projects / linux-2.6-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: Redundant condition: prev_ns. in [label.c:1498]
[linux-2.6-block.git] / security / apparmor / lsm.c
CommitLineData
b5e95b48
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor LSM hooks.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
3c4ed7bd 15#include <linux/lsm_hooks.h>
b5e95b48
JJ		 16#include <linux/moduleparam.h>
17#include <linux/mm.h>
18#include <linux/mman.h>
19#include <linux/mount.h>
20#include <linux/namei.h>
21#include <linux/ptrace.h>
22#include <linux/ctype.h>
23#include <linux/sysctl.h>
24#include <linux/audit.h>
3486740a 25#include <linux/user_namespace.h>
e025be0f 26#include <linux/kmemleak.h>
b5e95b48
JJ		 27#include <net/sock.h>
28
29#include "include/apparmor.h"
30#include "include/apparmorfs.h"
31#include "include/audit.h"
32#include "include/capability.h"
33#include "include/context.h"
34#include "include/file.h"
35#include "include/ipc.h"
36#include "include/path.h"
637f688d 37#include "include/label.h"
b5e95b48 38#include "include/policy.h"
cff281f6 39#include "include/policy_ns.h"
b5e95b48
JJ		 40#include "include/procattr.h"
41
42/* Flag indicating whether initialization completed */
545de8fe 43int apparmor_initialized;
b5e95b48 44
d4669f0b
JJ		 45DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
46
47
b5e95b48
JJ		 48/*
49 * LSM hook functions
50 */
51
52/*
637f688d 53 * free the associated aa_task_ctx and put its labels
b5e95b48
JJ		 54 */
55static void apparmor_cred_free(struct cred *cred)
56{
55a26ebf
JJ		 57 aa_free_task_context(cred_ctx(cred));
58 cred_ctx(cred) = NULL;
b5e95b48
JJ		 59}
60
61/*
62 * allocate the apparmor part of blank credentials
63 */
64static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
65{
66 /* freed by apparmor_cred_free */
55a26ebf
JJ		 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
68
69 if (!ctx)
b5e95b48
JJ		 70 return -ENOMEM;
71
55a26ebf 72 cred_ctx(cred) = ctx;
b5e95b48
JJ		 73 return 0;
74}
75
76/*
55a26ebf 77 * prepare new aa_task_ctx for modification by prepare_cred block
b5e95b48
JJ		 78 */
79static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
80 gfp_t gfp)
81{
82 /* freed by apparmor_cred_free */
55a26ebf
JJ		 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
84
85 if (!ctx)
b5e95b48
JJ		 86 return -ENOMEM;
87
55a26ebf
JJ		 88 aa_dup_task_context(ctx, cred_ctx(old));
89 cred_ctx(new) = ctx;
b5e95b48
JJ		 90 return 0;
91}
92
93/*
94 * transfer the apparmor data to a blank set of creds
95 */
96static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
97{
55a26ebf
JJ		 98 const struct aa_task_ctx *old_ctx = cred_ctx(old);
99 struct aa_task_ctx *new_ctx = cred_ctx(new);
b5e95b48 100
55a26ebf 101 aa_dup_task_context(new_ctx, old_ctx);
b5e95b48
JJ		 102}
103
104static int apparmor_ptrace_access_check(struct task_struct *child,
105 unsigned int mode)
106{
b2d09ae4
JJ		 107 struct aa_label *tracer, *tracee;
108 int error;
109
110 tracer = begin_current_label_crit_section();
111 tracee = aa_get_task_label(child);
112 error = aa_may_ptrace(tracer, tracee,
113 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
114 aa_put_label(tracee);
115 end_current_label_crit_section(tracer);
116
117 return error;
b5e95b48
JJ		 118}
119
120static int apparmor_ptrace_traceme(struct task_struct *parent)
121{
b2d09ae4
JJ		 122 struct aa_label *tracer, *tracee;
123 int error;
124
125 tracee = begin_current_label_crit_section();
126 tracer = aa_get_task_label(parent);
127 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
128 aa_put_label(tracer);
129 end_current_label_crit_section(tracee);
130
131 return error;
b5e95b48
JJ		 132}
133
134/* Derived from security/commoncap.c:cap_capget */
135static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
136 kernel_cap_t *inheritable, kernel_cap_t *permitted)
137{
637f688d 138 struct aa_label *label;
b5e95b48
JJ		 139 const struct cred *cred;
140
141 rcu_read_lock();
142 cred = __task_cred(target);
637f688d 143 label = aa_get_newest_cred_label(cred);
c70c86c4 144
b1d9e6b0
CS		 145 /*
146 * cap_capget is stacked ahead of this and will
147 * initialize effective and permitted.
148 */
c70c86c4
JJ		 149 if (!unconfined(label)) {
150 struct aa_profile *profile;
151 struct label_it i;
152
153 label_for_each_confined(i, label, profile) {
154 if (COMPLAIN_MODE(profile))
155 continue;
156 *effective = cap_intersect(*effective,
157 profile->caps.allow);
158 *permitted = cap_intersect(*permitted,
159 profile->caps.allow);
160 }
b5e95b48
JJ		 161 }
162 rcu_read_unlock();
637f688d 163 aa_put_label(label);
b5e95b48
JJ		 164
165 return 0;
166}
167
6a9de491
EP		 168static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
169 int cap, int audit)
b5e95b48 170{
637f688d 171 struct aa_label *label;
b1d9e6b0
CS		 172 int error = 0;
173
637f688d
JJ		 174 label = aa_get_newest_cred_label(cred);
175 if (!unconfined(label))
c70c86c4 176 error = aa_capable(label, cap, audit);
637f688d 177 aa_put_label(label);
cf797c0e 178
b5e95b48
JJ		 179 return error;
180}
181
182/**
183 * common_perm - basic common permission check wrapper fn for paths
184 * @op: operation being checked
185 * @path: path to check permission of (NOT NULL)
186 * @mask: requested permissions mask
187 * @cond: conditional info for the permission request (NOT NULL)
188 *
189 * Returns: %0 else error code if error or permission denied
190 */
47f6e5cc 191static int common_perm(const char *op, const struct path *path, u32 mask,
b5e95b48
JJ		 192 struct path_cond *cond)
193{
637f688d 194 struct aa_label *label;
b5e95b48
JJ		 195 int error = 0;
196
637f688d
JJ		 197 label = __begin_current_label_crit_section();
198 if (!unconfined(label))
aebd873e 199 error = aa_path_perm(op, label, path, 0, mask, cond);
637f688d 200 __end_current_label_crit_section(label);
b5e95b48
JJ		 201
202 return error;
203}
204
205/**
31f75bfe 206 * common_perm_cond - common permission wrapper around inode cond
b5e95b48 207 * @op: operation being checked
31f75bfe 208 * @path: location to check (NOT NULL)
b5e95b48 209 * @mask: requested permissions mask
b5e95b48
JJ		 210 *
211 * Returns: %0 else error code if error or permission denied
212 */
31f75bfe 213static int common_perm_cond(const char *op, const struct path *path, u32 mask)
b5e95b48 214{
31f75bfe
JJ		 215 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
216 d_backing_inode(path->dentry)->i_mode
217 };
b5e95b48 218
31f75bfe
JJ		 219 if (!path_mediated_fs(path->dentry))
220 return 0;
221
222 return common_perm(op, path, mask, &cond);
b5e95b48
JJ		 223}
224
225/**
31f75bfe 226 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
b5e95b48 227 * @op: operation being checked
31f75bfe
JJ		 228 * @dir: directory of the dentry (NOT NULL)
229 * @dentry: dentry to check (NOT NULL)
b5e95b48 230 * @mask: requested permissions mask
31f75bfe 231 * @cond: conditional info for the permission request (NOT NULL)
b5e95b48
JJ		 232 *
233 * Returns: %0 else error code if error or permission denied
234 */
31f75bfe
JJ		 235static int common_perm_dir_dentry(const char *op, const struct path *dir,
236 struct dentry *dentry, u32 mask,
237 struct path_cond *cond)
b5e95b48 238{
31f75bfe 239 struct path path = { .mnt = dir->mnt, .dentry = dentry };
b5e95b48 240
31f75bfe 241 return common_perm(op, &path, mask, cond);
b5e95b48
JJ		 242}
243
244/**
245 * common_perm_rm - common permission wrapper for operations doing rm
246 * @op: operation being checked
247 * @dir: directory that the dentry is in (NOT NULL)
248 * @dentry: dentry being rm'd (NOT NULL)
249 * @mask: requested permission mask
250 *
251 * Returns: %0 else error code if error or permission denied
252 */
47f6e5cc 253static int common_perm_rm(const char *op, const struct path *dir,
b5e95b48
JJ		 254 struct dentry *dentry, u32 mask)
255{
c6f493d6 256 struct inode *inode = d_backing_inode(dentry);
b5e95b48
JJ		 257 struct path_cond cond = { };
258
efeee83a 259 if (!inode || !path_mediated_fs(dentry))
b5e95b48
JJ		 260 return 0;
261
262 cond.uid = inode->i_uid;
263 cond.mode = inode->i_mode;
264
265 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
266}
267
268/**
269 * common_perm_create - common permission wrapper for operations doing create
270 * @op: operation being checked
271 * @dir: directory that dentry will be created in (NOT NULL)
272 * @dentry: dentry to create (NOT NULL)
273 * @mask: request permission mask
274 * @mode: created file mode
275 *
276 * Returns: %0 else error code if error or permission denied
277 */
47f6e5cc 278static int common_perm_create(const char *op, const struct path *dir,
d6b49f7a 279 struct dentry *dentry, u32 mask, umode_t mode)
b5e95b48
JJ		 280{
281 struct path_cond cond = { current_fsuid(), mode };
282
efeee83a 283 if (!path_mediated_fs(dir->dentry))
b5e95b48
JJ		 284 return 0;
285
286 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
287}
288
989f74e0 289static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 290{
291 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
292}
293
d3607752 294static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
4572befe 295 umode_t mode)
b5e95b48
JJ		 296{
297 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
298 S_IFDIR);
299}
300
989f74e0 301static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
b5e95b48
JJ		 302{
303 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
304}
305
d3607752 306static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
04fc66e7 307 umode_t mode, unsigned int dev)
b5e95b48
JJ		 308{
309 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
310}
311
81f4c506 312static int apparmor_path_truncate(const struct path *path)
b5e95b48 313{
e53cfe6c 314 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
b5e95b48
JJ		 315}
316
d3607752 317static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
b5e95b48
JJ		 318 const char *old_name)
319{
320 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
321 S_IFLNK);
322}
323
3ccee46a 324static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
b5e95b48
JJ		 325 struct dentry *new_dentry)
326{
637f688d 327 struct aa_label *label;
b5e95b48
JJ		 328 int error = 0;
329
efeee83a 330 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 331 return 0;
332
637f688d
JJ		 333 label = begin_current_label_crit_section();
334 if (!unconfined(label))
8014370f 335 error = aa_path_link(label, old_dentry, new_dir, new_dentry);
637f688d 336 end_current_label_crit_section(label);
cf797c0e 337
b5e95b48
JJ		 338 return error;
339}
340
3ccee46a
AV		 341static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
342 const struct path *new_dir, struct dentry *new_dentry)
b5e95b48 343{
637f688d 344 struct aa_label *label;
b5e95b48
JJ		 345 int error = 0;
346
efeee83a 347 if (!path_mediated_fs(old_dentry))
b5e95b48
JJ		 348 return 0;
349
637f688d
JJ		 350 label = begin_current_label_crit_section();
351 if (!unconfined(label)) {
8486adf0
KC		 352 struct path old_path = { .mnt = old_dir->mnt,
353 .dentry = old_dentry };
354 struct path new_path = { .mnt = new_dir->mnt,
355 .dentry = new_dentry };
c6f493d6
DH		 356 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
357 d_backing_inode(old_dentry)->i_mode
b5e95b48
JJ		 358 };
359
aebd873e 360 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
e53cfe6c
JJ		 361 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
362 AA_MAY_SETATTR | AA_MAY_DELETE,
b5e95b48
JJ		 363 &cond);
364 if (!error)
aebd873e 365 error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
e53cfe6c 366 0, MAY_WRITE | AA_MAY_SETATTR |
b5e95b48
JJ		 367 AA_MAY_CREATE, &cond);
368
369 }
637f688d 370 end_current_label_crit_section(label);
cf797c0e 371
b5e95b48
JJ		 372 return error;
373}
374
be01f9f2 375static int apparmor_path_chmod(const struct path *path, umode_t mode)
b5e95b48 376{
31f75bfe 377 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
b5e95b48
JJ		 378}
379
7fd25dac 380static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
b5e95b48 381{
31f75bfe 382 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
b5e95b48
JJ		 383}
384
3f7036a0 385static int apparmor_inode_getattr(const struct path *path)
b5e95b48 386{
e53cfe6c 387 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
b5e95b48
JJ		 388}
389
83d49856 390static int apparmor_file_open(struct file *file, const struct cred *cred)
b5e95b48 391{
637f688d
JJ		 392 struct aa_file_ctx *fctx = file_ctx(file);
393 struct aa_label *label;
b5e95b48
JJ		 394 int error = 0;
395
efeee83a 396 if (!path_mediated_fs(file->f_path.dentry))
b5e95b48
JJ		 397 return 0;
398
399 /* If in exec, permission is handled by bprm hooks.
400 * Cache permissions granted by the previous exec check, with
401 * implicit read and executable mmap which are required to
402 * actually execute the image.
403 */
404 if (current->in_execve) {
55a26ebf 405 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
b5e95b48
JJ		 406 return 0;
407 }
408
637f688d
JJ		 409 label = aa_get_newest_cred_label(cred);
410 if (!unconfined(label)) {
496ad9aa 411 struct inode *inode = file_inode(file);
b5e95b48
JJ		 412 struct path_cond cond = { inode->i_uid, inode->i_mode };
413
aebd873e 414 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
b5e95b48
JJ		 415 aa_map_file_to_perms(file), &cond);
416 /* todo cache full allowed permissions set and state */
55a26ebf 417 fctx->allow = aa_map_file_to_perms(file);
b5e95b48 418 }
637f688d 419 aa_put_label(label);
b5e95b48
JJ		 420
421 return error;
422}
423
424static int apparmor_file_alloc_security(struct file *file)
425{
cf797c0e
JJ		 426 int error = 0;
427
b5e95b48 428 /* freed by apparmor_file_free_security */
637f688d 429 struct aa_label *label = begin_current_label_crit_section();
190a9518 430 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
2835a13b
JJ		 431 if (!file_ctx(file))
432 error = -ENOMEM;
637f688d 433 end_current_label_crit_section(label);
b5e95b48 434
cf797c0e 435 return error;
b5e95b48
JJ		 436}
437
438static void apparmor_file_free_security(struct file *file)
439{
2835a13b 440 aa_free_file_ctx(file_ctx(file));
b5e95b48
JJ		 441}
442
47f6e5cc 443static int common_file_perm(const char *op, struct file *file, u32 mask)
b5e95b48 444{
190a9518 445 struct aa_label *label;
b5e95b48
JJ		 446 int error = 0;
447
192ca6b5
JJ		 448 /* don't reaudit files closed during inheritance */
449 if (file->f_path.dentry == aa_null.dentry)
450 return -EACCES;
451
637f688d 452 label = __begin_current_label_crit_section();
190a9518 453 error = aa_file_perm(op, label, file, mask);
637f688d 454 __end_current_label_crit_section(label);
b5e95b48
JJ		 455
456 return error;
457}
458
064dc947
JJ		 459static int apparmor_file_receive(struct file *file)
460{
461 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
462}
463
b5e95b48
JJ		 464static int apparmor_file_permission(struct file *file, int mask)
465{
466 return common_file_perm(OP_FPERM, file, mask);
467}
468
469static int apparmor_file_lock(struct file *file, unsigned int cmd)
470{
471 u32 mask = AA_MAY_LOCK;
472
473 if (cmd == F_WRLCK)
474 mask |= MAY_WRITE;
475
476 return common_file_perm(OP_FLOCK, file, mask);
477}
478
47f6e5cc 479static int common_mmap(const char *op, struct file *file, unsigned long prot,
b5e95b48
JJ		 480 unsigned long flags)
481{
b5e95b48
JJ		 482 int mask = 0;
483
637f688d 484 if (!file || !file_ctx(file))
b5e95b48
JJ		 485 return 0;
486
487 if (prot & PROT_READ)
488 mask |= MAY_READ;
489 /*
490 * Private mappings don't require write perms since they don't
491 * write back to the files
492 */
493 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
494 mask |= MAY_WRITE;
495 if (prot & PROT_EXEC)
496 mask |= AA_EXEC_MMAP;
497
b5e95b48
JJ		 498 return common_file_perm(op, file, mask);
499}
500
e5467859
AV		 501static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
502 unsigned long prot, unsigned long flags)
b5e95b48 503{
b5e95b48
JJ		 504 return common_mmap(OP_FMMAP, file, prot, flags);
505}
506
507static int apparmor_file_mprotect(struct vm_area_struct *vma,
508 unsigned long reqprot, unsigned long prot)
509{
510 return common_mmap(OP_FMPROT, vma->vm_file, prot,
511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
512}
513
514static int apparmor_getprocattr(struct task_struct *task, char *name,
515 char **value)
516{
517 int error = -ENOENT;
b5e95b48
JJ		 518 /* released below */
519 const struct cred *cred = get_task_cred(task);
55a26ebf 520 struct aa_task_ctx *ctx = cred_ctx(cred);
637f688d 521 struct aa_label *label = NULL;
b5e95b48
JJ		 522
523 if (strcmp(name, "current") == 0)
637f688d 524 label = aa_get_newest_label(ctx->label);
55a26ebf 525 else if (strcmp(name, "prev") == 0 && ctx->previous)
637f688d 526 label = aa_get_newest_label(ctx->previous);
55a26ebf 527 else if (strcmp(name, "exec") == 0 && ctx->onexec)
637f688d 528 label = aa_get_newest_label(ctx->onexec);
b5e95b48
JJ		 529 else
530 error = -EINVAL;
531
637f688d 532 if (label)
76a1d263 533 error = aa_getprocattr(label, value);
77b071b3 534
637f688d 535 aa_put_label(label);
b5e95b48
JJ		 536 put_cred(cred);
537
538 return error;
539}
540
b21507e2
SS		 541static int apparmor_setprocattr(const char *name, void *value,
542 size_t size)
b5e95b48 543{
e89b8081 544 char *command, *largs = NULL, *args = value;
b5e95b48
JJ		 545 size_t arg_size;
546 int error;
ef88a7ac 547 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
b5e95b48
JJ		 548
549 if (size == 0)
550 return -EINVAL;
b5e95b48 551
e89b8081
VN		 552 /* AppArmor requires that the buffer must be null terminated atm */
553 if (args[size - 1] != '\0') {
554 /* null terminate */
555 largs = args = kmalloc(size + 1, GFP_KERNEL);
556 if (!args)
557 return -ENOMEM;
558 memcpy(args, value, size);
559 args[size] = '\0';
560 }
561
562 error = -EINVAL;
b5e95b48
JJ		 563 args = strim(args);
564 command = strsep(&args, " ");
565 if (!args)
e89b8081 566 goto out;
b5e95b48
JJ		 567 args = skip_spaces(args);
568 if (!*args)
e89b8081 569 goto out;
b5e95b48 570
d4d03f74 571 arg_size = size - (args - (largs ? largs : (char *) value));
b5e95b48
JJ		 572 if (strcmp(name, "current") == 0) {
573 if (strcmp(command, "changehat") == 0) {
574 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 575 AA_CHANGE_NOFLAGS);
b5e95b48
JJ		 576 } else if (strcmp(command, "permhat") == 0) {
577 error = aa_setprocattr_changehat(args, arg_size,
df8073c6 578 AA_CHANGE_TEST);
b5e95b48 579 } else if (strcmp(command, "changeprofile") == 0) {
df8073c6 580 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
b5e95b48 581 } else if (strcmp(command, "permprofile") == 0) {
df8073c6 582 error = aa_change_profile(args, AA_CHANGE_TEST);
6c5fc8f1
JJ		 583 } else if (strcmp(command, "stack") == 0) {
584 error = aa_change_profile(args, AA_CHANGE_STACK);
3eea57c2
JJ		 585 } else
586 goto fail;
b5e95b48 587 } else if (strcmp(name, "exec") == 0) {
3eea57c2 588 if (strcmp(command, "exec") == 0)
df8073c6 589 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
6c5fc8f1
JJ		 590 else if (strcmp(command, "stack") == 0)
591 error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
592 AA_CHANGE_STACK));
3eea57c2
JJ		 593 else
594 goto fail;
595 } else
b5e95b48 596 /* only support the "current" and "exec" process attributes */
e89b8081 597 goto fail;
3eea57c2 598
b5e95b48
JJ		 599 if (!error)
600 error = size;
e89b8081
VN		 601out:
602 kfree(largs);
b5e95b48 603 return error;
3eea57c2
JJ		 604
605fail:
637f688d 606 aad(&sa)->label = begin_current_label_crit_section();
ef88a7ac
JJ		 607 aad(&sa)->info = name;
608 aad(&sa)->error = error = -EINVAL;
3eea57c2 609 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
637f688d 610 end_current_label_crit_section(aad(&sa)->label);
e89b8081 611 goto out;
b5e95b48
JJ		 612}
613
fe864821
JJ		 614/**
615 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
616 * @bprm: binprm for the exec (NOT NULL)
617 */
618static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
619{
637f688d 620 struct aa_label *label = aa_current_raw_label();
fe864821
JJ		 621 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);
622
623 /* bail out if unconfined or not changing profile */
637f688d
JJ		 624 if ((new_ctx->label->proxy == label->proxy) ||
625 (unconfined(new_ctx->label)))
fe864821
JJ		 626 return;
627
192ca6b5
JJ		 628 aa_inherit_files(bprm->cred, current->files);
629
fe864821
JJ		 630 current->pdeath_signal = 0;
631
637f688d 632 /* reset soft limits and set hard limits for the new label */
86b92cb7 633 __aa_transition_rlimits(label, new_ctx->label);
fe864821
JJ		 634}
635
636/**
637 * apparmor_bprm_committed_cred - do cleanup after new creds committed
638 * @bprm: binprm for the exec (NOT NULL)
639 */
640static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
641{
642 /* TODO: cleanup signals - ipc mediation */
643 return;
644}
645
7cb4dc9f
JS		 646static int apparmor_task_setrlimit(struct task_struct *task,
647 unsigned int resource, struct rlimit *new_rlim)
b5e95b48 648{
637f688d 649 struct aa_label *label = __begin_current_label_crit_section();
b5e95b48
JJ		 650 int error = 0;
651
637f688d 652 if (!unconfined(label))
86b92cb7 653 error = aa_task_setrlimit(label, task, resource, new_rlim);
637f688d 654 __end_current_label_crit_section(label);
b5e95b48
JJ		 655
656 return error;
657}
658
ca97d939 659static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
e20b043a
CS		 660 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
661 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
662 LSM_HOOK_INIT(capget, apparmor_capget),
663 LSM_HOOK_INIT(capable, apparmor_capable),
664
665 LSM_HOOK_INIT(path_link, apparmor_path_link),
666 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
667 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
668 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
669 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
670 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
671 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
672 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
673 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
674 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
675 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
676
677 LSM_HOOK_INIT(file_open, apparmor_file_open),
064dc947 678 LSM_HOOK_INIT(file_receive, apparmor_file_receive),
e20b043a
CS		 679 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
680 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
681 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
682 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
e20b043a
CS		 683 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
684 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
685
686 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
687 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
688
689 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
690 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
691 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
692 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
693
694 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
695 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
696 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
697 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
698
699 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
b5e95b48
JJ		 700};
701
702/*
703 * AppArmor sysfs module parameters
704 */
705
101d6c82
SR		 706static int param_set_aabool(const char *val, const struct kernel_param *kp);
707static int param_get_aabool(char *buffer, const struct kernel_param *kp);
b8aa09fd 708#define param_check_aabool param_check_bool
9c27847d 709static const struct kernel_param_ops param_ops_aabool = {
6a4c2643 710 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 711 .set = param_set_aabool,
712 .get = param_get_aabool
713};
b5e95b48 714
101d6c82
SR		 715static int param_set_aauint(const char *val, const struct kernel_param *kp);
716static int param_get_aauint(char *buffer, const struct kernel_param *kp);
b8aa09fd 717#define param_check_aauint param_check_uint
9c27847d 718static const struct kernel_param_ops param_ops_aauint = {
101d6c82
SR		 719 .set = param_set_aauint,
720 .get = param_get_aauint
721};
b5e95b48 722
101d6c82
SR		 723static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
724static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
b8aa09fd 725#define param_check_aalockpolicy param_check_bool
9c27847d 726static const struct kernel_param_ops param_ops_aalockpolicy = {
6a4c2643 727 .flags = KERNEL_PARAM_OPS_FL_NOARG,
101d6c82
SR		 728 .set = param_set_aalockpolicy,
729 .get = param_get_aalockpolicy
730};
b5e95b48
JJ		 731
732static int param_set_audit(const char *val, struct kernel_param *kp);
733static int param_get_audit(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 734
735static int param_set_mode(const char *val, struct kernel_param *kp);
736static int param_get_mode(char *buffer, struct kernel_param *kp);
b5e95b48
JJ		 737
738/* Flag values, also controllable via /sys/module/apparmor/parameters
739 * We define special types as we want to do additional mediation.
740 */
741
742/* AppArmor global enforcement switch - complain, enforce, kill */
743enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
744module_param_call(mode, param_set_mode, param_get_mode,
745 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
746
6059f71f 747/* whether policy verification hashing is enabled */
7616ac70 748bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
3ccb76c5 749#ifdef CONFIG_SECURITY_APPARMOR_HASH
6059f71f 750module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
7616ac70 751#endif
6059f71f 752
b5e95b48 753/* Debug mode */
eea7a05f 754bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
b5e95b48
JJ		 755module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
756
757/* Audit mode */
758enum audit_mode aa_g_audit;
759module_param_call(audit, param_set_audit, param_get_audit,
760 &aa_g_audit, S_IRUSR | S_IWUSR);
761
762/* Determines if audit header is included in audited messages. This
763 * provides more context if the audit daemon is not running
764 */
90ab5ee9 765bool aa_g_audit_header = 1;
b5e95b48
JJ		 766module_param_named(audit_header, aa_g_audit_header, aabool,
767 S_IRUSR | S_IWUSR);
768
769/* lock out loading/removal of policy
770 * TODO: add in at boot loading of policy, which is the only way to
771 * load policy, if lock_policy is set
772 */
90ab5ee9 773bool aa_g_lock_policy;
b5e95b48
JJ		 774module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
775 S_IRUSR | S_IWUSR);
776
777/* Syscall logging mode */
90ab5ee9 778bool aa_g_logsyscall;
b5e95b48
JJ		 779module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
780
781/* Maximum pathname length before accesses will start getting rejected */
782unsigned int aa_g_path_max = 2 * PATH_MAX;
622f6e32 783module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
b5e95b48
JJ		 784
785/* Determines how paranoid loading of policy is and how much verification
786 * on the loaded policy is done.
abbf8734
JJ		 787 * DEPRECATED: read only as strict checking of load is always done now
788 * that none root users (user namespaces) can load policy.
b5e95b48 789 */
90ab5ee9 790bool aa_g_paranoid_load = 1;
abbf8734 791module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
b5e95b48
JJ		 792
793/* Boot time disable flag */
90ab5ee9 794static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
c611616c 795module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
b5e95b48
JJ		 796
797static int __init apparmor_enabled_setup(char *str)
798{
799 unsigned long enabled;
29707b20 800 int error = kstrtoul(str, 0, &enabled);
b5e95b48
JJ		 801 if (!error)
802 apparmor_enabled = enabled ? 1 : 0;
803 return 1;
804}
805
806__setup("apparmor=", apparmor_enabled_setup);
807
808/* set global flag turning off the ability to load policy */
101d6c82 809static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
b5e95b48 810{
545de8fe
JJ		 811 if (!apparmor_enabled)
812 return -EINVAL;
813 if (apparmor_initialized && !policy_admin_capable(NULL))
b5e95b48 814 return -EPERM;
b5e95b48
JJ		 815 return param_set_bool(val, kp);
816}
817
101d6c82 818static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
b5e95b48 819{
ca4bd5ae
JJ		 820 if (!apparmor_enabled)
821 return -EINVAL;
545de8fe
JJ		 822 if (apparmor_initialized && !policy_view_capable(NULL))
823 return -EPERM;
b5e95b48
JJ		 824 return param_get_bool(buffer, kp);
825}
826
101d6c82 827static int param_set_aabool(const char *val, const struct kernel_param *kp)
b5e95b48 828{
ca4bd5ae
JJ		 829 if (!apparmor_enabled)
830 return -EINVAL;
545de8fe
JJ		 831 if (apparmor_initialized && !policy_admin_capable(NULL))
832 return -EPERM;
b5e95b48
JJ		 833 return param_set_bool(val, kp);
834}
835
101d6c82 836static int param_get_aabool(char *buffer, const struct kernel_param *kp)
b5e95b48 837{
ca4bd5ae
JJ		 838 if (!apparmor_enabled)
839 return -EINVAL;
545de8fe
JJ		 840 if (apparmor_initialized && !policy_view_capable(NULL))
841 return -EPERM;
b5e95b48
JJ		 842 return param_get_bool(buffer, kp);
843}
844
101d6c82 845static int param_set_aauint(const char *val, const struct kernel_param *kp)
b5e95b48 846{
39d84824
JJ		 847 int error;
848
ca4bd5ae
JJ		 849 if (!apparmor_enabled)
850 return -EINVAL;
39d84824
JJ		 851 /* file is ro but enforce 2nd line check */
852 if (apparmor_initialized)
545de8fe 853 return -EPERM;
39d84824
JJ		 854
855 error = param_set_uint(val, kp);
856 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
857
858 return error;
b5e95b48
JJ		 859}
860
101d6c82 861static int param_get_aauint(char *buffer, const struct kernel_param *kp)
b5e95b48 862{
ca4bd5ae
JJ		 863 if (!apparmor_enabled)
864 return -EINVAL;
545de8fe
JJ		 865 if (apparmor_initialized && !policy_view_capable(NULL))
866 return -EPERM;
b5e95b48
JJ		 867 return param_get_uint(buffer, kp);
868}
869
870static int param_get_audit(char *buffer, struct kernel_param *kp)
871{
b5e95b48
JJ		 872 if (!apparmor_enabled)
873 return -EINVAL;
545de8fe
JJ		 874 if (apparmor_initialized && !policy_view_capable(NULL))
875 return -EPERM;
b5e95b48
JJ		 876 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
877}
878
879static int param_set_audit(const char *val, struct kernel_param *kp)
880{
881 int i;
b5e95b48
JJ		 882
883 if (!apparmor_enabled)
884 return -EINVAL;
b5e95b48
JJ		 885 if (!val)
886 return -EINVAL;
545de8fe
JJ		 887 if (apparmor_initialized && !policy_admin_capable(NULL))
888 return -EPERM;
b5e95b48
JJ		 889
890 for (i = 0; i < AUDIT_MAX_INDEX; i++) {
891 if (strcmp(val, audit_mode_names[i]) == 0) {
892 aa_g_audit = i;
893 return 0;
894 }
895 }
896
897 return -EINVAL;
898}
899
900static int param_get_mode(char *buffer, struct kernel_param *kp)
901{
b5e95b48
JJ		 902 if (!apparmor_enabled)
903 return -EINVAL;
545de8fe
JJ		 904 if (apparmor_initialized && !policy_view_capable(NULL))
905 return -EPERM;
b5e95b48 906
0d259f04 907 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
b5e95b48
JJ		 908}
909
910static int param_set_mode(const char *val, struct kernel_param *kp)
911{
912 int i;
b5e95b48
JJ		 913
914 if (!apparmor_enabled)
915 return -EINVAL;
b5e95b48
JJ		 916 if (!val)
917 return -EINVAL;
545de8fe
JJ		 918 if (apparmor_initialized && !policy_admin_capable(NULL))
919 return -EPERM;
b5e95b48 920
0d259f04
JJ		 921 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
922 if (strcmp(val, aa_profile_mode_names[i]) == 0) {
b5e95b48
JJ		 923 aa_g_profile_mode = i;
924 return 0;
925 }
926 }
927
928 return -EINVAL;
929}
930
931/*
932 * AppArmor init functions
933 */
934
935/**
55a26ebf 936 * set_init_ctx - set a task context and profile on the first task.
b5e95b48
JJ		 937 *
938 * TODO: allow setting an alternate profile than unconfined
939 */
55a26ebf 940static int __init set_init_ctx(void)
b5e95b48
JJ		 941{
942 struct cred *cred = (struct cred *)current->real_cred;
55a26ebf 943 struct aa_task_ctx *ctx;
b5e95b48 944
55a26ebf
JJ		 945 ctx = aa_alloc_task_context(GFP_KERNEL);
946 if (!ctx)
b5e95b48
JJ		 947 return -ENOMEM;
948
637f688d 949 ctx->label = aa_get_label(ns_unconfined(root_ns));
55a26ebf 950 cred_ctx(cred) = ctx;
b5e95b48
JJ		 951
952 return 0;
953}
954
d4669f0b
JJ		 955static void destroy_buffers(void)
956{
957 u32 i, j;
958
959 for_each_possible_cpu(i) {
960 for_each_cpu_buffer(j) {
961 kfree(per_cpu(aa_buffers, i).buf[j]);
962 per_cpu(aa_buffers, i).buf[j] = NULL;
963 }
964 }
965}
966
967static int __init alloc_buffers(void)
968{
969 u32 i, j;
970
971 for_each_possible_cpu(i) {
972 for_each_cpu_buffer(j) {
973 char *buffer;
974
975 if (cpu_to_node(i) > num_online_nodes())
976 /* fallback to kmalloc for offline nodes */
977 buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
978 else
979 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
980 cpu_to_node(i));
981 if (!buffer) {
982 destroy_buffers();
983 return -ENOMEM;
984 }
985 per_cpu(aa_buffers, i).buf[j] = buffer;
986 }
987 }
988
989 return 0;
990}
991
e3ea1ca5
TH		 992#ifdef CONFIG_SYSCTL
993static int apparmor_dointvec(struct ctl_table *table, int write,
994 void __user *buffer, size_t *lenp, loff_t *ppos)
995{
996 if (!policy_admin_capable(NULL))
997 return -EPERM;
998 if (!apparmor_enabled)
999 return -EINVAL;
1000
1001 return proc_dointvec(table, write, buffer, lenp, ppos);
1002}
1003
1004static struct ctl_path apparmor_sysctl_path[] = {
1005 { .procname = "kernel", },
1006 { }
1007};
1008
1009static struct ctl_table apparmor_sysctl_table[] = {
1010 {
1011 .procname = "unprivileged_userns_apparmor_policy",
1012 .data = &unprivileged_userns_apparmor_policy,
1013 .maxlen = sizeof(int),
1014 .mode = 0600,
1015 .proc_handler = apparmor_dointvec,
1016 },
1017 { }
1018};
1019
1020static int __init apparmor_init_sysctl(void)
1021{
1022 return register_sysctl_paths(apparmor_sysctl_path,
1023 apparmor_sysctl_table) ? 0 : -ENOMEM;
1024}
1025#else
1026static inline int apparmor_init_sysctl(void)
1027{
1028 return 0;
1029}
1030#endif /* CONFIG_SYSCTL */
1031
b5e95b48
JJ		 1032static int __init apparmor_init(void)
1033{
1034 int error;
1035
b1d9e6b0 1036 if (!apparmor_enabled || !security_module_enable("apparmor")) {
b5e95b48
JJ		 1037 aa_info_message("AppArmor disabled by boot time parameter");
1038 apparmor_enabled = 0;
1039 return 0;
1040 }
1041
11c236b8
JJ		 1042 error = aa_setup_dfa_engine();
1043 if (error) {
1044 AA_ERROR("Unable to setup dfa engine\n");
1045 goto alloc_out;
1046 }
1047
b5e95b48
JJ		 1048 error = aa_alloc_root_ns();
1049 if (error) {
1050 AA_ERROR("Unable to allocate default profile namespace\n");
1051 goto alloc_out;
1052 }
1053
e3ea1ca5
TH		 1054 error = apparmor_init_sysctl();
1055 if (error) {
1056 AA_ERROR("Unable to register sysctls\n");
1057 goto alloc_out;
1058
1059 }
1060
d4669f0b
JJ		 1061 error = alloc_buffers();
1062 if (error) {
1063 AA_ERROR("Unable to allocate work buffers\n");
1064 goto buffers_out;
1065 }
1066
55a26ebf 1067 error = set_init_ctx();
b5e95b48
JJ		 1068 if (error) {
1069 AA_ERROR("Failed to set context on init task\n");
b1d9e6b0 1070 aa_free_root_ns();
d4669f0b 1071 goto buffers_out;
b5e95b48 1072 }
d69dece5
CS		 1073 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1074 "apparmor");
b5e95b48
JJ		 1075
1076 /* Report that AppArmor successfully initialized */
1077 apparmor_initialized = 1;
1078 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1079 aa_info_message("AppArmor initialized: complain mode enabled");
1080 else if (aa_g_profile_mode == APPARMOR_KILL)
1081 aa_info_message("AppArmor initialized: kill mode enabled");
1082 else
1083 aa_info_message("AppArmor initialized");
1084
1085 return error;
1086
d4669f0b
JJ		 1087buffers_out:
1088 destroy_buffers();
1089
b5e95b48
JJ		 1090alloc_out:
1091 aa_destroy_aafs();
11c236b8 1092 aa_teardown_dfa_engine();
b5e95b48
JJ		 1093
1094 apparmor_enabled = 0;
1095 return error;
b5e95b48
JJ		 1096}
1097
1098security_initcall(apparmor_init);
Linux 6.x block layer and io_uring tree(s)