Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.19 / 03a0dc546be3fa6091214bd2c05d678d3e8d67df / . / security / smack / smackfs.c
blob: 94bd9e41c9ecb39ce3d432f9c3734a5db7e1b353 [file] [log] [blame]
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1/*
2 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License as published by
6 * the Free Software Foundation, version 2.
7 *
8 * Authors:
9 * Casey Schaufler <casey@schaufler-ca.com>
10 * Ahmed S. Darwish <darwish.07@gmail.com>
11 *
12 * Special thanks to the authors of selinuxfs.
13 *
14 * Karl MacMillan <kmacmillan@tresys.com>
15 * James Morris <jmorris@redhat.com>
16 *
17 */
18
19#include <linux/kernel.h>
20#include <linux/vmalloc.h>
21#include <linux/security.h>
22#include <linux/mutex.h>
Tejun Heo5a0e3ad2010-03-24 17:04:11 +0900[diff] [blame]23#include <linux/slab.h>
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]24#include <net/net_namespace.h>
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]25#include <net/cipso_ipv4.h>
26#include <linux/seq_file.h>
27#include <linux/ctype.h>
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]28#include <linux/audit.h>
Casey Schaufler958d2c22013-04-02 11:41:18 -0700[diff] [blame]29#include <linux/magic.h>
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]30#include "smack.h"
31
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]32#define BEBITS (sizeof(__be32) * 8)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]33/*
34 * smackfs pseudo filesystem.
35 */
36
37enum smk_inos {
38 SMK_ROOT_INO = 2,
39 SMK_LOAD = 3, /* load policy */
40 SMK_CIPSO = 4, /* load label -> CIPSO mapping */
41 SMK_DOI = 5, /* CIPSO DOI */
42 SMK_DIRECT = 6, /* CIPSO level indicating direct label */
43 SMK_AMBIENT = 7, /* internet ambient label */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]44 SMK_NET4ADDR = 8, /* single label hosts */
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]45 SMK_ONLYCAP = 9, /* the only "capable" label */
Etienne Bassetecfcc532009-04-08 20:40:06 +0200[diff] [blame]46 SMK_LOGGING = 10, /* logging */
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]47 SMK_LOAD_SELF = 11, /* task specific rules */
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]48 SMK_ACCESSES = 12, /* access policy */
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]49 SMK_MAPPED = 13, /* CIPSO level indicating mapped label */
50 SMK_LOAD2 = 14, /* load policy with long labels */
51 SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */
52 SMK_ACCESS2 = 16, /* make an access check with long labels */
53 SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]54 SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]55 SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]56 SMK_SYSLOG = 20, /* change syslog label) */
Lukasz Pawelczyk66867812014-03-11 17:07:06 +0100[diff] [blame]57 SMK_PTRACE = 21, /* set ptrace rule */
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]58#ifdef CONFIG_SECURITY_SMACK_BRINGUP
59 SMK_UNCONFINED = 22, /* define an unconfined label */
60#endif
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]61#if IS_ENABLED(CONFIG_IPV6)
62 SMK_NET6ADDR = 23, /* single label IPv6 hosts */
63#endif /* CONFIG_IPV6 */
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]64 SMK_RELABEL_SELF = 24, /* relabel possible without CAP_MAC_ADMIN */
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]65};
66
67/*
68 * List locks
69 */
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]70static DEFINE_MUTEX(smack_cipso_lock);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]71static DEFINE_MUTEX(smack_ambient_lock);
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]72static DEFINE_MUTEX(smk_net4addr_lock);
73#if IS_ENABLED(CONFIG_IPV6)
74static DEFINE_MUTEX(smk_net6addr_lock);
75#endif /* CONFIG_IPV6 */
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]76
77/*
78 * This is the "ambient" label for network traffic.
79 * If it isn't somehow marked, use this.
80 * It can be reset via smackfs/ambient
81 */
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]82struct smack_known *smack_net_ambient;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]83
84/*
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]85 * This is the level in a CIPSO header that indicates a
86 * smack label is contained directly in the category set.
87 * It can be reset via smackfs/direct
88 */
89int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT;
90
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]91/*
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]92 * This is the level in a CIPSO header that indicates a
93 * secid is contained directly in the category set.
94 * It can be reset via smackfs/mapped
95 */
96int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT;
97
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]98#ifdef CONFIG_SECURITY_SMACK_BRINGUP
99/*
100 * Allow one label to be unconfined. This is for
101 * debugging and application bring-up purposes only.
102 * It is bad and wrong, but everyone seems to expect
103 * to have it.
104 */
105struct smack_known *smack_unconfined;
106#endif
107
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]108/*
109 * If this value is set restrict syslog use to the label specified.
110 * It can be reset via smackfs/syslog
111 */
112struct smack_known *smack_syslog_label;
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]113
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]114/*
Lukasz Pawelczyk66867812014-03-11 17:07:06 +0100[diff] [blame]115 * Ptrace current rule
116 * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based)
117 * SMACK_PTRACE_EXACT labels must match, but can be overriden with
118 * CAP_SYS_PTRACE
119 * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect
120 */
121int smack_ptrace_rule = SMACK_PTRACE_DEFAULT;
122
123/*
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]124 * Certain IP addresses may be designated as single label hosts.
125 * Packets are sent there unlabeled, but only from tasks that
126 * can write to the specified label.
127 */
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]128
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]129LIST_HEAD(smk_net4addr_list);
130#if IS_ENABLED(CONFIG_IPV6)
131LIST_HEAD(smk_net6addr_list);
132#endif /* CONFIG_IPV6 */
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]133
134/*
135 * Rule lists are maintained for each label.
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]136 * This master list is just for reading /smack/load and /smack/load2.
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]137 */
138struct smack_master_list {
139 struct list_head list;
140 struct smack_rule *smk_rule;
141};
142
Casey Schaufler1eddfe82015-07-30 14:35:14 -0700[diff] [blame]143static LIST_HEAD(smack_rule_list);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]144
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]145struct smack_parsed_rule {
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]146 struct smack_known *smk_subject;
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]147 struct smack_known *smk_object;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]148 int smk_access1;
149 int smk_access2;
150};
151
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]152static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]153
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]154/*
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]155 * Values for parsing cipso rules
156 * SMK_DIGITLEN: Length of a digit field in a rule.
Ahmed S. Darwishb500ce82008-03-13 12:32:34 -0700[diff] [blame]157 * SMK_CIPSOMIN: Minimum possible cipso rule length.
158 * SMK_CIPSOMAX: Maximum possible cipso rule length.
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]159 */
160#define SMK_DIGITLEN 4
Ahmed S. Darwishb500ce82008-03-13 12:32:34 -0700[diff] [blame]161#define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN)
162#define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN)
163
164/*
165 * Values for parsing MAC rules
166 * SMK_ACCESS: Maximum possible combination of access permissions
167 * SMK_ACCESSLEN: Maximum length for a rule access field
168 * SMK_LOADLEN: Smack rule length
169 */
Jarkko Sakkinen5c6d1122010-12-07 13:34:01 +0200[diff] [blame]170#define SMK_OACCESS "rwxa"
Casey Schauflerc0ab6e52013-10-11 18:06:39 -0700[diff] [blame]171#define SMK_ACCESS "rwxatl"
Jarkko Sakkinen5c6d1122010-12-07 13:34:01 +0200[diff] [blame]172#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1)
173#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1)
174#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN)
175#define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN)
Ahmed S. Darwishb500ce82008-03-13 12:32:34 -0700[diff] [blame]176
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]177/*
178 * Stricly for CIPSO level manipulation.
179 * Set the category bit number in a smack label sized buffer.
180 */
181static inline void smack_catset_bit(unsigned int cat, char *catsetp)
182{
183 if (cat == 0 || cat > (SMK_CIPSOLEN * 8))
184 return;
185
186 catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8);
187}
188
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]189/**
190 * smk_netlabel_audit_set - fill a netlbl_audit struct
191 * @nap: structure to fill
192 */
193static void smk_netlabel_audit_set(struct netlbl_audit *nap)
194{
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]195 struct smack_known *skp = smk_of_current();
196
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]197 nap->loginuid = audit_get_loginuid(current);
198 nap->sessionid = audit_get_sessionid(current);
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]199 nap->secid = skp->smk_secid;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]200}
201
202/*
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]203 * Value for parsing single label host rules
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]204 * "1.2.3.4 X"
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]205 */
206#define SMK_NETLBLADDRMIN 9
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]207
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]208/**
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]209 * smk_set_access - add a rule to the rule list or replace an old rule
210 * @srp: the rule to add or replace
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]211 * @rule_list: the list of rules
212 * @rule_lock: the rule list lock
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]213 * @global: if non-zero, indicates a global rule
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]214 *
215 * Looks through the current subject/object/access list for
216 * the subject/object pair and replaces the access that was
217 * there. If the pair isn't found add it with the specified
218 * access.
Sergio Luis81ea7142008-12-22 01:16:15 -0300[diff] [blame]219 *
220 * Returns 0 if nothing goes wrong or -ENOMEM if it fails
221 * during the allocation of the new pair to add.
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]222 */
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]223static int smk_set_access(struct smack_parsed_rule *srp,
224 struct list_head *rule_list,
225 struct mutex *rule_lock, int global)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]226{
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]227 struct smack_rule *sp;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]228 struct smack_master_list *smlp;
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]229 int found = 0;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]230 int rc = 0;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]231
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]232 mutex_lock(rule_lock);
233
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]234 /*
235 * Because the object label is less likely to match
236 * than the subject label check it first
237 */
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]238 list_for_each_entry_rcu(sp, rule_list, list) {
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]239 if (sp->smk_object == srp->smk_object &&
240 sp->smk_subject == srp->smk_subject) {
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]241 found = 1;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]242 sp->smk_access |= srp->smk_access1;
243 sp->smk_access &= ~srp->smk_access2;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]244 break;
245 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]246 }
247
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]248 if (found == 0) {
249 sp = kzalloc(sizeof(*sp), GFP_KERNEL);
250 if (sp == NULL) {
251 rc = -ENOMEM;
252 goto out;
253 }
254
255 sp->smk_subject = srp->smk_subject;
256 sp->smk_object = srp->smk_object;
257 sp->smk_access = srp->smk_access1 & ~srp->smk_access2;
258
259 list_add_rcu(&sp->list, rule_list);
260 /*
261 * If this is a global as opposed to self and a new rule
262 * it needs to get added for reporting.
263 */
264 if (global) {
265 smlp = kzalloc(sizeof(*smlp), GFP_KERNEL);
266 if (smlp != NULL) {
267 smlp->smk_rule = sp;
268 list_add_rcu(&smlp->list, &smack_rule_list);
269 } else
270 rc = -ENOMEM;
271 }
272 }
273
274out:
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]275 mutex_unlock(rule_lock);
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]276 return rc;
277}
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]278
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]279/**
280 * smk_perm_from_str - parse smack accesses from a text string
281 * @string: a text string that contains a Smack accesses code
282 *
283 * Returns an integer with respective bits set for specified accesses.
284 */
285static int smk_perm_from_str(const char *string)
286{
287 int perm = 0;
288 const char *cp;
289
290 for (cp = string; ; cp++)
291 switch (*cp) {
292 case '-':
293 break;
294 case 'r':
295 case 'R':
296 perm |= MAY_READ;
297 break;
298 case 'w':
299 case 'W':
300 perm |= MAY_WRITE;
301 break;
302 case 'x':
303 case 'X':
304 perm |= MAY_EXEC;
305 break;
306 case 'a':
307 case 'A':
308 perm |= MAY_APPEND;
309 break;
310 case 't':
311 case 'T':
312 perm |= MAY_TRANSMUTE;
313 break;
Casey Schauflerc0ab6e52013-10-11 18:06:39 -0700[diff] [blame]314 case 'l':
315 case 'L':
316 perm |= MAY_LOCK;
317 break;
Casey Schauflerd166c802014-08-27 14:51:27 -0700[diff] [blame]318 case 'b':
319 case 'B':
320 perm |= MAY_BRINGUP;
321 break;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]322 default:
323 return perm;
324 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]325}
326
327/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]328 * smk_fill_rule - Fill Smack rule from strings
329 * @subject: subject label string
330 * @object: object label string
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]331 * @access1: access string
332 * @access2: string with permissions to be removed
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]333 * @rule: Smack rule
334 * @import: if non-zero, import labels
Casey Schaufler35187212012-06-18 19:01:36 -0700[diff] [blame]335 * @len: label length limit
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]336 *
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]337 * Returns 0 on success, appropriate error code on failure.
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]338 */
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]339static int smk_fill_rule(const char *subject, const char *object,
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]340 const char *access1, const char *access2,
341 struct smack_parsed_rule *rule, int import,
342 int len)
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]343{
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]344 const char *cp;
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]345 struct smack_known *skp;
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]346
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]347 if (import) {
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]348 rule->smk_subject = smk_import_entry(subject, len);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]349 if (IS_ERR(rule->smk_subject))
350 return PTR_ERR(rule->smk_subject);
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]351
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]352 rule->smk_object = smk_import_entry(object, len);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]353 if (IS_ERR(rule->smk_object))
354 return PTR_ERR(rule->smk_object);
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]355 } else {
Casey Schaufler35187212012-06-18 19:01:36 -0700[diff] [blame]356 cp = smk_parse_smack(subject, len);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]357 if (IS_ERR(cp))
358 return PTR_ERR(cp);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]359 skp = smk_find_entry(cp);
360 kfree(cp);
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]361 if (skp == NULL)
Jarkko Sakkinen398ce072013-11-28 19:16:46 +0200[diff] [blame]362 return -ENOENT;
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]363 rule->smk_subject = skp;
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]364
Casey Schaufler35187212012-06-18 19:01:36 -0700[diff] [blame]365 cp = smk_parse_smack(object, len);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]366 if (IS_ERR(cp))
367 return PTR_ERR(cp);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]368 skp = smk_find_entry(cp);
369 kfree(cp);
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]370 if (skp == NULL)
Jarkko Sakkinen398ce072013-11-28 19:16:46 +0200[diff] [blame]371 return -ENOENT;
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]372 rule->smk_object = skp;
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]373 }
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]374
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]375 rule->smk_access1 = smk_perm_from_str(access1);
376 if (access2)
377 rule->smk_access2 = smk_perm_from_str(access2);
378 else
379 rule->smk_access2 = ~rule->smk_access1;
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]380
Casey Schaufler35187212012-06-18 19:01:36 -0700[diff] [blame]381 return 0;
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]382}
383
384/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]385 * smk_parse_rule - parse Smack rule from load string
386 * @data: string to be parsed whose size is SMK_LOADLEN
387 * @rule: Smack rule
388 * @import: if non-zero, import labels
389 *
390 * Returns 0 on success, -1 on errors.
391 */
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]392static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule,
393 int import)
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]394{
395 int rc;
396
397 rc = smk_fill_rule(data, data + SMK_LABELLEN,
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]398 data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule,
399 import, SMK_LABELLEN);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]400 return rc;
401}
402
403/**
404 * smk_parse_long_rule - parse Smack rule from rule string
405 * @data: string to be parsed, null terminated
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]406 * @rule: Will be filled with Smack parsed rule
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]407 * @import: if non-zero, import labels
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]408 * @tokens: numer of substrings expected in data
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]409 *
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]410 * Returns number of processed bytes on success, -ERRNO on failure.
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]411 */
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]412static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule,
413 int import, int tokens)
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]414{
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]415 ssize_t cnt = 0;
416 char *tok[4];
Jarkko Sakkinen398ce072013-11-28 19:16:46 +0200[diff] [blame]417 int rc;
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]418 int i;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]419
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]420 /*
421 * Parsing the rule in-place, filling all white-spaces with '\0'
422 */
423 for (i = 0; i < tokens; ++i) {
424 while (isspace(data[cnt]))
425 data[cnt++] = '\0';
Alan Cox3b9fc372012-07-26 14:47:11 -0700[diff] [blame]426
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]427 if (data[cnt] == '\0')
428 /* Unexpected end of data */
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]429 return -EINVAL;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]430
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]431 tok[i] = data + cnt;
432
433 while (data[cnt] && !isspace(data[cnt]))
434 ++cnt;
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]435 }
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]436 while (isspace(data[cnt]))
437 data[cnt++] = '\0';
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]438
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]439 while (i < 4)
440 tok[i++] = NULL;
441
Jarkko Sakkinen398ce072013-11-28 19:16:46 +0200[diff] [blame]442 rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0);
443 return rc == 0 ? cnt : rc;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]444}
445
446#define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */
447#define SMK_LONG_FMT 1 /* Variable long label format */
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]448#define SMK_CHANGE_FMT 2 /* Rule modification format */
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]449/**
450 * smk_write_rules_list - write() for any /smack rule file
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]451 * @file: file pointer, not actually used
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]452 * @buf: where to get the data from
453 * @count: bytes sent
454 * @ppos: where to start - must be 0
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]455 * @rule_list: the list of rules to write to
456 * @rule_lock: lock for the rule list
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]457 * @format: /smack/load or /smack/load2 or /smack/change-rule format.
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]458 *
459 * Get one smack access rule from above.
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]460 * The format for SMK_LONG_FMT is:
461 * "subject<whitespace>object<whitespace>access[<whitespace>...]"
462 * The format for SMK_FIXED24_FMT is exactly:
463 * "subject object rwxat"
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]464 * The format for SMK_CHANGE_FMT is:
465 * "subject<whitespace>object<whitespace>
466 * acc_enable<whitespace>acc_disable[<whitespace>...]"
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]467 */
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]468static ssize_t smk_write_rules_list(struct file *file, const char __user *buf,
469 size_t count, loff_t *ppos,
470 struct list_head *rule_list,
471 struct mutex *rule_lock, int format)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]472{
Tomasz Stanislawski470043b2013-06-06 09:30:50 +0200[diff] [blame]473 struct smack_parsed_rule rule;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]474 char *data;
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]475 int rc;
476 int trunc = 0;
477 int tokens;
478 ssize_t cnt = 0;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]479
480 /*
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]481 * No partial writes.
482 * Enough data must be present.
483 */
Jarkko Sakkinen5c6d1122010-12-07 13:34:01 +0200[diff] [blame]484 if (*ppos != 0)
485 return -EINVAL;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]486
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]487 if (format == SMK_FIXED24_FMT) {
488 /*
489 * Minor hack for backward compatibility
490 */
Casey Schauflerc0ab6e52013-10-11 18:06:39 -0700[diff] [blame]491 if (count < SMK_OLOADLEN || count > SMK_LOADLEN)
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]492 return -EINVAL;
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]493 } else {
494 if (count >= PAGE_SIZE) {
495 count = PAGE_SIZE - 1;
496 trunc = 1;
497 }
498 }
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]499
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]500 data = kmalloc(count + 1, GFP_KERNEL);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]501 if (data == NULL)
502 return -ENOMEM;
503
504 if (copy_from_user(data, buf, count) != 0) {
505 rc = -EFAULT;
506 goto out;
507 }
508
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]509 /*
510 * In case of parsing only part of user buf,
511 * avoid having partial rule at the data buffer
512 */
513 if (trunc) {
514 while (count > 0 && (data[count - 1] != '\n'))
515 --count;
516 if (count == 0) {
517 rc = -EINVAL;
Tomasz Stanislawski470043b2013-06-06 09:30:50 +0200[diff] [blame]518 goto out;
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]519 }
520 }
521
522 data[count] = '\0';
523 tokens = (format == SMK_CHANGE_FMT ? 4 : 3);
524 while (cnt < count) {
525 if (format == SMK_FIXED24_FMT) {
526 rc = smk_parse_rule(data, &rule, 1);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]527 if (rc < 0)
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]528 goto out;
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]529 cnt = count;
530 } else {
531 rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]532 if (rc < 0)
533 goto out;
534 if (rc == 0) {
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]535 rc = -EINVAL;
536 goto out;
537 }
538 cnt += rc;
539 }
540
541 if (rule_list == NULL)
542 rc = smk_set_access(&rule, &rule.smk_subject->smk_rules,
543 &rule.smk_subject->smk_rules_lock, 1);
544 else
545 rc = smk_set_access(&rule, rule_list, rule_lock, 0);
546
547 if (rc)
Tomasz Stanislawski470043b2013-06-06 09:30:50 +0200[diff] [blame]548 goto out;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]549 }
550
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]551 rc = cnt;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]552out:
553 kfree(data);
554 return rc;
555}
556
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]557/*
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]558 * Core logic for smackfs seq list operations.
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]559 */
560
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]561static void *smk_seq_start(struct seq_file *s, loff_t *pos,
562 struct list_head *head)
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]563{
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]564 struct list_head *list;
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]565 int i = *pos;
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]566
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]567 rcu_read_lock();
568 for (list = rcu_dereference(list_next_rcu(head));
569 list != head;
570 list = rcu_dereference(list_next_rcu(list))) {
571 if (i-- == 0)
572 return list;
573 }
Casey Schaufler272cd7a2011-09-20 12:24:36 -0700[diff] [blame]574
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]575 return NULL;
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]576}
577
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]578static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos,
579 struct list_head *head)
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]580{
581 struct list_head *list = v;
582
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]583 ++*pos;
584 list = rcu_dereference(list_next_rcu(list));
585
586 return (list == head) ? NULL : list;
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]587}
588
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]589static void smk_seq_stop(struct seq_file *s, void *v)
590{
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]591 rcu_read_unlock();
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]592}
593
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]594static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max)
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]595{
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]596 /*
597 * Don't show any rules with label names too long for
598 * interface file (/smack/load or /smack/load2)
599 * because you should expect to be able to write
600 * anything you read back.
601 */
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]602 if (strlen(srp->smk_subject->smk_known) >= max ||
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]603 strlen(srp->smk_object->smk_known) >= max)
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]604 return;
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]605
Rafal Krypa65ee7f42012-07-09 19:36:34 +0200[diff] [blame]606 if (srp->smk_access == 0)
607 return;
608
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]609 seq_printf(s, "%s %s",
610 srp->smk_subject->smk_known,
611 srp->smk_object->smk_known);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]612
613 seq_putc(s, ' ');
614
615 if (srp->smk_access & MAY_READ)
616 seq_putc(s, 'r');
617 if (srp->smk_access & MAY_WRITE)
618 seq_putc(s, 'w');
619 if (srp->smk_access & MAY_EXEC)
620 seq_putc(s, 'x');
621 if (srp->smk_access & MAY_APPEND)
622 seq_putc(s, 'a');
623 if (srp->smk_access & MAY_TRANSMUTE)
624 seq_putc(s, 't');
Casey Schauflerc0ab6e52013-10-11 18:06:39 -0700[diff] [blame]625 if (srp->smk_access & MAY_LOCK)
626 seq_putc(s, 'l');
Casey Schauflerd166c802014-08-27 14:51:27 -0700[diff] [blame]627 if (srp->smk_access & MAY_BRINGUP)
628 seq_putc(s, 'b');
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]629
630 seq_putc(s, '\n');
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]631}
632
633/*
634 * Seq_file read operations for /smack/load
635 */
636
637static void *load2_seq_start(struct seq_file *s, loff_t *pos)
638{
639 return smk_seq_start(s, pos, &smack_rule_list);
640}
641
642static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos)
643{
644 return smk_seq_next(s, v, pos, &smack_rule_list);
645}
646
647static int load_seq_show(struct seq_file *s, void *v)
648{
649 struct list_head *list = v;
650 struct smack_master_list *smlp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]651 list_entry_rcu(list, struct smack_master_list, list);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]652
653 smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]654
655 return 0;
656}
657
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]658static const struct seq_operations load_seq_ops = {
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]659 .start = load2_seq_start,
660 .next = load2_seq_next,
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]661 .show = load_seq_show,
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]662 .stop = smk_seq_stop,
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]663};
664
665/**
666 * smk_open_load - open() for /smack/load
667 * @inode: inode structure representing file
668 * @file: "load" file pointer
669 *
670 * For reading, use load_seq_* seq_file reading operations.
671 */
672static int smk_open_load(struct inode *inode, struct file *file)
673{
674 return seq_open(file, &load_seq_ops);
675}
676
677/**
678 * smk_write_load - write() for /smack/load
679 * @file: file pointer, not actually used
680 * @buf: where to get the data from
681 * @count: bytes sent
682 * @ppos: where to start - must be 0
683 *
684 */
685static ssize_t smk_write_load(struct file *file, const char __user *buf,
686 size_t count, loff_t *ppos)
687{
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]688 /*
689 * Must have privilege.
690 * No partial writes.
691 * Enough data must be present.
692 */
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]693 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]694 return -EPERM;
695
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]696 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
697 SMK_FIXED24_FMT);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]698}
699
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]700static const struct file_operations smk_load_ops = {
701 .open = smk_open_load,
702 .read = seq_read,
703 .llseek = seq_lseek,
704 .write = smk_write_load,
Ahmed S. Darwishcb622bb2008-03-24 12:29:49 -0700[diff] [blame]705 .release = seq_release,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]706};
707
708/**
709 * smk_cipso_doi - initialize the CIPSO domain
710 */
Casey Schaufler30aa4fa2008-04-28 02:13:43 -0700[diff] [blame]711static void smk_cipso_doi(void)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]712{
713 int rc;
714 struct cipso_v4_doi *doip;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]715 struct netlbl_audit nai;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]716
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]717 smk_netlabel_audit_set(&nai);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]718
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]719 rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]720 if (rc != 0)
721 printk(KERN_WARNING "%s:%d remove rc = %d\n",
722 __func__, __LINE__, rc);
723
724 doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL);
725 if (doip == NULL)
726 panic("smack: Failed to initialize cipso DOI.\n");
727 doip->map.std = NULL;
728 doip->doi = smk_cipso_doi_value;
729 doip->type = CIPSO_V4_MAP_PASS;
730 doip->tags[0] = CIPSO_V4_TAG_RBITMAP;
731 for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++)
732 doip->tags[rc] = CIPSO_V4_TAG_INVALID;
733
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]734 rc = netlbl_cfg_cipsov4_add(doip, &nai);
Paul Mooreb1edeb12008-10-10 10:16:31 -0400[diff] [blame]735 if (rc != 0) {
Paul Moore6c2e8ac2008-12-31 12:54:11 -0500[diff] [blame]736 printk(KERN_WARNING "%s:%d cipso add rc = %d\n",
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]737 __func__, __LINE__, rc);
Paul Mooreb1edeb12008-10-10 10:16:31 -0400[diff] [blame]738 kfree(doip);
Paul Moore6c2e8ac2008-12-31 12:54:11 -0500[diff] [blame]739 return;
740 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]741 rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai);
Paul Moore6c2e8ac2008-12-31 12:54:11 -0500[diff] [blame]742 if (rc != 0) {
743 printk(KERN_WARNING "%s:%d map add rc = %d\n",
744 __func__, __LINE__, rc);
745 kfree(doip);
746 return;
Paul Mooreb1edeb12008-10-10 10:16:31 -0400[diff] [blame]747 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]748}
749
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]750/**
751 * smk_unlbl_ambient - initialize the unlabeled domain
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]752 * @oldambient: previous domain string
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]753 */
Casey Schaufler30aa4fa2008-04-28 02:13:43 -0700[diff] [blame]754static void smk_unlbl_ambient(char *oldambient)
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]755{
756 int rc;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]757 struct netlbl_audit nai;
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]758
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]759 smk_netlabel_audit_set(&nai);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]760
761 if (oldambient != NULL) {
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]762 rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]763 if (rc != 0)
764 printk(KERN_WARNING "%s:%d remove rc = %d\n",
765 __func__, __LINE__, rc);
766 }
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]767 if (smack_net_ambient == NULL)
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]768 smack_net_ambient = &smack_known_floor;
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]769
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]770 rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET,
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]771 NULL, NULL, &nai);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]772 if (rc != 0)
773 printk(KERN_WARNING "%s:%d add rc = %d\n",
774 __func__, __LINE__, rc);
775}
776
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]777/*
778 * Seq_file read operations for /smack/cipso
779 */
780
781static void *cipso_seq_start(struct seq_file *s, loff_t *pos)
782{
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]783 return smk_seq_start(s, pos, &smack_known_list);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]784}
785
786static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos)
787{
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]788 return smk_seq_next(s, v, pos, &smack_known_list);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]789}
790
791/*
792 * Print cipso labels in format:
793 * label level[/cat[,cat]]
794 */
795static int cipso_seq_show(struct seq_file *s, void *v)
796{
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]797 struct list_head *list = v;
798 struct smack_known *skp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]799 list_entry_rcu(list, struct smack_known, list);
Paul Moore4fbe63d2014-08-01 11:17:37 -0400[diff] [blame]800 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]801 char sep = '/';
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]802 int i;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]803
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]804 /*
805 * Don't show a label that could not have been set using
806 * /smack/cipso. This is in support of the notion that
807 * anything read from /smack/cipso ought to be writeable
808 * to /smack/cipso.
809 *
810 * /smack/cipso2 should be used instead.
811 */
812 if (strlen(skp->smk_known) >= SMK_LABELLEN)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]813 return 0;
814
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]815 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]816
Paul Moore4fbe63d2014-08-01 11:17:37 -0400[diff] [blame]817 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
818 i = netlbl_catmap_walk(cmp, i + 1)) {
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]819 seq_printf(s, "%c%d", sep, i);
820 sep = ',';
821 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]822
823 seq_putc(s, '\n');
824
825 return 0;
826}
827
James Morris88e9d342009-09-22 16:43:43 -0700[diff] [blame]828static const struct seq_operations cipso_seq_ops = {
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]829 .start = cipso_seq_start,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]830 .next = cipso_seq_next,
831 .show = cipso_seq_show,
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]832 .stop = smk_seq_stop,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]833};
834
835/**
836 * smk_open_cipso - open() for /smack/cipso
837 * @inode: inode structure representing file
838 * @file: "cipso" file pointer
839 *
840 * Connect our cipso_seq_* operations with /smack/cipso
841 * file_operations
842 */
843static int smk_open_cipso(struct inode *inode, struct file *file)
844{
845 return seq_open(file, &cipso_seq_ops);
846}
847
848/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]849 * smk_set_cipso - do the work for write() for cipso and cipso2
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]850 * @file: file pointer, not actually used
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]851 * @buf: where to get the data from
852 * @count: bytes sent
853 * @ppos: where to start
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]854 * @format: /smack/cipso or /smack/cipso2
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]855 *
856 * Accepts only one cipso rule per write call.
857 * Returns number of bytes written or error code, as appropriate
858 */
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]859static ssize_t smk_set_cipso(struct file *file, const char __user *buf,
860 size_t count, loff_t *ppos, int format)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]861{
862 struct smack_known *skp;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]863 struct netlbl_lsm_secattr ncats;
864 char mapcatset[SMK_CIPSOLEN];
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]865 int maplevel;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]866 unsigned int cat;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]867 int catlen;
868 ssize_t rc = -EINVAL;
869 char *data = NULL;
870 char *rule;
871 int ret;
872 int i;
873
874 /*
875 * Must have privilege.
876 * No partial writes.
877 * Enough data must be present.
878 */
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]879 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]880 return -EPERM;
881 if (*ppos != 0)
882 return -EINVAL;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]883 if (format == SMK_FIXED24_FMT &&
884 (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]885 return -EINVAL;
886
887 data = kzalloc(count + 1, GFP_KERNEL);
888 if (data == NULL)
889 return -ENOMEM;
890
891 if (copy_from_user(data, buf, count) != 0) {
892 rc = -EFAULT;
893 goto unlockedout;
894 }
895
896 data[count] = '\0';
897 rule = data;
898 /*
899 * Only allow one writer at a time. Writes should be
900 * quite rare and small in any case.
901 */
902 mutex_lock(&smack_cipso_lock);
903
904 skp = smk_import_entry(rule, 0);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]905 if (IS_ERR(skp)) {
906 rc = PTR_ERR(skp);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]907 goto out;
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]908 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]909
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]910 if (format == SMK_FIXED24_FMT)
911 rule += SMK_LABELLEN;
912 else
Passion,Zhao0fcfee62013-06-03 11:42:24 +0800[diff] [blame]913 rule += strlen(skp->smk_known) + 1;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]914
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]915 ret = sscanf(rule, "%d", &maplevel);
916 if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL)
917 goto out;
918
919 rule += SMK_DIGITLEN;
920 ret = sscanf(rule, "%d", &catlen);
921 if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM)
922 goto out;
923
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]924 if (format == SMK_FIXED24_FMT &&
925 count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]926 goto out;
927
928 memset(mapcatset, 0, sizeof(mapcatset));
929
930 for (i = 0; i < catlen; i++) {
931 rule += SMK_DIGITLEN;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]932 ret = sscanf(rule, "%u", &cat);
Casey Schaufler677264e2013-06-28 13:47:07 -0700[diff] [blame]933 if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]934 goto out;
935
936 smack_catset_bit(cat, mapcatset);
937 }
938
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]939 rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN);
940 if (rc >= 0) {
Paul Moore4fbe63d2014-08-01 11:17:37 -0400[diff] [blame]941 netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]942 skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat;
943 skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl;
944 rc = count;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]945 }
946
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]947out:
948 mutex_unlock(&smack_cipso_lock);
949unlockedout:
950 kfree(data);
951 return rc;
952}
953
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]954/**
955 * smk_write_cipso - write() for /smack/cipso
956 * @file: file pointer, not actually used
957 * @buf: where to get the data from
958 * @count: bytes sent
959 * @ppos: where to start
960 *
961 * Accepts only one cipso rule per write call.
962 * Returns number of bytes written or error code, as appropriate
963 */
964static ssize_t smk_write_cipso(struct file *file, const char __user *buf,
965 size_t count, loff_t *ppos)
966{
967 return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT);
968}
969
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]970static const struct file_operations smk_cipso_ops = {
971 .open = smk_open_cipso,
972 .read = seq_read,
973 .llseek = seq_lseek,
974 .write = smk_write_cipso,
975 .release = seq_release,
976};
977
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]978/*
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]979 * Seq_file read operations for /smack/cipso2
980 */
981
982/*
983 * Print cipso labels in format:
984 * label level[/cat[,cat]]
985 */
986static int cipso2_seq_show(struct seq_file *s, void *v)
987{
988 struct list_head *list = v;
989 struct smack_known *skp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]990 list_entry_rcu(list, struct smack_known, list);
Paul Moore4fbe63d2014-08-01 11:17:37 -0400[diff] [blame]991 struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]992 char sep = '/';
993 int i;
994
995 seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl);
996
Paul Moore4fbe63d2014-08-01 11:17:37 -0400[diff] [blame]997 for (i = netlbl_catmap_walk(cmp, 0); i >= 0;
998 i = netlbl_catmap_walk(cmp, i + 1)) {
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]999 seq_printf(s, "%c%d", sep, i);
1000 sep = ',';
1001 }
1002
1003 seq_putc(s, '\n');
1004
1005 return 0;
1006}
1007
1008static const struct seq_operations cipso2_seq_ops = {
1009 .start = cipso_seq_start,
1010 .next = cipso_seq_next,
1011 .show = cipso2_seq_show,
1012 .stop = smk_seq_stop,
1013};
1014
1015/**
1016 * smk_open_cipso2 - open() for /smack/cipso2
1017 * @inode: inode structure representing file
1018 * @file: "cipso2" file pointer
1019 *
1020 * Connect our cipso_seq_* operations with /smack/cipso2
1021 * file_operations
1022 */
1023static int smk_open_cipso2(struct inode *inode, struct file *file)
1024{
1025 return seq_open(file, &cipso2_seq_ops);
1026}
1027
1028/**
1029 * smk_write_cipso2 - write() for /smack/cipso2
1030 * @file: file pointer, not actually used
1031 * @buf: where to get the data from
1032 * @count: bytes sent
1033 * @ppos: where to start
1034 *
1035 * Accepts only one cipso rule per write call.
1036 * Returns number of bytes written or error code, as appropriate
1037 */
1038static ssize_t smk_write_cipso2(struct file *file, const char __user *buf,
1039 size_t count, loff_t *ppos)
1040{
1041 return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT);
1042}
1043
1044static const struct file_operations smk_cipso2_ops = {
1045 .open = smk_open_cipso2,
1046 .read = seq_read,
1047 .llseek = seq_lseek,
1048 .write = smk_write_cipso2,
1049 .release = seq_release,
1050};
1051
1052/*
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1053 * Seq_file read operations for /smack/netlabel
1054 */
1055
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1056static void *net4addr_seq_start(struct seq_file *s, loff_t *pos)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1057{
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1058 return smk_seq_start(s, pos, &smk_net4addr_list);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1059}
1060
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1061static void *net4addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1062{
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1063 return smk_seq_next(s, v, pos, &smk_net4addr_list);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1064}
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1065
1066/*
1067 * Print host/label pairs
1068 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1069static int net4addr_seq_show(struct seq_file *s, void *v)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1070{
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1071 struct list_head *list = v;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1072 struct smk_net4addr *skp =
1073 list_entry_rcu(list, struct smk_net4addr, list);
1074 char *kp = SMACK_CIPSO_OPTION;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1075
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1076 if (skp->smk_label != NULL)
1077 kp = skp->smk_label->smk_known;
1078 seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr,
1079 skp->smk_masks, kp);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1080
1081 return 0;
1082}
1083
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1084static const struct seq_operations net4addr_seq_ops = {
1085 .start = net4addr_seq_start,
1086 .next = net4addr_seq_next,
1087 .show = net4addr_seq_show,
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]1088 .stop = smk_seq_stop,
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1089};
1090
1091/**
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1092 * smk_open_net4addr - open() for /smack/netlabel
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1093 * @inode: inode structure representing file
1094 * @file: "netlabel" file pointer
1095 *
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1096 * Connect our net4addr_seq_* operations with /smack/netlabel
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1097 * file_operations
1098 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1099static int smk_open_net4addr(struct inode *inode, struct file *file)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1100{
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1101 return seq_open(file, &net4addr_seq_ops);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1102}
1103
1104/**
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1105 * smk_net4addr_insert
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1106 * @new : netlabel to insert
1107 *
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1108 * This helper insert netlabel in the smack_net4addrs list
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1109 * sorted by netmask length (longest to smallest)
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1110 * locked by &smk_net4addr_lock in smk_write_net4addr
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1111 *
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1112 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1113static void smk_net4addr_insert(struct smk_net4addr *new)
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1114{
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1115 struct smk_net4addr *m;
1116 struct smk_net4addr *m_next;
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1117
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1118 if (list_empty(&smk_net4addr_list)) {
1119 list_add_rcu(&new->list, &smk_net4addr_list);
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1120 return;
1121 }
1122
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1123 m = list_entry_rcu(smk_net4addr_list.next,
1124 struct smk_net4addr, list);
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1125
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1126 /* the comparison '>' is a bit hacky, but works */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1127 if (new->smk_masks > m->smk_masks) {
1128 list_add_rcu(&new->list, &smk_net4addr_list);
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1129 return;
1130 }
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1131
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1132 list_for_each_entry_rcu(m, &smk_net4addr_list, list) {
1133 if (list_is_last(&m->list, &smk_net4addr_list)) {
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1134 list_add_rcu(&new->list, &m->list);
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1135 return;
1136 }
Jiri Pirko05725f72009-04-14 20:17:16 +0200[diff] [blame]1137 m_next = list_entry_rcu(m->list.next,
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1138 struct smk_net4addr, list);
1139 if (new->smk_masks > m_next->smk_masks) {
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1140 list_add_rcu(&new->list, &m->list);
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1141 return;
1142 }
1143 }
1144}
1145
1146
1147/**
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1148 * smk_write_net4addr - write() for /smack/netlabel
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]1149 * @file: file pointer, not actually used
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1150 * @buf: where to get the data from
1151 * @count: bytes sent
1152 * @ppos: where to start
1153 *
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1154 * Accepts only one net4addr per write call.
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1155 * Returns number of bytes written or error code, as appropriate
1156 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1157static ssize_t smk_write_net4addr(struct file *file, const char __user *buf,
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1158 size_t count, loff_t *ppos)
1159{
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1160 struct smk_net4addr *snp;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1161 struct sockaddr_in newname;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1162 char *smack;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1163 struct smack_known *skp = NULL;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1164 char *data;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1165 char *host = (char *)&newname.sin_addr.s_addr;
1166 int rc;
1167 struct netlbl_audit audit_info;
1168 struct in_addr mask;
1169 unsigned int m;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1170 unsigned int masks;
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1171 int found;
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1172 u32 mask_bits = (1<<31);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1173 __be32 nsa;
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1174 u32 temp_mask;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1175
1176 /*
1177 * Must have privilege.
1178 * No partial writes.
1179 * Enough data must be present.
1180 * "<addr/mask, as a.b.c.d/e><space><label>"
1181 * "<addr, as a.b.c.d><space><label>"
1182 */
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]1183 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1184 return -EPERM;
1185 if (*ppos != 0)
1186 return -EINVAL;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1187 if (count < SMK_NETLBLADDRMIN)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1188 return -EINVAL;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1189
1190 data = kzalloc(count + 1, GFP_KERNEL);
1191 if (data == NULL)
1192 return -ENOMEM;
1193
1194 if (copy_from_user(data, buf, count) != 0) {
1195 rc = -EFAULT;
1196 goto free_data_out;
1197 }
1198
1199 smack = kzalloc(count + 1, GFP_KERNEL);
1200 if (smack == NULL) {
1201 rc = -ENOMEM;
1202 goto free_data_out;
1203 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1204
1205 data[count] = '\0';
1206
Toralf Försterec554fa2014-04-27 19:33:34 +0200[diff] [blame]1207 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s",
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1208 &host[0], &host[1], &host[2], &host[3], &masks, smack);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1209 if (rc != 6) {
1210 rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s",
1211 &host[0], &host[1], &host[2], &host[3], smack);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1212 if (rc != 5) {
1213 rc = -EINVAL;
1214 goto free_out;
1215 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1216 m = BEBITS;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1217 masks = 32;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1218 }
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1219 if (masks > BEBITS) {
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1220 rc = -EINVAL;
1221 goto free_out;
1222 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1223
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1224 /*
1225 * If smack begins with '-', it is an option, don't import it
1226 */
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1227 if (smack[0] != '-') {
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]1228 skp = smk_import_entry(smack, 0);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]1229 if (IS_ERR(skp)) {
1230 rc = PTR_ERR(skp);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1231 goto free_out;
1232 }
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1233 } else {
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1234 /*
1235 * Only the -CIPSO option is supported for IPv4
1236 */
1237 if (strcmp(smack, SMACK_CIPSO_OPTION) != 0) {
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1238 rc = -EINVAL;
1239 goto free_out;
1240 }
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1241 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1242
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1243 for (m = masks, temp_mask = 0; m > 0; m--) {
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1244 temp_mask |= mask_bits;
1245 mask_bits >>= 1;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1246 }
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1247 mask.s_addr = cpu_to_be32(temp_mask);
1248
1249 newname.sin_addr.s_addr &= mask.s_addr;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1250 /*
1251 * Only allow one writer at a time. Writes should be
1252 * quite rare and small in any case.
1253 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1254 mutex_lock(&smk_net4addr_lock);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1255
1256 nsa = newname.sin_addr.s_addr;
etienne113a0e42009-03-04 07:33:51 +0100[diff] [blame]1257 /* try to find if the prefix is already in the list */
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1258 found = 0;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1259 list_for_each_entry_rcu(snp, &smk_net4addr_list, list) {
1260 if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) {
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1261 found = 1;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1262 break;
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1263 }
1264 }
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1265 smk_netlabel_audit_set(&audit_info);
1266
Etienne Basset7198e2e2009-03-24 20:53:24 +0100[diff] [blame]1267 if (found == 0) {
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]1268 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1269 if (snp == NULL)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1270 rc = -ENOMEM;
1271 else {
1272 rc = 0;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1273 snp->smk_host.s_addr = newname.sin_addr.s_addr;
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]1274 snp->smk_mask.s_addr = mask.s_addr;
1275 snp->smk_label = skp;
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1276 snp->smk_masks = masks;
1277 smk_net4addr_insert(snp);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1278 }
1279 } else {
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1280 /*
1281 * Delete the unlabeled entry, only if the previous label
1282 * wasn't the special CIPSO option
1283 */
1284 if (snp->smk_label != NULL)
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1285 rc = netlbl_cfg_unlbl_static_del(&init_net, NULL,
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1286 &snp->smk_host, &snp->smk_mask,
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1287 PF_INET, &audit_info);
1288 else
1289 rc = 0;
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]1290 snp->smk_label = skp;
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1291 }
1292
1293 /*
1294 * Now tell netlabel about the single label nature of
1295 * this host so that incoming packets get labeled.
Etienne Basset43031542009-03-27 17:11:01 -0400[diff] [blame]1296 * but only if we didn't get the special CIPSO option
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1297 */
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1298 if (rc == 0 && skp != NULL)
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1299 rc = netlbl_cfg_unlbl_static_add(&init_net, NULL,
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1300 &snp->smk_host, &snp->smk_mask, PF_INET,
Lukasz Pawelczyk21c7eae2014-08-29 17:02:55 +0200[diff] [blame]1301 snp->smk_label->smk_secid, &audit_info);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1302
1303 if (rc == 0)
1304 rc = count;
1305
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1306 mutex_unlock(&smk_net4addr_lock);
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1307
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1308free_out:
1309 kfree(smack);
1310free_data_out:
1311 kfree(data);
1312
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1313 return rc;
1314}
1315
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1316static const struct file_operations smk_net4addr_ops = {
1317 .open = smk_open_net4addr,
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1318 .read = seq_read,
1319 .llseek = seq_lseek,
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1320 .write = smk_write_net4addr,
Casey Schaufler6d3dc072008-12-31 12:54:12 -0500[diff] [blame]1321 .release = seq_release,
1322};
1323
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1324#if IS_ENABLED(CONFIG_IPV6)
1325/*
1326 * Seq_file read operations for /smack/netlabel6
1327 */
1328
1329static void *net6addr_seq_start(struct seq_file *s, loff_t *pos)
1330{
1331 return smk_seq_start(s, pos, &smk_net6addr_list);
1332}
1333
1334static void *net6addr_seq_next(struct seq_file *s, void *v, loff_t *pos)
1335{
1336 return smk_seq_next(s, v, pos, &smk_net6addr_list);
1337}
1338
1339/*
1340 * Print host/label pairs
1341 */
1342static int net6addr_seq_show(struct seq_file *s, void *v)
1343{
1344 struct list_head *list = v;
1345 struct smk_net6addr *skp =
1346 list_entry(list, struct smk_net6addr, list);
1347
1348 if (skp->smk_label != NULL)
1349 seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks,
1350 skp->smk_label->smk_known);
1351
1352 return 0;
1353}
1354
1355static const struct seq_operations net6addr_seq_ops = {
1356 .start = net6addr_seq_start,
1357 .next = net6addr_seq_next,
1358 .show = net6addr_seq_show,
1359 .stop = smk_seq_stop,
1360};
1361
1362/**
1363 * smk_open_net6addr - open() for /smack/netlabel
1364 * @inode: inode structure representing file
1365 * @file: "netlabel" file pointer
1366 *
1367 * Connect our net6addr_seq_* operations with /smack/netlabel
1368 * file_operations
1369 */
1370static int smk_open_net6addr(struct inode *inode, struct file *file)
1371{
1372 return seq_open(file, &net6addr_seq_ops);
1373}
1374
1375/**
1376 * smk_net6addr_insert
1377 * @new : entry to insert
1378 *
1379 * This inserts an entry in the smack_net6addrs list
1380 * sorted by netmask length (longest to smallest)
1381 * locked by &smk_net6addr_lock in smk_write_net6addr
1382 *
1383 */
1384static void smk_net6addr_insert(struct smk_net6addr *new)
1385{
1386 struct smk_net6addr *m_next;
1387 struct smk_net6addr *m;
1388
1389 if (list_empty(&smk_net6addr_list)) {
1390 list_add_rcu(&new->list, &smk_net6addr_list);
1391 return;
1392 }
1393
1394 m = list_entry_rcu(smk_net6addr_list.next,
1395 struct smk_net6addr, list);
1396
1397 if (new->smk_masks > m->smk_masks) {
1398 list_add_rcu(&new->list, &smk_net6addr_list);
1399 return;
1400 }
1401
1402 list_for_each_entry_rcu(m, &smk_net6addr_list, list) {
1403 if (list_is_last(&m->list, &smk_net6addr_list)) {
1404 list_add_rcu(&new->list, &m->list);
1405 return;
1406 }
1407 m_next = list_entry_rcu(m->list.next,
1408 struct smk_net6addr, list);
1409 if (new->smk_masks > m_next->smk_masks) {
1410 list_add_rcu(&new->list, &m->list);
1411 return;
1412 }
1413 }
1414}
1415
1416
1417/**
1418 * smk_write_net6addr - write() for /smack/netlabel
1419 * @file: file pointer, not actually used
1420 * @buf: where to get the data from
1421 * @count: bytes sent
1422 * @ppos: where to start
1423 *
1424 * Accepts only one net6addr per write call.
1425 * Returns number of bytes written or error code, as appropriate
1426 */
1427static ssize_t smk_write_net6addr(struct file *file, const char __user *buf,
1428 size_t count, loff_t *ppos)
1429{
1430 struct smk_net6addr *snp;
1431 struct in6_addr newname;
1432 struct in6_addr fullmask;
1433 struct smack_known *skp = NULL;
1434 char *smack;
1435 char *data;
1436 int rc = 0;
1437 int found = 0;
1438 int i;
1439 unsigned int scanned[8];
1440 unsigned int m;
1441 unsigned int mask = 128;
1442
1443 /*
1444 * Must have privilege.
1445 * No partial writes.
1446 * Enough data must be present.
1447 * "<addr/mask, as a:b:c:d:e:f:g:h/e><space><label>"
1448 * "<addr, as a:b:c:d:e:f:g:h><space><label>"
1449 */
1450 if (!smack_privileged(CAP_MAC_ADMIN))
1451 return -EPERM;
1452 if (*ppos != 0)
1453 return -EINVAL;
1454 if (count < SMK_NETLBLADDRMIN)
1455 return -EINVAL;
1456
1457 data = kzalloc(count + 1, GFP_KERNEL);
1458 if (data == NULL)
1459 return -ENOMEM;
1460
1461 if (copy_from_user(data, buf, count) != 0) {
1462 rc = -EFAULT;
1463 goto free_data_out;
1464 }
1465
1466 smack = kzalloc(count + 1, GFP_KERNEL);
1467 if (smack == NULL) {
1468 rc = -ENOMEM;
1469 goto free_data_out;
1470 }
1471
1472 data[count] = '\0';
1473
1474 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s",
1475 &scanned[0], &scanned[1], &scanned[2], &scanned[3],
1476 &scanned[4], &scanned[5], &scanned[6], &scanned[7],
1477 &mask, smack);
1478 if (i != 10) {
1479 i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x %s",
1480 &scanned[0], &scanned[1], &scanned[2],
1481 &scanned[3], &scanned[4], &scanned[5],
1482 &scanned[6], &scanned[7], smack);
1483 if (i != 9) {
1484 rc = -EINVAL;
1485 goto free_out;
1486 }
1487 }
1488 if (mask > 128) {
1489 rc = -EINVAL;
1490 goto free_out;
1491 }
1492 for (i = 0; i < 8; i++) {
1493 if (scanned[i] > 0xffff) {
1494 rc = -EINVAL;
1495 goto free_out;
1496 }
1497 newname.s6_addr16[i] = htons(scanned[i]);
1498 }
1499
1500 /*
1501 * If smack begins with '-', it is an option, don't import it
1502 */
1503 if (smack[0] != '-') {
1504 skp = smk_import_entry(smack, 0);
Lukasz Pawelczyk5f2bfe22015-08-25 12:39:46 +0200[diff] [blame]1505 if (IS_ERR(skp)) {
1506 rc = PTR_ERR(skp);
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]1507 goto free_out;
1508 }
1509 } else {
1510 /*
1511 * Only -DELETE is supported for IPv6
1512 */
1513 if (strcmp(smack, SMACK_DELETE_OPTION) != 0) {
1514 rc = -EINVAL;
1515 goto free_out;
1516 }
1517 }
1518
1519 for (i = 0, m = mask; i < 8; i++) {
1520 if (m >= 16) {
1521 fullmask.s6_addr16[i] = 0xffff;
1522 m -= 16;
1523 } else if (m > 0) {
1524 fullmask.s6_addr16[i] = (1 << m) - 1;
1525 m = 0;
1526 } else
1527 fullmask.s6_addr16[i] = 0;
1528 newname.s6_addr16[i] &= fullmask.s6_addr16[i];
1529 }
1530
1531 /*
1532 * Only allow one writer at a time. Writes should be
1533 * quite rare and small in any case.
1534 */
1535 mutex_lock(&smk_net6addr_lock);
1536 /*
1537 * Try to find the prefix in the list
1538 */
1539 list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
1540 if (mask != snp->smk_masks)
1541 continue;
1542 for (found = 1, i = 0; i < 8; i++) {
1543 if (newname.s6_addr16[i] !=
1544 snp->smk_host.s6_addr16[i]) {
1545 found = 0;
1546 break;
1547 }
1548 }
1549 if (found == 1)
1550 break;
1551 }
1552 if (found == 0) {
1553 snp = kzalloc(sizeof(*snp), GFP_KERNEL);
1554 if (snp == NULL)
1555 rc = -ENOMEM;
1556 else {
1557 snp->smk_host = newname;
1558 snp->smk_mask = fullmask;
1559 snp->smk_masks = mask;
1560 snp->smk_label = skp;
1561 smk_net6addr_insert(snp);
1562 }
1563 } else {
1564 snp->smk_label = skp;
1565 }
1566
1567 if (rc == 0)
1568 rc = count;
1569
1570 mutex_unlock(&smk_net6addr_lock);
1571
1572free_out:
1573 kfree(smack);
1574free_data_out:
1575 kfree(data);
1576
1577 return rc;
1578}
1579
1580static const struct file_operations smk_net6addr_ops = {
1581 .open = smk_open_net6addr,
1582 .read = seq_read,
1583 .llseek = seq_lseek,
1584 .write = smk_write_net6addr,
1585 .release = seq_release,
1586};
1587#endif /* CONFIG_IPV6 */
1588
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1589/**
1590 * smk_read_doi - read() for /smack/doi
1591 * @filp: file pointer, not actually used
1592 * @buf: where to put the result
1593 * @count: maximum to send along
1594 * @ppos: where to start
1595 *
1596 * Returns number of bytes read or error code, as appropriate
1597 */
1598static ssize_t smk_read_doi(struct file *filp, char __user *buf,
1599 size_t count, loff_t *ppos)
1600{
1601 char temp[80];
1602 ssize_t rc;
1603
1604 if (*ppos != 0)
1605 return 0;
1606
1607 sprintf(temp, "%d", smk_cipso_doi_value);
1608 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1609
1610 return rc;
1611}
1612
1613/**
1614 * smk_write_doi - write() for /smack/doi
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]1615 * @file: file pointer, not actually used
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1616 * @buf: where to get the data from
1617 * @count: bytes sent
1618 * @ppos: where to start
1619 *
1620 * Returns number of bytes written or error code, as appropriate
1621 */
1622static ssize_t smk_write_doi(struct file *file, const char __user *buf,
1623 size_t count, loff_t *ppos)
1624{
1625 char temp[80];
1626 int i;
1627
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]1628 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1629 return -EPERM;
1630
1631 if (count >= sizeof(temp) || count == 0)
1632 return -EINVAL;
1633
1634 if (copy_from_user(temp, buf, count) != 0)
1635 return -EFAULT;
1636
1637 temp[count] = '\0';
1638
1639 if (sscanf(temp, "%d", &i) != 1)
1640 return -EINVAL;
1641
1642 smk_cipso_doi_value = i;
1643
1644 smk_cipso_doi();
1645
1646 return count;
1647}
1648
1649static const struct file_operations smk_doi_ops = {
1650 .read = smk_read_doi,
1651 .write = smk_write_doi,
Arnd Bergmann6038f372010-08-15 18:52:59 +0200[diff] [blame]1652 .llseek = default_llseek,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1653};
1654
1655/**
1656 * smk_read_direct - read() for /smack/direct
1657 * @filp: file pointer, not actually used
1658 * @buf: where to put the result
1659 * @count: maximum to send along
1660 * @ppos: where to start
1661 *
1662 * Returns number of bytes read or error code, as appropriate
1663 */
1664static ssize_t smk_read_direct(struct file *filp, char __user *buf,
1665 size_t count, loff_t *ppos)
1666{
1667 char temp[80];
1668 ssize_t rc;
1669
1670 if (*ppos != 0)
1671 return 0;
1672
1673 sprintf(temp, "%d", smack_cipso_direct);
1674 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1675
1676 return rc;
1677}
1678
1679/**
1680 * smk_write_direct - write() for /smack/direct
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]1681 * @file: file pointer, not actually used
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1682 * @buf: where to get the data from
1683 * @count: bytes sent
1684 * @ppos: where to start
1685 *
1686 * Returns number of bytes written or error code, as appropriate
1687 */
1688static ssize_t smk_write_direct(struct file *file, const char __user *buf,
1689 size_t count, loff_t *ppos)
1690{
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1691 struct smack_known *skp;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1692 char temp[80];
1693 int i;
1694
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]1695 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1696 return -EPERM;
1697
1698 if (count >= sizeof(temp) || count == 0)
1699 return -EINVAL;
1700
1701 if (copy_from_user(temp, buf, count) != 0)
1702 return -EFAULT;
1703
1704 temp[count] = '\0';
1705
1706 if (sscanf(temp, "%d", &i) != 1)
1707 return -EINVAL;
1708
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1709 /*
1710 * Don't do anything if the value hasn't actually changed.
1711 * If it is changing reset the level on entries that were
1712 * set up to be direct when they were created.
1713 */
1714 if (smack_cipso_direct != i) {
1715 mutex_lock(&smack_known_lock);
1716 list_for_each_entry_rcu(skp, &smack_known_list, list)
1717 if (skp->smk_netlabel.attr.mls.lvl ==
1718 smack_cipso_direct)
1719 skp->smk_netlabel.attr.mls.lvl = i;
1720 smack_cipso_direct = i;
1721 mutex_unlock(&smack_known_lock);
1722 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1723
1724 return count;
1725}
1726
1727static const struct file_operations smk_direct_ops = {
1728 .read = smk_read_direct,
1729 .write = smk_write_direct,
Arnd Bergmann6038f372010-08-15 18:52:59 +0200[diff] [blame]1730 .llseek = default_llseek,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1731};
1732
1733/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1734 * smk_read_mapped - read() for /smack/mapped
1735 * @filp: file pointer, not actually used
1736 * @buf: where to put the result
1737 * @count: maximum to send along
1738 * @ppos: where to start
1739 *
1740 * Returns number of bytes read or error code, as appropriate
1741 */
1742static ssize_t smk_read_mapped(struct file *filp, char __user *buf,
1743 size_t count, loff_t *ppos)
1744{
1745 char temp[80];
1746 ssize_t rc;
1747
1748 if (*ppos != 0)
1749 return 0;
1750
1751 sprintf(temp, "%d", smack_cipso_mapped);
1752 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
1753
1754 return rc;
1755}
1756
1757/**
1758 * smk_write_mapped - write() for /smack/mapped
1759 * @file: file pointer, not actually used
1760 * @buf: where to get the data from
1761 * @count: bytes sent
1762 * @ppos: where to start
1763 *
1764 * Returns number of bytes written or error code, as appropriate
1765 */
1766static ssize_t smk_write_mapped(struct file *file, const char __user *buf,
1767 size_t count, loff_t *ppos)
1768{
1769 struct smack_known *skp;
1770 char temp[80];
1771 int i;
1772
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]1773 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1774 return -EPERM;
1775
1776 if (count >= sizeof(temp) || count == 0)
1777 return -EINVAL;
1778
1779 if (copy_from_user(temp, buf, count) != 0)
1780 return -EFAULT;
1781
1782 temp[count] = '\0';
1783
1784 if (sscanf(temp, "%d", &i) != 1)
1785 return -EINVAL;
1786
1787 /*
1788 * Don't do anything if the value hasn't actually changed.
1789 * If it is changing reset the level on entries that were
1790 * set up to be mapped when they were created.
1791 */
1792 if (smack_cipso_mapped != i) {
1793 mutex_lock(&smack_known_lock);
1794 list_for_each_entry_rcu(skp, &smack_known_list, list)
1795 if (skp->smk_netlabel.attr.mls.lvl ==
1796 smack_cipso_mapped)
1797 skp->smk_netlabel.attr.mls.lvl = i;
1798 smack_cipso_mapped = i;
1799 mutex_unlock(&smack_known_lock);
1800 }
1801
1802 return count;
1803}
1804
1805static const struct file_operations smk_mapped_ops = {
1806 .read = smk_read_mapped,
1807 .write = smk_write_mapped,
1808 .llseek = default_llseek,
1809};
1810
1811/**
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1812 * smk_read_ambient - read() for /smack/ambient
1813 * @filp: file pointer, not actually used
1814 * @buf: where to put the result
1815 * @cn: maximum to send along
1816 * @ppos: where to start
1817 *
1818 * Returns number of bytes read or error code, as appropriate
1819 */
1820static ssize_t smk_read_ambient(struct file *filp, char __user *buf,
1821 size_t cn, loff_t *ppos)
1822{
1823 ssize_t rc;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1824 int asize;
1825
1826 if (*ppos != 0)
1827 return 0;
1828 /*
1829 * Being careful to avoid a problem in the case where
1830 * smack_net_ambient gets changed in midstream.
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1831 */
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1832 mutex_lock(&smack_ambient_lock);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1833
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]1834 asize = strlen(smack_net_ambient->smk_known) + 1;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1835
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1836 if (cn >= asize)
1837 rc = simple_read_from_buffer(buf, cn, ppos,
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]1838 smack_net_ambient->smk_known,
1839 asize);
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1840 else
1841 rc = -EINVAL;
1842
1843 mutex_unlock(&smack_ambient_lock);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1844
1845 return rc;
1846}
1847
1848/**
1849 * smk_write_ambient - write() for /smack/ambient
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]1850 * @file: file pointer, not actually used
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1851 * @buf: where to get the data from
1852 * @count: bytes sent
1853 * @ppos: where to start
1854 *
1855 * Returns number of bytes written or error code, as appropriate
1856 */
1857static ssize_t smk_write_ambient(struct file *file, const char __user *buf,
1858 size_t count, loff_t *ppos)
1859{
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]1860 struct smack_known *skp;
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1861 char *oldambient;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1862 char *data;
1863 int rc = count;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1864
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]1865 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1866 return -EPERM;
1867
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1868 data = kzalloc(count + 1, GFP_KERNEL);
1869 if (data == NULL)
1870 return -ENOMEM;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1871
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1872 if (copy_from_user(data, buf, count) != 0) {
1873 rc = -EFAULT;
1874 goto out;
1875 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1876
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]1877 skp = smk_import_entry(data, count);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]1878 if (IS_ERR(skp)) {
1879 rc = PTR_ERR(skp);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1880 goto out;
1881 }
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1882
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1883 mutex_lock(&smack_ambient_lock);
1884
Casey Schaufler2f823ff2013-05-22 18:43:03 -0700[diff] [blame]1885 oldambient = smack_net_ambient->smk_known;
1886 smack_net_ambient = skp;
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]1887 smk_unlbl_ambient(oldambient);
1888
1889 mutex_unlock(&smack_ambient_lock);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1890
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]1891out:
1892 kfree(data);
1893 return rc;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1894}
1895
1896static const struct file_operations smk_ambient_ops = {
1897 .read = smk_read_ambient,
1898 .write = smk_write_ambient,
Arnd Bergmann6038f372010-08-15 18:52:59 +0200[diff] [blame]1899 .llseek = default_llseek,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]1900};
1901
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1902/*
1903 * Seq_file operations for /smack/onlycap
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1904 */
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1905static void *onlycap_seq_start(struct seq_file *s, loff_t *pos)
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1906{
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1907 return smk_seq_start(s, pos, &smack_onlycap_list);
1908}
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1909
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1910static void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos)
1911{
1912 return smk_seq_next(s, v, pos, &smack_onlycap_list);
1913}
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1914
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1915static int onlycap_seq_show(struct seq_file *s, void *v)
1916{
1917 struct list_head *list = v;
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]1918 struct smack_known_list_elem *sklep =
1919 list_entry_rcu(list, struct smack_known_list_elem, list);
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1920
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]1921 seq_puts(s, sklep->smk_label->smk_known);
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1922 seq_putc(s, ' ');
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1923
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1924 return 0;
1925}
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1926
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]1927static const struct seq_operations onlycap_seq_ops = {
1928 .start = onlycap_seq_start,
1929 .next = onlycap_seq_next,
1930 .show = onlycap_seq_show,
1931 .stop = smk_seq_stop,
1932};
1933
1934static int smk_open_onlycap(struct inode *inode, struct file *file)
1935{
1936 return seq_open(file, &onlycap_seq_ops);
1937}
1938
1939/**
1940 * smk_list_swap_rcu - swap public list with a private one in RCU-safe way
1941 * The caller must hold appropriate mutex to prevent concurrent modifications
1942 * to the public list.
1943 * Private list is assumed to be not accessible to other threads yet.
1944 *
1945 * @public: public list
1946 * @private: private list
1947 */
1948static void smk_list_swap_rcu(struct list_head *public,
1949 struct list_head *private)
1950{
1951 struct list_head *first, *last;
1952
1953 if (list_empty(public)) {
1954 list_splice_init_rcu(private, public, synchronize_rcu);
1955 } else {
1956 /* Remember public list before replacing it */
1957 first = public->next;
1958 last = public->prev;
1959
1960 /* Publish private list in place of public in RCU-safe way */
1961 private->prev->next = public;
1962 private->next->prev = public;
1963 rcu_assign_pointer(public->next, private->next);
1964 public->prev = private->prev;
1965
1966 synchronize_rcu();
1967
1968 /* When all readers are done with the old public list,
1969 * attach it in place of private */
1970 private->next = first;
1971 private->prev = last;
1972 first->prev = private;
1973 last->next = private;
1974 }
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]1975}
1976
1977/**
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]1978 * smk_parse_label_list - parse list of Smack labels, separated by spaces
1979 *
1980 * @data: the string to parse
1981 * @private: destination list
1982 *
1983 * Returns zero on success or error code, as appropriate
1984 */
1985static int smk_parse_label_list(char *data, struct list_head *list)
1986{
1987 char *tok;
1988 struct smack_known *skp;
1989 struct smack_known_list_elem *sklep;
1990
1991 while ((tok = strsep(&data, " ")) != NULL) {
1992 if (!*tok)
1993 continue;
1994
1995 skp = smk_import_entry(tok, 0);
1996 if (IS_ERR(skp))
1997 return PTR_ERR(skp);
1998
1999 sklep = kzalloc(sizeof(*sklep), GFP_KERNEL);
2000 if (sklep == NULL)
2001 return -ENOMEM;
2002
2003 sklep->smk_label = skp;
2004 list_add(&sklep->list, list);
2005 }
2006
2007 return 0;
2008}
2009
2010/**
2011 * smk_destroy_label_list - destroy a list of smack_known_list_elem
2012 * @head: header pointer of the list to destroy
2013 */
2014void smk_destroy_label_list(struct list_head *list)
2015{
2016 struct smack_known_list_elem *sklep;
2017 struct smack_known_list_elem *sklep2;
2018
2019 list_for_each_entry_safe(sklep, sklep2, list, list)
2020 kfree(sklep);
2021
2022 INIT_LIST_HEAD(list);
2023}
2024
2025/**
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2026 * smk_write_onlycap - write() for smackfs/onlycap
Randy Dunlap251a2a92009-02-18 11:42:33 -0800[diff] [blame]2027 * @file: file pointer, not actually used
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2028 * @buf: where to get the data from
2029 * @count: bytes sent
2030 * @ppos: where to start
2031 *
2032 * Returns number of bytes written or error code, as appropriate
2033 */
2034static ssize_t smk_write_onlycap(struct file *file, const char __user *buf,
2035 size_t count, loff_t *ppos)
2036{
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2037 char *data;
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2038 LIST_HEAD(list_tmp);
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2039 int rc;
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2040
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]2041 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2042 return -EPERM;
2043
Konstantin Khlebnikovb862e562014-08-07 20:52:43 +0400[diff] [blame]2044 data = kzalloc(count + 1, GFP_KERNEL);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2045 if (data == NULL)
2046 return -ENOMEM;
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2047
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2048 if (copy_from_user(data, buf, count) != 0) {
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2049 kfree(data);
2050 return -EFAULT;
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2051 }
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2052
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2053 rc = smk_parse_label_list(data, &list_tmp);
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2054 kfree(data);
2055
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2056 /*
2057 * Clear the smack_onlycap on invalid label errors. This means
2058 * that we can pass a null string to unset the onlycap value.
2059 *
2060 * Importing will also reject a label beginning with '-',
2061 * so "-usecapabilities" will also work.
2062 *
2063 * But do so only on invalid label, not on system errors.
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2064 * The invalid label must be first to count as clearing attempt.
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2065 */
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2066 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2067 mutex_lock(&smack_onlycap_lock);
2068 smk_list_swap_rcu(&smack_onlycap_list, &list_tmp);
2069 mutex_unlock(&smack_onlycap_lock);
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2070 rc = count;
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2071 }
2072
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2073 smk_destroy_label_list(&list_tmp);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2074
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2075 return rc;
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2076}
2077
2078static const struct file_operations smk_onlycap_ops = {
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2079 .open = smk_open_onlycap,
2080 .read = seq_read,
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2081 .write = smk_write_onlycap,
Rafal Krypac0d77c82015-06-02 11:23:48 +0200[diff] [blame]2082 .llseek = seq_lseek,
2083 .release = seq_release,
Casey Schaufler15446232008-07-30 15:37:11 -0700[diff] [blame]2084};
2085
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2086#ifdef CONFIG_SECURITY_SMACK_BRINGUP
2087/**
2088 * smk_read_unconfined - read() for smackfs/unconfined
2089 * @filp: file pointer, not actually used
2090 * @buf: where to put the result
2091 * @cn: maximum to send along
2092 * @ppos: where to start
2093 *
2094 * Returns number of bytes read or error code, as appropriate
2095 */
2096static ssize_t smk_read_unconfined(struct file *filp, char __user *buf,
2097 size_t cn, loff_t *ppos)
2098{
2099 char *smack = "";
2100 ssize_t rc = -EINVAL;
2101 int asize;
2102
2103 if (*ppos != 0)
2104 return 0;
2105
2106 if (smack_unconfined != NULL)
2107 smack = smack_unconfined->smk_known;
2108
2109 asize = strlen(smack) + 1;
2110
2111 if (cn >= asize)
2112 rc = simple_read_from_buffer(buf, cn, ppos, smack, asize);
2113
2114 return rc;
2115}
2116
2117/**
2118 * smk_write_unconfined - write() for smackfs/unconfined
2119 * @file: file pointer, not actually used
2120 * @buf: where to get the data from
2121 * @count: bytes sent
2122 * @ppos: where to start
2123 *
2124 * Returns number of bytes written or error code, as appropriate
2125 */
2126static ssize_t smk_write_unconfined(struct file *file, const char __user *buf,
2127 size_t count, loff_t *ppos)
2128{
2129 char *data;
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2130 struct smack_known *skp;
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2131 int rc = count;
2132
2133 if (!smack_privileged(CAP_MAC_ADMIN))
2134 return -EPERM;
2135
2136 data = kzalloc(count + 1, GFP_KERNEL);
2137 if (data == NULL)
2138 return -ENOMEM;
2139
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2140 if (copy_from_user(data, buf, count) != 0) {
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2141 rc = -EFAULT;
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2142 goto freeout;
2143 }
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2144
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2145 /*
2146 * Clear the smack_unconfined on invalid label errors. This means
2147 * that we can pass a null string to unset the unconfined value.
2148 *
2149 * Importing will also reject a label beginning with '-',
2150 * so "-confine" will also work.
2151 *
2152 * But do so only on invalid label, not on system errors.
2153 */
2154 skp = smk_import_entry(data, count);
2155 if (PTR_ERR(skp) == -EINVAL)
2156 skp = NULL;
2157 else if (IS_ERR(skp)) {
2158 rc = PTR_ERR(skp);
2159 goto freeout;
2160 }
2161
2162 smack_unconfined = skp;
2163
2164freeout:
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2165 kfree(data);
2166 return rc;
2167}
2168
2169static const struct file_operations smk_unconfined_ops = {
2170 .read = smk_read_unconfined,
2171 .write = smk_write_unconfined,
2172 .llseek = default_llseek,
2173};
2174#endif /* CONFIG_SECURITY_SMACK_BRINGUP */
2175
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2176/**
Etienne Bassetecfcc532009-04-08 20:40:06 +0200[diff] [blame]2177 * smk_read_logging - read() for /smack/logging
2178 * @filp: file pointer, not actually used
2179 * @buf: where to put the result
2180 * @cn: maximum to send along
2181 * @ppos: where to start
2182 *
2183 * Returns number of bytes read or error code, as appropriate
2184 */
2185static ssize_t smk_read_logging(struct file *filp, char __user *buf,
2186 size_t count, loff_t *ppos)
2187{
2188 char temp[32];
2189 ssize_t rc;
2190
2191 if (*ppos != 0)
2192 return 0;
2193
2194 sprintf(temp, "%d\n", log_policy);
2195 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2196 return rc;
2197}
2198
2199/**
2200 * smk_write_logging - write() for /smack/logging
2201 * @file: file pointer, not actually used
2202 * @buf: where to get the data from
2203 * @count: bytes sent
2204 * @ppos: where to start
2205 *
2206 * Returns number of bytes written or error code, as appropriate
2207 */
2208static ssize_t smk_write_logging(struct file *file, const char __user *buf,
2209 size_t count, loff_t *ppos)
2210{
2211 char temp[32];
2212 int i;
2213
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]2214 if (!smack_privileged(CAP_MAC_ADMIN))
Etienne Bassetecfcc532009-04-08 20:40:06 +0200[diff] [blame]2215 return -EPERM;
2216
2217 if (count >= sizeof(temp) || count == 0)
2218 return -EINVAL;
2219
2220 if (copy_from_user(temp, buf, count) != 0)
2221 return -EFAULT;
2222
2223 temp[count] = '\0';
2224
2225 if (sscanf(temp, "%d", &i) != 1)
2226 return -EINVAL;
2227 if (i < 0 || i > 3)
2228 return -EINVAL;
2229 log_policy = i;
2230 return count;
2231}
2232
2233
2234
2235static const struct file_operations smk_logging_ops = {
2236 .read = smk_read_logging,
2237 .write = smk_write_logging,
Arnd Bergmann6038f372010-08-15 18:52:59 +0200[diff] [blame]2238 .llseek = default_llseek,
Etienne Bassetecfcc532009-04-08 20:40:06 +0200[diff] [blame]2239};
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2240
2241/*
2242 * Seq_file read operations for /smack/load-self
2243 */
2244
2245static void *load_self_seq_start(struct seq_file *s, loff_t *pos)
2246{
2247 struct task_smack *tsp = current_security();
2248
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]2249 return smk_seq_start(s, pos, &tsp->smk_rules);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2250}
2251
2252static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2253{
2254 struct task_smack *tsp = current_security();
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2255
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]2256 return smk_seq_next(s, v, pos, &tsp->smk_rules);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2257}
2258
2259static int load_self_seq_show(struct seq_file *s, void *v)
2260{
2261 struct list_head *list = v;
2262 struct smack_rule *srp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]2263 list_entry_rcu(list, struct smack_rule, list);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2264
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2265 smk_rule_show(s, srp, SMK_LABELLEN);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2266
2267 return 0;
2268}
2269
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2270static const struct seq_operations load_self_seq_ops = {
2271 .start = load_self_seq_start,
2272 .next = load_self_seq_next,
2273 .show = load_self_seq_show,
Casey Schaufler40809562011-11-10 15:02:22 -0800[diff] [blame]2274 .stop = smk_seq_stop,
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2275};
2276
2277
2278/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2279 * smk_open_load_self - open() for /smack/load-self2
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2280 * @inode: inode structure representing file
2281 * @file: "load" file pointer
2282 *
2283 * For reading, use load_seq_* seq_file reading operations.
2284 */
2285static int smk_open_load_self(struct inode *inode, struct file *file)
2286{
2287 return seq_open(file, &load_self_seq_ops);
2288}
2289
2290/**
2291 * smk_write_load_self - write() for /smack/load-self
2292 * @file: file pointer, not actually used
2293 * @buf: where to get the data from
2294 * @count: bytes sent
2295 * @ppos: where to start - must be 0
2296 *
2297 */
2298static ssize_t smk_write_load_self(struct file *file, const char __user *buf,
2299 size_t count, loff_t *ppos)
2300{
2301 struct task_smack *tsp = current_security();
2302
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2303 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2304 &tsp->smk_rules_lock, SMK_FIXED24_FMT);
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2305}
2306
2307static const struct file_operations smk_load_self_ops = {
2308 .open = smk_open_load_self,
2309 .read = seq_read,
2310 .llseek = seq_lseek,
2311 .write = smk_write_load_self,
2312 .release = seq_release,
2313};
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]2314
2315/**
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2316 * smk_user_access - handle access check transaction
2317 * @file: file pointer
2318 * @buf: data from user space
2319 * @count: bytes sent
2320 * @ppos: where to start - must be 0
2321 */
2322static ssize_t smk_user_access(struct file *file, const char __user *buf,
2323 size_t count, loff_t *ppos, int format)
2324{
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]2325 struct smack_parsed_rule rule;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2326 char *data;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2327 int res;
2328
2329 data = simple_transaction_get(file, buf, count);
2330 if (IS_ERR(data))
2331 return PTR_ERR(data);
2332
2333 if (format == SMK_FIXED24_FMT) {
2334 if (count < SMK_LOADLEN)
2335 return -EINVAL;
2336 res = smk_parse_rule(data, &rule, 0);
2337 } else {
2338 /*
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]2339 * simple_transaction_get() returns null-terminated data
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2340 */
Rafal Krypa10289b02013-08-09 11:47:07 +0200[diff] [blame]2341 res = smk_parse_long_rule(data, &rule, 0, 3);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2342 }
2343
Jarkko Sakkinen398ce072013-11-28 19:16:46 +0200[diff] [blame]2344 if (res >= 0)
2345 res = smk_access(rule.smk_subject, rule.smk_object,
2346 rule.smk_access1, NULL);
2347 else if (res != -ENOENT)
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2348 return res;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2349
Casey Schauflerd166c802014-08-27 14:51:27 -0700[diff] [blame]2350 /*
2351 * smk_access() can return a value > 0 in the "bringup" case.
2352 */
2353 data[0] = res >= 0 ? '1' : '0';
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2354 data[1] = '\0';
2355
2356 simple_transaction_set(file, 2);
2357
2358 if (format == SMK_FIXED24_FMT)
2359 return SMK_LOADLEN;
2360 return count;
2361}
2362
2363/**
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]2364 * smk_write_access - handle access check transaction
2365 * @file: file pointer
2366 * @buf: data from user space
2367 * @count: bytes sent
2368 * @ppos: where to start - must be 0
2369 */
2370static ssize_t smk_write_access(struct file *file, const char __user *buf,
2371 size_t count, loff_t *ppos)
2372{
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2373 return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT);
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]2374}
2375
2376static const struct file_operations smk_access_ops = {
2377 .write = smk_write_access,
2378 .read = simple_transaction_read,
2379 .release = simple_transaction_release,
2380 .llseek = generic_file_llseek,
2381};
2382
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2383
2384/*
2385 * Seq_file read operations for /smack/load2
2386 */
2387
2388static int load2_seq_show(struct seq_file *s, void *v)
2389{
2390 struct list_head *list = v;
2391 struct smack_master_list *smlp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]2392 list_entry_rcu(list, struct smack_master_list, list);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2393
2394 smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL);
2395
2396 return 0;
2397}
2398
2399static const struct seq_operations load2_seq_ops = {
2400 .start = load2_seq_start,
2401 .next = load2_seq_next,
2402 .show = load2_seq_show,
2403 .stop = smk_seq_stop,
2404};
2405
2406/**
2407 * smk_open_load2 - open() for /smack/load2
2408 * @inode: inode structure representing file
2409 * @file: "load2" file pointer
2410 *
2411 * For reading, use load2_seq_* seq_file reading operations.
2412 */
2413static int smk_open_load2(struct inode *inode, struct file *file)
2414{
2415 return seq_open(file, &load2_seq_ops);
2416}
2417
2418/**
2419 * smk_write_load2 - write() for /smack/load2
2420 * @file: file pointer, not actually used
2421 * @buf: where to get the data from
2422 * @count: bytes sent
2423 * @ppos: where to start - must be 0
2424 *
2425 */
2426static ssize_t smk_write_load2(struct file *file, const char __user *buf,
2427 size_t count, loff_t *ppos)
2428{
2429 /*
2430 * Must have privilege.
2431 */
Casey Schaufler1880eff2012-06-05 15:28:30 -0700[diff] [blame]2432 if (!smack_privileged(CAP_MAC_ADMIN))
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2433 return -EPERM;
2434
2435 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2436 SMK_LONG_FMT);
2437}
2438
2439static const struct file_operations smk_load2_ops = {
2440 .open = smk_open_load2,
2441 .read = seq_read,
2442 .llseek = seq_lseek,
2443 .write = smk_write_load2,
2444 .release = seq_release,
2445};
2446
2447/*
2448 * Seq_file read operations for /smack/load-self2
2449 */
2450
2451static void *load_self2_seq_start(struct seq_file *s, loff_t *pos)
2452{
2453 struct task_smack *tsp = current_security();
2454
2455 return smk_seq_start(s, pos, &tsp->smk_rules);
2456}
2457
2458static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos)
2459{
2460 struct task_smack *tsp = current_security();
2461
2462 return smk_seq_next(s, v, pos, &tsp->smk_rules);
2463}
2464
2465static int load_self2_seq_show(struct seq_file *s, void *v)
2466{
2467 struct list_head *list = v;
2468 struct smack_rule *srp =
Rafal Krypa01fa8472015-05-21 18:24:31 +0200[diff] [blame]2469 list_entry_rcu(list, struct smack_rule, list);
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2470
2471 smk_rule_show(s, srp, SMK_LONGLABEL);
2472
2473 return 0;
2474}
2475
2476static const struct seq_operations load_self2_seq_ops = {
2477 .start = load_self2_seq_start,
2478 .next = load_self2_seq_next,
2479 .show = load_self2_seq_show,
2480 .stop = smk_seq_stop,
2481};
2482
2483/**
2484 * smk_open_load_self2 - open() for /smack/load-self2
2485 * @inode: inode structure representing file
2486 * @file: "load" file pointer
2487 *
2488 * For reading, use load_seq_* seq_file reading operations.
2489 */
2490static int smk_open_load_self2(struct inode *inode, struct file *file)
2491{
2492 return seq_open(file, &load_self2_seq_ops);
2493}
2494
2495/**
2496 * smk_write_load_self2 - write() for /smack/load-self2
2497 * @file: file pointer, not actually used
2498 * @buf: where to get the data from
2499 * @count: bytes sent
2500 * @ppos: where to start - must be 0
2501 *
2502 */
2503static ssize_t smk_write_load_self2(struct file *file, const char __user *buf,
2504 size_t count, loff_t *ppos)
2505{
2506 struct task_smack *tsp = current_security();
2507
2508 return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules,
2509 &tsp->smk_rules_lock, SMK_LONG_FMT);
2510}
2511
2512static const struct file_operations smk_load_self2_ops = {
2513 .open = smk_open_load_self2,
2514 .read = seq_read,
2515 .llseek = seq_lseek,
2516 .write = smk_write_load_self2,
2517 .release = seq_release,
2518};
2519
2520/**
2521 * smk_write_access2 - handle access check transaction
2522 * @file: file pointer
2523 * @buf: data from user space
2524 * @count: bytes sent
2525 * @ppos: where to start - must be 0
2526 */
2527static ssize_t smk_write_access2(struct file *file, const char __user *buf,
2528 size_t count, loff_t *ppos)
2529{
2530 return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT);
2531}
2532
2533static const struct file_operations smk_access2_ops = {
2534 .write = smk_write_access2,
2535 .read = simple_transaction_read,
2536 .release = simple_transaction_release,
2537 .llseek = generic_file_llseek,
2538};
2539
Etienne Bassetecfcc532009-04-08 20:40:06 +0200[diff] [blame]2540/**
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2541 * smk_write_revoke_subj - write() for /smack/revoke-subject
2542 * @file: file pointer
2543 * @buf: data from user space
2544 * @count: bytes sent
2545 * @ppos: where to start - must be 0
2546 */
2547static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf,
2548 size_t count, loff_t *ppos)
2549{
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2550 char *data;
2551 const char *cp;
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2552 struct smack_known *skp;
2553 struct smack_rule *sp;
2554 struct list_head *rule_list;
2555 struct mutex *rule_lock;
2556 int rc = count;
2557
2558 if (*ppos != 0)
2559 return -EINVAL;
2560
2561 if (!smack_privileged(CAP_MAC_ADMIN))
2562 return -EPERM;
2563
2564 if (count == 0 || count > SMK_LONGLABEL)
2565 return -EINVAL;
2566
2567 data = kzalloc(count, GFP_KERNEL);
2568 if (data == NULL)
2569 return -ENOMEM;
2570
2571 if (copy_from_user(data, buf, count) != 0) {
2572 rc = -EFAULT;
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2573 goto out_data;
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2574 }
2575
2576 cp = smk_parse_smack(data, count);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2577 if (IS_ERR(cp)) {
2578 rc = PTR_ERR(cp);
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2579 goto out_data;
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2580 }
2581
2582 skp = smk_find_entry(cp);
Rafal Krypad15d9fa2012-11-27 16:28:11 +0100[diff] [blame]2583 if (skp == NULL)
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2584 goto out_cp;
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2585
2586 rule_list = &skp->smk_rules;
2587 rule_lock = &skp->smk_rules_lock;
2588
2589 mutex_lock(rule_lock);
2590
2591 list_for_each_entry_rcu(sp, rule_list, list)
2592 sp->smk_access = 0;
2593
2594 mutex_unlock(rule_lock);
2595
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2596out_cp:
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2597 kfree(cp);
Dan Carpenter54302092015-06-11 11:51:16 +0300[diff] [blame]2598out_data:
2599 kfree(data);
2600
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2601 return rc;
2602}
2603
2604static const struct file_operations smk_revoke_subj_ops = {
2605 .write = smk_write_revoke_subj,
2606 .read = simple_transaction_read,
2607 .release = simple_transaction_release,
2608 .llseek = generic_file_llseek,
2609};
2610
Casey Schauflere9307232012-11-01 18:14:32 -0700[diff] [blame]2611/**
2612 * smk_init_sysfs - initialize /sys/fs/smackfs
2613 *
2614 */
2615static int smk_init_sysfs(void)
2616{
kbuild test robotca70d272015-06-24 07:41:07 +0800[diff] [blame]2617 return sysfs_create_mount_point(fs_kobj, "smackfs");
Casey Schauflere9307232012-11-01 18:14:32 -0700[diff] [blame]2618}
2619
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2620/**
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]2621 * smk_write_change_rule - write() for /smack/change-rule
2622 * @file: file pointer
2623 * @buf: data from user space
2624 * @count: bytes sent
2625 * @ppos: where to start - must be 0
2626 */
2627static ssize_t smk_write_change_rule(struct file *file, const char __user *buf,
2628 size_t count, loff_t *ppos)
2629{
2630 /*
2631 * Must have privilege.
2632 */
Casey Schaufler4afde482013-12-19 13:23:26 -0800[diff] [blame]2633 if (!smack_privileged(CAP_MAC_ADMIN))
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]2634 return -EPERM;
2635
2636 return smk_write_rules_list(file, buf, count, ppos, NULL, NULL,
2637 SMK_CHANGE_FMT);
2638}
2639
2640static const struct file_operations smk_change_rule_ops = {
2641 .write = smk_write_change_rule,
2642 .read = simple_transaction_read,
2643 .release = simple_transaction_release,
2644 .llseek = generic_file_llseek,
2645};
2646
2647/**
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2648 * smk_read_syslog - read() for smackfs/syslog
2649 * @filp: file pointer, not actually used
2650 * @buf: where to put the result
2651 * @cn: maximum to send along
2652 * @ppos: where to start
2653 *
2654 * Returns number of bytes read or error code, as appropriate
2655 */
2656static ssize_t smk_read_syslog(struct file *filp, char __user *buf,
2657 size_t cn, loff_t *ppos)
2658{
2659 struct smack_known *skp;
2660 ssize_t rc = -EINVAL;
2661 int asize;
2662
2663 if (*ppos != 0)
2664 return 0;
2665
2666 if (smack_syslog_label == NULL)
2667 skp = &smack_known_star;
2668 else
2669 skp = smack_syslog_label;
2670
2671 asize = strlen(skp->smk_known) + 1;
2672
2673 if (cn >= asize)
2674 rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known,
2675 asize);
2676
2677 return rc;
2678}
2679
2680/**
2681 * smk_write_syslog - write() for smackfs/syslog
2682 * @file: file pointer, not actually used
2683 * @buf: where to get the data from
2684 * @count: bytes sent
2685 * @ppos: where to start
2686 *
2687 * Returns number of bytes written or error code, as appropriate
2688 */
2689static ssize_t smk_write_syslog(struct file *file, const char __user *buf,
2690 size_t count, loff_t *ppos)
2691{
2692 char *data;
2693 struct smack_known *skp;
2694 int rc = count;
2695
2696 if (!smack_privileged(CAP_MAC_ADMIN))
2697 return -EPERM;
2698
Konstantin Khlebnikovb862e562014-08-07 20:52:43 +0400[diff] [blame]2699 data = kzalloc(count + 1, GFP_KERNEL);
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2700 if (data == NULL)
2701 return -ENOMEM;
2702
2703 if (copy_from_user(data, buf, count) != 0)
2704 rc = -EFAULT;
2705 else {
2706 skp = smk_import_entry(data, count);
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2707 if (IS_ERR(skp))
2708 rc = PTR_ERR(skp);
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2709 else
Lukasz Pawelczyke774ad62015-04-20 17:12:54 +0200[diff] [blame]2710 smack_syslog_label = skp;
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2711 }
2712
2713 kfree(data);
2714 return rc;
2715}
2716
2717static const struct file_operations smk_syslog_ops = {
2718 .read = smk_read_syslog,
2719 .write = smk_write_syslog,
2720 .llseek = default_llseek,
2721};
2722
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2723/*
2724 * Seq_file read operations for /smack/relabel-self
2725 */
2726
2727static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos)
2728{
2729 struct task_smack *tsp = current_security();
2730
2731 return smk_seq_start(s, pos, &tsp->smk_relabel);
2732}
2733
2734static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos)
2735{
2736 struct task_smack *tsp = current_security();
2737
2738 return smk_seq_next(s, v, pos, &tsp->smk_relabel);
2739}
2740
2741static int relabel_self_seq_show(struct seq_file *s, void *v)
2742{
2743 struct list_head *list = v;
2744 struct smack_known_list_elem *sklep =
2745 list_entry(list, struct smack_known_list_elem, list);
2746
2747 seq_puts(s, sklep->smk_label->smk_known);
2748 seq_putc(s, ' ');
2749
2750 return 0;
2751}
2752
2753static const struct seq_operations relabel_self_seq_ops = {
2754 .start = relabel_self_seq_start,
2755 .next = relabel_self_seq_next,
2756 .show = relabel_self_seq_show,
2757 .stop = smk_seq_stop,
2758};
2759
2760/**
2761 * smk_open_relabel_self - open() for /smack/relabel-self
2762 * @inode: inode structure representing file
2763 * @file: "relabel-self" file pointer
2764 *
2765 * Connect our relabel_self_seq_* operations with /smack/relabel-self
2766 * file_operations
2767 */
2768static int smk_open_relabel_self(struct inode *inode, struct file *file)
2769{
2770 return seq_open(file, &relabel_self_seq_ops);
2771}
2772
2773/**
2774 * smk_write_relabel_self - write() for /smack/relabel-self
2775 * @file: file pointer, not actually used
2776 * @buf: where to get the data from
2777 * @count: bytes sent
2778 * @ppos: where to start - must be 0
2779 *
2780 */
2781static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf,
2782 size_t count, loff_t *ppos)
2783{
2784 struct task_smack *tsp = current_security();
2785 char *data;
2786 int rc;
2787 LIST_HEAD(list_tmp);
2788
2789 /*
2790 * Must have privilege.
2791 */
2792 if (!smack_privileged(CAP_MAC_ADMIN))
2793 return -EPERM;
2794
2795 /*
2796 * Enough data must be present.
2797 */
2798 if (*ppos != 0)
2799 return -EINVAL;
2800
2801 data = kzalloc(count + 1, GFP_KERNEL);
2802 if (data == NULL)
2803 return -ENOMEM;
2804
2805 if (copy_from_user(data, buf, count) != 0) {
2806 kfree(data);
2807 return -EFAULT;
2808 }
2809
2810 rc = smk_parse_label_list(data, &list_tmp);
2811 kfree(data);
2812
2813 if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) {
2814 smk_destroy_label_list(&tsp->smk_relabel);
2815 list_splice(&list_tmp, &tsp->smk_relabel);
2816 return count;
2817 }
2818
2819 smk_destroy_label_list(&list_tmp);
2820 return rc;
2821}
2822
2823static const struct file_operations smk_relabel_self_ops = {
2824 .open = smk_open_relabel_self,
2825 .read = seq_read,
2826 .llseek = seq_lseek,
2827 .write = smk_write_relabel_self,
2828 .release = seq_release,
2829};
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2830
2831/**
Lukasz Pawelczyk66867812014-03-11 17:07:06 +0100[diff] [blame]2832 * smk_read_ptrace - read() for /smack/ptrace
2833 * @filp: file pointer, not actually used
2834 * @buf: where to put the result
2835 * @count: maximum to send along
2836 * @ppos: where to start
2837 *
2838 * Returns number of bytes read or error code, as appropriate
2839 */
2840static ssize_t smk_read_ptrace(struct file *filp, char __user *buf,
2841 size_t count, loff_t *ppos)
2842{
2843 char temp[32];
2844 ssize_t rc;
2845
2846 if (*ppos != 0)
2847 return 0;
2848
2849 sprintf(temp, "%d\n", smack_ptrace_rule);
2850 rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp));
2851 return rc;
2852}
2853
2854/**
2855 * smk_write_ptrace - write() for /smack/ptrace
2856 * @file: file pointer
2857 * @buf: data from user space
2858 * @count: bytes sent
2859 * @ppos: where to start - must be 0
2860 */
2861static ssize_t smk_write_ptrace(struct file *file, const char __user *buf,
2862 size_t count, loff_t *ppos)
2863{
2864 char temp[32];
2865 int i;
2866
2867 if (!smack_privileged(CAP_MAC_ADMIN))
2868 return -EPERM;
2869
2870 if (*ppos != 0 || count >= sizeof(temp) || count == 0)
2871 return -EINVAL;
2872
2873 if (copy_from_user(temp, buf, count) != 0)
2874 return -EFAULT;
2875
2876 temp[count] = '\0';
2877
2878 if (sscanf(temp, "%d", &i) != 1)
2879 return -EINVAL;
2880 if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX)
2881 return -EINVAL;
2882 smack_ptrace_rule = i;
2883
2884 return count;
2885}
2886
2887static const struct file_operations smk_ptrace_ops = {
2888 .write = smk_write_ptrace,
2889 .read = smk_read_ptrace,
2890 .llseek = default_llseek,
2891};
2892
2893/**
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2894 * smk_fill_super - fill the smackfs superblock
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2895 * @sb: the empty superblock
2896 * @data: unused
2897 * @silent: unused
2898 *
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2899 * Fill in the well known entries for the smack filesystem
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2900 *
2901 * Returns 0 on success, an error code on failure
2902 */
2903static int smk_fill_super(struct super_block *sb, void *data, int silent)
2904{
2905 int rc;
2906 struct inode *root_inode;
2907
2908 static struct tree_descr smack_files[] = {
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2909 [SMK_LOAD] = {
2910 "load", &smk_load_ops, S_IRUGO|S_IWUSR},
2911 [SMK_CIPSO] = {
2912 "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR},
2913 [SMK_DOI] = {
2914 "doi", &smk_doi_ops, S_IRUGO|S_IWUSR},
2915 [SMK_DIRECT] = {
2916 "direct", &smk_direct_ops, S_IRUGO|S_IWUSR},
2917 [SMK_AMBIENT] = {
2918 "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR},
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]2919 [SMK_NET4ADDR] = {
2920 "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR},
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2921 [SMK_ONLYCAP] = {
2922 "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR},
2923 [SMK_LOGGING] = {
2924 "logging", &smk_logging_ops, S_IRUGO|S_IWUSR},
2925 [SMK_LOAD_SELF] = {
2926 "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO},
Jarkko Sakkinen828716c2011-09-08 10:12:01 +0300[diff] [blame]2927 [SMK_ACCESSES] = {
Jarkko Sakkinen0e94ae12011-10-18 21:21:36 +0300[diff] [blame]2928 "access", &smk_access_ops, S_IRUGO|S_IWUGO},
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]2929 [SMK_MAPPED] = {
2930 "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR},
2931 [SMK_LOAD2] = {
2932 "load2", &smk_load2_ops, S_IRUGO|S_IWUSR},
2933 [SMK_LOAD_SELF2] = {
2934 "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO},
2935 [SMK_ACCESS2] = {
2936 "access2", &smk_access2_ops, S_IRUGO|S_IWUGO},
2937 [SMK_CIPSO2] = {
2938 "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR},
Rafal Krypa449543b2012-07-11 17:49:30 +0200[diff] [blame]2939 [SMK_REVOKE_SUBJ] = {
2940 "revoke-subject", &smk_revoke_subj_ops,
2941 S_IRUGO|S_IWUSR},
Rafal Krypae05b6f92013-01-10 19:42:00 +0100[diff] [blame]2942 [SMK_CHANGE_RULE] = {
2943 "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR},
Casey Schaufler00f84f32013-12-23 11:07:10 -0800[diff] [blame]2944 [SMK_SYSLOG] = {
2945 "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR},
Lukasz Pawelczyk66867812014-03-11 17:07:06 +0100[diff] [blame]2946 [SMK_PTRACE] = {
2947 "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR},
Casey Schauflerbf4b2fe2015-03-21 18:26:40 -0700[diff] [blame]2948#ifdef CONFIG_SECURITY_SMACK_BRINGUP
2949 [SMK_UNCONFINED] = {
2950 "unconfined", &smk_unconfined_ops, S_IRUGO|S_IWUSR},
2951#endif
Casey Schaufler21abb1e2015-07-22 14:25:31 -0700[diff] [blame]2952#if IS_ENABLED(CONFIG_IPV6)
2953 [SMK_NET6ADDR] = {
2954 "ipv6host", &smk_net6addr_ops, S_IRUGO|S_IWUSR},
2955#endif /* CONFIG_IPV6 */
Zbigniew Jasinski38416e52015-10-19 18:23:53 +0200[diff] [blame]2956 [SMK_RELABEL_SELF] = {
2957 "relabel-self", &smk_relabel_self_ops,
2958 S_IRUGO|S_IWUGO},
Casey Schaufler7898e1f2011-01-17 08:05:27 -0800[diff] [blame]2959 /* last one */
2960 {""}
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2961 };
2962
2963 rc = simple_fill_super(sb, SMACK_MAGIC, smack_files);
2964 if (rc != 0) {
2965 printk(KERN_ERR "%s failed %d while creating inodes\n",
2966 __func__, rc);
2967 return rc;
2968 }
2969
David Howellsce0b16d2015-02-19 10:47:02 +0000[diff] [blame]2970 root_inode = d_inode(sb->s_root);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2971
2972 return 0;
2973}
2974
2975/**
Al Virofc14f2f2010-07-25 01:48:30 +0400[diff] [blame]2976 * smk_mount - get the smackfs superblock
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2977 * @fs_type: passed along without comment
2978 * @flags: passed along without comment
2979 * @dev_name: passed along without comment
2980 * @data: passed along without comment
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2981 *
2982 * Just passes everything along.
2983 *
2984 * Returns what the lower level code does.
2985 */
Al Virofc14f2f2010-07-25 01:48:30 +0400[diff] [blame]2986static struct dentry *smk_mount(struct file_system_type *fs_type,
2987 int flags, const char *dev_name, void *data)
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2988{
Al Virofc14f2f2010-07-25 01:48:30 +0400[diff] [blame]2989 return mount_single(fs_type, flags, data, smk_fill_super);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2990}
2991
2992static struct file_system_type smk_fs_type = {
2993 .name = "smackfs",
Al Virofc14f2f2010-07-25 01:48:30 +0400[diff] [blame]2994 .mount = smk_mount,
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]2995 .kill_sb = kill_litter_super,
2996};
2997
2998static struct vfsmount *smackfs_mount;
2999
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]3000static int __init smk_preset_netlabel(struct smack_known *skp)
3001{
3002 skp->smk_netlabel.domain = skp->smk_known;
3003 skp->smk_netlabel.flags =
3004 NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL;
3005 return smk_netlbl_mls(smack_cipso_direct, skp->smk_known,
3006 &skp->smk_netlabel, strlen(skp->smk_known));
3007}
3008
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3009/**
3010 * init_smk_fs - get the smackfs superblock
3011 *
3012 * register the smackfs
3013 *
Ahmed S. Darwish076c54c2008-03-06 18:09:10 +0200[diff] [blame]3014 * Do not register smackfs if Smack wasn't enabled
3015 * on boot. We can not put this method normally under the
3016 * smack_init() code path since the security subsystem get
3017 * initialized before the vfs caches.
3018 *
3019 * Returns true if we were not chosen on boot or if
3020 * we were chosen and filesystem registration succeeded.
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3021 */
3022static int __init init_smk_fs(void)
3023{
3024 int err;
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]3025 int rc;
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3026
José Bollod21b7b02015-10-02 15:15:56 +0200[diff] [blame]3027 if (smack_enabled == 0)
Ahmed S. Darwish076c54c2008-03-06 18:09:10 +0200[diff] [blame]3028 return 0;
3029
Casey Schauflere9307232012-11-01 18:14:32 -0700[diff] [blame]3030 err = smk_init_sysfs();
3031 if (err)
3032 printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n");
3033
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3034 err = register_filesystem(&smk_fs_type);
3035 if (!err) {
3036 smackfs_mount = kern_mount(&smk_fs_type);
3037 if (IS_ERR(smackfs_mount)) {
3038 printk(KERN_ERR "smackfs: could not mount!\n");
3039 err = PTR_ERR(smackfs_mount);
3040 smackfs_mount = NULL;
3041 }
3042 }
3043
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3044 smk_cipso_doi();
Casey Schaufler4bc87e62008-02-15 15:24:25 -0800[diff] [blame]3045 smk_unlbl_ambient(NULL);
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3046
Casey Schauflerf7112e62012-05-06 15:22:02 -0700[diff] [blame]3047 rc = smk_preset_netlabel(&smack_known_floor);
3048 if (err == 0 && rc < 0)
3049 err = rc;
3050 rc = smk_preset_netlabel(&smack_known_hat);
3051 if (err == 0 && rc < 0)
3052 err = rc;
3053 rc = smk_preset_netlabel(&smack_known_huh);
3054 if (err == 0 && rc < 0)
3055 err = rc;
3056 rc = smk_preset_netlabel(&smack_known_invalid);
3057 if (err == 0 && rc < 0)
3058 err = rc;
3059 rc = smk_preset_netlabel(&smack_known_star);
3060 if (err == 0 && rc < 0)
3061 err = rc;
3062 rc = smk_preset_netlabel(&smack_known_web);
3063 if (err == 0 && rc < 0)
3064 err = rc;
3065
Casey Schauflere114e472008-02-04 22:29:50 -0800[diff] [blame]3066 return err;
3067}
3068
3069__initcall(init_smk_fs);