]> git.proxmox.com Git - mirror_ubuntu-eoan-kernel.git/blob - security/apparmor/lsm.c
projects / mirror_ubuntu-eoan-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: SAUCE: apparmor: fix use after free in sk_peer_label
[mirror_ubuntu-eoan-kernel.git] / security / apparmor / lsm.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor LSM hooks.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11 #include <linux/lsm_hooks.h>
12 #include <linux/moduleparam.h>
13 #include <linux/mm.h>
14 #include <linux/mman.h>
15 #include <linux/mount.h>
16 #include <linux/namei.h>
17 #include <linux/ptrace.h>
18 #include <linux/ctype.h>
19 #include <linux/sysctl.h>
20 #include <linux/audit.h>
21 #include <linux/user_namespace.h>
22 #include <linux/netfilter_ipv4.h>
23 #include <linux/netfilter_ipv6.h>
24 #include <net/sock.h>
25 #include <uapi/linux/mount.h>
26
27 #include "include/af_unix.h"
28 #include "include/apparmor.h"
29 #include "include/apparmorfs.h"
30 #include "include/audit.h"
31 #include "include/capability.h"
32 #include "include/cred.h"
33 #include "include/file.h"
34 #include "include/ipc.h"
35 #include "include/net.h"
36 #include "include/path.h"
37 #include "include/label.h"
38 #include "include/policy.h"
39 #include "include/policy_ns.h"
40 #include "include/procattr.h"
41 #include "include/mount.h"
42 #include "include/secid.h"
43
44 /* Flag indicating whether initialization completed */
45 int apparmor_initialized;
46
47 DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
48
49
50 /*
51 * LSM hook functions
52 */
53
54 /*
55 * put the associated labels
56 */
57 static void apparmor_cred_free(struct cred *cred)
58 {
59 aa_put_label(cred_label(cred));
60 set_cred_label(cred, NULL);
61 }
62
63 /*
64 * allocate the apparmor part of blank credentials
65 */
66 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
67 {
68 set_cred_label(cred, NULL);
69 return 0;
70 }
71
72 /*
73 * prepare new cred label for modification by prepare_cred block
74 */
75 static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
76 gfp_t gfp)
77 {
78 set_cred_label(new, aa_get_newest_label(cred_label(old)));
79 return 0;
80 }
81
82 /*
83 * transfer the apparmor data to a blank set of creds
84 */
85 static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
86 {
87 set_cred_label(new, aa_get_newest_label(cred_label(old)));
88 }
89
90 static void apparmor_task_free(struct task_struct *task)
91 {
92
93 aa_free_task_ctx(task_ctx(task));
94 }
95
96 static int apparmor_task_alloc(struct task_struct *task,
97 unsigned long clone_flags)
98 {
99 struct aa_task_ctx *new = task_ctx(task);
100
101 aa_dup_task_ctx(new, task_ctx(current));
102
103 return 0;
104 }
105
106 static int apparmor_ptrace_access_check(struct task_struct *child,
107 unsigned int mode)
108 {
109 struct aa_label *tracer, *tracee;
110 int error;
111
112 tracer = __begin_current_label_crit_section();
113 tracee = aa_get_task_label(child);
114 error = aa_may_ptrace(tracer, tracee,
115 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
116 : AA_PTRACE_TRACE);
117 aa_put_label(tracee);
118 __end_current_label_crit_section(tracer);
119
120 return error;
121 }
122
123 static int apparmor_ptrace_traceme(struct task_struct *parent)
124 {
125 struct aa_label *tracer, *tracee;
126 int error;
127
128 tracee = __begin_current_label_crit_section();
129 tracer = aa_get_task_label(parent);
130 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
131 aa_put_label(tracer);
132 __end_current_label_crit_section(tracee);
133
134 return error;
135 }
136
137 /* Derived from security/commoncap.c:cap_capget */
138 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
139 kernel_cap_t *inheritable, kernel_cap_t *permitted)
140 {
141 struct aa_label *label;
142 const struct cred *cred;
143
144 rcu_read_lock();
145 cred = __task_cred(target);
146 label = aa_get_newest_cred_label(cred);
147
148 /*
149 * cap_capget is stacked ahead of this and will
150 * initialize effective and permitted.
151 */
152 if (!unconfined(label)) {
153 struct aa_profile *profile;
154 struct label_it i;
155
156 label_for_each_confined(i, label, profile) {
157 if (COMPLAIN_MODE(profile))
158 continue;
159 *effective = cap_intersect(*effective,
160 profile->caps.allow);
161 *permitted = cap_intersect(*permitted,
162 profile->caps.allow);
163 }
164 }
165 rcu_read_unlock();
166 aa_put_label(label);
167
168 return 0;
169 }
170
171 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
172 int cap, unsigned int opts)
173 {
174 struct aa_label *label;
175 int error = 0;
176
177 label = aa_get_newest_cred_label(cred);
178 if (!unconfined(label))
179 error = aa_capable(label, cap, opts);
180 aa_put_label(label);
181
182 return error;
183 }
184
185 /**
186 * common_perm - basic common permission check wrapper fn for paths
187 * @op: operation being checked
188 * @path: path to check permission of (NOT NULL)
189 * @mask: requested permissions mask
190 * @cond: conditional info for the permission request (NOT NULL)
191 *
192 * Returns: %0 else error code if error or permission denied
193 */
194 static int common_perm(const char *op, const struct path *path, u32 mask,
195 struct path_cond *cond)
196 {
197 struct aa_label *label;
198 int error = 0;
199
200 label = __begin_current_label_crit_section();
201 if (!unconfined(label))
202 error = aa_path_perm(op, label, path, 0, mask, cond);
203 __end_current_label_crit_section(label);
204
205 return error;
206 }
207
208 /**
209 * common_perm_cond - common permission wrapper around inode cond
210 * @op: operation being checked
211 * @path: location to check (NOT NULL)
212 * @mask: requested permissions mask
213 *
214 * Returns: %0 else error code if error or permission denied
215 */
216 static int common_perm_cond(const char *op, const struct path *path, u32 mask)
217 {
218 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
219 d_backing_inode(path->dentry)->i_mode
220 };
221
222 if (!path_mediated_fs(path->dentry))
223 return 0;
224
225 return common_perm(op, path, mask, &cond);
226 }
227
228 /**
229 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
230 * @op: operation being checked
231 * @dir: directory of the dentry (NOT NULL)
232 * @dentry: dentry to check (NOT NULL)
233 * @mask: requested permissions mask
234 * @cond: conditional info for the permission request (NOT NULL)
235 *
236 * Returns: %0 else error code if error or permission denied
237 */
238 static int common_perm_dir_dentry(const char *op, const struct path *dir,
239 struct dentry *dentry, u32 mask,
240 struct path_cond *cond)
241 {
242 struct path path = { .mnt = dir->mnt, .dentry = dentry };
243
244 return common_perm(op, &path, mask, cond);
245 }
246
247 /**
248 * common_perm_rm - common permission wrapper for operations doing rm
249 * @op: operation being checked
250 * @dir: directory that the dentry is in (NOT NULL)
251 * @dentry: dentry being rm'd (NOT NULL)
252 * @mask: requested permission mask
253 *
254 * Returns: %0 else error code if error or permission denied
255 */
256 static int common_perm_rm(const char *op, const struct path *dir,
257 struct dentry *dentry, u32 mask)
258 {
259 struct inode *inode = d_backing_inode(dentry);
260 struct path_cond cond = { };
261
262 if (!inode || !path_mediated_fs(dentry))
263 return 0;
264
265 cond.uid = inode->i_uid;
266 cond.mode = inode->i_mode;
267
268 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
269 }
270
271 /**
272 * common_perm_create - common permission wrapper for operations doing create
273 * @op: operation being checked
274 * @dir: directory that dentry will be created in (NOT NULL)
275 * @dentry: dentry to create (NOT NULL)
276 * @mask: request permission mask
277 * @mode: created file mode
278 *
279 * Returns: %0 else error code if error or permission denied
280 */
281 static int common_perm_create(const char *op, const struct path *dir,
282 struct dentry *dentry, u32 mask, umode_t mode)
283 {
284 struct path_cond cond = { current_fsuid(), mode };
285
286 if (!path_mediated_fs(dir->dentry))
287 return 0;
288
289 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
290 }
291
292 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
293 {
294 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
295 }
296
297 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
298 umode_t mode)
299 {
300 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
301 S_IFDIR);
302 }
303
304 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
305 {
306 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
307 }
308
309 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
310 umode_t mode, unsigned int dev)
311 {
312 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
313 }
314
315 static int apparmor_path_truncate(const struct path *path)
316 {
317 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
318 }
319
320 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
321 const char *old_name)
322 {
323 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
324 S_IFLNK);
325 }
326
327 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
328 struct dentry *new_dentry)
329 {
330 struct aa_label *label;
331 int error = 0;
332
333 if (!path_mediated_fs(old_dentry))
334 return 0;
335
336 label = begin_current_label_crit_section();
337 if (!unconfined(label))
338 error = aa_path_link(label, old_dentry, new_dir, new_dentry);
339 end_current_label_crit_section(label);
340
341 return error;
342 }
343
344 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
345 const struct path *new_dir, struct dentry *new_dentry)
346 {
347 struct aa_label *label;
348 int error = 0;
349
350 if (!path_mediated_fs(old_dentry))
351 return 0;
352
353 label = begin_current_label_crit_section();
354 if (!unconfined(label)) {
355 struct path old_path = { .mnt = old_dir->mnt,
356 .dentry = old_dentry };
357 struct path new_path = { .mnt = new_dir->mnt,
358 .dentry = new_dentry };
359 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
360 d_backing_inode(old_dentry)->i_mode
361 };
362
363 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
364 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
365 AA_MAY_SETATTR | AA_MAY_DELETE,
366 &cond);
367 if (!error)
368 error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
369 0, MAY_WRITE | AA_MAY_SETATTR |
370 AA_MAY_CREATE, &cond);
371
372 }
373 end_current_label_crit_section(label);
374
375 return error;
376 }
377
378 static int apparmor_path_chmod(const struct path *path, umode_t mode)
379 {
380 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
381 }
382
383 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
384 {
385 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
386 }
387
388 static int apparmor_inode_getattr(const struct path *path)
389 {
390 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
391 }
392
393 static int apparmor_file_open(struct file *file)
394 {
395 struct aa_file_ctx *fctx = file_ctx(file);
396 struct aa_label *label;
397 int error = 0;
398
399 if (!path_mediated_fs(file->f_path.dentry))
400 return 0;
401
402 /* If in exec, permission is handled by bprm hooks.
403 * Cache permissions granted by the previous exec check, with
404 * implicit read and executable mmap which are required to
405 * actually execute the image.
406 */
407 if (current->in_execve) {
408 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
409 return 0;
410 }
411
412 label = aa_get_newest_cred_label(file->f_cred);
413 if (!unconfined(label)) {
414 struct inode *inode = file_inode(file);
415 struct path_cond cond = { inode->i_uid, inode->i_mode };
416
417 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
418 aa_map_file_to_perms(file), &cond);
419 /* todo cache full allowed permissions set and state */
420 fctx->allow = aa_map_file_to_perms(file);
421 }
422 aa_put_label(label);
423
424 return error;
425 }
426
427 static int apparmor_file_alloc_security(struct file *file)
428 {
429 struct aa_file_ctx *ctx = file_ctx(file);
430 struct aa_label *label = begin_current_label_crit_section();
431
432 spin_lock_init(&ctx->lock);
433 rcu_assign_pointer(ctx->label, aa_get_label(label));
434 end_current_label_crit_section(label);
435 return 0;
436 }
437
438 static void apparmor_file_free_security(struct file *file)
439 {
440 struct aa_file_ctx *ctx = file_ctx(file);
441
442 if (ctx)
443 aa_put_label(rcu_access_pointer(ctx->label));
444 }
445
446 static int common_file_perm(const char *op, struct file *file, u32 mask)
447 {
448 struct aa_label *label;
449 int error = 0;
450
451 /* don't reaudit files closed during inheritance */
452 if (file->f_path.dentry == aa_null.dentry)
453 return -EACCES;
454
455 label = __begin_current_label_crit_section();
456 error = aa_file_perm(op, label, file, mask);
457 __end_current_label_crit_section(label);
458
459 return error;
460 }
461
462 static int apparmor_file_receive(struct file *file)
463 {
464 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
465 }
466
467 static int apparmor_file_permission(struct file *file, int mask)
468 {
469 return common_file_perm(OP_FPERM, file, mask);
470 }
471
472 static int apparmor_file_lock(struct file *file, unsigned int cmd)
473 {
474 u32 mask = AA_MAY_LOCK;
475
476 if (cmd == F_WRLCK)
477 mask |= MAY_WRITE;
478
479 return common_file_perm(OP_FLOCK, file, mask);
480 }
481
482 static int common_mmap(const char *op, struct file *file, unsigned long prot,
483 unsigned long flags)
484 {
485 int mask = 0;
486
487 if (!file || !file_ctx(file))
488 return 0;
489
490 if (prot & PROT_READ)
491 mask |= MAY_READ;
492 /*
493 * Private mappings don't require write perms since they don't
494 * write back to the files
495 */
496 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
497 mask |= MAY_WRITE;
498 if (prot & PROT_EXEC)
499 mask |= AA_EXEC_MMAP;
500
501 return common_file_perm(op, file, mask);
502 }
503
504 static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
505 unsigned long prot, unsigned long flags)
506 {
507 return common_mmap(OP_FMMAP, file, prot, flags);
508 }
509
510 static int apparmor_file_mprotect(struct vm_area_struct *vma,
511 unsigned long reqprot, unsigned long prot)
512 {
513 return common_mmap(OP_FMPROT, vma->vm_file, prot,
514 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
515 }
516
517 static int apparmor_sb_mount(const char *dev_name, const struct path *path,
518 const char *type, unsigned long flags, void *data)
519 {
520 struct aa_label *label;
521 int error = 0;
522
523 /* Discard magic */
524 if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
525 flags &= ~MS_MGC_MSK;
526
527 flags &= ~AA_MS_IGNORE_MASK;
528
529 label = __begin_current_label_crit_section();
530 if (!unconfined(label)) {
531 if (flags & MS_REMOUNT)
532 error = aa_remount(label, path, flags, data);
533 else if (flags & MS_BIND)
534 error = aa_bind_mount(label, path, dev_name, flags);
535 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
536 MS_UNBINDABLE))
537 error = aa_mount_change_type(label, path, flags);
538 else if (flags & MS_MOVE)
539 error = aa_move_mount(label, path, dev_name);
540 else
541 error = aa_new_mount(label, dev_name, path, type,
542 flags, data);
543 }
544 __end_current_label_crit_section(label);
545
546 return error;
547 }
548
549 static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
550 {
551 struct aa_label *label;
552 int error = 0;
553
554 label = __begin_current_label_crit_section();
555 if (!unconfined(label))
556 error = aa_umount(label, mnt, flags);
557 __end_current_label_crit_section(label);
558
559 return error;
560 }
561
562 static int apparmor_sb_pivotroot(const struct path *old_path,
563 const struct path *new_path)
564 {
565 struct aa_label *label;
566 int error = 0;
567
568 label = aa_get_current_label();
569 if (!unconfined(label))
570 error = aa_pivotroot(label, old_path, new_path);
571 aa_put_label(label);
572
573 return error;
574 }
575
576 static int apparmor_getprocattr(struct task_struct *task, char *name,
577 char **value)
578 {
579 int error = -ENOENT;
580 /* released below */
581 const struct cred *cred = get_task_cred(task);
582 struct aa_task_ctx *ctx = task_ctx(current);
583 struct aa_label *label = NULL;
584
585 if (strcmp(name, "current") == 0)
586 label = aa_get_newest_label(cred_label(cred));
587 else if (strcmp(name, "prev") == 0 && ctx->previous)
588 label = aa_get_newest_label(ctx->previous);
589 else if (strcmp(name, "exec") == 0 && ctx->onexec)
590 label = aa_get_newest_label(ctx->onexec);
591 else
592 error = -EINVAL;
593
594 if (label)
595 error = aa_getprocattr(label, value);
596
597 aa_put_label(label);
598 put_cred(cred);
599
600 return error;
601 }
602
603 static int apparmor_setprocattr(const char *name, void *value,
604 size_t size)
605 {
606 char *command, *largs = NULL, *args = value;
607 size_t arg_size;
608 int error;
609 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
610
611 if (size == 0)
612 return -EINVAL;
613
614 /* AppArmor requires that the buffer must be null terminated atm */
615 if (args[size - 1] != '\0') {
616 /* null terminate */
617 largs = args = kmalloc(size + 1, GFP_KERNEL);
618 if (!args)
619 return -ENOMEM;
620 memcpy(args, value, size);
621 args[size] = '\0';
622 }
623
624 error = -EINVAL;
625 args = strim(args);
626 command = strsep(&args, " ");
627 if (!args)
628 goto out;
629 args = skip_spaces(args);
630 if (!*args)
631 goto out;
632
633 arg_size = size - (args - (largs ? largs : (char *) value));
634 if (strcmp(name, "current") == 0) {
635 if (strcmp(command, "changehat") == 0) {
636 error = aa_setprocattr_changehat(args, arg_size,
637 AA_CHANGE_NOFLAGS);
638 } else if (strcmp(command, "permhat") == 0) {
639 error = aa_setprocattr_changehat(args, arg_size,
640 AA_CHANGE_TEST);
641 } else if (strcmp(command, "changeprofile") == 0) {
642 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
643 } else if (strcmp(command, "permprofile") == 0) {
644 error = aa_change_profile(args, AA_CHANGE_TEST);
645 } else if (strcmp(command, "stack") == 0) {
646 error = aa_change_profile(args, AA_CHANGE_STACK);
647 } else
648 goto fail;
649 } else if (strcmp(name, "exec") == 0) {
650 if (strcmp(command, "exec") == 0)
651 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
652 else if (strcmp(command, "stack") == 0)
653 error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
654 AA_CHANGE_STACK));
655 else
656 goto fail;
657 } else
658 /* only support the "current" and "exec" process attributes */
659 goto fail;
660
661 if (!error)
662 error = size;
663 out:
664 kfree(largs);
665 return error;
666
667 fail:
668 aad(&sa)->label = begin_current_label_crit_section();
669 aad(&sa)->info = name;
670 aad(&sa)->error = error = -EINVAL;
671 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
672 end_current_label_crit_section(aad(&sa)->label);
673 goto out;
674 }
675
676 /**
677 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
678 * @bprm: binprm for the exec (NOT NULL)
679 */
680 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
681 {
682 struct aa_label *label = aa_current_raw_label();
683 struct aa_label *new_label = cred_label(bprm->cred);
684
685 /* bail out if unconfined or not changing profile */
686 if ((new_label->proxy == label->proxy) ||
687 (unconfined(new_label)))
688 return;
689
690 aa_inherit_files(bprm->cred, current->files);
691
692 current->pdeath_signal = 0;
693
694 /* reset soft limits and set hard limits for the new label */
695 __aa_transition_rlimits(label, new_label);
696 }
697
698 /**
699 * apparmor_bprm_committed_cred - do cleanup after new creds committed
700 * @bprm: binprm for the exec (NOT NULL)
701 */
702 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
703 {
704 /* clear out temporary/transitional state from the context */
705 aa_clear_task_ctx_trans(task_ctx(current));
706
707 return;
708 }
709
710 static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
711 {
712 struct aa_label *label = aa_get_task_label(p);
713 *secid = label->secid;
714 aa_put_label(label);
715 }
716
717 static int apparmor_task_setrlimit(struct task_struct *task,
718 unsigned int resource, struct rlimit *new_rlim)
719 {
720 struct aa_label *label = __begin_current_label_crit_section();
721 int error = 0;
722
723 if (!unconfined(label))
724 error = aa_task_setrlimit(label, task, resource, new_rlim);
725 __end_current_label_crit_section(label);
726
727 return error;
728 }
729
730 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
731 int sig, const struct cred *cred)
732 {
733 struct aa_label *cl, *tl;
734 int error;
735
736 if (cred) {
737 /*
738 * Dealing with USB IO specific behavior
739 */
740 cl = aa_get_newest_cred_label(cred);
741 tl = aa_get_task_label(target);
742 error = aa_may_signal(cl, tl, sig);
743 aa_put_label(cl);
744 aa_put_label(tl);
745 return error;
746 }
747
748 cl = __begin_current_label_crit_section();
749 tl = aa_get_task_label(target);
750 error = aa_may_signal(cl, tl, sig);
751 aa_put_label(tl);
752 __end_current_label_crit_section(cl);
753
754 return error;
755 }
756
757 /**
758 * apparmor_sk_alloc_security - allocate and attach the sk_security field
759 */
760 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
761 {
762 struct aa_sk_ctx *ctx;
763
764 ctx = kzalloc(sizeof(*ctx), flags);
765 if (!ctx)
766 return -ENOMEM;
767
768 SK_CTX(sk) = ctx;
769
770 return 0;
771 }
772
773 /**
774 * apparmor_sk_free_security - free the sk_security field
775 */
776 static void apparmor_sk_free_security(struct sock *sk)
777 {
778 struct aa_sk_ctx *ctx = SK_CTX(sk);
779
780 SK_CTX(sk) = NULL;
781 aa_put_label(ctx->label);
782 aa_put_label(ctx->peer);
783 path_put(&ctx->path);
784 kfree(ctx);
785 }
786
787 /**
788 * apparmor_clone_security - clone the sk_security field
789 */
790 static void apparmor_sk_clone_security(const struct sock *sk,
791 struct sock *newsk)
792 {
793 struct aa_sk_ctx *ctx = SK_CTX(sk);
794 struct aa_sk_ctx *new = SK_CTX(newsk);
795
796 new->label = aa_get_label(ctx->label);
797 new->peer = aa_get_label(ctx->peer);
798 new->path = ctx->path;
799 path_get(&new->path);
800 }
801
802 static struct path *UNIX_FS_CONN_PATH(struct sock *sk, struct sock *newsk)
803 {
804 if (sk->sk_family == PF_UNIX && UNIX_FS(sk))
805 return &unix_sk(sk)->path;
806 else if (newsk->sk_family == PF_UNIX && UNIX_FS(newsk))
807 return &unix_sk(newsk)->path;
808 return NULL;
809 }
810
811 /**
812 * apparmor_unix_stream_connect - check perms before making unix domain conn
813 *
814 * peer is locked when this hook is called
815 */
816 static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
817 struct sock *newsk)
818 {
819 struct aa_sk_ctx *sk_ctx = SK_CTX(sk);
820 struct aa_sk_ctx *peer_ctx = SK_CTX(peer_sk);
821 struct aa_sk_ctx *new_ctx = SK_CTX(newsk);
822 struct aa_label *label;
823 struct path *path;
824 int error;
825
826 label = __begin_current_label_crit_section();
827 error = aa_unix_peer_perm(label, OP_CONNECT,
828 (AA_MAY_CONNECT | AA_MAY_SEND | AA_MAY_RECEIVE),
829 sk, peer_sk, NULL);
830 if (!UNIX_FS(peer_sk)) {
831 last_error(error,
832 aa_unix_peer_perm(peer_ctx->label, OP_CONNECT,
833 (AA_MAY_ACCEPT | AA_MAY_SEND | AA_MAY_RECEIVE),
834 peer_sk, sk, label));
835 }
836 __end_current_label_crit_section(label);
837
838 if (error)
839 return error;
840
841 /* label newsk if it wasn't labeled in post_create. Normally this
842 * would be done in sock_graft, but because we are directly looking
843 * at the peer_sk to obtain peer_labeling for unix socks this
844 * does not work
845 */
846 if (!new_ctx->label)
847 new_ctx->label = aa_get_label(peer_ctx->label);
848
849 /* Cross reference the peer labels for SO_PEERSEC */
850 if (new_ctx->peer)
851 aa_put_label(new_ctx->peer);
852
853 if (sk_ctx->peer)
854 aa_put_label(sk_ctx->peer);
855
856 new_ctx->peer = aa_get_label(sk_ctx->label);
857 sk_ctx->peer = aa_get_label(peer_ctx->label);
858
859 path = UNIX_FS_CONN_PATH(sk, peer_sk);
860 if (path) {
861 new_ctx->path = *path;
862 sk_ctx->path = *path;
863 path_get(path);
864 path_get(path);
865 }
866 return 0;
867 }
868
869 /**
870 * apparmor_unix_may_send - check perms before conn or sending unix dgrams
871 *
872 * other is locked when this hook is called
873 *
874 * dgram connect calls may_send, peer setup but path not copied?????
875 */
876 static int apparmor_unix_may_send(struct socket *sock, struct socket *peer)
877 {
878 struct aa_sk_ctx *peer_ctx = SK_CTX(peer->sk);
879 struct aa_label *label;
880 int error;
881
882 label = __begin_current_label_crit_section();
883 error = xcheck(aa_unix_peer_perm(label, OP_SENDMSG, AA_MAY_SEND,
884 sock->sk, peer->sk, NULL),
885 aa_unix_peer_perm(peer_ctx->label, OP_SENDMSG,
886 AA_MAY_RECEIVE,
887 peer->sk, sock->sk, label));
888 __end_current_label_crit_section(label);
889
890 return error;
891 }
892
893 /**
894 * apparmor_socket_create - check perms before creating a new socket
895 */
896 static int apparmor_socket_create(int family, int type, int protocol, int kern)
897 {
898 struct aa_label *label;
899 int error = 0;
900
901 AA_BUG(in_interrupt());
902
903 label = begin_current_label_crit_section();
904 if (!(kern || unconfined(label)))
905 error = af_select(family,
906 create_perm(label, family, type, protocol),
907 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE,
908 family, type, protocol));
909 end_current_label_crit_section(label);
910
911 return error;
912 }
913
914 /**
915 * apparmor_socket_post_create - setup the per-socket security struct
916 *
917 * Note:
918 * - kernel sockets currently labeled unconfined but we may want to
919 * move to a special kernel label
920 * - socket may not have sk here if created with sock_create_lite or
921 * sock_alloc. These should be accept cases which will be handled in
922 * sock_graft.
923 */
924 static int apparmor_socket_post_create(struct socket *sock, int family,
925 int type, int protocol, int kern)
926 {
927 struct aa_label *label;
928
929 if (kern) {
930 struct aa_ns *ns = aa_get_current_ns();
931
932 label = aa_get_label(ns_unconfined(ns));
933 aa_put_ns(ns);
934 } else
935 label = aa_get_current_label();
936
937 if (sock->sk) {
938 struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
939
940 aa_put_label(ctx->label);
941 ctx->label = aa_get_label(label);
942 }
943 aa_put_label(label);
944
945 return 0;
946 }
947
948 /**
949 * apparmor_socket_bind - check perms before bind addr to socket
950 */
951 static int apparmor_socket_bind(struct socket *sock,
952 struct sockaddr *address, int addrlen)
953 {
954 AA_BUG(!sock);
955 AA_BUG(!sock->sk);
956 AA_BUG(!address);
957 AA_BUG(in_interrupt());
958
959 return af_select(sock->sk->sk_family,
960 bind_perm(sock, address, addrlen),
961 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
962 }
963
964 /**
965 * apparmor_socket_connect - check perms before connecting @sock to @address
966 */
967 static int apparmor_socket_connect(struct socket *sock,
968 struct sockaddr *address, int addrlen)
969 {
970 AA_BUG(!sock);
971 AA_BUG(!sock->sk);
972 AA_BUG(!address);
973 AA_BUG(in_interrupt());
974
975 return af_select(sock->sk->sk_family,
976 connect_perm(sock, address, addrlen),
977 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
978 }
979
980 /**
981 * apparmor_socket_list - check perms before allowing listen
982 */
983 static int apparmor_socket_listen(struct socket *sock, int backlog)
984 {
985 AA_BUG(!sock);
986 AA_BUG(!sock->sk);
987 AA_BUG(in_interrupt());
988
989 return af_select(sock->sk->sk_family,
990 listen_perm(sock, backlog),
991 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
992 }
993
994 /**
995 * apparmor_socket_accept - check perms before accepting a new connection.
996 *
997 * Note: while @newsock is created and has some information, the accept
998 * has not been done.
999 */
1000 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
1001 {
1002 AA_BUG(!sock);
1003 AA_BUG(!sock->sk);
1004 AA_BUG(!newsock);
1005 AA_BUG(in_interrupt());
1006
1007 return af_select(sock->sk->sk_family,
1008 accept_perm(sock, newsock),
1009 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
1010 }
1011
1012 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
1013 struct msghdr *msg, int size)
1014 {
1015 AA_BUG(!sock);
1016 AA_BUG(!sock->sk);
1017 AA_BUG(!msg);
1018 AA_BUG(in_interrupt());
1019
1020 return af_select(sock->sk->sk_family,
1021 msg_perm(op, request, sock, msg, size),
1022 aa_sk_perm(op, request, sock->sk));
1023 }
1024
1025 /**
1026 * apparmor_socket_sendmsg - check perms before sending msg to another socket
1027 */
1028 static int apparmor_socket_sendmsg(struct socket *sock,
1029 struct msghdr *msg, int size)
1030 {
1031 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
1032 }
1033
1034 /**
1035 * apparmor_socket_recvmsg - check perms before receiving a message
1036 */
1037 static int apparmor_socket_recvmsg(struct socket *sock,
1038 struct msghdr *msg, int size, int flags)
1039 {
1040 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
1041 }
1042
1043 /* revaliation, get/set attr, shutdown */
1044 static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
1045 {
1046 AA_BUG(!sock);
1047 AA_BUG(!sock->sk);
1048 AA_BUG(in_interrupt());
1049
1050 return af_select(sock->sk->sk_family,
1051 sock_perm(op, request, sock),
1052 aa_sk_perm(op, request, sock->sk));
1053 }
1054
1055 /**
1056 * apparmor_socket_getsockname - check perms before getting the local address
1057 */
1058 static int apparmor_socket_getsockname(struct socket *sock)
1059 {
1060 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
1061 }
1062
1063 /**
1064 * apparmor_socket_getpeername - check perms before getting remote address
1065 */
1066 static int apparmor_socket_getpeername(struct socket *sock)
1067 {
1068 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
1069 }
1070
1071 /* revaliation, get/set attr, opt */
1072 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
1073 int level, int optname)
1074 {
1075 AA_BUG(!sock);
1076 AA_BUG(!sock->sk);
1077 AA_BUG(in_interrupt());
1078
1079 return af_select(sock->sk->sk_family,
1080 opt_perm(op, request, sock, level, optname),
1081 aa_sk_perm(op, request, sock->sk));
1082 }
1083
1084 /**
1085 * apparmor_getsockopt - check perms before getting socket options
1086 */
1087 static int apparmor_socket_getsockopt(struct socket *sock, int level,
1088 int optname)
1089 {
1090 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
1091 level, optname);
1092 }
1093
1094 /**
1095 * apparmor_setsockopt - check perms before setting socket options
1096 */
1097 static int apparmor_socket_setsockopt(struct socket *sock, int level,
1098 int optname)
1099 {
1100 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
1101 level, optname);
1102 }
1103
1104 /**
1105 * apparmor_socket_shutdown - check perms before shutting down @sock conn
1106 */
1107 static int apparmor_socket_shutdown(struct socket *sock, int how)
1108 {
1109 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
1110 }
1111
1112 #ifdef CONFIG_NETWORK_SECMARK
1113 /**
1114 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
1115 *
1116 * Note: can not sleep may be called with locks held
1117 *
1118 * dont want protocol specific in __skb_recv_datagram()
1119 * to deny an incoming connection socket_sock_rcv_skb()
1120 */
1121 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
1122 {
1123 struct aa_sk_ctx *ctx = SK_CTX(sk);
1124
1125 if (!skb->secmark)
1126 return 0;
1127
1128 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
1129 skb->secmark, sk);
1130 }
1131 #endif
1132
1133
1134 static struct aa_label *sk_peer_label(struct sock *sk)
1135 {
1136 struct sock *peer_sk;
1137 struct aa_sk_ctx *ctx = SK_CTX(sk);
1138 struct aa_label *label = ERR_PTR(-ENOPROTOOPT);
1139
1140 if (ctx->peer)
1141 return aa_get_label(ctx->peer);
1142
1143 if (sk->sk_family != PF_UNIX)
1144 return ERR_PTR(-ENOPROTOOPT);
1145
1146 /* check for sockpair peering which does not go through
1147 * security_unix_stream_connect
1148 */
1149 peer_sk = unix_peer_get(sk);
1150 if (peer_sk) {
1151 ctx = SK_CTX(peer_sk);
1152 if (ctx->label)
1153 label = aa_get_label(ctx->label);
1154 sock_put(peer_sk);
1155 }
1156
1157 return label;
1158 }
1159
1160 /**
1161 * apparmor_socket_getpeersec_stream - get security context of peer
1162 *
1163 * Note: for tcp only valid if using ipsec or cipso on lan
1164 */
1165 static int apparmor_socket_getpeersec_stream(struct socket *sock,
1166 char __user *optval,
1167 int __user *optlen,
1168 unsigned int len)
1169 {
1170 char *name;
1171 int slen, error = 0;
1172 struct aa_label *label;
1173 struct aa_label *peer;
1174
1175 label = begin_current_label_crit_section();
1176 peer = sk_peer_label(sock->sk);
1177 if (IS_ERR(peer)) {
1178 error = PTR_ERR(peer);
1179 goto done;
1180 }
1181 slen = aa_label_asxprint(&name, labels_ns(label), peer,
1182 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
1183 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
1184 /* don't include terminating \0 in slen, it breaks some apps */
1185 if (slen < 0) {
1186 error = -ENOMEM;
1187 } else {
1188 if (slen > len) {
1189 error = -ERANGE;
1190 } else if (copy_to_user(optval, name, slen)) {
1191 error = -EFAULT;
1192 goto out;
1193 }
1194 if (put_user(slen, optlen))
1195 error = -EFAULT;
1196 out:
1197 kfree(name);
1198
1199 }
1200
1201 aa_put_label(peer);
1202 done:
1203 end_current_label_crit_section(label);
1204
1205 return error;
1206 }
1207
1208 /**
1209 * apparmor_socket_getpeersec_dgram - get security label of packet
1210 * @sock: the peer socket
1211 * @skb: packet data
1212 * @secid: pointer to where to put the secid of the packet
1213 *
1214 * Sets the netlabel socket state on sk from parent
1215 */
1216 static int apparmor_socket_getpeersec_dgram(struct socket *sock,
1217 struct sk_buff *skb, u32 *secid)
1218
1219 {
1220 /* TODO: requires secid support */
1221 return -ENOPROTOOPT;
1222 }
1223
1224 /**
1225 * apparmor_sock_graft - Initialize newly created socket
1226 * @sk: child sock
1227 * @parent: parent socket
1228 *
1229 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1230 * just set sk security information off of current creating process label
1231 * Labeling of sk for accept case - probably should be sock based
1232 * instead of task, because of the case where an implicitly labeled
1233 * socket is shared by different tasks.
1234 */
1235 static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
1236 {
1237 struct aa_sk_ctx *ctx = SK_CTX(sk);
1238
1239 if (!ctx->label)
1240 ctx->label = aa_get_current_label();
1241 }
1242
1243 #ifdef CONFIG_NETWORK_SECMARK
1244 static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
1245 struct request_sock *req)
1246 {
1247 struct aa_sk_ctx *ctx = SK_CTX(sk);
1248
1249 if (!skb->secmark)
1250 return 0;
1251
1252 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
1253 skb->secmark, sk);
1254 }
1255 #endif
1256
1257 /*
1258 * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
1259 */
1260 struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
1261 .lbs_cred = sizeof(struct aa_task_ctx *),
1262 .lbs_file = sizeof(struct aa_file_ctx),
1263 .lbs_task = sizeof(struct aa_task_ctx),
1264 };
1265
1266 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
1267 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
1268 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
1269 LSM_HOOK_INIT(capget, apparmor_capget),
1270 LSM_HOOK_INIT(capable, apparmor_capable),
1271
1272 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
1273 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
1274 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
1275
1276 LSM_HOOK_INIT(path_link, apparmor_path_link),
1277 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
1278 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
1279 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
1280 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
1281 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
1282 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
1283 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
1284 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
1285 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
1286 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
1287
1288 LSM_HOOK_INIT(file_open, apparmor_file_open),
1289 LSM_HOOK_INIT(file_receive, apparmor_file_receive),
1290 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
1291 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
1292 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
1293 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
1294 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
1295 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
1296
1297 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
1298 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
1299
1300 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
1301 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
1302 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
1303
1304 LSM_HOOK_INIT(unix_stream_connect, apparmor_unix_stream_connect),
1305 LSM_HOOK_INIT(unix_may_send, apparmor_unix_may_send),
1306
1307 LSM_HOOK_INIT(socket_create, apparmor_socket_create),
1308 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
1309 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
1310 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
1311 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
1312 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
1313 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
1314 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
1315 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
1316 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
1317 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
1318 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
1319 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
1320 #ifdef CONFIG_NETWORK_SECMARK
1321 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
1322 #endif
1323 LSM_HOOK_INIT(socket_getpeersec_stream,
1324 apparmor_socket_getpeersec_stream),
1325 LSM_HOOK_INIT(socket_getpeersec_dgram,
1326 apparmor_socket_getpeersec_dgram),
1327 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
1328 #ifdef CONFIG_NETWORK_SECMARK
1329 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
1330 #endif
1331
1332 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
1333 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
1334 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
1335 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
1336
1337 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
1338 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
1339 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
1340
1341 LSM_HOOK_INIT(task_free, apparmor_task_free),
1342 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
1343 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid),
1344 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
1345 LSM_HOOK_INIT(task_kill, apparmor_task_kill),
1346
1347 #ifdef CONFIG_AUDIT
1348 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
1349 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
1350 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
1351 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
1352 #endif
1353
1354 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
1355 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
1356 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
1357 };
1358
1359 /*
1360 * AppArmor sysfs module parameters
1361 */
1362
1363 static int param_set_aabool(const char *val, const struct kernel_param *kp);
1364 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
1365 #define param_check_aabool param_check_bool
1366 static const struct kernel_param_ops param_ops_aabool = {
1367 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1368 .set = param_set_aabool,
1369 .get = param_get_aabool
1370 };
1371
1372 static int param_set_aauint(const char *val, const struct kernel_param *kp);
1373 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
1374 #define param_check_aauint param_check_uint
1375 static const struct kernel_param_ops param_ops_aauint = {
1376 .set = param_set_aauint,
1377 .get = param_get_aauint
1378 };
1379
1380 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
1381 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
1382 #define param_check_aalockpolicy param_check_bool
1383 static const struct kernel_param_ops param_ops_aalockpolicy = {
1384 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1385 .set = param_set_aalockpolicy,
1386 .get = param_get_aalockpolicy
1387 };
1388
1389 static int param_set_audit(const char *val, const struct kernel_param *kp);
1390 static int param_get_audit(char *buffer, const struct kernel_param *kp);
1391
1392 static int param_set_mode(const char *val, const struct kernel_param *kp);
1393 static int param_get_mode(char *buffer, const struct kernel_param *kp);
1394
1395 /* Flag values, also controllable via /sys/module/apparmor/parameters
1396 * We define special types as we want to do additional mediation.
1397 */
1398
1399 /* AppArmor global enforcement switch - complain, enforce, kill */
1400 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
1401 module_param_call(mode, param_set_mode, param_get_mode,
1402 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
1403
1404 /* whether policy verification hashing is enabled */
1405 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
1406 #ifdef CONFIG_SECURITY_APPARMOR_HASH
1407 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
1408 #endif
1409
1410 /* Debug mode */
1411 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
1412 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
1413
1414 /* Audit mode */
1415 enum audit_mode aa_g_audit;
1416 module_param_call(audit, param_set_audit, param_get_audit,
1417 &aa_g_audit, S_IRUSR | S_IWUSR);
1418
1419 /* Determines if audit header is included in audited messages. This
1420 * provides more context if the audit daemon is not running
1421 */
1422 bool aa_g_audit_header = true;
1423 module_param_named(audit_header, aa_g_audit_header, aabool,
1424 S_IRUSR | S_IWUSR);
1425
1426 /* lock out loading/removal of policy
1427 * TODO: add in at boot loading of policy, which is the only way to
1428 * load policy, if lock_policy is set
1429 */
1430 bool aa_g_lock_policy;
1431 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
1432 S_IRUSR | S_IWUSR);
1433
1434 /* Syscall logging mode */
1435 bool aa_g_logsyscall;
1436 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
1437
1438 /* Maximum pathname length before accesses will start getting rejected */
1439 unsigned int aa_g_path_max = 2 * PATH_MAX;
1440 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
1441
1442 /* Determines how paranoid loading of policy is and how much verification
1443 * on the loaded policy is done.
1444 * DEPRECATED: read only as strict checking of load is always done now
1445 * that none root users (user namespaces) can load policy.
1446 */
1447 bool aa_g_paranoid_load = true;
1448 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
1449
1450 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
1451 static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
1452 #define param_check_aaintbool param_check_int
1453 static const struct kernel_param_ops param_ops_aaintbool = {
1454 .set = param_set_aaintbool,
1455 .get = param_get_aaintbool
1456 };
1457 /* Boot time disable flag */
1458 static int apparmor_enabled __lsm_ro_after_init = 1;
1459 module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
1460
1461 static int __init apparmor_enabled_setup(char *str)
1462 {
1463 unsigned long enabled;
1464 int error = kstrtoul(str, 0, &enabled);
1465 if (!error)
1466 apparmor_enabled = enabled ? 1 : 0;
1467 return 1;
1468 }
1469
1470 __setup("apparmor=", apparmor_enabled_setup);
1471
1472 /* set global flag turning off the ability to load policy */
1473 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
1474 {
1475 if (!apparmor_enabled)
1476 return -EINVAL;
1477 if (apparmor_initialized && !policy_admin_capable(NULL))
1478 return -EPERM;
1479 return param_set_bool(val, kp);
1480 }
1481
1482 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
1483 {
1484 if (!apparmor_enabled)
1485 return -EINVAL;
1486 if (apparmor_initialized && !policy_view_capable(NULL))
1487 return -EPERM;
1488 return param_get_bool(buffer, kp);
1489 }
1490
1491 static int param_set_aabool(const char *val, const struct kernel_param *kp)
1492 {
1493 if (!apparmor_enabled)
1494 return -EINVAL;
1495 if (apparmor_initialized && !policy_admin_capable(NULL))
1496 return -EPERM;
1497 return param_set_bool(val, kp);
1498 }
1499
1500 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
1501 {
1502 if (!apparmor_enabled)
1503 return -EINVAL;
1504 if (apparmor_initialized && !policy_view_capable(NULL))
1505 return -EPERM;
1506 return param_get_bool(buffer, kp);
1507 }
1508
1509 static int param_set_aauint(const char *val, const struct kernel_param *kp)
1510 {
1511 int error;
1512
1513 if (!apparmor_enabled)
1514 return -EINVAL;
1515 /* file is ro but enforce 2nd line check */
1516 if (apparmor_initialized)
1517 return -EPERM;
1518
1519 error = param_set_uint(val, kp);
1520 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
1521
1522 return error;
1523 }
1524
1525 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
1526 {
1527 if (!apparmor_enabled)
1528 return -EINVAL;
1529 if (apparmor_initialized && !policy_view_capable(NULL))
1530 return -EPERM;
1531 return param_get_uint(buffer, kp);
1532 }
1533
1534 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1535 static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
1536 {
1537 struct kernel_param kp_local;
1538 bool value;
1539 int error;
1540
1541 if (apparmor_initialized)
1542 return -EPERM;
1543
1544 /* Create local copy, with arg pointing to bool type. */
1545 value = !!*((int *)kp->arg);
1546 memcpy(&kp_local, kp, sizeof(kp_local));
1547 kp_local.arg = &value;
1548
1549 error = param_set_bool(val, &kp_local);
1550 if (!error)
1551 *((int *)kp->arg) = *((bool *)kp_local.arg);
1552 return error;
1553 }
1554
1555 /*
1556 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
1557 * 1/0, this converts the "int that is actually bool" back to bool for
1558 * display in the /sys filesystem, while keeping it "int" for the LSM
1559 * infrastructure.
1560 */
1561 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
1562 {
1563 struct kernel_param kp_local;
1564 bool value;
1565
1566 /* Create local copy, with arg pointing to bool type. */
1567 value = !!*((int *)kp->arg);
1568 memcpy(&kp_local, kp, sizeof(kp_local));
1569 kp_local.arg = &value;
1570
1571 return param_get_bool(buffer, &kp_local);
1572 }
1573
1574 static int param_get_audit(char *buffer, const struct kernel_param *kp)
1575 {
1576 if (!apparmor_enabled)
1577 return -EINVAL;
1578 if (apparmor_initialized && !policy_view_capable(NULL))
1579 return -EPERM;
1580 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
1581 }
1582
1583 static int param_set_audit(const char *val, const struct kernel_param *kp)
1584 {
1585 int i;
1586
1587 if (!apparmor_enabled)
1588 return -EINVAL;
1589 if (!val)
1590 return -EINVAL;
1591 if (apparmor_initialized && !policy_admin_capable(NULL))
1592 return -EPERM;
1593
1594 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
1595 if (i < 0)
1596 return -EINVAL;
1597
1598 aa_g_audit = i;
1599 return 0;
1600 }
1601
1602 static int param_get_mode(char *buffer, const struct kernel_param *kp)
1603 {
1604 if (!apparmor_enabled)
1605 return -EINVAL;
1606 if (apparmor_initialized && !policy_view_capable(NULL))
1607 return -EPERM;
1608
1609 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
1610 }
1611
1612 static int param_set_mode(const char *val, const struct kernel_param *kp)
1613 {
1614 int i;
1615
1616 if (!apparmor_enabled)
1617 return -EINVAL;
1618 if (!val)
1619 return -EINVAL;
1620 if (apparmor_initialized && !policy_admin_capable(NULL))
1621 return -EPERM;
1622
1623 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
1624 val);
1625 if (i < 0)
1626 return -EINVAL;
1627
1628 aa_g_profile_mode = i;
1629 return 0;
1630 }
1631
1632 /*
1633 * AppArmor init functions
1634 */
1635
1636 /**
1637 * set_init_ctx - set a task context and profile on the first task.
1638 *
1639 * TODO: allow setting an alternate profile than unconfined
1640 */
1641 static int __init set_init_ctx(void)
1642 {
1643 struct cred *cred = (struct cred *)current->real_cred;
1644
1645 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
1646
1647 return 0;
1648 }
1649
1650 static void destroy_buffers(void)
1651 {
1652 u32 i, j;
1653
1654 for_each_possible_cpu(i) {
1655 for_each_cpu_buffer(j) {
1656 kfree(per_cpu(aa_buffers, i).buf[j]);
1657 per_cpu(aa_buffers, i).buf[j] = NULL;
1658 }
1659 }
1660 }
1661
1662 static int __init alloc_buffers(void)
1663 {
1664 u32 i, j;
1665
1666 for_each_possible_cpu(i) {
1667 for_each_cpu_buffer(j) {
1668 char *buffer;
1669
1670 if (cpu_to_node(i) > num_online_nodes())
1671 /* fallback to kmalloc for offline nodes */
1672 buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
1673 else
1674 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
1675 cpu_to_node(i));
1676 if (!buffer) {
1677 destroy_buffers();
1678 return -ENOMEM;
1679 }
1680 per_cpu(aa_buffers, i).buf[j] = buffer;
1681 }
1682 }
1683
1684 return 0;
1685 }
1686
1687 #ifdef CONFIG_SYSCTL
1688 static int apparmor_dointvec(struct ctl_table *table, int write,
1689 void __user *buffer, size_t *lenp, loff_t *ppos)
1690 {
1691 if (!policy_admin_capable(NULL))
1692 return -EPERM;
1693 if (!apparmor_enabled)
1694 return -EINVAL;
1695
1696 return proc_dointvec(table, write, buffer, lenp, ppos);
1697 }
1698
1699 static struct ctl_path apparmor_sysctl_path[] = {
1700 { .procname = "kernel", },
1701 { }
1702 };
1703
1704 static struct ctl_table apparmor_sysctl_table[] = {
1705 {
1706 .procname = "unprivileged_userns_apparmor_policy",
1707 .data = &unprivileged_userns_apparmor_policy,
1708 .maxlen = sizeof(int),
1709 .mode = 0600,
1710 .proc_handler = apparmor_dointvec,
1711 },
1712 { }
1713 };
1714
1715 static int __init apparmor_init_sysctl(void)
1716 {
1717 return register_sysctl_paths(apparmor_sysctl_path,
1718 apparmor_sysctl_table) ? 0 : -ENOMEM;
1719 }
1720 #else
1721 static inline int apparmor_init_sysctl(void)
1722 {
1723 return 0;
1724 }
1725 #endif /* CONFIG_SYSCTL */
1726
1727 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
1728 static unsigned int apparmor_ip_postroute(void *priv,
1729 struct sk_buff *skb,
1730 const struct nf_hook_state *state)
1731 {
1732 struct aa_sk_ctx *ctx;
1733 struct sock *sk;
1734
1735 if (!skb->secmark)
1736 return NF_ACCEPT;
1737
1738 sk = skb_to_full_sk(skb);
1739 if (sk == NULL)
1740 return NF_ACCEPT;
1741
1742 ctx = SK_CTX(sk);
1743 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
1744 skb->secmark, sk))
1745 return NF_ACCEPT;
1746
1747 return NF_DROP_ERR(-ECONNREFUSED);
1748
1749 }
1750
1751 static unsigned int apparmor_ipv4_postroute(void *priv,
1752 struct sk_buff *skb,
1753 const struct nf_hook_state *state)
1754 {
1755 return apparmor_ip_postroute(priv, skb, state);
1756 }
1757
1758 #if IS_ENABLED(CONFIG_IPV6)
1759 static unsigned int apparmor_ipv6_postroute(void *priv,
1760 struct sk_buff *skb,
1761 const struct nf_hook_state *state)
1762 {
1763 return apparmor_ip_postroute(priv, skb, state);
1764 }
1765 #endif
1766
1767 static const struct nf_hook_ops apparmor_nf_ops[] = {
1768 {
1769 .hook = apparmor_ipv4_postroute,
1770 .pf = NFPROTO_IPV4,
1771 .hooknum = NF_INET_POST_ROUTING,
1772 .priority = NF_IP_PRI_SELINUX_FIRST,
1773 },
1774 #if IS_ENABLED(CONFIG_IPV6)
1775 {
1776 .hook = apparmor_ipv6_postroute,
1777 .pf = NFPROTO_IPV6,
1778 .hooknum = NF_INET_POST_ROUTING,
1779 .priority = NF_IP6_PRI_SELINUX_FIRST,
1780 },
1781 #endif
1782 };
1783
1784 static int __net_init apparmor_nf_register(struct net *net)
1785 {
1786 int ret;
1787
1788 ret = nf_register_net_hooks(net, apparmor_nf_ops,
1789 ARRAY_SIZE(apparmor_nf_ops));
1790 return ret;
1791 }
1792
1793 static void __net_exit apparmor_nf_unregister(struct net *net)
1794 {
1795 nf_unregister_net_hooks(net, apparmor_nf_ops,
1796 ARRAY_SIZE(apparmor_nf_ops));
1797 }
1798
1799 static struct pernet_operations apparmor_net_ops = {
1800 .init = apparmor_nf_register,
1801 .exit = apparmor_nf_unregister,
1802 };
1803
1804 static int __init apparmor_nf_ip_init(void)
1805 {
1806 int err;
1807
1808 if (!apparmor_enabled)
1809 return 0;
1810
1811 err = register_pernet_subsys(&apparmor_net_ops);
1812 if (err)
1813 panic("Apparmor: register_pernet_subsys: error %d\n", err);
1814
1815 return 0;
1816 }
1817 __initcall(apparmor_nf_ip_init);
1818 #endif
1819
1820 static int __init apparmor_init(void)
1821 {
1822 int error;
1823
1824 aa_secids_init();
1825
1826 error = aa_setup_dfa_engine();
1827 if (error) {
1828 AA_ERROR("Unable to setup dfa engine\n");
1829 goto alloc_out;
1830 }
1831
1832 error = aa_alloc_root_ns();
1833 if (error) {
1834 AA_ERROR("Unable to allocate default profile namespace\n");
1835 goto alloc_out;
1836 }
1837
1838 error = apparmor_init_sysctl();
1839 if (error) {
1840 AA_ERROR("Unable to register sysctls\n");
1841 goto alloc_out;
1842
1843 }
1844
1845 error = alloc_buffers();
1846 if (error) {
1847 AA_ERROR("Unable to allocate work buffers\n");
1848 goto buffers_out;
1849 }
1850
1851 error = set_init_ctx();
1852 if (error) {
1853 AA_ERROR("Failed to set context on init task\n");
1854 aa_free_root_ns();
1855 goto buffers_out;
1856 }
1857 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1858 "apparmor");
1859
1860 /* Report that AppArmor successfully initialized */
1861 apparmor_initialized = 1;
1862 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1863 aa_info_message("AppArmor initialized: complain mode enabled");
1864 else if (aa_g_profile_mode == APPARMOR_KILL)
1865 aa_info_message("AppArmor initialized: kill mode enabled");
1866 else
1867 aa_info_message("AppArmor initialized");
1868
1869 return error;
1870
1871 buffers_out:
1872 destroy_buffers();
1873
1874 alloc_out:
1875 aa_destroy_aafs();
1876 aa_teardown_dfa_engine();
1877
1878 apparmor_enabled = false;
1879 return error;
1880 }
1881
1882 DEFINE_LSM(apparmor) = {
1883 .name = "apparmor",
1884 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
1885 .enabled = &apparmor_enabled,
1886 .blobs = &apparmor_blob_sizes,
1887 .init = apparmor_init,
1888 };
Ubuntu Eoan Linux kernel mirror