1 /* SPDX-License-Identifier: GPL-2.0-only */
2 /*
3  * AppArmor security module
4  *
5  * This file contains AppArmor policy definitions.
6  *
7  * Copyright (C) 1998-2008 Novell/SUSE
8  * Copyright 2009-2010 Canonical Ltd.
9  */
10 
11 #ifndef __AA_POLICY_H
12 #define __AA_POLICY_H
13 
14 #include <linux/capability.h>
15 #include <linux/cred.h>
16 #include <linux/kref.h>
17 #include <linux/rhashtable.h>
18 #include <linux/sched.h>
19 #include <linux/slab.h>
20 #include <linux/socket.h>
21 
22 #include "apparmor.h"
23 #include "audit.h"
24 #include "capability.h"
25 #include "domain.h"
26 #include "file.h"
27 #include "lib.h"
28 #include "label.h"
29 #include "net.h"
30 #include "perms.h"
31 #include "resource.h"
32 
33 
34 struct aa_ns;
35 
36 extern int unprivileged_userns_apparmor_policy;
37 
38 extern const char *const aa_profile_mode_names[];
39 #define APPARMOR_MODE_NAMES_MAX_INDEX 4
40 
41 #define PROFILE_MODE(_profile, _mode)		\
42 	((aa_g_profile_mode == (_mode)) ||	\
43 	 ((_profile)->mode == (_mode)))
44 
45 #define COMPLAIN_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
46 
47 #define USER_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_USER)
48 
49 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
50 
51 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
52 
53 #define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
54 
55 #define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
56 
57 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
58 
59 #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
60 
61 /*
62  * FIXME: currently need a clean way to replace and remove profiles as a
63  * set.  It should be done at the namespace level.
64  * Either, with a set of profiles loaded at the namespace level or via
65  * a mark and remove marked interface.
66  */
67 enum profile_mode {
68 	APPARMOR_ENFORCE,	/* enforce access rules */
69 	APPARMOR_COMPLAIN,	/* allow and log access violations */
70 	APPARMOR_KILL,		/* kill task on access violation */
71 	APPARMOR_UNCONFINED,	/* profile set to unconfined */
72 	APPARMOR_USER,		/* modified complain mode to userspace */
73 };
74 
75 
76 /* struct aa_policydb - match engine for a policy
77  * dfa: dfa pattern match
78  * perms: table of permissions
79  * strs: table of strings, index by x
80  * start: set of start states for the different classes of data
81  */
82 struct aa_policydb {
83 	struct aa_dfa *dfa;
84 	struct {
85 		struct aa_perms *perms;
86 		u32 size;
87 	};
88 	struct aa_str_table trans;
89 	aa_state_t start[AA_CLASS_LAST + 1];
90 };
91 
92 static inline void aa_destroy_policydb(struct aa_policydb *policy)
93 {
94 	aa_put_dfa(policy->dfa);
95 	if (policy->perms)
96 		kvfree(policy->perms);
97 	aa_free_str_table(&policy->trans);
98 
99 }
100 
101 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
102 					       aa_state_t state)
103 {
104 	unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
105 
106 	if (!(policy->perms))
107 		return &default_perms;
108 
109 	return &(policy->perms[index]);
110 }
111 
112 
113 /* struct aa_data - generic data structure
114  * key: name for retrieving this data
115  * size: size of data in bytes
116  * data: binary data
117  * head: reserved for rhashtable
118  */
119 struct aa_data {
120 	char *key;
121 	u32 size;
122 	char *data;
123 	struct rhash_head head;
124 };
125 
126 /* struct aa_ruleset - data covering mediation rules
127  * @list: list the rule is on
128  * @size: the memory consumed by this ruleset
129  * @policy: general match rules governing policy
130  * @file: The set of rules governing basic file access and domain transitions
131  * @caps: capabilities for the profile
132  * @rlimits: rlimits for the profile
133  * @secmark_count: number of secmark entries
134  * @secmark: secmark label match info
135  */
136 struct aa_ruleset {
137 	struct list_head list;
138 
139 	int size;
140 
141 	/* TODO: merge policy and file */
142 	struct aa_policydb policy;
143 	struct aa_policydb file;
144 	struct aa_caps caps;
145 
146 	struct aa_rlimit rlimits;
147 
148 	int secmark_count;
149 	struct aa_secmark *secmark;
150 };
151 
152 /* struct aa_attachment - data and rules for a profiles attachment
153  * @list:
154  * @xmatch_str: human readable attachment string
155  * @xmatch: optional extended matching for unconfined executables names
156  * @xmatch_len: xmatch prefix len, used to determine xmatch priority
157  * @xattr_count: number of xattrs in table
158  * @xattrs: table of xattrs
159  */
160 struct aa_attachment {
161 	const char *xmatch_str;
162 	struct aa_policydb xmatch;
163 	unsigned int xmatch_len;
164 	int xattr_count;
165 	char **xattrs;
166 };
167 
168 /* struct aa_profile - basic confinement data
169  * @base - base components of the profile (name, refcount, lists, lock ...)
170  * @label - label this profile is an extension of
171  * @parent: parent of profile
172  * @ns: namespace the profile is in
173  * @rename: optional profile name that this profile renamed
174  *
175  * @audit: the auditing mode of the profile
176  * @mode: the enforcement mode of the profile
177  * @path_flags: flags controlling path generation behavior
178  * @disconnected: what to prepend if attach_disconnected is specified
179  * @attach: attachment rules for the profile
180  * @rules: rules to be enforced
181  *
182  * @dents: dentries for the profiles file entries in apparmorfs
183  * @dirname: name of the profile dir in apparmorfs
184  * @data: hashtable for free-form policy aa_data
185  *
186  * The AppArmor profile contains the basic confinement data.  Each profile
187  * has a name, and exists in a namespace.  The @name and @exec_match are
188  * used to determine profile attachment against unconfined tasks.  All other
189  * attachments are determined by profile X transition rules.
190  *
191  * Profiles have a hierarchy where hats and children profiles keep
192  * a reference to their parent.
193  *
194  * Profile names can not begin with a : and can not contain the \0
195  * character.  If a profile name begins with / it will be considered when
196  * determining profile attachment on "unconfined" tasks.
197  */
198 struct aa_profile {
199 	struct aa_policy base;
200 	struct aa_profile __rcu *parent;
201 
202 	struct aa_ns *ns;
203 	const char *rename;
204 
205 	enum audit_mode audit;
206 	long mode;
207 	u32 path_flags;
208 	const char *disconnected;
209 
210 	struct aa_attachment attach;
211 	struct list_head rules;
212 
213 	struct aa_loaddata *rawdata;
214 	unsigned char *hash;
215 	char *dirname;
216 	struct dentry *dents[AAFS_PROF_SIZEOF];
217 	struct rhashtable *data;
218 	struct aa_label label;
219 };
220 
221 extern enum profile_mode aa_g_profile_mode;
222 
223 #define AA_MAY_LOAD_POLICY	AA_MAY_APPEND
224 #define AA_MAY_REPLACE_POLICY	AA_MAY_WRITE
225 #define AA_MAY_REMOVE_POLICY	AA_MAY_DELETE
226 
227 #define profiles_ns(P) ((P)->ns)
228 #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
229 
230 void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
231 
232 
233 void aa_free_proxy_kref(struct kref *kref);
234 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
235 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
236 				    gfp_t gfp);
237 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
238 				 gfp_t gfp);
239 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
240 					   const char *base, gfp_t gfp);
241 void aa_free_profile(struct aa_profile *profile);
242 void aa_free_profile_kref(struct kref *kref);
243 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
244 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
245 				      size_t n);
246 struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
247 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
248 					const char *fqname, size_t n);
249 struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
250 
251 ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
252 			    u32 mask, struct aa_loaddata *udata);
253 ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
254 			   char *name, size_t size);
255 void __aa_profile_list_release(struct list_head *head);
256 
257 #define PROF_ADD 1
258 #define PROF_REPLACE 0
259 
260 #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
261 
262 /**
263  * aa_get_newest_profile - simple wrapper fn to wrap the label version
264  * @p: profile (NOT NULL)
265  *
266  * Returns refcount to newest version of the profile (maybe @p)
267  *
268  * Requires: @p must be held with a valid refcount
269  */
270 static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
271 {
272 	return labels_profile(aa_get_newest_label(&p->label));
273 }
274 
275 static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
276 				       unsigned char class)
277 {
278 	if (class <= AA_CLASS_LAST)
279 		return rules->policy.start[class];
280 	else
281 		return aa_dfa_match_len(rules->policy.dfa,
282 					rules->policy.start[0], &class, 1);
283 }
284 
285 static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF)
286 {
287 	aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET);
288 	__be16 be_af = cpu_to_be16(AF);
289 
290 	if (!state)
291 		return DFA_NOMATCH;
292 	return aa_dfa_match_len(rules->policy.dfa, state, (char *) &be_af, 2);
293 }
294 
295 static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
296 					   unsigned char class)
297 {
298 	struct aa_ruleset *rule;
299 
300 	/* TODO: change to list walk */
301 	rule = list_first_entry(head, typeof(*rule), list);
302 	return RULE_MEDIATES(rule, class);
303 }
304 
305 /**
306  * aa_get_profile - increment refcount on profile @p
307  * @p: profile  (MAYBE NULL)
308  *
309  * Returns: pointer to @p if @p is NULL will return NULL
310  * Requires: @p must be held with valid refcount when called
311  */
312 static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
313 {
314 	if (p)
315 		kref_get(&(p->label.count));
316 
317 	return p;
318 }
319 
320 /**
321  * aa_get_profile_not0 - increment refcount on profile @p found via lookup
322  * @p: profile  (MAYBE NULL)
323  *
324  * Returns: pointer to @p if @p is NULL will return NULL
325  * Requires: @p must be held with valid refcount when called
326  */
327 static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
328 {
329 	if (p && kref_get_unless_zero(&p->label.count))
330 		return p;
331 
332 	return NULL;
333 }
334 
335 /**
336  * aa_get_profile_rcu - increment a refcount profile that can be replaced
337  * @p: pointer to profile that can be replaced (NOT NULL)
338  *
339  * Returns: pointer to a refcounted profile.
340  *     else NULL if no profile
341  */
342 static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
343 {
344 	struct aa_profile *c;
345 
346 	rcu_read_lock();
347 	do {
348 		c = rcu_dereference(*p);
349 	} while (c && !kref_get_unless_zero(&c->label.count));
350 	rcu_read_unlock();
351 
352 	return c;
353 }
354 
355 /**
356  * aa_put_profile - decrement refcount on profile @p
357  * @p: profile  (MAYBE NULL)
358  */
359 static inline void aa_put_profile(struct aa_profile *p)
360 {
361 	if (p)
362 		kref_put(&p->label.count, aa_label_kref);
363 }
364 
365 static inline int AUDIT_MODE(struct aa_profile *profile)
366 {
367 	if (aa_g_audit != AUDIT_NORMAL)
368 		return aa_g_audit;
369 
370 	return profile->audit;
371 }
372 
373 bool aa_policy_view_capable(const struct cred *subj_cred,
374 			    struct aa_label *label, struct aa_ns *ns);
375 bool aa_policy_admin_capable(const struct cred *subj_cred,
376 			     struct aa_label *label, struct aa_ns *ns);
377 int aa_may_manage_policy(const struct cred *subj_cred,
378 			 struct aa_label *label, struct aa_ns *ns,
379 			 u32 mask);
380 bool aa_current_policy_view_capable(struct aa_ns *ns);
381 bool aa_current_policy_admin_capable(struct aa_ns *ns);
382 
383 #endif /* __AA_POLICY_H */
384