1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/net.h" 37 #include "include/path.h" 38 #include "include/label.h" 39 #include "include/policy.h" 40 #include "include/policy_ns.h" 41 #include "include/procattr.h" 42 #include "include/mount.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 48 49 50 /* 51 * LSM hook functions 52 */ 53 54 /* 55 * free the associated aa_task_ctx and put its labels 56 */ 57 static void apparmor_cred_free(struct cred *cred) 58 { 59 aa_free_task_context(cred_ctx(cred)); 60 cred_ctx(cred) = NULL; 61 } 62 63 /* 64 * allocate the apparmor part of blank credentials 65 */ 66 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 67 { 68 /* freed by apparmor_cred_free */ 69 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 70 71 if (!ctx) 72 return -ENOMEM; 73 74 cred_ctx(cred) = ctx; 75 return 0; 76 } 77 78 /* 79 * prepare new aa_task_ctx for modification by prepare_cred block 80 */ 81 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 82 gfp_t gfp) 83 { 84 /* freed by apparmor_cred_free */ 85 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 86 87 if (!ctx) 88 return -ENOMEM; 89 90 aa_dup_task_context(ctx, cred_ctx(old)); 91 cred_ctx(new) = ctx; 92 return 0; 93 } 94 95 /* 96 * transfer the apparmor data to a blank set of creds 97 */ 98 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 99 { 100 const struct aa_task_ctx *old_ctx = cred_ctx(old); 101 struct aa_task_ctx *new_ctx = cred_ctx(new); 102 103 aa_dup_task_context(new_ctx, old_ctx); 104 } 105 106 static int apparmor_ptrace_access_check(struct task_struct *child, 107 unsigned int mode) 108 { 109 struct aa_label *tracer, *tracee; 110 int error; 111 112 tracer = begin_current_label_crit_section(); 113 tracee = aa_get_task_label(child); 114 error = aa_may_ptrace(tracer, tracee, 115 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 116 aa_put_label(tracee); 117 end_current_label_crit_section(tracer); 118 119 return error; 120 } 121 122 static int apparmor_ptrace_traceme(struct task_struct *parent) 123 { 124 struct aa_label *tracer, *tracee; 125 int error; 126 127 tracee = begin_current_label_crit_section(); 128 tracer = aa_get_task_label(parent); 129 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 130 aa_put_label(tracer); 131 end_current_label_crit_section(tracee); 132 133 return error; 134 } 135 136 /* Derived from security/commoncap.c:cap_capget */ 137 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 138 kernel_cap_t *inheritable, kernel_cap_t *permitted) 139 { 140 struct aa_label *label; 141 const struct cred *cred; 142 143 rcu_read_lock(); 144 cred = __task_cred(target); 145 label = aa_get_newest_cred_label(cred); 146 147 /* 148 * cap_capget is stacked ahead of this and will 149 * initialize effective and permitted. 150 */ 151 if (!unconfined(label)) { 152 struct aa_profile *profile; 153 struct label_it i; 154 155 label_for_each_confined(i, label, profile) { 156 if (COMPLAIN_MODE(profile)) 157 continue; 158 *effective = cap_intersect(*effective, 159 profile->caps.allow); 160 *permitted = cap_intersect(*permitted, 161 profile->caps.allow); 162 } 163 } 164 rcu_read_unlock(); 165 aa_put_label(label); 166 167 return 0; 168 } 169 170 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 171 int cap, int audit) 172 { 173 struct aa_label *label; 174 int error = 0; 175 176 label = aa_get_newest_cred_label(cred); 177 if (!unconfined(label)) 178 error = aa_capable(label, cap, audit); 179 aa_put_label(label); 180 181 return error; 182 } 183 184 /** 185 * common_perm - basic common permission check wrapper fn for paths 186 * @op: operation being checked 187 * @path: path to check permission of (NOT NULL) 188 * @mask: requested permissions mask 189 * @cond: conditional info for the permission request (NOT NULL) 190 * 191 * Returns: %0 else error code if error or permission denied 192 */ 193 static int common_perm(const char *op, const struct path *path, u32 mask, 194 struct path_cond *cond) 195 { 196 struct aa_label *label; 197 int error = 0; 198 199 label = __begin_current_label_crit_section(); 200 if (!unconfined(label)) 201 error = aa_path_perm(op, label, path, 0, mask, cond); 202 __end_current_label_crit_section(label); 203 204 return error; 205 } 206 207 /** 208 * common_perm_cond - common permission wrapper around inode cond 209 * @op: operation being checked 210 * @path: location to check (NOT NULL) 211 * @mask: requested permissions mask 212 * 213 * Returns: %0 else error code if error or permission denied 214 */ 215 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 216 { 217 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 218 d_backing_inode(path->dentry)->i_mode 219 }; 220 221 if (!path_mediated_fs(path->dentry)) 222 return 0; 223 224 return common_perm(op, path, mask, &cond); 225 } 226 227 /** 228 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 229 * @op: operation being checked 230 * @dir: directory of the dentry (NOT NULL) 231 * @dentry: dentry to check (NOT NULL) 232 * @mask: requested permissions mask 233 * @cond: conditional info for the permission request (NOT NULL) 234 * 235 * Returns: %0 else error code if error or permission denied 236 */ 237 static int common_perm_dir_dentry(const char *op, const struct path *dir, 238 struct dentry *dentry, u32 mask, 239 struct path_cond *cond) 240 { 241 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 242 243 return common_perm(op, &path, mask, cond); 244 } 245 246 /** 247 * common_perm_rm - common permission wrapper for operations doing rm 248 * @op: operation being checked 249 * @dir: directory that the dentry is in (NOT NULL) 250 * @dentry: dentry being rm'd (NOT NULL) 251 * @mask: requested permission mask 252 * 253 * Returns: %0 else error code if error or permission denied 254 */ 255 static int common_perm_rm(const char *op, const struct path *dir, 256 struct dentry *dentry, u32 mask) 257 { 258 struct inode *inode = d_backing_inode(dentry); 259 struct path_cond cond = { }; 260 261 if (!inode || !path_mediated_fs(dentry)) 262 return 0; 263 264 cond.uid = inode->i_uid; 265 cond.mode = inode->i_mode; 266 267 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 268 } 269 270 /** 271 * common_perm_create - common permission wrapper for operations doing create 272 * @op: operation being checked 273 * @dir: directory that dentry will be created in (NOT NULL) 274 * @dentry: dentry to create (NOT NULL) 275 * @mask: request permission mask 276 * @mode: created file mode 277 * 278 * Returns: %0 else error code if error or permission denied 279 */ 280 static int common_perm_create(const char *op, const struct path *dir, 281 struct dentry *dentry, u32 mask, umode_t mode) 282 { 283 struct path_cond cond = { current_fsuid(), mode }; 284 285 if (!path_mediated_fs(dir->dentry)) 286 return 0; 287 288 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 289 } 290 291 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 292 { 293 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 294 } 295 296 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 297 umode_t mode) 298 { 299 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 300 S_IFDIR); 301 } 302 303 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 304 { 305 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 306 } 307 308 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 309 umode_t mode, unsigned int dev) 310 { 311 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 312 } 313 314 static int apparmor_path_truncate(const struct path *path) 315 { 316 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 317 } 318 319 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 320 const char *old_name) 321 { 322 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 323 S_IFLNK); 324 } 325 326 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 327 struct dentry *new_dentry) 328 { 329 struct aa_label *label; 330 int error = 0; 331 332 if (!path_mediated_fs(old_dentry)) 333 return 0; 334 335 label = begin_current_label_crit_section(); 336 if (!unconfined(label)) 337 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 338 end_current_label_crit_section(label); 339 340 return error; 341 } 342 343 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 344 const struct path *new_dir, struct dentry *new_dentry) 345 { 346 struct aa_label *label; 347 int error = 0; 348 349 if (!path_mediated_fs(old_dentry)) 350 return 0; 351 352 label = begin_current_label_crit_section(); 353 if (!unconfined(label)) { 354 struct path old_path = { .mnt = old_dir->mnt, 355 .dentry = old_dentry }; 356 struct path new_path = { .mnt = new_dir->mnt, 357 .dentry = new_dentry }; 358 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 359 d_backing_inode(old_dentry)->i_mode 360 }; 361 362 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 363 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 364 AA_MAY_SETATTR | AA_MAY_DELETE, 365 &cond); 366 if (!error) 367 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 368 0, MAY_WRITE | AA_MAY_SETATTR | 369 AA_MAY_CREATE, &cond); 370 371 } 372 end_current_label_crit_section(label); 373 374 return error; 375 } 376 377 static int apparmor_path_chmod(const struct path *path, umode_t mode) 378 { 379 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 380 } 381 382 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 383 { 384 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 385 } 386 387 static int apparmor_inode_getattr(const struct path *path) 388 { 389 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 390 } 391 392 static int apparmor_file_open(struct file *file, const struct cred *cred) 393 { 394 struct aa_file_ctx *fctx = file_ctx(file); 395 struct aa_label *label; 396 int error = 0; 397 398 if (!path_mediated_fs(file->f_path.dentry)) 399 return 0; 400 401 /* If in exec, permission is handled by bprm hooks. 402 * Cache permissions granted by the previous exec check, with 403 * implicit read and executable mmap which are required to 404 * actually execute the image. 405 */ 406 if (current->in_execve) { 407 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 408 return 0; 409 } 410 411 label = aa_get_newest_cred_label(cred); 412 if (!unconfined(label)) { 413 struct inode *inode = file_inode(file); 414 struct path_cond cond = { inode->i_uid, inode->i_mode }; 415 416 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 417 aa_map_file_to_perms(file), &cond); 418 /* todo cache full allowed permissions set and state */ 419 fctx->allow = aa_map_file_to_perms(file); 420 } 421 aa_put_label(label); 422 423 return error; 424 } 425 426 static int apparmor_file_alloc_security(struct file *file) 427 { 428 int error = 0; 429 430 /* freed by apparmor_file_free_security */ 431 struct aa_label *label = begin_current_label_crit_section(); 432 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 433 if (!file_ctx(file)) 434 error = -ENOMEM; 435 end_current_label_crit_section(label); 436 437 return error; 438 } 439 440 static void apparmor_file_free_security(struct file *file) 441 { 442 aa_free_file_ctx(file_ctx(file)); 443 } 444 445 static int common_file_perm(const char *op, struct file *file, u32 mask) 446 { 447 struct aa_label *label; 448 int error = 0; 449 450 /* don't reaudit files closed during inheritance */ 451 if (file->f_path.dentry == aa_null.dentry) 452 return -EACCES; 453 454 label = __begin_current_label_crit_section(); 455 error = aa_file_perm(op, label, file, mask); 456 __end_current_label_crit_section(label); 457 458 return error; 459 } 460 461 static int apparmor_file_receive(struct file *file) 462 { 463 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 464 } 465 466 static int apparmor_file_permission(struct file *file, int mask) 467 { 468 return common_file_perm(OP_FPERM, file, mask); 469 } 470 471 static int apparmor_file_lock(struct file *file, unsigned int cmd) 472 { 473 u32 mask = AA_MAY_LOCK; 474 475 if (cmd == F_WRLCK) 476 mask |= MAY_WRITE; 477 478 return common_file_perm(OP_FLOCK, file, mask); 479 } 480 481 static int common_mmap(const char *op, struct file *file, unsigned long prot, 482 unsigned long flags) 483 { 484 int mask = 0; 485 486 if (!file || !file_ctx(file)) 487 return 0; 488 489 if (prot & PROT_READ) 490 mask |= MAY_READ; 491 /* 492 * Private mappings don't require write perms since they don't 493 * write back to the files 494 */ 495 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 496 mask |= MAY_WRITE; 497 if (prot & PROT_EXEC) 498 mask |= AA_EXEC_MMAP; 499 500 return common_file_perm(op, file, mask); 501 } 502 503 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 504 unsigned long prot, unsigned long flags) 505 { 506 return common_mmap(OP_FMMAP, file, prot, flags); 507 } 508 509 static int apparmor_file_mprotect(struct vm_area_struct *vma, 510 unsigned long reqprot, unsigned long prot) 511 { 512 return common_mmap(OP_FMPROT, vma->vm_file, prot, 513 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 514 } 515 516 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 517 const char *type, unsigned long flags, void *data) 518 { 519 struct aa_label *label; 520 int error = 0; 521 522 /* Discard magic */ 523 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 524 flags &= ~MS_MGC_MSK; 525 526 flags &= ~AA_MS_IGNORE_MASK; 527 528 label = __begin_current_label_crit_section(); 529 if (!unconfined(label)) { 530 if (flags & MS_REMOUNT) 531 error = aa_remount(label, path, flags, data); 532 else if (flags & MS_BIND) 533 error = aa_bind_mount(label, path, dev_name, flags); 534 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 535 MS_UNBINDABLE)) 536 error = aa_mount_change_type(label, path, flags); 537 else if (flags & MS_MOVE) 538 error = aa_move_mount(label, path, dev_name); 539 else 540 error = aa_new_mount(label, dev_name, path, type, 541 flags, data); 542 } 543 __end_current_label_crit_section(label); 544 545 return error; 546 } 547 548 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 549 { 550 struct aa_label *label; 551 int error = 0; 552 553 label = __begin_current_label_crit_section(); 554 if (!unconfined(label)) 555 error = aa_umount(label, mnt, flags); 556 __end_current_label_crit_section(label); 557 558 return error; 559 } 560 561 static int apparmor_sb_pivotroot(const struct path *old_path, 562 const struct path *new_path) 563 { 564 struct aa_label *label; 565 int error = 0; 566 567 label = aa_get_current_label(); 568 if (!unconfined(label)) 569 error = aa_pivotroot(label, old_path, new_path); 570 aa_put_label(label); 571 572 return error; 573 } 574 575 static int apparmor_getprocattr(struct task_struct *task, char *name, 576 char **value) 577 { 578 int error = -ENOENT; 579 /* released below */ 580 const struct cred *cred = get_task_cred(task); 581 struct aa_task_ctx *ctx = cred_ctx(cred); 582 struct aa_label *label = NULL; 583 584 if (strcmp(name, "current") == 0) 585 label = aa_get_newest_label(ctx->label); 586 else if (strcmp(name, "prev") == 0 && ctx->previous) 587 label = aa_get_newest_label(ctx->previous); 588 else if (strcmp(name, "exec") == 0 && ctx->onexec) 589 label = aa_get_newest_label(ctx->onexec); 590 else 591 error = -EINVAL; 592 593 if (label) 594 error = aa_getprocattr(label, value); 595 596 aa_put_label(label); 597 put_cred(cred); 598 599 return error; 600 } 601 602 static int apparmor_setprocattr(const char *name, void *value, 603 size_t size) 604 { 605 char *command, *largs = NULL, *args = value; 606 size_t arg_size; 607 int error; 608 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 609 610 if (size == 0) 611 return -EINVAL; 612 613 /* AppArmor requires that the buffer must be null terminated atm */ 614 if (args[size - 1] != '\0') { 615 /* null terminate */ 616 largs = args = kmalloc(size + 1, GFP_KERNEL); 617 if (!args) 618 return -ENOMEM; 619 memcpy(args, value, size); 620 args[size] = '\0'; 621 } 622 623 error = -EINVAL; 624 args = strim(args); 625 command = strsep(&args, " "); 626 if (!args) 627 goto out; 628 args = skip_spaces(args); 629 if (!*args) 630 goto out; 631 632 arg_size = size - (args - (largs ? largs : (char *) value)); 633 if (strcmp(name, "current") == 0) { 634 if (strcmp(command, "changehat") == 0) { 635 error = aa_setprocattr_changehat(args, arg_size, 636 AA_CHANGE_NOFLAGS); 637 } else if (strcmp(command, "permhat") == 0) { 638 error = aa_setprocattr_changehat(args, arg_size, 639 AA_CHANGE_TEST); 640 } else if (strcmp(command, "changeprofile") == 0) { 641 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 642 } else if (strcmp(command, "permprofile") == 0) { 643 error = aa_change_profile(args, AA_CHANGE_TEST); 644 } else if (strcmp(command, "stack") == 0) { 645 error = aa_change_profile(args, AA_CHANGE_STACK); 646 } else 647 goto fail; 648 } else if (strcmp(name, "exec") == 0) { 649 if (strcmp(command, "exec") == 0) 650 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 651 else if (strcmp(command, "stack") == 0) 652 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 653 AA_CHANGE_STACK)); 654 else 655 goto fail; 656 } else 657 /* only support the "current" and "exec" process attributes */ 658 goto fail; 659 660 if (!error) 661 error = size; 662 out: 663 kfree(largs); 664 return error; 665 666 fail: 667 aad(&sa)->label = begin_current_label_crit_section(); 668 aad(&sa)->info = name; 669 aad(&sa)->error = error = -EINVAL; 670 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 671 end_current_label_crit_section(aad(&sa)->label); 672 goto out; 673 } 674 675 /** 676 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 677 * @bprm: binprm for the exec (NOT NULL) 678 */ 679 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 680 { 681 struct aa_label *label = aa_current_raw_label(); 682 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 683 684 /* bail out if unconfined or not changing profile */ 685 if ((new_ctx->label->proxy == label->proxy) || 686 (unconfined(new_ctx->label))) 687 return; 688 689 aa_inherit_files(bprm->cred, current->files); 690 691 current->pdeath_signal = 0; 692 693 /* reset soft limits and set hard limits for the new label */ 694 __aa_transition_rlimits(label, new_ctx->label); 695 } 696 697 /** 698 * apparmor_bprm_committed_cred - do cleanup after new creds committed 699 * @bprm: binprm for the exec (NOT NULL) 700 */ 701 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 702 { 703 /* TODO: cleanup signals - ipc mediation */ 704 return; 705 } 706 707 static int apparmor_task_setrlimit(struct task_struct *task, 708 unsigned int resource, struct rlimit *new_rlim) 709 { 710 struct aa_label *label = __begin_current_label_crit_section(); 711 int error = 0; 712 713 if (!unconfined(label)) 714 error = aa_task_setrlimit(label, task, resource, new_rlim); 715 __end_current_label_crit_section(label); 716 717 return error; 718 } 719 720 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 721 int sig, u32 secid) 722 { 723 struct aa_label *cl, *tl; 724 int error; 725 726 if (secid) 727 /* TODO: after secid to label mapping is done. 728 * Dealing with USB IO specific behavior 729 */ 730 return 0; 731 cl = __begin_current_label_crit_section(); 732 tl = aa_get_task_label(target); 733 error = aa_may_signal(cl, tl, sig); 734 aa_put_label(tl); 735 __end_current_label_crit_section(cl); 736 737 return error; 738 } 739 740 /** 741 * apparmor_sk_alloc_security - allocate and attach the sk_security field 742 */ 743 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 744 { 745 struct aa_sk_ctx *ctx; 746 747 ctx = kzalloc(sizeof(*ctx), flags); 748 if (!ctx) 749 return -ENOMEM; 750 751 SK_CTX(sk) = ctx; 752 753 return 0; 754 } 755 756 /** 757 * apparmor_sk_free_security - free the sk_security field 758 */ 759 static void apparmor_sk_free_security(struct sock *sk) 760 { 761 struct aa_sk_ctx *ctx = SK_CTX(sk); 762 763 SK_CTX(sk) = NULL; 764 aa_put_label(ctx->label); 765 aa_put_label(ctx->peer); 766 path_put(&ctx->path); 767 kfree(ctx); 768 } 769 770 /** 771 * apparmor_clone_security - clone the sk_security field 772 */ 773 static void apparmor_sk_clone_security(const struct sock *sk, 774 struct sock *newsk) 775 { 776 struct aa_sk_ctx *ctx = SK_CTX(sk); 777 struct aa_sk_ctx *new = SK_CTX(newsk); 778 779 new->label = aa_get_label(ctx->label); 780 new->peer = aa_get_label(ctx->peer); 781 new->path = ctx->path; 782 path_get(&new->path); 783 } 784 785 static int aa_sock_create_perm(struct aa_label *label, int family, int type, 786 int protocol) 787 { 788 AA_BUG(!label); 789 AA_BUG(in_interrupt()); 790 791 return aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family, type, 792 protocol); 793 } 794 795 796 /** 797 * apparmor_socket_create - check perms before creating a new socket 798 */ 799 static int apparmor_socket_create(int family, int type, int protocol, int kern) 800 { 801 struct aa_label *label; 802 int error = 0; 803 804 label = begin_current_label_crit_section(); 805 if (!(kern || unconfined(label))) 806 error = aa_sock_create_perm(label, family, type, protocol); 807 end_current_label_crit_section(label); 808 809 return error; 810 } 811 812 /** 813 * apparmor_socket_post_create - setup the per-socket security struct 814 * 815 * Note: 816 * - kernel sockets currently labeled unconfined but we may want to 817 * move to a special kernel label 818 * - socket may not have sk here if created with sock_create_lite or 819 * sock_alloc. These should be accept cases which will be handled in 820 * sock_graft. 821 */ 822 static int apparmor_socket_post_create(struct socket *sock, int family, 823 int type, int protocol, int kern) 824 { 825 struct aa_label *label; 826 827 if (kern) { 828 struct aa_ns *ns = aa_get_current_ns(); 829 830 label = aa_get_label(ns_unconfined(ns)); 831 aa_put_ns(ns); 832 } else 833 label = aa_get_current_label(); 834 835 if (sock->sk) { 836 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 837 838 aa_put_label(ctx->label); 839 ctx->label = aa_get_label(label); 840 } 841 aa_put_label(label); 842 843 return 0; 844 } 845 846 /** 847 * apparmor_socket_bind - check perms before bind addr to socket 848 */ 849 static int apparmor_socket_bind(struct socket *sock, 850 struct sockaddr *address, int addrlen) 851 { 852 AA_BUG(!sock); 853 AA_BUG(!sock->sk); 854 AA_BUG(!address); 855 AA_BUG(in_interrupt()); 856 857 return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk); 858 } 859 860 /** 861 * apparmor_socket_connect - check perms before connecting @sock to @address 862 */ 863 static int apparmor_socket_connect(struct socket *sock, 864 struct sockaddr *address, int addrlen) 865 { 866 AA_BUG(!sock); 867 AA_BUG(!sock->sk); 868 AA_BUG(!address); 869 AA_BUG(in_interrupt()); 870 871 return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk); 872 } 873 874 /** 875 * apparmor_socket_list - check perms before allowing listen 876 */ 877 static int apparmor_socket_listen(struct socket *sock, int backlog) 878 { 879 AA_BUG(!sock); 880 AA_BUG(!sock->sk); 881 AA_BUG(in_interrupt()); 882 883 return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk); 884 } 885 886 /** 887 * apparmor_socket_accept - check perms before accepting a new connection. 888 * 889 * Note: while @newsock is created and has some information, the accept 890 * has not been done. 891 */ 892 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 893 { 894 AA_BUG(!sock); 895 AA_BUG(!sock->sk); 896 AA_BUG(!newsock); 897 AA_BUG(in_interrupt()); 898 899 return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk); 900 } 901 902 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 903 struct msghdr *msg, int size) 904 { 905 AA_BUG(!sock); 906 AA_BUG(!sock->sk); 907 AA_BUG(!msg); 908 AA_BUG(in_interrupt()); 909 910 return aa_sk_perm(op, request, sock->sk); 911 } 912 913 /** 914 * apparmor_socket_sendmsg - check perms before sending msg to another socket 915 */ 916 static int apparmor_socket_sendmsg(struct socket *sock, 917 struct msghdr *msg, int size) 918 { 919 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 920 } 921 922 /** 923 * apparmor_socket_recvmsg - check perms before receiving a message 924 */ 925 static int apparmor_socket_recvmsg(struct socket *sock, 926 struct msghdr *msg, int size, int flags) 927 { 928 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 929 } 930 931 /* revaliation, get/set attr, shutdown */ 932 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 933 { 934 AA_BUG(!sock); 935 AA_BUG(!sock->sk); 936 AA_BUG(in_interrupt()); 937 938 return aa_sk_perm(op, request, sock->sk); 939 } 940 941 /** 942 * apparmor_socket_getsockname - check perms before getting the local address 943 */ 944 static int apparmor_socket_getsockname(struct socket *sock) 945 { 946 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 947 } 948 949 /** 950 * apparmor_socket_getpeername - check perms before getting remote address 951 */ 952 static int apparmor_socket_getpeername(struct socket *sock) 953 { 954 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 955 } 956 957 /* revaliation, get/set attr, opt */ 958 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 959 int level, int optname) 960 { 961 AA_BUG(!sock); 962 AA_BUG(!sock->sk); 963 AA_BUG(in_interrupt()); 964 965 return aa_sk_perm(op, request, sock->sk); 966 } 967 968 /** 969 * apparmor_getsockopt - check perms before getting socket options 970 */ 971 static int apparmor_socket_getsockopt(struct socket *sock, int level, 972 int optname) 973 { 974 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 975 level, optname); 976 } 977 978 /** 979 * apparmor_setsockopt - check perms before setting socket options 980 */ 981 static int apparmor_socket_setsockopt(struct socket *sock, int level, 982 int optname) 983 { 984 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 985 level, optname); 986 } 987 988 /** 989 * apparmor_socket_shutdown - check perms before shutting down @sock conn 990 */ 991 static int apparmor_socket_shutdown(struct socket *sock, int how) 992 { 993 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 994 } 995 996 /** 997 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 998 * 999 * Note: can not sleep may be called with locks held 1000 * 1001 * dont want protocol specific in __skb_recv_datagram() 1002 * to deny an incoming connection socket_sock_rcv_skb() 1003 */ 1004 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1005 { 1006 return 0; 1007 } 1008 1009 1010 static struct aa_label *sk_peer_label(struct sock *sk) 1011 { 1012 struct aa_sk_ctx *ctx = SK_CTX(sk); 1013 1014 if (ctx->peer) 1015 return ctx->peer; 1016 1017 return ERR_PTR(-ENOPROTOOPT); 1018 } 1019 1020 /** 1021 * apparmor_socket_getpeersec_stream - get security context of peer 1022 * 1023 * Note: for tcp only valid if using ipsec or cipso on lan 1024 */ 1025 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1026 char __user *optval, 1027 int __user *optlen, 1028 unsigned int len) 1029 { 1030 char *name; 1031 int slen, error = 0; 1032 struct aa_label *label; 1033 struct aa_label *peer; 1034 1035 label = begin_current_label_crit_section(); 1036 peer = sk_peer_label(sock->sk); 1037 if (IS_ERR(peer)) { 1038 error = PTR_ERR(peer); 1039 goto done; 1040 } 1041 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1042 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1043 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1044 /* don't include terminating \0 in slen, it breaks some apps */ 1045 if (slen < 0) { 1046 error = -ENOMEM; 1047 } else { 1048 if (slen > len) { 1049 error = -ERANGE; 1050 } else if (copy_to_user(optval, name, slen)) { 1051 error = -EFAULT; 1052 goto out; 1053 } 1054 if (put_user(slen, optlen)) 1055 error = -EFAULT; 1056 out: 1057 kfree(name); 1058 1059 } 1060 1061 done: 1062 end_current_label_crit_section(label); 1063 1064 return error; 1065 } 1066 1067 /** 1068 * apparmor_socket_getpeersec_dgram - get security label of packet 1069 * @sock: the peer socket 1070 * @skb: packet data 1071 * @secid: pointer to where to put the secid of the packet 1072 * 1073 * Sets the netlabel socket state on sk from parent 1074 */ 1075 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1076 struct sk_buff *skb, u32 *secid) 1077 1078 { 1079 /* TODO: requires secid support */ 1080 return -ENOPROTOOPT; 1081 } 1082 1083 /** 1084 * apparmor_sock_graft - Initialize newly created socket 1085 * @sk: child sock 1086 * @parent: parent socket 1087 * 1088 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1089 * just set sk security information off of current creating process label 1090 * Labeling of sk for accept case - probably should be sock based 1091 * instead of task, because of the case where an implicitly labeled 1092 * socket is shared by different tasks. 1093 */ 1094 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1095 { 1096 struct aa_sk_ctx *ctx = SK_CTX(sk); 1097 1098 if (!ctx->label) 1099 ctx->label = aa_get_current_label(); 1100 } 1101 1102 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1103 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1104 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1105 LSM_HOOK_INIT(capget, apparmor_capget), 1106 LSM_HOOK_INIT(capable, apparmor_capable), 1107 1108 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1109 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1110 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1111 1112 LSM_HOOK_INIT(path_link, apparmor_path_link), 1113 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1114 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1115 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1116 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1117 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1118 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1119 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1120 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1121 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1122 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1123 1124 LSM_HOOK_INIT(file_open, apparmor_file_open), 1125 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1126 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1127 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1128 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1129 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1130 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1131 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1132 1133 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1134 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1135 1136 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1137 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1138 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1139 1140 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1141 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1142 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1143 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1144 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1145 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1146 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1147 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1148 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1149 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1150 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1151 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1152 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1153 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1154 LSM_HOOK_INIT(socket_getpeersec_stream, 1155 apparmor_socket_getpeersec_stream), 1156 LSM_HOOK_INIT(socket_getpeersec_dgram, 1157 apparmor_socket_getpeersec_dgram), 1158 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1159 1160 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1161 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1162 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1163 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1164 1165 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 1166 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1167 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1168 1169 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1170 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1171 }; 1172 1173 /* 1174 * AppArmor sysfs module parameters 1175 */ 1176 1177 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1178 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1179 #define param_check_aabool param_check_bool 1180 static const struct kernel_param_ops param_ops_aabool = { 1181 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1182 .set = param_set_aabool, 1183 .get = param_get_aabool 1184 }; 1185 1186 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1187 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1188 #define param_check_aauint param_check_uint 1189 static const struct kernel_param_ops param_ops_aauint = { 1190 .set = param_set_aauint, 1191 .get = param_get_aauint 1192 }; 1193 1194 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1195 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1196 #define param_check_aalockpolicy param_check_bool 1197 static const struct kernel_param_ops param_ops_aalockpolicy = { 1198 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1199 .set = param_set_aalockpolicy, 1200 .get = param_get_aalockpolicy 1201 }; 1202 1203 static int param_set_audit(const char *val, struct kernel_param *kp); 1204 static int param_get_audit(char *buffer, struct kernel_param *kp); 1205 1206 static int param_set_mode(const char *val, struct kernel_param *kp); 1207 static int param_get_mode(char *buffer, struct kernel_param *kp); 1208 1209 /* Flag values, also controllable via /sys/module/apparmor/parameters 1210 * We define special types as we want to do additional mediation. 1211 */ 1212 1213 /* AppArmor global enforcement switch - complain, enforce, kill */ 1214 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1215 module_param_call(mode, param_set_mode, param_get_mode, 1216 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1217 1218 /* whether policy verification hashing is enabled */ 1219 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1220 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1221 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1222 #endif 1223 1224 /* Debug mode */ 1225 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1226 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1227 1228 /* Audit mode */ 1229 enum audit_mode aa_g_audit; 1230 module_param_call(audit, param_set_audit, param_get_audit, 1231 &aa_g_audit, S_IRUSR | S_IWUSR); 1232 1233 /* Determines if audit header is included in audited messages. This 1234 * provides more context if the audit daemon is not running 1235 */ 1236 bool aa_g_audit_header = 1; 1237 module_param_named(audit_header, aa_g_audit_header, aabool, 1238 S_IRUSR | S_IWUSR); 1239 1240 /* lock out loading/removal of policy 1241 * TODO: add in at boot loading of policy, which is the only way to 1242 * load policy, if lock_policy is set 1243 */ 1244 bool aa_g_lock_policy; 1245 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1246 S_IRUSR | S_IWUSR); 1247 1248 /* Syscall logging mode */ 1249 bool aa_g_logsyscall; 1250 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1251 1252 /* Maximum pathname length before accesses will start getting rejected */ 1253 unsigned int aa_g_path_max = 2 * PATH_MAX; 1254 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1255 1256 /* Determines how paranoid loading of policy is and how much verification 1257 * on the loaded policy is done. 1258 * DEPRECATED: read only as strict checking of load is always done now 1259 * that none root users (user namespaces) can load policy. 1260 */ 1261 bool aa_g_paranoid_load = 1; 1262 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1263 1264 /* Boot time disable flag */ 1265 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 1266 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 1267 1268 static int __init apparmor_enabled_setup(char *str) 1269 { 1270 unsigned long enabled; 1271 int error = kstrtoul(str, 0, &enabled); 1272 if (!error) 1273 apparmor_enabled = enabled ? 1 : 0; 1274 return 1; 1275 } 1276 1277 __setup("apparmor=", apparmor_enabled_setup); 1278 1279 /* set global flag turning off the ability to load policy */ 1280 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1281 { 1282 if (!apparmor_enabled) 1283 return -EINVAL; 1284 if (apparmor_initialized && !policy_admin_capable(NULL)) 1285 return -EPERM; 1286 return param_set_bool(val, kp); 1287 } 1288 1289 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1290 { 1291 if (!apparmor_enabled) 1292 return -EINVAL; 1293 if (apparmor_initialized && !policy_view_capable(NULL)) 1294 return -EPERM; 1295 return param_get_bool(buffer, kp); 1296 } 1297 1298 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1299 { 1300 if (!apparmor_enabled) 1301 return -EINVAL; 1302 if (apparmor_initialized && !policy_admin_capable(NULL)) 1303 return -EPERM; 1304 return param_set_bool(val, kp); 1305 } 1306 1307 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1308 { 1309 if (!apparmor_enabled) 1310 return -EINVAL; 1311 if (apparmor_initialized && !policy_view_capable(NULL)) 1312 return -EPERM; 1313 return param_get_bool(buffer, kp); 1314 } 1315 1316 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1317 { 1318 int error; 1319 1320 if (!apparmor_enabled) 1321 return -EINVAL; 1322 /* file is ro but enforce 2nd line check */ 1323 if (apparmor_initialized) 1324 return -EPERM; 1325 1326 error = param_set_uint(val, kp); 1327 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1328 1329 return error; 1330 } 1331 1332 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1333 { 1334 if (!apparmor_enabled) 1335 return -EINVAL; 1336 if (apparmor_initialized && !policy_view_capable(NULL)) 1337 return -EPERM; 1338 return param_get_uint(buffer, kp); 1339 } 1340 1341 static int param_get_audit(char *buffer, struct kernel_param *kp) 1342 { 1343 if (!apparmor_enabled) 1344 return -EINVAL; 1345 if (apparmor_initialized && !policy_view_capable(NULL)) 1346 return -EPERM; 1347 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1348 } 1349 1350 static int param_set_audit(const char *val, struct kernel_param *kp) 1351 { 1352 int i; 1353 1354 if (!apparmor_enabled) 1355 return -EINVAL; 1356 if (!val) 1357 return -EINVAL; 1358 if (apparmor_initialized && !policy_admin_capable(NULL)) 1359 return -EPERM; 1360 1361 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 1362 if (strcmp(val, audit_mode_names[i]) == 0) { 1363 aa_g_audit = i; 1364 return 0; 1365 } 1366 } 1367 1368 return -EINVAL; 1369 } 1370 1371 static int param_get_mode(char *buffer, struct kernel_param *kp) 1372 { 1373 if (!apparmor_enabled) 1374 return -EINVAL; 1375 if (apparmor_initialized && !policy_view_capable(NULL)) 1376 return -EPERM; 1377 1378 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1379 } 1380 1381 static int param_set_mode(const char *val, struct kernel_param *kp) 1382 { 1383 int i; 1384 1385 if (!apparmor_enabled) 1386 return -EINVAL; 1387 if (!val) 1388 return -EINVAL; 1389 if (apparmor_initialized && !policy_admin_capable(NULL)) 1390 return -EPERM; 1391 1392 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 1393 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 1394 aa_g_profile_mode = i; 1395 return 0; 1396 } 1397 } 1398 1399 return -EINVAL; 1400 } 1401 1402 /* 1403 * AppArmor init functions 1404 */ 1405 1406 /** 1407 * set_init_ctx - set a task context and profile on the first task. 1408 * 1409 * TODO: allow setting an alternate profile than unconfined 1410 */ 1411 static int __init set_init_ctx(void) 1412 { 1413 struct cred *cred = (struct cred *)current->real_cred; 1414 struct aa_task_ctx *ctx; 1415 1416 ctx = aa_alloc_task_context(GFP_KERNEL); 1417 if (!ctx) 1418 return -ENOMEM; 1419 1420 ctx->label = aa_get_label(ns_unconfined(root_ns)); 1421 cred_ctx(cred) = ctx; 1422 1423 return 0; 1424 } 1425 1426 static void destroy_buffers(void) 1427 { 1428 u32 i, j; 1429 1430 for_each_possible_cpu(i) { 1431 for_each_cpu_buffer(j) { 1432 kfree(per_cpu(aa_buffers, i).buf[j]); 1433 per_cpu(aa_buffers, i).buf[j] = NULL; 1434 } 1435 } 1436 } 1437 1438 static int __init alloc_buffers(void) 1439 { 1440 u32 i, j; 1441 1442 for_each_possible_cpu(i) { 1443 for_each_cpu_buffer(j) { 1444 char *buffer; 1445 1446 if (cpu_to_node(i) > num_online_nodes()) 1447 /* fallback to kmalloc for offline nodes */ 1448 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1449 else 1450 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1451 cpu_to_node(i)); 1452 if (!buffer) { 1453 destroy_buffers(); 1454 return -ENOMEM; 1455 } 1456 per_cpu(aa_buffers, i).buf[j] = buffer; 1457 } 1458 } 1459 1460 return 0; 1461 } 1462 1463 #ifdef CONFIG_SYSCTL 1464 static int apparmor_dointvec(struct ctl_table *table, int write, 1465 void __user *buffer, size_t *lenp, loff_t *ppos) 1466 { 1467 if (!policy_admin_capable(NULL)) 1468 return -EPERM; 1469 if (!apparmor_enabled) 1470 return -EINVAL; 1471 1472 return proc_dointvec(table, write, buffer, lenp, ppos); 1473 } 1474 1475 static struct ctl_path apparmor_sysctl_path[] = { 1476 { .procname = "kernel", }, 1477 { } 1478 }; 1479 1480 static struct ctl_table apparmor_sysctl_table[] = { 1481 { 1482 .procname = "unprivileged_userns_apparmor_policy", 1483 .data = &unprivileged_userns_apparmor_policy, 1484 .maxlen = sizeof(int), 1485 .mode = 0600, 1486 .proc_handler = apparmor_dointvec, 1487 }, 1488 { } 1489 }; 1490 1491 static int __init apparmor_init_sysctl(void) 1492 { 1493 return register_sysctl_paths(apparmor_sysctl_path, 1494 apparmor_sysctl_table) ? 0 : -ENOMEM; 1495 } 1496 #else 1497 static inline int apparmor_init_sysctl(void) 1498 { 1499 return 0; 1500 } 1501 #endif /* CONFIG_SYSCTL */ 1502 1503 static int __init apparmor_init(void) 1504 { 1505 int error; 1506 1507 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1508 aa_info_message("AppArmor disabled by boot time parameter"); 1509 apparmor_enabled = 0; 1510 return 0; 1511 } 1512 1513 error = aa_setup_dfa_engine(); 1514 if (error) { 1515 AA_ERROR("Unable to setup dfa engine\n"); 1516 goto alloc_out; 1517 } 1518 1519 error = aa_alloc_root_ns(); 1520 if (error) { 1521 AA_ERROR("Unable to allocate default profile namespace\n"); 1522 goto alloc_out; 1523 } 1524 1525 error = apparmor_init_sysctl(); 1526 if (error) { 1527 AA_ERROR("Unable to register sysctls\n"); 1528 goto alloc_out; 1529 1530 } 1531 1532 error = alloc_buffers(); 1533 if (error) { 1534 AA_ERROR("Unable to allocate work buffers\n"); 1535 goto buffers_out; 1536 } 1537 1538 error = set_init_ctx(); 1539 if (error) { 1540 AA_ERROR("Failed to set context on init task\n"); 1541 aa_free_root_ns(); 1542 goto buffers_out; 1543 } 1544 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1545 "apparmor"); 1546 1547 /* Report that AppArmor successfully initialized */ 1548 apparmor_initialized = 1; 1549 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1550 aa_info_message("AppArmor initialized: complain mode enabled"); 1551 else if (aa_g_profile_mode == APPARMOR_KILL) 1552 aa_info_message("AppArmor initialized: kill mode enabled"); 1553 else 1554 aa_info_message("AppArmor initialized"); 1555 1556 return error; 1557 1558 buffers_out: 1559 destroy_buffers(); 1560 1561 alloc_out: 1562 aa_destroy_aafs(); 1563 aa_teardown_dfa_engine(); 1564 1565 apparmor_enabled = 0; 1566 return error; 1567 } 1568 1569 security_initcall(apparmor_init); 1570