1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <net/sock.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 48 49 50 /* 51 * LSM hook functions 52 */ 53 54 /* 55 * put the associated labels 56 */ 57 static void apparmor_cred_free(struct cred *cred) 58 { 59 aa_put_label(cred_label(cred)); 60 cred_label(cred) = NULL; 61 } 62 63 /* 64 * allocate the apparmor part of blank credentials 65 */ 66 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 67 { 68 cred_label(cred) = NULL; 69 return 0; 70 } 71 72 /* 73 * prepare new cred label for modification by prepare_cred block 74 */ 75 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 76 gfp_t gfp) 77 { 78 cred_label(new) = aa_get_newest_label(cred_label(old)); 79 return 0; 80 } 81 82 /* 83 * transfer the apparmor data to a blank set of creds 84 */ 85 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 86 { 87 cred_label(new) = aa_get_newest_label(cred_label(old)); 88 } 89 90 static void apparmor_task_free(struct task_struct *task) 91 { 92 93 aa_free_task_ctx(task_ctx(task)); 94 task_ctx(task) = NULL; 95 } 96 97 static int apparmor_task_alloc(struct task_struct *task, 98 unsigned long clone_flags) 99 { 100 struct aa_task_ctx *new = aa_alloc_task_ctx(GFP_KERNEL); 101 102 if (!new) 103 return -ENOMEM; 104 105 aa_dup_task_ctx(new, task_ctx(current)); 106 task_ctx(task) = new; 107 108 return 0; 109 } 110 111 static int apparmor_ptrace_access_check(struct task_struct *child, 112 unsigned int mode) 113 { 114 struct aa_label *tracer, *tracee; 115 int error; 116 117 tracer = begin_current_label_crit_section(); 118 tracee = aa_get_task_label(child); 119 error = aa_may_ptrace(tracer, tracee, 120 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ 121 : AA_PTRACE_TRACE); 122 aa_put_label(tracee); 123 end_current_label_crit_section(tracer); 124 125 return error; 126 } 127 128 static int apparmor_ptrace_traceme(struct task_struct *parent) 129 { 130 struct aa_label *tracer, *tracee; 131 int error; 132 133 tracee = begin_current_label_crit_section(); 134 tracer = aa_get_task_label(parent); 135 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 136 aa_put_label(tracer); 137 end_current_label_crit_section(tracee); 138 139 return error; 140 } 141 142 /* Derived from security/commoncap.c:cap_capget */ 143 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 144 kernel_cap_t *inheritable, kernel_cap_t *permitted) 145 { 146 struct aa_label *label; 147 const struct cred *cred; 148 149 rcu_read_lock(); 150 cred = __task_cred(target); 151 label = aa_get_newest_cred_label(cred); 152 153 /* 154 * cap_capget is stacked ahead of this and will 155 * initialize effective and permitted. 156 */ 157 if (!unconfined(label)) { 158 struct aa_profile *profile; 159 struct label_it i; 160 161 label_for_each_confined(i, label, profile) { 162 if (COMPLAIN_MODE(profile)) 163 continue; 164 *effective = cap_intersect(*effective, 165 profile->caps.allow); 166 *permitted = cap_intersect(*permitted, 167 profile->caps.allow); 168 } 169 } 170 rcu_read_unlock(); 171 aa_put_label(label); 172 173 return 0; 174 } 175 176 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 177 int cap, int audit) 178 { 179 struct aa_label *label; 180 int error = 0; 181 182 label = aa_get_newest_cred_label(cred); 183 if (!unconfined(label)) 184 error = aa_capable(label, cap, audit); 185 aa_put_label(label); 186 187 return error; 188 } 189 190 /** 191 * common_perm - basic common permission check wrapper fn for paths 192 * @op: operation being checked 193 * @path: path to check permission of (NOT NULL) 194 * @mask: requested permissions mask 195 * @cond: conditional info for the permission request (NOT NULL) 196 * 197 * Returns: %0 else error code if error or permission denied 198 */ 199 static int common_perm(const char *op, const struct path *path, u32 mask, 200 struct path_cond *cond) 201 { 202 struct aa_label *label; 203 int error = 0; 204 205 label = __begin_current_label_crit_section(); 206 if (!unconfined(label)) 207 error = aa_path_perm(op, label, path, 0, mask, cond); 208 __end_current_label_crit_section(label); 209 210 return error; 211 } 212 213 /** 214 * common_perm_cond - common permission wrapper around inode cond 215 * @op: operation being checked 216 * @path: location to check (NOT NULL) 217 * @mask: requested permissions mask 218 * 219 * Returns: %0 else error code if error or permission denied 220 */ 221 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 222 { 223 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 224 d_backing_inode(path->dentry)->i_mode 225 }; 226 227 if (!path_mediated_fs(path->dentry)) 228 return 0; 229 230 return common_perm(op, path, mask, &cond); 231 } 232 233 /** 234 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 235 * @op: operation being checked 236 * @dir: directory of the dentry (NOT NULL) 237 * @dentry: dentry to check (NOT NULL) 238 * @mask: requested permissions mask 239 * @cond: conditional info for the permission request (NOT NULL) 240 * 241 * Returns: %0 else error code if error or permission denied 242 */ 243 static int common_perm_dir_dentry(const char *op, const struct path *dir, 244 struct dentry *dentry, u32 mask, 245 struct path_cond *cond) 246 { 247 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 248 249 return common_perm(op, &path, mask, cond); 250 } 251 252 /** 253 * common_perm_rm - common permission wrapper for operations doing rm 254 * @op: operation being checked 255 * @dir: directory that the dentry is in (NOT NULL) 256 * @dentry: dentry being rm'd (NOT NULL) 257 * @mask: requested permission mask 258 * 259 * Returns: %0 else error code if error or permission denied 260 */ 261 static int common_perm_rm(const char *op, const struct path *dir, 262 struct dentry *dentry, u32 mask) 263 { 264 struct inode *inode = d_backing_inode(dentry); 265 struct path_cond cond = { }; 266 267 if (!inode || !path_mediated_fs(dentry)) 268 return 0; 269 270 cond.uid = inode->i_uid; 271 cond.mode = inode->i_mode; 272 273 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 274 } 275 276 /** 277 * common_perm_create - common permission wrapper for operations doing create 278 * @op: operation being checked 279 * @dir: directory that dentry will be created in (NOT NULL) 280 * @dentry: dentry to create (NOT NULL) 281 * @mask: request permission mask 282 * @mode: created file mode 283 * 284 * Returns: %0 else error code if error or permission denied 285 */ 286 static int common_perm_create(const char *op, const struct path *dir, 287 struct dentry *dentry, u32 mask, umode_t mode) 288 { 289 struct path_cond cond = { current_fsuid(), mode }; 290 291 if (!path_mediated_fs(dir->dentry)) 292 return 0; 293 294 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 295 } 296 297 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 298 { 299 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 300 } 301 302 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 303 umode_t mode) 304 { 305 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 306 S_IFDIR); 307 } 308 309 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 310 { 311 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 312 } 313 314 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 315 umode_t mode, unsigned int dev) 316 { 317 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 318 } 319 320 static int apparmor_path_truncate(const struct path *path) 321 { 322 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 323 } 324 325 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 326 const char *old_name) 327 { 328 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 329 S_IFLNK); 330 } 331 332 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 333 struct dentry *new_dentry) 334 { 335 struct aa_label *label; 336 int error = 0; 337 338 if (!path_mediated_fs(old_dentry)) 339 return 0; 340 341 label = begin_current_label_crit_section(); 342 if (!unconfined(label)) 343 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 344 end_current_label_crit_section(label); 345 346 return error; 347 } 348 349 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 350 const struct path *new_dir, struct dentry *new_dentry) 351 { 352 struct aa_label *label; 353 int error = 0; 354 355 if (!path_mediated_fs(old_dentry)) 356 return 0; 357 358 label = begin_current_label_crit_section(); 359 if (!unconfined(label)) { 360 struct path old_path = { .mnt = old_dir->mnt, 361 .dentry = old_dentry }; 362 struct path new_path = { .mnt = new_dir->mnt, 363 .dentry = new_dentry }; 364 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 365 d_backing_inode(old_dentry)->i_mode 366 }; 367 368 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 369 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 370 AA_MAY_SETATTR | AA_MAY_DELETE, 371 &cond); 372 if (!error) 373 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 374 0, MAY_WRITE | AA_MAY_SETATTR | 375 AA_MAY_CREATE, &cond); 376 377 } 378 end_current_label_crit_section(label); 379 380 return error; 381 } 382 383 static int apparmor_path_chmod(const struct path *path, umode_t mode) 384 { 385 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 386 } 387 388 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 389 { 390 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 391 } 392 393 static int apparmor_inode_getattr(const struct path *path) 394 { 395 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 396 } 397 398 static int apparmor_file_open(struct file *file) 399 { 400 struct aa_file_ctx *fctx = file_ctx(file); 401 struct aa_label *label; 402 int error = 0; 403 404 if (!path_mediated_fs(file->f_path.dentry)) 405 return 0; 406 407 /* If in exec, permission is handled by bprm hooks. 408 * Cache permissions granted by the previous exec check, with 409 * implicit read and executable mmap which are required to 410 * actually execute the image. 411 */ 412 if (current->in_execve) { 413 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 414 return 0; 415 } 416 417 label = aa_get_newest_cred_label(file->f_cred); 418 if (!unconfined(label)) { 419 struct inode *inode = file_inode(file); 420 struct path_cond cond = { inode->i_uid, inode->i_mode }; 421 422 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 423 aa_map_file_to_perms(file), &cond); 424 /* todo cache full allowed permissions set and state */ 425 fctx->allow = aa_map_file_to_perms(file); 426 } 427 aa_put_label(label); 428 429 return error; 430 } 431 432 static int apparmor_file_alloc_security(struct file *file) 433 { 434 int error = 0; 435 436 /* freed by apparmor_file_free_security */ 437 struct aa_label *label = begin_current_label_crit_section(); 438 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 439 if (!file_ctx(file)) 440 error = -ENOMEM; 441 end_current_label_crit_section(label); 442 443 return error; 444 } 445 446 static void apparmor_file_free_security(struct file *file) 447 { 448 aa_free_file_ctx(file_ctx(file)); 449 } 450 451 static int common_file_perm(const char *op, struct file *file, u32 mask) 452 { 453 struct aa_label *label; 454 int error = 0; 455 456 /* don't reaudit files closed during inheritance */ 457 if (file->f_path.dentry == aa_null.dentry) 458 return -EACCES; 459 460 label = __begin_current_label_crit_section(); 461 error = aa_file_perm(op, label, file, mask); 462 __end_current_label_crit_section(label); 463 464 return error; 465 } 466 467 static int apparmor_file_receive(struct file *file) 468 { 469 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 470 } 471 472 static int apparmor_file_permission(struct file *file, int mask) 473 { 474 return common_file_perm(OP_FPERM, file, mask); 475 } 476 477 static int apparmor_file_lock(struct file *file, unsigned int cmd) 478 { 479 u32 mask = AA_MAY_LOCK; 480 481 if (cmd == F_WRLCK) 482 mask |= MAY_WRITE; 483 484 return common_file_perm(OP_FLOCK, file, mask); 485 } 486 487 static int common_mmap(const char *op, struct file *file, unsigned long prot, 488 unsigned long flags) 489 { 490 int mask = 0; 491 492 if (!file || !file_ctx(file)) 493 return 0; 494 495 if (prot & PROT_READ) 496 mask |= MAY_READ; 497 /* 498 * Private mappings don't require write perms since they don't 499 * write back to the files 500 */ 501 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 502 mask |= MAY_WRITE; 503 if (prot & PROT_EXEC) 504 mask |= AA_EXEC_MMAP; 505 506 return common_file_perm(op, file, mask); 507 } 508 509 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 510 unsigned long prot, unsigned long flags) 511 { 512 return common_mmap(OP_FMMAP, file, prot, flags); 513 } 514 515 static int apparmor_file_mprotect(struct vm_area_struct *vma, 516 unsigned long reqprot, unsigned long prot) 517 { 518 return common_mmap(OP_FMPROT, vma->vm_file, prot, 519 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 520 } 521 522 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 523 const char *type, unsigned long flags, void *data) 524 { 525 struct aa_label *label; 526 int error = 0; 527 528 /* Discard magic */ 529 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 530 flags &= ~MS_MGC_MSK; 531 532 flags &= ~AA_MS_IGNORE_MASK; 533 534 label = __begin_current_label_crit_section(); 535 if (!unconfined(label)) { 536 if (flags & MS_REMOUNT) 537 error = aa_remount(label, path, flags, data); 538 else if (flags & MS_BIND) 539 error = aa_bind_mount(label, path, dev_name, flags); 540 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 541 MS_UNBINDABLE)) 542 error = aa_mount_change_type(label, path, flags); 543 else if (flags & MS_MOVE) 544 error = aa_move_mount(label, path, dev_name); 545 else 546 error = aa_new_mount(label, dev_name, path, type, 547 flags, data); 548 } 549 __end_current_label_crit_section(label); 550 551 return error; 552 } 553 554 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 555 { 556 struct aa_label *label; 557 int error = 0; 558 559 label = __begin_current_label_crit_section(); 560 if (!unconfined(label)) 561 error = aa_umount(label, mnt, flags); 562 __end_current_label_crit_section(label); 563 564 return error; 565 } 566 567 static int apparmor_sb_pivotroot(const struct path *old_path, 568 const struct path *new_path) 569 { 570 struct aa_label *label; 571 int error = 0; 572 573 label = aa_get_current_label(); 574 if (!unconfined(label)) 575 error = aa_pivotroot(label, old_path, new_path); 576 aa_put_label(label); 577 578 return error; 579 } 580 581 static int apparmor_getprocattr(struct task_struct *task, char *name, 582 char **value) 583 { 584 int error = -ENOENT; 585 /* released below */ 586 const struct cred *cred = get_task_cred(task); 587 struct aa_task_ctx *ctx = task_ctx(current); 588 struct aa_label *label = NULL; 589 590 if (strcmp(name, "current") == 0) 591 label = aa_get_newest_label(cred_label(cred)); 592 else if (strcmp(name, "prev") == 0 && ctx->previous) 593 label = aa_get_newest_label(ctx->previous); 594 else if (strcmp(name, "exec") == 0 && ctx->onexec) 595 label = aa_get_newest_label(ctx->onexec); 596 else 597 error = -EINVAL; 598 599 if (label) 600 error = aa_getprocattr(label, value); 601 602 aa_put_label(label); 603 put_cred(cred); 604 605 return error; 606 } 607 608 static int apparmor_setprocattr(const char *name, void *value, 609 size_t size) 610 { 611 char *command, *largs = NULL, *args = value; 612 size_t arg_size; 613 int error; 614 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 615 616 if (size == 0) 617 return -EINVAL; 618 619 /* AppArmor requires that the buffer must be null terminated atm */ 620 if (args[size - 1] != '\0') { 621 /* null terminate */ 622 largs = args = kmalloc(size + 1, GFP_KERNEL); 623 if (!args) 624 return -ENOMEM; 625 memcpy(args, value, size); 626 args[size] = '\0'; 627 } 628 629 error = -EINVAL; 630 args = strim(args); 631 command = strsep(&args, " "); 632 if (!args) 633 goto out; 634 args = skip_spaces(args); 635 if (!*args) 636 goto out; 637 638 arg_size = size - (args - (largs ? largs : (char *) value)); 639 if (strcmp(name, "current") == 0) { 640 if (strcmp(command, "changehat") == 0) { 641 error = aa_setprocattr_changehat(args, arg_size, 642 AA_CHANGE_NOFLAGS); 643 } else if (strcmp(command, "permhat") == 0) { 644 error = aa_setprocattr_changehat(args, arg_size, 645 AA_CHANGE_TEST); 646 } else if (strcmp(command, "changeprofile") == 0) { 647 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 648 } else if (strcmp(command, "permprofile") == 0) { 649 error = aa_change_profile(args, AA_CHANGE_TEST); 650 } else if (strcmp(command, "stack") == 0) { 651 error = aa_change_profile(args, AA_CHANGE_STACK); 652 } else 653 goto fail; 654 } else if (strcmp(name, "exec") == 0) { 655 if (strcmp(command, "exec") == 0) 656 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 657 else if (strcmp(command, "stack") == 0) 658 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 659 AA_CHANGE_STACK)); 660 else 661 goto fail; 662 } else 663 /* only support the "current" and "exec" process attributes */ 664 goto fail; 665 666 if (!error) 667 error = size; 668 out: 669 kfree(largs); 670 return error; 671 672 fail: 673 aad(&sa)->label = begin_current_label_crit_section(); 674 aad(&sa)->info = name; 675 aad(&sa)->error = error = -EINVAL; 676 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 677 end_current_label_crit_section(aad(&sa)->label); 678 goto out; 679 } 680 681 /** 682 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 683 * @bprm: binprm for the exec (NOT NULL) 684 */ 685 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 686 { 687 struct aa_label *label = aa_current_raw_label(); 688 struct aa_label *new_label = cred_label(bprm->cred); 689 690 /* bail out if unconfined or not changing profile */ 691 if ((new_label->proxy == label->proxy) || 692 (unconfined(new_label))) 693 return; 694 695 aa_inherit_files(bprm->cred, current->files); 696 697 current->pdeath_signal = 0; 698 699 /* reset soft limits and set hard limits for the new label */ 700 __aa_transition_rlimits(label, new_label); 701 } 702 703 /** 704 * apparmor_bprm_committed_cred - do cleanup after new creds committed 705 * @bprm: binprm for the exec (NOT NULL) 706 */ 707 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 708 { 709 /* clear out temporary/transitional state from the context */ 710 aa_clear_task_ctx_trans(task_ctx(current)); 711 712 return; 713 } 714 715 static void apparmor_task_getsecid(struct task_struct *p, u32 *secid) 716 { 717 struct aa_label *label = aa_get_task_label(p); 718 *secid = label->secid; 719 aa_put_label(label); 720 } 721 722 static int apparmor_task_setrlimit(struct task_struct *task, 723 unsigned int resource, struct rlimit *new_rlim) 724 { 725 struct aa_label *label = __begin_current_label_crit_section(); 726 int error = 0; 727 728 if (!unconfined(label)) 729 error = aa_task_setrlimit(label, task, resource, new_rlim); 730 __end_current_label_crit_section(label); 731 732 return error; 733 } 734 735 static int apparmor_task_kill(struct task_struct *target, struct siginfo *info, 736 int sig, const struct cred *cred) 737 { 738 struct aa_label *cl, *tl; 739 int error; 740 741 if (cred) { 742 /* 743 * Dealing with USB IO specific behavior 744 */ 745 cl = aa_get_newest_cred_label(cred); 746 tl = aa_get_task_label(target); 747 error = aa_may_signal(cl, tl, sig); 748 aa_put_label(cl); 749 aa_put_label(tl); 750 return error; 751 } 752 753 cl = __begin_current_label_crit_section(); 754 tl = aa_get_task_label(target); 755 error = aa_may_signal(cl, tl, sig); 756 aa_put_label(tl); 757 __end_current_label_crit_section(cl); 758 759 return error; 760 } 761 762 /** 763 * apparmor_sk_alloc_security - allocate and attach the sk_security field 764 */ 765 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 766 { 767 struct aa_sk_ctx *ctx; 768 769 ctx = kzalloc(sizeof(*ctx), flags); 770 if (!ctx) 771 return -ENOMEM; 772 773 SK_CTX(sk) = ctx; 774 775 return 0; 776 } 777 778 /** 779 * apparmor_sk_free_security - free the sk_security field 780 */ 781 static void apparmor_sk_free_security(struct sock *sk) 782 { 783 struct aa_sk_ctx *ctx = SK_CTX(sk); 784 785 SK_CTX(sk) = NULL; 786 aa_put_label(ctx->label); 787 aa_put_label(ctx->peer); 788 kfree(ctx); 789 } 790 791 /** 792 * apparmor_clone_security - clone the sk_security field 793 */ 794 static void apparmor_sk_clone_security(const struct sock *sk, 795 struct sock *newsk) 796 { 797 struct aa_sk_ctx *ctx = SK_CTX(sk); 798 struct aa_sk_ctx *new = SK_CTX(newsk); 799 800 new->label = aa_get_label(ctx->label); 801 new->peer = aa_get_label(ctx->peer); 802 } 803 804 /** 805 * apparmor_socket_create - check perms before creating a new socket 806 */ 807 static int apparmor_socket_create(int family, int type, int protocol, int kern) 808 { 809 struct aa_label *label; 810 int error = 0; 811 812 AA_BUG(in_interrupt()); 813 814 label = begin_current_label_crit_section(); 815 if (!(kern || unconfined(label))) 816 error = af_select(family, 817 create_perm(label, family, type, protocol), 818 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 819 family, type, protocol)); 820 end_current_label_crit_section(label); 821 822 return error; 823 } 824 825 /** 826 * apparmor_socket_post_create - setup the per-socket security struct 827 * 828 * Note: 829 * - kernel sockets currently labeled unconfined but we may want to 830 * move to a special kernel label 831 * - socket may not have sk here if created with sock_create_lite or 832 * sock_alloc. These should be accept cases which will be handled in 833 * sock_graft. 834 */ 835 static int apparmor_socket_post_create(struct socket *sock, int family, 836 int type, int protocol, int kern) 837 { 838 struct aa_label *label; 839 840 if (kern) { 841 struct aa_ns *ns = aa_get_current_ns(); 842 843 label = aa_get_label(ns_unconfined(ns)); 844 aa_put_ns(ns); 845 } else 846 label = aa_get_current_label(); 847 848 if (sock->sk) { 849 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 850 851 aa_put_label(ctx->label); 852 ctx->label = aa_get_label(label); 853 } 854 aa_put_label(label); 855 856 return 0; 857 } 858 859 /** 860 * apparmor_socket_bind - check perms before bind addr to socket 861 */ 862 static int apparmor_socket_bind(struct socket *sock, 863 struct sockaddr *address, int addrlen) 864 { 865 AA_BUG(!sock); 866 AA_BUG(!sock->sk); 867 AA_BUG(!address); 868 AA_BUG(in_interrupt()); 869 870 return af_select(sock->sk->sk_family, 871 bind_perm(sock, address, addrlen), 872 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 873 } 874 875 /** 876 * apparmor_socket_connect - check perms before connecting @sock to @address 877 */ 878 static int apparmor_socket_connect(struct socket *sock, 879 struct sockaddr *address, int addrlen) 880 { 881 AA_BUG(!sock); 882 AA_BUG(!sock->sk); 883 AA_BUG(!address); 884 AA_BUG(in_interrupt()); 885 886 return af_select(sock->sk->sk_family, 887 connect_perm(sock, address, addrlen), 888 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 889 } 890 891 /** 892 * apparmor_socket_list - check perms before allowing listen 893 */ 894 static int apparmor_socket_listen(struct socket *sock, int backlog) 895 { 896 AA_BUG(!sock); 897 AA_BUG(!sock->sk); 898 AA_BUG(in_interrupt()); 899 900 return af_select(sock->sk->sk_family, 901 listen_perm(sock, backlog), 902 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 903 } 904 905 /** 906 * apparmor_socket_accept - check perms before accepting a new connection. 907 * 908 * Note: while @newsock is created and has some information, the accept 909 * has not been done. 910 */ 911 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 912 { 913 AA_BUG(!sock); 914 AA_BUG(!sock->sk); 915 AA_BUG(!newsock); 916 AA_BUG(in_interrupt()); 917 918 return af_select(sock->sk->sk_family, 919 accept_perm(sock, newsock), 920 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 921 } 922 923 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 924 struct msghdr *msg, int size) 925 { 926 AA_BUG(!sock); 927 AA_BUG(!sock->sk); 928 AA_BUG(!msg); 929 AA_BUG(in_interrupt()); 930 931 return af_select(sock->sk->sk_family, 932 msg_perm(op, request, sock, msg, size), 933 aa_sk_perm(op, request, sock->sk)); 934 } 935 936 /** 937 * apparmor_socket_sendmsg - check perms before sending msg to another socket 938 */ 939 static int apparmor_socket_sendmsg(struct socket *sock, 940 struct msghdr *msg, int size) 941 { 942 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 943 } 944 945 /** 946 * apparmor_socket_recvmsg - check perms before receiving a message 947 */ 948 static int apparmor_socket_recvmsg(struct socket *sock, 949 struct msghdr *msg, int size, int flags) 950 { 951 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 952 } 953 954 /* revaliation, get/set attr, shutdown */ 955 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 956 { 957 AA_BUG(!sock); 958 AA_BUG(!sock->sk); 959 AA_BUG(in_interrupt()); 960 961 return af_select(sock->sk->sk_family, 962 sock_perm(op, request, sock), 963 aa_sk_perm(op, request, sock->sk)); 964 } 965 966 /** 967 * apparmor_socket_getsockname - check perms before getting the local address 968 */ 969 static int apparmor_socket_getsockname(struct socket *sock) 970 { 971 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 972 } 973 974 /** 975 * apparmor_socket_getpeername - check perms before getting remote address 976 */ 977 static int apparmor_socket_getpeername(struct socket *sock) 978 { 979 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 980 } 981 982 /* revaliation, get/set attr, opt */ 983 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 984 int level, int optname) 985 { 986 AA_BUG(!sock); 987 AA_BUG(!sock->sk); 988 AA_BUG(in_interrupt()); 989 990 return af_select(sock->sk->sk_family, 991 opt_perm(op, request, sock, level, optname), 992 aa_sk_perm(op, request, sock->sk)); 993 } 994 995 /** 996 * apparmor_getsockopt - check perms before getting socket options 997 */ 998 static int apparmor_socket_getsockopt(struct socket *sock, int level, 999 int optname) 1000 { 1001 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1002 level, optname); 1003 } 1004 1005 /** 1006 * apparmor_setsockopt - check perms before setting socket options 1007 */ 1008 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1009 int optname) 1010 { 1011 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1012 level, optname); 1013 } 1014 1015 /** 1016 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1017 */ 1018 static int apparmor_socket_shutdown(struct socket *sock, int how) 1019 { 1020 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1021 } 1022 1023 /** 1024 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 1025 * 1026 * Note: can not sleep may be called with locks held 1027 * 1028 * dont want protocol specific in __skb_recv_datagram() 1029 * to deny an incoming connection socket_sock_rcv_skb() 1030 */ 1031 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1032 { 1033 return 0; 1034 } 1035 1036 1037 static struct aa_label *sk_peer_label(struct sock *sk) 1038 { 1039 struct aa_sk_ctx *ctx = SK_CTX(sk); 1040 1041 if (ctx->peer) 1042 return ctx->peer; 1043 1044 return ERR_PTR(-ENOPROTOOPT); 1045 } 1046 1047 /** 1048 * apparmor_socket_getpeersec_stream - get security context of peer 1049 * 1050 * Note: for tcp only valid if using ipsec or cipso on lan 1051 */ 1052 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1053 char __user *optval, 1054 int __user *optlen, 1055 unsigned int len) 1056 { 1057 char *name; 1058 int slen, error = 0; 1059 struct aa_label *label; 1060 struct aa_label *peer; 1061 1062 label = begin_current_label_crit_section(); 1063 peer = sk_peer_label(sock->sk); 1064 if (IS_ERR(peer)) { 1065 error = PTR_ERR(peer); 1066 goto done; 1067 } 1068 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1069 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1070 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1071 /* don't include terminating \0 in slen, it breaks some apps */ 1072 if (slen < 0) { 1073 error = -ENOMEM; 1074 } else { 1075 if (slen > len) { 1076 error = -ERANGE; 1077 } else if (copy_to_user(optval, name, slen)) { 1078 error = -EFAULT; 1079 goto out; 1080 } 1081 if (put_user(slen, optlen)) 1082 error = -EFAULT; 1083 out: 1084 kfree(name); 1085 1086 } 1087 1088 done: 1089 end_current_label_crit_section(label); 1090 1091 return error; 1092 } 1093 1094 /** 1095 * apparmor_socket_getpeersec_dgram - get security label of packet 1096 * @sock: the peer socket 1097 * @skb: packet data 1098 * @secid: pointer to where to put the secid of the packet 1099 * 1100 * Sets the netlabel socket state on sk from parent 1101 */ 1102 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1103 struct sk_buff *skb, u32 *secid) 1104 1105 { 1106 /* TODO: requires secid support */ 1107 return -ENOPROTOOPT; 1108 } 1109 1110 /** 1111 * apparmor_sock_graft - Initialize newly created socket 1112 * @sk: child sock 1113 * @parent: parent socket 1114 * 1115 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1116 * just set sk security information off of current creating process label 1117 * Labeling of sk for accept case - probably should be sock based 1118 * instead of task, because of the case where an implicitly labeled 1119 * socket is shared by different tasks. 1120 */ 1121 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1122 { 1123 struct aa_sk_ctx *ctx = SK_CTX(sk); 1124 1125 if (!ctx->label) 1126 ctx->label = aa_get_current_label(); 1127 } 1128 1129 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1130 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1131 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1132 LSM_HOOK_INIT(capget, apparmor_capget), 1133 LSM_HOOK_INIT(capable, apparmor_capable), 1134 1135 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1136 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1137 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1138 1139 LSM_HOOK_INIT(path_link, apparmor_path_link), 1140 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1141 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1142 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1143 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1144 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1145 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1146 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1147 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1148 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1149 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1150 1151 LSM_HOOK_INIT(file_open, apparmor_file_open), 1152 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1153 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1154 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1155 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1156 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1157 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1158 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1159 1160 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1161 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1162 1163 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1164 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1165 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1166 1167 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1168 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1169 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1170 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1171 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1172 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1173 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1174 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1175 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1176 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1177 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1178 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1179 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1180 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1181 LSM_HOOK_INIT(socket_getpeersec_stream, 1182 apparmor_socket_getpeersec_stream), 1183 LSM_HOOK_INIT(socket_getpeersec_dgram, 1184 apparmor_socket_getpeersec_dgram), 1185 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1186 1187 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1188 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1189 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1190 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1191 1192 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 1193 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1194 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1195 1196 LSM_HOOK_INIT(task_free, apparmor_task_free), 1197 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1198 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid), 1199 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1200 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1201 1202 #ifdef CONFIG_AUDIT 1203 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init), 1204 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known), 1205 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match), 1206 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free), 1207 #endif 1208 1209 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1210 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1211 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1212 }; 1213 1214 /* 1215 * AppArmor sysfs module parameters 1216 */ 1217 1218 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1219 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1220 #define param_check_aabool param_check_bool 1221 static const struct kernel_param_ops param_ops_aabool = { 1222 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1223 .set = param_set_aabool, 1224 .get = param_get_aabool 1225 }; 1226 1227 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1228 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1229 #define param_check_aauint param_check_uint 1230 static const struct kernel_param_ops param_ops_aauint = { 1231 .set = param_set_aauint, 1232 .get = param_get_aauint 1233 }; 1234 1235 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1236 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1237 #define param_check_aalockpolicy param_check_bool 1238 static const struct kernel_param_ops param_ops_aalockpolicy = { 1239 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1240 .set = param_set_aalockpolicy, 1241 .get = param_get_aalockpolicy 1242 }; 1243 1244 static int param_set_audit(const char *val, const struct kernel_param *kp); 1245 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1246 1247 static int param_set_mode(const char *val, const struct kernel_param *kp); 1248 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1249 1250 /* Flag values, also controllable via /sys/module/apparmor/parameters 1251 * We define special types as we want to do additional mediation. 1252 */ 1253 1254 /* AppArmor global enforcement switch - complain, enforce, kill */ 1255 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1256 module_param_call(mode, param_set_mode, param_get_mode, 1257 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1258 1259 /* whether policy verification hashing is enabled */ 1260 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1261 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1262 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1263 #endif 1264 1265 /* Debug mode */ 1266 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1267 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1268 1269 /* Audit mode */ 1270 enum audit_mode aa_g_audit; 1271 module_param_call(audit, param_set_audit, param_get_audit, 1272 &aa_g_audit, S_IRUSR | S_IWUSR); 1273 1274 /* Determines if audit header is included in audited messages. This 1275 * provides more context if the audit daemon is not running 1276 */ 1277 bool aa_g_audit_header = true; 1278 module_param_named(audit_header, aa_g_audit_header, aabool, 1279 S_IRUSR | S_IWUSR); 1280 1281 /* lock out loading/removal of policy 1282 * TODO: add in at boot loading of policy, which is the only way to 1283 * load policy, if lock_policy is set 1284 */ 1285 bool aa_g_lock_policy; 1286 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1287 S_IRUSR | S_IWUSR); 1288 1289 /* Syscall logging mode */ 1290 bool aa_g_logsyscall; 1291 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1292 1293 /* Maximum pathname length before accesses will start getting rejected */ 1294 unsigned int aa_g_path_max = 2 * PATH_MAX; 1295 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1296 1297 /* Determines how paranoid loading of policy is and how much verification 1298 * on the loaded policy is done. 1299 * DEPRECATED: read only as strict checking of load is always done now 1300 * that none root users (user namespaces) can load policy. 1301 */ 1302 bool aa_g_paranoid_load = true; 1303 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1304 1305 /* Boot time disable flag */ 1306 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 1307 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 1308 1309 static int __init apparmor_enabled_setup(char *str) 1310 { 1311 unsigned long enabled; 1312 int error = kstrtoul(str, 0, &enabled); 1313 if (!error) 1314 apparmor_enabled = enabled ? 1 : 0; 1315 return 1; 1316 } 1317 1318 __setup("apparmor=", apparmor_enabled_setup); 1319 1320 /* set global flag turning off the ability to load policy */ 1321 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1322 { 1323 if (!apparmor_enabled) 1324 return -EINVAL; 1325 if (apparmor_initialized && !policy_admin_capable(NULL)) 1326 return -EPERM; 1327 return param_set_bool(val, kp); 1328 } 1329 1330 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1331 { 1332 if (!apparmor_enabled) 1333 return -EINVAL; 1334 if (apparmor_initialized && !policy_view_capable(NULL)) 1335 return -EPERM; 1336 return param_get_bool(buffer, kp); 1337 } 1338 1339 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1340 { 1341 if (!apparmor_enabled) 1342 return -EINVAL; 1343 if (apparmor_initialized && !policy_admin_capable(NULL)) 1344 return -EPERM; 1345 return param_set_bool(val, kp); 1346 } 1347 1348 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1349 { 1350 if (!apparmor_enabled) 1351 return -EINVAL; 1352 if (apparmor_initialized && !policy_view_capable(NULL)) 1353 return -EPERM; 1354 return param_get_bool(buffer, kp); 1355 } 1356 1357 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1358 { 1359 int error; 1360 1361 if (!apparmor_enabled) 1362 return -EINVAL; 1363 /* file is ro but enforce 2nd line check */ 1364 if (apparmor_initialized) 1365 return -EPERM; 1366 1367 error = param_set_uint(val, kp); 1368 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1369 1370 return error; 1371 } 1372 1373 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1374 { 1375 if (!apparmor_enabled) 1376 return -EINVAL; 1377 if (apparmor_initialized && !policy_view_capable(NULL)) 1378 return -EPERM; 1379 return param_get_uint(buffer, kp); 1380 } 1381 1382 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1383 { 1384 if (!apparmor_enabled) 1385 return -EINVAL; 1386 if (apparmor_initialized && !policy_view_capable(NULL)) 1387 return -EPERM; 1388 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1389 } 1390 1391 static int param_set_audit(const char *val, const struct kernel_param *kp) 1392 { 1393 int i; 1394 1395 if (!apparmor_enabled) 1396 return -EINVAL; 1397 if (!val) 1398 return -EINVAL; 1399 if (apparmor_initialized && !policy_admin_capable(NULL)) 1400 return -EPERM; 1401 1402 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1403 if (i < 0) 1404 return -EINVAL; 1405 1406 aa_g_audit = i; 1407 return 0; 1408 } 1409 1410 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1411 { 1412 if (!apparmor_enabled) 1413 return -EINVAL; 1414 if (apparmor_initialized && !policy_view_capable(NULL)) 1415 return -EPERM; 1416 1417 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1418 } 1419 1420 static int param_set_mode(const char *val, const struct kernel_param *kp) 1421 { 1422 int i; 1423 1424 if (!apparmor_enabled) 1425 return -EINVAL; 1426 if (!val) 1427 return -EINVAL; 1428 if (apparmor_initialized && !policy_admin_capable(NULL)) 1429 return -EPERM; 1430 1431 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1432 val); 1433 if (i < 0) 1434 return -EINVAL; 1435 1436 aa_g_profile_mode = i; 1437 return 0; 1438 } 1439 1440 /* 1441 * AppArmor init functions 1442 */ 1443 1444 /** 1445 * set_init_ctx - set a task context and profile on the first task. 1446 * 1447 * TODO: allow setting an alternate profile than unconfined 1448 */ 1449 static int __init set_init_ctx(void) 1450 { 1451 struct cred *cred = (struct cred *)current->real_cred; 1452 struct aa_task_ctx *ctx; 1453 1454 ctx = aa_alloc_task_ctx(GFP_KERNEL); 1455 if (!ctx) 1456 return -ENOMEM; 1457 1458 cred_label(cred) = aa_get_label(ns_unconfined(root_ns)); 1459 task_ctx(current) = ctx; 1460 1461 return 0; 1462 } 1463 1464 static void destroy_buffers(void) 1465 { 1466 u32 i, j; 1467 1468 for_each_possible_cpu(i) { 1469 for_each_cpu_buffer(j) { 1470 kfree(per_cpu(aa_buffers, i).buf[j]); 1471 per_cpu(aa_buffers, i).buf[j] = NULL; 1472 } 1473 } 1474 } 1475 1476 static int __init alloc_buffers(void) 1477 { 1478 u32 i, j; 1479 1480 for_each_possible_cpu(i) { 1481 for_each_cpu_buffer(j) { 1482 char *buffer; 1483 1484 if (cpu_to_node(i) > num_online_nodes()) 1485 /* fallback to kmalloc for offline nodes */ 1486 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 1487 else 1488 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 1489 cpu_to_node(i)); 1490 if (!buffer) { 1491 destroy_buffers(); 1492 return -ENOMEM; 1493 } 1494 per_cpu(aa_buffers, i).buf[j] = buffer; 1495 } 1496 } 1497 1498 return 0; 1499 } 1500 1501 #ifdef CONFIG_SYSCTL 1502 static int apparmor_dointvec(struct ctl_table *table, int write, 1503 void __user *buffer, size_t *lenp, loff_t *ppos) 1504 { 1505 if (!policy_admin_capable(NULL)) 1506 return -EPERM; 1507 if (!apparmor_enabled) 1508 return -EINVAL; 1509 1510 return proc_dointvec(table, write, buffer, lenp, ppos); 1511 } 1512 1513 static struct ctl_path apparmor_sysctl_path[] = { 1514 { .procname = "kernel", }, 1515 { } 1516 }; 1517 1518 static struct ctl_table apparmor_sysctl_table[] = { 1519 { 1520 .procname = "unprivileged_userns_apparmor_policy", 1521 .data = &unprivileged_userns_apparmor_policy, 1522 .maxlen = sizeof(int), 1523 .mode = 0600, 1524 .proc_handler = apparmor_dointvec, 1525 }, 1526 { } 1527 }; 1528 1529 static int __init apparmor_init_sysctl(void) 1530 { 1531 return register_sysctl_paths(apparmor_sysctl_path, 1532 apparmor_sysctl_table) ? 0 : -ENOMEM; 1533 } 1534 #else 1535 static inline int apparmor_init_sysctl(void) 1536 { 1537 return 0; 1538 } 1539 #endif /* CONFIG_SYSCTL */ 1540 1541 static int __init apparmor_init(void) 1542 { 1543 int error; 1544 1545 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1546 aa_info_message("AppArmor disabled by boot time parameter"); 1547 apparmor_enabled = false; 1548 return 0; 1549 } 1550 1551 aa_secids_init(); 1552 1553 error = aa_setup_dfa_engine(); 1554 if (error) { 1555 AA_ERROR("Unable to setup dfa engine\n"); 1556 goto alloc_out; 1557 } 1558 1559 error = aa_alloc_root_ns(); 1560 if (error) { 1561 AA_ERROR("Unable to allocate default profile namespace\n"); 1562 goto alloc_out; 1563 } 1564 1565 error = apparmor_init_sysctl(); 1566 if (error) { 1567 AA_ERROR("Unable to register sysctls\n"); 1568 goto alloc_out; 1569 1570 } 1571 1572 error = alloc_buffers(); 1573 if (error) { 1574 AA_ERROR("Unable to allocate work buffers\n"); 1575 goto buffers_out; 1576 } 1577 1578 error = set_init_ctx(); 1579 if (error) { 1580 AA_ERROR("Failed to set context on init task\n"); 1581 aa_free_root_ns(); 1582 goto buffers_out; 1583 } 1584 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1585 "apparmor"); 1586 1587 /* Report that AppArmor successfully initialized */ 1588 apparmor_initialized = 1; 1589 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1590 aa_info_message("AppArmor initialized: complain mode enabled"); 1591 else if (aa_g_profile_mode == APPARMOR_KILL) 1592 aa_info_message("AppArmor initialized: kill mode enabled"); 1593 else 1594 aa_info_message("AppArmor initialized"); 1595 1596 return error; 1597 1598 buffers_out: 1599 destroy_buffers(); 1600 1601 alloc_out: 1602 aa_destroy_aafs(); 1603 aa_teardown_dfa_engine(); 1604 1605 apparmor_enabled = false; 1606 return error; 1607 } 1608 1609 security_initcall(apparmor_init); 1610