1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor LSM hooks. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/lsm_hooks.h> 12 #include <linux/moduleparam.h> 13 #include <linux/mm.h> 14 #include <linux/mman.h> 15 #include <linux/mount.h> 16 #include <linux/namei.h> 17 #include <linux/ptrace.h> 18 #include <linux/ctype.h> 19 #include <linux/sysctl.h> 20 #include <linux/audit.h> 21 #include <linux/user_namespace.h> 22 #include <linux/netfilter_ipv4.h> 23 #include <linux/netfilter_ipv6.h> 24 #include <linux/zlib.h> 25 #include <net/sock.h> 26 #include <uapi/linux/mount.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 union aa_buffer { 48 struct list_head list; 49 char buffer[1]; 50 }; 51 52 #define RESERVE_COUNT 2 53 static int reserve_count = RESERVE_COUNT; 54 static int buffer_count; 55 56 static LIST_HEAD(aa_global_buffers); 57 static DEFINE_SPINLOCK(aa_buffers_lock); 58 59 /* 60 * LSM hook functions 61 */ 62 63 /* 64 * put the associated labels 65 */ 66 static void apparmor_cred_free(struct cred *cred) 67 { 68 aa_put_label(cred_label(cred)); 69 set_cred_label(cred, NULL); 70 } 71 72 /* 73 * allocate the apparmor part of blank credentials 74 */ 75 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 76 { 77 set_cred_label(cred, NULL); 78 return 0; 79 } 80 81 /* 82 * prepare new cred label for modification by prepare_cred block 83 */ 84 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 85 gfp_t gfp) 86 { 87 set_cred_label(new, aa_get_newest_label(cred_label(old))); 88 return 0; 89 } 90 91 /* 92 * transfer the apparmor data to a blank set of creds 93 */ 94 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 95 { 96 set_cred_label(new, aa_get_newest_label(cred_label(old))); 97 } 98 99 static void apparmor_task_free(struct task_struct *task) 100 { 101 102 aa_free_task_ctx(task_ctx(task)); 103 } 104 105 static int apparmor_task_alloc(struct task_struct *task, 106 unsigned long clone_flags) 107 { 108 struct aa_task_ctx *new = task_ctx(task); 109 110 aa_dup_task_ctx(new, task_ctx(current)); 111 112 return 0; 113 } 114 115 static int apparmor_ptrace_access_check(struct task_struct *child, 116 unsigned int mode) 117 { 118 struct aa_label *tracer, *tracee; 119 int error; 120 121 tracer = __begin_current_label_crit_section(); 122 tracee = aa_get_task_label(child); 123 error = aa_may_ptrace(tracer, tracee, 124 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ 125 : AA_PTRACE_TRACE); 126 aa_put_label(tracee); 127 __end_current_label_crit_section(tracer); 128 129 return error; 130 } 131 132 static int apparmor_ptrace_traceme(struct task_struct *parent) 133 { 134 struct aa_label *tracer, *tracee; 135 int error; 136 137 tracee = __begin_current_label_crit_section(); 138 tracer = aa_get_task_label(parent); 139 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 140 aa_put_label(tracer); 141 __end_current_label_crit_section(tracee); 142 143 return error; 144 } 145 146 /* Derived from security/commoncap.c:cap_capget */ 147 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 149 { 150 struct aa_label *label; 151 const struct cred *cred; 152 153 rcu_read_lock(); 154 cred = __task_cred(target); 155 label = aa_get_newest_cred_label(cred); 156 157 /* 158 * cap_capget is stacked ahead of this and will 159 * initialize effective and permitted. 160 */ 161 if (!unconfined(label)) { 162 struct aa_profile *profile; 163 struct label_it i; 164 165 label_for_each_confined(i, label, profile) { 166 if (COMPLAIN_MODE(profile)) 167 continue; 168 *effective = cap_intersect(*effective, 169 profile->caps.allow); 170 *permitted = cap_intersect(*permitted, 171 profile->caps.allow); 172 } 173 } 174 rcu_read_unlock(); 175 aa_put_label(label); 176 177 return 0; 178 } 179 180 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 181 int cap, unsigned int opts) 182 { 183 struct aa_label *label; 184 int error = 0; 185 186 label = aa_get_newest_cred_label(cred); 187 if (!unconfined(label)) 188 error = aa_capable(label, cap, opts); 189 aa_put_label(label); 190 191 return error; 192 } 193 194 /** 195 * common_perm - basic common permission check wrapper fn for paths 196 * @op: operation being checked 197 * @path: path to check permission of (NOT NULL) 198 * @mask: requested permissions mask 199 * @cond: conditional info for the permission request (NOT NULL) 200 * 201 * Returns: %0 else error code if error or permission denied 202 */ 203 static int common_perm(const char *op, const struct path *path, u32 mask, 204 struct path_cond *cond) 205 { 206 struct aa_label *label; 207 int error = 0; 208 209 label = __begin_current_label_crit_section(); 210 if (!unconfined(label)) 211 error = aa_path_perm(op, label, path, 0, mask, cond); 212 __end_current_label_crit_section(label); 213 214 return error; 215 } 216 217 /** 218 * common_perm_cond - common permission wrapper around inode cond 219 * @op: operation being checked 220 * @path: location to check (NOT NULL) 221 * @mask: requested permissions mask 222 * 223 * Returns: %0 else error code if error or permission denied 224 */ 225 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 226 { 227 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 228 d_backing_inode(path->dentry)->i_mode 229 }; 230 231 if (!path_mediated_fs(path->dentry)) 232 return 0; 233 234 return common_perm(op, path, mask, &cond); 235 } 236 237 /** 238 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 239 * @op: operation being checked 240 * @dir: directory of the dentry (NOT NULL) 241 * @dentry: dentry to check (NOT NULL) 242 * @mask: requested permissions mask 243 * @cond: conditional info for the permission request (NOT NULL) 244 * 245 * Returns: %0 else error code if error or permission denied 246 */ 247 static int common_perm_dir_dentry(const char *op, const struct path *dir, 248 struct dentry *dentry, u32 mask, 249 struct path_cond *cond) 250 { 251 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 252 253 return common_perm(op, &path, mask, cond); 254 } 255 256 /** 257 * common_perm_rm - common permission wrapper for operations doing rm 258 * @op: operation being checked 259 * @dir: directory that the dentry is in (NOT NULL) 260 * @dentry: dentry being rm'd (NOT NULL) 261 * @mask: requested permission mask 262 * 263 * Returns: %0 else error code if error or permission denied 264 */ 265 static int common_perm_rm(const char *op, const struct path *dir, 266 struct dentry *dentry, u32 mask) 267 { 268 struct inode *inode = d_backing_inode(dentry); 269 struct path_cond cond = { }; 270 271 if (!inode || !path_mediated_fs(dentry)) 272 return 0; 273 274 cond.uid = inode->i_uid; 275 cond.mode = inode->i_mode; 276 277 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 278 } 279 280 /** 281 * common_perm_create - common permission wrapper for operations doing create 282 * @op: operation being checked 283 * @dir: directory that dentry will be created in (NOT NULL) 284 * @dentry: dentry to create (NOT NULL) 285 * @mask: request permission mask 286 * @mode: created file mode 287 * 288 * Returns: %0 else error code if error or permission denied 289 */ 290 static int common_perm_create(const char *op, const struct path *dir, 291 struct dentry *dentry, u32 mask, umode_t mode) 292 { 293 struct path_cond cond = { current_fsuid(), mode }; 294 295 if (!path_mediated_fs(dir->dentry)) 296 return 0; 297 298 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 299 } 300 301 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 302 { 303 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 304 } 305 306 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 307 umode_t mode) 308 { 309 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 310 S_IFDIR); 311 } 312 313 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 314 { 315 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 316 } 317 318 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 319 umode_t mode, unsigned int dev) 320 { 321 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 322 } 323 324 static int apparmor_path_truncate(const struct path *path) 325 { 326 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 327 } 328 329 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 330 const char *old_name) 331 { 332 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 333 S_IFLNK); 334 } 335 336 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 337 struct dentry *new_dentry) 338 { 339 struct aa_label *label; 340 int error = 0; 341 342 if (!path_mediated_fs(old_dentry)) 343 return 0; 344 345 label = begin_current_label_crit_section(); 346 if (!unconfined(label)) 347 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 348 end_current_label_crit_section(label); 349 350 return error; 351 } 352 353 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 354 const struct path *new_dir, struct dentry *new_dentry) 355 { 356 struct aa_label *label; 357 int error = 0; 358 359 if (!path_mediated_fs(old_dentry)) 360 return 0; 361 362 label = begin_current_label_crit_section(); 363 if (!unconfined(label)) { 364 struct path old_path = { .mnt = old_dir->mnt, 365 .dentry = old_dentry }; 366 struct path new_path = { .mnt = new_dir->mnt, 367 .dentry = new_dentry }; 368 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 369 d_backing_inode(old_dentry)->i_mode 370 }; 371 372 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 373 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 374 AA_MAY_SETATTR | AA_MAY_DELETE, 375 &cond); 376 if (!error) 377 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 378 0, MAY_WRITE | AA_MAY_SETATTR | 379 AA_MAY_CREATE, &cond); 380 381 } 382 end_current_label_crit_section(label); 383 384 return error; 385 } 386 387 static int apparmor_path_chmod(const struct path *path, umode_t mode) 388 { 389 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 390 } 391 392 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 393 { 394 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 395 } 396 397 static int apparmor_inode_getattr(const struct path *path) 398 { 399 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 400 } 401 402 static int apparmor_file_open(struct file *file) 403 { 404 struct aa_file_ctx *fctx = file_ctx(file); 405 struct aa_label *label; 406 int error = 0; 407 408 if (!path_mediated_fs(file->f_path.dentry)) 409 return 0; 410 411 /* If in exec, permission is handled by bprm hooks. 412 * Cache permissions granted by the previous exec check, with 413 * implicit read and executable mmap which are required to 414 * actually execute the image. 415 */ 416 if (current->in_execve) { 417 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 418 return 0; 419 } 420 421 label = aa_get_newest_cred_label(file->f_cred); 422 if (!unconfined(label)) { 423 struct inode *inode = file_inode(file); 424 struct path_cond cond = { inode->i_uid, inode->i_mode }; 425 426 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 427 aa_map_file_to_perms(file), &cond); 428 /* todo cache full allowed permissions set and state */ 429 fctx->allow = aa_map_file_to_perms(file); 430 } 431 aa_put_label(label); 432 433 return error; 434 } 435 436 static int apparmor_file_alloc_security(struct file *file) 437 { 438 struct aa_file_ctx *ctx = file_ctx(file); 439 struct aa_label *label = begin_current_label_crit_section(); 440 441 spin_lock_init(&ctx->lock); 442 rcu_assign_pointer(ctx->label, aa_get_label(label)); 443 end_current_label_crit_section(label); 444 return 0; 445 } 446 447 static void apparmor_file_free_security(struct file *file) 448 { 449 struct aa_file_ctx *ctx = file_ctx(file); 450 451 if (ctx) 452 aa_put_label(rcu_access_pointer(ctx->label)); 453 } 454 455 static int common_file_perm(const char *op, struct file *file, u32 mask, 456 bool in_atomic) 457 { 458 struct aa_label *label; 459 int error = 0; 460 461 /* don't reaudit files closed during inheritance */ 462 if (file->f_path.dentry == aa_null.dentry) 463 return -EACCES; 464 465 label = __begin_current_label_crit_section(); 466 error = aa_file_perm(op, label, file, mask, in_atomic); 467 __end_current_label_crit_section(label); 468 469 return error; 470 } 471 472 static int apparmor_file_receive(struct file *file) 473 { 474 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file), 475 false); 476 } 477 478 static int apparmor_file_permission(struct file *file, int mask) 479 { 480 return common_file_perm(OP_FPERM, file, mask, false); 481 } 482 483 static int apparmor_file_lock(struct file *file, unsigned int cmd) 484 { 485 u32 mask = AA_MAY_LOCK; 486 487 if (cmd == F_WRLCK) 488 mask |= MAY_WRITE; 489 490 return common_file_perm(OP_FLOCK, file, mask, false); 491 } 492 493 static int common_mmap(const char *op, struct file *file, unsigned long prot, 494 unsigned long flags, bool in_atomic) 495 { 496 int mask = 0; 497 498 if (!file || !file_ctx(file)) 499 return 0; 500 501 if (prot & PROT_READ) 502 mask |= MAY_READ; 503 /* 504 * Private mappings don't require write perms since they don't 505 * write back to the files 506 */ 507 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 508 mask |= MAY_WRITE; 509 if (prot & PROT_EXEC) 510 mask |= AA_EXEC_MMAP; 511 512 return common_file_perm(op, file, mask, in_atomic); 513 } 514 515 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 516 unsigned long prot, unsigned long flags) 517 { 518 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC); 519 } 520 521 static int apparmor_file_mprotect(struct vm_area_struct *vma, 522 unsigned long reqprot, unsigned long prot) 523 { 524 return common_mmap(OP_FMPROT, vma->vm_file, prot, 525 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, 526 false); 527 } 528 529 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 530 const char *type, unsigned long flags, void *data) 531 { 532 struct aa_label *label; 533 int error = 0; 534 535 /* Discard magic */ 536 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 537 flags &= ~MS_MGC_MSK; 538 539 flags &= ~AA_MS_IGNORE_MASK; 540 541 label = __begin_current_label_crit_section(); 542 if (!unconfined(label)) { 543 if (flags & MS_REMOUNT) 544 error = aa_remount(label, path, flags, data); 545 else if (flags & MS_BIND) 546 error = aa_bind_mount(label, path, dev_name, flags); 547 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 548 MS_UNBINDABLE)) 549 error = aa_mount_change_type(label, path, flags); 550 else if (flags & MS_MOVE) 551 error = aa_move_mount(label, path, dev_name); 552 else 553 error = aa_new_mount(label, dev_name, path, type, 554 flags, data); 555 } 556 __end_current_label_crit_section(label); 557 558 return error; 559 } 560 561 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 562 { 563 struct aa_label *label; 564 int error = 0; 565 566 label = __begin_current_label_crit_section(); 567 if (!unconfined(label)) 568 error = aa_umount(label, mnt, flags); 569 __end_current_label_crit_section(label); 570 571 return error; 572 } 573 574 static int apparmor_sb_pivotroot(const struct path *old_path, 575 const struct path *new_path) 576 { 577 struct aa_label *label; 578 int error = 0; 579 580 label = aa_get_current_label(); 581 if (!unconfined(label)) 582 error = aa_pivotroot(label, old_path, new_path); 583 aa_put_label(label); 584 585 return error; 586 } 587 588 static int apparmor_getprocattr(struct task_struct *task, char *name, 589 char **value) 590 { 591 int error = -ENOENT; 592 /* released below */ 593 const struct cred *cred = get_task_cred(task); 594 struct aa_task_ctx *ctx = task_ctx(current); 595 struct aa_label *label = NULL; 596 597 if (strcmp(name, "current") == 0) 598 label = aa_get_newest_label(cred_label(cred)); 599 else if (strcmp(name, "prev") == 0 && ctx->previous) 600 label = aa_get_newest_label(ctx->previous); 601 else if (strcmp(name, "exec") == 0 && ctx->onexec) 602 label = aa_get_newest_label(ctx->onexec); 603 else 604 error = -EINVAL; 605 606 if (label) 607 error = aa_getprocattr(label, value); 608 609 aa_put_label(label); 610 put_cred(cred); 611 612 return error; 613 } 614 615 static int apparmor_setprocattr(const char *name, void *value, 616 size_t size) 617 { 618 char *command, *largs = NULL, *args = value; 619 size_t arg_size; 620 int error; 621 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 622 623 if (size == 0) 624 return -EINVAL; 625 626 /* AppArmor requires that the buffer must be null terminated atm */ 627 if (args[size - 1] != '\0') { 628 /* null terminate */ 629 largs = args = kmalloc(size + 1, GFP_KERNEL); 630 if (!args) 631 return -ENOMEM; 632 memcpy(args, value, size); 633 args[size] = '\0'; 634 } 635 636 error = -EINVAL; 637 args = strim(args); 638 command = strsep(&args, " "); 639 if (!args) 640 goto out; 641 args = skip_spaces(args); 642 if (!*args) 643 goto out; 644 645 arg_size = size - (args - (largs ? largs : (char *) value)); 646 if (strcmp(name, "current") == 0) { 647 if (strcmp(command, "changehat") == 0) { 648 error = aa_setprocattr_changehat(args, arg_size, 649 AA_CHANGE_NOFLAGS); 650 } else if (strcmp(command, "permhat") == 0) { 651 error = aa_setprocattr_changehat(args, arg_size, 652 AA_CHANGE_TEST); 653 } else if (strcmp(command, "changeprofile") == 0) { 654 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 655 } else if (strcmp(command, "permprofile") == 0) { 656 error = aa_change_profile(args, AA_CHANGE_TEST); 657 } else if (strcmp(command, "stack") == 0) { 658 error = aa_change_profile(args, AA_CHANGE_STACK); 659 } else 660 goto fail; 661 } else if (strcmp(name, "exec") == 0) { 662 if (strcmp(command, "exec") == 0) 663 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 664 else if (strcmp(command, "stack") == 0) 665 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 666 AA_CHANGE_STACK)); 667 else 668 goto fail; 669 } else 670 /* only support the "current" and "exec" process attributes */ 671 goto fail; 672 673 if (!error) 674 error = size; 675 out: 676 kfree(largs); 677 return error; 678 679 fail: 680 aad(&sa)->label = begin_current_label_crit_section(); 681 aad(&sa)->info = name; 682 aad(&sa)->error = error = -EINVAL; 683 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 684 end_current_label_crit_section(aad(&sa)->label); 685 goto out; 686 } 687 688 /** 689 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 690 * @bprm: binprm for the exec (NOT NULL) 691 */ 692 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 693 { 694 struct aa_label *label = aa_current_raw_label(); 695 struct aa_label *new_label = cred_label(bprm->cred); 696 697 /* bail out if unconfined or not changing profile */ 698 if ((new_label->proxy == label->proxy) || 699 (unconfined(new_label))) 700 return; 701 702 aa_inherit_files(bprm->cred, current->files); 703 704 current->pdeath_signal = 0; 705 706 /* reset soft limits and set hard limits for the new label */ 707 __aa_transition_rlimits(label, new_label); 708 } 709 710 /** 711 * apparmor_bprm_committed_cred - do cleanup after new creds committed 712 * @bprm: binprm for the exec (NOT NULL) 713 */ 714 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 715 { 716 /* clear out temporary/transitional state from the context */ 717 aa_clear_task_ctx_trans(task_ctx(current)); 718 719 return; 720 } 721 722 static void apparmor_task_getsecid(struct task_struct *p, u32 *secid) 723 { 724 struct aa_label *label = aa_get_task_label(p); 725 *secid = label->secid; 726 aa_put_label(label); 727 } 728 729 static int apparmor_task_setrlimit(struct task_struct *task, 730 unsigned int resource, struct rlimit *new_rlim) 731 { 732 struct aa_label *label = __begin_current_label_crit_section(); 733 int error = 0; 734 735 if (!unconfined(label)) 736 error = aa_task_setrlimit(label, task, resource, new_rlim); 737 __end_current_label_crit_section(label); 738 739 return error; 740 } 741 742 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info, 743 int sig, const struct cred *cred) 744 { 745 struct aa_label *cl, *tl; 746 int error; 747 748 if (cred) { 749 /* 750 * Dealing with USB IO specific behavior 751 */ 752 cl = aa_get_newest_cred_label(cred); 753 tl = aa_get_task_label(target); 754 error = aa_may_signal(cl, tl, sig); 755 aa_put_label(cl); 756 aa_put_label(tl); 757 return error; 758 } 759 760 cl = __begin_current_label_crit_section(); 761 tl = aa_get_task_label(target); 762 error = aa_may_signal(cl, tl, sig); 763 aa_put_label(tl); 764 __end_current_label_crit_section(cl); 765 766 return error; 767 } 768 769 /** 770 * apparmor_sk_alloc_security - allocate and attach the sk_security field 771 */ 772 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 773 { 774 struct aa_sk_ctx *ctx; 775 776 ctx = kzalloc(sizeof(*ctx), flags); 777 if (!ctx) 778 return -ENOMEM; 779 780 SK_CTX(sk) = ctx; 781 782 return 0; 783 } 784 785 /** 786 * apparmor_sk_free_security - free the sk_security field 787 */ 788 static void apparmor_sk_free_security(struct sock *sk) 789 { 790 struct aa_sk_ctx *ctx = SK_CTX(sk); 791 792 SK_CTX(sk) = NULL; 793 aa_put_label(ctx->label); 794 aa_put_label(ctx->peer); 795 kfree(ctx); 796 } 797 798 /** 799 * apparmor_clone_security - clone the sk_security field 800 */ 801 static void apparmor_sk_clone_security(const struct sock *sk, 802 struct sock *newsk) 803 { 804 struct aa_sk_ctx *ctx = SK_CTX(sk); 805 struct aa_sk_ctx *new = SK_CTX(newsk); 806 807 if (new->label) 808 aa_put_label(new->label); 809 new->label = aa_get_label(ctx->label); 810 811 if (new->peer) 812 aa_put_label(new->peer); 813 new->peer = aa_get_label(ctx->peer); 814 } 815 816 /** 817 * apparmor_socket_create - check perms before creating a new socket 818 */ 819 static int apparmor_socket_create(int family, int type, int protocol, int kern) 820 { 821 struct aa_label *label; 822 int error = 0; 823 824 AA_BUG(in_interrupt()); 825 826 label = begin_current_label_crit_section(); 827 if (!(kern || unconfined(label))) 828 error = af_select(family, 829 create_perm(label, family, type, protocol), 830 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 831 family, type, protocol)); 832 end_current_label_crit_section(label); 833 834 return error; 835 } 836 837 /** 838 * apparmor_socket_post_create - setup the per-socket security struct 839 * 840 * Note: 841 * - kernel sockets currently labeled unconfined but we may want to 842 * move to a special kernel label 843 * - socket may not have sk here if created with sock_create_lite or 844 * sock_alloc. These should be accept cases which will be handled in 845 * sock_graft. 846 */ 847 static int apparmor_socket_post_create(struct socket *sock, int family, 848 int type, int protocol, int kern) 849 { 850 struct aa_label *label; 851 852 if (kern) { 853 struct aa_ns *ns = aa_get_current_ns(); 854 855 label = aa_get_label(ns_unconfined(ns)); 856 aa_put_ns(ns); 857 } else 858 label = aa_get_current_label(); 859 860 if (sock->sk) { 861 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 862 863 aa_put_label(ctx->label); 864 ctx->label = aa_get_label(label); 865 } 866 aa_put_label(label); 867 868 return 0; 869 } 870 871 /** 872 * apparmor_socket_bind - check perms before bind addr to socket 873 */ 874 static int apparmor_socket_bind(struct socket *sock, 875 struct sockaddr *address, int addrlen) 876 { 877 AA_BUG(!sock); 878 AA_BUG(!sock->sk); 879 AA_BUG(!address); 880 AA_BUG(in_interrupt()); 881 882 return af_select(sock->sk->sk_family, 883 bind_perm(sock, address, addrlen), 884 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 885 } 886 887 /** 888 * apparmor_socket_connect - check perms before connecting @sock to @address 889 */ 890 static int apparmor_socket_connect(struct socket *sock, 891 struct sockaddr *address, int addrlen) 892 { 893 AA_BUG(!sock); 894 AA_BUG(!sock->sk); 895 AA_BUG(!address); 896 AA_BUG(in_interrupt()); 897 898 return af_select(sock->sk->sk_family, 899 connect_perm(sock, address, addrlen), 900 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 901 } 902 903 /** 904 * apparmor_socket_list - check perms before allowing listen 905 */ 906 static int apparmor_socket_listen(struct socket *sock, int backlog) 907 { 908 AA_BUG(!sock); 909 AA_BUG(!sock->sk); 910 AA_BUG(in_interrupt()); 911 912 return af_select(sock->sk->sk_family, 913 listen_perm(sock, backlog), 914 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 915 } 916 917 /** 918 * apparmor_socket_accept - check perms before accepting a new connection. 919 * 920 * Note: while @newsock is created and has some information, the accept 921 * has not been done. 922 */ 923 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 924 { 925 AA_BUG(!sock); 926 AA_BUG(!sock->sk); 927 AA_BUG(!newsock); 928 AA_BUG(in_interrupt()); 929 930 return af_select(sock->sk->sk_family, 931 accept_perm(sock, newsock), 932 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 933 } 934 935 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 936 struct msghdr *msg, int size) 937 { 938 AA_BUG(!sock); 939 AA_BUG(!sock->sk); 940 AA_BUG(!msg); 941 AA_BUG(in_interrupt()); 942 943 return af_select(sock->sk->sk_family, 944 msg_perm(op, request, sock, msg, size), 945 aa_sk_perm(op, request, sock->sk)); 946 } 947 948 /** 949 * apparmor_socket_sendmsg - check perms before sending msg to another socket 950 */ 951 static int apparmor_socket_sendmsg(struct socket *sock, 952 struct msghdr *msg, int size) 953 { 954 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 955 } 956 957 /** 958 * apparmor_socket_recvmsg - check perms before receiving a message 959 */ 960 static int apparmor_socket_recvmsg(struct socket *sock, 961 struct msghdr *msg, int size, int flags) 962 { 963 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 964 } 965 966 /* revaliation, get/set attr, shutdown */ 967 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 968 { 969 AA_BUG(!sock); 970 AA_BUG(!sock->sk); 971 AA_BUG(in_interrupt()); 972 973 return af_select(sock->sk->sk_family, 974 sock_perm(op, request, sock), 975 aa_sk_perm(op, request, sock->sk)); 976 } 977 978 /** 979 * apparmor_socket_getsockname - check perms before getting the local address 980 */ 981 static int apparmor_socket_getsockname(struct socket *sock) 982 { 983 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 984 } 985 986 /** 987 * apparmor_socket_getpeername - check perms before getting remote address 988 */ 989 static int apparmor_socket_getpeername(struct socket *sock) 990 { 991 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 992 } 993 994 /* revaliation, get/set attr, opt */ 995 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 996 int level, int optname) 997 { 998 AA_BUG(!sock); 999 AA_BUG(!sock->sk); 1000 AA_BUG(in_interrupt()); 1001 1002 return af_select(sock->sk->sk_family, 1003 opt_perm(op, request, sock, level, optname), 1004 aa_sk_perm(op, request, sock->sk)); 1005 } 1006 1007 /** 1008 * apparmor_getsockopt - check perms before getting socket options 1009 */ 1010 static int apparmor_socket_getsockopt(struct socket *sock, int level, 1011 int optname) 1012 { 1013 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1014 level, optname); 1015 } 1016 1017 /** 1018 * apparmor_setsockopt - check perms before setting socket options 1019 */ 1020 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1021 int optname) 1022 { 1023 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1024 level, optname); 1025 } 1026 1027 /** 1028 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1029 */ 1030 static int apparmor_socket_shutdown(struct socket *sock, int how) 1031 { 1032 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1033 } 1034 1035 #ifdef CONFIG_NETWORK_SECMARK 1036 /** 1037 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 1038 * 1039 * Note: can not sleep may be called with locks held 1040 * 1041 * dont want protocol specific in __skb_recv_datagram() 1042 * to deny an incoming connection socket_sock_rcv_skb() 1043 */ 1044 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1045 { 1046 struct aa_sk_ctx *ctx = SK_CTX(sk); 1047 1048 if (!skb->secmark) 1049 return 0; 1050 1051 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, 1052 skb->secmark, sk); 1053 } 1054 #endif 1055 1056 1057 static struct aa_label *sk_peer_label(struct sock *sk) 1058 { 1059 struct aa_sk_ctx *ctx = SK_CTX(sk); 1060 1061 if (ctx->peer) 1062 return ctx->peer; 1063 1064 return ERR_PTR(-ENOPROTOOPT); 1065 } 1066 1067 /** 1068 * apparmor_socket_getpeersec_stream - get security context of peer 1069 * 1070 * Note: for tcp only valid if using ipsec or cipso on lan 1071 */ 1072 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1073 char __user *optval, 1074 int __user *optlen, 1075 unsigned int len) 1076 { 1077 char *name; 1078 int slen, error = 0; 1079 struct aa_label *label; 1080 struct aa_label *peer; 1081 1082 label = begin_current_label_crit_section(); 1083 peer = sk_peer_label(sock->sk); 1084 if (IS_ERR(peer)) { 1085 error = PTR_ERR(peer); 1086 goto done; 1087 } 1088 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1089 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1090 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1091 /* don't include terminating \0 in slen, it breaks some apps */ 1092 if (slen < 0) { 1093 error = -ENOMEM; 1094 } else { 1095 if (slen > len) { 1096 error = -ERANGE; 1097 } else if (copy_to_user(optval, name, slen)) { 1098 error = -EFAULT; 1099 goto out; 1100 } 1101 if (put_user(slen, optlen)) 1102 error = -EFAULT; 1103 out: 1104 kfree(name); 1105 1106 } 1107 1108 done: 1109 end_current_label_crit_section(label); 1110 1111 return error; 1112 } 1113 1114 /** 1115 * apparmor_socket_getpeersec_dgram - get security label of packet 1116 * @sock: the peer socket 1117 * @skb: packet data 1118 * @secid: pointer to where to put the secid of the packet 1119 * 1120 * Sets the netlabel socket state on sk from parent 1121 */ 1122 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1123 struct sk_buff *skb, u32 *secid) 1124 1125 { 1126 /* TODO: requires secid support */ 1127 return -ENOPROTOOPT; 1128 } 1129 1130 /** 1131 * apparmor_sock_graft - Initialize newly created socket 1132 * @sk: child sock 1133 * @parent: parent socket 1134 * 1135 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1136 * just set sk security information off of current creating process label 1137 * Labeling of sk for accept case - probably should be sock based 1138 * instead of task, because of the case where an implicitly labeled 1139 * socket is shared by different tasks. 1140 */ 1141 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1142 { 1143 struct aa_sk_ctx *ctx = SK_CTX(sk); 1144 1145 if (!ctx->label) 1146 ctx->label = aa_get_current_label(); 1147 } 1148 1149 #ifdef CONFIG_NETWORK_SECMARK 1150 static int apparmor_inet_conn_request(struct sock *sk, struct sk_buff *skb, 1151 struct request_sock *req) 1152 { 1153 struct aa_sk_ctx *ctx = SK_CTX(sk); 1154 1155 if (!skb->secmark) 1156 return 0; 1157 1158 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, 1159 skb->secmark, sk); 1160 } 1161 #endif 1162 1163 /* 1164 * The cred blob is a pointer to, not an instance of, an aa_task_ctx. 1165 */ 1166 struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = { 1167 .lbs_cred = sizeof(struct aa_task_ctx *), 1168 .lbs_file = sizeof(struct aa_file_ctx), 1169 .lbs_task = sizeof(struct aa_task_ctx), 1170 }; 1171 1172 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1173 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1174 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1175 LSM_HOOK_INIT(capget, apparmor_capget), 1176 LSM_HOOK_INIT(capable, apparmor_capable), 1177 1178 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1179 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1180 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1181 1182 LSM_HOOK_INIT(path_link, apparmor_path_link), 1183 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1184 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1185 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1186 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1187 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1188 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1189 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1190 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1191 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1192 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1193 1194 LSM_HOOK_INIT(file_open, apparmor_file_open), 1195 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1196 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1197 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1198 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1199 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1200 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1201 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1202 1203 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1204 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1205 1206 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1207 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1208 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1209 1210 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1211 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1212 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1213 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1214 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1215 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1216 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1217 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1218 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1219 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1220 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1221 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1222 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1223 #ifdef CONFIG_NETWORK_SECMARK 1224 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1225 #endif 1226 LSM_HOOK_INIT(socket_getpeersec_stream, 1227 apparmor_socket_getpeersec_stream), 1228 LSM_HOOK_INIT(socket_getpeersec_dgram, 1229 apparmor_socket_getpeersec_dgram), 1230 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1231 #ifdef CONFIG_NETWORK_SECMARK 1232 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), 1233 #endif 1234 1235 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1236 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1237 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1238 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1239 1240 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec), 1241 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1242 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1243 1244 LSM_HOOK_INIT(task_free, apparmor_task_free), 1245 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1246 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid), 1247 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1248 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1249 1250 #ifdef CONFIG_AUDIT 1251 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init), 1252 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known), 1253 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match), 1254 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free), 1255 #endif 1256 1257 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1258 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1259 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1260 }; 1261 1262 /* 1263 * AppArmor sysfs module parameters 1264 */ 1265 1266 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1267 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1268 #define param_check_aabool param_check_bool 1269 static const struct kernel_param_ops param_ops_aabool = { 1270 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1271 .set = param_set_aabool, 1272 .get = param_get_aabool 1273 }; 1274 1275 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1276 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1277 #define param_check_aauint param_check_uint 1278 static const struct kernel_param_ops param_ops_aauint = { 1279 .set = param_set_aauint, 1280 .get = param_get_aauint 1281 }; 1282 1283 static int param_set_aacompressionlevel(const char *val, 1284 const struct kernel_param *kp); 1285 static int param_get_aacompressionlevel(char *buffer, 1286 const struct kernel_param *kp); 1287 #define param_check_aacompressionlevel param_check_int 1288 static const struct kernel_param_ops param_ops_aacompressionlevel = { 1289 .set = param_set_aacompressionlevel, 1290 .get = param_get_aacompressionlevel 1291 }; 1292 1293 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1294 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1295 #define param_check_aalockpolicy param_check_bool 1296 static const struct kernel_param_ops param_ops_aalockpolicy = { 1297 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1298 .set = param_set_aalockpolicy, 1299 .get = param_get_aalockpolicy 1300 }; 1301 1302 static int param_set_audit(const char *val, const struct kernel_param *kp); 1303 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1304 1305 static int param_set_mode(const char *val, const struct kernel_param *kp); 1306 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1307 1308 /* Flag values, also controllable via /sys/module/apparmor/parameters 1309 * We define special types as we want to do additional mediation. 1310 */ 1311 1312 /* AppArmor global enforcement switch - complain, enforce, kill */ 1313 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1314 module_param_call(mode, param_set_mode, param_get_mode, 1315 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1316 1317 /* whether policy verification hashing is enabled */ 1318 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1319 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1320 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1321 #endif 1322 1323 /* policy loaddata compression level */ 1324 int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION; 1325 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level, 1326 aacompressionlevel, 0400); 1327 1328 /* Debug mode */ 1329 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1330 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1331 1332 /* Audit mode */ 1333 enum audit_mode aa_g_audit; 1334 module_param_call(audit, param_set_audit, param_get_audit, 1335 &aa_g_audit, S_IRUSR | S_IWUSR); 1336 1337 /* Determines if audit header is included in audited messages. This 1338 * provides more context if the audit daemon is not running 1339 */ 1340 bool aa_g_audit_header = true; 1341 module_param_named(audit_header, aa_g_audit_header, aabool, 1342 S_IRUSR | S_IWUSR); 1343 1344 /* lock out loading/removal of policy 1345 * TODO: add in at boot loading of policy, which is the only way to 1346 * load policy, if lock_policy is set 1347 */ 1348 bool aa_g_lock_policy; 1349 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1350 S_IRUSR | S_IWUSR); 1351 1352 /* Syscall logging mode */ 1353 bool aa_g_logsyscall; 1354 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1355 1356 /* Maximum pathname length before accesses will start getting rejected */ 1357 unsigned int aa_g_path_max = 2 * PATH_MAX; 1358 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1359 1360 /* Determines how paranoid loading of policy is and how much verification 1361 * on the loaded policy is done. 1362 * DEPRECATED: read only as strict checking of load is always done now 1363 * that none root users (user namespaces) can load policy. 1364 */ 1365 bool aa_g_paranoid_load = true; 1366 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1367 1368 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); 1369 static int param_set_aaintbool(const char *val, const struct kernel_param *kp); 1370 #define param_check_aaintbool param_check_int 1371 static const struct kernel_param_ops param_ops_aaintbool = { 1372 .set = param_set_aaintbool, 1373 .get = param_get_aaintbool 1374 }; 1375 /* Boot time disable flag */ 1376 static int apparmor_enabled __lsm_ro_after_init = 1; 1377 module_param_named(enabled, apparmor_enabled, aaintbool, 0444); 1378 1379 static int __init apparmor_enabled_setup(char *str) 1380 { 1381 unsigned long enabled; 1382 int error = kstrtoul(str, 0, &enabled); 1383 if (!error) 1384 apparmor_enabled = enabled ? 1 : 0; 1385 return 1; 1386 } 1387 1388 __setup("apparmor=", apparmor_enabled_setup); 1389 1390 /* set global flag turning off the ability to load policy */ 1391 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1392 { 1393 if (!apparmor_enabled) 1394 return -EINVAL; 1395 if (apparmor_initialized && !policy_admin_capable(NULL)) 1396 return -EPERM; 1397 return param_set_bool(val, kp); 1398 } 1399 1400 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1401 { 1402 if (!apparmor_enabled) 1403 return -EINVAL; 1404 if (apparmor_initialized && !policy_view_capable(NULL)) 1405 return -EPERM; 1406 return param_get_bool(buffer, kp); 1407 } 1408 1409 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1410 { 1411 if (!apparmor_enabled) 1412 return -EINVAL; 1413 if (apparmor_initialized && !policy_admin_capable(NULL)) 1414 return -EPERM; 1415 return param_set_bool(val, kp); 1416 } 1417 1418 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1419 { 1420 if (!apparmor_enabled) 1421 return -EINVAL; 1422 if (apparmor_initialized && !policy_view_capable(NULL)) 1423 return -EPERM; 1424 return param_get_bool(buffer, kp); 1425 } 1426 1427 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1428 { 1429 int error; 1430 1431 if (!apparmor_enabled) 1432 return -EINVAL; 1433 /* file is ro but enforce 2nd line check */ 1434 if (apparmor_initialized) 1435 return -EPERM; 1436 1437 error = param_set_uint(val, kp); 1438 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer)); 1439 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1440 1441 return error; 1442 } 1443 1444 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1445 { 1446 if (!apparmor_enabled) 1447 return -EINVAL; 1448 if (apparmor_initialized && !policy_view_capable(NULL)) 1449 return -EPERM; 1450 return param_get_uint(buffer, kp); 1451 } 1452 1453 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */ 1454 static int param_set_aaintbool(const char *val, const struct kernel_param *kp) 1455 { 1456 struct kernel_param kp_local; 1457 bool value; 1458 int error; 1459 1460 if (apparmor_initialized) 1461 return -EPERM; 1462 1463 /* Create local copy, with arg pointing to bool type. */ 1464 value = !!*((int *)kp->arg); 1465 memcpy(&kp_local, kp, sizeof(kp_local)); 1466 kp_local.arg = &value; 1467 1468 error = param_set_bool(val, &kp_local); 1469 if (!error) 1470 *((int *)kp->arg) = *((bool *)kp_local.arg); 1471 return error; 1472 } 1473 1474 /* 1475 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to 1476 * 1/0, this converts the "int that is actually bool" back to bool for 1477 * display in the /sys filesystem, while keeping it "int" for the LSM 1478 * infrastructure. 1479 */ 1480 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp) 1481 { 1482 struct kernel_param kp_local; 1483 bool value; 1484 1485 /* Create local copy, with arg pointing to bool type. */ 1486 value = !!*((int *)kp->arg); 1487 memcpy(&kp_local, kp, sizeof(kp_local)); 1488 kp_local.arg = &value; 1489 1490 return param_get_bool(buffer, &kp_local); 1491 } 1492 1493 static int param_set_aacompressionlevel(const char *val, 1494 const struct kernel_param *kp) 1495 { 1496 int error; 1497 1498 if (!apparmor_enabled) 1499 return -EINVAL; 1500 if (apparmor_initialized) 1501 return -EPERM; 1502 1503 error = param_set_int(val, kp); 1504 1505 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level, 1506 Z_NO_COMPRESSION, 1507 Z_BEST_COMPRESSION); 1508 pr_info("AppArmor: policy rawdata compression level set to %u\n", 1509 aa_g_rawdata_compression_level); 1510 1511 return error; 1512 } 1513 1514 static int param_get_aacompressionlevel(char *buffer, 1515 const struct kernel_param *kp) 1516 { 1517 if (!apparmor_enabled) 1518 return -EINVAL; 1519 if (apparmor_initialized && !policy_view_capable(NULL)) 1520 return -EPERM; 1521 return param_get_int(buffer, kp); 1522 } 1523 1524 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1525 { 1526 if (!apparmor_enabled) 1527 return -EINVAL; 1528 if (apparmor_initialized && !policy_view_capable(NULL)) 1529 return -EPERM; 1530 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1531 } 1532 1533 static int param_set_audit(const char *val, const struct kernel_param *kp) 1534 { 1535 int i; 1536 1537 if (!apparmor_enabled) 1538 return -EINVAL; 1539 if (!val) 1540 return -EINVAL; 1541 if (apparmor_initialized && !policy_admin_capable(NULL)) 1542 return -EPERM; 1543 1544 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1545 if (i < 0) 1546 return -EINVAL; 1547 1548 aa_g_audit = i; 1549 return 0; 1550 } 1551 1552 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1553 { 1554 if (!apparmor_enabled) 1555 return -EINVAL; 1556 if (apparmor_initialized && !policy_view_capable(NULL)) 1557 return -EPERM; 1558 1559 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1560 } 1561 1562 static int param_set_mode(const char *val, const struct kernel_param *kp) 1563 { 1564 int i; 1565 1566 if (!apparmor_enabled) 1567 return -EINVAL; 1568 if (!val) 1569 return -EINVAL; 1570 if (apparmor_initialized && !policy_admin_capable(NULL)) 1571 return -EPERM; 1572 1573 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1574 val); 1575 if (i < 0) 1576 return -EINVAL; 1577 1578 aa_g_profile_mode = i; 1579 return 0; 1580 } 1581 1582 char *aa_get_buffer(bool in_atomic) 1583 { 1584 union aa_buffer *aa_buf; 1585 bool try_again = true; 1586 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1587 1588 retry: 1589 spin_lock(&aa_buffers_lock); 1590 if (buffer_count > reserve_count || 1591 (in_atomic && !list_empty(&aa_global_buffers))) { 1592 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1593 list); 1594 list_del(&aa_buf->list); 1595 buffer_count--; 1596 spin_unlock(&aa_buffers_lock); 1597 return &aa_buf->buffer[0]; 1598 } 1599 if (in_atomic) { 1600 /* 1601 * out of reserve buffers and in atomic context so increase 1602 * how many buffers to keep in reserve 1603 */ 1604 reserve_count++; 1605 flags = GFP_ATOMIC; 1606 } 1607 spin_unlock(&aa_buffers_lock); 1608 1609 if (!in_atomic) 1610 might_sleep(); 1611 aa_buf = kmalloc(aa_g_path_max, flags); 1612 if (!aa_buf) { 1613 if (try_again) { 1614 try_again = false; 1615 goto retry; 1616 } 1617 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n"); 1618 return NULL; 1619 } 1620 return &aa_buf->buffer[0]; 1621 } 1622 1623 void aa_put_buffer(char *buf) 1624 { 1625 union aa_buffer *aa_buf; 1626 1627 if (!buf) 1628 return; 1629 aa_buf = container_of(buf, union aa_buffer, buffer[0]); 1630 1631 spin_lock(&aa_buffers_lock); 1632 list_add(&aa_buf->list, &aa_global_buffers); 1633 buffer_count++; 1634 spin_unlock(&aa_buffers_lock); 1635 } 1636 1637 /* 1638 * AppArmor init functions 1639 */ 1640 1641 /** 1642 * set_init_ctx - set a task context and profile on the first task. 1643 * 1644 * TODO: allow setting an alternate profile than unconfined 1645 */ 1646 static int __init set_init_ctx(void) 1647 { 1648 struct cred *cred = (__force struct cred *)current->real_cred; 1649 1650 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); 1651 1652 return 0; 1653 } 1654 1655 static void destroy_buffers(void) 1656 { 1657 union aa_buffer *aa_buf; 1658 1659 spin_lock(&aa_buffers_lock); 1660 while (!list_empty(&aa_global_buffers)) { 1661 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1662 list); 1663 list_del(&aa_buf->list); 1664 spin_unlock(&aa_buffers_lock); 1665 kfree(aa_buf); 1666 spin_lock(&aa_buffers_lock); 1667 } 1668 spin_unlock(&aa_buffers_lock); 1669 } 1670 1671 static int __init alloc_buffers(void) 1672 { 1673 union aa_buffer *aa_buf; 1674 int i, num; 1675 1676 /* 1677 * A function may require two buffers at once. Usually the buffers are 1678 * used for a short period of time and are shared. On UP kernel buffers 1679 * two should be enough, with more CPUs it is possible that more 1680 * buffers will be used simultaneously. The preallocated pool may grow. 1681 * This preallocation has also the side-effect that AppArmor will be 1682 * disabled early at boot if aa_g_path_max is extremly high. 1683 */ 1684 if (num_online_cpus() > 1) 1685 num = 4 + RESERVE_COUNT; 1686 else 1687 num = 2 + RESERVE_COUNT; 1688 1689 for (i = 0; i < num; i++) { 1690 1691 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL | 1692 __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1693 if (!aa_buf) { 1694 destroy_buffers(); 1695 return -ENOMEM; 1696 } 1697 aa_put_buffer(&aa_buf->buffer[0]); 1698 } 1699 return 0; 1700 } 1701 1702 #ifdef CONFIG_SYSCTL 1703 static int apparmor_dointvec(struct ctl_table *table, int write, 1704 void *buffer, size_t *lenp, loff_t *ppos) 1705 { 1706 if (!policy_admin_capable(NULL)) 1707 return -EPERM; 1708 if (!apparmor_enabled) 1709 return -EINVAL; 1710 1711 return proc_dointvec(table, write, buffer, lenp, ppos); 1712 } 1713 1714 static struct ctl_path apparmor_sysctl_path[] = { 1715 { .procname = "kernel", }, 1716 { } 1717 }; 1718 1719 static struct ctl_table apparmor_sysctl_table[] = { 1720 { 1721 .procname = "unprivileged_userns_apparmor_policy", 1722 .data = &unprivileged_userns_apparmor_policy, 1723 .maxlen = sizeof(int), 1724 .mode = 0600, 1725 .proc_handler = apparmor_dointvec, 1726 }, 1727 { } 1728 }; 1729 1730 static int __init apparmor_init_sysctl(void) 1731 { 1732 return register_sysctl_paths(apparmor_sysctl_path, 1733 apparmor_sysctl_table) ? 0 : -ENOMEM; 1734 } 1735 #else 1736 static inline int apparmor_init_sysctl(void) 1737 { 1738 return 0; 1739 } 1740 #endif /* CONFIG_SYSCTL */ 1741 1742 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK) 1743 static unsigned int apparmor_ip_postroute(void *priv, 1744 struct sk_buff *skb, 1745 const struct nf_hook_state *state) 1746 { 1747 struct aa_sk_ctx *ctx; 1748 struct sock *sk; 1749 1750 if (!skb->secmark) 1751 return NF_ACCEPT; 1752 1753 sk = skb_to_full_sk(skb); 1754 if (sk == NULL) 1755 return NF_ACCEPT; 1756 1757 ctx = SK_CTX(sk); 1758 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, 1759 skb->secmark, sk)) 1760 return NF_ACCEPT; 1761 1762 return NF_DROP_ERR(-ECONNREFUSED); 1763 1764 } 1765 1766 static unsigned int apparmor_ipv4_postroute(void *priv, 1767 struct sk_buff *skb, 1768 const struct nf_hook_state *state) 1769 { 1770 return apparmor_ip_postroute(priv, skb, state); 1771 } 1772 1773 #if IS_ENABLED(CONFIG_IPV6) 1774 static unsigned int apparmor_ipv6_postroute(void *priv, 1775 struct sk_buff *skb, 1776 const struct nf_hook_state *state) 1777 { 1778 return apparmor_ip_postroute(priv, skb, state); 1779 } 1780 #endif 1781 1782 static const struct nf_hook_ops apparmor_nf_ops[] = { 1783 { 1784 .hook = apparmor_ipv4_postroute, 1785 .pf = NFPROTO_IPV4, 1786 .hooknum = NF_INET_POST_ROUTING, 1787 .priority = NF_IP_PRI_SELINUX_FIRST, 1788 }, 1789 #if IS_ENABLED(CONFIG_IPV6) 1790 { 1791 .hook = apparmor_ipv6_postroute, 1792 .pf = NFPROTO_IPV6, 1793 .hooknum = NF_INET_POST_ROUTING, 1794 .priority = NF_IP6_PRI_SELINUX_FIRST, 1795 }, 1796 #endif 1797 }; 1798 1799 static int __net_init apparmor_nf_register(struct net *net) 1800 { 1801 int ret; 1802 1803 ret = nf_register_net_hooks(net, apparmor_nf_ops, 1804 ARRAY_SIZE(apparmor_nf_ops)); 1805 return ret; 1806 } 1807 1808 static void __net_exit apparmor_nf_unregister(struct net *net) 1809 { 1810 nf_unregister_net_hooks(net, apparmor_nf_ops, 1811 ARRAY_SIZE(apparmor_nf_ops)); 1812 } 1813 1814 static struct pernet_operations apparmor_net_ops = { 1815 .init = apparmor_nf_register, 1816 .exit = apparmor_nf_unregister, 1817 }; 1818 1819 static int __init apparmor_nf_ip_init(void) 1820 { 1821 int err; 1822 1823 if (!apparmor_enabled) 1824 return 0; 1825 1826 err = register_pernet_subsys(&apparmor_net_ops); 1827 if (err) 1828 panic("Apparmor: register_pernet_subsys: error %d\n", err); 1829 1830 return 0; 1831 } 1832 __initcall(apparmor_nf_ip_init); 1833 #endif 1834 1835 static int __init apparmor_init(void) 1836 { 1837 int error; 1838 1839 aa_secids_init(); 1840 1841 error = aa_setup_dfa_engine(); 1842 if (error) { 1843 AA_ERROR("Unable to setup dfa engine\n"); 1844 goto alloc_out; 1845 } 1846 1847 error = aa_alloc_root_ns(); 1848 if (error) { 1849 AA_ERROR("Unable to allocate default profile namespace\n"); 1850 goto alloc_out; 1851 } 1852 1853 error = apparmor_init_sysctl(); 1854 if (error) { 1855 AA_ERROR("Unable to register sysctls\n"); 1856 goto alloc_out; 1857 1858 } 1859 1860 error = alloc_buffers(); 1861 if (error) { 1862 AA_ERROR("Unable to allocate work buffers\n"); 1863 goto alloc_out; 1864 } 1865 1866 error = set_init_ctx(); 1867 if (error) { 1868 AA_ERROR("Failed to set context on init task\n"); 1869 aa_free_root_ns(); 1870 goto buffers_out; 1871 } 1872 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1873 "apparmor"); 1874 1875 /* Report that AppArmor successfully initialized */ 1876 apparmor_initialized = 1; 1877 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1878 aa_info_message("AppArmor initialized: complain mode enabled"); 1879 else if (aa_g_profile_mode == APPARMOR_KILL) 1880 aa_info_message("AppArmor initialized: kill mode enabled"); 1881 else 1882 aa_info_message("AppArmor initialized"); 1883 1884 return error; 1885 1886 buffers_out: 1887 destroy_buffers(); 1888 alloc_out: 1889 aa_destroy_aafs(); 1890 aa_teardown_dfa_engine(); 1891 1892 apparmor_enabled = false; 1893 return error; 1894 } 1895 1896 DEFINE_LSM(apparmor) = { 1897 .name = "apparmor", 1898 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 1899 .enabled = &apparmor_enabled, 1900 .blobs = &apparmor_blob_sizes, 1901 .init = apparmor_init, 1902 }; 1903