1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor policy attachment and domain transitions 5 * 6 * Copyright (C) 2002-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/errno.h> 16 #include <linux/fdtable.h> 17 #include <linux/file.h> 18 #include <linux/mount.h> 19 #include <linux/syscalls.h> 20 #include <linux/tracehook.h> 21 #include <linux/personality.h> 22 23 #include "include/audit.h" 24 #include "include/apparmorfs.h" 25 #include "include/context.h" 26 #include "include/domain.h" 27 #include "include/file.h" 28 #include "include/ipc.h" 29 #include "include/match.h" 30 #include "include/path.h" 31 #include "include/policy.h" 32 33 /** 34 * aa_free_domain_entries - free entries in a domain table 35 * @domain: the domain table to free (MAYBE NULL) 36 */ 37 void aa_free_domain_entries(struct aa_domain *domain) 38 { 39 int i; 40 if (domain) { 41 if (!domain->table) 42 return; 43 44 for (i = 0; i < domain->size; i++) 45 kzfree(domain->table[i]); 46 kzfree(domain->table); 47 domain->table = NULL; 48 } 49 } 50 51 /** 52 * may_change_ptraced_domain - check if can change profile on ptraced task 53 * @task: task we want to change profile of (NOT NULL) 54 * @to_profile: profile to change to (NOT NULL) 55 * 56 * Check if the task is ptraced and if so if the tracing task is allowed 57 * to trace the new domain 58 * 59 * Returns: %0 or error if change not allowed 60 */ 61 static int may_change_ptraced_domain(struct task_struct *task, 62 struct aa_profile *to_profile) 63 { 64 struct task_struct *tracer; 65 struct aa_profile *tracerp = NULL; 66 int error = 0; 67 68 rcu_read_lock(); 69 tracer = ptrace_parent(task); 70 if (tracer) 71 /* released below */ 72 tracerp = aa_get_task_profile(tracer); 73 74 /* not ptraced */ 75 if (!tracer || unconfined(tracerp)) 76 goto out; 77 78 error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH); 79 80 out: 81 rcu_read_unlock(); 82 aa_put_profile(tracerp); 83 84 return error; 85 } 86 87 /** 88 * change_profile_perms - find permissions for change_profile 89 * @profile: the current profile (NOT NULL) 90 * @ns: the namespace being switched to (NOT NULL) 91 * @name: the name of the profile to change to (NOT NULL) 92 * @request: requested perms 93 * @start: state to start matching in 94 * 95 * Returns: permission set 96 */ 97 static struct file_perms change_profile_perms(struct aa_profile *profile, 98 struct aa_namespace *ns, 99 const char *name, u32 request, 100 unsigned int start) 101 { 102 struct file_perms perms; 103 struct path_cond cond = { }; 104 unsigned int state; 105 106 if (unconfined(profile)) { 107 perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; 108 perms.audit = perms.quiet = perms.kill = 0; 109 return perms; 110 } else if (!profile->file.dfa) { 111 return nullperms; 112 } else if ((ns == profile->ns)) { 113 /* try matching against rules with out namespace prepended */ 114 aa_str_perms(profile->file.dfa, start, name, &cond, &perms); 115 if (COMBINED_PERM_MASK(perms) & request) 116 return perms; 117 } 118 119 /* try matching with namespace name and then profile */ 120 state = aa_dfa_match(profile->file.dfa, start, ns->base.name); 121 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1); 122 aa_str_perms(profile->file.dfa, state, name, &cond, &perms); 123 124 return perms; 125 } 126 127 /** 128 * __attach_match_ - find an attachment match 129 * @name - to match against (NOT NULL) 130 * @head - profile list to walk (NOT NULL) 131 * 132 * Do a linear search on the profiles in the list. There is a matching 133 * preference where an exact match is preferred over a name which uses 134 * expressions to match, and matching expressions with the greatest 135 * xmatch_len are preferred. 136 * 137 * Requires: @head not be shared or have appropriate locks held 138 * 139 * Returns: profile or NULL if no match found 140 */ 141 static struct aa_profile *__attach_match(const char *name, 142 struct list_head *head) 143 { 144 int len = 0; 145 struct aa_profile *profile, *candidate = NULL; 146 147 list_for_each_entry_rcu(profile, head, base.list) { 148 if (profile->flags & PFLAG_NULL) 149 continue; 150 if (profile->xmatch && profile->xmatch_len > len) { 151 unsigned int state = aa_dfa_match(profile->xmatch, 152 DFA_START, name); 153 u32 perm = dfa_user_allow(profile->xmatch, state); 154 /* any accepting state means a valid match. */ 155 if (perm & MAY_EXEC) { 156 candidate = profile; 157 len = profile->xmatch_len; 158 } 159 } else if (!strcmp(profile->base.name, name)) 160 /* exact non-re match, no more searching required */ 161 return profile; 162 } 163 164 return candidate; 165 } 166 167 /** 168 * find_attach - do attachment search for unconfined processes 169 * @ns: the current namespace (NOT NULL) 170 * @list: list to search (NOT NULL) 171 * @name: the executable name to match against (NOT NULL) 172 * 173 * Returns: profile or NULL if no match found 174 */ 175 static struct aa_profile *find_attach(struct aa_namespace *ns, 176 struct list_head *list, const char *name) 177 { 178 struct aa_profile *profile; 179 180 rcu_read_lock(); 181 profile = aa_get_profile(__attach_match(name, list)); 182 rcu_read_unlock(); 183 184 return profile; 185 } 186 187 /** 188 * separate_fqname - separate the namespace and profile names 189 * @fqname: the fqname name to split (NOT NULL) 190 * @ns_name: the namespace name if it exists (NOT NULL) 191 * 192 * This is the xtable equivalent routine of aa_split_fqname. It finds the 193 * split in an xtable fqname which contains an embedded \0 instead of a : 194 * if a namespace is specified. This is done so the xtable is constant and 195 * isn't re-split on every lookup. 196 * 197 * Either the profile or namespace name may be optional but if the namespace 198 * is specified the profile name termination must be present. This results 199 * in the following possible encodings: 200 * profile_name\0 201 * :ns_name\0profile_name\0 202 * :ns_name\0\0 203 * 204 * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table 205 * 206 * Returns: profile name if it is specified else NULL 207 */ 208 static const char *separate_fqname(const char *fqname, const char **ns_name) 209 { 210 const char *name; 211 212 if (fqname[0] == ':') { 213 /* In this case there is guaranteed to be two \0 terminators 214 * in the string. They are verified at load time by 215 * by unpack_trans_table 216 */ 217 *ns_name = fqname + 1; /* skip : */ 218 name = *ns_name + strlen(*ns_name) + 1; 219 if (!*name) 220 name = NULL; 221 } else { 222 *ns_name = NULL; 223 name = fqname; 224 } 225 226 return name; 227 } 228 229 static const char *next_name(int xtype, const char *name) 230 { 231 return NULL; 232 } 233 234 /** 235 * x_table_lookup - lookup an x transition name via transition table 236 * @profile: current profile (NOT NULL) 237 * @xindex: index into x transition table 238 * 239 * Returns: refcounted profile, or NULL on failure (MAYBE NULL) 240 */ 241 static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex) 242 { 243 struct aa_profile *new_profile = NULL; 244 struct aa_namespace *ns = profile->ns; 245 u32 xtype = xindex & AA_X_TYPE_MASK; 246 int index = xindex & AA_X_INDEX_MASK; 247 const char *name; 248 249 /* index is guaranteed to be in range, validated at load time */ 250 for (name = profile->file.trans.table[index]; !new_profile && name; 251 name = next_name(xtype, name)) { 252 struct aa_namespace *new_ns; 253 const char *xname = NULL; 254 255 new_ns = NULL; 256 if (xindex & AA_X_CHILD) { 257 /* release by caller */ 258 new_profile = aa_find_child(profile, name); 259 continue; 260 } else if (*name == ':') { 261 /* switching namespace */ 262 const char *ns_name; 263 xname = name = separate_fqname(name, &ns_name); 264 if (!xname) 265 /* no name so use profile name */ 266 xname = profile->base.hname; 267 if (*ns_name == '@') { 268 /* TODO: variable support */ 269 ; 270 } 271 /* released below */ 272 new_ns = aa_find_namespace(ns, ns_name); 273 if (!new_ns) 274 continue; 275 } else if (*name == '@') { 276 /* TODO: variable support */ 277 continue; 278 } else { 279 /* basic namespace lookup */ 280 xname = name; 281 } 282 283 /* released by caller */ 284 new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname); 285 aa_put_namespace(new_ns); 286 } 287 288 /* released by caller */ 289 return new_profile; 290 } 291 292 /** 293 * x_to_profile - get target profile for a given xindex 294 * @profile: current profile (NOT NULL) 295 * @name: name to lookup (NOT NULL) 296 * @xindex: index into x transition table 297 * 298 * find profile for a transition index 299 * 300 * Returns: refcounted profile or NULL if not found available 301 */ 302 static struct aa_profile *x_to_profile(struct aa_profile *profile, 303 const char *name, u32 xindex) 304 { 305 struct aa_profile *new_profile = NULL; 306 struct aa_namespace *ns = profile->ns; 307 u32 xtype = xindex & AA_X_TYPE_MASK; 308 309 switch (xtype) { 310 case AA_X_NONE: 311 /* fail exec unless ix || ux fallback - handled by caller */ 312 return NULL; 313 case AA_X_NAME: 314 if (xindex & AA_X_CHILD) 315 /* released by caller */ 316 new_profile = find_attach(ns, &profile->base.profiles, 317 name); 318 else 319 /* released by caller */ 320 new_profile = find_attach(ns, &ns->base.profiles, 321 name); 322 break; 323 case AA_X_TABLE: 324 /* released by caller */ 325 new_profile = x_table_lookup(profile, xindex); 326 break; 327 } 328 329 /* released by caller */ 330 return new_profile; 331 } 332 333 /** 334 * apparmor_bprm_set_creds - set the new creds on the bprm struct 335 * @bprm: binprm for the exec (NOT NULL) 336 * 337 * Returns: %0 or error on failure 338 */ 339 int apparmor_bprm_set_creds(struct linux_binprm *bprm) 340 { 341 struct aa_task_cxt *cxt; 342 struct aa_profile *profile, *new_profile = NULL; 343 struct aa_namespace *ns; 344 char *buffer = NULL; 345 unsigned int state; 346 struct file_perms perms = {}; 347 struct path_cond cond = { 348 file_inode(bprm->file)->i_uid, 349 file_inode(bprm->file)->i_mode 350 }; 351 const char *name = NULL, *target = NULL, *info = NULL; 352 int error = cap_bprm_set_creds(bprm); 353 if (error) 354 return error; 355 356 if (bprm->cred_prepared) 357 return 0; 358 359 cxt = cred_cxt(bprm->cred); 360 BUG_ON(!cxt); 361 362 profile = aa_get_newest_profile(cxt->profile); 363 /* 364 * get the namespace from the replacement profile as replacement 365 * can change the namespace 366 */ 367 ns = profile->ns; 368 state = profile->file.start; 369 370 /* buffer freed below, name is pointer into buffer */ 371 error = aa_path_name(&bprm->file->f_path, profile->path_flags, &buffer, 372 &name, &info); 373 if (error) { 374 if (unconfined(profile) || 375 (profile->flags & PFLAG_IX_ON_NAME_ERROR)) 376 error = 0; 377 name = bprm->filename; 378 goto audit; 379 } 380 381 /* Test for onexec first as onexec directives override other 382 * x transitions. 383 */ 384 if (unconfined(profile)) { 385 /* unconfined task */ 386 if (cxt->onexec) 387 /* change_profile on exec already been granted */ 388 new_profile = aa_get_profile(cxt->onexec); 389 else 390 new_profile = find_attach(ns, &ns->base.profiles, name); 391 if (!new_profile) 392 goto cleanup; 393 /* 394 * NOTE: Domain transitions from unconfined are allowed 395 * even when no_new_privs is set because this aways results 396 * in a further reduction of permissions. 397 */ 398 goto apply; 399 } 400 401 /* find exec permissions for name */ 402 state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms); 403 if (cxt->onexec) { 404 struct file_perms cp; 405 info = "change_profile onexec"; 406 if (!(perms.allow & AA_MAY_ONEXEC)) 407 goto audit; 408 409 /* test if this exec can be paired with change_profile onexec. 410 * onexec permission is linked to exec with a standard pairing 411 * exec\0change_profile 412 */ 413 state = aa_dfa_null_transition(profile->file.dfa, state); 414 cp = change_profile_perms(profile, cxt->onexec->ns, 415 cxt->onexec->base.name, 416 AA_MAY_ONEXEC, state); 417 418 if (!(cp.allow & AA_MAY_ONEXEC)) 419 goto audit; 420 new_profile = aa_get_newest_profile(cxt->onexec); 421 goto apply; 422 } 423 424 if (perms.allow & MAY_EXEC) { 425 /* exec permission determine how to transition */ 426 new_profile = x_to_profile(profile, name, perms.xindex); 427 if (!new_profile) { 428 if (perms.xindex & AA_X_INHERIT) { 429 /* (p|c|n)ix - don't change profile but do 430 * use the newest version, which was picked 431 * up above when getting profile 432 */ 433 info = "ix fallback"; 434 new_profile = aa_get_profile(profile); 435 goto x_clear; 436 } else if (perms.xindex & AA_X_UNCONFINED) { 437 new_profile = aa_get_newest_profile(ns->unconfined); 438 info = "ux fallback"; 439 } else { 440 error = -ENOENT; 441 info = "profile not found"; 442 /* remove MAY_EXEC to audit as failure */ 443 perms.allow &= ~MAY_EXEC; 444 } 445 } 446 } else if (COMPLAIN_MODE(profile)) { 447 /* no exec permission - are we in learning mode */ 448 new_profile = aa_new_null_profile(profile, 0); 449 if (!new_profile) { 450 error = -ENOMEM; 451 info = "could not create null profile"; 452 } else { 453 error = -EACCES; 454 target = new_profile->base.hname; 455 } 456 perms.xindex |= AA_X_UNSAFE; 457 } else 458 /* fail exec */ 459 error = -EACCES; 460 461 /* 462 * Policy has specified a domain transition, if no_new_privs then 463 * fail the exec. 464 */ 465 if (bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) { 466 aa_put_profile(new_profile); 467 error = -EPERM; 468 goto cleanup; 469 } 470 471 if (!new_profile) 472 goto audit; 473 474 if (bprm->unsafe & LSM_UNSAFE_SHARE) { 475 /* FIXME: currently don't mediate shared state */ 476 ; 477 } 478 479 if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) { 480 error = may_change_ptraced_domain(current, new_profile); 481 if (error) { 482 aa_put_profile(new_profile); 483 goto audit; 484 } 485 } 486 487 /* Determine if secure exec is needed. 488 * Can be at this point for the following reasons: 489 * 1. unconfined switching to confined 490 * 2. confined switching to different confinement 491 * 3. confined switching to unconfined 492 * 493 * Cases 2 and 3 are marked as requiring secure exec 494 * (unless policy specified "unsafe exec") 495 * 496 * bprm->unsafe is used to cache the AA_X_UNSAFE permission 497 * to avoid having to recompute in secureexec 498 */ 499 if (!(perms.xindex & AA_X_UNSAFE)) { 500 AA_DEBUG("scrubbing environment variables for %s profile=%s\n", 501 name, new_profile->base.hname); 502 bprm->unsafe |= AA_SECURE_X_NEEDED; 503 } 504 apply: 505 target = new_profile->base.hname; 506 /* when transitioning profiles clear unsafe personality bits */ 507 bprm->per_clear |= PER_CLEAR_ON_SETID; 508 509 x_clear: 510 aa_put_profile(cxt->profile); 511 /* transfer new profile reference will be released when cxt is freed */ 512 cxt->profile = new_profile; 513 514 /* clear out all temporary/transitional state from the context */ 515 aa_clear_task_cxt_trans(cxt); 516 517 audit: 518 error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC, 519 name, target, cond.uid, info, error); 520 521 cleanup: 522 aa_put_profile(profile); 523 kfree(buffer); 524 525 return error; 526 } 527 528 /** 529 * apparmor_bprm_secureexec - determine if secureexec is needed 530 * @bprm: binprm for exec (NOT NULL) 531 * 532 * Returns: %1 if secureexec is needed else %0 533 */ 534 int apparmor_bprm_secureexec(struct linux_binprm *bprm) 535 { 536 int ret = cap_bprm_secureexec(bprm); 537 538 /* the decision to use secure exec is computed in set_creds 539 * and stored in bprm->unsafe. 540 */ 541 if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED)) 542 ret = 1; 543 544 return ret; 545 } 546 547 /** 548 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 549 * @bprm: binprm for the exec (NOT NULL) 550 */ 551 void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 552 { 553 struct aa_profile *profile = __aa_current_profile(); 554 struct aa_task_cxt *new_cxt = cred_cxt(bprm->cred); 555 556 /* bail out if unconfined or not changing profile */ 557 if ((new_cxt->profile == profile) || 558 (unconfined(new_cxt->profile))) 559 return; 560 561 current->pdeath_signal = 0; 562 563 /* reset soft limits and set hard limits for the new profile */ 564 __aa_transition_rlimits(profile, new_cxt->profile); 565 } 566 567 /** 568 * apparmor_bprm_commited_cred - do cleanup after new creds committed 569 * @bprm: binprm for the exec (NOT NULL) 570 */ 571 void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 572 { 573 /* TODO: cleanup signals - ipc mediation */ 574 return; 575 } 576 577 /* 578 * Functions for self directed profile change 579 */ 580 581 /** 582 * new_compound_name - create an hname with @n2 appended to @n1 583 * @n1: base of hname (NOT NULL) 584 * @n2: name to append (NOT NULL) 585 * 586 * Returns: new name or NULL on error 587 */ 588 static char *new_compound_name(const char *n1, const char *n2) 589 { 590 char *name = kmalloc(strlen(n1) + strlen(n2) + 3, GFP_KERNEL); 591 if (name) 592 sprintf(name, "%s//%s", n1, n2); 593 return name; 594 } 595 596 /** 597 * aa_change_hat - change hat to/from subprofile 598 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0) 599 * @count: number of hat names in @hats 600 * @token: magic value to validate the hat change 601 * @permtest: true if this is just a permission test 602 * 603 * Change to the first profile specified in @hats that exists, and store 604 * the @hat_magic in the current task context. If the count == 0 and the 605 * @token matches that stored in the current task context, return to the 606 * top level profile. 607 * 608 * Returns %0 on success, error otherwise. 609 */ 610 int aa_change_hat(const char *hats[], int count, u64 token, bool permtest) 611 { 612 const struct cred *cred; 613 struct aa_task_cxt *cxt; 614 struct aa_profile *profile, *previous_profile, *hat = NULL; 615 char *name = NULL; 616 int i; 617 struct file_perms perms = {}; 618 const char *target = NULL, *info = NULL; 619 int error = 0; 620 621 /* 622 * Fail explicitly requested domain transitions if no_new_privs. 623 * There is no exception for unconfined as change_hat is not 624 * available. 625 */ 626 if (current->no_new_privs) 627 return -EPERM; 628 629 /* released below */ 630 cred = get_current_cred(); 631 cxt = cred_cxt(cred); 632 profile = aa_cred_profile(cred); 633 previous_profile = cxt->previous; 634 635 if (unconfined(profile)) { 636 info = "unconfined"; 637 error = -EPERM; 638 goto audit; 639 } 640 641 if (count) { 642 /* attempting to change into a new hat or switch to a sibling */ 643 struct aa_profile *root; 644 if (PROFILE_IS_HAT(profile)) 645 root = aa_get_profile_rcu(&profile->parent); 646 else 647 root = aa_get_profile(profile); 648 649 /* find first matching hat */ 650 for (i = 0; i < count && !hat; i++) 651 /* released below */ 652 hat = aa_find_child(root, hats[i]); 653 if (!hat) { 654 if (!COMPLAIN_MODE(root) || permtest) { 655 if (list_empty(&root->base.profiles)) 656 error = -ECHILD; 657 else 658 error = -ENOENT; 659 aa_put_profile(root); 660 goto out; 661 } 662 663 /* 664 * In complain mode and failed to match any hats. 665 * Audit the failure is based off of the first hat 666 * supplied. This is done due how userspace 667 * interacts with change_hat. 668 * 669 * TODO: Add logging of all failed hats 670 */ 671 672 /* freed below */ 673 name = new_compound_name(root->base.hname, hats[0]); 674 aa_put_profile(root); 675 target = name; 676 /* released below */ 677 hat = aa_new_null_profile(profile, 1); 678 if (!hat) { 679 info = "failed null profile create"; 680 error = -ENOMEM; 681 goto audit; 682 } 683 } else { 684 aa_put_profile(root); 685 target = hat->base.hname; 686 if (!PROFILE_IS_HAT(hat)) { 687 info = "target not hat"; 688 error = -EPERM; 689 goto audit; 690 } 691 } 692 693 error = may_change_ptraced_domain(current, hat); 694 if (error) { 695 info = "ptraced"; 696 error = -EPERM; 697 goto audit; 698 } 699 700 if (!permtest) { 701 error = aa_set_current_hat(hat, token); 702 if (error == -EACCES) 703 /* kill task in case of brute force attacks */ 704 perms.kill = AA_MAY_CHANGEHAT; 705 else if (name && !error) 706 /* reset error for learning of new hats */ 707 error = -ENOENT; 708 } 709 } else if (previous_profile) { 710 /* Return to saved profile. Kill task if restore fails 711 * to avoid brute force attacks 712 */ 713 target = previous_profile->base.hname; 714 error = aa_restore_previous_profile(token); 715 perms.kill = AA_MAY_CHANGEHAT; 716 } else 717 /* ignore restores when there is no saved profile */ 718 goto out; 719 720 audit: 721 if (!permtest) 722 error = aa_audit_file(profile, &perms, GFP_KERNEL, 723 OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL, 724 target, GLOBAL_ROOT_UID, info, error); 725 726 out: 727 aa_put_profile(hat); 728 kfree(name); 729 put_cred(cred); 730 731 return error; 732 } 733 734 /** 735 * aa_change_profile - perform a one-way profile transition 736 * @ns_name: name of the profile namespace to change to (MAYBE NULL) 737 * @hname: name of profile to change to (MAYBE NULL) 738 * @onexec: whether this transition is to take place immediately or at exec 739 * @permtest: true if this is just a permission test 740 * 741 * Change to new profile @name. Unlike with hats, there is no way 742 * to change back. If @name isn't specified the current profile name is 743 * used. 744 * If @onexec then the transition is delayed until 745 * the next exec. 746 * 747 * Returns %0 on success, error otherwise. 748 */ 749 int aa_change_profile(const char *ns_name, const char *hname, bool onexec, 750 bool permtest) 751 { 752 const struct cred *cred; 753 struct aa_profile *profile, *target = NULL; 754 struct aa_namespace *ns = NULL; 755 struct file_perms perms = {}; 756 const char *name = NULL, *info = NULL; 757 int op, error = 0; 758 u32 request; 759 760 if (!hname && !ns_name) 761 return -EINVAL; 762 763 if (onexec) { 764 request = AA_MAY_ONEXEC; 765 op = OP_CHANGE_ONEXEC; 766 } else { 767 request = AA_MAY_CHANGE_PROFILE; 768 op = OP_CHANGE_PROFILE; 769 } 770 771 cred = get_current_cred(); 772 profile = aa_cred_profile(cred); 773 774 /* 775 * Fail explicitly requested domain transitions if no_new_privs 776 * and not unconfined. 777 * Domain transitions from unconfined are allowed even when 778 * no_new_privs is set because this aways results in a reduction 779 * of permissions. 780 */ 781 if (current->no_new_privs && !unconfined(profile)) { 782 put_cred(cred); 783 return -EPERM; 784 } 785 786 if (ns_name) { 787 /* released below */ 788 ns = aa_find_namespace(profile->ns, ns_name); 789 if (!ns) { 790 /* we don't create new namespace in complain mode */ 791 name = ns_name; 792 info = "namespace not found"; 793 error = -ENOENT; 794 goto audit; 795 } 796 } else 797 /* released below */ 798 ns = aa_get_namespace(profile->ns); 799 800 /* if the name was not specified, use the name of the current profile */ 801 if (!hname) { 802 if (unconfined(profile)) 803 hname = ns->unconfined->base.hname; 804 else 805 hname = profile->base.hname; 806 } 807 808 perms = change_profile_perms(profile, ns, hname, request, 809 profile->file.start); 810 if (!(perms.allow & request)) { 811 error = -EACCES; 812 goto audit; 813 } 814 815 /* released below */ 816 target = aa_lookup_profile(ns, hname); 817 if (!target) { 818 info = "profile not found"; 819 error = -ENOENT; 820 if (permtest || !COMPLAIN_MODE(profile)) 821 goto audit; 822 /* released below */ 823 target = aa_new_null_profile(profile, 0); 824 if (!target) { 825 info = "failed null profile create"; 826 error = -ENOMEM; 827 goto audit; 828 } 829 } 830 831 /* check if tracing task is allowed to trace target domain */ 832 error = may_change_ptraced_domain(current, target); 833 if (error) { 834 info = "ptrace prevents transition"; 835 goto audit; 836 } 837 838 if (permtest) 839 goto audit; 840 841 if (onexec) 842 error = aa_set_current_onexec(target); 843 else 844 error = aa_replace_current_profile(target); 845 846 audit: 847 if (!permtest) 848 error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, 849 name, hname, GLOBAL_ROOT_UID, info, error); 850 851 aa_put_namespace(ns); 852 aa_put_profile(target); 853 put_cred(cred); 854 855 return error; 856 } 857