Lines Matching +full:subset +full:- +full:of

1 // SPDX-License-Identifier: GPL-2.0-only
5 * This file contains AppArmor mediation of files
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
41 * file_audit_cb - call back for file specific audit fields
43 * @va: audit struct to audit values of (NOT NULL)
49 kuid_t fsuid = ad->subj_cred ? ad->subj_cred->fsuid : current_fsuid(); in file_audit_cb()
52 if (ad->request & AA_AUDIT_FILE_MASK) { in file_audit_cb()
54 map_mask_to_chr_mask(ad->request)); in file_audit_cb()
57 if (ad->denied & AA_AUDIT_FILE_MASK) { in file_audit_cb()
59 map_mask_to_chr_mask(ad->denied)); in file_audit_cb()
62 if (ad->request & AA_AUDIT_FILE_MASK) { in file_audit_cb()
66 from_kuid(&init_user_ns, ad->fs.ouid)); in file_audit_cb()
69 if (ad->peer) { in file_audit_cb()
71 aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer, in file_audit_cb()
73 } else if (ad->fs.target) { in file_audit_cb()
75 audit_log_untrustedstring(ab, ad->fs.target); in file_audit_cb()
80 * aa_audit_file - handle the auditing of file operations
81 * @subj_cred: cred of the subject
86 * @name: name of object being mediated (MAYBE NULL)
87 * @target: name of target (MAYBE NULL)
115 u32 mask = perms->audit; in aa_audit_file()
128 ad.request = ad.request & ~perms->allow; in aa_audit_file()
131 if (ad.request & perms->kill) in aa_audit_file()
135 if ((ad.request & perms->quiet) && in aa_audit_file()
138 ad.request &= ~perms->quiet; in aa_audit_file()
144 ad.denied = ad.request & ~perms->allow; in aa_audit_file()
158 labels_profile(label)->disconnected); in path_name()
163 NULL, NULL, cond->uid, info, error)); in path_name()
172 * aa_lookup_condperms - convert dfa compressed perms to internal perms
185 unsigned int index = ACCEPT_TABLE(rules->dfa)[state]; in aa_lookup_condperms()
187 if (!(rules->perms)) in aa_lookup_condperms()
190 if ((ACCEPT_TABLE2(rules->dfa)[state] & ACCEPT_FLAG_OWNER)) { in aa_lookup_condperms()
191 if (uid_eq(subj_uid, cond->uid)) in aa_lookup_condperms()
192 return &(rules->perms[index]); in aa_lookup_condperms()
193 return &(rules->perms[index + 1]); in aa_lookup_condperms()
196 return &(rules->perms[index]); in aa_lookup_condperms()
200 * aa_str_perms - find permissions that match @name
205 * @perms: Returns - the permissions found when matching @name
214 state = aa_dfa_match(file_rules->dfa, start, name); in aa_str_perms()
226 struct aa_ruleset *rules = profile->label.rules[0]; in __aa_path_perm()
232 aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE], in __aa_path_perm()
234 if (request & ~perms->allow) in __aa_path_perm()
235 e = -EACCES; in __aa_path_perm()
238 cond->uid, NULL, e); in __aa_path_perm()
254 error = path_name(op, subj_cred, &profile->label, path, in profile_path_perm()
255 flags | profile->path_flags, buffer, &name, cond, in profile_path_perm()
264 * aa_path_perm - do permissions check & audit for @path
268 * @path: path to check permissions of (NOT NULL)
285 flags |= PATH_DELEGATE_DELETED | (S_ISDIR(cond->mode) ? PATH_IS_DIR : in aa_path_perm()
289 return -ENOMEM; in aa_path_perm()
300 * xindex_is_subset - helper for aa_path_link
304 * test target x permissions are equal OR a subset of link x permissions
305 * this is done as part of the subset test, where a hardlink must have
306 * a subset of permissions that the target has.
308 * Returns: true if subset else false
325 struct aa_ruleset *rules = profile->label.rules[0]; in profile_path_link()
333 error = path_name(OP_LINK, subj_cred, &profile->label, link, in profile_path_link()
334 profile->path_flags, in profile_path_link()
340 error = path_name(OP_LINK, subj_cred, &profile->label, target, in profile_path_link()
341 profile->path_flags, in profile_path_link()
346 error = -EACCES; in profile_path_link()
347 /* aa_str_perms - handles the case of the dfa being NULL */ in profile_path_link()
348 state = aa_str_perms(rules->file, in profile_path_link()
349 rules->file->start[AA_CLASS_FILE], lname, in profile_path_link()
356 state = aa_dfa_null_transition(rules->file->dfa, state); in profile_path_link()
357 aa_str_perms(rules->file, state, tname, cond, &perms); in profile_path_link()
372 /* done if link subset test is not required */ in profile_path_link()
376 /* Do link perm subset test, requiring that the allowed permissions on link are in profile_path_link()
377 * a subset of the allowed permissions on target. in profile_path_link()
379 aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE], in profile_path_link()
382 /* AA_MAY_LINK is not considered in the subset test */ in profile_path_link()
393 info = "link not subset of target"; in profile_path_link()
403 NULL, cond->uid, info, error); in profile_path_link()
407 * aa_path_link - Handle hard link permission check
417 * is done from the point of the link match (not start of DFA)
420 * The subset test, if required, forces the permissions granted
421 * on link to be a subset of the permissions granted to target.
429 struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry }; in aa_path_link()
430 struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry }; in aa_path_link()
435 .mode = inode->i_mode, in aa_path_link()
444 error = -ENOMEM; in aa_path_link()
462 /* update caching of label on file_ctx */ in update_file_ctx()
463 spin_lock(&fctx->lock); in update_file_ctx()
464 old = rcu_dereference_protected(fctx->label, in update_file_ctx()
465 lockdep_is_held(&fctx->lock)); in update_file_ctx()
469 rcu_assign_pointer(fctx->label, l); in update_file_ctx()
473 fctx->allow |= request; in update_file_ctx()
475 spin_unlock(&fctx->lock); in update_file_ctx()
489 .mode = file_inode(file)->i_mode in __file_path_perm()
494 /* revalidation due to label out of date. No revocation at this time */ in __file_path_perm()
502 return -ENOMEM; in __file_path_perm()
507 &file->f_path, buffer, in __file_path_perm()
514 * TODO: cache full perms so this only happens because of in __file_path_perm()
521 profile, &file->f_path, in __file_path_perm()
527 profile, &file->f_path, in __file_path_perm()
546 /* revalidation due to label out of date. No revocation at this time */ in __file_sock_perm()
564 /* for now separate fn to indicate semantics of the check */
573 struct socket *sock = (struct socket *) file->private_data; in __unix_needs_revalidation()
577 if (!S_ISSOCK(file_inode(file)->i_mode)) in __unix_needs_revalidation()
581 if (sock->sk->sk_family == PF_UNIX) { in __unix_needs_revalidation()
582 struct aa_sk_ctx *ctx = aa_sock(sock->sk); in __unix_needs_revalidation()
584 if (rcu_access_pointer(ctx->peer) != in __unix_needs_revalidation()
585 rcu_access_pointer(ctx->peer_lastupdate)) in __unix_needs_revalidation()
587 return !__aa_subj_label_is_cached(rcu_dereference(ctx->label), in __unix_needs_revalidation()
594 * aa_file_perm - do permission revalidation check & audit for @file
619 flabel = rcu_dereference(fctx->label); in aa_file_perm()
629 denied = request & ~fctx->allow; in aa_file_perm()
637 /* slow path - revalidate access */ in aa_file_perm()
641 if (path_mediated_fs(file->f_path.dentry)) in aa_file_perm()
645 else if (S_ISSOCK(file_inode(file)->i_mode)) in aa_file_perm()
663 spin_lock(&tty->files_lock); in revalidate_tty()
664 if (!list_empty(&tty->tty_files)) { in revalidate_tty()
668 file_priv = list_first_entry(&tty->tty_files, in revalidate_tty()
670 file = file_priv->file; in revalidate_tty()
676 spin_unlock(&tty->files_lock); in revalidate_tty()
692 if (aa_file_perm(OP_INHERIT, cl->cred, cl->label, file, in match_file()
722 replace_fd(n - 1, devnull, 0); in aa_inherit_files()