1 /* SPDX-License-Identifier: GPL-2.0-only */ 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor policy definitions. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #ifndef __AA_POLICY_H 12 #define __AA_POLICY_H 13 14 #include <linux/capability.h> 15 #include <linux/cred.h> 16 #include <linux/kref.h> 17 #include <linux/rhashtable.h> 18 #include <linux/sched.h> 19 #include <linux/slab.h> 20 #include <linux/socket.h> 21 22 #include "apparmor.h" 23 #include "audit.h" 24 #include "capability.h" 25 #include "domain.h" 26 #include "file.h" 27 #include "lib.h" 28 #include "label.h" 29 #include "net.h" 30 #include "perms.h" 31 #include "resource.h" 32 33 34 struct aa_ns; 35 36 extern int unprivileged_userns_apparmor_policy; 37 38 extern const char *const aa_profile_mode_names[]; 39 #define APPARMOR_MODE_NAMES_MAX_INDEX 4 40 41 #define PROFILE_MODE(_profile, _mode) \ 42 ((aa_g_profile_mode == (_mode)) || \ 43 ((_profile)->mode == (_mode))) 44 45 #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN) 46 47 #define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER) 48 49 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL) 50 51 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT) 52 53 #define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1) 54 55 #define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2) 56 57 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) 58 59 #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2) 60 61 /* 62 * FIXME: currently need a clean way to replace and remove profiles as a 63 * set. It should be done at the namespace level. 64 * Either, with a set of profiles loaded at the namespace level or via 65 * a mark and remove marked interface. 66 */ 67 enum profile_mode { 68 APPARMOR_ENFORCE, /* enforce access rules */ 69 APPARMOR_COMPLAIN, /* allow and log access violations */ 70 APPARMOR_KILL, /* kill task on access violation */ 71 APPARMOR_UNCONFINED, /* profile set to unconfined */ 72 APPARMOR_USER, /* modified complain mode to userspace */ 73 }; 74 75 76 /* struct aa_policydb - match engine for a policy 77 * dfa: dfa pattern match 78 * perms: table of permissions 79 * strs: table of strings, index by x 80 * start: set of start states for the different classes of data 81 */ 82 struct aa_policydb { 83 struct aa_dfa *dfa; 84 struct { 85 struct aa_perms *perms; 86 u32 size; 87 }; 88 struct aa_str_table trans; 89 aa_state_t start[AA_CLASS_LAST + 1]; 90 }; 91 92 static inline void aa_destroy_policydb(struct aa_policydb *policy) 93 { 94 aa_put_dfa(policy->dfa); 95 if (policy->perms) 96 kvfree(policy->perms); 97 aa_free_str_table(&policy->trans); 98 99 } 100 101 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy, 102 aa_state_t state) 103 { 104 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; 105 106 if (!(policy->perms)) 107 return &default_perms; 108 109 return &(policy->perms[index]); 110 } 111 112 113 /* struct aa_data - generic data structure 114 * key: name for retrieving this data 115 * size: size of data in bytes 116 * data: binary data 117 * head: reserved for rhashtable 118 */ 119 struct aa_data { 120 char *key; 121 u32 size; 122 char *data; 123 struct rhash_head head; 124 }; 125 126 /* struct aa_ruleset - data covering mediation rules 127 * @list: list the rule is on 128 * @size: the memory consumed by this ruleset 129 * @policy: general match rules governing policy 130 * @file: The set of rules governing basic file access and domain transitions 131 * @caps: capabilities for the profile 132 * @rlimits: rlimits for the profile 133 * @secmark_count: number of secmark entries 134 * @secmark: secmark label match info 135 */ 136 struct aa_ruleset { 137 struct list_head list; 138 139 int size; 140 141 /* TODO: merge policy and file */ 142 struct aa_policydb policy; 143 struct aa_policydb file; 144 struct aa_caps caps; 145 146 struct aa_rlimit rlimits; 147 148 int secmark_count; 149 struct aa_secmark *secmark; 150 }; 151 152 /* struct aa_attachment - data and rules for a profiles attachment 153 * @list: 154 * @xmatch_str: human readable attachment string 155 * @xmatch: optional extended matching for unconfined executables names 156 * @xmatch_len: xmatch prefix len, used to determine xmatch priority 157 * @xattr_count: number of xattrs in table 158 * @xattrs: table of xattrs 159 */ 160 struct aa_attachment { 161 const char *xmatch_str; 162 struct aa_policydb xmatch; 163 unsigned int xmatch_len; 164 int xattr_count; 165 char **xattrs; 166 }; 167 168 /* struct aa_profile - basic confinement data 169 * @base - base components of the profile (name, refcount, lists, lock ...) 170 * @label - label this profile is an extension of 171 * @parent: parent of profile 172 * @ns: namespace the profile is in 173 * @rename: optional profile name that this profile renamed 174 * 175 * @audit: the auditing mode of the profile 176 * @mode: the enforcement mode of the profile 177 * @path_flags: flags controlling path generation behavior 178 * @disconnected: what to prepend if attach_disconnected is specified 179 * @attach: attachment rules for the profile 180 * @rules: rules to be enforced 181 * 182 * @dents: dentries for the profiles file entries in apparmorfs 183 * @dirname: name of the profile dir in apparmorfs 184 * @data: hashtable for free-form policy aa_data 185 * 186 * The AppArmor profile contains the basic confinement data. Each profile 187 * has a name, and exists in a namespace. The @name and @exec_match are 188 * used to determine profile attachment against unconfined tasks. All other 189 * attachments are determined by profile X transition rules. 190 * 191 * Profiles have a hierarchy where hats and children profiles keep 192 * a reference to their parent. 193 * 194 * Profile names can not begin with a : and can not contain the \0 195 * character. If a profile name begins with / it will be considered when 196 * determining profile attachment on "unconfined" tasks. 197 */ 198 struct aa_profile { 199 struct aa_policy base; 200 struct aa_profile __rcu *parent; 201 202 struct aa_ns *ns; 203 const char *rename; 204 205 enum audit_mode audit; 206 long mode; 207 u32 path_flags; 208 const char *disconnected; 209 210 struct aa_attachment attach; 211 struct list_head rules; 212 213 struct aa_loaddata *rawdata; 214 unsigned char *hash; 215 char *dirname; 216 struct dentry *dents[AAFS_PROF_SIZEOF]; 217 struct rhashtable *data; 218 struct aa_label label; 219 }; 220 221 extern enum profile_mode aa_g_profile_mode; 222 223 #define AA_MAY_LOAD_POLICY AA_MAY_APPEND 224 #define AA_MAY_REPLACE_POLICY AA_MAY_WRITE 225 #define AA_MAY_REMOVE_POLICY AA_MAY_DELETE 226 227 #define profiles_ns(P) ((P)->ns) 228 #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname) 229 230 void aa_add_profile(struct aa_policy *common, struct aa_profile *profile); 231 232 233 void aa_free_proxy_kref(struct kref *kref); 234 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp); 235 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy, 236 gfp_t gfp); 237 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, 238 gfp_t gfp); 239 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat, 240 const char *base, gfp_t gfp); 241 void aa_free_profile(struct aa_profile *profile); 242 void aa_free_profile_kref(struct kref *kref); 243 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); 244 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname, 245 size_t n); 246 struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); 247 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 248 const char *fqname, size_t n); 249 struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name); 250 251 ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label, 252 u32 mask, struct aa_loaddata *udata); 253 ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label, 254 char *name, size_t size); 255 void __aa_profile_list_release(struct list_head *head); 256 257 #define PROF_ADD 1 258 #define PROF_REPLACE 0 259 260 #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED) 261 262 /** 263 * aa_get_newest_profile - simple wrapper fn to wrap the label version 264 * @p: profile (NOT NULL) 265 * 266 * Returns refcount to newest version of the profile (maybe @p) 267 * 268 * Requires: @p must be held with a valid refcount 269 */ 270 static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) 271 { 272 return labels_profile(aa_get_newest_label(&p->label)); 273 } 274 275 static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules, 276 unsigned char class) 277 { 278 if (class <= AA_CLASS_LAST) 279 return rules->policy.start[class]; 280 else 281 return aa_dfa_match_len(rules->policy.dfa, 282 rules->policy.start[0], &class, 1); 283 } 284 285 static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF) 286 { 287 aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET); 288 __be16 be_af = cpu_to_be16(AF); 289 290 if (!state) 291 return DFA_NOMATCH; 292 return aa_dfa_match_len(rules->policy.dfa, state, (char *) &be_af, 2); 293 } 294 295 static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head, 296 unsigned char class) 297 { 298 struct aa_ruleset *rule; 299 300 /* TODO: change to list walk */ 301 rule = list_first_entry(head, typeof(*rule), list); 302 return RULE_MEDIATES(rule, class); 303 } 304 305 /** 306 * aa_get_profile - increment refcount on profile @p 307 * @p: profile (MAYBE NULL) 308 * 309 * Returns: pointer to @p if @p is NULL will return NULL 310 * Requires: @p must be held with valid refcount when called 311 */ 312 static inline struct aa_profile *aa_get_profile(struct aa_profile *p) 313 { 314 if (p) 315 kref_get(&(p->label.count)); 316 317 return p; 318 } 319 320 /** 321 * aa_get_profile_not0 - increment refcount on profile @p found via lookup 322 * @p: profile (MAYBE NULL) 323 * 324 * Returns: pointer to @p if @p is NULL will return NULL 325 * Requires: @p must be held with valid refcount when called 326 */ 327 static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p) 328 { 329 if (p && kref_get_unless_zero(&p->label.count)) 330 return p; 331 332 return NULL; 333 } 334 335 /** 336 * aa_get_profile_rcu - increment a refcount profile that can be replaced 337 * @p: pointer to profile that can be replaced (NOT NULL) 338 * 339 * Returns: pointer to a refcounted profile. 340 * else NULL if no profile 341 */ 342 static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p) 343 { 344 struct aa_profile *c; 345 346 rcu_read_lock(); 347 do { 348 c = rcu_dereference(*p); 349 } while (c && !kref_get_unless_zero(&c->label.count)); 350 rcu_read_unlock(); 351 352 return c; 353 } 354 355 /** 356 * aa_put_profile - decrement refcount on profile @p 357 * @p: profile (MAYBE NULL) 358 */ 359 static inline void aa_put_profile(struct aa_profile *p) 360 { 361 if (p) 362 kref_put(&p->label.count, aa_label_kref); 363 } 364 365 static inline int AUDIT_MODE(struct aa_profile *profile) 366 { 367 if (aa_g_audit != AUDIT_NORMAL) 368 return aa_g_audit; 369 370 return profile->audit; 371 } 372 373 bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns); 374 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns); 375 int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns, 376 u32 mask); 377 bool aa_current_policy_view_capable(struct aa_ns *ns); 378 bool aa_current_policy_admin_capable(struct aa_ns *ns); 379 380 #endif /* __AA_POLICY_H */ 381