1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/lsm_hooks.h> 16 #include <linux/moduleparam.h> 17 #include <linux/mm.h> 18 #include <linux/mman.h> 19 #include <linux/mount.h> 20 #include <linux/namei.h> 21 #include <linux/ptrace.h> 22 #include <linux/ctype.h> 23 #include <linux/sysctl.h> 24 #include <linux/audit.h> 25 #include <linux/user_namespace.h> 26 #include <linux/kmemleak.h> 27 #include <net/sock.h> 28 29 #include "include/apparmor.h" 30 #include "include/apparmorfs.h" 31 #include "include/audit.h" 32 #include "include/capability.h" 33 #include "include/context.h" 34 #include "include/file.h" 35 #include "include/ipc.h" 36 #include "include/path.h" 37 #include "include/label.h" 38 #include "include/policy.h" 39 #include "include/policy_ns.h" 40 #include "include/procattr.h" 41 42 /* Flag indicating whether initialization completed */ 43 int apparmor_initialized; 44 45 DEFINE_PER_CPU(struct aa_buffers, aa_buffers); 46 47 48 /* 49 * LSM hook functions 50 */ 51 52 /* 53 * free the associated aa_task_ctx and put its labels 54 */ 55 static void apparmor_cred_free(struct cred *cred) 56 { 57 aa_free_task_context(cred_ctx(cred)); 58 cred_ctx(cred) = NULL; 59 } 60 61 /* 62 * allocate the apparmor part of blank credentials 63 */ 64 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 65 { 66 /* freed by apparmor_cred_free */ 67 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 68 69 if (!ctx) 70 return -ENOMEM; 71 72 cred_ctx(cred) = ctx; 73 return 0; 74 } 75 76 /* 77 * prepare new aa_task_ctx for modification by prepare_cred block 78 */ 79 static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 80 gfp_t gfp) 81 { 82 /* freed by apparmor_cred_free */ 83 struct aa_task_ctx *ctx = aa_alloc_task_context(gfp); 84 85 if (!ctx) 86 return -ENOMEM; 87 88 aa_dup_task_context(ctx, cred_ctx(old)); 89 cred_ctx(new) = ctx; 90 return 0; 91 } 92 93 /* 94 * transfer the apparmor data to a blank set of creds 95 */ 96 static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 97 { 98 const struct aa_task_ctx *old_ctx = cred_ctx(old); 99 struct aa_task_ctx *new_ctx = cred_ctx(new); 100 101 aa_dup_task_context(new_ctx, old_ctx); 102 } 103 104 static int apparmor_ptrace_access_check(struct task_struct *child, 105 unsigned int mode) 106 { 107 struct aa_label *tracer, *tracee; 108 int error; 109 110 tracer = begin_current_label_crit_section(); 111 tracee = aa_get_task_label(child); 112 error = aa_may_ptrace(tracer, tracee, 113 mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE); 114 aa_put_label(tracee); 115 end_current_label_crit_section(tracer); 116 117 return error; 118 } 119 120 static int apparmor_ptrace_traceme(struct task_struct *parent) 121 { 122 struct aa_label *tracer, *tracee; 123 int error; 124 125 tracee = begin_current_label_crit_section(); 126 tracer = aa_get_task_label(parent); 127 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE); 128 aa_put_label(tracer); 129 end_current_label_crit_section(tracee); 130 131 return error; 132 } 133 134 /* Derived from security/commoncap.c:cap_capget */ 135 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 136 kernel_cap_t *inheritable, kernel_cap_t *permitted) 137 { 138 struct aa_label *label; 139 const struct cred *cred; 140 141 rcu_read_lock(); 142 cred = __task_cred(target); 143 label = aa_get_newest_cred_label(cred); 144 145 /* 146 * cap_capget is stacked ahead of this and will 147 * initialize effective and permitted. 148 */ 149 if (!unconfined(label)) { 150 struct aa_profile *profile; 151 struct label_it i; 152 153 label_for_each_confined(i, label, profile) { 154 if (COMPLAIN_MODE(profile)) 155 continue; 156 *effective = cap_intersect(*effective, 157 profile->caps.allow); 158 *permitted = cap_intersect(*permitted, 159 profile->caps.allow); 160 } 161 } 162 rcu_read_unlock(); 163 aa_put_label(label); 164 165 return 0; 166 } 167 168 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns, 169 int cap, int audit) 170 { 171 struct aa_label *label; 172 int error = 0; 173 174 label = aa_get_newest_cred_label(cred); 175 if (!unconfined(label)) 176 error = aa_capable(label, cap, audit); 177 aa_put_label(label); 178 179 return error; 180 } 181 182 /** 183 * common_perm - basic common permission check wrapper fn for paths 184 * @op: operation being checked 185 * @path: path to check permission of (NOT NULL) 186 * @mask: requested permissions mask 187 * @cond: conditional info for the permission request (NOT NULL) 188 * 189 * Returns: %0 else error code if error or permission denied 190 */ 191 static int common_perm(const char *op, const struct path *path, u32 mask, 192 struct path_cond *cond) 193 { 194 struct aa_label *label; 195 int error = 0; 196 197 label = __begin_current_label_crit_section(); 198 if (!unconfined(label)) 199 error = aa_path_perm(op, label, path, 0, mask, cond); 200 __end_current_label_crit_section(label); 201 202 return error; 203 } 204 205 /** 206 * common_perm_cond - common permission wrapper around inode cond 207 * @op: operation being checked 208 * @path: location to check (NOT NULL) 209 * @mask: requested permissions mask 210 * 211 * Returns: %0 else error code if error or permission denied 212 */ 213 static int common_perm_cond(const char *op, const struct path *path, u32 mask) 214 { 215 struct path_cond cond = { d_backing_inode(path->dentry)->i_uid, 216 d_backing_inode(path->dentry)->i_mode 217 }; 218 219 if (!path_mediated_fs(path->dentry)) 220 return 0; 221 222 return common_perm(op, path, mask, &cond); 223 } 224 225 /** 226 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 227 * @op: operation being checked 228 * @dir: directory of the dentry (NOT NULL) 229 * @dentry: dentry to check (NOT NULL) 230 * @mask: requested permissions mask 231 * @cond: conditional info for the permission request (NOT NULL) 232 * 233 * Returns: %0 else error code if error or permission denied 234 */ 235 static int common_perm_dir_dentry(const char *op, const struct path *dir, 236 struct dentry *dentry, u32 mask, 237 struct path_cond *cond) 238 { 239 struct path path = { .mnt = dir->mnt, .dentry = dentry }; 240 241 return common_perm(op, &path, mask, cond); 242 } 243 244 /** 245 * common_perm_rm - common permission wrapper for operations doing rm 246 * @op: operation being checked 247 * @dir: directory that the dentry is in (NOT NULL) 248 * @dentry: dentry being rm'd (NOT NULL) 249 * @mask: requested permission mask 250 * 251 * Returns: %0 else error code if error or permission denied 252 */ 253 static int common_perm_rm(const char *op, const struct path *dir, 254 struct dentry *dentry, u32 mask) 255 { 256 struct inode *inode = d_backing_inode(dentry); 257 struct path_cond cond = { }; 258 259 if (!inode || !path_mediated_fs(dentry)) 260 return 0; 261 262 cond.uid = inode->i_uid; 263 cond.mode = inode->i_mode; 264 265 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 266 } 267 268 /** 269 * common_perm_create - common permission wrapper for operations doing create 270 * @op: operation being checked 271 * @dir: directory that dentry will be created in (NOT NULL) 272 * @dentry: dentry to create (NOT NULL) 273 * @mask: request permission mask 274 * @mode: created file mode 275 * 276 * Returns: %0 else error code if error or permission denied 277 */ 278 static int common_perm_create(const char *op, const struct path *dir, 279 struct dentry *dentry, u32 mask, umode_t mode) 280 { 281 struct path_cond cond = { current_fsuid(), mode }; 282 283 if (!path_mediated_fs(dir->dentry)) 284 return 0; 285 286 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 287 } 288 289 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) 290 { 291 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 292 } 293 294 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, 295 umode_t mode) 296 { 297 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 298 S_IFDIR); 299 } 300 301 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) 302 { 303 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 304 } 305 306 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, 307 umode_t mode, unsigned int dev) 308 { 309 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 310 } 311 312 static int apparmor_path_truncate(const struct path *path) 313 { 314 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR); 315 } 316 317 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, 318 const char *old_name) 319 { 320 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 321 S_IFLNK); 322 } 323 324 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir, 325 struct dentry *new_dentry) 326 { 327 struct aa_label *label; 328 int error = 0; 329 330 if (!path_mediated_fs(old_dentry)) 331 return 0; 332 333 label = begin_current_label_crit_section(); 334 if (!unconfined(label)) 335 error = aa_path_link(label, old_dentry, new_dir, new_dentry); 336 end_current_label_crit_section(label); 337 338 return error; 339 } 340 341 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry, 342 const struct path *new_dir, struct dentry *new_dentry) 343 { 344 struct aa_label *label; 345 int error = 0; 346 347 if (!path_mediated_fs(old_dentry)) 348 return 0; 349 350 label = begin_current_label_crit_section(); 351 if (!unconfined(label)) { 352 struct path old_path = { .mnt = old_dir->mnt, 353 .dentry = old_dentry }; 354 struct path new_path = { .mnt = new_dir->mnt, 355 .dentry = new_dentry }; 356 struct path_cond cond = { d_backing_inode(old_dentry)->i_uid, 357 d_backing_inode(old_dentry)->i_mode 358 }; 359 360 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0, 361 MAY_READ | AA_MAY_GETATTR | MAY_WRITE | 362 AA_MAY_SETATTR | AA_MAY_DELETE, 363 &cond); 364 if (!error) 365 error = aa_path_perm(OP_RENAME_DEST, label, &new_path, 366 0, MAY_WRITE | AA_MAY_SETATTR | 367 AA_MAY_CREATE, &cond); 368 369 } 370 end_current_label_crit_section(label); 371 372 return error; 373 } 374 375 static int apparmor_path_chmod(const struct path *path, umode_t mode) 376 { 377 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD); 378 } 379 380 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid) 381 { 382 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN); 383 } 384 385 static int apparmor_inode_getattr(const struct path *path) 386 { 387 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR); 388 } 389 390 static int apparmor_file_open(struct file *file, const struct cred *cred) 391 { 392 struct aa_file_ctx *fctx = file_ctx(file); 393 struct aa_label *label; 394 int error = 0; 395 396 if (!path_mediated_fs(file->f_path.dentry)) 397 return 0; 398 399 /* If in exec, permission is handled by bprm hooks. 400 * Cache permissions granted by the previous exec check, with 401 * implicit read and executable mmap which are required to 402 * actually execute the image. 403 */ 404 if (current->in_execve) { 405 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 406 return 0; 407 } 408 409 label = aa_get_newest_cred_label(cred); 410 if (!unconfined(label)) { 411 struct inode *inode = file_inode(file); 412 struct path_cond cond = { inode->i_uid, inode->i_mode }; 413 414 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, 415 aa_map_file_to_perms(file), &cond); 416 /* todo cache full allowed permissions set and state */ 417 fctx->allow = aa_map_file_to_perms(file); 418 } 419 aa_put_label(label); 420 421 return error; 422 } 423 424 static int apparmor_file_alloc_security(struct file *file) 425 { 426 int error = 0; 427 428 /* freed by apparmor_file_free_security */ 429 struct aa_label *label = begin_current_label_crit_section(); 430 file->f_security = aa_alloc_file_ctx(label, GFP_KERNEL); 431 if (!file_ctx(file)) 432 error = -ENOMEM; 433 end_current_label_crit_section(label); 434 435 return error; 436 } 437 438 static void apparmor_file_free_security(struct file *file) 439 { 440 aa_free_file_ctx(file_ctx(file)); 441 } 442 443 static int common_file_perm(const char *op, struct file *file, u32 mask) 444 { 445 struct aa_label *label; 446 int error = 0; 447 448 /* don't reaudit files closed during inheritance */ 449 if (file->f_path.dentry == aa_null.dentry) 450 return -EACCES; 451 452 label = __begin_current_label_crit_section(); 453 error = aa_file_perm(op, label, file, mask); 454 __end_current_label_crit_section(label); 455 456 return error; 457 } 458 459 static int apparmor_file_receive(struct file *file) 460 { 461 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file)); 462 } 463 464 static int apparmor_file_permission(struct file *file, int mask) 465 { 466 return common_file_perm(OP_FPERM, file, mask); 467 } 468 469 static int apparmor_file_lock(struct file *file, unsigned int cmd) 470 { 471 u32 mask = AA_MAY_LOCK; 472 473 if (cmd == F_WRLCK) 474 mask |= MAY_WRITE; 475 476 return common_file_perm(OP_FLOCK, file, mask); 477 } 478 479 static int common_mmap(const char *op, struct file *file, unsigned long prot, 480 unsigned long flags) 481 { 482 int mask = 0; 483 484 if (!file || !file_ctx(file)) 485 return 0; 486 487 if (prot & PROT_READ) 488 mask |= MAY_READ; 489 /* 490 * Private mappings don't require write perms since they don't 491 * write back to the files 492 */ 493 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 494 mask |= MAY_WRITE; 495 if (prot & PROT_EXEC) 496 mask |= AA_EXEC_MMAP; 497 498 return common_file_perm(op, file, mask); 499 } 500 501 static int apparmor_mmap_file(struct file *file, unsigned long reqprot, 502 unsigned long prot, unsigned long flags) 503 { 504 return common_mmap(OP_FMMAP, file, prot, flags); 505 } 506 507 static int apparmor_file_mprotect(struct vm_area_struct *vma, 508 unsigned long reqprot, unsigned long prot) 509 { 510 return common_mmap(OP_FMPROT, vma->vm_file, prot, 511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512 } 513 514 static int apparmor_getprocattr(struct task_struct *task, char *name, 515 char **value) 516 { 517 int error = -ENOENT; 518 /* released below */ 519 const struct cred *cred = get_task_cred(task); 520 struct aa_task_ctx *ctx = cred_ctx(cred); 521 struct aa_label *label = NULL; 522 523 if (strcmp(name, "current") == 0) 524 label = aa_get_newest_label(ctx->label); 525 else if (strcmp(name, "prev") == 0 && ctx->previous) 526 label = aa_get_newest_label(ctx->previous); 527 else if (strcmp(name, "exec") == 0 && ctx->onexec) 528 label = aa_get_newest_label(ctx->onexec); 529 else 530 error = -EINVAL; 531 532 if (label) 533 error = aa_getprocattr(label, value); 534 535 aa_put_label(label); 536 put_cred(cred); 537 538 return error; 539 } 540 541 static int apparmor_setprocattr(const char *name, void *value, 542 size_t size) 543 { 544 char *command, *largs = NULL, *args = value; 545 size_t arg_size; 546 int error; 547 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR); 548 549 if (size == 0) 550 return -EINVAL; 551 552 /* AppArmor requires that the buffer must be null terminated atm */ 553 if (args[size - 1] != '\0') { 554 /* null terminate */ 555 largs = args = kmalloc(size + 1, GFP_KERNEL); 556 if (!args) 557 return -ENOMEM; 558 memcpy(args, value, size); 559 args[size] = '\0'; 560 } 561 562 error = -EINVAL; 563 args = strim(args); 564 command = strsep(&args, " "); 565 if (!args) 566 goto out; 567 args = skip_spaces(args); 568 if (!*args) 569 goto out; 570 571 arg_size = size - (args - (largs ? largs : (char *) value)); 572 if (strcmp(name, "current") == 0) { 573 if (strcmp(command, "changehat") == 0) { 574 error = aa_setprocattr_changehat(args, arg_size, 575 AA_CHANGE_NOFLAGS); 576 } else if (strcmp(command, "permhat") == 0) { 577 error = aa_setprocattr_changehat(args, arg_size, 578 AA_CHANGE_TEST); 579 } else if (strcmp(command, "changeprofile") == 0) { 580 error = aa_change_profile(args, AA_CHANGE_NOFLAGS); 581 } else if (strcmp(command, "permprofile") == 0) { 582 error = aa_change_profile(args, AA_CHANGE_TEST); 583 } else if (strcmp(command, "stack") == 0) { 584 error = aa_change_profile(args, AA_CHANGE_STACK); 585 } else 586 goto fail; 587 } else if (strcmp(name, "exec") == 0) { 588 if (strcmp(command, "exec") == 0) 589 error = aa_change_profile(args, AA_CHANGE_ONEXEC); 590 else if (strcmp(command, "stack") == 0) 591 error = aa_change_profile(args, (AA_CHANGE_ONEXEC | 592 AA_CHANGE_STACK)); 593 else 594 goto fail; 595 } else 596 /* only support the "current" and "exec" process attributes */ 597 goto fail; 598 599 if (!error) 600 error = size; 601 out: 602 kfree(largs); 603 return error; 604 605 fail: 606 aad(&sa)->label = begin_current_label_crit_section(); 607 aad(&sa)->info = name; 608 aad(&sa)->error = error = -EINVAL; 609 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL); 610 end_current_label_crit_section(aad(&sa)->label); 611 goto out; 612 } 613 614 /** 615 * apparmor_bprm_committing_creds - do task cleanup on committing new creds 616 * @bprm: binprm for the exec (NOT NULL) 617 */ 618 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm) 619 { 620 struct aa_label *label = aa_current_raw_label(); 621 struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred); 622 623 /* bail out if unconfined or not changing profile */ 624 if ((new_ctx->label->proxy == label->proxy) || 625 (unconfined(new_ctx->label))) 626 return; 627 628 aa_inherit_files(bprm->cred, current->files); 629 630 current->pdeath_signal = 0; 631 632 /* reset soft limits and set hard limits for the new label */ 633 __aa_transition_rlimits(label, new_ctx->label); 634 } 635 636 /** 637 * apparmor_bprm_committed_cred - do cleanup after new creds committed 638 * @bprm: binprm for the exec (NOT NULL) 639 */ 640 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm) 641 { 642 /* TODO: cleanup signals - ipc mediation */ 643 return; 644 } 645 646 static int apparmor_task_setrlimit(struct task_struct *task, 647 unsigned int resource, struct rlimit *new_rlim) 648 { 649 struct aa_label *label = __begin_current_label_crit_section(); 650 int error = 0; 651 652 if (!unconfined(label)) 653 error = aa_task_setrlimit(label, task, resource, new_rlim); 654 __end_current_label_crit_section(label); 655 656 return error; 657 } 658 659 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 660 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 661 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), 662 LSM_HOOK_INIT(capget, apparmor_capget), 663 LSM_HOOK_INIT(capable, apparmor_capable), 664 665 LSM_HOOK_INIT(path_link, apparmor_path_link), 666 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink), 667 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink), 668 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir), 669 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir), 670 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod), 671 LSM_HOOK_INIT(path_rename, apparmor_path_rename), 672 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod), 673 LSM_HOOK_INIT(path_chown, apparmor_path_chown), 674 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate), 675 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr), 676 677 LSM_HOOK_INIT(file_open, apparmor_file_open), 678 LSM_HOOK_INIT(file_receive, apparmor_file_receive), 679 LSM_HOOK_INIT(file_permission, apparmor_file_permission), 680 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security), 681 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security), 682 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file), 683 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect), 684 LSM_HOOK_INIT(file_lock, apparmor_file_lock), 685 686 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 687 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 688 689 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 690 LSM_HOOK_INIT(cred_free, apparmor_cred_free), 691 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare), 692 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer), 693 694 LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds), 695 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds), 696 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds), 697 LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec), 698 699 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit), 700 }; 701 702 /* 703 * AppArmor sysfs module parameters 704 */ 705 706 static int param_set_aabool(const char *val, const struct kernel_param *kp); 707 static int param_get_aabool(char *buffer, const struct kernel_param *kp); 708 #define param_check_aabool param_check_bool 709 static const struct kernel_param_ops param_ops_aabool = { 710 .flags = KERNEL_PARAM_OPS_FL_NOARG, 711 .set = param_set_aabool, 712 .get = param_get_aabool 713 }; 714 715 static int param_set_aauint(const char *val, const struct kernel_param *kp); 716 static int param_get_aauint(char *buffer, const struct kernel_param *kp); 717 #define param_check_aauint param_check_uint 718 static const struct kernel_param_ops param_ops_aauint = { 719 .set = param_set_aauint, 720 .get = param_get_aauint 721 }; 722 723 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 724 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 725 #define param_check_aalockpolicy param_check_bool 726 static const struct kernel_param_ops param_ops_aalockpolicy = { 727 .flags = KERNEL_PARAM_OPS_FL_NOARG, 728 .set = param_set_aalockpolicy, 729 .get = param_get_aalockpolicy 730 }; 731 732 static int param_set_audit(const char *val, struct kernel_param *kp); 733 static int param_get_audit(char *buffer, struct kernel_param *kp); 734 735 static int param_set_mode(const char *val, struct kernel_param *kp); 736 static int param_get_mode(char *buffer, struct kernel_param *kp); 737 738 /* Flag values, also controllable via /sys/module/apparmor/parameters 739 * We define special types as we want to do additional mediation. 740 */ 741 742 /* AppArmor global enforcement switch - complain, enforce, kill */ 743 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 744 module_param_call(mode, param_set_mode, param_get_mode, 745 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 746 747 /* whether policy verification hashing is enabled */ 748 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT); 749 #ifdef CONFIG_SECURITY_APPARMOR_HASH 750 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR); 751 #endif 752 753 /* Debug mode */ 754 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES); 755 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 756 757 /* Audit mode */ 758 enum audit_mode aa_g_audit; 759 module_param_call(audit, param_set_audit, param_get_audit, 760 &aa_g_audit, S_IRUSR | S_IWUSR); 761 762 /* Determines if audit header is included in audited messages. This 763 * provides more context if the audit daemon is not running 764 */ 765 bool aa_g_audit_header = 1; 766 module_param_named(audit_header, aa_g_audit_header, aabool, 767 S_IRUSR | S_IWUSR); 768 769 /* lock out loading/removal of policy 770 * TODO: add in at boot loading of policy, which is the only way to 771 * load policy, if lock_policy is set 772 */ 773 bool aa_g_lock_policy; 774 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 775 S_IRUSR | S_IWUSR); 776 777 /* Syscall logging mode */ 778 bool aa_g_logsyscall; 779 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 780 781 /* Maximum pathname length before accesses will start getting rejected */ 782 unsigned int aa_g_path_max = 2 * PATH_MAX; 783 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR); 784 785 /* Determines how paranoid loading of policy is and how much verification 786 * on the loaded policy is done. 787 * DEPRECATED: read only as strict checking of load is always done now 788 * that none root users (user namespaces) can load policy. 789 */ 790 bool aa_g_paranoid_load = 1; 791 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO); 792 793 /* Boot time disable flag */ 794 static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 795 module_param_named(enabled, apparmor_enabled, bool, S_IRUGO); 796 797 static int __init apparmor_enabled_setup(char *str) 798 { 799 unsigned long enabled; 800 int error = kstrtoul(str, 0, &enabled); 801 if (!error) 802 apparmor_enabled = enabled ? 1 : 0; 803 return 1; 804 } 805 806 __setup("apparmor=", apparmor_enabled_setup); 807 808 /* set global flag turning off the ability to load policy */ 809 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 810 { 811 if (!apparmor_enabled) 812 return -EINVAL; 813 if (apparmor_initialized && !policy_admin_capable(NULL)) 814 return -EPERM; 815 return param_set_bool(val, kp); 816 } 817 818 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 819 { 820 if (!apparmor_enabled) 821 return -EINVAL; 822 if (apparmor_initialized && !policy_view_capable(NULL)) 823 return -EPERM; 824 return param_get_bool(buffer, kp); 825 } 826 827 static int param_set_aabool(const char *val, const struct kernel_param *kp) 828 { 829 if (!apparmor_enabled) 830 return -EINVAL; 831 if (apparmor_initialized && !policy_admin_capable(NULL)) 832 return -EPERM; 833 return param_set_bool(val, kp); 834 } 835 836 static int param_get_aabool(char *buffer, const struct kernel_param *kp) 837 { 838 if (!apparmor_enabled) 839 return -EINVAL; 840 if (apparmor_initialized && !policy_view_capable(NULL)) 841 return -EPERM; 842 return param_get_bool(buffer, kp); 843 } 844 845 static int param_set_aauint(const char *val, const struct kernel_param *kp) 846 { 847 int error; 848 849 if (!apparmor_enabled) 850 return -EINVAL; 851 /* file is ro but enforce 2nd line check */ 852 if (apparmor_initialized) 853 return -EPERM; 854 855 error = param_set_uint(val, kp); 856 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max); 857 858 return error; 859 } 860 861 static int param_get_aauint(char *buffer, const struct kernel_param *kp) 862 { 863 if (!apparmor_enabled) 864 return -EINVAL; 865 if (apparmor_initialized && !policy_view_capable(NULL)) 866 return -EPERM; 867 return param_get_uint(buffer, kp); 868 } 869 870 static int param_get_audit(char *buffer, struct kernel_param *kp) 871 { 872 if (!apparmor_enabled) 873 return -EINVAL; 874 if (apparmor_initialized && !policy_view_capable(NULL)) 875 return -EPERM; 876 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 877 } 878 879 static int param_set_audit(const char *val, struct kernel_param *kp) 880 { 881 int i; 882 883 if (!apparmor_enabled) 884 return -EINVAL; 885 if (!val) 886 return -EINVAL; 887 if (apparmor_initialized && !policy_admin_capable(NULL)) 888 return -EPERM; 889 890 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 891 if (strcmp(val, audit_mode_names[i]) == 0) { 892 aa_g_audit = i; 893 return 0; 894 } 895 } 896 897 return -EINVAL; 898 } 899 900 static int param_get_mode(char *buffer, struct kernel_param *kp) 901 { 902 if (!apparmor_enabled) 903 return -EINVAL; 904 if (apparmor_initialized && !policy_view_capable(NULL)) 905 return -EPERM; 906 907 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]); 908 } 909 910 static int param_set_mode(const char *val, struct kernel_param *kp) 911 { 912 int i; 913 914 if (!apparmor_enabled) 915 return -EINVAL; 916 if (!val) 917 return -EINVAL; 918 if (apparmor_initialized && !policy_admin_capable(NULL)) 919 return -EPERM; 920 921 for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) { 922 if (strcmp(val, aa_profile_mode_names[i]) == 0) { 923 aa_g_profile_mode = i; 924 return 0; 925 } 926 } 927 928 return -EINVAL; 929 } 930 931 /* 932 * AppArmor init functions 933 */ 934 935 /** 936 * set_init_ctx - set a task context and profile on the first task. 937 * 938 * TODO: allow setting an alternate profile than unconfined 939 */ 940 static int __init set_init_ctx(void) 941 { 942 struct cred *cred = (struct cred *)current->real_cred; 943 struct aa_task_ctx *ctx; 944 945 ctx = aa_alloc_task_context(GFP_KERNEL); 946 if (!ctx) 947 return -ENOMEM; 948 949 ctx->label = aa_get_label(ns_unconfined(root_ns)); 950 cred_ctx(cred) = ctx; 951 952 return 0; 953 } 954 955 static void destroy_buffers(void) 956 { 957 u32 i, j; 958 959 for_each_possible_cpu(i) { 960 for_each_cpu_buffer(j) { 961 kfree(per_cpu(aa_buffers, i).buf[j]); 962 per_cpu(aa_buffers, i).buf[j] = NULL; 963 } 964 } 965 } 966 967 static int __init alloc_buffers(void) 968 { 969 u32 i, j; 970 971 for_each_possible_cpu(i) { 972 for_each_cpu_buffer(j) { 973 char *buffer; 974 975 if (cpu_to_node(i) > num_online_nodes()) 976 /* fallback to kmalloc for offline nodes */ 977 buffer = kmalloc(aa_g_path_max, GFP_KERNEL); 978 else 979 buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL, 980 cpu_to_node(i)); 981 if (!buffer) { 982 destroy_buffers(); 983 return -ENOMEM; 984 } 985 per_cpu(aa_buffers, i).buf[j] = buffer; 986 } 987 } 988 989 return 0; 990 } 991 992 #ifdef CONFIG_SYSCTL 993 static int apparmor_dointvec(struct ctl_table *table, int write, 994 void __user *buffer, size_t *lenp, loff_t *ppos) 995 { 996 if (!policy_admin_capable(NULL)) 997 return -EPERM; 998 if (!apparmor_enabled) 999 return -EINVAL; 1000 1001 return proc_dointvec(table, write, buffer, lenp, ppos); 1002 } 1003 1004 static struct ctl_path apparmor_sysctl_path[] = { 1005 { .procname = "kernel", }, 1006 { } 1007 }; 1008 1009 static struct ctl_table apparmor_sysctl_table[] = { 1010 { 1011 .procname = "unprivileged_userns_apparmor_policy", 1012 .data = &unprivileged_userns_apparmor_policy, 1013 .maxlen = sizeof(int), 1014 .mode = 0600, 1015 .proc_handler = apparmor_dointvec, 1016 }, 1017 { } 1018 }; 1019 1020 static int __init apparmor_init_sysctl(void) 1021 { 1022 return register_sysctl_paths(apparmor_sysctl_path, 1023 apparmor_sysctl_table) ? 0 : -ENOMEM; 1024 } 1025 #else 1026 static inline int apparmor_init_sysctl(void) 1027 { 1028 return 0; 1029 } 1030 #endif /* CONFIG_SYSCTL */ 1031 1032 static int __init apparmor_init(void) 1033 { 1034 int error; 1035 1036 if (!apparmor_enabled || !security_module_enable("apparmor")) { 1037 aa_info_message("AppArmor disabled by boot time parameter"); 1038 apparmor_enabled = 0; 1039 return 0; 1040 } 1041 1042 error = aa_setup_dfa_engine(); 1043 if (error) { 1044 AA_ERROR("Unable to setup dfa engine\n"); 1045 goto alloc_out; 1046 } 1047 1048 error = aa_alloc_root_ns(); 1049 if (error) { 1050 AA_ERROR("Unable to allocate default profile namespace\n"); 1051 goto alloc_out; 1052 } 1053 1054 error = apparmor_init_sysctl(); 1055 if (error) { 1056 AA_ERROR("Unable to register sysctls\n"); 1057 goto alloc_out; 1058 1059 } 1060 1061 error = alloc_buffers(); 1062 if (error) { 1063 AA_ERROR("Unable to allocate work buffers\n"); 1064 goto buffers_out; 1065 } 1066 1067 error = set_init_ctx(); 1068 if (error) { 1069 AA_ERROR("Failed to set context on init task\n"); 1070 aa_free_root_ns(); 1071 goto buffers_out; 1072 } 1073 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks), 1074 "apparmor"); 1075 1076 /* Report that AppArmor successfully initialized */ 1077 apparmor_initialized = 1; 1078 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 1079 aa_info_message("AppArmor initialized: complain mode enabled"); 1080 else if (aa_g_profile_mode == APPARMOR_KILL) 1081 aa_info_message("AppArmor initialized: kill mode enabled"); 1082 else 1083 aa_info_message("AppArmor initialized"); 1084 1085 return error; 1086 1087 buffers_out: 1088 destroy_buffers(); 1089 1090 alloc_out: 1091 aa_destroy_aafs(); 1092 aa_teardown_dfa_engine(); 1093 1094 apparmor_enabled = 0; 1095 return error; 1096 } 1097 1098 security_initcall(apparmor_init); 1099