1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor task related definitions and mediation
  6 *
  7 * Copyright 2017 Canonical Ltd.
  8 *
  9 * TODO
 10 * If a task uses change_hat it currently does not return to the old
 11 * cred or task context but instead creates a new one.  Ideally the task
 12 * should return to the previous cred if it has not been modified.
 13 */
 14
 15#include "include/cred.h"
 16#include "include/task.h"
 17
 18/**
 19 * aa_get_task_label - Get another task's label
 20 * @task: task to query  (NOT NULL)
 21 *
 22 * Returns: counted reference to @task's label
 23 */
 24struct aa_label *aa_get_task_label(struct task_struct *task)
 25{
 26	struct aa_label *p;
 27
 28	rcu_read_lock();
 29	p = aa_get_newest_label(__aa_task_raw_label(task));
 30	rcu_read_unlock();
 31
 32	return p;
 33}
 34
 35/**
 36 * aa_replace_current_label - replace the current tasks label
 37 * @label: new label  (NOT NULL)
 38 *
 39 * Returns: 0 or error on failure
 40 */
 41int aa_replace_current_label(struct aa_label *label)
 42{
 43	struct aa_label *old = aa_current_raw_label();
 44	struct aa_task_ctx *ctx = task_ctx(current);
 45	struct cred *new;
 46
 47	AA_BUG(!label);
 48
 49	if (old == label)
 50		return 0;
 51
 52	if (current_cred() != current_real_cred())
 53		return -EBUSY;
 54
 55	new  = prepare_creds();
 56	if (!new)
 57		return -ENOMEM;
 58
 59	if (ctx->nnp && label_is_stale(ctx->nnp)) {
 60		struct aa_label *tmp = ctx->nnp;
 61
 62		ctx->nnp = aa_get_newest_label(tmp);
 63		aa_put_label(tmp);
 64	}
 65	if (unconfined(label) || (labels_ns(old) != labels_ns(label)))
 66		/*
 67		 * if switching to unconfined or a different label namespace
 68		 * clear out context state
 69		 */
 70		aa_clear_task_ctx_trans(task_ctx(current));
 71
 72	/*
 73	 * be careful switching cred label, when racing replacement it
 74	 * is possible that the cred labels's->proxy->label is the reference
 75	 * keeping @label valid, so make sure to get its reference before
 76	 * dropping the reference on the cred's label
 77	 */
 78	aa_get_label(label);
 79	aa_put_label(cred_label(new));
 80	set_cred_label(new, label);
 81
 82	commit_creds(new);
 83	return 0;
 84}
 85
 86
 87/**
 88 * aa_set_current_onexec - set the tasks change_profile to happen onexec
 89 * @label: system label to set at exec  (MAYBE NULL to clear value)
 90 * @stack: whether stacking should be done
 91 * Returns: 0 or error on failure
 92 */
 93int aa_set_current_onexec(struct aa_label *label, bool stack)
 94{
 95	struct aa_task_ctx *ctx = task_ctx(current);
 96
 97	aa_get_label(label);
 98	aa_put_label(ctx->onexec);
 99	ctx->onexec = label;
100	ctx->token = stack;
101
102	return 0;
103}
104
105/**
106 * aa_set_current_hat - set the current tasks hat
107 * @label: label to set as the current hat  (NOT NULL)
108 * @token: token value that must be specified to change from the hat
109 *
110 * Do switch of tasks hat.  If the task is currently in a hat
111 * validate the token to match.
112 *
113 * Returns: 0 or error on failure
114 */
115int aa_set_current_hat(struct aa_label *label, u64 token)
116{
117	struct aa_task_ctx *ctx = task_ctx(current);
118	struct cred *new;
119
120	new = prepare_creds();
121	if (!new)
122		return -ENOMEM;
123	AA_BUG(!label);
124
125	if (!ctx->previous) {
126		/* transfer refcount */
127		ctx->previous = cred_label(new);
128		ctx->token = token;
129	} else if (ctx->token == token) {
130		aa_put_label(cred_label(new));
131	} else {
132		/* previous_profile && ctx->token != token */
133		abort_creds(new);
134		return -EACCES;
135	}
136
137	set_cred_label(new, aa_get_newest_label(label));
138	/* clear exec on switching context */
139	aa_put_label(ctx->onexec);
140	ctx->onexec = NULL;
141
142	commit_creds(new);
143	return 0;
144}
145
146/**
147 * aa_restore_previous_label - exit from hat context restoring previous label
148 * @token: the token that must be matched to exit hat context
149 *
150 * Attempt to return out of a hat to the previous label.  The token
151 * must match the stored token value.
152 *
153 * Returns: 0 or error of failure
154 */
155int aa_restore_previous_label(u64 token)
156{
157	struct aa_task_ctx *ctx = task_ctx(current);
158	struct cred *new;
159
160	if (ctx->token != token)
161		return -EACCES;
162	/* ignore restores when there is no saved label */
163	if (!ctx->previous)
164		return 0;
165
166	new = prepare_creds();
167	if (!new)
168		return -ENOMEM;
169
170	aa_put_label(cred_label(new));
171	set_cred_label(new, aa_get_newest_label(ctx->previous));
172	AA_BUG(!cred_label(new));
173	/* clear exec && prev information when restoring to previous context */
174	aa_clear_task_ctx_trans(ctx);
175
176	commit_creds(new);
177
178	return 0;
179}