Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2ea3ffb7 JJ |
2 | /* |
3 | * AppArmor security module | |
4 | * | |
5 | * This file contains AppArmor mediation of files | |
6 | * | |
7 | * Copyright (C) 1998-2008 Novell/SUSE | |
8 | * Copyright 2009-2017 Canonical Ltd. | |
2ea3ffb7 JJ |
9 | */ |
10 | ||
11 | #include <linux/fs.h> | |
12 | #include <linux/mount.h> | |
13 | #include <linux/namei.h> | |
e262e32d | 14 | #include <uapi/linux/mount.h> |
2ea3ffb7 JJ |
15 | |
16 | #include "include/apparmor.h" | |
17 | #include "include/audit.h" | |
d8889d49 | 18 | #include "include/cred.h" |
2ea3ffb7 JJ |
19 | #include "include/domain.h" |
20 | #include "include/file.h" | |
21 | #include "include/match.h" | |
22 | #include "include/mount.h" | |
23 | #include "include/path.h" | |
24 | #include "include/policy.h" | |
25 | ||
26 | ||
27 | static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) | |
28 | { | |
29 | if (flags & MS_RDONLY) | |
30 | audit_log_format(ab, "ro"); | |
31 | else | |
32 | audit_log_format(ab, "rw"); | |
33 | if (flags & MS_NOSUID) | |
34 | audit_log_format(ab, ", nosuid"); | |
35 | if (flags & MS_NODEV) | |
36 | audit_log_format(ab, ", nodev"); | |
37 | if (flags & MS_NOEXEC) | |
38 | audit_log_format(ab, ", noexec"); | |
39 | if (flags & MS_SYNCHRONOUS) | |
40 | audit_log_format(ab, ", sync"); | |
41 | if (flags & MS_REMOUNT) | |
42 | audit_log_format(ab, ", remount"); | |
43 | if (flags & MS_MANDLOCK) | |
44 | audit_log_format(ab, ", mand"); | |
45 | if (flags & MS_DIRSYNC) | |
46 | audit_log_format(ab, ", dirsync"); | |
47 | if (flags & MS_NOATIME) | |
48 | audit_log_format(ab, ", noatime"); | |
49 | if (flags & MS_NODIRATIME) | |
50 | audit_log_format(ab, ", nodiratime"); | |
51 | if (flags & MS_BIND) | |
52 | audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); | |
53 | if (flags & MS_MOVE) | |
54 | audit_log_format(ab, ", move"); | |
55 | if (flags & MS_SILENT) | |
56 | audit_log_format(ab, ", silent"); | |
57 | if (flags & MS_POSIXACL) | |
58 | audit_log_format(ab, ", acl"); | |
59 | if (flags & MS_UNBINDABLE) | |
60 | audit_log_format(ab, flags & MS_REC ? ", runbindable" : | |
61 | ", unbindable"); | |
62 | if (flags & MS_PRIVATE) | |
63 | audit_log_format(ab, flags & MS_REC ? ", rprivate" : | |
64 | ", private"); | |
65 | if (flags & MS_SLAVE) | |
66 | audit_log_format(ab, flags & MS_REC ? ", rslave" : | |
67 | ", slave"); | |
68 | if (flags & MS_SHARED) | |
69 | audit_log_format(ab, flags & MS_REC ? ", rshared" : | |
70 | ", shared"); | |
71 | if (flags & MS_RELATIME) | |
72 | audit_log_format(ab, ", relatime"); | |
73 | if (flags & MS_I_VERSION) | |
74 | audit_log_format(ab, ", iversion"); | |
75 | if (flags & MS_STRICTATIME) | |
76 | audit_log_format(ab, ", strictatime"); | |
77 | if (flags & MS_NOUSER) | |
78 | audit_log_format(ab, ", nouser"); | |
79 | } | |
80 | ||
81 | /** | |
82 | * audit_cb - call back for mount specific audit fields | |
83 | * @ab: audit_buffer (NOT NULL) | |
84 | * @va: audit struct to audit values of (NOT NULL) | |
85 | */ | |
86 | static void audit_cb(struct audit_buffer *ab, void *va) | |
87 | { | |
88 | struct common_audit_data *sa = va; | |
bd7bd201 | 89 | struct apparmor_audit_data *ad = aad(sa); |
2ea3ffb7 | 90 | |
bd7bd201 | 91 | if (ad->mnt.type) { |
2ea3ffb7 | 92 | audit_log_format(ab, " fstype="); |
bd7bd201 | 93 | audit_log_untrustedstring(ab, ad->mnt.type); |
2ea3ffb7 | 94 | } |
bd7bd201 | 95 | if (ad->mnt.src_name) { |
2ea3ffb7 | 96 | audit_log_format(ab, " srcname="); |
bd7bd201 | 97 | audit_log_untrustedstring(ab, ad->mnt.src_name); |
2ea3ffb7 | 98 | } |
bd7bd201 | 99 | if (ad->mnt.trans) { |
2ea3ffb7 | 100 | audit_log_format(ab, " trans="); |
bd7bd201 | 101 | audit_log_untrustedstring(ab, ad->mnt.trans); |
2ea3ffb7 | 102 | } |
bd7bd201 | 103 | if (ad->mnt.flags) { |
2ea3ffb7 | 104 | audit_log_format(ab, " flags=\""); |
bd7bd201 | 105 | audit_mnt_flags(ab, ad->mnt.flags); |
2ea3ffb7 JJ |
106 | audit_log_format(ab, "\""); |
107 | } | |
bd7bd201 | 108 | if (ad->mnt.data) { |
2ea3ffb7 | 109 | audit_log_format(ab, " options="); |
bd7bd201 | 110 | audit_log_untrustedstring(ab, ad->mnt.data); |
2ea3ffb7 JJ |
111 | } |
112 | } | |
113 | ||
114 | /** | |
115 | * audit_mount - handle the auditing of mount operations | |
90c436a6 | 116 | * @subj_cred: cred of the subject |
2ea3ffb7 JJ |
117 | * @profile: the profile being enforced (NOT NULL) |
118 | * @op: operation being mediated (NOT NULL) | |
119 | * @name: name of object being mediated (MAYBE NULL) | |
120 | * @src_name: src_name of object being mediated (MAYBE_NULL) | |
121 | * @type: type of filesystem (MAYBE_NULL) | |
122 | * @trans: name of trans (MAYBE NULL) | |
68a1a0c6 | 123 | * @flags: filesystem independent mount flags |
2ea3ffb7 JJ |
124 | * @data: filesystem mount flags |
125 | * @request: permissions requested | |
126 | * @perms: the permissions computed for the request (NOT NULL) | |
127 | * @info: extra information message (MAYBE NULL) | |
128 | * @error: 0 if operation allowed else failure error code | |
129 | * | |
130 | * Returns: %0 or error on failure | |
131 | */ | |
90c436a6 JJ |
132 | static int audit_mount(const struct cred *subj_cred, |
133 | struct aa_profile *profile, const char *op, | |
2ea3ffb7 JJ |
134 | const char *name, const char *src_name, |
135 | const char *type, const char *trans, | |
136 | unsigned long flags, const void *data, u32 request, | |
137 | struct aa_perms *perms, const char *info, int error) | |
138 | { | |
139 | int audit_type = AUDIT_APPARMOR_AUTO; | |
bd7bd201 | 140 | DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); |
2ea3ffb7 JJ |
141 | |
142 | if (likely(!error)) { | |
143 | u32 mask = perms->audit; | |
144 | ||
145 | if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) | |
146 | mask = 0xffff; | |
147 | ||
148 | /* mask off perms that are not being force audited */ | |
149 | request &= mask; | |
150 | ||
151 | if (likely(!request)) | |
152 | return 0; | |
153 | audit_type = AUDIT_APPARMOR_AUDIT; | |
154 | } else { | |
155 | /* only report permissions that were denied */ | |
156 | request = request & ~perms->allow; | |
157 | ||
158 | if (request & perms->kill) | |
159 | audit_type = AUDIT_APPARMOR_KILL; | |
160 | ||
161 | /* quiet known rejects, assumes quiet and kill do not overlap */ | |
162 | if ((request & perms->quiet) && | |
163 | AUDIT_MODE(profile) != AUDIT_NOQUIET && | |
164 | AUDIT_MODE(profile) != AUDIT_ALL) | |
165 | request &= ~perms->quiet; | |
166 | ||
167 | if (!request) | |
168 | return error; | |
169 | } | |
170 | ||
90c436a6 | 171 | ad.subj_cred = subj_cred; |
bd7bd201 JJ |
172 | ad.name = name; |
173 | ad.mnt.src_name = src_name; | |
174 | ad.mnt.type = type; | |
175 | ad.mnt.trans = trans; | |
176 | ad.mnt.flags = flags; | |
2ea3ffb7 | 177 | if (data && (perms->audit & AA_AUDIT_DATA)) |
bd7bd201 JJ |
178 | ad.mnt.data = data; |
179 | ad.info = info; | |
180 | ad.error = error; | |
2ea3ffb7 | 181 | |
bd7bd201 | 182 | return aa_audit(audit_type, profile, &ad, audit_cb); |
2ea3ffb7 JJ |
183 | } |
184 | ||
185 | /** | |
186 | * match_mnt_flags - Do an ordered match on mount flags | |
187 | * @dfa: dfa to match against | |
188 | * @state: state to start in | |
189 | * @flags: mount flags to match against | |
190 | * | |
191 | * Mount flags are encoded as an ordered match. This is done instead of | |
192 | * checking against a simple bitmask, to allow for logical operations | |
193 | * on the flags. | |
194 | * | |
195 | * Returns: next state after flags match | |
196 | */ | |
33fc95d8 | 197 | static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, |
2ea3ffb7 JJ |
198 | unsigned long flags) |
199 | { | |
200 | unsigned int i; | |
201 | ||
202 | for (i = 0; i <= 31 ; ++i) { | |
203 | if ((1 << i) & flags) | |
204 | state = aa_dfa_next(dfa, state, i + 1); | |
205 | } | |
206 | ||
207 | return state; | |
208 | } | |
209 | ||
2ea3ffb7 JJ |
210 | static const char * const mnt_info_table[] = { |
211 | "match succeeded", | |
212 | "failed mntpnt match", | |
213 | "failed srcname match", | |
214 | "failed type match", | |
215 | "failed flags match", | |
ec240b59 JJ |
216 | "failed data match", |
217 | "failed perms check" | |
2ea3ffb7 JJ |
218 | }; |
219 | ||
220 | /* | |
221 | * Returns 0 on success else element that match failed in, this is the | |
222 | * index into the mnt_info_table above | |
223 | */ | |
33fc95d8 | 224 | static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, |
2ea3ffb7 JJ |
225 | const char *mntpnt, const char *devname, |
226 | const char *type, unsigned long flags, | |
227 | void *data, bool binary, struct aa_perms *perms) | |
228 | { | |
33fc95d8 | 229 | aa_state_t state; |
2ea3ffb7 | 230 | |
e2967ede JJ |
231 | AA_BUG(!policy); |
232 | AA_BUG(!policy->dfa); | |
233 | AA_BUG(!policy->perms); | |
2ea3ffb7 JJ |
234 | AA_BUG(!perms); |
235 | ||
e2967ede JJ |
236 | state = aa_dfa_match(policy->dfa, start, mntpnt); |
237 | state = aa_dfa_null_transition(policy->dfa, state); | |
2ea3ffb7 JJ |
238 | if (!state) |
239 | return 1; | |
240 | ||
241 | if (devname) | |
e2967ede JJ |
242 | state = aa_dfa_match(policy->dfa, state, devname); |
243 | state = aa_dfa_null_transition(policy->dfa, state); | |
2ea3ffb7 JJ |
244 | if (!state) |
245 | return 2; | |
246 | ||
247 | if (type) | |
e2967ede JJ |
248 | state = aa_dfa_match(policy->dfa, state, type); |
249 | state = aa_dfa_null_transition(policy->dfa, state); | |
2ea3ffb7 JJ |
250 | if (!state) |
251 | return 3; | |
252 | ||
e2967ede | 253 | state = match_mnt_flags(policy->dfa, state, flags); |
2ea3ffb7 JJ |
254 | if (!state) |
255 | return 4; | |
e844fe9b | 256 | *perms = *aa_lookup_perms(policy, state); |
2ea3ffb7 JJ |
257 | if (perms->allow & AA_MAY_MOUNT) |
258 | return 0; | |
259 | ||
260 | /* only match data if not binary and the DFA flags data is expected */ | |
261 | if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { | |
e2967ede | 262 | state = aa_dfa_null_transition(policy->dfa, state); |
2ea3ffb7 JJ |
263 | if (!state) |
264 | return 4; | |
265 | ||
e2967ede | 266 | state = aa_dfa_match(policy->dfa, state, data); |
2ea3ffb7 JJ |
267 | if (!state) |
268 | return 5; | |
e844fe9b | 269 | *perms = *aa_lookup_perms(policy, state); |
2ea3ffb7 JJ |
270 | if (perms->allow & AA_MAY_MOUNT) |
271 | return 0; | |
272 | } | |
273 | ||
ec240b59 JJ |
274 | /* failed at perms check, don't confuse with flags match */ |
275 | return 6; | |
2ea3ffb7 JJ |
276 | } |
277 | ||
278 | ||
279 | static int path_flags(struct aa_profile *profile, const struct path *path) | |
280 | { | |
281 | AA_BUG(!profile); | |
282 | AA_BUG(!path); | |
283 | ||
284 | return profile->path_flags | | |
285 | (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); | |
286 | } | |
287 | ||
288 | /** | |
289 | * match_mnt_path_str - handle path matching for mount | |
90c436a6 | 290 | * @subj_cred: cred of confined subject |
2ea3ffb7 JJ |
291 | * @profile: the confining profile |
292 | * @mntpath: for the mntpnt (NOT NULL) | |
293 | * @buffer: buffer to be used to lookup mntpath | |
e21851b3 | 294 | * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) |
2ea3ffb7 JJ |
295 | * @type: string for the dev type (MAYBE NULL) |
296 | * @flags: mount flags to match | |
297 | * @data: fs mount data (MAYBE NULL) | |
298 | * @binary: whether @data is binary | |
299 | * @devinfo: error str if (IS_ERR(@devname)) | |
300 | * | |
301 | * Returns: 0 on success else error | |
302 | */ | |
90c436a6 JJ |
303 | static int match_mnt_path_str(const struct cred *subj_cred, |
304 | struct aa_profile *profile, | |
2ea3ffb7 JJ |
305 | const struct path *mntpath, char *buffer, |
306 | const char *devname, const char *type, | |
307 | unsigned long flags, void *data, bool binary, | |
308 | const char *devinfo) | |
309 | { | |
310 | struct aa_perms perms = { }; | |
311 | const char *mntpnt = NULL, *info = NULL; | |
1ad22fcc JJ |
312 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
313 | typeof(*rules), list); | |
2ea3ffb7 JJ |
314 | int pos, error; |
315 | ||
316 | AA_BUG(!profile); | |
317 | AA_BUG(!mntpath); | |
318 | AA_BUG(!buffer); | |
319 | ||
217af7e2 | 320 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
5b9f57cf JJ |
321 | return 0; |
322 | ||
2ea3ffb7 JJ |
323 | error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, |
324 | &mntpnt, &info, profile->disconnected); | |
325 | if (error) | |
326 | goto audit; | |
327 | if (IS_ERR(devname)) { | |
328 | error = PTR_ERR(devname); | |
329 | devname = NULL; | |
330 | info = devinfo; | |
331 | goto audit; | |
332 | } | |
333 | ||
334 | error = -EACCES; | |
98b824ff JJ |
335 | pos = do_match_mnt(rules->policy, |
336 | rules->policy->start[AA_CLASS_MOUNT], | |
2ea3ffb7 JJ |
337 | mntpnt, devname, type, flags, data, binary, &perms); |
338 | if (pos) { | |
339 | info = mnt_info_table[pos]; | |
340 | goto audit; | |
341 | } | |
342 | error = 0; | |
343 | ||
344 | audit: | |
90c436a6 JJ |
345 | return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname, |
346 | type, NULL, | |
2ea3ffb7 JJ |
347 | flags, data, AA_MAY_MOUNT, &perms, info, error); |
348 | } | |
349 | ||
350 | /** | |
351 | * match_mnt - handle path matching for mount | |
90c436a6 | 352 | * @subj_cred: cred of the subject |
2ea3ffb7 | 353 | * @profile: the confining profile |
e21851b3 | 354 | * @path: for the mntpnt (NOT NULL) |
2ea3ffb7 JJ |
355 | * @buffer: buffer to be used to lookup mntpath |
356 | * @devpath: path devname/src_name (MAYBE NULL) | |
357 | * @devbuffer: buffer to be used to lookup devname/src_name | |
358 | * @type: string for the dev type (MAYBE NULL) | |
359 | * @flags: mount flags to match | |
360 | * @data: fs mount data (MAYBE NULL) | |
361 | * @binary: whether @data is binary | |
362 | * | |
363 | * Returns: 0 on success else error | |
364 | */ | |
90c436a6 JJ |
365 | static int match_mnt(const struct cred *subj_cred, |
366 | struct aa_profile *profile, const struct path *path, | |
64b2f34f | 367 | char *buffer, const struct path *devpath, char *devbuffer, |
2ea3ffb7 JJ |
368 | const char *type, unsigned long flags, void *data, |
369 | bool binary) | |
370 | { | |
371 | const char *devname = NULL, *info = NULL; | |
1ad22fcc JJ |
372 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
373 | typeof(*rules), list); | |
2ea3ffb7 JJ |
374 | int error = -EACCES; |
375 | ||
376 | AA_BUG(!profile); | |
377 | AA_BUG(devpath && !devbuffer); | |
378 | ||
1ad22fcc | 379 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
5b9f57cf JJ |
380 | return 0; |
381 | ||
2ea3ffb7 JJ |
382 | if (devpath) { |
383 | error = aa_path_name(devpath, path_flags(profile, devpath), | |
384 | devbuffer, &devname, &info, | |
385 | profile->disconnected); | |
386 | if (error) | |
387 | devname = ERR_PTR(error); | |
388 | } | |
389 | ||
90c436a6 JJ |
390 | return match_mnt_path_str(subj_cred, profile, path, buffer, devname, |
391 | type, flags, data, binary, info); | |
2ea3ffb7 JJ |
392 | } |
393 | ||
90c436a6 JJ |
394 | int aa_remount(const struct cred *subj_cred, |
395 | struct aa_label *label, const struct path *path, | |
2ea3ffb7 JJ |
396 | unsigned long flags, void *data) |
397 | { | |
398 | struct aa_profile *profile; | |
399 | char *buffer = NULL; | |
400 | bool binary; | |
401 | int error; | |
402 | ||
403 | AA_BUG(!label); | |
404 | AA_BUG(!path); | |
405 | ||
406 | binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; | |
407 | ||
341c1fda | 408 | buffer = aa_get_buffer(false); |
df323337 SAS |
409 | if (!buffer) |
410 | return -ENOMEM; | |
2ea3ffb7 | 411 | error = fn_for_each_confined(label, profile, |
90c436a6 JJ |
412 | match_mnt(subj_cred, profile, path, buffer, NULL, |
413 | NULL, NULL, | |
2ea3ffb7 | 414 | flags, data, binary)); |
df323337 | 415 | aa_put_buffer(buffer); |
2ea3ffb7 JJ |
416 | |
417 | return error; | |
418 | } | |
419 | ||
90c436a6 JJ |
420 | int aa_bind_mount(const struct cred *subj_cred, |
421 | struct aa_label *label, const struct path *path, | |
2ea3ffb7 JJ |
422 | const char *dev_name, unsigned long flags) |
423 | { | |
424 | struct aa_profile *profile; | |
425 | char *buffer = NULL, *old_buffer = NULL; | |
426 | struct path old_path; | |
427 | int error; | |
428 | ||
429 | AA_BUG(!label); | |
430 | AA_BUG(!path); | |
431 | ||
432 | if (!dev_name || !*dev_name) | |
433 | return -EINVAL; | |
434 | ||
435 | flags &= MS_REC | MS_BIND; | |
436 | ||
437 | error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); | |
438 | if (error) | |
439 | return error; | |
440 | ||
341c1fda JJ |
441 | buffer = aa_get_buffer(false); |
442 | old_buffer = aa_get_buffer(false); | |
df323337 | 443 | error = -ENOMEM; |
9c95a278 | 444 | if (!buffer || !old_buffer) |
df323337 SAS |
445 | goto out; |
446 | ||
2ea3ffb7 | 447 | error = fn_for_each_confined(label, profile, |
90c436a6 JJ |
448 | match_mnt(subj_cred, profile, path, buffer, &old_path, |
449 | old_buffer, NULL, flags, NULL, false)); | |
df323337 SAS |
450 | out: |
451 | aa_put_buffer(buffer); | |
452 | aa_put_buffer(old_buffer); | |
2ea3ffb7 JJ |
453 | path_put(&old_path); |
454 | ||
455 | return error; | |
456 | } | |
457 | ||
90c436a6 JJ |
458 | int aa_mount_change_type(const struct cred *subj_cred, |
459 | struct aa_label *label, const struct path *path, | |
2ea3ffb7 JJ |
460 | unsigned long flags) |
461 | { | |
462 | struct aa_profile *profile; | |
463 | char *buffer = NULL; | |
464 | int error; | |
465 | ||
466 | AA_BUG(!label); | |
467 | AA_BUG(!path); | |
468 | ||
469 | /* These are the flags allowed by do_change_type() */ | |
470 | flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | | |
471 | MS_UNBINDABLE); | |
472 | ||
341c1fda | 473 | buffer = aa_get_buffer(false); |
df323337 SAS |
474 | if (!buffer) |
475 | return -ENOMEM; | |
2ea3ffb7 | 476 | error = fn_for_each_confined(label, profile, |
90c436a6 JJ |
477 | match_mnt(subj_cred, profile, path, buffer, NULL, |
478 | NULL, NULL, | |
2ea3ffb7 | 479 | flags, NULL, false)); |
df323337 | 480 | aa_put_buffer(buffer); |
2ea3ffb7 JJ |
481 | |
482 | return error; | |
483 | } | |
484 | ||
90c436a6 | 485 | int aa_move_mount(const struct cred *subj_cred, |
157a3537 JJ |
486 | struct aa_label *label, const struct path *from_path, |
487 | const struct path *to_path) | |
2ea3ffb7 JJ |
488 | { |
489 | struct aa_profile *profile; | |
157a3537 | 490 | char *to_buffer = NULL, *from_buffer = NULL; |
2ea3ffb7 JJ |
491 | int error; |
492 | ||
493 | AA_BUG(!label); | |
157a3537 JJ |
494 | AA_BUG(!from_path); |
495 | AA_BUG(!to_path); | |
496 | ||
497 | to_buffer = aa_get_buffer(false); | |
498 | from_buffer = aa_get_buffer(false); | |
499 | error = -ENOMEM; | |
500 | if (!to_buffer || !from_buffer) | |
501 | goto out; | |
8026e406 JJ |
502 | |
503 | if (!our_mnt(from_path->mnt)) | |
504 | /* moving a mount detached from the namespace */ | |
505 | from_path = NULL; | |
157a3537 JJ |
506 | error = fn_for_each_confined(label, profile, |
507 | match_mnt(subj_cred, profile, to_path, to_buffer, | |
508 | from_path, from_buffer, | |
509 | NULL, MS_MOVE, NULL, false)); | |
510 | out: | |
511 | aa_put_buffer(to_buffer); | |
512 | aa_put_buffer(from_buffer); | |
513 | ||
514 | return error; | |
515 | } | |
516 | ||
517 | int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, | |
518 | const struct path *path, const char *orig_name) | |
519 | { | |
520 | struct path old_path; | |
521 | int error; | |
2ea3ffb7 JJ |
522 | |
523 | if (!orig_name || !*orig_name) | |
524 | return -EINVAL; | |
2ea3ffb7 JJ |
525 | error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); |
526 | if (error) | |
527 | return error; | |
528 | ||
157a3537 | 529 | error = aa_move_mount(subj_cred, label, &old_path, path); |
2ea3ffb7 JJ |
530 | path_put(&old_path); |
531 | ||
532 | return error; | |
533 | } | |
534 | ||
90c436a6 JJ |
535 | int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, |
536 | const char *dev_name, const struct path *path, | |
537 | const char *type, unsigned long flags, void *data) | |
2ea3ffb7 JJ |
538 | { |
539 | struct aa_profile *profile; | |
540 | char *buffer = NULL, *dev_buffer = NULL; | |
541 | bool binary = true; | |
542 | int error; | |
543 | int requires_dev = 0; | |
544 | struct path tmp_path, *dev_path = NULL; | |
545 | ||
546 | AA_BUG(!label); | |
547 | AA_BUG(!path); | |
548 | ||
549 | if (type) { | |
550 | struct file_system_type *fstype; | |
551 | ||
552 | fstype = get_fs_type(type); | |
553 | if (!fstype) | |
554 | return -ENODEV; | |
555 | binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; | |
556 | requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; | |
557 | put_filesystem(fstype); | |
558 | ||
559 | if (requires_dev) { | |
560 | if (!dev_name || !*dev_name) | |
561 | return -ENOENT; | |
562 | ||
563 | error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); | |
564 | if (error) | |
565 | return error; | |
566 | dev_path = &tmp_path; | |
567 | } | |
568 | } | |
569 | ||
341c1fda | 570 | buffer = aa_get_buffer(false); |
df323337 SAS |
571 | if (!buffer) { |
572 | error = -ENOMEM; | |
573 | goto out; | |
574 | } | |
2ea3ffb7 | 575 | if (dev_path) { |
341c1fda | 576 | dev_buffer = aa_get_buffer(false); |
df323337 SAS |
577 | if (!dev_buffer) { |
578 | error = -ENOMEM; | |
579 | goto out; | |
580 | } | |
2ea3ffb7 | 581 | error = fn_for_each_confined(label, profile, |
90c436a6 JJ |
582 | match_mnt(subj_cred, profile, path, buffer, |
583 | dev_path, dev_buffer, | |
2ea3ffb7 JJ |
584 | type, flags, data, binary)); |
585 | } else { | |
586 | error = fn_for_each_confined(label, profile, | |
90c436a6 JJ |
587 | match_mnt_path_str(subj_cred, profile, path, |
588 | buffer, dev_name, | |
589 | type, flags, data, binary, NULL)); | |
2ea3ffb7 | 590 | } |
df323337 SAS |
591 | |
592 | out: | |
593 | aa_put_buffer(buffer); | |
594 | aa_put_buffer(dev_buffer); | |
2ea3ffb7 JJ |
595 | if (dev_path) |
596 | path_put(dev_path); | |
597 | ||
598 | return error; | |
599 | } | |
600 | ||
90c436a6 JJ |
601 | static int profile_umount(const struct cred *subj_cred, |
602 | struct aa_profile *profile, const struct path *path, | |
2ea3ffb7 JJ |
603 | char *buffer) |
604 | { | |
1ad22fcc JJ |
605 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
606 | typeof(*rules), list); | |
2ea3ffb7 JJ |
607 | struct aa_perms perms = { }; |
608 | const char *name = NULL, *info = NULL; | |
33fc95d8 | 609 | aa_state_t state; |
2ea3ffb7 JJ |
610 | int error; |
611 | ||
612 | AA_BUG(!profile); | |
613 | AA_BUG(!path); | |
614 | ||
217af7e2 | 615 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
5b9f57cf JJ |
616 | return 0; |
617 | ||
2ea3ffb7 JJ |
618 | error = aa_path_name(path, path_flags(profile, path), buffer, &name, |
619 | &info, profile->disconnected); | |
620 | if (error) | |
621 | goto audit; | |
622 | ||
98b824ff JJ |
623 | state = aa_dfa_match(rules->policy->dfa, |
624 | rules->policy->start[AA_CLASS_MOUNT], | |
2ea3ffb7 | 625 | name); |
98b824ff | 626 | perms = *aa_lookup_perms(rules->policy, state); |
2ea3ffb7 JJ |
627 | if (AA_MAY_UMOUNT & ~perms.allow) |
628 | error = -EACCES; | |
629 | ||
630 | audit: | |
90c436a6 JJ |
631 | return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL, |
632 | NULL, 0, NULL, | |
2ea3ffb7 JJ |
633 | AA_MAY_UMOUNT, &perms, info, error); |
634 | } | |
635 | ||
90c436a6 JJ |
636 | int aa_umount(const struct cred *subj_cred, struct aa_label *label, |
637 | struct vfsmount *mnt, int flags) | |
2ea3ffb7 JJ |
638 | { |
639 | struct aa_profile *profile; | |
640 | char *buffer = NULL; | |
641 | int error; | |
642 | struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; | |
643 | ||
644 | AA_BUG(!label); | |
645 | AA_BUG(!mnt); | |
646 | ||
341c1fda | 647 | buffer = aa_get_buffer(false); |
df323337 SAS |
648 | if (!buffer) |
649 | return -ENOMEM; | |
650 | ||
2ea3ffb7 | 651 | error = fn_for_each_confined(label, profile, |
90c436a6 | 652 | profile_umount(subj_cred, profile, &path, buffer)); |
df323337 | 653 | aa_put_buffer(buffer); |
2ea3ffb7 JJ |
654 | |
655 | return error; | |
656 | } | |
657 | ||
658 | /* helper fn for transition on pivotroot | |
659 | * | |
660 | * Returns: label for transition or ERR_PTR. Does not return NULL | |
661 | */ | |
90c436a6 JJ |
662 | static struct aa_label *build_pivotroot(const struct cred *subj_cred, |
663 | struct aa_profile *profile, | |
2ea3ffb7 JJ |
664 | const struct path *new_path, |
665 | char *new_buffer, | |
666 | const struct path *old_path, | |
667 | char *old_buffer) | |
668 | { | |
1ad22fcc JJ |
669 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
670 | typeof(*rules), list); | |
2ea3ffb7 JJ |
671 | const char *old_name, *new_name = NULL, *info = NULL; |
672 | const char *trans_name = NULL; | |
673 | struct aa_perms perms = { }; | |
33fc95d8 | 674 | aa_state_t state; |
2ea3ffb7 JJ |
675 | int error; |
676 | ||
677 | AA_BUG(!profile); | |
678 | AA_BUG(!new_path); | |
679 | AA_BUG(!old_path); | |
680 | ||
5b9f57cf | 681 | if (profile_unconfined(profile) || |
217af7e2 | 682 | !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
2ea3ffb7 JJ |
683 | return aa_get_newest_label(&profile->label); |
684 | ||
685 | error = aa_path_name(old_path, path_flags(profile, old_path), | |
686 | old_buffer, &old_name, &info, | |
687 | profile->disconnected); | |
688 | if (error) | |
689 | goto audit; | |
690 | error = aa_path_name(new_path, path_flags(profile, new_path), | |
691 | new_buffer, &new_name, &info, | |
692 | profile->disconnected); | |
693 | if (error) | |
694 | goto audit; | |
695 | ||
696 | error = -EACCES; | |
98b824ff JJ |
697 | state = aa_dfa_match(rules->policy->dfa, |
698 | rules->policy->start[AA_CLASS_MOUNT], | |
2ea3ffb7 | 699 | new_name); |
98b824ff JJ |
700 | state = aa_dfa_null_transition(rules->policy->dfa, state); |
701 | state = aa_dfa_match(rules->policy->dfa, state, old_name); | |
702 | perms = *aa_lookup_perms(rules->policy, state); | |
2ea3ffb7 JJ |
703 | |
704 | if (AA_MAY_PIVOTROOT & perms.allow) | |
705 | error = 0; | |
706 | ||
707 | audit: | |
90c436a6 JJ |
708 | error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name, |
709 | old_name, | |
2ea3ffb7 JJ |
710 | NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, |
711 | &perms, info, error); | |
712 | if (error) | |
713 | return ERR_PTR(error); | |
714 | ||
715 | return aa_get_newest_label(&profile->label); | |
716 | } | |
717 | ||
90c436a6 JJ |
718 | int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label, |
719 | const struct path *old_path, | |
2ea3ffb7 JJ |
720 | const struct path *new_path) |
721 | { | |
722 | struct aa_profile *profile; | |
723 | struct aa_label *target = NULL; | |
724 | char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; | |
725 | int error; | |
726 | ||
727 | AA_BUG(!label); | |
728 | AA_BUG(!old_path); | |
729 | AA_BUG(!new_path); | |
730 | ||
341c1fda JJ |
731 | old_buffer = aa_get_buffer(false); |
732 | new_buffer = aa_get_buffer(false); | |
df323337 SAS |
733 | error = -ENOMEM; |
734 | if (!old_buffer || !new_buffer) | |
735 | goto out; | |
8ac2ca32 | 736 | target = fn_label_build(label, profile, GFP_KERNEL, |
90c436a6 JJ |
737 | build_pivotroot(subj_cred, profile, new_path, |
738 | new_buffer, | |
2ea3ffb7 JJ |
739 | old_path, old_buffer)); |
740 | if (!target) { | |
741 | info = "label build failed"; | |
742 | error = -ENOMEM; | |
743 | goto fail; | |
744 | } else if (!IS_ERR(target)) { | |
745 | error = aa_replace_current_label(target); | |
746 | if (error) { | |
747 | /* TODO: audit target */ | |
748 | aa_put_label(target); | |
749 | goto out; | |
750 | } | |
11c3627e | 751 | aa_put_label(target); |
2ea3ffb7 JJ |
752 | } else |
753 | /* already audited error */ | |
754 | error = PTR_ERR(target); | |
755 | out: | |
df323337 SAS |
756 | aa_put_buffer(old_buffer); |
757 | aa_put_buffer(new_buffer); | |
2ea3ffb7 JJ |
758 | |
759 | return error; | |
760 | ||
761 | fail: | |
762 | /* TODO: add back in auditing of new_name and old_name */ | |
763 | error = fn_for_each(label, profile, | |
90c436a6 JJ |
764 | audit_mount(subj_cred, profile, OP_PIVOTROOT, |
765 | NULL /*new_name */, | |
2ea3ffb7 JJ |
766 | NULL /* old_name */, |
767 | NULL, NULL, | |
768 | 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, | |
769 | error)); | |
770 | goto out; | |
771 | } |