]> git.ipfire.org Git - thirdparty/kernel/stable.git/blame - security/apparmor/lsm.c
projects / thirdparty / kernel / stable.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: add cross check permission helper macros
[thirdparty/kernel/stable.git] / security / apparmor / lsm.c
CommitLineData
b5e95b48
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor LSM hooks.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
3c4ed7bd 15#include <linux/lsm_hooks.h>
b5e95b48
JJ		 16#include <linux/moduleparam.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/mount.h>
20#include <linux/namei.h>
21#include <linux/ptrace.h>
22#include <linux/ctype.h>
23#include <linux/sysctl.h>
24#include <linux/audit.h>
3486740a 25#include <linux/user_namespace.h>
e025be0f 26#include <linux/kmemleak.h>
b5e95b48
JJ		 27#include <net/sock.h>
28
29#include "include/apparmor.h"
30#include "include/apparmorfs.h"
31#include "include/audit.h"
32#include "include/capability.h"
33#include "include/context.h"
34#include "include/file.h"
35#include "include/ipc.h"
36#include "include/path.h"
637f688d 37#include "include/label.h"
b5e95b48 38#include "include/policy.h"
cff281f6 39#include "include/policy_ns.h"
b5e95b48
JJ		 40#include "include/procattr.h"
41
42/* Flag indicating whether initialization completed */
545de8fe 43int apparmor_initialized;
b5e95b48 44
d4669f0b
JJ		 45DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
46
47
b5e95b48
JJ		 48/*
49 * LSM hook functions
50 */
51
52/*
637f688d 53 * free the associated aa_task_ctx and put its labels
b5e95b48
JJ		 54 */
55static void apparmor_cred_free(struct cred *cred)
56{
55a26ebf
JJ		 57 aa_free_task_context(cred_ctx(cred));
58 cred_ctx(cred) = NULL;
b5e95b48
JJ		 59}
60
61/*
62 * allocate the apparmor part of blank credentials
63 */
64static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
65{
66 /* freed by apparmor_cred_free */
55a26ebf
JJ		 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
68
69 if (!ctx)
b5e95b48
JJ		 70 return -ENOMEM;
71
55a26ebf 72 cred_ctx(cred) = ctx;
b5e95b48
JJ		 73 return 0;
74}
75
76/*
55a26ebf 77 * prepare new aa_task_ctx for modification by prepare_cred block
b5e95b48
JJ		 78 */
79static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
80 gfp_t gfp)
81{
82 /* freed by apparmor_cred_free */
55a26ebf
JJ		 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
84
85 if (!ctx)
b5e95b48
JJ		 86 return -ENOMEM;
87
55a26ebf
JJ		 88 aa_dup_task_context(ctx, cred_ctx(old));
89 cred_ctx(new) = ctx;
b5e95b48
JJ		 90 return 0;
91}
92
93/*
94 * transfer the apparmor data to a blank set of creds
95 */
96static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
97{
55a26ebf
JJ		 98 const struct aa_task_ctx *old_ctx = cred_ctx(old);
99 struct aa_task_ctx *new_ctx = cred_ctx(new);
b5e95b48 100
55a26ebf 101 aa_dup_task_context(new_ctx, old_ctx);
b5e95b48
JJ		 102}
103
104static int apparmor_ptrace_access_check(struct task_struct *child,
105 unsigned int mode)
106{
b5e95b48
JJ		 107 return aa_ptrace(current, child, mode);
108}
109
110static int apparmor_ptrace_traceme(struct task_struct *parent)
111{
b5e95b48
JJ		 112 return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
113}
114
115/* Derived from security/commoncap.c:cap_capget */
116static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
117 kernel_cap_t *inheritable, kernel_cap_t *permitted)
118{
637f688d 119 struct aa_label *label;
b5e95b48
JJ		 120 const struct cred *cred;
121
122 rcu_read_lock();
123 cred = __task_cred(target);
637f688d 124 label = aa_get_newest_cred_label(cred);
c70c86c4 125
b1d9e6b0
CS		 126 /*
127 * cap_capget is stacked ahead of this and will
128 * initialize effective and permitted.
129 */
c70c86c4
JJ		 130 if (!unconfined(label)) {
131 struct aa_profile *profile;
132 struct label_it i;
133
134 label_for_each_confined(i, label, profile) {
135 if (COMPLAIN_MODE(profile))
136 continue;
137 *effective = cap_intersect(*effective,
138 profile->caps.allow);
139 *permitted = cap_intersect(*permitted,
140 profile->caps.allow);
141 }
b5e95b48
JJ		 142 }
143 rcu_read_unlock();
637f688d 144 aa_put_label(label);
b5e95b48
JJ		 145
146 return 0;
147}
148
6a9de491
EP		 149static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
150 int cap, int audit)
b5e95b48 151{
637f688d 152 struct aa_label *label;
b1d9e6b0
CS		 153 int error = 0;
154
637f688d
JJ		 155 label = aa_get_newest_cred_label(cred);
156 if (!unconfined(label))
c70c86c4 157 error = aa_capable(label, cap, audit);
637f688d 158 aa_put_label(label);
cf797c0e 159
b5e95b48
JJ		 160 return error;
161}
162
163/**
164 * common_perm - basic common permission check wrapper fn for paths
165 * @op: operation being checked
166 * @path: path to check permission of (NOT NULL)
167 * @mask: requested permissions mask
168 * @cond: conditional info for the permission request (NOT NULL)
169 *
170 * Returns: %0 else error code if error or permission denied
171 */
47f6e5cc 172static int common_perm(const char *op, const struct path *path, u32 mask,
b5e95b48
JJ		 173 struct path_cond *cond)
174{
637f688d 175 struct aa_label *label;
b5e95b48
JJ		 176 int error = 0;
177
637f688d
JJ		 178 label = __begin_current_label_crit_section();
179 if (!unconfined(label))
180 error = aa_path_perm(op, labels_profile(label), path, 0, mask,
181 cond);
182 __end_current_label_crit_section(label);
b5e95b48
JJ		 183
184 return error;
185}
186
187/**
31f75bfe 188 * common_perm_cond - common permission wrapper around inode cond
b5e95b48 189 * @op: operation being checked
31f75bfe 190 * @path: location to check (NOT NULL)
b5e95b48 191 * @mask: requested permissions mask
b5e95b48
JJ		 192 *
193 * Returns: %0 else error code if error or permission denied
194 */
31f75bfe 195static int common_perm_cond(const char *op, const struct path *path, u32 mask)
b5e95b48 196{
31f75bfe
JJ		 197 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
198 d_backing_inode(path->dentry)->i_mode
199 };
b5e95b48 200
31f75bfe
JJ		 201 if (!path_mediated_fs(path->dentry))
202 return 0;
203
204 return common_perm(op, path, mask, &cond);
b5e95b48
JJ		 205}
206
207/**
31f75bfe 208 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
b5e95b48 209 * @op: operation being checked
31f75bfe
JJ		 210 * @dir: directory of the dentry (NOT NULL)
211 * @dentry: dentry to check (NOT NULL)
b5e95b48 212 * @mask: requested permissions mask
31f75bfe 213 * @cond: conditional info for the permission request (NOT NULL)
b5e95b48
JJ		 214 *
215 * Returns: %0 else error code if error or permission denied
216 */
31f75bfe
JJ		 217static int common_perm_dir_dentry(const char *op, const struct path *dir,
218 struct dentry *dentry, u32 mask,
219 struct path_cond *cond)
b5e95b48 220{
31f75bfe 221 struct path path = { .mnt = dir->mnt, .dentry = dentry };
b5e95b48 222
31f75bfe 223 return common_perm(op, &path, mask, cond);
b5e95b48
JJ		 224}
225
226/**
227 * common_perm_rm - common permission wrapper for operations doing rm
228 * @op: operation being checked
229 * @dir: directory that the dentry is in (NOT NULL)
230 * @dentry: dentry being rm'd (NOT NULL)
231 * @mask: requested permission mask
232 *
233 * Returns: %0 else error code if error or permission denied
234 */
47f6e5cc 235static int common_perm_rm(const char *op, const struct path *dir,
b5e95b48
JJ		 236 struct dentry *dentry, u32 mask)
237{
c6f493d6 238 struct inode *inode = d_backing_inode(dentry);
b5e95b48
JJ		 239 struct path_cond cond = { };
240
efeee83a 241 if (!inode || !path_mediated_fs(dentry))
b5e95b48
JJ		 242 return 0;
243
244 cond.uid = inode->i_uid;
245 cond.mode = inode->i_mode;
246
247 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
248}
249
250/**
251 * common_perm_create - common permission wrapper for operations doing create
252 * @op: operation being checked
253 * @dir: directory that dentry will be created in (NOT NULL)
254 * @dentry: dentry to create (NOT NULL)
255 * @mask: request permission mask
256 * @mode: created file mode
257 *
258 * Returns: %0 else error code if error or permission denied
259 */
47f6e5cc 260static int common_perm_create(const char *op, const struct path *dir,
d6b49f7a 261 struct dentry *dentry, u32 mask, umode_t mode)
b5e95b48
JJ		 262{
263 struct path_cond cond = { current_fsuid(), mode };
264
efeee83a 265 if (!path_mediated_fs(dir->dentry))
b5e95b48
JJ		 266 return 0;
267
268 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
269}
270
989f74e0 271static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 272{
273 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
274}
275
d3607752 276static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
4572befe 277 umode_t mode)
b5e95b48
JJ		 278{
279 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
280 S_IFDIR);
281}
282
989f74e0 283static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 284{
285 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
286}
287
d3607752 288static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
04fc66e7 289 umode_t mode, unsigned int dev)
b5e95b48
JJ		 290{
291 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
292}
293
81f4c506 294static int apparmor_path_truncate(const struct path *path)
b5e95b48 295{
e53cfe6c 296 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
b5e95b48
JJ		 297}
298
d3607752 299static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
b5e95b48
JJ		 300 const char *old_name)
301{
302 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
303 S_IFLNK);
304}
305
3ccee46a 306static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
b5e95b48
JJ		 307 struct dentry *new_dentry)
308{
637f688d 309 struct aa_label *label;
b5e95b48
JJ		 310 int error = 0;
311
efeee83a 312 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 313 return 0;
314
637f688d
JJ		 315 label = begin_current_label_crit_section();
316 if (!unconfined(label))
317 error = aa_path_link(labels_profile(label), old_dentry, new_dir,
318 new_dentry);
319 end_current_label_crit_section(label);
cf797c0e 320
b5e95b48
JJ		 321 return error;
322}
323
3ccee46a
AV		 324static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
325 const struct path *new_dir, struct dentry *new_dentry)
b5e95b48 326{
637f688d 327 struct aa_label *label;
b5e95b48
JJ		 328 int error = 0;
329
efeee83a 330 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 331 return 0;
332
637f688d
JJ		 333 label = begin_current_label_crit_section();
334 if (!unconfined(label)) {
8486adf0
KC		 335 struct path old_path = { .mnt = old_dir->mnt,
336 .dentry = old_dentry };
337 struct path new_path = { .mnt = new_dir->mnt,
338 .dentry = new_dentry };
c6f493d6
DH		 339 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
340 d_backing_inode(old_dentry)->i_mode
b5e95b48
JJ		 341 };
342
637f688d
JJ		 343 error = aa_path_perm(OP_RENAME_SRC, labels_profile(label),
344 &old_path, 0,
e53cfe6c
JJ		 345 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
346 AA_MAY_SETATTR | AA_MAY_DELETE,
b5e95b48
JJ		 347 &cond);
348 if (!error)
637f688d
JJ		 349 error = aa_path_perm(OP_RENAME_DEST,
350 labels_profile(label),
351 &new_path,
e53cfe6c 352 0, MAY_WRITE | AA_MAY_SETATTR |
b5e95b48
JJ		 353 AA_MAY_CREATE, &cond);
354
355 }
637f688d 356 end_current_label_crit_section(label);
cf797c0e 357
b5e95b48
JJ		 358 return error;
359}
360
be01f9f2 361static int apparmor_path_chmod(const struct path *path, umode_t mode)
b5e95b48 362{
31f75bfe 363 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
b5e95b48
JJ		 364}
365
7fd25dac 366static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
b5e95b48 367{
31f75bfe 368 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
b5e95b48
JJ		 369}
370
3f7036a0 371static int apparmor_inode_getattr(const struct path *path)
b5e95b48 372{
e53cfe6c 373 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
b5e95b48
JJ		 374}
375
83d49856 376static int apparmor_file_open(struct file *file, const struct cred *cred)
b5e95b48 377{
637f688d
JJ		 378 struct aa_file_ctx *fctx = file_ctx(file);
379 struct aa_label *label;
b5e95b48
JJ		 380 int error = 0;
381
efeee83a 382 if (!path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 383 return 0;
384
385 /* If in exec, permission is handled by bprm hooks.
386 * Cache permissions granted by the previous exec check, with
387 * implicit read and executable mmap which are required to
388 * actually execute the image.
389 */
390 if (current->in_execve) {
55a26ebf 391 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
b5e95b48
JJ		 392 return 0;
393 }
394
637f688d
JJ		 395 label = aa_get_newest_cred_label(cred);
396 if (!unconfined(label)) {
496ad9aa 397 struct inode *inode = file_inode(file);
b5e95b48
JJ		 398 struct path_cond cond = { inode->i_uid, inode->i_mode };
399
637f688d
JJ		 400 error = aa_path_perm(OP_OPEN, labels_profile(label),
401 &file->f_path, 0,
b5e95b48
JJ		 402 aa_map_file_to_perms(file), &cond);
403 /* todo cache full allowed permissions set and state */
55a26ebf 404 fctx->allow = aa_map_file_to_perms(file);
b5e95b48 405 }
637f688d 406 aa_put_label(label);
b5e95b48
JJ		 407
408 return error;
409}
410
411static int apparmor_file_alloc_security(struct file *file)
412{
cf797c0e
JJ		 413 int error = 0;
414
b5e95b48 415 /* freed by apparmor_file_free_security */
637f688d 416 struct aa_label *label = begin_current_label_crit_section();
2835a13b
JJ		 417 file->f_security = aa_alloc_file_ctx(GFP_KERNEL);
418 if (!file_ctx(file))
419 error = -ENOMEM;
637f688d 420 end_current_label_crit_section(label);
b5e95b48 421
cf797c0e 422 return error;
b5e95b48
JJ		 423}
424
425static void apparmor_file_free_security(struct file *file)
426{
2835a13b 427 aa_free_file_ctx(file_ctx(file));
b5e95b48
JJ		 428}
429
47f6e5cc 430static int common_file_perm(const char *op, struct file *file, u32 mask)
b5e95b48 431{
55a26ebf 432 struct aa_file_ctx *fctx = file->f_security;
637f688d 433 struct aa_label *label, *flabel;
b5e95b48
JJ		 434 int error = 0;
435
192ca6b5
JJ		 436 /* don't reaudit files closed during inheritance */
437 if (file->f_path.dentry == aa_null.dentry)
438 return -EACCES;
439
637f688d
JJ		 440 flabel = aa_cred_raw_label(file->f_cred);
441 AA_BUG(!flabel);
b5e95b48
JJ		 442
443 if (!file->f_path.mnt ||
efeee83a 444 !path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 445 return 0;
446
637f688d 447 label = __begin_current_label_crit_section();
b5e95b48
JJ		 448
449 /* revalidate access, if task is unconfined, or the cached cred
450 * doesn't match or if the request is for more permissions than
451 * was granted.
452 *
453 * Note: the test for !unconfined(fprofile) is to handle file
454 * delegation from unconfined tasks
455 */
637f688d
JJ		 456 if (!unconfined(label) && !unconfined(flabel) &&
457 ((flabel != label) || (mask & ~fctx->allow)))
458 error = aa_file_perm(op, labels_profile(label), file, mask);
459 __end_current_label_crit_section(label);
b5e95b48
JJ		 460
461 return error;
462}
463
464static int apparmor_file_permission(struct file *file, int mask)
465{
466 return common_file_perm(OP_FPERM, file, mask);
467}
468
469static int apparmor_file_lock(struct file *file, unsigned int cmd)
470{
471 u32 mask = AA_MAY_LOCK;
472
473 if (cmd == F_WRLCK)
474 mask |= MAY_WRITE;
475
476 return common_file_perm(OP_FLOCK, file, mask);
477}
478
47f6e5cc 479static int common_mmap(const char *op, struct file *file, unsigned long prot,
b5e95b48
JJ		 480 unsigned long flags)
481{
b5e95b48
JJ		 482 int mask = 0;
483
637f688d 484 if (!file || !file_ctx(file))
b5e95b48
JJ		 485 return 0;
486
487 if (prot & PROT_READ)
488 mask |= MAY_READ;
489 /*
490 * Private mappings don't require write perms since they don't
491 * write back to the files
492 */
493 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
494 mask |= MAY_WRITE;
495 if (prot & PROT_EXEC)
496 mask |= AA_EXEC_MMAP;
497
b5e95b48
JJ		 498 return common_file_perm(op, file, mask);
499}
500
e5467859
AV		 501static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
502 unsigned long prot, unsigned long flags)
b5e95b48 503{
b5e95b48
JJ		 504 return common_mmap(OP_FMMAP, file, prot, flags);
505}
506
507static int apparmor_file_mprotect(struct vm_area_struct *vma,
508 unsigned long reqprot, unsigned long prot)
509{
510 return common_mmap(OP_FMPROT, vma->vm_file, prot,
511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
512}
513
514static int apparmor_getprocattr(struct task_struct *task, char *name,
515 char **value)
516{
517 int error = -ENOENT;
b5e95b48
JJ		 518 /* released below */
519 const struct cred *cred = get_task_cred(task);
55a26ebf 520 struct aa_task_ctx *ctx = cred_ctx(cred);
637f688d 521 struct aa_label *label = NULL;
b5e95b48
JJ		 522
523 if (strcmp(name, "current") == 0)
637f688d 524 label = aa_get_newest_label(ctx->label);
55a26ebf 525 else if (strcmp(name, "prev") == 0 && ctx->previous)
637f688d 526 label = aa_get_newest_label(ctx->previous);
55a26ebf 527 else if (strcmp(name, "exec") == 0 && ctx->onexec)
637f688d 528 label = aa_get_newest_label(ctx->onexec);
b5e95b48
JJ		 529 else
530 error = -EINVAL;
531
637f688d 532 if (label)
76a1d263 533 error = aa_getprocattr(label, value);
77b071b3 534
637f688d 535 aa_put_label(label);
b5e95b48
JJ		 536 put_cred(cred);
537
538 return error;
539}
540
b21507e2
SS		 541static int apparmor_setprocattr(const char *name, void *value,
542 size_t size)
b5e95b48 543{
e89b8081 544 char *command, *largs = NULL, *args = value;
b5e95b48
JJ		 545 size_t arg_size;
546 int error;
ef88a7ac 547 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
b5e95b48
JJ		 548
549 if (size == 0)
550 return -EINVAL;
b5e95b48 551
e89b8081
VN		 552 /* AppArmor requires that the buffer must be null terminated atm */
553 if (args[size - 1] != '\0') {
554 /* null terminate */
555 largs = args = kmalloc(size + 1, GFP_KERNEL);
556 if (!args)
557 return -ENOMEM;
558 memcpy(args, value, size);
559 args[size] = '\0';
560 }
561
562 error = -EINVAL;
b5e95b48
JJ		 563 args = strim(args);
564 command = strsep(&args, " ");
565 if (!args)
e89b8081 566 goto out;
b5e95b48
JJ		 567 args = skip_spaces(args);
568 if (!*args)
e89b8081 569 goto out;
b5e95b48 570
d4d03f74 571 arg_size = size - (args - (largs ? largs : (char *) value));
b5e95b48
JJ		 572 if (strcmp(name, "current") == 0) {
573 if (strcmp(command, "changehat") == 0) {
574 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 575 AA_CHANGE_NOFLAGS);
b5e95b48
JJ		 576 } else if (strcmp(command, "permhat") == 0) {
577 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 578 AA_CHANGE_TEST);
b5e95b48 579 } else if (strcmp(command, "changeprofile") == 0) {
df8073c6 580 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
b5e95b48 581 } else if (strcmp(command, "permprofile") == 0) {
df8073c6 582 error = aa_change_profile(args, AA_CHANGE_TEST);
3eea57c2
JJ		 583 } else
584 goto fail;
b5e95b48 585 } else if (strcmp(name, "exec") == 0) {
3eea57c2 586 if (strcmp(command, "exec") == 0)
df8073c6 587 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
3eea57c2
JJ		 588 else
589 goto fail;
590 } else
b5e95b48 591 /* only support the "current" and "exec" process attributes */
e89b8081 592 goto fail;
3eea57c2 593
b5e95b48
JJ		 594 if (!error)
595 error = size;
e89b8081
VN		 596out:
597 kfree(largs);
b5e95b48 598 return error;
3eea57c2
JJ		 599
600fail:
637f688d 601 aad(&sa)->label = begin_current_label_crit_section();
ef88a7ac
JJ		 602 aad(&sa)->info = name;
603 aad(&sa)->error = error = -EINVAL;
3eea57c2 604 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
637f688d 605 end_current_label_crit_section(aad(&sa)->label);
e89b8081 606 goto out;
b5e95b48
JJ		 607}
608
fe864821
JJ		 609/**
610 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
611 * @bprm: binprm for the exec (NOT NULL)
612 */
613static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
614{
637f688d 615 struct aa_label *label = aa_current_raw_label();
fe864821
JJ		 616 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);
617
618 /* bail out if unconfined or not changing profile */
637f688d
JJ		 619 if ((new_ctx->label->proxy == label->proxy) ||
620 (unconfined(new_ctx->label)))
fe864821
JJ		 621 return;
622
192ca6b5
JJ		 623 aa_inherit_files(bprm->cred, current->files);
624
fe864821
JJ		 625 current->pdeath_signal = 0;
626
637f688d 627 /* reset soft limits and set hard limits for the new label */
86b92cb7 628 __aa_transition_rlimits(label, new_ctx->label);
fe864821
JJ		 629}
630
631/**
632 * apparmor_bprm_committed_cred - do cleanup after new creds committed
633 * @bprm: binprm for the exec (NOT NULL)
634 */
635static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
636{
637 /* TODO: cleanup signals - ipc mediation */
638 return;
639}
640
7cb4dc9f
JS		 641static int apparmor_task_setrlimit(struct task_struct *task,
642 unsigned int resource, struct rlimit *new_rlim)
b5e95b48 643{
637f688d 644 struct aa_label *label = __begin_current_label_crit_section();
b5e95b48
JJ		 645 int error = 0;
646
637f688d 647 if (!unconfined(label))
86b92cb7 648 error = aa_task_setrlimit(label, task, resource, new_rlim);
637f688d 649 __end_current_label_crit_section(label);
b5e95b48
JJ		 650
651 return error;
652}
653
ca97d939 654static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
e20b043a
CS		 655 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
656 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
657 LSM_HOOK_INIT(capget, apparmor_capget),
658 LSM_HOOK_INIT(capable, apparmor_capable),
659
660 LSM_HOOK_INIT(path_link, apparmor_path_link),
661 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
662 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
663 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
664 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
665 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
666 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
667 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
668 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
669 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
670 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
671
672 LSM_HOOK_INIT(file_open, apparmor_file_open),
673 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
674 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
675 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
676 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
e20b043a
CS		 677 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
678 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
679
680 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
681 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
682
683 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
684 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
685 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
686 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
687
688 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
689 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
690 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
691 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
692
693 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
b5e95b48
JJ		 694};
695
696/*
697 * AppArmor sysfs module parameters
698 */
699
101d6c82
SR		 700static int param_set_aabool(const char *val, const struct kernel_param *kp);
701static int param_get_aabool(char *buffer, const struct kernel_param *kp);
b8aa09fd 702#define param_check_aabool param_check_bool
9c27847d 703static const struct kernel_param_ops param_ops_aabool = {
6a4c2643 704 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 705 .set = param_set_aabool,
706 .get = param_get_aabool
707};
b5e95b48 708
101d6c82
SR		 709static int param_set_aauint(const char *val, const struct kernel_param *kp);
710static int param_get_aauint(char *buffer, const struct kernel_param *kp);
b8aa09fd 711#define param_check_aauint param_check_uint
9c27847d 712static const struct kernel_param_ops param_ops_aauint = {
101d6c82
SR		 713 .set = param_set_aauint,
714 .get = param_get_aauint
715};
b5e95b48 716
101d6c82
SR		 717static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
718static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
b8aa09fd 719#define param_check_aalockpolicy param_check_bool
9c27847d 720static const struct kernel_param_ops param_ops_aalockpolicy = {
6a4c2643 721 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 722 .set = param_set_aalockpolicy,
723 .get = param_get_aalockpolicy
724};
b5e95b48
JJ		 725
726static int param_set_audit(const char *val, struct kernel_param *kp);
727static int param_get_audit(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 728
729static int param_set_mode(const char *val, struct kernel_param *kp);
730static int param_get_mode(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 731
732/* Flag values, also controllable via /sys/module/apparmor/parameters
733 * We define special types as we want to do additional mediation.
734 */
735
736/* AppArmor global enforcement switch - complain, enforce, kill */
737enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
738module_param_call(mode, param_set_mode, param_get_mode,
739 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
740
6059f71f 741/* whether policy verification hashing is enabled */
7616ac70 742bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
3ccb76c5 743#ifdef CONFIG_SECURITY_APPARMOR_HASH
6059f71f 744module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
7616ac70 745#endif
6059f71f 746
b5e95b48 747/* Debug mode */
eea7a05f 748bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
b5e95b48
JJ		 749module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
750
751/* Audit mode */
752enum audit_mode aa_g_audit;
753module_param_call(audit, param_set_audit, param_get_audit,
754 &aa_g_audit, S_IRUSR | S_IWUSR);
755
756/* Determines if audit header is included in audited messages. This
757 * provides more context if the audit daemon is not running
758 */
90ab5ee9 759bool aa_g_audit_header = 1;
b5e95b48
JJ		 760module_param_named(audit_header, aa_g_audit_header, aabool,
761 S_IRUSR | S_IWUSR);
762
763/* lock out loading/removal of policy
764 * TODO: add in at boot loading of policy, which is the only way to
765 * load policy, if lock_policy is set
766 */
90ab5ee9 767bool aa_g_lock_policy;
b5e95b48
JJ		 768module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
769 S_IRUSR | S_IWUSR);
770
771/* Syscall logging mode */
90ab5ee9 772bool aa_g_logsyscall;
b5e95b48
JJ		 773module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
774
775/* Maximum pathname length before accesses will start getting rejected */
776unsigned int aa_g_path_max = 2 * PATH_MAX;
622f6e32 777module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
b5e95b48
JJ		 778
779/* Determines how paranoid loading of policy is and how much verification
780 * on the loaded policy is done.
abbf8734
JJ		 781 * DEPRECATED: read only as strict checking of load is always done now
782 * that none root users (user namespaces) can load policy.
b5e95b48 783 */
90ab5ee9 784bool aa_g_paranoid_load = 1;
abbf8734 785module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
b5e95b48
JJ		 786
787/* Boot time disable flag */
90ab5ee9 788static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
c611616c 789module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
b5e95b48
JJ		 790
791static int __init apparmor_enabled_setup(char *str)
792{
793 unsigned long enabled;
29707b20 794 int error = kstrtoul(str, 0, &enabled);
b5e95b48
JJ		 795 if (!error)
796 apparmor_enabled = enabled ? 1 : 0;
797 return 1;
798}
799
800__setup("apparmor=", apparmor_enabled_setup);
801
802/* set global flag turning off the ability to load policy */
101d6c82 803static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
b5e95b48 804{
545de8fe
JJ		 805 if (!apparmor_enabled)
806 return -EINVAL;
807 if (apparmor_initialized && !policy_admin_capable(NULL))
b5e95b48 808 return -EPERM;
b5e95b48
JJ		 809 return param_set_bool(val, kp);
810}
811
101d6c82 812static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
b5e95b48 813{
ca4bd5ae
JJ		 814 if (!apparmor_enabled)
815 return -EINVAL;
545de8fe
JJ		 816 if (apparmor_initialized && !policy_view_capable(NULL))
817 return -EPERM;
b5e95b48
JJ		 818 return param_get_bool(buffer, kp);
819}
820
101d6c82 821static int param_set_aabool(const char *val, const struct kernel_param *kp)
b5e95b48 822{
ca4bd5ae
JJ		 823 if (!apparmor_enabled)
824 return -EINVAL;
545de8fe
JJ		 825 if (apparmor_initialized && !policy_admin_capable(NULL))
826 return -EPERM;
b5e95b48
JJ		 827 return param_set_bool(val, kp);
828}
829
101d6c82 830static int param_get_aabool(char *buffer, const struct kernel_param *kp)
b5e95b48 831{
ca4bd5ae
JJ		 832 if (!apparmor_enabled)
833 return -EINVAL;
545de8fe
JJ		 834 if (apparmor_initialized && !policy_view_capable(NULL))
835 return -EPERM;
b5e95b48
JJ		 836 return param_get_bool(buffer, kp);
837}
838
101d6c82 839static int param_set_aauint(const char *val, const struct kernel_param *kp)
b5e95b48 840{
39d84824
JJ		 841 int error;
842
ca4bd5ae
JJ		 843 if (!apparmor_enabled)
844 return -EINVAL;
39d84824
JJ		 845 /* file is ro but enforce 2nd line check */
846 if (apparmor_initialized)
545de8fe 847 return -EPERM;
39d84824
JJ		 848
849 error = param_set_uint(val, kp);
850 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
851
852 return error;
b5e95b48
JJ		 853}
854
101d6c82 855static int param_get_aauint(char *buffer, const struct kernel_param *kp)
b5e95b48 856{
ca4bd5ae
JJ		 857 if (!apparmor_enabled)
858 return -EINVAL;
545de8fe
JJ		 859 if (apparmor_initialized && !policy_view_capable(NULL))
860 return -EPERM;
b5e95b48
JJ		 861 return param_get_uint(buffer, kp);
862}
863
864static int param_get_audit(char *buffer, struct kernel_param *kp)
865{
b5e95b48
JJ		 866 if (!apparmor_enabled)
867 return -EINVAL;
545de8fe
JJ		 868 if (apparmor_initialized && !policy_view_capable(NULL))
869 return -EPERM;
b5e95b48
JJ		 870 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
871}
872
873static int param_set_audit(const char *val, struct kernel_param *kp)
874{
875 int i;
b5e95b48
JJ		 876
877 if (!apparmor_enabled)
878 return -EINVAL;
b5e95b48
JJ		 879 if (!val)
880 return -EINVAL;
545de8fe
JJ		 881 if (apparmor_initialized && !policy_admin_capable(NULL))
882 return -EPERM;
b5e95b48
JJ		 883
884 for (i = 0; i < AUDIT_MAX_INDEX; i++) {
885 if (strcmp(val, audit_mode_names[i]) == 0) {
886 aa_g_audit = i;
887 return 0;
888 }
889 }
890
891 return -EINVAL;
892}
893
894static int param_get_mode(char *buffer, struct kernel_param *kp)
895{
b5e95b48
JJ		 896 if (!apparmor_enabled)
897 return -EINVAL;
545de8fe
JJ		 898 if (apparmor_initialized && !policy_view_capable(NULL))
899 return -EPERM;
b5e95b48 900
0d259f04 901 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
b5e95b48
JJ		 902}
903
904static int param_set_mode(const char *val, struct kernel_param *kp)
905{
906 int i;
b5e95b48
JJ		 907
908 if (!apparmor_enabled)
909 return -EINVAL;
b5e95b48
JJ		 910 if (!val)
911 return -EINVAL;
545de8fe
JJ		 912 if (apparmor_initialized && !policy_admin_capable(NULL))
913 return -EPERM;
b5e95b48 914
0d259f04
JJ		 915 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
916 if (strcmp(val, aa_profile_mode_names[i]) == 0) {
b5e95b48
JJ		 917 aa_g_profile_mode = i;
918 return 0;
919 }
920 }
921
922 return -EINVAL;
923}
924
925/*
926 * AppArmor init functions
927 */
928
929/**
55a26ebf 930 * set_init_ctx - set a task context and profile on the first task.
b5e95b48
JJ		 931 *
932 * TODO: allow setting an alternate profile than unconfined
933 */
55a26ebf 934static int __init set_init_ctx(void)
b5e95b48
JJ		 935{
936 struct cred *cred = (struct cred *)current->real_cred;
55a26ebf 937 struct aa_task_ctx *ctx;
b5e95b48 938
55a26ebf
JJ		 939 ctx = aa_alloc_task_context(GFP_KERNEL);
940 if (!ctx)
b5e95b48
JJ		 941 return -ENOMEM;
942
637f688d 943 ctx->label = aa_get_label(ns_unconfined(root_ns));
55a26ebf 944 cred_ctx(cred) = ctx;
b5e95b48
JJ		 945
946 return 0;
947}
948
d4669f0b
JJ		 949static void destroy_buffers(void)
950{
951 u32 i, j;
952
953 for_each_possible_cpu(i) {
954 for_each_cpu_buffer(j) {
955 kfree(per_cpu(aa_buffers, i).buf[j]);
956 per_cpu(aa_buffers, i).buf[j] = NULL;
957 }
958 }
959}
960
961static int __init alloc_buffers(void)
962{
963 u32 i, j;
964
965 for_each_possible_cpu(i) {
966 for_each_cpu_buffer(j) {
967 char *buffer;
968
969 if (cpu_to_node(i) > num_online_nodes())
970 /* fallback to kmalloc for offline nodes */
971 buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
972 else
973 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
974 cpu_to_node(i));
975 if (!buffer) {
976 destroy_buffers();
977 return -ENOMEM;
978 }
979 per_cpu(aa_buffers, i).buf[j] = buffer;
980 }
981 }
982
983 return 0;
984}
985
e3ea1ca5
TH		 986#ifdef CONFIG_SYSCTL
987static int apparmor_dointvec(struct ctl_table *table, int write,
988 void __user *buffer, size_t *lenp, loff_t *ppos)
989{
990 if (!policy_admin_capable(NULL))
991 return -EPERM;
992 if (!apparmor_enabled)
993 return -EINVAL;
994
995 return proc_dointvec(table, write, buffer, lenp, ppos);
996}
997
998static struct ctl_path apparmor_sysctl_path[] = {
999 { .procname = "kernel", },
1000 { }
1001};
1002
1003static struct ctl_table apparmor_sysctl_table[] = {
1004 {
1005 .procname = "unprivileged_userns_apparmor_policy",
1006 .data = &unprivileged_userns_apparmor_policy,
1007 .maxlen = sizeof(int),
1008 .mode = 0600,
1009 .proc_handler = apparmor_dointvec,
1010 },
1011 { }
1012};
1013
1014static int __init apparmor_init_sysctl(void)
1015{
1016 return register_sysctl_paths(apparmor_sysctl_path,
1017 apparmor_sysctl_table) ? 0 : -ENOMEM;
1018}
1019#else
1020static inline int apparmor_init_sysctl(void)
1021{
1022 return 0;
1023}
1024#endif /* CONFIG_SYSCTL */
1025
b5e95b48
JJ		 1026static int __init apparmor_init(void)
1027{
1028 int error;
1029
b1d9e6b0 1030 if (!apparmor_enabled || !security_module_enable("apparmor")) {
b5e95b48
JJ		 1031 aa_info_message("AppArmor disabled by boot time parameter");
1032 apparmor_enabled = 0;
1033 return 0;
1034 }
1035
11c236b8
JJ		 1036 error = aa_setup_dfa_engine();
1037 if (error) {
1038 AA_ERROR("Unable to setup dfa engine\n");
1039 goto alloc_out;
1040 }
1041
b5e95b48
JJ		 1042 error = aa_alloc_root_ns();
1043 if (error) {
1044 AA_ERROR("Unable to allocate default profile namespace\n");
1045 goto alloc_out;
1046 }
1047
e3ea1ca5
TH		 1048 error = apparmor_init_sysctl();
1049 if (error) {
1050 AA_ERROR("Unable to register sysctls\n");
1051 goto alloc_out;
1052
1053 }
1054
d4669f0b
JJ		 1055 error = alloc_buffers();
1056 if (error) {
1057 AA_ERROR("Unable to allocate work buffers\n");
1058 goto buffers_out;
1059 }
1060
55a26ebf 1061 error = set_init_ctx();
b5e95b48
JJ		 1062 if (error) {
1063 AA_ERROR("Failed to set context on init task\n");
b1d9e6b0 1064 aa_free_root_ns();
d4669f0b 1065 goto buffers_out;
b5e95b48 1066 }
d69dece5
CS		 1067 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1068 "apparmor");
b5e95b48
JJ		 1069
1070 /* Report that AppArmor successfully initialized */
1071 apparmor_initialized = 1;
1072 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1073 aa_info_message("AppArmor initialized: complain mode enabled");
1074 else if (aa_g_profile_mode == APPARMOR_KILL)
1075 aa_info_message("AppArmor initialized: kill mode enabled");
1076 else
1077 aa_info_message("AppArmor initialized");
1078
1079 return error;
1080
d4669f0b
JJ		 1081buffers_out:
1082 destroy_buffers();
1083
b5e95b48
JJ		 1084alloc_out:
1085 aa_destroy_aafs();
11c236b8 1086 aa_teardown_dfa_engine();
b5e95b48
JJ		 1087
1088 apparmor_enabled = 0;
1089 return error;
b5e95b48
JJ		 1090}
1091
1092security_initcall(apparmor_init);
Mirror https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git