LXR linux/security/apparmor/procattr.c

   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor /proc/<pid>/attr/ interface functions
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include "include/apparmor.h"
  16#include "include/cred.h"
  17#include "include/policy.h"
  18#include "include/policy_ns.h"
  19#include "include/domain.h"
  20#include "include/procattr.h"
  21
  22
  23/**
  24 * aa_getprocattr - Return the profile information for @profile
  25 * @profile: the profile to print profile info about  (NOT NULL)
  26 * @string: Returns - string containing the profile info (NOT NULL)
  27 *
  28 * Returns: length of @string on success else error on failure
  29 *
  30 * Requires: profile != NULL
  31 *
  32 * Creates a string containing the namespace_name://profile_name for
  33 * @profile.
  34 *
  35 * Returns: size of string placed in @string else error code on failure
  36 */
  37int aa_getprocattr(struct aa_label *label, char **string)
  38{
  39        struct aa_ns *ns = labels_ns(label);
  40        struct aa_ns *current_ns = aa_get_current_ns();
  41        int len;
  42
  43        if (!aa_ns_visible(current_ns, ns, true)) {
  44                aa_put_ns(current_ns);
  45                return -EACCES;
  46        }
  47
  48        len = aa_label_snxprint(NULL, 0, current_ns, label,
  49                                FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
  50                                FLAG_HIDDEN_UNCONFINED);
  51        AA_BUG(len < 0);
  52
  53        *string = kmalloc(len + 2, GFP_KERNEL);
  54        if (!*string) {
  55                aa_put_ns(current_ns);
  56                return -ENOMEM;
  57        }
  58
  59        len = aa_label_snxprint(*string, len + 2, current_ns, label,
  60                                FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
  61                                FLAG_HIDDEN_UNCONFINED);
  62        if (len < 0) {
  63                aa_put_ns(current_ns);
  64                return len;
  65        }
  66
  67        (*string)[len] = '\n';
  68        (*string)[len + 1] = 0;
  69
  70        aa_put_ns(current_ns);
  71        return len + 1;
  72}
  73
  74/**
  75 * split_token_from_name - separate a string of form  <token>^<name>
  76 * @op: operation being checked
  77 * @args: string to parse  (NOT NULL)
  78 * @token: stores returned parsed token value  (NOT NULL)
  79 *
  80 * Returns: start position of name after token else NULL on failure
  81 */
  82static char *split_token_from_name(const char *op, char *args, u64 *token)
  83{
  84        char *name;
  85
  86        *token = simple_strtoull(args, &name, 16);
  87        if ((name == args) || *name != '^') {
  88                AA_ERROR("%s: Invalid input '%s'", op, args);
  89                return ERR_PTR(-EINVAL);
  90        }
  91
  92        name++;                 /* skip ^ */
  93        if (!*name)
  94                name = NULL;
  95        return name;
  96}
  97
  98/**
  99 * aa_setprocattr_chagnehat - handle procattr interface to change_hat
 100 * @args: args received from writing to /proc/<pid>/attr/current (NOT NULL)
 101 * @size: size of the args
 102 * @flags: set of flags governing behavior
 103 *
 104 * Returns: %0 or error code if change_hat fails
 105 */
 106int aa_setprocattr_changehat(char *args, size_t size, int flags)
 107{
 108        char *hat;
 109        u64 token;
 110        const char *hats[16];           /* current hard limit on # of names */
 111        int count = 0;
 112
 113        hat = split_token_from_name(OP_CHANGE_HAT, args, &token);
 114        if (IS_ERR(hat))
 115                return PTR_ERR(hat);
 116
 117        if (!hat && !token) {
 118                AA_ERROR("change_hat: Invalid input, NULL hat and NULL magic");
 119                return -EINVAL;
 120        }
 121
 122        if (hat) {
 123                /* set up hat name vector, args guaranteed null terminated
 124                 * at args[size] by setprocattr.
 125                 *
 126                 * If there are multiple hat names in the buffer each is
 127                 * separated by a \0.  Ie. userspace writes them pre tokenized
 128                 */
 129                char *end = args + size;
 130                for (count = 0; (hat < end) && count < 16; ++count) {
 131                        char *next = hat + strlen(hat) + 1;
 132                        hats[count] = hat;
 133                        AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d hat '%s'\n"
 134                                 , __func__, current->pid, token, count, hat);
 135                        hat = next;
 136                }
 137        } else
 138                AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d Hat '%s'\n",
 139                         __func__, current->pid, token, count, "<NULL>");
 140
 141        return aa_change_hat(hats, count, token, flags);
 142}
 143