]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blob - security/apparmor/mount.c
projects / mirror_ubuntu-bionic-kernel.git / blob
? search:


ed9b4d0f9f7e212b161c1a312c52b56f5e0b0b49
[mirror_ubuntu-bionic-kernel.git] / security / apparmor / mount.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor mediation of files
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15 #include <linux/fs.h>
16 #include <linux/mount.h>
17 #include <linux/namei.h>
18
19 #include "include/apparmor.h"
20 #include "include/audit.h"
21 #include "include/context.h"
22 #include "include/domain.h"
23 #include "include/file.h"
24 #include "include/match.h"
25 #include "include/mount.h"
26 #include "include/path.h"
27 #include "include/policy.h"
28
29
30 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
31 {
32 if (flags & MS_RDONLY)
33 audit_log_format(ab, "ro");
34 else
35 audit_log_format(ab, "rw");
36 if (flags & MS_NOSUID)
37 audit_log_format(ab, ", nosuid");
38 if (flags & MS_NODEV)
39 audit_log_format(ab, ", nodev");
40 if (flags & MS_NOEXEC)
41 audit_log_format(ab, ", noexec");
42 if (flags & MS_SYNCHRONOUS)
43 audit_log_format(ab, ", sync");
44 if (flags & MS_REMOUNT)
45 audit_log_format(ab, ", remount");
46 if (flags & MS_MANDLOCK)
47 audit_log_format(ab, ", mand");
48 if (flags & MS_DIRSYNC)
49 audit_log_format(ab, ", dirsync");
50 if (flags & MS_NOATIME)
51 audit_log_format(ab, ", noatime");
52 if (flags & MS_NODIRATIME)
53 audit_log_format(ab, ", nodiratime");
54 if (flags & MS_BIND)
55 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
56 if (flags & MS_MOVE)
57 audit_log_format(ab, ", move");
58 if (flags & MS_SILENT)
59 audit_log_format(ab, ", silent");
60 if (flags & MS_POSIXACL)
61 audit_log_format(ab, ", acl");
62 if (flags & MS_UNBINDABLE)
63 audit_log_format(ab, flags & MS_REC ? ", runbindable" :
64 ", unbindable");
65 if (flags & MS_PRIVATE)
66 audit_log_format(ab, flags & MS_REC ? ", rprivate" :
67 ", private");
68 if (flags & MS_SLAVE)
69 audit_log_format(ab, flags & MS_REC ? ", rslave" :
70 ", slave");
71 if (flags & MS_SHARED)
72 audit_log_format(ab, flags & MS_REC ? ", rshared" :
73 ", shared");
74 if (flags & MS_RELATIME)
75 audit_log_format(ab, ", relatime");
76 if (flags & MS_I_VERSION)
77 audit_log_format(ab, ", iversion");
78 if (flags & MS_STRICTATIME)
79 audit_log_format(ab, ", strictatime");
80 if (flags & MS_NOUSER)
81 audit_log_format(ab, ", nouser");
82 }
83
84 /**
85 * audit_cb - call back for mount specific audit fields
86 * @ab: audit_buffer (NOT NULL)
87 * @va: audit struct to audit values of (NOT NULL)
88 */
89 static void audit_cb(struct audit_buffer *ab, void *va)
90 {
91 struct common_audit_data *sa = va;
92
93 if (aad(sa)->mnt.type) {
94 audit_log_format(ab, " fstype=");
95 audit_log_untrustedstring(ab, aad(sa)->mnt.type);
96 }
97 if (aad(sa)->mnt.src_name) {
98 audit_log_format(ab, " srcname=");
99 audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
100 }
101 if (aad(sa)->mnt.trans) {
102 audit_log_format(ab, " trans=");
103 audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
104 }
105 if (aad(sa)->mnt.flags) {
106 audit_log_format(ab, " flags=\"");
107 audit_mnt_flags(ab, aad(sa)->mnt.flags);
108 audit_log_format(ab, "\"");
109 }
110 if (aad(sa)->mnt.data) {
111 audit_log_format(ab, " options=");
112 audit_log_untrustedstring(ab, aad(sa)->mnt.data);
113 }
114 }
115
116 /**
117 * audit_mount - handle the auditing of mount operations
118 * @profile: the profile being enforced (NOT NULL)
119 * @op: operation being mediated (NOT NULL)
120 * @name: name of object being mediated (MAYBE NULL)
121 * @src_name: src_name of object being mediated (MAYBE_NULL)
122 * @type: type of filesystem (MAYBE_NULL)
123 * @trans: name of trans (MAYBE NULL)
124 * @flags: filesystem idependent mount flags
125 * @data: filesystem mount flags
126 * @request: permissions requested
127 * @perms: the permissions computed for the request (NOT NULL)
128 * @info: extra information message (MAYBE NULL)
129 * @error: 0 if operation allowed else failure error code
130 *
131 * Returns: %0 or error on failure
132 */
133 static int audit_mount(struct aa_profile *profile, const char *op,
134 const char *name, const char *src_name,
135 const char *type, const char *trans,
136 unsigned long flags, const void *data, u32 request,
137 struct aa_perms *perms, const char *info, int error)
138 {
139 int audit_type = AUDIT_APPARMOR_AUTO;
140 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
141
142 if (likely(!error)) {
143 u32 mask = perms->audit;
144
145 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
146 mask = 0xffff;
147
148 /* mask off perms that are not being force audited */
149 request &= mask;
150
151 if (likely(!request))
152 return 0;
153 audit_type = AUDIT_APPARMOR_AUDIT;
154 } else {
155 /* only report permissions that were denied */
156 request = request & ~perms->allow;
157
158 if (request & perms->kill)
159 audit_type = AUDIT_APPARMOR_KILL;
160
161 /* quiet known rejects, assumes quiet and kill do not overlap */
162 if ((request & perms->quiet) &&
163 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
164 AUDIT_MODE(profile) != AUDIT_ALL)
165 request &= ~perms->quiet;
166
167 if (!request)
168 return error;
169 }
170
171 aad(&sa)->name = name;
172 aad(&sa)->mnt.src_name = src_name;
173 aad(&sa)->mnt.type = type;
174 aad(&sa)->mnt.trans = trans;
175 aad(&sa)->mnt.flags = flags;
176 if (data && (perms->audit & AA_AUDIT_DATA))
177 aad(&sa)->mnt.data = data;
178 aad(&sa)->info = info;
179 aad(&sa)->error = error;
180
181 return aa_audit(audit_type, profile, &sa, audit_cb);
182 }
183
184 /**
185 * match_mnt_flags - Do an ordered match on mount flags
186 * @dfa: dfa to match against
187 * @state: state to start in
188 * @flags: mount flags to match against
189 *
190 * Mount flags are encoded as an ordered match. This is done instead of
191 * checking against a simple bitmask, to allow for logical operations
192 * on the flags.
193 *
194 * Returns: next state after flags match
195 */
196 static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state,
197 unsigned long flags)
198 {
199 unsigned int i;
200
201 for (i = 0; i <= 31 ; ++i) {
202 if ((1 << i) & flags)
203 state = aa_dfa_next(dfa, state, i + 1);
204 }
205
206 return state;
207 }
208
209 /**
210 * compute_mnt_perms - compute mount permission associated with @state
211 * @dfa: dfa to match against (NOT NULL)
212 * @state: state match finished in
213 *
214 * Returns: mount permissions
215 */
216 static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa,
217 unsigned int state)
218 {
219 struct aa_perms perms = {
220 .allow = dfa_user_allow(dfa, state),
221 .audit = dfa_user_audit(dfa, state),
222 .quiet = dfa_user_quiet(dfa, state),
223 .xindex = dfa_user_xindex(dfa, state),
224 };
225
226 return perms;
227 }
228
229 static const char * const mnt_info_table[] = {
230 "match succeeded",
231 "failed mntpnt match",
232 "failed srcname match",
233 "failed type match",
234 "failed flags match",
235 "failed data match"
236 };
237
238 /*
239 * Returns 0 on success else element that match failed in, this is the
240 * index into the mnt_info_table above
241 */
242 static int do_match_mnt(struct aa_dfa *dfa, unsigned int start,
243 const char *mntpnt, const char *devname,
244 const char *type, unsigned long flags,
245 void *data, bool binary, struct aa_perms *perms)
246 {
247 unsigned int state;
248
249 AA_BUG(!dfa);
250 AA_BUG(!perms);
251
252 state = aa_dfa_match(dfa, start, mntpnt);
253 state = aa_dfa_null_transition(dfa, state);
254 if (!state)
255 return 1;
256
257 if (devname)
258 state = aa_dfa_match(dfa, state, devname);
259 state = aa_dfa_null_transition(dfa, state);
260 if (!state)
261 return 2;
262
263 if (type)
264 state = aa_dfa_match(dfa, state, type);
265 state = aa_dfa_null_transition(dfa, state);
266 if (!state)
267 return 3;
268
269 state = match_mnt_flags(dfa, state, flags);
270 if (!state)
271 return 4;
272 *perms = compute_mnt_perms(dfa, state);
273 if (perms->allow & AA_MAY_MOUNT)
274 return 0;
275
276 /* only match data if not binary and the DFA flags data is expected */
277 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
278 state = aa_dfa_null_transition(dfa, state);
279 if (!state)
280 return 4;
281
282 state = aa_dfa_match(dfa, state, data);
283 if (!state)
284 return 5;
285 *perms = compute_mnt_perms(dfa, state);
286 if (perms->allow & AA_MAY_MOUNT)
287 return 0;
288 }
289
290 /* failed at end of flags match */
291 return 4;
292 }
293
294
295 static int path_flags(struct aa_profile *profile, const struct path *path)
296 {
297 AA_BUG(!profile);
298 AA_BUG(!path);
299
300 return profile->path_flags |
301 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
302 }
303
304 /**
305 * match_mnt_path_str - handle path matching for mount
306 * @profile: the confining profile
307 * @mntpath: for the mntpnt (NOT NULL)
308 * @buffer: buffer to be used to lookup mntpath
309 * @devnme: string for the devname/src_name (MAY BE NULL OR ERRPTR)
310 * @type: string for the dev type (MAYBE NULL)
311 * @flags: mount flags to match
312 * @data: fs mount data (MAYBE NULL)
313 * @binary: whether @data is binary
314 * @devinfo: error str if (IS_ERR(@devname))
315 *
316 * Returns: 0 on success else error
317 */
318 static int match_mnt_path_str(struct aa_profile *profile,
319 const struct path *mntpath, char *buffer,
320 const char *devname, const char *type,
321 unsigned long flags, void *data, bool binary,
322 const char *devinfo)
323 {
324 struct aa_perms perms = { };
325 const char *mntpnt = NULL, *info = NULL;
326 int pos, error;
327
328 AA_BUG(!profile);
329 AA_BUG(!mntpath);
330 AA_BUG(!buffer);
331
332 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
333 &mntpnt, &info, profile->disconnected);
334 if (error)
335 goto audit;
336 if (IS_ERR(devname)) {
337 error = PTR_ERR(devname);
338 devname = NULL;
339 info = devinfo;
340 goto audit;
341 }
342
343 error = -EACCES;
344 pos = do_match_mnt(profile->policy.dfa,
345 profile->policy.start[AA_CLASS_MOUNT],
346 mntpnt, devname, type, flags, data, binary, &perms);
347 if (pos) {
348 info = mnt_info_table[pos];
349 goto audit;
350 }
351 error = 0;
352
353 audit:
354 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
355 flags, data, AA_MAY_MOUNT, &perms, info, error);
356 }
357
358 /**
359 * match_mnt - handle path matching for mount
360 * @profile: the confining profile
361 * @mntpath: for the mntpnt (NOT NULL)
362 * @buffer: buffer to be used to lookup mntpath
363 * @devpath: path devname/src_name (MAYBE NULL)
364 * @devbuffer: buffer to be used to lookup devname/src_name
365 * @type: string for the dev type (MAYBE NULL)
366 * @flags: mount flags to match
367 * @data: fs mount data (MAYBE NULL)
368 * @binary: whether @data is binary
369 *
370 * Returns: 0 on success else error
371 */
372 static int match_mnt(struct aa_profile *profile, const struct path *path,
373 char *buffer, struct path *devpath, char *devbuffer,
374 const char *type, unsigned long flags, void *data,
375 bool binary)
376 {
377 const char *devname = NULL, *info = NULL;
378 int error = -EACCES;
379
380 AA_BUG(!profile);
381 AA_BUG(devpath && !devbuffer);
382
383 if (devpath) {
384 error = aa_path_name(devpath, path_flags(profile, devpath),
385 devbuffer, &devname, &info,
386 profile->disconnected);
387 if (error)
388 devname = ERR_PTR(error);
389 }
390
391 return match_mnt_path_str(profile, path, buffer, devname, type, flags,
392 data, binary, info);
393 }
394
395 int aa_remount(struct aa_label *label, const struct path *path,
396 unsigned long flags, void *data)
397 {
398 struct aa_profile *profile;
399 char *buffer = NULL;
400 bool binary;
401 int error;
402
403 AA_BUG(!label);
404 AA_BUG(!path);
405
406 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
407
408 get_buffers(buffer);
409 error = fn_for_each_confined(label, profile,
410 match_mnt(profile, path, buffer, NULL, NULL, NULL,
411 flags, data, binary));
412 put_buffers(buffer);
413
414 return error;
415 }
416
417 int aa_bind_mount(struct aa_label *label, const struct path *path,
418 const char *dev_name, unsigned long flags)
419 {
420 struct aa_profile *profile;
421 char *buffer = NULL, *old_buffer = NULL;
422 struct path old_path;
423 int error;
424
425 AA_BUG(!label);
426 AA_BUG(!path);
427
428 if (!dev_name || !*dev_name)
429 return -EINVAL;
430
431 flags &= MS_REC | MS_BIND;
432
433 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
434 if (error)
435 return error;
436
437 get_buffers(buffer, old_buffer);
438 error = fn_for_each_confined(label, profile,
439 match_mnt(profile, path, buffer, &old_path, old_buffer,
440 NULL, flags, NULL, false));
441 put_buffers(buffer, old_buffer);
442 path_put(&old_path);
443
444 return error;
445 }
446
447 int aa_mount_change_type(struct aa_label *label, const struct path *path,
448 unsigned long flags)
449 {
450 struct aa_profile *profile;
451 char *buffer = NULL;
452 int error;
453
454 AA_BUG(!label);
455 AA_BUG(!path);
456
457 /* These are the flags allowed by do_change_type() */
458 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
459 MS_UNBINDABLE);
460
461 get_buffers(buffer);
462 error = fn_for_each_confined(label, profile,
463 match_mnt(profile, path, buffer, NULL, NULL, NULL,
464 flags, NULL, false));
465 put_buffers(buffer);
466
467 return error;
468 }
469
470 int aa_move_mount(struct aa_label *label, const struct path *path,
471 const char *orig_name)
472 {
473 struct aa_profile *profile;
474 char *buffer = NULL, *old_buffer = NULL;
475 struct path old_path;
476 int error;
477
478 AA_BUG(!label);
479 AA_BUG(!path);
480
481 if (!orig_name || !*orig_name)
482 return -EINVAL;
483
484 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
485 if (error)
486 return error;
487
488 get_buffers(buffer, old_buffer);
489 error = fn_for_each_confined(label, profile,
490 match_mnt(profile, path, buffer, &old_path, old_buffer,
491 NULL, MS_MOVE, NULL, false));
492 put_buffers(buffer, old_buffer);
493 path_put(&old_path);
494
495 return error;
496 }
497
498 int aa_new_mount(struct aa_label *label, const char *dev_name,
499 const struct path *path, const char *type, unsigned long flags,
500 void *data)
501 {
502 struct aa_profile *profile;
503 char *buffer = NULL, *dev_buffer = NULL;
504 bool binary = true;
505 int error;
506 int requires_dev = 0;
507 struct path tmp_path, *dev_path = NULL;
508
509 AA_BUG(!label);
510 AA_BUG(!path);
511
512 if (type) {
513 struct file_system_type *fstype;
514
515 fstype = get_fs_type(type);
516 if (!fstype)
517 return -ENODEV;
518 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
519 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
520 put_filesystem(fstype);
521
522 if (requires_dev) {
523 if (!dev_name || !*dev_name)
524 return -ENOENT;
525
526 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
527 if (error)
528 return error;
529 dev_path = &tmp_path;
530 }
531 }
532
533 get_buffers(buffer, dev_buffer);
534 if (dev_path) {
535 error = fn_for_each_confined(label, profile,
536 match_mnt(profile, path, buffer, dev_path, dev_buffer,
537 type, flags, data, binary));
538 } else {
539 error = fn_for_each_confined(label, profile,
540 match_mnt_path_str(profile, path, buffer, dev_name,
541 type, flags, data, binary, NULL));
542 }
543 put_buffers(buffer, dev_buffer);
544 if (dev_path)
545 path_put(dev_path);
546
547 return error;
548 }
549
550 static int profile_umount(struct aa_profile *profile, struct path *path,
551 char *buffer)
552 {
553 struct aa_perms perms = { };
554 const char *name = NULL, *info = NULL;
555 unsigned int state;
556 int error;
557
558 AA_BUG(!profile);
559 AA_BUG(!path);
560
561 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
562 &info, profile->disconnected);
563 if (error)
564 goto audit;
565
566 state = aa_dfa_match(profile->policy.dfa,
567 profile->policy.start[AA_CLASS_MOUNT],
568 name);
569 perms = compute_mnt_perms(profile->policy.dfa, state);
570 if (AA_MAY_UMOUNT & ~perms.allow)
571 error = -EACCES;
572
573 audit:
574 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
575 AA_MAY_UMOUNT, &perms, info, error);
576 }
577
578 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
579 {
580 struct aa_profile *profile;
581 char *buffer = NULL;
582 int error;
583 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
584
585 AA_BUG(!label);
586 AA_BUG(!mnt);
587
588 get_buffers(buffer);
589 error = fn_for_each_confined(label, profile,
590 profile_umount(profile, &path, buffer));
591 put_buffers(buffer);
592
593 return error;
594 }
595
596 /* helper fn for transition on pivotroot
597 *
598 * Returns: label for transition or ERR_PTR. Does not return NULL
599 */
600 static struct aa_label *build_pivotroot(struct aa_profile *profile,
601 const struct path *new_path,
602 char *new_buffer,
603 const struct path *old_path,
604 char *old_buffer)
605 {
606 const char *old_name, *new_name = NULL, *info = NULL;
607 const char *trans_name = NULL;
608 struct aa_perms perms = { };
609 unsigned int state;
610 int error;
611
612 AA_BUG(!profile);
613 AA_BUG(!new_path);
614 AA_BUG(!old_path);
615
616 if (profile_unconfined(profile))
617 return aa_get_newest_label(&profile->label);
618
619 error = aa_path_name(old_path, path_flags(profile, old_path),
620 old_buffer, &old_name, &info,
621 profile->disconnected);
622 if (error)
623 goto audit;
624 error = aa_path_name(new_path, path_flags(profile, new_path),
625 new_buffer, &new_name, &info,
626 profile->disconnected);
627 if (error)
628 goto audit;
629
630 error = -EACCES;
631 state = aa_dfa_match(profile->policy.dfa,
632 profile->policy.start[AA_CLASS_MOUNT],
633 new_name);
634 state = aa_dfa_null_transition(profile->policy.dfa, state);
635 state = aa_dfa_match(profile->policy.dfa, state, old_name);
636 perms = compute_mnt_perms(profile->policy.dfa, state);
637
638 if (AA_MAY_PIVOTROOT & perms.allow)
639 error = 0;
640
641 audit:
642 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
643 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
644 &perms, info, error);
645 if (error)
646 return ERR_PTR(error);
647
648 return aa_get_newest_label(&profile->label);
649 }
650
651 int aa_pivotroot(struct aa_label *label, const struct path *old_path,
652 const struct path *new_path)
653 {
654 struct aa_profile *profile;
655 struct aa_label *target = NULL;
656 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
657 int error;
658
659 AA_BUG(!label);
660 AA_BUG(!old_path);
661 AA_BUG(!new_path);
662
663 get_buffers(old_buffer, new_buffer);
664 target = fn_label_build(label, profile, GFP_ATOMIC,
665 build_pivotroot(profile, new_path, new_buffer,
666 old_path, old_buffer));
667 if (!target) {
668 info = "label build failed";
669 error = -ENOMEM;
670 goto fail;
671 } else if (!IS_ERR(target)) {
672 error = aa_replace_current_label(target);
673 if (error) {
674 /* TODO: audit target */
675 aa_put_label(target);
676 goto out;
677 }
678 } else
679 /* already audited error */
680 error = PTR_ERR(target);
681 out:
682 put_buffers(old_buffer, new_buffer);
683
684 return error;
685
686 fail:
687 /* TODO: add back in auditing of new_name and old_name */
688 error = fn_for_each(label, profile,
689 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */,
690 NULL /* old_name */,
691 NULL, NULL,
692 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
693 error));
694 goto out;
695 }
ubuntu-bionic-kernel mirror