2 * AppArmor security module
4 * This file contains AppArmor LSM hooks.
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/lsm_hooks.h>
16 #include <linux/moduleparam.h>
18 #include <linux/mman.h>
19 #include <linux/mount.h>
20 #include <linux/namei.h>
21 #include <linux/ptrace.h>
22 #include <linux/ctype.h>
23 #include <linux/sysctl.h>
24 #include <linux/audit.h>
25 #include <linux/user_namespace.h>
26 #include <linux/kmemleak.h>
29 #include "include/apparmor.h"
30 #include "include/apparmorfs.h"
31 #include "include/audit.h"
32 #include "include/capability.h"
33 #include "include/context.h"
34 #include "include/file.h"
35 #include "include/ipc.h"
36 #include "include/path.h"
37 #include "include/label.h"
38 #include "include/policy.h"
39 #include "include/policy_ns.h"
40 #include "include/procattr.h"
42 /* Flag indicating whether initialization completed */
43 int apparmor_initialized
;
45 DEFINE_PER_CPU(struct aa_buffers
, aa_buffers
);
53 * free the associated aa_task_ctx and put its labels
55 static void apparmor_cred_free(struct cred
*cred
)
57 aa_free_task_context(cred_ctx(cred
));
58 cred_ctx(cred
) = NULL
;
62 * allocate the apparmor part of blank credentials
64 static int apparmor_cred_alloc_blank(struct cred
*cred
, gfp_t gfp
)
66 /* freed by apparmor_cred_free */
67 struct aa_task_ctx
*ctx
= aa_alloc_task_context(gfp
);
77 * prepare new aa_task_ctx for modification by prepare_cred block
79 static int apparmor_cred_prepare(struct cred
*new, const struct cred
*old
,
82 /* freed by apparmor_cred_free */
83 struct aa_task_ctx
*ctx
= aa_alloc_task_context(gfp
);
88 aa_dup_task_context(ctx
, cred_ctx(old
));
94 * transfer the apparmor data to a blank set of creds
96 static void apparmor_cred_transfer(struct cred
*new, const struct cred
*old
)
98 const struct aa_task_ctx
*old_ctx
= cred_ctx(old
);
99 struct aa_task_ctx
*new_ctx
= cred_ctx(new);
101 aa_dup_task_context(new_ctx
, old_ctx
);
104 static int apparmor_ptrace_access_check(struct task_struct
*child
,
107 struct aa_label
*tracer
, *tracee
;
110 tracer
= begin_current_label_crit_section();
111 tracee
= aa_get_task_label(child
);
112 error
= aa_may_ptrace(tracer
, tracee
,
113 mode
== PTRACE_MODE_READ
? AA_PTRACE_READ
: AA_PTRACE_TRACE
);
114 aa_put_label(tracee
);
115 end_current_label_crit_section(tracer
);
120 static int apparmor_ptrace_traceme(struct task_struct
*parent
)
122 struct aa_label
*tracer
, *tracee
;
125 tracee
= begin_current_label_crit_section();
126 tracer
= aa_get_task_label(parent
);
127 error
= aa_may_ptrace(tracer
, tracee
, AA_PTRACE_TRACE
);
128 aa_put_label(tracer
);
129 end_current_label_crit_section(tracee
);
134 /* Derived from security/commoncap.c:cap_capget */
135 static int apparmor_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
136 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
138 struct aa_label
*label
;
139 const struct cred
*cred
;
142 cred
= __task_cred(target
);
143 label
= aa_get_newest_cred_label(cred
);
146 * cap_capget is stacked ahead of this and will
147 * initialize effective and permitted.
149 if (!unconfined(label
)) {
150 struct aa_profile
*profile
;
153 label_for_each_confined(i
, label
, profile
) {
154 if (COMPLAIN_MODE(profile
))
156 *effective
= cap_intersect(*effective
,
157 profile
->caps
.allow
);
158 *permitted
= cap_intersect(*permitted
,
159 profile
->caps
.allow
);
168 static int apparmor_capable(const struct cred
*cred
, struct user_namespace
*ns
,
171 struct aa_label
*label
;
174 label
= aa_get_newest_cred_label(cred
);
175 if (!unconfined(label
))
176 error
= aa_capable(label
, cap
, audit
);
183 * common_perm - basic common permission check wrapper fn for paths
184 * @op: operation being checked
185 * @path: path to check permission of (NOT NULL)
186 * @mask: requested permissions mask
187 * @cond: conditional info for the permission request (NOT NULL)
189 * Returns: %0 else error code if error or permission denied
191 static int common_perm(const char *op
, const struct path
*path
, u32 mask
,
192 struct path_cond
*cond
)
194 struct aa_label
*label
;
197 label
= __begin_current_label_crit_section();
198 if (!unconfined(label
))
199 error
= aa_path_perm(op
, label
, path
, 0, mask
, cond
);
200 __end_current_label_crit_section(label
);
206 * common_perm_cond - common permission wrapper around inode cond
207 * @op: operation being checked
208 * @path: location to check (NOT NULL)
209 * @mask: requested permissions mask
211 * Returns: %0 else error code if error or permission denied
213 static int common_perm_cond(const char *op
, const struct path
*path
, u32 mask
)
215 struct path_cond cond
= { d_backing_inode(path
->dentry
)->i_uid
,
216 d_backing_inode(path
->dentry
)->i_mode
219 if (!path_mediated_fs(path
->dentry
))
222 return common_perm(op
, path
, mask
, &cond
);
226 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
227 * @op: operation being checked
228 * @dir: directory of the dentry (NOT NULL)
229 * @dentry: dentry to check (NOT NULL)
230 * @mask: requested permissions mask
231 * @cond: conditional info for the permission request (NOT NULL)
233 * Returns: %0 else error code if error or permission denied
235 static int common_perm_dir_dentry(const char *op
, const struct path
*dir
,
236 struct dentry
*dentry
, u32 mask
,
237 struct path_cond
*cond
)
239 struct path path
= { .mnt
= dir
->mnt
, .dentry
= dentry
};
241 return common_perm(op
, &path
, mask
, cond
);
245 * common_perm_rm - common permission wrapper for operations doing rm
246 * @op: operation being checked
247 * @dir: directory that the dentry is in (NOT NULL)
248 * @dentry: dentry being rm'd (NOT NULL)
249 * @mask: requested permission mask
251 * Returns: %0 else error code if error or permission denied
253 static int common_perm_rm(const char *op
, const struct path
*dir
,
254 struct dentry
*dentry
, u32 mask
)
256 struct inode
*inode
= d_backing_inode(dentry
);
257 struct path_cond cond
= { };
259 if (!inode
|| !path_mediated_fs(dentry
))
262 cond
.uid
= inode
->i_uid
;
263 cond
.mode
= inode
->i_mode
;
265 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
269 * common_perm_create - common permission wrapper for operations doing create
270 * @op: operation being checked
271 * @dir: directory that dentry will be created in (NOT NULL)
272 * @dentry: dentry to create (NOT NULL)
273 * @mask: request permission mask
274 * @mode: created file mode
276 * Returns: %0 else error code if error or permission denied
278 static int common_perm_create(const char *op
, const struct path
*dir
,
279 struct dentry
*dentry
, u32 mask
, umode_t mode
)
281 struct path_cond cond
= { current_fsuid(), mode
};
283 if (!path_mediated_fs(dir
->dentry
))
286 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
289 static int apparmor_path_unlink(const struct path
*dir
, struct dentry
*dentry
)
291 return common_perm_rm(OP_UNLINK
, dir
, dentry
, AA_MAY_DELETE
);
294 static int apparmor_path_mkdir(const struct path
*dir
, struct dentry
*dentry
,
297 return common_perm_create(OP_MKDIR
, dir
, dentry
, AA_MAY_CREATE
,
301 static int apparmor_path_rmdir(const struct path
*dir
, struct dentry
*dentry
)
303 return common_perm_rm(OP_RMDIR
, dir
, dentry
, AA_MAY_DELETE
);
306 static int apparmor_path_mknod(const struct path
*dir
, struct dentry
*dentry
,
307 umode_t mode
, unsigned int dev
)
309 return common_perm_create(OP_MKNOD
, dir
, dentry
, AA_MAY_CREATE
, mode
);
312 static int apparmor_path_truncate(const struct path
*path
)
314 return common_perm_cond(OP_TRUNC
, path
, MAY_WRITE
| AA_MAY_SETATTR
);
317 static int apparmor_path_symlink(const struct path
*dir
, struct dentry
*dentry
,
318 const char *old_name
)
320 return common_perm_create(OP_SYMLINK
, dir
, dentry
, AA_MAY_CREATE
,
324 static int apparmor_path_link(struct dentry
*old_dentry
, const struct path
*new_dir
,
325 struct dentry
*new_dentry
)
327 struct aa_label
*label
;
330 if (!path_mediated_fs(old_dentry
))
333 label
= begin_current_label_crit_section();
334 if (!unconfined(label
))
335 error
= aa_path_link(label
, old_dentry
, new_dir
, new_dentry
);
336 end_current_label_crit_section(label
);
341 static int apparmor_path_rename(const struct path
*old_dir
, struct dentry
*old_dentry
,
342 const struct path
*new_dir
, struct dentry
*new_dentry
)
344 struct aa_label
*label
;
347 if (!path_mediated_fs(old_dentry
))
350 label
= begin_current_label_crit_section();
351 if (!unconfined(label
)) {
352 struct path old_path
= { .mnt
= old_dir
->mnt
,
353 .dentry
= old_dentry
};
354 struct path new_path
= { .mnt
= new_dir
->mnt
,
355 .dentry
= new_dentry
};
356 struct path_cond cond
= { d_backing_inode(old_dentry
)->i_uid
,
357 d_backing_inode(old_dentry
)->i_mode
360 error
= aa_path_perm(OP_RENAME_SRC
, label
, &old_path
, 0,
361 MAY_READ
| AA_MAY_GETATTR
| MAY_WRITE
|
362 AA_MAY_SETATTR
| AA_MAY_DELETE
,
365 error
= aa_path_perm(OP_RENAME_DEST
, label
, &new_path
,
366 0, MAY_WRITE
| AA_MAY_SETATTR
|
367 AA_MAY_CREATE
, &cond
);
370 end_current_label_crit_section(label
);
375 static int apparmor_path_chmod(const struct path
*path
, umode_t mode
)
377 return common_perm_cond(OP_CHMOD
, path
, AA_MAY_CHMOD
);
380 static int apparmor_path_chown(const struct path
*path
, kuid_t uid
, kgid_t gid
)
382 return common_perm_cond(OP_CHOWN
, path
, AA_MAY_CHOWN
);
385 static int apparmor_inode_getattr(const struct path
*path
)
387 return common_perm_cond(OP_GETATTR
, path
, AA_MAY_GETATTR
);
390 static int apparmor_file_open(struct file
*file
, const struct cred
*cred
)
392 struct aa_file_ctx
*fctx
= file_ctx(file
);
393 struct aa_label
*label
;
396 if (!path_mediated_fs(file
->f_path
.dentry
))
399 /* If in exec, permission is handled by bprm hooks.
400 * Cache permissions granted by the previous exec check, with
401 * implicit read and executable mmap which are required to
402 * actually execute the image.
404 if (current
->in_execve
) {
405 fctx
->allow
= MAY_EXEC
| MAY_READ
| AA_EXEC_MMAP
;
409 label
= aa_get_newest_cred_label(cred
);
410 if (!unconfined(label
)) {
411 struct inode
*inode
= file_inode(file
);
412 struct path_cond cond
= { inode
->i_uid
, inode
->i_mode
};
414 error
= aa_path_perm(OP_OPEN
, label
, &file
->f_path
, 0,
415 aa_map_file_to_perms(file
), &cond
);
416 /* todo cache full allowed permissions set and state */
417 fctx
->allow
= aa_map_file_to_perms(file
);
424 static int apparmor_file_alloc_security(struct file
*file
)
428 /* freed by apparmor_file_free_security */
429 struct aa_label
*label
= begin_current_label_crit_section();
430 file
->f_security
= aa_alloc_file_ctx(label
, GFP_KERNEL
);
433 end_current_label_crit_section(label
);
438 static void apparmor_file_free_security(struct file
*file
)
440 aa_free_file_ctx(file_ctx(file
));
443 static int common_file_perm(const char *op
, struct file
*file
, u32 mask
)
445 struct aa_label
*label
;
448 /* don't reaudit files closed during inheritance */
449 if (file
->f_path
.dentry
== aa_null
.dentry
)
452 label
= __begin_current_label_crit_section();
453 error
= aa_file_perm(op
, label
, file
, mask
);
454 __end_current_label_crit_section(label
);
459 static int apparmor_file_receive(struct file
*file
)
461 return common_file_perm(OP_FRECEIVE
, file
, aa_map_file_to_perms(file
));
464 static int apparmor_file_permission(struct file
*file
, int mask
)
466 return common_file_perm(OP_FPERM
, file
, mask
);
469 static int apparmor_file_lock(struct file
*file
, unsigned int cmd
)
471 u32 mask
= AA_MAY_LOCK
;
476 return common_file_perm(OP_FLOCK
, file
, mask
);
479 static int common_mmap(const char *op
, struct file
*file
, unsigned long prot
,
484 if (!file
|| !file_ctx(file
))
487 if (prot
& PROT_READ
)
490 * Private mappings don't require write perms since they don't
491 * write back to the files
493 if ((prot
& PROT_WRITE
) && !(flags
& MAP_PRIVATE
))
495 if (prot
& PROT_EXEC
)
496 mask
|= AA_EXEC_MMAP
;
498 return common_file_perm(op
, file
, mask
);
501 static int apparmor_mmap_file(struct file
*file
, unsigned long reqprot
,
502 unsigned long prot
, unsigned long flags
)
504 return common_mmap(OP_FMMAP
, file
, prot
, flags
);
507 static int apparmor_file_mprotect(struct vm_area_struct
*vma
,
508 unsigned long reqprot
, unsigned long prot
)
510 return common_mmap(OP_FMPROT
, vma
->vm_file
, prot
,
511 !(vma
->vm_flags
& VM_SHARED
) ? MAP_PRIVATE
: 0);
514 static int apparmor_getprocattr(struct task_struct
*task
, char *name
,
519 const struct cred
*cred
= get_task_cred(task
);
520 struct aa_task_ctx
*ctx
= cred_ctx(cred
);
521 struct aa_label
*label
= NULL
;
523 if (strcmp(name
, "current") == 0)
524 label
= aa_get_newest_label(ctx
->label
);
525 else if (strcmp(name
, "prev") == 0 && ctx
->previous
)
526 label
= aa_get_newest_label(ctx
->previous
);
527 else if (strcmp(name
, "exec") == 0 && ctx
->onexec
)
528 label
= aa_get_newest_label(ctx
->onexec
);
533 error
= aa_getprocattr(label
, value
);
541 static int apparmor_setprocattr(const char *name
, void *value
,
544 char *command
, *largs
= NULL
, *args
= value
;
547 DEFINE_AUDIT_DATA(sa
, LSM_AUDIT_DATA_NONE
, OP_SETPROCATTR
);
552 /* AppArmor requires that the buffer must be null terminated atm */
553 if (args
[size
- 1] != '\0') {
555 largs
= args
= kmalloc(size
+ 1, GFP_KERNEL
);
558 memcpy(args
, value
, size
);
564 command
= strsep(&args
, " ");
567 args
= skip_spaces(args
);
571 arg_size
= size
- (args
- (largs
? largs
: (char *) value
));
572 if (strcmp(name
, "current") == 0) {
573 if (strcmp(command
, "changehat") == 0) {
574 error
= aa_setprocattr_changehat(args
, arg_size
,
576 } else if (strcmp(command
, "permhat") == 0) {
577 error
= aa_setprocattr_changehat(args
, arg_size
,
579 } else if (strcmp(command
, "changeprofile") == 0) {
580 error
= aa_change_profile(args
, AA_CHANGE_NOFLAGS
);
581 } else if (strcmp(command
, "permprofile") == 0) {
582 error
= aa_change_profile(args
, AA_CHANGE_TEST
);
583 } else if (strcmp(command
, "stack") == 0) {
584 error
= aa_change_profile(args
, AA_CHANGE_STACK
);
587 } else if (strcmp(name
, "exec") == 0) {
588 if (strcmp(command
, "exec") == 0)
589 error
= aa_change_profile(args
, AA_CHANGE_ONEXEC
);
590 else if (strcmp(command
, "stack") == 0)
591 error
= aa_change_profile(args
, (AA_CHANGE_ONEXEC
|
596 /* only support the "current" and "exec" process attributes */
606 aad(&sa
)->label
= begin_current_label_crit_section();
607 aad(&sa
)->info
= name
;
608 aad(&sa
)->error
= error
= -EINVAL
;
609 aa_audit_msg(AUDIT_APPARMOR_DENIED
, &sa
, NULL
);
610 end_current_label_crit_section(aad(&sa
)->label
);
615 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
616 * @bprm: binprm for the exec (NOT NULL)
618 static void apparmor_bprm_committing_creds(struct linux_binprm
*bprm
)
620 struct aa_label
*label
= aa_current_raw_label();
621 struct aa_task_ctx
*new_ctx
= cred_ctx(bprm
->cred
);
623 /* bail out if unconfined or not changing profile */
624 if ((new_ctx
->label
->proxy
== label
->proxy
) ||
625 (unconfined(new_ctx
->label
)))
628 aa_inherit_files(bprm
->cred
, current
->files
);
630 current
->pdeath_signal
= 0;
632 /* reset soft limits and set hard limits for the new label */
633 __aa_transition_rlimits(label
, new_ctx
->label
);
637 * apparmor_bprm_committed_cred - do cleanup after new creds committed
638 * @bprm: binprm for the exec (NOT NULL)
640 static void apparmor_bprm_committed_creds(struct linux_binprm
*bprm
)
642 /* TODO: cleanup signals - ipc mediation */
646 static int apparmor_task_setrlimit(struct task_struct
*task
,
647 unsigned int resource
, struct rlimit
*new_rlim
)
649 struct aa_label
*label
= __begin_current_label_crit_section();
652 if (!unconfined(label
))
653 error
= aa_task_setrlimit(label
, task
, resource
, new_rlim
);
654 __end_current_label_crit_section(label
);
659 static struct security_hook_list apparmor_hooks
[] __lsm_ro_after_init
= {
660 LSM_HOOK_INIT(ptrace_access_check
, apparmor_ptrace_access_check
),
661 LSM_HOOK_INIT(ptrace_traceme
, apparmor_ptrace_traceme
),
662 LSM_HOOK_INIT(capget
, apparmor_capget
),
663 LSM_HOOK_INIT(capable
, apparmor_capable
),
665 LSM_HOOK_INIT(path_link
, apparmor_path_link
),
666 LSM_HOOK_INIT(path_unlink
, apparmor_path_unlink
),
667 LSM_HOOK_INIT(path_symlink
, apparmor_path_symlink
),
668 LSM_HOOK_INIT(path_mkdir
, apparmor_path_mkdir
),
669 LSM_HOOK_INIT(path_rmdir
, apparmor_path_rmdir
),
670 LSM_HOOK_INIT(path_mknod
, apparmor_path_mknod
),
671 LSM_HOOK_INIT(path_rename
, apparmor_path_rename
),
672 LSM_HOOK_INIT(path_chmod
, apparmor_path_chmod
),
673 LSM_HOOK_INIT(path_chown
, apparmor_path_chown
),
674 LSM_HOOK_INIT(path_truncate
, apparmor_path_truncate
),
675 LSM_HOOK_INIT(inode_getattr
, apparmor_inode_getattr
),
677 LSM_HOOK_INIT(file_open
, apparmor_file_open
),
678 LSM_HOOK_INIT(file_receive
, apparmor_file_receive
),
679 LSM_HOOK_INIT(file_permission
, apparmor_file_permission
),
680 LSM_HOOK_INIT(file_alloc_security
, apparmor_file_alloc_security
),
681 LSM_HOOK_INIT(file_free_security
, apparmor_file_free_security
),
682 LSM_HOOK_INIT(mmap_file
, apparmor_mmap_file
),
683 LSM_HOOK_INIT(file_mprotect
, apparmor_file_mprotect
),
684 LSM_HOOK_INIT(file_lock
, apparmor_file_lock
),
686 LSM_HOOK_INIT(getprocattr
, apparmor_getprocattr
),
687 LSM_HOOK_INIT(setprocattr
, apparmor_setprocattr
),
689 LSM_HOOK_INIT(cred_alloc_blank
, apparmor_cred_alloc_blank
),
690 LSM_HOOK_INIT(cred_free
, apparmor_cred_free
),
691 LSM_HOOK_INIT(cred_prepare
, apparmor_cred_prepare
),
692 LSM_HOOK_INIT(cred_transfer
, apparmor_cred_transfer
),
694 LSM_HOOK_INIT(bprm_set_creds
, apparmor_bprm_set_creds
),
695 LSM_HOOK_INIT(bprm_committing_creds
, apparmor_bprm_committing_creds
),
696 LSM_HOOK_INIT(bprm_committed_creds
, apparmor_bprm_committed_creds
),
697 LSM_HOOK_INIT(bprm_secureexec
, apparmor_bprm_secureexec
),
699 LSM_HOOK_INIT(task_setrlimit
, apparmor_task_setrlimit
),
703 * AppArmor sysfs module parameters
706 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
);
707 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
);
708 #define param_check_aabool param_check_bool
709 static const struct kernel_param_ops param_ops_aabool
= {
710 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
711 .set
= param_set_aabool
,
712 .get
= param_get_aabool
715 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
);
716 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
);
717 #define param_check_aauint param_check_uint
718 static const struct kernel_param_ops param_ops_aauint
= {
719 .set
= param_set_aauint
,
720 .get
= param_get_aauint
723 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
);
724 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
);
725 #define param_check_aalockpolicy param_check_bool
726 static const struct kernel_param_ops param_ops_aalockpolicy
= {
727 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
728 .set
= param_set_aalockpolicy
,
729 .get
= param_get_aalockpolicy
732 static int param_set_audit(const char *val
, struct kernel_param
*kp
);
733 static int param_get_audit(char *buffer
, struct kernel_param
*kp
);
735 static int param_set_mode(const char *val
, struct kernel_param
*kp
);
736 static int param_get_mode(char *buffer
, struct kernel_param
*kp
);
738 /* Flag values, also controllable via /sys/module/apparmor/parameters
739 * We define special types as we want to do additional mediation.
742 /* AppArmor global enforcement switch - complain, enforce, kill */
743 enum profile_mode aa_g_profile_mode
= APPARMOR_ENFORCE
;
744 module_param_call(mode
, param_set_mode
, param_get_mode
,
745 &aa_g_profile_mode
, S_IRUSR
| S_IWUSR
);
747 /* whether policy verification hashing is enabled */
748 bool aa_g_hash_policy
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT
);
749 #ifdef CONFIG_SECURITY_APPARMOR_HASH
750 module_param_named(hash_policy
, aa_g_hash_policy
, aabool
, S_IRUSR
| S_IWUSR
);
754 bool aa_g_debug
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES
);
755 module_param_named(debug
, aa_g_debug
, aabool
, S_IRUSR
| S_IWUSR
);
758 enum audit_mode aa_g_audit
;
759 module_param_call(audit
, param_set_audit
, param_get_audit
,
760 &aa_g_audit
, S_IRUSR
| S_IWUSR
);
762 /* Determines if audit header is included in audited messages. This
763 * provides more context if the audit daemon is not running
765 bool aa_g_audit_header
= 1;
766 module_param_named(audit_header
, aa_g_audit_header
, aabool
,
769 /* lock out loading/removal of policy
770 * TODO: add in at boot loading of policy, which is the only way to
771 * load policy, if lock_policy is set
773 bool aa_g_lock_policy
;
774 module_param_named(lock_policy
, aa_g_lock_policy
, aalockpolicy
,
777 /* Syscall logging mode */
778 bool aa_g_logsyscall
;
779 module_param_named(logsyscall
, aa_g_logsyscall
, aabool
, S_IRUSR
| S_IWUSR
);
781 /* Maximum pathname length before accesses will start getting rejected */
782 unsigned int aa_g_path_max
= 2 * PATH_MAX
;
783 module_param_named(path_max
, aa_g_path_max
, aauint
, S_IRUSR
);
785 /* Determines how paranoid loading of policy is and how much verification
786 * on the loaded policy is done.
787 * DEPRECATED: read only as strict checking of load is always done now
788 * that none root users (user namespaces) can load policy.
790 bool aa_g_paranoid_load
= 1;
791 module_param_named(paranoid_load
, aa_g_paranoid_load
, aabool
, S_IRUGO
);
793 /* Boot time disable flag */
794 static bool apparmor_enabled
= CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
;
795 module_param_named(enabled
, apparmor_enabled
, bool, S_IRUGO
);
797 static int __init
apparmor_enabled_setup(char *str
)
799 unsigned long enabled
;
800 int error
= kstrtoul(str
, 0, &enabled
);
802 apparmor_enabled
= enabled
? 1 : 0;
806 __setup("apparmor=", apparmor_enabled_setup
);
808 /* set global flag turning off the ability to load policy */
809 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
)
811 if (!apparmor_enabled
)
813 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
815 return param_set_bool(val
, kp
);
818 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
)
820 if (!apparmor_enabled
)
822 if (apparmor_initialized
&& !policy_view_capable(NULL
))
824 return param_get_bool(buffer
, kp
);
827 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
)
829 if (!apparmor_enabled
)
831 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
833 return param_set_bool(val
, kp
);
836 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
)
838 if (!apparmor_enabled
)
840 if (apparmor_initialized
&& !policy_view_capable(NULL
))
842 return param_get_bool(buffer
, kp
);
845 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
)
849 if (!apparmor_enabled
)
851 /* file is ro but enforce 2nd line check */
852 if (apparmor_initialized
)
855 error
= param_set_uint(val
, kp
);
856 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max
);
861 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
)
863 if (!apparmor_enabled
)
865 if (apparmor_initialized
&& !policy_view_capable(NULL
))
867 return param_get_uint(buffer
, kp
);
870 static int param_get_audit(char *buffer
, struct kernel_param
*kp
)
872 if (!apparmor_enabled
)
874 if (apparmor_initialized
&& !policy_view_capable(NULL
))
876 return sprintf(buffer
, "%s", audit_mode_names
[aa_g_audit
]);
879 static int param_set_audit(const char *val
, struct kernel_param
*kp
)
883 if (!apparmor_enabled
)
887 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
890 for (i
= 0; i
< AUDIT_MAX_INDEX
; i
++) {
891 if (strcmp(val
, audit_mode_names
[i
]) == 0) {
900 static int param_get_mode(char *buffer
, struct kernel_param
*kp
)
902 if (!apparmor_enabled
)
904 if (apparmor_initialized
&& !policy_view_capable(NULL
))
907 return sprintf(buffer
, "%s", aa_profile_mode_names
[aa_g_profile_mode
]);
910 static int param_set_mode(const char *val
, struct kernel_param
*kp
)
914 if (!apparmor_enabled
)
918 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
921 for (i
= 0; i
< APPARMOR_MODE_NAMES_MAX_INDEX
; i
++) {
922 if (strcmp(val
, aa_profile_mode_names
[i
]) == 0) {
923 aa_g_profile_mode
= i
;
932 * AppArmor init functions
936 * set_init_ctx - set a task context and profile on the first task.
938 * TODO: allow setting an alternate profile than unconfined
940 static int __init
set_init_ctx(void)
942 struct cred
*cred
= (struct cred
*)current
->real_cred
;
943 struct aa_task_ctx
*ctx
;
945 ctx
= aa_alloc_task_context(GFP_KERNEL
);
949 ctx
->label
= aa_get_label(ns_unconfined(root_ns
));
950 cred_ctx(cred
) = ctx
;
955 static void destroy_buffers(void)
959 for_each_possible_cpu(i
) {
960 for_each_cpu_buffer(j
) {
961 kfree(per_cpu(aa_buffers
, i
).buf
[j
]);
962 per_cpu(aa_buffers
, i
).buf
[j
] = NULL
;
967 static int __init
alloc_buffers(void)
971 for_each_possible_cpu(i
) {
972 for_each_cpu_buffer(j
) {
975 if (cpu_to_node(i
) > num_online_nodes())
976 /* fallback to kmalloc for offline nodes */
977 buffer
= kmalloc(aa_g_path_max
, GFP_KERNEL
);
979 buffer
= kmalloc_node(aa_g_path_max
, GFP_KERNEL
,
985 per_cpu(aa_buffers
, i
).buf
[j
] = buffer
;
993 static int apparmor_dointvec(struct ctl_table
*table
, int write
,
994 void __user
*buffer
, size_t *lenp
, loff_t
*ppos
)
996 if (!policy_admin_capable(NULL
))
998 if (!apparmor_enabled
)
1001 return proc_dointvec(table
, write
, buffer
, lenp
, ppos
);
1004 static struct ctl_path apparmor_sysctl_path
[] = {
1005 { .procname
= "kernel", },
1009 static struct ctl_table apparmor_sysctl_table
[] = {
1011 .procname
= "unprivileged_userns_apparmor_policy",
1012 .data
= &unprivileged_userns_apparmor_policy
,
1013 .maxlen
= sizeof(int),
1015 .proc_handler
= apparmor_dointvec
,
1020 static int __init
apparmor_init_sysctl(void)
1022 return register_sysctl_paths(apparmor_sysctl_path
,
1023 apparmor_sysctl_table
) ? 0 : -ENOMEM
;
1026 static inline int apparmor_init_sysctl(void)
1030 #endif /* CONFIG_SYSCTL */
1032 static int __init
apparmor_init(void)
1036 if (!apparmor_enabled
|| !security_module_enable("apparmor")) {
1037 aa_info_message("AppArmor disabled by boot time parameter");
1038 apparmor_enabled
= 0;
1042 error
= aa_setup_dfa_engine();
1044 AA_ERROR("Unable to setup dfa engine\n");
1048 error
= aa_alloc_root_ns();
1050 AA_ERROR("Unable to allocate default profile namespace\n");
1054 error
= apparmor_init_sysctl();
1056 AA_ERROR("Unable to register sysctls\n");
1061 error
= alloc_buffers();
1063 AA_ERROR("Unable to allocate work buffers\n");
1067 error
= set_init_ctx();
1069 AA_ERROR("Failed to set context on init task\n");
1073 security_add_hooks(apparmor_hooks
, ARRAY_SIZE(apparmor_hooks
),
1076 /* Report that AppArmor successfully initialized */
1077 apparmor_initialized
= 1;
1078 if (aa_g_profile_mode
== APPARMOR_COMPLAIN
)
1079 aa_info_message("AppArmor initialized: complain mode enabled");
1080 else if (aa_g_profile_mode
== APPARMOR_KILL
)
1081 aa_info_message("AppArmor initialized: kill mode enabled");
1083 aa_info_message("AppArmor initialized");
1092 aa_teardown_dfa_engine();
1094 apparmor_enabled
= 0;
1098 security_initcall(apparmor_init
);