1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor capability mediation functions 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/capability.h> 16 #include <linux/errno.h> 17 #include <linux/gfp.h> 18 #include <linux/security.h> 19 20 #include "include/apparmor.h" 21 #include "include/capability.h" 22 #include "include/context.h" 23 #include "include/policy.h" 24 #include "include/audit.h" 25 26 /* 27 * Table of capability names: we generate it from capabilities.h. 28 */ 29 #include "capability_names.h" 30 31 struct aa_sfs_entry aa_sfs_entry_caps[] = { 32 AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK), 33 { } 34 }; 35 36 struct audit_cache { 37 struct aa_profile *profile; 38 kernel_cap_t caps; 39 }; 40 41 static DEFINE_PER_CPU(struct audit_cache, audit_cache); 42 43 /** 44 * audit_cb - call back for capability components of audit struct 45 * @ab - audit buffer (NOT NULL) 46 * @va - audit struct to audit data from (NOT NULL) 47 */ 48 static void audit_cb(struct audit_buffer *ab, void *va) 49 { 50 struct common_audit_data *sa = va; 51 52 audit_log_format(ab, " capname="); 53 audit_log_untrustedstring(ab, capability_names[sa->u.cap]); 54 } 55 56 /** 57 * audit_caps - audit a capability 58 * @sa: audit data 59 * @profile: profile being tested for confinement (NOT NULL) 60 * @cap: capability tested 61 * @error: error code returned by test 62 * 63 * Do auditing of capability and handle, audit/complain/kill modes switching 64 * and duplicate message elimination. 65 * 66 * Returns: 0 or sa->error on success, error code on failure 67 */ 68 static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile, 69 int cap, int error) 70 { 71 struct audit_cache *ent; 72 int type = AUDIT_APPARMOR_AUTO; 73 74 aad(sa)->error = error; 75 76 if (likely(!error)) { 77 /* test if auditing is being forced */ 78 if (likely((AUDIT_MODE(profile) != AUDIT_ALL) && 79 !cap_raised(profile->caps.audit, cap))) 80 return 0; 81 type = AUDIT_APPARMOR_AUDIT; 82 } else if (KILL_MODE(profile) || 83 cap_raised(profile->caps.kill, cap)) { 84 type = AUDIT_APPARMOR_KILL; 85 } else if (cap_raised(profile->caps.quiet, cap) && 86 AUDIT_MODE(profile) != AUDIT_NOQUIET && 87 AUDIT_MODE(profile) != AUDIT_ALL) { 88 /* quiet auditing */ 89 return error; 90 } 91 92 /* Do simple duplicate message elimination */ 93 ent = &get_cpu_var(audit_cache); 94 if (profile == ent->profile && cap_raised(ent->caps, cap)) { 95 put_cpu_var(audit_cache); 96 if (COMPLAIN_MODE(profile)) 97 return complain_error(error); 98 return error; 99 } else { 100 aa_put_profile(ent->profile); 101 ent->profile = aa_get_profile(profile); 102 cap_raise(ent->caps, cap); 103 } 104 put_cpu_var(audit_cache); 105 106 return aa_audit(type, profile, sa, audit_cb); 107 } 108 109 /** 110 * profile_capable - test if profile allows use of capability @cap 111 * @profile: profile being enforced (NOT NULL, NOT unconfined) 112 * @cap: capability to test if allowed 113 * @audit: whether an audit record should be generated 114 * @sa: audit data (MAY BE NULL indicating no auditing) 115 * 116 * Returns: 0 if allowed else -EPERM 117 */ 118 static int profile_capable(struct aa_profile *profile, int cap, int audit, 119 struct common_audit_data *sa) 120 { 121 int error; 122 123 if (cap_raised(profile->caps.allow, cap) && 124 !cap_raised(profile->caps.denied, cap)) 125 error = 0; 126 else 127 error = -EPERM; 128 129 if (audit == SECURITY_CAP_NOAUDIT) { 130 if (!COMPLAIN_MODE(profile)) 131 return error; 132 /* audit the cap request in complain mode but note that it 133 * should be optional. 134 */ 135 aad(sa)->info = "optional: no audit"; 136 } 137 138 return audit_caps(sa, profile, cap, error); 139 } 140 141 /** 142 * aa_capable - test permission to use capability 143 * @label: label being tested for capability (NOT NULL) 144 * @cap: capability to be tested 145 * @audit: whether an audit record should be generated 146 * 147 * Look up capability in profile capability set. 148 * 149 * Returns: 0 on success, or else an error code. 150 */ 151 int aa_capable(struct aa_label *label, int cap, int audit) 152 { 153 struct aa_profile *profile; 154 int error = 0; 155 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE); 156 157 sa.u.cap = cap; 158 error = fn_for_each_confined(label, profile, 159 profile_capable(profile, cap, audit, &sa)); 160 161 return error; 162 } 163