1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <net/sock.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 48 49 50 /* 51 * LSM hook functions 52 */ 53 54 /* 55 * put the associated labels 56 */ 57 static void apparmor_cred_free(struct cred *cred) 58 { 59 aa_put_label(cred_label(cred)); 60 cred_label(cred) = NULL; 61 } 62 63 /* 64 * allocate the apparmor part of blank credentials 65 */ 66 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 67 { 68 cred_label(cred) = NULL; 69 return 0; 70 } 71 72 /* 73 * prepare new cred label for modification by prepare_cred block 74 */ 75 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 76 gfp_t gfp) 77 { 78 cred_label(new) = aa_get_newest_label(cred_label(old)); 79 return 0; 80 } 81 82 /* 83 * transfer the apparmor data to a blank set of creds 84 */ 85 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 86 { 87 cred_label(new) = aa_get_newest_label(cred_label(old)); 88 } 89 90 static void apparmor_task_free(struct task_struct *task) 91 { 92 93 aa_free_task_ctx(task_ctx(task)); 94 task_ctx(task) = NULL; 95 } 96 97 static int apparmor_task_alloc(struct task_struct *task, 98 unsigned long clone_flags) 99 { 100 struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); 101 102 if (!new) 103 return -ENOMEM; 104 105 aa_dup_task_ctx(new, task_ctx(current)); 106 task_ctx(task) = new; 107 108 return 0; 109 } 110 111 static int apparmor_ptrace_access_check(struct task_struct *child, 112 unsigned int mode) 113 { 114 struct aa_label *tracer, *tracee; 115 int error; 116 117 tracer = begin_current_label_crit_section(); 118 tracee = aa_get_task_label(child); 119 error = aa_may_ptrace(tracer, tracee, 120 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 121 aa_put_label(tracee); 122 end_current_label_crit_section(tracer); 123 124 return error; 125 } 126 127 static int apparmor_ptrace_traceme(struct task_struct *parent) 128 { 129 struct aa_label *tracer, *tracee; 130 int error; 131 132 tracee = begin_current_label_crit_section(); 133 tracer = aa_get_task_label(parent); 134 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 135 aa_put_label(tracer); 136 end_current_label_crit_section(tracee); 137 138 return error; 139 } 140 141 /* Derived from security/commoncap.c:cap_capget */ 142 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 143 kernel_cap_t *inheritable, kernel_cap_t *permitted) 144 { 145 struct aa_label *label; 146 const struct cred *cred; 147 148 rcu_read_lock(); 149 cred = __task_cred(target); 150 label = aa_get_newest_cred_label(cred); 151 152 /* 153 * cap_capget is stacked ahead of this and will 154 * initialize effective and permitted. 155 */ 156 if (!unconfined(label)) { 157 struct aa_profile *profile; 158 struct label_it i; 159 160 label_for_each_confined(i, label, profile) { 161 if (COMPLAIN_MODE(profile)) 162 continue; 163 *effective = cap_intersect(*effective, 164 profile->caps.allow); 165 *permitted = cap_intersect(*permitted, 166 profile->caps.allow); 167 } 168 } 169 rcu_read_unlock(); 170 aa_put_label(label); 171 172 return 0; 173 } 174 175 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 176 int cap, int audit) 177 { 178 struct aa_label *label; 179 int error = 0; 180 181 label = aa_get_newest_cred_label(cred); 182 if (!unconfined(label)) 183 error = aa_capable(label, cap, audit); 184 aa_put_label(label); 185 186 return error; 187 } 188 189 /** 190 * common_perm - basic common permission check wrapper fn for paths 191 * @op: operation being checked 192 * @path: path to check permission of (NOT NULL) 193 * @mask: requested permissions mask 194 * @cond: conditional info for the permission request (NOT NULL) 195 * 196 * Returns: %0 else error code if error or permission denied 197 */ 198 static int common_perm(const char *op, const struct path *path, u32 mask, 199 struct path_cond *cond) 200 { 201 struct aa_label *label; 202 int error = 0; 203 204 label = __begin_current_label_crit_section(); 205 if (!unconfined(label)) 206 error = aa_path_perm(op, label, path, 0, mask, cond); 207 __end_current_label_crit_section(label); 208 209 return error; 210 } 211 212 /** 213 * common_perm_cond - common permission wrapper around inode cond 214 * @op: operation being checked 215 * @path: location to check (NOT NULL) 216 * @mask: requested permissions mask 217 * 218 * Returns: %0 else error code if error or permission denied 219 */ 220 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 221 { 222 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 223 d_backing_inode(path->dentry)->i_mode 224 }; 225 226 if (!path_mediated_fs(path->dentry)) 227 return 0; 228 229 return common_perm(op, path, mask, &cond); 230 } 231 232 /** 233 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 234 * @op: operation being checked 235 * @dir: directory of the dentry (NOT NULL) 236 * @dentry: dentry to check (NOT NULL) 237 * @mask: requested permissions mask 238 * @cond: conditional info for the permission request (NOT NULL) 239 * 240 * Returns: %0 else error code if error or permission denied 241 */ 242 static int common_perm_dir_dentry(const char *op, const struct path *dir, 243 struct dentry *dentry, u32 mask, 244 struct path_cond *cond) 245 { 246 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 247 248 return common_perm(op, &path, mask, cond); 249 } 250 251 /** 252 * common_perm_rm - common permission wrapper for operations doing rm 253 * @op: operation being checked 254 * @dir: directory that the dentry is in (NOT NULL) 255 * @dentry: dentry being rm'd (NOT NULL) 256 * @mask: requested permission mask 257 * 258 * Returns: %0 else error code if error or permission denied 259 */ 260 static int common_perm_rm(const char *op, const struct path *dir, 261 struct dentry *dentry, u32 mask) 262 { 263 struct inode *inode = d_backing_inode(dentry); 264 struct path_cond cond = { }; 265 266 if (!inode || !path_mediated_fs(dentry)) 267 return 0; 268 269 cond.uid = inode->i_uid; 270 cond.mode = inode->i_mode; 271 272 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 273 } 274 275 /** 276 * common_perm_create - common permission wrapper for operations doing create 277 * @op: operation being checked 278 * @dir: directory that dentry will be created in (NOT NULL) 279 * @dentry: dentry to create (NOT NULL) 280 * @mask: request permission mask 281 * @mode: created file mode 282 * 283 * Returns: %0 else error code if error or permission denied 284 */ 285 static int common_perm_create(const char *op, const struct path *dir, 286 struct dentry *dentry, u32 mask, umode_t mode) 287 { 288 struct path_cond cond = { current_fsuid(), mode }; 289 290 if (!path_mediated_fs(dir->dentry)) 291 return 0; 292 293 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 294 } 295 296 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 297 { 298 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 299 } 300 301 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 302 umode_t mode) 303 { 304 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 305 S_IFDIR); 306 } 307 308 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 309 { 310 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 311 } 312 313 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 314 umode_t mode, unsigned int dev) 315 { 316 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 317 } 318 319 static int apparmor_path_truncate(const struct path *path) 320 { 321 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 322 } 323 324 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 325 const char *old_name) 326 { 327 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 328 S_IFLNK); 329 } 330 331 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 332 struct dentry *new_dentry) 333 { 334 struct aa_label *label; 335 int error = 0; 336 337 if (!path_mediated_fs(old_dentry)) 338 return 0; 339 340 label = begin_current_label_crit_section(); 341 if (!unconfined(label)) 342 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 343 end_current_label_crit_section(label); 344 345 return error; 346 } 347 348 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 349 const struct path *new_dir, struct dentry *new_dentry) 350 { 351 struct aa_label *label; 352 int error = 0; 353 354 if (!path_mediated_fs(old_dentry)) 355 return 0; 356 357 label = begin_current_label_crit_section(); 358 if (!unconfined(label)) { 359 struct path old_path = { .mnt = old_dir->mnt, 360 .dentry = old_dentry }; 361 struct path new_path = { .mnt = new_dir->mnt, 362 .dentry = new_dentry }; 363 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 364 d_backing_inode(old_dentry)->i_mode 365 }; 366 367 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 368 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 369 AA_MAY_SETATTR | AA_MAY_DELETE, 370 &cond); 371 if (!error) 372 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 373 0, MAY_WRITE | AA_MAY_SETATTR | 374 AA_MAY_CREATE, &cond); 375 376 } 377 end_current_label_crit_section(label); 378 379 return error; 380 } 381 382 static int apparmor_path_chmod(const struct path *path, umode_t mode) 383 { 384 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 385 } 386 387 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 388 { 389 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 390 } 391 392 static int apparmor_inode_getattr(const struct path *path) 393 { 394 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 395 } 396 397 static int apparmor_file_open(struct file *file, const struct cred *cred) 398 { 399 struct aa_file_ctx *fctx = file_ctx(file); 400 struct aa_label *label; 401 int error = 0; 402 403 if (!path_mediated_fs(file->f_path.dentry)) 404 return 0; 405 406 /* If in exec, permission is handled by bprm hooks. 407 * Cache permissions granted by the previous exec check, with 408 * implicit read and executable mmap which are required to 409 * actually execute the image. 410 */ 411 if (current->in_execve) { 412 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 413 return 0; 414 } 415 416 label = aa_get_newest_cred_label(cred); 417 if (!unconfined(label)) { 418 struct inode *inode = file_inode(file); 419 struct path_cond cond = { inode->i_uid, inode->i_mode }; 420 421 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 422 aa_map_file_to_perms(file), &cond); 423 /* todo cache full allowed permissions set and state */ 424 fctx->allow = aa_map_file_to_perms(file); 425 } 426 aa_put_label(label); 427 428 return error; 429 } 430 431 static int apparmor_file_alloc_security(struct file *file) 432 { 433 int error = 0; 434 435 /* freed by apparmor_file_free_security */ 436 struct aa_label *label = begin_current_label_crit_section(); 437 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 438 if (!file_ctx(file)) 439 error = -ENOMEM; 440 end_current_label_crit_section(label); 441 442 return error; 443 } 444 445 static void apparmor_file_free_security(struct file *file) 446 { 447 aa_free_file_ctx(file_ctx(file)); 448 } 449 450 static int common_file_perm(const char *op, struct file *file, u32 mask) 451 { 452 struct aa_label *label; 453 int error = 0; 454 455 /* don't reaudit files closed during inheritance */ 456 if (file->f_path.dentry == aa_null.dentry) 457 return -EACCES; 458 459 label = __begin_current_label_crit_section(); 460 error = aa_file_perm(op, label, file, mask); 461 __end_current_label_crit_section(label); 462 463 return error; 464 } 465 466 static int apparmor_file_receive(struct file *file) 467 { 468 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 469 } 470 471 static int apparmor_file_permission(struct file *file, int mask) 472 { 473 return common_file_perm(OP_FPERM, file, mask); 474 } 475 476 static int apparmor_file_lock(struct file *file, unsigned int cmd) 477 { 478 u32 mask = AA_MAY_LOCK; 479 480 if (cmd == F_WRLCK) 481 mask |= MAY_WRITE; 482 483 return common_file_perm(OP_FLOCK, file, mask); 484 } 485 486 static int common_mmap(const char *op, struct file *file, unsigned long prot, 487 unsigned long flags) 488 { 489 int mask = 0; 490 491 if (!file || !file_ctx(file)) 492 return 0; 493 494 if (prot & PROT_READ) 495 mask |= MAY_READ; 496 /* 497 * Private mappings don't require write perms since they don't 498 * write back to the files 499 */ 500 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 501 mask |= MAY_WRITE; 502 if (prot & PROT_EXEC) 503 mask |= AA_EXEC_MMAP; 504 505 return common_file_perm(op, file, mask); 506 } 507 508 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 509 unsigned long prot, unsigned long flags) 510 { 511 return common_mmap(OP_FMMAP, file, prot, flags); 512 } 513 514 static int apparmor_file_mprotect(struct vm_area_struct *vma, 515 unsigned long reqprot, unsigned long prot) 516 { 517 return common_mmap(OP_FMPROT, vma->vm_file, prot, 518 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 519 } 520 521 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 522 const char *type, unsigned long flags, void *data) 523 { 524 struct aa_label *label; 525 int error = 0; 526 527 /* Discard magic */ 528 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 529 flags &= ~MS_MGC_MSK; 530 531 flags &= ~AA_MS_IGNORE_MASK; 532 533 label = __begin_current_label_crit_section(); 534 if (!unconfined(label)) { 535 if (flags & MS_REMOUNT) 536 error = aa_remount(label, path, flags, data); 537 else if (flags & MS_BIND) 538 error = aa_bind_mount(label, path, dev_name, flags); 539 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 540 MS_UNBINDABLE)) 541 error = aa_mount_change_type(label, path, flags); 542 else if (flags & MS_MOVE) 543 error = aa_move_mount(label, path, dev_name); 544 else 545 error = aa_new_mount(label, dev_name, path, type, 546 flags, data); 547 } 548 __end_current_label_crit_section(label); 549 550 return error; 551 } 552 553 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 554 { 555 struct aa_label *label; 556 int error = 0; 557 558 label = __begin_current_label_crit_section(); 559 if (!unconfined(label)) 560 error = aa_umount(label, mnt, flags); 561 __end_current_label_crit_section(label); 562 563 return error; 564 } 565 566 static int apparmor_sb_pivotroot(const struct path *old_path, 567 const struct path *new_path) 568 { 569 struct aa_label *label; 570 int error = 0; 571 572 label = aa_get_current_label(); 573 if (!unconfined(label)) 574 error = aa_pivotroot(label, old_path, new_path); 575 aa_put_label(label); 576 577 return error; 578 } 579 580 static int apparmor_getprocattr(struct task_struct *task, char *name, 581 char **value) 582 { 583 int error = -ENOENT; 584 /* released below */ 585 const struct cred *cred = get_task_cred(task); 586 struct aa_task_ctx *ctx = task_ctx(current); 587 struct aa_label *label = NULL; 588 589 if (strcmp(name, "current") == 0) 590 label = aa_get_newest_label(cred_label(cred)); 591 else if (strcmp(name, "prev") == 0 && ctx->previous) 592 label = aa_get_newest_label(ctx->previous); 593 else if (strcmp(name, "exec") == 0 && ctx->onexec) 594 label = aa_get_newest_label(ctx->onexec); 595 else 596 error = -EINVAL; 597 598 if (label) 599 error = aa_getprocattr(label, value); 600 601 aa_put_label(label); 602 put_cred(cred); 603 604 return error; 605 } 606 607 static int apparmor_setprocattr(const char *name, void *value, 608 size_t size) 609 { 610 char *command, *largs = NULL, *args = value; 611 size_t arg_size; 612 int error; 613 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 614 615 if (size == 0) 616 return -EINVAL; 617 618 /* AppArmor requires that the buffer must be null terminated atm */ 619 if (args[size - 1] != '\0') { 620 /* null terminate */ 621 largs = args = kmalloc(size + 1, GFP_KERNEL); 622 if (!args) 623 return -ENOMEM; 624 memcpy(args, value, size); 625 args[size] = '\0'; 626 } 627 628 error = -EINVAL; 629 args = strim(args); 630 command = strsep(&args, " "); 631 if (!args) 632 goto out; 633 args = skip_spaces(args); 634 if (!*args) 635 goto out; 636 637 arg_size = size - (args - (largs ? largs : (char *) value)); 638 if (strcmp(name, "current") == 0) { 639 if (strcmp(command, "changehat") == 0) { 640 error = aa_setprocattr_changehat(args, arg_size, 641 AA_CHANGE_NOFLAGS); 642 } else if (strcmp(command, "permhat") == 0) { 643 error = aa_setprocattr_changehat(args, arg_size, 644 AA_CHANGE_TEST); 645 } else if (strcmp(command, "changeprofile") == 0) { 646 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 647 } else if (strcmp(command, "permprofile") == 0) { 648 error = aa_change_profile(args, AA_CHANGE_TEST); 649 } else if (strcmp(command, "stack") == 0) { 650 error = aa_change_profile(args, AA_CHANGE_STACK); 651 } else 652 goto fail; 653 } else if (strcmp(name, "exec") == 0) { 654 if (strcmp(command, "exec") == 0) 655 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 656 else if (strcmp(command, "stack") == 0) 657 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 658 AA_CHANGE_STACK)); 659 else 660 goto fail; 661 } else 662 /* only support the "current" and "exec" process attributes */ 663 goto fail; 664 665 if (!error) 666 error = size; 667 out: 668 kfree(largs); 669 return error; 670 671 fail: 672 aad(&sa)->label = begin_current_label_crit_section(); 673 aad(&sa)->info = name; 674 aad(&sa)->error = error = -EINVAL; 675 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 676 end_current_label_crit_section(aad(&sa)->label); 677 goto out; 678 } 679 680 /** 681 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 682 * @bprm: binprm for the exec (NOT NULL) 683 */ 684 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 685 { 686 struct aa_label *label = aa_current_raw_label(); 687 struct aa_label *new_label = cred_label(bprm->cred); 688 689 /* bail out if unconfined or not changing profile */ 690 if ((new_label->proxy == label->proxy) || 691 (unconfined(new_label))) 692 return; 693 694 aa_inherit_files(bprm->cred, current->files); 695 696 current->pdeath_signal = 0; 697 698 /* reset soft limits and set hard limits for the new label */ 699 __aa_transition_rlimits(label, new_label); 700 } 701 702 /** 703 * apparmor_bprm_committed_cred - do cleanup after new creds committed 704 * @bprm: binprm for the exec (NOT NULL) 705 */ 706 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 707 { 708 /* clear out temporary/transitional state from the context */ 709 aa_clear_task_ctx_trans(task_ctx(current)); 710 711 return; 712 } 713 714 static void apparmor_task_getsecid(struct task_struct *p, u32 *secid) 715 { 716 struct aa_label *label = aa_get_task_label(p); 717 *secid = label->secid; 718 aa_put_label(label); 719 } 720 721 static int apparmor_task_setrlimit(struct task_struct *task, 722 unsigned int resource, struct rlimit *new_rlim) 723 { 724 struct aa_label *label = __begin_current_label_crit_section(); 725 int error = 0; 726 727 if (!unconfined(label)) 728 error = aa_task_setrlimit(label, task, resource, new_rlim); 729 __end_current_label_crit_section(label); 730 731 return error; 732 } 733 734 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 735 int sig, const struct cred *cred) 736 { 737 struct aa_label *cl, *tl; 738 int error; 739 740 if (cred) { 741 /* 742 * Dealing with USB IO specific behavior 743 */ 744 cl = aa_get_newest_cred_label(cred); 745 tl = aa_get_task_label(target); 746 error = aa_may_signal(cl, tl, sig); 747 aa_put_label(cl); 748 aa_put_label(tl); 749 return error; 750 } 751 752 cl = __begin_current_label_crit_section(); 753 tl = aa_get_task_label(target); 754 error = aa_may_signal(cl, tl, sig); 755 aa_put_label(tl); 756 __end_current_label_crit_section(cl); 757 758 return error; 759 } 760 761 /** 762 * apparmor_sk_alloc_security - allocate and attach the sk_security field 763 */ 764 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 765 { 766 struct aa_sk_ctx *ctx; 767 768 ctx = kzalloc(sizeof(*ctx), flags); 769 if (!ctx) 770 return -ENOMEM; 771 772 SK_CTX(sk) = ctx; 773 774 return 0; 775 } 776 777 /** 778 * apparmor_sk_free_security - free the sk_security field 779 */ 780 static void apparmor_sk_free_security(struct sock *sk) 781 { 782 struct aa_sk_ctx *ctx = SK_CTX(sk); 783 784 SK_CTX(sk) = NULL; 785 aa_put_label(ctx->label); 786 aa_put_label(ctx->peer); 787 kfree(ctx); 788 } 789 790 /** 791 * apparmor_clone_security - clone the sk_security field 792 */ 793 static void apparmor_sk_clone_security(const struct sock *sk, 794 struct sock *newsk) 795 { 796 struct aa_sk_ctx *ctx = SK_CTX(sk); 797 struct aa_sk_ctx *new = SK_CTX(newsk); 798 799 new->label = aa_get_label(ctx->label); 800 new->peer = aa_get_label(ctx->peer); 801 } 802 803 /** 804 * apparmor_socket_create - check perms before creating a new socket 805 */ 806 static int apparmor_socket_create(int family, int type, int protocol, int kern) 807 { 808 struct aa_label *label; 809 int error = 0; 810 811 AA_BUG(in_interrupt()); 812 813 label = begin_current_label_crit_section(); 814 if (!(kern || unconfined(label))) 815 error = af_select(family, 816 create_perm(label, family, type, protocol), 817 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 818 family, type, protocol)); 819 end_current_label_crit_section(label); 820 821 return error; 822 } 823 824 /** 825 * apparmor_socket_post_create - setup the per-socket security struct 826 * 827 * Note: 828 * - kernel sockets currently labeled unconfined but we may want to 829 * move to a special kernel label 830 * - socket may not have sk here if created with sock_create_lite or 831 * sock_alloc. These should be accept cases which will be handled in 832 * sock_graft. 833 */ 834 static int apparmor_socket_post_create(struct socket *sock, int family, 835 int type, int protocol, int kern) 836 { 837 struct aa_label *label; 838 839 if (kern) { 840 struct aa_ns *ns = aa_get_current_ns(); 841 842 label = aa_get_label(ns_unconfined(ns)); 843 aa_put_ns(ns); 844 } else 845 label = aa_get_current_label(); 846 847 if (sock->sk) { 848 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 849 850 aa_put_label(ctx->label); 851 ctx->label = aa_get_label(label); 852 } 853 aa_put_label(label); 854 855 return 0; 856 } 857 858 /** 859 * apparmor_socket_bind - check perms before bind addr to socket 860 */ 861 static int apparmor_socket_bind(struct socket *sock, 862 struct sockaddr *address, int addrlen) 863 { 864 AA_BUG(!sock); 865 AA_BUG(!sock->sk); 866 AA_BUG(!address); 867 AA_BUG(in_interrupt()); 868 869 return af_select(sock->sk->sk_family, 870 bind_perm(sock, address, addrlen), 871 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 872 } 873 874 /** 875 * apparmor_socket_connect - check perms before connecting @sock to @address 876 */ 877 static int apparmor_socket_connect(struct socket *sock, 878 struct sockaddr *address, int addrlen) 879 { 880 AA_BUG(!sock); 881 AA_BUG(!sock->sk); 882 AA_BUG(!address); 883 AA_BUG(in_interrupt()); 884 885 return af_select(sock->sk->sk_family, 886 connect_perm(sock, address, addrlen), 887 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 888 } 889 890 /** 891 * apparmor_socket_list - check perms before allowing listen 892 */ 893 static int apparmor_socket_listen(struct socket *sock, int backlog) 894 { 895 AA_BUG(!sock); 896 AA_BUG(!sock->sk); 897 AA_BUG(in_interrupt()); 898 899 return af_select(sock->sk->sk_family, 900 listen_perm(sock, backlog), 901 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 902 } 903 904 /** 905 * apparmor_socket_accept - check perms before accepting a new connection. 906 * 907 * Note: while @newsock is created and has some information, the accept 908 * has not been done. 909 */ 910 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 911 { 912 AA_BUG(!sock); 913 AA_BUG(!sock->sk); 914 AA_BUG(!newsock); 915 AA_BUG(in_interrupt()); 916 917 return af_select(sock->sk->sk_family, 918 accept_perm(sock, newsock), 919 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 920 } 921 922 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 923 struct msghdr *msg, int size) 924 { 925 AA_BUG(!sock); 926 AA_BUG(!sock->sk); 927 AA_BUG(!msg); 928 AA_BUG(in_interrupt()); 929 930 return af_select(sock->sk->sk_family, 931 msg_perm(op, request, sock, msg, size), 932 aa_sk_perm(op, request, sock->sk)); 933 } 934 935 /** 936 * apparmor_socket_sendmsg - check perms before sending msg to another socket 937 */ 938 static int apparmor_socket_sendmsg(struct socket *sock, 939 struct msghdr *msg, int size) 940 { 941 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 942 } 943 944 /** 945 * apparmor_socket_recvmsg - check perms before receiving a message 946 */ 947 static int apparmor_socket_recvmsg(struct socket *sock, 948 struct msghdr *msg, int size, int flags) 949 { 950 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 951 } 952 953 /* revaliation, get/set attr, shutdown */ 954 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 955 { 956 AA_BUG(!sock); 957 AA_BUG(!sock->sk); 958 AA_BUG(in_interrupt()); 959 960 return af_select(sock->sk->sk_family, 961 sock_perm(op, request, sock), 962 aa_sk_perm(op, request, sock->sk)); 963 } 964 965 /** 966 * apparmor_socket_getsockname - check perms before getting the local address 967 */ 968 static int apparmor_socket_getsockname(struct socket *sock) 969 { 970 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 971 } 972 973 /** 974 * apparmor_socket_getpeername - check perms before getting remote address 975 */ 976 static int apparmor_socket_getpeername(struct socket *sock) 977 { 978 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 979 } 980 981 /* revaliation, get/set attr, opt */ 982 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 983 int level, int optname) 984 { 985 AA_BUG(!sock); 986 AA_BUG(!sock->sk); 987 AA_BUG(in_interrupt()); 988 989 return af_select(sock->sk->sk_family, 990 opt_perm(op, request, sock, level, optname), 991 aa_sk_perm(op, request, sock->sk)); 992 } 993 994 /** 995 * apparmor_getsockopt - check perms before getting socket options 996 */ 997 static int apparmor_socket_getsockopt(struct socket *sock, int level, 998 int optname) 999 { 1000 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1001 level, optname); 1002 } 1003 1004 /** 1005 * apparmor_setsockopt - check perms before setting socket options 1006 */ 1007 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1008 int optname) 1009 { 1010 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1011 level, optname); 1012 } 1013 1014 /** 1015 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1016 */ 1017 static int apparmor_socket_shutdown(struct socket *sock, int how) 1018 { 1019 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1020 } 1021 1022 /** 1023 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 1024 * 1025 * Note: can not sleep may be called with locks held 1026 * 1027 * dont want protocol specific in __skb_recv_datagram() 1028 * to deny an incoming connection socket_sock_rcv_skb() 1029 */ 1030 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1031 { 1032 return 0; 1033 } 1034 1035 1036 static struct aa_label *sk_peer_label(struct sock *sk) 1037 { 1038 struct aa_sk_ctx *ctx = SK_CTX(sk); 1039 1040 if (ctx->peer) 1041 return ctx->peer; 1042 1043 return ERR_PTR(-ENOPROTOOPT); 1044 } 1045 1046 /** 1047 * apparmor_socket_getpeersec_stream - get security context of peer 1048 * 1049 * Note: for tcp only valid if using ipsec or cipso on lan 1050 */ 1051 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1052 char __user *optval, 1053 int __user *optlen, 1054 unsigned int len) 1055 { 1056 char *name; 1057 int slen, error = 0; 1058 struct aa_label *label; 1059 struct aa_label *peer; 1060 1061 label = begin_current_label_crit_section(); 1062 peer = sk_peer_label(sock->sk); 1063 if (IS_ERR(peer)) { 1064 error = PTR_ERR(peer); 1065 goto done; 1066 } 1067 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1068 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1069 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1070 /* don't include terminating \0 in slen, it breaks some apps */ 1071 if (slen < 0) { 1072 error = -ENOMEM; 1073 } else { 1074 if (slen > len) { 1075 error = -ERANGE; 1076 } else if (copy_to_user(optval, name, slen)) { 1077 error = -EFAULT; 1078 goto out; 1079 } 1080 if (put_user(slen, optlen)) 1081 error = -EFAULT; 1082 out: 1083 kfree(name); 1084 1085 } 1086 1087 done: 1088 end_current_label_crit_section(label); 1089 1090 return error; 1091 } 1092 1093 /** 1094 * apparmor_socket_getpeersec_dgram - get security label of packet 1095 * @sock: the peer socket 1096 * @skb: packet data 1097 * @secid: pointer to where to put the secid of the packet 1098 * 1099 * Sets the netlabel socket state on sk from parent 1100 */ 1101 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1102 struct sk_buff *skb, u32 *secid) 1103 1104 { 1105 /* TODO: requires secid support */ 1106 return -ENOPROTOOPT; 1107 } 1108 1109 /** 1110 * apparmor_sock_graft - Initialize newly created socket 1111 * @sk: child sock 1112 * @parent: parent socket 1113 * 1114 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1115 * just set sk security information off of current creating process label 1116 * Labeling of sk for accept case - probably should be sock based 1117 * instead of task, because of the case where an implicitly labeled 1118 * socket is shared by different tasks. 1119 */ 1120 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1121 { 1122 struct aa_sk_ctx *ctx = SK_CTX(sk); 1123 1124 if (!ctx->label) 1125 ctx->label = aa_get_current_label(); 1126 } 1127 1128 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1129 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1130 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1131 LSM_HOOK_INIT(capget, apparmor_capget), 1132 LSM_HOOK_INIT(capable, apparmor_capable), 1133 1134 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1135 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1136 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1137 1138 LSM_HOOK_INIT(path_link, apparmor_path_link), 1139 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1140 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1141 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1142 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1143 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1144 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1145 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1146 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1147 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1148 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1149 1150 LSM_HOOK_INIT(file_open, apparmor_file_open), 1151 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1152 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1153 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1154 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1155 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1156 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1157 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1158 1159 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1160 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1161 1162 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1163 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1164 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1165 1166 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1167 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1168 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1169 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1170 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1171 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1172 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1173 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1174 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1175 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1176 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1177 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1178 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1179 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1180 LSM_HOOK_INIT(socket_getpeersec_stream, 1181 apparmor_socket_getpeersec_stream), 1182 LSM_HOOK_INIT(socket_getpeersec_dgram, 1183 apparmor_socket_getpeersec_dgram), 1184 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1185 1186 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1187 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1188 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1189 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1190 1191 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 1192 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1193 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1194 1195 LSM_HOOK_INIT(task_free, apparmor_task_free), 1196 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1197 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid), 1198 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1199 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1200 1201 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1202 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1203 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1204 }; 1205 1206 /* 1207 * AppArmor sysfs module parameters 1208 */ 1209 1210 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1211 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1212 #define param_check_aabool param_check_bool 1213 static const struct kernel_param_ops param_ops_aabool = { 1214 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1215 .set = param_set_aabool, 1216 .get = param_get_aabool 1217 }; 1218 1219 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1220 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1221 #define param_check_aauint param_check_uint 1222 static const struct kernel_param_ops param_ops_aauint = { 1223 .set = param_set_aauint, 1224 .get = param_get_aauint 1225 }; 1226 1227 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1228 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1229 #define param_check_aalockpolicy param_check_bool 1230 static const struct kernel_param_ops param_ops_aalockpolicy = { 1231 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1232 .set = param_set_aalockpolicy, 1233 .get = param_get_aalockpolicy 1234 }; 1235 1236 static int param_set_audit(const char *val, const struct kernel_param *kp); 1237 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1238 1239 static int param_set_mode(const char *val, const struct kernel_param *kp); 1240 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1241 1242 /* Flag values, also controllable via /sys/module/apparmor/parameters 1243 * We define special types as we want to do additional mediation. 1244 */ 1245 1246 /* AppArmor global enforcement switch - complain, enforce, kill */ 1247 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1248 module_param_call(mode, param_set_mode, param_get_mode, 1249 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1250 1251 /* whether policy verification hashing is enabled */ 1252 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1253 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1254 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1255 #endif 1256 1257 /* Debug mode */ 1258 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1259 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1260 1261 /* Audit mode */ 1262 enum audit_mode aa_g_audit; 1263 module_param_call(audit, param_set_audit, param_get_audit, 1264 &aa_g_audit, S_IRUSR | S_IWUSR); 1265 1266 /* Determines if audit header is included in audited messages. This 1267 * provides more context if the audit daemon is not running 1268 */ 1269 bool aa_g_audit_header = true; 1270 module_param_named(audit_header, aa_g_audit_header, aabool, 1271 S_IRUSR | S_IWUSR); 1272 1273 /* lock out loading/removal of policy 1274 * TODO: add in at boot loading of policy, which is the only way to 1275 * load policy, if lock_policy is set 1276 */ 1277 bool aa_g_lock_policy; 1278 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1279 S_IRUSR | S_IWUSR); 1280 1281 /* Syscall logging mode */ 1282 bool aa_g_logsyscall; 1283 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1284 1285 /* Maximum pathname length before accesses will start getting rejected */ 1286 unsigned int aa_g_path_max = 2 * PATH_MAX; 1287 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1288 1289 /* Determines how paranoid loading of policy is and how much verification 1290 * on the loaded policy is done. 1291 * DEPRECATED: read only as strict checking of load is always done now 1292 * that none root users (user namespaces) can load policy. 1293 */ 1294 bool aa_g_paranoid_load = true; 1295 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1296 1297 /* Boot time disable flag */ 1298 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 1299 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 1300 1301 static int __init apparmor_enabled_setup(char *str) 1302 { 1303 unsigned long enabled; 1304 int error = kstrtoul(str, 0, &enabled); 1305 if (!error) 1306 apparmor_enabled = enabled ? 1 : 0; 1307 return 1; 1308 } 1309 1310 __setup("apparmor=", apparmor_enabled_setup); 1311 1312 /* set global flag turning off the ability to load policy */ 1313 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1314 { 1315 if (!apparmor_enabled) 1316 return -EINVAL; 1317 if (apparmor_initialized && !policy_admin_capable(NULL)) 1318 return -EPERM; 1319 return param_set_bool(val, kp); 1320 } 1321 1322 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1323 { 1324 if (!apparmor_enabled) 1325 return -EINVAL; 1326 if (apparmor_initialized && !policy_view_capable(NULL)) 1327 return -EPERM; 1328 return param_get_bool(buffer, kp); 1329 } 1330 1331 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1332 { 1333 if (!apparmor_enabled) 1334 return -EINVAL; 1335 if (apparmor_initialized && !policy_admin_capable(NULL)) 1336 return -EPERM; 1337 return param_set_bool(val, kp); 1338 } 1339 1340 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1341 { 1342 if (!apparmor_enabled) 1343 return -EINVAL; 1344 if (apparmor_initialized && !policy_view_capable(NULL)) 1345 return -EPERM; 1346 return param_get_bool(buffer, kp); 1347 } 1348 1349 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1350 { 1351 int error; 1352 1353 if (!apparmor_enabled) 1354 return -EINVAL; 1355 /* file is ro but enforce 2nd line check */ 1356 if (apparmor_initialized) 1357 return -EPERM; 1358 1359 error = param_set_uint(val, kp); 1360 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1361 1362 return error; 1363 } 1364 1365 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1366 { 1367 if (!apparmor_enabled) 1368 return -EINVAL; 1369 if (apparmor_initialized && !policy_view_capable(NULL)) 1370 return -EPERM; 1371 return param_get_uint(buffer, kp); 1372 } 1373 1374 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1375 { 1376 if (!apparmor_enabled) 1377 return -EINVAL; 1378 if (apparmor_initialized && !policy_view_capable(NULL)) 1379 return -EPERM; 1380 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1381 } 1382 1383 static int param_set_audit(const char *val, const struct kernel_param *kp) 1384 { 1385 int i; 1386 1387 if (!apparmor_enabled) 1388 return -EINVAL; 1389 if (!val) 1390 return -EINVAL; 1391 if (apparmor_initialized && !policy_admin_capable(NULL)) 1392 return -EPERM; 1393 1394 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1395 if (i < 0) 1396 return -EINVAL; 1397 1398 aa_g_audit = i; 1399 return 0; 1400 } 1401 1402 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1403 { 1404 if (!apparmor_enabled) 1405 return -EINVAL; 1406 if (apparmor_initialized && !policy_view_capable(NULL)) 1407 return -EPERM; 1408 1409 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1410 } 1411 1412 static int param_set_mode(const char *val, const struct kernel_param *kp) 1413 { 1414 int i; 1415 1416 if (!apparmor_enabled) 1417 return -EINVAL; 1418 if (!val) 1419 return -EINVAL; 1420 if (apparmor_initialized && !policy_admin_capable(NULL)) 1421 return -EPERM; 1422 1423 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1424 val); 1425 if (i < 0) 1426 return -EINVAL; 1427 1428 aa_g_profile_mode = i; 1429 return 0; 1430 } 1431 1432 /* 1433 * AppArmor init functions 1434 */ 1435 1436 /** 1437 * set_init_ctx - set a task context and profile on the first task. 1438 * 1439 * TODO: allow setting an alternate profile than unconfined 1440 */ 1441 static int __init set_init_ctx(void) 1442 { 1443 struct cred *cred = (struct cred *)current->real_cred; 1444 struct aa_task_ctx *ctx; 1445 1446 ctx = aa_alloc_task_ctx(GFP_KERNEL); 1447 if (!ctx) 1448 return -ENOMEM; 1449 1450 cred_label(cred) = aa_get_label(ns_unconfined(root_ns)); 1451 task_ctx(current) = ctx; 1452 1453 return 0; 1454 } 1455 1456 static void destroy_buffers(void) 1457 { 1458 u32 i, j; 1459 1460 for_each_possible_cpu(i) { 1461 for_each_cpu_buffer(j) { 1462 kfree(per_cpu(aa_buffers, i).buf[j]); 1463 per_cpu(aa_buffers, i).buf[j] = NULL; 1464 } 1465 } 1466 } 1467 1468 static int __init alloc_buffers(void) 1469 { 1470 u32 i, j; 1471 1472 for_each_possible_cpu(i) { 1473 for_each_cpu_buffer(j) { 1474 char *buffer; 1475 1476 if (cpu_to_node(i) > num_online_nodes()) 1477 /* fallback to kmalloc for offline nodes */ 1478 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1479 else 1480 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1481 cpu_to_node(i)); 1482 if (!buffer) { 1483 destroy_buffers(); 1484 return -ENOMEM; 1485 } 1486 per_cpu(aa_buffers, i).buf[j] = buffer; 1487 } 1488 } 1489 1490 return 0; 1491 } 1492 1493 #ifdef CONFIG_SYSCTL 1494 static int apparmor_dointvec(struct ctl_table *table, int write, 1495 void __user *buffer, size_t *lenp, loff_t *ppos) 1496 { 1497 if (!policy_admin_capable(NULL)) 1498 return -EPERM; 1499 if (!apparmor_enabled) 1500 return -EINVAL; 1501 1502 return proc_dointvec(table, write, buffer, lenp, ppos); 1503 } 1504 1505 static struct ctl_path apparmor_sysctl_path[] = { 1506 { .procname = "kernel", }, 1507 { } 1508 }; 1509 1510 static struct ctl_table apparmor_sysctl_table[] = { 1511 { 1512 .procname = "unprivileged_userns_apparmor_policy", 1513 .data = &unprivileged_userns_apparmor_policy, 1514 .maxlen = sizeof(int), 1515 .mode = 0600, 1516 .proc_handler = apparmor_dointvec, 1517 }, 1518 { } 1519 }; 1520 1521 static int __init apparmor_init_sysctl(void) 1522 { 1523 return register_sysctl_paths(apparmor_sysctl_path, 1524 apparmor_sysctl_table) ? 0 : -ENOMEM; 1525 } 1526 #else 1527 static inline int apparmor_init_sysctl(void) 1528 { 1529 return 0; 1530 } 1531 #endif /* CONFIG_SYSCTL */ 1532 1533 static int __init apparmor_init(void) 1534 { 1535 int error; 1536 1537 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1538 aa_info_message("AppArmor disabled by boot time parameter"); 1539 apparmor_enabled = false; 1540 return 0; 1541 } 1542 1543 error = aa_setup_dfa_engine(); 1544 if (error) { 1545 AA_ERROR("Unable to setup dfa engine\n"); 1546 goto alloc_out; 1547 } 1548 1549 error = aa_alloc_root_ns(); 1550 if (error) { 1551 AA_ERROR("Unable to allocate default profile namespace\n"); 1552 goto alloc_out; 1553 } 1554 1555 error = apparmor_init_sysctl(); 1556 if (error) { 1557 AA_ERROR("Unable to register sysctls\n"); 1558 goto alloc_out; 1559 1560 } 1561 1562 error = alloc_buffers(); 1563 if (error) { 1564 AA_ERROR("Unable to allocate work buffers\n"); 1565 goto buffers_out; 1566 } 1567 1568 error = set_init_ctx(); 1569 if (error) { 1570 AA_ERROR("Failed to set context on init task\n"); 1571 aa_free_root_ns(); 1572 goto buffers_out; 1573 } 1574 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1575 "apparmor"); 1576 1577 /* Report that AppArmor successfully initialized */ 1578 apparmor_initialized = 1; 1579 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1580 aa_info_message("AppArmor initialized: complain mode enabled"); 1581 else if (aa_g_profile_mode == APPARMOR_KILL) 1582 aa_info_message("AppArmor initialized: kill mode enabled"); 1583 else 1584 aa_info_message("AppArmor initialized"); 1585 1586 return error; 1587 1588 buffers_out: 1589 destroy_buffers(); 1590 1591 alloc_out: 1592 aa_destroy_aafs(); 1593 aa_teardown_dfa_engine(); 1594 1595 apparmor_enabled = false; 1596 return error; 1597 } 1598 1599 security_initcall(apparmor_init); 1600