18c2ecf20Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only 28c2ecf20Sopenharmony_ci/* 38c2ecf20Sopenharmony_ci * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> 48c2ecf20Sopenharmony_ci * 58c2ecf20Sopenharmony_ci * Authors: 68c2ecf20Sopenharmony_ci * Casey Schaufler <casey@schaufler-ca.com> 78c2ecf20Sopenharmony_ci * Ahmed S. Darwish <darwish.07@gmail.com> 88c2ecf20Sopenharmony_ci * 98c2ecf20Sopenharmony_ci * Special thanks to the authors of selinuxfs. 108c2ecf20Sopenharmony_ci * 118c2ecf20Sopenharmony_ci * Karl MacMillan <kmacmillan@tresys.com> 128c2ecf20Sopenharmony_ci * James Morris <jmorris@redhat.com> 138c2ecf20Sopenharmony_ci */ 148c2ecf20Sopenharmony_ci 158c2ecf20Sopenharmony_ci#include <linux/kernel.h> 168c2ecf20Sopenharmony_ci#include <linux/vmalloc.h> 178c2ecf20Sopenharmony_ci#include <linux/security.h> 188c2ecf20Sopenharmony_ci#include <linux/mutex.h> 198c2ecf20Sopenharmony_ci#include <linux/slab.h> 208c2ecf20Sopenharmony_ci#include <net/net_namespace.h> 218c2ecf20Sopenharmony_ci#include <net/cipso_ipv4.h> 228c2ecf20Sopenharmony_ci#include <linux/seq_file.h> 238c2ecf20Sopenharmony_ci#include <linux/ctype.h> 248c2ecf20Sopenharmony_ci#include <linux/audit.h> 258c2ecf20Sopenharmony_ci#include <linux/magic.h> 268c2ecf20Sopenharmony_ci#include <linux/fs_context.h> 278c2ecf20Sopenharmony_ci#include "smack.h" 288c2ecf20Sopenharmony_ci 298c2ecf20Sopenharmony_ci#define BEBITS (sizeof(__be32) * 8) 308c2ecf20Sopenharmony_ci/* 318c2ecf20Sopenharmony_ci * smackfs pseudo filesystem. 328c2ecf20Sopenharmony_ci */ 338c2ecf20Sopenharmony_ci 348c2ecf20Sopenharmony_cienum smk_inos { 358c2ecf20Sopenharmony_ci SMK_ROOT_INO = 2, 368c2ecf20Sopenharmony_ci SMK_LOAD = 3, /* load policy */ 378c2ecf20Sopenharmony_ci SMK_CIPSO = 4, /* load label -> CIPSO mapping */ 388c2ecf20Sopenharmony_ci SMK_DOI = 5, /* CIPSO DOI */ 398c2ecf20Sopenharmony_ci SMK_DIRECT = 6, /* CIPSO level indicating direct label */ 408c2ecf20Sopenharmony_ci SMK_AMBIENT = 7, /* internet ambient label */ 418c2ecf20Sopenharmony_ci SMK_NET4ADDR = 8, /* single label hosts */ 428c2ecf20Sopenharmony_ci SMK_ONLYCAP = 9, /* the only "capable" label */ 438c2ecf20Sopenharmony_ci SMK_LOGGING = 10, /* logging */ 448c2ecf20Sopenharmony_ci SMK_LOAD_SELF = 11, /* task specific rules */ 458c2ecf20Sopenharmony_ci SMK_ACCESSES = 12, /* access policy */ 468c2ecf20Sopenharmony_ci SMK_MAPPED = 13, /* CIPSO level indicating mapped label */ 478c2ecf20Sopenharmony_ci SMK_LOAD2 = 14, /* load policy with long labels */ 488c2ecf20Sopenharmony_ci SMK_LOAD_SELF2 = 15, /* load task specific rules with long labels */ 498c2ecf20Sopenharmony_ci SMK_ACCESS2 = 16, /* make an access check with long labels */ 508c2ecf20Sopenharmony_ci SMK_CIPSO2 = 17, /* load long label -> CIPSO mapping */ 518c2ecf20Sopenharmony_ci SMK_REVOKE_SUBJ = 18, /* set rules with subject label to '-' */ 528c2ecf20Sopenharmony_ci SMK_CHANGE_RULE = 19, /* change or add rules (long labels) */ 538c2ecf20Sopenharmony_ci SMK_SYSLOG = 20, /* change syslog label) */ 548c2ecf20Sopenharmony_ci SMK_PTRACE = 21, /* set ptrace rule */ 558c2ecf20Sopenharmony_ci#ifdef CONFIG_SECURITY_SMACK_BRINGUP 568c2ecf20Sopenharmony_ci SMK_UNCONFINED = 22, /* define an unconfined label */ 578c2ecf20Sopenharmony_ci#endif 588c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_IPV6) 598c2ecf20Sopenharmony_ci SMK_NET6ADDR = 23, /* single label IPv6 hosts */ 608c2ecf20Sopenharmony_ci#endif /* CONFIG_IPV6 */ 618c2ecf20Sopenharmony_ci SMK_RELABEL_SELF = 24, /* relabel possible without CAP_MAC_ADMIN */ 628c2ecf20Sopenharmony_ci}; 638c2ecf20Sopenharmony_ci 648c2ecf20Sopenharmony_ci/* 658c2ecf20Sopenharmony_ci * List locks 668c2ecf20Sopenharmony_ci */ 678c2ecf20Sopenharmony_cistatic DEFINE_MUTEX(smack_cipso_lock); 688c2ecf20Sopenharmony_cistatic DEFINE_MUTEX(smack_ambient_lock); 698c2ecf20Sopenharmony_cistatic DEFINE_MUTEX(smk_net4addr_lock); 708c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_IPV6) 718c2ecf20Sopenharmony_cistatic DEFINE_MUTEX(smk_net6addr_lock); 728c2ecf20Sopenharmony_ci#endif /* CONFIG_IPV6 */ 738c2ecf20Sopenharmony_ci 748c2ecf20Sopenharmony_ci/* 758c2ecf20Sopenharmony_ci * This is the "ambient" label for network traffic. 768c2ecf20Sopenharmony_ci * If it isn't somehow marked, use this. 778c2ecf20Sopenharmony_ci * It can be reset via smackfs/ambient 788c2ecf20Sopenharmony_ci */ 798c2ecf20Sopenharmony_cistruct smack_known *smack_net_ambient; 808c2ecf20Sopenharmony_ci 818c2ecf20Sopenharmony_ci/* 828c2ecf20Sopenharmony_ci * This is the level in a CIPSO header that indicates a 838c2ecf20Sopenharmony_ci * smack label is contained directly in the category set. 848c2ecf20Sopenharmony_ci * It can be reset via smackfs/direct 858c2ecf20Sopenharmony_ci */ 868c2ecf20Sopenharmony_ciint smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT; 878c2ecf20Sopenharmony_ci 888c2ecf20Sopenharmony_ci/* 898c2ecf20Sopenharmony_ci * This is the level in a CIPSO header that indicates a 908c2ecf20Sopenharmony_ci * secid is contained directly in the category set. 918c2ecf20Sopenharmony_ci * It can be reset via smackfs/mapped 928c2ecf20Sopenharmony_ci */ 938c2ecf20Sopenharmony_ciint smack_cipso_mapped = SMACK_CIPSO_MAPPED_DEFAULT; 948c2ecf20Sopenharmony_ci 958c2ecf20Sopenharmony_ci#ifdef CONFIG_SECURITY_SMACK_BRINGUP 968c2ecf20Sopenharmony_ci/* 978c2ecf20Sopenharmony_ci * Allow one label to be unconfined. This is for 988c2ecf20Sopenharmony_ci * debugging and application bring-up purposes only. 998c2ecf20Sopenharmony_ci * It is bad and wrong, but everyone seems to expect 1008c2ecf20Sopenharmony_ci * to have it. 1018c2ecf20Sopenharmony_ci */ 1028c2ecf20Sopenharmony_cistruct smack_known *smack_unconfined; 1038c2ecf20Sopenharmony_ci#endif 1048c2ecf20Sopenharmony_ci 1058c2ecf20Sopenharmony_ci/* 1068c2ecf20Sopenharmony_ci * If this value is set restrict syslog use to the label specified. 1078c2ecf20Sopenharmony_ci * It can be reset via smackfs/syslog 1088c2ecf20Sopenharmony_ci */ 1098c2ecf20Sopenharmony_cistruct smack_known *smack_syslog_label; 1108c2ecf20Sopenharmony_ci 1118c2ecf20Sopenharmony_ci/* 1128c2ecf20Sopenharmony_ci * Ptrace current rule 1138c2ecf20Sopenharmony_ci * SMACK_PTRACE_DEFAULT regular smack ptrace rules (/proc based) 1148c2ecf20Sopenharmony_ci * SMACK_PTRACE_EXACT labels must match, but can be overriden with 1158c2ecf20Sopenharmony_ci * CAP_SYS_PTRACE 1168c2ecf20Sopenharmony_ci * SMACK_PTRACE_DRACONIAN lables must match, CAP_SYS_PTRACE has no effect 1178c2ecf20Sopenharmony_ci */ 1188c2ecf20Sopenharmony_ciint smack_ptrace_rule = SMACK_PTRACE_DEFAULT; 1198c2ecf20Sopenharmony_ci 1208c2ecf20Sopenharmony_ci/* 1218c2ecf20Sopenharmony_ci * Certain IP addresses may be designated as single label hosts. 1228c2ecf20Sopenharmony_ci * Packets are sent there unlabeled, but only from tasks that 1238c2ecf20Sopenharmony_ci * can write to the specified label. 1248c2ecf20Sopenharmony_ci */ 1258c2ecf20Sopenharmony_ci 1268c2ecf20Sopenharmony_ciLIST_HEAD(smk_net4addr_list); 1278c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_IPV6) 1288c2ecf20Sopenharmony_ciLIST_HEAD(smk_net6addr_list); 1298c2ecf20Sopenharmony_ci#endif /* CONFIG_IPV6 */ 1308c2ecf20Sopenharmony_ci 1318c2ecf20Sopenharmony_ci/* 1328c2ecf20Sopenharmony_ci * Rule lists are maintained for each label. 1338c2ecf20Sopenharmony_ci */ 1348c2ecf20Sopenharmony_cistruct smack_parsed_rule { 1358c2ecf20Sopenharmony_ci struct smack_known *smk_subject; 1368c2ecf20Sopenharmony_ci struct smack_known *smk_object; 1378c2ecf20Sopenharmony_ci int smk_access1; 1388c2ecf20Sopenharmony_ci int smk_access2; 1398c2ecf20Sopenharmony_ci}; 1408c2ecf20Sopenharmony_ci 1418c2ecf20Sopenharmony_cistatic int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; 1428c2ecf20Sopenharmony_ci 1438c2ecf20Sopenharmony_ci/* 1448c2ecf20Sopenharmony_ci * Values for parsing cipso rules 1458c2ecf20Sopenharmony_ci * SMK_DIGITLEN: Length of a digit field in a rule. 1468c2ecf20Sopenharmony_ci * SMK_CIPSOMIN: Minimum possible cipso rule length. 1478c2ecf20Sopenharmony_ci * SMK_CIPSOMAX: Maximum possible cipso rule length. 1488c2ecf20Sopenharmony_ci */ 1498c2ecf20Sopenharmony_ci#define SMK_DIGITLEN 4 1508c2ecf20Sopenharmony_ci#define SMK_CIPSOMIN (SMK_LABELLEN + 2 * SMK_DIGITLEN) 1518c2ecf20Sopenharmony_ci#define SMK_CIPSOMAX (SMK_CIPSOMIN + SMACK_CIPSO_MAXCATNUM * SMK_DIGITLEN) 1528c2ecf20Sopenharmony_ci 1538c2ecf20Sopenharmony_ci/* 1548c2ecf20Sopenharmony_ci * Values for parsing MAC rules 1558c2ecf20Sopenharmony_ci * SMK_ACCESS: Maximum possible combination of access permissions 1568c2ecf20Sopenharmony_ci * SMK_ACCESSLEN: Maximum length for a rule access field 1578c2ecf20Sopenharmony_ci * SMK_LOADLEN: Smack rule length 1588c2ecf20Sopenharmony_ci */ 1598c2ecf20Sopenharmony_ci#define SMK_OACCESS "rwxa" 1608c2ecf20Sopenharmony_ci#define SMK_ACCESS "rwxatl" 1618c2ecf20Sopenharmony_ci#define SMK_OACCESSLEN (sizeof(SMK_OACCESS) - 1) 1628c2ecf20Sopenharmony_ci#define SMK_ACCESSLEN (sizeof(SMK_ACCESS) - 1) 1638c2ecf20Sopenharmony_ci#define SMK_OLOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_OACCESSLEN) 1648c2ecf20Sopenharmony_ci#define SMK_LOADLEN (SMK_LABELLEN + SMK_LABELLEN + SMK_ACCESSLEN) 1658c2ecf20Sopenharmony_ci 1668c2ecf20Sopenharmony_ci/* 1678c2ecf20Sopenharmony_ci * Stricly for CIPSO level manipulation. 1688c2ecf20Sopenharmony_ci * Set the category bit number in a smack label sized buffer. 1698c2ecf20Sopenharmony_ci */ 1708c2ecf20Sopenharmony_cistatic inline void smack_catset_bit(unsigned int cat, char *catsetp) 1718c2ecf20Sopenharmony_ci{ 1728c2ecf20Sopenharmony_ci if (cat == 0 || cat > (SMK_CIPSOLEN * 8)) 1738c2ecf20Sopenharmony_ci return; 1748c2ecf20Sopenharmony_ci 1758c2ecf20Sopenharmony_ci catsetp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8); 1768c2ecf20Sopenharmony_ci} 1778c2ecf20Sopenharmony_ci 1788c2ecf20Sopenharmony_ci/** 1798c2ecf20Sopenharmony_ci * smk_netlabel_audit_set - fill a netlbl_audit struct 1808c2ecf20Sopenharmony_ci * @nap: structure to fill 1818c2ecf20Sopenharmony_ci */ 1828c2ecf20Sopenharmony_cistatic void smk_netlabel_audit_set(struct netlbl_audit *nap) 1838c2ecf20Sopenharmony_ci{ 1848c2ecf20Sopenharmony_ci struct smack_known *skp = smk_of_current(); 1858c2ecf20Sopenharmony_ci 1868c2ecf20Sopenharmony_ci nap->loginuid = audit_get_loginuid(current); 1878c2ecf20Sopenharmony_ci nap->sessionid = audit_get_sessionid(current); 1888c2ecf20Sopenharmony_ci nap->secid = skp->smk_secid; 1898c2ecf20Sopenharmony_ci} 1908c2ecf20Sopenharmony_ci 1918c2ecf20Sopenharmony_ci/* 1928c2ecf20Sopenharmony_ci * Value for parsing single label host rules 1938c2ecf20Sopenharmony_ci * "1.2.3.4 X" 1948c2ecf20Sopenharmony_ci */ 1958c2ecf20Sopenharmony_ci#define SMK_NETLBLADDRMIN 9 1968c2ecf20Sopenharmony_ci 1978c2ecf20Sopenharmony_ci/** 1988c2ecf20Sopenharmony_ci * smk_set_access - add a rule to the rule list or replace an old rule 1998c2ecf20Sopenharmony_ci * @srp: the rule to add or replace 2008c2ecf20Sopenharmony_ci * @rule_list: the list of rules 2018c2ecf20Sopenharmony_ci * @rule_lock: the rule list lock 2028c2ecf20Sopenharmony_ci * 2038c2ecf20Sopenharmony_ci * Looks through the current subject/object/access list for 2048c2ecf20Sopenharmony_ci * the subject/object pair and replaces the access that was 2058c2ecf20Sopenharmony_ci * there. If the pair isn't found add it with the specified 2068c2ecf20Sopenharmony_ci * access. 2078c2ecf20Sopenharmony_ci * 2088c2ecf20Sopenharmony_ci * Returns 0 if nothing goes wrong or -ENOMEM if it fails 2098c2ecf20Sopenharmony_ci * during the allocation of the new pair to add. 2108c2ecf20Sopenharmony_ci */ 2118c2ecf20Sopenharmony_cistatic int smk_set_access(struct smack_parsed_rule *srp, 2128c2ecf20Sopenharmony_ci struct list_head *rule_list, 2138c2ecf20Sopenharmony_ci struct mutex *rule_lock) 2148c2ecf20Sopenharmony_ci{ 2158c2ecf20Sopenharmony_ci struct smack_rule *sp; 2168c2ecf20Sopenharmony_ci int found = 0; 2178c2ecf20Sopenharmony_ci int rc = 0; 2188c2ecf20Sopenharmony_ci 2198c2ecf20Sopenharmony_ci mutex_lock(rule_lock); 2208c2ecf20Sopenharmony_ci 2218c2ecf20Sopenharmony_ci /* 2228c2ecf20Sopenharmony_ci * Because the object label is less likely to match 2238c2ecf20Sopenharmony_ci * than the subject label check it first 2248c2ecf20Sopenharmony_ci */ 2258c2ecf20Sopenharmony_ci list_for_each_entry_rcu(sp, rule_list, list) { 2268c2ecf20Sopenharmony_ci if (sp->smk_object == srp->smk_object && 2278c2ecf20Sopenharmony_ci sp->smk_subject == srp->smk_subject) { 2288c2ecf20Sopenharmony_ci found = 1; 2298c2ecf20Sopenharmony_ci sp->smk_access |= srp->smk_access1; 2308c2ecf20Sopenharmony_ci sp->smk_access &= ~srp->smk_access2; 2318c2ecf20Sopenharmony_ci break; 2328c2ecf20Sopenharmony_ci } 2338c2ecf20Sopenharmony_ci } 2348c2ecf20Sopenharmony_ci 2358c2ecf20Sopenharmony_ci if (found == 0) { 2368c2ecf20Sopenharmony_ci sp = kmem_cache_zalloc(smack_rule_cache, GFP_KERNEL); 2378c2ecf20Sopenharmony_ci if (sp == NULL) { 2388c2ecf20Sopenharmony_ci rc = -ENOMEM; 2398c2ecf20Sopenharmony_ci goto out; 2408c2ecf20Sopenharmony_ci } 2418c2ecf20Sopenharmony_ci 2428c2ecf20Sopenharmony_ci sp->smk_subject = srp->smk_subject; 2438c2ecf20Sopenharmony_ci sp->smk_object = srp->smk_object; 2448c2ecf20Sopenharmony_ci sp->smk_access = srp->smk_access1 & ~srp->smk_access2; 2458c2ecf20Sopenharmony_ci 2468c2ecf20Sopenharmony_ci list_add_rcu(&sp->list, rule_list); 2478c2ecf20Sopenharmony_ci } 2488c2ecf20Sopenharmony_ci 2498c2ecf20Sopenharmony_ciout: 2508c2ecf20Sopenharmony_ci mutex_unlock(rule_lock); 2518c2ecf20Sopenharmony_ci return rc; 2528c2ecf20Sopenharmony_ci} 2538c2ecf20Sopenharmony_ci 2548c2ecf20Sopenharmony_ci/** 2558c2ecf20Sopenharmony_ci * smk_perm_from_str - parse smack accesses from a text string 2568c2ecf20Sopenharmony_ci * @string: a text string that contains a Smack accesses code 2578c2ecf20Sopenharmony_ci * 2588c2ecf20Sopenharmony_ci * Returns an integer with respective bits set for specified accesses. 2598c2ecf20Sopenharmony_ci */ 2608c2ecf20Sopenharmony_cistatic int smk_perm_from_str(const char *string) 2618c2ecf20Sopenharmony_ci{ 2628c2ecf20Sopenharmony_ci int perm = 0; 2638c2ecf20Sopenharmony_ci const char *cp; 2648c2ecf20Sopenharmony_ci 2658c2ecf20Sopenharmony_ci for (cp = string; ; cp++) 2668c2ecf20Sopenharmony_ci switch (*cp) { 2678c2ecf20Sopenharmony_ci case '-': 2688c2ecf20Sopenharmony_ci break; 2698c2ecf20Sopenharmony_ci case 'r': 2708c2ecf20Sopenharmony_ci case 'R': 2718c2ecf20Sopenharmony_ci perm |= MAY_READ; 2728c2ecf20Sopenharmony_ci break; 2738c2ecf20Sopenharmony_ci case 'w': 2748c2ecf20Sopenharmony_ci case 'W': 2758c2ecf20Sopenharmony_ci perm |= MAY_WRITE; 2768c2ecf20Sopenharmony_ci break; 2778c2ecf20Sopenharmony_ci case 'x': 2788c2ecf20Sopenharmony_ci case 'X': 2798c2ecf20Sopenharmony_ci perm |= MAY_EXEC; 2808c2ecf20Sopenharmony_ci break; 2818c2ecf20Sopenharmony_ci case 'a': 2828c2ecf20Sopenharmony_ci case 'A': 2838c2ecf20Sopenharmony_ci perm |= MAY_APPEND; 2848c2ecf20Sopenharmony_ci break; 2858c2ecf20Sopenharmony_ci case 't': 2868c2ecf20Sopenharmony_ci case 'T': 2878c2ecf20Sopenharmony_ci perm |= MAY_TRANSMUTE; 2888c2ecf20Sopenharmony_ci break; 2898c2ecf20Sopenharmony_ci case 'l': 2908c2ecf20Sopenharmony_ci case 'L': 2918c2ecf20Sopenharmony_ci perm |= MAY_LOCK; 2928c2ecf20Sopenharmony_ci break; 2938c2ecf20Sopenharmony_ci case 'b': 2948c2ecf20Sopenharmony_ci case 'B': 2958c2ecf20Sopenharmony_ci perm |= MAY_BRINGUP; 2968c2ecf20Sopenharmony_ci break; 2978c2ecf20Sopenharmony_ci default: 2988c2ecf20Sopenharmony_ci return perm; 2998c2ecf20Sopenharmony_ci } 3008c2ecf20Sopenharmony_ci} 3018c2ecf20Sopenharmony_ci 3028c2ecf20Sopenharmony_ci/** 3038c2ecf20Sopenharmony_ci * smk_fill_rule - Fill Smack rule from strings 3048c2ecf20Sopenharmony_ci * @subject: subject label string 3058c2ecf20Sopenharmony_ci * @object: object label string 3068c2ecf20Sopenharmony_ci * @access1: access string 3078c2ecf20Sopenharmony_ci * @access2: string with permissions to be removed 3088c2ecf20Sopenharmony_ci * @rule: Smack rule 3098c2ecf20Sopenharmony_ci * @import: if non-zero, import labels 3108c2ecf20Sopenharmony_ci * @len: label length limit 3118c2ecf20Sopenharmony_ci * 3128c2ecf20Sopenharmony_ci * Returns 0 on success, appropriate error code on failure. 3138c2ecf20Sopenharmony_ci */ 3148c2ecf20Sopenharmony_cistatic int smk_fill_rule(const char *subject, const char *object, 3158c2ecf20Sopenharmony_ci const char *access1, const char *access2, 3168c2ecf20Sopenharmony_ci struct smack_parsed_rule *rule, int import, 3178c2ecf20Sopenharmony_ci int len) 3188c2ecf20Sopenharmony_ci{ 3198c2ecf20Sopenharmony_ci const char *cp; 3208c2ecf20Sopenharmony_ci struct smack_known *skp; 3218c2ecf20Sopenharmony_ci 3228c2ecf20Sopenharmony_ci if (import) { 3238c2ecf20Sopenharmony_ci rule->smk_subject = smk_import_entry(subject, len); 3248c2ecf20Sopenharmony_ci if (IS_ERR(rule->smk_subject)) 3258c2ecf20Sopenharmony_ci return PTR_ERR(rule->smk_subject); 3268c2ecf20Sopenharmony_ci 3278c2ecf20Sopenharmony_ci rule->smk_object = smk_import_entry(object, len); 3288c2ecf20Sopenharmony_ci if (IS_ERR(rule->smk_object)) 3298c2ecf20Sopenharmony_ci return PTR_ERR(rule->smk_object); 3308c2ecf20Sopenharmony_ci } else { 3318c2ecf20Sopenharmony_ci cp = smk_parse_smack(subject, len); 3328c2ecf20Sopenharmony_ci if (IS_ERR(cp)) 3338c2ecf20Sopenharmony_ci return PTR_ERR(cp); 3348c2ecf20Sopenharmony_ci skp = smk_find_entry(cp); 3358c2ecf20Sopenharmony_ci kfree(cp); 3368c2ecf20Sopenharmony_ci if (skp == NULL) 3378c2ecf20Sopenharmony_ci return -ENOENT; 3388c2ecf20Sopenharmony_ci rule->smk_subject = skp; 3398c2ecf20Sopenharmony_ci 3408c2ecf20Sopenharmony_ci cp = smk_parse_smack(object, len); 3418c2ecf20Sopenharmony_ci if (IS_ERR(cp)) 3428c2ecf20Sopenharmony_ci return PTR_ERR(cp); 3438c2ecf20Sopenharmony_ci skp = smk_find_entry(cp); 3448c2ecf20Sopenharmony_ci kfree(cp); 3458c2ecf20Sopenharmony_ci if (skp == NULL) 3468c2ecf20Sopenharmony_ci return -ENOENT; 3478c2ecf20Sopenharmony_ci rule->smk_object = skp; 3488c2ecf20Sopenharmony_ci } 3498c2ecf20Sopenharmony_ci 3508c2ecf20Sopenharmony_ci rule->smk_access1 = smk_perm_from_str(access1); 3518c2ecf20Sopenharmony_ci if (access2) 3528c2ecf20Sopenharmony_ci rule->smk_access2 = smk_perm_from_str(access2); 3538c2ecf20Sopenharmony_ci else 3548c2ecf20Sopenharmony_ci rule->smk_access2 = ~rule->smk_access1; 3558c2ecf20Sopenharmony_ci 3568c2ecf20Sopenharmony_ci return 0; 3578c2ecf20Sopenharmony_ci} 3588c2ecf20Sopenharmony_ci 3598c2ecf20Sopenharmony_ci/** 3608c2ecf20Sopenharmony_ci * smk_parse_rule - parse Smack rule from load string 3618c2ecf20Sopenharmony_ci * @data: string to be parsed whose size is SMK_LOADLEN 3628c2ecf20Sopenharmony_ci * @rule: Smack rule 3638c2ecf20Sopenharmony_ci * @import: if non-zero, import labels 3648c2ecf20Sopenharmony_ci * 3658c2ecf20Sopenharmony_ci * Returns 0 on success, -1 on errors. 3668c2ecf20Sopenharmony_ci */ 3678c2ecf20Sopenharmony_cistatic int smk_parse_rule(const char *data, struct smack_parsed_rule *rule, 3688c2ecf20Sopenharmony_ci int import) 3698c2ecf20Sopenharmony_ci{ 3708c2ecf20Sopenharmony_ci int rc; 3718c2ecf20Sopenharmony_ci 3728c2ecf20Sopenharmony_ci rc = smk_fill_rule(data, data + SMK_LABELLEN, 3738c2ecf20Sopenharmony_ci data + SMK_LABELLEN + SMK_LABELLEN, NULL, rule, 3748c2ecf20Sopenharmony_ci import, SMK_LABELLEN); 3758c2ecf20Sopenharmony_ci return rc; 3768c2ecf20Sopenharmony_ci} 3778c2ecf20Sopenharmony_ci 3788c2ecf20Sopenharmony_ci/** 3798c2ecf20Sopenharmony_ci * smk_parse_long_rule - parse Smack rule from rule string 3808c2ecf20Sopenharmony_ci * @data: string to be parsed, null terminated 3818c2ecf20Sopenharmony_ci * @rule: Will be filled with Smack parsed rule 3828c2ecf20Sopenharmony_ci * @import: if non-zero, import labels 3838c2ecf20Sopenharmony_ci * @tokens: numer of substrings expected in data 3848c2ecf20Sopenharmony_ci * 3858c2ecf20Sopenharmony_ci * Returns number of processed bytes on success, -ERRNO on failure. 3868c2ecf20Sopenharmony_ci */ 3878c2ecf20Sopenharmony_cistatic ssize_t smk_parse_long_rule(char *data, struct smack_parsed_rule *rule, 3888c2ecf20Sopenharmony_ci int import, int tokens) 3898c2ecf20Sopenharmony_ci{ 3908c2ecf20Sopenharmony_ci ssize_t cnt = 0; 3918c2ecf20Sopenharmony_ci char *tok[4]; 3928c2ecf20Sopenharmony_ci int rc; 3938c2ecf20Sopenharmony_ci int i; 3948c2ecf20Sopenharmony_ci 3958c2ecf20Sopenharmony_ci /* 3968c2ecf20Sopenharmony_ci * Parsing the rule in-place, filling all white-spaces with '\0' 3978c2ecf20Sopenharmony_ci */ 3988c2ecf20Sopenharmony_ci for (i = 0; i < tokens; ++i) { 3998c2ecf20Sopenharmony_ci while (isspace(data[cnt])) 4008c2ecf20Sopenharmony_ci data[cnt++] = '\0'; 4018c2ecf20Sopenharmony_ci 4028c2ecf20Sopenharmony_ci if (data[cnt] == '\0') 4038c2ecf20Sopenharmony_ci /* Unexpected end of data */ 4048c2ecf20Sopenharmony_ci return -EINVAL; 4058c2ecf20Sopenharmony_ci 4068c2ecf20Sopenharmony_ci tok[i] = data + cnt; 4078c2ecf20Sopenharmony_ci 4088c2ecf20Sopenharmony_ci while (data[cnt] && !isspace(data[cnt])) 4098c2ecf20Sopenharmony_ci ++cnt; 4108c2ecf20Sopenharmony_ci } 4118c2ecf20Sopenharmony_ci while (isspace(data[cnt])) 4128c2ecf20Sopenharmony_ci data[cnt++] = '\0'; 4138c2ecf20Sopenharmony_ci 4148c2ecf20Sopenharmony_ci while (i < 4) 4158c2ecf20Sopenharmony_ci tok[i++] = NULL; 4168c2ecf20Sopenharmony_ci 4178c2ecf20Sopenharmony_ci rc = smk_fill_rule(tok[0], tok[1], tok[2], tok[3], rule, import, 0); 4188c2ecf20Sopenharmony_ci return rc == 0 ? cnt : rc; 4198c2ecf20Sopenharmony_ci} 4208c2ecf20Sopenharmony_ci 4218c2ecf20Sopenharmony_ci#define SMK_FIXED24_FMT 0 /* Fixed 24byte label format */ 4228c2ecf20Sopenharmony_ci#define SMK_LONG_FMT 1 /* Variable long label format */ 4238c2ecf20Sopenharmony_ci#define SMK_CHANGE_FMT 2 /* Rule modification format */ 4248c2ecf20Sopenharmony_ci/** 4258c2ecf20Sopenharmony_ci * smk_write_rules_list - write() for any /smack rule file 4268c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 4278c2ecf20Sopenharmony_ci * @buf: where to get the data from 4288c2ecf20Sopenharmony_ci * @count: bytes sent 4298c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 4308c2ecf20Sopenharmony_ci * @rule_list: the list of rules to write to 4318c2ecf20Sopenharmony_ci * @rule_lock: lock for the rule list 4328c2ecf20Sopenharmony_ci * @format: /smack/load or /smack/load2 or /smack/change-rule format. 4338c2ecf20Sopenharmony_ci * 4348c2ecf20Sopenharmony_ci * Get one smack access rule from above. 4358c2ecf20Sopenharmony_ci * The format for SMK_LONG_FMT is: 4368c2ecf20Sopenharmony_ci * "subject<whitespace>object<whitespace>access[<whitespace>...]" 4378c2ecf20Sopenharmony_ci * The format for SMK_FIXED24_FMT is exactly: 4388c2ecf20Sopenharmony_ci * "subject object rwxat" 4398c2ecf20Sopenharmony_ci * The format for SMK_CHANGE_FMT is: 4408c2ecf20Sopenharmony_ci * "subject<whitespace>object<whitespace> 4418c2ecf20Sopenharmony_ci * acc_enable<whitespace>acc_disable[<whitespace>...]" 4428c2ecf20Sopenharmony_ci */ 4438c2ecf20Sopenharmony_cistatic ssize_t smk_write_rules_list(struct file *file, const char __user *buf, 4448c2ecf20Sopenharmony_ci size_t count, loff_t *ppos, 4458c2ecf20Sopenharmony_ci struct list_head *rule_list, 4468c2ecf20Sopenharmony_ci struct mutex *rule_lock, int format) 4478c2ecf20Sopenharmony_ci{ 4488c2ecf20Sopenharmony_ci struct smack_parsed_rule rule; 4498c2ecf20Sopenharmony_ci char *data; 4508c2ecf20Sopenharmony_ci int rc; 4518c2ecf20Sopenharmony_ci int trunc = 0; 4528c2ecf20Sopenharmony_ci int tokens; 4538c2ecf20Sopenharmony_ci ssize_t cnt = 0; 4548c2ecf20Sopenharmony_ci 4558c2ecf20Sopenharmony_ci /* 4568c2ecf20Sopenharmony_ci * No partial writes. 4578c2ecf20Sopenharmony_ci * Enough data must be present. 4588c2ecf20Sopenharmony_ci */ 4598c2ecf20Sopenharmony_ci if (*ppos != 0) 4608c2ecf20Sopenharmony_ci return -EINVAL; 4618c2ecf20Sopenharmony_ci 4628c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT) { 4638c2ecf20Sopenharmony_ci /* 4648c2ecf20Sopenharmony_ci * Minor hack for backward compatibility 4658c2ecf20Sopenharmony_ci */ 4668c2ecf20Sopenharmony_ci if (count < SMK_OLOADLEN || count > SMK_LOADLEN) 4678c2ecf20Sopenharmony_ci return -EINVAL; 4688c2ecf20Sopenharmony_ci } else { 4698c2ecf20Sopenharmony_ci if (count >= PAGE_SIZE) { 4708c2ecf20Sopenharmony_ci count = PAGE_SIZE - 1; 4718c2ecf20Sopenharmony_ci trunc = 1; 4728c2ecf20Sopenharmony_ci } 4738c2ecf20Sopenharmony_ci } 4748c2ecf20Sopenharmony_ci 4758c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 4768c2ecf20Sopenharmony_ci if (IS_ERR(data)) 4778c2ecf20Sopenharmony_ci return PTR_ERR(data); 4788c2ecf20Sopenharmony_ci 4798c2ecf20Sopenharmony_ci /* 4808c2ecf20Sopenharmony_ci * In case of parsing only part of user buf, 4818c2ecf20Sopenharmony_ci * avoid having partial rule at the data buffer 4828c2ecf20Sopenharmony_ci */ 4838c2ecf20Sopenharmony_ci if (trunc) { 4848c2ecf20Sopenharmony_ci while (count > 0 && (data[count - 1] != '\n')) 4858c2ecf20Sopenharmony_ci --count; 4868c2ecf20Sopenharmony_ci if (count == 0) { 4878c2ecf20Sopenharmony_ci rc = -EINVAL; 4888c2ecf20Sopenharmony_ci goto out; 4898c2ecf20Sopenharmony_ci } 4908c2ecf20Sopenharmony_ci } 4918c2ecf20Sopenharmony_ci 4928c2ecf20Sopenharmony_ci data[count] = '\0'; 4938c2ecf20Sopenharmony_ci tokens = (format == SMK_CHANGE_FMT ? 4 : 3); 4948c2ecf20Sopenharmony_ci while (cnt < count) { 4958c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT) { 4968c2ecf20Sopenharmony_ci rc = smk_parse_rule(data, &rule, 1); 4978c2ecf20Sopenharmony_ci if (rc < 0) 4988c2ecf20Sopenharmony_ci goto out; 4998c2ecf20Sopenharmony_ci cnt = count; 5008c2ecf20Sopenharmony_ci } else { 5018c2ecf20Sopenharmony_ci rc = smk_parse_long_rule(data + cnt, &rule, 1, tokens); 5028c2ecf20Sopenharmony_ci if (rc < 0) 5038c2ecf20Sopenharmony_ci goto out; 5048c2ecf20Sopenharmony_ci if (rc == 0) { 5058c2ecf20Sopenharmony_ci rc = -EINVAL; 5068c2ecf20Sopenharmony_ci goto out; 5078c2ecf20Sopenharmony_ci } 5088c2ecf20Sopenharmony_ci cnt += rc; 5098c2ecf20Sopenharmony_ci } 5108c2ecf20Sopenharmony_ci 5118c2ecf20Sopenharmony_ci if (rule_list == NULL) 5128c2ecf20Sopenharmony_ci rc = smk_set_access(&rule, &rule.smk_subject->smk_rules, 5138c2ecf20Sopenharmony_ci &rule.smk_subject->smk_rules_lock); 5148c2ecf20Sopenharmony_ci else 5158c2ecf20Sopenharmony_ci rc = smk_set_access(&rule, rule_list, rule_lock); 5168c2ecf20Sopenharmony_ci 5178c2ecf20Sopenharmony_ci if (rc) 5188c2ecf20Sopenharmony_ci goto out; 5198c2ecf20Sopenharmony_ci } 5208c2ecf20Sopenharmony_ci 5218c2ecf20Sopenharmony_ci rc = cnt; 5228c2ecf20Sopenharmony_ciout: 5238c2ecf20Sopenharmony_ci kfree(data); 5248c2ecf20Sopenharmony_ci return rc; 5258c2ecf20Sopenharmony_ci} 5268c2ecf20Sopenharmony_ci 5278c2ecf20Sopenharmony_ci/* 5288c2ecf20Sopenharmony_ci * Core logic for smackfs seq list operations. 5298c2ecf20Sopenharmony_ci */ 5308c2ecf20Sopenharmony_ci 5318c2ecf20Sopenharmony_cistatic void *smk_seq_start(struct seq_file *s, loff_t *pos, 5328c2ecf20Sopenharmony_ci struct list_head *head) 5338c2ecf20Sopenharmony_ci{ 5348c2ecf20Sopenharmony_ci struct list_head *list; 5358c2ecf20Sopenharmony_ci int i = *pos; 5368c2ecf20Sopenharmony_ci 5378c2ecf20Sopenharmony_ci rcu_read_lock(); 5388c2ecf20Sopenharmony_ci for (list = rcu_dereference(list_next_rcu(head)); 5398c2ecf20Sopenharmony_ci list != head; 5408c2ecf20Sopenharmony_ci list = rcu_dereference(list_next_rcu(list))) { 5418c2ecf20Sopenharmony_ci if (i-- == 0) 5428c2ecf20Sopenharmony_ci return list; 5438c2ecf20Sopenharmony_ci } 5448c2ecf20Sopenharmony_ci 5458c2ecf20Sopenharmony_ci return NULL; 5468c2ecf20Sopenharmony_ci} 5478c2ecf20Sopenharmony_ci 5488c2ecf20Sopenharmony_cistatic void *smk_seq_next(struct seq_file *s, void *v, loff_t *pos, 5498c2ecf20Sopenharmony_ci struct list_head *head) 5508c2ecf20Sopenharmony_ci{ 5518c2ecf20Sopenharmony_ci struct list_head *list = v; 5528c2ecf20Sopenharmony_ci 5538c2ecf20Sopenharmony_ci ++*pos; 5548c2ecf20Sopenharmony_ci list = rcu_dereference(list_next_rcu(list)); 5558c2ecf20Sopenharmony_ci 5568c2ecf20Sopenharmony_ci return (list == head) ? NULL : list; 5578c2ecf20Sopenharmony_ci} 5588c2ecf20Sopenharmony_ci 5598c2ecf20Sopenharmony_cistatic void smk_seq_stop(struct seq_file *s, void *v) 5608c2ecf20Sopenharmony_ci{ 5618c2ecf20Sopenharmony_ci rcu_read_unlock(); 5628c2ecf20Sopenharmony_ci} 5638c2ecf20Sopenharmony_ci 5648c2ecf20Sopenharmony_cistatic void smk_rule_show(struct seq_file *s, struct smack_rule *srp, int max) 5658c2ecf20Sopenharmony_ci{ 5668c2ecf20Sopenharmony_ci /* 5678c2ecf20Sopenharmony_ci * Don't show any rules with label names too long for 5688c2ecf20Sopenharmony_ci * interface file (/smack/load or /smack/load2) 5698c2ecf20Sopenharmony_ci * because you should expect to be able to write 5708c2ecf20Sopenharmony_ci * anything you read back. 5718c2ecf20Sopenharmony_ci */ 5728c2ecf20Sopenharmony_ci if (strlen(srp->smk_subject->smk_known) >= max || 5738c2ecf20Sopenharmony_ci strlen(srp->smk_object->smk_known) >= max) 5748c2ecf20Sopenharmony_ci return; 5758c2ecf20Sopenharmony_ci 5768c2ecf20Sopenharmony_ci if (srp->smk_access == 0) 5778c2ecf20Sopenharmony_ci return; 5788c2ecf20Sopenharmony_ci 5798c2ecf20Sopenharmony_ci seq_printf(s, "%s %s", 5808c2ecf20Sopenharmony_ci srp->smk_subject->smk_known, 5818c2ecf20Sopenharmony_ci srp->smk_object->smk_known); 5828c2ecf20Sopenharmony_ci 5838c2ecf20Sopenharmony_ci seq_putc(s, ' '); 5848c2ecf20Sopenharmony_ci 5858c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_READ) 5868c2ecf20Sopenharmony_ci seq_putc(s, 'r'); 5878c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_WRITE) 5888c2ecf20Sopenharmony_ci seq_putc(s, 'w'); 5898c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_EXEC) 5908c2ecf20Sopenharmony_ci seq_putc(s, 'x'); 5918c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_APPEND) 5928c2ecf20Sopenharmony_ci seq_putc(s, 'a'); 5938c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_TRANSMUTE) 5948c2ecf20Sopenharmony_ci seq_putc(s, 't'); 5958c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_LOCK) 5968c2ecf20Sopenharmony_ci seq_putc(s, 'l'); 5978c2ecf20Sopenharmony_ci if (srp->smk_access & MAY_BRINGUP) 5988c2ecf20Sopenharmony_ci seq_putc(s, 'b'); 5998c2ecf20Sopenharmony_ci 6008c2ecf20Sopenharmony_ci seq_putc(s, '\n'); 6018c2ecf20Sopenharmony_ci} 6028c2ecf20Sopenharmony_ci 6038c2ecf20Sopenharmony_ci/* 6048c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/load 6058c2ecf20Sopenharmony_ci */ 6068c2ecf20Sopenharmony_ci 6078c2ecf20Sopenharmony_cistatic void *load2_seq_start(struct seq_file *s, loff_t *pos) 6088c2ecf20Sopenharmony_ci{ 6098c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &smack_known_list); 6108c2ecf20Sopenharmony_ci} 6118c2ecf20Sopenharmony_ci 6128c2ecf20Sopenharmony_cistatic void *load2_seq_next(struct seq_file *s, void *v, loff_t *pos) 6138c2ecf20Sopenharmony_ci{ 6148c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &smack_known_list); 6158c2ecf20Sopenharmony_ci} 6168c2ecf20Sopenharmony_ci 6178c2ecf20Sopenharmony_cistatic int load_seq_show(struct seq_file *s, void *v) 6188c2ecf20Sopenharmony_ci{ 6198c2ecf20Sopenharmony_ci struct list_head *list = v; 6208c2ecf20Sopenharmony_ci struct smack_rule *srp; 6218c2ecf20Sopenharmony_ci struct smack_known *skp = 6228c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_known, list); 6238c2ecf20Sopenharmony_ci 6248c2ecf20Sopenharmony_ci list_for_each_entry_rcu(srp, &skp->smk_rules, list) 6258c2ecf20Sopenharmony_ci smk_rule_show(s, srp, SMK_LABELLEN); 6268c2ecf20Sopenharmony_ci 6278c2ecf20Sopenharmony_ci return 0; 6288c2ecf20Sopenharmony_ci} 6298c2ecf20Sopenharmony_ci 6308c2ecf20Sopenharmony_cistatic const struct seq_operations load_seq_ops = { 6318c2ecf20Sopenharmony_ci .start = load2_seq_start, 6328c2ecf20Sopenharmony_ci .next = load2_seq_next, 6338c2ecf20Sopenharmony_ci .show = load_seq_show, 6348c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 6358c2ecf20Sopenharmony_ci}; 6368c2ecf20Sopenharmony_ci 6378c2ecf20Sopenharmony_ci/** 6388c2ecf20Sopenharmony_ci * smk_open_load - open() for /smack/load 6398c2ecf20Sopenharmony_ci * @inode: inode structure representing file 6408c2ecf20Sopenharmony_ci * @file: "load" file pointer 6418c2ecf20Sopenharmony_ci * 6428c2ecf20Sopenharmony_ci * For reading, use load_seq_* seq_file reading operations. 6438c2ecf20Sopenharmony_ci */ 6448c2ecf20Sopenharmony_cistatic int smk_open_load(struct inode *inode, struct file *file) 6458c2ecf20Sopenharmony_ci{ 6468c2ecf20Sopenharmony_ci return seq_open(file, &load_seq_ops); 6478c2ecf20Sopenharmony_ci} 6488c2ecf20Sopenharmony_ci 6498c2ecf20Sopenharmony_ci/** 6508c2ecf20Sopenharmony_ci * smk_write_load - write() for /smack/load 6518c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 6528c2ecf20Sopenharmony_ci * @buf: where to get the data from 6538c2ecf20Sopenharmony_ci * @count: bytes sent 6548c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 6558c2ecf20Sopenharmony_ci * 6568c2ecf20Sopenharmony_ci */ 6578c2ecf20Sopenharmony_cistatic ssize_t smk_write_load(struct file *file, const char __user *buf, 6588c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 6598c2ecf20Sopenharmony_ci{ 6608c2ecf20Sopenharmony_ci /* 6618c2ecf20Sopenharmony_ci * Must have privilege. 6628c2ecf20Sopenharmony_ci * No partial writes. 6638c2ecf20Sopenharmony_ci * Enough data must be present. 6648c2ecf20Sopenharmony_ci */ 6658c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 6668c2ecf20Sopenharmony_ci return -EPERM; 6678c2ecf20Sopenharmony_ci 6688c2ecf20Sopenharmony_ci return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, 6698c2ecf20Sopenharmony_ci SMK_FIXED24_FMT); 6708c2ecf20Sopenharmony_ci} 6718c2ecf20Sopenharmony_ci 6728c2ecf20Sopenharmony_cistatic const struct file_operations smk_load_ops = { 6738c2ecf20Sopenharmony_ci .open = smk_open_load, 6748c2ecf20Sopenharmony_ci .read = seq_read, 6758c2ecf20Sopenharmony_ci .llseek = seq_lseek, 6768c2ecf20Sopenharmony_ci .write = smk_write_load, 6778c2ecf20Sopenharmony_ci .release = seq_release, 6788c2ecf20Sopenharmony_ci}; 6798c2ecf20Sopenharmony_ci 6808c2ecf20Sopenharmony_ci/** 6818c2ecf20Sopenharmony_ci * smk_cipso_doi - initialize the CIPSO domain 6828c2ecf20Sopenharmony_ci */ 6838c2ecf20Sopenharmony_cistatic void smk_cipso_doi(void) 6848c2ecf20Sopenharmony_ci{ 6858c2ecf20Sopenharmony_ci int rc; 6868c2ecf20Sopenharmony_ci struct cipso_v4_doi *doip; 6878c2ecf20Sopenharmony_ci struct netlbl_audit nai; 6888c2ecf20Sopenharmony_ci 6898c2ecf20Sopenharmony_ci smk_netlabel_audit_set(&nai); 6908c2ecf20Sopenharmony_ci 6918c2ecf20Sopenharmony_ci rc = netlbl_cfg_map_del(NULL, PF_INET, NULL, NULL, &nai); 6928c2ecf20Sopenharmony_ci if (rc != 0) 6938c2ecf20Sopenharmony_ci printk(KERN_WARNING "%s:%d remove rc = %d\n", 6948c2ecf20Sopenharmony_ci __func__, __LINE__, rc); 6958c2ecf20Sopenharmony_ci 6968c2ecf20Sopenharmony_ci doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL | __GFP_NOFAIL); 6978c2ecf20Sopenharmony_ci doip->map.std = NULL; 6988c2ecf20Sopenharmony_ci doip->doi = smk_cipso_doi_value; 6998c2ecf20Sopenharmony_ci doip->type = CIPSO_V4_MAP_PASS; 7008c2ecf20Sopenharmony_ci doip->tags[0] = CIPSO_V4_TAG_RBITMAP; 7018c2ecf20Sopenharmony_ci for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++) 7028c2ecf20Sopenharmony_ci doip->tags[rc] = CIPSO_V4_TAG_INVALID; 7038c2ecf20Sopenharmony_ci 7048c2ecf20Sopenharmony_ci rc = netlbl_cfg_cipsov4_add(doip, &nai); 7058c2ecf20Sopenharmony_ci if (rc != 0) { 7068c2ecf20Sopenharmony_ci printk(KERN_WARNING "%s:%d cipso add rc = %d\n", 7078c2ecf20Sopenharmony_ci __func__, __LINE__, rc); 7088c2ecf20Sopenharmony_ci kfree(doip); 7098c2ecf20Sopenharmony_ci return; 7108c2ecf20Sopenharmony_ci } 7118c2ecf20Sopenharmony_ci rc = netlbl_cfg_cipsov4_map_add(doip->doi, NULL, NULL, NULL, &nai); 7128c2ecf20Sopenharmony_ci if (rc != 0) { 7138c2ecf20Sopenharmony_ci printk(KERN_WARNING "%s:%d map add rc = %d\n", 7148c2ecf20Sopenharmony_ci __func__, __LINE__, rc); 7158c2ecf20Sopenharmony_ci netlbl_cfg_cipsov4_del(doip->doi, &nai); 7168c2ecf20Sopenharmony_ci return; 7178c2ecf20Sopenharmony_ci } 7188c2ecf20Sopenharmony_ci} 7198c2ecf20Sopenharmony_ci 7208c2ecf20Sopenharmony_ci/** 7218c2ecf20Sopenharmony_ci * smk_unlbl_ambient - initialize the unlabeled domain 7228c2ecf20Sopenharmony_ci * @oldambient: previous domain string 7238c2ecf20Sopenharmony_ci */ 7248c2ecf20Sopenharmony_cistatic void smk_unlbl_ambient(char *oldambient) 7258c2ecf20Sopenharmony_ci{ 7268c2ecf20Sopenharmony_ci int rc; 7278c2ecf20Sopenharmony_ci struct netlbl_audit nai; 7288c2ecf20Sopenharmony_ci 7298c2ecf20Sopenharmony_ci smk_netlabel_audit_set(&nai); 7308c2ecf20Sopenharmony_ci 7318c2ecf20Sopenharmony_ci if (oldambient != NULL) { 7328c2ecf20Sopenharmony_ci rc = netlbl_cfg_map_del(oldambient, PF_INET, NULL, NULL, &nai); 7338c2ecf20Sopenharmony_ci if (rc != 0) 7348c2ecf20Sopenharmony_ci printk(KERN_WARNING "%s:%d remove rc = %d\n", 7358c2ecf20Sopenharmony_ci __func__, __LINE__, rc); 7368c2ecf20Sopenharmony_ci } 7378c2ecf20Sopenharmony_ci if (smack_net_ambient == NULL) 7388c2ecf20Sopenharmony_ci smack_net_ambient = &smack_known_floor; 7398c2ecf20Sopenharmony_ci 7408c2ecf20Sopenharmony_ci rc = netlbl_cfg_unlbl_map_add(smack_net_ambient->smk_known, PF_INET, 7418c2ecf20Sopenharmony_ci NULL, NULL, &nai); 7428c2ecf20Sopenharmony_ci if (rc != 0) 7438c2ecf20Sopenharmony_ci printk(KERN_WARNING "%s:%d add rc = %d\n", 7448c2ecf20Sopenharmony_ci __func__, __LINE__, rc); 7458c2ecf20Sopenharmony_ci} 7468c2ecf20Sopenharmony_ci 7478c2ecf20Sopenharmony_ci/* 7488c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/cipso 7498c2ecf20Sopenharmony_ci */ 7508c2ecf20Sopenharmony_ci 7518c2ecf20Sopenharmony_cistatic void *cipso_seq_start(struct seq_file *s, loff_t *pos) 7528c2ecf20Sopenharmony_ci{ 7538c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &smack_known_list); 7548c2ecf20Sopenharmony_ci} 7558c2ecf20Sopenharmony_ci 7568c2ecf20Sopenharmony_cistatic void *cipso_seq_next(struct seq_file *s, void *v, loff_t *pos) 7578c2ecf20Sopenharmony_ci{ 7588c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &smack_known_list); 7598c2ecf20Sopenharmony_ci} 7608c2ecf20Sopenharmony_ci 7618c2ecf20Sopenharmony_ci/* 7628c2ecf20Sopenharmony_ci * Print cipso labels in format: 7638c2ecf20Sopenharmony_ci * label level[/cat[,cat]] 7648c2ecf20Sopenharmony_ci */ 7658c2ecf20Sopenharmony_cistatic int cipso_seq_show(struct seq_file *s, void *v) 7668c2ecf20Sopenharmony_ci{ 7678c2ecf20Sopenharmony_ci struct list_head *list = v; 7688c2ecf20Sopenharmony_ci struct smack_known *skp = 7698c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_known, list); 7708c2ecf20Sopenharmony_ci struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; 7718c2ecf20Sopenharmony_ci char sep = '/'; 7728c2ecf20Sopenharmony_ci int i; 7738c2ecf20Sopenharmony_ci 7748c2ecf20Sopenharmony_ci /* 7758c2ecf20Sopenharmony_ci * Don't show a label that could not have been set using 7768c2ecf20Sopenharmony_ci * /smack/cipso. This is in support of the notion that 7778c2ecf20Sopenharmony_ci * anything read from /smack/cipso ought to be writeable 7788c2ecf20Sopenharmony_ci * to /smack/cipso. 7798c2ecf20Sopenharmony_ci * 7808c2ecf20Sopenharmony_ci * /smack/cipso2 should be used instead. 7818c2ecf20Sopenharmony_ci */ 7828c2ecf20Sopenharmony_ci if (strlen(skp->smk_known) >= SMK_LABELLEN) 7838c2ecf20Sopenharmony_ci return 0; 7848c2ecf20Sopenharmony_ci 7858c2ecf20Sopenharmony_ci seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); 7868c2ecf20Sopenharmony_ci 7878c2ecf20Sopenharmony_ci for (i = netlbl_catmap_walk(cmp, 0); i >= 0; 7888c2ecf20Sopenharmony_ci i = netlbl_catmap_walk(cmp, i + 1)) { 7898c2ecf20Sopenharmony_ci seq_printf(s, "%c%d", sep, i); 7908c2ecf20Sopenharmony_ci sep = ','; 7918c2ecf20Sopenharmony_ci } 7928c2ecf20Sopenharmony_ci 7938c2ecf20Sopenharmony_ci seq_putc(s, '\n'); 7948c2ecf20Sopenharmony_ci 7958c2ecf20Sopenharmony_ci return 0; 7968c2ecf20Sopenharmony_ci} 7978c2ecf20Sopenharmony_ci 7988c2ecf20Sopenharmony_cistatic const struct seq_operations cipso_seq_ops = { 7998c2ecf20Sopenharmony_ci .start = cipso_seq_start, 8008c2ecf20Sopenharmony_ci .next = cipso_seq_next, 8018c2ecf20Sopenharmony_ci .show = cipso_seq_show, 8028c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 8038c2ecf20Sopenharmony_ci}; 8048c2ecf20Sopenharmony_ci 8058c2ecf20Sopenharmony_ci/** 8068c2ecf20Sopenharmony_ci * smk_open_cipso - open() for /smack/cipso 8078c2ecf20Sopenharmony_ci * @inode: inode structure representing file 8088c2ecf20Sopenharmony_ci * @file: "cipso" file pointer 8098c2ecf20Sopenharmony_ci * 8108c2ecf20Sopenharmony_ci * Connect our cipso_seq_* operations with /smack/cipso 8118c2ecf20Sopenharmony_ci * file_operations 8128c2ecf20Sopenharmony_ci */ 8138c2ecf20Sopenharmony_cistatic int smk_open_cipso(struct inode *inode, struct file *file) 8148c2ecf20Sopenharmony_ci{ 8158c2ecf20Sopenharmony_ci return seq_open(file, &cipso_seq_ops); 8168c2ecf20Sopenharmony_ci} 8178c2ecf20Sopenharmony_ci 8188c2ecf20Sopenharmony_ci/** 8198c2ecf20Sopenharmony_ci * smk_set_cipso - do the work for write() for cipso and cipso2 8208c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 8218c2ecf20Sopenharmony_ci * @buf: where to get the data from 8228c2ecf20Sopenharmony_ci * @count: bytes sent 8238c2ecf20Sopenharmony_ci * @ppos: where to start 8248c2ecf20Sopenharmony_ci * @format: /smack/cipso or /smack/cipso2 8258c2ecf20Sopenharmony_ci * 8268c2ecf20Sopenharmony_ci * Accepts only one cipso rule per write call. 8278c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 8288c2ecf20Sopenharmony_ci */ 8298c2ecf20Sopenharmony_cistatic ssize_t smk_set_cipso(struct file *file, const char __user *buf, 8308c2ecf20Sopenharmony_ci size_t count, loff_t *ppos, int format) 8318c2ecf20Sopenharmony_ci{ 8328c2ecf20Sopenharmony_ci struct netlbl_lsm_catmap *old_cat; 8338c2ecf20Sopenharmony_ci struct smack_known *skp; 8348c2ecf20Sopenharmony_ci struct netlbl_lsm_secattr ncats; 8358c2ecf20Sopenharmony_ci char mapcatset[SMK_CIPSOLEN]; 8368c2ecf20Sopenharmony_ci int maplevel; 8378c2ecf20Sopenharmony_ci unsigned int cat; 8388c2ecf20Sopenharmony_ci int catlen; 8398c2ecf20Sopenharmony_ci ssize_t rc = -EINVAL; 8408c2ecf20Sopenharmony_ci char *data = NULL; 8418c2ecf20Sopenharmony_ci char *rule; 8428c2ecf20Sopenharmony_ci int ret; 8438c2ecf20Sopenharmony_ci int i; 8448c2ecf20Sopenharmony_ci 8458c2ecf20Sopenharmony_ci /* 8468c2ecf20Sopenharmony_ci * Must have privilege. 8478c2ecf20Sopenharmony_ci * No partial writes. 8488c2ecf20Sopenharmony_ci * Enough data must be present. 8498c2ecf20Sopenharmony_ci */ 8508c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 8518c2ecf20Sopenharmony_ci return -EPERM; 8528c2ecf20Sopenharmony_ci if (*ppos != 0) 8538c2ecf20Sopenharmony_ci return -EINVAL; 8548c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT && 8558c2ecf20Sopenharmony_ci (count < SMK_CIPSOMIN || count > SMK_CIPSOMAX)) 8568c2ecf20Sopenharmony_ci return -EINVAL; 8578c2ecf20Sopenharmony_ci if (count > PAGE_SIZE) 8588c2ecf20Sopenharmony_ci return -EINVAL; 8598c2ecf20Sopenharmony_ci 8608c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 8618c2ecf20Sopenharmony_ci if (IS_ERR(data)) 8628c2ecf20Sopenharmony_ci return PTR_ERR(data); 8638c2ecf20Sopenharmony_ci 8648c2ecf20Sopenharmony_ci rule = data; 8658c2ecf20Sopenharmony_ci /* 8668c2ecf20Sopenharmony_ci * Only allow one writer at a time. Writes should be 8678c2ecf20Sopenharmony_ci * quite rare and small in any case. 8688c2ecf20Sopenharmony_ci */ 8698c2ecf20Sopenharmony_ci mutex_lock(&smack_cipso_lock); 8708c2ecf20Sopenharmony_ci 8718c2ecf20Sopenharmony_ci skp = smk_import_entry(rule, 0); 8728c2ecf20Sopenharmony_ci if (IS_ERR(skp)) { 8738c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 8748c2ecf20Sopenharmony_ci goto out; 8758c2ecf20Sopenharmony_ci } 8768c2ecf20Sopenharmony_ci 8778c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT) 8788c2ecf20Sopenharmony_ci rule += SMK_LABELLEN; 8798c2ecf20Sopenharmony_ci else 8808c2ecf20Sopenharmony_ci rule += strlen(skp->smk_known) + 1; 8818c2ecf20Sopenharmony_ci 8828c2ecf20Sopenharmony_ci if (rule > data + count) { 8838c2ecf20Sopenharmony_ci rc = -EOVERFLOW; 8848c2ecf20Sopenharmony_ci goto out; 8858c2ecf20Sopenharmony_ci } 8868c2ecf20Sopenharmony_ci 8878c2ecf20Sopenharmony_ci ret = sscanf(rule, "%d", &maplevel); 8888c2ecf20Sopenharmony_ci if (ret != 1 || maplevel < 0 || maplevel > SMACK_CIPSO_MAXLEVEL) 8898c2ecf20Sopenharmony_ci goto out; 8908c2ecf20Sopenharmony_ci 8918c2ecf20Sopenharmony_ci rule += SMK_DIGITLEN; 8928c2ecf20Sopenharmony_ci if (rule > data + count) { 8938c2ecf20Sopenharmony_ci rc = -EOVERFLOW; 8948c2ecf20Sopenharmony_ci goto out; 8958c2ecf20Sopenharmony_ci } 8968c2ecf20Sopenharmony_ci 8978c2ecf20Sopenharmony_ci ret = sscanf(rule, "%d", &catlen); 8988c2ecf20Sopenharmony_ci if (ret != 1 || catlen < 0 || catlen > SMACK_CIPSO_MAXCATNUM) 8998c2ecf20Sopenharmony_ci goto out; 9008c2ecf20Sopenharmony_ci 9018c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT && 9028c2ecf20Sopenharmony_ci count != (SMK_CIPSOMIN + catlen * SMK_DIGITLEN)) 9038c2ecf20Sopenharmony_ci goto out; 9048c2ecf20Sopenharmony_ci 9058c2ecf20Sopenharmony_ci memset(mapcatset, 0, sizeof(mapcatset)); 9068c2ecf20Sopenharmony_ci 9078c2ecf20Sopenharmony_ci for (i = 0; i < catlen; i++) { 9088c2ecf20Sopenharmony_ci rule += SMK_DIGITLEN; 9098c2ecf20Sopenharmony_ci if (rule > data + count) { 9108c2ecf20Sopenharmony_ci rc = -EOVERFLOW; 9118c2ecf20Sopenharmony_ci goto out; 9128c2ecf20Sopenharmony_ci } 9138c2ecf20Sopenharmony_ci ret = sscanf(rule, "%u", &cat); 9148c2ecf20Sopenharmony_ci if (ret != 1 || cat > SMACK_CIPSO_MAXCATNUM) 9158c2ecf20Sopenharmony_ci goto out; 9168c2ecf20Sopenharmony_ci 9178c2ecf20Sopenharmony_ci smack_catset_bit(cat, mapcatset); 9188c2ecf20Sopenharmony_ci } 9198c2ecf20Sopenharmony_ci 9208c2ecf20Sopenharmony_ci rc = smk_netlbl_mls(maplevel, mapcatset, &ncats, SMK_CIPSOLEN); 9218c2ecf20Sopenharmony_ci if (rc >= 0) { 9228c2ecf20Sopenharmony_ci old_cat = skp->smk_netlabel.attr.mls.cat; 9238c2ecf20Sopenharmony_ci skp->smk_netlabel.attr.mls.cat = ncats.attr.mls.cat; 9248c2ecf20Sopenharmony_ci skp->smk_netlabel.attr.mls.lvl = ncats.attr.mls.lvl; 9258c2ecf20Sopenharmony_ci synchronize_rcu(); 9268c2ecf20Sopenharmony_ci netlbl_catmap_free(old_cat); 9278c2ecf20Sopenharmony_ci rc = count; 9288c2ecf20Sopenharmony_ci /* 9298c2ecf20Sopenharmony_ci * This mapping may have been cached, so clear the cache. 9308c2ecf20Sopenharmony_ci */ 9318c2ecf20Sopenharmony_ci netlbl_cache_invalidate(); 9328c2ecf20Sopenharmony_ci } 9338c2ecf20Sopenharmony_ci 9348c2ecf20Sopenharmony_ciout: 9358c2ecf20Sopenharmony_ci mutex_unlock(&smack_cipso_lock); 9368c2ecf20Sopenharmony_ci kfree(data); 9378c2ecf20Sopenharmony_ci return rc; 9388c2ecf20Sopenharmony_ci} 9398c2ecf20Sopenharmony_ci 9408c2ecf20Sopenharmony_ci/** 9418c2ecf20Sopenharmony_ci * smk_write_cipso - write() for /smack/cipso 9428c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 9438c2ecf20Sopenharmony_ci * @buf: where to get the data from 9448c2ecf20Sopenharmony_ci * @count: bytes sent 9458c2ecf20Sopenharmony_ci * @ppos: where to start 9468c2ecf20Sopenharmony_ci * 9478c2ecf20Sopenharmony_ci * Accepts only one cipso rule per write call. 9488c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 9498c2ecf20Sopenharmony_ci */ 9508c2ecf20Sopenharmony_cistatic ssize_t smk_write_cipso(struct file *file, const char __user *buf, 9518c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 9528c2ecf20Sopenharmony_ci{ 9538c2ecf20Sopenharmony_ci return smk_set_cipso(file, buf, count, ppos, SMK_FIXED24_FMT); 9548c2ecf20Sopenharmony_ci} 9558c2ecf20Sopenharmony_ci 9568c2ecf20Sopenharmony_cistatic const struct file_operations smk_cipso_ops = { 9578c2ecf20Sopenharmony_ci .open = smk_open_cipso, 9588c2ecf20Sopenharmony_ci .read = seq_read, 9598c2ecf20Sopenharmony_ci .llseek = seq_lseek, 9608c2ecf20Sopenharmony_ci .write = smk_write_cipso, 9618c2ecf20Sopenharmony_ci .release = seq_release, 9628c2ecf20Sopenharmony_ci}; 9638c2ecf20Sopenharmony_ci 9648c2ecf20Sopenharmony_ci/* 9658c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/cipso2 9668c2ecf20Sopenharmony_ci */ 9678c2ecf20Sopenharmony_ci 9688c2ecf20Sopenharmony_ci/* 9698c2ecf20Sopenharmony_ci * Print cipso labels in format: 9708c2ecf20Sopenharmony_ci * label level[/cat[,cat]] 9718c2ecf20Sopenharmony_ci */ 9728c2ecf20Sopenharmony_cistatic int cipso2_seq_show(struct seq_file *s, void *v) 9738c2ecf20Sopenharmony_ci{ 9748c2ecf20Sopenharmony_ci struct list_head *list = v; 9758c2ecf20Sopenharmony_ci struct smack_known *skp = 9768c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_known, list); 9778c2ecf20Sopenharmony_ci struct netlbl_lsm_catmap *cmp = skp->smk_netlabel.attr.mls.cat; 9788c2ecf20Sopenharmony_ci char sep = '/'; 9798c2ecf20Sopenharmony_ci int i; 9808c2ecf20Sopenharmony_ci 9818c2ecf20Sopenharmony_ci seq_printf(s, "%s %3d", skp->smk_known, skp->smk_netlabel.attr.mls.lvl); 9828c2ecf20Sopenharmony_ci 9838c2ecf20Sopenharmony_ci for (i = netlbl_catmap_walk(cmp, 0); i >= 0; 9848c2ecf20Sopenharmony_ci i = netlbl_catmap_walk(cmp, i + 1)) { 9858c2ecf20Sopenharmony_ci seq_printf(s, "%c%d", sep, i); 9868c2ecf20Sopenharmony_ci sep = ','; 9878c2ecf20Sopenharmony_ci } 9888c2ecf20Sopenharmony_ci 9898c2ecf20Sopenharmony_ci seq_putc(s, '\n'); 9908c2ecf20Sopenharmony_ci 9918c2ecf20Sopenharmony_ci return 0; 9928c2ecf20Sopenharmony_ci} 9938c2ecf20Sopenharmony_ci 9948c2ecf20Sopenharmony_cistatic const struct seq_operations cipso2_seq_ops = { 9958c2ecf20Sopenharmony_ci .start = cipso_seq_start, 9968c2ecf20Sopenharmony_ci .next = cipso_seq_next, 9978c2ecf20Sopenharmony_ci .show = cipso2_seq_show, 9988c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 9998c2ecf20Sopenharmony_ci}; 10008c2ecf20Sopenharmony_ci 10018c2ecf20Sopenharmony_ci/** 10028c2ecf20Sopenharmony_ci * smk_open_cipso2 - open() for /smack/cipso2 10038c2ecf20Sopenharmony_ci * @inode: inode structure representing file 10048c2ecf20Sopenharmony_ci * @file: "cipso2" file pointer 10058c2ecf20Sopenharmony_ci * 10068c2ecf20Sopenharmony_ci * Connect our cipso_seq_* operations with /smack/cipso2 10078c2ecf20Sopenharmony_ci * file_operations 10088c2ecf20Sopenharmony_ci */ 10098c2ecf20Sopenharmony_cistatic int smk_open_cipso2(struct inode *inode, struct file *file) 10108c2ecf20Sopenharmony_ci{ 10118c2ecf20Sopenharmony_ci return seq_open(file, &cipso2_seq_ops); 10128c2ecf20Sopenharmony_ci} 10138c2ecf20Sopenharmony_ci 10148c2ecf20Sopenharmony_ci/** 10158c2ecf20Sopenharmony_ci * smk_write_cipso2 - write() for /smack/cipso2 10168c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 10178c2ecf20Sopenharmony_ci * @buf: where to get the data from 10188c2ecf20Sopenharmony_ci * @count: bytes sent 10198c2ecf20Sopenharmony_ci * @ppos: where to start 10208c2ecf20Sopenharmony_ci * 10218c2ecf20Sopenharmony_ci * Accepts only one cipso rule per write call. 10228c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 10238c2ecf20Sopenharmony_ci */ 10248c2ecf20Sopenharmony_cistatic ssize_t smk_write_cipso2(struct file *file, const char __user *buf, 10258c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 10268c2ecf20Sopenharmony_ci{ 10278c2ecf20Sopenharmony_ci return smk_set_cipso(file, buf, count, ppos, SMK_LONG_FMT); 10288c2ecf20Sopenharmony_ci} 10298c2ecf20Sopenharmony_ci 10308c2ecf20Sopenharmony_cistatic const struct file_operations smk_cipso2_ops = { 10318c2ecf20Sopenharmony_ci .open = smk_open_cipso2, 10328c2ecf20Sopenharmony_ci .read = seq_read, 10338c2ecf20Sopenharmony_ci .llseek = seq_lseek, 10348c2ecf20Sopenharmony_ci .write = smk_write_cipso2, 10358c2ecf20Sopenharmony_ci .release = seq_release, 10368c2ecf20Sopenharmony_ci}; 10378c2ecf20Sopenharmony_ci 10388c2ecf20Sopenharmony_ci/* 10398c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/netlabel 10408c2ecf20Sopenharmony_ci */ 10418c2ecf20Sopenharmony_ci 10428c2ecf20Sopenharmony_cistatic void *net4addr_seq_start(struct seq_file *s, loff_t *pos) 10438c2ecf20Sopenharmony_ci{ 10448c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &smk_net4addr_list); 10458c2ecf20Sopenharmony_ci} 10468c2ecf20Sopenharmony_ci 10478c2ecf20Sopenharmony_cistatic void *net4addr_seq_next(struct seq_file *s, void *v, loff_t *pos) 10488c2ecf20Sopenharmony_ci{ 10498c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &smk_net4addr_list); 10508c2ecf20Sopenharmony_ci} 10518c2ecf20Sopenharmony_ci 10528c2ecf20Sopenharmony_ci/* 10538c2ecf20Sopenharmony_ci * Print host/label pairs 10548c2ecf20Sopenharmony_ci */ 10558c2ecf20Sopenharmony_cistatic int net4addr_seq_show(struct seq_file *s, void *v) 10568c2ecf20Sopenharmony_ci{ 10578c2ecf20Sopenharmony_ci struct list_head *list = v; 10588c2ecf20Sopenharmony_ci struct smk_net4addr *skp = 10598c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smk_net4addr, list); 10608c2ecf20Sopenharmony_ci char *kp = SMACK_CIPSO_OPTION; 10618c2ecf20Sopenharmony_ci 10628c2ecf20Sopenharmony_ci if (skp->smk_label != NULL) 10638c2ecf20Sopenharmony_ci kp = skp->smk_label->smk_known; 10648c2ecf20Sopenharmony_ci seq_printf(s, "%pI4/%d %s\n", &skp->smk_host.s_addr, 10658c2ecf20Sopenharmony_ci skp->smk_masks, kp); 10668c2ecf20Sopenharmony_ci 10678c2ecf20Sopenharmony_ci return 0; 10688c2ecf20Sopenharmony_ci} 10698c2ecf20Sopenharmony_ci 10708c2ecf20Sopenharmony_cistatic const struct seq_operations net4addr_seq_ops = { 10718c2ecf20Sopenharmony_ci .start = net4addr_seq_start, 10728c2ecf20Sopenharmony_ci .next = net4addr_seq_next, 10738c2ecf20Sopenharmony_ci .show = net4addr_seq_show, 10748c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 10758c2ecf20Sopenharmony_ci}; 10768c2ecf20Sopenharmony_ci 10778c2ecf20Sopenharmony_ci/** 10788c2ecf20Sopenharmony_ci * smk_open_net4addr - open() for /smack/netlabel 10798c2ecf20Sopenharmony_ci * @inode: inode structure representing file 10808c2ecf20Sopenharmony_ci * @file: "netlabel" file pointer 10818c2ecf20Sopenharmony_ci * 10828c2ecf20Sopenharmony_ci * Connect our net4addr_seq_* operations with /smack/netlabel 10838c2ecf20Sopenharmony_ci * file_operations 10848c2ecf20Sopenharmony_ci */ 10858c2ecf20Sopenharmony_cistatic int smk_open_net4addr(struct inode *inode, struct file *file) 10868c2ecf20Sopenharmony_ci{ 10878c2ecf20Sopenharmony_ci return seq_open(file, &net4addr_seq_ops); 10888c2ecf20Sopenharmony_ci} 10898c2ecf20Sopenharmony_ci 10908c2ecf20Sopenharmony_ci/** 10918c2ecf20Sopenharmony_ci * smk_net4addr_insert 10928c2ecf20Sopenharmony_ci * @new : netlabel to insert 10938c2ecf20Sopenharmony_ci * 10948c2ecf20Sopenharmony_ci * This helper insert netlabel in the smack_net4addrs list 10958c2ecf20Sopenharmony_ci * sorted by netmask length (longest to smallest) 10968c2ecf20Sopenharmony_ci * locked by &smk_net4addr_lock in smk_write_net4addr 10978c2ecf20Sopenharmony_ci * 10988c2ecf20Sopenharmony_ci */ 10998c2ecf20Sopenharmony_cistatic void smk_net4addr_insert(struct smk_net4addr *new) 11008c2ecf20Sopenharmony_ci{ 11018c2ecf20Sopenharmony_ci struct smk_net4addr *m; 11028c2ecf20Sopenharmony_ci struct smk_net4addr *m_next; 11038c2ecf20Sopenharmony_ci 11048c2ecf20Sopenharmony_ci if (list_empty(&smk_net4addr_list)) { 11058c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &smk_net4addr_list); 11068c2ecf20Sopenharmony_ci return; 11078c2ecf20Sopenharmony_ci } 11088c2ecf20Sopenharmony_ci 11098c2ecf20Sopenharmony_ci m = list_entry_rcu(smk_net4addr_list.next, 11108c2ecf20Sopenharmony_ci struct smk_net4addr, list); 11118c2ecf20Sopenharmony_ci 11128c2ecf20Sopenharmony_ci /* the comparison '>' is a bit hacky, but works */ 11138c2ecf20Sopenharmony_ci if (new->smk_masks > m->smk_masks) { 11148c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &smk_net4addr_list); 11158c2ecf20Sopenharmony_ci return; 11168c2ecf20Sopenharmony_ci } 11178c2ecf20Sopenharmony_ci 11188c2ecf20Sopenharmony_ci list_for_each_entry_rcu(m, &smk_net4addr_list, list) { 11198c2ecf20Sopenharmony_ci if (list_is_last(&m->list, &smk_net4addr_list)) { 11208c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &m->list); 11218c2ecf20Sopenharmony_ci return; 11228c2ecf20Sopenharmony_ci } 11238c2ecf20Sopenharmony_ci m_next = list_entry_rcu(m->list.next, 11248c2ecf20Sopenharmony_ci struct smk_net4addr, list); 11258c2ecf20Sopenharmony_ci if (new->smk_masks > m_next->smk_masks) { 11268c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &m->list); 11278c2ecf20Sopenharmony_ci return; 11288c2ecf20Sopenharmony_ci } 11298c2ecf20Sopenharmony_ci } 11308c2ecf20Sopenharmony_ci} 11318c2ecf20Sopenharmony_ci 11328c2ecf20Sopenharmony_ci 11338c2ecf20Sopenharmony_ci/** 11348c2ecf20Sopenharmony_ci * smk_write_net4addr - write() for /smack/netlabel 11358c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 11368c2ecf20Sopenharmony_ci * @buf: where to get the data from 11378c2ecf20Sopenharmony_ci * @count: bytes sent 11388c2ecf20Sopenharmony_ci * @ppos: where to start 11398c2ecf20Sopenharmony_ci * 11408c2ecf20Sopenharmony_ci * Accepts only one net4addr per write call. 11418c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 11428c2ecf20Sopenharmony_ci */ 11438c2ecf20Sopenharmony_cistatic ssize_t smk_write_net4addr(struct file *file, const char __user *buf, 11448c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 11458c2ecf20Sopenharmony_ci{ 11468c2ecf20Sopenharmony_ci struct smk_net4addr *snp; 11478c2ecf20Sopenharmony_ci struct sockaddr_in newname; 11488c2ecf20Sopenharmony_ci char *smack; 11498c2ecf20Sopenharmony_ci struct smack_known *skp = NULL; 11508c2ecf20Sopenharmony_ci char *data; 11518c2ecf20Sopenharmony_ci char *host = (char *)&newname.sin_addr.s_addr; 11528c2ecf20Sopenharmony_ci int rc; 11538c2ecf20Sopenharmony_ci struct netlbl_audit audit_info; 11548c2ecf20Sopenharmony_ci struct in_addr mask; 11558c2ecf20Sopenharmony_ci unsigned int m; 11568c2ecf20Sopenharmony_ci unsigned int masks; 11578c2ecf20Sopenharmony_ci int found; 11588c2ecf20Sopenharmony_ci u32 mask_bits = (1<<31); 11598c2ecf20Sopenharmony_ci __be32 nsa; 11608c2ecf20Sopenharmony_ci u32 temp_mask; 11618c2ecf20Sopenharmony_ci 11628c2ecf20Sopenharmony_ci /* 11638c2ecf20Sopenharmony_ci * Must have privilege. 11648c2ecf20Sopenharmony_ci * No partial writes. 11658c2ecf20Sopenharmony_ci * Enough data must be present. 11668c2ecf20Sopenharmony_ci * "<addr/mask, as a.b.c.d/e><space><label>" 11678c2ecf20Sopenharmony_ci * "<addr, as a.b.c.d><space><label>" 11688c2ecf20Sopenharmony_ci */ 11698c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 11708c2ecf20Sopenharmony_ci return -EPERM; 11718c2ecf20Sopenharmony_ci if (*ppos != 0) 11728c2ecf20Sopenharmony_ci return -EINVAL; 11738c2ecf20Sopenharmony_ci if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) 11748c2ecf20Sopenharmony_ci return -EINVAL; 11758c2ecf20Sopenharmony_ci 11768c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 11778c2ecf20Sopenharmony_ci if (IS_ERR(data)) 11788c2ecf20Sopenharmony_ci return PTR_ERR(data); 11798c2ecf20Sopenharmony_ci 11808c2ecf20Sopenharmony_ci smack = kzalloc(count + 1, GFP_KERNEL); 11818c2ecf20Sopenharmony_ci if (smack == NULL) { 11828c2ecf20Sopenharmony_ci rc = -ENOMEM; 11838c2ecf20Sopenharmony_ci goto free_data_out; 11848c2ecf20Sopenharmony_ci } 11858c2ecf20Sopenharmony_ci 11868c2ecf20Sopenharmony_ci rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd/%u %s", 11878c2ecf20Sopenharmony_ci &host[0], &host[1], &host[2], &host[3], &masks, smack); 11888c2ecf20Sopenharmony_ci if (rc != 6) { 11898c2ecf20Sopenharmony_ci rc = sscanf(data, "%hhd.%hhd.%hhd.%hhd %s", 11908c2ecf20Sopenharmony_ci &host[0], &host[1], &host[2], &host[3], smack); 11918c2ecf20Sopenharmony_ci if (rc != 5) { 11928c2ecf20Sopenharmony_ci rc = -EINVAL; 11938c2ecf20Sopenharmony_ci goto free_out; 11948c2ecf20Sopenharmony_ci } 11958c2ecf20Sopenharmony_ci m = BEBITS; 11968c2ecf20Sopenharmony_ci masks = 32; 11978c2ecf20Sopenharmony_ci } 11988c2ecf20Sopenharmony_ci if (masks > BEBITS) { 11998c2ecf20Sopenharmony_ci rc = -EINVAL; 12008c2ecf20Sopenharmony_ci goto free_out; 12018c2ecf20Sopenharmony_ci } 12028c2ecf20Sopenharmony_ci 12038c2ecf20Sopenharmony_ci /* 12048c2ecf20Sopenharmony_ci * If smack begins with '-', it is an option, don't import it 12058c2ecf20Sopenharmony_ci */ 12068c2ecf20Sopenharmony_ci if (smack[0] != '-') { 12078c2ecf20Sopenharmony_ci skp = smk_import_entry(smack, 0); 12088c2ecf20Sopenharmony_ci if (IS_ERR(skp)) { 12098c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 12108c2ecf20Sopenharmony_ci goto free_out; 12118c2ecf20Sopenharmony_ci } 12128c2ecf20Sopenharmony_ci } else { 12138c2ecf20Sopenharmony_ci /* 12148c2ecf20Sopenharmony_ci * Only the -CIPSO option is supported for IPv4 12158c2ecf20Sopenharmony_ci */ 12168c2ecf20Sopenharmony_ci if (strcmp(smack, SMACK_CIPSO_OPTION) != 0) { 12178c2ecf20Sopenharmony_ci rc = -EINVAL; 12188c2ecf20Sopenharmony_ci goto free_out; 12198c2ecf20Sopenharmony_ci } 12208c2ecf20Sopenharmony_ci } 12218c2ecf20Sopenharmony_ci 12228c2ecf20Sopenharmony_ci for (m = masks, temp_mask = 0; m > 0; m--) { 12238c2ecf20Sopenharmony_ci temp_mask |= mask_bits; 12248c2ecf20Sopenharmony_ci mask_bits >>= 1; 12258c2ecf20Sopenharmony_ci } 12268c2ecf20Sopenharmony_ci mask.s_addr = cpu_to_be32(temp_mask); 12278c2ecf20Sopenharmony_ci 12288c2ecf20Sopenharmony_ci newname.sin_addr.s_addr &= mask.s_addr; 12298c2ecf20Sopenharmony_ci /* 12308c2ecf20Sopenharmony_ci * Only allow one writer at a time. Writes should be 12318c2ecf20Sopenharmony_ci * quite rare and small in any case. 12328c2ecf20Sopenharmony_ci */ 12338c2ecf20Sopenharmony_ci mutex_lock(&smk_net4addr_lock); 12348c2ecf20Sopenharmony_ci 12358c2ecf20Sopenharmony_ci nsa = newname.sin_addr.s_addr; 12368c2ecf20Sopenharmony_ci /* try to find if the prefix is already in the list */ 12378c2ecf20Sopenharmony_ci found = 0; 12388c2ecf20Sopenharmony_ci list_for_each_entry_rcu(snp, &smk_net4addr_list, list) { 12398c2ecf20Sopenharmony_ci if (snp->smk_host.s_addr == nsa && snp->smk_masks == masks) { 12408c2ecf20Sopenharmony_ci found = 1; 12418c2ecf20Sopenharmony_ci break; 12428c2ecf20Sopenharmony_ci } 12438c2ecf20Sopenharmony_ci } 12448c2ecf20Sopenharmony_ci smk_netlabel_audit_set(&audit_info); 12458c2ecf20Sopenharmony_ci 12468c2ecf20Sopenharmony_ci if (found == 0) { 12478c2ecf20Sopenharmony_ci snp = kzalloc(sizeof(*snp), GFP_KERNEL); 12488c2ecf20Sopenharmony_ci if (snp == NULL) 12498c2ecf20Sopenharmony_ci rc = -ENOMEM; 12508c2ecf20Sopenharmony_ci else { 12518c2ecf20Sopenharmony_ci rc = 0; 12528c2ecf20Sopenharmony_ci snp->smk_host.s_addr = newname.sin_addr.s_addr; 12538c2ecf20Sopenharmony_ci snp->smk_mask.s_addr = mask.s_addr; 12548c2ecf20Sopenharmony_ci snp->smk_label = skp; 12558c2ecf20Sopenharmony_ci snp->smk_masks = masks; 12568c2ecf20Sopenharmony_ci smk_net4addr_insert(snp); 12578c2ecf20Sopenharmony_ci } 12588c2ecf20Sopenharmony_ci } else { 12598c2ecf20Sopenharmony_ci /* 12608c2ecf20Sopenharmony_ci * Delete the unlabeled entry, only if the previous label 12618c2ecf20Sopenharmony_ci * wasn't the special CIPSO option 12628c2ecf20Sopenharmony_ci */ 12638c2ecf20Sopenharmony_ci if (snp->smk_label != NULL) 12648c2ecf20Sopenharmony_ci rc = netlbl_cfg_unlbl_static_del(&init_net, NULL, 12658c2ecf20Sopenharmony_ci &snp->smk_host, &snp->smk_mask, 12668c2ecf20Sopenharmony_ci PF_INET, &audit_info); 12678c2ecf20Sopenharmony_ci else 12688c2ecf20Sopenharmony_ci rc = 0; 12698c2ecf20Sopenharmony_ci snp->smk_label = skp; 12708c2ecf20Sopenharmony_ci } 12718c2ecf20Sopenharmony_ci 12728c2ecf20Sopenharmony_ci /* 12738c2ecf20Sopenharmony_ci * Now tell netlabel about the single label nature of 12748c2ecf20Sopenharmony_ci * this host so that incoming packets get labeled. 12758c2ecf20Sopenharmony_ci * but only if we didn't get the special CIPSO option 12768c2ecf20Sopenharmony_ci */ 12778c2ecf20Sopenharmony_ci if (rc == 0 && skp != NULL) 12788c2ecf20Sopenharmony_ci rc = netlbl_cfg_unlbl_static_add(&init_net, NULL, 12798c2ecf20Sopenharmony_ci &snp->smk_host, &snp->smk_mask, PF_INET, 12808c2ecf20Sopenharmony_ci snp->smk_label->smk_secid, &audit_info); 12818c2ecf20Sopenharmony_ci 12828c2ecf20Sopenharmony_ci if (rc == 0) 12838c2ecf20Sopenharmony_ci rc = count; 12848c2ecf20Sopenharmony_ci 12858c2ecf20Sopenharmony_ci mutex_unlock(&smk_net4addr_lock); 12868c2ecf20Sopenharmony_ci 12878c2ecf20Sopenharmony_cifree_out: 12888c2ecf20Sopenharmony_ci kfree(smack); 12898c2ecf20Sopenharmony_cifree_data_out: 12908c2ecf20Sopenharmony_ci kfree(data); 12918c2ecf20Sopenharmony_ci 12928c2ecf20Sopenharmony_ci return rc; 12938c2ecf20Sopenharmony_ci} 12948c2ecf20Sopenharmony_ci 12958c2ecf20Sopenharmony_cistatic const struct file_operations smk_net4addr_ops = { 12968c2ecf20Sopenharmony_ci .open = smk_open_net4addr, 12978c2ecf20Sopenharmony_ci .read = seq_read, 12988c2ecf20Sopenharmony_ci .llseek = seq_lseek, 12998c2ecf20Sopenharmony_ci .write = smk_write_net4addr, 13008c2ecf20Sopenharmony_ci .release = seq_release, 13018c2ecf20Sopenharmony_ci}; 13028c2ecf20Sopenharmony_ci 13038c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_IPV6) 13048c2ecf20Sopenharmony_ci/* 13058c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/netlabel6 13068c2ecf20Sopenharmony_ci */ 13078c2ecf20Sopenharmony_ci 13088c2ecf20Sopenharmony_cistatic void *net6addr_seq_start(struct seq_file *s, loff_t *pos) 13098c2ecf20Sopenharmony_ci{ 13108c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &smk_net6addr_list); 13118c2ecf20Sopenharmony_ci} 13128c2ecf20Sopenharmony_ci 13138c2ecf20Sopenharmony_cistatic void *net6addr_seq_next(struct seq_file *s, void *v, loff_t *pos) 13148c2ecf20Sopenharmony_ci{ 13158c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &smk_net6addr_list); 13168c2ecf20Sopenharmony_ci} 13178c2ecf20Sopenharmony_ci 13188c2ecf20Sopenharmony_ci/* 13198c2ecf20Sopenharmony_ci * Print host/label pairs 13208c2ecf20Sopenharmony_ci */ 13218c2ecf20Sopenharmony_cistatic int net6addr_seq_show(struct seq_file *s, void *v) 13228c2ecf20Sopenharmony_ci{ 13238c2ecf20Sopenharmony_ci struct list_head *list = v; 13248c2ecf20Sopenharmony_ci struct smk_net6addr *skp = 13258c2ecf20Sopenharmony_ci list_entry(list, struct smk_net6addr, list); 13268c2ecf20Sopenharmony_ci 13278c2ecf20Sopenharmony_ci if (skp->smk_label != NULL) 13288c2ecf20Sopenharmony_ci seq_printf(s, "%pI6/%d %s\n", &skp->smk_host, skp->smk_masks, 13298c2ecf20Sopenharmony_ci skp->smk_label->smk_known); 13308c2ecf20Sopenharmony_ci 13318c2ecf20Sopenharmony_ci return 0; 13328c2ecf20Sopenharmony_ci} 13338c2ecf20Sopenharmony_ci 13348c2ecf20Sopenharmony_cistatic const struct seq_operations net6addr_seq_ops = { 13358c2ecf20Sopenharmony_ci .start = net6addr_seq_start, 13368c2ecf20Sopenharmony_ci .next = net6addr_seq_next, 13378c2ecf20Sopenharmony_ci .show = net6addr_seq_show, 13388c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 13398c2ecf20Sopenharmony_ci}; 13408c2ecf20Sopenharmony_ci 13418c2ecf20Sopenharmony_ci/** 13428c2ecf20Sopenharmony_ci * smk_open_net6addr - open() for /smack/netlabel 13438c2ecf20Sopenharmony_ci * @inode: inode structure representing file 13448c2ecf20Sopenharmony_ci * @file: "netlabel" file pointer 13458c2ecf20Sopenharmony_ci * 13468c2ecf20Sopenharmony_ci * Connect our net6addr_seq_* operations with /smack/netlabel 13478c2ecf20Sopenharmony_ci * file_operations 13488c2ecf20Sopenharmony_ci */ 13498c2ecf20Sopenharmony_cistatic int smk_open_net6addr(struct inode *inode, struct file *file) 13508c2ecf20Sopenharmony_ci{ 13518c2ecf20Sopenharmony_ci return seq_open(file, &net6addr_seq_ops); 13528c2ecf20Sopenharmony_ci} 13538c2ecf20Sopenharmony_ci 13548c2ecf20Sopenharmony_ci/** 13558c2ecf20Sopenharmony_ci * smk_net6addr_insert 13568c2ecf20Sopenharmony_ci * @new : entry to insert 13578c2ecf20Sopenharmony_ci * 13588c2ecf20Sopenharmony_ci * This inserts an entry in the smack_net6addrs list 13598c2ecf20Sopenharmony_ci * sorted by netmask length (longest to smallest) 13608c2ecf20Sopenharmony_ci * locked by &smk_net6addr_lock in smk_write_net6addr 13618c2ecf20Sopenharmony_ci * 13628c2ecf20Sopenharmony_ci */ 13638c2ecf20Sopenharmony_cistatic void smk_net6addr_insert(struct smk_net6addr *new) 13648c2ecf20Sopenharmony_ci{ 13658c2ecf20Sopenharmony_ci struct smk_net6addr *m_next; 13668c2ecf20Sopenharmony_ci struct smk_net6addr *m; 13678c2ecf20Sopenharmony_ci 13688c2ecf20Sopenharmony_ci if (list_empty(&smk_net6addr_list)) { 13698c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &smk_net6addr_list); 13708c2ecf20Sopenharmony_ci return; 13718c2ecf20Sopenharmony_ci } 13728c2ecf20Sopenharmony_ci 13738c2ecf20Sopenharmony_ci m = list_entry_rcu(smk_net6addr_list.next, 13748c2ecf20Sopenharmony_ci struct smk_net6addr, list); 13758c2ecf20Sopenharmony_ci 13768c2ecf20Sopenharmony_ci if (new->smk_masks > m->smk_masks) { 13778c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &smk_net6addr_list); 13788c2ecf20Sopenharmony_ci return; 13798c2ecf20Sopenharmony_ci } 13808c2ecf20Sopenharmony_ci 13818c2ecf20Sopenharmony_ci list_for_each_entry_rcu(m, &smk_net6addr_list, list) { 13828c2ecf20Sopenharmony_ci if (list_is_last(&m->list, &smk_net6addr_list)) { 13838c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &m->list); 13848c2ecf20Sopenharmony_ci return; 13858c2ecf20Sopenharmony_ci } 13868c2ecf20Sopenharmony_ci m_next = list_entry_rcu(m->list.next, 13878c2ecf20Sopenharmony_ci struct smk_net6addr, list); 13888c2ecf20Sopenharmony_ci if (new->smk_masks > m_next->smk_masks) { 13898c2ecf20Sopenharmony_ci list_add_rcu(&new->list, &m->list); 13908c2ecf20Sopenharmony_ci return; 13918c2ecf20Sopenharmony_ci } 13928c2ecf20Sopenharmony_ci } 13938c2ecf20Sopenharmony_ci} 13948c2ecf20Sopenharmony_ci 13958c2ecf20Sopenharmony_ci 13968c2ecf20Sopenharmony_ci/** 13978c2ecf20Sopenharmony_ci * smk_write_net6addr - write() for /smack/netlabel 13988c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 13998c2ecf20Sopenharmony_ci * @buf: where to get the data from 14008c2ecf20Sopenharmony_ci * @count: bytes sent 14018c2ecf20Sopenharmony_ci * @ppos: where to start 14028c2ecf20Sopenharmony_ci * 14038c2ecf20Sopenharmony_ci * Accepts only one net6addr per write call. 14048c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 14058c2ecf20Sopenharmony_ci */ 14068c2ecf20Sopenharmony_cistatic ssize_t smk_write_net6addr(struct file *file, const char __user *buf, 14078c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 14088c2ecf20Sopenharmony_ci{ 14098c2ecf20Sopenharmony_ci struct smk_net6addr *snp; 14108c2ecf20Sopenharmony_ci struct in6_addr newname; 14118c2ecf20Sopenharmony_ci struct in6_addr fullmask; 14128c2ecf20Sopenharmony_ci struct smack_known *skp = NULL; 14138c2ecf20Sopenharmony_ci char *smack; 14148c2ecf20Sopenharmony_ci char *data; 14158c2ecf20Sopenharmony_ci int rc = 0; 14168c2ecf20Sopenharmony_ci int found = 0; 14178c2ecf20Sopenharmony_ci int i; 14188c2ecf20Sopenharmony_ci unsigned int scanned[8]; 14198c2ecf20Sopenharmony_ci unsigned int m; 14208c2ecf20Sopenharmony_ci unsigned int mask = 128; 14218c2ecf20Sopenharmony_ci 14228c2ecf20Sopenharmony_ci /* 14238c2ecf20Sopenharmony_ci * Must have privilege. 14248c2ecf20Sopenharmony_ci * No partial writes. 14258c2ecf20Sopenharmony_ci * Enough data must be present. 14268c2ecf20Sopenharmony_ci * "<addr/mask, as a:b:c:d:e:f:g:h/e><space><label>" 14278c2ecf20Sopenharmony_ci * "<addr, as a:b:c:d:e:f:g:h><space><label>" 14288c2ecf20Sopenharmony_ci */ 14298c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 14308c2ecf20Sopenharmony_ci return -EPERM; 14318c2ecf20Sopenharmony_ci if (*ppos != 0) 14328c2ecf20Sopenharmony_ci return -EINVAL; 14338c2ecf20Sopenharmony_ci if (count < SMK_NETLBLADDRMIN || count > PAGE_SIZE - 1) 14348c2ecf20Sopenharmony_ci return -EINVAL; 14358c2ecf20Sopenharmony_ci 14368c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 14378c2ecf20Sopenharmony_ci if (IS_ERR(data)) 14388c2ecf20Sopenharmony_ci return PTR_ERR(data); 14398c2ecf20Sopenharmony_ci 14408c2ecf20Sopenharmony_ci smack = kzalloc(count + 1, GFP_KERNEL); 14418c2ecf20Sopenharmony_ci if (smack == NULL) { 14428c2ecf20Sopenharmony_ci rc = -ENOMEM; 14438c2ecf20Sopenharmony_ci goto free_data_out; 14448c2ecf20Sopenharmony_ci } 14458c2ecf20Sopenharmony_ci 14468c2ecf20Sopenharmony_ci i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x/%u %s", 14478c2ecf20Sopenharmony_ci &scanned[0], &scanned[1], &scanned[2], &scanned[3], 14488c2ecf20Sopenharmony_ci &scanned[4], &scanned[5], &scanned[6], &scanned[7], 14498c2ecf20Sopenharmony_ci &mask, smack); 14508c2ecf20Sopenharmony_ci if (i != 10) { 14518c2ecf20Sopenharmony_ci i = sscanf(data, "%x:%x:%x:%x:%x:%x:%x:%x %s", 14528c2ecf20Sopenharmony_ci &scanned[0], &scanned[1], &scanned[2], 14538c2ecf20Sopenharmony_ci &scanned[3], &scanned[4], &scanned[5], 14548c2ecf20Sopenharmony_ci &scanned[6], &scanned[7], smack); 14558c2ecf20Sopenharmony_ci if (i != 9) { 14568c2ecf20Sopenharmony_ci rc = -EINVAL; 14578c2ecf20Sopenharmony_ci goto free_out; 14588c2ecf20Sopenharmony_ci } 14598c2ecf20Sopenharmony_ci } 14608c2ecf20Sopenharmony_ci if (mask > 128) { 14618c2ecf20Sopenharmony_ci rc = -EINVAL; 14628c2ecf20Sopenharmony_ci goto free_out; 14638c2ecf20Sopenharmony_ci } 14648c2ecf20Sopenharmony_ci for (i = 0; i < 8; i++) { 14658c2ecf20Sopenharmony_ci if (scanned[i] > 0xffff) { 14668c2ecf20Sopenharmony_ci rc = -EINVAL; 14678c2ecf20Sopenharmony_ci goto free_out; 14688c2ecf20Sopenharmony_ci } 14698c2ecf20Sopenharmony_ci newname.s6_addr16[i] = htons(scanned[i]); 14708c2ecf20Sopenharmony_ci } 14718c2ecf20Sopenharmony_ci 14728c2ecf20Sopenharmony_ci /* 14738c2ecf20Sopenharmony_ci * If smack begins with '-', it is an option, don't import it 14748c2ecf20Sopenharmony_ci */ 14758c2ecf20Sopenharmony_ci if (smack[0] != '-') { 14768c2ecf20Sopenharmony_ci skp = smk_import_entry(smack, 0); 14778c2ecf20Sopenharmony_ci if (IS_ERR(skp)) { 14788c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 14798c2ecf20Sopenharmony_ci goto free_out; 14808c2ecf20Sopenharmony_ci } 14818c2ecf20Sopenharmony_ci } else { 14828c2ecf20Sopenharmony_ci /* 14838c2ecf20Sopenharmony_ci * Only -DELETE is supported for IPv6 14848c2ecf20Sopenharmony_ci */ 14858c2ecf20Sopenharmony_ci if (strcmp(smack, SMACK_DELETE_OPTION) != 0) { 14868c2ecf20Sopenharmony_ci rc = -EINVAL; 14878c2ecf20Sopenharmony_ci goto free_out; 14888c2ecf20Sopenharmony_ci } 14898c2ecf20Sopenharmony_ci } 14908c2ecf20Sopenharmony_ci 14918c2ecf20Sopenharmony_ci for (i = 0, m = mask; i < 8; i++) { 14928c2ecf20Sopenharmony_ci if (m >= 16) { 14938c2ecf20Sopenharmony_ci fullmask.s6_addr16[i] = 0xffff; 14948c2ecf20Sopenharmony_ci m -= 16; 14958c2ecf20Sopenharmony_ci } else if (m > 0) { 14968c2ecf20Sopenharmony_ci fullmask.s6_addr16[i] = (1 << m) - 1; 14978c2ecf20Sopenharmony_ci m = 0; 14988c2ecf20Sopenharmony_ci } else 14998c2ecf20Sopenharmony_ci fullmask.s6_addr16[i] = 0; 15008c2ecf20Sopenharmony_ci newname.s6_addr16[i] &= fullmask.s6_addr16[i]; 15018c2ecf20Sopenharmony_ci } 15028c2ecf20Sopenharmony_ci 15038c2ecf20Sopenharmony_ci /* 15048c2ecf20Sopenharmony_ci * Only allow one writer at a time. Writes should be 15058c2ecf20Sopenharmony_ci * quite rare and small in any case. 15068c2ecf20Sopenharmony_ci */ 15078c2ecf20Sopenharmony_ci mutex_lock(&smk_net6addr_lock); 15088c2ecf20Sopenharmony_ci /* 15098c2ecf20Sopenharmony_ci * Try to find the prefix in the list 15108c2ecf20Sopenharmony_ci */ 15118c2ecf20Sopenharmony_ci list_for_each_entry_rcu(snp, &smk_net6addr_list, list) { 15128c2ecf20Sopenharmony_ci if (mask != snp->smk_masks) 15138c2ecf20Sopenharmony_ci continue; 15148c2ecf20Sopenharmony_ci for (found = 1, i = 0; i < 8; i++) { 15158c2ecf20Sopenharmony_ci if (newname.s6_addr16[i] != 15168c2ecf20Sopenharmony_ci snp->smk_host.s6_addr16[i]) { 15178c2ecf20Sopenharmony_ci found = 0; 15188c2ecf20Sopenharmony_ci break; 15198c2ecf20Sopenharmony_ci } 15208c2ecf20Sopenharmony_ci } 15218c2ecf20Sopenharmony_ci if (found == 1) 15228c2ecf20Sopenharmony_ci break; 15238c2ecf20Sopenharmony_ci } 15248c2ecf20Sopenharmony_ci if (found == 0) { 15258c2ecf20Sopenharmony_ci snp = kzalloc(sizeof(*snp), GFP_KERNEL); 15268c2ecf20Sopenharmony_ci if (snp == NULL) 15278c2ecf20Sopenharmony_ci rc = -ENOMEM; 15288c2ecf20Sopenharmony_ci else { 15298c2ecf20Sopenharmony_ci snp->smk_host = newname; 15308c2ecf20Sopenharmony_ci snp->smk_mask = fullmask; 15318c2ecf20Sopenharmony_ci snp->smk_masks = mask; 15328c2ecf20Sopenharmony_ci snp->smk_label = skp; 15338c2ecf20Sopenharmony_ci smk_net6addr_insert(snp); 15348c2ecf20Sopenharmony_ci } 15358c2ecf20Sopenharmony_ci } else { 15368c2ecf20Sopenharmony_ci snp->smk_label = skp; 15378c2ecf20Sopenharmony_ci } 15388c2ecf20Sopenharmony_ci 15398c2ecf20Sopenharmony_ci if (rc == 0) 15408c2ecf20Sopenharmony_ci rc = count; 15418c2ecf20Sopenharmony_ci 15428c2ecf20Sopenharmony_ci mutex_unlock(&smk_net6addr_lock); 15438c2ecf20Sopenharmony_ci 15448c2ecf20Sopenharmony_cifree_out: 15458c2ecf20Sopenharmony_ci kfree(smack); 15468c2ecf20Sopenharmony_cifree_data_out: 15478c2ecf20Sopenharmony_ci kfree(data); 15488c2ecf20Sopenharmony_ci 15498c2ecf20Sopenharmony_ci return rc; 15508c2ecf20Sopenharmony_ci} 15518c2ecf20Sopenharmony_ci 15528c2ecf20Sopenharmony_cistatic const struct file_operations smk_net6addr_ops = { 15538c2ecf20Sopenharmony_ci .open = smk_open_net6addr, 15548c2ecf20Sopenharmony_ci .read = seq_read, 15558c2ecf20Sopenharmony_ci .llseek = seq_lseek, 15568c2ecf20Sopenharmony_ci .write = smk_write_net6addr, 15578c2ecf20Sopenharmony_ci .release = seq_release, 15588c2ecf20Sopenharmony_ci}; 15598c2ecf20Sopenharmony_ci#endif /* CONFIG_IPV6 */ 15608c2ecf20Sopenharmony_ci 15618c2ecf20Sopenharmony_ci/** 15628c2ecf20Sopenharmony_ci * smk_read_doi - read() for /smack/doi 15638c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 15648c2ecf20Sopenharmony_ci * @buf: where to put the result 15658c2ecf20Sopenharmony_ci * @count: maximum to send along 15668c2ecf20Sopenharmony_ci * @ppos: where to start 15678c2ecf20Sopenharmony_ci * 15688c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 15698c2ecf20Sopenharmony_ci */ 15708c2ecf20Sopenharmony_cistatic ssize_t smk_read_doi(struct file *filp, char __user *buf, 15718c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 15728c2ecf20Sopenharmony_ci{ 15738c2ecf20Sopenharmony_ci char temp[80]; 15748c2ecf20Sopenharmony_ci ssize_t rc; 15758c2ecf20Sopenharmony_ci 15768c2ecf20Sopenharmony_ci if (*ppos != 0) 15778c2ecf20Sopenharmony_ci return 0; 15788c2ecf20Sopenharmony_ci 15798c2ecf20Sopenharmony_ci sprintf(temp, "%d", smk_cipso_doi_value); 15808c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 15818c2ecf20Sopenharmony_ci 15828c2ecf20Sopenharmony_ci return rc; 15838c2ecf20Sopenharmony_ci} 15848c2ecf20Sopenharmony_ci 15858c2ecf20Sopenharmony_ci/** 15868c2ecf20Sopenharmony_ci * smk_write_doi - write() for /smack/doi 15878c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 15888c2ecf20Sopenharmony_ci * @buf: where to get the data from 15898c2ecf20Sopenharmony_ci * @count: bytes sent 15908c2ecf20Sopenharmony_ci * @ppos: where to start 15918c2ecf20Sopenharmony_ci * 15928c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 15938c2ecf20Sopenharmony_ci */ 15948c2ecf20Sopenharmony_cistatic ssize_t smk_write_doi(struct file *file, const char __user *buf, 15958c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 15968c2ecf20Sopenharmony_ci{ 15978c2ecf20Sopenharmony_ci char temp[80]; 15988c2ecf20Sopenharmony_ci int i; 15998c2ecf20Sopenharmony_ci 16008c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 16018c2ecf20Sopenharmony_ci return -EPERM; 16028c2ecf20Sopenharmony_ci 16038c2ecf20Sopenharmony_ci if (count >= sizeof(temp) || count == 0) 16048c2ecf20Sopenharmony_ci return -EINVAL; 16058c2ecf20Sopenharmony_ci 16068c2ecf20Sopenharmony_ci if (copy_from_user(temp, buf, count) != 0) 16078c2ecf20Sopenharmony_ci return -EFAULT; 16088c2ecf20Sopenharmony_ci 16098c2ecf20Sopenharmony_ci temp[count] = '\0'; 16108c2ecf20Sopenharmony_ci 16118c2ecf20Sopenharmony_ci if (sscanf(temp, "%d", &i) != 1) 16128c2ecf20Sopenharmony_ci return -EINVAL; 16138c2ecf20Sopenharmony_ci 16148c2ecf20Sopenharmony_ci smk_cipso_doi_value = i; 16158c2ecf20Sopenharmony_ci 16168c2ecf20Sopenharmony_ci smk_cipso_doi(); 16178c2ecf20Sopenharmony_ci 16188c2ecf20Sopenharmony_ci return count; 16198c2ecf20Sopenharmony_ci} 16208c2ecf20Sopenharmony_ci 16218c2ecf20Sopenharmony_cistatic const struct file_operations smk_doi_ops = { 16228c2ecf20Sopenharmony_ci .read = smk_read_doi, 16238c2ecf20Sopenharmony_ci .write = smk_write_doi, 16248c2ecf20Sopenharmony_ci .llseek = default_llseek, 16258c2ecf20Sopenharmony_ci}; 16268c2ecf20Sopenharmony_ci 16278c2ecf20Sopenharmony_ci/** 16288c2ecf20Sopenharmony_ci * smk_read_direct - read() for /smack/direct 16298c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 16308c2ecf20Sopenharmony_ci * @buf: where to put the result 16318c2ecf20Sopenharmony_ci * @count: maximum to send along 16328c2ecf20Sopenharmony_ci * @ppos: where to start 16338c2ecf20Sopenharmony_ci * 16348c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 16358c2ecf20Sopenharmony_ci */ 16368c2ecf20Sopenharmony_cistatic ssize_t smk_read_direct(struct file *filp, char __user *buf, 16378c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 16388c2ecf20Sopenharmony_ci{ 16398c2ecf20Sopenharmony_ci char temp[80]; 16408c2ecf20Sopenharmony_ci ssize_t rc; 16418c2ecf20Sopenharmony_ci 16428c2ecf20Sopenharmony_ci if (*ppos != 0) 16438c2ecf20Sopenharmony_ci return 0; 16448c2ecf20Sopenharmony_ci 16458c2ecf20Sopenharmony_ci sprintf(temp, "%d", smack_cipso_direct); 16468c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 16478c2ecf20Sopenharmony_ci 16488c2ecf20Sopenharmony_ci return rc; 16498c2ecf20Sopenharmony_ci} 16508c2ecf20Sopenharmony_ci 16518c2ecf20Sopenharmony_ci/** 16528c2ecf20Sopenharmony_ci * smk_write_direct - write() for /smack/direct 16538c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 16548c2ecf20Sopenharmony_ci * @buf: where to get the data from 16558c2ecf20Sopenharmony_ci * @count: bytes sent 16568c2ecf20Sopenharmony_ci * @ppos: where to start 16578c2ecf20Sopenharmony_ci * 16588c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 16598c2ecf20Sopenharmony_ci */ 16608c2ecf20Sopenharmony_cistatic ssize_t smk_write_direct(struct file *file, const char __user *buf, 16618c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 16628c2ecf20Sopenharmony_ci{ 16638c2ecf20Sopenharmony_ci struct smack_known *skp; 16648c2ecf20Sopenharmony_ci char temp[80]; 16658c2ecf20Sopenharmony_ci int i; 16668c2ecf20Sopenharmony_ci 16678c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 16688c2ecf20Sopenharmony_ci return -EPERM; 16698c2ecf20Sopenharmony_ci 16708c2ecf20Sopenharmony_ci if (count >= sizeof(temp) || count == 0) 16718c2ecf20Sopenharmony_ci return -EINVAL; 16728c2ecf20Sopenharmony_ci 16738c2ecf20Sopenharmony_ci if (copy_from_user(temp, buf, count) != 0) 16748c2ecf20Sopenharmony_ci return -EFAULT; 16758c2ecf20Sopenharmony_ci 16768c2ecf20Sopenharmony_ci temp[count] = '\0'; 16778c2ecf20Sopenharmony_ci 16788c2ecf20Sopenharmony_ci if (sscanf(temp, "%d", &i) != 1) 16798c2ecf20Sopenharmony_ci return -EINVAL; 16808c2ecf20Sopenharmony_ci 16818c2ecf20Sopenharmony_ci /* 16828c2ecf20Sopenharmony_ci * Don't do anything if the value hasn't actually changed. 16838c2ecf20Sopenharmony_ci * If it is changing reset the level on entries that were 16848c2ecf20Sopenharmony_ci * set up to be direct when they were created. 16858c2ecf20Sopenharmony_ci */ 16868c2ecf20Sopenharmony_ci if (smack_cipso_direct != i) { 16878c2ecf20Sopenharmony_ci mutex_lock(&smack_known_lock); 16888c2ecf20Sopenharmony_ci list_for_each_entry_rcu(skp, &smack_known_list, list) 16898c2ecf20Sopenharmony_ci if (skp->smk_netlabel.attr.mls.lvl == 16908c2ecf20Sopenharmony_ci smack_cipso_direct) 16918c2ecf20Sopenharmony_ci skp->smk_netlabel.attr.mls.lvl = i; 16928c2ecf20Sopenharmony_ci smack_cipso_direct = i; 16938c2ecf20Sopenharmony_ci mutex_unlock(&smack_known_lock); 16948c2ecf20Sopenharmony_ci } 16958c2ecf20Sopenharmony_ci 16968c2ecf20Sopenharmony_ci return count; 16978c2ecf20Sopenharmony_ci} 16988c2ecf20Sopenharmony_ci 16998c2ecf20Sopenharmony_cistatic const struct file_operations smk_direct_ops = { 17008c2ecf20Sopenharmony_ci .read = smk_read_direct, 17018c2ecf20Sopenharmony_ci .write = smk_write_direct, 17028c2ecf20Sopenharmony_ci .llseek = default_llseek, 17038c2ecf20Sopenharmony_ci}; 17048c2ecf20Sopenharmony_ci 17058c2ecf20Sopenharmony_ci/** 17068c2ecf20Sopenharmony_ci * smk_read_mapped - read() for /smack/mapped 17078c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 17088c2ecf20Sopenharmony_ci * @buf: where to put the result 17098c2ecf20Sopenharmony_ci * @count: maximum to send along 17108c2ecf20Sopenharmony_ci * @ppos: where to start 17118c2ecf20Sopenharmony_ci * 17128c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 17138c2ecf20Sopenharmony_ci */ 17148c2ecf20Sopenharmony_cistatic ssize_t smk_read_mapped(struct file *filp, char __user *buf, 17158c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 17168c2ecf20Sopenharmony_ci{ 17178c2ecf20Sopenharmony_ci char temp[80]; 17188c2ecf20Sopenharmony_ci ssize_t rc; 17198c2ecf20Sopenharmony_ci 17208c2ecf20Sopenharmony_ci if (*ppos != 0) 17218c2ecf20Sopenharmony_ci return 0; 17228c2ecf20Sopenharmony_ci 17238c2ecf20Sopenharmony_ci sprintf(temp, "%d", smack_cipso_mapped); 17248c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 17258c2ecf20Sopenharmony_ci 17268c2ecf20Sopenharmony_ci return rc; 17278c2ecf20Sopenharmony_ci} 17288c2ecf20Sopenharmony_ci 17298c2ecf20Sopenharmony_ci/** 17308c2ecf20Sopenharmony_ci * smk_write_mapped - write() for /smack/mapped 17318c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 17328c2ecf20Sopenharmony_ci * @buf: where to get the data from 17338c2ecf20Sopenharmony_ci * @count: bytes sent 17348c2ecf20Sopenharmony_ci * @ppos: where to start 17358c2ecf20Sopenharmony_ci * 17368c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 17378c2ecf20Sopenharmony_ci */ 17388c2ecf20Sopenharmony_cistatic ssize_t smk_write_mapped(struct file *file, const char __user *buf, 17398c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 17408c2ecf20Sopenharmony_ci{ 17418c2ecf20Sopenharmony_ci struct smack_known *skp; 17428c2ecf20Sopenharmony_ci char temp[80]; 17438c2ecf20Sopenharmony_ci int i; 17448c2ecf20Sopenharmony_ci 17458c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 17468c2ecf20Sopenharmony_ci return -EPERM; 17478c2ecf20Sopenharmony_ci 17488c2ecf20Sopenharmony_ci if (count >= sizeof(temp) || count == 0) 17498c2ecf20Sopenharmony_ci return -EINVAL; 17508c2ecf20Sopenharmony_ci 17518c2ecf20Sopenharmony_ci if (copy_from_user(temp, buf, count) != 0) 17528c2ecf20Sopenharmony_ci return -EFAULT; 17538c2ecf20Sopenharmony_ci 17548c2ecf20Sopenharmony_ci temp[count] = '\0'; 17558c2ecf20Sopenharmony_ci 17568c2ecf20Sopenharmony_ci if (sscanf(temp, "%d", &i) != 1) 17578c2ecf20Sopenharmony_ci return -EINVAL; 17588c2ecf20Sopenharmony_ci 17598c2ecf20Sopenharmony_ci /* 17608c2ecf20Sopenharmony_ci * Don't do anything if the value hasn't actually changed. 17618c2ecf20Sopenharmony_ci * If it is changing reset the level on entries that were 17628c2ecf20Sopenharmony_ci * set up to be mapped when they were created. 17638c2ecf20Sopenharmony_ci */ 17648c2ecf20Sopenharmony_ci if (smack_cipso_mapped != i) { 17658c2ecf20Sopenharmony_ci mutex_lock(&smack_known_lock); 17668c2ecf20Sopenharmony_ci list_for_each_entry_rcu(skp, &smack_known_list, list) 17678c2ecf20Sopenharmony_ci if (skp->smk_netlabel.attr.mls.lvl == 17688c2ecf20Sopenharmony_ci smack_cipso_mapped) 17698c2ecf20Sopenharmony_ci skp->smk_netlabel.attr.mls.lvl = i; 17708c2ecf20Sopenharmony_ci smack_cipso_mapped = i; 17718c2ecf20Sopenharmony_ci mutex_unlock(&smack_known_lock); 17728c2ecf20Sopenharmony_ci } 17738c2ecf20Sopenharmony_ci 17748c2ecf20Sopenharmony_ci return count; 17758c2ecf20Sopenharmony_ci} 17768c2ecf20Sopenharmony_ci 17778c2ecf20Sopenharmony_cistatic const struct file_operations smk_mapped_ops = { 17788c2ecf20Sopenharmony_ci .read = smk_read_mapped, 17798c2ecf20Sopenharmony_ci .write = smk_write_mapped, 17808c2ecf20Sopenharmony_ci .llseek = default_llseek, 17818c2ecf20Sopenharmony_ci}; 17828c2ecf20Sopenharmony_ci 17838c2ecf20Sopenharmony_ci/** 17848c2ecf20Sopenharmony_ci * smk_read_ambient - read() for /smack/ambient 17858c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 17868c2ecf20Sopenharmony_ci * @buf: where to put the result 17878c2ecf20Sopenharmony_ci * @cn: maximum to send along 17888c2ecf20Sopenharmony_ci * @ppos: where to start 17898c2ecf20Sopenharmony_ci * 17908c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 17918c2ecf20Sopenharmony_ci */ 17928c2ecf20Sopenharmony_cistatic ssize_t smk_read_ambient(struct file *filp, char __user *buf, 17938c2ecf20Sopenharmony_ci size_t cn, loff_t *ppos) 17948c2ecf20Sopenharmony_ci{ 17958c2ecf20Sopenharmony_ci ssize_t rc; 17968c2ecf20Sopenharmony_ci int asize; 17978c2ecf20Sopenharmony_ci 17988c2ecf20Sopenharmony_ci if (*ppos != 0) 17998c2ecf20Sopenharmony_ci return 0; 18008c2ecf20Sopenharmony_ci /* 18018c2ecf20Sopenharmony_ci * Being careful to avoid a problem in the case where 18028c2ecf20Sopenharmony_ci * smack_net_ambient gets changed in midstream. 18038c2ecf20Sopenharmony_ci */ 18048c2ecf20Sopenharmony_ci mutex_lock(&smack_ambient_lock); 18058c2ecf20Sopenharmony_ci 18068c2ecf20Sopenharmony_ci asize = strlen(smack_net_ambient->smk_known) + 1; 18078c2ecf20Sopenharmony_ci 18088c2ecf20Sopenharmony_ci if (cn >= asize) 18098c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, cn, ppos, 18108c2ecf20Sopenharmony_ci smack_net_ambient->smk_known, 18118c2ecf20Sopenharmony_ci asize); 18128c2ecf20Sopenharmony_ci else 18138c2ecf20Sopenharmony_ci rc = -EINVAL; 18148c2ecf20Sopenharmony_ci 18158c2ecf20Sopenharmony_ci mutex_unlock(&smack_ambient_lock); 18168c2ecf20Sopenharmony_ci 18178c2ecf20Sopenharmony_ci return rc; 18188c2ecf20Sopenharmony_ci} 18198c2ecf20Sopenharmony_ci 18208c2ecf20Sopenharmony_ci/** 18218c2ecf20Sopenharmony_ci * smk_write_ambient - write() for /smack/ambient 18228c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 18238c2ecf20Sopenharmony_ci * @buf: where to get the data from 18248c2ecf20Sopenharmony_ci * @count: bytes sent 18258c2ecf20Sopenharmony_ci * @ppos: where to start 18268c2ecf20Sopenharmony_ci * 18278c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 18288c2ecf20Sopenharmony_ci */ 18298c2ecf20Sopenharmony_cistatic ssize_t smk_write_ambient(struct file *file, const char __user *buf, 18308c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 18318c2ecf20Sopenharmony_ci{ 18328c2ecf20Sopenharmony_ci struct smack_known *skp; 18338c2ecf20Sopenharmony_ci char *oldambient; 18348c2ecf20Sopenharmony_ci char *data; 18358c2ecf20Sopenharmony_ci int rc = count; 18368c2ecf20Sopenharmony_ci 18378c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 18388c2ecf20Sopenharmony_ci return -EPERM; 18398c2ecf20Sopenharmony_ci 18408c2ecf20Sopenharmony_ci /* Enough data must be present */ 18418c2ecf20Sopenharmony_ci if (count == 0 || count > PAGE_SIZE) 18428c2ecf20Sopenharmony_ci return -EINVAL; 18438c2ecf20Sopenharmony_ci 18448c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 18458c2ecf20Sopenharmony_ci if (IS_ERR(data)) 18468c2ecf20Sopenharmony_ci return PTR_ERR(data); 18478c2ecf20Sopenharmony_ci 18488c2ecf20Sopenharmony_ci skp = smk_import_entry(data, count); 18498c2ecf20Sopenharmony_ci if (IS_ERR(skp)) { 18508c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 18518c2ecf20Sopenharmony_ci goto out; 18528c2ecf20Sopenharmony_ci } 18538c2ecf20Sopenharmony_ci 18548c2ecf20Sopenharmony_ci mutex_lock(&smack_ambient_lock); 18558c2ecf20Sopenharmony_ci 18568c2ecf20Sopenharmony_ci oldambient = smack_net_ambient->smk_known; 18578c2ecf20Sopenharmony_ci smack_net_ambient = skp; 18588c2ecf20Sopenharmony_ci smk_unlbl_ambient(oldambient); 18598c2ecf20Sopenharmony_ci 18608c2ecf20Sopenharmony_ci mutex_unlock(&smack_ambient_lock); 18618c2ecf20Sopenharmony_ci 18628c2ecf20Sopenharmony_ciout: 18638c2ecf20Sopenharmony_ci kfree(data); 18648c2ecf20Sopenharmony_ci return rc; 18658c2ecf20Sopenharmony_ci} 18668c2ecf20Sopenharmony_ci 18678c2ecf20Sopenharmony_cistatic const struct file_operations smk_ambient_ops = { 18688c2ecf20Sopenharmony_ci .read = smk_read_ambient, 18698c2ecf20Sopenharmony_ci .write = smk_write_ambient, 18708c2ecf20Sopenharmony_ci .llseek = default_llseek, 18718c2ecf20Sopenharmony_ci}; 18728c2ecf20Sopenharmony_ci 18738c2ecf20Sopenharmony_ci/* 18748c2ecf20Sopenharmony_ci * Seq_file operations for /smack/onlycap 18758c2ecf20Sopenharmony_ci */ 18768c2ecf20Sopenharmony_cistatic void *onlycap_seq_start(struct seq_file *s, loff_t *pos) 18778c2ecf20Sopenharmony_ci{ 18788c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &smack_onlycap_list); 18798c2ecf20Sopenharmony_ci} 18808c2ecf20Sopenharmony_ci 18818c2ecf20Sopenharmony_cistatic void *onlycap_seq_next(struct seq_file *s, void *v, loff_t *pos) 18828c2ecf20Sopenharmony_ci{ 18838c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &smack_onlycap_list); 18848c2ecf20Sopenharmony_ci} 18858c2ecf20Sopenharmony_ci 18868c2ecf20Sopenharmony_cistatic int onlycap_seq_show(struct seq_file *s, void *v) 18878c2ecf20Sopenharmony_ci{ 18888c2ecf20Sopenharmony_ci struct list_head *list = v; 18898c2ecf20Sopenharmony_ci struct smack_known_list_elem *sklep = 18908c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_known_list_elem, list); 18918c2ecf20Sopenharmony_ci 18928c2ecf20Sopenharmony_ci seq_puts(s, sklep->smk_label->smk_known); 18938c2ecf20Sopenharmony_ci seq_putc(s, ' '); 18948c2ecf20Sopenharmony_ci 18958c2ecf20Sopenharmony_ci return 0; 18968c2ecf20Sopenharmony_ci} 18978c2ecf20Sopenharmony_ci 18988c2ecf20Sopenharmony_cistatic const struct seq_operations onlycap_seq_ops = { 18998c2ecf20Sopenharmony_ci .start = onlycap_seq_start, 19008c2ecf20Sopenharmony_ci .next = onlycap_seq_next, 19018c2ecf20Sopenharmony_ci .show = onlycap_seq_show, 19028c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 19038c2ecf20Sopenharmony_ci}; 19048c2ecf20Sopenharmony_ci 19058c2ecf20Sopenharmony_cistatic int smk_open_onlycap(struct inode *inode, struct file *file) 19068c2ecf20Sopenharmony_ci{ 19078c2ecf20Sopenharmony_ci return seq_open(file, &onlycap_seq_ops); 19088c2ecf20Sopenharmony_ci} 19098c2ecf20Sopenharmony_ci 19108c2ecf20Sopenharmony_ci/** 19118c2ecf20Sopenharmony_ci * smk_list_swap_rcu - swap public list with a private one in RCU-safe way 19128c2ecf20Sopenharmony_ci * The caller must hold appropriate mutex to prevent concurrent modifications 19138c2ecf20Sopenharmony_ci * to the public list. 19148c2ecf20Sopenharmony_ci * Private list is assumed to be not accessible to other threads yet. 19158c2ecf20Sopenharmony_ci * 19168c2ecf20Sopenharmony_ci * @public: public list 19178c2ecf20Sopenharmony_ci * @private: private list 19188c2ecf20Sopenharmony_ci */ 19198c2ecf20Sopenharmony_cistatic void smk_list_swap_rcu(struct list_head *public, 19208c2ecf20Sopenharmony_ci struct list_head *private) 19218c2ecf20Sopenharmony_ci{ 19228c2ecf20Sopenharmony_ci struct list_head *first, *last; 19238c2ecf20Sopenharmony_ci 19248c2ecf20Sopenharmony_ci if (list_empty(public)) { 19258c2ecf20Sopenharmony_ci list_splice_init_rcu(private, public, synchronize_rcu); 19268c2ecf20Sopenharmony_ci } else { 19278c2ecf20Sopenharmony_ci /* Remember public list before replacing it */ 19288c2ecf20Sopenharmony_ci first = public->next; 19298c2ecf20Sopenharmony_ci last = public->prev; 19308c2ecf20Sopenharmony_ci 19318c2ecf20Sopenharmony_ci /* Publish private list in place of public in RCU-safe way */ 19328c2ecf20Sopenharmony_ci private->prev->next = public; 19338c2ecf20Sopenharmony_ci private->next->prev = public; 19348c2ecf20Sopenharmony_ci rcu_assign_pointer(public->next, private->next); 19358c2ecf20Sopenharmony_ci public->prev = private->prev; 19368c2ecf20Sopenharmony_ci 19378c2ecf20Sopenharmony_ci synchronize_rcu(); 19388c2ecf20Sopenharmony_ci 19398c2ecf20Sopenharmony_ci /* When all readers are done with the old public list, 19408c2ecf20Sopenharmony_ci * attach it in place of private */ 19418c2ecf20Sopenharmony_ci private->next = first; 19428c2ecf20Sopenharmony_ci private->prev = last; 19438c2ecf20Sopenharmony_ci first->prev = private; 19448c2ecf20Sopenharmony_ci last->next = private; 19458c2ecf20Sopenharmony_ci } 19468c2ecf20Sopenharmony_ci} 19478c2ecf20Sopenharmony_ci 19488c2ecf20Sopenharmony_ci/** 19498c2ecf20Sopenharmony_ci * smk_parse_label_list - parse list of Smack labels, separated by spaces 19508c2ecf20Sopenharmony_ci * 19518c2ecf20Sopenharmony_ci * @data: the string to parse 19528c2ecf20Sopenharmony_ci * @private: destination list 19538c2ecf20Sopenharmony_ci * 19548c2ecf20Sopenharmony_ci * Returns zero on success or error code, as appropriate 19558c2ecf20Sopenharmony_ci */ 19568c2ecf20Sopenharmony_cistatic int smk_parse_label_list(char *data, struct list_head *list) 19578c2ecf20Sopenharmony_ci{ 19588c2ecf20Sopenharmony_ci char *tok; 19598c2ecf20Sopenharmony_ci struct smack_known *skp; 19608c2ecf20Sopenharmony_ci struct smack_known_list_elem *sklep; 19618c2ecf20Sopenharmony_ci 19628c2ecf20Sopenharmony_ci while ((tok = strsep(&data, " ")) != NULL) { 19638c2ecf20Sopenharmony_ci if (!*tok) 19648c2ecf20Sopenharmony_ci continue; 19658c2ecf20Sopenharmony_ci 19668c2ecf20Sopenharmony_ci skp = smk_import_entry(tok, 0); 19678c2ecf20Sopenharmony_ci if (IS_ERR(skp)) 19688c2ecf20Sopenharmony_ci return PTR_ERR(skp); 19698c2ecf20Sopenharmony_ci 19708c2ecf20Sopenharmony_ci sklep = kzalloc(sizeof(*sklep), GFP_KERNEL); 19718c2ecf20Sopenharmony_ci if (sklep == NULL) 19728c2ecf20Sopenharmony_ci return -ENOMEM; 19738c2ecf20Sopenharmony_ci 19748c2ecf20Sopenharmony_ci sklep->smk_label = skp; 19758c2ecf20Sopenharmony_ci list_add(&sklep->list, list); 19768c2ecf20Sopenharmony_ci } 19778c2ecf20Sopenharmony_ci 19788c2ecf20Sopenharmony_ci return 0; 19798c2ecf20Sopenharmony_ci} 19808c2ecf20Sopenharmony_ci 19818c2ecf20Sopenharmony_ci/** 19828c2ecf20Sopenharmony_ci * smk_destroy_label_list - destroy a list of smack_known_list_elem 19838c2ecf20Sopenharmony_ci * @head: header pointer of the list to destroy 19848c2ecf20Sopenharmony_ci */ 19858c2ecf20Sopenharmony_civoid smk_destroy_label_list(struct list_head *list) 19868c2ecf20Sopenharmony_ci{ 19878c2ecf20Sopenharmony_ci struct smack_known_list_elem *sklep; 19888c2ecf20Sopenharmony_ci struct smack_known_list_elem *sklep2; 19898c2ecf20Sopenharmony_ci 19908c2ecf20Sopenharmony_ci list_for_each_entry_safe(sklep, sklep2, list, list) 19918c2ecf20Sopenharmony_ci kfree(sklep); 19928c2ecf20Sopenharmony_ci 19938c2ecf20Sopenharmony_ci INIT_LIST_HEAD(list); 19948c2ecf20Sopenharmony_ci} 19958c2ecf20Sopenharmony_ci 19968c2ecf20Sopenharmony_ci/** 19978c2ecf20Sopenharmony_ci * smk_write_onlycap - write() for smackfs/onlycap 19988c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 19998c2ecf20Sopenharmony_ci * @buf: where to get the data from 20008c2ecf20Sopenharmony_ci * @count: bytes sent 20018c2ecf20Sopenharmony_ci * @ppos: where to start 20028c2ecf20Sopenharmony_ci * 20038c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 20048c2ecf20Sopenharmony_ci */ 20058c2ecf20Sopenharmony_cistatic ssize_t smk_write_onlycap(struct file *file, const char __user *buf, 20068c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 20078c2ecf20Sopenharmony_ci{ 20088c2ecf20Sopenharmony_ci char *data; 20098c2ecf20Sopenharmony_ci LIST_HEAD(list_tmp); 20108c2ecf20Sopenharmony_ci int rc; 20118c2ecf20Sopenharmony_ci 20128c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 20138c2ecf20Sopenharmony_ci return -EPERM; 20148c2ecf20Sopenharmony_ci 20158c2ecf20Sopenharmony_ci if (count > PAGE_SIZE) 20168c2ecf20Sopenharmony_ci return -EINVAL; 20178c2ecf20Sopenharmony_ci 20188c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 20198c2ecf20Sopenharmony_ci if (IS_ERR(data)) 20208c2ecf20Sopenharmony_ci return PTR_ERR(data); 20218c2ecf20Sopenharmony_ci 20228c2ecf20Sopenharmony_ci rc = smk_parse_label_list(data, &list_tmp); 20238c2ecf20Sopenharmony_ci kfree(data); 20248c2ecf20Sopenharmony_ci 20258c2ecf20Sopenharmony_ci /* 20268c2ecf20Sopenharmony_ci * Clear the smack_onlycap on invalid label errors. This means 20278c2ecf20Sopenharmony_ci * that we can pass a null string to unset the onlycap value. 20288c2ecf20Sopenharmony_ci * 20298c2ecf20Sopenharmony_ci * Importing will also reject a label beginning with '-', 20308c2ecf20Sopenharmony_ci * so "-usecapabilities" will also work. 20318c2ecf20Sopenharmony_ci * 20328c2ecf20Sopenharmony_ci * But do so only on invalid label, not on system errors. 20338c2ecf20Sopenharmony_ci * The invalid label must be first to count as clearing attempt. 20348c2ecf20Sopenharmony_ci */ 20358c2ecf20Sopenharmony_ci if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { 20368c2ecf20Sopenharmony_ci mutex_lock(&smack_onlycap_lock); 20378c2ecf20Sopenharmony_ci smk_list_swap_rcu(&smack_onlycap_list, &list_tmp); 20388c2ecf20Sopenharmony_ci mutex_unlock(&smack_onlycap_lock); 20398c2ecf20Sopenharmony_ci rc = count; 20408c2ecf20Sopenharmony_ci } 20418c2ecf20Sopenharmony_ci 20428c2ecf20Sopenharmony_ci smk_destroy_label_list(&list_tmp); 20438c2ecf20Sopenharmony_ci 20448c2ecf20Sopenharmony_ci return rc; 20458c2ecf20Sopenharmony_ci} 20468c2ecf20Sopenharmony_ci 20478c2ecf20Sopenharmony_cistatic const struct file_operations smk_onlycap_ops = { 20488c2ecf20Sopenharmony_ci .open = smk_open_onlycap, 20498c2ecf20Sopenharmony_ci .read = seq_read, 20508c2ecf20Sopenharmony_ci .write = smk_write_onlycap, 20518c2ecf20Sopenharmony_ci .llseek = seq_lseek, 20528c2ecf20Sopenharmony_ci .release = seq_release, 20538c2ecf20Sopenharmony_ci}; 20548c2ecf20Sopenharmony_ci 20558c2ecf20Sopenharmony_ci#ifdef CONFIG_SECURITY_SMACK_BRINGUP 20568c2ecf20Sopenharmony_ci/** 20578c2ecf20Sopenharmony_ci * smk_read_unconfined - read() for smackfs/unconfined 20588c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 20598c2ecf20Sopenharmony_ci * @buf: where to put the result 20608c2ecf20Sopenharmony_ci * @cn: maximum to send along 20618c2ecf20Sopenharmony_ci * @ppos: where to start 20628c2ecf20Sopenharmony_ci * 20638c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 20648c2ecf20Sopenharmony_ci */ 20658c2ecf20Sopenharmony_cistatic ssize_t smk_read_unconfined(struct file *filp, char __user *buf, 20668c2ecf20Sopenharmony_ci size_t cn, loff_t *ppos) 20678c2ecf20Sopenharmony_ci{ 20688c2ecf20Sopenharmony_ci char *smack = ""; 20698c2ecf20Sopenharmony_ci ssize_t rc = -EINVAL; 20708c2ecf20Sopenharmony_ci int asize; 20718c2ecf20Sopenharmony_ci 20728c2ecf20Sopenharmony_ci if (*ppos != 0) 20738c2ecf20Sopenharmony_ci return 0; 20748c2ecf20Sopenharmony_ci 20758c2ecf20Sopenharmony_ci if (smack_unconfined != NULL) 20768c2ecf20Sopenharmony_ci smack = smack_unconfined->smk_known; 20778c2ecf20Sopenharmony_ci 20788c2ecf20Sopenharmony_ci asize = strlen(smack) + 1; 20798c2ecf20Sopenharmony_ci 20808c2ecf20Sopenharmony_ci if (cn >= asize) 20818c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, cn, ppos, smack, asize); 20828c2ecf20Sopenharmony_ci 20838c2ecf20Sopenharmony_ci return rc; 20848c2ecf20Sopenharmony_ci} 20858c2ecf20Sopenharmony_ci 20868c2ecf20Sopenharmony_ci/** 20878c2ecf20Sopenharmony_ci * smk_write_unconfined - write() for smackfs/unconfined 20888c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 20898c2ecf20Sopenharmony_ci * @buf: where to get the data from 20908c2ecf20Sopenharmony_ci * @count: bytes sent 20918c2ecf20Sopenharmony_ci * @ppos: where to start 20928c2ecf20Sopenharmony_ci * 20938c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 20948c2ecf20Sopenharmony_ci */ 20958c2ecf20Sopenharmony_cistatic ssize_t smk_write_unconfined(struct file *file, const char __user *buf, 20968c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 20978c2ecf20Sopenharmony_ci{ 20988c2ecf20Sopenharmony_ci char *data; 20998c2ecf20Sopenharmony_ci struct smack_known *skp; 21008c2ecf20Sopenharmony_ci int rc = count; 21018c2ecf20Sopenharmony_ci 21028c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 21038c2ecf20Sopenharmony_ci return -EPERM; 21048c2ecf20Sopenharmony_ci 21058c2ecf20Sopenharmony_ci if (count > PAGE_SIZE) 21068c2ecf20Sopenharmony_ci return -EINVAL; 21078c2ecf20Sopenharmony_ci 21088c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 21098c2ecf20Sopenharmony_ci if (IS_ERR(data)) 21108c2ecf20Sopenharmony_ci return PTR_ERR(data); 21118c2ecf20Sopenharmony_ci 21128c2ecf20Sopenharmony_ci /* 21138c2ecf20Sopenharmony_ci * Clear the smack_unconfined on invalid label errors. This means 21148c2ecf20Sopenharmony_ci * that we can pass a null string to unset the unconfined value. 21158c2ecf20Sopenharmony_ci * 21168c2ecf20Sopenharmony_ci * Importing will also reject a label beginning with '-', 21178c2ecf20Sopenharmony_ci * so "-confine" will also work. 21188c2ecf20Sopenharmony_ci * 21198c2ecf20Sopenharmony_ci * But do so only on invalid label, not on system errors. 21208c2ecf20Sopenharmony_ci */ 21218c2ecf20Sopenharmony_ci skp = smk_import_entry(data, count); 21228c2ecf20Sopenharmony_ci if (PTR_ERR(skp) == -EINVAL) 21238c2ecf20Sopenharmony_ci skp = NULL; 21248c2ecf20Sopenharmony_ci else if (IS_ERR(skp)) { 21258c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 21268c2ecf20Sopenharmony_ci goto freeout; 21278c2ecf20Sopenharmony_ci } 21288c2ecf20Sopenharmony_ci 21298c2ecf20Sopenharmony_ci smack_unconfined = skp; 21308c2ecf20Sopenharmony_ci 21318c2ecf20Sopenharmony_cifreeout: 21328c2ecf20Sopenharmony_ci kfree(data); 21338c2ecf20Sopenharmony_ci return rc; 21348c2ecf20Sopenharmony_ci} 21358c2ecf20Sopenharmony_ci 21368c2ecf20Sopenharmony_cistatic const struct file_operations smk_unconfined_ops = { 21378c2ecf20Sopenharmony_ci .read = smk_read_unconfined, 21388c2ecf20Sopenharmony_ci .write = smk_write_unconfined, 21398c2ecf20Sopenharmony_ci .llseek = default_llseek, 21408c2ecf20Sopenharmony_ci}; 21418c2ecf20Sopenharmony_ci#endif /* CONFIG_SECURITY_SMACK_BRINGUP */ 21428c2ecf20Sopenharmony_ci 21438c2ecf20Sopenharmony_ci/** 21448c2ecf20Sopenharmony_ci * smk_read_logging - read() for /smack/logging 21458c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 21468c2ecf20Sopenharmony_ci * @buf: where to put the result 21478c2ecf20Sopenharmony_ci * @cn: maximum to send along 21488c2ecf20Sopenharmony_ci * @ppos: where to start 21498c2ecf20Sopenharmony_ci * 21508c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 21518c2ecf20Sopenharmony_ci */ 21528c2ecf20Sopenharmony_cistatic ssize_t smk_read_logging(struct file *filp, char __user *buf, 21538c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 21548c2ecf20Sopenharmony_ci{ 21558c2ecf20Sopenharmony_ci char temp[32]; 21568c2ecf20Sopenharmony_ci ssize_t rc; 21578c2ecf20Sopenharmony_ci 21588c2ecf20Sopenharmony_ci if (*ppos != 0) 21598c2ecf20Sopenharmony_ci return 0; 21608c2ecf20Sopenharmony_ci 21618c2ecf20Sopenharmony_ci sprintf(temp, "%d\n", log_policy); 21628c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 21638c2ecf20Sopenharmony_ci return rc; 21648c2ecf20Sopenharmony_ci} 21658c2ecf20Sopenharmony_ci 21668c2ecf20Sopenharmony_ci/** 21678c2ecf20Sopenharmony_ci * smk_write_logging - write() for /smack/logging 21688c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 21698c2ecf20Sopenharmony_ci * @buf: where to get the data from 21708c2ecf20Sopenharmony_ci * @count: bytes sent 21718c2ecf20Sopenharmony_ci * @ppos: where to start 21728c2ecf20Sopenharmony_ci * 21738c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 21748c2ecf20Sopenharmony_ci */ 21758c2ecf20Sopenharmony_cistatic ssize_t smk_write_logging(struct file *file, const char __user *buf, 21768c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 21778c2ecf20Sopenharmony_ci{ 21788c2ecf20Sopenharmony_ci char temp[32]; 21798c2ecf20Sopenharmony_ci int i; 21808c2ecf20Sopenharmony_ci 21818c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 21828c2ecf20Sopenharmony_ci return -EPERM; 21838c2ecf20Sopenharmony_ci 21848c2ecf20Sopenharmony_ci if (count >= sizeof(temp) || count == 0) 21858c2ecf20Sopenharmony_ci return -EINVAL; 21868c2ecf20Sopenharmony_ci 21878c2ecf20Sopenharmony_ci if (copy_from_user(temp, buf, count) != 0) 21888c2ecf20Sopenharmony_ci return -EFAULT; 21898c2ecf20Sopenharmony_ci 21908c2ecf20Sopenharmony_ci temp[count] = '\0'; 21918c2ecf20Sopenharmony_ci 21928c2ecf20Sopenharmony_ci if (sscanf(temp, "%d", &i) != 1) 21938c2ecf20Sopenharmony_ci return -EINVAL; 21948c2ecf20Sopenharmony_ci if (i < 0 || i > 3) 21958c2ecf20Sopenharmony_ci return -EINVAL; 21968c2ecf20Sopenharmony_ci log_policy = i; 21978c2ecf20Sopenharmony_ci return count; 21988c2ecf20Sopenharmony_ci} 21998c2ecf20Sopenharmony_ci 22008c2ecf20Sopenharmony_ci 22018c2ecf20Sopenharmony_ci 22028c2ecf20Sopenharmony_cistatic const struct file_operations smk_logging_ops = { 22038c2ecf20Sopenharmony_ci .read = smk_read_logging, 22048c2ecf20Sopenharmony_ci .write = smk_write_logging, 22058c2ecf20Sopenharmony_ci .llseek = default_llseek, 22068c2ecf20Sopenharmony_ci}; 22078c2ecf20Sopenharmony_ci 22088c2ecf20Sopenharmony_ci/* 22098c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/load-self 22108c2ecf20Sopenharmony_ci */ 22118c2ecf20Sopenharmony_ci 22128c2ecf20Sopenharmony_cistatic void *load_self_seq_start(struct seq_file *s, loff_t *pos) 22138c2ecf20Sopenharmony_ci{ 22148c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 22158c2ecf20Sopenharmony_ci 22168c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &tsp->smk_rules); 22178c2ecf20Sopenharmony_ci} 22188c2ecf20Sopenharmony_ci 22198c2ecf20Sopenharmony_cistatic void *load_self_seq_next(struct seq_file *s, void *v, loff_t *pos) 22208c2ecf20Sopenharmony_ci{ 22218c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 22228c2ecf20Sopenharmony_ci 22238c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &tsp->smk_rules); 22248c2ecf20Sopenharmony_ci} 22258c2ecf20Sopenharmony_ci 22268c2ecf20Sopenharmony_cistatic int load_self_seq_show(struct seq_file *s, void *v) 22278c2ecf20Sopenharmony_ci{ 22288c2ecf20Sopenharmony_ci struct list_head *list = v; 22298c2ecf20Sopenharmony_ci struct smack_rule *srp = 22308c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_rule, list); 22318c2ecf20Sopenharmony_ci 22328c2ecf20Sopenharmony_ci smk_rule_show(s, srp, SMK_LABELLEN); 22338c2ecf20Sopenharmony_ci 22348c2ecf20Sopenharmony_ci return 0; 22358c2ecf20Sopenharmony_ci} 22368c2ecf20Sopenharmony_ci 22378c2ecf20Sopenharmony_cistatic const struct seq_operations load_self_seq_ops = { 22388c2ecf20Sopenharmony_ci .start = load_self_seq_start, 22398c2ecf20Sopenharmony_ci .next = load_self_seq_next, 22408c2ecf20Sopenharmony_ci .show = load_self_seq_show, 22418c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 22428c2ecf20Sopenharmony_ci}; 22438c2ecf20Sopenharmony_ci 22448c2ecf20Sopenharmony_ci 22458c2ecf20Sopenharmony_ci/** 22468c2ecf20Sopenharmony_ci * smk_open_load_self - open() for /smack/load-self2 22478c2ecf20Sopenharmony_ci * @inode: inode structure representing file 22488c2ecf20Sopenharmony_ci * @file: "load" file pointer 22498c2ecf20Sopenharmony_ci * 22508c2ecf20Sopenharmony_ci * For reading, use load_seq_* seq_file reading operations. 22518c2ecf20Sopenharmony_ci */ 22528c2ecf20Sopenharmony_cistatic int smk_open_load_self(struct inode *inode, struct file *file) 22538c2ecf20Sopenharmony_ci{ 22548c2ecf20Sopenharmony_ci return seq_open(file, &load_self_seq_ops); 22558c2ecf20Sopenharmony_ci} 22568c2ecf20Sopenharmony_ci 22578c2ecf20Sopenharmony_ci/** 22588c2ecf20Sopenharmony_ci * smk_write_load_self - write() for /smack/load-self 22598c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 22608c2ecf20Sopenharmony_ci * @buf: where to get the data from 22618c2ecf20Sopenharmony_ci * @count: bytes sent 22628c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 22638c2ecf20Sopenharmony_ci * 22648c2ecf20Sopenharmony_ci */ 22658c2ecf20Sopenharmony_cistatic ssize_t smk_write_load_self(struct file *file, const char __user *buf, 22668c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 22678c2ecf20Sopenharmony_ci{ 22688c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 22698c2ecf20Sopenharmony_ci 22708c2ecf20Sopenharmony_ci return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, 22718c2ecf20Sopenharmony_ci &tsp->smk_rules_lock, SMK_FIXED24_FMT); 22728c2ecf20Sopenharmony_ci} 22738c2ecf20Sopenharmony_ci 22748c2ecf20Sopenharmony_cistatic const struct file_operations smk_load_self_ops = { 22758c2ecf20Sopenharmony_ci .open = smk_open_load_self, 22768c2ecf20Sopenharmony_ci .read = seq_read, 22778c2ecf20Sopenharmony_ci .llseek = seq_lseek, 22788c2ecf20Sopenharmony_ci .write = smk_write_load_self, 22798c2ecf20Sopenharmony_ci .release = seq_release, 22808c2ecf20Sopenharmony_ci}; 22818c2ecf20Sopenharmony_ci 22828c2ecf20Sopenharmony_ci/** 22838c2ecf20Sopenharmony_ci * smk_user_access - handle access check transaction 22848c2ecf20Sopenharmony_ci * @file: file pointer 22858c2ecf20Sopenharmony_ci * @buf: data from user space 22868c2ecf20Sopenharmony_ci * @count: bytes sent 22878c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 22888c2ecf20Sopenharmony_ci */ 22898c2ecf20Sopenharmony_cistatic ssize_t smk_user_access(struct file *file, const char __user *buf, 22908c2ecf20Sopenharmony_ci size_t count, loff_t *ppos, int format) 22918c2ecf20Sopenharmony_ci{ 22928c2ecf20Sopenharmony_ci struct smack_parsed_rule rule; 22938c2ecf20Sopenharmony_ci char *data; 22948c2ecf20Sopenharmony_ci int res; 22958c2ecf20Sopenharmony_ci 22968c2ecf20Sopenharmony_ci data = simple_transaction_get(file, buf, count); 22978c2ecf20Sopenharmony_ci if (IS_ERR(data)) 22988c2ecf20Sopenharmony_ci return PTR_ERR(data); 22998c2ecf20Sopenharmony_ci 23008c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT) { 23018c2ecf20Sopenharmony_ci if (count < SMK_LOADLEN) 23028c2ecf20Sopenharmony_ci return -EINVAL; 23038c2ecf20Sopenharmony_ci res = smk_parse_rule(data, &rule, 0); 23048c2ecf20Sopenharmony_ci } else { 23058c2ecf20Sopenharmony_ci /* 23068c2ecf20Sopenharmony_ci * simple_transaction_get() returns null-terminated data 23078c2ecf20Sopenharmony_ci */ 23088c2ecf20Sopenharmony_ci res = smk_parse_long_rule(data, &rule, 0, 3); 23098c2ecf20Sopenharmony_ci } 23108c2ecf20Sopenharmony_ci 23118c2ecf20Sopenharmony_ci if (res >= 0) 23128c2ecf20Sopenharmony_ci res = smk_access(rule.smk_subject, rule.smk_object, 23138c2ecf20Sopenharmony_ci rule.smk_access1, NULL); 23148c2ecf20Sopenharmony_ci else if (res != -ENOENT) 23158c2ecf20Sopenharmony_ci return res; 23168c2ecf20Sopenharmony_ci 23178c2ecf20Sopenharmony_ci /* 23188c2ecf20Sopenharmony_ci * smk_access() can return a value > 0 in the "bringup" case. 23198c2ecf20Sopenharmony_ci */ 23208c2ecf20Sopenharmony_ci data[0] = res >= 0 ? '1' : '0'; 23218c2ecf20Sopenharmony_ci data[1] = '\0'; 23228c2ecf20Sopenharmony_ci 23238c2ecf20Sopenharmony_ci simple_transaction_set(file, 2); 23248c2ecf20Sopenharmony_ci 23258c2ecf20Sopenharmony_ci if (format == SMK_FIXED24_FMT) 23268c2ecf20Sopenharmony_ci return SMK_LOADLEN; 23278c2ecf20Sopenharmony_ci return count; 23288c2ecf20Sopenharmony_ci} 23298c2ecf20Sopenharmony_ci 23308c2ecf20Sopenharmony_ci/** 23318c2ecf20Sopenharmony_ci * smk_write_access - handle access check transaction 23328c2ecf20Sopenharmony_ci * @file: file pointer 23338c2ecf20Sopenharmony_ci * @buf: data from user space 23348c2ecf20Sopenharmony_ci * @count: bytes sent 23358c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 23368c2ecf20Sopenharmony_ci */ 23378c2ecf20Sopenharmony_cistatic ssize_t smk_write_access(struct file *file, const char __user *buf, 23388c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 23398c2ecf20Sopenharmony_ci{ 23408c2ecf20Sopenharmony_ci return smk_user_access(file, buf, count, ppos, SMK_FIXED24_FMT); 23418c2ecf20Sopenharmony_ci} 23428c2ecf20Sopenharmony_ci 23438c2ecf20Sopenharmony_cistatic const struct file_operations smk_access_ops = { 23448c2ecf20Sopenharmony_ci .write = smk_write_access, 23458c2ecf20Sopenharmony_ci .read = simple_transaction_read, 23468c2ecf20Sopenharmony_ci .release = simple_transaction_release, 23478c2ecf20Sopenharmony_ci .llseek = generic_file_llseek, 23488c2ecf20Sopenharmony_ci}; 23498c2ecf20Sopenharmony_ci 23508c2ecf20Sopenharmony_ci 23518c2ecf20Sopenharmony_ci/* 23528c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/load2 23538c2ecf20Sopenharmony_ci */ 23548c2ecf20Sopenharmony_ci 23558c2ecf20Sopenharmony_cistatic int load2_seq_show(struct seq_file *s, void *v) 23568c2ecf20Sopenharmony_ci{ 23578c2ecf20Sopenharmony_ci struct list_head *list = v; 23588c2ecf20Sopenharmony_ci struct smack_rule *srp; 23598c2ecf20Sopenharmony_ci struct smack_known *skp = 23608c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_known, list); 23618c2ecf20Sopenharmony_ci 23628c2ecf20Sopenharmony_ci list_for_each_entry_rcu(srp, &skp->smk_rules, list) 23638c2ecf20Sopenharmony_ci smk_rule_show(s, srp, SMK_LONGLABEL); 23648c2ecf20Sopenharmony_ci 23658c2ecf20Sopenharmony_ci return 0; 23668c2ecf20Sopenharmony_ci} 23678c2ecf20Sopenharmony_ci 23688c2ecf20Sopenharmony_cistatic const struct seq_operations load2_seq_ops = { 23698c2ecf20Sopenharmony_ci .start = load2_seq_start, 23708c2ecf20Sopenharmony_ci .next = load2_seq_next, 23718c2ecf20Sopenharmony_ci .show = load2_seq_show, 23728c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 23738c2ecf20Sopenharmony_ci}; 23748c2ecf20Sopenharmony_ci 23758c2ecf20Sopenharmony_ci/** 23768c2ecf20Sopenharmony_ci * smk_open_load2 - open() for /smack/load2 23778c2ecf20Sopenharmony_ci * @inode: inode structure representing file 23788c2ecf20Sopenharmony_ci * @file: "load2" file pointer 23798c2ecf20Sopenharmony_ci * 23808c2ecf20Sopenharmony_ci * For reading, use load2_seq_* seq_file reading operations. 23818c2ecf20Sopenharmony_ci */ 23828c2ecf20Sopenharmony_cistatic int smk_open_load2(struct inode *inode, struct file *file) 23838c2ecf20Sopenharmony_ci{ 23848c2ecf20Sopenharmony_ci return seq_open(file, &load2_seq_ops); 23858c2ecf20Sopenharmony_ci} 23868c2ecf20Sopenharmony_ci 23878c2ecf20Sopenharmony_ci/** 23888c2ecf20Sopenharmony_ci * smk_write_load2 - write() for /smack/load2 23898c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 23908c2ecf20Sopenharmony_ci * @buf: where to get the data from 23918c2ecf20Sopenharmony_ci * @count: bytes sent 23928c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 23938c2ecf20Sopenharmony_ci * 23948c2ecf20Sopenharmony_ci */ 23958c2ecf20Sopenharmony_cistatic ssize_t smk_write_load2(struct file *file, const char __user *buf, 23968c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 23978c2ecf20Sopenharmony_ci{ 23988c2ecf20Sopenharmony_ci /* 23998c2ecf20Sopenharmony_ci * Must have privilege. 24008c2ecf20Sopenharmony_ci */ 24018c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 24028c2ecf20Sopenharmony_ci return -EPERM; 24038c2ecf20Sopenharmony_ci 24048c2ecf20Sopenharmony_ci return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, 24058c2ecf20Sopenharmony_ci SMK_LONG_FMT); 24068c2ecf20Sopenharmony_ci} 24078c2ecf20Sopenharmony_ci 24088c2ecf20Sopenharmony_cistatic const struct file_operations smk_load2_ops = { 24098c2ecf20Sopenharmony_ci .open = smk_open_load2, 24108c2ecf20Sopenharmony_ci .read = seq_read, 24118c2ecf20Sopenharmony_ci .llseek = seq_lseek, 24128c2ecf20Sopenharmony_ci .write = smk_write_load2, 24138c2ecf20Sopenharmony_ci .release = seq_release, 24148c2ecf20Sopenharmony_ci}; 24158c2ecf20Sopenharmony_ci 24168c2ecf20Sopenharmony_ci/* 24178c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/load-self2 24188c2ecf20Sopenharmony_ci */ 24198c2ecf20Sopenharmony_ci 24208c2ecf20Sopenharmony_cistatic void *load_self2_seq_start(struct seq_file *s, loff_t *pos) 24218c2ecf20Sopenharmony_ci{ 24228c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 24238c2ecf20Sopenharmony_ci 24248c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &tsp->smk_rules); 24258c2ecf20Sopenharmony_ci} 24268c2ecf20Sopenharmony_ci 24278c2ecf20Sopenharmony_cistatic void *load_self2_seq_next(struct seq_file *s, void *v, loff_t *pos) 24288c2ecf20Sopenharmony_ci{ 24298c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 24308c2ecf20Sopenharmony_ci 24318c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &tsp->smk_rules); 24328c2ecf20Sopenharmony_ci} 24338c2ecf20Sopenharmony_ci 24348c2ecf20Sopenharmony_cistatic int load_self2_seq_show(struct seq_file *s, void *v) 24358c2ecf20Sopenharmony_ci{ 24368c2ecf20Sopenharmony_ci struct list_head *list = v; 24378c2ecf20Sopenharmony_ci struct smack_rule *srp = 24388c2ecf20Sopenharmony_ci list_entry_rcu(list, struct smack_rule, list); 24398c2ecf20Sopenharmony_ci 24408c2ecf20Sopenharmony_ci smk_rule_show(s, srp, SMK_LONGLABEL); 24418c2ecf20Sopenharmony_ci 24428c2ecf20Sopenharmony_ci return 0; 24438c2ecf20Sopenharmony_ci} 24448c2ecf20Sopenharmony_ci 24458c2ecf20Sopenharmony_cistatic const struct seq_operations load_self2_seq_ops = { 24468c2ecf20Sopenharmony_ci .start = load_self2_seq_start, 24478c2ecf20Sopenharmony_ci .next = load_self2_seq_next, 24488c2ecf20Sopenharmony_ci .show = load_self2_seq_show, 24498c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 24508c2ecf20Sopenharmony_ci}; 24518c2ecf20Sopenharmony_ci 24528c2ecf20Sopenharmony_ci/** 24538c2ecf20Sopenharmony_ci * smk_open_load_self2 - open() for /smack/load-self2 24548c2ecf20Sopenharmony_ci * @inode: inode structure representing file 24558c2ecf20Sopenharmony_ci * @file: "load" file pointer 24568c2ecf20Sopenharmony_ci * 24578c2ecf20Sopenharmony_ci * For reading, use load_seq_* seq_file reading operations. 24588c2ecf20Sopenharmony_ci */ 24598c2ecf20Sopenharmony_cistatic int smk_open_load_self2(struct inode *inode, struct file *file) 24608c2ecf20Sopenharmony_ci{ 24618c2ecf20Sopenharmony_ci return seq_open(file, &load_self2_seq_ops); 24628c2ecf20Sopenharmony_ci} 24638c2ecf20Sopenharmony_ci 24648c2ecf20Sopenharmony_ci/** 24658c2ecf20Sopenharmony_ci * smk_write_load_self2 - write() for /smack/load-self2 24668c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 24678c2ecf20Sopenharmony_ci * @buf: where to get the data from 24688c2ecf20Sopenharmony_ci * @count: bytes sent 24698c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 24708c2ecf20Sopenharmony_ci * 24718c2ecf20Sopenharmony_ci */ 24728c2ecf20Sopenharmony_cistatic ssize_t smk_write_load_self2(struct file *file, const char __user *buf, 24738c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 24748c2ecf20Sopenharmony_ci{ 24758c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 24768c2ecf20Sopenharmony_ci 24778c2ecf20Sopenharmony_ci return smk_write_rules_list(file, buf, count, ppos, &tsp->smk_rules, 24788c2ecf20Sopenharmony_ci &tsp->smk_rules_lock, SMK_LONG_FMT); 24798c2ecf20Sopenharmony_ci} 24808c2ecf20Sopenharmony_ci 24818c2ecf20Sopenharmony_cistatic const struct file_operations smk_load_self2_ops = { 24828c2ecf20Sopenharmony_ci .open = smk_open_load_self2, 24838c2ecf20Sopenharmony_ci .read = seq_read, 24848c2ecf20Sopenharmony_ci .llseek = seq_lseek, 24858c2ecf20Sopenharmony_ci .write = smk_write_load_self2, 24868c2ecf20Sopenharmony_ci .release = seq_release, 24878c2ecf20Sopenharmony_ci}; 24888c2ecf20Sopenharmony_ci 24898c2ecf20Sopenharmony_ci/** 24908c2ecf20Sopenharmony_ci * smk_write_access2 - handle access check transaction 24918c2ecf20Sopenharmony_ci * @file: file pointer 24928c2ecf20Sopenharmony_ci * @buf: data from user space 24938c2ecf20Sopenharmony_ci * @count: bytes sent 24948c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 24958c2ecf20Sopenharmony_ci */ 24968c2ecf20Sopenharmony_cistatic ssize_t smk_write_access2(struct file *file, const char __user *buf, 24978c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 24988c2ecf20Sopenharmony_ci{ 24998c2ecf20Sopenharmony_ci return smk_user_access(file, buf, count, ppos, SMK_LONG_FMT); 25008c2ecf20Sopenharmony_ci} 25018c2ecf20Sopenharmony_ci 25028c2ecf20Sopenharmony_cistatic const struct file_operations smk_access2_ops = { 25038c2ecf20Sopenharmony_ci .write = smk_write_access2, 25048c2ecf20Sopenharmony_ci .read = simple_transaction_read, 25058c2ecf20Sopenharmony_ci .release = simple_transaction_release, 25068c2ecf20Sopenharmony_ci .llseek = generic_file_llseek, 25078c2ecf20Sopenharmony_ci}; 25088c2ecf20Sopenharmony_ci 25098c2ecf20Sopenharmony_ci/** 25108c2ecf20Sopenharmony_ci * smk_write_revoke_subj - write() for /smack/revoke-subject 25118c2ecf20Sopenharmony_ci * @file: file pointer 25128c2ecf20Sopenharmony_ci * @buf: data from user space 25138c2ecf20Sopenharmony_ci * @count: bytes sent 25148c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 25158c2ecf20Sopenharmony_ci */ 25168c2ecf20Sopenharmony_cistatic ssize_t smk_write_revoke_subj(struct file *file, const char __user *buf, 25178c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 25188c2ecf20Sopenharmony_ci{ 25198c2ecf20Sopenharmony_ci char *data; 25208c2ecf20Sopenharmony_ci const char *cp; 25218c2ecf20Sopenharmony_ci struct smack_known *skp; 25228c2ecf20Sopenharmony_ci struct smack_rule *sp; 25238c2ecf20Sopenharmony_ci struct list_head *rule_list; 25248c2ecf20Sopenharmony_ci struct mutex *rule_lock; 25258c2ecf20Sopenharmony_ci int rc = count; 25268c2ecf20Sopenharmony_ci 25278c2ecf20Sopenharmony_ci if (*ppos != 0) 25288c2ecf20Sopenharmony_ci return -EINVAL; 25298c2ecf20Sopenharmony_ci 25308c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 25318c2ecf20Sopenharmony_ci return -EPERM; 25328c2ecf20Sopenharmony_ci 25338c2ecf20Sopenharmony_ci if (count == 0 || count > SMK_LONGLABEL) 25348c2ecf20Sopenharmony_ci return -EINVAL; 25358c2ecf20Sopenharmony_ci 25368c2ecf20Sopenharmony_ci data = memdup_user(buf, count); 25378c2ecf20Sopenharmony_ci if (IS_ERR(data)) 25388c2ecf20Sopenharmony_ci return PTR_ERR(data); 25398c2ecf20Sopenharmony_ci 25408c2ecf20Sopenharmony_ci cp = smk_parse_smack(data, count); 25418c2ecf20Sopenharmony_ci if (IS_ERR(cp)) { 25428c2ecf20Sopenharmony_ci rc = PTR_ERR(cp); 25438c2ecf20Sopenharmony_ci goto out_data; 25448c2ecf20Sopenharmony_ci } 25458c2ecf20Sopenharmony_ci 25468c2ecf20Sopenharmony_ci skp = smk_find_entry(cp); 25478c2ecf20Sopenharmony_ci if (skp == NULL) 25488c2ecf20Sopenharmony_ci goto out_cp; 25498c2ecf20Sopenharmony_ci 25508c2ecf20Sopenharmony_ci rule_list = &skp->smk_rules; 25518c2ecf20Sopenharmony_ci rule_lock = &skp->smk_rules_lock; 25528c2ecf20Sopenharmony_ci 25538c2ecf20Sopenharmony_ci mutex_lock(rule_lock); 25548c2ecf20Sopenharmony_ci 25558c2ecf20Sopenharmony_ci list_for_each_entry_rcu(sp, rule_list, list) 25568c2ecf20Sopenharmony_ci sp->smk_access = 0; 25578c2ecf20Sopenharmony_ci 25588c2ecf20Sopenharmony_ci mutex_unlock(rule_lock); 25598c2ecf20Sopenharmony_ci 25608c2ecf20Sopenharmony_ciout_cp: 25618c2ecf20Sopenharmony_ci kfree(cp); 25628c2ecf20Sopenharmony_ciout_data: 25638c2ecf20Sopenharmony_ci kfree(data); 25648c2ecf20Sopenharmony_ci 25658c2ecf20Sopenharmony_ci return rc; 25668c2ecf20Sopenharmony_ci} 25678c2ecf20Sopenharmony_ci 25688c2ecf20Sopenharmony_cistatic const struct file_operations smk_revoke_subj_ops = { 25698c2ecf20Sopenharmony_ci .write = smk_write_revoke_subj, 25708c2ecf20Sopenharmony_ci .read = simple_transaction_read, 25718c2ecf20Sopenharmony_ci .release = simple_transaction_release, 25728c2ecf20Sopenharmony_ci .llseek = generic_file_llseek, 25738c2ecf20Sopenharmony_ci}; 25748c2ecf20Sopenharmony_ci 25758c2ecf20Sopenharmony_ci/** 25768c2ecf20Sopenharmony_ci * smk_init_sysfs - initialize /sys/fs/smackfs 25778c2ecf20Sopenharmony_ci * 25788c2ecf20Sopenharmony_ci */ 25798c2ecf20Sopenharmony_cistatic int smk_init_sysfs(void) 25808c2ecf20Sopenharmony_ci{ 25818c2ecf20Sopenharmony_ci return sysfs_create_mount_point(fs_kobj, "smackfs"); 25828c2ecf20Sopenharmony_ci} 25838c2ecf20Sopenharmony_ci 25848c2ecf20Sopenharmony_ci/** 25858c2ecf20Sopenharmony_ci * smk_write_change_rule - write() for /smack/change-rule 25868c2ecf20Sopenharmony_ci * @file: file pointer 25878c2ecf20Sopenharmony_ci * @buf: data from user space 25888c2ecf20Sopenharmony_ci * @count: bytes sent 25898c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 25908c2ecf20Sopenharmony_ci */ 25918c2ecf20Sopenharmony_cistatic ssize_t smk_write_change_rule(struct file *file, const char __user *buf, 25928c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 25938c2ecf20Sopenharmony_ci{ 25948c2ecf20Sopenharmony_ci /* 25958c2ecf20Sopenharmony_ci * Must have privilege. 25968c2ecf20Sopenharmony_ci */ 25978c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 25988c2ecf20Sopenharmony_ci return -EPERM; 25998c2ecf20Sopenharmony_ci 26008c2ecf20Sopenharmony_ci return smk_write_rules_list(file, buf, count, ppos, NULL, NULL, 26018c2ecf20Sopenharmony_ci SMK_CHANGE_FMT); 26028c2ecf20Sopenharmony_ci} 26038c2ecf20Sopenharmony_ci 26048c2ecf20Sopenharmony_cistatic const struct file_operations smk_change_rule_ops = { 26058c2ecf20Sopenharmony_ci .write = smk_write_change_rule, 26068c2ecf20Sopenharmony_ci .read = simple_transaction_read, 26078c2ecf20Sopenharmony_ci .release = simple_transaction_release, 26088c2ecf20Sopenharmony_ci .llseek = generic_file_llseek, 26098c2ecf20Sopenharmony_ci}; 26108c2ecf20Sopenharmony_ci 26118c2ecf20Sopenharmony_ci/** 26128c2ecf20Sopenharmony_ci * smk_read_syslog - read() for smackfs/syslog 26138c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 26148c2ecf20Sopenharmony_ci * @buf: where to put the result 26158c2ecf20Sopenharmony_ci * @cn: maximum to send along 26168c2ecf20Sopenharmony_ci * @ppos: where to start 26178c2ecf20Sopenharmony_ci * 26188c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 26198c2ecf20Sopenharmony_ci */ 26208c2ecf20Sopenharmony_cistatic ssize_t smk_read_syslog(struct file *filp, char __user *buf, 26218c2ecf20Sopenharmony_ci size_t cn, loff_t *ppos) 26228c2ecf20Sopenharmony_ci{ 26238c2ecf20Sopenharmony_ci struct smack_known *skp; 26248c2ecf20Sopenharmony_ci ssize_t rc = -EINVAL; 26258c2ecf20Sopenharmony_ci int asize; 26268c2ecf20Sopenharmony_ci 26278c2ecf20Sopenharmony_ci if (*ppos != 0) 26288c2ecf20Sopenharmony_ci return 0; 26298c2ecf20Sopenharmony_ci 26308c2ecf20Sopenharmony_ci if (smack_syslog_label == NULL) 26318c2ecf20Sopenharmony_ci skp = &smack_known_star; 26328c2ecf20Sopenharmony_ci else 26338c2ecf20Sopenharmony_ci skp = smack_syslog_label; 26348c2ecf20Sopenharmony_ci 26358c2ecf20Sopenharmony_ci asize = strlen(skp->smk_known) + 1; 26368c2ecf20Sopenharmony_ci 26378c2ecf20Sopenharmony_ci if (cn >= asize) 26388c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, cn, ppos, skp->smk_known, 26398c2ecf20Sopenharmony_ci asize); 26408c2ecf20Sopenharmony_ci 26418c2ecf20Sopenharmony_ci return rc; 26428c2ecf20Sopenharmony_ci} 26438c2ecf20Sopenharmony_ci 26448c2ecf20Sopenharmony_ci/** 26458c2ecf20Sopenharmony_ci * smk_write_syslog - write() for smackfs/syslog 26468c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 26478c2ecf20Sopenharmony_ci * @buf: where to get the data from 26488c2ecf20Sopenharmony_ci * @count: bytes sent 26498c2ecf20Sopenharmony_ci * @ppos: where to start 26508c2ecf20Sopenharmony_ci * 26518c2ecf20Sopenharmony_ci * Returns number of bytes written or error code, as appropriate 26528c2ecf20Sopenharmony_ci */ 26538c2ecf20Sopenharmony_cistatic ssize_t smk_write_syslog(struct file *file, const char __user *buf, 26548c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 26558c2ecf20Sopenharmony_ci{ 26568c2ecf20Sopenharmony_ci char *data; 26578c2ecf20Sopenharmony_ci struct smack_known *skp; 26588c2ecf20Sopenharmony_ci int rc = count; 26598c2ecf20Sopenharmony_ci 26608c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 26618c2ecf20Sopenharmony_ci return -EPERM; 26628c2ecf20Sopenharmony_ci 26638c2ecf20Sopenharmony_ci /* Enough data must be present */ 26648c2ecf20Sopenharmony_ci if (count == 0 || count > PAGE_SIZE) 26658c2ecf20Sopenharmony_ci return -EINVAL; 26668c2ecf20Sopenharmony_ci 26678c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 26688c2ecf20Sopenharmony_ci if (IS_ERR(data)) 26698c2ecf20Sopenharmony_ci return PTR_ERR(data); 26708c2ecf20Sopenharmony_ci 26718c2ecf20Sopenharmony_ci skp = smk_import_entry(data, count); 26728c2ecf20Sopenharmony_ci if (IS_ERR(skp)) 26738c2ecf20Sopenharmony_ci rc = PTR_ERR(skp); 26748c2ecf20Sopenharmony_ci else 26758c2ecf20Sopenharmony_ci smack_syslog_label = skp; 26768c2ecf20Sopenharmony_ci 26778c2ecf20Sopenharmony_ci kfree(data); 26788c2ecf20Sopenharmony_ci return rc; 26798c2ecf20Sopenharmony_ci} 26808c2ecf20Sopenharmony_ci 26818c2ecf20Sopenharmony_cistatic const struct file_operations smk_syslog_ops = { 26828c2ecf20Sopenharmony_ci .read = smk_read_syslog, 26838c2ecf20Sopenharmony_ci .write = smk_write_syslog, 26848c2ecf20Sopenharmony_ci .llseek = default_llseek, 26858c2ecf20Sopenharmony_ci}; 26868c2ecf20Sopenharmony_ci 26878c2ecf20Sopenharmony_ci/* 26888c2ecf20Sopenharmony_ci * Seq_file read operations for /smack/relabel-self 26898c2ecf20Sopenharmony_ci */ 26908c2ecf20Sopenharmony_ci 26918c2ecf20Sopenharmony_cistatic void *relabel_self_seq_start(struct seq_file *s, loff_t *pos) 26928c2ecf20Sopenharmony_ci{ 26938c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 26948c2ecf20Sopenharmony_ci 26958c2ecf20Sopenharmony_ci return smk_seq_start(s, pos, &tsp->smk_relabel); 26968c2ecf20Sopenharmony_ci} 26978c2ecf20Sopenharmony_ci 26988c2ecf20Sopenharmony_cistatic void *relabel_self_seq_next(struct seq_file *s, void *v, loff_t *pos) 26998c2ecf20Sopenharmony_ci{ 27008c2ecf20Sopenharmony_ci struct task_smack *tsp = smack_cred(current_cred()); 27018c2ecf20Sopenharmony_ci 27028c2ecf20Sopenharmony_ci return smk_seq_next(s, v, pos, &tsp->smk_relabel); 27038c2ecf20Sopenharmony_ci} 27048c2ecf20Sopenharmony_ci 27058c2ecf20Sopenharmony_cistatic int relabel_self_seq_show(struct seq_file *s, void *v) 27068c2ecf20Sopenharmony_ci{ 27078c2ecf20Sopenharmony_ci struct list_head *list = v; 27088c2ecf20Sopenharmony_ci struct smack_known_list_elem *sklep = 27098c2ecf20Sopenharmony_ci list_entry(list, struct smack_known_list_elem, list); 27108c2ecf20Sopenharmony_ci 27118c2ecf20Sopenharmony_ci seq_puts(s, sklep->smk_label->smk_known); 27128c2ecf20Sopenharmony_ci seq_putc(s, ' '); 27138c2ecf20Sopenharmony_ci 27148c2ecf20Sopenharmony_ci return 0; 27158c2ecf20Sopenharmony_ci} 27168c2ecf20Sopenharmony_ci 27178c2ecf20Sopenharmony_cistatic const struct seq_operations relabel_self_seq_ops = { 27188c2ecf20Sopenharmony_ci .start = relabel_self_seq_start, 27198c2ecf20Sopenharmony_ci .next = relabel_self_seq_next, 27208c2ecf20Sopenharmony_ci .show = relabel_self_seq_show, 27218c2ecf20Sopenharmony_ci .stop = smk_seq_stop, 27228c2ecf20Sopenharmony_ci}; 27238c2ecf20Sopenharmony_ci 27248c2ecf20Sopenharmony_ci/** 27258c2ecf20Sopenharmony_ci * smk_open_relabel_self - open() for /smack/relabel-self 27268c2ecf20Sopenharmony_ci * @inode: inode structure representing file 27278c2ecf20Sopenharmony_ci * @file: "relabel-self" file pointer 27288c2ecf20Sopenharmony_ci * 27298c2ecf20Sopenharmony_ci * Connect our relabel_self_seq_* operations with /smack/relabel-self 27308c2ecf20Sopenharmony_ci * file_operations 27318c2ecf20Sopenharmony_ci */ 27328c2ecf20Sopenharmony_cistatic int smk_open_relabel_self(struct inode *inode, struct file *file) 27338c2ecf20Sopenharmony_ci{ 27348c2ecf20Sopenharmony_ci return seq_open(file, &relabel_self_seq_ops); 27358c2ecf20Sopenharmony_ci} 27368c2ecf20Sopenharmony_ci 27378c2ecf20Sopenharmony_ci/** 27388c2ecf20Sopenharmony_ci * smk_write_relabel_self - write() for /smack/relabel-self 27398c2ecf20Sopenharmony_ci * @file: file pointer, not actually used 27408c2ecf20Sopenharmony_ci * @buf: where to get the data from 27418c2ecf20Sopenharmony_ci * @count: bytes sent 27428c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 27438c2ecf20Sopenharmony_ci * 27448c2ecf20Sopenharmony_ci */ 27458c2ecf20Sopenharmony_cistatic ssize_t smk_write_relabel_self(struct file *file, const char __user *buf, 27468c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 27478c2ecf20Sopenharmony_ci{ 27488c2ecf20Sopenharmony_ci char *data; 27498c2ecf20Sopenharmony_ci int rc; 27508c2ecf20Sopenharmony_ci LIST_HEAD(list_tmp); 27518c2ecf20Sopenharmony_ci 27528c2ecf20Sopenharmony_ci /* 27538c2ecf20Sopenharmony_ci * Must have privilege. 27548c2ecf20Sopenharmony_ci */ 27558c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 27568c2ecf20Sopenharmony_ci return -EPERM; 27578c2ecf20Sopenharmony_ci 27588c2ecf20Sopenharmony_ci /* 27598c2ecf20Sopenharmony_ci * No partial write. 27608c2ecf20Sopenharmony_ci * Enough data must be present. 27618c2ecf20Sopenharmony_ci */ 27628c2ecf20Sopenharmony_ci if (*ppos != 0) 27638c2ecf20Sopenharmony_ci return -EINVAL; 27648c2ecf20Sopenharmony_ci if (count == 0 || count > PAGE_SIZE) 27658c2ecf20Sopenharmony_ci return -EINVAL; 27668c2ecf20Sopenharmony_ci 27678c2ecf20Sopenharmony_ci data = memdup_user_nul(buf, count); 27688c2ecf20Sopenharmony_ci if (IS_ERR(data)) 27698c2ecf20Sopenharmony_ci return PTR_ERR(data); 27708c2ecf20Sopenharmony_ci 27718c2ecf20Sopenharmony_ci rc = smk_parse_label_list(data, &list_tmp); 27728c2ecf20Sopenharmony_ci kfree(data); 27738c2ecf20Sopenharmony_ci 27748c2ecf20Sopenharmony_ci if (!rc || (rc == -EINVAL && list_empty(&list_tmp))) { 27758c2ecf20Sopenharmony_ci struct cred *new; 27768c2ecf20Sopenharmony_ci struct task_smack *tsp; 27778c2ecf20Sopenharmony_ci 27788c2ecf20Sopenharmony_ci new = prepare_creds(); 27798c2ecf20Sopenharmony_ci if (!new) { 27808c2ecf20Sopenharmony_ci rc = -ENOMEM; 27818c2ecf20Sopenharmony_ci goto out; 27828c2ecf20Sopenharmony_ci } 27838c2ecf20Sopenharmony_ci tsp = smack_cred(new); 27848c2ecf20Sopenharmony_ci smk_destroy_label_list(&tsp->smk_relabel); 27858c2ecf20Sopenharmony_ci list_splice(&list_tmp, &tsp->smk_relabel); 27868c2ecf20Sopenharmony_ci commit_creds(new); 27878c2ecf20Sopenharmony_ci return count; 27888c2ecf20Sopenharmony_ci } 27898c2ecf20Sopenharmony_ciout: 27908c2ecf20Sopenharmony_ci smk_destroy_label_list(&list_tmp); 27918c2ecf20Sopenharmony_ci return rc; 27928c2ecf20Sopenharmony_ci} 27938c2ecf20Sopenharmony_ci 27948c2ecf20Sopenharmony_cistatic const struct file_operations smk_relabel_self_ops = { 27958c2ecf20Sopenharmony_ci .open = smk_open_relabel_self, 27968c2ecf20Sopenharmony_ci .read = seq_read, 27978c2ecf20Sopenharmony_ci .llseek = seq_lseek, 27988c2ecf20Sopenharmony_ci .write = smk_write_relabel_self, 27998c2ecf20Sopenharmony_ci .release = seq_release, 28008c2ecf20Sopenharmony_ci}; 28018c2ecf20Sopenharmony_ci 28028c2ecf20Sopenharmony_ci/** 28038c2ecf20Sopenharmony_ci * smk_read_ptrace - read() for /smack/ptrace 28048c2ecf20Sopenharmony_ci * @filp: file pointer, not actually used 28058c2ecf20Sopenharmony_ci * @buf: where to put the result 28068c2ecf20Sopenharmony_ci * @count: maximum to send along 28078c2ecf20Sopenharmony_ci * @ppos: where to start 28088c2ecf20Sopenharmony_ci * 28098c2ecf20Sopenharmony_ci * Returns number of bytes read or error code, as appropriate 28108c2ecf20Sopenharmony_ci */ 28118c2ecf20Sopenharmony_cistatic ssize_t smk_read_ptrace(struct file *filp, char __user *buf, 28128c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 28138c2ecf20Sopenharmony_ci{ 28148c2ecf20Sopenharmony_ci char temp[32]; 28158c2ecf20Sopenharmony_ci ssize_t rc; 28168c2ecf20Sopenharmony_ci 28178c2ecf20Sopenharmony_ci if (*ppos != 0) 28188c2ecf20Sopenharmony_ci return 0; 28198c2ecf20Sopenharmony_ci 28208c2ecf20Sopenharmony_ci sprintf(temp, "%d\n", smack_ptrace_rule); 28218c2ecf20Sopenharmony_ci rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); 28228c2ecf20Sopenharmony_ci return rc; 28238c2ecf20Sopenharmony_ci} 28248c2ecf20Sopenharmony_ci 28258c2ecf20Sopenharmony_ci/** 28268c2ecf20Sopenharmony_ci * smk_write_ptrace - write() for /smack/ptrace 28278c2ecf20Sopenharmony_ci * @file: file pointer 28288c2ecf20Sopenharmony_ci * @buf: data from user space 28298c2ecf20Sopenharmony_ci * @count: bytes sent 28308c2ecf20Sopenharmony_ci * @ppos: where to start - must be 0 28318c2ecf20Sopenharmony_ci */ 28328c2ecf20Sopenharmony_cistatic ssize_t smk_write_ptrace(struct file *file, const char __user *buf, 28338c2ecf20Sopenharmony_ci size_t count, loff_t *ppos) 28348c2ecf20Sopenharmony_ci{ 28358c2ecf20Sopenharmony_ci char temp[32]; 28368c2ecf20Sopenharmony_ci int i; 28378c2ecf20Sopenharmony_ci 28388c2ecf20Sopenharmony_ci if (!smack_privileged(CAP_MAC_ADMIN)) 28398c2ecf20Sopenharmony_ci return -EPERM; 28408c2ecf20Sopenharmony_ci 28418c2ecf20Sopenharmony_ci if (*ppos != 0 || count >= sizeof(temp) || count == 0) 28428c2ecf20Sopenharmony_ci return -EINVAL; 28438c2ecf20Sopenharmony_ci 28448c2ecf20Sopenharmony_ci if (copy_from_user(temp, buf, count) != 0) 28458c2ecf20Sopenharmony_ci return -EFAULT; 28468c2ecf20Sopenharmony_ci 28478c2ecf20Sopenharmony_ci temp[count] = '\0'; 28488c2ecf20Sopenharmony_ci 28498c2ecf20Sopenharmony_ci if (sscanf(temp, "%d", &i) != 1) 28508c2ecf20Sopenharmony_ci return -EINVAL; 28518c2ecf20Sopenharmony_ci if (i < SMACK_PTRACE_DEFAULT || i > SMACK_PTRACE_MAX) 28528c2ecf20Sopenharmony_ci return -EINVAL; 28538c2ecf20Sopenharmony_ci smack_ptrace_rule = i; 28548c2ecf20Sopenharmony_ci 28558c2ecf20Sopenharmony_ci return count; 28568c2ecf20Sopenharmony_ci} 28578c2ecf20Sopenharmony_ci 28588c2ecf20Sopenharmony_cistatic const struct file_operations smk_ptrace_ops = { 28598c2ecf20Sopenharmony_ci .write = smk_write_ptrace, 28608c2ecf20Sopenharmony_ci .read = smk_read_ptrace, 28618c2ecf20Sopenharmony_ci .llseek = default_llseek, 28628c2ecf20Sopenharmony_ci}; 28638c2ecf20Sopenharmony_ci 28648c2ecf20Sopenharmony_ci/** 28658c2ecf20Sopenharmony_ci * smk_fill_super - fill the smackfs superblock 28668c2ecf20Sopenharmony_ci * @sb: the empty superblock 28678c2ecf20Sopenharmony_ci * @fc: unused 28688c2ecf20Sopenharmony_ci * 28698c2ecf20Sopenharmony_ci * Fill in the well known entries for the smack filesystem 28708c2ecf20Sopenharmony_ci * 28718c2ecf20Sopenharmony_ci * Returns 0 on success, an error code on failure 28728c2ecf20Sopenharmony_ci */ 28738c2ecf20Sopenharmony_cistatic int smk_fill_super(struct super_block *sb, struct fs_context *fc) 28748c2ecf20Sopenharmony_ci{ 28758c2ecf20Sopenharmony_ci int rc; 28768c2ecf20Sopenharmony_ci 28778c2ecf20Sopenharmony_ci static const struct tree_descr smack_files[] = { 28788c2ecf20Sopenharmony_ci [SMK_LOAD] = { 28798c2ecf20Sopenharmony_ci "load", &smk_load_ops, S_IRUGO|S_IWUSR}, 28808c2ecf20Sopenharmony_ci [SMK_CIPSO] = { 28818c2ecf20Sopenharmony_ci "cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR}, 28828c2ecf20Sopenharmony_ci [SMK_DOI] = { 28838c2ecf20Sopenharmony_ci "doi", &smk_doi_ops, S_IRUGO|S_IWUSR}, 28848c2ecf20Sopenharmony_ci [SMK_DIRECT] = { 28858c2ecf20Sopenharmony_ci "direct", &smk_direct_ops, S_IRUGO|S_IWUSR}, 28868c2ecf20Sopenharmony_ci [SMK_AMBIENT] = { 28878c2ecf20Sopenharmony_ci "ambient", &smk_ambient_ops, S_IRUGO|S_IWUSR}, 28888c2ecf20Sopenharmony_ci [SMK_NET4ADDR] = { 28898c2ecf20Sopenharmony_ci "netlabel", &smk_net4addr_ops, S_IRUGO|S_IWUSR}, 28908c2ecf20Sopenharmony_ci [SMK_ONLYCAP] = { 28918c2ecf20Sopenharmony_ci "onlycap", &smk_onlycap_ops, S_IRUGO|S_IWUSR}, 28928c2ecf20Sopenharmony_ci [SMK_LOGGING] = { 28938c2ecf20Sopenharmony_ci "logging", &smk_logging_ops, S_IRUGO|S_IWUSR}, 28948c2ecf20Sopenharmony_ci [SMK_LOAD_SELF] = { 28958c2ecf20Sopenharmony_ci "load-self", &smk_load_self_ops, S_IRUGO|S_IWUGO}, 28968c2ecf20Sopenharmony_ci [SMK_ACCESSES] = { 28978c2ecf20Sopenharmony_ci "access", &smk_access_ops, S_IRUGO|S_IWUGO}, 28988c2ecf20Sopenharmony_ci [SMK_MAPPED] = { 28998c2ecf20Sopenharmony_ci "mapped", &smk_mapped_ops, S_IRUGO|S_IWUSR}, 29008c2ecf20Sopenharmony_ci [SMK_LOAD2] = { 29018c2ecf20Sopenharmony_ci "load2", &smk_load2_ops, S_IRUGO|S_IWUSR}, 29028c2ecf20Sopenharmony_ci [SMK_LOAD_SELF2] = { 29038c2ecf20Sopenharmony_ci "load-self2", &smk_load_self2_ops, S_IRUGO|S_IWUGO}, 29048c2ecf20Sopenharmony_ci [SMK_ACCESS2] = { 29058c2ecf20Sopenharmony_ci "access2", &smk_access2_ops, S_IRUGO|S_IWUGO}, 29068c2ecf20Sopenharmony_ci [SMK_CIPSO2] = { 29078c2ecf20Sopenharmony_ci "cipso2", &smk_cipso2_ops, S_IRUGO|S_IWUSR}, 29088c2ecf20Sopenharmony_ci [SMK_REVOKE_SUBJ] = { 29098c2ecf20Sopenharmony_ci "revoke-subject", &smk_revoke_subj_ops, 29108c2ecf20Sopenharmony_ci S_IRUGO|S_IWUSR}, 29118c2ecf20Sopenharmony_ci [SMK_CHANGE_RULE] = { 29128c2ecf20Sopenharmony_ci "change-rule", &smk_change_rule_ops, S_IRUGO|S_IWUSR}, 29138c2ecf20Sopenharmony_ci [SMK_SYSLOG] = { 29148c2ecf20Sopenharmony_ci "syslog", &smk_syslog_ops, S_IRUGO|S_IWUSR}, 29158c2ecf20Sopenharmony_ci [SMK_PTRACE] = { 29168c2ecf20Sopenharmony_ci "ptrace", &smk_ptrace_ops, S_IRUGO|S_IWUSR}, 29178c2ecf20Sopenharmony_ci#ifdef CONFIG_SECURITY_SMACK_BRINGUP 29188c2ecf20Sopenharmony_ci [SMK_UNCONFINED] = { 29198c2ecf20Sopenharmony_ci "unconfined", &smk_unconfined_ops, S_IRUGO|S_IWUSR}, 29208c2ecf20Sopenharmony_ci#endif 29218c2ecf20Sopenharmony_ci#if IS_ENABLED(CONFIG_IPV6) 29228c2ecf20Sopenharmony_ci [SMK_NET6ADDR] = { 29238c2ecf20Sopenharmony_ci "ipv6host", &smk_net6addr_ops, S_IRUGO|S_IWUSR}, 29248c2ecf20Sopenharmony_ci#endif /* CONFIG_IPV6 */ 29258c2ecf20Sopenharmony_ci [SMK_RELABEL_SELF] = { 29268c2ecf20Sopenharmony_ci "relabel-self", &smk_relabel_self_ops, 29278c2ecf20Sopenharmony_ci S_IRUGO|S_IWUGO}, 29288c2ecf20Sopenharmony_ci /* last one */ 29298c2ecf20Sopenharmony_ci {""} 29308c2ecf20Sopenharmony_ci }; 29318c2ecf20Sopenharmony_ci 29328c2ecf20Sopenharmony_ci rc = simple_fill_super(sb, SMACK_MAGIC, smack_files); 29338c2ecf20Sopenharmony_ci if (rc != 0) { 29348c2ecf20Sopenharmony_ci printk(KERN_ERR "%s failed %d while creating inodes\n", 29358c2ecf20Sopenharmony_ci __func__, rc); 29368c2ecf20Sopenharmony_ci return rc; 29378c2ecf20Sopenharmony_ci } 29388c2ecf20Sopenharmony_ci 29398c2ecf20Sopenharmony_ci return 0; 29408c2ecf20Sopenharmony_ci} 29418c2ecf20Sopenharmony_ci 29428c2ecf20Sopenharmony_ci/** 29438c2ecf20Sopenharmony_ci * smk_get_tree - get the smackfs superblock 29448c2ecf20Sopenharmony_ci * @fc: The mount context, including any options 29458c2ecf20Sopenharmony_ci * 29468c2ecf20Sopenharmony_ci * Just passes everything along. 29478c2ecf20Sopenharmony_ci * 29488c2ecf20Sopenharmony_ci * Returns what the lower level code does. 29498c2ecf20Sopenharmony_ci */ 29508c2ecf20Sopenharmony_cistatic int smk_get_tree(struct fs_context *fc) 29518c2ecf20Sopenharmony_ci{ 29528c2ecf20Sopenharmony_ci return get_tree_single(fc, smk_fill_super); 29538c2ecf20Sopenharmony_ci} 29548c2ecf20Sopenharmony_ci 29558c2ecf20Sopenharmony_cistatic const struct fs_context_operations smk_context_ops = { 29568c2ecf20Sopenharmony_ci .get_tree = smk_get_tree, 29578c2ecf20Sopenharmony_ci}; 29588c2ecf20Sopenharmony_ci 29598c2ecf20Sopenharmony_ci/** 29608c2ecf20Sopenharmony_ci * smk_init_fs_context - Initialise a filesystem context for smackfs 29618c2ecf20Sopenharmony_ci * @fc: The blank mount context 29628c2ecf20Sopenharmony_ci */ 29638c2ecf20Sopenharmony_cistatic int smk_init_fs_context(struct fs_context *fc) 29648c2ecf20Sopenharmony_ci{ 29658c2ecf20Sopenharmony_ci fc->ops = &smk_context_ops; 29668c2ecf20Sopenharmony_ci return 0; 29678c2ecf20Sopenharmony_ci} 29688c2ecf20Sopenharmony_ci 29698c2ecf20Sopenharmony_cistatic struct file_system_type smk_fs_type = { 29708c2ecf20Sopenharmony_ci .name = "smackfs", 29718c2ecf20Sopenharmony_ci .init_fs_context = smk_init_fs_context, 29728c2ecf20Sopenharmony_ci .kill_sb = kill_litter_super, 29738c2ecf20Sopenharmony_ci}; 29748c2ecf20Sopenharmony_ci 29758c2ecf20Sopenharmony_cistatic struct vfsmount *smackfs_mount; 29768c2ecf20Sopenharmony_ci 29778c2ecf20Sopenharmony_ci/** 29788c2ecf20Sopenharmony_ci * init_smk_fs - get the smackfs superblock 29798c2ecf20Sopenharmony_ci * 29808c2ecf20Sopenharmony_ci * register the smackfs 29818c2ecf20Sopenharmony_ci * 29828c2ecf20Sopenharmony_ci * Do not register smackfs if Smack wasn't enabled 29838c2ecf20Sopenharmony_ci * on boot. We can not put this method normally under the 29848c2ecf20Sopenharmony_ci * smack_init() code path since the security subsystem get 29858c2ecf20Sopenharmony_ci * initialized before the vfs caches. 29868c2ecf20Sopenharmony_ci * 29878c2ecf20Sopenharmony_ci * Returns true if we were not chosen on boot or if 29888c2ecf20Sopenharmony_ci * we were chosen and filesystem registration succeeded. 29898c2ecf20Sopenharmony_ci */ 29908c2ecf20Sopenharmony_cistatic int __init init_smk_fs(void) 29918c2ecf20Sopenharmony_ci{ 29928c2ecf20Sopenharmony_ci int err; 29938c2ecf20Sopenharmony_ci int rc; 29948c2ecf20Sopenharmony_ci 29958c2ecf20Sopenharmony_ci if (smack_enabled == 0) 29968c2ecf20Sopenharmony_ci return 0; 29978c2ecf20Sopenharmony_ci 29988c2ecf20Sopenharmony_ci err = smk_init_sysfs(); 29998c2ecf20Sopenharmony_ci if (err) 30008c2ecf20Sopenharmony_ci printk(KERN_ERR "smackfs: sysfs mountpoint problem.\n"); 30018c2ecf20Sopenharmony_ci 30028c2ecf20Sopenharmony_ci err = register_filesystem(&smk_fs_type); 30038c2ecf20Sopenharmony_ci if (!err) { 30048c2ecf20Sopenharmony_ci smackfs_mount = kern_mount(&smk_fs_type); 30058c2ecf20Sopenharmony_ci if (IS_ERR(smackfs_mount)) { 30068c2ecf20Sopenharmony_ci printk(KERN_ERR "smackfs: could not mount!\n"); 30078c2ecf20Sopenharmony_ci err = PTR_ERR(smackfs_mount); 30088c2ecf20Sopenharmony_ci smackfs_mount = NULL; 30098c2ecf20Sopenharmony_ci } 30108c2ecf20Sopenharmony_ci } 30118c2ecf20Sopenharmony_ci 30128c2ecf20Sopenharmony_ci smk_cipso_doi(); 30138c2ecf20Sopenharmony_ci smk_unlbl_ambient(NULL); 30148c2ecf20Sopenharmony_ci 30158c2ecf20Sopenharmony_ci rc = smack_populate_secattr(&smack_known_floor); 30168c2ecf20Sopenharmony_ci if (err == 0 && rc < 0) 30178c2ecf20Sopenharmony_ci err = rc; 30188c2ecf20Sopenharmony_ci rc = smack_populate_secattr(&smack_known_hat); 30198c2ecf20Sopenharmony_ci if (err == 0 && rc < 0) 30208c2ecf20Sopenharmony_ci err = rc; 30218c2ecf20Sopenharmony_ci rc = smack_populate_secattr(&smack_known_huh); 30228c2ecf20Sopenharmony_ci if (err == 0 && rc < 0) 30238c2ecf20Sopenharmony_ci err = rc; 30248c2ecf20Sopenharmony_ci rc = smack_populate_secattr(&smack_known_star); 30258c2ecf20Sopenharmony_ci if (err == 0 && rc < 0) 30268c2ecf20Sopenharmony_ci err = rc; 30278c2ecf20Sopenharmony_ci rc = smack_populate_secattr(&smack_known_web); 30288c2ecf20Sopenharmony_ci if (err == 0 && rc < 0) 30298c2ecf20Sopenharmony_ci err = rc; 30308c2ecf20Sopenharmony_ci 30318c2ecf20Sopenharmony_ci return err; 30328c2ecf20Sopenharmony_ci} 30338c2ecf20Sopenharmony_ci 30348c2ecf20Sopenharmony_ci__initcall(init_smk_fs); 3035