1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 43 /* Flag indicating whether initialization completed */ 44 int apparmor_initialized; 45 46 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 47 48 49 /* 50 * LSM hook functions 51 */ 52 53 /* 54 * free the associated aa_task_ctx and put its labels 55 */ 56 static void apparmor_cred_free(struct cred *cred) 57 { 58 aa_free_task_context(cred_ctx(cred)); 59 cred_ctx(cred) = NULL; 60 } 61 62 /* 63 * allocate the apparmor part of blank credentials 64 */ 65 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 66 { 67 /* freed by apparmor_cred_free */ 68 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 69 70 if (!ctx) 71 return -ENOMEM; 72 73 cred_ctx(cred) = ctx; 74 return 0; 75 } 76 77 /* 78 * prepare new aa_task_ctx for modification by prepare_cred block 79 */ 80 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 81 gfp_t gfp) 82 { 83 /* freed by apparmor_cred_free */ 84 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 85 86 if (!ctx) 87 return -ENOMEM; 88 89 aa_dup_task_context(ctx, cred_ctx(old)); 90 cred_ctx(new) = ctx; 91 return 0; 92 } 93 94 /* 95 * transfer the apparmor data to a blank set of creds 96 */ 97 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 98 { 99 const struct aa_task_ctx *old_ctx = cred_ctx(old); 100 struct aa_task_ctx *new_ctx = cred_ctx(new); 101 102 aa_dup_task_context(new_ctx, old_ctx); 103 } 104 105 static int apparmor_ptrace_access_check(struct task_struct *child, 106 unsigned int mode) 107 { 108 struct aa_label *tracer, *tracee; 109 int error; 110 111 tracer = begin_current_label_crit_section(); 112 tracee = aa_get_task_label(child); 113 error = aa_may_ptrace(tracer, tracee, 114 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 115 aa_put_label(tracee); 116 end_current_label_crit_section(tracer); 117 118 return error; 119 } 120 121 static int apparmor_ptrace_traceme(struct task_struct *parent) 122 { 123 struct aa_label *tracer, *tracee; 124 int error; 125 126 tracee = begin_current_label_crit_section(); 127 tracer = aa_get_task_label(parent); 128 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 129 aa_put_label(tracer); 130 end_current_label_crit_section(tracee); 131 132 return error; 133 } 134 135 /* Derived from security/commoncap.c:cap_capget */ 136 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 137 kernel_cap_t *inheritable, kernel_cap_t *permitted) 138 { 139 struct aa_label *label; 140 const struct cred *cred; 141 142 rcu_read_lock(); 143 cred = __task_cred(target); 144 label = aa_get_newest_cred_label(cred); 145 146 /* 147 * cap_capget is stacked ahead of this and will 148 * initialize effective and permitted. 149 */ 150 if (!unconfined(label)) { 151 struct aa_profile *profile; 152 struct label_it i; 153 154 label_for_each_confined(i, label, profile) { 155 if (COMPLAIN_MODE(profile)) 156 continue; 157 *effective = cap_intersect(*effective, 158 profile->caps.allow); 159 *permitted = cap_intersect(*permitted, 160 profile->caps.allow); 161 } 162 } 163 rcu_read_unlock(); 164 aa_put_label(label); 165 166 return 0; 167 } 168 169 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 170 int cap, int audit) 171 { 172 struct aa_label *label; 173 int error = 0; 174 175 label = aa_get_newest_cred_label(cred); 176 if (!unconfined(label)) 177 error = aa_capable(label, cap, audit); 178 aa_put_label(label); 179 180 return error; 181 } 182 183 /** 184 * common_perm - basic common permission check wrapper fn for paths 185 * @op: operation being checked 186 * @path: path to check permission of (NOT NULL) 187 * @mask: requested permissions mask 188 * @cond: conditional info for the permission request (NOT NULL) 189 * 190 * Returns: %0 else error code if error or permission denied 191 */ 192 static int common_perm(const char *op, const struct path *path, u32 mask, 193 struct path_cond *cond) 194 { 195 struct aa_label *label; 196 int error = 0; 197 198 label = __begin_current_label_crit_section(); 199 if (!unconfined(label)) 200 error = aa_path_perm(op, label, path, 0, mask, cond); 201 __end_current_label_crit_section(label); 202 203 return error; 204 } 205 206 /** 207 * common_perm_cond - common permission wrapper around inode cond 208 * @op: operation being checked 209 * @path: location to check (NOT NULL) 210 * @mask: requested permissions mask 211 * 212 * Returns: %0 else error code if error or permission denied 213 */ 214 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 215 { 216 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 217 d_backing_inode(path->dentry)->i_mode 218 }; 219 220 if (!path_mediated_fs(path->dentry)) 221 return 0; 222 223 return common_perm(op, path, mask, &cond); 224 } 225 226 /** 227 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 228 * @op: operation being checked 229 * @dir: directory of the dentry (NOT NULL) 230 * @dentry: dentry to check (NOT NULL) 231 * @mask: requested permissions mask 232 * @cond: conditional info for the permission request (NOT NULL) 233 * 234 * Returns: %0 else error code if error or permission denied 235 */ 236 static int common_perm_dir_dentry(const char *op, const struct path *dir, 237 struct dentry *dentry, u32 mask, 238 struct path_cond *cond) 239 { 240 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 241 242 return common_perm(op, &path, mask, cond); 243 } 244 245 /** 246 * common_perm_rm - common permission wrapper for operations doing rm 247 * @op: operation being checked 248 * @dir: directory that the dentry is in (NOT NULL) 249 * @dentry: dentry being rm'd (NOT NULL) 250 * @mask: requested permission mask 251 * 252 * Returns: %0 else error code if error or permission denied 253 */ 254 static int common_perm_rm(const char *op, const struct path *dir, 255 struct dentry *dentry, u32 mask) 256 { 257 struct inode *inode = d_backing_inode(dentry); 258 struct path_cond cond = { }; 259 260 if (!inode || !path_mediated_fs(dentry)) 261 return 0; 262 263 cond.uid = inode->i_uid; 264 cond.mode = inode->i_mode; 265 266 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 267 } 268 269 /** 270 * common_perm_create - common permission wrapper for operations doing create 271 * @op: operation being checked 272 * @dir: directory that dentry will be created in (NOT NULL) 273 * @dentry: dentry to create (NOT NULL) 274 * @mask: request permission mask 275 * @mode: created file mode 276 * 277 * Returns: %0 else error code if error or permission denied 278 */ 279 static int common_perm_create(const char *op, const struct path *dir, 280 struct dentry *dentry, u32 mask, umode_t mode) 281 { 282 struct path_cond cond = { current_fsuid(), mode }; 283 284 if (!path_mediated_fs(dir->dentry)) 285 return 0; 286 287 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 288 } 289 290 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 291 { 292 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 293 } 294 295 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 296 umode_t mode) 297 { 298 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 299 S_IFDIR); 300 } 301 302 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 303 { 304 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 305 } 306 307 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 308 umode_t mode, unsigned int dev) 309 { 310 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 311 } 312 313 static int apparmor_path_truncate(const struct path *path) 314 { 315 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 316 } 317 318 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 319 const char *old_name) 320 { 321 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 322 S_IFLNK); 323 } 324 325 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 326 struct dentry *new_dentry) 327 { 328 struct aa_label *label; 329 int error = 0; 330 331 if (!path_mediated_fs(old_dentry)) 332 return 0; 333 334 label = begin_current_label_crit_section(); 335 if (!unconfined(label)) 336 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 337 end_current_label_crit_section(label); 338 339 return error; 340 } 341 342 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 343 const struct path *new_dir, struct dentry *new_dentry) 344 { 345 struct aa_label *label; 346 int error = 0; 347 348 if (!path_mediated_fs(old_dentry)) 349 return 0; 350 351 label = begin_current_label_crit_section(); 352 if (!unconfined(label)) { 353 struct path old_path = { .mnt = old_dir->mnt, 354 .dentry = old_dentry }; 355 struct path new_path = { .mnt = new_dir->mnt, 356 .dentry = new_dentry }; 357 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 358 d_backing_inode(old_dentry)->i_mode 359 }; 360 361 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 362 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 363 AA_MAY_SETATTR | AA_MAY_DELETE, 364 &cond); 365 if (!error) 366 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 367 0, MAY_WRITE | AA_MAY_SETATTR | 368 AA_MAY_CREATE, &cond); 369 370 } 371 end_current_label_crit_section(label); 372 373 return error; 374 } 375 376 static int apparmor_path_chmod(const struct path *path, umode_t mode) 377 { 378 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 379 } 380 381 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 382 { 383 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 384 } 385 386 static int apparmor_inode_getattr(const struct path *path) 387 { 388 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 389 } 390 391 static int apparmor_file_open(struct file *file, const struct cred *cred) 392 { 393 struct aa_file_ctx *fctx = file_ctx(file); 394 struct aa_label *label; 395 int error = 0; 396 397 if (!path_mediated_fs(file->f_path.dentry)) 398 return 0; 399 400 /* If in exec, permission is handled by bprm hooks. 401 * Cache permissions granted by the previous exec check, with 402 * implicit read and executable mmap which are required to 403 * actually execute the image. 404 */ 405 if (current->in_execve) { 406 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 407 return 0; 408 } 409 410 label = aa_get_newest_cred_label(cred); 411 if (!unconfined(label)) { 412 struct inode *inode = file_inode(file); 413 struct path_cond cond = { inode->i_uid, inode->i_mode }; 414 415 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 416 aa_map_file_to_perms(file), &cond); 417 /* todo cache full allowed permissions set and state */ 418 fctx->allow = aa_map_file_to_perms(file); 419 } 420 aa_put_label(label); 421 422 return error; 423 } 424 425 static int apparmor_file_alloc_security(struct file *file) 426 { 427 int error = 0; 428 429 /* freed by apparmor_file_free_security */ 430 struct aa_label *label = begin_current_label_crit_section(); 431 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 432 if (!file_ctx(file)) 433 error = -ENOMEM; 434 end_current_label_crit_section(label); 435 436 return error; 437 } 438 439 static void apparmor_file_free_security(struct file *file) 440 { 441 aa_free_file_ctx(file_ctx(file)); 442 } 443 444 static int common_file_perm(const char *op, struct file *file, u32 mask) 445 { 446 struct aa_label *label; 447 int error = 0; 448 449 /* don't reaudit files closed during inheritance */ 450 if (file->f_path.dentry == aa_null.dentry) 451 return -EACCES; 452 453 label = __begin_current_label_crit_section(); 454 error = aa_file_perm(op, label, file, mask); 455 __end_current_label_crit_section(label); 456 457 return error; 458 } 459 460 static int apparmor_file_receive(struct file *file) 461 { 462 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 463 } 464 465 static int apparmor_file_permission(struct file *file, int mask) 466 { 467 return common_file_perm(OP_FPERM, file, mask); 468 } 469 470 static int apparmor_file_lock(struct file *file, unsigned int cmd) 471 { 472 u32 mask = AA_MAY_LOCK; 473 474 if (cmd == F_WRLCK) 475 mask |= MAY_WRITE; 476 477 return common_file_perm(OP_FLOCK, file, mask); 478 } 479 480 static int common_mmap(const char *op, struct file *file, unsigned long prot, 481 unsigned long flags) 482 { 483 int mask = 0; 484 485 if (!file || !file_ctx(file)) 486 return 0; 487 488 if (prot & PROT_READ) 489 mask |= MAY_READ; 490 /* 491 * Private mappings don't require write perms since they don't 492 * write back to the files 493 */ 494 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 495 mask |= MAY_WRITE; 496 if (prot & PROT_EXEC) 497 mask |= AA_EXEC_MMAP; 498 499 return common_file_perm(op, file, mask); 500 } 501 502 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 503 unsigned long prot, unsigned long flags) 504 { 505 return common_mmap(OP_FMMAP, file, prot, flags); 506 } 507 508 static int apparmor_file_mprotect(struct vm_area_struct *vma, 509 unsigned long reqprot, unsigned long prot) 510 { 511 return common_mmap(OP_FMPROT, vma->vm_file, prot, 512 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 513 } 514 515 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 516 const char *type, unsigned long flags, void *data) 517 { 518 struct aa_label *label; 519 int error = 0; 520 521 /* Discard magic */ 522 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 523 flags &= ~MS_MGC_MSK; 524 525 flags &= ~AA_MS_IGNORE_MASK; 526 527 label = __begin_current_label_crit_section(); 528 if (!unconfined(label)) { 529 if (flags & MS_REMOUNT) 530 error = aa_remount(label, path, flags, data); 531 else if (flags & MS_BIND) 532 error = aa_bind_mount(label, path, dev_name, flags); 533 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 534 MS_UNBINDABLE)) 535 error = aa_mount_change_type(label, path, flags); 536 else if (flags & MS_MOVE) 537 error = aa_move_mount(label, path, dev_name); 538 else 539 error = aa_new_mount(label, dev_name, path, type, 540 flags, data); 541 } 542 __end_current_label_crit_section(label); 543 544 return error; 545 } 546 547 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 548 { 549 struct aa_label *label; 550 int error = 0; 551 552 label = __begin_current_label_crit_section(); 553 if (!unconfined(label)) 554 error = aa_umount(label, mnt, flags); 555 __end_current_label_crit_section(label); 556 557 return error; 558 } 559 560 static int apparmor_sb_pivotroot(const struct path *old_path, 561 const struct path *new_path) 562 { 563 struct aa_label *label; 564 int error = 0; 565 566 label = aa_get_current_label(); 567 if (!unconfined(label)) 568 error = aa_pivotroot(label, old_path, new_path); 569 aa_put_label(label); 570 571 return error; 572 } 573 574 static int apparmor_getprocattr(struct task_struct *task, char *name, 575 char **value) 576 { 577 int error = -ENOENT; 578 /* released below */ 579 const struct cred *cred = get_task_cred(task); 580 struct aa_task_ctx *ctx = cred_ctx(cred); 581 struct aa_label *label = NULL; 582 583 if (strcmp(name, "current") == 0) 584 label = aa_get_newest_label(ctx->label); 585 else if (strcmp(name, "prev") == 0 && ctx->previous) 586 label = aa_get_newest_label(ctx->previous); 587 else if (strcmp(name, "exec") == 0 && ctx->onexec) 588 label = aa_get_newest_label(ctx->onexec); 589 else 590 error = -EINVAL; 591 592 if (label) 593 error = aa_getprocattr(label, value); 594 595 aa_put_label(label); 596 put_cred(cred); 597 598 return error; 599 } 600 601 static int apparmor_setprocattr(const char *name, void *value, 602 size_t size) 603 { 604 char *command, *largs = NULL, *args = value; 605 size_t arg_size; 606 int error; 607 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 608 609 if (size == 0) 610 return -EINVAL; 611 612 /* AppArmor requires that the buffer must be null terminated atm */ 613 if (args[size - 1] != '\0') { 614 /* null terminate */ 615 largs = args = kmalloc(size + 1, GFP_KERNEL); 616 if (!args) 617 return -ENOMEM; 618 memcpy(args, value, size); 619 args[size] = '\0'; 620 } 621 622 error = -EINVAL; 623 args = strim(args); 624 command = strsep(&args, " "); 625 if (!args) 626 goto out; 627 args = skip_spaces(args); 628 if (!*args) 629 goto out; 630 631 arg_size = size - (args - (largs ? largs : (char *) value)); 632 if (strcmp(name, "current") == 0) { 633 if (strcmp(command, "changehat") == 0) { 634 error = aa_setprocattr_changehat(args, arg_size, 635 AA_CHANGE_NOFLAGS); 636 } else if (strcmp(command, "permhat") == 0) { 637 error = aa_setprocattr_changehat(args, arg_size, 638 AA_CHANGE_TEST); 639 } else if (strcmp(command, "changeprofile") == 0) { 640 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 641 } else if (strcmp(command, "permprofile") == 0) { 642 error = aa_change_profile(args, AA_CHANGE_TEST); 643 } else if (strcmp(command, "stack") == 0) { 644 error = aa_change_profile(args, AA_CHANGE_STACK); 645 } else 646 goto fail; 647 } else if (strcmp(name, "exec") == 0) { 648 if (strcmp(command, "exec") == 0) 649 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 650 else if (strcmp(command, "stack") == 0) 651 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 652 AA_CHANGE_STACK)); 653 else 654 goto fail; 655 } else 656 /* only support the "current" and "exec" process attributes */ 657 goto fail; 658 659 if (!error) 660 error = size; 661 out: 662 kfree(largs); 663 return error; 664 665 fail: 666 aad(&sa)->label = begin_current_label_crit_section(); 667 aad(&sa)->info = name; 668 aad(&sa)->error = error = -EINVAL; 669 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 670 end_current_label_crit_section(aad(&sa)->label); 671 goto out; 672 } 673 674 /** 675 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 676 * @bprm: binprm for the exec (NOT NULL) 677 */ 678 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 679 { 680 struct aa_label *label = aa_current_raw_label(); 681 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 682 683 /* bail out if unconfined or not changing profile */ 684 if ((new_ctx->label->proxy == label->proxy) || 685 (unconfined(new_ctx->label))) 686 return; 687 688 aa_inherit_files(bprm->cred, current->files); 689 690 current->pdeath_signal = 0; 691 692 /* reset soft limits and set hard limits for the new label */ 693 __aa_transition_rlimits(label, new_ctx->label); 694 } 695 696 /** 697 * apparmor_bprm_committed_cred - do cleanup after new creds committed 698 * @bprm: binprm for the exec (NOT NULL) 699 */ 700 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 701 { 702 /* TODO: cleanup signals - ipc mediation */ 703 return; 704 } 705 706 static int apparmor_task_setrlimit(struct task_struct *task, 707 unsigned int resource, struct rlimit *new_rlim) 708 { 709 struct aa_label *label = __begin_current_label_crit_section(); 710 int error = 0; 711 712 if (!unconfined(label)) 713 error = aa_task_setrlimit(label, task, resource, new_rlim); 714 __end_current_label_crit_section(label); 715 716 return error; 717 } 718 719 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 720 int sig, u32 secid) 721 { 722 struct aa_label *cl, *tl; 723 int error; 724 725 if (secid) 726 /* TODO: after secid to label mapping is done. 727 * Dealing with USB IO specific behavior 728 */ 729 return 0; 730 cl = __begin_current_label_crit_section(); 731 tl = aa_get_task_label(target); 732 error = aa_may_signal(cl, tl, sig); 733 aa_put_label(tl); 734 __end_current_label_crit_section(cl); 735 736 return error; 737 } 738 739 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 740 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 741 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 742 LSM_HOOK_INIT(capget, apparmor_capget), 743 LSM_HOOK_INIT(capable, apparmor_capable), 744 745 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 746 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 747 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 748 749 LSM_HOOK_INIT(path_link, apparmor_path_link), 750 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 751 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 752 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 753 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 754 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 755 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 756 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 757 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 758 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 759 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 760 761 LSM_HOOK_INIT(file_open, apparmor_file_open), 762 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 763 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 764 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 765 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 766 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 767 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 768 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 769 770 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 771 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 772 773 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 774 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 775 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 776 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 777 778 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 779 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 780 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 781 782 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 783 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 784 }; 785 786 /* 787 * AppArmor sysfs module parameters 788 */ 789 790 static int param_set_aabool(const char *val, const struct kernel_param *kp); 791 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 792 #define param_check_aabool param_check_bool 793 static const struct kernel_param_ops param_ops_aabool = { 794 .flags = KERNEL_PARAM_OPS_FL_NOARG, 795 .set = param_set_aabool, 796 .get = param_get_aabool 797 }; 798 799 static int param_set_aauint(const char *val, const struct kernel_param *kp); 800 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 801 #define param_check_aauint param_check_uint 802 static const struct kernel_param_ops param_ops_aauint = { 803 .set = param_set_aauint, 804 .get = param_get_aauint 805 }; 806 807 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 808 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 809 #define param_check_aalockpolicy param_check_bool 810 static const struct kernel_param_ops param_ops_aalockpolicy = { 811 .flags = KERNEL_PARAM_OPS_FL_NOARG, 812 .set = param_set_aalockpolicy, 813 .get = param_get_aalockpolicy 814 }; 815 816 static int param_set_audit(const char *val, const struct kernel_param *kp); 817 static int param_get_audit(char *buffer, const struct kernel_param *kp); 818 819 static int param_set_mode(const char *val, const struct kernel_param *kp); 820 static int param_get_mode(char *buffer, const struct kernel_param *kp); 821 822 /* Flag values, also controllable via /sys/module/apparmor/parameters 823 * We define special types as we want to do additional mediation. 824 */ 825 826 /* AppArmor global enforcement switch - complain, enforce, kill */ 827 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 828 module_param_call(mode, param_set_mode, param_get_mode, 829 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 830 831 /* whether policy verification hashing is enabled */ 832 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 833 #ifdef CONFIG_SECURITY_APPARMOR_HASH 834 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 835 #endif 836 837 /* Debug mode */ 838 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 839 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 840 841 /* Audit mode */ 842 enum audit_mode aa_g_audit; 843 module_param_call(audit, param_set_audit, param_get_audit, 844 &aa_g_audit, S_IRUSR | S_IWUSR); 845 846 /* Determines if audit header is included in audited messages. This 847 * provides more context if the audit daemon is not running 848 */ 849 bool aa_g_audit_header = true; 850 module_param_named(audit_header, aa_g_audit_header, aabool, 851 S_IRUSR | S_IWUSR); 852 853 /* lock out loading/removal of policy 854 * TODO: add in at boot loading of policy, which is the only way to 855 * load policy, if lock_policy is set 856 */ 857 bool aa_g_lock_policy; 858 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 859 S_IRUSR | S_IWUSR); 860 861 /* Syscall logging mode */ 862 bool aa_g_logsyscall; 863 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 864 865 /* Maximum pathname length before accesses will start getting rejected */ 866 unsigned int aa_g_path_max = 2 * PATH_MAX; 867 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 868 869 /* Determines how paranoid loading of policy is and how much verification 870 * on the loaded policy is done. 871 * DEPRECATED: read only as strict checking of load is always done now 872 * that none root users (user namespaces) can load policy. 873 */ 874 bool aa_g_paranoid_load = true; 875 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 876 877 /* Boot time disable flag */ 878 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 879 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 880 881 static int __init apparmor_enabled_setup(char *str) 882 { 883 unsigned long enabled; 884 int error = kstrtoul(str, 0, &enabled); 885 if (!error) 886 apparmor_enabled = enabled ? 1 : 0; 887 return 1; 888 } 889 890 __setup("apparmor=", apparmor_enabled_setup); 891 892 /* set global flag turning off the ability to load policy */ 893 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 894 { 895 if (!apparmor_enabled) 896 return -EINVAL; 897 if (apparmor_initialized && !policy_admin_capable(NULL)) 898 return -EPERM; 899 return param_set_bool(val, kp); 900 } 901 902 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 903 { 904 if (!apparmor_enabled) 905 return -EINVAL; 906 if (apparmor_initialized && !policy_view_capable(NULL)) 907 return -EPERM; 908 return param_get_bool(buffer, kp); 909 } 910 911 static int param_set_aabool(const char *val, const struct kernel_param *kp) 912 { 913 if (!apparmor_enabled) 914 return -EINVAL; 915 if (apparmor_initialized && !policy_admin_capable(NULL)) 916 return -EPERM; 917 return param_set_bool(val, kp); 918 } 919 920 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 921 { 922 if (!apparmor_enabled) 923 return -EINVAL; 924 if (apparmor_initialized && !policy_view_capable(NULL)) 925 return -EPERM; 926 return param_get_bool(buffer, kp); 927 } 928 929 static int param_set_aauint(const char *val, const struct kernel_param *kp) 930 { 931 int error; 932 933 if (!apparmor_enabled) 934 return -EINVAL; 935 /* file is ro but enforce 2nd line check */ 936 if (apparmor_initialized) 937 return -EPERM; 938 939 error = param_set_uint(val, kp); 940 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 941 942 return error; 943 } 944 945 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 946 { 947 if (!apparmor_enabled) 948 return -EINVAL; 949 if (apparmor_initialized && !policy_view_capable(NULL)) 950 return -EPERM; 951 return param_get_uint(buffer, kp); 952 } 953 954 static int param_get_audit(char *buffer, const struct kernel_param *kp) 955 { 956 if (!apparmor_enabled) 957 return -EINVAL; 958 if (apparmor_initialized && !policy_view_capable(NULL)) 959 return -EPERM; 960 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 961 } 962 963 static int param_set_audit(const char *val, const struct kernel_param *kp) 964 { 965 int i; 966 967 if (!apparmor_enabled) 968 return -EINVAL; 969 if (!val) 970 return -EINVAL; 971 if (apparmor_initialized && !policy_admin_capable(NULL)) 972 return -EPERM; 973 974 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 975 if (strcmp(val, audit_mode_names[i]) == 0) { 976 aa_g_audit = i; 977 return 0; 978 } 979 } 980 981 return -EINVAL; 982 } 983 984 static int param_get_mode(char *buffer, const struct kernel_param *kp) 985 { 986 if (!apparmor_enabled) 987 return -EINVAL; 988 if (apparmor_initialized && !policy_view_capable(NULL)) 989 return -EPERM; 990 991 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 992 } 993 994 static int param_set_mode(const char *val, const struct kernel_param *kp) 995 { 996 int i; 997 998 if (!apparmor_enabled) 999 return -EINVAL; 1000 if (!val) 1001 return -EINVAL; 1002 if (apparmor_initialized && !policy_admin_capable(NULL)) 1003 return -EPERM; 1004 1005 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 1006 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 1007 aa_g_profile_mode = i; 1008 return 0; 1009 } 1010 } 1011 1012 return -EINVAL; 1013 } 1014 1015 /* 1016 * AppArmor init functions 1017 */ 1018 1019 /** 1020 * set_init_ctx - set a task context and profile on the first task. 1021 * 1022 * TODO: allow setting an alternate profile than unconfined 1023 */ 1024 static int __init set_init_ctx(void) 1025 { 1026 struct cred *cred = (struct cred *)current->real_cred; 1027 struct aa_task_ctx *ctx; 1028 1029 ctx = aa_alloc_task_context(GFP_KERNEL); 1030 if (!ctx) 1031 return -ENOMEM; 1032 1033 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1034 cred_ctx(cred) = ctx; 1035 1036 return 0; 1037 } 1038 1039 static void destroy_buffers(void) 1040 { 1041 u32 i, j; 1042 1043 for_each_possible_cpu(i) { 1044 for_each_cpu_buffer(j) { 1045 kfree(per_cpu(aa_buffers, i).buf[j]); 1046 per_cpu(aa_buffers, i).buf[j] = NULL; 1047 } 1048 } 1049 } 1050 1051 static int __init alloc_buffers(void) 1052 { 1053 u32 i, j; 1054 1055 for_each_possible_cpu(i) { 1056 for_each_cpu_buffer(j) { 1057 char *buffer; 1058 1059 if (cpu_to_node(i) > num_online_nodes()) 1060 /* fallback to kmalloc for offline nodes */ 1061 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1062 else 1063 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1064 cpu_to_node(i)); 1065 if (!buffer) { 1066 destroy_buffers(); 1067 return -ENOMEM; 1068 } 1069 per_cpu(aa_buffers, i).buf[j] = buffer; 1070 } 1071 } 1072 1073 return 0; 1074 } 1075 1076 #ifdef CONFIG_SYSCTL 1077 static int apparmor_dointvec(struct ctl_table *table, int write, 1078 void __user *buffer, size_t *lenp, loff_t *ppos) 1079 { 1080 if (!policy_admin_capable(NULL)) 1081 return -EPERM; 1082 if (!apparmor_enabled) 1083 return -EINVAL; 1084 1085 return proc_dointvec(table, write, buffer, lenp, ppos); 1086 } 1087 1088 static struct ctl_path apparmor_sysctl_path[] = { 1089 { .procname = "kernel", }, 1090 { } 1091 }; 1092 1093 static struct ctl_table apparmor_sysctl_table[] = { 1094 { 1095 .procname = "unprivileged_userns_apparmor_policy", 1096 .data = &unprivileged_userns_apparmor_policy, 1097 .maxlen = sizeof(int), 1098 .mode = 0600, 1099 .proc_handler = apparmor_dointvec, 1100 }, 1101 { } 1102 }; 1103 1104 static int __init apparmor_init_sysctl(void) 1105 { 1106 return register_sysctl_paths(apparmor_sysctl_path, 1107 apparmor_sysctl_table) ? 0 : -ENOMEM; 1108 } 1109 #else 1110 static inline int apparmor_init_sysctl(void) 1111 { 1112 return 0; 1113 } 1114 #endif /* CONFIG_SYSCTL */ 1115 1116 static int __init apparmor_init(void) 1117 { 1118 int error; 1119 1120 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1121 aa_info_message("AppArmor disabled by boot time parameter"); 1122 apparmor_enabled = false; 1123 return 0; 1124 } 1125 1126 error = aa_setup_dfa_engine(); 1127 if (error) { 1128 AA_ERROR("Unable to setup dfa engine\n"); 1129 goto alloc_out; 1130 } 1131 1132 error = aa_alloc_root_ns(); 1133 if (error) { 1134 AA_ERROR("Unable to allocate default profile namespace\n"); 1135 goto alloc_out; 1136 } 1137 1138 error = apparmor_init_sysctl(); 1139 if (error) { 1140 AA_ERROR("Unable to register sysctls\n"); 1141 goto alloc_out; 1142 1143 } 1144 1145 error = alloc_buffers(); 1146 if (error) { 1147 AA_ERROR("Unable to allocate work buffers\n"); 1148 goto buffers_out; 1149 } 1150 1151 error = set_init_ctx(); 1152 if (error) { 1153 AA_ERROR("Failed to set context on init task\n"); 1154 aa_free_root_ns(); 1155 goto buffers_out; 1156 } 1157 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1158 "apparmor"); 1159 1160 /* Report that AppArmor successfully initialized */ 1161 apparmor_initialized = 1; 1162 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1163 aa_info_message("AppArmor initialized: complain mode enabled"); 1164 else if (aa_g_profile_mode == APPARMOR_KILL) 1165 aa_info_message("AppArmor initialized: kill mode enabled"); 1166 else 1167 aa_info_message("AppArmor initialized"); 1168 1169 return error; 1170 1171 buffers_out: 1172 destroy_buffers(); 1173 1174 alloc_out: 1175 aa_destroy_aafs(); 1176 aa_teardown_dfa_engine(); 1177 1178 apparmor_enabled = false; 1179 return error; 1180 } 1181 1182 security_initcall(apparmor_init); 1183