1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor LSM hooks. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/lsm_hooks.h> 12 #include <linux/moduleparam.h> 13 #include <linux/mm.h> 14 #include <linux/mman.h> 15 #include <linux/mount.h> 16 #include <linux/namei.h> 17 #include <linux/ptrace.h> 18 #include <linux/ctype.h> 19 #include <linux/sysctl.h> 20 #include <linux/audit.h> 21 #include <linux/user_namespace.h> 22 #include <linux/netfilter_ipv4.h> 23 #include <linux/netfilter_ipv6.h> 24 #include <linux/zstd.h> 25 #include <net/sock.h> 26 #include <uapi/linux/mount.h> 27 28 #include "include/apparmor.h" 29 #include "include/apparmorfs.h" 30 #include "include/audit.h" 31 #include "include/capability.h" 32 #include "include/cred.h" 33 #include "include/file.h" 34 #include "include/ipc.h" 35 #include "include/net.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 #include "include/mount.h" 42 #include "include/secid.h" 43 44 /* Flag indicating whether initialization completed */ 45 int apparmor_initialized; 46 47 union aa_buffer { 48 struct list_head list; 49 char buffer[1]; 50 }; 51 52 #define RESERVE_COUNT 2 53 static int reserve_count = RESERVE_COUNT; 54 static int buffer_count; 55 56 static LIST_HEAD(aa_global_buffers); 57 static DEFINE_SPINLOCK(aa_buffers_lock); 58 59 /* 60 * LSM hook functions 61 */ 62 63 /* 64 * put the associated labels 65 */ 66 static void apparmor_cred_free(struct cred *cred) 67 { 68 aa_put_label(cred_label(cred)); 69 set_cred_label(cred, NULL); 70 } 71 72 /* 73 * allocate the apparmor part of blank credentials 74 */ 75 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 76 { 77 set_cred_label(cred, NULL); 78 return 0; 79 } 80 81 /* 82 * prepare new cred label for modification by prepare_cred block 83 */ 84 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 85 gfp_t gfp) 86 { 87 set_cred_label(new, aa_get_newest_label(cred_label(old))); 88 return 0; 89 } 90 91 /* 92 * transfer the apparmor data to a blank set of creds 93 */ 94 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 95 { 96 set_cred_label(new, aa_get_newest_label(cred_label(old))); 97 } 98 99 static void apparmor_task_free(struct task_struct *task) 100 { 101 102 aa_free_task_ctx(task_ctx(task)); 103 } 104 105 static int apparmor_task_alloc(struct task_struct *task, 106 unsigned long clone_flags) 107 { 108 struct aa_task_ctx *new = task_ctx(task); 109 110 aa_dup_task_ctx(new, task_ctx(current)); 111 112 return 0; 113 } 114 115 static int apparmor_ptrace_access_check(struct task_struct *child, 116 unsigned int mode) 117 { 118 struct aa_label *tracer, *tracee; 119 int error; 120 121 tracer = __begin_current_label_crit_section(); 122 tracee = aa_get_task_label(child); 123 error = aa_may_ptrace(tracer, tracee, 124 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ 125 : AA_PTRACE_TRACE); 126 aa_put_label(tracee); 127 __end_current_label_crit_section(tracer); 128 129 return error; 130 } 131 132 static int apparmor_ptrace_traceme(struct task_struct *parent) 133 { 134 struct aa_label *tracer, *tracee; 135 int error; 136 137 tracee = __begin_current_label_crit_section(); 138 tracer = aa_get_task_label(parent); 139 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 140 aa_put_label(tracer); 141 __end_current_label_crit_section(tracee); 142 143 return error; 144 } 145 146 /* Derived from security/commoncap.c:cap_capget */ 147 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 148 kernel_cap_t *inheritable, kernel_cap_t *permitted) 149 { 150 struct aa_label *label; 151 const struct cred *cred; 152 153 rcu_read_lock(); 154 cred = __task_cred(target); 155 label = aa_get_newest_cred_label(cred); 156 157 /* 158 * cap_capget is stacked ahead of this and will 159 * initialize effective and permitted. 160 */ 161 if (!unconfined(label)) { 162 struct aa_profile *profile; 163 struct label_it i; 164 165 label_for_each_confined(i, label, profile) { 166 struct aa_ruleset *rules; 167 if (COMPLAIN_MODE(profile)) 168 continue; 169 rules = list_first_entry(&profile->rules, 170 typeof(*rules), list); 171 *effective = cap_intersect(*effective, 172 rules->caps.allow); 173 *permitted = cap_intersect(*permitted, 174 rules->caps.allow); 175 } 176 } 177 rcu_read_unlock(); 178 aa_put_label(label); 179 180 return 0; 181 } 182 183 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 184 int cap, unsigned int opts) 185 { 186 struct aa_label *label; 187 int error = 0; 188 189 label = aa_get_newest_cred_label(cred); 190 if (!unconfined(label)) 191 error = aa_capable(label, cap, opts); 192 aa_put_label(label); 193 194 return error; 195 } 196 197 /** 198 * common_perm - basic common permission check wrapper fn for paths 199 * @op: operation being checked 200 * @path: path to check permission of (NOT NULL) 201 * @mask: requested permissions mask 202 * @cond: conditional info for the permission request (NOT NULL) 203 * 204 * Returns: %0 else error code if error or permission denied 205 */ 206 static int common_perm(const char *op, const struct path *path, u32 mask, 207 struct path_cond *cond) 208 { 209 struct aa_label *label; 210 int error = 0; 211 212 label = __begin_current_label_crit_section(); 213 if (!unconfined(label)) 214 error = aa_path_perm(op, label, path, 0, mask, cond); 215 __end_current_label_crit_section(label); 216 217 return error; 218 } 219 220 /** 221 * common_perm_cond - common permission wrapper around inode cond 222 * @op: operation being checked 223 * @path: location to check (NOT NULL) 224 * @mask: requested permissions mask 225 * 226 * Returns: %0 else error code if error or permission denied 227 */ 228 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 229 { 230 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), 231 d_backing_inode(path->dentry)); 232 struct path_cond cond = { 233 vfsuid_into_kuid(vfsuid), 234 d_backing_inode(path->dentry)->i_mode 235 }; 236 237 if (!path_mediated_fs(path->dentry)) 238 return 0; 239 240 return common_perm(op, path, mask, &cond); 241 } 242 243 /** 244 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 245 * @op: operation being checked 246 * @dir: directory of the dentry (NOT NULL) 247 * @dentry: dentry to check (NOT NULL) 248 * @mask: requested permissions mask 249 * @cond: conditional info for the permission request (NOT NULL) 250 * 251 * Returns: %0 else error code if error or permission denied 252 */ 253 static int common_perm_dir_dentry(const char *op, const struct path *dir, 254 struct dentry *dentry, u32 mask, 255 struct path_cond *cond) 256 { 257 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 258 259 return common_perm(op, &path, mask, cond); 260 } 261 262 /** 263 * common_perm_rm - common permission wrapper for operations doing rm 264 * @op: operation being checked 265 * @dir: directory that the dentry is in (NOT NULL) 266 * @dentry: dentry being rm'd (NOT NULL) 267 * @mask: requested permission mask 268 * 269 * Returns: %0 else error code if error or permission denied 270 */ 271 static int common_perm_rm(const char *op, const struct path *dir, 272 struct dentry *dentry, u32 mask) 273 { 274 struct inode *inode = d_backing_inode(dentry); 275 struct path_cond cond = { }; 276 vfsuid_t vfsuid; 277 278 if (!inode || !path_mediated_fs(dentry)) 279 return 0; 280 281 vfsuid = i_uid_into_vfsuid(mnt_idmap(dir->mnt), inode); 282 cond.uid = vfsuid_into_kuid(vfsuid); 283 cond.mode = inode->i_mode; 284 285 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 286 } 287 288 /** 289 * common_perm_create - common permission wrapper for operations doing create 290 * @op: operation being checked 291 * @dir: directory that dentry will be created in (NOT NULL) 292 * @dentry: dentry to create (NOT NULL) 293 * @mask: request permission mask 294 * @mode: created file mode 295 * 296 * Returns: %0 else error code if error or permission denied 297 */ 298 static int common_perm_create(const char *op, const struct path *dir, 299 struct dentry *dentry, u32 mask, umode_t mode) 300 { 301 struct path_cond cond = { current_fsuid(), mode }; 302 303 if (!path_mediated_fs(dir->dentry)) 304 return 0; 305 306 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 307 } 308 309 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 310 { 311 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 312 } 313 314 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 315 umode_t mode) 316 { 317 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 318 S_IFDIR); 319 } 320 321 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 322 { 323 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 324 } 325 326 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 327 umode_t mode, unsigned int dev) 328 { 329 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 330 } 331 332 static int apparmor_path_truncate(const struct path *path) 333 { 334 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 335 } 336 337 static int apparmor_file_truncate(struct file *file) 338 { 339 return apparmor_path_truncate(&file->f_path); 340 } 341 342 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 343 const char *old_name) 344 { 345 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 346 S_IFLNK); 347 } 348 349 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 350 struct dentry *new_dentry) 351 { 352 struct aa_label *label; 353 int error = 0; 354 355 if (!path_mediated_fs(old_dentry)) 356 return 0; 357 358 label = begin_current_label_crit_section(); 359 if (!unconfined(label)) 360 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 361 end_current_label_crit_section(label); 362 363 return error; 364 } 365 366 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 367 const struct path *new_dir, struct dentry *new_dentry, 368 const unsigned int flags) 369 { 370 struct aa_label *label; 371 int error = 0; 372 373 if (!path_mediated_fs(old_dentry)) 374 return 0; 375 if ((flags & RENAME_EXCHANGE) && !path_mediated_fs(new_dentry)) 376 return 0; 377 378 label = begin_current_label_crit_section(); 379 if (!unconfined(label)) { 380 struct mnt_idmap *idmap = mnt_idmap(old_dir->mnt); 381 vfsuid_t vfsuid; 382 struct path old_path = { .mnt = old_dir->mnt, 383 .dentry = old_dentry }; 384 struct path new_path = { .mnt = new_dir->mnt, 385 .dentry = new_dentry }; 386 struct path_cond cond = { 387 .mode = d_backing_inode(old_dentry)->i_mode 388 }; 389 vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); 390 cond.uid = vfsuid_into_kuid(vfsuid); 391 392 if (flags & RENAME_EXCHANGE) { 393 struct path_cond cond_exchange = { 394 .mode = d_backing_inode(new_dentry)->i_mode, 395 }; 396 vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry)); 397 cond_exchange.uid = vfsuid_into_kuid(vfsuid); 398 399 error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0, 400 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 401 AA_MAY_SETATTR | AA_MAY_DELETE, 402 &cond_exchange); 403 if (!error) 404 error = aa_path_perm(OP_RENAME_DEST, label, &old_path, 405 0, MAY_WRITE | AA_MAY_SETATTR | 406 AA_MAY_CREATE, &cond_exchange); 407 } 408 409 if (!error) 410 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 411 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 412 AA_MAY_SETATTR | AA_MAY_DELETE, 413 &cond); 414 if (!error) 415 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 416 0, MAY_WRITE | AA_MAY_SETATTR | 417 AA_MAY_CREATE, &cond); 418 419 } 420 end_current_label_crit_section(label); 421 422 return error; 423 } 424 425 static int apparmor_path_chmod(const struct path *path, umode_t mode) 426 { 427 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 428 } 429 430 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 431 { 432 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 433 } 434 435 static int apparmor_inode_getattr(const struct path *path) 436 { 437 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 438 } 439 440 static int apparmor_file_open(struct file *file) 441 { 442 struct aa_file_ctx *fctx = file_ctx(file); 443 struct aa_label *label; 444 int error = 0; 445 446 if (!path_mediated_fs(file->f_path.dentry)) 447 return 0; 448 449 /* If in exec, permission is handled by bprm hooks. 450 * Cache permissions granted by the previous exec check, with 451 * implicit read and executable mmap which are required to 452 * actually execute the image. 453 */ 454 if (current->in_execve) { 455 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 456 return 0; 457 } 458 459 label = aa_get_newest_cred_label(file->f_cred); 460 if (!unconfined(label)) { 461 struct mnt_idmap *idmap = file_mnt_idmap(file); 462 struct inode *inode = file_inode(file); 463 vfsuid_t vfsuid; 464 struct path_cond cond = { 465 .mode = inode->i_mode, 466 }; 467 vfsuid = i_uid_into_vfsuid(idmap, inode); 468 cond.uid = vfsuid_into_kuid(vfsuid); 469 470 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 471 aa_map_file_to_perms(file), &cond); 472 /* todo cache full allowed permissions set and state */ 473 fctx->allow = aa_map_file_to_perms(file); 474 } 475 aa_put_label(label); 476 477 return error; 478 } 479 480 static int apparmor_file_alloc_security(struct file *file) 481 { 482 struct aa_file_ctx *ctx = file_ctx(file); 483 struct aa_label *label = begin_current_label_crit_section(); 484 485 spin_lock_init(&ctx->lock); 486 rcu_assign_pointer(ctx->label, aa_get_label(label)); 487 end_current_label_crit_section(label); 488 return 0; 489 } 490 491 static void apparmor_file_free_security(struct file *file) 492 { 493 struct aa_file_ctx *ctx = file_ctx(file); 494 495 if (ctx) 496 aa_put_label(rcu_access_pointer(ctx->label)); 497 } 498 499 static int common_file_perm(const char *op, struct file *file, u32 mask, 500 bool in_atomic) 501 { 502 struct aa_label *label; 503 int error = 0; 504 505 /* don't reaudit files closed during inheritance */ 506 if (file->f_path.dentry == aa_null.dentry) 507 return -EACCES; 508 509 label = __begin_current_label_crit_section(); 510 error = aa_file_perm(op, label, file, mask, in_atomic); 511 __end_current_label_crit_section(label); 512 513 return error; 514 } 515 516 static int apparmor_file_receive(struct file *file) 517 { 518 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file), 519 false); 520 } 521 522 static int apparmor_file_permission(struct file *file, int mask) 523 { 524 return common_file_perm(OP_FPERM, file, mask, false); 525 } 526 527 static int apparmor_file_lock(struct file *file, unsigned int cmd) 528 { 529 u32 mask = AA_MAY_LOCK; 530 531 if (cmd == F_WRLCK) 532 mask |= MAY_WRITE; 533 534 return common_file_perm(OP_FLOCK, file, mask, false); 535 } 536 537 static int common_mmap(const char *op, struct file *file, unsigned long prot, 538 unsigned long flags, bool in_atomic) 539 { 540 int mask = 0; 541 542 if (!file || !file_ctx(file)) 543 return 0; 544 545 if (prot & PROT_READ) 546 mask |= MAY_READ; 547 /* 548 * Private mappings don't require write perms since they don't 549 * write back to the files 550 */ 551 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 552 mask |= MAY_WRITE; 553 if (prot & PROT_EXEC) 554 mask |= AA_EXEC_MMAP; 555 556 return common_file_perm(op, file, mask, in_atomic); 557 } 558 559 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 560 unsigned long prot, unsigned long flags) 561 { 562 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC); 563 } 564 565 static int apparmor_file_mprotect(struct vm_area_struct *vma, 566 unsigned long reqprot, unsigned long prot) 567 { 568 return common_mmap(OP_FMPROT, vma->vm_file, prot, 569 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, 570 false); 571 } 572 573 static int apparmor_sb_mount(const char *dev_name, const struct path *path, 574 const char *type, unsigned long flags, void *data) 575 { 576 struct aa_label *label; 577 int error = 0; 578 579 /* Discard magic */ 580 if ((flags & MS_MGC_MSK) == MS_MGC_VAL) 581 flags &= ~MS_MGC_MSK; 582 583 flags &= ~AA_MS_IGNORE_MASK; 584 585 label = __begin_current_label_crit_section(); 586 if (!unconfined(label)) { 587 if (flags & MS_REMOUNT) 588 error = aa_remount(label, path, flags, data); 589 else if (flags & MS_BIND) 590 error = aa_bind_mount(label, path, dev_name, flags); 591 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE | 592 MS_UNBINDABLE)) 593 error = aa_mount_change_type(label, path, flags); 594 else if (flags & MS_MOVE) 595 error = aa_move_mount(label, path, dev_name); 596 else 597 error = aa_new_mount(label, dev_name, path, type, 598 flags, data); 599 } 600 __end_current_label_crit_section(label); 601 602 return error; 603 } 604 605 static int apparmor_sb_umount(struct vfsmount *mnt, int flags) 606 { 607 struct aa_label *label; 608 int error = 0; 609 610 label = __begin_current_label_crit_section(); 611 if (!unconfined(label)) 612 error = aa_umount(label, mnt, flags); 613 __end_current_label_crit_section(label); 614 615 return error; 616 } 617 618 static int apparmor_sb_pivotroot(const struct path *old_path, 619 const struct path *new_path) 620 { 621 struct aa_label *label; 622 int error = 0; 623 624 label = aa_get_current_label(); 625 if (!unconfined(label)) 626 error = aa_pivotroot(label, old_path, new_path); 627 aa_put_label(label); 628 629 return error; 630 } 631 632 static int apparmor_getprocattr(struct task_struct *task, const char *name, 633 char **value) 634 { 635 int error = -ENOENT; 636 /* released below */ 637 const struct cred *cred = get_task_cred(task); 638 struct aa_task_ctx *ctx = task_ctx(current); 639 struct aa_label *label = NULL; 640 641 if (strcmp(name, "current") == 0) 642 label = aa_get_newest_label(cred_label(cred)); 643 else if (strcmp(name, "prev") == 0 && ctx->previous) 644 label = aa_get_newest_label(ctx->previous); 645 else if (strcmp(name, "exec") == 0 && ctx->onexec) 646 label = aa_get_newest_label(ctx->onexec); 647 else 648 error = -EINVAL; 649 650 if (label) 651 error = aa_getprocattr(label, value); 652 653 aa_put_label(label); 654 put_cred(cred); 655 656 return error; 657 } 658 659 static int apparmor_setprocattr(const char *name, void *value, 660 size_t size) 661 { 662 char *command, *largs = NULL, *args = value; 663 size_t arg_size; 664 int error; 665 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, 666 OP_SETPROCATTR); 667 668 if (size == 0) 669 return -EINVAL; 670 671 /* AppArmor requires that the buffer must be null terminated atm */ 672 if (args[size - 1] != '\0') { 673 /* null terminate */ 674 largs = args = kmalloc(size + 1, GFP_KERNEL); 675 if (!args) 676 return -ENOMEM; 677 memcpy(args, value, size); 678 args[size] = '\0'; 679 } 680 681 error = -EINVAL; 682 args = strim(args); 683 command = strsep(&args, " "); 684 if (!args) 685 goto out; 686 args = skip_spaces(args); 687 if (!*args) 688 goto out; 689 690 arg_size = size - (args - (largs ? largs : (char *) value)); 691 if (strcmp(name, "current") == 0) { 692 if (strcmp(command, "changehat") == 0) { 693 error = aa_setprocattr_changehat(args, arg_size, 694 AA_CHANGE_NOFLAGS); 695 } else if (strcmp(command, "permhat") == 0) { 696 error = aa_setprocattr_changehat(args, arg_size, 697 AA_CHANGE_TEST); 698 } else if (strcmp(command, "changeprofile") == 0) { 699 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 700 } else if (strcmp(command, "permprofile") == 0) { 701 error = aa_change_profile(args, AA_CHANGE_TEST); 702 } else if (strcmp(command, "stack") == 0) { 703 error = aa_change_profile(args, AA_CHANGE_STACK); 704 } else 705 goto fail; 706 } else if (strcmp(name, "exec") == 0) { 707 if (strcmp(command, "exec") == 0) 708 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 709 else if (strcmp(command, "stack") == 0) 710 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 711 AA_CHANGE_STACK)); 712 else 713 goto fail; 714 } else 715 /* only support the "current" and "exec" process attributes */ 716 goto fail; 717 718 if (!error) 719 error = size; 720 out: 721 kfree(largs); 722 return error; 723 724 fail: 725 aad(&sa)->label = begin_current_label_crit_section(); 726 aad(&sa)->info = name; 727 aad(&sa)->error = error = -EINVAL; 728 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 729 end_current_label_crit_section(aad(&sa)->label); 730 goto out; 731 } 732 733 /** 734 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 735 * @bprm: binprm for the exec (NOT NULL) 736 */ 737 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 738 { 739 struct aa_label *label = aa_current_raw_label(); 740 struct aa_label *new_label = cred_label(bprm->cred); 741 742 /* bail out if unconfined or not changing profile */ 743 if ((new_label->proxy == label->proxy) || 744 (unconfined(new_label))) 745 return; 746 747 aa_inherit_files(bprm->cred, current->files); 748 749 current->pdeath_signal = 0; 750 751 /* reset soft limits and set hard limits for the new label */ 752 __aa_transition_rlimits(label, new_label); 753 } 754 755 /** 756 * apparmor_bprm_committed_creds() - do cleanup after new creds committed 757 * @bprm: binprm for the exec (NOT NULL) 758 */ 759 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 760 { 761 /* clear out temporary/transitional state from the context */ 762 aa_clear_task_ctx_trans(task_ctx(current)); 763 764 return; 765 } 766 767 static void apparmor_current_getsecid_subj(u32 *secid) 768 { 769 struct aa_label *label = aa_get_current_label(); 770 *secid = label->secid; 771 aa_put_label(label); 772 } 773 774 static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid) 775 { 776 struct aa_label *label = aa_get_task_label(p); 777 *secid = label->secid; 778 aa_put_label(label); 779 } 780 781 static int apparmor_task_setrlimit(struct task_struct *task, 782 unsigned int resource, struct rlimit *new_rlim) 783 { 784 struct aa_label *label = __begin_current_label_crit_section(); 785 int error = 0; 786 787 if (!unconfined(label)) 788 error = aa_task_setrlimit(label, task, resource, new_rlim); 789 __end_current_label_crit_section(label); 790 791 return error; 792 } 793 794 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info, 795 int sig, const struct cred *cred) 796 { 797 struct aa_label *cl, *tl; 798 int error; 799 800 if (cred) { 801 /* 802 * Dealing with USB IO specific behavior 803 */ 804 cl = aa_get_newest_cred_label(cred); 805 tl = aa_get_task_label(target); 806 error = aa_may_signal(cl, tl, sig); 807 aa_put_label(cl); 808 aa_put_label(tl); 809 return error; 810 } 811 812 cl = __begin_current_label_crit_section(); 813 tl = aa_get_task_label(target); 814 error = aa_may_signal(cl, tl, sig); 815 aa_put_label(tl); 816 __end_current_label_crit_section(cl); 817 818 return error; 819 } 820 821 /** 822 * apparmor_sk_alloc_security - allocate and attach the sk_security field 823 */ 824 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 825 { 826 struct aa_sk_ctx *ctx; 827 828 ctx = kzalloc(sizeof(*ctx), flags); 829 if (!ctx) 830 return -ENOMEM; 831 832 SK_CTX(sk) = ctx; 833 834 return 0; 835 } 836 837 /** 838 * apparmor_sk_free_security - free the sk_security field 839 */ 840 static void apparmor_sk_free_security(struct sock *sk) 841 { 842 struct aa_sk_ctx *ctx = SK_CTX(sk); 843 844 SK_CTX(sk) = NULL; 845 aa_put_label(ctx->label); 846 aa_put_label(ctx->peer); 847 kfree(ctx); 848 } 849 850 /** 851 * apparmor_sk_clone_security - clone the sk_security field 852 */ 853 static void apparmor_sk_clone_security(const struct sock *sk, 854 struct sock *newsk) 855 { 856 struct aa_sk_ctx *ctx = SK_CTX(sk); 857 struct aa_sk_ctx *new = SK_CTX(newsk); 858 859 if (new->label) 860 aa_put_label(new->label); 861 new->label = aa_get_label(ctx->label); 862 863 if (new->peer) 864 aa_put_label(new->peer); 865 new->peer = aa_get_label(ctx->peer); 866 } 867 868 /** 869 * apparmor_socket_create - check perms before creating a new socket 870 */ 871 static int apparmor_socket_create(int family, int type, int protocol, int kern) 872 { 873 struct aa_label *label; 874 int error = 0; 875 876 AA_BUG(in_interrupt()); 877 878 label = begin_current_label_crit_section(); 879 if (!(kern || unconfined(label))) 880 error = af_select(family, 881 create_perm(label, family, type, protocol), 882 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, 883 family, type, protocol)); 884 end_current_label_crit_section(label); 885 886 return error; 887 } 888 889 /** 890 * apparmor_socket_post_create - setup the per-socket security struct 891 * 892 * Note: 893 * - kernel sockets currently labeled unconfined but we may want to 894 * move to a special kernel label 895 * - socket may not have sk here if created with sock_create_lite or 896 * sock_alloc. These should be accept cases which will be handled in 897 * sock_graft. 898 */ 899 static int apparmor_socket_post_create(struct socket *sock, int family, 900 int type, int protocol, int kern) 901 { 902 struct aa_label *label; 903 904 if (kern) { 905 label = aa_get_label(kernel_t); 906 } else 907 label = aa_get_current_label(); 908 909 if (sock->sk) { 910 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 911 912 aa_put_label(ctx->label); 913 ctx->label = aa_get_label(label); 914 } 915 aa_put_label(label); 916 917 return 0; 918 } 919 920 /** 921 * apparmor_socket_bind - check perms before bind addr to socket 922 */ 923 static int apparmor_socket_bind(struct socket *sock, 924 struct sockaddr *address, int addrlen) 925 { 926 AA_BUG(!sock); 927 AA_BUG(!sock->sk); 928 AA_BUG(!address); 929 AA_BUG(in_interrupt()); 930 931 return af_select(sock->sk->sk_family, 932 bind_perm(sock, address, addrlen), 933 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); 934 } 935 936 /** 937 * apparmor_socket_connect - check perms before connecting @sock to @address 938 */ 939 static int apparmor_socket_connect(struct socket *sock, 940 struct sockaddr *address, int addrlen) 941 { 942 AA_BUG(!sock); 943 AA_BUG(!sock->sk); 944 AA_BUG(!address); 945 AA_BUG(in_interrupt()); 946 947 return af_select(sock->sk->sk_family, 948 connect_perm(sock, address, addrlen), 949 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); 950 } 951 952 /** 953 * apparmor_socket_listen - check perms before allowing listen 954 */ 955 static int apparmor_socket_listen(struct socket *sock, int backlog) 956 { 957 AA_BUG(!sock); 958 AA_BUG(!sock->sk); 959 AA_BUG(in_interrupt()); 960 961 return af_select(sock->sk->sk_family, 962 listen_perm(sock, backlog), 963 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); 964 } 965 966 /** 967 * apparmor_socket_accept - check perms before accepting a new connection. 968 * 969 * Note: while @newsock is created and has some information, the accept 970 * has not been done. 971 */ 972 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 973 { 974 AA_BUG(!sock); 975 AA_BUG(!sock->sk); 976 AA_BUG(!newsock); 977 AA_BUG(in_interrupt()); 978 979 return af_select(sock->sk->sk_family, 980 accept_perm(sock, newsock), 981 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); 982 } 983 984 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 985 struct msghdr *msg, int size) 986 { 987 AA_BUG(!sock); 988 AA_BUG(!sock->sk); 989 AA_BUG(!msg); 990 AA_BUG(in_interrupt()); 991 992 return af_select(sock->sk->sk_family, 993 msg_perm(op, request, sock, msg, size), 994 aa_sk_perm(op, request, sock->sk)); 995 } 996 997 /** 998 * apparmor_socket_sendmsg - check perms before sending msg to another socket 999 */ 1000 static int apparmor_socket_sendmsg(struct socket *sock, 1001 struct msghdr *msg, int size) 1002 { 1003 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 1004 } 1005 1006 /** 1007 * apparmor_socket_recvmsg - check perms before receiving a message 1008 */ 1009 static int apparmor_socket_recvmsg(struct socket *sock, 1010 struct msghdr *msg, int size, int flags) 1011 { 1012 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 1013 } 1014 1015 /* revaliation, get/set attr, shutdown */ 1016 static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 1017 { 1018 AA_BUG(!sock); 1019 AA_BUG(!sock->sk); 1020 AA_BUG(in_interrupt()); 1021 1022 return af_select(sock->sk->sk_family, 1023 sock_perm(op, request, sock), 1024 aa_sk_perm(op, request, sock->sk)); 1025 } 1026 1027 /** 1028 * apparmor_socket_getsockname - check perms before getting the local address 1029 */ 1030 static int apparmor_socket_getsockname(struct socket *sock) 1031 { 1032 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 1033 } 1034 1035 /** 1036 * apparmor_socket_getpeername - check perms before getting remote address 1037 */ 1038 static int apparmor_socket_getpeername(struct socket *sock) 1039 { 1040 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 1041 } 1042 1043 /* revaliation, get/set attr, opt */ 1044 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 1045 int level, int optname) 1046 { 1047 AA_BUG(!sock); 1048 AA_BUG(!sock->sk); 1049 AA_BUG(in_interrupt()); 1050 1051 return af_select(sock->sk->sk_family, 1052 opt_perm(op, request, sock, level, optname), 1053 aa_sk_perm(op, request, sock->sk)); 1054 } 1055 1056 /** 1057 * apparmor_socket_getsockopt - check perms before getting socket options 1058 */ 1059 static int apparmor_socket_getsockopt(struct socket *sock, int level, 1060 int optname) 1061 { 1062 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 1063 level, optname); 1064 } 1065 1066 /** 1067 * apparmor_socket_setsockopt - check perms before setting socket options 1068 */ 1069 static int apparmor_socket_setsockopt(struct socket *sock, int level, 1070 int optname) 1071 { 1072 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 1073 level, optname); 1074 } 1075 1076 /** 1077 * apparmor_socket_shutdown - check perms before shutting down @sock conn 1078 */ 1079 static int apparmor_socket_shutdown(struct socket *sock, int how) 1080 { 1081 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 1082 } 1083 1084 #ifdef CONFIG_NETWORK_SECMARK 1085 /** 1086 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk 1087 * 1088 * Note: can not sleep may be called with locks held 1089 * 1090 * dont want protocol specific in __skb_recv_datagram() 1091 * to deny an incoming connection socket_sock_rcv_skb() 1092 */ 1093 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb) 1094 { 1095 struct aa_sk_ctx *ctx = SK_CTX(sk); 1096 1097 if (!skb->secmark) 1098 return 0; 1099 1100 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, 1101 skb->secmark, sk); 1102 } 1103 #endif 1104 1105 1106 static struct aa_label *sk_peer_label(struct sock *sk) 1107 { 1108 struct aa_sk_ctx *ctx = SK_CTX(sk); 1109 1110 if (ctx->peer) 1111 return ctx->peer; 1112 1113 return ERR_PTR(-ENOPROTOOPT); 1114 } 1115 1116 /** 1117 * apparmor_socket_getpeersec_stream - get security context of peer 1118 * 1119 * Note: for tcp only valid if using ipsec or cipso on lan 1120 */ 1121 static int apparmor_socket_getpeersec_stream(struct socket *sock, 1122 sockptr_t optval, sockptr_t optlen, 1123 unsigned int len) 1124 { 1125 char *name = NULL; 1126 int slen, error = 0; 1127 struct aa_label *label; 1128 struct aa_label *peer; 1129 1130 label = begin_current_label_crit_section(); 1131 peer = sk_peer_label(sock->sk); 1132 if (IS_ERR(peer)) { 1133 error = PTR_ERR(peer); 1134 goto done; 1135 } 1136 slen = aa_label_asxprint(&name, labels_ns(label), peer, 1137 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1138 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1139 /* don't include terminating \0 in slen, it breaks some apps */ 1140 if (slen < 0) { 1141 error = -ENOMEM; 1142 goto done; 1143 } 1144 if (slen > len) { 1145 error = -ERANGE; 1146 goto done_len; 1147 } 1148 1149 if (copy_to_sockptr(optval, name, slen)) 1150 error = -EFAULT; 1151 done_len: 1152 if (copy_to_sockptr(optlen, &slen, sizeof(slen))) 1153 error = -EFAULT; 1154 done: 1155 end_current_label_crit_section(label); 1156 kfree(name); 1157 return error; 1158 } 1159 1160 /** 1161 * apparmor_socket_getpeersec_dgram - get security label of packet 1162 * @sock: the peer socket 1163 * @skb: packet data 1164 * @secid: pointer to where to put the secid of the packet 1165 * 1166 * Sets the netlabel socket state on sk from parent 1167 */ 1168 static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1169 struct sk_buff *skb, u32 *secid) 1170 1171 { 1172 /* TODO: requires secid support */ 1173 return -ENOPROTOOPT; 1174 } 1175 1176 /** 1177 * apparmor_sock_graft - Initialize newly created socket 1178 * @sk: child sock 1179 * @parent: parent socket 1180 * 1181 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1182 * just set sk security information off of current creating process label 1183 * Labeling of sk for accept case - probably should be sock based 1184 * instead of task, because of the case where an implicitly labeled 1185 * socket is shared by different tasks. 1186 */ 1187 static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1188 { 1189 struct aa_sk_ctx *ctx = SK_CTX(sk); 1190 1191 if (!ctx->label) 1192 ctx->label = aa_get_current_label(); 1193 } 1194 1195 #ifdef CONFIG_NETWORK_SECMARK 1196 static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb, 1197 struct request_sock *req) 1198 { 1199 struct aa_sk_ctx *ctx = SK_CTX(sk); 1200 1201 if (!skb->secmark) 1202 return 0; 1203 1204 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, 1205 skb->secmark, sk); 1206 } 1207 #endif 1208 1209 /* 1210 * The cred blob is a pointer to, not an instance of, an aa_label. 1211 */ 1212 struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { 1213 .lbs_cred = sizeof(struct aa_label *), 1214 .lbs_file = sizeof(struct aa_file_ctx), 1215 .lbs_task = sizeof(struct aa_task_ctx), 1216 }; 1217 1218 static struct security_hook_list apparmor_hooks[] __ro_after_init = { 1219 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1220 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 1221 LSM_HOOK_INIT(capget, apparmor_capget), 1222 LSM_HOOK_INIT(capable, apparmor_capable), 1223 1224 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), 1225 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), 1226 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), 1227 1228 LSM_HOOK_INIT(path_link, apparmor_path_link), 1229 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 1230 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 1231 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 1232 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 1233 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 1234 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 1235 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 1236 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 1237 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 1238 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 1239 1240 LSM_HOOK_INIT(file_open, apparmor_file_open), 1241 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 1242 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 1243 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 1244 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 1245 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 1246 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 1247 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 1248 LSM_HOOK_INIT(file_truncate, apparmor_file_truncate), 1249 1250 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 1251 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 1252 1253 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 1254 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 1255 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 1256 1257 LSM_HOOK_INIT(socket_create, apparmor_socket_create), 1258 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 1259 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 1260 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 1261 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 1262 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 1263 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 1264 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 1265 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 1266 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername), 1267 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 1268 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 1269 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 1270 #ifdef CONFIG_NETWORK_SECMARK 1271 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 1272 #endif 1273 LSM_HOOK_INIT(socket_getpeersec_stream, 1274 apparmor_socket_getpeersec_stream), 1275 LSM_HOOK_INIT(socket_getpeersec_dgram, 1276 apparmor_socket_getpeersec_dgram), 1277 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 1278 #ifdef CONFIG_NETWORK_SECMARK 1279 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request), 1280 #endif 1281 1282 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 1283 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 1284 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 1285 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 1286 1287 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec), 1288 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 1289 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 1290 1291 LSM_HOOK_INIT(task_free, apparmor_task_free), 1292 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc), 1293 LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj), 1294 LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj), 1295 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 1296 LSM_HOOK_INIT(task_kill, apparmor_task_kill), 1297 1298 #ifdef CONFIG_AUDIT 1299 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init), 1300 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known), 1301 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match), 1302 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free), 1303 #endif 1304 1305 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx), 1306 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid), 1307 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx), 1308 }; 1309 1310 /* 1311 * AppArmor sysfs module parameters 1312 */ 1313 1314 static int param_set_aabool(const char *val, const struct kernel_param *kp); 1315 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 1316 #define param_check_aabool param_check_bool 1317 static const struct kernel_param_ops param_ops_aabool = { 1318 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1319 .set = param_set_aabool, 1320 .get = param_get_aabool 1321 }; 1322 1323 static int param_set_aauint(const char *val, const struct kernel_param *kp); 1324 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 1325 #define param_check_aauint param_check_uint 1326 static const struct kernel_param_ops param_ops_aauint = { 1327 .set = param_set_aauint, 1328 .get = param_get_aauint 1329 }; 1330 1331 static int param_set_aacompressionlevel(const char *val, 1332 const struct kernel_param *kp); 1333 static int param_get_aacompressionlevel(char *buffer, 1334 const struct kernel_param *kp); 1335 #define param_check_aacompressionlevel param_check_int 1336 static const struct kernel_param_ops param_ops_aacompressionlevel = { 1337 .set = param_set_aacompressionlevel, 1338 .get = param_get_aacompressionlevel 1339 }; 1340 1341 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 1342 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 1343 #define param_check_aalockpolicy param_check_bool 1344 static const struct kernel_param_ops param_ops_aalockpolicy = { 1345 .flags = KERNEL_PARAM_OPS_FL_NOARG, 1346 .set = param_set_aalockpolicy, 1347 .get = param_get_aalockpolicy 1348 }; 1349 1350 static int param_set_audit(const char *val, const struct kernel_param *kp); 1351 static int param_get_audit(char *buffer, const struct kernel_param *kp); 1352 1353 static int param_set_mode(const char *val, const struct kernel_param *kp); 1354 static int param_get_mode(char *buffer, const struct kernel_param *kp); 1355 1356 /* Flag values, also controllable via /sys/module/apparmor/parameters 1357 * We define special types as we want to do additional mediation. 1358 */ 1359 1360 /* AppArmor global enforcement switch - complain, enforce, kill */ 1361 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 1362 module_param_call(mode, param_set_mode, param_get_mode, 1363 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 1364 1365 /* whether policy verification hashing is enabled */ 1366 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 1367 #ifdef CONFIG_SECURITY_APPARMOR_HASH 1368 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 1369 #endif 1370 1371 /* whether policy exactly as loaded is retained for debug and checkpointing */ 1372 bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY); 1373 #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY 1374 module_param_named(export_binary, aa_g_export_binary, aabool, 0600); 1375 #endif 1376 1377 /* policy loaddata compression level */ 1378 int aa_g_rawdata_compression_level = AA_DEFAULT_CLEVEL; 1379 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level, 1380 aacompressionlevel, 0400); 1381 1382 /* Debug mode */ 1383 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 1384 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 1385 1386 /* Audit mode */ 1387 enum audit_mode aa_g_audit; 1388 module_param_call(audit, param_set_audit, param_get_audit, 1389 &aa_g_audit, S_IRUSR | S_IWUSR); 1390 1391 /* Determines if audit header is included in audited messages. This 1392 * provides more context if the audit daemon is not running 1393 */ 1394 bool aa_g_audit_header = true; 1395 module_param_named(audit_header, aa_g_audit_header, aabool, 1396 S_IRUSR | S_IWUSR); 1397 1398 /* lock out loading/removal of policy 1399 * TODO: add in at boot loading of policy, which is the only way to 1400 * load policy, if lock_policy is set 1401 */ 1402 bool aa_g_lock_policy; 1403 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 1404 S_IRUSR | S_IWUSR); 1405 1406 /* Syscall logging mode */ 1407 bool aa_g_logsyscall; 1408 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 1409 1410 /* Maximum pathname length before accesses will start getting rejected */ 1411 unsigned int aa_g_path_max = 2 * PATH_MAX; 1412 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 1413 1414 /* Determines how paranoid loading of policy is and how much verification 1415 * on the loaded policy is done. 1416 * DEPRECATED: read only as strict checking of load is always done now 1417 * that none root users (user namespaces) can load policy. 1418 */ 1419 bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD); 1420 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 1421 1422 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp); 1423 static int param_set_aaintbool(const char *val, const struct kernel_param *kp); 1424 #define param_check_aaintbool param_check_int 1425 static const struct kernel_param_ops param_ops_aaintbool = { 1426 .set = param_set_aaintbool, 1427 .get = param_get_aaintbool 1428 }; 1429 /* Boot time disable flag */ 1430 static int apparmor_enabled __ro_after_init = 1; 1431 module_param_named(enabled, apparmor_enabled, aaintbool, 0444); 1432 1433 static int __init apparmor_enabled_setup(char *str) 1434 { 1435 unsigned long enabled; 1436 int error = kstrtoul(str, 0, &enabled); 1437 if (!error) 1438 apparmor_enabled = enabled ? 1 : 0; 1439 return 1; 1440 } 1441 1442 __setup("apparmor=", apparmor_enabled_setup); 1443 1444 /* set global flag turning off the ability to load policy */ 1445 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 1446 { 1447 if (!apparmor_enabled) 1448 return -EINVAL; 1449 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1450 return -EPERM; 1451 return param_set_bool(val, kp); 1452 } 1453 1454 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 1455 { 1456 if (!apparmor_enabled) 1457 return -EINVAL; 1458 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1459 return -EPERM; 1460 return param_get_bool(buffer, kp); 1461 } 1462 1463 static int param_set_aabool(const char *val, const struct kernel_param *kp) 1464 { 1465 if (!apparmor_enabled) 1466 return -EINVAL; 1467 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1468 return -EPERM; 1469 return param_set_bool(val, kp); 1470 } 1471 1472 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 1473 { 1474 if (!apparmor_enabled) 1475 return -EINVAL; 1476 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1477 return -EPERM; 1478 return param_get_bool(buffer, kp); 1479 } 1480 1481 static int param_set_aauint(const char *val, const struct kernel_param *kp) 1482 { 1483 int error; 1484 1485 if (!apparmor_enabled) 1486 return -EINVAL; 1487 /* file is ro but enforce 2nd line check */ 1488 if (apparmor_initialized) 1489 return -EPERM; 1490 1491 error = param_set_uint(val, kp); 1492 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer)); 1493 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 1494 1495 return error; 1496 } 1497 1498 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 1499 { 1500 if (!apparmor_enabled) 1501 return -EINVAL; 1502 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1503 return -EPERM; 1504 return param_get_uint(buffer, kp); 1505 } 1506 1507 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */ 1508 static int param_set_aaintbool(const char *val, const struct kernel_param *kp) 1509 { 1510 struct kernel_param kp_local; 1511 bool value; 1512 int error; 1513 1514 if (apparmor_initialized) 1515 return -EPERM; 1516 1517 /* Create local copy, with arg pointing to bool type. */ 1518 value = !!*((int *)kp->arg); 1519 memcpy(&kp_local, kp, sizeof(kp_local)); 1520 kp_local.arg = &value; 1521 1522 error = param_set_bool(val, &kp_local); 1523 if (!error) 1524 *((int *)kp->arg) = *((bool *)kp_local.arg); 1525 return error; 1526 } 1527 1528 /* 1529 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to 1530 * 1/0, this converts the "int that is actually bool" back to bool for 1531 * display in the /sys filesystem, while keeping it "int" for the LSM 1532 * infrastructure. 1533 */ 1534 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp) 1535 { 1536 struct kernel_param kp_local; 1537 bool value; 1538 1539 /* Create local copy, with arg pointing to bool type. */ 1540 value = !!*((int *)kp->arg); 1541 memcpy(&kp_local, kp, sizeof(kp_local)); 1542 kp_local.arg = &value; 1543 1544 return param_get_bool(buffer, &kp_local); 1545 } 1546 1547 static int param_set_aacompressionlevel(const char *val, 1548 const struct kernel_param *kp) 1549 { 1550 int error; 1551 1552 if (!apparmor_enabled) 1553 return -EINVAL; 1554 if (apparmor_initialized) 1555 return -EPERM; 1556 1557 error = param_set_int(val, kp); 1558 1559 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level, 1560 AA_MIN_CLEVEL, AA_MAX_CLEVEL); 1561 pr_info("AppArmor: policy rawdata compression level set to %d\n", 1562 aa_g_rawdata_compression_level); 1563 1564 return error; 1565 } 1566 1567 static int param_get_aacompressionlevel(char *buffer, 1568 const struct kernel_param *kp) 1569 { 1570 if (!apparmor_enabled) 1571 return -EINVAL; 1572 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1573 return -EPERM; 1574 return param_get_int(buffer, kp); 1575 } 1576 1577 static int param_get_audit(char *buffer, const struct kernel_param *kp) 1578 { 1579 if (!apparmor_enabled) 1580 return -EINVAL; 1581 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1582 return -EPERM; 1583 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 1584 } 1585 1586 static int param_set_audit(const char *val, const struct kernel_param *kp) 1587 { 1588 int i; 1589 1590 if (!apparmor_enabled) 1591 return -EINVAL; 1592 if (!val) 1593 return -EINVAL; 1594 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1595 return -EPERM; 1596 1597 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val); 1598 if (i < 0) 1599 return -EINVAL; 1600 1601 aa_g_audit = i; 1602 return 0; 1603 } 1604 1605 static int param_get_mode(char *buffer, const struct kernel_param *kp) 1606 { 1607 if (!apparmor_enabled) 1608 return -EINVAL; 1609 if (apparmor_initialized && !aa_current_policy_view_capable(NULL)) 1610 return -EPERM; 1611 1612 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 1613 } 1614 1615 static int param_set_mode(const char *val, const struct kernel_param *kp) 1616 { 1617 int i; 1618 1619 if (!apparmor_enabled) 1620 return -EINVAL; 1621 if (!val) 1622 return -EINVAL; 1623 if (apparmor_initialized && !aa_current_policy_admin_capable(NULL)) 1624 return -EPERM; 1625 1626 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX, 1627 val); 1628 if (i < 0) 1629 return -EINVAL; 1630 1631 aa_g_profile_mode = i; 1632 return 0; 1633 } 1634 1635 char *aa_get_buffer(bool in_atomic) 1636 { 1637 union aa_buffer *aa_buf; 1638 bool try_again = true; 1639 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1640 1641 retry: 1642 spin_lock(&aa_buffers_lock); 1643 if (buffer_count > reserve_count || 1644 (in_atomic && !list_empty(&aa_global_buffers))) { 1645 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1646 list); 1647 list_del(&aa_buf->list); 1648 buffer_count--; 1649 spin_unlock(&aa_buffers_lock); 1650 return &aa_buf->buffer[0]; 1651 } 1652 if (in_atomic) { 1653 /* 1654 * out of reserve buffers and in atomic context so increase 1655 * how many buffers to keep in reserve 1656 */ 1657 reserve_count++; 1658 flags = GFP_ATOMIC; 1659 } 1660 spin_unlock(&aa_buffers_lock); 1661 1662 if (!in_atomic) 1663 might_sleep(); 1664 aa_buf = kmalloc(aa_g_path_max, flags); 1665 if (!aa_buf) { 1666 if (try_again) { 1667 try_again = false; 1668 goto retry; 1669 } 1670 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n"); 1671 return NULL; 1672 } 1673 return &aa_buf->buffer[0]; 1674 } 1675 1676 void aa_put_buffer(char *buf) 1677 { 1678 union aa_buffer *aa_buf; 1679 1680 if (!buf) 1681 return; 1682 aa_buf = container_of(buf, union aa_buffer, buffer[0]); 1683 1684 spin_lock(&aa_buffers_lock); 1685 list_add(&aa_buf->list, &aa_global_buffers); 1686 buffer_count++; 1687 spin_unlock(&aa_buffers_lock); 1688 } 1689 1690 /* 1691 * AppArmor init functions 1692 */ 1693 1694 /** 1695 * set_init_ctx - set a task context and profile on the first task. 1696 * 1697 * TODO: allow setting an alternate profile than unconfined 1698 */ 1699 static int __init set_init_ctx(void) 1700 { 1701 struct cred *cred = (__force struct cred *)current->real_cred; 1702 1703 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns))); 1704 1705 return 0; 1706 } 1707 1708 static void destroy_buffers(void) 1709 { 1710 union aa_buffer *aa_buf; 1711 1712 spin_lock(&aa_buffers_lock); 1713 while (!list_empty(&aa_global_buffers)) { 1714 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer, 1715 list); 1716 list_del(&aa_buf->list); 1717 spin_unlock(&aa_buffers_lock); 1718 kfree(aa_buf); 1719 spin_lock(&aa_buffers_lock); 1720 } 1721 spin_unlock(&aa_buffers_lock); 1722 } 1723 1724 static int __init alloc_buffers(void) 1725 { 1726 union aa_buffer *aa_buf; 1727 int i, num; 1728 1729 /* 1730 * A function may require two buffers at once. Usually the buffers are 1731 * used for a short period of time and are shared. On UP kernel buffers 1732 * two should be enough, with more CPUs it is possible that more 1733 * buffers will be used simultaneously. The preallocated pool may grow. 1734 * This preallocation has also the side-effect that AppArmor will be 1735 * disabled early at boot if aa_g_path_max is extremly high. 1736 */ 1737 if (num_online_cpus() > 1) 1738 num = 4 + RESERVE_COUNT; 1739 else 1740 num = 2 + RESERVE_COUNT; 1741 1742 for (i = 0; i < num; i++) { 1743 1744 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL | 1745 __GFP_RETRY_MAYFAIL | __GFP_NOWARN); 1746 if (!aa_buf) { 1747 destroy_buffers(); 1748 return -ENOMEM; 1749 } 1750 aa_put_buffer(&aa_buf->buffer[0]); 1751 } 1752 return 0; 1753 } 1754 1755 #ifdef CONFIG_SYSCTL 1756 static int apparmor_dointvec(struct ctl_table *table, int write, 1757 void *buffer, size_t *lenp, loff_t *ppos) 1758 { 1759 if (!aa_current_policy_admin_capable(NULL)) 1760 return -EPERM; 1761 if (!apparmor_enabled) 1762 return -EINVAL; 1763 1764 return proc_dointvec(table, write, buffer, lenp, ppos); 1765 } 1766 1767 static struct ctl_table apparmor_sysctl_table[] = { 1768 { 1769 .procname = "unprivileged_userns_apparmor_policy", 1770 .data = &unprivileged_userns_apparmor_policy, 1771 .maxlen = sizeof(int), 1772 .mode = 0600, 1773 .proc_handler = apparmor_dointvec, 1774 }, 1775 { 1776 .procname = "apparmor_display_secid_mode", 1777 .data = &apparmor_display_secid_mode, 1778 .maxlen = sizeof(int), 1779 .mode = 0600, 1780 .proc_handler = apparmor_dointvec, 1781 }, 1782 1783 { } 1784 }; 1785 1786 static int __init apparmor_init_sysctl(void) 1787 { 1788 return register_sysctl("kernel", apparmor_sysctl_table) ? 0 : -ENOMEM; 1789 } 1790 #else 1791 static inline int apparmor_init_sysctl(void) 1792 { 1793 return 0; 1794 } 1795 #endif /* CONFIG_SYSCTL */ 1796 1797 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK) 1798 static unsigned int apparmor_ip_postroute(void *priv, 1799 struct sk_buff *skb, 1800 const struct nf_hook_state *state) 1801 { 1802 struct aa_sk_ctx *ctx; 1803 struct sock *sk; 1804 1805 if (!skb->secmark) 1806 return NF_ACCEPT; 1807 1808 sk = skb_to_full_sk(skb); 1809 if (sk == NULL) 1810 return NF_ACCEPT; 1811 1812 ctx = SK_CTX(sk); 1813 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, 1814 skb->secmark, sk)) 1815 return NF_ACCEPT; 1816 1817 return NF_DROP_ERR(-ECONNREFUSED); 1818 1819 } 1820 1821 static const struct nf_hook_ops apparmor_nf_ops[] = { 1822 { 1823 .hook = apparmor_ip_postroute, 1824 .pf = NFPROTO_IPV4, 1825 .hooknum = NF_INET_POST_ROUTING, 1826 .priority = NF_IP_PRI_SELINUX_FIRST, 1827 }, 1828 #if IS_ENABLED(CONFIG_IPV6) 1829 { 1830 .hook = apparmor_ip_postroute, 1831 .pf = NFPROTO_IPV6, 1832 .hooknum = NF_INET_POST_ROUTING, 1833 .priority = NF_IP6_PRI_SELINUX_FIRST, 1834 }, 1835 #endif 1836 }; 1837 1838 static int __net_init apparmor_nf_register(struct net *net) 1839 { 1840 return nf_register_net_hooks(net, apparmor_nf_ops, 1841 ARRAY_SIZE(apparmor_nf_ops)); 1842 } 1843 1844 static void __net_exit apparmor_nf_unregister(struct net *net) 1845 { 1846 nf_unregister_net_hooks(net, apparmor_nf_ops, 1847 ARRAY_SIZE(apparmor_nf_ops)); 1848 } 1849 1850 static struct pernet_operations apparmor_net_ops = { 1851 .init = apparmor_nf_register, 1852 .exit = apparmor_nf_unregister, 1853 }; 1854 1855 static int __init apparmor_nf_ip_init(void) 1856 { 1857 int err; 1858 1859 if (!apparmor_enabled) 1860 return 0; 1861 1862 err = register_pernet_subsys(&apparmor_net_ops); 1863 if (err) 1864 panic("Apparmor: register_pernet_subsys: error %d\n", err); 1865 1866 return 0; 1867 } 1868 __initcall(apparmor_nf_ip_init); 1869 #endif 1870 1871 static int __init apparmor_init(void) 1872 { 1873 int error; 1874 1875 error = aa_setup_dfa_engine(); 1876 if (error) { 1877 AA_ERROR("Unable to setup dfa engine\n"); 1878 goto alloc_out; 1879 } 1880 1881 error = aa_alloc_root_ns(); 1882 if (error) { 1883 AA_ERROR("Unable to allocate default profile namespace\n"); 1884 goto alloc_out; 1885 } 1886 1887 error = apparmor_init_sysctl(); 1888 if (error) { 1889 AA_ERROR("Unable to register sysctls\n"); 1890 goto alloc_out; 1891 1892 } 1893 1894 error = alloc_buffers(); 1895 if (error) { 1896 AA_ERROR("Unable to allocate work buffers\n"); 1897 goto alloc_out; 1898 } 1899 1900 error = set_init_ctx(); 1901 if (error) { 1902 AA_ERROR("Failed to set context on init task\n"); 1903 aa_free_root_ns(); 1904 goto buffers_out; 1905 } 1906 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1907 "apparmor"); 1908 1909 /* Report that AppArmor successfully initialized */ 1910 apparmor_initialized = 1; 1911 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1912 aa_info_message("AppArmor initialized: complain mode enabled"); 1913 else if (aa_g_profile_mode == APPARMOR_KILL) 1914 aa_info_message("AppArmor initialized: kill mode enabled"); 1915 else 1916 aa_info_message("AppArmor initialized"); 1917 1918 return error; 1919 1920 buffers_out: 1921 destroy_buffers(); 1922 alloc_out: 1923 aa_destroy_aafs(); 1924 aa_teardown_dfa_engine(); 1925 1926 apparmor_enabled = false; 1927 return error; 1928 } 1929 1930 DEFINE_LSM(apparmor) = { 1931 .name = "apparmor", 1932 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE, 1933 .enabled = &apparmor_enabled, 1934 .blobs = &apparmor_blob_sizes, 1935 .init = apparmor_init, 1936 }; 1937