]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/domain.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Revert "UBUNTU: SAUCE: apparmor: Fix no_new_privs blocking change_onexec when using...
[mirror_ubuntu-artful-kernel.git] / security / apparmor / domain.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy attachment and domain transitions
5 *
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15 #include <linux/errno.h>
16 #include <linux/fdtable.h>
17 #include <linux/file.h>
18 #include <linux/mount.h>
19 #include <linux/syscalls.h>
20 #include <linux/tracehook.h>
21 #include <linux/personality.h>
22
23 #include "include/audit.h"
24 #include "include/apparmorfs.h"
25 #include "include/context.h"
26 #include "include/domain.h"
27 #include "include/file.h"
28 #include "include/ipc.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
32
33 /**
34 * aa_free_domain_entries - free entries in a domain table
35 * @domain: the domain table to free (MAYBE NULL)
36 */
37 void aa_free_domain_entries(struct aa_domain *domain)
38 {
39 int i;
40 if (domain) {
41 if (!domain->table)
42 return;
43
44 for (i = 0; i < domain->size; i++)
45 kzfree(domain->table[i]);
46 kzfree(domain->table);
47 domain->table = NULL;
48 }
49 }
50
51 /**
52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @to_label: profile to change to (NOT NULL)
54 * @info: message if there is an error
55 *
56 * Check if current is ptraced and if so if the tracing task is allowed
57 * to trace the new domain
58 *
59 * Returns: %0 or error if change not allowed
60 */
61 static int may_change_ptraced_domain(struct aa_label *to_label,
62 const char **info)
63 {
64 struct task_struct *tracer;
65 struct aa_label *tracerl = NULL;
66 int error = 0;
67
68 rcu_read_lock();
69 tracer = ptrace_parent(current);
70 if (tracer)
71 /* released below */
72 tracerl = aa_get_task_label(tracer);
73
74 /* not ptraced */
75 if (!tracer || unconfined(tracerl))
76 goto out;
77
78 error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
79
80 out:
81 rcu_read_unlock();
82 aa_put_label(tracerl);
83
84 if (error)
85 *info = "ptrace prevents transition";
86 return error;
87 }
88
89 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
90 * specifically this is an exact copy of aa_label_match except
91 * aa_compute_perms is replaced with aa_compute_fperms
92 * and policy.dfa with file.dfa
93 ****/
94 /* match a profile and its associated ns component if needed
95 * Assumes visibility test has already been done.
96 * If a subns profile is not to be matched should be prescreened with
97 * visibility test.
98 */
99 /* match a profile and its associated ns component if needed
100 * Assumes visibility test has already been done.
101 * If a subns profile is not to be matched should be prescreened with
102 * visibility test.
103 */
104 static inline unsigned int match_component(struct aa_profile *profile,
105 struct aa_profile *tp,
106 bool stack, unsigned int state)
107 {
108 const char *ns_name;
109
110 if (stack)
111 state = aa_dfa_match(profile->file.dfa, state, "&");
112 if (profile->ns == tp->ns)
113 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
114
115 /* try matching with namespace name and then profile */
116 ns_name = aa_ns_name(profile->ns, tp->ns, true);
117 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
118 state = aa_dfa_match(profile->file.dfa, state, ns_name);
119 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
120 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
121 }
122
123 /**
124 * label_component_match - find perms for full compound label
125 * @profile: profile to find perms for
126 * @label: label to check access permissions for
127 * @stack: whether this is a stacking request
128 * @start: state to start match in
129 * @subns: whether to do permission checks on components in a subns
130 * @request: permissions to request
131 * @perms: perms struct to set
132 *
133 * Returns: 0 on success else ERROR
134 *
135 * For the label A//&B//&C this does the perm match for A//&B//&C
136 * @perms should be preinitialized with allperms OR a previous permission
137 * check to be stacked.
138 */
139 static int label_compound_match(struct aa_profile *profile,
140 struct aa_label *label, bool stack,
141 unsigned int state, bool subns, u32 request,
142 struct aa_perms *perms)
143 {
144 struct aa_profile *tp;
145 struct label_it i;
146 struct path_cond cond = { };
147
148 /* find first subcomponent that is visible */
149 label_for_each(i, label, tp) {
150 if (!aa_ns_visible(profile->ns, tp->ns, subns))
151 continue;
152 state = match_component(profile, tp, stack, state);
153 if (!state)
154 goto fail;
155 goto next;
156 }
157
158 /* no component visible */
159 *perms = allperms;
160 return 0;
161
162 next:
163 label_for_each_cont(i, label, tp) {
164 if (!aa_ns_visible(profile->ns, tp->ns, subns))
165 continue;
166 state = aa_dfa_match(profile->file.dfa, state, "//&");
167 state = match_component(profile, tp, false, state);
168 if (!state)
169 goto fail;
170 }
171 *perms = aa_compute_fperms(profile->file.dfa, state, &cond);
172 aa_apply_modes_to_perms(profile, perms);
173 if ((perms->allow & request) != request)
174 return -EACCES;
175
176 return 0;
177
178 fail:
179 *perms = nullperms;
180 return -EACCES;
181 }
182
183 /**
184 * label_component_match - find perms for all subcomponents of a label
185 * @profile: profile to find perms for
186 * @label: label to check access permissions for
187 * @stack: whether this is a stacking request
188 * @start: state to start match in
189 * @subns: whether to do permission checks on components in a subns
190 * @request: permissions to request
191 * @perms: an initialized perms struct to add accumulation to
192 *
193 * Returns: 0 on success else ERROR
194 *
195 * For the label A//&B//&C this does the perm match for each of A and B and C
196 * @perms should be preinitialized with allperms OR a previous permission
197 * check to be stacked.
198 */
199 static int label_components_match(struct aa_profile *profile,
200 struct aa_label *label, bool stack,
201 unsigned int start, bool subns, u32 request,
202 struct aa_perms *perms)
203 {
204 struct aa_profile *tp;
205 struct label_it i;
206 struct aa_perms tmp;
207 struct path_cond cond = { };
208 unsigned int state = 0;
209
210 /* find first subcomponent to test */
211 label_for_each(i, label, tp) {
212 if (!aa_ns_visible(profile->ns, tp->ns, subns))
213 continue;
214 state = match_component(profile, tp, stack, start);
215 if (!state)
216 goto fail;
217 goto next;
218 }
219
220 /* no subcomponents visible - no change in perms */
221 return 0;
222
223 next:
224 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
225 aa_apply_modes_to_perms(profile, &tmp);
226 aa_perms_accum(perms, &tmp);
227 label_for_each_cont(i, label, tp) {
228 if (!aa_ns_visible(profile->ns, tp->ns, subns))
229 continue;
230 state = match_component(profile, tp, stack, start);
231 if (!state)
232 goto fail;
233 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
234 aa_apply_modes_to_perms(profile, &tmp);
235 aa_perms_accum(perms, &tmp);
236 }
237
238 if ((perms->allow & request) != request)
239 return -EACCES;
240
241 return 0;
242
243 fail:
244 *perms = nullperms;
245 return -EACCES;
246 }
247
248 /**
249 * aa_label_match - do a multi-component label match
250 * @profile: profile to match against (NOT NULL)
251 * @label: label to match (NOT NULL)
252 * @stack: whether this is a stacking request
253 * @state: state to start in
254 * @subns: whether to match subns components
255 * @request: permission request
256 * @perms: Returns computed perms (NOT NULL)
257 *
258 * Returns: the state the match finished in, may be the none matching state
259 */
260 static int label_match(struct aa_profile *profile, struct aa_label *label,
261 bool stack, unsigned int state, bool subns, u32 request,
262 struct aa_perms *perms)
263 {
264 int error;
265
266 *perms = nullperms;
267 error = label_compound_match(profile, label, stack, state, subns,
268 request, perms);
269 if (!error)
270 return error;
271
272 *perms = allperms;
273 return label_components_match(profile, label, stack, state, subns,
274 request, perms);
275 }
276
277 /******* end TODO: dedup *****/
278
279 /**
280 * change_profile_perms - find permissions for change_profile
281 * @profile: the current profile (NOT NULL)
282 * @target: label to transition to (NOT NULL)
283 * @stack: whether this is a stacking request
284 * @request: requested perms
285 * @start: state to start matching in
286 *
287 *
288 * Returns: permission set
289 *
290 * currently only matches full label A//&B//&C or individual components A, B, C
291 * not arbitrary combinations. Eg. A//&B, C
292 */
293 static int change_profile_perms(struct aa_profile *profile,
294 struct aa_label *target, bool stack,
295 u32 request, unsigned int start,
296 struct aa_perms *perms)
297 {
298 if (profile_unconfined(profile)) {
299 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
300 perms->audit = perms->quiet = perms->kill = 0;
301 return 0;
302 }
303
304 /* TODO: add profile in ns screening */
305 return label_match(profile, target, stack, start, true, request, perms);
306 }
307
308 /**
309 * __attach_match_ - find an attachment match
310 * @name - to match against (NOT NULL)
311 * @head - profile list to walk (NOT NULL)
312 *
313 * Do a linear search on the profiles in the list. There is a matching
314 * preference where an exact match is preferred over a name which uses
315 * expressions to match, and matching expressions with the greatest
316 * xmatch_len are preferred.
317 *
318 * Requires: @head not be shared or have appropriate locks held
319 *
320 * Returns: profile or NULL if no match found
321 */
322 static struct aa_profile *__attach_match(const char *name,
323 struct list_head *head)
324 {
325 int len = 0;
326 struct aa_profile *profile, *candidate = NULL;
327
328 list_for_each_entry_rcu(profile, head, base.list) {
329 if (profile->label.flags & FLAG_NULL)
330 continue;
331 if (profile->xmatch && profile->xmatch_len > len) {
332 unsigned int state = aa_dfa_match(profile->xmatch,
333 DFA_START, name);
334 u32 perm = dfa_user_allow(profile->xmatch, state);
335 /* any accepting state means a valid match. */
336 if (perm & MAY_EXEC) {
337 candidate = profile;
338 len = profile->xmatch_len;
339 }
340 } else if (!strcmp(profile->base.name, name))
341 /* exact non-re match, no more searching required */
342 return profile;
343 }
344
345 return candidate;
346 }
347
348 /**
349 * find_attach - do attachment search for unconfined processes
350 * @ns: the current namespace (NOT NULL)
351 * @list: list to search (NOT NULL)
352 * @name: the executable name to match against (NOT NULL)
353 *
354 * Returns: label or NULL if no match found
355 */
356 static struct aa_label *find_attach(struct aa_ns *ns, struct list_head *list,
357 const char *name)
358 {
359 struct aa_profile *profile;
360
361 rcu_read_lock();
362 profile = aa_get_profile(__attach_match(name, list));
363 rcu_read_unlock();
364
365 return profile ? &profile->label : NULL;
366 }
367
368 static const char *next_name(int xtype, const char *name)
369 {
370 return NULL;
371 }
372
373 /**
374 * x_table_lookup - lookup an x transition name via transition table
375 * @profile: current profile (NOT NULL)
376 * @xindex: index into x transition table
377 * @name: returns: name tested to find label (NOT NULL)
378 *
379 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
380 */
381 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
382 const char **name)
383 {
384 struct aa_label *label = NULL;
385 u32 xtype = xindex & AA_X_TYPE_MASK;
386 int index = xindex & AA_X_INDEX_MASK;
387
388 AA_BUG(!name);
389
390 /* index is guaranteed to be in range, validated at load time */
391 /* TODO: move lookup parsing to unpack time so this is a straight
392 * index into the resultant label
393 */
394 for (*name = profile->file.trans.table[index]; !label && *name;
395 *name = next_name(xtype, *name)) {
396 if (xindex & AA_X_CHILD) {
397 struct aa_profile *new_profile;
398 /* release by caller */
399 new_profile = aa_find_child(profile, *name);
400 if (new_profile)
401 label = &new_profile->label;
402 continue;
403 }
404 label = aa_label_parse(&profile->label, *name, GFP_ATOMIC,
405 true, false);
406 if (IS_ERR(label))
407 label = NULL;
408 }
409
410 /* released by caller */
411 return label;
412 }
413
414 /**
415 * x_to_label - get target label for a given xindex
416 * @profile: current profile (NOT NULL)
417 * @name: name to lookup (NOT NULL)
418 * @xindex: index into x transition table
419 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
420 *
421 * find label for a transition index
422 *
423 * Returns: refcounted label or NULL if not found available
424 */
425 static struct aa_label *x_to_label(struct aa_profile *profile,
426 const char *name, u32 xindex,
427 const char **lookupname,
428 const char **info)
429 {
430 struct aa_label *new = NULL;
431 struct aa_ns *ns = profile->ns;
432 u32 xtype = xindex & AA_X_TYPE_MASK;
433 const char *stack = NULL;
434
435 switch (xtype) {
436 case AA_X_NONE:
437 /* fail exec unless ix || ux fallback - handled by caller */
438 *lookupname = NULL;
439 break;
440 case AA_X_TABLE:
441 /* TODO: fix when perm mapping done at unload */
442 stack = profile->file.trans.table[xindex & AA_X_INDEX_MASK];
443 if (*stack != '&') {
444 /* released by caller */
445 new = x_table_lookup(profile, xindex, lookupname);
446 stack = NULL;
447 break;
448 }
449 /* fall through to X_NAME */
450 case AA_X_NAME:
451 if (xindex & AA_X_CHILD)
452 /* released by caller */
453 new = find_attach(ns, &profile->base.profiles,
454 name);
455 else
456 /* released by caller */
457 new = find_attach(ns, &ns->base.profiles,
458 name);
459 *lookupname = name;
460 break;
461 }
462
463 if (!new) {
464 if (xindex & AA_X_INHERIT) {
465 /* (p|c|n)ix - don't change profile but do
466 * use the newest version
467 */
468 *info = "ix fallback";
469 /* no profile && no error */
470 new = aa_get_newest_label(&profile->label);
471 } else if (xindex & AA_X_UNCONFINED) {
472 new = aa_get_newest_label(ns_unconfined(profile->ns));
473 *info = "ux fallback";
474 }
475 }
476
477 if (new && stack) {
478 /* base the stack on post domain transition */
479 struct aa_label *base = new;
480 new = aa_label_parse(base, stack, GFP_ATOMIC, true, false);
481 if (IS_ERR(new))
482 new = NULL;
483 aa_put_label(base);
484 }
485
486 /* released by caller */
487 return new;
488 }
489
490 static struct aa_label *profile_transition(struct aa_profile *profile,
491 const struct linux_binprm *bprm,
492 char *buffer, struct path_cond *cond,
493 bool *secure_exec)
494 {
495 struct aa_label *new = NULL;
496 const char *info = NULL, *name = NULL, *target = NULL;
497 unsigned int state = profile->file.start;
498 struct aa_perms perms = {};
499 int error = 0;
500
501 AA_BUG(!profile);
502 AA_BUG(!bprm);
503 AA_BUG(!buffer);
504
505 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
506 &name, &info, profile->disconnected);
507 if (error) {
508 if (profile_unconfined(profile) ||
509 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
510 AA_DEBUG("name lookup ix on error");
511 error = 0;
512 new = aa_get_newest_label(&profile->label);
513 }
514 name = bprm->filename;
515 goto audit;
516 }
517
518 if (profile_unconfined(profile)) {
519 new = find_attach(profile->ns, &profile->ns->base.profiles,
520 name);
521 if (new) {
522 AA_DEBUG("unconfined attached to new label");
523 return new;
524 }
525 AA_DEBUG("unconfined exec no attachment");
526 return aa_get_newest_label(&profile->label);
527 }
528
529 /* find exec permissions for name */
530 state = aa_str_perms(profile->file.dfa, state, name, cond, &perms);
531 if (perms.allow & MAY_EXEC) {
532 /* exec permission determine how to transition */
533 new = x_to_label(profile, name, perms.xindex, &target, &info);
534 if (new && new->proxy == profile->label.proxy && info) {
535 /* hack ix fallback - improve how this is detected */
536 goto audit;
537 } else if (!new) {
538 error = -EACCES;
539 info = "profile transition not found";
540 /* remove MAY_EXEC to audit as failure */
541 perms.allow &= ~MAY_EXEC;
542 }
543 } else if (COMPLAIN_MODE(profile)) {
544 /* no exec permission - learning mode */
545 struct aa_profile *new_profile = aa_null_profile(profile, false,
546 name, GFP_ATOMIC);
547 if (!new_profile) {
548 error = -ENOMEM;
549 info = "could not create null profile";
550 } else {
551 error = -EACCES;
552 new = &new_profile->label;
553 }
554 perms.xindex |= AA_X_UNSAFE;
555 } else
556 /* fail exec */
557 error = -EACCES;
558
559 if (!new)
560 goto audit;
561
562 if (!(perms.xindex & AA_X_UNSAFE)) {
563 if (DEBUG_ON) {
564 dbg_printk("apparmor: scrubbing environment variables "
565 "for %s profile=", name);
566 aa_label_printk(new, GFP_ATOMIC);
567 dbg_printk("\n");
568 }
569 *secure_exec = true;
570 }
571
572 audit:
573 aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
574 cond->uid, info, error);
575 if (!new)
576 return ERR_PTR(error);
577
578 return new;
579 }
580
581 static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
582 bool stack, const struct linux_binprm *bprm,
583 char *buffer, struct path_cond *cond,
584 bool *secure_exec)
585 {
586 unsigned int state = profile->file.start;
587 struct aa_perms perms = {};
588 const char *xname = NULL, *info = "change_profile onexec";
589 int error = -EACCES;
590
591 AA_BUG(!profile);
592 AA_BUG(!onexec);
593 AA_BUG(!bprm);
594 AA_BUG(!buffer);
595
596 if (profile_unconfined(profile)) {
597 /* change_profile on exec already granted */
598 /*
599 * NOTE: Domain transitions from unconfined are allowed
600 * even when no_new_privs is set because this aways results
601 * in a further reduction of permissions.
602 */
603 return 0;
604 }
605
606 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
607 &xname, &info, profile->disconnected);
608 if (error) {
609 if (profile_unconfined(profile) ||
610 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
611 AA_DEBUG("name lookup ix on error");
612 error = 0;
613 }
614 xname = bprm->filename;
615 goto audit;
616 }
617
618 /* find exec permissions for name */
619 state = aa_str_perms(profile->file.dfa, state, xname, cond, &perms);
620 if (!(perms.allow & AA_MAY_ONEXEC)) {
621 info = "no change_onexec valid for executable";
622 goto audit;
623 }
624 /* test if this exec can be paired with change_profile onexec.
625 * onexec permission is linked to exec with a standard pairing
626 * exec\0change_profile
627 */
628 state = aa_dfa_null_transition(profile->file.dfa, state);
629 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
630 state, &perms);
631 if (error)
632 goto audit;
633
634 if (!(perms.xindex & AA_X_UNSAFE)) {
635 if (DEBUG_ON) {
636 dbg_printk("appaarmor: scrubbing environment "
637 "variables for %s label=", xname);
638 aa_label_printk(onexec, GFP_ATOMIC);
639 dbg_printk("\n");
640 }
641 *secure_exec = true;
642 }
643
644 audit:
645 return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname,
646 NULL, onexec, cond->uid, info, error);
647 }
648
649 /* ensure none ns domain transitions are correctly applied with onexec */
650
651 static struct aa_label *handle_onexec(struct aa_label *label,
652 struct aa_label *onexec, bool stack,
653 const struct linux_binprm *bprm,
654 char *buffer, struct path_cond *cond,
655 bool *unsafe)
656 {
657 struct aa_profile *profile;
658 struct aa_label *new;
659 int error;
660
661 AA_BUG(!label);
662 AA_BUG(!onexec);
663 AA_BUG(!bprm);
664 AA_BUG(!buffer);
665
666 if (!stack) {
667 error = fn_for_each_in_ns(label, profile,
668 profile_onexec(profile, onexec, stack,
669 bprm, buffer, cond, unsafe));
670 if (error)
671 return ERR_PTR(error);
672 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
673 aa_get_newest_label(onexec),
674 profile_transition(profile, bprm, buffer,
675 cond, unsafe));
676
677 } else {
678 /* TODO: determine how much we want to losen this */
679 error = fn_for_each_in_ns(label, profile,
680 profile_onexec(profile, onexec, stack, bprm,
681 buffer, cond, unsafe));
682 if (error)
683 return ERR_PTR(error);
684 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
685 aa_label_merge(&profile->label, onexec,
686 GFP_ATOMIC),
687 profile_transition(profile, bprm, buffer,
688 cond, unsafe));
689 }
690
691 if (new)
692 return new;
693
694 /* TODO: get rid of GLOBAL_ROOT_UID */
695 error = fn_for_each_in_ns(label, profile,
696 aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC,
697 AA_MAY_ONEXEC, bprm->filename, NULL,
698 onexec, GLOBAL_ROOT_UID,
699 "failed to build target label", -ENOMEM));
700 return ERR_PTR(error);
701 }
702
703 /**
704 * apparmor_bprm_set_creds - set the new creds on the bprm struct
705 * @bprm: binprm for the exec (NOT NULL)
706 *
707 * Returns: %0 or error on failure
708 *
709 * TODO: once the other paths are done see if we can't refactor into a fn
710 */
711 int apparmor_bprm_set_creds(struct linux_binprm *bprm)
712 {
713 struct aa_task_ctx *ctx;
714 struct aa_label *label, *new = NULL;
715 struct aa_profile *profile;
716 char *buffer = NULL;
717 const char *info = NULL;
718 int error = 0;
719 bool unsafe = false;
720 struct path_cond cond = {
721 file_inode(bprm->file)->i_uid,
722 file_inode(bprm->file)->i_mode
723 };
724
725 if (bprm->cred_prepared)
726 return 0;
727
728 ctx = cred_ctx(bprm->cred);
729 AA_BUG(!ctx);
730
731 label = aa_get_newest_label(ctx->label);
732
733 /* buffer freed below, name is pointer into buffer */
734 get_buffers(buffer);
735 /* Test for onexec first as onexec override other x transitions. */
736 if (ctx->onexec)
737 new = handle_onexec(label, ctx->onexec, ctx->token,
738 bprm, buffer, &cond, &unsafe);
739 else
740 new = fn_label_build(label, profile, GFP_ATOMIC,
741 profile_transition(profile, bprm, buffer,
742 &cond, &unsafe));
743
744 AA_BUG(!new);
745 if (IS_ERR(new)) {
746 error = PTR_ERR(new);
747 goto done;
748 } else if (!new) {
749 error = -ENOMEM;
750 goto done;
751 }
752
753 /* Policy has specified a domain transitions. if no_new_privs and
754 * confined and not transitioning to the current domain fail.
755 *
756 * NOTE: Domain transitions from unconfined and to stritly stacked
757 * subsets are allowed even when no_new_privs is set because this
758 * aways results in a further reduction of permissions.
759 */
760 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
761 !unconfined(label) && !aa_label_is_subset(new, label)) {
762 error = -EPERM;
763 info = "no new privs";
764 goto audit;
765 }
766
767 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
768 /* FIXME: currently don't mediate shared state */
769 ;
770 }
771
772 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
773 /* TODO: test needs to be profile of label to new */
774 error = may_change_ptraced_domain(new, &info);
775 if (error)
776 goto audit;
777 }
778
779 if (unsafe) {
780 if (DEBUG_ON) {
781 dbg_printk("scrubbing environment variables for %s "
782 "label=", bprm->filename);
783 aa_label_printk(new, GFP_ATOMIC);
784 dbg_printk("\n");
785 }
786 bprm->unsafe |= AA_SECURE_X_NEEDED;
787 }
788
789 if (label->proxy != new->proxy) {
790 /* when transitioning clear unsafe personality bits */
791 if (DEBUG_ON) {
792 dbg_printk("apparmor: clearing unsafe personality "
793 "bits. %s label=", bprm->filename);
794 aa_label_printk(new, GFP_ATOMIC);
795 dbg_printk("\n");
796 }
797 bprm->per_clear |= PER_CLEAR_ON_SETID;
798 }
799 aa_put_label(ctx->label);
800 /* transfer reference, released when ctx is freed */
801 ctx->label = new;
802
803 done:
804 /* clear out temporary/transitional state from the context */
805 aa_clear_task_ctx_trans(ctx);
806
807 aa_put_label(label);
808 put_buffers(buffer);
809
810 return error;
811
812 audit:
813 error = fn_for_each(label, profile,
814 aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
815 bprm->filename, NULL, new,
816 file_inode(bprm->file)->i_uid, info,
817 error));
818 aa_put_label(new);
819 goto done;
820 }
821
822 /**
823 * apparmor_bprm_secureexec - determine if secureexec is needed
824 * @bprm: binprm for exec (NOT NULL)
825 *
826 * Returns: %1 if secureexec is needed else %0
827 */
828 int apparmor_bprm_secureexec(struct linux_binprm *bprm)
829 {
830 /* the decision to use secure exec is computed in set_creds
831 * and stored in bprm->unsafe.
832 */
833 if (bprm->unsafe & AA_SECURE_X_NEEDED)
834 return 1;
835
836 return 0;
837 }
838
839 /*
840 * Functions for self directed profile change
841 */
842
843
844 /* helper fn for change_hat
845 *
846 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
847 */
848 static struct aa_label *build_change_hat(struct aa_profile *profile,
849 const char *name, bool sibling)
850 {
851 struct aa_profile *root, *hat = NULL;
852 const char *info = NULL;
853 int error = 0;
854
855 if (sibling && PROFILE_IS_HAT(profile)) {
856 root = aa_get_profile_rcu(&profile->parent);
857 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
858 root = aa_get_profile(profile);
859 } else {
860 info = "conflicting target types";
861 error = -EPERM;
862 goto audit;
863 }
864
865 hat = aa_find_child(root, name);
866 if (!hat) {
867 error = -ENOENT;
868 if (COMPLAIN_MODE(profile)) {
869 hat = aa_null_profile(profile, true, name, GFP_KERNEL);
870 if (!hat) {
871 info = "failed null profile create";
872 error = -ENOMEM;
873 }
874 }
875 }
876 aa_put_profile(root);
877
878 audit:
879 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
880 name, hat ? hat->base.hname : NULL, hat ? &hat->label : NULL, GLOBAL_ROOT_UID,
881 NULL, error);
882 if (!hat || (error && error != -ENOENT))
883 return ERR_PTR(error);
884 /* if hat && error - complain mode, already audited and we adjust for
885 * complain mode allow by returning hat->label
886 */
887 return &hat->label;
888 }
889
890 /* helper fn for changing into a hat
891 *
892 * Returns: label for hat transition or ERR_PTR. Does not return NULL
893 */
894 static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
895 int count, bool permtest)
896 {
897 struct aa_profile *profile, *root, *hat = NULL;
898 struct aa_label *new;
899 struct label_it it;
900 bool sibling = false;
901 const char *name, *info = NULL;
902 int i, error;
903
904 AA_BUG(!label);
905 AA_BUG(!hats);
906 AA_BUG(count < 1);
907
908 if (PROFILE_IS_HAT(labels_profile(label)))
909 sibling = true;
910
911 /*find first matching hat */
912 for (i = 0; i < count && !hat; i++) {
913 name = hats[i];
914 label_for_each_in_ns(it, labels_ns(label), label, profile) {
915 if (sibling && PROFILE_IS_HAT(profile)) {
916 root = aa_get_profile_rcu(&profile->parent);
917 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
918 root = aa_get_profile(profile);
919 } else { /* conflicting change type */
920 info = "conflicting targets types";
921 error = -EPERM;
922 goto fail;
923 }
924 hat = aa_find_child(root, name);
925 aa_put_profile(root);
926 if (!hat) {
927 if (!COMPLAIN_MODE(profile))
928 goto outer_continue;
929 /* complain mode succeed as if hat */
930 } else if (!PROFILE_IS_HAT(hat)) {
931 info = "target not hat";
932 error = -EPERM;
933 aa_put_profile(hat);
934 goto fail;
935 }
936 aa_put_profile(hat);
937 }
938 /* found a hat for all profiles in ns */
939 goto build;
940 outer_continue: ;
941 }
942 /* no hats that match, find appropriate error
943 *
944 * In complain mode audit of the failure is based off of the first
945 * hat supplied. This is done due how userspace interacts with
946 * change_hat.
947 */
948 name = NULL;
949 label_for_each_in_ns(it, labels_ns(label), label, profile) {
950 if (!list_empty(&profile->base.profiles)) {
951 info = "hat not found";
952 error = -ENOENT;
953 goto fail;
954 }
955 }
956 info = "no hats defined";
957 error = -ECHILD;
958
959 fail:
960 label_for_each_in_ns(it, labels_ns(label), label, profile) {
961 /*
962 * no target as it has failed to be found or built
963 *
964 * change_hat uses probing and should not log failures
965 * related to missing hats
966 */
967 /* TODO: get rid of GLOBAL_ROOT_UID */
968 if (count > 1 || COMPLAIN_MODE(profile)) {
969 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
970 AA_MAY_CHANGEHAT, name, NULL, NULL,
971 GLOBAL_ROOT_UID, info, error);
972 }
973 }
974 return (ERR_PTR(error));
975
976 build:
977 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
978 build_change_hat(profile, name, sibling),
979 aa_get_label(&profile->label));
980 if (!new) {
981 info = "label build failed";
982 error = -ENOMEM;
983 goto fail;
984 } /* else if (IS_ERR) build_change_hat has logged error so return new */
985
986 return new;
987 }
988
989 /**
990 * aa_change_hat - change hat to/from subprofile
991 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
992 * @count: number of hat names in @hats
993 * @token: magic value to validate the hat change
994 * @permtest: true if this is just a permission test
995 *
996 * Returns %0 on success, error otherwise.
997 *
998 * Change to the first profile specified in @hats that exists, and store
999 * the @hat_magic in the current task context. If the count == 0 and the
1000 * @token matches that stored in the current task context, return to the
1001 * top level profile.
1002 *
1003 * change_hat only applies to profiles in the current ns, and each profile
1004 * in the ns must make the same transition otherwise change_hat will fail.
1005 */
1006 int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
1007 {
1008 const struct cred *cred;
1009 struct aa_task_ctx *ctx;
1010 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1011 struct aa_profile *profile;
1012 struct aa_perms perms = {};
1013 const char *info = NULL;
1014 int error = 0;
1015
1016 /*
1017 * Fail explicitly requested domain transitions if no_new_privs.
1018 * There is no exception for unconfined as change_hat is not
1019 * available.
1020 */
1021 if (task_no_new_privs(current)) {
1022 /* not an apparmor denial per se, so don't log it */
1023 AA_DEBUG("no_new_privs - chanage_hat denied");
1024 return -EPERM;
1025 }
1026
1027 /* released below */
1028 cred = get_current_cred();
1029 ctx = cred_ctx(cred);
1030 label = aa_get_newest_cred_label(cred);
1031 previous = aa_get_newest_label(ctx->previous);
1032
1033 if (unconfined(label)) {
1034 info = "unconfined can not change_hat";
1035 error = -EPERM;
1036 goto fail;
1037 }
1038
1039 if (count) {
1040 new = change_hat(label, hats, count, permtest);
1041 AA_BUG(!new);
1042 if (IS_ERR(new)) {
1043 error = PTR_ERR(new);
1044 new = NULL;
1045 /* already audited */
1046 goto out;
1047 }
1048
1049 error = may_change_ptraced_domain(new, &info);
1050 if (error)
1051 goto fail;
1052
1053 if (permtest)
1054 goto out;
1055
1056 target = new;
1057 error = aa_set_current_hat(new, token);
1058 if (error == -EACCES)
1059 /* kill task in case of brute force attacks */
1060 goto kill;
1061 } else if (previous && !permtest) {
1062 /* Return to saved label. Kill task if restore fails
1063 * to avoid brute force attacks
1064 */
1065 target = previous;
1066 error = aa_restore_previous_label(token);
1067 if (error) {
1068 if (error == -EACCES)
1069 goto kill;
1070 goto fail;
1071 }
1072 } /* else ignore permtest && restores when there is no saved profile */
1073
1074 out:
1075 aa_put_label(new);
1076 aa_put_label(previous);
1077 aa_put_label(label);
1078 put_cred(cred);
1079
1080 return error;
1081
1082 kill:
1083 info = "failed token match";
1084 perms.kill = AA_MAY_CHANGEHAT;
1085
1086 fail:
1087 fn_for_each_in_ns(label, profile,
1088 aa_audit_file(profile, &perms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
1089 NULL, NULL, target, GLOBAL_ROOT_UID, info, error));
1090
1091 goto out;
1092 }
1093
1094
1095 static int change_profile_perms_wrapper(const char *op, const char *name,
1096 struct aa_profile *profile,
1097 struct aa_label *target, bool stack,
1098 u32 request, struct aa_perms *perms)
1099 {
1100 int error = change_profile_perms(profile, target,
1101 stack, request,
1102 profile->file.start, perms);
1103 if (error)
1104 error = aa_audit_file(profile, perms, op, request, name,
1105 NULL, target, GLOBAL_ROOT_UID, NULL,
1106 error);
1107
1108 return error;
1109 }
1110
1111 /**
1112 * aa_change_profile - perform a one-way profile transition
1113 * @fqname: name of profile may include namespace (NOT NULL)
1114 * @onexec: whether this transition is to take place immediately or at exec
1115 * @permtest: true if this is just a permission test
1116 * @stack: true if this call is to stack on top of current domain
1117 * Change to new profile @name. Unlike with hats, there is no way
1118 * to change back. If @name isn't specified the current profile name is
1119 * used.
1120 * If @onexec then the transition is delayed until
1121 * the next exec.
1122 *
1123 * Returns %0 on success, error otherwise.
1124 */
1125 int aa_change_profile(const char *fqname, bool onexec,
1126 bool permtest, bool stack)
1127 {
1128 struct aa_label *label, *new = NULL, *target = NULL;
1129 struct aa_profile *profile;
1130 struct aa_perms perms = {};
1131 const char *info = NULL;
1132 const char *auditname = fqname; /* retain leading & if stack */
1133 int error = 0;
1134 char *op;
1135 u32 request;
1136
1137 if (!fqname || !*fqname) {
1138 AA_DEBUG("no profile name");
1139 return -EINVAL;
1140 }
1141
1142 if (onexec) {
1143 request = AA_MAY_ONEXEC;
1144 if (stack)
1145 op = OP_STACK_ONEXEC;
1146 else
1147 op = OP_CHANGE_ONEXEC;
1148 } else {
1149 request = AA_MAY_CHANGE_PROFILE;
1150 if (stack)
1151 op = OP_STACK;
1152 else
1153 op = OP_CHANGE_PROFILE;
1154 }
1155
1156 label = aa_get_current_label();
1157
1158 if (*fqname == '&') {
1159 stack = true;
1160 /* don't have label_parse() do stacking */
1161 fqname++;
1162 }
1163 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
1164 if (IS_ERR(target)) {
1165 struct aa_profile *tprofile;
1166
1167 info = "label not found";
1168 error = PTR_ERR(target);
1169 target = NULL;
1170 /* TODO: fixme using labels_profile is not right - do profile
1171 per complain profile ??? */
1172 if (permtest || !COMPLAIN_MODE(labels_profile(label)))
1173 goto audit;
1174 /* released below */
1175 tprofile = aa_null_profile(labels_profile(label), false, fqname, GFP_KERNEL);
1176 if (!tprofile) {
1177 info = "failed null profile create";
1178 error = -ENOMEM;
1179 goto audit;
1180 }
1181 target = &tprofile->label;
1182 goto check;
1183 }
1184
1185 /*
1186 * Fail explicitly requested domain transitions when no_new_privs
1187 * and not unconfined OR the transition results in a stack on
1188 * the current label.
1189 * Stacking domain transitions and transitions from unconfined are
1190 * allowed even when no_new_privs is set because this aways results
1191 * in a reduction of permissions.
1192 */
1193 if (task_no_new_privs(current) && !stack && !unconfined(label) &&
1194 !aa_label_is_subset(target, label)) {
1195 info = "no new privs";
1196 error = -EPERM;
1197 goto audit;
1198 }
1199
1200 /* self directed transitions only apply to current policy ns */
1201 /* TODO: currently requiring perms for stacking and straight change
1202 * stacking doesn't strictly need this. Determine how much
1203 * we want to loosen this restriction for stacking
1204 */
1205 /* if (!stack) { */
1206 error = fn_for_each_in_ns(label, profile,
1207 change_profile_perms_wrapper(op, auditname,
1208 profile, target, stack,
1209 request, &perms));
1210 if (error)
1211 /* auditing done in change_profile_perms_wrapper */
1212 goto out;
1213
1214 /* } */
1215
1216 check:
1217 /* check if tracing task is allowed to trace target domain */
1218 error = may_change_ptraced_domain(target, &info);
1219 if (error && !fn_for_each_in_ns(label, profile,
1220 COMPLAIN_MODE(profile)))
1221 goto audit;
1222
1223 /* TODO: add permission check to allow this
1224 if (onexec && !current_is_single_threaded()) {
1225 info = "not a single threaded task";
1226 error = -EACCES;
1227 goto audit;
1228 }
1229 */
1230 if (permtest)
1231 goto out;
1232
1233 if (!onexec) {
1234 /* only transition profiles in the current ns */
1235 if (stack)
1236 new = aa_label_merge(label, target, GFP_KERNEL);
1237 else
1238 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1239 aa_get_label(target),
1240 aa_get_label(&profile->label));
1241 if (IS_ERR_OR_NULL(new)) {
1242 info = "failed to build target label";
1243 error = PTR_ERR(new);
1244 new = NULL;
1245 perms.allow = 0;
1246 goto audit;
1247 }
1248 error = aa_replace_current_label(new);
1249 } else
1250 /* full transition will be built in exec path */
1251 error = aa_set_current_onexec(target, stack);
1252
1253 audit:
1254 error = fn_for_each_in_ns(label, profile,
1255 aa_audit_file(profile, &perms, op, request, auditname,
1256 NULL, new ? new : target,
1257 GLOBAL_ROOT_UID, info, error));
1258
1259 out:
1260 aa_put_label(new);
1261 aa_put_label(target);
1262 aa_put_label(label);
1263
1264 return error;
1265 }
Ubuntu Artful kernel mirror