2 * AppArmor security module
4 * This file contains AppArmor LSM hooks.
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/lsm_hooks.h>
16 #include <linux/moduleparam.h>
18 #include <linux/mman.h>
19 #include <linux/mount.h>
20 #include <linux/namei.h>
21 #include <linux/ptrace.h>
22 #include <linux/ctype.h>
23 #include <linux/sysctl.h>
24 #include <linux/audit.h>
25 #include <linux/user_namespace.h>
26 #include <linux/kmemleak.h>
29 #include "include/af_unix.h"
30 #include "include/apparmor.h"
31 #include "include/apparmorfs.h"
32 #include "include/audit.h"
33 #include "include/capability.h"
34 #include "include/context.h"
35 #include "include/file.h"
36 #include "include/ipc.h"
37 #include "include/net.h"
38 #include "include/path.h"
39 #include "include/label.h"
40 #include "include/policy.h"
41 #include "include/policy_ns.h"
42 #include "include/procattr.h"
43 #include "include/mount.h"
45 /* Flag indicating whether initialization completed */
46 int apparmor_initialized
;
48 DEFINE_PER_CPU(struct aa_buffers
, aa_buffers
);
56 * free the associated aa_task_ctx and put its labels
58 static void apparmor_cred_free(struct cred
*cred
)
60 aa_free_task_context(cred_ctx(cred
));
64 * prepare new aa_task_ctx for modification by prepare_cred block
66 static int apparmor_cred_prepare(struct cred
*new, const struct cred
*old
,
69 aa_dup_task_context(cred_ctx(new), cred_ctx(old
));
74 * transfer the apparmor data to a blank set of creds
76 static void apparmor_cred_transfer(struct cred
*new, const struct cred
*old
)
78 const struct aa_task_ctx
*old_ctx
= cred_ctx(old
);
79 struct aa_task_ctx
*new_ctx
= cred_ctx(new);
81 aa_dup_task_context(new_ctx
, old_ctx
);
84 static int apparmor_ptrace_access_check(struct task_struct
*child
,
87 struct aa_label
*tracer
, *tracee
;
90 tracer
= begin_current_label_crit_section();
91 tracee
= aa_get_task_label(child
);
92 error
= aa_may_ptrace(tracer
, tracee
,
93 mode
== PTRACE_MODE_READ
? AA_PTRACE_READ
: AA_PTRACE_TRACE
);
95 end_current_label_crit_section(tracer
);
100 static int apparmor_ptrace_traceme(struct task_struct
*parent
)
102 struct aa_label
*tracer
, *tracee
;
105 tracee
= begin_current_label_crit_section();
106 tracer
= aa_get_task_label(parent
);
107 error
= aa_may_ptrace(tracer
, tracee
, AA_PTRACE_TRACE
);
108 aa_put_label(tracer
);
109 end_current_label_crit_section(tracee
);
114 /* Derived from security/commoncap.c:cap_capget */
115 static int apparmor_capget(struct task_struct
*target
, kernel_cap_t
*effective
,
116 kernel_cap_t
*inheritable
, kernel_cap_t
*permitted
)
118 struct aa_label
*label
;
119 const struct cred
*cred
;
122 cred
= __task_cred(target
);
123 label
= aa_get_newest_cred_label(cred
);
126 * cap_capget is stacked ahead of this and will
127 * initialize effective and permitted.
129 if (!unconfined(label
)) {
130 struct aa_profile
*profile
;
133 label_for_each_confined(i
, label
, profile
) {
134 if (COMPLAIN_MODE(profile
))
136 *effective
= cap_intersect(*effective
,
137 profile
->caps
.allow
);
138 *permitted
= cap_intersect(*permitted
,
139 profile
->caps
.allow
);
148 static int apparmor_capable(const struct cred
*cred
, struct user_namespace
*ns
,
151 struct aa_label
*label
;
154 label
= aa_get_newest_cred_label(cred
);
155 if (!unconfined(label
))
156 error
= aa_capable(label
, cap
, audit
);
163 * common_perm - basic common permission check wrapper fn for paths
164 * @op: operation being checked
165 * @path: path to check permission of (NOT NULL)
166 * @mask: requested permissions mask
167 * @cond: conditional info for the permission request (NOT NULL)
169 * Returns: %0 else error code if error or permission denied
171 static int common_perm(const char *op
, const struct path
*path
, u32 mask
,
172 struct path_cond
*cond
)
174 struct aa_label
*label
;
177 label
= __begin_current_label_crit_section();
178 if (!unconfined(label
))
179 error
= aa_path_perm(op
, label
, path
, 0, mask
, cond
);
180 __end_current_label_crit_section(label
);
186 * common_perm_cond - common permission wrapper around inode cond
187 * @op: operation being checked
188 * @path: location to check (NOT NULL)
189 * @mask: requested permissions mask
191 * Returns: %0 else error code if error or permission denied
193 static int common_perm_cond(const char *op
, const struct path
*path
, u32 mask
)
195 struct path_cond cond
= { d_backing_inode(path
->dentry
)->i_uid
,
196 d_backing_inode(path
->dentry
)->i_mode
199 if (!path_mediated_fs(path
->dentry
))
202 return common_perm(op
, path
, mask
, &cond
);
206 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
207 * @op: operation being checked
208 * @dir: directory of the dentry (NOT NULL)
209 * @dentry: dentry to check (NOT NULL)
210 * @mask: requested permissions mask
211 * @cond: conditional info for the permission request (NOT NULL)
213 * Returns: %0 else error code if error or permission denied
215 static int common_perm_dir_dentry(const char *op
, const struct path
*dir
,
216 struct dentry
*dentry
, u32 mask
,
217 struct path_cond
*cond
)
219 struct path path
= { .mnt
= dir
->mnt
, .dentry
= dentry
};
221 return common_perm(op
, &path
, mask
, cond
);
225 * common_perm_rm - common permission wrapper for operations doing rm
226 * @op: operation being checked
227 * @dir: directory that the dentry is in (NOT NULL)
228 * @dentry: dentry being rm'd (NOT NULL)
229 * @mask: requested permission mask
231 * Returns: %0 else error code if error or permission denied
233 static int common_perm_rm(const char *op
, const struct path
*dir
,
234 struct dentry
*dentry
, u32 mask
)
236 struct inode
*inode
= d_backing_inode(dentry
);
237 struct path_cond cond
= { };
239 if (!inode
|| !path_mediated_fs(dentry
))
242 cond
.uid
= inode
->i_uid
;
243 cond
.mode
= inode
->i_mode
;
245 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
249 * common_perm_create - common permission wrapper for operations doing create
250 * @op: operation being checked
251 * @dir: directory that dentry will be created in (NOT NULL)
252 * @dentry: dentry to create (NOT NULL)
253 * @mask: request permission mask
254 * @mode: created file mode
256 * Returns: %0 else error code if error or permission denied
258 static int common_perm_create(const char *op
, const struct path
*dir
,
259 struct dentry
*dentry
, u32 mask
, umode_t mode
)
261 struct path_cond cond
= { current_fsuid(), mode
};
263 if (!path_mediated_fs(dir
->dentry
))
266 return common_perm_dir_dentry(op
, dir
, dentry
, mask
, &cond
);
269 static int apparmor_path_unlink(const struct path
*dir
, struct dentry
*dentry
)
271 return common_perm_rm(OP_UNLINK
, dir
, dentry
, AA_MAY_DELETE
);
274 static int apparmor_path_mkdir(const struct path
*dir
, struct dentry
*dentry
,
277 return common_perm_create(OP_MKDIR
, dir
, dentry
, AA_MAY_CREATE
,
281 static int apparmor_path_rmdir(const struct path
*dir
, struct dentry
*dentry
)
283 return common_perm_rm(OP_RMDIR
, dir
, dentry
, AA_MAY_DELETE
);
286 static int apparmor_path_mknod(const struct path
*dir
, struct dentry
*dentry
,
287 umode_t mode
, unsigned int dev
)
289 return common_perm_create(OP_MKNOD
, dir
, dentry
, AA_MAY_CREATE
, mode
);
292 static int apparmor_path_truncate(const struct path
*path
)
294 return common_perm_cond(OP_TRUNC
, path
, MAY_WRITE
| AA_MAY_SETATTR
);
297 static int apparmor_path_symlink(const struct path
*dir
, struct dentry
*dentry
,
298 const char *old_name
)
300 return common_perm_create(OP_SYMLINK
, dir
, dentry
, AA_MAY_CREATE
,
304 static int apparmor_path_link(struct dentry
*old_dentry
, const struct path
*new_dir
,
305 struct dentry
*new_dentry
)
307 struct aa_label
*label
;
310 if (!path_mediated_fs(old_dentry
))
313 label
= begin_current_label_crit_section();
314 if (!unconfined(label
))
315 error
= aa_path_link(label
, old_dentry
, new_dir
, new_dentry
);
316 end_current_label_crit_section(label
);
321 static int apparmor_path_rename(const struct path
*old_dir
, struct dentry
*old_dentry
,
322 const struct path
*new_dir
, struct dentry
*new_dentry
)
324 struct aa_label
*label
;
327 if (!path_mediated_fs(old_dentry
))
330 label
= begin_current_label_crit_section();
331 if (!unconfined(label
)) {
332 struct path old_path
= { .mnt
= old_dir
->mnt
,
333 .dentry
= old_dentry
};
334 struct path new_path
= { .mnt
= new_dir
->mnt
,
335 .dentry
= new_dentry
};
336 struct path_cond cond
= { d_backing_inode(old_dentry
)->i_uid
,
337 d_backing_inode(old_dentry
)->i_mode
340 error
= aa_path_perm(OP_RENAME_SRC
, label
, &old_path
, 0,
341 MAY_READ
| AA_MAY_GETATTR
| MAY_WRITE
|
342 AA_MAY_SETATTR
| AA_MAY_DELETE
,
345 error
= aa_path_perm(OP_RENAME_DEST
, label
, &new_path
,
346 0, MAY_WRITE
| AA_MAY_SETATTR
|
347 AA_MAY_CREATE
, &cond
);
350 end_current_label_crit_section(label
);
355 static int apparmor_path_chmod(const struct path
*path
, umode_t mode
)
357 return common_perm_cond(OP_CHMOD
, path
, AA_MAY_CHMOD
);
360 static int apparmor_path_chown(const struct path
*path
, kuid_t uid
, kgid_t gid
)
362 return common_perm_cond(OP_CHOWN
, path
, AA_MAY_CHOWN
);
365 static int apparmor_inode_getattr(const struct path
*path
)
367 return common_perm_cond(OP_GETATTR
, path
, AA_MAY_GETATTR
);
370 static int apparmor_file_open(struct file
*file
, const struct cred
*cred
)
372 struct aa_file_ctx
*fctx
= file_ctx(file
);
373 struct aa_label
*label
;
376 if (!path_mediated_fs(file
->f_path
.dentry
))
379 /* If in exec, permission is handled by bprm hooks.
380 * Cache permissions granted by the previous exec check, with
381 * implicit read and executable mmap which are required to
382 * actually execute the image.
384 if (current
->in_execve
) {
385 fctx
->allow
= MAY_EXEC
| MAY_READ
| AA_EXEC_MMAP
;
389 label
= aa_get_newest_cred_label(cred
);
390 if (!unconfined(label
)) {
391 struct inode
*inode
= file_inode(file
);
392 struct path_cond cond
= { inode
->i_uid
, inode
->i_mode
};
394 error
= aa_path_perm(OP_OPEN
, label
, &file
->f_path
, 0,
395 aa_map_file_to_perms(file
), &cond
);
396 /* todo cache full allowed permissions set and state */
397 fctx
->allow
= aa_map_file_to_perms(file
);
404 static int apparmor_file_alloc_security(struct file
*file
)
408 /* freed by apparmor_file_free_security */
409 struct aa_label
*label
= begin_current_label_crit_section();
410 file
->f_security
= aa_alloc_file_ctx(label
, GFP_KERNEL
);
413 end_current_label_crit_section(label
);
418 static void apparmor_file_free_security(struct file
*file
)
420 aa_free_file_ctx(file_ctx(file
));
423 static int common_file_perm(const char *op
, struct file
*file
, u32 mask
)
425 struct aa_label
*label
;
428 /* don't reaudit files closed during inheritance */
429 if (file
->f_path
.dentry
== aa_null
.dentry
)
432 label
= __begin_current_label_crit_section();
433 error
= aa_file_perm(op
, label
, file
, mask
);
434 __end_current_label_crit_section(label
);
439 static int apparmor_file_receive(struct file
*file
)
441 return common_file_perm(OP_FRECEIVE
, file
, aa_map_file_to_perms(file
));
444 static int apparmor_file_permission(struct file
*file
, int mask
)
446 return common_file_perm(OP_FPERM
, file
, mask
);
449 static int apparmor_file_lock(struct file
*file
, unsigned int cmd
)
451 u32 mask
= AA_MAY_LOCK
;
456 return common_file_perm(OP_FLOCK
, file
, mask
);
459 static int common_mmap(const char *op
, struct file
*file
, unsigned long prot
,
464 if (!file
|| !file_ctx(file
))
467 if (prot
& PROT_READ
)
470 * Private mappings don't require write perms since they don't
471 * write back to the files
473 if ((prot
& PROT_WRITE
) && !(flags
& MAP_PRIVATE
))
475 if (prot
& PROT_EXEC
)
476 mask
|= AA_EXEC_MMAP
;
478 return common_file_perm(op
, file
, mask
);
481 static int apparmor_mmap_file(struct file
*file
, unsigned long reqprot
,
482 unsigned long prot
, unsigned long flags
)
484 return common_mmap(OP_FMMAP
, file
, prot
, flags
);
487 static int apparmor_file_mprotect(struct vm_area_struct
*vma
,
488 unsigned long reqprot
, unsigned long prot
)
490 return common_mmap(OP_FMPROT
, vma
->vm_file
, prot
,
491 !(vma
->vm_flags
& VM_SHARED
) ? MAP_PRIVATE
: 0);
494 static int apparmor_sb_mount(const char *dev_name
, const struct path
*path
,
495 const char *type
, unsigned long flags
, void *data
)
497 struct aa_label
*label
;
501 if ((flags
& MS_MGC_MSK
) == MS_MGC_VAL
)
502 flags
&= ~MS_MGC_MSK
;
504 flags
&= ~AA_MS_IGNORE_MASK
;
506 label
= __begin_current_label_crit_section();
507 if (!unconfined(label
)) {
508 if (flags
& MS_REMOUNT
)
509 error
= aa_remount(label
, path
, flags
, data
);
510 else if (flags
& MS_BIND
)
511 error
= aa_bind_mount(label
, path
, dev_name
, flags
);
512 else if (flags
& (MS_SHARED
| MS_PRIVATE
| MS_SLAVE
|
514 error
= aa_mount_change_type(label
, path
, flags
);
515 else if (flags
& MS_MOVE
)
516 error
= aa_move_mount(label
, path
, dev_name
);
518 error
= aa_new_mount(label
, dev_name
, path
, type
,
521 __end_current_label_crit_section(label
);
526 static int apparmor_sb_umount(struct vfsmount
*mnt
, int flags
)
528 struct aa_label
*label
;
531 label
= __begin_current_label_crit_section();
532 if (!unconfined(label
))
533 error
= aa_umount(label
, mnt
, flags
);
534 __end_current_label_crit_section(label
);
539 static int apparmor_sb_pivotroot(const struct path
*old_path
,
540 const struct path
*new_path
)
542 struct aa_label
*label
;
545 label
= aa_get_current_label();
546 if (!unconfined(label
))
547 error
= aa_pivotroot(label
, old_path
, new_path
);
553 static int apparmor_getprocattr(struct task_struct
*task
, char *name
,
558 const struct cred
*cred
= get_task_cred(task
);
559 struct aa_task_ctx
*ctx
= cred_ctx(cred
);
560 struct aa_label
*label
= NULL
;
562 if (strcmp(name
, "current") == 0)
563 label
= aa_get_newest_label(ctx
->label
);
564 else if (strcmp(name
, "prev") == 0 && ctx
->previous
)
565 label
= aa_get_newest_label(ctx
->previous
);
566 else if (strcmp(name
, "exec") == 0 && ctx
->onexec
)
567 label
= aa_get_newest_label(ctx
->onexec
);
572 error
= aa_getprocattr(label
, value
);
580 static int apparmor_setprocattr(const char *name
, void *value
,
583 char *command
, *largs
= NULL
, *args
= value
;
586 DEFINE_AUDIT_DATA(sa
, LSM_AUDIT_DATA_NONE
, OP_SETPROCATTR
);
591 /* AppArmor requires that the buffer must be null terminated atm */
592 if (args
[size
- 1] != '\0') {
594 largs
= args
= kmalloc(size
+ 1, GFP_KERNEL
);
597 memcpy(args
, value
, size
);
603 command
= strsep(&args
, " ");
606 args
= skip_spaces(args
);
610 arg_size
= size
- (args
- (largs
? largs
: (char *) value
));
611 if (strcmp(name
, "current") == 0) {
612 if (strcmp(command
, "changehat") == 0) {
613 error
= aa_setprocattr_changehat(args
, arg_size
,
615 } else if (strcmp(command
, "permhat") == 0) {
616 error
= aa_setprocattr_changehat(args
, arg_size
,
618 } else if (strcmp(command
, "changeprofile") == 0) {
619 error
= aa_change_profile(args
, AA_CHANGE_NOFLAGS
);
620 } else if (strcmp(command
, "permprofile") == 0) {
621 error
= aa_change_profile(args
, AA_CHANGE_TEST
);
622 } else if (strcmp(command
, "stack") == 0) {
623 error
= aa_change_profile(args
, AA_CHANGE_STACK
);
626 } else if (strcmp(name
, "exec") == 0) {
627 if (strcmp(command
, "exec") == 0)
628 error
= aa_change_profile(args
, AA_CHANGE_ONEXEC
);
629 else if (strcmp(command
, "stack") == 0)
630 error
= aa_change_profile(args
, (AA_CHANGE_ONEXEC
|
635 /* only support the "current" and "exec" process attributes */
645 aad(&sa
)->label
= begin_current_label_crit_section();
646 aad(&sa
)->info
= name
;
647 aad(&sa
)->error
= error
= -EINVAL
;
648 aa_audit_msg(AUDIT_APPARMOR_DENIED
, &sa
, NULL
);
649 end_current_label_crit_section(aad(&sa
)->label
);
654 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
655 * @bprm: binprm for the exec (NOT NULL)
657 static void apparmor_bprm_committing_creds(struct linux_binprm
*bprm
)
659 struct aa_label
*label
= aa_current_raw_label();
660 struct aa_task_ctx
*new_ctx
= cred_ctx(bprm
->cred
);
662 /* bail out if unconfined or not changing profile */
663 if ((new_ctx
->label
->proxy
== label
->proxy
) ||
664 (unconfined(new_ctx
->label
)))
667 aa_inherit_files(bprm
->cred
, current
->files
);
669 current
->pdeath_signal
= 0;
671 /* reset soft limits and set hard limits for the new label */
672 __aa_transition_rlimits(label
, new_ctx
->label
);
676 * apparmor_bprm_committed_cred - do cleanup after new creds committed
677 * @bprm: binprm for the exec (NOT NULL)
679 static void apparmor_bprm_committed_creds(struct linux_binprm
*bprm
)
681 /* TODO: cleanup signals - ipc mediation */
685 static int apparmor_task_setrlimit(struct task_struct
*task
,
686 unsigned int resource
, struct rlimit
*new_rlim
)
688 struct aa_label
*label
= __begin_current_label_crit_section();
691 if (!unconfined(label
))
692 error
= aa_task_setrlimit(label
, task
, resource
, new_rlim
);
693 __end_current_label_crit_section(label
);
698 static int apparmor_task_kill(struct task_struct
*target
, struct siginfo
*info
,
701 struct aa_label
*cl
, *tl
;
705 /* TODO: after secid to label mapping is done.
706 * Dealing with USB IO specific behavior
709 cl
= __begin_current_label_crit_section();
710 tl
= aa_get_task_label(target
);
711 error
= aa_may_signal(cl
, tl
, sig
);
713 __end_current_label_crit_section(cl
);
719 * apparmor_sk_alloc_security - allocate and attach the sk_security field
721 static int apparmor_sk_alloc_security(struct sock
*sk
, int family
, gfp_t flags
)
723 struct aa_sk_ctx
*ctx
;
725 ctx
= kzalloc(sizeof(*ctx
), flags
);
735 * apparmor_sk_free_security - free the sk_security field
737 static void apparmor_sk_free_security(struct sock
*sk
)
739 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
742 aa_put_label(ctx
->label
);
743 aa_put_label(ctx
->peer
);
744 path_put(&ctx
->path
);
749 * apparmor_clone_security - clone the sk_security field
751 static void apparmor_sk_clone_security(const struct sock
*sk
,
754 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
755 struct aa_sk_ctx
*new = SK_CTX(newsk
);
757 new->label
= aa_get_label(ctx
->label
);
758 new->peer
= aa_get_label(ctx
->peer
);
759 new->path
= ctx
->path
;
760 path_get(&new->path
);
763 static struct path
*UNIX_FS_CONN_PATH(struct sock
*sk
, struct sock
*newsk
)
765 if (sk
->sk_family
== PF_UNIX
&& UNIX_FS(sk
))
766 return &unix_sk(sk
)->path
;
767 else if (newsk
->sk_family
== PF_UNIX
&& UNIX_FS(newsk
))
768 return &unix_sk(newsk
)->path
;
773 * apparmor_unix_stream_connect - check perms before making unix domain conn
775 * peer is locked when this hook is called
777 static int apparmor_unix_stream_connect(struct sock
*sk
, struct sock
*peer_sk
,
780 struct aa_sk_ctx
*sk_ctx
= SK_CTX(sk
);
781 struct aa_sk_ctx
*peer_ctx
= SK_CTX(peer_sk
);
782 struct aa_sk_ctx
*new_ctx
= SK_CTX(newsk
);
783 struct aa_label
*label
;
787 label
= __begin_current_label_crit_section();
788 error
= aa_unix_peer_perm(label
, OP_CONNECT
,
789 (AA_MAY_CONNECT
| AA_MAY_SEND
| AA_MAY_RECEIVE
),
791 if (!UNIX_FS(peer_sk
)) {
793 aa_unix_peer_perm(peer_ctx
->label
, OP_CONNECT
,
794 (AA_MAY_ACCEPT
| AA_MAY_SEND
| AA_MAY_RECEIVE
),
795 peer_sk
, sk
, label
));
797 __end_current_label_crit_section(label
);
802 /* label newsk if it wasn't labeled in post_create. Normally this
803 * would be done in sock_graft, but because we are directly looking
804 * at the peer_sk to obtain peer_labeling for unix socks this
808 new_ctx
->label
= aa_get_label(peer_ctx
->label
);
810 /* Cross reference the peer labels for SO_PEERSEC */
812 aa_put_label(new_ctx
->peer
);
815 aa_put_label(sk_ctx
->peer
);
817 new_ctx
->peer
= aa_get_label(sk_ctx
->label
);
818 sk_ctx
->peer
= aa_get_label(peer_ctx
->label
);
820 path
= UNIX_FS_CONN_PATH(sk
, peer_sk
);
822 new_ctx
->path
= *path
;
823 sk_ctx
->path
= *path
;
831 * apparmor_unix_may_send - check perms before conn or sending unix dgrams
833 * other is locked when this hook is called
835 * dgram connect calls may_send, peer setup but path not copied?????
837 static int apparmor_unix_may_send(struct socket
*sock
, struct socket
*peer
)
839 struct aa_sk_ctx
*peer_ctx
= SK_CTX(peer
->sk
);
840 struct aa_label
*label
;
843 label
= __begin_current_label_crit_section();
844 error
= xcheck(aa_unix_peer_perm(label
, OP_SENDMSG
, AA_MAY_SEND
,
845 sock
->sk
, peer
->sk
, NULL
),
846 aa_unix_peer_perm(peer_ctx
->label
, OP_SENDMSG
,
848 peer
->sk
, sock
->sk
, label
));
849 __end_current_label_crit_section(label
);
855 * apparmor_socket_create - check perms before creating a new socket
857 static int apparmor_socket_create(int family
, int type
, int protocol
, int kern
)
859 struct aa_label
*label
;
862 label
= begin_current_label_crit_section();
863 if (!(kern
|| unconfined(label
)))
864 error
= aa_sock_create_perm(label
, family
, type
, protocol
);
865 end_current_label_crit_section(label
);
871 * apparmor_socket_post_create - setup the per-socket security struct
874 * - kernel sockets currently labeled unconfined but we may want to
875 * move to a special kernel label
876 * - socket may not have sk here if created with sock_create_lite or
877 * sock_alloc. These should be accept cases which will be handled in
880 static int apparmor_socket_post_create(struct socket
*sock
, int family
,
881 int type
, int protocol
, int kern
)
883 struct aa_label
*label
;
886 struct aa_ns
*ns
= aa_get_current_ns();
888 label
= aa_get_label(ns_unconfined(ns
));
891 label
= aa_get_current_label();
894 struct aa_sk_ctx
*ctx
= SK_CTX(sock
->sk
);
896 aa_put_label(ctx
->label
);
897 ctx
->label
= aa_get_label(label
);
905 * apparmor_socket_bind - check perms before bind addr to socket
907 static int apparmor_socket_bind(struct socket
*sock
,
908 struct sockaddr
*address
, int addrlen
)
910 return aa_sock_bind_perm(sock
, address
, addrlen
);
914 * apparmor_socket_connect - check perms before connecting @sock to @address
916 static int apparmor_socket_connect(struct socket
*sock
,
917 struct sockaddr
*address
, int addrlen
)
919 return aa_sock_connect_perm(sock
, address
, addrlen
);
923 * apparmor_socket_list - check perms before allowing listen
925 static int apparmor_socket_listen(struct socket
*sock
, int backlog
)
927 return aa_sock_listen_perm(sock
, backlog
);
931 * apparmor_socket_accept - check perms before accepting a new connection.
933 * Note: while @newsock is created and has some information, the accept
936 static int apparmor_socket_accept(struct socket
*sock
, struct socket
*newsock
)
938 return aa_sock_accept_perm(sock
, newsock
);
942 * apparmor_socket_sendmsg - check perms before sending msg to another socket
944 static int apparmor_socket_sendmsg(struct socket
*sock
,
945 struct msghdr
*msg
, int size
)
947 return aa_sock_msg_perm(OP_SENDMSG
, AA_MAY_SEND
, sock
, msg
, size
);
951 * apparmor_socket_recvmsg - check perms before receiving a message
953 static int apparmor_socket_recvmsg(struct socket
*sock
,
954 struct msghdr
*msg
, int size
, int flags
)
956 return aa_sock_msg_perm(OP_RECVMSG
, AA_MAY_RECEIVE
, sock
, msg
, size
);
960 * apparmor_socket_getsockname - check perms before getting the local address
962 static int apparmor_socket_getsockname(struct socket
*sock
)
964 return aa_sock_perm(OP_GETSOCKNAME
, AA_MAY_GETATTR
, sock
);
968 * apparmor_socket_getpeername - check perms before getting remote address
970 static int apparmor_socket_getpeername(struct socket
*sock
)
972 return aa_sock_perm(OP_GETPEERNAME
, AA_MAY_GETATTR
, sock
);
976 * apparmor_getsockopt - check perms before getting socket options
978 static int apparmor_socket_getsockopt(struct socket
*sock
, int level
,
981 return aa_sock_opt_perm(OP_GETSOCKOPT
, AA_MAY_GETOPT
, sock
,
986 * apparmor_setsockopt - check perms before setting socket options
988 static int apparmor_socket_setsockopt(struct socket
*sock
, int level
,
991 return aa_sock_opt_perm(OP_SETSOCKOPT
, AA_MAY_SETOPT
, sock
,
996 * apparmor_socket_shutdown - check perms before shutting down @sock conn
998 static int apparmor_socket_shutdown(struct socket
*sock
, int how
)
1000 return aa_sock_perm(OP_SHUTDOWN
, AA_MAY_SHUTDOWN
, sock
);
1004 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
1006 * Note: can not sleep may be called with locks held
1008 * dont want protocol specific in __skb_recv_datagram()
1009 * to deny an incoming connection socket_sock_rcv_skb()
1011 static int apparmor_socket_sock_rcv_skb(struct sock
*sk
, struct sk_buff
*skb
)
1017 static struct aa_label
*sk_peer_label(struct sock
*sk
)
1019 struct sock
*peer_sk
;
1020 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1025 if (sk
->sk_family
!= PF_UNIX
)
1026 return ERR_PTR(-ENOPROTOOPT
);
1028 /* check for sockpair peering which does not go through
1029 * security_unix_stream_connect
1031 peer_sk
= unix_peer(sk
);
1033 ctx
= SK_CTX(peer_sk
);
1038 return ERR_PTR(-ENOPROTOOPT
);
1042 * apparmor_socket_getpeersec_stream - get security context of peer
1044 * Note: for tcp only valid if using ipsec or cipso on lan
1046 static int apparmor_socket_getpeersec_stream(struct socket
*sock
,
1047 char __user
*optval
,
1052 int slen
, error
= 0;
1053 struct aa_label
*label
;
1054 struct aa_label
*peer
;
1056 label
= begin_current_label_crit_section();
1057 peer
= sk_peer_label(sock
->sk
);
1059 error
= PTR_ERR(peer
);
1062 slen
= aa_label_asxprint(&name
, labels_ns(label
), peer
,
1063 FLAG_SHOW_MODE
| FLAG_VIEW_SUBNS
|
1064 FLAG_HIDDEN_UNCONFINED
, GFP_KERNEL
);
1065 /* don't include terminating \0 in slen, it breaks some apps */
1071 } else if (copy_to_user(optval
, name
, slen
)) {
1075 if (put_user(slen
, optlen
))
1083 end_current_label_crit_section(label
);
1089 * apparmor_socket_getpeersec_dgram - get security label of packet
1090 * @sock: the peer socket
1092 * @secid: pointer to where to put the secid of the packet
1094 * Sets the netlabel socket state on sk from parent
1096 static int apparmor_socket_getpeersec_dgram(struct socket
*sock
,
1097 struct sk_buff
*skb
, u32
*secid
)
1100 /* TODO: requires secid support */
1101 return -ENOPROTOOPT
;
1105 * apparmor_sock_graft - Initialize newly created socket
1107 * @parent: parent socket
1109 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1110 * just set sk security information off of current creating process label
1111 * Labeling of sk for accept case - probably should be sock based
1112 * instead of task, because of the case where an implicitly labeled
1113 * socket is shared by different tasks.
1115 static void apparmor_sock_graft(struct sock
*sk
, struct socket
*parent
)
1117 struct aa_sk_ctx
*ctx
= SK_CTX(sk
);
1120 ctx
->label
= aa_get_current_label();
1123 struct lsm_blob_sizes apparmor_blob_sizes
= {
1124 .lbs_cred
= sizeof(struct aa_task_ctx
),
1127 static struct security_hook_list apparmor_hooks
[] __lsm_ro_after_init
= {
1128 LSM_HOOK_INIT(ptrace_access_check
, apparmor_ptrace_access_check
),
1129 LSM_HOOK_INIT(ptrace_traceme
, apparmor_ptrace_traceme
),
1130 LSM_HOOK_INIT(capget
, apparmor_capget
),
1131 LSM_HOOK_INIT(capable
, apparmor_capable
),
1133 LSM_HOOK_INIT(sb_mount
, apparmor_sb_mount
),
1134 LSM_HOOK_INIT(sb_umount
, apparmor_sb_umount
),
1135 LSM_HOOK_INIT(sb_pivotroot
, apparmor_sb_pivotroot
),
1137 LSM_HOOK_INIT(path_link
, apparmor_path_link
),
1138 LSM_HOOK_INIT(path_unlink
, apparmor_path_unlink
),
1139 LSM_HOOK_INIT(path_symlink
, apparmor_path_symlink
),
1140 LSM_HOOK_INIT(path_mkdir
, apparmor_path_mkdir
),
1141 LSM_HOOK_INIT(path_rmdir
, apparmor_path_rmdir
),
1142 LSM_HOOK_INIT(path_mknod
, apparmor_path_mknod
),
1143 LSM_HOOK_INIT(path_rename
, apparmor_path_rename
),
1144 LSM_HOOK_INIT(path_chmod
, apparmor_path_chmod
),
1145 LSM_HOOK_INIT(path_chown
, apparmor_path_chown
),
1146 LSM_HOOK_INIT(path_truncate
, apparmor_path_truncate
),
1147 LSM_HOOK_INIT(inode_getattr
, apparmor_inode_getattr
),
1149 LSM_HOOK_INIT(file_open
, apparmor_file_open
),
1150 LSM_HOOK_INIT(file_receive
, apparmor_file_receive
),
1151 LSM_HOOK_INIT(file_permission
, apparmor_file_permission
),
1152 LSM_HOOK_INIT(file_alloc_security
, apparmor_file_alloc_security
),
1153 LSM_HOOK_INIT(file_free_security
, apparmor_file_free_security
),
1154 LSM_HOOK_INIT(mmap_file
, apparmor_mmap_file
),
1155 LSM_HOOK_INIT(file_mprotect
, apparmor_file_mprotect
),
1156 LSM_HOOK_INIT(file_lock
, apparmor_file_lock
),
1158 LSM_HOOK_INIT(getprocattr
, apparmor_getprocattr
),
1159 LSM_HOOK_INIT(setprocattr
, apparmor_setprocattr
),
1161 LSM_HOOK_INIT(sk_alloc_security
, apparmor_sk_alloc_security
),
1162 LSM_HOOK_INIT(sk_free_security
, apparmor_sk_free_security
),
1163 LSM_HOOK_INIT(sk_clone_security
, apparmor_sk_clone_security
),
1165 LSM_HOOK_INIT(unix_stream_connect
, apparmor_unix_stream_connect
),
1166 LSM_HOOK_INIT(unix_may_send
, apparmor_unix_may_send
),
1168 LSM_HOOK_INIT(socket_create
, apparmor_socket_create
),
1169 LSM_HOOK_INIT(socket_post_create
, apparmor_socket_post_create
),
1170 LSM_HOOK_INIT(socket_bind
, apparmor_socket_bind
),
1171 LSM_HOOK_INIT(socket_connect
, apparmor_socket_connect
),
1172 LSM_HOOK_INIT(socket_listen
, apparmor_socket_listen
),
1173 LSM_HOOK_INIT(socket_accept
, apparmor_socket_accept
),
1174 LSM_HOOK_INIT(socket_sendmsg
, apparmor_socket_sendmsg
),
1175 LSM_HOOK_INIT(socket_recvmsg
, apparmor_socket_recvmsg
),
1176 LSM_HOOK_INIT(socket_getsockname
, apparmor_socket_getsockname
),
1177 LSM_HOOK_INIT(socket_getpeername
, apparmor_socket_getpeername
),
1178 LSM_HOOK_INIT(socket_getsockopt
, apparmor_socket_getsockopt
),
1179 LSM_HOOK_INIT(socket_setsockopt
, apparmor_socket_setsockopt
),
1180 LSM_HOOK_INIT(socket_shutdown
, apparmor_socket_shutdown
),
1181 LSM_HOOK_INIT(socket_sock_rcv_skb
, apparmor_socket_sock_rcv_skb
),
1182 LSM_HOOK_INIT(socket_getpeersec_stream
,
1183 apparmor_socket_getpeersec_stream
),
1184 LSM_HOOK_INIT(socket_getpeersec_dgram
,
1185 apparmor_socket_getpeersec_dgram
),
1186 LSM_HOOK_INIT(sock_graft
, apparmor_sock_graft
),
1188 LSM_HOOK_INIT(cred_free
, apparmor_cred_free
),
1189 LSM_HOOK_INIT(cred_prepare
, apparmor_cred_prepare
),
1190 LSM_HOOK_INIT(cred_transfer
, apparmor_cred_transfer
),
1192 LSM_HOOK_INIT(bprm_set_creds
, apparmor_bprm_set_creds
),
1193 LSM_HOOK_INIT(bprm_committing_creds
, apparmor_bprm_committing_creds
),
1194 LSM_HOOK_INIT(bprm_committed_creds
, apparmor_bprm_committed_creds
),
1196 LSM_HOOK_INIT(task_setrlimit
, apparmor_task_setrlimit
),
1197 LSM_HOOK_INIT(task_kill
, apparmor_task_kill
),
1201 * AppArmor sysfs module parameters
1204 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
);
1205 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
);
1206 #define param_check_aabool param_check_bool
1207 static const struct kernel_param_ops param_ops_aabool
= {
1208 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
1209 .set
= param_set_aabool
,
1210 .get
= param_get_aabool
1213 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
);
1214 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
);
1215 #define param_check_aauint param_check_uint
1216 static const struct kernel_param_ops param_ops_aauint
= {
1217 .set
= param_set_aauint
,
1218 .get
= param_get_aauint
1221 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
);
1222 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
);
1223 #define param_check_aalockpolicy param_check_bool
1224 static const struct kernel_param_ops param_ops_aalockpolicy
= {
1225 .flags
= KERNEL_PARAM_OPS_FL_NOARG
,
1226 .set
= param_set_aalockpolicy
,
1227 .get
= param_get_aalockpolicy
1230 static int param_set_audit(const char *val
, const struct kernel_param
*kp
);
1231 static int param_get_audit(char *buffer
, const struct kernel_param
*kp
);
1233 static int param_set_mode(const char *val
, const struct kernel_param
*kp
);
1234 static int param_get_mode(char *buffer
, const struct kernel_param
*kp
);
1236 /* Flag values, also controllable via /sys/module/apparmor/parameters
1237 * We define special types as we want to do additional mediation.
1240 /* AppArmor global enforcement switch - complain, enforce, kill */
1241 enum profile_mode aa_g_profile_mode
= APPARMOR_ENFORCE
;
1242 module_param_call(mode
, param_set_mode
, param_get_mode
,
1243 &aa_g_profile_mode
, S_IRUSR
| S_IWUSR
);
1245 /* whether policy verification hashing is enabled */
1246 bool aa_g_hash_policy
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT
);
1247 #ifdef CONFIG_SECURITY_APPARMOR_HASH
1248 module_param_named(hash_policy
, aa_g_hash_policy
, aabool
, S_IRUSR
| S_IWUSR
);
1252 bool aa_g_debug
= IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES
);
1253 module_param_named(debug
, aa_g_debug
, aabool
, S_IRUSR
| S_IWUSR
);
1256 enum audit_mode aa_g_audit
;
1257 module_param_call(audit
, param_set_audit
, param_get_audit
,
1258 &aa_g_audit
, S_IRUSR
| S_IWUSR
);
1260 /* Determines if audit header is included in audited messages. This
1261 * provides more context if the audit daemon is not running
1263 bool aa_g_audit_header
= true;
1264 module_param_named(audit_header
, aa_g_audit_header
, aabool
,
1267 /* lock out loading/removal of policy
1268 * TODO: add in at boot loading of policy, which is the only way to
1269 * load policy, if lock_policy is set
1271 bool aa_g_lock_policy
;
1272 module_param_named(lock_policy
, aa_g_lock_policy
, aalockpolicy
,
1275 /* Syscall logging mode */
1276 bool aa_g_logsyscall
;
1277 module_param_named(logsyscall
, aa_g_logsyscall
, aabool
, S_IRUSR
| S_IWUSR
);
1279 /* Maximum pathname length before accesses will start getting rejected */
1280 unsigned int aa_g_path_max
= 2 * PATH_MAX
;
1281 module_param_named(path_max
, aa_g_path_max
, aauint
, S_IRUSR
);
1283 /* Determines how paranoid loading of policy is and how much verification
1284 * on the loaded policy is done.
1285 * DEPRECATED: read only as strict checking of load is always done now
1286 * that none root users (user namespaces) can load policy.
1288 bool aa_g_paranoid_load
= true;
1289 module_param_named(paranoid_load
, aa_g_paranoid_load
, aabool
, S_IRUGO
);
1291 /* Boot time disable flag */
1292 static bool apparmor_enabled
= CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE
;
1293 module_param_named(enabled
, apparmor_enabled
, bool, S_IRUGO
);
1295 static int __init
apparmor_enabled_setup(char *str
)
1297 unsigned long enabled
;
1298 int error
= kstrtoul(str
, 0, &enabled
);
1300 apparmor_enabled
= enabled
? 1 : 0;
1304 __setup("apparmor=", apparmor_enabled_setup
);
1306 /* set global flag turning off the ability to load policy */
1307 static int param_set_aalockpolicy(const char *val
, const struct kernel_param
*kp
)
1309 if (!apparmor_enabled
)
1311 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1313 return param_set_bool(val
, kp
);
1316 static int param_get_aalockpolicy(char *buffer
, const struct kernel_param
*kp
)
1318 if (!apparmor_enabled
)
1320 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1322 return param_get_bool(buffer
, kp
);
1325 static int param_set_aabool(const char *val
, const struct kernel_param
*kp
)
1327 if (!apparmor_enabled
)
1329 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1331 return param_set_bool(val
, kp
);
1334 static int param_get_aabool(char *buffer
, const struct kernel_param
*kp
)
1336 if (!apparmor_enabled
)
1338 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1340 return param_get_bool(buffer
, kp
);
1343 static int param_set_aauint(const char *val
, const struct kernel_param
*kp
)
1347 if (!apparmor_enabled
)
1349 /* file is ro but enforce 2nd line check */
1350 if (apparmor_initialized
)
1353 error
= param_set_uint(val
, kp
);
1354 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max
);
1359 static int param_get_aauint(char *buffer
, const struct kernel_param
*kp
)
1361 if (!apparmor_enabled
)
1363 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1365 return param_get_uint(buffer
, kp
);
1368 static int param_get_audit(char *buffer
, const struct kernel_param
*kp
)
1370 if (!apparmor_enabled
)
1372 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1374 return sprintf(buffer
, "%s", audit_mode_names
[aa_g_audit
]);
1377 static int param_set_audit(const char *val
, const struct kernel_param
*kp
)
1381 if (!apparmor_enabled
)
1385 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1388 for (i
= 0; i
< AUDIT_MAX_INDEX
; i
++) {
1389 if (strcmp(val
, audit_mode_names
[i
]) == 0) {
1398 static int param_get_mode(char *buffer
, const struct kernel_param
*kp
)
1400 if (!apparmor_enabled
)
1402 if (apparmor_initialized
&& !policy_view_capable(NULL
))
1405 return sprintf(buffer
, "%s", aa_profile_mode_names
[aa_g_profile_mode
]);
1408 static int param_set_mode(const char *val
, const struct kernel_param
*kp
)
1412 if (!apparmor_enabled
)
1416 if (apparmor_initialized
&& !policy_admin_capable(NULL
))
1419 for (i
= 0; i
< APPARMOR_MODE_NAMES_MAX_INDEX
; i
++) {
1420 if (strcmp(val
, aa_profile_mode_names
[i
]) == 0) {
1421 aa_g_profile_mode
= i
;
1430 * AppArmor init functions
1434 * set_init_ctx - set a task context and profile on the first task.
1436 * TODO: allow setting an alternate profile than unconfined
1438 static int __init
set_init_ctx(void)
1440 struct cred
*cred
= (struct cred
*)current
->real_cred
;
1441 struct aa_task_ctx
*ctx
;
1443 lsm_early_cred(cred
);
1444 ctx
= apparmor_cred(cred
);
1446 ctx
->label
= aa_get_label(ns_unconfined(root_ns
));
1451 static void destroy_buffers(void)
1455 for_each_possible_cpu(i
) {
1456 for_each_cpu_buffer(j
) {
1457 kfree(per_cpu(aa_buffers
, i
).buf
[j
]);
1458 per_cpu(aa_buffers
, i
).buf
[j
] = NULL
;
1463 static int __init
alloc_buffers(void)
1467 for_each_possible_cpu(i
) {
1468 for_each_cpu_buffer(j
) {
1471 if (cpu_to_node(i
) > num_online_nodes())
1472 /* fallback to kmalloc for offline nodes */
1473 buffer
= kmalloc(aa_g_path_max
, GFP_KERNEL
);
1475 buffer
= kmalloc_node(aa_g_path_max
, GFP_KERNEL
,
1481 per_cpu(aa_buffers
, i
).buf
[j
] = buffer
;
1488 #ifdef CONFIG_SYSCTL
1489 static int apparmor_dointvec(struct ctl_table
*table
, int write
,
1490 void __user
*buffer
, size_t *lenp
, loff_t
*ppos
)
1492 if (!policy_admin_capable(NULL
))
1494 if (!apparmor_enabled
)
1497 return proc_dointvec(table
, write
, buffer
, lenp
, ppos
);
1500 static struct ctl_path apparmor_sysctl_path
[] = {
1501 { .procname
= "kernel", },
1505 static struct ctl_table apparmor_sysctl_table
[] = {
1507 .procname
= "unprivileged_userns_apparmor_policy",
1508 .data
= &unprivileged_userns_apparmor_policy
,
1509 .maxlen
= sizeof(int),
1511 .proc_handler
= apparmor_dointvec
,
1516 static int __init
apparmor_init_sysctl(void)
1518 return register_sysctl_paths(apparmor_sysctl_path
,
1519 apparmor_sysctl_table
) ? 0 : -ENOMEM
;
1522 static inline int apparmor_init_sysctl(void)
1526 #endif /* CONFIG_SYSCTL */
1528 static int __init
apparmor_init(void)
1534 if (apparmor_enabled
&& security_module_enable("apparmor"))
1535 security_add_blobs(&apparmor_blob_sizes
);
1537 apparmor_enabled
= false;
1542 if (!apparmor_enabled
|| !security_module_enable("apparmor")) {
1543 aa_info_message("AppArmor disabled by boot time parameter");
1544 apparmor_enabled
= false;
1548 error
= aa_setup_dfa_engine();
1550 AA_ERROR("Unable to setup dfa engine\n");
1554 error
= aa_alloc_root_ns();
1556 AA_ERROR("Unable to allocate default profile namespace\n");
1560 error
= apparmor_init_sysctl();
1562 AA_ERROR("Unable to register sysctls\n");
1567 error
= alloc_buffers();
1569 AA_ERROR("Unable to allocate work buffers\n");
1573 error
= set_init_ctx();
1575 AA_ERROR("Failed to set context on init task\n");
1579 security_add_hooks(apparmor_hooks
, ARRAY_SIZE(apparmor_hooks
),
1582 /* Report that AppArmor successfully initialized */
1583 apparmor_initialized
= 1;
1584 if (aa_g_profile_mode
== APPARMOR_COMPLAIN
)
1585 aa_info_message("AppArmor initialized: complain mode enabled");
1586 else if (aa_g_profile_mode
== APPARMOR_KILL
)
1587 aa_info_message("AppArmor initialized: kill mode enabled");
1589 aa_info_message("AppArmor initialized");
1598 aa_teardown_dfa_engine();
1600 apparmor_enabled
= false;
1604 security_initcall(apparmor_init
);