1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/security.h> 13 #include <linux/vmalloc.h> 14 #include <linux/init.h> 15 #include <linux/seq_file.h> 16 #include <linux/uaccess.h> 17 #include <linux/mount.h> 18 #include <linux/namei.h> 19 #include <linux/capability.h> 20 #include <linux/rcupdate.h> 21 #include <linux/fs.h> 22 #include <linux/fs_context.h> 23 #include <linux/poll.h> 24 #include <linux/zstd.h> 25 #include <uapi/linux/major.h> 26 #include <uapi/linux/magic.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/cred.h" 32 #include "include/crypto.h" 33 #include "include/ipc.h" 34 #include "include/label.h" 35 #include "include/lib.h" 36 #include "include/policy.h" 37 #include "include/policy_ns.h" 38 #include "include/resource.h" 39 #include "include/policy_unpack.h" 40 #include "include/task.h" 41 42 /* 43 * The apparmor filesystem interface used for policy load and introspection 44 * The interface is split into two main components based on their function 45 * a securityfs component: 46 * used for static files that are always available, and which allows 47 * userspace to specify the location of the security filesystem. 48 * 49 * fns and data are prefixed with 50 * aa_sfs_ 51 * 52 * an apparmorfs component: 53 * used loaded policy content and introspection. It is not part of a 54 * regular mounted filesystem and is available only through the magic 55 * policy symlink in the root of the securityfs apparmor/ directory. 56 * Tasks queries will be magically redirected to the correct portion 57 * of the policy tree based on their confinement. 58 * 59 * fns and data are prefixed with 60 * aafs_ 61 * 62 * The aa_fs_ prefix is used to indicate the fn is used by both the 63 * securityfs and apparmorfs filesystems. 64 */ 65 66 #define IREF_POISON 101 67 68 /* 69 * support fns 70 */ 71 72 struct rawdata_f_data { 73 struct aa_loaddata *loaddata; 74 }; 75 76 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 77 #define RAWDATA_F_DATA_BUF(p) (char *)(p + 1) 78 79 static void rawdata_f_data_free(struct rawdata_f_data *private) 80 { 81 if (!private) 82 return; 83 84 aa_put_i_loaddata(private->loaddata); 85 kvfree(private); 86 } 87 88 static struct rawdata_f_data *rawdata_f_data_alloc(size_t size) 89 { 90 struct rawdata_f_data *ret; 91 92 if (size > SIZE_MAX - sizeof(*ret)) 93 return ERR_PTR(-EINVAL); 94 95 ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); 96 if (!ret) 97 return ERR_PTR(-ENOMEM); 98 99 return ret; 100 } 101 #endif 102 103 /** 104 * mangle_name - mangle a profile name to std profile layout form 105 * @name: profile name to mangle (NOT NULL) 106 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 107 * 108 * Returns: length of mangled name 109 */ 110 static int mangle_name(const char *name, char *target) 111 { 112 char *t = target; 113 114 while (*name == '/' || *name == '.') 115 name++; 116 117 if (target) { 118 for (; *name; name++) { 119 if (*name == '/') 120 *(t)++ = '.'; 121 else if (isspace(*name)) 122 *(t)++ = '_'; 123 else if (isalnum(*name) || strchr("._-", *name)) 124 *(t)++ = *name; 125 } 126 127 *t = 0; 128 } else { 129 int len = 0; 130 for (; *name; name++) { 131 if (isalnum(*name) || isspace(*name) || 132 strchr("/._-", *name)) 133 len++; 134 } 135 136 return len; 137 } 138 139 return t - target; 140 } 141 142 143 /* 144 * aafs - core fns and data for the policy tree 145 */ 146 147 #define AAFS_NAME "apparmorfs" 148 static struct vfsmount *aafs_mnt; 149 static int aafs_count; 150 151 152 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 153 { 154 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); 155 return 0; 156 } 157 158 static struct aa_ns *get_ns_common_ref(struct aa_common_ref *ref) 159 { 160 if (ref) { 161 struct aa_label *reflabel = container_of(ref, struct aa_label, 162 count); 163 return aa_get_ns(labels_ns(reflabel)); 164 } 165 166 return NULL; 167 } 168 169 static struct aa_proxy *get_proxy_common_ref(struct aa_common_ref *ref) 170 { 171 if (ref) 172 return aa_get_proxy(container_of(ref, struct aa_proxy, count)); 173 174 return NULL; 175 } 176 177 static struct aa_loaddata *get_loaddata_common_ref(struct aa_common_ref *ref) 178 { 179 if (ref) 180 return aa_get_i_loaddata(container_of(ref, struct aa_loaddata, 181 count)); 182 return NULL; 183 } 184 185 static void aa_put_common_ref(struct aa_common_ref *ref) 186 { 187 if (!ref) 188 return; 189 190 switch (ref->reftype) { 191 case REF_RAWDATA: 192 aa_put_i_loaddata(container_of(ref, struct aa_loaddata, 193 count)); 194 break; 195 case REF_PROXY: 196 aa_put_proxy(container_of(ref, struct aa_proxy, 197 count)); 198 break; 199 case REF_NS: 200 /* ns count is held on its unconfined label */ 201 aa_put_ns(labels_ns(container_of(ref, struct aa_label, count))); 202 break; 203 default: 204 AA_BUG(true, "unknown refcount type"); 205 break; 206 } 207 } 208 209 static void aa_get_common_ref(struct aa_common_ref *ref) 210 { 211 kref_get(&ref->count); 212 } 213 214 static void aafs_evict(struct inode *inode) 215 { 216 struct aa_common_ref *ref = inode->i_private; 217 218 clear_inode(inode); 219 aa_put_common_ref(ref); 220 inode->i_private = (void *) IREF_POISON; 221 } 222 223 static void aafs_free_inode(struct inode *inode) 224 { 225 if (S_ISLNK(inode->i_mode)) 226 kfree(inode->i_link); 227 free_inode_nonrcu(inode); 228 } 229 230 static const struct super_operations aafs_super_ops = { 231 .statfs = simple_statfs, 232 .evict_inode = aafs_evict, 233 .free_inode = aafs_free_inode, 234 .show_path = aafs_show_path, 235 }; 236 237 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) 238 { 239 static struct tree_descr files[] = { {""} }; 240 int error; 241 242 error = simple_fill_super(sb, AAFS_MAGIC, files); 243 if (error) 244 return error; 245 sb->s_op = &aafs_super_ops; 246 247 return 0; 248 } 249 250 static int apparmorfs_get_tree(struct fs_context *fc) 251 { 252 return get_tree_single(fc, apparmorfs_fill_super); 253 } 254 255 static const struct fs_context_operations apparmorfs_context_ops = { 256 .get_tree = apparmorfs_get_tree, 257 }; 258 259 static int apparmorfs_init_fs_context(struct fs_context *fc) 260 { 261 fc->ops = &apparmorfs_context_ops; 262 return 0; 263 } 264 265 static struct file_system_type aafs_ops = { 266 .owner = THIS_MODULE, 267 .name = AAFS_NAME, 268 .init_fs_context = apparmorfs_init_fs_context, 269 .kill_sb = kill_anon_super, 270 }; 271 272 /** 273 * __aafs_setup_d_inode - basic inode setup for apparmorfs 274 * @dir: parent directory for the dentry 275 * @dentry: dentry we are setting the inode up for 276 * @mode: permissions the file should have 277 * @data: data to store on inode.i_private, available in open() 278 * @link: if symlink, symlink target string 279 * @fops: struct file_operations that should be used 280 * @iops: struct of inode_operations that should be used 281 */ 282 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, 283 umode_t mode, void *data, char *link, 284 const struct file_operations *fops, 285 const struct inode_operations *iops) 286 { 287 struct inode *inode = new_inode(dir->i_sb); 288 289 AA_BUG(!dir); 290 AA_BUG(!dentry); 291 292 if (!inode) 293 return -ENOMEM; 294 295 inode->i_ino = get_next_ino(); 296 inode->i_mode = mode; 297 simple_inode_init_ts(inode); 298 inode->i_private = data; 299 if (S_ISDIR(mode)) { 300 inode->i_op = iops ? iops : &simple_dir_inode_operations; 301 inode->i_fop = &simple_dir_operations; 302 inc_nlink(inode); 303 inc_nlink(dir); 304 } else if (S_ISLNK(mode)) { 305 inode->i_op = iops ? iops : &simple_symlink_inode_operations; 306 inode->i_link = link; 307 } else { 308 inode->i_fop = fops; 309 } 310 d_instantiate(dentry, inode); 311 dget(dentry); 312 313 return 0; 314 } 315 316 /** 317 * aafs_create - create a dentry in the apparmorfs filesystem 318 * 319 * @name: name of dentry to create 320 * @mode: permissions the file should have 321 * @parent: parent directory for this dentry 322 * @data: data to store on inode.i_private, available in open() 323 * @link: if symlink, symlink target string 324 * @fops: struct file_operations that should be used for 325 * @iops: struct of inode_operations that should be used 326 * 327 * This is the basic "create a xxx" function for apparmorfs. 328 * 329 * Returns a pointer to a dentry if it succeeds, that must be free with 330 * aafs_remove(). Will return ERR_PTR on failure. 331 */ 332 static struct dentry *aafs_create(const char *name, umode_t mode, 333 struct dentry *parent, 334 struct aa_common_ref *data, void *link, 335 const struct file_operations *fops, 336 const struct inode_operations *iops) 337 { 338 struct dentry *dentry; 339 struct inode *dir; 340 int error; 341 342 AA_BUG(!name); 343 AA_BUG(!parent); 344 345 if (!(mode & S_IFMT)) 346 mode = (mode & S_IALLUGO) | S_IFREG; 347 348 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 349 if (error) 350 return ERR_PTR(error); 351 352 dir = d_inode(parent); 353 354 inode_lock(dir); 355 dentry = lookup_noperm(&QSTR(name), parent); 356 if (IS_ERR(dentry)) { 357 error = PTR_ERR(dentry); 358 goto fail_lock; 359 } 360 361 if (d_really_is_positive(dentry)) { 362 error = -EEXIST; 363 goto fail_dentry; 364 } 365 366 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); 367 if (error) 368 goto fail_dentry; 369 inode_unlock(dir); 370 371 if (data) 372 aa_get_common_ref(data); 373 374 return dentry; 375 376 fail_dentry: 377 dput(dentry); 378 379 fail_lock: 380 inode_unlock(dir); 381 simple_release_fs(&aafs_mnt, &aafs_count); 382 383 return ERR_PTR(error); 384 } 385 386 /** 387 * aafs_create_file - create a file in the apparmorfs filesystem 388 * 389 * @name: name of dentry to create 390 * @mode: permissions the file should have 391 * @parent: parent directory for this dentry 392 * @data: data to store on inode.i_private, available in open() 393 * @fops: struct file_operations that should be used for 394 * 395 * see aafs_create 396 */ 397 static struct dentry *aafs_create_file(const char *name, umode_t mode, 398 struct dentry *parent, 399 struct aa_common_ref *data, 400 const struct file_operations *fops) 401 { 402 return aafs_create(name, mode, parent, data, NULL, fops, NULL); 403 } 404 405 /** 406 * aafs_create_dir - create a directory in the apparmorfs filesystem 407 * 408 * @name: name of dentry to create 409 * @parent: parent directory for this dentry 410 * 411 * see aafs_create 412 */ 413 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) 414 { 415 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, 416 NULL); 417 } 418 419 /** 420 * aafs_remove - removes a file or directory from the apparmorfs filesystem 421 * 422 * @dentry: dentry of the file/directory/symlink to removed. 423 */ 424 static void aafs_remove(struct dentry *dentry) 425 { 426 struct inode *dir; 427 428 if (!dentry || IS_ERR(dentry)) 429 return; 430 431 /* ->d_parent is stable as rename is not supported */ 432 dir = d_inode(dentry->d_parent); 433 dentry = start_removing_dentry(dentry->d_parent, dentry); 434 if (!IS_ERR(dentry) && simple_positive(dentry)) { 435 if (d_is_dir(dentry)) { 436 if (!WARN_ON(!simple_empty(dentry))) { 437 __simple_rmdir(dir, dentry); 438 dput(dentry); 439 } 440 } else { 441 __simple_unlink(dir, dentry); 442 dput(dentry); 443 } 444 d_delete(dentry); 445 } 446 end_removing(dentry); 447 simple_release_fs(&aafs_mnt, &aafs_count); 448 } 449 450 451 /* 452 * aa_fs - policy load/replace/remove 453 */ 454 455 /** 456 * aa_simple_write_to_buffer - common routine for getting policy from user 457 * @userbuf: user buffer to copy data from (NOT NULL) 458 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 459 * @copy_size: size of data to copy from user buffer 460 * @pos: position write is at in the file (NOT NULL) 461 * 462 * Returns: kernel buffer containing copy of user buffer data or an 463 * ERR_PTR on failure. 464 */ 465 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 466 size_t alloc_size, 467 size_t copy_size, 468 loff_t *pos) 469 { 470 struct aa_loaddata *data; 471 472 AA_BUG(copy_size > alloc_size); 473 474 if (*pos != 0) 475 /* only writes from pos 0, that is complete writes */ 476 return ERR_PTR(-ESPIPE); 477 478 /* freed by caller to simple_write_to_buffer */ 479 data = aa_loaddata_alloc(alloc_size); 480 if (IS_ERR(data)) 481 return data; 482 483 data->size = copy_size; 484 if (copy_from_user(data->data, userbuf, copy_size)) { 485 /* trigger free - don't need to put pcount */ 486 aa_put_i_loaddata(data); 487 return ERR_PTR(-EFAULT); 488 } 489 490 return data; 491 } 492 493 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, 494 loff_t *pos, struct aa_ns *ns, 495 const struct cred *ocred) 496 { 497 struct aa_loaddata *data; 498 struct aa_label *label; 499 ssize_t error; 500 501 label = begin_current_label_crit_section(); 502 503 /* high level check about policy management - fine grained in 504 * below after unpack 505 */ 506 error = aa_may_manage_policy(current_cred(), label, ns, ocred, mask); 507 if (error) 508 goto end_section; 509 510 data = aa_simple_write_to_buffer(buf, size, size, pos); 511 error = PTR_ERR(data); 512 if (!IS_ERR(data)) { 513 error = aa_replace_profiles(ns, label, mask, data); 514 /* put pcount, which will put count and free if no 515 * profiles referencing it. 516 */ 517 aa_put_profile_loaddata(data); 518 } 519 end_section: 520 end_current_label_crit_section(label); 521 522 return error; 523 } 524 525 /* .load file hook fn to load policy */ 526 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 527 loff_t *pos) 528 { 529 struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); 530 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns, 531 f->f_cred); 532 533 aa_put_ns(ns); 534 535 return error; 536 } 537 538 static const struct file_operations aa_fs_profile_load = { 539 .write = profile_load, 540 .llseek = default_llseek, 541 }; 542 543 /* .replace file hook fn to load and/or replace policy */ 544 static ssize_t profile_replace(struct file *f, const char __user *buf, 545 size_t size, loff_t *pos) 546 { 547 struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); 548 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, 549 buf, size, pos, ns, f->f_cred); 550 aa_put_ns(ns); 551 552 return error; 553 } 554 555 static const struct file_operations aa_fs_profile_replace = { 556 .write = profile_replace, 557 .llseek = default_llseek, 558 }; 559 560 /* .remove file hook fn to remove loaded policy */ 561 static ssize_t profile_remove(struct file *f, const char __user *buf, 562 size_t size, loff_t *pos) 563 { 564 struct aa_loaddata *data; 565 struct aa_label *label; 566 ssize_t error; 567 struct aa_ns *ns = get_ns_common_ref(f->f_inode->i_private); 568 569 label = begin_current_label_crit_section(); 570 /* high level check about policy management - fine grained in 571 * below after unpack 572 */ 573 error = aa_may_manage_policy(current_cred(), label, ns, 574 f->f_cred, AA_MAY_REMOVE_POLICY); 575 if (error) 576 goto out; 577 578 /* 579 * aa_remove_profile needs a null terminated string so 1 extra 580 * byte is allocated and the copied data is null terminated. 581 */ 582 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 583 584 error = PTR_ERR(data); 585 if (!IS_ERR(data)) { 586 data->data[size] = 0; 587 error = aa_remove_profiles(ns, label, data->data, size); 588 aa_put_profile_loaddata(data); 589 } 590 out: 591 end_current_label_crit_section(label); 592 aa_put_ns(ns); 593 return error; 594 } 595 596 static const struct file_operations aa_fs_profile_remove = { 597 .write = profile_remove, 598 .llseek = default_llseek, 599 }; 600 601 struct aa_revision { 602 struct aa_ns *ns; 603 long last_read; 604 }; 605 606 /* revision file hook fn for policy loads */ 607 static int ns_revision_release(struct inode *inode, struct file *file) 608 { 609 struct aa_revision *rev = file->private_data; 610 611 if (rev) { 612 aa_put_ns(rev->ns); 613 kfree(rev); 614 } 615 616 return 0; 617 } 618 619 static ssize_t ns_revision_read(struct file *file, char __user *buf, 620 size_t size, loff_t *ppos) 621 { 622 struct aa_revision *rev = file->private_data; 623 char buffer[32]; 624 long last_read; 625 int avail; 626 627 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 628 last_read = rev->last_read; 629 if (last_read == rev->ns->revision) { 630 mutex_unlock(&rev->ns->lock); 631 if (file->f_flags & O_NONBLOCK) 632 return -EAGAIN; 633 if (wait_event_interruptible(rev->ns->wait, 634 last_read != 635 READ_ONCE(rev->ns->revision))) 636 return -ERESTARTSYS; 637 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 638 } 639 640 avail = sprintf(buffer, "%ld\n", rev->ns->revision); 641 if (*ppos + size > avail) { 642 rev->last_read = rev->ns->revision; 643 *ppos = 0; 644 } 645 mutex_unlock(&rev->ns->lock); 646 647 return simple_read_from_buffer(buf, size, ppos, buffer, avail); 648 } 649 650 static int ns_revision_open(struct inode *inode, struct file *file) 651 { 652 struct aa_revision *rev = kzalloc_obj(*rev); 653 654 if (!rev) 655 return -ENOMEM; 656 657 rev->ns = get_ns_common_ref(inode->i_private); 658 if (!rev->ns) 659 rev->ns = aa_get_current_ns(); 660 file->private_data = rev; 661 662 return 0; 663 } 664 665 static __poll_t ns_revision_poll(struct file *file, poll_table *pt) 666 { 667 struct aa_revision *rev = file->private_data; 668 __poll_t mask = 0; 669 670 if (rev) { 671 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 672 poll_wait(file, &rev->ns->wait, pt); 673 if (rev->last_read < rev->ns->revision) 674 mask |= EPOLLIN | EPOLLRDNORM; 675 mutex_unlock(&rev->ns->lock); 676 } 677 678 return mask; 679 } 680 681 void __aa_bump_ns_revision(struct aa_ns *ns) 682 { 683 WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); 684 wake_up_interruptible(&ns->wait); 685 } 686 687 static const struct file_operations aa_fs_ns_revision_fops = { 688 .owner = THIS_MODULE, 689 .open = ns_revision_open, 690 .poll = ns_revision_poll, 691 .read = ns_revision_read, 692 .llseek = generic_file_llseek, 693 .release = ns_revision_release, 694 }; 695 696 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, 697 const char *match_str, size_t match_len) 698 { 699 struct aa_ruleset *rules = profile->label.rules[0]; 700 struct aa_perms tmp = { }; 701 aa_state_t state = DFA_NOMATCH; 702 703 if (profile_unconfined(profile)) 704 return; 705 if (rules->file->dfa && *match_str == AA_CLASS_FILE) { 706 state = aa_dfa_match_len(rules->file->dfa, 707 rules->file->start[AA_CLASS_FILE], 708 match_str + 1, match_len - 1); 709 if (state) { 710 struct path_cond cond = { }; 711 712 tmp = *(aa_lookup_condperms(current_fsuid(), 713 rules->file, state, &cond)); 714 } 715 } else if (rules->policy->dfa) { 716 if (!RULE_MEDIATES(rules, *match_str)) 717 return; /* no change to current perms */ 718 /* old user space does not correctly detect dbus mediation 719 * support so we may get dbus policy and requests when 720 * the abi doesn't support it. This can cause mediation 721 * regressions, so explicitly test for this situation. 722 */ 723 if (*match_str == AA_CLASS_DBUS && 724 !RULE_MEDIATES_v9NET(rules)) 725 return; /* no change to current perms */ 726 state = aa_dfa_match_len(rules->policy->dfa, 727 rules->policy->start[0], 728 match_str, match_len); 729 if (state) 730 tmp = *aa_lookup_perms(rules->policy, state); 731 } 732 aa_apply_modes_to_perms(profile, &tmp); 733 aa_perms_accum_raw(perms, &tmp); 734 } 735 736 737 /** 738 * query_data - queries a policy and writes its data to buf 739 * @buf: the resulting data is stored here (NOT NULL) 740 * @buf_len: size of buf 741 * @query: query string used to retrieve data 742 * @query_len: size of query including second NUL byte 743 * 744 * The buffers pointed to by buf and query may overlap. The query buffer is 745 * parsed before buf is written to. 746 * 747 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 748 * the security confinement context and <KEY> is the name of the data to 749 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 750 * 751 * Don't expect the contents of buf to be preserved on failure. 752 * 753 * Returns: number of characters written to buf or -errno on failure 754 */ 755 static ssize_t query_data(char *buf, size_t buf_len, 756 char *query, size_t query_len) 757 { 758 char *out; 759 const char *key; 760 struct label_it i; 761 struct aa_label *label, *curr; 762 struct aa_profile *profile; 763 struct aa_data *data; 764 u32 bytes, blocks; 765 __le32 outle32; 766 767 if (!query_len) 768 return -EINVAL; /* need a query */ 769 770 key = query + strnlen(query, query_len) + 1; 771 if (key + 1 >= query + query_len) 772 return -EINVAL; /* not enough space for a non-empty key */ 773 if (key + strnlen(key, query + query_len - key) >= query + query_len) 774 return -EINVAL; /* must end with NUL */ 775 776 if (buf_len < sizeof(bytes) + sizeof(blocks)) 777 return -EINVAL; /* not enough space */ 778 779 curr = begin_current_label_crit_section(); 780 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); 781 end_current_label_crit_section(curr); 782 if (IS_ERR(label)) 783 return PTR_ERR(label); 784 785 /* We are going to leave space for two numbers. The first is the total 786 * number of bytes we are writing after the first number. This is so 787 * users can read the full output without reallocation. 788 * 789 * The second number is the number of data blocks we're writing. An 790 * application might be confined by multiple policies having data in 791 * the same key. 792 */ 793 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 794 out = buf + sizeof(bytes) + sizeof(blocks); 795 796 blocks = 0; 797 label_for_each_confined(i, label, profile) { 798 if (!profile->data) 799 continue; 800 801 data = rhashtable_lookup_fast(profile->data, &key, 802 profile->data->p); 803 804 if (data) { 805 if (out + sizeof(outle32) + data->size > buf + 806 buf_len) { 807 aa_put_label(label); 808 return -EINVAL; /* not enough space */ 809 } 810 outle32 = __cpu_to_le32(data->size); 811 memcpy(out, &outle32, sizeof(outle32)); 812 out += sizeof(outle32); 813 memcpy(out, data->data, data->size); 814 out += data->size; 815 blocks++; 816 } 817 } 818 aa_put_label(label); 819 820 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 821 memcpy(buf, &outle32, sizeof(outle32)); 822 outle32 = __cpu_to_le32(blocks); 823 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 824 825 return out - buf; 826 } 827 828 /** 829 * query_label - queries a label and writes permissions to buf 830 * @buf: the resulting permissions string is stored here (NOT NULL) 831 * @buf_len: size of buf 832 * @query: binary query string to match against the dfa 833 * @query_len: size of query 834 * @view_only: only compute for querier's view 835 * 836 * The buffers pointed to by buf and query may overlap. The query buffer is 837 * parsed before buf is written to. 838 * 839 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is 840 * the name of the label, in the current namespace, that is to be queried and 841 * DFA_STRING is a binary string to match against the label(s)'s DFA. 842 * 843 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters 844 * but must *not* be NUL terminated. 845 * 846 * Returns: number of characters written to buf or -errno on failure 847 */ 848 static ssize_t query_label(char *buf, size_t buf_len, 849 char *query, size_t query_len, bool view_only) 850 { 851 struct aa_profile *profile; 852 struct aa_label *label, *curr; 853 char *label_name, *match_str; 854 size_t label_name_len, match_len; 855 struct aa_perms perms; 856 struct label_it i; 857 858 if (!query_len) 859 return -EINVAL; 860 861 label_name = query; 862 label_name_len = strnlen(query, query_len); 863 if (!label_name_len || label_name_len == query_len) 864 return -EINVAL; 865 866 /** 867 * The extra byte is to account for the null byte between the 868 * profile name and dfa string. profile_name_len is greater 869 * than zero and less than query_len, so a byte can be safely 870 * added or subtracted. 871 */ 872 match_str = label_name + label_name_len + 1; 873 match_len = query_len - label_name_len - 1; 874 875 curr = begin_current_label_crit_section(); 876 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); 877 end_current_label_crit_section(curr); 878 if (IS_ERR(label)) 879 return PTR_ERR(label); 880 881 perms = allperms; 882 if (view_only) { 883 label_for_each_in_scope(i, labels_ns(label), label, profile) { 884 profile_query_cb(profile, &perms, match_str, match_len); 885 } 886 } else { 887 label_for_each(i, label, profile) { 888 profile_query_cb(profile, &perms, match_str, match_len); 889 } 890 } 891 aa_put_label(label); 892 893 return scnprintf(buf, buf_len, 894 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n", 895 perms.allow, perms.deny, perms.audit, perms.quiet); 896 } 897 898 /* 899 * Transaction based IO. 900 * The file expects a write which triggers the transaction, and then 901 * possibly a read(s) which collects the result - which is stored in a 902 * file-local buffer. Once a new write is performed, a new set of results 903 * are stored in the file-local buffer. 904 */ 905 struct multi_transaction { 906 struct kref count; 907 ssize_t size; 908 char data[]; 909 }; 910 911 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) 912 913 static void multi_transaction_kref(struct kref *kref) 914 { 915 struct multi_transaction *t; 916 917 t = container_of(kref, struct multi_transaction, count); 918 free_page((unsigned long) t); 919 } 920 921 static struct multi_transaction * 922 get_multi_transaction(struct multi_transaction *t) 923 { 924 if (t) 925 kref_get(&(t->count)); 926 927 return t; 928 } 929 930 static void put_multi_transaction(struct multi_transaction *t) 931 { 932 if (t) 933 kref_put(&(t->count), multi_transaction_kref); 934 } 935 936 /* does not increment @new's count */ 937 static void multi_transaction_set(struct file *file, 938 struct multi_transaction *new, size_t n) 939 { 940 struct multi_transaction *old; 941 942 AA_BUG(n > MULTI_TRANSACTION_LIMIT); 943 944 new->size = n; 945 spin_lock(&file->f_lock); 946 old = (struct multi_transaction *) file->private_data; 947 file->private_data = new; 948 spin_unlock(&file->f_lock); 949 put_multi_transaction(old); 950 } 951 952 static struct multi_transaction *multi_transaction_new(struct file *file, 953 const char __user *buf, 954 size_t size) 955 { 956 struct multi_transaction *t; 957 958 if (size > MULTI_TRANSACTION_LIMIT - 1) 959 return ERR_PTR(-EFBIG); 960 961 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL); 962 if (!t) 963 return ERR_PTR(-ENOMEM); 964 kref_init(&t->count); 965 if (copy_from_user(t->data, buf, size)) { 966 put_multi_transaction(t); 967 return ERR_PTR(-EFAULT); 968 } 969 970 return t; 971 } 972 973 static ssize_t multi_transaction_read(struct file *file, char __user *buf, 974 size_t size, loff_t *pos) 975 { 976 struct multi_transaction *t; 977 ssize_t ret; 978 979 spin_lock(&file->f_lock); 980 t = get_multi_transaction(file->private_data); 981 spin_unlock(&file->f_lock); 982 983 if (!t) 984 return 0; 985 986 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); 987 put_multi_transaction(t); 988 989 return ret; 990 } 991 992 static int multi_transaction_release(struct inode *inode, struct file *file) 993 { 994 put_multi_transaction(file->private_data); 995 996 return 0; 997 } 998 999 #define QUERY_CMD_LABEL "label\0" 1000 #define QUERY_CMD_LABEL_LEN 6 1001 #define QUERY_CMD_PROFILE "profile\0" 1002 #define QUERY_CMD_PROFILE_LEN 8 1003 #define QUERY_CMD_LABELALL "labelall\0" 1004 #define QUERY_CMD_LABELALL_LEN 9 1005 #define QUERY_CMD_DATA "data\0" 1006 #define QUERY_CMD_DATA_LEN 5 1007 1008 /** 1009 * aa_write_access - generic permissions and data query 1010 * @file: pointer to open apparmorfs/access file 1011 * @ubuf: user buffer containing the complete query string (NOT NULL) 1012 * @count: size of ubuf 1013 * @ppos: position in the file (MUST BE ZERO) 1014 * 1015 * Allows for one permissions or data query per open(), write(), and read() 1016 * sequence. The only queries currently supported are label-based queries for 1017 * permissions or data. 1018 * 1019 * For permissions queries, ubuf must begin with "label\0", followed by the 1020 * profile query specific format described in the query_label() function 1021 * documentation. 1022 * 1023 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 1024 * <LABEL> is the name of the security confinement context and <KEY> is the 1025 * name of the data to retrieve. 1026 * 1027 * Returns: number of bytes written or -errno on failure 1028 */ 1029 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 1030 size_t count, loff_t *ppos) 1031 { 1032 struct multi_transaction *t; 1033 ssize_t len; 1034 1035 if (*ppos) 1036 return -ESPIPE; 1037 1038 t = multi_transaction_new(file, ubuf, count); 1039 if (IS_ERR(t)) 1040 return PTR_ERR(t); 1041 1042 if (count > QUERY_CMD_PROFILE_LEN && 1043 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { 1044 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 1045 t->data + QUERY_CMD_PROFILE_LEN, 1046 count - QUERY_CMD_PROFILE_LEN, true); 1047 } else if (count > QUERY_CMD_LABEL_LEN && 1048 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { 1049 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 1050 t->data + QUERY_CMD_LABEL_LEN, 1051 count - QUERY_CMD_LABEL_LEN, true); 1052 } else if (count > QUERY_CMD_LABELALL_LEN && 1053 !memcmp(t->data, QUERY_CMD_LABELALL, 1054 QUERY_CMD_LABELALL_LEN)) { 1055 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 1056 t->data + QUERY_CMD_LABELALL_LEN, 1057 count - QUERY_CMD_LABELALL_LEN, false); 1058 } else if (count > QUERY_CMD_DATA_LEN && 1059 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 1060 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, 1061 t->data + QUERY_CMD_DATA_LEN, 1062 count - QUERY_CMD_DATA_LEN); 1063 } else 1064 len = -EINVAL; 1065 1066 if (len < 0) { 1067 put_multi_transaction(t); 1068 return len; 1069 } 1070 1071 multi_transaction_set(file, t, len); 1072 1073 return count; 1074 } 1075 1076 static const struct file_operations aa_sfs_access = { 1077 .write = aa_write_access, 1078 .read = multi_transaction_read, 1079 .release = multi_transaction_release, 1080 .llseek = generic_file_llseek, 1081 }; 1082 1083 static int aa_sfs_seq_show(struct seq_file *seq, void *v) 1084 { 1085 struct aa_sfs_entry *fs_file = seq->private; 1086 1087 if (!fs_file) 1088 return 0; 1089 1090 switch (fs_file->v_type) { 1091 case AA_SFS_TYPE_BOOLEAN: 1092 seq_printf(seq, "%s\n", str_yes_no(fs_file->v.boolean)); 1093 break; 1094 case AA_SFS_TYPE_STRING: 1095 seq_printf(seq, "%s\n", fs_file->v.string); 1096 break; 1097 case AA_SFS_TYPE_U64: 1098 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 1099 break; 1100 default: 1101 /* Ignore unprintable entry types. */ 1102 break; 1103 } 1104 1105 return 0; 1106 } 1107 1108 static int aa_sfs_seq_open(struct inode *inode, struct file *file) 1109 { 1110 return single_open(file, aa_sfs_seq_show, inode->i_private); 1111 } 1112 1113 const struct file_operations aa_sfs_seq_file_ops = { 1114 .owner = THIS_MODULE, 1115 .open = aa_sfs_seq_open, 1116 .read = seq_read, 1117 .llseek = seq_lseek, 1118 .release = single_release, 1119 }; 1120 1121 /* 1122 * profile based file operations 1123 * policy/profiles/XXXX/profiles/ * 1124 */ 1125 1126 #define SEQ_PROFILE_FOPS(NAME) \ 1127 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1128 { \ 1129 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \ 1130 } \ 1131 \ 1132 static const struct file_operations seq_profile_ ##NAME ##_fops = { \ 1133 .owner = THIS_MODULE, \ 1134 .open = seq_profile_ ##NAME ##_open, \ 1135 .read = seq_read, \ 1136 .llseek = seq_lseek, \ 1137 .release = seq_profile_release, \ 1138 } \ 1139 1140 static int seq_profile_open(struct inode *inode, struct file *file, 1141 int (*show)(struct seq_file *, void *)) 1142 { 1143 struct aa_proxy *proxy = get_proxy_common_ref(inode->i_private); 1144 int error = single_open(file, show, proxy); 1145 1146 if (error) { 1147 file->private_data = NULL; 1148 aa_put_proxy(proxy); 1149 } 1150 1151 return error; 1152 } 1153 1154 static int seq_profile_release(struct inode *inode, struct file *file) 1155 { 1156 struct seq_file *seq = (struct seq_file *) file->private_data; 1157 if (seq) 1158 aa_put_proxy(seq->private); 1159 return single_release(inode, file); 1160 } 1161 1162 static int seq_profile_name_show(struct seq_file *seq, void *v) 1163 { 1164 struct aa_proxy *proxy = seq->private; 1165 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1166 struct aa_profile *profile = labels_profile(label); 1167 seq_printf(seq, "%s\n", profile->base.name); 1168 aa_put_label(label); 1169 1170 return 0; 1171 } 1172 1173 static int seq_profile_mode_show(struct seq_file *seq, void *v) 1174 { 1175 struct aa_proxy *proxy = seq->private; 1176 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1177 struct aa_profile *profile = labels_profile(label); 1178 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 1179 aa_put_label(label); 1180 1181 return 0; 1182 } 1183 1184 static int seq_profile_attach_show(struct seq_file *seq, void *v) 1185 { 1186 struct aa_proxy *proxy = seq->private; 1187 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1188 struct aa_profile *profile = labels_profile(label); 1189 if (profile->attach.xmatch_str) 1190 seq_printf(seq, "%s\n", profile->attach.xmatch_str); 1191 else if (profile->attach.xmatch->dfa) 1192 seq_puts(seq, "<unknown>\n"); 1193 else 1194 seq_printf(seq, "%s\n", profile->base.name); 1195 aa_put_label(label); 1196 1197 return 0; 1198 } 1199 1200 static int seq_profile_hash_show(struct seq_file *seq, void *v) 1201 { 1202 struct aa_proxy *proxy = seq->private; 1203 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1204 struct aa_profile *profile = labels_profile(label); 1205 unsigned int i, size = aa_hash_size(); 1206 1207 if (profile->hash) { 1208 for (i = 0; i < size; i++) 1209 seq_printf(seq, "%.2x", profile->hash[i]); 1210 seq_putc(seq, '\n'); 1211 } 1212 aa_put_label(label); 1213 1214 return 0; 1215 } 1216 1217 SEQ_PROFILE_FOPS(name); 1218 SEQ_PROFILE_FOPS(mode); 1219 SEQ_PROFILE_FOPS(attach); 1220 SEQ_PROFILE_FOPS(hash); 1221 1222 /* 1223 * namespace based files 1224 * several root files and 1225 * policy/ * 1226 */ 1227 1228 #define SEQ_NS_FOPS(NAME) \ 1229 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \ 1230 { \ 1231 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \ 1232 } \ 1233 \ 1234 static const struct file_operations seq_ns_ ##NAME ##_fops = { \ 1235 .owner = THIS_MODULE, \ 1236 .open = seq_ns_ ##NAME ##_open, \ 1237 .read = seq_read, \ 1238 .llseek = seq_lseek, \ 1239 .release = single_release, \ 1240 } \ 1241 1242 static int seq_ns_stacked_show(struct seq_file *seq, void *v) 1243 { 1244 struct aa_label *label; 1245 1246 label = begin_current_label_crit_section(); 1247 seq_printf(seq, "%s\n", str_yes_no(label->size > 1)); 1248 end_current_label_crit_section(label); 1249 1250 return 0; 1251 } 1252 1253 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v) 1254 { 1255 struct aa_label *label; 1256 struct aa_profile *profile; 1257 struct label_it it; 1258 int count = 1; 1259 1260 label = begin_current_label_crit_section(); 1261 1262 if (label->size > 1) { 1263 label_for_each(it, label, profile) 1264 if (profile->ns != labels_ns(label)) { 1265 count++; 1266 break; 1267 } 1268 } 1269 1270 seq_printf(seq, "%s\n", str_yes_no(count > 1)); 1271 end_current_label_crit_section(label); 1272 1273 return 0; 1274 } 1275 1276 static int seq_ns_level_show(struct seq_file *seq, void *v) 1277 { 1278 struct aa_label *label; 1279 1280 label = begin_current_label_crit_section(); 1281 seq_printf(seq, "%d\n", labels_ns(label)->level); 1282 end_current_label_crit_section(label); 1283 1284 return 0; 1285 } 1286 1287 static int seq_ns_name_show(struct seq_file *seq, void *v) 1288 { 1289 struct aa_label *label = begin_current_label_crit_section(); 1290 seq_printf(seq, "%s\n", labels_ns(label)->base.name); 1291 end_current_label_crit_section(label); 1292 1293 return 0; 1294 } 1295 1296 static int seq_ns_compress_min_show(struct seq_file *seq, void *v) 1297 { 1298 seq_printf(seq, "%d\n", AA_MIN_CLEVEL); 1299 return 0; 1300 } 1301 1302 static int seq_ns_compress_max_show(struct seq_file *seq, void *v) 1303 { 1304 seq_printf(seq, "%d\n", AA_MAX_CLEVEL); 1305 return 0; 1306 } 1307 1308 SEQ_NS_FOPS(stacked); 1309 SEQ_NS_FOPS(nsstacked); 1310 SEQ_NS_FOPS(level); 1311 SEQ_NS_FOPS(name); 1312 SEQ_NS_FOPS(compress_min); 1313 SEQ_NS_FOPS(compress_max); 1314 1315 1316 /* policy/raw_data/ * file ops */ 1317 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1318 #define SEQ_RAWDATA_FOPS(NAME) \ 1319 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1320 { \ 1321 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1322 } \ 1323 \ 1324 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1325 .owner = THIS_MODULE, \ 1326 .open = seq_rawdata_ ##NAME ##_open, \ 1327 .read = seq_read, \ 1328 .llseek = seq_lseek, \ 1329 .release = seq_rawdata_release, \ 1330 } \ 1331 1332 static int seq_rawdata_open(struct inode *inode, struct file *file, 1333 int (*show)(struct seq_file *, void *)) 1334 { 1335 struct aa_loaddata *data = get_loaddata_common_ref(inode->i_private); 1336 int error; 1337 1338 if (!data) 1339 return -ENOENT; 1340 1341 error = single_open(file, show, data); 1342 if (error) { 1343 AA_BUG(file->private_data && 1344 ((struct seq_file *)file->private_data)->private); 1345 aa_put_i_loaddata(data); 1346 } 1347 1348 return error; 1349 } 1350 1351 static int seq_rawdata_release(struct inode *inode, struct file *file) 1352 { 1353 struct seq_file *seq = (struct seq_file *) file->private_data; 1354 1355 if (seq) 1356 aa_put_i_loaddata(seq->private); 1357 1358 return single_release(inode, file); 1359 } 1360 1361 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1362 { 1363 struct aa_loaddata *data = seq->private; 1364 1365 seq_printf(seq, "v%d\n", data->abi); 1366 1367 return 0; 1368 } 1369 1370 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1371 { 1372 struct aa_loaddata *data = seq->private; 1373 1374 seq_printf(seq, "%ld\n", data->revision); 1375 1376 return 0; 1377 } 1378 1379 static int seq_rawdata_hash_show(struct seq_file *seq, void *v) 1380 { 1381 struct aa_loaddata *data = seq->private; 1382 unsigned int i, size = aa_hash_size(); 1383 1384 if (data->hash) { 1385 for (i = 0; i < size; i++) 1386 seq_printf(seq, "%.2x", data->hash[i]); 1387 seq_putc(seq, '\n'); 1388 } 1389 1390 return 0; 1391 } 1392 1393 static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v) 1394 { 1395 struct aa_loaddata *data = seq->private; 1396 1397 seq_printf(seq, "%zu\n", data->compressed_size); 1398 1399 return 0; 1400 } 1401 1402 SEQ_RAWDATA_FOPS(abi); 1403 SEQ_RAWDATA_FOPS(revision); 1404 SEQ_RAWDATA_FOPS(hash); 1405 SEQ_RAWDATA_FOPS(compressed_size); 1406 1407 static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen) 1408 { 1409 if (slen < dlen) { 1410 const size_t wksp_len = zstd_dctx_workspace_bound(); 1411 zstd_dctx *ctx; 1412 void *wksp; 1413 size_t out_len; 1414 int ret = 0; 1415 1416 wksp = kvzalloc(wksp_len, GFP_KERNEL); 1417 if (!wksp) { 1418 ret = -ENOMEM; 1419 goto cleanup; 1420 } 1421 ctx = zstd_init_dctx(wksp, wksp_len); 1422 if (ctx == NULL) { 1423 ret = -ENOMEM; 1424 goto cleanup; 1425 } 1426 out_len = zstd_decompress_dctx(ctx, dst, dlen, src, slen); 1427 if (zstd_is_error(out_len)) { 1428 ret = -EINVAL; 1429 goto cleanup; 1430 } 1431 cleanup: 1432 kvfree(wksp); 1433 return ret; 1434 } 1435 1436 if (dlen < slen) 1437 return -EINVAL; 1438 memcpy(dst, src, slen); 1439 return 0; 1440 } 1441 1442 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1443 loff_t *ppos) 1444 { 1445 struct rawdata_f_data *private = file->private_data; 1446 1447 return simple_read_from_buffer(buf, size, ppos, 1448 RAWDATA_F_DATA_BUF(private), 1449 private->loaddata->size); 1450 } 1451 1452 static int rawdata_release(struct inode *inode, struct file *file) 1453 { 1454 rawdata_f_data_free(file->private_data); 1455 1456 return 0; 1457 } 1458 1459 static int rawdata_open(struct inode *inode, struct file *file) 1460 { 1461 int error; 1462 struct aa_loaddata *loaddata; 1463 struct rawdata_f_data *private; 1464 1465 if (!aa_current_policy_view_capable(NULL)) 1466 return -EACCES; 1467 1468 loaddata = get_loaddata_common_ref(inode->i_private); 1469 if (!loaddata) 1470 return -ENOENT; 1471 1472 private = rawdata_f_data_alloc(loaddata->size); 1473 if (IS_ERR(private)) { 1474 error = PTR_ERR(private); 1475 goto fail_private_alloc; 1476 } 1477 1478 private->loaddata = loaddata; 1479 1480 error = decompress_zstd(loaddata->data, loaddata->compressed_size, 1481 RAWDATA_F_DATA_BUF(private), 1482 loaddata->size); 1483 if (error) 1484 goto fail_decompress; 1485 1486 file->private_data = private; 1487 return 0; 1488 1489 fail_decompress: 1490 rawdata_f_data_free(private); 1491 return error; 1492 1493 fail_private_alloc: 1494 aa_put_i_loaddata(loaddata); 1495 return error; 1496 } 1497 1498 static const struct file_operations rawdata_fops = { 1499 .open = rawdata_open, 1500 .read = rawdata_read, 1501 .llseek = generic_file_llseek, 1502 .release = rawdata_release, 1503 }; 1504 1505 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1506 { 1507 int i; 1508 1509 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1510 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1511 aafs_remove(rawdata->dents[i]); 1512 rawdata->dents[i] = NULL; 1513 } 1514 } 1515 } 1516 1517 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1518 { 1519 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1520 1521 if (rawdata->ns) { 1522 remove_rawdata_dents(rawdata); 1523 list_del_init(&rawdata->list); 1524 aa_put_ns(rawdata->ns); 1525 rawdata->ns = NULL; 1526 } 1527 } 1528 1529 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1530 { 1531 struct dentry *dent, *dir; 1532 1533 AA_BUG(!ns); 1534 AA_BUG(!rawdata); 1535 AA_BUG(!mutex_is_locked(&ns->lock)); 1536 AA_BUG(!ns_subdata_dir(ns)); 1537 1538 /* 1539 * just use ns revision dir was originally created at. This is 1540 * under ns->lock and if load is successful revision will be 1541 * bumped and is guaranteed to be unique 1542 */ 1543 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1544 if (!rawdata->name) 1545 return -ENOMEM; 1546 1547 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1548 if (IS_ERR(dir)) 1549 /* ->name freed when rawdata freed */ 1550 return PTR_ERR(dir); 1551 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1552 1553 dent = aafs_create_file("abi", S_IFREG | 0444, dir, &rawdata->count, 1554 &seq_rawdata_abi_fops); 1555 if (IS_ERR(dent)) 1556 goto fail; 1557 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1558 1559 dent = aafs_create_file("revision", S_IFREG | 0444, dir, 1560 &rawdata->count, 1561 &seq_rawdata_revision_fops); 1562 if (IS_ERR(dent)) 1563 goto fail; 1564 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1565 1566 if (aa_g_hash_policy) { 1567 dent = aafs_create_file("sha256", S_IFREG | 0444, dir, 1568 &rawdata->count, 1569 &seq_rawdata_hash_fops); 1570 if (IS_ERR(dent)) 1571 goto fail; 1572 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1573 } 1574 1575 dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir, 1576 &rawdata->count, 1577 &seq_rawdata_compressed_size_fops); 1578 if (IS_ERR(dent)) 1579 goto fail; 1580 rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent; 1581 1582 dent = aafs_create_file("raw_data", S_IFREG | 0444, dir, 1583 &rawdata->count, &rawdata_fops); 1584 if (IS_ERR(dent)) 1585 goto fail; 1586 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1587 d_inode(dent)->i_size = rawdata->size; 1588 1589 rawdata->ns = aa_get_ns(ns); 1590 list_add(&rawdata->list, &ns->rawdata_list); 1591 1592 return 0; 1593 1594 fail: 1595 remove_rawdata_dents(rawdata); 1596 return PTR_ERR(dent); 1597 } 1598 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1599 1600 1601 /** fns to setup dynamic per profile/namespace files **/ 1602 1603 /* 1604 * 1605 * Requires: @profile->ns->lock held 1606 */ 1607 void __aafs_profile_rmdir(struct aa_profile *profile) 1608 { 1609 struct aa_profile *child; 1610 int i; 1611 1612 if (!profile) 1613 return; 1614 1615 list_for_each_entry(child, &profile->base.profiles, base.list) 1616 __aafs_profile_rmdir(child); 1617 1618 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1619 if (!profile->dents[i]) 1620 continue; 1621 1622 aafs_remove(profile->dents[i]); 1623 profile->dents[i] = NULL; 1624 } 1625 } 1626 1627 /* 1628 * 1629 * Requires: @old->ns->lock held 1630 */ 1631 void __aafs_profile_migrate_dents(struct aa_profile *old, 1632 struct aa_profile *new) 1633 { 1634 int i; 1635 1636 AA_BUG(!old); 1637 AA_BUG(!new); 1638 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1639 1640 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1641 new->dents[i] = old->dents[i]; 1642 if (new->dents[i]) { 1643 struct inode *inode = d_inode(new->dents[i]); 1644 1645 inode_set_mtime_to_ts(inode, 1646 inode_set_ctime_current(inode)); 1647 } 1648 old->dents[i] = NULL; 1649 } 1650 } 1651 1652 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1653 struct aa_profile *profile, 1654 const struct file_operations *fops) 1655 { 1656 return aafs_create_file(name, S_IFREG | 0444, dir, &profile->label.proxy->count, fops); 1657 } 1658 1659 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1660 static int profile_depth(struct aa_profile *profile) 1661 { 1662 int depth = 0; 1663 1664 rcu_read_lock(); 1665 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1666 depth++; 1667 rcu_read_unlock(); 1668 1669 return depth; 1670 } 1671 1672 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1673 { 1674 char *buffer, *s; 1675 int error; 1676 const char *path = "../../"; 1677 size_t path_len = strlen(path); 1678 int size; 1679 1680 /* Extra 11 bytes: "raw_data" (9) + two slashes "//" (2) */ 1681 size = depth * path_len + strlen(dirname) + strlen(fname) + 11; 1682 s = buffer = kmalloc(size, GFP_KERNEL); 1683 if (!buffer) 1684 return ERR_PTR(-ENOMEM); 1685 1686 for (; depth > 0; depth--) { 1687 memcpy(s, path, path_len); 1688 s += path_len; 1689 size -= path_len; 1690 } 1691 1692 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1693 if (error >= size || error < 0) { 1694 kfree(buffer); 1695 return ERR_PTR(-ENAMETOOLONG); 1696 } 1697 1698 return buffer; 1699 } 1700 1701 static const char *rawdata_get_link_base(struct dentry *dentry, 1702 struct inode *inode, 1703 struct delayed_call *done, 1704 const char *name) 1705 { 1706 struct aa_common_ref *ref = inode->i_private; 1707 struct aa_proxy *proxy = container_of(ref, struct aa_proxy, count); 1708 struct aa_label *label; 1709 struct aa_profile *profile; 1710 char *target; 1711 int depth; 1712 1713 if (!dentry) 1714 return ERR_PTR(-ECHILD); 1715 1716 label = aa_get_label_rcu(&proxy->label); 1717 profile = labels_profile(label); 1718 1719 /* rawdata can be null when aa_g_export_binary is unset during 1720 * runtime and a profile is replaced 1721 */ 1722 if (!profile->rawdata) { 1723 aa_put_label(label); 1724 return ERR_PTR(-ENOENT); 1725 } 1726 1727 depth = profile_depth(profile); 1728 target = gen_symlink_name(depth, profile->rawdata->name, name); 1729 aa_put_label(label); 1730 1731 if (IS_ERR(target)) 1732 return target; 1733 1734 set_delayed_call(done, kfree_link, target); 1735 1736 return target; 1737 } 1738 1739 static const char *rawdata_get_link_sha256(struct dentry *dentry, 1740 struct inode *inode, 1741 struct delayed_call *done) 1742 { 1743 return rawdata_get_link_base(dentry, inode, done, "sha256"); 1744 } 1745 1746 static const char *rawdata_get_link_abi(struct dentry *dentry, 1747 struct inode *inode, 1748 struct delayed_call *done) 1749 { 1750 return rawdata_get_link_base(dentry, inode, done, "abi"); 1751 } 1752 1753 static const char *rawdata_get_link_data(struct dentry *dentry, 1754 struct inode *inode, 1755 struct delayed_call *done) 1756 { 1757 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1758 } 1759 1760 static const struct inode_operations rawdata_link_sha256_iops = { 1761 .get_link = rawdata_get_link_sha256, 1762 }; 1763 1764 static const struct inode_operations rawdata_link_abi_iops = { 1765 .get_link = rawdata_get_link_abi, 1766 }; 1767 static const struct inode_operations rawdata_link_data_iops = { 1768 .get_link = rawdata_get_link_data, 1769 }; 1770 #endif /* CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1771 1772 /* 1773 * Requires: @profile->ns->lock held 1774 */ 1775 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1776 { 1777 struct aa_profile *child; 1778 struct dentry *dent = NULL, *dir; 1779 int error; 1780 1781 AA_BUG(!profile); 1782 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1783 1784 if (!parent) { 1785 struct aa_profile *p; 1786 p = aa_deref_parent(profile); 1787 dent = prof_dir(p); 1788 if (!dent) { 1789 error = -ENOENT; 1790 goto fail2; 1791 } 1792 /* adding to parent that previously didn't have children */ 1793 dent = aafs_create_dir("profiles", dent); 1794 if (IS_ERR(dent)) 1795 goto fail; 1796 prof_child_dir(p) = parent = dent; 1797 } 1798 1799 if (!profile->dirname) { 1800 int len, id_len; 1801 len = mangle_name(profile->base.name, NULL); 1802 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1803 1804 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1805 if (!profile->dirname) { 1806 error = -ENOMEM; 1807 goto fail2; 1808 } 1809 1810 mangle_name(profile->base.name, profile->dirname); 1811 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1812 } 1813 1814 dent = aafs_create_dir(profile->dirname, parent); 1815 if (IS_ERR(dent)) 1816 goto fail; 1817 prof_dir(profile) = dir = dent; 1818 1819 dent = create_profile_file(dir, "name", profile, 1820 &seq_profile_name_fops); 1821 if (IS_ERR(dent)) 1822 goto fail; 1823 profile->dents[AAFS_PROF_NAME] = dent; 1824 1825 dent = create_profile_file(dir, "mode", profile, 1826 &seq_profile_mode_fops); 1827 if (IS_ERR(dent)) 1828 goto fail; 1829 profile->dents[AAFS_PROF_MODE] = dent; 1830 1831 dent = create_profile_file(dir, "attach", profile, 1832 &seq_profile_attach_fops); 1833 if (IS_ERR(dent)) 1834 goto fail; 1835 profile->dents[AAFS_PROF_ATTACH] = dent; 1836 1837 if (profile->hash) { 1838 dent = create_profile_file(dir, "sha256", profile, 1839 &seq_profile_hash_fops); 1840 if (IS_ERR(dent)) 1841 goto fail; 1842 profile->dents[AAFS_PROF_HASH] = dent; 1843 } 1844 1845 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1846 if (profile->rawdata) { 1847 if (aa_g_hash_policy) { 1848 dent = aafs_create("raw_sha256", S_IFLNK | 0444, dir, 1849 &profile->label.proxy->count, NULL, 1850 NULL, &rawdata_link_sha256_iops); 1851 if (IS_ERR(dent)) 1852 goto fail; 1853 profile->dents[AAFS_PROF_RAW_HASH] = dent; 1854 } 1855 dent = aafs_create("raw_abi", S_IFLNK | 0444, dir, 1856 &profile->label.proxy->count, NULL, NULL, 1857 &rawdata_link_abi_iops); 1858 if (IS_ERR(dent)) 1859 goto fail; 1860 profile->dents[AAFS_PROF_RAW_ABI] = dent; 1861 1862 dent = aafs_create("raw_data", S_IFLNK | 0444, dir, 1863 &profile->label.proxy->count, NULL, NULL, 1864 &rawdata_link_data_iops); 1865 if (IS_ERR(dent)) 1866 goto fail; 1867 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1868 } 1869 #endif /*CONFIG_SECURITY_APPARMOR_EXPORT_BINARY */ 1870 1871 list_for_each_entry(child, &profile->base.profiles, base.list) { 1872 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1873 if (error) 1874 goto fail2; 1875 } 1876 1877 return 0; 1878 1879 fail: 1880 error = PTR_ERR(dent); 1881 1882 fail2: 1883 __aafs_profile_rmdir(profile); 1884 1885 return error; 1886 } 1887 1888 static struct dentry *ns_mkdir_op(struct mnt_idmap *idmap, struct inode *dir, 1889 struct dentry *dentry, umode_t mode) 1890 { 1891 struct aa_ns *ns, *parent; 1892 /* TODO: improve permission check */ 1893 struct aa_label *label; 1894 int error; 1895 1896 label = begin_current_label_crit_section(); 1897 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1898 AA_MAY_LOAD_POLICY); 1899 end_current_label_crit_section(label); 1900 if (error) 1901 return ERR_PTR(error); 1902 1903 parent = get_ns_common_ref(dir->i_private); 1904 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1905 1906 /* we have to unlock and then relock to get locking order right 1907 * for pin_fs 1908 */ 1909 inode_unlock(dir); 1910 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1911 mutex_lock_nested(&parent->lock, parent->level); 1912 inode_lock_nested(dir, I_MUTEX_PARENT); 1913 if (error) 1914 goto out; 1915 1916 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1917 NULL, NULL, NULL); 1918 if (error) 1919 goto out_pin; 1920 1921 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1922 dentry); 1923 if (IS_ERR(ns)) { 1924 error = PTR_ERR(ns); 1925 ns = NULL; 1926 } 1927 1928 aa_put_ns(ns); /* list ref remains */ 1929 out_pin: 1930 if (error) 1931 simple_release_fs(&aafs_mnt, &aafs_count); 1932 out: 1933 mutex_unlock(&parent->lock); 1934 aa_put_ns(parent); 1935 1936 return ERR_PTR(error); 1937 } 1938 1939 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1940 { 1941 struct aa_ns *ns, *parent; 1942 /* TODO: improve permission check */ 1943 struct aa_label *label; 1944 int error; 1945 1946 label = begin_current_label_crit_section(); 1947 error = aa_may_manage_policy(current_cred(), label, NULL, NULL, 1948 AA_MAY_LOAD_POLICY); 1949 end_current_label_crit_section(label); 1950 if (error) 1951 return error; 1952 1953 parent = get_ns_common_ref(dir->i_private); 1954 /* rmdir calls the generic securityfs functions to remove files 1955 * from the apparmor dir. It is up to the apparmor ns locking 1956 * to avoid races. 1957 */ 1958 inode_unlock(dir); 1959 inode_unlock(dentry->d_inode); 1960 1961 mutex_lock_nested(&parent->lock, parent->level); 1962 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 1963 dentry->d_name.len)); 1964 if (!ns) { 1965 error = -ENOENT; 1966 goto out; 1967 } 1968 AA_BUG(ns_dir(ns) != dentry); 1969 1970 __aa_remove_ns(ns); 1971 aa_put_ns(ns); 1972 1973 out: 1974 mutex_unlock(&parent->lock); 1975 inode_lock_nested(dir, I_MUTEX_PARENT); 1976 inode_lock(dentry->d_inode); 1977 aa_put_ns(parent); 1978 1979 return error; 1980 } 1981 1982 static const struct inode_operations ns_dir_inode_operations = { 1983 .lookup = simple_lookup, 1984 .mkdir = ns_mkdir_op, 1985 .rmdir = ns_rmdir_op, 1986 }; 1987 1988 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1989 { 1990 struct aa_loaddata *ent, *tmp; 1991 1992 AA_BUG(!mutex_is_locked(&ns->lock)); 1993 1994 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1995 __aa_fs_remove_rawdata(ent); 1996 } 1997 1998 /* 1999 * 2000 * Requires: @ns->lock held 2001 */ 2002 void __aafs_ns_rmdir(struct aa_ns *ns) 2003 { 2004 struct aa_ns *sub; 2005 struct aa_profile *child; 2006 int i; 2007 2008 if (!ns) 2009 return; 2010 AA_BUG(!mutex_is_locked(&ns->lock)); 2011 2012 list_for_each_entry(child, &ns->base.profiles, base.list) 2013 __aafs_profile_rmdir(child); 2014 2015 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2016 mutex_lock_nested(&sub->lock, sub->level); 2017 __aafs_ns_rmdir(sub); 2018 mutex_unlock(&sub->lock); 2019 } 2020 2021 __aa_fs_list_remove_rawdata(ns); 2022 2023 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 2024 aafs_remove(ns->dents[i]); 2025 ns->dents[i] = NULL; 2026 } 2027 } 2028 2029 /* assumes cleanup in caller */ 2030 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 2031 { 2032 struct dentry *dent; 2033 2034 AA_BUG(!ns); 2035 AA_BUG(!dir); 2036 2037 dent = aafs_create_dir("profiles", dir); 2038 if (IS_ERR(dent)) 2039 return PTR_ERR(dent); 2040 ns_subprofs_dir(ns) = dent; 2041 2042 dent = aafs_create_dir("raw_data", dir); 2043 if (IS_ERR(dent)) 2044 return PTR_ERR(dent); 2045 ns_subdata_dir(ns) = dent; 2046 2047 dent = aafs_create_file("revision", 0444, dir, 2048 &ns->unconfined->label.count, 2049 &aa_fs_ns_revision_fops); 2050 if (IS_ERR(dent)) 2051 return PTR_ERR(dent); 2052 ns_subrevision(ns) = dent; 2053 2054 dent = aafs_create_file(".load", 0640, dir, 2055 &ns->unconfined->label.count, 2056 &aa_fs_profile_load); 2057 if (IS_ERR(dent)) 2058 return PTR_ERR(dent); 2059 ns_subload(ns) = dent; 2060 2061 dent = aafs_create_file(".replace", 0640, dir, 2062 &ns->unconfined->label.count, 2063 &aa_fs_profile_replace); 2064 if (IS_ERR(dent)) 2065 return PTR_ERR(dent); 2066 ns_subreplace(ns) = dent; 2067 2068 dent = aafs_create_file(".remove", 0640, dir, 2069 &ns->unconfined->label.count, 2070 &aa_fs_profile_remove); 2071 if (IS_ERR(dent)) 2072 return PTR_ERR(dent); 2073 ns_subremove(ns) = dent; 2074 2075 /* use create_dentry so we can supply private data */ 2076 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, 2077 &ns->unconfined->label.count, 2078 NULL, NULL, &ns_dir_inode_operations); 2079 if (IS_ERR(dent)) 2080 return PTR_ERR(dent); 2081 ns_subns_dir(ns) = dent; 2082 2083 return 0; 2084 } 2085 2086 /* 2087 * Requires: @ns->lock held 2088 */ 2089 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 2090 struct dentry *dent) 2091 { 2092 struct aa_ns *sub; 2093 struct aa_profile *child; 2094 struct dentry *dir; 2095 int error; 2096 2097 AA_BUG(!ns); 2098 AA_BUG(!parent); 2099 AA_BUG(!mutex_is_locked(&ns->lock)); 2100 2101 if (!name) 2102 name = ns->base.name; 2103 2104 if (!dent) { 2105 /* create ns dir if it doesn't already exist */ 2106 dent = aafs_create_dir(name, parent); 2107 if (IS_ERR(dent)) 2108 goto fail; 2109 } else 2110 dget(dent); 2111 ns_dir(ns) = dir = dent; 2112 error = __aafs_ns_mkdir_entries(ns, dir); 2113 if (error) 2114 goto fail2; 2115 2116 /* profiles */ 2117 list_for_each_entry(child, &ns->base.profiles, base.list) { 2118 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 2119 if (error) 2120 goto fail2; 2121 } 2122 2123 /* subnamespaces */ 2124 list_for_each_entry(sub, &ns->sub_ns, base.list) { 2125 mutex_lock_nested(&sub->lock, sub->level); 2126 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 2127 mutex_unlock(&sub->lock); 2128 if (error) 2129 goto fail2; 2130 } 2131 2132 return 0; 2133 2134 fail: 2135 error = PTR_ERR(dent); 2136 2137 fail2: 2138 __aafs_ns_rmdir(ns); 2139 2140 return error; 2141 } 2142 2143 /** 2144 * __next_ns - find the next namespace to list 2145 * @root: root namespace to stop search at (NOT NULL) 2146 * @ns: current ns position (NOT NULL) 2147 * 2148 * Find the next namespace from @ns under @root and handle all locking needed 2149 * while switching current namespace. 2150 * 2151 * Returns: next namespace or NULL if at last namespace under @root 2152 * Requires: ns->parent->lock to be held 2153 * NOTE: will not unlock root->lock 2154 */ 2155 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 2156 { 2157 struct aa_ns *parent, *next; 2158 2159 AA_BUG(!root); 2160 AA_BUG(!ns); 2161 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 2162 2163 /* is next namespace a child */ 2164 if (!list_empty(&ns->sub_ns)) { 2165 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 2166 mutex_lock_nested(&next->lock, next->level); 2167 return next; 2168 } 2169 2170 /* check if the next ns is a sibling, parent, gp, .. */ 2171 parent = ns->parent; 2172 while (ns != root) { 2173 mutex_unlock(&ns->lock); 2174 next = list_next_entry(ns, base.list); 2175 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 2176 mutex_lock_nested(&next->lock, next->level); 2177 return next; 2178 } 2179 ns = parent; 2180 parent = parent->parent; 2181 } 2182 2183 return NULL; 2184 } 2185 2186 /** 2187 * __first_profile - find the first profile in a namespace 2188 * @root: namespace that is root of profiles being displayed (NOT NULL) 2189 * @ns: namespace to start in (NOT NULL) 2190 * 2191 * Returns: unrefcounted profile or NULL if no profile 2192 * Requires: profile->ns.lock to be held 2193 */ 2194 static struct aa_profile *__first_profile(struct aa_ns *root, 2195 struct aa_ns *ns) 2196 { 2197 AA_BUG(!root); 2198 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2199 2200 for (; ns; ns = __next_ns(root, ns)) { 2201 if (!list_empty(&ns->base.profiles)) 2202 return list_first_entry(&ns->base.profiles, 2203 struct aa_profile, base.list); 2204 } 2205 return NULL; 2206 } 2207 2208 /** 2209 * __next_profile - step to the next profile in a profile tree 2210 * @p: current profile in tree (NOT NULL) 2211 * 2212 * Perform a depth first traversal on the profile tree in a namespace 2213 * 2214 * Returns: next profile or NULL if done 2215 * Requires: profile->ns.lock to be held 2216 */ 2217 static struct aa_profile *__next_profile(struct aa_profile *p) 2218 { 2219 struct aa_profile *parent; 2220 struct aa_ns *ns = p->ns; 2221 2222 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2223 2224 /* is next profile a child */ 2225 if (!list_empty(&p->base.profiles)) 2226 return list_first_entry(&p->base.profiles, typeof(*p), 2227 base.list); 2228 2229 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2230 parent = rcu_dereference_protected(p->parent, 2231 mutex_is_locked(&p->ns->lock)); 2232 while (parent) { 2233 p = list_next_entry(p, base.list); 2234 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2235 return p; 2236 p = parent; 2237 parent = rcu_dereference_protected(parent->parent, 2238 mutex_is_locked(&parent->ns->lock)); 2239 } 2240 2241 /* is next another profile in the namespace */ 2242 p = list_next_entry(p, base.list); 2243 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2244 return p; 2245 2246 return NULL; 2247 } 2248 2249 /** 2250 * next_profile - step to the next profile in where ever it may be 2251 * @root: root namespace (NOT NULL) 2252 * @profile: current profile (NOT NULL) 2253 * 2254 * Returns: next profile or NULL if there isn't one 2255 */ 2256 static struct aa_profile *next_profile(struct aa_ns *root, 2257 struct aa_profile *profile) 2258 { 2259 struct aa_profile *next = __next_profile(profile); 2260 if (next) 2261 return next; 2262 2263 /* finished all profiles in namespace move to next namespace */ 2264 return __first_profile(root, __next_ns(root, profile->ns)); 2265 } 2266 2267 /** 2268 * p_start - start a depth first traversal of profile tree 2269 * @f: seq_file to fill 2270 * @pos: current position 2271 * 2272 * Returns: first profile under current namespace or NULL if none found 2273 * 2274 * acquires first ns->lock 2275 */ 2276 static void *p_start(struct seq_file *f, loff_t *pos) 2277 { 2278 struct aa_profile *profile = NULL; 2279 struct aa_ns *root = aa_get_current_ns(); 2280 loff_t l = *pos; 2281 f->private = root; 2282 2283 /* find the first profile */ 2284 mutex_lock_nested(&root->lock, root->level); 2285 profile = __first_profile(root, root); 2286 2287 /* skip to position */ 2288 for (; profile && l > 0; l--) 2289 profile = next_profile(root, profile); 2290 2291 return profile; 2292 } 2293 2294 /** 2295 * p_next - read the next profile entry 2296 * @f: seq_file to fill 2297 * @p: profile previously returned 2298 * @pos: current position 2299 * 2300 * Returns: next profile after @p or NULL if none 2301 * 2302 * may acquire/release locks in namespace tree as necessary 2303 */ 2304 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2305 { 2306 struct aa_profile *profile = p; 2307 struct aa_ns *ns = f->private; 2308 (*pos)++; 2309 2310 return next_profile(ns, profile); 2311 } 2312 2313 /** 2314 * p_stop - stop depth first traversal 2315 * @f: seq_file we are filling 2316 * @p: the last profile written 2317 * 2318 * Release all locking done by p_start/p_next on namespace tree 2319 */ 2320 static void p_stop(struct seq_file *f, void *p) 2321 { 2322 struct aa_profile *profile = p; 2323 struct aa_ns *root = f->private, *ns; 2324 2325 if (profile) { 2326 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2327 mutex_unlock(&ns->lock); 2328 } 2329 mutex_unlock(&root->lock); 2330 aa_put_ns(root); 2331 } 2332 2333 /** 2334 * seq_show_profile - show a profile entry 2335 * @f: seq_file to file 2336 * @p: current position (profile) (NOT NULL) 2337 * 2338 * Returns: error on failure 2339 */ 2340 static int seq_show_profile(struct seq_file *f, void *p) 2341 { 2342 struct aa_profile *profile = (struct aa_profile *)p; 2343 struct aa_ns *root = f->private; 2344 2345 aa_label_seq_xprint(f, root, &profile->label, 2346 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2347 seq_putc(f, '\n'); 2348 2349 return 0; 2350 } 2351 2352 static const struct seq_operations aa_sfs_profiles_op = { 2353 .start = p_start, 2354 .next = p_next, 2355 .stop = p_stop, 2356 .show = seq_show_profile, 2357 }; 2358 2359 static int profiles_open(struct inode *inode, struct file *file) 2360 { 2361 if (!aa_current_policy_view_capable(NULL)) 2362 return -EACCES; 2363 2364 return seq_open(file, &aa_sfs_profiles_op); 2365 } 2366 2367 static int profiles_release(struct inode *inode, struct file *file) 2368 { 2369 return seq_release(inode, file); 2370 } 2371 2372 static const struct file_operations aa_sfs_profiles_fops = { 2373 .open = profiles_open, 2374 .read = seq_read, 2375 .llseek = seq_lseek, 2376 .release = profiles_release, 2377 }; 2378 2379 2380 /** Base file system setup **/ 2381 static struct aa_sfs_entry aa_sfs_entry_file[] = { 2382 AA_SFS_FILE_STRING("mask", 2383 "create read write exec append mmap_exec link lock"), 2384 { } 2385 }; 2386 2387 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = { 2388 AA_SFS_FILE_STRING("mask", "read trace"), 2389 { } 2390 }; 2391 2392 static struct aa_sfs_entry aa_sfs_entry_signal[] = { 2393 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK), 2394 { } 2395 }; 2396 2397 static struct aa_sfs_entry aa_sfs_entry_attach[] = { 2398 AA_SFS_FILE_BOOLEAN("xattr", 1), 2399 { } 2400 }; 2401 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2402 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2403 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2404 AA_SFS_FILE_BOOLEAN("unconfined_allowed_children", 1), 2405 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2406 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2407 AA_SFS_FILE_BOOLEAN("stack", 1), 2408 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 2409 AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1), 2410 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2411 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2412 AA_SFS_FILE_BOOLEAN("disconnected.path", 1), 2413 AA_SFS_FILE_BOOLEAN("kill.signal", 1), 2414 AA_SFS_FILE_STRING("version", "1.2"), 2415 { } 2416 }; 2417 2418 static struct aa_sfs_entry aa_sfs_entry_unconfined[] = { 2419 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2420 { } 2421 }; 2422 2423 static struct aa_sfs_entry aa_sfs_entry_versions[] = { 2424 AA_SFS_FILE_BOOLEAN("v5", 1), 2425 AA_SFS_FILE_BOOLEAN("v6", 1), 2426 AA_SFS_FILE_BOOLEAN("v7", 1), 2427 AA_SFS_FILE_BOOLEAN("v8", 1), 2428 AA_SFS_FILE_BOOLEAN("v9", 1), 2429 { } 2430 }; 2431 2432 #define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label" 2433 static struct aa_sfs_entry aa_sfs_entry_policy[] = { 2434 AA_SFS_DIR("versions", aa_sfs_entry_versions), 2435 AA_SFS_FILE_BOOLEAN("set_load", 1), 2436 /* number of out of band transitions supported */ 2437 AA_SFS_FILE_U64("outofband", MAX_OOB_SUPPORTED), 2438 AA_SFS_FILE_U64("permstable32_version", 3), 2439 AA_SFS_FILE_STRING("permstable32", PERMS32STR), 2440 AA_SFS_FILE_U64("state32", 1), 2441 AA_SFS_DIR("unconfined_restrictions", aa_sfs_entry_unconfined), 2442 { } 2443 }; 2444 2445 static struct aa_sfs_entry aa_sfs_entry_mount[] = { 2446 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), 2447 AA_SFS_FILE_STRING("move_mount", "detached"), 2448 { } 2449 }; 2450 2451 static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2452 AA_SFS_FILE_BOOLEAN("profile", 1), 2453 AA_SFS_FILE_BOOLEAN("pivot_root", 0), 2454 AA_SFS_FILE_STRING("mask", "userns_create"), 2455 { } 2456 }; 2457 2458 static struct aa_sfs_entry aa_sfs_entry_dbus[] = { 2459 AA_SFS_FILE_STRING("mask", "acquire send receive"), 2460 { } 2461 }; 2462 2463 static struct aa_sfs_entry aa_sfs_entry_query_label[] = { 2464 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"), 2465 AA_SFS_FILE_BOOLEAN("data", 1), 2466 AA_SFS_FILE_BOOLEAN("multi_transaction", 1), 2467 { } 2468 }; 2469 2470 static struct aa_sfs_entry aa_sfs_entry_query[] = { 2471 AA_SFS_DIR("label", aa_sfs_entry_query_label), 2472 { } 2473 }; 2474 2475 static struct aa_sfs_entry aa_sfs_entry_io_uring[] = { 2476 AA_SFS_FILE_STRING("mask", "sqpoll override_creds"), 2477 { } 2478 }; 2479 2480 static struct aa_sfs_entry aa_sfs_entry_features[] = { 2481 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2482 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2483 AA_SFS_DIR("file", aa_sfs_entry_file), 2484 AA_SFS_DIR("network_v8", aa_sfs_entry_network), 2485 AA_SFS_DIR("network_v9", aa_sfs_entry_networkv9), 2486 AA_SFS_DIR("mount", aa_sfs_entry_mount), 2487 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2488 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2489 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2490 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2491 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2492 AA_SFS_DIR("signal", aa_sfs_entry_signal), 2493 AA_SFS_DIR("dbus", aa_sfs_entry_dbus), 2494 AA_SFS_DIR("query", aa_sfs_entry_query), 2495 AA_SFS_DIR("io_uring", aa_sfs_entry_io_uring), 2496 { } 2497 }; 2498 2499 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2500 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access), 2501 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2502 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2503 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops), 2504 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops), 2505 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops), 2506 AA_SFS_FILE_FOPS("raw_data_compression_level_min", 0444, &seq_ns_compress_min_fops), 2507 AA_SFS_FILE_FOPS("raw_data_compression_level_max", 0444, &seq_ns_compress_max_fops), 2508 AA_SFS_DIR("features", aa_sfs_entry_features), 2509 { } 2510 }; 2511 2512 static struct aa_sfs_entry aa_sfs_entry = 2513 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); 2514 2515 /** 2516 * entry_create_file - create a file entry in the apparmor securityfs 2517 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) 2518 * @parent: the parent dentry in the securityfs 2519 * 2520 * Use entry_remove_file to remove entries created with this fn. 2521 */ 2522 static int __init entry_create_file(struct aa_sfs_entry *fs_file, 2523 struct dentry *parent) 2524 { 2525 int error = 0; 2526 2527 fs_file->dentry = securityfs_create_file(fs_file->name, 2528 S_IFREG | fs_file->mode, 2529 parent, fs_file, 2530 fs_file->file_ops); 2531 if (IS_ERR(fs_file->dentry)) { 2532 error = PTR_ERR(fs_file->dentry); 2533 fs_file->dentry = NULL; 2534 } 2535 return error; 2536 } 2537 2538 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); 2539 /** 2540 * entry_create_dir - recursively create a directory entry in the securityfs 2541 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) 2542 * @parent: the parent dentry in the securityfs 2543 * 2544 * Use entry_remove_dir to remove entries created with this fn. 2545 */ 2546 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 2547 struct dentry *parent) 2548 { 2549 struct aa_sfs_entry *fs_file; 2550 struct dentry *dir; 2551 int error; 2552 2553 dir = securityfs_create_dir(fs_dir->name, parent); 2554 if (IS_ERR(dir)) 2555 return PTR_ERR(dir); 2556 fs_dir->dentry = dir; 2557 2558 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2559 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2560 error = entry_create_dir(fs_file, fs_dir->dentry); 2561 else 2562 error = entry_create_file(fs_file, fs_dir->dentry); 2563 if (error) 2564 goto failed; 2565 } 2566 2567 return 0; 2568 2569 failed: 2570 entry_remove_dir(fs_dir); 2571 2572 return error; 2573 } 2574 2575 /** 2576 * entry_remove_file - drop a single file entry in the apparmor securityfs 2577 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) 2578 */ 2579 static void __init entry_remove_file(struct aa_sfs_entry *fs_file) 2580 { 2581 if (!fs_file->dentry) 2582 return; 2583 2584 securityfs_remove(fs_file->dentry); 2585 fs_file->dentry = NULL; 2586 } 2587 2588 /** 2589 * entry_remove_dir - recursively drop a directory entry from the securityfs 2590 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) 2591 */ 2592 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) 2593 { 2594 struct aa_sfs_entry *fs_file; 2595 2596 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2597 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2598 entry_remove_dir(fs_file); 2599 else 2600 entry_remove_file(fs_file); 2601 } 2602 2603 entry_remove_file(fs_dir); 2604 } 2605 2606 /** 2607 * aa_destroy_aafs - cleanup and free aafs 2608 * 2609 * releases dentries allocated by aa_create_aafs 2610 */ 2611 void __init aa_destroy_aafs(void) 2612 { 2613 entry_remove_dir(&aa_sfs_entry); 2614 } 2615 2616 2617 #define NULL_FILE_NAME ".null" 2618 struct path aa_null; 2619 2620 static int aa_mk_null_file(struct dentry *parent) 2621 { 2622 struct vfsmount *mount = NULL; 2623 struct dentry *dentry; 2624 struct inode *inode; 2625 int count = 0; 2626 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 2627 2628 if (error) 2629 return error; 2630 2631 inode_lock(d_inode(parent)); 2632 dentry = lookup_noperm(&QSTR(NULL_FILE_NAME), parent); 2633 if (IS_ERR(dentry)) { 2634 error = PTR_ERR(dentry); 2635 goto out; 2636 } 2637 inode = new_inode(parent->d_inode->i_sb); 2638 if (!inode) { 2639 error = -ENOMEM; 2640 goto out1; 2641 } 2642 2643 inode->i_ino = get_next_ino(); 2644 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 2645 simple_inode_init_ts(inode); 2646 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 2647 MKDEV(MEM_MAJOR, 3)); 2648 d_instantiate(dentry, inode); 2649 aa_null.dentry = dget(dentry); 2650 aa_null.mnt = mntget(mount); 2651 2652 error = 0; 2653 2654 out1: 2655 dput(dentry); 2656 out: 2657 inode_unlock(d_inode(parent)); 2658 simple_release_fs(&mount, &count); 2659 return error; 2660 } 2661 2662 2663 2664 static const char *policy_get_link(struct dentry *dentry, 2665 struct inode *inode, 2666 struct delayed_call *done) 2667 { 2668 struct aa_ns *ns; 2669 struct path path; 2670 int error; 2671 2672 if (!dentry) 2673 return ERR_PTR(-ECHILD); 2674 2675 ns = aa_get_current_ns(); 2676 path.mnt = mntget(aafs_mnt); 2677 path.dentry = dget(ns_dir(ns)); 2678 error = nd_jump_link(&path); 2679 aa_put_ns(ns); 2680 2681 return ERR_PTR(error); 2682 } 2683 2684 static int policy_readlink(struct dentry *dentry, char __user *buffer, 2685 int buflen) 2686 { 2687 char name[32]; 2688 int res; 2689 2690 res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME, 2691 d_inode(dentry)->i_ino); 2692 if (res > 0 && res < sizeof(name)) 2693 res = readlink_copy(buffer, buflen, name, strlen(name)); 2694 else 2695 res = -ENOENT; 2696 2697 return res; 2698 } 2699 2700 static const struct inode_operations policy_link_iops = { 2701 .readlink = policy_readlink, 2702 .get_link = policy_get_link, 2703 }; 2704 2705 2706 /** 2707 * aa_create_aafs - create the apparmor security filesystem 2708 * 2709 * dentries created here are released by aa_destroy_aafs 2710 * 2711 * Returns: error on failure 2712 */ 2713 int __init aa_create_aafs(void) 2714 { 2715 struct dentry *dent; 2716 int error; 2717 2718 if (!apparmor_initialized) 2719 return 0; 2720 2721 if (aa_sfs_entry.dentry) { 2722 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 2723 return -EEXIST; 2724 } 2725 2726 /* setup apparmorfs used to virtualize policy/ */ 2727 aafs_mnt = kern_mount(&aafs_ops); 2728 if (IS_ERR(aafs_mnt)) 2729 panic("can't set apparmorfs up\n"); 2730 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; 2731 2732 /* Populate fs tree. */ 2733 error = entry_create_dir(&aa_sfs_entry, NULL); 2734 if (error) 2735 goto error; 2736 2737 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, 2738 NULL, &aa_fs_profile_load); 2739 if (IS_ERR(dent)) 2740 goto dent_error; 2741 ns_subload(root_ns) = dent; 2742 2743 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, 2744 NULL, &aa_fs_profile_replace); 2745 if (IS_ERR(dent)) 2746 goto dent_error; 2747 ns_subreplace(root_ns) = dent; 2748 2749 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, 2750 NULL, &aa_fs_profile_remove); 2751 if (IS_ERR(dent)) 2752 goto dent_error; 2753 ns_subremove(root_ns) = dent; 2754 2755 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, 2756 NULL, &aa_fs_ns_revision_fops); 2757 if (IS_ERR(dent)) 2758 goto dent_error; 2759 ns_subrevision(root_ns) = dent; 2760 2761 /* policy tree referenced by magic policy symlink */ 2762 mutex_lock_nested(&root_ns->lock, root_ns->level); 2763 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", 2764 aafs_mnt->mnt_root); 2765 mutex_unlock(&root_ns->lock); 2766 if (error) 2767 goto error; 2768 2769 /* magic symlink similar to nsfs redirects based on task policy */ 2770 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry, 2771 NULL, &policy_link_iops); 2772 if (IS_ERR(dent)) 2773 goto dent_error; 2774 2775 error = aa_mk_null_file(aa_sfs_entry.dentry); 2776 if (error) 2777 goto error; 2778 2779 /* TODO: add default profile to apparmorfs */ 2780 2781 /* Report that AppArmor fs is enabled */ 2782 aa_info_message("AppArmor Filesystem Enabled"); 2783 return 0; 2784 2785 dent_error: 2786 error = PTR_ERR(dent); 2787 error: 2788 aa_destroy_aafs(); 2789 AA_ERROR("Error creating AppArmor securityfs\n"); 2790 return error; 2791 } 2792