Lines Matching +full:test +full:- +full:rules
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
33 "conflicting profile attachments - ix fallback";
35 "conflicting profile attachments - ux fallback";
38 * may_change_ptraced_domain - check if can change profile on ptraced task
82 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
85 * and policy->dfa with file->dfa
88 * Assumes visibility test has already been done.
90 * visibility test.
96 struct aa_ruleset *rules = profile->label.rules[0]; in match_component() local
100 state = aa_dfa_match(rules->file->dfa, state, "&"); in match_component()
101 if (profile->ns == tp->ns) in match_component()
102 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
105 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
106 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
107 state = aa_dfa_match(rules->file->dfa, state, ns_name); in match_component()
108 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
109 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
113 * label_compound_match - find perms for full compound label
133 struct aa_ruleset *rules = profile->label.rules[0]; in label_compound_match() local
140 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
154 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
156 state = aa_dfa_match(rules->file->dfa, state, "//&"); in label_compound_match()
161 *perms = *(aa_lookup_condperms(current_fsuid(), rules->file, state, in label_compound_match()
164 if ((perms->allow & request) != request) in label_compound_match()
165 return -EACCES; in label_compound_match()
171 return -EACCES; in label_compound_match()
175 * label_components_match - find perms for all subcomponents of a label
195 struct aa_ruleset *rules = profile->label.rules[0]; in label_components_match() local
202 /* find first subcomponent to test */ in label_components_match()
204 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
212 /* no subcomponents visible - no change in perms */ in label_components_match()
216 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state, in label_components_match()
221 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
226 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state, in label_components_match()
232 if ((perms->allow & request) != request) in label_components_match()
233 return -EACCES; in label_components_match()
239 return -EACCES; in label_components_match()
243 * label_match - do a multi-component label match
274 * change_profile_perms - find permissions for change_profile
294 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; in change_profile_perms()
295 perms->audit = perms->quiet = perms->kill = 0; in change_profile_perms()
304 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
317 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
318 int size, value_size = 0, ret = attach->xattr_count; in aa_xattrs_match()
320 if (!bprm || !attach->xattr_count) in aa_xattrs_match()
325 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
326 d = bprm->file->f_path.dentry; in aa_xattrs_match()
328 for (i = 0; i < attach->xattr_count; i++) { in aa_xattrs_match()
329 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i], in aa_xattrs_match()
339 state = aa_dfa_null_transition(attach->xmatch->dfa, in aa_xattrs_match()
342 state = aa_dfa_match_len(attach->xmatch->dfa, state, in aa_xattrs_match()
344 perms = aa_lookup_perms(attach->xmatch, state); in aa_xattrs_match()
345 if (!(perms->allow & MAY_EXEC)) { in aa_xattrs_match()
346 ret = -EINVAL; in aa_xattrs_match()
351 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
359 ret = -EINVAL; in aa_xattrs_match()
363 ret--; in aa_xattrs_match()
373 * find_attach - do attachment search for unconfined processes
403 struct aa_attachment *attach = &profile->attach; in find_attach()
405 if (profile->label.flags & FLAG_NULL && in find_attach()
406 &profile->label == ns_unconfined(profile->ns)) in find_attach()
420 if (attach->xmatch->dfa) { in find_attach()
425 state = aa_dfa_leftmatch(attach->xmatch->dfa, in find_attach()
426 attach->xmatch->start[AA_CLASS_XMATCH], in find_attach()
428 perms = aa_lookup_perms(attach->xmatch, state); in find_attach()
430 if (perms->allow & MAY_EXEC) { in find_attach()
436 if (bprm && attach->xattr_count) { in find_attach()
437 long rev = READ_ONCE(ns->revision); in find_attach()
447 READ_ONCE(ns->revision)) in find_attach()
475 candidate_len = max(count, attach->xmatch_len); in find_attach()
479 } else if (!strcmp(profile->base.name, name)) { in find_attach()
481 * old exact non-re match, without conditionals such in find_attach()
500 return &candidate->label; in find_attach()
509 * x_table_lookup - lookup an x transition name via transition table
520 struct aa_ruleset *rules = profile->label.rules[0]; in x_table_lookup() local
532 for (next = rules->file->trans.table[index]; next; in x_table_lookup()
542 return &new->label; in x_table_lookup()
545 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL, in x_table_lookup()
556 * x_to_label - get target label for a given xindex
576 struct aa_ns *ns = profile->ns; in x_to_label()
583 /* fail exec unless ix || ux fallback - handled by caller */ in x_to_label()
600 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
604 new = find_attach(bprm, ns, &ns->base.profiles, in x_to_label()
613 /* (p|c|n)ix - don't change profile but do in x_to_label()
623 new = aa_get_newest_label(&profile->label); in x_to_label()
625 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
641 profile->base.hname, old_info); in x_to_label()
665 struct aa_ruleset *rules = profile->label.rules[0]; in profile_transition() local
669 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_transition()
678 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
679 &name, &info, profile->disconnected); in profile_transition()
682 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
685 new = aa_get_newest_label(&profile->label); in profile_transition()
687 name = bprm->filename; in profile_transition()
692 new = find_attach(bprm, profile->ns, in profile_transition()
693 &profile->ns->base.profiles, name, &info); in profile_transition()
694 /* info set -> something unusual that we should report in profile_transition()
697 * and only excluded on a case-by-case basis in profile_transition()
707 OP_EXEC, MAY_EXEC, name, target, new, cond->uid, in profile_transition()
715 return aa_get_newest_label(&profile->label); in profile_transition()
719 state = aa_str_perms(rules->file, state, name, cond, &perms); in profile_transition()
724 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
732 /* hack ix fallback - improve how this is detected */ in profile_transition()
738 __func__, profile->base.hname, info); in profile_transition()
747 error = -EACCES; in profile_transition()
751 /* no exec permission - learning mode */ in profile_transition()
755 error = -ENOMEM; in profile_transition()
758 error = -EACCES; in profile_transition()
759 new = &new_profile->label; in profile_transition()
764 error = -EACCES; in profile_transition()
783 cond->uid, info, error); in profile_transition()
798 struct aa_ruleset *rules = profile->label.rules[0]; in profile_onexec() local
799 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_onexec()
802 int error = -EACCES; in profile_onexec()
819 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
820 &xname, &info, profile->disconnected); in profile_onexec()
823 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
827 xname = bprm->filename; in profile_onexec()
832 state = aa_str_perms(rules->file, state, xname, cond, &perms); in profile_onexec()
837 /* test if this exec can be paired with change_profile onexec. in profile_onexec()
841 state = aa_dfa_null_transition(rules->file->dfa, state); in profile_onexec()
862 NULL, onexec, cond->uid, info, error); in profile_onexec()
891 stack ? aa_label_merge(&profile->label, onexec, in handle_onexec()
903 AA_MAY_ONEXEC, bprm->filename, NULL, in handle_onexec()
905 "failed to build target label", -ENOMEM)); in handle_onexec()
910 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
927 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file), in apparmor_bprm_creds_for_exec()
928 file_inode(bprm->file)); in apparmor_bprm_creds_for_exec()
931 file_inode(bprm->file)->i_mode in apparmor_bprm_creds_for_exec()
936 AA_BUG(!cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
939 label = aa_get_newest_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
946 * Testing for unconfined must be done before the subset test in apparmor_bprm_creds_for_exec()
948 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && in apparmor_bprm_creds_for_exec()
949 !ctx->nnp) in apparmor_bprm_creds_for_exec()
950 ctx->nnp = aa_get_label(label); in apparmor_bprm_creds_for_exec()
955 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
959 /* Test for onexec first as onexec override other x transitions. */ in apparmor_bprm_creds_for_exec()
960 if (ctx->onexec) in apparmor_bprm_creds_for_exec()
961 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
974 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
986 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && in apparmor_bprm_creds_for_exec()
988 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in apparmor_bprm_creds_for_exec()
989 error = -EPERM; in apparmor_bprm_creds_for_exec()
994 if (bprm->unsafe & LSM_UNSAFE_SHARE) { in apparmor_bprm_creds_for_exec()
999 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) { in apparmor_bprm_creds_for_exec()
1000 /* TODO: test needs to be profile of label to new */ in apparmor_bprm_creds_for_exec()
1001 error = may_change_ptraced_domain(bprm->cred, new, &info); in apparmor_bprm_creds_for_exec()
1009 bprm->filename); in apparmor_bprm_creds_for_exec()
1013 bprm->secureexec = 1; in apparmor_bprm_creds_for_exec()
1016 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
1020 bprm->filename); in apparmor_bprm_creds_for_exec()
1024 bprm->per_clear |= PER_CLEAR_ON_SETID; in apparmor_bprm_creds_for_exec()
1026 aa_put_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
1028 set_cred_label(bprm->cred, new); in apparmor_bprm_creds_for_exec()
1040 bprm->filename, NULL, new, in apparmor_bprm_creds_for_exec()
1064 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1069 error = -EPERM; in build_change_hat()
1075 error = -ENOENT; in build_change_hat()
1081 error = -ENOMEM; in build_change_hat()
1090 name, hat ? hat->base.hname : NULL, in build_change_hat()
1091 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, in build_change_hat()
1093 if (!hat || (error && error != -ENOENT)) in build_change_hat()
1095 /* if hat && error - complain mode, already audited and we adjust for in build_change_hat()
1096 * complain mode allow by returning hat->label in build_change_hat()
1098 return &hat->label; in build_change_hat()
1128 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1133 error = -EPERM; in change_hat()
1144 error = -EPERM; in change_hat()
1163 if (!list_empty(&profile->base.profiles)) { in change_hat()
1165 error = -ENOENT; in change_hat()
1170 error = -ECHILD; in change_hat()
1194 aa_get_label(&profile->label)); in change_hat()
1197 error = -ENOMEM; in change_hat()
1205 * aa_change_hat - change hat to/from subprofile
1234 previous = aa_get_newest_label(ctx->previous); in aa_change_hat()
1241 * Testing for unconfined must be done before the subset test in aa_change_hat()
1243 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_hat()
1244 ctx->nnp = aa_get_label(label); in aa_change_hat()
1246 /* return -EPERM when unconfined doesn't have children to avoid in aa_change_hat()
1255 empty &= list_empty(&profile->base.profiles); in aa_change_hat()
1261 error = -EPERM; in aa_change_hat()
1286 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_hat()
1289 "no_new_privs - change_hat denied"); in aa_change_hat()
1290 error = -EPERM; in aa_change_hat()
1299 if (error == -EACCES) in aa_change_hat()
1308 !aa_label_is_unconfined_subset(previous, ctx->nnp)) { in aa_change_hat()
1311 "no_new_privs - change_hat denied"); in aa_change_hat()
1312 error = -EPERM; in aa_change_hat()
1322 if (error == -EACCES) in aa_change_hat()
1356 struct aa_ruleset *rules = profile->label.rules[0]; in change_profile_perms_wrapper() local
1362 rules->file->start[AA_CLASS_FILE], in change_profile_perms_wrapper()
1376 * aa_change_profile - perform a one-way profile transition
1409 * Testing for unconfined must be done before the subset test in aa_change_profile()
1411 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_profile()
1412 ctx->nnp = aa_get_label(label); in aa_change_profile()
1417 return -EINVAL; in aa_change_profile()
1434 /* This should move to a per profile test. Requires pushing build in aa_change_profile()
1438 label == &labels_ns(label)->unconfined->label && in aa_change_profile()
1445 * by-passed in aa_change_profile()
1469 * TODO: fixme using labels_profile is not right - do profile in aa_change_profile()
1480 error = -ENOMEM; in aa_change_profile()
1483 target = &tprofile->label; in aa_change_profile()
1516 * error = -EACCES; in aa_change_profile()
1527 aa_get_label(&profile->label)); in aa_change_profile()
1533 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_profile()
1536 "no_new_privs - change_hat denied"); in aa_change_profile()
1537 error = -EPERM; in aa_change_profile()
1549 error = -ENOMEM; in aa_change_profile()