1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/security.h> 13 #include <linux/vmalloc.h> 14 #include <linux/init.h> 15 #include <linux/seq_file.h> 16 #include <linux/uaccess.h> 17 #include <linux/mount.h> 18 #include <linux/namei.h> 19 #include <linux/capability.h> 20 #include <linux/rcupdate.h> 21 #include <linux/fs.h> 22 #include <linux/fs_context.h> 23 #include <linux/poll.h> 24 #include <linux/zstd.h> 25 #include <uapi/linux/major.h> 26 #include <uapi/linux/magic.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/cred.h" 32 #include "include/crypto.h" 33 #include "include/ipc.h" 34 #include "include/label.h" 35 #include "include/policy.h" 36 #include "include/policy_ns.h" 37 #include "include/resource.h" 38 #include "include/policy_unpack.h" 39 #include "include/task.h" 40 41 /* 42 * The apparmor filesystem interface used for policy load and introspection 43 * The interface is split into two main components based on their function 44 * a securityfs component: 45 * used for static files that are always available, and which allows 46 * userspace to specify the location of the security filesystem. 47 * 48 * fns and data are prefixed with 49 * aa_sfs_ 50 * 51 * an apparmorfs component: 52 * used loaded policy content and introspection. It is not part of a 53 * regular mounted filesystem and is available only through the magic 54 * policy symlink in the root of the securityfs apparmor/ directory. 55 * Tasks queries will be magically redirected to the correct portion 56 * of the policy tree based on their confinement. 57 * 58 * fns and data are prefixed with 59 * aafs_ 60 * 61 * The aa_fs_ prefix is used to indicate the fn is used by both the 62 * securityfs and apparmorfs filesystems. 63 */ 64 65 66 /* 67 * support fns 68 */ 69 70 struct rawdata_f_data { 71 struct aa_loaddata *loaddata; 72 }; 73 74 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 75 #define RAWDATA_F_DATA_BUF(p) (char *)(p + 1) 76 77 static void rawdata_f_data_free(struct rawdata_f_data *private) 78 { 79 if (!private) 80 return; 81 82 aa_put_i_loaddata(private->loaddata); 83 kvfree(private); 84 } 85 86 static struct rawdata_f_data *rawdata_f_data_alloc(size_t size) 87 { 88 struct rawdata_f_data *ret; 89 90 if (size > SIZE_MAX - sizeof(*ret)) 91 return ERR_PTR(-EINVAL); 92 93 ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); 94 if (!ret) 95 return ERR_PTR(-ENOMEM); 96 97 return ret; 98 } 99 #endif 100 101 /** 102 * mangle_name - mangle a profile name to std profile layout form 103 * @name: profile name to mangle (NOT NULL) 104 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 105 * 106 * Returns: length of mangled name 107 */ 108 static int mangle_name(const char *name, char *target) 109 { 110 char *t = target; 111 112 while (*name == '/' || *name == '.') 113 name++; 114 115 if (target) { 116 for (; *name; name++) { 117 if (*name == '/') 118 *(t)++ = '.'; 119 else if (isspace(*name)) 120 *(t)++ = '_'; 121 else if (isalnum(*name) || strchr("._-", *name)) 122 *(t)++ = *name; 123 } 124 125 *t = 0; 126 } else { 127 int len = 0; 128 for (; *name; name++) { 129 if (isalnum(*name) || isspace(*name) || 130 strchr("/._-", *name)) 131 len++; 132 } 133 134 return len; 135 } 136 137 return t - target; 138 } 139 140 141 /* 142 * aafs - core fns and data for the policy tree 143 */ 144 145 #define AAFS_NAME "apparmorfs" 146 static struct vfsmount *aafs_mnt; 147 static int aafs_count; 148 149 150 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 151 { 152 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); 153 return 0; 154 } 155 156 static void aafs_free_inode(struct inode *inode) 157 { 158 if (S_ISLNK(inode->i_mode)) 159 kfree(inode->i_link); 160 free_inode_nonrcu(inode); 161 } 162 163 static const struct super_operations aafs_super_ops = { 164 .statfs = simple_statfs, 165 .free_inode = aafs_free_inode, 166 .show_path = aafs_show_path, 167 }; 168 169 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) 170 { 171 static struct tree_descr files[] = { {""} }; 172 int error; 173 174 error = simple_fill_super(sb, AAFS_MAGIC, files); 175 if (error) 176 return error; 177 sb->s_op = &aafs_super_ops; 178 179 return 0; 180 } 181 182 static int apparmorfs_get_tree(struct fs_context *fc) 183 { 184 return get_tree_single(fc, apparmorfs_fill_super); 185 } 186 187 static const struct fs_context_operations apparmorfs_context_ops = { 188 .get_tree = apparmorfs_get_tree, 189 }; 190 191 static int apparmorfs_init_fs_context(struct fs_context *fc) 192 { 193 fc->ops = &apparmorfs_context_ops; 194 return 0; 195 } 196 197 static struct file_system_type aafs_ops = { 198 .owner = THIS_MODULE, 199 .name = AAFS_NAME, 200 .init_fs_context = apparmorfs_init_fs_context, 201 .kill_sb = kill_anon_super, 202 }; 203 204 /** 205 * __aafs_setup_d_inode - basic inode setup for apparmorfs 206 * @dir: parent directory for the dentry 207 * @dentry: dentry we are setting the inode up for 208 * @mode: permissions the file should have 209 * @data: data to store on inode.i_private, available in open() 210 * @link: if symlink, symlink target string 211 * @fops: struct file_operations that should be used 212 * @iops: struct of inode_operations that should be used 213 */ 214 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, 215 umode_t mode, void *data, char *link, 216 const struct file_operations *fops, 217 const struct inode_operations *iops) 218 { 219 struct inode *inode = new_inode(dir->i_sb); 220 221 AA_BUG(!dir); 222 AA_BUG(!dentry); 223 224 if (!inode) 225 return -ENOMEM; 226 227 inode->i_ino = get_next_ino(); 228 inode->i_mode = mode; 229 simple_inode_init_ts(inode); 230 inode->i_private = data; 231 if (S_ISDIR(mode)) { 232 inode->i_op = iops ? iops : &simple_dir_inode_operations; 233 inode->i_fop = &simple_dir_operations; 234 inc_nlink(inode); 235 inc_nlink(dir); 236 } else if (S_ISLNK(mode)) { 237 inode->i_op = iops ? iops : &simple_symlink_inode_operations; 238 inode->i_link = link; 239 } else { 240 inode->i_fop = fops; 241 } 242 d_instantiate(dentry, inode); 243 dget(dentry); 244 245 return 0; 246 } 247 248 /** 249 * aafs_create - create a dentry in the apparmorfs filesystem 250 * 251 * @name: name of dentry to create 252 * @mode: permissions the file should have 253 * @parent: parent directory for this dentry 254 * @data: data to store on inode.i_private, available in open() 255 * @link: if symlink, symlink target string 256 * @fops: struct file_operations that should be used for 257 * @iops: struct of inode_operations that should be used 258 * 259 * This is the basic "create a xxx" function for apparmorfs. 260 * 261 * Returns a pointer to a dentry if it succeeds, that must be free with 262 * aafs_remove(). Will return ERR_PTR on failure. 263 */ 264 static struct dentry *aafs_create(const char *name, umode_t mode, 265 struct dentry *parent, void *data, void *link, 266 const struct file_operations *fops, 267 const struct inode_operations *iops) 268 { 269 struct dentry *dentry; 270 struct inode *dir; 271 int error; 272 273 AA_BUG(!name); 274 AA_BUG(!parent); 275 276 if (!(mode & S_IFMT)) 277 mode = (mode & S_IALLUGO) | S_IFREG; 278 279 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 280 if (error) 281 return ERR_PTR(error); 282 283 dir = d_inode(parent); 284 285 inode_lock(dir); 286 dentry = lookup_noperm(&QSTR(name), parent); 287 if (IS_ERR(dentry)) { 288 error = PTR_ERR(dentry); 289 goto fail_lock; 290 } 291 292 if (d_really_is_positive(dentry)) { 293 error = -EEXIST; 294 goto fail_dentry; 295 } 296 297 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); 298 if (error) 299 goto fail_dentry; 300 inode_unlock(dir); 301 302 return dentry; 303 304 fail_dentry: 305 dput(dentry); 306 307 fail_lock: 308 inode_unlock(dir); 309 simple_release_fs(&aafs_mnt, &aafs_count); 310 311 return ERR_PTR(error); 312 } 313 314 /** 315 * aafs_create_file - create a file in the apparmorfs filesystem 316 * 317 * @name: name of dentry to create 318 * @mode: permissions the file should have 319 * @parent: parent directory for this dentry 320 * @data: data to store on inode.i_private, available in open() 321 * @fops: struct file_operations that should be used for 322 * 323 * see aafs_create 324 */ 325 static struct dentry *aafs_create_file(const char *name, umode_t mode, 326 struct dentry *parent, void *data, 327 const struct file_operations *fops) 328 { 329 return aafs_create(name, mode, parent, data, NULL, fops, NULL); 330 } 331 332 /** 333 * aafs_create_dir - create a directory in the apparmorfs filesystem 334 * 335 * @name: name of dentry to create 336 * @parent: parent directory for this dentry 337 * 338 * see aafs_create 339 */ 340 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) 341 { 342 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, 343 NULL); 344 } 345 346 /** 347 * aafs_remove - removes a file or directory from the apparmorfs filesystem 348 * 349 * @dentry: dentry of the file/directory/symlink to removed. 350 */ 351 static void aafs_remove(struct dentry *dentry) 352 { 353 struct inode *dir; 354 355 if (!dentry || IS_ERR(dentry)) 356 return; 357 358 /* ->d_parent is stable as rename is not supported */ 359 dir = d_inode(dentry->d_parent); 360 dentry = start_removing_dentry(dentry->d_parent, dentry); 361 if (!IS_ERR(dentry) && simple_positive(dentry)) { 362 if (d_is_dir(dentry)) { 363 if (!WARN_ON(!simple_empty(dentry))) { 364 __simple_rmdir(dir, dentry); 365 dput(dentry); 366 } 367 } else { 368 __simple_unlink(dir, dentry); 369 dput(dentry); 370 } 371 d_delete(dentry); 372 } 373 end_removing(dentry); 374 simple_release_fs(&aafs_mnt, &aafs_count); 375 } 376 377 378 /* 379 * aa_fs - policy load/replace/remove 380 */ 381 382 /** 383 * aa_simple_write_to_buffer - common routine for getting policy from user 384 * @userbuf: user buffer to copy data from (NOT NULL) 385 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 386 * @copy_size: size of data to copy from user buffer 387 * @pos: position write is at in the file (NOT NULL) 388 * 389 * Returns: kernel buffer containing copy of user buffer data or an 390 * ERR_PTR on failure. 391 */ 392 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 393 size_t alloc_size, 394 size_t copy_size, 395 loff_t *pos) 396 { 397 struct aa_loaddata *data; 398 399 AA_BUG(copy_size > alloc_size); 400 401 if (*pos != 0) 402 /* only writes from pos 0, that is complete writes */ 403 return ERR_PTR(-ESPIPE); 404 405 /* freed by caller to simple_write_to_buffer */ 406 data = aa_loaddata_alloc(alloc_size); 407 if (IS_ERR(data)) 408 return data; 409 410 data->size = copy_size; 411 if (copy_from_user(data->data, userbuf, copy_size)) { 412 /* trigger free - don't need to put pcount */ 413 aa_put_i_loaddata(data); 414 return ERR_PTR(-EFAULT); 415 } 416 417 return data; 418 } 419 420 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, 421 loff_t *pos, struct aa_ns *ns, 422 const struct cred *ocred) 423 { 424 struct aa_loaddata *data; 425 struct aa_label *label; 426 ssize_t error; 427 428 label = begin_current_label_crit_section(); 429 430 /* high level check about policy management - fine grained in 431 * below after unpack 432 */ 433 error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask); 434 if (error) 435 goto end_section; 436 437 data = aa_simple_write_to_buffer(buf, size, size, pos); 438 error = PTR_ERR(data); 439 if (!IS_ERR(data)) { 440 error = aa_replace_profiles(ns, label, mask, data); 441 /* put pcount, which will put count and free if no 442 * profiles referencing it. 443 */ 444 aa_put_profile_loaddata(data); 445 } 446 end_section: 447 end_current_label_crit_section(label); 448 449 return error; 450 } 451 452 /* .load file hook fn to load policy */ 453 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 454 loff_t *pos) 455 { 456 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 457 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns, 458 f->f_cred); 459 460 aa_put_ns(ns); 461 462 return error; 463 } 464 465 static const struct file_operations aa_fs_profile_load = { 466 .write = profile_load, 467 .llseek = default_llseek, 468 }; 469 470 /* .replace file hook fn to load and/or replace policy */ 471 static ssize_t profile_replace(struct file *f, const char __user *buf, 472 size_t size, loff_t *pos) 473 { 474 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 475 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, 476 buf, size, pos, ns, f->f_cred); 477 aa_put_ns(ns); 478 479 return error; 480 } 481 482 static const struct file_operations aa_fs_profile_replace = { 483 .write = profile_replace, 484 .llseek = default_llseek, 485 }; 486 487 /* .remove file hook fn to remove loaded policy */ 488 static ssize_t profile_remove(struct file *f, const char __user *buf, 489 size_t size, loff_t *pos) 490 { 491 struct aa_loaddata *data; 492 struct aa_label *label; 493 ssize_t error; 494 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 495 496 label = begin_current_label_crit_section(); 497 /* high level check about policy management - fine grained in 498 * below after unpack 499 */ 500 error = aa_may_manage_policy(current_cred(), label, ns, 501 f->f_cred, AA_MAY_REMOVE_POLICY); 502 if (error) 503 goto out; 504 505 /* 506 * aa_remove_profile needs a null terminated string so 1 extra 507 * byte is allocated and the copied data is null terminated. 508 */ 509 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 510 511 error = PTR_ERR(data); 512 if (!IS_ERR(data)) { 513 data->data[size] = 0; 514 error = aa_remove_profiles(ns, label, data->data, size); 515 aa_put_profile_loaddata(data); 516 } 517 out: 518 end_current_label_crit_section(label); 519 aa_put_ns(ns); 520 return error; 521 } 522 523 static const struct file_operations aa_fs_profile_remove = { 524 .write = profile_remove, 525 .llseek = default_llseek, 526 }; 527 528 struct aa_revision { 529 struct aa_ns *ns; 530 long last_read; 531 }; 532 533 /* revision file hook fn for policy loads */ 534 static int ns_revision_release(struct inode *inode, struct file *file) 535 { 536 struct aa_revision *rev = file->private_data; 537 538 if (rev) { 539 aa_put_ns(rev->ns); 540 kfree(rev); 541 } 542 543 return 0; 544 } 545 546 static ssize_t ns_revision_read(struct file *file, char __user *buf, 547 size_t size, loff_t *ppos) 548 { 549 struct aa_revision *rev = file->private_data; 550 char buffer[32]; 551 long last_read; 552 int avail; 553 554 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 555 last_read = rev->last_read; 556 if (last_read == rev->ns->revision) { 557 mutex_unlock(&rev->ns->lock); 558 if (file->f_flags & O_NONBLOCK) 559 return -EAGAIN; 560 if (wait_event_interruptible(rev->ns->wait, 561 last_read != 562 READ_ONCE(rev->ns->revision))) 563 return -ERESTARTSYS; 564 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 565 } 566 567 avail = sprintf(buffer, "%ld\n", rev->ns->revision); 568 if (*ppos + size > avail) { 569 rev->last_read = rev->ns->revision; 570 *ppos = 0; 571 } 572 mutex_unlock(&rev->ns->lock); 573 574 return simple_read_from_buffer(buf, size, ppos, buffer, avail); 575 } 576 577 static int ns_revision_open(struct inode *inode, struct file *file) 578 { 579 struct aa_revision *rev = kzalloc_obj(*rev); 580 581 if (!rev) 582 return -ENOMEM; 583 584 rev->ns = aa_get_ns(inode->i_private); 585 if (!rev->ns) 586 rev->ns = aa_get_current_ns(); 587 file->private_data = rev; 588 589 return 0; 590 } 591 592 static __poll_t ns_revision_poll(struct file *file, poll_table *pt) 593 { 594 struct aa_revision *rev = file->private_data; 595 __poll_t mask = 0; 596 597 if (rev) { 598 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 599 poll_wait(file, &rev->ns->wait, pt); 600 if (rev->last_read < rev->ns->revision) 601 mask |= EPOLLIN | EPOLLRDNORM; 602 mutex_unlock(&rev->ns->lock); 603 } 604 605 return mask; 606 } 607 608 void __aa_bump_ns_revision(struct aa_ns *ns) 609 { 610 WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); 611 wake_up_interruptible(&ns->wait); 612 } 613 614 static const struct file_operations aa_fs_ns_revision_fops = { 615 .owner = THIS_MODULE, 616 .open = ns_revision_open, 617 .poll = ns_revision_poll, 618 .read = ns_revision_read, 619 .llseek = generic_file_llseek, 620 .release = ns_revision_release, 621 }; 622 623 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, 624 const char *match_str, size_t match_len) 625 { 626 struct aa_ruleset *rules = profile->label.rules[0]; 627 struct aa_perms tmp = { }; 628 aa_state_t state = DFA_NOMATCH; 629 630 if (profile_unconfined(profile)) 631 return; 632 if (rules->file->dfa && *match_str == AA_CLASS_FILE) { 633 state = aa_dfa_match_len(rules->file->dfa, 634 rules->file->start[AA_CLASS_FILE], 635 match_str + 1, match_len - 1); 636 if (state) { 637 struct path_cond cond = { }; 638 639 tmp = *(aa_lookup_condperms(current_fsuid(), 640 rules->file, state, &cond)); 641 } 642 } else if (rules->policy->dfa) { 643 if (!RULE_MEDIATES(rules, *match_str)) 644 return; /* no change to current perms */ 645 /* old user space does not correctly detect dbus mediation 646 * support so we may get dbus policy and requests when 647 * the abi doesn't support it. This can cause mediation 648 * regressions, so explicitly test for this situation. 649 */ 650 if (*match_str == AA_CLASS_DBUS && 651 !RULE_MEDIATES_v9NET(rules)) 652 return; /* no change to current perms */ 653 state = aa_dfa_match_len(rules->policy->dfa, 654 rules->policy->start[0], 655 match_str, match_len); 656 if (state) 657 tmp = *aa_lookup_perms(rules->policy, state); 658 } 659 aa_apply_modes_to_perms(profile, &tmp); 660 aa_perms_accum_raw(perms, &tmp); 661 } 662 663 664 /** 665 * query_data - queries a policy and writes its data to buf 666 * @buf: the resulting data is stored here (NOT NULL) 667 * @buf_len: size of buf 668 * @query: query string used to retrieve data 669 * @query_len: size of query including second NUL byte 670 * 671 * The buffers pointed to by buf and query may overlap. The query buffer is 672 * parsed before buf is written to. 673 * 674 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 675 * the security confinement context and <KEY> is the name of the data to 676 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 677 * 678 * Don't expect the contents of buf to be preserved on failure. 679 * 680 * Returns: number of characters written to buf or -errno on failure 681 */ 682 static ssize_t query_data(char *buf, size_t buf_len, 683 char *query, size_t query_len) 684 { 685 char *out; 686 const char *key; 687 struct label_it i; 688 struct aa_label *label, *curr; 689 struct aa_profile *profile; 690 struct aa_data *data; 691 u32 bytes, blocks; 692 __le32 outle32; 693 694 if (!query_len) 695 return -EINVAL; /* need a query */ 696 697 key = query + strnlen(query, query_len) + 1; 698 if (key + 1 >= query + query_len) 699 return -EINVAL; /* not enough space for a non-empty key */ 700 if (key + strnlen(key, query + query_len - key) >= query + query_len) 701 return -EINVAL; /* must end with NUL */ 702 703 if (buf_len < sizeof(bytes) + sizeof(blocks)) 704 return -EINVAL; /* not enough space */ 705 706 curr = begin_current_label_crit_section(); 707 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); 708 end_current_label_crit_section(curr); 709 if (IS_ERR(label)) 710 return PTR_ERR(label); 711 712 /* We are going to leave space for two numbers. The first is the total 713 * number of bytes we are writing after the first number. This is so 714 * users can read the full output without reallocation. 715 * 716 * The second number is the number of data blocks we're writing. An 717 * application might be confined by multiple policies having data in 718 * the same key. 719 */ 720 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 721 out = buf + sizeof(bytes) + sizeof(blocks); 722 723 blocks = 0; 724 label_for_each_confined(i, label, profile) { 725 if (!profile->data) 726 continue; 727 728 data = rhashtable_lookup_fast(profile->data, &key, 729 profile->data->p); 730 731 if (data) { 732 if (out + sizeof(outle32) + data->size > buf + 733 buf_len) { 734 aa_put_label(label); 735 return -EINVAL; /* not enough space */ 736 } 737 outle32 = __cpu_to_le32(data->size); 738 memcpy(out, &outle32, sizeof(outle32)); 739 out += sizeof(outle32); 740 memcpy(out, data->data, data->size); 741 out += data->size; 742 blocks++; 743 } 744 } 745 aa_put_label(label); 746 747 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 748 memcpy(buf, &outle32, sizeof(outle32)); 749 outle32 = __cpu_to_le32(blocks); 750 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 751 752 return out - buf; 753 } 754 755 /** 756 * query_label - queries a label and writes permissions to buf 757 * @buf: the resulting permissions string is stored here (NOT NULL) 758 * @buf_len: size of buf 759 * @query: binary query string to match against the dfa 760 * @query_len: size of query 761 * @view_only: only compute for querier's view 762 * 763 * The buffers pointed to by buf and query may overlap. The query buffer is 764 * parsed before buf is written to. 765 * 766 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is 767 * the name of the label, in the current namespace, that is to be queried and 768 * DFA_STRING is a binary string to match against the label(s)'s DFA. 769 * 770 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters 771 * but must *not* be NUL terminated. 772 * 773 * Returns: number of characters written to buf or -errno on failure 774 */ 775 static ssize_t query_label(char *buf, size_t buf_len, 776 char *query, size_t query_len, bool view_only) 777 { 778 struct aa_profile *profile; 779 struct aa_label *label, *curr; 780 char *label_name, *match_str; 781 size_t label_name_len, match_len; 782 struct aa_perms perms; 783 struct label_it i; 784 785 if (!query_len) 786 return -EINVAL; 787 788 label_name = query; 789 label_name_len = strnlen(query, query_len); 790 if (!label_name_len || label_name_len == query_len) 791 return -EINVAL; 792 793 /** 794 * The extra byte is to account for the null byte between the 795 * profile name and dfa string. profile_name_len is greater 796 * than zero and less than query_len, so a byte can be safely 797 * added or subtracted. 798 */ 799 match_str = label_name + label_name_len + 1; 800 match_len = query_len - label_name_len - 1; 801 802 curr = begin_current_label_crit_section(); 803 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); 804 end_current_label_crit_section(curr); 805 if (IS_ERR(label)) 806 return PTR_ERR(label); 807 808 perms = allperms; 809 if (view_only) { 810 label_for_each_in_scope(i, labels_ns(label), label, profile) { 811 profile_query_cb(profile, &perms, match_str, match_len); 812 } 813 } else { 814 label_for_each(i, label, profile) { 815 profile_query_cb(profile, &perms, match_str, match_len); 816 } 817 } 818 aa_put_label(label); 819 820 return scnprintf(buf, buf_len, 821 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n", 822 perms.allow, perms.deny, perms.audit, perms.quiet); 823 } 824 825 /* 826 * Transaction based IO. 827 * The file expects a write which triggers the transaction, and then 828 * possibly a read(s) which collects the result - which is stored in a 829 * file-local buffer. Once a new write is performed, a new set of results 830 * are stored in the file-local buffer. 831 */ 832 struct multi_transaction { 833 struct kref count; 834 ssize_t size; 835 char data[]; 836 }; 837 838 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) 839 840 static void multi_transaction_kref(struct kref *kref) 841 { 842 struct multi_transaction *t; 843 844 t = container_of(kref, struct multi_transaction, count); 845 free_page((unsigned long) t); 846 } 847 848 static struct multi_transaction * 849 get_multi_transaction(struct multi_transaction *t) 850 { 851 if (t) 852 kref_get(&(t->count)); 853 854 return t; 855 } 856 857 static void put_multi_transaction(struct multi_transaction *t) 858 { 859 if (t) 860 kref_put(&(t->count), multi_transaction_kref); 861 } 862 863 /* does not increment @new's count */ 864 static void multi_transaction_set(struct file *file, 865 struct multi_transaction *new, size_t n) 866 { 867 struct multi_transaction *old; 868 869 AA_BUG(n > MULTI_TRANSACTION_LIMIT); 870 871 new->size = n; 872 spin_lock(&file->f_lock); 873 old = (struct multi_transaction *) file->private_data; 874 file->private_data = new; 875 spin_unlock(&file->f_lock); 876 put_multi_transaction(old); 877 } 878 879 static struct multi_transaction *multi_transaction_new(struct file *file, 880 const char __user *buf, 881 size_t size) 882 { 883 struct multi_transaction *t; 884 885 if (size > MULTI_TRANSACTION_LIMIT - 1) 886 return ERR_PTR(-EFBIG); 887 888 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL); 889 if (!t) 890 return ERR_PTR(-ENOMEM); 891 kref_init(&t->count); 892 if (copy_from_user(t->data, buf, size)) { 893 put_multi_transaction(t); 894 return ERR_PTR(-EFAULT); 895 } 896 897 return t; 898 } 899 900 static ssize_t multi_transaction_read(struct file *file, char __user *buf, 901 size_t size, loff_t *pos) 902 { 903 struct multi_transaction *t; 904 ssize_t ret; 905 906 spin_lock(&file->f_lock); 907 t = get_multi_transaction(file->private_data); 908 spin_unlock(&file->f_lock); 909 910 if (!t) 911 return 0; 912 913 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); 914 put_multi_transaction(t); 915 916 return ret; 917 } 918 919 static int multi_transaction_release(struct inode *inode, struct file *file) 920 { 921 put_multi_transaction(file->private_data); 922 923 return 0; 924 } 925 926 #define QUERY_CMD_LABEL "label\0" 927 #define QUERY_CMD_LABEL_LEN 6 928 #define QUERY_CMD_PROFILE "profile\0" 929 #define QUERY_CMD_PROFILE_LEN 8 930 #define QUERY_CMD_LABELALL "labelall\0" 931 #define QUERY_CMD_LABELALL_LEN 9 932 #define QUERY_CMD_DATA "data\0" 933 #define QUERY_CMD_DATA_LEN 5 934 935 /** 936 * aa_write_access - generic permissions and data query 937 * @file: pointer to open apparmorfs/access file 938 * @ubuf: user buffer containing the complete query string (NOT NULL) 939 * @count: size of ubuf 940 * @ppos: position in the file (MUST BE ZERO) 941 * 942 * Allows for one permissions or data query per open(), write(), and read() 943 * sequence. The only queries currently supported are label-based queries for 944 * permissions or data. 945 * 946 * For permissions queries, ubuf must begin with "label\0", followed by the 947 * profile query specific format described in the query_label() function 948 * documentation. 949 * 950 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 951 * <LABEL> is the name of the security confinement context and <KEY> is the 952 * name of the data to retrieve. 953 * 954 * Returns: number of bytes written or -errno on failure 955 */ 956 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 957 size_t count, loff_t *ppos) 958 { 959 struct multi_transaction *t; 960 ssize_t len; 961 962 if (*ppos) 963 return -ESPIPE; 964 965 t = multi_transaction_new(file, ubuf, count); 966 if (IS_ERR(t)) 967 return PTR_ERR(t); 968 969 if (count > QUERY_CMD_PROFILE_LEN && 970 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { 971 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 972 t->data + QUERY_CMD_PROFILE_LEN, 973 count - QUERY_CMD_PROFILE_LEN, true); 974 } else if (count > QUERY_CMD_LABEL_LEN && 975 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { 976 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 977 t->data + QUERY_CMD_LABEL_LEN, 978 count - QUERY_CMD_LABEL_LEN, true); 979 } else if (count > QUERY_CMD_LABELALL_LEN && 980 !memcmp(t->data, QUERY_CMD_LABELALL, 981 QUERY_CMD_LABELALL_LEN)) { 982 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 983 t->data + QUERY_CMD_LABELALL_LEN, 984 count - QUERY_CMD_LABELALL_LEN, false); 985 } else if (count > QUERY_CMD_DATA_LEN && 986 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 987 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, 988 t->data + QUERY_CMD_DATA_LEN, 989 count - QUERY_CMD_DATA_LEN); 990 } else 991 len = -EINVAL; 992 993 if (len < 0) { 994 put_multi_transaction(t); 995 return len; 996 } 997 998 multi_transaction_set(file, t, len); 999 1000 return count; 1001 } 1002 1003 static const struct file_operations aa_sfs_access = { 1004 .write = aa_write_access, 1005 .read = multi_transaction_read, 1006 .release = multi_transaction_release, 1007 .llseek = generic_file_llseek, 1008 }; 1009 1010 static int aa_sfs_seq_show(struct seq_file *seq, void *v) 1011 { 1012 struct aa_sfs_entry *fs_file = seq->private; 1013 1014 if (!fs_file) 1015 return 0; 1016 1017 switch (fs_file->v_type) { 1018 case AA_SFS_TYPE_BOOLEAN: 1019 seq_printf(seq, "%s\n", str_yes_no(fs_file->v.boolean)); 1020 break; 1021 case AA_SFS_TYPE_STRING: 1022 seq_printf(seq, "%s\n", fs_file->v.string); 1023 break; 1024 case AA_SFS_TYPE_U64: 1025 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 1026 break; 1027 default: 1028 /* Ignore unprintable entry types. */ 1029 break; 1030 } 1031 1032 return 0; 1033 } 1034 1035 static int aa_sfs_seq_open(struct inode *inode, struct file *file) 1036 { 1037 return single_open(file, aa_sfs_seq_show, inode->i_private); 1038 } 1039 1040 const struct file_operations aa_sfs_seq_file_ops = { 1041 .owner = THIS_MODULE, 1042 .open = aa_sfs_seq_open, 1043 .read = seq_read, 1044 .llseek = seq_lseek, 1045 .release = single_release, 1046 }; 1047 1048 /* 1049 * profile based file operations 1050 * policy/profiles/XXXX/profiles/ * 1051 */ 1052 1053 #define SEQ_PROFILE_FOPS(NAME) \ 1054 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1055 { \ 1056 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \ 1057 } \ 1058 \ 1059 static const struct file_operations seq_profile_ ##NAME ##_fops = { \ 1060 .owner = THIS_MODULE, \ 1061 .open = seq_profile_ ##NAME ##_open, \ 1062 .read = seq_read, \ 1063 .llseek = seq_lseek, \ 1064 .release = seq_profile_release, \ 1065 } \ 1066 1067 static int seq_profile_open(struct inode *inode, struct file *file, 1068 int (*show)(struct seq_file *, void *)) 1069 { 1070 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); 1071 int error = single_open(file, show, proxy); 1072 1073 if (error) { 1074 file->private_data = NULL; 1075 aa_put_proxy(proxy); 1076 } 1077 1078 return error; 1079 } 1080 1081 static int seq_profile_release(struct inode *inode, struct file *file) 1082 { 1083 struct seq_file *seq = (struct seq_file *) file->private_data; 1084 if (seq) 1085 aa_put_proxy(seq->private); 1086 return single_release(inode, file); 1087 } 1088 1089 static int seq_profile_name_show(struct seq_file *seq, void *v) 1090 { 1091 struct aa_proxy *proxy = seq->private; 1092 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1093 struct aa_profile *profile = labels_profile(label); 1094 seq_printf(seq, "%s\n", profile->base.name); 1095 aa_put_label(label); 1096 1097 return 0; 1098 } 1099 1100 static int seq_profile_mode_show(struct seq_file *seq, void *v) 1101 { 1102 struct aa_proxy *proxy = seq->private; 1103 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1104 struct aa_profile *profile = labels_profile(label); 1105 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 1106 aa_put_label(label); 1107 1108 return 0; 1109 } 1110 1111 static int seq_profile_attach_show(struct seq_file *seq, void *v) 1112 { 1113 struct aa_proxy *proxy = seq->private; 1114 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1115 struct aa_profile *profile = labels_profile(label); 1116 if (profile->attach.xmatch_str) 1117 seq_printf(seq, "%s\n", profile->attach.xmatch_str); 1118 else if (profile->attach.xmatch->dfa) 1119 seq_puts(seq, "<unknown>\n"); 1120 else 1121 seq_printf(seq, "%s\n", profile->base.name); 1122 aa_put_label(label); 1123 1124 return 0; 1125 } 1126 1127 static int seq_profile_hash_show(struct seq_file *seq, void *v) 1128 { 1129 struct aa_proxy *proxy = seq->private; 1130 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1131 struct aa_profile *profile = labels_profile(label); 1132 unsigned int i, size = aa_hash_size(); 1133 1134 if (profile->hash) { 1135 for (i = 0; i < size; i++) 1136 seq_printf(seq, "%.2x", profile->hash[i]); 1137 seq_putc(seq, '\n'); 1138 } 1139 aa_put_label(label); 1140 1141 return 0; 1142 } 1143 1144 SEQ_PROFILE_FOPS(name); 1145 SEQ_PROFILE_FOPS(mode); 1146 SEQ_PROFILE_FOPS(attach); 1147 SEQ_PROFILE_FOPS(hash); 1148 1149 /* 1150 * namespace based files 1151 * several root files and 1152 * policy/ * 1153 */ 1154 1155 #define SEQ_NS_FOPS(NAME) \ 1156 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \ 1157 { \ 1158 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \ 1159 } \ 1160 \ 1161 static const struct file_operations seq_ns_ ##NAME ##_fops = { \ 1162 .owner = THIS_MODULE, \ 1163 .open = seq_ns_ ##NAME ##_open, \ 1164 .read = seq_read, \ 1165 .llseek = seq_lseek, \ 1166 .release = single_release, \ 1167 } \ 1168 1169 static int seq_ns_stacked_show(struct seq_file *seq, void *v) 1170 { 1171 struct aa_label *label; 1172 1173 label = begin_current_label_crit_section(); 1174 seq_printf(seq, "%s\n", str_yes_no(label->size > 1)); 1175 end_current_label_crit_section(label); 1176 1177 return 0; 1178 } 1179 1180 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v) 1181 { 1182 struct aa_label *label; 1183 struct aa_profile *profile; 1184 struct label_it it; 1185 int count = 1; 1186 1187 label = begin_current_label_crit_section(); 1188 1189 if (label->size > 1) { 1190 label_for_each(it, label, profile) 1191 if (profile->ns != labels_ns(label)) { 1192 count++; 1193 break; 1194 } 1195 } 1196 1197 seq_printf(seq, "%s\n", str_yes_no(count > 1)); 1198 end_current_label_crit_section(label); 1199 1200 return 0; 1201 } 1202 1203 static int seq_ns_level_show(struct seq_file *seq, void *v) 1204 { 1205 struct aa_label *label; 1206 1207 label = begin_current_label_crit_section(); 1208 seq_printf(seq, "%d\n", labels_ns(label)->level); 1209 end_current_label_crit_section(label); 1210 1211 return 0; 1212 } 1213 1214 static int seq_ns_name_show(struct seq_file *seq, void *v) 1215 { 1216 struct aa_label *label = begin_current_label_crit_section(); 1217 seq_printf(seq, "%s\n", labels_ns(label)->base.name); 1218 end_current_label_crit_section(label); 1219 1220 return 0; 1221 } 1222 1223 static int seq_ns_compress_min_show(struct seq_file *seq, void *v) 1224 { 1225 seq_printf(seq, "%d\n", AA_MIN_CLEVEL); 1226 return 0; 1227 } 1228 1229 static int seq_ns_compress_max_show(struct seq_file *seq, void *v) 1230 { 1231 seq_printf(seq, "%d\n", AA_MAX_CLEVEL); 1232 return 0; 1233 } 1234 1235 SEQ_NS_FOPS(stacked); 1236 SEQ_NS_FOPS(nsstacked); 1237 SEQ_NS_FOPS(level); 1238 SEQ_NS_FOPS(name); 1239 SEQ_NS_FOPS(compress_min); 1240 SEQ_NS_FOPS(compress_max); 1241 1242 1243 /* policy/raw_data/ * file ops */ 1244 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1245 #define SEQ_RAWDATA_FOPS(NAME) \ 1246 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1247 { \ 1248 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1249 } \ 1250 \ 1251 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1252 .owner = THIS_MODULE, \ 1253 .open = seq_rawdata_ ##NAME ##_open, \ 1254 .read = seq_read, \ 1255 .llseek = seq_lseek, \ 1256 .release = seq_rawdata_release, \ 1257 } \ 1258 1259 static int seq_rawdata_open(struct inode *inode, struct file *file, 1260 int (*show)(struct seq_file *, void *)) 1261 { 1262 struct aa_loaddata *data = aa_get_i_loaddata(inode->i_private); 1263 int error; 1264 1265 if (!data) 1266 return -ENOENT; 1267 1268 error = single_open(file, show, data); 1269 if (error) { 1270 AA_BUG(file->private_data && 1271 ((struct seq_file *)file->private_data)->private); 1272 aa_put_i_loaddata(data); 1273 } 1274 1275 return error; 1276 } 1277 1278 static int seq_rawdata_release(struct inode *inode, struct file *file) 1279 { 1280 struct seq_file *seq = (struct seq_file *) file->private_data; 1281 1282 if (seq) 1283 aa_put_i_loaddata(seq->private); 1284 1285 return single_release(inode, file); 1286 } 1287 1288 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1289 { 1290 struct aa_loaddata *data = seq->private; 1291 1292 seq_printf(seq, "v%d\n", data->abi); 1293 1294 return 0; 1295 } 1296 1297 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1298 { 1299 struct aa_loaddata *data = seq->private; 1300 1301 seq_printf(seq, "%ld\n", data->revision); 1302 1303 return 0; 1304 } 1305 1306 static int seq_rawdata_hash_show(struct seq_file *seq, void *v) 1307 { 1308 struct aa_loaddata *data = seq->private; 1309 unsigned int i, size = aa_hash_size(); 1310 1311 if (data->hash) { 1312 for (i = 0; i < size; i++) 1313 seq_printf(seq, "%.2x", data->hash[i]); 1314 seq_putc(seq, '\n'); 1315 } 1316 1317 return 0; 1318 } 1319 1320 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v) 1321 { 1322 struct aa_loaddata *data = seq->private; 1323 1324 seq_printf(seq, "%zu\n", data->compressed_size); 1325 1326 return 0; 1327 } 1328 1329 SEQ_RAWDATA_FOPS(abi); 1330 SEQ_RAWDATA_FOPS(revision); 1331 SEQ_RAWDATA_FOPS(hash); 1332 SEQ_RAWDATA_FOPS(compressed_size); 1333 1334 static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen) 1335 { 1336 if (slen < dlen) { 1337 const size_t wksp_len = zstd_dctx_workspace_bound(); 1338 zstd_dctx *ctx; 1339 void *wksp; 1340 size_t out_len; 1341 int ret = 0; 1342 1343 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1344 if (!wksp) { 1345 ret = -ENOMEM; 1346 goto cleanup; 1347 } 1348 ctx = zstd_init_dctx(wksp, wksp_len); 1349 if (ctx == NULL) { 1350 ret = -ENOMEM; 1351 goto cleanup; 1352 } 1353 out_len = zstd_decompress_dctx(ctx, dst, dlen, src, slen); 1354 if (zstd_is_error(out_len)) { 1355 ret = -EINVAL; 1356 goto cleanup; 1357 } 1358 cleanup: 1359 kvfree(wksp); 1360 return ret; 1361 } 1362 1363 if (dlen < slen) 1364 return -EINVAL; 1365 memcpy(dst, src, slen); 1366 return 0; 1367 } 1368 1369 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1370 loff_t *ppos) 1371 { 1372 struct rawdata_f_data *private = file->private_data; 1373 1374 return simple_read_from_buffer(buf, size, ppos, 1375 RAWDATA_F_DATA_BUF(private), 1376 private->loaddata->size); 1377 } 1378 1379 static int rawdata_release(struct inode *inode, struct file *file) 1380 { 1381 rawdata_f_data_free(file->private_data); 1382 1383 return 0; 1384 } 1385 1386 static int rawdata_open(struct inode *inode, struct file *file) 1387 { 1388 int error; 1389 struct aa_loaddata *loaddata; 1390 struct rawdata_f_data *private; 1391 1392 if (!aa_current_policy_view_capable(NULL)) 1393 return -EACCES; 1394 1395 loaddata = aa_get_i_loaddata(inode->i_private); 1396 if (!loaddata) 1397 return -ENOENT; 1398 1399 private = rawdata_f_data_alloc(loaddata->size); 1400 if (IS_ERR(private)) { 1401 error = PTR_ERR(private); 1402 goto fail_private_alloc; 1403 } 1404 1405 private->loaddata = loaddata; 1406 1407 error = decompress_zstd(loaddata->data, loaddata->compressed_size, 1408 RAWDATA_F_DATA_BUF(private), 1409 loaddata->size); 1410 if (error) 1411 goto fail_decompress; 1412 1413 file->private_data = private; 1414 return 0; 1415 1416 fail_decompress: 1417 rawdata_f_data_free(private); 1418 return error; 1419 1420 fail_private_alloc: 1421 aa_put_i_loaddata(loaddata); 1422 return error; 1423 } 1424 1425 static const struct file_operations rawdata_fops = { 1426 .open = rawdata_open, 1427 .read = rawdata_read, 1428 .llseek = generic_file_llseek, 1429 .release = rawdata_release, 1430 }; 1431 1432 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1433 { 1434 int i; 1435 1436 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1437 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1438 aafs_remove(rawdata->dents[i]); 1439 rawdata->dents[i] = NULL; 1440 aa_put_i_loaddata(rawdata); 1441 } 1442 } 1443 } 1444 1445 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1446 { 1447 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1448 1449 if (rawdata->ns) { 1450 remove_rawdata_dents(rawdata); 1451 list_del_init(&rawdata->list); 1452 aa_put_ns(rawdata->ns); 1453 rawdata->ns = NULL; 1454 } 1455 } 1456 1457 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1458 { 1459 struct dentry *dent, *dir; 1460 1461 AA_BUG(!ns); 1462 AA_BUG(!rawdata); 1463 AA_BUG(!mutex_is_locked(&ns->lock)); 1464 AA_BUG(!ns_subdata_dir(ns)); 1465 1466 /* 1467 * just use ns revision dir was originally created at. This is 1468 * under ns->lock and if load is successful revision will be 1469 * bumped and is guaranteed to be unique 1470 */ 1471 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1472 if (!rawdata->name) 1473 return -ENOMEM; 1474 1475 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1476 if (IS_ERR(dir)) 1477 /* ->name freed when rawdata freed */ 1478 return PTR_ERR(dir); 1479 aa_get_i_loaddata(rawdata); 1480 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1481 1482 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, 1483 &seq_rawdata_abi_fops); 1484 if (IS_ERR(dent)) 1485 goto fail; 1486 aa_get_i_loaddata(rawdata); 1487 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1488 1489 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, 1490 &seq_rawdata_revision_fops); 1491 if (IS_ERR(dent)) 1492 goto fail; 1493 aa_get_i_loaddata(rawdata); 1494 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1495 1496 if (aa_g_hash_policy) { 1497 dent = aafs_create_file("sha256", S_IFREG | 0444, dir, 1498 rawdata, &seq_rawdata_hash_fops); 1499 if (IS_ERR(dent)) 1500 goto fail; 1501 aa_get_i_loaddata(rawdata); 1502 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1503 } 1504 1505 dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, 1506 rawdata, 1507 &seq_rawdata_compressed_size_fops); 1508 if (IS_ERR(dent)) 1509 goto fail; 1510 aa_get_i_loaddata(rawdata); 1511 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; 1512 1513 dent = aafs_create_file("raw_data", S_IFREG | 0444, 1514 dir, rawdata, &rawdata_fops); 1515 if (IS_ERR(dent)) 1516 goto fail; 1517 aa_get_i_loaddata(rawdata); 1518 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1519 d_inode(dent)->i_size = rawdata->size; 1520 1521 rawdata->ns = aa_get_ns(ns); 1522 list_add(&rawdata->list, &ns->rawdata_list); 1523 1524 return 0; 1525 1526 fail: 1527 remove_rawdata_dents(rawdata); 1528 aa_put_i_loaddata(rawdata); 1529 return PTR_ERR(dent); 1530 } 1531 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1532 1533 1534 /** fns to setup dynamic per profile/namespace files **/ 1535 1536 /* 1537 * 1538 * Requires: @profile->ns->lock held 1539 */ 1540 void __aafs_profile_rmdir(struct aa_profile *profile) 1541 { 1542 struct aa_profile *child; 1543 int i; 1544 1545 if (!profile) 1546 return; 1547 1548 list_for_each_entry(child, &profile->base.profiles, base.list) 1549 __aafs_profile_rmdir(child); 1550 1551 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1552 struct aa_proxy *proxy; 1553 if (!profile->dents[i]) 1554 continue; 1555 1556 proxy = d_inode(profile->dents[i])->i_private; 1557 aafs_remove(profile->dents[i]); 1558 aa_put_proxy(proxy); 1559 profile->dents[i] = NULL; 1560 } 1561 } 1562 1563 /* 1564 * 1565 * Requires: @old->ns->lock held 1566 */ 1567 void __aafs_profile_migrate_dents(struct aa_profile *old, 1568 struct aa_profile *new) 1569 { 1570 int i; 1571 1572 AA_BUG(!old); 1573 AA_BUG(!new); 1574 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1575 1576 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1577 new->dents[i] = old->dents[i]; 1578 if (new->dents[i]) { 1579 struct inode *inode = d_inode(new->dents[i]); 1580 1581 inode_set_mtime_to_ts(inode, 1582 inode_set_ctime_current(inode)); 1583 } 1584 old->dents[i] = NULL; 1585 } 1586 } 1587 1588 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1589 struct aa_profile *profile, 1590 const struct file_operations *fops) 1591 { 1592 struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); 1593 struct dentry *dent; 1594 1595 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops); 1596 if (IS_ERR(dent)) 1597 aa_put_proxy(proxy); 1598 1599 return dent; 1600 } 1601 1602 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1603 static int profile_depth(struct aa_profile *profile) 1604 { 1605 int depth = 0; 1606 1607 rcu_read_lock(); 1608 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1609 depth++; 1610 rcu_read_unlock(); 1611 1612 return depth; 1613 } 1614 1615 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1616 { 1617 char *buffer, *s; 1618 int error; 1619 const char *path = "../../"; 1620 size_t path_len = strlen(path); 1621 int size; 1622 1623 /* Extra 11 bytes: "raw_data" (9) + two slashes "//" (2) */ 1624 size = depth * path_len + strlen(dirname) + strlen(fname) + 11; 1625 s = buffer = kmalloc(size, GFP_KERNEL); 1626 if (!buffer) 1627 return ERR_PTR(-ENOMEM); 1628 1629 for (; depth > 0; depth--) { 1630 memcpy(s, path, path_len); 1631 s += path_len; 1632 size -= path_len; 1633 } 1634 1635 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1636 if (error >= size || error < 0) { 1637 kfree(buffer); 1638 return ERR_PTR(-ENAMETOOLONG); 1639 } 1640 1641 return buffer; 1642 } 1643 1644 static const char *rawdata_get_link_base(struct dentry *dentry, 1645 struct inode *inode, 1646 struct delayed_call *done, 1647 const char *name) 1648 { 1649 struct aa_proxy *proxy = inode->i_private; 1650 struct aa_label *label; 1651 struct aa_profile *profile; 1652 char *target; 1653 int depth; 1654 1655 if (!dentry) 1656 return ERR_PTR(-ECHILD); 1657 1658 label = aa_get_label_rcu(&proxy->label); 1659 profile = labels_profile(label); 1660 1661 /* rawdata can be null when aa_g_export_binary is unset during 1662 * runtime and a profile is replaced 1663 */ 1664 if (!profile->rawdata) { 1665 aa_put_label(label); 1666 return ERR_PTR(-ENOENT); 1667 } 1668 1669 depth = profile_depth(profile); 1670 target = gen_symlink_name(depth, profile->rawdata->name, name); 1671 aa_put_label(label); 1672 1673 if (IS_ERR(target)) 1674 return target; 1675 1676 set_delayed_call(done, kfree_link, target); 1677 1678 return target; 1679 } 1680 1681 static const char *rawdata_get_link_sha256(struct dentry *dentry, 1682 struct inode *inode, 1683 struct delayed_call *done) 1684 { 1685 return rawdata_get_link_base(dentry, inode, done, "sha256"); 1686 } 1687 1688 static const char *rawdata_get_link_abi(struct dentry *dentry, 1689 struct inode *inode, 1690 struct delayed_call *done) 1691 { 1692 return rawdata_get_link_base(dentry, inode, done, "abi"); 1693 } 1694 1695 static const char *rawdata_get_link_data(struct dentry *dentry, 1696 struct inode *inode, 1697 struct delayed_call *done) 1698 { 1699 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1700 } 1701 1702 static const struct inode_operations rawdata_link_sha256_iops = { 1703 .get_link = rawdata_get_link_sha256, 1704 }; 1705 1706 static const struct inode_operations rawdata_link_abi_iops = { 1707 .get_link = rawdata_get_link_abi, 1708 }; 1709 static const struct inode_operations rawdata_link_data_iops = { 1710 .get_link = rawdata_get_link_data, 1711 }; 1712 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1713 1714 /* 1715 * Requires: @profile->ns->lock held 1716 */ 1717 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1718 { 1719 struct aa_profile *child; 1720 struct dentry *dent = NULL, *dir; 1721 int error; 1722 1723 AA_BUG(!profile); 1724 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1725 1726 if (!parent) { 1727 struct aa_profile *p; 1728 p = aa_deref_parent(profile); 1729 dent = prof_dir(p); 1730 if (!dent) { 1731 error = -ENOENT; 1732 goto fail2; 1733 } 1734 /* adding to parent that previously didn't have children */ 1735 dent = aafs_create_dir("profiles", dent); 1736 if (IS_ERR(dent)) 1737 goto fail; 1738 prof_child_dir(p) = parent = dent; 1739 } 1740 1741 if (!profile->dirname) { 1742 int len, id_len; 1743 len = mangle_name(profile->base.name, NULL); 1744 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1745 1746 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1747 if (!profile->dirname) { 1748 error = -ENOMEM; 1749 goto fail2; 1750 } 1751 1752 mangle_name(profile->base.name, profile->dirname); 1753 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1754 } 1755 1756 dent = aafs_create_dir(profile->dirname, parent); 1757 if (IS_ERR(dent)) 1758 goto fail; 1759 prof_dir(profile) = dir = dent; 1760 1761 dent = create_profile_file(dir, "name", profile, 1762 &seq_profile_name_fops); 1763 if (IS_ERR(dent)) 1764 goto fail; 1765 profile->dents[AAFS_PROF_NAME] = dent; 1766 1767 dent = create_profile_file(dir, "mode", profile, 1768 &seq_profile_mode_fops); 1769 if (IS_ERR(dent)) 1770 goto fail; 1771 profile->dents[AAFS_PROF_MODE] = dent; 1772 1773 dent = create_profile_file(dir, "attach", profile, 1774 &seq_profile_attach_fops); 1775 if (IS_ERR(dent)) 1776 goto fail; 1777 profile->dents[AAFS_PROF_ATTACH] = dent; 1778 1779 if (profile->hash) { 1780 dent = create_profile_file(dir, "sha256", profile, 1781 &seq_profile_hash_fops); 1782 if (IS_ERR(dent)) 1783 goto fail; 1784 profile->dents[AAFS_PROF_HASH] = dent; 1785 } 1786 1787 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1788 if (profile->rawdata) { 1789 if (aa_g_hash_policy) { 1790 dent = aafs_create("raw_sha256", S_IFLNK | 0444, dir, 1791 profile->label.proxy, NULL, NULL, 1792 &rawdata_link_sha256_iops); 1793 if (IS_ERR(dent)) 1794 goto fail; 1795 aa_get_proxy(profile->label.proxy); 1796 profile->dents[AAFS_PROF_RAW_HASH] = dent; 1797 } 1798 dent = aafs_create("raw_abi", S_IFLNK | 0444, dir, 1799 profile->label.proxy, NULL, NULL, 1800 &rawdata_link_abi_iops); 1801 if (IS_ERR(dent)) 1802 goto fail; 1803 aa_get_proxy(profile->label.proxy); 1804 profile->dents[AAFS_PROF_RAW_ABI] = dent; 1805 1806 dent = aafs_create("raw_data", S_IFLNK | 0444, dir, 1807 profile->label.proxy, NULL, NULL, 1808 &rawdata_link_data_iops); 1809 if (IS_ERR(dent)) 1810 goto fail; 1811 aa_get_proxy(profile->label.proxy); 1812 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1813 } 1814 #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1815 1816 list_for_each_entry(child, &profile->base.profiles, base.list) { 1817 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1818 if (error) 1819 goto fail2; 1820 } 1821 1822 return 0; 1823 1824 fail: 1825 error = PTR_ERR(dent); 1826 1827 fail2: 1828 __aafs_profile_rmdir(profile); 1829 1830 return error; 1831 } 1832 1833 static struct dentry *ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, 1834 struct dentry *dentry, umode_t mode) 1835 { 1836 struct aa_ns *ns, *parent; 1837 /* TODO: improve permission check */ 1838 struct aa_label *label; 1839 int error; 1840 1841 label = begin_current_label_crit_section(); 1842 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1843 AA_MAY_LOAD_POLICY); 1844 end_current_label_crit_section(label); 1845 if (error) 1846 return ERR_PTR(error); 1847 1848 parent = aa_get_ns(dir->i_private); 1849 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1850 1851 /* we have to unlock and then relock to get locking order right 1852 * for pin_fs 1853 */ 1854 inode_unlock(dir); 1855 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1856 mutex_lock_nested(&parent->lock, parent->level); 1857 inode_lock_nested(dir, I_MUTEX_PARENT); 1858 if (error) 1859 goto out; 1860 1861 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1862 NULL, NULL, NULL); 1863 if (error) 1864 goto out_pin; 1865 1866 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1867 dentry); 1868 if (IS_ERR(ns)) { 1869 error = PTR_ERR(ns); 1870 ns = NULL; 1871 } 1872 1873 aa_put_ns(ns); /* list ref remains */ 1874 out_pin: 1875 if (error) 1876 simple_release_fs(&aafs_mnt, &aafs_count); 1877 out: 1878 mutex_unlock(&parent->lock); 1879 aa_put_ns(parent); 1880 1881 return ERR_PTR(error); 1882 } 1883 1884 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1885 { 1886 struct aa_ns *ns, *parent; 1887 /* TODO: improve permission check */ 1888 struct aa_label *label; 1889 int error; 1890 1891 label = begin_current_label_crit_section(); 1892 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1893 AA_MAY_LOAD_POLICY); 1894 end_current_label_crit_section(label); 1895 if (error) 1896 return error; 1897 1898 parent = aa_get_ns(dir->i_private); 1899 /* rmdir calls the generic securityfs functions to remove files 1900 * from the apparmor dir. It is up to the apparmor ns locking 1901 * to avoid races. 1902 */ 1903 inode_unlock(dir); 1904 inode_unlock(dentry->d_inode); 1905 1906 mutex_lock_nested(&parent->lock, parent->level); 1907 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 1908 dentry->d_name.len)); 1909 if (!ns) { 1910 error = -ENOENT; 1911 goto out; 1912 } 1913 AA_BUG(ns_dir(ns) != dentry); 1914 1915 __aa_remove_ns(ns); 1916 aa_put_ns(ns); 1917 1918 out: 1919 mutex_unlock(&parent->lock); 1920 inode_lock_nested(dir, I_MUTEX_PARENT); 1921 inode_lock(dentry->d_inode); 1922 aa_put_ns(parent); 1923 1924 return error; 1925 } 1926 1927 static const struct inode_operations ns_dir_inode_operations = { 1928 .lookup = simple_lookup, 1929 .mkdir = ns_mkdir_op, 1930 .rmdir = ns_rmdir_op, 1931 }; 1932 1933 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1934 { 1935 struct aa_loaddata *ent, *tmp; 1936 1937 AA_BUG(!mutex_is_locked(&ns->lock)); 1938 1939 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1940 __aa_fs_remove_rawdata(ent); 1941 } 1942 1943 /* 1944 * 1945 * Requires: @ns->lock held 1946 */ 1947 void __aafs_ns_rmdir(struct aa_ns *ns) 1948 { 1949 struct aa_ns *sub; 1950 struct aa_profile *child; 1951 int i; 1952 1953 if (!ns) 1954 return; 1955 AA_BUG(!mutex_is_locked(&ns->lock)); 1956 1957 list_for_each_entry(child, &ns->base.profiles, base.list) 1958 __aafs_profile_rmdir(child); 1959 1960 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1961 mutex_lock_nested(&sub->lock, sub->level); 1962 __aafs_ns_rmdir(sub); 1963 mutex_unlock(&sub->lock); 1964 } 1965 1966 __aa_fs_list_remove_rawdata(ns); 1967 1968 if (ns_subns_dir(ns)) { 1969 sub = d_inode(ns_subns_dir(ns))->i_private; 1970 aa_put_ns(sub); 1971 } 1972 if (ns_subload(ns)) { 1973 sub = d_inode(ns_subload(ns))->i_private; 1974 aa_put_ns(sub); 1975 } 1976 if (ns_subreplace(ns)) { 1977 sub = d_inode(ns_subreplace(ns))->i_private; 1978 aa_put_ns(sub); 1979 } 1980 if (ns_subremove(ns)) { 1981 sub = d_inode(ns_subremove(ns))->i_private; 1982 aa_put_ns(sub); 1983 } 1984 if (ns_subrevision(ns)) { 1985 sub = d_inode(ns_subrevision(ns))->i_private; 1986 aa_put_ns(sub); 1987 } 1988 1989 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1990 aafs_remove(ns->dents[i]); 1991 ns->dents[i] = NULL; 1992 } 1993 } 1994 1995 /* assumes cleanup in caller */ 1996 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 1997 { 1998 struct dentry *dent; 1999 2000 AA_BUG(!ns); 2001 AA_BUG(!dir); 2002 2003 dent = aafs_create_dir("profiles", dir); 2004 if (IS_ERR(dent)) 2005 return PTR_ERR(dent); 2006 ns_subprofs_dir(ns) = dent; 2007 2008 dent = aafs_create_dir("raw_data", dir); 2009 if (IS_ERR(dent)) 2010 return PTR_ERR(dent); 2011 ns_subdata_dir(ns) = dent; 2012 2013 dent = aafs_create_file("revision", 0444, dir, ns, 2014 &aa_fs_ns_revision_fops); 2015 if (IS_ERR(dent)) 2016 return PTR_ERR(dent); 2017 aa_get_ns(ns); 2018 ns_subrevision(ns) = dent; 2019 2020 dent = aafs_create_file(".load", 0640, dir, ns, 2021 &aa_fs_profile_load); 2022 if (IS_ERR(dent)) 2023 return PTR_ERR(dent); 2024 aa_get_ns(ns); 2025 ns_subload(ns) = dent; 2026 2027 dent = aafs_create_file(".replace", 0640, dir, ns, 2028 &aa_fs_profile_replace); 2029 if (IS_ERR(dent)) 2030 return PTR_ERR(dent); 2031 aa_get_ns(ns); 2032 ns_subreplace(ns) = dent; 2033 2034 dent = aafs_create_file(".remove", 0640, dir, ns, 2035 &aa_fs_profile_remove); 2036 if (IS_ERR(dent)) 2037 return PTR_ERR(dent); 2038 aa_get_ns(ns); 2039 ns_subremove(ns) = dent; 2040 2041 /* use create_dentry so we can supply private data */ 2042 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL, 2043 &ns_dir_inode_operations); 2044 if (IS_ERR(dent)) 2045 return PTR_ERR(dent); 2046 aa_get_ns(ns); 2047 ns_subns_dir(ns) = dent; 2048 2049 return 0; 2050 } 2051 2052 /* 2053 * Requires: @ns->lock held 2054 */ 2055 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 2056 struct dentry *dent) 2057 { 2058 struct aa_ns *sub; 2059 struct aa_profile *child; 2060 struct dentry *dir; 2061 int error; 2062 2063 AA_BUG(!ns); 2064 AA_BUG(!parent); 2065 AA_BUG(!mutex_is_locked(&ns->lock)); 2066 2067 if (!name) 2068 name = ns->base.name; 2069 2070 if (!dent) { 2071 /* create ns dir if it doesn't already exist */ 2072 dent = aafs_create_dir(name, parent); 2073 if (IS_ERR(dent)) 2074 goto fail; 2075 } else 2076 dget(dent); 2077 ns_dir(ns) = dir = dent; 2078 error = __aafs_ns_mkdir_entries(ns, dir); 2079 if (error) 2080 goto fail2; 2081 2082 /* profiles */ 2083 list_for_each_entry(child, &ns->base.profiles, base.list) { 2084 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 2085 if (error) 2086 goto fail2; 2087 } 2088 2089 /* subnamespaces */ 2090 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2091 mutex_lock_nested(&sub->lock, sub->level); 2092 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 2093 mutex_unlock(&sub->lock); 2094 if (error) 2095 goto fail2; 2096 } 2097 2098 return 0; 2099 2100 fail: 2101 error = PTR_ERR(dent); 2102 2103 fail2: 2104 __aafs_ns_rmdir(ns); 2105 2106 return error; 2107 } 2108 2109 /** 2110 * __next_ns - find the next namespace to list 2111 * @root: root namespace to stop search at (NOT NULL) 2112 * @ns: current ns position (NOT NULL) 2113 * 2114 * Find the next namespace from @ns under @root and handle all locking needed 2115 * while switching current namespace. 2116 * 2117 * Returns: next namespace or NULL if at last namespace under @root 2118 * Requires: ns->parent->lock to be held 2119 * NOTE: will not unlock root->lock 2120 */ 2121 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 2122 { 2123 struct aa_ns *parent, *next; 2124 2125 AA_BUG(!root); 2126 AA_BUG(!ns); 2127 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 2128 2129 /* is next namespace a child */ 2130 if (!list_empty(&ns->sub_ns)) { 2131 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 2132 mutex_lock_nested(&next->lock, next->level); 2133 return next; 2134 } 2135 2136 /* check if the next ns is a sibling, parent, gp, .. */ 2137 parent = ns->parent; 2138 while (ns != root) { 2139 mutex_unlock(&ns->lock); 2140 next = list_next_entry(ns, base.list); 2141 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 2142 mutex_lock_nested(&next->lock, next->level); 2143 return next; 2144 } 2145 ns = parent; 2146 parent = parent->parent; 2147 } 2148 2149 return NULL; 2150 } 2151 2152 /** 2153 * __first_profile - find the first profile in a namespace 2154 * @root: namespace that is root of profiles being displayed (NOT NULL) 2155 * @ns: namespace to start in (NOT NULL) 2156 * 2157 * Returns: unrefcounted profile or NULL if no profile 2158 * Requires: profile->ns.lock to be held 2159 */ 2160 static struct aa_profile *__first_profile(struct aa_ns *root, 2161 struct aa_ns *ns) 2162 { 2163 AA_BUG(!root); 2164 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2165 2166 for (; ns; ns = __next_ns(root, ns)) { 2167 if (!list_empty(&ns->base.profiles)) 2168 return list_first_entry(&ns->base.profiles, 2169 struct aa_profile, base.list); 2170 } 2171 return NULL; 2172 } 2173 2174 /** 2175 * __next_profile - step to the next profile in a profile tree 2176 * @p: current profile in tree (NOT NULL) 2177 * 2178 * Perform a depth first traversal on the profile tree in a namespace 2179 * 2180 * Returns: next profile or NULL if done 2181 * Requires: profile->ns.lock to be held 2182 */ 2183 static struct aa_profile *__next_profile(struct aa_profile *p) 2184 { 2185 struct aa_profile *parent; 2186 struct aa_ns *ns = p->ns; 2187 2188 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2189 2190 /* is next profile a child */ 2191 if (!list_empty(&p->base.profiles)) 2192 return list_first_entry(&p->base.profiles, typeof(*p), 2193 base.list); 2194 2195 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2196 parent = rcu_dereference_protected(p->parent, 2197 mutex_is_locked(&p->ns->lock)); 2198 while (parent) { 2199 p = list_next_entry(p, base.list); 2200 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2201 return p; 2202 p = parent; 2203 parent = rcu_dereference_protected(parent->parent, 2204 mutex_is_locked(&parent->ns->lock)); 2205 } 2206 2207 /* is next another profile in the namespace */ 2208 p = list_next_entry(p, base.list); 2209 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2210 return p; 2211 2212 return NULL; 2213 } 2214 2215 /** 2216 * next_profile - step to the next profile in where ever it may be 2217 * @root: root namespace (NOT NULL) 2218 * @profile: current profile (NOT NULL) 2219 * 2220 * Returns: next profile or NULL if there isn't one 2221 */ 2222 static struct aa_profile *next_profile(struct aa_ns *root, 2223 struct aa_profile *profile) 2224 { 2225 struct aa_profile *next = __next_profile(profile); 2226 if (next) 2227 return next; 2228 2229 /* finished all profiles in namespace move to next namespace */ 2230 return __first_profile(root, __next_ns(root, profile->ns)); 2231 } 2232 2233 /** 2234 * p_start - start a depth first traversal of profile tree 2235 * @f: seq_file to fill 2236 * @pos: current position 2237 * 2238 * Returns: first profile under current namespace or NULL if none found 2239 * 2240 * acquires first ns->lock 2241 */ 2242 static void *p_start(struct seq_file *f, loff_t *pos) 2243 { 2244 struct aa_profile *profile = NULL; 2245 struct aa_ns *root = aa_get_current_ns(); 2246 loff_t l = *pos; 2247 f->private = root; 2248 2249 /* find the first profile */ 2250 mutex_lock_nested(&root->lock, root->level); 2251 profile = __first_profile(root, root); 2252 2253 /* skip to position */ 2254 for (; profile && l > 0; l--) 2255 profile = next_profile(root, profile); 2256 2257 return profile; 2258 } 2259 2260 /** 2261 * p_next - read the next profile entry 2262 * @f: seq_file to fill 2263 * @p: profile previously returned 2264 * @pos: current position 2265 * 2266 * Returns: next profile after @p or NULL if none 2267 * 2268 * may acquire/release locks in namespace tree as necessary 2269 */ 2270 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2271 { 2272 struct aa_profile *profile = p; 2273 struct aa_ns *ns = f->private; 2274 (*pos)++; 2275 2276 return next_profile(ns, profile); 2277 } 2278 2279 /** 2280 * p_stop - stop depth first traversal 2281 * @f: seq_file we are filling 2282 * @p: the last profile written 2283 * 2284 * Release all locking done by p_start/p_next on namespace tree 2285 */ 2286 static void p_stop(struct seq_file *f, void *p) 2287 { 2288 struct aa_profile *profile = p; 2289 struct aa_ns *root = f->private, *ns; 2290 2291 if (profile) { 2292 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2293 mutex_unlock(&ns->lock); 2294 } 2295 mutex_unlock(&root->lock); 2296 aa_put_ns(root); 2297 } 2298 2299 /** 2300 * seq_show_profile - show a profile entry 2301 * @f: seq_file to file 2302 * @p: current position (profile) (NOT NULL) 2303 * 2304 * Returns: error on failure 2305 */ 2306 static int seq_show_profile(struct seq_file *f, void *p) 2307 { 2308 struct aa_profile *profile = (struct aa_profile *)p; 2309 struct aa_ns *root = f->private; 2310 2311 aa_label_seq_xprint(f, root, &profile->label, 2312 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2313 seq_putc(f, '\n'); 2314 2315 return 0; 2316 } 2317 2318 static const struct seq_operations aa_sfs_profiles_op = { 2319 .start = p_start, 2320 .next = p_next, 2321 .stop = p_stop, 2322 .show = seq_show_profile, 2323 }; 2324 2325 static int profiles_open(struct inode *inode, struct file *file) 2326 { 2327 if (!aa_current_policy_view_capable(NULL)) 2328 return -EACCES; 2329 2330 return seq_open(file, &aa_sfs_profiles_op); 2331 } 2332 2333 static int profiles_release(struct inode *inode, struct file *file) 2334 { 2335 return seq_release(inode, file); 2336 } 2337 2338 static const struct file_operations aa_sfs_profiles_fops = { 2339 .open = profiles_open, 2340 .read = seq_read, 2341 .llseek = seq_lseek, 2342 .release = profiles_release, 2343 }; 2344 2345 2346 /** Base file system setup **/ 2347 static struct aa_sfs_entry aa_sfs_entry_file[] = { 2348 AA_SFS_FILE_STRING("mask", 2349 "create read write exec append mmap_exec link lock"), 2350 { } 2351 }; 2352 2353 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = { 2354 AA_SFS_FILE_STRING("mask", "read trace"), 2355 { } 2356 }; 2357 2358 static struct aa_sfs_entry aa_sfs_entry_signal[] = { 2359 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK), 2360 { } 2361 }; 2362 2363 static struct aa_sfs_entry aa_sfs_entry_attach[] = { 2364 AA_SFS_FILE_BOOLEAN("xattr", 1), 2365 { } 2366 }; 2367 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2368 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2369 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2370 AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1), 2371 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2372 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2373 AA_SFS_FILE_BOOLEAN("stack", 1), 2374 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 2375 AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1), 2376 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2377 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2378 AA_SFS_FILE_BOOLEAN("disconnected.path", 1), 2379 AA_SFS_FILE_BOOLEAN("kill.signal", 1), 2380 AA_SFS_FILE_STRING("version", "1.2"), 2381 { } 2382 }; 2383 2384 static struct aa_sfs_entry aa_sfs_entry_unconfined[] = { 2385 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2386 { } 2387 }; 2388 2389 static struct aa_sfs_entry aa_sfs_entry_versions[] = { 2390 AA_SFS_FILE_BOOLEAN("v5", 1), 2391 AA_SFS_FILE_BOOLEAN("v6", 1), 2392 AA_SFS_FILE_BOOLEAN("v7", 1), 2393 AA_SFS_FILE_BOOLEAN("v8", 1), 2394 AA_SFS_FILE_BOOLEAN("v9", 1), 2395 { } 2396 }; 2397 2398 #define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label" 2399 static struct aa_sfs_entry aa_sfs_entry_policy[] = { 2400 AA_SFS_DIR("versions", aa_sfs_entry_versions), 2401 AA_SFS_FILE_BOOLEAN("set_load", 1), 2402 /* number of out of band transitions supported */ 2403 AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED), 2404 AA_SFS_FILE_U64("permstable32_version", 3), 2405 AA_SFS_FILE_STRING("permstable32", PERMS32STR), 2406 AA_SFS_FILE_U64("state32", 1), 2407 AA_SFS_DIR("unconfined_restrictions", aa_sfs_entry_unconfined), 2408 { } 2409 }; 2410 2411 static struct aa_sfs_entry aa_sfs_entry_mount[] = { 2412 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), 2413 AA_SFS_FILE_STRING("move_mount", "detached"), 2414 { } 2415 }; 2416 2417 static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2418 AA_SFS_FILE_BOOLEAN("profile", 1), 2419 AA_SFS_FILE_BOOLEAN("pivot_root", 0), 2420 AA_SFS_FILE_STRING("mask", "userns_create"), 2421 { } 2422 }; 2423 2424 static struct aa_sfs_entry aa_sfs_entry_dbus[] = { 2425 AA_SFS_FILE_STRING("mask", "acquire send receive"), 2426 { } 2427 }; 2428 2429 static struct aa_sfs_entry aa_sfs_entry_query_label[] = { 2430 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"), 2431 AA_SFS_FILE_BOOLEAN("data", 1), 2432 AA_SFS_FILE_BOOLEAN("multi_transaction", 1), 2433 { } 2434 }; 2435 2436 static struct aa_sfs_entry aa_sfs_entry_query[] = { 2437 AA_SFS_DIR("label", aa_sfs_entry_query_label), 2438 { } 2439 }; 2440 2441 static struct aa_sfs_entry aa_sfs_entry_io_uring[] = { 2442 AA_SFS_FILE_STRING("mask", "sqpoll override_creds"), 2443 { } 2444 }; 2445 2446 static struct aa_sfs_entry aa_sfs_entry_features[] = { 2447 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2448 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2449 AA_SFS_DIR("file", aa_sfs_entry_file), 2450 AA_SFS_DIR("network_v8", aa_sfs_entry_network), 2451 AA_SFS_DIR("network_v9", aa_sfs_entry_networkv9), 2452 AA_SFS_DIR("mount", aa_sfs_entry_mount), 2453 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2454 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2455 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2456 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2457 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2458 AA_SFS_DIR("signal", aa_sfs_entry_signal), 2459 AA_SFS_DIR("dbus", aa_sfs_entry_dbus), 2460 AA_SFS_DIR("query", aa_sfs_entry_query), 2461 AA_SFS_DIR("io_uring", aa_sfs_entry_io_uring), 2462 { } 2463 }; 2464 2465 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2466 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access), 2467 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2468 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2469 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops), 2470 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops), 2471 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops), 2472 AA_SFS_FILE_FOPS("raw_data_compression_level_min", 0444, &seq_ns_compress_min_fops), 2473 AA_SFS_FILE_FOPS("raw_data_compression_level_max", 0444, &seq_ns_compress_max_fops), 2474 AA_SFS_DIR("features", aa_sfs_entry_features), 2475 { } 2476 }; 2477 2478 static struct aa_sfs_entry aa_sfs_entry = 2479 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); 2480 2481 /** 2482 * entry_create_file - create a file entry in the apparmor securityfs 2483 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) 2484 * @parent: the parent dentry in the securityfs 2485 * 2486 * Use entry_remove_file to remove entries created with this fn. 2487 */ 2488 static int __init entry_create_file(struct aa_sfs_entry *fs_file, 2489 struct dentry *parent) 2490 { 2491 int error = 0; 2492 2493 fs_file->dentry = securityfs_create_file(fs_file->name, 2494 S_IFREG | fs_file->mode, 2495 parent, fs_file, 2496 fs_file->file_ops); 2497 if (IS_ERR(fs_file->dentry)) { 2498 error = PTR_ERR(fs_file->dentry); 2499 fs_file->dentry = NULL; 2500 } 2501 return error; 2502 } 2503 2504 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); 2505 /** 2506 * entry_create_dir - recursively create a directory entry in the securityfs 2507 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) 2508 * @parent: the parent dentry in the securityfs 2509 * 2510 * Use entry_remove_dir to remove entries created with this fn. 2511 */ 2512 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 2513 struct dentry *parent) 2514 { 2515 struct aa_sfs_entry *fs_file; 2516 struct dentry *dir; 2517 int error; 2518 2519 dir = securityfs_create_dir(fs_dir->name, parent); 2520 if (IS_ERR(dir)) 2521 return PTR_ERR(dir); 2522 fs_dir->dentry = dir; 2523 2524 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2525 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2526 error = entry_create_dir(fs_file, fs_dir->dentry); 2527 else 2528 error = entry_create_file(fs_file, fs_dir->dentry); 2529 if (error) 2530 goto failed; 2531 } 2532 2533 return 0; 2534 2535 failed: 2536 entry_remove_dir(fs_dir); 2537 2538 return error; 2539 } 2540 2541 /** 2542 * entry_remove_file - drop a single file entry in the apparmor securityfs 2543 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) 2544 */ 2545 static void __init entry_remove_file(struct aa_sfs_entry *fs_file) 2546 { 2547 if (!fs_file->dentry) 2548 return; 2549 2550 securityfs_remove(fs_file->dentry); 2551 fs_file->dentry = NULL; 2552 } 2553 2554 /** 2555 * entry_remove_dir - recursively drop a directory entry from the securityfs 2556 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) 2557 */ 2558 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) 2559 { 2560 struct aa_sfs_entry *fs_file; 2561 2562 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2563 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2564 entry_remove_dir(fs_file); 2565 else 2566 entry_remove_file(fs_file); 2567 } 2568 2569 entry_remove_file(fs_dir); 2570 } 2571 2572 /** 2573 * aa_destroy_aafs - cleanup and free aafs 2574 * 2575 * releases dentries allocated by aa_create_aafs 2576 */ 2577 void __init aa_destroy_aafs(void) 2578 { 2579 entry_remove_dir(&aa_sfs_entry); 2580 } 2581 2582 2583 #define NULL_FILE_NAME ".null" 2584 struct path aa_null; 2585 2586 static int aa_mk_null_file(struct dentry *parent) 2587 { 2588 struct vfsmount *mount = NULL; 2589 struct dentry *dentry; 2590 struct inode *inode; 2591 int count = 0; 2592 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 2593 2594 if (error) 2595 return error; 2596 2597 inode_lock(d_inode(parent)); 2598 dentry = lookup_noperm(&QSTR(NULL_FILE_NAME), parent); 2599 if (IS_ERR(dentry)) { 2600 error = PTR_ERR(dentry); 2601 goto out; 2602 } 2603 inode = new_inode(parent->d_inode->i_sb); 2604 if (!inode) { 2605 error = -ENOMEM; 2606 goto out1; 2607 } 2608 2609 inode->i_ino = get_next_ino(); 2610 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 2611 simple_inode_init_ts(inode); 2612 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 2613 MKDEV(MEM_MAJOR, 3)); 2614 d_instantiate(dentry, inode); 2615 aa_null.dentry = dget(dentry); 2616 aa_null.mnt = mntget(mount); 2617 2618 error = 0; 2619 2620 out1: 2621 dput(dentry); 2622 out: 2623 inode_unlock(d_inode(parent)); 2624 simple_release_fs(&mount, &count); 2625 return error; 2626 } 2627 2628 2629 2630 static const char *policy_get_link(struct dentry *dentry, 2631 struct inode *inode, 2632 struct delayed_call *done) 2633 { 2634 struct aa_ns *ns; 2635 struct path path; 2636 int error; 2637 2638 if (!dentry) 2639 return ERR_PTR(-ECHILD); 2640 2641 ns = aa_get_current_ns(); 2642 path.mnt = mntget(aafs_mnt); 2643 path.dentry = dget(ns_dir(ns)); 2644 error = nd_jump_link(&path); 2645 aa_put_ns(ns); 2646 2647 return ERR_PTR(error); 2648 } 2649 2650 static int policy_readlink(struct dentry *dentry, char __user *buffer, 2651 int buflen) 2652 { 2653 char name[32]; 2654 int res; 2655 2656 res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME, 2657 d_inode(dentry)->i_ino); 2658 if (res > 0 && res < sizeof(name)) 2659 res = readlink_copy(buffer, buflen, name, strlen(name)); 2660 else 2661 res = -ENOENT; 2662 2663 return res; 2664 } 2665 2666 static const struct inode_operations policy_link_iops = { 2667 .readlink = policy_readlink, 2668 .get_link = policy_get_link, 2669 }; 2670 2671 2672 /** 2673 * aa_create_aafs - create the apparmor security filesystem 2674 * 2675 * dentries created here are released by aa_destroy_aafs 2676 * 2677 * Returns: error on failure 2678 */ 2679 int __init aa_create_aafs(void) 2680 { 2681 struct dentry *dent; 2682 int error; 2683 2684 if (!apparmor_initialized) 2685 return 0; 2686 2687 if (aa_sfs_entry.dentry) { 2688 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 2689 return -EEXIST; 2690 } 2691 2692 /* setup apparmorfs used to virtualize policy/ */ 2693 aafs_mnt = kern_mount(&aafs_ops); 2694 if (IS_ERR(aafs_mnt)) 2695 panic("can't set apparmorfs up\n"); 2696 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; 2697 2698 /* Populate fs tree. */ 2699 error = entry_create_dir(&aa_sfs_entry, NULL); 2700 if (error) 2701 goto error; 2702 2703 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, 2704 NULL, &aa_fs_profile_load); 2705 if (IS_ERR(dent)) 2706 goto dent_error; 2707 ns_subload(root_ns) = dent; 2708 2709 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, 2710 NULL, &aa_fs_profile_replace); 2711 if (IS_ERR(dent)) 2712 goto dent_error; 2713 ns_subreplace(root_ns) = dent; 2714 2715 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, 2716 NULL, &aa_fs_profile_remove); 2717 if (IS_ERR(dent)) 2718 goto dent_error; 2719 ns_subremove(root_ns) = dent; 2720 2721 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, 2722 NULL, &aa_fs_ns_revision_fops); 2723 if (IS_ERR(dent)) 2724 goto dent_error; 2725 ns_subrevision(root_ns) = dent; 2726 2727 /* policy tree referenced by magic policy symlink */ 2728 mutex_lock_nested(&root_ns->lock, root_ns->level); 2729 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", 2730 aafs_mnt->mnt_root); 2731 mutex_unlock(&root_ns->lock); 2732 if (error) 2733 goto error; 2734 2735 /* magic symlink similar to nsfs redirects based on task policy */ 2736 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry, 2737 NULL, &policy_link_iops); 2738 if (IS_ERR(dent)) 2739 goto dent_error; 2740 2741 error = aa_mk_null_file(aa_sfs_entry.dentry); 2742 if (error) 2743 goto error; 2744 2745 /* TODO: add default profile to apparmorfs */ 2746 2747 /* Report that AppArmor fs is enabled */ 2748 aa_info_message("AppArmor Filesystem Enabled"); 2749 return 0; 2750 2751 dent_error: 2752 error = PTR_ERR(dent); 2753 error: 2754 aa_destroy_aafs(); 2755 AA_ERROR("Error creating AppArmor securityfs\n"); 2756 return error; 2757 } 2758