1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor policy manipulation functions
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 *
10 * AppArmor policy is based around profiles, which contain the rules a
11 * task is confined by. Every task in the system has a profile attached
12 * to it determined either by matching "unconfined" tasks against the
13 * visible set of profiles or by following a profiles attachment rules.
14 *
15 * Each profile exists in a profile namespace which is a container of
16 * visible profiles. Each namespace contains a special "unconfined" profile,
17 * which doesn't enforce any confinement on a task beyond DAC.
18 *
19 * Namespace and profile names can be written together in either
20 * of two syntaxes.
21 * :namespace:profile - used by kernel interfaces for easy detection
22 * namespace://profile - used by policy
23 *
24 * Profile names can not start with : or @ or ^ and may not contain \0
25 *
26 * Reserved profile names
27 * unconfined - special automatically generated unconfined profile
28 * inherit - special name to indicate profile inheritance
29 * null-XXXX-YYYY - special automatically generated learning profiles
30 *
31 * Namespace names may not start with / or @ and may not contain \0 or :
32 * Reserved namespace names
33 * user-XXXX - user defined profiles
34 *
35 * a // in a profile or namespace name indicates a hierarchical name with the
36 * name before the // being the parent and the name after the child.
37 *
38 * Profile and namespace hierarchies serve two different but similar purposes.
39 * The namespace contains the set of visible profiles that are considered
40 * for attachment. The hierarchy of namespaces allows for virtualizing
41 * the namespace so that for example a chroot can have its own set of profiles
42 * which may define some local user namespaces.
43 * The profile hierarchy severs two distinct purposes,
44 * - it allows for sub profiles or hats, which allows an application to run
45 * subprograms under its own profile with different restriction than it
46 * self, and not have it use the system profile.
47 * eg. if a mail program starts an editor, the policy might make the
48 * restrictions tighter on the editor tighter than the mail program,
49 * and definitely different than general editor restrictions
50 * - it allows for binary hierarchy of profiles, so that execution history
51 * is preserved. This feature isn't exploited by AppArmor reference policy
52 * but is allowed. NOTE: this is currently suboptimal because profile
53 * aliasing is not currently implemented so that a profile for each
54 * level must be defined.
55 * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
56 * from /bin/bash
57 *
58 * A profile or namespace name that can contain one or more // separators
59 * is referred to as an hname (hierarchical).
60 * eg. /bin/bash//bin/ls
61 *
62 * An fqname is a name that may contain both namespace and profile hnames.
63 * eg. :ns:/bin/bash//bin/ls
64 *
65 * NOTES:
66 * - locking of profile lists is currently fairly coarse. All profile
67 * lists within a namespace use the namespace lock.
68 * FIXME: move profile lists to using rcu_lists
69 */
70
71 #include <linux/slab.h>
72 #include <linux/spinlock.h>
73 #include <linux/string.h>
74 #include <linux/cred.h>
75 #include <linux/rculist.h>
76 #include <linux/user_namespace.h>
77
78 #include "include/apparmor.h"
79 #include "include/capability.h"
80 #include "include/cred.h"
81 #include "include/file.h"
82 #include "include/ipc.h"
83 #include "include/match.h"
84 #include "include/path.h"
85 #include "include/policy.h"
86 #include "include/policy_ns.h"
87 #include "include/policy_unpack.h"
88 #include "include/resource.h"
89
90 int unprivileged_userns_apparmor_policy = 1;
91 int aa_unprivileged_unconfined_restricted;
92
93 const char *const aa_profile_mode_names[] = {
94 "enforce",
95 "complain",
96 "kill",
97 "unconfined",
98 "user",
99 };
100
aa_destroy_tags(struct aa_tags_struct * tags)101 void aa_destroy_tags(struct aa_tags_struct *tags)
102 {
103 kfree_sensitive(tags->hdrs.table);
104 kfree_sensitive(tags->sets.table);
105 aa_destroy_str_table(&tags->strs);
106 memset(tags, 0, sizeof(*tags));
107 }
108
aa_free_pdb(struct aa_policydb * pdb)109 static void aa_free_pdb(struct aa_policydb *pdb)
110 {
111 if (pdb) {
112 aa_put_dfa(pdb->dfa);
113 kvfree(pdb->perms);
114 aa_destroy_str_table(&pdb->trans);
115 aa_destroy_tags(&pdb->tags);
116 kfree(pdb);
117 }
118 }
119
120 /**
121 * aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb)
122 * @kref: kref callback for freeing of a dfa (NOT NULL)
123 */
aa_pdb_free_kref(struct kref * kref)124 void aa_pdb_free_kref(struct kref *kref)
125 {
126 struct aa_policydb *pdb = container_of(kref, struct aa_policydb, count);
127
128 aa_free_pdb(pdb);
129 }
130
131
aa_alloc_pdb(gfp_t gfp)132 struct aa_policydb *aa_alloc_pdb(gfp_t gfp)
133 {
134 struct aa_policydb *pdb = kzalloc_obj(struct aa_policydb, gfp);
135
136 if (!pdb)
137 return NULL;
138
139 kref_init(&pdb->count);
140
141 return pdb;
142 }
143
144
145 /**
146 * __add_profile - add a profiles to list and label tree
147 * @list: list to add it to (NOT NULL)
148 * @profile: the profile to add (NOT NULL)
149 *
150 * refcount @profile, should be put by __list_remove_profile
151 *
152 * Requires: namespace lock be held, or list not be shared
153 */
__add_profile(struct list_head * list,struct aa_profile * profile)154 static void __add_profile(struct list_head *list, struct aa_profile *profile)
155 {
156 struct aa_label *l;
157
158 AA_BUG(!list);
159 AA_BUG(!profile);
160 AA_BUG(!profile->ns);
161 AA_BUG(!mutex_is_locked(&profile->ns->lock));
162
163 list_add_rcu(&profile->base.list, list);
164 /* get list reference */
165 aa_get_profile(profile);
166 l = aa_label_insert(&profile->ns->labels, &profile->label);
167 AA_BUG(l != &profile->label);
168 aa_put_label(l);
169 }
170
171 /**
172 * __list_remove_profile - remove a profile from the list it is on
173 * @profile: the profile to remove (NOT NULL)
174 *
175 * remove a profile from the list, warning generally removal should
176 * be done with __replace_profile as most profile removals are
177 * replacements to the unconfined profile.
178 *
179 * put @profile list refcount
180 *
181 * Requires: namespace lock be held, or list not have been live
182 */
__list_remove_profile(struct aa_profile * profile)183 static void __list_remove_profile(struct aa_profile *profile)
184 {
185 AA_BUG(!profile);
186 AA_BUG(!profile->ns);
187 AA_BUG(!mutex_is_locked(&profile->ns->lock));
188
189 list_del_rcu(&profile->base.list);
190 aa_put_profile(profile);
191 }
192
193 /**
194 * __remove_profile - remove profile, and children
195 * @profile: profile to be removed (NOT NULL)
196 *
197 * Requires: namespace list lock be held, or list not be shared
198 */
__remove_profile(struct aa_profile * profile)199 static void __remove_profile(struct aa_profile *profile)
200 {
201 struct aa_profile *curr, *to_remove;
202
203 AA_BUG(!profile);
204 AA_BUG(!profile->ns);
205 AA_BUG(!mutex_is_locked(&profile->ns->lock));
206
207 /* release any children lists first */
208 if (!list_empty(&profile->base.profiles)) {
209 curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list);
210
211 while (curr != profile) {
212
213 while (!list_empty(&curr->base.profiles))
214 curr = list_first_entry(&curr->base.profiles,
215 struct aa_profile, base.list);
216
217 to_remove = curr;
218 if (!list_is_last(&to_remove->base.list,
219 &aa_deref_parent(curr)->base.profiles))
220 curr = list_next_entry(to_remove, base.list);
221 else
222 curr = aa_deref_parent(curr);
223
224 /* released by free_profile */
225 aa_label_remove(&to_remove->label);
226 __aafs_profile_rmdir(to_remove);
227 __list_remove_profile(to_remove);
228 }
229 }
230
231 /* released by free_profile */
232 aa_label_remove(&profile->label);
233 __aafs_profile_rmdir(profile);
234 __list_remove_profile(profile);
235 }
236
237 /**
238 * __aa_profile_list_release - remove all profiles on the list and put refs
239 * @head: list of profiles (NOT NULL)
240 *
241 * Requires: namespace lock be held
242 */
__aa_profile_list_release(struct list_head * head)243 void __aa_profile_list_release(struct list_head *head)
244 {
245 struct aa_profile *profile, *tmp;
246 list_for_each_entry_safe(profile, tmp, head, base.list)
247 __remove_profile(profile);
248 }
249
250 /**
251 * aa_free_data - free a data blob
252 * @ptr: data to free
253 * @arg: unused
254 */
aa_free_data(void * ptr,void * arg)255 static void aa_free_data(void *ptr, void *arg)
256 {
257 struct aa_data *data = ptr;
258
259 if (!ptr)
260 return;
261
262 kvfree_sensitive(data->data, data->size);
263 kfree_sensitive(data->key);
264 kfree_sensitive(data);
265 }
266
free_attachment(struct aa_attachment * attach)267 static void free_attachment(struct aa_attachment *attach)
268 {
269 int i;
270
271 if (!attach)
272 return;
273
274 for (i = 0; i < attach->xattr_count; i++)
275 kfree_sensitive(attach->xattrs[i]);
276 kfree_sensitive(attach->xattrs);
277 aa_put_pdb(attach->xmatch);
278 }
279
free_ruleset(struct aa_ruleset * rules)280 static void free_ruleset(struct aa_ruleset *rules)
281 {
282 int i;
283
284 if (!rules)
285 return;
286
287 aa_put_pdb(rules->file);
288 aa_put_pdb(rules->policy);
289 aa_free_cap_rules(&rules->caps);
290 aa_free_rlimit_rules(&rules->rlimits);
291
292 for (i = 0; i < rules->secmark_count; i++)
293 kfree_sensitive(rules->secmark[i].label);
294 kfree_sensitive(rules->secmark);
295 kfree_sensitive(rules);
296 }
297
aa_alloc_ruleset(gfp_t gfp)298 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
299 {
300 struct aa_ruleset *rules;
301
302 rules = kzalloc_obj(*rules, gfp);
303
304 return rules;
305 }
306
307 /**
308 * aa_free_profile - free a profile
309 * @profile: the profile to free (MAYBE NULL)
310 *
311 * Free a profile, its hats and null_profile. All references to the profile,
312 * its hats and null_profile must have been put.
313 *
314 * If the profile was referenced from a task context, free_profile() will
315 * be called from an rcu callback routine, so we must not sleep here.
316 */
aa_free_profile(struct aa_profile * profile)317 void aa_free_profile(struct aa_profile *profile)
318 {
319 struct rhashtable *rht;
320
321 AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile);
322
323 if (!profile)
324 return;
325
326 /* free children profiles */
327 aa_policy_destroy(&profile->base);
328 aa_put_profile(rcu_access_pointer(profile->parent));
329
330 aa_put_ns(profile->ns);
331 kfree_sensitive(profile->rename);
332 kfree_sensitive(profile->disconnected);
333
334 free_attachment(&profile->attach);
335
336 /*
337 * at this point there are no tasks that can have a reference
338 * to rules
339 */
340 for (int i = 0; i < profile->n_rules; i++)
341 free_ruleset(profile->label.rules[i]);
342
343 kfree_sensitive(profile->dirname);
344
345 if (profile->data) {
346 rht = profile->data;
347 profile->data = NULL;
348 rhashtable_free_and_destroy(rht, aa_free_data, NULL);
349 kfree_sensitive(rht);
350 }
351
352 kfree_sensitive(profile->hash);
353 aa_put_profile_loaddata(profile->rawdata);
354 aa_label_destroy(&profile->label);
355
356 kfree_sensitive(profile);
357 }
358
359 /**
360 * aa_alloc_profile - allocate, initialize and return a new profile
361 * @hname: name of the profile (NOT NULL)
362 * @proxy: proxy to use OR null if to allocate a new one
363 * @gfp: allocation type
364 *
365 * Returns: refcount profile or NULL on failure
366 */
aa_alloc_profile(const char * hname,struct aa_proxy * proxy,gfp_t gfp)367 struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
368 gfp_t gfp)
369 {
370 struct aa_profile *profile;
371
372 /* freed by free_profile - usually through aa_put_profile
373 * this adds space for a single ruleset in the rules section of the
374 * label
375 */
376 profile = kzalloc_flex(*profile, label.rules, 1, gfp);
377 if (!profile)
378 return NULL;
379
380 if (!aa_policy_init(&profile->base, NULL, hname, gfp))
381 goto fail;
382 if (!aa_label_init(&profile->label, 1, gfp))
383 goto fail;
384
385 /* allocate the first ruleset, but leave it empty */
386 profile->label.rules[0] = aa_alloc_ruleset(gfp);
387 if (!profile->label.rules[0])
388 goto fail;
389 profile->n_rules = 1;
390
391 /* update being set needed by fs interface */
392 if (!proxy) {
393 proxy = aa_alloc_proxy(&profile->label, gfp);
394 if (!proxy)
395 goto fail;
396 } else
397 aa_get_proxy(proxy);
398 profile->label.proxy = proxy;
399
400 profile->label.hname = profile->base.hname;
401 profile->label.flags |= FLAG_PROFILE;
402 profile->label.vec[0] = profile;
403
404 profile->signal = SIGKILL;
405 /* refcount released by caller */
406 return profile;
407
408 fail:
409 aa_free_profile(profile);
410
411 return NULL;
412 }
413
ANY_RULE_MEDIATES(struct aa_profile * profile,unsigned char class)414 static inline bool ANY_RULE_MEDIATES(struct aa_profile *profile,
415 unsigned char class)
416 {
417 int i;
418
419 for (i = 0; i < profile->n_rules; i++) {
420 if (RULE_MEDIATES(profile->label.rules[i], class))
421 return true;
422 }
423 return false;
424 }
425
426 /* set of rules that are mediated by unconfined */
427 static int unconfined_mediates[] = { AA_CLASS_NS, AA_CLASS_IO_URING, 0 };
428
429 /* must be called after profile rulesets and start information is setup */
aa_compute_profile_mediates(struct aa_profile * profile)430 void aa_compute_profile_mediates(struct aa_profile *profile)
431 {
432 int c;
433
434 if (profile_unconfined(profile)) {
435 int *pos;
436
437 for (pos = unconfined_mediates; *pos; pos++) {
438 if (ANY_RULE_MEDIATES(profile, *pos))
439 profile->label.mediates |= ((u64) 1) << AA_CLASS_NS;
440 }
441 return;
442 }
443 for (c = 0; c <= AA_CLASS_LAST; c++) {
444 if (ANY_RULE_MEDIATES(profile, c))
445 profile->label.mediates |= ((u64) 1) << c;
446 }
447 }
448
449 /* TODO: profile accounting - setup in remove */
450
451 /**
452 * __strn_find_child - find a profile on @head list using substring of @name
453 * @head: list to search (NOT NULL)
454 * @name: name of profile (NOT NULL)
455 * @len: length of @name substring to match
456 *
457 * Requires: rcu_read_lock be held
458 *
459 * Returns: unrefcounted profile ptr, or NULL if not found
460 */
__strn_find_child(struct list_head * head,const char * name,int len)461 static struct aa_profile *__strn_find_child(struct list_head *head,
462 const char *name, int len)
463 {
464 return (struct aa_profile *)__policy_strn_find(head, name, len);
465 }
466
467 /**
468 * __find_child - find a profile on @head list with a name matching @name
469 * @head: list to search (NOT NULL)
470 * @name: name of profile (NOT NULL)
471 *
472 * Requires: rcu_read_lock be held
473 *
474 * Returns: unrefcounted profile ptr, or NULL if not found
475 */
__find_child(struct list_head * head,const char * name)476 static struct aa_profile *__find_child(struct list_head *head, const char *name)
477 {
478 return __strn_find_child(head, name, strlen(name));
479 }
480
481 /**
482 * aa_find_child - find a profile by @name in @parent
483 * @parent: profile to search (NOT NULL)
484 * @name: profile name to search for (NOT NULL)
485 *
486 * Returns: a refcounted profile or NULL if not found
487 */
aa_find_child(struct aa_profile * parent,const char * name)488 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
489 {
490 struct aa_profile *profile;
491
492 rcu_read_lock();
493 do {
494 profile = __find_child(&parent->base.profiles, name);
495 } while (profile && !aa_get_profile_not0(profile));
496 rcu_read_unlock();
497
498 /* refcount released by caller */
499 return profile;
500 }
501
502 /**
503 * __lookup_parent - lookup the parent of a profile of name @hname
504 * @ns: namespace to lookup profile in (NOT NULL)
505 * @hname: hierarchical profile name to find parent of (NOT NULL)
506 *
507 * Lookups up the parent of a fully qualified profile name, the profile
508 * that matches hname does not need to exist, in general this
509 * is used to load a new profile.
510 *
511 * Requires: rcu_read_lock be held
512 *
513 * Returns: unrefcounted policy or NULL if not found
514 */
__lookup_parent(struct aa_ns * ns,const char * hname)515 static struct aa_policy *__lookup_parent(struct aa_ns *ns,
516 const char *hname)
517 {
518 struct aa_policy *policy;
519 struct aa_profile *profile = NULL;
520 char *split;
521
522 policy = &ns->base;
523
524 for (split = strstr(hname, "//"); split;) {
525 profile = __strn_find_child(&policy->profiles, hname,
526 split - hname);
527 if (!profile)
528 return NULL;
529 policy = &profile->base;
530 hname = split + 2;
531 split = strstr(hname, "//");
532 }
533 if (!profile)
534 return &ns->base;
535 return &profile->base;
536 }
537
538 /**
539 * __create_missing_ancestors - create place holders for missing ancestors
540 * @ns: namespace to lookup profile in (NOT NULL)
541 * @hname: hierarchical profile name to find parent of (NOT NULL)
542 * @gfp: type of allocation.
543 *
544 * Requires: ns mutex lock held
545 *
546 * Return: unrefcounted parent policy on success or %NULL if error creating
547 * place holder profiles.
548 */
__create_missing_ancestors(struct aa_ns * ns,const char * hname,gfp_t gfp)549 static struct aa_policy *__create_missing_ancestors(struct aa_ns *ns,
550 const char *hname,
551 gfp_t gfp)
552 {
553 struct aa_policy *policy;
554 struct aa_profile *parent, *profile = NULL;
555 char *split;
556
557 AA_BUG(!ns);
558 AA_BUG(!hname);
559
560 policy = &ns->base;
561
562 for (split = strstr(hname, "//"); split;) {
563 parent = profile;
564 profile = __strn_find_child(&policy->profiles, hname,
565 split - hname);
566 if (!profile) {
567 const char *name = kstrndup(hname, split - hname,
568 gfp);
569 if (!name)
570 return NULL;
571 profile = aa_alloc_null(parent, name, gfp);
572 kfree(name);
573 if (!profile)
574 return NULL;
575 if (!parent)
576 profile->ns = aa_get_ns(ns);
577 }
578 policy = &profile->base;
579 hname = split + 2;
580 split = strstr(hname, "//");
581 }
582 if (!profile)
583 return &ns->base;
584 return &profile->base;
585 }
586
587 /**
588 * __lookupn_profile - lookup the profile matching @hname
589 * @base: base list to start looking up profile name from (NOT NULL)
590 * @hname: hierarchical profile name (NOT NULL)
591 * @n: length of @hname
592 *
593 * Requires: rcu_read_lock be held
594 *
595 * Returns: unrefcounted profile pointer or NULL if not found
596 *
597 * Do a relative name lookup, recursing through profile tree.
598 */
__lookupn_profile(struct aa_policy * base,const char * hname,size_t n)599 static struct aa_profile *__lookupn_profile(struct aa_policy *base,
600 const char *hname, size_t n)
601 {
602 struct aa_profile *profile = NULL;
603 const char *split;
604
605 for (split = strnstr(hname, "//", n); split;
606 split = strnstr(hname, "//", n)) {
607 profile = __strn_find_child(&base->profiles, hname,
608 split - hname);
609 if (!profile)
610 return NULL;
611
612 base = &profile->base;
613 n -= split + 2 - hname;
614 hname = split + 2;
615 }
616
617 if (n)
618 return __strn_find_child(&base->profiles, hname, n);
619 return NULL;
620 }
621
__lookup_profile(struct aa_policy * base,const char * hname)622 static struct aa_profile *__lookup_profile(struct aa_policy *base,
623 const char *hname)
624 {
625 return __lookupn_profile(base, hname, strlen(hname));
626 }
627
628 /**
629 * aa_lookupn_profile - find a profile by its full or partial name
630 * @ns: the namespace to start from (NOT NULL)
631 * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
632 * @n: size of @hname
633 *
634 * Returns: refcounted profile or NULL if not found
635 */
aa_lookupn_profile(struct aa_ns * ns,const char * hname,size_t n)636 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
637 size_t n)
638 {
639 struct aa_profile *profile;
640
641 rcu_read_lock();
642 do {
643 profile = __lookupn_profile(&ns->base, hname, n);
644 } while (profile && !aa_get_profile_not0(profile));
645 rcu_read_unlock();
646
647 /* the unconfined profile is not in the regular profile list */
648 if (!profile && strncmp(hname, "unconfined", n) == 0)
649 profile = aa_get_newest_profile(ns->unconfined);
650
651 /* refcount released by caller */
652 return profile;
653 }
654
aa_fqlookupn_profile(struct aa_label * base,const char * fqname,size_t n)655 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
656 const char *fqname, size_t n)
657 {
658 struct aa_profile *profile;
659 struct aa_ns *ns;
660 const char *name, *ns_name;
661 size_t ns_len;
662
663 name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len);
664 if (ns_name) {
665 ns = aa_lookupn_ns(labels_ns(base), ns_name, ns_len);
666 if (!ns)
667 return NULL;
668 } else
669 ns = aa_get_ns(labels_ns(base));
670
671 if (name)
672 profile = aa_lookupn_profile(ns, name, n - (name - fqname));
673 else if (ns)
674 /* default profile for ns, currently unconfined */
675 profile = aa_get_newest_profile(ns->unconfined);
676 else
677 profile = NULL;
678 aa_put_ns(ns);
679
680 return profile;
681 }
682
683
aa_alloc_null(struct aa_profile * parent,const char * name,gfp_t gfp)684 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
685 gfp_t gfp)
686 {
687 struct aa_profile *profile;
688 struct aa_ruleset *rules;
689
690 profile = aa_alloc_profile(name, NULL, gfp);
691 if (!profile)
692 return NULL;
693
694 /* TODO: ideally we should inherit abi from parent */
695 profile->label.flags |= FLAG_NULL;
696 profile->attach.xmatch = aa_get_pdb(nullpdb);
697 rules = profile->label.rules[0];
698 rules->file = aa_get_pdb(nullpdb);
699 rules->policy = aa_get_pdb(nullpdb);
700 aa_compute_profile_mediates(profile);
701
702 if (parent) {
703 profile->path_flags = parent->path_flags;
704 /* override/inherit what is mediated from parent */
705 profile->label.mediates = parent->label.mediates;
706 /* released on free_profile */
707 rcu_assign_pointer(profile->parent, aa_get_profile(parent));
708 profile->ns = aa_get_ns(parent->ns);
709 }
710
711 return profile;
712 }
713
714 /**
715 * aa_new_learning_profile - create or find a null-X learning profile
716 * @parent: profile that caused this profile to be created (NOT NULL)
717 * @hat: true if the null- learning profile is a hat
718 * @base: name to base the null profile off of
719 * @gfp: type of allocation
720 *
721 * Find/Create a null- complain mode profile used in learning mode. The
722 * name of the profile is unique and follows the format of parent//null-XXX.
723 * where XXX is based on the @name or if that fails or is not supplied
724 * a unique number
725 *
726 * null profiles are added to the profile list but the list does not
727 * hold a count on them so that they are automatically released when
728 * not in use.
729 *
730 * Returns: new refcounted profile else NULL on failure
731 */
aa_new_learning_profile(struct aa_profile * parent,bool hat,const char * base,gfp_t gfp)732 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
733 const char *base, gfp_t gfp)
734 {
735 struct aa_profile *p, *profile;
736 const char *bname;
737 char *name = NULL;
738 size_t name_sz;
739
740 AA_BUG(!parent);
741
742 if (base) {
743 name_sz = strlen(parent->base.hname) + 8 + strlen(base);
744 name = kmalloc(name_sz, gfp);
745 if (name) {
746 snprintf(name, name_sz, "%s//null-%s",
747 parent->base.hname, base);
748 goto name;
749 }
750 /* fall through to try shorter uniq */
751 }
752
753 name_sz = strlen(parent->base.hname) + 2 + 7 + 8;
754 name = kmalloc(name_sz, gfp);
755 if (!name)
756 return NULL;
757 snprintf(name, name_sz, "%s//null-%x", parent->base.hname,
758 atomic_inc_return(&parent->ns->uniq_null));
759
760 name:
761 /* lookup to see if this is a dup creation */
762 bname = basename(name);
763 profile = aa_find_child(parent, bname);
764 if (profile)
765 goto out;
766
767 profile = aa_alloc_null(parent, name, gfp);
768 if (!profile)
769 goto fail;
770 profile->mode = APPARMOR_COMPLAIN;
771 if (hat)
772 profile->label.flags |= FLAG_HAT;
773
774 mutex_lock_nested(&profile->ns->lock, profile->ns->level);
775 p = __find_child(&parent->base.profiles, bname);
776 if (p) {
777 aa_free_profile(profile);
778 profile = aa_get_profile(p);
779 } else {
780 __add_profile(&parent->base.profiles, profile);
781 }
782 mutex_unlock(&profile->ns->lock);
783
784 /* refcount released by caller */
785 out:
786 kfree(name);
787
788 return profile;
789
790 fail:
791 kfree(name);
792 aa_free_profile(profile);
793 return NULL;
794 }
795
796 /**
797 * replacement_allowed - test to see if replacement is allowed
798 * @profile: profile to test if it can be replaced (MAYBE NULL)
799 * @noreplace: true if replacement shouldn't be allowed but addition is okay
800 * @info: Returns - info about why replacement failed (NOT NULL)
801 *
802 * Returns: %0 if replacement allowed else error code
803 */
replacement_allowed(struct aa_profile * profile,int noreplace,const char ** info)804 static int replacement_allowed(struct aa_profile *profile, int noreplace,
805 const char **info)
806 {
807 if (profile) {
808 if (profile->label.flags & FLAG_IMMUTIBLE) {
809 *info = "cannot replace immutable profile";
810 return -EPERM;
811 } else if (noreplace) {
812 *info = "profile already exists";
813 return -EEXIST;
814 }
815 }
816 return 0;
817 }
818
819 /* audit callback for net specific fields */
audit_cb(struct audit_buffer * ab,void * va)820 static void audit_cb(struct audit_buffer *ab, void *va)
821 {
822 struct common_audit_data *sa = va;
823 struct apparmor_audit_data *ad = aad(sa);
824
825 if (ad->iface.ns) {
826 audit_log_format(ab, " ns=");
827 audit_log_untrustedstring(ab, ad->iface.ns);
828 }
829 }
830
831 /**
832 * audit_policy - Do auditing of policy changes
833 * @subj_label: label to check if it can manage policy
834 * @op: policy operation being performed
835 * @ns_name: name of namespace being manipulated
836 * @name: name of profile being manipulated (NOT NULL)
837 * @info: any extra information to be audited (MAYBE NULL)
838 * @error: error code
839 *
840 * Returns: the error to be returned after audit is done
841 */
audit_policy(struct aa_label * subj_label,const char * op,const char * ns_name,const char * name,const char * info,int error)842 static int audit_policy(struct aa_label *subj_label, const char *op,
843 const char *ns_name, const char *name,
844 const char *info, int error)
845 {
846 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
847
848 ad.iface.ns = ns_name;
849 ad.name = name;
850 ad.info = info;
851 ad.error = error;
852 ad.subj_label = subj_label;
853
854 aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb);
855
856 return error;
857 }
858
859 /* don't call out to other LSMs in the stack for apparmor policy admin
860 * permissions
861 */
policy_ns_capable(const struct cred * subj_cred,struct aa_label * label,struct user_namespace * userns,int cap)862 static int policy_ns_capable(const struct cred *subj_cred,
863 struct aa_label *label,
864 struct user_namespace *userns, int cap)
865 {
866 int err;
867
868 /* check for MAC_ADMIN cap in cred */
869 err = cap_capable(subj_cred, userns, cap, CAP_OPT_NONE);
870 if (!err)
871 err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
872
873 return err;
874 }
875
876 /**
877 * aa_policy_view_capable - check if viewing policy in at @ns is allowed
878 * @subj_cred: cred of subject
879 * @label: label that is trying to view policy in ns
880 * @ns: namespace being viewed by @label (may be NULL if @label's ns)
881 *
882 * Returns: true if viewing policy is allowed
883 *
884 * If @ns is NULL then the namespace being viewed is assumed to be the
885 * tasks current namespace.
886 */
aa_policy_view_capable(const struct cred * subj_cred,struct aa_label * label,struct aa_ns * ns)887 bool aa_policy_view_capable(const struct cred *subj_cred,
888 struct aa_label *label, struct aa_ns *ns)
889 {
890 struct user_namespace *user_ns = subj_cred->user_ns;
891 struct aa_ns *view_ns = labels_view(label);
892 bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
893 in_egroup_p(make_kgid(user_ns, 0));
894 bool response = false;
895 if (!ns)
896 ns = view_ns;
897
898 if (root_in_user_ns && aa_ns_visible(view_ns, ns, true) &&
899 (user_ns == &init_user_ns ||
900 (unprivileged_userns_apparmor_policy != 0 &&
901 user_ns->level == view_ns->level)))
902 response = true;
903
904 return response;
905 }
906
aa_policy_admin_capable(const struct cred * subj_cred,struct aa_label * label,struct aa_ns * ns)907 bool aa_policy_admin_capable(const struct cred *subj_cred,
908 struct aa_label *label, struct aa_ns *ns)
909 {
910 struct user_namespace *user_ns = subj_cred->user_ns;
911 bool capable = policy_ns_capable(subj_cred, label, user_ns,
912 CAP_MAC_ADMIN) == 0;
913
914 AA_DEBUG(DEBUG_POLICY, "cap_mac_admin? %d\n", capable);
915 AA_DEBUG(DEBUG_POLICY, "policy locked? %d\n", aa_g_lock_policy);
916
917 return aa_policy_view_capable(subj_cred, label, ns) && capable &&
918 !aa_g_lock_policy;
919 }
920
aa_current_policy_view_capable(struct aa_ns * ns)921 bool aa_current_policy_view_capable(struct aa_ns *ns)
922 {
923 struct aa_label *label;
924 bool needput, res;
925
926 label = __begin_current_label_crit_section(&needput);
927 res = aa_policy_view_capable(current_cred(), label, ns);
928 __end_current_label_crit_section(label, needput);
929
930 return res;
931 }
932
aa_current_policy_admin_capable(struct aa_ns * ns)933 bool aa_current_policy_admin_capable(struct aa_ns *ns)
934 {
935 struct aa_label *label;
936 bool needput, res;
937
938 label = __begin_current_label_crit_section(&needput);
939 res = aa_policy_admin_capable(current_cred(), label, ns);
940 __end_current_label_crit_section(label, needput);
941
942 return res;
943 }
944
is_subset_of_obj_privilege(const struct cred * cred,struct aa_label * label,const struct cred * ocred)945 static bool is_subset_of_obj_privilege(const struct cred *cred,
946 struct aa_label *label,
947 const struct cred *ocred)
948 {
949 if (cred == ocred)
950 return true;
951
952 if (!aa_label_is_subset(label, cred_label(ocred)))
953 return false;
954 /* don't allow crossing userns for now */
955 if (cred->user_ns != ocred->user_ns)
956 return false;
957 if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable))
958 return false;
959 if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted))
960 return false;
961 if (!cap_issubset(cred->cap_effective, ocred->cap_effective))
962 return false;
963 if (!cap_issubset(cred->cap_bset, ocred->cap_bset))
964 return false;
965 if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient))
966 return false;
967 return true;
968 }
969
970
971 /**
972 * aa_may_manage_policy - can the current task manage policy
973 * @subj_cred: subjects cred
974 * @label: label to check if it can manage policy
975 * @ns: namespace being managed by @label (may be NULL if @label's ns)
976 * @ocred: object cred if request is coming from an open object
977 * @mask: contains the policy manipulation operation being done
978 *
979 * Returns: 0 if the task is allowed to manipulate policy else error
980 */
aa_may_manage_policy(const struct cred * subj_cred,struct aa_label * label,struct aa_ns * ns,const struct cred * ocred,u32 mask)981 int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
982 struct aa_ns *ns, const struct cred *ocred, u32 mask)
983 {
984 const char *op;
985
986 if (mask & AA_MAY_REMOVE_POLICY)
987 op = OP_PROF_RM;
988 else if (mask & AA_MAY_REPLACE_POLICY)
989 op = OP_PROF_REPL;
990 else
991 op = OP_PROF_LOAD;
992
993 /* check if loading policy is locked out */
994 if (aa_g_lock_policy)
995 return audit_policy(label, op, NULL, NULL, "policy_locked",
996 -EACCES);
997
998 if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred))
999 return audit_policy(label, op, NULL, NULL,
1000 "not privileged for target profile",
1001 -EACCES);
1002
1003 if (!aa_policy_admin_capable(subj_cred, label, ns))
1004 return audit_policy(label, op, NULL, NULL, "not policy admin",
1005 -EACCES);
1006
1007 /* TODO: add fine grained mediation of policy loads */
1008 return 0;
1009 }
1010
__list_lookup_parent(struct list_head * lh,struct aa_profile * profile)1011 static struct aa_profile *__list_lookup_parent(struct list_head *lh,
1012 struct aa_profile *profile)
1013 {
1014 const char *base = basename(profile->base.hname);
1015 long len = base - profile->base.hname;
1016 struct aa_load_ent *ent;
1017
1018 /* parent won't have trailing // so remove from len */
1019 if (len <= 2)
1020 return NULL;
1021 len -= 2;
1022
1023 list_for_each_entry(ent, lh, list) {
1024 if (ent->new == profile)
1025 continue;
1026 if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
1027 0 && ent->new->base.hname[len] == 0)
1028 return ent->new;
1029 }
1030
1031 return NULL;
1032 }
1033
1034 /**
1035 * __replace_profile - replace @old with @new on a list
1036 * @old: profile to be replaced (NOT NULL)
1037 * @new: profile to replace @old with (NOT NULL)
1038 *
1039 * Will duplicate and refcount elements that @new inherits from @old
1040 * and will inherit @old children.
1041 *
1042 * refcount @new for list, put @old list refcount
1043 *
1044 * Requires: namespace list lock be held, or list not be shared
1045 */
__replace_profile(struct aa_profile * old,struct aa_profile * new)1046 static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
1047 {
1048 struct aa_profile *child, *tmp;
1049
1050 if (!list_empty(&old->base.profiles)) {
1051 LIST_HEAD(lh);
1052 list_splice_init_rcu(&old->base.profiles, &lh, synchronize_rcu);
1053
1054 list_for_each_entry_safe(child, tmp, &lh, base.list) {
1055 struct aa_profile *p;
1056
1057 list_del_init(&child->base.list);
1058 p = __find_child(&new->base.profiles, child->base.name);
1059 if (p) {
1060 /* @p replaces @child */
1061 __replace_profile(child, p);
1062 continue;
1063 }
1064
1065 /* inherit @child and its children */
1066 /* TODO: update hname of inherited children */
1067 /* list refcount transferred to @new */
1068 p = aa_deref_parent(child);
1069 rcu_assign_pointer(child->parent, aa_get_profile(new));
1070 list_add_rcu(&child->base.list, &new->base.profiles);
1071 aa_put_profile(p);
1072 }
1073 }
1074
1075 if (!rcu_access_pointer(new->parent)) {
1076 struct aa_profile *parent = aa_deref_parent(old);
1077 rcu_assign_pointer(new->parent, aa_get_profile(parent));
1078 }
1079 aa_label_replace(&old->label, &new->label);
1080 /* migrate dents must come after label replacement b/c update */
1081 __aafs_profile_migrate_dents(old, new);
1082
1083 if (list_empty(&new->base.list)) {
1084 /* new is not on a list already */
1085 list_replace_rcu(&old->base.list, &new->base.list);
1086 aa_get_profile(new);
1087 aa_put_profile(old);
1088 } else
1089 __list_remove_profile(old);
1090 }
1091
1092 /**
1093 * __lookup_replace - lookup replacement information for a profile
1094 * @ns: namespace the lookup occurs in
1095 * @hname: name of profile to lookup
1096 * @noreplace: true if not replacing an existing profile
1097 * @p: Returns - profile to be replaced
1098 * @info: Returns - info string on why lookup failed
1099 *
1100 * Returns: profile to replace (no ref) on success else ptr error
1101 */
__lookup_replace(struct aa_ns * ns,const char * hname,bool noreplace,struct aa_profile ** p,const char ** info)1102 static int __lookup_replace(struct aa_ns *ns, const char *hname,
1103 bool noreplace, struct aa_profile **p,
1104 const char **info)
1105 {
1106 *p = aa_get_profile(__lookup_profile(&ns->base, hname));
1107 if (*p) {
1108 int error = replacement_allowed(*p, noreplace, info);
1109 if (error) {
1110 *info = "profile can not be replaced";
1111 return error;
1112 }
1113 }
1114
1115 return 0;
1116 }
1117
share_name(struct aa_profile * old,struct aa_profile * new)1118 static void share_name(struct aa_profile *old, struct aa_profile *new)
1119 {
1120 aa_put_str(new->base.hname);
1121 aa_get_str(old->base.hname);
1122 new->base.hname = old->base.hname;
1123 new->base.name = old->base.name;
1124 new->label.hname = old->label.hname;
1125 }
1126
1127 /* Update to newest version of parent after previous replacements
1128 * Returns: unrefcount newest version of parent
1129 */
update_to_newest_parent(struct aa_profile * new)1130 static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
1131 {
1132 struct aa_profile *parent, *newest;
1133
1134 parent = rcu_dereference_protected(new->parent,
1135 mutex_is_locked(&new->ns->lock));
1136 newest = aa_get_newest_profile(parent);
1137
1138 /* parent replaced in this atomic set? */
1139 if (newest != parent) {
1140 aa_put_profile(parent);
1141 rcu_assign_pointer(new->parent, newest);
1142 } else
1143 aa_put_profile(newest);
1144
1145 return newest;
1146 }
1147
1148 /**
1149 * aa_replace_profiles - replace profile(s) on the profile list
1150 * @policy_ns: namespace load is occurring on
1151 * @label: label that is attempting to load/replace policy
1152 * @mask: permission mask
1153 * @udata: serialized data stream (NOT NULL)
1154 *
1155 * unpack and replace a profile on the profile list and uses of that profile
1156 * by any task creds via invalidating the old version of the profile, which
1157 * tasks will notice to update their own cred. If the profile does not exist
1158 * on the profile list it is added.
1159 *
1160 * Returns: size of data consumed else error code on failure.
1161 */
aa_replace_profiles(struct aa_ns * policy_ns,struct aa_label * label,u32 mask,struct aa_loaddata * udata)1162 ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
1163 u32 mask, struct aa_loaddata *udata)
1164 {
1165 const char *ns_name = NULL, *info = NULL;
1166 struct aa_ns *ns = NULL;
1167 struct aa_load_ent *ent, *tmp;
1168 struct aa_loaddata *rawdata_ent;
1169 const char *op;
1170 ssize_t count, error;
1171 LIST_HEAD(lh);
1172
1173 op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
1174 aa_get_profile_loaddata(udata);
1175 /* released below */
1176 error = aa_unpack(udata, &lh, &ns_name);
1177 if (error)
1178 goto out;
1179
1180 /* ensure that profiles are all for the same ns
1181 * TODO: update locking to remove this constraint. All profiles in
1182 * the load set must succeed as a set or the load will
1183 * fail. Sort ent list and take ns locks in hierarchy order
1184 */
1185 count = 0;
1186 list_for_each_entry(ent, &lh, list) {
1187 if (ns_name) {
1188 if (ent->ns_name &&
1189 strcmp(ent->ns_name, ns_name) != 0) {
1190 info = "policy load has mixed namespaces";
1191 error = -EACCES;
1192 goto fail;
1193 }
1194 } else if (ent->ns_name) {
1195 if (count) {
1196 info = "policy load has mixed namespaces";
1197 error = -EACCES;
1198 goto fail;
1199 }
1200 ns_name = ent->ns_name;
1201 ent->ns_name = NULL;
1202 } else
1203 count++;
1204 }
1205 if (ns_name) {
1206 ns = aa_prepare_ns(policy_ns ? policy_ns : labels_ns(label),
1207 ns_name);
1208 if (IS_ERR(ns)) {
1209 op = OP_PROF_LOAD;
1210 info = "failed to prepare namespace";
1211 error = PTR_ERR(ns);
1212 ns = NULL;
1213 ent = NULL;
1214 goto fail;
1215 }
1216 } else
1217 ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label));
1218
1219 mutex_lock_nested(&ns->lock, ns->level);
1220 /* check for duplicate rawdata blobs: space and file dedup */
1221 if (!list_empty(&ns->rawdata_list)) {
1222 list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
1223 if (aa_rawdata_eq(rawdata_ent, udata)) {
1224 struct aa_loaddata *tmp;
1225
1226 tmp = aa_get_profile_loaddata(rawdata_ent);
1227 /* check we didn't fail the race */
1228 if (tmp) {
1229 aa_put_profile_loaddata(udata);
1230 udata = tmp;
1231 break;
1232 }
1233 }
1234 }
1235 }
1236 /* setup parent and ns info */
1237 list_for_each_entry(ent, &lh, list) {
1238 struct aa_policy *policy;
1239 struct aa_profile *p;
1240
1241 if (aa_g_export_binary)
1242 ent->new->rawdata = aa_get_profile_loaddata(udata);
1243 error = __lookup_replace(ns, ent->new->base.hname,
1244 !(mask & AA_MAY_REPLACE_POLICY),
1245 &ent->old, &info);
1246 if (error)
1247 goto fail_lock;
1248
1249 if (ent->new->rename) {
1250 error = __lookup_replace(ns, ent->new->rename,
1251 !(mask & AA_MAY_REPLACE_POLICY),
1252 &ent->rename, &info);
1253 if (error)
1254 goto fail_lock;
1255 }
1256
1257 /* released when @new is freed */
1258 ent->new->ns = aa_get_ns(ns);
1259
1260 if (ent->old || ent->rename)
1261 continue;
1262
1263 /* no ref on policy only use inside lock */
1264 p = NULL;
1265 policy = __lookup_parent(ns, ent->new->base.hname);
1266 if (!policy) {
1267 /* first check for parent in the load set */
1268 p = __list_lookup_parent(&lh, ent->new);
1269 if (!p) {
1270 /*
1271 * fill in missing parent with null
1272 * profile that doesn't have
1273 * permissions. This allows for
1274 * individual profile loading where
1275 * the child is loaded before the
1276 * parent, and outside of the current
1277 * atomic set. This unfortunately can
1278 * happen with some userspaces. The
1279 * null profile will be replaced once
1280 * the parent is loaded.
1281 */
1282 policy = __create_missing_ancestors(ns,
1283 ent->new->base.hname,
1284 GFP_KERNEL);
1285 if (!policy) {
1286 error = -ENOENT;
1287 info = "parent does not exist";
1288 goto fail_lock;
1289 }
1290 }
1291 }
1292 if (!p && policy != &ns->base)
1293 /* released on profile replacement or free_profile */
1294 p = (struct aa_profile *) policy;
1295 rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
1296 }
1297
1298 /* create new fs entries for introspection if needed */
1299 if (!udata->dents[AAFS_LOADDATA_DIR] && aa_g_export_binary) {
1300 error = __aa_fs_create_rawdata(ns, udata);
1301 if (error) {
1302 info = "failed to create raw_data dir and files";
1303 ent = NULL;
1304 goto fail_lock;
1305 }
1306 }
1307 list_for_each_entry(ent, &lh, list) {
1308 if (!ent->old) {
1309 struct dentry *parent;
1310 if (rcu_access_pointer(ent->new->parent)) {
1311 struct aa_profile *p;
1312 p = aa_deref_parent(ent->new);
1313 parent = prof_child_dir(p);
1314 } else
1315 parent = ns_subprofs_dir(ent->new->ns);
1316 error = __aafs_profile_mkdir(ent->new, parent);
1317 }
1318
1319 if (error) {
1320 info = "failed to create";
1321 goto fail_lock;
1322 }
1323 }
1324
1325 /* Done with checks that may fail - do actual replacement */
1326 __aa_bump_ns_revision(ns);
1327 if (aa_g_export_binary)
1328 __aa_loaddata_update(udata, ns->revision);
1329 list_for_each_entry_safe(ent, tmp, &lh, list) {
1330 list_del_init(&ent->list);
1331 op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
1332
1333 if (ent->old && ent->old->rawdata == ent->new->rawdata &&
1334 ent->new->rawdata) {
1335 /* dedup actual profile replacement */
1336 audit_policy(label, op, ns_name, ent->new->base.hname,
1337 "same as current profile, skipping",
1338 error);
1339 /* break refcount cycle with proxy. */
1340 aa_put_proxy(ent->new->label.proxy);
1341 ent->new->label.proxy = NULL;
1342 goto skip;
1343 }
1344
1345 /*
1346 * TODO: finer dedup based on profile range in data. Load set
1347 * can differ but profile may remain unchanged
1348 */
1349 audit_policy(label, op, ns_name, ent->new->base.hname, NULL,
1350 error);
1351
1352 if (ent->old) {
1353 share_name(ent->old, ent->new);
1354 __replace_profile(ent->old, ent->new);
1355 } else {
1356 struct list_head *lh;
1357
1358 if (rcu_access_pointer(ent->new->parent)) {
1359 struct aa_profile *parent;
1360
1361 parent = update_to_newest_parent(ent->new);
1362 lh = &parent->base.profiles;
1363 } else
1364 lh = &ns->base.profiles;
1365 __add_profile(lh, ent->new);
1366 }
1367 skip:
1368 aa_load_ent_free(ent);
1369 }
1370 __aa_labelset_update_subtree(ns);
1371 mutex_unlock(&ns->lock);
1372
1373 out:
1374 aa_put_ns(ns);
1375 aa_put_profile_loaddata(udata);
1376 kfree(ns_name);
1377
1378 if (error)
1379 return error;
1380 return udata->size;
1381
1382 fail_lock:
1383 mutex_unlock(&ns->lock);
1384
1385 /* audit cause of failure */
1386 op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1387 fail:
1388 audit_policy(label, op, ns_name, ent ? ent->new->base.hname : NULL,
1389 info, error);
1390 /* audit status that rest of profiles in the atomic set failed too */
1391 info = "valid profile in failed atomic policy load";
1392 list_for_each_entry(tmp, &lh, list) {
1393 if (tmp == ent) {
1394 info = "unchecked profile in failed atomic policy load";
1395 /* skip entry that caused failure */
1396 continue;
1397 }
1398 op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1399 audit_policy(label, op, ns_name, tmp->new->base.hname, info,
1400 error);
1401 }
1402 list_for_each_entry_safe(ent, tmp, &lh, list) {
1403 list_del_init(&ent->list);
1404 aa_load_ent_free(ent);
1405 }
1406
1407 goto out;
1408 }
1409
1410 /**
1411 * aa_remove_profiles - remove profile(s) from the system
1412 * @policy_ns: namespace the remove is being done from
1413 * @subj: label attempting to remove policy
1414 * @fqname: name of the profile or namespace to remove (NOT NULL)
1415 * @size: size of the name
1416 *
1417 * Remove a profile or sub namespace from the current namespace, so that
1418 * they can not be found anymore and mark them as replaced by unconfined
1419 *
1420 * NOTE: removing confinement does not restore rlimits to preconfinement values
1421 *
1422 * Returns: size of data consume else error code if fails
1423 */
aa_remove_profiles(struct aa_ns * policy_ns,struct aa_label * subj,char * fqname,size_t size)1424 ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
1425 char *fqname, size_t size)
1426 {
1427 struct aa_ns *ns = NULL;
1428 struct aa_profile *profile = NULL;
1429 const char *name = fqname, *info = NULL;
1430 const char *ns_name = NULL;
1431 ssize_t error = 0;
1432
1433 if (*fqname == 0) {
1434 info = "no profile specified";
1435 error = -ENOENT;
1436 goto fail;
1437 }
1438
1439 if (fqname[0] == ':') {
1440 size_t ns_len;
1441
1442 name = aa_splitn_fqname(fqname, size, &ns_name, &ns_len);
1443 /* released below */
1444 ns = aa_lookupn_ns(policy_ns ? policy_ns : labels_ns(subj),
1445 ns_name, ns_len);
1446 if (!ns) {
1447 info = "namespace does not exist";
1448 error = -ENOENT;
1449 goto fail;
1450 }
1451 } else
1452 /* released below */
1453 ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(subj));
1454
1455 if (!name) {
1456 /* remove namespace - can only happen if fqname[0] == ':' */
1457 mutex_lock_nested(&ns->parent->lock, ns->parent->level);
1458 __aa_bump_ns_revision(ns);
1459 __aa_remove_ns(ns);
1460 mutex_unlock(&ns->parent->lock);
1461 } else {
1462 /* remove profile */
1463 mutex_lock_nested(&ns->lock, ns->level);
1464 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1465 if (!profile) {
1466 error = -ENOENT;
1467 info = "profile does not exist";
1468 goto fail_ns_lock;
1469 }
1470 name = profile->base.hname;
1471 __aa_bump_ns_revision(ns);
1472 __remove_profile(profile);
1473 __aa_labelset_update_subtree(ns);
1474 mutex_unlock(&ns->lock);
1475 }
1476
1477 /* don't fail removal if audit fails */
1478 (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
1479 error);
1480 aa_put_ns(ns);
1481 aa_put_profile(profile);
1482 return size;
1483
1484 fail_ns_lock:
1485 mutex_unlock(&ns->lock);
1486 aa_put_ns(ns);
1487
1488 fail:
1489 (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
1490 error);
1491 return error;
1492 }
1493