
Commit 21abb1ec authored by Casey Schaufler's avatar Casey Schaufler

Smack: IPv6 host labeling



IPv6 appears to be (finally) coming of age with the
influx of autonomous devices. In support of this, add
the ability to associate a Smack label with IPv6 addresses.

This patch also cleans up some of the conditional
compilation associated with the introduction of
secmark processing. It's now more obvious which bit
of code goes with which feature.

Signed-off-by: default avatarCasey Schaufler <casey@schaufler-ca.com>
parent ca70d27e
+26 −1
@@ -28,6 +28,10 @@ Smack kernels use the CIPSO IP option. Some network
configurations are intolerant of IP options and can impede
access to systems that use them as Smack does.

Smack is used in the Tizen operating system. Please
go to http://wiki.tizen.org for information about how
Smack is used in Tizen.

The current git repository for Smack user space is:

	git://github.com/smack-team/smack.git
@@ -108,6 +112,8 @@ in the smackfs filesystem. This pseudo-filesystem is mounted
on /sys/fs/smackfs.

access
	Provided for backward compatibility. The access2 interface
	is preferred and should be used instead.
	This interface reports whether a subject with the specified
	Smack label has a particular access to an object with a
	specified Smack label. Write a fixed format access rule to
@@ -136,6 +142,8 @@ change-rule
	those in the fourth string. If there is no such rule it will be
	created using the access specified in the third and the fourth strings.
cipso
	Provided for backward compatibility. The cipso2 interface
	is preferred and should be used instead.
	This interface allows a specific CIPSO header to be assigned
	to a Smack label. The format accepted on write is:
		"%24s%4d%4d"["%4d"]...
@@ -157,7 +165,19 @@ direct
doi
	This contains the CIPSO domain of interpretation used in
	network packets.
ipv6host
	This interface allows specific IPv6 internet addresses to be
	treated as single label hosts. Packets are sent to single
	label hosts only from processes that have Smack write access
	to the host label. All packets received from single label hosts
	are given the specified label. The format accepted on write is:
		"%h:%h:%h:%h:%h:%h:%h:%h label" or
		"%h:%h:%h:%h:%h:%h:%h:%h/%d label".
	The "::" address shortcut is not supported.
	If label is "-DELETE" a matched entry will be deleted.
load
	Provided for backward compatibility. The load2 interface
	is preferred and should be used instead.
	This interface allows access control rules in addition to
	the system defined rules to be specified. The format accepted
	on write is:
@@ -181,6 +201,8 @@ load2
	permissions that are not allowed. The string "r-x--" would
	specify read and execute access.
load-self
	Provided for backward compatibility. The load-self2 interface
	is preferred and should be used instead.
	This interface allows process specific access rules to be
	defined. These rules are only consulted if access would
	otherwise be permitted, and are intended to provide additional
@@ -205,6 +227,8 @@ netlabel
	received from single label hosts are given the specified
	label. The format accepted on write is:
		"%d.%d.%d.%d label" or "%d.%d.%d.%d/%d label".
	If the label specified is "-CIPSO" the address is treated
	as a host that supports CIPSO headers.
onlycap
	This contains labels processes must have for CAP_MAC_ADMIN
	and CAP_MAC_OVERRIDE to be effective. If this file is empty
@@ -232,7 +256,8 @@ unconfined
	is dangerous and can ruin the proper labeling of your system.
	It should never be used in production.

You can add access rules in /etc/smack/accesses. They take the form:
If you are using the smackload utility
you can add access rules in /etc/smack/accesses. They take the form:

    subjectlabel objectlabel access

+39 −9
@@ -17,11 +17,26 @@
#include <linux/spinlock.h>
#include <linux/lsm_hooks.h>
#include <linux/in.h>
#if IS_ENABLED(CONFIG_IPV6)
#include <linux/in6.h>
#endif /* CONFIG_IPV6 */
#include <net/netlabel.h>
#include <linux/list.h>
#include <linux/rculist.h>
#include <linux/lsm_audit.h>

/*
 * Use IPv6 port labeling if IPv6 is enabled and secmarks
 * are not being used.
 */
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_PORT_LABELING 1
#endif

#if IS_ENABLED(CONFIG_IPV6) && defined(CONFIG_SECURITY_SMACK_NETFILTER)
#define SMACK_IPV6_SECMARK_LABELING 1
#endif

/*
 * Smack labels were limited to 23 characters for a long time.
 */
@@ -118,15 +133,30 @@ struct smack_rule {
};

/*
 * An entry in the table identifying hosts.
 * An entry in the table identifying IPv4 hosts.
 */
struct smk_netlbladdr {
struct smk_net4addr {
	struct list_head	list;
	struct sockaddr_in	smk_host;	/* network address */
	struct in_addr		smk_host;	/* network address */
	struct in_addr		smk_mask;	/* network mask */
	int			smk_masks;	/* mask size */
	struct smack_known	*smk_label;	/* label */
};

#if IS_ENABLED(CONFIG_IPV6)
/*
 * An entry in the table identifying IPv6 hosts.
 */
struct smk_net6addr {
	struct list_head	list;
	struct in6_addr		smk_host;	/* network address */
	struct in6_addr		smk_mask;	/* network mask */
	int			smk_masks;	/* mask size */
	struct smack_known	*smk_label;	/* label */
};
#endif /* CONFIG_IPV6 */

#ifdef SMACK_IPV6_PORT_LABELING
/*
 * An entry in the table identifying ports.
 */
@@ -137,6 +167,7 @@ struct smk_port_label {
	struct smack_known	*smk_in;	/* inbound label */
	struct smack_known	*smk_out;	/* outgoing label */
};
#endif /* SMACK_IPV6_PORT_LABELING */

struct smack_onlycap {
	struct list_head	list;
@@ -170,6 +201,7 @@ enum {
#define SMK_FSROOT	"smackfsroot="
#define SMK_FSTRANS	"smackfstransmute="

#define SMACK_DELETE_OPTION	"-DELETE"
#define SMACK_CIPSO_OPTION 	"-CIPSO"

/*
@@ -252,10 +284,6 @@ struct smk_audit_info {
	struct smack_audit_data sad;
#endif
};
/*
 * These functions are in smack_lsm.c
 */
struct inode_smack *new_inode_smack(struct smack_known *);

/*
 * These functions are in smack_access.c
@@ -285,7 +313,6 @@ extern struct smack_known *smack_syslog_label;
#ifdef CONFIG_SECURITY_SMACK_BRINGUP
extern struct smack_known *smack_unconfined;
#endif
extern struct smack_known smack_cipso_option;
extern int smack_ptrace_rule;

extern struct smack_known smack_known_floor;
@@ -297,7 +324,10 @@ extern struct smack_known smack_known_web;

extern struct mutex	smack_known_lock;
extern struct list_head smack_known_list;
extern struct list_head smk_netlbladdr_list;
extern struct list_head smk_net4addr_list;
#if IS_ENABLED(CONFIG_IPV6)
extern struct list_head smk_net6addr_list;
#endif /* CONFIG_IPV6 */

extern struct mutex     smack_onlycap_lock;
extern struct list_head smack_onlycap_list;
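Review bot: The field comment on `smk_label` in struct smk_net6addr says only `/* label */`, but smack_ipv6host_label in this same commit treats a NULL `smk_label` as a renounced entry, so the header should record that state where the struct is defined. I would write `struct smack_known *smk_label; /* label, NULL if the entry has been renounced */`, and add to the block comments above both address structs that the lists are kept sorted from longest to shortest mask, since the lookup functions rely on that order to return the most specific match. Whether smk_net4addr entries can also carry a NULL label is not visible here.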
+187 −75
@@ -51,9 +51,9 @@
#define SMK_RECEIVING	1
#define SMK_SENDING	2

#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#ifdef SMACK_IPV6_PORT_LABELING
LIST_HEAD(smk_ipv6_port_list);
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif
static struct kmem_cache *smack_inode_cache;
int smack_enabled;

@@ -2272,7 +2272,7 @@ static void smack_sk_free_security(struct sock *sk)
}

/**
* smack_host_label - check host based restrictions
* smack_ipv4host_label - check host based restrictions
* @sip: the object end
*
* looks for host based access restrictions
@@ -2283,30 +2283,96 @@ static void smack_sk_free_security(struct sock *sk)
*
* Returns the label of the far end or NULL if it's not special.
*/
static struct smack_known *smack_host_label(struct sockaddr_in *sip)
static struct smack_known *smack_ipv4host_label(struct sockaddr_in *sip)
{
	struct smk_netlbladdr *snp;
	struct smk_net4addr *snp;
	struct in_addr *siap = &sip->sin_addr;

	if (siap->s_addr == 0)
		return NULL;

	list_for_each_entry_rcu(snp, &smk_netlbladdr_list, list)
	list_for_each_entry_rcu(snp, &smk_net4addr_list, list)
		/*
		 * we break after finding the first match because
		 * the list is sorted from longest to shortest mask
		 * so we have found the most specific match
		 */
		if ((&snp->smk_host.sin_addr)->s_addr ==
		    (siap->s_addr & (&snp->smk_mask)->s_addr)) {
			/* we have found the special CIPSO option */
			if (snp->smk_label == &smack_cipso_option)
		if (snp->smk_host.s_addr ==
		    (siap->s_addr & snp->smk_mask.s_addr))
			return snp->smk_label;

	return NULL;
}

#if IS_ENABLED(CONFIG_IPV6)
/*
 * smk_ipv6_localhost - Check for local ipv6 host address
 * @sip: the address
 *
 * Returns boolean true if this is the localhost address
 */
static bool smk_ipv6_localhost(struct sockaddr_in6 *sip)
{
	__be16 *be16p = (__be16 *)&sip->sin6_addr;
	__be32 *be32p = (__be32 *)&sip->sin6_addr;

	if (be32p[0] == 0 && be32p[1] == 0 && be32p[2] == 0 && be16p[6] == 0 &&
	    ntohs(be16p[7]) == 1)
		return true;
	return false;
}

/**
* smack_ipv6host_label - check host based restrictions
* @sip: the object end
*
* looks for host based access restrictions
*
* This version will only be appropriate for really small sets of single label
* hosts.  The caller is responsible for ensuring that the RCU read lock is
* taken before calling this function.
*
* Returns the label of the far end or NULL if it's not special.
*/
static struct smack_known *smack_ipv6host_label(struct sockaddr_in6 *sip)
{
	struct smk_net6addr *snp;
	struct in6_addr *sap = &sip->sin6_addr;
	int i;
	int found = 0;

	/*
	 * It's local. Don't look for a host label.
	 */
	if (smk_ipv6_localhost(sip))
		return NULL;

	list_for_each_entry_rcu(snp, &smk_net6addr_list, list) {
		/*
		* we break after finding the first match because
		* the list is sorted from longest to shortest mask
		* so we have found the most specific match
		*/
		for (found = 1, i = 0; i < 8; i++) {
			/*
			 * If the label is NULL the entry has
			 * been renounced. Ignore it.
			 */
			if (snp->smk_label == NULL)
				continue;
			if ((sap->s6_addr16[i] & snp->smk_mask.s6_addr16[i]) !=
			    snp->smk_host.s6_addr16[i]) {
				found = 0;
				break;
			}
		}
		if (found)
			return snp->smk_label;
	}

	return NULL;
}
#endif /* CONFIG_IPV6 */

/**
 * smack_netlabel - Set the secattr on a socket
@@ -2370,7 +2436,7 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
	struct smk_audit_info ad;

	rcu_read_lock();
	hkp = smack_host_label(sap);
	hkp = smack_ipv4host_label(sap);
	if (hkp != NULL) {
#ifdef CONFIG_AUDIT
		struct lsm_network_audit net;
@@ -2395,7 +2461,42 @@ static int smack_netlabel_send(struct sock *sk, struct sockaddr_in *sap)
	return smack_netlabel(sk, sk_lbl);
}

#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#if IS_ENABLED(CONFIG_IPV6)
/**
 * smk_ipv6_check - check Smack access
 * @subject: subject Smack label
 * @object: object Smack label
 * @address: address
 * @act: the action being taken
 *
 * Check an IPv6 access
 */
static int smk_ipv6_check(struct smack_known *subject,
				struct smack_known *object,
				struct sockaddr_in6 *address, int act)
{
#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;
#endif
	struct smk_audit_info ad;
	int rc;

#ifdef CONFIG_AUDIT
	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
	ad.a.u.net->family = PF_INET6;
	ad.a.u.net->dport = ntohs(address->sin6_port);
	if (act == SMK_RECEIVING)
		ad.a.u.net->v6info.saddr = address->sin6_addr;
	else
		ad.a.u.net->v6info.daddr = address->sin6_addr;
#endif
	rc = smk_access(subject, object, MAY_WRITE, &ad);
	rc = smk_bu_note("IPv6 check", subject, object, MAY_WRITE, rc);
	return rc;
}
#endif /* CONFIG_IPV6 */

#ifdef SMACK_IPV6_PORT_LABELING
/**
 * smk_ipv6_port_label - Smack port access table management
 * @sock: socket
@@ -2479,48 +2580,43 @@ static void smk_ipv6_port_label(struct socket *sock, struct sockaddr *address)
static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
				int act)
{
	__be16 *bep;
	__be32 *be32p;
	struct smk_port_label *spp;
	struct socket_smack *ssp = sk->sk_security;
	struct smack_known *skp;
	unsigned short port = 0;
	struct smack_known *skp = NULL;
	unsigned short port;
	struct smack_known *object;
	struct smk_audit_info ad;
	int rc;
#ifdef CONFIG_AUDIT
	struct lsm_network_audit net;
#endif

	if (act == SMK_RECEIVING) {
		skp = smack_net_ambient;
		skp = smack_ipv6host_label(address);
		object = ssp->smk_in;
	} else {
		skp = ssp->smk_out;
		object = smack_net_ambient;
		object = smack_ipv6host_label(address);
	}

	/*
	 * Get the IP address and port from the address.
	 * The other end is a single label host.
	 */
	port = ntohs(address->sin6_port);
	bep = (__be16 *)(&address->sin6_addr);
	be32p = (__be32 *)(&address->sin6_addr);
	if (skp != NULL && object != NULL)
		return smk_ipv6_check(skp, object, address, act);
	if (skp == NULL)
		skp = smack_net_ambient;
	if (object == NULL)
		object = smack_net_ambient;

	/*
	 * It's remote, so port lookup does no good.
	 */
	if (be32p[0] || be32p[1] || be32p[2] || bep[6] || ntohs(bep[7]) != 1)
		goto auditout;
	if (!smk_ipv6_localhost(address))
		return smk_ipv6_check(skp, object, address, act);

	/*
	 * It's local so the send check has to have passed.
	 */
	if (act == SMK_RECEIVING) {
		skp = &smack_known_web;
		goto auditout;
	}
	if (act == SMK_RECEIVING)
		return 0;

	port = ntohs(address->sin6_port);
	list_for_each_entry(spp, &smk_ipv6_port_list, list) {
		if (spp->smk_port != port)
			continue;
@@ -2530,22 +2626,9 @@ static int smk_ipv6_port_check(struct sock *sk, struct sockaddr_in6 *address,
		break;
	}

auditout:

#ifdef CONFIG_AUDIT
	smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
	ad.a.u.net->family = sk->sk_family;
	ad.a.u.net->dport = port;
	if (act == SMK_RECEIVING)
		ad.a.u.net->v6info.saddr = address->sin6_addr;
	else
		ad.a.u.net->v6info.daddr = address->sin6_addr;
#endif
	rc = smk_access(skp, object, MAY_WRITE, &ad);
	rc = smk_bu_note("IPv6 port check", skp, object, MAY_WRITE, rc);
	return rc;
	return smk_ipv6_check(skp, object, address, act);
}
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif /* SMACK_IPV6_PORT_LABELING */

/**
 * smack_inode_setsecurity - set smack xattrs
@@ -2606,10 +2689,10 @@ static int smack_inode_setsecurity(struct inode *inode, const char *name,
	} else
		return -EOPNOTSUPP;

#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#ifdef SMACK_IPV6_PORT_LABELING
	if (sock->sk->sk_family == PF_INET6)
		smk_ipv6_port_label(sock, NULL);
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif

	return 0;
}
@@ -2651,7 +2734,7 @@ static int smack_socket_post_create(struct socket *sock, int family,
	return smack_netlabel(sock->sk, SMACK_CIPSO_SOCKET);
}

#ifndef CONFIG_SECURITY_SMACK_NETFILTER
#ifdef SMACK_IPV6_PORT_LABELING
/**
 * smack_socket_bind - record port binding information.
 * @sock: the socket
@@ -2665,14 +2748,11 @@ static int smack_socket_post_create(struct socket *sock, int family,
static int smack_socket_bind(struct socket *sock, struct sockaddr *address,
				int addrlen)
{
#if IS_ENABLED(CONFIG_IPV6)
	if (sock->sk != NULL && sock->sk->sk_family == PF_INET6)
		smk_ipv6_port_label(sock, address);
#endif

	return 0;
}
#endif /* !CONFIG_SECURITY_SMACK_NETFILTER */
#endif /* SMACK_IPV6_PORT_LABELING */

/**
 * smack_socket_connect - connect access check
@@ -2688,6 +2768,13 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
				int addrlen)
{
	int rc = 0;
#if IS_ENABLED(CONFIG_IPV6)
	struct sockaddr_in6 *sip = (struct sockaddr_in6 *)sap;
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
	struct smack_known *rsp;
	struct socket_smack *ssp = sock->sk->sk_security;
#endif

	if (sock->sk == NULL)
		return 0;
@@ -2701,10 +2788,15 @@ static int smack_socket_connect(struct socket *sock, struct sockaddr *sap,
	case PF_INET6:
		if (addrlen < sizeof(struct sockaddr_in6))
			return -EINVAL;
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
		rc = smk_ipv6_port_check(sock->sk, (struct sockaddr_in6 *)sap,
#ifdef SMACK_IPV6_SECMARK_LABELING
		rsp = smack_ipv6host_label(sip);
		if (rsp != NULL)
			rc = smk_ipv6_check(ssp->smk_out, rsp, sip,
						SMK_CONNECTING);
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif
#ifdef SMACK_IPV6_PORT_LABELING
		rc = smk_ipv6_port_check(sock->sk, sip, SMK_CONNECTING);
#endif
		break;
	}
	return rc;
@@ -3590,9 +3682,13 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
				int size)
{
	struct sockaddr_in *sip = (struct sockaddr_in *) msg->msg_name;
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#if IS_ENABLED(CONFIG_IPV6)
	struct sockaddr_in6 *sap = (struct sockaddr_in6 *) msg->msg_name;
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
	struct socket_smack *ssp = sock->sk->sk_security;
	struct smack_known *rsp;
#endif
	int rc = 0;

	/*
@@ -3606,9 +3702,15 @@ static int smack_socket_sendmsg(struct socket *sock, struct msghdr *msg,
		rc = smack_netlabel_send(sock->sk, sip);
		break;
	case AF_INET6:
#if IS_ENABLED(CONFIG_IPV6) && !defined(CONFIG_SECURITY_SMACK_NETFILTER)
#ifdef SMACK_IPV6_SECMARK_LABELING
		rsp = smack_ipv6host_label(sap);
		if (rsp != NULL)
			rc = smk_ipv6_check(ssp->smk_out, rsp, sap,
						SMK_CONNECTING);
#endif
#ifdef SMACK_IPV6_PORT_LABELING
		rc = smk_ipv6_port_check(sock->sk, sap, SMK_SENDING);
#endif /* CONFIG_IPV6 && !CONFIG_SECURITY_SMACK_NETFILTER */
#endif
		break;
	}
	return rc;
@@ -3822,10 +3924,12 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
		proto = smk_skb_to_addr_ipv6(skb, &sadd);
		if (proto != IPPROTO_UDP && proto != IPPROTO_TCP)
			break;
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
#ifdef SMACK_IPV6_SECMARK_LABELING
		if (skb && skb->secmark != 0)
			skp = smack_from_secid(skb->secmark);
		else
			skp = smack_ipv6host_label(&sadd);
		if (skp == NULL)
			skp = smack_net_ambient;
#ifdef CONFIG_AUDIT
		smk_ad_init_net(&ad, __func__, LSM_AUDIT_DATA_NET, &net);
@@ -3836,9 +3940,10 @@ static int smack_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
		rc = smk_access(skp, ssp->smk_in, MAY_WRITE, &ad);
		rc = smk_bu_note("IPv6 delivery", skp, ssp->smk_in,
					MAY_WRITE, rc);
#else /* CONFIG_SECURITY_SMACK_NETFILTER */
#endif /* SMACK_IPV6_SECMARK_LABELING */
#ifdef SMACK_IPV6_PORT_LABELING
		rc = smk_ipv6_port_check(sk, &sadd, SMK_RECEIVING);
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
#endif /* SMACK_IPV6_PORT_LABELING */
		break;
#endif /* CONFIG_IPV6 */
	}
@@ -3936,13 +4041,11 @@ static int smack_socket_getpeersec_dgram(struct socket *sock,
		}
		netlbl_secattr_destroy(&secattr);
		break;
#if IS_ENABLED(CONFIG_IPV6)
	case PF_INET6:
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
#ifdef SMACK_IPV6_SECMARK_LABELING
		s = skb->secmark;
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
#endif
		break;
#endif /* CONFIG_IPV6 */
	}
	*secid = s;
	if (s == 0)
@@ -4065,7 +4168,7 @@ static int smack_inet_conn_request(struct sock *sk, struct sk_buff *skb,
	hdr = ip_hdr(skb);
	addr.sin_addr.s_addr = hdr->saddr;
	rcu_read_lock();
	hskp = smack_host_label(&addr);
	hskp = smack_ipv4host_label(&addr);
	rcu_read_unlock();

	if (hskp == NULL)
@@ -4517,9 +4620,9 @@ struct security_hook_list smack_hooks[] = {
	LSM_HOOK_INIT(unix_may_send, smack_unix_may_send),

	LSM_HOOK_INIT(socket_post_create, smack_socket_post_create),
#ifndef CONFIG_SECURITY_SMACK_NETFILTER
#ifdef SMACK_IPV6_PORT_LABELING
	LSM_HOOK_INIT(socket_bind, smack_socket_bind),
#endif /* CONFIG_SECURITY_SMACK_NETFILTER */
#endif
	LSM_HOOK_INIT(socket_connect, smack_socket_connect),
	LSM_HOOK_INIT(socket_sendmsg, smack_socket_sendmsg),
	LSM_HOOK_INIT(socket_sock_rcv_skb, smack_socket_sock_rcv_skb),
@@ -4614,7 +4717,16 @@ static __init int smack_init(void)
		return -ENOMEM;
	}

	printk(KERN_INFO "Smack:  Initializing.\n");
	pr_info("Smack:  Initializing.\n");
#ifdef CONFIG_SECURITY_SMACK_NETFILTER
	pr_info("Smack:  Netfilter enabled.\n");
#endif
#ifdef SMACK_IPV6_PORT_LABELING
	pr_info("Smack:  IPv6 port labeling enabled.\n");
#endif
#ifdef SMACK_IPV6_SECMARK_LABELING
	pr_info("Smack:  IPv6 Netfilter enabled.\n");
#endif

	/*
	 * Set the security state for the initial task.
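Review bot: In smack_ipv6host_label the test `if (snp->smk_label == NULL) continue;` sits inside the `for (found = 1, i = 0; i < 8; i++)` loop, so `continue` only advances `i`; `found` stays 1 and the function returns the NULL label of the first renounced entry instead of skipping it. Because the list is walked from longest to shortest mask, entries after a renounced one are never consulted; the receive path then falls back to `smack_net_ambient`, and the SECMARK connect and sendmsg paths skip `smk_ipv6_check` altogether, so a host that should carry a specific label is not checked against it. Moving the test to the top of the `list_for_each_entry_rcu` body, before the inner `for`, gives the behaviour the comment describes. Separately, smack_socket_connect initialises `ssp = sock->sk->sk_security` in its declarations, ahead of the `if (sock->sk == NULL) return 0;` guard, so on SMACK_IPV6_SECMARK_LABELING builds the guard no longer protects that dereference; declare `struct socket_smack *ssp;` there and assign it after the guard.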
+352 −76

File changed.

Preview size limit exceeded, changes collapsed.