xref: /openbmc/linux/security/apparmor/path.c (revision 3213486f) 
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor function for pathnames
5  *
6  * Copyright (C) 1998-2008 Novell/SUSE
7  * Copyright 2009-2010 Canonical Ltd.
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as
11  * published by the Free Software Foundation, version 2 of the
12  * License.
13  */
14 
15 #include <linux/magic.h>
16 #include <linux/mount.h>
17 #include <linux/namei.h>
18 #include <linux/nsproxy.h>
19 #include <linux/path.h>
20 #include <linux/sched.h>
21 #include <linux/slab.h>
22 #include <linux/fs_struct.h>
23 
24 #include "include/apparmor.h"
25 #include "include/path.h"
26 #include "include/policy.h"
27 
28 /* modified from dcache.c */
29 static int prepend(char **buffer, int buflen, const char *str, int namelen)
30 {
31 	buflen -= namelen;
32 	if (buflen < 0)
33 		return -ENAMETOOLONG;
34 	*buffer -= namelen;
35 	memcpy(*buffer, str, namelen);
36 	return 0;
37 }
38 
39 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
40 
41 /* If the path is not connected to the expected root,
42  * check if it is a sysctl and handle specially else remove any
43  * leading / that __d_path may have returned.
44  * Unless
45  *     specifically directed to connect the path,
46  * OR
47  *     if in a chroot and doing chroot relative paths and the path
48  *     resolves to the namespace root (would be connected outside
49  *     of chroot) and specifically directed to connect paths to
50  *     namespace root.
51  */
52 static int disconnect(const struct path *path, char *buf, char **name,
53 		      int flags, const char *disconnected)
54 {
55 	int error = 0;
56 
57 	if (!(flags & PATH_CONNECT_PATH) &&
58 	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
59 	      our_mnt(path->mnt))) {
60 		/* disconnected path, don't return pathname starting
61 		 * with '/'
62 		 */
63 		error = -EACCES;
64 		if (**name == '/')
65 			*name = *name + 1;
66 	} else {
67 		if (**name != '/')
68 			/* CONNECT_PATH with missing root */
69 			error = prepend(name, *name - buf, "/", 1);
70 		if (!error && disconnected)
71 			error = prepend(name, *name - buf, disconnected,
72 					strlen(disconnected));
73 	}
74 
75 	return error;
76 }
77 
78 /**
79  * d_namespace_path - lookup a name associated with a given path
80  * @path: path to lookup  (NOT NULL)
81  * @buf:  buffer to store path to  (NOT NULL)
82  * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
83  * @flags: flags controlling path lookup
84  * @disconnected: string to prefix to disconnected paths
85  *
86  * Handle path name lookup.
87  *
88  * Returns: %0 else error code if path lookup fails
89  *          When no error the path name is returned in @name which points to
90  *          to a position in @buf
91  */
92 static int d_namespace_path(const struct path *path, char *buf, char **name,
93 			    int flags, const char *disconnected)
94 {
95 	char *res;
96 	int error = 0;
97 	int connected = 1;
98 	int isdir = (flags & PATH_IS_DIR) ? 1 : 0;
99 	int buflen = aa_g_path_max - isdir;
100 
101 	if (path->mnt->mnt_flags & MNT_INTERNAL) {
102 		/* it's not mounted anywhere */
103 		res = dentry_path(path->dentry, buf, buflen);
104 		*name = res;
105 		if (IS_ERR(res)) {
106 			*name = buf;
107 			return PTR_ERR(res);
108 		}
109 		if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
110 		    strncmp(*name, "/sys/", 5) == 0) {
111 			/* TODO: convert over to using a per namespace
112 			 * control instead of hard coded /proc
113 			 */
114 			error = prepend(name, *name - buf, "/proc", 5);
115 			goto out;
116 		} else
117 			error = disconnect(path, buf, name, flags,
118 					   disconnected);
119 		goto out;
120 	}
121 
122 	/* resolve paths relative to chroot?*/
123 	if (flags & PATH_CHROOT_REL) {
124 		struct path root;
125 		get_fs_root(current->fs, &root);
126 		res = __d_path(path, &root, buf, buflen);
127 		path_put(&root);
128 	} else {
129 		res = d_absolute_path(path, buf, buflen);
130 		if (!our_mnt(path->mnt))
131 			connected = 0;
132 	}
133 
134 	/* handle error conditions - and still allow a partial path to
135 	 * be returned.
136 	 */
137 	if (!res || IS_ERR(res)) {
138 		if (PTR_ERR(res) == -ENAMETOOLONG) {
139 			error = -ENAMETOOLONG;
140 			*name = buf;
141 			goto out;
142 		}
143 		connected = 0;
144 		res = dentry_path_raw(path->dentry, buf, buflen);
145 		if (IS_ERR(res)) {
146 			error = PTR_ERR(res);
147 			*name = buf;
148 			goto out;
149 		};
150 	} else if (!our_mnt(path->mnt))
151 		connected = 0;
152 
153 	*name = res;
154 
155 	if (!connected)
156 		error = disconnect(path, buf, name, flags, disconnected);
157 
158 	/* Handle two cases:
159 	 * 1. A deleted dentry && profile is not allowing mediation of deleted
160 	 * 2. On some filesystems, newly allocated dentries appear to the
161 	 *    security_path hooks as a deleted dentry except without an inode
162 	 *    allocated.
163 	 */
164 	if (d_unlinked(path->dentry) && d_is_positive(path->dentry) &&
165 	    !(flags & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))) {
166 			error = -ENOENT;
167 			goto out;
168 	}
169 
170 out:
171 	/*
172 	 * Append "/" to the pathname.  The root directory is a special
173 	 * case; it already ends in slash.
174 	 */
175 	if (!error && isdir && ((*name)[1] != '\0' || (*name)[0] != '/'))
176 		strcpy(&buf[aa_g_path_max - 2], "/");
177 
178 	return error;
179 }
180 
181 /**
182  * aa_path_name - get the pathname to a buffer ensure dir / is appended
183  * @path: path the file  (NOT NULL)
184  * @flags: flags controlling path name generation
185  * @buffer: buffer to put name in (NOT NULL)
186  * @name: Returns - the generated path name if !error (NOT NULL)
187  * @info: Returns - information on why the path lookup failed (MAYBE NULL)
188  * @disconnected: string to prepend to disconnected paths
189  *
190  * @name is a pointer to the beginning of the pathname (which usually differs
191  * from the beginning of the buffer), or NULL.  If there is an error @name
192  * may contain a partial or invalid name that can be used for audit purposes,
193  * but it can not be used for mediation.
194  *
195  * We need PATH_IS_DIR to indicate whether the file is a directory or not
196  * because the file may not yet exist, and so we cannot check the inode's
197  * file type.
198  *
199  * Returns: %0 else error code if could retrieve name
200  */
201 int aa_path_name(const struct path *path, int flags, char *buffer,
202 		 const char **name, const char **info, const char *disconnected)
203 {
204 	char *str = NULL;
205 	int error = d_namespace_path(path, buffer, &str, flags, disconnected);
206 
207 	if (info && error) {
208 		if (error == -ENOENT)
209 			*info = "Failed name lookup - deleted entry";
210 		else if (error == -EACCES)
211 			*info = "Failed name lookup - disconnected path";
212 		else if (error == -ENAMETOOLONG)
213 			*info = "Failed name lookup - name too long";
214 		else
215 			*info = "Failed name lookup";
216 	}
217 
218 	*name = str;
219 
220 	return error;
221 }
222