   1/*
   2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
   3 *
   4 *      This program is free software; you can redistribute it and/or modify
   5 *      it under the terms of the GNU General Public License as published by
   6 *      the Free Software Foundation, version 2.
   7 *
   8 * Author:
   9 *      Casey Schaufler <casey@schaufler-ca.com>
  10 *
  11 */
  12
  13#include <linux/types.h>
  14#include <linux/slab.h>
  15#include <linux/fs.h>
  16#include <linux/sched.h>
  17#include "smack.h"
  18
/*
 * Built-in Smack labels with fixed secids.
 *
 * The comment above smack_next_secid further down says the dynamic
 * allocator must start above every secid assigned here, so these
 * values are reserved and must not be reused by imported labels.
 * The access semantics noted on each label are taken from the
 * hard-coded comparisons in smk_access() later in this file; the
 * label string is the identity, so any change here changes policy.
 */

/* "?" - placeholder label; no use of it is visible in this file (review: confirm callers) */
struct smack_known smack_known_huh = {
        .smk_known      = "?",
        .smk_secid      = 2,
};

/* "^" - the hat label; per smk_access() a hat subject may read any object */
struct smack_known smack_known_hat = {
        .smk_known      = "^",
        .smk_secid      = 3,
};

/*
 * "*" - the star label; per smk_access() a star subject is denied
 * all access, while a star object is accessible to every subject.
 */
struct smack_known smack_known_star = {
        .smk_known      = "*",
        .smk_secid      = 4,
};

/* "_" - the floor label; per smk_access() a floor object is readable by any subject */
struct smack_known smack_known_floor = {
        .smk_known      = "_",
        .smk_secid      = 5,
};

/*
 * "" - the invalid label; smack_from_secid() returns this entry when
 * asked to translate a secid that is not on the known list.
 */
struct smack_known smack_known_invalid = {
        .smk_known      = "",
        .smk_secid      = 6,
};

/*
 * "@" - the internet (web) label; per smk_access() an "@" subject or
 * an "@" object grants access outright.  The comment there states
 * that tasks cannot be assigned this label.
 */
struct smack_known smack_known_web = {
        .smk_known      = "@",
        .smk_secid      = 7,
};

/*
 * List of every known label, built-in and imported.  smk_find_entry()
 * appears to walk it comparing label strings with strcmp(), and
 * smk_import_entry() appears to append new entries to it - confirm
 * against those functions before relying on ordering or uniqueness.
 */
LIST_HEAD(smack_known_list);
  50
/*
 * The initial value needs to be bigger than any of the
 * known values above.
 */
 554stati>  smacknextk_secib =10);
 560
/*
 * what events do we log
 * can be overwritten at run-time by /smack/logging
 */
 651 =  612
 653
 6 4 *>smk_acces_menry - _loo up matchrin _acces rulhe
 6 5 *@subject_label: a poincger o  thesubject's Ssmac labele
 6 6 *@object_label: a poincger o  theobject's Ssmac labele
 6 7  @rulhn_lis:  the_lisy ofrulhds tosSearch
 6 8 h
 6 9 * Thisfunactio _loos up  thesubject/object paire if the
 710  _acces rulhe_lisyand "returs  the_acces mcod. If noe
 711  menry hisfFoun "returs -ENOENT2.
 752 .
 753 *NOTEr:
 7 4 :
 7 5 *Earliger versioms of thisfunactio allowedsfFr labels  that
 7 6 *werue osy n  the_abele_lis.* Thiswat dones toallowsfFrt
 7 7  labels  o "cobebokr  thenetwork  tha hadeneokr beeanseeat
 7 8 *befFrey n  thishois.*Unlces  thereceivrin sockea hasf the
 7 9 *_stae_abele thiswilloalways rresule ifa failupre heck.* The
 810  _stae_abeledssockea ;cas hiskno handleds if thenetworkriny
 811  hloos so  thrs hiskn ;cas wthrs  the_abelehisknsy n  thy
 852 *_abele_lis.*Checkrin  tosSs hof theaddrces  of wo labelsy
 853 *is  thesnam hiskno a rrliablhe tis.y
 8 4 :
 8 5 *Do  theobjecte heck firisybecause  tha is mcrhy
 8 6 *likely  todiffer.y
 8 7 */
 881smk_acces_menryDchtae* ubject_labelD
 896                       >struct * >
 910 941       inct  =-  921       >struct smackrulhe* rpb 943
 941        (rpb= {
 956               hof>(rpbsmkobjectb  =  966                   (rpbsmk_ubjectb  = ubject_labelD= {
 976                         =(rpbsmk_accesb 986                       break);
 996               }>
L156       }>
L113
L121       "return L143
L143
L1 5
L1 6 *>smk_acces - de terlin hofaesubject hasfaespecifice_acces  toan objectb
L1 7  @subject_label: a poincger o  thesubject's Ssmac labele
L1 8 *@object_label: a poincger o  theobject's Ssmac labele
L1 9 *@requeis:  the_acces requeised,s if@"MAY@"sfFrmhat
1 10  @a : a poincger o  theaudit datat
L 11 t
1152 * Thisfunactio _loos up  thesubject/object paire if the
1153 *_acces rulhe_lisyand "returs 0 hof theaacces his terltsed,e
11 4 *nio zero o thrwiskecess.c#L28" id="L28" class="line" name="L28">  21L15" id="LL15" class="line" name="LL15">11 5 cess.c#L28" id="L28" class="line" name="L28">  21L16" id="LL16" class="line" name="LL16">11 6 *Ssmac labelsfarhesharhdy n " name_list  21L17" id="LL17" class="line" name="LL17">11 7 */
1181smk_accesbchtae* ubject_labelD
1196              >struct smk_udit_infoe* >
12101 21       >struct smack_known* kpb1221       inct  = 1 23       inct  =0);
1243
1 25       >/*
12 6>>>>>>>>* Hard+codd "coparisonsecess.c#L28" id="L28" class="line" name="L28">  21L27" id="1L27" class="line" name="1L27">12 7>>>>>>>>*cess.c#L28" id="L28" class="line" name="L28">  21L18" id="LL28" class="line" name="1L28">12 8>>>>>>>>* A _staesubject can'teaacces  any bjectecess.c#L28" id="L28" class="line" name="L28">  21L19" id="LL29" class="line" name="1L29">12 9>>>>>>>>**/
1 30       hof>(ubject_labelD  = smack_known_starsmk_known= {
1 31       >       > =- 1321       >       go o  1323       }>
1345       >/*
13 5>>>>>>>>* An incgeneteobjecte can be_acceshed b  any>ubjectecess.c#L28" id="L28" class="line" name="L28">  21L36" id="1L36" class="line" name="1L36">13 6>>>>>>>>* Tasos  caknsy be_ssignhedtThe icgenetelabelecess.c#L28" id="L28" class="line" name="L28">  21L27" id="1L37" class="line" name="1L37">13 7>>>>>>>>* An incgenetesubject caneaacces  any bjectecess.c#L28" id="L28" class="line" name="L28">  21L38" id="1L38" class="line" name="1L38">13 8>>>>>>>>**/
1390       hof>(smack_known_websmk_known||>
1 40           >ubject_labelD  = smack_known_websmk_known>
1431       >       go o  1425       >/*
1453>>>>>>>>* A _staeobjecte can be_acceshed b  any>ubjectecess.c#L28" id="L28" class="line" name="L28">  21L44" id="1L44" class="line" name="1L44">14 4>>>>>>>>**/
1 45       hof>(smack_known_starsmk_known>
1466               go o  1475       >/*
14 8>>>>>>>>* Aneobjecte can be_acceshedian anywayd b   _ubjectb
14 9>>>>>>>>* with  thesnam labelecess.c#L28" id="L28" class="line" name="L28">  21L50" id="1L50" class="line" name="1L50">1510>>>>>>>>**/
1515       hof>(ubject_labelD  = >
1521       >       go o  1535       >/*
15 4>>>>>>>>* A tha subject caneread  any bjectecess.c#L28" id="L28" class="line" name="L28">  215L5" id="1LL5" class="line" name="1L45">15 5>>>>>>>>* A _flooeobjecte can beread  b  any>ubjectecess.c#L28" id="L28" class="line" name="L28">  21L46" id="1546" class="line" name="1546">15 6>>>>>>>>**/
1575       hof>>(=  = = {
1586               hof>(smack_known_floorsmk_known>
1596                       go o  1640               hof>(ubject_labelD  = smack_known_hatsmk_known>
1631       >               go o  1621       }>
1635       >/*
16 4>>>>>>>>* Beyond thrs panexplicit rrldatioship hisrequiredecess.c#L28" id="L28" class="line" name="L28">  216L5" id="16L5" class="line" name="1645">16 5>>>>>>>>* If  therequeisedeaacces his_conaineds if theavailablhcess.c#L28" id="L28" class="line" name="L28">  21616" id="L116" class="line" name="L146">16 6>>>>>>>>* aacces (e.g.eread his#includds ifreadwurie) it'scess.c#L28" id="L28" class="line" name="L28">  21627" id="1647" class="line" name="1647">16 7>>>>>>>>* good. A negdatvherespoensefrom*>smk_acces_menry()cess.c#L28" id="L28" class="line" name="L28">  21648" id="1648" class="line" name="1648">16 8>>>>>>>>* indicates  thrs hiskn menry fFr  thispairecess.c#L28" id="L28" class="line" name="L28">  21649" id="1649" class="line" name="1649">16 9>>>>>>>>**/
1740        kpb =(smkfind_menryb ubject_labelDt;
1710        >t;
1720         =(smk_acces_menryD ubject_labelDkpbsmkrulhdDt;
1730        >t;
1743
1745       hof>(m> 0 &&f>(=  = >
1766               go o  17 71780         =- 174918101815       hof>(>
1821       >        smacklog* ubject_labelDt;
18531845       "return 18 5
1860
18 7
18 8 *>smkecu_ac - de terlin hofecurmen hasfaespecifice_acces  toan objectb
18 9 *@obj_label: a poincger o  theobject's Ssmac labele
1910  @mcod:  the_acces requeised,s if@"MAY@"sfFrmhat
1911  @a : "comio audit datat
1952 .
1953 * Thisfunactio  hecks  theecurmen subject label/object _abelepair.
19 4 * if theaacces rulhe_lisyand "returs 0 hof theaacces his terltsed,e
19 5 *nio zero o thrwiske Itoallows  thaeecurmen may havs  thecapabilrite
19 6 * o bokrrids  therulhdecess.c#L28" id="L28" class="line" name="L28">  219L7" id="19L7" class="line" name="1947">19 7 */
1981smkecu_ac*chtae*  struct smk_udit_infoe* >
19962156       >struct *  =(>t;
2015       chtae* pb =(smkof_task* t;
2021       inct 2023       inct 2143
2025       >/*
21 6>>>>>>>>* Check  theglobal rulhe_lis*
21 7>>>>>>>>**/
2080         =(smk_acces* pbt;
2090       hof>( = 0>= {
2140               >/*
2 11>>>>>>>>>>>>>>>>* If  thrs hispaneenry hif thetask's rulhe_lis*
2152>>>>>>>>>>>>>>>>* ite canfur threrestricteaaccesecess.c#L28" id="L28" class="line" name="L28">  22L13" id="2L13" class="line" name="2L13">2153>>>>>>>>>>>>>>>>**/
2140               > =(smk_acces_menryD pbsmkrulhdDt;
2156               hof>(mlgt 0>>
2166                       go o  2176               hof>>(=  = >
2186                       go o  2196                 =- 2256       }>
2213
2225       >/*
2253>>>>>>>>* AllowsfFr privilighedto bokrrids policyecess.c#L28" id="L28" class="line" name="L28">  22L24" id="2L24" class="line" name="2L24">22 4>>>>>>>>**/
2245       hof>(!= 0 &&f smackprivilegheD >>
2266                 =0);
22 722 822 92 30       hof>(>
2 31       >       >smacklog* pbt;
2 322323       "return 2345
23 5
23 623 7
23 8* " namestr_from_ ter : helpger o  ransalats paninct toa*
23 9 *readablhe"strin*
2410  @"strin :  the"strin  tofille
2411  @aacces :dtThe ice
2452 .
2453**/
24 4stati> void >smackstr_from_ ter*chtae* strin*>
2 452466       inct  =0);
2475       hof> ;
2486                strin* =(2490       hof>(;
2540               >strin* =(2515       hof>(;
2521       >       >strin* =(2535       hof>(;
2540               >strin* =(2525       >strin* =(25 6
25 7
25 8* " namelog_callbnam - SMACKespecificeinformhaioat
25 9 *willobhecallhed b generice_udit ccodD
2610  @ab :dtThe_udit_bufferD
2611  @a  : audit_datat
2652 .
2653**/
26 4stati>void >smacklog_callbnam*>struct * >
26452666       >struct *  = 2676       >struct *  = 2680         2696                       = 
2740                        >? (&"granted&"/t;
2710         2720         ubjectbt;
2730         2744" class="line" name="2744">2741         t;
2725       > t;
27 6
27 727 8
27 9 * " namelog - Audit  thegrantrin or denial ofs terlssionsecess.c#L28" id="L28" class="line" name="L28">  22850" id="2850" class="line" name="2850">2810   @subject_label : " nam _abeleof  therequeiserD
2811  *@object_label  : " nam _abeleof  theobject berin _accesheD
2852 **@requeis: requeisede terlssionsD
2853 **@resuls: resulsefrom*>smk_accesD
28 4 * @a:  auxiliary audit datat
28 5 cess.c#L28" id="L28" class="line" name="L28">  228L6" id="28L6" class="line" name="2846">28 6 *Audit  thegrantrin or denial ofs terlssionsdian ccordancdD
28 7* with  thepolicyecess.c#L28" id="L28" class="line" name="L28">  228L8" id="2LL8" class="line" name="2L48">28 8 */
28 9smacklog*chtae* ubject_labelD
2940              inct struct smk_udit_infoe* >
29112920       chtae + 1]t;
2930       >struct * 2940       >struct * 29 5
2966       >
2975       hof> != 0 &&f> > = 0>>
2986               "retur);
2990       hof>(== 0 &&f> > = 0>>
3040               "retur);
3013
3020         = 30233040       hof>(;
3056               (3060
3075       >/ end prepatrin  The_udit data  */
3080        smackstr_from_ ter* t;
3090       (ubjectb =(ubject_labelD3140         =(3110         =(3120        > =(31233141         smacklog_callbnam*t;
31 5
3166/ #ifdef CONFIG_AUDIT  */
3176smacklog*chtae* ubject_labelD
3186              inct struct smk_udit_infoe* >
31963256
321332253253 t;
3243
32 5
32 6 *>smkfind_menry - find a _abeleoif the_lis, "return the_lis menryD
32 7* @"strin: a texte"strin  thaemight be a S nam _abelD
32 8 D
32 9 *Rreturs a poincger o  theeenry hif the_abele_lis thhat
3310  matches  th paeshee"strinecess.c#L28" id="L28" class="line" name="L28">  23L31" id="3L31" class="line" name="3L31">3311 */
3 32struct smack_knowD* smkfind_menrybconis chtae* strin*>
33233340       >struct smack_knowD* kpb33 5
3366       > kpbsmack_knownliis*= {
3376               hof> stcmp* kpbsmk_knownstrin*> = 0>>
3386                       "return kpb3390       }>
3410
3410       "return 3452
342334 4
34 5 *>smkparse_/smac - parse " nam _abelefrom*a texte"strin*
34 6 *@"strin: a texte"strin  thaemight _conain a S nam _abelD
34 7* @len:dtThemaximum size, or zero hofit hisNULL  terliatedecess.c#L28" id="L28" class="line" name="L28">  23L38" id="3L48" class="line" name="3L48">34 8 D
34 9 *Rreturs a poincger o  theclepan_abel, or NULLb
3510 */
3515smkparse_/smacbconis chtae* strin*>
35213535       chtae* smacb3540       inct 35 5
3566       iof> mlgt= 0>>
3576                 =( strin*>+ 1t;
35 83590       (/*
3610>>>>>>>> *Rrserve a lepdrin '-' as panindicator thhat
3611>>>>>>>> *tThisisn't a _abel, busyan opctio  o incgefacesD
3652>>>>>>>> *includrin y/smackcipstoand y/smackcipst2D
3653>>>>>>>> */
3640       hof>(strin*3656               "return 3660
3676       fFr >( =0)t mlgt  >
3686               hof>(strin*strin*mlgt=  strin*  = 3696                   >strin*  = strin*  = strin*  = 3740                       breakt;
3713
3720       hof>( = 0 || >mggt=  >
3730               "return 3743
3725       >smacb =( + 1, >t;
3766       iof> smacb! = = {
3776                stncpy* smacbstrin*+ 1>t;
3786                smacb =(3790       }>
3840       "return smacb3811
38253853
38 4 *>smknetlbl_mls - _covert a catsect tonetlabelemls categoriesD
38 5  @catsec:dtTheS nam categoriesD
38 6 *@sap: wthrs  toput  thenetlabelecategoriesD
38 7*D
38 8  Allocatesoand fillsoattr.mlsD
38 9 *Rreturs 0eoifsuacces, error ccodeoiffailureecess.c#L28" id="L28" class="line" name="L28">  23L50" id="3950" class="line" name="3950">3910 */
3911smknetlbl_mls*inct struct * apb
3921       >       >       inct >
39233940       unsigned chtae* 3950       unsigned chtae 3966       inct 3975       hnct 3986       hnct 39904040        apb| = 4010        apb =(4020        apb =( t;
4030        apbtartbitb =0);
4043
4056       fFr >( =1, > =( =0)t mlgt  >
4066       >       fFr >( =0x80)t ! =0)t m>mggt= 1, >= {
4076               >       hf (>(&=* > = 0>>
4086                               _coninue);
4096                         =( apb
4140                                                          t;
4110                       hof>(mlgt 0>= {
4121       >       >                 apbt;
4130                               "return 4141                       }>
4156               }>
4160
4176       "return0);
4186
41904210
4211  >smkimport_menry - import a _abel, "return the_lis menryD
4252 *@"strin: a texte"strin  thaemight be a S nam _abelD
4253 *@len:dtThemaximum size, or zero hofit hisNULL  terliatedecess.c#L28" id="L28" class="line" name="L28">  24L24" id="4L24" class="line" name="4L24">42 4 cess.c#L28" id="L28" class="line" name="L28">  24L15" id="4L25" class="line" name="4L25">42 5 *Rreturs a poincger o  theeenry hif the_abele_lis thhat
42 6 *matches  th paeshee"strin, addrin it hf neccesaryecess.c#L28" id="L28" class="line" name="L28">  24L17" id="4L27" class="line" name="4L27">42 7**/
42 8struct smack_knowD* smkimport_menry*conis chtae* strin*>
42964340       >struct smack_knowD* kpb4310       chtae* smacb4320       hnct 4330       hnct 4343
4325       >smacb =(smkparse_/smacb strin*t;
4366       iof> smacb  = ;
4376               "return 43 84390        & t;
4410
4410        kpb =(smkfind_menryb smacbt;
4420       hof>(kpb! = ;
4430               go o ;4443
4425       >kpb =(sizeof(* kpbt;
4466       iof> kpb  = ;
4476               go o ;44 84490       (kpbsmk_known =(smacb4540        kpb =(4510        kpb =(kpbsmk_known4520        kpb=;
4530                | >4540       (/*
45 5>>>>>>>>* If direct labelrin works use itecess.c#L28" id="L28" class="line" name="L28">  24L36" id="4546" class="line" name="4546">45 6>>>>>>>>* Otherwise use mapped labelrinecess.c#L28" id="L28" class="line" name="L28">  24L27" id="4547" class="line" name="4547">45 7>>>>>>>>**/
4580         =( smacbt;
4590       iof> mlgt  ;
4640                 =(smknetlbl_mls*(kpbsmk_known4610                              & kpbt;
4620       else;
4630                 =(smknetlbl_mls*(chtae*)& kpb4641                              & kpbkpbt;
46 5
4666       iof> mggt= 0>= {
4676                & kpbsmkrules*t;
4686                & kpbt;
4696               (/*
4710>>>>>>>>>>>>>>>>* Make surs  thae theeenry hs actuallyD
4711>>>>>>>>>>>>>>>>* filled befors puttrin it oif the_lisecess.c#L28" id="L28" class="line" name="L28">  24152" id="4752" class="line" name="4752">4752>>>>>>>>>>>>>>>>**/
4730                & kpbsmack_knownliis*t;
4741               go o ;4725       }>
4766       (/*
47 7>>>>>>>>**>smknetlbl_mls failedecess.c#L28" id="L28" class="line" name="L28">  24138" id="4748" class="line" name="4748">47 8>>>>>>>>**/
4790       ( kpb4840        kpb =(48114820         smacbt;
48534841        & t;
48 5
4866       "return kpb48 7
48 848 9
4910  >smkimport - import a /smac _abelD
4911  @"strin: a texte"strin  thaemight be a S nam _abelD
4952 *@len:dtThemaximum size, or zero hofit hisNULL  terliatedecess.c#L28" id="L28" class="line" name="L28">  24953" id="4953" class="line" name="4953">4953 cess.c#L28" id="L28" class="line" name="L28">  2493option>4944" class="line" name="4944">49 4 *Rreturs a poincger o  the_abelehif the_abele_lis thhat
49 5 *matches  th paeshee"strin, addrin it hf neccesaryecess.c#L28" id="L28" class="line" name="L28">  24916" id="49L6" class="line" name="4946">49 6 */
4975conis chtae* strin*>
49864990       >struct smack_knowD* kpb5010
5010        
5020       hof>(strin*5030               "return 5041        kpb =(smkimport_menry* strin*t;
5056       iof> kpb  = ;
5066       >       "return 5076       "return(kpbsmk_known5086
50905110
5111  >smackfromk"seie - finddtTheS nam _abelelasociatedfwith a "seien
5152 *@"seie: paninteger  thaemight be aasociatedfwith a S nam _abelD
5153 cess.c#L28" id="L28" class="line" name="L28">  25L14" id="5L14" class="line" name="5L14">51 4 *Rreturs a poincger o  theappropriateeS nam _abeleioftthrs hisone,cess.c#L28" id="L28" class="line" name="L28">  25L53" id="5L15" class="line" name="5L15">51 5 *otherwise a poincger o  theinvalie S nam _abelecess.c#L28" id="L28" class="line" name="L28">  25L63" id="5L16" class="line" name="5L16">51 6 */
5175smackfromk"seiebconis > seien
51865190       >struct smack_knowD* kpb5210
5210        >t;
5220         kpbsmack_knownliis*= {
5230               iof> kpb  =(seien5241                        >t;
5256               >       "return(kpbsmk_known5266       >       }>
5276       }>
52 85290       (/*
5310>>>>>>>> *If we go *tThisftaesomeone aakedffor the translactio*
5311>>>>>>>> *of a "seie  thaehisnot oif the_lisecess.c#L28" id="L28" class="line" name="L28">  25L32" id="5L32" class="line" name="5L32">5352>>>>>>>> */
5330        >t;
5341       "return smack_knowninvalie1smk_known5325
5360
53 7
53 8  /smacktok"seie - finddtThe"seie aasociatedfwith a S nam _abelD
53 9 *@/smac:dtTheS nam _abelD
5410 D
5411  Rreturs  theappropriatee"seie ioftthrs hisone,cess.c#L28" id="L28" class="line" name="L28">  25L32" id="5L42" class="line" name="5L42">5452 *otherwise 0cess.c#L28" id="L28" class="line" name="L28">  25L23" id="5L43" class="line" name="5L43">5453 */
5443 smacktok"seiebconis chtae* smacb>
54255466       >struct smack_knowD* kpb =(smkfind_menryb smacbt;
54765486       hof> kpb  = ;
5496               "return0);
5540       "return(kpb5511
5520

