1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/slab.h> 13 #include <linux/security.h> 14 #include <linux/vmalloc.h> 15 #include <linux/init.h> 16 #include <linux/seq_file.h> 17 #include <linux/uaccess.h> 18 #include <linux/mount.h> 19 #include <linux/namei.h> 20 #include <linux/capability.h> 21 #include <linux/rcupdate.h> 22 #include <linux/fs.h> 23 #include <linux/fs_context.h> 24 #include <linux/poll.h> 25 #include <linux/zstd.h> 26 #include <uapi/linux/major.h> 27 #include <uapi/linux/magic.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/cred.h" 33 #include "include/crypto.h" 34 #include "include/ipc.h" 35 #include "include/label.h" 36 #include "include/lib.h" 37 #include "include/policy.h" 38 #include "include/policy_ns.h" 39 #include "include/resource.h" 40 #include "include/policy_unpack.h" 41 #include "include/task.h" 42 43 /* 44 * The apparmor filesystem interface used for policy load and introspection 45 * The interface is split into two main components based on their function 46 * a securityfs component: 47 * used for static files that are always available, and which allows 48 * userspace to specify the location of the security filesystem. 49 * 50 * fns and data are prefixed with 51 * aa_sfs_ 52 * 53 * an apparmorfs component: 54 * used loaded policy content and introspection. It is not part of a 55 * regular mounted filesystem and is available only through the magic 56 * policy symlink in the root of the securityfs apparmor/ directory. 57 * Tasks queries will be magically redirected to the correct portion 58 * of the policy tree based on their confinement. 
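 *
 * fns and data are prefixed with
 *     aafs_
 *
 * The aa_fs_ prefix is used to indicate the fn is used by both the
 * securityfs and apparmorfs filesystems.
 */

/* Stored in inode->i_private by aafs_evict() once the ref it held has been
 * dropped, so a stale use after eviction is recognisable rather than a
 * silent use-after-free of the old pointer.
 */
#define IREF_POISON 101

/*
 * support fns
 */

/* per-open private data of a raw_data file: the loaddata it refers to plus a
 * trailing flexible byte array for the bytes handed to userspace
 */
struct rawdata_f_data {
	struct aa_loaddata *loaddata;
	DECLARE_FLEX_ARRAY(char, data);
};

#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY

/* Drop the loaddata reference held by @private and free it. NULL is a no-op. */
static void rawdata_f_data_free(struct rawdata_f_data *private)
{
	if (!private)
		return;

	aa_put_i_loaddata(private->loaddata);
	kvfree(private);
}

/*
 * Allocate a zeroed rawdata_f_data with @size bytes of trailing data.
 *
 * Returns: the allocation, ERR_PTR(-EINVAL) if header + @size would overflow
 * size_t, or ERR_PTR(-ENOMEM) on allocation failure.
 */
static struct rawdata_f_data *rawdata_f_data_alloc(size_t size)
{
	struct rawdata_f_data *ret;

	if (size > SIZE_MAX - sizeof(*ret))
		return ERR_PTR(-EINVAL);

	ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL);
	if (!ret)
		return ERR_PTR(-ENOMEM);

	return ret;
}
#endif

/**
 * mangle_name - mangle a profile name to std profile layout form
 * @name: profile name to mangle (NOT NULL)
 * @target: buffer to store mangled name, same length as @name (MAYBE NULL)
 *
 * Leading '/' and '.' are skipped. After that '/' becomes '.', whitespace
 * becomes '_', alphanumerics and "._-" are copied unchanged and any other
 * byte is dropped, so the result never needs more room than @name. With
 * @target NULL only the resulting length is computed; the counting pass
 * accepts exactly the same set of bytes as the copying pass.
 *
 * Returns: length of mangled name (not counting the terminating NUL)
 */
static int mangle_name(const char *name, char *target)
{
	char *t = target;

	while (*name == '/' || *name == '.')
		name++;

	if (target) {
		for (; *name; name++) {
			if (*name == '/')
				*(t)++ = '.';
			else if (isspace(*name))
				*(t)++ = '_';
			else if (isalnum(*name) || strchr("._-", *name))
				*(t)++ = *name;
		}

		*t = 0;
	} else {
		int len = 0;
		for (; *name; name++) {
			if (isalnum(*name) || isspace(*name) ||
			    strchr("/._-", *name))
				len++;
		}

		return len;
	}

	return t - target;
}


/*
 * aafs - core fns and data for the policy tree
 */

#define AAFS_NAME		"apparmorfs"
static struct vfsmount *aafs_mnt;	/* pinned per dentry by aafs_create() */
static int aafs_count;			/* pin count paired with aafs_mnt */


/* ->show_path: render @dentry as "apparmorfs:[<inode number>]" */
static int aafs_show_path(struct seq_file *seq, struct dentry *dentry)
{
	/* i_ino is an unsigned long; cast so the vararg matches %llu on
	 * every ABI instead of only where long happens to be 64 bits
	 */
	seq_printf(seq, "%s:[%llu]", AAFS_NAME,
		   (unsigned long long)d_inode(dentry)->i_ino);
	return 0;
}

/*
 * struct aa_common_ref is the shared refcount header embedded (as ->count)
 * in aa_label, aa_proxy and aa_loaddata. An inode keeps one in i_private;
 * the get_*_common_ref() helpers recover the containing object from it and
 * take a reference, returning NULL for a NULL @ref.
 */

/* Return a new ns reference for the label behind @ref, or NULL. */
static struct aa_ns *get_ns_common_ref(struct aa_common_ref *ref)
{
	if (ref) {
		struct aa_label *reflabel = container_of(ref, struct aa_label,
							 count);
		return aa_get_ns(labels_ns(reflabel));
	}

	return NULL;
}

/* Return a new proxy reference for the proxy behind @ref, or NULL. */
static struct aa_proxy *get_proxy_common_ref(struct aa_common_ref *ref)
{
	if (ref)
		return aa_get_proxy(container_of(ref, struct aa_proxy, count));

	return NULL;
}

#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
/* Return a new loaddata reference for the loaddata behind @ref, or NULL. */
static struct aa_loaddata *get_loaddata_common_ref(struct aa_common_ref *ref)
{
	if (ref)
		return aa_get_i_loaddata(container_of(ref, struct aa_loaddata,
						     count));
	return NULL;
}
#endif

/*
 * Drop the reference @ref stands for, dispatching on ref->reftype to the
 * put helper of the containing object. NULL is a no-op; an unknown type is
 * a bug rather than a silent leak.
 */
static void aa_put_common_ref(struct aa_common_ref *ref)
{
	if (!ref)
		return;

	switch (ref->reftype) {
	case REF_RAWDATA:
		aa_put_i_loaddata(container_of(ref, struct aa_loaddata,
					       count));
		break;
	case REF_PROXY:
		aa_put_proxy(container_of(ref, struct aa_proxy,
					  count));
		break;
	case REF_NS:
		/* ns count is held on its unconfined label */
		aa_put_ns(labels_ns(container_of(ref, struct aa_label, count)));
		break;
	default:
		AA_BUG(true, "unknown refcount type");
		break;
	}
}

/* Take a reference on @ref (NOT NULL). Type-agnostic: only the embedded
 * kref is touched, the matching put is aa_put_common_ref().
 */
static void aa_get_common_ref(struct aa_common_ref *ref)
{
	kref_get(&ref->count);
}

/* ->evict_inode: release the ref held in i_private and poison the slot. */
static void aafs_evict(struct inode *inode)
{
	struct aa_common_ref *ref = inode->i_private;

	clear_inode(inode);
	aa_put_common_ref(ref);
	inode->i_private = (void *) IREF_POISON;
}

/* ->free_inode: a symlink inode owns (and kfree()s) its target string. */
static void aafs_free_inode(struct inode *inode)
{
	if (S_ISLNK(inode->i_mode))
		kfree(inode->i_link);
	free_inode_nonrcu(inode);
}

static const struct super_operations aafs_super_ops = {
	.statfs = simple_statfs,
	.evict_inode = aafs_evict,
	.free_inode = aafs_free_inode,
	.show_path = aafs_show_path,
};

/* Populate a fresh apparmorfs superblock with an empty root and our sb ops. */
static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc)
{
	static struct tree_descr files[] = { {""} };
	int error;

	error = simple_fill_super(sb, AAFS_MAGIC, files);
	if (error)
		return error;
	sb->s_op = &aafs_super_ops;

	return 0;
}

/* One shared superblock: every mount of apparmorfs sees the same tree. */
static int apparmorfs_get_tree(struct fs_context *fc)
{
	return get_tree_single(fc, apparmorfs_fill_super);
}

static const struct fs_context_operations apparmorfs_context_ops = {
	.get_tree = apparmorfs_get_tree,
};

static int apparmorfs_init_fs_context(struct fs_context *fc)
{
	fc->ops = &apparmorfs_context_ops;
	return 0;
}

static struct file_system_type aafs_ops = {
	.owner = THIS_MODULE,
	.name = AAFS_NAME,
	.init_fs_context = apparmorfs_init_fs_context,
	.kill_sb = kill_anon_super,
};

/**
 * __aafs_setup_d_inode - basic inode setup for apparmorfs
 * @dir: parent directory for the dentry (NOT NULL)
 * @dentry: dentry we are setting the inode up for (NOT NULL)
 * @mode: permissions the file should have
 * @data: data to store on inode.i_private, available in open()
 * @link: if symlink, symlink target string; freed by aafs_free_inode()
 * @fops: struct file_operations that should be used
 * @iops: struct of inode_operations that should be used
 *
 * Returns: 0 on success, -ENOMEM if no inode could be allocated
 */
static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry,
				umode_t mode, void *data, char *link,
				const struct file_operations *fops,
				const struct inode_operations *iops)
{
	struct inode *inode;

	/* validate the arguments before @dir is dereferenced for its sb */
	AA_BUG(!dir);
	AA_BUG(!dentry);

	inode = new_inode(dir->i_sb);
	if (!inode)
		return -ENOMEM;

	inode->i_ino = get_next_ino();
	inode->i_mode = mode;
	simple_inode_init_ts(inode);
	inode->i_private = data;
	if (S_ISDIR(mode)) {
		inode->i_op = iops ? iops : &simple_dir_inode_operations;
		inode->i_fop = &simple_dir_operations;
		/* link counts for the new dir's "." and the parent's ".." */
		inc_nlink(inode);
		inc_nlink(dir);
	} else if (S_ISLNK(mode)) {
		inode->i_op = iops ? iops : &simple_symlink_inode_operations;
		inode->i_link = link;
	} else {
		inode->i_fop = fops;
	}
	d_instantiate(dentry, inode);
	dget(dentry);

	return 0;
}

/**
 * aafs_create - create a dentry in the apparmorfs filesystem
 *
 * @name: name of dentry to create
 * @mode: permissions the file should have
 * @parent: parent directory for this dentry
 * @data: data to store on inode.i_private, available in open(); a
 *        reference is taken on success and dropped again by aafs_evict()
 * @link: if symlink, symlink target string
 * @fops: struct file_operations that should be used for the file
 * @iops: struct of inode_operations that should be used
 *
 * This is the basic "create a xxx" function for apparmorfs.
 *
 * Returns a pointer to a dentry if it succeeds, that must be freed with
 * aafs_remove(). Will return ERR_PTR on failure.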
 */
static struct dentry *aafs_create(const char *name, umode_t mode,
				  struct dentry *parent,
				  struct aa_common_ref *data, void *link,
				  const struct file_operations *fops,
				  const struct inode_operations *iops)
{
	struct dentry *dentry;
	struct inode *dir;
	int error;

	AA_BUG(!name);
	AA_BUG(!parent);

	/* no file type bits given: default to a regular file */
	if (!(mode & S_IFMT))
		mode = (mode & S_IALLUGO) | S_IFREG;

	/* every live dentry holds one pin on the fs; aafs_remove() releases it */
	error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
	if (error)
		return ERR_PTR(error);

	dir = d_inode(parent);

	dentry = simple_start_creating(parent, name);
	if (IS_ERR(dentry)) {
		error = PTR_ERR(dentry);
		goto fail;
	}

	error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops);
	simple_done_creating(dentry);
	if (error)
		goto fail;

	/* the inode now points at @data: take the ref aafs_evict() will put */
	if (data)
		aa_get_common_ref(data);

	return dentry;

fail:
	/* undo the pin taken above; no dentry was handed out */
	simple_release_fs(&aafs_mnt, &aafs_count);
	return ERR_PTR(error);
}

/**
 * aafs_create_file - create a file in the apparmorfs filesystem
 *
 * @name: name of dentry to create
 * @mode: permissions the file should have
 * @parent: parent directory for this dentry
 * @data: data to store on inode.i_private, available in open()
 * @fops: struct file_operations that should be used for the file
 *
 * Thin wrapper around aafs_create() with no symlink target and default
 * inode operations; see aafs_create for the return contract.
 */
static struct dentry *aafs_create_file(const char *name, umode_t mode,
				       struct dentry *parent,
				       struct aa_common_ref *data,
				       const struct file_operations *fops)
{
	return aafs_create(name, mode, parent, data, NULL, fops, NULL);
}

/**
 * aafs_create_dir - create a directory in the apparmorfs filesystem
 *
 * @name: name of dentry to create
 * @parent: parent directory for this dentry
 *
 * Creates a 0755 directory with no private data; see aafs_create for the
 * return contract.
 */
static struct dentry *aafs_create_dir(const char *name, struct dentry *parent)
{
	return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL,
			   NULL);
}

/**
 * aafs_remove - removes a file or directory from the apparmorfs filesystem
 *
 * @dentry: dentry of the file/directory/symlink to be removed (NULL or
 *          ERR_PTR is ignored)
 *
 * Unlinks the dentry from its parent and releases the fs pin taken by
 * aafs_create(). A directory is only removed when it is empty; a
 * non-empty one triggers a WARN and is left in place (but the pin is
 * still released).
 */
static void aafs_remove(struct dentry *dentry)
{
	struct inode *dir;

	if (!dentry || IS_ERR(dentry))
		return;

	/* ->d_parent is stable as rename is not supported */
	dir = d_inode(dentry->d_parent);
	dentry = start_removing_dentry(dentry->d_parent, dentry);
	if (!IS_ERR(dentry) && simple_positive(dentry)) {
		if (d_is_dir(dentry)) {
			if (!WARN_ON(!simple_empty(dentry))) {
				__simple_rmdir(dir, dentry);
				dput(dentry);
			}
		} else {
			__simple_unlink(dir, dentry);
			dput(dentry);
		}
		d_delete(dentry);
	}
	end_removing(dentry);
	simple_release_fs(&aafs_mnt, &aafs_count);
}


/*
 * aa_fs - policy load/replace/remove
 */

/**
 * aa_simple_write_to_buffer - common routine for getting policy from user
 * @userbuf: user buffer to copy data from (NOT NULL)
 * @alloc_size: size of the kernel buffer to allocate; may exceed
 *              @copy_size so a caller can append a terminator
 *              (REQUIRES: @alloc_size >= @copy_size)
 * @copy_size: size of data to copy from user buffer
 * @pos: position write is at in the file (NOT NULL)
 *
 * Returns: kernel buffer containing copy of user buffer data or an
 * ERR_PTR on failure; -ESPIPE if *@pos is not 0, -EFAULT if the copy
 * from userspace fails.
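 */
static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf,
						     size_t alloc_size,
						     size_t copy_size,
						     loff_t *pos)
{
	struct aa_loaddata *data;

	AA_BUG(copy_size > alloc_size);

	if (*pos != 0)
		/* only writes from pos 0, that is complete writes */
		return ERR_PTR(-ESPIPE);

	/* freed by caller to simple_write_to_buffer */
	data = aa_loaddata_alloc(alloc_size);
	if (IS_ERR(data))
		return data;

	/* ->size records what was copied, not what was allocated */
	data->size = copy_size;
	if (copy_from_user(data->data, userbuf, copy_size)) {
		/* trigger free - don't need to put pcount */
		aa_put_i_loaddata(data);
		return ERR_PTR(-EFAULT);
	}

	return data;
}

/*
 * policy_update - handle a write() to a .load or .replace file
 * @mask: AA_MAY_* policy management permissions this write requires
 * @buf: user buffer holding the policy blob
 * @size: bytes in @buf
 * @pos: file position; only complete writes at 0 are accepted
 * @ns: namespace reference taken from the file's inode (MAYBE NULL)
 * @ocred: credentials the file was opened with (file->f_cred)
 *
 * Returns: result of aa_replace_profiles() (bytes consumed) or -errno
 */
static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
			     loff_t *pos, struct aa_ns *ns,
			     const struct cred *ocred)
{
	struct aa_loaddata *data;
	struct aa_label *label;
	ssize_t error;

	label = begin_current_label_crit_section();

	/* high level check about policy management - fine grained in
	 * below after unpack
	 */
	error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask);
	if (error)
		goto end_section;

	data = aa_simple_write_to_buffer(buf, size, size, pos);
	error = PTR_ERR(data);
	if (!IS_ERR(data)) {
		error = aa_replace_profiles(ns, label, mask, data);
		/* put pcount, which will put count and free if no
		 * profiles referencing it.
		 */
		aa_put_profile_loaddata(data);
	}
end_section:
	end_current_label_crit_section(label);

	return error;
}

/* .load file hook fn to load policy */
static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
			    loff_t *pos)
{
	struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);
	/* ssize_t, not int: policy_update() returns a ssize_t and the
	 * value is handed straight back to the VFS as the write result
	 */
	ssize_t error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns,
				      f->f_cred);

	aa_put_ns(ns);

	return error;
}

static const struct file_operations aa_fs_profile_load = {
	.write = profile_load,
	.llseek = default_llseek,
};

/* .replace file hook fn to load and/or replace policy */
static ssize_t profile_replace(struct file *f, const char __user *buf,
			       size_t size, loff_t *pos)
{
	struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);
	/* ssize_t for the same reason as in profile_load() */
	ssize_t error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
				      buf, size, pos, ns, f->f_cred);
	aa_put_ns(ns);

	return error;
}

static const struct file_operations aa_fs_profile_replace = {
	.write = profile_replace,
	.llseek = default_llseek,
};

/* .remove file hook fn to remove loaded policy
 *
 * The written bytes are a profile name, not a policy blob; one extra byte
 * is allocated so the name can be NUL terminated before it is parsed.
 */
static ssize_t profile_remove(struct file *f, const char __user *buf,
			      size_t size, loff_t *pos)
{
	struct aa_loaddata *data;
	struct aa_label *label;
	ssize_t error;
	struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private);

	label = begin_current_label_crit_section();
	/* high level check about policy management - fine grained in
	 * below after unpack
	 */
	error = aa_may_manage_policy(current_cred(), label, ns,
				     f->f_cred, AA_MAY_REMOVE_POLICY);
	if (error)
		goto out;

	/*
	 * aa_remove_profile needs a null terminated string so 1 extra
	 * byte is allocated and the copied data is null terminated.
	 * NOTE(review): size + 1 relies on the VFS bounding write sizes
	 * well below SIZE_MAX (MAX_RW_COUNT) — confirm if this path is
	 * ever reached by other means.
	 */
	data = aa_simple_write_to_buffer(buf, size + 1, size, pos);

	error = PTR_ERR(data);
	if (!IS_ERR(data)) {
		data->data[size] = 0;
		error = aa_remove_profiles(ns, label, data->data, size);
		aa_put_profile_loaddata(data);
	}
out:
	end_current_label_crit_section(label);
	aa_put_ns(ns);
	return error;
}

static const struct file_operations aa_fs_profile_remove = {
	.write = profile_remove,
	.llseek = default_llseek,
};

/* per-open state of a revision file */
struct aa_revision {
	struct aa_ns *ns;	/* namespace being watched (owns a ref) */
	long last_read;		/* ns->revision as of the last completed read */
};

/* revision file hook fn for policy loads */
static int ns_revision_release(struct inode *inode, struct file *file)
{
	struct aa_revision *rev = file->private_data;

	if (rev) {
		aa_put_ns(rev->ns);
		kfree(rev);
	}

	return 0;
}

/*
 * Read the namespace's policy revision as decimal text. If the caller has
 * already read the current revision the read blocks (or returns -EAGAIN
 * for O_NONBLOCK) until __aa_bump_ns_revision() raises it. Once a read
 * reaches the end of the formatted value, the revision is recorded as
 * consumed and the file position reset so the next read waits again.
 */
static ssize_t ns_revision_read(struct file *file, char __user *buf,
				size_t size, loff_t *ppos)
{
	struct aa_revision *rev = file->private_data;
	char buffer[32];
	long last_read;
	int avail;

	mutex_lock_nested(&rev->ns->lock, rev->ns->level);
	last_read = rev->last_read;
	if (last_read == rev->ns->revision) {
		mutex_unlock(&rev->ns->lock);
		if (file->f_flags & O_NONBLOCK)
			return -EAGAIN;
		/* lockless check paired with the WRITE_ONCE in the bump fn */
		if (wait_event_interruptible(rev->ns->wait,
					     last_read !=
					     READ_ONCE(rev->ns->revision)))
			return -ERESTARTSYS;
		mutex_lock_nested(&rev->ns->lock, rev->ns->level);
	}

	avail = sprintf(buffer, "%ld\n", rev->ns->revision);
	/* this read consumes the tail of the value: mark it seen and rewind */
	if (*ppos + size > avail) {
		rev->last_read = rev->ns->revision;
		*ppos = 0;
	}
	mutex_unlock(&rev->ns->lock);

	return simple_read_from_buffer(buf, size, ppos, buffer, avail);
}

/* Watch the namespace the inode refers to, or the opener's own ns. */
static int ns_revision_open(struct inode *inode, struct file *file)
{
	struct aa_revision *rev = kzalloc_obj(*rev);

	if (!rev)
		return -ENOMEM;

	rev->ns = get_ns_common_ref(inode->i_private);
	if (!rev->ns)
		rev->ns = aa_get_current_ns();
	file->private_data = rev;

	return 0;
}

/* Readable once the revision has moved past what this opener last read. */
static __poll_t ns_revision_poll(struct file *file, poll_table *pt)
{
	struct aa_revision *rev = file->private_data;
	__poll_t mask = 0;

	if (rev) {
		mutex_lock_nested(&rev->ns->lock, rev->ns->level);
		poll_wait(file, &rev->ns->wait, pt);
		if (rev->last_read < rev->ns->revision)
			mask |= EPOLLIN | EPOLLRDNORM;
		mutex_unlock(&rev->ns->lock);
	}

	return mask;
}

/*
 * Advance @ns's revision and wake revision-file waiters.
 * NOTE(review): the readers above take ns->lock; this writer only uses
 * WRITE_ONCE, so callers are presumably expected to hold ns->lock — confirm.
 */
void __aa_bump_ns_revision(struct aa_ns *ns)
{
	WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1);
	wake_up_interruptible(&ns->wait);
}

static const struct file_operations aa_fs_ns_revision_fops = {
	.owner = THIS_MODULE,
	.open = ns_revision_open,
	.poll = ns_revision_poll,
	.read = ns_revision_read,
	.llseek = generic_file_llseek,
};

/*
 * profile_query_cb - accumulate one profile's permissions for a query
 * @profile: profile to match; unconfined profiles contribute nothing
 * @perms: running accumulation of the answer (raw accumulate)
 * @match_str: binary query; first byte is the mediation class
 * @match_len: length of @match_str
 *
 * File class queries are matched against the file dfa (class byte
 * stripped); everything else goes through the policy dfa from its start
 * state, but only if the ruleset mediates that class.
 */
static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
			     const char *match_str, size_t match_len)
{
	struct aa_ruleset *rules = profile->label.rules[0];
	struct aa_perms tmp = { };
	aa_state_t state = DFA_NOMATCH;

	if (profile_unconfined(profile))
		return;
	if (rules->file->dfa && *match_str == AA_CLASS_FILE) {
		state = aa_dfa_match_len(rules->file->dfa,
					 rules->file->start[AA_CLASS_FILE],
					 match_str + 1, match_len - 1);
		if (state) {
			struct path_cond cond = { };

			tmp = *(aa_lookup_condperms(current_fsuid(),
						    rules->file, state, &cond));
		}
	} else if (rules->policy->dfa) {
		if (!RULE_MEDIATES(rules, *match_str))
			return;	/* no change to current perms */
		/* old user space does not correctly detect dbus mediation
		 * support so we may get dbus policy and requests when
		 * the abi doesn't support it. This can cause mediation
		 * regressions, so explicitly test for this situation.
		 */
		if (*match_str == AA_CLASS_DBUS &&
		    !RULE_MEDIATES_v9NET(rules))
			return;	/* no change to current perms */
		state = aa_dfa_match_len(rules->policy->dfa,
					 rules->policy->start[0],
					 match_str, match_len);
		if (state)
			tmp = *aa_lookup_perms(rules->policy, state);
	}
	aa_apply_modes_to_perms(profile, &tmp);
	aa_perms_accum_raw(perms, &tmp);
}


/**
 * query_data - queries a policy and writes its data to buf
 * @buf: the resulting data is stored here (NOT NULL)
 * @buf_len: size of buf
 * @query: query string used to retrieve data
 * @query_len: size of query including second NUL byte
 *
 * The buffers pointed to by buf and query may overlap. The query buffer is
 * parsed before buf is written to.
 *
 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of
 * the security confinement context and <KEY> is the name of the data to
 * retrieve. <LABEL> and <KEY> must not be NUL-terminated.
 *
 * Output layout: a little-endian u32 with the number of bytes that follow
 * it, a little-endian u32 block count, then per block a little-endian u32
 * size followed by that many data bytes.
 *
 * Don't expect the contents of buf to be preserved on failure.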
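 *
 * Returns: number of characters written to buf or -errno on failure
 */
static ssize_t query_data(char *buf, size_t buf_len,
			  char *query, size_t query_len)
{
	char *out;
	const char *key;
	struct label_it i;
	struct aa_label *label, *curr;
	struct aa_profile *profile;
	struct aa_data *data;
	u32 bytes, blocks;
	__le32 outle32;
	size_t label_len, key_max, key_len;

	if (!query_len)
		return -EINVAL;	/* need a query */

	/* <LABEL> must be NUL terminated inside the query and leave room for
	 * at least one key byte and its NUL: label + '\0' + key + '\0'.
	 * The checks are done on lengths rather than pointers so no pointer
	 * past the end of @query is ever formed.
	 */
	label_len = strnlen(query, query_len);
	if (label_len + 2 >= query_len)
		return -EINVAL;	/* not enough space for a key and its NUL */
	key = query + label_len + 1;
	key_max = query_len - label_len - 1;
	key_len = strnlen(key, key_max);
	if (key_len == key_max)
		return -EINVAL;	/* must end with NUL */

	if (buf_len < sizeof(bytes) + sizeof(blocks))
		return -EINVAL;	/* not enough space */

	/* @query is NUL terminated at label_len, so it is safe as a C string */
	curr = begin_current_label_crit_section();
	label = aa_label_parse(curr, query, GFP_KERNEL, false, false);
	end_current_label_crit_section(curr);
	if (IS_ERR(label))
		return PTR_ERR(label);

	/* We are going to leave space for two numbers. The first is the total
	 * number of bytes we are writing after the first number. This is so
	 * users can read the full output without reallocation.
	 *
	 * The second number is the number of data blocks we're writing. An
	 * application might be confined by multiple policies having data in
	 * the same key.
	 */
	memset(buf, 0, sizeof(bytes) + sizeof(blocks));
	out = buf + sizeof(bytes) + sizeof(blocks);

	blocks = 0;
	label_for_each_confined(i, label, profile) {
		size_t remaining;

		if (!profile->data)
			continue;

		data = rhashtable_lookup_fast(profile->data, &key,
					      profile->data->p);

		if (data) {
			/* need room for the size prefix plus the payload;
			 * compared as lengths so an oversized data->size
			 * cannot wrap a pointer past the buffer end
			 */
			remaining = buf_len - (out - buf);
			if (remaining < sizeof(outle32) ||
			    data->size > remaining - sizeof(outle32)) {
				aa_put_label(label);
				return -EINVAL;	/* not enough space */
			}
			outle32 = __cpu_to_le32(data->size);
			memcpy(out, &outle32, sizeof(outle32));
			out += sizeof(outle32);
			memcpy(out, data->data, data->size);
			out += data->size;
			blocks++;
		}
	}
	aa_put_label(label);

	/* byte count excludes the count field itself */
	outle32 = __cpu_to_le32(out - buf - sizeof(bytes));
	memcpy(buf, &outle32, sizeof(outle32));
	outle32 = __cpu_to_le32(blocks);
	memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32));

	return out - buf;
}

/**
 * query_label - queries a label and writes permissions to buf
 * @buf: the resulting permissions string is stored here (NOT NULL)
 * @buf_len: size of buf
 * @query: binary query string to match against the dfa
 * @query_len: size of query
 * @view_only: only compute for querier's view
 *
 * The buffers pointed to by buf and query may overlap. The query buffer is
 * parsed before buf is written to.
 *
 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is
 * the name of the label, in the current namespace, that is to be queried and
 * DFA_STRING is a binary string to match against the label(s)'s DFA.
 *
 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters
 * but must *not* be NUL terminated.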
 *
 * Returns: number of characters written to buf or -errno on failure
 */
static ssize_t query_label(char *buf, size_t buf_len,
			   char *query, size_t query_len, bool view_only)
{
	struct aa_profile *profile;
	struct aa_label *label, *curr;
	char *label_name, *match_str;
	size_t label_name_len, match_len;
	struct aa_perms perms;
	struct label_it i;

	if (!query_len)
		return -EINVAL;

	/* the label name must be non-empty and NUL terminated within @query */
	label_name = query;
	label_name_len = strnlen(query, query_len);
	if (!label_name_len || label_name_len == query_len)
		return -EINVAL;

	/*
	 * The extra byte is to account for the null byte between the
	 * label name and dfa string. label_name_len is greater
	 * than zero and less than query_len, so a byte can be safely
	 * added or subtracted. match_len may be 0; the callers in this
	 * file hand over a zero-padded page, so reading the class byte at
	 * match_str is still in bounds in that case.
	 */
	match_str = label_name + label_name_len + 1;
	match_len = query_len - label_name_len - 1;

	curr = begin_current_label_crit_section();
	label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false);
	end_current_label_crit_section(curr);
	if (IS_ERR(label))
		return PTR_ERR(label);

	/* start from allperms; each profile's callback narrows the result */
	perms = allperms;
	if (view_only) {
		label_for_each_in_scope(i, labels_ns(label), label, profile) {
			profile_query_cb(profile, &perms, match_str, match_len);
		}
	} else {
		label_for_each(i, label, profile) {
			profile_query_cb(profile, &perms, match_str, match_len);
		}
	}
	aa_put_label(label);

	/* scnprintf never overruns @buf_len and returns the bytes written */
	return scnprintf(buf, buf_len,
			 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n",
			 perms.allow, perms.deny, perms.audit, perms.quiet);
}

/*
 * Transaction based IO.
 * The file expects a write which triggers the transaction, and then
 * possibly a read(s) which collects the result - which is stored in a
 * file-local buffer. Once a new write is performed, a new set of results
 * are stored in the file-local buffer.
 */
struct multi_transaction {
	struct kref count;	/* shared between file->private_data and readers */
	ssize_t size;		/* valid bytes in data[] */
	char data[];		/* occupies the rest of the PAGE_SIZE allocation */
};

/* bytes of data[] available in a PAGE_SIZE multi_transaction */
#define MULTI_TRANSACTION_LIMIT	(PAGE_SIZE - sizeof(struct multi_transaction))

/* kref release: the transaction is a single kzalloc'd page */
static void multi_transaction_kref(struct kref *kref)
{
	struct multi_transaction *t;

	t = container_of(kref, struct multi_transaction, count);
	kfree(t);
}

/* Take a ref on @t and return it; NULL passes through. */
static struct multi_transaction *
get_multi_transaction(struct multi_transaction *t)
{
	if (t)
		kref_get(&(t->count));

	return t;
}

/* Drop a ref on @t, freeing it on the last put; NULL is a no-op. */
static void put_multi_transaction(struct multi_transaction *t)
{
	if (t)
		kref_put(&(t->count), multi_transaction_kref);
}

/* does not increment @new's count
 *
 * Publish @new (with @n valid bytes) as the file's current result under
 * f_lock and drop the previous transaction's reference outside the lock.
 */
static void multi_transaction_set(struct file *file,
				  struct multi_transaction *new, size_t n)
{
	struct multi_transaction *old;

	AA_BUG(n > MULTI_TRANSACTION_LIMIT);

	new->size = n;
	spin_lock(&file->f_lock);
	old = (struct multi_transaction *) file->private_data;
	file->private_data = new;
	spin_unlock(&file->f_lock);
	put_multi_transaction(old);
}

/*
 * Allocate a transaction and copy @size bytes of the user's write into it.
 * @file is currently unused. The page is zero filled and @size is capped at
 * MULTI_TRANSACTION_LIMIT - 1, so there is always at least one NUL byte
 * after the copied data.
 *
 * Returns: the transaction with one ref, -EFBIG if @size is too large,
 * -ENOMEM on allocation failure, -EFAULT if the user copy fails.
 */
static struct multi_transaction *multi_transaction_new(struct file *file,
						       const char __user *buf,
						       size_t size)
{
	struct multi_transaction *t;

	if (size > MULTI_TRANSACTION_LIMIT - 1)
		return ERR_PTR(-EFBIG);

	t = kzalloc(PAGE_SIZE, GFP_KERNEL);
	if (!t)
		return ERR_PTR(-ENOMEM);
	kref_init(&t->count);
	if (copy_from_user(t->data, buf, size)) {
		put_multi_transaction(t);
		return ERR_PTR(-EFAULT);
	}

	return t;
}

/*
 * Read from the current result. A ref is taken under f_lock so a
 * concurrent write replacing the transaction cannot free it mid-copy.
 * Returns 0 (EOF) if no transaction has been written yet.
 */
static ssize_t multi_transaction_read(struct file *file, char __user *buf,
				      size_t size, loff_t *pos)
{
	struct multi_transaction *t;
	ssize_t ret;

	spin_lock(&file->f_lock);
	t = get_multi_transaction(file->private_data);
	spin_unlock(&file->f_lock);

	if (!t)
		return 0;

	ret = simple_read_from_buffer(buf, size, pos, t->data, t->size);
	put_multi_transaction(t);

	return ret;
}

/* Drop the file's own ref on the current transaction, if any. */
static int multi_transaction_release(struct inode *inode, struct file *file)
{
	put_multi_transaction(file->private_data);

	return 0;
}

/* query commands: each literal carries an explicit embedded NUL so the
 * _LEN memcmp() below matches the word *and* its terminator
 */
#define QUERY_CMD_LABEL		"label\0"
#define QUERY_CMD_LABEL_LEN	6
#define QUERY_CMD_PROFILE	"profile\0"
#define QUERY_CMD_PROFILE_LEN	8
#define QUERY_CMD_LABELALL	"labelall\0"
#define QUERY_CMD_LABELALL_LEN	9
#define QUERY_CMD_DATA		"data\0"
#define QUERY_CMD_DATA_LEN	5

/**
 * aa_write_access - generic permissions and data query
 * @file: pointer to open apparmorfs/access file
 * @ubuf: user buffer containing the complete query string (NOT NULL)
 * @count: size of ubuf
 * @ppos: position in the file (MUST BE ZERO)
 *
 * Allows for one permissions or data query per open(), write(), and read()
 * sequence. The only queries currently supported are label-based queries for
 * permissions or data.
 *
 * For permissions queries, ubuf must begin with "label\0", followed by the
 * profile query specific format described in the query_label() function
 * documentation.
 *
 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where
 * <LABEL> is the name of the security confinement context and <KEY> is the
 * name of the data to retrieve.
 *
 * Returns: number of bytes written or -errno on failure
 */
static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
			       size_t count, loff_t *ppos)
{
	struct multi_transaction *t;
	ssize_t len;

	if (*ppos)
		return -ESPIPE;

	t = multi_transaction_new(file, ubuf, count);
	if (IS_ERR(t))
		return PTR_ERR(t);

	/* the query is parsed out of t->data and the answer is written back
	 * into the same buffer; query_label()/query_data() document that the
	 * two may overlap. "profile" and "label" are both view-only queries;
	 * "labelall" is not.
	 */
	if (count > QUERY_CMD_PROFILE_LEN &&
	    !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) {
		len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
				  t->data + QUERY_CMD_PROFILE_LEN,
				  count - QUERY_CMD_PROFILE_LEN, true);
	} else if (count > QUERY_CMD_LABEL_LEN &&
		   !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) {
		len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
				  t->data + QUERY_CMD_LABEL_LEN,
				  count - QUERY_CMD_LABEL_LEN, true);
	} else if (count > QUERY_CMD_LABELALL_LEN &&
		   !memcmp(t->data, QUERY_CMD_LABELALL,
			   QUERY_CMD_LABELALL_LEN)) {
		len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
				  t->data + QUERY_CMD_LABELALL_LEN,
				  count - QUERY_CMD_LABELALL_LEN, false);
	} else if (count > QUERY_CMD_DATA_LEN &&
		   !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) {
		len = query_data(t->data, MULTI_TRANSACTION_LIMIT,
				 t->data + QUERY_CMD_DATA_LEN,
				 count - QUERY_CMD_DATA_LEN);
	} else
		len = -EINVAL;

	if (len < 0) {
		put_multi_transaction(t);
		return len;
	}

	/* hands our ref on @t to the file; the write is reported as consumed */
	multi_transaction_set(file, t, len);

	return count;
}

static const struct file_operations aa_sfs_access = {
	.write = aa_write_access,
	.read = multi_transaction_read,
	.release = multi_transaction_release,
	.llseek = generic_file_llseek,
};

/* seq show for the static securityfs entries described by aa_sfs_entry */
static int aa_sfs_seq_show(struct seq_file *seq, void *v)
{
	struct aa_sfs_entry *fs_file = seq->private;

	if (!fs_file)
		return 0;

	switch (fs_file->v_type) {
	case AA_SFS_TYPE_BOOLEAN:
		seq_printf(seq, "%s\n", str_yes_no(fs_file->v.boolean));
		break;
	case AA_SFS_TYPE_STRING:
		seq_printf(seq, "%s\n", fs_file->v.string);
		break;
	case AA_SFS_TYPE_U64:
		/* NOTE(review): %lx requires v.u64 to be declared unsigned
		 * long despite its name — confirm against aa_sfs_entry
		 */
		seq_printf(seq, "%#08lx\n", fs_file->v.u64);
		break;
	default:
		/* Ignore unprintable entry types. */
		break;
	}

	return 0;
}

static int aa_sfs_seq_open(struct inode *inode, struct file *file)
{
	return single_open(file, aa_sfs_seq_show, inode->i_private);
}

const struct file_operations aa_sfs_seq_file_ops = {
	.owner = THIS_MODULE,
	.open = aa_sfs_seq_open,
	.read = seq_read,
	.llseek = seq_lseek,
	.release = single_release,
};

/*
 * profile based file operations
 * policy/profiles/XXXX/profiles/ *
 */

/* Generates seq_profile_<NAME>_open() and seq_profile_<NAME>_fops for a
 * seq_profile_<NAME>_show() defined above the expansion.
 */
#define SEQ_PROFILE_FOPS(NAME)						      \
static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\
{									      \
	return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show);    \
}									      \
									      \
static const struct file_operations seq_profile_ ##NAME ##_fops = {	      \
	.owner = THIS_MODULE,						      \
	.open = seq_profile_ ##NAME ##_open,				      \
	.read = seq_read,						      \
	.llseek = seq_lseek,						      \
	.release = seq_profile_release,					      \
}									      \

/* Open a per-profile seq file: takes a proxy ref that becomes seq->private
 * and is dropped by seq_profile_release(), or here if single_open() fails.
 */
static int seq_profile_open(struct inode *inode, struct file *file,
			    int (*show)(struct seq_file *, void *))
{
	struct aa_proxy *proxy = get_proxy_common_ref(inode->i_private);
	int error = single_open(file, show, proxy);

	if (error) {
		file->private_data = NULL;
		aa_put_proxy(proxy);
	}

	return error;
}

static int seq_profile_release(struct inode *inode, struct file *file)
{
	struct seq_file *seq = (struct seq_file *) file->private_data;
	if (seq)
		aa_put_proxy(seq->private);
	return single_release(inode, file);
}

/* The per-profile show fns resolve the proxy to its current label under
 * RCU, print one attribute of that label's profile and drop the label.
 */
static int seq_profile_name_show(struct seq_file *seq, void *v)
{
	struct aa_proxy *proxy = seq->private;
	struct aa_label *label = aa_get_label_rcu(&proxy->label);
	struct aa_profile *profile = labels_profile(label);
	seq_printf(seq, "%s\n", profile->base.name);
	aa_put_label(label);

	return 0;
}

static int seq_profile_mode_show(struct seq_file *seq, void *v)
{
	struct aa_proxy *proxy = seq->private;
	struct aa_label *label = aa_get_label_rcu(&proxy->label);
	struct aa_profile *profile = labels_profile(label);
	seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]);
	aa_put_label(label);

	return 0;
}

/* attach string if known, "<unknown>" when only a compiled xmatch dfa
 * exists, else the profile name itself
 */
static int seq_profile_attach_show(struct seq_file *seq, void *v)
{
	struct aa_proxy *proxy = seq->private;
	struct aa_label *label = aa_get_label_rcu(&proxy->label);
	struct aa_profile *profile = labels_profile(label);
	if (profile->attach.xmatch_str)
		seq_printf(seq, "%s\n", profile->attach.xmatch_str);
	else if (profile->attach.xmatch->dfa)
		seq_puts(seq, "<unknown>\n");
	else
		seq_printf(seq, "%s\n", profile->base.name);
	aa_put_label(label);

	return 0;
}

/* hex dump of the profile's load hash; prints nothing if none was recorded */
static int seq_profile_hash_show(struct seq_file *seq, void *v)
{
	struct aa_proxy *proxy = seq->private;
	struct aa_label *label = aa_get_label_rcu(&proxy->label);
	struct aa_profile *profile = labels_profile(label);
	unsigned int i, size = aa_hash_size();

	if (profile->hash) {
		for (i = 0; i < size; i++)
			seq_printf(seq, "%.2x", profile->hash[i]);
		seq_putc(seq, '\n');
	}
	aa_put_label(label);

	return 0;
}

SEQ_PROFILE_FOPS(name);
SEQ_PROFILE_FOPS(mode);
SEQ_PROFILE_FOPS(attach);
SEQ_PROFILE_FOPS(hash);

/*
 * namespace based files
 * several root files and
 * policy/ *
 */

/* Generates seq_ns_<NAME>_open() and seq_ns_<NAME>_fops for a
 * seq_ns_<NAME>_show(); these files carry no extra per-open state.
 */
#define SEQ_NS_FOPS(NAME)						      \
static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file)    \
{									      \
	return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private);   \
}									      \
									      \
static const struct file_operations seq_ns_ ##NAME ##_fops = {	      \
	.owner = THIS_MODULE,						      \
	.open = seq_ns_ ##NAME ##_open,					      \
	.read = seq_read,						      \
	.llseek = seq_lseek,						      \
	.release = single_release,					      \
}									      \

/* "yes" if the reader's own label is a stack of more than one profile */
static int seq_ns_stacked_show(struct seq_file *seq, void *v)
{
	struct aa_label *label;

	label = begin_current_label_crit_section();
	seq_printf(seq, "%s\n", str_yes_no(label->size > 1));
	end_current_label_crit_section(label);

	return 0;
}

/* "yes" if the reader's stack contains a profile from a different ns than
 * the label's own namespace
 */
static int seq_ns_nsstacked_show(struct seq_file *seq, void *v)
{
	struct aa_label *label;
	struct aa_profile *profile;
	struct label_it it;
	int count = 1;

	label = begin_current_label_crit_section();

	if (label->size > 1) {
		label_for_each(it, label, profile)
			if (profile->ns != labels_ns(label)) {
				count++;
				break;
			}
	}

	seq_printf(seq, "%s\n", str_yes_no(count > 1));
	end_current_label_crit_section(label);

	return 0;
}

/* nesting level of the reader's namespace */
static int seq_ns_level_show(struct seq_file *seq, void *v)
{
	struct aa_label *label;

	label = begin_current_label_crit_section();
	seq_printf(seq, "%d\n", labels_ns(label)->level);
	end_current_label_crit_section(label);

	return 0;
}

/* name of the reader's namespace */
static int seq_ns_name_show(struct seq_file *seq, void *v)
{
	struct aa_label *label = begin_current_label_crit_section();
	seq_printf(seq, "%s\n", labels_ns(label)->base.name);
	end_current_label_crit_section(label);

	return 0;
}

/* lowest policy compression level the kernel accepts */
static int seq_ns_compress_min_show(struct seq_file *seq, void *v)
{
	seq_printf(seq, "%d\n", AA_MIN_CLEVEL);
	return 0;
}

static int seq_ns_compress_max_show(struct seq_file *seq, void *v)
{
	seq_printf(seq,
"%d\n", AA_MAX_CLEVEL); 1297 return 0; 1298 } 1299 1300 SEQ_NS_FOPS(stacked); 1301 SEQ_NS_FOPS(nsstacked); 1302 SEQ_NS_FOPS(level); 1303 SEQ_NS_FOPS(name); 1304 SEQ_NS_FOPS(compress_min); 1305 SEQ_NS_FOPS(compress_max); 1306 1307 1308 /* policy/raw_data/ * file ops */ 1309 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1310 #define SEQ_RAWDATA_FOPS(NAME) \ 1311 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1312 { \ 1313 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1314 } \ 1315 \ 1316 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1317 .owner = THIS_MODULE, \ 1318 .open = seq_rawdata_ ##NAME ##_open, \ 1319 .read = seq_read, \ 1320 .llseek = seq_lseek, \ 1321 .release = seq_rawdata_release, \ 1322 } \ 1323 1324 static int seq_rawdata_open(struct inode *inode, struct file *file, 1325 int (*show)(struct seq_file *, void *)) 1326 { 1327 struct aa_loaddata *data = get_loaddata_common_ref(inode->i_private); 1328 int error; 1329 1330 if (!data) 1331 return -ENOENT; 1332 1333 error = single_open(file, show, data); 1334 if (error) { 1335 AA_BUG(file->private_data && 1336 ((struct seq_file *)file->private_data)->private); 1337 aa_put_i_loaddata(data); 1338 } 1339 1340 return error; 1341 } 1342 1343 static int seq_rawdata_release(struct inode *inode, struct file *file) 1344 { 1345 struct seq_file *seq = (struct seq_file *) file->private_data; 1346 1347 if (seq) 1348 aa_put_i_loaddata(seq->private); 1349 1350 return single_release(inode, file); 1351 } 1352 1353 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1354 { 1355 struct aa_loaddata *data = seq->private; 1356 1357 seq_printf(seq, "v%d\n", data->abi); 1358 1359 return 0; 1360 } 1361 1362 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1363 { 1364 struct aa_loaddata *data = seq->private; 1365 1366 seq_printf(seq, "%ld\n", data->revision); 1367 1368 return 0; 1369 } 1370 1371 static int 
seq_rawdata_hash_show(struct seq_file *seq, void *v) 1372 { 1373 struct aa_loaddata *data = seq->private; 1374 unsigned int i, size = aa_hash_size(); 1375 1376 if (data->hash) { 1377 for (i = 0; i < size; i++) 1378 seq_printf(seq, "%.2x", data->hash[i]); 1379 seq_putc(seq, '\n'); 1380 } 1381 1382 return 0; 1383 } 1384 1385 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v) 1386 { 1387 struct aa_loaddata *data = seq->private; 1388 1389 seq_printf(seq, "%zu\n", data->compressed_size); 1390 1391 return 0; 1392 } 1393 1394 SEQ_RAWDATA_FOPS(abi); 1395 SEQ_RAWDATA_FOPS(revision); 1396 SEQ_RAWDATA_FOPS(hash); 1397 SEQ_RAWDATA_FOPS(compressed_size); 1398 1399 static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen) 1400 { 1401 if (slen < dlen) { 1402 const size_t wksp_len = zstd_dctx_workspace_bound(); 1403 zstd_dctx *ctx; 1404 void *wksp; 1405 size_t out_len; 1406 int ret = 0; 1407 1408 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1409 if (!wksp) { 1410 ret = -ENOMEM; 1411 goto cleanup; 1412 } 1413 ctx = zstd_init_dctx(wksp, wksp_len); 1414 if (ctx == NULL) { 1415 ret = -ENOMEM; 1416 goto cleanup; 1417 } 1418 out_len = zstd_decompress_dctx(ctx, dst, dlen, src, slen); 1419 if (zstd_is_error(out_len)) { 1420 ret = -EINVAL; 1421 goto cleanup; 1422 } 1423 cleanup: 1424 kvfree(wksp); 1425 return ret; 1426 } 1427 1428 if (dlen < slen) 1429 return -EINVAL; 1430 memcpy(dst, src, slen); 1431 return 0; 1432 } 1433 1434 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1435 loff_t *ppos) 1436 { 1437 struct rawdata_f_data *private = file->private_data; 1438 1439 return simple_read_from_buffer(buf, size, ppos, 1440 private->data, 1441 private->loaddata->size); 1442 } 1443 1444 static int rawdata_release(struct inode *inode, struct file *file) 1445 { 1446 rawdata_f_data_free(file->private_data); 1447 1448 return 0; 1449 } 1450 1451 static int rawdata_open(struct inode *inode, struct file *file) 1452 { 1453 int error; 1454 
struct aa_loaddata *loaddata; 1455 struct rawdata_f_data *private; 1456 1457 if (!aa_current_policy_view_capable(NULL)) 1458 return -EACCES; 1459 1460 loaddata = get_loaddata_common_ref(inode->i_private); 1461 if (!loaddata) 1462 return -ENOENT; 1463 1464 private = rawdata_f_data_alloc(loaddata->size); 1465 if (IS_ERR(private)) { 1466 error = PTR_ERR(private); 1467 goto fail_private_alloc; 1468 } 1469 1470 private->loaddata = loaddata; 1471 1472 error = decompress_zstd(loaddata->data, loaddata->compressed_size, 1473 private->data, loaddata->size); 1474 if (error) 1475 goto fail_decompress; 1476 1477 file->private_data = private; 1478 return 0; 1479 1480 fail_decompress: 1481 rawdata_f_data_free(private); 1482 return error; 1483 1484 fail_private_alloc: 1485 aa_put_i_loaddata(loaddata); 1486 return error; 1487 } 1488 1489 static const struct file_operations rawdata_fops = { 1490 .open = rawdata_open, 1491 .read = rawdata_read, 1492 .llseek = generic_file_llseek, 1493 .release = rawdata_release, 1494 }; 1495 1496 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1497 { 1498 int i; 1499 1500 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1501 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1502 aafs_remove(rawdata->dents[i]); 1503 rawdata->dents[i] = NULL; 1504 } 1505 } 1506 } 1507 1508 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1509 { 1510 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1511 1512 if (rawdata->ns) { 1513 remove_rawdata_dents(rawdata); 1514 list_del_init(&rawdata->list); 1515 aa_put_ns(rawdata->ns); 1516 rawdata->ns = NULL; 1517 } 1518 } 1519 1520 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1521 { 1522 struct dentry *dent, *dir; 1523 1524 AA_BUG(!ns); 1525 AA_BUG(!rawdata); 1526 AA_BUG(!mutex_is_locked(&ns->lock)); 1527 AA_BUG(!ns_subdata_dir(ns)); 1528 1529 /* 1530 * just use ns revision dir was originally created at. 
This is 1531 * under ns->lock and if load is successful revision will be 1532 * bumped and is guaranteed to be unique 1533 */ 1534 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1535 if (!rawdata->name) 1536 return -ENOMEM; 1537 1538 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1539 if (IS_ERR(dir)) 1540 /* ->name freed when rawdata freed */ 1541 return PTR_ERR(dir); 1542 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1543 1544 dent = aafs_create_file("abi", S_IFREG | 0444, dir, &rawdata->count, 1545 &seq_rawdata_abi_fops); 1546 if (IS_ERR(dent)) 1547 goto fail; 1548 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1549 1550 dent = aafs_create_file("revision", S_IFREG | 0444, dir, 1551 &rawdata->count, 1552 &seq_rawdata_revision_fops); 1553 if (IS_ERR(dent)) 1554 goto fail; 1555 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1556 1557 if (aa_g_hash_policy) { 1558 dent = aafs_create_file("sha256", S_IFREG | 0444, dir, 1559 &rawdata->count, 1560 &seq_rawdata_hash_fops); 1561 if (IS_ERR(dent)) 1562 goto fail; 1563 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1564 } 1565 1566 dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, 1567 &rawdata->count, 1568 &seq_rawdata_compressed_size_fops); 1569 if (IS_ERR(dent)) 1570 goto fail; 1571 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; 1572 1573 dent = aafs_create_file("raw_data", S_IFREG | 0444, dir, 1574 &rawdata->count, &rawdata_fops); 1575 if (IS_ERR(dent)) 1576 goto fail; 1577 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1578 d_inode(dent)->i_size = rawdata->size; 1579 1580 rawdata->ns = aa_get_ns(ns); 1581 list_add(&rawdata->list, &ns->rawdata_list); 1582 1583 return 0; 1584 1585 fail: 1586 remove_rawdata_dents(rawdata); 1587 return PTR_ERR(dent); 1588 } 1589 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1590 1591 1592 /** fns to setup dynamic per profile/namespace files **/ 1593 1594 /* 1595 * 1596 * Requires: @profile->ns->lock held 1597 */ 1598 void __aafs_profile_rmdir(struct 
aa_profile *profile) 1599 { 1600 struct aa_profile *child; 1601 int i; 1602 1603 if (!profile) 1604 return; 1605 1606 list_for_each_entry(child, &profile->base.profiles, base.list) 1607 __aafs_profile_rmdir(child); 1608 1609 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1610 if (!profile->dents[i]) 1611 continue; 1612 1613 aafs_remove(profile->dents[i]); 1614 profile->dents[i] = NULL; 1615 } 1616 } 1617 1618 /* 1619 * 1620 * Requires: @old->ns->lock held 1621 */ 1622 void __aafs_profile_migrate_dents(struct aa_profile *old, 1623 struct aa_profile *new) 1624 { 1625 int i; 1626 1627 AA_BUG(!old); 1628 AA_BUG(!new); 1629 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1630 1631 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1632 new->dents[i] = old->dents[i]; 1633 if (new->dents[i]) { 1634 struct inode *inode = d_inode(new->dents[i]); 1635 1636 inode_set_mtime_to_ts(inode, 1637 inode_set_ctime_current(inode)); 1638 } 1639 old->dents[i] = NULL; 1640 } 1641 } 1642 1643 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1644 struct aa_profile *profile, 1645 const struct file_operations *fops) 1646 { 1647 return aafs_create_file(name, S_IFREG | 0444, dir, &profile->label.proxy->count, fops); 1648 } 1649 1650 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1651 static int profile_depth(struct aa_profile *profile) 1652 { 1653 int depth = 0; 1654 1655 rcu_read_lock(); 1656 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1657 depth++; 1658 rcu_read_unlock(); 1659 1660 return depth; 1661 } 1662 1663 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1664 { 1665 char *buffer, *s; 1666 int error; 1667 const char *path = "../../"; 1668 size_t path_len = strlen(path); 1669 int size; 1670 1671 /* Extra 11 bytes: "raw_data" (9) + two slashes "//" (2) */ 1672 size = depth * path_len + strlen(dirname) + strlen(fname) + 11; 1673 s = buffer = kmalloc(size, GFP_KERNEL); 1674 if (!buffer) 1675 return 
ERR_PTR(-ENOMEM); 1676 1677 for (; depth > 0; depth--) { 1678 memcpy(s, path, path_len); 1679 s += path_len; 1680 size -= path_len; 1681 } 1682 1683 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1684 if (error >= size || error < 0) { 1685 kfree(buffer); 1686 return ERR_PTR(-ENAMETOOLONG); 1687 } 1688 1689 return buffer; 1690 } 1691 1692 static const char *rawdata_get_link_base(struct dentry *dentry, 1693 struct inode *inode, 1694 struct delayed_call *done, 1695 const char *name) 1696 { 1697 struct aa_common_ref *ref = inode->i_private; 1698 struct aa_proxy *proxy = container_of(ref, struct aa_proxy, count); 1699 struct aa_label *label; 1700 struct aa_profile *profile; 1701 char *target; 1702 int depth; 1703 1704 if (!dentry) 1705 return ERR_PTR(-ECHILD); 1706 1707 label = aa_get_label_rcu(&proxy->label); 1708 profile = labels_profile(label); 1709 1710 /* rawdata can be null when aa_g_export_binary is unset during 1711 * runtime and a profile is replaced 1712 */ 1713 if (!profile->rawdata) { 1714 aa_put_label(label); 1715 return ERR_PTR(-ENOENT); 1716 } 1717 1718 depth = profile_depth(profile); 1719 target = gen_symlink_name(depth, profile->rawdata->name, name); 1720 aa_put_label(label); 1721 1722 if (IS_ERR(target)) 1723 return target; 1724 1725 set_delayed_call(done, kfree_link, target); 1726 1727 return target; 1728 } 1729 1730 static const char *rawdata_get_link_sha256(struct dentry *dentry, 1731 struct inode *inode, 1732 struct delayed_call *done) 1733 { 1734 return rawdata_get_link_base(dentry, inode, done, "sha256"); 1735 } 1736 1737 static const char *rawdata_get_link_abi(struct dentry *dentry, 1738 struct inode *inode, 1739 struct delayed_call *done) 1740 { 1741 return rawdata_get_link_base(dentry, inode, done, "abi"); 1742 } 1743 1744 static const char *rawdata_get_link_data(struct dentry *dentry, 1745 struct inode *inode, 1746 struct delayed_call *done) 1747 { 1748 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1749 } 1750 
1751 static const struct inode_operations rawdata_link_sha256_iops = { 1752 .get_link = rawdata_get_link_sha256, 1753 }; 1754 1755 static const struct inode_operations rawdata_link_abi_iops = { 1756 .get_link = rawdata_get_link_abi, 1757 }; 1758 static const struct inode_operations rawdata_link_data_iops = { 1759 .get_link = rawdata_get_link_data, 1760 }; 1761 1762 /* 1763 * Requires: @profile->ns->lock held 1764 */ 1765 void __aa_remove_rawdata_symlink_dents(struct aa_profile *profile) 1766 { 1767 aafs_remove(profile->dents[AAFS_PROF_RAW_HASH]); 1768 profile->dents[AAFS_PROF_RAW_HASH] = NULL; 1769 aafs_remove(profile->dents[AAFS_PROF_RAW_ABI]); 1770 profile->dents[AAFS_PROF_RAW_ABI] = NULL; 1771 aafs_remove(profile->dents[AAFS_PROF_RAW_DATA]); 1772 profile->dents[AAFS_PROF_RAW_DATA] = NULL; 1773 } 1774 1775 static inline int create_symlink_dent(struct aa_profile *profile, 1776 const char *name, 1777 enum aafs_prof_type type, 1778 const struct inode_operations *iops) 1779 { 1780 struct dentry *dent = NULL; 1781 struct dentry *dir = prof_dir(profile); 1782 1783 if (profile->dents[type]) 1784 return 0; 1785 1786 dent = aafs_create(name, S_IFLNK | 0444, dir, 1787 &profile->label.proxy->count, NULL, NULL, iops); 1788 if (IS_ERR(dent)) 1789 return PTR_ERR(dent); 1790 1791 profile->dents[type] = dent; 1792 return 0; 1793 } 1794 1795 /* 1796 * Requires: @profile->ns->lock held 1797 */ 1798 int __aa_create_rawdata_symlink_dents(struct aa_profile *profile) 1799 { 1800 int error; 1801 1802 if (!profile || 1803 (profile->dents[AAFS_PROF_RAW_HASH] && 1804 profile->dents[AAFS_PROF_RAW_ABI] && 1805 profile->dents[AAFS_PROF_RAW_DATA])) 1806 return 0; 1807 1808 if (!profile->rawdata) 1809 return 0; 1810 1811 if (aa_g_hash_policy) { 1812 error = create_symlink_dent(profile, "raw_sha256", 1813 AAFS_PROF_RAW_HASH, 1814 &rawdata_link_sha256_iops); 1815 if (error) 1816 return error; 1817 } 1818 1819 error = create_symlink_dent(profile, "raw_abi", 1820 AAFS_PROF_RAW_ABI, 1821 
&rawdata_link_abi_iops); 1822 if (error) 1823 return error; 1824 1825 1826 error = create_symlink_dent(profile, "raw_data", 1827 AAFS_PROF_RAW_DATA, 1828 &rawdata_link_data_iops); 1829 if (error) 1830 return error; 1831 1832 return 0; 1833 } 1834 1835 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1836 1837 /* 1838 * Requires: @profile->ns->lock held 1839 */ 1840 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1841 { 1842 struct aa_profile *child; 1843 struct dentry *dent = NULL, *dir; 1844 int error; 1845 1846 AA_BUG(!profile); 1847 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1848 1849 if (!parent) { 1850 struct aa_profile *p; 1851 p = aa_deref_parent(profile); 1852 dent = prof_dir(p); 1853 if (!dent) { 1854 error = -ENOENT; 1855 goto fail2; 1856 } 1857 /* adding to parent that previously didn't have children */ 1858 dent = aafs_create_dir("profiles", dent); 1859 if (IS_ERR(dent)) 1860 goto fail; 1861 prof_child_dir(p) = parent = dent; 1862 } 1863 1864 if (!profile->dirname) { 1865 int len, id_len; 1866 len = mangle_name(profile->base.name, NULL); 1867 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1868 1869 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1870 if (!profile->dirname) { 1871 error = -ENOMEM; 1872 goto fail2; 1873 } 1874 1875 mangle_name(profile->base.name, profile->dirname); 1876 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1877 } 1878 1879 dent = aafs_create_dir(profile->dirname, parent); 1880 if (IS_ERR(dent)) 1881 goto fail; 1882 prof_dir(profile) = dir = dent; 1883 1884 dent = create_profile_file(dir, "name", profile, 1885 &seq_profile_name_fops); 1886 if (IS_ERR(dent)) 1887 goto fail; 1888 profile->dents[AAFS_PROF_NAME] = dent; 1889 1890 dent = create_profile_file(dir, "mode", profile, 1891 &seq_profile_mode_fops); 1892 if (IS_ERR(dent)) 1893 goto fail; 1894 profile->dents[AAFS_PROF_MODE] = dent; 1895 1896 dent = create_profile_file(dir, "attach", profile, 1897 
&seq_profile_attach_fops); 1898 if (IS_ERR(dent)) 1899 goto fail; 1900 profile->dents[AAFS_PROF_ATTACH] = dent; 1901 1902 if (profile->hash) { 1903 dent = create_profile_file(dir, "sha256", profile, 1904 &seq_profile_hash_fops); 1905 if (IS_ERR(dent)) 1906 goto fail; 1907 profile->dents[AAFS_PROF_HASH] = dent; 1908 } 1909 1910 error = __aa_create_rawdata_symlink_dents(profile); 1911 if (error) 1912 goto fail2; 1913 1914 list_for_each_entry(child, &profile->base.profiles, base.list) { 1915 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1916 if (error) 1917 goto fail2; 1918 } 1919 1920 return 0; 1921 1922 fail: 1923 error = PTR_ERR(dent); 1924 1925 fail2: 1926 __aafs_profile_rmdir(profile); 1927 1928 return error; 1929 } 1930 1931 static struct dentry *ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, 1932 struct dentry *dentry, umode_t mode) 1933 { 1934 struct aa_ns *ns, *parent; 1935 /* TODO: improve permission check */ 1936 struct aa_label *label; 1937 int error; 1938 1939 label = begin_current_label_crit_section(); 1940 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1941 AA_MAY_LOAD_POLICY); 1942 end_current_label_crit_section(label); 1943 if (error) 1944 return ERR_PTR(error); 1945 1946 parent = get_ns_common_ref(dir->i_private); 1947 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1948 1949 /* we have to unlock and then relock to get locking order right 1950 * for pin_fs 1951 */ 1952 inode_unlock(dir); 1953 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1954 mutex_lock_nested(&parent->lock, parent->level); 1955 inode_lock_nested(dir, I_MUTEX_PARENT); 1956 if (error) 1957 goto out; 1958 1959 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1960 NULL, NULL, NULL); 1961 if (error) 1962 goto out_pin; 1963 1964 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1965 dentry); 1966 if (IS_ERR(ns)) { 1967 error = PTR_ERR(ns); 1968 ns = NULL; 1969 } 1970 1971 aa_put_ns(ns); /* list ref 
remains */ 1972 out_pin: 1973 if (error) 1974 simple_release_fs(&aafs_mnt, &aafs_count); 1975 out: 1976 mutex_unlock(&parent->lock); 1977 aa_put_ns(parent); 1978 1979 return error ? ERR_PTR(error) : NULL; 1980 } 1981 1982 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1983 { 1984 struct aa_ns *ns, *parent; 1985 /* TODO: improve permission check */ 1986 struct aa_label *label; 1987 int error; 1988 1989 label = begin_current_label_crit_section(); 1990 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1991 AA_MAY_LOAD_POLICY); 1992 end_current_label_crit_section(label); 1993 if (error) 1994 return error; 1995 1996 parent = get_ns_common_ref(dir->i_private); 1997 /* rmdir calls the generic securityfs functions to remove files 1998 * from the apparmor dir. It is up to the apparmor ns locking 1999 * to avoid races. 2000 */ 2001 inode_unlock(dir); 2002 inode_unlock(dentry->d_inode); 2003 2004 mutex_lock_nested(&parent->lock, parent->level); 2005 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 2006 dentry->d_name.len)); 2007 if (!ns) { 2008 error = -ENOENT; 2009 goto out; 2010 } 2011 AA_BUG(ns_dir(ns) != dentry); 2012 2013 __aa_remove_ns(ns); 2014 aa_put_ns(ns); 2015 2016 out: 2017 mutex_unlock(&parent->lock); 2018 inode_lock_nested(dir, I_MUTEX_PARENT); 2019 inode_lock(dentry->d_inode); 2020 aa_put_ns(parent); 2021 2022 return error; 2023 } 2024 2025 static const struct inode_operations ns_dir_inode_operations = { 2026 .lookup = simple_lookup, 2027 .mkdir = ns_mkdir_op, 2028 .rmdir = ns_rmdir_op, 2029 }; 2030 2031 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 2032 { 2033 struct aa_loaddata *ent, *tmp; 2034 2035 AA_BUG(!mutex_is_locked(&ns->lock)); 2036 2037 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 2038 __aa_fs_remove_rawdata(ent); 2039 } 2040 2041 /* 2042 * 2043 * Requires: @ns->lock held 2044 */ 2045 void __aafs_ns_rmdir(struct aa_ns *ns) 2046 { 2047 struct aa_ns *sub; 2048 struct 
aa_profile *child; 2049 int i; 2050 2051 if (!ns) 2052 return; 2053 AA_BUG(!mutex_is_locked(&ns->lock)); 2054 2055 list_for_each_entry(child, &ns->base.profiles, base.list) 2056 __aafs_profile_rmdir(child); 2057 2058 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2059 mutex_lock_nested(&sub->lock, sub->level); 2060 __aafs_ns_rmdir(sub); 2061 mutex_unlock(&sub->lock); 2062 } 2063 2064 __aa_fs_list_remove_rawdata(ns); 2065 2066 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 2067 aafs_remove(ns->dents[i]); 2068 ns->dents[i] = NULL; 2069 } 2070 } 2071 2072 /* assumes cleanup in caller */ 2073 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 2074 { 2075 struct dentry *dent; 2076 2077 AA_BUG(!ns); 2078 AA_BUG(!dir); 2079 2080 dent = aafs_create_dir("profiles", dir); 2081 if (IS_ERR(dent)) 2082 return PTR_ERR(dent); 2083 ns_subprofs_dir(ns) = dent; 2084 2085 dent = aafs_create_dir("raw_data", dir); 2086 if (IS_ERR(dent)) 2087 return PTR_ERR(dent); 2088 ns_subdata_dir(ns) = dent; 2089 2090 dent = aafs_create_file("revision", 0444, dir, 2091 &ns->unconfined->label.count, 2092 &aa_fs_ns_revision_fops); 2093 if (IS_ERR(dent)) 2094 return PTR_ERR(dent); 2095 ns_subrevision(ns) = dent; 2096 2097 dent = aafs_create_file(".load", 0640, dir, 2098 &ns->unconfined->label.count, 2099 &aa_fs_profile_load); 2100 if (IS_ERR(dent)) 2101 return PTR_ERR(dent); 2102 ns_subload(ns) = dent; 2103 2104 dent = aafs_create_file(".replace", 0640, dir, 2105 &ns->unconfined->label.count, 2106 &aa_fs_profile_replace); 2107 if (IS_ERR(dent)) 2108 return PTR_ERR(dent); 2109 ns_subreplace(ns) = dent; 2110 2111 dent = aafs_create_file(".remove", 0640, dir, 2112 &ns->unconfined->label.count, 2113 &aa_fs_profile_remove); 2114 if (IS_ERR(dent)) 2115 return PTR_ERR(dent); 2116 ns_subremove(ns) = dent; 2117 2118 /* use create_dentry so we can supply private data */ 2119 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, 2120 &ns->unconfined->label.count, 2121 NULL, NULL, 
&ns_dir_inode_operations); 2122 if (IS_ERR(dent)) 2123 return PTR_ERR(dent); 2124 ns_subns_dir(ns) = dent; 2125 2126 return 0; 2127 } 2128 2129 /* 2130 * Requires: @ns->lock held 2131 */ 2132 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 2133 struct dentry *dent) 2134 { 2135 struct aa_ns *sub; 2136 struct aa_profile *child; 2137 struct dentry *dir; 2138 int error; 2139 2140 AA_BUG(!ns); 2141 AA_BUG(!parent); 2142 AA_BUG(!mutex_is_locked(&ns->lock)); 2143 2144 if (!name) 2145 name = ns->base.name; 2146 2147 if (!dent) { 2148 /* create ns dir if it doesn't already exist */ 2149 dent = aafs_create_dir(name, parent); 2150 if (IS_ERR(dent)) 2151 goto fail; 2152 } else 2153 dget(dent); 2154 ns_dir(ns) = dir = dent; 2155 error = __aafs_ns_mkdir_entries(ns, dir); 2156 if (error) 2157 goto fail2; 2158 2159 /* profiles */ 2160 list_for_each_entry(child, &ns->base.profiles, base.list) { 2161 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 2162 if (error) 2163 goto fail2; 2164 } 2165 2166 /* subnamespaces */ 2167 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2168 mutex_lock_nested(&sub->lock, sub->level); 2169 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 2170 mutex_unlock(&sub->lock); 2171 if (error) 2172 goto fail2; 2173 } 2174 2175 return 0; 2176 2177 fail: 2178 error = PTR_ERR(dent); 2179 2180 fail2: 2181 __aafs_ns_rmdir(ns); 2182 2183 return error; 2184 } 2185 2186 /** 2187 * __next_ns - find the next namespace to list 2188 * @root: root namespace to stop search at (NOT NULL) 2189 * @ns: current ns position (NOT NULL) 2190 * 2191 * Find the next namespace from @ns under @root and handle all locking needed 2192 * while switching current namespace. 
2193 * 2194 * Returns: next namespace or NULL if at last namespace under @root 2195 * Requires: ns->parent->lock to be held 2196 * NOTE: will not unlock root->lock 2197 */ 2198 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 2199 { 2200 struct aa_ns *parent, *next; 2201 2202 AA_BUG(!root); 2203 AA_BUG(!ns); 2204 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 2205 2206 /* is next namespace a child */ 2207 if (!list_empty(&ns->sub_ns)) { 2208 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 2209 mutex_lock_nested(&next->lock, next->level); 2210 return next; 2211 } 2212 2213 /* check if the next ns is a sibling, parent, gp, .. */ 2214 parent = ns->parent; 2215 while (ns != root) { 2216 mutex_unlock(&ns->lock); 2217 next = list_next_entry(ns, base.list); 2218 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 2219 mutex_lock_nested(&next->lock, next->level); 2220 return next; 2221 } 2222 ns = parent; 2223 parent = parent->parent; 2224 } 2225 2226 return NULL; 2227 } 2228 2229 /** 2230 * __first_profile - find the first profile in a namespace 2231 * @root: namespace that is root of profiles being displayed (NOT NULL) 2232 * @ns: namespace to start in (NOT NULL) 2233 * 2234 * Returns: unrefcounted profile or NULL if no profile 2235 * Requires: profile->ns.lock to be held 2236 */ 2237 static struct aa_profile *__first_profile(struct aa_ns *root, 2238 struct aa_ns *ns) 2239 { 2240 AA_BUG(!root); 2241 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2242 2243 for (; ns; ns = __next_ns(root, ns)) { 2244 if (!list_empty(&ns->base.profiles)) 2245 return list_first_entry(&ns->base.profiles, 2246 struct aa_profile, base.list); 2247 } 2248 return NULL; 2249 } 2250 2251 /** 2252 * __next_profile - step to the next profile in a profile tree 2253 * @p: current profile in tree (NOT NULL) 2254 * 2255 * Perform a depth first traversal on the profile tree in a namespace 2256 * 2257 * Returns: next profile or NULL if done 2258 * Requires: 
profile->ns.lock to be held 2259 */ 2260 static struct aa_profile *__next_profile(struct aa_profile *p) 2261 { 2262 struct aa_profile *parent; 2263 struct aa_ns *ns = p->ns; 2264 2265 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2266 2267 /* is next profile a child */ 2268 if (!list_empty(&p->base.profiles)) 2269 return list_first_entry(&p->base.profiles, typeof(*p), 2270 base.list); 2271 2272 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2273 parent = rcu_dereference_protected(p->parent, 2274 mutex_is_locked(&p->ns->lock)); 2275 while (parent) { 2276 p = list_next_entry(p, base.list); 2277 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2278 return p; 2279 p = parent; 2280 parent = rcu_dereference_protected(parent->parent, 2281 mutex_is_locked(&parent->ns->lock)); 2282 } 2283 2284 /* is next another profile in the namespace */ 2285 p = list_next_entry(p, base.list); 2286 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2287 return p; 2288 2289 return NULL; 2290 } 2291 2292 /** 2293 * next_profile - step to the next profile in where ever it may be 2294 * @root: root namespace (NOT NULL) 2295 * @profile: current profile (NOT NULL) 2296 * 2297 * Returns: next profile or NULL if there isn't one 2298 */ 2299 static struct aa_profile *next_profile(struct aa_ns *root, 2300 struct aa_profile *profile) 2301 { 2302 struct aa_profile *next = __next_profile(profile); 2303 if (next) 2304 return next; 2305 2306 /* finished all profiles in namespace move to next namespace */ 2307 return __first_profile(root, __next_ns(root, profile->ns)); 2308 } 2309 2310 /** 2311 * p_start - start a depth first traversal of profile tree 2312 * @f: seq_file to fill 2313 * @pos: current position 2314 * 2315 * Returns: first profile under current namespace or NULL if none found 2316 * 2317 * acquires first ns->lock 2318 */ 2319 static void *p_start(struct seq_file *f, loff_t *pos) 2320 { 2321 struct aa_profile *profile = NULL; 2322 struct aa_ns *root 
= aa_get_current_ns(); 2323 loff_t l = *pos; 2324 f->private = root; 2325 2326 /* find the first profile */ 2327 mutex_lock_nested(&root->lock, root->level); 2328 profile = __first_profile(root, root); 2329 2330 /* skip to position */ 2331 for (; profile && l > 0; l--) 2332 profile = next_profile(root, profile); 2333 2334 return profile; 2335 } 2336 2337 /** 2338 * p_next - read the next profile entry 2339 * @f: seq_file to fill 2340 * @p: profile previously returned 2341 * @pos: current position 2342 * 2343 * Returns: next profile after @p or NULL if none 2344 * 2345 * may acquire/release locks in namespace tree as necessary 2346 */ 2347 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2348 { 2349 struct aa_profile *profile = p; 2350 struct aa_ns *ns = f->private; 2351 (*pos)++; 2352 2353 return next_profile(ns, profile); 2354 } 2355 2356 /** 2357 * p_stop - stop depth first traversal 2358 * @f: seq_file we are filling 2359 * @p: the last profile written 2360 * 2361 * Release all locking done by p_start/p_next on namespace tree 2362 */ 2363 static void p_stop(struct seq_file *f, void *p) 2364 { 2365 struct aa_profile *profile = p; 2366 struct aa_ns *root = f->private, *ns; 2367 2368 if (profile) { 2369 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2370 mutex_unlock(&ns->lock); 2371 } 2372 mutex_unlock(&root->lock); 2373 aa_put_ns(root); 2374 } 2375 2376 /** 2377 * seq_show_profile - show a profile entry 2378 * @f: seq_file to file 2379 * @p: current position (profile) (NOT NULL) 2380 * 2381 * Returns: error on failure 2382 */ 2383 static int seq_show_profile(struct seq_file *f, void *p) 2384 { 2385 struct aa_profile *profile = (struct aa_profile *)p; 2386 struct aa_ns *root = f->private; 2387 2388 aa_label_seq_xprint(f, root, &profile->label, 2389 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2390 seq_putc(f, '\n'); 2391 2392 return 0; 2393 } 2394 2395 static const struct seq_operations aa_sfs_profiles_op = { 2396 .start = p_start, 2397 
.next = p_next,
	.stop = p_stop,
	.show = seq_show_profile,
};

/*
 * profiles_open - open the "profiles" listing
 *
 * Listing loaded policy is gated on the caller being allowed to view policy
 * in its current namespace; the file's mode bits are not the access control.
 * Returns -EACCES when the view check fails, otherwise seq_open()'s result.
 */
static int profiles_open(struct inode *inode, struct file *file)
{
	if (!aa_current_policy_view_capable(NULL))
		return -EACCES;

	return seq_open(file, &aa_sfs_profiles_op);
}

static int profiles_release(struct inode *inode, struct file *file)
{
	return seq_release(inode, file);
}

static const struct file_operations aa_sfs_profiles_fops = {
	.open = profiles_open,
	.read = seq_read,
	.llseek = seq_lseek,
	.release = profiles_release,
};


/** Base file system setup **/

/*
 * Feature tables.  Each table is published as a directory under the
 * features/ tree (see aa_sfs_entry_features) so userspace can discover what
 * this kernel supports before loading policy.  The "mask" strings list the
 * permission names understood for that rule class.
 */

/* features/file */
static struct aa_sfs_entry aa_sfs_entry_file[] = {
	AA_SFS_FILE_STRING("mask",
			   "create read write exec append mmap_exec link lock"),
	{ }
};

/* features/ptrace */
static struct aa_sfs_entry aa_sfs_entry_ptrace[] = {
	AA_SFS_FILE_STRING("mask", "read trace"),
	{ }
};

/* features/signal */
static struct aa_sfs_entry aa_sfs_entry_signal[] = {
	AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK),
	{ }
};

/* features/domain/attach_conditions */
static struct aa_sfs_entry aa_sfs_entry_attach[] = {
	AA_SFS_FILE_BOOLEAN("xattr", 1),
	{ }
};

/* features/domain: supported domain-transition mechanisms */
static struct aa_sfs_entry aa_sfs_entry_domain[] = {
	AA_SFS_FILE_BOOLEAN("change_hat", 1),
	AA_SFS_FILE_BOOLEAN("change_hatv", 1),
	AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1),
	AA_SFS_FILE_BOOLEAN("change_onexec", 1),
	AA_SFS_FILE_BOOLEAN("change_profile", 1),
	AA_SFS_FILE_BOOLEAN("stack", 1),
	AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
	AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1),
	AA_SFS_FILE_BOOLEAN("computed_longest_left", 1),
	AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach),
	AA_SFS_FILE_BOOLEAN("disconnected.path", 1),
	AA_SFS_FILE_BOOLEAN("kill.signal", 1),
	AA_SFS_FILE_STRING("version", "1.2"),
	{ }
};

/* features/policy/unconfined_restrictions */
static struct aa_sfs_entry aa_sfs_entry_unconfined[] = {
AA_SFS_FILE_BOOLEAN("change_profile", 1),
	{ }
};

/* features/policy/versions: policy ABI versions this kernel accepts */
static struct aa_sfs_entry aa_sfs_entry_versions[] = {
	AA_SFS_FILE_BOOLEAN("v5", 1),
	AA_SFS_FILE_BOOLEAN("v6", 1),
	AA_SFS_FILE_BOOLEAN("v7", 1),
	AA_SFS_FILE_BOOLEAN("v8", 1),
	AA_SFS_FILE_BOOLEAN("v9", 1),
	{ }
};

/* bit names of the 32-bit permission table, in bit order */
#define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label"
/* features/policy */
static struct aa_sfs_entry aa_sfs_entry_policy[] = {
	AA_SFS_DIR("versions", aa_sfs_entry_versions),
	AA_SFS_FILE_BOOLEAN("set_load", 1),
	AA_SFS_FILE_BOOLEAN("diff-encode", 1),
	/* number of out of band transitions supported */
	AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED),
	AA_SFS_FILE_U64("permstable32_version", 3),
	AA_SFS_FILE_STRING("permstable32", PERMS32STR),
	AA_SFS_FILE_U64("state32", 1),
	AA_SFS_DIR("unconfined_restrictions", aa_sfs_entry_unconfined),
	{ }
};

/* features/mount */
static struct aa_sfs_entry aa_sfs_entry_mount[] = {
	AA_SFS_FILE_STRING("mask", "mount umount pivot_root"),
	AA_SFS_FILE_STRING("move_mount", "detached"),
	{ }
};

/* features/namespaces */
static struct aa_sfs_entry aa_sfs_entry_ns[] = {
	AA_SFS_FILE_BOOLEAN("profile", 1),
	AA_SFS_FILE_BOOLEAN("pivot_root", 0),
	AA_SFS_FILE_STRING("mask", "userns_create"),
	{ }
};

/* features/dbus */
static struct aa_sfs_entry aa_sfs_entry_dbus[] = {
	AA_SFS_FILE_STRING("mask", "acquire send receive"),
	{ }
};

/* features/query/label */
static struct aa_sfs_entry aa_sfs_entry_query_label[] = {
	AA_SFS_FILE_STRING("perms", "allow deny audit quiet"),
	AA_SFS_FILE_BOOLEAN("data", 1),
	AA_SFS_FILE_BOOLEAN("multi_transaction", 1),
	{ }
};

/* features/query */
static struct aa_sfs_entry aa_sfs_entry_query[] = {
	AA_SFS_DIR("label", aa_sfs_entry_query_label),
	{ }
};

/* features/io_uring */
static struct aa_sfs_entry aa_sfs_entry_io_uring[] = {
	AA_SFS_FILE_STRING("mask", "sqpoll override_creds"),
	{ }
};

/*
 * features/ directory: the complete feature set advertised to userspace.
 * Tables not defined in this part of the file (network, rlimit, caps) are
 * declared elsewhere in AppArmor.
 */
static struct aa_sfs_entry aa_sfs_entry_features[] = {
	AA_SFS_DIR("policy", aa_sfs_entry_policy),
	AA_SFS_DIR("domain", aa_sfs_entry_domain),
	AA_SFS_DIR("file", aa_sfs_entry_file),
	AA_SFS_DIR("network_v8", aa_sfs_entry_network),
	AA_SFS_DIR("network_v9", aa_sfs_entry_networkv9),
	AA_SFS_DIR("mount", aa_sfs_entry_mount),
	AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
	AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
	AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit),
	AA_SFS_DIR("caps", aa_sfs_entry_caps),
	AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace),
	AA_SFS_DIR("signal", aa_sfs_entry_signal),
	AA_SFS_DIR("dbus", aa_sfs_entry_dbus),
	AA_SFS_DIR("query", aa_sfs_entry_query),
	AA_SFS_DIR("io_uring", aa_sfs_entry_io_uring),
	{ }
};

/*
 * Static contents of the securityfs apparmor/ directory.  The dynamic
 * entries (.load/.replace/.remove/revision and the policy symlink) are added
 * by aa_create_aafs().
 *
 * NOTE(review): ".access" is created 0666, so any task can open it; the
 * access control for that interface has to live in aa_sfs_access (defined
 * elsewhere), not in the mode bits.  The other entries here are read-only.
 */
static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
	AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access),
	AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops),
	AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops),
	AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops),
	AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops),
	AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops),
	AA_SFS_FILE_FOPS("raw_data_compression_level_min", 0444, &seq_ns_compress_min_fops),
	AA_SFS_FILE_FOPS("raw_data_compression_level_max", 0444, &seq_ns_compress_max_fops),
	AA_SFS_DIR("features", aa_sfs_entry_features),
	{ }
};

/* root of the static tree; its dentry doubles as the "already created" flag */
static struct aa_sfs_entry aa_sfs_entry =
	AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor);

/**
 * entry_create_file - create a file entry in the apparmor securityfs
 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL)
 * @parent: the parent dentry in the securityfs
 *
 * The entry itself is passed as the inode's private data so the file_ops
 * can find it.  On failure fs_file->dentry is reset to NULL so that
 * entry_remove_file() can be called unconditionally during cleanup.
 *
 * Use entry_remove_file to remove entries created with this fn.
 *
 * Returns: 0 on success or the negative error from securityfs_create_file()
 */
static int __init entry_create_file(struct aa_sfs_entry *fs_file,
				    struct dentry *parent)
{
	int error = 0;

	fs_file->dentry = securityfs_create_file(fs_file->name,
						 S_IFREG | fs_file->mode,
						 parent, fs_file,
						 fs_file->file_ops);
	if (IS_ERR(fs_file->dentry)) {
		error = PTR_ERR(fs_file->dentry);
		/* never leave an ERR_PTR behind for the remove path */
		fs_file->dentry = NULL;
	}
	return error;
}

static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir);
/**
 * entry_create_dir - recursively create a directory entry in the securityfs
 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL)
 * @parent: the parent dentry in the securityfs
 *
 * Children are created in table order; the table is terminated by an entry
 * with a NULL name.  If any child fails, everything created so far under
 * @fs_dir (including the directory itself) is torn down again.
 *
 * Use entry_remove_dir to remove entries created with this fn.
 *
 * Returns: 0 on success or a negative error
 */
static int __init entry_create_dir(struct aa_sfs_entry *fs_dir,
				   struct dentry *parent)
{
	struct aa_sfs_entry *fs_file;
	struct dentry *dir;
	int error;

	dir = securityfs_create_dir(fs_dir->name, parent);
	if (IS_ERR(dir))
		return PTR_ERR(dir);
	fs_dir->dentry = dir;

	for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
		if (fs_file->v_type == AA_SFS_TYPE_DIR)
			error = entry_create_dir(fs_file, fs_dir->dentry);
		else
			error = entry_create_file(fs_file, fs_dir->dentry);
		if (error)
			goto failed;
	}

	return 0;

failed:
	/* safe on partially built trees: entries never created have a NULL dentry */
	entry_remove_dir(fs_dir);

	return error;
}

/**
 * entry_remove_file - drop a single file entry in the apparmor securityfs
 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
 *
 * A no-op for entries that were never created (or already removed).
 */
static void __init entry_remove_file(struct aa_sfs_entry *fs_file)
{
	if (!fs_file->dentry)
		return;

	securityfs_remove(fs_file->dentry);
	fs_file->dentry = NULL;
}

/**
 * entry_remove_dir - recursively drop a directory entry from the securityfs
 * @fs_dir: aa_sfs_entry (and all
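child entries) to detach (NOT NULL)
 *
 * Children are removed before the directory itself.  Like
 * entry_remove_file() this tolerates entries that were never created, so it
 * is also used for cleanup after a partial entry_create_dir().
 */
static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir)
{
	struct aa_sfs_entry *fs_file;

	for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
		if (fs_file->v_type == AA_SFS_TYPE_DIR)
			entry_remove_dir(fs_file);
		else
			entry_remove_file(fs_file);
	}

	entry_remove_file(fs_dir);
}

/**
 * aa_destroy_aafs - cleanup and free aafs
 *
 * releases dentries allocated by aa_create_aafs
 */
void __init aa_destroy_aafs(void)
{
	entry_remove_dir(&aa_sfs_entry);
}


#define NULL_FILE_NAME ".null"
/* path of the ".null" device node created by aa_mk_null_file() */
struct path aa_null;

/**
 * aa_mk_null_file - create the ".null" character device node under @parent
 * @parent: securityfs directory to create the node in (NOT NULL)
 *
 * The node is a character device carrying the /dev/null device number
 * (MKDEV(MEM_MAJOR, 3)) with mode S_IRUGO | S_IWUGO.  References to the new
 * dentry and to the pinned mount are stored in the global @aa_null path.
 *
 * Returns: 0 on success; a negative error from simple_pin_fs() or
 *          simple_start_creating(), or -ENOMEM if no inode was available
 */
static int aa_mk_null_file(struct dentry *parent)
{
	struct vfsmount *mount = NULL;
	struct dentry *dentry;
	struct inode *inode;
	int count = 0;
	int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count);

	if (error)
		return error;

	dentry = simple_start_creating(parent, NULL_FILE_NAME);
	if (IS_ERR(dentry)) {
		/*
		 * No dentry was handed out, so there is nothing for
		 * simple_done_creating() to finish; it is only valid for the
		 * dentry returned on success and must not be given the
		 * ERR_PTR.  Only the pinned fs needs releasing here.
		 */
		error = PTR_ERR(dentry);
		goto out_release;
	}
	inode = new_inode(parent->d_inode->i_sb);
	if (!inode) {
		error = -ENOMEM;
		goto out_done;
	}

	inode->i_ino = get_next_ino();
	inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
	simple_inode_init_ts(inode);
	init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO,
			   MKDEV(MEM_MAJOR, 3));
	d_instantiate(dentry, inode);
	/* keep our own references; the creation references are dropped below */
	aa_null.dentry = dget(dentry);
	aa_null.mnt = mntget(mount);

out_done:
	simple_done_creating(dentry);
out_release:
	simple_release_fs(&mount, &count);
	return error;
}

/**
 * policy_get_link - follow the magic "policy" symlink
 * @dentry: symlink dentry, NULL when called in RCU-walk mode
 * @inode: symlink inode (unused)
 * @done: delayed_call for the caller (unused)
 *
 * Redirects the walk to the apparmorfs directory of the calling task's
 * current policy namespace rather than to a fixed target, so each task
 * sees the portion of the policy tree it is confined by.
 *
 * Returns: ERR_PTR(-ECHILD) in RCU-walk mode so the VFS retries with a
 *          dentry; otherwise ERR_PTR() of the nd_jump_link() result
 */
static const char *policy_get_link(struct dentry *dentry,
				   struct inode *inode,
				   struct delayed_call *done)
{
	struct aa_ns *ns;
	struct path path;
	int error;

	if (!dentry)
		return ERR_PTR(-ECHILD);

	ns = aa_get_current_ns();
	path.mnt = mntget(aafs_mnt);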
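path.dentry = dget(ns_dir(ns));
	/* ownership of the mnt/dentry references is handed to nd_jump_link() */
	error = nd_jump_link(&path);
	aa_put_ns(ns);

	/* ERR_PTR(0) is NULL, the "already jumped" result for get_link */
	return ERR_PTR(error);
}

/**
 * policy_readlink - report a synthetic target for the "policy" symlink
 * @dentry: symlink dentry
 * @buffer: user buffer to copy the link text into
 * @buflen: size of @buffer
 *
 * The link has no fixed target (see policy_get_link), so readlink reports
 * an nsfs-style "<fsname>:[<inode number>]" string instead.
 *
 * Returns: number of bytes copied, or -ENOENT if the text did not fit
 *          into the local buffer, or the error from readlink_copy()
 */
static int policy_readlink(struct dentry *dentry, char __user *buffer,
			   int buflen)
{
	char name[32];
	int res;

	/* i_ino is an unsigned long; %lu keeps format and argument matched */
	res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME,
		       d_inode(dentry)->i_ino);
	if (res > 0 && res < sizeof(name))
		res = readlink_copy(buffer, buflen, name, strlen(name));
	else
		res = -ENOENT;

	return res;
}

/* inode operations of the magic "policy" symlink created in aa_create_aafs() */
static const struct inode_operations policy_link_iops = {
	.readlink = policy_readlink,
	.get_link = policy_get_link,
};


/**
 * aa_create_aafs - create the apparmor security filesystem
 *
 * dentries created here are released by aa_destroy_aafs
 *
 * Builds the static securityfs tree (aa_sfs_entry), the policy load
 * interface files for the root namespace, the apparmorfs-backed
 * .policy tree and the "policy" symlink that redirects into it, and the
 * ".null" device node.  Any failure after the static tree exists tears the
 * whole tree down again.
 *
 * Returns: 0 on success (including when apparmor is not initialized),
 *          -EEXIST if the tree already exists, or a negative error
 */
int __init aa_create_aafs(void)
{
	struct dentry *dent;
	int error;

	if (!apparmor_initialized)
		return 0;

	/* the root entry's dentry doubles as the "already created" marker */
	if (aa_sfs_entry.dentry) {
		AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
		return -EEXIST;
	}

	/* setup apparmorfs used to virtualize policy/ */
	aafs_mnt = kern_mount(&aafs_ops);
	if (IS_ERR(aafs_mnt))
		/* failing to mount the internal fs at init is treated as fatal */
		panic("can't set apparmorfs up\n");
	aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER;

	/* Populate fs tree. */
	error = entry_create_dir(&aa_sfs_entry, NULL);
	if (error)
		goto error;

	/*
	 * Policy load/replace/remove interfaces for the root namespace.
	 * NOTE(review): these are 0666, so the permission checks must be
	 * done by the respective fops (defined elsewhere), not by the VFS.
	 */
	dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry,
				      NULL, &aa_fs_profile_load);
	if (IS_ERR(dent))
		goto dent_error;
	ns_subload(root_ns) = dent;

	dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry,
				      NULL, &aa_fs_profile_replace);
	if (IS_ERR(dent))
		goto dent_error;
	ns_subreplace(root_ns) = dent;

	dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry,
				      NULL, &aa_fs_profile_remove);
	if (IS_ERR(dent))
		goto dent_error;
	ns_subremove(root_ns) = dent;

	dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry,
				      NULL, &aa_fs_ns_revision_fops);
	if (IS_ERR(dent))
		goto dent_error;
	ns_subrevision(root_ns) = dent;

	/* policy tree referenced by magic policy symlink */
	mutex_lock_nested(&root_ns->lock, root_ns->level);
	error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",
				aafs_mnt->mnt_root);
	mutex_unlock(&root_ns->lock);
	if (error)
		goto error;

	/* magic symlink similar to nsfs redirects based on task policy */
	dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry,
					 NULL, &policy_link_iops);
	if (IS_ERR(dent))
		goto dent_error;

	error = aa_mk_null_file(aa_sfs_entry.dentry);
	if (error)
		goto error;

	/* TODO: add default profile to apparmorfs */

	/* Report that AppArmor fs is enabled */
	aa_info_message("AppArmor Filesystem Enabled");
	return 0;

dent_error:
	error = PTR_ERR(dent);
error:
	/* removes whatever part of the static tree was built */
	aa_destroy_aafs();
	AA_ERROR("Error creating AppArmor securityfs\n");
	return error;
}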