1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/security.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <net/sock.h> 26 27 #include "include/apparmor.h" 28 #include "include/apparmorfs.h" 29 #include "include/audit.h" 30 #include "include/capability.h" 31 #include "include/context.h" 32 #include "include/file.h" 33 #include "include/ipc.h" 34 #include "include/path.h" 35 #include "include/policy.h" 36 #include "include/procattr.h" 37 38 /* Flag indicating whether initialization completed */ 39 int apparmor_initialized __initdata; 40 41 /* 42 * LSM hook functions 43 */ 44 45 /* 46 * free the associated aa_task_cxt and put its profiles 47 */ 48 static void apparmor_cred_free(struct cred *cred) 49 { 50 aa_free_task_context(cred->security); 51 cred->security = NULL; 52 } 53 54 /* 55 * allocate the apparmor part of blank credentials 56 */ 57 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 58 { 59 /* freed by apparmor_cred_free */ 60 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 61 if (!cxt) 62 return -ENOMEM; 63 64 cred->security = cxt; 65 return 0; 66 } 67 68 /* 69 * prepare new aa_task_cxt for modification by prepare_cred block 70 */ 71 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 72 gfp_t gfp) 73 { 74 /* freed by apparmor_cred_free */ 75 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 76 if (!cxt) 77 return -ENOMEM; 78 79 aa_dup_task_context(cxt, old->security); 80 new->security = cxt; 81 return 0; 82 } 83 84 /* 85 * transfer the apparmor data to a blank set of creds 86 */ 87 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 88 { 89 const struct aa_task_cxt *old_cxt = old->security; 90 struct aa_task_cxt *new_cxt = new->security; 91 92 aa_dup_task_context(new_cxt, old_cxt); 93 } 94 95 static int apparmor_ptrace_access_check(struct task_struct *child, 96 unsigned int mode) 97 { 98 int error = cap_ptrace_access_check(child, mode); 99 if (error) 100 return error; 101 102 return aa_ptrace(current, child, mode); 103 } 104 105 static int apparmor_ptrace_traceme(struct task_struct *parent) 106 { 107 int error = cap_ptrace_traceme(parent); 108 if (error) 109 return error; 110 111 return aa_ptrace(parent, current, PTRACE_MODE_ATTACH); 112 } 113 114 /* Derived from security/commoncap.c:cap_capget */ 115 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 116 kernel_cap_t *inheritable, kernel_cap_t *permitted) 117 { 118 struct aa_profile *profile; 119 const struct cred *cred; 120 121 rcu_read_lock(); 122 cred = __task_cred(target); 123 profile = aa_cred_profile(cred); 124 125 *effective = cred->cap_effective; 126 *inheritable = cred->cap_inheritable; 127 *permitted = cred->cap_permitted; 128 129 if (!unconfined(profile)) { 130 *effective = cap_intersect(*effective, profile->caps.allow); 131 *permitted = cap_intersect(*permitted, profile->caps.allow); 132 } 133 rcu_read_unlock(); 134 135 return 0; 136 } 137 138 static int apparmor_capable(struct task_struct *task, const struct cred *cred, 139 int cap, int audit) 140 { 141 struct aa_profile *profile; 142 /* cap_capable returns 0 on success, else -EPERM */ 143 int error = cap_capable(task, cred, cap, audit); 144 if (!error) { 145 profile = aa_cred_profile(cred); 146 if (!unconfined(profile)) 147 error = aa_capable(task, profile, cap, audit); 148 } 149 return error; 150 } 151 152 /** 153 * common_perm - basic common permission check wrapper fn for paths 154 * @op: operation being checked 155 * @path: path to check permission of (NOT NULL) 156 * @mask: requested permissions mask 157 * @cond: conditional info for the permission request (NOT NULL) 158 * 159 * Returns: %0 else error code if error or permission denied 160 */ 161 static int common_perm(int op, struct path *path, u32 mask, 162 struct path_cond *cond) 163 { 164 struct aa_profile *profile; 165 int error = 0; 166 167 profile = __aa_current_profile(); 168 if (!unconfined(profile)) 169 error = aa_path_perm(op, profile, path, 0, mask, cond); 170 171 return error; 172 } 173 174 /** 175 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 176 * @op: operation being checked 177 * @dir: directory of the dentry (NOT NULL) 178 * @dentry: dentry to check (NOT NULL) 179 * @mask: requested permissions mask 180 * @cond: conditional info for the permission request (NOT NULL) 181 * 182 * Returns: %0 else error code if error or permission denied 183 */ 184 static int common_perm_dir_dentry(int op, struct path *dir, 185 struct dentry *dentry, u32 mask, 186 struct path_cond *cond) 187 { 188 struct path path = { dir->mnt, dentry }; 189 190 return common_perm(op, &path, mask, cond); 191 } 192 193 /** 194 * common_perm_mnt_dentry - common permission wrapper when mnt, dentry 195 * @op: operation being checked 196 * @mnt: mount point of dentry (NOT NULL) 197 * @dentry: dentry to check (NOT NULL) 198 * @mask: requested permissions mask 199 * 200 * Returns: %0 else error code if error or permission denied 201 */ 202 static int common_perm_mnt_dentry(int op, struct vfsmount *mnt, 203 struct dentry *dentry, u32 mask) 204 { 205 struct path path = { mnt, dentry }; 206 struct path_cond cond = { dentry->d_inode->i_uid, 207 dentry->d_inode->i_mode 208 }; 209 210 return common_perm(op, &path, mask, &cond); 211 } 212 213 /** 214 * common_perm_rm - common permission wrapper for operations doing rm 215 * @op: operation being checked 216 * @dir: directory that the dentry is in (NOT NULL) 217 * @dentry: dentry being rm'd (NOT NULL) 218 * @mask: requested permission mask 219 * 220 * Returns: %0 else error code if error or permission denied 221 */ 222 static int common_perm_rm(int op, struct path *dir, 223 struct dentry *dentry, u32 mask) 224 { 225 struct inode *inode = dentry->d_inode; 226 struct path_cond cond = { }; 227 228 if (!inode || !dir->mnt || !mediated_filesystem(inode)) 229 return 0; 230 231 cond.uid = inode->i_uid; 232 cond.mode = inode->i_mode; 233 234 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 235 } 236 237 /** 238 * common_perm_create - common permission wrapper for operations doing create 239 * @op: operation being checked 240 * @dir: directory that dentry will be created in (NOT NULL) 241 * @dentry: dentry to create (NOT NULL) 242 * @mask: request permission mask 243 * @mode: created file mode 244 * 245 * Returns: %0 else error code if error or permission denied 246 */ 247 static int common_perm_create(int op, struct path *dir, struct dentry *dentry, 248 u32 mask, umode_t mode) 249 { 250 struct path_cond cond = { current_fsuid(), mode }; 251 252 if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode)) 253 return 0; 254 255 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 256 } 257 258 static int apparmor_path_unlink(struct path *dir, struct dentry *dentry) 259 { 260 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 261 } 262 263 static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry, 264 int mode) 265 { 266 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 267 S_IFDIR); 268 } 269 270 static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry) 271 { 272 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 273 } 274 275 static int apparmor_path_mknod(struct path *dir, struct dentry *dentry, 276 int mode, unsigned int dev) 277 { 278 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 279 } 280 281 static int apparmor_path_truncate(struct path *path) 282 { 283 struct path_cond cond = { path->dentry->d_inode->i_uid, 284 path->dentry->d_inode->i_mode 285 }; 286 287 if (!path->mnt || !mediated_filesystem(path->dentry->d_inode)) 288 return 0; 289 290 return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE, 291 &cond); 292 } 293 294 static int apparmor_path_symlink(struct path *dir, struct dentry *dentry, 295 const char *old_name) 296 { 297 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 298 S_IFLNK); 299 } 300 301 static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir, 302 struct dentry *new_dentry) 303 { 304 struct aa_profile *profile; 305 int error = 0; 306 307 if (!mediated_filesystem(old_dentry->d_inode)) 308 return 0; 309 310 profile = aa_current_profile(); 311 if (!unconfined(profile)) 312 error = aa_path_link(profile, old_dentry, new_dir, new_dentry); 313 return error; 314 } 315 316 static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry, 317 struct path *new_dir, struct dentry *new_dentry) 318 { 319 struct aa_profile *profile; 320 int error = 0; 321 322 if (!mediated_filesystem(old_dentry->d_inode)) 323 return 0; 324 325 profile = aa_current_profile(); 326 if (!unconfined(profile)) { 327 struct path old_path = { old_dir->mnt, old_dentry }; 328 struct path new_path = { new_dir->mnt, new_dentry }; 329 struct path_cond cond = { old_dentry->d_inode->i_uid, 330 old_dentry->d_inode->i_mode 331 }; 332 333 error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0, 334 MAY_READ | AA_MAY_META_READ | MAY_WRITE | 335 AA_MAY_META_WRITE | AA_MAY_DELETE, 336 &cond); 337 if (!error) 338 error = aa_path_perm(OP_RENAME_DEST, profile, &new_path, 339 0, MAY_WRITE | AA_MAY_META_WRITE | 340 AA_MAY_CREATE, &cond); 341 342 } 343 return error; 344 } 345 346 static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt, 347 mode_t mode) 348 { 349 if (!mediated_filesystem(dentry->d_inode)) 350 return 0; 351 352 return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD); 353 } 354 355 static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid) 356 { 357 struct path_cond cond = { path->dentry->d_inode->i_uid, 358 path->dentry->d_inode->i_mode 359 }; 360 361 if (!mediated_filesystem(path->dentry->d_inode)) 362 return 0; 363 364 return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond); 365 } 366 367 static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 368 { 369 if (!mediated_filesystem(dentry->d_inode)) 370 return 0; 371 372 return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry, 373 AA_MAY_META_READ); 374 } 375 376 static int apparmor_dentry_open(struct file *file, const struct cred *cred) 377 { 378 struct aa_file_cxt *fcxt = file->f_security; 379 struct aa_profile *profile; 380 int error = 0; 381 382 if (!mediated_filesystem(file->f_path.dentry->d_inode)) 383 return 0; 384 385 /* If in exec, permission is handled by bprm hooks. 386 * Cache permissions granted by the previous exec check, with 387 * implicit read and executable mmap which are required to 388 * actually execute the image. 389 */ 390 if (current->in_execve) { 391 fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 392 return 0; 393 } 394 395 profile = aa_cred_profile(cred); 396 if (!unconfined(profile)) { 397 struct inode *inode = file->f_path.dentry->d_inode; 398 struct path_cond cond = { inode->i_uid, inode->i_mode }; 399 400 error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0, 401 aa_map_file_to_perms(file), &cond); 402 /* todo cache full allowed permissions set and state */ 403 fcxt->allow = aa_map_file_to_perms(file); 404 } 405 406 return error; 407 } 408 409 static int apparmor_file_alloc_security(struct file *file) 410 { 411 /* freed by apparmor_file_free_security */ 412 file->f_security = aa_alloc_file_context(GFP_KERNEL); 413 if (!file->f_security) 414 return -ENOMEM; 415 return 0; 416 417 } 418 419 static void apparmor_file_free_security(struct file *file) 420 { 421 struct aa_file_cxt *cxt = file->f_security; 422 423 aa_free_file_context(cxt); 424 } 425 426 static int common_file_perm(int op, struct file *file, u32 mask) 427 { 428 struct aa_file_cxt *fcxt = file->f_security; 429 struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred); 430 int error = 0; 431 432 BUG_ON(!fprofile); 433 434 if (!file->f_path.mnt || 435 !mediated_filesystem(file->f_path.dentry->d_inode)) 436 return 0; 437 438 profile = __aa_current_profile(); 439 440 /* revalidate access, if task is unconfined, or the cached cred 441 * doesn't match or if the request is for more permissions than 442 * was granted. 443 * 444 * Note: the test for !unconfined(fprofile) is to handle file 445 * delegation from unconfined tasks 446 */ 447 if (!unconfined(profile) && !unconfined(fprofile) && 448 ((fprofile != profile) || (mask & ~fcxt->allow))) 449 error = aa_file_perm(op, profile, file, mask); 450 451 return error; 452 } 453 454 static int apparmor_file_permission(struct file *file, int mask) 455 { 456 return common_file_perm(OP_FPERM, file, mask); 457 } 458 459 static int apparmor_file_lock(struct file *file, unsigned int cmd) 460 { 461 u32 mask = AA_MAY_LOCK; 462 463 if (cmd == F_WRLCK) 464 mask |= MAY_WRITE; 465 466 return common_file_perm(OP_FLOCK, file, mask); 467 } 468 469 static int common_mmap(int op, struct file *file, unsigned long prot, 470 unsigned long flags) 471 { 472 struct dentry *dentry; 473 int mask = 0; 474 475 if (!file || !file->f_security) 476 return 0; 477 478 if (prot & PROT_READ) 479 mask |= MAY_READ; 480 /* 481 * Private mappings don't require write perms since they don't 482 * write back to the files 483 */ 484 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 485 mask |= MAY_WRITE; 486 if (prot & PROT_EXEC) 487 mask |= AA_EXEC_MMAP; 488 489 dentry = file->f_path.dentry; 490 return common_file_perm(op, file, mask); 491 } 492 493 static int apparmor_file_mmap(struct file *file, unsigned long reqprot, 494 unsigned long prot, unsigned long flags, 495 unsigned long addr, unsigned long addr_only) 496 { 497 int rc = 0; 498 499 /* do DAC check */ 500 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 501 if (rc || addr_only) 502 return rc; 503 504 return common_mmap(OP_FMMAP, file, prot, flags); 505 } 506 507 static int apparmor_file_mprotect(struct vm_area_struct *vma, 508 unsigned long reqprot, unsigned long prot) 509 { 510 return common_mmap(OP_FMPROT, vma->vm_file, prot, 511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512 } 513 514 static int apparmor_getprocattr(struct task_struct *task, char *name, 515 char **value) 516 { 517 int error = -ENOENT; 518 struct aa_profile *profile; 519 /* released below */ 520 const struct cred *cred = get_task_cred(task); 521 struct aa_task_cxt *cxt = cred->security; 522 profile = aa_cred_profile(cred); 523 524 if (strcmp(name, "current") == 0) 525 error = aa_getprocattr(aa_newest_version(cxt->profile), 526 value); 527 else if (strcmp(name, "prev") == 0 && cxt->previous) 528 error = aa_getprocattr(aa_newest_version(cxt->previous), 529 value); 530 else if (strcmp(name, "exec") == 0 && cxt->onexec) 531 error = aa_getprocattr(aa_newest_version(cxt->onexec), 532 value); 533 else 534 error = -EINVAL; 535 536 put_cred(cred); 537 538 return error; 539 } 540 541 static int apparmor_setprocattr(struct task_struct *task, char *name, 542 void *value, size_t size) 543 { 544 char *command, *args = value; 545 size_t arg_size; 546 int error; 547 548 if (size == 0) 549 return -EINVAL; 550 /* args points to a PAGE_SIZE buffer, AppArmor requires that 551 * the buffer must be null terminated or have size <= PAGE_SIZE -1 552 * so that AppArmor can null terminate them 553 */ 554 if (args[size - 1] != '\0') { 555 if (size == PAGE_SIZE) 556 return -EINVAL; 557 args[size] = '\0'; 558 } 559 560 /* task can only write its own attributes */ 561 if (current != task) 562 return -EACCES; 563 564 args = value; 565 args = strim(args); 566 command = strsep(&args, " "); 567 if (!args) 568 return -EINVAL; 569 args = skip_spaces(args); 570 if (!*args) 571 return -EINVAL; 572 573 arg_size = size - (args - (char *) value); 574 if (strcmp(name, "current") == 0) { 575 if (strcmp(command, "changehat") == 0) { 576 error = aa_setprocattr_changehat(args, arg_size, 577 !AA_DO_TEST); 578 } else if (strcmp(command, "permhat") == 0) { 579 error = aa_setprocattr_changehat(args, arg_size, 580 AA_DO_TEST); 581 } else if (strcmp(command, "changeprofile") == 0) { 582 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 583 !AA_DO_TEST); 584 } else if (strcmp(command, "permprofile") == 0) { 585 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 586 AA_DO_TEST); 587 } else if (strcmp(command, "permipc") == 0) { 588 error = aa_setprocattr_permipc(args); 589 } else { 590 struct common_audit_data sa; 591 COMMON_AUDIT_DATA_INIT(&sa, NONE); 592 sa.aad.op = OP_SETPROCATTR; 593 sa.aad.info = name; 594 sa.aad.error = -EINVAL; 595 return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL, 596 &sa, NULL); 597 } 598 } else if (strcmp(name, "exec") == 0) { 599 error = aa_setprocattr_changeprofile(args, AA_ONEXEC, 600 !AA_DO_TEST); 601 } else { 602 /* only support the "current" and "exec" process attributes */ 603 return -EINVAL; 604 } 605 if (!error) 606 error = size; 607 return error; 608 } 609 610 static int apparmor_task_setrlimit(struct task_struct *task, 611 unsigned int resource, struct rlimit *new_rlim) 612 { 613 struct aa_profile *profile = aa_current_profile(); 614 int error = 0; 615 616 if (!unconfined(profile)) 617 error = aa_task_setrlimit(profile, task, resource, new_rlim); 618 619 return error; 620 } 621 622 static struct security_operations apparmor_ops = { 623 .name = "apparmor", 624 625 .ptrace_access_check = apparmor_ptrace_access_check, 626 .ptrace_traceme = apparmor_ptrace_traceme, 627 .capget = apparmor_capget, 628 .capable = apparmor_capable, 629 630 .path_link = apparmor_path_link, 631 .path_unlink = apparmor_path_unlink, 632 .path_symlink = apparmor_path_symlink, 633 .path_mkdir = apparmor_path_mkdir, 634 .path_rmdir = apparmor_path_rmdir, 635 .path_mknod = apparmor_path_mknod, 636 .path_rename = apparmor_path_rename, 637 .path_chmod = apparmor_path_chmod, 638 .path_chown = apparmor_path_chown, 639 .path_truncate = apparmor_path_truncate, 640 .dentry_open = apparmor_dentry_open, 641 .inode_getattr = apparmor_inode_getattr, 642 643 .file_permission = apparmor_file_permission, 644 .file_alloc_security = apparmor_file_alloc_security, 645 .file_free_security = apparmor_file_free_security, 646 .file_mmap = apparmor_file_mmap, 647 .file_mprotect = apparmor_file_mprotect, 648 .file_lock = apparmor_file_lock, 649 650 .getprocattr = apparmor_getprocattr, 651 .setprocattr = apparmor_setprocattr, 652 653 .cred_alloc_blank = apparmor_cred_alloc_blank, 654 .cred_free = apparmor_cred_free, 655 .cred_prepare = apparmor_cred_prepare, 656 .cred_transfer = apparmor_cred_transfer, 657 658 .bprm_set_creds = apparmor_bprm_set_creds, 659 .bprm_committing_creds = apparmor_bprm_committing_creds, 660 .bprm_committed_creds = apparmor_bprm_committed_creds, 661 .bprm_secureexec = apparmor_bprm_secureexec, 662 663 .task_setrlimit = apparmor_task_setrlimit, 664 }; 665 666 /* 667 * AppArmor sysfs module parameters 668 */ 669 670 static int param_set_aabool(const char *val, const struct kernel_param *kp); 671 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 672 #define param_check_aabool(name, p) __param_check(name, p, int) 673 static struct kernel_param_ops param_ops_aabool = { 674 .set = param_set_aabool, 675 .get = param_get_aabool 676 }; 677 678 static int param_set_aauint(const char *val, const struct kernel_param *kp); 679 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 680 #define param_check_aauint(name, p) __param_check(name, p, int) 681 static struct kernel_param_ops param_ops_aauint = { 682 .set = param_set_aauint, 683 .get = param_get_aauint 684 }; 685 686 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 687 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 688 #define param_check_aalockpolicy(name, p) __param_check(name, p, int) 689 static struct kernel_param_ops param_ops_aalockpolicy = { 690 .set = param_set_aalockpolicy, 691 .get = param_get_aalockpolicy 692 }; 693 694 static int param_set_audit(const char *val, struct kernel_param *kp); 695 static int param_get_audit(char *buffer, struct kernel_param *kp); 696 697 static int param_set_mode(const char *val, struct kernel_param *kp); 698 static int param_get_mode(char *buffer, struct kernel_param *kp); 699 700 /* Flag values, also controllable via /sys/module/apparmor/parameters 701 * We define special types as we want to do additional mediation. 702 */ 703 704 /* AppArmor global enforcement switch - complain, enforce, kill */ 705 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 706 module_param_call(mode, param_set_mode, param_get_mode, 707 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 708 709 /* Debug mode */ 710 int aa_g_debug; 711 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 712 713 /* Audit mode */ 714 enum audit_mode aa_g_audit; 715 module_param_call(audit, param_set_audit, param_get_audit, 716 &aa_g_audit, S_IRUSR | S_IWUSR); 717 718 /* Determines if audit header is included in audited messages. This 719 * provides more context if the audit daemon is not running 720 */ 721 int aa_g_audit_header = 1; 722 module_param_named(audit_header, aa_g_audit_header, aabool, 723 S_IRUSR | S_IWUSR); 724 725 /* lock out loading/removal of policy 726 * TODO: add in at boot loading of policy, which is the only way to 727 * load policy, if lock_policy is set 728 */ 729 int aa_g_lock_policy; 730 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 731 S_IRUSR | S_IWUSR); 732 733 /* Syscall logging mode */ 734 int aa_g_logsyscall; 735 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 736 737 /* Maximum pathname length before accesses will start getting rejected */ 738 unsigned int aa_g_path_max = 2 * PATH_MAX; 739 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); 740 741 /* Determines how paranoid loading of policy is and how much verification 742 * on the loaded policy is done. 743 */ 744 int aa_g_paranoid_load = 1; 745 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, 746 S_IRUSR | S_IWUSR); 747 748 /* Boot time disable flag */ 749 static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 750 module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR); 751 752 static int __init apparmor_enabled_setup(char *str) 753 { 754 unsigned long enabled; 755 int error = strict_strtoul(str, 0, &enabled); 756 if (!error) 757 apparmor_enabled = enabled ? 1 : 0; 758 return 1; 759 } 760 761 __setup("apparmor=", apparmor_enabled_setup); 762 763 /* set global flag turning off the ability to load policy */ 764 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 765 { 766 if (!capable(CAP_MAC_ADMIN)) 767 return -EPERM; 768 if (aa_g_lock_policy) 769 return -EACCES; 770 return param_set_bool(val, kp); 771 } 772 773 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 774 { 775 if (!capable(CAP_MAC_ADMIN)) 776 return -EPERM; 777 return param_get_bool(buffer, kp); 778 } 779 780 static int param_set_aabool(const char *val, const struct kernel_param *kp) 781 { 782 if (!capable(CAP_MAC_ADMIN)) 783 return -EPERM; 784 return param_set_bool(val, kp); 785 } 786 787 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 788 { 789 if (!capable(CAP_MAC_ADMIN)) 790 return -EPERM; 791 return param_get_bool(buffer, kp); 792 } 793 794 static int param_set_aauint(const char *val, const struct kernel_param *kp) 795 { 796 if (!capable(CAP_MAC_ADMIN)) 797 return -EPERM; 798 return param_set_uint(val, kp); 799 } 800 801 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 802 { 803 if (!capable(CAP_MAC_ADMIN)) 804 return -EPERM; 805 return param_get_uint(buffer, kp); 806 } 807 808 static int param_get_audit(char *buffer, struct kernel_param *kp) 809 { 810 if (!capable(CAP_MAC_ADMIN)) 811 return -EPERM; 812 813 if (!apparmor_enabled) 814 return -EINVAL; 815 816 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 817 } 818 819 static int param_set_audit(const char *val, struct kernel_param *kp) 820 { 821 int i; 822 if (!capable(CAP_MAC_ADMIN)) 823 return -EPERM; 824 825 if (!apparmor_enabled) 826 return -EINVAL; 827 828 if (!val) 829 return -EINVAL; 830 831 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 832 if (strcmp(val, audit_mode_names[i]) == 0) { 833 aa_g_audit = i; 834 return 0; 835 } 836 } 837 838 return -EINVAL; 839 } 840 841 static int param_get_mode(char *buffer, struct kernel_param *kp) 842 { 843 if (!capable(CAP_MAC_ADMIN)) 844 return -EPERM; 845 846 if (!apparmor_enabled) 847 return -EINVAL; 848 849 return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]); 850 } 851 852 static int param_set_mode(const char *val, struct kernel_param *kp) 853 { 854 int i; 855 if (!capable(CAP_MAC_ADMIN)) 856 return -EPERM; 857 858 if (!apparmor_enabled) 859 return -EINVAL; 860 861 if (!val) 862 return -EINVAL; 863 864 for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) { 865 if (strcmp(val, profile_mode_names[i]) == 0) { 866 aa_g_profile_mode = i; 867 return 0; 868 } 869 } 870 871 return -EINVAL; 872 } 873 874 /* 875 * AppArmor init functions 876 */ 877 878 /** 879 * set_init_cxt - set a task context and profile on the first task. 880 * 881 * TODO: allow setting an alternate profile than unconfined 882 */ 883 static int __init set_init_cxt(void) 884 { 885 struct cred *cred = (struct cred *)current->real_cred; 886 struct aa_task_cxt *cxt; 887 888 cxt = aa_alloc_task_context(GFP_KERNEL); 889 if (!cxt) 890 return -ENOMEM; 891 892 cxt->profile = aa_get_profile(root_ns->unconfined); 893 cred->security = cxt; 894 895 return 0; 896 } 897 898 static int __init apparmor_init(void) 899 { 900 int error; 901 902 if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) { 903 aa_info_message("AppArmor disabled by boot time parameter"); 904 apparmor_enabled = 0; 905 return 0; 906 } 907 908 error = aa_alloc_root_ns(); 909 if (error) { 910 AA_ERROR("Unable to allocate default profile namespace\n"); 911 goto alloc_out; 912 } 913 914 error = set_init_cxt(); 915 if (error) { 916 AA_ERROR("Failed to set context on init task\n"); 917 goto register_security_out; 918 } 919 920 error = register_security(&apparmor_ops); 921 if (error) { 922 AA_ERROR("Unable to register AppArmor\n"); 923 goto set_init_cxt_out; 924 } 925 926 /* Report that AppArmor successfully initialized */ 927 apparmor_initialized = 1; 928 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 929 aa_info_message("AppArmor initialized: complain mode enabled"); 930 else if (aa_g_profile_mode == APPARMOR_KILL) 931 aa_info_message("AppArmor initialized: kill mode enabled"); 932 else 933 aa_info_message("AppArmor initialized"); 934 935 return error; 936 937 set_init_cxt_out: 938 aa_free_task_context(current->real_cred->security); 939 940 register_security_out: 941 aa_free_root_ns(); 942 943 alloc_out: 944 aa_destroy_aafs(); 945 946 apparmor_enabled = 0; 947 return error; 948 } 949 950 security_initcall(apparmor_init); 951