2 * AppArmor security module
4 * This file contains AppArmor LSM hooks.
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/lsm_hooks.h>
16 #include <linux/moduleparam.h>
18 #include <linux/mman.h>
19 #include <linux/mount.h>
20 #include <linux/namei.h>
21 #include <linux/ptrace.h>
22 #include <linux/ctype.h>
23 #include <linux/sysctl.h>
24 #include <linux/audit.h>
25 #include <linux/user_namespace.h>
26 #include <linux/netfilter_ipv4.h>
27 #include <linux/netfilter_ipv6.h>
29 #include <uapi/linux/mount.h>
31 #include "include/apparmor.h"
32 #include "include/apparmorfs.h"
33 #include "include/audit.h"
34 #include "include/capability.h"
35 #include "include/cred.h"
36 #include "include/file.h"
37 #include "include/ipc.h"
38 #include "include/net.h"
39 #include "include/path.h"
40 #include "include/label.h"
41 #include "include/policy.h"
42 #include "include/policy_ns.h"
43 #include "include/procattr.h"
44 #include "include/mount.h"
45 #include "include/secid.h"
47 /* Flag indicating whether initialization completed */
48 int apparmor_initialized
;
50 DEFINE_PER_CPU(struct aa_buffers
, aa_buffers
);
58 * put the associated labels
60 static void apparmor_cred_free(struct cred
*cred
)
62 aa_put_label(cred_label(cred
));
63 set_cred_label(cred
, NULL
);
67 * allocate the apparmor part of blank credentials
69 static int apparmor_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
71 set_cred_label(cred
, NULL
);
76 * prepare new cred label for modification by prepare_cred block
78 static int apparmor_cred_prepare(struct cred
*new, const struct cred
*old
,
81 set_cred_label(new, aa_get_newest_label(cred_label(old
)));
86 * transfer the apparmor data to a blank set of creds
88 static void apparmor_cred_transfer(struct cred
*new, const struct cred
*old
)
90 set_cred_label(new, aa_get_newest_label(cred_label(old
)));
93 static void apparmor_task_free(struct task_struct
*task
)
96 aa_free_task_ctx(task_ctx(task
));
99 static int apparmor_task_alloc(struct task_struct
*task
,
100 unsigned long clone_flags
)
102 struct aa_task_ctx
*new = task_ctx(task
);
104 aa_dup_task_ctx(new, task_ctx(current
));
109 static int apparmor_ptrace_access_check(struct task_struct
*child
,
112 struct aa_label
*tracer
, *tracee
;
115 tracer
= __begin_current_label_crit_section();
116 tracee
= aa_get_task_label(child
);
117 error
= aa_may_ptrace(tracer
, tracee
,
118 (mode
& PTRACE_MODE_READ
) ? AA_PTRACE_READ
120 aa_put_label(tracee
);
121 __end_current_label_crit_section(tracer
);
126 static int apparmor_ptrace_traceme(struct task_struct
*parent
)
128 struct aa_label
*tracer
, *tracee
;
131 tracee
= __begin_current_label_crit_section();
132 tracer
= aa_get_task_label(parent
);
133 error
= aa_may_ptrace(tracer
, tracee
, AA_PTRACE_TRACE
);
134 aa_put_label(tracer
);
135 __end_current_label_crit_section(tracee
);
140 /* Derived from security/commoncap.c:cap_capget */
141 static int apparmor_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
142 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
144 struct aa_label
*label
;
145 const struct cred
*cred
;
148 cred
= __task_cred(target
);
149 label
= aa_get_newest_cred_label(cred
);
152 * cap_capget is stacked ahead of this and will
153 * initialize effective and permitted.
155 if (!unconfined(label
)) {
156 struct aa_profile
*profile
;
159 label_for_each_confined(i
, label
, profile
) {
160 if (COMPLAIN_MODE(profile
))
162 *effective
= cap_intersect(*effective
,
163 profile
->caps
.allow
);
164 *permitted
= cap_intersect(*permitted
,
165 profile
->caps
.allow
);
174 static int apparmor_capable(const struct cred
*cred
, struct user_namespace
*ns
,
175 int cap
, unsigned int opts
)
177 struct aa_label
*label
;
180 label
= aa_get_newest_cred_label(cred
);
181 if (!unconfined(label
))
182 error
= aa_capable(label
, cap
, opts
);
189 * common_perm - basic common permission check wrapper fn for paths
190 * @op: operation being checked
191 * @path: path to check permission of (NOT NULL)
192 * @mask: requested permissions mask
193 * @cond: conditional info for the permission request (NOT NULL)
195 * Returns: %0 else error code if error or permission denied
197 static int common_perm(const char *op
, const struct path
*path
, u32 mask
,
198 struct path_cond
*cond
)
200 struct aa_label
*label
;
203 label
= __begin_current_label_crit_section();
204 if (!unconfined(label
))
205 error
= aa_path_perm(op
, label
, path
, 0, mask
, cond
);
206 __end_current_label_crit_section(label
);
212 * common_perm_cond - common permission wrapper around inode cond
213 * @op: operation being checked
214 * @path: location to check (NOT NULL)
215 * @mask: requested permissions mask
217 * Returns: %0 else error code if error or permission denied
219 static int common_perm_cond(const char *op
, const struct path
*path
, u32 mask
)
221 struct path_cond cond
= { d_backing_inode(path
->dentry
)->i_uid
,
222 d_backing_inode(path
->dentry
)->i_mode
225 if (!path_mediated_fs(path
->dentry
))
228 return common_perm(op
, path
, mask
, &cond
);
232 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
233 * @op: operation being checked
234 * @dir: directory of the dentry (NOT NULL)
235 * @dentry: dentry to check (NOT NULL)
236 * @mask: requested permissions mask
237 * @cond: conditional info for the permission request (NOT NULL)
239 * Returns: %0 else error code if error or permission denied
241 static int common_perm_dir_dentry(const char *op
, const struct path
*dir
,
242 struct dentry
*dentry
, u32 mask
,
243 struct path_cond
*cond
)
245 struct path path
= { .mnt
= dir
->mnt
, .dentry
= dentry
};
247 return common_perm(op
, &path
, mask
, cond
);
251 * common_perm_rm - common permission wrapper for operations doing rm
252 * @op: operation being checked
253 * @dir: directory that the dentry is in (NOT NULL)
254 * @dentry: dentry being rm'd (NOT NULL)
255 * @mask: requested permission mask
257 * Returns: %0 else error code if error or permission denied
259 static int common_perm_rm(const char *op
, const struct path
*dir
,
260 struct dentry
*dentry
, u32 mask
)
262 struct inode
*inode
= d_backing_inode(dentry
);
263 struct path_cond cond
= { };
265 if (!inode
|| !path_mediated_fs(dentry
))
268 cond
.uid
= inode
->i_uid
;
269 cond
.mode
= inode
->i_mode
;
271 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
275 * common_perm_create - common permission wrapper for operations doing create
276 * @op: operation being checked
277 * @dir: directory that dentry will be created in (NOT NULL)
278 * @dentry: dentry to create (NOT NULL)
279 * @mask: request permission mask
280 * @mode: created file mode
282 * Returns: %0 else error code if error or permission denied
284 static int common_perm_create(const char *op
, const struct path
*dir
,
285 struct dentry
*dentry
, u32 mask
, umode_t mode
)
287 struct path_cond cond
= { current_fsuid(), mode
};
289 if (!path_mediated_fs(dir
->dentry
))
292 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
295 static int apparmor_path_unlink(const struct path
*dir
, struct dentry
*dentry
)
297 return common_perm_rm(OP_UNLINK
, dir
, dentry
, AA_MAY_DELETE
);
300 static int apparmor_path_mkdir(const struct path
*dir
, struct dentry
*dentry
,
303 return common_perm_create(OP_MKDIR
, dir
, dentry
, AA_MAY_CREATE
,
307 static int apparmor_path_rmdir(const struct path
*dir
, struct dentry
*dentry
)
309 return common_perm_rm(OP_RMDIR
, dir
, dentry
, AA_MAY_DELETE
);
312 static int apparmor_path_mknod(const struct path
*dir
, struct dentry
*dentry
,
313 umode_t mode
, unsigned int dev
)
315 return common_perm_create(OP_MKNOD
, dir
, dentry
, AA_MAY_CREATE
, mode
);
318 static int apparmor_path_truncate(const struct path
*path
)
320 return common_perm_cond(OP_TRUNC
, path
, MAY_WRITE
| AA_MAY_SETATTR
);
323 static int apparmor_path_symlink(const struct path
*dir
, struct dentry
*dentry
,
324 const char *old_name
)
326 return common_perm_create(OP_SYMLINK
, dir
, dentry
, AA_MAY_CREATE
,
330 static int apparmor_path_link(struct dentry
*old_dentry
, const struct path
*new_dir
,
331 struct dentry
*new_dentry
)
333 struct aa_label
*label
;
336 if (!path_mediated_fs(old_dentry
))
339 label
= begin_current_label_crit_section();
340 if (!unconfined(label
))
341 error
= aa_path_link(label
, old_dentry
, new_dir
, new_dentry
);
342 end_current_label_crit_section(label
);
347 static int apparmor_path_rename(const struct path
*old_dir
, struct dentry
*old_dentry
,
348 const struct path
*new_dir
, struct dentry
*new_dentry
)
350 struct aa_label
*label
;
353 if (!path_mediated_fs(old_dentry
))
356 label
= begin_current_label_crit_section();
357 if (!unconfined(label
)) {
358 struct path old_path
= { .mnt
= old_dir
->mnt
,
359 .dentry
= old_dentry
};
360 struct path new_path
= { .mnt
= new_dir
->mnt
,
361 .dentry
= new_dentry
};
362 struct path_cond cond
= { d_backing_inode(old_dentry
)->i_uid
,
363 d_backing_inode(old_dentry
)->i_mode
366 error
= aa_path_perm(OP_RENAME_SRC
, label
, &old_path
, 0,
367 MAY_READ
| AA_MAY_GETATTR
| MAY_WRITE
|
368 AA_MAY_SETATTR
| AA_MAY_DELETE
,
371 error
= aa_path_perm(OP_RENAME_DEST
, label
, &new_path
,
372 0, MAY_WRITE
| AA_MAY_SETATTR
|
373 AA_MAY_CREATE
, &cond
);
376 end_current_label_crit_section(label
);
381 static int apparmor_path_chmod(const struct path
*path
, umode_t mode
)
383 return common_perm_cond(OP_CHMOD
, path
, AA_MAY_CHMOD
);
386 static int apparmor_path_chown(const struct path
*path
, kuid_t uid
, kgid_t gid
)
388 return common_perm_cond(OP_CHOWN
, path
, AA_MAY_CHOWN
);
391 static int apparmor_inode_getattr(const struct path
*path
)
393 return common_perm_cond(OP_GETATTR
, path
, AA_MAY_GETATTR
);
396 static int apparmor_file_open(struct file
*file
)
398 struct aa_file_ctx
*fctx
= file_ctx(file
);
399 struct aa_label
*label
;
402 if (!path_mediated_fs(file
->f_path
.dentry
))
405 /* If in exec, permission is handled by bprm hooks.
406 * Cache permissions granted by the previous exec check, with
407 * implicit read and executable mmap which are required to
408 * actually execute the image.
410 if (current
->in_execve
) {
411 fctx
->allow
= MAY_EXEC
| MAY_READ
| AA_EXEC_MMAP
;
415 label
= aa_get_newest_cred_label(file
->f_cred
);
416 if (!unconfined(label
)) {
417 struct inode
*inode
= file_inode(file
);
418 struct path_cond cond
= { inode
->i_uid
, inode
->i_mode
};
420 error
= aa_path_perm(OP_OPEN
, label
, &file
->f_path
, 0,
421 aa_map_file_to_perms(file
), &cond
);
422 /* todo cache full allowed permissions set and state */
423 fctx
->allow
= aa_map_file_to_perms(file
);
430 static int apparmor_file_alloc_security(struct file
*file
)
432 struct aa_file_ctx
*ctx
= file_ctx(file
);
433 struct aa_label
*label
= begin_current_label_crit_section();
435 spin_lock_init(&ctx
->lock
);
436 rcu_assign_pointer(ctx
->label
, aa_get_label(label
));
437 end_current_label_crit_section(label
);
441 static void apparmor_file_free_security(struct file
*file
)
443 struct aa_file_ctx
*ctx
= file_ctx(file
);
446 aa_put_label(rcu_access_pointer(ctx
->label
));
449 static int common_file_perm(const char *op
, struct file
*file
, u32 mask
)
451 struct aa_label
*label
;
454 /* don't reaudit files closed during inheritance */
455 if (file
->f_path
.dentry
== aa_null
.dentry
)
458 label
= __begin_current_label_crit_section();
459 error
= aa_file_perm(op
, label
, file
, mask
);
460 __end_current_label_crit_section(label
);
465 static int apparmor_file_receive(struct file
*file
)
467 return common_file_perm(OP_FRECEIVE
, file
, aa_map_file_to_perms(file
));
470 static int apparmor_file_permission(struct file
*file
, int mask
)
472 return common_file_perm(OP_FPERM
, file
, mask
);
475 static int apparmor_file_lock(struct file
*file
, unsigned int cmd
)
477 u32 mask
= AA_MAY_LOCK
;
482 return common_file_perm(OP_FLOCK
, file
, mask
);
485 static int common_mmap(const char *op
, struct file
*file
, unsigned long prot
,
490 if (!file
|| !file_ctx(file
))
493 if (prot
& PROT_READ
)
496 * Private mappings don't require write perms since they don't
497 * write back to the files
499 if ((prot
& PROT_WRITE
) && !(flags
& MAP_PRIVATE
))
501 if (prot
& PROT_EXEC
)
502 mask
|= AA_EXEC_MMAP
;
504 return common_file_perm(op
, file
, mask
);
507 static int apparmor_mmap_file(struct file
*file
, unsigned long reqprot
,
508 unsigned long prot
, unsigned long flags
)
510 return common_mmap(OP_FMMAP
, file
, prot
, flags
);
513 static int apparmor_file_mprotect(struct vm_area_struct
*vma
,
514 unsigned long reqprot
, unsigned long prot
)
516 return common_mmap(OP_FMPROT
, vma
->vm_file
, prot
,
517 !(vma
->vm_flags
& VM_SHARED
) ? MAP_PRIVATE
: 0);
520 static int apparmor_sb_mount(const char *dev_name
, const struct path
*path
,
521 const char *type
, unsigned long flags
, void *data
)
523 struct aa_label
*label
;
527 if ((flags
& MS_MGC_MSK
) == MS_MGC_VAL
)
528 flags
&= ~MS_MGC_MSK
;
530 flags
&= ~AA_MS_IGNORE_MASK
;
532 label
= __begin_current_label_crit_section();
533 if (!unconfined(label
)) {
534 if (flags
& MS_REMOUNT
)
535 error
= aa_remount(label
, path
, flags
, data
);
536 else if (flags
& MS_BIND
)
537 error
= aa_bind_mount(label
, path
, dev_name
, flags
);
538 else if (flags
& (MS_SHARED
| MS_PRIVATE
| MS_SLAVE
|
540 error
= aa_mount_change_type(label
, path
, flags
);
541 else if (flags
& MS_MOVE
)
542 error
= aa_move_mount(label
, path
, dev_name
);
544 error
= aa_new_mount(label
, dev_name
, path
, type
,
547 __end_current_label_crit_section(label
);
552 static int apparmor_sb_umount(struct vfsmount
*mnt
, int flags
)
554 struct aa_label
*label
;
557 label
= __begin_current_label_crit_section();
558 if (!unconfined(label
))
559 error
= aa_umount(label
, mnt
, flags
);
560 __end_current_label_crit_section(label
);
565 static int apparmor_sb_pivotroot(const struct path
*old_path
,
566 const struct path
*new_path
)
568 struct aa_label
*label
;
571 label
= aa_get_current_label();
572 if (!unconfined(label
))
573 error
= aa_pivotroot(label
, old_path
, new_path
);
579 static int apparmor_getprocattr(struct task_struct
*task
, char *name
,
584 const struct cred
*cred
= get_task_cred(task
);
585 struct aa_task_ctx
*ctx
= task_ctx(current
);
586 struct aa_label
*label
= NULL
;
588 if (strcmp(name
, "current") == 0)
589 label
= aa_get_newest_label(cred_label(cred
));
590 else if (strcmp(name
, "prev") == 0 && ctx
->previous
)
591 label
= aa_get_newest_label(ctx
->previous
);
592 else if (strcmp(name
, "exec") == 0 && ctx
->onexec
)
593 label
= aa_get_newest_label(ctx
->onexec
);
598 error
= aa_getprocattr(label
, value
);
606 static int apparmor_setprocattr(const char *name
, void *value
,
609 char *command
, *largs
= NULL
, *args
= value
;
612 DEFINE_AUDIT_DATA(sa
, LSM_AUDIT_DATA_NONE
, OP_SETPROCATTR
);
617 /* AppArmor requires that the buffer must be null terminated atm */
618 if (args
[size
- 1] != '\0') {
620 largs
= args
= kmalloc(size
+ 1, GFP_KERNEL
);
623 memcpy(args
, value
, size
);
629 command
= strsep(&args
, " ");
632 args
= skip_spaces(args
);
636 arg_size
= size
- (args
- (largs
? largs
: (char *) value
));
637 if (strcmp(name
, "current") == 0) {
638 if (strcmp(command
, "changehat") == 0) {
639 error
= aa_setprocattr_changehat(args
, arg_size
,
641 } else if (strcmp(command
, "permhat") == 0) {
642 error
= aa_setprocattr_changehat(args
, arg_size
,
644 } else if (strcmp(command
, "changeprofile") == 0) {
645 error
= aa_change_profile(args
, AA_CHANGE_NOFLAGS
);
646 } else if (strcmp(command
, "permprofile") == 0) {
647 error
= aa_change_profile(args
, AA_CHANGE_TEST
);
648 } else if (strcmp(command
, "stack") == 0) {
649 error
= aa_change_profile(args
, AA_CHANGE_STACK
);
652 } else if (strcmp(name
, "exec") == 0) {
653 if (strcmp(command
, "exec") == 0)
654 error
= aa_change_profile(args
, AA_CHANGE_ONEXEC
);
655 else if (strcmp(command
, "stack") == 0)
656 error
= aa_change_profile(args
, (AA_CHANGE_ONEXEC
|
661 /* only support the "current" and "exec" process attributes */
671 aad(&sa
)->label
= begin_current_label_crit_section();
672 aad(&sa
)->info
= name
;
673 aad(&sa
)->error
= error
= -EINVAL
;
674 aa_audit_msg(AUDIT_APPARMOR_DENIED
, &sa
, NULL
);
675 end_current_label_crit_section(aad(&sa
)->label
);
680 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
681 * @bprm: binprm for the exec (NOT NULL)
683 static void apparmor_bprm_committing_creds(struct linux_binprm
*bprm
)
685 struct aa_label
*label
= aa_current_raw_label();
686 struct aa_label
*new_label
= cred_label(bprm
->cred
);
688 /* bail out if unconfined or not changing profile */
689 if ((new_label
->proxy
== label
->proxy
) ||
690 (unconfined(new_label
)))
693 aa_inherit_files(bprm
->cred
, current
->files
);
695 current
->pdeath_signal
= 0;
697 /* reset soft limits and set hard limits for the new label */
698 __aa_transition_rlimits(label
, new_label
);
702 * apparmor_bprm_committed_cred - do cleanup after new creds committed
703 * @bprm: binprm for the exec (NOT NULL)
705 static void apparmor_bprm_committed_creds(struct linux_binprm
*bprm
)
707 /* clear out temporary/transitional state from the context */
708 aa_clear_task_ctx_trans(task_ctx(current
));
713 static void apparmor_task_getsecid(struct task_struct
*p
, u32
*secid
)
715 struct aa_label
*label
= aa_get_task_label(p
);
716 *secid
= label
->secid
;
720 static int apparmor_task_setrlimit(struct task_struct
*task
,
721 unsigned int resource
, struct rlimit
*new_rlim
)
723 struct aa_label
*label
= __begin_current_label_crit_section();
726 if (!unconfined(label
))
727 error
= aa_task_setrlimit(label
, task
, resource
, new_rlim
);
728 __end_current_label_crit_section(label
);
733 static int apparmor_task_kill(struct task_struct
*target
, struct kernel_siginfo
*info
,
734 int sig
, const struct cred
*cred
)
736 struct aa_label
*cl
, *tl
;
741 * Dealing with USB IO specific behavior
743 cl
= aa_get_newest_cred_label(cred
);
744 tl
= aa_get_task_label(target
);
745 error
= aa_may_signal(cl
, tl
, sig
);
751 cl
= __begin_current_label_crit_section();
752 tl
= aa_get_task_label(target
);
753 error
= aa_may_signal(cl
, tl
, sig
);
755 __end_current_label_crit_section(cl
);
761 * apparmor_sk_alloc_security - allocate and attach the sk_security field
763 static int apparmor_sk_alloc_security(struct sock
*sk
, int family
, gfp_t flags
)
765 struct aa_sk_ctx
*ctx
;
767 ctx
= kzalloc(sizeof(*ctx
), flags
);
777 * apparmor_sk_free_security - free the sk_security field
779 static void apparmor_sk_free_security(struct sock
*sk
)
781 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
784 aa_put_label(ctx
->label
);
785 aa_put_label(ctx
->peer
);
790 * apparmor_clone_security - clone the sk_security field
792 static void apparmor_sk_clone_security(const struct sock
*sk
,
795 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
796 struct aa_sk_ctx
*new = SK_CTX(newsk
);
798 new->label
= aa_get_label(ctx
->label
);
799 new->peer
= aa_get_label(ctx
->peer
);
803 * apparmor_socket_create - check perms before creating a new socket
805 static int apparmor_socket_create(int family
, int type
, int protocol
, int kern
)
807 struct aa_label
*label
;
810 AA_BUG(in_interrupt());
812 label
= begin_current_label_crit_section();
813 if (!(kern
|| unconfined(label
)))
814 error
= af_select(family
,
815 create_perm(label
, family
, type
, protocol
),
816 aa_af_perm(label
, OP_CREATE
, AA_MAY_CREATE
,
817 family
, type
, protocol
));
818 end_current_label_crit_section(label
);
824 * apparmor_socket_post_create - setup the per-socket security struct
827 * - kernel sockets currently labeled unconfined but we may want to
828 * move to a special kernel label
829 * - socket may not have sk here if created with sock_create_lite or
830 * sock_alloc. These should be accept cases which will be handled in
833 static int apparmor_socket_post_create(struct socket
*sock
, int family
,
834 int type
, int protocol
, int kern
)
836 struct aa_label
*label
;
839 struct aa_ns
*ns
= aa_get_current_ns();
841 label
= aa_get_label(ns_unconfined(ns
));
844 label
= aa_get_current_label();
847 struct aa_sk_ctx
*ctx
= SK_CTX(sock
->sk
);
849 aa_put_label(ctx
->label
);
850 ctx
->label
= aa_get_label(label
);
858 * apparmor_socket_bind - check perms before bind addr to socket
860 static int apparmor_socket_bind(struct socket
*sock
,
861 struct sockaddr
*address
, int addrlen
)
866 AA_BUG(in_interrupt());
868 return af_select(sock
->sk
->sk_family
,
869 bind_perm(sock
, address
, addrlen
),
870 aa_sk_perm(OP_BIND
, AA_MAY_BIND
, sock
->sk
));
874 * apparmor_socket_connect - check perms before connecting @sock to @address
876 static int apparmor_socket_connect(struct socket
*sock
,
877 struct sockaddr
*address
, int addrlen
)
882 AA_BUG(in_interrupt());
884 return af_select(sock
->sk
->sk_family
,
885 connect_perm(sock
, address
, addrlen
),
886 aa_sk_perm(OP_CONNECT
, AA_MAY_CONNECT
, sock
->sk
));
890 * apparmor_socket_list - check perms before allowing listen
892 static int apparmor_socket_listen(struct socket
*sock
, int backlog
)
896 AA_BUG(in_interrupt());
898 return af_select(sock
->sk
->sk_family
,
899 listen_perm(sock
, backlog
),
900 aa_sk_perm(OP_LISTEN
, AA_MAY_LISTEN
, sock
->sk
));
904 * apparmor_socket_accept - check perms before accepting a new connection.
906 * Note: while @newsock is created and has some information, the accept
909 static int apparmor_socket_accept(struct socket
*sock
, struct socket
*newsock
)
914 AA_BUG(in_interrupt());
916 return af_select(sock
->sk
->sk_family
,
917 accept_perm(sock
, newsock
),
918 aa_sk_perm(OP_ACCEPT
, AA_MAY_ACCEPT
, sock
->sk
));
921 static int aa_sock_msg_perm(const char *op
, u32 request
, struct socket
*sock
,
922 struct msghdr
*msg
, int size
)
927 AA_BUG(in_interrupt());
929 return af_select(sock
->sk
->sk_family
,
930 msg_perm(op
, request
, sock
, msg
, size
),
931 aa_sk_perm(op
, request
, sock
->sk
));
935 * apparmor_socket_sendmsg - check perms before sending msg to another socket
937 static int apparmor_socket_sendmsg(struct socket
*sock
,
938 struct msghdr
*msg
, int size
)
940 return aa_sock_msg_perm(OP_SENDMSG
, AA_MAY_SEND
, sock
, msg
, size
);
944 * apparmor_socket_recvmsg - check perms before receiving a message
946 static int apparmor_socket_recvmsg(struct socket
*sock
,
947 struct msghdr
*msg
, int size
, int flags
)
949 return aa_sock_msg_perm(OP_RECVMSG
, AA_MAY_RECEIVE
, sock
, msg
, size
);
952 /* revaliation, get/set attr, shutdown */
953 static int aa_sock_perm(const char *op
, u32 request
, struct socket
*sock
)
957 AA_BUG(in_interrupt());
959 return af_select(sock
->sk
->sk_family
,
960 sock_perm(op
, request
, sock
),
961 aa_sk_perm(op
, request
, sock
->sk
));
965 * apparmor_socket_getsockname - check perms before getting the local address
967 static int apparmor_socket_getsockname(struct socket
*sock
)
969 return aa_sock_perm(OP_GETSOCKNAME
, AA_MAY_GETATTR
, sock
);
973 * apparmor_socket_getpeername - check perms before getting remote address
975 static int apparmor_socket_getpeername(struct socket
*sock
)
977 return aa_sock_perm(OP_GETPEERNAME
, AA_MAY_GETATTR
, sock
);
980 /* revaliation, get/set attr, opt */
981 static int aa_sock_opt_perm(const char *op
, u32 request
, struct socket
*sock
,
982 int level
, int optname
)
986 AA_BUG(in_interrupt());
988 return af_select(sock
->sk
->sk_family
,
989 opt_perm(op
, request
, sock
, level
, optname
),
990 aa_sk_perm(op
, request
, sock
->sk
));
994 * apparmor_getsockopt - check perms before getting socket options
996 static int apparmor_socket_getsockopt(struct socket
*sock
, int level
,
999 return aa_sock_opt_perm(OP_GETSOCKOPT
, AA_MAY_GETOPT
, sock
,
1004 * apparmor_setsockopt - check perms before setting socket options
1006 static int apparmor_socket_setsockopt(struct socket
*sock
, int level
,
1009 return aa_sock_opt_perm(OP_SETSOCKOPT
, AA_MAY_SETOPT
, sock
,
1014 * apparmor_socket_shutdown - check perms before shutting down @sock conn
1016 static int apparmor_socket_shutdown(struct socket
*sock
, int how
)
1018 return aa_sock_perm(OP_SHUTDOWN
, AA_MAY_SHUTDOWN
, sock
);
1021 #ifdef CONFIG_NETWORK_SECMARK
1023 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
1025 * Note: can not sleep may be called with locks held
1027 * dont want protocol specific in __skb_recv_datagram()
1028 * to deny an incoming connection socket_sock_rcv_skb()
1030 static int apparmor_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
1032 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1037 return apparmor_secmark_check(ctx
->label
, OP_RECVMSG
, AA_MAY_RECEIVE
,
1043 static struct aa_label
*sk_peer_label(struct sock
*sk
)
1045 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1050 return ERR_PTR(-ENOPROTOOPT
);
1054 * apparmor_socket_getpeersec_stream - get security context of peer
1056 * Note: for tcp only valid if using ipsec or cipso on lan
1058 static int apparmor_socket_getpeersec_stream(struct socket
*sock
,
1059 char __user
*optval
,
1064 int slen
, error
= 0;
1065 struct aa_label
*label
;
1066 struct aa_label
*peer
;
1068 label
= begin_current_label_crit_section();
1069 peer
= sk_peer_label(sock
->sk
);
1071 error
= PTR_ERR(peer
);
1074 slen
= aa_label_asxprint(&name
, labels_ns(label
), peer
,
1075 FLAG_SHOW_MODE
| FLAG_VIEW_SUBNS
|
1076 FLAG_HIDDEN_UNCONFINED
, GFP_KERNEL
);
1077 /* don't include terminating \0 in slen, it breaks some apps */
1083 } else if (copy_to_user(optval
, name
, slen
)) {
1087 if (put_user(slen
, optlen
))
1095 end_current_label_crit_section(label
);
1101 * apparmor_socket_getpeersec_dgram - get security label of packet
1102 * @sock: the peer socket
1104 * @secid: pointer to where to put the secid of the packet
1106 * Sets the netlabel socket state on sk from parent
1108 static int apparmor_socket_getpeersec_dgram(struct socket
*sock
,
1109 struct sk_buff
*skb
, u32
*secid
)
1112 /* TODO: requires secid support */
1113 return -ENOPROTOOPT
;
1117 * apparmor_sock_graft - Initialize newly created socket
1119 * @parent: parent socket
1121 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1122 * just set sk security information off of current creating process label
1123 * Labeling of sk for accept case - probably should be sock based
1124 * instead of task, because of the case where an implicitly labeled
1125 * socket is shared by different tasks.
1127 static void apparmor_sock_graft(struct sock
*sk
, struct socket
*parent
)
1129 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1132 ctx
->label
= aa_get_current_label();
1135 #ifdef CONFIG_NETWORK_SECMARK
1136 static int apparmor_inet_conn_request(struct sock
*sk
, struct sk_buff
*skb
,
1137 struct request_sock
*req
)
1139 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1144 return apparmor_secmark_check(ctx
->label
, OP_CONNECT
, AA_MAY_CONNECT
,
1150 * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
1152 struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init
= {
1153 .lbs_cred
= sizeof(struct aa_task_ctx
*),
1154 .lbs_file
= sizeof(struct aa_file_ctx
),
1155 .lbs_task
= sizeof(struct aa_task_ctx
),
1158 static struct security_hook_list apparmor_hooks
[] __lsm_ro_after_init
= {
1159 LSM_HOOK_INIT(ptrace_access_check
, apparmor_ptrace_access_check
),
1160 LSM_HOOK_INIT(ptrace_traceme
, apparmor_ptrace_traceme
),
1161 LSM_HOOK_INIT(capget
, apparmor_capget
),
1162 LSM_HOOK_INIT(capable
, apparmor_capable
),
1164 LSM_HOOK_INIT(sb_mount
, apparmor_sb_mount
),
1165 LSM_HOOK_INIT(sb_umount
, apparmor_sb_umount
),
1166 LSM_HOOK_INIT(sb_pivotroot
, apparmor_sb_pivotroot
),
1168 LSM_HOOK_INIT(path_link
, apparmor_path_link
),
1169 LSM_HOOK_INIT(path_unlink
, apparmor_path_unlink
),
1170 LSM_HOOK_INIT(path_symlink
, apparmor_path_symlink
),
1171 LSM_HOOK_INIT(path_mkdir
, apparmor_path_mkdir
),
1172 LSM_HOOK_INIT(path_rmdir
, apparmor_path_rmdir
),
1173 LSM_HOOK_INIT(path_mknod
, apparmor_path_mknod
),
1174 LSM_HOOK_INIT(path_rename
, apparmor_path_rename
),
1175 LSM_HOOK_INIT(path_chmod
, apparmor_path_chmod
),
1176 LSM_HOOK_INIT(path_chown
, apparmor_path_chown
),
1177 LSM_HOOK_INIT(path_truncate
, apparmor_path_truncate
),
1178 LSM_HOOK_INIT(inode_getattr
, apparmor_inode_getattr
),
1180 LSM_HOOK_INIT(file_open
, apparmor_file_open
),
1181 LSM_HOOK_INIT(file_receive
, apparmor_file_receive
),
1182 LSM_HOOK_INIT(file_permission
, apparmor_file_permission
),
1183 LSM_HOOK_INIT(file_alloc_security
, apparmor_file_alloc_security
),
1184 LSM_HOOK_INIT(file_free_security
, apparmor_file_free_security
),
1185 LSM_HOOK_INIT(mmap_file
, apparmor_mmap_file
),
1186 LSM_HOOK_INIT(file_mprotect
, apparmor_file_mprotect
),
1187 LSM_HOOK_INIT(file_lock
, apparmor_file_lock
),
1189 LSM_HOOK_INIT(getprocattr
, apparmor_getprocattr
),
1190 LSM_HOOK_INIT(setprocattr
, apparmor_setprocattr
),
1192 LSM_HOOK_INIT(sk_alloc_security
, apparmor_sk_alloc_security
),
1193 LSM_HOOK_INIT(sk_free_security
, apparmor_sk_free_security
),
1194 LSM_HOOK_INIT(sk_clone_security
, apparmor_sk_clone_security
),
1196 LSM_HOOK_INIT(socket_create
, apparmor_socket_create
),
1197 LSM_HOOK_INIT(socket_post_create
, apparmor_socket_post_create
),
1198 LSM_HOOK_INIT(socket_bind
, apparmor_socket_bind
),
1199 LSM_HOOK_INIT(socket_connect
, apparmor_socket_connect
),
1200 LSM_HOOK_INIT(socket_listen
, apparmor_socket_listen
),
1201 LSM_HOOK_INIT(socket_accept
, apparmor_socket_accept
),
1202 LSM_HOOK_INIT(socket_sendmsg
, apparmor_socket_sendmsg
),
1203 LSM_HOOK_INIT(socket_recvmsg
, apparmor_socket_recvmsg
),
1204 LSM_HOOK_INIT(socket_getsockname
, apparmor_socket_getsockname
),
1205 LSM_HOOK_INIT(socket_getpeername
, apparmor_socket_getpeername
),
1206 LSM_HOOK_INIT(socket_getsockopt
, apparmor_socket_getsockopt
),
1207 LSM_HOOK_INIT(socket_setsockopt
, apparmor_socket_setsockopt
),
1208 LSM_HOOK_INIT(socket_shutdown
, apparmor_socket_shutdown
),
1209 #ifdef CONFIG_NETWORK_SECMARK
1210 LSM_HOOK_INIT(socket_sock_rcv_skb
, apparmor_socket_sock_rcv_skb
),
1212 LSM_HOOK_INIT(socket_getpeersec_stream
,
1213 apparmor_socket_getpeersec_stream
),
1214 LSM_HOOK_INIT(socket_getpeersec_dgram
,
1215 apparmor_socket_getpeersec_dgram
),
1216 LSM_HOOK_INIT(sock_graft
, apparmor_sock_graft
),
1217 #ifdef CONFIG_NETWORK_SECMARK
1218 LSM_HOOK_INIT(inet_conn_request
, apparmor_inet_conn_request
),
1221 LSM_HOOK_INIT(cred_alloc_blank
, apparmor_cred_alloc_blank
),
1222 LSM_HOOK_INIT(cred_free
, apparmor_cred_free
),
1223 LSM_HOOK_INIT(cred_prepare
, apparmor_cred_prepare
),
1224 LSM_HOOK_INIT(cred_transfer
, apparmor_cred_transfer
),
1226 LSM_HOOK_INIT(bprm_set_creds
, apparmor_bprm_set_creds
),
1227 LSM_HOOK_INIT(bprm_committing_creds
, apparmor_bprm_committing_creds
),
1228 LSM_HOOK_INIT(bprm_committed_creds
, apparmor_bprm_committed_creds
),
1230 LSM_HOOK_INIT(task_free
, apparmor_task_free
),
1231 LSM_HOOK_INIT(task_alloc
, apparmor_task_alloc
),
1232 LSM_HOOK_INIT(task_getsecid
, apparmor_task_getsecid
),
1233 LSM_HOOK_INIT(task_setrlimit
, apparmor_task_setrlimit
),
1234 LSM_HOOK_INIT(task_kill
, apparmor_task_kill
),
1237 LSM_HOOK_INIT(audit_rule_init
, aa_audit_rule_init
),
1238 LSM_HOOK_INIT(audit_rule_known
, aa_audit_rule_known
),
1239 LSM_HOOK_INIT(audit_rule_match
, aa_audit_rule_match
),
1240 LSM_HOOK_INIT(audit_rule_free
, aa_audit_rule_free
),
1243 LSM_HOOK_INIT(secid_to_secctx
, apparmor_secid_to_secctx
),
1244 LSM_HOOK_INIT(secctx_to_secid
, apparmor_secctx_to_secid
),
1245 LSM_HOOK_INIT(release_secctx
, apparmor_release_secctx
),
1249 * AppArmor sysfs module parameters
1252 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
);
1253 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
);
1254 #define param_check_aabool param_check_bool
1255 static const struct kernel_param_ops param_ops_aabool
= {
1256 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
1257 .set
= param_set_aabool
,
1258 .get
= param_get_aabool
1261 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
);
1262 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
);
1263 #define param_check_aauint param_check_uint
1264 static const struct kernel_param_ops param_ops_aauint
= {
1265 .set
= param_set_aauint
,
1266 .get
= param_get_aauint
1269 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
);
1270 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
);
1271 #define param_check_aalockpolicy param_check_bool
1272 static const struct kernel_param_ops param_ops_aalockpolicy
= {
1273 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
1274 .set
= param_set_aalockpolicy
,
1275 .get
= param_get_aalockpolicy
1278 static int param_set_audit(const char *val
, const struct kernel_param
*kp
);
1279 static int param_get_audit(char *buffer
, const struct kernel_param
*kp
);
1281 static int param_set_mode(const char *val
, const struct kernel_param
*kp
);
1282 static int param_get_mode(char *buffer
, const struct kernel_param
*kp
);
1284 /* Flag values, also controllable via /sys/module/apparmor/parameters
1285 * We define special types as we want to do additional mediation.
1288 /* AppArmor global enforcement switch - complain, enforce, kill */
1289 enum profile_mode aa_g_profile_mode
= APPARMOR_ENFORCE
;
1290 module_param_call(mode
, param_set_mode
, param_get_mode
,
1291 &aa_g_profile_mode
, S_IRUSR
| S_IWUSR
);
1293 /* whether policy verification hashing is enabled */
1294 bool aa_g_hash_policy
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT
);
1295 #ifdef CONFIG_SECURITY_APPARMOR_HASH
1296 module_param_named(hash_policy
, aa_g_hash_policy
, aabool
, S_IRUSR
| S_IWUSR
);
1300 bool aa_g_debug
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES
);
1301 module_param_named(debug
, aa_g_debug
, aabool
, S_IRUSR
| S_IWUSR
);
1304 enum audit_mode aa_g_audit
;
1305 module_param_call(audit
, param_set_audit
, param_get_audit
,
1306 &aa_g_audit
, S_IRUSR
| S_IWUSR
);
1308 /* Determines if audit header is included in audited messages. This
1309 * provides more context if the audit daemon is not running
1311 bool aa_g_audit_header
= true;
1312 module_param_named(audit_header
, aa_g_audit_header
, aabool
,
1315 /* lock out loading/removal of policy
1316 * TODO: add in at boot loading of policy, which is the only way to
1317 * load policy, if lock_policy is set
1319 bool aa_g_lock_policy
;
1320 module_param_named(lock_policy
, aa_g_lock_policy
, aalockpolicy
,
1323 /* Syscall logging mode */
1324 bool aa_g_logsyscall
;
1325 module_param_named(logsyscall
, aa_g_logsyscall
, aabool
, S_IRUSR
| S_IWUSR
);
1327 /* Maximum pathname length before accesses will start getting rejected */
1328 unsigned int aa_g_path_max
= 2 * PATH_MAX
;
1329 module_param_named(path_max
, aa_g_path_max
, aauint
, S_IRUSR
);
1331 /* Determines how paranoid loading of policy is and how much verification
1332 * on the loaded policy is done.
1333 * DEPRECATED: read only as strict checking of load is always done now
1334 * that none root users (user namespaces) can load policy.
1336 bool aa_g_paranoid_load
= true;
1337 module_param_named(paranoid_load
, aa_g_paranoid_load
, aabool
, S_IRUGO
);
1339 static int param_get_aaintbool(char *buffer
, const struct kernel_param
*kp
);
1340 static int param_set_aaintbool(const char *val
, const struct kernel_param
*kp
);
1341 #define param_check_aaintbool param_check_int
1342 static const struct kernel_param_ops param_ops_aaintbool
= {
1343 .set
= param_set_aaintbool
,
1344 .get
= param_get_aaintbool
1346 /* Boot time disable flag */
1347 static int apparmor_enabled __lsm_ro_after_init
= 1;
1348 module_param_named(enabled
, apparmor_enabled
, aaintbool
, 0444);
1350 static int __init
apparmor_enabled_setup(char *str
)
1352 unsigned long enabled
;
1353 int error
= kstrtoul(str
, 0, &enabled
);
1355 apparmor_enabled
= enabled
? 1 : 0;
1359 __setup("apparmor=", apparmor_enabled_setup
);
1361 /* set global flag turning off the ability to load policy */
1362 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
)
1364 if (!apparmor_enabled
)
1366 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1368 return param_set_bool(val
, kp
);
1371 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
)
1373 if (!apparmor_enabled
)
1375 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1377 return param_get_bool(buffer
, kp
);
1380 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
)
1382 if (!apparmor_enabled
)
1384 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1386 return param_set_bool(val
, kp
);
1389 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
)
1391 if (!apparmor_enabled
)
1393 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1395 return param_get_bool(buffer
, kp
);
1398 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
)
1402 if (!apparmor_enabled
)
1404 /* file is ro but enforce 2nd line check */
1405 if (apparmor_initialized
)
1408 error
= param_set_uint(val
, kp
);
1409 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max
);
1414 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
)
1416 if (!apparmor_enabled
)
1418 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1420 return param_get_uint(buffer
, kp
);
1423 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1424 static int param_set_aaintbool(const char *val
, const struct kernel_param
*kp
)
1426 struct kernel_param kp_local
;
1430 if (apparmor_initialized
)
1433 /* Create local copy, with arg pointing to bool type. */
1434 value
= !!*((int *)kp
->arg
);
1435 memcpy(&kp_local
, kp
, sizeof(kp_local
));
1436 kp_local
.arg
= &value
;
1438 error
= param_set_bool(val
, &kp_local
);
1440 *((int *)kp
->arg
) = *((bool *)kp_local
.arg
);
1445 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
1446 * 1/0, this converts the "int that is actually bool" back to bool for
1447 * display in the /sys filesystem, while keeping it "int" for the LSM
1450 static int param_get_aaintbool(char *buffer
, const struct kernel_param
*kp
)
1452 struct kernel_param kp_local
;
1455 /* Create local copy, with arg pointing to bool type. */
1456 value
= !!*((int *)kp
->arg
);
1457 memcpy(&kp_local
, kp
, sizeof(kp_local
));
1458 kp_local
.arg
= &value
;
1460 return param_get_bool(buffer
, &kp_local
);
1463 static int param_get_audit(char *buffer
, const struct kernel_param
*kp
)
1465 if (!apparmor_enabled
)
1467 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1469 return sprintf(buffer
, "%s", audit_mode_names
[aa_g_audit
]);
1472 static int param_set_audit(const char *val
, const struct kernel_param
*kp
)
1476 if (!apparmor_enabled
)
1480 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1483 i
= match_string(audit_mode_names
, AUDIT_MAX_INDEX
, val
);
1491 static int param_get_mode(char *buffer
, const struct kernel_param
*kp
)
1493 if (!apparmor_enabled
)
1495 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1498 return sprintf(buffer
, "%s", aa_profile_mode_names
[aa_g_profile_mode
]);
1501 static int param_set_mode(const char *val
, const struct kernel_param
*kp
)
1505 if (!apparmor_enabled
)
1509 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1512 i
= match_string(aa_profile_mode_names
, APPARMOR_MODE_NAMES_MAX_INDEX
,
1517 aa_g_profile_mode
= i
;
1522 * AppArmor init functions
1526 * set_init_ctx - set a task context and profile on the first task.
1528 * TODO: allow setting an alternate profile than unconfined
1530 static int __init
set_init_ctx(void)
1532 struct cred
*cred
= (struct cred
*)current
->real_cred
;
1534 set_cred_label(cred
, aa_get_label(ns_unconfined(root_ns
)));
1539 static void destroy_buffers(void)
1543 for_each_possible_cpu(i
) {
1544 for_each_cpu_buffer(j
) {
1545 kfree(per_cpu(aa_buffers
, i
).buf
[j
]);
1546 per_cpu(aa_buffers
, i
).buf
[j
] = NULL
;
1551 static int __init
alloc_buffers(void)
1555 for_each_possible_cpu(i
) {
1556 for_each_cpu_buffer(j
) {
1559 if (cpu_to_node(i
) > num_online_nodes())
1560 /* fallback to kmalloc for offline nodes */
1561 buffer
= kmalloc(aa_g_path_max
, GFP_KERNEL
);
1563 buffer
= kmalloc_node(aa_g_path_max
, GFP_KERNEL
,
1569 per_cpu(aa_buffers
, i
).buf
[j
] = buffer
;
1576 #ifdef CONFIG_SYSCTL
1577 static int apparmor_dointvec(struct ctl_table
*table
, int write
,
1578 void __user
*buffer
, size_t *lenp
, loff_t
*ppos
)
1580 if (!policy_admin_capable(NULL
))
1582 if (!apparmor_enabled
)
1585 return proc_dointvec(table
, write
, buffer
, lenp
, ppos
);
1588 static struct ctl_path apparmor_sysctl_path
[] = {
1589 { .procname
= "kernel", },
1593 static struct ctl_table apparmor_sysctl_table
[] = {
1595 .procname
= "unprivileged_userns_apparmor_policy",
1596 .data
= &unprivileged_userns_apparmor_policy
,
1597 .maxlen
= sizeof(int),
1599 .proc_handler
= apparmor_dointvec
,
1604 static int __init
apparmor_init_sysctl(void)
1606 return register_sysctl_paths(apparmor_sysctl_path
,
1607 apparmor_sysctl_table
) ? 0 : -ENOMEM
;
1610 static inline int apparmor_init_sysctl(void)
1614 #endif /* CONFIG_SYSCTL */
1616 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
1617 static unsigned int apparmor_ip_postroute(void *priv
,
1618 struct sk_buff
*skb
,
1619 const struct nf_hook_state
*state
)
1621 struct aa_sk_ctx
*ctx
;
1627 sk
= skb_to_full_sk(skb
);
1632 if (!apparmor_secmark_check(ctx
->label
, OP_SENDMSG
, AA_MAY_SEND
,
1636 return NF_DROP_ERR(-ECONNREFUSED
);
1640 static unsigned int apparmor_ipv4_postroute(void *priv
,
1641 struct sk_buff
*skb
,
1642 const struct nf_hook_state
*state
)
1644 return apparmor_ip_postroute(priv
, skb
, state
);
1647 #if IS_ENABLED(CONFIG_IPV6)
1648 static unsigned int apparmor_ipv6_postroute(void *priv
,
1649 struct sk_buff
*skb
,
1650 const struct nf_hook_state
*state
)
1652 return apparmor_ip_postroute(priv
, skb
, state
);
1656 static const struct nf_hook_ops apparmor_nf_ops
[] = {
1658 .hook
= apparmor_ipv4_postroute
,
1660 .hooknum
= NF_INET_POST_ROUTING
,
1661 .priority
= NF_IP_PRI_SELINUX_FIRST
,
1663 #if IS_ENABLED(CONFIG_IPV6)
1665 .hook
= apparmor_ipv6_postroute
,
1667 .hooknum
= NF_INET_POST_ROUTING
,
1668 .priority
= NF_IP6_PRI_SELINUX_FIRST
,
1673 static int __net_init
apparmor_nf_register(struct net
*net
)
1677 ret
= nf_register_net_hooks(net
, apparmor_nf_ops
,
1678 ARRAY_SIZE(apparmor_nf_ops
));
1682 static void __net_exit
apparmor_nf_unregister(struct net
*net
)
1684 nf_unregister_net_hooks(net
, apparmor_nf_ops
,
1685 ARRAY_SIZE(apparmor_nf_ops
));
1688 static struct pernet_operations apparmor_net_ops
= {
1689 .init
= apparmor_nf_register
,
1690 .exit
= apparmor_nf_unregister
,
1693 static int __init
apparmor_nf_ip_init(void)
1697 if (!apparmor_enabled
)
1700 err
= register_pernet_subsys(&apparmor_net_ops
);
1702 panic("Apparmor: register_pernet_subsys: error %d\n", err
);
1706 __initcall(apparmor_nf_ip_init
);
1709 static int __init
apparmor_init(void)
1715 error
= aa_setup_dfa_engine();
1717 AA_ERROR("Unable to setup dfa engine\n");
1721 error
= aa_alloc_root_ns();
1723 AA_ERROR("Unable to allocate default profile namespace\n");
1727 error
= apparmor_init_sysctl();
1729 AA_ERROR("Unable to register sysctls\n");
1734 error
= alloc_buffers();
1736 AA_ERROR("Unable to allocate work buffers\n");
1740 error
= set_init_ctx();
1742 AA_ERROR("Failed to set context on init task\n");
1746 security_add_hooks(apparmor_hooks
, ARRAY_SIZE(apparmor_hooks
),
1749 /* Report that AppArmor successfully initialized */
1750 apparmor_initialized
= 1;
1751 if (aa_g_profile_mode
== APPARMOR_COMPLAIN
)
1752 aa_info_message("AppArmor initialized: complain mode enabled");
1753 else if (aa_g_profile_mode
== APPARMOR_KILL
)
1754 aa_info_message("AppArmor initialized: kill mode enabled");
1756 aa_info_message("AppArmor initialized");
1765 aa_teardown_dfa_engine();
1767 apparmor_enabled
= false;
1771 DEFINE_LSM(apparmor
) = {
1773 .flags
= LSM_FLAG_LEGACY_MAJOR
| LSM_FLAG_EXCLUSIVE
,
1774 .enabled
= &apparmor_enabled
,
1775 .blobs
= &apparmor_blob_sizes
,
1776 .init
= apparmor_init
,