]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/apparmor/domain.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: update aa_audit_file() to use labels
[mirror_ubuntu-bionic-kernel.git] / security / apparmor / domain.c
CommitLineData
898127c3
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy attachment and domain transitions
5 *
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/errno.h>
16#include <linux/fdtable.h>
17#include <linux/file.h>
18#include <linux/mount.h>
19#include <linux/syscalls.h>
20#include <linux/tracehook.h>
21#include <linux/personality.h>
22
23#include "include/audit.h"
24#include "include/apparmorfs.h"
25#include "include/context.h"
26#include "include/domain.h"
27#include "include/file.h"
28#include "include/ipc.h"
29#include "include/match.h"
30#include "include/path.h"
31#include "include/policy.h"
cff281f6 32#include "include/policy_ns.h"
898127c3
JJ		 33
34/**
35 * aa_free_domain_entries - free entries in a domain table
36 * @domain: the domain table to free (MAYBE NULL)
37 */
38void aa_free_domain_entries(struct aa_domain *domain)
39{
40 int i;
41 if (domain) {
42 if (!domain->table)
43 return;
44
45 for (i = 0; i < domain->size; i++)
46 kzfree(domain->table[i]);
47 kzfree(domain->table);
48 domain->table = NULL;
49 }
50}
51
52/**
53 * may_change_ptraced_domain - check if can change profile on ptraced task
b2d09ae4
JJ		 54 * @to_label: profile to change to (NOT NULL)
55 * @info: message if there is an error
898127c3 56 *
51775fe7 57 * Check if current is ptraced and if so if the tracing task is allowed
898127c3
JJ		 58 * to trace the new domain
59 *
60 * Returns: %0 or error if change not allowed
61 */
b2d09ae4
JJ		 62static int may_change_ptraced_domain(struct aa_label *to_label,
63 const char **info)
898127c3
JJ		 64{
65 struct task_struct *tracer;
637f688d 66 struct aa_label *tracerl = NULL;
898127c3
JJ		 67 int error = 0;
68
69 rcu_read_lock();
51775fe7 70 tracer = ptrace_parent(current);
3cfcc19e 71 if (tracer)
898127c3 72 /* released below */
637f688d 73 tracerl = aa_get_task_label(tracer);
898127c3
JJ		 74
75 /* not ptraced */
637f688d 76 if (!tracer || unconfined(tracerl))
898127c3
JJ		 77 goto out;
78
b2d09ae4 79 error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
898127c3
JJ		 80
81out:
04fdc099 82 rcu_read_unlock();
637f688d 83 aa_put_label(tracerl);
898127c3 84
b2d09ae4
JJ		 85 if (error)
86 *info = "ptrace prevents transition";
898127c3
JJ		 87 return error;
88}
89
90/**
91 * change_profile_perms - find permissions for change_profile
92 * @profile: the current profile (NOT NULL)
93 * @ns: the namespace being switched to (NOT NULL)
94 * @name: the name of the profile to change to (NOT NULL)
95 * @request: requested perms
96 * @start: state to start matching in
97 *
98 * Returns: permission set
99 */
2d679f3c
JJ		 100static struct aa_perms change_profile_perms(struct aa_profile *profile,
101 struct aa_ns *ns,
102 const char *name, u32 request,
103 unsigned int start)
898127c3 104{
2d679f3c 105 struct aa_perms perms;
898127c3
JJ		 106 struct path_cond cond = { };
107 unsigned int state;
108
637f688d 109 if (profile_unconfined(profile)) {
898127c3
JJ		 110 perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
111 perms.audit = perms.quiet = perms.kill = 0;
112 return perms;
113 } else if (!profile->file.dfa) {
114 return nullperms;
115 } else if ((ns == profile->ns)) {
116 /* try matching against rules with out namespace prepended */
117 aa_str_perms(profile->file.dfa, start, name, &cond, &perms);
118 if (COMBINED_PERM_MASK(perms) & request)
119 return perms;
120 }
121
122 /* try matching with namespace name and then profile */
123 state = aa_dfa_match(profile->file.dfa, start, ns->base.name);
124 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
125 aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
126
127 return perms;
128}
129
130/**
131 * __attach_match_ - find an attachment match
132 * @name - to match against (NOT NULL)
133 * @head - profile list to walk (NOT NULL)
134 *
135 * Do a linear search on the profiles in the list. There is a matching
136 * preference where an exact match is preferred over a name which uses
137 * expressions to match, and matching expressions with the greatest
138 * xmatch_len are preferred.
139 *
140 * Requires: @head not be shared or have appropriate locks held
141 *
142 * Returns: profile or NULL if no match found
143 */
144static struct aa_profile *__attach_match(const char *name,
145 struct list_head *head)
146{
147 int len = 0;
148 struct aa_profile *profile, *candidate = NULL;
149
01e2b670 150 list_for_each_entry_rcu(profile, head, base.list) {
637f688d 151 if (profile->label.flags & FLAG_NULL)
898127c3
JJ		 152 continue;
153 if (profile->xmatch && profile->xmatch_len > len) {
154 unsigned int state = aa_dfa_match(profile->xmatch,
155 DFA_START, name);
156 u32 perm = dfa_user_allow(profile->xmatch, state);
157 /* any accepting state means a valid match. */
158 if (perm & MAY_EXEC) {
159 candidate = profile;
160 len = profile->xmatch_len;
161 }
162 } else if (!strcmp(profile->base.name, name))
163 /* exact non-re match, no more searching required */
164 return profile;
165 }
166
167 return candidate;
168}
169
170/**
171 * find_attach - do attachment search for unconfined processes
172 * @ns: the current namespace (NOT NULL)
173 * @list: list to search (NOT NULL)
174 * @name: the executable name to match against (NOT NULL)
175 *
176 * Returns: profile or NULL if no match found
177 */
98849dff 178static struct aa_profile *find_attach(struct aa_ns *ns,
898127c3
JJ		 179 struct list_head *list, const char *name)
180{
181 struct aa_profile *profile;
182
01e2b670 183 rcu_read_lock();
898127c3 184 profile = aa_get_profile(__attach_match(name, list));
01e2b670 185 rcu_read_unlock();
898127c3
JJ		 186
187 return profile;
188}
189
190/**
191 * separate_fqname - separate the namespace and profile names
192 * @fqname: the fqname name to split (NOT NULL)
193 * @ns_name: the namespace name if it exists (NOT NULL)
194 *
195 * This is the xtable equivalent routine of aa_split_fqname. It finds the
196 * split in an xtable fqname which contains an embedded \0 instead of a :
197 * if a namespace is specified. This is done so the xtable is constant and
198 * isn't re-split on every lookup.
199 *
200 * Either the profile or namespace name may be optional but if the namespace
201 * is specified the profile name termination must be present. This results
202 * in the following possible encodings:
203 * profile_name\0
204 * :ns_name\0profile_name\0
205 * :ns_name\0\0
206 *
207 * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table
208 *
209 * Returns: profile name if it is specified else NULL
210 */
211static const char *separate_fqname(const char *fqname, const char **ns_name)
212{
213 const char *name;
214
215 if (fqname[0] == ':') {
216 /* In this case there is guaranteed to be two \0 terminators
217 * in the string. They are verified at load time by
218 * by unpack_trans_table
219 */
220 *ns_name = fqname + 1; /* skip : */
221 name = *ns_name + strlen(*ns_name) + 1;
222 if (!*name)
223 name = NULL;
224 } else {
225 *ns_name = NULL;
226 name = fqname;
227 }
228
229 return name;
230}
231
232static const char *next_name(int xtype, const char *name)
233{
234 return NULL;
235}
236
237/**
238 * x_table_lookup - lookup an x transition name via transition table
239 * @profile: current profile (NOT NULL)
240 * @xindex: index into x transition table
241 *
242 * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
243 */
244static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
245{
246 struct aa_profile *new_profile = NULL;
98849dff 247 struct aa_ns *ns = profile->ns;
898127c3
JJ		 248 u32 xtype = xindex & AA_X_TYPE_MASK;
249 int index = xindex & AA_X_INDEX_MASK;
250 const char *name;
251
252 /* index is guaranteed to be in range, validated at load time */
253 for (name = profile->file.trans.table[index]; !new_profile && name;
254 name = next_name(xtype, name)) {
98849dff 255 struct aa_ns *new_ns;
898127c3
JJ		 256 const char *xname = NULL;
257
258 new_ns = NULL;
259 if (xindex & AA_X_CHILD) {
260 /* release by caller */
261 new_profile = aa_find_child(profile, name);
262 continue;
263 } else if (*name == ':') {
264 /* switching namespace */
265 const char *ns_name;
266 xname = name = separate_fqname(name, &ns_name);
267 if (!xname)
268 /* no name so use profile name */
269 xname = profile->base.hname;
270 if (*ns_name == '@') {
271 /* TODO: variable support */
272 ;
273 }
274 /* released below */
98849dff 275 new_ns = aa_find_ns(ns, ns_name);
898127c3
JJ		 276 if (!new_ns)
277 continue;
278 } else if (*name == '@') {
279 /* TODO: variable support */
280 continue;
281 } else {
282 /* basic namespace lookup */
283 xname = name;
284 }
285
286 /* released by caller */
287 new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname);
98849dff 288 aa_put_ns(new_ns);
898127c3
JJ		 289 }
290
291 /* released by caller */
292 return new_profile;
293}
294
295/**
296 * x_to_profile - get target profile for a given xindex
297 * @profile: current profile (NOT NULL)
298 * @name: name to lookup (NOT NULL)
299 * @xindex: index into x transition table
300 *
301 * find profile for a transition index
302 *
303 * Returns: refcounted profile or NULL if not found available
304 */
305static struct aa_profile *x_to_profile(struct aa_profile *profile,
306 const char *name, u32 xindex)
307{
308 struct aa_profile *new_profile = NULL;
98849dff 309 struct aa_ns *ns = profile->ns;
898127c3
JJ		 310 u32 xtype = xindex & AA_X_TYPE_MASK;
311
312 switch (xtype) {
313 case AA_X_NONE:
314 /* fail exec unless ix || ux fallback - handled by caller */
315 return NULL;
316 case AA_X_NAME:
317 if (xindex & AA_X_CHILD)
318 /* released by caller */
319 new_profile = find_attach(ns, &profile->base.profiles,
320 name);
321 else
322 /* released by caller */
323 new_profile = find_attach(ns, &ns->base.profiles,
324 name);
325 break;
326 case AA_X_TABLE:
327 /* released by caller */
328 new_profile = x_table_lookup(profile, xindex);
329 break;
330 }
331
332 /* released by caller */
333 return new_profile;
334}
335
336/**
337 * apparmor_bprm_set_creds - set the new creds on the bprm struct
338 * @bprm: binprm for the exec (NOT NULL)
339 *
340 * Returns: %0 or error on failure
341 */
342int apparmor_bprm_set_creds(struct linux_binprm *bprm)
343{
55a26ebf 344 struct aa_task_ctx *ctx;
637f688d 345 struct aa_label *label;
898127c3 346 struct aa_profile *profile, *new_profile = NULL;
98849dff 347 struct aa_ns *ns;
898127c3
JJ		 348 char *buffer = NULL;
349 unsigned int state;
2d679f3c 350 struct aa_perms perms = {};
898127c3 351 struct path_cond cond = {
496ad9aa
AV		 352 file_inode(bprm->file)->i_uid,
353 file_inode(bprm->file)->i_mode
898127c3 354 };
f7da2de0 355 const char *name = NULL, *info = NULL;
b1d9e6b0 356 int error = 0;
898127c3
JJ		 357
358 if (bprm->cred_prepared)
359 return 0;
360
55a26ebf
JJ		 361 ctx = cred_ctx(bprm->cred);
362 AA_BUG(!ctx);
898127c3 363
637f688d
JJ		 364 label = aa_get_newest_label(ctx->label);
365 profile = labels_profile(label);
4227c333
JJ		 366
367 /* buffer freed below, name is pointer into buffer */
368 get_buffers(buffer);
898127c3
JJ		 369 /*
370 * get the namespace from the replacement profile as replacement
371 * can change the namespace
372 */
373 ns = profile->ns;
374 state = profile->file.start;
375
4227c333 376 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
72c8a768 377 &name, &info, profile->disconnected);
898127c3 378 if (error) {
637f688d
JJ		 379 if (profile_unconfined(profile) ||
380 (profile->label.flags & FLAG_IX_ON_NAME_ERROR))
898127c3 381 error = 0;
898127c3
JJ		 382 name = bprm->filename;
383 goto audit;
384 }
385
386 /* Test for onexec first as onexec directives override other
387 * x transitions.
388 */
637f688d 389 if (profile_unconfined(profile)) {
898127c3 390 /* unconfined task */
55a26ebf 391 if (ctx->onexec)
898127c3 392 /* change_profile on exec already been granted */
637f688d 393 new_profile = labels_profile(aa_get_label(ctx->onexec));
898127c3
JJ		 394 else
395 new_profile = find_attach(ns, &ns->base.profiles, name);
396 if (!new_profile)
397 goto cleanup;
c29bceb3
JJ		 398 /*
399 * NOTE: Domain transitions from unconfined are allowed
400 * even when no_new_privs is set because this aways results
401 * in a further reduction of permissions.
402 */
898127c3
JJ		 403 goto apply;
404 }
405
406 /* find exec permissions for name */
407 state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
55a26ebf 408 if (ctx->onexec) {
2d679f3c 409 struct aa_perms cp;
898127c3 410 info = "change_profile onexec";
637f688d 411 new_profile = labels_profile(aa_get_newest_label(ctx->onexec));
898127c3
JJ		 412 if (!(perms.allow & AA_MAY_ONEXEC))
413 goto audit;
414
415 /* test if this exec can be paired with change_profile onexec.
416 * onexec permission is linked to exec with a standard pairing
417 * exec\0change_profile
418 */
419 state = aa_dfa_null_transition(profile->file.dfa, state);
637f688d
JJ		 420 cp = change_profile_perms(profile, labels_ns(ctx->onexec),
421 labels_profile(ctx->onexec)->base.name,
422 AA_MAY_ONEXEC, state);
898127c3
JJ		 423
424 if (!(cp.allow & AA_MAY_ONEXEC))
425 goto audit;
898127c3
JJ		 426 goto apply;
427 }
428
429 if (perms.allow & MAY_EXEC) {
430 /* exec permission determine how to transition */
431 new_profile = x_to_profile(profile, name, perms.xindex);
432 if (!new_profile) {
433 if (perms.xindex & AA_X_INHERIT) {
434 /* (p|c|n)ix - don't change profile but do
435 * use the newest version, which was picked
436 * up above when getting profile
437 */
438 info = "ix fallback";
439 new_profile = aa_get_profile(profile);
440 goto x_clear;
441 } else if (perms.xindex & AA_X_UNCONFINED) {
fa2ac468 442 new_profile = aa_get_newest_profile(ns->unconfined);
898127c3
JJ		 443 info = "ux fallback";
444 } else {
9049a792 445 error = -EACCES;
898127c3 446 info = "profile not found";
17322cc3
JJ		 447 /* remove MAY_EXEC to audit as failure */
448 perms.allow &= ~MAY_EXEC;
898127c3
JJ		 449 }
450 }
451 } else if (COMPLAIN_MODE(profile)) {
452 /* no exec permission - are we in learning mode */
181f7c97
JJ		 453 new_profile = aa_new_null_profile(profile, false, name,
454 GFP_ATOMIC);
898127c3
JJ		 455 if (!new_profile) {
456 error = -ENOMEM;
457 info = "could not create null profile";
f7da2de0 458 } else
898127c3 459 error = -EACCES;
898127c3
JJ		 460 perms.xindex |= AA_X_UNSAFE;
461 } else
462 /* fail exec */
463 error = -EACCES;
464
c29bceb3
JJ		 465 /*
466 * Policy has specified a domain transition, if no_new_privs then
467 * fail the exec.
468 */
469 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) {
c29bceb3
JJ		 470 error = -EPERM;
471 goto cleanup;
472 }
473
898127c3
JJ		 474 if (!new_profile)
475 goto audit;
476
477 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
478 /* FIXME: currently don't mediate shared state */
479 ;
480 }
481
9227dd2a 482 if (bprm->unsafe & LSM_UNSAFE_PTRACE) {
b2d09ae4 483 error = may_change_ptraced_domain(&new_profile->label, &info);
f7da2de0 484 if (error)
898127c3 485 goto audit;
898127c3
JJ		 486 }
487
488 /* Determine if secure exec is needed.
489 * Can be at this point for the following reasons:
490 * 1. unconfined switching to confined
491 * 2. confined switching to different confinement
492 * 3. confined switching to unconfined
493 *
494 * Cases 2 and 3 are marked as requiring secure exec
495 * (unless policy specified "unsafe exec")
496 *
497 * bprm->unsafe is used to cache the AA_X_UNSAFE permission
498 * to avoid having to recompute in secureexec
499 */
500 if (!(perms.xindex & AA_X_UNSAFE)) {
501 AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
502 name, new_profile->base.hname);
503 bprm->unsafe |= AA_SECURE_X_NEEDED;
504 }
505apply:
898127c3
JJ		 506 /* when transitioning profiles clear unsafe personality bits */
507 bprm->per_clear |= PER_CLEAR_ON_SETID;
508
509x_clear:
637f688d 510 aa_put_label(ctx->label);
55a26ebf 511 /* transfer new profile reference will be released when ctx is freed */
637f688d 512 ctx->label = &new_profile->label;
f7da2de0 513 new_profile = NULL;
898127c3
JJ		 514
515 /* clear out all temporary/transitional state from the context */
55a26ebf 516 aa_clear_task_ctx_trans(ctx);
898127c3
JJ		 517
518audit:
ef88a7ac 519 error = aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name,
f7da2de0 520 new_profile ? new_profile->base.hname : NULL,
98c3d182 521 new_profile ? &new_profile->label : NULL,
f7da2de0 522 cond.uid, info, error);
898127c3
JJ		 523
524cleanup:
f7da2de0 525 aa_put_profile(new_profile);
637f688d 526 aa_put_label(label);
4227c333 527 put_buffers(buffer);
898127c3
JJ		 528
529 return error;
530}
531
532/**
533 * apparmor_bprm_secureexec - determine if secureexec is needed
534 * @bprm: binprm for exec (NOT NULL)
535 *
536 * Returns: %1 if secureexec is needed else %0
537 */
538int apparmor_bprm_secureexec(struct linux_binprm *bprm)
539{
898127c3
JJ		 540 /* the decision to use secure exec is computed in set_creds
541 * and stored in bprm->unsafe.
542 */
b1d9e6b0
CS		 543 if (bprm->unsafe & AA_SECURE_X_NEEDED)
544 return 1;
898127c3 545
b1d9e6b0 546 return 0;
898127c3
JJ		 547}
548
898127c3
JJ		 549/*
550 * Functions for self directed profile change
551 */
552
553/**
554 * new_compound_name - create an hname with @n2 appended to @n1
555 * @n1: base of hname (NOT NULL)
556 * @n2: name to append (NOT NULL)
557 *
558 * Returns: new name or NULL on error
559 */
560static char *new_compound_name(const char *n1, const char *n2)
561{
562 char *name = kmalloc(strlen(n1) + strlen(n2) + 3, GFP_KERNEL);
563 if (name)
564 sprintf(name, "%s//%s", n1, n2);
565 return name;
566}
567
568/**
569 * aa_change_hat - change hat to/from subprofile
570 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
571 * @count: number of hat names in @hats
572 * @token: magic value to validate the hat change
df8073c6 573 * @flags: flags affecting behavior of the change
898127c3
JJ		 574 *
575 * Change to the first profile specified in @hats that exists, and store
576 * the @hat_magic in the current task context. If the count == 0 and the
577 * @token matches that stored in the current task context, return to the
578 * top level profile.
579 *
580 * Returns %0 on success, error otherwise.
581 */
df8073c6 582int aa_change_hat(const char *hats[], int count, u64 token, int flags)
898127c3
JJ		 583{
584 const struct cred *cred;
55a26ebf 585 struct aa_task_ctx *ctx;
637f688d
JJ		 586 struct aa_label *label, *previous_label;
587 struct aa_profile *profile, *hat = NULL;
898127c3
JJ		 588 char *name = NULL;
589 int i;
2d679f3c 590 struct aa_perms perms = {};
898127c3
JJ		 591 const char *target = NULL, *info = NULL;
592 int error = 0;
593
c29bceb3
JJ		 594 /*
595 * Fail explicitly requested domain transitions if no_new_privs.
596 * There is no exception for unconfined as change_hat is not
597 * available.
598 */
1d4457f9 599 if (task_no_new_privs(current))
c29bceb3
JJ		 600 return -EPERM;
601
898127c3
JJ		 602 /* released below */
603 cred = get_current_cred();
55a26ebf 604 ctx = cred_ctx(cred);
637f688d
JJ		 605 label = aa_get_newest_cred_label(cred);
606 previous_label = aa_get_newest_label(ctx->previous);
607 profile = labels_profile(label);
898127c3 608
637f688d 609 if (unconfined(label)) {
898127c3
JJ		 610 info = "unconfined";
611 error = -EPERM;
612 goto audit;
613 }
614
615 if (count) {
616 /* attempting to change into a new hat or switch to a sibling */
617 struct aa_profile *root;
01e2b670
JJ		 618 if (PROFILE_IS_HAT(profile))
619 root = aa_get_profile_rcu(&profile->parent);
620 else
621 root = aa_get_profile(profile);
898127c3
JJ		 622
623 /* find first matching hat */
624 for (i = 0; i < count && !hat; i++)
625 /* released below */
626 hat = aa_find_child(root, hats[i]);
627 if (!hat) {
df8073c6 628 if (!COMPLAIN_MODE(root) || (flags & AA_CHANGE_TEST)) {
898127c3
JJ		 629 if (list_empty(&root->base.profiles))
630 error = -ECHILD;
631 else
632 error = -ENOENT;
01e2b670 633 aa_put_profile(root);
898127c3
JJ		 634 goto out;
635 }
636
637 /*
638 * In complain mode and failed to match any hats.
639 * Audit the failure is based off of the first hat
640 * supplied. This is done due how userspace
641 * interacts with change_hat.
642 *
643 * TODO: Add logging of all failed hats
644 */
645
646 /* freed below */
647 name = new_compound_name(root->base.hname, hats[0]);
01e2b670 648 aa_put_profile(root);
898127c3
JJ		 649 target = name;
650 /* released below */
181f7c97
JJ		 651 hat = aa_new_null_profile(profile, true, hats[0],
652 GFP_KERNEL);
898127c3
JJ		 653 if (!hat) {
654 info = "failed null profile create";
655 error = -ENOMEM;
656 goto audit;
657 }
658 } else {
01e2b670 659 aa_put_profile(root);
898127c3
JJ		 660 target = hat->base.hname;
661 if (!PROFILE_IS_HAT(hat)) {
662 info = "target not hat";
663 error = -EPERM;
664 goto audit;
665 }
666 }
667
b2d09ae4 668 error = may_change_ptraced_domain(&hat->label, &info);
898127c3
JJ		 669 if (error) {
670 info = "ptraced";
671 error = -EPERM;
672 goto audit;
673 }
674
df8073c6 675 if (!(flags & AA_CHANGE_TEST)) {
637f688d 676 error = aa_set_current_hat(&hat->label, token);
898127c3
JJ		 677 if (error == -EACCES)
678 /* kill task in case of brute force attacks */
679 perms.kill = AA_MAY_CHANGEHAT;
680 else if (name && !error)
681 /* reset error for learning of new hats */
682 error = -ENOENT;
683 }
637f688d 684 } else if (previous_label) {
898127c3
JJ		 685 /* Return to saved profile. Kill task if restore fails
686 * to avoid brute force attacks
687 */
637f688d
JJ		 688 target = previous_label->hname;
689 error = aa_restore_previous_label(token);
898127c3
JJ		 690 perms.kill = AA_MAY_CHANGEHAT;
691 } else
692 /* ignore restores when there is no saved profile */
693 goto out;
694
695audit:
df8073c6 696 if (!(flags & AA_CHANGE_TEST))
ef88a7ac 697 error = aa_audit_file(profile, &perms, OP_CHANGE_HAT,
98c3d182 698 AA_MAY_CHANGEHAT, NULL, target, NULL,
ef88a7ac 699 GLOBAL_ROOT_UID, info, error);
898127c3
JJ		 700
701out:
702 aa_put_profile(hat);
703 kfree(name);
637f688d
JJ		 704 aa_put_label(label);
705 aa_put_label(previous_label);
898127c3
JJ		 706 put_cred(cred);
707
708 return error;
709}
710
711/**
712 * aa_change_profile - perform a one-way profile transition
aa9a39ad 713 * @fqname: name of profile may include namespace (NOT NULL)
898127c3 714 * @onexec: whether this transition is to take place immediately or at exec
df8073c6 715 * @flags: flags affecting change behavior
898127c3
JJ		 716 *
717 * Change to new profile @name. Unlike with hats, there is no way
718 * to change back. If @name isn't specified the current profile name is
719 * used.
720 * If @onexec then the transition is delayed until
721 * the next exec.
722 *
723 * Returns %0 on success, error otherwise.
724 */
df8073c6 725int aa_change_profile(const char *fqname, int flags)
898127c3
JJ		 726{
727 const struct cred *cred;
637f688d 728 struct aa_label *label;
898127c3 729 struct aa_profile *profile, *target = NULL;
2d679f3c 730 struct aa_perms perms = {};
aa9a39ad 731 const char *info = NULL, *op;
47f6e5cc 732 int error = 0;
898127c3
JJ		 733 u32 request;
734
aa9a39ad
JJ		 735 if (!fqname || !*fqname) {
736 AA_DEBUG("no profile name");
898127c3 737 return -EINVAL;
aa9a39ad 738 }
898127c3 739
df8073c6 740 if (flags & AA_CHANGE_ONEXEC) {
898127c3
JJ		 741 request = AA_MAY_ONEXEC;
742 op = OP_CHANGE_ONEXEC;
743 } else {
744 request = AA_MAY_CHANGE_PROFILE;
745 op = OP_CHANGE_PROFILE;
746 }
747
748 cred = get_current_cred();
637f688d
JJ		 749 label = aa_get_newest_cred_label(cred);
750 profile = labels_profile(label);
898127c3 751
c29bceb3
JJ		 752 /*
753 * Fail explicitly requested domain transitions if no_new_privs
754 * and not unconfined.
755 * Domain transitions from unconfined are allowed even when
756 * no_new_privs is set because this aways results in a reduction
757 * of permissions.
758 */
637f688d 759 if (task_no_new_privs(current) && !profile_unconfined(profile)) {
c29bceb3
JJ		 760 put_cred(cred);
761 return -EPERM;
762 }
763
637f688d 764 target = aa_fqlookupn_profile(label, fqname, strlen(fqname));
898127c3
JJ		 765 if (!target) {
766 info = "profile not found";
767 error = -ENOENT;
df8073c6
JJ		 768 if ((flags & AA_CHANGE_TEST) ||
769 !COMPLAIN_MODE(profile))
898127c3
JJ		 770 goto audit;
771 /* released below */
aa9a39ad
JJ		 772 target = aa_new_null_profile(profile, false, fqname,
773 GFP_KERNEL);
898127c3
JJ		 774 if (!target) {
775 info = "failed null profile create";
776 error = -ENOMEM;
777 goto audit;
778 }
779 }
780
aa9a39ad
JJ		 781 perms = change_profile_perms(profile, target->ns, target->base.hname,
782 request, profile->file.start);
783 if (!(perms.allow & request)) {
784 error = -EACCES;
785 goto audit;
786 }
787
898127c3 788 /* check if tracing task is allowed to trace target domain */
b2d09ae4 789 error = may_change_ptraced_domain(&target->label, &info);
898127c3
JJ		 790 if (error) {
791 info = "ptrace prevents transition";
792 goto audit;
793 }
794
df8073c6 795 if (flags & AA_CHANGE_TEST)
898127c3
JJ		 796 goto audit;
797
df8073c6 798 if (flags & AA_CHANGE_ONEXEC)
637f688d 799 error = aa_set_current_onexec(&target->label, 0);
898127c3 800 else
637f688d 801 error = aa_replace_current_label(&target->label);
898127c3
JJ		 802
803audit:
df8073c6 804 if (!(flags & AA_CHANGE_TEST))
aa9a39ad 805 error = aa_audit_file(profile, &perms, op, request, NULL,
98c3d182
JJ		 806 fqname, NULL, GLOBAL_ROOT_UID, info,
807 error);
898127c3 808
898127c3 809 aa_put_profile(target);
637f688d 810 aa_put_label(label);
898127c3
JJ		 811 put_cred(cred);
812
813 return error;
814}
ubuntu-bionic-kernel mirror