1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor capability mediation functions
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2010 Canonical Ltd.
9  */
10 
11 #include <linux/capability.h>
12 #include <linux/errno.h>
13 #include <linux/gfp.h>
14 #include <linux/security.h>
15 
16 #include "include/apparmor.h"
17 #include "include/capability.h"
18 #include "include/cred.h"
19 #include "include/policy.h"
20 #include "include/audit.h"
21 
22 /*
23  * Table of capability names: we generate it from capabilities.h.
24  */
25 #include "capability_names.h"
26 
27 struct aa_sfs_entry aa_sfs_entry_caps[] = {
28 	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
29 	{ }
30 };
31 
32 struct audit_cache {
33 	struct aa_profile *profile;
34 	kernel_cap_t caps;
35 };
36 
37 static DEFINE_PER_CPU(struct audit_cache, audit_cache);
38 
39 /**
40  * audit_cb - call back for capability components of audit struct
41  * @ab - audit buffer   (NOT NULL)
42  * @va - audit struct to audit data from  (NOT NULL)
43  */
44 static void audit_cb(struct audit_buffer *ab, void *va)
45 {
46 	struct common_audit_data *sa = va;
47 
48 	audit_log_format(ab, " capname=");
49 	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
50 }
51 
52 /**
53  * audit_caps - audit a capability
54  * @as: audit data
55  * @profile: profile being tested for confinement (NOT NULL)
56  * @cap: capability tested
57  * @error: error code returned by test
58  *
59  * Do auditing of capability and handle, audit/complain/kill modes switching
60  * and duplicate message elimination.
61  *
62  * Returns: 0 or ad->error on success,  error code on failure
63  */
64 static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
65 		      int cap, int error)
66 {
67 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
68 						    typeof(*rules), list);
69 	struct audit_cache *ent;
70 	int type = AUDIT_APPARMOR_AUTO;
71 
72 	ad->error = error;
73 
74 	if (likely(!error)) {
75 		/* test if auditing is being forced */
76 		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
77 			   !cap_raised(rules->caps.audit, cap)))
78 			return 0;
79 		type = AUDIT_APPARMOR_AUDIT;
80 	} else if (KILL_MODE(profile) ||
81 		   cap_raised(rules->caps.kill, cap)) {
82 		type = AUDIT_APPARMOR_KILL;
83 	} else if (cap_raised(rules->caps.quiet, cap) &&
84 		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
85 		   AUDIT_MODE(profile) != AUDIT_ALL) {
86 		/* quiet auditing */
87 		return error;
88 	}
89 
90 	/* Do simple duplicate message elimination */
91 	ent = &get_cpu_var(audit_cache);
92 	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
93 		put_cpu_var(audit_cache);
94 		if (COMPLAIN_MODE(profile))
95 			return complain_error(error);
96 		return error;
97 	} else {
98 		aa_put_profile(ent->profile);
99 		ent->profile = aa_get_profile(profile);
100 		cap_raise(ent->caps, cap);
101 	}
102 	put_cpu_var(audit_cache);
103 
104 	return aa_audit(type, profile, ad, audit_cb);
105 }
106 
107 /**
108  * profile_capable - test if profile allows use of capability @cap
109  * @profile: profile being enforced    (NOT NULL, NOT unconfined)
110  * @cap: capability to test if allowed
111  * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
112  * @ad: audit data (MAY BE NULL indicating no auditing)
113  *
114  * Returns: 0 if allowed else -EPERM
115  */
116 static int profile_capable(struct aa_profile *profile, int cap,
117 			   unsigned int opts, struct apparmor_audit_data *ad)
118 {
119 	struct aa_ruleset *rules = list_first_entry(&profile->rules,
120 						    typeof(*rules), list);
121 	int error;
122 
123 	if (cap_raised(rules->caps.allow, cap) &&
124 	    !cap_raised(rules->caps.denied, cap))
125 		error = 0;
126 	else
127 		error = -EPERM;
128 
129 	if (opts & CAP_OPT_NOAUDIT) {
130 		if (!COMPLAIN_MODE(profile))
131 			return error;
132 		/* audit the cap request in complain mode but note that it
133 		 * should be optional.
134 		 */
135 		ad->info = "optional: no audit";
136 	}
137 
138 	return audit_caps(ad, profile, cap, error);
139 }
140 
141 /**
142  * aa_capable - test permission to use capability
143  * @subj_cread: cred we are testing capability against
144  * @label: label being tested for capability (NOT NULL)
145  * @cap: capability to be tested
146  * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
147  *
148  * Look up capability in profile capability set.
149  *
150  * Returns: 0 on success, or else an error code.
151  */
152 int aa_capable(const struct cred *subj_cred, struct aa_label *label,
153 	       int cap, unsigned int opts)
154 {
155 	struct aa_profile *profile;
156 	int error = 0;
157 	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
158 
159 	ad.subj_cred = subj_cred;
160 	ad.common.u.cap = cap;
161 	error = fn_for_each_confined(label, profile,
162 			profile_capable(profile, cap, opts, &ad));
163 
164 	return error;
165 }
166