Subject: [PATCH] Smack: mmap controls for library containment

#define XATTR_SMACK_IPOUT "SMACK64IPOUT"

#define XATTR_SMACK_EXEC "SMACK64EXEC"

#define XATTR_SMACK_TRANSMUTE "SMACK64TRANSMUTE"

#define XATTR_SMACK_MMAP "SMACK64MMAP"

#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX

#define XATTR_NAME_SMACKIPIN	XATTR_SECURITY_PREFIX XATTR_SMACK_IPIN

#define XATTR_NAME_SMACKIPOUT	XATTR_SECURITY_PREFIX XATTR_SMACK_IPOUT

#define XATTR_NAME_SMACKEXEC	XATTR_SECURITY_PREFIX XATTR_SMACK_EXEC

#define XATTR_NAME_SMACKTRANSMUTE XATTR_SECURITY_PREFIX XATTR_SMACK_TRANSMUTE

#define XATTR_NAME_SMACKMMAP XATTR_SECURITY_PREFIX XATTR_SMACK_MMAP

#define XATTR_CAPS_SUFFIX "capability"

#define XATTR_NAME_CAPS XATTR_SECURITY_PREFIX XATTR_CAPS_SUFFIX

struct inode_smack {

	char		*smk_inode;	/* label of the fso */

	char		*smk_task;	/* label of the task */

	char		*smk_mmap;	/* label of the mmap domain */

	struct mutex	smk_lock;	/* initialization lock */

	int		smk_flags;	/* smack inode flags */

};

struct task_smack {

	char		*smk_task;	/* label used for access control */

	char			*smk_task;	/* label for access control */

	char			*smk_forked;	/* label when forked */

	struct list_head	smk_rules;	/* per task access rules */

	struct mutex		smk_rules_lock;	/* lock for the rules */

};

#define	SMK_INODE_INSTANT	0x01	/* inode is instantiated */

/*

 * These functions are in smack_access.c

 */

int smk_access_entry(char *, char *);

int smk_access_entry(char *, char *, struct list_head *);

int smk_access(char *, char *, int, struct smk_audit_info *);

int smk_curacc(char *, u32, struct smk_audit_info *);

int smack_to_cipso(const char *, struct smack_cipso *);

 * smk_access_entry - look up matching access rule

 * @subject_label: a pointer to the subject's Smack label

 * @object_label: a pointer to the object's Smack label

 * @rule_list: the list of rules to search

 *

 * This function looks up the subject/object pair in the

 * access rule list and returns pointer to the matching rule if found,

 * NULL otherwise.

 * access rule list and returns the access mode. If no

 * entry is found returns -ENOENT.

 *

 * NOTE:

 * Even though Smack labels are usually shared on smack_list

 * will be on the list, so checking the pointers may be a worthwhile

 * optimization.

 */

int smk_access_entry(char *subject_label, char *object_label)

int smk_access_entry(char *subject_label, char *object_label,

			struct list_head *rule_list)

{

	u32 may = MAY_NOT;

	int may = -ENOENT;

	struct smack_rule *srp;

	rcu_read_lock();

	list_for_each_entry_rcu(srp, &smack_rule_list, list) {

	list_for_each_entry_rcu(srp, rule_list, list) {

		if (srp->smk_subject == subject_label ||

		    strcmp(srp->smk_subject, subject_label) == 0) {

			if (srp->smk_object == object_label ||

			}

		}

	}

	rcu_read_unlock();

	return may;

}

int smk_access(char *subject_label, char *object_label, int request,

	       struct smk_audit_info *a)

{

	u32 may = MAY_NOT;

	int may = MAY_NOT;

	int rc = 0;

	/*

	 * Beyond here an explicit relationship is required.

	 * If the requested access is contained in the available

	 * access (e.g. read is included in readwrite) it's

	 * good.

	 */

	may = smk_access_entry(subject_label, object_label);

	/*

	 * This is a bit map operation.

	 * good. A negative response from smk_access_entry()

	 * indicates there is no entry for this pair.

	 */

	if ((request & may) == request)

	rcu_read_lock();

	may = smk_access_entry(subject_label, object_label, &smack_rule_list);

	rcu_read_unlock();

	if (may > 0 && (request & may) == request)

		goto out_audit;

	rc = -EACCES;

 */

int smk_curacc(char *obj_label, u32 mode, struct smk_audit_info *a)

{

	struct task_smack *tsp = current_security();

	char *sp = smk_of_task(tsp);

	int may;

	int rc;

	char *sp = smk_of_current();

	/*

	 * Check the global rule list

	 */

	rc = smk_access(sp, obj_label, mode, NULL);

	if (rc == 0)

	if (rc == 0) {

		/*

		 * If there is an entry in the task's rule list

		 * it can further restrict access.

		 */

		may = smk_access_entry(sp, obj_label, &tsp->smk_rules);

		if (may < 0)

			goto out_audit;

		if ((mode & may) == mode)

			goto out_audit;

		rc = -EACCES;

	}

	/*

	 * Return if a specific label has been designated as the

		goto out_audit;

	if (capable(CAP_MAC_OVERRIDE))

		return 0;

		rc = 0;

out_audit:

#ifdef CONFIG_AUDIT

	return isp;

}

/**

 * new_task_smack - allocate a task security blob

 * @smack: a pointer to the Smack label to use in the blob

 *

 * Returns the new blob or NULL if there's no memory available

 */

static struct task_smack *new_task_smack(char *task, char *forked, gfp_t gfp)

{

	struct task_smack *tsp;

	tsp = kzalloc(sizeof(struct task_smack), gfp);

	if (tsp == NULL)

		return NULL;

	tsp->smk_task = task;

	tsp->smk_forked = forked;

	INIT_LIST_HEAD(&tsp->smk_rules);

	mutex_init(&tsp->smk_rules_lock);

	return tsp;

}

/**

 * smk_copy_rules - copy a rule set

 * @nhead - new rules header pointer

 * @ohead - old rules header pointer

 *

 * Returns 0 on success, -ENOMEM on error

 */

static int smk_copy_rules(struct list_head *nhead, struct list_head *ohead,

				gfp_t gfp)

{

	struct smack_rule *nrp;

	struct smack_rule *orp;

	int rc = 0;

	INIT_LIST_HEAD(nhead);

	list_for_each_entry_rcu(orp, ohead, list) {

		nrp = kzalloc(sizeof(struct smack_rule), gfp);

		if (nrp == NULL) {

			rc = -ENOMEM;

			break;

		}

		*nrp = *orp;

		list_add_rcu(&nrp->list, nhead);

	}

	return rc;

}

/*

 * LSM hooks.

 * We he, that is fun!

{

	int rc;

	struct smk_audit_info ad;

	char *sp, *tsp;

	char *tsp;

	rc = cap_ptrace_access_check(ctp, mode);

	if (rc != 0)

		return rc;

	sp = smk_of_current();

	tsp = smk_of_task(task_security(ctp));

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, ctp);

	/* we won't log here, because rc can be overriden */

	rc = smk_access(sp, tsp, MAY_READWRITE, NULL);

	if (rc != 0 && capable(CAP_MAC_OVERRIDE))

		rc = 0;

	smack_log(sp, tsp, MAY_READWRITE, rc, &ad);

	rc = smk_curacc(tsp, MAY_READWRITE, &ad);

	return rc;

}

{

	int rc;

	struct smk_audit_info ad;

	char *sp, *tsp;

	char *tsp;

	rc = cap_ptrace_traceme(ptp);

	if (rc != 0)

		return rc;

	tsp = smk_of_task(task_security(ptp));

	smk_ad_init(&ad, __func__, LSM_AUDIT_DATA_TASK);

	smk_ad_setfield_u_tsk(&ad, ptp);

	sp = smk_of_current();

	tsp = smk_of_task(task_security(ptp));

	/* we won't log here, because rc can be overriden */

	rc = smk_access(tsp, sp, MAY_READWRITE, NULL);

	if (rc != 0 && has_capability(ptp, CAP_MAC_OVERRIDE))

		rc = 0;

	smack_log(tsp, sp, MAY_READWRITE, rc, &ad);

	rc = smk_curacc(tsp, MAY_READWRITE, &ad);

	return rc;

}

{

	char *isp = smk_of_inode(inode);

	char *dsp = smk_of_inode(dir);

	u32 may;

	int may;

	if (name) {

		*name = kstrdup(XATTR_SMACK_SUFFIX, GFP_KERNEL);

	}

	if (value) {

		may = smk_access_entry(smk_of_current(), dsp);

		rcu_read_lock();

		may = smk_access_entry(smk_of_current(), dsp, &smack_rule_list);

		rcu_read_unlock();

		/*

		 * If the access rule allows transmutation and

		 * the directory requests transmutation then

		 * by all means transmute.

		 */

		if (((may & MAY_TRANSMUTE) != 0) && smk_inode_transmutable(dir))

		if (may > 0 && ((may & MAY_TRANSMUTE) != 0) &&

		    smk_inode_transmutable(dir))

			isp = dsp;

		*value = kstrdup(isp, GFP_KERNEL);

	if (strcmp(name, XATTR_NAME_SMACK) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0) {

	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {

		if (!capable(CAP_MAC_ADMIN))

			rc = -EPERM;

		/*

			isp->smk_task = nsp;

		else

			isp->smk_task = smack_known_invalid.smk_known;

	} else if (strcmp(name, XATTR_NAME_SMACKMMAP) == 0) {

		nsp = smk_import(value, size);

		if (nsp != NULL)

			isp->smk_mmap = nsp;

		else

			isp->smk_mmap = smack_known_invalid.smk_known;

	} else if (strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0)

		isp->smk_flags |= SMK_INODE_TRANSMUTE;

	    strcmp(name, XATTR_NAME_SMACKIPIN) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKIPOUT) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKEXEC) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0) {

	    strcmp(name, XATTR_NAME_SMACKTRANSMUTE) == 0 ||

	    strcmp(name, XATTR_NAME_SMACKMMAP)) {

		if (!capable(CAP_MAC_ADMIN))

			rc = -EPERM;

	} else

	if (rc == 0) {

		isp = dentry->d_inode->i_security;

		isp->smk_task = NULL;

		isp->smk_mmap = NULL;

	}

	return rc;

	return rc;

}

/**

 * smk_mmap_list_check - the mmap check

 * @sub: subject label

 * @obj: object label

 * @access: access mode

 * @local: the task specific rule list

 *

 * Returns 0 if acces is permitted, -EACCES otherwise

 */

static int smk_mmap_list_check(char *sub, char *obj, int access,

				struct list_head *local)

{

	int may;

	/*

	 * If there is not a global rule that

	 * allows access say no.

	 */

	may = smk_access_entry(sub, obj, &smack_rule_list);

	if (may == -ENOENT || (may & access) != access)

		return -EACCES;

	/*

	 * If there is a task local rule that

	 * denies access say no.

	 */

	may = smk_access_entry(sub, obj, local);

	if (may != -ENOENT && (may & access) != access)

		return -EACCES;

	return 0;

}

/**

 * smack_file_mmap :

 * Check permissions for a mmap operation.  The @file may be NULL, e.g.

 * if mapping anonymous memory.

 * @file contains the file structure for file to map (may be NULL).

 * @reqprot contains the protection requested by the application.

 * @prot contains the protection that will be applied by the kernel.

 * @flags contains the operational flags.

 * Return 0 if permission is granted.

 */

static int smack_file_mmap(struct file *file,

			   unsigned long reqprot, unsigned long prot,

			   unsigned long flags, unsigned long addr,

			   unsigned long addr_only)

{

	struct smack_rule *srp;

	struct task_smack *tsp;

	char *sp;

	char *msmack;

	struct inode_smack *isp;

	struct dentry *dp;

	int rc;

	/* do DAC check on address space usage */

	rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);

	if (rc || addr_only)

		return rc;

	if (file == NULL || file->f_dentry == NULL)

		return 0;

	dp = file->f_dentry;

	if (dp->d_inode == NULL)

		return 0;

	isp = dp->d_inode->i_security;

	if (isp->smk_mmap == NULL)

		return 0;

	msmack = isp->smk_mmap;

	tsp = current_security();

	sp = smk_of_current();

	rc = 0;

	rcu_read_lock();

	/*

	 * For each Smack rule associated with the subject

	 * label verify that the SMACK64MMAP also has access

	 * to that rule's object label.

	 *

	 * Because neither of the labels comes

	 * from the networking code it is sufficient

	 * to compare pointers.

	 */

	list_for_each_entry_rcu(srp, &smack_rule_list, list) {

		if (srp->smk_subject != sp)

			continue;

		/*

		 * Matching labels always allows access.

		 */

		if (msmack == srp->smk_object)

			continue;

		rc = smk_mmap_list_check(msmack, srp->smk_object,

					 srp->smk_access, &tsp->smk_rules);

		if (rc != 0)

			break;

	}

	rcu_read_unlock();

	return rc;

}

/**

 * smack_file_set_fowner - set the file security blob value

 * @file: object in question

	 * struct fown_struct is never outside the context of a struct file

	 */

	file = container_of(fown, struct file, f_owner);

	/* we don't log here as rc can be overriden */

	rc = smk_access(file->f_security, tsp, MAY_WRITE, NULL);

	if (rc != 0 && has_capability(tsk, CAP_MAC_OVERRIDE))

 */

static int smack_cred_alloc_blank(struct cred *cred, gfp_t gfp)

{

	cred->security = kzalloc(sizeof(struct task_smack), gfp);

	if (cred->security == NULL)

	struct task_smack *tsp;

	tsp = new_task_smack(NULL, NULL, gfp);

	if (tsp == NULL)

		return -ENOMEM;

	cred->security = tsp;

	return 0;

}

 * smack_cred_free - "free" task-level security credentials

 * @cred: the credentials in question

 *

 * Smack isn't using copies of blobs. Everyone

 * points to an immutable list. The blobs never go away.

 * There is no leak here.

 */

static void smack_cred_free(struct cred *cred)

{

	kfree(cred->security);

	struct task_smack *tsp = cred->security;

	struct smack_rule *rp;

	struct list_head *l;

	struct list_head *n;

	if (tsp == NULL)

		return;

	cred->security = NULL;

	list_for_each_safe(l, n, &tsp->smk_rules) {

		rp = list_entry(l, struct smack_rule, list);

		list_del(&rp->list);

		kfree(rp);

	}

	kfree(tsp);

}

/**

{

	struct task_smack *old_tsp = old->security;

	struct task_smack *new_tsp;

	int rc;

	new_tsp = kzalloc(sizeof(struct task_smack), gfp);

	new_tsp = new_task_smack(old_tsp->smk_task, old_tsp->smk_task, gfp);

	if (new_tsp == NULL)

		return -ENOMEM;

	new_tsp->smk_task = old_tsp->smk_task;

	new_tsp->smk_forked = old_tsp->smk_task;

	rc = smk_copy_rules(&new_tsp->smk_rules, &old_tsp->smk_rules, gfp);

	if (rc != 0)

		return rc;

	new->security = new_tsp;

	return 0;

}

	new_tsp->smk_task = old_tsp->smk_task;

	new_tsp->smk_forked = old_tsp->smk_task;

	mutex_init(&new_tsp->smk_rules_lock);

	INIT_LIST_HEAD(&new_tsp->smk_rules);

	/* cbs copy rule list */

}

/**

			}

		}

		isp->smk_task = smk_fetch(XATTR_NAME_SMACKEXEC, inode, dp);

		isp->smk_mmap = smk_fetch(XATTR_NAME_SMACKMMAP, inode, dp);

		dput(dp);

		break;

static int smack_setprocattr(struct task_struct *p, char *name,

			     void *value, size_t size)

{

	int rc;

	struct task_smack *tsp;

	struct task_smack *oldtsp;

	struct cred *new;

	new = prepare_creds();

	if (new == NULL)

		return -ENOMEM;

	tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL);

	tsp = new_task_smack(newsmack, oldtsp->smk_forked, GFP_KERNEL);

	if (tsp == NULL) {

		kfree(new);

		return -ENOMEM;

	}

	tsp->smk_task = newsmack;

	tsp->smk_forked = oldtsp->smk_forked;

	rc = smk_copy_rules(&tsp->smk_rules, &oldtsp->smk_rules, GFP_KERNEL);

	if (rc != 0)

		return rc;

	new->security = tsp;

	commit_creds(new);

	return size;

	.file_ioctl = 			smack_file_ioctl,

	.file_lock = 			smack_file_lock,

	.file_fcntl = 			smack_file_fcntl,

	.file_mmap =			smack_file_mmap,

	.file_set_fowner = 		smack_file_set_fowner,

	.file_send_sigiotask = 		smack_file_send_sigiotask,

	.file_receive = 		smack_file_receive,

	struct cred *cred;

	struct task_smack *tsp;

	tsp = kzalloc(sizeof(struct task_smack), GFP_KERNEL);

	if (!security_module_enable(&smack_ops))

		return 0;

	tsp = new_task_smack(smack_known_floor.smk_known,

				smack_known_floor.smk_known, GFP_KERNEL);

	if (tsp == NULL)

		return -ENOMEM;

	if (!security_module_enable(&smack_ops)) {

		kfree(tsp);

		return 0;

	}

	printk(KERN_INFO "Smack:  Initializing.\n");

	/*

	 * Set the security state for the initial task.

	 */

	cred = (struct cred *) current->cred;

	tsp->smk_forked = smack_known_floor.smk_known;

	tsp->smk_task = smack_known_floor.smk_known;

	cred->security = tsp;

	/* initialize the smack_know_list */