lsm.c 24.3 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
/*
 * AppArmor security module
 *
 * This file contains AppArmor LSM hooks.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

C
Casey Schaufler 已提交
15
#include <linux/lsm_hooks.h>
16 17 18 19 20 21 22 23 24
#include <linux/moduleparam.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/ptrace.h>
#include <linux/ctype.h>
#include <linux/sysctl.h>
#include <linux/audit.h>
25
#include <linux/user_namespace.h>
26 27 28 29 30 31 32 33 34 35 36
#include <net/sock.h>

#include "include/apparmor.h"
#include "include/apparmorfs.h"
#include "include/audit.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/file.h"
#include "include/ipc.h"
#include "include/path.h"
#include "include/policy.h"
37
#include "include/policy_ns.h"
38 39 40 41 42 43 44 45 46 47
#include "include/procattr.h"

/* Flag indicating whether initialization completed */
int apparmor_initialized __initdata;

/*
 * LSM hook functions
 */

/*
48
 * free the associated aa_task_ctx and put its profiles
49 50 51
 */
static void apparmor_cred_free(struct cred *cred)
{
52 53
	aa_free_task_context(cred_ctx(cred));
	cred_ctx(cred) = NULL;
54 55 56 57 58 59 60 61
}

/*
 * allocate the apparmor part of blank credentials
 */
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	/* freed by apparmor_cred_free */
62 63 64
	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);

	if (!ctx)
65 66
		return -ENOMEM;

67
	cred_ctx(cred) = ctx;
68 69 70 71
	return 0;
}

/*
72
 * prepare new aa_task_ctx for modification by prepare_cred block
73 74 75 76 77
 */
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
				 gfp_t gfp)
{
	/* freed by apparmor_cred_free */
78 79 80
	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);

	if (!ctx)
81 82
		return -ENOMEM;

83 84
	aa_dup_task_context(ctx, cred_ctx(old));
	cred_ctx(new) = ctx;
85 86 87 88 89 90 91 92
	return 0;
}

/*
 * transfer the apparmor data to a blank set of creds
 */
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
93 94
	const struct aa_task_ctx *old_ctx = cred_ctx(old);
	struct aa_task_ctx *new_ctx = cred_ctx(new);
95

96
	aa_dup_task_context(new_ctx, old_ctx);
97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120
}

static int apparmor_ptrace_access_check(struct task_struct *child,
					unsigned int mode)
{
	return aa_ptrace(current, child, mode);
}

static int apparmor_ptrace_traceme(struct task_struct *parent)
{
	return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
}

/* Derived from security/commoncap.c:cap_capget */
static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
			   kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
	struct aa_profile *profile;
	const struct cred *cred;

	rcu_read_lock();
	cred = __task_cred(target);
	profile = aa_cred_profile(cred);

C
Casey Schaufler 已提交
121 122 123 124
	/*
	 * cap_capget is stacked ahead of this and will
	 * initialize effective and permitted.
	 */
125
	if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
126 127 128 129 130 131 132 133
		*effective = cap_intersect(*effective, profile->caps.allow);
		*permitted = cap_intersect(*permitted, profile->caps.allow);
	}
	rcu_read_unlock();

	return 0;
}

134 135
static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
			    int cap, int audit)
136 137
{
	struct aa_profile *profile;
C
Casey Schaufler 已提交
138 139 140 141 142
	int error = 0;

	profile = aa_cred_profile(cred);
	if (!unconfined(profile))
		error = aa_capable(profile, cap, audit);
143 144 145 146 147 148 149 150 151 152 153 154
	return error;
}

/**
 * common_perm - basic common permission check wrapper fn for paths
 * @op: operation being checked
 * @path: path to check permission of  (NOT NULL)
 * @mask: requested permissions mask
 * @cond: conditional info for the permission request  (NOT NULL)
 *
 * Returns: %0 else error code if error or permission denied
 */
155
static int common_perm(const char *op, const struct path *path, u32 mask,
156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177
		       struct path_cond *cond)
{
	struct aa_profile *profile;
	int error = 0;

	profile = __aa_current_profile();
	if (!unconfined(profile))
		error = aa_path_perm(op, profile, path, 0, mask, cond);

	return error;
}

/**
 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
 * @op: operation being checked
 * @dir: directory of the dentry  (NOT NULL)
 * @dentry: dentry to check  (NOT NULL)
 * @mask: requested permissions mask
 * @cond: conditional info for the permission request  (NOT NULL)
 *
 * Returns: %0 else error code if error or permission denied
 */
178
static int common_perm_dir_dentry(const char *op, const struct path *dir,
179 180 181
				  struct dentry *dentry, u32 mask,
				  struct path_cond *cond)
{
182
	struct path path = { .mnt = dir->mnt, .dentry = dentry };
183 184 185 186 187

	return common_perm(op, &path, mask, cond);
}

/**
188
 * common_perm_path - common permission wrapper when mnt, dentry
189
 * @op: operation being checked
190
 * @path: location to check (NOT NULL)
191 192 193 194
 * @mask: requested permissions mask
 *
 * Returns: %0 else error code if error or permission denied
 */
195 196
static inline int common_perm_path(const char *op, const struct path *path,
				   u32 mask)
197
{
198 199
	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
				  d_backing_inode(path->dentry)->i_mode
200
	};
201
	if (!path_mediated_fs(path->dentry))
202
		return 0;
203

204
	return common_perm(op, path, mask, &cond);
205 206 207 208 209 210 211 212 213 214 215
}

/**
 * common_perm_rm - common permission wrapper for operations doing rm
 * @op: operation being checked
 * @dir: directory that the dentry is in  (NOT NULL)
 * @dentry: dentry being rm'd  (NOT NULL)
 * @mask: requested permission mask
 *
 * Returns: %0 else error code if error or permission denied
 */
216
static int common_perm_rm(const char *op, const struct path *dir,
217 218
			  struct dentry *dentry, u32 mask)
{
219
	struct inode *inode = d_backing_inode(dentry);
220 221
	struct path_cond cond = { };

222
	if (!inode || !path_mediated_fs(dentry))
223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240
		return 0;

	cond.uid = inode->i_uid;
	cond.mode = inode->i_mode;

	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
}

/**
 * common_perm_create - common permission wrapper for operations doing create
 * @op: operation being checked
 * @dir: directory that dentry will be created in  (NOT NULL)
 * @dentry: dentry to create   (NOT NULL)
 * @mask: request permission mask
 * @mode: created file mode
 *
 * Returns: %0 else error code if error or permission denied
 */
241
static int common_perm_create(const char *op, const struct path *dir,
A
Al Viro 已提交
242
			      struct dentry *dentry, u32 mask, umode_t mode)
243 244 245
{
	struct path_cond cond = { current_fsuid(), mode };

246
	if (!path_mediated_fs(dir->dentry))
247 248 249 250 251
		return 0;

	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
}

A
Al Viro 已提交
252
static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
253 254 255 256
{
	return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
}

257
static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
A
Al Viro 已提交
258
			       umode_t mode)
259 260 261 262 263
{
	return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
				  S_IFDIR);
}

A
Al Viro 已提交
264
static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
265 266 267 268
{
	return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
}

269
static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
A
Al Viro 已提交
270
			       umode_t mode, unsigned int dev)
271 272 273 274
{
	return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
}

A
Al Viro 已提交
275
static int apparmor_path_truncate(const struct path *path)
276
{
277
	return common_perm_path(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
278 279
}

280
static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
281 282 283 284 285 286
				 const char *old_name)
{
	return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
				  S_IFLNK);
}

A
Al Viro 已提交
287
static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
288 289 290 291 292
			      struct dentry *new_dentry)
{
	struct aa_profile *profile;
	int error = 0;

293
	if (!path_mediated_fs(old_dentry))
294 295 296 297 298 299 300 301
		return 0;

	profile = aa_current_profile();
	if (!unconfined(profile))
		error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
	return error;
}

A
Al Viro 已提交
302 303
static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
				const struct path *new_dir, struct dentry *new_dentry)
304 305 306 307
{
	struct aa_profile *profile;
	int error = 0;

308
	if (!path_mediated_fs(old_dentry))
309 310 311 312
		return 0;

	profile = aa_current_profile();
	if (!unconfined(profile)) {
313 314 315 316
		struct path old_path = { .mnt = old_dir->mnt,
					 .dentry = old_dentry };
		struct path new_path = { .mnt = new_dir->mnt,
					 .dentry = new_dentry };
317 318
		struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
					  d_backing_inode(old_dentry)->i_mode
319 320 321 322 323 324 325 326 327 328 329 330 331 332 333
		};

		error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
				     MAY_READ | AA_MAY_META_READ | MAY_WRITE |
				     AA_MAY_META_WRITE | AA_MAY_DELETE,
				     &cond);
		if (!error)
			error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
					     0, MAY_WRITE | AA_MAY_META_WRITE |
					     AA_MAY_CREATE, &cond);

	}
	return error;
}

334
static int apparmor_path_chmod(const struct path *path, umode_t mode)
335
{
336
	return common_perm_path(OP_CHMOD, path, AA_MAY_CHMOD);
337 338
}

339
static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
340
{
341
	return common_perm_path(OP_CHOWN, path, AA_MAY_CHOWN);
342 343
}

344
static int apparmor_inode_getattr(const struct path *path)
345
{
346
	return common_perm_path(OP_GETATTR, path, AA_MAY_META_READ);
347 348
}

349
static int apparmor_file_open(struct file *file, const struct cred *cred)
350
{
351
	struct aa_file_ctx *fctx = file->f_security;
352 353 354
	struct aa_profile *profile;
	int error = 0;

355
	if (!path_mediated_fs(file->f_path.dentry))
356 357 358 359 360 361 362 363
		return 0;

	/* If in exec, permission is handled by bprm hooks.
	 * Cache permissions granted by the previous exec check, with
	 * implicit read and executable mmap which are required to
	 * actually execute the image.
	 */
	if (current->in_execve) {
364
		fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
365 366 367 368 369
		return 0;
	}

	profile = aa_cred_profile(cred);
	if (!unconfined(profile)) {
A
Al Viro 已提交
370
		struct inode *inode = file_inode(file);
371 372 373 374 375
		struct path_cond cond = { inode->i_uid, inode->i_mode };

		error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
				     aa_map_file_to_perms(file), &cond);
		/* todo cache full allowed permissions set and state */
376
		fctx->allow = aa_map_file_to_perms(file);
377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393
	}

	return error;
}

static int apparmor_file_alloc_security(struct file *file)
{
	/* freed by apparmor_file_free_security */
	file->f_security = aa_alloc_file_context(GFP_KERNEL);
	if (!file->f_security)
		return -ENOMEM;
	return 0;

}

static void apparmor_file_free_security(struct file *file)
{
394
	struct aa_file_ctx *ctx = file->f_security;
395

396
	aa_free_file_context(ctx);
397 398
}

399
static int common_file_perm(const char *op, struct file *file, u32 mask)
400
{
401
	struct aa_file_ctx *fctx = file->f_security;
402 403 404 405 406 407
	struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
	int error = 0;

	BUG_ON(!fprofile);

	if (!file->f_path.mnt ||
408
	    !path_mediated_fs(file->f_path.dentry))
409 410 411 412 413 414 415 416 417 418 419 420
		return 0;

	profile = __aa_current_profile();

	/* revalidate access, if task is unconfined, or the cached cred
	 * doesn't match or if the request is for more permissions than
	 * was granted.
	 *
	 * Note: the test for !unconfined(fprofile) is to handle file
	 *       delegation from unconfined tasks
	 */
	if (!unconfined(profile) && !unconfined(fprofile) &&
421
	    ((fprofile != profile) || (mask & ~fctx->allow)))
422 423 424 425 426 427 428 429 430 431 432 433 434 435 436 437 438 439 440 441
		error = aa_file_perm(op, profile, file, mask);

	return error;
}

static int apparmor_file_permission(struct file *file, int mask)
{
	return common_file_perm(OP_FPERM, file, mask);
}

static int apparmor_file_lock(struct file *file, unsigned int cmd)
{
	u32 mask = AA_MAY_LOCK;

	if (cmd == F_WRLCK)
		mask |= MAY_WRITE;

	return common_file_perm(OP_FLOCK, file, mask);
}

442
static int common_mmap(const char *op, struct file *file, unsigned long prot,
443 444 445 446 447 448 449 450 451 452 453 454 455 456 457 458 459 460 461 462 463
		       unsigned long flags)
{
	int mask = 0;

	if (!file || !file->f_security)
		return 0;

	if (prot & PROT_READ)
		mask |= MAY_READ;
	/*
	 * Private mappings don't require write perms since they don't
	 * write back to the files
	 */
	if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
		mask |= MAY_WRITE;
	if (prot & PROT_EXEC)
		mask |= AA_EXEC_MMAP;

	return common_file_perm(op, file, mask);
}

464 465
static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
			      unsigned long prot, unsigned long flags)
466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482
{
	return common_mmap(OP_FMMAP, file, prot, flags);
}

static int apparmor_file_mprotect(struct vm_area_struct *vma,
				  unsigned long reqprot, unsigned long prot)
{
	return common_mmap(OP_FMPROT, vma->vm_file, prot,
			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
}

static int apparmor_getprocattr(struct task_struct *task, char *name,
				char **value)
{
	int error = -ENOENT;
	/* released below */
	const struct cred *cred = get_task_cred(task);
483
	struct aa_task_ctx *ctx = cred_ctx(cred);
484
	struct aa_profile *profile = NULL;
485 486

	if (strcmp(name, "current") == 0)
487 488 489 490 491
		profile = aa_get_newest_profile(ctx->profile);
	else if (strcmp(name, "prev") == 0  && ctx->previous)
		profile = aa_get_newest_profile(ctx->previous);
	else if (strcmp(name, "exec") == 0 && ctx->onexec)
		profile = aa_get_newest_profile(ctx->onexec);
492 493 494
	else
		error = -EINVAL;

495 496 497 498
	if (profile)
		error = aa_getprocattr(profile, value);

	aa_put_profile(profile);
499 500 501 502 503 504 505 506
	put_cred(cred);

	return error;
}

static int apparmor_setprocattr(struct task_struct *task, char *name,
				void *value, size_t size)
{
507
	char *command, *largs = NULL, *args = value;
508 509
	size_t arg_size;
	int error;
510
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
511 512 513 514 515 516 517

	if (size == 0)
		return -EINVAL;
	/* task can only write its own attributes */
	if (current != task)
		return -EACCES;

518 519 520 521 522 523 524 525 526 527 528
	/* AppArmor requires that the buffer must be null terminated atm */
	if (args[size - 1] != '\0') {
		/* null terminate */
		largs = args = kmalloc(size + 1, GFP_KERNEL);
		if (!args)
			return -ENOMEM;
		memcpy(args, value, size);
		args[size] = '\0';
	}

	error = -EINVAL;
529 530 531
	args = strim(args);
	command = strsep(&args, " ");
	if (!args)
532
		goto out;
533 534
	args = skip_spaces(args);
	if (!*args)
535
		goto out;
536

537
	arg_size = size - (args - (largs ? largs : (char *) value));
538 539 540 541 542 543 544 545 546 547 548 549 550
	if (strcmp(name, "current") == 0) {
		if (strcmp(command, "changehat") == 0) {
			error = aa_setprocattr_changehat(args, arg_size,
							 !AA_DO_TEST);
		} else if (strcmp(command, "permhat") == 0) {
			error = aa_setprocattr_changehat(args, arg_size,
							 AA_DO_TEST);
		} else if (strcmp(command, "changeprofile") == 0) {
			error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
							     !AA_DO_TEST);
		} else if (strcmp(command, "permprofile") == 0) {
			error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
							     AA_DO_TEST);
551 552
		} else
			goto fail;
553
	} else if (strcmp(name, "exec") == 0) {
554 555 556 557 558 559
		if (strcmp(command, "exec") == 0)
			error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
							     !AA_DO_TEST);
		else
			goto fail;
	} else
560
		/* only support the "current" and "exec" process attributes */
561
		goto fail;
562

563 564
	if (!error)
		error = size;
565 566
out:
	kfree(largs);
567
	return error;
568 569

fail:
570 571 572
	aad(&sa)->profile = aa_current_profile();
	aad(&sa)->info = name;
	aad(&sa)->error = error = -EINVAL;
573
	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
574
	goto out;
575 576
}

577 578
static int apparmor_task_setrlimit(struct task_struct *task,
		unsigned int resource, struct rlimit *new_rlim)
579
{
580
	struct aa_profile *profile = __aa_current_profile();
581 582 583
	int error = 0;

	if (!unconfined(profile))
584
		error = aa_task_setrlimit(profile, task, resource, new_rlim);
585 586 587 588

	return error;
}

C
Casey Schaufler 已提交
589
static struct security_hook_list apparmor_hooks[] = {
590 591 592 593 594 595 596 597 598 599 600 601 602 603 604 605 606 607 608 609 610 611 612 613 614 615 616 617 618 619 620 621 622 623 624 625 626 627 628
	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
	LSM_HOOK_INIT(capget, apparmor_capget),
	LSM_HOOK_INIT(capable, apparmor_capable),

	LSM_HOOK_INIT(path_link, apparmor_path_link),
	LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
	LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
	LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
	LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
	LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
	LSM_HOOK_INIT(path_rename, apparmor_path_rename),
	LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
	LSM_HOOK_INIT(path_chown, apparmor_path_chown),
	LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
	LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),

	LSM_HOOK_INIT(file_open, apparmor_file_open),
	LSM_HOOK_INIT(file_permission, apparmor_file_permission),
	LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
	LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
	LSM_HOOK_INIT(file_lock, apparmor_file_lock),

	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),

	LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
	LSM_HOOK_INIT(cred_free, apparmor_cred_free),
	LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
	LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),

	LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
	LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
	LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
	LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),

	LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
629 630 631 632 633 634
};

/*
 * AppArmor sysfs module parameters
 */

635 636
static int param_set_aabool(const char *val, const struct kernel_param *kp);
static int param_get_aabool(char *buffer, const struct kernel_param *kp);
637
#define param_check_aabool param_check_bool
638
static const struct kernel_param_ops param_ops_aabool = {
639
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
640 641 642
	.set = param_set_aabool,
	.get = param_get_aabool
};
643

644 645
static int param_set_aauint(const char *val, const struct kernel_param *kp);
static int param_get_aauint(char *buffer, const struct kernel_param *kp);
646
#define param_check_aauint param_check_uint
647
static const struct kernel_param_ops param_ops_aauint = {
648 649 650
	.set = param_set_aauint,
	.get = param_get_aauint
};
651

652 653
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
654
#define param_check_aalockpolicy param_check_bool
655
static const struct kernel_param_ops param_ops_aalockpolicy = {
656
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
657 658 659
	.set = param_set_aalockpolicy,
	.get = param_get_aalockpolicy
};
660 661 662 663 664 665 666 667 668 669 670 671 672 673 674 675

static int param_set_audit(const char *val, struct kernel_param *kp);
static int param_get_audit(char *buffer, struct kernel_param *kp);

static int param_set_mode(const char *val, struct kernel_param *kp);
static int param_get_mode(char *buffer, struct kernel_param *kp);

/* Flag values, also controllable via /sys/module/apparmor/parameters
 * We define special types as we want to do additional mediation.
 */

/* AppArmor global enforcement switch - complain, enforce, kill */
enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
module_param_call(mode, param_set_mode, param_get_mode,
		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);

676
#ifdef CONFIG_SECURITY_APPARMOR_HASH
677
/* whether policy verification hashing is enabled */
678
bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
679
module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
680
#endif
681

682
/* Debug mode */
683
bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_DEBUG_MESSAGES);
684 685 686 687 688 689 690 691 692 693
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);

/* Audit mode */
enum audit_mode aa_g_audit;
module_param_call(audit, param_set_audit, param_get_audit,
		  &aa_g_audit, S_IRUSR | S_IWUSR);

/* Determines if audit header is included in audited messages.  This
 * provides more context if the audit daemon is not running
 */
694
bool aa_g_audit_header = 1;
695 696 697 698 699 700 701
module_param_named(audit_header, aa_g_audit_header, aabool,
		   S_IRUSR | S_IWUSR);

/* lock out loading/removal of policy
 * TODO: add in at boot loading of policy, which is the only way to
 *       load policy, if lock_policy is set
 */
702
bool aa_g_lock_policy;
703 704 705 706
module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
		   S_IRUSR | S_IWUSR);

/* Syscall logging mode */
707
bool aa_g_logsyscall;
708 709 710 711 712 713 714 715
module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);

/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);

/* Determines how paranoid loading of policy is and how much verification
 * on the loaded policy is done.
716 717
 * DEPRECATED: read only as strict checking of load is always done now
 * that none root users (user namespaces) can load policy.
718
 */
719
bool aa_g_paranoid_load = 1;
720
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
721 722

/* Boot time disable flag */
723
static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
724
module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
725 726 727 728

static int __init apparmor_enabled_setup(char *str)
{
	unsigned long enabled;
729
	int error = kstrtoul(str, 0, &enabled);
730 731 732 733 734 735 736 737
	if (!error)
		apparmor_enabled = enabled ? 1 : 0;
	return 1;
}

__setup("apparmor=", apparmor_enabled_setup);

/* set global flag turning off the ability to load policy */
738
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
739
{
740
	if (!policy_admin_capable(NULL))
741 742 743 744
		return -EPERM;
	return param_set_bool(val, kp);
}

745
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
746
{
747
	if (!policy_view_capable(NULL))
748 749 750 751
		return -EPERM;
	return param_get_bool(buffer, kp);
}

752
static int param_set_aabool(const char *val, const struct kernel_param *kp)
753
{
754
	if (!policy_admin_capable(NULL))
755 756 757 758
		return -EPERM;
	return param_set_bool(val, kp);
}

759
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
760
{
761
	if (!policy_view_capable(NULL))
762 763 764 765
		return -EPERM;
	return param_get_bool(buffer, kp);
}

766
static int param_set_aauint(const char *val, const struct kernel_param *kp)
767
{
768
	if (!policy_admin_capable(NULL))
769 770 771 772
		return -EPERM;
	return param_set_uint(val, kp);
}

773
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
774
{
775
	if (!policy_view_capable(NULL))
776 777 778 779 780 781
		return -EPERM;
	return param_get_uint(buffer, kp);
}

static int param_get_audit(char *buffer, struct kernel_param *kp)
{
782
	if (!policy_view_capable(NULL))
783 784 785 786 787 788 789 790 791 792 793
		return -EPERM;

	if (!apparmor_enabled)
		return -EINVAL;

	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
}

static int param_set_audit(const char *val, struct kernel_param *kp)
{
	int i;
794
	if (!policy_admin_capable(NULL))
795 796 797 798 799 800 801 802 803 804 805 806 807 808 809 810 811 812 813 814
		return -EPERM;

	if (!apparmor_enabled)
		return -EINVAL;

	if (!val)
		return -EINVAL;

	for (i = 0; i < AUDIT_MAX_INDEX; i++) {
		if (strcmp(val, audit_mode_names[i]) == 0) {
			aa_g_audit = i;
			return 0;
		}
	}

	return -EINVAL;
}

static int param_get_mode(char *buffer, struct kernel_param *kp)
{
815
	if (!policy_view_capable(NULL))
816 817 818 819 820
		return -EPERM;

	if (!apparmor_enabled)
		return -EINVAL;

821
	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
822 823 824 825 826
}

static int param_set_mode(const char *val, struct kernel_param *kp)
{
	int i;
827
	if (!policy_admin_capable(NULL))
828 829 830 831 832 833 834 835
		return -EPERM;

	if (!apparmor_enabled)
		return -EINVAL;

	if (!val)
		return -EINVAL;

836 837
	for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
		if (strcmp(val, aa_profile_mode_names[i]) == 0) {
838 839 840 841 842 843 844 845 846 847 848 849 850
			aa_g_profile_mode = i;
			return 0;
		}
	}

	return -EINVAL;
}

/*
 * AppArmor init functions
 */

/**
851
 * set_init_ctx - set a task context and profile on the first task.
852 853 854
 *
 * TODO: allow setting an alternate profile than unconfined
 */
855
static int __init set_init_ctx(void)
856 857
{
	struct cred *cred = (struct cred *)current->real_cred;
858
	struct aa_task_ctx *ctx;
859

860 861
	ctx = aa_alloc_task_context(GFP_KERNEL);
	if (!ctx)
862 863
		return -ENOMEM;

864 865
	ctx->profile = aa_get_profile(root_ns->unconfined);
	cred_ctx(cred) = ctx;
866 867 868 869 870 871 872 873

	return 0;
}

static int __init apparmor_init(void)
{
	int error;

C
Casey Schaufler 已提交
874
	if (!apparmor_enabled || !security_module_enable("apparmor")) {
875 876 877 878 879
		aa_info_message("AppArmor disabled by boot time parameter");
		apparmor_enabled = 0;
		return 0;
	}

J
John Johansen 已提交
880 881 882 883 884 885
	error = aa_setup_dfa_engine();
	if (error) {
		AA_ERROR("Unable to setup dfa engine\n");
		goto alloc_out;
	}

886 887 888 889 890 891
	error = aa_alloc_root_ns();
	if (error) {
		AA_ERROR("Unable to allocate default profile namespace\n");
		goto alloc_out;
	}

892
	error = set_init_ctx();
893 894
	if (error) {
		AA_ERROR("Failed to set context on init task\n");
C
Casey Schaufler 已提交
895 896
		aa_free_root_ns();
		goto alloc_out;
897
	}
C
Casey Schaufler 已提交
898
	security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks));
899 900 901 902 903 904 905 906 907 908 909 910 911 912

	/* Report that AppArmor successfully initialized */
	apparmor_initialized = 1;
	if (aa_g_profile_mode == APPARMOR_COMPLAIN)
		aa_info_message("AppArmor initialized: complain mode enabled");
	else if (aa_g_profile_mode == APPARMOR_KILL)
		aa_info_message("AppArmor initialized: kill mode enabled");
	else
		aa_info_message("AppArmor initialized");

	return error;

alloc_out:
	aa_destroy_aafs();
J
John Johansen 已提交
913
	aa_teardown_dfa_engine();
914 915 916 917 918 919

	apparmor_enabled = 0;
	return error;
}

security_initcall(apparmor_init);