LXR linux/security/apparmor/capability.c

   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor capability mediation functions
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include <linux/capability.h>
  16#include <linux/errno.h>
  17#include <linux/gfp.h>
  18#include <linux/security.h>
  19
  20#include "include/apparmor.h"
  21#include "include/capability.h"
  22#include "include/cred.h"
  23#include "include/policy.h"
  24#include "include/audit.h"
  25
  26/*
  27 * Table of capability names: we generate it from capabilities.h.
  28 */
  29#include "capability_names.h"
  30
  31struct aa_sfs_entry aa_sfs_entry_caps[] = {
  32        AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
  33        { }
  34};
  35
  36struct audit_cache {
  37        struct aa_profile *profile;
  38        kernel_cap_t caps;
  39};
  40
  41static DEFINE_PER_CPU(struct audit_cache, audit_cache);
  42
  43/**
  44 * audit_cb - call back for capability components of audit struct
  45 * @ab - audit buffer   (NOT NULL)
  46 * @va - audit struct to audit data from  (NOT NULL)
  47 */
  48static void audit_cb(struct audit_buffer *ab, void *va)
  49{
  50        struct common_audit_data *sa = va;
  51
  52        audit_log_format(ab, " capname=");
  53        audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
  54}
  55
  56/**
  57 * audit_caps - audit a capability
  58 * @sa: audit data
  59 * @profile: profile being tested for confinement (NOT NULL)
  60 * @cap: capability tested
  61 * @error: error code returned by test
  62 *
  63 * Do auditing of capability and handle, audit/complain/kill modes switching
  64 * and duplicate message elimination.
  65 *
  66 * Returns: 0 or sa->error on success,  error code on failure
  67 */
  68static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,
  69                      int cap, int error)
  70{
  71        struct audit_cache *ent;
  72        int type = AUDIT_APPARMOR_AUTO;
  73
  74        aad(sa)->error = error;
  75
  76        if (likely(!error)) {
  77                /* test if auditing is being forced */
  78                if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
  79                           !cap_raised(profile->caps.audit, cap)))
  80                        return 0;
  81                type = AUDIT_APPARMOR_AUDIT;
  82        } else if (KILL_MODE(profile) ||
  83                   cap_raised(profile->caps.kill, cap)) {
  84                type = AUDIT_APPARMOR_KILL;
  85        } else if (cap_raised(profile->caps.quiet, cap) &&
  86                   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
  87                   AUDIT_MODE(profile) != AUDIT_ALL) {
  88                /* quiet auditing */
  89                return error;
  90        }
  91
  92        /* Do simple duplicate message elimination */
  93        ent = &get_cpu_var(audit_cache);
  94        if (profile == ent->profile && cap_raised(ent->caps, cap)) {
  95                put_cpu_var(audit_cache);
  96                if (COMPLAIN_MODE(profile))
  97                        return complain_error(error);
  98                return error;
  99        } else {
 100                aa_put_profile(ent->profile);
 101                ent->profile = aa_get_profile(profile);
 102                cap_raise(ent->caps, cap);
 103        }
 104        put_cpu_var(audit_cache);
 105
 106        return aa_audit(type, profile, sa, audit_cb);
 107}
 108
 109/**
 110 * profile_capable - test if profile allows use of capability @cap
 111 * @profile: profile being enforced    (NOT NULL, NOT unconfined)
 112 * @cap: capability to test if allowed
 113 * @audit: whether an audit record should be generated
 114 * @sa: audit data (MAY BE NULL indicating no auditing)
 115 *
 116 * Returns: 0 if allowed else -EPERM
 117 */
 118static int profile_capable(struct aa_profile *profile, int cap, int audit,
 119                           struct common_audit_data *sa)
 120{
 121        int error;
 122
 123        if (cap_raised(profile->caps.allow, cap) &&
 124            !cap_raised(profile->caps.denied, cap))
 125                error = 0;
 126        else
 127                error = -EPERM;
 128
 129        if (audit == SECURITY_CAP_NOAUDIT) {
 130                if (!COMPLAIN_MODE(profile))
 131                        return error;
 132                /* audit the cap request in complain mode but note that it
 133                 * should be optional.
 134                 */
 135                aad(sa)->info = "optional: no audit";
 136        }
 137
 138        return audit_caps(sa, profile, cap, error);
 139}
 140
 141/**
 142 * aa_capable - test permission to use capability
 143 * @label: label being tested for capability (NOT NULL)
 144 * @cap: capability to be tested
 145 * @audit: whether an audit record should be generated
 146 *
 147 * Look up capability in profile capability set.
 148 *
 149 * Returns: 0 on success, or else an error code.
 150 */
 151int aa_capable(struct aa_label *label, int cap, int audit)
 152{
 153        struct aa_profile *profile;
 154        int error = 0;
 155        DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
 156
 157        sa.u.cap = cap;
 158        error = fn_for_each_confined(label, profile,
 159                        profile_capable(profile, cap, audit, &sa));
 160
 161        return error;
 162}
 163