]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/policy.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:


52abc2fa76b64caf3a8e9aeb4572f2fb650d58ea
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / policy.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy manipulation functions
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 *
14 *
15 * AppArmor policy is based around profiles, which contain the rules a
16 * task is confined by. Every task in the system has a profile attached
17 * to it determined either by matching "unconfined" tasks against the
18 * visible set of profiles or by following a profiles attachment rules.
19 *
20 * Each profile exists in a profile namespace which is a container of
21 * visible profiles. Each namespace contains a special "unconfined" profile,
22 * which doesn't enforce any confinement on a task beyond DAC.
23 *
24 * Namespace and profile names can be written together in either
25 * of two syntaxes.
26 * :namespace:profile - used by kernel interfaces for easy detection
27 * namespace://profile - used by policy
28 *
29 * Profile names can not start with : or @ or ^ and may not contain \0
30 *
31 * Reserved profile names
32 * unconfined - special automatically generated unconfined profile
33 * inherit - special name to indicate profile inheritance
34 * null-XXXX-YYYY - special automatically generated learning profiles
35 *
36 * Namespace names may not start with / or @ and may not contain \0 or :
37 * Reserved namespace names
38 * user-XXXX - user defined profiles
39 *
40 * a // in a profile or namespace name indicates a hierarchical name with the
41 * name before the // being the parent and the name after the child.
42 *
43 * Profile and namespace hierarchies serve two different but similar purposes.
44 * The namespace contains the set of visible profiles that are considered
45 * for attachment. The hierarchy of namespaces allows for virtualizing
46 * the namespace so that for example a chroot can have its own set of profiles
47 * which may define some local user namespaces.
48 * The profile hierarchy severs two distinct purposes,
49 * - it allows for sub profiles or hats, which allows an application to run
50 * subprograms under its own profile with different restriction than it
51 * self, and not have it use the system profile.
52 * eg. if a mail program starts an editor, the policy might make the
53 * restrictions tighter on the editor tighter than the mail program,
54 * and definitely different than general editor restrictions
55 * - it allows for binary hierarchy of profiles, so that execution history
56 * is preserved. This feature isn't exploited by AppArmor reference policy
57 * but is allowed. NOTE: this is currently suboptimal because profile
58 * aliasing is not currently implemented so that a profile for each
59 * level must be defined.
60 * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
61 * from /bin/bash
62 *
63 * A profile or namespace name that can contain one or more // separators
64 * is referred to as an hname (hierarchical).
65 * eg. /bin/bash//bin/ls
66 *
67 * An fqname is a name that may contain both namespace and profile hnames.
68 * eg. :ns:/bin/bash//bin/ls
69 *
70 * NOTES:
71 * - locking of profile lists is currently fairly coarse. All profile
72 * lists within a namespace use the namespace lock.
73 * FIXME: move profile lists to using rcu_lists
74 */
75
76 #include <linux/slab.h>
77 #include <linux/spinlock.h>
78 #include <linux/string.h>
79 #include <linux/user_namespace.h>
80
81 #include "include/apparmor.h"
82 #include "include/capability.h"
83 #include "include/context.h"
84 #include "include/file.h"
85 #include "include/ipc.h"
86 #include "include/label.h"
87 #include "include/match.h"
88 #include "include/path.h"
89 #include "include/policy.h"
90 #include "include/policy_unpack.h"
91 #include "include/resource.h"
92
93 int unprivileged_userns_apparmor_policy = 0;
94
95 /* Note: mode names must be unique in the first character because of
96 * modechrs used to print modes on compound labels on some interfaces
97 */
98 const char *const aa_profile_mode_names[] = {
99 "enforce",
100 "complain",
101 "kill",
102 "unconfined",
103 };
104
105
106 /**
107 * __add_profile - add a profiles to list and label tree
108 * @list: list to add it to (NOT NULL)
109 * @profile: the profile to add (NOT NULL)
110 *
111 * refcount @profile, should be put by __list_remove_profile
112 *
113 * Requires: namespace lock be held, or list not be shared
114 */
115 static void __add_profile(struct list_head *list, struct aa_profile *profile)
116 {
117 struct aa_label *l;
118
119 AA_BUG(!list);
120 AA_BUG(!profile);
121 AA_BUG(!profile->ns);
122 AA_BUG(!mutex_is_locked(&profile->ns->lock));
123
124 list_add_rcu(&profile->base.list, list);
125 /* get list reference */
126 aa_get_profile(profile);
127 l = aa_label_insert(&profile->ns->labels, &profile->label);
128 AA_BUG(l != &profile->label);
129 aa_put_label(l);
130 }
131
132 /**
133 * __list_remove_profile - remove a profile from the list it is on
134 * @profile: the profile to remove (NOT NULL)
135 *
136 * remove a profile from the list, warning generally removal should
137 * be done with __replace_profile as most profile removals are
138 * replacements to the unconfined profile.
139 *
140 * put @profile list refcount
141 *
142 * Requires: namespace lock be held, or list not have been live
143 */
144 static void __list_remove_profile(struct aa_profile *profile)
145 {
146 AA_BUG(!profile);
147 AA_BUG(!profile->ns);
148 AA_BUG(!mutex_is_locked(&profile->ns->lock));
149
150 list_del_rcu(&profile->base.list);
151 aa_put_profile(profile);
152 }
153
154 void __aa_profile_list_release(struct list_head *head);
155
156 /**
157 * __remove_profile - remove old profile, and children
158 * @profile: profile to be replaced (NOT NULL)
159 *
160 * Requires: namespace list lock be held, or list not be shared
161 */
162 static void __remove_profile(struct aa_profile *profile)
163 {
164 AA_BUG(!profile);
165 AA_BUG(!profile->ns);
166 AA_BUG(!mutex_is_locked(&profile->ns->lock));
167
168 /* release any children lists first */
169 __aa_profile_list_release(&profile->base.profiles);
170 /* released by free_profile */
171 aa_label_remove(&profile->label);
172 __aa_fs_profile_rmdir(profile);
173 __list_remove_profile(profile);
174 }
175
176 /**
177 * __aa_profile_list_release - remove all profiles on the list and put refs
178 * @head: list of profiles (NOT NULL)
179 *
180 * Requires: namespace lock be held
181 */
182 void __aa_profile_list_release(struct list_head *head)
183 {
184 struct aa_profile *profile, *tmp;
185 list_for_each_entry_safe(profile, tmp, head, base.list)
186 __remove_profile(profile);
187 }
188
189
190 /**
191 * aa_free_profile - free a profile
192 * @profile: the profile to free (MAYBE NULL)
193 *
194 * Free a profile, its hats and null_profile. All references to the profile,
195 * its hats and null_profile must have been put.
196 *
197 * If the profile was referenced from a task context, free_profile() will
198 * be called from an rcu callback routine, so we must not sleep here.
199 */
200 void aa_free_profile(struct aa_profile *profile)
201 {
202 AA_DEBUG("%s(%p)\n", __func__, profile);
203
204 if (!profile)
205 return;
206
207 /* free children profiles */
208 aa_policy_destroy(&profile->base);
209 aa_put_profile(rcu_access_pointer(profile->parent));
210
211 aa_put_ns(profile->ns);
212 kzfree(profile->rename);
213
214 aa_free_file_rules(&profile->file);
215 aa_free_cap_rules(&profile->caps);
216 aa_free_net_rules(&profile->net);
217 aa_free_rlimit_rules(&profile->rlimits);
218
219 kzfree(profile->dirname);
220 aa_put_dfa(profile->xmatch);
221 aa_put_dfa(profile->policy.dfa);
222
223 kzfree(profile->hash);
224 kzfree(profile);
225 }
226
227 /**
228 * aa_alloc_profile - allocate, initialize and return a new profile
229 * @hname: name of the profile (NOT NULL)
230 * @gfp: allocation type
231 *
232 * Returns: refcount profile or NULL on failure
233 */
234 struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
235 gfp_t gfp)
236 {
237 struct aa_profile *profile;
238
239 /* freed by free_profile - usually through aa_put_profile */
240 profile = kzalloc(sizeof(*profile) + sizeof (struct aa_profile *) * 2,
241 gfp);
242 if (!profile)
243 return NULL;
244
245 if (!aa_policy_init(&profile->base, NULL, hname, gfp))
246 goto fail;
247 if (!aa_label_init(&profile->label, 1))
248 goto fail;
249
250 /* update being set needed by fs interface */
251 if (!proxy) {
252 proxy = aa_alloc_proxy(&profile->label, gfp);
253 if (!proxy)
254 goto fail;
255 } else
256 aa_get_proxy(proxy);
257 profile->label.proxy = proxy;
258
259 profile->label.hname = profile->base.hname;
260 profile->label.flags |= FLAG_PROFILE;
261 profile->label.vec[0] = profile;
262
263 /* refcount released by caller */
264 return profile;
265
266 fail:
267 aa_free_profile(profile);
268
269 return NULL;
270 }
271
272 /**
273 * aa_null_profile - create or find a null-X learning profile
274 * @parent: profile that caused this profile to be created (NOT NULL)
275 * @hat: true if the null- learning profile is a hat
276 * @base: name to base the null profile off of
277 * @gfp: type of allocation
278 *
279 * Find/Create a null- complain mode profile used in learning mode. The
280 * name of the profile is unique and follows the format of parent//null-XXX.
281 * where XXX is based on the @name or if that fails or is not supplied
282 * a unique number
283 *
284 * null profiles are added to the profile list but the list does not
285 * hold a count on them so that they are automatically released when
286 * not in use.
287 *
288 * Returns: new refcounted profile else NULL on failure
289 */
290 struct aa_profile *aa_null_profile(struct aa_profile *parent, bool hat,
291 const char *base, gfp_t gfp)
292 {
293 struct aa_profile *profile;
294 char *name;
295
296 AA_BUG(!parent);
297
298 if (base) {
299 name = kmalloc(strlen(parent->base.hname) + 8 + strlen(base),
300 gfp);
301 if (name) {
302 sprintf(name, "%s//null-%s", parent->base.hname, base);
303 goto name;
304 }
305 /* fall through to try shorter uniq */
306 }
307
308 name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, gfp);
309 if (!name)
310 return NULL;
311 sprintf(name, "%s//null-%x", parent->base.hname,
312 atomic_inc_return(&parent->ns->uniq_null));
313
314 name:
315 /* lookup to see if this is a dup creation */
316 profile = aa_find_child(parent, basename(name));
317 if (profile)
318 goto out;
319
320 profile = aa_alloc_profile(name, NULL, gfp);
321 if (!profile)
322 goto fail;
323
324 profile->mode = APPARMOR_COMPLAIN;
325 profile->label.flags |= FLAG_NULL;
326 if (hat)
327 profile->label.flags |= FLAG_HAT;
328
329 /* released on free_profile */
330 rcu_assign_pointer(profile->parent, aa_get_profile(parent));
331 profile->ns = aa_get_ns(parent->ns);
332 profile->file.dfa = aa_get_dfa(nulldfa);
333 profile->policy.dfa = aa_get_dfa(nulldfa);
334
335 mutex_lock(&profile->ns->lock);
336 __add_profile(&parent->base.profiles, profile);
337 mutex_unlock(&profile->ns->lock);
338
339 /* refcount released by caller */
340 out:
341 kfree(name);
342 return profile;
343
344 fail:
345 aa_free_profile(profile);
346 return NULL;
347 }
348
349 /**
350 * aa_setup_default_label - create the initial default label
351 */
352 struct aa_label *aa_setup_default_label(void)
353 {
354 struct aa_profile *profile = aa_alloc_profile("default", NULL,
355 GFP_KERNEL);
356 if (!profile)
357 return NULL;
358
359 /* the default profile pretends to be unconfined until it is replaced */
360 profile->label.flags |= FLAG_IX_ON_NAME_ERROR | FLAG_UNCONFINED;
361 profile->mode = APPARMOR_UNCONFINED;
362
363 profile->ns = aa_get_ns(root_ns);
364
365 __add_profile(&root_ns->base.profiles, profile);
366
367 return &profile->label;
368 }
369
370 /* TODO: profile accounting - setup in remove */
371
372 /**
373 * __find_child - find a profile on @head list with a name matching @name
374 * @head: list to search (NOT NULL)
375 * @name: name of profile (NOT NULL)
376 *
377 * Requires: rcu_read_lock be held
378 *
379 * Returns: unrefcounted profile ptr, or NULL if not found
380 */
381 static struct aa_profile *__find_child(struct list_head *head, const char *name)
382 {
383 return (struct aa_profile *)__policy_find(head, name);
384 }
385
386 /**
387 * __strn_find_child - find a profile on @head list using substring of @name
388 * @head: list to search (NOT NULL)
389 * @name: name of profile (NOT NULL)
390 * @len: length of @name substring to match
391 *
392 * Requires: rcu_read_lock be held
393 *
394 * Returns: unrefcounted profile ptr, or NULL if not found
395 */
396 static struct aa_profile *__strn_find_child(struct list_head *head,
397 const char *name, int len)
398 {
399 return (struct aa_profile *)__policy_strn_find(head, name, len);
400 }
401
402 /**
403 * aa_find_child - find a profile by @name in @parent
404 * @parent: profile to search (NOT NULL)
405 * @name: profile name to search for (NOT NULL)
406 *
407 * Returns: a refcounted profile or NULL if not found
408 */
409 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
410 {
411 struct aa_profile *profile;
412
413 rcu_read_lock();
414 do {
415 profile = __find_child(&parent->base.profiles, name);
416 } while (profile && !aa_get_profile_not0(profile));
417 rcu_read_unlock();
418
419 /* refcount released by caller */
420 return profile;
421 }
422
423 /**
424 * __lookup_parent - lookup the parent of a profile of name @hname
425 * @ns: namespace to lookup profile in (NOT NULL)
426 * @hname: hierarchical profile name to find parent of (NOT NULL)
427 *
428 * Lookups up the parent of a fully qualified profile name, the profile
429 * that matches hname does not need to exist, in general this
430 * is used to load a new profile.
431 *
432 * Requires: rcu_read_lock be held
433 *
434 * Returns: unrefcounted policy or NULL if not found
435 */
436 static struct aa_policy *__lookup_parent(struct aa_ns *ns, const char *hname)
437 {
438 struct aa_policy *policy;
439 struct aa_profile *profile = NULL;
440 char *split;
441
442 policy = &ns->base;
443
444 for (split = strstr(hname, "//"); split;) {
445 profile = __strn_find_child(&policy->profiles, hname,
446 split - hname);
447 if (!profile)
448 return NULL;
449 policy = &profile->base;
450 hname = split + 2;
451 split = strstr(hname, "//");
452 }
453 if (!profile)
454 return &ns->base;
455 return &profile->base;
456 }
457
458 /**
459 * __lookupn_profile - lookup the profile matching @hname
460 * @base: base list to start looking up profile name from (NOT NULL)
461 * @hname: hierarchical profile name (NOT NULL)
462 * @n: length of @hname
463 *
464 * Requires: rcu_read_lock be held
465 *
466 * Returns: unrefcounted profile pointer or NULL if not found
467 *
468 * Do a relative name lookup, recursing through profile tree.
469 */
470 static struct aa_profile *__lookupn_profile(struct aa_policy *base,
471 const char *hname, size_t n)
472 {
473 struct aa_profile *profile = NULL;
474 const char *split;
475
476 for (split = strnstr(hname, "//", n); split;
477 split = strnstr(hname, "//", n)) {
478 profile = __strn_find_child(&base->profiles, hname,
479 split - hname);
480 if (!profile)
481 return NULL;
482
483 base = &profile->base;
484 n -= split + 2 - hname;
485 hname = split + 2;
486 }
487
488 if (n)
489 return __strn_find_child(&base->profiles, hname, n);
490 return NULL;
491 }
492
493 static struct aa_profile *__lookup_profile(struct aa_policy *base,
494 const char *hname)
495 {
496 return __lookupn_profile(base, hname, strlen(hname));
497 }
498
499 /**
500 * aa_lookup_profile - find a profile by its full or partial name
501 * @ns: the namespace to start from (NOT NULL)
502 * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
503 * @n: size of @hname
504 *
505 * Returns: refcounted profile or NULL if not found
506 */
507 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
508 size_t n)
509 {
510 struct aa_profile *profile;
511
512 rcu_read_lock();
513 do {
514 profile = __lookupn_profile(&ns->base, hname, n);
515 } while (profile && !aa_get_profile_not0(profile));
516 rcu_read_unlock();
517
518 /* the unconfined profile is not in the regular profile list */
519 if (!profile && strncmp(hname, "unconfined", n) == 0)
520 profile = aa_get_newest_profile(ns->unconfined);
521
522 /* refcount released by caller */
523 return profile;
524 }
525
526 struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *hname)
527 {
528 return aa_lookupn_profile(ns, hname, strlen(hname));
529 }
530
531 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
532 const char *fqname, size_t n)
533 {
534 struct aa_profile *profile;
535 struct aa_ns *ns;
536 const char *name, *ns_name;
537 size_t ns_len;
538
539 name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len);
540 if (ns_name) {
541 ns = aa_findn_ns(labels_ns(base), ns_name, ns_len);
542 if (!ns)
543 return NULL;
544 } else
545 ns = aa_get_ns(labels_ns(base));
546
547 if (name)
548 profile = aa_lookupn_profile(ns, name, n - (name - fqname));
549 else if (ns)
550 /* default profile for ns, currently unconfined */
551 profile = aa_get_newest_profile(ns->unconfined);
552 else
553 profile = NULL;
554 aa_put_ns(ns);
555
556 return profile;
557 }
558
559 /**
560 * replacement_allowed - test to see if replacement is allowed
561 * @profile: profile to test if it can be replaced (MAYBE NULL)
562 * @noreplace: true if replacement shouldn't be allowed but addition is okay
563 * @info: Returns - info about why replacement failed (NOT NULL)
564 *
565 * Returns: %0 if replacement allowed else error code
566 */
567 static int replacement_allowed(struct aa_profile *profile, int noreplace,
568 const char **info)
569 {
570 if (profile) {
571 if (profile->label.flags & FLAG_IMMUTIBLE) {
572 *info = "cannot replace immutible profile";
573 return -EPERM;
574 } else if (noreplace) {
575 *info = "profile already exists";
576 return -EEXIST;
577 }
578 }
579 return 0;
580 }
581
582 /* audit callback for net specific fields */
583 static void audit_cb(struct audit_buffer *ab, void *va)
584 {
585 struct common_audit_data *sa = va;
586
587 if (aad(sa)->iface.ns) {
588 audit_log_format(ab, " ns=");
589 audit_log_untrustedstring(ab, aad(sa)->iface.ns);
590 }
591 }
592
593 /**
594 * audit_policy - Do auditing of policy changes
595 * @label: label to check if it can manage policy
596 * @op: policy operation being performed
597 * @profile: name of profile being manipulated (NOT NULL)
598 * @info: any extra information to be audited (MAYBE NULL)
599 * @error: error code
600 *
601 * Returns: the error to be returned after audit is done
602 */
603 static int audit_policy(struct aa_label *label, const char *op,
604 const char *ns_name, const char *name,
605 const char *info, int error)
606 {
607 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
608 // aad(&sa)->op = op;
609 aad(&sa)->iface.ns = ns_name;
610 aad(&sa)->name = name;
611 aad(&sa)->info = info;
612 aad(&sa)->error = error;
613 aad(&sa)->label = label;
614
615 aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, audit_cb);
616
617 return error;
618 }
619
620 bool policy_view_capable(void)
621 {
622 struct user_namespace *user_ns = current_user_ns();
623 struct aa_ns *ns = aa_get_current_ns();
624 bool response = false;
625
626 if (ns_capable(user_ns, CAP_MAC_ADMIN) &&
627 (user_ns == &init_user_ns ||
628 (unprivileged_userns_apparmor_policy != 0 &&
629 user_ns->level == 1 && ns != root_ns)))
630 response = true;
631 aa_put_ns(ns);
632
633 return response;
634 }
635
636 bool policy_admin_capable(void)
637 {
638 return policy_view_capable() && !aa_g_lock_policy;
639 }
640
641 bool aa_may_open_profiles(void)
642 {
643 struct user_namespace *user_ns = current_user_ns();
644 struct aa_ns *ns = aa_get_current_ns();
645 bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
646 in_egroup_p(make_kgid(user_ns, 0));
647 bool response = false;
648
649 if (root_in_user_ns &&
650 (user_ns == &init_user_ns ||
651 (unprivileged_userns_apparmor_policy != 0 &&
652 user_ns->level == 1 && ns != root_ns)))
653 response = true;
654 aa_put_ns(ns);
655
656 return response;
657 }
658
659 /**
660 * aa_may_manage_policy - can the current task manage policy
661 * @label: label to check if it can manage policy
662 * @op: the policy manipulation operation being done
663 *
664 * Returns: 0 if the task is allowed to manipulate policy else error
665 */
666 int aa_may_manage_policy(struct aa_label *label, u32 mask)
667 {
668 const char *op;
669
670 if (mask & AA_MAY_REMOVE_POLICY)
671 op = OP_PROF_RM;
672 else if (mask & AA_MAY_REPLACE_POLICY)
673 op = OP_PROF_REPL;
674 else
675 op = OP_PROF_LOAD;
676
677 /* check if loading policy is locked out */
678 if (aa_g_lock_policy)
679 return audit_policy(label, op, NULL, NULL, "policy_locked",
680 -EACCES);
681
682 if (!policy_admin_capable())
683 return audit_policy(label, op, NULL, NULL, "not policy admin",
684 -EACCES);
685
686 /* TODO: add fine grained mediation of policy loads */
687 return 0;
688 }
689
690 static struct aa_profile *__list_lookup_parent(struct list_head *lh,
691 struct aa_profile *profile)
692 {
693 const char *base = basename(profile->base.hname);
694 long len = base - profile->base.hname;
695 struct aa_load_ent *ent;
696
697 /* parent won't have trailing // so remove from len */
698 if (len <= 2)
699 return NULL;
700 len -= 2;
701
702 list_for_each_entry(ent, lh, list) {
703 if (ent->new == profile)
704 continue;
705 if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
706 0 && ent->new->base.hname[len] == 0)
707 return ent->new;
708 }
709
710 return NULL;
711 }
712
713 /**
714 * __replace_profile - replace @old with @new on a list
715 * @old: profile to be replaced (NOT NULL)
716 * @new: profile to replace @old with (NOT NULL)
717 *
718 * Will duplicate and refcount elements that @new inherits from @old
719 * and will inherit @old children.
720 *
721 * refcount @new for list, put @old list refcount
722 *
723 * Requires: namespace list lock be held, or list not be shared
724 */
725 static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
726 {
727 struct aa_profile *child, *tmp;
728
729 if (!list_empty(&old->base.profiles)) {
730 LIST_HEAD(lh);
731 list_splice_init_rcu(&old->base.profiles, &lh, synchronize_rcu);
732
733 list_for_each_entry_safe(child, tmp, &lh, base.list) {
734 struct aa_profile *p;
735
736 list_del_init(&child->base.list);
737 p = __find_child(&new->base.profiles, child->base.name);
738 if (p) {
739 /* @p replaces @child */
740 __replace_profile(child, p);
741 continue;
742 }
743
744 /* inherit @child and its children */
745 /* TODO: update hname of inherited children */
746 /* list refcount transferred to @new */
747 p = aa_deref_parent(child);
748 rcu_assign_pointer(child->parent, aa_get_profile(new));
749 list_add_rcu(&child->base.list, &new->base.profiles);
750 aa_put_profile(p);
751 }
752 }
753
754 if (!rcu_access_pointer(new->parent)) {
755 struct aa_profile *parent = aa_deref_parent(old);
756 rcu_assign_pointer(new->parent, aa_get_profile(parent));
757 }
758 aa_label_replace(&old->label, &new->label);
759 /* migrate dents must come after label replacement b/c update */
760 __aa_fs_profile_migrate_dents(old, new);
761
762 if (list_empty(&new->base.list)) {
763 /* new is not on a list already */
764 list_replace_rcu(&old->base.list, &new->base.list);
765 aa_get_profile(new);
766 aa_put_profile(old);
767 } else
768 __list_remove_profile(old);
769 }
770
771 /**
772 * __lookup_replace - lookup replacement information for a profile
773 * @ns - namespace the lookup occurs in
774 * @hname - name of profile to lookup
775 * @noreplace - true if not replacing an existing profile
776 * @p - Returns: profile to be replaced
777 * @info - Returns: info string on why lookup failed
778 *
779 * Returns: profile to replace (no ref) on success else ptr error
780 */
781 static int __lookup_replace(struct aa_ns *ns, const char *hname,
782 bool noreplace, struct aa_profile **p,
783 const char **info)
784 {
785 *p = aa_get_profile(__lookup_profile(&ns->base, hname));
786 if (*p) {
787 int error = replacement_allowed(*p, noreplace, info);
788 if (error) {
789 *info = "profile can not be replaced";
790 return error;
791 }
792 }
793
794 return 0;
795 }
796
797 static void share_name(struct aa_profile *old, struct aa_profile *new)
798 {
799 aa_put_str(new->base.hname);
800 aa_get_str(old->base.hname);
801 new->base.hname = old->base.hname;
802 new->base.name = old->base.name;
803 new->label.hname = old->label.hname;
804 }
805
806 /* Update to newest version of parent after previous replacements
807 * Returns: unrefcount newest version of parent
808 */
809 static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
810 {
811 struct aa_profile *parent, *newest;
812 parent = rcu_dereference_protected(new->parent,
813 mutex_is_locked(&new->ns->lock));
814 newest = aa_get_newest_profile(parent);
815
816 /* parent replaced in this atomic set? */
817 if (newest != parent) {
818 aa_put_profile(parent);
819 rcu_assign_pointer(new->parent, newest);
820 } else
821 aa_put_profile(newest);
822
823 return newest;
824 }
825
826 /**
827 * aa_replace_profiles - replace profile(s) on the profile list
828 * @label: label that is attempting to load/replace policy
829 * @mask: permission mask
830 * @udata: serialized data stream (NOT NULL)
831 * @size: size of the serialized data stream
832 *
833 * unpack and replace a profile on the profile list and uses of that profile
834 * by any aa_task_ctx. If the profile does not exist on the profile list
835 * it is added.
836 *
837 * Returns: size of data consumed else error code on failure.
838 */
839 ssize_t aa_replace_profiles(struct aa_label *label, u32 mask, void *udata,
840 size_t size)
841 {
842 const char *ns_name, *info = NULL;
843 struct aa_ns *ns = NULL;
844 struct aa_load_ent *ent, *tmp;
845 const char *op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
846 ssize_t count, error;
847
848 LIST_HEAD(lh);
849
850 /* released below */
851 error = aa_unpack(udata, size, &lh, &ns_name);
852 if (error)
853 goto out;
854
855 /* ensure that profiles are all for the same ns
856 * TODO: update locking to remove this constaint. All profiles in
857 * the load set must succeed as a set or the load will
858 * fail. Sort ent list and take ns locks in hierarchy order
859 */
860 count = 0;
861 list_for_each_entry(ent, &lh, list) {
862 if (ns_name) {
863 if (ent->ns_name &&
864 strcmp(ent->ns_name, ns_name) != 0) {
865 info = "policy load has mixed namespaces";
866 error = -EACCES;
867 goto fail;
868 }
869 } else if (ent->ns_name) {
870 if (count) {
871 info = "policy load has mixed namespaces";
872 error = -EACCES;
873 goto fail;
874 }
875 ns_name = ent->ns_name;
876 } else
877 count++;
878 }
879 if (ns_name) {
880 ns = aa_prepare_ns(labels_ns(label), ns_name);
881 if (!ns) {
882 info = "failed to prepare namespace";
883 error = -ENOMEM;
884 goto fail;
885 }
886 } else
887 ns = aa_get_ns(labels_ns(label));
888
889 mutex_lock(&ns->lock);
890 /* setup parent and ns info */
891 list_for_each_entry(ent, &lh, list) {
892 struct aa_policy *policy;
893
894 error = __lookup_replace(ns, ent->new->base.hname,
895 !(mask & AA_MAY_REPLACE_POLICY),
896 &ent->old, &info);
897 if (error)
898 goto fail_lock;
899
900 if (ent->new->rename) {
901 error = __lookup_replace(ns, ent->new->rename,
902 !(mask & AA_MAY_REPLACE_POLICY),
903 &ent->rename, &info);
904 if (error)
905 goto fail_lock;
906 }
907
908 /* released when @new is freed */
909 ent->new->ns = aa_get_ns(ns);
910
911 if (ent->old || ent->rename)
912 continue;
913
914 /* no ref on policy only use inside lock */
915 policy = __lookup_parent(ns, ent->new->base.hname);
916 if (!policy) {
917 struct aa_profile *p;
918 p = __list_lookup_parent(&lh, ent->new);
919 if (!p) {
920 error = -ENOENT;
921 info = "parent does not exist";
922 goto fail_lock;
923 }
924 rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
925 } else if (policy != &ns->base) {
926 /* released on profile replacement or free_profile */
927 struct aa_profile *p = (struct aa_profile *) policy;
928 rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
929 }
930 }
931
932 /* create new fs entries for introspection if needed */
933 list_for_each_entry(ent, &lh, list) {
934 if (!ent->old) {
935 struct dentry *parent;
936 if (rcu_access_pointer(ent->new->parent)) {
937 struct aa_profile *p;
938 p = aa_deref_parent(ent->new);
939 parent = prof_child_dir(p);
940 } else
941 parent = ns_subprofs_dir(ent->new->ns);
942 error = __aa_fs_profile_mkdir(ent->new, parent);
943 }
944
945 if (error) {
946 info = "failed to create";
947 goto fail_lock;
948 }
949 }
950
951 /* Done with checks that may fail - do actual replacement */
952 list_for_each_entry_safe(ent, tmp, &lh, list) {
953 list_del_init(&ent->list);
954 op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
955
956 audit_policy(label, op, ns_name, ent->new->base.hname, NULL, error);
957
958 if (ent->old) {
959 share_name(ent->old, ent->new);
960 __replace_profile(ent->old, ent->new);
961 if (ent->rename)
962 __replace_profile(ent->rename, ent->new);
963 } else if (ent->rename) {
964 /* TODO: case not actually supported yet */
965 ;
966 } else {
967 struct list_head *lh;
968 if (rcu_access_pointer(ent->new->parent)) {
969 struct aa_profile *parent;
970 parent = update_to_newest_parent(ent->new);
971 lh = &parent->base.profiles;
972 } else
973 lh = &ns->base.profiles;
974 __add_profile(lh, ent->new);
975 }
976 aa_load_ent_free(ent);
977 }
978 __aa_labelset_update_subtree(ns);
979 mutex_unlock(&ns->lock);
980
981 out:
982 aa_put_ns(ns);
983
984 if (error)
985 return error;
986 return size;
987
988 fail_lock:
989 mutex_unlock(&ns->lock);
990
991 /* audit cause of failure */
992 op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
993 fail:
994 audit_policy(label, op, ns_name, ent->new->base.hname, info, error);
995 /* audit status that rest of profiles in the atomic set failed too */
996 info = "valid profile in failed atomic policy load";
997 list_for_each_entry(tmp, &lh, list) {
998 if (tmp == ent) {
999 info = "unchecked profile in failed atomic policy load";
1000 /* skip entry that caused failure */
1001 continue;
1002 }
1003 op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1004 audit_policy(label, op, ns_name, tmp->new->base.hname, info, error);
1005 }
1006 list_for_each_entry_safe(ent, tmp, &lh, list) {
1007 list_del_init(&ent->list);
1008 aa_load_ent_free(ent);
1009 }
1010
1011 goto out;
1012 }
1013
1014 /**
1015 * aa_remove_profiles - remove profile(s) from the system
1016 * @label: label attempting to remove policy
1017 * @fqname: name of the profile or namespace to remove (NOT NULL)
1018 * @size: size of the name
1019 *
1020 * Remove a profile or sub namespace from the current namespace, so that
1021 * they can not be found anymore and mark them as replaced by unconfined
1022 *
1023 * NOTE: removing confinement does not restore rlimits to preconfinemnet values
1024 *
1025 * Returns: size of data consume else error code if fails
1026 */
1027 ssize_t aa_remove_profiles(struct aa_label *label, char *fqname, size_t size)
1028 {
1029 struct aa_ns *root = NULL, *ns = NULL;
1030 struct aa_profile *profile = NULL;
1031 const char *name = fqname, *info = NULL;
1032 char *ns_name = NULL;
1033 ssize_t error = 0;
1034
1035 if (*fqname == 0) {
1036 info = "no profile specified";
1037 error = -ENOENT;
1038 goto fail;
1039 }
1040
1041 root = labels_ns(label);
1042
1043 if (fqname[0] == ':') {
1044 name = aa_split_fqname(fqname, &ns_name);
1045 /* released below */
1046 ns = aa_find_ns(root, ns_name);
1047 if (!ns) {
1048 info = "namespace does not exist";
1049 error = -ENOENT;
1050 goto fail;
1051 }
1052 } else
1053 /* released below */
1054 ns = aa_get_ns(root);
1055
1056 if (!name) {
1057 /* remove namespace - can only happen if fqname[0] == ':' */
1058 mutex_lock(&ns->parent->lock);
1059 __aa_remove_ns(ns);
1060 mutex_unlock(&ns->parent->lock);
1061 } else {
1062 /* remove profile */
1063 mutex_lock(&ns->lock);
1064 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1065 if (!profile) {
1066 error = -ENOENT;
1067 info = "profile does not exist";
1068 goto fail_ns_lock;
1069 }
1070 name = profile->base.hname;
1071 __remove_profile(profile);
1072 __aa_labelset_update_subtree(ns);
1073 mutex_unlock(&ns->lock);
1074 }
1075
1076 /* don't fail removal if audit fails */
1077 (void) audit_policy(label, OP_PROF_RM, ns_name, name, info, error);
1078 aa_put_profile(profile);
1079 return size;
1080
1081 fail_ns_lock:
1082 mutex_unlock(&ns->lock);
1083
1084 fail:
1085 (void) audit_policy(label, OP_PROF_RM, ns_name, name, info, error);
1086 return error;
1087 }
ubuntu-zesty-kernel mirror