| /* |
| * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> |
| * |
| * This program is free software; you can redistribute it and/or modify |
| * it under the terms of the GNU General Public License as published by |
| * the Free Software Foundation, version 2. |
| * |
| * Author: |
| * Casey Schaufler <casey@schaufler-ca.com> |
| * |
| */ |
| |
| #ifndef _SECURITY_SMACK_H |
| #define _SECURITY_SMACK_H |
| |
| #include <linux/capability.h> |
| #include <linux/spinlock.h> |
| #include <linux/security.h> |
| #include <linux/in.h> |
| #include <net/netlabel.h> |
| #include <linux/list.h> |
| #include <linux/rculist.h> |
| #include <linux/lsm_audit.h> |
| |
| /* |
| * Smack labels were limited to 23 characters for a long time. |
| */ |
| #define SMK_LABELLEN 24 |
| #define SMK_LONGLABEL 256 |
| |
| /* |
| * Maximum number of bytes for the levels in a CIPSO IP option. |
| * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is |
| * bigger than can be used, and 24 is the next lower multiple |
| * of 8, and there are too many issues if there isn't space set |
| * aside for the terminating null byte. |
| */ |
| #define SMK_CIPSOLEN 24 |
| |
| struct superblock_smack { |
| char *smk_root; |
| char *smk_floor; |
| char *smk_hat; |
| char *smk_default; |
| int smk_initialized; |
| }; |
| |
| struct socket_smack { |
| char *smk_out; /* outbound label */ |
| char *smk_in; /* inbound label */ |
| char *smk_packet; /* TCP peer label */ |
| }; |
| |
| /* |
| * Inode smack data |
| */ |
| struct inode_smack { |
| char *smk_inode; /* label of the fso */ |
| char *smk_task; /* label of the task */ |
| char *smk_mmap; /* label of the mmap domain */ |
| struct mutex smk_lock; /* initialization lock */ |
| int smk_flags; /* smack inode flags */ |
| }; |
| |
| struct task_smack { |
| char *smk_task; /* label for access control */ |
| char *smk_forked; /* label when forked */ |
| struct list_head smk_rules; /* per task access rules */ |
| struct mutex smk_rules_lock; /* lock for the rules */ |
| }; |
| |
| #define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ |
| #define SMK_INODE_TRANSMUTE 0x02 /* directory is transmuting */ |
| #define SMK_INODE_CHANGED 0x04 /* smack was transmuted */ |
| |
| /* |
| * A label access rule. |
| */ |
| struct smack_rule { |
| struct list_head list; |
| char *smk_subject; |
| char *smk_object; |
| int smk_access; |
| }; |
| |
| /* |
| * An entry in the table identifying hosts. |
| */ |
| struct smk_netlbladdr { |
| struct list_head list; |
| struct sockaddr_in smk_host; /* network address */ |
| struct in_addr smk_mask; /* network mask */ |
| char *smk_label; /* label */ |
| }; |
| |
| /* |
| * This is the repository for labels seen so that it is |
| * not necessary to keep allocating tiny chuncks of memory |
| * and so that they can be shared. |
| * |
| * Labels are never modified in place. Anytime a label |
| * is imported (e.g. xattrset on a file) the list is checked |
| * for it and it is added if it doesn't exist. The address |
| * is passed out in either case. Entries are added, but |
| * never deleted. |
| * |
| * Since labels are hanging around anyway it doesn't |
| * hurt to maintain a secid for those awkward situations |
| * where kernel components that ought to use LSM independent |
| * interfaces don't. The secid should go away when all of |
| * these components have been repaired. |
| * |
| * The cipso value associated with the label gets stored here, too. |
| * |
| * Keep the access rules for this subject label here so that |
| * the entire set of rules does not need to be examined every |
| * time. |
| */ |
| struct smack_known { |
| struct list_head list; |
| char *smk_known; |
| u32 smk_secid; |
| struct netlbl_lsm_secattr smk_netlabel; /* on wire labels */ |
| struct list_head smk_rules; /* access rules */ |
| struct mutex smk_rules_lock; /* lock for rules */ |
| }; |
| |
| /* |
| * Mount options |
| */ |
| #define SMK_FSDEFAULT "smackfsdef=" |
| #define SMK_FSFLOOR "smackfsfloor=" |
| #define SMK_FSHAT "smackfshat=" |
| #define SMK_FSROOT "smackfsroot=" |
| |
| #define SMACK_CIPSO_OPTION "-CIPSO" |
| |
| /* |
| * How communications on this socket are treated. |
| * Usually it's determined by the underlying netlabel code |
| * but there are certain cases, including single label hosts |
| * and potentially single label interfaces for which the |
| * treatment can not be known in advance. |
| * |
| * The possibility of additional labeling schemes being |
| * introduced in the future exists as well. |
| */ |
| #define SMACK_UNLABELED_SOCKET 0 |
| #define SMACK_CIPSO_SOCKET 1 |
| |
| /* |
| * CIPSO defaults. |
| */ |
| #define SMACK_CIPSO_DOI_DEFAULT 3 /* Historical */ |
| #define SMACK_CIPSO_DOI_INVALID -1 /* Not a DOI */ |
| #define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */ |
| #define SMACK_CIPSO_MAPPED_DEFAULT 251 /* Also arbitrary */ |
| #define SMACK_CIPSO_MAXCATVAL 63 /* Bigger gets harder */ |
| #define SMACK_CIPSO_MAXLEVEL 255 /* CIPSO 2.2 standard */ |
| #define SMACK_CIPSO_MAXCATNUM 239 /* CIPSO 2.2 standard */ |
| |
| /* |
| * Flag for transmute access |
| */ |
| #define MAY_TRANSMUTE 64 |
| /* |
| * Just to make the common cases easier to deal with |
| */ |
| #define MAY_ANYREAD (MAY_READ | MAY_EXEC) |
| #define MAY_READWRITE (MAY_READ | MAY_WRITE) |
| #define MAY_NOT 0 |
| |
| /* |
| * Number of access types used by Smack (rwxat) |
| */ |
| #define SMK_NUM_ACCESS_TYPE 5 |
| |
| /* SMACK data */ |
| struct smack_audit_data { |
| const char *function; |
| char *subject; |
| char *object; |
| char *request; |
| int result; |
| }; |
| |
| /* |
| * Smack audit data; is empty if CONFIG_AUDIT not set |
| * to save some stack |
| */ |
| struct smk_audit_info { |
| #ifdef CONFIG_AUDIT |
| struct common_audit_data a; |
| struct smack_audit_data sad; |
| #endif |
| }; |
| /* |
| * These functions are in smack_lsm.c |
| */ |
| struct inode_smack *new_inode_smack(char *); |
| |
| /* |
| * These functions are in smack_access.c |
| */ |
| int smk_access_entry(char *, char *, struct list_head *); |
| int smk_access(char *, char *, int, struct smk_audit_info *); |
| int smk_curacc(char *, u32, struct smk_audit_info *); |
| char *smack_from_secid(const u32); |
| char *smk_parse_smack(const char *string, int len); |
| int smk_netlbl_mls(int, char *, struct netlbl_lsm_secattr *, int); |
| char *smk_import(const char *, int); |
| struct smack_known *smk_import_entry(const char *, int); |
| struct smack_known *smk_find_entry(const char *); |
| u32 smack_to_secid(const char *); |
| |
| /* |
| * Shared data. |
| */ |
| extern int smack_cipso_direct; |
| extern int smack_cipso_mapped; |
| extern char *smack_net_ambient; |
| extern char *smack_onlycap; |
| extern const char *smack_cipso_option; |
| |
| extern struct smack_known smack_known_floor; |
| extern struct smack_known smack_known_hat; |
| extern struct smack_known smack_known_huh; |
| extern struct smack_known smack_known_invalid; |
| extern struct smack_known smack_known_star; |
| extern struct smack_known smack_known_web; |
| |
| extern struct mutex smack_known_lock; |
| extern struct list_head smack_known_list; |
| extern struct list_head smk_netlbladdr_list; |
| |
| extern struct security_operations smack_ops; |
| |
| /* |
| * Is the directory transmuting? |
| */ |
| static inline int smk_inode_transmutable(const struct inode *isp) |
| { |
| struct inode_smack *sip = isp->i_security; |
| return (sip->smk_flags & SMK_INODE_TRANSMUTE) != 0; |
| } |
| |
| /* |
| * Present a pointer to the smack label in an inode blob. |
| */ |
| static inline char *smk_of_inode(const struct inode *isp) |
| { |
| struct inode_smack *sip = isp->i_security; |
| return sip->smk_inode; |
| } |
| |
| /* |
| * Present a pointer to the smack label in an task blob. |
| */ |
| static inline char *smk_of_task(const struct task_smack *tsp) |
| { |
| return tsp->smk_task; |
| } |
| |
| /* |
| * Present a pointer to the forked smack label in an task blob. |
| */ |
| static inline char *smk_of_forked(const struct task_smack *tsp) |
| { |
| return tsp->smk_forked; |
| } |
| |
| /* |
| * Present a pointer to the smack label in the current task blob. |
| */ |
| static inline char *smk_of_current(void) |
| { |
| return smk_of_task(current_security()); |
| } |
| |
| /* |
| * Is the task privileged and allowed to be privileged |
| * by the onlycap rule. |
| */ |
| static inline int smack_privileged(int cap) |
| { |
| if (!capable(cap)) |
| return 0; |
| if (smack_onlycap == NULL || smack_onlycap == smk_of_current()) |
| return 1; |
| return 0; |
| } |
| |
| /* |
| * logging functions |
| */ |
| #define SMACK_AUDIT_DENIED 0x1 |
| #define SMACK_AUDIT_ACCEPT 0x2 |
| extern int log_policy; |
| |
| void smack_log(char *subject_label, char *object_label, |
| int request, |
| int result, struct smk_audit_info *auditdata); |
| |
| #ifdef CONFIG_AUDIT |
| |
| /* |
| * some inline functions to set up audit data |
| * they do nothing if CONFIG_AUDIT is not set |
| * |
| */ |
| static inline void smk_ad_init(struct smk_audit_info *a, const char *func, |
| char type) |
| { |
| memset(&a->sad, 0, sizeof(a->sad)); |
| a->a.type = type; |
| a->a.smack_audit_data = &a->sad; |
| a->a.smack_audit_data->function = func; |
| } |
| |
| static inline void smk_ad_init_net(struct smk_audit_info *a, const char *func, |
| char type, struct lsm_network_audit *net) |
| { |
| smk_ad_init(a, func, type); |
| memset(net, 0, sizeof(*net)); |
| a->a.u.net = net; |
| } |
| |
| static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, |
| struct task_struct *t) |
| { |
| a->a.u.tsk = t; |
| } |
| static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, |
| struct dentry *d) |
| { |
| a->a.u.dentry = d; |
| } |
| static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, |
| struct inode *i) |
| { |
| a->a.u.inode = i; |
| } |
| static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a, |
| struct path p) |
| { |
| a->a.u.path = p; |
| } |
| static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a, |
| struct sock *sk) |
| { |
| a->a.u.net->sk = sk; |
| } |
| |
| #else /* no AUDIT */ |
| |
| static inline void smk_ad_init(struct smk_audit_info *a, const char *func, |
| char type) |
| { |
| } |
| static inline void smk_ad_setfield_u_tsk(struct smk_audit_info *a, |
| struct task_struct *t) |
| { |
| } |
| static inline void smk_ad_setfield_u_fs_path_dentry(struct smk_audit_info *a, |
| struct dentry *d) |
| { |
| } |
| static inline void smk_ad_setfield_u_fs_path_mnt(struct smk_audit_info *a, |
| struct vfsmount *m) |
| { |
| } |
| static inline void smk_ad_setfield_u_fs_inode(struct smk_audit_info *a, |
| struct inode *i) |
| { |
| } |
| static inline void smk_ad_setfield_u_fs_path(struct smk_audit_info *a, |
| struct path p) |
| { |
| } |
| static inline void smk_ad_setfield_u_net_sk(struct smk_audit_info *a, |
| struct sock *sk) |
| { |
| } |
| #endif |
| |
| #endif /* _SECURITY_SMACK_H */ |