]>
git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/domain.c
2 * AppArmor security module
4 * This file contains AppArmor policy attachment and domain transitions
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/errno.h>
16 #include <linux/fdtable.h>
17 #include <linux/file.h>
18 #include <linux/mount.h>
19 #include <linux/syscalls.h>
20 #include <linux/tracehook.h>
21 #include <linux/personality.h>
23 #include "include/audit.h"
24 #include "include/apparmorfs.h"
25 #include "include/context.h"
26 #include "include/domain.h"
27 #include "include/file.h"
28 #include "include/ipc.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
34 * aa_free_domain_entries - free entries in a domain table
35 * @domain: the domain table to free (MAYBE NULL)
37 void aa_free_domain_entries(struct aa_domain
*domain
)
44 for (i
= 0; i
< domain
->size
; i
++)
45 kzfree(domain
->table
[i
]);
46 kzfree(domain
->table
);
52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @to_label: profile to change to (NOT NULL)
54 * @info: message if there is an error
56 * Check if current is ptraced and if so if the tracing task is allowed
57 * to trace the new domain
59 * Returns: %0 or error if change not allowed
61 static int may_change_ptraced_domain(struct aa_label
*to_label
,
64 struct task_struct
*tracer
;
65 struct aa_label
*tracerl
= NULL
;
69 tracer
= ptrace_parent(current
);
72 tracerl
= aa_get_task_label(tracer
);
75 if (!tracer
|| unconfined(tracerl
))
78 error
= aa_may_ptrace(tracerl
, to_label
, PTRACE_MODE_ATTACH
);
82 aa_put_label(tracerl
);
85 *info
= "ptrace prevents transition";
89 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
90 * specifically this is an exact copy of aa_label_match except
91 * aa_compute_perms is replaced with aa_compute_fperms
92 * and policy.dfa with file.dfa
94 /* match a profile and its associated ns component if needed
95 * Assumes visibility test has already been done.
96 * If a subns profile is not to be matched should be prescreened with
99 /* match a profile and its associated ns component if needed
100 * Assumes visibility test has already been done.
101 * If a subns profile is not to be matched should be prescreened with
104 static inline unsigned int match_component(struct aa_profile
*profile
,
105 struct aa_profile
*tp
,
106 bool stack
, unsigned int state
)
111 state
= aa_dfa_match(profile
->file
.dfa
, state
, "&");
112 if (profile
->ns
== tp
->ns
)
113 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
115 /* try matching with namespace name and then profile */
116 ns_name
= aa_ns_name(profile
->ns
, tp
->ns
, true);
117 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
118 state
= aa_dfa_match(profile
->file
.dfa
, state
, ns_name
);
119 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
120 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
124 * label_component_match - find perms for full compound label
125 * @profile: profile to find perms for
126 * @label: label to check access permissions for
127 * @stack: whether this is a stacking request
128 * @start: state to start match in
129 * @subns: whether to do permission checks on components in a subns
130 * @request: permissions to request
131 * @perms: perms struct to set
133 * Returns: 0 on success else ERROR
135 * For the label A//&B//&C this does the perm match for A//&B//&C
136 * @perms should be preinitialized with allperms OR a previous permission
137 * check to be stacked.
139 static int label_compound_match(struct aa_profile
*profile
,
140 struct aa_label
*label
, bool stack
,
141 unsigned int state
, bool subns
, u32 request
,
142 struct aa_perms
*perms
)
144 struct aa_profile
*tp
;
146 struct path_cond cond
= { };
148 /* find first subcomponent that is visible */
149 label_for_each(i
, label
, tp
) {
150 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
152 state
= match_component(profile
, tp
, stack
, state
);
158 /* no component visible */
163 label_for_each_cont(i
, label
, tp
) {
164 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
166 state
= aa_dfa_match(profile
->file
.dfa
, state
, "//&");
167 state
= match_component(profile
, tp
, false, state
);
171 *perms
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
172 aa_apply_modes_to_perms(profile
, perms
);
173 if ((perms
->allow
& request
) != request
)
184 * label_component_match - find perms for all subcomponents of a label
185 * @profile: profile to find perms for
186 * @label: label to check access permissions for
187 * @stack: whether this is a stacking request
188 * @start: state to start match in
189 * @subns: whether to do permission checks on components in a subns
190 * @request: permissions to request
191 * @perms: an initialized perms struct to add accumulation to
193 * Returns: 0 on success else ERROR
195 * For the label A//&B//&C this does the perm match for each of A and B and C
196 * @perms should be preinitialized with allperms OR a previous permission
197 * check to be stacked.
199 static int label_components_match(struct aa_profile
*profile
,
200 struct aa_label
*label
, bool stack
,
201 unsigned int start
, bool subns
, u32 request
,
202 struct aa_perms
*perms
)
204 struct aa_profile
*tp
;
207 struct path_cond cond
= { };
208 unsigned int state
= 0;
210 /* find first subcomponent to test */
211 label_for_each(i
, label
, tp
) {
212 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
214 state
= match_component(profile
, tp
, stack
, start
);
220 /* no subcomponents visible - no change in perms */
224 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
225 aa_apply_modes_to_perms(profile
, &tmp
);
226 aa_perms_accum(perms
, &tmp
);
227 label_for_each_cont(i
, label
, tp
) {
228 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
230 state
= match_component(profile
, tp
, stack
, start
);
233 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
234 aa_apply_modes_to_perms(profile
, &tmp
);
235 aa_perms_accum(perms
, &tmp
);
238 if ((perms
->allow
& request
) != request
)
249 * aa_label_match - do a multi-component label match
250 * @profile: profile to match against (NOT NULL)
251 * @label: label to match (NOT NULL)
252 * @stack: whether this is a stacking request
253 * @state: state to start in
254 * @subns: whether to match subns components
255 * @request: permission request
256 * @perms: Returns computed perms (NOT NULL)
258 * Returns: the state the match finished in, may be the none matching state
260 static int label_match(struct aa_profile
*profile
, struct aa_label
*label
,
261 bool stack
, unsigned int state
, bool subns
, u32 request
,
262 struct aa_perms
*perms
)
267 error
= label_compound_match(profile
, label
, stack
, state
, subns
,
273 return label_components_match(profile
, label
, stack
, state
, subns
,
277 /******* end TODO: dedup *****/
280 * change_profile_perms - find permissions for change_profile
281 * @profile: the current profile (NOT NULL)
282 * @target: label to transition to (NOT NULL)
283 * @stack: whether this is a stacking request
284 * @request: requested perms
285 * @start: state to start matching in
288 * Returns: permission set
290 * currently only matches full label A//&B//&C or individual components A, B, C
291 * not arbitrary combinations. Eg. A//&B, C
293 static int change_profile_perms(struct aa_profile
*profile
,
294 struct aa_label
*target
, bool stack
,
295 u32 request
, unsigned int start
,
296 struct aa_perms
*perms
)
298 if (profile_unconfined(profile
)) {
299 perms
->allow
= AA_MAY_CHANGE_PROFILE
| AA_MAY_ONEXEC
;
300 perms
->audit
= perms
->quiet
= perms
->kill
= 0;
304 /* TODO: add profile in ns screening */
305 return label_match(profile
, target
, stack
, start
, true, request
, perms
);
309 * __attach_match_ - find an attachment match
310 * @name - to match against (NOT NULL)
311 * @head - profile list to walk (NOT NULL)
313 * Do a linear search on the profiles in the list. There is a matching
314 * preference where an exact match is preferred over a name which uses
315 * expressions to match, and matching expressions with the greatest
316 * xmatch_len are preferred.
318 * Requires: @head not be shared or have appropriate locks held
320 * Returns: profile or NULL if no match found
322 static struct aa_profile
*__attach_match(const char *name
,
323 struct list_head
*head
)
326 struct aa_profile
*profile
, *candidate
= NULL
;
328 list_for_each_entry_rcu(profile
, head
, base
.list
) {
329 if (profile
->label
.flags
& FLAG_NULL
)
331 if (profile
->xmatch
&& profile
->xmatch_len
> len
) {
332 unsigned int state
= aa_dfa_match(profile
->xmatch
,
334 u32 perm
= dfa_user_allow(profile
->xmatch
, state
);
335 /* any accepting state means a valid match. */
336 if (perm
& MAY_EXEC
) {
338 len
= profile
->xmatch_len
;
340 } else if (!strcmp(profile
->base
.name
, name
))
341 /* exact non-re match, no more searching required */
349 * find_attach - do attachment search for unconfined processes
350 * @ns: the current namespace (NOT NULL)
351 * @list: list to search (NOT NULL)
352 * @name: the executable name to match against (NOT NULL)
354 * Returns: label or NULL if no match found
356 static struct aa_label
*find_attach(struct aa_ns
*ns
, struct list_head
*list
,
359 struct aa_profile
*profile
;
362 profile
= aa_get_profile(__attach_match(name
, list
));
365 return profile
? &profile
->label
: NULL
;
368 static const char *next_name(int xtype
, const char *name
)
374 * x_table_lookup - lookup an x transition name via transition table
375 * @profile: current profile (NOT NULL)
376 * @xindex: index into x transition table
377 * @name: returns: name tested to find label (NOT NULL)
379 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
381 struct aa_label
*x_table_lookup(struct aa_profile
*profile
, u32 xindex
,
384 struct aa_label
*label
= NULL
;
385 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
386 int index
= xindex
& AA_X_INDEX_MASK
;
390 /* index is guaranteed to be in range, validated at load time */
391 /* TODO: move lookup parsing to unpack time so this is a straight
392 * index into the resultant label
394 for (*name
= profile
->file
.trans
.table
[index
]; !label
&& *name
;
395 *name
= next_name(xtype
, *name
)) {
396 if (xindex
& AA_X_CHILD
) {
397 struct aa_profile
*new_profile
;
398 /* release by caller */
399 new_profile
= aa_find_child(profile
, *name
);
401 label
= &new_profile
->label
;
404 label
= aa_label_parse(&profile
->label
, *name
, GFP_ATOMIC
,
410 /* released by caller */
415 * x_to_label - get target label for a given xindex
416 * @profile: current profile (NOT NULL)
417 * @name: name to lookup (NOT NULL)
418 * @xindex: index into x transition table
419 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
421 * find label for a transition index
423 * Returns: refcounted label or NULL if not found available
425 static struct aa_label
*x_to_label(struct aa_profile
*profile
,
426 const char *name
, u32 xindex
,
427 const char **lookupname
,
430 struct aa_label
*new = NULL
;
431 struct aa_ns
*ns
= profile
->ns
;
432 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
433 const char *stack
= NULL
;
437 /* fail exec unless ix || ux fallback - handled by caller */
441 /* TODO: fix when perm mapping done at unload */
442 stack
= profile
->file
.trans
.table
[xindex
& AA_X_INDEX_MASK
];
444 /* released by caller */
445 new = x_table_lookup(profile
, xindex
, lookupname
);
449 /* fall through to X_NAME */
451 if (xindex
& AA_X_CHILD
)
452 /* released by caller */
453 new = find_attach(ns
, &profile
->base
.profiles
,
456 /* released by caller */
457 new = find_attach(ns
, &ns
->base
.profiles
,
464 if (xindex
& AA_X_INHERIT
) {
465 /* (p|c|n)ix - don't change profile but do
466 * use the newest version
468 *info
= "ix fallback";
469 /* no profile && no error */
470 new = aa_get_newest_label(&profile
->label
);
471 } else if (xindex
& AA_X_UNCONFINED
) {
472 new = aa_get_newest_label(ns_unconfined(profile
->ns
));
473 *info
= "ux fallback";
478 /* base the stack on post domain transition */
479 struct aa_label
*base
= new;
480 new = aa_label_parse(base
, stack
, GFP_ATOMIC
, true, false);
486 /* released by caller */
490 static struct aa_label
*profile_transition(struct aa_profile
*profile
,
491 const struct linux_binprm
*bprm
,
492 char *buffer
, struct path_cond
*cond
,
495 struct aa_label
*new = NULL
;
496 const char *info
= NULL
, *name
= NULL
, *target
= NULL
;
497 unsigned int state
= profile
->file
.start
;
498 struct aa_perms perms
= {};
499 bool nonewprivs
= false;
506 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
507 &name
, &info
, profile
->disconnected
);
509 if (profile_unconfined(profile
) ||
510 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
511 AA_DEBUG("name lookup ix on error");
513 new = aa_get_newest_label(&profile
->label
);
515 name
= bprm
->filename
;
519 if (profile_unconfined(profile
)) {
520 new = find_attach(profile
->ns
, &profile
->ns
->base
.profiles
,
523 AA_DEBUG("unconfined attached to new label");
526 AA_DEBUG("unconfined exec no attachment");
527 return aa_get_newest_label(&profile
->label
);
530 /* find exec permissions for name */
531 state
= aa_str_perms(profile
->file
.dfa
, state
, name
, cond
, &perms
);
532 if (perms
.allow
& MAY_EXEC
) {
533 /* exec permission determine how to transition */
534 new = x_to_label(profile
, name
, perms
.xindex
, &target
, &info
);
535 if (new && new->proxy
== profile
->label
.proxy
&& info
) {
536 /* hack ix fallback - improve how this is detected */
540 info
= "profile transition not found";
541 /* remove MAY_EXEC to audit as failure */
542 perms
.allow
&= ~MAY_EXEC
;
544 } else if (COMPLAIN_MODE(profile
)) {
545 /* no exec permission - learning mode */
546 struct aa_profile
*new_profile
= aa_null_profile(profile
, false,
550 info
= "could not create null profile";
553 new = &new_profile
->label
;
555 perms
.xindex
|= AA_X_UNSAFE
;
563 /* Policy has specified a domain transitions. if no_new_privs and
564 * confined and not transitioning to the current domain fail.
566 * NOTE: Domain transitions from unconfined and to stritly stacked
567 * subsets are allowed even when no_new_privs is set because this
568 * aways results in a further reduction of permissions.
570 if ((bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
) &&
571 !profile_unconfined(profile
) &&
572 !aa_label_is_subset(new, &profile
->label
)) {
574 info
= "no new privs";
579 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
581 dbg_printk("apparmor: scrubbing environment variables "
582 "for %s profile=", name
);
583 aa_label_printk(new, GFP_ATOMIC
);
590 aa_audit_file(profile
, &perms
, OP_EXEC
, MAY_EXEC
, name
, target
, new,
591 cond
->uid
, info
, error
);
592 if (!new || nonewprivs
) {
594 return ERR_PTR(error
);
600 static int profile_onexec(struct aa_profile
*profile
, struct aa_label
*onexec
,
601 bool stack
, const struct linux_binprm
*bprm
,
602 char *buffer
, struct path_cond
*cond
,
605 unsigned int state
= profile
->file
.start
;
606 struct aa_perms perms
= {};
607 const char *xname
= NULL
, *info
= "change_profile onexec";
615 if (profile_unconfined(profile
)) {
616 /* change_profile on exec already granted */
618 * NOTE: Domain transitions from unconfined are allowed
619 * even when no_new_privs is set because this aways results
620 * in a further reduction of permissions.
625 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
626 &xname
, &info
, profile
->disconnected
);
628 if (profile_unconfined(profile
) ||
629 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
630 AA_DEBUG("name lookup ix on error");
633 xname
= bprm
->filename
;
637 /* find exec permissions for name */
638 state
= aa_str_perms(profile
->file
.dfa
, state
, xname
, cond
, &perms
);
639 if (!(perms
.allow
& AA_MAY_ONEXEC
)) {
640 info
= "no change_onexec valid for executable";
643 /* test if this exec can be paired with change_profile onexec.
644 * onexec permission is linked to exec with a standard pairing
645 * exec\0change_profile
647 state
= aa_dfa_null_transition(profile
->file
.dfa
, state
);
648 error
= change_profile_perms(profile
, onexec
, stack
, AA_MAY_ONEXEC
,
653 /* Policy has specified a domain transitions. if no_new_privs and
654 * confined and not transitioning to the current domain fail.
656 * NOTE: Domain transitions from unconfined and to stritly stacked
657 * subsets are allowed even when no_new_privs is set because this
658 * aways results in a further reduction of permissions.
660 if ((bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
) &&
661 !profile_unconfined(profile
) &&
662 !aa_label_is_subset(onexec
, &profile
->label
)) {
664 info
= "no new privs";
668 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
670 dbg_printk("appaarmor: scrubbing environment "
671 "variables for %s label=", xname
);
672 aa_label_printk(onexec
, GFP_ATOMIC
);
679 return aa_audit_file(profile
, &perms
, OP_EXEC
, AA_MAY_ONEXEC
, xname
,
680 NULL
, onexec
, cond
->uid
, info
, error
);
683 /* ensure none ns domain transitions are correctly applied with onexec */
685 static struct aa_label
*handle_onexec(struct aa_label
*label
,
686 struct aa_label
*onexec
, bool stack
,
687 const struct linux_binprm
*bprm
,
688 char *buffer
, struct path_cond
*cond
,
691 struct aa_profile
*profile
;
692 struct aa_label
*new;
701 error
= fn_for_each_in_ns(label
, profile
,
702 profile_onexec(profile
, onexec
, stack
,
703 bprm
, buffer
, cond
, unsafe
));
705 return ERR_PTR(error
);
706 new = fn_label_build_in_ns(label
, profile
, GFP_ATOMIC
,
707 aa_get_newest_label(onexec
),
708 profile_transition(profile
, bprm
, buffer
,
712 /* TODO: determine how much we want to losen this */
713 error
= fn_for_each_in_ns(label
, profile
,
714 profile_onexec(profile
, onexec
, stack
, bprm
,
715 buffer
, cond
, unsafe
));
717 return ERR_PTR(error
);
718 new = fn_label_build_in_ns(label
, profile
, GFP_ATOMIC
,
719 aa_label_merge(&profile
->label
, onexec
,
721 profile_transition(profile
, bprm
, buffer
,
728 /* TODO: get rid of GLOBAL_ROOT_UID */
729 error
= fn_for_each_in_ns(label
, profile
,
730 aa_audit_file(profile
, &nullperms
, OP_CHANGE_ONEXEC
,
731 AA_MAY_ONEXEC
, bprm
->filename
, NULL
,
732 onexec
, GLOBAL_ROOT_UID
,
733 "failed to build target label", -ENOMEM
));
734 return ERR_PTR(error
);
738 * apparmor_bprm_set_creds - set the new creds on the bprm struct
739 * @bprm: binprm for the exec (NOT NULL)
741 * Returns: %0 or error on failure
743 * TODO: once the other paths are done see if we can't refactor into a fn
745 int apparmor_bprm_set_creds(struct linux_binprm
*bprm
)
747 struct aa_task_ctx
*ctx
;
748 struct aa_label
*label
, *new = NULL
;
749 struct aa_profile
*profile
;
751 const char *info
= NULL
;
754 struct path_cond cond
= {
755 file_inode(bprm
->file
)->i_uid
,
756 file_inode(bprm
->file
)->i_mode
759 if (bprm
->cred_prepared
)
762 ctx
= cred_ctx(bprm
->cred
);
765 label
= aa_get_newest_label(ctx
->label
);
767 /* buffer freed below, name is pointer into buffer */
769 /* Test for onexec first as onexec override other x transitions. */
771 new = handle_onexec(label
, ctx
->onexec
, ctx
->token
,
772 bprm
, buffer
, &cond
, &unsafe
);
774 new = fn_label_build(label
, profile
, GFP_ATOMIC
,
775 profile_transition(profile
, bprm
, buffer
,
780 error
= PTR_ERR(new);
787 /* TODO: Add ns level no_new_privs subset test */
789 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
790 /* FIXME: currently don't mediate shared state */
794 if (bprm
->unsafe
& (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
795 /* TODO: test needs to be profile of label to new */
796 error
= may_change_ptraced_domain(new, &info
);
803 dbg_printk("scrubbing environment variables for %s "
804 "label=", bprm
->filename
);
805 aa_label_printk(new, GFP_ATOMIC
);
808 bprm
->unsafe
|= AA_SECURE_X_NEEDED
;
811 if (label
->proxy
!= new->proxy
) {
812 /* when transitioning clear unsafe personality bits */
814 dbg_printk("apparmor: clearing unsafe personality "
815 "bits. %s label=", bprm
->filename
);
816 aa_label_printk(new, GFP_ATOMIC
);
819 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
821 aa_put_label(ctx
->label
);
822 /* transfer reference, released when ctx is freed */
826 /* clear out temporary/transitional state from the context */
827 aa_clear_task_ctx_trans(ctx
);
835 error
= fn_for_each(label
, profile
,
836 aa_audit_file(profile
, &nullperms
, OP_EXEC
, MAY_EXEC
,
837 bprm
->filename
, NULL
, new,
838 file_inode(bprm
->file
)->i_uid
, info
,
845 * apparmor_bprm_secureexec - determine if secureexec is needed
846 * @bprm: binprm for exec (NOT NULL)
848 * Returns: %1 if secureexec is needed else %0
850 int apparmor_bprm_secureexec(struct linux_binprm
*bprm
)
852 /* the decision to use secure exec is computed in set_creds
853 * and stored in bprm->unsafe.
855 if (bprm
->unsafe
& AA_SECURE_X_NEEDED
)
862 * Functions for self directed profile change
866 /* helper fn for change_hat
868 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
870 static struct aa_label
*build_change_hat(struct aa_profile
*profile
,
871 const char *name
, bool sibling
)
873 struct aa_profile
*root
, *hat
= NULL
;
874 const char *info
= NULL
;
877 if (sibling
&& PROFILE_IS_HAT(profile
)) {
878 root
= aa_get_profile_rcu(&profile
->parent
);
879 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
880 root
= aa_get_profile(profile
);
882 info
= "conflicting target types";
887 hat
= aa_find_child(root
, name
);
890 if (COMPLAIN_MODE(profile
)) {
891 hat
= aa_null_profile(profile
, true, name
, GFP_KERNEL
);
893 info
= "failed null profile create";
898 aa_put_profile(root
);
901 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
,
902 name
, hat
? hat
->base
.hname
: NULL
, hat
? &hat
->label
: NULL
, GLOBAL_ROOT_UID
,
904 if (!hat
|| (error
&& error
!= -ENOENT
))
905 return ERR_PTR(error
);
906 /* if hat && error - complain mode, already audited and we adjust for
907 * complain mode allow by returning hat->label
912 /* helper fn for changing into a hat
914 * Returns: label for hat transition or ERR_PTR. Does not return NULL
916 static struct aa_label
*change_hat(struct aa_label
*label
, const char *hats
[],
917 int count
, bool permtest
)
919 struct aa_profile
*profile
, *root
, *hat
= NULL
;
920 struct aa_label
*new;
922 bool sibling
= false;
923 const char *name
, *info
= NULL
;
930 if (PROFILE_IS_HAT(labels_profile(label
)))
933 /*find first matching hat */
934 for (i
= 0; i
< count
&& !hat
; i
++) {
936 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
937 if (sibling
&& PROFILE_IS_HAT(profile
)) {
938 root
= aa_get_profile_rcu(&profile
->parent
);
939 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
940 root
= aa_get_profile(profile
);
941 } else { /* conflicting change type */
942 info
= "conflicting targets types";
946 hat
= aa_find_child(root
, name
);
947 aa_put_profile(root
);
949 if (!COMPLAIN_MODE(profile
))
951 /* complain mode succeed as if hat */
952 } else if (!PROFILE_IS_HAT(hat
)) {
953 info
= "target not hat";
960 /* found a hat for all profiles in ns */
964 /* no hats that match, find appropriate error
966 * In complain mode audit of the failure is based off of the first
967 * hat supplied. This is done due how userspace interacts with
971 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
972 if (!list_empty(&profile
->base
.profiles
)) {
973 info
= "hat not found";
978 info
= "no hats defined";
982 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
984 * no target as it has failed to be found or built
986 * change_hat uses probing and should not log failures
987 * related to missing hats
989 /* TODO: get rid of GLOBAL_ROOT_UID */
990 if (count
> 1 || COMPLAIN_MODE(profile
)) {
991 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
,
992 AA_MAY_CHANGEHAT
, name
, NULL
, NULL
,
993 GLOBAL_ROOT_UID
, info
, error
);
996 return (ERR_PTR(error
));
999 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
1000 build_change_hat(profile
, name
, sibling
),
1001 aa_get_label(&profile
->label
));
1003 info
= "label build failed";
1006 } /* else if (IS_ERR) build_change_hat has logged error so return new */
1012 * aa_change_hat - change hat to/from subprofile
1013 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
1014 * @count: number of hat names in @hats
1015 * @token: magic value to validate the hat change
1016 * @permtest: true if this is just a permission test
1018 * Returns %0 on success, error otherwise.
1020 * Change to the first profile specified in @hats that exists, and store
1021 * the @hat_magic in the current task context. If the count == 0 and the
1022 * @token matches that stored in the current task context, return to the
1023 * top level profile.
1025 * change_hat only applies to profiles in the current ns, and each profile
1026 * in the ns must make the same transition otherwise change_hat will fail.
1028 int aa_change_hat(const char *hats
[], int count
, u64 token
, bool permtest
)
1030 const struct cred
*cred
;
1031 struct aa_task_ctx
*ctx
;
1032 struct aa_label
*label
, *previous
, *new = NULL
, *target
= NULL
;
1033 struct aa_profile
*profile
;
1034 struct aa_perms perms
= {};
1035 const char *info
= NULL
;
1039 * Fail explicitly requested domain transitions if no_new_privs.
1040 * There is no exception for unconfined as change_hat is not
1043 if (task_no_new_privs(current
)) {
1044 /* not an apparmor denial per se, so don't log it */
1045 AA_DEBUG("no_new_privs - chanage_hat denied");
1049 /* released below */
1050 cred
= get_current_cred();
1051 ctx
= cred_ctx(cred
);
1052 label
= aa_get_newest_cred_label(cred
);
1053 previous
= aa_get_newest_label(ctx
->previous
);
1055 if (unconfined(label
)) {
1056 info
= "unconfined can not change_hat";
1062 new = change_hat(label
, hats
, count
, permtest
);
1065 error
= PTR_ERR(new);
1067 /* already audited */
1071 error
= may_change_ptraced_domain(new, &info
);
1079 error
= aa_set_current_hat(new, token
);
1080 if (error
== -EACCES
)
1081 /* kill task in case of brute force attacks */
1083 } else if (previous
&& !permtest
) {
1084 /* Return to saved label. Kill task if restore fails
1085 * to avoid brute force attacks
1088 error
= aa_restore_previous_label(token
);
1090 if (error
== -EACCES
)
1094 } /* else ignore permtest && restores when there is no saved profile */
1098 aa_put_label(previous
);
1099 aa_put_label(label
);
1105 info
= "failed token match";
1106 perms
.kill
= AA_MAY_CHANGEHAT
;
1109 fn_for_each_in_ns(label
, profile
,
1110 aa_audit_file(profile
, &perms
, OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
,
1111 NULL
, NULL
, target
, GLOBAL_ROOT_UID
, info
, error
));
1117 static int change_profile_perms_wrapper(const char *op
, const char *name
,
1118 struct aa_profile
*profile
,
1119 struct aa_label
*target
, bool stack
,
1120 u32 request
, struct aa_perms
*perms
)
1122 const char *info
= NULL
;
1126 * Fail explicitly requested domain transitions when no_new_privs
1127 * and not unconfined OR the transition results in a stack on
1128 * the current label.
1129 * Stacking domain transitions and transitions from unconfined are
1130 * allowed even when no_new_privs is set because this aways results
1131 * in a reduction of permissions.
1133 if (task_no_new_privs(current
) && !stack
&&
1134 !profile_unconfined(profile
) &&
1135 !aa_label_is_subset(target
, &profile
->label
)) {
1136 info
= "no new privs";
1141 error
= change_profile_perms(profile
, target
, stack
, request
,
1142 profile
->file
.start
, perms
);
1144 error
= aa_audit_file(profile
, perms
, op
, request
, name
,
1145 NULL
, target
, GLOBAL_ROOT_UID
, info
,
1152 * aa_change_profile - perform a one-way profile transition
1153 * @fqname: name of profile may include namespace (NOT NULL)
1154 * @onexec: whether this transition is to take place immediately or at exec
1155 * @permtest: true if this is just a permission test
1156 * @stack: true if this call is to stack on top of current domain
1157 * Change to new profile @name. Unlike with hats, there is no way
1158 * to change back. If @name isn't specified the current profile name is
1160 * If @onexec then the transition is delayed until
1163 * Returns %0 on success, error otherwise.
1165 int aa_change_profile(const char *fqname
, bool onexec
,
1166 bool permtest
, bool stack
)
1168 struct aa_label
*label
, *new = NULL
, *target
= NULL
;
1169 struct aa_profile
*profile
;
1170 struct aa_perms perms
= {};
1171 const char *info
= NULL
;
1172 const char *auditname
= fqname
; /* retain leading & if stack */
1177 if (!fqname
|| !*fqname
) {
1178 AA_DEBUG("no profile name");
1183 request
= AA_MAY_ONEXEC
;
1185 op
= OP_STACK_ONEXEC
;
1187 op
= OP_CHANGE_ONEXEC
;
1189 request
= AA_MAY_CHANGE_PROFILE
;
1193 op
= OP_CHANGE_PROFILE
;
1196 label
= aa_get_current_label();
1198 if (*fqname
== '&') {
1200 /* don't have label_parse() do stacking */
1203 target
= aa_label_parse(label
, fqname
, GFP_KERNEL
, true, false);
1204 if (IS_ERR(target
)) {
1205 struct aa_profile
*tprofile
;
1207 info
= "label not found";
1208 error
= PTR_ERR(target
);
1210 /* TODO: fixme using labels_profile is not right - do profile
1211 per complain profile ??? */
1212 if (permtest
|| !COMPLAIN_MODE(labels_profile(label
)))
1214 /* released below */
1215 tprofile
= aa_null_profile(labels_profile(label
), false, fqname
, GFP_KERNEL
);
1217 info
= "failed null profile create";
1221 target
= &tprofile
->label
;
1225 /* self directed transitions only apply to current policy ns */
1226 /* TODO: currently requiring perms for stacking and straight change
1227 * stacking doesn't strictly need this. Determine how much
1228 * we want to loosen this restriction for stacking
1231 error
= fn_for_each_in_ns(label
, profile
,
1232 change_profile_perms_wrapper(op
, auditname
,
1233 profile
, target
, stack
,
1236 /* auditing done in change_profile_perms_wrapper */
1242 /* check if tracing task is allowed to trace target domain */
1243 error
= may_change_ptraced_domain(target
, &info
);
1244 if (error
&& !fn_for_each_in_ns(label
, profile
,
1245 COMPLAIN_MODE(profile
)))
1248 /* TODO: add permission check to allow this
1249 if (onexec && !current_is_single_threaded()) {
1250 info = "not a single threaded task";
1259 /* only transition profiles in the current ns */
1261 new = aa_label_merge(label
, target
, GFP_KERNEL
);
1263 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
1264 aa_get_label(target
),
1265 aa_get_label(&profile
->label
));
1266 if (IS_ERR_OR_NULL(new)) {
1267 info
= "failed to build target label";
1268 error
= PTR_ERR(new);
1273 error
= aa_replace_current_label(new);
1275 /* full transition will be built in exec path */
1276 error
= aa_set_current_onexec(target
, stack
);
1279 error
= fn_for_each_in_ns(label
, profile
,
1280 aa_audit_file(profile
, &perms
, op
, request
, auditname
,
1281 NULL
, new ? new : target
,
1282 GLOBAL_ROOT_UID
, info
, error
));
1286 aa_put_label(target
);
1287 aa_put_label(label
);