1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor LSM hooks. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/lsm_hooks.h> 12 #include <linux/moduleparam.h> 13 #include <linux/mm.h> 14 #include <linux/mman.h> 15 #include <linux/mount.h> 16 #include <linux/namei.h> 17 #include <linux/ptrace.h> 18 #include <linux/ctype.h> 19 #include <linux/sysctl.h> 20 #include <linux/audit.h> 21 #include <linux/user_namespace.h> 22 #include <linux/netfilter_ipv4.h> 23 #include <linux/netfilter_ipv6.h> 24 #include <linux/zstd.h> 25 #include <net/sock.h> 26 #include <uapi/linux/mount.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 union aa_buffer { 48 struct list_head list; 49 DECLARE_FLEX_ARRAY(char, buffer); 50 }; 51 52 #define RESERVE_COUNT 2 53 static int reserve_count = RESERVE_COUNT; 54 static int buffer_count; 55 56 static LIST_HEAD(aa_global_buffers); 57 static DEFINE_SPINLOCK(aa_buffers_lock); 58 59 /* 60 * LSM hook functions 61 */ 62 63 /* 64 * put the associated labels 65 */ 66 static void apparmor_cred_free(struct cred *cred) 67 { 68 aa_put_label(cred_label(cred)); 69 set_cred_label(cred, NULL); 70 } 71 72 /* 73 * allocate the apparmor part of blank credentials 74 */ 75 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 76 { 77 set_cred_label(cred, NULL); 78 return 0; 79 } 80 81 /* 82 * prepare new cred label for modification by prepare_cred block 83 */ 84 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 85 gfp_t gfp) 86 { 87 set_cred_label(new, aa_get_newest_label(cred_label(old))); 88 return 0; 89 } 90 91 /* 92 * transfer the apparmor data to a blank set of creds 93 */ 94 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 95 { 96 set_cred_label(new, aa_get_newest_label(cred_label(old))); 97 } 98 99 static void apparmor_task_free(struct task_struct *task) 100 { 101 102 aa_free_task_ctx(task_ctx(task)); 103 } 104 105 static int apparmor_task_alloc(struct task_struct *task, 106 unsigned long clone_flags) 107 { 108 struct aa_task_ctx *new = task_ctx(task); 109 110 aa_dup_task_ctx(new, task_ctx(current)); 111 112 return 0; 113 } 114 115 static int apparmor_ptrace_access_check(struct task_struct *child, 116 unsigned int mode) 117 { 118 struct aa_label *tracer, *tracee; 119 const struct cred *cred; 120 int error; 121 122 cred = get_task_cred(child); 123 tracee = cred_label(cred); /* ref count on cred */ 124 tracer = __begin_current_label_crit_section(); 125 error = aa_may_ptrace(current_cred(), tracer, cred, tracee, 126 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ 127 : AA_PTRACE_TRACE); 128 __end_current_label_crit_section(tracer); 129 put_cred(cred); 130 131 return error; 132 } 133 134 static int apparmor_ptrace_traceme(struct task_struct *parent) 135 { 136 struct aa_label *tracer, *tracee; 137 const struct cred *cred; 138 int error; 139 140 tracee = __begin_current_label_crit_section(); 141 cred = get_task_cred(parent); 142 tracer = cred_label(cred); /* ref count on cred */ 143 error = aa_may_ptrace(cred, tracer, current_cred(), tracee, 144 AA_PTRACE_TRACE); 145 put_cred(cred); 146 __end_current_label_crit_section(tracee); 147 148 return error; 149 } 150 151 /* Derived from security/commoncap.c:cap_capget */ 152 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 153 kernel_cap_t *inheritable, kernel_cap_t *permitted) 154 { 155 struct aa_label *label; 156 const struct cred *cred; 157 158 rcu_read_lock(); 159 cred = __task_cred(target); 160 label = aa_get_newest_cred_label(cred); 161 162 /* 163 * cap_capget is stacked ahead of this and will 164 * initialize effective and permitted. 165 */ 166 if (!unconfined(label)) { 167 struct aa_profile *profile; 168 struct label_it i; 169 170 label_for_each_confined(i, label, profile) { 171 struct aa_ruleset *rules; 172 if (COMPLAIN_MODE(profile)) 173 continue; 174 rules = list_first_entry(&profile->rules, 175 typeof(*rules), list); 176 *effective = cap_intersect(*effective, 177 rules->caps.allow); 178 *permitted = cap_intersect(*permitted, 179 rules->caps.allow); 180 } 181 } 182 rcu_read_unlock(); 183 aa_put_label(label); 184 185 return 0; 186 } 187 188 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 189 int cap, unsigned int opts) 190 { 191 struct aa_label *label; 192 int error = 0; 193 194 label = aa_get_newest_cred_label(cred); 195 if (!unconfined(label)) 196 error = aa_capable(cred, label, cap, opts); 197 aa_put_label(label); 198 199 return error; 200 } 201 202 /** 203 * common_perm - basic common permission check wrapper fn for paths 204 * @op: operation being checked 205 * @path: path to check permission of (NOT NULL) 206 * @mask: requested permissions mask 207 * @cond: conditional info for the permission request (NOT NULL) 208 * 209 * Returns: %0 else error code if error or permission denied 210 */ 211 static int common_perm(const char *op, const struct path *path, u32 mask, 212 struct path_cond *cond) 213 { 214 struct aa_label *label; 215 int error = 0; 216 217 label = __begin_current_label_crit_section(); 218 if (!unconfined(label)) 219 error = aa_path_perm(op, current_cred(), label, path, 0, mask, 220 cond); 221 __end_current_label_crit_section(label); 222 223 return error; 224 } 225 226 /** 227 * common_perm_cond - common permission wrapper around inode cond 228 * @op: operation being checked 229 * @path: location to check (NOT NULL) 230 * @mask: requested permissions mask 231 * 232 * Returns: %0 else error code if error or permission denied 233 */ 234 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 235 { 236 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), 237 d_backing_inode(path->dentry)); 238 struct path_cond cond = { 239 vfsuid_into_kuid(vfsuid), 240 d_backing_inode(path->dentry)->i_mode 241 }; 242 243 if (!path_mediated_fs(path->dentry)) 244 return 0; 245 246 return common_perm(op, path, mask, &cond); 247 } 248 249 /** 250 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 251 * @op: operation being checked 252 * @dir: directory of the dentry (NOT NULL) 253 * @dentry: dentry to check (NOT NULL) 254 * @mask: requested permissions mask 255 * @cond: conditional info for the permission request (NOT NULL) 256 * 257 * Returns: %0 else error code if error or permission denied 258 */ 259 static int common_perm_dir_dentry(const char *op, const struct path *dir, 260 struct dentry *dentry, u32 mask, 261 struct path_cond *cond) 262 { 263 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 264 265 return common_perm(op, &path, mask, cond); 266 } 267 268 /** 269 * common_perm_rm - common permission wrapper for operations doing rm 270 * @op: operation being checked 271 * @dir: directory that the dentry is in (NOT NULL) 272 * @dentry: dentry being rm'd (NOT NULL) 273 * @mask: requested permission mask 274 * 275 * Returns: %0 else error code if error or permission denied 276 */ 277 static int common_perm_rm(const char *op, const struct path *dir, 278 struct dentry *dentry, u32 mask) 279 { 280 struct inode *inode = d_backing_inode(dentry); 281 struct path_cond cond = { }; 282 vfsuid_t vfsuid; 283 284 if (!inode || !path_mediated_fs(dentry)) 285 return 0; 286 287 vfsuid = i_uid_into_vfsuid(mnt_idmap(dir->mnt), inode); 288 cond.uid = vfsuid_into_kuid(vfsuid); 289 cond.mode = inode->i_mode; 290 291 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 292 } 293 294 /** 295 * common_perm_create - common permission wrapper for operations doing create 296 * @op: operation being checked 297 * @dir: directory that dentry will be created in (NOT NULL) 298 * @dentry: dentry to create (NOT NULL) 299 * @mask: request permission mask 300 * @mode: created file mode 301 * 302 * Returns: %0 else error code if error or permission denied 303 */ 304 static int common_perm_create(const char *op, const struct path *dir, 305 struct dentry *dentry, u32 mask, umode_t mode) 306 { 307 struct path_cond cond = { current_fsuid(), mode }; 308 309 if (!path_mediated_fs(dir->dentry)) 310 return 0; 311 312 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 313 } 314 315 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 316 { 317 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 318 } 319 320 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 321 umode_t mode) 322 { 323 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 324 S_IFDIR); 325 } 326 327 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 328 { 329 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 330 } 331 332 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 333 umode_t mode, unsigned int dev) 334 { 335 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 336 } 337 338 static int apparmor_path_truncate(const struct path *path) 339 { 340 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 341 } 342 343 static int apparmor_file_truncate(struct file *file) 344 { 345 return apparmor_path_truncate(&file->f_path); 346 } 347 348 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 349 const char *old_name) 350 { 351 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 352 S_IFLNK); 353 } 354 355 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 356 struct dentry *new_dentry) 357 { 358 struct aa_label *label; 359 int error = 0; 360 361 if (!path_mediated_fs(old_dentry)) 362 return 0; 363 364 label = begin_current_label_crit_section(); 365 if (!unconfined(label)) 366 error = aa_path_link(current_cred(), label, old_dentry, new_dir, 367 new_dentry); 368 end_current_label_crit_section(label); 369 370 return error; 371 } 372 373 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 374 const struct path *new_dir, struct dentry *new_dentry, 375 const unsigned int flags) 376 { 377 struct aa_label *label; 378 int error = 0; 379 380 if (!path_mediated_fs(old_dentry)) 381 return 0; 382 if ((flags & RENAME_EXCHANGE) && !path_mediated_fs(new_dentry)) 383 return 0; 384 385 label = begin_current_label_crit_section(); 386 if (!unconfined(label)) { 387 struct mnt_idmap *idmap = mnt_idmap(old_dir->mnt); 388 vfsuid_t vfsuid; 389 struct path old_path = { .mnt = old_dir->mnt, 390 .dentry = old_dentry }; 391 struct path new_path = { .mnt = new_dir->mnt, 392 .dentry = new_dentry }; 393 struct path_cond cond = { 394 .mode = d_backing_inode(old_dentry)->i_mode 395 }; 396 vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); 397 cond.uid = vfsuid_into_kuid(vfsuid); 398 399 if (flags & RENAME_EXCHANGE) { 400 struct path_cond cond_exchange = { 401 .mode = d_backing_inode(new_dentry)->i_mode, 402 }; 403 vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); 404 cond_exchange.uid = vfsuid_into_kuid(vfsuid); 405 406 error = aa_path_perm(OP_RENAME_SRC, current_cred(), 407 label, &new_path, 0, 408 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 409 AA_MAY_SETATTR | AA_MAY_DELETE, 410 &cond_exchange); 411 if (!error) 412 error = aa_path_perm(OP_RENAME_DEST, current_cred(), 413 label, &old_path, 414 0, MAY_WRITE | AA_MAY_SETATTR | 415 AA_MAY_CREATE, &cond_exchange); 416 } 417 418 if (!error) 419 error = aa_path_perm(OP_RENAME_SRC, current_cred(), 420 label, &old_path, 0, 421 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 422 AA_MAY_SETATTR | AA_MAY_DELETE, 423 &cond); 424 if (!error) 425 error = aa_path_perm(OP_RENAME_DEST, current_cred(), 426 label, &new_path, 427 0, MAY_WRITE | AA_MAY_SETATTR | 428 AA_MAY_CREATE, &cond); 429 430 } 431 end_current_label_crit_section(label); 432 433 return error; 434 } 435 436 static int apparmor_path_chmod(const struct path *path, umode_t mode) 437 { 438 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 439 } 440 441 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 442 { 443 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 444 } 445 446 static int apparmor_inode_getattr(const struct path *path) 447 { 448 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 449 } 450 451 static int apparmor_file_open(struct file *file) 452 { 453 struct aa_file_ctx *fctx = file_ctx(file); 454 struct aa_label *label; 455 int error = 0; 456 457 if (!path_mediated_fs(file->f_path.dentry)) 458 return 0; 459 460 /* If in exec, permission is handled by bprm hooks. 461 * Cache permissions granted by the previous exec check, with 462 * implicit read and executable mmap which are required to 463 * actually execute the image. 464 */ 465 if (current->in_execve) { 466 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 467 return 0; 468 } 469 470 label = aa_get_newest_cred_label(file->f_cred); 471 if (!unconfined(label)) { 472 struct mnt_idmap *idmap = file_mnt_idmap(file); 473 struct inode *inode = file_inode(file); 474 vfsuid_t vfsuid; 475 struct path_cond cond = { 476 .mode = inode->i_mode, 477 }; 478 vfsuid = i_uid_into_vfsuid(idmap, inode); 479 cond.uid = vfsuid_into_kuid(vfsuid); 480 481 error = aa_path_perm(OP_OPEN, file->f_cred, 482 label, &file->f_path, 0, 483 aa_map_file_to_perms(file), &cond); 484 /* todo cache full allowed permissions set and state */ 485 fctx->allow = aa_map_file_to_perms(file); 486 } 487 aa_put_label(label); 488 489 return error; 490 } 491 492 static int apparmor_file_alloc_security(struct file *file) 493 { 494 struct aa_file_ctx *ctx = file_ctx(file); 495 struct aa_label *label = begin_current_label_crit_section(); 496 497 spin_lock_init(&ctx->lock); 498 rcu_assign_pointer(ctx->label, aa_get_label(label)); 499 end_current_label_crit_section(label); 500 return 0; 501 } 502 503 static void apparmor_file_free_security(struct file *file) 504 { 505 struct aa_file_ctx *ctx = file_ctx(file); 506 507 if (ctx) 508 aa_put_label(rcu_access_pointer(ctx->label)); 509 } 510 511 static int common_file_perm(const char *op, struct file *file, u32 mask, 512 bool in_atomic) 513 { 514 struct aa_label *label; 515 int error = 0; 516 517 /* don't reaudit files closed during inheritance */ 518 if (file->f_path.dentry == aa_null.dentry) 519 return -EACCES; 520 521 label = __begin_current_label_crit_section(); 522 error = aa_file_perm(op, current_cred(), label, file, mask, in_atomic); 523 __end_current_label_crit_section(label); 524 525 return error; 526 } 527 528 static int apparmor_file_receive(struct file *file) 529 { 530 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file), 531 false); 532 } 533 534 static int apparmor_file_permission(struct file *file, int mask) 535 { 536 return common_file_perm(OP_FPERM, file, mask, false); 537 } 538 539 static int apparmor_file_lock(struct file *file, unsigned int cmd) 540 { 541 u32 mask = AA_MAY_LOCK; 542 543 if (cmd == F_WRLCK) 544 mask |= MAY_WRITE; 545 546 return common_file_perm(OP_FLOCK, file, mask, false); 547 } 548 549 static int common_mmap(const char *op, struct file *file, unsigned long prot, 550 unsigned long flags, bool in_atomic) 551 { 552 int mask = 0; 553 554 if (!file || !file_ctx(file)) 555 return 0; 556 557 if (prot & PROT_READ) 558 mask |= MAY_READ; 559 /* 560 * Private mappings don't require write perms since they don't 561 * write back to the files 562 */ 563 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 564 mask |= MAY_WRITE; 565 if (prot & PROT_EXEC) 566 mask |= AA_EXEC_MMAP; 567 568 return common_file_perm(op, file, mask, in_atomic); 569 } 570 571 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 572 unsigned long prot, unsigned long flags) 573 { 574 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC); 575 } 576 577 static int apparmor_file_mprotect(struct vm_area_struct *vma, 578 unsigned long reqprot, unsigned long prot) 579 { 580 return common_mmap(OP_FMPROT, vma->vm_file, prot, 581 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, 582 false); 583 } 584 585 #ifdef CONFIG_IO_URING 586 static const char *audit_uring_mask(u32 mask) 587 { 588 if (mask & AA_MAY_CREATE_SQPOLL) 589 return "sqpoll"; 590 if (mask & AA_MAY_OVERRIDE_CRED) 591 return "override_creds"; 592 return ""; 593 } 594 595 static void audit_uring_cb(struct audit_buffer *ab, void *va) 596 { 597 struct apparmor_audit_data *ad = aad_of_va(va); 598 599 if (ad->request & AA_URING_PERM_MASK) { 600 audit_log_format(ab, " requested=\"%s\"", 601 audit_uring_mask(ad->request)); 602 if (ad->denied & AA_URING_PERM_MASK) { 603 audit_log_format(ab, " denied=\"%s\"", 604 audit_uring_mask(ad->denied)); 605 } 606 } 607 if (ad->uring.target) { 608 audit_log_format(ab, " tcontext="); 609 aa_label_xaudit(ab, labels_ns(ad->subj_label), 610 ad->uring.target, 611 FLAGS_NONE, GFP_ATOMIC); 612 } 613 } 614 615 static int profile_uring(struct aa_profile *profile, u32 request, 616 struct aa_label *new, int cap, 617 struct apparmor_audit_data *ad) 618 { 619 unsigned int state; 620 struct aa_ruleset *rules; 621 int error = 0; 622 623 AA_BUG(!profile); 624 625 rules = list_first_entry(&profile->rules, typeof(*rules), list); 626 state = RULE_MEDIATES(rules, AA_CLASS_IO_URING); 627 if (state) { 628 struct aa_perms perms = { }; 629 630 if (new) { 631 aa_label_match(profile, rules, new, state, 632 false, request, &perms); 633 } else { 634 perms = *aa_lookup_perms(rules->policy, state); 635 } 636 aa_apply_modes_to_perms(profile, &perms); 637 error = aa_check_perms(profile, &perms, request, ad, 638 audit_uring_cb); 639 } 640 641 return error; 642 } 643 644 /** 645 * apparmor_uring_override_creds - check the requested cred override 646 * @new: the target creds 647 * 648 * Check to see if the current task is allowed to override it's credentials 649 * to service an io_uring operation. 650 */ 651 int apparmor_uring_override_creds(const struct cred *new) 652 { 653 struct aa_profile *profile; 654 struct aa_label *label; 655 int error; 656 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_IO_URING, 657 OP_URING_OVERRIDE); 658 659 ad.uring.target = cred_label(new); 660 label = __begin_current_label_crit_section(); 661 error = fn_for_each(label, profile, 662 profile_uring(profile, AA_MAY_OVERRIDE_CRED, 663 cred_label(new), CAP_SYS_ADMIN, &ad)); 664 __end_current_label_crit_section(label); 665 666 return error; 667 } 668 669 /** 670 * apparmor_uring_sqpoll - check if a io_uring polling thread can be created 671 * 672 * Check to see if the current task is allowed to create a new io_uring 673 * kernel polling thread. 674 */ 675 int apparmor_uring_sqpoll(void) 676 { 677 struct aa_profile *profile; 678 struct aa_label *label; 679 int error; 680 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_IO_URING, 681 OP_URING_SQPOLL); 682 683 label = __begin_current_label_crit_section(); 684 error = fn_for_each(label, profile, 685 profile_uring(profile, AA_MAY_CREATE_SQPOLL, 686 NULL, CAP_SYS_ADMIN, &ad)); 687 __end_current_label_crit_section(label); 688 689 return error; 690 } 691 #endif /* CONFIG_IO_URING */ 692 693 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 694 const char *type, unsigned long flags, void *data) 695 { 696 struct aa_label *label; 697 int error = 0; 698 699 /* Discard magic */ 700 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 701 flags &= ~MS_MGC_MSK; 702 703 flags &= ~AA_MS_IGNORE_MASK; 704 705 label = __begin_current_label_crit_section(); 706 if (!unconfined(label)) { 707 if (flags & MS_REMOUNT) 708 error = aa_remount(current_cred(), label, path, flags, 709 data); 710 else if (flags & MS_BIND) 711 error = aa_bind_mount(current_cred(), label, path, 712 dev_name, flags); 713 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 714 MS_UNBINDABLE)) 715 error = aa_mount_change_type(current_cred(), label, 716 path, flags); 717 else if (flags & MS_MOVE) 718 error = aa_move_mount(current_cred(), label, path, 719 dev_name); 720 else 721 error = aa_new_mount(current_cred(), label, dev_name, 722 path, type, flags, data); 723 } 724 __end_current_label_crit_section(label); 725 726 return error; 727 } 728 729 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 730 { 731 struct aa_label *label; 732 int error = 0; 733 734 label = __begin_current_label_crit_section(); 735 if (!unconfined(label)) 736 error = aa_umount(current_cred(), label, mnt, flags); 737 __end_current_label_crit_section(label); 738 739 return error; 740 } 741 742 static int apparmor_sb_pivotroot(const struct path *old_path, 743 const struct path *new_path) 744 { 745 struct aa_label *label; 746 int error = 0; 747 748 label = aa_get_current_label(); 749 if (!unconfined(label)) 750 error = aa_pivotroot(current_cred(), label, old_path, new_path); 751 aa_put_label(label); 752 753 return error; 754 } 755 756 static int apparmor_getprocattr(struct task_struct *task, const char *name, 757 char **value) 758 { 759 int error = -ENOENT; 760 /* released below */ 761 const struct cred *cred = get_task_cred(task); 762 struct aa_task_ctx *ctx = task_ctx(current); 763 struct aa_label *label = NULL; 764 765 if (strcmp(name, "current") == 0) 766 label = aa_get_newest_label(cred_label(cred)); 767 else if (strcmp(name, "prev") == 0 && ctx->previous) 768 label = aa_get_newest_label(ctx->previous); 769 else if (strcmp(name, "exec") == 0 && ctx->onexec) 770 label = aa_get_newest_label(ctx->onexec); 771 else 772 error = -EINVAL; 773 774 if (label) 775 error = aa_getprocattr(label, value); 776 777 aa_put_label(label); 778 put_cred(cred); 779 780 return error; 781 } 782 783 static int apparmor_setprocattr(const char *name, void *value, 784 size_t size) 785 { 786 char *command, *largs = NULL, *args = value; 787 size_t arg_size; 788 int error; 789 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, 790 OP_SETPROCATTR); 791 792 if (size == 0) 793 return -EINVAL; 794 795 /* AppArmor requires that the buffer must be null terminated atm */ 796 if (args[size - 1] != '\0') { 797 /* null terminate */ 798 largs = args = kmalloc(size + 1, GFP_KERNEL); 799 if (!args) 800 return -ENOMEM; 801 memcpy(args, value, size); 802 args[size] = '\0'; 803 } 804 805 error = -EINVAL; 806 args = strim(args); 807 command = strsep(&args, " "); 808 if (!args) 809 goto out; 810 args = skip_spaces(args); 811 if (!*args) 812 goto out; 813 814 arg_size = size - (args - (largs ? largs : (char *) value)); 815 if (strcmp(name, "current") == 0) { 816 if (strcmp(command, "changehat") == 0) { 817 error = aa_setprocattr_changehat(args, arg_size, 818 AA_CHANGE_NOFLAGS); 819 } else if (strcmp(command, "permhat") == 0) { 820 error = aa_setprocattr_changehat(args, arg_size, 821 AA_CHANGE_TEST); 822 } else if (strcmp(command, "changeprofile") == 0) { 823 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 824 } else if (strcmp(command, "permprofile") == 0) { 825 error = aa_change_profile(args, AA_CHANGE_TEST); 826 } else if (strcmp(command, "stack") == 0) { 827 error = aa_change_profile(args, AA_CHANGE_STACK); 828 } else 829 goto fail; 830 } else if (strcmp(name, "exec") == 0) { 831 if (strcmp(command, "exec") == 0) 832 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 833 else if (strcmp(command, "stack") == 0) 834 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 835 AA_CHANGE_STACK)); 836 else 837 goto fail; 838 } else 839 /* only support the "current" and "exec" process attributes */ 840 goto fail; 841 842 if (!error) 843 error = size; 844 out: 845 kfree(largs); 846 return error; 847 848 fail: 849 ad.subj_label = begin_current_label_crit_section(); 850 ad.info = name; 851 ad.error = error = -EINVAL; 852 aa_audit_msg(AUDIT_APPARMOR_DENIED, &ad, NULL); 853 end_current_label_crit_section(ad.subj_label); 854 goto out; 855 } 856 857 /** 858 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 859 * @bprm: binprm for the exec (NOT NULL) 860 */ 861 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 862 { 863 struct aa_label *label = aa_current_raw_label(); 864 struct aa_label *new_label = cred_label(bprm->cred); 865 866 /* bail out if unconfined or not changing profile */ 867 if ((new_label->proxy == label->proxy) || 868 (unconfined(new_label))) 869 return; 870 871 aa_inherit_files(bprm->cred, current->files); 872 873 current->pdeath_signal = 0; 874 875 /* reset soft limits and set hard limits for the new label */ 876 __aa_transition_rlimits(label, new_label); 877 } 878 879 /** 880 * apparmor_bprm_committed_creds() - do cleanup after new creds committed 881 * @bprm: binprm for the exec (NOT NULL) 882 */ 883 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 884 { 885 /* clear out temporary/transitional state from the context */ 886 aa_clear_task_ctx_trans(task_ctx(current)); 887 888 return; 889 } 890 891 static void apparmor_current_getsecid_subj(u32 *secid) 892 { 893 struct aa_label *label = __begin_current_label_crit_section(); 894 *secid = label->secid; 895 __end_current_label_crit_section(label); 896 } 897 898 static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) 899 { 900 struct aa_label *label = aa_get_task_label(p); 901 *secid = label->secid; 902 aa_put_label(label); 903 } 904 905 static int apparmor_task_setrlimit(struct task_struct *task, 906 unsigned int resource, struct rlimit *new_rlim) 907 { 908 struct aa_label *label = __begin_current_label_crit_section(); 909 int error = 0; 910 911 if (!unconfined(label)) 912 error = aa_task_setrlimit(current_cred(), label, task, 913 resource, new_rlim); 914 __end_current_label_crit_section(label); 915 916 return error; 917 } 918 919 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info, 920 int sig, const struct cred *cred) 921 { 922 const struct cred *tc; 923 struct aa_label *cl, *tl; 924 int error; 925 926 tc = get_task_cred(target); 927 tl = aa_get_newest_cred_label(tc); 928 if (cred) { 929 /* 930 * Dealing with USB IO specific behavior 931 */ 932 cl = aa_get_newest_cred_label(cred); 933 error = aa_may_signal(cred, cl, tc, tl, sig); 934 aa_put_label(cl); 935 return error; 936 } else { 937 cl = __begin_current_label_crit_section(); 938 error = aa_may_signal(current_cred(), cl, tc, tl, sig); 939 __end_current_label_crit_section(cl); 940 } 941 aa_put_label(tl); 942 put_cred(tc); 943 944 return error; 945 } 946 947 static int apparmor_userns_create(const struct cred *cred) 948 { 949 struct aa_label *label; 950 struct aa_profile *profile; 951 int error = 0; 952 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_NS, 953 OP_USERNS_CREATE); 954 955 ad.subj_cred = current_cred(); 956 957 label = begin_current_label_crit_section(); 958 if (!unconfined(label)) { 959 error = fn_for_each(label, profile, 960 aa_profile_ns_perm(profile, &ad, 961 AA_USERNS_CREATE)); 962 } 963 end_current_label_crit_section(label); 964 965 return error; 966 } 967 968 /** 969 * apparmor_sk_alloc_security - allocate and attach the sk_security field 970 */ 971 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 972 { 973 struct aa_sk_ctx *ctx; 974 975 ctx = kzalloc(sizeof(*ctx), flags); 976 if (!ctx) 977 return -ENOMEM; 978 979 sk->sk_security = ctx; 980 981 return 0; 982 } 983 984 /** 985 * apparmor_sk_free_security - free the sk_security field 986 */ 987 static void apparmor_sk_free_security(struct sock *sk) 988 { 989 struct aa_sk_ctx *ctx = aa_sock(sk); 990 991 sk->sk_security = NULL; 992 aa_put_label(ctx->label); 993 aa_put_label(ctx->peer); 994 kfree(ctx); 995 } 996 997 /** 998 * apparmor_sk_clone_security - clone the sk_security field 999 */ 1000 static void apparmor_sk_clone_security(const struct sock *sk, 1001 struct sock *newsk) 1002 { 1003 struct aa_sk_ctx *ctx = aa_sock(sk); 1004 struct aa_sk_ctx *new = aa_sock(newsk); 1005 1006 if (new->label) 1007 aa_put_label(new->label); 1008 new->label = aa_get_label(ctx->label); 1009 1010 if (new->peer) 1011 aa_put_label(new->peer); 1012 new->peer = aa_get_label(ctx->peer); 1013 } 1014 1015 /** 1016 * apparmor_socket_create - check perms before creating a new socket 1017 */ 1018 static int apparmor_socket_create(int family, int type, int protocol, int kern) 1019 { 1020 struct aa_label *label; 1021 int error = 0; 1022 1023 AA_BUG(in_interrupt()); 1024 1025 label = begin_current_label_crit_section(); 1026 if (!(kern || unconfined(label))) 1027 error = af_select(family, 1028 create_perm(label, family, type, protocol), 1029 aa_af_perm(current_cred(), label, 1030 OP_CREATE, AA_MAY_CREATE, 1031 family, type, protocol)); 1032 end_current_label_crit_section(label); 1033 1034 return error; 1035 } 1036 1037 /** 1038 * apparmor_socket_post_create - setup the per-socket security struct 1039 * 1040 * Note: 1041 * - kernel sockets currently labeled unconfined but we may want to 1042 * move to a special kernel label 1043 * - socket may not have sk here if created with sock_create_lite or 1044 * sock_alloc. These should be accept cases which will be handled in 1045 * sock_graft. 1046 */ 1047 static int apparmor_socket_post_create(struct socket *sock, int family, 1048 int type, int protocol, int kern) 1049 { 1050 struct aa_label *label; 1051 1052 if (kern) { 1053 label = aa_get_label(kernel_t); 1054 } else 1055 label = aa_get_current_label(); 1056 1057 if (sock->sk) { 1058 struct aa_sk_ctx *ctx = aa_sock(sock->sk); 1059 1060 aa_put_label(ctx->label); 1061 ctx->label = aa_get_label(label); 1062 } 1063 aa_put_label(label); 1064 1065 return 0; 1066 } 1067 1068 /** 1069 * apparmor_socket_bind - check perms before bind addr to socket 1070 */ 1071 static int apparmor_socket_bind(struct socket *sock, 1072 struct sockaddr *address, int addrlen) 1073 { 1074 AA_BUG(!sock); 1075 AA_BUG(!sock->sk); 1076 AA_BUG(!address); 1077 AA_BUG(in_interrupt()); 1078 1079 return af_select(sock->sk->sk_family, 1080 bind_perm(sock, address, addrlen), 1081 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 1082 } 1083 1084 /** 1085 * apparmor_socket_connect - check perms before connecting @sock to @address 1086 */ 1087 static int apparmor_socket_connect(struct socket *sock, 1088 struct sockaddr *address, int addrlen) 1089 { 1090 AA_BUG(!sock); 1091 AA_BUG(!sock->sk); 1092 AA_BUG(!address); 1093 AA_BUG(in_interrupt()); 1094 1095 return af_select(sock->sk->sk_family, 1096 connect_perm(sock, address, addrlen), 1097 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 1098 } 1099 1100 /** 1101 * apparmor_socket_listen - check perms before allowing listen 1102 */ 1103 static int apparmor_socket_listen(struct socket *sock, int backlog) 1104 { 1105 AA_BUG(!sock); 1106 AA_BUG(!sock->sk); 1107 AA_BUG(in_interrupt()); 1108 1109 return af_select(sock->sk->sk_family, 1110 listen_perm(sock, backlog), 1111 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 1112 } 1113 1114 /** 1115 * apparmor_socket_accept - check perms before accepting a new connection. 1116 * 1117 * Note: while @newsock is created and has some information, the accept 1118 * has not been done. 1119 */ 1120 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 1121 { 1122 AA_BUG(!sock); 1123 AA_BUG(!sock->sk); 1124 AA_BUG(!newsock); 1125 AA_BUG(in_interrupt()); 1126 1127 return af_select(sock->sk->sk_family, 1128 accept_perm(sock, newsock), 1129 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 1130 } 1131 1132 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 1133 struct msghdr *msg, int size) 1134 { 1135 AA_BUG(!sock); 1136 AA_BUG(!sock->sk); 1137 AA_BUG(!msg); 1138 AA_BUG(in_interrupt()); 1139 1140 return af_select(sock->sk->sk_family, 1141 msg_perm(op, request, sock, msg, size), 1142 aa_sk_perm(op, request, sock->sk)); 1143 } 1144 1145 /** 1146 * apparmor_socket_sendmsg - check perms before sending msg to another socket 1147 */ 1148 static int apparmor_socket_sendmsg(struct socket *sock, 1149 struct msghdr *msg, int size) 1150 { 1151 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 1152 } 1153 1154 /** 1155 * apparmor_socket_recvmsg - check perms before receiving a message 1156 */ 1157 static int apparmor_socket_recvmsg(struct socket *sock, 1158 struct msghdr *msg, int size, int flags) 1159 { 1160 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 1161 } 1162 1163 /* revaliation, get/set attr, shutdown */ 1164 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 1165 { 1166 AA_BUG(!sock); 1167 AA_BUG(!sock->sk); 1168 AA_BUG(in_interrupt()); 1169 1170 return af_select(sock->sk->sk_family, 1171 sock_perm(op, request, sock), 1172 aa_sk_perm(op, request, sock->sk)); 1173 } 1174 1175 /** 1176 * apparmor_socket_getsockname - check perms before getting the local address 1177 */ 1178 static int apparmor_socket_getsockname(struct socket *sock) 1179 { 1180 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 1181 } 1182 1183 /** 1184 * apparmor_socket_getpeername - check perms before getting remote address 1185 */ 1186 static int apparmor_socket_getpeername(struct socket *sock) 1187 { 1188 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 1189 } 1190 1191 /* revaliation, get/set attr, opt */ 1192 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 1193 int level, int optname) 1194 { 1195 AA_BUG(!sock); 1196 AA_BUG(!sock->sk); 1197 AA_BUG(in_interrupt()); 1198 1199 return af_select(sock->sk->sk_family, 1200 opt_perm(op, request, sock, level, optname), 1201 aa_sk_perm(op, request, sock->sk)); 1202 } 1203 1204 /** 1205 * apparmor_socket_getsockopt - check perms before getting socket options 1206 */ 1207 static int apparmor_socket_getsockopt(struct socket *sock, int level, 1208 int optname) 1209 { 1210 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1211 level, optname); 1212 } 1213 1214 /** 1215 * apparmor_socket_setsockopt - check perms before setting socket options 1216 */ 1217 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1218 int optname) 1219 { 1220 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1221 level, optname); 1222 } 1223 1224 /** 1225 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1226 */ 1227 static int apparmor_socket_shutdown(struct socket *sock, int how) 1228 { 1229 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1230 } 1231 1232 #ifdef CONFIG_NETWORK_SECMARK 1233 /** 1234 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk 1235 * 1236 * Note: can not sleep may be called with locks held 1237 * 1238 * dont want protocol specific in __skb_recv_datagram() 1239 * to deny an incoming connection socket_sock_rcv_skb() 1240 */ 1241 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1242 { 1243 struct aa_sk_ctx *ctx = aa_sock(sk); 1244 1245 if (!skb->secmark) 1246 return 0; 1247 1248 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, 1249 skb->secmark, sk); 1250 } 1251 #endif 1252 1253 1254 static struct aa_label *sk_peer_label(struct sock *sk) 1255 { 1256 struct aa_sk_ctx *ctx = aa_sock(sk); 1257 1258 if (ctx->peer) 1259 return ctx->peer; 1260 1261 return ERR_PTR(-ENOPROTOOPT); 1262 } 1263 1264 /** 1265 * apparmor_socket_getpeersec_stream - get security context of peer 1266 * 1267 * Note: for tcp only valid if using ipsec or cipso on lan 1268 */ 1269 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1270 sockptr_t optval, sockptr_t optlen, 1271 unsigned int len) 1272 { 1273 char *name = NULL; 1274 int slen, error = 0; 1275 struct aa_label *label; 1276 struct aa_label *peer; 1277 1278 label = begin_current_label_crit_section(); 1279 peer = sk_peer_label(sock->sk); 1280 if (IS_ERR(peer)) { 1281 error = PTR_ERR(peer); 1282 goto done; 1283 } 1284 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1285 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1286 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1287 /* don't include terminating \0 in slen, it breaks some apps */ 1288 if (slen < 0) { 1289 error = -ENOMEM; 1290 goto done; 1291 } 1292 if (slen > len) { 1293 error = -ERANGE; 1294 goto done_len; 1295 } 1296 1297 if (copy_to_sockptr(optval, name, slen)) 1298 error = -EFAULT; 1299 done_len: 1300 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 1301 error = -EFAULT; 1302 done: 1303 end_current_label_crit_section(label); 1304 kfree(name); 1305 return error; 1306 } 1307 1308 /** 1309 * apparmor_socket_getpeersec_dgram - get security label of packet 1310 * @sock: the peer socket 1311 * @skb: packet data 1312 * @secid: pointer to where to put the secid of the packet 1313 * 1314 * Sets the netlabel socket state on sk from parent 1315 */ 1316 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1317 struct sk_buff *skb, u32 *secid) 1318 1319 { 1320 /* TODO: requires secid support */ 1321 return -ENOPROTOOPT; 1322 } 1323 1324 /** 1325 * apparmor_sock_graft - Initialize newly created socket 1326 * @sk: child sock 1327 * @parent: parent socket 1328 * 1329 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1330 * just set sk security information off of current creating process label 1331 * Labeling of sk for accept case - probably should be sock based 1332 * instead of task, because of the case where an implicitly labeled 1333 * socket is shared by different tasks. 1334 */ 1335 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1336 { 1337 struct aa_sk_ctx *ctx = aa_sock(sk); 1338 1339 if (!ctx->label) 1340 ctx->label = aa_get_current_label(); 1341 } 1342 1343 #ifdef CONFIG_NETWORK_SECMARK 1344 static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 1345 struct request_sock *req) 1346 { 1347 struct aa_sk_ctx *ctx = aa_sock(sk); 1348 1349 if (!skb->secmark) 1350 return 0; 1351 1352 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, 1353 skb->secmark, sk); 1354 } 1355 #endif 1356 1357 /* 1358 * The cred blob is a pointer to, not an instance of, an aa_label. 1359 */ 1360 struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { 1361 .lbs_cred = sizeof(struct aa_label *), 1362 .lbs_file = sizeof(struct aa_file_ctx), 1363 .lbs_task = sizeof(struct aa_task_ctx), 1364 }; 1365 1366 static struct security_hook_list apparmor_hooks[] __ro_after_init = { 1367 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1368 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1369 LSM_HOOK_INIT(capget, apparmor_capget), 1370 LSM_HOOK_INIT(capable, apparmor_capable), 1371 1372 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1373 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1374 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1375 1376 LSM_HOOK_INIT(path_link, apparmor_path_link), 1377 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1378 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1379 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1380 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1381 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1382 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1383 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1384 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1385 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1386 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1387 1388 LSM_HOOK_INIT(file_open, apparmor_file_open), 1389 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1390 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1391 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1392 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1393 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1394 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1395 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1396 LSM_HOOK_INIT(file_truncate, apparmor_file_truncate), 1397 1398 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1399 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1400 1401 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1402 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1403 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1404 1405 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1406 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1407 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1408 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1409 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1410 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1411 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1412 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1413 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1414 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1415 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1416 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1417 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1418 #ifdef CONFIG_NETWORK_SECMARK 1419 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1420 #endif 1421 LSM_HOOK_INIT(socket_getpeersec_stream, 1422 apparmor_socket_getpeersec_stream), 1423 LSM_HOOK_INIT(socket_getpeersec_dgram, 1424 apparmor_socket_getpeersec_dgram), 1425 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1426 #ifdef CONFIG_NETWORK_SECMARK 1427 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), 1428 #endif 1429 1430 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1431 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1432 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1433 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1434 1435 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec), 1436 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1437 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1438 1439 LSM_HOOK_INIT(task_free, apparmor_task_free), 1440 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1441 LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), 1442 LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), 1443 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1444 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1445 LSM_HOOK_INIT(userns_create, apparmor_userns_create), 1446 1447 #ifdef CONFIG_AUDIT 1448 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init), 1449 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known), 1450 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match), 1451 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free), 1452 #endif 1453 1454 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1455 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1456 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1457 1458 #ifdef CONFIG_IO_URING 1459 LSM_HOOK_INIT(uring_override_creds, apparmor_uring_override_creds), 1460 LSM_HOOK_INIT(uring_sqpoll, apparmor_uring_sqpoll), 1461 #endif 1462 }; 1463 1464 /* 1465 * AppArmor sysfs module parameters 1466 */ 1467 1468 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1469 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1470 #define param_check_aabool param_check_bool 1471 static const struct kernel_param_ops param_ops_aabool = { 1472 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1473 .set = param_set_aabool, 1474 .get = param_get_aabool 1475 }; 1476 1477 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1478 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1479 #define param_check_aauint param_check_uint 1480 static const struct kernel_param_ops param_ops_aauint = { 1481 .set = param_set_aauint, 1482 .get = param_get_aauint 1483 }; 1484 1485 static int param_set_aacompressionlevel(const char *val, 1486 const struct kernel_param *kp); 1487 static int param_get_aacompressionlevel(char *buffer, 1488 const struct kernel_param *kp); 1489 #define param_check_aacompressionlevel param_check_int 1490 static const struct kernel_param_ops param_ops_aacompressionlevel = { 1491 .set = param_set_aacompressionlevel, 1492 .get = param_get_aacompressionlevel 1493 }; 1494 1495 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1496 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1497 #define param_check_aalockpolicy param_check_bool 1498 static const struct kernel_param_ops param_ops_aalockpolicy = { 1499 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1500 .set = param_set_aalockpolicy, 1501 .get = param_get_aalockpolicy 1502 }; 1503 1504 static int param_set_audit(const char *val, const struct kernel_param *kp); 1505 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1506 1507 static int param_set_mode(const char *val, const struct kernel_param *kp); 1508 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1509 1510 /* Flag values, also controllable via /sys/module/apparmor/parameters 1511 * We define special types as we want to do additional mediation. 1512 */ 1513 1514 /* AppArmor global enforcement switch - complain, enforce, kill */ 1515 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1516 module_param_call(mode, param_set_mode, param_get_mode, 1517 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1518 1519 /* whether policy verification hashing is enabled */ 1520 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1521 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1522 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1523 #endif 1524 1525 /* whether policy exactly as loaded is retained for debug and checkpointing */ 1526 bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY); 1527 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1528 module_param_named(export_binary, aa_g_export_binary, aabool, 0600); 1529 #endif 1530 1531 /* policy loaddata compression level */ 1532 int aa_g_rawdata_compression_level = AA_DEFAULT_CLEVEL; 1533 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level, 1534 aacompressionlevel, 0400); 1535 1536 /* Debug mode */ 1537 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1538 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1539 1540 /* Audit mode */ 1541 enum audit_mode aa_g_audit; 1542 module_param_call(audit, param_set_audit, param_get_audit, 1543 &aa_g_audit, S_IRUSR | S_IWUSR); 1544 1545 /* Determines if audit header is included in audited messages. This 1546 * provides more context if the audit daemon is not running 1547 */ 1548 bool aa_g_audit_header = true; 1549 module_param_named(audit_header, aa_g_audit_header, aabool, 1550 S_IRUSR | S_IWUSR); 1551 1552 /* lock out loading/removal of policy 1553 * TODO: add in at boot loading of policy, which is the only way to 1554 * load policy, if lock_policy is set 1555 */ 1556 bool aa_g_lock_policy; 1557 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1558 S_IRUSR | S_IWUSR); 1559 1560 /* Syscall logging mode */ 1561 bool aa_g_logsyscall; 1562 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1563 1564 /* Maximum pathname length before accesses will start getting rejected */ 1565 unsigned int aa_g_path_max = 2 * PATH_MAX; 1566 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1567 1568 /* Determines how paranoid loading of policy is and how much verification 1569 * on the loaded policy is done. 1570 * DEPRECATED: read only as strict checking of load is always done now 1571 * that none root users (user namespaces) can load policy. 1572 */ 1573 bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD); 1574 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1575 1576 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); 1577 static int param_set_aaintbool(const char *val, const struct kernel_param *kp); 1578 #define param_check_aaintbool param_check_int 1579 static const struct kernel_param_ops param_ops_aaintbool = { 1580 .set = param_set_aaintbool, 1581 .get = param_get_aaintbool 1582 }; 1583 /* Boot time disable flag */ 1584 static int apparmor_enabled __ro_after_init = 1; 1585 module_param_named(enabled, apparmor_enabled, aaintbool, 0444); 1586 1587 static int __init apparmor_enabled_setup(char *str) 1588 { 1589 unsigned long enabled; 1590 int error = kstrtoul(str, 0, &enabled); 1591 if (!error) 1592 apparmor_enabled = enabled ? 1 : 0; 1593 return 1; 1594 } 1595 1596 __setup("apparmor=", apparmor_enabled_setup); 1597 1598 /* set global flag turning off the ability to load policy */ 1599 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1600 { 1601 if (!apparmor_enabled) 1602 return -EINVAL; 1603 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1604 return -EPERM; 1605 return param_set_bool(val, kp); 1606 } 1607 1608 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1609 { 1610 if (!apparmor_enabled) 1611 return -EINVAL; 1612 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1613 return -EPERM; 1614 return param_get_bool(buffer, kp); 1615 } 1616 1617 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1618 { 1619 if (!apparmor_enabled) 1620 return -EINVAL; 1621 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1622 return -EPERM; 1623 return param_set_bool(val, kp); 1624 } 1625 1626 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1627 { 1628 if (!apparmor_enabled) 1629 return -EINVAL; 1630 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1631 return -EPERM; 1632 return param_get_bool(buffer, kp); 1633 } 1634 1635 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1636 { 1637 int error; 1638 1639 if (!apparmor_enabled) 1640 return -EINVAL; 1641 /* file is ro but enforce 2nd line check */ 1642 if (apparmor_initialized) 1643 return -EPERM; 1644 1645 error = param_set_uint(val, kp); 1646 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer)); 1647 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1648 1649 return error; 1650 } 1651 1652 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1653 { 1654 if (!apparmor_enabled) 1655 return -EINVAL; 1656 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1657 return -EPERM; 1658 return param_get_uint(buffer, kp); 1659 } 1660 1661 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */ 1662 static int param_set_aaintbool(const char *val, const struct kernel_param *kp) 1663 { 1664 struct kernel_param kp_local; 1665 bool value; 1666 int error; 1667 1668 if (apparmor_initialized) 1669 return -EPERM; 1670 1671 /* Create local copy, with arg pointing to bool type. */ 1672 value = !!*((int *)kp->arg); 1673 memcpy(&kp_local, kp, sizeof(kp_local)); 1674 kp_local.arg = &value; 1675 1676 error = param_set_bool(val, &kp_local); 1677 if (!error) 1678 *((int *)kp->arg) = *((bool *)kp_local.arg); 1679 return error; 1680 } 1681 1682 /* 1683 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to 1684 * 1/0, this converts the "int that is actually bool" back to bool for 1685 * display in the /sys filesystem, while keeping it "int" for the LSM 1686 * infrastructure. 1687 */ 1688 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp) 1689 { 1690 struct kernel_param kp_local; 1691 bool value; 1692 1693 /* Create local copy, with arg pointing to bool type. */ 1694 value = !!*((int *)kp->arg); 1695 memcpy(&kp_local, kp, sizeof(kp_local)); 1696 kp_local.arg = &value; 1697 1698 return param_get_bool(buffer, &kp_local); 1699 } 1700 1701 static int param_set_aacompressionlevel(const char *val, 1702 const struct kernel_param *kp) 1703 { 1704 int error; 1705 1706 if (!apparmor_enabled) 1707 return -EINVAL; 1708 if (apparmor_initialized) 1709 return -EPERM; 1710 1711 error = param_set_int(val, kp); 1712 1713 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level, 1714 AA_MIN_CLEVEL, AA_MAX_CLEVEL); 1715 pr_info("AppArmor: policy rawdata compression level set to %d\n", 1716 aa_g_rawdata_compression_level); 1717 1718 return error; 1719 } 1720 1721 static int param_get_aacompressionlevel(char *buffer, 1722 const struct kernel_param *kp) 1723 { 1724 if (!apparmor_enabled) 1725 return -EINVAL; 1726 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1727 return -EPERM; 1728 return param_get_int(buffer, kp); 1729 } 1730 1731 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1732 { 1733 if (!apparmor_enabled) 1734 return -EINVAL; 1735 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1736 return -EPERM; 1737 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1738 } 1739 1740 static int param_set_audit(const char *val, const struct kernel_param *kp) 1741 { 1742 int i; 1743 1744 if (!apparmor_enabled) 1745 return -EINVAL; 1746 if (!val) 1747 return -EINVAL; 1748 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1749 return -EPERM; 1750 1751 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1752 if (i < 0) 1753 return -EINVAL; 1754 1755 aa_g_audit = i; 1756 return 0; 1757 } 1758 1759 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1760 { 1761 if (!apparmor_enabled) 1762 return -EINVAL; 1763 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1764 return -EPERM; 1765 1766 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1767 } 1768 1769 static int param_set_mode(const char *val, const struct kernel_param *kp) 1770 { 1771 int i; 1772 1773 if (!apparmor_enabled) 1774 return -EINVAL; 1775 if (!val) 1776 return -EINVAL; 1777 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1778 return -EPERM; 1779 1780 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1781 val); 1782 if (i < 0) 1783 return -EINVAL; 1784 1785 aa_g_profile_mode = i; 1786 return 0; 1787 } 1788 1789 char *aa_get_buffer(bool in_atomic) 1790 { 1791 union aa_buffer *aa_buf; 1792 bool try_again = true; 1793 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1794 1795 retry: 1796 spin_lock(&aa_buffers_lock); 1797 if (buffer_count > reserve_count || 1798 (in_atomic && !list_empty(&aa_global_buffers))) { 1799 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1800 list); 1801 list_del(&aa_buf->list); 1802 buffer_count--; 1803 spin_unlock(&aa_buffers_lock); 1804 return aa_buf->buffer; 1805 } 1806 if (in_atomic) { 1807 /* 1808 * out of reserve buffers and in atomic context so increase 1809 * how many buffers to keep in reserve 1810 */ 1811 reserve_count++; 1812 flags = GFP_ATOMIC; 1813 } 1814 spin_unlock(&aa_buffers_lock); 1815 1816 if (!in_atomic) 1817 might_sleep(); 1818 aa_buf = kmalloc(aa_g_path_max, flags); 1819 if (!aa_buf) { 1820 if (try_again) { 1821 try_again = false; 1822 goto retry; 1823 } 1824 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n"); 1825 return NULL; 1826 } 1827 return aa_buf->buffer; 1828 } 1829 1830 void aa_put_buffer(char *buf) 1831 { 1832 union aa_buffer *aa_buf; 1833 1834 if (!buf) 1835 return; 1836 aa_buf = container_of(buf, union aa_buffer, buffer[0]); 1837 1838 spin_lock(&aa_buffers_lock); 1839 list_add(&aa_buf->list, &aa_global_buffers); 1840 buffer_count++; 1841 spin_unlock(&aa_buffers_lock); 1842 } 1843 1844 /* 1845 * AppArmor init functions 1846 */ 1847 1848 /** 1849 * set_init_ctx - set a task context and profile on the first task. 1850 * 1851 * TODO: allow setting an alternate profile than unconfined 1852 */ 1853 static int __init set_init_ctx(void) 1854 { 1855 struct cred *cred = (__force struct cred *)current->real_cred; 1856 1857 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); 1858 1859 return 0; 1860 } 1861 1862 static void destroy_buffers(void) 1863 { 1864 union aa_buffer *aa_buf; 1865 1866 spin_lock(&aa_buffers_lock); 1867 while (!list_empty(&aa_global_buffers)) { 1868 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1869 list); 1870 list_del(&aa_buf->list); 1871 spin_unlock(&aa_buffers_lock); 1872 kfree(aa_buf); 1873 spin_lock(&aa_buffers_lock); 1874 } 1875 spin_unlock(&aa_buffers_lock); 1876 } 1877 1878 static int __init alloc_buffers(void) 1879 { 1880 union aa_buffer *aa_buf; 1881 int i, num; 1882 1883 /* 1884 * A function may require two buffers at once. Usually the buffers are 1885 * used for a short period of time and are shared. On UP kernel buffers 1886 * two should be enough, with more CPUs it is possible that more 1887 * buffers will be used simultaneously. The preallocated pool may grow. 1888 * This preallocation has also the side-effect that AppArmor will be 1889 * disabled early at boot if aa_g_path_max is extremly high. 1890 */ 1891 if (num_online_cpus() > 1) 1892 num = 4 + RESERVE_COUNT; 1893 else 1894 num = 2 + RESERVE_COUNT; 1895 1896 for (i = 0; i < num; i++) { 1897 1898 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL | 1899 __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1900 if (!aa_buf) { 1901 destroy_buffers(); 1902 return -ENOMEM; 1903 } 1904 aa_put_buffer(aa_buf->buffer); 1905 } 1906 return 0; 1907 } 1908 1909 #ifdef CONFIG_SYSCTL 1910 static int apparmor_dointvec(struct ctl_table *table, int write, 1911 void *buffer, size_t *lenp, loff_t *ppos) 1912 { 1913 if (!aa_current_policy_admin_capable(NULL)) 1914 return -EPERM; 1915 if (!apparmor_enabled) 1916 return -EINVAL; 1917 1918 return proc_dointvec(table, write, buffer, lenp, ppos); 1919 } 1920 1921 static struct ctl_table apparmor_sysctl_table[] = { 1922 #ifdef CONFIG_USER_NS 1923 { 1924 .procname = "unprivileged_userns_apparmor_policy", 1925 .data = &unprivileged_userns_apparmor_policy, 1926 .maxlen = sizeof(int), 1927 .mode = 0600, 1928 .proc_handler = apparmor_dointvec, 1929 }, 1930 #endif /* CONFIG_USER_NS */ 1931 { 1932 .procname = "apparmor_display_secid_mode", 1933 .data = &apparmor_display_secid_mode, 1934 .maxlen = sizeof(int), 1935 .mode = 0600, 1936 .proc_handler = apparmor_dointvec, 1937 }, 1938 { 1939 .procname = "apparmor_restrict_unprivileged_unconfined", 1940 .data = &aa_unprivileged_unconfined_restricted, 1941 .maxlen = sizeof(int), 1942 .mode = 0600, 1943 .proc_handler = apparmor_dointvec, 1944 }, 1945 { } 1946 }; 1947 1948 static int __init apparmor_init_sysctl(void) 1949 { 1950 return register_sysctl("kernel", apparmor_sysctl_table) ? 0 : -ENOMEM; 1951 } 1952 #else 1953 static inline int apparmor_init_sysctl(void) 1954 { 1955 return 0; 1956 } 1957 #endif /* CONFIG_SYSCTL */ 1958 1959 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK) 1960 static unsigned int apparmor_ip_postroute(void *priv, 1961 struct sk_buff *skb, 1962 const struct nf_hook_state *state) 1963 { 1964 struct aa_sk_ctx *ctx; 1965 struct sock *sk; 1966 1967 if (!skb->secmark) 1968 return NF_ACCEPT; 1969 1970 sk = skb_to_full_sk(skb); 1971 if (sk == NULL) 1972 return NF_ACCEPT; 1973 1974 ctx = aa_sock(sk); 1975 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, 1976 skb->secmark, sk)) 1977 return NF_ACCEPT; 1978 1979 return NF_DROP_ERR(-ECONNREFUSED); 1980 1981 } 1982 1983 static const struct nf_hook_ops apparmor_nf_ops[] = { 1984 { 1985 .hook = apparmor_ip_postroute, 1986 .pf = NFPROTO_IPV4, 1987 .hooknum = NF_INET_POST_ROUTING, 1988 .priority = NF_IP_PRI_SELINUX_FIRST, 1989 }, 1990 #if IS_ENABLED(CONFIG_IPV6) 1991 { 1992 .hook = apparmor_ip_postroute, 1993 .pf = NFPROTO_IPV6, 1994 .hooknum = NF_INET_POST_ROUTING, 1995 .priority = NF_IP6_PRI_SELINUX_FIRST, 1996 }, 1997 #endif 1998 }; 1999 2000 static int __net_init apparmor_nf_register(struct net *net) 2001 { 2002 return nf_register_net_hooks(net, apparmor_nf_ops, 2003 ARRAY_SIZE(apparmor_nf_ops)); 2004 } 2005 2006 static void __net_exit apparmor_nf_unregister(struct net *net) 2007 { 2008 nf_unregister_net_hooks(net, apparmor_nf_ops, 2009 ARRAY_SIZE(apparmor_nf_ops)); 2010 } 2011 2012 static struct pernet_operations apparmor_net_ops = { 2013 .init = apparmor_nf_register, 2014 .exit = apparmor_nf_unregister, 2015 }; 2016 2017 static int __init apparmor_nf_ip_init(void) 2018 { 2019 int err; 2020 2021 if (!apparmor_enabled) 2022 return 0; 2023 2024 err = register_pernet_subsys(&apparmor_net_ops); 2025 if (err) 2026 panic("Apparmor: register_pernet_subsys: error %d\n", err); 2027 2028 return 0; 2029 } 2030 __initcall(apparmor_nf_ip_init); 2031 #endif 2032 2033 static char nulldfa_src[] = { 2034 #include "nulldfa.in" 2035 }; 2036 struct aa_dfa *nulldfa; 2037 2038 static char stacksplitdfa_src[] = { 2039 #include "stacksplitdfa.in" 2040 }; 2041 struct aa_dfa *stacksplitdfa; 2042 struct aa_policydb *nullpdb; 2043 2044 static int __init aa_setup_dfa_engine(void) 2045 { 2046 int error = -ENOMEM; 2047 2048 nullpdb = aa_alloc_pdb(GFP_KERNEL); 2049 if (!nullpdb) 2050 return -ENOMEM; 2051 2052 nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src), 2053 TO_ACCEPT1_FLAG(YYTD_DATA32) | 2054 TO_ACCEPT2_FLAG(YYTD_DATA32)); 2055 if (IS_ERR(nulldfa)) { 2056 error = PTR_ERR(nulldfa); 2057 goto fail; 2058 } 2059 nullpdb->dfa = aa_get_dfa(nulldfa); 2060 nullpdb->perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL); 2061 if (!nullpdb->perms) 2062 goto fail; 2063 nullpdb->size = 2; 2064 2065 stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src, 2066 sizeof(stacksplitdfa_src), 2067 TO_ACCEPT1_FLAG(YYTD_DATA32) | 2068 TO_ACCEPT2_FLAG(YYTD_DATA32)); 2069 if (IS_ERR(stacksplitdfa)) { 2070 error = PTR_ERR(stacksplitdfa); 2071 goto fail; 2072 } 2073 2074 return 0; 2075 2076 fail: 2077 aa_put_pdb(nullpdb); 2078 aa_put_dfa(nulldfa); 2079 nullpdb = NULL; 2080 nulldfa = NULL; 2081 stacksplitdfa = NULL; 2082 2083 return error; 2084 } 2085 2086 static void __init aa_teardown_dfa_engine(void) 2087 { 2088 aa_put_dfa(stacksplitdfa); 2089 aa_put_dfa(nulldfa); 2090 aa_put_pdb(nullpdb); 2091 nullpdb = NULL; 2092 stacksplitdfa = NULL; 2093 nulldfa = NULL; 2094 } 2095 2096 static int __init apparmor_init(void) 2097 { 2098 int error; 2099 2100 error = aa_setup_dfa_engine(); 2101 if (error) { 2102 AA_ERROR("Unable to setup dfa engine\n"); 2103 goto alloc_out; 2104 } 2105 2106 error = aa_alloc_root_ns(); 2107 if (error) { 2108 AA_ERROR("Unable to allocate default profile namespace\n"); 2109 goto alloc_out; 2110 } 2111 2112 error = apparmor_init_sysctl(); 2113 if (error) { 2114 AA_ERROR("Unable to register sysctls\n"); 2115 goto alloc_out; 2116 2117 } 2118 2119 error = alloc_buffers(); 2120 if (error) { 2121 AA_ERROR("Unable to allocate work buffers\n"); 2122 goto alloc_out; 2123 } 2124 2125 error = set_init_ctx(); 2126 if (error) { 2127 AA_ERROR("Failed to set context on init task\n"); 2128 aa_free_root_ns(); 2129 goto buffers_out; 2130 } 2131 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 2132 "apparmor"); 2133 2134 /* Report that AppArmor successfully initialized */ 2135 apparmor_initialized = 1; 2136 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 2137 aa_info_message("AppArmor initialized: complain mode enabled"); 2138 else if (aa_g_profile_mode == APPARMOR_KILL) 2139 aa_info_message("AppArmor initialized: kill mode enabled"); 2140 else 2141 aa_info_message("AppArmor initialized"); 2142 2143 return error; 2144 2145 buffers_out: 2146 destroy_buffers(); 2147 alloc_out: 2148 aa_destroy_aafs(); 2149 aa_teardown_dfa_engine(); 2150 2151 apparmor_enabled = false; 2152 return error; 2153 } 2154 2155 DEFINE_LSM(apparmor) = { 2156 .name = "apparmor", 2157 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 2158 .enabled = &apparmor_enabled, 2159 .blobs = &apparmor_blob_sizes, 2160 .init = apparmor_init, 2161 }; 2162