1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/security.h> 13 #include <linux/vmalloc.h> 14 #include <linux/init.h> 15 #include <linux/seq_file.h> 16 #include <linux/uaccess.h> 17 #include <linux/mount.h> 18 #include <linux/namei.h> 19 #include <linux/capability.h> 20 #include <linux/rcupdate.h> 21 #include <linux/fs.h> 22 #include <linux/fs_context.h> 23 #include <linux/poll.h> 24 #include <linux/zstd.h> 25 #include <uapi/linux/major.h> 26 #include <uapi/linux/magic.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/cred.h" 32 #include "include/crypto.h" 33 #include "include/ipc.h" 34 #include "include/label.h" 35 #include "include/policy.h" 36 #include "include/policy_ns.h" 37 #include "include/resource.h" 38 #include "include/policy_unpack.h" 39 #include "include/task.h" 40 41 /* 42 * The apparmor filesystem interface used for policy load and introspection 43 * The interface is split into two main components based on their function 44 * a securityfs component: 45 * used for static files that are always available, and which allows 46 * userspace to specificy the location of the security filesystem. 47 * 48 * fns and data are prefixed with 49 * aa_sfs_ 50 * 51 * an apparmorfs component: 52 * used loaded policy content and introspection. It is not part of a 53 * regular mounted filesystem and is available only through the magic 54 * policy symlink in the root of the securityfs apparmor/ directory. 55 * Tasks queries will be magically redirected to the correct portion 56 * of the policy tree based on their confinement. 57 * 58 * fns and data are prefixed with 59 * aafs_ 60 * 61 * The aa_fs_ prefix is used to indicate the fn is used by both the 62 * securityfs and apparmorfs filesystems. 63 */ 64 65 66 /* 67 * support fns 68 */ 69 70 struct rawdata_f_data { 71 struct aa_loaddata *loaddata; 72 }; 73 74 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 75 #define RAWDATA_F_DATA_BUF(p) (char *)(p + 1) 76 77 static void rawdata_f_data_free(struct rawdata_f_data *private) 78 { 79 if (!private) 80 return; 81 82 aa_put_loaddata(private->loaddata); 83 kvfree(private); 84 } 85 86 static struct rawdata_f_data *rawdata_f_data_alloc(size_t size) 87 { 88 struct rawdata_f_data *ret; 89 90 if (size > SIZE_MAX - sizeof(*ret)) 91 return ERR_PTR(-EINVAL); 92 93 ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); 94 if (!ret) 95 return ERR_PTR(-ENOMEM); 96 97 return ret; 98 } 99 #endif 100 101 /** 102 * mangle_name - mangle a profile name to std profile layout form 103 * @name: profile name to mangle (NOT NULL) 104 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 105 * 106 * Returns: length of mangled name 107 */ 108 static int mangle_name(const char *name, char *target) 109 { 110 char *t = target; 111 112 while (*name == '/' || *name == '.') 113 name++; 114 115 if (target) { 116 for (; *name; name++) { 117 if (*name == '/') 118 *(t)++ = '.'; 119 else if (isspace(*name)) 120 *(t)++ = '_'; 121 else if (isalnum(*name) || strchr("._-", *name)) 122 *(t)++ = *name; 123 } 124 125 *t = 0; 126 } else { 127 int len = 0; 128 for (; *name; name++) { 129 if (isalnum(*name) || isspace(*name) || 130 strchr("/._-", *name)) 131 len++; 132 } 133 134 return len; 135 } 136 137 return t - target; 138 } 139 140 141 /* 142 * aafs - core fns and data for the policy tree 143 */ 144 145 #define AAFS_NAME "apparmorfs" 146 static struct vfsmount *aafs_mnt; 147 static int aafs_count; 148 149 150 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 151 { 152 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); 153 return 0; 154 } 155 156 static void aafs_free_inode(struct inode *inode) 157 { 158 if (S_ISLNK(inode->i_mode)) 159 kfree(inode->i_link); 160 free_inode_nonrcu(inode); 161 } 162 163 static const struct super_operations aafs_super_ops = { 164 .statfs = simple_statfs, 165 .free_inode = aafs_free_inode, 166 .show_path = aafs_show_path, 167 }; 168 169 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) 170 { 171 static struct tree_descr files[] = { {""} }; 172 int error; 173 174 error = simple_fill_super(sb, AAFS_MAGIC, files); 175 if (error) 176 return error; 177 sb->s_op = &aafs_super_ops; 178 179 return 0; 180 } 181 182 static int apparmorfs_get_tree(struct fs_context *fc) 183 { 184 return get_tree_single(fc, apparmorfs_fill_super); 185 } 186 187 static const struct fs_context_operations apparmorfs_context_ops = { 188 .get_tree = apparmorfs_get_tree, 189 }; 190 191 static int apparmorfs_init_fs_context(struct fs_context *fc) 192 { 193 fc->ops = &apparmorfs_context_ops; 194 return 0; 195 } 196 197 static struct file_system_type aafs_ops = { 198 .owner = THIS_MODULE, 199 .name = AAFS_NAME, 200 .init_fs_context = apparmorfs_init_fs_context, 201 .kill_sb = kill_anon_super, 202 }; 203 204 /** 205 * __aafs_setup_d_inode - basic inode setup for apparmorfs 206 * @dir: parent directory for the dentry 207 * @dentry: dentry we are seting the inode up for 208 * @mode: permissions the file should have 209 * @data: data to store on inode.i_private, available in open() 210 * @link: if symlink, symlink target string 211 * @fops: struct file_operations that should be used 212 * @iops: struct of inode_operations that should be used 213 */ 214 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, 215 umode_t mode, void *data, char *link, 216 const struct file_operations *fops, 217 const struct inode_operations *iops) 218 { 219 struct inode *inode = new_inode(dir->i_sb); 220 221 AA_BUG(!dir); 222 AA_BUG(!dentry); 223 224 if (!inode) 225 return -ENOMEM; 226 227 inode->i_ino = get_next_ino(); 228 inode->i_mode = mode; 229 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); 230 inode->i_private = data; 231 if (S_ISDIR(mode)) { 232 inode->i_op = iops ? iops : &simple_dir_inode_operations; 233 inode->i_fop = &simple_dir_operations; 234 inc_nlink(inode); 235 inc_nlink(dir); 236 } else if (S_ISLNK(mode)) { 237 inode->i_op = iops ? iops : &simple_symlink_inode_operations; 238 inode->i_link = link; 239 } else { 240 inode->i_fop = fops; 241 } 242 d_instantiate(dentry, inode); 243 dget(dentry); 244 245 return 0; 246 } 247 248 /** 249 * aafs_create - create a dentry in the apparmorfs filesystem 250 * 251 * @name: name of dentry to create 252 * @mode: permissions the file should have 253 * @parent: parent directory for this dentry 254 * @data: data to store on inode.i_private, available in open() 255 * @link: if symlink, symlink target string 256 * @fops: struct file_operations that should be used for 257 * @iops: struct of inode_operations that should be used 258 * 259 * This is the basic "create a xxx" function for apparmorfs. 260 * 261 * Returns a pointer to a dentry if it succeeds, that must be free with 262 * aafs_remove(). Will return ERR_PTR on failure. 263 */ 264 static struct dentry *aafs_create(const char *name, umode_t mode, 265 struct dentry *parent, void *data, void *link, 266 const struct file_operations *fops, 267 const struct inode_operations *iops) 268 { 269 struct dentry *dentry; 270 struct inode *dir; 271 int error; 272 273 AA_BUG(!name); 274 AA_BUG(!parent); 275 276 if (!(mode & S_IFMT)) 277 mode = (mode & S_IALLUGO) | S_IFREG; 278 279 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 280 if (error) 281 return ERR_PTR(error); 282 283 dir = d_inode(parent); 284 285 inode_lock(dir); 286 dentry = lookup_one_len(name, parent, strlen(name)); 287 if (IS_ERR(dentry)) { 288 error = PTR_ERR(dentry); 289 goto fail_lock; 290 } 291 292 if (d_really_is_positive(dentry)) { 293 error = -EEXIST; 294 goto fail_dentry; 295 } 296 297 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); 298 if (error) 299 goto fail_dentry; 300 inode_unlock(dir); 301 302 return dentry; 303 304 fail_dentry: 305 dput(dentry); 306 307 fail_lock: 308 inode_unlock(dir); 309 simple_release_fs(&aafs_mnt, &aafs_count); 310 311 return ERR_PTR(error); 312 } 313 314 /** 315 * aafs_create_file - create a file in the apparmorfs filesystem 316 * 317 * @name: name of dentry to create 318 * @mode: permissions the file should have 319 * @parent: parent directory for this dentry 320 * @data: data to store on inode.i_private, available in open() 321 * @fops: struct file_operations that should be used for 322 * 323 * see aafs_create 324 */ 325 static struct dentry *aafs_create_file(const char *name, umode_t mode, 326 struct dentry *parent, void *data, 327 const struct file_operations *fops) 328 { 329 return aafs_create(name, mode, parent, data, NULL, fops, NULL); 330 } 331 332 /** 333 * aafs_create_dir - create a directory in the apparmorfs filesystem 334 * 335 * @name: name of dentry to create 336 * @parent: parent directory for this dentry 337 * 338 * see aafs_create 339 */ 340 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) 341 { 342 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, 343 NULL); 344 } 345 346 /** 347 * aafs_remove - removes a file or directory from the apparmorfs filesystem 348 * 349 * @dentry: dentry of the file/directory/symlink to removed. 350 */ 351 static void aafs_remove(struct dentry *dentry) 352 { 353 struct inode *dir; 354 355 if (!dentry || IS_ERR(dentry)) 356 return; 357 358 dir = d_inode(dentry->d_parent); 359 inode_lock(dir); 360 if (simple_positive(dentry)) { 361 if (d_is_dir(dentry)) 362 simple_rmdir(dir, dentry); 363 else 364 simple_unlink(dir, dentry); 365 d_delete(dentry); 366 dput(dentry); 367 } 368 inode_unlock(dir); 369 simple_release_fs(&aafs_mnt, &aafs_count); 370 } 371 372 373 /* 374 * aa_fs - policy load/replace/remove 375 */ 376 377 /** 378 * aa_simple_write_to_buffer - common routine for getting policy from user 379 * @userbuf: user buffer to copy data from (NOT NULL) 380 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 381 * @copy_size: size of data to copy from user buffer 382 * @pos: position write is at in the file (NOT NULL) 383 * 384 * Returns: kernel buffer containing copy of user buffer data or an 385 * ERR_PTR on failure. 386 */ 387 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 388 size_t alloc_size, 389 size_t copy_size, 390 loff_t *pos) 391 { 392 struct aa_loaddata *data; 393 394 AA_BUG(copy_size > alloc_size); 395 396 if (*pos != 0) 397 /* only writes from pos 0, that is complete writes */ 398 return ERR_PTR(-ESPIPE); 399 400 /* freed by caller to simple_write_to_buffer */ 401 data = aa_loaddata_alloc(alloc_size); 402 if (IS_ERR(data)) 403 return data; 404 405 data->size = copy_size; 406 if (copy_from_user(data->data, userbuf, copy_size)) { 407 aa_put_loaddata(data); 408 return ERR_PTR(-EFAULT); 409 } 410 411 return data; 412 } 413 414 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, 415 loff_t *pos, struct aa_ns *ns) 416 { 417 struct aa_loaddata *data; 418 struct aa_label *label; 419 ssize_t error; 420 421 label = begin_current_label_crit_section(); 422 423 /* high level check about policy management - fine grained in 424 * below after unpack 425 */ 426 error = aa_may_manage_policy(label, ns, mask); 427 if (error) 428 goto end_section; 429 430 data = aa_simple_write_to_buffer(buf, size, size, pos); 431 error = PTR_ERR(data); 432 if (!IS_ERR(data)) { 433 error = aa_replace_profiles(ns, label, mask, data); 434 aa_put_loaddata(data); 435 } 436 end_section: 437 end_current_label_crit_section(label); 438 439 return error; 440 } 441 442 /* .load file hook fn to load policy */ 443 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 444 loff_t *pos) 445 { 446 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 447 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); 448 449 aa_put_ns(ns); 450 451 return error; 452 } 453 454 static const struct file_operations aa_fs_profile_load = { 455 .write = profile_load, 456 .llseek = default_llseek, 457 }; 458 459 /* .replace file hook fn to load and/or replace policy */ 460 static ssize_t profile_replace(struct file *f, const char __user *buf, 461 size_t size, loff_t *pos) 462 { 463 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 464 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, 465 buf, size, pos, ns); 466 aa_put_ns(ns); 467 468 return error; 469 } 470 471 static const struct file_operations aa_fs_profile_replace = { 472 .write = profile_replace, 473 .llseek = default_llseek, 474 }; 475 476 /* .remove file hook fn to remove loaded policy */ 477 static ssize_t profile_remove(struct file *f, const char __user *buf, 478 size_t size, loff_t *pos) 479 { 480 struct aa_loaddata *data; 481 struct aa_label *label; 482 ssize_t error; 483 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 484 485 label = begin_current_label_crit_section(); 486 /* high level check about policy management - fine grained in 487 * below after unpack 488 */ 489 error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY); 490 if (error) 491 goto out; 492 493 /* 494 * aa_remove_profile needs a null terminated string so 1 extra 495 * byte is allocated and the copied data is null terminated. 496 */ 497 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 498 499 error = PTR_ERR(data); 500 if (!IS_ERR(data)) { 501 data->data[size] = 0; 502 error = aa_remove_profiles(ns, label, data->data, size); 503 aa_put_loaddata(data); 504 } 505 out: 506 end_current_label_crit_section(label); 507 aa_put_ns(ns); 508 return error; 509 } 510 511 static const struct file_operations aa_fs_profile_remove = { 512 .write = profile_remove, 513 .llseek = default_llseek, 514 }; 515 516 struct aa_revision { 517 struct aa_ns *ns; 518 long last_read; 519 }; 520 521 /* revision file hook fn for policy loads */ 522 static int ns_revision_release(struct inode *inode, struct file *file) 523 { 524 struct aa_revision *rev = file->private_data; 525 526 if (rev) { 527 aa_put_ns(rev->ns); 528 kfree(rev); 529 } 530 531 return 0; 532 } 533 534 static ssize_t ns_revision_read(struct file *file, char __user *buf, 535 size_t size, loff_t *ppos) 536 { 537 struct aa_revision *rev = file->private_data; 538 char buffer[32]; 539 long last_read; 540 int avail; 541 542 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 543 last_read = rev->last_read; 544 if (last_read == rev->ns->revision) { 545 mutex_unlock(&rev->ns->lock); 546 if (file->f_flags & O_NONBLOCK) 547 return -EAGAIN; 548 if (wait_event_interruptible(rev->ns->wait, 549 last_read != 550 READ_ONCE(rev->ns->revision))) 551 return -ERESTARTSYS; 552 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 553 } 554 555 avail = sprintf(buffer, "%ld\n", rev->ns->revision); 556 if (*ppos + size > avail) { 557 rev->last_read = rev->ns->revision; 558 *ppos = 0; 559 } 560 mutex_unlock(&rev->ns->lock); 561 562 return simple_read_from_buffer(buf, size, ppos, buffer, avail); 563 } 564 565 static int ns_revision_open(struct inode *inode, struct file *file) 566 { 567 struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL); 568 569 if (!rev) 570 return -ENOMEM; 571 572 rev->ns = aa_get_ns(inode->i_private); 573 if (!rev->ns) 574 rev->ns = aa_get_current_ns(); 575 file->private_data = rev; 576 577 return 0; 578 } 579 580 static __poll_t ns_revision_poll(struct file *file, poll_table *pt) 581 { 582 struct aa_revision *rev = file->private_data; 583 __poll_t mask = 0; 584 585 if (rev) { 586 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 587 poll_wait(file, &rev->ns->wait, pt); 588 if (rev->last_read < rev->ns->revision) 589 mask |= EPOLLIN | EPOLLRDNORM; 590 mutex_unlock(&rev->ns->lock); 591 } 592 593 return mask; 594 } 595 596 void __aa_bump_ns_revision(struct aa_ns *ns) 597 { 598 WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); 599 wake_up_interruptible(&ns->wait); 600 } 601 602 static const struct file_operations aa_fs_ns_revision_fops = { 603 .owner = THIS_MODULE, 604 .open = ns_revision_open, 605 .poll = ns_revision_poll, 606 .read = ns_revision_read, 607 .llseek = generic_file_llseek, 608 .release = ns_revision_release, 609 }; 610 611 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, 612 const char *match_str, size_t match_len) 613 { 614 struct aa_ruleset *rules = list_first_entry(&profile->rules, 615 typeof(*rules), list); 616 struct aa_perms tmp = { }; 617 aa_state_t state = DFA_NOMATCH; 618 619 if (profile_unconfined(profile)) 620 return; 621 if (rules->file.dfa && *match_str == AA_CLASS_FILE) { 622 state = aa_dfa_match_len(rules->file.dfa, 623 rules->file.start[AA_CLASS_FILE], 624 match_str + 1, match_len - 1); 625 if (state) { 626 struct path_cond cond = { }; 627 628 tmp = *(aa_lookup_fperms(&(rules->file), state, &cond)); 629 } 630 } else if (rules->policy.dfa) { 631 if (!RULE_MEDIATES(rules, *match_str)) 632 return; /* no change to current perms */ 633 state = aa_dfa_match_len(rules->policy.dfa, 634 rules->policy.start[0], 635 match_str, match_len); 636 if (state) 637 tmp = *aa_lookup_perms(&rules->policy, state); 638 } 639 aa_apply_modes_to_perms(profile, &tmp); 640 aa_perms_accum_raw(perms, &tmp); 641 } 642 643 644 /** 645 * query_data - queries a policy and writes its data to buf 646 * @buf: the resulting data is stored here (NOT NULL) 647 * @buf_len: size of buf 648 * @query: query string used to retrieve data 649 * @query_len: size of query including second NUL byte 650 * 651 * The buffers pointed to by buf and query may overlap. The query buffer is 652 * parsed before buf is written to. 653 * 654 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 655 * the security confinement context and <KEY> is the name of the data to 656 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 657 * 658 * Don't expect the contents of buf to be preserved on failure. 659 * 660 * Returns: number of characters written to buf or -errno on failure 661 */ 662 static ssize_t query_data(char *buf, size_t buf_len, 663 char *query, size_t query_len) 664 { 665 char *out; 666 const char *key; 667 struct label_it i; 668 struct aa_label *label, *curr; 669 struct aa_profile *profile; 670 struct aa_data *data; 671 u32 bytes, blocks; 672 __le32 outle32; 673 674 if (!query_len) 675 return -EINVAL; /* need a query */ 676 677 key = query + strnlen(query, query_len) + 1; 678 if (key + 1 >= query + query_len) 679 return -EINVAL; /* not enough space for a non-empty key */ 680 if (key + strnlen(key, query + query_len - key) >= query + query_len) 681 return -EINVAL; /* must end with NUL */ 682 683 if (buf_len < sizeof(bytes) + sizeof(blocks)) 684 return -EINVAL; /* not enough space */ 685 686 curr = begin_current_label_crit_section(); 687 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); 688 end_current_label_crit_section(curr); 689 if (IS_ERR(label)) 690 return PTR_ERR(label); 691 692 /* We are going to leave space for two numbers. The first is the total 693 * number of bytes we are writing after the first number. This is so 694 * users can read the full output without reallocation. 695 * 696 * The second number is the number of data blocks we're writing. An 697 * application might be confined by multiple policies having data in 698 * the same key. 699 */ 700 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 701 out = buf + sizeof(bytes) + sizeof(blocks); 702 703 blocks = 0; 704 label_for_each_confined(i, label, profile) { 705 if (!profile->data) 706 continue; 707 708 data = rhashtable_lookup_fast(profile->data, &key, 709 profile->data->p); 710 711 if (data) { 712 if (out + sizeof(outle32) + data->size > buf + 713 buf_len) { 714 aa_put_label(label); 715 return -EINVAL; /* not enough space */ 716 } 717 outle32 = __cpu_to_le32(data->size); 718 memcpy(out, &outle32, sizeof(outle32)); 719 out += sizeof(outle32); 720 memcpy(out, data->data, data->size); 721 out += data->size; 722 blocks++; 723 } 724 } 725 aa_put_label(label); 726 727 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 728 memcpy(buf, &outle32, sizeof(outle32)); 729 outle32 = __cpu_to_le32(blocks); 730 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 731 732 return out - buf; 733 } 734 735 /** 736 * query_label - queries a label and writes permissions to buf 737 * @buf: the resulting permissions string is stored here (NOT NULL) 738 * @buf_len: size of buf 739 * @query: binary query string to match against the dfa 740 * @query_len: size of query 741 * @view_only: only compute for querier's view 742 * 743 * The buffers pointed to by buf and query may overlap. The query buffer is 744 * parsed before buf is written to. 745 * 746 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is 747 * the name of the label, in the current namespace, that is to be queried and 748 * DFA_STRING is a binary string to match against the label(s)'s DFA. 749 * 750 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters 751 * but must *not* be NUL terminated. 752 * 753 * Returns: number of characters written to buf or -errno on failure 754 */ 755 static ssize_t query_label(char *buf, size_t buf_len, 756 char *query, size_t query_len, bool view_only) 757 { 758 struct aa_profile *profile; 759 struct aa_label *label, *curr; 760 char *label_name, *match_str; 761 size_t label_name_len, match_len; 762 struct aa_perms perms; 763 struct label_it i; 764 765 if (!query_len) 766 return -EINVAL; 767 768 label_name = query; 769 label_name_len = strnlen(query, query_len); 770 if (!label_name_len || label_name_len == query_len) 771 return -EINVAL; 772 773 /** 774 * The extra byte is to account for the null byte between the 775 * profile name and dfa string. profile_name_len is greater 776 * than zero and less than query_len, so a byte can be safely 777 * added or subtracted. 778 */ 779 match_str = label_name + label_name_len + 1; 780 match_len = query_len - label_name_len - 1; 781 782 curr = begin_current_label_crit_section(); 783 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); 784 end_current_label_crit_section(curr); 785 if (IS_ERR(label)) 786 return PTR_ERR(label); 787 788 perms = allperms; 789 if (view_only) { 790 label_for_each_in_ns(i, labels_ns(label), label, profile) { 791 profile_query_cb(profile, &perms, match_str, match_len); 792 } 793 } else { 794 label_for_each(i, label, profile) { 795 profile_query_cb(profile, &perms, match_str, match_len); 796 } 797 } 798 aa_put_label(label); 799 800 return scnprintf(buf, buf_len, 801 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n", 802 perms.allow, perms.deny, perms.audit, perms.quiet); 803 } 804 805 /* 806 * Transaction based IO. 807 * The file expects a write which triggers the transaction, and then 808 * possibly a read(s) which collects the result - which is stored in a 809 * file-local buffer. Once a new write is performed, a new set of results 810 * are stored in the file-local buffer. 811 */ 812 struct multi_transaction { 813 struct kref count; 814 ssize_t size; 815 char data[]; 816 }; 817 818 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) 819 820 static void multi_transaction_kref(struct kref *kref) 821 { 822 struct multi_transaction *t; 823 824 t = container_of(kref, struct multi_transaction, count); 825 free_page((unsigned long) t); 826 } 827 828 static struct multi_transaction * 829 get_multi_transaction(struct multi_transaction *t) 830 { 831 if (t) 832 kref_get(&(t->count)); 833 834 return t; 835 } 836 837 static void put_multi_transaction(struct multi_transaction *t) 838 { 839 if (t) 840 kref_put(&(t->count), multi_transaction_kref); 841 } 842 843 /* does not increment @new's count */ 844 static void multi_transaction_set(struct file *file, 845 struct multi_transaction *new, size_t n) 846 { 847 struct multi_transaction *old; 848 849 AA_BUG(n > MULTI_TRANSACTION_LIMIT); 850 851 new->size = n; 852 spin_lock(&file->f_lock); 853 old = (struct multi_transaction *) file->private_data; 854 file->private_data = new; 855 spin_unlock(&file->f_lock); 856 put_multi_transaction(old); 857 } 858 859 static struct multi_transaction *multi_transaction_new(struct file *file, 860 const char __user *buf, 861 size_t size) 862 { 863 struct multi_transaction *t; 864 865 if (size > MULTI_TRANSACTION_LIMIT - 1) 866 return ERR_PTR(-EFBIG); 867 868 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL); 869 if (!t) 870 return ERR_PTR(-ENOMEM); 871 kref_init(&t->count); 872 if (copy_from_user(t->data, buf, size)) { 873 put_multi_transaction(t); 874 return ERR_PTR(-EFAULT); 875 } 876 877 return t; 878 } 879 880 static ssize_t multi_transaction_read(struct file *file, char __user *buf, 881 size_t size, loff_t *pos) 882 { 883 struct multi_transaction *t; 884 ssize_t ret; 885 886 spin_lock(&file->f_lock); 887 t = get_multi_transaction(file->private_data); 888 spin_unlock(&file->f_lock); 889 890 if (!t) 891 return 0; 892 893 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); 894 put_multi_transaction(t); 895 896 return ret; 897 } 898 899 static int multi_transaction_release(struct inode *inode, struct file *file) 900 { 901 put_multi_transaction(file->private_data); 902 903 return 0; 904 } 905 906 #define QUERY_CMD_LABEL "label\0" 907 #define QUERY_CMD_LABEL_LEN 6 908 #define QUERY_CMD_PROFILE "profile\0" 909 #define QUERY_CMD_PROFILE_LEN 8 910 #define QUERY_CMD_LABELALL "labelall\0" 911 #define QUERY_CMD_LABELALL_LEN 9 912 #define QUERY_CMD_DATA "data\0" 913 #define QUERY_CMD_DATA_LEN 5 914 915 /** 916 * aa_write_access - generic permissions and data query 917 * @file: pointer to open apparmorfs/access file 918 * @ubuf: user buffer containing the complete query string (NOT NULL) 919 * @count: size of ubuf 920 * @ppos: position in the file (MUST BE ZERO) 921 * 922 * Allows for one permissions or data query per open(), write(), and read() 923 * sequence. The only queries currently supported are label-based queries for 924 * permissions or data. 925 * 926 * For permissions queries, ubuf must begin with "label\0", followed by the 927 * profile query specific format described in the query_label() function 928 * documentation. 929 * 930 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 931 * <LABEL> is the name of the security confinement context and <KEY> is the 932 * name of the data to retrieve. 933 * 934 * Returns: number of bytes written or -errno on failure 935 */ 936 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 937 size_t count, loff_t *ppos) 938 { 939 struct multi_transaction *t; 940 ssize_t len; 941 942 if (*ppos) 943 return -ESPIPE; 944 945 t = multi_transaction_new(file, ubuf, count); 946 if (IS_ERR(t)) 947 return PTR_ERR(t); 948 949 if (count > QUERY_CMD_PROFILE_LEN && 950 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { 951 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 952 t->data + QUERY_CMD_PROFILE_LEN, 953 count - QUERY_CMD_PROFILE_LEN, true); 954 } else if (count > QUERY_CMD_LABEL_LEN && 955 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { 956 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 957 t->data + QUERY_CMD_LABEL_LEN, 958 count - QUERY_CMD_LABEL_LEN, true); 959 } else if (count > QUERY_CMD_LABELALL_LEN && 960 !memcmp(t->data, QUERY_CMD_LABELALL, 961 QUERY_CMD_LABELALL_LEN)) { 962 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 963 t->data + QUERY_CMD_LABELALL_LEN, 964 count - QUERY_CMD_LABELALL_LEN, false); 965 } else if (count > QUERY_CMD_DATA_LEN && 966 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 967 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, 968 t->data + QUERY_CMD_DATA_LEN, 969 count - QUERY_CMD_DATA_LEN); 970 } else 971 len = -EINVAL; 972 973 if (len < 0) { 974 put_multi_transaction(t); 975 return len; 976 } 977 978 multi_transaction_set(file, t, len); 979 980 return count; 981 } 982 983 static const struct file_operations aa_sfs_access = { 984 .write = aa_write_access, 985 .read = multi_transaction_read, 986 .release = multi_transaction_release, 987 .llseek = generic_file_llseek, 988 }; 989 990 static int aa_sfs_seq_show(struct seq_file *seq, void *v) 991 { 992 struct aa_sfs_entry *fs_file = seq->private; 993 994 if (!fs_file) 995 return 0; 996 997 switch (fs_file->v_type) { 998 case AA_SFS_TYPE_BOOLEAN: 999 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); 1000 break; 1001 case AA_SFS_TYPE_STRING: 1002 seq_printf(seq, "%s\n", fs_file->v.string); 1003 break; 1004 case AA_SFS_TYPE_U64: 1005 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 1006 break; 1007 default: 1008 /* Ignore unpritable entry types. */ 1009 break; 1010 } 1011 1012 return 0; 1013 } 1014 1015 static int aa_sfs_seq_open(struct inode *inode, struct file *file) 1016 { 1017 return single_open(file, aa_sfs_seq_show, inode->i_private); 1018 } 1019 1020 const struct file_operations aa_sfs_seq_file_ops = { 1021 .owner = THIS_MODULE, 1022 .open = aa_sfs_seq_open, 1023 .read = seq_read, 1024 .llseek = seq_lseek, 1025 .release = single_release, 1026 }; 1027 1028 /* 1029 * profile based file operations 1030 * policy/profiles/XXXX/profiles/ * 1031 */ 1032 1033 #define SEQ_PROFILE_FOPS(NAME) \ 1034 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1035 { \ 1036 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \ 1037 } \ 1038 \ 1039 static const struct file_operations seq_profile_ ##NAME ##_fops = { \ 1040 .owner = THIS_MODULE, \ 1041 .open = seq_profile_ ##NAME ##_open, \ 1042 .read = seq_read, \ 1043 .llseek = seq_lseek, \ 1044 .release = seq_profile_release, \ 1045 } \ 1046 1047 static int seq_profile_open(struct inode *inode, struct file *file, 1048 int (*show)(struct seq_file *, void *)) 1049 { 1050 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); 1051 int error = single_open(file, show, proxy); 1052 1053 if (error) { 1054 file->private_data = NULL; 1055 aa_put_proxy(proxy); 1056 } 1057 1058 return error; 1059 } 1060 1061 static int seq_profile_release(struct inode *inode, struct file *file) 1062 { 1063 struct seq_file *seq = (struct seq_file *) file->private_data; 1064 if (seq) 1065 aa_put_proxy(seq->private); 1066 return single_release(inode, file); 1067 } 1068 1069 static int seq_profile_name_show(struct seq_file *seq, void *v) 1070 { 1071 struct aa_proxy *proxy = seq->private; 1072 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1073 struct aa_profile *profile = labels_profile(label); 1074 seq_printf(seq, "%s\n", profile->base.name); 1075 aa_put_label(label); 1076 1077 return 0; 1078 } 1079 1080 static int seq_profile_mode_show(struct seq_file *seq, void *v) 1081 { 1082 struct aa_proxy *proxy = seq->private; 1083 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1084 struct aa_profile *profile = labels_profile(label); 1085 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 1086 aa_put_label(label); 1087 1088 return 0; 1089 } 1090 1091 static int seq_profile_attach_show(struct seq_file *seq, void *v) 1092 { 1093 struct aa_proxy *proxy = seq->private; 1094 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1095 struct aa_profile *profile = labels_profile(label); 1096 if (profile->attach.xmatch_str) 1097 seq_printf(seq, "%s\n", profile->attach.xmatch_str); 1098 else if (profile->attach.xmatch.dfa) 1099 seq_puts(seq, "<unknown>\n"); 1100 else 1101 seq_printf(seq, "%s\n", profile->base.name); 1102 aa_put_label(label); 1103 1104 return 0; 1105 } 1106 1107 static int seq_profile_hash_show(struct seq_file *seq, void *v) 1108 { 1109 struct aa_proxy *proxy = seq->private; 1110 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1111 struct aa_profile *profile = labels_profile(label); 1112 unsigned int i, size = aa_hash_size(); 1113 1114 if (profile->hash) { 1115 for (i = 0; i < size; i++) 1116 seq_printf(seq, "%.2x", profile->hash[i]); 1117 seq_putc(seq, '\n'); 1118 } 1119 aa_put_label(label); 1120 1121 return 0; 1122 } 1123 1124 SEQ_PROFILE_FOPS(name); 1125 SEQ_PROFILE_FOPS(mode); 1126 SEQ_PROFILE_FOPS(attach); 1127 SEQ_PROFILE_FOPS(hash); 1128 1129 /* 1130 * namespace based files 1131 * several root files and 1132 * policy/ * 1133 */ 1134 1135 #define SEQ_NS_FOPS(NAME) \ 1136 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \ 1137 { \ 1138 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \ 1139 } \ 1140 \ 1141 static const struct file_operations seq_ns_ ##NAME ##_fops = { \ 1142 .owner = THIS_MODULE, \ 1143 .open = seq_ns_ ##NAME ##_open, \ 1144 .read = seq_read, \ 1145 .llseek = seq_lseek, \ 1146 .release = single_release, \ 1147 } \ 1148 1149 static int seq_ns_stacked_show(struct seq_file *seq, void *v) 1150 { 1151 struct aa_label *label; 1152 1153 label = begin_current_label_crit_section(); 1154 seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no"); 1155 end_current_label_crit_section(label); 1156 1157 return 0; 1158 } 1159 1160 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v) 1161 { 1162 struct aa_label *label; 1163 struct aa_profile *profile; 1164 struct label_it it; 1165 int count = 1; 1166 1167 label = begin_current_label_crit_section(); 1168 1169 if (label->size > 1) { 1170 label_for_each(it, label, profile) 1171 if (profile->ns != labels_ns(label)) { 1172 count++; 1173 break; 1174 } 1175 } 1176 1177 seq_printf(seq, "%s\n", count > 1 ? "yes" : "no"); 1178 end_current_label_crit_section(label); 1179 1180 return 0; 1181 } 1182 1183 static int seq_ns_level_show(struct seq_file *seq, void *v) 1184 { 1185 struct aa_label *label; 1186 1187 label = begin_current_label_crit_section(); 1188 seq_printf(seq, "%d\n", labels_ns(label)->level); 1189 end_current_label_crit_section(label); 1190 1191 return 0; 1192 } 1193 1194 static int seq_ns_name_show(struct seq_file *seq, void *v) 1195 { 1196 struct aa_label *label = begin_current_label_crit_section(); 1197 seq_printf(seq, "%s\n", labels_ns(label)->base.name); 1198 end_current_label_crit_section(label); 1199 1200 return 0; 1201 } 1202 1203 static int seq_ns_compress_min_show(struct seq_file *seq, void *v) 1204 { 1205 seq_printf(seq, "%d\n", AA_MIN_CLEVEL); 1206 return 0; 1207 } 1208 1209 static int seq_ns_compress_max_show(struct seq_file *seq, void *v) 1210 { 1211 seq_printf(seq, "%d\n", AA_MAX_CLEVEL); 1212 return 0; 1213 } 1214 1215 SEQ_NS_FOPS(stacked); 1216 SEQ_NS_FOPS(nsstacked); 1217 SEQ_NS_FOPS(level); 1218 SEQ_NS_FOPS(name); 1219 SEQ_NS_FOPS(compress_min); 1220 SEQ_NS_FOPS(compress_max); 1221 1222 1223 /* policy/raw_data/ * file ops */ 1224 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1225 #define SEQ_RAWDATA_FOPS(NAME) \ 1226 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1227 { \ 1228 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1229 } \ 1230 \ 1231 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1232 .owner = THIS_MODULE, \ 1233 .open = seq_rawdata_ ##NAME ##_open, \ 1234 .read = seq_read, \ 1235 .llseek = seq_lseek, \ 1236 .release = seq_rawdata_release, \ 1237 } \ 1238 1239 static int seq_rawdata_open(struct inode *inode, struct file *file, 1240 int (*show)(struct seq_file *, void *)) 1241 { 1242 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private); 1243 int error; 1244 1245 if (!data) 1246 /* lost race this ent is being reaped */ 1247 return -ENOENT; 1248 1249 error = single_open(file, show, data); 1250 if (error) { 1251 AA_BUG(file->private_data && 1252 ((struct seq_file *)file->private_data)->private); 1253 aa_put_loaddata(data); 1254 } 1255 1256 return error; 1257 } 1258 1259 static int seq_rawdata_release(struct inode *inode, struct file *file) 1260 { 1261 struct seq_file *seq = (struct seq_file *) file->private_data; 1262 1263 if (seq) 1264 aa_put_loaddata(seq->private); 1265 1266 return single_release(inode, file); 1267 } 1268 1269 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1270 { 1271 struct aa_loaddata *data = seq->private; 1272 1273 seq_printf(seq, "v%d\n", data->abi); 1274 1275 return 0; 1276 } 1277 1278 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1279 { 1280 struct aa_loaddata *data = seq->private; 1281 1282 seq_printf(seq, "%ld\n", data->revision); 1283 1284 return 0; 1285 } 1286 1287 static int seq_rawdata_hash_show(struct seq_file *seq, void *v) 1288 { 1289 struct aa_loaddata *data = seq->private; 1290 unsigned int i, size = aa_hash_size(); 1291 1292 if (data->hash) { 1293 for (i = 0; i < size; i++) 1294 seq_printf(seq, "%.2x", data->hash[i]); 1295 seq_putc(seq, '\n'); 1296 } 1297 1298 return 0; 1299 } 1300 1301 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v) 1302 { 1303 struct aa_loaddata *data = seq->private; 1304 1305 seq_printf(seq, "%zu\n", data->compressed_size); 1306 1307 return 0; 1308 } 1309 1310 SEQ_RAWDATA_FOPS(abi); 1311 SEQ_RAWDATA_FOPS(revision); 1312 SEQ_RAWDATA_FOPS(hash); 1313 SEQ_RAWDATA_FOPS(compressed_size); 1314 1315 static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen) 1316 { 1317 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1318 if (slen < dlen) { 1319 const size_t wksp_len = zstd_dctx_workspace_bound(); 1320 zstd_dctx *ctx; 1321 void *wksp; 1322 size_t out_len; 1323 int ret = 0; 1324 1325 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1326 if (!wksp) { 1327 ret = -ENOMEM; 1328 goto cleanup; 1329 } 1330 ctx = zstd_init_dctx(wksp, wksp_len); 1331 if (ctx == NULL) { 1332 ret = -ENOMEM; 1333 goto cleanup; 1334 } 1335 out_len = zstd_decompress_dctx(ctx, dst, dlen, src, slen); 1336 if (zstd_is_error(out_len)) { 1337 ret = -EINVAL; 1338 goto cleanup; 1339 } 1340 cleanup: 1341 kvfree(wksp); 1342 return ret; 1343 } 1344 #endif 1345 1346 if (dlen < slen) 1347 return -EINVAL; 1348 memcpy(dst, src, slen); 1349 return 0; 1350 } 1351 1352 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1353 loff_t *ppos) 1354 { 1355 struct rawdata_f_data *private = file->private_data; 1356 1357 return simple_read_from_buffer(buf, size, ppos, 1358 RAWDATA_F_DATA_BUF(private), 1359 private->loaddata->size); 1360 } 1361 1362 static int rawdata_release(struct inode *inode, struct file *file) 1363 { 1364 rawdata_f_data_free(file->private_data); 1365 1366 return 0; 1367 } 1368 1369 static int rawdata_open(struct inode *inode, struct file *file) 1370 { 1371 int error; 1372 struct aa_loaddata *loaddata; 1373 struct rawdata_f_data *private; 1374 1375 if (!aa_current_policy_view_capable(NULL)) 1376 return -EACCES; 1377 1378 loaddata = __aa_get_loaddata(inode->i_private); 1379 if (!loaddata) 1380 /* lost race: this entry is being reaped */ 1381 return -ENOENT; 1382 1383 private = rawdata_f_data_alloc(loaddata->size); 1384 if (IS_ERR(private)) { 1385 error = PTR_ERR(private); 1386 goto fail_private_alloc; 1387 } 1388 1389 private->loaddata = loaddata; 1390 1391 error = decompress_zstd(loaddata->data, loaddata->compressed_size, 1392 RAWDATA_F_DATA_BUF(private), 1393 loaddata->size); 1394 if (error) 1395 goto fail_decompress; 1396 1397 file->private_data = private; 1398 return 0; 1399 1400 fail_decompress: 1401 rawdata_f_data_free(private); 1402 return error; 1403 1404 fail_private_alloc: 1405 aa_put_loaddata(loaddata); 1406 return error; 1407 } 1408 1409 static const struct file_operations rawdata_fops = { 1410 .open = rawdata_open, 1411 .read = rawdata_read, 1412 .llseek = generic_file_llseek, 1413 .release = rawdata_release, 1414 }; 1415 1416 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1417 { 1418 int i; 1419 1420 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1421 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1422 /* no refcounts on i_private */ 1423 aafs_remove(rawdata->dents[i]); 1424 rawdata->dents[i] = NULL; 1425 } 1426 } 1427 } 1428 1429 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1430 { 1431 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1432 1433 if (rawdata->ns) { 1434 remove_rawdata_dents(rawdata); 1435 list_del_init(&rawdata->list); 1436 aa_put_ns(rawdata->ns); 1437 rawdata->ns = NULL; 1438 } 1439 } 1440 1441 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1442 { 1443 struct dentry *dent, *dir; 1444 1445 AA_BUG(!ns); 1446 AA_BUG(!rawdata); 1447 AA_BUG(!mutex_is_locked(&ns->lock)); 1448 AA_BUG(!ns_subdata_dir(ns)); 1449 1450 /* 1451 * just use ns revision dir was originally created at. This is 1452 * under ns->lock and if load is successful revision will be 1453 * bumped and is guaranteed to be unique 1454 */ 1455 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1456 if (!rawdata->name) 1457 return -ENOMEM; 1458 1459 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1460 if (IS_ERR(dir)) 1461 /* ->name freed when rawdata freed */ 1462 return PTR_ERR(dir); 1463 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1464 1465 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, 1466 &seq_rawdata_abi_fops); 1467 if (IS_ERR(dent)) 1468 goto fail; 1469 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1470 1471 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, 1472 &seq_rawdata_revision_fops); 1473 if (IS_ERR(dent)) 1474 goto fail; 1475 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1476 1477 if (aa_g_hash_policy) { 1478 dent = aafs_create_file("sha1", S_IFREG | 0444, dir, 1479 rawdata, &seq_rawdata_hash_fops); 1480 if (IS_ERR(dent)) 1481 goto fail; 1482 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1483 } 1484 1485 dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, 1486 rawdata, 1487 &seq_rawdata_compressed_size_fops); 1488 if (IS_ERR(dent)) 1489 goto fail; 1490 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; 1491 1492 dent = aafs_create_file("raw_data", S_IFREG | 0444, 1493 dir, rawdata, &rawdata_fops); 1494 if (IS_ERR(dent)) 1495 goto fail; 1496 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1497 d_inode(dent)->i_size = rawdata->size; 1498 1499 rawdata->ns = aa_get_ns(ns); 1500 list_add(&rawdata->list, &ns->rawdata_list); 1501 /* no refcount on inode rawdata */ 1502 1503 return 0; 1504 1505 fail: 1506 remove_rawdata_dents(rawdata); 1507 1508 return PTR_ERR(dent); 1509 } 1510 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1511 1512 1513 /** fns to setup dynamic per profile/namespace files **/ 1514 1515 /* 1516 * 1517 * Requires: @profile->ns->lock held 1518 */ 1519 void __aafs_profile_rmdir(struct aa_profile *profile) 1520 { 1521 struct aa_profile *child; 1522 int i; 1523 1524 if (!profile) 1525 return; 1526 1527 list_for_each_entry(child, &profile->base.profiles, base.list) 1528 __aafs_profile_rmdir(child); 1529 1530 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1531 struct aa_proxy *proxy; 1532 if (!profile->dents[i]) 1533 continue; 1534 1535 proxy = d_inode(profile->dents[i])->i_private; 1536 aafs_remove(profile->dents[i]); 1537 aa_put_proxy(proxy); 1538 profile->dents[i] = NULL; 1539 } 1540 } 1541 1542 /* 1543 * 1544 * Requires: @old->ns->lock held 1545 */ 1546 void __aafs_profile_migrate_dents(struct aa_profile *old, 1547 struct aa_profile *new) 1548 { 1549 int i; 1550 1551 AA_BUG(!old); 1552 AA_BUG(!new); 1553 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1554 1555 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1556 new->dents[i] = old->dents[i]; 1557 if (new->dents[i]) 1558 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); 1559 old->dents[i] = NULL; 1560 } 1561 } 1562 1563 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1564 struct aa_profile *profile, 1565 const struct file_operations *fops) 1566 { 1567 struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); 1568 struct dentry *dent; 1569 1570 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops); 1571 if (IS_ERR(dent)) 1572 aa_put_proxy(proxy); 1573 1574 return dent; 1575 } 1576 1577 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1578 static int profile_depth(struct aa_profile *profile) 1579 { 1580 int depth = 0; 1581 1582 rcu_read_lock(); 1583 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1584 depth++; 1585 rcu_read_unlock(); 1586 1587 return depth; 1588 } 1589 1590 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1591 { 1592 char *buffer, *s; 1593 int error; 1594 int size = depth * 6 + strlen(dirname) + strlen(fname) + 11; 1595 1596 s = buffer = kmalloc(size, GFP_KERNEL); 1597 if (!buffer) 1598 return ERR_PTR(-ENOMEM); 1599 1600 for (; depth > 0; depth--) { 1601 strcpy(s, "../../"); 1602 s += 6; 1603 size -= 6; 1604 } 1605 1606 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1607 if (error >= size || error < 0) { 1608 kfree(buffer); 1609 return ERR_PTR(-ENAMETOOLONG); 1610 } 1611 1612 return buffer; 1613 } 1614 1615 static void rawdata_link_cb(void *arg) 1616 { 1617 kfree(arg); 1618 } 1619 1620 static const char *rawdata_get_link_base(struct dentry *dentry, 1621 struct inode *inode, 1622 struct delayed_call *done, 1623 const char *name) 1624 { 1625 struct aa_proxy *proxy = inode->i_private; 1626 struct aa_label *label; 1627 struct aa_profile *profile; 1628 char *target; 1629 int depth; 1630 1631 if (!dentry) 1632 return ERR_PTR(-ECHILD); 1633 1634 label = aa_get_label_rcu(&proxy->label); 1635 profile = labels_profile(label); 1636 depth = profile_depth(profile); 1637 target = gen_symlink_name(depth, profile->rawdata->name, name); 1638 aa_put_label(label); 1639 1640 if (IS_ERR(target)) 1641 return target; 1642 1643 set_delayed_call(done, rawdata_link_cb, target); 1644 1645 return target; 1646 } 1647 1648 static const char *rawdata_get_link_sha1(struct dentry *dentry, 1649 struct inode *inode, 1650 struct delayed_call *done) 1651 { 1652 return rawdata_get_link_base(dentry, inode, done, "sha1"); 1653 } 1654 1655 static const char *rawdata_get_link_abi(struct dentry *dentry, 1656 struct inode *inode, 1657 struct delayed_call *done) 1658 { 1659 return rawdata_get_link_base(dentry, inode, done, "abi"); 1660 } 1661 1662 static const char *rawdata_get_link_data(struct dentry *dentry, 1663 struct inode *inode, 1664 struct delayed_call *done) 1665 { 1666 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1667 } 1668 1669 static const struct inode_operations rawdata_link_sha1_iops = { 1670 .get_link = rawdata_get_link_sha1, 1671 }; 1672 1673 static const struct inode_operations rawdata_link_abi_iops = { 1674 .get_link = rawdata_get_link_abi, 1675 }; 1676 static const struct inode_operations rawdata_link_data_iops = { 1677 .get_link = rawdata_get_link_data, 1678 }; 1679 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1680 1681 /* 1682 * Requires: @profile->ns->lock held 1683 */ 1684 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1685 { 1686 struct aa_profile *child; 1687 struct dentry *dent = NULL, *dir; 1688 int error; 1689 1690 AA_BUG(!profile); 1691 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1692 1693 if (!parent) { 1694 struct aa_profile *p; 1695 p = aa_deref_parent(profile); 1696 dent = prof_dir(p); 1697 /* adding to parent that previously didn't have children */ 1698 dent = aafs_create_dir("profiles", dent); 1699 if (IS_ERR(dent)) 1700 goto fail; 1701 prof_child_dir(p) = parent = dent; 1702 } 1703 1704 if (!profile->dirname) { 1705 int len, id_len; 1706 len = mangle_name(profile->base.name, NULL); 1707 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1708 1709 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1710 if (!profile->dirname) { 1711 error = -ENOMEM; 1712 goto fail2; 1713 } 1714 1715 mangle_name(profile->base.name, profile->dirname); 1716 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1717 } 1718 1719 dent = aafs_create_dir(profile->dirname, parent); 1720 if (IS_ERR(dent)) 1721 goto fail; 1722 prof_dir(profile) = dir = dent; 1723 1724 dent = create_profile_file(dir, "name", profile, 1725 &seq_profile_name_fops); 1726 if (IS_ERR(dent)) 1727 goto fail; 1728 profile->dents[AAFS_PROF_NAME] = dent; 1729 1730 dent = create_profile_file(dir, "mode", profile, 1731 &seq_profile_mode_fops); 1732 if (IS_ERR(dent)) 1733 goto fail; 1734 profile->dents[AAFS_PROF_MODE] = dent; 1735 1736 dent = create_profile_file(dir, "attach", profile, 1737 &seq_profile_attach_fops); 1738 if (IS_ERR(dent)) 1739 goto fail; 1740 profile->dents[AAFS_PROF_ATTACH] = dent; 1741 1742 if (profile->hash) { 1743 dent = create_profile_file(dir, "sha1", profile, 1744 &seq_profile_hash_fops); 1745 if (IS_ERR(dent)) 1746 goto fail; 1747 profile->dents[AAFS_PROF_HASH] = dent; 1748 } 1749 1750 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1751 if (profile->rawdata) { 1752 if (aa_g_hash_policy) { 1753 dent = aafs_create("raw_sha1", S_IFLNK | 0444, dir, 1754 profile->label.proxy, NULL, NULL, 1755 &rawdata_link_sha1_iops); 1756 if (IS_ERR(dent)) 1757 goto fail; 1758 aa_get_proxy(profile->label.proxy); 1759 profile->dents[AAFS_PROF_RAW_HASH] = dent; 1760 } 1761 dent = aafs_create("raw_abi", S_IFLNK | 0444, dir, 1762 profile->label.proxy, NULL, NULL, 1763 &rawdata_link_abi_iops); 1764 if (IS_ERR(dent)) 1765 goto fail; 1766 aa_get_proxy(profile->label.proxy); 1767 profile->dents[AAFS_PROF_RAW_ABI] = dent; 1768 1769 dent = aafs_create("raw_data", S_IFLNK | 0444, dir, 1770 profile->label.proxy, NULL, NULL, 1771 &rawdata_link_data_iops); 1772 if (IS_ERR(dent)) 1773 goto fail; 1774 aa_get_proxy(profile->label.proxy); 1775 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1776 } 1777 #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1778 1779 list_for_each_entry(child, &profile->base.profiles, base.list) { 1780 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1781 if (error) 1782 goto fail2; 1783 } 1784 1785 return 0; 1786 1787 fail: 1788 error = PTR_ERR(dent); 1789 1790 fail2: 1791 __aafs_profile_rmdir(profile); 1792 1793 return error; 1794 } 1795 1796 static int ns_mkdir_op(struct user_namespace *mnt_userns, struct inode *dir, 1797 struct dentry *dentry, umode_t mode) 1798 { 1799 struct aa_ns *ns, *parent; 1800 /* TODO: improve permission check */ 1801 struct aa_label *label; 1802 int error; 1803 1804 label = begin_current_label_crit_section(); 1805 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); 1806 end_current_label_crit_section(label); 1807 if (error) 1808 return error; 1809 1810 parent = aa_get_ns(dir->i_private); 1811 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1812 1813 /* we have to unlock and then relock to get locking order right 1814 * for pin_fs 1815 */ 1816 inode_unlock(dir); 1817 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1818 mutex_lock_nested(&parent->lock, parent->level); 1819 inode_lock_nested(dir, I_MUTEX_PARENT); 1820 if (error) 1821 goto out; 1822 1823 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1824 NULL, NULL, NULL); 1825 if (error) 1826 goto out_pin; 1827 1828 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1829 dentry); 1830 if (IS_ERR(ns)) { 1831 error = PTR_ERR(ns); 1832 ns = NULL; 1833 } 1834 1835 aa_put_ns(ns); /* list ref remains */ 1836 out_pin: 1837 if (error) 1838 simple_release_fs(&aafs_mnt, &aafs_count); 1839 out: 1840 mutex_unlock(&parent->lock); 1841 aa_put_ns(parent); 1842 1843 return error; 1844 } 1845 1846 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1847 { 1848 struct aa_ns *ns, *parent; 1849 /* TODO: improve permission check */ 1850 struct aa_label *label; 1851 int error; 1852 1853 label = begin_current_label_crit_section(); 1854 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); 1855 end_current_label_crit_section(label); 1856 if (error) 1857 return error; 1858 1859 parent = aa_get_ns(dir->i_private); 1860 /* rmdir calls the generic securityfs functions to remove files 1861 * from the apparmor dir. It is up to the apparmor ns locking 1862 * to avoid races. 1863 */ 1864 inode_unlock(dir); 1865 inode_unlock(dentry->d_inode); 1866 1867 mutex_lock_nested(&parent->lock, parent->level); 1868 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 1869 dentry->d_name.len)); 1870 if (!ns) { 1871 error = -ENOENT; 1872 goto out; 1873 } 1874 AA_BUG(ns_dir(ns) != dentry); 1875 1876 __aa_remove_ns(ns); 1877 aa_put_ns(ns); 1878 1879 out: 1880 mutex_unlock(&parent->lock); 1881 inode_lock_nested(dir, I_MUTEX_PARENT); 1882 inode_lock(dentry->d_inode); 1883 aa_put_ns(parent); 1884 1885 return error; 1886 } 1887 1888 static const struct inode_operations ns_dir_inode_operations = { 1889 .lookup = simple_lookup, 1890 .mkdir = ns_mkdir_op, 1891 .rmdir = ns_rmdir_op, 1892 }; 1893 1894 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1895 { 1896 struct aa_loaddata *ent, *tmp; 1897 1898 AA_BUG(!mutex_is_locked(&ns->lock)); 1899 1900 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1901 __aa_fs_remove_rawdata(ent); 1902 } 1903 1904 /* 1905 * 1906 * Requires: @ns->lock held 1907 */ 1908 void __aafs_ns_rmdir(struct aa_ns *ns) 1909 { 1910 struct aa_ns *sub; 1911 struct aa_profile *child; 1912 int i; 1913 1914 if (!ns) 1915 return; 1916 AA_BUG(!mutex_is_locked(&ns->lock)); 1917 1918 list_for_each_entry(child, &ns->base.profiles, base.list) 1919 __aafs_profile_rmdir(child); 1920 1921 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1922 mutex_lock_nested(&sub->lock, sub->level); 1923 __aafs_ns_rmdir(sub); 1924 mutex_unlock(&sub->lock); 1925 } 1926 1927 __aa_fs_list_remove_rawdata(ns); 1928 1929 if (ns_subns_dir(ns)) { 1930 sub = d_inode(ns_subns_dir(ns))->i_private; 1931 aa_put_ns(sub); 1932 } 1933 if (ns_subload(ns)) { 1934 sub = d_inode(ns_subload(ns))->i_private; 1935 aa_put_ns(sub); 1936 } 1937 if (ns_subreplace(ns)) { 1938 sub = d_inode(ns_subreplace(ns))->i_private; 1939 aa_put_ns(sub); 1940 } 1941 if (ns_subremove(ns)) { 1942 sub = d_inode(ns_subremove(ns))->i_private; 1943 aa_put_ns(sub); 1944 } 1945 if (ns_subrevision(ns)) { 1946 sub = d_inode(ns_subrevision(ns))->i_private; 1947 aa_put_ns(sub); 1948 } 1949 1950 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1951 aafs_remove(ns->dents[i]); 1952 ns->dents[i] = NULL; 1953 } 1954 } 1955 1956 /* assumes cleanup in caller */ 1957 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 1958 { 1959 struct dentry *dent; 1960 1961 AA_BUG(!ns); 1962 AA_BUG(!dir); 1963 1964 dent = aafs_create_dir("profiles", dir); 1965 if (IS_ERR(dent)) 1966 return PTR_ERR(dent); 1967 ns_subprofs_dir(ns) = dent; 1968 1969 dent = aafs_create_dir("raw_data", dir); 1970 if (IS_ERR(dent)) 1971 return PTR_ERR(dent); 1972 ns_subdata_dir(ns) = dent; 1973 1974 dent = aafs_create_file("revision", 0444, dir, ns, 1975 &aa_fs_ns_revision_fops); 1976 if (IS_ERR(dent)) 1977 return PTR_ERR(dent); 1978 aa_get_ns(ns); 1979 ns_subrevision(ns) = dent; 1980 1981 dent = aafs_create_file(".load", 0640, dir, ns, 1982 &aa_fs_profile_load); 1983 if (IS_ERR(dent)) 1984 return PTR_ERR(dent); 1985 aa_get_ns(ns); 1986 ns_subload(ns) = dent; 1987 1988 dent = aafs_create_file(".replace", 0640, dir, ns, 1989 &aa_fs_profile_replace); 1990 if (IS_ERR(dent)) 1991 return PTR_ERR(dent); 1992 aa_get_ns(ns); 1993 ns_subreplace(ns) = dent; 1994 1995 dent = aafs_create_file(".remove", 0640, dir, ns, 1996 &aa_fs_profile_remove); 1997 if (IS_ERR(dent)) 1998 return PTR_ERR(dent); 1999 aa_get_ns(ns); 2000 ns_subremove(ns) = dent; 2001 2002 /* use create_dentry so we can supply private data */ 2003 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL, 2004 &ns_dir_inode_operations); 2005 if (IS_ERR(dent)) 2006 return PTR_ERR(dent); 2007 aa_get_ns(ns); 2008 ns_subns_dir(ns) = dent; 2009 2010 return 0; 2011 } 2012 2013 /* 2014 * Requires: @ns->lock held 2015 */ 2016 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 2017 struct dentry *dent) 2018 { 2019 struct aa_ns *sub; 2020 struct aa_profile *child; 2021 struct dentry *dir; 2022 int error; 2023 2024 AA_BUG(!ns); 2025 AA_BUG(!parent); 2026 AA_BUG(!mutex_is_locked(&ns->lock)); 2027 2028 if (!name) 2029 name = ns->base.name; 2030 2031 if (!dent) { 2032 /* create ns dir if it doesn't already exist */ 2033 dent = aafs_create_dir(name, parent); 2034 if (IS_ERR(dent)) 2035 goto fail; 2036 } else 2037 dget(dent); 2038 ns_dir(ns) = dir = dent; 2039 error = __aafs_ns_mkdir_entries(ns, dir); 2040 if (error) 2041 goto fail2; 2042 2043 /* profiles */ 2044 list_for_each_entry(child, &ns->base.profiles, base.list) { 2045 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 2046 if (error) 2047 goto fail2; 2048 } 2049 2050 /* subnamespaces */ 2051 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2052 mutex_lock_nested(&sub->lock, sub->level); 2053 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 2054 mutex_unlock(&sub->lock); 2055 if (error) 2056 goto fail2; 2057 } 2058 2059 return 0; 2060 2061 fail: 2062 error = PTR_ERR(dent); 2063 2064 fail2: 2065 __aafs_ns_rmdir(ns); 2066 2067 return error; 2068 } 2069 2070 /** 2071 * __next_ns - find the next namespace to list 2072 * @root: root namespace to stop search at (NOT NULL) 2073 * @ns: current ns position (NOT NULL) 2074 * 2075 * Find the next namespace from @ns under @root and handle all locking needed 2076 * while switching current namespace. 2077 * 2078 * Returns: next namespace or NULL if at last namespace under @root 2079 * Requires: ns->parent->lock to be held 2080 * NOTE: will not unlock root->lock 2081 */ 2082 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 2083 { 2084 struct aa_ns *parent, *next; 2085 2086 AA_BUG(!root); 2087 AA_BUG(!ns); 2088 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 2089 2090 /* is next namespace a child */ 2091 if (!list_empty(&ns->sub_ns)) { 2092 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 2093 mutex_lock_nested(&next->lock, next->level); 2094 return next; 2095 } 2096 2097 /* check if the next ns is a sibling, parent, gp, .. */ 2098 parent = ns->parent; 2099 while (ns != root) { 2100 mutex_unlock(&ns->lock); 2101 next = list_next_entry(ns, base.list); 2102 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 2103 mutex_lock_nested(&next->lock, next->level); 2104 return next; 2105 } 2106 ns = parent; 2107 parent = parent->parent; 2108 } 2109 2110 return NULL; 2111 } 2112 2113 /** 2114 * __first_profile - find the first profile in a namespace 2115 * @root: namespace that is root of profiles being displayed (NOT NULL) 2116 * @ns: namespace to start in (NOT NULL) 2117 * 2118 * Returns: unrefcounted profile or NULL if no profile 2119 * Requires: profile->ns.lock to be held 2120 */ 2121 static struct aa_profile *__first_profile(struct aa_ns *root, 2122 struct aa_ns *ns) 2123 { 2124 AA_BUG(!root); 2125 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2126 2127 for (; ns; ns = __next_ns(root, ns)) { 2128 if (!list_empty(&ns->base.profiles)) 2129 return list_first_entry(&ns->base.profiles, 2130 struct aa_profile, base.list); 2131 } 2132 return NULL; 2133 } 2134 2135 /** 2136 * __next_profile - step to the next profile in a profile tree 2137 * @p: current profile in tree (NOT NULL) 2138 * 2139 * Perform a depth first traversal on the profile tree in a namespace 2140 * 2141 * Returns: next profile or NULL if done 2142 * Requires: profile->ns.lock to be held 2143 */ 2144 static struct aa_profile *__next_profile(struct aa_profile *p) 2145 { 2146 struct aa_profile *parent; 2147 struct aa_ns *ns = p->ns; 2148 2149 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2150 2151 /* is next profile a child */ 2152 if (!list_empty(&p->base.profiles)) 2153 return list_first_entry(&p->base.profiles, typeof(*p), 2154 base.list); 2155 2156 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2157 parent = rcu_dereference_protected(p->parent, 2158 mutex_is_locked(&p->ns->lock)); 2159 while (parent) { 2160 p = list_next_entry(p, base.list); 2161 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2162 return p; 2163 p = parent; 2164 parent = rcu_dereference_protected(parent->parent, 2165 mutex_is_locked(&parent->ns->lock)); 2166 } 2167 2168 /* is next another profile in the namespace */ 2169 p = list_next_entry(p, base.list); 2170 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2171 return p; 2172 2173 return NULL; 2174 } 2175 2176 /** 2177 * next_profile - step to the next profile in where ever it may be 2178 * @root: root namespace (NOT NULL) 2179 * @profile: current profile (NOT NULL) 2180 * 2181 * Returns: next profile or NULL if there isn't one 2182 */ 2183 static struct aa_profile *next_profile(struct aa_ns *root, 2184 struct aa_profile *profile) 2185 { 2186 struct aa_profile *next = __next_profile(profile); 2187 if (next) 2188 return next; 2189 2190 /* finished all profiles in namespace move to next namespace */ 2191 return __first_profile(root, __next_ns(root, profile->ns)); 2192 } 2193 2194 /** 2195 * p_start - start a depth first traversal of profile tree 2196 * @f: seq_file to fill 2197 * @pos: current position 2198 * 2199 * Returns: first profile under current namespace or NULL if none found 2200 * 2201 * acquires first ns->lock 2202 */ 2203 static void *p_start(struct seq_file *f, loff_t *pos) 2204 { 2205 struct aa_profile *profile = NULL; 2206 struct aa_ns *root = aa_get_current_ns(); 2207 loff_t l = *pos; 2208 f->private = root; 2209 2210 /* find the first profile */ 2211 mutex_lock_nested(&root->lock, root->level); 2212 profile = __first_profile(root, root); 2213 2214 /* skip to position */ 2215 for (; profile && l > 0; l--) 2216 profile = next_profile(root, profile); 2217 2218 return profile; 2219 } 2220 2221 /** 2222 * p_next - read the next profile entry 2223 * @f: seq_file to fill 2224 * @p: profile previously returned 2225 * @pos: current position 2226 * 2227 * Returns: next profile after @p or NULL if none 2228 * 2229 * may acquire/release locks in namespace tree as necessary 2230 */ 2231 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2232 { 2233 struct aa_profile *profile = p; 2234 struct aa_ns *ns = f->private; 2235 (*pos)++; 2236 2237 return next_profile(ns, profile); 2238 } 2239 2240 /** 2241 * p_stop - stop depth first traversal 2242 * @f: seq_file we are filling 2243 * @p: the last profile writen 2244 * 2245 * Release all locking done by p_start/p_next on namespace tree 2246 */ 2247 static void p_stop(struct seq_file *f, void *p) 2248 { 2249 struct aa_profile *profile = p; 2250 struct aa_ns *root = f->private, *ns; 2251 2252 if (profile) { 2253 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2254 mutex_unlock(&ns->lock); 2255 } 2256 mutex_unlock(&root->lock); 2257 aa_put_ns(root); 2258 } 2259 2260 /** 2261 * seq_show_profile - show a profile entry 2262 * @f: seq_file to file 2263 * @p: current position (profile) (NOT NULL) 2264 * 2265 * Returns: error on failure 2266 */ 2267 static int seq_show_profile(struct seq_file *f, void *p) 2268 { 2269 struct aa_profile *profile = (struct aa_profile *)p; 2270 struct aa_ns *root = f->private; 2271 2272 aa_label_seq_xprint(f, root, &profile->label, 2273 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2274 seq_putc(f, '\n'); 2275 2276 return 0; 2277 } 2278 2279 static const struct seq_operations aa_sfs_profiles_op = { 2280 .start = p_start, 2281 .next = p_next, 2282 .stop = p_stop, 2283 .show = seq_show_profile, 2284 }; 2285 2286 static int profiles_open(struct inode *inode, struct file *file) 2287 { 2288 if (!aa_current_policy_view_capable(NULL)) 2289 return -EACCES; 2290 2291 return seq_open(file, &aa_sfs_profiles_op); 2292 } 2293 2294 static int profiles_release(struct inode *inode, struct file *file) 2295 { 2296 return seq_release(inode, file); 2297 } 2298 2299 static const struct file_operations aa_sfs_profiles_fops = { 2300 .open = profiles_open, 2301 .read = seq_read, 2302 .llseek = seq_lseek, 2303 .release = profiles_release, 2304 }; 2305 2306 2307 /** Base file system setup **/ 2308 static struct aa_sfs_entry aa_sfs_entry_file[] = { 2309 AA_SFS_FILE_STRING("mask", 2310 "create read write exec append mmap_exec link lock"), 2311 { } 2312 }; 2313 2314 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = { 2315 AA_SFS_FILE_STRING("mask", "read trace"), 2316 { } 2317 }; 2318 2319 static struct aa_sfs_entry aa_sfs_entry_signal[] = { 2320 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK), 2321 { } 2322 }; 2323 2324 static struct aa_sfs_entry aa_sfs_entry_attach[] = { 2325 AA_SFS_FILE_BOOLEAN("xattr", 1), 2326 { } 2327 }; 2328 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2329 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2330 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2331 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2332 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2333 AA_SFS_FILE_BOOLEAN("stack", 1), 2334 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 2335 AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1), 2336 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2337 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2338 AA_SFS_FILE_STRING("version", "1.2"), 2339 { } 2340 }; 2341 2342 static struct aa_sfs_entry aa_sfs_entry_versions[] = { 2343 AA_SFS_FILE_BOOLEAN("v5", 1), 2344 AA_SFS_FILE_BOOLEAN("v6", 1), 2345 AA_SFS_FILE_BOOLEAN("v7", 1), 2346 AA_SFS_FILE_BOOLEAN("v8", 1), 2347 AA_SFS_FILE_BOOLEAN("v9", 1), 2348 { } 2349 }; 2350 2351 static struct aa_sfs_entry aa_sfs_entry_policy[] = { 2352 AA_SFS_DIR("versions", aa_sfs_entry_versions), 2353 AA_SFS_FILE_BOOLEAN("set_load", 1), 2354 /* number of out of band transitions supported */ 2355 AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED), 2356 { } 2357 }; 2358 2359 static struct aa_sfs_entry aa_sfs_entry_mount[] = { 2360 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), 2361 { } 2362 }; 2363 2364 static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2365 AA_SFS_FILE_BOOLEAN("profile", 1), 2366 AA_SFS_FILE_BOOLEAN("pivot_root", 0), 2367 { } 2368 }; 2369 2370 static struct aa_sfs_entry aa_sfs_entry_query_label[] = { 2371 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"), 2372 AA_SFS_FILE_BOOLEAN("data", 1), 2373 AA_SFS_FILE_BOOLEAN("multi_transaction", 1), 2374 { } 2375 }; 2376 2377 static struct aa_sfs_entry aa_sfs_entry_query[] = { 2378 AA_SFS_DIR("label", aa_sfs_entry_query_label), 2379 { } 2380 }; 2381 static struct aa_sfs_entry aa_sfs_entry_features[] = { 2382 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2383 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2384 AA_SFS_DIR("file", aa_sfs_entry_file), 2385 AA_SFS_DIR("network_v8", aa_sfs_entry_network), 2386 AA_SFS_DIR("mount", aa_sfs_entry_mount), 2387 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2388 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2389 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2390 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2391 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2392 AA_SFS_DIR("signal", aa_sfs_entry_signal), 2393 AA_SFS_DIR("query", aa_sfs_entry_query), 2394 { } 2395 }; 2396 2397 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2398 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access), 2399 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2400 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2401 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops), 2402 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops), 2403 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops), 2404 AA_SFS_FILE_FOPS("raw_data_compression_level_min", 0444, &seq_ns_compress_min_fops), 2405 AA_SFS_FILE_FOPS("raw_data_compression_level_max", 0444, &seq_ns_compress_max_fops), 2406 AA_SFS_DIR("features", aa_sfs_entry_features), 2407 { } 2408 }; 2409 2410 static struct aa_sfs_entry aa_sfs_entry = 2411 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); 2412 2413 /** 2414 * entry_create_file - create a file entry in the apparmor securityfs 2415 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) 2416 * @parent: the parent dentry in the securityfs 2417 * 2418 * Use entry_remove_file to remove entries created with this fn. 2419 */ 2420 static int __init entry_create_file(struct aa_sfs_entry *fs_file, 2421 struct dentry *parent) 2422 { 2423 int error = 0; 2424 2425 fs_file->dentry = securityfs_create_file(fs_file->name, 2426 S_IFREG | fs_file->mode, 2427 parent, fs_file, 2428 fs_file->file_ops); 2429 if (IS_ERR(fs_file->dentry)) { 2430 error = PTR_ERR(fs_file->dentry); 2431 fs_file->dentry = NULL; 2432 } 2433 return error; 2434 } 2435 2436 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); 2437 /** 2438 * entry_create_dir - recursively create a directory entry in the securityfs 2439 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) 2440 * @parent: the parent dentry in the securityfs 2441 * 2442 * Use entry_remove_dir to remove entries created with this fn. 2443 */ 2444 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 2445 struct dentry *parent) 2446 { 2447 struct aa_sfs_entry *fs_file; 2448 struct dentry *dir; 2449 int error; 2450 2451 dir = securityfs_create_dir(fs_dir->name, parent); 2452 if (IS_ERR(dir)) 2453 return PTR_ERR(dir); 2454 fs_dir->dentry = dir; 2455 2456 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2457 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2458 error = entry_create_dir(fs_file, fs_dir->dentry); 2459 else 2460 error = entry_create_file(fs_file, fs_dir->dentry); 2461 if (error) 2462 goto failed; 2463 } 2464 2465 return 0; 2466 2467 failed: 2468 entry_remove_dir(fs_dir); 2469 2470 return error; 2471 } 2472 2473 /** 2474 * entry_remove_file - drop a single file entry in the apparmor securityfs 2475 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) 2476 */ 2477 static void __init entry_remove_file(struct aa_sfs_entry *fs_file) 2478 { 2479 if (!fs_file->dentry) 2480 return; 2481 2482 securityfs_remove(fs_file->dentry); 2483 fs_file->dentry = NULL; 2484 } 2485 2486 /** 2487 * entry_remove_dir - recursively drop a directory entry from the securityfs 2488 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) 2489 */ 2490 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) 2491 { 2492 struct aa_sfs_entry *fs_file; 2493 2494 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2495 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2496 entry_remove_dir(fs_file); 2497 else 2498 entry_remove_file(fs_file); 2499 } 2500 2501 entry_remove_file(fs_dir); 2502 } 2503 2504 /** 2505 * aa_destroy_aafs - cleanup and free aafs 2506 * 2507 * releases dentries allocated by aa_create_aafs 2508 */ 2509 void __init aa_destroy_aafs(void) 2510 { 2511 entry_remove_dir(&aa_sfs_entry); 2512 } 2513 2514 2515 #define NULL_FILE_NAME ".null" 2516 struct path aa_null; 2517 2518 static int aa_mk_null_file(struct dentry *parent) 2519 { 2520 struct vfsmount *mount = NULL; 2521 struct dentry *dentry; 2522 struct inode *inode; 2523 int count = 0; 2524 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 2525 2526 if (error) 2527 return error; 2528 2529 inode_lock(d_inode(parent)); 2530 dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME)); 2531 if (IS_ERR(dentry)) { 2532 error = PTR_ERR(dentry); 2533 goto out; 2534 } 2535 inode = new_inode(parent->d_inode->i_sb); 2536 if (!inode) { 2537 error = -ENOMEM; 2538 goto out1; 2539 } 2540 2541 inode->i_ino = get_next_ino(); 2542 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 2543 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); 2544 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 2545 MKDEV(MEM_MAJOR, 3)); 2546 d_instantiate(dentry, inode); 2547 aa_null.dentry = dget(dentry); 2548 aa_null.mnt = mntget(mount); 2549 2550 error = 0; 2551 2552 out1: 2553 dput(dentry); 2554 out: 2555 inode_unlock(d_inode(parent)); 2556 simple_release_fs(&mount, &count); 2557 return error; 2558 } 2559 2560 2561 2562 static const char *policy_get_link(struct dentry *dentry, 2563 struct inode *inode, 2564 struct delayed_call *done) 2565 { 2566 struct aa_ns *ns; 2567 struct path path; 2568 int error; 2569 2570 if (!dentry) 2571 return ERR_PTR(-ECHILD); 2572 2573 ns = aa_get_current_ns(); 2574 path.mnt = mntget(aafs_mnt); 2575 path.dentry = dget(ns_dir(ns)); 2576 error = nd_jump_link(&path); 2577 aa_put_ns(ns); 2578 2579 return ERR_PTR(error); 2580 } 2581 2582 static int policy_readlink(struct dentry *dentry, char __user *buffer, 2583 int buflen) 2584 { 2585 char name[32]; 2586 int res; 2587 2588 res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME, 2589 d_inode(dentry)->i_ino); 2590 if (res > 0 && res < sizeof(name)) 2591 res = readlink_copy(buffer, buflen, name); 2592 else 2593 res = -ENOENT; 2594 2595 return res; 2596 } 2597 2598 static const struct inode_operations policy_link_iops = { 2599 .readlink = policy_readlink, 2600 .get_link = policy_get_link, 2601 }; 2602 2603 2604 /** 2605 * aa_create_aafs - create the apparmor security filesystem 2606 * 2607 * dentries created here are released by aa_destroy_aafs 2608 * 2609 * Returns: error on failure 2610 */ 2611 static int __init aa_create_aafs(void) 2612 { 2613 struct dentry *dent; 2614 int error; 2615 2616 if (!apparmor_initialized) 2617 return 0; 2618 2619 if (aa_sfs_entry.dentry) { 2620 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 2621 return -EEXIST; 2622 } 2623 2624 /* setup apparmorfs used to virtualize policy/ */ 2625 aafs_mnt = kern_mount(&aafs_ops); 2626 if (IS_ERR(aafs_mnt)) 2627 panic("can't set apparmorfs up\n"); 2628 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; 2629 2630 /* Populate fs tree. */ 2631 error = entry_create_dir(&aa_sfs_entry, NULL); 2632 if (error) 2633 goto error; 2634 2635 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, 2636 NULL, &aa_fs_profile_load); 2637 if (IS_ERR(dent)) 2638 goto dent_error; 2639 ns_subload(root_ns) = dent; 2640 2641 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, 2642 NULL, &aa_fs_profile_replace); 2643 if (IS_ERR(dent)) 2644 goto dent_error; 2645 ns_subreplace(root_ns) = dent; 2646 2647 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, 2648 NULL, &aa_fs_profile_remove); 2649 if (IS_ERR(dent)) 2650 goto dent_error; 2651 ns_subremove(root_ns) = dent; 2652 2653 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, 2654 NULL, &aa_fs_ns_revision_fops); 2655 if (IS_ERR(dent)) 2656 goto dent_error; 2657 ns_subrevision(root_ns) = dent; 2658 2659 /* policy tree referenced by magic policy symlink */ 2660 mutex_lock_nested(&root_ns->lock, root_ns->level); 2661 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", 2662 aafs_mnt->mnt_root); 2663 mutex_unlock(&root_ns->lock); 2664 if (error) 2665 goto error; 2666 2667 /* magic symlink similar to nsfs redirects based on task policy */ 2668 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry, 2669 NULL, &policy_link_iops); 2670 if (IS_ERR(dent)) 2671 goto dent_error; 2672 2673 error = aa_mk_null_file(aa_sfs_entry.dentry); 2674 if (error) 2675 goto error; 2676 2677 /* TODO: add default profile to apparmorfs */ 2678 2679 /* Report that AppArmor fs is enabled */ 2680 aa_info_message("AppArmor Filesystem Enabled"); 2681 return 0; 2682 2683 dent_error: 2684 error = PTR_ERR(dent); 2685 error: 2686 aa_destroy_aafs(); 2687 AA_ERROR("Error creating AppArmor securityfs\n"); 2688 return error; 2689 } 2690 2691 fs_initcall(aa_create_aafs); 2692