Lines Matching +full:sig +full:- +full:dir +full:- +full:cmd
1 // SPDX-License-Identifier: GPL-2.0-only
8 * Casey Schaufler <casey@schaufler-ca.com>
11 * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com>
12 * Copyright (C) 2009 Hewlett-Packard Development Company, L.P.
13 * Paul Moore <paul@paul-moore.com>
46 #include <linux/io_uring/cmd.h>
59 * SMACK64 - for access control,
60 * SMACK64TRANSMUTE - label initialization,
61 * Not saved on files - SMACK64IPIN and SMACK64IPOUT,
62 * Must be set explicitly - SMACK64EXEC and SMACK64MMAP
73 #define A(s) {"smack"#s, sizeof("smack"#s) - 1, Opt_##s}
79 {"smackfsdef", sizeof("smackfsdef") - 1, Opt_fsdefault},
127 sskp->smk_known, oskp->smk_known, acc, note); in smk_bu_note()
148 tsp->smk_task->smk_known, oskp->smk_known, in smk_bu_current()
149 acc, current->comm, note); in smk_bu_current()
170 tsp->smk_task->smk_known, smk_task->smk_known, acc, in smk_bu_task()
171 current->comm, otp->comm); in smk_bu_task()
185 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_inode()
187 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
195 isp->smk_flags |= SMK_INODE_IMPURE; in smk_bu_inode()
200 tsp->smk_task->smk_known, isp->smk_inode->smk_known, acc, in smk_bu_inode()
201 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_inode()
212 struct smack_known *sskp = tsp->smk_task; in smk_bu_file()
217 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_file()
219 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_file()
228 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_file()
229 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_file()
230 current->comm); in smk_bu_file()
242 struct smack_known *sskp = tsp->smk_task; in smk_bu_credfile()
247 if (isp->smk_flags & SMK_INODE_IMPURE) in smk_bu_credfile()
249 inode->i_sb->s_id, inode->i_ino, current->comm); in smk_bu_credfile()
258 sskp->smk_known, smk_of_inode(inode)->smk_known, acc, in smk_bu_credfile()
259 inode->i_sb->s_id, inode->i_ino, file, in smk_bu_credfile()
260 current->comm); in smk_bu_credfile()
268 * smk_fetch - Fetch the smack label from a file.
283 if (!(ip->i_opflags & IOP_XATTR)) in smk_fetch()
284 return ERR_PTR(-EOPNOTSUPP); in smk_fetch()
288 return ERR_PTR(-ENOMEM); in smk_fetch()
304 * init_inode_smack - initialize an inode security blob
313 isp->smk_inode = skp; in init_inode_smack()
314 isp->smk_flags = 0; in init_inode_smack()
318 * init_task_smack - initialize a task security blob
327 tsp->smk_task = task; in init_task_smack()
328 tsp->smk_forked = forked; in init_task_smack()
329 INIT_LIST_HEAD(&tsp->smk_rules); in init_task_smack()
330 INIT_LIST_HEAD(&tsp->smk_relabel); in init_task_smack()
331 mutex_init(&tsp->smk_rules_lock); in init_task_smack()
335 * smk_copy_rules - copy a rule set
340 * Returns 0 on success, -ENOMEM on error
352 rc = -ENOMEM; in smk_copy_rules()
356 list_add_rcu(&nrp->list, nhead); in smk_copy_rules()
362 * smk_copy_relabel - copy smk_relabel labels list
367 * Returns 0 on success, -ENOMEM on error
379 return -ENOMEM; in smk_copy_relabel()
381 nklep->smk_label = oklep->smk_label; in smk_copy_relabel()
382 list_add(&nklep->list, nhead); in smk_copy_relabel()
389 * smk_ptrace_mode - helper function for converting PTRACE_MODE_* into MAY_*
405 * smk_ptrace_rule_check - helper for ptrace access
411 * Returns 0 on access granted, -error on error
437 if (tracer_known->smk_known == tracee_known->smk_known) in smk_ptrace_rule_check()
440 rc = -EACCES; in smk_ptrace_rule_check()
444 rc = -EACCES; in smk_ptrace_rule_check()
447 smack_log(tracer_known->smk_known, in smk_ptrace_rule_check()
448 tracee_known->smk_known, in smk_ptrace_rule_check()
468 * smack_ptrace_access_check - Smack approval on PTRACE_ATTACH
486 * smack_ptrace_traceme - Smack approval on PTRACE_TRACEME
503 * smack_syslog - Smack approval on syslog
517 rc = -EACCES; in smack_syslog()
527 * smack_sb_alloc_security - allocate a superblock blob
530 * Returns 0 on success or -ENOMEM on error.
536 sbsp->smk_root = &smack_known_floor; in smack_sb_alloc_security()
537 sbsp->smk_default = &smack_known_floor; in smack_sb_alloc_security()
538 sbsp->smk_floor = &smack_known_floor; in smack_sb_alloc_security()
539 sbsp->smk_hat = &smack_known_hat; in smack_sb_alloc_security()
568 return -ENOMEM; in smack_add_opt()
572 return -ENOMEM; in smack_add_opt()
580 if (opts->fsdefault) in smack_add_opt()
582 opts->fsdefault = skp->smk_known; in smack_add_opt()
585 if (opts->fsfloor) in smack_add_opt()
587 opts->fsfloor = skp->smk_known; in smack_add_opt()
590 if (opts->fshat) in smack_add_opt()
592 opts->fshat = skp->smk_known; in smack_add_opt()
595 if (opts->fsroot) in smack_add_opt()
597 opts->fsroot = skp->smk_known; in smack_add_opt()
600 if (opts->fstransmute) in smack_add_opt()
602 opts->fstransmute = skp->smk_known; in smack_add_opt()
609 return -EINVAL; in smack_add_opt()
613 * smack_fs_context_submount - Initialise security data for a filesystem context
617 * Returns 0 on success or -ENOMEM on error.
628 return -ENOMEM; in smack_fs_context_submount()
629 fc->security = ctx; in smack_fs_context_submount()
632 isp = smack_inode(reference->s_root->d_inode); in smack_fs_context_submount()
634 if (sbsp->smk_default) { in smack_fs_context_submount()
635 ctx->fsdefault = kstrdup(sbsp->smk_default->smk_known, GFP_KERNEL); in smack_fs_context_submount()
636 if (!ctx->fsdefault) in smack_fs_context_submount()
637 return -ENOMEM; in smack_fs_context_submount()
640 if (sbsp->smk_floor) { in smack_fs_context_submount()
641 ctx->fsfloor = kstrdup(sbsp->smk_floor->smk_known, GFP_KERNEL); in smack_fs_context_submount()
642 if (!ctx->fsfloor) in smack_fs_context_submount()
643 return -ENOMEM; in smack_fs_context_submount()
646 if (sbsp->smk_hat) { in smack_fs_context_submount()
647 ctx->fshat = kstrdup(sbsp->smk_hat->smk_known, GFP_KERNEL); in smack_fs_context_submount()
648 if (!ctx->fshat) in smack_fs_context_submount()
649 return -ENOMEM; in smack_fs_context_submount()
652 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_fs_context_submount()
653 if (sbsp->smk_root) { in smack_fs_context_submount()
654 ctx->fstransmute = kstrdup(sbsp->smk_root->smk_known, GFP_KERNEL); in smack_fs_context_submount()
655 if (!ctx->fstransmute) in smack_fs_context_submount()
656 return -ENOMEM; in smack_fs_context_submount()
663 * smack_fs_context_dup - Duplicate the security data on fs_context duplication
667 * Returns 0 on success or -ENOMEM on error.
672 struct smack_mnt_opts *dst, *src = src_fc->security; in smack_fs_context_dup()
677 fc->security = kzalloc(sizeof(struct smack_mnt_opts), GFP_KERNEL); in smack_fs_context_dup()
678 if (!fc->security) in smack_fs_context_dup()
679 return -ENOMEM; in smack_fs_context_dup()
681 dst = fc->security; in smack_fs_context_dup()
682 dst->fsdefault = src->fsdefault; in smack_fs_context_dup()
683 dst->fsfloor = src->fsfloor; in smack_fs_context_dup()
684 dst->fshat = src->fshat; in smack_fs_context_dup()
685 dst->fsroot = src->fsroot; in smack_fs_context_dup()
686 dst->fstransmute = src->fstransmute; in smack_fs_context_dup()
702 * smack_fs_context_parse_param - Parse a single mount parameter
706 * Returns 0 on success, -ENOPARAM to pass the parameter on or anything else on
719 rc = smack_add_opt(opt, param->string, &fc->security); in smack_fs_context_parse_param()
721 param->string = NULL; in smack_fs_context_parse_param()
736 len = next - from; in smack_sb_eat_lsm_opts()
742 arg = kmemdup_nul(arg, from + len - arg, GFP_KERNEL); in smack_sb_eat_lsm_opts()
753 from--; in smack_sb_eat_lsm_opts()
770 * smack_set_mnt_opts - set Smack specific mount options
786 struct dentry *root = sb->s_root; in smack_set_mnt_opts()
794 if (sp->smk_flags & SMK_SB_INITIALIZED) in smack_set_mnt_opts()
802 return -EPERM; in smack_set_mnt_opts()
807 sp->smk_root = skp; in smack_set_mnt_opts()
808 sp->smk_default = skp; in smack_set_mnt_opts()
810 * For a handful of fs types with no user-controlled in smack_set_mnt_opts()
814 if (sb->s_user_ns != &init_user_ns && in smack_set_mnt_opts()
815 sb->s_magic != SYSFS_MAGIC && sb->s_magic != TMPFS_MAGIC && in smack_set_mnt_opts()
816 sb->s_magic != RAMFS_MAGIC) { in smack_set_mnt_opts()
818 sp->smk_flags |= SMK_SB_UNTRUSTED; in smack_set_mnt_opts()
822 sp->smk_flags |= SMK_SB_INITIALIZED; in smack_set_mnt_opts()
825 if (opts->fsdefault) { in smack_set_mnt_opts()
826 skp = smk_import_entry(opts->fsdefault, 0); in smack_set_mnt_opts()
829 sp->smk_default = skp; in smack_set_mnt_opts()
831 if (opts->fsfloor) { in smack_set_mnt_opts()
832 skp = smk_import_entry(opts->fsfloor, 0); in smack_set_mnt_opts()
835 sp->smk_floor = skp; in smack_set_mnt_opts()
837 if (opts->fshat) { in smack_set_mnt_opts()
838 skp = smk_import_entry(opts->fshat, 0); in smack_set_mnt_opts()
841 sp->smk_hat = skp; in smack_set_mnt_opts()
843 if (opts->fsroot) { in smack_set_mnt_opts()
844 skp = smk_import_entry(opts->fsroot, 0); in smack_set_mnt_opts()
847 sp->smk_root = skp; in smack_set_mnt_opts()
849 if (opts->fstransmute) { in smack_set_mnt_opts()
850 skp = smk_import_entry(opts->fstransmute, 0); in smack_set_mnt_opts()
853 sp->smk_root = skp; in smack_set_mnt_opts()
861 init_inode_smack(inode, sp->smk_root); in smack_set_mnt_opts()
865 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_set_mnt_opts()
872 * smack_sb_statfs - Smack check on statfs
880 struct superblock_smack *sbp = smack_superblock(dentry->d_sb); in smack_sb_statfs()
887 rc = smk_curacc(sbp->smk_floor, MAY_READ, &ad); in smack_sb_statfs()
888 rc = smk_bu_current("statfs", sbp->smk_floor, MAY_READ, rc); in smack_sb_statfs()
897 * smack_bprm_creds_for_exec - Update bprm->cred if needed for exec
900 * Returns 0 if it gets a blob, -EPERM if exec forbidden and -ENOMEM otherwise
904 struct inode *inode = file_inode(bprm->file); in smack_bprm_creds_for_exec()
905 struct task_smack *bsp = smack_cred(bprm->cred); in smack_bprm_creds_for_exec()
911 if (isp->smk_task == NULL || isp->smk_task == bsp->smk_task) in smack_bprm_creds_for_exec()
914 sbsp = smack_superblock(inode->i_sb); in smack_bprm_creds_for_exec()
915 if ((sbsp->smk_flags & SMK_SB_UNTRUSTED) && in smack_bprm_creds_for_exec()
916 isp->smk_task != sbsp->smk_root) in smack_bprm_creds_for_exec()
919 if (bprm->unsafe & LSM_UNSAFE_PTRACE) { in smack_bprm_creds_for_exec()
927 isp->smk_task, in smack_bprm_creds_for_exec()
935 if (bprm->unsafe & ~LSM_UNSAFE_PTRACE) in smack_bprm_creds_for_exec()
936 return -EPERM; in smack_bprm_creds_for_exec()
938 bsp->smk_task = isp->smk_task; in smack_bprm_creds_for_exec()
939 bprm->per_clear |= PER_CLEAR_ON_SETID; in smack_bprm_creds_for_exec()
942 if (bsp->smk_task != bsp->smk_forked) in smack_bprm_creds_for_exec()
943 bprm->secureexec = 1; in smack_bprm_creds_for_exec()
953 * smack_inode_alloc_security - allocate an inode blob
967 * smack_inode_init_security - copy out the smack from an inode
969 * @dir: containing directory object
972 * @xattr_count: current number of LSM-provided xattrs (updated)
974 * Returns 0 if it all works out, -ENOMEM if there's no memory
976 static int smack_inode_init_security(struct inode *inode, struct inode *dir, in smack_inode_init_security() argument
984 struct smack_known *dsp = smk_of_inode(dir); in smack_inode_init_security()
992 if (tsp->smk_task != tsp->smk_transmuted) { in smack_inode_init_security()
994 may = smk_access_entry(skp->smk_known, dsp->smk_known, in smack_inode_init_security()
995 &skp->smk_rules); in smack_inode_init_security()
1005 if ((tsp->smk_task == tsp->smk_transmuted) || in smack_inode_init_security()
1007 smk_inode_transmutable(dir))) { in smack_inode_init_security()
1016 if (tsp->smk_task != tsp->smk_transmuted) in smack_inode_init_security()
1017 isp = issp->smk_inode = dsp; in smack_inode_init_security()
1019 issp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_init_security()
1023 xattr_transmute->value = kmemdup(TRANS_TRUE, in smack_inode_init_security()
1026 if (!xattr_transmute->value) in smack_inode_init_security()
1027 return -ENOMEM; in smack_inode_init_security()
1029 xattr_transmute->value_len = TRANS_TRUE_SIZE; in smack_inode_init_security()
1030 xattr_transmute->name = XATTR_SMACK_TRANSMUTE; in smack_inode_init_security()
1034 issp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_init_security()
1037 xattr->value = kstrdup(isp->smk_known, GFP_NOFS); in smack_inode_init_security()
1038 if (!xattr->value) in smack_inode_init_security()
1039 return -ENOMEM; in smack_inode_init_security()
1041 xattr->value_len = strlen(isp->smk_known); in smack_inode_init_security()
1042 xattr->name = XATTR_SMACK_SUFFIX; in smack_inode_init_security()
1049 * smack_inode_link - Smack check on link
1051 * @dir: unused
1056 static int smack_inode_link(struct dentry *old_dentry, struct inode *dir, in smack_inode_link() argument
1081 * smack_inode_unlink - Smack check on inode deletion
1082 * @dir: containing directory object
1088 static int smack_inode_unlink(struct inode *dir, struct dentry *dentry) in smack_inode_unlink() argument
1107 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_unlink()
1108 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_unlink()
1109 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_unlink()
1115 * smack_inode_rmdir - Smack check on directory deletion
1116 * @dir: containing directory object
1122 static int smack_inode_rmdir(struct inode *dir, struct dentry *dentry) in smack_inode_rmdir() argument
1140 smk_ad_setfield_u_fs_inode(&ad, dir); in smack_inode_rmdir()
1141 rc = smk_curacc(smk_of_inode(dir), MAY_WRITE, &ad); in smack_inode_rmdir()
1142 rc = smk_bu_inode(dir, MAY_WRITE, rc); in smack_inode_rmdir()
1149 * smack_inode_rename - Smack check on rename
1186 * smack_inode_permission - Smack version of permission()
1196 struct superblock_smack *sbsp = smack_superblock(inode->i_sb); in smack_inode_permission()
1208 if (sbsp->smk_flags & SMK_SB_UNTRUSTED) { in smack_inode_permission()
1209 if (smk_of_inode(inode) != sbsp->smk_root) in smack_inode_permission()
1210 return -EACCES; in smack_inode_permission()
1215 return -ECHILD; in smack_inode_permission()
1224 * smack_inode_setattr - Smack check for setting attributes
1240 if (iattr->ia_valid & ATTR_FORCE) in smack_inode_setattr()
1251 * smack_inode_getattr - Smack check for getting attributes
1259 struct inode *inode = d_backing_inode(path->dentry); in smack_inode_getattr()
1270 * smack_inode_xattr_skipcap - Skip the xattr capability checks?
1297 * smack_inode_setxattr - Smack check for setting xattrs
1335 if (!S_ISDIR(d_backing_inode(dentry)->i_mode) || in smack_inode_setxattr()
1338 rc = -EINVAL; in smack_inode_setxattr()
1342 rc = -EPERM; in smack_inode_setxattr()
1350 rc = -EINVAL; in smack_inode_setxattr()
1365 * smack_inode_post_setxattr - Apply the Smack update approved above
1382 isp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_post_setxattr()
1389 isp->smk_inode = skp; in smack_inode_post_setxattr()
1393 isp->smk_task = skp; in smack_inode_post_setxattr()
1397 isp->smk_mmap = skp; in smack_inode_post_setxattr()
1404 * smack_inode_getxattr - Smack check on getxattr
1424 * smack_inode_removexattr - Smack check on removexattr
1447 rc = -EPERM; in smack_inode_removexattr()
1468 struct super_block *sbp = dentry->d_sb; in smack_inode_removexattr()
1471 isp->smk_inode = sbsp->smk_default; in smack_inode_removexattr()
1473 isp->smk_task = NULL; in smack_inode_removexattr()
1475 isp->smk_mmap = NULL; in smack_inode_removexattr()
1477 isp->smk_flags &= ~SMK_INODE_TRANSMUTE; in smack_inode_removexattr()
1483 * smack_inode_set_acl - Smack check for setting posix acls
1507 * smack_inode_get_acl - Smack check for getting posix acls
1529 * smack_inode_remove_acl - Smack check for getting posix acls
1551 * smack_inode_getsecurity - get smack xattrs
1577 if (ispp->smk_flags & SMK_INODE_TRANSMUTE) in smack_inode_getsecurity()
1585 sbp = ip->i_sb; in smack_inode_getsecurity()
1586 if (sbp->s_magic != SOCKFS_MAGIC) in smack_inode_getsecurity()
1587 return -EOPNOTSUPP; in smack_inode_getsecurity()
1590 if (sock == NULL || sock->sk == NULL) in smack_inode_getsecurity()
1591 return -EOPNOTSUPP; in smack_inode_getsecurity()
1593 ssp = smack_sock(sock->sk); in smack_inode_getsecurity()
1596 isp = ssp->smk_in; in smack_inode_getsecurity()
1598 isp = ssp->smk_out; in smack_inode_getsecurity()
1600 return -EOPNOTSUPP; in smack_inode_getsecurity()
1604 label = isp->smk_known; in smack_inode_getsecurity()
1611 return -ENOMEM; in smack_inode_getsecurity()
1619 * smack_inode_listsecurity - list the Smack attributes
1636 * smack_inode_getlsmprop - Extract inode's security id
1642 prop->smack.skp = smk_of_inode(inode); in smack_inode_getlsmprop()
1661 * smack_file_alloc_security - assign a file security blob
1681 * smack_file_ioctl - Smack check on ioctls
1683 * @cmd: what to do
1690 static int smack_file_ioctl(struct file *file, unsigned int cmd, in smack_file_ioctl() argument
1701 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_ioctl()
1703 if (_IOC_DIR(cmd) & _IOC_WRITE) { in smack_file_ioctl()
1708 if (rc == 0 && (_IOC_DIR(cmd) & _IOC_READ)) { in smack_file_ioctl()
1717 * smack_file_lock - Smack check on file locking
1719 * @cmd: unused
1723 static int smack_file_lock(struct file *file, unsigned int cmd) in smack_file_lock() argument
1733 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_lock()
1740 * smack_file_fcntl - Smack check on fcntl
1742 * @cmd: what action to check
1751 static int smack_file_fcntl(struct file *file, unsigned int cmd, in smack_file_fcntl() argument
1761 switch (cmd) { in smack_file_fcntl()
1767 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1774 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_fcntl()
1786 * smack_mmap_file - Check permissions for a mmap operation.
1819 if (isp->smk_mmap == NULL) in smack_mmap_file()
1821 sbsp = smack_superblock(file_inode(file)->i_sb); in smack_mmap_file()
1822 if (sbsp->smk_flags & SMK_SB_UNTRUSTED && in smack_mmap_file()
1823 isp->smk_mmap != sbsp->smk_root) in smack_mmap_file()
1824 return -EACCES; in smack_mmap_file()
1825 mkp = isp->smk_mmap; in smack_mmap_file()
1837 list_for_each_entry_rcu(srp, &skp->smk_rules, list) { in smack_mmap_file()
1838 okp = srp->smk_object; in smack_mmap_file()
1842 if (mkp->smk_known == okp->smk_known) in smack_mmap_file()
1848 may = smk_access_entry(srp->smk_subject->smk_known, in smack_mmap_file()
1849 okp->smk_known, in smack_mmap_file()
1850 &tsp->smk_rules); in smack_mmap_file()
1851 if (may == -ENOENT) in smack_mmap_file()
1852 may = srp->smk_access; in smack_mmap_file()
1854 may &= srp->smk_access; in smack_mmap_file()
1867 mmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1868 &mkp->smk_rules); in smack_mmap_file()
1869 if (mmay == -ENOENT) { in smack_mmap_file()
1870 rc = -EACCES; in smack_mmap_file()
1877 tmay = smk_access_entry(mkp->smk_known, okp->smk_known, in smack_mmap_file()
1878 &tsp->smk_rules); in smack_mmap_file()
1879 if (tmay != -ENOENT) in smack_mmap_file()
1888 rc = -EACCES; in smack_mmap_file()
1899 * smack_file_set_fowner - set the file security blob value
1911 * smack_file_send_sigiotask - Smack on sigio
1926 struct smack_known *tkp = smk_of_task(smack_cred(tsk->cred)); in smack_file_send_sigiotask()
1935 file = fown->file; in smack_file_send_sigiotask()
1951 smack_log(skp->smk_known, tkp->smk_known, MAY_DELIVER, rc, &ad); in smack_file_send_sigiotask()
1956 * smack_file_receive - Smack file receive check
1975 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_receive()
1977 if (inode->i_sb->s_magic == SOCKFS_MAGIC) { in smack_file_receive()
1979 ssp = smack_sock(sock->sk); in smack_file_receive()
1987 rc = smk_access(tsp->smk_task, ssp->smk_out, MAY_WRITE, &ad); in smack_file_receive()
1991 rc = smk_access(ssp->smk_in, tsp->smk_task, MAY_WRITE, &ad); in smack_file_receive()
1998 if (file->f_mode & FMODE_READ) in smack_file_receive()
2000 if (file->f_mode & FMODE_WRITE) in smack_file_receive()
2009 * smack_file_open - Smack dentry open processing
2015 * fd even if you have the file open write-only.
2021 struct task_smack *tsp = smack_cred(file->f_cred); in smack_file_open()
2027 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_file_open()
2029 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_file_open()
2039 * smack_cred_alloc_blank - "allocate" blank task-level security credentials
2055 * smack_cred_free - "free" task-level security credentials
2066 smk_destroy_label_list(&tsp->smk_relabel); in smack_cred_free()
2068 list_for_each_safe(l, n, &tsp->smk_rules) { in smack_cred_free()
2070 list_del(&rp->list); in smack_cred_free()
2076 * smack_cred_prepare - prepare new set of credentials for modification
2090 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_prepare()
2092 rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp); in smack_cred_prepare()
2096 rc = smk_copy_relabel(&new_tsp->smk_relabel, &old_tsp->smk_relabel, in smack_cred_prepare()
2102 * smack_cred_transfer - Transfer the old credentials to the new credentials
2113 init_task_smack(new_tsp, old_tsp->smk_task, old_tsp->smk_task); in smack_cred_transfer()
2117 * smack_cred_getsecid - get the secid corresponding to a creds structure
2129 *secid = skp->smk_secid; in smack_cred_getsecid()
2134 * smack_cred_getlsmprop - get the Smack label for a creds structure
2144 prop->smack.skp = smk_of_task(smack_cred(cred)); in smack_cred_getlsmprop()
2149 * smack_kernel_act_as - Set the subjective context in a set of credentials
2159 new_tsp->smk_task = smack_from_secid(secid); in smack_kernel_act_as()
2164 * smack_kernel_create_files_as - Set the file creation label in a set of creds
2177 tsp->smk_forked = isp->smk_inode; in smack_kernel_create_files_as()
2178 tsp->smk_task = tsp->smk_forked; in smack_kernel_create_files_as()
2183 * smk_curacc_on_task - helper to log task related access
2205 * smack_task_setpgid - Smack check on setting pgid
2217 * smack_task_getpgid - Smack access check for getpgid
2228 * smack_task_getsid - Smack access check for getsid
2239 * smack_current_getlsmprop_subj - get the subjective secid of the current task
2246 prop->smack.skp = smk_of_current(); in smack_current_getlsmprop_subj()
2250 * smack_task_getlsmprop_obj - get the objective data of the task
2259 prop->smack.skp = smk_of_task_struct_obj(p); in smack_task_getlsmprop_obj()
2263 * smack_task_setnice - Smack check on setting nice
2275 * smack_task_setioprio - Smack check on setting ioprio
2287 * smack_task_getioprio - Smack check on reading ioprio
2298 * smack_task_setscheduler - Smack check on setting scheduler
2309 * smack_task_getscheduler - Smack check on reading scheduler
2320 * smack_task_movememory - Smack check on moving memory
2331 * smack_task_kill - Smack check on signal delivery
2334 * @sig: unused
2341 int sig, const struct cred *cred) in smack_task_kill() argument
2348 if (!sig) in smack_task_kill()
2374 * smack_task_to_inode - copy task smack into the inode blob
2385 isp->smk_inode = skp; in smack_task_to_inode()
2386 isp->smk_flags |= SMK_INODE_INSTANT; in smack_task_to_inode()
2394 * smack_sk_alloc_security - Allocate a socket blob
2401 * Returns 0 on success, -ENOMEM is there's no memory
2411 if (unlikely(current->flags & PF_KTHREAD)) { in smack_sk_alloc_security()
2412 ssp->smk_in = &smack_known_web; in smack_sk_alloc_security()
2413 ssp->smk_out = &smack_known_web; in smack_sk_alloc_security()
2415 ssp->smk_in = skp; in smack_sk_alloc_security()
2416 ssp->smk_out = skp; in smack_sk_alloc_security()
2418 ssp->smk_packet = NULL; in smack_sk_alloc_security()
2425 * smack_sk_free_security - Free a socket blob
2434 if (sk->sk_family == PF_INET6) { in smack_sk_free_security()
2437 if (spp->smk_sock != sk) in smack_sk_free_security()
2439 spp->smk_can_reuse = 1; in smack_sk_free_security()
2448 * smack_sk_clone_security - Copy security context
2463 * smack_ipv4host_label - check host based restrictions
2477 struct in_addr *siap = &sip->sin_addr; in smack_ipv4host_label()
2479 if (siap->s_addr == 0) in smack_ipv4host_label()
2488 if (snp->smk_host.s_addr == in smack_ipv4host_label()
2489 (siap->s_addr & snp->smk_mask.s_addr)) in smack_ipv4host_label()
2490 return snp->smk_label; in smack_ipv4host_label()
2497 * smk_ipv6_localhost - Check for local ipv6 host address
2504 __be16 *be16p = (__be16 *)&sip->sin6_addr; in smk_ipv6_localhost()
2505 __be32 *be32p = (__be32 *)&sip->sin6_addr; in smk_ipv6_localhost()
2514 * smack_ipv6host_label - check host based restrictions
2528 struct in6_addr *sap = &sip->sin6_addr; in smack_ipv6host_label()
2543 if (snp->smk_label == NULL) in smack_ipv6host_label()
2551 if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) != in smack_ipv6host_label()
2552 snp->smk_host.s6_addr16[i]) { in smack_ipv6host_label()
2558 return snp->smk_label; in smack_ipv6host_label()
2566 * smack_netlbl_add - Set the secattr on a socket
2576 struct smack_known *skp = ssp->smk_out; in smack_netlbl_add()
2582 rc = netlbl_sock_setattr(sk, sk->sk_family, &skp->smk_netlabel, in smack_netlbl_add()
2586 ssp->smk_state = SMK_NETLBL_LABELED; in smack_netlbl_add()
2588 case -EDESTADDRREQ: in smack_netlbl_add()
2589 ssp->smk_state = SMK_NETLBL_REQSKB; in smack_netlbl_add()
2601 * smack_netlbl_delete - Remove the secattr from a socket
2613 if (ssp->smk_state != SMK_NETLBL_LABELED) in smack_netlbl_delete()
2621 ssp->smk_state = SMK_NETLBL_UNLABELED; in smack_netlbl_delete()
2625 * smk_ipv4_check - Perform IPv4 host access checks
2650 ad.a.u.net->family = sap->sin_family; in smk_ipv4_check()
2651 ad.a.u.net->dport = sap->sin_port; in smk_ipv4_check()
2652 ad.a.u.net->v4info.daddr = sap->sin_addr.s_addr; in smk_ipv4_check()
2654 skp = ssp->smk_out; in smk_ipv4_check()
2670 * smk_ipv6_check - check Smack access
2690 ad.a.u.net->family = PF_INET6; in smk_ipv6_check()
2691 ad.a.u.net->dport = address->sin6_port; in smk_ipv6_check()
2693 ad.a.u.net->v6info.saddr = address->sin6_addr; in smk_ipv6_check()
2695 ad.a.u.net->v6info.daddr = address->sin6_addr; in smk_ipv6_check()
2705 * smk_ipv6_port_label - Smack port access table management
2713 struct sock *sk = sock->sk; in smk_ipv6_port_label()
2715 struct socket_smack *ssp = smack_sock(sock->sk); in smk_ipv6_port_label()
2727 if (sk != spp->smk_sock) in smk_ipv6_port_label()
2729 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2730 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2743 port = ntohs(addr6->sin6_port); in smk_ipv6_port_label()
2756 if (spp->smk_port != port || spp->smk_sock_type != sock->type) in smk_ipv6_port_label()
2758 if (spp->smk_can_reuse != 1) { in smk_ipv6_port_label()
2762 spp->smk_port = port; in smk_ipv6_port_label()
2763 spp->smk_sock = sk; in smk_ipv6_port_label()
2764 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2765 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2766 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2778 spp->smk_port = port; in smk_ipv6_port_label()
2779 spp->smk_sock = sk; in smk_ipv6_port_label()
2780 spp->smk_in = ssp->smk_in; in smk_ipv6_port_label()
2781 spp->smk_out = ssp->smk_out; in smk_ipv6_port_label()
2782 spp->smk_sock_type = sock->type; in smk_ipv6_port_label()
2783 spp->smk_can_reuse = 0; in smk_ipv6_port_label()
2786 list_add_rcu(&spp->list, &smk_ipv6_port_list); in smk_ipv6_port_label()
2792 * smk_ipv6_port_check - check Smack port access
2810 object = ssp->smk_in; in smk_ipv6_port_check()
2812 skp = ssp->smk_out; in smk_ipv6_port_check()
2838 port = ntohs(address->sin6_port); in smk_ipv6_port_check()
2841 if (spp->smk_port != port || spp->smk_sock_type != sk->sk_type) in smk_ipv6_port_check()
2843 object = spp->smk_in; in smk_ipv6_port_check()
2845 ssp->smk_packet = spp->smk_out; in smk_ipv6_port_check()
2855 * smack_inode_setsecurity - set smack xattrs
2876 return -EINVAL; in smack_inode_setsecurity()
2879 if (!S_ISDIR(inode->i_mode) || size != TRANS_TRUE_SIZE || in smack_inode_setsecurity()
2881 return -EINVAL; in smack_inode_setsecurity()
2883 nsp->smk_flags |= SMK_INODE_TRANSMUTE; in smack_inode_setsecurity()
2892 nsp->smk_inode = skp; in smack_inode_setsecurity()
2893 nsp->smk_flags |= SMK_INODE_INSTANT; in smack_inode_setsecurity()
2899 if (inode->i_sb->s_magic != SOCKFS_MAGIC) in smack_inode_setsecurity()
2900 return -EOPNOTSUPP; in smack_inode_setsecurity()
2903 if (sock == NULL || sock->sk == NULL) in smack_inode_setsecurity()
2904 return -EOPNOTSUPP; in smack_inode_setsecurity()
2906 ssp = smack_sock(sock->sk); in smack_inode_setsecurity()
2909 ssp->smk_in = skp; in smack_inode_setsecurity()
2911 ssp->smk_out = skp; in smack_inode_setsecurity()
2912 if (sock->sk->sk_family == PF_INET) { in smack_inode_setsecurity()
2913 rc = smack_netlbl_add(sock->sk); in smack_inode_setsecurity()
2917 __func__, -rc); in smack_inode_setsecurity()
2920 return -EOPNOTSUPP; in smack_inode_setsecurity()
2923 if (sock->sk->sk_family == PF_INET6) in smack_inode_setsecurity()
2931 * smack_socket_post_create - finish socket setup
2947 if (sock->sk == NULL) in smack_socket_post_create()
2953 if (unlikely(current->flags & PF_KTHREAD)) { in smack_socket_post_create()
2954 ssp = smack_sock(sock->sk); in smack_socket_post_create()
2955 ssp->smk_in = &smack_known_web; in smack_socket_post_create()
2956 ssp->smk_out = &smack_known_web; in smack_socket_post_create()
2964 return smack_netlbl_add(sock->sk); in smack_socket_post_create()
2968 * smack_socket_socketpair - create socket pair
2979 struct socket_smack *asp = smack_sock(socka->sk); in smack_socket_socketpair()
2980 struct socket_smack *bsp = smack_sock(sockb->sk); in smack_socket_socketpair()
2982 asp->smk_packet = bsp->smk_out; in smack_socket_socketpair()
2983 bsp->smk_packet = asp->smk_out; in smack_socket_socketpair()
2990 * smack_socket_bind - record port binding information.
3002 if (sock->sk != NULL && sock->sk->sk_family == PF_INET6) { in smack_socket_bind()
3004 address->sa_family != AF_INET6) in smack_socket_bind()
3005 return -EINVAL; in smack_socket_bind()
3013 * smack_socket_connect - connect access check
3027 if (sock->sk == NULL) in smack_socket_connect()
3029 if (sock->sk->sk_family != PF_INET && in smack_socket_connect()
3030 (!IS_ENABLED(CONFIG_IPV6) || sock->sk->sk_family != PF_INET6)) in smack_socket_connect()
3036 if (sap->sa_family == AF_INET6) { in smack_socket_connect()
3045 struct socket_smack *ssp = smack_sock(sock->sk); in smack_socket_connect()
3047 rc = smk_ipv6_check(ssp->smk_out, rsp, sip, in smack_socket_connect()
3051 rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING); in smack_socket_connect()
3058 if (sap->sa_family != AF_INET || addrlen < sizeof(struct sockaddr_in)) in smack_socket_connect()
3060 rc = smk_ipv4_check(sock->sk, (struct sockaddr_in *)sap); in smack_socket_connect()
3065 * smack_flags_to_may - convert S_ to MAY_ values
3085 * smack_msg_msg_alloc_security - Set the security blob for msg_msg
3099 * smack_of_ipc - the smack pointer for the ipc
3112 * smack_ipc_alloc_security - Set the security blob for ipc
3140 ad.a.u.ipc_id = isp->id; in smk_curacc_shm()
3148 * smack_shm_associate - Smack access check for shm
3163 * smack_shm_shmctl - Smack access check for shm
3165 * @cmd: what it wants to do
3169 static int smack_shm_shmctl(struct kern_ipc_perm *isp, int cmd) in smack_shm_shmctl() argument
3173 switch (cmd) { in smack_shm_shmctl()
3192 return -EINVAL; in smack_shm_shmctl()
3198 * smack_shm_shmat - Smack access for shmat
3229 ad.a.u.ipc_id = isp->id; in smk_curacc_sem()
3237 * smack_sem_associate - Smack access check for sem
3252 * smack_sem_semctl - Smack access check for sem
3254 * @cmd: what it wants to do
3258 static int smack_sem_semctl(struct kern_ipc_perm *isp, int cmd) in smack_sem_semctl() argument
3262 switch (cmd) { in smack_sem_semctl()
3286 return -EINVAL; in smack_sem_semctl()
3293 * smack_sem_semop - Smack checks of semaphore operations
3324 ad.a.u.ipc_id = isp->id; in smk_curacc_msq()
3332 * smack_msg_queue_associate - Smack access check for msg_queue
3347 * smack_msg_queue_msgctl - Smack access check for msg_queue
3349 * @cmd: what it wants to do
3353 static int smack_msg_queue_msgctl(struct kern_ipc_perm *isp, int cmd) in smack_msg_queue_msgctl() argument
3357 switch (cmd) { in smack_msg_queue_msgctl()
3374 return -EINVAL; in smack_msg_queue_msgctl()
3381 * smack_msg_queue_msgsnd - Smack access check for msg_queue
3398 * smack_msg_queue_msgrcv - Smack access check for msg_queue
3416 * smack_ipc_permission - Smack access for ipc_permission()
3432 ad.a.u.ipc_id = ipp->id; in smack_ipc_permission()
3440 * smack_ipc_getlsmprop - Extract smack security data
3448 prop->smack.skp = *iskpp; in smack_ipc_getlsmprop()
3452 * smack_d_instantiate - Make sure the blob is correct on an inode
3480 if (isp->smk_flags & SMK_INODE_INSTANT) in smack_d_instantiate()
3483 sbp = inode->i_sb; in smack_d_instantiate()
3489 final = sbsp->smk_default; in smack_d_instantiate()
3497 if (opt_dentry->d_parent == opt_dentry) { in smack_d_instantiate()
3498 switch (sbp->s_magic) { in smack_d_instantiate()
3506 sbsp->smk_root = &smack_known_star; in smack_d_instantiate()
3507 sbsp->smk_default = &smack_known_star; in smack_d_instantiate()
3508 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3515 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3518 isp->smk_inode = smk_of_current(); in smack_d_instantiate()
3525 isp->smk_inode = &smack_known_star; in smack_d_instantiate()
3528 isp->smk_inode = sbsp->smk_root; in smack_d_instantiate()
3531 isp->smk_flags |= SMK_INODE_INSTANT; in smack_d_instantiate()
3541 switch (sbp->s_magic) { in smack_d_instantiate()
3591 if (S_ISSOCK(inode->i_mode)) { in smack_d_instantiate()
3601 if (!(inode->i_opflags & IOP_XATTR)) in smack_d_instantiate()
3614 if (S_ISDIR(inode->i_mode)) { in smack_d_instantiate()
3629 rc = -EINVAL; in smack_d_instantiate()
3640 isp->smk_task = skp; in smack_d_instantiate()
3646 isp->smk_mmap = skp; in smack_d_instantiate()
3653 isp->smk_inode = ckp; in smack_d_instantiate()
3655 isp->smk_inode = final; in smack_d_instantiate()
3657 isp->smk_flags |= (SMK_INODE_INSTANT | transflag); in smack_d_instantiate()
3663 * smack_getselfattr - Smack current process attribute
3682 return -EOPNOTSUPP; in smack_getselfattr()
3686 skp->smk_known, strlen(skp->smk_known) + 1, in smack_getselfattr()
3692 * smack_getprocattr - Smack process attribute access
3708 return -EINVAL; in smack_getprocattr()
3710 cp = kstrdup(skp->smk_known, GFP_KERNEL); in smack_getprocattr()
3712 return -ENOMEM; in smack_getprocattr()
3720 * do_setattr - Smack process attribute setting
3738 if (!smack_privileged(CAP_MAC_ADMIN) && list_empty(&tsp->smk_relabel)) in do_setattr()
3739 return -EPERM; in do_setattr()
3742 return -EINVAL; in do_setattr()
3745 return -EOPNOTSUPP; in do_setattr()
3756 return -EINVAL; in do_setattr()
3759 rc = -EPERM; in do_setattr()
3760 list_for_each_entry(sklep, &tsp->smk_relabel, list) in do_setattr()
3761 if (sklep->smk_label == skp) { in do_setattr()
3771 return -ENOMEM; in do_setattr()
3774 tsp->smk_task = skp; in do_setattr()
3778 smk_destroy_label_list(&tsp->smk_relabel); in do_setattr()
3785 * smack_setselfattr - Set a Smack process attribute
3801 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); in smack_setselfattr()
3808 * smack_setprocattr - Smack process attribute setting
3824 return -EINVAL; in smack_setprocattr()
3828 * smack_unix_stream_connect - Smack access on UDS
3851 skp = ssp->smk_out; in smack_unix_stream_connect()
3852 okp = osp->smk_in; in smack_unix_stream_connect()
3860 okp = osp->smk_out; in smack_unix_stream_connect()
3861 skp = ssp->smk_in; in smack_unix_stream_connect()
3872 nsp->smk_packet = ssp->smk_out; in smack_unix_stream_connect()
3873 ssp->smk_packet = osp->smk_out; in smack_unix_stream_connect()
3878 nsp->smk_out = osp->smk_out; in smack_unix_stream_connect()
3879 nsp->smk_in = osp->smk_in; in smack_unix_stream_connect()
3886 * smack_unix_may_send - Smack access on UDS
3895 struct socket_smack *ssp = smack_sock(sock->sk); in smack_unix_may_send()
3896 struct socket_smack *osp = smack_sock(other->sk); in smack_unix_may_send()
3904 smk_ad_setfield_u_net_sk(&ad, other->sk); in smack_unix_may_send()
3910 rc = smk_access(ssp->smk_out, osp->smk_in, MAY_WRITE, &ad); in smack_unix_may_send()
3911 rc = smk_bu_note("UDS send", ssp->smk_out, osp->smk_in, MAY_WRITE, rc); in smack_unix_may_send()
3916 * smack_socket_sendmsg - Smack check based on destination host
3928 struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name; in smack_socket_sendmsg()
3930 struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name; in smack_socket_sendmsg()
3933 struct socket_smack *ssp = smack_sock(sock->sk); in smack_socket_sendmsg()
3944 switch (sock->sk->sk_family) { in smack_socket_sendmsg()
3946 if (msg->msg_namelen < sizeof(struct sockaddr_in) || in smack_socket_sendmsg()
3947 sip->sin_family != AF_INET) in smack_socket_sendmsg()
3948 return -EINVAL; in smack_socket_sendmsg()
3949 rc = smk_ipv4_check(sock->sk, sip); in smack_socket_sendmsg()
3953 if (msg->msg_namelen < SIN6_LEN_RFC2133 || in smack_socket_sendmsg()
3954 sap->sin6_family != AF_INET6) in smack_socket_sendmsg()
3955 return -EINVAL; in smack_socket_sendmsg()
3959 rc = smk_ipv6_check(ssp->smk_out, rsp, sap, in smack_socket_sendmsg()
3963 rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING); in smack_socket_sendmsg()
3972 * smack_from_secattr - Convert a netlabel attr.mls.lvl/attr.mls.cat pair to smack
3989 if ((sap->flags & NETLBL_SECATTR_CACHE) != 0) in smack_from_secattr()
3990 return (struct smack_known *)sap->cache->data; in smack_from_secattr()
3992 if ((sap->flags & NETLBL_SECATTR_SECID) != 0) in smack_from_secattr()
3996 return smack_from_secid(sap->attr.secid); in smack_from_secattr()
3998 if ((sap->flags & NETLBL_SECATTR_MLS_LVL) != 0) { in smack_from_secattr()
4011 if (sap->attr.mls.lvl != skp->smk_netlabel.attr.mls.lvl) in smack_from_secattr()
4016 if ((sap->flags & NETLBL_SECATTR_MLS_CAT) == 0) { in smack_from_secattr()
4017 if ((skp->smk_netlabel.flags & in smack_from_secattr()
4022 for (acat = -1, kcat = -1; acat == kcat; ) { in smack_from_secattr()
4023 acat = netlbl_catmap_walk(sap->attr.mls.cat, in smack_from_secattr()
4026 skp->smk_netlabel.attr.mls.cat, in smack_from_secattr()
4041 if (ssp != NULL && ssp->smk_in == &smack_known_star) in smack_from_secattr()
4058 int proto = -EINVAL; in smk_skb_to_addr_ipv6()
4066 sip->sin6_port = 0; in smk_skb_to_addr_ipv6()
4071 return -EINVAL; in smk_skb_to_addr_ipv6()
4072 sip->sin6_addr = ip6->saddr; in smk_skb_to_addr_ipv6()
4074 nexthdr = ip6->nexthdr; in smk_skb_to_addr_ipv6()
4078 return -EINVAL; in smk_skb_to_addr_ipv6()
4085 sip->sin6_port = th->source; in smk_skb_to_addr_ipv6()
4091 sip->sin6_port = uh->source; in smk_skb_to_addr_ipv6()
4096 sip->sin6_port = dh->dccph_sport; in smk_skb_to_addr_ipv6()
4104 * smack_from_skb - Smack data from the secmark in an skb
4112 if (skb == NULL || skb->secmark == 0) in smack_from_skb()
4115 return smack_from_secid(skb->secmark); in smack_from_skb()
4125 * smack_from_netlbl - Smack data from the IP options in an skb
4150 netlbl_cache_add(skb, family, &skp->smk_netlabel); in smack_from_netlbl()
4159 * smack_socket_sock_rcv_skb - Smack packet delivery access check
4171 u16 family = sk->sk_family; in smack_socket_sock_rcv_skb()
4179 if (family == PF_INET6 && skb->protocol == htons(ETH_P_IP)) in smack_socket_sock_rcv_skb()
4199 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4200 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4209 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4210 rc = smk_bu_note("IPv4 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4232 ad.a.u.net->family = family; in smack_socket_sock_rcv_skb()
4233 ad.a.u.net->netif = skb->skb_iif; in smack_socket_sock_rcv_skb()
4236 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_socket_sock_rcv_skb()
4237 rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in, in smack_socket_sock_rcv_skb()
4254 * smack_socket_getpeersec_stream - pull in packet label
4271 ssp = smack_sock(sock->sk); in smack_socket_getpeersec_stream()
4272 if (ssp->smk_packet != NULL) { in smack_socket_getpeersec_stream()
4273 rcp = ssp->smk_packet->smk_known; in smack_socket_getpeersec_stream()
4277 rc = -ERANGE; in smack_socket_getpeersec_stream()
4282 rc = -EFAULT; in smack_socket_getpeersec_stream()
4285 rc = -EFAULT; in smack_socket_getpeersec_stream()
4291 * smack_socket_getpeersec_dgram - pull in packet label
4309 if (skb->protocol == htons(ETH_P_IP)) in smack_socket_getpeersec_dgram()
4312 else if (skb->protocol == htons(ETH_P_IPV6)) in smack_socket_getpeersec_dgram()
4317 family = sock->sk->sk_family; in smack_socket_getpeersec_dgram()
4321 ssp = smack_sock(sock->sk); in smack_socket_getpeersec_dgram()
4322 s = ssp->smk_out->smk_secid; in smack_socket_getpeersec_dgram()
4327 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4334 sk = sock->sk; in smack_socket_getpeersec_dgram()
4337 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4343 s = skp->smk_secid; in smack_socket_getpeersec_dgram()
4349 return -EINVAL; in smack_socket_getpeersec_dgram()
4354 * smack_inet_conn_request - Smack access check on connect
4365 u16 family = sk->sk_family; in smack_inet_conn_request()
4384 if (skb->protocol == htons(ETH_P_IP)) in smack_inet_conn_request()
4405 ad.a.u.net->family = family; in smack_inet_conn_request()
4406 ad.a.u.net->netif = skb->skb_iif; in smack_inet_conn_request()
4413 rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad); in smack_inet_conn_request()
4414 rc = smk_bu_note("IPv4 connect", skp, ssp->smk_in, MAY_WRITE, rc); in smack_inet_conn_request()
4422 req->peer_secid = skp->smk_secid; in smack_inet_conn_request()
4427 * propagate the wire-label to the sock when it is created. in smack_inet_conn_request()
4430 addr.sin_addr.s_addr = hdr->saddr; in smack_inet_conn_request()
4436 rc = netlbl_req_setattr(req, &ssp->smk_out->smk_netlabel); in smack_inet_conn_request()
4444 * smack_inet_csk_clone - Copy the connection information to the new socket
4456 if (req->peer_secid != 0) { in smack_inet_csk_clone()
4457 skp = smack_from_secid(req->peer_secid); in smack_inet_csk_clone()
4458 ssp->smk_packet = skp; in smack_inet_csk_clone()
4460 ssp->smk_packet = NULL; in smack_inet_csk_clone()
4473 * smack_key_alloc - Set the key security blob
4493 * smack_key_permission - Smack access on a key
4534 return -EINVAL; in smack_key_permission()
4539 return -EINVAL; in smack_key_permission()
4552 return -EACCES; in smack_key_permission()
4559 ad.a.u.key_struct.key = keyp->serial; in smack_key_permission()
4560 ad.a.u.key_struct.key_desc = keyp->description; in smack_key_permission()
4568 * smack_key_getsecurity - Smack label tagging the key
4572 * Return the length of the string (including terminating NUL) or -ve if
4588 copy = kstrdup(skp->smk_known, GFP_KERNEL); in smack_key_getsecurity()
4590 return -ENOMEM; in smack_key_getsecurity()
4600 * smack_watch_key - Smack access to watch a key for notifications.
4603 * Return 0 if the @watch->cred has permission to read from the key object and
4617 return -EACCES; in smack_watch_key()
4624 ad.a.u.key_struct.key = key->serial; in smack_watch_key()
4625 ad.a.u.key_struct.key_desc = key->description; in smack_watch_key()
4636 * smack_post_notification - Smack access to post a notification to a queue
4650 if (n->type == WATCH_TYPE_META) in smack_post_notification()
4681 * smack_audit_rule_init - Initialize a smack audit rule
4682 * @field: audit rule fields given from user-space (audit.h)
4699 return -EINVAL; in smack_audit_rule_init()
4702 return -EINVAL; in smack_audit_rule_init()
4708 *rule = skp->smk_known; in smack_audit_rule_init()
4714 * smack_audit_rule_known - Distinguish Smack audit rules
4726 for (i = 0; i < krule->field_count; i++) { in smack_audit_rule_known()
4727 f = &krule->fields[i]; in smack_audit_rule_known()
4729 if (f->type == AUDIT_SUBJ_USER || f->type == AUDIT_OBJ_USER) in smack_audit_rule_known()
4737 * smack_audit_rule_match - Audit given object ?
4739 * @field: audit rule flags given from user-space
4749 struct smack_known *skp = prop->smack.skp; in smack_audit_rule_match()
4754 return -ENOENT; in smack_audit_rule_match()
4766 return (rule == skp->smk_known); in smack_audit_rule_match()
4768 return (rule != skp->smk_known); in smack_audit_rule_match()
4781 * smack_ismaclabel - check if xattr @name references a smack MAC label
4790 * smack_to_secctx - fill a lsm_context
4798 int len = strlen(skp->smk_known); in smack_to_secctx()
4801 cp->context = skp->smk_known; in smack_to_secctx()
4802 cp->len = len; in smack_to_secctx()
4803 cp->id = LSM_ID_SMACK; in smack_to_secctx()
4809 * smack_secid_to_secctx - return the smack label for a secid
4821 * smack_lsmprop_to_secctx - return the smack label
4830 return smack_to_secctx(prop->smack.skp, cp); in smack_lsmprop_to_secctx()
4834 * smack_secctx_to_secid - return the secid for a smack label
4846 *secid = skp->smk_secid; in smack_secctx_to_secid()
4874 cp->context = skp->smk_known; in smack_inode_getsecctx()
4875 cp->len = strlen(skp->smk_known); in smack_inode_getsecctx()
4876 cp->id = LSM_ID_SMACK; in smack_inode_getsecctx()
4891 return -ENOMEM; in smack_inode_copy_up()
4900 skp = isp->smk_inode; in smack_inode_copy_up()
4901 tsp->smk_task = skp; in smack_inode_copy_up()
4909 * Return -ECANCELED if this is the smack access Smack attribute. in smack_inode_copy_up_xattr()
4912 return -ECANCELED; in smack_inode_copy_up_xattr()
4914 return -EOPNOTSUPP; in smack_inode_copy_up_xattr()
4931 ntsp->smk_task = otsp->smk_task; in smack_dentry_create_files_as()
4936 isp = smack_inode(d_inode(dentry->d_parent)); in smack_dentry_create_files_as()
4938 if (isp->smk_flags & SMK_INODE_TRANSMUTE) { in smack_dentry_create_files_as()
4940 may = smk_access_entry(otsp->smk_task->smk_known, in smack_dentry_create_files_as()
4941 isp->smk_inode->smk_known, in smack_dentry_create_files_as()
4942 &otsp->smk_task->smk_rules); in smack_dentry_create_files_as()
4951 ntsp->smk_task = isp->smk_inode; in smack_dentry_create_files_as()
4952 ntsp->smk_transmuted = ntsp->smk_task; in smack_dentry_create_files_as()
4960 * smack_uring_override_creds - Is io_uring cred override allowed?
4975 if (tsp->smk_task == nsp->smk_task) in smack_uring_override_creds()
4981 return -EPERM; in smack_uring_override_creds()
4985 * smack_uring_sqpoll - check if a io_uring polling thread can be created
4995 return -EPERM; in smack_uring_sqpoll()
4999 * smack_uring_cmd - check on file operations for io_uring
5008 struct file *file = ioucmd->file; in smack_uring_cmd()
5015 return -EINVAL; in smack_uring_cmd()
5017 tsp = smack_cred(file->f_cred); in smack_uring_cmd()
5021 smk_ad_setfield_u_fs_path(&ad, file->f_path); in smack_uring_cmd()
5023 rc = smk_bu_credfile(file->f_cred, file, MAY_READ, rc); in smack_uring_cmd()
5238 * smack_init - initialize the smack system
5240 * Returns 0 on success, -ENOMEM is there's no memory
5244 struct cred *cred = (struct cred *) current->cred; in smack_init()
5249 return -ENOMEM; in smack_init()