1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor label definitions 5 * 6 * Copyright 2017 Canonical Ltd. 7 * 8 * This program is free software; you can redistribute it and/or 9 * modify it under the terms of the GNU General Public License as 10 * published by the Free Software Foundation, version 2 of the 11 * License. 12 */ 13 14 #include <linux/audit.h> 15 #include <linux/seq_file.h> 16 #include <linux/sort.h> 17 18 #include "include/apparmor.h" 19 #include "include/cred.h" 20 #include "include/label.h" 21 #include "include/policy.h" 22 #include "include/secid.h" 23 24 25 /* 26 * the aa_label represents the set of profiles confining an object 27 * 28 * Labels maintain a reference count to the set of pointers they reference 29 * Labels are ref counted by 30 * tasks and object via the security field/security context off the field 31 * code - will take a ref count on a label if it needs the label 32 * beyond what is possible with an rcu_read_lock. 33 * profiles - each profile is a label 34 * secids - a pinned secid will keep a refcount of the label it is 35 * referencing 36 * objects - inode, files, sockets, ... 37 * 38 * Labels are not ref counted by the label set, so they maybe removed and 39 * freed when no longer in use. 40 * 41 */ 42 43 #define PROXY_POISON 97 44 #define LABEL_POISON 100 45 46 static void free_proxy(struct aa_proxy *proxy) 47 { 48 if (proxy) { 49 /* p->label will not updated any more as p is dead */ 50 aa_put_label(rcu_dereference_protected(proxy->label, true)); 51 memset(proxy, 0, sizeof(*proxy)); 52 RCU_INIT_POINTER(proxy->label, (struct aa_label *)PROXY_POISON); 53 kfree(proxy); 54 } 55 } 56 57 void aa_proxy_kref(struct kref *kref) 58 { 59 struct aa_proxy *proxy = container_of(kref, struct aa_proxy, count); 60 61 free_proxy(proxy); 62 } 63 64 struct aa_proxy *aa_alloc_proxy(struct aa_label *label, gfp_t gfp) 65 { 66 struct aa_proxy *new; 67 68 new = kzalloc(sizeof(struct aa_proxy), gfp); 69 if (new) { 70 kref_init(&new->count); 71 rcu_assign_pointer(new->label, aa_get_label(label)); 72 } 73 return new; 74 } 75 76 /* requires profile list write lock held */ 77 void __aa_proxy_redirect(struct aa_label *orig, struct aa_label *new) 78 { 79 struct aa_label *tmp; 80 81 AA_BUG(!orig); 82 AA_BUG(!new); 83 lockdep_assert_held_exclusive(&labels_set(orig)->lock); 84 85 tmp = rcu_dereference_protected(orig->proxy->label, 86 &labels_ns(orig)->lock); 87 rcu_assign_pointer(orig->proxy->label, aa_get_label(new)); 88 orig->flags |= FLAG_STALE; 89 aa_put_label(tmp); 90 } 91 92 static void __proxy_share(struct aa_label *old, struct aa_label *new) 93 { 94 struct aa_proxy *proxy = new->proxy; 95 96 new->proxy = aa_get_proxy(old->proxy); 97 __aa_proxy_redirect(old, new); 98 aa_put_proxy(proxy); 99 } 100 101 102 /** 103 * ns_cmp - compare ns for label set ordering 104 * @a: ns to compare (NOT NULL) 105 * @b: ns to compare (NOT NULL) 106 * 107 * Returns: <0 if a < b 108 * ==0 if a == b 109 * >0 if a > b 110 */ 111 static int ns_cmp(struct aa_ns *a, struct aa_ns *b) 112 { 113 int res; 114 115 AA_BUG(!a); 116 AA_BUG(!b); 117 AA_BUG(!a->base.hname); 118 AA_BUG(!b->base.hname); 119 120 if (a == b) 121 return 0; 122 123 res = a->level - b->level; 124 if (res) 125 return res; 126 127 return strcmp(a->base.hname, b->base.hname); 128 } 129 130 /** 131 * profile_cmp - profile comparison for set ordering 132 * @a: profile to compare (NOT NULL) 133 * @b: profile to compare (NOT NULL) 134 * 135 * Returns: <0 if a < b 136 * ==0 if a == b 137 * >0 if a > b 138 */ 139 static int profile_cmp(struct aa_profile *a, struct aa_profile *b) 140 { 141 int res; 142 143 AA_BUG(!a); 144 AA_BUG(!b); 145 AA_BUG(!a->ns); 146 AA_BUG(!b->ns); 147 AA_BUG(!a->base.hname); 148 AA_BUG(!b->base.hname); 149 150 if (a == b || a->base.hname == b->base.hname) 151 return 0; 152 res = ns_cmp(a->ns, b->ns); 153 if (res) 154 return res; 155 156 return strcmp(a->base.hname, b->base.hname); 157 } 158 159 /** 160 * vec_cmp - label comparison for set ordering 161 * @a: label to compare (NOT NULL) 162 * @vec: vector of profiles to compare (NOT NULL) 163 * @n: length of @vec 164 * 165 * Returns: <0 if a < vec 166 * ==0 if a == vec 167 * >0 if a > vec 168 */ 169 static int vec_cmp(struct aa_profile **a, int an, struct aa_profile **b, int bn) 170 { 171 int i; 172 173 AA_BUG(!a); 174 AA_BUG(!*a); 175 AA_BUG(!b); 176 AA_BUG(!*b); 177 AA_BUG(an <= 0); 178 AA_BUG(bn <= 0); 179 180 for (i = 0; i < an && i < bn; i++) { 181 int res = profile_cmp(a[i], b[i]); 182 183 if (res != 0) 184 return res; 185 } 186 187 return an - bn; 188 } 189 190 static bool vec_is_stale(struct aa_profile **vec, int n) 191 { 192 int i; 193 194 AA_BUG(!vec); 195 196 for (i = 0; i < n; i++) { 197 if (profile_is_stale(vec[i])) 198 return true; 199 } 200 201 return false; 202 } 203 204 static bool vec_unconfined(struct aa_profile **vec, int n) 205 { 206 int i; 207 208 AA_BUG(!vec); 209 210 for (i = 0; i < n; i++) { 211 if (!profile_unconfined(vec[i])) 212 return false; 213 } 214 215 return true; 216 } 217 218 static int sort_cmp(const void *a, const void *b) 219 { 220 return profile_cmp(*(struct aa_profile **)a, *(struct aa_profile **)b); 221 } 222 223 /* 224 * assumes vec is sorted 225 * Assumes @vec has null terminator at vec[n], and will null terminate 226 * vec[n - dups] 227 */ 228 static inline int unique(struct aa_profile **vec, int n) 229 { 230 int i, pos, dups = 0; 231 232 AA_BUG(n < 1); 233 AA_BUG(!vec); 234 235 pos = 0; 236 for (i = 1; i < n; i++) { 237 int res = profile_cmp(vec[pos], vec[i]); 238 239 AA_BUG(res > 0, "vec not sorted"); 240 if (res == 0) { 241 /* drop duplicate */ 242 aa_put_profile(vec[i]); 243 dups++; 244 continue; 245 } 246 pos++; 247 if (dups) 248 vec[pos] = vec[i]; 249 } 250 251 AA_BUG(dups < 0); 252 253 return dups; 254 } 255 256 /** 257 * aa_vec_unique - canonical sort and unique a list of profiles 258 * @n: number of refcounted profiles in the list (@n > 0) 259 * @vec: list of profiles to sort and merge 260 * 261 * Returns: the number of duplicates eliminated == references put 262 * 263 * If @flags & VEC_FLAG_TERMINATE @vec has null terminator at vec[n], and will 264 * null terminate vec[n - dups] 265 */ 266 int aa_vec_unique(struct aa_profile **vec, int n, int flags) 267 { 268 int i, dups = 0; 269 270 AA_BUG(n < 1); 271 AA_BUG(!vec); 272 273 /* vecs are usually small and inorder, have a fallback for larger */ 274 if (n > 8) { 275 sort(vec, n, sizeof(struct aa_profile *), sort_cmp, NULL); 276 dups = unique(vec, n); 277 goto out; 278 } 279 280 /* insertion sort + unique in one */ 281 for (i = 1; i < n; i++) { 282 struct aa_profile *tmp = vec[i]; 283 int pos, j; 284 285 for (pos = i - 1 - dups; pos >= 0; pos--) { 286 int res = profile_cmp(vec[pos], tmp); 287 288 if (res == 0) { 289 /* drop duplicate entry */ 290 aa_put_profile(tmp); 291 dups++; 292 goto continue_outer; 293 } else if (res < 0) 294 break; 295 } 296 /* pos is at entry < tmp, or index -1. Set to insert pos */ 297 pos++; 298 299 for (j = i - dups; j > pos; j--) 300 vec[j] = vec[j - 1]; 301 vec[pos] = tmp; 302 continue_outer: 303 ; 304 } 305 306 AA_BUG(dups < 0); 307 308 out: 309 if (flags & VEC_FLAG_TERMINATE) 310 vec[n - dups] = NULL; 311 312 return dups; 313 } 314 315 316 static void label_destroy(struct aa_label *label) 317 { 318 struct aa_label *tmp; 319 320 AA_BUG(!label); 321 322 if (!label_isprofile(label)) { 323 struct aa_profile *profile; 324 struct label_it i; 325 326 aa_put_str(label->hname); 327 328 label_for_each(i, label, profile) { 329 aa_put_profile(profile); 330 label->vec[i.i] = (struct aa_profile *) 331 (LABEL_POISON + (long) i.i); 332 } 333 } 334 335 if (rcu_dereference_protected(label->proxy->label, true) == label) 336 rcu_assign_pointer(label->proxy->label, NULL); 337 338 aa_free_secid(label->secid); 339 340 tmp = rcu_dereference_protected(label->proxy->label, true); 341 if (tmp == label) 342 rcu_assign_pointer(label->proxy->label, NULL); 343 344 aa_put_proxy(label->proxy); 345 label->proxy = (struct aa_proxy *) PROXY_POISON + 1; 346 } 347 348 void aa_label_free(struct aa_label *label) 349 { 350 if (!label) 351 return; 352 353 label_destroy(label); 354 kfree(label); 355 } 356 357 static void label_free_switch(struct aa_label *label) 358 { 359 if (label->flags & FLAG_NS_COUNT) 360 aa_free_ns(labels_ns(label)); 361 else if (label_isprofile(label)) 362 aa_free_profile(labels_profile(label)); 363 else 364 aa_label_free(label); 365 } 366 367 static void label_free_rcu(struct rcu_head *head) 368 { 369 struct aa_label *label = container_of(head, struct aa_label, rcu); 370 371 if (label->flags & FLAG_IN_TREE) 372 (void) aa_label_remove(label); 373 label_free_switch(label); 374 } 375 376 void aa_label_kref(struct kref *kref) 377 { 378 struct aa_label *label = container_of(kref, struct aa_label, count); 379 struct aa_ns *ns = labels_ns(label); 380 381 if (!ns) { 382 /* never live, no rcu callback needed, just using the fn */ 383 label_free_switch(label); 384 return; 385 } 386 /* TODO: update labels_profile macro so it works here */ 387 AA_BUG(label_isprofile(label) && 388 on_list_rcu(&label->vec[0]->base.profiles)); 389 AA_BUG(label_isprofile(label) && 390 on_list_rcu(&label->vec[0]->base.list)); 391 392 /* TODO: if compound label and not stale add to reclaim cache */ 393 call_rcu(&label->rcu, label_free_rcu); 394 } 395 396 static void label_free_or_put_new(struct aa_label *label, struct aa_label *new) 397 { 398 if (label != new) 399 /* need to free directly to break circular ref with proxy */ 400 aa_label_free(new); 401 else 402 aa_put_label(new); 403 } 404 405 bool aa_label_init(struct aa_label *label, int size, gfp_t gfp) 406 { 407 AA_BUG(!label); 408 AA_BUG(size < 1); 409 410 if (aa_alloc_secid(label, gfp) < 0) 411 return false; 412 413 label->size = size; /* doesn't include null */ 414 label->vec[size] = NULL; /* null terminate */ 415 kref_init(&label->count); 416 RB_CLEAR_NODE(&label->node); 417 418 return true; 419 } 420 421 /** 422 * aa_label_alloc - allocate a label with a profile vector of @size length 423 * @size: size of profile vector in the label 424 * @proxy: proxy to use OR null if to allocate a new one 425 * @gfp: memory allocation type 426 * 427 * Returns: new label 428 * else NULL if failed 429 */ 430 struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp) 431 { 432 struct aa_label *new; 433 434 AA_BUG(size < 1); 435 436 /* + 1 for null terminator entry on vec */ 437 new = kzalloc(sizeof(*new) + sizeof(struct aa_profile *) * (size + 1), 438 gfp); 439 AA_DEBUG("%s (%p)\n", __func__, new); 440 if (!new) 441 goto fail; 442 443 if (!aa_label_init(new, size, gfp)) 444 goto fail; 445 446 if (!proxy) { 447 proxy = aa_alloc_proxy(new, gfp); 448 if (!proxy) 449 goto fail; 450 } else 451 aa_get_proxy(proxy); 452 /* just set new's proxy, don't redirect proxy here if it was passed in*/ 453 new->proxy = proxy; 454 455 return new; 456 457 fail: 458 kfree(new); 459 460 return NULL; 461 } 462 463 464 /** 465 * label_cmp - label comparison for set ordering 466 * @a: label to compare (NOT NULL) 467 * @b: label to compare (NOT NULL) 468 * 469 * Returns: <0 if a < b 470 * ==0 if a == b 471 * >0 if a > b 472 */ 473 static int label_cmp(struct aa_label *a, struct aa_label *b) 474 { 475 AA_BUG(!b); 476 477 if (a == b) 478 return 0; 479 480 return vec_cmp(a->vec, a->size, b->vec, b->size); 481 } 482 483 /* helper fn for label_for_each_confined */ 484 int aa_label_next_confined(struct aa_label *label, int i) 485 { 486 AA_BUG(!label); 487 AA_BUG(i < 0); 488 489 for (; i < label->size; i++) { 490 if (!profile_unconfined(label->vec[i])) 491 return i; 492 } 493 494 return i; 495 } 496 497 /** 498 * aa_label_next_not_in_set - return the next profile of @sub not in @set 499 * @I: label iterator 500 * @set: label to test against 501 * @sub: label to if is subset of @set 502 * 503 * Returns: profile in @sub that is not in @set, with iterator set pos after 504 * else NULL if @sub is a subset of @set 505 */ 506 struct aa_profile *__aa_label_next_not_in_set(struct label_it *I, 507 struct aa_label *set, 508 struct aa_label *sub) 509 { 510 AA_BUG(!set); 511 AA_BUG(!I); 512 AA_BUG(I->i < 0); 513 AA_BUG(I->i > set->size); 514 AA_BUG(!sub); 515 AA_BUG(I->j < 0); 516 AA_BUG(I->j > sub->size); 517 518 while (I->j < sub->size && I->i < set->size) { 519 int res = profile_cmp(sub->vec[I->j], set->vec[I->i]); 520 521 if (res == 0) { 522 (I->j)++; 523 (I->i)++; 524 } else if (res > 0) 525 (I->i)++; 526 else 527 return sub->vec[(I->j)++]; 528 } 529 530 if (I->j < sub->size) 531 return sub->vec[(I->j)++]; 532 533 return NULL; 534 } 535 536 /** 537 * aa_label_is_subset - test if @sub is a subset of @set 538 * @set: label to test against 539 * @sub: label to test if is subset of @set 540 * 541 * Returns: true if @sub is subset of @set 542 * else false 543 */ 544 bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub) 545 { 546 struct label_it i = { }; 547 548 AA_BUG(!set); 549 AA_BUG(!sub); 550 551 if (sub == set) 552 return true; 553 554 return __aa_label_next_not_in_set(&i, set, sub) == NULL; 555 } 556 557 558 559 /** 560 * __label_remove - remove @label from the label set 561 * @l: label to remove 562 * @new: label to redirect to 563 * 564 * Requires: labels_set(@label)->lock write_lock 565 * Returns: true if the label was in the tree and removed 566 */ 567 static bool __label_remove(struct aa_label *label, struct aa_label *new) 568 { 569 struct aa_labelset *ls = labels_set(label); 570 571 AA_BUG(!ls); 572 AA_BUG(!label); 573 lockdep_assert_held_exclusive(&ls->lock); 574 575 if (new) 576 __aa_proxy_redirect(label, new); 577 578 if (!label_is_stale(label)) 579 __label_make_stale(label); 580 581 if (label->flags & FLAG_IN_TREE) { 582 rb_erase(&label->node, &ls->root); 583 label->flags &= ~FLAG_IN_TREE; 584 return true; 585 } 586 587 return false; 588 } 589 590 /** 591 * __label_replace - replace @old with @new in label set 592 * @old: label to remove from label set 593 * @new: label to replace @old with 594 * 595 * Requires: labels_set(@old)->lock write_lock 596 * valid ref count be held on @new 597 * Returns: true if @old was in set and replaced by @new 598 * 599 * Note: current implementation requires label set be order in such a way 600 * that @new directly replaces @old position in the set (ie. 601 * using pointer comparison of the label address would not work) 602 */ 603 static bool __label_replace(struct aa_label *old, struct aa_label *new) 604 { 605 struct aa_labelset *ls = labels_set(old); 606 607 AA_BUG(!ls); 608 AA_BUG(!old); 609 AA_BUG(!new); 610 lockdep_assert_held_exclusive(&ls->lock); 611 AA_BUG(new->flags & FLAG_IN_TREE); 612 613 if (!label_is_stale(old)) 614 __label_make_stale(old); 615 616 if (old->flags & FLAG_IN_TREE) { 617 rb_replace_node(&old->node, &new->node, &ls->root); 618 old->flags &= ~FLAG_IN_TREE; 619 new->flags |= FLAG_IN_TREE; 620 return true; 621 } 622 623 return false; 624 } 625 626 /** 627 * __label_insert - attempt to insert @l into a label set 628 * @ls: set of labels to insert @l into (NOT NULL) 629 * @label: new label to insert (NOT NULL) 630 * @replace: whether insertion should replace existing entry that is not stale 631 * 632 * Requires: @ls->lock 633 * caller to hold a valid ref on l 634 * if @replace is true l has a preallocated proxy associated 635 * Returns: @l if successful in inserting @l - with additional refcount 636 * else ref counted equivalent label that is already in the set, 637 * the else condition only happens if @replace is false 638 */ 639 static struct aa_label *__label_insert(struct aa_labelset *ls, 640 struct aa_label *label, bool replace) 641 { 642 struct rb_node **new, *parent = NULL; 643 644 AA_BUG(!ls); 645 AA_BUG(!label); 646 AA_BUG(labels_set(label) != ls); 647 lockdep_assert_held_exclusive(&ls->lock); 648 AA_BUG(label->flags & FLAG_IN_TREE); 649 650 /* Figure out where to put new node */ 651 new = &ls->root.rb_node; 652 while (*new) { 653 struct aa_label *this = rb_entry(*new, struct aa_label, node); 654 int result = label_cmp(label, this); 655 656 parent = *new; 657 if (result == 0) { 658 /* !__aa_get_label means queued for destruction, 659 * so replace in place, however the label has 660 * died before the replacement so do not share 661 * the proxy 662 */ 663 if (!replace && !label_is_stale(this)) { 664 if (__aa_get_label(this)) 665 return this; 666 } else 667 __proxy_share(this, label); 668 AA_BUG(!__label_replace(this, label)); 669 return aa_get_label(label); 670 } else if (result < 0) 671 new = &((*new)->rb_left); 672 else /* (result > 0) */ 673 new = &((*new)->rb_right); 674 } 675 676 /* Add new node and rebalance tree. */ 677 rb_link_node(&label->node, parent, new); 678 rb_insert_color(&label->node, &ls->root); 679 label->flags |= FLAG_IN_TREE; 680 681 return aa_get_label(label); 682 } 683 684 /** 685 * __vec_find - find label that matches @vec in label set 686 * @vec: vec of profiles to find matching label for (NOT NULL) 687 * @n: length of @vec 688 * 689 * Requires: @vec_labelset(vec) lock held 690 * caller to hold a valid ref on l 691 * 692 * Returns: ref counted @label if matching label is in tree 693 * ref counted label that is equiv to @l in tree 694 * else NULL if @vec equiv is not in tree 695 */ 696 static struct aa_label *__vec_find(struct aa_profile **vec, int n) 697 { 698 struct rb_node *node; 699 700 AA_BUG(!vec); 701 AA_BUG(!*vec); 702 AA_BUG(n <= 0); 703 704 node = vec_labelset(vec, n)->root.rb_node; 705 while (node) { 706 struct aa_label *this = rb_entry(node, struct aa_label, node); 707 int result = vec_cmp(this->vec, this->size, vec, n); 708 709 if (result > 0) 710 node = node->rb_left; 711 else if (result < 0) 712 node = node->rb_right; 713 else 714 return __aa_get_label(this); 715 } 716 717 return NULL; 718 } 719 720 /** 721 * __label_find - find label @label in label set 722 * @label: label to find (NOT NULL) 723 * 724 * Requires: labels_set(@label)->lock held 725 * caller to hold a valid ref on l 726 * 727 * Returns: ref counted @label if @label is in tree OR 728 * ref counted label that is equiv to @label in tree 729 * else NULL if @label or equiv is not in tree 730 */ 731 static struct aa_label *__label_find(struct aa_label *label) 732 { 733 AA_BUG(!label); 734 735 return __vec_find(label->vec, label->size); 736 } 737 738 739 /** 740 * aa_label_remove - remove a label from the labelset 741 * @label: label to remove 742 * 743 * Returns: true if @label was removed from the tree 744 * else @label was not in tree so it could not be removed 745 */ 746 bool aa_label_remove(struct aa_label *label) 747 { 748 struct aa_labelset *ls = labels_set(label); 749 unsigned long flags; 750 bool res; 751 752 AA_BUG(!ls); 753 754 write_lock_irqsave(&ls->lock, flags); 755 res = __label_remove(label, ns_unconfined(labels_ns(label))); 756 write_unlock_irqrestore(&ls->lock, flags); 757 758 return res; 759 } 760 761 /** 762 * aa_label_replace - replace a label @old with a new version @new 763 * @old: label to replace 764 * @new: label replacing @old 765 * 766 * Returns: true if @old was in tree and replaced 767 * else @old was not in tree, and @new was not inserted 768 */ 769 bool aa_label_replace(struct aa_label *old, struct aa_label *new) 770 { 771 unsigned long flags; 772 bool res; 773 774 if (name_is_shared(old, new) && labels_ns(old) == labels_ns(new)) { 775 write_lock_irqsave(&labels_set(old)->lock, flags); 776 if (old->proxy != new->proxy) 777 __proxy_share(old, new); 778 else 779 __aa_proxy_redirect(old, new); 780 res = __label_replace(old, new); 781 write_unlock_irqrestore(&labels_set(old)->lock, flags); 782 } else { 783 struct aa_label *l; 784 struct aa_labelset *ls = labels_set(old); 785 786 write_lock_irqsave(&ls->lock, flags); 787 res = __label_remove(old, new); 788 if (labels_ns(old) != labels_ns(new)) { 789 write_unlock_irqrestore(&ls->lock, flags); 790 ls = labels_set(new); 791 write_lock_irqsave(&ls->lock, flags); 792 } 793 l = __label_insert(ls, new, true); 794 res = (l == new); 795 write_unlock_irqrestore(&ls->lock, flags); 796 aa_put_label(l); 797 } 798 799 return res; 800 } 801 802 /** 803 * vec_find - find label @l in label set 804 * @vec: array of profiles to find equiv label for (NOT NULL) 805 * @n: length of @vec 806 * 807 * Returns: refcounted label if @vec equiv is in tree 808 * else NULL if @vec equiv is not in tree 809 */ 810 static struct aa_label *vec_find(struct aa_profile **vec, int n) 811 { 812 struct aa_labelset *ls; 813 struct aa_label *label; 814 unsigned long flags; 815 816 AA_BUG(!vec); 817 AA_BUG(!*vec); 818 AA_BUG(n <= 0); 819 820 ls = vec_labelset(vec, n); 821 read_lock_irqsave(&ls->lock, flags); 822 label = __vec_find(vec, n); 823 read_unlock_irqrestore(&ls->lock, flags); 824 825 return label; 826 } 827 828 /* requires sort and merge done first */ 829 static struct aa_label *vec_create_and_insert_label(struct aa_profile **vec, 830 int len, gfp_t gfp) 831 { 832 struct aa_label *label = NULL; 833 struct aa_labelset *ls; 834 unsigned long flags; 835 struct aa_label *new; 836 int i; 837 838 AA_BUG(!vec); 839 840 if (len == 1) 841 return aa_get_label(&vec[0]->label); 842 843 ls = labels_set(&vec[len - 1]->label); 844 845 /* TODO: enable when read side is lockless 846 * check if label exists before taking locks 847 */ 848 new = aa_label_alloc(len, NULL, gfp); 849 if (!new) 850 return NULL; 851 852 for (i = 0; i < len; i++) 853 new->vec[i] = aa_get_profile(vec[i]); 854 855 write_lock_irqsave(&ls->lock, flags); 856 label = __label_insert(ls, new, false); 857 write_unlock_irqrestore(&ls->lock, flags); 858 label_free_or_put_new(label, new); 859 860 return label; 861 } 862 863 struct aa_label *aa_vec_find_or_create_label(struct aa_profile **vec, int len, 864 gfp_t gfp) 865 { 866 struct aa_label *label = vec_find(vec, len); 867 868 if (label) 869 return label; 870 871 return vec_create_and_insert_label(vec, len, gfp); 872 } 873 874 /** 875 * aa_label_find - find label @label in label set 876 * @label: label to find (NOT NULL) 877 * 878 * Requires: caller to hold a valid ref on l 879 * 880 * Returns: refcounted @label if @label is in tree 881 * refcounted label that is equiv to @label in tree 882 * else NULL if @label or equiv is not in tree 883 */ 884 struct aa_label *aa_label_find(struct aa_label *label) 885 { 886 AA_BUG(!label); 887 888 return vec_find(label->vec, label->size); 889 } 890 891 892 /** 893 * aa_label_insert - insert label @label into @ls or return existing label 894 * @ls - labelset to insert @label into 895 * @label - label to insert 896 * 897 * Requires: caller to hold a valid ref on @label 898 * 899 * Returns: ref counted @label if successful in inserting @label 900 * else ref counted equivalent label that is already in the set 901 */ 902 struct aa_label *aa_label_insert(struct aa_labelset *ls, struct aa_label *label) 903 { 904 struct aa_label *l; 905 unsigned long flags; 906 907 AA_BUG(!ls); 908 AA_BUG(!label); 909 910 /* check if label exists before taking lock */ 911 if (!label_is_stale(label)) { 912 read_lock_irqsave(&ls->lock, flags); 913 l = __label_find(label); 914 read_unlock_irqrestore(&ls->lock, flags); 915 if (l) 916 return l; 917 } 918 919 write_lock_irqsave(&ls->lock, flags); 920 l = __label_insert(ls, label, false); 921 write_unlock_irqrestore(&ls->lock, flags); 922 923 return l; 924 } 925 926 927 /** 928 * aa_label_next_in_merge - find the next profile when merging @a and @b 929 * @I: label iterator 930 * @a: label to merge 931 * @b: label to merge 932 * 933 * Returns: next profile 934 * else null if no more profiles 935 */ 936 struct aa_profile *aa_label_next_in_merge(struct label_it *I, 937 struct aa_label *a, 938 struct aa_label *b) 939 { 940 AA_BUG(!a); 941 AA_BUG(!b); 942 AA_BUG(!I); 943 AA_BUG(I->i < 0); 944 AA_BUG(I->i > a->size); 945 AA_BUG(I->j < 0); 946 AA_BUG(I->j > b->size); 947 948 if (I->i < a->size) { 949 if (I->j < b->size) { 950 int res = profile_cmp(a->vec[I->i], b->vec[I->j]); 951 952 if (res > 0) 953 return b->vec[(I->j)++]; 954 if (res == 0) 955 (I->j)++; 956 } 957 958 return a->vec[(I->i)++]; 959 } 960 961 if (I->j < b->size) 962 return b->vec[(I->j)++]; 963 964 return NULL; 965 } 966 967 /** 968 * label_merge_cmp - cmp of @a merging with @b against @z for set ordering 969 * @a: label to merge then compare (NOT NULL) 970 * @b: label to merge then compare (NOT NULL) 971 * @z: label to compare merge against (NOT NULL) 972 * 973 * Assumes: using the most recent versions of @a, @b, and @z 974 * 975 * Returns: <0 if a < b 976 * ==0 if a == b 977 * >0 if a > b 978 */ 979 static int label_merge_cmp(struct aa_label *a, struct aa_label *b, 980 struct aa_label *z) 981 { 982 struct aa_profile *p = NULL; 983 struct label_it i = { }; 984 int k; 985 986 AA_BUG(!a); 987 AA_BUG(!b); 988 AA_BUG(!z); 989 990 for (k = 0; 991 k < z->size && (p = aa_label_next_in_merge(&i, a, b)); 992 k++) { 993 int res = profile_cmp(p, z->vec[k]); 994 995 if (res != 0) 996 return res; 997 } 998 999 if (p) 1000 return 1; 1001 else if (k < z->size) 1002 return -1; 1003 return 0; 1004 } 1005 1006 /** 1007 * label_merge_insert - create a new label by merging @a and @b 1008 * @new: preallocated label to merge into (NOT NULL) 1009 * @a: label to merge with @b (NOT NULL) 1010 * @b: label to merge with @a (NOT NULL) 1011 * 1012 * Requires: preallocated proxy 1013 * 1014 * Returns: ref counted label either @new if merge is unique 1015 * @a if @b is a subset of @a 1016 * @b if @a is a subset of @b 1017 * 1018 * NOTE: will not use @new if the merge results in @new == @a or @b 1019 * 1020 * Must be used within labelset write lock to avoid racing with 1021 * setting labels stale. 1022 */ 1023 static struct aa_label *label_merge_insert(struct aa_label *new, 1024 struct aa_label *a, 1025 struct aa_label *b) 1026 { 1027 struct aa_label *label; 1028 struct aa_labelset *ls; 1029 struct aa_profile *next; 1030 struct label_it i; 1031 unsigned long flags; 1032 int k = 0, invcount = 0; 1033 bool stale = false; 1034 1035 AA_BUG(!a); 1036 AA_BUG(a->size < 0); 1037 AA_BUG(!b); 1038 AA_BUG(b->size < 0); 1039 AA_BUG(!new); 1040 AA_BUG(new->size < a->size + b->size); 1041 1042 label_for_each_in_merge(i, a, b, next) { 1043 AA_BUG(!next); 1044 if (profile_is_stale(next)) { 1045 new->vec[k] = aa_get_newest_profile(next); 1046 AA_BUG(!new->vec[k]->label.proxy); 1047 AA_BUG(!new->vec[k]->label.proxy->label); 1048 if (next->label.proxy != new->vec[k]->label.proxy) 1049 invcount++; 1050 k++; 1051 stale = true; 1052 } else 1053 new->vec[k++] = aa_get_profile(next); 1054 } 1055 /* set to actual size which is <= allocated len */ 1056 new->size = k; 1057 new->vec[k] = NULL; 1058 1059 if (invcount) { 1060 new->size -= aa_vec_unique(&new->vec[0], new->size, 1061 VEC_FLAG_TERMINATE); 1062 /* TODO: deal with reference labels */ 1063 if (new->size == 1) { 1064 label = aa_get_label(&new->vec[0]->label); 1065 return label; 1066 } 1067 } else if (!stale) { 1068 /* 1069 * merge could be same as a || b, note: it is not possible 1070 * for new->size == a->size == b->size unless a == b 1071 */ 1072 if (k == a->size) 1073 return aa_get_label(a); 1074 else if (k == b->size) 1075 return aa_get_label(b); 1076 } 1077 if (vec_unconfined(new->vec, new->size)) 1078 new->flags |= FLAG_UNCONFINED; 1079 ls = labels_set(new); 1080 write_lock_irqsave(&ls->lock, flags); 1081 label = __label_insert(labels_set(new), new, false); 1082 write_unlock_irqrestore(&ls->lock, flags); 1083 1084 return label; 1085 } 1086 1087 /** 1088 * labelset_of_merge - find which labelset a merged label should be inserted 1089 * @a: label to merge and insert 1090 * @b: label to merge and insert 1091 * 1092 * Returns: labelset that the merged label should be inserted into 1093 */ 1094 static struct aa_labelset *labelset_of_merge(struct aa_label *a, 1095 struct aa_label *b) 1096 { 1097 struct aa_ns *nsa = labels_ns(a); 1098 struct aa_ns *nsb = labels_ns(b); 1099 1100 if (ns_cmp(nsa, nsb) <= 0) 1101 return &nsa->labels; 1102 return &nsb->labels; 1103 } 1104 1105 /** 1106 * __label_find_merge - find label that is equiv to merge of @a and @b 1107 * @ls: set of labels to search (NOT NULL) 1108 * @a: label to merge with @b (NOT NULL) 1109 * @b: label to merge with @a (NOT NULL) 1110 * 1111 * Requires: ls->lock read_lock held 1112 * 1113 * Returns: ref counted label that is equiv to merge of @a and @b 1114 * else NULL if merge of @a and @b is not in set 1115 */ 1116 static struct aa_label *__label_find_merge(struct aa_labelset *ls, 1117 struct aa_label *a, 1118 struct aa_label *b) 1119 { 1120 struct rb_node *node; 1121 1122 AA_BUG(!ls); 1123 AA_BUG(!a); 1124 AA_BUG(!b); 1125 1126 if (a == b) 1127 return __label_find(a); 1128 1129 node = ls->root.rb_node; 1130 while (node) { 1131 struct aa_label *this = container_of(node, struct aa_label, 1132 node); 1133 int result = label_merge_cmp(a, b, this); 1134 1135 if (result < 0) 1136 node = node->rb_left; 1137 else if (result > 0) 1138 node = node->rb_right; 1139 else 1140 return __aa_get_label(this); 1141 } 1142 1143 return NULL; 1144 } 1145 1146 1147 /** 1148 * aa_label_find_merge - find label that is equiv to merge of @a and @b 1149 * @a: label to merge with @b (NOT NULL) 1150 * @b: label to merge with @a (NOT NULL) 1151 * 1152 * Requires: labels be fully constructed with a valid ns 1153 * 1154 * Returns: ref counted label that is equiv to merge of @a and @b 1155 * else NULL if merge of @a and @b is not in set 1156 */ 1157 struct aa_label *aa_label_find_merge(struct aa_label *a, struct aa_label *b) 1158 { 1159 struct aa_labelset *ls; 1160 struct aa_label *label, *ar = NULL, *br = NULL; 1161 unsigned long flags; 1162 1163 AA_BUG(!a); 1164 AA_BUG(!b); 1165 1166 if (label_is_stale(a)) 1167 a = ar = aa_get_newest_label(a); 1168 if (label_is_stale(b)) 1169 b = br = aa_get_newest_label(b); 1170 ls = labelset_of_merge(a, b); 1171 read_lock_irqsave(&ls->lock, flags); 1172 label = __label_find_merge(ls, a, b); 1173 read_unlock_irqrestore(&ls->lock, flags); 1174 aa_put_label(ar); 1175 aa_put_label(br); 1176 1177 return label; 1178 } 1179 1180 /** 1181 * aa_label_merge - attempt to insert new merged label of @a and @b 1182 * @ls: set of labels to insert label into (NOT NULL) 1183 * @a: label to merge with @b (NOT NULL) 1184 * @b: label to merge with @a (NOT NULL) 1185 * @gfp: memory allocation type 1186 * 1187 * Requires: caller to hold valid refs on @a and @b 1188 * labels be fully constructed with a valid ns 1189 * 1190 * Returns: ref counted new label if successful in inserting merge of a & b 1191 * else ref counted equivalent label that is already in the set. 1192 * else NULL if could not create label (-ENOMEM) 1193 */ 1194 struct aa_label *aa_label_merge(struct aa_label *a, struct aa_label *b, 1195 gfp_t gfp) 1196 { 1197 struct aa_label *label = NULL; 1198 1199 AA_BUG(!a); 1200 AA_BUG(!b); 1201 1202 if (a == b) 1203 return aa_get_newest_label(a); 1204 1205 /* TODO: enable when read side is lockless 1206 * check if label exists before taking locks 1207 if (!label_is_stale(a) && !label_is_stale(b)) 1208 label = aa_label_find_merge(a, b); 1209 */ 1210 1211 if (!label) { 1212 struct aa_label *new; 1213 1214 a = aa_get_newest_label(a); 1215 b = aa_get_newest_label(b); 1216 1217 /* could use label_merge_len(a, b), but requires double 1218 * comparison for small savings 1219 */ 1220 new = aa_label_alloc(a->size + b->size, NULL, gfp); 1221 if (!new) 1222 goto out; 1223 1224 label = label_merge_insert(new, a, b); 1225 label_free_or_put_new(label, new); 1226 out: 1227 aa_put_label(a); 1228 aa_put_label(b); 1229 } 1230 1231 return label; 1232 } 1233 1234 static inline bool label_is_visible(struct aa_profile *profile, 1235 struct aa_label *label) 1236 { 1237 return aa_ns_visible(profile->ns, labels_ns(label), true); 1238 } 1239 1240 /* match a profile and its associated ns component if needed 1241 * Assumes visibility test has already been done. 1242 * If a subns profile is not to be matched should be prescreened with 1243 * visibility test. 1244 */ 1245 static inline unsigned int match_component(struct aa_profile *profile, 1246 struct aa_profile *tp, 1247 unsigned int state) 1248 { 1249 const char *ns_name; 1250 1251 if (profile->ns == tp->ns) 1252 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); 1253 1254 /* try matching with namespace name and then profile */ 1255 ns_name = aa_ns_name(profile->ns, tp->ns, true); 1256 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); 1257 state = aa_dfa_match(profile->policy.dfa, state, ns_name); 1258 state = aa_dfa_match_len(profile->policy.dfa, state, ":", 1); 1259 return aa_dfa_match(profile->policy.dfa, state, tp->base.hname); 1260 } 1261 1262 /** 1263 * label_compound_match - find perms for full compound label 1264 * @profile: profile to find perms for 1265 * @label: label to check access permissions for 1266 * @start: state to start match in 1267 * @subns: whether to do permission checks on components in a subns 1268 * @request: permissions to request 1269 * @perms: perms struct to set 1270 * 1271 * Returns: 0 on success else ERROR 1272 * 1273 * For the label A//&B//&C this does the perm match for A//&B//&C 1274 * @perms should be preinitialized with allperms OR a previous permission 1275 * check to be stacked. 1276 */ 1277 static int label_compound_match(struct aa_profile *profile, 1278 struct aa_label *label, 1279 unsigned int state, bool subns, u32 request, 1280 struct aa_perms *perms) 1281 { 1282 struct aa_profile *tp; 1283 struct label_it i; 1284 1285 /* find first subcomponent that is visible */ 1286 label_for_each(i, label, tp) { 1287 if (!aa_ns_visible(profile->ns, tp->ns, subns)) 1288 continue; 1289 state = match_component(profile, tp, state); 1290 if (!state) 1291 goto fail; 1292 goto next; 1293 } 1294 1295 /* no component visible */ 1296 *perms = allperms; 1297 return 0; 1298 1299 next: 1300 label_for_each_cont(i, label, tp) { 1301 if (!aa_ns_visible(profile->ns, tp->ns, subns)) 1302 continue; 1303 state = aa_dfa_match(profile->policy.dfa, state, "//&"); 1304 state = match_component(profile, tp, state); 1305 if (!state) 1306 goto fail; 1307 } 1308 aa_compute_perms(profile->policy.dfa, state, perms); 1309 aa_apply_modes_to_perms(profile, perms); 1310 if ((perms->allow & request) != request) 1311 return -EACCES; 1312 1313 return 0; 1314 1315 fail: 1316 *perms = nullperms; 1317 return state; 1318 } 1319 1320 /** 1321 * label_components_match - find perms for all subcomponents of a label 1322 * @profile: profile to find perms for 1323 * @label: label to check access permissions for 1324 * @start: state to start match in 1325 * @subns: whether to do permission checks on components in a subns 1326 * @request: permissions to request 1327 * @perms: an initialized perms struct to add accumulation to 1328 * 1329 * Returns: 0 on success else ERROR 1330 * 1331 * For the label A//&B//&C this does the perm match for each of A and B and C 1332 * @perms should be preinitialized with allperms OR a previous permission 1333 * check to be stacked. 1334 */ 1335 static int label_components_match(struct aa_profile *profile, 1336 struct aa_label *label, unsigned int start, 1337 bool subns, u32 request, 1338 struct aa_perms *perms) 1339 { 1340 struct aa_profile *tp; 1341 struct label_it i; 1342 struct aa_perms tmp; 1343 unsigned int state = 0; 1344 1345 /* find first subcomponent to test */ 1346 label_for_each(i, label, tp) { 1347 if (!aa_ns_visible(profile->ns, tp->ns, subns)) 1348 continue; 1349 state = match_component(profile, tp, start); 1350 if (!state) 1351 goto fail; 1352 goto next; 1353 } 1354 1355 /* no subcomponents visible - no change in perms */ 1356 return 0; 1357 1358 next: 1359 aa_compute_perms(profile->policy.dfa, state, &tmp); 1360 aa_apply_modes_to_perms(profile, &tmp); 1361 aa_perms_accum(perms, &tmp); 1362 label_for_each_cont(i, label, tp) { 1363 if (!aa_ns_visible(profile->ns, tp->ns, subns)) 1364 continue; 1365 state = match_component(profile, tp, start); 1366 if (!state) 1367 goto fail; 1368 aa_compute_perms(profile->policy.dfa, state, &tmp); 1369 aa_apply_modes_to_perms(profile, &tmp); 1370 aa_perms_accum(perms, &tmp); 1371 } 1372 1373 if ((perms->allow & request) != request) 1374 return -EACCES; 1375 1376 return 0; 1377 1378 fail: 1379 *perms = nullperms; 1380 return -EACCES; 1381 } 1382 1383 /** 1384 * aa_label_match - do a multi-component label match 1385 * @profile: profile to match against (NOT NULL) 1386 * @label: label to match (NOT NULL) 1387 * @state: state to start in 1388 * @subns: whether to match subns components 1389 * @request: permission request 1390 * @perms: Returns computed perms (NOT NULL) 1391 * 1392 * Returns: the state the match finished in, may be the none matching state 1393 */ 1394 int aa_label_match(struct aa_profile *profile, struct aa_label *label, 1395 unsigned int state, bool subns, u32 request, 1396 struct aa_perms *perms) 1397 { 1398 int error = label_compound_match(profile, label, state, subns, request, 1399 perms); 1400 if (!error) 1401 return error; 1402 1403 *perms = allperms; 1404 return label_components_match(profile, label, state, subns, request, 1405 perms); 1406 } 1407 1408 1409 /** 1410 * aa_update_label_name - update a label to have a stored name 1411 * @ns: ns being viewed from (NOT NULL) 1412 * @label: label to update (NOT NULL) 1413 * @gfp: type of memory allocation 1414 * 1415 * Requires: labels_set(label) not locked in caller 1416 * 1417 * note: only updates the label name if it does not have a name already 1418 * and if it is in the labelset 1419 */ 1420 bool aa_update_label_name(struct aa_ns *ns, struct aa_label *label, gfp_t gfp) 1421 { 1422 struct aa_labelset *ls; 1423 unsigned long flags; 1424 char __counted *name; 1425 bool res = false; 1426 1427 AA_BUG(!ns); 1428 AA_BUG(!label); 1429 1430 if (label->hname || labels_ns(label) != ns) 1431 return res; 1432 1433 if (aa_label_acntsxprint(&name, ns, label, FLAGS_NONE, gfp) == -1) 1434 return res; 1435 1436 ls = labels_set(label); 1437 write_lock_irqsave(&ls->lock, flags); 1438 if (!label->hname && label->flags & FLAG_IN_TREE) { 1439 label->hname = name; 1440 res = true; 1441 } else 1442 aa_put_str(name); 1443 write_unlock_irqrestore(&ls->lock, flags); 1444 1445 return res; 1446 } 1447 1448 /* 1449 * cached label name is present and visible 1450 * @label->hname only exists if label is namespace hierachical 1451 */ 1452 static inline bool use_label_hname(struct aa_ns *ns, struct aa_label *label, 1453 int flags) 1454 { 1455 if (label->hname && (!ns || labels_ns(label) == ns) && 1456 !(flags & ~FLAG_SHOW_MODE)) 1457 return true; 1458 1459 return false; 1460 } 1461 1462 /* helper macro for snprint routines */ 1463 #define update_for_len(total, len, size, str) \ 1464 do { \ 1465 AA_BUG(len < 0); \ 1466 total += len; \ 1467 len = min(len, size); \ 1468 size -= len; \ 1469 str += len; \ 1470 } while (0) 1471 1472 /** 1473 * aa_profile_snxprint - print a profile name to a buffer 1474 * @str: buffer to write to. (MAY BE NULL if @size == 0) 1475 * @size: size of buffer 1476 * @view: namespace profile is being viewed from 1477 * @profile: profile to view (NOT NULL) 1478 * @flags: whether to include the mode string 1479 * @prev_ns: last ns printed when used in compound print 1480 * 1481 * Returns: size of name written or would be written if larger than 1482 * available buffer 1483 * 1484 * Note: will not print anything if the profile is not visible 1485 */ 1486 static int aa_profile_snxprint(char *str, size_t size, struct aa_ns *view, 1487 struct aa_profile *profile, int flags, 1488 struct aa_ns **prev_ns) 1489 { 1490 const char *ns_name = NULL; 1491 1492 AA_BUG(!str && size != 0); 1493 AA_BUG(!profile); 1494 1495 if (!view) 1496 view = profiles_ns(profile); 1497 1498 if (view != profile->ns && 1499 (!prev_ns || (*prev_ns != profile->ns))) { 1500 if (prev_ns) 1501 *prev_ns = profile->ns; 1502 ns_name = aa_ns_name(view, profile->ns, 1503 flags & FLAG_VIEW_SUBNS); 1504 if (ns_name == aa_hidden_ns_name) { 1505 if (flags & FLAG_HIDDEN_UNCONFINED) 1506 return snprintf(str, size, "%s", "unconfined"); 1507 return snprintf(str, size, "%s", ns_name); 1508 } 1509 } 1510 1511 if ((flags & FLAG_SHOW_MODE) && profile != profile->ns->unconfined) { 1512 const char *modestr = aa_profile_mode_names[profile->mode]; 1513 1514 if (ns_name) 1515 return snprintf(str, size, ":%s:%s (%s)", ns_name, 1516 profile->base.hname, modestr); 1517 return snprintf(str, size, "%s (%s)", profile->base.hname, 1518 modestr); 1519 } 1520 1521 if (ns_name) 1522 return snprintf(str, size, ":%s:%s", ns_name, 1523 profile->base.hname); 1524 return snprintf(str, size, "%s", profile->base.hname); 1525 } 1526 1527 static const char *label_modename(struct aa_ns *ns, struct aa_label *label, 1528 int flags) 1529 { 1530 struct aa_profile *profile; 1531 struct label_it i; 1532 int mode = -1, count = 0; 1533 1534 label_for_each(i, label, profile) { 1535 if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) { 1536 if (profile->mode == APPARMOR_UNCONFINED) 1537 /* special case unconfined so stacks with 1538 * unconfined don't report as mixed. ie. 1539 * profile_foo//&:ns1:unconfined (mixed) 1540 */ 1541 continue; 1542 count++; 1543 if (mode == -1) 1544 mode = profile->mode; 1545 else if (mode != profile->mode) 1546 return "mixed"; 1547 } 1548 } 1549 1550 if (count == 0) 1551 return "-"; 1552 if (mode == -1) 1553 /* everything was unconfined */ 1554 mode = APPARMOR_UNCONFINED; 1555 1556 return aa_profile_mode_names[mode]; 1557 } 1558 1559 /* if any visible label is not unconfined the display_mode returns true */ 1560 static inline bool display_mode(struct aa_ns *ns, struct aa_label *label, 1561 int flags) 1562 { 1563 if ((flags & FLAG_SHOW_MODE)) { 1564 struct aa_profile *profile; 1565 struct label_it i; 1566 1567 label_for_each(i, label, profile) { 1568 if (aa_ns_visible(ns, profile->ns, 1569 flags & FLAG_VIEW_SUBNS) && 1570 profile != profile->ns->unconfined) 1571 return true; 1572 } 1573 /* only ns->unconfined in set of profiles in ns */ 1574 return false; 1575 } 1576 1577 return false; 1578 } 1579 1580 /** 1581 * aa_label_snxprint - print a label name to a string buffer 1582 * @str: buffer to write to. (MAY BE NULL if @size == 0) 1583 * @size: size of buffer 1584 * @ns: namespace profile is being viewed from 1585 * @label: label to view (NOT NULL) 1586 * @flags: whether to include the mode string 1587 * 1588 * Returns: size of name written or would be written if larger than 1589 * available buffer 1590 * 1591 * Note: labels do not have to be strictly hierarchical to the ns as 1592 * objects may be shared across different namespaces and thus 1593 * pickup labeling from each ns. If a particular part of the 1594 * label is not visible it will just be excluded. And if none 1595 * of the label is visible "---" will be used. 1596 */ 1597 int aa_label_snxprint(char *str, size_t size, struct aa_ns *ns, 1598 struct aa_label *label, int flags) 1599 { 1600 struct aa_profile *profile; 1601 struct aa_ns *prev_ns = NULL; 1602 struct label_it i; 1603 int count = 0, total = 0; 1604 size_t len; 1605 1606 AA_BUG(!str && size != 0); 1607 AA_BUG(!label); 1608 1609 if (flags & FLAG_ABS_ROOT) { 1610 ns = root_ns; 1611 len = snprintf(str, size, "="); 1612 update_for_len(total, len, size, str); 1613 } else if (!ns) { 1614 ns = labels_ns(label); 1615 } 1616 1617 label_for_each(i, label, profile) { 1618 if (aa_ns_visible(ns, profile->ns, flags & FLAG_VIEW_SUBNS)) { 1619 if (count > 0) { 1620 len = snprintf(str, size, "//&"); 1621 update_for_len(total, len, size, str); 1622 } 1623 len = aa_profile_snxprint(str, size, ns, profile, 1624 flags & FLAG_VIEW_SUBNS, 1625 &prev_ns); 1626 update_for_len(total, len, size, str); 1627 count++; 1628 } 1629 } 1630 1631 if (count == 0) { 1632 if (flags & FLAG_HIDDEN_UNCONFINED) 1633 return snprintf(str, size, "%s", "unconfined"); 1634 return snprintf(str, size, "%s", aa_hidden_ns_name); 1635 } 1636 1637 /* count == 1 && ... is for backwards compat where the mode 1638 * is not displayed for 'unconfined' in the current ns 1639 */ 1640 if (display_mode(ns, label, flags)) { 1641 len = snprintf(str, size, " (%s)", 1642 label_modename(ns, label, flags)); 1643 update_for_len(total, len, size, str); 1644 } 1645 1646 return total; 1647 } 1648 #undef update_for_len 1649 1650 /** 1651 * aa_label_asxprint - allocate a string buffer and print label into it 1652 * @strp: Returns - the allocated buffer with the label name. (NOT NULL) 1653 * @ns: namespace profile is being viewed from 1654 * @label: label to view (NOT NULL) 1655 * @flags: flags controlling what label info is printed 1656 * @gfp: kernel memory allocation type 1657 * 1658 * Returns: size of name written or would be written if larger than 1659 * available buffer 1660 */ 1661 int aa_label_asxprint(char **strp, struct aa_ns *ns, struct aa_label *label, 1662 int flags, gfp_t gfp) 1663 { 1664 int size; 1665 1666 AA_BUG(!strp); 1667 AA_BUG(!label); 1668 1669 size = aa_label_snxprint(NULL, 0, ns, label, flags); 1670 if (size < 0) 1671 return size; 1672 1673 *strp = kmalloc(size + 1, gfp); 1674 if (!*strp) 1675 return -ENOMEM; 1676 return aa_label_snxprint(*strp, size + 1, ns, label, flags); 1677 } 1678 1679 /** 1680 * aa_label_acntsxprint - allocate a __counted string buffer and print label 1681 * @strp: buffer to write to. (MAY BE NULL if @size == 0) 1682 * @ns: namespace profile is being viewed from 1683 * @label: label to view (NOT NULL) 1684 * @flags: flags controlling what label info is printed 1685 * @gfp: kernel memory allocation type 1686 * 1687 * Returns: size of name written or would be written if larger than 1688 * available buffer 1689 */ 1690 int aa_label_acntsxprint(char __counted **strp, struct aa_ns *ns, 1691 struct aa_label *label, int flags, gfp_t gfp) 1692 { 1693 int size; 1694 1695 AA_BUG(!strp); 1696 AA_BUG(!label); 1697 1698 size = aa_label_snxprint(NULL, 0, ns, label, flags); 1699 if (size < 0) 1700 return size; 1701 1702 *strp = aa_str_alloc(size + 1, gfp); 1703 if (!*strp) 1704 return -ENOMEM; 1705 return aa_label_snxprint(*strp, size + 1, ns, label, flags); 1706 } 1707 1708 1709 void aa_label_xaudit(struct audit_buffer *ab, struct aa_ns *ns, 1710 struct aa_label *label, int flags, gfp_t gfp) 1711 { 1712 const char *str; 1713 char *name = NULL; 1714 int len; 1715 1716 AA_BUG(!ab); 1717 AA_BUG(!label); 1718 1719 if (!use_label_hname(ns, label, flags) || 1720 display_mode(ns, label, flags)) { 1721 len = aa_label_asxprint(&name, ns, label, flags, gfp); 1722 if (len == -1) { 1723 AA_DEBUG("label print error"); 1724 return; 1725 } 1726 str = name; 1727 } else { 1728 str = (char *) label->hname; 1729 len = strlen(str); 1730 } 1731 if (audit_string_contains_control(str, len)) 1732 audit_log_n_hex(ab, str, len); 1733 else 1734 audit_log_n_string(ab, str, len); 1735 1736 kfree(name); 1737 } 1738 1739 void aa_label_seq_xprint(struct seq_file *f, struct aa_ns *ns, 1740 struct aa_label *label, int flags, gfp_t gfp) 1741 { 1742 AA_BUG(!f); 1743 AA_BUG(!label); 1744 1745 if (!use_label_hname(ns, label, flags)) { 1746 char *str; 1747 int len; 1748 1749 len = aa_label_asxprint(&str, ns, label, flags, gfp); 1750 if (len == -1) { 1751 AA_DEBUG("label print error"); 1752 return; 1753 } 1754 seq_printf(f, "%s", str); 1755 kfree(str); 1756 } else if (display_mode(ns, label, flags)) 1757 seq_printf(f, "%s (%s)", label->hname, 1758 label_modename(ns, label, flags)); 1759 else 1760 seq_printf(f, "%s", label->hname); 1761 } 1762 1763 void aa_label_xprintk(struct aa_ns *ns, struct aa_label *label, int flags, 1764 gfp_t gfp) 1765 { 1766 AA_BUG(!label); 1767 1768 if (!use_label_hname(ns, label, flags)) { 1769 char *str; 1770 int len; 1771 1772 len = aa_label_asxprint(&str, ns, label, flags, gfp); 1773 if (len == -1) { 1774 AA_DEBUG("label print error"); 1775 return; 1776 } 1777 pr_info("%s", str); 1778 kfree(str); 1779 } else if (display_mode(ns, label, flags)) 1780 pr_info("%s (%s)", label->hname, 1781 label_modename(ns, label, flags)); 1782 else 1783 pr_info("%s", label->hname); 1784 } 1785 1786 void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp) 1787 { 1788 struct aa_ns *ns = aa_get_current_ns(); 1789 1790 aa_label_xaudit(ab, ns, label, FLAG_VIEW_SUBNS, gfp); 1791 aa_put_ns(ns); 1792 } 1793 1794 void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp) 1795 { 1796 struct aa_ns *ns = aa_get_current_ns(); 1797 1798 aa_label_seq_xprint(f, ns, label, FLAG_VIEW_SUBNS, gfp); 1799 aa_put_ns(ns); 1800 } 1801 1802 void aa_label_printk(struct aa_label *label, gfp_t gfp) 1803 { 1804 struct aa_ns *ns = aa_get_current_ns(); 1805 1806 aa_label_xprintk(ns, label, FLAG_VIEW_SUBNS, gfp); 1807 aa_put_ns(ns); 1808 } 1809 1810 static int label_count_strn_entries(const char *str, size_t n) 1811 { 1812 const char *end = str + n; 1813 const char *split; 1814 int count = 1; 1815 1816 AA_BUG(!str); 1817 1818 for (split = aa_label_strn_split(str, end - str); 1819 split; 1820 split = aa_label_strn_split(str, end - str)) { 1821 count++; 1822 str = split + 3; 1823 } 1824 1825 return count; 1826 } 1827 1828 /* 1829 * ensure stacks with components like 1830 * :ns:A//&B 1831 * have :ns: applied to both 'A' and 'B' by making the lookup relative 1832 * to the base if the lookup specifies an ns, else making the stacked lookup 1833 * relative to the last embedded ns in the string. 1834 */ 1835 static struct aa_profile *fqlookupn_profile(struct aa_label *base, 1836 struct aa_label *currentbase, 1837 const char *str, size_t n) 1838 { 1839 const char *first = skipn_spaces(str, n); 1840 1841 if (first && *first == ':') 1842 return aa_fqlookupn_profile(base, str, n); 1843 1844 return aa_fqlookupn_profile(currentbase, str, n); 1845 } 1846 1847 /** 1848 * aa_label_strn_parse - parse, validate and convert a text string to a label 1849 * @base: base label to use for lookups (NOT NULL) 1850 * @str: null terminated text string (NOT NULL) 1851 * @n: length of str to parse, will stop at \0 if encountered before n 1852 * @gfp: allocation type 1853 * @create: true if should create compound labels if they don't exist 1854 * @force_stack: true if should stack even if no leading & 1855 * 1856 * Returns: the matching refcounted label if present 1857 * else ERRPTR 1858 */ 1859 struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str, 1860 size_t n, gfp_t gfp, bool create, 1861 bool force_stack) 1862 { 1863 DEFINE_VEC(profile, vec); 1864 struct aa_label *label, *currbase = base; 1865 int i, len, stack = 0, error; 1866 const char *end = str + n; 1867 const char *split; 1868 1869 AA_BUG(!base); 1870 AA_BUG(!str); 1871 1872 str = skipn_spaces(str, n); 1873 if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label)) 1874 return ERR_PTR(-EINVAL); 1875 1876 len = label_count_strn_entries(str, end - str); 1877 if (*str == '&' || force_stack) { 1878 /* stack on top of base */ 1879 stack = base->size; 1880 len += stack; 1881 if (*str == '&') 1882 str++; 1883 } 1884 1885 error = vec_setup(profile, vec, len, gfp); 1886 if (error) 1887 return ERR_PTR(error); 1888 1889 for (i = 0; i < stack; i++) 1890 vec[i] = aa_get_profile(base->vec[i]); 1891 1892 for (split = aa_label_strn_split(str, end - str), i = stack; 1893 split && i < len; i++) { 1894 vec[i] = fqlookupn_profile(base, currbase, str, split - str); 1895 if (!vec[i]) 1896 goto fail; 1897 /* 1898 * if component specified a new ns it becomes the new base 1899 * so that subsequent lookups are relative to it 1900 */ 1901 if (vec[i]->ns != labels_ns(currbase)) 1902 currbase = &vec[i]->label; 1903 str = split + 3; 1904 split = aa_label_strn_split(str, end - str); 1905 } 1906 /* last element doesn't have a split */ 1907 if (i < len) { 1908 vec[i] = fqlookupn_profile(base, currbase, str, end - str); 1909 if (!vec[i]) 1910 goto fail; 1911 } 1912 if (len == 1) 1913 /* no need to free vec as len < LOCAL_VEC_ENTRIES */ 1914 return &vec[0]->label; 1915 1916 len -= aa_vec_unique(vec, len, VEC_FLAG_TERMINATE); 1917 /* TODO: deal with reference labels */ 1918 if (len == 1) { 1919 label = aa_get_label(&vec[0]->label); 1920 goto out; 1921 } 1922 1923 if (create) 1924 label = aa_vec_find_or_create_label(vec, len, gfp); 1925 else 1926 label = vec_find(vec, len); 1927 if (!label) 1928 goto fail; 1929 1930 out: 1931 /* use adjusted len from after vec_unique, not original */ 1932 vec_cleanup(profile, vec, len); 1933 return label; 1934 1935 fail: 1936 label = ERR_PTR(-ENOENT); 1937 goto out; 1938 } 1939 1940 struct aa_label *aa_label_parse(struct aa_label *base, const char *str, 1941 gfp_t gfp, bool create, bool force_stack) 1942 { 1943 return aa_label_strn_parse(base, str, strlen(str), gfp, create, 1944 force_stack); 1945 } 1946 1947 /** 1948 * aa_labelset_destroy - remove all labels from the label set 1949 * @ls: label set to cleanup (NOT NULL) 1950 * 1951 * Labels that are removed from the set may still exist beyond the set 1952 * being destroyed depending on their reference counting 1953 */ 1954 void aa_labelset_destroy(struct aa_labelset *ls) 1955 { 1956 struct rb_node *node; 1957 unsigned long flags; 1958 1959 AA_BUG(!ls); 1960 1961 write_lock_irqsave(&ls->lock, flags); 1962 for (node = rb_first(&ls->root); node; node = rb_first(&ls->root)) { 1963 struct aa_label *this = rb_entry(node, struct aa_label, node); 1964 1965 if (labels_ns(this) != root_ns) 1966 __label_remove(this, 1967 ns_unconfined(labels_ns(this)->parent)); 1968 else 1969 __label_remove(this, NULL); 1970 } 1971 write_unlock_irqrestore(&ls->lock, flags); 1972 } 1973 1974 /* 1975 * @ls: labelset to init (NOT NULL) 1976 */ 1977 void aa_labelset_init(struct aa_labelset *ls) 1978 { 1979 AA_BUG(!ls); 1980 1981 rwlock_init(&ls->lock); 1982 ls->root = RB_ROOT; 1983 } 1984 1985 static struct aa_label *labelset_next_stale(struct aa_labelset *ls) 1986 { 1987 struct aa_label *label; 1988 struct rb_node *node; 1989 unsigned long flags; 1990 1991 AA_BUG(!ls); 1992 1993 read_lock_irqsave(&ls->lock, flags); 1994 1995 __labelset_for_each(ls, node) { 1996 label = rb_entry(node, struct aa_label, node); 1997 if ((label_is_stale(label) || 1998 vec_is_stale(label->vec, label->size)) && 1999 __aa_get_label(label)) 2000 goto out; 2001 2002 } 2003 label = NULL; 2004 2005 out: 2006 read_unlock_irqrestore(&ls->lock, flags); 2007 2008 return label; 2009 } 2010 2011 /** 2012 * __label_update - insert updated version of @label into labelset 2013 * @label - the label to update/replace 2014 * 2015 * Returns: new label that is up to date 2016 * else NULL on failure 2017 * 2018 * Requires: @ns lock be held 2019 * 2020 * Note: worst case is the stale @label does not get updated and has 2021 * to be updated at a later time. 2022 */ 2023 static struct aa_label *__label_update(struct aa_label *label) 2024 { 2025 struct aa_label *new, *tmp; 2026 struct aa_labelset *ls; 2027 unsigned long flags; 2028 int i, invcount = 0; 2029 2030 AA_BUG(!label); 2031 AA_BUG(!mutex_is_locked(&labels_ns(label)->lock)); 2032 2033 new = aa_label_alloc(label->size, label->proxy, GFP_KERNEL); 2034 if (!new) 2035 return NULL; 2036 2037 /* 2038 * while holding the ns_lock will stop profile replacement, removal, 2039 * and label updates, label merging and removal can be occurring 2040 */ 2041 ls = labels_set(label); 2042 write_lock_irqsave(&ls->lock, flags); 2043 for (i = 0; i < label->size; i++) { 2044 AA_BUG(!label->vec[i]); 2045 new->vec[i] = aa_get_newest_profile(label->vec[i]); 2046 AA_BUG(!new->vec[i]); 2047 AA_BUG(!new->vec[i]->label.proxy); 2048 AA_BUG(!new->vec[i]->label.proxy->label); 2049 if (new->vec[i]->label.proxy != label->vec[i]->label.proxy) 2050 invcount++; 2051 } 2052 2053 /* updated stale label by being removed/renamed from labelset */ 2054 if (invcount) { 2055 new->size -= aa_vec_unique(&new->vec[0], new->size, 2056 VEC_FLAG_TERMINATE); 2057 /* TODO: deal with reference labels */ 2058 if (new->size == 1) { 2059 tmp = aa_get_label(&new->vec[0]->label); 2060 AA_BUG(tmp == label); 2061 goto remove; 2062 } 2063 if (labels_set(label) != labels_set(new)) { 2064 write_unlock_irqrestore(&ls->lock, flags); 2065 tmp = aa_label_insert(labels_set(new), new); 2066 write_lock_irqsave(&ls->lock, flags); 2067 goto remove; 2068 } 2069 } else 2070 AA_BUG(labels_ns(label) != labels_ns(new)); 2071 2072 tmp = __label_insert(labels_set(label), new, true); 2073 remove: 2074 /* ensure label is removed, and redirected correctly */ 2075 __label_remove(label, tmp); 2076 write_unlock_irqrestore(&ls->lock, flags); 2077 label_free_or_put_new(tmp, new); 2078 2079 return tmp; 2080 } 2081 2082 /** 2083 * __labelset_update - update labels in @ns 2084 * @ns: namespace to update labels in (NOT NULL) 2085 * 2086 * Requires: @ns lock be held 2087 * 2088 * Walk the labelset ensuring that all labels are up to date and valid 2089 * Any label that has a stale component is marked stale and replaced and 2090 * by an updated version. 2091 * 2092 * If failures happen due to memory pressures then stale labels will 2093 * be left in place until the next pass. 2094 */ 2095 static void __labelset_update(struct aa_ns *ns) 2096 { 2097 struct aa_label *label; 2098 2099 AA_BUG(!ns); 2100 AA_BUG(!mutex_is_locked(&ns->lock)); 2101 2102 do { 2103 label = labelset_next_stale(&ns->labels); 2104 if (label) { 2105 struct aa_label *l = __label_update(label); 2106 2107 aa_put_label(l); 2108 aa_put_label(label); 2109 } 2110 } while (label); 2111 } 2112 2113 /** 2114 * __aa_labelset_udate_subtree - update all labels with a stale component 2115 * @ns: ns to start update at (NOT NULL) 2116 * 2117 * Requires: @ns lock be held 2118 * 2119 * Invalidates labels based on @p in @ns and any children namespaces. 2120 */ 2121 void __aa_labelset_update_subtree(struct aa_ns *ns) 2122 { 2123 struct aa_ns *child; 2124 2125 AA_BUG(!ns); 2126 AA_BUG(!mutex_is_locked(&ns->lock)); 2127 2128 __labelset_update(ns); 2129 2130 list_for_each_entry(child, &ns->sub_ns, base.list) { 2131 mutex_lock_nested(&child->lock, child->level); 2132 __aa_labelset_update_subtree(child); 2133 mutex_unlock(&child->lock); 2134 } 2135 } 2136