1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor mediation of files 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2017 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/fs.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 19 #include "include/apparmor.h" 20 #include "include/audit.h" 21 #include "include/context.h" 22 #include "include/domain.h" 23 #include "include/file.h" 24 #include "include/match.h" 25 #include "include/mount.h" 26 #include "include/path.h" 27 #include "include/policy.h" 28 29 30 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 31 { 32 if (flags & MS_RDONLY) 33 audit_log_format(ab, "ro"); 34 else 35 audit_log_format(ab, "rw"); 36 if (flags & MS_NOSUID) 37 audit_log_format(ab, ", nosuid"); 38 if (flags & MS_NODEV) 39 audit_log_format(ab, ", nodev"); 40 if (flags & MS_NOEXEC) 41 audit_log_format(ab, ", noexec"); 42 if (flags & MS_SYNCHRONOUS) 43 audit_log_format(ab, ", sync"); 44 if (flags & MS_REMOUNT) 45 audit_log_format(ab, ", remount"); 46 if (flags & MS_MANDLOCK) 47 audit_log_format(ab, ", mand"); 48 if (flags & MS_DIRSYNC) 49 audit_log_format(ab, ", dirsync"); 50 if (flags & MS_NOATIME) 51 audit_log_format(ab, ", noatime"); 52 if (flags & MS_NODIRATIME) 53 audit_log_format(ab, ", nodiratime"); 54 if (flags & MS_BIND) 55 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 56 if (flags & MS_MOVE) 57 audit_log_format(ab, ", move"); 58 if (flags & MS_SILENT) 59 audit_log_format(ab, ", silent"); 60 if (flags & MS_POSIXACL) 61 audit_log_format(ab, ", acl"); 62 if (flags & MS_UNBINDABLE) 63 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 64 ", unbindable"); 65 if (flags & MS_PRIVATE) 66 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 67 ", private"); 68 if (flags & MS_SLAVE) 69 audit_log_format(ab, flags & MS_REC ? ", rslave" : 70 ", slave"); 71 if (flags & MS_SHARED) 72 audit_log_format(ab, flags & MS_REC ? ", rshared" : 73 ", shared"); 74 if (flags & MS_RELATIME) 75 audit_log_format(ab, ", relatime"); 76 if (flags & MS_I_VERSION) 77 audit_log_format(ab, ", iversion"); 78 if (flags & MS_STRICTATIME) 79 audit_log_format(ab, ", strictatime"); 80 if (flags & MS_NOUSER) 81 audit_log_format(ab, ", nouser"); 82 } 83 84 /** 85 * audit_cb - call back for mount specific audit fields 86 * @ab: audit_buffer (NOT NULL) 87 * @va: audit struct to audit values of (NOT NULL) 88 */ 89 static void audit_cb(struct audit_buffer *ab, void *va) 90 { 91 struct common_audit_data *sa = va; 92 93 if (aad(sa)->mnt.type) { 94 audit_log_format(ab, " fstype="); 95 audit_log_untrustedstring(ab, aad(sa)->mnt.type); 96 } 97 if (aad(sa)->mnt.src_name) { 98 audit_log_format(ab, " srcname="); 99 audit_log_untrustedstring(ab, aad(sa)->mnt.src_name); 100 } 101 if (aad(sa)->mnt.trans) { 102 audit_log_format(ab, " trans="); 103 audit_log_untrustedstring(ab, aad(sa)->mnt.trans); 104 } 105 if (aad(sa)->mnt.flags) { 106 audit_log_format(ab, " flags=\""); 107 audit_mnt_flags(ab, aad(sa)->mnt.flags); 108 audit_log_format(ab, "\""); 109 } 110 if (aad(sa)->mnt.data) { 111 audit_log_format(ab, " options="); 112 audit_log_untrustedstring(ab, aad(sa)->mnt.data); 113 } 114 } 115 116 /** 117 * audit_mount - handle the auditing of mount operations 118 * @profile: the profile being enforced (NOT NULL) 119 * @op: operation being mediated (NOT NULL) 120 * @name: name of object being mediated (MAYBE NULL) 121 * @src_name: src_name of object being mediated (MAYBE_NULL) 122 * @type: type of filesystem (MAYBE_NULL) 123 * @trans: name of trans (MAYBE NULL) 124 * @flags: filesystem idependent mount flags 125 * @data: filesystem mount flags 126 * @request: permissions requested 127 * @perms: the permissions computed for the request (NOT NULL) 128 * @info: extra information message (MAYBE NULL) 129 * @error: 0 if operation allowed else failure error code 130 * 131 * Returns: %0 or error on failure 132 */ 133 static int audit_mount(struct aa_profile *profile, const char *op, 134 const char *name, const char *src_name, 135 const char *type, const char *trans, 136 unsigned long flags, const void *data, u32 request, 137 struct aa_perms *perms, const char *info, int error) 138 { 139 int audit_type = AUDIT_APPARMOR_AUTO; 140 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op); 141 142 if (likely(!error)) { 143 u32 mask = perms->audit; 144 145 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 146 mask = 0xffff; 147 148 /* mask off perms that are not being force audited */ 149 request &= mask; 150 151 if (likely(!request)) 152 return 0; 153 audit_type = AUDIT_APPARMOR_AUDIT; 154 } else { 155 /* only report permissions that were denied */ 156 request = request & ~perms->allow; 157 158 if (request & perms->kill) 159 audit_type = AUDIT_APPARMOR_KILL; 160 161 /* quiet known rejects, assumes quiet and kill do not overlap */ 162 if ((request & perms->quiet) && 163 AUDIT_MODE(profile) != AUDIT_NOQUIET && 164 AUDIT_MODE(profile) != AUDIT_ALL) 165 request &= ~perms->quiet; 166 167 if (!request) 168 return error; 169 } 170 171 aad(&sa)->name = name; 172 aad(&sa)->mnt.src_name = src_name; 173 aad(&sa)->mnt.type = type; 174 aad(&sa)->mnt.trans = trans; 175 aad(&sa)->mnt.flags = flags; 176 if (data && (perms->audit & AA_AUDIT_DATA)) 177 aad(&sa)->mnt.data = data; 178 aad(&sa)->info = info; 179 aad(&sa)->error = error; 180 181 return aa_audit(audit_type, profile, &sa, audit_cb); 182 } 183 184 /** 185 * match_mnt_flags - Do an ordered match on mount flags 186 * @dfa: dfa to match against 187 * @state: state to start in 188 * @flags: mount flags to match against 189 * 190 * Mount flags are encoded as an ordered match. This is done instead of 191 * checking against a simple bitmask, to allow for logical operations 192 * on the flags. 193 * 194 * Returns: next state after flags match 195 */ 196 static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, 197 unsigned long flags) 198 { 199 unsigned int i; 200 201 for (i = 0; i <= 31 ; ++i) { 202 if ((1 << i) & flags) 203 state = aa_dfa_next(dfa, state, i + 1); 204 } 205 206 return state; 207 } 208 209 /** 210 * compute_mnt_perms - compute mount permission associated with @state 211 * @dfa: dfa to match against (NOT NULL) 212 * @state: state match finished in 213 * 214 * Returns: mount permissions 215 */ 216 static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa, 217 unsigned int state) 218 { 219 struct aa_perms perms; 220 221 perms.kill = 0; 222 perms.allow = dfa_user_allow(dfa, state); 223 perms.audit = dfa_user_audit(dfa, state); 224 perms.quiet = dfa_user_quiet(dfa, state); 225 perms.xindex = dfa_user_xindex(dfa, state); 226 227 return perms; 228 } 229 230 static const char * const mnt_info_table[] = { 231 "match succeeded", 232 "failed mntpnt match", 233 "failed srcname match", 234 "failed type match", 235 "failed flags match", 236 "failed data match" 237 }; 238 239 /* 240 * Returns 0 on success else element that match failed in, this is the 241 * index into the mnt_info_table above 242 */ 243 static int do_match_mnt(struct aa_dfa *dfa, unsigned int start, 244 const char *mntpnt, const char *devname, 245 const char *type, unsigned long flags, 246 void *data, bool binary, struct aa_perms *perms) 247 { 248 unsigned int state; 249 250 AA_BUG(!dfa); 251 AA_BUG(!perms); 252 253 state = aa_dfa_match(dfa, start, mntpnt); 254 state = aa_dfa_null_transition(dfa, state); 255 if (!state) 256 return 1; 257 258 if (devname) 259 state = aa_dfa_match(dfa, state, devname); 260 state = aa_dfa_null_transition(dfa, state); 261 if (!state) 262 return 2; 263 264 if (type) 265 state = aa_dfa_match(dfa, state, type); 266 state = aa_dfa_null_transition(dfa, state); 267 if (!state) 268 return 3; 269 270 state = match_mnt_flags(dfa, state, flags); 271 if (!state) 272 return 4; 273 *perms = compute_mnt_perms(dfa, state); 274 if (perms->allow & AA_MAY_MOUNT) 275 return 0; 276 277 /* only match data if not binary and the DFA flags data is expected */ 278 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 279 state = aa_dfa_null_transition(dfa, state); 280 if (!state) 281 return 4; 282 283 state = aa_dfa_match(dfa, state, data); 284 if (!state) 285 return 5; 286 *perms = compute_mnt_perms(dfa, state); 287 if (perms->allow & AA_MAY_MOUNT) 288 return 0; 289 } 290 291 /* failed at end of flags match */ 292 return 4; 293 } 294 295 296 static int path_flags(struct aa_profile *profile, const struct path *path) 297 { 298 AA_BUG(!profile); 299 AA_BUG(!path); 300 301 return profile->path_flags | 302 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 303 } 304 305 /** 306 * match_mnt_path_str - handle path matching for mount 307 * @profile: the confining profile 308 * @mntpath: for the mntpnt (NOT NULL) 309 * @buffer: buffer to be used to lookup mntpath 310 * @devnme: string for the devname/src_name (MAY BE NULL OR ERRPTR) 311 * @type: string for the dev type (MAYBE NULL) 312 * @flags: mount flags to match 313 * @data: fs mount data (MAYBE NULL) 314 * @binary: whether @data is binary 315 * @devinfo: error str if (IS_ERR(@devname)) 316 * 317 * Returns: 0 on success else error 318 */ 319 static int match_mnt_path_str(struct aa_profile *profile, 320 const struct path *mntpath, char *buffer, 321 const char *devname, const char *type, 322 unsigned long flags, void *data, bool binary, 323 const char *devinfo) 324 { 325 struct aa_perms perms = { }; 326 const char *mntpnt = NULL, *info = NULL; 327 int pos, error; 328 329 AA_BUG(!profile); 330 AA_BUG(!mntpath); 331 AA_BUG(!buffer); 332 333 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 334 &mntpnt, &info, profile->disconnected); 335 if (error) 336 goto audit; 337 if (IS_ERR(devname)) { 338 error = PTR_ERR(devname); 339 devname = NULL; 340 info = devinfo; 341 goto audit; 342 } 343 344 error = -EACCES; 345 pos = do_match_mnt(profile->policy.dfa, 346 profile->policy.start[AA_CLASS_MOUNT], 347 mntpnt, devname, type, flags, data, binary, &perms); 348 if (pos) { 349 info = mnt_info_table[pos]; 350 goto audit; 351 } 352 error = 0; 353 354 audit: 355 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL, 356 flags, data, AA_MAY_MOUNT, &perms, info, error); 357 } 358 359 /** 360 * match_mnt - handle path matching for mount 361 * @profile: the confining profile 362 * @mntpath: for the mntpnt (NOT NULL) 363 * @buffer: buffer to be used to lookup mntpath 364 * @devpath: path devname/src_name (MAYBE NULL) 365 * @devbuffer: buffer to be used to lookup devname/src_name 366 * @type: string for the dev type (MAYBE NULL) 367 * @flags: mount flags to match 368 * @data: fs mount data (MAYBE NULL) 369 * @binary: whether @data is binary 370 * 371 * Returns: 0 on success else error 372 */ 373 static int match_mnt(struct aa_profile *profile, const struct path *path, 374 char *buffer, struct path *devpath, char *devbuffer, 375 const char *type, unsigned long flags, void *data, 376 bool binary) 377 { 378 const char *devname = NULL, *info = NULL; 379 int error = -EACCES; 380 381 AA_BUG(!profile); 382 AA_BUG(devpath && !devbuffer); 383 384 if (devpath) { 385 error = aa_path_name(devpath, path_flags(profile, devpath), 386 devbuffer, &devname, &info, 387 profile->disconnected); 388 if (error) 389 devname = ERR_PTR(error); 390 } 391 392 return match_mnt_path_str(profile, path, buffer, devname, type, flags, 393 data, binary, info); 394 } 395 396 int aa_remount(struct aa_label *label, const struct path *path, 397 unsigned long flags, void *data) 398 { 399 struct aa_profile *profile; 400 char *buffer = NULL; 401 bool binary; 402 int error; 403 404 AA_BUG(!label); 405 AA_BUG(!path); 406 407 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 408 409 get_buffers(buffer); 410 error = fn_for_each_confined(label, profile, 411 match_mnt(profile, path, buffer, NULL, NULL, NULL, 412 flags, data, binary)); 413 put_buffers(buffer); 414 415 return error; 416 } 417 418 int aa_bind_mount(struct aa_label *label, const struct path *path, 419 const char *dev_name, unsigned long flags) 420 { 421 struct aa_profile *profile; 422 char *buffer = NULL, *old_buffer = NULL; 423 struct path old_path; 424 int error; 425 426 AA_BUG(!label); 427 AA_BUG(!path); 428 429 if (!dev_name || !*dev_name) 430 return -EINVAL; 431 432 flags &= MS_REC | MS_BIND; 433 434 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 435 if (error) 436 return error; 437 438 get_buffers(buffer, old_buffer); 439 error = fn_for_each_confined(label, profile, 440 match_mnt(profile, path, buffer, &old_path, old_buffer, 441 NULL, flags, NULL, false)); 442 put_buffers(buffer, old_buffer); 443 path_put(&old_path); 444 445 return error; 446 } 447 448 int aa_mount_change_type(struct aa_label *label, const struct path *path, 449 unsigned long flags) 450 { 451 struct aa_profile *profile; 452 char *buffer = NULL; 453 int error; 454 455 AA_BUG(!label); 456 AA_BUG(!path); 457 458 /* These are the flags allowed by do_change_type() */ 459 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 460 MS_UNBINDABLE); 461 462 get_buffers(buffer); 463 error = fn_for_each_confined(label, profile, 464 match_mnt(profile, path, buffer, NULL, NULL, NULL, 465 flags, NULL, false)); 466 put_buffers(buffer); 467 468 return error; 469 } 470 471 int aa_move_mount(struct aa_label *label, const struct path *path, 472 const char *orig_name) 473 { 474 struct aa_profile *profile; 475 char *buffer = NULL, *old_buffer = NULL; 476 struct path old_path; 477 int error; 478 479 AA_BUG(!label); 480 AA_BUG(!path); 481 482 if (!orig_name || !*orig_name) 483 return -EINVAL; 484 485 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 486 if (error) 487 return error; 488 489 get_buffers(buffer, old_buffer); 490 error = fn_for_each_confined(label, profile, 491 match_mnt(profile, path, buffer, &old_path, old_buffer, 492 NULL, MS_MOVE, NULL, false)); 493 put_buffers(buffer, old_buffer); 494 path_put(&old_path); 495 496 return error; 497 } 498 499 int aa_new_mount(struct aa_label *label, const char *dev_name, 500 const struct path *path, const char *type, unsigned long flags, 501 void *data) 502 { 503 struct aa_profile *profile; 504 char *buffer = NULL, *dev_buffer = NULL; 505 bool binary = true; 506 int error; 507 int requires_dev = 0; 508 struct path tmp_path, *dev_path = NULL; 509 510 AA_BUG(!label); 511 AA_BUG(!path); 512 513 if (type) { 514 struct file_system_type *fstype; 515 516 fstype = get_fs_type(type); 517 if (!fstype) 518 return -ENODEV; 519 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 520 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 521 put_filesystem(fstype); 522 523 if (requires_dev) { 524 if (!dev_name || !*dev_name) 525 return -ENOENT; 526 527 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 528 if (error) 529 return error; 530 dev_path = &tmp_path; 531 } 532 } 533 534 get_buffers(buffer, dev_buffer); 535 if (dev_path) { 536 error = fn_for_each_confined(label, profile, 537 match_mnt(profile, path, buffer, dev_path, dev_buffer, 538 type, flags, data, binary)); 539 } else { 540 error = fn_for_each_confined(label, profile, 541 match_mnt_path_str(profile, path, buffer, dev_name, 542 type, flags, data, binary, NULL)); 543 } 544 put_buffers(buffer, dev_buffer); 545 if (dev_path) 546 path_put(dev_path); 547 548 return error; 549 } 550 551 static int profile_umount(struct aa_profile *profile, struct path *path, 552 char *buffer) 553 { 554 struct aa_perms perms = { }; 555 const char *name = NULL, *info = NULL; 556 unsigned int state; 557 int error; 558 559 AA_BUG(!profile); 560 AA_BUG(!path); 561 562 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 563 &info, profile->disconnected); 564 if (error) 565 goto audit; 566 567 state = aa_dfa_match(profile->policy.dfa, 568 profile->policy.start[AA_CLASS_MOUNT], 569 name); 570 perms = compute_mnt_perms(profile->policy.dfa, state); 571 if (AA_MAY_UMOUNT & ~perms.allow) 572 error = -EACCES; 573 574 audit: 575 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL, 576 AA_MAY_UMOUNT, &perms, info, error); 577 } 578 579 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags) 580 { 581 struct aa_profile *profile; 582 char *buffer = NULL; 583 int error; 584 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 585 586 AA_BUG(!label); 587 AA_BUG(!mnt); 588 589 get_buffers(buffer); 590 error = fn_for_each_confined(label, profile, 591 profile_umount(profile, &path, buffer)); 592 put_buffers(buffer); 593 594 return error; 595 } 596 597 /* helper fn for transition on pivotroot 598 * 599 * Returns: label for transition or ERR_PTR. Does not return NULL 600 */ 601 static struct aa_label *build_pivotroot(struct aa_profile *profile, 602 const struct path *new_path, 603 char *new_buffer, 604 const struct path *old_path, 605 char *old_buffer) 606 { 607 const char *old_name, *new_name = NULL, *info = NULL; 608 const char *trans_name = NULL; 609 struct aa_perms perms = { }; 610 unsigned int state; 611 int error; 612 613 AA_BUG(!profile); 614 AA_BUG(!new_path); 615 AA_BUG(!old_path); 616 617 if (profile_unconfined(profile)) 618 return aa_get_newest_label(&profile->label); 619 620 error = aa_path_name(old_path, path_flags(profile, old_path), 621 old_buffer, &old_name, &info, 622 profile->disconnected); 623 if (error) 624 goto audit; 625 error = aa_path_name(new_path, path_flags(profile, new_path), 626 new_buffer, &new_name, &info, 627 profile->disconnected); 628 if (error) 629 goto audit; 630 631 error = -EACCES; 632 state = aa_dfa_match(profile->policy.dfa, 633 profile->policy.start[AA_CLASS_MOUNT], 634 new_name); 635 state = aa_dfa_null_transition(profile->policy.dfa, state); 636 state = aa_dfa_match(profile->policy.dfa, state, old_name); 637 perms = compute_mnt_perms(profile->policy.dfa, state); 638 639 if (AA_MAY_PIVOTROOT & perms.allow) 640 error = 0; 641 642 audit: 643 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name, 644 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 645 &perms, info, error); 646 if (error) 647 return ERR_PTR(error); 648 649 return aa_get_newest_label(&profile->label); 650 } 651 652 int aa_pivotroot(struct aa_label *label, const struct path *old_path, 653 const struct path *new_path) 654 { 655 struct aa_profile *profile; 656 struct aa_label *target = NULL; 657 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 658 int error; 659 660 AA_BUG(!label); 661 AA_BUG(!old_path); 662 AA_BUG(!new_path); 663 664 get_buffers(old_buffer, new_buffer); 665 target = fn_label_build(label, profile, GFP_ATOMIC, 666 build_pivotroot(profile, new_path, new_buffer, 667 old_path, old_buffer)); 668 if (!target) { 669 info = "label build failed"; 670 error = -ENOMEM; 671 goto fail; 672 } else if (!IS_ERR(target)) { 673 error = aa_replace_current_label(target); 674 if (error) { 675 /* TODO: audit target */ 676 aa_put_label(target); 677 goto out; 678 } 679 } else 680 /* already audited error */ 681 error = PTR_ERR(target); 682 out: 683 put_buffers(old_buffer, new_buffer); 684 685 return error; 686 687 fail: 688 /* TODO: add back in auditing of new_name and old_name */ 689 error = fn_for_each(label, profile, 690 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */, 691 NULL /* old_name */, 692 NULL, NULL, 693 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 694 error)); 695 goto out; 696 } 697