1 /* 2 * AppArmor security module 3 * 4 * This file contains AppArmor mediation of files 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2017 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15 #include <linux/fs.h> 16 #include <linux/mount.h> 17 #include <linux/namei.h> 18 19 #include "include/apparmor.h" 20 #include "include/audit.h" 21 #include "include/context.h" 22 #include "include/domain.h" 23 #include "include/file.h" 24 #include "include/match.h" 25 #include "include/mount.h" 26 #include "include/path.h" 27 #include "include/policy.h" 28 29 30 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) 31 { 32 if (flags & MS_RDONLY) 33 audit_log_format(ab, "ro"); 34 else 35 audit_log_format(ab, "rw"); 36 if (flags & MS_NOSUID) 37 audit_log_format(ab, ", nosuid"); 38 if (flags & MS_NODEV) 39 audit_log_format(ab, ", nodev"); 40 if (flags & MS_NOEXEC) 41 audit_log_format(ab, ", noexec"); 42 if (flags & MS_SYNCHRONOUS) 43 audit_log_format(ab, ", sync"); 44 if (flags & MS_REMOUNT) 45 audit_log_format(ab, ", remount"); 46 if (flags & MS_MANDLOCK) 47 audit_log_format(ab, ", mand"); 48 if (flags & MS_DIRSYNC) 49 audit_log_format(ab, ", dirsync"); 50 if (flags & MS_NOATIME) 51 audit_log_format(ab, ", noatime"); 52 if (flags & MS_NODIRATIME) 53 audit_log_format(ab, ", nodiratime"); 54 if (flags & MS_BIND) 55 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); 56 if (flags & MS_MOVE) 57 audit_log_format(ab, ", move"); 58 if (flags & MS_SILENT) 59 audit_log_format(ab, ", silent"); 60 if (flags & MS_POSIXACL) 61 audit_log_format(ab, ", acl"); 62 if (flags & MS_UNBINDABLE) 63 audit_log_format(ab, flags & MS_REC ? ", runbindable" : 64 ", unbindable"); 65 if (flags & MS_PRIVATE) 66 audit_log_format(ab, flags & MS_REC ? ", rprivate" : 67 ", private"); 68 if (flags & MS_SLAVE) 69 audit_log_format(ab, flags & MS_REC ? ", rslave" : 70 ", slave"); 71 if (flags & MS_SHARED) 72 audit_log_format(ab, flags & MS_REC ? ", rshared" : 73 ", shared"); 74 if (flags & MS_RELATIME) 75 audit_log_format(ab, ", relatime"); 76 if (flags & MS_I_VERSION) 77 audit_log_format(ab, ", iversion"); 78 if (flags & MS_STRICTATIME) 79 audit_log_format(ab, ", strictatime"); 80 if (flags & MS_NOUSER) 81 audit_log_format(ab, ", nouser"); 82 } 83 84 /** 85 * audit_cb - call back for mount specific audit fields 86 * @ab: audit_buffer (NOT NULL) 87 * @va: audit struct to audit values of (NOT NULL) 88 */ 89 static void audit_cb(struct audit_buffer *ab, void *va) 90 { 91 struct common_audit_data *sa = va; 92 93 if (aad(sa)->mnt.type) { 94 audit_log_format(ab, " fstype="); 95 audit_log_untrustedstring(ab, aad(sa)->mnt.type); 96 } 97 if (aad(sa)->mnt.src_name) { 98 audit_log_format(ab, " srcname="); 99 audit_log_untrustedstring(ab, aad(sa)->mnt.src_name); 100 } 101 if (aad(sa)->mnt.trans) { 102 audit_log_format(ab, " trans="); 103 audit_log_untrustedstring(ab, aad(sa)->mnt.trans); 104 } 105 if (aad(sa)->mnt.flags) { 106 audit_log_format(ab, " flags=\""); 107 audit_mnt_flags(ab, aad(sa)->mnt.flags); 108 audit_log_format(ab, "\""); 109 } 110 if (aad(sa)->mnt.data) { 111 audit_log_format(ab, " options="); 112 audit_log_untrustedstring(ab, aad(sa)->mnt.data); 113 } 114 } 115 116 /** 117 * audit_mount - handle the auditing of mount operations 118 * @profile: the profile being enforced (NOT NULL) 119 * @op: operation being mediated (NOT NULL) 120 * @name: name of object being mediated (MAYBE NULL) 121 * @src_name: src_name of object being mediated (MAYBE_NULL) 122 * @type: type of filesystem (MAYBE_NULL) 123 * @trans: name of trans (MAYBE NULL) 124 * @flags: filesystem idependent mount flags 125 * @data: filesystem mount flags 126 * @request: permissions requested 127 * @perms: the permissions computed for the request (NOT NULL) 128 * @info: extra information message (MAYBE NULL) 129 * @error: 0 if operation allowed else failure error code 130 * 131 * Returns: %0 or error on failure 132 */ 133 static int audit_mount(struct aa_profile *profile, const char *op, 134 const char *name, const char *src_name, 135 const char *type, const char *trans, 136 unsigned long flags, const void *data, u32 request, 137 struct aa_perms *perms, const char *info, int error) 138 { 139 int audit_type = AUDIT_APPARMOR_AUTO; 140 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op); 141 142 if (likely(!error)) { 143 u32 mask = perms->audit; 144 145 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) 146 mask = 0xffff; 147 148 /* mask off perms that are not being force audited */ 149 request &= mask; 150 151 if (likely(!request)) 152 return 0; 153 audit_type = AUDIT_APPARMOR_AUDIT; 154 } else { 155 /* only report permissions that were denied */ 156 request = request & ~perms->allow; 157 158 if (request & perms->kill) 159 audit_type = AUDIT_APPARMOR_KILL; 160 161 /* quiet known rejects, assumes quiet and kill do not overlap */ 162 if ((request & perms->quiet) && 163 AUDIT_MODE(profile) != AUDIT_NOQUIET && 164 AUDIT_MODE(profile) != AUDIT_ALL) 165 request &= ~perms->quiet; 166 167 if (!request) 168 return error; 169 } 170 171 aad(&sa)->name = name; 172 aad(&sa)->mnt.src_name = src_name; 173 aad(&sa)->mnt.type = type; 174 aad(&sa)->mnt.trans = trans; 175 aad(&sa)->mnt.flags = flags; 176 if (data && (perms->audit & AA_AUDIT_DATA)) 177 aad(&sa)->mnt.data = data; 178 aad(&sa)->info = info; 179 aad(&sa)->error = error; 180 181 return aa_audit(audit_type, profile, &sa, audit_cb); 182 } 183 184 /** 185 * match_mnt_flags - Do an ordered match on mount flags 186 * @dfa: dfa to match against 187 * @state: state to start in 188 * @flags: mount flags to match against 189 * 190 * Mount flags are encoded as an ordered match. This is done instead of 191 * checking against a simple bitmask, to allow for logical operations 192 * on the flags. 193 * 194 * Returns: next state after flags match 195 */ 196 static unsigned int match_mnt_flags(struct aa_dfa *dfa, unsigned int state, 197 unsigned long flags) 198 { 199 unsigned int i; 200 201 for (i = 0; i <= 31 ; ++i) { 202 if ((1 << i) & flags) 203 state = aa_dfa_next(dfa, state, i + 1); 204 } 205 206 return state; 207 } 208 209 /** 210 * compute_mnt_perms - compute mount permission associated with @state 211 * @dfa: dfa to match against (NOT NULL) 212 * @state: state match finished in 213 * 214 * Returns: mount permissions 215 */ 216 static struct aa_perms compute_mnt_perms(struct aa_dfa *dfa, 217 unsigned int state) 218 { 219 struct aa_perms perms = { 220 .allow = dfa_user_allow(dfa, state), 221 .audit = dfa_user_audit(dfa, state), 222 .quiet = dfa_user_quiet(dfa, state), 223 .xindex = dfa_user_xindex(dfa, state), 224 }; 225 226 return perms; 227 } 228 229 static const char * const mnt_info_table[] = { 230 "match succeeded", 231 "failed mntpnt match", 232 "failed srcname match", 233 "failed type match", 234 "failed flags match", 235 "failed data match" 236 }; 237 238 /* 239 * Returns 0 on success else element that match failed in, this is the 240 * index into the mnt_info_table above 241 */ 242 static int do_match_mnt(struct aa_dfa *dfa, unsigned int start, 243 const char *mntpnt, const char *devname, 244 const char *type, unsigned long flags, 245 void *data, bool binary, struct aa_perms *perms) 246 { 247 unsigned int state; 248 249 AA_BUG(!dfa); 250 AA_BUG(!perms); 251 252 state = aa_dfa_match(dfa, start, mntpnt); 253 state = aa_dfa_null_transition(dfa, state); 254 if (!state) 255 return 1; 256 257 if (devname) 258 state = aa_dfa_match(dfa, state, devname); 259 state = aa_dfa_null_transition(dfa, state); 260 if (!state) 261 return 2; 262 263 if (type) 264 state = aa_dfa_match(dfa, state, type); 265 state = aa_dfa_null_transition(dfa, state); 266 if (!state) 267 return 3; 268 269 state = match_mnt_flags(dfa, state, flags); 270 if (!state) 271 return 4; 272 *perms = compute_mnt_perms(dfa, state); 273 if (perms->allow & AA_MAY_MOUNT) 274 return 0; 275 276 /* only match data if not binary and the DFA flags data is expected */ 277 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { 278 state = aa_dfa_null_transition(dfa, state); 279 if (!state) 280 return 4; 281 282 state = aa_dfa_match(dfa, state, data); 283 if (!state) 284 return 5; 285 *perms = compute_mnt_perms(dfa, state); 286 if (perms->allow & AA_MAY_MOUNT) 287 return 0; 288 } 289 290 /* failed at end of flags match */ 291 return 4; 292 } 293 294 295 static int path_flags(struct aa_profile *profile, const struct path *path) 296 { 297 AA_BUG(!profile); 298 AA_BUG(!path); 299 300 return profile->path_flags | 301 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); 302 } 303 304 /** 305 * match_mnt_path_str - handle path matching for mount 306 * @profile: the confining profile 307 * @mntpath: for the mntpnt (NOT NULL) 308 * @buffer: buffer to be used to lookup mntpath 309 * @devnme: string for the devname/src_name (MAY BE NULL OR ERRPTR) 310 * @type: string for the dev type (MAYBE NULL) 311 * @flags: mount flags to match 312 * @data: fs mount data (MAYBE NULL) 313 * @binary: whether @data is binary 314 * @devinfo: error str if (IS_ERR(@devname)) 315 * 316 * Returns: 0 on success else error 317 */ 318 static int match_mnt_path_str(struct aa_profile *profile, 319 const struct path *mntpath, char *buffer, 320 const char *devname, const char *type, 321 unsigned long flags, void *data, bool binary, 322 const char *devinfo) 323 { 324 struct aa_perms perms = { }; 325 const char *mntpnt = NULL, *info = NULL; 326 int pos, error; 327 328 AA_BUG(!profile); 329 AA_BUG(!mntpath); 330 AA_BUG(!buffer); 331 332 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, 333 &mntpnt, &info, profile->disconnected); 334 if (error) 335 goto audit; 336 if (IS_ERR(devname)) { 337 error = PTR_ERR(devname); 338 devname = NULL; 339 info = devinfo; 340 goto audit; 341 } 342 343 error = -EACCES; 344 pos = do_match_mnt(profile->policy.dfa, 345 profile->policy.start[AA_CLASS_MOUNT], 346 mntpnt, devname, type, flags, data, binary, &perms); 347 if (pos) { 348 info = mnt_info_table[pos]; 349 goto audit; 350 } 351 error = 0; 352 353 audit: 354 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL, 355 flags, data, AA_MAY_MOUNT, &perms, info, error); 356 } 357 358 /** 359 * match_mnt - handle path matching for mount 360 * @profile: the confining profile 361 * @mntpath: for the mntpnt (NOT NULL) 362 * @buffer: buffer to be used to lookup mntpath 363 * @devpath: path devname/src_name (MAYBE NULL) 364 * @devbuffer: buffer to be used to lookup devname/src_name 365 * @type: string for the dev type (MAYBE NULL) 366 * @flags: mount flags to match 367 * @data: fs mount data (MAYBE NULL) 368 * @binary: whether @data is binary 369 * 370 * Returns: 0 on success else error 371 */ 372 static int match_mnt(struct aa_profile *profile, const struct path *path, 373 char *buffer, struct path *devpath, char *devbuffer, 374 const char *type, unsigned long flags, void *data, 375 bool binary) 376 { 377 const char *devname = NULL, *info = NULL; 378 int error = -EACCES; 379 380 AA_BUG(!profile); 381 AA_BUG(devpath && !devbuffer); 382 383 if (devpath) { 384 error = aa_path_name(devpath, path_flags(profile, devpath), 385 devbuffer, &devname, &info, 386 profile->disconnected); 387 if (error) 388 devname = ERR_PTR(error); 389 } 390 391 return match_mnt_path_str(profile, path, buffer, devname, type, flags, 392 data, binary, info); 393 } 394 395 int aa_remount(struct aa_label *label, const struct path *path, 396 unsigned long flags, void *data) 397 { 398 struct aa_profile *profile; 399 char *buffer = NULL; 400 bool binary; 401 int error; 402 403 AA_BUG(!label); 404 AA_BUG(!path); 405 406 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; 407 408 get_buffers(buffer); 409 error = fn_for_each_confined(label, profile, 410 match_mnt(profile, path, buffer, NULL, NULL, NULL, 411 flags, data, binary)); 412 put_buffers(buffer); 413 414 return error; 415 } 416 417 int aa_bind_mount(struct aa_label *label, const struct path *path, 418 const char *dev_name, unsigned long flags) 419 { 420 struct aa_profile *profile; 421 char *buffer = NULL, *old_buffer = NULL; 422 struct path old_path; 423 int error; 424 425 AA_BUG(!label); 426 AA_BUG(!path); 427 428 if (!dev_name || !*dev_name) 429 return -EINVAL; 430 431 flags &= MS_REC | MS_BIND; 432 433 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); 434 if (error) 435 return error; 436 437 get_buffers(buffer, old_buffer); 438 error = fn_for_each_confined(label, profile, 439 match_mnt(profile, path, buffer, &old_path, old_buffer, 440 NULL, flags, NULL, false)); 441 put_buffers(buffer, old_buffer); 442 path_put(&old_path); 443 444 return error; 445 } 446 447 int aa_mount_change_type(struct aa_label *label, const struct path *path, 448 unsigned long flags) 449 { 450 struct aa_profile *profile; 451 char *buffer = NULL; 452 int error; 453 454 AA_BUG(!label); 455 AA_BUG(!path); 456 457 /* These are the flags allowed by do_change_type() */ 458 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | 459 MS_UNBINDABLE); 460 461 get_buffers(buffer); 462 error = fn_for_each_confined(label, profile, 463 match_mnt(profile, path, buffer, NULL, NULL, NULL, 464 flags, NULL, false)); 465 put_buffers(buffer); 466 467 return error; 468 } 469 470 int aa_move_mount(struct aa_label *label, const struct path *path, 471 const char *orig_name) 472 { 473 struct aa_profile *profile; 474 char *buffer = NULL, *old_buffer = NULL; 475 struct path old_path; 476 int error; 477 478 AA_BUG(!label); 479 AA_BUG(!path); 480 481 if (!orig_name || !*orig_name) 482 return -EINVAL; 483 484 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); 485 if (error) 486 return error; 487 488 get_buffers(buffer, old_buffer); 489 error = fn_for_each_confined(label, profile, 490 match_mnt(profile, path, buffer, &old_path, old_buffer, 491 NULL, MS_MOVE, NULL, false)); 492 put_buffers(buffer, old_buffer); 493 path_put(&old_path); 494 495 return error; 496 } 497 498 int aa_new_mount(struct aa_label *label, const char *dev_name, 499 const struct path *path, const char *type, unsigned long flags, 500 void *data) 501 { 502 struct aa_profile *profile; 503 char *buffer = NULL, *dev_buffer = NULL; 504 bool binary = true; 505 int error; 506 int requires_dev = 0; 507 struct path tmp_path, *dev_path = NULL; 508 509 AA_BUG(!label); 510 AA_BUG(!path); 511 512 if (type) { 513 struct file_system_type *fstype; 514 515 fstype = get_fs_type(type); 516 if (!fstype) 517 return -ENODEV; 518 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; 519 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; 520 put_filesystem(fstype); 521 522 if (requires_dev) { 523 if (!dev_name || !*dev_name) 524 return -ENOENT; 525 526 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); 527 if (error) 528 return error; 529 dev_path = &tmp_path; 530 } 531 } 532 533 get_buffers(buffer, dev_buffer); 534 if (dev_path) { 535 error = fn_for_each_confined(label, profile, 536 match_mnt(profile, path, buffer, dev_path, dev_buffer, 537 type, flags, data, binary)); 538 } else { 539 error = fn_for_each_confined(label, profile, 540 match_mnt_path_str(profile, path, buffer, dev_name, 541 type, flags, data, binary, NULL)); 542 } 543 put_buffers(buffer, dev_buffer); 544 if (dev_path) 545 path_put(dev_path); 546 547 return error; 548 } 549 550 static int profile_umount(struct aa_profile *profile, struct path *path, 551 char *buffer) 552 { 553 struct aa_perms perms = { }; 554 const char *name = NULL, *info = NULL; 555 unsigned int state; 556 int error; 557 558 AA_BUG(!profile); 559 AA_BUG(!path); 560 561 error = aa_path_name(path, path_flags(profile, path), buffer, &name, 562 &info, profile->disconnected); 563 if (error) 564 goto audit; 565 566 state = aa_dfa_match(profile->policy.dfa, 567 profile->policy.start[AA_CLASS_MOUNT], 568 name); 569 perms = compute_mnt_perms(profile->policy.dfa, state); 570 if (AA_MAY_UMOUNT & ~perms.allow) 571 error = -EACCES; 572 573 audit: 574 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL, 575 AA_MAY_UMOUNT, &perms, info, error); 576 } 577 578 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags) 579 { 580 struct aa_profile *profile; 581 char *buffer = NULL; 582 int error; 583 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; 584 585 AA_BUG(!label); 586 AA_BUG(!mnt); 587 588 get_buffers(buffer); 589 error = fn_for_each_confined(label, profile, 590 profile_umount(profile, &path, buffer)); 591 put_buffers(buffer); 592 593 return error; 594 } 595 596 /* helper fn for transition on pivotroot 597 * 598 * Returns: label for transition or ERR_PTR. Does not return NULL 599 */ 600 static struct aa_label *build_pivotroot(struct aa_profile *profile, 601 const struct path *new_path, 602 char *new_buffer, 603 const struct path *old_path, 604 char *old_buffer) 605 { 606 const char *old_name, *new_name = NULL, *info = NULL; 607 const char *trans_name = NULL; 608 struct aa_perms perms = { }; 609 unsigned int state; 610 int error; 611 612 AA_BUG(!profile); 613 AA_BUG(!new_path); 614 AA_BUG(!old_path); 615 616 if (profile_unconfined(profile)) 617 return aa_get_newest_label(&profile->label); 618 619 error = aa_path_name(old_path, path_flags(profile, old_path), 620 old_buffer, &old_name, &info, 621 profile->disconnected); 622 if (error) 623 goto audit; 624 error = aa_path_name(new_path, path_flags(profile, new_path), 625 new_buffer, &new_name, &info, 626 profile->disconnected); 627 if (error) 628 goto audit; 629 630 error = -EACCES; 631 state = aa_dfa_match(profile->policy.dfa, 632 profile->policy.start[AA_CLASS_MOUNT], 633 new_name); 634 state = aa_dfa_null_transition(profile->policy.dfa, state); 635 state = aa_dfa_match(profile->policy.dfa, state, old_name); 636 perms = compute_mnt_perms(profile->policy.dfa, state); 637 638 if (AA_MAY_PIVOTROOT & perms.allow) 639 error = 0; 640 641 audit: 642 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name, 643 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, 644 &perms, info, error); 645 if (error) 646 return ERR_PTR(error); 647 648 return aa_get_newest_label(&profile->label); 649 } 650 651 int aa_pivotroot(struct aa_label *label, const struct path *old_path, 652 const struct path *new_path) 653 { 654 struct aa_profile *profile; 655 struct aa_label *target = NULL; 656 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; 657 int error; 658 659 AA_BUG(!label); 660 AA_BUG(!old_path); 661 AA_BUG(!new_path); 662 663 get_buffers(old_buffer, new_buffer); 664 target = fn_label_build(label, profile, GFP_ATOMIC, 665 build_pivotroot(profile, new_path, new_buffer, 666 old_path, old_buffer)); 667 if (!target) { 668 info = "label build failed"; 669 error = -ENOMEM; 670 goto fail; 671 } else if (!IS_ERR(target)) { 672 error = aa_replace_current_label(target); 673 if (error) { 674 /* TODO: audit target */ 675 aa_put_label(target); 676 goto out; 677 } 678 } else 679 /* already audited error */ 680 error = PTR_ERR(target); 681 out: 682 put_buffers(old_buffer, new_buffer); 683 684 return error; 685 686 fail: 687 /* TODO: add back in auditing of new_name and old_name */ 688 error = fn_for_each(label, profile, 689 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */, 690 NULL /* old_name */, 691 NULL, NULL, 692 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, 693 error)); 694 goto out; 695 } 696