Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1 | /* |
| 2 | * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> |
| 3 | * |
| 4 | * This program is free software; you can redistribute it and/or modify |
| 5 | * it under the terms of the GNU General Public License as published by |
| 6 | * the Free Software Foundation, version 2. |
| 7 | * |
| 8 | * Authors: |
| 9 | * Casey Schaufler <casey@schaufler-ca.com> |
| 10 | * Ahmed S. Darwish <darwish.07@gmail.com> |
| 11 | * |
| 12 | * Special thanks to the authors of selinuxfs. |
| 13 | * |
| 14 | * Karl MacMillan <kmacmillan@tresys.com> |
| 15 | * James Morris <jmorris@redhat.com> |
| 16 | * |
| 17 | */ |
| 18 | |
| 19 | #include <linux/kernel.h> |
| 20 | #include <linux/vmalloc.h> |
| 21 | #include <linux/security.h> |
| 22 | #include <linux/mutex.h> |
Tejun Heo | 5a0e3ad | 2010-03-24 17:04:11 +0900 | [diff] [blame] | 23 | #include <linux/slab.h> |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 24 | #include <net/net_namespace.h> |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 25 | #include <net/cipso_ipv4.h> |
| 26 | #include <linux/seq_file.h> |
| 27 | #include <linux/ctype.h> |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 28 | #include <linux/audit.h> |
Casey Schaufler | 958d2c2 | 2013-04-02 11:41:18 -0700 | [diff] [blame] | 29 | #include <linux/magic.h> |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 30 | #include "smack.h" |
| 31 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 32 | #define BEBITS (sizeof(__be32) * 8) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 33 | /* |
| 34 | * smackfs pseudo filesystem. |
| 35 | */ |
| 36 | |
| 37 | enum smk_inos { |
| 38 | SMK_ROOT_INO = 2, |
| 39 | SMK_LOAD = 3, /* load policy */ |
| 40 | SMK_CIPSO = 4, /* load label -> CIPSO mapping */ |
| 41 | SMK_DOI = 5, /* CIPSO DOI */ |
| 42 | SMK_DIRECT = 6, /* CIPSO level indicating direct label */ |
| 43 | SMK_AMBIENT = 7, /* internet ambient label */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 44 | SMK_NET4ADDR = 8, /* single label hosts */ |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 45 | SMK_ONLYCAP = 9, /* the only "capable" label */ |
Etienne Basset | ecfcc53 | 2009-04-08 20:40:06 +0200 | [diff] [blame] | 46 | SMK_LOGGING = 10, /* logging */ |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 47 | SMK_LOAD_SELF = 11, /* task specific rules */ |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 48 | SMK_ACCESSES = 12, /* access policy */ |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 49 | SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ |
| 50 | SMK_LOAD2 = 14, /* load policy with long labels */ |
| 51 | SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */ |
| 52 | SMK_ACCESS2 = 16, /* make an access check with long labels */ |
| 53 | SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */ |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 54 | SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */ |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 55 | SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */ |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 56 | SMK_SYSLOG = 20, /* change syslog label) */ |
Lukasz Pawelczyk | 6686781 | 2014-03-11 17:07:06 +0100 | [diff] [blame] | 57 | SMK_PTRACE = 21, /* set ptrace rule */ |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 58 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
| 59 | SMK_UNCONFINED = 22, /* define an unconfined label */ |
| 60 | #endif |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 61 | #if IS_ENABLED(CONFIG_IPV6) |
| 62 | SMK_NET6ADDR = 23, /* single label IPv6 hosts */ |
| 63 | #endif /* CONFIG_IPV6 */ |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 64 | SMK_RELABEL_SELF = 24, /* relabel possible without CAP_MAC_ADMIN */ |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 65 | }; |
| 66 | |
| 67 | /* |
| 68 | * List locks |
| 69 | */ |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 70 | static DEFINE_MUTEX(smack_cipso_lock); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 71 | static DEFINE_MUTEX(smack_ambient_lock); |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 72 | static DEFINE_MUTEX(smk_net4addr_lock); |
| 73 | #if IS_ENABLED(CONFIG_IPV6) |
| 74 | static DEFINE_MUTEX(smk_net6addr_lock); |
| 75 | #endif /* CONFIG_IPV6 */ |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 76 | |
| 77 | /* |
| 78 | * This is the "ambient" label for network traffic. |
| 79 | * If it isn't somehow marked, use this. |
| 80 | * It can be reset via smackfs/ambient |
| 81 | */ |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 82 | struct smack_known *smack_net_ambient; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 83 | |
| 84 | /* |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 85 | * This is the level in a CIPSO header that indicates a |
| 86 | * smack label is contained directly in the category set. |
| 87 | * It can be reset via smackfs/direct |
| 88 | */ |
| 89 | int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT; |
| 90 | |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 91 | /* |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 92 | * This is the level in a CIPSO header that indicates a |
| 93 | * secid is contained directly in the category set. |
| 94 | * It can be reset via smackfs/mapped |
| 95 | */ |
| 96 | int smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT; |
| 97 | |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 98 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
| 99 | /* |
| 100 | * Allow one label to be unconfined. This is for |
| 101 | * debugging and application bring-up purposes only. |
| 102 | * It is bad and wrong, but everyone seems to expect |
| 103 | * to have it. |
| 104 | */ |
| 105 | struct smack_known *smack_unconfined; |
| 106 | #endif |
| 107 | |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 108 | /* |
| 109 | * If this value is set restrict syslog use to the label specified. |
| 110 | * It can be reset via smackfs/syslog |
| 111 | */ |
| 112 | struct smack_known *smack_syslog_label; |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 113 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 114 | /* |
Lukasz Pawelczyk | 6686781 | 2014-03-11 17:07:06 +0100 | [diff] [blame] | 115 | * Ptrace current rule |
| 116 | * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based) |
| 117 | * SMACK_PTRACE_EXACT labels must match, but can be overriden with |
| 118 | * CAP_SYS_PTRACE |
| 119 | * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect |
| 120 | */ |
| 121 | int smack_ptrace_rule = SMACK_PTRACE_DEFAULT; |
| 122 | |
| 123 | /* |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 124 | * Certain IP addresses may be designated as single label hosts. |
| 125 | * Packets are sent there unlabeled, but only from tasks that |
| 126 | * can write to the specified label. |
| 127 | */ |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 128 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 129 | LIST_HEAD(smk_net4addr_list); |
| 130 | #if IS_ENABLED(CONFIG_IPV6) |
| 131 | LIST_HEAD(smk_net6addr_list); |
| 132 | #endif /* CONFIG_IPV6 */ |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 133 | |
| 134 | /* |
| 135 | * Rule lists are maintained for each label. |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 136 | * This master list is just for reading /smack/load and /smack/load2. |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 137 | */ |
| 138 | struct smack_master_list { |
| 139 | struct list_head list; |
| 140 | struct smack_rule *smk_rule; |
| 141 | }; |
| 142 | |
Casey Schaufler | 1eddfe8 | 2015-07-30 14:35:14 -0700 | [diff] [blame] | 143 | static LIST_HEAD(smack_rule_list); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 144 | |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 145 | struct smack_parsed_rule { |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 146 | struct smack_known *smk_subject; |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 147 | struct smack_known *smk_object; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 148 | int smk_access1; |
| 149 | int smk_access2; |
| 150 | }; |
| 151 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 152 | static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 153 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 154 | /* |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 155 | * Values for parsing cipso rules |
| 156 | * SMK_DIGITLEN: Length of a digit field in a rule. |
Ahmed S. Darwish | b500ce8 | 2008-03-13 12:32:34 -0700 | [diff] [blame] | 157 | * SMK_CIPSOMIN: Minimum possible cipso rule length. |
| 158 | * SMK_CIPSOMAX: Maximum possible cipso rule length. |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 159 | */ |
| 160 | #define SMK_DIGITLEN 4 |
Ahmed S. Darwish | b500ce8 | 2008-03-13 12:32:34 -0700 | [diff] [blame] | 161 | #define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN) |
| 162 | #define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN) |
| 163 | |
| 164 | /* |
| 165 | * Values for parsing MAC rules |
| 166 | * SMK_ACCESS: Maximum possible combination of access permissions |
| 167 | * SMK_ACCESSLEN: Maximum length for a rule access field |
| 168 | * SMK_LOADLEN: Smack rule length |
| 169 | */ |
Jarkko Sakkinen | 5c6d112 | 2010-12-07 13:34:01 +0200 | [diff] [blame] | 170 | #define SMK_OACCESS "rwxa" |
Casey Schaufler | c0ab6e5 | 2013-10-11 18:06:39 -0700 | [diff] [blame] | 171 | #define SMK_ACCESS "rwxatl" |
Jarkko Sakkinen | 5c6d112 | 2010-12-07 13:34:01 +0200 | [diff] [blame] | 172 | #define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) |
| 173 | #define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) |
| 174 | #define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) |
| 175 | #define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) |
Ahmed S. Darwish | b500ce8 | 2008-03-13 12:32:34 -0700 | [diff] [blame] | 176 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 177 | /* |
| 178 | * Stricly for CIPSO level manipulation. |
| 179 | * Set the category bit number in a smack label sized buffer. |
| 180 | */ |
| 181 | static inline void smack_catset_bit(unsigned int cat, char *catsetp) |
| 182 | { |
| 183 | if (cat == 0 || cat > (SMK_CIPSOLEN * 8)) |
| 184 | return; |
| 185 | |
| 186 | catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8); |
| 187 | } |
| 188 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 189 | /** |
| 190 | * smk_netlabel_audit_set - fill a netlbl_audit struct |
| 191 | * @nap: structure to fill |
| 192 | */ |
| 193 | static void smk_netlabel_audit_set(struct netlbl_audit *nap) |
| 194 | { |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 195 | struct smack_known *skp = smk_of_current(); |
| 196 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 197 | nap->loginuid = audit_get_loginuid(current); |
| 198 | nap->sessionid = audit_get_sessionid(current); |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 199 | nap->secid = skp->smk_secid; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 200 | } |
| 201 | |
| 202 | /* |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 203 | * Value for parsing single label host rules |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 204 | * "1.2.3.4 X" |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 205 | */ |
| 206 | #define SMK_NETLBLADDRMIN 9 |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 207 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 208 | /** |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 209 | * smk_set_access - add a rule to the rule list or replace an old rule |
| 210 | * @srp: the rule to add or replace |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 211 | * @rule_list: the list of rules |
| 212 | * @rule_lock: the rule list lock |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 213 | * @global: if non-zero, indicates a global rule |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 214 | * |
| 215 | * Looks through the current subject/object/access list for |
| 216 | * the subject/object pair and replaces the access that was |
| 217 | * there. If the pair isn't found add it with the specified |
| 218 | * access. |
Sergio Luis | 81ea714 | 2008-12-22 01:16:15 -0300 | [diff] [blame] | 219 | * |
| 220 | * Returns 0 if nothing goes wrong or -ENOMEM if it fails |
| 221 | * during the allocation of the new pair to add. |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 222 | */ |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 223 | static int smk_set_access(struct smack_parsed_rule *srp, |
| 224 | struct list_head *rule_list, |
| 225 | struct mutex *rule_lock, int global) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 226 | { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 227 | struct smack_rule *sp; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 228 | struct smack_master_list *smlp; |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 229 | int found = 0; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 230 | int rc = 0; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 231 | |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 232 | mutex_lock(rule_lock); |
| 233 | |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 234 | /* |
| 235 | * Because the object label is less likely to match |
| 236 | * than the subject label check it first |
| 237 | */ |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 238 | list_for_each_entry_rcu(sp, rule_list, list) { |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 239 | if (sp->smk_object == srp->smk_object && |
| 240 | sp->smk_subject == srp->smk_subject) { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 241 | found = 1; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 242 | sp->smk_access |= srp->smk_access1; |
| 243 | sp->smk_access &= ~srp->smk_access2; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 244 | break; |
| 245 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 246 | } |
| 247 | |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 248 | if (found == 0) { |
| 249 | sp = kzalloc(sizeof(*sp), GFP_KERNEL); |
| 250 | if (sp == NULL) { |
| 251 | rc = -ENOMEM; |
| 252 | goto out; |
| 253 | } |
| 254 | |
| 255 | sp->smk_subject = srp->smk_subject; |
| 256 | sp->smk_object = srp->smk_object; |
| 257 | sp->smk_access = srp->smk_access1 & ~srp->smk_access2; |
| 258 | |
| 259 | list_add_rcu(&sp->list, rule_list); |
| 260 | /* |
| 261 | * If this is a global as opposed to self and a new rule |
| 262 | * it needs to get added for reporting. |
| 263 | */ |
| 264 | if (global) { |
| 265 | smlp = kzalloc(sizeof(*smlp), GFP_KERNEL); |
| 266 | if (smlp != NULL) { |
| 267 | smlp->smk_rule = sp; |
| 268 | list_add_rcu(&smlp->list, &smack_rule_list); |
| 269 | } else |
| 270 | rc = -ENOMEM; |
| 271 | } |
| 272 | } |
| 273 | |
| 274 | out: |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 275 | mutex_unlock(rule_lock); |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 276 | return rc; |
| 277 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 278 | |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 279 | /** |
| 280 | * smk_perm_from_str - parse smack accesses from a text string |
| 281 | * @string: a text string that contains a Smack accesses code |
| 282 | * |
| 283 | * Returns an integer with respective bits set for specified accesses. |
| 284 | */ |
| 285 | static int smk_perm_from_str(const char *string) |
| 286 | { |
| 287 | int perm = 0; |
| 288 | const char *cp; |
| 289 | |
| 290 | for (cp = string; ; cp++) |
| 291 | switch (*cp) { |
| 292 | case '-': |
| 293 | break; |
| 294 | case 'r': |
| 295 | case 'R': |
| 296 | perm |= MAY_READ; |
| 297 | break; |
| 298 | case 'w': |
| 299 | case 'W': |
| 300 | perm |= MAY_WRITE; |
| 301 | break; |
| 302 | case 'x': |
| 303 | case 'X': |
| 304 | perm |= MAY_EXEC; |
| 305 | break; |
| 306 | case 'a': |
| 307 | case 'A': |
| 308 | perm |= MAY_APPEND; |
| 309 | break; |
| 310 | case 't': |
| 311 | case 'T': |
| 312 | perm |= MAY_TRANSMUTE; |
| 313 | break; |
Casey Schaufler | c0ab6e5 | 2013-10-11 18:06:39 -0700 | [diff] [blame] | 314 | case 'l': |
| 315 | case 'L': |
| 316 | perm |= MAY_LOCK; |
| 317 | break; |
Casey Schaufler | d166c80 | 2014-08-27 14:51:27 -0700 | [diff] [blame] | 318 | case 'b': |
| 319 | case 'B': |
| 320 | perm |= MAY_BRINGUP; |
| 321 | break; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 322 | default: |
| 323 | return perm; |
| 324 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 325 | } |
| 326 | |
| 327 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 328 | * smk_fill_rule - Fill Smack rule from strings |
| 329 | * @subject: subject label string |
| 330 | * @object: object label string |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 331 | * @access1: access string |
| 332 | * @access2: string with permissions to be removed |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 333 | * @rule: Smack rule |
| 334 | * @import: if non-zero, import labels |
Casey Schaufler | 3518721 | 2012-06-18 19:01:36 -0700 | [diff] [blame] | 335 | * @len: label length limit |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 336 | * |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 337 | * Returns 0 on success, appropriate error code on failure. |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 338 | */ |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 339 | static int smk_fill_rule(const char *subject, const char *object, |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 340 | const char *access1, const char *access2, |
| 341 | struct smack_parsed_rule *rule, int import, |
| 342 | int len) |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 343 | { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 344 | const char *cp; |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 345 | struct smack_known *skp; |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 346 | |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 347 | if (import) { |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 348 | rule->smk_subject = smk_import_entry(subject, len); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 349 | if (IS_ERR(rule->smk_subject)) |
| 350 | return PTR_ERR(rule->smk_subject); |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 351 | |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 352 | rule->smk_object = smk_import_entry(object, len); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 353 | if (IS_ERR(rule->smk_object)) |
| 354 | return PTR_ERR(rule->smk_object); |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 355 | } else { |
Casey Schaufler | 3518721 | 2012-06-18 19:01:36 -0700 | [diff] [blame] | 356 | cp = smk_parse_smack(subject, len); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 357 | if (IS_ERR(cp)) |
| 358 | return PTR_ERR(cp); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 359 | skp = smk_find_entry(cp); |
| 360 | kfree(cp); |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 361 | if (skp == NULL) |
Jarkko Sakkinen | 398ce07 | 2013-11-28 19:16:46 +0200 | [diff] [blame] | 362 | return -ENOENT; |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 363 | rule->smk_subject = skp; |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 364 | |
Casey Schaufler | 3518721 | 2012-06-18 19:01:36 -0700 | [diff] [blame] | 365 | cp = smk_parse_smack(object, len); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 366 | if (IS_ERR(cp)) |
| 367 | return PTR_ERR(cp); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 368 | skp = smk_find_entry(cp); |
| 369 | kfree(cp); |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 370 | if (skp == NULL) |
Jarkko Sakkinen | 398ce07 | 2013-11-28 19:16:46 +0200 | [diff] [blame] | 371 | return -ENOENT; |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 372 | rule->smk_object = skp; |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 373 | } |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 374 | |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 375 | rule->smk_access1 = smk_perm_from_str(access1); |
| 376 | if (access2) |
| 377 | rule->smk_access2 = smk_perm_from_str(access2); |
| 378 | else |
| 379 | rule->smk_access2 = ~rule->smk_access1; |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 380 | |
Casey Schaufler | 3518721 | 2012-06-18 19:01:36 -0700 | [diff] [blame] | 381 | return 0; |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 382 | } |
| 383 | |
| 384 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 385 | * smk_parse_rule - parse Smack rule from load string |
| 386 | * @data: string to be parsed whose size is SMK_LOADLEN |
| 387 | * @rule: Smack rule |
| 388 | * @import: if non-zero, import labels |
| 389 | * |
| 390 | * Returns 0 on success, -1 on errors. |
| 391 | */ |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 392 | static int smk_parse_rule(const char *data, struct smack_parsed_rule *rule, |
| 393 | int import) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 394 | { |
| 395 | int rc; |
| 396 | |
| 397 | rc = smk_fill_rule(data, data + SMK_LABELLEN, |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 398 | data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule, |
| 399 | import, SMK_LABELLEN); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 400 | return rc; |
| 401 | } |
| 402 | |
| 403 | /** |
| 404 | * smk_parse_long_rule - parse Smack rule from rule string |
| 405 | * @data: string to be parsed, null terminated |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 406 | * @rule: Will be filled with Smack parsed rule |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 407 | * @import: if non-zero, import labels |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 408 | * @tokens: numer of substrings expected in data |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 409 | * |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 410 | * Returns number of processed bytes on success, -ERRNO on failure. |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 411 | */ |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 412 | static ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule, |
| 413 | int import, int tokens) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 414 | { |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 415 | ssize_t cnt = 0; |
| 416 | char *tok[4]; |
Jarkko Sakkinen | 398ce07 | 2013-11-28 19:16:46 +0200 | [diff] [blame] | 417 | int rc; |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 418 | int i; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 419 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 420 | /* |
| 421 | * Parsing the rule in-place, filling all white-spaces with '\0' |
| 422 | */ |
| 423 | for (i = 0; i < tokens; ++i) { |
| 424 | while (isspace(data[cnt])) |
| 425 | data[cnt++] = '\0'; |
Alan Cox | 3b9fc37 | 2012-07-26 14:47:11 -0700 | [diff] [blame] | 426 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 427 | if (data[cnt] == '\0') |
| 428 | /* Unexpected end of data */ |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 429 | return -EINVAL; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 430 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 431 | tok[i] = data + cnt; |
| 432 | |
| 433 | while (data[cnt] && !isspace(data[cnt])) |
| 434 | ++cnt; |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 435 | } |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 436 | while (isspace(data[cnt])) |
| 437 | data[cnt++] = '\0'; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 438 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 439 | while (i < 4) |
| 440 | tok[i++] = NULL; |
| 441 | |
Jarkko Sakkinen | 398ce07 | 2013-11-28 19:16:46 +0200 | [diff] [blame] | 442 | rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0); |
| 443 | return rc == 0 ? cnt : rc; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 444 | } |
| 445 | |
| 446 | #define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */ |
| 447 | #define SMK_LONG_FMT 1 /* Variable long label format */ |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 448 | #define SMK_CHANGE_FMT 2 /* Rule modification format */ |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 449 | /** |
| 450 | * smk_write_rules_list - write() for any /smack rule file |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 451 | * @file: file pointer, not actually used |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 452 | * @buf: where to get the data from |
| 453 | * @count: bytes sent |
| 454 | * @ppos: where to start - must be 0 |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 455 | * @rule_list: the list of rules to write to |
| 456 | * @rule_lock: lock for the rule list |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 457 | * @format: /smack/load or /smack/load2 or /smack/change-rule format. |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 458 | * |
| 459 | * Get one smack access rule from above. |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 460 | * The format for SMK_LONG_FMT is: |
| 461 | * "subject<whitespace>object<whitespace>access[<whitespace>...]" |
| 462 | * The format for SMK_FIXED24_FMT is exactly: |
| 463 | * "subject object rwxat" |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 464 | * The format for SMK_CHANGE_FMT is: |
| 465 | * "subject<whitespace>object<whitespace> |
| 466 | * acc_enable<whitespace>acc_disable[<whitespace>...]" |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 467 | */ |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 468 | static ssize_t smk_write_rules_list(struct file *file, const char __user *buf, |
| 469 | size_t count, loff_t *ppos, |
| 470 | struct list_head *rule_list, |
| 471 | struct mutex *rule_lock, int format) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 472 | { |
Tomasz Stanislawski | 470043b | 2013-06-06 09:30:50 +0200 | [diff] [blame] | 473 | struct smack_parsed_rule rule; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 474 | char *data; |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 475 | int rc; |
| 476 | int trunc = 0; |
| 477 | int tokens; |
| 478 | ssize_t cnt = 0; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 479 | |
| 480 | /* |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 481 | * No partial writes. |
| 482 | * Enough data must be present. |
| 483 | */ |
Jarkko Sakkinen | 5c6d112 | 2010-12-07 13:34:01 +0200 | [diff] [blame] | 484 | if (*ppos != 0) |
| 485 | return -EINVAL; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 486 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 487 | if (format == SMK_FIXED24_FMT) { |
| 488 | /* |
| 489 | * Minor hack for backward compatibility |
| 490 | */ |
Casey Schaufler | c0ab6e5 | 2013-10-11 18:06:39 -0700 | [diff] [blame] | 491 | if (count < SMK_OLOADLEN || count > SMK_LOADLEN) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 492 | return -EINVAL; |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 493 | } else { |
| 494 | if (count >= PAGE_SIZE) { |
| 495 | count = PAGE_SIZE - 1; |
| 496 | trunc = 1; |
| 497 | } |
| 498 | } |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 499 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 500 | data = kmalloc(count + 1, GFP_KERNEL); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 501 | if (data == NULL) |
| 502 | return -ENOMEM; |
| 503 | |
| 504 | if (copy_from_user(data, buf, count) != 0) { |
| 505 | rc = -EFAULT; |
| 506 | goto out; |
| 507 | } |
| 508 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 509 | /* |
| 510 | * In case of parsing only part of user buf, |
| 511 | * avoid having partial rule at the data buffer |
| 512 | */ |
| 513 | if (trunc) { |
| 514 | while (count > 0 && (data[count - 1] != '\n')) |
| 515 | --count; |
| 516 | if (count == 0) { |
| 517 | rc = -EINVAL; |
Tomasz Stanislawski | 470043b | 2013-06-06 09:30:50 +0200 | [diff] [blame] | 518 | goto out; |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 519 | } |
| 520 | } |
| 521 | |
| 522 | data[count] = '\0'; |
| 523 | tokens = (format == SMK_CHANGE_FMT ? 4 : 3); |
| 524 | while (cnt < count) { |
| 525 | if (format == SMK_FIXED24_FMT) { |
| 526 | rc = smk_parse_rule(data, &rule, 1); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 527 | if (rc < 0) |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 528 | goto out; |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 529 | cnt = count; |
| 530 | } else { |
| 531 | rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 532 | if (rc < 0) |
| 533 | goto out; |
| 534 | if (rc == 0) { |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 535 | rc = -EINVAL; |
| 536 | goto out; |
| 537 | } |
| 538 | cnt += rc; |
| 539 | } |
| 540 | |
| 541 | if (rule_list == NULL) |
| 542 | rc = smk_set_access(&rule, &rule.smk_subject->smk_rules, |
| 543 | &rule.smk_subject->smk_rules_lock, 1); |
| 544 | else |
| 545 | rc = smk_set_access(&rule, rule_list, rule_lock, 0); |
| 546 | |
| 547 | if (rc) |
Tomasz Stanislawski | 470043b | 2013-06-06 09:30:50 +0200 | [diff] [blame] | 548 | goto out; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 549 | } |
| 550 | |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 551 | rc = cnt; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 552 | out: |
| 553 | kfree(data); |
| 554 | return rc; |
| 555 | } |
| 556 | |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 557 | /* |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 558 | * Core logic for smackfs seq list operations. |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 559 | */ |
| 560 | |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 561 | static void *smk_seq_start(struct seq_file *s, loff_t *pos, |
| 562 | struct list_head *head) |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 563 | { |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 564 | struct list_head *list; |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 565 | int i = *pos; |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 566 | |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 567 | rcu_read_lock(); |
| 568 | for (list = rcu_dereference(list_next_rcu(head)); |
| 569 | list != head; |
| 570 | list = rcu_dereference(list_next_rcu(list))) { |
| 571 | if (i-- == 0) |
| 572 | return list; |
| 573 | } |
Casey Schaufler | 272cd7a | 2011-09-20 12:24:36 -0700 | [diff] [blame] | 574 | |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 575 | return NULL; |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 576 | } |
| 577 | |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 578 | static void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos, |
| 579 | struct list_head *head) |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 580 | { |
| 581 | struct list_head *list = v; |
| 582 | |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 583 | ++*pos; |
| 584 | list = rcu_dereference(list_next_rcu(list)); |
| 585 | |
| 586 | return (list == head) ? NULL : list; |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 587 | } |
| 588 | |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 589 | static void smk_seq_stop(struct seq_file *s, void *v) |
| 590 | { |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 591 | rcu_read_unlock(); |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 592 | } |
| 593 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 594 | static void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max) |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 595 | { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 596 | /* |
| 597 | * Don't show any rules with label names too long for |
| 598 | * interface file (/smack/load or /smack/load2) |
| 599 | * because you should expect to be able to write |
| 600 | * anything you read back. |
| 601 | */ |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 602 | if (strlen(srp->smk_subject->smk_known) >= max || |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 603 | strlen(srp->smk_object->smk_known) >= max) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 604 | return; |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 605 | |
Rafal Krypa | 65ee7f4 | 2012-07-09 19:36:34 +0200 | [diff] [blame] | 606 | if (srp->smk_access == 0) |
| 607 | return; |
| 608 | |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 609 | seq_printf(s, "%s %s", |
| 610 | srp->smk_subject->smk_known, |
| 611 | srp->smk_object->smk_known); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 612 | |
| 613 | seq_putc(s, ' '); |
| 614 | |
| 615 | if (srp->smk_access & MAY_READ) |
| 616 | seq_putc(s, 'r'); |
| 617 | if (srp->smk_access & MAY_WRITE) |
| 618 | seq_putc(s, 'w'); |
| 619 | if (srp->smk_access & MAY_EXEC) |
| 620 | seq_putc(s, 'x'); |
| 621 | if (srp->smk_access & MAY_APPEND) |
| 622 | seq_putc(s, 'a'); |
| 623 | if (srp->smk_access & MAY_TRANSMUTE) |
| 624 | seq_putc(s, 't'); |
Casey Schaufler | c0ab6e5 | 2013-10-11 18:06:39 -0700 | [diff] [blame] | 625 | if (srp->smk_access & MAY_LOCK) |
| 626 | seq_putc(s, 'l'); |
Casey Schaufler | d166c80 | 2014-08-27 14:51:27 -0700 | [diff] [blame] | 627 | if (srp->smk_access & MAY_BRINGUP) |
| 628 | seq_putc(s, 'b'); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 629 | |
| 630 | seq_putc(s, '\n'); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 631 | } |
| 632 | |
| 633 | /* |
| 634 | * Seq_file read operations for /smack/load |
| 635 | */ |
| 636 | |
| 637 | static void *load2_seq_start(struct seq_file *s, loff_t *pos) |
| 638 | { |
| 639 | return smk_seq_start(s, pos, &smack_rule_list); |
| 640 | } |
| 641 | |
| 642 | static void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 643 | { |
| 644 | return smk_seq_next(s, v, pos, &smack_rule_list); |
| 645 | } |
| 646 | |
| 647 | static int load_seq_show(struct seq_file *s, void *v) |
| 648 | { |
| 649 | struct list_head *list = v; |
| 650 | struct smack_master_list *smlp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 651 | list_entry_rcu(list, struct smack_master_list, list); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 652 | |
| 653 | smk_rule_show(s, smlp->smk_rule, SMK_LABELLEN); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 654 | |
| 655 | return 0; |
| 656 | } |
| 657 | |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 658 | static const struct seq_operations load_seq_ops = { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 659 | .start = load2_seq_start, |
| 660 | .next = load2_seq_next, |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 661 | .show = load_seq_show, |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 662 | .stop = smk_seq_stop, |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 663 | }; |
| 664 | |
| 665 | /** |
| 666 | * smk_open_load - open() for /smack/load |
| 667 | * @inode: inode structure representing file |
| 668 | * @file: "load" file pointer |
| 669 | * |
| 670 | * For reading, use load_seq_* seq_file reading operations. |
| 671 | */ |
| 672 | static int smk_open_load(struct inode *inode, struct file *file) |
| 673 | { |
| 674 | return seq_open(file, &load_seq_ops); |
| 675 | } |
| 676 | |
| 677 | /** |
| 678 | * smk_write_load - write() for /smack/load |
| 679 | * @file: file pointer, not actually used |
| 680 | * @buf: where to get the data from |
| 681 | * @count: bytes sent |
| 682 | * @ppos: where to start - must be 0 |
| 683 | * |
| 684 | */ |
| 685 | static ssize_t smk_write_load(struct file *file, const char __user *buf, |
| 686 | size_t count, loff_t *ppos) |
| 687 | { |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 688 | /* |
| 689 | * Must have privilege. |
| 690 | * No partial writes. |
| 691 | * Enough data must be present. |
| 692 | */ |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 693 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 694 | return -EPERM; |
| 695 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 696 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, |
| 697 | SMK_FIXED24_FMT); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 698 | } |
| 699 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 700 | static const struct file_operations smk_load_ops = { |
| 701 | .open = smk_open_load, |
| 702 | .read = seq_read, |
| 703 | .llseek = seq_lseek, |
| 704 | .write = smk_write_load, |
Ahmed S. Darwish | cb622bb | 2008-03-24 12:29:49 -0700 | [diff] [blame] | 705 | .release = seq_release, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 706 | }; |
| 707 | |
| 708 | /** |
| 709 | * smk_cipso_doi - initialize the CIPSO domain |
| 710 | */ |
Casey Schaufler | 30aa4fa | 2008-04-28 02:13:43 -0700 | [diff] [blame] | 711 | static void smk_cipso_doi(void) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 712 | { |
| 713 | int rc; |
| 714 | struct cipso_v4_doi *doip; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 715 | struct netlbl_audit nai; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 716 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 717 | smk_netlabel_audit_set(&nai); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 718 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 719 | rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 720 | if (rc != 0) |
| 721 | printk(KERN_WARNING "%s:%d remove rc = %d\n", |
| 722 | __func__, __LINE__, rc); |
| 723 | |
| 724 | doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); |
| 725 | if (doip == NULL) |
| 726 | panic("smack: Failed to initialize cipso DOI.\n"); |
| 727 | doip->map.std = NULL; |
| 728 | doip->doi = smk_cipso_doi_value; |
| 729 | doip->type = CIPSO_V4_MAP_PASS; |
| 730 | doip->tags[0] = CIPSO_V4_TAG_RBITMAP; |
| 731 | for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++) |
| 732 | doip->tags[rc] = CIPSO_V4_TAG_INVALID; |
| 733 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 734 | rc = netlbl_cfg_cipsov4_add(doip, &nai); |
Paul Moore | b1edeb1 | 2008-10-10 10:16:31 -0400 | [diff] [blame] | 735 | if (rc != 0) { |
Paul Moore | 6c2e8ac | 2008-12-31 12:54:11 -0500 | [diff] [blame] | 736 | printk(KERN_WARNING "%s:%d cipso add rc = %d\n", |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 737 | __func__, __LINE__, rc); |
Paul Moore | b1edeb1 | 2008-10-10 10:16:31 -0400 | [diff] [blame] | 738 | kfree(doip); |
Paul Moore | 6c2e8ac | 2008-12-31 12:54:11 -0500 | [diff] [blame] | 739 | return; |
| 740 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 741 | rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai); |
Paul Moore | 6c2e8ac | 2008-12-31 12:54:11 -0500 | [diff] [blame] | 742 | if (rc != 0) { |
| 743 | printk(KERN_WARNING "%s:%d map add rc = %d\n", |
| 744 | __func__, __LINE__, rc); |
| 745 | kfree(doip); |
| 746 | return; |
Paul Moore | b1edeb1 | 2008-10-10 10:16:31 -0400 | [diff] [blame] | 747 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 748 | } |
| 749 | |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 750 | /** |
| 751 | * smk_unlbl_ambient - initialize the unlabeled domain |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 752 | * @oldambient: previous domain string |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 753 | */ |
Casey Schaufler | 30aa4fa | 2008-04-28 02:13:43 -0700 | [diff] [blame] | 754 | static void smk_unlbl_ambient(char *oldambient) |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 755 | { |
| 756 | int rc; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 757 | struct netlbl_audit nai; |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 758 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 759 | smk_netlabel_audit_set(&nai); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 760 | |
| 761 | if (oldambient != NULL) { |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 762 | rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 763 | if (rc != 0) |
| 764 | printk(KERN_WARNING "%s:%d remove rc = %d\n", |
| 765 | __func__, __LINE__, rc); |
| 766 | } |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 767 | if (smack_net_ambient == NULL) |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 768 | smack_net_ambient = &smack_known_floor; |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 769 | |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 770 | rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET, |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 771 | NULL, NULL, &nai); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 772 | if (rc != 0) |
| 773 | printk(KERN_WARNING "%s:%d add rc = %d\n", |
| 774 | __func__, __LINE__, rc); |
| 775 | } |
| 776 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 777 | /* |
| 778 | * Seq_file read operations for /smack/cipso |
| 779 | */ |
| 780 | |
| 781 | static void *cipso_seq_start(struct seq_file *s, loff_t *pos) |
| 782 | { |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 783 | return smk_seq_start(s, pos, &smack_known_list); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 784 | } |
| 785 | |
| 786 | static void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 787 | { |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 788 | return smk_seq_next(s, v, pos, &smack_known_list); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 789 | } |
| 790 | |
| 791 | /* |
| 792 | * Print cipso labels in format: |
| 793 | * label level[/cat[,cat]] |
| 794 | */ |
| 795 | static int cipso_seq_show(struct seq_file *s, void *v) |
| 796 | { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 797 | struct list_head *list = v; |
| 798 | struct smack_known *skp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 799 | list_entry_rcu(list, struct smack_known, list); |
Paul Moore | 4fbe63d | 2014-08-01 11:17:37 -0400 | [diff] [blame] | 800 | struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 801 | char sep = '/'; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 802 | int i; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 803 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 804 | /* |
| 805 | * Don't show a label that could not have been set using |
| 806 | * /smack/cipso. This is in support of the notion that |
| 807 | * anything read from /smack/cipso ought to be writeable |
| 808 | * to /smack/cipso. |
| 809 | * |
| 810 | * /smack/cipso2 should be used instead. |
| 811 | */ |
| 812 | if (strlen(skp->smk_known) >= SMK_LABELLEN) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 813 | return 0; |
| 814 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 815 | seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 816 | |
Paul Moore | 4fbe63d | 2014-08-01 11:17:37 -0400 | [diff] [blame] | 817 | for (i = netlbl_catmap_walk(cmp, 0); i >= 0; |
| 818 | i = netlbl_catmap_walk(cmp, i + 1)) { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 819 | seq_printf(s, "%c%d", sep, i); |
| 820 | sep = ','; |
| 821 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 822 | |
| 823 | seq_putc(s, '\n'); |
| 824 | |
| 825 | return 0; |
| 826 | } |
| 827 | |
James Morris | 88e9d34 | 2009-09-22 16:43:43 -0700 | [diff] [blame] | 828 | static const struct seq_operations cipso_seq_ops = { |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 829 | .start = cipso_seq_start, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 830 | .next = cipso_seq_next, |
| 831 | .show = cipso_seq_show, |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 832 | .stop = smk_seq_stop, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 833 | }; |
| 834 | |
| 835 | /** |
| 836 | * smk_open_cipso - open() for /smack/cipso |
| 837 | * @inode: inode structure representing file |
| 838 | * @file: "cipso" file pointer |
| 839 | * |
| 840 | * Connect our cipso_seq_* operations with /smack/cipso |
| 841 | * file_operations |
| 842 | */ |
| 843 | static int smk_open_cipso(struct inode *inode, struct file *file) |
| 844 | { |
| 845 | return seq_open(file, &cipso_seq_ops); |
| 846 | } |
| 847 | |
| 848 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 849 | * smk_set_cipso - do the work for write() for cipso and cipso2 |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 850 | * @file: file pointer, not actually used |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 851 | * @buf: where to get the data from |
| 852 | * @count: bytes sent |
| 853 | * @ppos: where to start |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 854 | * @format: /smack/cipso or /smack/cipso2 |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 855 | * |
| 856 | * Accepts only one cipso rule per write call. |
| 857 | * Returns number of bytes written or error code, as appropriate |
| 858 | */ |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 859 | static ssize_t smk_set_cipso(struct file *file, const char __user *buf, |
| 860 | size_t count, loff_t *ppos, int format) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 861 | { |
| 862 | struct smack_known *skp; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 863 | struct netlbl_lsm_secattr ncats; |
| 864 | char mapcatset[SMK_CIPSOLEN]; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 865 | int maplevel; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 866 | unsigned int cat; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 867 | int catlen; |
| 868 | ssize_t rc = -EINVAL; |
| 869 | char *data = NULL; |
| 870 | char *rule; |
| 871 | int ret; |
| 872 | int i; |
| 873 | |
| 874 | /* |
| 875 | * Must have privilege. |
| 876 | * No partial writes. |
| 877 | * Enough data must be present. |
| 878 | */ |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 879 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 880 | return -EPERM; |
| 881 | if (*ppos != 0) |
| 882 | return -EINVAL; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 883 | if (format == SMK_FIXED24_FMT && |
| 884 | (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 885 | return -EINVAL; |
| 886 | |
| 887 | data = kzalloc(count + 1, GFP_KERNEL); |
| 888 | if (data == NULL) |
| 889 | return -ENOMEM; |
| 890 | |
| 891 | if (copy_from_user(data, buf, count) != 0) { |
| 892 | rc = -EFAULT; |
| 893 | goto unlockedout; |
| 894 | } |
| 895 | |
| 896 | data[count] = '\0'; |
| 897 | rule = data; |
| 898 | /* |
| 899 | * Only allow one writer at a time. Writes should be |
| 900 | * quite rare and small in any case. |
| 901 | */ |
| 902 | mutex_lock(&smack_cipso_lock); |
| 903 | |
| 904 | skp = smk_import_entry(rule, 0); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 905 | if (IS_ERR(skp)) { |
| 906 | rc = PTR_ERR(skp); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 907 | goto out; |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 908 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 909 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 910 | if (format == SMK_FIXED24_FMT) |
| 911 | rule += SMK_LABELLEN; |
| 912 | else |
Passion,Zhao | 0fcfee6 | 2013-06-03 11:42:24 +0800 | [diff] [blame] | 913 | rule += strlen(skp->smk_known) + 1; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 914 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 915 | ret = sscanf(rule, "%d", &maplevel); |
| 916 | if (ret != 1 || maplevel > SMACK_CIPSO_MAXLEVEL) |
| 917 | goto out; |
| 918 | |
| 919 | rule += SMK_DIGITLEN; |
| 920 | ret = sscanf(rule, "%d", &catlen); |
| 921 | if (ret != 1 || catlen > SMACK_CIPSO_MAXCATNUM) |
| 922 | goto out; |
| 923 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 924 | if (format == SMK_FIXED24_FMT && |
| 925 | count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 926 | goto out; |
| 927 | |
| 928 | memset(mapcatset, 0, sizeof(mapcatset)); |
| 929 | |
| 930 | for (i = 0; i < catlen; i++) { |
| 931 | rule += SMK_DIGITLEN; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 932 | ret = sscanf(rule, "%u", &cat); |
Casey Schaufler | 677264e | 2013-06-28 13:47:07 -0700 | [diff] [blame] | 933 | if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 934 | goto out; |
| 935 | |
| 936 | smack_catset_bit(cat, mapcatset); |
| 937 | } |
| 938 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 939 | rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); |
| 940 | if (rc >= 0) { |
Paul Moore | 4fbe63d | 2014-08-01 11:17:37 -0400 | [diff] [blame] | 941 | netlbl_catmap_free(skp->smk_netlabel.attr.mls.cat); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 942 | skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; |
| 943 | skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; |
| 944 | rc = count; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 945 | } |
| 946 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 947 | out: |
| 948 | mutex_unlock(&smack_cipso_lock); |
| 949 | unlockedout: |
| 950 | kfree(data); |
| 951 | return rc; |
| 952 | } |
| 953 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 954 | /** |
| 955 | * smk_write_cipso - write() for /smack/cipso |
| 956 | * @file: file pointer, not actually used |
| 957 | * @buf: where to get the data from |
| 958 | * @count: bytes sent |
| 959 | * @ppos: where to start |
| 960 | * |
| 961 | * Accepts only one cipso rule per write call. |
| 962 | * Returns number of bytes written or error code, as appropriate |
| 963 | */ |
| 964 | static ssize_t smk_write_cipso(struct file *file, const char __user *buf, |
| 965 | size_t count, loff_t *ppos) |
| 966 | { |
| 967 | return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT); |
| 968 | } |
| 969 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 970 | static const struct file_operations smk_cipso_ops = { |
| 971 | .open = smk_open_cipso, |
| 972 | .read = seq_read, |
| 973 | .llseek = seq_lseek, |
| 974 | .write = smk_write_cipso, |
| 975 | .release = seq_release, |
| 976 | }; |
| 977 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 978 | /* |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 979 | * Seq_file read operations for /smack/cipso2 |
| 980 | */ |
| 981 | |
| 982 | /* |
| 983 | * Print cipso labels in format: |
| 984 | * label level[/cat[,cat]] |
| 985 | */ |
| 986 | static int cipso2_seq_show(struct seq_file *s, void *v) |
| 987 | { |
| 988 | struct list_head *list = v; |
| 989 | struct smack_known *skp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 990 | list_entry_rcu(list, struct smack_known, list); |
Paul Moore | 4fbe63d | 2014-08-01 11:17:37 -0400 | [diff] [blame] | 991 | struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 992 | char sep = '/'; |
| 993 | int i; |
| 994 | |
| 995 | seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); |
| 996 | |
Paul Moore | 4fbe63d | 2014-08-01 11:17:37 -0400 | [diff] [blame] | 997 | for (i = netlbl_catmap_walk(cmp, 0); i >= 0; |
| 998 | i = netlbl_catmap_walk(cmp, i + 1)) { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 999 | seq_printf(s, "%c%d", sep, i); |
| 1000 | sep = ','; |
| 1001 | } |
| 1002 | |
| 1003 | seq_putc(s, '\n'); |
| 1004 | |
| 1005 | return 0; |
| 1006 | } |
| 1007 | |
| 1008 | static const struct seq_operations cipso2_seq_ops = { |
| 1009 | .start = cipso_seq_start, |
| 1010 | .next = cipso_seq_next, |
| 1011 | .show = cipso2_seq_show, |
| 1012 | .stop = smk_seq_stop, |
| 1013 | }; |
| 1014 | |
| 1015 | /** |
| 1016 | * smk_open_cipso2 - open() for /smack/cipso2 |
| 1017 | * @inode: inode structure representing file |
| 1018 | * @file: "cipso2" file pointer |
| 1019 | * |
| 1020 | * Connect our cipso_seq_* operations with /smack/cipso2 |
| 1021 | * file_operations |
| 1022 | */ |
| 1023 | static int smk_open_cipso2(struct inode *inode, struct file *file) |
| 1024 | { |
| 1025 | return seq_open(file, &cipso2_seq_ops); |
| 1026 | } |
| 1027 | |
| 1028 | /** |
| 1029 | * smk_write_cipso2 - write() for /smack/cipso2 |
| 1030 | * @file: file pointer, not actually used |
| 1031 | * @buf: where to get the data from |
| 1032 | * @count: bytes sent |
| 1033 | * @ppos: where to start |
| 1034 | * |
| 1035 | * Accepts only one cipso rule per write call. |
| 1036 | * Returns number of bytes written or error code, as appropriate |
| 1037 | */ |
| 1038 | static ssize_t smk_write_cipso2(struct file *file, const char __user *buf, |
| 1039 | size_t count, loff_t *ppos) |
| 1040 | { |
| 1041 | return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT); |
| 1042 | } |
| 1043 | |
| 1044 | static const struct file_operations smk_cipso2_ops = { |
| 1045 | .open = smk_open_cipso2, |
| 1046 | .read = seq_read, |
| 1047 | .llseek = seq_lseek, |
| 1048 | .write = smk_write_cipso2, |
| 1049 | .release = seq_release, |
| 1050 | }; |
| 1051 | |
| 1052 | /* |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1053 | * Seq_file read operations for /smack/netlabel |
| 1054 | */ |
| 1055 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1056 | static void *net4addr_seq_start(struct seq_file *s, loff_t *pos) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1057 | { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1058 | return smk_seq_start(s, pos, &smk_net4addr_list); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1059 | } |
| 1060 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1061 | static void *net4addr_seq_next(struct seq_file *s, void *v, loff_t *pos) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1062 | { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1063 | return smk_seq_next(s, v, pos, &smk_net4addr_list); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1064 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1065 | |
| 1066 | /* |
| 1067 | * Print host/label pairs |
| 1068 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1069 | static int net4addr_seq_show(struct seq_file *s, void *v) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1070 | { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1071 | struct list_head *list = v; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1072 | struct smk_net4addr *skp = |
| 1073 | list_entry_rcu(list, struct smk_net4addr, list); |
| 1074 | char *kp = SMACK_CIPSO_OPTION; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1075 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1076 | if (skp->smk_label != NULL) |
| 1077 | kp = skp->smk_label->smk_known; |
| 1078 | seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr, |
| 1079 | skp->smk_masks, kp); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1080 | |
| 1081 | return 0; |
| 1082 | } |
| 1083 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1084 | static const struct seq_operations net4addr_seq_ops = { |
| 1085 | .start = net4addr_seq_start, |
| 1086 | .next = net4addr_seq_next, |
| 1087 | .show = net4addr_seq_show, |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 1088 | .stop = smk_seq_stop, |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1089 | }; |
| 1090 | |
| 1091 | /** |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1092 | * smk_open_net4addr - open() for /smack/netlabel |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1093 | * @inode: inode structure representing file |
| 1094 | * @file: "netlabel" file pointer |
| 1095 | * |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1096 | * Connect our net4addr_seq_* operations with /smack/netlabel |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1097 | * file_operations |
| 1098 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1099 | static int smk_open_net4addr(struct inode *inode, struct file *file) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1100 | { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1101 | return seq_open(file, &net4addr_seq_ops); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1102 | } |
| 1103 | |
| 1104 | /** |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1105 | * smk_net4addr_insert |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1106 | * @new : netlabel to insert |
| 1107 | * |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1108 | * This helper insert netlabel in the smack_net4addrs list |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1109 | * sorted by netmask length (longest to smallest) |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1110 | * locked by &smk_net4addr_lock in smk_write_net4addr |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1111 | * |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1112 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1113 | static void smk_net4addr_insert(struct smk_net4addr *new) |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1114 | { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1115 | struct smk_net4addr *m; |
| 1116 | struct smk_net4addr *m_next; |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1117 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1118 | if (list_empty(&smk_net4addr_list)) { |
| 1119 | list_add_rcu(&new->list, &smk_net4addr_list); |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1120 | return; |
| 1121 | } |
| 1122 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1123 | m = list_entry_rcu(smk_net4addr_list.next, |
| 1124 | struct smk_net4addr, list); |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1125 | |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1126 | /* the comparison '>' is a bit hacky, but works */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1127 | if (new->smk_masks > m->smk_masks) { |
| 1128 | list_add_rcu(&new->list, &smk_net4addr_list); |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1129 | return; |
| 1130 | } |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1131 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1132 | list_for_each_entry_rcu(m, &smk_net4addr_list, list) { |
| 1133 | if (list_is_last(&m->list, &smk_net4addr_list)) { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1134 | list_add_rcu(&new->list, &m->list); |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1135 | return; |
| 1136 | } |
Jiri Pirko | 05725f7 | 2009-04-14 20:17:16 +0200 | [diff] [blame] | 1137 | m_next = list_entry_rcu(m->list.next, |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1138 | struct smk_net4addr, list); |
| 1139 | if (new->smk_masks > m_next->smk_masks) { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1140 | list_add_rcu(&new->list, &m->list); |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1141 | return; |
| 1142 | } |
| 1143 | } |
| 1144 | } |
| 1145 | |
| 1146 | |
| 1147 | /** |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1148 | * smk_write_net4addr - write() for /smack/netlabel |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 1149 | * @file: file pointer, not actually used |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1150 | * @buf: where to get the data from |
| 1151 | * @count: bytes sent |
| 1152 | * @ppos: where to start |
| 1153 | * |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1154 | * Accepts only one net4addr per write call. |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1155 | * Returns number of bytes written or error code, as appropriate |
| 1156 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1157 | static ssize_t smk_write_net4addr(struct file *file, const char __user *buf, |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1158 | size_t count, loff_t *ppos) |
| 1159 | { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1160 | struct smk_net4addr *snp; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1161 | struct sockaddr_in newname; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1162 | char *smack; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1163 | struct smack_known *skp = NULL; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1164 | char *data; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1165 | char *host = (char *)&newname.sin_addr.s_addr; |
| 1166 | int rc; |
| 1167 | struct netlbl_audit audit_info; |
| 1168 | struct in_addr mask; |
| 1169 | unsigned int m; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1170 | unsigned int masks; |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1171 | int found; |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1172 | u32 mask_bits = (1<<31); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1173 | __be32 nsa; |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1174 | u32 temp_mask; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1175 | |
| 1176 | /* |
| 1177 | * Must have privilege. |
| 1178 | * No partial writes. |
| 1179 | * Enough data must be present. |
| 1180 | * "<addr/mask, as a.b.c.d/e><space><label>" |
| 1181 | * "<addr, as a.b.c.d><space><label>" |
| 1182 | */ |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 1183 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1184 | return -EPERM; |
| 1185 | if (*ppos != 0) |
| 1186 | return -EINVAL; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1187 | if (count < SMK_NETLBLADDRMIN) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1188 | return -EINVAL; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1189 | |
| 1190 | data = kzalloc(count + 1, GFP_KERNEL); |
| 1191 | if (data == NULL) |
| 1192 | return -ENOMEM; |
| 1193 | |
| 1194 | if (copy_from_user(data, buf, count) != 0) { |
| 1195 | rc = -EFAULT; |
| 1196 | goto free_data_out; |
| 1197 | } |
| 1198 | |
| 1199 | smack = kzalloc(count + 1, GFP_KERNEL); |
| 1200 | if (smack == NULL) { |
| 1201 | rc = -ENOMEM; |
| 1202 | goto free_data_out; |
| 1203 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1204 | |
| 1205 | data[count] = '\0'; |
| 1206 | |
Toralf Förster | ec554fa | 2014-04-27 19:33:34 +0200 | [diff] [blame] | 1207 | rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s", |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1208 | &host[0], &host[1], &host[2], &host[3], &masks, smack); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1209 | if (rc != 6) { |
| 1210 | rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s", |
| 1211 | &host[0], &host[1], &host[2], &host[3], smack); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1212 | if (rc != 5) { |
| 1213 | rc = -EINVAL; |
| 1214 | goto free_out; |
| 1215 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1216 | m = BEBITS; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1217 | masks = 32; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1218 | } |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1219 | if (masks > BEBITS) { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1220 | rc = -EINVAL; |
| 1221 | goto free_out; |
| 1222 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1223 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1224 | /* |
| 1225 | * If smack begins with '-', it is an option, don't import it |
| 1226 | */ |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1227 | if (smack[0] != '-') { |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 1228 | skp = smk_import_entry(smack, 0); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 1229 | if (IS_ERR(skp)) { |
| 1230 | rc = PTR_ERR(skp); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1231 | goto free_out; |
| 1232 | } |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1233 | } else { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1234 | /* |
| 1235 | * Only the -CIPSO option is supported for IPv4 |
| 1236 | */ |
| 1237 | if (strcmp(smack, SMACK_CIPSO_OPTION) != 0) { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1238 | rc = -EINVAL; |
| 1239 | goto free_out; |
| 1240 | } |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1241 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1242 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1243 | for (m = masks, temp_mask = 0; m > 0; m--) { |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1244 | temp_mask |= mask_bits; |
| 1245 | mask_bits >>= 1; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1246 | } |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1247 | mask.s_addr = cpu_to_be32(temp_mask); |
| 1248 | |
| 1249 | newname.sin_addr.s_addr &= mask.s_addr; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1250 | /* |
| 1251 | * Only allow one writer at a time. Writes should be |
| 1252 | * quite rare and small in any case. |
| 1253 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1254 | mutex_lock(&smk_net4addr_lock); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1255 | |
| 1256 | nsa = newname.sin_addr.s_addr; |
etienne | 113a0e4 | 2009-03-04 07:33:51 +0100 | [diff] [blame] | 1257 | /* try to find if the prefix is already in the list */ |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1258 | found = 0; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1259 | list_for_each_entry_rcu(snp, &smk_net4addr_list, list) { |
| 1260 | if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) { |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1261 | found = 1; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1262 | break; |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1263 | } |
| 1264 | } |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1265 | smk_netlabel_audit_set(&audit_info); |
| 1266 | |
Etienne Basset | 7198e2e | 2009-03-24 20:53:24 +0100 | [diff] [blame] | 1267 | if (found == 0) { |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 1268 | snp = kzalloc(sizeof(*snp), GFP_KERNEL); |
| 1269 | if (snp == NULL) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1270 | rc = -ENOMEM; |
| 1271 | else { |
| 1272 | rc = 0; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1273 | snp->smk_host.s_addr = newname.sin_addr.s_addr; |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 1274 | snp->smk_mask.s_addr = mask.s_addr; |
| 1275 | snp->smk_label = skp; |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1276 | snp->smk_masks = masks; |
| 1277 | smk_net4addr_insert(snp); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1278 | } |
| 1279 | } else { |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1280 | /* |
| 1281 | * Delete the unlabeled entry, only if the previous label |
| 1282 | * wasn't the special CIPSO option |
| 1283 | */ |
| 1284 | if (snp->smk_label != NULL) |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1285 | rc = netlbl_cfg_unlbl_static_del(&init_net, NULL, |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1286 | &snp->smk_host, &snp->smk_mask, |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1287 | PF_INET, &audit_info); |
| 1288 | else |
| 1289 | rc = 0; |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 1290 | snp->smk_label = skp; |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1291 | } |
| 1292 | |
| 1293 | /* |
| 1294 | * Now tell netlabel about the single label nature of |
| 1295 | * this host so that incoming packets get labeled. |
Etienne Basset | 4303154 | 2009-03-27 17:11:01 -0400 | [diff] [blame] | 1296 | * but only if we didn't get the special CIPSO option |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1297 | */ |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1298 | if (rc == 0 && skp != NULL) |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1299 | rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1300 | &snp->smk_host, &snp->smk_mask, PF_INET, |
Lukasz Pawelczyk | 21c7eae | 2014-08-29 17:02:55 +0200 | [diff] [blame] | 1301 | snp->smk_label->smk_secid, &audit_info); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1302 | |
| 1303 | if (rc == 0) |
| 1304 | rc = count; |
| 1305 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1306 | mutex_unlock(&smk_net4addr_lock); |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1307 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1308 | free_out: |
| 1309 | kfree(smack); |
| 1310 | free_data_out: |
| 1311 | kfree(data); |
| 1312 | |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1313 | return rc; |
| 1314 | } |
| 1315 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1316 | static const struct file_operations smk_net4addr_ops = { |
| 1317 | .open = smk_open_net4addr, |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1318 | .read = seq_read, |
| 1319 | .llseek = seq_lseek, |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1320 | .write = smk_write_net4addr, |
Casey Schaufler | 6d3dc07 | 2008-12-31 12:54:12 -0500 | [diff] [blame] | 1321 | .release = seq_release, |
| 1322 | }; |
| 1323 | |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1324 | #if IS_ENABLED(CONFIG_IPV6) |
| 1325 | /* |
| 1326 | * Seq_file read operations for /smack/netlabel6 |
| 1327 | */ |
| 1328 | |
| 1329 | static void *net6addr_seq_start(struct seq_file *s, loff_t *pos) |
| 1330 | { |
| 1331 | return smk_seq_start(s, pos, &smk_net6addr_list); |
| 1332 | } |
| 1333 | |
| 1334 | static void *net6addr_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 1335 | { |
| 1336 | return smk_seq_next(s, v, pos, &smk_net6addr_list); |
| 1337 | } |
| 1338 | |
| 1339 | /* |
| 1340 | * Print host/label pairs |
| 1341 | */ |
| 1342 | static int net6addr_seq_show(struct seq_file *s, void *v) |
| 1343 | { |
| 1344 | struct list_head *list = v; |
| 1345 | struct smk_net6addr *skp = |
| 1346 | list_entry(list, struct smk_net6addr, list); |
| 1347 | |
| 1348 | if (skp->smk_label != NULL) |
| 1349 | seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks, |
| 1350 | skp->smk_label->smk_known); |
| 1351 | |
| 1352 | return 0; |
| 1353 | } |
| 1354 | |
| 1355 | static const struct seq_operations net6addr_seq_ops = { |
| 1356 | .start = net6addr_seq_start, |
| 1357 | .next = net6addr_seq_next, |
| 1358 | .show = net6addr_seq_show, |
| 1359 | .stop = smk_seq_stop, |
| 1360 | }; |
| 1361 | |
| 1362 | /** |
| 1363 | * smk_open_net6addr - open() for /smack/netlabel |
| 1364 | * @inode: inode structure representing file |
| 1365 | * @file: "netlabel" file pointer |
| 1366 | * |
| 1367 | * Connect our net6addr_seq_* operations with /smack/netlabel |
| 1368 | * file_operations |
| 1369 | */ |
| 1370 | static int smk_open_net6addr(struct inode *inode, struct file *file) |
| 1371 | { |
| 1372 | return seq_open(file, &net6addr_seq_ops); |
| 1373 | } |
| 1374 | |
| 1375 | /** |
| 1376 | * smk_net6addr_insert |
| 1377 | * @new : entry to insert |
| 1378 | * |
| 1379 | * This inserts an entry in the smack_net6addrs list |
| 1380 | * sorted by netmask length (longest to smallest) |
| 1381 | * locked by &smk_net6addr_lock in smk_write_net6addr |
| 1382 | * |
| 1383 | */ |
| 1384 | static void smk_net6addr_insert(struct smk_net6addr *new) |
| 1385 | { |
| 1386 | struct smk_net6addr *m_next; |
| 1387 | struct smk_net6addr *m; |
| 1388 | |
| 1389 | if (list_empty(&smk_net6addr_list)) { |
| 1390 | list_add_rcu(&new->list, &smk_net6addr_list); |
| 1391 | return; |
| 1392 | } |
| 1393 | |
| 1394 | m = list_entry_rcu(smk_net6addr_list.next, |
| 1395 | struct smk_net6addr, list); |
| 1396 | |
| 1397 | if (new->smk_masks > m->smk_masks) { |
| 1398 | list_add_rcu(&new->list, &smk_net6addr_list); |
| 1399 | return; |
| 1400 | } |
| 1401 | |
| 1402 | list_for_each_entry_rcu(m, &smk_net6addr_list, list) { |
| 1403 | if (list_is_last(&m->list, &smk_net6addr_list)) { |
| 1404 | list_add_rcu(&new->list, &m->list); |
| 1405 | return; |
| 1406 | } |
| 1407 | m_next = list_entry_rcu(m->list.next, |
| 1408 | struct smk_net6addr, list); |
| 1409 | if (new->smk_masks > m_next->smk_masks) { |
| 1410 | list_add_rcu(&new->list, &m->list); |
| 1411 | return; |
| 1412 | } |
| 1413 | } |
| 1414 | } |
| 1415 | |
| 1416 | |
| 1417 | /** |
| 1418 | * smk_write_net6addr - write() for /smack/netlabel |
| 1419 | * @file: file pointer, not actually used |
| 1420 | * @buf: where to get the data from |
| 1421 | * @count: bytes sent |
| 1422 | * @ppos: where to start |
| 1423 | * |
| 1424 | * Accepts only one net6addr per write call. |
| 1425 | * Returns number of bytes written or error code, as appropriate |
| 1426 | */ |
| 1427 | static ssize_t smk_write_net6addr(struct file *file, const char __user *buf, |
| 1428 | size_t count, loff_t *ppos) |
| 1429 | { |
| 1430 | struct smk_net6addr *snp; |
| 1431 | struct in6_addr newname; |
| 1432 | struct in6_addr fullmask; |
| 1433 | struct smack_known *skp = NULL; |
| 1434 | char *smack; |
| 1435 | char *data; |
| 1436 | int rc = 0; |
| 1437 | int found = 0; |
| 1438 | int i; |
| 1439 | unsigned int scanned[8]; |
| 1440 | unsigned int m; |
| 1441 | unsigned int mask = 128; |
| 1442 | |
| 1443 | /* |
| 1444 | * Must have privilege. |
| 1445 | * No partial writes. |
| 1446 | * Enough data must be present. |
| 1447 | * "<addr/mask, as a:b:c:d:e:f:g:h/e><space><label>" |
| 1448 | * "<addr, as a:b:c:d:e:f:g:h><space><label>" |
| 1449 | */ |
| 1450 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 1451 | return -EPERM; |
| 1452 | if (*ppos != 0) |
| 1453 | return -EINVAL; |
| 1454 | if (count < SMK_NETLBLADDRMIN) |
| 1455 | return -EINVAL; |
| 1456 | |
| 1457 | data = kzalloc(count + 1, GFP_KERNEL); |
| 1458 | if (data == NULL) |
| 1459 | return -ENOMEM; |
| 1460 | |
| 1461 | if (copy_from_user(data, buf, count) != 0) { |
| 1462 | rc = -EFAULT; |
| 1463 | goto free_data_out; |
| 1464 | } |
| 1465 | |
| 1466 | smack = kzalloc(count + 1, GFP_KERNEL); |
| 1467 | if (smack == NULL) { |
| 1468 | rc = -ENOMEM; |
| 1469 | goto free_data_out; |
| 1470 | } |
| 1471 | |
| 1472 | data[count] = '\0'; |
| 1473 | |
| 1474 | i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s", |
| 1475 | &scanned[0], &scanned[1], &scanned[2], &scanned[3], |
| 1476 | &scanned[4], &scanned[5], &scanned[6], &scanned[7], |
| 1477 | &mask, smack); |
| 1478 | if (i != 10) { |
| 1479 | i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x %s", |
| 1480 | &scanned[0], &scanned[1], &scanned[2], |
| 1481 | &scanned[3], &scanned[4], &scanned[5], |
| 1482 | &scanned[6], &scanned[7], smack); |
| 1483 | if (i != 9) { |
| 1484 | rc = -EINVAL; |
| 1485 | goto free_out; |
| 1486 | } |
| 1487 | } |
| 1488 | if (mask > 128) { |
| 1489 | rc = -EINVAL; |
| 1490 | goto free_out; |
| 1491 | } |
| 1492 | for (i = 0; i < 8; i++) { |
| 1493 | if (scanned[i] > 0xffff) { |
| 1494 | rc = -EINVAL; |
| 1495 | goto free_out; |
| 1496 | } |
| 1497 | newname.s6_addr16[i] = htons(scanned[i]); |
| 1498 | } |
| 1499 | |
| 1500 | /* |
| 1501 | * If smack begins with '-', it is an option, don't import it |
| 1502 | */ |
| 1503 | if (smack[0] != '-') { |
| 1504 | skp = smk_import_entry(smack, 0); |
Lukasz Pawelczyk | 5f2bfe2 | 2015-08-25 12:39:46 +0200 | [diff] [blame] | 1505 | if (IS_ERR(skp)) { |
| 1506 | rc = PTR_ERR(skp); |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 1507 | goto free_out; |
| 1508 | } |
| 1509 | } else { |
| 1510 | /* |
| 1511 | * Only -DELETE is supported for IPv6 |
| 1512 | */ |
| 1513 | if (strcmp(smack, SMACK_DELETE_OPTION) != 0) { |
| 1514 | rc = -EINVAL; |
| 1515 | goto free_out; |
| 1516 | } |
| 1517 | } |
| 1518 | |
| 1519 | for (i = 0, m = mask; i < 8; i++) { |
| 1520 | if (m >= 16) { |
| 1521 | fullmask.s6_addr16[i] = 0xffff; |
| 1522 | m -= 16; |
| 1523 | } else if (m > 0) { |
| 1524 | fullmask.s6_addr16[i] = (1 << m) - 1; |
| 1525 | m = 0; |
| 1526 | } else |
| 1527 | fullmask.s6_addr16[i] = 0; |
| 1528 | newname.s6_addr16[i] &= fullmask.s6_addr16[i]; |
| 1529 | } |
| 1530 | |
| 1531 | /* |
| 1532 | * Only allow one writer at a time. Writes should be |
| 1533 | * quite rare and small in any case. |
| 1534 | */ |
| 1535 | mutex_lock(&smk_net6addr_lock); |
| 1536 | /* |
| 1537 | * Try to find the prefix in the list |
| 1538 | */ |
| 1539 | list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { |
| 1540 | if (mask != snp->smk_masks) |
| 1541 | continue; |
| 1542 | for (found = 1, i = 0; i < 8; i++) { |
| 1543 | if (newname.s6_addr16[i] != |
| 1544 | snp->smk_host.s6_addr16[i]) { |
| 1545 | found = 0; |
| 1546 | break; |
| 1547 | } |
| 1548 | } |
| 1549 | if (found == 1) |
| 1550 | break; |
| 1551 | } |
| 1552 | if (found == 0) { |
| 1553 | snp = kzalloc(sizeof(*snp), GFP_KERNEL); |
| 1554 | if (snp == NULL) |
| 1555 | rc = -ENOMEM; |
| 1556 | else { |
| 1557 | snp->smk_host = newname; |
| 1558 | snp->smk_mask = fullmask; |
| 1559 | snp->smk_masks = mask; |
| 1560 | snp->smk_label = skp; |
| 1561 | smk_net6addr_insert(snp); |
| 1562 | } |
| 1563 | } else { |
| 1564 | snp->smk_label = skp; |
| 1565 | } |
| 1566 | |
| 1567 | if (rc == 0) |
| 1568 | rc = count; |
| 1569 | |
| 1570 | mutex_unlock(&smk_net6addr_lock); |
| 1571 | |
| 1572 | free_out: |
| 1573 | kfree(smack); |
| 1574 | free_data_out: |
| 1575 | kfree(data); |
| 1576 | |
| 1577 | return rc; |
| 1578 | } |
| 1579 | |
| 1580 | static const struct file_operations smk_net6addr_ops = { |
| 1581 | .open = smk_open_net6addr, |
| 1582 | .read = seq_read, |
| 1583 | .llseek = seq_lseek, |
| 1584 | .write = smk_write_net6addr, |
| 1585 | .release = seq_release, |
| 1586 | }; |
| 1587 | #endif /* CONFIG_IPV6 */ |
| 1588 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1589 | /** |
| 1590 | * smk_read_doi - read() for /smack/doi |
| 1591 | * @filp: file pointer, not actually used |
| 1592 | * @buf: where to put the result |
| 1593 | * @count: maximum to send along |
| 1594 | * @ppos: where to start |
| 1595 | * |
| 1596 | * Returns number of bytes read or error code, as appropriate |
| 1597 | */ |
| 1598 | static ssize_t smk_read_doi(struct file *filp, char __user *buf, |
| 1599 | size_t count, loff_t *ppos) |
| 1600 | { |
| 1601 | char temp[80]; |
| 1602 | ssize_t rc; |
| 1603 | |
| 1604 | if (*ppos != 0) |
| 1605 | return 0; |
| 1606 | |
| 1607 | sprintf(temp, "%d", smk_cipso_doi_value); |
| 1608 | rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); |
| 1609 | |
| 1610 | return rc; |
| 1611 | } |
| 1612 | |
| 1613 | /** |
| 1614 | * smk_write_doi - write() for /smack/doi |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 1615 | * @file: file pointer, not actually used |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1616 | * @buf: where to get the data from |
| 1617 | * @count: bytes sent |
| 1618 | * @ppos: where to start |
| 1619 | * |
| 1620 | * Returns number of bytes written or error code, as appropriate |
| 1621 | */ |
| 1622 | static ssize_t smk_write_doi(struct file *file, const char __user *buf, |
| 1623 | size_t count, loff_t *ppos) |
| 1624 | { |
| 1625 | char temp[80]; |
| 1626 | int i; |
| 1627 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 1628 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1629 | return -EPERM; |
| 1630 | |
| 1631 | if (count >= sizeof(temp) || count == 0) |
| 1632 | return -EINVAL; |
| 1633 | |
| 1634 | if (copy_from_user(temp, buf, count) != 0) |
| 1635 | return -EFAULT; |
| 1636 | |
| 1637 | temp[count] = '\0'; |
| 1638 | |
| 1639 | if (sscanf(temp, "%d", &i) != 1) |
| 1640 | return -EINVAL; |
| 1641 | |
| 1642 | smk_cipso_doi_value = i; |
| 1643 | |
| 1644 | smk_cipso_doi(); |
| 1645 | |
| 1646 | return count; |
| 1647 | } |
| 1648 | |
| 1649 | static const struct file_operations smk_doi_ops = { |
| 1650 | .read = smk_read_doi, |
| 1651 | .write = smk_write_doi, |
Arnd Bergmann | 6038f37 | 2010-08-15 18:52:59 +0200 | [diff] [blame] | 1652 | .llseek = default_llseek, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1653 | }; |
| 1654 | |
| 1655 | /** |
| 1656 | * smk_read_direct - read() for /smack/direct |
| 1657 | * @filp: file pointer, not actually used |
| 1658 | * @buf: where to put the result |
| 1659 | * @count: maximum to send along |
| 1660 | * @ppos: where to start |
| 1661 | * |
| 1662 | * Returns number of bytes read or error code, as appropriate |
| 1663 | */ |
| 1664 | static ssize_t smk_read_direct(struct file *filp, char __user *buf, |
| 1665 | size_t count, loff_t *ppos) |
| 1666 | { |
| 1667 | char temp[80]; |
| 1668 | ssize_t rc; |
| 1669 | |
| 1670 | if (*ppos != 0) |
| 1671 | return 0; |
| 1672 | |
| 1673 | sprintf(temp, "%d", smack_cipso_direct); |
| 1674 | rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); |
| 1675 | |
| 1676 | return rc; |
| 1677 | } |
| 1678 | |
| 1679 | /** |
| 1680 | * smk_write_direct - write() for /smack/direct |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 1681 | * @file: file pointer, not actually used |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1682 | * @buf: where to get the data from |
| 1683 | * @count: bytes sent |
| 1684 | * @ppos: where to start |
| 1685 | * |
| 1686 | * Returns number of bytes written or error code, as appropriate |
| 1687 | */ |
| 1688 | static ssize_t smk_write_direct(struct file *file, const char __user *buf, |
| 1689 | size_t count, loff_t *ppos) |
| 1690 | { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1691 | struct smack_known *skp; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1692 | char temp[80]; |
| 1693 | int i; |
| 1694 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 1695 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1696 | return -EPERM; |
| 1697 | |
| 1698 | if (count >= sizeof(temp) || count == 0) |
| 1699 | return -EINVAL; |
| 1700 | |
| 1701 | if (copy_from_user(temp, buf, count) != 0) |
| 1702 | return -EFAULT; |
| 1703 | |
| 1704 | temp[count] = '\0'; |
| 1705 | |
| 1706 | if (sscanf(temp, "%d", &i) != 1) |
| 1707 | return -EINVAL; |
| 1708 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1709 | /* |
| 1710 | * Don't do anything if the value hasn't actually changed. |
| 1711 | * If it is changing reset the level on entries that were |
| 1712 | * set up to be direct when they were created. |
| 1713 | */ |
| 1714 | if (smack_cipso_direct != i) { |
| 1715 | mutex_lock(&smack_known_lock); |
| 1716 | list_for_each_entry_rcu(skp, &smack_known_list, list) |
| 1717 | if (skp->smk_netlabel.attr.mls.lvl == |
| 1718 | smack_cipso_direct) |
| 1719 | skp->smk_netlabel.attr.mls.lvl = i; |
| 1720 | smack_cipso_direct = i; |
| 1721 | mutex_unlock(&smack_known_lock); |
| 1722 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1723 | |
| 1724 | return count; |
| 1725 | } |
| 1726 | |
| 1727 | static const struct file_operations smk_direct_ops = { |
| 1728 | .read = smk_read_direct, |
| 1729 | .write = smk_write_direct, |
Arnd Bergmann | 6038f37 | 2010-08-15 18:52:59 +0200 | [diff] [blame] | 1730 | .llseek = default_llseek, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1731 | }; |
| 1732 | |
| 1733 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1734 | * smk_read_mapped - read() for /smack/mapped |
| 1735 | * @filp: file pointer, not actually used |
| 1736 | * @buf: where to put the result |
| 1737 | * @count: maximum to send along |
| 1738 | * @ppos: where to start |
| 1739 | * |
| 1740 | * Returns number of bytes read or error code, as appropriate |
| 1741 | */ |
| 1742 | static ssize_t smk_read_mapped(struct file *filp, char __user *buf, |
| 1743 | size_t count, loff_t *ppos) |
| 1744 | { |
| 1745 | char temp[80]; |
| 1746 | ssize_t rc; |
| 1747 | |
| 1748 | if (*ppos != 0) |
| 1749 | return 0; |
| 1750 | |
| 1751 | sprintf(temp, "%d", smack_cipso_mapped); |
| 1752 | rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); |
| 1753 | |
| 1754 | return rc; |
| 1755 | } |
| 1756 | |
| 1757 | /** |
| 1758 | * smk_write_mapped - write() for /smack/mapped |
| 1759 | * @file: file pointer, not actually used |
| 1760 | * @buf: where to get the data from |
| 1761 | * @count: bytes sent |
| 1762 | * @ppos: where to start |
| 1763 | * |
| 1764 | * Returns number of bytes written or error code, as appropriate |
| 1765 | */ |
| 1766 | static ssize_t smk_write_mapped(struct file *file, const char __user *buf, |
| 1767 | size_t count, loff_t *ppos) |
| 1768 | { |
| 1769 | struct smack_known *skp; |
| 1770 | char temp[80]; |
| 1771 | int i; |
| 1772 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 1773 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1774 | return -EPERM; |
| 1775 | |
| 1776 | if (count >= sizeof(temp) || count == 0) |
| 1777 | return -EINVAL; |
| 1778 | |
| 1779 | if (copy_from_user(temp, buf, count) != 0) |
| 1780 | return -EFAULT; |
| 1781 | |
| 1782 | temp[count] = '\0'; |
| 1783 | |
| 1784 | if (sscanf(temp, "%d", &i) != 1) |
| 1785 | return -EINVAL; |
| 1786 | |
| 1787 | /* |
| 1788 | * Don't do anything if the value hasn't actually changed. |
| 1789 | * If it is changing reset the level on entries that were |
| 1790 | * set up to be mapped when they were created. |
| 1791 | */ |
| 1792 | if (smack_cipso_mapped != i) { |
| 1793 | mutex_lock(&smack_known_lock); |
| 1794 | list_for_each_entry_rcu(skp, &smack_known_list, list) |
| 1795 | if (skp->smk_netlabel.attr.mls.lvl == |
| 1796 | smack_cipso_mapped) |
| 1797 | skp->smk_netlabel.attr.mls.lvl = i; |
| 1798 | smack_cipso_mapped = i; |
| 1799 | mutex_unlock(&smack_known_lock); |
| 1800 | } |
| 1801 | |
| 1802 | return count; |
| 1803 | } |
| 1804 | |
| 1805 | static const struct file_operations smk_mapped_ops = { |
| 1806 | .read = smk_read_mapped, |
| 1807 | .write = smk_write_mapped, |
| 1808 | .llseek = default_llseek, |
| 1809 | }; |
| 1810 | |
| 1811 | /** |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1812 | * smk_read_ambient - read() for /smack/ambient |
| 1813 | * @filp: file pointer, not actually used |
| 1814 | * @buf: where to put the result |
| 1815 | * @cn: maximum to send along |
| 1816 | * @ppos: where to start |
| 1817 | * |
| 1818 | * Returns number of bytes read or error code, as appropriate |
| 1819 | */ |
| 1820 | static ssize_t smk_read_ambient(struct file *filp, char __user *buf, |
| 1821 | size_t cn, loff_t *ppos) |
| 1822 | { |
| 1823 | ssize_t rc; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1824 | int asize; |
| 1825 | |
| 1826 | if (*ppos != 0) |
| 1827 | return 0; |
| 1828 | /* |
| 1829 | * Being careful to avoid a problem in the case where |
| 1830 | * smack_net_ambient gets changed in midstream. |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1831 | */ |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1832 | mutex_lock(&smack_ambient_lock); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1833 | |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 1834 | asize = strlen(smack_net_ambient->smk_known) + 1; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1835 | |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1836 | if (cn >= asize) |
| 1837 | rc = simple_read_from_buffer(buf, cn, ppos, |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 1838 | smack_net_ambient->smk_known, |
| 1839 | asize); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1840 | else |
| 1841 | rc = -EINVAL; |
| 1842 | |
| 1843 | mutex_unlock(&smack_ambient_lock); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1844 | |
| 1845 | return rc; |
| 1846 | } |
| 1847 | |
| 1848 | /** |
| 1849 | * smk_write_ambient - write() for /smack/ambient |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 1850 | * @file: file pointer, not actually used |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1851 | * @buf: where to get the data from |
| 1852 | * @count: bytes sent |
| 1853 | * @ppos: where to start |
| 1854 | * |
| 1855 | * Returns number of bytes written or error code, as appropriate |
| 1856 | */ |
| 1857 | static ssize_t smk_write_ambient(struct file *file, const char __user *buf, |
| 1858 | size_t count, loff_t *ppos) |
| 1859 | { |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 1860 | struct smack_known *skp; |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1861 | char *oldambient; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1862 | char *data; |
| 1863 | int rc = count; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1864 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 1865 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1866 | return -EPERM; |
| 1867 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1868 | data = kzalloc(count + 1, GFP_KERNEL); |
| 1869 | if (data == NULL) |
| 1870 | return -ENOMEM; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1871 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1872 | if (copy_from_user(data, buf, count) != 0) { |
| 1873 | rc = -EFAULT; |
| 1874 | goto out; |
| 1875 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1876 | |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 1877 | skp = smk_import_entry(data, count); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 1878 | if (IS_ERR(skp)) { |
| 1879 | rc = PTR_ERR(skp); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1880 | goto out; |
| 1881 | } |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1882 | |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1883 | mutex_lock(&smack_ambient_lock); |
| 1884 | |
Casey Schaufler | 2f823ff | 2013-05-22 18:43:03 -0700 | [diff] [blame] | 1885 | oldambient = smack_net_ambient->smk_known; |
| 1886 | smack_net_ambient = skp; |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 1887 | smk_unlbl_ambient(oldambient); |
| 1888 | |
| 1889 | mutex_unlock(&smack_ambient_lock); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1890 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 1891 | out: |
| 1892 | kfree(data); |
| 1893 | return rc; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1894 | } |
| 1895 | |
| 1896 | static const struct file_operations smk_ambient_ops = { |
| 1897 | .read = smk_read_ambient, |
| 1898 | .write = smk_write_ambient, |
Arnd Bergmann | 6038f37 | 2010-08-15 18:52:59 +0200 | [diff] [blame] | 1899 | .llseek = default_llseek, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 1900 | }; |
| 1901 | |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1902 | /* |
| 1903 | * Seq_file operations for /smack/onlycap |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1904 | */ |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1905 | static void *onlycap_seq_start(struct seq_file *s, loff_t *pos) |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1906 | { |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1907 | return smk_seq_start(s, pos, &smack_onlycap_list); |
| 1908 | } |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1909 | |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1910 | static void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 1911 | { |
| 1912 | return smk_seq_next(s, v, pos, &smack_onlycap_list); |
| 1913 | } |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1914 | |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1915 | static int onlycap_seq_show(struct seq_file *s, void *v) |
| 1916 | { |
| 1917 | struct list_head *list = v; |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 1918 | struct smack_known_list_elem *sklep = |
| 1919 | list_entry_rcu(list, struct smack_known_list_elem, list); |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1920 | |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 1921 | seq_puts(s, sklep->smk_label->smk_known); |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1922 | seq_putc(s, ' '); |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1923 | |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1924 | return 0; |
| 1925 | } |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1926 | |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 1927 | static const struct seq_operations onlycap_seq_ops = { |
| 1928 | .start = onlycap_seq_start, |
| 1929 | .next = onlycap_seq_next, |
| 1930 | .show = onlycap_seq_show, |
| 1931 | .stop = smk_seq_stop, |
| 1932 | }; |
| 1933 | |
| 1934 | static int smk_open_onlycap(struct inode *inode, struct file *file) |
| 1935 | { |
| 1936 | return seq_open(file, &onlycap_seq_ops); |
| 1937 | } |
| 1938 | |
| 1939 | /** |
| 1940 | * smk_list_swap_rcu - swap public list with a private one in RCU-safe way |
| 1941 | * The caller must hold appropriate mutex to prevent concurrent modifications |
| 1942 | * to the public list. |
| 1943 | * Private list is assumed to be not accessible to other threads yet. |
| 1944 | * |
| 1945 | * @public: public list |
| 1946 | * @private: private list |
| 1947 | */ |
| 1948 | static void smk_list_swap_rcu(struct list_head *public, |
| 1949 | struct list_head *private) |
| 1950 | { |
| 1951 | struct list_head *first, *last; |
| 1952 | |
| 1953 | if (list_empty(public)) { |
| 1954 | list_splice_init_rcu(private, public, synchronize_rcu); |
| 1955 | } else { |
| 1956 | /* Remember public list before replacing it */ |
| 1957 | first = public->next; |
| 1958 | last = public->prev; |
| 1959 | |
| 1960 | /* Publish private list in place of public in RCU-safe way */ |
| 1961 | private->prev->next = public; |
| 1962 | private->next->prev = public; |
| 1963 | rcu_assign_pointer(public->next, private->next); |
| 1964 | public->prev = private->prev; |
| 1965 | |
| 1966 | synchronize_rcu(); |
| 1967 | |
| 1968 | /* When all readers are done with the old public list, |
| 1969 | * attach it in place of private */ |
| 1970 | private->next = first; |
| 1971 | private->prev = last; |
| 1972 | first->prev = private; |
| 1973 | last->next = private; |
| 1974 | } |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 1975 | } |
| 1976 | |
| 1977 | /** |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 1978 | * smk_parse_label_list - parse list of Smack labels, separated by spaces |
| 1979 | * |
| 1980 | * @data: the string to parse |
| 1981 | * @private: destination list |
| 1982 | * |
| 1983 | * Returns zero on success or error code, as appropriate |
| 1984 | */ |
| 1985 | static int smk_parse_label_list(char *data, struct list_head *list) |
| 1986 | { |
| 1987 | char *tok; |
| 1988 | struct smack_known *skp; |
| 1989 | struct smack_known_list_elem *sklep; |
| 1990 | |
| 1991 | while ((tok = strsep(&data, " ")) != NULL) { |
| 1992 | if (!*tok) |
| 1993 | continue; |
| 1994 | |
| 1995 | skp = smk_import_entry(tok, 0); |
| 1996 | if (IS_ERR(skp)) |
| 1997 | return PTR_ERR(skp); |
| 1998 | |
| 1999 | sklep = kzalloc(sizeof(*sklep), GFP_KERNEL); |
| 2000 | if (sklep == NULL) |
| 2001 | return -ENOMEM; |
| 2002 | |
| 2003 | sklep->smk_label = skp; |
| 2004 | list_add(&sklep->list, list); |
| 2005 | } |
| 2006 | |
| 2007 | return 0; |
| 2008 | } |
| 2009 | |
| 2010 | /** |
| 2011 | * smk_destroy_label_list - destroy a list of smack_known_list_elem |
| 2012 | * @head: header pointer of the list to destroy |
| 2013 | */ |
| 2014 | void smk_destroy_label_list(struct list_head *list) |
| 2015 | { |
| 2016 | struct smack_known_list_elem *sklep; |
| 2017 | struct smack_known_list_elem *sklep2; |
| 2018 | |
| 2019 | list_for_each_entry_safe(sklep, sklep2, list, list) |
| 2020 | kfree(sklep); |
| 2021 | |
| 2022 | INIT_LIST_HEAD(list); |
| 2023 | } |
| 2024 | |
| 2025 | /** |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2026 | * smk_write_onlycap - write() for smackfs/onlycap |
Randy Dunlap | 251a2a9 | 2009-02-18 11:42:33 -0800 | [diff] [blame] | 2027 | * @file: file pointer, not actually used |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2028 | * @buf: where to get the data from |
| 2029 | * @count: bytes sent |
| 2030 | * @ppos: where to start |
| 2031 | * |
| 2032 | * Returns number of bytes written or error code, as appropriate |
| 2033 | */ |
| 2034 | static ssize_t smk_write_onlycap(struct file *file, const char __user *buf, |
| 2035 | size_t count, loff_t *ppos) |
| 2036 | { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2037 | char *data; |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2038 | LIST_HEAD(list_tmp); |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2039 | int rc; |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2040 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 2041 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2042 | return -EPERM; |
| 2043 | |
Konstantin Khlebnikov | b862e56 | 2014-08-07 20:52:43 +0400 | [diff] [blame] | 2044 | data = kzalloc(count + 1, GFP_KERNEL); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2045 | if (data == NULL) |
| 2046 | return -ENOMEM; |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2047 | |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2048 | if (copy_from_user(data, buf, count) != 0) { |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2049 | kfree(data); |
| 2050 | return -EFAULT; |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2051 | } |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2052 | |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2053 | rc = smk_parse_label_list(data, &list_tmp); |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2054 | kfree(data); |
| 2055 | |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2056 | /* |
| 2057 | * Clear the smack_onlycap on invalid label errors. This means |
| 2058 | * that we can pass a null string to unset the onlycap value. |
| 2059 | * |
| 2060 | * Importing will also reject a label beginning with '-', |
| 2061 | * so "-usecapabilities" will also work. |
| 2062 | * |
| 2063 | * But do so only on invalid label, not on system errors. |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2064 | * The invalid label must be first to count as clearing attempt. |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2065 | */ |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2066 | if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2067 | mutex_lock(&smack_onlycap_lock); |
| 2068 | smk_list_swap_rcu(&smack_onlycap_list, &list_tmp); |
| 2069 | mutex_unlock(&smack_onlycap_lock); |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2070 | rc = count; |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2071 | } |
| 2072 | |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2073 | smk_destroy_label_list(&list_tmp); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2074 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2075 | return rc; |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2076 | } |
| 2077 | |
| 2078 | static const struct file_operations smk_onlycap_ops = { |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2079 | .open = smk_open_onlycap, |
| 2080 | .read = seq_read, |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2081 | .write = smk_write_onlycap, |
Rafal Krypa | c0d77c8 | 2015-06-02 11:23:48 +0200 | [diff] [blame] | 2082 | .llseek = seq_lseek, |
| 2083 | .release = seq_release, |
Casey Schaufler | 1544623 | 2008-07-30 15:37:11 -0700 | [diff] [blame] | 2084 | }; |
| 2085 | |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2086 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
| 2087 | /** |
| 2088 | * smk_read_unconfined - read() for smackfs/unconfined |
| 2089 | * @filp: file pointer, not actually used |
| 2090 | * @buf: where to put the result |
| 2091 | * @cn: maximum to send along |
| 2092 | * @ppos: where to start |
| 2093 | * |
| 2094 | * Returns number of bytes read or error code, as appropriate |
| 2095 | */ |
| 2096 | static ssize_t smk_read_unconfined(struct file *filp, char __user *buf, |
| 2097 | size_t cn, loff_t *ppos) |
| 2098 | { |
| 2099 | char *smack = ""; |
| 2100 | ssize_t rc = -EINVAL; |
| 2101 | int asize; |
| 2102 | |
| 2103 | if (*ppos != 0) |
| 2104 | return 0; |
| 2105 | |
| 2106 | if (smack_unconfined != NULL) |
| 2107 | smack = smack_unconfined->smk_known; |
| 2108 | |
| 2109 | asize = strlen(smack) + 1; |
| 2110 | |
| 2111 | if (cn >= asize) |
| 2112 | rc = simple_read_from_buffer(buf, cn, ppos, smack, asize); |
| 2113 | |
| 2114 | return rc; |
| 2115 | } |
| 2116 | |
| 2117 | /** |
| 2118 | * smk_write_unconfined - write() for smackfs/unconfined |
| 2119 | * @file: file pointer, not actually used |
| 2120 | * @buf: where to get the data from |
| 2121 | * @count: bytes sent |
| 2122 | * @ppos: where to start |
| 2123 | * |
| 2124 | * Returns number of bytes written or error code, as appropriate |
| 2125 | */ |
| 2126 | static ssize_t smk_write_unconfined(struct file *file, const char __user *buf, |
| 2127 | size_t count, loff_t *ppos) |
| 2128 | { |
| 2129 | char *data; |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2130 | struct smack_known *skp; |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2131 | int rc = count; |
| 2132 | |
| 2133 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2134 | return -EPERM; |
| 2135 | |
| 2136 | data = kzalloc(count + 1, GFP_KERNEL); |
| 2137 | if (data == NULL) |
| 2138 | return -ENOMEM; |
| 2139 | |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2140 | if (copy_from_user(data, buf, count) != 0) { |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2141 | rc = -EFAULT; |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2142 | goto freeout; |
| 2143 | } |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2144 | |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2145 | /* |
| 2146 | * Clear the smack_unconfined on invalid label errors. This means |
| 2147 | * that we can pass a null string to unset the unconfined value. |
| 2148 | * |
| 2149 | * Importing will also reject a label beginning with '-', |
| 2150 | * so "-confine" will also work. |
| 2151 | * |
| 2152 | * But do so only on invalid label, not on system errors. |
| 2153 | */ |
| 2154 | skp = smk_import_entry(data, count); |
| 2155 | if (PTR_ERR(skp) == -EINVAL) |
| 2156 | skp = NULL; |
| 2157 | else if (IS_ERR(skp)) { |
| 2158 | rc = PTR_ERR(skp); |
| 2159 | goto freeout; |
| 2160 | } |
| 2161 | |
| 2162 | smack_unconfined = skp; |
| 2163 | |
| 2164 | freeout: |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2165 | kfree(data); |
| 2166 | return rc; |
| 2167 | } |
| 2168 | |
| 2169 | static const struct file_operations smk_unconfined_ops = { |
| 2170 | .read = smk_read_unconfined, |
| 2171 | .write = smk_write_unconfined, |
| 2172 | .llseek = default_llseek, |
| 2173 | }; |
| 2174 | #endif /* CONFIG_SECURITY_SMACK_BRINGUP */ |
| 2175 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2176 | /** |
Etienne Basset | ecfcc53 | 2009-04-08 20:40:06 +0200 | [diff] [blame] | 2177 | * smk_read_logging - read() for /smack/logging |
| 2178 | * @filp: file pointer, not actually used |
| 2179 | * @buf: where to put the result |
| 2180 | * @cn: maximum to send along |
| 2181 | * @ppos: where to start |
| 2182 | * |
| 2183 | * Returns number of bytes read or error code, as appropriate |
| 2184 | */ |
| 2185 | static ssize_t smk_read_logging(struct file *filp, char __user *buf, |
| 2186 | size_t count, loff_t *ppos) |
| 2187 | { |
| 2188 | char temp[32]; |
| 2189 | ssize_t rc; |
| 2190 | |
| 2191 | if (*ppos != 0) |
| 2192 | return 0; |
| 2193 | |
| 2194 | sprintf(temp, "%d\n", log_policy); |
| 2195 | rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); |
| 2196 | return rc; |
| 2197 | } |
| 2198 | |
| 2199 | /** |
| 2200 | * smk_write_logging - write() for /smack/logging |
| 2201 | * @file: file pointer, not actually used |
| 2202 | * @buf: where to get the data from |
| 2203 | * @count: bytes sent |
| 2204 | * @ppos: where to start |
| 2205 | * |
| 2206 | * Returns number of bytes written or error code, as appropriate |
| 2207 | */ |
| 2208 | static ssize_t smk_write_logging(struct file *file, const char __user *buf, |
| 2209 | size_t count, loff_t *ppos) |
| 2210 | { |
| 2211 | char temp[32]; |
| 2212 | int i; |
| 2213 | |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 2214 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Etienne Basset | ecfcc53 | 2009-04-08 20:40:06 +0200 | [diff] [blame] | 2215 | return -EPERM; |
| 2216 | |
| 2217 | if (count >= sizeof(temp) || count == 0) |
| 2218 | return -EINVAL; |
| 2219 | |
| 2220 | if (copy_from_user(temp, buf, count) != 0) |
| 2221 | return -EFAULT; |
| 2222 | |
| 2223 | temp[count] = '\0'; |
| 2224 | |
| 2225 | if (sscanf(temp, "%d", &i) != 1) |
| 2226 | return -EINVAL; |
| 2227 | if (i < 0 || i > 3) |
| 2228 | return -EINVAL; |
| 2229 | log_policy = i; |
| 2230 | return count; |
| 2231 | } |
| 2232 | |
| 2233 | |
| 2234 | |
| 2235 | static const struct file_operations smk_logging_ops = { |
| 2236 | .read = smk_read_logging, |
| 2237 | .write = smk_write_logging, |
Arnd Bergmann | 6038f37 | 2010-08-15 18:52:59 +0200 | [diff] [blame] | 2238 | .llseek = default_llseek, |
Etienne Basset | ecfcc53 | 2009-04-08 20:40:06 +0200 | [diff] [blame] | 2239 | }; |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2240 | |
| 2241 | /* |
| 2242 | * Seq_file read operations for /smack/load-self |
| 2243 | */ |
| 2244 | |
| 2245 | static void *load_self_seq_start(struct seq_file *s, loff_t *pos) |
| 2246 | { |
| 2247 | struct task_smack *tsp = current_security(); |
| 2248 | |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 2249 | return smk_seq_start(s, pos, &tsp->smk_rules); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2250 | } |
| 2251 | |
| 2252 | static void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 2253 | { |
| 2254 | struct task_smack *tsp = current_security(); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2255 | |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 2256 | return smk_seq_next(s, v, pos, &tsp->smk_rules); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2257 | } |
| 2258 | |
| 2259 | static int load_self_seq_show(struct seq_file *s, void *v) |
| 2260 | { |
| 2261 | struct list_head *list = v; |
| 2262 | struct smack_rule *srp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 2263 | list_entry_rcu(list, struct smack_rule, list); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2264 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2265 | smk_rule_show(s, srp, SMK_LABELLEN); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2266 | |
| 2267 | return 0; |
| 2268 | } |
| 2269 | |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2270 | static const struct seq_operations load_self_seq_ops = { |
| 2271 | .start = load_self_seq_start, |
| 2272 | .next = load_self_seq_next, |
| 2273 | .show = load_self_seq_show, |
Casey Schaufler | 4080956 | 2011-11-10 15:02:22 -0800 | [diff] [blame] | 2274 | .stop = smk_seq_stop, |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2275 | }; |
| 2276 | |
| 2277 | |
| 2278 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2279 | * smk_open_load_self - open() for /smack/load-self2 |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2280 | * @inode: inode structure representing file |
| 2281 | * @file: "load" file pointer |
| 2282 | * |
| 2283 | * For reading, use load_seq_* seq_file reading operations. |
| 2284 | */ |
| 2285 | static int smk_open_load_self(struct inode *inode, struct file *file) |
| 2286 | { |
| 2287 | return seq_open(file, &load_self_seq_ops); |
| 2288 | } |
| 2289 | |
| 2290 | /** |
| 2291 | * smk_write_load_self - write() for /smack/load-self |
| 2292 | * @file: file pointer, not actually used |
| 2293 | * @buf: where to get the data from |
| 2294 | * @count: bytes sent |
| 2295 | * @ppos: where to start - must be 0 |
| 2296 | * |
| 2297 | */ |
| 2298 | static ssize_t smk_write_load_self(struct file *file, const char __user *buf, |
| 2299 | size_t count, loff_t *ppos) |
| 2300 | { |
| 2301 | struct task_smack *tsp = current_security(); |
| 2302 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2303 | return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, |
| 2304 | &tsp->smk_rules_lock, SMK_FIXED24_FMT); |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2305 | } |
| 2306 | |
| 2307 | static const struct file_operations smk_load_self_ops = { |
| 2308 | .open = smk_open_load_self, |
| 2309 | .read = seq_read, |
| 2310 | .llseek = seq_lseek, |
| 2311 | .write = smk_write_load_self, |
| 2312 | .release = seq_release, |
| 2313 | }; |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 2314 | |
| 2315 | /** |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2316 | * smk_user_access - handle access check transaction |
| 2317 | * @file: file pointer |
| 2318 | * @buf: data from user space |
| 2319 | * @count: bytes sent |
| 2320 | * @ppos: where to start - must be 0 |
| 2321 | */ |
| 2322 | static ssize_t smk_user_access(struct file *file, const char __user *buf, |
| 2323 | size_t count, loff_t *ppos, int format) |
| 2324 | { |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 2325 | struct smack_parsed_rule rule; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2326 | char *data; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2327 | int res; |
| 2328 | |
| 2329 | data = simple_transaction_get(file, buf, count); |
| 2330 | if (IS_ERR(data)) |
| 2331 | return PTR_ERR(data); |
| 2332 | |
| 2333 | if (format == SMK_FIXED24_FMT) { |
| 2334 | if (count < SMK_LOADLEN) |
| 2335 | return -EINVAL; |
| 2336 | res = smk_parse_rule(data, &rule, 0); |
| 2337 | } else { |
| 2338 | /* |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 2339 | * simple_transaction_get() returns null-terminated data |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2340 | */ |
Rafal Krypa | 10289b0 | 2013-08-09 11:47:07 +0200 | [diff] [blame] | 2341 | res = smk_parse_long_rule(data, &rule, 0, 3); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2342 | } |
| 2343 | |
Jarkko Sakkinen | 398ce07 | 2013-11-28 19:16:46 +0200 | [diff] [blame] | 2344 | if (res >= 0) |
| 2345 | res = smk_access(rule.smk_subject, rule.smk_object, |
| 2346 | rule.smk_access1, NULL); |
| 2347 | else if (res != -ENOENT) |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2348 | return res; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2349 | |
Casey Schaufler | d166c80 | 2014-08-27 14:51:27 -0700 | [diff] [blame] | 2350 | /* |
| 2351 | * smk_access() can return a value > 0 in the "bringup" case. |
| 2352 | */ |
| 2353 | data[0] = res >= 0 ? '1' : '0'; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2354 | data[1] = '\0'; |
| 2355 | |
| 2356 | simple_transaction_set(file, 2); |
| 2357 | |
| 2358 | if (format == SMK_FIXED24_FMT) |
| 2359 | return SMK_LOADLEN; |
| 2360 | return count; |
| 2361 | } |
| 2362 | |
| 2363 | /** |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 2364 | * smk_write_access - handle access check transaction |
| 2365 | * @file: file pointer |
| 2366 | * @buf: data from user space |
| 2367 | * @count: bytes sent |
| 2368 | * @ppos: where to start - must be 0 |
| 2369 | */ |
| 2370 | static ssize_t smk_write_access(struct file *file, const char __user *buf, |
| 2371 | size_t count, loff_t *ppos) |
| 2372 | { |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2373 | return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT); |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 2374 | } |
| 2375 | |
| 2376 | static const struct file_operations smk_access_ops = { |
| 2377 | .write = smk_write_access, |
| 2378 | .read = simple_transaction_read, |
| 2379 | .release = simple_transaction_release, |
| 2380 | .llseek = generic_file_llseek, |
| 2381 | }; |
| 2382 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2383 | |
| 2384 | /* |
| 2385 | * Seq_file read operations for /smack/load2 |
| 2386 | */ |
| 2387 | |
| 2388 | static int load2_seq_show(struct seq_file *s, void *v) |
| 2389 | { |
| 2390 | struct list_head *list = v; |
| 2391 | struct smack_master_list *smlp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 2392 | list_entry_rcu(list, struct smack_master_list, list); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2393 | |
| 2394 | smk_rule_show(s, smlp->smk_rule, SMK_LONGLABEL); |
| 2395 | |
| 2396 | return 0; |
| 2397 | } |
| 2398 | |
| 2399 | static const struct seq_operations load2_seq_ops = { |
| 2400 | .start = load2_seq_start, |
| 2401 | .next = load2_seq_next, |
| 2402 | .show = load2_seq_show, |
| 2403 | .stop = smk_seq_stop, |
| 2404 | }; |
| 2405 | |
| 2406 | /** |
| 2407 | * smk_open_load2 - open() for /smack/load2 |
| 2408 | * @inode: inode structure representing file |
| 2409 | * @file: "load2" file pointer |
| 2410 | * |
| 2411 | * For reading, use load2_seq_* seq_file reading operations. |
| 2412 | */ |
| 2413 | static int smk_open_load2(struct inode *inode, struct file *file) |
| 2414 | { |
| 2415 | return seq_open(file, &load2_seq_ops); |
| 2416 | } |
| 2417 | |
| 2418 | /** |
| 2419 | * smk_write_load2 - write() for /smack/load2 |
| 2420 | * @file: file pointer, not actually used |
| 2421 | * @buf: where to get the data from |
| 2422 | * @count: bytes sent |
| 2423 | * @ppos: where to start - must be 0 |
| 2424 | * |
| 2425 | */ |
| 2426 | static ssize_t smk_write_load2(struct file *file, const char __user *buf, |
| 2427 | size_t count, loff_t *ppos) |
| 2428 | { |
| 2429 | /* |
| 2430 | * Must have privilege. |
| 2431 | */ |
Casey Schaufler | 1880eff | 2012-06-05 15:28:30 -0700 | [diff] [blame] | 2432 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2433 | return -EPERM; |
| 2434 | |
| 2435 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, |
| 2436 | SMK_LONG_FMT); |
| 2437 | } |
| 2438 | |
| 2439 | static const struct file_operations smk_load2_ops = { |
| 2440 | .open = smk_open_load2, |
| 2441 | .read = seq_read, |
| 2442 | .llseek = seq_lseek, |
| 2443 | .write = smk_write_load2, |
| 2444 | .release = seq_release, |
| 2445 | }; |
| 2446 | |
| 2447 | /* |
| 2448 | * Seq_file read operations for /smack/load-self2 |
| 2449 | */ |
| 2450 | |
| 2451 | static void *load_self2_seq_start(struct seq_file *s, loff_t *pos) |
| 2452 | { |
| 2453 | struct task_smack *tsp = current_security(); |
| 2454 | |
| 2455 | return smk_seq_start(s, pos, &tsp->smk_rules); |
| 2456 | } |
| 2457 | |
| 2458 | static void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 2459 | { |
| 2460 | struct task_smack *tsp = current_security(); |
| 2461 | |
| 2462 | return smk_seq_next(s, v, pos, &tsp->smk_rules); |
| 2463 | } |
| 2464 | |
| 2465 | static int load_self2_seq_show(struct seq_file *s, void *v) |
| 2466 | { |
| 2467 | struct list_head *list = v; |
| 2468 | struct smack_rule *srp = |
Rafal Krypa | 01fa847 | 2015-05-21 18:24:31 +0200 | [diff] [blame] | 2469 | list_entry_rcu(list, struct smack_rule, list); |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2470 | |
| 2471 | smk_rule_show(s, srp, SMK_LONGLABEL); |
| 2472 | |
| 2473 | return 0; |
| 2474 | } |
| 2475 | |
| 2476 | static const struct seq_operations load_self2_seq_ops = { |
| 2477 | .start = load_self2_seq_start, |
| 2478 | .next = load_self2_seq_next, |
| 2479 | .show = load_self2_seq_show, |
| 2480 | .stop = smk_seq_stop, |
| 2481 | }; |
| 2482 | |
| 2483 | /** |
| 2484 | * smk_open_load_self2 - open() for /smack/load-self2 |
| 2485 | * @inode: inode structure representing file |
| 2486 | * @file: "load" file pointer |
| 2487 | * |
| 2488 | * For reading, use load_seq_* seq_file reading operations. |
| 2489 | */ |
| 2490 | static int smk_open_load_self2(struct inode *inode, struct file *file) |
| 2491 | { |
| 2492 | return seq_open(file, &load_self2_seq_ops); |
| 2493 | } |
| 2494 | |
| 2495 | /** |
| 2496 | * smk_write_load_self2 - write() for /smack/load-self2 |
| 2497 | * @file: file pointer, not actually used |
| 2498 | * @buf: where to get the data from |
| 2499 | * @count: bytes sent |
| 2500 | * @ppos: where to start - must be 0 |
| 2501 | * |
| 2502 | */ |
| 2503 | static ssize_t smk_write_load_self2(struct file *file, const char __user *buf, |
| 2504 | size_t count, loff_t *ppos) |
| 2505 | { |
| 2506 | struct task_smack *tsp = current_security(); |
| 2507 | |
| 2508 | return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, |
| 2509 | &tsp->smk_rules_lock, SMK_LONG_FMT); |
| 2510 | } |
| 2511 | |
| 2512 | static const struct file_operations smk_load_self2_ops = { |
| 2513 | .open = smk_open_load_self2, |
| 2514 | .read = seq_read, |
| 2515 | .llseek = seq_lseek, |
| 2516 | .write = smk_write_load_self2, |
| 2517 | .release = seq_release, |
| 2518 | }; |
| 2519 | |
| 2520 | /** |
| 2521 | * smk_write_access2 - handle access check transaction |
| 2522 | * @file: file pointer |
| 2523 | * @buf: data from user space |
| 2524 | * @count: bytes sent |
| 2525 | * @ppos: where to start - must be 0 |
| 2526 | */ |
| 2527 | static ssize_t smk_write_access2(struct file *file, const char __user *buf, |
| 2528 | size_t count, loff_t *ppos) |
| 2529 | { |
| 2530 | return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT); |
| 2531 | } |
| 2532 | |
| 2533 | static const struct file_operations smk_access2_ops = { |
| 2534 | .write = smk_write_access2, |
| 2535 | .read = simple_transaction_read, |
| 2536 | .release = simple_transaction_release, |
| 2537 | .llseek = generic_file_llseek, |
| 2538 | }; |
| 2539 | |
Etienne Basset | ecfcc53 | 2009-04-08 20:40:06 +0200 | [diff] [blame] | 2540 | /** |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2541 | * smk_write_revoke_subj - write() for /smack/revoke-subject |
| 2542 | * @file: file pointer |
| 2543 | * @buf: data from user space |
| 2544 | * @count: bytes sent |
| 2545 | * @ppos: where to start - must be 0 |
| 2546 | */ |
| 2547 | static ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, |
| 2548 | size_t count, loff_t *ppos) |
| 2549 | { |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2550 | char *data; |
| 2551 | const char *cp; |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2552 | struct smack_known *skp; |
| 2553 | struct smack_rule *sp; |
| 2554 | struct list_head *rule_list; |
| 2555 | struct mutex *rule_lock; |
| 2556 | int rc = count; |
| 2557 | |
| 2558 | if (*ppos != 0) |
| 2559 | return -EINVAL; |
| 2560 | |
| 2561 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2562 | return -EPERM; |
| 2563 | |
| 2564 | if (count == 0 || count > SMK_LONGLABEL) |
| 2565 | return -EINVAL; |
| 2566 | |
| 2567 | data = kzalloc(count, GFP_KERNEL); |
| 2568 | if (data == NULL) |
| 2569 | return -ENOMEM; |
| 2570 | |
| 2571 | if (copy_from_user(data, buf, count) != 0) { |
| 2572 | rc = -EFAULT; |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2573 | goto out_data; |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2574 | } |
| 2575 | |
| 2576 | cp = smk_parse_smack(data, count); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2577 | if (IS_ERR(cp)) { |
| 2578 | rc = PTR_ERR(cp); |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2579 | goto out_data; |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2580 | } |
| 2581 | |
| 2582 | skp = smk_find_entry(cp); |
Rafal Krypa | d15d9fa | 2012-11-27 16:28:11 +0100 | [diff] [blame] | 2583 | if (skp == NULL) |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2584 | goto out_cp; |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2585 | |
| 2586 | rule_list = &skp->smk_rules; |
| 2587 | rule_lock = &skp->smk_rules_lock; |
| 2588 | |
| 2589 | mutex_lock(rule_lock); |
| 2590 | |
| 2591 | list_for_each_entry_rcu(sp, rule_list, list) |
| 2592 | sp->smk_access = 0; |
| 2593 | |
| 2594 | mutex_unlock(rule_lock); |
| 2595 | |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2596 | out_cp: |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2597 | kfree(cp); |
Dan Carpenter | 5430209 | 2015-06-11 11:51:16 +0300 | [diff] [blame] | 2598 | out_data: |
| 2599 | kfree(data); |
| 2600 | |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2601 | return rc; |
| 2602 | } |
| 2603 | |
| 2604 | static const struct file_operations smk_revoke_subj_ops = { |
| 2605 | .write = smk_write_revoke_subj, |
| 2606 | .read = simple_transaction_read, |
| 2607 | .release = simple_transaction_release, |
| 2608 | .llseek = generic_file_llseek, |
| 2609 | }; |
| 2610 | |
Casey Schaufler | e930723 | 2012-11-01 18:14:32 -0700 | [diff] [blame] | 2611 | /** |
| 2612 | * smk_init_sysfs - initialize /sys/fs/smackfs |
| 2613 | * |
| 2614 | */ |
| 2615 | static int smk_init_sysfs(void) |
| 2616 | { |
kbuild test robot | ca70d27 | 2015-06-24 07:41:07 +0800 | [diff] [blame] | 2617 | return sysfs_create_mount_point(fs_kobj, "smackfs"); |
Casey Schaufler | e930723 | 2012-11-01 18:14:32 -0700 | [diff] [blame] | 2618 | } |
| 2619 | |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2620 | /** |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 2621 | * smk_write_change_rule - write() for /smack/change-rule |
| 2622 | * @file: file pointer |
| 2623 | * @buf: data from user space |
| 2624 | * @count: bytes sent |
| 2625 | * @ppos: where to start - must be 0 |
| 2626 | */ |
| 2627 | static ssize_t smk_write_change_rule(struct file *file, const char __user *buf, |
| 2628 | size_t count, loff_t *ppos) |
| 2629 | { |
| 2630 | /* |
| 2631 | * Must have privilege. |
| 2632 | */ |
Casey Schaufler | 4afde48 | 2013-12-19 13:23:26 -0800 | [diff] [blame] | 2633 | if (!smack_privileged(CAP_MAC_ADMIN)) |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 2634 | return -EPERM; |
| 2635 | |
| 2636 | return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, |
| 2637 | SMK_CHANGE_FMT); |
| 2638 | } |
| 2639 | |
| 2640 | static const struct file_operations smk_change_rule_ops = { |
| 2641 | .write = smk_write_change_rule, |
| 2642 | .read = simple_transaction_read, |
| 2643 | .release = simple_transaction_release, |
| 2644 | .llseek = generic_file_llseek, |
| 2645 | }; |
| 2646 | |
| 2647 | /** |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2648 | * smk_read_syslog - read() for smackfs/syslog |
| 2649 | * @filp: file pointer, not actually used |
| 2650 | * @buf: where to put the result |
| 2651 | * @cn: maximum to send along |
| 2652 | * @ppos: where to start |
| 2653 | * |
| 2654 | * Returns number of bytes read or error code, as appropriate |
| 2655 | */ |
| 2656 | static ssize_t smk_read_syslog(struct file *filp, char __user *buf, |
| 2657 | size_t cn, loff_t *ppos) |
| 2658 | { |
| 2659 | struct smack_known *skp; |
| 2660 | ssize_t rc = -EINVAL; |
| 2661 | int asize; |
| 2662 | |
| 2663 | if (*ppos != 0) |
| 2664 | return 0; |
| 2665 | |
| 2666 | if (smack_syslog_label == NULL) |
| 2667 | skp = &smack_known_star; |
| 2668 | else |
| 2669 | skp = smack_syslog_label; |
| 2670 | |
| 2671 | asize = strlen(skp->smk_known) + 1; |
| 2672 | |
| 2673 | if (cn >= asize) |
| 2674 | rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known, |
| 2675 | asize); |
| 2676 | |
| 2677 | return rc; |
| 2678 | } |
| 2679 | |
| 2680 | /** |
| 2681 | * smk_write_syslog - write() for smackfs/syslog |
| 2682 | * @file: file pointer, not actually used |
| 2683 | * @buf: where to get the data from |
| 2684 | * @count: bytes sent |
| 2685 | * @ppos: where to start |
| 2686 | * |
| 2687 | * Returns number of bytes written or error code, as appropriate |
| 2688 | */ |
| 2689 | static ssize_t smk_write_syslog(struct file *file, const char __user *buf, |
| 2690 | size_t count, loff_t *ppos) |
| 2691 | { |
| 2692 | char *data; |
| 2693 | struct smack_known *skp; |
| 2694 | int rc = count; |
| 2695 | |
| 2696 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2697 | return -EPERM; |
| 2698 | |
Konstantin Khlebnikov | b862e56 | 2014-08-07 20:52:43 +0400 | [diff] [blame] | 2699 | data = kzalloc(count + 1, GFP_KERNEL); |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2700 | if (data == NULL) |
| 2701 | return -ENOMEM; |
| 2702 | |
| 2703 | if (copy_from_user(data, buf, count) != 0) |
| 2704 | rc = -EFAULT; |
| 2705 | else { |
| 2706 | skp = smk_import_entry(data, count); |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2707 | if (IS_ERR(skp)) |
| 2708 | rc = PTR_ERR(skp); |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2709 | else |
Lukasz Pawelczyk | e774ad6 | 2015-04-20 17:12:54 +0200 | [diff] [blame] | 2710 | smack_syslog_label = skp; |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2711 | } |
| 2712 | |
| 2713 | kfree(data); |
| 2714 | return rc; |
| 2715 | } |
| 2716 | |
| 2717 | static const struct file_operations smk_syslog_ops = { |
| 2718 | .read = smk_read_syslog, |
| 2719 | .write = smk_write_syslog, |
| 2720 | .llseek = default_llseek, |
| 2721 | }; |
| 2722 | |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2723 | /* |
| 2724 | * Seq_file read operations for /smack/relabel-self |
| 2725 | */ |
| 2726 | |
| 2727 | static void *relabel_self_seq_start(struct seq_file *s, loff_t *pos) |
| 2728 | { |
| 2729 | struct task_smack *tsp = current_security(); |
| 2730 | |
| 2731 | return smk_seq_start(s, pos, &tsp->smk_relabel); |
| 2732 | } |
| 2733 | |
| 2734 | static void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos) |
| 2735 | { |
| 2736 | struct task_smack *tsp = current_security(); |
| 2737 | |
| 2738 | return smk_seq_next(s, v, pos, &tsp->smk_relabel); |
| 2739 | } |
| 2740 | |
| 2741 | static int relabel_self_seq_show(struct seq_file *s, void *v) |
| 2742 | { |
| 2743 | struct list_head *list = v; |
| 2744 | struct smack_known_list_elem *sklep = |
| 2745 | list_entry(list, struct smack_known_list_elem, list); |
| 2746 | |
| 2747 | seq_puts(s, sklep->smk_label->smk_known); |
| 2748 | seq_putc(s, ' '); |
| 2749 | |
| 2750 | return 0; |
| 2751 | } |
| 2752 | |
| 2753 | static const struct seq_operations relabel_self_seq_ops = { |
| 2754 | .start = relabel_self_seq_start, |
| 2755 | .next = relabel_self_seq_next, |
| 2756 | .show = relabel_self_seq_show, |
| 2757 | .stop = smk_seq_stop, |
| 2758 | }; |
| 2759 | |
| 2760 | /** |
| 2761 | * smk_open_relabel_self - open() for /smack/relabel-self |
| 2762 | * @inode: inode structure representing file |
| 2763 | * @file: "relabel-self" file pointer |
| 2764 | * |
| 2765 | * Connect our relabel_self_seq_* operations with /smack/relabel-self |
| 2766 | * file_operations |
| 2767 | */ |
| 2768 | static int smk_open_relabel_self(struct inode *inode, struct file *file) |
| 2769 | { |
| 2770 | return seq_open(file, &relabel_self_seq_ops); |
| 2771 | } |
| 2772 | |
| 2773 | /** |
| 2774 | * smk_write_relabel_self - write() for /smack/relabel-self |
| 2775 | * @file: file pointer, not actually used |
| 2776 | * @buf: where to get the data from |
| 2777 | * @count: bytes sent |
| 2778 | * @ppos: where to start - must be 0 |
| 2779 | * |
| 2780 | */ |
| 2781 | static ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, |
| 2782 | size_t count, loff_t *ppos) |
| 2783 | { |
| 2784 | struct task_smack *tsp = current_security(); |
| 2785 | char *data; |
| 2786 | int rc; |
| 2787 | LIST_HEAD(list_tmp); |
| 2788 | |
| 2789 | /* |
| 2790 | * Must have privilege. |
| 2791 | */ |
| 2792 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2793 | return -EPERM; |
| 2794 | |
| 2795 | /* |
| 2796 | * Enough data must be present. |
| 2797 | */ |
| 2798 | if (*ppos != 0) |
| 2799 | return -EINVAL; |
| 2800 | |
| 2801 | data = kzalloc(count + 1, GFP_KERNEL); |
| 2802 | if (data == NULL) |
| 2803 | return -ENOMEM; |
| 2804 | |
| 2805 | if (copy_from_user(data, buf, count) != 0) { |
| 2806 | kfree(data); |
| 2807 | return -EFAULT; |
| 2808 | } |
| 2809 | |
| 2810 | rc = smk_parse_label_list(data, &list_tmp); |
| 2811 | kfree(data); |
| 2812 | |
| 2813 | if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { |
| 2814 | smk_destroy_label_list(&tsp->smk_relabel); |
| 2815 | list_splice(&list_tmp, &tsp->smk_relabel); |
| 2816 | return count; |
| 2817 | } |
| 2818 | |
| 2819 | smk_destroy_label_list(&list_tmp); |
| 2820 | return rc; |
| 2821 | } |
| 2822 | |
| 2823 | static const struct file_operations smk_relabel_self_ops = { |
| 2824 | .open = smk_open_relabel_self, |
| 2825 | .read = seq_read, |
| 2826 | .llseek = seq_lseek, |
| 2827 | .write = smk_write_relabel_self, |
| 2828 | .release = seq_release, |
| 2829 | }; |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2830 | |
| 2831 | /** |
Lukasz Pawelczyk | 6686781 | 2014-03-11 17:07:06 +0100 | [diff] [blame] | 2832 | * smk_read_ptrace - read() for /smack/ptrace |
| 2833 | * @filp: file pointer, not actually used |
| 2834 | * @buf: where to put the result |
| 2835 | * @count: maximum to send along |
| 2836 | * @ppos: where to start |
| 2837 | * |
| 2838 | * Returns number of bytes read or error code, as appropriate |
| 2839 | */ |
| 2840 | static ssize_t smk_read_ptrace(struct file *filp, char __user *buf, |
| 2841 | size_t count, loff_t *ppos) |
| 2842 | { |
| 2843 | char temp[32]; |
| 2844 | ssize_t rc; |
| 2845 | |
| 2846 | if (*ppos != 0) |
| 2847 | return 0; |
| 2848 | |
| 2849 | sprintf(temp, "%d\n", smack_ptrace_rule); |
| 2850 | rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); |
| 2851 | return rc; |
| 2852 | } |
| 2853 | |
| 2854 | /** |
| 2855 | * smk_write_ptrace - write() for /smack/ptrace |
| 2856 | * @file: file pointer |
| 2857 | * @buf: data from user space |
| 2858 | * @count: bytes sent |
| 2859 | * @ppos: where to start - must be 0 |
| 2860 | */ |
| 2861 | static ssize_t smk_write_ptrace(struct file *file, const char __user *buf, |
| 2862 | size_t count, loff_t *ppos) |
| 2863 | { |
| 2864 | char temp[32]; |
| 2865 | int i; |
| 2866 | |
| 2867 | if (!smack_privileged(CAP_MAC_ADMIN)) |
| 2868 | return -EPERM; |
| 2869 | |
| 2870 | if (*ppos != 0 || count >= sizeof(temp) || count == 0) |
| 2871 | return -EINVAL; |
| 2872 | |
| 2873 | if (copy_from_user(temp, buf, count) != 0) |
| 2874 | return -EFAULT; |
| 2875 | |
| 2876 | temp[count] = '\0'; |
| 2877 | |
| 2878 | if (sscanf(temp, "%d", &i) != 1) |
| 2879 | return -EINVAL; |
| 2880 | if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX) |
| 2881 | return -EINVAL; |
| 2882 | smack_ptrace_rule = i; |
| 2883 | |
| 2884 | return count; |
| 2885 | } |
| 2886 | |
| 2887 | static const struct file_operations smk_ptrace_ops = { |
| 2888 | .write = smk_write_ptrace, |
| 2889 | .read = smk_read_ptrace, |
| 2890 | .llseek = default_llseek, |
| 2891 | }; |
| 2892 | |
| 2893 | /** |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2894 | * smk_fill_super - fill the smackfs superblock |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2895 | * @sb: the empty superblock |
| 2896 | * @data: unused |
| 2897 | * @silent: unused |
| 2898 | * |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2899 | * Fill in the well known entries for the smack filesystem |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2900 | * |
| 2901 | * Returns 0 on success, an error code on failure |
| 2902 | */ |
| 2903 | static int smk_fill_super(struct super_block *sb, void *data, int silent) |
| 2904 | { |
| 2905 | int rc; |
| 2906 | struct inode *root_inode; |
| 2907 | |
| 2908 | static struct tree_descr smack_files[] = { |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2909 | [SMK_LOAD] = { |
| 2910 | "load", &smk_load_ops, S_IRUGO|S_IWUSR}, |
| 2911 | [SMK_CIPSO] = { |
| 2912 | "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR}, |
| 2913 | [SMK_DOI] = { |
| 2914 | "doi", &smk_doi_ops, S_IRUGO|S_IWUSR}, |
| 2915 | [SMK_DIRECT] = { |
| 2916 | "direct", &smk_direct_ops, S_IRUGO|S_IWUSR}, |
| 2917 | [SMK_AMBIENT] = { |
| 2918 | "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR}, |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 2919 | [SMK_NET4ADDR] = { |
| 2920 | "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2921 | [SMK_ONLYCAP] = { |
| 2922 | "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, |
| 2923 | [SMK_LOGGING] = { |
| 2924 | "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, |
| 2925 | [SMK_LOAD_SELF] = { |
| 2926 | "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, |
Jarkko Sakkinen | 828716c | 2011-09-08 10:12:01 +0300 | [diff] [blame] | 2927 | [SMK_ACCESSES] = { |
Jarkko Sakkinen | 0e94ae1 | 2011-10-18 21:21:36 +0300 | [diff] [blame] | 2928 | "access", &smk_access_ops, S_IRUGO|S_IWUGO}, |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 2929 | [SMK_MAPPED] = { |
| 2930 | "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR}, |
| 2931 | [SMK_LOAD2] = { |
| 2932 | "load2", &smk_load2_ops, S_IRUGO|S_IWUSR}, |
| 2933 | [SMK_LOAD_SELF2] = { |
| 2934 | "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO}, |
| 2935 | [SMK_ACCESS2] = { |
| 2936 | "access2", &smk_access2_ops, S_IRUGO|S_IWUGO}, |
| 2937 | [SMK_CIPSO2] = { |
| 2938 | "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR}, |
Rafal Krypa | 449543b | 2012-07-11 17:49:30 +0200 | [diff] [blame] | 2939 | [SMK_REVOKE_SUBJ] = { |
| 2940 | "revoke-subject", &smk_revoke_subj_ops, |
| 2941 | S_IRUGO|S_IWUSR}, |
Rafal Krypa | e05b6f9 | 2013-01-10 19:42:00 +0100 | [diff] [blame] | 2942 | [SMK_CHANGE_RULE] = { |
| 2943 | "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR}, |
Casey Schaufler | 00f84f3 | 2013-12-23 11:07:10 -0800 | [diff] [blame] | 2944 | [SMK_SYSLOG] = { |
| 2945 | "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR}, |
Lukasz Pawelczyk | 6686781 | 2014-03-11 17:07:06 +0100 | [diff] [blame] | 2946 | [SMK_PTRACE] = { |
| 2947 | "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR}, |
Casey Schaufler | bf4b2fe | 2015-03-21 18:26:40 -0700 | [diff] [blame] | 2948 | #ifdef CONFIG_SECURITY_SMACK_BRINGUP |
| 2949 | [SMK_UNCONFINED] = { |
| 2950 | "unconfined", &smk_unconfined_ops, S_IRUGO|S_IWUSR}, |
| 2951 | #endif |
Casey Schaufler | 21abb1e | 2015-07-22 14:25:31 -0700 | [diff] [blame] | 2952 | #if IS_ENABLED(CONFIG_IPV6) |
| 2953 | [SMK_NET6ADDR] = { |
| 2954 | "ipv6host", &smk_net6addr_ops, S_IRUGO|S_IWUSR}, |
| 2955 | #endif /* CONFIG_IPV6 */ |
Zbigniew Jasinski | 38416e5 | 2015-10-19 18:23:53 +0200 | [diff] [blame] | 2956 | [SMK_RELABEL_SELF] = { |
| 2957 | "relabel-self", &smk_relabel_self_ops, |
| 2958 | S_IRUGO|S_IWUGO}, |
Casey Schaufler | 7898e1f | 2011-01-17 08:05:27 -0800 | [diff] [blame] | 2959 | /* last one */ |
| 2960 | {""} |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2961 | }; |
| 2962 | |
| 2963 | rc = simple_fill_super(sb, SMACK_MAGIC, smack_files); |
| 2964 | if (rc != 0) { |
| 2965 | printk(KERN_ERR "%s failed %d while creating inodes\n", |
| 2966 | __func__, rc); |
| 2967 | return rc; |
| 2968 | } |
| 2969 | |
David Howells | ce0b16d | 2015-02-19 10:47:02 +0000 | [diff] [blame] | 2970 | root_inode = d_inode(sb->s_root); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2971 | |
| 2972 | return 0; |
| 2973 | } |
| 2974 | |
| 2975 | /** |
Al Viro | fc14f2f | 2010-07-25 01:48:30 +0400 | [diff] [blame] | 2976 | * smk_mount - get the smackfs superblock |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2977 | * @fs_type: passed along without comment |
| 2978 | * @flags: passed along without comment |
| 2979 | * @dev_name: passed along without comment |
| 2980 | * @data: passed along without comment |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2981 | * |
| 2982 | * Just passes everything along. |
| 2983 | * |
| 2984 | * Returns what the lower level code does. |
| 2985 | */ |
Al Viro | fc14f2f | 2010-07-25 01:48:30 +0400 | [diff] [blame] | 2986 | static struct dentry *smk_mount(struct file_system_type *fs_type, |
| 2987 | int flags, const char *dev_name, void *data) |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2988 | { |
Al Viro | fc14f2f | 2010-07-25 01:48:30 +0400 | [diff] [blame] | 2989 | return mount_single(fs_type, flags, data, smk_fill_super); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2990 | } |
| 2991 | |
| 2992 | static struct file_system_type smk_fs_type = { |
| 2993 | .name = "smackfs", |
Al Viro | fc14f2f | 2010-07-25 01:48:30 +0400 | [diff] [blame] | 2994 | .mount = smk_mount, |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 2995 | .kill_sb = kill_litter_super, |
| 2996 | }; |
| 2997 | |
| 2998 | static struct vfsmount *smackfs_mount; |
| 2999 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 3000 | static int __init smk_preset_netlabel(struct smack_known *skp) |
| 3001 | { |
| 3002 | skp->smk_netlabel.domain = skp->smk_known; |
| 3003 | skp->smk_netlabel.flags = |
| 3004 | NETLBL_SECATTR_DOMAIN | NETLBL_SECATTR_MLS_LVL; |
| 3005 | return smk_netlbl_mls(smack_cipso_direct, skp->smk_known, |
| 3006 | &skp->smk_netlabel, strlen(skp->smk_known)); |
| 3007 | } |
| 3008 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3009 | /** |
| 3010 | * init_smk_fs - get the smackfs superblock |
| 3011 | * |
| 3012 | * register the smackfs |
| 3013 | * |
Ahmed S. Darwish | 076c54c | 2008-03-06 18:09:10 +0200 | [diff] [blame] | 3014 | * Do not register smackfs if Smack wasn't enabled |
| 3015 | * on boot. We can not put this method normally under the |
| 3016 | * smack_init() code path since the security subsystem get |
| 3017 | * initialized before the vfs caches. |
| 3018 | * |
| 3019 | * Returns true if we were not chosen on boot or if |
| 3020 | * we were chosen and filesystem registration succeeded. |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3021 | */ |
| 3022 | static int __init init_smk_fs(void) |
| 3023 | { |
| 3024 | int err; |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 3025 | int rc; |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3026 | |
José Bollo | d21b7b0 | 2015-10-02 15:15:56 +0200 | [diff] [blame] | 3027 | if (smack_enabled == 0) |
Ahmed S. Darwish | 076c54c | 2008-03-06 18:09:10 +0200 | [diff] [blame] | 3028 | return 0; |
| 3029 | |
Casey Schaufler | e930723 | 2012-11-01 18:14:32 -0700 | [diff] [blame] | 3030 | err = smk_init_sysfs(); |
| 3031 | if (err) |
| 3032 | printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n"); |
| 3033 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3034 | err = register_filesystem(&smk_fs_type); |
| 3035 | if (!err) { |
| 3036 | smackfs_mount = kern_mount(&smk_fs_type); |
| 3037 | if (IS_ERR(smackfs_mount)) { |
| 3038 | printk(KERN_ERR "smackfs: could not mount!\n"); |
| 3039 | err = PTR_ERR(smackfs_mount); |
| 3040 | smackfs_mount = NULL; |
| 3041 | } |
| 3042 | } |
| 3043 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3044 | smk_cipso_doi(); |
Casey Schaufler | 4bc87e6 | 2008-02-15 15:24:25 -0800 | [diff] [blame] | 3045 | smk_unlbl_ambient(NULL); |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3046 | |
Casey Schaufler | f7112e6 | 2012-05-06 15:22:02 -0700 | [diff] [blame] | 3047 | rc = smk_preset_netlabel(&smack_known_floor); |
| 3048 | if (err == 0 && rc < 0) |
| 3049 | err = rc; |
| 3050 | rc = smk_preset_netlabel(&smack_known_hat); |
| 3051 | if (err == 0 && rc < 0) |
| 3052 | err = rc; |
| 3053 | rc = smk_preset_netlabel(&smack_known_huh); |
| 3054 | if (err == 0 && rc < 0) |
| 3055 | err = rc; |
| 3056 | rc = smk_preset_netlabel(&smack_known_invalid); |
| 3057 | if (err == 0 && rc < 0) |
| 3058 | err = rc; |
| 3059 | rc = smk_preset_netlabel(&smack_known_star); |
| 3060 | if (err == 0 && rc < 0) |
| 3061 | err = rc; |
| 3062 | rc = smk_preset_netlabel(&smack_known_web); |
| 3063 | if (err == 0 && rc < 0) |
| 3064 | err = rc; |
| 3065 | |
Casey Schaufler | e114e47 | 2008-02-04 22:29:50 -0800 | [diff] [blame] | 3066 | return err; |
| 3067 | } |
| 3068 | |
| 3069 | __initcall(init_smk_fs); |