1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor mediation of files 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2017 Canonical Ltd. 9 */ 10 11 #include <linux/fs.h> 12 #include <linux/mount.h> 13 #include <linux/namei.h> 14 #include <uapi/linux/mount.h> 15 16 #include "include/apparmor.h" 17 #include "include/audit.h" 18 #include "include/cred.h" 19 #include "include/domain.h" 20 #include "include/file.h" 21 #include "include/match.h" 22 #include "include/mount.h" 23 #include "include/path.h" 24 #include "include/policy.h" 25 26 27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 28 { 29 if (flags & MS_RDONLY) 30 audit_log_format(ab, "ro"); 31 else 32 audit_log_format(ab, "rw"); 33 if (flags & MS_NOSUID) 34 audit_log_format(ab, ", nosuid"); 35 if (flags & MS_NODEV) 36 audit_log_format(ab, ", nodev"); 37 if (flags & MS_NOEXEC) 38 audit_log_format(ab, ", noexec"); 39 if (flags & MS_SYNCHRONOUS) 40 audit_log_format(ab, ", sync"); 41 if (flags & MS_REMOUNT) 42 audit_log_format(ab, ", remount"); 43 if (flags & MS_MANDLOCK) 44 audit_log_format(ab, ", mand"); 45 if (flags & MS_DIRSYNC) 46 audit_log_format(ab, ", dirsync"); 47 if (flags & MS_NOATIME) 48 audit_log_format(ab, ", noatime"); 49 if (flags & MS_NODIRATIME) 50 audit_log_format(ab, ", nodiratime"); 51 if (flags & MS_BIND) 52 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 53 if (flags & MS_MOVE) 54 audit_log_format(ab, ", move"); 55 if (flags & MS_SILENT) 56 audit_log_format(ab, ", silent"); 57 if (flags & MS_POSIXACL) 58 audit_log_format(ab, ", acl"); 59 if (flags & MS_UNBINDABLE) 60 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 61 ", unbindable"); 62 if (flags & MS_PRIVATE) 63 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 64 ", private"); 65 if (flags & MS_SLAVE) 66 audit_log_format(ab, flags & MS_REC ? ", rslave" : 67 ", slave"); 68 if (flags & MS_SHARED) 69 audit_log_format(ab, flags & MS_REC ? ", rshared" : 70 ", shared"); 71 if (flags & MS_RELATIME) 72 audit_log_format(ab, ", relatime"); 73 if (flags & MS_I_VERSION) 74 audit_log_format(ab, ", iversion"); 75 if (flags & MS_STRICTATIME) 76 audit_log_format(ab, ", strictatime"); 77 if (flags & MS_NOUSER) 78 audit_log_format(ab, ", nouser"); 79 } 80 81 /** 82 * audit_cb - call back for mount specific audit fields 83 * @ab: audit_buffer (NOT NULL) 84 * @va: audit struct to audit values of (NOT NULL) 85 */ 86 static void audit_cb(struct audit_buffer *ab, void *va) 87 { 88 struct common_audit_data *sa = va; 89 struct apparmor_audit_data *ad = aad(sa); 90 91 if (ad->mnt.type) { 92 audit_log_format(ab, " fstype="); 93 audit_log_untrustedstring(ab, ad->mnt.type); 94 } 95 if (ad->mnt.src_name) { 96 audit_log_format(ab, " srcname="); 97 audit_log_untrustedstring(ab, ad->mnt.src_name); 98 } 99 if (ad->mnt.trans) { 100 audit_log_format(ab, " trans="); 101 audit_log_untrustedstring(ab, ad->mnt.trans); 102 } 103 if (ad->mnt.flags) { 104 audit_log_format(ab, " flags=\""); 105 audit_mnt_flags(ab, ad->mnt.flags); 106 audit_log_format(ab, "\""); 107 } 108 if (ad->mnt.data) { 109 audit_log_format(ab, " options="); 110 audit_log_untrustedstring(ab, ad->mnt.data); 111 } 112 } 113 114 /** 115 * audit_mount - handle the auditing of mount operations 116 * @profile: the profile being enforced (NOT NULL) 117 * @op: operation being mediated (NOT NULL) 118 * @name: name of object being mediated (MAYBE NULL) 119 * @src_name: src_name of object being mediated (MAYBE_NULL) 120 * @type: type of filesystem (MAYBE_NULL) 121 * @trans: name of trans (MAYBE NULL) 122 * @flags: filesystem independent mount flags 123 * @data: filesystem mount flags 124 * @request: permissions requested 125 * @perms: the permissions computed for the request (NOT NULL) 126 * @info: extra information message (MAYBE NULL) 127 * @error: 0 if operation allowed else failure error code 128 * 129 * Returns: %0 or error on failure 130 */ 131 static int audit_mount(struct aa_profile *profile, const char *op, 132 const char *name, const char *src_name, 133 const char *type, const char *trans, 134 unsigned long flags, const void *data, u32 request, 135 struct aa_perms *perms, const char *info, int error) 136 { 137 int audit_type = AUDIT_APPARMOR_AUTO; 138 DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); 139 140 if (likely(!error)) { 141 u32 mask = perms->audit; 142 143 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 144 mask = 0xffff; 145 146 /* mask off perms that are not being force audited */ 147 request &= mask; 148 149 if (likely(!request)) 150 return 0; 151 audit_type = AUDIT_APPARMOR_AUDIT; 152 } else { 153 /* only report permissions that were denied */ 154 request = request & ~perms->allow; 155 156 if (request & perms->kill) 157 audit_type = AUDIT_APPARMOR_KILL; 158 159 /* quiet known rejects, assumes quiet and kill do not overlap */ 160 if ((request & perms->quiet) && 161 AUDIT_MODE(profile) != AUDIT_NOQUIET && 162 AUDIT_MODE(profile) != AUDIT_ALL) 163 request &= ~perms->quiet; 164 165 if (!request) 166 return error; 167 } 168 169 ad.name = name; 170 ad.mnt.src_name = src_name; 171 ad.mnt.type = type; 172 ad.mnt.trans = trans; 173 ad.mnt.flags = flags; 174 if (data && (perms->audit & AA_AUDIT_DATA)) 175 ad.mnt.data = data; 176 ad.info = info; 177 ad.error = error; 178 179 return aa_audit(audit_type, profile, &ad, audit_cb); 180 } 181 182 /** 183 * match_mnt_flags - Do an ordered match on mount flags 184 * @dfa: dfa to match against 185 * @state: state to start in 186 * @flags: mount flags to match against 187 * 188 * Mount flags are encoded as an ordered match. This is done instead of 189 * checking against a simple bitmask, to allow for logical operations 190 * on the flags. 191 * 192 * Returns: next state after flags match 193 */ 194 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, 195 unsigned long flags) 196 { 197 unsigned int i; 198 199 for (i = 0; i <= 31 ; ++i) { 200 if ((1 << i) & flags) 201 state = aa_dfa_next(dfa, state, i + 1); 202 } 203 204 return state; 205 } 206 207 static const char * const mnt_info_table[] = { 208 "match succeeded", 209 "failed mntpnt match", 210 "failed srcname match", 211 "failed type match", 212 "failed flags match", 213 "failed data match", 214 "failed perms check" 215 }; 216 217 /* 218 * Returns 0 on success else element that match failed in, this is the 219 * index into the mnt_info_table above 220 */ 221 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, 222 const char *mntpnt, const char *devname, 223 const char *type, unsigned long flags, 224 void *data, bool binary, struct aa_perms *perms) 225 { 226 aa_state_t state; 227 228 AA_BUG(!policy); 229 AA_BUG(!policy->dfa); 230 AA_BUG(!policy->perms); 231 AA_BUG(!perms); 232 233 state = aa_dfa_match(policy->dfa, start, mntpnt); 234 state = aa_dfa_null_transition(policy->dfa, state); 235 if (!state) 236 return 1; 237 238 if (devname) 239 state = aa_dfa_match(policy->dfa, state, devname); 240 state = aa_dfa_null_transition(policy->dfa, state); 241 if (!state) 242 return 2; 243 244 if (type) 245 state = aa_dfa_match(policy->dfa, state, type); 246 state = aa_dfa_null_transition(policy->dfa, state); 247 if (!state) 248 return 3; 249 250 state = match_mnt_flags(policy->dfa, state, flags); 251 if (!state) 252 return 4; 253 *perms = *aa_lookup_perms(policy, state); 254 if (perms->allow & AA_MAY_MOUNT) 255 return 0; 256 257 /* only match data if not binary and the DFA flags data is expected */ 258 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 259 state = aa_dfa_null_transition(policy->dfa, state); 260 if (!state) 261 return 4; 262 263 state = aa_dfa_match(policy->dfa, state, data); 264 if (!state) 265 return 5; 266 *perms = *aa_lookup_perms(policy, state); 267 if (perms->allow & AA_MAY_MOUNT) 268 return 0; 269 } 270 271 /* failed at perms check, don't confuse with flags match */ 272 return 6; 273 } 274 275 276 static int path_flags(struct aa_profile *profile, const struct path *path) 277 { 278 AA_BUG(!profile); 279 AA_BUG(!path); 280 281 return profile->path_flags | 282 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 283 } 284 285 /** 286 * match_mnt_path_str - handle path matching for mount 287 * @profile: the confining profile 288 * @mntpath: for the mntpnt (NOT NULL) 289 * @buffer: buffer to be used to lookup mntpath 290 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) 291 * @type: string for the dev type (MAYBE NULL) 292 * @flags: mount flags to match 293 * @data: fs mount data (MAYBE NULL) 294 * @binary: whether @data is binary 295 * @devinfo: error str if (IS_ERR(@devname)) 296 * 297 * Returns: 0 on success else error 298 */ 299 static int match_mnt_path_str(struct aa_profile *profile, 300 const struct path *mntpath, char *buffer, 301 const char *devname, const char *type, 302 unsigned long flags, void *data, bool binary, 303 const char *devinfo) 304 { 305 struct aa_perms perms = { }; 306 const char *mntpnt = NULL, *info = NULL; 307 struct aa_ruleset *rules = list_first_entry(&profile->rules, 308 typeof(*rules), list); 309 int pos, error; 310 311 AA_BUG(!profile); 312 AA_BUG(!mntpath); 313 AA_BUG(!buffer); 314 315 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 316 return 0; 317 318 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 319 &mntpnt, &info, profile->disconnected); 320 if (error) 321 goto audit; 322 if (IS_ERR(devname)) { 323 error = PTR_ERR(devname); 324 devname = NULL; 325 info = devinfo; 326 goto audit; 327 } 328 329 error = -EACCES; 330 pos = do_match_mnt(&rules->policy, 331 rules->policy.start[AA_CLASS_MOUNT], 332 mntpnt, devname, type, flags, data, binary, &perms); 333 if (pos) { 334 info = mnt_info_table[pos]; 335 goto audit; 336 } 337 error = 0; 338 339 audit: 340 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL, 341 flags, data, AA_MAY_MOUNT, &perms, info, error); 342 } 343 344 /** 345 * match_mnt - handle path matching for mount 346 * @profile: the confining profile 347 * @path: for the mntpnt (NOT NULL) 348 * @buffer: buffer to be used to lookup mntpath 349 * @devpath: path devname/src_name (MAYBE NULL) 350 * @devbuffer: buffer to be used to lookup devname/src_name 351 * @type: string for the dev type (MAYBE NULL) 352 * @flags: mount flags to match 353 * @data: fs mount data (MAYBE NULL) 354 * @binary: whether @data is binary 355 * 356 * Returns: 0 on success else error 357 */ 358 static int match_mnt(struct aa_profile *profile, const struct path *path, 359 char *buffer, const struct path *devpath, char *devbuffer, 360 const char *type, unsigned long flags, void *data, 361 bool binary) 362 { 363 const char *devname = NULL, *info = NULL; 364 struct aa_ruleset *rules = list_first_entry(&profile->rules, 365 typeof(*rules), list); 366 int error = -EACCES; 367 368 AA_BUG(!profile); 369 AA_BUG(devpath && !devbuffer); 370 371 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 372 return 0; 373 374 if (devpath) { 375 error = aa_path_name(devpath, path_flags(profile, devpath), 376 devbuffer, &devname, &info, 377 profile->disconnected); 378 if (error) 379 devname = ERR_PTR(error); 380 } 381 382 return match_mnt_path_str(profile, path, buffer, devname, type, flags, 383 data, binary, info); 384 } 385 386 int aa_remount(struct aa_label *label, const struct path *path, 387 unsigned long flags, void *data) 388 { 389 struct aa_profile *profile; 390 char *buffer = NULL; 391 bool binary; 392 int error; 393 394 AA_BUG(!label); 395 AA_BUG(!path); 396 397 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 398 399 buffer = aa_get_buffer(false); 400 if (!buffer) 401 return -ENOMEM; 402 error = fn_for_each_confined(label, profile, 403 match_mnt(profile, path, buffer, NULL, NULL, NULL, 404 flags, data, binary)); 405 aa_put_buffer(buffer); 406 407 return error; 408 } 409 410 int aa_bind_mount(struct aa_label *label, const struct path *path, 411 const char *dev_name, unsigned long flags) 412 { 413 struct aa_profile *profile; 414 char *buffer = NULL, *old_buffer = NULL; 415 struct path old_path; 416 int error; 417 418 AA_BUG(!label); 419 AA_BUG(!path); 420 421 if (!dev_name || !*dev_name) 422 return -EINVAL; 423 424 flags &= MS_REC | MS_BIND; 425 426 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 427 if (error) 428 return error; 429 430 buffer = aa_get_buffer(false); 431 old_buffer = aa_get_buffer(false); 432 error = -ENOMEM; 433 if (!buffer || !old_buffer) 434 goto out; 435 436 error = fn_for_each_confined(label, profile, 437 match_mnt(profile, path, buffer, &old_path, old_buffer, 438 NULL, flags, NULL, false)); 439 out: 440 aa_put_buffer(buffer); 441 aa_put_buffer(old_buffer); 442 path_put(&old_path); 443 444 return error; 445 } 446 447 int aa_mount_change_type(struct aa_label *label, const struct path *path, 448 unsigned long flags) 449 { 450 struct aa_profile *profile; 451 char *buffer = NULL; 452 int error; 453 454 AA_BUG(!label); 455 AA_BUG(!path); 456 457 /* These are the flags allowed by do_change_type() */ 458 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 459 MS_UNBINDABLE); 460 461 buffer = aa_get_buffer(false); 462 if (!buffer) 463 return -ENOMEM; 464 error = fn_for_each_confined(label, profile, 465 match_mnt(profile, path, buffer, NULL, NULL, NULL, 466 flags, NULL, false)); 467 aa_put_buffer(buffer); 468 469 return error; 470 } 471 472 int aa_move_mount(struct aa_label *label, const struct path *path, 473 const char *orig_name) 474 { 475 struct aa_profile *profile; 476 char *buffer = NULL, *old_buffer = NULL; 477 struct path old_path; 478 int error; 479 480 AA_BUG(!label); 481 AA_BUG(!path); 482 483 if (!orig_name || !*orig_name) 484 return -EINVAL; 485 486 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 487 if (error) 488 return error; 489 490 buffer = aa_get_buffer(false); 491 old_buffer = aa_get_buffer(false); 492 error = -ENOMEM; 493 if (!buffer || !old_buffer) 494 goto out; 495 error = fn_for_each_confined(label, profile, 496 match_mnt(profile, path, buffer, &old_path, old_buffer, 497 NULL, MS_MOVE, NULL, false)); 498 out: 499 aa_put_buffer(buffer); 500 aa_put_buffer(old_buffer); 501 path_put(&old_path); 502 503 return error; 504 } 505 506 int aa_new_mount(struct aa_label *label, const char *dev_name, 507 const struct path *path, const char *type, unsigned long flags, 508 void *data) 509 { 510 struct aa_profile *profile; 511 char *buffer = NULL, *dev_buffer = NULL; 512 bool binary = true; 513 int error; 514 int requires_dev = 0; 515 struct path tmp_path, *dev_path = NULL; 516 517 AA_BUG(!label); 518 AA_BUG(!path); 519 520 if (type) { 521 struct file_system_type *fstype; 522 523 fstype = get_fs_type(type); 524 if (!fstype) 525 return -ENODEV; 526 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 527 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 528 put_filesystem(fstype); 529 530 if (requires_dev) { 531 if (!dev_name || !*dev_name) 532 return -ENOENT; 533 534 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 535 if (error) 536 return error; 537 dev_path = &tmp_path; 538 } 539 } 540 541 buffer = aa_get_buffer(false); 542 if (!buffer) { 543 error = -ENOMEM; 544 goto out; 545 } 546 if (dev_path) { 547 dev_buffer = aa_get_buffer(false); 548 if (!dev_buffer) { 549 error = -ENOMEM; 550 goto out; 551 } 552 error = fn_for_each_confined(label, profile, 553 match_mnt(profile, path, buffer, dev_path, dev_buffer, 554 type, flags, data, binary)); 555 } else { 556 error = fn_for_each_confined(label, profile, 557 match_mnt_path_str(profile, path, buffer, dev_name, 558 type, flags, data, binary, NULL)); 559 } 560 561 out: 562 aa_put_buffer(buffer); 563 aa_put_buffer(dev_buffer); 564 if (dev_path) 565 path_put(dev_path); 566 567 return error; 568 } 569 570 static int profile_umount(struct aa_profile *profile, const struct path *path, 571 char *buffer) 572 { 573 struct aa_ruleset *rules = list_first_entry(&profile->rules, 574 typeof(*rules), list); 575 struct aa_perms perms = { }; 576 const char *name = NULL, *info = NULL; 577 aa_state_t state; 578 int error; 579 580 AA_BUG(!profile); 581 AA_BUG(!path); 582 583 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 584 return 0; 585 586 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 587 &info, profile->disconnected); 588 if (error) 589 goto audit; 590 591 state = aa_dfa_match(rules->policy.dfa, 592 rules->policy.start[AA_CLASS_MOUNT], 593 name); 594 perms = *aa_lookup_perms(&rules->policy, state); 595 if (AA_MAY_UMOUNT & ~perms.allow) 596 error = -EACCES; 597 598 audit: 599 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL, 600 AA_MAY_UMOUNT, &perms, info, error); 601 } 602 603 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags) 604 { 605 struct aa_profile *profile; 606 char *buffer = NULL; 607 int error; 608 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 609 610 AA_BUG(!label); 611 AA_BUG(!mnt); 612 613 buffer = aa_get_buffer(false); 614 if (!buffer) 615 return -ENOMEM; 616 617 error = fn_for_each_confined(label, profile, 618 profile_umount(profile, &path, buffer)); 619 aa_put_buffer(buffer); 620 621 return error; 622 } 623 624 /* helper fn for transition on pivotroot 625 * 626 * Returns: label for transition or ERR_PTR. Does not return NULL 627 */ 628 static struct aa_label *build_pivotroot(struct aa_profile *profile, 629 const struct path *new_path, 630 char *new_buffer, 631 const struct path *old_path, 632 char *old_buffer) 633 { 634 struct aa_ruleset *rules = list_first_entry(&profile->rules, 635 typeof(*rules), list); 636 const char *old_name, *new_name = NULL, *info = NULL; 637 const char *trans_name = NULL; 638 struct aa_perms perms = { }; 639 aa_state_t state; 640 int error; 641 642 AA_BUG(!profile); 643 AA_BUG(!new_path); 644 AA_BUG(!old_path); 645 646 if (profile_unconfined(profile) || 647 !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) 648 return aa_get_newest_label(&profile->label); 649 650 error = aa_path_name(old_path, path_flags(profile, old_path), 651 old_buffer, &old_name, &info, 652 profile->disconnected); 653 if (error) 654 goto audit; 655 error = aa_path_name(new_path, path_flags(profile, new_path), 656 new_buffer, &new_name, &info, 657 profile->disconnected); 658 if (error) 659 goto audit; 660 661 error = -EACCES; 662 state = aa_dfa_match(rules->policy.dfa, 663 rules->policy.start[AA_CLASS_MOUNT], 664 new_name); 665 state = aa_dfa_null_transition(rules->policy.dfa, state); 666 state = aa_dfa_match(rules->policy.dfa, state, old_name); 667 perms = *aa_lookup_perms(&rules->policy, state); 668 669 if (AA_MAY_PIVOTROOT & perms.allow) 670 error = 0; 671 672 audit: 673 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name, 674 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 675 &perms, info, error); 676 if (error) 677 return ERR_PTR(error); 678 679 return aa_get_newest_label(&profile->label); 680 } 681 682 int aa_pivotroot(struct aa_label *label, const struct path *old_path, 683 const struct path *new_path) 684 { 685 struct aa_profile *profile; 686 struct aa_label *target = NULL; 687 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 688 int error; 689 690 AA_BUG(!label); 691 AA_BUG(!old_path); 692 AA_BUG(!new_path); 693 694 old_buffer = aa_get_buffer(false); 695 new_buffer = aa_get_buffer(false); 696 error = -ENOMEM; 697 if (!old_buffer || !new_buffer) 698 goto out; 699 target = fn_label_build(label, profile, GFP_KERNEL, 700 build_pivotroot(profile, new_path, new_buffer, 701 old_path, old_buffer)); 702 if (!target) { 703 info = "label build failed"; 704 error = -ENOMEM; 705 goto fail; 706 } else if (!IS_ERR(target)) { 707 error = aa_replace_current_label(target); 708 if (error) { 709 /* TODO: audit target */ 710 aa_put_label(target); 711 goto out; 712 } 713 aa_put_label(target); 714 } else 715 /* already audited error */ 716 error = PTR_ERR(target); 717 out: 718 aa_put_buffer(old_buffer); 719 aa_put_buffer(new_buffer); 720 721 return error; 722 723 fail: 724 /* TODO: add back in auditing of new_name and old_name */ 725 error = fn_for_each(label, profile, 726 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */, 727 NULL /* old_name */, 728 NULL, NULL, 729 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 730 error)); 731 goto out; 732 } 733