1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor policy attachment and domain transitions 6 * 7 * Copyright (C) 2002-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/errno.h> 12 #include <linux/fs.h> 13 #include <linux/file.h> 14 #include <linux/mount.h> 15 #include <linux/syscalls.h> 16 #include <linux/personality.h> 17 #include <linux/xattr.h> 18 #include <linux/user_namespace.h> 19 20 #include "include/audit.h" 21 #include "include/apparmorfs.h" 22 #include "include/cred.h" 23 #include "include/domain.h" 24 #include "include/file.h" 25 #include "include/ipc.h" 26 #include "include/match.h" 27 #include "include/path.h" 28 #include "include/policy.h" 29 #include "include/policy_ns.h" 30 31 static const char * const CONFLICTING_ATTACH_STR = "conflicting profile attachments"; 32 static const char * const CONFLICTING_ATTACH_STR_IX = 33 "conflicting profile attachments - ix fallback"; 34 static const char * const CONFLICTING_ATTACH_STR_UX = 35 "conflicting profile attachments - ux fallback"; 36 37 /** 38 * may_change_ptraced_domain - check if can change profile on ptraced task 39 * @to_cred: cred of task changing domain 40 * @to_label: profile to change to (NOT NULL) 41 * @info: message if there is an error 42 * 43 * Check if current is ptraced and if so if the tracing task is allowed 44 * to trace the new domain 45 * 46 * Returns: %0 or error if change not allowed 47 */ 48 static int may_change_ptraced_domain(const struct cred *to_cred, 49 struct aa_label *to_label, 50 const char **info) 51 { 52 struct task_struct *tracer; 53 struct aa_label *tracerl = NULL; 54 const struct cred *tracer_cred = NULL; 55 56 int error = 0; 57 58 rcu_read_lock(); 59 tracer = ptrace_parent(current); 60 if (tracer) { 61 /* released below */ 62 tracerl = aa_get_task_label(tracer); 63 tracer_cred = get_task_cred(tracer); 64 } 65 /* not ptraced */ 66 if (!tracer || unconfined(tracerl)) 67 goto out; 68 69 error = aa_may_ptrace(tracer_cred, tracerl, to_cred, to_label, 70 PTRACE_MODE_ATTACH); 71 72 out: 73 rcu_read_unlock(); 74 aa_put_label(tracerl); 75 put_cred(tracer_cred); 76 77 if (error) 78 *info = "ptrace prevents transition"; 79 return error; 80 } 81 82 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging 83 * specifically this is an exact copy of aa_label_match except 84 * aa_compute_perms is replaced with aa_compute_fperms 85 * and policy->dfa with file->dfa 86 ****/ 87 /* match a profile and its associated ns component if needed 88 * Assumes visibility test has already been done. 89 * If a subns profile is not to be matched should be prescreened with 90 * visibility test. 91 */ 92 static inline aa_state_t match_component(struct aa_profile *profile, 93 struct aa_profile *tp, 94 bool stack, aa_state_t state) 95 { 96 struct aa_ruleset *rules = profile->label.rules[0]; 97 const char *ns_name; 98 99 if (stack) 100 state = aa_dfa_match(rules->file->dfa, state, "&"); 101 if (profile->ns == tp->ns) 102 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); 103 104 /* try matching with namespace name and then profile */ 105 ns_name = aa_ns_name(profile->ns, tp->ns, true); 106 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); 107 state = aa_dfa_match(rules->file->dfa, state, ns_name); 108 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); 109 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); 110 } 111 112 /** 113 * label_compound_match - find perms for full compound label 114 * @profile: profile to find perms for 115 * @label: label to check access permissions for 116 * @stack: whether this is a stacking request 117 * @state: state to start match in 118 * @inview: whether to match labels in view or only in scope 119 * @request: permissions to request 120 * @perms: perms struct to set 121 * 122 * Returns: 0 on success else ERROR 123 * 124 * For the label A//&B//&C this does the perm match for A//&B//&C 125 * @perms should be preinitialized with allperms OR a previous permission 126 * check to be stacked. 127 */ 128 static int label_compound_match(struct aa_profile *profile, 129 struct aa_label *label, bool stack, 130 aa_state_t state, bool inview, u32 request, 131 struct aa_perms *perms) 132 { 133 struct aa_ruleset *rules = profile->label.rules[0]; 134 struct aa_profile *tp; 135 struct label_it i; 136 struct path_cond cond = { }; 137 138 /* find first subcomponent that is in view and going to be interated with */ 139 label_for_each(i, label, tp) { 140 if (!aa_ns_visible(profile->ns, tp->ns, inview)) 141 continue; 142 state = match_component(profile, tp, stack, state); 143 if (!state) 144 goto fail; 145 goto next; 146 } 147 148 /* no component visible */ 149 *perms = allperms; 150 return 0; 151 152 next: 153 label_for_each_cont(i, label, tp) { 154 if (!aa_ns_visible(profile->ns, tp->ns, inview)) 155 continue; 156 state = aa_dfa_match(rules->file->dfa, state, "//&"); 157 state = match_component(profile, tp, false, state); 158 if (!state) 159 goto fail; 160 } 161 *perms = *(aa_lookup_condperms(current_fsuid(), rules->file, state, 162 &cond)); 163 aa_apply_modes_to_perms(profile, perms); 164 if ((perms->allow & request) != request) 165 return -EACCES; 166 167 return 0; 168 169 fail: 170 *perms = nullperms; 171 return -EACCES; 172 } 173 174 /** 175 * label_components_match - find perms for all subcomponents of a label 176 * @profile: profile to find perms for 177 * @label: label to check access permissions for 178 * @stack: whether this is a stacking request 179 * @start: state to start match in 180 * @inview: whether to match labels in view or only in scope 181 * @request: permissions to request 182 * @perms: an initialized perms struct to add accumulation to 183 * 184 * Returns: 0 on success else ERROR 185 * 186 * For the label A//&B//&C this does the perm match for each of A and B and C 187 * @perms should be preinitialized with allperms OR a previous permission 188 * check to be stacked. 189 */ 190 static int label_components_match(struct aa_profile *profile, 191 struct aa_label *label, bool stack, 192 aa_state_t start, bool inview, u32 request, 193 struct aa_perms *perms) 194 { 195 struct aa_ruleset *rules = profile->label.rules[0]; 196 struct aa_profile *tp; 197 struct label_it i; 198 struct aa_perms tmp; 199 struct path_cond cond = { }; 200 aa_state_t state = 0; 201 202 /* find first subcomponent to test */ 203 label_for_each(i, label, tp) { 204 if (!aa_ns_visible(profile->ns, tp->ns, inview)) 205 continue; 206 state = match_component(profile, tp, stack, start); 207 if (!state) 208 goto fail; 209 goto next; 210 } 211 212 /* no subcomponents visible - no change in perms */ 213 return 0; 214 215 next: 216 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state, 217 &cond)); 218 aa_apply_modes_to_perms(profile, &tmp); 219 aa_perms_accum(perms, &tmp); 220 label_for_each_cont(i, label, tp) { 221 if (!aa_ns_visible(profile->ns, tp->ns, inview)) 222 continue; 223 state = match_component(profile, tp, stack, start); 224 if (!state) 225 goto fail; 226 tmp = *(aa_lookup_condperms(current_fsuid(), rules->file, state, 227 &cond)); 228 aa_apply_modes_to_perms(profile, &tmp); 229 aa_perms_accum(perms, &tmp); 230 } 231 232 if ((perms->allow & request) != request) 233 return -EACCES; 234 235 return 0; 236 237 fail: 238 *perms = nullperms; 239 return -EACCES; 240 } 241 242 /** 243 * label_match - do a multi-component label match 244 * @profile: profile to match against (NOT NULL) 245 * @label: label to match (NOT NULL) 246 * @stack: whether this is a stacking request 247 * @state: state to start in 248 * @inview: whether to match labels in view or only in scope 249 * @request: permission request 250 * @perms: Returns computed perms (NOT NULL) 251 * 252 * Returns: the state the match finished in, may be the none matching state 253 */ 254 static int label_match(struct aa_profile *profile, struct aa_label *label, 255 bool stack, aa_state_t state, bool inview, u32 request, 256 struct aa_perms *perms) 257 { 258 int error; 259 260 *perms = nullperms; 261 error = label_compound_match(profile, label, stack, state, inview, 262 request, perms); 263 if (!error) 264 return error; 265 266 *perms = allperms; 267 return label_components_match(profile, label, stack, state, inview, 268 request, perms); 269 } 270 271 /******* end TODO: dedup *****/ 272 273 /** 274 * change_profile_perms - find permissions for change_profile 275 * @profile: the current profile (NOT NULL) 276 * @target: label to transition to (NOT NULL) 277 * @stack: whether this is a stacking request 278 * @request: requested perms 279 * @start: state to start matching in 280 * @perms: Returns computed perms (NOT NULL) 281 * 282 * 283 * Returns: permission set 284 * 285 * currently only matches full label A//&B//&C or individual components A, B, C 286 * not arbitrary combinations. Eg. A//&B, C 287 */ 288 static int change_profile_perms(struct aa_profile *profile, 289 struct aa_label *target, bool stack, 290 u32 request, aa_state_t start, 291 struct aa_perms *perms) 292 { 293 if (profile_unconfined(profile)) { 294 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; 295 perms->audit = perms->quiet = perms->kill = 0; 296 return 0; 297 } 298 299 /* TODO: add profile in ns screening */ 300 return label_match(profile, target, stack, start, true, request, perms); 301 } 302 303 /** 304 * aa_xattrs_match - check whether a file matches the xattrs defined in profile 305 * @bprm: binprm struct for the process to validate 306 * @profile: profile to match against (NOT NULL) 307 * @state: state to start match in 308 * 309 * Returns: number of extended attributes that matched, or < 0 on error 310 */ 311 static int aa_xattrs_match(const struct linux_binprm *bprm, 312 struct aa_profile *profile, aa_state_t state) 313 { 314 int i; 315 struct dentry *d; 316 char *value = NULL; 317 struct aa_attachment *attach = &profile->attach; 318 int size, value_size = 0, ret = attach->xattr_count; 319 320 if (!bprm || !attach->xattr_count) 321 return 0; 322 might_sleep(); 323 324 /* transition from exec match to xattr set */ 325 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); 326 d = bprm->file->f_path.dentry; 327 328 for (i = 0; i < attach->xattr_count; i++) { 329 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i], 330 &value, value_size, GFP_KERNEL); 331 if (size >= 0) { 332 struct aa_perms *perms; 333 334 /* 335 * Check the xattr presence before value. This ensure 336 * that not present xattr can be distinguished from a 0 337 * length value or rule that matches any value 338 */ 339 state = aa_dfa_null_transition(attach->xmatch->dfa, 340 state); 341 /* Check xattr value */ 342 state = aa_dfa_match_len(attach->xmatch->dfa, state, 343 value, size); 344 perms = aa_lookup_perms(attach->xmatch, state); 345 if (!(perms->allow & MAY_EXEC)) { 346 ret = -EINVAL; 347 goto out; 348 } 349 } 350 /* transition to next element */ 351 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); 352 if (size < 0) { 353 /* 354 * No xattr match, so verify if transition to 355 * next element was valid. IFF so the xattr 356 * was optional. 357 */ 358 if (!state) { 359 ret = -EINVAL; 360 goto out; 361 } 362 /* don't count missing optional xattr as matched */ 363 ret--; 364 } 365 } 366 367 out: 368 kfree(value); 369 return ret; 370 } 371 372 /** 373 * find_attach - do attachment search for unconfined processes 374 * @bprm: binprm structure of transitioning task 375 * @ns: the current namespace (NOT NULL) 376 * @head: profile list to walk (NOT NULL) 377 * @name: to match against (NOT NULL) 378 * @info: info message if there was an error (NOT NULL) 379 * 380 * Do a linear search on the profiles in the list. There is a matching 381 * preference where an exact match is preferred over a name which uses 382 * expressions to match, and matching expressions with the greatest 383 * xmatch_len are preferred. 384 * 385 * Requires: @head not be shared or have appropriate locks held 386 * 387 * Returns: label or NULL if no match found 388 */ 389 static struct aa_label *find_attach(const struct linux_binprm *bprm, 390 struct aa_ns *ns, struct list_head *head, 391 const char *name, const char **info) 392 { 393 int candidate_len = 0, candidate_xattrs = 0; 394 bool conflict = false; 395 struct aa_profile *profile, *candidate = NULL; 396 397 AA_BUG(!name); 398 AA_BUG(!head); 399 400 rcu_read_lock(); 401 restart: 402 list_for_each_entry_rcu(profile, head, base.list) { 403 struct aa_attachment *attach = &profile->attach; 404 405 if (profile->label.flags & FLAG_NULL && 406 &profile->label == ns_unconfined(profile->ns)) 407 continue; 408 409 /* Find the "best" matching profile. Profiles must 410 * match the path and extended attributes (if any) 411 * associated with the file. A more specific path 412 * match will be preferred over a less specific one, 413 * and a match with more matching extended attributes 414 * will be preferred over one with fewer. If the best 415 * match has both the same level of path specificity 416 * and the same number of matching extended attributes 417 * as another profile, signal a conflict and refuse to 418 * match. 419 */ 420 if (attach->xmatch->dfa) { 421 unsigned int count; 422 aa_state_t state; 423 struct aa_perms *perms; 424 425 state = aa_dfa_leftmatch(attach->xmatch->dfa, 426 attach->xmatch->start[AA_CLASS_XMATCH], 427 name, &count); 428 perms = aa_lookup_perms(attach->xmatch, state); 429 /* any accepting state means a valid match. */ 430 if (perms->allow & MAY_EXEC) { 431 int ret = 0; 432 433 if (count < candidate_len) 434 continue; 435 436 if (bprm && attach->xattr_count) { 437 long rev = READ_ONCE(ns->revision); 438 439 if (!aa_get_profile_not0(profile)) 440 goto restart; 441 rcu_read_unlock(); 442 ret = aa_xattrs_match(bprm, profile, 443 state); 444 rcu_read_lock(); 445 aa_put_profile(profile); 446 if (rev != 447 READ_ONCE(ns->revision)) 448 /* policy changed */ 449 goto restart; 450 /* 451 * Fail matching if the xattrs don't 452 * match 453 */ 454 if (ret < 0) 455 continue; 456 } 457 /* 458 * TODO: allow for more flexible best match 459 * 460 * The new match isn't more specific 461 * than the current best match 462 */ 463 if (count == candidate_len && 464 ret <= candidate_xattrs) { 465 /* Match is equivalent, so conflict */ 466 if (ret == candidate_xattrs) 467 conflict = true; 468 continue; 469 } 470 471 /* Either the same length with more matching 472 * xattrs, or a longer match 473 */ 474 candidate = profile; 475 candidate_len = max(count, attach->xmatch_len); 476 candidate_xattrs = ret; 477 conflict = false; 478 } 479 } else if (!strcmp(profile->base.name, name)) { 480 /* 481 * old exact non-re match, without conditionals such 482 * as xattrs. no more searching required 483 */ 484 candidate = profile; 485 goto out; 486 } 487 } 488 489 if (!candidate || conflict) { 490 if (conflict) 491 *info = CONFLICTING_ATTACH_STR; 492 rcu_read_unlock(); 493 return NULL; 494 } 495 496 out: 497 candidate = aa_get_newest_profile(candidate); 498 rcu_read_unlock(); 499 500 return &candidate->label; 501 } 502 503 static const char *next_name(int xtype, const char *name) 504 { 505 return NULL; 506 } 507 508 /** 509 * x_table_lookup - lookup an x transition name via transition table 510 * @profile: current profile (NOT NULL) 511 * @xindex: index into x transition table 512 * @name: returns: name tested to find label (NOT NULL) 513 * 514 * Returns: refcounted label, or NULL on failure (MAYBE NULL) 515 * @name will always be set with the last name tried 516 */ 517 struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex, 518 const char **name) 519 { 520 struct aa_ruleset *rules = profile->label.rules[0]; 521 struct aa_label *label = NULL; 522 u32 xtype = xindex & AA_X_TYPE_MASK; 523 int index = xindex & AA_X_INDEX_MASK; 524 const char *next; 525 526 AA_BUG(!name); 527 528 /* index is guaranteed to be in range, validated at load time */ 529 /* TODO: move lookup parsing to unpack time so this is a straight 530 * index into the resultant label 531 */ 532 for (next = rules->file->trans.table[index].strs; next; 533 next = next_name(xtype, next)) { 534 const char *lookup = (*next == '&') ? next + 1 : next; 535 *name = next; 536 if (xindex & AA_X_CHILD) { 537 /* TODO: switich to parse to get stack of child */ 538 struct aa_profile *new = aa_find_child(profile, lookup); 539 540 if (new) 541 /* release by caller */ 542 return &new->label; 543 continue; 544 } 545 label = aa_label_parse(&profile->label, lookup, GFP_KERNEL, 546 true, false); 547 if (!IS_ERR_OR_NULL(label)) 548 /* release by caller */ 549 return label; 550 } 551 552 return NULL; 553 } 554 555 /** 556 * x_to_label - get target label for a given xindex 557 * @profile: current profile (NOT NULL) 558 * @bprm: binprm structure of transitioning task 559 * @name: name to lookup (NOT NULL) 560 * @xindex: index into x transition table 561 * @lookupname: returns: name used in lookup if one was specified (NOT NULL) 562 * @info: info message if there was an error (NOT NULL) 563 * 564 * find label for a transition index 565 * 566 * Returns: refcounted label or NULL if not found available 567 */ 568 static struct aa_label *x_to_label(struct aa_profile *profile, 569 const struct linux_binprm *bprm, 570 const char *name, u32 xindex, 571 const char **lookupname, 572 const char **info) 573 { 574 struct aa_label *new = NULL; 575 struct aa_label *stack = NULL; 576 struct aa_ns *ns = profile->ns; 577 u32 xtype = xindex & AA_X_TYPE_MASK; 578 /* Used for info checks during fallback handling */ 579 const char *old_info = NULL; 580 581 switch (xtype) { 582 case AA_X_NONE: 583 /* fail exec unless ix || ux fallback - handled by caller */ 584 *lookupname = NULL; 585 break; 586 case AA_X_TABLE: 587 /* TODO: fix when perm mapping done at unload */ 588 /* released by caller 589 * if null for both stack and direct want to try fallback 590 */ 591 new = x_table_lookup(profile, xindex, lookupname); 592 if (!new || **lookupname != '&') 593 break; 594 stack = new; 595 new = NULL; 596 fallthrough; /* to X_NAME */ 597 case AA_X_NAME: 598 if (xindex & AA_X_CHILD) 599 /* released by caller */ 600 new = find_attach(bprm, ns, &profile->base.profiles, 601 name, info); 602 else 603 /* released by caller */ 604 new = find_attach(bprm, ns, &ns->base.profiles, 605 name, info); 606 *lookupname = name; 607 break; 608 } 609 610 /* fallback transition check */ 611 if (!new) { 612 if (xindex & AA_X_INHERIT) { 613 /* (p|c|n)ix - don't change profile but do 614 * use the newest version 615 */ 616 if (*info == CONFLICTING_ATTACH_STR) { 617 *info = CONFLICTING_ATTACH_STR_IX; 618 } else { 619 old_info = *info; 620 *info = "ix fallback"; 621 } 622 /* no profile && no error */ 623 new = aa_get_newest_label(&profile->label); 624 } else if (xindex & AA_X_UNCONFINED) { 625 new = aa_get_newest_label(ns_unconfined(profile->ns)); 626 if (*info == CONFLICTING_ATTACH_STR) { 627 *info = CONFLICTING_ATTACH_STR_UX; 628 } else { 629 old_info = *info; 630 *info = "ux fallback"; 631 } 632 } 633 /* We set old_info on the code paths above where overwriting 634 * could have happened, so now check if info was set by 635 * find_attach as well (i.e. whether we actually overwrote) 636 * and warn accordingly. 637 */ 638 if (old_info && old_info != CONFLICTING_ATTACH_STR) { 639 pr_warn_ratelimited( 640 "AppArmor: find_attach (from profile %s) audit info \"%s\" dropped", 641 profile->base.hname, old_info); 642 } 643 } 644 645 if (new && stack) { 646 /* base the stack on post domain transition */ 647 struct aa_label *base = new; 648 649 new = aa_label_merge(base, stack, GFP_KERNEL); 650 /* null on error */ 651 aa_put_label(base); 652 } 653 654 aa_put_label(stack); 655 /* released by caller */ 656 return new; 657 } 658 659 static struct aa_label *profile_transition(const struct cred *subj_cred, 660 struct aa_profile *profile, 661 const struct linux_binprm *bprm, 662 char *buffer, struct path_cond *cond, 663 bool *secure_exec) 664 { 665 struct aa_ruleset *rules = profile->label.rules[0]; 666 struct aa_label *new = NULL; 667 struct aa_profile *new_profile = NULL; 668 const char *info = NULL, *name = NULL, *target = NULL; 669 aa_state_t state = rules->file->start[AA_CLASS_FILE]; 670 struct aa_perms perms = {}; 671 bool nonewprivs = false; 672 int error = 0; 673 674 AA_BUG(!profile); 675 AA_BUG(!bprm); 676 AA_BUG(!buffer); 677 678 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, 679 &name, &info, profile->disconnected); 680 if (error) { 681 if (profile_unconfined(profile) || 682 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { 683 AA_DEBUG(DEBUG_DOMAIN, "name lookup ix on error"); 684 error = 0; 685 new = aa_get_newest_label(&profile->label); 686 } 687 name = bprm->filename; 688 goto audit; 689 } 690 691 if (profile_unconfined(profile)) { 692 new = find_attach(bprm, profile->ns, 693 &profile->ns->base.profiles, name, &info); 694 /* info set -> something unusual that we should report 695 * Currently this is only conflicting attachments, but other 696 * infos added in the future should also be logged by default 697 * and only excluded on a case-by-case basis 698 */ 699 if (info) { 700 /* Because perms is never used again after this audit 701 * we don't need to care about clobbering it 702 */ 703 perms.audit |= MAY_EXEC; 704 perms.allow |= MAY_EXEC; 705 /* Don't cause error if auditing fails */ 706 (void) aa_audit_file(subj_cred, profile, &perms, 707 OP_EXEC, MAY_EXEC, name, target, new, cond->uid, 708 info, error); 709 } 710 if (new) { 711 AA_DEBUG(DEBUG_DOMAIN, "unconfined attached to new label"); 712 return new; 713 } 714 AA_DEBUG(DEBUG_DOMAIN, "unconfined exec no attachment"); 715 return aa_get_newest_label(&profile->label); 716 } 717 718 /* find exec permissions for name */ 719 state = aa_str_perms(rules->file, state, name, cond, &perms); 720 if (perms.allow & MAY_EXEC) { 721 /* exec permission determine how to transition */ 722 new = x_to_label(profile, bprm, name, perms.xindex, &target, 723 &info); 724 if (new && new->proxy == profile->label.proxy && info) { 725 /* Force audit on conflicting attachment fallback 726 * Because perms is never used again after this audit 727 * we don't need to care about clobbering it 728 */ 729 if (info == CONFLICTING_ATTACH_STR_IX 730 || info == CONFLICTING_ATTACH_STR_UX) 731 perms.audit |= MAY_EXEC; 732 /* hack ix fallback - improve how this is detected */ 733 goto audit; 734 } else if (!new) { 735 if (info) { 736 pr_warn_ratelimited( 737 "AppArmor: %s (from profile %s) audit info \"%s\" dropped on missing transition", 738 __func__, profile->base.hname, info); 739 } 740 info = "profile transition not found"; 741 /* remove MAY_EXEC to audit as failure or complaint */ 742 perms.allow &= ~MAY_EXEC; 743 if (COMPLAIN_MODE(profile)) { 744 /* create null profile instead of failing */ 745 goto create_learning_profile; 746 } 747 error = -EACCES; 748 } 749 } else if (COMPLAIN_MODE(profile)) { 750 create_learning_profile: 751 /* no exec permission - learning mode */ 752 new_profile = aa_new_learning_profile(profile, false, name, 753 GFP_KERNEL); 754 if (!new_profile) { 755 error = -ENOMEM; 756 info = "could not create null profile"; 757 } else { 758 error = -EACCES; 759 new = &new_profile->label; 760 } 761 perms.xindex |= AA_X_UNSAFE; 762 } else 763 /* fail exec */ 764 error = -EACCES; 765 766 if (!new) 767 goto audit; 768 769 770 if (!(perms.xindex & AA_X_UNSAFE)) { 771 if (DEBUG_ON) { 772 dbg_printk("apparmor: setting AT_SECURE for %s profile=", 773 name); 774 aa_label_printk(new, GFP_KERNEL); 775 dbg_printk("\n"); 776 } 777 *secure_exec = true; 778 } 779 780 audit: 781 aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name, 782 target, new, 783 cond->uid, info, error); 784 if (!new || nonewprivs) { 785 aa_put_label(new); 786 return ERR_PTR(error); 787 } 788 789 return new; 790 } 791 792 static int profile_onexec(const struct cred *subj_cred, 793 struct aa_profile *profile, struct aa_label *onexec, 794 bool stack, const struct linux_binprm *bprm, 795 char *buffer, struct path_cond *cond, 796 bool *secure_exec) 797 { 798 struct aa_ruleset *rules = profile->label.rules[0]; 799 aa_state_t state = rules->file->start[AA_CLASS_FILE]; 800 struct aa_perms perms = {}; 801 const char *xname = NULL, *info = "change_profile onexec"; 802 int error = -EACCES; 803 804 AA_BUG(!profile); 805 AA_BUG(!onexec); 806 AA_BUG(!bprm); 807 AA_BUG(!buffer); 808 809 if (profile_unconfined(profile)) { 810 /* change_profile on exec already granted */ 811 /* 812 * NOTE: Domain transitions from unconfined are allowed 813 * even when no_new_privs is set because this always results 814 * in a further reduction of permissions. 815 */ 816 return 0; 817 } 818 819 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, 820 &xname, &info, profile->disconnected); 821 if (error) { 822 if (profile_unconfined(profile) || 823 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { 824 AA_DEBUG(DEBUG_DOMAIN, "name lookup ix on error"); 825 error = 0; 826 } 827 xname = bprm->filename; 828 goto audit; 829 } 830 831 /* find exec permissions for name */ 832 state = aa_str_perms(rules->file, state, xname, cond, &perms); 833 if (!(perms.allow & AA_MAY_ONEXEC)) { 834 info = "no change_onexec valid for executable"; 835 goto audit; 836 } 837 /* test if this exec can be paired with change_profile onexec. 838 * onexec permission is linked to exec with a standard pairing 839 * exec\0change_profile 840 */ 841 state = aa_dfa_null_transition(rules->file->dfa, state); 842 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC, 843 state, &perms); 844 if (error) { 845 perms.allow &= ~AA_MAY_ONEXEC; 846 goto audit; 847 } 848 849 if (!(perms.xindex & AA_X_UNSAFE)) { 850 if (DEBUG_ON) { 851 dbg_printk("apparmor: setting AT_SECURE for %s label=", 852 xname); 853 aa_label_printk(onexec, GFP_KERNEL); 854 dbg_printk("\n"); 855 } 856 *secure_exec = true; 857 } 858 859 audit: 860 return aa_audit_file(subj_cred, profile, &perms, OP_EXEC, 861 AA_MAY_ONEXEC, xname, 862 NULL, onexec, cond->uid, info, error); 863 } 864 865 /* ensure none ns domain transitions are correctly applied with onexec */ 866 867 static struct aa_label *handle_onexec(const struct cred *subj_cred, 868 struct aa_label *label, 869 struct aa_label *onexec, bool stack, 870 const struct linux_binprm *bprm, 871 char *buffer, struct path_cond *cond, 872 bool *unsafe) 873 { 874 struct aa_profile *profile; 875 struct aa_label *new; 876 int error; 877 878 AA_BUG(!label); 879 AA_BUG(!onexec); 880 AA_BUG(!bprm); 881 AA_BUG(!buffer); 882 883 /* TODO: determine how much we want to loosen this 884 * only check profiles in scope for permission to change at exec 885 */ 886 error = fn_for_each_in_scope(label, profile, 887 profile_onexec(subj_cred, profile, onexec, stack, 888 bprm, buffer, cond, unsafe)); 889 if (error) 890 return ERR_PTR(error); 891 892 new = fn_label_build_in_scope(label, profile, GFP_KERNEL, 893 stack ? aa_label_merge(&profile->label, onexec, 894 GFP_KERNEL) 895 : aa_get_newest_label(onexec), 896 profile_transition(subj_cred, profile, bprm, 897 buffer, cond, unsafe)); 898 if (new) 899 return new; 900 901 /* TODO: get rid of GLOBAL_ROOT_UID */ 902 error = fn_for_each_in_scope(label, profile, 903 aa_audit_file(subj_cred, profile, &nullperms, 904 OP_CHANGE_ONEXEC, 905 AA_MAY_ONEXEC, bprm->filename, NULL, 906 onexec, GLOBAL_ROOT_UID, 907 "failed to build target label", -ENOMEM)); 908 return ERR_PTR(error); 909 } 910 911 /** 912 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct 913 * @bprm: binprm for the exec (NOT NULL) 914 * 915 * Returns: %0 or error on failure 916 * 917 * TODO: once the other paths are done see if we can't refactor into a fn 918 */ 919 int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm) 920 { 921 struct aa_task_ctx *ctx; 922 struct aa_label *label, *new = NULL; 923 const struct cred *subj_cred; 924 struct aa_profile *profile; 925 char *buffer = NULL; 926 const char *info = NULL; 927 int error = 0; 928 bool unsafe = false; 929 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file), 930 file_inode(bprm->file)); 931 struct path_cond cond = { 932 vfsuid_into_kuid(vfsuid), 933 file_inode(bprm->file)->i_mode 934 }; 935 936 subj_cred = current_cred(); 937 ctx = task_ctx(current); 938 AA_BUG(!cred_label(bprm->cred)); 939 AA_BUG(!ctx); 940 941 label = aa_get_newest_label(cred_label(bprm->cred)); 942 943 /* 944 * Detect no new privs being set, and store the label it 945 * occurred under. Ideally this would happen when nnp 946 * is set but there isn't a good way to do that yet. 947 * 948 * Testing for unconfined must be done before the subset test 949 */ 950 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && 951 !ctx->nnp) 952 ctx->nnp = aa_get_label(label); 953 954 /* buffer freed below, name is pointer into buffer */ 955 buffer = aa_get_buffer(false); 956 if (!buffer) { 957 error = -ENOMEM; 958 goto done; 959 } 960 961 /* Test for onexec first as onexec override other x transitions. */ 962 if (ctx->onexec) 963 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, 964 bprm, buffer, &cond, &unsafe); 965 else 966 new = fn_label_build(label, profile, GFP_KERNEL, 967 profile_transition(subj_cred, profile, bprm, 968 buffer, 969 &cond, &unsafe)); 970 971 AA_BUG(!new); 972 if (IS_ERR(new)) { 973 error = PTR_ERR(new); 974 goto done; 975 } else if (!new) { 976 error = -ENOMEM; 977 goto done; 978 } 979 980 /* Policy has specified a domain transitions. If no_new_privs and 981 * confined ensure the transition is to confinement that is subset 982 * of the confinement when the task entered no new privs. 983 * 984 * NOTE: Domain transitions from unconfined and to stacked 985 * subsets are allowed even when no_new_privs is set because this 986 * always results in a further reduction of permissions. 987 */ 988 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && 989 !unconfined(label) && 990 !aa_label_is_unconfined_subset(new, ctx->nnp)) { 991 error = -EPERM; 992 info = "no new privs"; 993 goto audit; 994 } 995 996 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 997 /* FIXME: currently don't mediate shared state */ 998 ; 999 } 1000 1001 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) { 1002 /* TODO: test needs to be profile of label to new */ 1003 error = may_change_ptraced_domain(bprm->cred, new, &info); 1004 if (error) 1005 goto audit; 1006 } 1007 1008 if (unsafe) { 1009 if (DEBUG_ON) { 1010 dbg_printk("setting AT_SECURE for %s label=", 1011 bprm->filename); 1012 aa_label_printk(new, GFP_KERNEL); 1013 dbg_printk("\n"); 1014 } 1015 bprm->secureexec = 1; 1016 } 1017 1018 if (label->proxy != new->proxy) { 1019 /* when transitioning clear unsafe personality bits */ 1020 if (DEBUG_ON) { 1021 dbg_printk("apparmor: clearing unsafe personality bits. %s label=", 1022 bprm->filename); 1023 aa_label_printk(new, GFP_KERNEL); 1024 dbg_printk("\n"); 1025 } 1026 bprm->per_clear |= PER_CLEAR_ON_SETID; 1027 } 1028 aa_put_label(cred_label(bprm->cred)); 1029 /* transfer reference, released when cred is freed */ 1030 set_cred_label(bprm->cred, new); 1031 1032 done: 1033 aa_put_label(label); 1034 aa_put_buffer(buffer); 1035 1036 return error; 1037 1038 audit: 1039 error = fn_for_each(label, profile, 1040 aa_audit_file(current_cred(), profile, &nullperms, 1041 OP_EXEC, MAY_EXEC, 1042 bprm->filename, NULL, new, 1043 vfsuid_into_kuid(vfsuid), info, error)); 1044 aa_put_label(new); 1045 goto done; 1046 } 1047 1048 /* 1049 * Functions for self directed profile change 1050 */ 1051 1052 1053 /* helper fn for change_hat 1054 * 1055 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL 1056 */ 1057 static struct aa_label *build_change_hat(const struct cred *subj_cred, 1058 struct aa_profile *profile, 1059 const char *name, bool sibling) 1060 { 1061 struct aa_profile *root, *hat = NULL; 1062 const char *info = NULL; 1063 int error = 0; 1064 1065 if (sibling && PROFILE_IS_HAT(profile)) { 1066 root = aa_get_profile_rcu(&profile->parent); 1067 } else if (!sibling && !PROFILE_IS_HAT(profile)) { 1068 root = aa_get_profile(profile); 1069 } else { 1070 info = "conflicting target types"; 1071 error = -EPERM; 1072 goto audit; 1073 } 1074 1075 hat = aa_find_child(root, name); 1076 if (!hat) { 1077 error = -ENOENT; 1078 if (COMPLAIN_MODE(profile)) { 1079 hat = aa_new_learning_profile(profile, true, name, 1080 GFP_KERNEL); 1081 if (!hat) { 1082 info = "failed null profile create"; 1083 error = -ENOMEM; 1084 } 1085 } 1086 } 1087 aa_put_profile(root); 1088 1089 audit: 1090 aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT, 1091 AA_MAY_CHANGEHAT, 1092 name, hat ? hat->base.hname : NULL, 1093 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, 1094 error); 1095 if (!hat || (error && error != -ENOENT)) 1096 return ERR_PTR(error); 1097 /* if hat && error - complain mode, already audited and we adjust for 1098 * complain mode allow by returning hat->label 1099 */ 1100 return &hat->label; 1101 } 1102 1103 /* helper fn for changing into a hat 1104 * 1105 * Returns: label for hat transition or ERR_PTR. Does not return NULL 1106 */ 1107 static struct aa_label *change_hat(const struct cred *subj_cred, 1108 struct aa_label *label, const char *hats[], 1109 int count, int flags) 1110 { 1111 struct aa_profile *profile, *root, *hat = NULL; 1112 struct aa_label *new; 1113 struct label_it it; 1114 bool sibling = false; 1115 const char *name, *info = NULL; 1116 int i, error; 1117 1118 AA_BUG(!label); 1119 AA_BUG(!hats); 1120 AA_BUG(count < 1); 1121 1122 if (PROFILE_IS_HAT(labels_profile(label))) 1123 sibling = true; 1124 1125 /*find first matching hat */ 1126 for (i = 0; i < count && !hat; i++) { 1127 name = hats[i]; 1128 label_for_each_in_scope(it, labels_ns(label), label, profile) { 1129 if (sibling && PROFILE_IS_HAT(profile)) { 1130 root = aa_get_profile_rcu(&profile->parent); 1131 } else if (!sibling && !PROFILE_IS_HAT(profile)) { 1132 root = aa_get_profile(profile); 1133 } else { /* conflicting change type */ 1134 info = "conflicting targets types"; 1135 error = -EPERM; 1136 goto fail; 1137 } 1138 hat = aa_find_child(root, name); 1139 aa_put_profile(root); 1140 if (!hat) { 1141 if (!COMPLAIN_MODE(profile)) 1142 goto outer_continue; 1143 /* complain mode succeed as if hat */ 1144 } else if (!PROFILE_IS_HAT(hat)) { 1145 info = "target not hat"; 1146 error = -EPERM; 1147 aa_put_profile(hat); 1148 goto fail; 1149 } 1150 aa_put_profile(hat); 1151 } 1152 /* found a hat for all profiles in ns */ 1153 goto build; 1154 outer_continue: 1155 ; 1156 } 1157 /* no hats that match, find appropriate error 1158 * 1159 * In complain mode audit of the failure is based off of the first 1160 * hat supplied. This is done due how userspace interacts with 1161 * change_hat. 1162 */ 1163 name = NULL; 1164 label_for_each_in_scope(it, labels_ns(label), label, profile) { 1165 if (!list_empty(&profile->base.profiles)) { 1166 info = "hat not found"; 1167 error = -ENOENT; 1168 goto fail; 1169 } 1170 } 1171 info = "no hats defined"; 1172 error = -ECHILD; 1173 1174 fail: 1175 label_for_each_in_scope(it, labels_ns(label), label, profile) { 1176 /* 1177 * no target as it has failed to be found or built 1178 * 1179 * change_hat uses probing and should not log failures 1180 * related to missing hats 1181 */ 1182 /* TODO: get rid of GLOBAL_ROOT_UID */ 1183 if (count > 1 || COMPLAIN_MODE(profile)) { 1184 aa_audit_file(subj_cred, profile, &nullperms, 1185 OP_CHANGE_HAT, 1186 AA_MAY_CHANGEHAT, name, NULL, NULL, 1187 GLOBAL_ROOT_UID, info, error); 1188 } 1189 } 1190 return ERR_PTR(error); 1191 1192 build: 1193 new = fn_label_build_in_scope(label, profile, GFP_KERNEL, 1194 build_change_hat(subj_cred, profile, name, 1195 sibling), 1196 aa_get_label(&profile->label)); 1197 if (!new) { 1198 info = "label build failed"; 1199 error = -ENOMEM; 1200 goto fail; 1201 } /* else if (IS_ERR) build_change_hat has logged error so return new */ 1202 1203 return new; 1204 } 1205 1206 /** 1207 * aa_change_hat - change hat to/from subprofile 1208 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0) 1209 * @count: number of hat names in @hats 1210 * @token: magic value to validate the hat change 1211 * @flags: flags affecting behavior of the change 1212 * 1213 * Returns %0 on success, error otherwise. 1214 * 1215 * Change to the first profile specified in @hats that exists, and store 1216 * the @hat_magic in the current task context. If the count == 0 and the 1217 * @token matches that stored in the current task context, return to the 1218 * top level profile. 1219 * 1220 * change_hat only applies to profiles in the current ns, and each profile 1221 * in the ns must make the same transition otherwise change_hat will fail. 1222 */ 1223 int aa_change_hat(const char *hats[], int count, u64 token, int flags) 1224 { 1225 const struct cred *subj_cred; 1226 struct aa_task_ctx *ctx = task_ctx(current); 1227 struct aa_label *label, *previous, *new = NULL, *target = NULL; 1228 struct aa_profile *profile; 1229 struct aa_perms perms = {}; 1230 const char *info = NULL; 1231 int error = 0; 1232 1233 /* released below */ 1234 subj_cred = get_current_cred(); 1235 label = aa_get_newest_cred_label(subj_cred); 1236 previous = aa_get_newest_label(ctx->previous); 1237 1238 /* 1239 * Detect no new privs being set, and store the label it 1240 * occurred under. Ideally this would happen when nnp 1241 * is set but there isn't a good way to do that yet. 1242 * 1243 * Testing for unconfined must be done before the subset test 1244 */ 1245 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) 1246 ctx->nnp = aa_get_label(label); 1247 1248 /* return -EPERM when unconfined doesn't have children to avoid 1249 * changing the traditional error code for unconfined. 1250 */ 1251 if (unconfined(label)) { 1252 struct label_it i; 1253 bool empty = true; 1254 1255 rcu_read_lock(); 1256 label_for_each_in_scope(i, labels_ns(label), label, profile) { 1257 empty &= list_empty(&profile->base.profiles); 1258 } 1259 rcu_read_unlock(); 1260 1261 if (empty) { 1262 info = "unconfined can not change_hat"; 1263 error = -EPERM; 1264 goto fail; 1265 } 1266 } 1267 1268 if (count) { 1269 new = change_hat(subj_cred, label, hats, count, flags); 1270 AA_BUG(!new); 1271 if (IS_ERR(new)) { 1272 error = PTR_ERR(new); 1273 new = NULL; 1274 /* already audited */ 1275 goto out; 1276 } 1277 1278 /* target cred is the same as current except new label */ 1279 error = may_change_ptraced_domain(subj_cred, new, &info); 1280 if (error) 1281 goto fail; 1282 1283 /* 1284 * no new privs prevents domain transitions that would 1285 * reduce restrictions. 1286 */ 1287 if (task_no_new_privs(current) && !unconfined(label) && 1288 !aa_label_is_unconfined_subset(new, ctx->nnp)) { 1289 /* not an apparmor denial per se, so don't log it */ 1290 AA_DEBUG(DEBUG_DOMAIN, 1291 "no_new_privs - change_hat denied"); 1292 error = -EPERM; 1293 goto out; 1294 } 1295 1296 if (flags & AA_CHANGE_TEST) 1297 goto out; 1298 1299 target = new; 1300 error = aa_set_current_hat(new, token); 1301 if (error == -EACCES) 1302 /* kill task in case of brute force attacks */ 1303 goto kill; 1304 } else if (previous && !(flags & AA_CHANGE_TEST)) { 1305 /* 1306 * no new privs prevents domain transitions that would 1307 * reduce restrictions. 1308 */ 1309 if (task_no_new_privs(current) && !unconfined(label) && 1310 !aa_label_is_unconfined_subset(previous, ctx->nnp)) { 1311 /* not an apparmor denial per se, so don't log it */ 1312 AA_DEBUG(DEBUG_DOMAIN, 1313 "no_new_privs - change_hat denied"); 1314 error = -EPERM; 1315 goto out; 1316 } 1317 1318 /* Return to saved label. Kill task if restore fails 1319 * to avoid brute force attacks 1320 */ 1321 target = previous; 1322 error = aa_restore_previous_label(token); 1323 if (error) { 1324 if (error == -EACCES) 1325 goto kill; 1326 goto fail; 1327 } 1328 } /* else ignore @flags && restores when there is no saved profile */ 1329 1330 out: 1331 aa_put_label(new); 1332 aa_put_label(previous); 1333 aa_put_label(label); 1334 put_cred(subj_cred); 1335 1336 return error; 1337 1338 kill: 1339 info = "failed token match"; 1340 perms.kill = AA_MAY_CHANGEHAT; 1341 1342 fail: 1343 fn_for_each_in_scope(label, profile, 1344 aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT, 1345 AA_MAY_CHANGEHAT, NULL, NULL, target, 1346 GLOBAL_ROOT_UID, info, error)); 1347 1348 goto out; 1349 } 1350 1351 1352 static int change_profile_perms_wrapper(const char *op, const char *name, 1353 const struct cred *subj_cred, 1354 struct aa_profile *profile, 1355 struct aa_label *target, bool stack, 1356 u32 request, struct aa_perms *perms) 1357 { 1358 struct aa_ruleset *rules = profile->label.rules[0]; 1359 const char *info = NULL; 1360 int error = 0; 1361 1362 if (!error) 1363 error = change_profile_perms(profile, target, stack, request, 1364 rules->file->start[AA_CLASS_FILE], 1365 perms); 1366 if (error) 1367 error = aa_audit_file(subj_cred, profile, perms, op, request, 1368 name, 1369 NULL, target, GLOBAL_ROOT_UID, info, 1370 error); 1371 1372 return error; 1373 } 1374 1375 static const char *stack_msg = "change_profile unprivileged unconfined converted to stacking"; 1376 1377 /** 1378 * aa_change_profile - perform a one-way profile transition 1379 * @fqname: name of profile may include namespace (NOT NULL) 1380 * @flags: flags affecting change behavior 1381 * 1382 * Change to new profile @name. Unlike with hats, there is no way 1383 * to change back. If @name isn't specified the current profile name is 1384 * used. 1385 * If @onexec then the transition is delayed until 1386 * the next exec. 1387 * 1388 * Returns %0 on success, error otherwise. 1389 */ 1390 int aa_change_profile(const char *fqname, int flags) 1391 { 1392 struct aa_label *label, *new = NULL, *target = NULL; 1393 struct aa_profile *profile; 1394 struct aa_perms perms = {}; 1395 const char *info = NULL; 1396 const char *auditname = fqname; /* retain leading & if stack */ 1397 bool stack = flags & AA_CHANGE_STACK; 1398 struct aa_task_ctx *ctx = task_ctx(current); 1399 const struct cred *subj_cred = get_current_cred(); 1400 int error = 0; 1401 char *op; 1402 u32 request; 1403 1404 label = aa_get_current_label(); 1405 1406 /* 1407 * Detect no new privs being set, and store the label it 1408 * occurred under. Ideally this would happen when nnp 1409 * is set but there isn't a good way to do that yet. 1410 * 1411 * Testing for unconfined must be done before the subset test 1412 */ 1413 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) 1414 ctx->nnp = aa_get_label(label); 1415 1416 if (!fqname || !*fqname) { 1417 aa_put_label(label); 1418 AA_DEBUG(DEBUG_DOMAIN, "no profile name"); 1419 return -EINVAL; 1420 } 1421 1422 if (flags & AA_CHANGE_ONEXEC) { 1423 request = AA_MAY_ONEXEC; 1424 if (stack) 1425 op = OP_STACK_ONEXEC; 1426 else 1427 op = OP_CHANGE_ONEXEC; 1428 } else { 1429 request = AA_MAY_CHANGE_PROFILE; 1430 if (stack) 1431 op = OP_STACK; 1432 else 1433 op = OP_CHANGE_PROFILE; 1434 } 1435 1436 /* This should move to a per profile test. Requires pushing build 1437 * into callback 1438 */ 1439 if (!stack && unconfined(label) && 1440 label == &labels_ns(label)->unconfined->label && 1441 aa_unprivileged_unconfined_restricted && 1442 /* TODO: refactor so this check is a fn */ 1443 cap_capable(current_cred(), &init_user_ns, CAP_MAC_OVERRIDE, 1444 CAP_OPT_NOAUDIT)) { 1445 /* regardless of the request in this case apparmor 1446 * stacks against unconfined so admin set policy can't be 1447 * by-passed 1448 */ 1449 stack = true; 1450 perms.audit = request; 1451 (void) fn_for_each_in_scope(label, profile, 1452 aa_audit_file(subj_cred, profile, &perms, op, 1453 request, auditname, NULL, target, 1454 GLOBAL_ROOT_UID, stack_msg, 0)); 1455 perms.audit = 0; 1456 } 1457 1458 if (*fqname == '&') { 1459 stack = true; 1460 /* don't have label_parse() do stacking */ 1461 fqname++; 1462 } 1463 target = aa_label_parse(label, fqname, GFP_KERNEL, true, false); 1464 if (IS_ERR(target)) { 1465 struct aa_profile *tprofile; 1466 1467 info = "label not found"; 1468 error = PTR_ERR(target); 1469 target = NULL; 1470 /* 1471 * TODO: fixme using labels_profile is not right - do profile 1472 * per complain profile 1473 */ 1474 if ((flags & AA_CHANGE_TEST) || 1475 !COMPLAIN_MODE(labels_profile(label))) 1476 goto audit; 1477 /* released below */ 1478 tprofile = aa_new_learning_profile(labels_profile(label), false, 1479 fqname, GFP_KERNEL); 1480 if (!tprofile) { 1481 info = "failed null profile create"; 1482 error = -ENOMEM; 1483 goto audit; 1484 } 1485 target = &tprofile->label; 1486 goto check; 1487 } 1488 1489 /* 1490 * self directed transitions only apply to current policy ns 1491 * TODO: currently requiring perms for stacking and straight change 1492 * stacking doesn't strictly need this. Determine how much 1493 * we want to loosen this restriction for stacking 1494 * 1495 * if (!stack) { 1496 */ 1497 error = fn_for_each_in_scope(label, profile, 1498 change_profile_perms_wrapper(op, auditname, 1499 subj_cred, 1500 profile, target, stack, 1501 request, &perms)); 1502 if (error) 1503 /* auditing done in change_profile_perms_wrapper */ 1504 goto out; 1505 1506 /* } */ 1507 1508 check: 1509 /* check if tracing task is allowed to trace target domain */ 1510 error = may_change_ptraced_domain(subj_cred, target, &info); 1511 if (error && !fn_for_each_in_scope(label, profile, 1512 COMPLAIN_MODE(profile))) 1513 goto audit; 1514 1515 /* TODO: add permission check to allow this 1516 * if ((flags & AA_CHANGE_ONEXEC) && !current_is_single_threaded()) { 1517 * info = "not a single threaded task"; 1518 * error = -EACCES; 1519 * goto audit; 1520 * } 1521 */ 1522 if (flags & AA_CHANGE_TEST) 1523 goto out; 1524 1525 /* stacking is always a subset, so only check the nonstack case */ 1526 if (!stack) { 1527 new = fn_label_build_in_scope(label, profile, GFP_KERNEL, 1528 aa_get_label(target), 1529 aa_get_label(&profile->label)); 1530 /* 1531 * no new privs prevents domain transitions that would 1532 * reduce restrictions. 1533 */ 1534 if (task_no_new_privs(current) && !unconfined(label) && 1535 !aa_label_is_unconfined_subset(new, ctx->nnp)) { 1536 /* not an apparmor denial per se, so don't log it */ 1537 AA_DEBUG(DEBUG_DOMAIN, 1538 "no_new_privs - change_hat denied"); 1539 error = -EPERM; 1540 goto out; 1541 } 1542 } 1543 1544 if (!(flags & AA_CHANGE_ONEXEC)) { 1545 /* only transition profiles in the current ns */ 1546 if (stack) 1547 new = aa_label_merge(label, target, GFP_KERNEL); 1548 if (IS_ERR_OR_NULL(new)) { 1549 info = "failed to build target label"; 1550 if (!new) 1551 error = -ENOMEM; 1552 else 1553 error = PTR_ERR(new); 1554 new = NULL; 1555 perms.allow = 0; 1556 goto audit; 1557 } 1558 error = aa_replace_current_label(new); 1559 } else { 1560 if (new) { 1561 aa_put_label(new); 1562 new = NULL; 1563 } 1564 1565 /* full transition will be built in exec path */ 1566 aa_set_current_onexec(target, stack); 1567 } 1568 1569 audit: 1570 error = fn_for_each_in_scope(label, profile, 1571 aa_audit_file(subj_cred, 1572 profile, &perms, op, request, auditname, 1573 NULL, new ? new : target, 1574 GLOBAL_ROOT_UID, info, error)); 1575 1576 out: 1577 aa_put_label(new); 1578 aa_put_label(target); 1579 aa_put_label(label); 1580 put_cred(subj_cred); 1581 1582 return error; 1583 } 1584