[mirror_ubuntu-bionic-kernel.git] / security / apparmor / capability.c

/*
 * AppArmor security module
 *
 * This file contains AppArmor capability mediation functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>
#include <linux/security.h>

#include "include/apparmor.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/policy.h"
#include "include/audit.h"

/*
 * Table of capability names: we generate it from capabilities.h.
 */
#include "capability_names.h"

struct aa_sfs_entry aa_sfs_entry_caps[] = {
	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
	{ }
};

struct audit_cache {
	struct aa_profile *profile;
	kernel_cap_t caps;
};

static DEFINE_PER_CPU(struct audit_cache, audit_cache);

/**
 * audit_cb - call back for capability components of audit struct
 * @ab - audit buffer   (NOT NULL)
 * @va - audit struct to audit data from  (NOT NULL)
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;

	audit_log_format(ab, " capname=");
	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
}

/**
 * audit_caps - audit a capability
 * @sa: audit data
 * @profile: profile being tested for confinement (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Do auditing of capability and handle, audit/complain/kill modes switching
 * and duplicate message elimination.
 *
 * Returns: 0 or sa->error on success,  error code on failure
 */
static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
		      int cap, int error)
{
	struct audit_cache *ent;
	int type = AUDIT_APPARMOR_AUTO;

	aad(sa)->error = error;

	if (likely(!error)) {
		/* test if auditing is being forced */
		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
			   !cap_raised(profile->caps.audit, cap)))
			return 0;
		type = AUDIT_APPARMOR_AUDIT;
	} else if (KILL_MODE(profile) ||
		   cap_raised(profile->caps.kill, cap)) {
		type = AUDIT_APPARMOR_KILL;
	} else if (cap_raised(profile->caps.quiet, cap) &&
		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		   AUDIT_MODE(profile) != AUDIT_ALL) {
		/* quiet auditing */
		return error;
	}

	/* Do simple duplicate message elimination */
	ent = &get_cpu_var(audit_cache);
	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
		put_cpu_var(audit_cache);
		if (COMPLAIN_MODE(profile))
			return complain_error(error);
		return error;
	} else {
		aa_put_profile(ent->profile);
		ent->profile = aa_get_profile(profile);
		cap_raise(ent->caps, cap);
	}
	put_cpu_var(audit_cache);

	return aa_audit(type, profile, sa, audit_cb);
}

/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced    (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 * @audit: whether an audit record should be generated
 * @sa: audit data (MAY BE NULL indicating no auditing)
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap, int audit,
			   struct common_audit_data *sa)
{
	int error;

	if (cap_raised(profile->caps.allow, cap) &&
	    !cap_raised(profile->caps.denied, cap))
		error = 0;
	else
		error = -EPERM;

	if (audit == SECURITY_CAP_NOAUDIT) {
		if (!COMPLAIN_MODE(profile))
			return error;
		/* audit the cap request in complain mode but note that it
		 * should be optional.
		 */
		aad(sa)->info = "optional: no audit";
	}

	return audit_caps(sa, profile, cap, error);
}

/**
 * aa_capable - test permission to use capability
 * @label: label being tested for capability (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up capability in profile capability set.
 *
 * Returns: 0 on success, or else an error code.
 */
int aa_capable(struct aa_label *label, int cap, int audit)
{
	struct aa_profile *profile;
	int error = 0;
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);

	sa.u.cap = cap;
	error = fn_for_each_confined(label, profile,
			profile_capable(profile, cap, audit, &sa));

	return error;
}
Commit	Line	Data
0ed3b28a JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor capability mediation functions
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/capability.h>
	16	#include <linux/errno.h>
	17	#include <linux/gfp.h>
12eb87d5	18	#include <linux/security.h>
0ed3b28a JJ	19
	20	#include "include/apparmor.h"
	21	#include "include/capability.h"
	22	#include "include/context.h"
	23	#include "include/policy.h"
	24	#include "include/audit.h"
	25
	26	/*
	27	* Table of capability names: we generate it from capabilities.h.
	28	*/
	29	#include "capability_names.h"
	30
c97204ba JJ	31	struct aa_sfs_entry aa_sfs_entry_caps[] = {
c97204ba JJ	32	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
84f1f787 JJ	33	{ }
	34	};
	35
0ed3b28a JJ	36	struct audit_cache {
	37	struct aa_profile *profile;
	38	kernel_cap_t caps;
	39	};
	40
	41	static DEFINE_PER_CPU(struct audit_cache, audit_cache);
	42
	43	/**
	44	* audit_cb - call back for capability components of audit struct
	45	* @ab - audit buffer (NOT NULL)
	46	* @va - audit struct to audit data from (NOT NULL)
	47	*/
	48	static void audit_cb(struct audit_buffer ab, void va)
	49	{
	50	struct common_audit_data *sa = va;
c70c86c4	51
0ed3b28a JJ	52	audit_log_format(ab, " capname=");
	53	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
	54	}
	55
	56	/**
	57	* audit_caps - audit a capability
c70c86c4	58	* @sa: audit data
dd0c6e86	59	* @profile: profile being tested for confinement (NOT NULL)
0ed3b28a JJ	60	* @cap: capability tested
	61	* @error: error code returned by test
	62	*
	63	* Do auditing of capability and handle, audit/complain/kill modes switching
	64	* and duplicate message elimination.
	65	*
	66	* Returns: 0 or sa->error on success, error code on failure
	67	*/
c70c86c4 JJ	68	static int audit_caps(struct common_audit_data sa, struct aa_profile profile,
c70c86c4 JJ	69	int cap, int error)
0ed3b28a JJ	70	{
	71	struct audit_cache *ent;
	72	int type = AUDIT_APPARMOR_AUTO;
c70c86c4 JJ	73
c70c86c4 JJ	74	aad(sa)->error = error;
0ed3b28a JJ	75
	76	if (likely(!error)) {
	77	/* test if auditing is being forced */
	78	if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
	79	!cap_raised(profile->caps.audit, cap)))
	80	return 0;
	81	type = AUDIT_APPARMOR_AUDIT;
	82	} else if (KILL_MODE(profile) \|\|
	83	cap_raised(profile->caps.kill, cap)) {
	84	type = AUDIT_APPARMOR_KILL;
	85	} else if (cap_raised(profile->caps.quiet, cap) &&
	86	AUDIT_MODE(profile) != AUDIT_NOQUIET &&
	87	AUDIT_MODE(profile) != AUDIT_ALL) {
	88	/* quiet auditing */
	89	return error;
	90	}
	91
	92	/* Do simple duplicate message elimination */
	93	ent = &get_cpu_var(audit_cache);
	94	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
	95	put_cpu_var(audit_cache);
	96	if (COMPLAIN_MODE(profile))
	97	return complain_error(error);
	98	return error;
	99	} else {
	100	aa_put_profile(ent->profile);
	101	ent->profile = aa_get_profile(profile);
	102	cap_raise(ent->caps, cap);
	103	}
	104	put_cpu_var(audit_cache);
	105
c70c86c4	106	return aa_audit(type, profile, sa, audit_cb);
0ed3b28a JJ	107	}
	108
	109	/**
	110	* profile_capable - test if profile allows use of capability @cap
	111	* @profile: profile being enforced (NOT NULL, NOT unconfined)
	112	* @cap: capability to test if allowed
c70c86c4 JJ	113	* @audit: whether an audit record should be generated
c70c86c4 JJ	114	* @sa: audit data (MAY BE NULL indicating no auditing)
0ed3b28a JJ	115	*
	116	* Returns: 0 if allowed else -EPERM
	117	*/
c70c86c4 JJ	118	static int profile_capable(struct aa_profile *profile, int cap, int audit,
c70c86c4 JJ	119	struct common_audit_data *sa)
0ed3b28a	120	{
c70c86c4 JJ	121	int error;
	122
	123	if (cap_raised(profile->caps.allow, cap) &&
	124	!cap_raised(profile->caps.denied, cap))
	125	error = 0;
	126	else
	127	error = -EPERM;
	128
	129	if (audit == SECURITY_CAP_NOAUDIT) {
	130	if (!COMPLAIN_MODE(profile))
	131	return error;
	132	/* audit the cap request in complain mode but note that it
	133	* should be optional.
	134	*/
	135	aad(sa)->info = "optional: no audit";
	136	}
	137
	138	return audit_caps(sa, profile, cap, error);
0ed3b28a JJ	139	}
	140
	141	/**
	142	* aa_capable - test permission to use capability
c70c86c4	143	* @label: label being tested for capability (NOT NULL)
0ed3b28a JJ	144	* @cap: capability to be tested
	145	* @audit: whether an audit record should be generated
	146	*
	147	* Look up capability in profile capability set.
	148	*
	149	* Returns: 0 on success, or else an error code.
	150	*/
c70c86c4	151	int aa_capable(struct aa_label *label, int cap, int audit)
0ed3b28a	152	{
c70c86c4 JJ	153	struct aa_profile *profile;
	154	int error = 0;
	155	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
0ed3b28a	156
c70c86c4 JJ	157	sa.u.cap = cap;
	158	error = fn_for_each_confined(label, profile,
	159	profile_capable(profile, cap, audit, &sa));
0ed3b28a	160
c70c86c4	161	return error;
0ed3b28a	162	}