Commit | Line | Data |
---|---|---|
cff281f6 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor policy manipulation functions | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2017 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | * | |
14 | * AppArmor policy namespaces, allow for different sets of policies | |
15 | * to be loaded for tasks within the namespace. | |
16 | */ | |
17 | ||
18 | #include <linux/list.h> | |
19 | #include <linux/mutex.h> | |
20 | #include <linux/slab.h> | |
21 | #include <linux/string.h> | |
22 | ||
23 | #include "include/apparmor.h" | |
d8889d49 | 24 | #include "include/cred.h" |
cff281f6 | 25 | #include "include/policy_ns.h" |
637f688d | 26 | #include "include/label.h" |
cff281f6 JJ |
27 | #include "include/policy.h" |
28 | ||
29 | /* root profile namespace */ | |
98849dff | 30 | struct aa_ns *root_ns; |
cff281f6 JJ |
31 | const char *aa_hidden_ns_name = "---"; |
32 | ||
33 | /** | |
34 | * aa_ns_visible - test if @view is visible from @curr | |
35 | * @curr: namespace to treat as the parent (NOT NULL) | |
36 | * @view: namespace to test if visible from @curr (NOT NULL) | |
92b6d8ef | 37 | * @subns: whether view of a subns is allowed |
cff281f6 JJ |
38 | * |
39 | * Returns: true if @view is visible from @curr else false | |
40 | */ | |
92b6d8ef | 41 | bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns) |
cff281f6 JJ |
42 | { |
43 | if (curr == view) | |
44 | return true; | |
45 | ||
92b6d8ef JJ |
46 | if (!subns) |
47 | return false; | |
48 | ||
cff281f6 JJ |
49 | for ( ; view; view = view->parent) { |
50 | if (view->parent == curr) | |
51 | return true; | |
52 | } | |
92b6d8ef | 53 | |
cff281f6 JJ |
54 | return false; |
55 | } | |
56 | ||
57 | /** | |
58 | * aa_na_name - Find the ns name to display for @view from @curr | |
59 | * @curr - current namespace (NOT NULL) | |
60 | * @view - namespace attempting to view (NOT NULL) | |
92b6d8ef | 61 | * @subns - are subns visible |
cff281f6 JJ |
62 | * |
63 | * Returns: name of @view visible from @curr | |
64 | */ | |
92b6d8ef | 65 | const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns) |
cff281f6 JJ |
66 | { |
67 | /* if view == curr then the namespace name isn't displayed */ | |
68 | if (curr == view) | |
69 | return ""; | |
70 | ||
92b6d8ef | 71 | if (aa_ns_visible(curr, view, subns)) { |
cff281f6 JJ |
72 | /* at this point if a ns is visible it is in a view ns |
73 | * thus the curr ns.hname is a prefix of its name. | |
74 | * Only output the virtualized portion of the name | |
75 | * Add + 2 to skip over // separating curr hname prefix | |
76 | * from the visible tail of the views hname | |
77 | */ | |
78 | return view->base.hname + strlen(curr->base.hname) + 2; | |
79 | } | |
80 | ||
81 | return aa_hidden_ns_name; | |
82 | } | |
83 | ||
84 | /** | |
98849dff | 85 | * alloc_ns - allocate, initialize and return a new namespace |
cff281f6 JJ |
86 | * @prefix: parent namespace name (MAYBE NULL) |
87 | * @name: a preallocated name (NOT NULL) | |
88 | * | |
89 | * Returns: refcounted namespace or NULL on failure. | |
90 | */ | |
98849dff | 91 | static struct aa_ns *alloc_ns(const char *prefix, const char *name) |
cff281f6 | 92 | { |
98849dff | 93 | struct aa_ns *ns; |
cff281f6 JJ |
94 | |
95 | ns = kzalloc(sizeof(*ns), GFP_KERNEL); | |
96 | AA_DEBUG("%s(%p)\n", __func__, ns); | |
97 | if (!ns) | |
98 | return NULL; | |
d102d895 | 99 | if (!aa_policy_init(&ns->base, prefix, name, GFP_KERNEL)) |
cff281f6 JJ |
100 | goto fail_ns; |
101 | ||
102 | INIT_LIST_HEAD(&ns->sub_ns); | |
5d5182ca | 103 | INIT_LIST_HEAD(&ns->rawdata_list); |
cff281f6 | 104 | mutex_init(&ns->lock); |
d9bf2c26 | 105 | init_waitqueue_head(&ns->wait); |
cff281f6 | 106 | |
98849dff | 107 | /* released by aa_free_ns() */ |
637f688d | 108 | ns->unconfined = aa_alloc_profile("unconfined", NULL, GFP_KERNEL); |
cff281f6 JJ |
109 | if (!ns->unconfined) |
110 | goto fail_unconfined; | |
111 | ||
637f688d JJ |
112 | ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR | |
113 | FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED; | |
cff281f6 | 114 | ns->unconfined->mode = APPARMOR_UNCONFINED; |
15372b97 JJ |
115 | ns->unconfined->file.dfa = aa_get_dfa(nulldfa); |
116 | ns->unconfined->policy.dfa = aa_get_dfa(nulldfa); | |
cff281f6 JJ |
117 | |
118 | /* ns and ns->unconfined share ns->unconfined refcount */ | |
119 | ns->unconfined->ns = ns; | |
120 | ||
121 | atomic_set(&ns->uniq_null, 0); | |
122 | ||
637f688d JJ |
123 | aa_labelset_init(&ns->labels); |
124 | ||
cff281f6 JJ |
125 | return ns; |
126 | ||
127 | fail_unconfined: | |
128 | kzfree(ns->base.hname); | |
129 | fail_ns: | |
130 | kzfree(ns); | |
131 | return NULL; | |
132 | } | |
133 | ||
134 | /** | |
98849dff | 135 | * aa_free_ns - free a profile namespace |
cff281f6 JJ |
136 | * @ns: the namespace to free (MAYBE NULL) |
137 | * | |
138 | * Requires: All references to the namespace must have been put, if the | |
139 | * namespace was referenced by a profile confining a task, | |
140 | */ | |
98849dff | 141 | void aa_free_ns(struct aa_ns *ns) |
cff281f6 JJ |
142 | { |
143 | if (!ns) | |
144 | return; | |
145 | ||
146 | aa_policy_destroy(&ns->base); | |
637f688d | 147 | aa_labelset_destroy(&ns->labels); |
98849dff | 148 | aa_put_ns(ns->parent); |
cff281f6 JJ |
149 | |
150 | ns->unconfined->ns = NULL; | |
151 | aa_free_profile(ns->unconfined); | |
152 | kzfree(ns); | |
153 | } | |
154 | ||
155 | /** | |
9a2d40c1 | 156 | * aa_findn_ns - look up a profile namespace on the namespace list |
cff281f6 JJ |
157 | * @root: namespace to search in (NOT NULL) |
158 | * @name: name of namespace to find (NOT NULL) | |
9a2d40c1 | 159 | * @n: length of @name |
cff281f6 JJ |
160 | * |
161 | * Returns: a refcounted namespace on the list, or NULL if no namespace | |
162 | * called @name exists. | |
163 | * | |
164 | * refcount released by caller | |
165 | */ | |
9a2d40c1 | 166 | struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n) |
cff281f6 | 167 | { |
98849dff | 168 | struct aa_ns *ns = NULL; |
cff281f6 JJ |
169 | |
170 | rcu_read_lock(); | |
9a2d40c1 | 171 | ns = aa_get_ns(__aa_findn_ns(&root->sub_ns, name, n)); |
cff281f6 JJ |
172 | rcu_read_unlock(); |
173 | ||
174 | return ns; | |
175 | } | |
176 | ||
9a2d40c1 JJ |
177 | /** |
178 | * aa_find_ns - look up a profile namespace on the namespace list | |
179 | * @root: namespace to search in (NOT NULL) | |
180 | * @name: name of namespace to find (NOT NULL) | |
181 | * | |
182 | * Returns: a refcounted namespace on the list, or NULL if no namespace | |
183 | * called @name exists. | |
184 | * | |
185 | * refcount released by caller | |
186 | */ | |
187 | struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name) | |
188 | { | |
189 | return aa_findn_ns(root, name, strlen(name)); | |
190 | } | |
191 | ||
3664268f JJ |
192 | /** |
193 | * __aa_lookupn_ns - lookup the namespace matching @hname | |
194 | * @base: base list to start looking up profile name from (NOT NULL) | |
195 | * @hname: hierarchical ns name (NOT NULL) | |
196 | * @n: length of @hname | |
197 | * | |
198 | * Requires: rcu_read_lock be held | |
199 | * | |
200 | * Returns: unrefcounted ns pointer or NULL if not found | |
201 | * | |
202 | * Do a relative name lookup, recursing through profile tree. | |
203 | */ | |
204 | struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n) | |
205 | { | |
206 | struct aa_ns *ns = view; | |
207 | const char *split; | |
208 | ||
209 | for (split = strnstr(hname, "//", n); split; | |
210 | split = strnstr(hname, "//", n)) { | |
211 | ns = __aa_findn_ns(&ns->sub_ns, hname, split - hname); | |
212 | if (!ns) | |
213 | return NULL; | |
214 | ||
215 | n -= split + 2 - hname; | |
216 | hname = split + 2; | |
217 | } | |
218 | ||
219 | if (n) | |
220 | return __aa_findn_ns(&ns->sub_ns, hname, n); | |
221 | return NULL; | |
222 | } | |
223 | ||
224 | /** | |
225 | * aa_lookupn_ns - look up a policy namespace relative to @view | |
226 | * @view: namespace to search in (NOT NULL) | |
227 | * @name: name of namespace to find (NOT NULL) | |
228 | * @n: length of @name | |
229 | * | |
230 | * Returns: a refcounted namespace on the list, or NULL if no namespace | |
231 | * called @name exists. | |
232 | * | |
233 | * refcount released by caller | |
234 | */ | |
235 | struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n) | |
236 | { | |
237 | struct aa_ns *ns = NULL; | |
238 | ||
239 | rcu_read_lock(); | |
240 | ns = aa_get_ns(__aa_lookupn_ns(view, name, n)); | |
241 | rcu_read_unlock(); | |
242 | ||
243 | return ns; | |
244 | } | |
245 | ||
73688d1e JJ |
246 | static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name, |
247 | struct dentry *dir) | |
248 | { | |
249 | struct aa_ns *ns; | |
250 | int error; | |
251 | ||
252 | AA_BUG(!parent); | |
253 | AA_BUG(!name); | |
254 | AA_BUG(!mutex_is_locked(&parent->lock)); | |
255 | ||
256 | ns = alloc_ns(parent->base.hname, name); | |
257 | if (!ns) | |
0a6b2923 | 258 | return ERR_PTR(-ENOMEM); |
feb3c766 JJ |
259 | ns->level = parent->level + 1; |
260 | mutex_lock_nested(&ns->lock, ns->level); | |
98407f0a | 261 | error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir); |
73688d1e JJ |
262 | if (error) { |
263 | AA_ERROR("Failed to create interface for ns %s\n", | |
264 | ns->base.name); | |
265 | mutex_unlock(&ns->lock); | |
266 | aa_free_ns(ns); | |
267 | return ERR_PTR(error); | |
268 | } | |
269 | ns->parent = aa_get_ns(parent); | |
270 | list_add_rcu(&ns->base.list, &parent->sub_ns); | |
271 | /* add list ref */ | |
272 | aa_get_ns(ns); | |
273 | mutex_unlock(&ns->lock); | |
274 | ||
275 | return ns; | |
276 | } | |
277 | ||
cff281f6 | 278 | /** |
73688d1e JJ |
279 | * aa_create_ns - create an ns, fail if it already exists |
280 | * @parent: the parent of the namespace being created | |
281 | * @name: the name of the namespace | |
282 | * @dir: if not null the dir to put the ns entries in | |
cff281f6 | 283 | * |
73688d1e | 284 | * Returns: the a refcounted ns that has been add or an ERR_PTR |
cff281f6 | 285 | */ |
73688d1e JJ |
286 | struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name, |
287 | struct dentry *dir) | |
cff281f6 | 288 | { |
73688d1e | 289 | struct aa_ns *ns; |
cff281f6 | 290 | |
73688d1e | 291 | AA_BUG(!mutex_is_locked(&parent->lock)); |
cff281f6 | 292 | |
73688d1e JJ |
293 | /* try and find the specified ns */ |
294 | /* released by caller */ | |
295 | ns = aa_get_ns(__aa_find_ns(&parent->sub_ns, name)); | |
296 | if (!ns) | |
297 | ns = __aa_create_ns(parent, name, dir); | |
298 | else | |
299 | ns = ERR_PTR(-EEXIST); | |
cff281f6 | 300 | |
73688d1e JJ |
301 | /* return ref */ |
302 | return ns; | |
303 | } | |
cff281f6 | 304 | |
73688d1e JJ |
305 | /** |
306 | * aa_prepare_ns - find an existing or create a new namespace of @name | |
307 | * @parent: ns to treat as parent | |
308 | * @name: the namespace to find or add (NOT NULL) | |
309 | * | |
310 | * Returns: refcounted namespace or PTR_ERR if failed to create one | |
311 | */ | |
312 | struct aa_ns *aa_prepare_ns(struct aa_ns *parent, const char *name) | |
313 | { | |
314 | struct aa_ns *ns; | |
315 | ||
feb3c766 | 316 | mutex_lock_nested(&parent->lock, parent->level); |
cff281f6 JJ |
317 | /* try and find the specified ns and if it doesn't exist create it */ |
318 | /* released by caller */ | |
73688d1e JJ |
319 | ns = aa_get_ns(__aa_find_ns(&parent->sub_ns, name)); |
320 | if (!ns) | |
321 | ns = __aa_create_ns(parent, name, NULL); | |
322 | mutex_unlock(&parent->lock); | |
cff281f6 JJ |
323 | |
324 | /* return ref */ | |
325 | return ns; | |
326 | } | |
327 | ||
328 | static void __ns_list_release(struct list_head *head); | |
329 | ||
330 | /** | |
98849dff | 331 | * destroy_ns - remove everything contained by @ns |
31617ddf | 332 | * @ns: namespace to have it contents removed (NOT NULL) |
cff281f6 | 333 | */ |
98849dff | 334 | static void destroy_ns(struct aa_ns *ns) |
cff281f6 JJ |
335 | { |
336 | if (!ns) | |
337 | return; | |
338 | ||
feb3c766 | 339 | mutex_lock_nested(&ns->lock, ns->level); |
cff281f6 JJ |
340 | /* release all profiles in this namespace */ |
341 | __aa_profile_list_release(&ns->base.profiles); | |
342 | ||
343 | /* release all sub namespaces */ | |
344 | __ns_list_release(&ns->sub_ns); | |
345 | ||
637f688d JJ |
346 | if (ns->parent) { |
347 | unsigned long flags; | |
348 | ||
349 | write_lock_irqsave(&ns->labels.lock, flags); | |
350 | __aa_proxy_redirect(ns_unconfined(ns), | |
351 | ns_unconfined(ns->parent)); | |
352 | write_unlock_irqrestore(&ns->labels.lock, flags); | |
353 | } | |
c97204ba | 354 | __aafs_ns_rmdir(ns); |
cff281f6 JJ |
355 | mutex_unlock(&ns->lock); |
356 | } | |
357 | ||
358 | /** | |
98849dff | 359 | * __aa_remove_ns - remove a namespace and all its children |
cff281f6 JJ |
360 | * @ns: namespace to be removed (NOT NULL) |
361 | * | |
362 | * Requires: ns->parent->lock be held and ns removed from parent. | |
363 | */ | |
98849dff | 364 | void __aa_remove_ns(struct aa_ns *ns) |
cff281f6 JJ |
365 | { |
366 | /* remove ns from namespace list */ | |
367 | list_del_rcu(&ns->base.list); | |
98849dff JJ |
368 | destroy_ns(ns); |
369 | aa_put_ns(ns); | |
cff281f6 JJ |
370 | } |
371 | ||
372 | /** | |
373 | * __ns_list_release - remove all profile namespaces on the list put refs | |
374 | * @head: list of profile namespaces (NOT NULL) | |
375 | * | |
376 | * Requires: namespace lock be held | |
377 | */ | |
378 | static void __ns_list_release(struct list_head *head) | |
379 | { | |
98849dff | 380 | struct aa_ns *ns, *tmp; |
cff281f6 JJ |
381 | |
382 | list_for_each_entry_safe(ns, tmp, head, base.list) | |
98849dff | 383 | __aa_remove_ns(ns); |
cff281f6 JJ |
384 | |
385 | } | |
386 | ||
387 | /** | |
31617ddf | 388 | * aa_alloc_root_ns - allocate the root profile namespace |
cff281f6 JJ |
389 | * |
390 | * Returns: %0 on success else error | |
391 | * | |
392 | */ | |
393 | int __init aa_alloc_root_ns(void) | |
394 | { | |
395 | /* released by aa_free_root_ns - used as list ref*/ | |
98849dff | 396 | root_ns = alloc_ns(NULL, "root"); |
cff281f6 JJ |
397 | if (!root_ns) |
398 | return -ENOMEM; | |
399 | ||
400 | return 0; | |
401 | } | |
402 | ||
403 | /** | |
404 | * aa_free_root_ns - free the root profile namespace | |
405 | */ | |
406 | void __init aa_free_root_ns(void) | |
407 | { | |
98849dff | 408 | struct aa_ns *ns = root_ns; |
cff281f6 JJ |
409 | |
410 | root_ns = NULL; | |
411 | ||
98849dff JJ |
412 | destroy_ns(ns); |
413 | aa_put_ns(ns); | |
cff281f6 | 414 | } |