1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor LSM hooks. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/lsm_hooks.h> 12 #include <linux/moduleparam.h> 13 #include <linux/mm.h> 14 #include <linux/mman.h> 15 #include <linux/mount.h> 16 #include <linux/namei.h> 17 #include <linux/ptrace.h> 18 #include <linux/ctype.h> 19 #include <linux/sysctl.h> 20 #include <linux/audit.h> 21 #include <linux/user_namespace.h> 22 #include <linux/netfilter_ipv4.h> 23 #include <linux/netfilter_ipv6.h> 24 #include <linux/zlib.h> 25 #include <net/sock.h> 26 #include <uapi/linux/mount.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 union aa_buffer { 48 struct list_head list; 49 char buffer[1]; 50 }; 51 52 #define RESERVE_COUNT 2 53 static int reserve_count = RESERVE_COUNT; 54 static int buffer_count; 55 56 static LIST_HEAD(aa_global_buffers); 57 static DEFINE_SPINLOCK(aa_buffers_lock); 58 59 /* 60 * LSM hook functions 61 */ 62 63 /* 64 * put the associated labels 65 */ 66 static void apparmor_cred_free(struct cred *cred) 67 { 68 aa_put_label(cred_label(cred)); 69 set_cred_label(cred, NULL); 70 } 71 72 /* 73 * allocate the apparmor part of blank credentials 74 */ 75 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 76 { 77 set_cred_label(cred, NULL); 78 return 0; 79 } 80 81 /* 82 * prepare new cred label for modification by prepare_cred block 83 */ 84 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 85 gfp_t gfp) 86 { 87 set_cred_label(new, aa_get_newest_label(cred_label(old))); 88 return 0; 89 } 90 91 /* 92 * transfer the apparmor data to a blank set of creds 93 */ 94 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 95 { 96 set_cred_label(new, aa_get_newest_label(cred_label(old))); 97 } 98 99 static void apparmor_task_free(struct task_struct *task) 100 { 101 102 aa_free_task_ctx(task_ctx(task)); 103 } 104 105 static int apparmor_task_alloc(struct task_struct *task, 106 unsigned long clone_flags) 107 { 108 struct aa_task_ctx *new = task_ctx(task); 109 110 aa_dup_task_ctx(new, task_ctx(current)); 111 112 return 0; 113 } 114 115 static int apparmor_ptrace_access_check(struct task_struct *child, 116 unsigned int mode) 117 { 118 struct aa_label *tracer, *tracee; 119 int error; 120 121 tracer = __begin_current_label_crit_section(); 122 tracee = aa_get_task_label(child); 123 error = aa_may_ptrace(tracer, tracee, 124 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ 125 : AA_PTRACE_TRACE); 126 aa_put_label(tracee); 127 __end_current_label_crit_section(tracer); 128 129 return error; 130 } 131 132 static int apparmor_ptrace_traceme(struct task_struct *parent) 133 { 134 struct aa_label *tracer, *tracee; 135 int error; 136 137 tracee = __begin_current_label_crit_section(); 138 tracer = aa_get_task_label(parent); 139 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 140 aa_put_label(tracer); 141 __end_current_label_crit_section(tracee); 142 143 return error; 144 } 145 146 /* Derived from security/commoncap.c:cap_capget */ 147 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 149 { 150 struct aa_label *label; 151 const struct cred *cred; 152 153 rcu_read_lock(); 154 cred = __task_cred(target); 155 label = aa_get_newest_cred_label(cred); 156 157 /* 158 * cap_capget is stacked ahead of this and will 159 * initialize effective and permitted. 160 */ 161 if (!unconfined(label)) { 162 struct aa_profile *profile; 163 struct label_it i; 164 165 label_for_each_confined(i, label, profile) { 166 if (COMPLAIN_MODE(profile)) 167 continue; 168 *effective = cap_intersect(*effective, 169 profile->caps.allow); 170 *permitted = cap_intersect(*permitted, 171 profile->caps.allow); 172 } 173 } 174 rcu_read_unlock(); 175 aa_put_label(label); 176 177 return 0; 178 } 179 180 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 181 int cap, unsigned int opts) 182 { 183 struct aa_label *label; 184 int error = 0; 185 186 label = aa_get_newest_cred_label(cred); 187 if (!unconfined(label)) 188 error = aa_capable(label, cap, opts); 189 aa_put_label(label); 190 191 return error; 192 } 193 194 /** 195 * common_perm - basic common permission check wrapper fn for paths 196 * @op: operation being checked 197 * @path: path to check permission of (NOT NULL) 198 * @mask: requested permissions mask 199 * @cond: conditional info for the permission request (NOT NULL) 200 * 201 * Returns: %0 else error code if error or permission denied 202 */ 203 static int common_perm(const char *op, const struct path *path, u32 mask, 204 struct path_cond *cond) 205 { 206 struct aa_label *label; 207 int error = 0; 208 209 label = __begin_current_label_crit_section(); 210 if (!unconfined(label)) 211 error = aa_path_perm(op, label, path, 0, mask, cond); 212 __end_current_label_crit_section(label); 213 214 return error; 215 } 216 217 /** 218 * common_perm_cond - common permission wrapper around inode cond 219 * @op: operation being checked 220 * @path: location to check (NOT NULL) 221 * @mask: requested permissions mask 222 * 223 * Returns: %0 else error code if error or permission denied 224 */ 225 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 226 { 227 struct user_namespace *mnt_userns = mnt_user_ns(path->mnt); 228 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_userns, 229 d_backing_inode(path->dentry)); 230 struct path_cond cond = { 231 vfsuid_into_kuid(vfsuid), 232 d_backing_inode(path->dentry)->i_mode 233 }; 234 235 if (!path_mediated_fs(path->dentry)) 236 return 0; 237 238 return common_perm(op, path, mask, &cond); 239 } 240 241 /** 242 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 243 * @op: operation being checked 244 * @dir: directory of the dentry (NOT NULL) 245 * @dentry: dentry to check (NOT NULL) 246 * @mask: requested permissions mask 247 * @cond: conditional info for the permission request (NOT NULL) 248 * 249 * Returns: %0 else error code if error or permission denied 250 */ 251 static int common_perm_dir_dentry(const char *op, const struct path *dir, 252 struct dentry *dentry, u32 mask, 253 struct path_cond *cond) 254 { 255 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 256 257 return common_perm(op, &path, mask, cond); 258 } 259 260 /** 261 * common_perm_rm - common permission wrapper for operations doing rm 262 * @op: operation being checked 263 * @dir: directory that the dentry is in (NOT NULL) 264 * @dentry: dentry being rm'd (NOT NULL) 265 * @mask: requested permission mask 266 * 267 * Returns: %0 else error code if error or permission denied 268 */ 269 static int common_perm_rm(const char *op, const struct path *dir, 270 struct dentry *dentry, u32 mask) 271 { 272 struct inode *inode = d_backing_inode(dentry); 273 struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt); 274 struct path_cond cond = { }; 275 vfsuid_t vfsuid; 276 277 if (!inode || !path_mediated_fs(dentry)) 278 return 0; 279 280 vfsuid = i_uid_into_vfsuid(mnt_userns, inode); 281 cond.uid = vfsuid_into_kuid(vfsuid); 282 cond.mode = inode->i_mode; 283 284 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 285 } 286 287 /** 288 * common_perm_create - common permission wrapper for operations doing create 289 * @op: operation being checked 290 * @dir: directory that dentry will be created in (NOT NULL) 291 * @dentry: dentry to create (NOT NULL) 292 * @mask: request permission mask 293 * @mode: created file mode 294 * 295 * Returns: %0 else error code if error or permission denied 296 */ 297 static int common_perm_create(const char *op, const struct path *dir, 298 struct dentry *dentry, u32 mask, umode_t mode) 299 { 300 struct path_cond cond = { current_fsuid(), mode }; 301 302 if (!path_mediated_fs(dir->dentry)) 303 return 0; 304 305 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 306 } 307 308 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 309 { 310 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 311 } 312 313 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 314 umode_t mode) 315 { 316 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 317 S_IFDIR); 318 } 319 320 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 321 { 322 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 323 } 324 325 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 326 umode_t mode, unsigned int dev) 327 { 328 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 329 } 330 331 static int apparmor_path_truncate(const struct path *path) 332 { 333 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 334 } 335 336 static int apparmor_file_truncate(struct file *file) 337 { 338 return apparmor_path_truncate(&file->f_path); 339 } 340 341 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 342 const char *old_name) 343 { 344 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 345 S_IFLNK); 346 } 347 348 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 349 struct dentry *new_dentry) 350 { 351 struct aa_label *label; 352 int error = 0; 353 354 if (!path_mediated_fs(old_dentry)) 355 return 0; 356 357 label = begin_current_label_crit_section(); 358 if (!unconfined(label)) 359 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 360 end_current_label_crit_section(label); 361 362 return error; 363 } 364 365 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 366 const struct path *new_dir, struct dentry *new_dentry, 367 const unsigned int flags) 368 { 369 struct aa_label *label; 370 int error = 0; 371 372 if (!path_mediated_fs(old_dentry)) 373 return 0; 374 if ((flags & RENAME_EXCHANGE) && !path_mediated_fs(new_dentry)) 375 return 0; 376 377 label = begin_current_label_crit_section(); 378 if (!unconfined(label)) { 379 struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt); 380 vfsuid_t vfsuid; 381 struct path old_path = { .mnt = old_dir->mnt, 382 .dentry = old_dentry }; 383 struct path new_path = { .mnt = new_dir->mnt, 384 .dentry = new_dentry }; 385 struct path_cond cond = { 386 .mode = d_backing_inode(old_dentry)->i_mode 387 }; 388 vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry)); 389 cond.uid = vfsuid_into_kuid(vfsuid); 390 391 if (flags & RENAME_EXCHANGE) { 392 struct path_cond cond_exchange = { 393 .mode = d_backing_inode(new_dentry)->i_mode, 394 }; 395 vfsuid = i_uid_into_vfsuid(mnt_userns, d_backing_inode(old_dentry)); 396 cond_exchange.uid = vfsuid_into_kuid(vfsuid); 397 398 error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0, 399 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 400 AA_MAY_SETATTR | AA_MAY_DELETE, 401 &cond_exchange); 402 if (!error) 403 error = aa_path_perm(OP_RENAME_DEST, label, &old_path, 404 0, MAY_WRITE | AA_MAY_SETATTR | 405 AA_MAY_CREATE, &cond_exchange); 406 } 407 408 if (!error) 409 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 410 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 411 AA_MAY_SETATTR | AA_MAY_DELETE, 412 &cond); 413 if (!error) 414 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 415 0, MAY_WRITE | AA_MAY_SETATTR | 416 AA_MAY_CREATE, &cond); 417 418 } 419 end_current_label_crit_section(label); 420 421 return error; 422 } 423 424 static int apparmor_path_chmod(const struct path *path, umode_t mode) 425 { 426 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 427 } 428 429 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 430 { 431 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 432 } 433 434 static int apparmor_inode_getattr(const struct path *path) 435 { 436 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 437 } 438 439 static int apparmor_file_open(struct file *file) 440 { 441 struct aa_file_ctx *fctx = file_ctx(file); 442 struct aa_label *label; 443 int error = 0; 444 445 if (!path_mediated_fs(file->f_path.dentry)) 446 return 0; 447 448 /* If in exec, permission is handled by bprm hooks. 449 * Cache permissions granted by the previous exec check, with 450 * implicit read and executable mmap which are required to 451 * actually execute the image. 452 */ 453 if (current->in_execve) { 454 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 455 return 0; 456 } 457 458 label = aa_get_newest_cred_label(file->f_cred); 459 if (!unconfined(label)) { 460 struct user_namespace *mnt_userns = file_mnt_user_ns(file); 461 struct inode *inode = file_inode(file); 462 vfsuid_t vfsuid; 463 struct path_cond cond = { 464 .mode = inode->i_mode, 465 }; 466 vfsuid = i_uid_into_vfsuid(mnt_userns, inode); 467 cond.uid = vfsuid_into_kuid(vfsuid); 468 469 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 470 aa_map_file_to_perms(file), &cond); 471 /* todo cache full allowed permissions set and state */ 472 fctx->allow = aa_map_file_to_perms(file); 473 } 474 aa_put_label(label); 475 476 return error; 477 } 478 479 static int apparmor_file_alloc_security(struct file *file) 480 { 481 struct aa_file_ctx *ctx = file_ctx(file); 482 struct aa_label *label = begin_current_label_crit_section(); 483 484 spin_lock_init(&ctx->lock); 485 rcu_assign_pointer(ctx->label, aa_get_label(label)); 486 end_current_label_crit_section(label); 487 return 0; 488 } 489 490 static void apparmor_file_free_security(struct file *file) 491 { 492 struct aa_file_ctx *ctx = file_ctx(file); 493 494 if (ctx) 495 aa_put_label(rcu_access_pointer(ctx->label)); 496 } 497 498 static int common_file_perm(const char *op, struct file *file, u32 mask, 499 bool in_atomic) 500 { 501 struct aa_label *label; 502 int error = 0; 503 504 /* don't reaudit files closed during inheritance */ 505 if (file->f_path.dentry == aa_null.dentry) 506 return -EACCES; 507 508 label = __begin_current_label_crit_section(); 509 error = aa_file_perm(op, label, file, mask, in_atomic); 510 __end_current_label_crit_section(label); 511 512 return error; 513 } 514 515 static int apparmor_file_receive(struct file *file) 516 { 517 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file), 518 false); 519 } 520 521 static int apparmor_file_permission(struct file *file, int mask) 522 { 523 return common_file_perm(OP_FPERM, file, mask, false); 524 } 525 526 static int apparmor_file_lock(struct file *file, unsigned int cmd) 527 { 528 u32 mask = AA_MAY_LOCK; 529 530 if (cmd == F_WRLCK) 531 mask |= MAY_WRITE; 532 533 return common_file_perm(OP_FLOCK, file, mask, false); 534 } 535 536 static int common_mmap(const char *op, struct file *file, unsigned long prot, 537 unsigned long flags, bool in_atomic) 538 { 539 int mask = 0; 540 541 if (!file || !file_ctx(file)) 542 return 0; 543 544 if (prot & PROT_READ) 545 mask |= MAY_READ; 546 /* 547 * Private mappings don't require write perms since they don't 548 * write back to the files 549 */ 550 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 551 mask |= MAY_WRITE; 552 if (prot & PROT_EXEC) 553 mask |= AA_EXEC_MMAP; 554 555 return common_file_perm(op, file, mask, in_atomic); 556 } 557 558 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 559 unsigned long prot, unsigned long flags) 560 { 561 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC); 562 } 563 564 static int apparmor_file_mprotect(struct vm_area_struct *vma, 565 unsigned long reqprot, unsigned long prot) 566 { 567 return common_mmap(OP_FMPROT, vma->vm_file, prot, 568 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, 569 false); 570 } 571 572 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 573 const char *type, unsigned long flags, void *data) 574 { 575 struct aa_label *label; 576 int error = 0; 577 578 /* Discard magic */ 579 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 580 flags &= ~MS_MGC_MSK; 581 582 flags &= ~AA_MS_IGNORE_MASK; 583 584 label = __begin_current_label_crit_section(); 585 if (!unconfined(label)) { 586 if (flags & MS_REMOUNT) 587 error = aa_remount(label, path, flags, data); 588 else if (flags & MS_BIND) 589 error = aa_bind_mount(label, path, dev_name, flags); 590 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 591 MS_UNBINDABLE)) 592 error = aa_mount_change_type(label, path, flags); 593 else if (flags & MS_MOVE) 594 error = aa_move_mount(label, path, dev_name); 595 else 596 error = aa_new_mount(label, dev_name, path, type, 597 flags, data); 598 } 599 __end_current_label_crit_section(label); 600 601 return error; 602 } 603 604 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 605 { 606 struct aa_label *label; 607 int error = 0; 608 609 label = __begin_current_label_crit_section(); 610 if (!unconfined(label)) 611 error = aa_umount(label, mnt, flags); 612 __end_current_label_crit_section(label); 613 614 return error; 615 } 616 617 static int apparmor_sb_pivotroot(const struct path *old_path, 618 const struct path *new_path) 619 { 620 struct aa_label *label; 621 int error = 0; 622 623 label = aa_get_current_label(); 624 if (!unconfined(label)) 625 error = aa_pivotroot(label, old_path, new_path); 626 aa_put_label(label); 627 628 return error; 629 } 630 631 static int apparmor_getprocattr(struct task_struct *task, const char *name, 632 char **value) 633 { 634 int error = -ENOENT; 635 /* released below */ 636 const struct cred *cred = get_task_cred(task); 637 struct aa_task_ctx *ctx = task_ctx(current); 638 struct aa_label *label = NULL; 639 640 if (strcmp(name, "current") == 0) 641 label = aa_get_newest_label(cred_label(cred)); 642 else if (strcmp(name, "prev") == 0 && ctx->previous) 643 label = aa_get_newest_label(ctx->previous); 644 else if (strcmp(name, "exec") == 0 && ctx->onexec) 645 label = aa_get_newest_label(ctx->onexec); 646 else 647 error = -EINVAL; 648 649 if (label) 650 error = aa_getprocattr(label, value); 651 652 aa_put_label(label); 653 put_cred(cred); 654 655 return error; 656 } 657 658 static int apparmor_setprocattr(const char *name, void *value, 659 size_t size) 660 { 661 char *command, *largs = NULL, *args = value; 662 size_t arg_size; 663 int error; 664 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 665 666 if (size == 0) 667 return -EINVAL; 668 669 /* AppArmor requires that the buffer must be null terminated atm */ 670 if (args[size - 1] != '\0') { 671 /* null terminate */ 672 largs = args = kmalloc(size + 1, GFP_KERNEL); 673 if (!args) 674 return -ENOMEM; 675 memcpy(args, value, size); 676 args[size] = '\0'; 677 } 678 679 error = -EINVAL; 680 args = strim(args); 681 command = strsep(&args, " "); 682 if (!args) 683 goto out; 684 args = skip_spaces(args); 685 if (!*args) 686 goto out; 687 688 arg_size = size - (args - (largs ? largs : (char *) value)); 689 if (strcmp(name, "current") == 0) { 690 if (strcmp(command, "changehat") == 0) { 691 error = aa_setprocattr_changehat(args, arg_size, 692 AA_CHANGE_NOFLAGS); 693 } else if (strcmp(command, "permhat") == 0) { 694 error = aa_setprocattr_changehat(args, arg_size, 695 AA_CHANGE_TEST); 696 } else if (strcmp(command, "changeprofile") == 0) { 697 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 698 } else if (strcmp(command, "permprofile") == 0) { 699 error = aa_change_profile(args, AA_CHANGE_TEST); 700 } else if (strcmp(command, "stack") == 0) { 701 error = aa_change_profile(args, AA_CHANGE_STACK); 702 } else 703 goto fail; 704 } else if (strcmp(name, "exec") == 0) { 705 if (strcmp(command, "exec") == 0) 706 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 707 else if (strcmp(command, "stack") == 0) 708 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 709 AA_CHANGE_STACK)); 710 else 711 goto fail; 712 } else 713 /* only support the "current" and "exec" process attributes */ 714 goto fail; 715 716 if (!error) 717 error = size; 718 out: 719 kfree(largs); 720 return error; 721 722 fail: 723 aad(&sa)->label = begin_current_label_crit_section(); 724 aad(&sa)->info = name; 725 aad(&sa)->error = error = -EINVAL; 726 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 727 end_current_label_crit_section(aad(&sa)->label); 728 goto out; 729 } 730 731 /** 732 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 733 * @bprm: binprm for the exec (NOT NULL) 734 */ 735 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 736 { 737 struct aa_label *label = aa_current_raw_label(); 738 struct aa_label *new_label = cred_label(bprm->cred); 739 740 /* bail out if unconfined or not changing profile */ 741 if ((new_label->proxy == label->proxy) || 742 (unconfined(new_label))) 743 return; 744 745 aa_inherit_files(bprm->cred, current->files); 746 747 current->pdeath_signal = 0; 748 749 /* reset soft limits and set hard limits for the new label */ 750 __aa_transition_rlimits(label, new_label); 751 } 752 753 /** 754 * apparmor_bprm_committed_cred - do cleanup after new creds committed 755 * @bprm: binprm for the exec (NOT NULL) 756 */ 757 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 758 { 759 /* clear out temporary/transitional state from the context */ 760 aa_clear_task_ctx_trans(task_ctx(current)); 761 762 return; 763 } 764 765 static void apparmor_current_getsecid_subj(u32 *secid) 766 { 767 struct aa_label *label = aa_get_current_label(); 768 *secid = label->secid; 769 aa_put_label(label); 770 } 771 772 static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) 773 { 774 struct aa_label *label = aa_get_task_label(p); 775 *secid = label->secid; 776 aa_put_label(label); 777 } 778 779 static int apparmor_task_setrlimit(struct task_struct *task, 780 unsigned int resource, struct rlimit *new_rlim) 781 { 782 struct aa_label *label = __begin_current_label_crit_section(); 783 int error = 0; 784 785 if (!unconfined(label)) 786 error = aa_task_setrlimit(label, task, resource, new_rlim); 787 __end_current_label_crit_section(label); 788 789 return error; 790 } 791 792 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info, 793 int sig, const struct cred *cred) 794 { 795 struct aa_label *cl, *tl; 796 int error; 797 798 if (cred) { 799 /* 800 * Dealing with USB IO specific behavior 801 */ 802 cl = aa_get_newest_cred_label(cred); 803 tl = aa_get_task_label(target); 804 error = aa_may_signal(cl, tl, sig); 805 aa_put_label(cl); 806 aa_put_label(tl); 807 return error; 808 } 809 810 cl = __begin_current_label_crit_section(); 811 tl = aa_get_task_label(target); 812 error = aa_may_signal(cl, tl, sig); 813 aa_put_label(tl); 814 __end_current_label_crit_section(cl); 815 816 return error; 817 } 818 819 /** 820 * apparmor_sk_alloc_security - allocate and attach the sk_security field 821 */ 822 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 823 { 824 struct aa_sk_ctx *ctx; 825 826 ctx = kzalloc(sizeof(*ctx), flags); 827 if (!ctx) 828 return -ENOMEM; 829 830 SK_CTX(sk) = ctx; 831 832 return 0; 833 } 834 835 /** 836 * apparmor_sk_free_security - free the sk_security field 837 */ 838 static void apparmor_sk_free_security(struct sock *sk) 839 { 840 struct aa_sk_ctx *ctx = SK_CTX(sk); 841 842 SK_CTX(sk) = NULL; 843 aa_put_label(ctx->label); 844 aa_put_label(ctx->peer); 845 kfree(ctx); 846 } 847 848 /** 849 * apparmor_sk_clone_security - clone the sk_security field 850 */ 851 static void apparmor_sk_clone_security(const struct sock *sk, 852 struct sock *newsk) 853 { 854 struct aa_sk_ctx *ctx = SK_CTX(sk); 855 struct aa_sk_ctx *new = SK_CTX(newsk); 856 857 if (new->label) 858 aa_put_label(new->label); 859 new->label = aa_get_label(ctx->label); 860 861 if (new->peer) 862 aa_put_label(new->peer); 863 new->peer = aa_get_label(ctx->peer); 864 } 865 866 /** 867 * apparmor_socket_create - check perms before creating a new socket 868 */ 869 static int apparmor_socket_create(int family, int type, int protocol, int kern) 870 { 871 struct aa_label *label; 872 int error = 0; 873 874 AA_BUG(in_interrupt()); 875 876 label = begin_current_label_crit_section(); 877 if (!(kern || unconfined(label))) 878 error = af_select(family, 879 create_perm(label, family, type, protocol), 880 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 881 family, type, protocol)); 882 end_current_label_crit_section(label); 883 884 return error; 885 } 886 887 /** 888 * apparmor_socket_post_create - setup the per-socket security struct 889 * 890 * Note: 891 * - kernel sockets currently labeled unconfined but we may want to 892 * move to a special kernel label 893 * - socket may not have sk here if created with sock_create_lite or 894 * sock_alloc. These should be accept cases which will be handled in 895 * sock_graft. 896 */ 897 static int apparmor_socket_post_create(struct socket *sock, int family, 898 int type, int protocol, int kern) 899 { 900 struct aa_label *label; 901 902 if (kern) { 903 label = aa_get_label(kernel_t); 904 } else 905 label = aa_get_current_label(); 906 907 if (sock->sk) { 908 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 909 910 aa_put_label(ctx->label); 911 ctx->label = aa_get_label(label); 912 } 913 aa_put_label(label); 914 915 return 0; 916 } 917 918 /** 919 * apparmor_socket_bind - check perms before bind addr to socket 920 */ 921 static int apparmor_socket_bind(struct socket *sock, 922 struct sockaddr *address, int addrlen) 923 { 924 AA_BUG(!sock); 925 AA_BUG(!sock->sk); 926 AA_BUG(!address); 927 AA_BUG(in_interrupt()); 928 929 return af_select(sock->sk->sk_family, 930 bind_perm(sock, address, addrlen), 931 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 932 } 933 934 /** 935 * apparmor_socket_connect - check perms before connecting @sock to @address 936 */ 937 static int apparmor_socket_connect(struct socket *sock, 938 struct sockaddr *address, int addrlen) 939 { 940 AA_BUG(!sock); 941 AA_BUG(!sock->sk); 942 AA_BUG(!address); 943 AA_BUG(in_interrupt()); 944 945 return af_select(sock->sk->sk_family, 946 connect_perm(sock, address, addrlen), 947 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 948 } 949 950 /** 951 * apparmor_socket_listen - check perms before allowing listen 952 */ 953 static int apparmor_socket_listen(struct socket *sock, int backlog) 954 { 955 AA_BUG(!sock); 956 AA_BUG(!sock->sk); 957 AA_BUG(in_interrupt()); 958 959 return af_select(sock->sk->sk_family, 960 listen_perm(sock, backlog), 961 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 962 } 963 964 /** 965 * apparmor_socket_accept - check perms before accepting a new connection. 966 * 967 * Note: while @newsock is created and has some information, the accept 968 * has not been done. 969 */ 970 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 971 { 972 AA_BUG(!sock); 973 AA_BUG(!sock->sk); 974 AA_BUG(!newsock); 975 AA_BUG(in_interrupt()); 976 977 return af_select(sock->sk->sk_family, 978 accept_perm(sock, newsock), 979 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 980 } 981 982 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 983 struct msghdr *msg, int size) 984 { 985 AA_BUG(!sock); 986 AA_BUG(!sock->sk); 987 AA_BUG(!msg); 988 AA_BUG(in_interrupt()); 989 990 return af_select(sock->sk->sk_family, 991 msg_perm(op, request, sock, msg, size), 992 aa_sk_perm(op, request, sock->sk)); 993 } 994 995 /** 996 * apparmor_socket_sendmsg - check perms before sending msg to another socket 997 */ 998 static int apparmor_socket_sendmsg(struct socket *sock, 999 struct msghdr *msg, int size) 1000 { 1001 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 1002 } 1003 1004 /** 1005 * apparmor_socket_recvmsg - check perms before receiving a message 1006 */ 1007 static int apparmor_socket_recvmsg(struct socket *sock, 1008 struct msghdr *msg, int size, int flags) 1009 { 1010 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 1011 } 1012 1013 /* revaliation, get/set attr, shutdown */ 1014 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 1015 { 1016 AA_BUG(!sock); 1017 AA_BUG(!sock->sk); 1018 AA_BUG(in_interrupt()); 1019 1020 return af_select(sock->sk->sk_family, 1021 sock_perm(op, request, sock), 1022 aa_sk_perm(op, request, sock->sk)); 1023 } 1024 1025 /** 1026 * apparmor_socket_getsockname - check perms before getting the local address 1027 */ 1028 static int apparmor_socket_getsockname(struct socket *sock) 1029 { 1030 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 1031 } 1032 1033 /** 1034 * apparmor_socket_getpeername - check perms before getting remote address 1035 */ 1036 static int apparmor_socket_getpeername(struct socket *sock) 1037 { 1038 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 1039 } 1040 1041 /* revaliation, get/set attr, opt */ 1042 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 1043 int level, int optname) 1044 { 1045 AA_BUG(!sock); 1046 AA_BUG(!sock->sk); 1047 AA_BUG(in_interrupt()); 1048 1049 return af_select(sock->sk->sk_family, 1050 opt_perm(op, request, sock, level, optname), 1051 aa_sk_perm(op, request, sock->sk)); 1052 } 1053 1054 /** 1055 * apparmor_socket_getsockopt - check perms before getting socket options 1056 */ 1057 static int apparmor_socket_getsockopt(struct socket *sock, int level, 1058 int optname) 1059 { 1060 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1061 level, optname); 1062 } 1063 1064 /** 1065 * apparmor_socket_setsockopt - check perms before setting socket options 1066 */ 1067 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1068 int optname) 1069 { 1070 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1071 level, optname); 1072 } 1073 1074 /** 1075 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1076 */ 1077 static int apparmor_socket_shutdown(struct socket *sock, int how) 1078 { 1079 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1080 } 1081 1082 #ifdef CONFIG_NETWORK_SECMARK 1083 /** 1084 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk 1085 * 1086 * Note: can not sleep may be called with locks held 1087 * 1088 * dont want protocol specific in __skb_recv_datagram() 1089 * to deny an incoming connection socket_sock_rcv_skb() 1090 */ 1091 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1092 { 1093 struct aa_sk_ctx *ctx = SK_CTX(sk); 1094 1095 if (!skb->secmark) 1096 return 0; 1097 1098 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, 1099 skb->secmark, sk); 1100 } 1101 #endif 1102 1103 1104 static struct aa_label *sk_peer_label(struct sock *sk) 1105 { 1106 struct aa_sk_ctx *ctx = SK_CTX(sk); 1107 1108 if (ctx->peer) 1109 return ctx->peer; 1110 1111 return ERR_PTR(-ENOPROTOOPT); 1112 } 1113 1114 /** 1115 * apparmor_socket_getpeersec_stream - get security context of peer 1116 * 1117 * Note: for tcp only valid if using ipsec or cipso on lan 1118 */ 1119 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1120 sockptr_t optval, sockptr_t optlen, 1121 unsigned int len) 1122 { 1123 char *name = NULL; 1124 int slen, error = 0; 1125 struct aa_label *label; 1126 struct aa_label *peer; 1127 1128 label = begin_current_label_crit_section(); 1129 peer = sk_peer_label(sock->sk); 1130 if (IS_ERR(peer)) { 1131 error = PTR_ERR(peer); 1132 goto done; 1133 } 1134 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1135 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1136 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1137 /* don't include terminating \0 in slen, it breaks some apps */ 1138 if (slen < 0) { 1139 error = -ENOMEM; 1140 goto done; 1141 } 1142 if (slen > len) { 1143 error = -ERANGE; 1144 goto done_len; 1145 } 1146 1147 if (copy_to_sockptr(optval, name, slen)) 1148 error = -EFAULT; 1149 done_len: 1150 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 1151 error = -EFAULT; 1152 done: 1153 end_current_label_crit_section(label); 1154 kfree(name); 1155 return error; 1156 } 1157 1158 /** 1159 * apparmor_socket_getpeersec_dgram - get security label of packet 1160 * @sock: the peer socket 1161 * @skb: packet data 1162 * @secid: pointer to where to put the secid of the packet 1163 * 1164 * Sets the netlabel socket state on sk from parent 1165 */ 1166 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1167 struct sk_buff *skb, u32 *secid) 1168 1169 { 1170 /* TODO: requires secid support */ 1171 return -ENOPROTOOPT; 1172 } 1173 1174 /** 1175 * apparmor_sock_graft - Initialize newly created socket 1176 * @sk: child sock 1177 * @parent: parent socket 1178 * 1179 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1180 * just set sk security information off of current creating process label 1181 * Labeling of sk for accept case - probably should be sock based 1182 * instead of task, because of the case where an implicitly labeled 1183 * socket is shared by different tasks. 1184 */ 1185 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1186 { 1187 struct aa_sk_ctx *ctx = SK_CTX(sk); 1188 1189 if (!ctx->label) 1190 ctx->label = aa_get_current_label(); 1191 } 1192 1193 #ifdef CONFIG_NETWORK_SECMARK 1194 static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 1195 struct request_sock *req) 1196 { 1197 struct aa_sk_ctx *ctx = SK_CTX(sk); 1198 1199 if (!skb->secmark) 1200 return 0; 1201 1202 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, 1203 skb->secmark, sk); 1204 } 1205 #endif 1206 1207 /* 1208 * The cred blob is a pointer to, not an instance of, an aa_task_ctx. 1209 */ 1210 struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { 1211 .lbs_cred = sizeof(struct aa_task_ctx *), 1212 .lbs_file = sizeof(struct aa_file_ctx), 1213 .lbs_task = sizeof(struct aa_task_ctx), 1214 }; 1215 1216 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1217 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1218 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1219 LSM_HOOK_INIT(capget, apparmor_capget), 1220 LSM_HOOK_INIT(capable, apparmor_capable), 1221 1222 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1223 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1224 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1225 1226 LSM_HOOK_INIT(path_link, apparmor_path_link), 1227 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1228 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1229 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1230 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1231 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1232 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1233 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1234 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1235 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1236 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1237 1238 LSM_HOOK_INIT(file_open, apparmor_file_open), 1239 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1240 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1241 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1242 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1243 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1244 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1245 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1246 LSM_HOOK_INIT(file_truncate, apparmor_file_truncate), 1247 1248 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1249 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1250 1251 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1252 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1253 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1254 1255 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1256 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1257 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1258 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1259 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1260 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1261 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1262 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1263 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1264 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1265 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1266 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1267 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1268 #ifdef CONFIG_NETWORK_SECMARK 1269 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1270 #endif 1271 LSM_HOOK_INIT(socket_getpeersec_stream, 1272 apparmor_socket_getpeersec_stream), 1273 LSM_HOOK_INIT(socket_getpeersec_dgram, 1274 apparmor_socket_getpeersec_dgram), 1275 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1276 #ifdef CONFIG_NETWORK_SECMARK 1277 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), 1278 #endif 1279 1280 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1281 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1282 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1283 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1284 1285 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec), 1286 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1287 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1288 1289 LSM_HOOK_INIT(task_free, apparmor_task_free), 1290 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1291 LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), 1292 LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), 1293 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1294 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1295 1296 #ifdef CONFIG_AUDIT 1297 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init), 1298 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known), 1299 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match), 1300 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free), 1301 #endif 1302 1303 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1304 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1305 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1306 }; 1307 1308 /* 1309 * AppArmor sysfs module parameters 1310 */ 1311 1312 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1313 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1314 #define param_check_aabool param_check_bool 1315 static const struct kernel_param_ops param_ops_aabool = { 1316 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1317 .set = param_set_aabool, 1318 .get = param_get_aabool 1319 }; 1320 1321 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1322 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1323 #define param_check_aauint param_check_uint 1324 static const struct kernel_param_ops param_ops_aauint = { 1325 .set = param_set_aauint, 1326 .get = param_get_aauint 1327 }; 1328 1329 static int param_set_aacompressionlevel(const char *val, 1330 const struct kernel_param *kp); 1331 static int param_get_aacompressionlevel(char *buffer, 1332 const struct kernel_param *kp); 1333 #define param_check_aacompressionlevel param_check_int 1334 static const struct kernel_param_ops param_ops_aacompressionlevel = { 1335 .set = param_set_aacompressionlevel, 1336 .get = param_get_aacompressionlevel 1337 }; 1338 1339 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1340 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1341 #define param_check_aalockpolicy param_check_bool 1342 static const struct kernel_param_ops param_ops_aalockpolicy = { 1343 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1344 .set = param_set_aalockpolicy, 1345 .get = param_get_aalockpolicy 1346 }; 1347 1348 static int param_set_audit(const char *val, const struct kernel_param *kp); 1349 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1350 1351 static int param_set_mode(const char *val, const struct kernel_param *kp); 1352 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1353 1354 /* Flag values, also controllable via /sys/module/apparmor/parameters 1355 * We define special types as we want to do additional mediation. 1356 */ 1357 1358 /* AppArmor global enforcement switch - complain, enforce, kill */ 1359 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1360 module_param_call(mode, param_set_mode, param_get_mode, 1361 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1362 1363 /* whether policy verification hashing is enabled */ 1364 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1365 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1366 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1367 #endif 1368 1369 /* whether policy exactly as loaded is retained for debug and checkpointing */ 1370 bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY); 1371 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1372 module_param_named(export_binary, aa_g_export_binary, aabool, 0600); 1373 #endif 1374 1375 /* policy loaddata compression level */ 1376 int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION; 1377 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level, 1378 aacompressionlevel, 0400); 1379 1380 /* Debug mode */ 1381 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1382 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1383 1384 /* Audit mode */ 1385 enum audit_mode aa_g_audit; 1386 module_param_call(audit, param_set_audit, param_get_audit, 1387 &aa_g_audit, S_IRUSR | S_IWUSR); 1388 1389 /* Determines if audit header is included in audited messages. This 1390 * provides more context if the audit daemon is not running 1391 */ 1392 bool aa_g_audit_header = true; 1393 module_param_named(audit_header, aa_g_audit_header, aabool, 1394 S_IRUSR | S_IWUSR); 1395 1396 /* lock out loading/removal of policy 1397 * TODO: add in at boot loading of policy, which is the only way to 1398 * load policy, if lock_policy is set 1399 */ 1400 bool aa_g_lock_policy; 1401 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1402 S_IRUSR | S_IWUSR); 1403 1404 /* Syscall logging mode */ 1405 bool aa_g_logsyscall; 1406 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1407 1408 /* Maximum pathname length before accesses will start getting rejected */ 1409 unsigned int aa_g_path_max = 2 * PATH_MAX; 1410 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1411 1412 /* Determines how paranoid loading of policy is and how much verification 1413 * on the loaded policy is done. 1414 * DEPRECATED: read only as strict checking of load is always done now 1415 * that none root users (user namespaces) can load policy. 1416 */ 1417 bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD); 1418 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1419 1420 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); 1421 static int param_set_aaintbool(const char *val, const struct kernel_param *kp); 1422 #define param_check_aaintbool param_check_int 1423 static const struct kernel_param_ops param_ops_aaintbool = { 1424 .set = param_set_aaintbool, 1425 .get = param_get_aaintbool 1426 }; 1427 /* Boot time disable flag */ 1428 static int apparmor_enabled __lsm_ro_after_init = 1; 1429 module_param_named(enabled, apparmor_enabled, aaintbool, 0444); 1430 1431 static int __init apparmor_enabled_setup(char *str) 1432 { 1433 unsigned long enabled; 1434 int error = kstrtoul(str, 0, &enabled); 1435 if (!error) 1436 apparmor_enabled = enabled ? 1 : 0; 1437 return 1; 1438 } 1439 1440 __setup("apparmor=", apparmor_enabled_setup); 1441 1442 /* set global flag turning off the ability to load policy */ 1443 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1444 { 1445 if (!apparmor_enabled) 1446 return -EINVAL; 1447 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1448 return -EPERM; 1449 return param_set_bool(val, kp); 1450 } 1451 1452 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1453 { 1454 if (!apparmor_enabled) 1455 return -EINVAL; 1456 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1457 return -EPERM; 1458 return param_get_bool(buffer, kp); 1459 } 1460 1461 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1462 { 1463 if (!apparmor_enabled) 1464 return -EINVAL; 1465 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1466 return -EPERM; 1467 return param_set_bool(val, kp); 1468 } 1469 1470 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1471 { 1472 if (!apparmor_enabled) 1473 return -EINVAL; 1474 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1475 return -EPERM; 1476 return param_get_bool(buffer, kp); 1477 } 1478 1479 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1480 { 1481 int error; 1482 1483 if (!apparmor_enabled) 1484 return -EINVAL; 1485 /* file is ro but enforce 2nd line check */ 1486 if (apparmor_initialized) 1487 return -EPERM; 1488 1489 error = param_set_uint(val, kp); 1490 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer)); 1491 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1492 1493 return error; 1494 } 1495 1496 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1497 { 1498 if (!apparmor_enabled) 1499 return -EINVAL; 1500 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1501 return -EPERM; 1502 return param_get_uint(buffer, kp); 1503 } 1504 1505 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */ 1506 static int param_set_aaintbool(const char *val, const struct kernel_param *kp) 1507 { 1508 struct kernel_param kp_local; 1509 bool value; 1510 int error; 1511 1512 if (apparmor_initialized) 1513 return -EPERM; 1514 1515 /* Create local copy, with arg pointing to bool type. */ 1516 value = !!*((int *)kp->arg); 1517 memcpy(&kp_local, kp, sizeof(kp_local)); 1518 kp_local.arg = &value; 1519 1520 error = param_set_bool(val, &kp_local); 1521 if (!error) 1522 *((int *)kp->arg) = *((bool *)kp_local.arg); 1523 return error; 1524 } 1525 1526 /* 1527 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to 1528 * 1/0, this converts the "int that is actually bool" back to bool for 1529 * display in the /sys filesystem, while keeping it "int" for the LSM 1530 * infrastructure. 1531 */ 1532 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp) 1533 { 1534 struct kernel_param kp_local; 1535 bool value; 1536 1537 /* Create local copy, with arg pointing to bool type. */ 1538 value = !!*((int *)kp->arg); 1539 memcpy(&kp_local, kp, sizeof(kp_local)); 1540 kp_local.arg = &value; 1541 1542 return param_get_bool(buffer, &kp_local); 1543 } 1544 1545 static int param_set_aacompressionlevel(const char *val, 1546 const struct kernel_param *kp) 1547 { 1548 int error; 1549 1550 if (!apparmor_enabled) 1551 return -EINVAL; 1552 if (apparmor_initialized) 1553 return -EPERM; 1554 1555 error = param_set_int(val, kp); 1556 1557 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level, 1558 Z_NO_COMPRESSION, 1559 Z_BEST_COMPRESSION); 1560 pr_info("AppArmor: policy rawdata compression level set to %u\n", 1561 aa_g_rawdata_compression_level); 1562 1563 return error; 1564 } 1565 1566 static int param_get_aacompressionlevel(char *buffer, 1567 const struct kernel_param *kp) 1568 { 1569 if (!apparmor_enabled) 1570 return -EINVAL; 1571 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1572 return -EPERM; 1573 return param_get_int(buffer, kp); 1574 } 1575 1576 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1577 { 1578 if (!apparmor_enabled) 1579 return -EINVAL; 1580 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1581 return -EPERM; 1582 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1583 } 1584 1585 static int param_set_audit(const char *val, const struct kernel_param *kp) 1586 { 1587 int i; 1588 1589 if (!apparmor_enabled) 1590 return -EINVAL; 1591 if (!val) 1592 return -EINVAL; 1593 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1594 return -EPERM; 1595 1596 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1597 if (i < 0) 1598 return -EINVAL; 1599 1600 aa_g_audit = i; 1601 return 0; 1602 } 1603 1604 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1605 { 1606 if (!apparmor_enabled) 1607 return -EINVAL; 1608 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1609 return -EPERM; 1610 1611 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1612 } 1613 1614 static int param_set_mode(const char *val, const struct kernel_param *kp) 1615 { 1616 int i; 1617 1618 if (!apparmor_enabled) 1619 return -EINVAL; 1620 if (!val) 1621 return -EINVAL; 1622 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1623 return -EPERM; 1624 1625 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1626 val); 1627 if (i < 0) 1628 return -EINVAL; 1629 1630 aa_g_profile_mode = i; 1631 return 0; 1632 } 1633 1634 char *aa_get_buffer(bool in_atomic) 1635 { 1636 union aa_buffer *aa_buf; 1637 bool try_again = true; 1638 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1639 1640 retry: 1641 spin_lock(&aa_buffers_lock); 1642 if (buffer_count > reserve_count || 1643 (in_atomic && !list_empty(&aa_global_buffers))) { 1644 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1645 list); 1646 list_del(&aa_buf->list); 1647 buffer_count--; 1648 spin_unlock(&aa_buffers_lock); 1649 return &aa_buf->buffer[0]; 1650 } 1651 if (in_atomic) { 1652 /* 1653 * out of reserve buffers and in atomic context so increase 1654 * how many buffers to keep in reserve 1655 */ 1656 reserve_count++; 1657 flags = GFP_ATOMIC; 1658 } 1659 spin_unlock(&aa_buffers_lock); 1660 1661 if (!in_atomic) 1662 might_sleep(); 1663 aa_buf = kmalloc(aa_g_path_max, flags); 1664 if (!aa_buf) { 1665 if (try_again) { 1666 try_again = false; 1667 goto retry; 1668 } 1669 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n"); 1670 return NULL; 1671 } 1672 return &aa_buf->buffer[0]; 1673 } 1674 1675 void aa_put_buffer(char *buf) 1676 { 1677 union aa_buffer *aa_buf; 1678 1679 if (!buf) 1680 return; 1681 aa_buf = container_of(buf, union aa_buffer, buffer[0]); 1682 1683 spin_lock(&aa_buffers_lock); 1684 list_add(&aa_buf->list, &aa_global_buffers); 1685 buffer_count++; 1686 spin_unlock(&aa_buffers_lock); 1687 } 1688 1689 /* 1690 * AppArmor init functions 1691 */ 1692 1693 /** 1694 * set_init_ctx - set a task context and profile on the first task. 1695 * 1696 * TODO: allow setting an alternate profile than unconfined 1697 */ 1698 static int __init set_init_ctx(void) 1699 { 1700 struct cred *cred = (__force struct cred *)current->real_cred; 1701 1702 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); 1703 1704 return 0; 1705 } 1706 1707 static void destroy_buffers(void) 1708 { 1709 union aa_buffer *aa_buf; 1710 1711 spin_lock(&aa_buffers_lock); 1712 while (!list_empty(&aa_global_buffers)) { 1713 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1714 list); 1715 list_del(&aa_buf->list); 1716 spin_unlock(&aa_buffers_lock); 1717 kfree(aa_buf); 1718 spin_lock(&aa_buffers_lock); 1719 } 1720 spin_unlock(&aa_buffers_lock); 1721 } 1722 1723 static int __init alloc_buffers(void) 1724 { 1725 union aa_buffer *aa_buf; 1726 int i, num; 1727 1728 /* 1729 * A function may require two buffers at once. Usually the buffers are 1730 * used for a short period of time and are shared. On UP kernel buffers 1731 * two should be enough, with more CPUs it is possible that more 1732 * buffers will be used simultaneously. The preallocated pool may grow. 1733 * This preallocation has also the side-effect that AppArmor will be 1734 * disabled early at boot if aa_g_path_max is extremly high. 1735 */ 1736 if (num_online_cpus() > 1) 1737 num = 4 + RESERVE_COUNT; 1738 else 1739 num = 2 + RESERVE_COUNT; 1740 1741 for (i = 0; i < num; i++) { 1742 1743 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL | 1744 __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1745 if (!aa_buf) { 1746 destroy_buffers(); 1747 return -ENOMEM; 1748 } 1749 aa_put_buffer(&aa_buf->buffer[0]); 1750 } 1751 return 0; 1752 } 1753 1754 #ifdef CONFIG_SYSCTL 1755 static int apparmor_dointvec(struct ctl_table *table, int write, 1756 void *buffer, size_t *lenp, loff_t *ppos) 1757 { 1758 if (!aa_current_policy_admin_capable(NULL)) 1759 return -EPERM; 1760 if (!apparmor_enabled) 1761 return -EINVAL; 1762 1763 return proc_dointvec(table, write, buffer, lenp, ppos); 1764 } 1765 1766 static struct ctl_path apparmor_sysctl_path[] = { 1767 { .procname = "kernel", }, 1768 { } 1769 }; 1770 1771 static struct ctl_table apparmor_sysctl_table[] = { 1772 { 1773 .procname = "unprivileged_userns_apparmor_policy", 1774 .data = &unprivileged_userns_apparmor_policy, 1775 .maxlen = sizeof(int), 1776 .mode = 0600, 1777 .proc_handler = apparmor_dointvec, 1778 }, 1779 { 1780 .procname = "apparmor_display_secid_mode", 1781 .data = &apparmor_display_secid_mode, 1782 .maxlen = sizeof(int), 1783 .mode = 0600, 1784 .proc_handler = apparmor_dointvec, 1785 }, 1786 1787 { } 1788 }; 1789 1790 static int __init apparmor_init_sysctl(void) 1791 { 1792 return register_sysctl_paths(apparmor_sysctl_path, 1793 apparmor_sysctl_table) ? 0 : -ENOMEM; 1794 } 1795 #else 1796 static inline int apparmor_init_sysctl(void) 1797 { 1798 return 0; 1799 } 1800 #endif /* CONFIG_SYSCTL */ 1801 1802 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK) 1803 static unsigned int apparmor_ip_postroute(void *priv, 1804 struct sk_buff *skb, 1805 const struct nf_hook_state *state) 1806 { 1807 struct aa_sk_ctx *ctx; 1808 struct sock *sk; 1809 1810 if (!skb->secmark) 1811 return NF_ACCEPT; 1812 1813 sk = skb_to_full_sk(skb); 1814 if (sk == NULL) 1815 return NF_ACCEPT; 1816 1817 ctx = SK_CTX(sk); 1818 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, 1819 skb->secmark, sk)) 1820 return NF_ACCEPT; 1821 1822 return NF_DROP_ERR(-ECONNREFUSED); 1823 1824 } 1825 1826 static const struct nf_hook_ops apparmor_nf_ops[] = { 1827 { 1828 .hook = apparmor_ip_postroute, 1829 .pf = NFPROTO_IPV4, 1830 .hooknum = NF_INET_POST_ROUTING, 1831 .priority = NF_IP_PRI_SELINUX_FIRST, 1832 }, 1833 #if IS_ENABLED(CONFIG_IPV6) 1834 { 1835 .hook = apparmor_ip_postroute, 1836 .pf = NFPROTO_IPV6, 1837 .hooknum = NF_INET_POST_ROUTING, 1838 .priority = NF_IP6_PRI_SELINUX_FIRST, 1839 }, 1840 #endif 1841 }; 1842 1843 static int __net_init apparmor_nf_register(struct net *net) 1844 { 1845 return nf_register_net_hooks(net, apparmor_nf_ops, 1846 ARRAY_SIZE(apparmor_nf_ops)); 1847 } 1848 1849 static void __net_exit apparmor_nf_unregister(struct net *net) 1850 { 1851 nf_unregister_net_hooks(net, apparmor_nf_ops, 1852 ARRAY_SIZE(apparmor_nf_ops)); 1853 } 1854 1855 static struct pernet_operations apparmor_net_ops = { 1856 .init = apparmor_nf_register, 1857 .exit = apparmor_nf_unregister, 1858 }; 1859 1860 static int __init apparmor_nf_ip_init(void) 1861 { 1862 int err; 1863 1864 if (!apparmor_enabled) 1865 return 0; 1866 1867 err = register_pernet_subsys(&apparmor_net_ops); 1868 if (err) 1869 panic("Apparmor: register_pernet_subsys: error %d\n", err); 1870 1871 return 0; 1872 } 1873 __initcall(apparmor_nf_ip_init); 1874 #endif 1875 1876 static int __init apparmor_init(void) 1877 { 1878 int error; 1879 1880 error = aa_setup_dfa_engine(); 1881 if (error) { 1882 AA_ERROR("Unable to setup dfa engine\n"); 1883 goto alloc_out; 1884 } 1885 1886 error = aa_alloc_root_ns(); 1887 if (error) { 1888 AA_ERROR("Unable to allocate default profile namespace\n"); 1889 goto alloc_out; 1890 } 1891 1892 error = apparmor_init_sysctl(); 1893 if (error) { 1894 AA_ERROR("Unable to register sysctls\n"); 1895 goto alloc_out; 1896 1897 } 1898 1899 error = alloc_buffers(); 1900 if (error) { 1901 AA_ERROR("Unable to allocate work buffers\n"); 1902 goto alloc_out; 1903 } 1904 1905 error = set_init_ctx(); 1906 if (error) { 1907 AA_ERROR("Failed to set context on init task\n"); 1908 aa_free_root_ns(); 1909 goto buffers_out; 1910 } 1911 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1912 "apparmor"); 1913 1914 /* Report that AppArmor successfully initialized */ 1915 apparmor_initialized = 1; 1916 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1917 aa_info_message("AppArmor initialized: complain mode enabled"); 1918 else if (aa_g_profile_mode == APPARMOR_KILL) 1919 aa_info_message("AppArmor initialized: kill mode enabled"); 1920 else 1921 aa_info_message("AppArmor initialized"); 1922 1923 return error; 1924 1925 buffers_out: 1926 destroy_buffers(); 1927 alloc_out: 1928 aa_destroy_aafs(); 1929 aa_teardown_dfa_engine(); 1930 1931 apparmor_enabled = false; 1932 return error; 1933 } 1934 1935 DEFINE_LSM(apparmor) = { 1936 .name = "apparmor", 1937 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 1938 .enabled = &apparmor_enabled, 1939 .blobs = &apparmor_blob_sizes, 1940 .init = apparmor_init, 1941 }; 1942