1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor mediation of files 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2017 Canonical Ltd. 9 */ 10 11 #include <linux/fs.h> 12 #include <linux/mount.h> 13 #include <linux/namei.h> 14 #include <uapi/linux/mount.h> 15 16 #include "include/apparmor.h" 17 #include "include/audit.h" 18 #include "include/cred.h" 19 #include "include/domain.h" 20 #include "include/file.h" 21 #include "include/match.h" 22 #include "include/mount.h" 23 #include "include/path.h" 24 #include "include/policy.h" 25 26 27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 28 { 29 if (flags & MS_RDONLY) 30 audit_log_format(ab, "ro"); 31 else 32 audit_log_format(ab, "rw"); 33 if (flags & MS_NOSUID) 34 audit_log_format(ab, ", nosuid"); 35 if (flags & MS_NODEV) 36 audit_log_format(ab, ", nodev"); 37 if (flags & MS_NOEXEC) 38 audit_log_format(ab, ", noexec"); 39 if (flags & MS_SYNCHRONOUS) 40 audit_log_format(ab, ", sync"); 41 if (flags & MS_REMOUNT) 42 audit_log_format(ab, ", remount"); 43 if (flags & MS_MANDLOCK) 44 audit_log_format(ab, ", mand"); 45 if (flags & MS_DIRSYNC) 46 audit_log_format(ab, ", dirsync"); 47 if (flags & MS_NOATIME) 48 audit_log_format(ab, ", noatime"); 49 if (flags & MS_NODIRATIME) 50 audit_log_format(ab, ", nodiratime"); 51 if (flags & MS_BIND) 52 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 53 if (flags & MS_MOVE) 54 audit_log_format(ab, ", move"); 55 if (flags & MS_SILENT) 56 audit_log_format(ab, ", silent"); 57 if (flags & MS_POSIXACL) 58 audit_log_format(ab, ", acl"); 59 if (flags & MS_UNBINDABLE) 60 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 61 ", unbindable"); 62 if (flags & MS_PRIVATE) 63 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 64 ", private"); 65 if (flags & MS_SLAVE) 66 audit_log_format(ab, flags & MS_REC ? ", rslave" : 67 ", slave"); 68 if (flags & MS_SHARED) 69 audit_log_format(ab, flags & MS_REC ? ", rshared" : 70 ", shared"); 71 if (flags & MS_RELATIME) 72 audit_log_format(ab, ", relatime"); 73 if (flags & MS_I_VERSION) 74 audit_log_format(ab, ", iversion"); 75 if (flags & MS_STRICTATIME) 76 audit_log_format(ab, ", strictatime"); 77 if (flags & MS_NOUSER) 78 audit_log_format(ab, ", nouser"); 79 } 80 81 /** 82 * audit_cb - call back for mount specific audit fields 83 * @ab: audit_buffer (NOT NULL) 84 * @va: audit struct to audit values of (NOT NULL) 85 */ 86 static void audit_cb(struct audit_buffer *ab, void *va) 87 { 88 struct common_audit_data *sa = va; 89 90 if (aad(sa)->mnt.type) { 91 audit_log_format(ab, " fstype="); 92 audit_log_untrustedstring(ab, aad(sa)->mnt.type); 93 } 94 if (aad(sa)->mnt.src_name) { 95 audit_log_format(ab, " srcname="); 96 audit_log_untrustedstring(ab, aad(sa)->mnt.src_name); 97 } 98 if (aad(sa)->mnt.trans) { 99 audit_log_format(ab, " trans="); 100 audit_log_untrustedstring(ab, aad(sa)->mnt.trans); 101 } 102 if (aad(sa)->mnt.flags) { 103 audit_log_format(ab, " flags=\""); 104 audit_mnt_flags(ab, aad(sa)->mnt.flags); 105 audit_log_format(ab, "\""); 106 } 107 if (aad(sa)->mnt.data) { 108 audit_log_format(ab, " options="); 109 audit_log_untrustedstring(ab, aad(sa)->mnt.data); 110 } 111 } 112 113 /** 114 * audit_mount - handle the auditing of mount operations 115 * @profile: the profile being enforced (NOT NULL) 116 * @op: operation being mediated (NOT NULL) 117 * @name: name of object being mediated (MAYBE NULL) 118 * @src_name: src_name of object being mediated (MAYBE_NULL) 119 * @type: type of filesystem (MAYBE_NULL) 120 * @trans: name of trans (MAYBE NULL) 121 * @flags: filesystem independent mount flags 122 * @data: filesystem mount flags 123 * @request: permissions requested 124 * @perms: the permissions computed for the request (NOT NULL) 125 * @info: extra information message (MAYBE NULL) 126 * @error: 0 if operation allowed else failure error code 127 * 128 * Returns: %0 or error on failure 129 */ 130 static int audit_mount(struct aa_profile *profile, const char *op, 131 const char *name, const char *src_name, 132 const char *type, const char *trans, 133 unsigned long flags, const void *data, u32 request, 134 struct aa_perms *perms, const char *info, int error) 135 { 136 int audit_type = AUDIT_APPARMOR_AUTO; 137 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 138 139 if (likely(!error)) { 140 u32 mask = perms->audit; 141 142 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 143 mask = 0xffff; 144 145 /* mask off perms that are not being force audited */ 146 request &= mask; 147 148 if (likely(!request)) 149 return 0; 150 audit_type = AUDIT_APPARMOR_AUDIT; 151 } else { 152 /* only report permissions that were denied */ 153 request = request & ~perms->allow; 154 155 if (request & perms->kill) 156 audit_type = AUDIT_APPARMOR_KILL; 157 158 /* quiet known rejects, assumes quiet and kill do not overlap */ 159 if ((request & perms->quiet) && 160 AUDIT_MODE(profile) != AUDIT_NOQUIET && 161 AUDIT_MODE(profile) != AUDIT_ALL) 162 request &= ~perms->quiet; 163 164 if (!request) 165 return error; 166 } 167 168 aad(&sa)->name = name; 169 aad(&sa)->mnt.src_name = src_name; 170 aad(&sa)->mnt.type = type; 171 aad(&sa)->mnt.trans = trans; 172 aad(&sa)->mnt.flags = flags; 173 if (data && (perms->audit & AA_AUDIT_DATA)) 174 aad(&sa)->mnt.data = data; 175 aad(&sa)->info = info; 176 aad(&sa)->error = error; 177 178 return aa_audit(audit_type, profile, &sa, audit_cb); 179 } 180 181 /** 182 * match_mnt_flags - Do an ordered match on mount flags 183 * @dfa: dfa to match against 184 * @state: state to start in 185 * @flags: mount flags to match against 186 * 187 * Mount flags are encoded as an ordered match. This is done instead of 188 * checking against a simple bitmask, to allow for logical operations 189 * on the flags. 190 * 191 * Returns: next state after flags match 192 */ 193 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, 194 unsigned long flags) 195 { 196 unsigned int i; 197 198 for (i = 0; i <= 31 ; ++i) { 199 if ((1 << i) & flags) 200 state = aa_dfa_next(dfa, state, i + 1); 201 } 202 203 return state; 204 } 205 206 static const char * const mnt_info_table[] = { 207 "match succeeded", 208 "failed mntpnt match", 209 "failed srcname match", 210 "failed type match", 211 "failed flags match", 212 "failed data match", 213 "failed perms check" 214 }; 215 216 /* 217 * Returns 0 on success else element that match failed in, this is the 218 * index into the mnt_info_table above 219 */ 220 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, 221 const char *mntpnt, const char *devname, 222 const char *type, unsigned long flags, 223 void *data, bool binary, struct aa_perms *perms) 224 { 225 aa_state_t state; 226 227 AA_BUG(!policy); 228 AA_BUG(!policy->dfa); 229 AA_BUG(!policy->perms); 230 AA_BUG(!perms); 231 232 state = aa_dfa_match(policy->dfa, start, mntpnt); 233 state = aa_dfa_null_transition(policy->dfa, state); 234 if (!state) 235 return 1; 236 237 if (devname) 238 state = aa_dfa_match(policy->dfa, state, devname); 239 state = aa_dfa_null_transition(policy->dfa, state); 240 if (!state) 241 return 2; 242 243 if (type) 244 state = aa_dfa_match(policy->dfa, state, type); 245 state = aa_dfa_null_transition(policy->dfa, state); 246 if (!state) 247 return 3; 248 249 state = match_mnt_flags(policy->dfa, state, flags); 250 if (!state) 251 return 4; 252 *perms = *aa_lookup_perms(policy, state); 253 if (perms->allow & AA_MAY_MOUNT) 254 return 0; 255 256 /* only match data if not binary and the DFA flags data is expected */ 257 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 258 state = aa_dfa_null_transition(policy->dfa, state); 259 if (!state) 260 return 4; 261 262 state = aa_dfa_match(policy->dfa, state, data); 263 if (!state) 264 return 5; 265 *perms = *aa_lookup_perms(policy, state); 266 if (perms->allow & AA_MAY_MOUNT) 267 return 0; 268 } 269 270 /* failed at perms check, don't confuse with flags match */ 271 return 6; 272 } 273 274 275 static int path_flags(struct aa_profile *profile, const struct path *path) 276 { 277 AA_BUG(!profile); 278 AA_BUG(!path); 279 280 return profile->path_flags | 281 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 282 } 283 284 /** 285 * match_mnt_path_str - handle path matching for mount 286 * @profile: the confining profile 287 * @mntpath: for the mntpnt (NOT NULL) 288 * @buffer: buffer to be used to lookup mntpath 289 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) 290 * @type: string for the dev type (MAYBE NULL) 291 * @flags: mount flags to match 292 * @data: fs mount data (MAYBE NULL) 293 * @binary: whether @data is binary 294 * @devinfo: error str if (IS_ERR(@devname)) 295 * 296 * Returns: 0 on success else error 297 */ 298 static int match_mnt_path_str(struct aa_profile *profile, 299 const struct path *mntpath, char *buffer, 300 const char *devname, const char *type, 301 unsigned long flags, void *data, bool binary, 302 const char *devinfo) 303 { 304 struct aa_perms perms = { }; 305 const char *mntpnt = NULL, *info = NULL; 306 struct aa_ruleset *rules = list_first_entry(&profile->rules, 307 typeof(*rules), list); 308 int pos, error; 309 310 AA_BUG(!profile); 311 AA_BUG(!mntpath); 312 AA_BUG(!buffer); 313 314 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 315 return 0; 316 317 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 318 &mntpnt, &info, profile->disconnected); 319 if (error) 320 goto audit; 321 if (IS_ERR(devname)) { 322 error = PTR_ERR(devname); 323 devname = NULL; 324 info = devinfo; 325 goto audit; 326 } 327 328 error = -EACCES; 329 pos = do_match_mnt(&rules->policy, 330 rules->policy.start[AA_CLASS_MOUNT], 331 mntpnt, devname, type, flags, data, binary, &perms); 332 if (pos) { 333 info = mnt_info_table[pos]; 334 goto audit; 335 } 336 error = 0; 337 338 audit: 339 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL, 340 flags, data, AA_MAY_MOUNT, &perms, info, error); 341 } 342 343 /** 344 * match_mnt - handle path matching for mount 345 * @profile: the confining profile 346 * @path: for the mntpnt (NOT NULL) 347 * @buffer: buffer to be used to lookup mntpath 348 * @devpath: path devname/src_name (MAYBE NULL) 349 * @devbuffer: buffer to be used to lookup devname/src_name 350 * @type: string for the dev type (MAYBE NULL) 351 * @flags: mount flags to match 352 * @data: fs mount data (MAYBE NULL) 353 * @binary: whether @data is binary 354 * 355 * Returns: 0 on success else error 356 */ 357 static int match_mnt(struct aa_profile *profile, const struct path *path, 358 char *buffer, const struct path *devpath, char *devbuffer, 359 const char *type, unsigned long flags, void *data, 360 bool binary) 361 { 362 const char *devname = NULL, *info = NULL; 363 struct aa_ruleset *rules = list_first_entry(&profile->rules, 364 typeof(*rules), list); 365 int error = -EACCES; 366 367 AA_BUG(!profile); 368 AA_BUG(devpath && !devbuffer); 369 370 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 371 return 0; 372 373 if (devpath) { 374 error = aa_path_name(devpath, path_flags(profile, devpath), 375 devbuffer, &devname, &info, 376 profile->disconnected); 377 if (error) 378 devname = ERR_PTR(error); 379 } 380 381 return match_mnt_path_str(profile, path, buffer, devname, type, flags, 382 data, binary, info); 383 } 384 385 int aa_remount(struct aa_label *label, const struct path *path, 386 unsigned long flags, void *data) 387 { 388 struct aa_profile *profile; 389 char *buffer = NULL; 390 bool binary; 391 int error; 392 393 AA_BUG(!label); 394 AA_BUG(!path); 395 396 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 397 398 buffer = aa_get_buffer(false); 399 if (!buffer) 400 return -ENOMEM; 401 error = fn_for_each_confined(label, profile, 402 match_mnt(profile, path, buffer, NULL, NULL, NULL, 403 flags, data, binary)); 404 aa_put_buffer(buffer); 405 406 return error; 407 } 408 409 int aa_bind_mount(struct aa_label *label, const struct path *path, 410 const char *dev_name, unsigned long flags) 411 { 412 struct aa_profile *profile; 413 char *buffer = NULL, *old_buffer = NULL; 414 struct path old_path; 415 int error; 416 417 AA_BUG(!label); 418 AA_BUG(!path); 419 420 if (!dev_name || !*dev_name) 421 return -EINVAL; 422 423 flags &= MS_REC | MS_BIND; 424 425 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 426 if (error) 427 return error; 428 429 buffer = aa_get_buffer(false); 430 old_buffer = aa_get_buffer(false); 431 error = -ENOMEM; 432 if (!buffer || !old_buffer) 433 goto out; 434 435 error = fn_for_each_confined(label, profile, 436 match_mnt(profile, path, buffer, &old_path, old_buffer, 437 NULL, flags, NULL, false)); 438 out: 439 aa_put_buffer(buffer); 440 aa_put_buffer(old_buffer); 441 path_put(&old_path); 442 443 return error; 444 } 445 446 int aa_mount_change_type(struct aa_label *label, const struct path *path, 447 unsigned long flags) 448 { 449 struct aa_profile *profile; 450 char *buffer = NULL; 451 int error; 452 453 AA_BUG(!label); 454 AA_BUG(!path); 455 456 /* These are the flags allowed by do_change_type() */ 457 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 458 MS_UNBINDABLE); 459 460 buffer = aa_get_buffer(false); 461 if (!buffer) 462 return -ENOMEM; 463 error = fn_for_each_confined(label, profile, 464 match_mnt(profile, path, buffer, NULL, NULL, NULL, 465 flags, NULL, false)); 466 aa_put_buffer(buffer); 467 468 return error; 469 } 470 471 int aa_move_mount(struct aa_label *label, const struct path *path, 472 const char *orig_name) 473 { 474 struct aa_profile *profile; 475 char *buffer = NULL, *old_buffer = NULL; 476 struct path old_path; 477 int error; 478 479 AA_BUG(!label); 480 AA_BUG(!path); 481 482 if (!orig_name || !*orig_name) 483 return -EINVAL; 484 485 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 486 if (error) 487 return error; 488 489 buffer = aa_get_buffer(false); 490 old_buffer = aa_get_buffer(false); 491 error = -ENOMEM; 492 if (!buffer || !old_buffer) 493 goto out; 494 error = fn_for_each_confined(label, profile, 495 match_mnt(profile, path, buffer, &old_path, old_buffer, 496 NULL, MS_MOVE, NULL, false)); 497 out: 498 aa_put_buffer(buffer); 499 aa_put_buffer(old_buffer); 500 path_put(&old_path); 501 502 return error; 503 } 504 505 int aa_new_mount(struct aa_label *label, const char *dev_name, 506 const struct path *path, const char *type, unsigned long flags, 507 void *data) 508 { 509 struct aa_profile *profile; 510 char *buffer = NULL, *dev_buffer = NULL; 511 bool binary = true; 512 int error; 513 int requires_dev = 0; 514 struct path tmp_path, *dev_path = NULL; 515 516 AA_BUG(!label); 517 AA_BUG(!path); 518 519 if (type) { 520 struct file_system_type *fstype; 521 522 fstype = get_fs_type(type); 523 if (!fstype) 524 return -ENODEV; 525 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 526 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 527 put_filesystem(fstype); 528 529 if (requires_dev) { 530 if (!dev_name || !*dev_name) 531 return -ENOENT; 532 533 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 534 if (error) 535 return error; 536 dev_path = &tmp_path; 537 } 538 } 539 540 buffer = aa_get_buffer(false); 541 if (!buffer) { 542 error = -ENOMEM; 543 goto out; 544 } 545 if (dev_path) { 546 dev_buffer = aa_get_buffer(false); 547 if (!dev_buffer) { 548 error = -ENOMEM; 549 goto out; 550 } 551 error = fn_for_each_confined(label, profile, 552 match_mnt(profile, path, buffer, dev_path, dev_buffer, 553 type, flags, data, binary)); 554 } else { 555 error = fn_for_each_confined(label, profile, 556 match_mnt_path_str(profile, path, buffer, dev_name, 557 type, flags, data, binary, NULL)); 558 } 559 560 out: 561 aa_put_buffer(buffer); 562 aa_put_buffer(dev_buffer); 563 if (dev_path) 564 path_put(dev_path); 565 566 return error; 567 } 568 569 static int profile_umount(struct aa_profile *profile, const struct path *path, 570 char *buffer) 571 { 572 struct aa_ruleset *rules = list_first_entry(&profile->rules, 573 typeof(*rules), list); 574 struct aa_perms perms = { }; 575 const char *name = NULL, *info = NULL; 576 aa_state_t state; 577 int error; 578 579 AA_BUG(!profile); 580 AA_BUG(!path); 581 582 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 583 return 0; 584 585 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 586 &info, profile->disconnected); 587 if (error) 588 goto audit; 589 590 state = aa_dfa_match(rules->policy.dfa, 591 rules->policy.start[AA_CLASS_MOUNT], 592 name); 593 perms = *aa_lookup_perms(&rules->policy, state); 594 if (AA_MAY_UMOUNT & ~perms.allow) 595 error = -EACCES; 596 597 audit: 598 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL, 599 AA_MAY_UMOUNT, &perms, info, error); 600 } 601 602 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags) 603 { 604 struct aa_profile *profile; 605 char *buffer = NULL; 606 int error; 607 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 608 609 AA_BUG(!label); 610 AA_BUG(!mnt); 611 612 buffer = aa_get_buffer(false); 613 if (!buffer) 614 return -ENOMEM; 615 616 error = fn_for_each_confined(label, profile, 617 profile_umount(profile, &path, buffer)); 618 aa_put_buffer(buffer); 619 620 return error; 621 } 622 623 /* helper fn for transition on pivotroot 624 * 625 * Returns: label for transition or ERR_PTR. Does not return NULL 626 */ 627 static struct aa_label *build_pivotroot(struct aa_profile *profile, 628 const struct path *new_path, 629 char *new_buffer, 630 const struct path *old_path, 631 char *old_buffer) 632 { 633 struct aa_ruleset *rules = list_first_entry(&profile->rules, 634 typeof(*rules), list); 635 const char *old_name, *new_name = NULL, *info = NULL; 636 const char *trans_name = NULL; 637 struct aa_perms perms = { }; 638 aa_state_t state; 639 int error; 640 641 AA_BUG(!profile); 642 AA_BUG(!new_path); 643 AA_BUG(!old_path); 644 645 if (profile_unconfined(profile) || 646 !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 647 return aa_get_newest_label(&profile->label); 648 649 error = aa_path_name(old_path, path_flags(profile, old_path), 650 old_buffer, &old_name, &info, 651 profile->disconnected); 652 if (error) 653 goto audit; 654 error = aa_path_name(new_path, path_flags(profile, new_path), 655 new_buffer, &new_name, &info, 656 profile->disconnected); 657 if (error) 658 goto audit; 659 660 error = -EACCES; 661 state = aa_dfa_match(rules->policy.dfa, 662 rules->policy.start[AA_CLASS_MOUNT], 663 new_name); 664 state = aa_dfa_null_transition(rules->policy.dfa, state); 665 state = aa_dfa_match(rules->policy.dfa, state, old_name); 666 perms = *aa_lookup_perms(&rules->policy, state); 667 668 if (AA_MAY_PIVOTROOT & perms.allow) 669 error = 0; 670 671 audit: 672 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name, 673 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 674 &perms, info, error); 675 if (error) 676 return ERR_PTR(error); 677 678 return aa_get_newest_label(&profile->label); 679 } 680 681 int aa_pivotroot(struct aa_label *label, const struct path *old_path, 682 const struct path *new_path) 683 { 684 struct aa_profile *profile; 685 struct aa_label *target = NULL; 686 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 687 int error; 688 689 AA_BUG(!label); 690 AA_BUG(!old_path); 691 AA_BUG(!new_path); 692 693 old_buffer = aa_get_buffer(false); 694 new_buffer = aa_get_buffer(false); 695 error = -ENOMEM; 696 if (!old_buffer || !new_buffer) 697 goto out; 698 target = fn_label_build(label, profile, GFP_KERNEL, 699 build_pivotroot(profile, new_path, new_buffer, 700 old_path, old_buffer)); 701 if (!target) { 702 info = "label build failed"; 703 error = -ENOMEM; 704 goto fail; 705 } else if (!IS_ERR(target)) { 706 error = aa_replace_current_label(target); 707 if (error) { 708 /* TODO: audit target */ 709 aa_put_label(target); 710 goto out; 711 } 712 aa_put_label(target); 713 } else 714 /* already audited error */ 715 error = PTR_ERR(target); 716 out: 717 aa_put_buffer(old_buffer); 718 aa_put_buffer(new_buffer); 719 720 return error; 721 722 fail: 723 /* TODO: add back in auditing of new_name and old_name */ 724 error = fn_for_each(label, profile, 725 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */, 726 NULL /* old_name */, 727 NULL, NULL, 728 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 729 error)); 730 goto out; 731 } 732