Lines Matching +full:sig +full:- +full:dir +full:- +full:cmd
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
210 * common_perm - basic common permission check wrapper fn for paths
235 * common_perm_cond - common permission wrapper around inode cond
244 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), in common_perm_cond()
245 d_backing_inode(path->dentry)); in common_perm_cond()
248 d_backing_inode(path->dentry)->i_mode in common_perm_cond()
251 if (!path_mediated_fs(path->dentry)) in common_perm_cond()
258 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
260 * @dir: directory of the dentry (NOT NULL)
267 static int common_perm_dir_dentry(const char *op, const struct path *dir, in common_perm_dir_dentry() argument
271 struct path path = { .mnt = dir->mnt, .dentry = dentry }; in common_perm_dir_dentry()
277 * common_perm_rm - common permission wrapper for operations doing rm
279 * @dir: directory that the dentry is in (NOT NULL)
285 static int common_perm_rm(const char *op, const struct path *dir, in common_perm_rm() argument
295 vfsuid = i_uid_into_vfsuid(mnt_idmap(dir->mnt), inode); in common_perm_rm()
297 cond.mode = inode->i_mode; in common_perm_rm()
299 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_rm()
303 * common_perm_create - common permission wrapper for operations doing create
305 * @dir: directory that dentry will be created in (NOT NULL)
312 static int common_perm_create(const char *op, const struct path *dir, in common_perm_create() argument
317 if (!path_mediated_fs(dir->dentry)) in common_perm_create()
320 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_create()
323 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) in apparmor_path_unlink() argument
325 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); in apparmor_path_unlink()
328 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, in apparmor_path_mkdir() argument
331 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, in apparmor_path_mkdir()
335 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) in apparmor_path_rmdir() argument
337 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); in apparmor_path_rmdir()
340 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, in apparmor_path_mknod() argument
343 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); in apparmor_path_mknod()
353 return apparmor_path_truncate(&file->f_path); in apparmor_file_truncate()
356 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, in apparmor_path_symlink() argument
359 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, in apparmor_path_symlink()
395 struct mnt_idmap *idmap = mnt_idmap(old_dir->mnt); in apparmor_path_rename()
397 struct path old_path = { .mnt = old_dir->mnt, in apparmor_path_rename()
399 struct path new_path = { .mnt = new_dir->mnt, in apparmor_path_rename()
402 .mode = d_backing_inode(old_dentry)->i_mode in apparmor_path_rename()
409 .mode = d_backing_inode(new_dentry)->i_mode, in apparmor_path_rename()
466 if (!path_mediated_fs(file->f_path.dentry)) in apparmor_file_open()
476 if (file->f_flags & __FMODE_EXEC) { in apparmor_file_open()
477 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; in apparmor_file_open()
481 label = aa_get_newest_cred_label_condref(file->f_cred, &needput); in apparmor_file_open()
487 .mode = inode->i_mode, in apparmor_file_open()
492 error = aa_path_perm(OP_OPEN, file->f_cred, in apparmor_file_open()
493 label, &file->f_path, 0, in apparmor_file_open()
496 fctx->allow = aa_map_file_to_perms(file); in apparmor_file_open()
508 spin_lock_init(&ctx->lock); in apparmor_file_alloc_security()
509 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_file_alloc_security()
519 aa_put_label(rcu_access_pointer(ctx->label)); in apparmor_file_free_security()
530 if (unlikely(file->f_path.dentry == aa_null.dentry)) in common_file_perm()
531 return -EACCES; in common_file_perm()
551 static int apparmor_file_lock(struct file *file, unsigned int cmd) in apparmor_file_lock() argument
555 if (cmd == F_WRLCK) in apparmor_file_lock()
592 return common_mmap(OP_FMPROT, vma->vm_file, prot, in apparmor_file_mprotect()
593 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, in apparmor_file_mprotect()
611 if (ad->request & AA_URING_PERM_MASK) { in audit_uring_cb()
613 audit_uring_mask(ad->request)); in audit_uring_cb()
614 if (ad->denied & AA_URING_PERM_MASK) { in audit_uring_cb()
616 audit_uring_mask(ad->denied)); in audit_uring_cb()
619 if (ad->uring.target) { in audit_uring_cb()
621 aa_label_xaudit(ab, labels_ns(ad->subj_label), in audit_uring_cb()
622 ad->uring.target, in audit_uring_cb()
637 rules = profile->label.rules[0]; in profile_uring()
646 perms = *aa_lookup_perms(rules->policy, state); in profile_uring()
657 * apparmor_uring_override_creds - check the requested cred override
683 * apparmor_uring_sqpoll - check if a io_uring polling thread can be created
791 int error = -ENOENT; in apparmor_getselfattr()
801 if (ctx->previous) in apparmor_getselfattr()
802 label = aa_get_newest_label(ctx->previous); in apparmor_getselfattr()
805 if (ctx->onexec) in apparmor_getselfattr()
806 label = aa_get_newest_label(ctx->onexec); in apparmor_getselfattr()
809 error = -EOPNOTSUPP; in apparmor_getselfattr()
831 int error = -ENOENT; in apparmor_getprocattr()
839 else if (strcmp(name, "prev") == 0 && ctx->previous) in apparmor_getprocattr()
840 label = aa_get_newest_label(ctx->previous); in apparmor_getprocattr()
841 else if (strcmp(name, "exec") == 0 && ctx->onexec) in apparmor_getprocattr()
842 label = aa_get_newest_label(ctx->onexec); in apparmor_getprocattr()
844 error = -EINVAL; in apparmor_getprocattr()
864 return -EINVAL; in do_setattr()
867 if (args[size - 1] != '\0') { in do_setattr()
871 return -ENOMEM; in do_setattr()
876 error = -EINVAL; in do_setattr()
885 arg_size = size - (args - (largs ? largs : (char *) value)); in do_setattr()
927 ad.error = error = -EINVAL; in do_setattr()
939 return -EOPNOTSUPP; in apparmor_setselfattr()
941 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); in apparmor_setselfattr()
954 return -EINVAL; in apparmor_setprocattr()
958 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
964 struct aa_label *new_label = cred_label(bprm->cred); in apparmor_bprm_committing_creds()
967 if ((new_label->proxy == label->proxy) || in apparmor_bprm_committing_creds()
971 aa_inherit_files(bprm->cred, current->files); in apparmor_bprm_committing_creds()
973 current->pdeath_signal = 0; in apparmor_bprm_committing_creds()
980 * apparmor_bprm_committed_creds() - do cleanup after new creds committed
997 prop->apparmor.label = label; in apparmor_current_getlsmprop_subj()
1006 prop->apparmor.label = label; in apparmor_task_getlsmprop_obj()
1028 int sig, const struct cred *cred) in apparmor_task_kill() argument
1042 error = aa_may_signal(cred, cl, tc, tl, sig); in apparmor_task_kill()
1046 error = aa_may_signal(current_cred(), cl, tc, tl, sig); in apparmor_task_kill()
1083 //spin_lock_init(&ctx->lock); in apparmor_sk_alloc_security()
1084 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_sk_alloc_security()
1085 rcu_assign_pointer(ctx->peer, NULL); in apparmor_sk_alloc_security()
1086 rcu_assign_pointer(ctx->peer_lastupdate, NULL); in apparmor_sk_alloc_security()
1096 aa_put_label(rcu_dereference_protected(ctx->label, true)); in apparmor_sk_free_security()
1097 aa_put_label(rcu_dereference_protected(ctx->peer, true)); in apparmor_sk_free_security()
1098 aa_put_label(rcu_dereference_protected(ctx->peer_lastupdate, true)); in apparmor_sk_free_security()
1102 * apparmor_sk_clone_security - clone the sk_security field
1113 if (rcu_access_pointer(ctx->label) != rcu_access_pointer(new->label)) { in apparmor_sk_clone_security()
1114 aa_put_label(rcu_dereference_protected(new->label, true)); in apparmor_sk_clone_security()
1115 rcu_assign_pointer(new->label, aa_get_label_rcu(&ctx->label)); in apparmor_sk_clone_security()
1118 if (rcu_access_pointer(ctx->peer) != rcu_access_pointer(new->peer)) { in apparmor_sk_clone_security()
1119 aa_put_label(rcu_dereference_protected(new->peer, true)); in apparmor_sk_clone_security()
1120 rcu_assign_pointer(new->peer, aa_get_label_rcu(&ctx->peer)); in apparmor_sk_clone_security()
1123 if (rcu_access_pointer(ctx->peer_lastupdate) != rcu_access_pointer(new->peer_lastupdate)) { in apparmor_sk_clone_security()
1124 aa_put_label(rcu_dereference_protected(new->peer_lastupdate, true)); in apparmor_sk_clone_security()
1125 rcu_assign_pointer(new->peer_lastupdate, in apparmor_sk_clone_security()
1126 aa_get_label_rcu(&ctx->peer_lastupdate)); in apparmor_sk_clone_security()
1139 rcu_dereference_protected(peer_ctx->label, in unix_connect_perm()
1140 lockdep_is_held(&unix_sk(peer_sk)->lock))); in unix_connect_perm()
1144 rcu_dereference_protected(peer_ctx->label, in unix_connect_perm()
1145 lockdep_is_held(&unix_sk(peer_sk)->lock)), in unix_connect_perm()
1154 /* lockdep check in unix_connect_perm - push sks here to check */
1159 struct aa_label *label = rcu_dereference_protected(sk_ctx->label, true); in unix_connect_peers()
1162 aa_put_label(rcu_dereference_protected(peer_ctx->peer, in unix_connect_peers()
1164 rcu_assign_pointer(peer_ctx->peer, label); /* transfer cnt */ in unix_connect_peers()
1166 label = aa_get_label(rcu_dereference_protected(peer_ctx->label, in unix_connect_peers()
1168 //spin_unlock(&peer_ctx->lock); in unix_connect_peers()
1170 //spin_lock(&sk_ctx->lock); in unix_connect_peers()
1171 aa_put_label(rcu_dereference_protected(sk_ctx->peer, in unix_connect_peers()
1173 aa_put_label(rcu_dereference_protected(sk_ctx->peer_lastupdate, in unix_connect_peers()
1176 rcu_assign_pointer(sk_ctx->peer, aa_get_label(label)); in unix_connect_peers()
1177 rcu_assign_pointer(sk_ctx->peer_lastupdate, label); /* transfer cnt */ in unix_connect_peers()
1178 //spin_unlock(&sk_ctx->lock); in unix_connect_peers()
1182 * apparmor_unix_stream_connect - check perms before making unix domain conn
1212 rcu_assign_pointer(new_ctx->label, in apparmor_unix_stream_connect()
1213 aa_get_label(rcu_dereference_protected(peer_ctx->label, in apparmor_unix_stream_connect()
1223 * apparmor_unix_may_send - check perms before conn or sending unix dgrams
1240 struct aa_sk_ctx *peer_ctx = aa_sock(peer->sk); in apparmor_unix_may_send()
1248 sock->sk, peer->sk, in apparmor_unix_may_send()
1249 rcu_dereference_protected(peer_ctx->label, in apparmor_unix_may_send()
1251 aa_unix_peer_perm(peer->file ? peer->file->f_cred : NULL, in apparmor_unix_may_send()
1252 rcu_dereference_protected(peer_ctx->label, in apparmor_unix_may_send()
1254 OP_SENDMSG, AA_MAY_RECEIVE, peer->sk, in apparmor_unix_may_send()
1255 sock->sk, label)); in apparmor_unix_may_send()
1287 * apparmor_socket_post_create - setup the per-socket security struct
1295 * - kernel sockets labeled kernel_t used to use unconfined
1296 * - socket may not have sk here if created with sock_create_lite or
1310 if (sock->sk) { in apparmor_socket_post_create()
1311 struct aa_sk_ctx *ctx = aa_sock(sock->sk); in apparmor_socket_post_create()
1314 aa_put_label(rcu_dereference_protected(ctx->label, true)); in apparmor_socket_post_create()
1315 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_socket_post_create()
1325 struct aa_sk_ctx *a_ctx = aa_sock(socka->sk); in apparmor_socket_socketpair()
1326 struct aa_sk_ctx *b_ctx = aa_sock(sockb->sk); in apparmor_socket_socketpair()
1329 /* socks not live yet - initial values set in sk_alloc */ in apparmor_socket_socketpair()
1331 if (rcu_access_pointer(a_ctx->label) != label) { in apparmor_socket_socketpair()
1333 aa_put_label(rcu_dereference_protected(a_ctx->label, true)); in apparmor_socket_socketpair()
1334 rcu_assign_pointer(a_ctx->label, aa_get_label(label)); in apparmor_socket_socketpair()
1336 if (rcu_access_pointer(b_ctx->label) != label) { in apparmor_socket_socketpair()
1338 aa_put_label(rcu_dereference_protected(b_ctx->label, true)); in apparmor_socket_socketpair()
1339 rcu_assign_pointer(b_ctx->label, aa_get_label(label)); in apparmor_socket_socketpair()
1342 if (socka->sk->sk_family == PF_UNIX) { in apparmor_socket_socketpair()
1343 /* unix socket pairs by-pass unix_stream_connect */ in apparmor_socket_socketpair()
1352 * apparmor_socket_bind - check perms before bind addr to socket
1353 * @sock: socket to bind the address to (must be non-NULL)
1354 * @address: address that is being bound (must be non-NULL)
1369 AA_BUG(!sock->sk); in apparmor_socket_bind()
1373 if (sock->sk->sk_family == PF_UNIX) in apparmor_socket_bind()
1375 return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk); in apparmor_socket_bind()
1382 AA_BUG(!sock->sk); in apparmor_socket_connect()
1387 if (sock->sk->sk_family == PF_UNIX) in apparmor_socket_connect()
1389 return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk); in apparmor_socket_connect()
1395 AA_BUG(!sock->sk); in apparmor_socket_listen()
1398 if (sock->sk->sk_family == PF_UNIX) in apparmor_socket_listen()
1400 return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk); in apparmor_socket_listen()
1410 AA_BUG(!sock->sk); in apparmor_socket_accept()
1414 if (sock->sk->sk_family == PF_UNIX) in apparmor_socket_accept()
1416 return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk); in apparmor_socket_accept()
1423 AA_BUG(!sock->sk); in aa_sock_msg_perm()
1428 if (sock->sk->sk_family == PF_UNIX) in aa_sock_msg_perm()
1430 return aa_sk_perm(op, request, sock->sk); in aa_sock_msg_perm()
1449 AA_BUG(!sock->sk); in aa_sock_perm()
1452 if (sock->sk->sk_family == PF_UNIX) in aa_sock_perm()
1454 return aa_sk_perm(op, request, sock->sk); in aa_sock_perm()
1472 AA_BUG(!sock->sk); in aa_sock_opt_perm()
1475 if (sock->sk->sk_family == PF_UNIX) in aa_sock_opt_perm()
1477 return aa_sk_perm(op, request, sock->sk); in aa_sock_opt_perm()
1501 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk
1515 if (!skb->secmark) in apparmor_socket_sock_rcv_skb()
1522 if (!rcu_access_pointer(ctx->label)) in apparmor_socket_sock_rcv_skb()
1523 return -EACCES; in apparmor_socket_sock_rcv_skb()
1526 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_RECVMSG, in apparmor_socket_sock_rcv_skb()
1527 AA_MAY_RECEIVE, skb->secmark, sk); in apparmor_socket_sock_rcv_skb()
1538 struct aa_label *label = ERR_PTR(-ENOPROTOOPT); in sk_peer_get_label()
1540 if (rcu_access_pointer(ctx->peer)) in sk_peer_get_label()
1541 return aa_get_label_rcu(&ctx->peer); in sk_peer_get_label()
1543 if (sk->sk_family != PF_UNIX) in sk_peer_get_label()
1544 return ERR_PTR(-ENOPROTOOPT); in sk_peer_get_label()
1550 * apparmor_socket_getpeersec_stream - get security context of peer
1552 * @optval: output - buffer to copy peer name to
1553 * @optlen: output - size of copied name in @optval
1555 * Returns: 0 on success, -errno of failure
1568 peer = sk_peer_get_label(sock->sk); in apparmor_socket_getpeersec_stream()
1579 error = -ENOMEM; in apparmor_socket_getpeersec_stream()
1583 error = -ERANGE; in apparmor_socket_getpeersec_stream()
1588 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1591 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1602 * apparmor_socket_getpeersec_dgram - get security label of packet
1614 return -ENOPROTOOPT; in apparmor_socket_getpeersec_dgram()
1618 * apparmor_sock_graft - Initialize newly created socket
1624 * Labeling of sk for accept case - probably should be sock based
1632 /* setup - not live */ in apparmor_sock_graft()
1633 if (!rcu_access_pointer(ctx->label)) in apparmor_sock_graft()
1634 rcu_assign_pointer(ctx->label, aa_get_current_label()); in apparmor_sock_graft()
1644 if (!skb->secmark) in apparmor_inet_conn_request()
1648 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_CONNECT, in apparmor_inet_conn_request()
1649 AA_MAY_CONNECT, skb->secmark, sk); in apparmor_inet_conn_request()
1831 /* AppArmor global enforcement switch - complain, enforce, kill */
1920 return -EINVAL; in param_set_aalockpolicy()
1922 return -EPERM; in param_set_aalockpolicy()
1929 return -EINVAL; in param_get_aalockpolicy()
1931 return -EPERM; in param_get_aalockpolicy()
1938 return -EINVAL; in param_set_aabool()
1940 return -EPERM; in param_set_aabool()
1947 return -EINVAL; in param_get_aabool()
1949 return -EPERM; in param_get_aabool()
1958 return -EINVAL; in param_set_aauint()
1961 return -EPERM; in param_set_aauint()
1973 return -EINVAL; in param_get_aauint()
1975 return -EPERM; in param_get_aauint()
1987 return -EPERM; in param_set_aaintbool()
1990 value = !!*((int *)kp->arg); in param_set_aaintbool()
1996 *((int *)kp->arg) = *((bool *)kp_local.arg); in param_set_aaintbool()
2012 value = !!*((int *)kp->arg); in param_get_aaintbool()
2025 return -EINVAL; in param_set_aacompressionlevel()
2027 return -EPERM; in param_set_aacompressionlevel()
2043 return -EINVAL; in param_get_aacompressionlevel()
2045 return -EPERM; in param_get_aacompressionlevel()
2052 return -EINVAL; in param_get_debug()
2054 return -EPERM; in param_get_debug()
2063 return -EINVAL; in param_set_debug()
2065 return -EINVAL; in param_set_debug()
2067 return -EPERM; in param_set_debug()
2071 return -EINVAL; in param_set_debug()
2080 return -EINVAL; in param_get_audit()
2082 return -EPERM; in param_get_audit()
2091 return -EINVAL; in param_set_audit()
2093 return -EINVAL; in param_set_audit()
2095 return -EPERM; in param_set_audit()
2099 return -EINVAL; in param_set_audit()
2108 return -EINVAL; in param_get_mode()
2110 return -EPERM; in param_get_mode()
2120 return -EINVAL; in param_set_mode()
2122 return -EINVAL; in param_set_mode()
2124 return -EPERM; in param_set_mode()
2129 return -EINVAL; in param_set_mode()
2144 if (!list_empty(&cache->head)) { in aa_get_buffer()
2145 aa_buf = list_first_entry(&cache->head, union aa_buffer, list); in aa_get_buffer()
2146 list_del(&aa_buf->list); in aa_get_buffer()
2147 cache->hold--; in aa_get_buffer()
2148 cache->count--; in aa_get_buffer()
2150 return &aa_buf->buffer[0]; in aa_get_buffer()
2156 cache->hold += 1; in aa_get_buffer()
2168 list_del(&aa_buf->list); in aa_get_buffer()
2169 buffer_count--; in aa_get_buffer()
2171 return aa_buf->buffer; in aa_get_buffer()
2195 return aa_buf->buffer; in aa_get_buffer()
2208 if (!cache->hold) { in aa_put_buffer()
2213 list_add(&aa_buf->list, &aa_global_buffers); in aa_put_buffer()
2222 cache->hold += 1; in aa_put_buffer()
2226 list_add(&aa_buf->list, &cache->head); in aa_put_buffer()
2227 cache->count++; in aa_put_buffer()
2236 * set_init_ctx - set a task context and profile on the first task.
2242 struct cred *cred = (__force struct cred *)current->real_cred; in set_init_ctx()
2257 list_del(&aa_buf->list); in destroy_buffers()
2284 * This preallocation has also the side-effect that AppArmor will be in alloc_buffers()
2298 return -ENOMEM; in alloc_buffers()
2300 aa_put_buffer(aa_buf->buffer); in alloc_buffers()
2310 return -EPERM; in apparmor_dointvec()
2312 return -EINVAL; in apparmor_dointvec()
2345 return register_sysctl("kernel", apparmor_sysctl_table) ? 0 : -ENOMEM; in apparmor_init_sysctl()
2363 if (!skb->secmark) in apparmor_ip_postroute()
2372 error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_SENDMSG, in apparmor_ip_postroute()
2373 AA_MAY_SEND, skb->secmark, sk); in apparmor_ip_postroute()
2378 return NF_DROP_ERR(-ECONNREFUSED); in apparmor_ip_postroute()
2445 int error = -ENOMEM; in aa_setup_dfa_engine()
2449 return -ENOMEM; in aa_setup_dfa_engine()
2458 nullpdb->dfa = aa_get_dfa(nulldfa); in aa_setup_dfa_engine()
2459 nullpdb->perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL); in aa_setup_dfa_engine()
2460 if (!nullpdb->perms) in aa_setup_dfa_engine()
2462 nullpdb->size = 2; in aa_setup_dfa_engine()