1b5e95b48SJohn Johansen /* 2b5e95b48SJohn Johansen * AppArmor security module 3b5e95b48SJohn Johansen * 4b5e95b48SJohn Johansen * This file contains AppArmor LSM hooks. 5b5e95b48SJohn Johansen * 6b5e95b48SJohn Johansen * Copyright (C) 1998-2008 Novell/SUSE 7b5e95b48SJohn Johansen * Copyright 2009-2010 Canonical Ltd. 8b5e95b48SJohn Johansen * 9b5e95b48SJohn Johansen * This program is free software; you can redistribute it and/or 10b5e95b48SJohn Johansen * modify it under the terms of the GNU General Public License as 11b5e95b48SJohn Johansen * published by the Free Software Foundation, version 2 of the 12b5e95b48SJohn Johansen * License. 13b5e95b48SJohn Johansen */ 14b5e95b48SJohn Johansen 15b5e95b48SJohn Johansen #include <linux/security.h> 16b5e95b48SJohn Johansen #include <linux/moduleparam.h> 17b5e95b48SJohn Johansen #include <linux/mm.h> 18b5e95b48SJohn Johansen #include <linux/mman.h> 19b5e95b48SJohn Johansen #include <linux/mount.h> 20b5e95b48SJohn Johansen #include <linux/namei.h> 21b5e95b48SJohn Johansen #include <linux/ptrace.h> 22b5e95b48SJohn Johansen #include <linux/ctype.h> 23b5e95b48SJohn Johansen #include <linux/sysctl.h> 24b5e95b48SJohn Johansen #include <linux/audit.h> 25b5e95b48SJohn Johansen #include <net/sock.h> 26b5e95b48SJohn Johansen 27b5e95b48SJohn Johansen #include "include/apparmor.h" 28b5e95b48SJohn Johansen #include "include/apparmorfs.h" 29b5e95b48SJohn Johansen #include "include/audit.h" 30b5e95b48SJohn Johansen #include "include/capability.h" 31b5e95b48SJohn Johansen #include "include/context.h" 32b5e95b48SJohn Johansen #include "include/file.h" 33b5e95b48SJohn Johansen #include "include/ipc.h" 34b5e95b48SJohn Johansen #include "include/path.h" 35b5e95b48SJohn Johansen #include "include/policy.h" 36b5e95b48SJohn Johansen #include "include/procattr.h" 37b5e95b48SJohn Johansen 38b5e95b48SJohn Johansen /* Flag indicating whether initialization completed */ 39b5e95b48SJohn Johansen int apparmor_initialized __initdata; 40b5e95b48SJohn Johansen 41b5e95b48SJohn Johansen /* 42b5e95b48SJohn Johansen * LSM hook functions 43b5e95b48SJohn Johansen */ 44b5e95b48SJohn Johansen 45b5e95b48SJohn Johansen /* 46b5e95b48SJohn Johansen * free the associated aa_task_cxt and put its profiles 47b5e95b48SJohn Johansen */ 48b5e95b48SJohn Johansen static void apparmor_cred_free(struct cred *cred) 49b5e95b48SJohn Johansen { 50b5e95b48SJohn Johansen aa_free_task_context(cred->security); 51b5e95b48SJohn Johansen cred->security = NULL; 52b5e95b48SJohn Johansen } 53b5e95b48SJohn Johansen 54b5e95b48SJohn Johansen /* 55b5e95b48SJohn Johansen * allocate the apparmor part of blank credentials 56b5e95b48SJohn Johansen */ 57b5e95b48SJohn Johansen static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 58b5e95b48SJohn Johansen { 59b5e95b48SJohn Johansen /* freed by apparmor_cred_free */ 60b5e95b48SJohn Johansen struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 61b5e95b48SJohn Johansen if (!cxt) 62b5e95b48SJohn Johansen return -ENOMEM; 63b5e95b48SJohn Johansen 64b5e95b48SJohn Johansen cred->security = cxt; 65b5e95b48SJohn Johansen return 0; 66b5e95b48SJohn Johansen } 67b5e95b48SJohn Johansen 68b5e95b48SJohn Johansen /* 69b5e95b48SJohn Johansen * prepare new aa_task_cxt for modification by prepare_cred block 70b5e95b48SJohn Johansen */ 71b5e95b48SJohn Johansen static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 72b5e95b48SJohn Johansen gfp_t gfp) 73b5e95b48SJohn Johansen { 74b5e95b48SJohn Johansen /* freed by apparmor_cred_free */ 75b5e95b48SJohn Johansen struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 76b5e95b48SJohn Johansen if (!cxt) 77b5e95b48SJohn Johansen return -ENOMEM; 78b5e95b48SJohn Johansen 79b5e95b48SJohn Johansen aa_dup_task_context(cxt, old->security); 80b5e95b48SJohn Johansen new->security = cxt; 81b5e95b48SJohn Johansen return 0; 82b5e95b48SJohn Johansen } 83b5e95b48SJohn Johansen 84b5e95b48SJohn Johansen /* 85b5e95b48SJohn Johansen * transfer the apparmor data to a blank set of creds 86b5e95b48SJohn Johansen */ 87b5e95b48SJohn Johansen static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 88b5e95b48SJohn Johansen { 89b5e95b48SJohn Johansen const struct aa_task_cxt *old_cxt = old->security; 90b5e95b48SJohn Johansen struct aa_task_cxt *new_cxt = new->security; 91b5e95b48SJohn Johansen 92b5e95b48SJohn Johansen aa_dup_task_context(new_cxt, old_cxt); 93b5e95b48SJohn Johansen } 94b5e95b48SJohn Johansen 95b5e95b48SJohn Johansen static int apparmor_ptrace_access_check(struct task_struct *child, 96b5e95b48SJohn Johansen unsigned int mode) 97b5e95b48SJohn Johansen { 98b5e95b48SJohn Johansen int error = cap_ptrace_access_check(child, mode); 99b5e95b48SJohn Johansen if (error) 100b5e95b48SJohn Johansen return error; 101b5e95b48SJohn Johansen 102b5e95b48SJohn Johansen return aa_ptrace(current, child, mode); 103b5e95b48SJohn Johansen } 104b5e95b48SJohn Johansen 105b5e95b48SJohn Johansen static int apparmor_ptrace_traceme(struct task_struct *parent) 106b5e95b48SJohn Johansen { 107b5e95b48SJohn Johansen int error = cap_ptrace_traceme(parent); 108b5e95b48SJohn Johansen if (error) 109b5e95b48SJohn Johansen return error; 110b5e95b48SJohn Johansen 111b5e95b48SJohn Johansen return aa_ptrace(parent, current, PTRACE_MODE_ATTACH); 112b5e95b48SJohn Johansen } 113b5e95b48SJohn Johansen 114b5e95b48SJohn Johansen /* Derived from security/commoncap.c:cap_capget */ 115b5e95b48SJohn Johansen static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 116b5e95b48SJohn Johansen kernel_cap_t *inheritable, kernel_cap_t *permitted) 117b5e95b48SJohn Johansen { 118b5e95b48SJohn Johansen struct aa_profile *profile; 119b5e95b48SJohn Johansen const struct cred *cred; 120b5e95b48SJohn Johansen 121b5e95b48SJohn Johansen rcu_read_lock(); 122b5e95b48SJohn Johansen cred = __task_cred(target); 123b5e95b48SJohn Johansen profile = aa_cred_profile(cred); 124b5e95b48SJohn Johansen 125b5e95b48SJohn Johansen *effective = cred->cap_effective; 126b5e95b48SJohn Johansen *inheritable = cred->cap_inheritable; 127b5e95b48SJohn Johansen *permitted = cred->cap_permitted; 128b5e95b48SJohn Johansen 129b5e95b48SJohn Johansen if (!unconfined(profile)) { 130b5e95b48SJohn Johansen *effective = cap_intersect(*effective, profile->caps.allow); 131b5e95b48SJohn Johansen *permitted = cap_intersect(*permitted, profile->caps.allow); 132b5e95b48SJohn Johansen } 133b5e95b48SJohn Johansen rcu_read_unlock(); 134b5e95b48SJohn Johansen 135b5e95b48SJohn Johansen return 0; 136b5e95b48SJohn Johansen } 137b5e95b48SJohn Johansen 138b5e95b48SJohn Johansen static int apparmor_capable(struct task_struct *task, const struct cred *cred, 139b5e95b48SJohn Johansen int cap, int audit) 140b5e95b48SJohn Johansen { 141b5e95b48SJohn Johansen struct aa_profile *profile; 142b5e95b48SJohn Johansen /* cap_capable returns 0 on success, else -EPERM */ 143b5e95b48SJohn Johansen int error = cap_capable(task, cred, cap, audit); 144b5e95b48SJohn Johansen if (!error) { 145b5e95b48SJohn Johansen profile = aa_cred_profile(cred); 146b5e95b48SJohn Johansen if (!unconfined(profile)) 147b5e95b48SJohn Johansen error = aa_capable(task, profile, cap, audit); 148b5e95b48SJohn Johansen } 149b5e95b48SJohn Johansen return error; 150b5e95b48SJohn Johansen } 151b5e95b48SJohn Johansen 152b5e95b48SJohn Johansen /** 153b5e95b48SJohn Johansen * common_perm - basic common permission check wrapper fn for paths 154b5e95b48SJohn Johansen * @op: operation being checked 155b5e95b48SJohn Johansen * @path: path to check permission of (NOT NULL) 156b5e95b48SJohn Johansen * @mask: requested permissions mask 157b5e95b48SJohn Johansen * @cond: conditional info for the permission request (NOT NULL) 158b5e95b48SJohn Johansen * 159b5e95b48SJohn Johansen * Returns: %0 else error code if error or permission denied 160b5e95b48SJohn Johansen */ 161b5e95b48SJohn Johansen static int common_perm(int op, struct path *path, u32 mask, 162b5e95b48SJohn Johansen struct path_cond *cond) 163b5e95b48SJohn Johansen { 164b5e95b48SJohn Johansen struct aa_profile *profile; 165b5e95b48SJohn Johansen int error = 0; 166b5e95b48SJohn Johansen 167b5e95b48SJohn Johansen profile = __aa_current_profile(); 168b5e95b48SJohn Johansen if (!unconfined(profile)) 169b5e95b48SJohn Johansen error = aa_path_perm(op, profile, path, 0, mask, cond); 170b5e95b48SJohn Johansen 171b5e95b48SJohn Johansen return error; 172b5e95b48SJohn Johansen } 173b5e95b48SJohn Johansen 174b5e95b48SJohn Johansen /** 175b5e95b48SJohn Johansen * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 176b5e95b48SJohn Johansen * @op: operation being checked 177b5e95b48SJohn Johansen * @dir: directory of the dentry (NOT NULL) 178b5e95b48SJohn Johansen * @dentry: dentry to check (NOT NULL) 179b5e95b48SJohn Johansen * @mask: requested permissions mask 180b5e95b48SJohn Johansen * @cond: conditional info for the permission request (NOT NULL) 181b5e95b48SJohn Johansen * 182b5e95b48SJohn Johansen * Returns: %0 else error code if error or permission denied 183b5e95b48SJohn Johansen */ 184b5e95b48SJohn Johansen static int common_perm_dir_dentry(int op, struct path *dir, 185b5e95b48SJohn Johansen struct dentry *dentry, u32 mask, 186b5e95b48SJohn Johansen struct path_cond *cond) 187b5e95b48SJohn Johansen { 188b5e95b48SJohn Johansen struct path path = { dir->mnt, dentry }; 189b5e95b48SJohn Johansen 190b5e95b48SJohn Johansen return common_perm(op, &path, mask, cond); 191b5e95b48SJohn Johansen } 192b5e95b48SJohn Johansen 193b5e95b48SJohn Johansen /** 194b5e95b48SJohn Johansen * common_perm_mnt_dentry - common permission wrapper when mnt, dentry 195b5e95b48SJohn Johansen * @op: operation being checked 196b5e95b48SJohn Johansen * @mnt: mount point of dentry (NOT NULL) 197b5e95b48SJohn Johansen * @dentry: dentry to check (NOT NULL) 198b5e95b48SJohn Johansen * @mask: requested permissions mask 199b5e95b48SJohn Johansen * 200b5e95b48SJohn Johansen * Returns: %0 else error code if error or permission denied 201b5e95b48SJohn Johansen */ 202b5e95b48SJohn Johansen static int common_perm_mnt_dentry(int op, struct vfsmount *mnt, 203b5e95b48SJohn Johansen struct dentry *dentry, u32 mask) 204b5e95b48SJohn Johansen { 205b5e95b48SJohn Johansen struct path path = { mnt, dentry }; 206b5e95b48SJohn Johansen struct path_cond cond = { dentry->d_inode->i_uid, 207b5e95b48SJohn Johansen dentry->d_inode->i_mode 208b5e95b48SJohn Johansen }; 209b5e95b48SJohn Johansen 210b5e95b48SJohn Johansen return common_perm(op, &path, mask, &cond); 211b5e95b48SJohn Johansen } 212b5e95b48SJohn Johansen 213b5e95b48SJohn Johansen /** 214b5e95b48SJohn Johansen * common_perm_rm - common permission wrapper for operations doing rm 215b5e95b48SJohn Johansen * @op: operation being checked 216b5e95b48SJohn Johansen * @dir: directory that the dentry is in (NOT NULL) 217b5e95b48SJohn Johansen * @dentry: dentry being rm'd (NOT NULL) 218b5e95b48SJohn Johansen * @mask: requested permission mask 219b5e95b48SJohn Johansen * 220b5e95b48SJohn Johansen * Returns: %0 else error code if error or permission denied 221b5e95b48SJohn Johansen */ 222b5e95b48SJohn Johansen static int common_perm_rm(int op, struct path *dir, 223b5e95b48SJohn Johansen struct dentry *dentry, u32 mask) 224b5e95b48SJohn Johansen { 225b5e95b48SJohn Johansen struct inode *inode = dentry->d_inode; 226b5e95b48SJohn Johansen struct path_cond cond = { }; 227b5e95b48SJohn Johansen 228b5e95b48SJohn Johansen if (!inode || !dir->mnt || !mediated_filesystem(inode)) 229b5e95b48SJohn Johansen return 0; 230b5e95b48SJohn Johansen 231b5e95b48SJohn Johansen cond.uid = inode->i_uid; 232b5e95b48SJohn Johansen cond.mode = inode->i_mode; 233b5e95b48SJohn Johansen 234b5e95b48SJohn Johansen return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 235b5e95b48SJohn Johansen } 236b5e95b48SJohn Johansen 237b5e95b48SJohn Johansen /** 238b5e95b48SJohn Johansen * common_perm_create - common permission wrapper for operations doing create 239b5e95b48SJohn Johansen * @op: operation being checked 240b5e95b48SJohn Johansen * @dir: directory that dentry will be created in (NOT NULL) 241b5e95b48SJohn Johansen * @dentry: dentry to create (NOT NULL) 242b5e95b48SJohn Johansen * @mask: request permission mask 243b5e95b48SJohn Johansen * @mode: created file mode 244b5e95b48SJohn Johansen * 245b5e95b48SJohn Johansen * Returns: %0 else error code if error or permission denied 246b5e95b48SJohn Johansen */ 247b5e95b48SJohn Johansen static int common_perm_create(int op, struct path *dir, struct dentry *dentry, 248b5e95b48SJohn Johansen u32 mask, umode_t mode) 249b5e95b48SJohn Johansen { 250b5e95b48SJohn Johansen struct path_cond cond = { current_fsuid(), mode }; 251b5e95b48SJohn Johansen 252b5e95b48SJohn Johansen if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode)) 253b5e95b48SJohn Johansen return 0; 254b5e95b48SJohn Johansen 255b5e95b48SJohn Johansen return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 256b5e95b48SJohn Johansen } 257b5e95b48SJohn Johansen 258b5e95b48SJohn Johansen static int apparmor_path_unlink(struct path *dir, struct dentry *dentry) 259b5e95b48SJohn Johansen { 260b5e95b48SJohn Johansen return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 261b5e95b48SJohn Johansen } 262b5e95b48SJohn Johansen 263b5e95b48SJohn Johansen static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry, 264b5e95b48SJohn Johansen int mode) 265b5e95b48SJohn Johansen { 266b5e95b48SJohn Johansen return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 267b5e95b48SJohn Johansen S_IFDIR); 268b5e95b48SJohn Johansen } 269b5e95b48SJohn Johansen 270b5e95b48SJohn Johansen static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry) 271b5e95b48SJohn Johansen { 272b5e95b48SJohn Johansen return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 273b5e95b48SJohn Johansen } 274b5e95b48SJohn Johansen 275b5e95b48SJohn Johansen static int apparmor_path_mknod(struct path *dir, struct dentry *dentry, 276b5e95b48SJohn Johansen int mode, unsigned int dev) 277b5e95b48SJohn Johansen { 278b5e95b48SJohn Johansen return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 279b5e95b48SJohn Johansen } 280b5e95b48SJohn Johansen 2814d6ec10bSJames Morris static int apparmor_path_truncate(struct path *path) 282b5e95b48SJohn Johansen { 283b5e95b48SJohn Johansen struct path_cond cond = { path->dentry->d_inode->i_uid, 284b5e95b48SJohn Johansen path->dentry->d_inode->i_mode 285b5e95b48SJohn Johansen }; 286b5e95b48SJohn Johansen 287b5e95b48SJohn Johansen if (!path->mnt || !mediated_filesystem(path->dentry->d_inode)) 288b5e95b48SJohn Johansen return 0; 289b5e95b48SJohn Johansen 290b5e95b48SJohn Johansen return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE, 291b5e95b48SJohn Johansen &cond); 292b5e95b48SJohn Johansen } 293b5e95b48SJohn Johansen 294b5e95b48SJohn Johansen static int apparmor_path_symlink(struct path *dir, struct dentry *dentry, 295b5e95b48SJohn Johansen const char *old_name) 296b5e95b48SJohn Johansen { 297b5e95b48SJohn Johansen return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 298b5e95b48SJohn Johansen S_IFLNK); 299b5e95b48SJohn Johansen } 300b5e95b48SJohn Johansen 301b5e95b48SJohn Johansen static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir, 302b5e95b48SJohn Johansen struct dentry *new_dentry) 303b5e95b48SJohn Johansen { 304b5e95b48SJohn Johansen struct aa_profile *profile; 305b5e95b48SJohn Johansen int error = 0; 306b5e95b48SJohn Johansen 307b5e95b48SJohn Johansen if (!mediated_filesystem(old_dentry->d_inode)) 308b5e95b48SJohn Johansen return 0; 309b5e95b48SJohn Johansen 310b5e95b48SJohn Johansen profile = aa_current_profile(); 311b5e95b48SJohn Johansen if (!unconfined(profile)) 312b5e95b48SJohn Johansen error = aa_path_link(profile, old_dentry, new_dir, new_dentry); 313b5e95b48SJohn Johansen return error; 314b5e95b48SJohn Johansen } 315b5e95b48SJohn Johansen 316b5e95b48SJohn Johansen static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry, 317b5e95b48SJohn Johansen struct path *new_dir, struct dentry *new_dentry) 318b5e95b48SJohn Johansen { 319b5e95b48SJohn Johansen struct aa_profile *profile; 320b5e95b48SJohn Johansen int error = 0; 321b5e95b48SJohn Johansen 322b5e95b48SJohn Johansen if (!mediated_filesystem(old_dentry->d_inode)) 323b5e95b48SJohn Johansen return 0; 324b5e95b48SJohn Johansen 325b5e95b48SJohn Johansen profile = aa_current_profile(); 326b5e95b48SJohn Johansen if (!unconfined(profile)) { 327b5e95b48SJohn Johansen struct path old_path = { old_dir->mnt, old_dentry }; 328b5e95b48SJohn Johansen struct path new_path = { new_dir->mnt, new_dentry }; 329b5e95b48SJohn Johansen struct path_cond cond = { old_dentry->d_inode->i_uid, 330b5e95b48SJohn Johansen old_dentry->d_inode->i_mode 331b5e95b48SJohn Johansen }; 332b5e95b48SJohn Johansen 333b5e95b48SJohn Johansen error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0, 334b5e95b48SJohn Johansen MAY_READ | AA_MAY_META_READ | MAY_WRITE | 335b5e95b48SJohn Johansen AA_MAY_META_WRITE | AA_MAY_DELETE, 336b5e95b48SJohn Johansen &cond); 337b5e95b48SJohn Johansen if (!error) 338b5e95b48SJohn Johansen error = aa_path_perm(OP_RENAME_DEST, profile, &new_path, 339b5e95b48SJohn Johansen 0, MAY_WRITE | AA_MAY_META_WRITE | 340b5e95b48SJohn Johansen AA_MAY_CREATE, &cond); 341b5e95b48SJohn Johansen 342b5e95b48SJohn Johansen } 343b5e95b48SJohn Johansen return error; 344b5e95b48SJohn Johansen } 345b5e95b48SJohn Johansen 346b5e95b48SJohn Johansen static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt, 347b5e95b48SJohn Johansen mode_t mode) 348b5e95b48SJohn Johansen { 349b5e95b48SJohn Johansen if (!mediated_filesystem(dentry->d_inode)) 350b5e95b48SJohn Johansen return 0; 351b5e95b48SJohn Johansen 352b5e95b48SJohn Johansen return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD); 353b5e95b48SJohn Johansen } 354b5e95b48SJohn Johansen 355b5e95b48SJohn Johansen static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid) 356b5e95b48SJohn Johansen { 357b5e95b48SJohn Johansen struct path_cond cond = { path->dentry->d_inode->i_uid, 358b5e95b48SJohn Johansen path->dentry->d_inode->i_mode 359b5e95b48SJohn Johansen }; 360b5e95b48SJohn Johansen 361b5e95b48SJohn Johansen if (!mediated_filesystem(path->dentry->d_inode)) 362b5e95b48SJohn Johansen return 0; 363b5e95b48SJohn Johansen 364b5e95b48SJohn Johansen return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond); 365b5e95b48SJohn Johansen } 366b5e95b48SJohn Johansen 367b5e95b48SJohn Johansen static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 368b5e95b48SJohn Johansen { 369b5e95b48SJohn Johansen if (!mediated_filesystem(dentry->d_inode)) 370b5e95b48SJohn Johansen return 0; 371b5e95b48SJohn Johansen 372b5e95b48SJohn Johansen return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry, 373b5e95b48SJohn Johansen AA_MAY_META_READ); 374b5e95b48SJohn Johansen } 375b5e95b48SJohn Johansen 376b5e95b48SJohn Johansen static int apparmor_dentry_open(struct file *file, const struct cred *cred) 377b5e95b48SJohn Johansen { 378b5e95b48SJohn Johansen struct aa_file_cxt *fcxt = file->f_security; 379b5e95b48SJohn Johansen struct aa_profile *profile; 380b5e95b48SJohn Johansen int error = 0; 381b5e95b48SJohn Johansen 382b5e95b48SJohn Johansen if (!mediated_filesystem(file->f_path.dentry->d_inode)) 383b5e95b48SJohn Johansen return 0; 384b5e95b48SJohn Johansen 385b5e95b48SJohn Johansen /* If in exec, permission is handled by bprm hooks. 386b5e95b48SJohn Johansen * Cache permissions granted by the previous exec check, with 387b5e95b48SJohn Johansen * implicit read and executable mmap which are required to 388b5e95b48SJohn Johansen * actually execute the image. 389b5e95b48SJohn Johansen */ 390b5e95b48SJohn Johansen if (current->in_execve) { 391b5e95b48SJohn Johansen fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 392b5e95b48SJohn Johansen return 0; 393b5e95b48SJohn Johansen } 394b5e95b48SJohn Johansen 395b5e95b48SJohn Johansen profile = aa_cred_profile(cred); 396b5e95b48SJohn Johansen if (!unconfined(profile)) { 397b5e95b48SJohn Johansen struct inode *inode = file->f_path.dentry->d_inode; 398b5e95b48SJohn Johansen struct path_cond cond = { inode->i_uid, inode->i_mode }; 399b5e95b48SJohn Johansen 400b5e95b48SJohn Johansen error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0, 401b5e95b48SJohn Johansen aa_map_file_to_perms(file), &cond); 402b5e95b48SJohn Johansen /* todo cache full allowed permissions set and state */ 403b5e95b48SJohn Johansen fcxt->allow = aa_map_file_to_perms(file); 404b5e95b48SJohn Johansen } 405b5e95b48SJohn Johansen 406b5e95b48SJohn Johansen return error; 407b5e95b48SJohn Johansen } 408b5e95b48SJohn Johansen 409b5e95b48SJohn Johansen static int apparmor_file_alloc_security(struct file *file) 410b5e95b48SJohn Johansen { 411b5e95b48SJohn Johansen /* freed by apparmor_file_free_security */ 412b5e95b48SJohn Johansen file->f_security = aa_alloc_file_context(GFP_KERNEL); 413b5e95b48SJohn Johansen if (!file->f_security) 414b5e95b48SJohn Johansen return -ENOMEM; 415b5e95b48SJohn Johansen return 0; 416b5e95b48SJohn Johansen 417b5e95b48SJohn Johansen } 418b5e95b48SJohn Johansen 419b5e95b48SJohn Johansen static void apparmor_file_free_security(struct file *file) 420b5e95b48SJohn Johansen { 421b5e95b48SJohn Johansen struct aa_file_cxt *cxt = file->f_security; 422b5e95b48SJohn Johansen 423b5e95b48SJohn Johansen aa_free_file_context(cxt); 424b5e95b48SJohn Johansen } 425b5e95b48SJohn Johansen 426b5e95b48SJohn Johansen static int common_file_perm(int op, struct file *file, u32 mask) 427b5e95b48SJohn Johansen { 428b5e95b48SJohn Johansen struct aa_file_cxt *fcxt = file->f_security; 429b5e95b48SJohn Johansen struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred); 430b5e95b48SJohn Johansen int error = 0; 431b5e95b48SJohn Johansen 432b5e95b48SJohn Johansen BUG_ON(!fprofile); 433b5e95b48SJohn Johansen 434b5e95b48SJohn Johansen if (!file->f_path.mnt || 435b5e95b48SJohn Johansen !mediated_filesystem(file->f_path.dentry->d_inode)) 436b5e95b48SJohn Johansen return 0; 437b5e95b48SJohn Johansen 438b5e95b48SJohn Johansen profile = __aa_current_profile(); 439b5e95b48SJohn Johansen 440b5e95b48SJohn Johansen /* revalidate access, if task is unconfined, or the cached cred 441b5e95b48SJohn Johansen * doesn't match or if the request is for more permissions than 442b5e95b48SJohn Johansen * was granted. 443b5e95b48SJohn Johansen * 444b5e95b48SJohn Johansen * Note: the test for !unconfined(fprofile) is to handle file 445b5e95b48SJohn Johansen * delegation from unconfined tasks 446b5e95b48SJohn Johansen */ 447b5e95b48SJohn Johansen if (!unconfined(profile) && !unconfined(fprofile) && 448b5e95b48SJohn Johansen ((fprofile != profile) || (mask & ~fcxt->allow))) 449b5e95b48SJohn Johansen error = aa_file_perm(op, profile, file, mask); 450b5e95b48SJohn Johansen 451b5e95b48SJohn Johansen return error; 452b5e95b48SJohn Johansen } 453b5e95b48SJohn Johansen 454b5e95b48SJohn Johansen static int apparmor_file_permission(struct file *file, int mask) 455b5e95b48SJohn Johansen { 456b5e95b48SJohn Johansen return common_file_perm(OP_FPERM, file, mask); 457b5e95b48SJohn Johansen } 458b5e95b48SJohn Johansen 459b5e95b48SJohn Johansen static int apparmor_file_lock(struct file *file, unsigned int cmd) 460b5e95b48SJohn Johansen { 461b5e95b48SJohn Johansen u32 mask = AA_MAY_LOCK; 462b5e95b48SJohn Johansen 463b5e95b48SJohn Johansen if (cmd == F_WRLCK) 464b5e95b48SJohn Johansen mask |= MAY_WRITE; 465b5e95b48SJohn Johansen 466b5e95b48SJohn Johansen return common_file_perm(OP_FLOCK, file, mask); 467b5e95b48SJohn Johansen } 468b5e95b48SJohn Johansen 469b5e95b48SJohn Johansen static int common_mmap(int op, struct file *file, unsigned long prot, 470b5e95b48SJohn Johansen unsigned long flags) 471b5e95b48SJohn Johansen { 472b5e95b48SJohn Johansen struct dentry *dentry; 473b5e95b48SJohn Johansen int mask = 0; 474b5e95b48SJohn Johansen 475b5e95b48SJohn Johansen if (!file || !file->f_security) 476b5e95b48SJohn Johansen return 0; 477b5e95b48SJohn Johansen 478b5e95b48SJohn Johansen if (prot & PROT_READ) 479b5e95b48SJohn Johansen mask |= MAY_READ; 480b5e95b48SJohn Johansen /* 481b5e95b48SJohn Johansen * Private mappings don't require write perms since they don't 482b5e95b48SJohn Johansen * write back to the files 483b5e95b48SJohn Johansen */ 484b5e95b48SJohn Johansen if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 485b5e95b48SJohn Johansen mask |= MAY_WRITE; 486b5e95b48SJohn Johansen if (prot & PROT_EXEC) 487b5e95b48SJohn Johansen mask |= AA_EXEC_MMAP; 488b5e95b48SJohn Johansen 489b5e95b48SJohn Johansen dentry = file->f_path.dentry; 490b5e95b48SJohn Johansen return common_file_perm(op, file, mask); 491b5e95b48SJohn Johansen } 492b5e95b48SJohn Johansen 493b5e95b48SJohn Johansen static int apparmor_file_mmap(struct file *file, unsigned long reqprot, 494b5e95b48SJohn Johansen unsigned long prot, unsigned long flags, 495b5e95b48SJohn Johansen unsigned long addr, unsigned long addr_only) 496b5e95b48SJohn Johansen { 497b5e95b48SJohn Johansen int rc = 0; 498b5e95b48SJohn Johansen 499b5e95b48SJohn Johansen /* do DAC check */ 500b5e95b48SJohn Johansen rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 501b5e95b48SJohn Johansen if (rc || addr_only) 502b5e95b48SJohn Johansen return rc; 503b5e95b48SJohn Johansen 504b5e95b48SJohn Johansen return common_mmap(OP_FMMAP, file, prot, flags); 505b5e95b48SJohn Johansen } 506b5e95b48SJohn Johansen 507b5e95b48SJohn Johansen static int apparmor_file_mprotect(struct vm_area_struct *vma, 508b5e95b48SJohn Johansen unsigned long reqprot, unsigned long prot) 509b5e95b48SJohn Johansen { 510b5e95b48SJohn Johansen return common_mmap(OP_FMPROT, vma->vm_file, prot, 511b5e95b48SJohn Johansen !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512b5e95b48SJohn Johansen } 513b5e95b48SJohn Johansen 514b5e95b48SJohn Johansen static int apparmor_getprocattr(struct task_struct *task, char *name, 515b5e95b48SJohn Johansen char **value) 516b5e95b48SJohn Johansen { 517b5e95b48SJohn Johansen int error = -ENOENT; 518b5e95b48SJohn Johansen struct aa_profile *profile; 519b5e95b48SJohn Johansen /* released below */ 520b5e95b48SJohn Johansen const struct cred *cred = get_task_cred(task); 521b5e95b48SJohn Johansen struct aa_task_cxt *cxt = cred->security; 522b5e95b48SJohn Johansen profile = aa_cred_profile(cred); 523b5e95b48SJohn Johansen 524b5e95b48SJohn Johansen if (strcmp(name, "current") == 0) 525b5e95b48SJohn Johansen error = aa_getprocattr(aa_newest_version(cxt->profile), 526b5e95b48SJohn Johansen value); 527b5e95b48SJohn Johansen else if (strcmp(name, "prev") == 0 && cxt->previous) 528b5e95b48SJohn Johansen error = aa_getprocattr(aa_newest_version(cxt->previous), 529b5e95b48SJohn Johansen value); 530b5e95b48SJohn Johansen else if (strcmp(name, "exec") == 0 && cxt->onexec) 531b5e95b48SJohn Johansen error = aa_getprocattr(aa_newest_version(cxt->onexec), 532b5e95b48SJohn Johansen value); 533b5e95b48SJohn Johansen else 534b5e95b48SJohn Johansen error = -EINVAL; 535b5e95b48SJohn Johansen 536b5e95b48SJohn Johansen put_cred(cred); 537b5e95b48SJohn Johansen 538b5e95b48SJohn Johansen return error; 539b5e95b48SJohn Johansen } 540b5e95b48SJohn Johansen 541b5e95b48SJohn Johansen static int apparmor_setprocattr(struct task_struct *task, char *name, 542b5e95b48SJohn Johansen void *value, size_t size) 543b5e95b48SJohn Johansen { 544b5e95b48SJohn Johansen char *command, *args = value; 545b5e95b48SJohn Johansen size_t arg_size; 546b5e95b48SJohn Johansen int error; 547b5e95b48SJohn Johansen 548b5e95b48SJohn Johansen if (size == 0) 549b5e95b48SJohn Johansen return -EINVAL; 550b5e95b48SJohn Johansen /* args points to a PAGE_SIZE buffer, AppArmor requires that 551b5e95b48SJohn Johansen * the buffer must be null terminated or have size <= PAGE_SIZE -1 552b5e95b48SJohn Johansen * so that AppArmor can null terminate them 553b5e95b48SJohn Johansen */ 554b5e95b48SJohn Johansen if (args[size - 1] != '\0') { 555b5e95b48SJohn Johansen if (size == PAGE_SIZE) 556b5e95b48SJohn Johansen return -EINVAL; 557b5e95b48SJohn Johansen args[size] = '\0'; 558b5e95b48SJohn Johansen } 559b5e95b48SJohn Johansen 560b5e95b48SJohn Johansen /* task can only write its own attributes */ 561b5e95b48SJohn Johansen if (current != task) 562b5e95b48SJohn Johansen return -EACCES; 563b5e95b48SJohn Johansen 564b5e95b48SJohn Johansen args = value; 565b5e95b48SJohn Johansen args = strim(args); 566b5e95b48SJohn Johansen command = strsep(&args, " "); 567b5e95b48SJohn Johansen if (!args) 568b5e95b48SJohn Johansen return -EINVAL; 569b5e95b48SJohn Johansen args = skip_spaces(args); 570b5e95b48SJohn Johansen if (!*args) 571b5e95b48SJohn Johansen return -EINVAL; 572b5e95b48SJohn Johansen 573b5e95b48SJohn Johansen arg_size = size - (args - (char *) value); 574b5e95b48SJohn Johansen if (strcmp(name, "current") == 0) { 575b5e95b48SJohn Johansen if (strcmp(command, "changehat") == 0) { 576b5e95b48SJohn Johansen error = aa_setprocattr_changehat(args, arg_size, 577b5e95b48SJohn Johansen !AA_DO_TEST); 578b5e95b48SJohn Johansen } else if (strcmp(command, "permhat") == 0) { 579b5e95b48SJohn Johansen error = aa_setprocattr_changehat(args, arg_size, 580b5e95b48SJohn Johansen AA_DO_TEST); 581b5e95b48SJohn Johansen } else if (strcmp(command, "changeprofile") == 0) { 582b5e95b48SJohn Johansen error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 583b5e95b48SJohn Johansen !AA_DO_TEST); 584b5e95b48SJohn Johansen } else if (strcmp(command, "permprofile") == 0) { 585b5e95b48SJohn Johansen error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 586b5e95b48SJohn Johansen AA_DO_TEST); 587b5e95b48SJohn Johansen } else if (strcmp(command, "permipc") == 0) { 588b5e95b48SJohn Johansen error = aa_setprocattr_permipc(args); 589b5e95b48SJohn Johansen } else { 590b5e95b48SJohn Johansen struct common_audit_data sa; 591b5e95b48SJohn Johansen COMMON_AUDIT_DATA_INIT(&sa, NONE); 592b5e95b48SJohn Johansen sa.aad.op = OP_SETPROCATTR; 593b5e95b48SJohn Johansen sa.aad.info = name; 594b5e95b48SJohn Johansen sa.aad.error = -EINVAL; 595b5e95b48SJohn Johansen return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL, 596b5e95b48SJohn Johansen &sa, NULL); 597b5e95b48SJohn Johansen } 598b5e95b48SJohn Johansen } else if (strcmp(name, "exec") == 0) { 599b5e95b48SJohn Johansen error = aa_setprocattr_changeprofile(args, AA_ONEXEC, 600b5e95b48SJohn Johansen !AA_DO_TEST); 601b5e95b48SJohn Johansen } else { 602b5e95b48SJohn Johansen /* only support the "current" and "exec" process attributes */ 603b5e95b48SJohn Johansen return -EINVAL; 604b5e95b48SJohn Johansen } 605b5e95b48SJohn Johansen if (!error) 606b5e95b48SJohn Johansen error = size; 607b5e95b48SJohn Johansen return error; 608b5e95b48SJohn Johansen } 609b5e95b48SJohn Johansen 610b5e95b48SJohn Johansen static int apparmor_task_setrlimit(unsigned int resource, 611b5e95b48SJohn Johansen struct rlimit *new_rlim) 612b5e95b48SJohn Johansen { 613b5e95b48SJohn Johansen struct aa_profile *profile = aa_current_profile(); 614b5e95b48SJohn Johansen int error = 0; 615b5e95b48SJohn Johansen 616b5e95b48SJohn Johansen if (!unconfined(profile)) 617b5e95b48SJohn Johansen error = aa_task_setrlimit(profile, resource, new_rlim); 618b5e95b48SJohn Johansen 619b5e95b48SJohn Johansen return error; 620b5e95b48SJohn Johansen } 621b5e95b48SJohn Johansen 622b5e95b48SJohn Johansen static struct security_operations apparmor_ops = { 623b5e95b48SJohn Johansen .name = "apparmor", 624b5e95b48SJohn Johansen 625b5e95b48SJohn Johansen .ptrace_access_check = apparmor_ptrace_access_check, 626b5e95b48SJohn Johansen .ptrace_traceme = apparmor_ptrace_traceme, 627b5e95b48SJohn Johansen .capget = apparmor_capget, 628b5e95b48SJohn Johansen .capable = apparmor_capable, 629b5e95b48SJohn Johansen 630b5e95b48SJohn Johansen .path_link = apparmor_path_link, 631b5e95b48SJohn Johansen .path_unlink = apparmor_path_unlink, 632b5e95b48SJohn Johansen .path_symlink = apparmor_path_symlink, 633b5e95b48SJohn Johansen .path_mkdir = apparmor_path_mkdir, 634b5e95b48SJohn Johansen .path_rmdir = apparmor_path_rmdir, 635b5e95b48SJohn Johansen .path_mknod = apparmor_path_mknod, 636b5e95b48SJohn Johansen .path_rename = apparmor_path_rename, 637b5e95b48SJohn Johansen .path_chmod = apparmor_path_chmod, 638b5e95b48SJohn Johansen .path_chown = apparmor_path_chown, 639b5e95b48SJohn Johansen .path_truncate = apparmor_path_truncate, 640b5e95b48SJohn Johansen .dentry_open = apparmor_dentry_open, 641b5e95b48SJohn Johansen .inode_getattr = apparmor_inode_getattr, 642b5e95b48SJohn Johansen 643b5e95b48SJohn Johansen .file_permission = apparmor_file_permission, 644b5e95b48SJohn Johansen .file_alloc_security = apparmor_file_alloc_security, 645b5e95b48SJohn Johansen .file_free_security = apparmor_file_free_security, 646b5e95b48SJohn Johansen .file_mmap = apparmor_file_mmap, 647b5e95b48SJohn Johansen .file_mprotect = apparmor_file_mprotect, 648b5e95b48SJohn Johansen .file_lock = apparmor_file_lock, 649b5e95b48SJohn Johansen 650b5e95b48SJohn Johansen .getprocattr = apparmor_getprocattr, 651b5e95b48SJohn Johansen .setprocattr = apparmor_setprocattr, 652b5e95b48SJohn Johansen 653b5e95b48SJohn Johansen .cred_alloc_blank = apparmor_cred_alloc_blank, 654b5e95b48SJohn Johansen .cred_free = apparmor_cred_free, 655b5e95b48SJohn Johansen .cred_prepare = apparmor_cred_prepare, 656b5e95b48SJohn Johansen .cred_transfer = apparmor_cred_transfer, 657b5e95b48SJohn Johansen 658b5e95b48SJohn Johansen .bprm_set_creds = apparmor_bprm_set_creds, 659b5e95b48SJohn Johansen .bprm_committing_creds = apparmor_bprm_committing_creds, 660b5e95b48SJohn Johansen .bprm_committed_creds = apparmor_bprm_committed_creds, 661b5e95b48SJohn Johansen .bprm_secureexec = apparmor_bprm_secureexec, 662b5e95b48SJohn Johansen 663b5e95b48SJohn Johansen .task_setrlimit = apparmor_task_setrlimit, 664b5e95b48SJohn Johansen }; 665b5e95b48SJohn Johansen 666b5e95b48SJohn Johansen /* 667b5e95b48SJohn Johansen * AppArmor sysfs module parameters 668b5e95b48SJohn Johansen */ 669b5e95b48SJohn Johansen 670*101d6c82SStephen Rothwell static int param_set_aabool(const char *val, const struct kernel_param *kp); 671*101d6c82SStephen Rothwell static int param_get_aabool(char *buffer, const struct kernel_param *kp); 672b5e95b48SJohn Johansen #define param_check_aabool(name, p) __param_check(name, p, int) 673*101d6c82SStephen Rothwell static struct kernel_param_ops param_ops_aabool = { 674*101d6c82SStephen Rothwell .set = param_set_aabool, 675*101d6c82SStephen Rothwell .get = param_get_aabool 676*101d6c82SStephen Rothwell }; 677b5e95b48SJohn Johansen 678*101d6c82SStephen Rothwell static int param_set_aauint(const char *val, const struct kernel_param *kp); 679*101d6c82SStephen Rothwell static int param_get_aauint(char *buffer, const struct kernel_param *kp); 680b5e95b48SJohn Johansen #define param_check_aauint(name, p) __param_check(name, p, int) 681*101d6c82SStephen Rothwell static struct kernel_param_ops param_ops_aauint = { 682*101d6c82SStephen Rothwell .set = param_set_aauint, 683*101d6c82SStephen Rothwell .get = param_get_aauint 684*101d6c82SStephen Rothwell }; 685b5e95b48SJohn Johansen 686*101d6c82SStephen Rothwell static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 687*101d6c82SStephen Rothwell static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 688b5e95b48SJohn Johansen #define param_check_aalockpolicy(name, p) __param_check(name, p, int) 689*101d6c82SStephen Rothwell static struct kernel_param_ops param_ops_aalockpolicy = { 690*101d6c82SStephen Rothwell .set = param_set_aalockpolicy, 691*101d6c82SStephen Rothwell .get = param_get_aalockpolicy 692*101d6c82SStephen Rothwell }; 693b5e95b48SJohn Johansen 694b5e95b48SJohn Johansen static int param_set_audit(const char *val, struct kernel_param *kp); 695b5e95b48SJohn Johansen static int param_get_audit(char *buffer, struct kernel_param *kp); 696b5e95b48SJohn Johansen #define param_check_audit(name, p) __param_check(name, p, int) 697b5e95b48SJohn Johansen 698b5e95b48SJohn Johansen static int param_set_mode(const char *val, struct kernel_param *kp); 699b5e95b48SJohn Johansen static int param_get_mode(char *buffer, struct kernel_param *kp); 700b5e95b48SJohn Johansen #define param_check_mode(name, p) __param_check(name, p, int) 701b5e95b48SJohn Johansen 702b5e95b48SJohn Johansen /* Flag values, also controllable via /sys/module/apparmor/parameters 703b5e95b48SJohn Johansen * We define special types as we want to do additional mediation. 704b5e95b48SJohn Johansen */ 705b5e95b48SJohn Johansen 706b5e95b48SJohn Johansen /* AppArmor global enforcement switch - complain, enforce, kill */ 707b5e95b48SJohn Johansen enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 708b5e95b48SJohn Johansen module_param_call(mode, param_set_mode, param_get_mode, 709b5e95b48SJohn Johansen &aa_g_profile_mode, S_IRUSR | S_IWUSR); 710b5e95b48SJohn Johansen 711b5e95b48SJohn Johansen /* Debug mode */ 712b5e95b48SJohn Johansen int aa_g_debug; 713b5e95b48SJohn Johansen module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 714b5e95b48SJohn Johansen 715b5e95b48SJohn Johansen /* Audit mode */ 716b5e95b48SJohn Johansen enum audit_mode aa_g_audit; 717b5e95b48SJohn Johansen module_param_call(audit, param_set_audit, param_get_audit, 718b5e95b48SJohn Johansen &aa_g_audit, S_IRUSR | S_IWUSR); 719b5e95b48SJohn Johansen 720b5e95b48SJohn Johansen /* Determines if audit header is included in audited messages. This 721b5e95b48SJohn Johansen * provides more context if the audit daemon is not running 722b5e95b48SJohn Johansen */ 723b5e95b48SJohn Johansen int aa_g_audit_header = 1; 724b5e95b48SJohn Johansen module_param_named(audit_header, aa_g_audit_header, aabool, 725b5e95b48SJohn Johansen S_IRUSR | S_IWUSR); 726b5e95b48SJohn Johansen 727b5e95b48SJohn Johansen /* lock out loading/removal of policy 728b5e95b48SJohn Johansen * TODO: add in at boot loading of policy, which is the only way to 729b5e95b48SJohn Johansen * load policy, if lock_policy is set 730b5e95b48SJohn Johansen */ 731b5e95b48SJohn Johansen int aa_g_lock_policy; 732b5e95b48SJohn Johansen module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 733b5e95b48SJohn Johansen S_IRUSR | S_IWUSR); 734b5e95b48SJohn Johansen 735b5e95b48SJohn Johansen /* Syscall logging mode */ 736b5e95b48SJohn Johansen int aa_g_logsyscall; 737b5e95b48SJohn Johansen module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 738b5e95b48SJohn Johansen 739b5e95b48SJohn Johansen /* Maximum pathname length before accesses will start getting rejected */ 740b5e95b48SJohn Johansen unsigned int aa_g_path_max = 2 * PATH_MAX; 741b5e95b48SJohn Johansen module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); 742b5e95b48SJohn Johansen 743b5e95b48SJohn Johansen /* Determines how paranoid loading of policy is and how much verification 744b5e95b48SJohn Johansen * on the loaded policy is done. 745b5e95b48SJohn Johansen */ 746b5e95b48SJohn Johansen int aa_g_paranoid_load = 1; 747b5e95b48SJohn Johansen module_param_named(paranoid_load, aa_g_paranoid_load, aabool, 748b5e95b48SJohn Johansen S_IRUSR | S_IWUSR); 749b5e95b48SJohn Johansen 750b5e95b48SJohn Johansen /* Boot time disable flag */ 751b5e95b48SJohn Johansen static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 752b5e95b48SJohn Johansen module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR); 753b5e95b48SJohn Johansen 754b5e95b48SJohn Johansen static int __init apparmor_enabled_setup(char *str) 755b5e95b48SJohn Johansen { 756b5e95b48SJohn Johansen unsigned long enabled; 757b5e95b48SJohn Johansen int error = strict_strtoul(str, 0, &enabled); 758b5e95b48SJohn Johansen if (!error) 759b5e95b48SJohn Johansen apparmor_enabled = enabled ? 1 : 0; 760b5e95b48SJohn Johansen return 1; 761b5e95b48SJohn Johansen } 762b5e95b48SJohn Johansen 763b5e95b48SJohn Johansen __setup("apparmor=", apparmor_enabled_setup); 764b5e95b48SJohn Johansen 765b5e95b48SJohn Johansen /* set global flag turning off the ability to load policy */ 766*101d6c82SStephen Rothwell static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 767b5e95b48SJohn Johansen { 768b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 769b5e95b48SJohn Johansen return -EPERM; 770b5e95b48SJohn Johansen if (aa_g_lock_policy) 771b5e95b48SJohn Johansen return -EACCES; 772b5e95b48SJohn Johansen return param_set_bool(val, kp); 773b5e95b48SJohn Johansen } 774b5e95b48SJohn Johansen 775*101d6c82SStephen Rothwell static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 776b5e95b48SJohn Johansen { 777b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 778b5e95b48SJohn Johansen return -EPERM; 779b5e95b48SJohn Johansen return param_get_bool(buffer, kp); 780b5e95b48SJohn Johansen } 781b5e95b48SJohn Johansen 782*101d6c82SStephen Rothwell static int param_set_aabool(const char *val, const struct kernel_param *kp) 783b5e95b48SJohn Johansen { 784b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 785b5e95b48SJohn Johansen return -EPERM; 786b5e95b48SJohn Johansen return param_set_bool(val, kp); 787b5e95b48SJohn Johansen } 788b5e95b48SJohn Johansen 789*101d6c82SStephen Rothwell static int param_get_aabool(char *buffer, const struct kernel_param *kp) 790b5e95b48SJohn Johansen { 791b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 792b5e95b48SJohn Johansen return -EPERM; 793b5e95b48SJohn Johansen return param_get_bool(buffer, kp); 794b5e95b48SJohn Johansen } 795b5e95b48SJohn Johansen 796*101d6c82SStephen Rothwell static int param_set_aauint(const char *val, const struct kernel_param *kp) 797b5e95b48SJohn Johansen { 798b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 799b5e95b48SJohn Johansen return -EPERM; 800b5e95b48SJohn Johansen return param_set_uint(val, kp); 801b5e95b48SJohn Johansen } 802b5e95b48SJohn Johansen 803*101d6c82SStephen Rothwell static int param_get_aauint(char *buffer, const struct kernel_param *kp) 804b5e95b48SJohn Johansen { 805b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 806b5e95b48SJohn Johansen return -EPERM; 807b5e95b48SJohn Johansen return param_get_uint(buffer, kp); 808b5e95b48SJohn Johansen } 809b5e95b48SJohn Johansen 810b5e95b48SJohn Johansen static int param_get_audit(char *buffer, struct kernel_param *kp) 811b5e95b48SJohn Johansen { 812b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 813b5e95b48SJohn Johansen return -EPERM; 814b5e95b48SJohn Johansen 815b5e95b48SJohn Johansen if (!apparmor_enabled) 816b5e95b48SJohn Johansen return -EINVAL; 817b5e95b48SJohn Johansen 818b5e95b48SJohn Johansen return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 819b5e95b48SJohn Johansen } 820b5e95b48SJohn Johansen 821b5e95b48SJohn Johansen static int param_set_audit(const char *val, struct kernel_param *kp) 822b5e95b48SJohn Johansen { 823b5e95b48SJohn Johansen int i; 824b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 825b5e95b48SJohn Johansen return -EPERM; 826b5e95b48SJohn Johansen 827b5e95b48SJohn Johansen if (!apparmor_enabled) 828b5e95b48SJohn Johansen return -EINVAL; 829b5e95b48SJohn Johansen 830b5e95b48SJohn Johansen if (!val) 831b5e95b48SJohn Johansen return -EINVAL; 832b5e95b48SJohn Johansen 833b5e95b48SJohn Johansen for (i = 0; i < AUDIT_MAX_INDEX; i++) { 834b5e95b48SJohn Johansen if (strcmp(val, audit_mode_names[i]) == 0) { 835b5e95b48SJohn Johansen aa_g_audit = i; 836b5e95b48SJohn Johansen return 0; 837b5e95b48SJohn Johansen } 838b5e95b48SJohn Johansen } 839b5e95b48SJohn Johansen 840b5e95b48SJohn Johansen return -EINVAL; 841b5e95b48SJohn Johansen } 842b5e95b48SJohn Johansen 843b5e95b48SJohn Johansen static int param_get_mode(char *buffer, struct kernel_param *kp) 844b5e95b48SJohn Johansen { 845b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 846b5e95b48SJohn Johansen return -EPERM; 847b5e95b48SJohn Johansen 848b5e95b48SJohn Johansen if (!apparmor_enabled) 849b5e95b48SJohn Johansen return -EINVAL; 850b5e95b48SJohn Johansen 851b5e95b48SJohn Johansen return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]); 852b5e95b48SJohn Johansen } 853b5e95b48SJohn Johansen 854b5e95b48SJohn Johansen static int param_set_mode(const char *val, struct kernel_param *kp) 855b5e95b48SJohn Johansen { 856b5e95b48SJohn Johansen int i; 857b5e95b48SJohn Johansen if (!capable(CAP_MAC_ADMIN)) 858b5e95b48SJohn Johansen return -EPERM; 859b5e95b48SJohn Johansen 860b5e95b48SJohn Johansen if (!apparmor_enabled) 861b5e95b48SJohn Johansen return -EINVAL; 862b5e95b48SJohn Johansen 863b5e95b48SJohn Johansen if (!val) 864b5e95b48SJohn Johansen return -EINVAL; 865b5e95b48SJohn Johansen 866b5e95b48SJohn Johansen for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) { 867b5e95b48SJohn Johansen if (strcmp(val, profile_mode_names[i]) == 0) { 868b5e95b48SJohn Johansen aa_g_profile_mode = i; 869b5e95b48SJohn Johansen return 0; 870b5e95b48SJohn Johansen } 871b5e95b48SJohn Johansen } 872b5e95b48SJohn Johansen 873b5e95b48SJohn Johansen return -EINVAL; 874b5e95b48SJohn Johansen } 875b5e95b48SJohn Johansen 876b5e95b48SJohn Johansen /* 877b5e95b48SJohn Johansen * AppArmor init functions 878b5e95b48SJohn Johansen */ 879b5e95b48SJohn Johansen 880b5e95b48SJohn Johansen /** 881b5e95b48SJohn Johansen * set_init_cxt - set a task context and profile on the first task. 882b5e95b48SJohn Johansen * 883b5e95b48SJohn Johansen * TODO: allow setting an alternate profile than unconfined 884b5e95b48SJohn Johansen */ 885b5e95b48SJohn Johansen static int __init set_init_cxt(void) 886b5e95b48SJohn Johansen { 887b5e95b48SJohn Johansen struct cred *cred = (struct cred *)current->real_cred; 888b5e95b48SJohn Johansen struct aa_task_cxt *cxt; 889b5e95b48SJohn Johansen 890b5e95b48SJohn Johansen cxt = aa_alloc_task_context(GFP_KERNEL); 891b5e95b48SJohn Johansen if (!cxt) 892b5e95b48SJohn Johansen return -ENOMEM; 893b5e95b48SJohn Johansen 894b5e95b48SJohn Johansen cxt->profile = aa_get_profile(root_ns->unconfined); 895b5e95b48SJohn Johansen cred->security = cxt; 896b5e95b48SJohn Johansen 897b5e95b48SJohn Johansen return 0; 898b5e95b48SJohn Johansen } 899b5e95b48SJohn Johansen 900b5e95b48SJohn Johansen static int __init apparmor_init(void) 901b5e95b48SJohn Johansen { 902b5e95b48SJohn Johansen int error; 903b5e95b48SJohn Johansen 904b5e95b48SJohn Johansen if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) { 905b5e95b48SJohn Johansen aa_info_message("AppArmor disabled by boot time parameter"); 906b5e95b48SJohn Johansen apparmor_enabled = 0; 907b5e95b48SJohn Johansen return 0; 908b5e95b48SJohn Johansen } 909b5e95b48SJohn Johansen 910b5e95b48SJohn Johansen error = aa_alloc_root_ns(); 911b5e95b48SJohn Johansen if (error) { 912b5e95b48SJohn Johansen AA_ERROR("Unable to allocate default profile namespace\n"); 913b5e95b48SJohn Johansen goto alloc_out; 914b5e95b48SJohn Johansen } 915b5e95b48SJohn Johansen 916b5e95b48SJohn Johansen error = set_init_cxt(); 917b5e95b48SJohn Johansen if (error) { 918b5e95b48SJohn Johansen AA_ERROR("Failed to set context on init task\n"); 919b5e95b48SJohn Johansen goto register_security_out; 920b5e95b48SJohn Johansen } 921b5e95b48SJohn Johansen 922b5e95b48SJohn Johansen error = register_security(&apparmor_ops); 923b5e95b48SJohn Johansen if (error) { 924b5e95b48SJohn Johansen AA_ERROR("Unable to register AppArmor\n"); 925b5e95b48SJohn Johansen goto register_security_out; 926b5e95b48SJohn Johansen } 927b5e95b48SJohn Johansen 928b5e95b48SJohn Johansen /* Report that AppArmor successfully initialized */ 929b5e95b48SJohn Johansen apparmor_initialized = 1; 930b5e95b48SJohn Johansen if (aa_g_profile_mode == APPARMOR_COMPLAIN) 931b5e95b48SJohn Johansen aa_info_message("AppArmor initialized: complain mode enabled"); 932b5e95b48SJohn Johansen else if (aa_g_profile_mode == APPARMOR_KILL) 933b5e95b48SJohn Johansen aa_info_message("AppArmor initialized: kill mode enabled"); 934b5e95b48SJohn Johansen else 935b5e95b48SJohn Johansen aa_info_message("AppArmor initialized"); 936b5e95b48SJohn Johansen 937b5e95b48SJohn Johansen return error; 938b5e95b48SJohn Johansen 939b5e95b48SJohn Johansen register_security_out: 940b5e95b48SJohn Johansen aa_free_root_ns(); 941b5e95b48SJohn Johansen 942b5e95b48SJohn Johansen alloc_out: 943b5e95b48SJohn Johansen aa_destroy_aafs(); 944b5e95b48SJohn Johansen 945b5e95b48SJohn Johansen apparmor_enabled = 0; 946b5e95b48SJohn Johansen return error; 947b5e95b48SJohn Johansen 948b5e95b48SJohn Johansen } 949b5e95b48SJohn Johansen 950b5e95b48SJohn Johansen security_initcall(apparmor_init); 951