ addr.sin_addr.s_addr = hdr->saddr;
+ rcu_read_lock();
+ if (smack_host_label(&addr) == NULL) {
+ rcu_read_unlock();
+ netlbl_secattr_init(&secattr);
+ smack_to_secattr(smack, &secattr);
+ rc = netlbl_req_setattr(req, &secattr);
+ netlbl_secattr_destroy(&secattr);
+ } else {
+ rcu_read_unlock();
+ netlbl_req_delattr(req);
+ }
return rc;
}
+/**
+ * smack_inet_csk_clone - Copy the connection information to the new socket
+ * @sk: the new socket
+ * @req: the connection's request_sock
+ *
+ * Transfer the connection's peer label to the newly created socket.
+ */
+static void smack_inet_csk_clone(struct sock *sk,
+ const struct request_sock *req)
+{
+ struct socket_smack *ssp = sk->sk_security;
+ char *smack;
+
+ if (req->peer_secid != 0) {
+ smack = smack_from_secid(req->peer_secid);
+ strncpy(ssp->smk_packet, smack, SMK_MAXLEN);
+ } else
+ ssp->smk_packet[0] = '\0';
+}
+
/*
* Key management security hooks
*
@@ -2909,6 +2943,7 @@ struct security_operations smack_ops = {
.sk_free_security = smack_sk_free_security,
.sock_graft = smack_sock_graft,
.inet_conn_request = smack_inet_conn_request,
+ .inet_csk_clone = smack_inet_csk_clone,
/* key management security hooks */
#ifdef CONFIG_KEYS
@@ -2930,6 +2965,17 @@ struct security_operations smack_ops = {
.release_secctx = smack_release_secctx,
};
+
+static __init void init_smack_know_list(void)
+{
+ list_add(&smack_known_huh.list, &smack_known_list);
+ list_add(&smack_known_hat.list, &smack_known_list);
+ list_add(&smack_known_star.list, &smack_known_list);
+ list_add(&smack_known_floor.list, &smack_known_list);
+ list_add(&smack_known_invalid.list, &smack_known_list);
+ list_add(&smack_known_web.list, &smack_known_list);
+}
+
/**
* smack_init - initialize the smack system
*
@@ -2950,6 +2996,8 @@ static __init int smack_init(void)
cred = (struct cred *) current->cred;
cred->security = &smack_known_floor.smk_known;
+ /* initilize the smack_know_list */
+ init_smack_know_list();
/*
* Initialize locks
*/