1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/ctype.h> 16 #include <linux/security.h> 17 #include <linux/vmalloc.h> 18 #include <linux/module.h> 19 #include <linux/seq_file.h> 20 #include <linux/uaccess.h> 21 #include <linux/mount.h> 22 #include <linux/namei.h> 23 #include <linux/capability.h> 24 #include <linux/rcupdate.h> 25 #include <uapi/linux/major.h> 26 #include <linux/fs.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/context.h" 32 #include "include/crypto.h" 33 #include "include/policy.h" 34 #include "include/policy_ns.h" 35 #include "include/resource.h" 36 #include "include/policy_unpack.h" 37 38 /** 39 * aa_mangle_name - mangle a profile name to std profile layout form 40 * @name: profile name to mangle (NOT NULL) 41 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 42 * 43 * Returns: length of mangled name 44 */ 45 static int mangle_name(const char *name, char *target) 46 { 47 char *t = target; 48 49 while (*name == '/' || *name == '.') 50 name++; 51 52 if (target) { 53 for (; *name; name++) { 54 if (*name == '/') 55 *(t)++ = '.'; 56 else if (isspace(*name)) 57 *(t)++ = '_'; 58 else if (isalnum(*name) || strchr("._-", *name)) 59 *(t)++ = *name; 60 } 61 62 *t = 0; 63 } else { 64 int len = 0; 65 for (; *name; name++) { 66 if (isalnum(*name) || isspace(*name) || 67 strchr("/._-", *name)) 68 len++; 69 } 70 71 return len; 72 } 73 74 return t - target; 75 } 76 77 /** 78 * aa_simple_write_to_buffer - common routine for getting policy from user 79 * @userbuf: user buffer to copy data from (NOT NULL) 80 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 81 * @copy_size: size of data to copy from user buffer 82 * @pos: position write is at in the file (NOT NULL) 83 * 84 * Returns: kernel buffer containing copy of user buffer data or an 85 * ERR_PTR on failure. 86 */ 87 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 88 size_t alloc_size, 89 size_t copy_size, 90 loff_t *pos) 91 { 92 struct aa_loaddata *data; 93 94 AA_BUG(copy_size > alloc_size); 95 96 if (*pos != 0) 97 /* only writes from pos 0, that is complete writes */ 98 return ERR_PTR(-ESPIPE); 99 100 /* freed by caller to simple_write_to_buffer */ 101 data = kvmalloc(sizeof(*data) + alloc_size, GFP_KERNEL); 102 if (data == NULL) 103 return ERR_PTR(-ENOMEM); 104 kref_init(&data->count); 105 data->size = copy_size; 106 data->hash = NULL; 107 data->abi = 0; 108 109 if (copy_from_user(data->data, userbuf, copy_size)) { 110 kvfree(data); 111 return ERR_PTR(-EFAULT); 112 } 113 114 return data; 115 } 116 117 static ssize_t policy_update(int binop, const char __user *buf, size_t size, 118 loff_t *pos, struct aa_ns *ns) 119 { 120 ssize_t error; 121 struct aa_loaddata *data; 122 struct aa_profile *profile = aa_current_profile(); 123 const char *op = binop == PROF_ADD ? OP_PROF_LOAD : OP_PROF_REPL; 124 /* high level check about policy management - fine grained in 125 * below after unpack 126 */ 127 error = aa_may_manage_policy(profile, ns, op); 128 if (error) 129 return error; 130 131 data = aa_simple_write_to_buffer(buf, size, size, pos); 132 error = PTR_ERR(data); 133 if (!IS_ERR(data)) { 134 error = aa_replace_profiles(ns ? ns : profile->ns, profile, 135 binop, data); 136 aa_put_loaddata(data); 137 } 138 139 return error; 140 } 141 142 /* .load file hook fn to load policy */ 143 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 144 loff_t *pos) 145 { 146 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 147 int error = policy_update(PROF_ADD, buf, size, pos, ns); 148 149 aa_put_ns(ns); 150 151 return error; 152 } 153 154 static const struct file_operations aa_fs_profile_load = { 155 .write = profile_load, 156 .llseek = default_llseek, 157 }; 158 159 /* .replace file hook fn to load and/or replace policy */ 160 static ssize_t profile_replace(struct file *f, const char __user *buf, 161 size_t size, loff_t *pos) 162 { 163 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 164 int error = policy_update(PROF_REPLACE, buf, size, pos, ns); 165 166 aa_put_ns(ns); 167 168 return error; 169 } 170 171 static const struct file_operations aa_fs_profile_replace = { 172 .write = profile_replace, 173 .llseek = default_llseek, 174 }; 175 176 /* .remove file hook fn to remove loaded policy */ 177 static ssize_t profile_remove(struct file *f, const char __user *buf, 178 size_t size, loff_t *pos) 179 { 180 struct aa_loaddata *data; 181 struct aa_profile *profile; 182 ssize_t error; 183 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 184 185 profile = aa_current_profile(); 186 /* high level check about policy management - fine grained in 187 * below after unpack 188 */ 189 error = aa_may_manage_policy(profile, ns, OP_PROF_RM); 190 if (error) 191 goto out; 192 193 /* 194 * aa_remove_profile needs a null terminated string so 1 extra 195 * byte is allocated and the copied data is null terminated. 196 */ 197 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 198 199 error = PTR_ERR(data); 200 if (!IS_ERR(data)) { 201 data->data[size] = 0; 202 error = aa_remove_profiles(ns ? ns : profile->ns, profile, 203 data->data, size); 204 aa_put_loaddata(data); 205 } 206 out: 207 aa_put_ns(ns); 208 return error; 209 } 210 211 static const struct file_operations aa_fs_profile_remove = { 212 .write = profile_remove, 213 .llseek = default_llseek, 214 }; 215 216 /** 217 * query_data - queries a policy and writes its data to buf 218 * @buf: the resulting data is stored here (NOT NULL) 219 * @buf_len: size of buf 220 * @query: query string used to retrieve data 221 * @query_len: size of query including second NUL byte 222 * 223 * The buffers pointed to by buf and query may overlap. The query buffer is 224 * parsed before buf is written to. 225 * 226 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 227 * the security confinement context and <KEY> is the name of the data to 228 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 229 * 230 * Don't expect the contents of buf to be preserved on failure. 231 * 232 * Returns: number of characters written to buf or -errno on failure 233 */ 234 static ssize_t query_data(char *buf, size_t buf_len, 235 char *query, size_t query_len) 236 { 237 char *out; 238 const char *key; 239 struct aa_profile *profile; 240 struct aa_data *data; 241 u32 bytes, blocks; 242 __le32 outle32; 243 244 if (!query_len) 245 return -EINVAL; /* need a query */ 246 247 key = query + strnlen(query, query_len) + 1; 248 if (key + 1 >= query + query_len) 249 return -EINVAL; /* not enough space for a non-empty key */ 250 if (key + strnlen(key, query + query_len - key) >= query + query_len) 251 return -EINVAL; /* must end with NUL */ 252 253 if (buf_len < sizeof(bytes) + sizeof(blocks)) 254 return -EINVAL; /* not enough space */ 255 256 profile = aa_current_profile(); 257 258 /* We are going to leave space for two numbers. The first is the total 259 * number of bytes we are writing after the first number. This is so 260 * users can read the full output without reallocation. 261 * 262 * The second number is the number of data blocks we're writing. An 263 * application might be confined by multiple policies having data in 264 * the same key. 265 */ 266 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 267 out = buf + sizeof(bytes) + sizeof(blocks); 268 269 blocks = 0; 270 if (profile->data) { 271 data = rhashtable_lookup_fast(profile->data, &key, 272 profile->data->p); 273 274 if (data) { 275 if (out + sizeof(outle32) + data->size > buf + buf_len) 276 return -EINVAL; /* not enough space */ 277 outle32 = __cpu_to_le32(data->size); 278 memcpy(out, &outle32, sizeof(outle32)); 279 out += sizeof(outle32); 280 memcpy(out, data->data, data->size); 281 out += data->size; 282 blocks++; 283 } 284 } 285 286 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 287 memcpy(buf, &outle32, sizeof(outle32)); 288 outle32 = __cpu_to_le32(blocks); 289 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 290 291 return out - buf; 292 } 293 294 #define QUERY_CMD_DATA "data\0" 295 #define QUERY_CMD_DATA_LEN 5 296 297 /** 298 * aa_write_access - generic permissions and data query 299 * @file: pointer to open apparmorfs/access file 300 * @ubuf: user buffer containing the complete query string (NOT NULL) 301 * @count: size of ubuf 302 * @ppos: position in the file (MUST BE ZERO) 303 * 304 * Allows for one permissions or data query per open(), write(), and read() 305 * sequence. The only queries currently supported are label-based queries for 306 * permissions or data. 307 * 308 * For permissions queries, ubuf must begin with "label\0", followed by the 309 * profile query specific format described in the query_label() function 310 * documentation. 311 * 312 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 313 * <LABEL> is the name of the security confinement context and <KEY> is the 314 * name of the data to retrieve. 315 * 316 * Returns: number of bytes written or -errno on failure 317 */ 318 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 319 size_t count, loff_t *ppos) 320 { 321 char *buf; 322 ssize_t len; 323 324 if (*ppos) 325 return -ESPIPE; 326 327 buf = simple_transaction_get(file, ubuf, count); 328 if (IS_ERR(buf)) 329 return PTR_ERR(buf); 330 331 if (count > QUERY_CMD_DATA_LEN && 332 !memcmp(buf, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 333 len = query_data(buf, SIMPLE_TRANSACTION_LIMIT, 334 buf + QUERY_CMD_DATA_LEN, 335 count - QUERY_CMD_DATA_LEN); 336 } else 337 len = -EINVAL; 338 339 if (len < 0) 340 return len; 341 342 simple_transaction_set(file, len); 343 344 return count; 345 } 346 347 static const struct file_operations aa_fs_access = { 348 .write = aa_write_access, 349 .read = simple_transaction_read, 350 .release = simple_transaction_release, 351 .llseek = generic_file_llseek, 352 }; 353 354 static int aa_fs_seq_show(struct seq_file *seq, void *v) 355 { 356 struct aa_fs_entry *fs_file = seq->private; 357 358 if (!fs_file) 359 return 0; 360 361 switch (fs_file->v_type) { 362 case AA_FS_TYPE_BOOLEAN: 363 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); 364 break; 365 case AA_FS_TYPE_STRING: 366 seq_printf(seq, "%s\n", fs_file->v.string); 367 break; 368 case AA_FS_TYPE_U64: 369 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 370 break; 371 default: 372 /* Ignore unpritable entry types. */ 373 break; 374 } 375 376 return 0; 377 } 378 379 static int aa_fs_seq_open(struct inode *inode, struct file *file) 380 { 381 return single_open(file, aa_fs_seq_show, inode->i_private); 382 } 383 384 const struct file_operations aa_fs_seq_file_ops = { 385 .owner = THIS_MODULE, 386 .open = aa_fs_seq_open, 387 .read = seq_read, 388 .llseek = seq_lseek, 389 .release = single_release, 390 }; 391 392 static int aa_fs_seq_profile_open(struct inode *inode, struct file *file, 393 int (*show)(struct seq_file *, void *)) 394 { 395 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); 396 int error = single_open(file, show, proxy); 397 398 if (error) { 399 file->private_data = NULL; 400 aa_put_proxy(proxy); 401 } 402 403 return error; 404 } 405 406 static int aa_fs_seq_profile_release(struct inode *inode, struct file *file) 407 { 408 struct seq_file *seq = (struct seq_file *) file->private_data; 409 if (seq) 410 aa_put_proxy(seq->private); 411 return single_release(inode, file); 412 } 413 414 static int aa_fs_seq_profname_show(struct seq_file *seq, void *v) 415 { 416 struct aa_proxy *proxy = seq->private; 417 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 418 seq_printf(seq, "%s\n", profile->base.name); 419 aa_put_profile(profile); 420 421 return 0; 422 } 423 424 static int aa_fs_seq_profname_open(struct inode *inode, struct file *file) 425 { 426 return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profname_show); 427 } 428 429 static const struct file_operations aa_fs_profname_fops = { 430 .owner = THIS_MODULE, 431 .open = aa_fs_seq_profname_open, 432 .read = seq_read, 433 .llseek = seq_lseek, 434 .release = aa_fs_seq_profile_release, 435 }; 436 437 static int aa_fs_seq_profmode_show(struct seq_file *seq, void *v) 438 { 439 struct aa_proxy *proxy = seq->private; 440 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 441 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 442 aa_put_profile(profile); 443 444 return 0; 445 } 446 447 static int aa_fs_seq_profmode_open(struct inode *inode, struct file *file) 448 { 449 return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profmode_show); 450 } 451 452 static const struct file_operations aa_fs_profmode_fops = { 453 .owner = THIS_MODULE, 454 .open = aa_fs_seq_profmode_open, 455 .read = seq_read, 456 .llseek = seq_lseek, 457 .release = aa_fs_seq_profile_release, 458 }; 459 460 static int aa_fs_seq_profattach_show(struct seq_file *seq, void *v) 461 { 462 struct aa_proxy *proxy = seq->private; 463 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 464 if (profile->attach) 465 seq_printf(seq, "%s\n", profile->attach); 466 else if (profile->xmatch) 467 seq_puts(seq, "<unknown>\n"); 468 else 469 seq_printf(seq, "%s\n", profile->base.name); 470 aa_put_profile(profile); 471 472 return 0; 473 } 474 475 static int aa_fs_seq_profattach_open(struct inode *inode, struct file *file) 476 { 477 return aa_fs_seq_profile_open(inode, file, aa_fs_seq_profattach_show); 478 } 479 480 static const struct file_operations aa_fs_profattach_fops = { 481 .owner = THIS_MODULE, 482 .open = aa_fs_seq_profattach_open, 483 .read = seq_read, 484 .llseek = seq_lseek, 485 .release = aa_fs_seq_profile_release, 486 }; 487 488 static int aa_fs_seq_hash_show(struct seq_file *seq, void *v) 489 { 490 struct aa_proxy *proxy = seq->private; 491 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 492 unsigned int i, size = aa_hash_size(); 493 494 if (profile->hash) { 495 for (i = 0; i < size; i++) 496 seq_printf(seq, "%.2x", profile->hash[i]); 497 seq_puts(seq, "\n"); 498 } 499 aa_put_profile(profile); 500 501 return 0; 502 } 503 504 static int aa_fs_seq_hash_open(struct inode *inode, struct file *file) 505 { 506 return single_open(file, aa_fs_seq_hash_show, inode->i_private); 507 } 508 509 static const struct file_operations aa_fs_seq_hash_fops = { 510 .owner = THIS_MODULE, 511 .open = aa_fs_seq_hash_open, 512 .read = seq_read, 513 .llseek = seq_lseek, 514 .release = single_release, 515 }; 516 517 518 static int aa_fs_seq_show_ns_level(struct seq_file *seq, void *v) 519 { 520 struct aa_ns *ns = aa_current_profile()->ns; 521 522 seq_printf(seq, "%d\n", ns->level); 523 524 return 0; 525 } 526 527 static int aa_fs_seq_open_ns_level(struct inode *inode, struct file *file) 528 { 529 return single_open(file, aa_fs_seq_show_ns_level, inode->i_private); 530 } 531 532 static const struct file_operations aa_fs_ns_level = { 533 .owner = THIS_MODULE, 534 .open = aa_fs_seq_open_ns_level, 535 .read = seq_read, 536 .llseek = seq_lseek, 537 .release = single_release, 538 }; 539 540 static int aa_fs_seq_show_ns_name(struct seq_file *seq, void *v) 541 { 542 struct aa_ns *ns = aa_current_profile()->ns; 543 544 seq_printf(seq, "%s\n", ns->base.name); 545 546 return 0; 547 } 548 549 static int aa_fs_seq_open_ns_name(struct inode *inode, struct file *file) 550 { 551 return single_open(file, aa_fs_seq_show_ns_name, inode->i_private); 552 } 553 554 static const struct file_operations aa_fs_ns_name = { 555 .owner = THIS_MODULE, 556 .open = aa_fs_seq_open_ns_name, 557 .read = seq_read, 558 .llseek = seq_lseek, 559 .release = single_release, 560 }; 561 562 static int rawdata_release(struct inode *inode, struct file *file) 563 { 564 /* TODO: switch to loaddata when profile switched to symlink */ 565 aa_put_loaddata(file->private_data); 566 567 return 0; 568 } 569 570 static int aa_fs_seq_raw_abi_show(struct seq_file *seq, void *v) 571 { 572 struct aa_proxy *proxy = seq->private; 573 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 574 575 if (profile->rawdata->abi) { 576 seq_printf(seq, "v%d", profile->rawdata->abi); 577 seq_puts(seq, "\n"); 578 } 579 aa_put_profile(profile); 580 581 return 0; 582 } 583 584 static int aa_fs_seq_raw_abi_open(struct inode *inode, struct file *file) 585 { 586 return aa_fs_seq_profile_open(inode, file, aa_fs_seq_raw_abi_show); 587 } 588 589 static const struct file_operations aa_fs_seq_raw_abi_fops = { 590 .owner = THIS_MODULE, 591 .open = aa_fs_seq_raw_abi_open, 592 .read = seq_read, 593 .llseek = seq_lseek, 594 .release = aa_fs_seq_profile_release, 595 }; 596 597 static int aa_fs_seq_raw_hash_show(struct seq_file *seq, void *v) 598 { 599 struct aa_proxy *proxy = seq->private; 600 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile); 601 unsigned int i, size = aa_hash_size(); 602 603 if (profile->rawdata->hash) { 604 for (i = 0; i < size; i++) 605 seq_printf(seq, "%.2x", profile->rawdata->hash[i]); 606 seq_puts(seq, "\n"); 607 } 608 aa_put_profile(profile); 609 610 return 0; 611 } 612 613 static int aa_fs_seq_raw_hash_open(struct inode *inode, struct file *file) 614 { 615 return aa_fs_seq_profile_open(inode, file, aa_fs_seq_raw_hash_show); 616 } 617 618 static const struct file_operations aa_fs_seq_raw_hash_fops = { 619 .owner = THIS_MODULE, 620 .open = aa_fs_seq_raw_hash_open, 621 .read = seq_read, 622 .llseek = seq_lseek, 623 .release = aa_fs_seq_profile_release, 624 }; 625 626 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 627 loff_t *ppos) 628 { 629 struct aa_loaddata *rawdata = file->private_data; 630 631 return simple_read_from_buffer(buf, size, ppos, rawdata->data, 632 rawdata->size); 633 } 634 635 static int rawdata_open(struct inode *inode, struct file *file) 636 { 637 struct aa_proxy *proxy = inode->i_private; 638 struct aa_profile *profile; 639 640 if (!policy_view_capable(NULL)) 641 return -EACCES; 642 profile = aa_get_profile_rcu(&proxy->profile); 643 file->private_data = aa_get_loaddata(profile->rawdata); 644 aa_put_profile(profile); 645 646 return 0; 647 } 648 649 static const struct file_operations aa_fs_rawdata_fops = { 650 .open = rawdata_open, 651 .read = rawdata_read, 652 .llseek = generic_file_llseek, 653 .release = rawdata_release, 654 }; 655 656 /** fns to setup dynamic per profile/namespace files **/ 657 void __aa_fs_profile_rmdir(struct aa_profile *profile) 658 { 659 struct aa_profile *child; 660 int i; 661 662 if (!profile) 663 return; 664 665 list_for_each_entry(child, &profile->base.profiles, base.list) 666 __aa_fs_profile_rmdir(child); 667 668 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 669 struct aa_proxy *proxy; 670 if (!profile->dents[i]) 671 continue; 672 673 proxy = d_inode(profile->dents[i])->i_private; 674 securityfs_remove(profile->dents[i]); 675 aa_put_proxy(proxy); 676 profile->dents[i] = NULL; 677 } 678 } 679 680 void __aa_fs_profile_migrate_dents(struct aa_profile *old, 681 struct aa_profile *new) 682 { 683 int i; 684 685 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 686 new->dents[i] = old->dents[i]; 687 if (new->dents[i]) 688 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); 689 old->dents[i] = NULL; 690 } 691 } 692 693 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 694 struct aa_profile *profile, 695 const struct file_operations *fops) 696 { 697 struct aa_proxy *proxy = aa_get_proxy(profile->proxy); 698 struct dentry *dent; 699 700 dent = securityfs_create_file(name, S_IFREG | 0444, dir, proxy, fops); 701 if (IS_ERR(dent)) 702 aa_put_proxy(proxy); 703 704 return dent; 705 } 706 707 /* requires lock be held */ 708 int __aa_fs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 709 { 710 struct aa_profile *child; 711 struct dentry *dent = NULL, *dir; 712 int error; 713 714 if (!parent) { 715 struct aa_profile *p; 716 p = aa_deref_parent(profile); 717 dent = prof_dir(p); 718 /* adding to parent that previously didn't have children */ 719 dent = securityfs_create_dir("profiles", dent); 720 if (IS_ERR(dent)) 721 goto fail; 722 prof_child_dir(p) = parent = dent; 723 } 724 725 if (!profile->dirname) { 726 int len, id_len; 727 len = mangle_name(profile->base.name, NULL); 728 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 729 730 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 731 if (!profile->dirname) 732 goto fail; 733 734 mangle_name(profile->base.name, profile->dirname); 735 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 736 } 737 738 dent = securityfs_create_dir(profile->dirname, parent); 739 if (IS_ERR(dent)) 740 goto fail; 741 prof_dir(profile) = dir = dent; 742 743 dent = create_profile_file(dir, "name", profile, &aa_fs_profname_fops); 744 if (IS_ERR(dent)) 745 goto fail; 746 profile->dents[AAFS_PROF_NAME] = dent; 747 748 dent = create_profile_file(dir, "mode", profile, &aa_fs_profmode_fops); 749 if (IS_ERR(dent)) 750 goto fail; 751 profile->dents[AAFS_PROF_MODE] = dent; 752 753 dent = create_profile_file(dir, "attach", profile, 754 &aa_fs_profattach_fops); 755 if (IS_ERR(dent)) 756 goto fail; 757 profile->dents[AAFS_PROF_ATTACH] = dent; 758 759 if (profile->hash) { 760 dent = create_profile_file(dir, "sha1", profile, 761 &aa_fs_seq_hash_fops); 762 if (IS_ERR(dent)) 763 goto fail; 764 profile->dents[AAFS_PROF_HASH] = dent; 765 } 766 767 if (profile->rawdata) { 768 dent = create_profile_file(dir, "raw_sha1", profile, 769 &aa_fs_seq_raw_hash_fops); 770 if (IS_ERR(dent)) 771 goto fail; 772 profile->dents[AAFS_PROF_RAW_HASH] = dent; 773 774 dent = create_profile_file(dir, "raw_abi", profile, 775 &aa_fs_seq_raw_abi_fops); 776 if (IS_ERR(dent)) 777 goto fail; 778 profile->dents[AAFS_PROF_RAW_ABI] = dent; 779 780 dent = securityfs_create_file("raw_data", S_IFREG | 0444, dir, 781 profile->proxy, 782 &aa_fs_rawdata_fops); 783 if (IS_ERR(dent)) 784 goto fail; 785 profile->dents[AAFS_PROF_RAW_DATA] = dent; 786 d_inode(dent)->i_size = profile->rawdata->size; 787 aa_get_proxy(profile->proxy); 788 } 789 790 list_for_each_entry(child, &profile->base.profiles, base.list) { 791 error = __aa_fs_profile_mkdir(child, prof_child_dir(profile)); 792 if (error) 793 goto fail2; 794 } 795 796 return 0; 797 798 fail: 799 error = PTR_ERR(dent); 800 801 fail2: 802 __aa_fs_profile_rmdir(profile); 803 804 return error; 805 } 806 807 void __aa_fs_ns_rmdir(struct aa_ns *ns) 808 { 809 struct aa_ns *sub; 810 struct aa_profile *child; 811 int i; 812 813 if (!ns) 814 return; 815 816 list_for_each_entry(child, &ns->base.profiles, base.list) 817 __aa_fs_profile_rmdir(child); 818 819 list_for_each_entry(sub, &ns->sub_ns, base.list) { 820 mutex_lock(&sub->lock); 821 __aa_fs_ns_rmdir(sub); 822 mutex_unlock(&sub->lock); 823 } 824 825 if (ns_subns_dir(ns)) { 826 sub = d_inode(ns_subns_dir(ns))->i_private; 827 aa_put_ns(sub); 828 } 829 if (ns_subload(ns)) { 830 sub = d_inode(ns_subload(ns))->i_private; 831 aa_put_ns(sub); 832 } 833 if (ns_subreplace(ns)) { 834 sub = d_inode(ns_subreplace(ns))->i_private; 835 aa_put_ns(sub); 836 } 837 if (ns_subremove(ns)) { 838 sub = d_inode(ns_subremove(ns))->i_private; 839 aa_put_ns(sub); 840 } 841 842 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 843 securityfs_remove(ns->dents[i]); 844 ns->dents[i] = NULL; 845 } 846 } 847 848 /* assumes cleanup in caller */ 849 static int __aa_fs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 850 { 851 struct dentry *dent; 852 853 AA_BUG(!ns); 854 AA_BUG(!dir); 855 856 dent = securityfs_create_dir("profiles", dir); 857 if (IS_ERR(dent)) 858 return PTR_ERR(dent); 859 ns_subprofs_dir(ns) = dent; 860 861 dent = securityfs_create_dir("raw_data", dir); 862 if (IS_ERR(dent)) 863 return PTR_ERR(dent); 864 ns_subdata_dir(ns) = dent; 865 866 dent = securityfs_create_file(".load", 0640, dir, ns, 867 &aa_fs_profile_load); 868 if (IS_ERR(dent)) 869 return PTR_ERR(dent); 870 aa_get_ns(ns); 871 ns_subload(ns) = dent; 872 873 dent = securityfs_create_file(".replace", 0640, dir, ns, 874 &aa_fs_profile_replace); 875 if (IS_ERR(dent)) 876 return PTR_ERR(dent); 877 aa_get_ns(ns); 878 ns_subreplace(ns) = dent; 879 880 dent = securityfs_create_file(".remove", 0640, dir, ns, 881 &aa_fs_profile_remove); 882 if (IS_ERR(dent)) 883 return PTR_ERR(dent); 884 aa_get_ns(ns); 885 ns_subremove(ns) = dent; 886 887 dent = securityfs_create_dir("namespaces", dir); 888 if (IS_ERR(dent)) 889 return PTR_ERR(dent); 890 aa_get_ns(ns); 891 ns_subns_dir(ns) = dent; 892 893 return 0; 894 } 895 896 int __aa_fs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name) 897 { 898 struct aa_ns *sub; 899 struct aa_profile *child; 900 struct dentry *dent, *dir; 901 int error; 902 903 AA_BUG(!ns); 904 AA_BUG(!parent); 905 AA_BUG(!mutex_is_locked(&ns->lock)); 906 907 if (!name) 908 name = ns->base.name; 909 910 /* create ns dir if it doesn't already exist */ 911 dent = securityfs_create_dir(name, parent); 912 if (IS_ERR(dent)) 913 goto fail; 914 915 ns_dir(ns) = dir = dent; 916 error = __aa_fs_ns_mkdir_entries(ns, dir); 917 if (error) 918 goto fail2; 919 920 /* profiles */ 921 list_for_each_entry(child, &ns->base.profiles, base.list) { 922 error = __aa_fs_profile_mkdir(child, ns_subprofs_dir(ns)); 923 if (error) 924 goto fail2; 925 } 926 927 /* subnamespaces */ 928 list_for_each_entry(sub, &ns->sub_ns, base.list) { 929 mutex_lock(&sub->lock); 930 error = __aa_fs_ns_mkdir(sub, ns_subns_dir(ns), NULL); 931 mutex_unlock(&sub->lock); 932 if (error) 933 goto fail2; 934 } 935 936 return 0; 937 938 fail: 939 error = PTR_ERR(dent); 940 941 fail2: 942 __aa_fs_ns_rmdir(ns); 943 944 return error; 945 } 946 947 948 #define list_entry_is_head(pos, head, member) (&pos->member == (head)) 949 950 /** 951 * __next_ns - find the next namespace to list 952 * @root: root namespace to stop search at (NOT NULL) 953 * @ns: current ns position (NOT NULL) 954 * 955 * Find the next namespace from @ns under @root and handle all locking needed 956 * while switching current namespace. 957 * 958 * Returns: next namespace or NULL if at last namespace under @root 959 * Requires: ns->parent->lock to be held 960 * NOTE: will not unlock root->lock 961 */ 962 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 963 { 964 struct aa_ns *parent, *next; 965 966 /* is next namespace a child */ 967 if (!list_empty(&ns->sub_ns)) { 968 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 969 mutex_lock(&next->lock); 970 return next; 971 } 972 973 /* check if the next ns is a sibling, parent, gp, .. */ 974 parent = ns->parent; 975 while (ns != root) { 976 mutex_unlock(&ns->lock); 977 next = list_next_entry(ns, base.list); 978 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 979 mutex_lock(&next->lock); 980 return next; 981 } 982 ns = parent; 983 parent = parent->parent; 984 } 985 986 return NULL; 987 } 988 989 /** 990 * __first_profile - find the first profile in a namespace 991 * @root: namespace that is root of profiles being displayed (NOT NULL) 992 * @ns: namespace to start in (NOT NULL) 993 * 994 * Returns: unrefcounted profile or NULL if no profile 995 * Requires: profile->ns.lock to be held 996 */ 997 static struct aa_profile *__first_profile(struct aa_ns *root, 998 struct aa_ns *ns) 999 { 1000 for (; ns; ns = __next_ns(root, ns)) { 1001 if (!list_empty(&ns->base.profiles)) 1002 return list_first_entry(&ns->base.profiles, 1003 struct aa_profile, base.list); 1004 } 1005 return NULL; 1006 } 1007 1008 /** 1009 * __next_profile - step to the next profile in a profile tree 1010 * @profile: current profile in tree (NOT NULL) 1011 * 1012 * Perform a depth first traversal on the profile tree in a namespace 1013 * 1014 * Returns: next profile or NULL if done 1015 * Requires: profile->ns.lock to be held 1016 */ 1017 static struct aa_profile *__next_profile(struct aa_profile *p) 1018 { 1019 struct aa_profile *parent; 1020 struct aa_ns *ns = p->ns; 1021 1022 /* is next profile a child */ 1023 if (!list_empty(&p->base.profiles)) 1024 return list_first_entry(&p->base.profiles, typeof(*p), 1025 base.list); 1026 1027 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 1028 parent = rcu_dereference_protected(p->parent, 1029 mutex_is_locked(&p->ns->lock)); 1030 while (parent) { 1031 p = list_next_entry(p, base.list); 1032 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 1033 return p; 1034 p = parent; 1035 parent = rcu_dereference_protected(parent->parent, 1036 mutex_is_locked(&parent->ns->lock)); 1037 } 1038 1039 /* is next another profile in the namespace */ 1040 p = list_next_entry(p, base.list); 1041 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 1042 return p; 1043 1044 return NULL; 1045 } 1046 1047 /** 1048 * next_profile - step to the next profile in where ever it may be 1049 * @root: root namespace (NOT NULL) 1050 * @profile: current profile (NOT NULL) 1051 * 1052 * Returns: next profile or NULL if there isn't one 1053 */ 1054 static struct aa_profile *next_profile(struct aa_ns *root, 1055 struct aa_profile *profile) 1056 { 1057 struct aa_profile *next = __next_profile(profile); 1058 if (next) 1059 return next; 1060 1061 /* finished all profiles in namespace move to next namespace */ 1062 return __first_profile(root, __next_ns(root, profile->ns)); 1063 } 1064 1065 /** 1066 * p_start - start a depth first traversal of profile tree 1067 * @f: seq_file to fill 1068 * @pos: current position 1069 * 1070 * Returns: first profile under current namespace or NULL if none found 1071 * 1072 * acquires first ns->lock 1073 */ 1074 static void *p_start(struct seq_file *f, loff_t *pos) 1075 { 1076 struct aa_profile *profile = NULL; 1077 struct aa_ns *root = aa_current_profile()->ns; 1078 loff_t l = *pos; 1079 f->private = aa_get_ns(root); 1080 1081 1082 /* find the first profile */ 1083 mutex_lock(&root->lock); 1084 profile = __first_profile(root, root); 1085 1086 /* skip to position */ 1087 for (; profile && l > 0; l--) 1088 profile = next_profile(root, profile); 1089 1090 return profile; 1091 } 1092 1093 /** 1094 * p_next - read the next profile entry 1095 * @f: seq_file to fill 1096 * @p: profile previously returned 1097 * @pos: current position 1098 * 1099 * Returns: next profile after @p or NULL if none 1100 * 1101 * may acquire/release locks in namespace tree as necessary 1102 */ 1103 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 1104 { 1105 struct aa_profile *profile = p; 1106 struct aa_ns *ns = f->private; 1107 (*pos)++; 1108 1109 return next_profile(ns, profile); 1110 } 1111 1112 /** 1113 * p_stop - stop depth first traversal 1114 * @f: seq_file we are filling 1115 * @p: the last profile writen 1116 * 1117 * Release all locking done by p_start/p_next on namespace tree 1118 */ 1119 static void p_stop(struct seq_file *f, void *p) 1120 { 1121 struct aa_profile *profile = p; 1122 struct aa_ns *root = f->private, *ns; 1123 1124 if (profile) { 1125 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 1126 mutex_unlock(&ns->lock); 1127 } 1128 mutex_unlock(&root->lock); 1129 aa_put_ns(root); 1130 } 1131 1132 /** 1133 * seq_show_profile - show a profile entry 1134 * @f: seq_file to file 1135 * @p: current position (profile) (NOT NULL) 1136 * 1137 * Returns: error on failure 1138 */ 1139 static int seq_show_profile(struct seq_file *f, void *p) 1140 { 1141 struct aa_profile *profile = (struct aa_profile *)p; 1142 struct aa_ns *root = f->private; 1143 1144 if (profile->ns != root) 1145 seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true)); 1146 seq_printf(f, "%s (%s)\n", profile->base.hname, 1147 aa_profile_mode_names[profile->mode]); 1148 1149 return 0; 1150 } 1151 1152 static const struct seq_operations aa_fs_profiles_op = { 1153 .start = p_start, 1154 .next = p_next, 1155 .stop = p_stop, 1156 .show = seq_show_profile, 1157 }; 1158 1159 static int profiles_open(struct inode *inode, struct file *file) 1160 { 1161 if (!policy_view_capable(NULL)) 1162 return -EACCES; 1163 1164 return seq_open(file, &aa_fs_profiles_op); 1165 } 1166 1167 static int profiles_release(struct inode *inode, struct file *file) 1168 { 1169 return seq_release(inode, file); 1170 } 1171 1172 static const struct file_operations aa_fs_profiles_fops = { 1173 .open = profiles_open, 1174 .read = seq_read, 1175 .llseek = seq_lseek, 1176 .release = profiles_release, 1177 }; 1178 1179 1180 /** Base file system setup **/ 1181 static struct aa_fs_entry aa_fs_entry_file[] = { 1182 AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \ 1183 "link lock"), 1184 { } 1185 }; 1186 1187 static struct aa_fs_entry aa_fs_entry_domain[] = { 1188 AA_FS_FILE_BOOLEAN("change_hat", 1), 1189 AA_FS_FILE_BOOLEAN("change_hatv", 1), 1190 AA_FS_FILE_BOOLEAN("change_onexec", 1), 1191 AA_FS_FILE_BOOLEAN("change_profile", 1), 1192 AA_FS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 1193 AA_FS_FILE_STRING("version", "1.2"), 1194 { } 1195 }; 1196 1197 static struct aa_fs_entry aa_fs_entry_versions[] = { 1198 AA_FS_FILE_BOOLEAN("v5", 1), 1199 { } 1200 }; 1201 1202 static struct aa_fs_entry aa_fs_entry_policy[] = { 1203 AA_FS_DIR("versions", aa_fs_entry_versions), 1204 AA_FS_FILE_BOOLEAN("set_load", 1), 1205 { } 1206 }; 1207 1208 static struct aa_fs_entry aa_fs_entry_features[] = { 1209 AA_FS_DIR("policy", aa_fs_entry_policy), 1210 AA_FS_DIR("domain", aa_fs_entry_domain), 1211 AA_FS_DIR("file", aa_fs_entry_file), 1212 AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 1213 AA_FS_DIR("rlimit", aa_fs_entry_rlimit), 1214 AA_FS_DIR("caps", aa_fs_entry_caps), 1215 { } 1216 }; 1217 1218 static struct aa_fs_entry aa_fs_entry_apparmor[] = { 1219 AA_FS_FILE_FOPS(".access", 0640, &aa_fs_access), 1220 AA_FS_FILE_FOPS(".ns_level", 0666, &aa_fs_ns_level), 1221 AA_FS_FILE_FOPS(".ns_name", 0640, &aa_fs_ns_name), 1222 AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops), 1223 AA_FS_DIR("features", aa_fs_entry_features), 1224 { } 1225 }; 1226 1227 static struct aa_fs_entry aa_fs_entry = 1228 AA_FS_DIR("apparmor", aa_fs_entry_apparmor); 1229 1230 /** 1231 * aafs_create_file - create a file entry in the apparmor securityfs 1232 * @fs_file: aa_fs_entry to build an entry for (NOT NULL) 1233 * @parent: the parent dentry in the securityfs 1234 * 1235 * Use aafs_remove_file to remove entries created with this fn. 1236 */ 1237 static int __init aafs_create_file(struct aa_fs_entry *fs_file, 1238 struct dentry *parent) 1239 { 1240 int error = 0; 1241 1242 fs_file->dentry = securityfs_create_file(fs_file->name, 1243 S_IFREG | fs_file->mode, 1244 parent, fs_file, 1245 fs_file->file_ops); 1246 if (IS_ERR(fs_file->dentry)) { 1247 error = PTR_ERR(fs_file->dentry); 1248 fs_file->dentry = NULL; 1249 } 1250 return error; 1251 } 1252 1253 static void __init aafs_remove_dir(struct aa_fs_entry *fs_dir); 1254 /** 1255 * aafs_create_dir - recursively create a directory entry in the securityfs 1256 * @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL) 1257 * @parent: the parent dentry in the securityfs 1258 * 1259 * Use aafs_remove_dir to remove entries created with this fn. 1260 */ 1261 static int __init aafs_create_dir(struct aa_fs_entry *fs_dir, 1262 struct dentry *parent) 1263 { 1264 struct aa_fs_entry *fs_file; 1265 struct dentry *dir; 1266 int error; 1267 1268 dir = securityfs_create_dir(fs_dir->name, parent); 1269 if (IS_ERR(dir)) 1270 return PTR_ERR(dir); 1271 fs_dir->dentry = dir; 1272 1273 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 1274 if (fs_file->v_type == AA_FS_TYPE_DIR) 1275 error = aafs_create_dir(fs_file, fs_dir->dentry); 1276 else 1277 error = aafs_create_file(fs_file, fs_dir->dentry); 1278 if (error) 1279 goto failed; 1280 } 1281 1282 return 0; 1283 1284 failed: 1285 aafs_remove_dir(fs_dir); 1286 1287 return error; 1288 } 1289 1290 /** 1291 * aafs_remove_file - drop a single file entry in the apparmor securityfs 1292 * @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL) 1293 */ 1294 static void __init aafs_remove_file(struct aa_fs_entry *fs_file) 1295 { 1296 if (!fs_file->dentry) 1297 return; 1298 1299 securityfs_remove(fs_file->dentry); 1300 fs_file->dentry = NULL; 1301 } 1302 1303 /** 1304 * aafs_remove_dir - recursively drop a directory entry from the securityfs 1305 * @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL) 1306 */ 1307 static void __init aafs_remove_dir(struct aa_fs_entry *fs_dir) 1308 { 1309 struct aa_fs_entry *fs_file; 1310 1311 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 1312 if (fs_file->v_type == AA_FS_TYPE_DIR) 1313 aafs_remove_dir(fs_file); 1314 else 1315 aafs_remove_file(fs_file); 1316 } 1317 1318 aafs_remove_file(fs_dir); 1319 } 1320 1321 /** 1322 * aa_destroy_aafs - cleanup and free aafs 1323 * 1324 * releases dentries allocated by aa_create_aafs 1325 */ 1326 void __init aa_destroy_aafs(void) 1327 { 1328 aafs_remove_dir(&aa_fs_entry); 1329 } 1330 1331 1332 #define NULL_FILE_NAME ".null" 1333 struct path aa_null; 1334 1335 static int aa_mk_null_file(struct dentry *parent) 1336 { 1337 struct vfsmount *mount = NULL; 1338 struct dentry *dentry; 1339 struct inode *inode; 1340 int count = 0; 1341 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 1342 1343 if (error) 1344 return error; 1345 1346 inode_lock(d_inode(parent)); 1347 dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME)); 1348 if (IS_ERR(dentry)) { 1349 error = PTR_ERR(dentry); 1350 goto out; 1351 } 1352 inode = new_inode(parent->d_inode->i_sb); 1353 if (!inode) { 1354 error = -ENOMEM; 1355 goto out1; 1356 } 1357 1358 inode->i_ino = get_next_ino(); 1359 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 1360 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); 1361 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 1362 MKDEV(MEM_MAJOR, 3)); 1363 d_instantiate(dentry, inode); 1364 aa_null.dentry = dget(dentry); 1365 aa_null.mnt = mntget(mount); 1366 1367 error = 0; 1368 1369 out1: 1370 dput(dentry); 1371 out: 1372 inode_unlock(d_inode(parent)); 1373 simple_release_fs(&mount, &count); 1374 return error; 1375 } 1376 1377 /** 1378 * aa_create_aafs - create the apparmor security filesystem 1379 * 1380 * dentries created here are released by aa_destroy_aafs 1381 * 1382 * Returns: error on failure 1383 */ 1384 static int __init aa_create_aafs(void) 1385 { 1386 struct dentry *dent; 1387 int error; 1388 1389 if (!apparmor_initialized) 1390 return 0; 1391 1392 if (aa_fs_entry.dentry) { 1393 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 1394 return -EEXIST; 1395 } 1396 1397 /* Populate fs tree. */ 1398 error = aafs_create_dir(&aa_fs_entry, NULL); 1399 if (error) 1400 goto error; 1401 1402 dent = securityfs_create_file(".load", 0666, aa_fs_entry.dentry, 1403 NULL, &aa_fs_profile_load); 1404 if (IS_ERR(dent)) { 1405 error = PTR_ERR(dent); 1406 goto error; 1407 } 1408 ns_subload(root_ns) = dent; 1409 1410 dent = securityfs_create_file(".replace", 0666, aa_fs_entry.dentry, 1411 NULL, &aa_fs_profile_replace); 1412 if (IS_ERR(dent)) { 1413 error = PTR_ERR(dent); 1414 goto error; 1415 } 1416 ns_subreplace(root_ns) = dent; 1417 1418 dent = securityfs_create_file(".remove", 0666, aa_fs_entry.dentry, 1419 NULL, &aa_fs_profile_remove); 1420 if (IS_ERR(dent)) { 1421 error = PTR_ERR(dent); 1422 goto error; 1423 } 1424 ns_subremove(root_ns) = dent; 1425 1426 mutex_lock(&root_ns->lock); 1427 error = __aa_fs_ns_mkdir(root_ns, aa_fs_entry.dentry, "policy"); 1428 mutex_unlock(&root_ns->lock); 1429 1430 if (error) 1431 goto error; 1432 1433 error = aa_mk_null_file(aa_fs_entry.dentry); 1434 if (error) 1435 goto error; 1436 1437 /* TODO: add default profile to apparmorfs */ 1438 1439 /* Report that AppArmor fs is enabled */ 1440 aa_info_message("AppArmor Filesystem Enabled"); 1441 return 0; 1442 1443 error: 1444 aa_destroy_aafs(); 1445 AA_ERROR("Error creating AppArmor securityfs\n"); 1446 return error; 1447 } 1448 1449 fs_initcall(aa_create_aafs); 1450