1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 43 /* Flag indicating whether initialization completed */ 44 int apparmor_initialized; 45 46 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 47 48 49 /* 50 * LSM hook functions 51 */ 52 53 /* 54 * free the associated aa_task_ctx and put its labels 55 */ 56 static void apparmor_cred_free(struct cred *cred) 57 { 58 aa_free_task_context(cred_ctx(cred)); 59 cred_ctx(cred) = NULL; 60 } 61 62 /* 63 * allocate the apparmor part of blank credentials 64 */ 65 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 66 { 67 /* freed by apparmor_cred_free */ 68 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 69 70 if (!ctx) 71 return -ENOMEM; 72 73 cred_ctx(cred) = ctx; 74 return 0; 75 } 76 77 /* 78 * prepare new aa_task_ctx for modification by prepare_cred block 79 */ 80 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 81 gfp_t gfp) 82 { 83 /* freed by apparmor_cred_free */ 84 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 85 86 if (!ctx) 87 return -ENOMEM; 88 89 aa_dup_task_context(ctx, cred_ctx(old)); 90 cred_ctx(new) = ctx; 91 return 0; 92 } 93 94 /* 95 * transfer the apparmor data to a blank set of creds 96 */ 97 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 98 { 99 const struct aa_task_ctx *old_ctx = cred_ctx(old); 100 struct aa_task_ctx *new_ctx = cred_ctx(new); 101 102 aa_dup_task_context(new_ctx, old_ctx); 103 } 104 105 static int apparmor_ptrace_access_check(struct task_struct *child, 106 unsigned int mode) 107 { 108 struct aa_label *tracer, *tracee; 109 int error; 110 111 tracer = begin_current_label_crit_section(); 112 tracee = aa_get_task_label(child); 113 error = aa_may_ptrace(tracer, tracee, 114 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 115 aa_put_label(tracee); 116 end_current_label_crit_section(tracer); 117 118 return error; 119 } 120 121 static int apparmor_ptrace_traceme(struct task_struct *parent) 122 { 123 struct aa_label *tracer, *tracee; 124 int error; 125 126 tracee = begin_current_label_crit_section(); 127 tracer = aa_get_task_label(parent); 128 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 129 aa_put_label(tracer); 130 end_current_label_crit_section(tracee); 131 132 return error; 133 } 134 135 /* Derived from security/commoncap.c:cap_capget */ 136 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 137 kernel_cap_t *inheritable, kernel_cap_t *permitted) 138 { 139 struct aa_label *label; 140 const struct cred *cred; 141 142 rcu_read_lock(); 143 cred = __task_cred(target); 144 label = aa_get_newest_cred_label(cred); 145 146 /* 147 * cap_capget is stacked ahead of this and will 148 * initialize effective and permitted. 149 */ 150 if (!unconfined(label)) { 151 struct aa_profile *profile; 152 struct label_it i; 153 154 label_for_each_confined(i, label, profile) { 155 if (COMPLAIN_MODE(profile)) 156 continue; 157 *effective = cap_intersect(*effective, 158 profile->caps.allow); 159 *permitted = cap_intersect(*permitted, 160 profile->caps.allow); 161 } 162 } 163 rcu_read_unlock(); 164 aa_put_label(label); 165 166 return 0; 167 } 168 169 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 170 int cap, int audit) 171 { 172 struct aa_label *label; 173 int error = 0; 174 175 label = aa_get_newest_cred_label(cred); 176 if (!unconfined(label)) 177 error = aa_capable(label, cap, audit); 178 aa_put_label(label); 179 180 return error; 181 } 182 183 /** 184 * common_perm - basic common permission check wrapper fn for paths 185 * @op: operation being checked 186 * @path: path to check permission of (NOT NULL) 187 * @mask: requested permissions mask 188 * @cond: conditional info for the permission request (NOT NULL) 189 * 190 * Returns: %0 else error code if error or permission denied 191 */ 192 static int common_perm(const char *op, const struct path *path, u32 mask, 193 struct path_cond *cond) 194 { 195 struct aa_label *label; 196 int error = 0; 197 198 label = __begin_current_label_crit_section(); 199 if (!unconfined(label)) 200 error = aa_path_perm(op, label, path, 0, mask, cond); 201 __end_current_label_crit_section(label); 202 203 return error; 204 } 205 206 /** 207 * common_perm_cond - common permission wrapper around inode cond 208 * @op: operation being checked 209 * @path: location to check (NOT NULL) 210 * @mask: requested permissions mask 211 * 212 * Returns: %0 else error code if error or permission denied 213 */ 214 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 215 { 216 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 217 d_backing_inode(path->dentry)->i_mode 218 }; 219 220 if (!path_mediated_fs(path->dentry)) 221 return 0; 222 223 return common_perm(op, path, mask, &cond); 224 } 225 226 /** 227 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 228 * @op: operation being checked 229 * @dir: directory of the dentry (NOT NULL) 230 * @dentry: dentry to check (NOT NULL) 231 * @mask: requested permissions mask 232 * @cond: conditional info for the permission request (NOT NULL) 233 * 234 * Returns: %0 else error code if error or permission denied 235 */ 236 static int common_perm_dir_dentry(const char *op, const struct path *dir, 237 struct dentry *dentry, u32 mask, 238 struct path_cond *cond) 239 { 240 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 241 242 return common_perm(op, &path, mask, cond); 243 } 244 245 /** 246 * common_perm_rm - common permission wrapper for operations doing rm 247 * @op: operation being checked 248 * @dir: directory that the dentry is in (NOT NULL) 249 * @dentry: dentry being rm'd (NOT NULL) 250 * @mask: requested permission mask 251 * 252 * Returns: %0 else error code if error or permission denied 253 */ 254 static int common_perm_rm(const char *op, const struct path *dir, 255 struct dentry *dentry, u32 mask) 256 { 257 struct inode *inode = d_backing_inode(dentry); 258 struct path_cond cond = { }; 259 260 if (!inode || !path_mediated_fs(dentry)) 261 return 0; 262 263 cond.uid = inode->i_uid; 264 cond.mode = inode->i_mode; 265 266 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 267 } 268 269 /** 270 * common_perm_create - common permission wrapper for operations doing create 271 * @op: operation being checked 272 * @dir: directory that dentry will be created in (NOT NULL) 273 * @dentry: dentry to create (NOT NULL) 274 * @mask: request permission mask 275 * @mode: created file mode 276 * 277 * Returns: %0 else error code if error or permission denied 278 */ 279 static int common_perm_create(const char *op, const struct path *dir, 280 struct dentry *dentry, u32 mask, umode_t mode) 281 { 282 struct path_cond cond = { current_fsuid(), mode }; 283 284 if (!path_mediated_fs(dir->dentry)) 285 return 0; 286 287 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 288 } 289 290 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 291 { 292 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 293 } 294 295 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 296 umode_t mode) 297 { 298 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 299 S_IFDIR); 300 } 301 302 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 303 { 304 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 305 } 306 307 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 308 umode_t mode, unsigned int dev) 309 { 310 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 311 } 312 313 static int apparmor_path_truncate(const struct path *path) 314 { 315 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 316 } 317 318 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 319 const char *old_name) 320 { 321 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 322 S_IFLNK); 323 } 324 325 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 326 struct dentry *new_dentry) 327 { 328 struct aa_label *label; 329 int error = 0; 330 331 if (!path_mediated_fs(old_dentry)) 332 return 0; 333 334 label = begin_current_label_crit_section(); 335 if (!unconfined(label)) 336 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 337 end_current_label_crit_section(label); 338 339 return error; 340 } 341 342 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 343 const struct path *new_dir, struct dentry *new_dentry) 344 { 345 struct aa_label *label; 346 int error = 0; 347 348 if (!path_mediated_fs(old_dentry)) 349 return 0; 350 351 label = begin_current_label_crit_section(); 352 if (!unconfined(label)) { 353 struct path old_path = { .mnt = old_dir->mnt, 354 .dentry = old_dentry }; 355 struct path new_path = { .mnt = new_dir->mnt, 356 .dentry = new_dentry }; 357 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 358 d_backing_inode(old_dentry)->i_mode 359 }; 360 361 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 362 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 363 AA_MAY_SETATTR | AA_MAY_DELETE, 364 &cond); 365 if (!error) 366 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 367 0, MAY_WRITE | AA_MAY_SETATTR | 368 AA_MAY_CREATE, &cond); 369 370 } 371 end_current_label_crit_section(label); 372 373 return error; 374 } 375 376 static int apparmor_path_chmod(const struct path *path, umode_t mode) 377 { 378 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 379 } 380 381 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 382 { 383 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 384 } 385 386 static int apparmor_inode_getattr(const struct path *path) 387 { 388 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 389 } 390 391 static int apparmor_file_open(struct file *file, const struct cred *cred) 392 { 393 struct aa_file_ctx *fctx = file_ctx(file); 394 struct aa_label *label; 395 int error = 0; 396 397 if (!path_mediated_fs(file->f_path.dentry)) 398 return 0; 399 400 /* If in exec, permission is handled by bprm hooks. 401 * Cache permissions granted by the previous exec check, with 402 * implicit read and executable mmap which are required to 403 * actually execute the image. 404 */ 405 if (current->in_execve) { 406 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 407 return 0; 408 } 409 410 label = aa_get_newest_cred_label(cred); 411 if (!unconfined(label)) { 412 struct inode *inode = file_inode(file); 413 struct path_cond cond = { inode->i_uid, inode->i_mode }; 414 415 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 416 aa_map_file_to_perms(file), &cond); 417 /* todo cache full allowed permissions set and state */ 418 fctx->allow = aa_map_file_to_perms(file); 419 } 420 aa_put_label(label); 421 422 return error; 423 } 424 425 static int apparmor_file_alloc_security(struct file *file) 426 { 427 int error = 0; 428 429 /* freed by apparmor_file_free_security */ 430 struct aa_label *label = begin_current_label_crit_section(); 431 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 432 if (!file_ctx(file)) 433 error = -ENOMEM; 434 end_current_label_crit_section(label); 435 436 return error; 437 } 438 439 static void apparmor_file_free_security(struct file *file) 440 { 441 aa_free_file_ctx(file_ctx(file)); 442 } 443 444 static int common_file_perm(const char *op, struct file *file, u32 mask) 445 { 446 struct aa_label *label; 447 int error = 0; 448 449 /* don't reaudit files closed during inheritance */ 450 if (file->f_path.dentry == aa_null.dentry) 451 return -EACCES; 452 453 label = __begin_current_label_crit_section(); 454 error = aa_file_perm(op, label, file, mask); 455 __end_current_label_crit_section(label); 456 457 return error; 458 } 459 460 static int apparmor_file_receive(struct file *file) 461 { 462 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 463 } 464 465 static int apparmor_file_permission(struct file *file, int mask) 466 { 467 return common_file_perm(OP_FPERM, file, mask); 468 } 469 470 static int apparmor_file_lock(struct file *file, unsigned int cmd) 471 { 472 u32 mask = AA_MAY_LOCK; 473 474 if (cmd == F_WRLCK) 475 mask |= MAY_WRITE; 476 477 return common_file_perm(OP_FLOCK, file, mask); 478 } 479 480 static int common_mmap(const char *op, struct file *file, unsigned long prot, 481 unsigned long flags) 482 { 483 int mask = 0; 484 485 if (!file || !file_ctx(file)) 486 return 0; 487 488 if (prot & PROT_READ) 489 mask |= MAY_READ; 490 /* 491 * Private mappings don't require write perms since they don't 492 * write back to the files 493 */ 494 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 495 mask |= MAY_WRITE; 496 if (prot & PROT_EXEC) 497 mask |= AA_EXEC_MMAP; 498 499 return common_file_perm(op, file, mask); 500 } 501 502 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 503 unsigned long prot, unsigned long flags) 504 { 505 return common_mmap(OP_FMMAP, file, prot, flags); 506 } 507 508 static int apparmor_file_mprotect(struct vm_area_struct *vma, 509 unsigned long reqprot, unsigned long prot) 510 { 511 return common_mmap(OP_FMPROT, vma->vm_file, prot, 512 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 513 } 514 515 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 516 const char *type, unsigned long flags, void *data) 517 { 518 struct aa_label *label; 519 int error = 0; 520 521 /* Discard magic */ 522 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 523 flags &= ~MS_MGC_MSK; 524 525 flags &= ~AA_MS_IGNORE_MASK; 526 527 label = __begin_current_label_crit_section(); 528 if (!unconfined(label)) { 529 if (flags & MS_REMOUNT) 530 error = aa_remount(label, path, flags, data); 531 else if (flags & MS_BIND) 532 error = aa_bind_mount(label, path, dev_name, flags); 533 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 534 MS_UNBINDABLE)) 535 error = aa_mount_change_type(label, path, flags); 536 else if (flags & MS_MOVE) 537 error = aa_move_mount(label, path, dev_name); 538 else 539 error = aa_new_mount(label, dev_name, path, type, 540 flags, data); 541 } 542 __end_current_label_crit_section(label); 543 544 return error; 545 } 546 547 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 548 { 549 struct aa_label *label; 550 int error = 0; 551 552 label = __begin_current_label_crit_section(); 553 if (!unconfined(label)) 554 error = aa_umount(label, mnt, flags); 555 __end_current_label_crit_section(label); 556 557 return error; 558 } 559 560 static int apparmor_sb_pivotroot(const struct path *old_path, 561 const struct path *new_path) 562 { 563 struct aa_label *label; 564 int error = 0; 565 566 label = aa_get_current_label(); 567 if (!unconfined(label)) 568 error = aa_pivotroot(label, old_path, new_path); 569 aa_put_label(label); 570 571 return error; 572 } 573 574 static int apparmor_getprocattr(struct task_struct *task, char *name, 575 char **value) 576 { 577 int error = -ENOENT; 578 /* released below */ 579 const struct cred *cred = get_task_cred(task); 580 struct aa_task_ctx *ctx = cred_ctx(cred); 581 struct aa_label *label = NULL; 582 583 if (strcmp(name, "current") == 0) 584 label = aa_get_newest_label(ctx->label); 585 else if (strcmp(name, "prev") == 0 && ctx->previous) 586 label = aa_get_newest_label(ctx->previous); 587 else if (strcmp(name, "exec") == 0 && ctx->onexec) 588 label = aa_get_newest_label(ctx->onexec); 589 else 590 error = -EINVAL; 591 592 if (label) 593 error = aa_getprocattr(label, value); 594 595 aa_put_label(label); 596 put_cred(cred); 597 598 return error; 599 } 600 601 static int apparmor_setprocattr(const char *name, void *value, 602 size_t size) 603 { 604 char *command, *largs = NULL, *args = value; 605 size_t arg_size; 606 int error; 607 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 608 609 if (size == 0) 610 return -EINVAL; 611 612 /* AppArmor requires that the buffer must be null terminated atm */ 613 if (args[size - 1] != '\0') { 614 /* null terminate */ 615 largs = args = kmalloc(size + 1, GFP_KERNEL); 616 if (!args) 617 return -ENOMEM; 618 memcpy(args, value, size); 619 args[size] = '\0'; 620 } 621 622 error = -EINVAL; 623 args = strim(args); 624 command = strsep(&args, " "); 625 if (!args) 626 goto out; 627 args = skip_spaces(args); 628 if (!*args) 629 goto out; 630 631 arg_size = size - (args - (largs ? largs : (char *) value)); 632 if (strcmp(name, "current") == 0) { 633 if (strcmp(command, "changehat") == 0) { 634 error = aa_setprocattr_changehat(args, arg_size, 635 AA_CHANGE_NOFLAGS); 636 } else if (strcmp(command, "permhat") == 0) { 637 error = aa_setprocattr_changehat(args, arg_size, 638 AA_CHANGE_TEST); 639 } else if (strcmp(command, "changeprofile") == 0) { 640 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 641 } else if (strcmp(command, "permprofile") == 0) { 642 error = aa_change_profile(args, AA_CHANGE_TEST); 643 } else if (strcmp(command, "stack") == 0) { 644 error = aa_change_profile(args, AA_CHANGE_STACK); 645 } else 646 goto fail; 647 } else if (strcmp(name, "exec") == 0) { 648 if (strcmp(command, "exec") == 0) 649 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 650 else if (strcmp(command, "stack") == 0) 651 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 652 AA_CHANGE_STACK)); 653 else 654 goto fail; 655 } else 656 /* only support the "current" and "exec" process attributes */ 657 goto fail; 658 659 if (!error) 660 error = size; 661 out: 662 kfree(largs); 663 return error; 664 665 fail: 666 aad(&sa)->label = begin_current_label_crit_section(); 667 aad(&sa)->info = name; 668 aad(&sa)->error = error = -EINVAL; 669 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 670 end_current_label_crit_section(aad(&sa)->label); 671 goto out; 672 } 673 674 /** 675 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 676 * @bprm: binprm for the exec (NOT NULL) 677 */ 678 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 679 { 680 struct aa_label *label = aa_current_raw_label(); 681 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 682 683 /* bail out if unconfined or not changing profile */ 684 if ((new_ctx->label->proxy == label->proxy) || 685 (unconfined(new_ctx->label))) 686 return; 687 688 aa_inherit_files(bprm->cred, current->files); 689 690 current->pdeath_signal = 0; 691 692 /* reset soft limits and set hard limits for the new label */ 693 __aa_transition_rlimits(label, new_ctx->label); 694 } 695 696 /** 697 * apparmor_bprm_committed_cred - do cleanup after new creds committed 698 * @bprm: binprm for the exec (NOT NULL) 699 */ 700 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 701 { 702 /* TODO: cleanup signals - ipc mediation */ 703 return; 704 } 705 706 static int apparmor_task_setrlimit(struct task_struct *task, 707 unsigned int resource, struct rlimit *new_rlim) 708 { 709 struct aa_label *label = __begin_current_label_crit_section(); 710 int error = 0; 711 712 if (!unconfined(label)) 713 error = aa_task_setrlimit(label, task, resource, new_rlim); 714 __end_current_label_crit_section(label); 715 716 return error; 717 } 718 719 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 720 int sig, const struct cred *cred) 721 { 722 struct aa_label *cl, *tl; 723 int error; 724 725 if (cred) { 726 /* 727 * Dealing with USB IO specific behavior 728 */ 729 cl = aa_get_newest_cred_label(cred); 730 tl = aa_get_task_label(target); 731 error = aa_may_signal(cl, tl, sig); 732 aa_put_label(cl); 733 aa_put_label(tl); 734 return error; 735 } 736 737 cl = __begin_current_label_crit_section(); 738 tl = aa_get_task_label(target); 739 error = aa_may_signal(cl, tl, sig); 740 aa_put_label(tl); 741 __end_current_label_crit_section(cl); 742 743 return error; 744 } 745 746 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 747 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 748 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 749 LSM_HOOK_INIT(capget, apparmor_capget), 750 LSM_HOOK_INIT(capable, apparmor_capable), 751 752 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 753 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 754 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 755 756 LSM_HOOK_INIT(path_link, apparmor_path_link), 757 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 758 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 759 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 760 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 761 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 762 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 763 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 764 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 765 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 766 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 767 768 LSM_HOOK_INIT(file_open, apparmor_file_open), 769 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 770 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 771 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 772 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 773 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 774 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 775 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 776 777 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 778 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 779 780 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 781 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 782 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 783 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 784 785 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 786 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 787 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 788 789 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 790 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 791 }; 792 793 /* 794 * AppArmor sysfs module parameters 795 */ 796 797 static int param_set_aabool(const char *val, const struct kernel_param *kp); 798 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 799 #define param_check_aabool param_check_bool 800 static const struct kernel_param_ops param_ops_aabool = { 801 .flags = KERNEL_PARAM_OPS_FL_NOARG, 802 .set = param_set_aabool, 803 .get = param_get_aabool 804 }; 805 806 static int param_set_aauint(const char *val, const struct kernel_param *kp); 807 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 808 #define param_check_aauint param_check_uint 809 static const struct kernel_param_ops param_ops_aauint = { 810 .set = param_set_aauint, 811 .get = param_get_aauint 812 }; 813 814 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 815 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 816 #define param_check_aalockpolicy param_check_bool 817 static const struct kernel_param_ops param_ops_aalockpolicy = { 818 .flags = KERNEL_PARAM_OPS_FL_NOARG, 819 .set = param_set_aalockpolicy, 820 .get = param_get_aalockpolicy 821 }; 822 823 static int param_set_audit(const char *val, const struct kernel_param *kp); 824 static int param_get_audit(char *buffer, const struct kernel_param *kp); 825 826 static int param_set_mode(const char *val, const struct kernel_param *kp); 827 static int param_get_mode(char *buffer, const struct kernel_param *kp); 828 829 /* Flag values, also controllable via /sys/module/apparmor/parameters 830 * We define special types as we want to do additional mediation. 831 */ 832 833 /* AppArmor global enforcement switch - complain, enforce, kill */ 834 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 835 module_param_call(mode, param_set_mode, param_get_mode, 836 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 837 838 /* whether policy verification hashing is enabled */ 839 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 840 #ifdef CONFIG_SECURITY_APPARMOR_HASH 841 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 842 #endif 843 844 /* Debug mode */ 845 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 846 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 847 848 /* Audit mode */ 849 enum audit_mode aa_g_audit; 850 module_param_call(audit, param_set_audit, param_get_audit, 851 &aa_g_audit, S_IRUSR | S_IWUSR); 852 853 /* Determines if audit header is included in audited messages. This 854 * provides more context if the audit daemon is not running 855 */ 856 bool aa_g_audit_header = true; 857 module_param_named(audit_header, aa_g_audit_header, aabool, 858 S_IRUSR | S_IWUSR); 859 860 /* lock out loading/removal of policy 861 * TODO: add in at boot loading of policy, which is the only way to 862 * load policy, if lock_policy is set 863 */ 864 bool aa_g_lock_policy; 865 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 866 S_IRUSR | S_IWUSR); 867 868 /* Syscall logging mode */ 869 bool aa_g_logsyscall; 870 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 871 872 /* Maximum pathname length before accesses will start getting rejected */ 873 unsigned int aa_g_path_max = 2 * PATH_MAX; 874 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 875 876 /* Determines how paranoid loading of policy is and how much verification 877 * on the loaded policy is done. 878 * DEPRECATED: read only as strict checking of load is always done now 879 * that none root users (user namespaces) can load policy. 880 */ 881 bool aa_g_paranoid_load = true; 882 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 883 884 /* Boot time disable flag */ 885 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 886 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 887 888 static int __init apparmor_enabled_setup(char *str) 889 { 890 unsigned long enabled; 891 int error = kstrtoul(str, 0, &enabled); 892 if (!error) 893 apparmor_enabled = enabled ? 1 : 0; 894 return 1; 895 } 896 897 __setup("apparmor=", apparmor_enabled_setup); 898 899 /* set global flag turning off the ability to load policy */ 900 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 901 { 902 if (!apparmor_enabled) 903 return -EINVAL; 904 if (apparmor_initialized && !policy_admin_capable(NULL)) 905 return -EPERM; 906 return param_set_bool(val, kp); 907 } 908 909 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 910 { 911 if (!apparmor_enabled) 912 return -EINVAL; 913 if (apparmor_initialized && !policy_view_capable(NULL)) 914 return -EPERM; 915 return param_get_bool(buffer, kp); 916 } 917 918 static int param_set_aabool(const char *val, const struct kernel_param *kp) 919 { 920 if (!apparmor_enabled) 921 return -EINVAL; 922 if (apparmor_initialized && !policy_admin_capable(NULL)) 923 return -EPERM; 924 return param_set_bool(val, kp); 925 } 926 927 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 928 { 929 if (!apparmor_enabled) 930 return -EINVAL; 931 if (apparmor_initialized && !policy_view_capable(NULL)) 932 return -EPERM; 933 return param_get_bool(buffer, kp); 934 } 935 936 static int param_set_aauint(const char *val, const struct kernel_param *kp) 937 { 938 int error; 939 940 if (!apparmor_enabled) 941 return -EINVAL; 942 /* file is ro but enforce 2nd line check */ 943 if (apparmor_initialized) 944 return -EPERM; 945 946 error = param_set_uint(val, kp); 947 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 948 949 return error; 950 } 951 952 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 953 { 954 if (!apparmor_enabled) 955 return -EINVAL; 956 if (apparmor_initialized && !policy_view_capable(NULL)) 957 return -EPERM; 958 return param_get_uint(buffer, kp); 959 } 960 961 static int param_get_audit(char *buffer, const struct kernel_param *kp) 962 { 963 if (!apparmor_enabled) 964 return -EINVAL; 965 if (apparmor_initialized && !policy_view_capable(NULL)) 966 return -EPERM; 967 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 968 } 969 970 static int param_set_audit(const char *val, const struct kernel_param *kp) 971 { 972 int i; 973 974 if (!apparmor_enabled) 975 return -EINVAL; 976 if (!val) 977 return -EINVAL; 978 if (apparmor_initialized && !policy_admin_capable(NULL)) 979 return -EPERM; 980 981 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 982 if (strcmp(val, audit_mode_names[i]) == 0) { 983 aa_g_audit = i; 984 return 0; 985 } 986 } 987 988 return -EINVAL; 989 } 990 991 static int param_get_mode(char *buffer, const struct kernel_param *kp) 992 { 993 if (!apparmor_enabled) 994 return -EINVAL; 995 if (apparmor_initialized && !policy_view_capable(NULL)) 996 return -EPERM; 997 998 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 999 } 1000 1001 static int param_set_mode(const char *val, const struct kernel_param *kp) 1002 { 1003 int i; 1004 1005 if (!apparmor_enabled) 1006 return -EINVAL; 1007 if (!val) 1008 return -EINVAL; 1009 if (apparmor_initialized && !policy_admin_capable(NULL)) 1010 return -EPERM; 1011 1012 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 1013 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 1014 aa_g_profile_mode = i; 1015 return 0; 1016 } 1017 } 1018 1019 return -EINVAL; 1020 } 1021 1022 /* 1023 * AppArmor init functions 1024 */ 1025 1026 /** 1027 * set_init_ctx - set a task context and profile on the first task. 1028 * 1029 * TODO: allow setting an alternate profile than unconfined 1030 */ 1031 static int __init set_init_ctx(void) 1032 { 1033 struct cred *cred = (struct cred *)current->real_cred; 1034 struct aa_task_ctx *ctx; 1035 1036 ctx = aa_alloc_task_context(GFP_KERNEL); 1037 if (!ctx) 1038 return -ENOMEM; 1039 1040 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1041 cred_ctx(cred) = ctx; 1042 1043 return 0; 1044 } 1045 1046 static void destroy_buffers(void) 1047 { 1048 u32 i, j; 1049 1050 for_each_possible_cpu(i) { 1051 for_each_cpu_buffer(j) { 1052 kfree(per_cpu(aa_buffers, i).buf[j]); 1053 per_cpu(aa_buffers, i).buf[j] = NULL; 1054 } 1055 } 1056 } 1057 1058 static int __init alloc_buffers(void) 1059 { 1060 u32 i, j; 1061 1062 for_each_possible_cpu(i) { 1063 for_each_cpu_buffer(j) { 1064 char *buffer; 1065 1066 if (cpu_to_node(i) > num_online_nodes()) 1067 /* fallback to kmalloc for offline nodes */ 1068 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1069 else 1070 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1071 cpu_to_node(i)); 1072 if (!buffer) { 1073 destroy_buffers(); 1074 return -ENOMEM; 1075 } 1076 per_cpu(aa_buffers, i).buf[j] = buffer; 1077 } 1078 } 1079 1080 return 0; 1081 } 1082 1083 #ifdef CONFIG_SYSCTL 1084 static int apparmor_dointvec(struct ctl_table *table, int write, 1085 void __user *buffer, size_t *lenp, loff_t *ppos) 1086 { 1087 if (!policy_admin_capable(NULL)) 1088 return -EPERM; 1089 if (!apparmor_enabled) 1090 return -EINVAL; 1091 1092 return proc_dointvec(table, write, buffer, lenp, ppos); 1093 } 1094 1095 static struct ctl_path apparmor_sysctl_path[] = { 1096 { .procname = "kernel", }, 1097 { } 1098 }; 1099 1100 static struct ctl_table apparmor_sysctl_table[] = { 1101 { 1102 .procname = "unprivileged_userns_apparmor_policy", 1103 .data = &unprivileged_userns_apparmor_policy, 1104 .maxlen = sizeof(int), 1105 .mode = 0600, 1106 .proc_handler = apparmor_dointvec, 1107 }, 1108 { } 1109 }; 1110 1111 static int __init apparmor_init_sysctl(void) 1112 { 1113 return register_sysctl_paths(apparmor_sysctl_path, 1114 apparmor_sysctl_table) ? 0 : -ENOMEM; 1115 } 1116 #else 1117 static inline int apparmor_init_sysctl(void) 1118 { 1119 return 0; 1120 } 1121 #endif /* CONFIG_SYSCTL */ 1122 1123 static int __init apparmor_init(void) 1124 { 1125 int error; 1126 1127 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1128 aa_info_message("AppArmor disabled by boot time parameter"); 1129 apparmor_enabled = false; 1130 return 0; 1131 } 1132 1133 error = aa_setup_dfa_engine(); 1134 if (error) { 1135 AA_ERROR("Unable to setup dfa engine\n"); 1136 goto alloc_out; 1137 } 1138 1139 error = aa_alloc_root_ns(); 1140 if (error) { 1141 AA_ERROR("Unable to allocate default profile namespace\n"); 1142 goto alloc_out; 1143 } 1144 1145 error = apparmor_init_sysctl(); 1146 if (error) { 1147 AA_ERROR("Unable to register sysctls\n"); 1148 goto alloc_out; 1149 1150 } 1151 1152 error = alloc_buffers(); 1153 if (error) { 1154 AA_ERROR("Unable to allocate work buffers\n"); 1155 goto buffers_out; 1156 } 1157 1158 error = set_init_ctx(); 1159 if (error) { 1160 AA_ERROR("Failed to set context on init task\n"); 1161 aa_free_root_ns(); 1162 goto buffers_out; 1163 } 1164 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1165 "apparmor"); 1166 1167 /* Report that AppArmor successfully initialized */ 1168 apparmor_initialized = 1; 1169 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1170 aa_info_message("AppArmor initialized: complain mode enabled"); 1171 else if (aa_g_profile_mode == APPARMOR_KILL) 1172 aa_info_message("AppArmor initialized: kill mode enabled"); 1173 else 1174 aa_info_message("AppArmor initialized"); 1175 1176 return error; 1177 1178 buffers_out: 1179 destroy_buffers(); 1180 1181 alloc_out: 1182 aa_destroy_aafs(); 1183 aa_teardown_dfa_engine(); 1184 1185 apparmor_enabled = false; 1186 return error; 1187 } 1188 1189 security_initcall(apparmor_init); 1190