lsm.c 28.8 KB
Newer Older
1 2 3 4 5 6 7 8 9 10 11 12 13 14
/*
 * AppArmor security module
 *
 * This file contains AppArmor LSM hooks.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

C
Casey Schaufler 已提交
15
#include <linux/lsm_hooks.h>
16 17 18 19 20 21 22 23 24
#include <linux/moduleparam.h>
#include <linux/mm.h>
#include <linux/mman.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/ptrace.h>
#include <linux/ctype.h>
#include <linux/sysctl.h>
#include <linux/audit.h>
25
#include <linux/user_namespace.h>
26
#include <linux/kmemleak.h>
27 28 29 30 31 32 33 34 35 36
#include <net/sock.h>

#include "include/apparmor.h"
#include "include/apparmorfs.h"
#include "include/audit.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/file.h"
#include "include/ipc.h"
#include "include/path.h"
37
#include "include/label.h"
38
#include "include/policy.h"
39
#include "include/policy_ns.h"
40 41 42
#include "include/procattr.h"

/* Flag indicating whether initialization completed */
43
int apparmor_initialized;
44

45 46 47
DEFINE_PER_CPU(struct aa_buffers, aa_buffers);


48 49 50 51 52
/*
 * LSM hook functions
 */

/*
53
 * free the associated aa_task_ctx and put its labels
54 55 56
 */
static void apparmor_cred_free(struct cred *cred)
{
57 58
	aa_free_task_context(cred_ctx(cred));
	cred_ctx(cred) = NULL;
59 60 61 62 63 64 65 66
}

/*
 * allocate the apparmor part of blank credentials
 */
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
{
	/* freed by apparmor_cred_free */
67 68 69
	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);

	if (!ctx)
70 71
		return -ENOMEM;

72
	cred_ctx(cred) = ctx;
73 74 75 76
	return 0;
}

/*
77
 * prepare new aa_task_ctx for modification by prepare_cred block
78 79 80 81 82
 */
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
				 gfp_t gfp)
{
	/* freed by apparmor_cred_free */
83 84 85
	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);

	if (!ctx)
86 87
		return -ENOMEM;

88 89
	aa_dup_task_context(ctx, cred_ctx(old));
	cred_ctx(new) = ctx;
90 91 92 93 94 95 96 97
	return 0;
}

/*
 * transfer the apparmor data to a blank set of creds
 */
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
{
98 99
	const struct aa_task_ctx *old_ctx = cred_ctx(old);
	struct aa_task_ctx *new_ctx = cred_ctx(new);
100

101
	aa_dup_task_context(new_ctx, old_ctx);
102 103 104 105 106
}

static int apparmor_ptrace_access_check(struct task_struct *child,
					unsigned int mode)
{
107 108 109 110 111 112 113 114 115 116 117
	struct aa_label *tracer, *tracee;
	int error;

	tracer = begin_current_label_crit_section();
	tracee = aa_get_task_label(child);
	error = aa_may_ptrace(tracer, tracee,
		  mode == PTRACE_MODE_READ ? AA_PTRACE_READ : AA_PTRACE_TRACE);
	aa_put_label(tracee);
	end_current_label_crit_section(tracer);

	return error;
118 119 120 121
}

static int apparmor_ptrace_traceme(struct task_struct *parent)
{
122 123 124 125 126 127 128 129 130 131
	struct aa_label *tracer, *tracee;
	int error;

	tracee = begin_current_label_crit_section();
	tracer = aa_get_task_label(parent);
	error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
	aa_put_label(tracer);
	end_current_label_crit_section(tracee);

	return error;
132 133 134 135 136 137
}

/* Derived from security/commoncap.c:cap_capget */
static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
			   kernel_cap_t *inheritable, kernel_cap_t *permitted)
{
138
	struct aa_label *label;
139 140 141 142
	const struct cred *cred;

	rcu_read_lock();
	cred = __task_cred(target);
143
	label = aa_get_newest_cred_label(cred);
144

C
Casey Schaufler 已提交
145 146 147 148
	/*
	 * cap_capget is stacked ahead of this and will
	 * initialize effective and permitted.
	 */
149 150 151 152 153 154 155 156 157 158 159 160
	if (!unconfined(label)) {
		struct aa_profile *profile;
		struct label_it i;

		label_for_each_confined(i, label, profile) {
			if (COMPLAIN_MODE(profile))
				continue;
			*effective = cap_intersect(*effective,
						   profile->caps.allow);
			*permitted = cap_intersect(*permitted,
						   profile->caps.allow);
		}
161 162
	}
	rcu_read_unlock();
163
	aa_put_label(label);
164 165 166 167

	return 0;
}

168 169
static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
			    int cap, int audit)
170
{
171
	struct aa_label *label;
C
Casey Schaufler 已提交
172 173
	int error = 0;

174 175
	label = aa_get_newest_cred_label(cred);
	if (!unconfined(label))
176
		error = aa_capable(label, cap, audit);
177
	aa_put_label(label);
178

179 180 181 182 183 184 185 186 187 188 189 190
	return error;
}

/**
 * common_perm - basic common permission check wrapper fn for paths
 * @op: operation being checked
 * @path: path to check permission of  (NOT NULL)
 * @mask: requested permissions mask
 * @cond: conditional info for the permission request  (NOT NULL)
 *
 * Returns: %0 else error code if error or permission denied
 */
191
static int common_perm(const char *op, const struct path *path, u32 mask,
192 193
		       struct path_cond *cond)
{
194
	struct aa_label *label;
195 196
	int error = 0;

197 198 199 200 201
	label = __begin_current_label_crit_section();
	if (!unconfined(label))
		error = aa_path_perm(op, labels_profile(label), path, 0, mask,
				     cond);
	__end_current_label_crit_section(label);
202 203 204 205 206

	return error;
}

/**
207
 * common_perm_cond - common permission wrapper around inode cond
208
 * @op: operation being checked
209
 * @path: location to check (NOT NULL)
210 211 212 213
 * @mask: requested permissions mask
 *
 * Returns: %0 else error code if error or permission denied
 */
214
static int common_perm_cond(const char *op, const struct path *path, u32 mask)
215
{
216 217 218
	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
				  d_backing_inode(path->dentry)->i_mode
	};
219

220 221 222 223
	if (!path_mediated_fs(path->dentry))
		return 0;

	return common_perm(op, path, mask, &cond);
224 225 226
}

/**
227
 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
228
 * @op: operation being checked
229 230
 * @dir: directory of the dentry  (NOT NULL)
 * @dentry: dentry to check  (NOT NULL)
231
 * @mask: requested permissions mask
232
 * @cond: conditional info for the permission request  (NOT NULL)
233 234 235
 *
 * Returns: %0 else error code if error or permission denied
 */
236 237 238
static int common_perm_dir_dentry(const char *op, const struct path *dir,
				  struct dentry *dentry, u32 mask,
				  struct path_cond *cond)
239
{
240
	struct path path = { .mnt = dir->mnt, .dentry = dentry };
241

242
	return common_perm(op, &path, mask, cond);
243 244 245 246 247 248 249 250 251 252 253
}

/**
 * common_perm_rm - common permission wrapper for operations doing rm
 * @op: operation being checked
 * @dir: directory that the dentry is in  (NOT NULL)
 * @dentry: dentry being rm'd  (NOT NULL)
 * @mask: requested permission mask
 *
 * Returns: %0 else error code if error or permission denied
 */
254
static int common_perm_rm(const char *op, const struct path *dir,
255 256
			  struct dentry *dentry, u32 mask)
{
257
	struct inode *inode = d_backing_inode(dentry);
258 259
	struct path_cond cond = { };

260
	if (!inode || !path_mediated_fs(dentry))
261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278
		return 0;

	cond.uid = inode->i_uid;
	cond.mode = inode->i_mode;

	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
}

/**
 * common_perm_create - common permission wrapper for operations doing create
 * @op: operation being checked
 * @dir: directory that dentry will be created in  (NOT NULL)
 * @dentry: dentry to create   (NOT NULL)
 * @mask: request permission mask
 * @mode: created file mode
 *
 * Returns: %0 else error code if error or permission denied
 */
279
static int common_perm_create(const char *op, const struct path *dir,
A
Al Viro 已提交
280
			      struct dentry *dentry, u32 mask, umode_t mode)
281 282 283
{
	struct path_cond cond = { current_fsuid(), mode };

284
	if (!path_mediated_fs(dir->dentry))
285 286 287 288 289
		return 0;

	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
}

A
Al Viro 已提交
290
static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
291 292 293 294
{
	return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
}

295
static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
A
Al Viro 已提交
296
			       umode_t mode)
297 298 299 300 301
{
	return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
				  S_IFDIR);
}

A
Al Viro 已提交
302
static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
303 304 305 306
{
	return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
}

307
static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
A
Al Viro 已提交
308
			       umode_t mode, unsigned int dev)
309 310 311 312
{
	return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
}

A
Al Viro 已提交
313
static int apparmor_path_truncate(const struct path *path)
314
{
315
	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
316 317
}

318
static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
319 320 321 322 323 324
				 const char *old_name)
{
	return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
				  S_IFLNK);
}

A
Al Viro 已提交
325
static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
326 327
			      struct dentry *new_dentry)
{
328
	struct aa_label *label;
329 330
	int error = 0;

331
	if (!path_mediated_fs(old_dentry))
332 333
		return 0;

334 335 336 337 338
	label = begin_current_label_crit_section();
	if (!unconfined(label))
		error = aa_path_link(labels_profile(label), old_dentry, new_dir,
				     new_dentry);
	end_current_label_crit_section(label);
339

340 341 342
	return error;
}

A
Al Viro 已提交
343 344
static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
				const struct path *new_dir, struct dentry *new_dentry)
345
{
346
	struct aa_label *label;
347 348
	int error = 0;

349
	if (!path_mediated_fs(old_dentry))
350 351
		return 0;

352 353
	label = begin_current_label_crit_section();
	if (!unconfined(label)) {
354 355 356 357
		struct path old_path = { .mnt = old_dir->mnt,
					 .dentry = old_dentry };
		struct path new_path = { .mnt = new_dir->mnt,
					 .dentry = new_dentry };
358 359
		struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
					  d_backing_inode(old_dentry)->i_mode
360 361
		};

362 363
		error = aa_path_perm(OP_RENAME_SRC, labels_profile(label),
				     &old_path, 0,
364 365
				     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
				     AA_MAY_SETATTR | AA_MAY_DELETE,
366 367
				     &cond);
		if (!error)
368 369 370
			error = aa_path_perm(OP_RENAME_DEST,
					     labels_profile(label),
					     &new_path,
371
					     0, MAY_WRITE | AA_MAY_SETATTR |
372 373 374
					     AA_MAY_CREATE, &cond);

	}
375
	end_current_label_crit_section(label);
376

377 378 379
	return error;
}

380
static int apparmor_path_chmod(const struct path *path, umode_t mode)
381
{
382
	return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
383 384
}

385
static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
386
{
387
	return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
388 389
}

390
static int apparmor_inode_getattr(const struct path *path)
391
{
392
	return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
393 394
}

395
static int apparmor_file_open(struct file *file, const struct cred *cred)
396
{
397 398
	struct aa_file_ctx *fctx = file_ctx(file);
	struct aa_label *label;
399 400
	int error = 0;

401
	if (!path_mediated_fs(file->f_path.dentry))
402 403 404 405 406 407 408 409
		return 0;

	/* If in exec, permission is handled by bprm hooks.
	 * Cache permissions granted by the previous exec check, with
	 * implicit read and executable mmap which are required to
	 * actually execute the image.
	 */
	if (current->in_execve) {
410
		fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
411 412 413
		return 0;
	}

414 415
	label = aa_get_newest_cred_label(cred);
	if (!unconfined(label)) {
A
Al Viro 已提交
416
		struct inode *inode = file_inode(file);
417 418
		struct path_cond cond = { inode->i_uid, inode->i_mode };

419 420
		error = aa_path_perm(OP_OPEN, labels_profile(label),
				     &file->f_path, 0,
421 422
				     aa_map_file_to_perms(file), &cond);
		/* todo cache full allowed permissions set and state */
423
		fctx->allow = aa_map_file_to_perms(file);
424
	}
425
	aa_put_label(label);
426 427 428 429 430 431

	return error;
}

static int apparmor_file_alloc_security(struct file *file)
{
432 433
	int error = 0;

434
	/* freed by apparmor_file_free_security */
435
	struct aa_label *label = begin_current_label_crit_section();
436 437 438
	file->f_security = aa_alloc_file_ctx(GFP_KERNEL);
	if (!file_ctx(file))
		error = -ENOMEM;
439
	end_current_label_crit_section(label);
440

441
	return error;
442 443 444 445
}

static void apparmor_file_free_security(struct file *file)
{
446
	aa_free_file_ctx(file_ctx(file));
447 448
}

449
static int common_file_perm(const char *op, struct file *file, u32 mask)
450
{
451
	struct aa_file_ctx *fctx = file->f_security;
452
	struct aa_label *label, *flabel;
453 454
	int error = 0;

455 456 457 458
	/* don't reaudit files closed during inheritance */
	if (file->f_path.dentry == aa_null.dentry)
		return -EACCES;

459 460
	flabel = aa_cred_raw_label(file->f_cred);
	AA_BUG(!flabel);
461 462

	if (!file->f_path.mnt ||
463
	    !path_mediated_fs(file->f_path.dentry))
464 465
		return 0;

466
	label = __begin_current_label_crit_section();
467 468 469 470 471 472 473 474

	/* revalidate access, if task is unconfined, or the cached cred
	 * doesn't match or if the request is for more permissions than
	 * was granted.
	 *
	 * Note: the test for !unconfined(fprofile) is to handle file
	 *       delegation from unconfined tasks
	 */
475 476 477 478
	if (!unconfined(label) && !unconfined(flabel) &&
	    ((flabel != label) || (mask & ~fctx->allow)))
		error = aa_file_perm(op, labels_profile(label), file, mask);
	__end_current_label_crit_section(label);
479 480 481 482 483 484 485 486 487 488 489 490 491 492 493 494 495 496 497

	return error;
}

static int apparmor_file_permission(struct file *file, int mask)
{
	return common_file_perm(OP_FPERM, file, mask);
}

static int apparmor_file_lock(struct file *file, unsigned int cmd)
{
	u32 mask = AA_MAY_LOCK;

	if (cmd == F_WRLCK)
		mask |= MAY_WRITE;

	return common_file_perm(OP_FLOCK, file, mask);
}

498
static int common_mmap(const char *op, struct file *file, unsigned long prot,
499 500 501 502
		       unsigned long flags)
{
	int mask = 0;

503
	if (!file || !file_ctx(file))
504 505 506 507 508 509 510 511 512 513 514 515 516 517 518 519
		return 0;

	if (prot & PROT_READ)
		mask |= MAY_READ;
	/*
	 * Private mappings don't require write perms since they don't
	 * write back to the files
	 */
	if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
		mask |= MAY_WRITE;
	if (prot & PROT_EXEC)
		mask |= AA_EXEC_MMAP;

	return common_file_perm(op, file, mask);
}

520 521
static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
			      unsigned long prot, unsigned long flags)
522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538
{
	return common_mmap(OP_FMMAP, file, prot, flags);
}

static int apparmor_file_mprotect(struct vm_area_struct *vma,
				  unsigned long reqprot, unsigned long prot)
{
	return common_mmap(OP_FMPROT, vma->vm_file, prot,
			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
}

static int apparmor_getprocattr(struct task_struct *task, char *name,
				char **value)
{
	int error = -ENOENT;
	/* released below */
	const struct cred *cred = get_task_cred(task);
539
	struct aa_task_ctx *ctx = cred_ctx(cred);
540
	struct aa_label *label = NULL;
541 542

	if (strcmp(name, "current") == 0)
543
		label = aa_get_newest_label(ctx->label);
544
	else if (strcmp(name, "prev") == 0  && ctx->previous)
545
		label = aa_get_newest_label(ctx->previous);
546
	else if (strcmp(name, "exec") == 0 && ctx->onexec)
547
		label = aa_get_newest_label(ctx->onexec);
548 549 550
	else
		error = -EINVAL;

551
	if (label)
552
		error = aa_getprocattr(label, value);
553

554
	aa_put_label(label);
555 556 557 558 559
	put_cred(cred);

	return error;
}

560 561
static int apparmor_setprocattr(const char *name, void *value,
				size_t size)
562
{
563
	char *command, *largs = NULL, *args = value;
564 565
	size_t arg_size;
	int error;
566
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
567 568 569 570

	if (size == 0)
		return -EINVAL;

571 572 573 574 575 576 577 578 579 580 581
	/* AppArmor requires that the buffer must be null terminated atm */
	if (args[size - 1] != '\0') {
		/* null terminate */
		largs = args = kmalloc(size + 1, GFP_KERNEL);
		if (!args)
			return -ENOMEM;
		memcpy(args, value, size);
		args[size] = '\0';
	}

	error = -EINVAL;
582 583 584
	args = strim(args);
	command = strsep(&args, " ");
	if (!args)
585
		goto out;
586 587
	args = skip_spaces(args);
	if (!*args)
588
		goto out;
589

590
	arg_size = size - (args - (largs ? largs : (char *) value));
591 592 593
	if (strcmp(name, "current") == 0) {
		if (strcmp(command, "changehat") == 0) {
			error = aa_setprocattr_changehat(args, arg_size,
594
							 AA_CHANGE_NOFLAGS);
595 596
		} else if (strcmp(command, "permhat") == 0) {
			error = aa_setprocattr_changehat(args, arg_size,
597
							 AA_CHANGE_TEST);
598
		} else if (strcmp(command, "changeprofile") == 0) {
599
			error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
600
		} else if (strcmp(command, "permprofile") == 0) {
601
			error = aa_change_profile(args, AA_CHANGE_TEST);
602 603
		} else
			goto fail;
604
	} else if (strcmp(name, "exec") == 0) {
605
		if (strcmp(command, "exec") == 0)
606
			error = aa_change_profile(args, AA_CHANGE_ONEXEC);
607 608 609
		else
			goto fail;
	} else
610
		/* only support the "current" and "exec" process attributes */
611
		goto fail;
612

613 614
	if (!error)
		error = size;
615 616
out:
	kfree(largs);
617
	return error;
618 619

fail:
620
	aad(&sa)->label = begin_current_label_crit_section();
621 622
	aad(&sa)->info = name;
	aad(&sa)->error = error = -EINVAL;
623
	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
624
	end_current_label_crit_section(aad(&sa)->label);
625
	goto out;
626 627
}

628 629 630 631 632 633
/**
 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
 * @bprm: binprm for the exec  (NOT NULL)
 */
static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
{
634
	struct aa_label *label = aa_current_raw_label();
635 636 637
	struct aa_task_ctx *new_ctx = cred_ctx(bprm->cred);

	/* bail out if unconfined or not changing profile */
638 639
	if ((new_ctx->label->proxy == label->proxy) ||
	    (unconfined(new_ctx->label)))
640 641
		return;

642 643
	aa_inherit_files(bprm->cred, current->files);

644 645
	current->pdeath_signal = 0;

646
	/* reset soft limits and set hard limits for the new label */
647
	__aa_transition_rlimits(label, new_ctx->label);
648 649 650 651 652 653 654 655 656 657 658 659
}

/**
 * apparmor_bprm_committed_cred - do cleanup after new creds committed
 * @bprm: binprm for the exec  (NOT NULL)
 */
static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
{
	/* TODO: cleanup signals - ipc mediation */
	return;
}

660 661
static int apparmor_task_setrlimit(struct task_struct *task,
		unsigned int resource, struct rlimit *new_rlim)
662
{
663
	struct aa_label *label = __begin_current_label_crit_section();
664 665
	int error = 0;

666
	if (!unconfined(label))
667
		error = aa_task_setrlimit(label, task, resource, new_rlim);
668
	__end_current_label_crit_section(label);
669 670 671 672

	return error;
}

673
static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
674 675 676 677 678 679 680 681 682 683 684 685 686 687 688 689 690 691 692 693 694 695 696 697 698 699 700 701 702 703 704 705 706 707 708 709 710 711 712
	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
	LSM_HOOK_INIT(capget, apparmor_capget),
	LSM_HOOK_INIT(capable, apparmor_capable),

	LSM_HOOK_INIT(path_link, apparmor_path_link),
	LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
	LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
	LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
	LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
	LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
	LSM_HOOK_INIT(path_rename, apparmor_path_rename),
	LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
	LSM_HOOK_INIT(path_chown, apparmor_path_chown),
	LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
	LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),

	LSM_HOOK_INIT(file_open, apparmor_file_open),
	LSM_HOOK_INIT(file_permission, apparmor_file_permission),
	LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
	LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
	LSM_HOOK_INIT(file_lock, apparmor_file_lock),

	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),

	LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
	LSM_HOOK_INIT(cred_free, apparmor_cred_free),
	LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
	LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),

	LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
	LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
	LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
	LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),

	LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
713 714 715 716 717 718
};

/*
 * AppArmor sysfs module parameters
 */

719 720
static int param_set_aabool(const char *val, const struct kernel_param *kp);
static int param_get_aabool(char *buffer, const struct kernel_param *kp);
721
#define param_check_aabool param_check_bool
722
static const struct kernel_param_ops param_ops_aabool = {
723
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
724 725 726
	.set = param_set_aabool,
	.get = param_get_aabool
};
727

728 729
static int param_set_aauint(const char *val, const struct kernel_param *kp);
static int param_get_aauint(char *buffer, const struct kernel_param *kp);
730
#define param_check_aauint param_check_uint
731
static const struct kernel_param_ops param_ops_aauint = {
732 733 734
	.set = param_set_aauint,
	.get = param_get_aauint
};
735

736 737
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
738
#define param_check_aalockpolicy param_check_bool
739
static const struct kernel_param_ops param_ops_aalockpolicy = {
740
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
741 742 743
	.set = param_set_aalockpolicy,
	.get = param_get_aalockpolicy
};
744 745 746 747 748 749 750 751 752 753 754 755 756 757 758 759

static int param_set_audit(const char *val, struct kernel_param *kp);
static int param_get_audit(char *buffer, struct kernel_param *kp);

static int param_set_mode(const char *val, struct kernel_param *kp);
static int param_get_mode(char *buffer, struct kernel_param *kp);

/* Flag values, also controllable via /sys/module/apparmor/parameters
 * We define special types as we want to do additional mediation.
 */

/* AppArmor global enforcement switch - complain, enforce, kill */
enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
module_param_call(mode, param_set_mode, param_get_mode,
		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);

760
/* whether policy verification hashing is enabled */
761
bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
762
#ifdef CONFIG_SECURITY_APPARMOR_HASH
763
module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
764
#endif
765

766
/* Debug mode */
767
bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
768 769 770 771 772 773 774 775 776 777
module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);

/* Audit mode */
enum audit_mode aa_g_audit;
module_param_call(audit, param_set_audit, param_get_audit,
		  &aa_g_audit, S_IRUSR | S_IWUSR);

/* Determines if audit header is included in audited messages.  This
 * provides more context if the audit daemon is not running
 */
778
bool aa_g_audit_header = 1;
779 780 781 782 783 784 785
module_param_named(audit_header, aa_g_audit_header, aabool,
		   S_IRUSR | S_IWUSR);

/* lock out loading/removal of policy
 * TODO: add in at boot loading of policy, which is the only way to
 *       load policy, if lock_policy is set
 */
786
bool aa_g_lock_policy;
787 788 789 790
module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
		   S_IRUSR | S_IWUSR);

/* Syscall logging mode */
791
bool aa_g_logsyscall;
792 793 794 795
module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);

/* Maximum pathname length before accesses will start getting rejected */
unsigned int aa_g_path_max = 2 * PATH_MAX;
796
module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
797 798 799

/* Determines how paranoid loading of policy is and how much verification
 * on the loaded policy is done.
800 801
 * DEPRECATED: read only as strict checking of load is always done now
 * that none root users (user namespaces) can load policy.
802
 */
803
bool aa_g_paranoid_load = 1;
804
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
805 806

/* Boot time disable flag */
807
static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
808
module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
809 810 811 812

static int __init apparmor_enabled_setup(char *str)
{
	unsigned long enabled;
813
	int error = kstrtoul(str, 0, &enabled);
814 815 816 817 818 819 820 821
	if (!error)
		apparmor_enabled = enabled ? 1 : 0;
	return 1;
}

__setup("apparmor=", apparmor_enabled_setup);

/* set global flag turning off the ability to load policy */
822
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
823
{
824 825 826
	if (!apparmor_enabled)
		return -EINVAL;
	if (apparmor_initialized && !policy_admin_capable(NULL))
827 828 829 830
		return -EPERM;
	return param_set_bool(val, kp);
}

831
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
832
{
833 834
	if (!apparmor_enabled)
		return -EINVAL;
835 836
	if (apparmor_initialized && !policy_view_capable(NULL))
		return -EPERM;
837 838 839
	return param_get_bool(buffer, kp);
}

840
static int param_set_aabool(const char *val, const struct kernel_param *kp)
841
{
842 843
	if (!apparmor_enabled)
		return -EINVAL;
844 845
	if (apparmor_initialized && !policy_admin_capable(NULL))
		return -EPERM;
846 847 848
	return param_set_bool(val, kp);
}

849
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
850
{
851 852
	if (!apparmor_enabled)
		return -EINVAL;
853 854
	if (apparmor_initialized && !policy_view_capable(NULL))
		return -EPERM;
855 856 857
	return param_get_bool(buffer, kp);
}

858
static int param_set_aauint(const char *val, const struct kernel_param *kp)
859
{
860 861
	int error;

862 863
	if (!apparmor_enabled)
		return -EINVAL;
864 865
	/* file is ro but enforce 2nd line check */
	if (apparmor_initialized)
866
		return -EPERM;
867 868 869 870 871

	error = param_set_uint(val, kp);
	pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);

	return error;
872 873
}

874
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
875
{
876 877
	if (!apparmor_enabled)
		return -EINVAL;
878 879
	if (apparmor_initialized && !policy_view_capable(NULL))
		return -EPERM;
880 881 882 883 884 885 886
	return param_get_uint(buffer, kp);
}

static int param_get_audit(char *buffer, struct kernel_param *kp)
{
	if (!apparmor_enabled)
		return -EINVAL;
887 888
	if (apparmor_initialized && !policy_view_capable(NULL))
		return -EPERM;
889 890 891 892 893 894 895 896 897 898 899
	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
}

static int param_set_audit(const char *val, struct kernel_param *kp)
{
	int i;

	if (!apparmor_enabled)
		return -EINVAL;
	if (!val)
		return -EINVAL;
900 901
	if (apparmor_initialized && !policy_admin_capable(NULL))
		return -EPERM;
902 903 904 905 906 907 908 909 910 911 912 913 914 915 916

	for (i = 0; i < AUDIT_MAX_INDEX; i++) {
		if (strcmp(val, audit_mode_names[i]) == 0) {
			aa_g_audit = i;
			return 0;
		}
	}

	return -EINVAL;
}

static int param_get_mode(char *buffer, struct kernel_param *kp)
{
	if (!apparmor_enabled)
		return -EINVAL;
917 918
	if (apparmor_initialized && !policy_view_capable(NULL))
		return -EPERM;
919

920
	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
921 922 923 924 925 926 927 928 929 930
}

static int param_set_mode(const char *val, struct kernel_param *kp)
{
	int i;

	if (!apparmor_enabled)
		return -EINVAL;
	if (!val)
		return -EINVAL;
931 932
	if (apparmor_initialized && !policy_admin_capable(NULL))
		return -EPERM;
933

934 935
	for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
		if (strcmp(val, aa_profile_mode_names[i]) == 0) {
936 937 938 939 940 941 942 943 944 945 946 947 948
			aa_g_profile_mode = i;
			return 0;
		}
	}

	return -EINVAL;
}

/*
 * AppArmor init functions
 */

/**
949
 * set_init_ctx - set a task context and profile on the first task.
950 951 952
 *
 * TODO: allow setting an alternate profile than unconfined
 */
953
static int __init set_init_ctx(void)
954 955
{
	struct cred *cred = (struct cred *)current->real_cred;
956
	struct aa_task_ctx *ctx;
957

958 959
	ctx = aa_alloc_task_context(GFP_KERNEL);
	if (!ctx)
960 961
		return -ENOMEM;

962
	ctx->label = aa_get_label(ns_unconfined(root_ns));
963
	cred_ctx(cred) = ctx;
964 965 966 967

	return 0;
}

968 969 970 971 972 973 974 975 976 977 978 979 980 981 982 983 984 985 986 987 988 989 990 991 992 993 994 995 996 997 998 999 1000 1001 1002 1003 1004
static void destroy_buffers(void)
{
	u32 i, j;

	for_each_possible_cpu(i) {
		for_each_cpu_buffer(j) {
			kfree(per_cpu(aa_buffers, i).buf[j]);
			per_cpu(aa_buffers, i).buf[j] = NULL;
		}
	}
}

static int __init alloc_buffers(void)
{
	u32 i, j;

	for_each_possible_cpu(i) {
		for_each_cpu_buffer(j) {
			char *buffer;

			if (cpu_to_node(i) > num_online_nodes())
				/* fallback to kmalloc for offline nodes */
				buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
			else
				buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
						      cpu_to_node(i));
			if (!buffer) {
				destroy_buffers();
				return -ENOMEM;
			}
			per_cpu(aa_buffers, i).buf[j] = buffer;
		}
	}

	return 0;
}

1005 1006 1007 1008 1009 1010 1011 1012 1013 1014 1015 1016 1017 1018 1019 1020 1021 1022 1023 1024 1025 1026 1027 1028 1029 1030 1031 1032 1033 1034 1035 1036 1037 1038 1039 1040 1041 1042 1043 1044
#ifdef CONFIG_SYSCTL
static int apparmor_dointvec(struct ctl_table *table, int write,
			     void __user *buffer, size_t *lenp, loff_t *ppos)
{
	if (!policy_admin_capable(NULL))
		return -EPERM;
	if (!apparmor_enabled)
		return -EINVAL;

	return proc_dointvec(table, write, buffer, lenp, ppos);
}

static struct ctl_path apparmor_sysctl_path[] = {
	{ .procname = "kernel", },
	{ }
};

static struct ctl_table apparmor_sysctl_table[] = {
	{
		.procname       = "unprivileged_userns_apparmor_policy",
		.data           = &unprivileged_userns_apparmor_policy,
		.maxlen         = sizeof(int),
		.mode           = 0600,
		.proc_handler   = apparmor_dointvec,
	},
	{ }
};

static int __init apparmor_init_sysctl(void)
{
	return register_sysctl_paths(apparmor_sysctl_path,
				     apparmor_sysctl_table) ? 0 : -ENOMEM;
}
#else
static inline int apparmor_init_sysctl(void)
{
	return 0;
}
#endif /* CONFIG_SYSCTL */

1045 1046 1047 1048
static int __init apparmor_init(void)
{
	int error;

C
Casey Schaufler 已提交
1049
	if (!apparmor_enabled || !security_module_enable("apparmor")) {
1050 1051 1052 1053 1054
		aa_info_message("AppArmor disabled by boot time parameter");
		apparmor_enabled = 0;
		return 0;
	}

J
John Johansen 已提交
1055 1056 1057 1058 1059 1060
	error = aa_setup_dfa_engine();
	if (error) {
		AA_ERROR("Unable to setup dfa engine\n");
		goto alloc_out;
	}

1061 1062 1063 1064 1065 1066
	error = aa_alloc_root_ns();
	if (error) {
		AA_ERROR("Unable to allocate default profile namespace\n");
		goto alloc_out;
	}

1067 1068 1069 1070 1071 1072 1073
	error = apparmor_init_sysctl();
	if (error) {
		AA_ERROR("Unable to register sysctls\n");
		goto alloc_out;

	}

1074 1075 1076 1077 1078 1079
	error = alloc_buffers();
	if (error) {
		AA_ERROR("Unable to allocate work buffers\n");
		goto buffers_out;
	}

1080
	error = set_init_ctx();
1081 1082
	if (error) {
		AA_ERROR("Failed to set context on init task\n");
C
Casey Schaufler 已提交
1083
		aa_free_root_ns();
1084
		goto buffers_out;
1085
	}
1086 1087
	security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
				"apparmor");
1088 1089 1090 1091 1092 1093 1094 1095 1096 1097 1098 1099

	/* Report that AppArmor successfully initialized */
	apparmor_initialized = 1;
	if (aa_g_profile_mode == APPARMOR_COMPLAIN)
		aa_info_message("AppArmor initialized: complain mode enabled");
	else if (aa_g_profile_mode == APPARMOR_KILL)
		aa_info_message("AppArmor initialized: kill mode enabled");
	else
		aa_info_message("AppArmor initialized");

	return error;

1100 1101 1102
buffers_out:
	destroy_buffers();

1103 1104
alloc_out:
	aa_destroy_aafs();
J
John Johansen 已提交
1105
	aa_teardown_dfa_engine();
1106 1107 1108 1109 1110 1111

	apparmor_enabled = 0;
	return error;
}

security_initcall(apparmor_init);