1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <net/sock.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/context.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/path.h" 36 #include "include/label.h" 37 #include "include/policy.h" 38 #include "include/policy_ns.h" 39 #include "include/procattr.h" 40 #include "include/mount.h" 41 42 /* Flag indicating whether initialization completed */ 43 int apparmor_initialized; 44 45 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 46 47 48 /* 49 * LSM hook functions 50 */ 51 52 /* 53 * free the associated aa_task_ctx and put its labels 54 */ 55 static void apparmor_cred_free(struct cred *cred) 56 { 57 aa_free_task_context(cred_ctx(cred)); 58 cred_ctx(cred) = NULL; 59 } 60 61 /* 62 * allocate the apparmor part of blank credentials 63 */ 64 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 65 { 66 /* freed by apparmor_cred_free */ 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 68 69 if (!ctx) 70 return -ENOMEM; 71 72 cred_ctx(cred) = ctx; 73 return 0; 74 } 75 76 /* 77 * prepare new aa_task_ctx for modification by prepare_cred block 78 */ 79 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 80 gfp_t gfp) 81 { 82 /* freed by apparmor_cred_free */ 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 84 85 if (!ctx) 86 return -ENOMEM; 87 88 aa_dup_task_context(ctx, cred_ctx(old)); 89 cred_ctx(new) = ctx; 90 return 0; 91 } 92 93 /* 94 * transfer the apparmor data to a blank set of creds 95 */ 96 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 97 { 98 const struct aa_task_ctx *old_ctx = cred_ctx(old); 99 struct aa_task_ctx *new_ctx = cred_ctx(new); 100 101 aa_dup_task_context(new_ctx, old_ctx); 102 } 103 104 static int apparmor_ptrace_access_check(struct task_struct *child, 105 unsigned int mode) 106 { 107 struct aa_label *tracer, *tracee; 108 int error; 109 110 tracer = begin_current_label_crit_section(); 111 tracee = aa_get_task_label(child); 112 error = aa_may_ptrace(tracer, tracee, 113 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 114 aa_put_label(tracee); 115 end_current_label_crit_section(tracer); 116 117 return error; 118 } 119 120 static int apparmor_ptrace_traceme(struct task_struct *parent) 121 { 122 struct aa_label *tracer, *tracee; 123 int error; 124 125 tracee = begin_current_label_crit_section(); 126 tracer = aa_get_task_label(parent); 127 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 128 aa_put_label(tracer); 129 end_current_label_crit_section(tracee); 130 131 return error; 132 } 133 134 /* Derived from security/commoncap.c:cap_capget */ 135 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 136 kernel_cap_t *inheritable, kernel_cap_t *permitted) 137 { 138 struct aa_label *label; 139 const struct cred *cred; 140 141 rcu_read_lock(); 142 cred = __task_cred(target); 143 label = aa_get_newest_cred_label(cred); 144 145 /* 146 * cap_capget is stacked ahead of this and will 147 * initialize effective and permitted. 148 */ 149 if (!unconfined(label)) { 150 struct aa_profile *profile; 151 struct label_it i; 152 153 label_for_each_confined(i, label, profile) { 154 if (COMPLAIN_MODE(profile)) 155 continue; 156 *effective = cap_intersect(*effective, 157 profile->caps.allow); 158 *permitted = cap_intersect(*permitted, 159 profile->caps.allow); 160 } 161 } 162 rcu_read_unlock(); 163 aa_put_label(label); 164 165 return 0; 166 } 167 168 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 169 int cap, int audit) 170 { 171 struct aa_label *label; 172 int error = 0; 173 174 label = aa_get_newest_cred_label(cred); 175 if (!unconfined(label)) 176 error = aa_capable(label, cap, audit); 177 aa_put_label(label); 178 179 return error; 180 } 181 182 /** 183 * common_perm - basic common permission check wrapper fn for paths 184 * @op: operation being checked 185 * @path: path to check permission of (NOT NULL) 186 * @mask: requested permissions mask 187 * @cond: conditional info for the permission request (NOT NULL) 188 * 189 * Returns: %0 else error code if error or permission denied 190 */ 191 static int common_perm(const char *op, const struct path *path, u32 mask, 192 struct path_cond *cond) 193 { 194 struct aa_label *label; 195 int error = 0; 196 197 label = __begin_current_label_crit_section(); 198 if (!unconfined(label)) 199 error = aa_path_perm(op, label, path, 0, mask, cond); 200 __end_current_label_crit_section(label); 201 202 return error; 203 } 204 205 /** 206 * common_perm_cond - common permission wrapper around inode cond 207 * @op: operation being checked 208 * @path: location to check (NOT NULL) 209 * @mask: requested permissions mask 210 * 211 * Returns: %0 else error code if error or permission denied 212 */ 213 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 214 { 215 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 216 d_backing_inode(path->dentry)->i_mode 217 }; 218 219 if (!path_mediated_fs(path->dentry)) 220 return 0; 221 222 return common_perm(op, path, mask, &cond); 223 } 224 225 /** 226 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 227 * @op: operation being checked 228 * @dir: directory of the dentry (NOT NULL) 229 * @dentry: dentry to check (NOT NULL) 230 * @mask: requested permissions mask 231 * @cond: conditional info for the permission request (NOT NULL) 232 * 233 * Returns: %0 else error code if error or permission denied 234 */ 235 static int common_perm_dir_dentry(const char *op, const struct path *dir, 236 struct dentry *dentry, u32 mask, 237 struct path_cond *cond) 238 { 239 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 240 241 return common_perm(op, &path, mask, cond); 242 } 243 244 /** 245 * common_perm_rm - common permission wrapper for operations doing rm 246 * @op: operation being checked 247 * @dir: directory that the dentry is in (NOT NULL) 248 * @dentry: dentry being rm'd (NOT NULL) 249 * @mask: requested permission mask 250 * 251 * Returns: %0 else error code if error or permission denied 252 */ 253 static int common_perm_rm(const char *op, const struct path *dir, 254 struct dentry *dentry, u32 mask) 255 { 256 struct inode *inode = d_backing_inode(dentry); 257 struct path_cond cond = { }; 258 259 if (!inode || !path_mediated_fs(dentry)) 260 return 0; 261 262 cond.uid = inode->i_uid; 263 cond.mode = inode->i_mode; 264 265 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 266 } 267 268 /** 269 * common_perm_create - common permission wrapper for operations doing create 270 * @op: operation being checked 271 * @dir: directory that dentry will be created in (NOT NULL) 272 * @dentry: dentry to create (NOT NULL) 273 * @mask: request permission mask 274 * @mode: created file mode 275 * 276 * Returns: %0 else error code if error or permission denied 277 */ 278 static int common_perm_create(const char *op, const struct path *dir, 279 struct dentry *dentry, u32 mask, umode_t mode) 280 { 281 struct path_cond cond = { current_fsuid(), mode }; 282 283 if (!path_mediated_fs(dir->dentry)) 284 return 0; 285 286 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 287 } 288 289 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 290 { 291 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 292 } 293 294 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 295 umode_t mode) 296 { 297 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 298 S_IFDIR); 299 } 300 301 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 302 { 303 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 304 } 305 306 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 307 umode_t mode, unsigned int dev) 308 { 309 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 310 } 311 312 static int apparmor_path_truncate(const struct path *path) 313 { 314 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 315 } 316 317 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 318 const char *old_name) 319 { 320 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 321 S_IFLNK); 322 } 323 324 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 325 struct dentry *new_dentry) 326 { 327 struct aa_label *label; 328 int error = 0; 329 330 if (!path_mediated_fs(old_dentry)) 331 return 0; 332 333 label = begin_current_label_crit_section(); 334 if (!unconfined(label)) 335 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 336 end_current_label_crit_section(label); 337 338 return error; 339 } 340 341 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 342 const struct path *new_dir, struct dentry *new_dentry) 343 { 344 struct aa_label *label; 345 int error = 0; 346 347 if (!path_mediated_fs(old_dentry)) 348 return 0; 349 350 label = begin_current_label_crit_section(); 351 if (!unconfined(label)) { 352 struct path old_path = { .mnt = old_dir->mnt, 353 .dentry = old_dentry }; 354 struct path new_path = { .mnt = new_dir->mnt, 355 .dentry = new_dentry }; 356 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 357 d_backing_inode(old_dentry)->i_mode 358 }; 359 360 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 361 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 362 AA_MAY_SETATTR | AA_MAY_DELETE, 363 &cond); 364 if (!error) 365 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 366 0, MAY_WRITE | AA_MAY_SETATTR | 367 AA_MAY_CREATE, &cond); 368 369 } 370 end_current_label_crit_section(label); 371 372 return error; 373 } 374 375 static int apparmor_path_chmod(const struct path *path, umode_t mode) 376 { 377 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 378 } 379 380 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 381 { 382 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 383 } 384 385 static int apparmor_inode_getattr(const struct path *path) 386 { 387 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 388 } 389 390 static int apparmor_file_open(struct file *file, const struct cred *cred) 391 { 392 struct aa_file_ctx *fctx = file_ctx(file); 393 struct aa_label *label; 394 int error = 0; 395 396 if (!path_mediated_fs(file->f_path.dentry)) 397 return 0; 398 399 /* If in exec, permission is handled by bprm hooks. 400 * Cache permissions granted by the previous exec check, with 401 * implicit read and executable mmap which are required to 402 * actually execute the image. 403 */ 404 if (current->in_execve) { 405 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 406 return 0; 407 } 408 409 label = aa_get_newest_cred_label(cred); 410 if (!unconfined(label)) { 411 struct inode *inode = file_inode(file); 412 struct path_cond cond = { inode->i_uid, inode->i_mode }; 413 414 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 415 aa_map_file_to_perms(file), &cond); 416 /* todo cache full allowed permissions set and state */ 417 fctx->allow = aa_map_file_to_perms(file); 418 } 419 aa_put_label(label); 420 421 return error; 422 } 423 424 static int apparmor_file_alloc_security(struct file *file) 425 { 426 int error = 0; 427 428 /* freed by apparmor_file_free_security */ 429 struct aa_label *label = begin_current_label_crit_section(); 430 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 431 if (!file_ctx(file)) 432 error = -ENOMEM; 433 end_current_label_crit_section(label); 434 435 return error; 436 } 437 438 static void apparmor_file_free_security(struct file *file) 439 { 440 aa_free_file_ctx(file_ctx(file)); 441 } 442 443 static int common_file_perm(const char *op, struct file *file, u32 mask) 444 { 445 struct aa_label *label; 446 int error = 0; 447 448 /* don't reaudit files closed during inheritance */ 449 if (file->f_path.dentry == aa_null.dentry) 450 return -EACCES; 451 452 label = __begin_current_label_crit_section(); 453 error = aa_file_perm(op, label, file, mask); 454 __end_current_label_crit_section(label); 455 456 return error; 457 } 458 459 static int apparmor_file_receive(struct file *file) 460 { 461 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 462 } 463 464 static int apparmor_file_permission(struct file *file, int mask) 465 { 466 return common_file_perm(OP_FPERM, file, mask); 467 } 468 469 static int apparmor_file_lock(struct file *file, unsigned int cmd) 470 { 471 u32 mask = AA_MAY_LOCK; 472 473 if (cmd == F_WRLCK) 474 mask |= MAY_WRITE; 475 476 return common_file_perm(OP_FLOCK, file, mask); 477 } 478 479 static int common_mmap(const char *op, struct file *file, unsigned long prot, 480 unsigned long flags) 481 { 482 int mask = 0; 483 484 if (!file || !file_ctx(file)) 485 return 0; 486 487 if (prot & PROT_READ) 488 mask |= MAY_READ; 489 /* 490 * Private mappings don't require write perms since they don't 491 * write back to the files 492 */ 493 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 494 mask |= MAY_WRITE; 495 if (prot & PROT_EXEC) 496 mask |= AA_EXEC_MMAP; 497 498 return common_file_perm(op, file, mask); 499 } 500 501 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 502 unsigned long prot, unsigned long flags) 503 { 504 return common_mmap(OP_FMMAP, file, prot, flags); 505 } 506 507 static int apparmor_file_mprotect(struct vm_area_struct *vma, 508 unsigned long reqprot, unsigned long prot) 509 { 510 return common_mmap(OP_FMPROT, vma->vm_file, prot, 511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512 } 513 514 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 515 const char *type, unsigned long flags, void *data) 516 { 517 struct aa_label *label; 518 int error = 0; 519 520 /* Discard magic */ 521 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 522 flags &= ~MS_MGC_MSK; 523 524 flags &= ~AA_MS_IGNORE_MASK; 525 526 label = __begin_current_label_crit_section(); 527 if (!unconfined(label)) { 528 if (flags & MS_REMOUNT) 529 error = aa_remount(label, path, flags, data); 530 else if (flags & MS_BIND) 531 error = aa_bind_mount(label, path, dev_name, flags); 532 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 533 MS_UNBINDABLE)) 534 error = aa_mount_change_type(label, path, flags); 535 else if (flags & MS_MOVE) 536 error = aa_move_mount(label, path, dev_name); 537 else 538 error = aa_new_mount(label, dev_name, path, type, 539 flags, data); 540 } 541 __end_current_label_crit_section(label); 542 543 return error; 544 } 545 546 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 547 { 548 struct aa_label *label; 549 int error = 0; 550 551 label = __begin_current_label_crit_section(); 552 if (!unconfined(label)) 553 error = aa_umount(label, mnt, flags); 554 __end_current_label_crit_section(label); 555 556 return error; 557 } 558 559 static int apparmor_sb_pivotroot(const struct path *old_path, 560 const struct path *new_path) 561 { 562 struct aa_label *label; 563 int error = 0; 564 565 label = aa_get_current_label(); 566 if (!unconfined(label)) 567 error = aa_pivotroot(label, old_path, new_path); 568 aa_put_label(label); 569 570 return error; 571 } 572 573 static int apparmor_getprocattr(struct task_struct *task, char *name, 574 char **value) 575 { 576 int error = -ENOENT; 577 /* released below */ 578 const struct cred *cred = get_task_cred(task); 579 struct aa_task_ctx *ctx = cred_ctx(cred); 580 struct aa_label *label = NULL; 581 582 if (strcmp(name, "current") == 0) 583 label = aa_get_newest_label(ctx->label); 584 else if (strcmp(name, "prev") == 0 && ctx->previous) 585 label = aa_get_newest_label(ctx->previous); 586 else if (strcmp(name, "exec") == 0 && ctx->onexec) 587 label = aa_get_newest_label(ctx->onexec); 588 else 589 error = -EINVAL; 590 591 if (label) 592 error = aa_getprocattr(label, value); 593 594 aa_put_label(label); 595 put_cred(cred); 596 597 return error; 598 } 599 600 static int apparmor_setprocattr(const char *name, void *value, 601 size_t size) 602 { 603 char *command, *largs = NULL, *args = value; 604 size_t arg_size; 605 int error; 606 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 607 608 if (size == 0) 609 return -EINVAL; 610 611 /* AppArmor requires that the buffer must be null terminated atm */ 612 if (args[size - 1] != '\0') { 613 /* null terminate */ 614 largs = args = kmalloc(size + 1, GFP_KERNEL); 615 if (!args) 616 return -ENOMEM; 617 memcpy(args, value, size); 618 args[size] = '\0'; 619 } 620 621 error = -EINVAL; 622 args = strim(args); 623 command = strsep(&args, " "); 624 if (!args) 625 goto out; 626 args = skip_spaces(args); 627 if (!*args) 628 goto out; 629 630 arg_size = size - (args - (largs ? largs : (char *) value)); 631 if (strcmp(name, "current") == 0) { 632 if (strcmp(command, "changehat") == 0) { 633 error = aa_setprocattr_changehat(args, arg_size, 634 AA_CHANGE_NOFLAGS); 635 } else if (strcmp(command, "permhat") == 0) { 636 error = aa_setprocattr_changehat(args, arg_size, 637 AA_CHANGE_TEST); 638 } else if (strcmp(command, "changeprofile") == 0) { 639 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 640 } else if (strcmp(command, "permprofile") == 0) { 641 error = aa_change_profile(args, AA_CHANGE_TEST); 642 } else if (strcmp(command, "stack") == 0) { 643 error = aa_change_profile(args, AA_CHANGE_STACK); 644 } else 645 goto fail; 646 } else if (strcmp(name, "exec") == 0) { 647 if (strcmp(command, "exec") == 0) 648 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 649 else if (strcmp(command, "stack") == 0) 650 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 651 AA_CHANGE_STACK)); 652 else 653 goto fail; 654 } else 655 /* only support the "current" and "exec" process attributes */ 656 goto fail; 657 658 if (!error) 659 error = size; 660 out: 661 kfree(largs); 662 return error; 663 664 fail: 665 aad(&sa)->label = begin_current_label_crit_section(); 666 aad(&sa)->info = name; 667 aad(&sa)->error = error = -EINVAL; 668 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 669 end_current_label_crit_section(aad(&sa)->label); 670 goto out; 671 } 672 673 /** 674 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 675 * @bprm: binprm for the exec (NOT NULL) 676 */ 677 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 678 { 679 struct aa_label *label = aa_current_raw_label(); 680 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 681 682 /* bail out if unconfined or not changing profile */ 683 if ((new_ctx->label->proxy == label->proxy) || 684 (unconfined(new_ctx->label))) 685 return; 686 687 aa_inherit_files(bprm->cred, current->files); 688 689 current->pdeath_signal = 0; 690 691 /* reset soft limits and set hard limits for the new label */ 692 __aa_transition_rlimits(label, new_ctx->label); 693 } 694 695 /** 696 * apparmor_bprm_committed_cred - do cleanup after new creds committed 697 * @bprm: binprm for the exec (NOT NULL) 698 */ 699 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 700 { 701 /* TODO: cleanup signals - ipc mediation */ 702 return; 703 } 704 705 static int apparmor_task_setrlimit(struct task_struct *task, 706 unsigned int resource, struct rlimit *new_rlim) 707 { 708 struct aa_label *label = __begin_current_label_crit_section(); 709 int error = 0; 710 711 if (!unconfined(label)) 712 error = aa_task_setrlimit(label, task, resource, new_rlim); 713 __end_current_label_crit_section(label); 714 715 return error; 716 } 717 718 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 719 int sig, const struct cred *cred) 720 { 721 struct aa_label *cl, *tl; 722 int error; 723 724 if (cred) { 725 /* 726 * Dealing with USB IO specific behavior 727 */ 728 cl = aa_get_newest_cred_label(cred); 729 tl = aa_get_task_label(target); 730 error = aa_may_signal(cl, tl, sig); 731 aa_put_label(cl); 732 aa_put_label(tl); 733 return error; 734 } 735 736 cl = __begin_current_label_crit_section(); 737 tl = aa_get_task_label(target); 738 error = aa_may_signal(cl, tl, sig); 739 aa_put_label(tl); 740 __end_current_label_crit_section(cl); 741 742 return error; 743 } 744 745 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 746 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 747 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 748 LSM_HOOK_INIT(capget, apparmor_capget), 749 LSM_HOOK_INIT(capable, apparmor_capable), 750 751 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 752 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 753 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 754 755 LSM_HOOK_INIT(path_link, apparmor_path_link), 756 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 757 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 758 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 759 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 760 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 761 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 762 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 763 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 764 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 765 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 766 767 LSM_HOOK_INIT(file_open, apparmor_file_open), 768 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 769 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 770 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 771 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 772 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 773 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 774 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 775 776 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 777 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 778 779 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 780 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 781 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 782 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 783 784 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 785 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 786 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 787 788 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 789 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 790 }; 791 792 /* 793 * AppArmor sysfs module parameters 794 */ 795 796 static int param_set_aabool(const char *val, const struct kernel_param *kp); 797 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 798 #define param_check_aabool param_check_bool 799 static const struct kernel_param_ops param_ops_aabool = { 800 .flags = KERNEL_PARAM_OPS_FL_NOARG, 801 .set = param_set_aabool, 802 .get = param_get_aabool 803 }; 804 805 static int param_set_aauint(const char *val, const struct kernel_param *kp); 806 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 807 #define param_check_aauint param_check_uint 808 static const struct kernel_param_ops param_ops_aauint = { 809 .set = param_set_aauint, 810 .get = param_get_aauint 811 }; 812 813 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 814 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 815 #define param_check_aalockpolicy param_check_bool 816 static const struct kernel_param_ops param_ops_aalockpolicy = { 817 .flags = KERNEL_PARAM_OPS_FL_NOARG, 818 .set = param_set_aalockpolicy, 819 .get = param_get_aalockpolicy 820 }; 821 822 static int param_set_audit(const char *val, const struct kernel_param *kp); 823 static int param_get_audit(char *buffer, const struct kernel_param *kp); 824 825 static int param_set_mode(const char *val, const struct kernel_param *kp); 826 static int param_get_mode(char *buffer, const struct kernel_param *kp); 827 828 /* Flag values, also controllable via /sys/module/apparmor/parameters 829 * We define special types as we want to do additional mediation. 830 */ 831 832 /* AppArmor global enforcement switch - complain, enforce, kill */ 833 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 834 module_param_call(mode, param_set_mode, param_get_mode, 835 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 836 837 /* whether policy verification hashing is enabled */ 838 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 839 #ifdef CONFIG_SECURITY_APPARMOR_HASH 840 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 841 #endif 842 843 /* Debug mode */ 844 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 845 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 846 847 /* Audit mode */ 848 enum audit_mode aa_g_audit; 849 module_param_call(audit, param_set_audit, param_get_audit, 850 &aa_g_audit, S_IRUSR | S_IWUSR); 851 852 /* Determines if audit header is included in audited messages. This 853 * provides more context if the audit daemon is not running 854 */ 855 bool aa_g_audit_header = true; 856 module_param_named(audit_header, aa_g_audit_header, aabool, 857 S_IRUSR | S_IWUSR); 858 859 /* lock out loading/removal of policy 860 * TODO: add in at boot loading of policy, which is the only way to 861 * load policy, if lock_policy is set 862 */ 863 bool aa_g_lock_policy; 864 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 865 S_IRUSR | S_IWUSR); 866 867 /* Syscall logging mode */ 868 bool aa_g_logsyscall; 869 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 870 871 /* Maximum pathname length before accesses will start getting rejected */ 872 unsigned int aa_g_path_max = 2 * PATH_MAX; 873 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 874 875 /* Determines how paranoid loading of policy is and how much verification 876 * on the loaded policy is done. 877 * DEPRECATED: read only as strict checking of load is always done now 878 * that none root users (user namespaces) can load policy. 879 */ 880 bool aa_g_paranoid_load = true; 881 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 882 883 /* Boot time disable flag */ 884 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 885 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 886 887 static int __init apparmor_enabled_setup(char *str) 888 { 889 unsigned long enabled; 890 int error = kstrtoul(str, 0, &enabled); 891 if (!error) 892 apparmor_enabled = enabled ? 1 : 0; 893 return 1; 894 } 895 896 __setup("apparmor=", apparmor_enabled_setup); 897 898 /* set global flag turning off the ability to load policy */ 899 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 900 { 901 if (!apparmor_enabled) 902 return -EINVAL; 903 if (apparmor_initialized && !policy_admin_capable(NULL)) 904 return -EPERM; 905 return param_set_bool(val, kp); 906 } 907 908 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 909 { 910 if (!apparmor_enabled) 911 return -EINVAL; 912 if (apparmor_initialized && !policy_view_capable(NULL)) 913 return -EPERM; 914 return param_get_bool(buffer, kp); 915 } 916 917 static int param_set_aabool(const char *val, const struct kernel_param *kp) 918 { 919 if (!apparmor_enabled) 920 return -EINVAL; 921 if (apparmor_initialized && !policy_admin_capable(NULL)) 922 return -EPERM; 923 return param_set_bool(val, kp); 924 } 925 926 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 927 { 928 if (!apparmor_enabled) 929 return -EINVAL; 930 if (apparmor_initialized && !policy_view_capable(NULL)) 931 return -EPERM; 932 return param_get_bool(buffer, kp); 933 } 934 935 static int param_set_aauint(const char *val, const struct kernel_param *kp) 936 { 937 int error; 938 939 if (!apparmor_enabled) 940 return -EINVAL; 941 /* file is ro but enforce 2nd line check */ 942 if (apparmor_initialized) 943 return -EPERM; 944 945 error = param_set_uint(val, kp); 946 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 947 948 return error; 949 } 950 951 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 952 { 953 if (!apparmor_enabled) 954 return -EINVAL; 955 if (apparmor_initialized && !policy_view_capable(NULL)) 956 return -EPERM; 957 return param_get_uint(buffer, kp); 958 } 959 960 static int param_get_audit(char *buffer, const struct kernel_param *kp) 961 { 962 if (!apparmor_enabled) 963 return -EINVAL; 964 if (apparmor_initialized && !policy_view_capable(NULL)) 965 return -EPERM; 966 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 967 } 968 969 static int param_set_audit(const char *val, const struct kernel_param *kp) 970 { 971 int i; 972 973 if (!apparmor_enabled) 974 return -EINVAL; 975 if (!val) 976 return -EINVAL; 977 if (apparmor_initialized && !policy_admin_capable(NULL)) 978 return -EPERM; 979 980 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 981 if (strcmp(val, audit_mode_names[i]) == 0) { 982 aa_g_audit = i; 983 return 0; 984 } 985 } 986 987 return -EINVAL; 988 } 989 990 static int param_get_mode(char *buffer, const struct kernel_param *kp) 991 { 992 if (!apparmor_enabled) 993 return -EINVAL; 994 if (apparmor_initialized && !policy_view_capable(NULL)) 995 return -EPERM; 996 997 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 998 } 999 1000 static int param_set_mode(const char *val, const struct kernel_param *kp) 1001 { 1002 int i; 1003 1004 if (!apparmor_enabled) 1005 return -EINVAL; 1006 if (!val) 1007 return -EINVAL; 1008 if (apparmor_initialized && !policy_admin_capable(NULL)) 1009 return -EPERM; 1010 1011 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 1012 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 1013 aa_g_profile_mode = i; 1014 return 0; 1015 } 1016 } 1017 1018 return -EINVAL; 1019 } 1020 1021 /* 1022 * AppArmor init functions 1023 */ 1024 1025 /** 1026 * set_init_ctx - set a task context and profile on the first task. 1027 * 1028 * TODO: allow setting an alternate profile than unconfined 1029 */ 1030 static int __init set_init_ctx(void) 1031 { 1032 struct cred *cred = (struct cred *)current->real_cred; 1033 struct aa_task_ctx *ctx; 1034 1035 ctx = aa_alloc_task_context(GFP_KERNEL); 1036 if (!ctx) 1037 return -ENOMEM; 1038 1039 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1040 cred_ctx(cred) = ctx; 1041 1042 return 0; 1043 } 1044 1045 static void destroy_buffers(void) 1046 { 1047 u32 i, j; 1048 1049 for_each_possible_cpu(i) { 1050 for_each_cpu_buffer(j) { 1051 kfree(per_cpu(aa_buffers, i).buf[j]); 1052 per_cpu(aa_buffers, i).buf[j] = NULL; 1053 } 1054 } 1055 } 1056 1057 static int __init alloc_buffers(void) 1058 { 1059 u32 i, j; 1060 1061 for_each_possible_cpu(i) { 1062 for_each_cpu_buffer(j) { 1063 char *buffer; 1064 1065 if (cpu_to_node(i) > num_online_nodes()) 1066 /* fallback to kmalloc for offline nodes */ 1067 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1068 else 1069 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1070 cpu_to_node(i)); 1071 if (!buffer) { 1072 destroy_buffers(); 1073 return -ENOMEM; 1074 } 1075 per_cpu(aa_buffers, i).buf[j] = buffer; 1076 } 1077 } 1078 1079 return 0; 1080 } 1081 1082 #ifdef CONFIG_SYSCTL 1083 static int apparmor_dointvec(struct ctl_table *table, int write, 1084 void __user *buffer, size_t *lenp, loff_t *ppos) 1085 { 1086 if (!policy_admin_capable(NULL)) 1087 return -EPERM; 1088 if (!apparmor_enabled) 1089 return -EINVAL; 1090 1091 return proc_dointvec(table, write, buffer, lenp, ppos); 1092 } 1093 1094 static struct ctl_path apparmor_sysctl_path[] = { 1095 { .procname = "kernel", }, 1096 { } 1097 }; 1098 1099 static struct ctl_table apparmor_sysctl_table[] = { 1100 { 1101 .procname = "unprivileged_userns_apparmor_policy", 1102 .data = &unprivileged_userns_apparmor_policy, 1103 .maxlen = sizeof(int), 1104 .mode = 0600, 1105 .proc_handler = apparmor_dointvec, 1106 }, 1107 { } 1108 }; 1109 1110 static int __init apparmor_init_sysctl(void) 1111 { 1112 return register_sysctl_paths(apparmor_sysctl_path, 1113 apparmor_sysctl_table) ? 0 : -ENOMEM; 1114 } 1115 #else 1116 static inline int apparmor_init_sysctl(void) 1117 { 1118 return 0; 1119 } 1120 #endif /* CONFIG_SYSCTL */ 1121 1122 static int __init apparmor_init(void) 1123 { 1124 int error; 1125 1126 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1127 aa_info_message("AppArmor disabled by boot time parameter"); 1128 apparmor_enabled = false; 1129 return 0; 1130 } 1131 1132 error = aa_setup_dfa_engine(); 1133 if (error) { 1134 AA_ERROR("Unable to setup dfa engine\n"); 1135 goto alloc_out; 1136 } 1137 1138 error = aa_alloc_root_ns(); 1139 if (error) { 1140 AA_ERROR("Unable to allocate default profile namespace\n"); 1141 goto alloc_out; 1142 } 1143 1144 error = apparmor_init_sysctl(); 1145 if (error) { 1146 AA_ERROR("Unable to register sysctls\n"); 1147 goto alloc_out; 1148 1149 } 1150 1151 error = alloc_buffers(); 1152 if (error) { 1153 AA_ERROR("Unable to allocate work buffers\n"); 1154 goto buffers_out; 1155 } 1156 1157 error = set_init_ctx(); 1158 if (error) { 1159 AA_ERROR("Failed to set context on init task\n"); 1160 aa_free_root_ns(); 1161 goto buffers_out; 1162 } 1163 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1164 "apparmor"); 1165 1166 /* Report that AppArmor successfully initialized */ 1167 apparmor_initialized = 1; 1168 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1169 aa_info_message("AppArmor initialized: complain mode enabled"); 1170 else if (aa_g_profile_mode == APPARMOR_KILL) 1171 aa_info_message("AppArmor initialized: kill mode enabled"); 1172 else 1173 aa_info_message("AppArmor initialized"); 1174 1175 return error; 1176 1177 buffers_out: 1178 destroy_buffers(); 1179 1180 alloc_out: 1181 aa_destroy_aafs(); 1182 aa_teardown_dfa_engine(); 1183 1184 apparmor_enabled = false; 1185 return error; 1186 } 1187 1188 security_initcall(apparmor_init); 1189