security/smack/smack.h

0001 /* SPDX-License-Identifier: GPL-2.0-only */
0002 /*
0003  * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
0004  *
0005  * Author:
0006  *      Casey Schaufler <casey@schaufler-ca.com>
0007  */
0008
0009 #ifndef _SECURITY_SMACK_H
0010 #define _SECURITY_SMACK_H
0011
0012 #include <linux/capability.h>
0013 #include <linux/spinlock.h>
0014 #include <linux/lsm_hooks.h>
0015 #include <linux/in.h>
0016 #if IS_ENABLED(CONFIG_IPV6)
0017 #include <linux/in6.h>
0018 #endif /* CONFIG_IPV6 */
0019 #include <net/netlabel.h>
0020 #include <linux/list.h>
0021 #include <linux/rculist.h>
0022 #include <linux/lsm_audit.h>
0023 #include <linux/msg.h>
0024
0025 /*
0026  * Use IPv6 port labeling if IPv6 is enabled and secmarks
0027  * are not being used.
0028  */
0029 #if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
0030 #define SMACK_IPV6_PORT_LABELING 1
0031 #endif
0032
0033 #if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
0034 #define SMACK_IPV6_SECMARK_LABELING 1
0035 #endif
0036
0037 /*
0038  * Smack labels were limited to 23 characters for a long time.
0039  */
0040 #define SMK_LABELLEN    24
0041 #define SMK_LONGLABEL   256
0042
0043 /*
0044  * This is the repository for labels seen so that it is
0045  * not necessary to keep allocating tiny chuncks of memory
0046  * and so that they can be shared.
0047  *
0048  * Labels are never modified in place. Anytime a label
0049  * is imported (e.g. xattrset on a file) the list is checked
0050  * for it and it is added if it doesn't exist. The address
0051  * is passed out in either case. Entries are added, but
0052  * never deleted.
0053  *
0054  * Since labels are hanging around anyway it doesn't
0055  * hurt to maintain a secid for those awkward situations
0056  * where kernel components that ought to use LSM independent
0057  * interfaces don't. The secid should go away when all of
0058  * these components have been repaired.
0059  *
0060  * The cipso value associated with the label gets stored here, too.
0061  *
0062  * Keep the access rules for this subject label here so that
0063  * the entire set of rules does not need to be examined every
0064  * time.
0065  */
0066 struct smack_known {
0067     struct list_head        list;
0068     struct hlist_node       smk_hashed;
0069     char                *smk_known;
0070     u32             smk_secid;
0071     struct netlbl_lsm_secattr   smk_netlabel;   /* on wire labels */
0072     struct list_head        smk_rules;  /* access rules */
0073     struct mutex            smk_rules_lock; /* lock for rules */
0074 };
0075
0076 /*
0077  * Maximum number of bytes for the levels in a CIPSO IP option.
0078  * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is
0079  * bigger than can be used, and 24 is the next lower multiple
0080  * of 8, and there are too many issues if there isn't space set
0081  * aside for the terminating null byte.
0082  */
0083 #define SMK_CIPSOLEN    24
0084
0085 struct superblock_smack {
0086     struct smack_known  *smk_root;
0087     struct smack_known  *smk_floor;
0088     struct smack_known  *smk_hat;
0089     struct smack_known  *smk_default;
0090     int         smk_flags;
0091 };
0092
0093 /*
0094  * Superblock flags
0095  */
0096 #define SMK_SB_INITIALIZED  0x01
0097 #define SMK_SB_UNTRUSTED    0x02
0098
0099 struct socket_smack {
0100     struct smack_known  *smk_out;   /* outbound label */
0101     struct smack_known  *smk_in;    /* inbound label */
0102     struct smack_known  *smk_packet;    /* TCP peer label */
0103     int         smk_state;  /* netlabel socket states */
0104 };
0105 #define SMK_NETLBL_UNSET    0
0106 #define SMK_NETLBL_UNLABELED    1
0107 #define SMK_NETLBL_LABELED  2
0108 #define SMK_NETLBL_REQSKB   3
0109
0110 /*
0111  * Inode smack data
0112  */
0113 struct inode_smack {
0114     struct smack_known  *smk_inode; /* label of the fso */
0115     struct smack_known  *smk_task;  /* label of the task */
0116     struct smack_known  *smk_mmap;  /* label of the mmap domain */
0117     int         smk_flags;  /* smack inode flags */
0118 };
0119
0120 struct task_smack {
0121     struct smack_known  *smk_task;  /* label for access control */
0122     struct smack_known  *smk_forked;    /* label when forked */
0123     struct list_head    smk_rules;  /* per task access rules */
0124     struct mutex        smk_rules_lock; /* lock for the rules */
0125     struct list_head    smk_relabel;    /* transit allowed labels */
0126 };
0127
0128 #define SMK_INODE_INSTANT   0x01    /* inode is instantiated */
0129 #define SMK_INODE_TRANSMUTE 0x02    /* directory is transmuting */
0130 #define SMK_INODE_CHANGED   0x04    /* smack was transmuted */
0131 #define SMK_INODE_IMPURE    0x08    /* involved in an impure transaction */
0132
0133 /*
0134  * A label access rule.
0135  */
0136 struct smack_rule {
0137     struct list_head    list;
0138     struct smack_known  *smk_subject;
0139     struct smack_known  *smk_object;
0140     int         smk_access;
0141 };
0142
0143 /*
0144  * An entry in the table identifying IPv4 hosts.
0145  */
0146 struct smk_net4addr {
0147     struct list_head    list;
0148     struct in_addr      smk_host;   /* network address */
0149     struct in_addr      smk_mask;   /* network mask */
0150     int         smk_masks;  /* mask size */
0151     struct smack_known  *smk_label; /* label */
0152 };
0153
0154 /*
0155  * An entry in the table identifying IPv6 hosts.
0156  */
0157 struct smk_net6addr {
0158     struct list_head    list;
0159     struct in6_addr     smk_host;   /* network address */
0160     struct in6_addr     smk_mask;   /* network mask */
0161     int         smk_masks;  /* mask size */
0162     struct smack_known  *smk_label; /* label */
0163 };
0164
0165 /*
0166  * An entry in the table identifying ports.
0167  */
0168 struct smk_port_label {
0169     struct list_head    list;
0170     struct sock     *smk_sock;  /* socket initialized on */
0171     unsigned short      smk_port;   /* the port number */
0172     struct smack_known  *smk_in;    /* inbound label */
0173     struct smack_known  *smk_out;   /* outgoing label */
0174     short           smk_sock_type;  /* Socket type */
0175     short           smk_can_reuse;
0176 };
0177
0178 struct smack_known_list_elem {
0179     struct list_head    list;
0180     struct smack_known  *smk_label;
0181 };
0182
0183 /* Super block security struct flags for mount options */
0184 #define FSDEFAULT_MNT   0x01
0185 #define FSFLOOR_MNT 0x02
0186 #define FSHAT_MNT   0x04
0187 #define FSROOT_MNT  0x08
0188 #define FSTRANS_MNT 0x10
0189
0190 #define NUM_SMK_MNT_OPTS    5
0191
0192 enum {
0193     Opt_error = -1,
0194     Opt_fsdefault = 0,
0195     Opt_fsfloor = 1,
0196     Opt_fshat = 2,
0197     Opt_fsroot = 3,
0198     Opt_fstransmute = 4,
0199 };
0200
0201 #define SMACK_DELETE_OPTION "-DELETE"
0202 #define SMACK_CIPSO_OPTION  "-CIPSO"
0203
0204 /*
0205  * CIPSO defaults.
0206  */
0207 #define SMACK_CIPSO_DOI_DEFAULT     3   /* Historical */
0208 #define SMACK_CIPSO_DOI_INVALID     -1  /* Not a DOI */
0209 #define SMACK_CIPSO_DIRECT_DEFAULT  250 /* Arbitrary */
0210 #define SMACK_CIPSO_MAPPED_DEFAULT  251 /* Also arbitrary */
0211 #define SMACK_CIPSO_MAXLEVEL            255     /* CIPSO 2.2 standard */
0212 /*
0213  * CIPSO 2.2 standard is 239, but Smack wants to use the
0214  * categories in a structured way that limits the value to
0215  * the bits in 23 bytes, hence the unusual number.
0216  */
0217 #define SMACK_CIPSO_MAXCATNUM           184     /* 23 * 8 */
0218
0219 /*
0220  * Ptrace rules
0221  */
0222 #define SMACK_PTRACE_DEFAULT    0
0223 #define SMACK_PTRACE_EXACT  1
0224 #define SMACK_PTRACE_DRACONIAN  2
0225 #define SMACK_PTRACE_MAX    SMACK_PTRACE_DRACONIAN
0226
0227 /*
0228  * Flags for untraditional access modes.
0229  * It shouldn't be necessary to avoid conflicts with definitions
0230  * in fs.h, but do so anyway.
0231  */
0232 #define MAY_TRANSMUTE   0x00001000  /* Controls directory labeling */
0233 #define MAY_LOCK    0x00002000  /* Locks should be writes, but ... */
0234 #define MAY_BRINGUP 0x00004000  /* Report use of this rule */
0235
0236 /*
0237  * The policy for delivering signals is configurable.
0238  * It is usually "write", but can be "append".
0239  */
0240 #ifdef CONFIG_SECURITY_SMACK_APPEND_SIGNALS
0241 #define MAY_DELIVER MAY_APPEND  /* Signal delivery requires append */
0242 #else
0243 #define MAY_DELIVER MAY_WRITE   /* Signal delivery requires write */
0244 #endif
0245
0246 #define SMACK_BRINGUP_ALLOW     1   /* Allow bringup mode */
0247 #define SMACK_UNCONFINED_SUBJECT    2   /* Allow unconfined label */
0248 #define SMACK_UNCONFINED_OBJECT     3   /* Allow unconfined label */
0249
0250 /*
0251  * Just to make the common cases easier to deal with
0252  */
0253 #define MAY_ANYREAD (MAY_READ | MAY_EXEC)
0254 #define MAY_READWRITE   (MAY_READ | MAY_WRITE)
0255 #define MAY_NOT     0
0256
0257 /*
0258  * Number of access types used by Smack (rwxatlb)
0259  */
0260 #define SMK_NUM_ACCESS_TYPE 7
0261
0262 /* SMACK data */
0263 struct smack_audit_data {
0264     const char *function;
0265     char *subject;
0266     char *object;
0267     char *request;
0268     int result;
0269 };
0270
0271 /*
0272  * Smack audit data; is empty if CONFIG_AUDIT not set
0273  * to save some stack
0274  */
0275 struct smk_audit_info {
0276 #ifdef CONFIG_AUDIT
0277     struct common_audit_data a;
0278     struct smack_audit_data sad;
0279 #endif
0280 };
0281
0282 /*
0283  * These functions are in smack_access.c
0284  */
0285 int smk_access_entry(char *, char *, struct list_head *);
0286 int smk_access(struct smack_known *, struct smack_known *,
0287            int, struct smk_audit_info *);
0288 int smk_tskacc(struct task_smack *, struct smack_known *,
0289            u32, struct smk_audit_info *);
0290 int smk_curacc(struct smack_known *, u32, struct smk_audit_info *);
0291 struct smack_known *smack_from_secid(const u32);
0292 char *smk_parse_smack(const char *string, int len);
0293 int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int);
0294 struct smack_known *smk_import_entry(const char *, int);
0295 void smk_insert_entry(struct smack_known *skp);
0296 struct smack_known *smk_find_entry(const char *);
0297 bool smack_privileged(int cap);
0298 bool smack_privileged_cred(int cap, const struct cred *cred);
0299 void smk_destroy_label_list(struct list_head *list);
0300 int smack_populate_secattr(struct smack_known *skp);
0301
0302 /*
0303  * Shared data.
0304  */
0305 extern int smack_enabled __initdata;
0306 extern int smack_cipso_direct;
0307 extern int smack_cipso_mapped;
0308 extern struct smack_known *smack_net_ambient;
0309 extern struct smack_known *smack_syslog_label;
0310 #ifdef CONFIG_SECURITY_SMACK_BRINGUP
0311 extern struct smack_known *smack_unconfined;
0312 #endif
0313 extern int smack_ptrace_rule;
0314 extern struct lsm_blob_sizes smack_blob_sizes;
0315
0316 extern struct smack_known smack_known_floor;
0317 extern struct smack_known smack_known_hat;
0318 extern struct smack_known smack_known_huh;
0319 extern struct smack_known smack_known_star;
0320 extern struct smack_known smack_known_web;
0321
0322 extern struct mutex smack_known_lock;
0323 extern struct list_head smack_known_list;
0324 extern struct list_head smk_net4addr_list;
0325 extern struct list_head smk_net6addr_list;
0326
0327 extern struct mutex     smack_onlycap_lock;
0328 extern struct list_head smack_onlycap_list;
0329
0330 #define SMACK_HASH_SLOTS 16
0331 extern struct hlist_head smack_known_hash[SMACK_HASH_SLOTS];
0332 extern struct kmem_cache *smack_rule_cache;
0333
0334 static inline struct task_smack *smack_cred(const struct cred *cred)
0335 {
0336     return cred->security + smack_blob_sizes.lbs_cred;
0337 }
0338
0339 static inline struct smack_known **smack_file(const struct file *file)
0340 {
0341     return (struct smack_known **)(file->f_security +
0342                        smack_blob_sizes.lbs_file);
0343 }
0344
0345 static inline struct inode_smack *smack_inode(const struct inode *inode)
0346 {
0347     return inode->i_security + smack_blob_sizes.lbs_inode;
0348 }
0349
0350 static inline struct smack_known **smack_msg_msg(const struct msg_msg *msg)
0351 {
0352     return msg->security + smack_blob_sizes.lbs_msg_msg;
0353 }
0354
0355 static inline struct smack_known **smack_ipc(const struct kern_ipc_perm *ipc)
0356 {
0357     return ipc->security + smack_blob_sizes.lbs_ipc;
0358 }
0359
0360 static inline struct superblock_smack *smack_superblock(
0361                     const struct super_block *superblock)
0362 {
0363     return superblock->s_security + smack_blob_sizes.lbs_superblock;
0364 }
0365
0366 /*
0367  * Is the directory transmuting?
0368  */
0369 static inline int smk_inode_transmutable(const struct inode *isp)
0370 {
0371     struct inode_smack *sip = smack_inode(isp);
0372     return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0;
0373 }
0374
0375 /*
0376  * Present a pointer to the smack label entry in an inode blob.
0377  */
0378 static inline struct smack_known *smk_of_inode(const struct inode *isp)
0379 {
0380     struct inode_smack *sip = smack_inode(isp);
0381     return sip->smk_inode;
0382 }
0383
0384 /*
0385  * Present a pointer to the smack label entry in an task blob.
0386  */
0387 static inline struct smack_known *smk_of_task(const struct task_smack *tsp)
0388 {
0389     return tsp->smk_task;
0390 }
0391
0392 static inline struct smack_known *smk_of_task_struct_obj(
0393                         const struct task_struct *t)
0394 {
0395     struct smack_known *skp;
0396     const struct cred *cred;
0397
0398     rcu_read_lock();
0399
0400     cred = __task_cred(t);
0401     skp = smk_of_task(smack_cred(cred));
0402
0403     rcu_read_unlock();
0404
0405     return skp;
0406 }
0407
0408 /*
0409  * Present a pointer to the forked smack label entry in an task blob.
0410  */
0411 static inline struct smack_known *smk_of_forked(const struct task_smack *tsp)
0412 {
0413     return tsp->smk_forked;
0414 }
0415
0416 /*
0417  * Present a pointer to the smack label in the current task blob.
0418  */
0419 static inline struct smack_known *smk_of_current(void)
0420 {
0421     return smk_of_task(smack_cred(current_cred()));
0422 }
0423
0424 /*
0425  * logging functions
0426  */
0427 #define SMACK_AUDIT_DENIED 0x1
0428 #define SMACK_AUDIT_ACCEPT 0x2
0429 extern int log_policy;
0430
0431 void smack_log(char *subject_label, char *object_label,
0432         int request,
0433         int result, struct smk_audit_info *auditdata);
0434
0435 #ifdef CONFIG_AUDIT
0436
0437 /*
0438  * some inline functions to set up audit data
0439  * they do nothing if CONFIG_AUDIT is not set
0440  *
0441  */
0442 static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
0443                    char type)
0444 {
0445     memset(&a->sad, 0, sizeof(a->sad));
0446     a->a.type = type;
0447     a->a.smack_audit_data = &a->sad;
0448     a->a.smack_audit_data->function = func;
0449 }
0450
0451 static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func,
0452                    char type, struct lsm_network_audit *net)
0453 {
0454     smk_ad_init(a, func, type);
0455     memset(net, 0, sizeof(*net));
0456     a->a.u.net = net;
0457 }
0458
0459 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
0460                      struct task_struct *t)
0461 {
0462     a->a.u.tsk = t;
0463 }
0464 static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
0465                             struct dentry *d)
0466 {
0467     a->a.u.dentry = d;
0468 }
0469 static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
0470                           struct inode *i)
0471 {
0472     a->a.u.inode = i;
0473 }
0474 static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
0475                          struct path p)
0476 {
0477     a->a.u.path = p;
0478 }
0479 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
0480                         struct sock *sk)
0481 {
0482     a->a.u.net->sk = sk;
0483 }
0484
0485 #else /* no AUDIT */
0486
0487 static inline void smk_ad_init(struct smk_audit_info *a, const char *func,
0488                    char type)
0489 {
0490 }
0491 static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a,
0492                      struct task_struct *t)
0493 {
0494 }
0495 static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a,
0496                             struct dentry *d)
0497 {
0498 }
0499 static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a,
0500                           struct inode *i)
0501 {
0502 }
0503 static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a,
0504                          struct path p)
0505 {
0506 }
0507 static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a,
0508                         struct sock *sk)
0509 {
0510 }
0511 #endif
0512
0513 #endif  /* _SECURITY_SMACK_H */