1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 42 /* Flag indicating whether initialization completed */ 43 int apparmor_initialized; 44 45 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 46 47 48 /* 49 * LSM hook functions 50 */ 51 52 /* 53 * free the associated aa_task_ctx and put its labels 54 */ 55 static void apparmor_cred_free(struct cred *cred) 56 { 57 aa_free_task_context(cred_ctx(cred)); 58 cred_ctx(cred) = NULL; 59 } 60 61 /* 62 * allocate the apparmor part of blank credentials 63 */ 64 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 65 { 66 /* freed by apparmor_cred_free */ 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 68 69 if (!ctx) 70 return -ENOMEM; 71 72 cred_ctx(cred) = ctx; 73 return 0; 74 } 75 76 /* 77 * prepare new aa_task_ctx for modification by prepare_cred block 78 */ 79 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 80 gfp_t gfp) 81 { 82 /* freed by apparmor_cred_free */ 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 84 85 if (!ctx) 86 return -ENOMEM; 87 88 aa_dup_task_context(ctx, cred_ctx(old)); 89 cred_ctx(new) = ctx; 90 return 0; 91 } 92 93 /* 94 * transfer the apparmor data to a blank set of creds 95 */ 96 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 97 { 98 const struct aa_task_ctx *old_ctx = cred_ctx(old); 99 struct aa_task_ctx *new_ctx = cred_ctx(new); 100 101 aa_dup_task_context(new_ctx, old_ctx); 102 } 103 104 static int apparmor_ptrace_access_check(struct task_struct *child, 105 unsigned int mode) 106 { 107 struct aa_label *tracer, *tracee; 108 int error; 109 110 tracer = begin_current_label_crit_section(); 111 tracee = aa_get_task_label(child); 112 error = aa_may_ptrace(tracer, tracee, 113 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 114 aa_put_label(tracee); 115 end_current_label_crit_section(tracer); 116 117 return error; 118 } 119 120 static int apparmor_ptrace_traceme(struct task_struct *parent) 121 { 122 struct aa_label *tracer, *tracee; 123 int error; 124 125 tracee = begin_current_label_crit_section(); 126 tracer = aa_get_task_label(parent); 127 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 128 aa_put_label(tracer); 129 end_current_label_crit_section(tracee); 130 131 return error; 132 } 133 134 /* Derived from security/commoncap.c:cap_capget */ 135 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 136 kernel_cap_t *inheritable, kernel_cap_t *permitted) 137 { 138 struct aa_label *label; 139 const struct cred *cred; 140 141 rcu_read_lock(); 142 cred = __task_cred(target); 143 label = aa_get_newest_cred_label(cred); 144 145 /* 146 * cap_capget is stacked ahead of this and will 147 * initialize effective and permitted. 148 */ 149 if (!unconfined(label)) { 150 struct aa_profile *profile; 151 struct label_it i; 152 153 label_for_each_confined(i, label, profile) { 154 if (COMPLAIN_MODE(profile)) 155 continue; 156 *effective = cap_intersect(*effective, 157 profile->caps.allow); 158 *permitted = cap_intersect(*permitted, 159 profile->caps.allow); 160 } 161 } 162 rcu_read_unlock(); 163 aa_put_label(label); 164 165 return 0; 166 } 167 168 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 169 int cap, int audit) 170 { 171 struct aa_label *label; 172 int error = 0; 173 174 label = aa_get_newest_cred_label(cred); 175 if (!unconfined(label)) 176 error = aa_capable(label, cap, audit); 177 aa_put_label(label); 178 179 return error; 180 } 181 182 /** 183 * common_perm - basic common permission check wrapper fn for paths 184 * @op: operation being checked 185 * @path: path to check permission of (NOT NULL) 186 * @mask: requested permissions mask 187 * @cond: conditional info for the permission request (NOT NULL) 188 * 189 * Returns: %0 else error code if error or permission denied 190 */ 191 static int common_perm(const char *op, const struct path *path, u32 mask, 192 struct path_cond *cond) 193 { 194 struct aa_label *label; 195 int error = 0; 196 197 label = __begin_current_label_crit_section(); 198 if (!unconfined(label)) 199 error = aa_path_perm(op, label, path, 0, mask, cond); 200 __end_current_label_crit_section(label); 201 202 return error; 203 } 204 205 /** 206 * common_perm_cond - common permission wrapper around inode cond 207 * @op: operation being checked 208 * @path: location to check (NOT NULL) 209 * @mask: requested permissions mask 210 * 211 * Returns: %0 else error code if error or permission denied 212 */ 213 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 214 { 215 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 216 d_backing_inode(path->dentry)->i_mode 217 }; 218 219 if (!path_mediated_fs(path->dentry)) 220 return 0; 221 222 return common_perm(op, path, mask, &cond); 223 } 224 225 /** 226 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 227 * @op: operation being checked 228 * @dir: directory of the dentry (NOT NULL) 229 * @dentry: dentry to check (NOT NULL) 230 * @mask: requested permissions mask 231 * @cond: conditional info for the permission request (NOT NULL) 232 * 233 * Returns: %0 else error code if error or permission denied 234 */ 235 static int common_perm_dir_dentry(const char *op, const struct path *dir, 236 struct dentry *dentry, u32 mask, 237 struct path_cond *cond) 238 { 239 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 240 241 return common_perm(op, &path, mask, cond); 242 } 243 244 /** 245 * common_perm_rm - common permission wrapper for operations doing rm 246 * @op: operation being checked 247 * @dir: directory that the dentry is in (NOT NULL) 248 * @dentry: dentry being rm'd (NOT NULL) 249 * @mask: requested permission mask 250 * 251 * Returns: %0 else error code if error or permission denied 252 */ 253 static int common_perm_rm(const char *op, const struct path *dir, 254 struct dentry *dentry, u32 mask) 255 { 256 struct inode *inode = d_backing_inode(dentry); 257 struct path_cond cond = { }; 258 259 if (!inode || !path_mediated_fs(dentry)) 260 return 0; 261 262 cond.uid = inode->i_uid; 263 cond.mode = inode->i_mode; 264 265 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 266 } 267 268 /** 269 * common_perm_create - common permission wrapper for operations doing create 270 * @op: operation being checked 271 * @dir: directory that dentry will be created in (NOT NULL) 272 * @dentry: dentry to create (NOT NULL) 273 * @mask: request permission mask 274 * @mode: created file mode 275 * 276 * Returns: %0 else error code if error or permission denied 277 */ 278 static int common_perm_create(const char *op, const struct path *dir, 279 struct dentry *dentry, u32 mask, umode_t mode) 280 { 281 struct path_cond cond = { current_fsuid(), mode }; 282 283 if (!path_mediated_fs(dir->dentry)) 284 return 0; 285 286 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 287 } 288 289 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 290 { 291 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 292 } 293 294 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 295 umode_t mode) 296 { 297 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 298 S_IFDIR); 299 } 300 301 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 302 { 303 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 304 } 305 306 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 307 umode_t mode, unsigned int dev) 308 { 309 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 310 } 311 312 static int apparmor_path_truncate(const struct path *path) 313 { 314 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 315 } 316 317 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 318 const char *old_name) 319 { 320 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 321 S_IFLNK); 322 } 323 324 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 325 struct dentry *new_dentry) 326 { 327 struct aa_label *label; 328 int error = 0; 329 330 if (!path_mediated_fs(old_dentry)) 331 return 0; 332 333 label = begin_current_label_crit_section(); 334 if (!unconfined(label)) 335 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 336 end_current_label_crit_section(label); 337 338 return error; 339 } 340 341 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 342 const struct path *new_dir, struct dentry *new_dentry) 343 { 344 struct aa_label *label; 345 int error = 0; 346 347 if (!path_mediated_fs(old_dentry)) 348 return 0; 349 350 label = begin_current_label_crit_section(); 351 if (!unconfined(label)) { 352 struct path old_path = { .mnt = old_dir->mnt, 353 .dentry = old_dentry }; 354 struct path new_path = { .mnt = new_dir->mnt, 355 .dentry = new_dentry }; 356 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 357 d_backing_inode(old_dentry)->i_mode 358 }; 359 360 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 361 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 362 AA_MAY_SETATTR | AA_MAY_DELETE, 363 &cond); 364 if (!error) 365 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 366 0, MAY_WRITE | AA_MAY_SETATTR | 367 AA_MAY_CREATE, &cond); 368 369 } 370 end_current_label_crit_section(label); 371 372 return error; 373 } 374 375 static int apparmor_path_chmod(const struct path *path, umode_t mode) 376 { 377 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 378 } 379 380 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 381 { 382 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 383 } 384 385 static int apparmor_inode_getattr(const struct path *path) 386 { 387 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 388 } 389 390 static int apparmor_file_open(struct file *file, const struct cred *cred) 391 { 392 struct aa_file_ctx *fctx = file_ctx(file); 393 struct aa_label *label; 394 int error = 0; 395 396 if (!path_mediated_fs(file->f_path.dentry)) 397 return 0; 398 399 /* If in exec, permission is handled by bprm hooks. 400 * Cache permissions granted by the previous exec check, with 401 * implicit read and executable mmap which are required to 402 * actually execute the image. 403 */ 404 if (current->in_execve) { 405 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 406 return 0; 407 } 408 409 label = aa_get_newest_cred_label(cred); 410 if (!unconfined(label)) { 411 struct inode *inode = file_inode(file); 412 struct path_cond cond = { inode->i_uid, inode->i_mode }; 413 414 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 415 aa_map_file_to_perms(file), &cond); 416 /* todo cache full allowed permissions set and state */ 417 fctx->allow = aa_map_file_to_perms(file); 418 } 419 aa_put_label(label); 420 421 return error; 422 } 423 424 static int apparmor_file_alloc_security(struct file *file) 425 { 426 int error = 0; 427 428 /* freed by apparmor_file_free_security */ 429 struct aa_label *label = begin_current_label_crit_section(); 430 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 431 if (!file_ctx(file)) 432 error = -ENOMEM; 433 end_current_label_crit_section(label); 434 435 return error; 436 } 437 438 static void apparmor_file_free_security(struct file *file) 439 { 440 aa_free_file_ctx(file_ctx(file)); 441 } 442 443 static int common_file_perm(const char *op, struct file *file, u32 mask) 444 { 445 struct aa_label *label; 446 int error = 0; 447 448 /* don't reaudit files closed during inheritance */ 449 if (file->f_path.dentry == aa_null.dentry) 450 return -EACCES; 451 452 label = __begin_current_label_crit_section(); 453 error = aa_file_perm(op, label, file, mask); 454 __end_current_label_crit_section(label); 455 456 return error; 457 } 458 459 static int apparmor_file_receive(struct file *file) 460 { 461 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 462 } 463 464 static int apparmor_file_permission(struct file *file, int mask) 465 { 466 return common_file_perm(OP_FPERM, file, mask); 467 } 468 469 static int apparmor_file_lock(struct file *file, unsigned int cmd) 470 { 471 u32 mask = AA_MAY_LOCK; 472 473 if (cmd == F_WRLCK) 474 mask |= MAY_WRITE; 475 476 return common_file_perm(OP_FLOCK, file, mask); 477 } 478 479 static int common_mmap(const char *op, struct file *file, unsigned long prot, 480 unsigned long flags) 481 { 482 int mask = 0; 483 484 if (!file || !file_ctx(file)) 485 return 0; 486 487 if (prot & PROT_READ) 488 mask |= MAY_READ; 489 /* 490 * Private mappings don't require write perms since they don't 491 * write back to the files 492 */ 493 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 494 mask |= MAY_WRITE; 495 if (prot & PROT_EXEC) 496 mask |= AA_EXEC_MMAP; 497 498 return common_file_perm(op, file, mask); 499 } 500 501 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 502 unsigned long prot, unsigned long flags) 503 { 504 return common_mmap(OP_FMMAP, file, prot, flags); 505 } 506 507 static int apparmor_file_mprotect(struct vm_area_struct *vma, 508 unsigned long reqprot, unsigned long prot) 509 { 510 return common_mmap(OP_FMPROT, vma->vm_file, prot, 511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512 } 513 514 static int apparmor_getprocattr(struct task_struct *task, char *name, 515 char **value) 516 { 517 int error = -ENOENT; 518 /* released below */ 519 const struct cred *cred = get_task_cred(task); 520 struct aa_task_ctx *ctx = cred_ctx(cred); 521 struct aa_label *label = NULL; 522 523 if (strcmp(name, "current") == 0) 524 label = aa_get_newest_label(ctx->label); 525 else if (strcmp(name, "prev") == 0 && ctx->previous) 526 label = aa_get_newest_label(ctx->previous); 527 else if (strcmp(name, "exec") == 0 && ctx->onexec) 528 label = aa_get_newest_label(ctx->onexec); 529 else 530 error = -EINVAL; 531 532 if (label) 533 error = aa_getprocattr(label, value); 534 535 aa_put_label(label); 536 put_cred(cred); 537 538 return error; 539 } 540 541 static int apparmor_setprocattr(const char *name, void *value, 542 size_t size) 543 { 544 char *command, *largs = NULL, *args = value; 545 size_t arg_size; 546 int error; 547 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 548 549 if (size == 0) 550 return -EINVAL; 551 552 /* AppArmor requires that the buffer must be null terminated atm */ 553 if (args[size - 1] != '\0') { 554 /* null terminate */ 555 largs = args = kmalloc(size + 1, GFP_KERNEL); 556 if (!args) 557 return -ENOMEM; 558 memcpy(args, value, size); 559 args[size] = '\0'; 560 } 561 562 error = -EINVAL; 563 args = strim(args); 564 command = strsep(&args, " "); 565 if (!args) 566 goto out; 567 args = skip_spaces(args); 568 if (!*args) 569 goto out; 570 571 arg_size = size - (args - (largs ? largs : (char *) value)); 572 if (strcmp(name, "current") == 0) { 573 if (strcmp(command, "changehat") == 0) { 574 error = aa_setprocattr_changehat(args, arg_size, 575 AA_CHANGE_NOFLAGS); 576 } else if (strcmp(command, "permhat") == 0) { 577 error = aa_setprocattr_changehat(args, arg_size, 578 AA_CHANGE_TEST); 579 } else if (strcmp(command, "changeprofile") == 0) { 580 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 581 } else if (strcmp(command, "permprofile") == 0) { 582 error = aa_change_profile(args, AA_CHANGE_TEST); 583 } else if (strcmp(command, "stack") == 0) { 584 error = aa_change_profile(args, AA_CHANGE_STACK); 585 } else 586 goto fail; 587 } else if (strcmp(name, "exec") == 0) { 588 if (strcmp(command, "exec") == 0) 589 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 590 else if (strcmp(command, "stack") == 0) 591 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 592 AA_CHANGE_STACK)); 593 else 594 goto fail; 595 } else 596 /* only support the "current" and "exec" process attributes */ 597 goto fail; 598 599 if (!error) 600 error = size; 601 out: 602 kfree(largs); 603 return error; 604 605 fail: 606 aad(&sa)->label = begin_current_label_crit_section(); 607 aad(&sa)->info = name; 608 aad(&sa)->error = error = -EINVAL; 609 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 610 end_current_label_crit_section(aad(&sa)->label); 611 goto out; 612 } 613 614 /** 615 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 616 * @bprm: binprm for the exec (NOT NULL) 617 */ 618 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 619 { 620 struct aa_label *label = aa_current_raw_label(); 621 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 622 623 /* bail out if unconfined or not changing profile */ 624 if ((new_ctx->label->proxy == label->proxy) || 625 (unconfined(new_ctx->label))) 626 return; 627 628 aa_inherit_files(bprm->cred, current->files); 629 630 current->pdeath_signal = 0; 631 632 /* reset soft limits and set hard limits for the new label */ 633 __aa_transition_rlimits(label, new_ctx->label); 634 } 635 636 /** 637 * apparmor_bprm_committed_cred - do cleanup after new creds committed 638 * @bprm: binprm for the exec (NOT NULL) 639 */ 640 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 641 { 642 /* TODO: cleanup signals - ipc mediation */ 643 return; 644 } 645 646 static int apparmor_task_setrlimit(struct task_struct *task, 647 unsigned int resource, struct rlimit *new_rlim) 648 { 649 struct aa_label *label = __begin_current_label_crit_section(); 650 int error = 0; 651 652 if (!unconfined(label)) 653 error = aa_task_setrlimit(label, task, resource, new_rlim); 654 __end_current_label_crit_section(label); 655 656 return error; 657 } 658 659 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 660 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 661 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 662 LSM_HOOK_INIT(capget, apparmor_capget), 663 LSM_HOOK_INIT(capable, apparmor_capable), 664 665 LSM_HOOK_INIT(path_link, apparmor_path_link), 666 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 667 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 668 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 669 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 670 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 671 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 672 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 673 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 674 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 675 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 676 677 LSM_HOOK_INIT(file_open, apparmor_file_open), 678 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 679 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 680 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 681 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 682 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 683 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 684 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 685 686 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 687 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 688 689 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 690 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 691 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 692 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 693 694 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 695 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 696 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 697 698 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 699 }; 700 701 /* 702 * AppArmor sysfs module parameters 703 */ 704 705 static int param_set_aabool(const char *val, const struct kernel_param *kp); 706 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 707 #define param_check_aabool param_check_bool 708 static const struct kernel_param_ops param_ops_aabool = { 709 .flags = KERNEL_PARAM_OPS_FL_NOARG, 710 .set = param_set_aabool, 711 .get = param_get_aabool 712 }; 713 714 static int param_set_aauint(const char *val, const struct kernel_param *kp); 715 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 716 #define param_check_aauint param_check_uint 717 static const struct kernel_param_ops param_ops_aauint = { 718 .set = param_set_aauint, 719 .get = param_get_aauint 720 }; 721 722 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 723 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 724 #define param_check_aalockpolicy param_check_bool 725 static const struct kernel_param_ops param_ops_aalockpolicy = { 726 .flags = KERNEL_PARAM_OPS_FL_NOARG, 727 .set = param_set_aalockpolicy, 728 .get = param_get_aalockpolicy 729 }; 730 731 static int param_set_audit(const char *val, struct kernel_param *kp); 732 static int param_get_audit(char *buffer, struct kernel_param *kp); 733 734 static int param_set_mode(const char *val, struct kernel_param *kp); 735 static int param_get_mode(char *buffer, struct kernel_param *kp); 736 737 /* Flag values, also controllable via /sys/module/apparmor/parameters 738 * We define special types as we want to do additional mediation. 739 */ 740 741 /* AppArmor global enforcement switch - complain, enforce, kill */ 742 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 743 module_param_call(mode, param_set_mode, param_get_mode, 744 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 745 746 /* whether policy verification hashing is enabled */ 747 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 748 #ifdef CONFIG_SECURITY_APPARMOR_HASH 749 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 750 #endif 751 752 /* Debug mode */ 753 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 754 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 755 756 /* Audit mode */ 757 enum audit_mode aa_g_audit; 758 module_param_call(audit, param_set_audit, param_get_audit, 759 &aa_g_audit, S_IRUSR | S_IWUSR); 760 761 /* Determines if audit header is included in audited messages. This 762 * provides more context if the audit daemon is not running 763 */ 764 bool aa_g_audit_header = 1; 765 module_param_named(audit_header, aa_g_audit_header, aabool, 766 S_IRUSR | S_IWUSR); 767 768 /* lock out loading/removal of policy 769 * TODO: add in at boot loading of policy, which is the only way to 770 * load policy, if lock_policy is set 771 */ 772 bool aa_g_lock_policy; 773 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 774 S_IRUSR | S_IWUSR); 775 776 /* Syscall logging mode */ 777 bool aa_g_logsyscall; 778 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 779 780 /* Maximum pathname length before accesses will start getting rejected */ 781 unsigned int aa_g_path_max = 2 * PATH_MAX; 782 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 783 784 /* Determines how paranoid loading of policy is and how much verification 785 * on the loaded policy is done. 786 * DEPRECATED: read only as strict checking of load is always done now 787 * that none root users (user namespaces) can load policy. 788 */ 789 bool aa_g_paranoid_load = 1; 790 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 791 792 /* Boot time disable flag */ 793 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 794 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 795 796 static int __init apparmor_enabled_setup(char *str) 797 { 798 unsigned long enabled; 799 int error = kstrtoul(str, 0, &enabled); 800 if (!error) 801 apparmor_enabled = enabled ? 1 : 0; 802 return 1; 803 } 804 805 __setup("apparmor=", apparmor_enabled_setup); 806 807 /* set global flag turning off the ability to load policy */ 808 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 809 { 810 if (!apparmor_enabled) 811 return -EINVAL; 812 if (apparmor_initialized && !policy_admin_capable(NULL)) 813 return -EPERM; 814 return param_set_bool(val, kp); 815 } 816 817 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 818 { 819 if (!apparmor_enabled) 820 return -EINVAL; 821 if (apparmor_initialized && !policy_view_capable(NULL)) 822 return -EPERM; 823 return param_get_bool(buffer, kp); 824 } 825 826 static int param_set_aabool(const char *val, const struct kernel_param *kp) 827 { 828 if (!apparmor_enabled) 829 return -EINVAL; 830 if (apparmor_initialized && !policy_admin_capable(NULL)) 831 return -EPERM; 832 return param_set_bool(val, kp); 833 } 834 835 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 836 { 837 if (!apparmor_enabled) 838 return -EINVAL; 839 if (apparmor_initialized && !policy_view_capable(NULL)) 840 return -EPERM; 841 return param_get_bool(buffer, kp); 842 } 843 844 static int param_set_aauint(const char *val, const struct kernel_param *kp) 845 { 846 int error; 847 848 if (!apparmor_enabled) 849 return -EINVAL; 850 /* file is ro but enforce 2nd line check */ 851 if (apparmor_initialized) 852 return -EPERM; 853 854 error = param_set_uint(val, kp); 855 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 856 857 return error; 858 } 859 860 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 861 { 862 if (!apparmor_enabled) 863 return -EINVAL; 864 if (apparmor_initialized && !policy_view_capable(NULL)) 865 return -EPERM; 866 return param_get_uint(buffer, kp); 867 } 868 869 static int param_get_audit(char *buffer, struct kernel_param *kp) 870 { 871 if (!apparmor_enabled) 872 return -EINVAL; 873 if (apparmor_initialized && !policy_view_capable(NULL)) 874 return -EPERM; 875 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 876 } 877 878 static int param_set_audit(const char *val, struct kernel_param *kp) 879 { 880 int i; 881 882 if (!apparmor_enabled) 883 return -EINVAL; 884 if (!val) 885 return -EINVAL; 886 if (apparmor_initialized && !policy_admin_capable(NULL)) 887 return -EPERM; 888 889 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 890 if (strcmp(val, audit_mode_names[i]) == 0) { 891 aa_g_audit = i; 892 return 0; 893 } 894 } 895 896 return -EINVAL; 897 } 898 899 static int param_get_mode(char *buffer, struct kernel_param *kp) 900 { 901 if (!apparmor_enabled) 902 return -EINVAL; 903 if (apparmor_initialized && !policy_view_capable(NULL)) 904 return -EPERM; 905 906 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 907 } 908 909 static int param_set_mode(const char *val, struct kernel_param *kp) 910 { 911 int i; 912 913 if (!apparmor_enabled) 914 return -EINVAL; 915 if (!val) 916 return -EINVAL; 917 if (apparmor_initialized && !policy_admin_capable(NULL)) 918 return -EPERM; 919 920 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 921 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 922 aa_g_profile_mode = i; 923 return 0; 924 } 925 } 926 927 return -EINVAL; 928 } 929 930 /* 931 * AppArmor init functions 932 */ 933 934 /** 935 * set_init_ctx - set a task context and profile on the first task. 936 * 937 * TODO: allow setting an alternate profile than unconfined 938 */ 939 static int __init set_init_ctx(void) 940 { 941 struct cred *cred = (struct cred *)current->real_cred; 942 struct aa_task_ctx *ctx; 943 944 ctx = aa_alloc_task_context(GFP_KERNEL); 945 if (!ctx) 946 return -ENOMEM; 947 948 ctx->label = aa_get_label(ns_unconfined(root_ns)); 949 cred_ctx(cred) = ctx; 950 951 return 0; 952 } 953 954 static void destroy_buffers(void) 955 { 956 u32 i, j; 957 958 for_each_possible_cpu(i) { 959 for_each_cpu_buffer(j) { 960 kfree(per_cpu(aa_buffers, i).buf[j]); 961 per_cpu(aa_buffers, i).buf[j] = NULL; 962 } 963 } 964 } 965 966 static int __init alloc_buffers(void) 967 { 968 u32 i, j; 969 970 for_each_possible_cpu(i) { 971 for_each_cpu_buffer(j) { 972 char *buffer; 973 974 if (cpu_to_node(i) > num_online_nodes()) 975 /* fallback to kmalloc for offline nodes */ 976 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 977 else 978 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 979 cpu_to_node(i)); 980 if (!buffer) { 981 destroy_buffers(); 982 return -ENOMEM; 983 } 984 per_cpu(aa_buffers, i).buf[j] = buffer; 985 } 986 } 987 988 return 0; 989 } 990 991 #ifdef CONFIG_SYSCTL 992 static int apparmor_dointvec(struct ctl_table *table, int write, 993 void __user *buffer, size_t *lenp, loff_t *ppos) 994 { 995 if (!policy_admin_capable(NULL)) 996 return -EPERM; 997 if (!apparmor_enabled) 998 return -EINVAL; 999 1000 return proc_dointvec(table, write, buffer, lenp, ppos); 1001 } 1002 1003 static struct ctl_path apparmor_sysctl_path[] = { 1004 { .procname = "kernel", }, 1005 { } 1006 }; 1007 1008 static struct ctl_table apparmor_sysctl_table[] = { 1009 { 1010 .procname = "unprivileged_userns_apparmor_policy", 1011 .data = &unprivileged_userns_apparmor_policy, 1012 .maxlen = sizeof(int), 1013 .mode = 0600, 1014 .proc_handler = apparmor_dointvec, 1015 }, 1016 { } 1017 }; 1018 1019 static int __init apparmor_init_sysctl(void) 1020 { 1021 return register_sysctl_paths(apparmor_sysctl_path, 1022 apparmor_sysctl_table) ? 0 : -ENOMEM; 1023 } 1024 #else 1025 static inline int apparmor_init_sysctl(void) 1026 { 1027 return 0; 1028 } 1029 #endif /* CONFIG_SYSCTL */ 1030 1031 static int __init apparmor_init(void) 1032 { 1033 int error; 1034 1035 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1036 aa_info_message("AppArmor disabled by boot time parameter"); 1037 apparmor_enabled = 0; 1038 return 0; 1039 } 1040 1041 error = aa_setup_dfa_engine(); 1042 if (error) { 1043 AA_ERROR("Unable to setup dfa engine\n"); 1044 goto alloc_out; 1045 } 1046 1047 error = aa_alloc_root_ns(); 1048 if (error) { 1049 AA_ERROR("Unable to allocate default profile namespace\n"); 1050 goto alloc_out; 1051 } 1052 1053 error = apparmor_init_sysctl(); 1054 if (error) { 1055 AA_ERROR("Unable to register sysctls\n"); 1056 goto alloc_out; 1057 1058 } 1059 1060 error = alloc_buffers(); 1061 if (error) { 1062 AA_ERROR("Unable to allocate work buffers\n"); 1063 goto buffers_out; 1064 } 1065 1066 error = set_init_ctx(); 1067 if (error) { 1068 AA_ERROR("Failed to set context on init task\n"); 1069 aa_free_root_ns(); 1070 goto buffers_out; 1071 } 1072 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1073 "apparmor"); 1074 1075 /* Report that AppArmor successfully initialized */ 1076 apparmor_initialized = 1; 1077 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1078 aa_info_message("AppArmor initialized: complain mode enabled"); 1079 else if (aa_g_profile_mode == APPARMOR_KILL) 1080 aa_info_message("AppArmor initialized: kill mode enabled"); 1081 else 1082 aa_info_message("AppArmor initialized"); 1083 1084 return error; 1085 1086 buffers_out: 1087 destroy_buffers(); 1088 1089 alloc_out: 1090 aa_destroy_aafs(); 1091 aa_teardown_dfa_engine(); 1092 1093 apparmor_enabled = 0; 1094 return error; 1095 } 1096 1097 security_initcall(apparmor_init); 1098