LXR linux/security/apparmor/lsm.c

   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor LSM hooks.
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include <linux/lsm_hooks.h>
  16#include <linux/moduleparam.h>
  17#include <linux/mm.h>
  18#include <linux/mman.h>
  19#include <linux/mount.h>
  20#include <linux/namei.h>
  21#include <linux/ptrace.h>
  22#include <linux/ctype.h>
  23#include <linux/sysctl.h>
  24#include <linux/audit.h>
  25#include <linux/user_namespace.h>
  26#include <net/sock.h>
  27
  28#include "include/apparmor.h"
  29#include "include/apparmorfs.h"
  30#include "include/audit.h"
  31#include "include/capability.h"
  32#include "include/context.h"
  33#include "include/file.h"
  34#include "include/ipc.h"
  35#include "include/path.h"
  36#include "include/policy.h"
  37#include "include/procattr.h"
  38
  39/* Flag indicating whether initialization completed */
  40int apparmor_initialized __initdata;
  41
  42/*
  43 * LSM hook functions
  44 */
  45
  46/*
  47 * free the associated aa_task_cxt and put its profiles
  48 */
  49static void apparmor_cred_free(struct cred *cred)
  50{
  51        aa_free_task_context(cred_cxt(cred));
  52        cred_cxt(cred) = NULL;
  53}
  54
  55/*
  56 * allocate the apparmor part of blank credentials
  57 */
  58static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  59{
  60        /* freed by apparmor_cred_free */
  61        struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
  62        if (!cxt)
  63                return -ENOMEM;
  64
  65        cred_cxt(cred) = cxt;
  66        return 0;
  67}
  68
  69/*
  70 * prepare new aa_task_cxt for modification by prepare_cred block
  71 */
  72static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
  73                                 gfp_t gfp)
  74{
  75        /* freed by apparmor_cred_free */
  76        struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
  77        if (!cxt)
  78                return -ENOMEM;
  79
  80        aa_dup_task_context(cxt, cred_cxt(old));
  81        cred_cxt(new) = cxt;
  82        return 0;
  83}
  84
  85/*
  86 * transfer the apparmor data to a blank set of creds
  87 */
  88static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
  89{
  90        const struct aa_task_cxt *old_cxt = cred_cxt(old);
  91        struct aa_task_cxt *new_cxt = cred_cxt(new);
  92
  93        aa_dup_task_context(new_cxt, old_cxt);
  94}
  95
  96static int apparmor_ptrace_access_check(struct task_struct *child,
  97                                        unsigned int mode)
  98{
  99        return aa_ptrace(current, child, mode);
 100}
 101
 102static int apparmor_ptrace_traceme(struct task_struct *parent)
 103{
 104        return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
 105}
 106
 107/* Derived from security/commoncap.c:cap_capget */
 108static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
 109                           kernel_cap_t *inheritable, kernel_cap_t *permitted)
 110{
 111        struct aa_profile *profile;
 112        const struct cred *cred;
 113
 114        rcu_read_lock();
 115        cred = __task_cred(target);
 116        profile = aa_cred_profile(cred);
 117
 118        /*
 119         * cap_capget is stacked ahead of this and will
 120         * initialize effective and permitted.
 121         */
 122        if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
 123                *effective = cap_intersect(*effective, profile->caps.allow);
 124                *permitted = cap_intersect(*permitted, profile->caps.allow);
 125        }
 126        rcu_read_unlock();
 127
 128        return 0;
 129}
 130
 131static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
 132                            int cap, int audit)
 133{
 134        struct aa_profile *profile;
 135        int error = 0;
 136
 137        profile = aa_cred_profile(cred);
 138        if (!unconfined(profile))
 139                error = aa_capable(profile, cap, audit);
 140        return error;
 141}
 142
 143/**
 144 * common_perm - basic common permission check wrapper fn for paths
 145 * @op: operation being checked
 146 * @path: path to check permission of  (NOT NULL)
 147 * @mask: requested permissions mask
 148 * @cond: conditional info for the permission request  (NOT NULL)
 149 *
 150 * Returns: %0 else error code if error or permission denied
 151 */
 152static int common_perm(int op, struct path *path, u32 mask,
 153                       struct path_cond *cond)
 154{
 155        struct aa_profile *profile;
 156        int error = 0;
 157
 158        profile = __aa_current_profile();
 159        if (!unconfined(profile))
 160                error = aa_path_perm(op, profile, path, 0, mask, cond);
 161
 162        return error;
 163}
 164
 165/**
 166 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
 167 * @op: operation being checked
 168 * @dir: directory of the dentry  (NOT NULL)
 169 * @dentry: dentry to check  (NOT NULL)
 170 * @mask: requested permissions mask
 171 * @cond: conditional info for the permission request  (NOT NULL)
 172 *
 173 * Returns: %0 else error code if error or permission denied
 174 */
 175static int common_perm_dir_dentry(int op, struct path *dir,
 176                                  struct dentry *dentry, u32 mask,
 177                                  struct path_cond *cond)
 178{
 179        struct path path = { dir->mnt, dentry };
 180
 181        return common_perm(op, &path, mask, cond);
 182}
 183
 184/**
 185 * common_perm_mnt_dentry - common permission wrapper when mnt, dentry
 186 * @op: operation being checked
 187 * @mnt: mount point of dentry (NOT NULL)
 188 * @dentry: dentry to check  (NOT NULL)
 189 * @mask: requested permissions mask
 190 *
 191 * Returns: %0 else error code if error or permission denied
 192 */
 193static int common_perm_mnt_dentry(int op, struct vfsmount *mnt,
 194                                  struct dentry *dentry, u32 mask)
 195{
 196        struct path path = { mnt, dentry };
 197        struct path_cond cond = { d_backing_inode(dentry)->i_uid,
 198                                  d_backing_inode(dentry)->i_mode
 199        };
 200
 201        return common_perm(op, &path, mask, &cond);
 202}
 203
 204/**
 205 * common_perm_rm - common permission wrapper for operations doing rm
 206 * @op: operation being checked
 207 * @dir: directory that the dentry is in  (NOT NULL)
 208 * @dentry: dentry being rm'd  (NOT NULL)
 209 * @mask: requested permission mask
 210 *
 211 * Returns: %0 else error code if error or permission denied
 212 */
 213static int common_perm_rm(int op, struct path *dir,
 214                          struct dentry *dentry, u32 mask)
 215{
 216        struct inode *inode = d_backing_inode(dentry);
 217        struct path_cond cond = { };
 218
 219        if (!inode || !dir->mnt || !mediated_filesystem(dentry))
 220                return 0;
 221
 222        cond.uid = inode->i_uid;
 223        cond.mode = inode->i_mode;
 224
 225        return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 226}
 227
 228/**
 229 * common_perm_create - common permission wrapper for operations doing create
 230 * @op: operation being checked
 231 * @dir: directory that dentry will be created in  (NOT NULL)
 232 * @dentry: dentry to create   (NOT NULL)
 233 * @mask: request permission mask
 234 * @mode: created file mode
 235 *
 236 * Returns: %0 else error code if error or permission denied
 237 */
 238static int common_perm_create(int op, struct path *dir, struct dentry *dentry,
 239                              u32 mask, umode_t mode)
 240{
 241        struct path_cond cond = { current_fsuid(), mode };
 242
 243        if (!dir->mnt || !mediated_filesystem(dir->dentry))
 244                return 0;
 245
 246        return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 247}
 248
 249static int apparmor_path_unlink(struct path *dir, struct dentry *dentry)
 250{
 251        return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
 252}
 253
 254static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry,
 255                               umode_t mode)
 256{
 257        return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
 258                                  S_IFDIR);
 259}
 260
 261static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry)
 262{
 263        return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
 264}
 265
 266static int apparmor_path_mknod(struct path *dir, struct dentry *dentry,
 267                               umode_t mode, unsigned int dev)
 268{
 269        return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
 270}
 271
 272static int apparmor_path_truncate(struct path *path)
 273{
 274        struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
 275                                  d_backing_inode(path->dentry)->i_mode
 276        };
 277
 278        if (!path->mnt || !mediated_filesystem(path->dentry))
 279                return 0;
 280
 281        return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE,
 282                           &cond);
 283}
 284
 285static int apparmor_path_symlink(struct path *dir, struct dentry *dentry,
 286                                 const char *old_name)
 287{
 288        return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
 289                                  S_IFLNK);
 290}
 291
 292static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir,
 293                              struct dentry *new_dentry)
 294{
 295        struct aa_profile *profile;
 296        int error = 0;
 297
 298        if (!mediated_filesystem(old_dentry))
 299                return 0;
 300
 301        profile = aa_current_profile();
 302        if (!unconfined(profile))
 303                error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
 304        return error;
 305}
 306
 307static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
 308                                struct path *new_dir, struct dentry *new_dentry)
 309{
 310        struct aa_profile *profile;
 311        int error = 0;
 312
 313        if (!mediated_filesystem(old_dentry))
 314                return 0;
 315
 316        profile = aa_current_profile();
 317        if (!unconfined(profile)) {
 318                struct path old_path = { old_dir->mnt, old_dentry };
 319                struct path new_path = { new_dir->mnt, new_dentry };
 320                struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
 321                                          d_backing_inode(old_dentry)->i_mode
 322                };
 323
 324                error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
 325                                     MAY_READ | AA_MAY_META_READ | MAY_WRITE |
 326                                     AA_MAY_META_WRITE | AA_MAY_DELETE,
 327                                     &cond);
 328                if (!error)
 329                        error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
 330                                             0, MAY_WRITE | AA_MAY_META_WRITE |
 331                                             AA_MAY_CREATE, &cond);
 332
 333        }
 334        return error;
 335}
 336
 337static int apparmor_path_chmod(struct path *path, umode_t mode)
 338{
 339        if (!mediated_filesystem(path->dentry))
 340                return 0;
 341
 342        return common_perm_mnt_dentry(OP_CHMOD, path->mnt, path->dentry, AA_MAY_CHMOD);
 343}
 344
 345static int apparmor_path_chown(struct path *path, kuid_t uid, kgid_t gid)
 346{
 347        struct path_cond cond =  { d_backing_inode(path->dentry)->i_uid,
 348                                   d_backing_inode(path->dentry)->i_mode
 349        };
 350
 351        if (!mediated_filesystem(path->dentry))
 352                return 0;
 353
 354        return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond);
 355}
 356
 357static int apparmor_inode_getattr(const struct path *path)
 358{
 359        if (!mediated_filesystem(path->dentry))
 360                return 0;
 361
 362        return common_perm_mnt_dentry(OP_GETATTR, path->mnt, path->dentry,
 363                                      AA_MAY_META_READ);
 364}
 365
 366static int apparmor_file_open(struct file *file, const struct cred *cred)
 367{
 368        struct aa_file_cxt *fcxt = file->f_security;
 369        struct aa_profile *profile;
 370        int error = 0;
 371
 372        if (!mediated_filesystem(file->f_path.dentry))
 373                return 0;
 374
 375        /* If in exec, permission is handled by bprm hooks.
 376         * Cache permissions granted by the previous exec check, with
 377         * implicit read and executable mmap which are required to
 378         * actually execute the image.
 379         */
 380        if (current->in_execve) {
 381                fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
 382                return 0;
 383        }
 384
 385        profile = aa_cred_profile(cred);
 386        if (!unconfined(profile)) {
 387                struct inode *inode = file_inode(file);
 388                struct path_cond cond = { inode->i_uid, inode->i_mode };
 389
 390                error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
 391                                     aa_map_file_to_perms(file), &cond);
 392                /* todo cache full allowed permissions set and state */
 393                fcxt->allow = aa_map_file_to_perms(file);
 394        }
 395
 396        return error;
 397}
 398
 399static int apparmor_file_alloc_security(struct file *file)
 400{
 401        /* freed by apparmor_file_free_security */
 402        file->f_security = aa_alloc_file_context(GFP_KERNEL);
 403        if (!file->f_security)
 404                return -ENOMEM;
 405        return 0;
 406
 407}
 408
 409static void apparmor_file_free_security(struct file *file)
 410{
 411        struct aa_file_cxt *cxt = file->f_security;
 412
 413        aa_free_file_context(cxt);
 414}
 415
 416static int common_file_perm(int op, struct file *file, u32 mask)
 417{
 418        struct aa_file_cxt *fcxt = file->f_security;
 419        struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
 420        int error = 0;
 421
 422        BUG_ON(!fprofile);
 423
 424        if (!file->f_path.mnt ||
 425            !mediated_filesystem(file->f_path.dentry))
 426                return 0;
 427
 428        profile = __aa_current_profile();
 429
 430        /* revalidate access, if task is unconfined, or the cached cred
 431         * doesn't match or if the request is for more permissions than
 432         * was granted.
 433         *
 434         * Note: the test for !unconfined(fprofile) is to handle file
 435         *       delegation from unconfined tasks
 436         */
 437        if (!unconfined(profile) && !unconfined(fprofile) &&
 438            ((fprofile != profile) || (mask & ~fcxt->allow)))
 439                error = aa_file_perm(op, profile, file, mask);
 440
 441        return error;
 442}
 443
 444static int apparmor_file_permission(struct file *file, int mask)
 445{
 446        return common_file_perm(OP_FPERM, file, mask);
 447}
 448
 449static int apparmor_file_lock(struct file *file, unsigned int cmd)
 450{
 451        u32 mask = AA_MAY_LOCK;
 452
 453        if (cmd == F_WRLCK)
 454                mask |= MAY_WRITE;
 455
 456        return common_file_perm(OP_FLOCK, file, mask);
 457}
 458
 459static int common_mmap(int op, struct file *file, unsigned long prot,
 460                       unsigned long flags)
 461{
 462        int mask = 0;
 463
 464        if (!file || !file->f_security)
 465                return 0;
 466
 467        if (prot & PROT_READ)
 468                mask |= MAY_READ;
 469        /*
 470         * Private mappings don't require write perms since they don't
 471         * write back to the files
 472         */
 473        if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
 474                mask |= MAY_WRITE;
 475        if (prot & PROT_EXEC)
 476                mask |= AA_EXEC_MMAP;
 477
 478        return common_file_perm(op, file, mask);
 479}
 480
 481static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
 482                              unsigned long prot, unsigned long flags)
 483{
 484        return common_mmap(OP_FMMAP, file, prot, flags);
 485}
 486
 487static int apparmor_file_mprotect(struct vm_area_struct *vma,
 488                                  unsigned long reqprot, unsigned long prot)
 489{
 490        return common_mmap(OP_FMPROT, vma->vm_file, prot,
 491                           !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 492}
 493
 494static int apparmor_getprocattr(struct task_struct *task, char *name,
 495                                char **value)
 496{
 497        int error = -ENOENT;
 498        /* released below */
 499        const struct cred *cred = get_task_cred(task);
 500        struct aa_task_cxt *cxt = cred_cxt(cred);
 501        struct aa_profile *profile = NULL;
 502
 503        if (strcmp(name, "current") == 0)
 504                profile = aa_get_newest_profile(cxt->profile);
 505        else if (strcmp(name, "prev") == 0  && cxt->previous)
 506                profile = aa_get_newest_profile(cxt->previous);
 507        else if (strcmp(name, "exec") == 0 && cxt->onexec)
 508                profile = aa_get_newest_profile(cxt->onexec);
 509        else
 510                error = -EINVAL;
 511
 512        if (profile)
 513                error = aa_getprocattr(profile, value);
 514
 515        aa_put_profile(profile);
 516        put_cred(cred);
 517
 518        return error;
 519}
 520
 521static int apparmor_setprocattr(struct task_struct *task, char *name,
 522                                void *value, size_t size)
 523{
 524        struct common_audit_data sa;
 525        struct apparmor_audit_data aad = {0,};
 526        char *command, *args = value;
 527        size_t arg_size;
 528        int error;
 529
 530        if (size == 0)
 531                return -EINVAL;
 532        /* args points to a PAGE_SIZE buffer, AppArmor requires that
 533         * the buffer must be null terminated or have size <= PAGE_SIZE -1
 534         * so that AppArmor can null terminate them
 535         */
 536        if (args[size - 1] != '\0') {
 537                if (size == PAGE_SIZE)
 538                        return -EINVAL;
 539                args[size] = '\0';
 540        }
 541
 542        /* task can only write its own attributes */
 543        if (current != task)
 544                return -EACCES;
 545
 546        args = value;
 547        args = strim(args);
 548        command = strsep(&args, " ");
 549        if (!args)
 550                return -EINVAL;
 551        args = skip_spaces(args);
 552        if (!*args)
 553                return -EINVAL;
 554
 555        arg_size = size - (args - (char *) value);
 556        if (strcmp(name, "current") == 0) {
 557                if (strcmp(command, "changehat") == 0) {
 558                        error = aa_setprocattr_changehat(args, arg_size,
 559                                                         !AA_DO_TEST);
 560                } else if (strcmp(command, "permhat") == 0) {
 561                        error = aa_setprocattr_changehat(args, arg_size,
 562                                                         AA_DO_TEST);
 563                } else if (strcmp(command, "changeprofile") == 0) {
 564                        error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
 565                                                             !AA_DO_TEST);
 566                } else if (strcmp(command, "permprofile") == 0) {
 567                        error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
 568                                                             AA_DO_TEST);
 569                } else
 570                        goto fail;
 571        } else if (strcmp(name, "exec") == 0) {
 572                if (strcmp(command, "exec") == 0)
 573                        error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
 574                                                             !AA_DO_TEST);
 575                else
 576                        goto fail;
 577        } else
 578                /* only support the "current" and "exec" process attributes */
 579                return -EINVAL;
 580
 581        if (!error)
 582                error = size;
 583        return error;
 584
 585fail:
 586        sa.type = LSM_AUDIT_DATA_NONE;
 587        sa.aad = &aad;
 588        aad.profile = aa_current_profile();
 589        aad.op = OP_SETPROCATTR;
 590        aad.info = name;
 591        aad.error = -EINVAL;
 592        aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
 593        return -EINVAL;
 594}
 595
 596static int apparmor_task_setrlimit(struct task_struct *task,
 597                unsigned int resource, struct rlimit *new_rlim)
 598{
 599        struct aa_profile *profile = __aa_current_profile();
 600        int error = 0;
 601
 602        if (!unconfined(profile))
 603                error = aa_task_setrlimit(profile, task, resource, new_rlim);
 604
 605        return error;
 606}
 607
 608static struct security_hook_list apparmor_hooks[] = {
 609        LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
 610        LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
 611        LSM_HOOK_INIT(capget, apparmor_capget),
 612        LSM_HOOK_INIT(capable, apparmor_capable),
 613
 614        LSM_HOOK_INIT(path_link, apparmor_path_link),
 615        LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
 616        LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
 617        LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
 618        LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
 619        LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
 620        LSM_HOOK_INIT(path_rename, apparmor_path_rename),
 621        LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
 622        LSM_HOOK_INIT(path_chown, apparmor_path_chown),
 623        LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
 624        LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
 625
 626        LSM_HOOK_INIT(file_open, apparmor_file_open),
 627        LSM_HOOK_INIT(file_permission, apparmor_file_permission),
 628        LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
 629        LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
 630        LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
 631        LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
 632        LSM_HOOK_INIT(file_lock, apparmor_file_lock),
 633
 634        LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
 635        LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
 636
 637        LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
 638        LSM_HOOK_INIT(cred_free, apparmor_cred_free),
 639        LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
 640        LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
 641
 642        LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
 643        LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
 644        LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
 645        LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
 646
 647        LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
 648};
 649
 650/*
 651 * AppArmor sysfs module parameters
 652 */
 653
 654static int param_set_aabool(const char *val, const struct kernel_param *kp);
 655static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 656#define param_check_aabool param_check_bool
 657static const struct kernel_param_ops param_ops_aabool = {
 658        .flags = KERNEL_PARAM_OPS_FL_NOARG,
 659        .set = param_set_aabool,
 660        .get = param_get_aabool
 661};
 662
 663static int param_set_aauint(const char *val, const struct kernel_param *kp);
 664static int param_get_aauint(char *buffer, const struct kernel_param *kp);
 665#define param_check_aauint param_check_uint
 666static const struct kernel_param_ops param_ops_aauint = {
 667        .set = param_set_aauint,
 668        .get = param_get_aauint
 669};
 670
 671static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
 672static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 673#define param_check_aalockpolicy param_check_bool
 674static const struct kernel_param_ops param_ops_aalockpolicy = {
 675        .flags = KERNEL_PARAM_OPS_FL_NOARG,
 676        .set = param_set_aalockpolicy,
 677        .get = param_get_aalockpolicy
 678};
 679
 680static int param_set_audit(const char *val, struct kernel_param *kp);
 681static int param_get_audit(char *buffer, struct kernel_param *kp);
 682
 683static int param_set_mode(const char *val, struct kernel_param *kp);
 684static int param_get_mode(char *buffer, struct kernel_param *kp);
 685
 686/* Flag values, also controllable via /sys/module/apparmor/parameters
 687 * We define special types as we want to do additional mediation.
 688 */
 689
 690/* AppArmor global enforcement switch - complain, enforce, kill */
 691enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
 692module_param_call(mode, param_set_mode, param_get_mode,
 693                  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
 694
 695/* Debug mode */
 696bool aa_g_debug;
 697module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 698
 699/* Audit mode */
 700enum audit_mode aa_g_audit;
 701module_param_call(audit, param_set_audit, param_get_audit,
 702                  &aa_g_audit, S_IRUSR | S_IWUSR);
 703
 704/* Determines if audit header is included in audited messages.  This
 705 * provides more context if the audit daemon is not running
 706 */
 707bool aa_g_audit_header = 1;
 708module_param_named(audit_header, aa_g_audit_header, aabool,
 709                   S_IRUSR | S_IWUSR);
 710
 711/* lock out loading/removal of policy
 712 * TODO: add in at boot loading of policy, which is the only way to
 713 *       load policy, if lock_policy is set
 714 */
 715bool aa_g_lock_policy;
 716module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
 717                   S_IRUSR | S_IWUSR);
 718
 719/* Syscall logging mode */
 720bool aa_g_logsyscall;
 721module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
 722
 723/* Maximum pathname length before accesses will start getting rejected */
 724unsigned int aa_g_path_max = 2 * PATH_MAX;
 725module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
 726
 727/* Determines how paranoid loading of policy is and how much verification
 728 * on the loaded policy is done.
 729 */
 730bool aa_g_paranoid_load = 1;
 731module_param_named(paranoid_load, aa_g_paranoid_load, aabool,
 732                   S_IRUSR | S_IWUSR);
 733
 734/* Boot time disable flag */
 735static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
 736module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
 737
 738static int __init apparmor_enabled_setup(char *str)
 739{
 740        unsigned long enabled;
 741        int error = kstrtoul(str, 0, &enabled);
 742        if (!error)
 743                apparmor_enabled = enabled ? 1 : 0;
 744        return 1;
 745}
 746
 747__setup("apparmor=", apparmor_enabled_setup);
 748
 749/* set global flag turning off the ability to load policy */
 750static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 751{
 752        if (!capable(CAP_MAC_ADMIN))
 753                return -EPERM;
 754        if (aa_g_lock_policy)
 755                return -EACCES;
 756        return param_set_bool(val, kp);
 757}
 758
 759static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 760{
 761        if (!capable(CAP_MAC_ADMIN))
 762                return -EPERM;
 763        return param_get_bool(buffer, kp);
 764}
 765
 766static int param_set_aabool(const char *val, const struct kernel_param *kp)
 767{
 768        if (!capable(CAP_MAC_ADMIN))
 769                return -EPERM;
 770        return param_set_bool(val, kp);
 771}
 772
 773static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 774{
 775        if (!capable(CAP_MAC_ADMIN))
 776                return -EPERM;
 777        return param_get_bool(buffer, kp);
 778}
 779
 780static int param_set_aauint(const char *val, const struct kernel_param *kp)
 781{
 782        if (!capable(CAP_MAC_ADMIN))
 783                return -EPERM;
 784        return param_set_uint(val, kp);
 785}
 786
 787static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 788{
 789        if (!capable(CAP_MAC_ADMIN))
 790                return -EPERM;
 791        return param_get_uint(buffer, kp);
 792}
 793
 794static int param_get_audit(char *buffer, struct kernel_param *kp)
 795{
 796        if (!capable(CAP_MAC_ADMIN))
 797                return -EPERM;
 798
 799        if (!apparmor_enabled)
 800                return -EINVAL;
 801
 802        return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
 803}
 804
 805static int param_set_audit(const char *val, struct kernel_param *kp)
 806{
 807        int i;
 808        if (!capable(CAP_MAC_ADMIN))
 809                return -EPERM;
 810
 811        if (!apparmor_enabled)
 812                return -EINVAL;
 813
 814        if (!val)
 815                return -EINVAL;
 816
 817        for (i = 0; i < AUDIT_MAX_INDEX; i++) {
 818                if (strcmp(val, audit_mode_names[i]) == 0) {
 819                        aa_g_audit = i;
 820                        return 0;
 821                }
 822        }
 823
 824        return -EINVAL;
 825}
 826
 827static int param_get_mode(char *buffer, struct kernel_param *kp)
 828{
 829        if (!capable(CAP_MAC_ADMIN))
 830                return -EPERM;
 831
 832        if (!apparmor_enabled)
 833                return -EINVAL;
 834
 835        return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
 836}
 837
 838static int param_set_mode(const char *val, struct kernel_param *kp)
 839{
 840        int i;
 841        if (!capable(CAP_MAC_ADMIN))
 842                return -EPERM;
 843
 844        if (!apparmor_enabled)
 845                return -EINVAL;
 846
 847        if (!val)
 848                return -EINVAL;
 849
 850        for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
 851                if (strcmp(val, aa_profile_mode_names[i]) == 0) {
 852                        aa_g_profile_mode = i;
 853                        return 0;
 854                }
 855        }
 856
 857        return -EINVAL;
 858}
 859
 860/*
 861 * AppArmor init functions
 862 */
 863
 864/**
 865 * set_init_cxt - set a task context and profile on the first task.
 866 *
 867 * TODO: allow setting an alternate profile than unconfined
 868 */
 869static int __init set_init_cxt(void)
 870{
 871        struct cred *cred = (struct cred *)current->real_cred;
 872        struct aa_task_cxt *cxt;
 873
 874        cxt = aa_alloc_task_context(GFP_KERNEL);
 875        if (!cxt)
 876                return -ENOMEM;
 877
 878        cxt->profile = aa_get_profile(root_ns->unconfined);
 879        cred_cxt(cred) = cxt;
 880
 881        return 0;
 882}
 883
 884static int __init apparmor_init(void)
 885{
 886        int error;
 887
 888        if (!apparmor_enabled || !security_module_enable("apparmor")) {
 889                aa_info_message("AppArmor disabled by boot time parameter");
 890                apparmor_enabled = 0;
 891                return 0;
 892        }
 893
 894        error = aa_alloc_root_ns();
 895        if (error) {
 896                AA_ERROR("Unable to allocate default profile namespace\n");
 897                goto alloc_out;
 898        }
 899
 900        error = set_init_cxt();
 901        if (error) {
 902                AA_ERROR("Failed to set context on init task\n");
 903                aa_free_root_ns();
 904                goto alloc_out;
 905        }
 906        security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks));
 907
 908        /* Report that AppArmor successfully initialized */
 909        apparmor_initialized = 1;
 910        if (aa_g_profile_mode == APPARMOR_COMPLAIN)
 911                aa_info_message("AppArmor initialized: complain mode enabled");
 912        else if (aa_g_profile_mode == APPARMOR_KILL)
 913                aa_info_message("AppArmor initialized: kill mode enabled");
 914        else
 915                aa_info_message("AppArmor initialized");
 916
 917        return error;
 918
 919alloc_out:
 920        aa_destroy_aafs();
 921
 922        apparmor_enabled = 0;
 923        return error;
 924}
 925
 926security_initcall(apparmor_init);
 927