1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor policy definitions. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #ifndef __AA_POLICY_H 12 #define __AA_POLICY_H 13 14 #include <linux/capability.h> 15 #include <linux/cred.h> 16 #include <linux/kref.h> 17 #include <linux/rhashtable.h> 18 #include <linux/sched.h> 19 #include <linux/slab.h> 20 #include <linux/socket.h> 21 22 #include "apparmor.h" 23 #include "audit.h" 24 #include "capability.h" 25 #include "domain.h" 26 #include "file.h" 27 #include "lib.h" 28 #include "label.h" 29 #include "net.h" 30 #include "perms.h" 31 #include "resource.h" 32 33 34 struct aa_ns; 35 36 extern int unprivileged_userns_apparmor_policy; 37 extern int aa_unprivileged_unconfined_restricted; 38 39 extern const char *const aa_profile_mode_names[]; 40 #define APPARMOR_MODE_NAMES_MAX_INDEX 4 41 42 #define PROFILE_MODE(_profile, _mode) \ 43 ((aa_g_profile_mode == (_mode)) || \ 44 ((_profile)->mode == (_mode))) 45 46 #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN) 47 48 #define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER) 49 50 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL) 51 52 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT) 53 54 #define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1) 55 56 #define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2) 57 58 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) 59 60 #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2) 61 62 /* 63 * FIXME: currently need a clean way to replace and remove profiles as a 64 * set. It should be done at the namespace level. 65 * Either, with a set of profiles loaded at the namespace level or via 66 * a mark and remove marked interface. 67 */ 68 enum profile_mode { 69 APPARMOR_ENFORCE, /* enforce access rules */ 70 APPARMOR_COMPLAIN, /* allow and log access violations */ 71 APPARMOR_KILL, /* kill task on access violation */ 72 APPARMOR_UNCONFINED, /* profile set to unconfined */ 73 APPARMOR_USER, /* modified complain mode to userspace */ 74 }; 75 76 77 /* struct aa_policydb - match engine for a policy 78 * count: refcount for the pdb 79 * dfa: dfa pattern match 80 * perms: table of permissions 81 * strs: table of strings, index by x 82 * start: set of start states for the different classes of data 83 */ 84 struct aa_policydb { 85 struct kref count; 86 struct aa_dfa *dfa; 87 struct { 88 struct aa_perms *perms; 89 u32 size; 90 }; 91 struct aa_str_table trans; 92 aa_state_t start[AA_CLASS_LAST + 1]; 93 }; 94 95 extern struct aa_policydb *nullpdb; 96 97 struct aa_policydb *aa_alloc_pdb(gfp_t gfp); 98 void aa_pdb_free_kref(struct kref *kref); 99 100 /** 101 * aa_get_pdb - increment refcount on @pdb 102 * @pdb: policydb (MAYBE NULL) 103 * 104 * Returns: pointer to @pdb if @pdb is NULL will return NULL 105 * Requires: @pdb must be held with valid refcount when called 106 */ 107 static inline struct aa_policydb *aa_get_pdb(struct aa_policydb *pdb) 108 { 109 if (pdb) 110 kref_get(&(pdb->count)); 111 112 return pdb; 113 } 114 115 /** 116 * aa_put_pdb - put a pdb refcount 117 * @pdb: pdb to put refcount (MAYBE NULL) 118 * 119 * Requires: if @pdb != NULL that a valid refcount be held 120 */ 121 static inline void aa_put_pdb(struct aa_policydb *pdb) 122 { 123 if (pdb) 124 kref_put(&pdb->count, aa_pdb_free_kref); 125 } 126 127 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy, 128 aa_state_t state) 129 { 130 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; 131 132 if (!(policy->perms)) 133 return &default_perms; 134 135 return &(policy->perms[index]); 136 } 137 138 139 /* struct aa_data - generic data structure 140 * key: name for retrieving this data 141 * size: size of data in bytes 142 * data: binary data 143 * head: reserved for rhashtable 144 */ 145 struct aa_data { 146 char *key; 147 u32 size; 148 char *data; 149 struct rhash_head head; 150 }; 151 152 /* struct aa_ruleset - data covering mediation rules 153 * @list: list the rule is on 154 * @size: the memory consumed by this ruleset 155 * @policy: general match rules governing policy 156 * @file: The set of rules governing basic file access and domain transitions 157 * @caps: capabilities for the profile 158 * @rlimits: rlimits for the profile 159 * @secmark_count: number of secmark entries 160 * @secmark: secmark label match info 161 */ 162 struct aa_ruleset { 163 struct list_head list; 164 165 int size; 166 167 /* TODO: merge policy and file */ 168 struct aa_policydb *policy; 169 struct aa_policydb *file; 170 struct aa_caps caps; 171 172 struct aa_rlimit rlimits; 173 174 int secmark_count; 175 struct aa_secmark *secmark; 176 }; 177 178 /* struct aa_attachment - data and rules for a profiles attachment 179 * @list: 180 * @xmatch_str: human readable attachment string 181 * @xmatch: optional extended matching for unconfined executables names 182 * @xmatch_len: xmatch prefix len, used to determine xmatch priority 183 * @xattr_count: number of xattrs in table 184 * @xattrs: table of xattrs 185 */ 186 struct aa_attachment { 187 const char *xmatch_str; 188 struct aa_policydb *xmatch; 189 unsigned int xmatch_len; 190 int xattr_count; 191 char **xattrs; 192 }; 193 194 /* struct aa_profile - basic confinement data 195 * @base - base components of the profile (name, refcount, lists, lock ...) 196 * @label - label this profile is an extension of 197 * @parent: parent of profile 198 * @ns: namespace the profile is in 199 * @rename: optional profile name that this profile renamed 200 * 201 * @audit: the auditing mode of the profile 202 * @mode: the enforcement mode of the profile 203 * @path_flags: flags controlling path generation behavior 204 * @disconnected: what to prepend if attach_disconnected is specified 205 * @attach: attachment rules for the profile 206 * @rules: rules to be enforced 207 * 208 * @dents: dentries for the profiles file entries in apparmorfs 209 * @dirname: name of the profile dir in apparmorfs 210 * @data: hashtable for free-form policy aa_data 211 * 212 * The AppArmor profile contains the basic confinement data. Each profile 213 * has a name, and exists in a namespace. The @name and @exec_match are 214 * used to determine profile attachment against unconfined tasks. All other 215 * attachments are determined by profile X transition rules. 216 * 217 * Profiles have a hierarchy where hats and children profiles keep 218 * a reference to their parent. 219 * 220 * Profile names can not begin with a : and can not contain the \0 221 * character. If a profile name begins with / it will be considered when 222 * determining profile attachment on "unconfined" tasks. 223 */ 224 struct aa_profile { 225 struct aa_policy base; 226 struct aa_profile __rcu *parent; 227 228 struct aa_ns *ns; 229 const char *rename; 230 231 enum audit_mode audit; 232 long mode; 233 u32 path_flags; 234 const char *disconnected; 235 236 struct aa_attachment attach; 237 struct list_head rules; 238 239 struct aa_loaddata *rawdata; 240 unsigned char *hash; 241 char *dirname; 242 struct dentry *dents[AAFS_PROF_SIZEOF]; 243 struct rhashtable *data; 244 struct aa_label label; 245 }; 246 247 extern enum profile_mode aa_g_profile_mode; 248 249 #define AA_MAY_LOAD_POLICY AA_MAY_APPEND 250 #define AA_MAY_REPLACE_POLICY AA_MAY_WRITE 251 #define AA_MAY_REMOVE_POLICY AA_MAY_DELETE 252 253 #define profiles_ns(P) ((P)->ns) 254 #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname) 255 256 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp); 257 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy, 258 gfp_t gfp); 259 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, 260 gfp_t gfp); 261 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat, 262 const char *base, gfp_t gfp); 263 void aa_free_profile(struct aa_profile *profile); 264 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); 265 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname, 266 size_t n); 267 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 268 const char *fqname, size_t n); 269 270 ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label, 271 u32 mask, struct aa_loaddata *udata); 272 ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label, 273 char *name, size_t size); 274 void __aa_profile_list_release(struct list_head *head); 275 276 #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED) 277 278 /** 279 * aa_get_newest_profile - simple wrapper fn to wrap the label version 280 * @p: profile (NOT NULL) 281 * 282 * Returns refcount to newest version of the profile (maybe @p) 283 * 284 * Requires: @p must be held with a valid refcount 285 */ 286 static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) 287 { 288 return labels_profile(aa_get_newest_label(&p->label)); 289 } 290 291 static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules, 292 unsigned char class) 293 { 294 if (class <= AA_CLASS_LAST) 295 return rules->policy->start[class]; 296 else 297 return aa_dfa_match_len(rules->policy->dfa, 298 rules->policy->start[0], &class, 1); 299 } 300 301 static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF) 302 { 303 aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET); 304 __be16 be_af = cpu_to_be16(AF); 305 306 if (!state) 307 return DFA_NOMATCH; 308 return aa_dfa_match_len(rules->policy->dfa, state, (char *) &be_af, 2); 309 } 310 311 static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head, 312 unsigned char class) 313 { 314 struct aa_ruleset *rule; 315 316 /* TODO: change to list walk */ 317 rule = list_first_entry(head, typeof(*rule), list); 318 return RULE_MEDIATES(rule, class); 319 } 320 321 /** 322 * aa_get_profile - increment refcount on profile @p 323 * @p: profile (MAYBE NULL) 324 * 325 * Returns: pointer to @p if @p is NULL will return NULL 326 * Requires: @p must be held with valid refcount when called 327 */ 328 static inline struct aa_profile *aa_get_profile(struct aa_profile *p) 329 { 330 if (p) 331 kref_get(&(p->label.count)); 332 333 return p; 334 } 335 336 /** 337 * aa_get_profile_not0 - increment refcount on profile @p found via lookup 338 * @p: profile (MAYBE NULL) 339 * 340 * Returns: pointer to @p if @p is NULL will return NULL 341 * Requires: @p must be held with valid refcount when called 342 */ 343 static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p) 344 { 345 if (p && kref_get_unless_zero(&p->label.count)) 346 return p; 347 348 return NULL; 349 } 350 351 /** 352 * aa_get_profile_rcu - increment a refcount profile that can be replaced 353 * @p: pointer to profile that can be replaced (NOT NULL) 354 * 355 * Returns: pointer to a refcounted profile. 356 * else NULL if no profile 357 */ 358 static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p) 359 { 360 struct aa_profile *c; 361 362 rcu_read_lock(); 363 do { 364 c = rcu_dereference(*p); 365 } while (c && !kref_get_unless_zero(&c->label.count)); 366 rcu_read_unlock(); 367 368 return c; 369 } 370 371 /** 372 * aa_put_profile - decrement refcount on profile @p 373 * @p: profile (MAYBE NULL) 374 */ 375 static inline void aa_put_profile(struct aa_profile *p) 376 { 377 if (p) 378 kref_put(&p->label.count, aa_label_kref); 379 } 380 381 static inline int AUDIT_MODE(struct aa_profile *profile) 382 { 383 if (aa_g_audit != AUDIT_NORMAL) 384 return aa_g_audit; 385 386 return profile->audit; 387 } 388 389 bool aa_policy_view_capable(const struct cred *subj_cred, 390 struct aa_label *label, struct aa_ns *ns); 391 bool aa_policy_admin_capable(const struct cred *subj_cred, 392 struct aa_label *label, struct aa_ns *ns); 393 int aa_may_manage_policy(const struct cred *subj_cred, 394 struct aa_label *label, struct aa_ns *ns, 395 u32 mask); 396 bool aa_current_policy_view_capable(struct aa_ns *ns); 397 bool aa_current_policy_admin_capable(struct aa_ns *ns); 398 399 #endif /* __AA_POLICY_H */ 400