1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * AppArmor security module
4 *
5 * This file contains AppArmor policy attachment and domain transitions
6 *
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11 #include <linux/errno.h>
12 #include <linux/fs.h>
13 #include <linux/file.h>
14 #include <linux/mount.h>
15 #include <linux/syscalls.h>
16 #include <linux/personality.h>
17 #include <linux/xattr.h>
18 #include <linux/user_namespace.h>
19
20 #include "include/audit.h"
21 #include "include/apparmorfs.h"
22 #include "include/cred.h"
23 #include "include/domain.h"
24 #include "include/file.h"
25 #include "include/ipc.h"
26 #include "include/match.h"
27 #include "include/path.h"
28 #include "include/policy.h"
29 #include "include/policy_ns.h"
30
31 static const char * const CONFLICTING_ATTACH_STR = "conflicting profile attachments";
32 static const char * const CONFLICTING_ATTACH_STR_IX =
33 "conflicting profile attachments - ix fallback";
34 static const char * const CONFLICTING_ATTACH_STR_UX =
35 "conflicting profile attachments - ux fallback";
36
37 /**
38 * may_change_ptraced_domain - check if can change profile on ptraced task
39 * @to_cred: cred of task changing domain
40 * @to_label: profile to change to (NOT NULL)
41 * @info: message if there is an error
42 *
43 * Check if current is ptraced and if so if the tracing task is allowed
44 * to trace the new domain
45 *
46 * Returns: %0 or error if change not allowed
47 */
may_change_ptraced_domain(const struct cred * to_cred,struct aa_label * to_label,const char ** info)48 static int may_change_ptraced_domain(const struct cred *to_cred,
49 struct aa_label *to_label,
50 const char **info)
51 {
52 struct task_struct *tracer;
53 struct aa_label *tracerl = NULL;
54 const struct cred *tracer_cred = NULL;
55
56 int error = 0;
57
58 rcu_read_lock();
59 tracer = ptrace_parent(current);
60 if (tracer) {
61 /* released below */
62 tracerl = aa_get_task_label(tracer);
63 tracer_cred = get_task_cred(tracer);
64 }
65 /* not ptraced */
66 if (!tracer || unconfined(tracerl))
67 goto out;
68
69 error = aa_may_ptrace(tracer_cred, tracerl, to_cred, to_label,
70 PTRACE_MODE_ATTACH);
71
72 out:
73 rcu_read_unlock();
74 aa_put_label(tracerl);
75 put_cred(tracer_cred);
76
77 if (error)
78 *info = "ptrace prevents transition";
79 return error;
80 }
81
82 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
83 * specifically this is an exact copy of aa_label_match except
84 * aa_compute_perms is replaced with aa_compute_fperms
85 * and policy->dfa with file->dfa
86 ****/
87 /* match a profile and its associated ns component if needed
88 * Assumes visibility test has already been done.
89 * If a subns profile is not to be matched should be prescreened with
90 * visibility test.
91 */
match_component(struct aa_profile * profile,struct aa_profile * tp,bool stack,aa_state_t state)92 static inline aa_state_t match_component(struct aa_profile *profile,
93 struct aa_profile *tp,
94 bool stack, aa_state_t state)
95 {
96 struct aa_ruleset *rules = profile->label.rules[0];
97 const char *ns_name;
98
99 if (stack)
100 state = aa_dfa_match(rules->file->dfa, state, "&");
101 if (profile->ns == tp->ns)
102 return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
103
104 /* try matching with namespace name and then profile */
105 ns_name = aa_ns_name(profile->ns, tp->ns, true);
106 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
107 state = aa_dfa_match(rules->file->dfa, state, ns_name);
108 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
109 return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
110 }
111
112 /**
113 * label_compound_match - find perms for full compound label
114 * @profile: profile to find perms for
115 * @label: label to check access permissions for
116 * @stack: whether this is a stacking request
117 * @state: state to start match in
118 * @inview: whether to match labels in view or only in scope
119 * @request: permissions to request
120 * @perms: perms struct to set
121 *
122 * Returns: 0 on success else ERROR
123 *
124 * For the label A//&B//&C this does the perm match for A//&B//&C
125 * @perms should be preinitialized with allperms OR a previous permission
126 * check to be stacked.
127 */
label_compound_match(struct aa_profile * profile,struct aa_label * label,bool stack,aa_state_t state,bool inview,u32 request,struct aa_perms * perms)128 static int label_compound_match(struct aa_profile *profile,
129 struct aa_label *label, bool stack,
130 aa_state_t state, bool inview, u32 request,
131 struct aa_perms *perms)
132 {
133 struct aa_ruleset *rules = profile->label.rules[0];
134 struct aa_profile *tp;
135 struct label_it i;
136 struct path_cond cond = { };
137
138 /* find first subcomponent that is in view and going to be interated with */
139 label_for_each(i, label, tp) {
140 if (!aa_ns_visible(profile->ns, tp->ns, inview))
141 continue;
142 state = match_component(profile, tp, stack, state);
143 if (!state)
144 goto fail;
145 goto next;
146 }
147
148 /* no component visible */
149 *perms = allperms;
150 return 0;
151
152 next:
153 label_for_each_cont(i, label, tp) {
154 if (!aa_ns_visible(profile->ns, tp->ns, inview))
155 continue;
156 state = aa_dfa_match(rules->file->dfa, state, "//&");
157 state = match_component(profile, tp, false, state);
158 if (!state)
159 goto fail;
160 }
161 *perms = *(aa_lookup_condperms(current_fsuid(), rules->file, state,
162 &cond));
163 aa_apply_modes_to_perms(profile, perms);
164 if ((perms->allow & request) != request)
165 return -EACCES;
166
167 return 0;
168
169 fail:
170 *perms = nullperms;
171 return -EACCES;
172 }
173
174 /**
175 * label_components_match - find perms for all subcomponents of a label
176 * @profile: profile to find perms for
177 * @label: label to check access permissions for
178 * @stack: whether this is a stacking request
179 * @start: state to start match in
180 * @inview: whether to match labels in view or only in scope
181 * @request: permissions to request
182 * @perms: an initialized perms struct to add accumulation to
183 *
184 * Returns: 0 on success else ERROR
185 *
186 * For the label A//&B//&C this does the perm match for each of A and B and C
187 * @perms should be preinitialized with allperms OR a previous permission
188 * check to be stacked.
189 */
label_components_match(struct aa_profile * profile,struct aa_label * label,bool stack,aa_state_t start,bool inview,u32 request,struct aa_perms * perms)190 static int label_components_match(struct aa_profile *profile,
191 struct aa_label *label, bool stack,
192 aa_state_t start, bool inview, u32 request,
193 struct aa_perms *perms)
194 {
195 struct aa_ruleset *rules = profile->label.rules[0];
196 struct aa_profile *tp;
197 struct label_it i;
198 struct aa_perms tmp;
199 struct path_cond cond = { };
200 aa_state_t state = 0;
201
202 /* find first subcomponent to test */
203 label_for_each(i, label, tp) {
204 if (!aa_ns_visible(profile->ns, tp->ns, inview))
205 continue;
206 state = match_component(profile, tp, stack, start);
207 if (!state)
208 goto fail;
209 goto next;
210 }
211
212 /* no subcomponents visible - no change in perms */
213 return 0;
214
215 next:
216 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state,
217 &cond));
218 aa_apply_modes_to_perms(profile, &tmp);
219 aa_perms_accum(perms, &tmp);
220 label_for_each_cont(i, label, tp) {
221 if (!aa_ns_visible(profile->ns, tp->ns, inview))
222 continue;
223 state = match_component(profile, tp, stack, start);
224 if (!state)
225 goto fail;
226 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state,
227 &cond));
228 aa_apply_modes_to_perms(profile, &tmp);
229 aa_perms_accum(perms, &tmp);
230 }
231
232 if ((perms->allow & request) != request)
233 return -EACCES;
234
235 return 0;
236
237 fail:
238 *perms = nullperms;
239 return -EACCES;
240 }
241
242 /**
243 * label_match - do a multi-component label match
244 * @profile: profile to match against (NOT NULL)
245 * @label: label to match (NOT NULL)
246 * @stack: whether this is a stacking request
247 * @state: state to start in
248 * @inview: whether to match labels in view or only in scope
249 * @request: permission request
250 * @perms: Returns computed perms (NOT NULL)
251 *
252 * Returns: the state the match finished in, may be the none matching state
253 */
label_match(struct aa_profile * profile,struct aa_label * label,bool stack,aa_state_t state,bool inview,u32 request,struct aa_perms * perms)254 static int label_match(struct aa_profile *profile, struct aa_label *label,
255 bool stack, aa_state_t state, bool inview, u32 request,
256 struct aa_perms *perms)
257 {
258 int error;
259
260 *perms = nullperms;
261 error = label_compound_match(profile, label, stack, state, inview,
262 request, perms);
263 if (!error)
264 return error;
265
266 *perms = allperms;
267 return label_components_match(profile, label, stack, state, inview,
268 request, perms);
269 }
270
271 /******* end TODO: dedup *****/
272
273 /**
274 * change_profile_perms - find permissions for change_profile
275 * @profile: the current profile (NOT NULL)
276 * @target: label to transition to (NOT NULL)
277 * @stack: whether this is a stacking request
278 * @request: requested perms
279 * @start: state to start matching in
280 * @perms: Returns computed perms (NOT NULL)
281 *
282 *
283 * Returns: permission set
284 *
285 * currently only matches full label A//&B//&C or individual components A, B, C
286 * not arbitrary combinations. Eg. A//&B, C
287 */
change_profile_perms(struct aa_profile * profile,struct aa_label * target,bool stack,u32 request,aa_state_t start,struct aa_perms * perms)288 static int change_profile_perms(struct aa_profile *profile,
289 struct aa_label *target, bool stack,
290 u32 request, aa_state_t start,
291 struct aa_perms *perms)
292 {
293 if (profile_unconfined(profile)) {
294 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
295 perms->audit = perms->quiet = perms->kill = 0;
296 return 0;
297 }
298
299 /* TODO: add profile in ns screening */
300 return label_match(profile, target, stack, start, true, request, perms);
301 }
302
303 /**
304 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
305 * @bprm: binprm struct for the process to validate
306 * @profile: profile to match against (NOT NULL)
307 * @state: state to start match in
308 *
309 * Returns: number of extended attributes that matched, or < 0 on error
310 */
aa_xattrs_match(const struct linux_binprm * bprm,struct aa_profile * profile,aa_state_t state)311 static int aa_xattrs_match(const struct linux_binprm *bprm,
312 struct aa_profile *profile, aa_state_t state)
313 {
314 int i;
315 struct dentry *d;
316 char *value = NULL;
317 struct aa_attachment *attach = &profile->attach;
318 int size, value_size = 0, ret = attach->xattr_count;
319
320 if (!bprm || !attach->xattr_count)
321 return 0;
322 might_sleep();
323
324 /* transition from exec match to xattr set */
325 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
326 d = bprm->file->f_path.dentry;
327
328 for (i = 0; i < attach->xattr_count; i++) {
329 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i],
330 &value, value_size, GFP_KERNEL);
331 if (size >= 0) {
332 struct aa_perms *perms;
333
334 /*
335 * Check the xattr presence before value. This ensure
336 * that not present xattr can be distinguished from a 0
337 * length value or rule that matches any value
338 */
339 state = aa_dfa_null_transition(attach->xmatch->dfa,
340 state);
341 /* Check xattr value */
342 state = aa_dfa_match_len(attach->xmatch->dfa, state,
343 value, size);
344 perms = aa_lookup_perms(attach->xmatch, state);
345 if (!(perms->allow & MAY_EXEC)) {
346 ret = -EINVAL;
347 goto out;
348 }
349 }
350 /* transition to next element */
351 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
352 if (size < 0) {
353 /*
354 * No xattr match, so verify if transition to
355 * next element was valid. IFF so the xattr
356 * was optional.
357 */
358 if (!state) {
359 ret = -EINVAL;
360 goto out;
361 }
362 /* don't count missing optional xattr as matched */
363 ret--;
364 }
365 }
366
367 out:
368 kfree(value);
369 return ret;
370 }
371
372 /**
373 * find_attach - do attachment search for unconfined processes
374 * @bprm: binprm structure of transitioning task
375 * @ns: the current namespace (NOT NULL)
376 * @head: profile list to walk (NOT NULL)
377 * @name: to match against (NOT NULL)
378 * @info: info message if there was an error (NOT NULL)
379 *
380 * Do a linear search on the profiles in the list. There is a matching
381 * preference where an exact match is preferred over a name which uses
382 * expressions to match, and matching expressions with the greatest
383 * xmatch_len are preferred.
384 *
385 * Requires: @head not be shared or have appropriate locks held
386 *
387 * Returns: label or NULL if no match found
388 */
find_attach(const struct linux_binprm * bprm,struct aa_ns * ns,struct list_head * head,const char * name,const char ** info)389 static struct aa_label *find_attach(const struct linux_binprm *bprm,
390 struct aa_ns *ns, struct list_head *head,
391 const char *name, const char **info)
392 {
393 int candidate_len = 0, candidate_xattrs = 0;
394 bool conflict = false;
395 struct aa_profile *profile, *candidate = NULL;
396
397 AA_BUG(!name);
398 AA_BUG(!head);
399
400 rcu_read_lock();
401 restart:
402 list_for_each_entry_rcu(profile, head, base.list) {
403 struct aa_attachment *attach = &profile->attach;
404
405 if (profile->label.flags & FLAG_NULL &&
406 &profile->label == ns_unconfined(profile->ns))
407 continue;
408
409 /* Find the "best" matching profile. Profiles must
410 * match the path and extended attributes (if any)
411 * associated with the file. A more specific path
412 * match will be preferred over a less specific one,
413 * and a match with more matching extended attributes
414 * will be preferred over one with fewer. If the best
415 * match has both the same level of path specificity
416 * and the same number of matching extended attributes
417 * as another profile, signal a conflict and refuse to
418 * match.
419 */
420 if (attach->xmatch->dfa) {
421 unsigned int count;
422 aa_state_t state;
423 struct aa_perms *perms;
424
425 state = aa_dfa_leftmatch(attach->xmatch->dfa,
426 attach->xmatch->start[AA_CLASS_XMATCH],
427 name, &count);
428 perms = aa_lookup_perms(attach->xmatch, state);
429 /* any accepting state means a valid match. */
430 if (perms->allow & MAY_EXEC) {
431 int ret = 0;
432
433 if (count < candidate_len)
434 continue;
435
436 if (bprm && attach->xattr_count) {
437 long rev = READ_ONCE(ns->revision);
438
439 if (!aa_get_profile_not0(profile))
440 goto restart;
441 rcu_read_unlock();
442 ret = aa_xattrs_match(bprm, profile,
443 state);
444 rcu_read_lock();
445 aa_put_profile(profile);
446 if (rev !=
447 READ_ONCE(ns->revision))
448 /* policy changed */
449 goto restart;
450 /*
451 * Fail matching if the xattrs don't
452 * match
453 */
454 if (ret < 0)
455 continue;
456 }
457 /*
458 * TODO: allow for more flexible best match
459 *
460 * The new match isn't more specific
461 * than the current best match
462 */
463 if (count == candidate_len &&
464 ret <= candidate_xattrs) {
465 /* Match is equivalent, so conflict */
466 if (ret == candidate_xattrs)
467 conflict = true;
468 continue;
469 }
470
471 /* Either the same length with more matching
472 * xattrs, or a longer match
473 */
474 candidate = profile;
475 candidate_len = max(count, attach->xmatch_len);
476 candidate_xattrs = ret;
477 conflict = false;
478 }
479 } else if (!strcmp(profile->base.name, name)) {
480 /*
481 * old exact non-re match, without conditionals such
482 * as xattrs. no more searching required
483 */
484 candidate = profile;
485 goto out;
486 }
487 }
488
489 if (!candidate || conflict) {
490 if (conflict)
491 *info = CONFLICTING_ATTACH_STR;
492 rcu_read_unlock();
493 return NULL;
494 }
495
496 out:
497 candidate = aa_get_newest_profile(candidate);
498 rcu_read_unlock();
499
500 return &candidate->label;
501 }
502
next_name(int xtype,const char * name)503 static const char *next_name(int xtype, const char *name)
504 {
505 return NULL;
506 }
507
508 /**
509 * x_table_lookup - lookup an x transition name via transition table
510 * @profile: current profile (NOT NULL)
511 * @xindex: index into x transition table
512 * @name: returns: name tested to find label (NOT NULL)
513 *
514 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
515 * @name will always be set with the last name tried
516 */
x_table_lookup(struct aa_profile * profile,u32 xindex,const char ** name)517 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
518 const char **name)
519 {
520 struct aa_ruleset *rules = profile->label.rules[0];
521 struct aa_label *label = NULL;
522 u32 xtype = xindex & AA_X_TYPE_MASK;
523 int index = xindex & AA_X_INDEX_MASK;
524 const char *next;
525
526 AA_BUG(!name);
527
528 /* index is guaranteed to be in range, validated at load time */
529 /* TODO: move lookup parsing to unpack time so this is a straight
530 * index into the resultant label
531 */
532 for (next = rules->file->trans.table[index].strs; next;
533 next = next_name(xtype, next)) {
534 const char *lookup = (*next == '&') ? next + 1 : next;
535 *name = next;
536 if (xindex & AA_X_CHILD) {
537 /* TODO: switich to parse to get stack of child */
538 struct aa_profile *new = aa_find_child(profile, lookup);
539
540 if (new)
541 /* release by caller */
542 return &new->label;
543 continue;
544 }
545 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL,
546 true, false);
547 if (!IS_ERR_OR_NULL(label))
548 /* release by caller */
549 return label;
550 }
551
552 return NULL;
553 }
554
555 /**
556 * x_to_label - get target label for a given xindex
557 * @profile: current profile (NOT NULL)
558 * @bprm: binprm structure of transitioning task
559 * @name: name to lookup (NOT NULL)
560 * @xindex: index into x transition table
561 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
562 * @info: info message if there was an error (NOT NULL)
563 *
564 * find label for a transition index
565 *
566 * Returns: refcounted label or NULL if not found available
567 */
x_to_label(struct aa_profile * profile,const struct linux_binprm * bprm,const char * name,u32 xindex,const char ** lookupname,const char ** info)568 static struct aa_label *x_to_label(struct aa_profile *profile,
569 const struct linux_binprm *bprm,
570 const char *name, u32 xindex,
571 const char **lookupname,
572 const char **info)
573 {
574 struct aa_label *new = NULL;
575 struct aa_label *stack = NULL;
576 struct aa_ns *ns = profile->ns;
577 u32 xtype = xindex & AA_X_TYPE_MASK;
578 /* Used for info checks during fallback handling */
579 const char *old_info = NULL;
580
581 switch (xtype) {
582 case AA_X_NONE:
583 /* fail exec unless ix || ux fallback - handled by caller */
584 *lookupname = NULL;
585 break;
586 case AA_X_TABLE:
587 /* TODO: fix when perm mapping done at unload */
588 /* released by caller
589 * if null for both stack and direct want to try fallback
590 */
591 new = x_table_lookup(profile, xindex, lookupname);
592 if (!new || **lookupname != '&')
593 break;
594 stack = new;
595 new = NULL;
596 fallthrough; /* to X_NAME */
597 case AA_X_NAME:
598 if (xindex & AA_X_CHILD)
599 /* released by caller */
600 new = find_attach(bprm, ns, &profile->base.profiles,
601 name, info);
602 else
603 /* released by caller */
604 new = find_attach(bprm, ns, &ns->base.profiles,
605 name, info);
606 *lookupname = name;
607 break;
608 }
609
610 /* fallback transition check */
611 if (!new) {
612 if (xindex & AA_X_INHERIT) {
613 /* (p|c|n)ix - don't change profile but do
614 * use the newest version
615 */
616 if (*info == CONFLICTING_ATTACH_STR) {
617 *info = CONFLICTING_ATTACH_STR_IX;
618 } else {
619 old_info = *info;
620 *info = "ix fallback";
621 }
622 /* no profile && no error */
623 new = aa_get_newest_label(&profile->label);
624 } else if (xindex & AA_X_UNCONFINED) {
625 new = aa_get_newest_label(ns_unconfined(profile->ns));
626 if (*info == CONFLICTING_ATTACH_STR) {
627 *info = CONFLICTING_ATTACH_STR_UX;
628 } else {
629 old_info = *info;
630 *info = "ux fallback";
631 }
632 }
633 /* We set old_info on the code paths above where overwriting
634 * could have happened, so now check if info was set by
635 * find_attach as well (i.e. whether we actually overwrote)
636 * and warn accordingly.
637 */
638 if (old_info && old_info != CONFLICTING_ATTACH_STR) {
639 pr_warn_ratelimited(
640 "AppArmor: find_attach (from profile %s) audit info \"%s\" dropped",
641 profile->base.hname, old_info);
642 }
643 }
644
645 if (new && stack) {
646 /* base the stack on post domain transition */
647 struct aa_label *base = new;
648
649 new = aa_label_merge(base, stack, GFP_KERNEL);
650 /* null on error */
651 aa_put_label(base);
652 }
653
654 aa_put_label(stack);
655 /* released by caller */
656 return new;
657 }
658
profile_transition(const struct cred * subj_cred,struct aa_profile * profile,const struct linux_binprm * bprm,char * buffer,struct path_cond * cond,bool * secure_exec)659 static struct aa_label *profile_transition(const struct cred *subj_cred,
660 struct aa_profile *profile,
661 const struct linux_binprm *bprm,
662 char *buffer, struct path_cond *cond,
663 bool *secure_exec)
664 {
665 struct aa_ruleset *rules = profile->label.rules[0];
666 struct aa_label *new = NULL;
667 struct aa_profile *new_profile = NULL;
668 const char *info = NULL, *name = NULL, *target = NULL;
669 aa_state_t state = rules->file->start[AA_CLASS_FILE];
670 struct aa_perms perms = {};
671 bool nonewprivs = false;
672 int error = 0;
673
674 AA_BUG(!profile);
675 AA_BUG(!bprm);
676 AA_BUG(!buffer);
677
678 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
679 &name, &info, profile->disconnected);
680 if (error) {
681 if (profile_unconfined(profile) ||
682 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
683 AA_DEBUG(DEBUG_DOMAIN, "name lookup ix on error");
684 error = 0;
685 new = aa_get_newest_label(&profile->label);
686 }
687 name = bprm->filename;
688 goto audit;
689 }
690
691 if (profile_unconfined(profile)) {
692 new = find_attach(bprm, profile->ns,
693 &profile->ns->base.profiles, name, &info);
694 /* info set -> something unusual that we should report
695 * Currently this is only conflicting attachments, but other
696 * infos added in the future should also be logged by default
697 * and only excluded on a case-by-case basis
698 */
699 if (info) {
700 /* Because perms is never used again after this audit
701 * we don't need to care about clobbering it
702 */
703 perms.audit |= MAY_EXEC;
704 perms.allow |= MAY_EXEC;
705 /* Don't cause error if auditing fails */
706 (void) aa_audit_file(subj_cred, profile, &perms,
707 OP_EXEC, MAY_EXEC, name, target, new, cond->uid,
708 info, error);
709 }
710 if (new) {
711 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label");
712 return new;
713 }
714 AA_DEBUG(DEBUG_DOMAIN, "unconfined exec no attachment");
715 return aa_get_newest_label(&profile->label);
716 }
717
718 /* find exec permissions for name */
719 state = aa_str_perms(rules->file, state, name, cond, &perms);
720 if (perms.allow & MAY_EXEC) {
721 /* exec permission determine how to transition */
722 new = x_to_label(profile, bprm, name, perms.xindex, &target,
723 &info);
724 if (new && new->proxy == profile->label.proxy && info) {
725 /* Force audit on conflicting attachment fallback
726 * Because perms is never used again after this audit
727 * we don't need to care about clobbering it
728 */
729 if (info == CONFLICTING_ATTACH_STR_IX
730 || info == CONFLICTING_ATTACH_STR_UX)
731 perms.audit |= MAY_EXEC;
732 /* hack ix fallback - improve how this is detected */
733 goto audit;
734 } else if (!new) {
735 if (info) {
736 pr_warn_ratelimited(
737 "AppArmor: %s (from profile %s) audit info \"%s\" dropped on missing transition",
738 __func__, profile->base.hname, info);
739 }
740 info = "profile transition not found";
741 /* remove MAY_EXEC to audit as failure or complaint */
742 perms.allow &= ~MAY_EXEC;
743 if (COMPLAIN_MODE(profile)) {
744 /* create null profile instead of failing */
745 goto create_learning_profile;
746 }
747 error = -EACCES;
748 }
749 } else if (COMPLAIN_MODE(profile)) {
750 create_learning_profile:
751 /* no exec permission - learning mode */
752 new_profile = aa_new_learning_profile(profile, false, name,
753 GFP_KERNEL);
754 if (!new_profile) {
755 error = -ENOMEM;
756 info = "could not create null profile";
757 } else {
758 error = -EACCES;
759 new = &new_profile->label;
760 }
761 perms.xindex |= AA_X_UNSAFE;
762 } else
763 /* fail exec */
764 error = -EACCES;
765
766 if (!new)
767 goto audit;
768
769
770 if (!(perms.xindex & AA_X_UNSAFE)) {
771 if (DEBUG_ON) {
772 dbg_printk("apparmor: setting AT_SECURE for %s profile=",
773 name);
774 aa_label_printk(new, GFP_KERNEL);
775 dbg_printk("\n");
776 }
777 *secure_exec = true;
778 }
779
780 audit:
781 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name,
782 target, new,
783 cond->uid, info, error);
784 if (!new || nonewprivs) {
785 aa_put_label(new);
786 return ERR_PTR(error);
787 }
788
789 return new;
790 }
791
profile_onexec(const struct cred * subj_cred,struct aa_profile * profile,struct aa_label * onexec,bool stack,const struct linux_binprm * bprm,char * buffer,struct path_cond * cond,bool * secure_exec)792 static int profile_onexec(const struct cred *subj_cred,
793 struct aa_profile *profile, struct aa_label *onexec,
794 bool stack, const struct linux_binprm *bprm,
795 char *buffer, struct path_cond *cond,
796 bool *secure_exec)
797 {
798 struct aa_ruleset *rules = profile->label.rules[0];
799 aa_state_t state = rules->file->start[AA_CLASS_FILE];
800 struct aa_perms perms = {};
801 const char *xname = NULL, *info = "change_profile onexec";
802 int error = -EACCES;
803
804 AA_BUG(!profile);
805 AA_BUG(!onexec);
806 AA_BUG(!bprm);
807 AA_BUG(!buffer);
808
809 if (profile_unconfined(profile)) {
810 /* change_profile on exec already granted */
811 /*
812 * NOTE: Domain transitions from unconfined are allowed
813 * even when no_new_privs is set because this always results
814 * in a further reduction of permissions.
815 */
816 return 0;
817 }
818
819 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
820 &xname, &info, profile->disconnected);
821 if (error) {
822 if (profile_unconfined(profile) ||
823 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
824 AA_DEBUG(DEBUG_DOMAIN, "name lookup ix on error");
825 error = 0;
826 }
827 xname = bprm->filename;
828 goto audit;
829 }
830
831 /* find exec permissions for name */
832 state = aa_str_perms(rules->file, state, xname, cond, &perms);
833 if (!(perms.allow & AA_MAY_ONEXEC)) {
834 info = "no change_onexec valid for executable";
835 goto audit;
836 }
837 /* test if this exec can be paired with change_profile onexec.
838 * onexec permission is linked to exec with a standard pairing
839 * exec\0change_profile
840 */
841 state = aa_dfa_null_transition(rules->file->dfa, state);
842 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
843 state, &perms);
844 if (error) {
845 perms.allow &= ~AA_MAY_ONEXEC;
846 goto audit;
847 }
848
849 if (!(perms.xindex & AA_X_UNSAFE)) {
850 if (DEBUG_ON) {
851 dbg_printk("apparmor: setting AT_SECURE for %s label=",
852 xname);
853 aa_label_printk(onexec, GFP_KERNEL);
854 dbg_printk("\n");
855 }
856 *secure_exec = true;
857 }
858
859 audit:
860 return aa_audit_file(subj_cred, profile, &perms, OP_EXEC,
861 AA_MAY_ONEXEC, xname,
862 NULL, onexec, cond->uid, info, error);
863 }
864
865 /* ensure none ns domain transitions are correctly applied with onexec */
866
handle_onexec(const struct cred * subj_cred,struct aa_label * label,struct aa_label * onexec,bool stack,const struct linux_binprm * bprm,char * buffer,struct path_cond * cond,bool * unsafe)867 static struct aa_label *handle_onexec(const struct cred *subj_cred,
868 struct aa_label *label,
869 struct aa_label *onexec, bool stack,
870 const struct linux_binprm *bprm,
871 char *buffer, struct path_cond *cond,
872 bool *unsafe)
873 {
874 struct aa_profile *profile;
875 struct aa_label *new;
876 int error;
877
878 AA_BUG(!label);
879 AA_BUG(!onexec);
880 AA_BUG(!bprm);
881 AA_BUG(!buffer);
882
883 /* TODO: determine how much we want to loosen this
884 * only check profiles in scope for permission to change at exec
885 */
886 error = fn_for_each_in_scope(label, profile,
887 profile_onexec(subj_cred, profile, onexec, stack,
888 bprm, buffer, cond, unsafe));
889 if (error)
890 return ERR_PTR(error);
891
892 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
893 stack ? aa_label_merge(&profile->label, onexec,
894 GFP_KERNEL)
895 : aa_get_newest_label(onexec),
896 profile_transition(subj_cred, profile, bprm,
897 buffer, cond, unsafe));
898 if (new)
899 return new;
900
901 /* TODO: get rid of GLOBAL_ROOT_UID */
902 error = fn_for_each_in_scope(label, profile,
903 aa_audit_file(subj_cred, profile, &nullperms,
904 OP_CHANGE_ONEXEC,
905 AA_MAY_ONEXEC, bprm->filename, NULL,
906 onexec, GLOBAL_ROOT_UID,
907 "failed to build target label", -ENOMEM));
908 return ERR_PTR(error);
909 }
910
911 /**
912 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
913 * @bprm: binprm for the exec (NOT NULL)
914 *
915 * Returns: %0 or error on failure
916 *
917 * TODO: once the other paths are done see if we can't refactor into a fn
918 */
apparmor_bprm_creds_for_exec(struct linux_binprm * bprm)919 int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
920 {
921 struct aa_task_ctx *ctx;
922 struct aa_label *label, *new = NULL;
923 const struct cred *subj_cred;
924 struct aa_profile *profile;
925 char *buffer = NULL;
926 const char *info = NULL;
927 int error = 0;
928 bool unsafe = false;
929 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file),
930 file_inode(bprm->file));
931 struct path_cond cond = {
932 vfsuid_into_kuid(vfsuid),
933 file_inode(bprm->file)->i_mode
934 };
935
936 subj_cred = current_cred();
937 ctx = task_ctx(current);
938 AA_BUG(!cred_label(bprm->cred));
939 AA_BUG(!ctx);
940
941 label = aa_get_newest_label(cred_label(bprm->cred));
942
943 /*
944 * Detect no new privs being set, and store the label it
945 * occurred under. Ideally this would happen when nnp
946 * is set but there isn't a good way to do that yet.
947 *
948 * Testing for unconfined must be done before the subset test
949 */
950 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&
951 !ctx->nnp)
952 ctx->nnp = aa_get_label(label);
953
954 /* buffer freed below, name is pointer into buffer */
955 buffer = aa_get_buffer(false);
956 if (!buffer) {
957 error = -ENOMEM;
958 goto done;
959 }
960
961 /* Test for onexec first as onexec override other x transitions. */
962 if (ctx->onexec)
963 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
964 bprm, buffer, &cond, &unsafe);
965 else
966 new = fn_label_build(label, profile, GFP_KERNEL,
967 profile_transition(subj_cred, profile, bprm,
968 buffer,
969 &cond, &unsafe));
970
971 AA_BUG(!new);
972 if (IS_ERR(new)) {
973 error = PTR_ERR(new);
974 goto done;
975 } else if (!new) {
976 error = -ENOMEM;
977 goto done;
978 }
979
980 /* Policy has specified a domain transitions. If no_new_privs and
981 * confined ensure the transition is to confinement that is subset
982 * of the confinement when the task entered no new privs.
983 *
984 * NOTE: Domain transitions from unconfined and to stacked
985 * subsets are allowed even when no_new_privs is set because this
986 * always results in a further reduction of permissions.
987 */
988 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
989 !unconfined(label) &&
990 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
991 error = -EPERM;
992 info = "no new privs";
993 goto audit;
994 }
995
996 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
997 /* FIXME: currently don't mediate shared state */
998 ;
999 }
1000
1001 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) {
1002 /* TODO: test needs to be profile of label to new */
1003 error = may_change_ptraced_domain(bprm->cred, new, &info);
1004 if (error)
1005 goto audit;
1006 }
1007
1008 if (unsafe) {
1009 if (DEBUG_ON) {
1010 dbg_printk("setting AT_SECURE for %s label=",
1011 bprm->filename);
1012 aa_label_printk(new, GFP_KERNEL);
1013 dbg_printk("\n");
1014 }
1015 bprm->secureexec = 1;
1016 }
1017
1018 if (label->proxy != new->proxy) {
1019 /* when transitioning clear unsafe personality bits */
1020 if (DEBUG_ON) {
1021 dbg_printk("apparmor: clearing unsafe personality bits. %s label=",
1022 bprm->filename);
1023 aa_label_printk(new, GFP_KERNEL);
1024 dbg_printk("\n");
1025 }
1026 bprm->per_clear |= PER_CLEAR_ON_SETID;
1027 }
1028 aa_put_label(cred_label(bprm->cred));
1029 /* transfer reference, released when cred is freed */
1030 set_cred_label(bprm->cred, new);
1031
1032 done:
1033 aa_put_label(label);
1034 aa_put_buffer(buffer);
1035
1036 return error;
1037
1038 audit:
1039 error = fn_for_each(label, profile,
1040 aa_audit_file(current_cred(), profile, &nullperms,
1041 OP_EXEC, MAY_EXEC,
1042 bprm->filename, NULL, new,
1043 vfsuid_into_kuid(vfsuid), info, error));
1044 aa_put_label(new);
1045 goto done;
1046 }
1047
1048 /*
1049 * Functions for self directed profile change
1050 */
1051
1052
1053 /* helper fn for change_hat
1054 *
1055 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1056 */
build_change_hat(const struct cred * subj_cred,struct aa_profile * profile,const char * name,bool sibling)1057 static struct aa_label *build_change_hat(const struct cred *subj_cred,
1058 struct aa_profile *profile,
1059 const char *name, bool sibling)
1060 {
1061 struct aa_profile *root, *hat = NULL;
1062 const char *info = NULL;
1063 int error = 0;
1064
1065 if (sibling && PROFILE_IS_HAT(profile)) {
1066 root = aa_get_profile_rcu(&profile->parent);
1067 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
1068 root = aa_get_profile(profile);
1069 } else {
1070 info = "conflicting target types";
1071 error = -EPERM;
1072 goto audit;
1073 }
1074
1075 hat = aa_find_child(root, name);
1076 if (!hat) {
1077 error = -ENOENT;
1078 if (COMPLAIN_MODE(profile)) {
1079 hat = aa_new_learning_profile(profile, true, name,
1080 GFP_KERNEL);
1081 if (!hat) {
1082 info = "failed null profile create";
1083 error = -ENOMEM;
1084 }
1085 }
1086 }
1087 aa_put_profile(root);
1088
1089 audit:
1090 aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT,
1091 AA_MAY_CHANGEHAT,
1092 name, hat ? hat->base.hname : NULL,
1093 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
1094 error);
1095 if (!hat || (error && error != -ENOENT))
1096 return ERR_PTR(error);
1097 /* if hat && error - complain mode, already audited and we adjust for
1098 * complain mode allow by returning hat->label
1099 */
1100 return &hat->label;
1101 }
1102
1103 /* helper fn for changing into a hat
1104 *
1105 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1106 */
change_hat(const struct cred * subj_cred,struct aa_label * label,const char * hats[],int count,int flags)1107 static struct aa_label *change_hat(const struct cred *subj_cred,
1108 struct aa_label *label, const char *hats[],
1109 int count, int flags)
1110 {
1111 struct aa_profile *profile, *root, *hat = NULL;
1112 struct aa_label *new;
1113 struct label_it it;
1114 bool sibling = false;
1115 const char *name, *info = NULL;
1116 int i, error;
1117
1118 AA_BUG(!label);
1119 AA_BUG(!hats);
1120 AA_BUG(count < 1);
1121
1122 if (PROFILE_IS_HAT(labels_profile(label)))
1123 sibling = true;
1124
1125 /*find first matching hat */
1126 for (i = 0; i < count && !hat; i++) {
1127 name = hats[i];
1128 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1129 if (sibling && PROFILE_IS_HAT(profile)) {
1130 root = aa_get_profile_rcu(&profile->parent);
1131 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
1132 root = aa_get_profile(profile);
1133 } else { /* conflicting change type */
1134 info = "conflicting targets types";
1135 error = -EPERM;
1136 goto fail;
1137 }
1138 hat = aa_find_child(root, name);
1139 aa_put_profile(root);
1140 if (!hat) {
1141 if (!COMPLAIN_MODE(profile))
1142 goto outer_continue;
1143 /* complain mode succeed as if hat */
1144 } else if (!PROFILE_IS_HAT(hat)) {
1145 info = "target not hat";
1146 error = -EPERM;
1147 aa_put_profile(hat);
1148 goto fail;
1149 }
1150 aa_put_profile(hat);
1151 }
1152 /* found a hat for all profiles in ns */
1153 goto build;
1154 outer_continue:
1155 ;
1156 }
1157 /* no hats that match, find appropriate error
1158 *
1159 * In complain mode audit of the failure is based off of the first
1160 * hat supplied. This is done due how userspace interacts with
1161 * change_hat.
1162 */
1163 name = NULL;
1164 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1165 if (!list_empty(&profile->base.profiles)) {
1166 info = "hat not found";
1167 error = -ENOENT;
1168 goto fail;
1169 }
1170 }
1171 info = "no hats defined";
1172 error = -ECHILD;
1173
1174 fail:
1175 label_for_each_in_scope(it, labels_ns(label), label, profile) {
1176 /*
1177 * no target as it has failed to be found or built
1178 *
1179 * change_hat uses probing and should not log failures
1180 * related to missing hats
1181 */
1182 /* TODO: get rid of GLOBAL_ROOT_UID */
1183 if (count > 1 || COMPLAIN_MODE(profile)) {
1184 aa_audit_file(subj_cred, profile, &nullperms,
1185 OP_CHANGE_HAT,
1186 AA_MAY_CHANGEHAT, name, NULL, NULL,
1187 GLOBAL_ROOT_UID, info, error);
1188 }
1189 }
1190 return ERR_PTR(error);
1191
1192 build:
1193 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
1194 build_change_hat(subj_cred, profile, name,
1195 sibling),
1196 aa_get_label(&profile->label));
1197 if (!new) {
1198 info = "label build failed";
1199 error = -ENOMEM;
1200 goto fail;
1201 } /* else if (IS_ERR) build_change_hat has logged error so return new */
1202
1203 return new;
1204 }
1205
1206 /**
1207 * aa_change_hat - change hat to/from subprofile
1208 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
1209 * @count: number of hat names in @hats
1210 * @token: magic value to validate the hat change
1211 * @flags: flags affecting behavior of the change
1212 *
1213 * Returns %0 on success, error otherwise.
1214 *
1215 * Change to the first profile specified in @hats that exists, and store
1216 * the @hat_magic in the current task context. If the count == 0 and the
1217 * @token matches that stored in the current task context, return to the
1218 * top level profile.
1219 *
1220 * change_hat only applies to profiles in the current ns, and each profile
1221 * in the ns must make the same transition otherwise change_hat will fail.
1222 */
aa_change_hat(const char * hats[],int count,u64 token,int flags)1223 int aa_change_hat(const char *hats[], int count, u64 token, int flags)
1224 {
1225 const struct cred *subj_cred;
1226 struct aa_task_ctx *ctx = task_ctx(current);
1227 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1228 struct aa_profile *profile;
1229 struct aa_perms perms = {};
1230 const char *info = NULL;
1231 int error = 0;
1232
1233 /* released below */
1234 subj_cred = get_current_cred();
1235 label = aa_get_newest_cred_label(subj_cred);
1236 previous = aa_get_newest_label(ctx->previous);
1237
1238 /*
1239 * Detect no new privs being set, and store the label it
1240 * occurred under. Ideally this would happen when nnp
1241 * is set but there isn't a good way to do that yet.
1242 *
1243 * Testing for unconfined must be done before the subset test
1244 */
1245 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1246 ctx->nnp = aa_get_label(label);
1247
1248 /* return -EPERM when unconfined doesn't have children to avoid
1249 * changing the traditional error code for unconfined.
1250 */
1251 if (unconfined(label)) {
1252 struct label_it i;
1253 bool empty = true;
1254
1255 rcu_read_lock();
1256 label_for_each_in_scope(i, labels_ns(label), label, profile) {
1257 empty &= list_empty(&profile->base.profiles);
1258 }
1259 rcu_read_unlock();
1260
1261 if (empty) {
1262 info = "unconfined can not change_hat";
1263 error = -EPERM;
1264 goto fail;
1265 }
1266 }
1267
1268 if (count) {
1269 new = change_hat(subj_cred, label, hats, count, flags);
1270 AA_BUG(!new);
1271 if (IS_ERR(new)) {
1272 error = PTR_ERR(new);
1273 new = NULL;
1274 /* already audited */
1275 goto out;
1276 }
1277
1278 /* target cred is the same as current except new label */
1279 error = may_change_ptraced_domain(subj_cred, new, &info);
1280 if (error)
1281 goto fail;
1282
1283 /*
1284 * no new privs prevents domain transitions that would
1285 * reduce restrictions.
1286 */
1287 if (task_no_new_privs(current) && !unconfined(label) &&
1288 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
1289 /* not an apparmor denial per se, so don't log it */
1290 AA_DEBUG(DEBUG_DOMAIN,
1291 "no_new_privs - change_hat denied");
1292 error = -EPERM;
1293 goto out;
1294 }
1295
1296 if (flags & AA_CHANGE_TEST)
1297 goto out;
1298
1299 target = new;
1300 error = aa_set_current_hat(new, token);
1301 if (error == -EACCES)
1302 /* kill task in case of brute force attacks */
1303 goto kill;
1304 } else if (previous && !(flags & AA_CHANGE_TEST)) {
1305 /*
1306 * no new privs prevents domain transitions that would
1307 * reduce restrictions.
1308 */
1309 if (task_no_new_privs(current) && !unconfined(label) &&
1310 !aa_label_is_unconfined_subset(previous, ctx->nnp)) {
1311 /* not an apparmor denial per se, so don't log it */
1312 AA_DEBUG(DEBUG_DOMAIN,
1313 "no_new_privs - change_hat denied");
1314 error = -EPERM;
1315 goto out;
1316 }
1317
1318 /* Return to saved label. Kill task if restore fails
1319 * to avoid brute force attacks
1320 */
1321 target = previous;
1322 error = aa_restore_previous_label(token);
1323 if (error) {
1324 if (error == -EACCES)
1325 goto kill;
1326 goto fail;
1327 }
1328 } /* else ignore @flags && restores when there is no saved profile */
1329
1330 out:
1331 aa_put_label(new);
1332 aa_put_label(previous);
1333 aa_put_label(label);
1334 put_cred(subj_cred);
1335
1336 return error;
1337
1338 kill:
1339 info = "failed token match";
1340 perms.kill = AA_MAY_CHANGEHAT;
1341
1342 fail:
1343 fn_for_each_in_scope(label, profile,
1344 aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT,
1345 AA_MAY_CHANGEHAT, NULL, NULL, target,
1346 GLOBAL_ROOT_UID, info, error));
1347
1348 goto out;
1349 }
1350
1351
change_profile_perms_wrapper(const char * op,const char * name,const struct cred * subj_cred,struct aa_profile * profile,struct aa_label * target,bool stack,u32 request,struct aa_perms * perms)1352 static int change_profile_perms_wrapper(const char *op, const char *name,
1353 const struct cred *subj_cred,
1354 struct aa_profile *profile,
1355 struct aa_label *target, bool stack,
1356 u32 request, struct aa_perms *perms)
1357 {
1358 struct aa_ruleset *rules = profile->label.rules[0];
1359 const char *info = NULL;
1360 int error = 0;
1361
1362 if (!error)
1363 error = change_profile_perms(profile, target, stack, request,
1364 rules->file->start[AA_CLASS_FILE],
1365 perms);
1366 if (error)
1367 error = aa_audit_file(subj_cred, profile, perms, op, request,
1368 name,
1369 NULL, target, GLOBAL_ROOT_UID, info,
1370 error);
1371
1372 return error;
1373 }
1374
1375 static const char *stack_msg = "change_profile unprivileged unconfined converted to stacking";
1376
1377 /**
1378 * aa_change_profile - perform a one-way profile transition
1379 * @fqname: name of profile may include namespace (NOT NULL)
1380 * @flags: flags affecting change behavior
1381 *
1382 * Change to new profile @name. Unlike with hats, there is no way
1383 * to change back. If @name isn't specified the current profile name is
1384 * used.
1385 * If @onexec then the transition is delayed until
1386 * the next exec.
1387 *
1388 * Returns %0 on success, error otherwise.
1389 */
aa_change_profile(const char * fqname,int flags)1390 int aa_change_profile(const char *fqname, int flags)
1391 {
1392 struct aa_label *label, *new = NULL, *target = NULL;
1393 struct aa_profile *profile;
1394 struct aa_perms perms = {};
1395 const char *info = NULL;
1396 const char *auditname = fqname; /* retain leading & if stack */
1397 bool stack = flags & AA_CHANGE_STACK;
1398 struct aa_task_ctx *ctx = task_ctx(current);
1399 const struct cred *subj_cred = get_current_cred();
1400 int error = 0;
1401 char *op;
1402 u32 request;
1403
1404 label = aa_get_current_label();
1405
1406 /*
1407 * Detect no new privs being set, and store the label it
1408 * occurred under. Ideally this would happen when nnp
1409 * is set but there isn't a good way to do that yet.
1410 *
1411 * Testing for unconfined must be done before the subset test
1412 */
1413 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
1414 ctx->nnp = aa_get_label(label);
1415
1416 if (!fqname || !*fqname) {
1417 aa_put_label(label);
1418 AA_DEBUG(DEBUG_DOMAIN, "no profile name");
1419 return -EINVAL;
1420 }
1421
1422 if (flags & AA_CHANGE_ONEXEC) {
1423 request = AA_MAY_ONEXEC;
1424 if (stack)
1425 op = OP_STACK_ONEXEC;
1426 else
1427 op = OP_CHANGE_ONEXEC;
1428 } else {
1429 request = AA_MAY_CHANGE_PROFILE;
1430 if (stack)
1431 op = OP_STACK;
1432 else
1433 op = OP_CHANGE_PROFILE;
1434 }
1435
1436 /* This should move to a per profile test. Requires pushing build
1437 * into callback
1438 */
1439 if (!stack && unconfined(label) &&
1440 label == &labels_ns(label)->unconfined->label &&
1441 aa_unprivileged_unconfined_restricted &&
1442 /* TODO: refactor so this check is a fn */
1443 cap_capable(current_cred(), &init_user_ns, CAP_MAC_OVERRIDE,
1444 CAP_OPT_NOAUDIT)) {
1445 /* regardless of the request in this case apparmor
1446 * stacks against unconfined so admin set policy can't be
1447 * by-passed
1448 */
1449 stack = true;
1450 perms.audit = request;
1451 (void) fn_for_each_in_scope(label, profile,
1452 aa_audit_file(subj_cred, profile, &perms, op,
1453 request, auditname, NULL, target,
1454 GLOBAL_ROOT_UID, stack_msg, 0));
1455 perms.audit = 0;
1456 }
1457
1458 if (*fqname == '&') {
1459 stack = true;
1460 /* don't have label_parse() do stacking */
1461 fqname++;
1462 }
1463 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
1464 if (IS_ERR(target)) {
1465 struct aa_profile *tprofile;
1466
1467 info = "label not found";
1468 error = PTR_ERR(target);
1469 target = NULL;
1470 /*
1471 * TODO: fixme using labels_profile is not right - do profile
1472 * per complain profile
1473 */
1474 if ((flags & AA_CHANGE_TEST) ||
1475 !COMPLAIN_MODE(labels_profile(label)))
1476 goto audit;
1477 /* released below */
1478 tprofile = aa_new_learning_profile(labels_profile(label), false,
1479 fqname, GFP_KERNEL);
1480 if (!tprofile) {
1481 info = "failed null profile create";
1482 error = -ENOMEM;
1483 goto audit;
1484 }
1485 target = &tprofile->label;
1486 goto check;
1487 }
1488
1489 /*
1490 * self directed transitions only apply to current policy ns
1491 * TODO: currently requiring perms for stacking and straight change
1492 * stacking doesn't strictly need this. Determine how much
1493 * we want to loosen this restriction for stacking
1494 *
1495 * if (!stack) {
1496 */
1497 error = fn_for_each_in_scope(label, profile,
1498 change_profile_perms_wrapper(op, auditname,
1499 subj_cred,
1500 profile, target, stack,
1501 request, &perms));
1502 if (error)
1503 /* auditing done in change_profile_perms_wrapper */
1504 goto out;
1505
1506 /* } */
1507
1508 check:
1509 /* check if tracing task is allowed to trace target domain */
1510 error = may_change_ptraced_domain(subj_cred, target, &info);
1511 if (error && !fn_for_each_in_scope(label, profile,
1512 COMPLAIN_MODE(profile)))
1513 goto audit;
1514
1515 /* TODO: add permission check to allow this
1516 * if ((flags & AA_CHANGE_ONEXEC) && !current_is_single_threaded()) {
1517 * info = "not a single threaded task";
1518 * error = -EACCES;
1519 * goto audit;
1520 * }
1521 */
1522 if (flags & AA_CHANGE_TEST)
1523 goto out;
1524
1525 /* stacking is always a subset, so only check the nonstack case */
1526 if (!stack) {
1527 new = fn_label_build_in_scope(label, profile, GFP_KERNEL,
1528 aa_get_label(target),
1529 aa_get_label(&profile->label));
1530 /*
1531 * no new privs prevents domain transitions that would
1532 * reduce restrictions.
1533 */
1534 if (task_no_new_privs(current) && !unconfined(label) &&
1535 !aa_label_is_unconfined_subset(new, ctx->nnp)) {
1536 /* not an apparmor denial per se, so don't log it */
1537 AA_DEBUG(DEBUG_DOMAIN,
1538 "no_new_privs - change_hat denied");
1539 error = -EPERM;
1540 goto out;
1541 }
1542 }
1543
1544 if (!(flags & AA_CHANGE_ONEXEC)) {
1545 /* only transition profiles in the current ns */
1546 if (stack)
1547 new = aa_label_merge(label, target, GFP_KERNEL);
1548 if (IS_ERR_OR_NULL(new)) {
1549 info = "failed to build target label";
1550 if (!new)
1551 error = -ENOMEM;
1552 else
1553 error = PTR_ERR(new);
1554 new = NULL;
1555 perms.allow = 0;
1556 goto audit;
1557 }
1558 error = aa_replace_current_label(new);
1559 } else {
1560 if (new) {
1561 aa_put_label(new);
1562 new = NULL;
1563 }
1564
1565 /* full transition will be built in exec path */
1566 aa_set_current_onexec(target, stack);
1567 }
1568
1569 audit:
1570 error = fn_for_each_in_scope(label, profile,
1571 aa_audit_file(subj_cred,
1572 profile, &perms, op, request, auditname,
1573 NULL, new ? new : target,
1574 GLOBAL_ROOT_UID, info, error));
1575
1576 out:
1577 aa_put_label(new);
1578 aa_put_label(target);
1579 aa_put_label(label);
1580 put_cred(subj_cred);
1581
1582 return error;
1583 }
1584