]>
git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/domain.c
2 * AppArmor security module
4 * This file contains AppArmor policy attachment and domain transitions
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/errno.h>
16 #include <linux/fdtable.h>
17 #include <linux/file.h>
18 #include <linux/mount.h>
19 #include <linux/syscalls.h>
20 #include <linux/tracehook.h>
21 #include <linux/personality.h>
23 #include "include/audit.h"
24 #include "include/apparmorfs.h"
25 #include "include/context.h"
26 #include "include/domain.h"
27 #include "include/file.h"
28 #include "include/ipc.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
34 * aa_free_domain_entries - free entries in a domain table
35 * @domain: the domain table to free (MAYBE NULL)
37 void aa_free_domain_entries(struct aa_domain
*domain
)
44 for (i
= 0; i
< domain
->size
; i
++)
45 kzfree(domain
->table
[i
]);
46 kzfree(domain
->table
);
52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @to_label: profile to change to (NOT NULL)
54 * @info: message if there is an error
56 * Check if current is ptraced and if so if the tracing task is allowed
57 * to trace the new domain
59 * Returns: %0 or error if change not allowed
61 static int may_change_ptraced_domain(struct aa_label
*to_label
,
64 struct task_struct
*tracer
;
65 struct aa_label
*tracerl
= NULL
;
69 tracer
= ptrace_parent(current
);
72 tracerl
= aa_get_task_label(tracer
);
75 if (!tracer
|| unconfined(tracerl
))
78 error
= aa_may_ptrace(tracerl
, to_label
, PTRACE_MODE_ATTACH
);
82 aa_put_label(tracerl
);
85 *info
= "ptrace prevents transition";
89 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
90 * specifically this is an exact copy of aa_label_match except
91 * aa_compute_perms is replaced with aa_compute_fperms
92 * and policy.dfa with file.dfa
94 /* match a profile and its associated ns component if needed
95 * Assumes visibility test has already been done.
96 * If a subns profile is not to be matched should be prescreened with
99 /* match a profile and its associated ns component if needed
100 * Assumes visibility test has already been done.
101 * If a subns profile is not to be matched should be prescreened with
104 static inline unsigned int match_component(struct aa_profile
*profile
,
105 struct aa_profile
*tp
,
106 bool stack
, unsigned int state
)
111 state
= aa_dfa_match(profile
->file
.dfa
, state
, "&");
112 if (profile
->ns
== tp
->ns
)
113 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
115 /* try matching with namespace name and then profile */
116 ns_name
= aa_ns_name(profile
->ns
, tp
->ns
, true);
117 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
118 state
= aa_dfa_match(profile
->file
.dfa
, state
, ns_name
);
119 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
120 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
124 * label_component_match - find perms for full compound label
125 * @profile: profile to find perms for
126 * @label: label to check access permissions for
127 * @stack: whether this is a stacking request
128 * @start: state to start match in
129 * @subns: whether to do permission checks on components in a subns
130 * @request: permissions to request
131 * @perms: perms struct to set
133 * Returns: 0 on success else ERROR
135 * For the label A//&B//&C this does the perm match for A//&B//&C
136 * @perms should be preinitialized with allperms OR a previous permission
137 * check to be stacked.
139 static int label_compound_match(struct aa_profile
*profile
,
140 struct aa_label
*label
, bool stack
,
141 unsigned int state
, bool subns
, u32 request
,
142 struct aa_perms
*perms
)
144 struct aa_profile
*tp
;
146 struct path_cond cond
= { };
148 /* find first subcomponent that is visible */
149 label_for_each(i
, label
, tp
) {
150 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
152 state
= match_component(profile
, tp
, stack
, state
);
158 /* no component visible */
163 label_for_each_cont(i
, label
, tp
) {
164 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
166 state
= aa_dfa_match(profile
->file
.dfa
, state
, "//&");
167 state
= match_component(profile
, tp
, false, state
);
171 *perms
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
172 aa_apply_modes_to_perms(profile
, perms
);
173 if ((perms
->allow
& request
) != request
)
184 * label_component_match - find perms for all subcomponents of a label
185 * @profile: profile to find perms for
186 * @label: label to check access permissions for
187 * @stack: whether this is a stacking request
188 * @start: state to start match in
189 * @subns: whether to do permission checks on components in a subns
190 * @request: permissions to request
191 * @perms: an initialized perms struct to add accumulation to
193 * Returns: 0 on success else ERROR
195 * For the label A//&B//&C this does the perm match for each of A and B and C
196 * @perms should be preinitialized with allperms OR a previous permission
197 * check to be stacked.
199 static int label_components_match(struct aa_profile
*profile
,
200 struct aa_label
*label
, bool stack
,
201 unsigned int start
, bool subns
, u32 request
,
202 struct aa_perms
*perms
)
204 struct aa_profile
*tp
;
207 struct path_cond cond
= { };
208 unsigned int state
= 0;
210 /* find first subcomponent to test */
211 label_for_each(i
, label
, tp
) {
212 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
214 state
= match_component(profile
, tp
, stack
, start
);
220 /* no subcomponents visible - no change in perms */
224 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
225 aa_apply_modes_to_perms(profile
, &tmp
);
226 aa_perms_accum(perms
, &tmp
);
227 label_for_each_cont(i
, label
, tp
) {
228 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
230 state
= match_component(profile
, tp
, stack
, start
);
233 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
234 aa_apply_modes_to_perms(profile
, &tmp
);
235 aa_perms_accum(perms
, &tmp
);
238 if ((perms
->allow
& request
) != request
)
249 * aa_label_match - do a multi-component label match
250 * @profile: profile to match against (NOT NULL)
251 * @label: label to match (NOT NULL)
252 * @stack: whether this is a stacking request
253 * @state: state to start in
254 * @subns: whether to match subns components
255 * @request: permission request
256 * @perms: Returns computed perms (NOT NULL)
258 * Returns: the state the match finished in, may be the none matching state
260 static int label_match(struct aa_profile
*profile
, struct aa_label
*label
,
261 bool stack
, unsigned int state
, bool subns
, u32 request
,
262 struct aa_perms
*perms
)
267 error
= label_compound_match(profile
, label
, stack
, state
, subns
,
273 return label_components_match(profile
, label
, stack
, state
, subns
,
277 /******* end TODO: dedup *****/
280 * change_profile_perms - find permissions for change_profile
281 * @profile: the current profile (NOT NULL)
282 * @target: label to transition to (NOT NULL)
283 * @stack: whether this is a stacking request
284 * @request: requested perms
285 * @start: state to start matching in
288 * Returns: permission set
290 * currently only matches full label A//&B//&C or individual components A, B, C
291 * not arbitrary combinations. Eg. A//&B, C
293 static int change_profile_perms(struct aa_profile
*profile
,
294 struct aa_label
*target
, bool stack
,
295 u32 request
, unsigned int start
,
296 struct aa_perms
*perms
)
298 if (profile_unconfined(profile
)) {
299 perms
->allow
= AA_MAY_CHANGE_PROFILE
| AA_MAY_ONEXEC
;
300 perms
->audit
= perms
->quiet
= perms
->kill
= 0;
304 /* TODO: add profile in ns screening */
305 return label_match(profile
, target
, stack
, start
, true, request
, perms
);
309 * __attach_match_ - find an attachment match
310 * @name - to match against (NOT NULL)
311 * @head - profile list to walk (NOT NULL)
313 * Do a linear search on the profiles in the list. There is a matching
314 * preference where an exact match is preferred over a name which uses
315 * expressions to match, and matching expressions with the greatest
316 * xmatch_len are preferred.
318 * Requires: @head not be shared or have appropriate locks held
320 * Returns: profile or NULL if no match found
322 static struct aa_profile
*__attach_match(const char *name
,
323 struct list_head
*head
)
326 struct aa_profile
*profile
, *candidate
= NULL
;
328 list_for_each_entry_rcu(profile
, head
, base
.list
) {
329 if (profile
->label
.flags
& FLAG_NULL
)
331 if (profile
->xmatch
&& profile
->xmatch_len
> len
) {
332 unsigned int state
= aa_dfa_match(profile
->xmatch
,
334 u32 perm
= dfa_user_allow(profile
->xmatch
, state
);
335 /* any accepting state means a valid match. */
336 if (perm
& MAY_EXEC
) {
338 len
= profile
->xmatch_len
;
340 } else if (!strcmp(profile
->base
.name
, name
))
341 /* exact non-re match, no more searching required */
349 * find_attach - do attachment search for unconfined processes
350 * @ns: the current namespace (NOT NULL)
351 * @list: list to search (NOT NULL)
352 * @name: the executable name to match against (NOT NULL)
354 * Returns: label or NULL if no match found
356 static struct aa_label
*find_attach(struct aa_ns
*ns
, struct list_head
*list
,
359 struct aa_profile
*profile
;
362 profile
= aa_get_profile(__attach_match(name
, list
));
365 return profile
? &profile
->label
: NULL
;
368 static const char *next_name(int xtype
, const char *name
)
374 * x_table_lookup - lookup an x transition name via transition table
375 * @profile: current profile (NOT NULL)
376 * @xindex: index into x transition table
377 * @name: returns: name tested to find label (NOT NULL)
379 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
381 struct aa_label
*x_table_lookup(struct aa_profile
*profile
, u32 xindex
,
384 struct aa_label
*label
= NULL
;
385 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
386 int index
= xindex
& AA_X_INDEX_MASK
;
390 /* index is guaranteed to be in range, validated at load time */
391 /* TODO: move lookup parsing to unpack time so this is a straight
392 * index into the resultant label
394 for (*name
= profile
->file
.trans
.table
[index
]; !label
&& *name
;
395 *name
= next_name(xtype
, *name
)) {
396 if (xindex
& AA_X_CHILD
) {
397 struct aa_profile
*new_profile
;
398 /* release by caller */
399 new_profile
= aa_find_child(profile
, *name
);
401 label
= &new_profile
->label
;
404 label
= aa_label_parse(&profile
->label
, *name
, GFP_ATOMIC
,
410 /* released by caller */
415 * x_to_label - get target label for a given xindex
416 * @profile: current profile (NOT NULL)
417 * @name: name to lookup (NOT NULL)
418 * @xindex: index into x transition table
419 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
421 * find label for a transition index
423 * Returns: refcounted label or NULL if not found available
425 static struct aa_label
*x_to_label(struct aa_profile
*profile
,
426 const char *name
, u32 xindex
,
427 const char **lookupname
,
430 struct aa_label
*new = NULL
;
431 struct aa_ns
*ns
= profile
->ns
;
432 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
433 const char *stack
= NULL
;
437 /* fail exec unless ix || ux fallback - handled by caller */
441 /* TODO: fix when perm mapping done at unload */
442 stack
= profile
->file
.trans
.table
[xindex
& AA_X_INDEX_MASK
];
444 /* released by caller */
445 new = x_table_lookup(profile
, xindex
, lookupname
);
449 /* fall through to X_NAME */
451 if (xindex
& AA_X_CHILD
)
452 /* released by caller */
453 new = find_attach(ns
, &profile
->base
.profiles
,
456 /* released by caller */
457 new = find_attach(ns
, &ns
->base
.profiles
,
464 if (xindex
& AA_X_INHERIT
) {
465 /* (p|c|n)ix - don't change profile but do
466 * use the newest version
468 *info
= "ix fallback";
469 /* no profile && no error */
470 new = aa_get_newest_label(&profile
->label
);
471 } else if (xindex
& AA_X_UNCONFINED
) {
472 new = aa_get_newest_label(ns_unconfined(profile
->ns
));
473 *info
= "ux fallback";
478 /* base the stack on post domain transition */
479 struct aa_label
*base
= new;
480 new = aa_label_parse(base
, stack
, GFP_ATOMIC
, true, false);
486 /* released by caller */
490 static struct aa_label
*profile_transition(struct aa_profile
*profile
,
491 const struct linux_binprm
*bprm
,
492 char *buffer
, struct path_cond
*cond
,
495 struct aa_label
*new = NULL
;
496 const char *info
= NULL
, *name
= NULL
, *target
= NULL
;
497 unsigned int state
= profile
->file
.start
;
498 struct aa_perms perms
= {};
505 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
506 &name
, &info
, profile
->disconnected
);
508 if (profile_unconfined(profile
) ||
509 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
510 AA_DEBUG("name lookup ix on error");
512 new = aa_get_newest_label(&profile
->label
);
514 name
= bprm
->filename
;
518 if (profile_unconfined(profile
)) {
519 new = find_attach(profile
->ns
, &profile
->ns
->base
.profiles
,
522 AA_DEBUG("unconfined attached to new label");
525 AA_DEBUG("unconfined exec no attachment");
526 return aa_get_newest_label(&profile
->label
);
529 /* find exec permissions for name */
530 state
= aa_str_perms(profile
->file
.dfa
, state
, name
, cond
, &perms
);
531 if (perms
.allow
& MAY_EXEC
) {
532 /* exec permission determine how to transition */
533 new = x_to_label(profile
, name
, perms
.xindex
, &target
, &info
);
534 if (new && new->proxy
== profile
->label
.proxy
&& info
) {
535 /* hack ix fallback - improve how this is detected */
539 info
= "profile transition not found";
540 /* remove MAY_EXEC to audit as failure */
541 perms
.allow
&= ~MAY_EXEC
;
543 } else if (COMPLAIN_MODE(profile
)) {
544 /* no exec permission - learning mode */
545 struct aa_profile
*new_profile
= aa_null_profile(profile
, false,
549 info
= "could not create null profile";
552 new = &new_profile
->label
;
554 perms
.xindex
|= AA_X_UNSAFE
;
562 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
564 dbg_printk("apparmor: scrubbing environment variables "
565 "for %s profile=", name
);
566 aa_label_printk(new, GFP_ATOMIC
);
573 aa_audit_file(profile
, &perms
, OP_EXEC
, MAY_EXEC
, name
, target
, new,
574 cond
->uid
, info
, error
);
576 return ERR_PTR(error
);
581 static int profile_onexec(struct aa_profile
*profile
, struct aa_label
*onexec
,
582 bool stack
, const struct linux_binprm
*bprm
,
583 char *buffer
, struct path_cond
*cond
,
586 unsigned int state
= profile
->file
.start
;
587 struct aa_perms perms
= {};
588 const char *xname
= NULL
, *info
= "change_profile onexec";
596 if (profile_unconfined(profile
)) {
597 /* change_profile on exec already granted */
599 * NOTE: Domain transitions from unconfined are allowed
600 * even when no_new_privs is set because this aways results
601 * in a further reduction of permissions.
606 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
607 &xname
, &info
, profile
->disconnected
);
609 if (profile_unconfined(profile
) ||
610 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
611 AA_DEBUG("name lookup ix on error");
614 xname
= bprm
->filename
;
618 /* find exec permissions for name */
619 state
= aa_str_perms(profile
->file
.dfa
, state
, xname
, cond
, &perms
);
620 if (!(perms
.allow
& AA_MAY_ONEXEC
)) {
621 info
= "no change_onexec valid for executable";
624 /* test if this exec can be paired with change_profile onexec.
625 * onexec permission is linked to exec with a standard pairing
626 * exec\0change_profile
628 state
= aa_dfa_null_transition(profile
->file
.dfa
, state
);
629 error
= change_profile_perms(profile
, onexec
, stack
, AA_MAY_ONEXEC
,
634 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
636 dbg_printk("appaarmor: scrubbing environment "
637 "variables for %s label=", xname
);
638 aa_label_printk(onexec
, GFP_ATOMIC
);
645 return aa_audit_file(profile
, &perms
, OP_EXEC
, AA_MAY_ONEXEC
, xname
,
646 NULL
, onexec
, cond
->uid
, info
, error
);
649 /* ensure none ns domain transitions are correctly applied with onexec */
651 static struct aa_label
*handle_onexec(struct aa_label
*label
,
652 struct aa_label
*onexec
, bool stack
,
653 const struct linux_binprm
*bprm
,
654 char *buffer
, struct path_cond
*cond
,
657 struct aa_profile
*profile
;
658 struct aa_label
*new;
667 error
= fn_for_each_in_ns(label
, profile
,
668 profile_onexec(profile
, onexec
, stack
,
669 bprm
, buffer
, cond
, unsafe
));
671 return ERR_PTR(error
);
672 new = fn_label_build_in_ns(label
, profile
, GFP_ATOMIC
,
673 aa_get_newest_label(onexec
),
674 profile_transition(profile
, bprm
, buffer
,
678 /* TODO: determine how much we want to losen this */
679 error
= fn_for_each_in_ns(label
, profile
,
680 profile_onexec(profile
, onexec
, stack
, bprm
,
681 buffer
, cond
, unsafe
));
683 return ERR_PTR(error
);
684 new = fn_label_build_in_ns(label
, profile
, GFP_ATOMIC
,
685 aa_label_merge(&profile
->label
, onexec
,
687 profile_transition(profile
, bprm
, buffer
,
694 /* TODO: get rid of GLOBAL_ROOT_UID */
695 error
= fn_for_each_in_ns(label
, profile
,
696 aa_audit_file(profile
, &nullperms
, OP_CHANGE_ONEXEC
,
697 AA_MAY_ONEXEC
, bprm
->filename
, NULL
,
698 onexec
, GLOBAL_ROOT_UID
,
699 "failed to build target label", -ENOMEM
));
700 return ERR_PTR(error
);
704 * apparmor_bprm_set_creds - set the new creds on the bprm struct
705 * @bprm: binprm for the exec (NOT NULL)
707 * Returns: %0 or error on failure
709 * TODO: once the other paths are done see if we can't refactor into a fn
711 int apparmor_bprm_set_creds(struct linux_binprm
*bprm
)
713 struct aa_task_ctx
*ctx
;
714 struct aa_label
*label
, *new = NULL
;
715 struct aa_profile
*profile
;
717 const char *info
= NULL
;
720 struct path_cond cond
= {
721 file_inode(bprm
->file
)->i_uid
,
722 file_inode(bprm
->file
)->i_mode
725 if (bprm
->cred_prepared
)
728 ctx
= cred_ctx(bprm
->cred
);
731 label
= aa_get_newest_label(ctx
->label
);
733 /* buffer freed below, name is pointer into buffer */
735 /* Test for onexec first as onexec override other x transitions. */
737 new = handle_onexec(label
, ctx
->onexec
, ctx
->token
,
738 bprm
, buffer
, &cond
, &unsafe
);
740 new = fn_label_build(label
, profile
, GFP_ATOMIC
,
741 profile_transition(profile
, bprm
, buffer
,
746 error
= PTR_ERR(new);
753 /* Policy has specified a domain transitions. if no_new_privs and
754 * confined and not transitioning to the current domain fail.
756 * NOTE: Domain transitions from unconfined and to stritly stacked
757 * subsets are allowed even when no_new_privs is set because this
758 * aways results in a further reduction of permissions.
760 if ((bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
) &&
761 !unconfined(label
) && !aa_label_is_subset(new, label
)) {
763 info
= "no new privs";
767 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
768 /* FIXME: currently don't mediate shared state */
772 if (bprm
->unsafe
& (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
773 /* TODO: test needs to be profile of label to new */
774 error
= may_change_ptraced_domain(new, &info
);
781 dbg_printk("scrubbing environment variables for %s "
782 "label=", bprm
->filename
);
783 aa_label_printk(new, GFP_ATOMIC
);
786 bprm
->unsafe
|= AA_SECURE_X_NEEDED
;
789 if (label
->proxy
!= new->proxy
) {
790 /* when transitioning clear unsafe personality bits */
792 dbg_printk("apparmor: clearing unsafe personality "
793 "bits. %s label=", bprm
->filename
);
794 aa_label_printk(new, GFP_ATOMIC
);
797 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
799 aa_put_label(ctx
->label
);
800 /* transfer reference, released when ctx is freed */
804 /* clear out temporary/transitional state from the context */
805 aa_clear_task_ctx_trans(ctx
);
813 error
= fn_for_each(label
, profile
,
814 aa_audit_file(profile
, &nullperms
, OP_EXEC
, MAY_EXEC
,
815 bprm
->filename
, NULL
, new,
816 file_inode(bprm
->file
)->i_uid
, info
,
823 * apparmor_bprm_secureexec - determine if secureexec is needed
824 * @bprm: binprm for exec (NOT NULL)
826 * Returns: %1 if secureexec is needed else %0
828 int apparmor_bprm_secureexec(struct linux_binprm
*bprm
)
830 /* the decision to use secure exec is computed in set_creds
831 * and stored in bprm->unsafe.
833 if (bprm
->unsafe
& AA_SECURE_X_NEEDED
)
840 * Functions for self directed profile change
844 /* helper fn for change_hat
846 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
848 static struct aa_label
*build_change_hat(struct aa_profile
*profile
,
849 const char *name
, bool sibling
)
851 struct aa_profile
*root
, *hat
= NULL
;
852 const char *info
= NULL
;
855 if (sibling
&& PROFILE_IS_HAT(profile
)) {
856 root
= aa_get_profile_rcu(&profile
->parent
);
857 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
858 root
= aa_get_profile(profile
);
860 info
= "conflicting target types";
865 hat
= aa_find_child(root
, name
);
868 if (COMPLAIN_MODE(profile
)) {
869 hat
= aa_null_profile(profile
, true, name
, GFP_KERNEL
);
871 info
= "failed null profile create";
876 aa_put_profile(root
);
879 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
,
880 name
, hat
? hat
->base
.hname
: NULL
, hat
? &hat
->label
: NULL
, GLOBAL_ROOT_UID
,
882 if (!hat
|| (error
&& error
!= -ENOENT
))
883 return ERR_PTR(error
);
884 /* if hat && error - complain mode, already audited and we adjust for
885 * complain mode allow by returning hat->label
890 /* helper fn for changing into a hat
892 * Returns: label for hat transition or ERR_PTR. Does not return NULL
894 static struct aa_label
*change_hat(struct aa_label
*label
, const char *hats
[],
895 int count
, bool permtest
)
897 struct aa_profile
*profile
, *root
, *hat
= NULL
;
898 struct aa_label
*new;
900 bool sibling
= false;
901 const char *name
, *info
= NULL
;
908 if (PROFILE_IS_HAT(labels_profile(label
)))
911 /*find first matching hat */
912 for (i
= 0; i
< count
&& !hat
; i
++) {
914 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
915 if (sibling
&& PROFILE_IS_HAT(profile
)) {
916 root
= aa_get_profile_rcu(&profile
->parent
);
917 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
918 root
= aa_get_profile(profile
);
919 } else { /* conflicting change type */
920 info
= "conflicting targets types";
924 hat
= aa_find_child(root
, name
);
925 aa_put_profile(root
);
927 if (!COMPLAIN_MODE(profile
))
929 /* complain mode succeed as if hat */
930 } else if (!PROFILE_IS_HAT(hat
)) {
931 info
= "target not hat";
938 /* found a hat for all profiles in ns */
942 /* no hats that match, find appropriate error
944 * In complain mode audit of the failure is based off of the first
945 * hat supplied. This is done due how userspace interacts with
949 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
950 if (!list_empty(&profile
->base
.profiles
)) {
951 info
= "hat not found";
956 info
= "no hats defined";
960 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
962 * no target as it has failed to be found or built
964 * change_hat uses probing and should not log failures
965 * related to missing hats
967 /* TODO: get rid of GLOBAL_ROOT_UID */
968 if (count
> 1 || COMPLAIN_MODE(profile
)) {
969 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
,
970 AA_MAY_CHANGEHAT
, name
, NULL
, NULL
,
971 GLOBAL_ROOT_UID
, info
, error
);
974 return (ERR_PTR(error
));
977 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
978 build_change_hat(profile
, name
, sibling
),
979 aa_get_label(&profile
->label
));
981 info
= "label build failed";
984 } /* else if (IS_ERR) build_change_hat has logged error so return new */
990 * aa_change_hat - change hat to/from subprofile
991 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
992 * @count: number of hat names in @hats
993 * @token: magic value to validate the hat change
994 * @permtest: true if this is just a permission test
996 * Returns %0 on success, error otherwise.
998 * Change to the first profile specified in @hats that exists, and store
999 * the @hat_magic in the current task context. If the count == 0 and the
1000 * @token matches that stored in the current task context, return to the
1001 * top level profile.
1003 * change_hat only applies to profiles in the current ns, and each profile
1004 * in the ns must make the same transition otherwise change_hat will fail.
1006 int aa_change_hat(const char *hats
[], int count
, u64 token
, bool permtest
)
1008 const struct cred
*cred
;
1009 struct aa_task_ctx
*ctx
;
1010 struct aa_label
*label
, *previous
, *new = NULL
, *target
= NULL
;
1011 struct aa_profile
*profile
;
1012 struct aa_perms perms
= {};
1013 const char *info
= NULL
;
1017 * Fail explicitly requested domain transitions if no_new_privs.
1018 * There is no exception for unconfined as change_hat is not
1021 if (task_no_new_privs(current
)) {
1022 /* not an apparmor denial per se, so don't log it */
1023 AA_DEBUG("no_new_privs - chanage_hat denied");
1027 /* released below */
1028 cred
= get_current_cred();
1029 ctx
= cred_ctx(cred
);
1030 label
= aa_get_newest_cred_label(cred
);
1031 previous
= aa_get_newest_label(ctx
->previous
);
1033 if (unconfined(label
)) {
1034 info
= "unconfined can not change_hat";
1040 new = change_hat(label
, hats
, count
, permtest
);
1043 error
= PTR_ERR(new);
1045 /* already audited */
1049 error
= may_change_ptraced_domain(new, &info
);
1057 error
= aa_set_current_hat(new, token
);
1058 if (error
== -EACCES
)
1059 /* kill task in case of brute force attacks */
1061 } else if (previous
&& !permtest
) {
1062 /* Return to saved label. Kill task if restore fails
1063 * to avoid brute force attacks
1066 error
= aa_restore_previous_label(token
);
1068 if (error
== -EACCES
)
1072 } /* else ignore permtest && restores when there is no saved profile */
1076 aa_put_label(previous
);
1077 aa_put_label(label
);
1083 info
= "failed token match";
1084 perms
.kill
= AA_MAY_CHANGEHAT
;
1087 fn_for_each_in_ns(label
, profile
,
1088 aa_audit_file(profile
, &perms
, OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
,
1089 NULL
, NULL
, target
, GLOBAL_ROOT_UID
, info
, error
));
1095 static int change_profile_perms_wrapper(const char *op
, const char *name
,
1096 struct aa_profile
*profile
,
1097 struct aa_label
*target
, bool stack
,
1098 u32 request
, struct aa_perms
*perms
)
1100 int error
= change_profile_perms(profile
, target
,
1102 profile
->file
.start
, perms
);
1104 error
= aa_audit_file(profile
, perms
, op
, request
, name
,
1105 NULL
, target
, GLOBAL_ROOT_UID
, NULL
,
1112 * aa_change_profile - perform a one-way profile transition
1113 * @fqname: name of profile may include namespace (NOT NULL)
1114 * @onexec: whether this transition is to take place immediately or at exec
1115 * @permtest: true if this is just a permission test
1116 * @stack: true if this call is to stack on top of current domain
1117 * Change to new profile @name. Unlike with hats, there is no way
1118 * to change back. If @name isn't specified the current profile name is
1120 * If @onexec then the transition is delayed until
1123 * Returns %0 on success, error otherwise.
1125 int aa_change_profile(const char *fqname
, bool onexec
,
1126 bool permtest
, bool stack
)
1128 struct aa_label
*label
, *new = NULL
, *target
= NULL
;
1129 struct aa_profile
*profile
;
1130 struct aa_perms perms
= {};
1131 const char *info
= NULL
;
1132 const char *auditname
= fqname
; /* retain leading & if stack */
1137 if (!fqname
|| !*fqname
) {
1138 AA_DEBUG("no profile name");
1143 request
= AA_MAY_ONEXEC
;
1145 op
= OP_STACK_ONEXEC
;
1147 op
= OP_CHANGE_ONEXEC
;
1149 request
= AA_MAY_CHANGE_PROFILE
;
1153 op
= OP_CHANGE_PROFILE
;
1156 label
= aa_get_current_label();
1158 if (*fqname
== '&') {
1160 /* don't have label_parse() do stacking */
1163 target
= aa_label_parse(label
, fqname
, GFP_KERNEL
, true, false);
1164 if (IS_ERR(target
)) {
1165 struct aa_profile
*tprofile
;
1167 info
= "label not found";
1168 error
= PTR_ERR(target
);
1170 /* TODO: fixme using labels_profile is not right - do profile
1171 per complain profile ??? */
1172 if (permtest
|| !COMPLAIN_MODE(labels_profile(label
)))
1174 /* released below */
1175 tprofile
= aa_null_profile(labels_profile(label
), false, fqname
, GFP_KERNEL
);
1177 info
= "failed null profile create";
1181 target
= &tprofile
->label
;
1186 * Fail explicitly requested domain transitions when no_new_privs
1187 * and not unconfined OR the transition results in a stack on
1188 * the current label.
1189 * Stacking domain transitions and transitions from unconfined are
1190 * allowed even when no_new_privs is set because this aways results
1191 * in a reduction of permissions.
1193 if (task_no_new_privs(current
) && !stack
&& !unconfined(label
) &&
1194 !aa_label_is_subset(target
, label
)) {
1195 info
= "no new privs";
1200 /* self directed transitions only apply to current policy ns */
1201 /* TODO: currently requiring perms for stacking and straight change
1202 * stacking doesn't strictly need this. Determine how much
1203 * we want to loosen this restriction for stacking
1206 error
= fn_for_each_in_ns(label
, profile
,
1207 change_profile_perms_wrapper(op
, auditname
,
1208 profile
, target
, stack
,
1211 /* auditing done in change_profile_perms_wrapper */
1217 /* check if tracing task is allowed to trace target domain */
1218 error
= may_change_ptraced_domain(target
, &info
);
1219 if (error
&& !fn_for_each_in_ns(label
, profile
,
1220 COMPLAIN_MODE(profile
)))
1223 /* TODO: add permission check to allow this
1224 if (onexec && !current_is_single_threaded()) {
1225 info = "not a single threaded task";
1234 /* only transition profiles in the current ns */
1236 new = aa_label_merge(label
, target
, GFP_KERNEL
);
1238 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
1239 aa_get_label(target
),
1240 aa_get_label(&profile
->label
));
1241 if (IS_ERR_OR_NULL(new)) {
1242 info
= "failed to build target label";
1243 error
= PTR_ERR(new);
1248 error
= aa_replace_current_label(new);
1250 /* full transition will be built in exec path */
1251 error
= aa_set_current_onexec(target
, stack
);
1254 error
= fn_for_each_in_ns(label
, profile
,
1255 aa_audit_file(profile
, &perms
, op
, request
, auditname
,
1256 NULL
, new ? new : target
,
1257 GLOBAL_ROOT_UID
, info
, error
));
1261 aa_put_label(target
);
1262 aa_put_label(label
);