1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/security.h> 13 #include <linux/vmalloc.h> 14 #include <linux/init.h> 15 #include <linux/seq_file.h> 16 #include <linux/uaccess.h> 17 #include <linux/mount.h> 18 #include <linux/namei.h> 19 #include <linux/capability.h> 20 #include <linux/rcupdate.h> 21 #include <linux/fs.h> 22 #include <linux/fs_context.h> 23 #include <linux/poll.h> 24 #include <linux/zstd.h> 25 #include <uapi/linux/major.h> 26 #include <uapi/linux/magic.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/cred.h" 32 #include "include/crypto.h" 33 #include "include/ipc.h" 34 #include "include/label.h" 35 #include "include/policy.h" 36 #include "include/policy_ns.h" 37 #include "include/resource.h" 38 #include "include/policy_unpack.h" 39 #include "include/task.h" 40 41 /* 42 * The apparmor filesystem interface used for policy load and introspection 43 * The interface is split into two main components based on their function 44 * a securityfs component: 45 * used for static files that are always available, and which allows 46 * userspace to specify the location of the security filesystem. 47 * 48 * fns and data are prefixed with 49 * aa_sfs_ 50 * 51 * an apparmorfs component: 52 * used loaded policy content and introspection. It is not part of a 53 * regular mounted filesystem and is available only through the magic 54 * policy symlink in the root of the securityfs apparmor/ directory. 55 * Tasks queries will be magically redirected to the correct portion 56 * of the policy tree based on their confinement. 57 * 58 * fns and data are prefixed with 59 * aafs_ 60 * 61 * The aa_fs_ prefix is used to indicate the fn is used by both the 62 * securityfs and apparmorfs filesystems. 63 */ 64 65 66 /* 67 * support fns 68 */ 69 70 struct rawdata_f_data { 71 struct aa_loaddata *loaddata; 72 }; 73 74 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 75 #define RAWDATA_F_DATA_BUF(p) (char *)(p + 1) 76 77 static void rawdata_f_data_free(struct rawdata_f_data *private) 78 { 79 if (!private) 80 return; 81 82 aa_put_loaddata(private->loaddata); 83 kvfree(private); 84 } 85 86 static struct rawdata_f_data *rawdata_f_data_alloc(size_t size) 87 { 88 struct rawdata_f_data *ret; 89 90 if (size > SIZE_MAX - sizeof(*ret)) 91 return ERR_PTR(-EINVAL); 92 93 ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); 94 if (!ret) 95 return ERR_PTR(-ENOMEM); 96 97 return ret; 98 } 99 #endif 100 101 /** 102 * mangle_name - mangle a profile name to std profile layout form 103 * @name: profile name to mangle (NOT NULL) 104 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 105 * 106 * Returns: length of mangled name 107 */ 108 static int mangle_name(const char *name, char *target) 109 { 110 char *t = target; 111 112 while (*name == '/' || *name == '.') 113 name++; 114 115 if (target) { 116 for (; *name; name++) { 117 if (*name == '/') 118 *(t)++ = '.'; 119 else if (isspace(*name)) 120 *(t)++ = '_'; 121 else if (isalnum(*name) || strchr("._-", *name)) 122 *(t)++ = *name; 123 } 124 125 *t = 0; 126 } else { 127 int len = 0; 128 for (; *name; name++) { 129 if (isalnum(*name) || isspace(*name) || 130 strchr("/._-", *name)) 131 len++; 132 } 133 134 return len; 135 } 136 137 return t - target; 138 } 139 140 141 /* 142 * aafs - core fns and data for the policy tree 143 */ 144 145 #define AAFS_NAME "apparmorfs" 146 static struct vfsmount *aafs_mnt; 147 static int aafs_count; 148 149 150 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 151 { 152 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); 153 return 0; 154 } 155 156 static void aafs_free_inode(struct inode *inode) 157 { 158 if (S_ISLNK(inode->i_mode)) 159 kfree(inode->i_link); 160 free_inode_nonrcu(inode); 161 } 162 163 static const struct super_operations aafs_super_ops = { 164 .statfs = simple_statfs, 165 .free_inode = aafs_free_inode, 166 .show_path = aafs_show_path, 167 }; 168 169 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) 170 { 171 static struct tree_descr files[] = { {""} }; 172 int error; 173 174 error = simple_fill_super(sb, AAFS_MAGIC, files); 175 if (error) 176 return error; 177 sb->s_op = &aafs_super_ops; 178 179 return 0; 180 } 181 182 static int apparmorfs_get_tree(struct fs_context *fc) 183 { 184 return get_tree_single(fc, apparmorfs_fill_super); 185 } 186 187 static const struct fs_context_operations apparmorfs_context_ops = { 188 .get_tree = apparmorfs_get_tree, 189 }; 190 191 static int apparmorfs_init_fs_context(struct fs_context *fc) 192 { 193 fc->ops = &apparmorfs_context_ops; 194 return 0; 195 } 196 197 static struct file_system_type aafs_ops = { 198 .owner = THIS_MODULE, 199 .name = AAFS_NAME, 200 .init_fs_context = apparmorfs_init_fs_context, 201 .kill_sb = kill_anon_super, 202 }; 203 204 /** 205 * __aafs_setup_d_inode - basic inode setup for apparmorfs 206 * @dir: parent directory for the dentry 207 * @dentry: dentry we are setting the inode up for 208 * @mode: permissions the file should have 209 * @data: data to store on inode.i_private, available in open() 210 * @link: if symlink, symlink target string 211 * @fops: struct file_operations that should be used 212 * @iops: struct of inode_operations that should be used 213 */ 214 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, 215 umode_t mode, void *data, char *link, 216 const struct file_operations *fops, 217 const struct inode_operations *iops) 218 { 219 struct inode *inode = new_inode(dir->i_sb); 220 221 AA_BUG(!dir); 222 AA_BUG(!dentry); 223 224 if (!inode) 225 return -ENOMEM; 226 227 inode->i_ino = get_next_ino(); 228 inode->i_mode = mode; 229 simple_inode_init_ts(inode); 230 inode->i_private = data; 231 if (S_ISDIR(mode)) { 232 inode->i_op = iops ? iops : &simple_dir_inode_operations; 233 inode->i_fop = &simple_dir_operations; 234 inc_nlink(inode); 235 inc_nlink(dir); 236 } else if (S_ISLNK(mode)) { 237 inode->i_op = iops ? iops : &simple_symlink_inode_operations; 238 inode->i_link = link; 239 } else { 240 inode->i_fop = fops; 241 } 242 d_instantiate(dentry, inode); 243 dget(dentry); 244 245 return 0; 246 } 247 248 /** 249 * aafs_create - create a dentry in the apparmorfs filesystem 250 * 251 * @name: name of dentry to create 252 * @mode: permissions the file should have 253 * @parent: parent directory for this dentry 254 * @data: data to store on inode.i_private, available in open() 255 * @link: if symlink, symlink target string 256 * @fops: struct file_operations that should be used for 257 * @iops: struct of inode_operations that should be used 258 * 259 * This is the basic "create a xxx" function for apparmorfs. 260 * 261 * Returns a pointer to a dentry if it succeeds, that must be free with 262 * aafs_remove(). Will return ERR_PTR on failure. 263 */ 264 static struct dentry *aafs_create(const char *name, umode_t mode, 265 struct dentry *parent, void *data, void *link, 266 const struct file_operations *fops, 267 const struct inode_operations *iops) 268 { 269 struct dentry *dentry; 270 struct inode *dir; 271 int error; 272 273 AA_BUG(!name); 274 AA_BUG(!parent); 275 276 if (!(mode & S_IFMT)) 277 mode = (mode & S_IALLUGO) | S_IFREG; 278 279 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 280 if (error) 281 return ERR_PTR(error); 282 283 dir = d_inode(parent); 284 285 inode_lock(dir); 286 dentry = lookup_noperm(&QSTR(name), parent); 287 if (IS_ERR(dentry)) { 288 error = PTR_ERR(dentry); 289 goto fail_lock; 290 } 291 292 if (d_really_is_positive(dentry)) { 293 error = -EEXIST; 294 goto fail_dentry; 295 } 296 297 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); 298 if (error) 299 goto fail_dentry; 300 inode_unlock(dir); 301 302 return dentry; 303 304 fail_dentry: 305 dput(dentry); 306 307 fail_lock: 308 inode_unlock(dir); 309 simple_release_fs(&aafs_mnt, &aafs_count); 310 311 return ERR_PTR(error); 312 } 313 314 /** 315 * aafs_create_file - create a file in the apparmorfs filesystem 316 * 317 * @name: name of dentry to create 318 * @mode: permissions the file should have 319 * @parent: parent directory for this dentry 320 * @data: data to store on inode.i_private, available in open() 321 * @fops: struct file_operations that should be used for 322 * 323 * see aafs_create 324 */ 325 static struct dentry *aafs_create_file(const char *name, umode_t mode, 326 struct dentry *parent, void *data, 327 const struct file_operations *fops) 328 { 329 return aafs_create(name, mode, parent, data, NULL, fops, NULL); 330 } 331 332 /** 333 * aafs_create_dir - create a directory in the apparmorfs filesystem 334 * 335 * @name: name of dentry to create 336 * @parent: parent directory for this dentry 337 * 338 * see aafs_create 339 */ 340 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) 341 { 342 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, 343 NULL); 344 } 345 346 /** 347 * aafs_remove - removes a file or directory from the apparmorfs filesystem 348 * 349 * @dentry: dentry of the file/directory/symlink to removed. 350 */ 351 static void aafs_remove(struct dentry *dentry) 352 { 353 struct inode *dir; 354 355 if (!dentry || IS_ERR(dentry)) 356 return; 357 358 /* ->d_parent is stable as rename is not supported */ 359 dir = d_inode(dentry->d_parent); 360 dentry = start_removing_dentry(dentry->d_parent, dentry); 361 if (!IS_ERR(dentry) && simple_positive(dentry)) { 362 if (d_is_dir(dentry)) { 363 if (!WARN_ON(!simple_empty(dentry))) { 364 __simple_rmdir(dir, dentry); 365 dput(dentry); 366 } 367 } else { 368 __simple_unlink(dir, dentry); 369 dput(dentry); 370 } 371 d_delete(dentry); 372 } 373 end_removing(dentry); 374 simple_release_fs(&aafs_mnt, &aafs_count); 375 } 376 377 378 /* 379 * aa_fs - policy load/replace/remove 380 */ 381 382 /** 383 * aa_simple_write_to_buffer - common routine for getting policy from user 384 * @userbuf: user buffer to copy data from (NOT NULL) 385 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 386 * @copy_size: size of data to copy from user buffer 387 * @pos: position write is at in the file (NOT NULL) 388 * 389 * Returns: kernel buffer containing copy of user buffer data or an 390 * ERR_PTR on failure. 391 */ 392 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 393 size_t alloc_size, 394 size_t copy_size, 395 loff_t *pos) 396 { 397 struct aa_loaddata *data; 398 399 AA_BUG(copy_size > alloc_size); 400 401 if (*pos != 0) 402 /* only writes from pos 0, that is complete writes */ 403 return ERR_PTR(-ESPIPE); 404 405 /* freed by caller to simple_write_to_buffer */ 406 data = aa_loaddata_alloc(alloc_size); 407 if (IS_ERR(data)) 408 return data; 409 410 data->size = copy_size; 411 if (copy_from_user(data->data, userbuf, copy_size)) { 412 aa_put_loaddata(data); 413 return ERR_PTR(-EFAULT); 414 } 415 416 return data; 417 } 418 419 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, 420 loff_t *pos, struct aa_ns *ns) 421 { 422 struct aa_loaddata *data; 423 struct aa_label *label; 424 ssize_t error; 425 426 label = begin_current_label_crit_section(); 427 428 /* high level check about policy management - fine grained in 429 * below after unpack 430 */ 431 error = aa_may_manage_policy(current_cred(), label, ns, mask); 432 if (error) 433 goto end_section; 434 435 data = aa_simple_write_to_buffer(buf, size, size, pos); 436 error = PTR_ERR(data); 437 if (!IS_ERR(data)) { 438 error = aa_replace_profiles(ns, label, mask, data); 439 aa_put_loaddata(data); 440 } 441 end_section: 442 end_current_label_crit_section(label); 443 444 return error; 445 } 446 447 /* .load file hook fn to load policy */ 448 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 449 loff_t *pos) 450 { 451 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 452 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); 453 454 aa_put_ns(ns); 455 456 return error; 457 } 458 459 static const struct file_operations aa_fs_profile_load = { 460 .write = profile_load, 461 .llseek = default_llseek, 462 }; 463 464 /* .replace file hook fn to load and/or replace policy */ 465 static ssize_t profile_replace(struct file *f, const char __user *buf, 466 size_t size, loff_t *pos) 467 { 468 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 469 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, 470 buf, size, pos, ns); 471 aa_put_ns(ns); 472 473 return error; 474 } 475 476 static const struct file_operations aa_fs_profile_replace = { 477 .write = profile_replace, 478 .llseek = default_llseek, 479 }; 480 481 /* .remove file hook fn to remove loaded policy */ 482 static ssize_t profile_remove(struct file *f, const char __user *buf, 483 size_t size, loff_t *pos) 484 { 485 struct aa_loaddata *data; 486 struct aa_label *label; 487 ssize_t error; 488 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 489 490 label = begin_current_label_crit_section(); 491 /* high level check about policy management - fine grained in 492 * below after unpack 493 */ 494 error = aa_may_manage_policy(current_cred(), label, ns, 495 AA_MAY_REMOVE_POLICY); 496 if (error) 497 goto out; 498 499 /* 500 * aa_remove_profile needs a null terminated string so 1 extra 501 * byte is allocated and the copied data is null terminated. 502 */ 503 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 504 505 error = PTR_ERR(data); 506 if (!IS_ERR(data)) { 507 data->data[size] = 0; 508 error = aa_remove_profiles(ns, label, data->data, size); 509 aa_put_loaddata(data); 510 } 511 out: 512 end_current_label_crit_section(label); 513 aa_put_ns(ns); 514 return error; 515 } 516 517 static const struct file_operations aa_fs_profile_remove = { 518 .write = profile_remove, 519 .llseek = default_llseek, 520 }; 521 522 struct aa_revision { 523 struct aa_ns *ns; 524 long last_read; 525 }; 526 527 /* revision file hook fn for policy loads */ 528 static int ns_revision_release(struct inode *inode, struct file *file) 529 { 530 struct aa_revision *rev = file->private_data; 531 532 if (rev) { 533 aa_put_ns(rev->ns); 534 kfree(rev); 535 } 536 537 return 0; 538 } 539 540 static ssize_t ns_revision_read(struct file *file, char __user *buf, 541 size_t size, loff_t *ppos) 542 { 543 struct aa_revision *rev = file->private_data; 544 char buffer[32]; 545 long last_read; 546 int avail; 547 548 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 549 last_read = rev->last_read; 550 if (last_read == rev->ns->revision) { 551 mutex_unlock(&rev->ns->lock); 552 if (file->f_flags & O_NONBLOCK) 553 return -EAGAIN; 554 if (wait_event_interruptible(rev->ns->wait, 555 last_read != 556 READ_ONCE(rev->ns->revision))) 557 return -ERESTARTSYS; 558 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 559 } 560 561 avail = sprintf(buffer, "%ld\n", rev->ns->revision); 562 if (*ppos + size > avail) { 563 rev->last_read = rev->ns->revision; 564 *ppos = 0; 565 } 566 mutex_unlock(&rev->ns->lock); 567 568 return simple_read_from_buffer(buf, size, ppos, buffer, avail); 569 } 570 571 static int ns_revision_open(struct inode *inode, struct file *file) 572 { 573 struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL); 574 575 if (!rev) 576 return -ENOMEM; 577 578 rev->ns = aa_get_ns(inode->i_private); 579 if (!rev->ns) 580 rev->ns = aa_get_current_ns(); 581 file->private_data = rev; 582 583 return 0; 584 } 585 586 static __poll_t ns_revision_poll(struct file *file, poll_table *pt) 587 { 588 struct aa_revision *rev = file->private_data; 589 __poll_t mask = 0; 590 591 if (rev) { 592 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 593 poll_wait(file, &rev->ns->wait, pt); 594 if (rev->last_read < rev->ns->revision) 595 mask |= EPOLLIN | EPOLLRDNORM; 596 mutex_unlock(&rev->ns->lock); 597 } 598 599 return mask; 600 } 601 602 void __aa_bump_ns_revision(struct aa_ns *ns) 603 { 604 WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); 605 wake_up_interruptible(&ns->wait); 606 } 607 608 static const struct file_operations aa_fs_ns_revision_fops = { 609 .owner = THIS_MODULE, 610 .open = ns_revision_open, 611 .poll = ns_revision_poll, 612 .read = ns_revision_read, 613 .llseek = generic_file_llseek, 614 .release = ns_revision_release, 615 }; 616 617 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, 618 const char *match_str, size_t match_len) 619 { 620 struct aa_ruleset *rules = profile->label.rules[0]; 621 struct aa_perms tmp = { }; 622 aa_state_t state = DFA_NOMATCH; 623 624 if (profile_unconfined(profile)) 625 return; 626 if (rules->file->dfa && *match_str == AA_CLASS_FILE) { 627 state = aa_dfa_match_len(rules->file->dfa, 628 rules->file->start[AA_CLASS_FILE], 629 match_str + 1, match_len - 1); 630 if (state) { 631 struct path_cond cond = { }; 632 633 tmp = *(aa_lookup_condperms(current_fsuid(), 634 rules->file, state, &cond)); 635 } 636 } else if (rules->policy->dfa) { 637 if (!RULE_MEDIATES(rules, *match_str)) 638 return; /* no change to current perms */ 639 /* old user space does not correctly detect dbus mediation 640 * support so we may get dbus policy and requests when 641 * the abi doesn't support it. This can cause mediation 642 * regressions, so explicitly test for this situation. 643 */ 644 if (*match_str == AA_CLASS_DBUS && 645 !RULE_MEDIATES_v9NET(rules)) 646 return; /* no change to current perms */ 647 state = aa_dfa_match_len(rules->policy->dfa, 648 rules->policy->start[0], 649 match_str, match_len); 650 if (state) 651 tmp = *aa_lookup_perms(rules->policy, state); 652 } 653 aa_apply_modes_to_perms(profile, &tmp); 654 aa_perms_accum_raw(perms, &tmp); 655 } 656 657 658 /** 659 * query_data - queries a policy and writes its data to buf 660 * @buf: the resulting data is stored here (NOT NULL) 661 * @buf_len: size of buf 662 * @query: query string used to retrieve data 663 * @query_len: size of query including second NUL byte 664 * 665 * The buffers pointed to by buf and query may overlap. The query buffer is 666 * parsed before buf is written to. 667 * 668 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 669 * the security confinement context and <KEY> is the name of the data to 670 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 671 * 672 * Don't expect the contents of buf to be preserved on failure. 673 * 674 * Returns: number of characters written to buf or -errno on failure 675 */ 676 static ssize_t query_data(char *buf, size_t buf_len, 677 char *query, size_t query_len) 678 { 679 char *out; 680 const char *key; 681 struct label_it i; 682 struct aa_label *label, *curr; 683 struct aa_profile *profile; 684 struct aa_data *data; 685 u32 bytes, blocks; 686 __le32 outle32; 687 688 if (!query_len) 689 return -EINVAL; /* need a query */ 690 691 key = query + strnlen(query, query_len) + 1; 692 if (key + 1 >= query + query_len) 693 return -EINVAL; /* not enough space for a non-empty key */ 694 if (key + strnlen(key, query + query_len - key) >= query + query_len) 695 return -EINVAL; /* must end with NUL */ 696 697 if (buf_len < sizeof(bytes) + sizeof(blocks)) 698 return -EINVAL; /* not enough space */ 699 700 curr = begin_current_label_crit_section(); 701 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); 702 end_current_label_crit_section(curr); 703 if (IS_ERR(label)) 704 return PTR_ERR(label); 705 706 /* We are going to leave space for two numbers. The first is the total 707 * number of bytes we are writing after the first number. This is so 708 * users can read the full output without reallocation. 709 * 710 * The second number is the number of data blocks we're writing. An 711 * application might be confined by multiple policies having data in 712 * the same key. 713 */ 714 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 715 out = buf + sizeof(bytes) + sizeof(blocks); 716 717 blocks = 0; 718 label_for_each_confined(i, label, profile) { 719 if (!profile->data) 720 continue; 721 722 data = rhashtable_lookup_fast(profile->data, &key, 723 profile->data->p); 724 725 if (data) { 726 if (out + sizeof(outle32) + data->size > buf + 727 buf_len) { 728 aa_put_label(label); 729 return -EINVAL; /* not enough space */ 730 } 731 outle32 = __cpu_to_le32(data->size); 732 memcpy(out, &outle32, sizeof(outle32)); 733 out += sizeof(outle32); 734 memcpy(out, data->data, data->size); 735 out += data->size; 736 blocks++; 737 } 738 } 739 aa_put_label(label); 740 741 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 742 memcpy(buf, &outle32, sizeof(outle32)); 743 outle32 = __cpu_to_le32(blocks); 744 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 745 746 return out - buf; 747 } 748 749 /** 750 * query_label - queries a label and writes permissions to buf 751 * @buf: the resulting permissions string is stored here (NOT NULL) 752 * @buf_len: size of buf 753 * @query: binary query string to match against the dfa 754 * @query_len: size of query 755 * @view_only: only compute for querier's view 756 * 757 * The buffers pointed to by buf and query may overlap. The query buffer is 758 * parsed before buf is written to. 759 * 760 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is 761 * the name of the label, in the current namespace, that is to be queried and 762 * DFA_STRING is a binary string to match against the label(s)'s DFA. 763 * 764 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters 765 * but must *not* be NUL terminated. 766 * 767 * Returns: number of characters written to buf or -errno on failure 768 */ 769 static ssize_t query_label(char *buf, size_t buf_len, 770 char *query, size_t query_len, bool view_only) 771 { 772 struct aa_profile *profile; 773 struct aa_label *label, *curr; 774 char *label_name, *match_str; 775 size_t label_name_len, match_len; 776 struct aa_perms perms; 777 struct label_it i; 778 779 if (!query_len) 780 return -EINVAL; 781 782 label_name = query; 783 label_name_len = strnlen(query, query_len); 784 if (!label_name_len || label_name_len == query_len) 785 return -EINVAL; 786 787 /** 788 * The extra byte is to account for the null byte between the 789 * profile name and dfa string. profile_name_len is greater 790 * than zero and less than query_len, so a byte can be safely 791 * added or subtracted. 792 */ 793 match_str = label_name + label_name_len + 1; 794 match_len = query_len - label_name_len - 1; 795 796 curr = begin_current_label_crit_section(); 797 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); 798 end_current_label_crit_section(curr); 799 if (IS_ERR(label)) 800 return PTR_ERR(label); 801 802 perms = allperms; 803 if (view_only) { 804 label_for_each_in_ns(i, labels_ns(label), label, profile) { 805 profile_query_cb(profile, &perms, match_str, match_len); 806 } 807 } else { 808 label_for_each(i, label, profile) { 809 profile_query_cb(profile, &perms, match_str, match_len); 810 } 811 } 812 aa_put_label(label); 813 814 return scnprintf(buf, buf_len, 815 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n", 816 perms.allow, perms.deny, perms.audit, perms.quiet); 817 } 818 819 /* 820 * Transaction based IO. 821 * The file expects a write which triggers the transaction, and then 822 * possibly a read(s) which collects the result - which is stored in a 823 * file-local buffer. Once a new write is performed, a new set of results 824 * are stored in the file-local buffer. 825 */ 826 struct multi_transaction { 827 struct kref count; 828 ssize_t size; 829 char data[]; 830 }; 831 832 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) 833 834 static void multi_transaction_kref(struct kref *kref) 835 { 836 struct multi_transaction *t; 837 838 t = container_of(kref, struct multi_transaction, count); 839 free_page((unsigned long) t); 840 } 841 842 static struct multi_transaction * 843 get_multi_transaction(struct multi_transaction *t) 844 { 845 if (t) 846 kref_get(&(t->count)); 847 848 return t; 849 } 850 851 static void put_multi_transaction(struct multi_transaction *t) 852 { 853 if (t) 854 kref_put(&(t->count), multi_transaction_kref); 855 } 856 857 /* does not increment @new's count */ 858 static void multi_transaction_set(struct file *file, 859 struct multi_transaction *new, size_t n) 860 { 861 struct multi_transaction *old; 862 863 AA_BUG(n > MULTI_TRANSACTION_LIMIT); 864 865 new->size = n; 866 spin_lock(&file->f_lock); 867 old = (struct multi_transaction *) file->private_data; 868 file->private_data = new; 869 spin_unlock(&file->f_lock); 870 put_multi_transaction(old); 871 } 872 873 static struct multi_transaction *multi_transaction_new(struct file *file, 874 const char __user *buf, 875 size_t size) 876 { 877 struct multi_transaction *t; 878 879 if (size > MULTI_TRANSACTION_LIMIT - 1) 880 return ERR_PTR(-EFBIG); 881 882 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL); 883 if (!t) 884 return ERR_PTR(-ENOMEM); 885 kref_init(&t->count); 886 if (copy_from_user(t->data, buf, size)) { 887 put_multi_transaction(t); 888 return ERR_PTR(-EFAULT); 889 } 890 891 return t; 892 } 893 894 static ssize_t multi_transaction_read(struct file *file, char __user *buf, 895 size_t size, loff_t *pos) 896 { 897 struct multi_transaction *t; 898 ssize_t ret; 899 900 spin_lock(&file->f_lock); 901 t = get_multi_transaction(file->private_data); 902 spin_unlock(&file->f_lock); 903 904 if (!t) 905 return 0; 906 907 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); 908 put_multi_transaction(t); 909 910 return ret; 911 } 912 913 static int multi_transaction_release(struct inode *inode, struct file *file) 914 { 915 put_multi_transaction(file->private_data); 916 917 return 0; 918 } 919 920 #define QUERY_CMD_LABEL "label\0" 921 #define QUERY_CMD_LABEL_LEN 6 922 #define QUERY_CMD_PROFILE "profile\0" 923 #define QUERY_CMD_PROFILE_LEN 8 924 #define QUERY_CMD_LABELALL "labelall\0" 925 #define QUERY_CMD_LABELALL_LEN 9 926 #define QUERY_CMD_DATA "data\0" 927 #define QUERY_CMD_DATA_LEN 5 928 929 /** 930 * aa_write_access - generic permissions and data query 931 * @file: pointer to open apparmorfs/access file 932 * @ubuf: user buffer containing the complete query string (NOT NULL) 933 * @count: size of ubuf 934 * @ppos: position in the file (MUST BE ZERO) 935 * 936 * Allows for one permissions or data query per open(), write(), and read() 937 * sequence. The only queries currently supported are label-based queries for 938 * permissions or data. 939 * 940 * For permissions queries, ubuf must begin with "label\0", followed by the 941 * profile query specific format described in the query_label() function 942 * documentation. 943 * 944 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 945 * <LABEL> is the name of the security confinement context and <KEY> is the 946 * name of the data to retrieve. 947 * 948 * Returns: number of bytes written or -errno on failure 949 */ 950 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 951 size_t count, loff_t *ppos) 952 { 953 struct multi_transaction *t; 954 ssize_t len; 955 956 if (*ppos) 957 return -ESPIPE; 958 959 t = multi_transaction_new(file, ubuf, count); 960 if (IS_ERR(t)) 961 return PTR_ERR(t); 962 963 if (count > QUERY_CMD_PROFILE_LEN && 964 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { 965 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 966 t->data + QUERY_CMD_PROFILE_LEN, 967 count - QUERY_CMD_PROFILE_LEN, true); 968 } else if (count > QUERY_CMD_LABEL_LEN && 969 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { 970 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 971 t->data + QUERY_CMD_LABEL_LEN, 972 count - QUERY_CMD_LABEL_LEN, true); 973 } else if (count > QUERY_CMD_LABELALL_LEN && 974 !memcmp(t->data, QUERY_CMD_LABELALL, 975 QUERY_CMD_LABELALL_LEN)) { 976 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 977 t->data + QUERY_CMD_LABELALL_LEN, 978 count - QUERY_CMD_LABELALL_LEN, false); 979 } else if (count > QUERY_CMD_DATA_LEN && 980 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 981 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, 982 t->data + QUERY_CMD_DATA_LEN, 983 count - QUERY_CMD_DATA_LEN); 984 } else 985 len = -EINVAL; 986 987 if (len < 0) { 988 put_multi_transaction(t); 989 return len; 990 } 991 992 multi_transaction_set(file, t, len); 993 994 return count; 995 } 996 997 static const struct file_operations aa_sfs_access = { 998 .write = aa_write_access, 999 .read = multi_transaction_read, 1000 .release = multi_transaction_release, 1001 .llseek = generic_file_llseek, 1002 }; 1003 1004 static int aa_sfs_seq_show(struct seq_file *seq, void *v) 1005 { 1006 struct aa_sfs_entry *fs_file = seq->private; 1007 1008 if (!fs_file) 1009 return 0; 1010 1011 switch (fs_file->v_type) { 1012 case AA_SFS_TYPE_BOOLEAN: 1013 seq_printf(seq, "%s\n", str_yes_no(fs_file->v.boolean)); 1014 break; 1015 case AA_SFS_TYPE_STRING: 1016 seq_printf(seq, "%s\n", fs_file->v.string); 1017 break; 1018 case AA_SFS_TYPE_U64: 1019 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 1020 break; 1021 default: 1022 /* Ignore unprintable entry types. */ 1023 break; 1024 } 1025 1026 return 0; 1027 } 1028 1029 static int aa_sfs_seq_open(struct inode *inode, struct file *file) 1030 { 1031 return single_open(file, aa_sfs_seq_show, inode->i_private); 1032 } 1033 1034 const struct file_operations aa_sfs_seq_file_ops = { 1035 .owner = THIS_MODULE, 1036 .open = aa_sfs_seq_open, 1037 .read = seq_read, 1038 .llseek = seq_lseek, 1039 .release = single_release, 1040 }; 1041 1042 /* 1043 * profile based file operations 1044 * policy/profiles/XXXX/profiles/ * 1045 */ 1046 1047 #define SEQ_PROFILE_FOPS(NAME) \ 1048 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1049 { \ 1050 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \ 1051 } \ 1052 \ 1053 static const struct file_operations seq_profile_ ##NAME ##_fops = { \ 1054 .owner = THIS_MODULE, \ 1055 .open = seq_profile_ ##NAME ##_open, \ 1056 .read = seq_read, \ 1057 .llseek = seq_lseek, \ 1058 .release = seq_profile_release, \ 1059 } \ 1060 1061 static int seq_profile_open(struct inode *inode, struct file *file, 1062 int (*show)(struct seq_file *, void *)) 1063 { 1064 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); 1065 int error = single_open(file, show, proxy); 1066 1067 if (error) { 1068 file->private_data = NULL; 1069 aa_put_proxy(proxy); 1070 } 1071 1072 return error; 1073 } 1074 1075 static int seq_profile_release(struct inode *inode, struct file *file) 1076 { 1077 struct seq_file *seq = (struct seq_file *) file->private_data; 1078 if (seq) 1079 aa_put_proxy(seq->private); 1080 return single_release(inode, file); 1081 } 1082 1083 static int seq_profile_name_show(struct seq_file *seq, void *v) 1084 { 1085 struct aa_proxy *proxy = seq->private; 1086 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1087 struct aa_profile *profile = labels_profile(label); 1088 seq_printf(seq, "%s\n", profile->base.name); 1089 aa_put_label(label); 1090 1091 return 0; 1092 } 1093 1094 static int seq_profile_mode_show(struct seq_file *seq, void *v) 1095 { 1096 struct aa_proxy *proxy = seq->private; 1097 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1098 struct aa_profile *profile = labels_profile(label); 1099 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 1100 aa_put_label(label); 1101 1102 return 0; 1103 } 1104 1105 static int seq_profile_attach_show(struct seq_file *seq, void *v) 1106 { 1107 struct aa_proxy *proxy = seq->private; 1108 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1109 struct aa_profile *profile = labels_profile(label); 1110 if (profile->attach.xmatch_str) 1111 seq_printf(seq, "%s\n", profile->attach.xmatch_str); 1112 else if (profile->attach.xmatch->dfa) 1113 seq_puts(seq, "<unknown>\n"); 1114 else 1115 seq_printf(seq, "%s\n", profile->base.name); 1116 aa_put_label(label); 1117 1118 return 0; 1119 } 1120 1121 static int seq_profile_hash_show(struct seq_file *seq, void *v) 1122 { 1123 struct aa_proxy *proxy = seq->private; 1124 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1125 struct aa_profile *profile = labels_profile(label); 1126 unsigned int i, size = aa_hash_size(); 1127 1128 if (profile->hash) { 1129 for (i = 0; i < size; i++) 1130 seq_printf(seq, "%.2x", profile->hash[i]); 1131 seq_putc(seq, '\n'); 1132 } 1133 aa_put_label(label); 1134 1135 return 0; 1136 } 1137 1138 SEQ_PROFILE_FOPS(name); 1139 SEQ_PROFILE_FOPS(mode); 1140 SEQ_PROFILE_FOPS(attach); 1141 SEQ_PROFILE_FOPS(hash); 1142 1143 /* 1144 * namespace based files 1145 * several root files and 1146 * policy/ * 1147 */ 1148 1149 #define SEQ_NS_FOPS(NAME) \ 1150 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \ 1151 { \ 1152 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \ 1153 } \ 1154 \ 1155 static const struct file_operations seq_ns_ ##NAME ##_fops = { \ 1156 .owner = THIS_MODULE, \ 1157 .open = seq_ns_ ##NAME ##_open, \ 1158 .read = seq_read, \ 1159 .llseek = seq_lseek, \ 1160 .release = single_release, \ 1161 } \ 1162 1163 static int seq_ns_stacked_show(struct seq_file *seq, void *v) 1164 { 1165 struct aa_label *label; 1166 1167 label = begin_current_label_crit_section(); 1168 seq_printf(seq, "%s\n", str_yes_no(label->size > 1)); 1169 end_current_label_crit_section(label); 1170 1171 return 0; 1172 } 1173 1174 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v) 1175 { 1176 struct aa_label *label; 1177 struct aa_profile *profile; 1178 struct label_it it; 1179 int count = 1; 1180 1181 label = begin_current_label_crit_section(); 1182 1183 if (label->size > 1) { 1184 label_for_each(it, label, profile) 1185 if (profile->ns != labels_ns(label)) { 1186 count++; 1187 break; 1188 } 1189 } 1190 1191 seq_printf(seq, "%s\n", str_yes_no(count > 1)); 1192 end_current_label_crit_section(label); 1193 1194 return 0; 1195 } 1196 1197 static int seq_ns_level_show(struct seq_file *seq, void *v) 1198 { 1199 struct aa_label *label; 1200 1201 label = begin_current_label_crit_section(); 1202 seq_printf(seq, "%d\n", labels_ns(label)->level); 1203 end_current_label_crit_section(label); 1204 1205 return 0; 1206 } 1207 1208 static int seq_ns_name_show(struct seq_file *seq, void *v) 1209 { 1210 struct aa_label *label = begin_current_label_crit_section(); 1211 seq_printf(seq, "%s\n", labels_ns(label)->base.name); 1212 end_current_label_crit_section(label); 1213 1214 return 0; 1215 } 1216 1217 static int seq_ns_compress_min_show(struct seq_file *seq, void *v) 1218 { 1219 seq_printf(seq, "%d\n", AA_MIN_CLEVEL); 1220 return 0; 1221 } 1222 1223 static int seq_ns_compress_max_show(struct seq_file *seq, void *v) 1224 { 1225 seq_printf(seq, "%d\n", AA_MAX_CLEVEL); 1226 return 0; 1227 } 1228 1229 SEQ_NS_FOPS(stacked); 1230 SEQ_NS_FOPS(nsstacked); 1231 SEQ_NS_FOPS(level); 1232 SEQ_NS_FOPS(name); 1233 SEQ_NS_FOPS(compress_min); 1234 SEQ_NS_FOPS(compress_max); 1235 1236 1237 /* policy/raw_data/ * file ops */ 1238 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1239 #define SEQ_RAWDATA_FOPS(NAME) \ 1240 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1241 { \ 1242 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1243 } \ 1244 \ 1245 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1246 .owner = THIS_MODULE, \ 1247 .open = seq_rawdata_ ##NAME ##_open, \ 1248 .read = seq_read, \ 1249 .llseek = seq_lseek, \ 1250 .release = seq_rawdata_release, \ 1251 } \ 1252 1253 static int seq_rawdata_open(struct inode *inode, struct file *file, 1254 int (*show)(struct seq_file *, void *)) 1255 { 1256 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private); 1257 int error; 1258 1259 if (!data) 1260 /* lost race this ent is being reaped */ 1261 return -ENOENT; 1262 1263 error = single_open(file, show, data); 1264 if (error) { 1265 AA_BUG(file->private_data && 1266 ((struct seq_file *)file->private_data)->private); 1267 aa_put_loaddata(data); 1268 } 1269 1270 return error; 1271 } 1272 1273 static int seq_rawdata_release(struct inode *inode, struct file *file) 1274 { 1275 struct seq_file *seq = (struct seq_file *) file->private_data; 1276 1277 if (seq) 1278 aa_put_loaddata(seq->private); 1279 1280 return single_release(inode, file); 1281 } 1282 1283 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1284 { 1285 struct aa_loaddata *data = seq->private; 1286 1287 seq_printf(seq, "v%d\n", data->abi); 1288 1289 return 0; 1290 } 1291 1292 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1293 { 1294 struct aa_loaddata *data = seq->private; 1295 1296 seq_printf(seq, "%ld\n", data->revision); 1297 1298 return 0; 1299 } 1300 1301 static int seq_rawdata_hash_show(struct seq_file *seq, void *v) 1302 { 1303 struct aa_loaddata *data = seq->private; 1304 unsigned int i, size = aa_hash_size(); 1305 1306 if (data->hash) { 1307 for (i = 0; i < size; i++) 1308 seq_printf(seq, "%.2x", data->hash[i]); 1309 seq_putc(seq, '\n'); 1310 } 1311 1312 return 0; 1313 } 1314 1315 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v) 1316 { 1317 struct aa_loaddata *data = seq->private; 1318 1319 seq_printf(seq, "%zu\n", data->compressed_size); 1320 1321 return 0; 1322 } 1323 1324 SEQ_RAWDATA_FOPS(abi); 1325 SEQ_RAWDATA_FOPS(revision); 1326 SEQ_RAWDATA_FOPS(hash); 1327 SEQ_RAWDATA_FOPS(compressed_size); 1328 1329 static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen) 1330 { 1331 if (slen < dlen) { 1332 const size_t wksp_len = zstd_dctx_workspace_bound(); 1333 zstd_dctx *ctx; 1334 void *wksp; 1335 size_t out_len; 1336 int ret = 0; 1337 1338 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1339 if (!wksp) { 1340 ret = -ENOMEM; 1341 goto cleanup; 1342 } 1343 ctx = zstd_init_dctx(wksp, wksp_len); 1344 if (ctx == NULL) { 1345 ret = -ENOMEM; 1346 goto cleanup; 1347 } 1348 out_len = zstd_decompress_dctx(ctx, dst, dlen, src, slen); 1349 if (zstd_is_error(out_len)) { 1350 ret = -EINVAL; 1351 goto cleanup; 1352 } 1353 cleanup: 1354 kvfree(wksp); 1355 return ret; 1356 } 1357 1358 if (dlen < slen) 1359 return -EINVAL; 1360 memcpy(dst, src, slen); 1361 return 0; 1362 } 1363 1364 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1365 loff_t *ppos) 1366 { 1367 struct rawdata_f_data *private = file->private_data; 1368 1369 return simple_read_from_buffer(buf, size, ppos, 1370 RAWDATA_F_DATA_BUF(private), 1371 private->loaddata->size); 1372 } 1373 1374 static int rawdata_release(struct inode *inode, struct file *file) 1375 { 1376 rawdata_f_data_free(file->private_data); 1377 1378 return 0; 1379 } 1380 1381 static int rawdata_open(struct inode *inode, struct file *file) 1382 { 1383 int error; 1384 struct aa_loaddata *loaddata; 1385 struct rawdata_f_data *private; 1386 1387 if (!aa_current_policy_view_capable(NULL)) 1388 return -EACCES; 1389 1390 loaddata = __aa_get_loaddata(inode->i_private); 1391 if (!loaddata) 1392 /* lost race: this entry is being reaped */ 1393 return -ENOENT; 1394 1395 private = rawdata_f_data_alloc(loaddata->size); 1396 if (IS_ERR(private)) { 1397 error = PTR_ERR(private); 1398 goto fail_private_alloc; 1399 } 1400 1401 private->loaddata = loaddata; 1402 1403 error = decompress_zstd(loaddata->data, loaddata->compressed_size, 1404 RAWDATA_F_DATA_BUF(private), 1405 loaddata->size); 1406 if (error) 1407 goto fail_decompress; 1408 1409 file->private_data = private; 1410 return 0; 1411 1412 fail_decompress: 1413 rawdata_f_data_free(private); 1414 return error; 1415 1416 fail_private_alloc: 1417 aa_put_loaddata(loaddata); 1418 return error; 1419 } 1420 1421 static const struct file_operations rawdata_fops = { 1422 .open = rawdata_open, 1423 .read = rawdata_read, 1424 .llseek = generic_file_llseek, 1425 .release = rawdata_release, 1426 }; 1427 1428 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1429 { 1430 int i; 1431 1432 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1433 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1434 /* no refcounts on i_private */ 1435 aafs_remove(rawdata->dents[i]); 1436 rawdata->dents[i] = NULL; 1437 } 1438 } 1439 } 1440 1441 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1442 { 1443 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1444 1445 if (rawdata->ns) { 1446 remove_rawdata_dents(rawdata); 1447 list_del_init(&rawdata->list); 1448 aa_put_ns(rawdata->ns); 1449 rawdata->ns = NULL; 1450 } 1451 } 1452 1453 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1454 { 1455 struct dentry *dent, *dir; 1456 1457 AA_BUG(!ns); 1458 AA_BUG(!rawdata); 1459 AA_BUG(!mutex_is_locked(&ns->lock)); 1460 AA_BUG(!ns_subdata_dir(ns)); 1461 1462 /* 1463 * just use ns revision dir was originally created at. This is 1464 * under ns->lock and if load is successful revision will be 1465 * bumped and is guaranteed to be unique 1466 */ 1467 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1468 if (!rawdata->name) 1469 return -ENOMEM; 1470 1471 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1472 if (IS_ERR(dir)) 1473 /* ->name freed when rawdata freed */ 1474 return PTR_ERR(dir); 1475 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1476 1477 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, 1478 &seq_rawdata_abi_fops); 1479 if (IS_ERR(dent)) 1480 goto fail; 1481 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1482 1483 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, 1484 &seq_rawdata_revision_fops); 1485 if (IS_ERR(dent)) 1486 goto fail; 1487 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1488 1489 if (aa_g_hash_policy) { 1490 dent = aafs_create_file("sha256", S_IFREG | 0444, dir, 1491 rawdata, &seq_rawdata_hash_fops); 1492 if (IS_ERR(dent)) 1493 goto fail; 1494 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1495 } 1496 1497 dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, 1498 rawdata, 1499 &seq_rawdata_compressed_size_fops); 1500 if (IS_ERR(dent)) 1501 goto fail; 1502 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; 1503 1504 dent = aafs_create_file("raw_data", S_IFREG | 0444, 1505 dir, rawdata, &rawdata_fops); 1506 if (IS_ERR(dent)) 1507 goto fail; 1508 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1509 d_inode(dent)->i_size = rawdata->size; 1510 1511 rawdata->ns = aa_get_ns(ns); 1512 list_add(&rawdata->list, &ns->rawdata_list); 1513 /* no refcount on inode rawdata */ 1514 1515 return 0; 1516 1517 fail: 1518 remove_rawdata_dents(rawdata); 1519 1520 return PTR_ERR(dent); 1521 } 1522 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1523 1524 1525 /** fns to setup dynamic per profile/namespace files **/ 1526 1527 /* 1528 * 1529 * Requires: @profile->ns->lock held 1530 */ 1531 void __aafs_profile_rmdir(struct aa_profile *profile) 1532 { 1533 struct aa_profile *child; 1534 int i; 1535 1536 if (!profile) 1537 return; 1538 1539 list_for_each_entry(child, &profile->base.profiles, base.list) 1540 __aafs_profile_rmdir(child); 1541 1542 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1543 struct aa_proxy *proxy; 1544 if (!profile->dents[i]) 1545 continue; 1546 1547 proxy = d_inode(profile->dents[i])->i_private; 1548 aafs_remove(profile->dents[i]); 1549 aa_put_proxy(proxy); 1550 profile->dents[i] = NULL; 1551 } 1552 } 1553 1554 /* 1555 * 1556 * Requires: @old->ns->lock held 1557 */ 1558 void __aafs_profile_migrate_dents(struct aa_profile *old, 1559 struct aa_profile *new) 1560 { 1561 int i; 1562 1563 AA_BUG(!old); 1564 AA_BUG(!new); 1565 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1566 1567 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1568 new->dents[i] = old->dents[i]; 1569 if (new->dents[i]) { 1570 struct inode *inode = d_inode(new->dents[i]); 1571 1572 inode_set_mtime_to_ts(inode, 1573 inode_set_ctime_current(inode)); 1574 } 1575 old->dents[i] = NULL; 1576 } 1577 } 1578 1579 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1580 struct aa_profile *profile, 1581 const struct file_operations *fops) 1582 { 1583 struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); 1584 struct dentry *dent; 1585 1586 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops); 1587 if (IS_ERR(dent)) 1588 aa_put_proxy(proxy); 1589 1590 return dent; 1591 } 1592 1593 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1594 static int profile_depth(struct aa_profile *profile) 1595 { 1596 int depth = 0; 1597 1598 rcu_read_lock(); 1599 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1600 depth++; 1601 rcu_read_unlock(); 1602 1603 return depth; 1604 } 1605 1606 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1607 { 1608 char *buffer, *s; 1609 int error; 1610 int size = depth * 6 + strlen(dirname) + strlen(fname) + 11; 1611 1612 s = buffer = kmalloc(size, GFP_KERNEL); 1613 if (!buffer) 1614 return ERR_PTR(-ENOMEM); 1615 1616 for (; depth > 0; depth--) { 1617 strcpy(s, "../../"); 1618 s += 6; 1619 size -= 6; 1620 } 1621 1622 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1623 if (error >= size || error < 0) { 1624 kfree(buffer); 1625 return ERR_PTR(-ENAMETOOLONG); 1626 } 1627 1628 return buffer; 1629 } 1630 1631 static const char *rawdata_get_link_base(struct dentry *dentry, 1632 struct inode *inode, 1633 struct delayed_call *done, 1634 const char *name) 1635 { 1636 struct aa_proxy *proxy = inode->i_private; 1637 struct aa_label *label; 1638 struct aa_profile *profile; 1639 char *target; 1640 int depth; 1641 1642 if (!dentry) 1643 return ERR_PTR(-ECHILD); 1644 1645 label = aa_get_label_rcu(&proxy->label); 1646 profile = labels_profile(label); 1647 depth = profile_depth(profile); 1648 target = gen_symlink_name(depth, profile->rawdata->name, name); 1649 aa_put_label(label); 1650 1651 if (IS_ERR(target)) 1652 return target; 1653 1654 set_delayed_call(done, kfree_link, target); 1655 1656 return target; 1657 } 1658 1659 static const char *rawdata_get_link_sha256(struct dentry *dentry, 1660 struct inode *inode, 1661 struct delayed_call *done) 1662 { 1663 return rawdata_get_link_base(dentry, inode, done, "sha256"); 1664 } 1665 1666 static const char *rawdata_get_link_abi(struct dentry *dentry, 1667 struct inode *inode, 1668 struct delayed_call *done) 1669 { 1670 return rawdata_get_link_base(dentry, inode, done, "abi"); 1671 } 1672 1673 static const char *rawdata_get_link_data(struct dentry *dentry, 1674 struct inode *inode, 1675 struct delayed_call *done) 1676 { 1677 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1678 } 1679 1680 static const struct inode_operations rawdata_link_sha256_iops = { 1681 .get_link = rawdata_get_link_sha256, 1682 }; 1683 1684 static const struct inode_operations rawdata_link_abi_iops = { 1685 .get_link = rawdata_get_link_abi, 1686 }; 1687 static const struct inode_operations rawdata_link_data_iops = { 1688 .get_link = rawdata_get_link_data, 1689 }; 1690 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1691 1692 /* 1693 * Requires: @profile->ns->lock held 1694 */ 1695 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1696 { 1697 struct aa_profile *child; 1698 struct dentry *dent = NULL, *dir; 1699 int error; 1700 1701 AA_BUG(!profile); 1702 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1703 1704 if (!parent) { 1705 struct aa_profile *p; 1706 p = aa_deref_parent(profile); 1707 dent = prof_dir(p); 1708 if (!dent) { 1709 error = -ENOENT; 1710 goto fail2; 1711 } 1712 /* adding to parent that previously didn't have children */ 1713 dent = aafs_create_dir("profiles", dent); 1714 if (IS_ERR(dent)) 1715 goto fail; 1716 prof_child_dir(p) = parent = dent; 1717 } 1718 1719 if (!profile->dirname) { 1720 int len, id_len; 1721 len = mangle_name(profile->base.name, NULL); 1722 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1723 1724 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1725 if (!profile->dirname) { 1726 error = -ENOMEM; 1727 goto fail2; 1728 } 1729 1730 mangle_name(profile->base.name, profile->dirname); 1731 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1732 } 1733 1734 dent = aafs_create_dir(profile->dirname, parent); 1735 if (IS_ERR(dent)) 1736 goto fail; 1737 prof_dir(profile) = dir = dent; 1738 1739 dent = create_profile_file(dir, "name", profile, 1740 &seq_profile_name_fops); 1741 if (IS_ERR(dent)) 1742 goto fail; 1743 profile->dents[AAFS_PROF_NAME] = dent; 1744 1745 dent = create_profile_file(dir, "mode", profile, 1746 &seq_profile_mode_fops); 1747 if (IS_ERR(dent)) 1748 goto fail; 1749 profile->dents[AAFS_PROF_MODE] = dent; 1750 1751 dent = create_profile_file(dir, "attach", profile, 1752 &seq_profile_attach_fops); 1753 if (IS_ERR(dent)) 1754 goto fail; 1755 profile->dents[AAFS_PROF_ATTACH] = dent; 1756 1757 if (profile->hash) { 1758 dent = create_profile_file(dir, "sha256", profile, 1759 &seq_profile_hash_fops); 1760 if (IS_ERR(dent)) 1761 goto fail; 1762 profile->dents[AAFS_PROF_HASH] = dent; 1763 } 1764 1765 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1766 if (profile->rawdata) { 1767 if (aa_g_hash_policy) { 1768 dent = aafs_create("raw_sha256", S_IFLNK | 0444, dir, 1769 profile->label.proxy, NULL, NULL, 1770 &rawdata_link_sha256_iops); 1771 if (IS_ERR(dent)) 1772 goto fail; 1773 aa_get_proxy(profile->label.proxy); 1774 profile->dents[AAFS_PROF_RAW_HASH] = dent; 1775 } 1776 dent = aafs_create("raw_abi", S_IFLNK | 0444, dir, 1777 profile->label.proxy, NULL, NULL, 1778 &rawdata_link_abi_iops); 1779 if (IS_ERR(dent)) 1780 goto fail; 1781 aa_get_proxy(profile->label.proxy); 1782 profile->dents[AAFS_PROF_RAW_ABI] = dent; 1783 1784 dent = aafs_create("raw_data", S_IFLNK | 0444, dir, 1785 profile->label.proxy, NULL, NULL, 1786 &rawdata_link_data_iops); 1787 if (IS_ERR(dent)) 1788 goto fail; 1789 aa_get_proxy(profile->label.proxy); 1790 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1791 } 1792 #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1793 1794 list_for_each_entry(child, &profile->base.profiles, base.list) { 1795 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1796 if (error) 1797 goto fail2; 1798 } 1799 1800 return 0; 1801 1802 fail: 1803 error = PTR_ERR(dent); 1804 1805 fail2: 1806 __aafs_profile_rmdir(profile); 1807 1808 return error; 1809 } 1810 1811 static struct dentry *ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, 1812 struct dentry *dentry, umode_t mode) 1813 { 1814 struct aa_ns *ns, *parent; 1815 /* TODO: improve permission check */ 1816 struct aa_label *label; 1817 int error; 1818 1819 label = begin_current_label_crit_section(); 1820 error = aa_may_manage_policy(current_cred(), label, NULL, 1821 AA_MAY_LOAD_POLICY); 1822 end_current_label_crit_section(label); 1823 if (error) 1824 return ERR_PTR(error); 1825 1826 parent = aa_get_ns(dir->i_private); 1827 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1828 1829 /* we have to unlock and then relock to get locking order right 1830 * for pin_fs 1831 */ 1832 inode_unlock(dir); 1833 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1834 mutex_lock_nested(&parent->lock, parent->level); 1835 inode_lock_nested(dir, I_MUTEX_PARENT); 1836 if (error) 1837 goto out; 1838 1839 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1840 NULL, NULL, NULL); 1841 if (error) 1842 goto out_pin; 1843 1844 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1845 dentry); 1846 if (IS_ERR(ns)) { 1847 error = PTR_ERR(ns); 1848 ns = NULL; 1849 } 1850 1851 aa_put_ns(ns); /* list ref remains */ 1852 out_pin: 1853 if (error) 1854 simple_release_fs(&aafs_mnt, &aafs_count); 1855 out: 1856 mutex_unlock(&parent->lock); 1857 aa_put_ns(parent); 1858 1859 return ERR_PTR(error); 1860 } 1861 1862 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1863 { 1864 struct aa_ns *ns, *parent; 1865 /* TODO: improve permission check */ 1866 struct aa_label *label; 1867 int error; 1868 1869 label = begin_current_label_crit_section(); 1870 error = aa_may_manage_policy(current_cred(), label, NULL, 1871 AA_MAY_LOAD_POLICY); 1872 end_current_label_crit_section(label); 1873 if (error) 1874 return error; 1875 1876 parent = aa_get_ns(dir->i_private); 1877 /* rmdir calls the generic securityfs functions to remove files 1878 * from the apparmor dir. It is up to the apparmor ns locking 1879 * to avoid races. 1880 */ 1881 inode_unlock(dir); 1882 inode_unlock(dentry->d_inode); 1883 1884 mutex_lock_nested(&parent->lock, parent->level); 1885 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 1886 dentry->d_name.len)); 1887 if (!ns) { 1888 error = -ENOENT; 1889 goto out; 1890 } 1891 AA_BUG(ns_dir(ns) != dentry); 1892 1893 __aa_remove_ns(ns); 1894 aa_put_ns(ns); 1895 1896 out: 1897 mutex_unlock(&parent->lock); 1898 inode_lock_nested(dir, I_MUTEX_PARENT); 1899 inode_lock(dentry->d_inode); 1900 aa_put_ns(parent); 1901 1902 return error; 1903 } 1904 1905 static const struct inode_operations ns_dir_inode_operations = { 1906 .lookup = simple_lookup, 1907 .mkdir = ns_mkdir_op, 1908 .rmdir = ns_rmdir_op, 1909 }; 1910 1911 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1912 { 1913 struct aa_loaddata *ent, *tmp; 1914 1915 AA_BUG(!mutex_is_locked(&ns->lock)); 1916 1917 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1918 __aa_fs_remove_rawdata(ent); 1919 } 1920 1921 /* 1922 * 1923 * Requires: @ns->lock held 1924 */ 1925 void __aafs_ns_rmdir(struct aa_ns *ns) 1926 { 1927 struct aa_ns *sub; 1928 struct aa_profile *child; 1929 int i; 1930 1931 if (!ns) 1932 return; 1933 AA_BUG(!mutex_is_locked(&ns->lock)); 1934 1935 list_for_each_entry(child, &ns->base.profiles, base.list) 1936 __aafs_profile_rmdir(child); 1937 1938 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1939 mutex_lock_nested(&sub->lock, sub->level); 1940 __aafs_ns_rmdir(sub); 1941 mutex_unlock(&sub->lock); 1942 } 1943 1944 __aa_fs_list_remove_rawdata(ns); 1945 1946 if (ns_subns_dir(ns)) { 1947 sub = d_inode(ns_subns_dir(ns))->i_private; 1948 aa_put_ns(sub); 1949 } 1950 if (ns_subload(ns)) { 1951 sub = d_inode(ns_subload(ns))->i_private; 1952 aa_put_ns(sub); 1953 } 1954 if (ns_subreplace(ns)) { 1955 sub = d_inode(ns_subreplace(ns))->i_private; 1956 aa_put_ns(sub); 1957 } 1958 if (ns_subremove(ns)) { 1959 sub = d_inode(ns_subremove(ns))->i_private; 1960 aa_put_ns(sub); 1961 } 1962 if (ns_subrevision(ns)) { 1963 sub = d_inode(ns_subrevision(ns))->i_private; 1964 aa_put_ns(sub); 1965 } 1966 1967 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1968 aafs_remove(ns->dents[i]); 1969 ns->dents[i] = NULL; 1970 } 1971 } 1972 1973 /* assumes cleanup in caller */ 1974 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 1975 { 1976 struct dentry *dent; 1977 1978 AA_BUG(!ns); 1979 AA_BUG(!dir); 1980 1981 dent = aafs_create_dir("profiles", dir); 1982 if (IS_ERR(dent)) 1983 return PTR_ERR(dent); 1984 ns_subprofs_dir(ns) = dent; 1985 1986 dent = aafs_create_dir("raw_data", dir); 1987 if (IS_ERR(dent)) 1988 return PTR_ERR(dent); 1989 ns_subdata_dir(ns) = dent; 1990 1991 dent = aafs_create_file("revision", 0444, dir, ns, 1992 &aa_fs_ns_revision_fops); 1993 if (IS_ERR(dent)) 1994 return PTR_ERR(dent); 1995 aa_get_ns(ns); 1996 ns_subrevision(ns) = dent; 1997 1998 dent = aafs_create_file(".load", 0640, dir, ns, 1999 &aa_fs_profile_load); 2000 if (IS_ERR(dent)) 2001 return PTR_ERR(dent); 2002 aa_get_ns(ns); 2003 ns_subload(ns) = dent; 2004 2005 dent = aafs_create_file(".replace", 0640, dir, ns, 2006 &aa_fs_profile_replace); 2007 if (IS_ERR(dent)) 2008 return PTR_ERR(dent); 2009 aa_get_ns(ns); 2010 ns_subreplace(ns) = dent; 2011 2012 dent = aafs_create_file(".remove", 0640, dir, ns, 2013 &aa_fs_profile_remove); 2014 if (IS_ERR(dent)) 2015 return PTR_ERR(dent); 2016 aa_get_ns(ns); 2017 ns_subremove(ns) = dent; 2018 2019 /* use create_dentry so we can supply private data */ 2020 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL, 2021 &ns_dir_inode_operations); 2022 if (IS_ERR(dent)) 2023 return PTR_ERR(dent); 2024 aa_get_ns(ns); 2025 ns_subns_dir(ns) = dent; 2026 2027 return 0; 2028 } 2029 2030 /* 2031 * Requires: @ns->lock held 2032 */ 2033 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 2034 struct dentry *dent) 2035 { 2036 struct aa_ns *sub; 2037 struct aa_profile *child; 2038 struct dentry *dir; 2039 int error; 2040 2041 AA_BUG(!ns); 2042 AA_BUG(!parent); 2043 AA_BUG(!mutex_is_locked(&ns->lock)); 2044 2045 if (!name) 2046 name = ns->base.name; 2047 2048 if (!dent) { 2049 /* create ns dir if it doesn't already exist */ 2050 dent = aafs_create_dir(name, parent); 2051 if (IS_ERR(dent)) 2052 goto fail; 2053 } else 2054 dget(dent); 2055 ns_dir(ns) = dir = dent; 2056 error = __aafs_ns_mkdir_entries(ns, dir); 2057 if (error) 2058 goto fail2; 2059 2060 /* profiles */ 2061 list_for_each_entry(child, &ns->base.profiles, base.list) { 2062 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 2063 if (error) 2064 goto fail2; 2065 } 2066 2067 /* subnamespaces */ 2068 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2069 mutex_lock_nested(&sub->lock, sub->level); 2070 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 2071 mutex_unlock(&sub->lock); 2072 if (error) 2073 goto fail2; 2074 } 2075 2076 return 0; 2077 2078 fail: 2079 error = PTR_ERR(dent); 2080 2081 fail2: 2082 __aafs_ns_rmdir(ns); 2083 2084 return error; 2085 } 2086 2087 /** 2088 * __next_ns - find the next namespace to list 2089 * @root: root namespace to stop search at (NOT NULL) 2090 * @ns: current ns position (NOT NULL) 2091 * 2092 * Find the next namespace from @ns under @root and handle all locking needed 2093 * while switching current namespace. 2094 * 2095 * Returns: next namespace or NULL if at last namespace under @root 2096 * Requires: ns->parent->lock to be held 2097 * NOTE: will not unlock root->lock 2098 */ 2099 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 2100 { 2101 struct aa_ns *parent, *next; 2102 2103 AA_BUG(!root); 2104 AA_BUG(!ns); 2105 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 2106 2107 /* is next namespace a child */ 2108 if (!list_empty(&ns->sub_ns)) { 2109 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 2110 mutex_lock_nested(&next->lock, next->level); 2111 return next; 2112 } 2113 2114 /* check if the next ns is a sibling, parent, gp, .. */ 2115 parent = ns->parent; 2116 while (ns != root) { 2117 mutex_unlock(&ns->lock); 2118 next = list_next_entry(ns, base.list); 2119 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 2120 mutex_lock_nested(&next->lock, next->level); 2121 return next; 2122 } 2123 ns = parent; 2124 parent = parent->parent; 2125 } 2126 2127 return NULL; 2128 } 2129 2130 /** 2131 * __first_profile - find the first profile in a namespace 2132 * @root: namespace that is root of profiles being displayed (NOT NULL) 2133 * @ns: namespace to start in (NOT NULL) 2134 * 2135 * Returns: unrefcounted profile or NULL if no profile 2136 * Requires: profile->ns.lock to be held 2137 */ 2138 static struct aa_profile *__first_profile(struct aa_ns *root, 2139 struct aa_ns *ns) 2140 { 2141 AA_BUG(!root); 2142 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2143 2144 for (; ns; ns = __next_ns(root, ns)) { 2145 if (!list_empty(&ns->base.profiles)) 2146 return list_first_entry(&ns->base.profiles, 2147 struct aa_profile, base.list); 2148 } 2149 return NULL; 2150 } 2151 2152 /** 2153 * __next_profile - step to the next profile in a profile tree 2154 * @p: current profile in tree (NOT NULL) 2155 * 2156 * Perform a depth first traversal on the profile tree in a namespace 2157 * 2158 * Returns: next profile or NULL if done 2159 * Requires: profile->ns.lock to be held 2160 */ 2161 static struct aa_profile *__next_profile(struct aa_profile *p) 2162 { 2163 struct aa_profile *parent; 2164 struct aa_ns *ns = p->ns; 2165 2166 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2167 2168 /* is next profile a child */ 2169 if (!list_empty(&p->base.profiles)) 2170 return list_first_entry(&p->base.profiles, typeof(*p), 2171 base.list); 2172 2173 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2174 parent = rcu_dereference_protected(p->parent, 2175 mutex_is_locked(&p->ns->lock)); 2176 while (parent) { 2177 p = list_next_entry(p, base.list); 2178 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2179 return p; 2180 p = parent; 2181 parent = rcu_dereference_protected(parent->parent, 2182 mutex_is_locked(&parent->ns->lock)); 2183 } 2184 2185 /* is next another profile in the namespace */ 2186 p = list_next_entry(p, base.list); 2187 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2188 return p; 2189 2190 return NULL; 2191 } 2192 2193 /** 2194 * next_profile - step to the next profile in where ever it may be 2195 * @root: root namespace (NOT NULL) 2196 * @profile: current profile (NOT NULL) 2197 * 2198 * Returns: next profile or NULL if there isn't one 2199 */ 2200 static struct aa_profile *next_profile(struct aa_ns *root, 2201 struct aa_profile *profile) 2202 { 2203 struct aa_profile *next = __next_profile(profile); 2204 if (next) 2205 return next; 2206 2207 /* finished all profiles in namespace move to next namespace */ 2208 return __first_profile(root, __next_ns(root, profile->ns)); 2209 } 2210 2211 /** 2212 * p_start - start a depth first traversal of profile tree 2213 * @f: seq_file to fill 2214 * @pos: current position 2215 * 2216 * Returns: first profile under current namespace or NULL if none found 2217 * 2218 * acquires first ns->lock 2219 */ 2220 static void *p_start(struct seq_file *f, loff_t *pos) 2221 { 2222 struct aa_profile *profile = NULL; 2223 struct aa_ns *root = aa_get_current_ns(); 2224 loff_t l = *pos; 2225 f->private = root; 2226 2227 /* find the first profile */ 2228 mutex_lock_nested(&root->lock, root->level); 2229 profile = __first_profile(root, root); 2230 2231 /* skip to position */ 2232 for (; profile && l > 0; l--) 2233 profile = next_profile(root, profile); 2234 2235 return profile; 2236 } 2237 2238 /** 2239 * p_next - read the next profile entry 2240 * @f: seq_file to fill 2241 * @p: profile previously returned 2242 * @pos: current position 2243 * 2244 * Returns: next profile after @p or NULL if none 2245 * 2246 * may acquire/release locks in namespace tree as necessary 2247 */ 2248 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2249 { 2250 struct aa_profile *profile = p; 2251 struct aa_ns *ns = f->private; 2252 (*pos)++; 2253 2254 return next_profile(ns, profile); 2255 } 2256 2257 /** 2258 * p_stop - stop depth first traversal 2259 * @f: seq_file we are filling 2260 * @p: the last profile written 2261 * 2262 * Release all locking done by p_start/p_next on namespace tree 2263 */ 2264 static void p_stop(struct seq_file *f, void *p) 2265 { 2266 struct aa_profile *profile = p; 2267 struct aa_ns *root = f->private, *ns; 2268 2269 if (profile) { 2270 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2271 mutex_unlock(&ns->lock); 2272 } 2273 mutex_unlock(&root->lock); 2274 aa_put_ns(root); 2275 } 2276 2277 /** 2278 * seq_show_profile - show a profile entry 2279 * @f: seq_file to file 2280 * @p: current position (profile) (NOT NULL) 2281 * 2282 * Returns: error on failure 2283 */ 2284 static int seq_show_profile(struct seq_file *f, void *p) 2285 { 2286 struct aa_profile *profile = (struct aa_profile *)p; 2287 struct aa_ns *root = f->private; 2288 2289 aa_label_seq_xprint(f, root, &profile->label, 2290 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2291 seq_putc(f, '\n'); 2292 2293 return 0; 2294 } 2295 2296 static const struct seq_operations aa_sfs_profiles_op = { 2297 .start = p_start, 2298 .next = p_next, 2299 .stop = p_stop, 2300 .show = seq_show_profile, 2301 }; 2302 2303 static int profiles_open(struct inode *inode, struct file *file) 2304 { 2305 if (!aa_current_policy_view_capable(NULL)) 2306 return -EACCES; 2307 2308 return seq_open(file, &aa_sfs_profiles_op); 2309 } 2310 2311 static int profiles_release(struct inode *inode, struct file *file) 2312 { 2313 return seq_release(inode, file); 2314 } 2315 2316 static const struct file_operations aa_sfs_profiles_fops = { 2317 .open = profiles_open, 2318 .read = seq_read, 2319 .llseek = seq_lseek, 2320 .release = profiles_release, 2321 }; 2322 2323 2324 /** Base file system setup **/ 2325 static struct aa_sfs_entry aa_sfs_entry_file[] = { 2326 AA_SFS_FILE_STRING("mask", 2327 "create read write exec append mmap_exec link lock"), 2328 { } 2329 }; 2330 2331 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = { 2332 AA_SFS_FILE_STRING("mask", "read trace"), 2333 { } 2334 }; 2335 2336 static struct aa_sfs_entry aa_sfs_entry_signal[] = { 2337 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK), 2338 { } 2339 }; 2340 2341 static struct aa_sfs_entry aa_sfs_entry_attach[] = { 2342 AA_SFS_FILE_BOOLEAN("xattr", 1), 2343 { } 2344 }; 2345 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2346 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2347 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2348 AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1), 2349 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2350 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2351 AA_SFS_FILE_BOOLEAN("stack", 1), 2352 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 2353 AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1), 2354 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2355 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2356 AA_SFS_FILE_BOOLEAN("disconnected.path", 1), 2357 AA_SFS_FILE_BOOLEAN("kill.signal", 1), 2358 AA_SFS_FILE_STRING("version", "1.2"), 2359 { } 2360 }; 2361 2362 static struct aa_sfs_entry aa_sfs_entry_unconfined[] = { 2363 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2364 { } 2365 }; 2366 2367 static struct aa_sfs_entry aa_sfs_entry_versions[] = { 2368 AA_SFS_FILE_BOOLEAN("v5", 1), 2369 AA_SFS_FILE_BOOLEAN("v6", 1), 2370 AA_SFS_FILE_BOOLEAN("v7", 1), 2371 AA_SFS_FILE_BOOLEAN("v8", 1), 2372 AA_SFS_FILE_BOOLEAN("v9", 1), 2373 { } 2374 }; 2375 2376 #define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label" 2377 static struct aa_sfs_entry aa_sfs_entry_policy[] = { 2378 AA_SFS_DIR("versions", aa_sfs_entry_versions), 2379 AA_SFS_FILE_BOOLEAN("set_load", 1), 2380 /* number of out of band transitions supported */ 2381 AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED), 2382 AA_SFS_FILE_U64("permstable32_version", 3), 2383 AA_SFS_FILE_STRING("permstable32", PERMS32STR), 2384 AA_SFS_FILE_U64("state32", 1), 2385 AA_SFS_DIR("unconfined_restrictions", aa_sfs_entry_unconfined), 2386 { } 2387 }; 2388 2389 static struct aa_sfs_entry aa_sfs_entry_mount[] = { 2390 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), 2391 AA_SFS_FILE_STRING("move_mount", "detached"), 2392 { } 2393 }; 2394 2395 static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2396 AA_SFS_FILE_BOOLEAN("profile", 1), 2397 AA_SFS_FILE_BOOLEAN("pivot_root", 0), 2398 AA_SFS_FILE_STRING("mask", "userns_create"), 2399 { } 2400 }; 2401 2402 static struct aa_sfs_entry aa_sfs_entry_dbus[] = { 2403 AA_SFS_FILE_STRING("mask", "acquire send receive"), 2404 { } 2405 }; 2406 2407 static struct aa_sfs_entry aa_sfs_entry_query_label[] = { 2408 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"), 2409 AA_SFS_FILE_BOOLEAN("data", 1), 2410 AA_SFS_FILE_BOOLEAN("multi_transaction", 1), 2411 { } 2412 }; 2413 2414 static struct aa_sfs_entry aa_sfs_entry_query[] = { 2415 AA_SFS_DIR("label", aa_sfs_entry_query_label), 2416 { } 2417 }; 2418 2419 static struct aa_sfs_entry aa_sfs_entry_io_uring[] = { 2420 AA_SFS_FILE_STRING("mask", "sqpoll override_creds"), 2421 { } 2422 }; 2423 2424 static struct aa_sfs_entry aa_sfs_entry_features[] = { 2425 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2426 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2427 AA_SFS_DIR("file", aa_sfs_entry_file), 2428 AA_SFS_DIR("network_v8", aa_sfs_entry_network), 2429 AA_SFS_DIR("network_v9", aa_sfs_entry_networkv9), 2430 AA_SFS_DIR("mount", aa_sfs_entry_mount), 2431 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2432 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2433 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2434 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2435 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2436 AA_SFS_DIR("signal", aa_sfs_entry_signal), 2437 AA_SFS_DIR("dbus", aa_sfs_entry_dbus), 2438 AA_SFS_DIR("query", aa_sfs_entry_query), 2439 AA_SFS_DIR("io_uring", aa_sfs_entry_io_uring), 2440 { } 2441 }; 2442 2443 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2444 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access), 2445 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2446 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2447 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops), 2448 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops), 2449 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops), 2450 AA_SFS_FILE_FOPS("raw_data_compression_level_min", 0444, &seq_ns_compress_min_fops), 2451 AA_SFS_FILE_FOPS("raw_data_compression_level_max", 0444, &seq_ns_compress_max_fops), 2452 AA_SFS_DIR("features", aa_sfs_entry_features), 2453 { } 2454 }; 2455 2456 static struct aa_sfs_entry aa_sfs_entry = 2457 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); 2458 2459 /** 2460 * entry_create_file - create a file entry in the apparmor securityfs 2461 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) 2462 * @parent: the parent dentry in the securityfs 2463 * 2464 * Use entry_remove_file to remove entries created with this fn. 2465 */ 2466 static int __init entry_create_file(struct aa_sfs_entry *fs_file, 2467 struct dentry *parent) 2468 { 2469 int error = 0; 2470 2471 fs_file->dentry = securityfs_create_file(fs_file->name, 2472 S_IFREG | fs_file->mode, 2473 parent, fs_file, 2474 fs_file->file_ops); 2475 if (IS_ERR(fs_file->dentry)) { 2476 error = PTR_ERR(fs_file->dentry); 2477 fs_file->dentry = NULL; 2478 } 2479 return error; 2480 } 2481 2482 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); 2483 /** 2484 * entry_create_dir - recursively create a directory entry in the securityfs 2485 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) 2486 * @parent: the parent dentry in the securityfs 2487 * 2488 * Use entry_remove_dir to remove entries created with this fn. 2489 */ 2490 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 2491 struct dentry *parent) 2492 { 2493 struct aa_sfs_entry *fs_file; 2494 struct dentry *dir; 2495 int error; 2496 2497 dir = securityfs_create_dir(fs_dir->name, parent); 2498 if (IS_ERR(dir)) 2499 return PTR_ERR(dir); 2500 fs_dir->dentry = dir; 2501 2502 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2503 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2504 error = entry_create_dir(fs_file, fs_dir->dentry); 2505 else 2506 error = entry_create_file(fs_file, fs_dir->dentry); 2507 if (error) 2508 goto failed; 2509 } 2510 2511 return 0; 2512 2513 failed: 2514 entry_remove_dir(fs_dir); 2515 2516 return error; 2517 } 2518 2519 /** 2520 * entry_remove_file - drop a single file entry in the apparmor securityfs 2521 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) 2522 */ 2523 static void __init entry_remove_file(struct aa_sfs_entry *fs_file) 2524 { 2525 if (!fs_file->dentry) 2526 return; 2527 2528 securityfs_remove(fs_file->dentry); 2529 fs_file->dentry = NULL; 2530 } 2531 2532 /** 2533 * entry_remove_dir - recursively drop a directory entry from the securityfs 2534 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) 2535 */ 2536 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) 2537 { 2538 struct aa_sfs_entry *fs_file; 2539 2540 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2541 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2542 entry_remove_dir(fs_file); 2543 else 2544 entry_remove_file(fs_file); 2545 } 2546 2547 entry_remove_file(fs_dir); 2548 } 2549 2550 /** 2551 * aa_destroy_aafs - cleanup and free aafs 2552 * 2553 * releases dentries allocated by aa_create_aafs 2554 */ 2555 void __init aa_destroy_aafs(void) 2556 { 2557 entry_remove_dir(&aa_sfs_entry); 2558 } 2559 2560 2561 #define NULL_FILE_NAME ".null" 2562 struct path aa_null; 2563 2564 static int aa_mk_null_file(struct dentry *parent) 2565 { 2566 struct vfsmount *mount = NULL; 2567 struct dentry *dentry; 2568 struct inode *inode; 2569 int count = 0; 2570 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 2571 2572 if (error) 2573 return error; 2574 2575 inode_lock(d_inode(parent)); 2576 dentry = lookup_noperm(&QSTR(NULL_FILE_NAME), parent); 2577 if (IS_ERR(dentry)) { 2578 error = PTR_ERR(dentry); 2579 goto out; 2580 } 2581 inode = new_inode(parent->d_inode->i_sb); 2582 if (!inode) { 2583 error = -ENOMEM; 2584 goto out1; 2585 } 2586 2587 inode->i_ino = get_next_ino(); 2588 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 2589 simple_inode_init_ts(inode); 2590 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 2591 MKDEV(MEM_MAJOR, 3)); 2592 d_instantiate(dentry, inode); 2593 aa_null.dentry = dget(dentry); 2594 aa_null.mnt = mntget(mount); 2595 2596 error = 0; 2597 2598 out1: 2599 dput(dentry); 2600 out: 2601 inode_unlock(d_inode(parent)); 2602 simple_release_fs(&mount, &count); 2603 return error; 2604 } 2605 2606 2607 2608 static const char *policy_get_link(struct dentry *dentry, 2609 struct inode *inode, 2610 struct delayed_call *done) 2611 { 2612 struct aa_ns *ns; 2613 struct path path; 2614 int error; 2615 2616 if (!dentry) 2617 return ERR_PTR(-ECHILD); 2618 2619 ns = aa_get_current_ns(); 2620 path.mnt = mntget(aafs_mnt); 2621 path.dentry = dget(ns_dir(ns)); 2622 error = nd_jump_link(&path); 2623 aa_put_ns(ns); 2624 2625 return ERR_PTR(error); 2626 } 2627 2628 static int policy_readlink(struct dentry *dentry, char __user *buffer, 2629 int buflen) 2630 { 2631 char name[32]; 2632 int res; 2633 2634 res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME, 2635 d_inode(dentry)->i_ino); 2636 if (res > 0 && res < sizeof(name)) 2637 res = readlink_copy(buffer, buflen, name, strlen(name)); 2638 else 2639 res = -ENOENT; 2640 2641 return res; 2642 } 2643 2644 static const struct inode_operations policy_link_iops = { 2645 .readlink = policy_readlink, 2646 .get_link = policy_get_link, 2647 }; 2648 2649 2650 /** 2651 * aa_create_aafs - create the apparmor security filesystem 2652 * 2653 * dentries created here are released by aa_destroy_aafs 2654 * 2655 * Returns: error on failure 2656 */ 2657 int __init aa_create_aafs(void) 2658 { 2659 struct dentry *dent; 2660 int error; 2661 2662 if (!apparmor_initialized) 2663 return 0; 2664 2665 if (aa_sfs_entry.dentry) { 2666 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 2667 return -EEXIST; 2668 } 2669 2670 /* setup apparmorfs used to virtualize policy/ */ 2671 aafs_mnt = kern_mount(&aafs_ops); 2672 if (IS_ERR(aafs_mnt)) 2673 panic("can't set apparmorfs up\n"); 2674 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; 2675 2676 /* Populate fs tree. */ 2677 error = entry_create_dir(&aa_sfs_entry, NULL); 2678 if (error) 2679 goto error; 2680 2681 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, 2682 NULL, &aa_fs_profile_load); 2683 if (IS_ERR(dent)) 2684 goto dent_error; 2685 ns_subload(root_ns) = dent; 2686 2687 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, 2688 NULL, &aa_fs_profile_replace); 2689 if (IS_ERR(dent)) 2690 goto dent_error; 2691 ns_subreplace(root_ns) = dent; 2692 2693 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, 2694 NULL, &aa_fs_profile_remove); 2695 if (IS_ERR(dent)) 2696 goto dent_error; 2697 ns_subremove(root_ns) = dent; 2698 2699 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, 2700 NULL, &aa_fs_ns_revision_fops); 2701 if (IS_ERR(dent)) 2702 goto dent_error; 2703 ns_subrevision(root_ns) = dent; 2704 2705 /* policy tree referenced by magic policy symlink */ 2706 mutex_lock_nested(&root_ns->lock, root_ns->level); 2707 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", 2708 aafs_mnt->mnt_root); 2709 mutex_unlock(&root_ns->lock); 2710 if (error) 2711 goto error; 2712 2713 /* magic symlink similar to nsfs redirects based on task policy */ 2714 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry, 2715 NULL, &policy_link_iops); 2716 if (IS_ERR(dent)) 2717 goto dent_error; 2718 2719 error = aa_mk_null_file(aa_sfs_entry.dentry); 2720 if (error) 2721 goto error; 2722 2723 /* TODO: add default profile to apparmorfs */ 2724 2725 /* Report that AppArmor fs is enabled */ 2726 aa_info_message("AppArmor Filesystem Enabled"); 2727 return 0; 2728 2729 dent_error: 2730 error = PTR_ERR(dent); 2731 error: 2732 aa_destroy_aafs(); 2733 AA_ERROR("Error creating AppArmor securityfs\n"); 2734 return error; 2735 } 2736