]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - security/apparmor/lsm.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: cleanup remove unused and not fully implemented profile rename
[mirror_ubuntu-artful-kernel.git] / security / apparmor / lsm.c
CommitLineData
b5e95b48
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor LSM hooks.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
3c4ed7bd 15#include <linux/lsm_hooks.h>
b5e95b48
JJ		 16#include <linux/moduleparam.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/mount.h>
20#include <linux/namei.h>
21#include <linux/ptrace.h>
22#include <linux/ctype.h>
23#include <linux/sysctl.h>
24#include <linux/audit.h>
3486740a 25#include <linux/user_namespace.h>
e025be0f 26#include <linux/kmemleak.h>
b5e95b48
JJ		 27#include <net/sock.h>
28
29#include "include/apparmor.h"
30#include "include/apparmorfs.h"
31#include "include/audit.h"
32#include "include/capability.h"
33#include "include/context.h"
34#include "include/file.h"
35#include "include/ipc.h"
36#include "include/path.h"
37#include "include/policy.h"
cff281f6 38#include "include/policy_ns.h"
b5e95b48
JJ		 39#include "include/procattr.h"
40
41/* Flag indicating whether initialization completed */
545de8fe 42int apparmor_initialized;
b5e95b48 43
d4669f0b
JJ		 44DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
45
46
b5e95b48
JJ		 47/*
48 * LSM hook functions
49 */
50
51/*
55a26ebf 52 * free the associated aa_task_ctx and put its profiles
b5e95b48
JJ		 53 */
54static void apparmor_cred_free(struct cred *cred)
55{
55a26ebf
JJ		 56 aa_free_task_context(cred_ctx(cred));
57 cred_ctx(cred) = NULL;
b5e95b48
JJ		 58}
59
60/*
61 * allocate the apparmor part of blank credentials
62 */
63static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
64{
65 /* freed by apparmor_cred_free */
55a26ebf
JJ		 66 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
67
68 if (!ctx)
b5e95b48
JJ		 69 return -ENOMEM;
70
55a26ebf 71 cred_ctx(cred) = ctx;
b5e95b48
JJ		 72 return 0;
73}
74
75/*
55a26ebf 76 * prepare new aa_task_ctx for modification by prepare_cred block
b5e95b48
JJ		 77 */
78static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
79 gfp_t gfp)
80{
81 /* freed by apparmor_cred_free */
55a26ebf
JJ		 82 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
83
84 if (!ctx)
b5e95b48
JJ		 85 return -ENOMEM;
86
55a26ebf
JJ		 87 aa_dup_task_context(ctx, cred_ctx(old));
88 cred_ctx(new) = ctx;
b5e95b48
JJ		 89 return 0;
90}
91
92/*
93 * transfer the apparmor data to a blank set of creds
94 */
95static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
96{
55a26ebf
JJ		 97 const struct aa_task_ctx *old_ctx = cred_ctx(old);
98 struct aa_task_ctx *new_ctx = cred_ctx(new);
b5e95b48 99
55a26ebf 100 aa_dup_task_context(new_ctx, old_ctx);
b5e95b48
JJ		 101}
102
103static int apparmor_ptrace_access_check(struct task_struct *child,
104 unsigned int mode)
105{
b5e95b48
JJ		 106 return aa_ptrace(current, child, mode);
107}
108
109static int apparmor_ptrace_traceme(struct task_struct *parent)
110{
b5e95b48
JJ		 111 return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
112}
113
114/* Derived from security/commoncap.c:cap_capget */
115static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
116 kernel_cap_t *inheritable, kernel_cap_t *permitted)
117{
118 struct aa_profile *profile;
119 const struct cred *cred;
120
121 rcu_read_lock();
122 cred = __task_cred(target);
cf797c0e 123 profile = aa_get_newest_cred_profile(cred);
b5e95b48 124
b1d9e6b0
CS		 125 /*
126 * cap_capget is stacked ahead of this and will
127 * initialize effective and permitted.
128 */
25e75dff 129 if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
b5e95b48
JJ		 130 *effective = cap_intersect(*effective, profile->caps.allow);
131 *permitted = cap_intersect(*permitted, profile->caps.allow);
132 }
133 rcu_read_unlock();
cf797c0e 134 aa_put_profile(profile);
b5e95b48
JJ		 135
136 return 0;
137}
138
6a9de491
EP		 139static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
140 int cap, int audit)
b5e95b48
JJ		 141{
142 struct aa_profile *profile;
b1d9e6b0
CS		 143 int error = 0;
144
cf797c0e 145 profile = aa_get_newest_cred_profile(cred);
b1d9e6b0
CS		 146 if (!unconfined(profile))
147 error = aa_capable(profile, cap, audit);
cf797c0e
JJ		 148 aa_put_profile(profile);
149
b5e95b48
JJ		 150 return error;
151}
152
153/**
154 * common_perm - basic common permission check wrapper fn for paths
155 * @op: operation being checked
156 * @path: path to check permission of (NOT NULL)
157 * @mask: requested permissions mask
158 * @cond: conditional info for the permission request (NOT NULL)
159 *
160 * Returns: %0 else error code if error or permission denied
161 */
47f6e5cc 162static int common_perm(const char *op, const struct path *path, u32 mask,
b5e95b48
JJ		 163 struct path_cond *cond)
164{
165 struct aa_profile *profile;
166 int error = 0;
167
cf797c0e 168 profile = __begin_current_profile_crit_section();
b5e95b48
JJ		 169 if (!unconfined(profile))
170 error = aa_path_perm(op, profile, path, 0, mask, cond);
cf797c0e 171 __end_current_profile_crit_section(profile);
b5e95b48
JJ		 172
173 return error;
174}
175
176/**
31f75bfe 177 * common_perm_cond - common permission wrapper around inode cond
b5e95b48 178 * @op: operation being checked
31f75bfe 179 * @path: location to check (NOT NULL)
b5e95b48 180 * @mask: requested permissions mask
b5e95b48
JJ		 181 *
182 * Returns: %0 else error code if error or permission denied
183 */
31f75bfe 184static int common_perm_cond(const char *op, const struct path *path, u32 mask)
b5e95b48 185{
31f75bfe
JJ		 186 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
187 d_backing_inode(path->dentry)->i_mode
188 };
b5e95b48 189
31f75bfe
JJ		 190 if (!path_mediated_fs(path->dentry))
191 return 0;
192
193 return common_perm(op, path, mask, &cond);
b5e95b48
JJ		 194}
195
196/**
31f75bfe 197 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
b5e95b48 198 * @op: operation being checked
31f75bfe
JJ		 199 * @dir: directory of the dentry (NOT NULL)
200 * @dentry: dentry to check (NOT NULL)
b5e95b48 201 * @mask: requested permissions mask
31f75bfe 202 * @cond: conditional info for the permission request (NOT NULL)
b5e95b48
JJ		 203 *
204 * Returns: %0 else error code if error or permission denied
205 */
31f75bfe
JJ		 206static int common_perm_dir_dentry(const char *op, const struct path *dir,
207 struct dentry *dentry, u32 mask,
208 struct path_cond *cond)
b5e95b48 209{
31f75bfe 210 struct path path = { .mnt = dir->mnt, .dentry = dentry };
b5e95b48 211
31f75bfe 212 return common_perm(op, &path, mask, cond);
b5e95b48
JJ		 213}
214
215/**
216 * common_perm_rm - common permission wrapper for operations doing rm
217 * @op: operation being checked
218 * @dir: directory that the dentry is in (NOT NULL)
219 * @dentry: dentry being rm'd (NOT NULL)
220 * @mask: requested permission mask
221 *
222 * Returns: %0 else error code if error or permission denied
223 */
47f6e5cc 224static int common_perm_rm(const char *op, const struct path *dir,
b5e95b48
JJ		 225 struct dentry *dentry, u32 mask)
226{
c6f493d6 227 struct inode *inode = d_backing_inode(dentry);
b5e95b48
JJ		 228 struct path_cond cond = { };
229
efeee83a 230 if (!inode || !path_mediated_fs(dentry))
b5e95b48
JJ		 231 return 0;
232
233 cond.uid = inode->i_uid;
234 cond.mode = inode->i_mode;
235
236 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
237}
238
239/**
240 * common_perm_create - common permission wrapper for operations doing create
241 * @op: operation being checked
242 * @dir: directory that dentry will be created in (NOT NULL)
243 * @dentry: dentry to create (NOT NULL)
244 * @mask: request permission mask
245 * @mode: created file mode
246 *
247 * Returns: %0 else error code if error or permission denied
248 */
47f6e5cc 249static int common_perm_create(const char *op, const struct path *dir,
d6b49f7a 250 struct dentry *dentry, u32 mask, umode_t mode)
b5e95b48
JJ		 251{
252 struct path_cond cond = { current_fsuid(), mode };
253
efeee83a 254 if (!path_mediated_fs(dir->dentry))
b5e95b48
JJ		 255 return 0;
256
257 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
258}
259
989f74e0 260static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 261{
262 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
263}
264
d3607752 265static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
4572befe 266 umode_t mode)
b5e95b48
JJ		 267{
268 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
269 S_IFDIR);
270}
271
989f74e0 272static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 273{
274 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
275}
276
d3607752 277static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
04fc66e7 278 umode_t mode, unsigned int dev)
b5e95b48
JJ		 279{
280 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
281}
282
81f4c506 283static int apparmor_path_truncate(const struct path *path)
b5e95b48 284{
e53cfe6c 285 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
b5e95b48
JJ		 286}
287
d3607752 288static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
b5e95b48
JJ		 289 const char *old_name)
290{
291 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
292 S_IFLNK);
293}
294
3ccee46a 295static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
b5e95b48
JJ		 296 struct dentry *new_dentry)
297{
298 struct aa_profile *profile;
299 int error = 0;
300
efeee83a 301 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 302 return 0;
303
cf797c0e 304 profile = begin_current_profile_crit_section();
b5e95b48
JJ		 305 if (!unconfined(profile))
306 error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
cf797c0e
JJ		 307 end_current_profile_crit_section(profile);
308
b5e95b48
JJ		 309 return error;
310}
311
3ccee46a
AV		 312static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
313 const struct path *new_dir, struct dentry *new_dentry)
b5e95b48
JJ		 314{
315 struct aa_profile *profile;
316 int error = 0;
317
efeee83a 318 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 319 return 0;
320
cf797c0e 321 profile = begin_current_profile_crit_section();
b5e95b48 322 if (!unconfined(profile)) {
8486adf0
KC		 323 struct path old_path = { .mnt = old_dir->mnt,
324 .dentry = old_dentry };
325 struct path new_path = { .mnt = new_dir->mnt,
326 .dentry = new_dentry };
c6f493d6
DH		 327 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
328 d_backing_inode(old_dentry)->i_mode
b5e95b48
JJ		 329 };
330
331 error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
e53cfe6c
JJ		 332 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
333 AA_MAY_SETATTR | AA_MAY_DELETE,
b5e95b48
JJ		 334 &cond);
335 if (!error)
336 error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
e53cfe6c 337 0, MAY_WRITE | AA_MAY_SETATTR |
b5e95b48
JJ		 338 AA_MAY_CREATE, &cond);
339
340 }
cf797c0e
JJ		 341 end_current_profile_crit_section(profile);
342
b5e95b48
JJ		 343 return error;
344}
345
be01f9f2 346static int apparmor_path_chmod(const struct path *path, umode_t mode)
b5e95b48 347{
31f75bfe 348 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
b5e95b48
JJ		 349}
350
7fd25dac 351static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
b5e95b48 352{
31f75bfe 353 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
b5e95b48
JJ		 354}
355
3f7036a0 356static int apparmor_inode_getattr(const struct path *path)
b5e95b48 357{
e53cfe6c 358 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
b5e95b48
JJ		 359}
360
83d49856 361static int apparmor_file_open(struct file *file, const struct cred *cred)
b5e95b48 362{
55a26ebf 363 struct aa_file_ctx *fctx = file->f_security;
b5e95b48
JJ		 364 struct aa_profile *profile;
365 int error = 0;
366
efeee83a 367 if (!path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 368 return 0;
369
370 /* If in exec, permission is handled by bprm hooks.
371 * Cache permissions granted by the previous exec check, with
372 * implicit read and executable mmap which are required to
373 * actually execute the image.
374 */
375 if (current->in_execve) {
55a26ebf 376 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
b5e95b48
JJ		 377 return 0;
378 }
379
cf797c0e 380 profile = aa_get_newest_cred_profile(cred);
b5e95b48 381 if (!unconfined(profile)) {
496ad9aa 382 struct inode *inode = file_inode(file);
b5e95b48
JJ		 383 struct path_cond cond = { inode->i_uid, inode->i_mode };
384
385 error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
386 aa_map_file_to_perms(file), &cond);
387 /* todo cache full allowed permissions set and state */
55a26ebf 388 fctx->allow = aa_map_file_to_perms(file);
b5e95b48 389 }
cf797c0e 390 aa_put_profile(profile);
b5e95b48
JJ		 391
392 return error;
393}
394
395static int apparmor_file_alloc_security(struct file *file)
396{
cf797c0e
JJ		 397 int error = 0;
398
b5e95b48 399 /* freed by apparmor_file_free_security */
cf797c0e 400 struct aa_profile *profile = begin_current_profile_crit_section();
b5e95b48
JJ		 401 file->f_security = aa_alloc_file_context(GFP_KERNEL);
402 if (!file->f_security)
403 return -ENOMEM;
cf797c0e 404 end_current_profile_crit_section(profile);
b5e95b48 405
cf797c0e 406 return error;
b5e95b48
JJ		 407}
408
409static void apparmor_file_free_security(struct file *file)
410{
55a26ebf 411 struct aa_file_ctx *ctx = file->f_security;
b5e95b48 412
55a26ebf 413 aa_free_file_context(ctx);
b5e95b48
JJ		 414}
415
47f6e5cc 416static int common_file_perm(const char *op, struct file *file, u32 mask)
b5e95b48 417{
55a26ebf 418 struct aa_file_ctx *fctx = file->f_security;
cf797c0e 419 struct aa_profile *profile, *fprofile;
b5e95b48
JJ		 420 int error = 0;
421
cf797c0e 422 fprofile = aa_cred_raw_profile(file->f_cred);
e6bfa25d 423 AA_BUG(!fprofile);
b5e95b48
JJ		 424
425 if (!file->f_path.mnt ||
efeee83a 426 !path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 427 return 0;
428
cf797c0e 429 profile = __begin_current_profile_crit_section();
b5e95b48
JJ		 430
431 /* revalidate access, if task is unconfined, or the cached cred
432 * doesn't match or if the request is for more permissions than
433 * was granted.
434 *
435 * Note: the test for !unconfined(fprofile) is to handle file
436 * delegation from unconfined tasks
437 */
438 if (!unconfined(profile) && !unconfined(fprofile) &&
55a26ebf 439 ((fprofile != profile) || (mask & ~fctx->allow)))
b5e95b48 440 error = aa_file_perm(op, profile, file, mask);
cf797c0e 441 __end_current_profile_crit_section(profile);
b5e95b48
JJ		 442
443 return error;
444}
445
446static int apparmor_file_permission(struct file *file, int mask)
447{
448 return common_file_perm(OP_FPERM, file, mask);
449}
450
451static int apparmor_file_lock(struct file *file, unsigned int cmd)
452{
453 u32 mask = AA_MAY_LOCK;
454
455 if (cmd == F_WRLCK)
456 mask |= MAY_WRITE;
457
458 return common_file_perm(OP_FLOCK, file, mask);
459}
460
47f6e5cc 461static int common_mmap(const char *op, struct file *file, unsigned long prot,
b5e95b48
JJ		 462 unsigned long flags)
463{
b5e95b48
JJ		 464 int mask = 0;
465
466 if (!file || !file->f_security)
467 return 0;
468
469 if (prot & PROT_READ)
470 mask |= MAY_READ;
471 /*
472 * Private mappings don't require write perms since they don't
473 * write back to the files
474 */
475 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
476 mask |= MAY_WRITE;
477 if (prot & PROT_EXEC)
478 mask |= AA_EXEC_MMAP;
479
b5e95b48
JJ		 480 return common_file_perm(op, file, mask);
481}
482
e5467859
AV		 483static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
484 unsigned long prot, unsigned long flags)
b5e95b48 485{
b5e95b48
JJ		 486 return common_mmap(OP_FMMAP, file, prot, flags);
487}
488
489static int apparmor_file_mprotect(struct vm_area_struct *vma,
490 unsigned long reqprot, unsigned long prot)
491{
492 return common_mmap(OP_FMPROT, vma->vm_file, prot,
493 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
494}
495
496static int apparmor_getprocattr(struct task_struct *task, char *name,
497 char **value)
498{
499 int error = -ENOENT;
b5e95b48
JJ		 500 /* released below */
501 const struct cred *cred = get_task_cred(task);
55a26ebf 502 struct aa_task_ctx *ctx = cred_ctx(cred);
77b071b3 503 struct aa_profile *profile = NULL;
b5e95b48
JJ		 504
505 if (strcmp(name, "current") == 0)
55a26ebf
JJ		 506 profile = aa_get_newest_profile(ctx->profile);
507 else if (strcmp(name, "prev") == 0 && ctx->previous)
508 profile = aa_get_newest_profile(ctx->previous);
509 else if (strcmp(name, "exec") == 0 && ctx->onexec)
510 profile = aa_get_newest_profile(ctx->onexec);
b5e95b48
JJ		 511 else
512 error = -EINVAL;
513
77b071b3
JJ		 514 if (profile)
515 error = aa_getprocattr(profile, value);
516
517 aa_put_profile(profile);
b5e95b48
JJ		 518 put_cred(cred);
519
520 return error;
521}
522
b21507e2
SS		 523static int apparmor_setprocattr(const char *name, void *value,
524 size_t size)
b5e95b48 525{
e89b8081 526 char *command, *largs = NULL, *args = value;
b5e95b48
JJ		 527 size_t arg_size;
528 int error;
ef88a7ac 529 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
b5e95b48
JJ		 530
531 if (size == 0)
532 return -EINVAL;
b5e95b48 533
e89b8081
VN		 534 /* AppArmor requires that the buffer must be null terminated atm */
535 if (args[size - 1] != '\0') {
536 /* null terminate */
537 largs = args = kmalloc(size + 1, GFP_KERNEL);
538 if (!args)
539 return -ENOMEM;
540 memcpy(args, value, size);
541 args[size] = '\0';
542 }
543
544 error = -EINVAL;
b5e95b48
JJ		 545 args = strim(args);
546 command = strsep(&args, " ");
547 if (!args)
e89b8081 548 goto out;
b5e95b48
JJ		 549 args = skip_spaces(args);
550 if (!*args)
e89b8081 551 goto out;
b5e95b48 552
d4d03f74 553 arg_size = size - (args - (largs ? largs : (char *) value));
b5e95b48
JJ		 554 if (strcmp(name, "current") == 0) {
555 if (strcmp(command, "changehat") == 0) {
556 error = aa_setprocattr_changehat(args, arg_size,
557 !AA_DO_TEST);
558 } else if (strcmp(command, "permhat") == 0) {
559 error = aa_setprocattr_changehat(args, arg_size,
560 AA_DO_TEST);
561 } else if (strcmp(command, "changeprofile") == 0) {
aa9a39ad
JJ		 562 error = aa_change_profile(args, !AA_ONEXEC,
563 !AA_DO_TEST, false);
b5e95b48 564 } else if (strcmp(command, "permprofile") == 0) {
aa9a39ad
JJ		 565 error = aa_change_profile(args, !AA_ONEXEC, AA_DO_TEST,
566 false);
3eea57c2
JJ		 567 } else
568 goto fail;
b5e95b48 569 } else if (strcmp(name, "exec") == 0) {
3eea57c2 570 if (strcmp(command, "exec") == 0)
aa9a39ad
JJ		 571 error = aa_change_profile(args, AA_ONEXEC, !AA_DO_TEST,
572 false);
3eea57c2
JJ		 573 else
574 goto fail;
575 } else
b5e95b48 576 /* only support the "current" and "exec" process attributes */
e89b8081 577 goto fail;
3eea57c2 578
b5e95b48
JJ		 579 if (!error)
580 error = size;
e89b8081
VN		 581out:
582 kfree(largs);
b5e95b48 583 return error;
3eea57c2
JJ		 584
585fail:
cf797c0e 586 aad(&sa)->profile = begin_current_profile_crit_section();
ef88a7ac
JJ		 587 aad(&sa)->info = name;
588 aad(&sa)->error = error = -EINVAL;
3eea57c2 589 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
cf797c0e 590 end_current_profile_crit_section(aad(&sa)->profile);
e89b8081 591 goto out;
b5e95b48
JJ		 592}
593
fe864821
JJ		 594/**
595 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
596 * @bprm: binprm for the exec (NOT NULL)
597 */
598static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
599{
cf797c0e 600 struct aa_profile *profile = aa_current_raw_profile();
fe864821
JJ		 601 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);
602
603 /* bail out if unconfined or not changing profile */
604 if ((new_ctx->profile == profile) ||
605 (unconfined(new_ctx->profile)))
606 return;
607
608 current->pdeath_signal = 0;
609
610 /* reset soft limits and set hard limits for the new profile */
611 __aa_transition_rlimits(profile, new_ctx->profile);
612}
613
614/**
615 * apparmor_bprm_committed_cred - do cleanup after new creds committed
616 * @bprm: binprm for the exec (NOT NULL)
617 */
618static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
619{
620 /* TODO: cleanup signals - ipc mediation */
621 return;
622}
623
7cb4dc9f
JS		 624static int apparmor_task_setrlimit(struct task_struct *task,
625 unsigned int resource, struct rlimit *new_rlim)
b5e95b48 626{
cf797c0e 627 struct aa_profile *profile = __begin_current_profile_crit_section();
b5e95b48
JJ		 628 int error = 0;
629
630 if (!unconfined(profile))
3a2dc838 631 error = aa_task_setrlimit(profile, task, resource, new_rlim);
cf797c0e 632 __end_current_profile_crit_section(profile);
b5e95b48
JJ		 633
634 return error;
635}
636
ca97d939 637static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
e20b043a
CS		 638 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
639 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
640 LSM_HOOK_INIT(capget, apparmor_capget),
641 LSM_HOOK_INIT(capable, apparmor_capable),
642
643 LSM_HOOK_INIT(path_link, apparmor_path_link),
644 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
645 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
646 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
647 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
648 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
649 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
650 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
651 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
652 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
653 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
654
655 LSM_HOOK_INIT(file_open, apparmor_file_open),
656 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
657 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
658 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
659 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
e20b043a
CS		 660 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
661 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
662
663 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
664 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
665
666 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
667 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
668 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
669 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
670
671 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
672 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
673 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
674 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
675
676 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
b5e95b48
JJ		 677};
678
679/*
680 * AppArmor sysfs module parameters
681 */
682
101d6c82
SR		 683static int param_set_aabool(const char *val, const struct kernel_param *kp);
684static int param_get_aabool(char *buffer, const struct kernel_param *kp);
b8aa09fd 685#define param_check_aabool param_check_bool
9c27847d 686static const struct kernel_param_ops param_ops_aabool = {
6a4c2643 687 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 688 .set = param_set_aabool,
689 .get = param_get_aabool
690};
b5e95b48 691
101d6c82
SR		 692static int param_set_aauint(const char *val, const struct kernel_param *kp);
693static int param_get_aauint(char *buffer, const struct kernel_param *kp);
b8aa09fd 694#define param_check_aauint param_check_uint
9c27847d 695static const struct kernel_param_ops param_ops_aauint = {
101d6c82
SR		 696 .set = param_set_aauint,
697 .get = param_get_aauint
698};
b5e95b48 699
101d6c82
SR		 700static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
701static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
b8aa09fd 702#define param_check_aalockpolicy param_check_bool
9c27847d 703static const struct kernel_param_ops param_ops_aalockpolicy = {
6a4c2643 704 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 705 .set = param_set_aalockpolicy,
706 .get = param_get_aalockpolicy
707};
b5e95b48
JJ		 708
709static int param_set_audit(const char *val, struct kernel_param *kp);
710static int param_get_audit(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 711
712static int param_set_mode(const char *val, struct kernel_param *kp);
713static int param_get_mode(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 714
715/* Flag values, also controllable via /sys/module/apparmor/parameters
716 * We define special types as we want to do additional mediation.
717 */
718
719/* AppArmor global enforcement switch - complain, enforce, kill */
720enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
721module_param_call(mode, param_set_mode, param_get_mode,
722 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
723
6059f71f 724/* whether policy verification hashing is enabled */
7616ac70 725bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
3ccb76c5 726#ifdef CONFIG_SECURITY_APPARMOR_HASH
6059f71f 727module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
7616ac70 728#endif
6059f71f 729
b5e95b48 730/* Debug mode */
eea7a05f 731bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
b5e95b48
JJ		 732module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
733
734/* Audit mode */
735enum audit_mode aa_g_audit;
736module_param_call(audit, param_set_audit, param_get_audit,
737 &aa_g_audit, S_IRUSR | S_IWUSR);
738
739/* Determines if audit header is included in audited messages. This
740 * provides more context if the audit daemon is not running
741 */
90ab5ee9 742bool aa_g_audit_header = 1;
b5e95b48
JJ		 743module_param_named(audit_header, aa_g_audit_header, aabool,
744 S_IRUSR | S_IWUSR);
745
746/* lock out loading/removal of policy
747 * TODO: add in at boot loading of policy, which is the only way to
748 * load policy, if lock_policy is set
749 */
90ab5ee9 750bool aa_g_lock_policy;
b5e95b48
JJ		 751module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
752 S_IRUSR | S_IWUSR);
753
754/* Syscall logging mode */
90ab5ee9 755bool aa_g_logsyscall;
b5e95b48
JJ		 756module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
757
758/* Maximum pathname length before accesses will start getting rejected */
759unsigned int aa_g_path_max = 2 * PATH_MAX;
622f6e32 760module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
b5e95b48
JJ		 761
762/* Determines how paranoid loading of policy is and how much verification
763 * on the loaded policy is done.
abbf8734
JJ		 764 * DEPRECATED: read only as strict checking of load is always done now
765 * that none root users (user namespaces) can load policy.
b5e95b48 766 */
90ab5ee9 767bool aa_g_paranoid_load = 1;
abbf8734 768module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
b5e95b48
JJ		 769
770/* Boot time disable flag */
90ab5ee9 771static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
c611616c 772module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
b5e95b48
JJ		 773
774static int __init apparmor_enabled_setup(char *str)
775{
776 unsigned long enabled;
29707b20 777 int error = kstrtoul(str, 0, &enabled);
b5e95b48
JJ		 778 if (!error)
779 apparmor_enabled = enabled ? 1 : 0;
780 return 1;
781}
782
783__setup("apparmor=", apparmor_enabled_setup);
784
785/* set global flag turning off the ability to load policy */
101d6c82 786static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
b5e95b48 787{
545de8fe
JJ		 788 if (!apparmor_enabled)
789 return -EINVAL;
790 if (apparmor_initialized && !policy_admin_capable(NULL))
b5e95b48 791 return -EPERM;
b5e95b48
JJ		 792 return param_set_bool(val, kp);
793}
794
101d6c82 795static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
b5e95b48 796{
ca4bd5ae
JJ		 797 if (!apparmor_enabled)
798 return -EINVAL;
545de8fe
JJ		 799 if (apparmor_initialized && !policy_view_capable(NULL))
800 return -EPERM;
b5e95b48
JJ		 801 return param_get_bool(buffer, kp);
802}
803
101d6c82 804static int param_set_aabool(const char *val, const struct kernel_param *kp)
b5e95b48 805{
ca4bd5ae
JJ		 806 if (!apparmor_enabled)
807 return -EINVAL;
545de8fe
JJ		 808 if (apparmor_initialized && !policy_admin_capable(NULL))
809 return -EPERM;
b5e95b48
JJ		 810 return param_set_bool(val, kp);
811}
812
101d6c82 813static int param_get_aabool(char *buffer, const struct kernel_param *kp)
b5e95b48 814{
ca4bd5ae
JJ		 815 if (!apparmor_enabled)
816 return -EINVAL;
545de8fe
JJ		 817 if (apparmor_initialized && !policy_view_capable(NULL))
818 return -EPERM;
b5e95b48
JJ		 819 return param_get_bool(buffer, kp);
820}
821
101d6c82 822static int param_set_aauint(const char *val, const struct kernel_param *kp)
b5e95b48 823{
39d84824
JJ		 824 int error;
825
ca4bd5ae
JJ		 826 if (!apparmor_enabled)
827 return -EINVAL;
39d84824
JJ		 828 /* file is ro but enforce 2nd line check */
829 if (apparmor_initialized)
545de8fe 830 return -EPERM;
39d84824
JJ		 831
832 error = param_set_uint(val, kp);
833 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
834
835 return error;
b5e95b48
JJ		 836}
837
101d6c82 838static int param_get_aauint(char *buffer, const struct kernel_param *kp)
b5e95b48 839{
ca4bd5ae
JJ		 840 if (!apparmor_enabled)
841 return -EINVAL;
545de8fe
JJ		 842 if (apparmor_initialized && !policy_view_capable(NULL))
843 return -EPERM;
b5e95b48
JJ		 844 return param_get_uint(buffer, kp);
845}
846
847static int param_get_audit(char *buffer, struct kernel_param *kp)
848{
b5e95b48
JJ		 849 if (!apparmor_enabled)
850 return -EINVAL;
545de8fe
JJ		 851 if (apparmor_initialized && !policy_view_capable(NULL))
852 return -EPERM;
b5e95b48
JJ		 853 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
854}
855
856static int param_set_audit(const char *val, struct kernel_param *kp)
857{
858 int i;
b5e95b48
JJ		 859
860 if (!apparmor_enabled)
861 return -EINVAL;
b5e95b48
JJ		 862 if (!val)
863 return -EINVAL;
545de8fe
JJ		 864 if (apparmor_initialized && !policy_admin_capable(NULL))
865 return -EPERM;
b5e95b48
JJ		 866
867 for (i = 0; i < AUDIT_MAX_INDEX; i++) {
868 if (strcmp(val, audit_mode_names[i]) == 0) {
869 aa_g_audit = i;
870 return 0;
871 }
872 }
873
874 return -EINVAL;
875}
876
877static int param_get_mode(char *buffer, struct kernel_param *kp)
878{
b5e95b48
JJ		 879 if (!apparmor_enabled)
880 return -EINVAL;
545de8fe
JJ		 881 if (apparmor_initialized && !policy_view_capable(NULL))
882 return -EPERM;
b5e95b48 883
0d259f04 884 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
b5e95b48
JJ		 885}
886
887static int param_set_mode(const char *val, struct kernel_param *kp)
888{
889 int i;
b5e95b48
JJ		 890
891 if (!apparmor_enabled)
892 return -EINVAL;
b5e95b48
JJ		 893 if (!val)
894 return -EINVAL;
545de8fe
JJ		 895 if (apparmor_initialized && !policy_admin_capable(NULL))
896 return -EPERM;
b5e95b48 897
0d259f04
JJ		 898 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
899 if (strcmp(val, aa_profile_mode_names[i]) == 0) {
b5e95b48
JJ		 900 aa_g_profile_mode = i;
901 return 0;
902 }
903 }
904
905 return -EINVAL;
906}
907
908/*
909 * AppArmor init functions
910 */
911
912/**
55a26ebf 913 * set_init_ctx - set a task context and profile on the first task.
b5e95b48
JJ		 914 *
915 * TODO: allow setting an alternate profile than unconfined
916 */
55a26ebf 917static int __init set_init_ctx(void)
b5e95b48
JJ		 918{
919 struct cred *cred = (struct cred *)current->real_cred;
55a26ebf 920 struct aa_task_ctx *ctx;
b5e95b48 921
55a26ebf
JJ		 922 ctx = aa_alloc_task_context(GFP_KERNEL);
923 if (!ctx)
b5e95b48
JJ		 924 return -ENOMEM;
925
55a26ebf
JJ		 926 ctx->profile = aa_get_profile(root_ns->unconfined);
927 cred_ctx(cred) = ctx;
b5e95b48
JJ		 928
929 return 0;
930}
931
d4669f0b
JJ		 932static void destroy_buffers(void)
933{
934 u32 i, j;
935
936 for_each_possible_cpu(i) {
937 for_each_cpu_buffer(j) {
938 kfree(per_cpu(aa_buffers, i).buf[j]);
939 per_cpu(aa_buffers, i).buf[j] = NULL;
940 }
941 }
942}
943
944static int __init alloc_buffers(void)
945{
946 u32 i, j;
947
948 for_each_possible_cpu(i) {
949 for_each_cpu_buffer(j) {
950 char *buffer;
951
952 if (cpu_to_node(i) > num_online_nodes())
953 /* fallback to kmalloc for offline nodes */
954 buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
955 else
956 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
957 cpu_to_node(i));
958 if (!buffer) {
959 destroy_buffers();
960 return -ENOMEM;
961 }
962 per_cpu(aa_buffers, i).buf[j] = buffer;
963 }
964 }
965
966 return 0;
967}
968
e3ea1ca5
TH		 969#ifdef CONFIG_SYSCTL
970static int apparmor_dointvec(struct ctl_table *table, int write,
971 void __user *buffer, size_t *lenp, loff_t *ppos)
972{
973 if (!policy_admin_capable(NULL))
974 return -EPERM;
975 if (!apparmor_enabled)
976 return -EINVAL;
977
978 return proc_dointvec(table, write, buffer, lenp, ppos);
979}
980
981static struct ctl_path apparmor_sysctl_path[] = {
982 { .procname = "kernel", },
983 { }
984};
985
986static struct ctl_table apparmor_sysctl_table[] = {
987 {
988 .procname = "unprivileged_userns_apparmor_policy",
989 .data = &unprivileged_userns_apparmor_policy,
990 .maxlen = sizeof(int),
991 .mode = 0600,
992 .proc_handler = apparmor_dointvec,
993 },
994 { }
995};
996
997static int __init apparmor_init_sysctl(void)
998{
999 return register_sysctl_paths(apparmor_sysctl_path,
1000 apparmor_sysctl_table) ? 0 : -ENOMEM;
1001}
1002#else
1003static inline int apparmor_init_sysctl(void)
1004{
1005 return 0;
1006}
1007#endif /* CONFIG_SYSCTL */
1008
b5e95b48
JJ		 1009static int __init apparmor_init(void)
1010{
1011 int error;
1012
b1d9e6b0 1013 if (!apparmor_enabled || !security_module_enable("apparmor")) {
b5e95b48
JJ		 1014 aa_info_message("AppArmor disabled by boot time parameter");
1015 apparmor_enabled = 0;
1016 return 0;
1017 }
1018
11c236b8
JJ		 1019 error = aa_setup_dfa_engine();
1020 if (error) {
1021 AA_ERROR("Unable to setup dfa engine\n");
1022 goto alloc_out;
1023 }
1024
b5e95b48
JJ		 1025 error = aa_alloc_root_ns();
1026 if (error) {
1027 AA_ERROR("Unable to allocate default profile namespace\n");
1028 goto alloc_out;
1029 }
1030
e3ea1ca5
TH		 1031 error = apparmor_init_sysctl();
1032 if (error) {
1033 AA_ERROR("Unable to register sysctls\n");
1034 goto alloc_out;
1035
1036 }
1037
d4669f0b
JJ		 1038 error = alloc_buffers();
1039 if (error) {
1040 AA_ERROR("Unable to allocate work buffers\n");
1041 goto buffers_out;
1042 }
1043
55a26ebf 1044 error = set_init_ctx();
b5e95b48
JJ		 1045 if (error) {
1046 AA_ERROR("Failed to set context on init task\n");
b1d9e6b0 1047 aa_free_root_ns();
d4669f0b 1048 goto buffers_out;
b5e95b48 1049 }
d69dece5
CS		 1050 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1051 "apparmor");
b5e95b48
JJ		 1052
1053 /* Report that AppArmor successfully initialized */
1054 apparmor_initialized = 1;
1055 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1056 aa_info_message("AppArmor initialized: complain mode enabled");
1057 else if (aa_g_profile_mode == APPARMOR_KILL)
1058 aa_info_message("AppArmor initialized: kill mode enabled");
1059 else
1060 aa_info_message("AppArmor initialized");
1061
1062 return error;
1063
d4669f0b
JJ		 1064buffers_out:
1065 destroy_buffers();
1066
b5e95b48
JJ		 1067alloc_out:
1068 aa_destroy_aafs();
11c236b8 1069 aa_teardown_dfa_engine();
b5e95b48
JJ		 1070
1071 apparmor_enabled = 0;
1072 return error;
b5e95b48
JJ		 1073}
1074
1075security_initcall(apparmor_init);
Ubuntu Artful kernel mirror