login
Search
"Smack is the Simplified Mandatory Access Control Kernel," Casey Schaufler said posting the third version of his patchest. He explained, "Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC, and other tasks. Smack is a kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data." Casey continued:
"Smack is implemented as a clean LSM. It requires no external code changes and the patch modifies only the Kconfig and Makefile in the security directory. Smack uses extended attributes and provides a set of general mount options, borrowing technics used elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides a pseudo-filesystem smackfs that is used for manipulation of system Smack attributes."
Andrew Morton replied to Casy's lengthy description, "I don't know enough about security even to be dangerous. I went back and reviewed the August thread from your version 1 submission and the message I take away is that the code has been well-received and looks good when considered on its own merits, but selinux could probably be configured to do something sufficiently similar." He added, "so with the information which I presently have available to me, I'm thinking that this should go into 2.6.24."
From: Casey Schaufler Subject: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 29, 5:20 pm 2007 From: Casey Schaufler <casey@schaufler-ca.com> Smack is the Simplified Mandatory Access Control Kernel. Smack implements mandatory access control (MAC) using labels attached to tasks and data containers, including files, SVIPC, and other tasks. Smack is a kernel based scheme that requires an absolute minimum of application support and a very small amount of configuration data. Smack is implemented as a clean LSM. It requires no external code changes and the patch modifies only the Kconfig and Makefile in the security directory. Smack uses extended attributes and provides a set of general mount options, borrowing technics used elsewhere. Smack uses netlabel for CIPSO labeling. Smack provides a pseudo-filesystem smackfs that is used for manipulation of system Smack attributes. The patch, patches for ls and sshd, a README, a startup script, and x86 binaries for ls and sshd are also available on http:/www.schaufler-ca.com The patch has been tested with 2.6.22, 2.6.23-rc8, and 2.6.23-rc8-mm2. Development has been done using Fedora Core 7 in a virtual machine environment and on an old Sony laptop. Smack provides mandatory access controls based on the label attached to a task and the label attached to the object it is attempting to access. Smack labels are deliberately short (1-23 characters) text strings. Single character labels using special characters are reserved for system use. The only operation applied to Smack labels is equality comparison. No wildcards or expressions, regular or otherwise, are used. A file always gets the Smack label of the task that created it. Smack defines and uses these labels: "*" - pronounced "star" "_" - pronounced "floor" "^" - pronounced "hat" "?" - pronounced "huh" The access rules enforced by Smack are, in order: 1. Any access requested by a task labeled "*" is denied. 2. A read or execute access requested by a task labeled "^" is permitted. 3. A read or execute access requested on an object labeled "_" is permitted. 4. Any access requested on an object labeled "*" is permitted. 5. Any access requested by a task on an object with the same label is permitted. 6. Any access requested that is explicitly defined in the loaded rule set is permitted. 7. Any other access is denied. Rules may be explicitly defined by writing subject,object,access triples to /smack/load. Smack rule sets can be easily defined that describe Bell&LaPadula sensitivity, Biba integrity, and a variety of interesting configurations. Smack rule sets can be modified on the fly to accomodate changes in the operating environment or even the time of day. Some practical use cases: Hierarchical levels. The less common of the two usual uses for MLS systems is to define hierarchical levels, often unclassified, confidential, secret, and so on. To set up smack to support this, these rules could be defined: C Unclass rx S C rx S Unclass rx TS S rx TS C rx TS Unclass rx A TS process can read S, C, and Unclass data, but cannot write it. An S process can read C and Unclass. Note that specifying that TS can read S and S can read C does not imply TS can read C, it has to be explicitly stated. Non-hierarchical categories. This is the more common of the usual uses for an MLS system. Since the default rule is that a subject cannot access an object with a different label no access rules are required to implement compartmentalization. A case that the Bell & LaPadula policy does not allow is demonstrated with this Smack access rule: A case that Bell&LaPadula does not allow that Smack does: ESPN ABC r ABC ESPN r On my portable video device I have two applications, one that shows ABC programming and the other ESPN programming. ESPN wants to show me sport stories that show up as news, and ABC will only provide minimal information about a sports story if ESPN is covering it. Each side can look at the other's info, neither can change the other. Neither can see what FOX is up to, which is just as well all things considered. Another case that I especially like: SatData Guard w Guard Publish w A program running with the Guard label opens a UDP socket and accepts messages sent by a program running with a SatData label. The Guard program inspects the message to ensure it is wholesome and if it is sends it to a program running with the Publish label. This program then puts the information passed in an appropriate place. Note that the Guard program cannot write to a Publish file system object because file system semanitic require read as well as write. The four cases (categories, levels, mutual read, guardbox) here are all quite real, and problems I've been asked to solve over the years. The first two are easy to do with traditonal MLS systems while the last two you can't without invoking privilege, at least for a while. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- Changes since the previous version: - Smack labels can now be up to 23 characters in length. My UI expert advised that 12 was the absolute minimum, and CIPSO starts to get troublesome at 30. - Reading the SMACK64PACKET attribute from a socket used to provide the label of the last packet delivered. Now it provides the label of the packet returned by the most recent recv call, or ENOATTR if that value is not available. It's better to get no value than an incorrect value. Documentation/Smack.txt | 104 + security/Kconfig | 1 security/Makefile | 2 security/smack/Kconfig | 10 security/smack/Makefile | 9 security/smack/smack.h | 207 ++ security/smack/smack_access.c | 345 ++++ security/smack/smack_lsm.c | 2685 ++++++++++++++++++++++++++++++++ security/smack/smackfs.c | 1201 ++++++++++++++ 9 files changed, 4564 insertions(+) diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/Documentation/Smack.txt linux-2.6.23-rc8-smack/Documentation/Smack.txt --- linux-2.6.23-rc8-base/Documentation/Smack.txt 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/Documentation/Smack.txt 2007-09-25 15:30:37.000000000 -0700 @@ -0,0 +1,104 @@ + + + "Good for you, you've decided to clean the elevator!" + - The Elevator, from Dark Star + +Smack is the the Simplified Mandatory Access Control Kernel. +Smack is a kernel based implementation of mandatory access +control that includes simplicity in its primary design goals. + +Smack does not implement Domain Type Enforcement (DTE). If +you want DTE Linux has an implementation called SELinux. +Those who really want DTE are encouraged to use SELinux. +Those who don't know what DTE is are encouraged to compare +SELinux with Smack to determine which mechanisms are best +suited to the problem at hand. + +Smack consists of three major components: + - The kernel + - A start-up script and a few modified applications + - Configuration data + +The kernel component of Smack is implemented as a Linux +Security Modules (LSM) module. It requires netlabel and +works best with file systems that support extended attributes, +although xattr support is not strictly required. The Smack +patch is (currently) self contained, except for Kconfig +and Makefile changes in the security directory. It is safe +to run a Smack kernel under a "vanilla" distribution. +Smack kernels use the CIPSO IP option. Some network +configurations are intolerant of IP options and can impede +access to systems that use them as Smack does. + +The startup script etc-init.d-smack should be installed +in /etc/init.d/smack and should be invoked early in the +start-up process. On Fedora rc5.d/S02smack is recommended. +This script ensures that certain devices have the correct +Smack attributes and loads the Smack configuration if +any is defined. + +A version of "ls" that provides a "-M" option to display +Smack labels on long listing is available. + +A hacked version of sshd that allows network logins by users +with specific Smack labels is available. This version does +not work for scp. You must set the /etc/ssh/sshd_config +line: + UsePrivilegeSeparation no + +The format of /etc/smack/usr is: + + username smack + +In keeping with the intent of Smack, configuration data is +minimal and not strictly required. The most important +configuration step is mounting the smackfs pseudo filesystem. + +Add this line to /etc/fstab: + + smackfs /smack smackfs smackfsdef=* 0 0 + +and create the /smack directory for mounting. + +Smack uses extended attributes (xattrs) to store file labels. +The command to set a Smack label on a file is: + + # attr -S -s SMACK64 -V "value" path + +NOTE: Smack labels are limited to 23 characters. The attr command + does not enforce this restriction and can be used to set + invalid Smack labels on files. + +The smackfs filesystem treats symbolic links in a special way. +The Smack label of the process is appended to the link value +during resolution. To provide a /tmp that is available to users +with multiple labels: + + # mkdir /moldy + # mv /tmp /moldy/_ + # ln -s /smack/tmp /tmp + +For each label users are going to use: + + # mkdir /moldy/label + # chmod <appropriate-value> /moldy/label + # attr -S -s SMACK64 -V "label" /moldy/label + +If you don't do anything special all users will get the floor ("_") +label when they log in. If you do want to log in via the hacked ssh +at other labels use the attr command to set the smack value on the +home directory and it's contents. + +You can add access rules in /etc/smack/accesses. They take the form: + + subjectlabel objectlabel access + +access is a combination of the letters rwxa which specify the +kind of access permitted a subject with subjectlabel on an +object with objectlabel. If there is no rule no access is allowed. + +A process can see the smack label it is running with by +reading /proc/self/attr/current. A privileged process can +set the process smack by writing there. + + diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/Kconfig linux-2.6.23-rc8-smack/security/Kconfig --- linux-2.6.23-rc8-base/security/Kconfig 2007-07-08 16:32:17.000000000 -0700 +++ linux-2.6.23-rc8-smack/security/Kconfig 2007-09-25 15:30:37.000000000 -0700 @@ -94,6 +94,7 @@ config SECURITY_ROOTPLUG If you are unsure how to answer this question, answer N. source security/selinux/Kconfig +source security/smack/Kconfig endmenu diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/Makefile linux-2.6.23-rc8-smack/security/Makefile --- linux-2.6.23-rc8-base/security/Makefile 2007-07-08 16:32:17.000000000 -0700 +++ linux-2.6.23-rc8-smack/security/Makefile 2007-09-25 15:30:37.000000000 -0700 @@ -4,6 +4,7 @@ obj-$(CONFIG_KEYS) += keys/ subdir-$(CONFIG_SECURITY_SELINUX) += selinux +subdir-$(CONFIG_SECURITY_SMACK) += smack # if we don't select a security model, use the default capabilities ifneq ($(CONFIG_SECURITY),y) @@ -14,5 +15,6 @@ endif obj-$(CONFIG_SECURITY) += security.o dummy.o inode.o # Must precede capability.o in order to stack properly. obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o +obj-$(CONFIG_SECURITY_SMACK) += commoncap.o smack/built-in.o obj-$(CONFIG_SECURITY_CAPABILITIES) += commoncap.o capability.o obj-$(CONFIG_SECURITY_ROOTPLUG) += commoncap.o root_plug.o diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/Kconfig linux-2.6.23-rc8-smack/security/smack/Kconfig --- linux-2.6.23-rc8-base/security/smack/Kconfig 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/Kconfig 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,10 @@ +config SECURITY_SMACK + bool "Simplified Mandatory Access Control Kernel Support" + depends on NETLABEL && SECURITY_NETWORK + default n + help + This selects the Simplified Mandatory Access Control Kernel. + Smack is useful for sensitivity, integrity, and a variety + of other mandatory security schemes. + If you are unsure how to answer this question, answer N. + diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/Makefile linux-2.6.23-rc8-smack/security/smack/Makefile --- linux-2.6.23-rc8-base/security/smack/Makefile 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/Makefile 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,9 @@ +# +# Makefile for the SMACK LSM +# + +obj-$(CONFIG_SECURITY_SMACK) := smack.o + +smack-y := smack_lsm.o smack_access.o smackfs.o + +EXTRA_CFLAGS += -Inet/netlabel diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/smack_access.c linux-2.6.23-rc8-smack/security/smack/smack_access.c --- linux-2.6.23-rc8-base/security/smack/smack_access.c 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/smack_access.c 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,345 @@ +/* + * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + * + * Author: + * Casey Schaufler <casey@schaufler-ca.com> + * + */ + +#include <linux/types.h> +#include <linux/fs.h> +#include <linux/sched.h> +#include "smack.h" + +struct smack_known smack_known_unset = { + .smk_next = NULL, + .smk_known = "UNSET", + .smk_secid = 1, + .smk_cipso = NULL, +}; + +struct smack_known smack_known_huh = { + .smk_next = &smack_known_unset, + .smk_known = "?", + .smk_secid = 2, + .smk_cipso = NULL, +}; + +struct smack_known smack_known_hat = { + .smk_next = &smack_known_huh, + .smk_known = "^", + .smk_secid = 3, + .smk_cipso = NULL, +}; + +struct smack_known smack_known_star = { + .smk_next = &smack_known_hat, + .smk_known = "*", + .smk_secid = 4, + .smk_cipso = NULL, +}; + +struct smack_known smack_known_floor = { + .smk_next = &smack_known_star, + .smk_known = "_", + .smk_secid = 5, + .smk_cipso = NULL, +}; + +struct smack_known smack_known_invalid = { + .smk_next = &smack_known_floor, + .smk_known = "", + .smk_secid = 6, + .smk_cipso = NULL, +}; + +struct smack_known *smack_known = &smack_known_invalid; +/* + * The initial value needs to be bigger than any of the + * known values above. + */ +static u32 smack_next_secid = 10; + +extern struct smk_list_entry *smack_list; + +/** + * smk_access - determine if a subject has a specific access to an object + * @subject_label: a pointer to the subject's Smack label + * @object_label: a pointer to the object's Smack label + * @request: the access requested, in "MAY" format + * + * This function looks up the subject/object pair in the + * access rule list and returns 0 if the access is permitted, + * non zero otherwise. + * + * Even though Smack labels are usually shared on smack_list + * labels that come in off the network can't be imported + * and added to the list for locking reasons. + * + * Therefore, it is necessary to check the contents of the labels, + * not just the pointer values. Of course, in most cases the labels + * will be on the list, so checking the pointers may be a worthwhile + * optimization. + */ +int smk_access(char *subject_label, char *object_label, int request) +{ + u32 may = MAY_NOT; + struct smk_list_entry *sp; + struct smack_rule *srp; + + /* + * Hardcoded comparisons. + * + * A star subject can't access any object. + */ + if (subject_label == smack_known_star.smk_known || + strcmp(subject_label, smack_known_star.smk_known) == 0) + return -EACCES; + /* + * A star object can be accessed by any subject. + */ + if (object_label == smack_known_star.smk_known || + strcmp(object_label, smack_known_star.smk_known) == 0) + return 0; + /* + * An object can be accessed in any way by a subject + * with the same label. + */ + if (subject_label == object_label || + strcmp(subject_label, object_label) == 0) + return 0; + /* + * A hat subject can read any object. + * A floor object can be read by any subject. + */ + if ((request & MAY_ANYREAD) == request) { + if (object_label == smack_known_floor.smk_known || + strcmp(object_label, smack_known_floor.smk_known) == 0) + return 0; + if (subject_label == smack_known_hat.smk_known || + strcmp(subject_label, smack_known_hat.smk_known) == 0) + return 0; + } + /* + * Beyond here an explicit relationship is required. + * If the requested access is contained in the available + * access (e.g. read is included in readwrite) it's + * good. + */ + for (sp = smack_list; sp != NULL; sp = sp->smk_next) { + srp = &sp->smk_rule; + + if (srp->smk_subject == subject_label || + strcmp(srp->smk_subject, subject_label) == 0) { + if (srp->smk_object == object_label || + strcmp(srp->smk_object, object_label) == 0) { + may = srp->smk_access; + break; + } + } + } + /* + * This is a bit map operation. + */ + if ((request & may) == request) + return 0; + + return -EACCES; +} + +/** + * smk_curacc - determine if current has a specific access to an object + * @object_label: a pointer to the object's Smack label + * @request: the access requested, in "MAY" format + * + * This function checks the current subject label/object label pair + * in the access rule list and returns 0 if the access is permitted, + * non zero otherwise. It allows that current my have the capability + * to override the rules. + */ +int smk_curacc(char *obj_label, u32 mode) +{ + int rc; + + rc = smk_access(current->security, obj_label, mode); + if (rc == 0) + return 0; + + if (capable(CAP_MAC_OVERRIDE)) + return 0; + + return rc; +} + +extern struct mutex smack_known_lock; + +/** + * smk_import_entry - import a label, return the list entry + * @string: a text string that might be a Smack label + * @len: the maximum size, or zero if it is NULL terminated. + * + * Returns a pointer to the entry in the label list that + * matches the passed string, adding it if necessary. + */ +struct smack_known *smk_import_entry(const char *string, int len) +{ + struct smack_known *skp; + char smack[SMK_LABELLEN]; + int found; + int i; + + if (len <= 0 || len > SMK_MAXLEN) + len = SMK_MAXLEN; + + for (i = 0, found = 0; i < SMK_LABELLEN; i++) { + if (found) + smack[i] = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + else if (i >= len || string[i] > '~' || string[i] <= ' ') { + smack[i] = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + found = 1; + } + else + smack[i] = string[i]; + } + + if (smack[0] == '[mid=325567,325654,325663,325847,325843,325884,325908,325923]') + return NULL; + + mutex_lock(&smack_known_lock); + + for (skp = smack_known; skp != NULL; skp = skp->smk_next) + if (skp->smk_known == smack) + break; + + if (skp == NULL) { + skp = kzalloc(sizeof(struct smack_known), GFP_KERNEL); + if (skp != NULL) { + skp->smk_next = smack_known; + strncpy(skp->smk_known, smack, SMK_MAXLEN); + skp->smk_secid = smack_next_secid++; + skp->smk_cipso = NULL; + spin_lock_init(&skp->smk_cipsolock); + smack_known = skp; + } + } + + mutex_unlock(&smack_known_lock); + + return skp; +} + +/** + * smk_import - import a smack label + * @string: a text string that might be a Smack label + * @len: the maximum size, or zero if it is NULL terminated. + * + * Returns a pointer to the label in the label list that + * matches the passed string, adding it if necessary. + */ +char *smk_import(const char *string, int len) +{ + struct smack_known *skp; + + skp = smk_import_entry(string, len); + if (skp == NULL) + return NULL; + return skp->smk_known; +} + +/** + * smack_from_secid - find the Smack label associated with a secid + * @secid: an integer that might be associated with a Smack label + * + * Returns a pointer to the appropraite Smack label if there is one, + * otherwise a pointer to the invalid Smack label. + */ +char *smack_from_secid(const u32 secid) +{ + struct smack_known *skp; + + for (skp = smack_known; skp != NULL; skp = skp->smk_next) + if (skp->smk_secid == secid) + return skp->smk_known; + + /* + * If we got this far someone asked for the translation + * of a secid that is not on the list. + */ + return smack_known_invalid.smk_known; +} + +u32 smack_to_secid(const char *smack) +{ + struct smack_known *skp; + + for (skp = smack_known; skp != NULL; skp = skp->smk_next) + if (skp->smk_known == smack) + return skp->smk_secid; + return 0; +} + +/** + * smack_from_cipso - find the Smack label associated with a CIPSO option + * @level: Bell & LaPadula level from the network + * @catset: Bell & LaPadula categories from the network + * @result: where to put the Smack value + * + * This is a simple lookup in the label table. + * + * This is an odd duck as far as smack handling goes in that + * it sends back a copy of the smack label rather than a pointer + * to the master list. This is done because it is possible for + * a foreign host to send a smack label that is new to this + * machine and hence not on the list. That would not be an + * issue except that adding an entry to the master list can't + * be done at that point. + */ +void smack_from_cipso(u32 level, char *catset, char *result) +{ + struct smack_known *kp; + char *final = NULL; + + for (kp = smack_known; final == NULL && kp != NULL; kp = kp->smk_next) { + if (kp->smk_cipso == NULL) + continue; + + spin_lock_bh(&kp->smk_cipsolock); + + if (kp->smk_cipso->smk_level == level && + memcmp(kp->smk_cipso->smk_catset,catset,SMK_LABELLEN) == 0) + final = kp->smk_known; + + spin_unlock_bh(&kp->smk_cipsolock); + } + if (final == NULL) + final = smack_known_huh.smk_known; + strncpy(result, final, SMK_MAXLEN); + return; +} + +/** + * smack_to_cipso - find the CIPSO option to go with a Smack label + * @smack: a pointer to the smack label in question + * @cp: where to put the result + * + * Returns zero if a value is available, non-zero otherwise. + */ +int smack_to_cipso(const char *smack, struct smack_cipso *cp) +{ + struct smack_known *kp; + + for (kp = smack_known; kp != NULL; kp = kp->smk_next) + if (kp->smk_known == smack || + strcmp(kp->smk_known, smack) == 0) + break; + + if (kp == NULL || kp->smk_cipso == NULL) + return -ENOENT; + + memcpy(cp, kp->smk_cipso, sizeof(struct smack_cipso)); + return 0; +} diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/smackfs.c linux-2.6.23-rc8-smack/security/smack/smackfs.c --- linux-2.6.23-rc8-base/security/smack/smackfs.c 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/smackfs.c 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,1201 @@ +/* + * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + * + * Author: + * Casey Schaufler <casey@schaufler-ca.com> + * + * Special thanks to the authors of selinuxfs. + * + * Karl MacMillan <kmacmillan@tresys.com> + * James Morris <jmorris@redhat.com> + * + */ + +#include <linux/kernel.h> +#include <linux/vmalloc.h> +#include <linux/security.h> +#include <linux/mutex.h> +#include <net/netlabel.h> +/* + * This include could get changed when the internal + * netlabel interface for initializing a netlabel domain + * has been worked out. + */ +#include "netlabel_domainhash.h" +#include <net/cipso_ipv4.h> +#include "smack.h" + +extern struct mutex smack_list_lock; +extern struct smack_known smack_known_floor; +extern struct smack_known smack_known_star; +extern struct smack_known *smack_known; + +/* + * smackfs pseudo filesystem. + */ + +enum smk_inos { + SMK_ROOT_INO = 2, + SMK_LOAD = 3, /* load policy */ + SMK_LINKS = 4, /* symlinks */ + SMK_CIPSO = 5, /* load label -> CIPSO mapping */ + SMK_DOI = 6, /* CIPSO DOI */ + SMK_DIRECT = 7, /* CIPSO level indicating direct label */ + SMK_AMBIENT = 8, /* internet ambient label */ + SMK_NLTYPE = 9, /* label scheme to use by default */ + SMK_TMP = 100, /* MUST BE LAST! /smack/tmp */ +}; + +/* + * This is the "ambient" label for network traffic. + * If it isn't somehow marked, use this. + * It can be reset via smackfs/ambient + */ +char *smack_net_ambient = smack_known_floor.smk_known; + +/* + * This is the default packet marking scheme for network traffic. + * It can be reset via smackfs/nltype + */ +int smack_net_nltype = NETLBL_NLTYPE_CIPSOV4; + +/* + * This is the level in a CIPSO header that indicates a + * smack label is contained directly in the category set. + * It can be reset via smackfs/direct + */ +int smack_cipso_direct = SMACK_CIPSO_DIRECT_DEFAULT; + +static int smk_cipso_doi_value = SMACK_CIPSO_DOI_DEFAULT; +static int smack_list_count; +struct smk_list_entry *smack_list; + +/* + * 'ssssssss oooooooo mmmm\n[mid=325567,325654,325663,325847,325843,325884,325908,325923]' + */ +#define SMACK_RULE_LINE_SIZE (2 * SMK_MAXLEN + 6) + +/** + * smk_read_load - read() for /smack/load + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_load(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + ssize_t bytes; + struct smk_list_entry *slp = smack_list; + struct smack_rule *srp; + char *result; + char *cp; + int realbytes = 0; + + bytes = SMACK_RULE_LINE_SIZE * smack_list_count; + if (bytes == 0) + return 0; + + result = kzalloc(bytes, GFP_KERNEL); + if (result == NULL) + return -ENOMEM; + + for (cp = result; slp != NULL; slp = slp->smk_next) { + srp = &slp->smk_rule; + sprintf(cp, "%-8s %-8s", + (char *)srp->smk_subject, (char *)srp->smk_object); + cp += strlen(cp); + if (srp->smk_access != 0) + *cp++ = ' '; + if ((srp->smk_access & MAY_READ) != 0) + *cp++ = 'r'; + if ((srp->smk_access & MAY_WRITE) != 0) + *cp++ = 'w'; + if ((srp->smk_access & MAY_EXEC) != 0) + *cp++ = 'x'; + if ((srp->smk_access & MAY_APPEND) != 0) + *cp++ = 'a'; + *cp++ = '\n'; + } + *cp++ = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + realbytes = strlen(result); + + bytes = simple_read_from_buffer(buf, count, ppos, result, realbytes); + + kfree(result); + + return bytes; +} + +/** + * smk_set_access - add a rule to the rule list + * @srp: the new rule to add + * + * Looks through the current subject/object/access list for + * the subject/object pair and replaces the access that was + * there. If the pair isn't found add it with the specified + * access. + */ +static void smk_set_access(struct smack_rule *srp) +{ + struct smk_list_entry *sp; + struct smk_list_entry *newp; + + mutex_lock(&smack_list_lock); + + for (sp = smack_list; sp != NULL; sp = sp->smk_next) + if (sp->smk_rule.smk_subject == srp->smk_subject && + sp->smk_rule.smk_object == srp->smk_object) { + sp->smk_rule.smk_access = srp->smk_access; + break; + } + + if (sp == NULL) { + newp = kzalloc(sizeof(struct smk_list_entry), GFP_KERNEL); + newp->smk_rule = *srp; + newp->smk_next = smack_list; + smack_list = newp; + smack_list_count++; + } + + mutex_unlock(&smack_list_lock); + + return; +} + + +/** + * smk_write_load - write() for /smack/load + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_load(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + struct smack_rule rule; + ssize_t rc = count; + char *data = NULL; + char subjectstr[SMK_LABELLEN]; + char objectstr[SMK_LABELLEN]; + char modestr[8]; + char *cp; + + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + /* + * No partial writes. + */ + if (*ppos != 0) + return -EINVAL; + + /* + * 80 characters per line ought to be enough. + */ + if (count > SMACK_LIST_MAX * 80) + return -ENOMEM; + + data = kzalloc(count + 1, GFP_KERNEL); + if (data == NULL) + return -ENOMEM; + + if (copy_from_user(data, buf, count) != 0) { + kfree(data); + return -EFAULT; + } + + *(data + count) = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + + for (cp = data - 1; cp != NULL; cp = strchr(cp + 1, '\n')) { + if (*++cp == '[mid=325567,325654,325663,325847,325843,325884,325908,325923]') + break; + if (sscanf(cp, "%23s %23s %7s\n", subjectstr, objectstr, + modestr) != 3) { + printk("%s:%d bad scan\n", __func__, __LINE__); + break; + } + rule.smk_subject = smk_import(subjectstr, 0); + if (rule.smk_subject == NULL) + break; + rule.smk_object = smk_import(objectstr, 0); + if (rule.smk_object == NULL) + break; + rule.smk_access = 0; + if (strpbrk(modestr, "rR") != NULL) + rule.smk_access |= MAY_READ; + if (strpbrk(modestr, "wW") != NULL) + rule.smk_access |= MAY_WRITE; + if (strpbrk(modestr, "xX") != NULL) + rule.smk_access |= MAY_EXEC; + if (strpbrk(modestr, "aA") != NULL) + rule.smk_access |= MAY_APPEND; + smk_set_access(&rule); + printk("%s:%d rule %s %s 0x%x\n", __func__, __LINE__, + (char *)rule.smk_subject, (char *)rule.smk_object, + rule.smk_access); + } + + kfree(data); + return rc; +} + +static const struct file_operations smk_load_ops = { + .read = smk_read_load, + .write = smk_write_load, +}; + +/** + * smk_digit - return a pointer to the next digit + * @cp: where to start + * + * Returns a pointer to the next digit in the string, or NULL + */ +static inline char *smk_digit(const char *cp) +{ + return strpbrk(cp, "0123456789"); +} + +static unsigned int smk_cipso_written; + +/** + * smk_cipso_doi - initialize the CIPSO domain + * + * This code reaches too deeply into netlabel internals + * for comfort, however there is no netlabel KAPI that + * allows for kernel based initialization of a CIPSO DOI. + * Until Paul and Casey can work out an appropriate + * interface Smack will do it this way. + */ +void smk_cipso_doi(void) +{ + int rc; + struct cipso_v4_doi *doip; + struct netlbl_dom_map *ndmp; + struct netlbl_audit audit_info; + + doip = kmalloc(sizeof(struct cipso_v4_doi), GFP_KERNEL); + if (doip == NULL) + panic("smack: Failed to initialize cipso DOI.\n"); + doip->map.std = NULL; + + ndmp = kmalloc(sizeof(struct netlbl_dom_map), GFP_KERNEL); + if (ndmp == NULL) + panic("smack: Failed to initialize cipso ndmp.\n"); + + doip->doi = smk_cipso_doi_value; + doip->type = CIPSO_V4_MAP_PASS; + doip->tags[0] = CIPSO_V4_TAG_RBITMAP; + for (rc = 1; rc < CIPSO_V4_TAG_MAXCNT; rc++) + doip->tags[rc] = CIPSO_V4_TAG_INVALID; + + rc = cipso_v4_doi_add(doip); + if (rc != 0) + printk("%s:%d add doi rc = %d\n", __func__, __LINE__, rc); + + ndmp->domain = NULL; + ndmp->type = NETLBL_NLTYPE_CIPSOV4; + ndmp->type_def.cipsov4 = doip; + + rc = netlbl_domhsh_remove_default(&audit_info); + if (rc != 0) + printk("%s:%d remove rc = %d\n", __func__, __LINE__, rc); + + rc = netlbl_domhsh_add_default(ndmp, &audit_info); + if (rc != 0) + printk("%s:%d add rc = %d\n", __func__, __LINE__, rc); +} + +/** + * smk_read_cipso - read() for /smack/cipso + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + * + * label level[/cat[,cat]] + */ +static ssize_t smk_read_cipso(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + struct smack_known *skp; + struct smack_cipso *scp; + ssize_t bytes; + char sep; + char *result; + char *cp; + char *cbp; + int realbytes = 0; + int cat = -1; + int i; + unsigned char m; + + if (smk_cipso_written == 0) + return 0; + + result = kzalloc(smk_cipso_written, GFP_KERNEL); + if (result == NULL) + return -ENOMEM; + cp = result; + + for (skp = smack_known; skp != NULL; skp = skp->smk_next) { + if (skp->smk_cipso == NULL) + continue; + scp = skp->smk_cipso; + cp += sprintf(cp, "%-8s %3d", + (char *)&skp->smk_known, scp->smk_level); + cat = 1; + sep = '/'; + cbp = scp->smk_catset; + for (i = 0; i < SMK_LABELLEN; i++) { + for (m = 0x80; m != 0; m >>= 1) { + if ((m & cbp[i]) != 0) { + cp += sprintf(cp, "%c%d", sep, cat); + sep = ','; + } + cat++; + } + } + *cp++ = '\n'; + } + *cp++ = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + realbytes = strlen(result); + + bytes = simple_read_from_buffer(buf, count, ppos, result, realbytes); + + kfree(result); + + return bytes; +} + +/** + * smk_write_cipso - write() for /smack/cipso + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_cipso(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + struct smack_known *skp; + struct smack_cipso *scp; + char *mapsmack; + char mapcatset[SMK_LABELLEN]; + int maplevel; + ssize_t rc = count; + char *data = NULL; + char *cp; + char *eolp; + char *linep; + int cat; + int i; + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + /* + * No partial writes. + */ + if (*ppos != 0) + return -EINVAL; + /* + * 80 characters per line ought to be enough. + */ + if (count > SMACK_LIST_MAX * 80) + return -ENOMEM; + + data = kzalloc(count + 1, GFP_KERNEL); + if (data == NULL) + return -ENOMEM; + + if (copy_from_user(data, buf, count) != 0) { + kfree(data); + return -EFAULT; + } + + *(data + count) = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + smk_cipso_written += count; + + for (eolp = strchr(data, '\n'), linep = data; + eolp != NULL && rc >= 0; + linep = eolp + 1, eolp = strchr(linep, '\n')) { + + if (eolp == linep) + continue; + *eolp = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + memset(mapcatset, '[mid=325567,325654,325663,325847,325843,325884,325908,325923]', SMK_LABELLEN); + + skp = smk_import_entry(linep, 0); + if (skp == NULL) + continue; + mapsmack = skp->smk_known; + + cp = smk_digit(linep + strlen((char *)mapsmack)); + if (cp == NULL) + continue; + + i = sscanf(cp, "%d", &maplevel); + if (i != 1) + continue; + + cp = strchr(cp, '/'); + if (cp != NULL) { + cp = smk_digit(cp); + if (cp == NULL) + continue; + + do { + i = sscanf(cp, "%d", &cat); + if (i != 1) + break; + if (cat > SMACK_CIPSO_MAXCAT) { + i = 0; + break; + } + smack_catset_bit(cat, mapcatset); + + cp = strchr(cp, ','); + if (cp != NULL) + cp = smk_digit(cp); + } while (cp != NULL); + } + + if (i != 1) + continue; + + + if (skp->smk_cipso == NULL) { + scp = kzalloc(sizeof(struct smack_cipso), GFP_KERNEL); + if (scp == NULL) { + rc = -ENOMEM; + break; + } + } else + scp = NULL; + + spin_lock_bh(&skp->smk_cipsolock); + if (skp->smk_cipso == NULL) { + skp->smk_cipso = scp; + scp = NULL; + } + skp->smk_cipso->smk_level = maplevel; + memcpy(skp->smk_cipso->smk_catset, mapcatset, SMK_MAXLEN); + spin_unlock_bh(&skp->smk_cipsolock); + + /* + * The only way this could be true is for there + * to have been two attempts to update the cipso + * list at the same time. One of the two will have + * won cleanly, but there remains cleanup to do. + */ + if (scp != NULL) { + printk(KERN_WARNING "%s: CIPSO collision for \"%s\"\n", + __func__, skp->smk_known); + kfree(scp); + } + /* + * Add this to ensure that there are + * enough bytes for the regurgitation + */ + smk_cipso_written += SMK_LABELLEN; + } + + kfree(data); + return rc; +} + +static const struct file_operations smk_cipso_ops = { + .read = smk_read_cipso, + .write = smk_write_cipso, +}; + +/** + * smk_read_doi - read() for /smack/doi + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_doi(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + ssize_t rc; + + if (*ppos != 0) + return 0; + + sprintf(temp, "%d", smk_cipso_doi_value); + rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); + + return rc; +} + +/** + * smk_write_doi - write() for /smack/doi + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_doi(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + int i; + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + + if (count > sizeof(temp)) + return -EINVAL; + + if (copy_from_user(temp, buf, count) != 0) + return -EFAULT; + + if (sscanf(temp, "%d", &i) != 1) + return -EINVAL; + + smk_cipso_doi_value = i; + + return count; +} + +static const struct file_operations smk_doi_ops = { + .read = smk_read_doi, + .write = smk_write_doi, +}; + +/** + * smk_read_direct - read() for /smack/direct + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_direct(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + ssize_t rc; + + if (*ppos != 0) + return 0; + + sprintf(temp, "%d", smack_cipso_direct); + rc = simple_read_from_buffer(buf, count, ppos, temp, strlen(temp)); + + return rc; +} + +/** + * smk_write_direct - write() for /smack/direct + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_direct(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + char temp[80]; + int i; + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + + if (count > sizeof(temp)) + return -EINVAL; + + if (copy_from_user(temp, buf, count) != 0) + return -EFAULT; + + if (sscanf(temp, "%d", &i) != 1) + return -EINVAL; + + smack_cipso_direct = i; + + return count; +} + +static const struct file_operations smk_direct_ops = { + .read = smk_read_direct, + .write = smk_write_direct, +}; + +/** + * smk_read_ambient - read() for /smack/ambient + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_ambient(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + ssize_t rc; + int asize = strlen(smack_net_ambient) + 1; + + if (count < asize) + return -EINVAL; + + if (*ppos != 0) + return 0; + + rc = simple_read_from_buffer(buf,count,ppos,smack_net_ambient,asize); + + return rc; +} + +/** + * smk_write_ambient - write() for /smack/ambient + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_ambient(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + char in[SMK_LABELLEN]; + char *smack; + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + + if (count >= SMK_LABELLEN) + return -EINVAL; + + if (copy_from_user(in, buf, count) != 0) + return -EFAULT; + + smack = smk_import(in, count); + if (smack == NULL) + return -EINVAL; + /* + * Better check to be sure this is OK. + */ + smack_net_ambient = smack; + + return count; +} + +static const struct file_operations smk_ambient_ops = { + .read = smk_read_ambient, + .write = smk_write_ambient, +}; + +struct option_names { + int o_number; + char *o_name; + char *o_alias; +}; + +static struct option_names netlbl_choices[] = { + { NETLBL_NLTYPE_RIPSO, + NETLBL_NLTYPE_RIPSO_NAME, "ripso" }, + { NETLBL_NLTYPE_CIPSOV4, + NETLBL_NLTYPE_CIPSOV4_NAME, "cipsov4" }, + { NETLBL_NLTYPE_CIPSOV4, + NETLBL_NLTYPE_CIPSOV4_NAME, "cipso" }, + { NETLBL_NLTYPE_CIPSOV6, + NETLBL_NLTYPE_CIPSOV6_NAME, "cipsov6" }, + { NETLBL_NLTYPE_UNLABELED, + NETLBL_NLTYPE_UNLABELED_NAME, "unlabeled" }, +}; + +/** + * smk_read_nltype - read() for /smack/nltype + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_nltype(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + char bound[40]; + ssize_t rc; + int i; + + if (count < SMK_LABELLEN) + return -EINVAL; + + if (*ppos != 0) + return 0; + + sprintf(bound, "unknown"); + + for (i = 0; i < ARRAY_SIZE(netlbl_choices); i++) + if (smack_net_nltype == netlbl_choices[i].o_number) { + sprintf(bound, "%s", netlbl_choices[i].o_name); + break; + } + + rc = simple_read_from_buffer(buf, count, ppos, bound, strlen(bound)); + + return rc; +} + +/** + * smk_write_nltype - write() for /smack/nltype + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + */ +static ssize_t smk_write_nltype(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + char bound[40]; + char *cp; + int i; + + if (!capable(CAP_MAC_OVERRIDE)) + return -EPERM; + + if (count >= 40) + return -EINVAL; + + if (copy_from_user(bound, buf, count) != 0) + return -EFAULT; + + bound[count] = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + cp = strchr(bound, ' '); + if (cp != NULL) + *cp = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + cp = strchr(bound, '\n'); + if (cp != NULL) + *cp = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + + for (i = 0; i < ARRAY_SIZE(netlbl_choices); i++) + if (strcmp(bound, netlbl_choices[i].o_name) == 0 || + strcmp(bound, netlbl_choices[i].o_alias) == 0) { + smack_net_nltype = netlbl_choices[i].o_number; + return count; + } + /* + * Not a valid choice. + */ + return -EINVAL; +} + +static const struct file_operations smk_nltype_ops = { + .read = smk_read_nltype, + .write = smk_write_nltype, +}; + +/* + * mapping for symlinks + */ +#define SMK_TMPPATH_SIZE 1024 +#define SMK_TMPPATH_ROOT "/moldy/" + +struct smk_link { + struct smk_link *sl_next; + int sl_inum; + char sl_name[SMK_TMPPATH_SIZE]; + char sl_target[SMK_TMPPATH_SIZE]; +}; + +static struct super_block *smk_sb = NULL; +static struct smk_link *smk_links = NULL; +static int smk_links_count = 0; + +/** + * smackfs_follow_link - follow a smackfs symlink + * @dentry: name cache entry + * @nd: name entry + * + * A symlink on smackfs has unusual semantics. + * + * The Smack value of the task is appended to the link string. + * Thus, if a task labeled "Gentoo" does chdir("/smack/tmp") + * it will use "/moldy/Gentoo". + * + * The expected usage is the /tmp is a symlink to /smack/tmp + * which is itself a symlink to /moldy. /moldy should have a + * directory for each label in use to accomodate the value + * appended on the redirection. + * + * An interesting addition would be a file system that automatically + * creates directories as needed, at the appropriate label. + */ +static void *smackfs_follow_link(struct dentry *dentry, struct nameidata *nd) +{ + char *sp = current->security; + char *cp; + int inum = dentry->d_inode->i_ino; + struct smk_link *slp; + + for (slp = smk_links; slp != NULL; slp = slp->sl_next) + if (slp->sl_inum == inum) + break; + + if (slp == NULL) { + printk("%s:%d failed\n", __func__, __LINE__); + return NULL; + } + cp = kzalloc(SMK_TMPPATH_SIZE, GFP_KERNEL); + if (cp == NULL) + return NULL; + + strcpy(cp, slp->sl_target); + strcat(cp, sp); + nd_set_link(nd, cp); + /* + * Unlike the readlink below, hang on to the memory allocated + * because nd_set_link passes it along. + */ + return NULL; +} + +/** + * smackfs_readlink - read a smackfs symlink + * @dentry: name cache entry + * @buffer: where the result goes + * @buflen: buffer size + * + * Returns 0 on success, an error code otherwise + * + * Supports the same semantics as the follow code. + */ +static int smackfs_readlink(struct dentry *dentry, char __user *buffer, + int buflen) +{ + char *csp = current->security; + char *cp; + int len; + int inum = dentry->d_inode->i_ino; + struct smk_link *slp; + + for (slp = smk_links; slp != NULL; slp = slp->sl_next) + if (slp->sl_inum == inum) + break; + + if (slp == NULL) { + printk("%s:%d failed\n", __func__, __LINE__); + return -EACCES; + } + + cp = kzalloc(SMK_TMPPATH_SIZE, GFP_KERNEL); + if (cp == NULL) + return -ENOMEM; + + strcpy(cp, slp->sl_target); + strcat(cp, csp); + len = strlen(cp); + len = (len > buflen) ? buflen : len; + + if (copy_to_user(buffer, cp, len) != 0) + len = -EFAULT; + + kfree(cp); + return len; +} + +/** + * smackfs_put_link - free a followed component + * @dentry: unused + * @nd: name entry + * @ptr: unused + * + * free the buffer used in following the link. + */ +static void smackfs_put_link(struct dentry *dentry, struct nameidata *nd, void *ptr) +{ + kfree(nd_get_link(nd)); +} + +static struct inode_operations smackfs_symlink_inode_operations = { + .readlink = smackfs_readlink, + .follow_link = smackfs_follow_link, + .put_link = smackfs_put_link, +}; + +/** + * smk_add_symlink - follow a smackfs symlink + * @name: the name of the synlink + * @target: where it points to + * + * Add a smackfs symlink + */ +static void smk_add_symlink(char *name, char *target) +{ + static int inum = SMK_TMP; + struct inode *inode; + struct dentry *dentry; + struct smk_link *slp; + + for (slp = smk_links; slp != NULL; slp = slp->sl_next) { + if (strcmp(slp->sl_name, name) != 0) + continue; + strcpy(slp->sl_target, target); + return; + } + + slp = kzalloc(sizeof(struct smk_link), GFP_KERNEL); + if (slp == NULL) + return; + + dentry = d_alloc_name(smk_sb->s_root, name); + if (dentry == NULL) { + printk("%s:%d link dentry failed\n", __func__, __LINE__); + return; + } + + inode = new_inode(smk_sb); + if (inode == NULL) { + printk("%s:%d link inode failed\n", __func__, __LINE__); + return; + } + + inode->i_mode = S_IFLNK | S_IRWXUGO; + inode->i_uid = 0; + inode->i_gid = 0; + inode->i_blocks = 0; + inode->i_atime = CURRENT_TIME; + inode->i_mtime = inode->i_atime; + inode->i_ctime = inode->i_atime; + inode->i_ino = inum++; + inode->i_op = &smackfs_symlink_inode_operations; + d_add(dentry, inode); + + strcpy(slp->sl_name, name); + strcpy(slp->sl_target, target); + slp->sl_inum = inode->i_ino; + slp->sl_next = smk_links; + smk_links = slp; + smk_links_count++; + + return; +} + +/** + * smk_read_links - read() for /smack/links + * @filp: file pointer, not actually used + * @buf: where to put the result + * @count: maximum to send along + * @ppos: where to start + * + * Returns number of bytes read or error code, as appropriate + */ +static ssize_t smk_read_links(struct file *filp, char __user *buf, + size_t count, loff_t *ppos) +{ + ssize_t bytes = sizeof(struct smk_link) * smk_links_count; + struct smk_link *slp; + char *result; + char *cp; + + + result = kzalloc(bytes, GFP_KERNEL); + if (result == NULL) + return -ENOMEM; + *result = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + + for (slp = smk_links, cp = result; slp != NULL; slp = slp->sl_next) + cp += sprintf(cp, "%s %s\n", slp->sl_name, slp->sl_target); + + bytes = simple_read_from_buffer(buf,count,ppos,result,strlen(result)); + + kfree(result); + + return bytes; +} + +/** + * smk_write_links - write() for /smack/links + * @filp: file pointer, not actually used + * @buf: where to get the data from + * @count: bytes sent + * @ppos: where to start + * + * Returns number of bytes written or error code, as appropriate + * + * This might be better done using "real" symlink creation. + */ +static ssize_t smk_write_links(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +{ + ssize_t rc = count; + char *data; + char *cp; + char name[SMK_TMPPATH_SIZE]; + char target[SMK_TMPPATH_SIZE]; + + /* + * No partial writes. + */ + if (*ppos != 0) + return -EINVAL; + /* + * 80 characters per line ought to be enough. + */ + if (count > SMACK_LIST_MAX * 80) + return -ENOMEM; + + data = kzalloc(count + 1, GFP_KERNEL); + if (data == NULL) + return -ENOMEM; + + if (copy_from_user(data, buf, count) != 0) { + kfree(data); + return -EFAULT; + } + + data[count] = '[mid=325567,325654,325663,325847,325843,325884,325908,325923]'; + + for (cp = data - 1; cp != NULL; cp = strchr(cp + 1, '\n')) { + if (*++cp == '[mid=325567,325654,325663,325847,325843,325884,325908,325923]') + break; + if (sscanf(cp, "%14s %30s\n", name, target) != 2) { + printk("%s:%d bad scan\n", + __func__, __LINE__); + break; + } + smk_add_symlink(name, target); + printk("%s:%d add %s -> %s\n", + __func__, __LINE__, name, target); + } + + kfree(data); + return rc; +} + +static const struct file_operations smk_links_ops = { + .read = smk_read_links, + .write = smk_write_links, +}; + +/** + * smk_fill_super - fill the /smackfs superblock + * @sb: the empty superblock + * @data: unused + * @silent: unused + * + * Fill in the well known entries for /smack and set up for + * symlinks + * + * Returns 0 on success, an error code on failure + */ +static int smk_fill_super(struct super_block *sb, void * data, int silent) +{ + int rc; + struct inode *root_inode; + + static struct tree_descr smack_files[] = { + [SMK_LOAD] = {"load", &smk_load_ops, S_IRUGO|S_IWUSR}, + [SMK_LINKS] = {"links", &smk_links_ops, S_IRUGO|S_IWUSR}, + [SMK_CIPSO] = {"cipso", &smk_cipso_ops, S_IRUGO|S_IWUSR}, + [SMK_DOI] = {"doi", &smk_doi_ops, S_IRUGO|S_IWUSR}, + [SMK_DIRECT] = {"direct", &smk_direct_ops, S_IRUGO|S_IWUSR}, + [SMK_AMBIENT] = {"ambient", &smk_ambient_ops,S_IRUGO|S_IWUSR}, + [SMK_NLTYPE] = {"nltype", &smk_nltype_ops, S_IRUGO|S_IWUSR}, + /* last one */ {""} + }; + + /* + * There will be only one smackfs. Casey says so. + */ + smk_sb = sb; + + rc = simple_fill_super(sb, SMACK_MAGIC, smack_files); + if (rc != 0) { + printk(KERN_ERR "%s failed %d while creating inodes\n", + __func__, rc); + return rc; + } + + root_inode = sb->s_root->d_inode; + root_inode->i_security = new_inode_smack(smack_known_floor.smk_known); + + /* + * Create a directory for /smack/tmp + */ + smk_add_symlink("tmp", SMK_TMPPATH_ROOT); + + return 0; +} + +/** + * smk_get_sb - get the smackfs superblock + * @fs_type: passed along without comment + * @flags: passed along without comment + * @dev_name: passed along without comment + * @data: passed along without comment + * @mnt: passed along without comment + * + * Just passes everything along. + * + * Returns what the lower level code does. + */ +static int smk_get_sb(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data, + struct vfsmount *mnt) +{ + return get_sb_single(fs_type, flags, data, smk_fill_super, mnt); +} + +static struct file_system_type smk_fs_type = { + .name = "smackfs", + .get_sb = smk_get_sb, + .kill_sb = kill_litter_super, +}; + +static struct vfsmount *smackfs_mount; + +/** + * init_smk_fs - get the smackfs superblock + * + * register the smackfs + * + * Returns 0 unless the registration fails. + */ +static int __init init_smk_fs(void) +{ + int err; + + err = register_filesystem(&smk_fs_type); + if (!err) { + smackfs_mount = kern_mount(&smk_fs_type); + if (IS_ERR(smackfs_mount)) { + printk(KERN_ERR "smackfs: could not mount!\n"); + err = PTR_ERR(smackfs_mount); + smackfs_mount = NULL; + } + } + + return err; +} + +__initcall(init_smk_fs); diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/smack.h linux-2.6.23-rc8-smack/security/smack/smack.h --- linux-2.6.23-rc8-base/security/smack/smack.h 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/smack.h 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,207 @@ +/* + * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation, version 2. + * + * Author: + * Casey Schaufler <casey@schaufler-ca.com> + * + */ + +#ifndef _SECURITY_SMACK_H +#define _SECURITY_SMACK_H + +#include <linux/capability.h> +#include <linux/spinlock.h> +#include <net/netlabel.h> + +/* + * Why 23? CIPSO is constrained to 30, so a 32 byte buffer is + * bigger than can be used, and 24 is the next lower multiple + * of 8, and there are too many issues if there isn't space set + * aside for the terminating null byte. + */ +#define SMK_MAXLEN 23 +#define SMK_LABELLEN (SMK_MAXLEN+1) + +struct superblock_smack { + char *smk_root; + char *smk_floor; + char *smk_hat; + char *smk_default; + int smk_initialized; +}; + +struct socket_smack { + char *smk_out; /* outbound label */ + char *smk_in; /* inbound label */ + char smk_packet[SMK_LABELLEN]; + int smk_depth; +}; + +/* + * Inode smack data + */ +struct inode_smack { + char *smk_inode; /* label of the fso */ + struct mutex smk_lock; /* initialization lock */ + int smk_flags; /* smack inode flags */ +}; + +#define SMK_INODE_INSTANT 0x01 /* inode is instantiated */ + +/* + * A label access rule. + */ +struct smack_rule { + char *smk_subject; + char *smk_object; + int smk_access; +}; + +/* + * An entry in the table of permitted label accesses. + */ +struct smk_list_entry { + struct smk_list_entry *smk_next; + struct smack_rule smk_rule; +}; + +/* + * An entry in the table mapping smack values to + * CIPSO level/category-set values. + */ +struct smack_cipso { + int smk_level; + char smk_catset[SMK_LABELLEN]; +}; + +/* + * This is the repository for labels seen so that it is + * not necessary to keep allocating tiny chuncks of memory + * and so that they can be shared. + * + * Labels are never modified in place. Anytime a label + * is imported (e.g. xattrset on a file) the list is checked + * for it and it is added if it doesn't exist. The address + * is passed out in either case. Entries are added, but + * never deleted. + * + * Since labels are hanging around anyway it doesn't + * hurt to maintain a secid for those awkward situations + * where kernel components that ought to use LSM independent + * interfaces don't. The secid should go away when all of + * these components have been repaired. + * + * If there is a cipso value associated with the label it + * gets stored here, too. This will most likely be rare as + * the cipso direct mapping in used internally. + */ +struct smack_known { + struct smack_known *smk_next; + char smk_known[SMK_LABELLEN]; + u32 smk_secid; + struct smack_cipso *smk_cipso; + spinlock_t smk_cipsolock; +}; + +/* + * Mount options + */ +#define SMK_FSDEFAULT "smackfsdef=" +#define SMK_FSFLOOR "smackfsfloor=" +#define SMK_FSHAT "smackfshat=" +#define SMK_FSROOT "smackfsroot=" + +/* + * xattr names + */ +#define XATTR_SMACK_SUFFIX "SMACK64" +#define XATTR_SMACK_IPIN "SMACK64IPIN" +#define XATTR_SMACK_IPOUT "SMACK64IPOUT" +#define XATTR_SMACK_PACKET "SMACK64PACKET" +#define XATTR_NAME_SMACK XATTR_SECURITY_PREFIX XATTR_SMACK_SUFFIX + +/* + * smackfs macic number + */ +#define SMACK_MAGIC 0x43415d53 /* "SMAC" */ + +/* + * A limit on the number of entries in the lists + * makes some of the list administration easier. + */ +#define SMACK_LIST_MAX 10000 + +/* + * CIPSO defaults. + */ +#define SMACK_CIPSO_DOI_DEFAULT 3 /* Historical */ +#define SMACK_CIPSO_DIRECT_DEFAULT 250 /* Arbitrary */ +#define SMACK_CIPSO_MAXCAT 63 /* Bigger gets harder */ + +/* + * Just to make the common cases easier to deal with + */ +#define MAY_ANY (MAY_READ | MAY_WRITE | MAY_APPEND | MAY_EXEC) +#define MAY_ANYREAD (MAY_READ | MAY_EXEC) +#define MAY_ANYWRITE (MAY_WRITE | MAY_APPEND) +#define MAY_READWRITE (MAY_READ | MAY_WRITE) +#define MAY_NOT 0 + +/* + * There are not enough CAP bits available to make this + * real, so Casey borrowed the capability that looks to + * him like it has the best balance of similarity amd + * low use. + */ +#define CAP_MAC_OVERRIDE CAP_LINUX_IMMUTABLE + +/* + * These functions are in smackfs.c + */ +void smk_cipso_doi(void); + +/* + * These functions are in smack_lsm.c + */ +struct inode_smack *new_inode_smack(char *); + +/* + * These functions are in smack_access.c + */ +int smk_access(char *, char *, int); +int smk_curacc(char *, u32); +int smack_to_cipso(const char *, struct smack_cipso *); +void smack_from_cipso(u32, char *, char *); +char *smack_from_secid(const u32); +char *smk_import(const char *, int); +struct smack_known *smk_import_entry(const char *, int); +u32 smack_to_secid(const char *); + +/* + * Stricly for CIPSO level manipulation. + * Set the category bit number in a smack label sized buffer. + */ +static inline void smack_catset_bit(int cat, char *catsetp) +{ + char *cp = (char *)catsetp; + + if (cat > SMK_LABELLEN * 8) + return; + + cp[(cat - 1) / 8] |= 0x80 >> ((cat - 1) % 8); +} + +/* + * Present a pointer to the smack label in an inode blob. + */ +static inline char *smk_of_inode(const struct inode *isp) +{ + struct inode_smack *sip = isp->i_security; + return sip->smk_inode; +} + +#endif /* _SECURITY_SMACK_H */ diff -uprN -X linux-2.6.23-rc8-base/Documentation/dontdiff linux-2.6.23-rc8-base/security/smack/smack_lsm.c linux-2.6.23-rc8-smack/security/smack/smack_lsm.c --- linux-2.6.23-rc8-base/security/smack/smack_lsm.c 1969-12-31 16:00:00.000000000 -0800 +++ linux-2.6.23-rc8-smack/security/smack/smack_lsm.c 2007-09-25 15:30:38.000000000 -0700 @@ -0,0 +1,2685 @@ +/* + * Simplified MAC Kernel (smack) security module + * + * This file contains the smack hook function implementations. + * + * Author: + * Casey Schaufler <casey@schaufler-ca.com> + * + * Copyright (C) 2007 Casey Schaufler <casey@schaufler-ca.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#include <linux/xattr.h> +#include <linux/pagemap.h> +#include <linux/mount.h> +#include <linux/stat.h> +#include <linux/ext2_fs.h> +#include <linux/kd.h> +#include <asm/ioctls.h> +#include <linux/tcp.h> +#include <linux/udp.h> +#include <linux/mutex.h> +#include <net/netlabel.h> +#include <net/cipso_ipv4.h> + +#include "smack.h" + +/* + * I hope these are the hokeyist lines of code in the module. Casey. + */ +#define DEVPTS_SUPER_MAGIC 0x1cd1 +#define SOCKFS_MAGIC 0x534F434B +#define PIPEFS_MAGIC 0x50495045 +#define TMPFS_MAGIC 0x01021994 + +/* + * These are in smack_access.c + */ +extern struct smack_known smack_known_unset; +extern struct smack_known smack_known_huh; +extern struct smack_known smack_known_hat; +extern struct smack_known smack_known_star; +extern struct smack_known smack_known_floor; +extern struct smack_known smack_known_invalid; + +/* + * These are maintained in smackfs.c + */ +extern char *smack_net_ambient; +extern int smack_net_nltype; +extern int smack_cipso_direct; + +/** + * smk_fetch - Fetch the smack label from a file. + * @ip: a pointer to the inode + * @dp: a pointer to the dentry + * + * Returns a pointer to the master list entry for the Smack label + * or NULL if there was no label to fetch. + */ +static char *smk_fetch(struct inode *ip, struct dentry *dp) +{ + int rc; + char in[SMK_LABELLEN]; + + if (ip->i_op->getxattr == NULL) + return NULL; + + rc = ip->i_op->getxattr(dp, XATTR_NAME_SMACK, in, SMK_LABELLEN); + if (rc < 0) + return NULL; + + return smk_import(in, rc); +} + +/** + * new_inode_smack - allocate an inode security blob + * @smack: a pointer to the Smack label to use in the blob + * + * Returns the new blob or NULL if there's no memory available + */ +struct inode_smack *new_inode_smack(char *smack) +{ + struct inode_smack *isp; + + isp = kzalloc(sizeof(struct inode_smack), GFP_KERNEL); + if (isp == NULL) + return NULL; + + isp->smk_inode = smack; + isp->smk_flags = 0; + mutex_init(&isp->smk_lock); + + return isp; +} + +/* + * LSM hooks. + * We he, that is fun! + */ + +/** + * smack_ptrace - Smack approval on ptrace + * @ptp: parent task pointer + * @ctp: child task pointer + * + * Returns 0 if access is OK, an error code otherwise + * + * Do the capability checks, and require read and write. + */ +static int smack_ptrace(struct task_struct *ptp, struct task_struct *ctp) +{ + int rc; + + rc = cap_ptrace(ptp, ctp); + if (rc != 0) + return rc; + + rc = smk_access(ptp->security, ctp->security, MAY_READWRITE); + if (rc != 0 && __capable(ptp, CAP_MAC_OVERRIDE)) + return 0; + + return rc; +} + +/** + * smack_syslog - Smack approval on syslog + * @type: message type + * + * Require that the task has the floor label + * + * Returns 0 on success, error code otherwise. + */ +static int smack_syslog(int type) +{ + int rc; + char *sp = current->security; + + rc = cap_syslog(type); + if (rc != 0) + return rc; + + if (__capable(current, CAP_MAC_OVERRIDE)) + return 0; + + if (sp != smack_known_floor.smk_known) + rc = -EACCES; + + return rc; +} + +/** + * smack_task_alloc_security - "allocate" a task blob + * @tsk: the task in need of a blob + * + * Smack isn't using copies of blobs. Everyone + * points to an immutible list. No alloc required. + * No data copy required. + * + * Always returns 0 + */ +static int smack_task_alloc_security(struct task_struct *tsk) +{ + tsk->security = current->security; + + return 0; +} + +/** + * smack_task_free_security - "free" a task blob + * @task: the task with the blob + * + * Smack isn't using copies of blobs. Everyone + * points to an immutible list. The blobs never go away. + * There is no leak here. + */ +static void smack_task_free_security(struct task_struct *task) +{ + task->security = NULL; +} + +/** + * smack_task_setpgid - Smack check on setting pgid + * @p: the task object + * @pgid: unused + * + * Return 0 if write access is permitted + */ +static int smack_task_setpgid(struct task_struct *p, pid_t pgid) +{ + return smk_curacc(p->security, MAY_WRITE); +} + +/** + * smack_task_setnice - Smack check on setting nice + * @p: the task object + * @nice: unused + * + * Return 0 if write access is permitted + */ +static int smack_task_setnice(struct task_struct *p, int nice) +{ + return smk_curacc(p->security, MAY_WRITE); +} + +/** + * smack_task_setioprio - Smack check on setting ioprio + * @p: the task object + * @ioprio: unused + * + * Return 0 if write access is permitted + */ +static int smack_task_setioprio(struct task_struct *p, int ioprio) +{ + return smk_curacc(p->security, MAY_WRITE); +} + +/** + * smack_task_getioprio - Smack check on reading ioprio + * @p: the task object + * + * Return 0 if read access is permitted + */ +static int smack_task_getioprio(struct task_struct *p) +{ + return smk_curacc(p->security, MAY_READ); +} + +/** + * smack_task_setscheduler - Smack check on setting scheduler + * @p: the task object + * @policy: unused + * @lp: unused + * + * Return 0 if read access is permitted + */ +static int smack_task_setscheduler(struct task_struct *p, int policy, + struct sched_param *lp) +{ + return smk_curacc(p->security, MAY_WRITE); +} + +/** + * smack_task_getscheduler - Smack check on reading scheduler + * @p: the task object + * + * Return 0 if read access is permitted + */ +static int smack_task_
From: Andrew Morton Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 1:16 am 2007 On Sat, 29 Sep 2007 17:20:36 -0700 Casey Schaufler <casey@schaufler-ca.com> wrote: > > Smack is the Simplified Mandatory Access Control Kernel. > I don't know enough about security even to be dangerous. I went back and reviewed the August thread from your version 1 submission and the message I take away is that the code has been well-received and looks good when considered on its own merits, but selinux could probably be configured to do something sufficiently similar. I'd have trouble declaring that "but" to be a reason to not merge smack. I'm more thinking "let's merge it and see if people use it". > > Documentation/Smack.txt | 104 + > security/Kconfig | 1 > security/Makefile | 2 > security/smack/Kconfig | 10 > security/smack/Makefile | 9 > security/smack/smack.h | 207 ++ > security/smack/smack_access.c | 345 ++++ > security/smack/smack_lsm.c | 2685 ++++++++++++++++++++++++++++++++ > security/smack/smackfs.c | 1201 ++++++++++++++ > 9 files changed, 4564 insertions(+) And that wonderful diffstat really is key to being able to do this. My major non-technical concern is that Casey Schaufler might get hit by a bus. If this happens, we can remove the feature in three minutes (that diffstat again), but that may not be feasible if people have come to rely upon the feature. otoh, if a significant number of people are using smack, presumably someone else would step up to maintain smack post-bus. The risk seems acceptable to me. My major technical concern is the apparent paucity of documentation. So with the information which I presently have available to me, I'm thinking that this should go into 2.6.24. Is smack useful without a patched ls, sshd and init.d? What is the status of getting those userspace patches merged? ie: do you know who to send the diffs to, and are they likely to take them? What other userspace tools are likely to need patching? Notes on the code: - Please run scripts/checkpatch.pl across the diff. It generates 50-100 warnings about minor stylistic matters, and those warnings all look legit to me. (extern decls in C are my fave peeve). - Smack.txt and the website seem a bit skimpy. Is there enough documentation out there for someone to usefully (and, more importantly, safely) start using smack? - In his review of version 1, Andi suggested that your ruleset traversal be protected by RCU. But it seems that this wasn't done. Were the races which he identified fixed by other means? If so, what were they? - hm, netlabels. Who might be a suitable person to review that code? Seems that Paul Moore is the man. Maybe he'd be interested in taking a look over it (please?) - some parts of the code use the "smack_foo" naming convention and other parts use "smk_foo". Seems odd. Deliberate? - According to git-log, you haven't merged any kernel code at all in at least 5.5 years. This patch makes it look like you've been doing kernel full time for a decade. That thing in my hand is a hat. -
From: Andi Kleen Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 1:42 am 2007 > - Smack.txt and the website seem a bit skimpy. Is there enough > documentation out there for someone to usefully (and, more importantly, > safely) start using smack? Yes that's the important thing. > - In his review of version 1, Andi suggested that your ruleset traversal > be protected by RCU. But it seems that this wasn't done. Were the races > which he identified fixed by other means? If so, what were they? The issue was moot because rulesets never get removed in the current implementation. I had missed that. If that ever changes RCU would be likely needed though. > - hm, netlabels. Who might be a suitable person to review that code? > Seems that Paul Moore is the man. Maybe he'd be interested in taking a > look over it (please?) I personally consider these IP options it uses to be pretty useless. Who could ever use that without cryptographic authentication? Clearly when they were designed in the original IP spec long ago the designers didn't understand network security very well because the whole field was at its infancy. And CIPSO doesn't solve any of these fundamental issues. It assumes a trusted network which is a very dangerous assumption. I don't think that was in the original patch I looked at, I surely would have objected to it. Perhaps take the network part out? I guess SMACK would be useful locally even without questionable network support. -Andi -
From: Joshua Brindle Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 10:29 am 2007 Andi Kleen wrote: >> - hm, netlabels. Who might be a suitable person to review that code? >> Seems that Paul Moore is the man. Maybe he'd be interested in taking a >> look over it (please?) >> > > I personally consider these IP options it uses to be pretty useless. Who could > ever use that without cryptographic authentication? Clearly when they > were designed in the original IP spec long ago the designers didn't understand > network security very well because the whole field was at its infancy. And > CIPSO doesn't solve any of these fundamental issues. > > It assumes a trusted network which is a very dangerous assumption. I don't > think that was in the original patch I looked at, I surely would have > objected to it. > > Perhaps take the network part out? I guess SMACK would be useful > locally even without questionable network support. > CIPSO is supported on SELinux as well. It certainly has uses where IPSec is excessive. One example is someone I talked to recently that basically has a set of blade systems connected with a high speed backplane that looks like a network interface. CIPSO is useful in this case because they can't afford the overhead of IPSec but need to transfer the level of the connection to the other machines. The backplane is a trusted network and that isn't a dangerous assumption in this case. CIPSO also lets systems like SELinux and SMACK talk to other trusted systems (eg., trusted solaris) in a way they understand. I don't regularly support CIPSO as I believe IPSec labeling is more useful in more situations but that doesn't mean CIPSO is never useful. -
From: Andi Kleen Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 10:39 am 2007 > CIPSO is supported on SELinux as well. That's no reason to extend that design mistake. > It certainly has uses where IPSec > is excessive. One example is someone I talked to recently that basically > has a set of blade systems connected with a high speed backplane that > looks like a network interface. CIPSO is useful in this case because > they can't afford the overhead of IPSec but need to transfer the level > of the connection to the other machines. The backplane is a trusted > network and that isn't a dangerous assumption in this case. If one of the boxes gets broken in all are compromised this way? > CIPSO also lets systems like SELinux and SMACK talk to other trusted > systems (eg., trusted solaris) in a way they understand. Perhaps, but is the result secure? I have severe doubts. > I don't > regularly support CIPSO as I believe IPSec labeling is more useful in > more situations but that doesn't mean CIPSO is never useful. Security that isn't secure is not really useful. You might as well not bother. -Andi -
From: Theodore Tso Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 12:07 pm 2007 On Sun, Sep 30, 2007 at 07:39:57PM +0200, Andi Kleen wrote: > > CIPSO also lets systems like SELinux and SMACK talk to other trusted > > systems (eg., trusted solaris) in a way they understand. > > Perhaps, but is the result secure? I have severe doubts. As always, it depends on your environment. There are people who are using Linux systems where trusting the network makes sense. For example, if you're on a battleship, say, or all of the machines are in a cluster which is inside a Tempest-shielded machine room with a massive combination lock that you might find on a bank vault, or if you're environment where network cables are protected by pressurized pipes (so any attempt to tamper with or tap the cables causes a pressure drop which sets off the alarm which summons the Marines armed with M-16's...). (I've been inside classified machine rooms, which is why my laptop has the 'Unclassified' label on it; it's needed so people can easily eyeball it and know that I'm not allowed to connect it to any of the classified networks. And those are just the less serious machine rooms. In the really serious classified areas with the bank vault-like doors, and the copper-tinted windows, I'm not allowed to bring in an unclassified laptop at all --- and yes, Linux is being used in such environments. And yes, they do sometimes use IPSO and/or CIPSO.) > Security that isn't secure is not really useful. You might as well not > bother. There are different kinds of security. Not all of them involve cryptography and IPSEC. Some of them involve armed soldiers and air gap firewalls. :-) Yes, normally the network is outside the Trusted Computing Base (TCB), but a cluster of Linux machines in a rack is roughly the same size of a huge Unix server tens year ago --- and it's not like Ethernet is any more secure than the PCI bus. So why do we consider communications across a PCI bus secure even though they aren't encrypted? Why, because normally we assume the PCI bus is inside the trust boundary, and so we don't worry about bad guys tapping communications between the CPU and the hard drive on the PCI bus. But these days, it is obviously possible to create clusters where certain network interfaces are only connected to machines contained completely inside the trust boundary, just like a PCI bus in a traditional server. So don't be so quick to dismiss something like CIPSO out of hand, just because it doesn't use IPSEC. Regards, - Ted -
From: Andi Kleen Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 1:05 pm 2007 > Yes, normally the network is outside the Trusted Computing Base (TCB), Normally as in the 99.99999% case. > but a cluster of Linux machines in a rack is roughly the same size of > a huge Unix server tens year ago --- and it's not like Ethernet is any > more secure than the PCI bus. PCI busses normally don't have routers to networks outside the box connected to them. > So don't be so quick to dismiss something like > CIPSO out of hand, just because it doesn't use IPSEC. With your argumentation we could also just disable all security in these situations (as in null LSM to save some overhead); after all these systems are protected by armed guards. If someone gets past the guards they could connect their laptop to the network and fake all the "secured" packets. If you assume that won't happen why do you need computer security at all? Anyways; if someone wants to cripple their security for some performance this way they can surely do this; but i don't think we should offer it as a default configuration option (just as we don't have a CONFIG_NULL_LSM even though there are undoubtedly systems that don't care about permission checking[1]) -Andi [1] I bet I gave the linux-tiny crowd an idea now ;-) -
From: Theodore Tso Subject: Re: [PATCH] Version 3 (2.6.23-rc8) Smack: Simplified Mandatory Access Control Kernel Date: Sep 30, 1:22 pm 2007 On Sun, Sep 30, 2007 at 10:05:57PM +0200, Andi Kleen wrote: > > but a cluster of Linux machines in a rack is roughly the same size of > > a huge Unix server tens year ago --- and it's not like Ethernet is any > > more secure than the PCI bus. > > PCI busses normally don't have routers to networks outside the box connected > to them. The whole *point* is that the routers are interconnecting boxes inside the cluster, and none of them connect to the outside world. It's no different than a SCSI cable connecting to JBOD in a separate box, or a Fiber Channel router connected to a SAN network connecting to a storrage array. The SCSI or FC buses aren't encrypted either, and the in the Fiber channel case we have a router --- yet people aren't stressing out that we're not encrpying the traffic over the Storage Area Network? Why? Because it's understood the network stays inside the machine room. The same thing can true for Ethernet --- think iSCSI, for example. > > So don't be so quick to dismiss something like > > CIPSO out of hand, just because it doesn't use IPSEC. > > With your argumentation we could also just disable all security > in these situations (as in null LSM to save some overhead); after all these > systems are protected by armed guards. If someone gets past the guards > they could connect their laptop to the network and fake all the "secured" > packets. If you assume that won't happen why do you need computer security at all? If you get past all of the guards, you can usually reboot in single user mode, and get root anyway. If you have physical access to the computer, you're generally doomed anyway, unless you are willing to pay the cost of encrypting everything on every single disk platter. (And yes, in the more paranoid environments, where it's too expensive to have 7x24 armed guards, maybe that makes sense.) The point of something like CIPSO is because you want to label the packets so the otherside knows how they should be treated. We don't encrypt unix permission bits on most on-disk filesystems, either. Yet I haven't heard people saying that just because someone could break into a machine room, disconnect the JBOD from the computer, hook up the JBOD to their laptop, and futz with the Unix permission bits, rehook up the JBOD and reboot, that Unix permission bits are useless, and we should leave all files at mode 777 --- since clearly we're not secure against someone who can break into the machine room..... I *hope* that sounds absurd, right? - Ted -
Offline
SE-Linux
Yeah, but SE-Linux is coded by the guys at NSA.
It must be crazy secure and good quality.
mod parent +1 funny or +10
mod parent +1 funny or +10 troll ? hmm hard to choose.. :)