Loading...
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor LSM hooks.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/security.h>
16#include <linux/moduleparam.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/mount.h>
20#include <linux/namei.h>
21#include <linux/ptrace.h>
22#include <linux/ctype.h>
23#include <linux/sysctl.h>
24#include <linux/audit.h>
25#include <linux/user_namespace.h>
26#include <net/sock.h>
27
28#include "include/apparmor.h"
29#include "include/apparmorfs.h"
30#include "include/audit.h"
31#include "include/capability.h"
32#include "include/context.h"
33#include "include/file.h"
34#include "include/ipc.h"
35#include "include/path.h"
36#include "include/policy.h"
37#include "include/procattr.h"
38
39/* Flag indicating whether initialization completed */
40int apparmor_initialized __initdata;
41
42/*
43 * LSM hook functions
44 */
45
46/*
47 * free the associated aa_task_cxt and put its profiles
48 */
49static void apparmor_cred_free(struct cred *cred)
50{
51 aa_free_task_context(cred->security);
52 cred->security = NULL;
53}
54
55/*
56 * allocate the apparmor part of blank credentials
57 */
58static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
59{
60 /* freed by apparmor_cred_free */
61 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
62 if (!cxt)
63 return -ENOMEM;
64
65 cred->security = cxt;
66 return 0;
67}
68
69/*
70 * prepare new aa_task_cxt for modification by prepare_cred block
71 */
72static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
73 gfp_t gfp)
74{
75 /* freed by apparmor_cred_free */
76 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
77 if (!cxt)
78 return -ENOMEM;
79
80 aa_dup_task_context(cxt, old->security);
81 new->security = cxt;
82 return 0;
83}
84
85/*
86 * transfer the apparmor data to a blank set of creds
87 */
88static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
89{
90 const struct aa_task_cxt *old_cxt = old->security;
91 struct aa_task_cxt *new_cxt = new->security;
92
93 aa_dup_task_context(new_cxt, old_cxt);
94}
95
96static int apparmor_ptrace_access_check(struct task_struct *child,
97 unsigned int mode)
98{
99 int error = cap_ptrace_access_check(child, mode);
100 if (error)
101 return error;
102
103 return aa_ptrace(current, child, mode);
104}
105
106static int apparmor_ptrace_traceme(struct task_struct *parent)
107{
108 int error = cap_ptrace_traceme(parent);
109 if (error)
110 return error;
111
112 return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
113}
114
115/* Derived from security/commoncap.c:cap_capget */
116static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
117 kernel_cap_t *inheritable, kernel_cap_t *permitted)
118{
119 struct aa_profile *profile;
120 const struct cred *cred;
121
122 rcu_read_lock();
123 cred = __task_cred(target);
124 profile = aa_cred_profile(cred);
125
126 *effective = cred->cap_effective;
127 *inheritable = cred->cap_inheritable;
128 *permitted = cred->cap_permitted;
129
130 if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
131 *effective = cap_intersect(*effective, profile->caps.allow);
132 *permitted = cap_intersect(*permitted, profile->caps.allow);
133 }
134 rcu_read_unlock();
135
136 return 0;
137}
138
139static int apparmor_capable(struct task_struct *task, const struct cred *cred,
140 struct user_namespace *ns, int cap, int audit)
141{
142 struct aa_profile *profile;
143 /* cap_capable returns 0 on success, else -EPERM */
144 int error = cap_capable(task, cred, ns, cap, audit);
145 if (!error) {
146 profile = aa_cred_profile(cred);
147 if (!unconfined(profile))
148 error = aa_capable(task, profile, cap, audit);
149 }
150 return error;
151}
152
153/**
154 * common_perm - basic common permission check wrapper fn for paths
155 * @op: operation being checked
156 * @path: path to check permission of (NOT NULL)
157 * @mask: requested permissions mask
158 * @cond: conditional info for the permission request (NOT NULL)
159 *
160 * Returns: %0 else error code if error or permission denied
161 */
162static int common_perm(int op, struct path *path, u32 mask,
163 struct path_cond *cond)
164{
165 struct aa_profile *profile;
166 int error = 0;
167
168 profile = __aa_current_profile();
169 if (!unconfined(profile))
170 error = aa_path_perm(op, profile, path, 0, mask, cond);
171
172 return error;
173}
174
175/**
176 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
177 * @op: operation being checked
178 * @dir: directory of the dentry (NOT NULL)
179 * @dentry: dentry to check (NOT NULL)
180 * @mask: requested permissions mask
181 * @cond: conditional info for the permission request (NOT NULL)
182 *
183 * Returns: %0 else error code if error or permission denied
184 */
185static int common_perm_dir_dentry(int op, struct path *dir,
186 struct dentry *dentry, u32 mask,
187 struct path_cond *cond)
188{
189 struct path path = { dir->mnt, dentry };
190
191 return common_perm(op, &path, mask, cond);
192}
193
194/**
195 * common_perm_mnt_dentry - common permission wrapper when mnt, dentry
196 * @op: operation being checked
197 * @mnt: mount point of dentry (NOT NULL)
198 * @dentry: dentry to check (NOT NULL)
199 * @mask: requested permissions mask
200 *
201 * Returns: %0 else error code if error or permission denied
202 */
203static int common_perm_mnt_dentry(int op, struct vfsmount *mnt,
204 struct dentry *dentry, u32 mask)
205{
206 struct path path = { mnt, dentry };
207 struct path_cond cond = { dentry->d_inode->i_uid,
208 dentry->d_inode->i_mode
209 };
210
211 return common_perm(op, &path, mask, &cond);
212}
213
214/**
215 * common_perm_rm - common permission wrapper for operations doing rm
216 * @op: operation being checked
217 * @dir: directory that the dentry is in (NOT NULL)
218 * @dentry: dentry being rm'd (NOT NULL)
219 * @mask: requested permission mask
220 *
221 * Returns: %0 else error code if error or permission denied
222 */
223static int common_perm_rm(int op, struct path *dir,
224 struct dentry *dentry, u32 mask)
225{
226 struct inode *inode = dentry->d_inode;
227 struct path_cond cond = { };
228
229 if (!inode || !dir->mnt || !mediated_filesystem(inode))
230 return 0;
231
232 cond.uid = inode->i_uid;
233 cond.mode = inode->i_mode;
234
235 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
236}
237
238/**
239 * common_perm_create - common permission wrapper for operations doing create
240 * @op: operation being checked
241 * @dir: directory that dentry will be created in (NOT NULL)
242 * @dentry: dentry to create (NOT NULL)
243 * @mask: request permission mask
244 * @mode: created file mode
245 *
246 * Returns: %0 else error code if error or permission denied
247 */
248static int common_perm_create(int op, struct path *dir, struct dentry *dentry,
249 u32 mask, umode_t mode)
250{
251 struct path_cond cond = { current_fsuid(), mode };
252
253 if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode))
254 return 0;
255
256 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
257}
258
259static int apparmor_path_unlink(struct path *dir, struct dentry *dentry)
260{
261 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
262}
263
264static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry,
265 int mode)
266{
267 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
268 S_IFDIR);
269}
270
271static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry)
272{
273 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
274}
275
276static int apparmor_path_mknod(struct path *dir, struct dentry *dentry,
277 int mode, unsigned int dev)
278{
279 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
280}
281
282static int apparmor_path_truncate(struct path *path)
283{
284 struct path_cond cond = { path->dentry->d_inode->i_uid,
285 path->dentry->d_inode->i_mode
286 };
287
288 if (!path->mnt || !mediated_filesystem(path->dentry->d_inode))
289 return 0;
290
291 return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE,
292 &cond);
293}
294
295static int apparmor_path_symlink(struct path *dir, struct dentry *dentry,
296 const char *old_name)
297{
298 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
299 S_IFLNK);
300}
301
302static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir,
303 struct dentry *new_dentry)
304{
305 struct aa_profile *profile;
306 int error = 0;
307
308 if (!mediated_filesystem(old_dentry->d_inode))
309 return 0;
310
311 profile = aa_current_profile();
312 if (!unconfined(profile))
313 error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
314 return error;
315}
316
317static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
318 struct path *new_dir, struct dentry *new_dentry)
319{
320 struct aa_profile *profile;
321 int error = 0;
322
323 if (!mediated_filesystem(old_dentry->d_inode))
324 return 0;
325
326 profile = aa_current_profile();
327 if (!unconfined(profile)) {
328 struct path old_path = { old_dir->mnt, old_dentry };
329 struct path new_path = { new_dir->mnt, new_dentry };
330 struct path_cond cond = { old_dentry->d_inode->i_uid,
331 old_dentry->d_inode->i_mode
332 };
333
334 error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
335 MAY_READ | AA_MAY_META_READ | MAY_WRITE |
336 AA_MAY_META_WRITE | AA_MAY_DELETE,
337 &cond);
338 if (!error)
339 error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
340 0, MAY_WRITE | AA_MAY_META_WRITE |
341 AA_MAY_CREATE, &cond);
342
343 }
344 return error;
345}
346
347static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
348 mode_t mode)
349{
350 if (!mediated_filesystem(dentry->d_inode))
351 return 0;
352
353 return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD);
354}
355
356static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid)
357{
358 struct path_cond cond = { path->dentry->d_inode->i_uid,
359 path->dentry->d_inode->i_mode
360 };
361
362 if (!mediated_filesystem(path->dentry->d_inode))
363 return 0;
364
365 return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond);
366}
367
368static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
369{
370 if (!mediated_filesystem(dentry->d_inode))
371 return 0;
372
373 return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry,
374 AA_MAY_META_READ);
375}
376
377static int apparmor_dentry_open(struct file *file, const struct cred *cred)
378{
379 struct aa_file_cxt *fcxt = file->f_security;
380 struct aa_profile *profile;
381 int error = 0;
382
383 if (!mediated_filesystem(file->f_path.dentry->d_inode))
384 return 0;
385
386 /* If in exec, permission is handled by bprm hooks.
387 * Cache permissions granted by the previous exec check, with
388 * implicit read and executable mmap which are required to
389 * actually execute the image.
390 */
391 if (current->in_execve) {
392 fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
393 return 0;
394 }
395
396 profile = aa_cred_profile(cred);
397 if (!unconfined(profile)) {
398 struct inode *inode = file->f_path.dentry->d_inode;
399 struct path_cond cond = { inode->i_uid, inode->i_mode };
400
401 error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
402 aa_map_file_to_perms(file), &cond);
403 /* todo cache full allowed permissions set and state */
404 fcxt->allow = aa_map_file_to_perms(file);
405 }
406
407 return error;
408}
409
410static int apparmor_file_alloc_security(struct file *file)
411{
412 /* freed by apparmor_file_free_security */
413 file->f_security = aa_alloc_file_context(GFP_KERNEL);
414 if (!file->f_security)
415 return -ENOMEM;
416 return 0;
417
418}
419
420static void apparmor_file_free_security(struct file *file)
421{
422 struct aa_file_cxt *cxt = file->f_security;
423
424 aa_free_file_context(cxt);
425}
426
427static int common_file_perm(int op, struct file *file, u32 mask)
428{
429 struct aa_file_cxt *fcxt = file->f_security;
430 struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
431 int error = 0;
432
433 BUG_ON(!fprofile);
434
435 if (!file->f_path.mnt ||
436 !mediated_filesystem(file->f_path.dentry->d_inode))
437 return 0;
438
439 profile = __aa_current_profile();
440
441 /* revalidate access, if task is unconfined, or the cached cred
442 * doesn't match or if the request is for more permissions than
443 * was granted.
444 *
445 * Note: the test for !unconfined(fprofile) is to handle file
446 * delegation from unconfined tasks
447 */
448 if (!unconfined(profile) && !unconfined(fprofile) &&
449 ((fprofile != profile) || (mask & ~fcxt->allow)))
450 error = aa_file_perm(op, profile, file, mask);
451
452 return error;
453}
454
455static int apparmor_file_permission(struct file *file, int mask)
456{
457 return common_file_perm(OP_FPERM, file, mask);
458}
459
460static int apparmor_file_lock(struct file *file, unsigned int cmd)
461{
462 u32 mask = AA_MAY_LOCK;
463
464 if (cmd == F_WRLCK)
465 mask |= MAY_WRITE;
466
467 return common_file_perm(OP_FLOCK, file, mask);
468}
469
470static int common_mmap(int op, struct file *file, unsigned long prot,
471 unsigned long flags)
472{
473 struct dentry *dentry;
474 int mask = 0;
475
476 if (!file || !file->f_security)
477 return 0;
478
479 if (prot & PROT_READ)
480 mask |= MAY_READ;
481 /*
482 * Private mappings don't require write perms since they don't
483 * write back to the files
484 */
485 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
486 mask |= MAY_WRITE;
487 if (prot & PROT_EXEC)
488 mask |= AA_EXEC_MMAP;
489
490 dentry = file->f_path.dentry;
491 return common_file_perm(op, file, mask);
492}
493
494static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
495 unsigned long prot, unsigned long flags,
496 unsigned long addr, unsigned long addr_only)
497{
498 int rc = 0;
499
500 /* do DAC check */
501 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
502 if (rc || addr_only)
503 return rc;
504
505 return common_mmap(OP_FMMAP, file, prot, flags);
506}
507
508static int apparmor_file_mprotect(struct vm_area_struct *vma,
509 unsigned long reqprot, unsigned long prot)
510{
511 return common_mmap(OP_FMPROT, vma->vm_file, prot,
512 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
513}
514
515static int apparmor_getprocattr(struct task_struct *task, char *name,
516 char **value)
517{
518 int error = -ENOENT;
519 struct aa_profile *profile;
520 /* released below */
521 const struct cred *cred = get_task_cred(task);
522 struct aa_task_cxt *cxt = cred->security;
523 profile = aa_cred_profile(cred);
524
525 if (strcmp(name, "current") == 0)
526 error = aa_getprocattr(aa_newest_version(cxt->profile),
527 value);
528 else if (strcmp(name, "prev") == 0 && cxt->previous)
529 error = aa_getprocattr(aa_newest_version(cxt->previous),
530 value);
531 else if (strcmp(name, "exec") == 0 && cxt->onexec)
532 error = aa_getprocattr(aa_newest_version(cxt->onexec),
533 value);
534 else
535 error = -EINVAL;
536
537 put_cred(cred);
538
539 return error;
540}
541
542static int apparmor_setprocattr(struct task_struct *task, char *name,
543 void *value, size_t size)
544{
545 char *command, *args = value;
546 size_t arg_size;
547 int error;
548
549 if (size == 0)
550 return -EINVAL;
551 /* args points to a PAGE_SIZE buffer, AppArmor requires that
552 * the buffer must be null terminated or have size <= PAGE_SIZE -1
553 * so that AppArmor can null terminate them
554 */
555 if (args[size - 1] != '\0') {
556 if (size == PAGE_SIZE)
557 return -EINVAL;
558 args[size] = '\0';
559 }
560
561 /* task can only write its own attributes */
562 if (current != task)
563 return -EACCES;
564
565 args = value;
566 args = strim(args);
567 command = strsep(&args, " ");
568 if (!args)
569 return -EINVAL;
570 args = skip_spaces(args);
571 if (!*args)
572 return -EINVAL;
573
574 arg_size = size - (args - (char *) value);
575 if (strcmp(name, "current") == 0) {
576 if (strcmp(command, "changehat") == 0) {
577 error = aa_setprocattr_changehat(args, arg_size,
578 !AA_DO_TEST);
579 } else if (strcmp(command, "permhat") == 0) {
580 error = aa_setprocattr_changehat(args, arg_size,
581 AA_DO_TEST);
582 } else if (strcmp(command, "changeprofile") == 0) {
583 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
584 !AA_DO_TEST);
585 } else if (strcmp(command, "permprofile") == 0) {
586 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
587 AA_DO_TEST);
588 } else if (strcmp(command, "permipc") == 0) {
589 error = aa_setprocattr_permipc(args);
590 } else {
591 struct common_audit_data sa;
592 COMMON_AUDIT_DATA_INIT(&sa, NONE);
593 sa.aad.op = OP_SETPROCATTR;
594 sa.aad.info = name;
595 sa.aad.error = -EINVAL;
596 return aa_audit(AUDIT_APPARMOR_DENIED,
597 __aa_current_profile(), GFP_KERNEL,
598 &sa, NULL);
599 }
600 } else if (strcmp(name, "exec") == 0) {
601 error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
602 !AA_DO_TEST);
603 } else {
604 /* only support the "current" and "exec" process attributes */
605 return -EINVAL;
606 }
607 if (!error)
608 error = size;
609 return error;
610}
611
612static int apparmor_task_setrlimit(struct task_struct *task,
613 unsigned int resource, struct rlimit *new_rlim)
614{
615 struct aa_profile *profile = __aa_current_profile();
616 int error = 0;
617
618 if (!unconfined(profile))
619 error = aa_task_setrlimit(profile, task, resource, new_rlim);
620
621 return error;
622}
623
624static struct security_operations apparmor_ops = {
625 .name = "apparmor",
626
627 .ptrace_access_check = apparmor_ptrace_access_check,
628 .ptrace_traceme = apparmor_ptrace_traceme,
629 .capget = apparmor_capget,
630 .capable = apparmor_capable,
631
632 .path_link = apparmor_path_link,
633 .path_unlink = apparmor_path_unlink,
634 .path_symlink = apparmor_path_symlink,
635 .path_mkdir = apparmor_path_mkdir,
636 .path_rmdir = apparmor_path_rmdir,
637 .path_mknod = apparmor_path_mknod,
638 .path_rename = apparmor_path_rename,
639 .path_chmod = apparmor_path_chmod,
640 .path_chown = apparmor_path_chown,
641 .path_truncate = apparmor_path_truncate,
642 .dentry_open = apparmor_dentry_open,
643 .inode_getattr = apparmor_inode_getattr,
644
645 .file_permission = apparmor_file_permission,
646 .file_alloc_security = apparmor_file_alloc_security,
647 .file_free_security = apparmor_file_free_security,
648 .file_mmap = apparmor_file_mmap,
649 .file_mprotect = apparmor_file_mprotect,
650 .file_lock = apparmor_file_lock,
651
652 .getprocattr = apparmor_getprocattr,
653 .setprocattr = apparmor_setprocattr,
654
655 .cred_alloc_blank = apparmor_cred_alloc_blank,
656 .cred_free = apparmor_cred_free,
657 .cred_prepare = apparmor_cred_prepare,
658 .cred_transfer = apparmor_cred_transfer,
659
660 .bprm_set_creds = apparmor_bprm_set_creds,
661 .bprm_committing_creds = apparmor_bprm_committing_creds,
662 .bprm_committed_creds = apparmor_bprm_committed_creds,
663 .bprm_secureexec = apparmor_bprm_secureexec,
664
665 .task_setrlimit = apparmor_task_setrlimit,
666};
667
668/*
669 * AppArmor sysfs module parameters
670 */
671
672static int param_set_aabool(const char *val, const struct kernel_param *kp);
673static int param_get_aabool(char *buffer, const struct kernel_param *kp);
674#define param_check_aabool(name, p) __param_check(name, p, int)
675static struct kernel_param_ops param_ops_aabool = {
676 .set = param_set_aabool,
677 .get = param_get_aabool
678};
679
680static int param_set_aauint(const char *val, const struct kernel_param *kp);
681static int param_get_aauint(char *buffer, const struct kernel_param *kp);
682#define param_check_aauint(name, p) __param_check(name, p, int)
683static struct kernel_param_ops param_ops_aauint = {
684 .set = param_set_aauint,
685 .get = param_get_aauint
686};
687
688static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
689static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
690#define param_check_aalockpolicy(name, p) __param_check(name, p, int)
691static struct kernel_param_ops param_ops_aalockpolicy = {
692 .set = param_set_aalockpolicy,
693 .get = param_get_aalockpolicy
694};
695
696static int param_set_audit(const char *val, struct kernel_param *kp);
697static int param_get_audit(char *buffer, struct kernel_param *kp);
698
699static int param_set_mode(const char *val, struct kernel_param *kp);
700static int param_get_mode(char *buffer, struct kernel_param *kp);
701
702/* Flag values, also controllable via /sys/module/apparmor/parameters
703 * We define special types as we want to do additional mediation.
704 */
705
706/* AppArmor global enforcement switch - complain, enforce, kill */
707enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
708module_param_call(mode, param_set_mode, param_get_mode,
709 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
710
711/* Debug mode */
712int aa_g_debug;
713module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
714
715/* Audit mode */
716enum audit_mode aa_g_audit;
717module_param_call(audit, param_set_audit, param_get_audit,
718 &aa_g_audit, S_IRUSR | S_IWUSR);
719
720/* Determines if audit header is included in audited messages. This
721 * provides more context if the audit daemon is not running
722 */
723int aa_g_audit_header = 1;
724module_param_named(audit_header, aa_g_audit_header, aabool,
725 S_IRUSR | S_IWUSR);
726
727/* lock out loading/removal of policy
728 * TODO: add in at boot loading of policy, which is the only way to
729 * load policy, if lock_policy is set
730 */
731int aa_g_lock_policy;
732module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
733 S_IRUSR | S_IWUSR);
734
735/* Syscall logging mode */
736int aa_g_logsyscall;
737module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
738
739/* Maximum pathname length before accesses will start getting rejected */
740unsigned int aa_g_path_max = 2 * PATH_MAX;
741module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
742
743/* Determines how paranoid loading of policy is and how much verification
744 * on the loaded policy is done.
745 */
746int aa_g_paranoid_load = 1;
747module_param_named(paranoid_load, aa_g_paranoid_load, aabool,
748 S_IRUSR | S_IWUSR);
749
750/* Boot time disable flag */
751static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
752module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR);
753
754static int __init apparmor_enabled_setup(char *str)
755{
756 unsigned long enabled;
757 int error = strict_strtoul(str, 0, &enabled);
758 if (!error)
759 apparmor_enabled = enabled ? 1 : 0;
760 return 1;
761}
762
763__setup("apparmor=", apparmor_enabled_setup);
764
765/* set global flag turning off the ability to load policy */
766static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
767{
768 if (!capable(CAP_MAC_ADMIN))
769 return -EPERM;
770 if (aa_g_lock_policy)
771 return -EACCES;
772 return param_set_bool(val, kp);
773}
774
775static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
776{
777 if (!capable(CAP_MAC_ADMIN))
778 return -EPERM;
779 return param_get_bool(buffer, kp);
780}
781
782static int param_set_aabool(const char *val, const struct kernel_param *kp)
783{
784 if (!capable(CAP_MAC_ADMIN))
785 return -EPERM;
786 return param_set_bool(val, kp);
787}
788
789static int param_get_aabool(char *buffer, const struct kernel_param *kp)
790{
791 if (!capable(CAP_MAC_ADMIN))
792 return -EPERM;
793 return param_get_bool(buffer, kp);
794}
795
796static int param_set_aauint(const char *val, const struct kernel_param *kp)
797{
798 if (!capable(CAP_MAC_ADMIN))
799 return -EPERM;
800 return param_set_uint(val, kp);
801}
802
803static int param_get_aauint(char *buffer, const struct kernel_param *kp)
804{
805 if (!capable(CAP_MAC_ADMIN))
806 return -EPERM;
807 return param_get_uint(buffer, kp);
808}
809
810static int param_get_audit(char *buffer, struct kernel_param *kp)
811{
812 if (!capable(CAP_MAC_ADMIN))
813 return -EPERM;
814
815 if (!apparmor_enabled)
816 return -EINVAL;
817
818 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
819}
820
821static int param_set_audit(const char *val, struct kernel_param *kp)
822{
823 int i;
824 if (!capable(CAP_MAC_ADMIN))
825 return -EPERM;
826
827 if (!apparmor_enabled)
828 return -EINVAL;
829
830 if (!val)
831 return -EINVAL;
832
833 for (i = 0; i < AUDIT_MAX_INDEX; i++) {
834 if (strcmp(val, audit_mode_names[i]) == 0) {
835 aa_g_audit = i;
836 return 0;
837 }
838 }
839
840 return -EINVAL;
841}
842
843static int param_get_mode(char *buffer, struct kernel_param *kp)
844{
845 if (!capable(CAP_MAC_ADMIN))
846 return -EPERM;
847
848 if (!apparmor_enabled)
849 return -EINVAL;
850
851 return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]);
852}
853
854static int param_set_mode(const char *val, struct kernel_param *kp)
855{
856 int i;
857 if (!capable(CAP_MAC_ADMIN))
858 return -EPERM;
859
860 if (!apparmor_enabled)
861 return -EINVAL;
862
863 if (!val)
864 return -EINVAL;
865
866 for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) {
867 if (strcmp(val, profile_mode_names[i]) == 0) {
868 aa_g_profile_mode = i;
869 return 0;
870 }
871 }
872
873 return -EINVAL;
874}
875
876/*
877 * AppArmor init functions
878 */
879
880/**
881 * set_init_cxt - set a task context and profile on the first task.
882 *
883 * TODO: allow setting an alternate profile than unconfined
884 */
885static int __init set_init_cxt(void)
886{
887 struct cred *cred = (struct cred *)current->real_cred;
888 struct aa_task_cxt *cxt;
889
890 cxt = aa_alloc_task_context(GFP_KERNEL);
891 if (!cxt)
892 return -ENOMEM;
893
894 cxt->profile = aa_get_profile(root_ns->unconfined);
895 cred->security = cxt;
896
897 return 0;
898}
899
900static int __init apparmor_init(void)
901{
902 int error;
903
904 if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
905 aa_info_message("AppArmor disabled by boot time parameter");
906 apparmor_enabled = 0;
907 return 0;
908 }
909
910 error = aa_alloc_root_ns();
911 if (error) {
912 AA_ERROR("Unable to allocate default profile namespace\n");
913 goto alloc_out;
914 }
915
916 error = set_init_cxt();
917 if (error) {
918 AA_ERROR("Failed to set context on init task\n");
919 goto register_security_out;
920 }
921
922 error = register_security(&apparmor_ops);
923 if (error) {
924 AA_ERROR("Unable to register AppArmor\n");
925 goto set_init_cxt_out;
926 }
927
928 /* Report that AppArmor successfully initialized */
929 apparmor_initialized = 1;
930 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
931 aa_info_message("AppArmor initialized: complain mode enabled");
932 else if (aa_g_profile_mode == APPARMOR_KILL)
933 aa_info_message("AppArmor initialized: kill mode enabled");
934 else
935 aa_info_message("AppArmor initialized");
936
937 return error;
938
939set_init_cxt_out:
940 aa_free_task_context(current->real_cred->security);
941
942register_security_out:
943 aa_free_root_ns();
944
945alloc_out:
946 aa_destroy_aafs();
947
948 apparmor_enabled = 0;
949 return error;
950}
951
952security_initcall(apparmor_init);
1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor LSM hooks.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11#include <linux/lsm_hooks.h>
12#include <linux/moduleparam.h>
13#include <linux/mm.h>
14#include <linux/mman.h>
15#include <linux/mount.h>
16#include <linux/namei.h>
17#include <linux/ptrace.h>
18#include <linux/ctype.h>
19#include <linux/sysctl.h>
20#include <linux/audit.h>
21#include <linux/user_namespace.h>
22#include <linux/netfilter_ipv4.h>
23#include <linux/netfilter_ipv6.h>
24#include <linux/zlib.h>
25#include <net/sock.h>
26#include <uapi/linux/mount.h>
27
28#include "include/apparmor.h"
29#include "include/apparmorfs.h"
30#include "include/audit.h"
31#include "include/capability.h"
32#include "include/cred.h"
33#include "include/file.h"
34#include "include/ipc.h"
35#include "include/net.h"
36#include "include/path.h"
37#include "include/label.h"
38#include "include/policy.h"
39#include "include/policy_ns.h"
40#include "include/procattr.h"
41#include "include/mount.h"
42#include "include/secid.h"
43
44/* Flag indicating whether initialization completed */
45int apparmor_initialized;
46
47union aa_buffer {
48 struct list_head list;
49 char buffer[1];
50};
51
52#define RESERVE_COUNT 2
53static int reserve_count = RESERVE_COUNT;
54static int buffer_count;
55
56static LIST_HEAD(aa_global_buffers);
57static DEFINE_SPINLOCK(aa_buffers_lock);
58
59/*
60 * LSM hook functions
61 */
62
63/*
64 * put the associated labels
65 */
66static void apparmor_cred_free(struct cred *cred)
67{
68 aa_put_label(cred_label(cred));
69 set_cred_label(cred, NULL);
70}
71
72/*
73 * allocate the apparmor part of blank credentials
74 */
75static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
76{
77 set_cred_label(cred, NULL);
78 return 0;
79}
80
81/*
82 * prepare new cred label for modification by prepare_cred block
83 */
84static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
85 gfp_t gfp)
86{
87 set_cred_label(new, aa_get_newest_label(cred_label(old)));
88 return 0;
89}
90
91/*
92 * transfer the apparmor data to a blank set of creds
93 */
94static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
95{
96 set_cred_label(new, aa_get_newest_label(cred_label(old)));
97}
98
99static void apparmor_task_free(struct task_struct *task)
100{
101
102 aa_free_task_ctx(task_ctx(task));
103}
104
105static int apparmor_task_alloc(struct task_struct *task,
106 unsigned long clone_flags)
107{
108 struct aa_task_ctx *new = task_ctx(task);
109
110 aa_dup_task_ctx(new, task_ctx(current));
111
112 return 0;
113}
114
115static int apparmor_ptrace_access_check(struct task_struct *child,
116 unsigned int mode)
117{
118 struct aa_label *tracer, *tracee;
119 int error;
120
121 tracer = __begin_current_label_crit_section();
122 tracee = aa_get_task_label(child);
123 error = aa_may_ptrace(tracer, tracee,
124 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
125 : AA_PTRACE_TRACE);
126 aa_put_label(tracee);
127 __end_current_label_crit_section(tracer);
128
129 return error;
130}
131
132static int apparmor_ptrace_traceme(struct task_struct *parent)
133{
134 struct aa_label *tracer, *tracee;
135 int error;
136
137 tracee = __begin_current_label_crit_section();
138 tracer = aa_get_task_label(parent);
139 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
140 aa_put_label(tracer);
141 __end_current_label_crit_section(tracee);
142
143 return error;
144}
145
146/* Derived from security/commoncap.c:cap_capget */
147static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
149{
150 struct aa_label *label;
151 const struct cred *cred;
152
153 rcu_read_lock();
154 cred = __task_cred(target);
155 label = aa_get_newest_cred_label(cred);
156
157 /*
158 * cap_capget is stacked ahead of this and will
159 * initialize effective and permitted.
160 */
161 if (!unconfined(label)) {
162 struct aa_profile *profile;
163 struct label_it i;
164
165 label_for_each_confined(i, label, profile) {
166 if (COMPLAIN_MODE(profile))
167 continue;
168 *effective = cap_intersect(*effective,
169 profile->caps.allow);
170 *permitted = cap_intersect(*permitted,
171 profile->caps.allow);
172 }
173 }
174 rcu_read_unlock();
175 aa_put_label(label);
176
177 return 0;
178}
179
180static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
181 int cap, unsigned int opts)
182{
183 struct aa_label *label;
184 int error = 0;
185
186 label = aa_get_newest_cred_label(cred);
187 if (!unconfined(label))
188 error = aa_capable(label, cap, opts);
189 aa_put_label(label);
190
191 return error;
192}
193
194/**
195 * common_perm - basic common permission check wrapper fn for paths
196 * @op: operation being checked
197 * @path: path to check permission of (NOT NULL)
198 * @mask: requested permissions mask
199 * @cond: conditional info for the permission request (NOT NULL)
200 *
201 * Returns: %0 else error code if error or permission denied
202 */
203static int common_perm(const char *op, const struct path *path, u32 mask,
204 struct path_cond *cond)
205{
206 struct aa_label *label;
207 int error = 0;
208
209 label = __begin_current_label_crit_section();
210 if (!unconfined(label))
211 error = aa_path_perm(op, label, path, 0, mask, cond);
212 __end_current_label_crit_section(label);
213
214 return error;
215}
216
217/**
218 * common_perm_cond - common permission wrapper around inode cond
219 * @op: operation being checked
220 * @path: location to check (NOT NULL)
221 * @mask: requested permissions mask
222 *
223 * Returns: %0 else error code if error or permission denied
224 */
225static int common_perm_cond(const char *op, const struct path *path, u32 mask)
226{
227 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
228 d_backing_inode(path->dentry)->i_mode
229 };
230
231 if (!path_mediated_fs(path->dentry))
232 return 0;
233
234 return common_perm(op, path, mask, &cond);
235}
236
237/**
238 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
239 * @op: operation being checked
240 * @dir: directory of the dentry (NOT NULL)
241 * @dentry: dentry to check (NOT NULL)
242 * @mask: requested permissions mask
243 * @cond: conditional info for the permission request (NOT NULL)
244 *
245 * Returns: %0 else error code if error or permission denied
246 */
247static int common_perm_dir_dentry(const char *op, const struct path *dir,
248 struct dentry *dentry, u32 mask,
249 struct path_cond *cond)
250{
251 struct path path = { .mnt = dir->mnt, .dentry = dentry };
252
253 return common_perm(op, &path, mask, cond);
254}
255
256/**
257 * common_perm_rm - common permission wrapper for operations doing rm
258 * @op: operation being checked
259 * @dir: directory that the dentry is in (NOT NULL)
260 * @dentry: dentry being rm'd (NOT NULL)
261 * @mask: requested permission mask
262 *
263 * Returns: %0 else error code if error or permission denied
264 */
265static int common_perm_rm(const char *op, const struct path *dir,
266 struct dentry *dentry, u32 mask)
267{
268 struct inode *inode = d_backing_inode(dentry);
269 struct path_cond cond = { };
270
271 if (!inode || !path_mediated_fs(dentry))
272 return 0;
273
274 cond.uid = inode->i_uid;
275 cond.mode = inode->i_mode;
276
277 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
278}
279
280/**
281 * common_perm_create - common permission wrapper for operations doing create
282 * @op: operation being checked
283 * @dir: directory that dentry will be created in (NOT NULL)
284 * @dentry: dentry to create (NOT NULL)
285 * @mask: request permission mask
286 * @mode: created file mode
287 *
288 * Returns: %0 else error code if error or permission denied
289 */
290static int common_perm_create(const char *op, const struct path *dir,
291 struct dentry *dentry, u32 mask, umode_t mode)
292{
293 struct path_cond cond = { current_fsuid(), mode };
294
295 if (!path_mediated_fs(dir->dentry))
296 return 0;
297
298 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
299}
300
301static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
302{
303 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
304}
305
306static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
307 umode_t mode)
308{
309 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
310 S_IFDIR);
311}
312
313static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
314{
315 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
316}
317
318static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
319 umode_t mode, unsigned int dev)
320{
321 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
322}
323
324static int apparmor_path_truncate(const struct path *path)
325{
326 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
327}
328
329static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
330 const char *old_name)
331{
332 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
333 S_IFLNK);
334}
335
336static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
337 struct dentry *new_dentry)
338{
339 struct aa_label *label;
340 int error = 0;
341
342 if (!path_mediated_fs(old_dentry))
343 return 0;
344
345 label = begin_current_label_crit_section();
346 if (!unconfined(label))
347 error = aa_path_link(label, old_dentry, new_dir, new_dentry);
348 end_current_label_crit_section(label);
349
350 return error;
351}
352
353static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
354 const struct path *new_dir, struct dentry *new_dentry)
355{
356 struct aa_label *label;
357 int error = 0;
358
359 if (!path_mediated_fs(old_dentry))
360 return 0;
361
362 label = begin_current_label_crit_section();
363 if (!unconfined(label)) {
364 struct path old_path = { .mnt = old_dir->mnt,
365 .dentry = old_dentry };
366 struct path new_path = { .mnt = new_dir->mnt,
367 .dentry = new_dentry };
368 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
369 d_backing_inode(old_dentry)->i_mode
370 };
371
372 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
373 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
374 AA_MAY_SETATTR | AA_MAY_DELETE,
375 &cond);
376 if (!error)
377 error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
378 0, MAY_WRITE | AA_MAY_SETATTR |
379 AA_MAY_CREATE, &cond);
380
381 }
382 end_current_label_crit_section(label);
383
384 return error;
385}
386
387static int apparmor_path_chmod(const struct path *path, umode_t mode)
388{
389 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
390}
391
392static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
393{
394 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
395}
396
397static int apparmor_inode_getattr(const struct path *path)
398{
399 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
400}
401
402static int apparmor_file_open(struct file *file)
403{
404 struct aa_file_ctx *fctx = file_ctx(file);
405 struct aa_label *label;
406 int error = 0;
407
408 if (!path_mediated_fs(file->f_path.dentry))
409 return 0;
410
411 /* If in exec, permission is handled by bprm hooks.
412 * Cache permissions granted by the previous exec check, with
413 * implicit read and executable mmap which are required to
414 * actually execute the image.
415 */
416 if (current->in_execve) {
417 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
418 return 0;
419 }
420
421 label = aa_get_newest_cred_label(file->f_cred);
422 if (!unconfined(label)) {
423 struct inode *inode = file_inode(file);
424 struct path_cond cond = { inode->i_uid, inode->i_mode };
425
426 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
427 aa_map_file_to_perms(file), &cond);
428 /* todo cache full allowed permissions set and state */
429 fctx->allow = aa_map_file_to_perms(file);
430 }
431 aa_put_label(label);
432
433 return error;
434}
435
436static int apparmor_file_alloc_security(struct file *file)
437{
438 struct aa_file_ctx *ctx = file_ctx(file);
439 struct aa_label *label = begin_current_label_crit_section();
440
441 spin_lock_init(&ctx->lock);
442 rcu_assign_pointer(ctx->label, aa_get_label(label));
443 end_current_label_crit_section(label);
444 return 0;
445}
446
447static void apparmor_file_free_security(struct file *file)
448{
449 struct aa_file_ctx *ctx = file_ctx(file);
450
451 if (ctx)
452 aa_put_label(rcu_access_pointer(ctx->label));
453}
454
455static int common_file_perm(const char *op, struct file *file, u32 mask,
456 bool in_atomic)
457{
458 struct aa_label *label;
459 int error = 0;
460
461 /* don't reaudit files closed during inheritance */
462 if (file->f_path.dentry == aa_null.dentry)
463 return -EACCES;
464
465 label = __begin_current_label_crit_section();
466 error = aa_file_perm(op, label, file, mask, in_atomic);
467 __end_current_label_crit_section(label);
468
469 return error;
470}
471
472static int apparmor_file_receive(struct file *file)
473{
474 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file),
475 false);
476}
477
478static int apparmor_file_permission(struct file *file, int mask)
479{
480 return common_file_perm(OP_FPERM, file, mask, false);
481}
482
483static int apparmor_file_lock(struct file *file, unsigned int cmd)
484{
485 u32 mask = AA_MAY_LOCK;
486
487 if (cmd == F_WRLCK)
488 mask |= MAY_WRITE;
489
490 return common_file_perm(OP_FLOCK, file, mask, false);
491}
492
493static int common_mmap(const char *op, struct file *file, unsigned long prot,
494 unsigned long flags, bool in_atomic)
495{
496 int mask = 0;
497
498 if (!file || !file_ctx(file))
499 return 0;
500
501 if (prot & PROT_READ)
502 mask |= MAY_READ;
503 /*
504 * Private mappings don't require write perms since they don't
505 * write back to the files
506 */
507 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
508 mask |= MAY_WRITE;
509 if (prot & PROT_EXEC)
510 mask |= AA_EXEC_MMAP;
511
512 return common_file_perm(op, file, mask, in_atomic);
513}
514
515static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
516 unsigned long prot, unsigned long flags)
517{
518 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC);
519}
520
521static int apparmor_file_mprotect(struct vm_area_struct *vma,
522 unsigned long reqprot, unsigned long prot)
523{
524 return common_mmap(OP_FMPROT, vma->vm_file, prot,
525 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0,
526 false);
527}
528
529static int apparmor_sb_mount(const char *dev_name, const struct path *path,
530 const char *type, unsigned long flags, void *data)
531{
532 struct aa_label *label;
533 int error = 0;
534
535 /* Discard magic */
536 if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
537 flags &= ~MS_MGC_MSK;
538
539 flags &= ~AA_MS_IGNORE_MASK;
540
541 label = __begin_current_label_crit_section();
542 if (!unconfined(label)) {
543 if (flags & MS_REMOUNT)
544 error = aa_remount(label, path, flags, data);
545 else if (flags & MS_BIND)
546 error = aa_bind_mount(label, path, dev_name, flags);
547 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
548 MS_UNBINDABLE))
549 error = aa_mount_change_type(label, path, flags);
550 else if (flags & MS_MOVE)
551 error = aa_move_mount(label, path, dev_name);
552 else
553 error = aa_new_mount(label, dev_name, path, type,
554 flags, data);
555 }
556 __end_current_label_crit_section(label);
557
558 return error;
559}
560
561static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
562{
563 struct aa_label *label;
564 int error = 0;
565
566 label = __begin_current_label_crit_section();
567 if (!unconfined(label))
568 error = aa_umount(label, mnt, flags);
569 __end_current_label_crit_section(label);
570
571 return error;
572}
573
574static int apparmor_sb_pivotroot(const struct path *old_path,
575 const struct path *new_path)
576{
577 struct aa_label *label;
578 int error = 0;
579
580 label = aa_get_current_label();
581 if (!unconfined(label))
582 error = aa_pivotroot(label, old_path, new_path);
583 aa_put_label(label);
584
585 return error;
586}
587
588static int apparmor_getprocattr(struct task_struct *task, char *name,
589 char **value)
590{
591 int error = -ENOENT;
592 /* released below */
593 const struct cred *cred = get_task_cred(task);
594 struct aa_task_ctx *ctx = task_ctx(current);
595 struct aa_label *label = NULL;
596
597 if (strcmp(name, "current") == 0)
598 label = aa_get_newest_label(cred_label(cred));
599 else if (strcmp(name, "prev") == 0 && ctx->previous)
600 label = aa_get_newest_label(ctx->previous);
601 else if (strcmp(name, "exec") == 0 && ctx->onexec)
602 label = aa_get_newest_label(ctx->onexec);
603 else
604 error = -EINVAL;
605
606 if (label)
607 error = aa_getprocattr(label, value);
608
609 aa_put_label(label);
610 put_cred(cred);
611
612 return error;
613}
614
615static int apparmor_setprocattr(const char *name, void *value,
616 size_t size)
617{
618 char *command, *largs = NULL, *args = value;
619 size_t arg_size;
620 int error;
621 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
622
623 if (size == 0)
624 return -EINVAL;
625
626 /* AppArmor requires that the buffer must be null terminated atm */
627 if (args[size - 1] != '\0') {
628 /* null terminate */
629 largs = args = kmalloc(size + 1, GFP_KERNEL);
630 if (!args)
631 return -ENOMEM;
632 memcpy(args, value, size);
633 args[size] = '\0';
634 }
635
636 error = -EINVAL;
637 args = strim(args);
638 command = strsep(&args, " ");
639 if (!args)
640 goto out;
641 args = skip_spaces(args);
642 if (!*args)
643 goto out;
644
645 arg_size = size - (args - (largs ? largs : (char *) value));
646 if (strcmp(name, "current") == 0) {
647 if (strcmp(command, "changehat") == 0) {
648 error = aa_setprocattr_changehat(args, arg_size,
649 AA_CHANGE_NOFLAGS);
650 } else if (strcmp(command, "permhat") == 0) {
651 error = aa_setprocattr_changehat(args, arg_size,
652 AA_CHANGE_TEST);
653 } else if (strcmp(command, "changeprofile") == 0) {
654 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
655 } else if (strcmp(command, "permprofile") == 0) {
656 error = aa_change_profile(args, AA_CHANGE_TEST);
657 } else if (strcmp(command, "stack") == 0) {
658 error = aa_change_profile(args, AA_CHANGE_STACK);
659 } else
660 goto fail;
661 } else if (strcmp(name, "exec") == 0) {
662 if (strcmp(command, "exec") == 0)
663 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
664 else if (strcmp(command, "stack") == 0)
665 error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
666 AA_CHANGE_STACK));
667 else
668 goto fail;
669 } else
670 /* only support the "current" and "exec" process attributes */
671 goto fail;
672
673 if (!error)
674 error = size;
675out:
676 kfree(largs);
677 return error;
678
679fail:
680 aad(&sa)->label = begin_current_label_crit_section();
681 aad(&sa)->info = name;
682 aad(&sa)->error = error = -EINVAL;
683 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
684 end_current_label_crit_section(aad(&sa)->label);
685 goto out;
686}
687
688/**
689 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
690 * @bprm: binprm for the exec (NOT NULL)
691 */
692static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
693{
694 struct aa_label *label = aa_current_raw_label();
695 struct aa_label *new_label = cred_label(bprm->cred);
696
697 /* bail out if unconfined or not changing profile */
698 if ((new_label->proxy == label->proxy) ||
699 (unconfined(new_label)))
700 return;
701
702 aa_inherit_files(bprm->cred, current->files);
703
704 current->pdeath_signal = 0;
705
706 /* reset soft limits and set hard limits for the new label */
707 __aa_transition_rlimits(label, new_label);
708}
709
710/**
711 * apparmor_bprm_committed_cred - do cleanup after new creds committed
712 * @bprm: binprm for the exec (NOT NULL)
713 */
714static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
715{
716 /* clear out temporary/transitional state from the context */
717 aa_clear_task_ctx_trans(task_ctx(current));
718
719 return;
720}
721
722static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
723{
724 struct aa_label *label = aa_get_task_label(p);
725 *secid = label->secid;
726 aa_put_label(label);
727}
728
729static int apparmor_task_setrlimit(struct task_struct *task,
730 unsigned int resource, struct rlimit *new_rlim)
731{
732 struct aa_label *label = __begin_current_label_crit_section();
733 int error = 0;
734
735 if (!unconfined(label))
736 error = aa_task_setrlimit(label, task, resource, new_rlim);
737 __end_current_label_crit_section(label);
738
739 return error;
740}
741
742static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
743 int sig, const struct cred *cred)
744{
745 struct aa_label *cl, *tl;
746 int error;
747
748 if (cred) {
749 /*
750 * Dealing with USB IO specific behavior
751 */
752 cl = aa_get_newest_cred_label(cred);
753 tl = aa_get_task_label(target);
754 error = aa_may_signal(cl, tl, sig);
755 aa_put_label(cl);
756 aa_put_label(tl);
757 return error;
758 }
759
760 cl = __begin_current_label_crit_section();
761 tl = aa_get_task_label(target);
762 error = aa_may_signal(cl, tl, sig);
763 aa_put_label(tl);
764 __end_current_label_crit_section(cl);
765
766 return error;
767}
768
769/**
770 * apparmor_sk_alloc_security - allocate and attach the sk_security field
771 */
772static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
773{
774 struct aa_sk_ctx *ctx;
775
776 ctx = kzalloc(sizeof(*ctx), flags);
777 if (!ctx)
778 return -ENOMEM;
779
780 SK_CTX(sk) = ctx;
781
782 return 0;
783}
784
785/**
786 * apparmor_sk_free_security - free the sk_security field
787 */
788static void apparmor_sk_free_security(struct sock *sk)
789{
790 struct aa_sk_ctx *ctx = SK_CTX(sk);
791
792 SK_CTX(sk) = NULL;
793 aa_put_label(ctx->label);
794 aa_put_label(ctx->peer);
795 kfree(ctx);
796}
797
798/**
799 * apparmor_clone_security - clone the sk_security field
800 */
801static void apparmor_sk_clone_security(const struct sock *sk,
802 struct sock *newsk)
803{
804 struct aa_sk_ctx *ctx = SK_CTX(sk);
805 struct aa_sk_ctx *new = SK_CTX(newsk);
806
807 if (new->label)
808 aa_put_label(new->label);
809 new->label = aa_get_label(ctx->label);
810
811 if (new->peer)
812 aa_put_label(new->peer);
813 new->peer = aa_get_label(ctx->peer);
814}
815
816/**
817 * apparmor_socket_create - check perms before creating a new socket
818 */
819static int apparmor_socket_create(int family, int type, int protocol, int kern)
820{
821 struct aa_label *label;
822 int error = 0;
823
824 AA_BUG(in_interrupt());
825
826 label = begin_current_label_crit_section();
827 if (!(kern || unconfined(label)))
828 error = af_select(family,
829 create_perm(label, family, type, protocol),
830 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE,
831 family, type, protocol));
832 end_current_label_crit_section(label);
833
834 return error;
835}
836
837/**
838 * apparmor_socket_post_create - setup the per-socket security struct
839 *
840 * Note:
841 * - kernel sockets currently labeled unconfined but we may want to
842 * move to a special kernel label
843 * - socket may not have sk here if created with sock_create_lite or
844 * sock_alloc. These should be accept cases which will be handled in
845 * sock_graft.
846 */
847static int apparmor_socket_post_create(struct socket *sock, int family,
848 int type, int protocol, int kern)
849{
850 struct aa_label *label;
851
852 if (kern) {
853 struct aa_ns *ns = aa_get_current_ns();
854
855 label = aa_get_label(ns_unconfined(ns));
856 aa_put_ns(ns);
857 } else
858 label = aa_get_current_label();
859
860 if (sock->sk) {
861 struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
862
863 aa_put_label(ctx->label);
864 ctx->label = aa_get_label(label);
865 }
866 aa_put_label(label);
867
868 return 0;
869}
870
871/**
872 * apparmor_socket_bind - check perms before bind addr to socket
873 */
874static int apparmor_socket_bind(struct socket *sock,
875 struct sockaddr *address, int addrlen)
876{
877 AA_BUG(!sock);
878 AA_BUG(!sock->sk);
879 AA_BUG(!address);
880 AA_BUG(in_interrupt());
881
882 return af_select(sock->sk->sk_family,
883 bind_perm(sock, address, addrlen),
884 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
885}
886
887/**
888 * apparmor_socket_connect - check perms before connecting @sock to @address
889 */
890static int apparmor_socket_connect(struct socket *sock,
891 struct sockaddr *address, int addrlen)
892{
893 AA_BUG(!sock);
894 AA_BUG(!sock->sk);
895 AA_BUG(!address);
896 AA_BUG(in_interrupt());
897
898 return af_select(sock->sk->sk_family,
899 connect_perm(sock, address, addrlen),
900 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
901}
902
903/**
904 * apparmor_socket_list - check perms before allowing listen
905 */
906static int apparmor_socket_listen(struct socket *sock, int backlog)
907{
908 AA_BUG(!sock);
909 AA_BUG(!sock->sk);
910 AA_BUG(in_interrupt());
911
912 return af_select(sock->sk->sk_family,
913 listen_perm(sock, backlog),
914 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
915}
916
917/**
918 * apparmor_socket_accept - check perms before accepting a new connection.
919 *
920 * Note: while @newsock is created and has some information, the accept
921 * has not been done.
922 */
923static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
924{
925 AA_BUG(!sock);
926 AA_BUG(!sock->sk);
927 AA_BUG(!newsock);
928 AA_BUG(in_interrupt());
929
930 return af_select(sock->sk->sk_family,
931 accept_perm(sock, newsock),
932 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
933}
934
935static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
936 struct msghdr *msg, int size)
937{
938 AA_BUG(!sock);
939 AA_BUG(!sock->sk);
940 AA_BUG(!msg);
941 AA_BUG(in_interrupt());
942
943 return af_select(sock->sk->sk_family,
944 msg_perm(op, request, sock, msg, size),
945 aa_sk_perm(op, request, sock->sk));
946}
947
948/**
949 * apparmor_socket_sendmsg - check perms before sending msg to another socket
950 */
951static int apparmor_socket_sendmsg(struct socket *sock,
952 struct msghdr *msg, int size)
953{
954 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
955}
956
957/**
958 * apparmor_socket_recvmsg - check perms before receiving a message
959 */
960static int apparmor_socket_recvmsg(struct socket *sock,
961 struct msghdr *msg, int size, int flags)
962{
963 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
964}
965
966/* revaliation, get/set attr, shutdown */
967static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
968{
969 AA_BUG(!sock);
970 AA_BUG(!sock->sk);
971 AA_BUG(in_interrupt());
972
973 return af_select(sock->sk->sk_family,
974 sock_perm(op, request, sock),
975 aa_sk_perm(op, request, sock->sk));
976}
977
978/**
979 * apparmor_socket_getsockname - check perms before getting the local address
980 */
981static int apparmor_socket_getsockname(struct socket *sock)
982{
983 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
984}
985
986/**
987 * apparmor_socket_getpeername - check perms before getting remote address
988 */
989static int apparmor_socket_getpeername(struct socket *sock)
990{
991 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
992}
993
994/* revaliation, get/set attr, opt */
995static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
996 int level, int optname)
997{
998 AA_BUG(!sock);
999 AA_BUG(!sock->sk);
1000 AA_BUG(in_interrupt());
1001
1002 return af_select(sock->sk->sk_family,
1003 opt_perm(op, request, sock, level, optname),
1004 aa_sk_perm(op, request, sock->sk));
1005}
1006
1007/**
1008 * apparmor_getsockopt - check perms before getting socket options
1009 */
1010static int apparmor_socket_getsockopt(struct socket *sock, int level,
1011 int optname)
1012{
1013 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
1014 level, optname);
1015}
1016
1017/**
1018 * apparmor_setsockopt - check perms before setting socket options
1019 */
1020static int apparmor_socket_setsockopt(struct socket *sock, int level,
1021 int optname)
1022{
1023 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
1024 level, optname);
1025}
1026
1027/**
1028 * apparmor_socket_shutdown - check perms before shutting down @sock conn
1029 */
1030static int apparmor_socket_shutdown(struct socket *sock, int how)
1031{
1032 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
1033}
1034
1035#ifdef CONFIG_NETWORK_SECMARK
1036/**
1037 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
1038 *
1039 * Note: can not sleep may be called with locks held
1040 *
1041 * dont want protocol specific in __skb_recv_datagram()
1042 * to deny an incoming connection socket_sock_rcv_skb()
1043 */
1044static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
1045{
1046 struct aa_sk_ctx *ctx = SK_CTX(sk);
1047
1048 if (!skb->secmark)
1049 return 0;
1050
1051 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
1052 skb->secmark, sk);
1053}
1054#endif
1055
1056
1057static struct aa_label *sk_peer_label(struct sock *sk)
1058{
1059 struct aa_sk_ctx *ctx = SK_CTX(sk);
1060
1061 if (ctx->peer)
1062 return ctx->peer;
1063
1064 return ERR_PTR(-ENOPROTOOPT);
1065}
1066
1067/**
1068 * apparmor_socket_getpeersec_stream - get security context of peer
1069 *
1070 * Note: for tcp only valid if using ipsec or cipso on lan
1071 */
1072static int apparmor_socket_getpeersec_stream(struct socket *sock,
1073 char __user *optval,
1074 int __user *optlen,
1075 unsigned int len)
1076{
1077 char *name;
1078 int slen, error = 0;
1079 struct aa_label *label;
1080 struct aa_label *peer;
1081
1082 label = begin_current_label_crit_section();
1083 peer = sk_peer_label(sock->sk);
1084 if (IS_ERR(peer)) {
1085 error = PTR_ERR(peer);
1086 goto done;
1087 }
1088 slen = aa_label_asxprint(&name, labels_ns(label), peer,
1089 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
1090 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
1091 /* don't include terminating \0 in slen, it breaks some apps */
1092 if (slen < 0) {
1093 error = -ENOMEM;
1094 } else {
1095 if (slen > len) {
1096 error = -ERANGE;
1097 } else if (copy_to_user(optval, name, slen)) {
1098 error = -EFAULT;
1099 goto out;
1100 }
1101 if (put_user(slen, optlen))
1102 error = -EFAULT;
1103out:
1104 kfree(name);
1105
1106 }
1107
1108done:
1109 end_current_label_crit_section(label);
1110
1111 return error;
1112}
1113
1114/**
1115 * apparmor_socket_getpeersec_dgram - get security label of packet
1116 * @sock: the peer socket
1117 * @skb: packet data
1118 * @secid: pointer to where to put the secid of the packet
1119 *
1120 * Sets the netlabel socket state on sk from parent
1121 */
1122static int apparmor_socket_getpeersec_dgram(struct socket *sock,
1123 struct sk_buff *skb, u32 *secid)
1124
1125{
1126 /* TODO: requires secid support */
1127 return -ENOPROTOOPT;
1128}
1129
1130/**
1131 * apparmor_sock_graft - Initialize newly created socket
1132 * @sk: child sock
1133 * @parent: parent socket
1134 *
1135 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1136 * just set sk security information off of current creating process label
1137 * Labeling of sk for accept case - probably should be sock based
1138 * instead of task, because of the case where an implicitly labeled
1139 * socket is shared by different tasks.
1140 */
1141static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
1142{
1143 struct aa_sk_ctx *ctx = SK_CTX(sk);
1144
1145 if (!ctx->label)
1146 ctx->label = aa_get_current_label();
1147}
1148
1149#ifdef CONFIG_NETWORK_SECMARK
1150static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb,
1151 struct request_sock *req)
1152{
1153 struct aa_sk_ctx *ctx = SK_CTX(sk);
1154
1155 if (!skb->secmark)
1156 return 0;
1157
1158 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
1159 skb->secmark, sk);
1160}
1161#endif
1162
1163/*
1164 * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
1165 */
1166struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
1167 .lbs_cred = sizeof(struct aa_task_ctx *),
1168 .lbs_file = sizeof(struct aa_file_ctx),
1169 .lbs_task = sizeof(struct aa_task_ctx),
1170};
1171
1172static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
1173 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
1174 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
1175 LSM_HOOK_INIT(capget, apparmor_capget),
1176 LSM_HOOK_INIT(capable, apparmor_capable),
1177
1178 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
1179 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
1180 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
1181
1182 LSM_HOOK_INIT(path_link, apparmor_path_link),
1183 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
1184 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
1185 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
1186 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
1187 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
1188 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
1189 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
1190 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
1191 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
1192 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
1193
1194 LSM_HOOK_INIT(file_open, apparmor_file_open),
1195 LSM_HOOK_INIT(file_receive, apparmor_file_receive),
1196 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
1197 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
1198 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
1199 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
1200 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
1201 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
1202
1203 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
1204 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
1205
1206 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
1207 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
1208 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
1209
1210 LSM_HOOK_INIT(socket_create, apparmor_socket_create),
1211 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
1212 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
1213 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
1214 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
1215 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
1216 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
1217 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
1218 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
1219 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
1220 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
1221 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
1222 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
1223#ifdef CONFIG_NETWORK_SECMARK
1224 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
1225#endif
1226 LSM_HOOK_INIT(socket_getpeersec_stream,
1227 apparmor_socket_getpeersec_stream),
1228 LSM_HOOK_INIT(socket_getpeersec_dgram,
1229 apparmor_socket_getpeersec_dgram),
1230 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
1231#ifdef CONFIG_NETWORK_SECMARK
1232 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
1233#endif
1234
1235 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
1236 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
1237 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
1238 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
1239
1240 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec),
1241 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
1242 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
1243
1244 LSM_HOOK_INIT(task_free, apparmor_task_free),
1245 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
1246 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid),
1247 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
1248 LSM_HOOK_INIT(task_kill, apparmor_task_kill),
1249
1250#ifdef CONFIG_AUDIT
1251 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
1252 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
1253 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
1254 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
1255#endif
1256
1257 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
1258 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
1259 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
1260};
1261
1262/*
1263 * AppArmor sysfs module parameters
1264 */
1265
1266static int param_set_aabool(const char *val, const struct kernel_param *kp);
1267static int param_get_aabool(char *buffer, const struct kernel_param *kp);
1268#define param_check_aabool param_check_bool
1269static const struct kernel_param_ops param_ops_aabool = {
1270 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1271 .set = param_set_aabool,
1272 .get = param_get_aabool
1273};
1274
1275static int param_set_aauint(const char *val, const struct kernel_param *kp);
1276static int param_get_aauint(char *buffer, const struct kernel_param *kp);
1277#define param_check_aauint param_check_uint
1278static const struct kernel_param_ops param_ops_aauint = {
1279 .set = param_set_aauint,
1280 .get = param_get_aauint
1281};
1282
1283static int param_set_aacompressionlevel(const char *val,
1284 const struct kernel_param *kp);
1285static int param_get_aacompressionlevel(char *buffer,
1286 const struct kernel_param *kp);
1287#define param_check_aacompressionlevel param_check_int
1288static const struct kernel_param_ops param_ops_aacompressionlevel = {
1289 .set = param_set_aacompressionlevel,
1290 .get = param_get_aacompressionlevel
1291};
1292
1293static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
1294static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
1295#define param_check_aalockpolicy param_check_bool
1296static const struct kernel_param_ops param_ops_aalockpolicy = {
1297 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1298 .set = param_set_aalockpolicy,
1299 .get = param_get_aalockpolicy
1300};
1301
1302static int param_set_audit(const char *val, const struct kernel_param *kp);
1303static int param_get_audit(char *buffer, const struct kernel_param *kp);
1304
1305static int param_set_mode(const char *val, const struct kernel_param *kp);
1306static int param_get_mode(char *buffer, const struct kernel_param *kp);
1307
1308/* Flag values, also controllable via /sys/module/apparmor/parameters
1309 * We define special types as we want to do additional mediation.
1310 */
1311
1312/* AppArmor global enforcement switch - complain, enforce, kill */
1313enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
1314module_param_call(mode, param_set_mode, param_get_mode,
1315 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
1316
1317/* whether policy verification hashing is enabled */
1318bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
1319#ifdef CONFIG_SECURITY_APPARMOR_HASH
1320module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
1321#endif
1322
1323/* policy loaddata compression level */
1324int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION;
1325module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
1326 aacompressionlevel, 0400);
1327
1328/* Debug mode */
1329bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
1330module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
1331
1332/* Audit mode */
1333enum audit_mode aa_g_audit;
1334module_param_call(audit, param_set_audit, param_get_audit,
1335 &aa_g_audit, S_IRUSR | S_IWUSR);
1336
1337/* Determines if audit header is included in audited messages. This
1338 * provides more context if the audit daemon is not running
1339 */
1340bool aa_g_audit_header = true;
1341module_param_named(audit_header, aa_g_audit_header, aabool,
1342 S_IRUSR | S_IWUSR);
1343
1344/* lock out loading/removal of policy
1345 * TODO: add in at boot loading of policy, which is the only way to
1346 * load policy, if lock_policy is set
1347 */
1348bool aa_g_lock_policy;
1349module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
1350 S_IRUSR | S_IWUSR);
1351
1352/* Syscall logging mode */
1353bool aa_g_logsyscall;
1354module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
1355
1356/* Maximum pathname length before accesses will start getting rejected */
1357unsigned int aa_g_path_max = 2 * PATH_MAX;
1358module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
1359
1360/* Determines how paranoid loading of policy is and how much verification
1361 * on the loaded policy is done.
1362 * DEPRECATED: read only as strict checking of load is always done now
1363 * that none root users (user namespaces) can load policy.
1364 */
1365bool aa_g_paranoid_load = true;
1366module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
1367
1368static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
1369static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
1370#define param_check_aaintbool param_check_int
1371static const struct kernel_param_ops param_ops_aaintbool = {
1372 .set = param_set_aaintbool,
1373 .get = param_get_aaintbool
1374};
1375/* Boot time disable flag */
1376static int apparmor_enabled __lsm_ro_after_init = 1;
1377module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
1378
1379static int __init apparmor_enabled_setup(char *str)
1380{
1381 unsigned long enabled;
1382 int error = kstrtoul(str, 0, &enabled);
1383 if (!error)
1384 apparmor_enabled = enabled ? 1 : 0;
1385 return 1;
1386}
1387
1388__setup("apparmor=", apparmor_enabled_setup);
1389
1390/* set global flag turning off the ability to load policy */
1391static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
1392{
1393 if (!apparmor_enabled)
1394 return -EINVAL;
1395 if (apparmor_initialized && !policy_admin_capable(NULL))
1396 return -EPERM;
1397 return param_set_bool(val, kp);
1398}
1399
1400static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
1401{
1402 if (!apparmor_enabled)
1403 return -EINVAL;
1404 if (apparmor_initialized && !policy_view_capable(NULL))
1405 return -EPERM;
1406 return param_get_bool(buffer, kp);
1407}
1408
1409static int param_set_aabool(const char *val, const struct kernel_param *kp)
1410{
1411 if (!apparmor_enabled)
1412 return -EINVAL;
1413 if (apparmor_initialized && !policy_admin_capable(NULL))
1414 return -EPERM;
1415 return param_set_bool(val, kp);
1416}
1417
1418static int param_get_aabool(char *buffer, const struct kernel_param *kp)
1419{
1420 if (!apparmor_enabled)
1421 return -EINVAL;
1422 if (apparmor_initialized && !policy_view_capable(NULL))
1423 return -EPERM;
1424 return param_get_bool(buffer, kp);
1425}
1426
1427static int param_set_aauint(const char *val, const struct kernel_param *kp)
1428{
1429 int error;
1430
1431 if (!apparmor_enabled)
1432 return -EINVAL;
1433 /* file is ro but enforce 2nd line check */
1434 if (apparmor_initialized)
1435 return -EPERM;
1436
1437 error = param_set_uint(val, kp);
1438 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
1439 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
1440
1441 return error;
1442}
1443
1444static int param_get_aauint(char *buffer, const struct kernel_param *kp)
1445{
1446 if (!apparmor_enabled)
1447 return -EINVAL;
1448 if (apparmor_initialized && !policy_view_capable(NULL))
1449 return -EPERM;
1450 return param_get_uint(buffer, kp);
1451}
1452
1453/* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1454static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
1455{
1456 struct kernel_param kp_local;
1457 bool value;
1458 int error;
1459
1460 if (apparmor_initialized)
1461 return -EPERM;
1462
1463 /* Create local copy, with arg pointing to bool type. */
1464 value = !!*((int *)kp->arg);
1465 memcpy(&kp_local, kp, sizeof(kp_local));
1466 kp_local.arg = &value;
1467
1468 error = param_set_bool(val, &kp_local);
1469 if (!error)
1470 *((int *)kp->arg) = *((bool *)kp_local.arg);
1471 return error;
1472}
1473
1474/*
1475 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
1476 * 1/0, this converts the "int that is actually bool" back to bool for
1477 * display in the /sys filesystem, while keeping it "int" for the LSM
1478 * infrastructure.
1479 */
1480static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
1481{
1482 struct kernel_param kp_local;
1483 bool value;
1484
1485 /* Create local copy, with arg pointing to bool type. */
1486 value = !!*((int *)kp->arg);
1487 memcpy(&kp_local, kp, sizeof(kp_local));
1488 kp_local.arg = &value;
1489
1490 return param_get_bool(buffer, &kp_local);
1491}
1492
1493static int param_set_aacompressionlevel(const char *val,
1494 const struct kernel_param *kp)
1495{
1496 int error;
1497
1498 if (!apparmor_enabled)
1499 return -EINVAL;
1500 if (apparmor_initialized)
1501 return -EPERM;
1502
1503 error = param_set_int(val, kp);
1504
1505 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level,
1506 Z_NO_COMPRESSION,
1507 Z_BEST_COMPRESSION);
1508 pr_info("AppArmor: policy rawdata compression level set to %u\n",
1509 aa_g_rawdata_compression_level);
1510
1511 return error;
1512}
1513
1514static int param_get_aacompressionlevel(char *buffer,
1515 const struct kernel_param *kp)
1516{
1517 if (!apparmor_enabled)
1518 return -EINVAL;
1519 if (apparmor_initialized && !policy_view_capable(NULL))
1520 return -EPERM;
1521 return param_get_int(buffer, kp);
1522}
1523
1524static int param_get_audit(char *buffer, const struct kernel_param *kp)
1525{
1526 if (!apparmor_enabled)
1527 return -EINVAL;
1528 if (apparmor_initialized && !policy_view_capable(NULL))
1529 return -EPERM;
1530 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
1531}
1532
1533static int param_set_audit(const char *val, const struct kernel_param *kp)
1534{
1535 int i;
1536
1537 if (!apparmor_enabled)
1538 return -EINVAL;
1539 if (!val)
1540 return -EINVAL;
1541 if (apparmor_initialized && !policy_admin_capable(NULL))
1542 return -EPERM;
1543
1544 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
1545 if (i < 0)
1546 return -EINVAL;
1547
1548 aa_g_audit = i;
1549 return 0;
1550}
1551
1552static int param_get_mode(char *buffer, const struct kernel_param *kp)
1553{
1554 if (!apparmor_enabled)
1555 return -EINVAL;
1556 if (apparmor_initialized && !policy_view_capable(NULL))
1557 return -EPERM;
1558
1559 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
1560}
1561
1562static int param_set_mode(const char *val, const struct kernel_param *kp)
1563{
1564 int i;
1565
1566 if (!apparmor_enabled)
1567 return -EINVAL;
1568 if (!val)
1569 return -EINVAL;
1570 if (apparmor_initialized && !policy_admin_capable(NULL))
1571 return -EPERM;
1572
1573 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
1574 val);
1575 if (i < 0)
1576 return -EINVAL;
1577
1578 aa_g_profile_mode = i;
1579 return 0;
1580}
1581
1582char *aa_get_buffer(bool in_atomic)
1583{
1584 union aa_buffer *aa_buf;
1585 bool try_again = true;
1586 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1587
1588retry:
1589 spin_lock(&aa_buffers_lock);
1590 if (buffer_count > reserve_count ||
1591 (in_atomic && !list_empty(&aa_global_buffers))) {
1592 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1593 list);
1594 list_del(&aa_buf->list);
1595 buffer_count--;
1596 spin_unlock(&aa_buffers_lock);
1597 return &aa_buf->buffer[0];
1598 }
1599 if (in_atomic) {
1600 /*
1601 * out of reserve buffers and in atomic context so increase
1602 * how many buffers to keep in reserve
1603 */
1604 reserve_count++;
1605 flags = GFP_ATOMIC;
1606 }
1607 spin_unlock(&aa_buffers_lock);
1608
1609 if (!in_atomic)
1610 might_sleep();
1611 aa_buf = kmalloc(aa_g_path_max, flags);
1612 if (!aa_buf) {
1613 if (try_again) {
1614 try_again = false;
1615 goto retry;
1616 }
1617 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
1618 return NULL;
1619 }
1620 return &aa_buf->buffer[0];
1621}
1622
1623void aa_put_buffer(char *buf)
1624{
1625 union aa_buffer *aa_buf;
1626
1627 if (!buf)
1628 return;
1629 aa_buf = container_of(buf, union aa_buffer, buffer[0]);
1630
1631 spin_lock(&aa_buffers_lock);
1632 list_add(&aa_buf->list, &aa_global_buffers);
1633 buffer_count++;
1634 spin_unlock(&aa_buffers_lock);
1635}
1636
1637/*
1638 * AppArmor init functions
1639 */
1640
1641/**
1642 * set_init_ctx - set a task context and profile on the first task.
1643 *
1644 * TODO: allow setting an alternate profile than unconfined
1645 */
1646static int __init set_init_ctx(void)
1647{
1648 struct cred *cred = (__force struct cred *)current->real_cred;
1649
1650 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
1651
1652 return 0;
1653}
1654
1655static void destroy_buffers(void)
1656{
1657 union aa_buffer *aa_buf;
1658
1659 spin_lock(&aa_buffers_lock);
1660 while (!list_empty(&aa_global_buffers)) {
1661 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1662 list);
1663 list_del(&aa_buf->list);
1664 spin_unlock(&aa_buffers_lock);
1665 kfree(aa_buf);
1666 spin_lock(&aa_buffers_lock);
1667 }
1668 spin_unlock(&aa_buffers_lock);
1669}
1670
1671static int __init alloc_buffers(void)
1672{
1673 union aa_buffer *aa_buf;
1674 int i, num;
1675
1676 /*
1677 * A function may require two buffers at once. Usually the buffers are
1678 * used for a short period of time and are shared. On UP kernel buffers
1679 * two should be enough, with more CPUs it is possible that more
1680 * buffers will be used simultaneously. The preallocated pool may grow.
1681 * This preallocation has also the side-effect that AppArmor will be
1682 * disabled early at boot if aa_g_path_max is extremly high.
1683 */
1684 if (num_online_cpus() > 1)
1685 num = 4 + RESERVE_COUNT;
1686 else
1687 num = 2 + RESERVE_COUNT;
1688
1689 for (i = 0; i < num; i++) {
1690
1691 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL |
1692 __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1693 if (!aa_buf) {
1694 destroy_buffers();
1695 return -ENOMEM;
1696 }
1697 aa_put_buffer(&aa_buf->buffer[0]);
1698 }
1699 return 0;
1700}
1701
1702#ifdef CONFIG_SYSCTL
1703static int apparmor_dointvec(struct ctl_table *table, int write,
1704 void *buffer, size_t *lenp, loff_t *ppos)
1705{
1706 if (!policy_admin_capable(NULL))
1707 return -EPERM;
1708 if (!apparmor_enabled)
1709 return -EINVAL;
1710
1711 return proc_dointvec(table, write, buffer, lenp, ppos);
1712}
1713
1714static struct ctl_path apparmor_sysctl_path[] = {
1715 { .procname = "kernel", },
1716 { }
1717};
1718
1719static struct ctl_table apparmor_sysctl_table[] = {
1720 {
1721 .procname = "unprivileged_userns_apparmor_policy",
1722 .data = &unprivileged_userns_apparmor_policy,
1723 .maxlen = sizeof(int),
1724 .mode = 0600,
1725 .proc_handler = apparmor_dointvec,
1726 },
1727 { }
1728};
1729
1730static int __init apparmor_init_sysctl(void)
1731{
1732 return register_sysctl_paths(apparmor_sysctl_path,
1733 apparmor_sysctl_table) ? 0 : -ENOMEM;
1734}
1735#else
1736static inline int apparmor_init_sysctl(void)
1737{
1738 return 0;
1739}
1740#endif /* CONFIG_SYSCTL */
1741
1742#if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
1743static unsigned int apparmor_ip_postroute(void *priv,
1744 struct sk_buff *skb,
1745 const struct nf_hook_state *state)
1746{
1747 struct aa_sk_ctx *ctx;
1748 struct sock *sk;
1749
1750 if (!skb->secmark)
1751 return NF_ACCEPT;
1752
1753 sk = skb_to_full_sk(skb);
1754 if (sk == NULL)
1755 return NF_ACCEPT;
1756
1757 ctx = SK_CTX(sk);
1758 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
1759 skb->secmark, sk))
1760 return NF_ACCEPT;
1761
1762 return NF_DROP_ERR(-ECONNREFUSED);
1763
1764}
1765
1766static unsigned int apparmor_ipv4_postroute(void *priv,
1767 struct sk_buff *skb,
1768 const struct nf_hook_state *state)
1769{
1770 return apparmor_ip_postroute(priv, skb, state);
1771}
1772
1773#if IS_ENABLED(CONFIG_IPV6)
1774static unsigned int apparmor_ipv6_postroute(void *priv,
1775 struct sk_buff *skb,
1776 const struct nf_hook_state *state)
1777{
1778 return apparmor_ip_postroute(priv, skb, state);
1779}
1780#endif
1781
1782static const struct nf_hook_ops apparmor_nf_ops[] = {
1783 {
1784 .hook = apparmor_ipv4_postroute,
1785 .pf = NFPROTO_IPV4,
1786 .hooknum = NF_INET_POST_ROUTING,
1787 .priority = NF_IP_PRI_SELINUX_FIRST,
1788 },
1789#if IS_ENABLED(CONFIG_IPV6)
1790 {
1791 .hook = apparmor_ipv6_postroute,
1792 .pf = NFPROTO_IPV6,
1793 .hooknum = NF_INET_POST_ROUTING,
1794 .priority = NF_IP6_PRI_SELINUX_FIRST,
1795 },
1796#endif
1797};
1798
1799static int __net_init apparmor_nf_register(struct net *net)
1800{
1801 int ret;
1802
1803 ret = nf_register_net_hooks(net, apparmor_nf_ops,
1804 ARRAY_SIZE(apparmor_nf_ops));
1805 return ret;
1806}
1807
1808static void __net_exit apparmor_nf_unregister(struct net *net)
1809{
1810 nf_unregister_net_hooks(net, apparmor_nf_ops,
1811 ARRAY_SIZE(apparmor_nf_ops));
1812}
1813
1814static struct pernet_operations apparmor_net_ops = {
1815 .init = apparmor_nf_register,
1816 .exit = apparmor_nf_unregister,
1817};
1818
1819static int __init apparmor_nf_ip_init(void)
1820{
1821 int err;
1822
1823 if (!apparmor_enabled)
1824 return 0;
1825
1826 err = register_pernet_subsys(&apparmor_net_ops);
1827 if (err)
1828 panic("Apparmor: register_pernet_subsys: error %d\n", err);
1829
1830 return 0;
1831}
1832__initcall(apparmor_nf_ip_init);
1833#endif
1834
1835static int __init apparmor_init(void)
1836{
1837 int error;
1838
1839 aa_secids_init();
1840
1841 error = aa_setup_dfa_engine();
1842 if (error) {
1843 AA_ERROR("Unable to setup dfa engine\n");
1844 goto alloc_out;
1845 }
1846
1847 error = aa_alloc_root_ns();
1848 if (error) {
1849 AA_ERROR("Unable to allocate default profile namespace\n");
1850 goto alloc_out;
1851 }
1852
1853 error = apparmor_init_sysctl();
1854 if (error) {
1855 AA_ERROR("Unable to register sysctls\n");
1856 goto alloc_out;
1857
1858 }
1859
1860 error = alloc_buffers();
1861 if (error) {
1862 AA_ERROR("Unable to allocate work buffers\n");
1863 goto alloc_out;
1864 }
1865
1866 error = set_init_ctx();
1867 if (error) {
1868 AA_ERROR("Failed to set context on init task\n");
1869 aa_free_root_ns();
1870 goto buffers_out;
1871 }
1872 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1873 "apparmor");
1874
1875 /* Report that AppArmor successfully initialized */
1876 apparmor_initialized = 1;
1877 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1878 aa_info_message("AppArmor initialized: complain mode enabled");
1879 else if (aa_g_profile_mode == APPARMOR_KILL)
1880 aa_info_message("AppArmor initialized: kill mode enabled");
1881 else
1882 aa_info_message("AppArmor initialized");
1883
1884 return error;
1885
1886buffers_out:
1887 destroy_buffers();
1888alloc_out:
1889 aa_destroy_aafs();
1890 aa_teardown_dfa_engine();
1891
1892 apparmor_enabled = false;
1893 return error;
1894}
1895
1896DEFINE_LSM(apparmor) = {
1897 .name = "apparmor",
1898 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
1899 .enabled = &apparmor_enabled,
1900 .blobs = &apparmor_blob_sizes,
1901 .init = apparmor_init,
1902};