1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/net.h" 37 #include "include/path.h" 38 #include "include/label.h" 39 #include "include/policy.h" 40 #include "include/policy_ns.h" 41 #include "include/procattr.h" 42 #include "include/mount.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 48 49 50 /* 51 * LSM hook functions 52 */ 53 54 /* 55 * free the associated aa_task_ctx and put its labels 56 */ 57 static void apparmor_cred_free(struct cred *cred) 58 { 59 aa_free_task_context(cred_ctx(cred)); 60 cred_ctx(cred) = NULL; 61 } 62 63 /* 64 * allocate the apparmor part of blank credentials 65 */ 66 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 67 { 68 /* freed by apparmor_cred_free */ 69 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 70 71 if (!ctx) 72 return -ENOMEM; 73 74 cred_ctx(cred) = ctx; 75 return 0; 76 } 77 78 /* 79 * prepare new aa_task_ctx for modification by prepare_cred block 80 */ 81 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 82 gfp_t gfp) 83 { 84 /* freed by apparmor_cred_free */ 85 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 86 87 if (!ctx) 88 return -ENOMEM; 89 90 aa_dup_task_context(ctx, cred_ctx(old)); 91 cred_ctx(new) = ctx; 92 return 0; 93 } 94 95 /* 96 * transfer the apparmor data to a blank set of creds 97 */ 98 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 99 { 100 const struct aa_task_ctx *old_ctx = cred_ctx(old); 101 struct aa_task_ctx *new_ctx = cred_ctx(new); 102 103 aa_dup_task_context(new_ctx, old_ctx); 104 } 105 106 static int apparmor_ptrace_access_check(struct task_struct *child, 107 unsigned int mode) 108 { 109 struct aa_label *tracer, *tracee; 110 int error; 111 112 tracer = begin_current_label_crit_section(); 113 tracee = aa_get_task_label(child); 114 error = aa_may_ptrace(tracer, tracee, 115 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 116 aa_put_label(tracee); 117 end_current_label_crit_section(tracer); 118 119 return error; 120 } 121 122 static int apparmor_ptrace_traceme(struct task_struct *parent) 123 { 124 struct aa_label *tracer, *tracee; 125 int error; 126 127 tracee = begin_current_label_crit_section(); 128 tracer = aa_get_task_label(parent); 129 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 130 aa_put_label(tracer); 131 end_current_label_crit_section(tracee); 132 133 return error; 134 } 135 136 /* Derived from security/commoncap.c:cap_capget */ 137 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 138 kernel_cap_t *inheritable, kernel_cap_t *permitted) 139 { 140 struct aa_label *label; 141 const struct cred *cred; 142 143 rcu_read_lock(); 144 cred = __task_cred(target); 145 label = aa_get_newest_cred_label(cred); 146 147 /* 148 * cap_capget is stacked ahead of this and will 149 * initialize effective and permitted. 150 */ 151 if (!unconfined(label)) { 152 struct aa_profile *profile; 153 struct label_it i; 154 155 label_for_each_confined(i, label, profile) { 156 if (COMPLAIN_MODE(profile)) 157 continue; 158 *effective = cap_intersect(*effective, 159 profile->caps.allow); 160 *permitted = cap_intersect(*permitted, 161 profile->caps.allow); 162 } 163 } 164 rcu_read_unlock(); 165 aa_put_label(label); 166 167 return 0; 168 } 169 170 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 171 int cap, int audit) 172 { 173 struct aa_label *label; 174 int error = 0; 175 176 label = aa_get_newest_cred_label(cred); 177 if (!unconfined(label)) 178 error = aa_capable(label, cap, audit); 179 aa_put_label(label); 180 181 return error; 182 } 183 184 /** 185 * common_perm - basic common permission check wrapper fn for paths 186 * @op: operation being checked 187 * @path: path to check permission of (NOT NULL) 188 * @mask: requested permissions mask 189 * @cond: conditional info for the permission request (NOT NULL) 190 * 191 * Returns: %0 else error code if error or permission denied 192 */ 193 static int common_perm(const char *op, const struct path *path, u32 mask, 194 struct path_cond *cond) 195 { 196 struct aa_label *label; 197 int error = 0; 198 199 label = __begin_current_label_crit_section(); 200 if (!unconfined(label)) 201 error = aa_path_perm(op, label, path, 0, mask, cond); 202 __end_current_label_crit_section(label); 203 204 return error; 205 } 206 207 /** 208 * common_perm_cond - common permission wrapper around inode cond 209 * @op: operation being checked 210 * @path: location to check (NOT NULL) 211 * @mask: requested permissions mask 212 * 213 * Returns: %0 else error code if error or permission denied 214 */ 215 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 216 { 217 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 218 d_backing_inode(path->dentry)->i_mode 219 }; 220 221 if (!path_mediated_fs(path->dentry)) 222 return 0; 223 224 return common_perm(op, path, mask, &cond); 225 } 226 227 /** 228 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 229 * @op: operation being checked 230 * @dir: directory of the dentry (NOT NULL) 231 * @dentry: dentry to check (NOT NULL) 232 * @mask: requested permissions mask 233 * @cond: conditional info for the permission request (NOT NULL) 234 * 235 * Returns: %0 else error code if error or permission denied 236 */ 237 static int common_perm_dir_dentry(const char *op, const struct path *dir, 238 struct dentry *dentry, u32 mask, 239 struct path_cond *cond) 240 { 241 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 242 243 return common_perm(op, &path, mask, cond); 244 } 245 246 /** 247 * common_perm_rm - common permission wrapper for operations doing rm 248 * @op: operation being checked 249 * @dir: directory that the dentry is in (NOT NULL) 250 * @dentry: dentry being rm'd (NOT NULL) 251 * @mask: requested permission mask 252 * 253 * Returns: %0 else error code if error or permission denied 254 */ 255 static int common_perm_rm(const char *op, const struct path *dir, 256 struct dentry *dentry, u32 mask) 257 { 258 struct inode *inode = d_backing_inode(dentry); 259 struct path_cond cond = { }; 260 261 if (!inode || !path_mediated_fs(dentry)) 262 return 0; 263 264 cond.uid = inode->i_uid; 265 cond.mode = inode->i_mode; 266 267 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 268 } 269 270 /** 271 * common_perm_create - common permission wrapper for operations doing create 272 * @op: operation being checked 273 * @dir: directory that dentry will be created in (NOT NULL) 274 * @dentry: dentry to create (NOT NULL) 275 * @mask: request permission mask 276 * @mode: created file mode 277 * 278 * Returns: %0 else error code if error or permission denied 279 */ 280 static int common_perm_create(const char *op, const struct path *dir, 281 struct dentry *dentry, u32 mask, umode_t mode) 282 { 283 struct path_cond cond = { current_fsuid(), mode }; 284 285 if (!path_mediated_fs(dir->dentry)) 286 return 0; 287 288 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 289 } 290 291 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 292 { 293 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 294 } 295 296 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 297 umode_t mode) 298 { 299 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 300 S_IFDIR); 301 } 302 303 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 304 { 305 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 306 } 307 308 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 309 umode_t mode, unsigned int dev) 310 { 311 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 312 } 313 314 static int apparmor_path_truncate(const struct path *path) 315 { 316 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 317 } 318 319 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 320 const char *old_name) 321 { 322 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 323 S_IFLNK); 324 } 325 326 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 327 struct dentry *new_dentry) 328 { 329 struct aa_label *label; 330 int error = 0; 331 332 if (!path_mediated_fs(old_dentry)) 333 return 0; 334 335 label = begin_current_label_crit_section(); 336 if (!unconfined(label)) 337 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 338 end_current_label_crit_section(label); 339 340 return error; 341 } 342 343 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 344 const struct path *new_dir, struct dentry *new_dentry) 345 { 346 struct aa_label *label; 347 int error = 0; 348 349 if (!path_mediated_fs(old_dentry)) 350 return 0; 351 352 label = begin_current_label_crit_section(); 353 if (!unconfined(label)) { 354 struct path old_path = { .mnt = old_dir->mnt, 355 .dentry = old_dentry }; 356 struct path new_path = { .mnt = new_dir->mnt, 357 .dentry = new_dentry }; 358 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 359 d_backing_inode(old_dentry)->i_mode 360 }; 361 362 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 363 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 364 AA_MAY_SETATTR | AA_MAY_DELETE, 365 &cond); 366 if (!error) 367 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 368 0, MAY_WRITE | AA_MAY_SETATTR | 369 AA_MAY_CREATE, &cond); 370 371 } 372 end_current_label_crit_section(label); 373 374 return error; 375 } 376 377 static int apparmor_path_chmod(const struct path *path, umode_t mode) 378 { 379 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 380 } 381 382 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 383 { 384 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 385 } 386 387 static int apparmor_inode_getattr(const struct path *path) 388 { 389 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 390 } 391 392 static int apparmor_file_open(struct file *file, const struct cred *cred) 393 { 394 struct aa_file_ctx *fctx = file_ctx(file); 395 struct aa_label *label; 396 int error = 0; 397 398 if (!path_mediated_fs(file->f_path.dentry)) 399 return 0; 400 401 /* If in exec, permission is handled by bprm hooks. 402 * Cache permissions granted by the previous exec check, with 403 * implicit read and executable mmap which are required to 404 * actually execute the image. 405 */ 406 if (current->in_execve) { 407 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 408 return 0; 409 } 410 411 label = aa_get_newest_cred_label(cred); 412 if (!unconfined(label)) { 413 struct inode *inode = file_inode(file); 414 struct path_cond cond = { inode->i_uid, inode->i_mode }; 415 416 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 417 aa_map_file_to_perms(file), &cond); 418 /* todo cache full allowed permissions set and state */ 419 fctx->allow = aa_map_file_to_perms(file); 420 } 421 aa_put_label(label); 422 423 return error; 424 } 425 426 static int apparmor_file_alloc_security(struct file *file) 427 { 428 int error = 0; 429 430 /* freed by apparmor_file_free_security */ 431 struct aa_label *label = begin_current_label_crit_section(); 432 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 433 if (!file_ctx(file)) 434 error = -ENOMEM; 435 end_current_label_crit_section(label); 436 437 return error; 438 } 439 440 static void apparmor_file_free_security(struct file *file) 441 { 442 aa_free_file_ctx(file_ctx(file)); 443 } 444 445 static int common_file_perm(const char *op, struct file *file, u32 mask) 446 { 447 struct aa_label *label; 448 int error = 0; 449 450 /* don't reaudit files closed during inheritance */ 451 if (file->f_path.dentry == aa_null.dentry) 452 return -EACCES; 453 454 label = __begin_current_label_crit_section(); 455 error = aa_file_perm(op, label, file, mask); 456 __end_current_label_crit_section(label); 457 458 return error; 459 } 460 461 static int apparmor_file_receive(struct file *file) 462 { 463 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 464 } 465 466 static int apparmor_file_permission(struct file *file, int mask) 467 { 468 return common_file_perm(OP_FPERM, file, mask); 469 } 470 471 static int apparmor_file_lock(struct file *file, unsigned int cmd) 472 { 473 u32 mask = AA_MAY_LOCK; 474 475 if (cmd == F_WRLCK) 476 mask |= MAY_WRITE; 477 478 return common_file_perm(OP_FLOCK, file, mask); 479 } 480 481 static int common_mmap(const char *op, struct file *file, unsigned long prot, 482 unsigned long flags) 483 { 484 int mask = 0; 485 486 if (!file || !file_ctx(file)) 487 return 0; 488 489 if (prot & PROT_READ) 490 mask |= MAY_READ; 491 /* 492 * Private mappings don't require write perms since they don't 493 * write back to the files 494 */ 495 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 496 mask |= MAY_WRITE; 497 if (prot & PROT_EXEC) 498 mask |= AA_EXEC_MMAP; 499 500 return common_file_perm(op, file, mask); 501 } 502 503 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 504 unsigned long prot, unsigned long flags) 505 { 506 return common_mmap(OP_FMMAP, file, prot, flags); 507 } 508 509 static int apparmor_file_mprotect(struct vm_area_struct *vma, 510 unsigned long reqprot, unsigned long prot) 511 { 512 return common_mmap(OP_FMPROT, vma->vm_file, prot, 513 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 514 } 515 516 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 517 const char *type, unsigned long flags, void *data) 518 { 519 struct aa_label *label; 520 int error = 0; 521 522 /* Discard magic */ 523 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 524 flags &= ~MS_MGC_MSK; 525 526 flags &= ~AA_MS_IGNORE_MASK; 527 528 label = __begin_current_label_crit_section(); 529 if (!unconfined(label)) { 530 if (flags & MS_REMOUNT) 531 error = aa_remount(label, path, flags, data); 532 else if (flags & MS_BIND) 533 error = aa_bind_mount(label, path, dev_name, flags); 534 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 535 MS_UNBINDABLE)) 536 error = aa_mount_change_type(label, path, flags); 537 else if (flags & MS_MOVE) 538 error = aa_move_mount(label, path, dev_name); 539 else 540 error = aa_new_mount(label, dev_name, path, type, 541 flags, data); 542 } 543 __end_current_label_crit_section(label); 544 545 return error; 546 } 547 548 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 549 { 550 struct aa_label *label; 551 int error = 0; 552 553 label = __begin_current_label_crit_section(); 554 if (!unconfined(label)) 555 error = aa_umount(label, mnt, flags); 556 __end_current_label_crit_section(label); 557 558 return error; 559 } 560 561 static int apparmor_sb_pivotroot(const struct path *old_path, 562 const struct path *new_path) 563 { 564 struct aa_label *label; 565 int error = 0; 566 567 label = aa_get_current_label(); 568 if (!unconfined(label)) 569 error = aa_pivotroot(label, old_path, new_path); 570 aa_put_label(label); 571 572 return error; 573 } 574 575 static int apparmor_getprocattr(struct task_struct *task, char *name, 576 char **value) 577 { 578 int error = -ENOENT; 579 /* released below */ 580 const struct cred *cred = get_task_cred(task); 581 struct aa_task_ctx *ctx = cred_ctx(cred); 582 struct aa_label *label = NULL; 583 584 if (strcmp(name, "current") == 0) 585 label = aa_get_newest_label(ctx->label); 586 else if (strcmp(name, "prev") == 0 && ctx->previous) 587 label = aa_get_newest_label(ctx->previous); 588 else if (strcmp(name, "exec") == 0 && ctx->onexec) 589 label = aa_get_newest_label(ctx->onexec); 590 else 591 error = -EINVAL; 592 593 if (label) 594 error = aa_getprocattr(label, value); 595 596 aa_put_label(label); 597 put_cred(cred); 598 599 return error; 600 } 601 602 static int apparmor_setprocattr(const char *name, void *value, 603 size_t size) 604 { 605 char *command, *largs = NULL, *args = value; 606 size_t arg_size; 607 int error; 608 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 609 610 if (size == 0) 611 return -EINVAL; 612 613 /* AppArmor requires that the buffer must be null terminated atm */ 614 if (args[size - 1] != '\0') { 615 /* null terminate */ 616 largs = args = kmalloc(size + 1, GFP_KERNEL); 617 if (!args) 618 return -ENOMEM; 619 memcpy(args, value, size); 620 args[size] = '\0'; 621 } 622 623 error = -EINVAL; 624 args = strim(args); 625 command = strsep(&args, " "); 626 if (!args) 627 goto out; 628 args = skip_spaces(args); 629 if (!*args) 630 goto out; 631 632 arg_size = size - (args - (largs ? largs : (char *) value)); 633 if (strcmp(name, "current") == 0) { 634 if (strcmp(command, "changehat") == 0) { 635 error = aa_setprocattr_changehat(args, arg_size, 636 AA_CHANGE_NOFLAGS); 637 } else if (strcmp(command, "permhat") == 0) { 638 error = aa_setprocattr_changehat(args, arg_size, 639 AA_CHANGE_TEST); 640 } else if (strcmp(command, "changeprofile") == 0) { 641 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 642 } else if (strcmp(command, "permprofile") == 0) { 643 error = aa_change_profile(args, AA_CHANGE_TEST); 644 } else if (strcmp(command, "stack") == 0) { 645 error = aa_change_profile(args, AA_CHANGE_STACK); 646 } else 647 goto fail; 648 } else if (strcmp(name, "exec") == 0) { 649 if (strcmp(command, "exec") == 0) 650 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 651 else if (strcmp(command, "stack") == 0) 652 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 653 AA_CHANGE_STACK)); 654 else 655 goto fail; 656 } else 657 /* only support the "current" and "exec" process attributes */ 658 goto fail; 659 660 if (!error) 661 error = size; 662 out: 663 kfree(largs); 664 return error; 665 666 fail: 667 aad(&sa)->label = begin_current_label_crit_section(); 668 aad(&sa)->info = name; 669 aad(&sa)->error = error = -EINVAL; 670 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 671 end_current_label_crit_section(aad(&sa)->label); 672 goto out; 673 } 674 675 /** 676 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 677 * @bprm: binprm for the exec (NOT NULL) 678 */ 679 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 680 { 681 struct aa_label *label = aa_current_raw_label(); 682 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 683 684 /* bail out if unconfined or not changing profile */ 685 if ((new_ctx->label->proxy == label->proxy) || 686 (unconfined(new_ctx->label))) 687 return; 688 689 aa_inherit_files(bprm->cred, current->files); 690 691 current->pdeath_signal = 0; 692 693 /* reset soft limits and set hard limits for the new label */ 694 __aa_transition_rlimits(label, new_ctx->label); 695 } 696 697 /** 698 * apparmor_bprm_committed_cred - do cleanup after new creds committed 699 * @bprm: binprm for the exec (NOT NULL) 700 */ 701 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 702 { 703 /* TODO: cleanup signals - ipc mediation */ 704 return; 705 } 706 707 static int apparmor_task_setrlimit(struct task_struct *task, 708 unsigned int resource, struct rlimit *new_rlim) 709 { 710 struct aa_label *label = __begin_current_label_crit_section(); 711 int error = 0; 712 713 if (!unconfined(label)) 714 error = aa_task_setrlimit(label, task, resource, new_rlim); 715 __end_current_label_crit_section(label); 716 717 return error; 718 } 719 720 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 721 int sig, u32 secid) 722 { 723 struct aa_label *cl, *tl; 724 int error; 725 726 if (secid) 727 /* TODO: after secid to label mapping is done. 728 * Dealing with USB IO specific behavior 729 */ 730 return 0; 731 cl = __begin_current_label_crit_section(); 732 tl = aa_get_task_label(target); 733 error = aa_may_signal(cl, tl, sig); 734 aa_put_label(tl); 735 __end_current_label_crit_section(cl); 736 737 return error; 738 } 739 740 /** 741 * apparmor_sk_alloc_security - allocate and attach the sk_security field 742 */ 743 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 744 { 745 struct aa_sk_ctx *ctx; 746 747 ctx = kzalloc(sizeof(*ctx), flags); 748 if (!ctx) 749 return -ENOMEM; 750 751 SK_CTX(sk) = ctx; 752 753 return 0; 754 } 755 756 /** 757 * apparmor_sk_free_security - free the sk_security field 758 */ 759 static void apparmor_sk_free_security(struct sock *sk) 760 { 761 struct aa_sk_ctx *ctx = SK_CTX(sk); 762 763 SK_CTX(sk) = NULL; 764 aa_put_label(ctx->label); 765 aa_put_label(ctx->peer); 766 path_put(&ctx->path); 767 kfree(ctx); 768 } 769 770 /** 771 * apparmor_clone_security - clone the sk_security field 772 */ 773 static void apparmor_sk_clone_security(const struct sock *sk, 774 struct sock *newsk) 775 { 776 struct aa_sk_ctx *ctx = SK_CTX(sk); 777 struct aa_sk_ctx *new = SK_CTX(newsk); 778 779 new->label = aa_get_label(ctx->label); 780 new->peer = aa_get_label(ctx->peer); 781 new->path = ctx->path; 782 path_get(&new->path); 783 } 784 785 static int aa_sock_create_perm(struct aa_label *label, int family, int type, 786 int protocol) 787 { 788 AA_BUG(!label); 789 AA_BUG(in_interrupt()); 790 791 return aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family, type, 792 protocol); 793 } 794 795 796 /** 797 * apparmor_socket_create - check perms before creating a new socket 798 */ 799 static int apparmor_socket_create(int family, int type, int protocol, int kern) 800 { 801 struct aa_label *label; 802 int error = 0; 803 804 label = begin_current_label_crit_section(); 805 if (!(kern || unconfined(label))) 806 error = aa_sock_create_perm(label, family, type, protocol); 807 end_current_label_crit_section(label); 808 809 return error; 810 } 811 812 /** 813 * apparmor_socket_post_create - setup the per-socket security struct 814 * 815 * Note: 816 * - kernel sockets currently labeled unconfined but we may want to 817 * move to a special kernel label 818 * - socket may not have sk here if created with sock_create_lite or 819 * sock_alloc. These should be accept cases which will be handled in 820 * sock_graft. 821 */ 822 static int apparmor_socket_post_create(struct socket *sock, int family, 823 int type, int protocol, int kern) 824 { 825 struct aa_label *label; 826 827 if (kern) { 828 struct aa_ns *ns = aa_get_current_ns(); 829 830 label = aa_get_label(ns_unconfined(ns)); 831 aa_put_ns(ns); 832 } else 833 label = aa_get_current_label(); 834 835 if (sock->sk) { 836 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 837 838 aa_put_label(ctx->label); 839 ctx->label = aa_get_label(label); 840 } 841 aa_put_label(label); 842 843 return 0; 844 } 845 846 /** 847 * apparmor_socket_bind - check perms before bind addr to socket 848 */ 849 static int apparmor_socket_bind(struct socket *sock, 850 struct sockaddr *address, int addrlen) 851 { 852 AA_BUG(!sock); 853 AA_BUG(!sock->sk); 854 AA_BUG(!address); 855 AA_BUG(in_interrupt()); 856 857 return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk); 858 } 859 860 /** 861 * apparmor_socket_connect - check perms before connecting @sock to @address 862 */ 863 static int apparmor_socket_connect(struct socket *sock, 864 struct sockaddr *address, int addrlen) 865 { 866 AA_BUG(!sock); 867 AA_BUG(!sock->sk); 868 AA_BUG(!address); 869 AA_BUG(in_interrupt()); 870 871 return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk); 872 } 873 874 /** 875 * apparmor_socket_list - check perms before allowing listen 876 */ 877 static int apparmor_socket_listen(struct socket *sock, int backlog) 878 { 879 AA_BUG(!sock); 880 AA_BUG(!sock->sk); 881 AA_BUG(in_interrupt()); 882 883 return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk); 884 } 885 886 /** 887 * apparmor_socket_accept - check perms before accepting a new connection. 888 * 889 * Note: while @newsock is created and has some information, the accept 890 * has not been done. 891 */ 892 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 893 { 894 AA_BUG(!sock); 895 AA_BUG(!sock->sk); 896 AA_BUG(!newsock); 897 AA_BUG(in_interrupt()); 898 899 return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk); 900 } 901 902 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 903 struct msghdr *msg, int size) 904 { 905 AA_BUG(!sock); 906 AA_BUG(!sock->sk); 907 AA_BUG(!msg); 908 AA_BUG(in_interrupt()); 909 910 return aa_sk_perm(op, request, sock->sk); 911 } 912 913 /** 914 * apparmor_socket_sendmsg - check perms before sending msg to another socket 915 */ 916 static int apparmor_socket_sendmsg(struct socket *sock, 917 struct msghdr *msg, int size) 918 { 919 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 920 } 921 922 /** 923 * apparmor_socket_recvmsg - check perms before receiving a message 924 */ 925 static int apparmor_socket_recvmsg(struct socket *sock, 926 struct msghdr *msg, int size, int flags) 927 { 928 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 929 } 930 931 /* revaliation, get/set attr, shutdown */ 932 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 933 { 934 AA_BUG(!sock); 935 AA_BUG(!sock->sk); 936 AA_BUG(in_interrupt()); 937 938 return aa_sk_perm(op, request, sock->sk); 939 } 940 941 /** 942 * apparmor_socket_getsockname - check perms before getting the local address 943 */ 944 static int apparmor_socket_getsockname(struct socket *sock) 945 { 946 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 947 } 948 949 /** 950 * apparmor_socket_getpeername - check perms before getting remote address 951 */ 952 static int apparmor_socket_getpeername(struct socket *sock) 953 { 954 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 955 } 956 957 /* revaliation, get/set attr, opt */ 958 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 959 int level, int optname) 960 { 961 AA_BUG(!sock); 962 AA_BUG(!sock->sk); 963 AA_BUG(in_interrupt()); 964 965 return aa_sk_perm(op, request, sock->sk); 966 } 967 968 /** 969 * apparmor_getsockopt - check perms before getting socket options 970 */ 971 static int apparmor_socket_getsockopt(struct socket *sock, int level, 972 int optname) 973 { 974 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 975 level, optname); 976 } 977 978 /** 979 * apparmor_setsockopt - check perms before setting socket options 980 */ 981 static int apparmor_socket_setsockopt(struct socket *sock, int level, 982 int optname) 983 { 984 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 985 level, optname); 986 } 987 988 /** 989 * apparmor_socket_shutdown - check perms before shutting down @sock conn 990 */ 991 static int apparmor_socket_shutdown(struct socket *sock, int how) 992 { 993 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 994 } 995 996 /** 997 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 998 * 999 * Note: can not sleep may be called with locks held 1000 * 1001 * dont want protocol specific in __skb_recv_datagram() 1002 * to deny an incoming connection socket_sock_rcv_skb() 1003 */ 1004 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1005 { 1006 return 0; 1007 } 1008 1009 1010 static struct aa_label *sk_peer_label(struct sock *sk) 1011 { 1012 struct aa_sk_ctx *ctx = SK_CTX(sk); 1013 1014 if (ctx->peer) 1015 return ctx->peer; 1016 1017 return ERR_PTR(-ENOPROTOOPT); 1018 } 1019 1020 /** 1021 * apparmor_socket_getpeersec_stream - get security context of peer 1022 * 1023 * Note: for tcp only valid if using ipsec or cipso on lan 1024 */ 1025 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1026 char __user *optval, 1027 int __user *optlen, 1028 unsigned int len) 1029 { 1030 char *name; 1031 int slen, error = 0; 1032 struct aa_label *label; 1033 struct aa_label *peer; 1034 1035 label = begin_current_label_crit_section(); 1036 peer = sk_peer_label(sock->sk); 1037 if (IS_ERR(peer)) { 1038 error = PTR_ERR(peer); 1039 goto done; 1040 } 1041 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1042 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1043 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1044 /* don't include terminating \0 in slen, it breaks some apps */ 1045 if (slen < 0) { 1046 error = -ENOMEM; 1047 } else { 1048 if (slen > len) { 1049 error = -ERANGE; 1050 } else if (copy_to_user(optval, name, slen)) { 1051 error = -EFAULT; 1052 goto out; 1053 } 1054 if (put_user(slen, optlen)) 1055 error = -EFAULT; 1056 out: 1057 kfree(name); 1058 1059 } 1060 1061 done: 1062 end_current_label_crit_section(label); 1063 1064 return error; 1065 } 1066 1067 /** 1068 * apparmor_socket_getpeersec_dgram - get security label of packet 1069 * @sock: the peer socket 1070 * @skb: packet data 1071 * @secid: pointer to where to put the secid of the packet 1072 * 1073 * Sets the netlabel socket state on sk from parent 1074 */ 1075 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1076 struct sk_buff *skb, u32 *secid) 1077 1078 { 1079 /* TODO: requires secid support */ 1080 return -ENOPROTOOPT; 1081 } 1082 1083 /** 1084 * apparmor_sock_graft - Initialize newly created socket 1085 * @sk: child sock 1086 * @parent: parent socket 1087 * 1088 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1089 * just set sk security information off of current creating process label 1090 * Labeling of sk for accept case - probably should be sock based 1091 * instead of task, because of the case where an implicitly labeled 1092 * socket is shared by different tasks. 1093 */ 1094 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1095 { 1096 struct aa_sk_ctx *ctx = SK_CTX(sk); 1097 1098 if (!ctx->label) 1099 ctx->label = aa_get_current_label(); 1100 } 1101 1102 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1103 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1104 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1105 LSM_HOOK_INIT(capget, apparmor_capget), 1106 LSM_HOOK_INIT(capable, apparmor_capable), 1107 1108 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1109 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1110 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1111 1112 LSM_HOOK_INIT(path_link, apparmor_path_link), 1113 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1114 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1115 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1116 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1117 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1118 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1119 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1120 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1121 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1122 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1123 1124 LSM_HOOK_INIT(file_open, apparmor_file_open), 1125 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1126 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1127 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1128 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1129 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1130 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1131 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1132 1133 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1134 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1135 1136 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1137 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1138 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1139 1140 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1141 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1142 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1143 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1144 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1145 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1146 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1147 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1148 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1149 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1150 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1151 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1152 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1153 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1154 LSM_HOOK_INIT(socket_getpeersec_stream, 1155 apparmor_socket_getpeersec_stream), 1156 LSM_HOOK_INIT(socket_getpeersec_dgram, 1157 apparmor_socket_getpeersec_dgram), 1158 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1159 1160 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1161 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1162 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1163 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1164 1165 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 1166 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1167 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1168 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec), 1169 1170 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1171 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1172 }; 1173 1174 /* 1175 * AppArmor sysfs module parameters 1176 */ 1177 1178 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1179 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1180 #define param_check_aabool param_check_bool 1181 static const struct kernel_param_ops param_ops_aabool = { 1182 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1183 .set = param_set_aabool, 1184 .get = param_get_aabool 1185 }; 1186 1187 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1188 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1189 #define param_check_aauint param_check_uint 1190 static const struct kernel_param_ops param_ops_aauint = { 1191 .set = param_set_aauint, 1192 .get = param_get_aauint 1193 }; 1194 1195 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1196 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1197 #define param_check_aalockpolicy param_check_bool 1198 static const struct kernel_param_ops param_ops_aalockpolicy = { 1199 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1200 .set = param_set_aalockpolicy, 1201 .get = param_get_aalockpolicy 1202 }; 1203 1204 static int param_set_audit(const char *val, struct kernel_param *kp); 1205 static int param_get_audit(char *buffer, struct kernel_param *kp); 1206 1207 static int param_set_mode(const char *val, struct kernel_param *kp); 1208 static int param_get_mode(char *buffer, struct kernel_param *kp); 1209 1210 /* Flag values, also controllable via /sys/module/apparmor/parameters 1211 * We define special types as we want to do additional mediation. 1212 */ 1213 1214 /* AppArmor global enforcement switch - complain, enforce, kill */ 1215 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1216 module_param_call(mode, param_set_mode, param_get_mode, 1217 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1218 1219 /* whether policy verification hashing is enabled */ 1220 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1221 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1222 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1223 #endif 1224 1225 /* Debug mode */ 1226 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1227 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1228 1229 /* Audit mode */ 1230 enum audit_mode aa_g_audit; 1231 module_param_call(audit, param_set_audit, param_get_audit, 1232 &aa_g_audit, S_IRUSR | S_IWUSR); 1233 1234 /* Determines if audit header is included in audited messages. This 1235 * provides more context if the audit daemon is not running 1236 */ 1237 bool aa_g_audit_header = 1; 1238 module_param_named(audit_header, aa_g_audit_header, aabool, 1239 S_IRUSR | S_IWUSR); 1240 1241 /* lock out loading/removal of policy 1242 * TODO: add in at boot loading of policy, which is the only way to 1243 * load policy, if lock_policy is set 1244 */ 1245 bool aa_g_lock_policy; 1246 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1247 S_IRUSR | S_IWUSR); 1248 1249 /* Syscall logging mode */ 1250 bool aa_g_logsyscall; 1251 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1252 1253 /* Maximum pathname length before accesses will start getting rejected */ 1254 unsigned int aa_g_path_max = 2 * PATH_MAX; 1255 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1256 1257 /* Determines how paranoid loading of policy is and how much verification 1258 * on the loaded policy is done. 1259 * DEPRECATED: read only as strict checking of load is always done now 1260 * that none root users (user namespaces) can load policy. 1261 */ 1262 bool aa_g_paranoid_load = 1; 1263 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1264 1265 /* Boot time disable flag */ 1266 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 1267 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 1268 1269 static int __init apparmor_enabled_setup(char *str) 1270 { 1271 unsigned long enabled; 1272 int error = kstrtoul(str, 0, &enabled); 1273 if (!error) 1274 apparmor_enabled = enabled ? 1 : 0; 1275 return 1; 1276 } 1277 1278 __setup("apparmor=", apparmor_enabled_setup); 1279 1280 /* set global flag turning off the ability to load policy */ 1281 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1282 { 1283 if (!apparmor_enabled) 1284 return -EINVAL; 1285 if (apparmor_initialized && !policy_admin_capable(NULL)) 1286 return -EPERM; 1287 return param_set_bool(val, kp); 1288 } 1289 1290 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1291 { 1292 if (!apparmor_enabled) 1293 return -EINVAL; 1294 if (apparmor_initialized && !policy_view_capable(NULL)) 1295 return -EPERM; 1296 return param_get_bool(buffer, kp); 1297 } 1298 1299 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1300 { 1301 if (!apparmor_enabled) 1302 return -EINVAL; 1303 if (apparmor_initialized && !policy_admin_capable(NULL)) 1304 return -EPERM; 1305 return param_set_bool(val, kp); 1306 } 1307 1308 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1309 { 1310 if (!apparmor_enabled) 1311 return -EINVAL; 1312 if (apparmor_initialized && !policy_view_capable(NULL)) 1313 return -EPERM; 1314 return param_get_bool(buffer, kp); 1315 } 1316 1317 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1318 { 1319 int error; 1320 1321 if (!apparmor_enabled) 1322 return -EINVAL; 1323 /* file is ro but enforce 2nd line check */ 1324 if (apparmor_initialized) 1325 return -EPERM; 1326 1327 error = param_set_uint(val, kp); 1328 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1329 1330 return error; 1331 } 1332 1333 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1334 { 1335 if (!apparmor_enabled) 1336 return -EINVAL; 1337 if (apparmor_initialized && !policy_view_capable(NULL)) 1338 return -EPERM; 1339 return param_get_uint(buffer, kp); 1340 } 1341 1342 static int param_get_audit(char *buffer, struct kernel_param *kp) 1343 { 1344 if (!apparmor_enabled) 1345 return -EINVAL; 1346 if (apparmor_initialized && !policy_view_capable(NULL)) 1347 return -EPERM; 1348 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1349 } 1350 1351 static int param_set_audit(const char *val, struct kernel_param *kp) 1352 { 1353 int i; 1354 1355 if (!apparmor_enabled) 1356 return -EINVAL; 1357 if (!val) 1358 return -EINVAL; 1359 if (apparmor_initialized && !policy_admin_capable(NULL)) 1360 return -EPERM; 1361 1362 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 1363 if (strcmp(val, audit_mode_names[i]) == 0) { 1364 aa_g_audit = i; 1365 return 0; 1366 } 1367 } 1368 1369 return -EINVAL; 1370 } 1371 1372 static int param_get_mode(char *buffer, struct kernel_param *kp) 1373 { 1374 if (!apparmor_enabled) 1375 return -EINVAL; 1376 if (apparmor_initialized && !policy_view_capable(NULL)) 1377 return -EPERM; 1378 1379 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1380 } 1381 1382 static int param_set_mode(const char *val, struct kernel_param *kp) 1383 { 1384 int i; 1385 1386 if (!apparmor_enabled) 1387 return -EINVAL; 1388 if (!val) 1389 return -EINVAL; 1390 if (apparmor_initialized && !policy_admin_capable(NULL)) 1391 return -EPERM; 1392 1393 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 1394 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 1395 aa_g_profile_mode = i; 1396 return 0; 1397 } 1398 } 1399 1400 return -EINVAL; 1401 } 1402 1403 /* 1404 * AppArmor init functions 1405 */ 1406 1407 /** 1408 * set_init_ctx - set a task context and profile on the first task. 1409 * 1410 * TODO: allow setting an alternate profile than unconfined 1411 */ 1412 static int __init set_init_ctx(void) 1413 { 1414 struct cred *cred = (struct cred *)current->real_cred; 1415 struct aa_task_ctx *ctx; 1416 1417 ctx = aa_alloc_task_context(GFP_KERNEL); 1418 if (!ctx) 1419 return -ENOMEM; 1420 1421 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1422 cred_ctx(cred) = ctx; 1423 1424 return 0; 1425 } 1426 1427 static void destroy_buffers(void) 1428 { 1429 u32 i, j; 1430 1431 for_each_possible_cpu(i) { 1432 for_each_cpu_buffer(j) { 1433 kfree(per_cpu(aa_buffers, i).buf[j]); 1434 per_cpu(aa_buffers, i).buf[j] = NULL; 1435 } 1436 } 1437 } 1438 1439 static int __init alloc_buffers(void) 1440 { 1441 u32 i, j; 1442 1443 for_each_possible_cpu(i) { 1444 for_each_cpu_buffer(j) { 1445 char *buffer; 1446 1447 if (cpu_to_node(i) > num_online_nodes()) 1448 /* fallback to kmalloc for offline nodes */ 1449 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1450 else 1451 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1452 cpu_to_node(i)); 1453 if (!buffer) { 1454 destroy_buffers(); 1455 return -ENOMEM; 1456 } 1457 per_cpu(aa_buffers, i).buf[j] = buffer; 1458 } 1459 } 1460 1461 return 0; 1462 } 1463 1464 #ifdef CONFIG_SYSCTL 1465 static int apparmor_dointvec(struct ctl_table *table, int write, 1466 void __user *buffer, size_t *lenp, loff_t *ppos) 1467 { 1468 if (!policy_admin_capable(NULL)) 1469 return -EPERM; 1470 if (!apparmor_enabled) 1471 return -EINVAL; 1472 1473 return proc_dointvec(table, write, buffer, lenp, ppos); 1474 } 1475 1476 static struct ctl_path apparmor_sysctl_path[] = { 1477 { .procname = "kernel", }, 1478 { } 1479 }; 1480 1481 static struct ctl_table apparmor_sysctl_table[] = { 1482 { 1483 .procname = "unprivileged_userns_apparmor_policy", 1484 .data = &unprivileged_userns_apparmor_policy, 1485 .maxlen = sizeof(int), 1486 .mode = 0600, 1487 .proc_handler = apparmor_dointvec, 1488 }, 1489 { } 1490 }; 1491 1492 static int __init apparmor_init_sysctl(void) 1493 { 1494 return register_sysctl_paths(apparmor_sysctl_path, 1495 apparmor_sysctl_table) ? 0 : -ENOMEM; 1496 } 1497 #else 1498 static inline int apparmor_init_sysctl(void) 1499 { 1500 return 0; 1501 } 1502 #endif /* CONFIG_SYSCTL */ 1503 1504 static int __init apparmor_init(void) 1505 { 1506 int error; 1507 1508 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1509 aa_info_message("AppArmor disabled by boot time parameter"); 1510 apparmor_enabled = 0; 1511 return 0; 1512 } 1513 1514 error = aa_setup_dfa_engine(); 1515 if (error) { 1516 AA_ERROR("Unable to setup dfa engine\n"); 1517 goto alloc_out; 1518 } 1519 1520 error = aa_alloc_root_ns(); 1521 if (error) { 1522 AA_ERROR("Unable to allocate default profile namespace\n"); 1523 goto alloc_out; 1524 } 1525 1526 error = apparmor_init_sysctl(); 1527 if (error) { 1528 AA_ERROR("Unable to register sysctls\n"); 1529 goto alloc_out; 1530 1531 } 1532 1533 error = alloc_buffers(); 1534 if (error) { 1535 AA_ERROR("Unable to allocate work buffers\n"); 1536 goto buffers_out; 1537 } 1538 1539 error = set_init_ctx(); 1540 if (error) { 1541 AA_ERROR("Failed to set context on init task\n"); 1542 aa_free_root_ns(); 1543 goto buffers_out; 1544 } 1545 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1546 "apparmor"); 1547 1548 /* Report that AppArmor successfully initialized */ 1549 apparmor_initialized = 1; 1550 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1551 aa_info_message("AppArmor initialized: complain mode enabled"); 1552 else if (aa_g_profile_mode == APPARMOR_KILL) 1553 aa_info_message("AppArmor initialized: kill mode enabled"); 1554 else 1555 aa_info_message("AppArmor initialized"); 1556 1557 return error; 1558 1559 buffers_out: 1560 destroy_buffers(); 1561 1562 alloc_out: 1563 aa_destroy_aafs(); 1564 aa_teardown_dfa_engine(); 1565 1566 apparmor_enabled = 0; 1567 return error; 1568 } 1569 1570 security_initcall(apparmor_init); 1571