LXR linux/security/apparmor/lsm.c

   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor LSM hooks.
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include <linux/lsm_hooks.h>
  16#include <linux/moduleparam.h>
  17#include <linux/mm.h>
  18#include <linux/mman.h>
  19#include <linux/mount.h>
  20#include <linux/namei.h>
  21#include <linux/ptrace.h>
  22#include <linux/ctype.h>
  23#include <linux/sysctl.h>
  24#include <linux/audit.h>
  25#include <linux/user_namespace.h>
  26#include <linux/kmemleak.h>
  27#include <net/sock.h>
  28
  29#include "include/apparmor.h"
  30#include "include/apparmorfs.h"
  31#include "include/audit.h"
  32#include "include/capability.h"
  33#include "include/context.h"
  34#include "include/file.h"
  35#include "include/ipc.h"
  36#include "include/path.h"
  37#include "include/label.h"
  38#include "include/policy.h"
  39#include "include/policy_ns.h"
  40#include "include/procattr.h"
  41#include "include/mount.h"
  42
  43/* Flag indicating whether initialization completed */
  44int apparmor_initialized;
  45
  46DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
  47
  48
  49/*
  50 * LSM hook functions
  51 */
  52
  53/*
  54 * free the associated aa_task_ctx and put its labels
  55 */
  56static void apparmor_cred_free(struct cred *cred)
  57{
  58        aa_free_task_context(cred_ctx(cred));
  59        cred_ctx(cred) = NULL;
  60}
  61
  62/*
  63 * allocate the apparmor part of blank credentials
  64 */
  65static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  66{
  67        /* freed by apparmor_cred_free */
  68        struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
  69
  70        if (!ctx)
  71                return -ENOMEM;
  72
  73        cred_ctx(cred) = ctx;
  74        return 0;
  75}
  76
  77/*
  78 * prepare new aa_task_ctx for modification by prepare_cred block
  79 */
  80static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
  81                                 gfp_t gfp)
  82{
  83        /* freed by apparmor_cred_free */
  84        struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
  85
  86        if (!ctx)
  87                return -ENOMEM;
  88
  89        aa_dup_task_context(ctx, cred_ctx(old));
  90        cred_ctx(new) = ctx;
  91        return 0;
  92}
  93
  94/*
  95 * transfer the apparmor data to a blank set of creds
  96 */
  97static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
  98{
  99        const struct aa_task_ctx *old_ctx = cred_ctx(old);
 100        struct aa_task_ctx *new_ctx = cred_ctx(new);
 101
 102        aa_dup_task_context(new_ctx, old_ctx);
 103}
 104
 105static int apparmor_ptrace_access_check(struct task_struct *child,
 106                                        unsigned int mode)
 107{
 108        struct aa_label *tracer, *tracee;
 109        int error;
 110
 111        tracer = begin_current_label_crit_section();
 112        tracee = aa_get_task_label(child);
 113        error = aa_may_ptrace(tracer, tracee,
 114                  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
 115        aa_put_label(tracee);
 116        end_current_label_crit_section(tracer);
 117
 118        return error;
 119}
 120
 121static int apparmor_ptrace_traceme(struct task_struct *parent)
 122{
 123        struct aa_label *tracer, *tracee;
 124        int error;
 125
 126        tracee = begin_current_label_crit_section();
 127        tracer = aa_get_task_label(parent);
 128        error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
 129        aa_put_label(tracer);
 130        end_current_label_crit_section(tracee);
 131
 132        return error;
 133}
 134
 135/* Derived from security/commoncap.c:cap_capget */
 136static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
 137                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
 138{
 139        struct aa_label *label;
 140        const struct cred *cred;
 141
 142        rcu_read_lock();
 143        cred = __task_cred(target);
 144        label = aa_get_newest_cred_label(cred);
 145
 146        /*
 147         * cap_capget is stacked ahead of this and will
 148         * initialize effective and permitted.
 149         */
 150        if (!unconfined(label)) {
 151                struct aa_profile *profile;
 152                struct label_it i;
 153
 154                label_for_each_confined(i, label, profile) {
 155                        if (COMPLAIN_MODE(profile))
 156                                continue;
 157                        *effective = cap_intersect(*effective,
 158                                                   profile->caps.allow);
 159                        *permitted = cap_intersect(*permitted,
 160                                                   profile->caps.allow);
 161                }
 162        }
 163        rcu_read_unlock();
 164        aa_put_label(label);
 165
 166        return 0;
 167}
 168
 169static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
 170                            int cap, int audit)
 171{
 172        struct aa_label *label;
 173        int error = 0;
 174
 175        label = aa_get_newest_cred_label(cred);
 176        if (!unconfined(label))
 177                error = aa_capable(label, cap, audit);
 178        aa_put_label(label);
 179
 180        return error;
 181}
 182
 183/**
 184 * common_perm - basic common permission check wrapper fn for paths
 185 * @op: operation being checked
 186 * @path: path to check permission of  (NOT NULL)
 187 * @mask: requested permissions mask
 188 * @cond: conditional info for the permission request  (NOT NULL)
 189 *
 190 * Returns: %0 else error code if error or permission denied
 191 */
 192static int common_perm(const char *op, const struct path *path, u32 mask,
 193                       struct path_cond *cond)
 194{
 195        struct aa_label *label;
 196        int error = 0;
 197
 198        label = __begin_current_label_crit_section();
 199        if (!unconfined(label))
 200                error = aa_path_perm(op, label, path, 0, mask, cond);
 201        __end_current_label_crit_section(label);
 202
 203        return error;
 204}
 205
 206/**
 207 * common_perm_cond - common permission wrapper around inode cond
 208 * @op: operation being checked
 209 * @path: location to check (NOT NULL)
 210 * @mask: requested permissions mask
 211 *
 212 * Returns: %0 else error code if error or permission denied
 213 */
 214static int common_perm_cond(const char *op, const struct path *path, u32 mask)
 215{
 216        struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
 217                                  d_backing_inode(path->dentry)->i_mode
 218        };
 219
 220        if (!path_mediated_fs(path->dentry))
 221                return 0;
 222
 223        return common_perm(op, path, mask, &cond);
 224}
 225
 226/**
 227 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
 228 * @op: operation being checked
 229 * @dir: directory of the dentry  (NOT NULL)
 230 * @dentry: dentry to check  (NOT NULL)
 231 * @mask: requested permissions mask
 232 * @cond: conditional info for the permission request  (NOT NULL)
 233 *
 234 * Returns: %0 else error code if error or permission denied
 235 */
 236static int common_perm_dir_dentry(const char *op, const struct path *dir,
 237                                  struct dentry *dentry, u32 mask,
 238                                  struct path_cond *cond)
 239{
 240        struct path path = { .mnt = dir->mnt, .dentry = dentry };
 241
 242        return common_perm(op, &path, mask, cond);
 243}
 244
 245/**
 246 * common_perm_rm - common permission wrapper for operations doing rm
 247 * @op: operation being checked
 248 * @dir: directory that the dentry is in  (NOT NULL)
 249 * @dentry: dentry being rm'd  (NOT NULL)
 250 * @mask: requested permission mask
 251 *
 252 * Returns: %0 else error code if error or permission denied
 253 */
 254static int common_perm_rm(const char *op, const struct path *dir,
 255                          struct dentry *dentry, u32 mask)
 256{
 257        struct inode *inode = d_backing_inode(dentry);
 258        struct path_cond cond = { };
 259
 260        if (!inode || !path_mediated_fs(dentry))
 261                return 0;
 262
 263        cond.uid = inode->i_uid;
 264        cond.mode = inode->i_mode;
 265
 266        return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 267}
 268
 269/**
 270 * common_perm_create - common permission wrapper for operations doing create
 271 * @op: operation being checked
 272 * @dir: directory that dentry will be created in  (NOT NULL)
 273 * @dentry: dentry to create   (NOT NULL)
 274 * @mask: request permission mask
 275 * @mode: created file mode
 276 *
 277 * Returns: %0 else error code if error or permission denied
 278 */
 279static int common_perm_create(const char *op, const struct path *dir,
 280                              struct dentry *dentry, u32 mask, umode_t mode)
 281{
 282        struct path_cond cond = { current_fsuid(), mode };
 283
 284        if (!path_mediated_fs(dir->dentry))
 285                return 0;
 286
 287        return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 288}
 289
 290static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
 291{
 292        return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
 293}
 294
 295static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
 296                               umode_t mode)
 297{
 298        return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
 299                                  S_IFDIR);
 300}
 301
 302static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
 303{
 304        return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
 305}
 306
 307static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
 308                               umode_t mode, unsigned int dev)
 309{
 310        return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
 311}
 312
 313static int apparmor_path_truncate(const struct path *path)
 314{
 315        return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
 316}
 317
 318static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
 319                                 const char *old_name)
 320{
 321        return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
 322                                  S_IFLNK);
 323}
 324
 325static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
 326                              struct dentry *new_dentry)
 327{
 328        struct aa_label *label;
 329        int error = 0;
 330
 331        if (!path_mediated_fs(old_dentry))
 332                return 0;
 333
 334        label = begin_current_label_crit_section();
 335        if (!unconfined(label))
 336                error = aa_path_link(label, old_dentry, new_dir, new_dentry);
 337        end_current_label_crit_section(label);
 338
 339        return error;
 340}
 341
 342static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
 343                                const struct path *new_dir, struct dentry *new_dentry)
 344{
 345        struct aa_label *label;
 346        int error = 0;
 347
 348        if (!path_mediated_fs(old_dentry))
 349                return 0;
 350
 351        label = begin_current_label_crit_section();
 352        if (!unconfined(label)) {
 353                struct path old_path = { .mnt = old_dir->mnt,
 354                                         .dentry = old_dentry };
 355                struct path new_path = { .mnt = new_dir->mnt,
 356                                         .dentry = new_dentry };
 357                struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
 358                                          d_backing_inode(old_dentry)->i_mode
 359                };
 360
 361                error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
 362                                     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
 363                                     AA_MAY_SETATTR | AA_MAY_DELETE,
 364                                     &cond);
 365                if (!error)
 366                        error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
 367                                             0, MAY_WRITE | AA_MAY_SETATTR |
 368                                             AA_MAY_CREATE, &cond);
 369
 370        }
 371        end_current_label_crit_section(label);
 372
 373        return error;
 374}
 375
 376static int apparmor_path_chmod(const struct path *path, umode_t mode)
 377{
 378        return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
 379}
 380
 381static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
 382{
 383        return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
 384}
 385
 386static int apparmor_inode_getattr(const struct path *path)
 387{
 388        return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
 389}
 390
 391static int apparmor_file_open(struct file *file, const struct cred *cred)
 392{
 393        struct aa_file_ctx *fctx = file_ctx(file);
 394        struct aa_label *label;
 395        int error = 0;
 396
 397        if (!path_mediated_fs(file->f_path.dentry))
 398                return 0;
 399
 400        /* If in exec, permission is handled by bprm hooks.
 401         * Cache permissions granted by the previous exec check, with
 402         * implicit read and executable mmap which are required to
 403         * actually execute the image.
 404         */
 405        if (current->in_execve) {
 406                fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
 407                return 0;
 408        }
 409
 410        label = aa_get_newest_cred_label(cred);
 411        if (!unconfined(label)) {
 412                struct inode *inode = file_inode(file);
 413                struct path_cond cond = { inode->i_uid, inode->i_mode };
 414
 415                error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
 416                                     aa_map_file_to_perms(file), &cond);
 417                /* todo cache full allowed permissions set and state */
 418                fctx->allow = aa_map_file_to_perms(file);
 419        }
 420        aa_put_label(label);
 421
 422        return error;
 423}
 424
 425static int apparmor_file_alloc_security(struct file *file)
 426{
 427        int error = 0;
 428
 429        /* freed by apparmor_file_free_security */
 430        struct aa_label *label = begin_current_label_crit_section();
 431        file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL);
 432        if (!file_ctx(file))
 433                error = -ENOMEM;
 434        end_current_label_crit_section(label);
 435
 436        return error;
 437}
 438
 439static void apparmor_file_free_security(struct file *file)
 440{
 441        aa_free_file_ctx(file_ctx(file));
 442}
 443
 444static int common_file_perm(const char *op, struct file *file, u32 mask)
 445{
 446        struct aa_label *label;
 447        int error = 0;
 448
 449        /* don't reaudit files closed during inheritance */
 450        if (file->f_path.dentry == aa_null.dentry)
 451                return -EACCES;
 452
 453        label = __begin_current_label_crit_section();
 454        error = aa_file_perm(op, label, file, mask);
 455        __end_current_label_crit_section(label);
 456
 457        return error;
 458}
 459
 460static int apparmor_file_receive(struct file *file)
 461{
 462        return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file));
 463}
 464
 465static int apparmor_file_permission(struct file *file, int mask)
 466{
 467        return common_file_perm(OP_FPERM, file, mask);
 468}
 469
 470static int apparmor_file_lock(struct file *file, unsigned int cmd)
 471{
 472        u32 mask = AA_MAY_LOCK;
 473
 474        if (cmd == F_WRLCK)
 475                mask |= MAY_WRITE;
 476
 477        return common_file_perm(OP_FLOCK, file, mask);
 478}
 479
 480static int common_mmap(const char *op, struct file *file, unsigned long prot,
 481                       unsigned long flags)
 482{
 483        int mask = 0;
 484
 485        if (!file || !file_ctx(file))
 486                return 0;
 487
 488        if (prot & PROT_READ)
 489                mask |= MAY_READ;
 490        /*
 491         * Private mappings don't require write perms since they don't
 492         * write back to the files
 493         */
 494        if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
 495                mask |= MAY_WRITE;
 496        if (prot & PROT_EXEC)
 497                mask |= AA_EXEC_MMAP;
 498
 499        return common_file_perm(op, file, mask);
 500}
 501
 502static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
 503                              unsigned long prot, unsigned long flags)
 504{
 505        return common_mmap(OP_FMMAP, file, prot, flags);
 506}
 507
 508static int apparmor_file_mprotect(struct vm_area_struct *vma,
 509                                  unsigned long reqprot, unsigned long prot)
 510{
 511        return common_mmap(OP_FMPROT, vma->vm_file, prot,
 512                           !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 513}
 514
 515static int apparmor_sb_mount(const char *dev_name, const struct path *path,
 516                             const char *type, unsigned long flags, void *data)
 517{
 518        struct aa_label *label;
 519        int error = 0;
 520
 521        /* Discard magic */
 522        if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
 523                flags &= ~MS_MGC_MSK;
 524
 525        flags &= ~AA_MS_IGNORE_MASK;
 526
 527        label = __begin_current_label_crit_section();
 528        if (!unconfined(label)) {
 529                if (flags & MS_REMOUNT)
 530                        error = aa_remount(label, path, flags, data);
 531                else if (flags & MS_BIND)
 532                        error = aa_bind_mount(label, path, dev_name, flags);
 533                else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
 534                                  MS_UNBINDABLE))
 535                        error = aa_mount_change_type(label, path, flags);
 536                else if (flags & MS_MOVE)
 537                        error = aa_move_mount(label, path, dev_name);
 538                else
 539                        error = aa_new_mount(label, dev_name, path, type,
 540                                             flags, data);
 541        }
 542        __end_current_label_crit_section(label);
 543
 544        return error;
 545}
 546
 547static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
 548{
 549        struct aa_label *label;
 550        int error = 0;
 551
 552        label = __begin_current_label_crit_section();
 553        if (!unconfined(label))
 554                error = aa_umount(label, mnt, flags);
 555        __end_current_label_crit_section(label);
 556
 557        return error;
 558}
 559
 560static int apparmor_sb_pivotroot(const struct path *old_path,
 561                                 const struct path *new_path)
 562{
 563        struct aa_label *label;
 564        int error = 0;
 565
 566        label = aa_get_current_label();
 567        if (!unconfined(label))
 568                error = aa_pivotroot(label, old_path, new_path);
 569        aa_put_label(label);
 570
 571        return error;
 572}
 573
 574static int apparmor_getprocattr(struct task_struct *task, char *name,
 575                                char **value)
 576{
 577        int error = -ENOENT;
 578        /* released below */
 579        const struct cred *cred = get_task_cred(task);
 580        struct aa_task_ctx *ctx = cred_ctx(cred);
 581        struct aa_label *label = NULL;
 582
 583        if (strcmp(name, "current") == 0)
 584                label = aa_get_newest_label(ctx->label);
 585        else if (strcmp(name, "prev") == 0  && ctx->previous)
 586                label = aa_get_newest_label(ctx->previous);
 587        else if (strcmp(name, "exec") == 0 && ctx->onexec)
 588                label = aa_get_newest_label(ctx->onexec);
 589        else
 590                error = -EINVAL;
 591
 592        if (label)
 593                error = aa_getprocattr(label, value);
 594
 595        aa_put_label(label);
 596        put_cred(cred);
 597
 598        return error;
 599}
 600
 601static int apparmor_setprocattr(const char *name, void *value,
 602                                size_t size)
 603{
 604        char *command, *largs = NULL, *args = value;
 605        size_t arg_size;
 606        int error;
 607        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
 608
 609        if (size == 0)
 610                return -EINVAL;
 611
 612        /* AppArmor requires that the buffer must be null terminated atm */
 613        if (args[size - 1] != '\0') {
 614                /* null terminate */
 615                largs = args = kmalloc(size + 1, GFP_KERNEL);
 616                if (!args)
 617                        return -ENOMEM;
 618                memcpy(args, value, size);
 619                args[size] = '\0';
 620        }
 621
 622        error = -EINVAL;
 623        args = strim(args);
 624        command = strsep(&args, " ");
 625        if (!args)
 626                goto out;
 627        args = skip_spaces(args);
 628        if (!*args)
 629                goto out;
 630
 631        arg_size = size - (args - (largs ? largs : (char *) value));
 632        if (strcmp(name, "current") == 0) {
 633                if (strcmp(command, "changehat") == 0) {
 634                        error = aa_setprocattr_changehat(args, arg_size,
 635                                                         AA_CHANGE_NOFLAGS);
 636                } else if (strcmp(command, "permhat") == 0) {
 637                        error = aa_setprocattr_changehat(args, arg_size,
 638                                                         AA_CHANGE_TEST);
 639                } else if (strcmp(command, "changeprofile") == 0) {
 640                        error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
 641                } else if (strcmp(command, "permprofile") == 0) {
 642                        error = aa_change_profile(args, AA_CHANGE_TEST);
 643                } else if (strcmp(command, "stack") == 0) {
 644                        error = aa_change_profile(args, AA_CHANGE_STACK);
 645                } else
 646                        goto fail;
 647        } else if (strcmp(name, "exec") == 0) {
 648                if (strcmp(command, "exec") == 0)
 649                        error = aa_change_profile(args, AA_CHANGE_ONEXEC);
 650                else if (strcmp(command, "stack") == 0)
 651                        error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
 652                                                         AA_CHANGE_STACK));
 653                else
 654                        goto fail;
 655        } else
 656                /* only support the "current" and "exec" process attributes */
 657                goto fail;
 658
 659        if (!error)
 660                error = size;
 661out:
 662        kfree(largs);
 663        return error;
 664
 665fail:
 666        aad(&sa)->label = begin_current_label_crit_section();
 667        aad(&sa)->info = name;
 668        aad(&sa)->error = error = -EINVAL;
 669        aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
 670        end_current_label_crit_section(aad(&sa)->label);
 671        goto out;
 672}
 673
 674/**
 675 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
 676 * @bprm: binprm for the exec  (NOT NULL)
 677 */
 678static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
 679{
 680        struct aa_label *label = aa_current_raw_label();
 681        struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);
 682
 683        /* bail out if unconfined or not changing profile */
 684        if ((new_ctx->label->proxy == label->proxy) ||
 685            (unconfined(new_ctx->label)))
 686                return;
 687
 688        aa_inherit_files(bprm->cred, current->files);
 689
 690        current->pdeath_signal = 0;
 691
 692        /* reset soft limits and set hard limits for the new label */
 693        __aa_transition_rlimits(label, new_ctx->label);
 694}
 695
 696/**
 697 * apparmor_bprm_committed_cred - do cleanup after new creds committed
 698 * @bprm: binprm for the exec  (NOT NULL)
 699 */
 700static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
 701{
 702        /* TODO: cleanup signals - ipc mediation */
 703        return;
 704}
 705
 706static int apparmor_task_setrlimit(struct task_struct *task,
 707                unsigned int resource, struct rlimit *new_rlim)
 708{
 709        struct aa_label *label = __begin_current_label_crit_section();
 710        int error = 0;
 711
 712        if (!unconfined(label))
 713                error = aa_task_setrlimit(label, task, resource, new_rlim);
 714        __end_current_label_crit_section(label);
 715
 716        return error;
 717}
 718
 719static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
 720                              int sig, u32 secid)
 721{
 722        struct aa_label *cl, *tl;
 723        int error;
 724
 725        if (secid)
 726                /* TODO: after secid to label mapping is done.
 727                 *  Dealing with USB IO specific behavior
 728                 */
 729                return 0;
 730        cl = __begin_current_label_crit_section();
 731        tl = aa_get_task_label(target);
 732        error = aa_may_signal(cl, tl, sig);
 733        aa_put_label(tl);
 734        __end_current_label_crit_section(cl);
 735
 736        return error;
 737}
 738
 739static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 740        LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
 741        LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
 742        LSM_HOOK_INIT(capget, apparmor_capget),
 743        LSM_HOOK_INIT(capable, apparmor_capable),
 744
 745        LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
 746        LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
 747        LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
 748
 749        LSM_HOOK_INIT(path_link, apparmor_path_link),
 750        LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
 751        LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
 752        LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
 753        LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
 754        LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
 755        LSM_HOOK_INIT(path_rename, apparmor_path_rename),
 756        LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
 757        LSM_HOOK_INIT(path_chown, apparmor_path_chown),
 758        LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
 759        LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
 760
 761        LSM_HOOK_INIT(file_open, apparmor_file_open),
 762        LSM_HOOK_INIT(file_receive, apparmor_file_receive),
 763        LSM_HOOK_INIT(file_permission, apparmor_file_permission),
 764        LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
 765        LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
 766        LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
 767        LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
 768        LSM_HOOK_INIT(file_lock, apparmor_file_lock),
 769
 770        LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
 771        LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
 772
 773        LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
 774        LSM_HOOK_INIT(cred_free, apparmor_cred_free),
 775        LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
 776        LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
 777
 778        LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
 779        LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
 780        LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
 781
 782        LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
 783        LSM_HOOK_INIT(task_kill, apparmor_task_kill),
 784};
 785
 786/*
 787 * AppArmor sysfs module parameters
 788 */
 789
 790static int param_set_aabool(const char *val, const struct kernel_param *kp);
 791static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 792#define param_check_aabool param_check_bool
 793static const struct kernel_param_ops param_ops_aabool = {
 794        .flags = KERNEL_PARAM_OPS_FL_NOARG,
 795        .set = param_set_aabool,
 796        .get = param_get_aabool
 797};
 798
 799static int param_set_aauint(const char *val, const struct kernel_param *kp);
 800static int param_get_aauint(char *buffer, const struct kernel_param *kp);
 801#define param_check_aauint param_check_uint
 802static const struct kernel_param_ops param_ops_aauint = {
 803        .set = param_set_aauint,
 804        .get = param_get_aauint
 805};
 806
 807static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
 808static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 809#define param_check_aalockpolicy param_check_bool
 810static const struct kernel_param_ops param_ops_aalockpolicy = {
 811        .flags = KERNEL_PARAM_OPS_FL_NOARG,
 812        .set = param_set_aalockpolicy,
 813        .get = param_get_aalockpolicy
 814};
 815
 816static int param_set_audit(const char *val, const struct kernel_param *kp);
 817static int param_get_audit(char *buffer, const struct kernel_param *kp);
 818
 819static int param_set_mode(const char *val, const struct kernel_param *kp);
 820static int param_get_mode(char *buffer, const struct kernel_param *kp);
 821
 822/* Flag values, also controllable via /sys/module/apparmor/parameters
 823 * We define special types as we want to do additional mediation.
 824 */
 825
 826/* AppArmor global enforcement switch - complain, enforce, kill */
 827enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
 828module_param_call(mode, param_set_mode, param_get_mode,
 829                  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
 830
 831/* whether policy verification hashing is enabled */
 832bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
 833#ifdef CONFIG_SECURITY_APPARMOR_HASH
 834module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 835#endif
 836
 837/* Debug mode */
 838bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
 839module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 840
 841/* Audit mode */
 842enum audit_mode aa_g_audit;
 843module_param_call(audit, param_set_audit, param_get_audit,
 844                  &aa_g_audit, S_IRUSR | S_IWUSR);
 845
 846/* Determines if audit header is included in audited messages.  This
 847 * provides more context if the audit daemon is not running
 848 */
 849bool aa_g_audit_header = true;
 850module_param_named(audit_header, aa_g_audit_header, aabool,
 851                   S_IRUSR | S_IWUSR);
 852
 853/* lock out loading/removal of policy
 854 * TODO: add in at boot loading of policy, which is the only way to
 855 *       load policy, if lock_policy is set
 856 */
 857bool aa_g_lock_policy;
 858module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
 859                   S_IRUSR | S_IWUSR);
 860
 861/* Syscall logging mode */
 862bool aa_g_logsyscall;
 863module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
 864
 865/* Maximum pathname length before accesses will start getting rejected */
 866unsigned int aa_g_path_max = 2 * PATH_MAX;
 867module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
 868
 869/* Determines how paranoid loading of policy is and how much verification
 870 * on the loaded policy is done.
 871 * DEPRECATED: read only as strict checking of load is always done now
 872 * that none root users (user namespaces) can load policy.
 873 */
 874bool aa_g_paranoid_load = true;
 875module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
 876
 877/* Boot time disable flag */
 878static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
 879module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
 880
 881static int __init apparmor_enabled_setup(char *str)
 882{
 883        unsigned long enabled;
 884        int error = kstrtoul(str, 0, &enabled);
 885        if (!error)
 886                apparmor_enabled = enabled ? 1 : 0;
 887        return 1;
 888}
 889
 890__setup("apparmor=", apparmor_enabled_setup);
 891
 892/* set global flag turning off the ability to load policy */
 893static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 894{
 895        if (!apparmor_enabled)
 896                return -EINVAL;
 897        if (apparmor_initialized && !policy_admin_capable(NULL))
 898                return -EPERM;
 899        return param_set_bool(val, kp);
 900}
 901
 902static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 903{
 904        if (!apparmor_enabled)
 905                return -EINVAL;
 906        if (apparmor_initialized && !policy_view_capable(NULL))
 907                return -EPERM;
 908        return param_get_bool(buffer, kp);
 909}
 910
 911static int param_set_aabool(const char *val, const struct kernel_param *kp)
 912{
 913        if (!apparmor_enabled)
 914                return -EINVAL;
 915        if (apparmor_initialized && !policy_admin_capable(NULL))
 916                return -EPERM;
 917        return param_set_bool(val, kp);
 918}
 919
 920static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 921{
 922        if (!apparmor_enabled)
 923                return -EINVAL;
 924        if (apparmor_initialized && !policy_view_capable(NULL))
 925                return -EPERM;
 926        return param_get_bool(buffer, kp);
 927}
 928
 929static int param_set_aauint(const char *val, const struct kernel_param *kp)
 930{
 931        int error;
 932
 933        if (!apparmor_enabled)
 934                return -EINVAL;
 935        /* file is ro but enforce 2nd line check */
 936        if (apparmor_initialized)
 937                return -EPERM;
 938
 939        error = param_set_uint(val, kp);
 940        pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
 941
 942        return error;
 943}
 944
 945static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 946{
 947        if (!apparmor_enabled)
 948                return -EINVAL;
 949        if (apparmor_initialized && !policy_view_capable(NULL))
 950                return -EPERM;
 951        return param_get_uint(buffer, kp);
 952}
 953
 954static int param_get_audit(char *buffer, const struct kernel_param *kp)
 955{
 956        if (!apparmor_enabled)
 957                return -EINVAL;
 958        if (apparmor_initialized && !policy_view_capable(NULL))
 959                return -EPERM;
 960        return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
 961}
 962
 963static int param_set_audit(const char *val, const struct kernel_param *kp)
 964{
 965        int i;
 966
 967        if (!apparmor_enabled)
 968                return -EINVAL;
 969        if (!val)
 970                return -EINVAL;
 971        if (apparmor_initialized && !policy_admin_capable(NULL))
 972                return -EPERM;
 973
 974        for (i = 0; i < AUDIT_MAX_INDEX; i++) {
 975                if (strcmp(val, audit_mode_names[i]) == 0) {
 976                        aa_g_audit = i;
 977                        return 0;
 978                }
 979        }
 980
 981        return -EINVAL;
 982}
 983
 984static int param_get_mode(char *buffer, const struct kernel_param *kp)
 985{
 986        if (!apparmor_enabled)
 987                return -EINVAL;
 988        if (apparmor_initialized && !policy_view_capable(NULL))
 989                return -EPERM;
 990
 991        return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
 992}
 993
 994static int param_set_mode(const char *val, const struct kernel_param *kp)
 995{
 996        int i;
 997
 998        if (!apparmor_enabled)
 999                return -EINVAL;
1000        if (!val)

1001                return -EINVAL;
1002        if (apparmor_initialized && !policy_admin_capable(NULL))
1003                return -EPERM;
1004
1005        for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
1006                if (strcmp(val, aa_profile_mode_names[i]) == 0) {
1007                        aa_g_profile_mode = i;
1008                        return 0;
1009                }
1010        }
1011
1012        return -EINVAL;
1013}
1014
1015/*
1016 * AppArmor init functions
1017 */
1018
1019/**
1020 * set_init_ctx - set a task context and profile on the first task.
1021 *
1022 * TODO: allow setting an alternate profile than unconfined
1023 */
1024static int __init set_init_ctx(void)
1025{
1026        struct cred *cred = (struct cred *)current->real_cred;
1027        struct aa_task_ctx *ctx;
1028
1029        ctx = aa_alloc_task_context(GFP_KERNEL);
1030        if (!ctx)
1031                return -ENOMEM;
1032
1033        ctx->label = aa_get_label(ns_unconfined(root_ns));
1034        cred_ctx(cred) = ctx;
1035
1036        return 0;
1037}
1038
1039static void destroy_buffers(void)
1040{
1041        u32 i, j;
1042
1043        for_each_possible_cpu(i) {
1044                for_each_cpu_buffer(j) {
1045                        kfree(per_cpu(aa_buffers, i).buf[j]);
1046                        per_cpu(aa_buffers, i).buf[j] = NULL;
1047                }
1048        }
1049}
1050
1051static int __init alloc_buffers(void)
1052{
1053        u32 i, j;
1054
1055        for_each_possible_cpu(i) {
1056                for_each_cpu_buffer(j) {
1057                        char *buffer;
1058
1059                        if (cpu_to_node(i) > num_online_nodes())
1060                                /* fallback to kmalloc for offline nodes */
1061                                buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
1062                        else
1063                                buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
1064                                                      cpu_to_node(i));
1065                        if (!buffer) {
1066                                destroy_buffers();
1067                                return -ENOMEM;
1068                        }
1069                        per_cpu(aa_buffers, i).buf[j] = buffer;
1070                }
1071        }
1072
1073        return 0;
1074}
1075
1076#ifdef CONFIG_SYSCTL
1077static int apparmor_dointvec(struct ctl_table *table, int write,
1078                             void __user *buffer, size_t *lenp, loff_t *ppos)
1079{
1080        if (!policy_admin_capable(NULL))
1081                return -EPERM;
1082        if (!apparmor_enabled)
1083                return -EINVAL;
1084
1085        return proc_dointvec(table, write, buffer, lenp, ppos);
1086}
1087
1088static struct ctl_path apparmor_sysctl_path[] = {
1089        { .procname = "kernel", },
1090        { }
1091};
1092
1093static struct ctl_table apparmor_sysctl_table[] = {
1094        {
1095                .procname       = "unprivileged_userns_apparmor_policy",
1096                .data           = &unprivileged_userns_apparmor_policy,
1097                .maxlen         = sizeof(int),
1098                .mode           = 0600,
1099                .proc_handler   = apparmor_dointvec,
1100        },
1101        { }
1102};
1103
1104static int __init apparmor_init_sysctl(void)
1105{
1106        return register_sysctl_paths(apparmor_sysctl_path,
1107                                     apparmor_sysctl_table) ? 0 : -ENOMEM;
1108}
1109#else
1110static inline int apparmor_init_sysctl(void)
1111{
1112        return 0;
1113}
1114#endif /* CONFIG_SYSCTL */
1115
1116static int __init apparmor_init(void)
1117{
1118        int error;
1119
1120        if (!apparmor_enabled || !security_module_enable("apparmor")) {
1121                aa_info_message("AppArmor disabled by boot time parameter");
1122                apparmor_enabled = false;
1123                return 0;
1124        }
1125
1126        error = aa_setup_dfa_engine();
1127        if (error) {
1128                AA_ERROR("Unable to setup dfa engine\n");
1129                goto alloc_out;
1130        }
1131
1132        error = aa_alloc_root_ns();
1133        if (error) {
1134                AA_ERROR("Unable to allocate default profile namespace\n");
1135                goto alloc_out;
1136        }
1137
1138        error = apparmor_init_sysctl();
1139        if (error) {
1140                AA_ERROR("Unable to register sysctls\n");
1141                goto alloc_out;
1142
1143        }
1144
1145        error = alloc_buffers();
1146        if (error) {
1147                AA_ERROR("Unable to allocate work buffers\n");
1148                goto buffers_out;
1149        }
1150
1151        error = set_init_ctx();
1152        if (error) {
1153                AA_ERROR("Failed to set context on init task\n");
1154                aa_free_root_ns();
1155                goto buffers_out;
1156        }
1157        security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1158                                "apparmor");
1159
1160        /* Report that AppArmor successfully initialized */
1161        apparmor_initialized = 1;
1162        if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1163                aa_info_message("AppArmor initialized: complain mode enabled");
1164        else if (aa_g_profile_mode == APPARMOR_KILL)
1165                aa_info_message("AppArmor initialized: kill mode enabled");
1166        else
1167                aa_info_message("AppArmor initialized");
1168
1169        return error;
1170
1171buffers_out:
1172        destroy_buffers();
1173
1174alloc_out:
1175        aa_destroy_aafs();
1176        aa_teardown_dfa_engine();
1177
1178        apparmor_enabled = false;
1179        return error;
1180}
1181
1182security_initcall(apparmor_init);
1183