AppArmor: file enforcement routines

AppArmor does files enforcement via pathname matching. Matching is done at file open using a dfa match engine. Permission is against the final file object not parent directories, ie. the traversal of directories as part of the file match is implicitly allowed. In the case of nonexistant files (creation) permissions are checked against the target file not the directory. eg. In case of creating the file /dir/new, permissions are checked against the match /dir/new not against /dir/. The permissions for matches are currently stored in the dfa accept table, but this will change to allow for dfa reuse and also to allow for sharing of wider accept states. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
author: John Johansen <john.johansen@canonical.com> 2010-07-29 17:48:04 -0400
committer: James Morris <jmorris@namei.org> 2010-08-02 01:35:14 -0400
commit: 6380bd8ddf613b29f478396308b591867d401de4 (patch)
tree: 6d8fc9356a652f8452ccf49e7f79cc700cc2768d /security/apparmor/include
parent: 63e2b423771ab0bc7ad4d407f3f6517c6d05cdc0 (diff)
1 files changed, 217 insertions, 0 deletions
diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
new file mode 100644
index 000000000000..be36feabb16a
--- /dev/null
+++ b/security/apparmor/include/file.h
@@ -0,0 +1,217 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor file mediation function definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_FILE_H
+#define __AA_FILE_H
+#include <linux/path.h>
+#include "domain.h"
+#include "match.h"
+struct aa_profile;
+/*
+ * We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
+ * for profile permissions
+ */
+#define AA_MAY_CREATE                  0x0010
+#define AA_MAY_DELETE                  0x0020
+#define AA_MAY_META_WRITE              0x0040
+#define AA_MAY_META_READ               0x0080
+#define AA_MAY_CHMOD                   0x0100
+#define AA_MAY_CHOWN                   0x0200
+#define AA_MAY_LOCK                    0x0400
+#define AA_EXEC_MMAP                   0x0800
+#define AA_MAY_LINK                     0x1000
+#define AA_LINK_SUBSET                  AA_MAY_LOCK     /* overlaid */
+#define AA_MAY_ONEXEC                   0x40000000      /* exec allows onexec */
+#define AA_MAY_CHANGE_PROFILE           0x80000000
+#define AA_MAY_CHANGEHAT                0x80000000      /* ctrl auditing only */
+#define AA_AUDIT_FILE_MASK      (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\
+                                 AA_MAY_CREATE | AA_MAY_DELETE |        \
+                                 AA_MAY_META_READ | AA_MAY_META_WRITE | \
+                                 AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
+                                 AA_EXEC_MMAP | AA_MAY_LINK)
+/*
+ * The xindex is broken into 3 parts
+ * - index - an index into either the exec name table or the variable table
+ * - exec type - which determines how the executable name and index are used
+ * - flags - which modify how the destination name is applied
+ */
+#define AA_X_INDEX_MASK         0x03ff
+#define AA_X_TYPE_MASK          0x0c00
+#define AA_X_TYPE_SHIFT         10
+#define AA_X_NONE               0x0000
+#define AA_X_NAME               0x0400  /* use executable name px */
+#define AA_X_TABLE              0x0800  /* use a specified name ->n# */
+#define AA_X_UNSAFE             0x1000
+#define AA_X_CHILD              0x2000  /* make >AA_X_NONE apply to children */
+#define AA_X_INHERIT            0x4000
+#define AA_X_UNCONFINED         0x8000
+/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
+#define AA_SECURE_X_NEEDED      0x8000
+/* need to make conditional which ones are being set */
+struct path_cond {
+        uid_t uid;
+        umode_t mode;
+};
+/* struct file_perms - file permission
+ * @allow: mask of permissions that are allowed
+ * @audit: mask of permissions to force an audit message for
+ * @quiet: mask of permissions to quiet audit messages for
+ * @kill: mask of permissions that when matched will kill the task
+ * @xindex: exec transition index if @allow contains MAY_EXEC
+ *
+ * The @audit and @queit mask should be mutually exclusive.
+ */
+struct file_perms {
+        u32 allow;
+        u32 audit;
+        u32 quiet;
+        u32 kill;
+        u16 xindex;
+};
+extern struct file_perms nullperms;
+#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
+/* FIXME: split perms from dfa and match this to description
+ *        also add delegation info.
+ */
+static inline u16 dfa_map_xindex(u16 mask)
+{
+        u16 old_index = (mask >> 10) & 0xf;
+        u16 index = 0;
+        if (mask & 0x100)
+                index |= AA_X_UNSAFE;
+        if (mask & 0x200)
+                index |= AA_X_INHERIT;
+        if (mask & 0x80)
+                index |= AA_X_UNCONFINED;
+        if (old_index == 1) {
+                index |= AA_X_UNCONFINED;
+        } else if (old_index == 2) {
+                index |= AA_X_NAME;
+        } else if (old_index == 3) {
+                index |= AA_X_NAME | AA_X_CHILD;
+        } else {
+                index |= AA_X_TABLE;
+                index |= old_index - 4;
+        }
+        return index;
+}
+/*
+ * map old dfa inline permissions to new format
+ */
+#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
+                                    ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
+#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
+#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
+#define dfa_user_xindex(dfa, state) \
+        (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
+#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
+                                      0x7f) |                           \
+                                     ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
+#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
+#define dfa_other_quiet(dfa, state) \
+        ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
+#define dfa_other_xindex(dfa, state) \
+        dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
+int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
+                  gfp_t gfp, int op, u32 request, const char *name,
+                  const char *target, uid_t ouid, const char *info, int error);
+/**
+ * struct aa_file_rules - components used for file rule permissions
+ * @dfa: dfa to match path names and conditionals against
+ * @perms: permission table indexed by the matched state accept entry of @dfa
+ * @trans: transition table for indexed by named x transitions
+ *
+ * File permission are determined by matching a path against @dfa and then
+ * then using the value of the accept entry for the matching state as
+ * an index into @perms.  If a named exec transition is required it is
+ * looked up in the transition table.
+ */
+struct aa_file_rules {
+        unsigned int start;
+        struct aa_dfa *dfa;
+        /* struct perms perms; */
+        struct aa_domain trans;
+        /* TODO: add delegate table */
+};
+unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
+                          const char *name, struct path_cond *cond,
+                          struct file_perms *perms);
+int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
+                 int flags, u32 request, struct path_cond *cond);
+int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
+                 struct path *new_dir, struct dentry *new_dentry);
+int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
+                 u32 request);
+static inline void aa_free_file_rules(struct aa_file_rules *rules)
+{
+        aa_put_dfa(rules->dfa);
+        aa_free_domain_entries(&rules->trans);
+}
+#define ACC_FMODE(x) (("\000\004\002\006"[(x)&O_ACCMODE]) | (((x) << 1) & 0x40))
+/* from namei.c */
+#define MAP_OPEN_FLAGS(x) ((((x) + 1) & O_ACCMODE) ? (x) + 1 : (x))
+/**
+ * aa_map_file_perms - map file flags to AppArmor permissions
+ * @file: open file to map flags to AppArmor permissions
+ *
+ * Returns: apparmor permission set for the file
+ */
+static inline u32 aa_map_file_to_perms(struct file *file)
+{
+        int flags = MAP_OPEN_FLAGS(file->f_flags);
+        u32 perms = ACC_FMODE(file->f_mode);
+        if ((flags & O_APPEND) && (perms & MAY_WRITE))
+                perms = (perms & ~MAY_WRITE) | MAY_APPEND;
+        /* trunc implies write permission */
+        if (flags & O_TRUNC)
+                perms |= MAY_WRITE;
+        if (flags & O_CREAT)
+                perms |= AA_MAY_CREATE;
+        return perms;
+}
+#endif /* __AA_FILE_H */
author	John Johansen <john.johansen@canonical.com>	2010-07-29 17:48:04 -0400
committer	James Morris <jmorris@namei.org>	2010-08-02 01:35:14 -0400
commit	6380bd8ddf613b29f478396308b591867d401de4 (patch)
tree	6d8fc9356a652f8452ccf49e7f79cc700cc2768d /security/apparmor/include
parent	63e2b423771ab0bc7ad4d407f3f6517c6d05cdc0 (diff)

diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h new file mode 100644 index 000000000000..be36feabb16a --- /dev/null +++ b/security/apparmor/include/file.h
@@ -0,0 +1,217 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor file mediation function definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_FILE_H
	16	#define __AA_FILE_H
	17
	18	#include <linux/path.h>
	19
	20	#include "domain.h"
	21	#include "match.h"
	22
	23	struct aa_profile;
	24
	25	/*
	26	* We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
	27	* for profile permissions
	28	*/
	29	#define AA_MAY_CREATE 0x0010
	30	#define AA_MAY_DELETE 0x0020
	31	#define AA_MAY_META_WRITE 0x0040
	32	#define AA_MAY_META_READ 0x0080
	33
	34	#define AA_MAY_CHMOD 0x0100
	35	#define AA_MAY_CHOWN 0x0200
	36	#define AA_MAY_LOCK 0x0400
	37	#define AA_EXEC_MMAP 0x0800
	38
	39	#define AA_MAY_LINK 0x1000
	40	#define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */
	41	#define AA_MAY_ONEXEC 0x40000000 /* exec allows onexec */
	42	#define AA_MAY_CHANGE_PROFILE 0x80000000
	43	#define AA_MAY_CHANGEHAT 0x80000000 /* ctrl auditing only */
	44
	45	#define AA_AUDIT_FILE_MASK (MAY_READ \| MAY_WRITE \| MAY_EXEC \| MAY_APPEND \|\
	46	AA_MAY_CREATE \| AA_MAY_DELETE \| \
	47	AA_MAY_META_READ \| AA_MAY_META_WRITE \| \
	48	AA_MAY_CHMOD \| AA_MAY_CHOWN \| AA_MAY_LOCK \| \
	49	AA_EXEC_MMAP \| AA_MAY_LINK)
	50
	51	/*
	52	* The xindex is broken into 3 parts
	53	* - index - an index into either the exec name table or the variable table
	54	* - exec type - which determines how the executable name and index are used
	55	* - flags - which modify how the destination name is applied
	56	*/
	57	#define AA_X_INDEX_MASK 0x03ff
	58
	59	#define AA_X_TYPE_MASK 0x0c00
	60	#define AA_X_TYPE_SHIFT 10
	61	#define AA_X_NONE 0x0000
	62	#define AA_X_NAME 0x0400 /* use executable name px */
	63	#define AA_X_TABLE 0x0800 /* use a specified name ->n# */
	64
	65	#define AA_X_UNSAFE 0x1000
	66	#define AA_X_CHILD 0x2000 /* make >AA_X_NONE apply to children */
	67	#define AA_X_INHERIT 0x4000
	68	#define AA_X_UNCONFINED 0x8000
	69
	70	/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
	71	#define AA_SECURE_X_NEEDED 0x8000
	72
	73	/* need to make conditional which ones are being set */
	74	struct path_cond {
	75	uid_t uid;
	76	umode_t mode;
	77	};
	78
	79	/* struct file_perms - file permission
	80	* @allow: mask of permissions that are allowed
	81	* @audit: mask of permissions to force an audit message for
	82	* @quiet: mask of permissions to quiet audit messages for
	83	* @kill: mask of permissions that when matched will kill the task
	84	* @xindex: exec transition index if @allow contains MAY_EXEC
	85	*
	86	* The @audit and @queit mask should be mutually exclusive.
	87	*/
	88	struct file_perms {
	89	u32 allow;
	90	u32 audit;
	91	u32 quiet;
	92	u32 kill;
	93	u16 xindex;
	94	};
	95
	96	extern struct file_perms nullperms;
	97
	98	#define COMBINED_PERM_MASK(X) ((X).allow \| (X).audit \| (X).quiet \| (X).kill)
	99
	100	/* FIXME: split perms from dfa and match this to description
	101	* also add delegation info.
	102	*/
	103	static inline u16 dfa_map_xindex(u16 mask)
	104	{
	105	u16 old_index = (mask >> 10) & 0xf;
	106	u16 index = 0;
	107
	108	if (mask & 0x100)
	109	index \|= AA_X_UNSAFE;
	110	if (mask & 0x200)
	111	index \|= AA_X_INHERIT;
	112	if (mask & 0x80)
	113	index \|= AA_X_UNCONFINED;
	114
	115	if (old_index == 1) {
	116	index \|= AA_X_UNCONFINED;
	117	} else if (old_index == 2) {
	118	index \|= AA_X_NAME;
	119	} else if (old_index == 3) {
	120	index \|= AA_X_NAME \| AA_X_CHILD;
	121	} else {
	122	index \|= AA_X_TABLE;
	123	index \|= old_index - 4;
	124	}
	125
	126	return index;
	127	}
	128
	129	/*
	130	* map old dfa inline permissions to new format
	131	*/
	132	#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) \| \
	133	((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
	134	#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
	135	#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
	136	#define dfa_user_xindex(dfa, state) \
	137	(dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
	138
	139	#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
	140	0x7f) \| \
	141	((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
	142	#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
	143	#define dfa_other_quiet(dfa, state) \
	144	((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
	145	#define dfa_other_xindex(dfa, state) \
	146	dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
	147
	148	int aa_audit_file(struct aa_profile profile, struct file_perms perms,
	149	gfp_t gfp, int op, u32 request, const char *name,
	150	const char target, uid_t ouid, const char info, int error);
	151
	152	/**
	153	* struct aa_file_rules - components used for file rule permissions
	154	* @dfa: dfa to match path names and conditionals against
	155	* @perms: permission table indexed by the matched state accept entry of @dfa
	156	* @trans: transition table for indexed by named x transitions
	157	*
	158	* File permission are determined by matching a path against @dfa and then
	159	* then using the value of the accept entry for the matching state as
	160	* an index into @perms. If a named exec transition is required it is
	161	* looked up in the transition table.
	162	*/
	163	struct aa_file_rules {
	164	unsigned int start;
	165	struct aa_dfa *dfa;
	166	/* struct perms perms; */
	167	struct aa_domain trans;
	168	/* TODO: add delegate table */
	169	};
	170
	171	unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
	172	const char name, struct path_cond cond,
	173	struct file_perms *perms);
	174
	175	int aa_path_perm(int op, struct aa_profile profile, struct path path,
	176	int flags, u32 request, struct path_cond *cond);
	177
	178	int aa_path_link(struct aa_profile profile, struct dentry old_dentry,
	179	struct path new_dir, struct dentry new_dentry);
	180
	181	int aa_file_perm(int op, struct aa_profile profile, struct file file,
	182	u32 request);
	183
	184	static inline void aa_free_file_rules(struct aa_file_rules *rules)
	185	{
	186	aa_put_dfa(rules->dfa);
	187	aa_free_domain_entries(&rules->trans);
	188	}
	189
	190	#define ACC_FMODE(x) (("\000\004\002\006"[(x)&O_ACCMODE]) \| (((x) << 1) & 0x40))
	191
	192	/* from namei.c */
	193	#define MAP_OPEN_FLAGS(x) ((((x) + 1) & O_ACCMODE) ? (x) + 1 : (x))
	194
	195	/**
	196	* aa_map_file_perms - map file flags to AppArmor permissions
	197	* @file: open file to map flags to AppArmor permissions
	198	*
	199	* Returns: apparmor permission set for the file
	200	*/
	201	static inline u32 aa_map_file_to_perms(struct file *file)
	202	{
	203	int flags = MAP_OPEN_FLAGS(file->f_flags);
	204	u32 perms = ACC_FMODE(file->f_mode);
	205
	206	if ((flags & O_APPEND) && (perms & MAY_WRITE))
	207	perms = (perms & ~MAY_WRITE) \| MAY_APPEND;
	208	/* trunc implies write permission */
	209	if (flags & O_TRUNC)
	210	perms \|= MAY_WRITE;
	211	if (flags & O_CREAT)
	212	perms \|= AA_MAY_CREATE;
	213
	214	return perms;
	215	}
	216
	217	#endif /* __AA_FILE_H */