1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76#include <linux/slab.h>
77#include <linux/spinlock.h>
78#include <linux/string.h>
79
80#include "include/apparmor.h"
81#include "include/capability.h"
82#include "include/context.h"
83#include "include/file.h"
84#include "include/ipc.h"
85#include "include/match.h"
86#include "include/path.h"
87#include "include/policy.h"
88#include "include/policy_unpack.h"
89#include "include/resource.h"
90
91
92
93struct aa_namespace *root_ns;
94
95const char *const profile_mode_names[] = {
96 "enforce",
97 "complain",
98 "kill",
99};
100
101
102
103
104
105
106
107static const char *hname_tail(const char *hname)
108{
109 char *split;
110 hname = strim((char *)hname);
111 for (split = strstr(hname, "//"); split; split = strstr(hname, "//"))
112 hname = split + 2;
113
114 return hname;
115}
116
117
118
119
120
121
122
123
124
125
126
127static bool policy_init(struct aa_policy *policy, const char *prefix,
128 const char *name)
129{
130
131 if (prefix) {
132 policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3,
133 GFP_KERNEL);
134 if (policy->hname)
135 sprintf(policy->hname, "%s//%s", prefix, name);
136 } else
137 policy->hname = kstrdup(name, GFP_KERNEL);
138 if (!policy->hname)
139 return 0;
140
141 policy->name = (char *)hname_tail(policy->hname);
142 INIT_LIST_HEAD(&policy->list);
143 INIT_LIST_HEAD(&policy->profiles);
144 kref_init(&policy->count);
145
146 return 1;
147}
148
149
150
151
152
153static void policy_destroy(struct aa_policy *policy)
154{
155
156 if (!list_empty(&policy->profiles)) {
157 AA_ERROR("%s: internal error, "
158 "policy '%s' still contains profiles\n",
159 __func__, policy->name);
160 BUG();
161 }
162 if (!list_empty(&policy->list)) {
163 AA_ERROR("%s: internal error, policy '%s' still on list\n",
164 __func__, policy->name);
165 BUG();
166 }
167
168
169 kzfree(policy->hname);
170}
171
172
173
174
175
176
177
178
179
180
181static struct aa_policy *__policy_find(struct list_head *head, const char *name)
182{
183 struct aa_policy *policy;
184
185 list_for_each_entry(policy, head, list) {
186 if (!strcmp(policy->name, name))
187 return policy;
188 }
189 return NULL;
190}
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205static struct aa_policy *__policy_strn_find(struct list_head *head,
206 const char *str, int len)
207{
208 struct aa_policy *policy;
209
210 list_for_each_entry(policy, head, list) {
211 if (aa_strneq(policy->name, str, len))
212 return policy;
213 }
214
215 return NULL;
216}
217
218
219
220
221
222static const char *hidden_ns_name = "---";
223
224
225
226
227
228
229
230bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
231{
232 if (curr == view)
233 return true;
234
235 for ( ; view; view = view->parent) {
236 if (view->parent == curr)
237 return true;
238 }
239 return false;
240}
241
242
243
244
245
246
247
248
249const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
250{
251
252 if (curr == view)
253 return "";
254
255 if (aa_ns_visible(curr, view)) {
256
257
258
259
260
261
262 return view->base.hname + strlen(curr->base.hname) + 2;
263 } else
264 return hidden_ns_name;
265}
266
267
268
269
270
271
272
273
274static struct aa_namespace *alloc_namespace(const char *prefix,
275 const char *name)
276{
277 struct aa_namespace *ns;
278
279 ns = kzalloc(sizeof(*ns), GFP_KERNEL);
280 AA_DEBUG("%s(%p)\n", __func__, ns);
281 if (!ns)
282 return NULL;
283 if (!policy_init(&ns->base, prefix, name))
284 goto fail_ns;
285
286 INIT_LIST_HEAD(&ns->sub_ns);
287 rwlock_init(&ns->lock);
288
289
290 ns->unconfined = aa_alloc_profile("unconfined");
291 if (!ns->unconfined)
292 goto fail_unconfined;
293
294 ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
295 PFLAG_IMMUTABLE;
296
297
298
299
300
301
302 ns->unconfined->ns = aa_get_namespace(ns);
303
304 atomic_set(&ns->uniq_null, 0);
305
306 return ns;
307
308fail_unconfined:
309 kzfree(ns->base.hname);
310fail_ns:
311 kzfree(ns);
312 return NULL;
313}
314
315
316
317
318
319
320
321
322static void free_namespace(struct aa_namespace *ns)
323{
324 if (!ns)
325 return;
326
327 policy_destroy(&ns->base);
328 aa_put_namespace(ns->parent);
329
330 if (ns->unconfined && ns->unconfined->ns == ns)
331 ns->unconfined->ns = NULL;
332
333 aa_put_profile(ns->unconfined);
334 kzfree(ns);
335}
336
337
338
339
340
341void aa_free_namespace_kref(struct kref *kref)
342{
343 free_namespace(container_of(kref, struct aa_namespace, base.count));
344}
345
346
347
348
349
350
351
352
353
354
355static struct aa_namespace *__aa_find_namespace(struct list_head *head,
356 const char *name)
357{
358 return (struct aa_namespace *)__policy_find(head, name);
359}
360
361
362
363
364
365
366
367
368
369
370
371struct aa_namespace *aa_find_namespace(struct aa_namespace *root,
372 const char *name)
373{
374 struct aa_namespace *ns = NULL;
375
376 read_lock(&root->lock);
377 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
378 read_unlock(&root->lock);
379
380 return ns;
381}
382
383
384
385
386
387
388
389static struct aa_namespace *aa_prepare_namespace(const char *name)
390{
391 struct aa_namespace *ns, *root;
392
393 root = aa_current_profile()->ns;
394
395 write_lock(&root->lock);
396
397
398 if (!name) {
399
400 ns = aa_get_namespace(root);
401 goto out;
402 }
403
404
405
406 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
407 if (!ns) {
408
409 struct aa_namespace *new_ns;
410 write_unlock(&root->lock);
411 new_ns = alloc_namespace(root->base.hname, name);
412 if (!new_ns)
413 return NULL;
414 write_lock(&root->lock);
415
416 ns = __aa_find_namespace(&root->sub_ns, name);
417 if (!ns) {
418
419 new_ns->parent = aa_get_namespace(root);
420
421 list_add(&new_ns->base.list, &root->sub_ns);
422
423 ns = aa_get_namespace(new_ns);
424 } else {
425
426 free_namespace(new_ns);
427
428 aa_get_namespace(ns);
429 }
430 }
431out:
432 write_unlock(&root->lock);
433
434
435 return ns;
436}
437
438
439
440
441
442
443
444
445
446
447static void __list_add_profile(struct list_head *list,
448 struct aa_profile *profile)
449{
450 list_add(&profile->base.list, list);
451
452 aa_get_profile(profile);
453}
454
455
456
457
458
459
460
461
462
463
464
465
466
467static void __list_remove_profile(struct aa_profile *profile)
468{
469 list_del_init(&profile->base.list);
470 if (!(profile->flags & PFLAG_NO_LIST_REF))
471
472 aa_put_profile(profile);
473}
474
475
476
477
478
479
480
481
482
483
484
485
486
487static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
488{
489 struct aa_policy *policy;
490 struct aa_profile *child, *tmp;
491
492 if (old->parent)
493 policy = &old->parent->base;
494 else
495 policy = &old->ns->base;
496
497
498 new->parent = aa_get_profile(old->parent);
499 new->ns = aa_get_namespace(old->ns);
500 __list_add_profile(&policy->profiles, new);
501
502 list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) {
503 aa_put_profile(child->parent);
504 child->parent = aa_get_profile(new);
505
506 list_move(&child->base.list, &new->base.profiles);
507 }
508
509
510 old->replacedby = aa_get_profile(new);
511 __list_remove_profile(old);
512}
513
514static void __profile_list_release(struct list_head *head);
515
516
517
518
519
520
521
522static void __remove_profile(struct aa_profile *profile)
523{
524
525 __profile_list_release(&profile->base.profiles);
526
527 profile->replacedby = aa_get_profile(profile->ns->unconfined);
528 __list_remove_profile(profile);
529}
530
531
532
533
534
535
536
537static void __profile_list_release(struct list_head *head)
538{
539 struct aa_profile *profile, *tmp;
540 list_for_each_entry_safe(profile, tmp, head, base.list)
541 __remove_profile(profile);
542}
543
544static void __ns_list_release(struct list_head *head);
545
546
547
548
549
550static void destroy_namespace(struct aa_namespace *ns)
551{
552 if (!ns)
553 return;
554
555 write_lock(&ns->lock);
556
557 __profile_list_release(&ns->base.profiles);
558
559
560 __ns_list_release(&ns->sub_ns);
561
562 write_unlock(&ns->lock);
563}
564
565
566
567
568
569
570
571static void __remove_namespace(struct aa_namespace *ns)
572{
573 struct aa_profile *unconfined = ns->unconfined;
574
575
576 list_del_init(&ns->base.list);
577
578
579
580
581
582
583
584 if (ns->parent)
585 ns->unconfined = aa_get_profile(ns->parent->unconfined);
586
587 destroy_namespace(ns);
588
589
590 aa_put_profile(unconfined);
591
592 aa_put_namespace(ns);
593}
594
595
596
597
598
599
600
601static void __ns_list_release(struct list_head *head)
602{
603 struct aa_namespace *ns, *tmp;
604 list_for_each_entry_safe(ns, tmp, head, base.list)
605 __remove_namespace(ns);
606
607}
608
609
610
611
612
613
614
615int __init aa_alloc_root_ns(void)
616{
617
618 root_ns = alloc_namespace(NULL, "root");
619 if (!root_ns)
620 return -ENOMEM;
621
622 return 0;
623}
624
625
626
627
628void __init aa_free_root_ns(void)
629 {
630 struct aa_namespace *ns = root_ns;
631 root_ns = NULL;
632
633 destroy_namespace(ns);
634 aa_put_namespace(ns);
635}
636
637
638
639
640
641
642
643
644
645
646
647static void free_profile(struct aa_profile *profile)
648{
649 struct aa_profile *p;
650
651 AA_DEBUG("%s(%p)\n", __func__, profile);
652
653 if (!profile)
654 return;
655
656 if (!list_empty(&profile->base.list)) {
657 AA_ERROR("%s: internal error, "
658 "profile '%s' still on ns list\n",
659 __func__, profile->base.name);
660 BUG();
661 }
662
663
664 policy_destroy(&profile->base);
665 aa_put_profile(profile->parent);
666
667 aa_put_namespace(profile->ns);
668 kzfree(profile->rename);
669
670 aa_free_file_rules(&profile->file);
671 aa_free_cap_rules(&profile->caps);
672 aa_free_rlimit_rules(&profile->rlimits);
673
674 aa_put_dfa(profile->xmatch);
675 aa_put_dfa(profile->policy.dfa);
676
677
678
679
680
681
682
683
684 for (p = profile->replacedby; p; ) {
685 if (atomic_dec_and_test(&p->base.count.refcount)) {
686
687 struct aa_profile *next = p->replacedby;
688
689 p->replacedby = NULL;
690
691 free_profile(p);
692
693
694 p = next;
695 } else
696 break;
697 }
698
699 kzfree(profile);
700}
701
702
703
704
705
706void aa_free_profile_kref(struct kref *kref)
707{
708 struct aa_profile *p = container_of(kref, struct aa_profile,
709 base.count);
710
711 free_profile(p);
712}
713
714
715
716
717
718
719
720struct aa_profile *aa_alloc_profile(const char *hname)
721{
722 struct aa_profile *profile;
723
724
725 profile = kzalloc(sizeof(*profile), GFP_KERNEL);
726 if (!profile)
727 return NULL;
728
729 if (!policy_init(&profile->base, NULL, hname)) {
730 kzfree(profile);
731 return NULL;
732 }
733
734
735 return profile;
736}
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
753{
754 struct aa_profile *profile = NULL;
755 char *name;
756 int uniq = atomic_inc_return(&parent->ns->uniq_null);
757
758
759 name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL);
760 if (!name)
761 goto fail;
762 sprintf(name, "%s//null-%x", parent->base.hname, uniq);
763
764 profile = aa_alloc_profile(name);
765 kfree(name);
766 if (!profile)
767 goto fail;
768
769 profile->mode = APPARMOR_COMPLAIN;
770 profile->flags = PFLAG_NULL;
771 if (hat)
772 profile->flags |= PFLAG_HAT;
773
774
775 profile->parent = aa_get_profile(parent);
776 profile->ns = aa_get_namespace(parent->ns);
777
778 write_lock(&profile->ns->lock);
779 __list_add_profile(&parent->base.profiles, profile);
780 write_unlock(&profile->ns->lock);
781
782
783 return profile;
784
785fail:
786 return NULL;
787}
788
789
790
791
792
793
794
795
796
797
798
799
800static struct aa_profile *__find_child(struct list_head *head, const char *name)
801{
802 return (struct aa_profile *)__policy_find(head, name);
803}
804
805
806
807
808
809
810
811
812
813
814
815static struct aa_profile *__strn_find_child(struct list_head *head,
816 const char *name, int len)
817{
818 return (struct aa_profile *)__policy_strn_find(head, name, len);
819}
820
821
822
823
824
825
826
827
828struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
829{
830 struct aa_profile *profile;
831
832 read_lock(&parent->ns->lock);
833 profile = aa_get_profile(__find_child(&parent->base.profiles, name));
834 read_unlock(&parent->ns->lock);
835
836
837 return profile;
838}
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853static struct aa_policy *__lookup_parent(struct aa_namespace *ns,
854 const char *hname)
855{
856 struct aa_policy *policy;
857 struct aa_profile *profile = NULL;
858 char *split;
859
860 policy = &ns->base;
861
862 for (split = strstr(hname, "//"); split;) {
863 profile = __strn_find_child(&policy->profiles, hname,
864 split - hname);
865 if (!profile)
866 return NULL;
867 policy = &profile->base;
868 hname = split + 2;
869 split = strstr(hname, "//");
870 }
871 if (!profile)
872 return &ns->base;
873 return &profile->base;
874}
875
876
877
878
879
880
881
882
883
884
885
886
887static struct aa_profile *__lookup_profile(struct aa_policy *base,
888 const char *hname)
889{
890 struct aa_profile *profile = NULL;
891 char *split;
892
893 for (split = strstr(hname, "//"); split;) {
894 profile = __strn_find_child(&base->profiles, hname,
895 split - hname);
896 if (!profile)
897 return NULL;
898
899 base = &profile->base;
900 hname = split + 2;
901 split = strstr(hname, "//");
902 }
903
904 profile = __find_child(&base->profiles, hname);
905
906 return profile;
907}
908
909
910
911
912
913
914
915
916struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)
917{
918 struct aa_profile *profile;
919
920 read_lock(&ns->lock);
921 profile = aa_get_profile(__lookup_profile(&ns->base, hname));
922 read_unlock(&ns->lock);
923
924
925 if (!profile && strcmp(hname, "unconfined") == 0)
926 profile = aa_get_profile(ns->unconfined);
927
928
929 return profile;
930}
931
932
933
934
935
936
937
938
939
940static int replacement_allowed(struct aa_profile *profile, int noreplace,
941 const char **info)
942{
943 if (profile) {
944 if (profile->flags & PFLAG_IMMUTABLE) {
945 *info = "cannot replace immutible profile";
946 return -EPERM;
947 } else if (noreplace) {
948 *info = "profile already exists";
949 return -EEXIST;
950 }
951 }
952 return 0;
953}
954
955
956
957
958
959
960
961
962
963static void __add_new_profile(struct aa_namespace *ns, struct aa_policy *policy,
964 struct aa_profile *profile)
965{
966 if (policy != &ns->base)
967
968 profile->parent = aa_get_profile((struct aa_profile *) policy);
969 __list_add_profile(&policy->profiles, profile);
970
971 profile->ns = aa_get_namespace(ns);
972}
973
974
975
976
977
978
979
980
981
982
983
984static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
985 int error)
986{
987 struct common_audit_data sa;
988 struct apparmor_audit_data aad = {0,};
989 sa.type = LSM_AUDIT_DATA_NONE;
990 sa.aad = &aad;
991 aad.op = op;
992 aad.name = name;
993 aad.info = info;
994 aad.error = error;
995
996 return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp,
997 &sa, NULL);
998}
999
1000
1001
1002
1003
1004
1005
1006bool aa_may_manage_policy(int op)
1007{
1008
1009 if (aa_g_lock_policy) {
1010 audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES);
1011 return 0;
1012 }
1013
1014 if (!capable(CAP_MAC_ADMIN)) {
1015 audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
1016 return 0;
1017 }
1018
1019 return 1;
1020}
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
1035{
1036 struct aa_policy *policy;
1037 struct aa_profile *old_profile = NULL, *new_profile = NULL;
1038 struct aa_profile *rename_profile = NULL;
1039 struct aa_namespace *ns = NULL;
1040 const char *ns_name, *name = NULL, *info = NULL;
1041 int op = OP_PROF_REPL;
1042 ssize_t error;
1043
1044
1045 new_profile = aa_unpack(udata, size, &ns_name);
1046 if (IS_ERR(new_profile)) {
1047 error = PTR_ERR(new_profile);
1048 new_profile = NULL;
1049 goto fail;
1050 }
1051
1052
1053 ns = aa_prepare_namespace(ns_name);
1054 if (!ns) {
1055 info = "failed to prepare namespace";
1056 error = -ENOMEM;
1057 name = ns_name;
1058 goto fail;
1059 }
1060
1061 name = new_profile->base.hname;
1062
1063 write_lock(&ns->lock);
1064
1065 policy = __lookup_parent(ns, new_profile->base.hname);
1066
1067 if (!policy) {
1068 info = "parent does not exist";
1069 error = -ENOENT;
1070 goto audit;
1071 }
1072
1073 old_profile = __find_child(&policy->profiles, new_profile->base.name);
1074
1075 aa_get_profile(old_profile);
1076
1077 if (new_profile->rename) {
1078 rename_profile = __lookup_profile(&ns->base,
1079 new_profile->rename);
1080
1081 aa_get_profile(rename_profile);
1082
1083 if (!rename_profile) {
1084 info = "profile to rename does not exist";
1085 name = new_profile->rename;
1086 error = -ENOENT;
1087 goto audit;
1088 }
1089 }
1090
1091 error = replacement_allowed(old_profile, noreplace, &info);
1092 if (error)
1093 goto audit;
1094
1095 error = replacement_allowed(rename_profile, noreplace, &info);
1096 if (error)
1097 goto audit;
1098
1099audit:
1100 if (!old_profile && !rename_profile)
1101 op = OP_PROF_LOAD;
1102
1103 error = audit_policy(op, GFP_ATOMIC, name, info, error);
1104
1105 if (!error) {
1106 if (rename_profile)
1107 __replace_profile(rename_profile, new_profile);
1108 if (old_profile)
1109 __replace_profile(old_profile, new_profile);
1110 if (!(old_profile || rename_profile))
1111 __add_new_profile(ns, policy, new_profile);
1112 }
1113 write_unlock(&ns->lock);
1114
1115out:
1116 aa_put_namespace(ns);
1117 aa_put_profile(rename_profile);
1118 aa_put_profile(old_profile);
1119 aa_put_profile(new_profile);
1120 if (error)
1121 return error;
1122 return size;
1123
1124fail:
1125 error = audit_policy(op, GFP_KERNEL, name, info, error);
1126 goto out;
1127}
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141ssize_t aa_remove_profiles(char *fqname, size_t size)
1142{
1143 struct aa_namespace *root, *ns = NULL;
1144 struct aa_profile *profile = NULL;
1145 const char *name = fqname, *info = NULL;
1146 ssize_t error = 0;
1147
1148 if (*fqname == 0) {
1149 info = "no profile specified";
1150 error = -ENOENT;
1151 goto fail;
1152 }
1153
1154 root = aa_current_profile()->ns;
1155
1156 if (fqname[0] == ':') {
1157 char *ns_name;
1158 name = aa_split_fqname(fqname, &ns_name);
1159
1160 ns = aa_find_namespace(root, ns_name);
1161 if (!ns) {
1162 info = "namespace does not exist";
1163 error = -ENOENT;
1164 goto fail;
1165 }
1166 } else
1167
1168 ns = aa_get_namespace(root);
1169
1170 if (!name) {
1171
1172 write_lock(&ns->parent->lock);
1173 __remove_namespace(ns);
1174 write_unlock(&ns->parent->lock);
1175 } else {
1176
1177 write_lock(&ns->lock);
1178 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1179 if (!profile) {
1180 error = -ENOENT;
1181 info = "profile does not exist";
1182 goto fail_ns_lock;
1183 }
1184 name = profile->base.hname;
1185 __remove_profile(profile);
1186 write_unlock(&ns->lock);
1187 }
1188
1189
1190 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
1191 aa_put_namespace(ns);
1192 aa_put_profile(profile);
1193 return size;
1194
1195fail_ns_lock:
1196 write_unlock(&ns->lock);
1197 aa_put_namespace(ns);
1198
1199fail:
1200 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
1201 return error;
1202}
1203