]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/apparmor/lsm.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: move aa_file_perm() to use labels
[mirror_ubuntu-artful-kernel.git] / security / apparmor / lsm.c
CommitLineData
b5e95b48
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor LSM hooks.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
3c4ed7bd 15#include <linux/lsm_hooks.h>
b5e95b48
JJ		 16#include <linux/moduleparam.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/mount.h>
20#include <linux/namei.h>
21#include <linux/ptrace.h>
22#include <linux/ctype.h>
23#include <linux/sysctl.h>
24#include <linux/audit.h>
3486740a 25#include <linux/user_namespace.h>
e025be0f 26#include <linux/kmemleak.h>
b5e95b48
JJ		 27#include <net/sock.h>
28
29#include "include/apparmor.h"
30#include "include/apparmorfs.h"
31#include "include/audit.h"
32#include "include/capability.h"
33#include "include/context.h"
34#include "include/file.h"
35#include "include/ipc.h"
36#include "include/path.h"
637f688d 37#include "include/label.h"
b5e95b48 38#include "include/policy.h"
cff281f6 39#include "include/policy_ns.h"
b5e95b48
JJ		 40#include "include/procattr.h"
41
42/* Flag indicating whether initialization completed */
545de8fe 43int apparmor_initialized;
b5e95b48 44
d4669f0b
JJ		 45DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
46
47
b5e95b48
JJ		 48/*
49 * LSM hook functions
50 */
51
52/*
637f688d 53 * free the associated aa_task_ctx and put its labels
b5e95b48
JJ		 54 */
55static void apparmor_cred_free(struct cred *cred)
56{
55a26ebf
JJ		 57 aa_free_task_context(cred_ctx(cred));
58 cred_ctx(cred) = NULL;
b5e95b48
JJ		 59}
60
61/*
62 * allocate the apparmor part of blank credentials
63 */
64static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
65{
66 /* freed by apparmor_cred_free */
55a26ebf
JJ		 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
68
69 if (!ctx)
b5e95b48
JJ		 70 return -ENOMEM;
71
55a26ebf 72 cred_ctx(cred) = ctx;
b5e95b48
JJ		 73 return 0;
74}
75
76/*
55a26ebf 77 * prepare new aa_task_ctx for modification by prepare_cred block
b5e95b48
JJ		 78 */
79static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
80 gfp_t gfp)
81{
82 /* freed by apparmor_cred_free */
55a26ebf
JJ		 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
84
85 if (!ctx)
b5e95b48
JJ		 86 return -ENOMEM;
87
55a26ebf
JJ		 88 aa_dup_task_context(ctx, cred_ctx(old));
89 cred_ctx(new) = ctx;
b5e95b48
JJ		 90 return 0;
91}
92
93/*
94 * transfer the apparmor data to a blank set of creds
95 */
96static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
97{
55a26ebf
JJ		 98 const struct aa_task_ctx *old_ctx = cred_ctx(old);
99 struct aa_task_ctx *new_ctx = cred_ctx(new);
b5e95b48 100
55a26ebf 101 aa_dup_task_context(new_ctx, old_ctx);
b5e95b48
JJ		 102}
103
104static int apparmor_ptrace_access_check(struct task_struct *child,
105 unsigned int mode)
106{
b2d09ae4
JJ		 107 struct aa_label *tracer, *tracee;
108 int error;
109
110 tracer = begin_current_label_crit_section();
111 tracee = aa_get_task_label(child);
112 error = aa_may_ptrace(tracer, tracee,
113 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
114 aa_put_label(tracee);
115 end_current_label_crit_section(tracer);
116
117 return error;
b5e95b48
JJ		 118}
119
120static int apparmor_ptrace_traceme(struct task_struct *parent)
121{
b2d09ae4
JJ		 122 struct aa_label *tracer, *tracee;
123 int error;
124
125 tracee = begin_current_label_crit_section();
126 tracer = aa_get_task_label(parent);
127 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
128 aa_put_label(tracer);
129 end_current_label_crit_section(tracee);
130
131 return error;
b5e95b48
JJ		 132}
133
134/* Derived from security/commoncap.c:cap_capget */
135static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
136 kernel_cap_t *inheritable, kernel_cap_t *permitted)
137{
637f688d 138 struct aa_label *label;
b5e95b48
JJ		 139 const struct cred *cred;
140
141 rcu_read_lock();
142 cred = __task_cred(target);
637f688d 143 label = aa_get_newest_cred_label(cred);
c70c86c4 144
b1d9e6b0
CS		 145 /*
146 * cap_capget is stacked ahead of this and will
147 * initialize effective and permitted.
148 */
c70c86c4
JJ		 149 if (!unconfined(label)) {
150 struct aa_profile *profile;
151 struct label_it i;
152
153 label_for_each_confined(i, label, profile) {
154 if (COMPLAIN_MODE(profile))
155 continue;
156 *effective = cap_intersect(*effective,
157 profile->caps.allow);
158 *permitted = cap_intersect(*permitted,
159 profile->caps.allow);
160 }
b5e95b48
JJ		 161 }
162 rcu_read_unlock();
637f688d 163 aa_put_label(label);
b5e95b48
JJ		 164
165 return 0;
166}
167
6a9de491
EP		 168static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
169 int cap, int audit)
b5e95b48 170{
637f688d 171 struct aa_label *label;
b1d9e6b0
CS		 172 int error = 0;
173
637f688d
JJ		 174 label = aa_get_newest_cred_label(cred);
175 if (!unconfined(label))
c70c86c4 176 error = aa_capable(label, cap, audit);
637f688d 177 aa_put_label(label);
cf797c0e 178
b5e95b48
JJ		 179 return error;
180}
181
182/**
183 * common_perm - basic common permission check wrapper fn for paths
184 * @op: operation being checked
185 * @path: path to check permission of (NOT NULL)
186 * @mask: requested permissions mask
187 * @cond: conditional info for the permission request (NOT NULL)
188 *
189 * Returns: %0 else error code if error or permission denied
190 */
47f6e5cc 191static int common_perm(const char *op, const struct path *path, u32 mask,
b5e95b48
JJ		 192 struct path_cond *cond)
193{
637f688d 194 struct aa_label *label;
b5e95b48
JJ		 195 int error = 0;
196
637f688d
JJ		 197 label = __begin_current_label_crit_section();
198 if (!unconfined(label))
199 error = aa_path_perm(op, labels_profile(label), path, 0, mask,
200 cond);
201 __end_current_label_crit_section(label);
b5e95b48
JJ		 202
203 return error;
204}
205
206/**
31f75bfe 207 * common_perm_cond - common permission wrapper around inode cond
b5e95b48 208 * @op: operation being checked
31f75bfe 209 * @path: location to check (NOT NULL)
b5e95b48 210 * @mask: requested permissions mask
b5e95b48
JJ		 211 *
212 * Returns: %0 else error code if error or permission denied
213 */
31f75bfe 214static int common_perm_cond(const char *op, const struct path *path, u32 mask)
b5e95b48 215{
31f75bfe
JJ		 216 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
217 d_backing_inode(path->dentry)->i_mode
218 };
b5e95b48 219
31f75bfe
JJ		 220 if (!path_mediated_fs(path->dentry))
221 return 0;
222
223 return common_perm(op, path, mask, &cond);
b5e95b48
JJ		 224}
225
226/**
31f75bfe 227 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
b5e95b48 228 * @op: operation being checked
31f75bfe
JJ		 229 * @dir: directory of the dentry (NOT NULL)
230 * @dentry: dentry to check (NOT NULL)
b5e95b48 231 * @mask: requested permissions mask
31f75bfe 232 * @cond: conditional info for the permission request (NOT NULL)
b5e95b48
JJ		 233 *
234 * Returns: %0 else error code if error or permission denied
235 */
31f75bfe
JJ		 236static int common_perm_dir_dentry(const char *op, const struct path *dir,
237 struct dentry *dentry, u32 mask,
238 struct path_cond *cond)
b5e95b48 239{
31f75bfe 240 struct path path = { .mnt = dir->mnt, .dentry = dentry };
b5e95b48 241
31f75bfe 242 return common_perm(op, &path, mask, cond);
b5e95b48
JJ		 243}
244
245/**
246 * common_perm_rm - common permission wrapper for operations doing rm
247 * @op: operation being checked
248 * @dir: directory that the dentry is in (NOT NULL)
249 * @dentry: dentry being rm'd (NOT NULL)
250 * @mask: requested permission mask
251 *
252 * Returns: %0 else error code if error or permission denied
253 */
47f6e5cc 254static int common_perm_rm(const char *op, const struct path *dir,
b5e95b48
JJ		 255 struct dentry *dentry, u32 mask)
256{
c6f493d6 257 struct inode *inode = d_backing_inode(dentry);
b5e95b48
JJ		 258 struct path_cond cond = { };
259
efeee83a 260 if (!inode || !path_mediated_fs(dentry))
b5e95b48
JJ		 261 return 0;
262
263 cond.uid = inode->i_uid;
264 cond.mode = inode->i_mode;
265
266 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
267}
268
269/**
270 * common_perm_create - common permission wrapper for operations doing create
271 * @op: operation being checked
272 * @dir: directory that dentry will be created in (NOT NULL)
273 * @dentry: dentry to create (NOT NULL)
274 * @mask: request permission mask
275 * @mode: created file mode
276 *
277 * Returns: %0 else error code if error or permission denied
278 */
47f6e5cc 279static int common_perm_create(const char *op, const struct path *dir,
d6b49f7a 280 struct dentry *dentry, u32 mask, umode_t mode)
b5e95b48
JJ		 281{
282 struct path_cond cond = { current_fsuid(), mode };
283
efeee83a 284 if (!path_mediated_fs(dir->dentry))
b5e95b48
JJ		 285 return 0;
286
287 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
288}
289
989f74e0 290static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 291{
292 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
293}
294
d3607752 295static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
4572befe 296 umode_t mode)
b5e95b48
JJ		 297{
298 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
299 S_IFDIR);
300}
301
989f74e0 302static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 303{
304 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
305}
306
d3607752 307static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
04fc66e7 308 umode_t mode, unsigned int dev)
b5e95b48
JJ		 309{
310 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
311}
312
81f4c506 313static int apparmor_path_truncate(const struct path *path)
b5e95b48 314{
e53cfe6c 315 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
b5e95b48
JJ		 316}
317
d3607752 318static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
b5e95b48
JJ		 319 const char *old_name)
320{
321 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
322 S_IFLNK);
323}
324
3ccee46a 325static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
b5e95b48
JJ		 326 struct dentry *new_dentry)
327{
637f688d 328 struct aa_label *label;
b5e95b48
JJ		 329 int error = 0;
330
efeee83a 331 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 332 return 0;
333
637f688d
JJ		 334 label = begin_current_label_crit_section();
335 if (!unconfined(label))
336 error = aa_path_link(labels_profile(label), old_dentry, new_dir,
337 new_dentry);
338 end_current_label_crit_section(label);
cf797c0e 339
b5e95b48
JJ		 340 return error;
341}
342
3ccee46a
AV		 343static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
344 const struct path *new_dir, struct dentry *new_dentry)
b5e95b48 345{
637f688d 346 struct aa_label *label;
b5e95b48
JJ		 347 int error = 0;
348
efeee83a 349 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 350 return 0;
351
637f688d
JJ		 352 label = begin_current_label_crit_section();
353 if (!unconfined(label)) {
8486adf0
KC		 354 struct path old_path = { .mnt = old_dir->mnt,
355 .dentry = old_dentry };
356 struct path new_path = { .mnt = new_dir->mnt,
357 .dentry = new_dentry };
c6f493d6
DH		 358 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
359 d_backing_inode(old_dentry)->i_mode
b5e95b48
JJ		 360 };
361
637f688d
JJ		 362 error = aa_path_perm(OP_RENAME_SRC, labels_profile(label),
363 &old_path, 0,
e53cfe6c
JJ		 364 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
365 AA_MAY_SETATTR | AA_MAY_DELETE,
b5e95b48
JJ		 366 &cond);
367 if (!error)
637f688d
JJ		 368 error = aa_path_perm(OP_RENAME_DEST,
369 labels_profile(label),
370 &new_path,
e53cfe6c 371 0, MAY_WRITE | AA_MAY_SETATTR |
b5e95b48
JJ		 372 AA_MAY_CREATE, &cond);
373
374 }
637f688d 375 end_current_label_crit_section(label);
cf797c0e 376
b5e95b48
JJ		 377 return error;
378}
379
be01f9f2 380static int apparmor_path_chmod(const struct path *path, umode_t mode)
b5e95b48 381{
31f75bfe 382 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
b5e95b48
JJ		 383}
384
7fd25dac 385static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
b5e95b48 386{
31f75bfe 387 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
b5e95b48
JJ		 388}
389
3f7036a0 390static int apparmor_inode_getattr(const struct path *path)
b5e95b48 391{
e53cfe6c 392 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
b5e95b48
JJ		 393}
394
83d49856 395static int apparmor_file_open(struct file *file, const struct cred *cred)
b5e95b48 396{
637f688d
JJ		 397 struct aa_file_ctx *fctx = file_ctx(file);
398 struct aa_label *label;
b5e95b48
JJ		 399 int error = 0;
400
efeee83a 401 if (!path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 402 return 0;
403
404 /* If in exec, permission is handled by bprm hooks.
405 * Cache permissions granted by the previous exec check, with
406 * implicit read and executable mmap which are required to
407 * actually execute the image.
408 */
409 if (current->in_execve) {
55a26ebf 410 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
b5e95b48
JJ		 411 return 0;
412 }
413
637f688d
JJ		 414 label = aa_get_newest_cred_label(cred);
415 if (!unconfined(label)) {
496ad9aa 416 struct inode *inode = file_inode(file);
b5e95b48
JJ		 417 struct path_cond cond = { inode->i_uid, inode->i_mode };
418
637f688d
JJ		 419 error = aa_path_perm(OP_OPEN, labels_profile(label),
420 &file->f_path, 0,
b5e95b48
JJ		 421 aa_map_file_to_perms(file), &cond);
422 /* todo cache full allowed permissions set and state */
55a26ebf 423 fctx->allow = aa_map_file_to_perms(file);
b5e95b48 424 }
637f688d 425 aa_put_label(label);
b5e95b48
JJ		 426
427 return error;
428}
429
430static int apparmor_file_alloc_security(struct file *file)
431{
cf797c0e
JJ		 432 int error = 0;
433
b5e95b48 434 /* freed by apparmor_file_free_security */
637f688d 435 struct aa_label *label = begin_current_label_crit_section();
190a9518 436 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
2835a13b
JJ		 437 if (!file_ctx(file))
438 error = -ENOMEM;
637f688d 439 end_current_label_crit_section(label);
b5e95b48 440
cf797c0e 441 return error;
b5e95b48
JJ		 442}
443
444static void apparmor_file_free_security(struct file *file)
445{
2835a13b 446 aa_free_file_ctx(file_ctx(file));
b5e95b48
JJ		 447}
448
47f6e5cc 449static int common_file_perm(const char *op, struct file *file, u32 mask)
b5e95b48 450{
190a9518 451 struct aa_label *label;
b5e95b48
JJ		 452 int error = 0;
453
192ca6b5
JJ		 454 /* don't reaudit files closed during inheritance */
455 if (file->f_path.dentry == aa_null.dentry)
456 return -EACCES;
457
637f688d 458 label = __begin_current_label_crit_section();
190a9518 459 error = aa_file_perm(op, label, file, mask);
637f688d 460 __end_current_label_crit_section(label);
b5e95b48
JJ		 461
462 return error;
463}
464
465static int apparmor_file_permission(struct file *file, int mask)
466{
467 return common_file_perm(OP_FPERM, file, mask);
468}
469
470static int apparmor_file_lock(struct file *file, unsigned int cmd)
471{
472 u32 mask = AA_MAY_LOCK;
473
474 if (cmd == F_WRLCK)
475 mask |= MAY_WRITE;
476
477 return common_file_perm(OP_FLOCK, file, mask);
478}
479
47f6e5cc 480static int common_mmap(const char *op, struct file *file, unsigned long prot,
b5e95b48
JJ		 481 unsigned long flags)
482{
b5e95b48
JJ		 483 int mask = 0;
484
637f688d 485 if (!file || !file_ctx(file))
b5e95b48
JJ		 486 return 0;
487
488 if (prot & PROT_READ)
489 mask |= MAY_READ;
490 /*
491 * Private mappings don't require write perms since they don't
492 * write back to the files
493 */
494 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
495 mask |= MAY_WRITE;
496 if (prot & PROT_EXEC)
497 mask |= AA_EXEC_MMAP;
498
b5e95b48
JJ		 499 return common_file_perm(op, file, mask);
500}
501
e5467859
AV		 502static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
503 unsigned long prot, unsigned long flags)
b5e95b48 504{
b5e95b48
JJ		 505 return common_mmap(OP_FMMAP, file, prot, flags);
506}
507
508static int apparmor_file_mprotect(struct vm_area_struct *vma,
509 unsigned long reqprot, unsigned long prot)
510{
511 return common_mmap(OP_FMPROT, vma->vm_file, prot,
512 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
513}
514
515static int apparmor_getprocattr(struct task_struct *task, char *name,
516 char **value)
517{
518 int error = -ENOENT;
b5e95b48
JJ		 519 /* released below */
520 const struct cred *cred = get_task_cred(task);
55a26ebf 521 struct aa_task_ctx *ctx = cred_ctx(cred);
637f688d 522 struct aa_label *label = NULL;
b5e95b48
JJ		 523
524 if (strcmp(name, "current") == 0)
637f688d 525 label = aa_get_newest_label(ctx->label);
55a26ebf 526 else if (strcmp(name, "prev") == 0 && ctx->previous)
637f688d 527 label = aa_get_newest_label(ctx->previous);
55a26ebf 528 else if (strcmp(name, "exec") == 0 && ctx->onexec)
637f688d 529 label = aa_get_newest_label(ctx->onexec);
b5e95b48
JJ		 530 else
531 error = -EINVAL;
532
637f688d 533 if (label)
76a1d263 534 error = aa_getprocattr(label, value);
77b071b3 535
637f688d 536 aa_put_label(label);
b5e95b48
JJ		 537 put_cred(cred);
538
539 return error;
540}
541
b21507e2
SS		 542static int apparmor_setprocattr(const char *name, void *value,
543 size_t size)
b5e95b48 544{
e89b8081 545 char *command, *largs = NULL, *args = value;
b5e95b48
JJ		 546 size_t arg_size;
547 int error;
ef88a7ac 548 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
b5e95b48
JJ		 549
550 if (size == 0)
551 return -EINVAL;
b5e95b48 552
e89b8081
VN		 553 /* AppArmor requires that the buffer must be null terminated atm */
554 if (args[size - 1] != '\0') {
555 /* null terminate */
556 largs = args = kmalloc(size + 1, GFP_KERNEL);
557 if (!args)
558 return -ENOMEM;
559 memcpy(args, value, size);
560 args[size] = '\0';
561 }
562
563 error = -EINVAL;
b5e95b48
JJ		 564 args = strim(args);
565 command = strsep(&args, " ");
566 if (!args)
e89b8081 567 goto out;
b5e95b48
JJ		 568 args = skip_spaces(args);
569 if (!*args)
e89b8081 570 goto out;
b5e95b48 571
d4d03f74 572 arg_size = size - (args - (largs ? largs : (char *) value));
b5e95b48
JJ		 573 if (strcmp(name, "current") == 0) {
574 if (strcmp(command, "changehat") == 0) {
575 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 576 AA_CHANGE_NOFLAGS);
b5e95b48
JJ		 577 } else if (strcmp(command, "permhat") == 0) {
578 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 579 AA_CHANGE_TEST);
b5e95b48 580 } else if (strcmp(command, "changeprofile") == 0) {
df8073c6 581 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
b5e95b48 582 } else if (strcmp(command, "permprofile") == 0) {
df8073c6 583 error = aa_change_profile(args, AA_CHANGE_TEST);
3eea57c2
JJ		 584 } else
585 goto fail;
b5e95b48 586 } else if (strcmp(name, "exec") == 0) {
3eea57c2 587 if (strcmp(command, "exec") == 0)
df8073c6 588 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
3eea57c2
JJ		 589 else
590 goto fail;
591 } else
b5e95b48 592 /* only support the "current" and "exec" process attributes */
e89b8081 593 goto fail;
3eea57c2 594
b5e95b48
JJ		 595 if (!error)
596 error = size;
e89b8081
VN		 597out:
598 kfree(largs);
b5e95b48 599 return error;
3eea57c2
JJ		 600
601fail:
637f688d 602 aad(&sa)->label = begin_current_label_crit_section();
ef88a7ac
JJ		 603 aad(&sa)->info = name;
604 aad(&sa)->error = error = -EINVAL;
3eea57c2 605 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
637f688d 606 end_current_label_crit_section(aad(&sa)->label);
e89b8081 607 goto out;
b5e95b48
JJ		 608}
609
fe864821
JJ		 610/**
611 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
612 * @bprm: binprm for the exec (NOT NULL)
613 */
614static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
615{
637f688d 616 struct aa_label *label = aa_current_raw_label();
fe864821
JJ		 617 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);
618
619 /* bail out if unconfined or not changing profile */
637f688d
JJ		 620 if ((new_ctx->label->proxy == label->proxy) ||
621 (unconfined(new_ctx->label)))
fe864821
JJ		 622 return;
623
192ca6b5
JJ		 624 aa_inherit_files(bprm->cred, current->files);
625
fe864821
JJ		 626 current->pdeath_signal = 0;
627
637f688d 628 /* reset soft limits and set hard limits for the new label */
86b92cb7 629 __aa_transition_rlimits(label, new_ctx->label);
fe864821
JJ		 630}
631
632/**
633 * apparmor_bprm_committed_cred - do cleanup after new creds committed
634 * @bprm: binprm for the exec (NOT NULL)
635 */
636static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
637{
638 /* TODO: cleanup signals - ipc mediation */
639 return;
640}
641
7cb4dc9f
JS		 642static int apparmor_task_setrlimit(struct task_struct *task,
643 unsigned int resource, struct rlimit *new_rlim)
b5e95b48 644{
637f688d 645 struct aa_label *label = __begin_current_label_crit_section();
b5e95b48
JJ		 646 int error = 0;
647
637f688d 648 if (!unconfined(label))
86b92cb7 649 error = aa_task_setrlimit(label, task, resource, new_rlim);
637f688d 650 __end_current_label_crit_section(label);
b5e95b48
JJ		 651
652 return error;
653}
654
ca97d939 655static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
e20b043a
CS		 656 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
657 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
658 LSM_HOOK_INIT(capget, apparmor_capget),
659 LSM_HOOK_INIT(capable, apparmor_capable),
660
661 LSM_HOOK_INIT(path_link, apparmor_path_link),
662 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
663 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
664 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
665 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
666 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
667 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
668 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
669 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
670 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
671 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
672
673 LSM_HOOK_INIT(file_open, apparmor_file_open),
674 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
675 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
676 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
677 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
e20b043a
CS		 678 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
679 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
680
681 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
682 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
683
684 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
685 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
686 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
687 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
688
689 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
690 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
691 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
692 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
693
694 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
b5e95b48
JJ		 695};
696
697/*
698 * AppArmor sysfs module parameters
699 */
700
101d6c82
SR		 701static int param_set_aabool(const char *val, const struct kernel_param *kp);
702static int param_get_aabool(char *buffer, const struct kernel_param *kp);
b8aa09fd 703#define param_check_aabool param_check_bool
9c27847d 704static const struct kernel_param_ops param_ops_aabool = {
6a4c2643 705 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 706 .set = param_set_aabool,
707 .get = param_get_aabool
708};
b5e95b48 709
101d6c82
SR		 710static int param_set_aauint(const char *val, const struct kernel_param *kp);
711static int param_get_aauint(char *buffer, const struct kernel_param *kp);
b8aa09fd 712#define param_check_aauint param_check_uint
9c27847d 713static const struct kernel_param_ops param_ops_aauint = {
101d6c82
SR		 714 .set = param_set_aauint,
715 .get = param_get_aauint
716};
b5e95b48 717
101d6c82
SR		 718static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
719static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
b8aa09fd 720#define param_check_aalockpolicy param_check_bool
9c27847d 721static const struct kernel_param_ops param_ops_aalockpolicy = {
6a4c2643 722 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 723 .set = param_set_aalockpolicy,
724 .get = param_get_aalockpolicy
725};
b5e95b48
JJ		 726
727static int param_set_audit(const char *val, struct kernel_param *kp);
728static int param_get_audit(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 729
730static int param_set_mode(const char *val, struct kernel_param *kp);
731static int param_get_mode(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 732
733/* Flag values, also controllable via /sys/module/apparmor/parameters
734 * We define special types as we want to do additional mediation.
735 */
736
737/* AppArmor global enforcement switch - complain, enforce, kill */
738enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
739module_param_call(mode, param_set_mode, param_get_mode,
740 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
741
6059f71f 742/* whether policy verification hashing is enabled */
7616ac70 743bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
3ccb76c5 744#ifdef CONFIG_SECURITY_APPARMOR_HASH
6059f71f 745module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
7616ac70 746#endif
6059f71f 747
b5e95b48 748/* Debug mode */
eea7a05f 749bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
b5e95b48
JJ		 750module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
751
752/* Audit mode */
753enum audit_mode aa_g_audit;
754module_param_call(audit, param_set_audit, param_get_audit,
755 &aa_g_audit, S_IRUSR | S_IWUSR);
756
757/* Determines if audit header is included in audited messages. This
758 * provides more context if the audit daemon is not running
759 */
90ab5ee9 760bool aa_g_audit_header = 1;
b5e95b48
JJ		 761module_param_named(audit_header, aa_g_audit_header, aabool,
762 S_IRUSR | S_IWUSR);
763
764/* lock out loading/removal of policy
765 * TODO: add in at boot loading of policy, which is the only way to
766 * load policy, if lock_policy is set
767 */
90ab5ee9 768bool aa_g_lock_policy;
b5e95b48
JJ		 769module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
770 S_IRUSR | S_IWUSR);
771
772/* Syscall logging mode */
90ab5ee9 773bool aa_g_logsyscall;
b5e95b48
JJ		 774module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
775
776/* Maximum pathname length before accesses will start getting rejected */
777unsigned int aa_g_path_max = 2 * PATH_MAX;
622f6e32 778module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
b5e95b48
JJ		 779
780/* Determines how paranoid loading of policy is and how much verification
781 * on the loaded policy is done.
abbf8734
JJ		 782 * DEPRECATED: read only as strict checking of load is always done now
783 * that none root users (user namespaces) can load policy.
b5e95b48 784 */
90ab5ee9 785bool aa_g_paranoid_load = 1;
abbf8734 786module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
b5e95b48
JJ		 787
788/* Boot time disable flag */
90ab5ee9 789static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
c611616c 790module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
b5e95b48
JJ		 791
792static int __init apparmor_enabled_setup(char *str)
793{
794 unsigned long enabled;
29707b20 795 int error = kstrtoul(str, 0, &enabled);
b5e95b48
JJ		 796 if (!error)
797 apparmor_enabled = enabled ? 1 : 0;
798 return 1;
799}
800
801__setup("apparmor=", apparmor_enabled_setup);
802
803/* set global flag turning off the ability to load policy */
101d6c82 804static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
b5e95b48 805{
545de8fe
JJ		 806 if (!apparmor_enabled)
807 return -EINVAL;
808 if (apparmor_initialized && !policy_admin_capable(NULL))
b5e95b48 809 return -EPERM;
b5e95b48
JJ		 810 return param_set_bool(val, kp);
811}
812
101d6c82 813static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
b5e95b48 814{
ca4bd5ae
JJ		 815 if (!apparmor_enabled)
816 return -EINVAL;
545de8fe
JJ		 817 if (apparmor_initialized && !policy_view_capable(NULL))
818 return -EPERM;
b5e95b48
JJ		 819 return param_get_bool(buffer, kp);
820}
821
101d6c82 822static int param_set_aabool(const char *val, const struct kernel_param *kp)
b5e95b48 823{
ca4bd5ae
JJ		 824 if (!apparmor_enabled)
825 return -EINVAL;
545de8fe
JJ		 826 if (apparmor_initialized && !policy_admin_capable(NULL))
827 return -EPERM;
b5e95b48
JJ		 828 return param_set_bool(val, kp);
829}
830
101d6c82 831static int param_get_aabool(char *buffer, const struct kernel_param *kp)
b5e95b48 832{
ca4bd5ae
JJ		 833 if (!apparmor_enabled)
834 return -EINVAL;
545de8fe
JJ		 835 if (apparmor_initialized && !policy_view_capable(NULL))
836 return -EPERM;
b5e95b48
JJ		 837 return param_get_bool(buffer, kp);
838}
839
101d6c82 840static int param_set_aauint(const char *val, const struct kernel_param *kp)
b5e95b48 841{
39d84824
JJ		 842 int error;
843
ca4bd5ae
JJ		 844 if (!apparmor_enabled)
845 return -EINVAL;
39d84824
JJ		 846 /* file is ro but enforce 2nd line check */
847 if (apparmor_initialized)
545de8fe 848 return -EPERM;
39d84824
JJ		 849
850 error = param_set_uint(val, kp);
851 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
852
853 return error;
b5e95b48
JJ		 854}
855
101d6c82 856static int param_get_aauint(char *buffer, const struct kernel_param *kp)
b5e95b48 857{
ca4bd5ae
JJ		 858 if (!apparmor_enabled)
859 return -EINVAL;
545de8fe
JJ		 860 if (apparmor_initialized && !policy_view_capable(NULL))
861 return -EPERM;
b5e95b48
JJ		 862 return param_get_uint(buffer, kp);
863}
864
865static int param_get_audit(char *buffer, struct kernel_param *kp)
866{
b5e95b48
JJ		 867 if (!apparmor_enabled)
868 return -EINVAL;
545de8fe
JJ		 869 if (apparmor_initialized && !policy_view_capable(NULL))
870 return -EPERM;
b5e95b48
JJ		 871 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
872}
873
874static int param_set_audit(const char *val, struct kernel_param *kp)
875{
876 int i;
b5e95b48
JJ		 877
878 if (!apparmor_enabled)
879 return -EINVAL;
b5e95b48
JJ		 880 if (!val)
881 return -EINVAL;
545de8fe
JJ		 882 if (apparmor_initialized && !policy_admin_capable(NULL))
883 return -EPERM;
b5e95b48
JJ		 884
885 for (i = 0; i < AUDIT_MAX_INDEX; i++) {
886 if (strcmp(val, audit_mode_names[i]) == 0) {
887 aa_g_audit = i;
888 return 0;
889 }
890 }
891
892 return -EINVAL;
893}
894
895static int param_get_mode(char *buffer, struct kernel_param *kp)
896{
b5e95b48
JJ		 897 if (!apparmor_enabled)
898 return -EINVAL;
545de8fe
JJ		 899 if (apparmor_initialized && !policy_view_capable(NULL))
900 return -EPERM;
b5e95b48 901
0d259f04 902 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
b5e95b48
JJ		 903}
904
905static int param_set_mode(const char *val, struct kernel_param *kp)
906{
907 int i;
b5e95b48
JJ		 908
909 if (!apparmor_enabled)
910 return -EINVAL;
b5e95b48
JJ		 911 if (!val)
912 return -EINVAL;
545de8fe
JJ		 913 if (apparmor_initialized && !policy_admin_capable(NULL))
914 return -EPERM;
b5e95b48 915
0d259f04
JJ		 916 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
917 if (strcmp(val, aa_profile_mode_names[i]) == 0) {
b5e95b48
JJ		 918 aa_g_profile_mode = i;
919 return 0;
920 }
921 }
922
923 return -EINVAL;
924}
925
926/*
927 * AppArmor init functions
928 */
929
930/**
55a26ebf 931 * set_init_ctx - set a task context and profile on the first task.
b5e95b48
JJ		 932 *
933 * TODO: allow setting an alternate profile than unconfined
934 */
55a26ebf 935static int __init set_init_ctx(void)
b5e95b48
JJ		 936{
937 struct cred *cred = (struct cred *)current->real_cred;
55a26ebf 938 struct aa_task_ctx *ctx;
b5e95b48 939
55a26ebf
JJ		 940 ctx = aa_alloc_task_context(GFP_KERNEL);
941 if (!ctx)
b5e95b48
JJ		 942 return -ENOMEM;
943
637f688d 944 ctx->label = aa_get_label(ns_unconfined(root_ns));
55a26ebf 945 cred_ctx(cred) = ctx;
b5e95b48
JJ		 946
947 return 0;
948}
949
d4669f0b
JJ		 950static void destroy_buffers(void)
951{
952 u32 i, j;
953
954 for_each_possible_cpu(i) {
955 for_each_cpu_buffer(j) {
956 kfree(per_cpu(aa_buffers, i).buf[j]);
957 per_cpu(aa_buffers, i).buf[j] = NULL;
958 }
959 }
960}
961
962static int __init alloc_buffers(void)
963{
964 u32 i, j;
965
966 for_each_possible_cpu(i) {
967 for_each_cpu_buffer(j) {
968 char *buffer;
969
970 if (cpu_to_node(i) > num_online_nodes())
971 /* fallback to kmalloc for offline nodes */
972 buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
973 else
974 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
975 cpu_to_node(i));
976 if (!buffer) {
977 destroy_buffers();
978 return -ENOMEM;
979 }
980 per_cpu(aa_buffers, i).buf[j] = buffer;
981 }
982 }
983
984 return 0;
985}
986
e3ea1ca5
TH		 987#ifdef CONFIG_SYSCTL
988static int apparmor_dointvec(struct ctl_table *table, int write,
989 void __user *buffer, size_t *lenp, loff_t *ppos)
990{
991 if (!policy_admin_capable(NULL))
992 return -EPERM;
993 if (!apparmor_enabled)
994 return -EINVAL;
995
996 return proc_dointvec(table, write, buffer, lenp, ppos);
997}
998
999static struct ctl_path apparmor_sysctl_path[] = {
1000 { .procname = "kernel", },
1001 { }
1002};
1003
1004static struct ctl_table apparmor_sysctl_table[] = {
1005 {
1006 .procname = "unprivileged_userns_apparmor_policy",
1007 .data = &unprivileged_userns_apparmor_policy,
1008 .maxlen = sizeof(int),
1009 .mode = 0600,
1010 .proc_handler = apparmor_dointvec,
1011 },
1012 { }
1013};
1014
1015static int __init apparmor_init_sysctl(void)
1016{
1017 return register_sysctl_paths(apparmor_sysctl_path,
1018 apparmor_sysctl_table) ? 0 : -ENOMEM;
1019}
1020#else
1021static inline int apparmor_init_sysctl(void)
1022{
1023 return 0;
1024}
1025#endif /* CONFIG_SYSCTL */
1026
b5e95b48
JJ		 1027static int __init apparmor_init(void)
1028{
1029 int error;
1030
b1d9e6b0 1031 if (!apparmor_enabled || !security_module_enable("apparmor")) {
b5e95b48
JJ		 1032 aa_info_message("AppArmor disabled by boot time parameter");
1033 apparmor_enabled = 0;
1034 return 0;
1035 }
1036
11c236b8
JJ		 1037 error = aa_setup_dfa_engine();
1038 if (error) {
1039 AA_ERROR("Unable to setup dfa engine\n");
1040 goto alloc_out;
1041 }
1042
b5e95b48
JJ		 1043 error = aa_alloc_root_ns();
1044 if (error) {
1045 AA_ERROR("Unable to allocate default profile namespace\n");
1046 goto alloc_out;
1047 }
1048
e3ea1ca5
TH		 1049 error = apparmor_init_sysctl();
1050 if (error) {
1051 AA_ERROR("Unable to register sysctls\n");
1052 goto alloc_out;
1053
1054 }
1055
d4669f0b
JJ		 1056 error = alloc_buffers();
1057 if (error) {
1058 AA_ERROR("Unable to allocate work buffers\n");
1059 goto buffers_out;
1060 }
1061
55a26ebf 1062 error = set_init_ctx();
b5e95b48
JJ		 1063 if (error) {
1064 AA_ERROR("Failed to set context on init task\n");
b1d9e6b0 1065 aa_free_root_ns();
d4669f0b 1066 goto buffers_out;
b5e95b48 1067 }
d69dece5
CS		 1068 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1069 "apparmor");
b5e95b48
JJ		 1070
1071 /* Report that AppArmor successfully initialized */
1072 apparmor_initialized = 1;
1073 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1074 aa_info_message("AppArmor initialized: complain mode enabled");
1075 else if (aa_g_profile_mode == APPARMOR_KILL)
1076 aa_info_message("AppArmor initialized: kill mode enabled");
1077 else
1078 aa_info_message("AppArmor initialized");
1079
1080 return error;
1081
d4669f0b
JJ		 1082buffers_out:
1083 destroy_buffers();
1084
b5e95b48
JJ		 1085alloc_out:
1086 aa_destroy_aafs();
11c236b8 1087 aa_teardown_dfa_engine();
b5e95b48
JJ		 1088
1089 apparmor_enabled = 0;
1090 return error;
b5e95b48
JJ		 1091}
1092
1093security_initcall(apparmor_init);
Ubuntu Artful kernel mirror