aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2010-07-29 17:47:57 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:35:11 -0400
commitcdff264264254e0fabc8107a33f3bb75a95e981f (patch)
treea20956e2a7a38e195071ded57fca02e1d1b1314c /security/apparmor
parente6f6a4cc955d626ed26562d98de5766bf1f73526 (diff)
AppArmor: misc. base functions and defines
Miscellaneous functions and defines needed by AppArmor, including the base path resolution routines. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/apparmor')
-rw-r--r--security/apparmor/include/apparmor.h92
-rw-r--r--security/apparmor/include/path.h31
-rw-r--r--security/apparmor/lib.c133
-rw-r--r--security/apparmor/path.c235
4 files changed, 491 insertions, 0 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
new file mode 100644
index 000000000000..38ccaea08204
--- /dev/null
+++ b/security/apparmor/include/apparmor.h
@@ -0,0 +1,92 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor basic global and lib definitions
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __APPARMOR_H
16#define __APPARMOR_H
17
18#include <linux/fs.h>
19
20#include "match.h"
21
22/* Control parameters settable through module/boot flags */
23extern enum audit_mode aa_g_audit;
24extern int aa_g_audit_header;
25extern int aa_g_debug;
26extern int aa_g_lock_policy;
27extern int aa_g_logsyscall;
28extern int aa_g_paranoid_load;
29extern unsigned int aa_g_path_max;
30
31/*
32 * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
33 * which is not related to profile accesses.
34 */
35
36#define AA_DEBUG(fmt, args...) \
37 do { \
38 if (aa_g_debug && printk_ratelimit()) \
39 printk(KERN_DEBUG "AppArmor: " fmt, ##args); \
40 } while (0)
41
42#define AA_ERROR(fmt, args...) \
43 do { \
44 if (printk_ratelimit()) \
45 printk(KERN_ERR "AppArmor: " fmt, ##args); \
46 } while (0)
47
48/* Flag indicating whether initialization completed */
49extern int apparmor_initialized __initdata;
50
51/* fn's in lib */
52char *aa_split_fqname(char *args, char **ns_name);
53void aa_info_message(const char *str);
54void *kvmalloc(size_t size);
55void kvfree(void *buffer);
56
57
58/**
59 * aa_strneq - compare null terminated @str to a non null terminated substring
60 * @str: a null terminated string
61 * @sub: a substring, not necessarily null terminated
62 * @len: length of @sub to compare
63 *
64 * The @str string must be full consumed for this to be considered a match
65 */
66static inline bool aa_strneq(const char *str, const char *sub, int len)
67{
68 return !strncmp(str, sub, len) && !str[len];
69}
70
71/**
72 * aa_dfa_null_transition - step to next state after null character
73 * @dfa: the dfa to match against
74 * @start: the state of the dfa to start matching in
75 *
76 * aa_dfa_null_transition transitions to the next state after a null
77 * character which is not used in standard matching and is only
78 * used to separate pairs.
79 */
80static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
81 unsigned int start)
82{
83 /* the null transition only needs the string's null terminator byte */
84 return aa_dfa_match_len(dfa, start, "", 1);
85}
86
87static inline bool mediated_filesystem(struct inode *inode)
88{
89 return !(inode->i_sb->s_flags & MS_NOUSER);
90}
91
92#endif /* __APPARMOR_H */
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
new file mode 100644
index 000000000000..27b327a7fae5
--- /dev/null
+++ b/security/apparmor/include/path.h
@@ -0,0 +1,31 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor basic path manipulation function definitions.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __AA_PATH_H
16#define __AA_PATH_H
17
18
19enum path_flags {
20 PATH_IS_DIR = 0x1, /* path is a directory */
21 PATH_CONNECT_PATH = 0x4, /* connect disconnected paths to / */
22 PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */
23 PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */
24
25 PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
26 PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
27};
28
29int aa_get_name(struct path *path, int flags, char **buffer, const char **name);
30
31#endif /* __AA_PATH_H */
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
new file mode 100644
index 000000000000..6e85cdb4303f
--- /dev/null
+++ b/security/apparmor/lib.c
@@ -0,0 +1,133 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains basic common functions used in AppArmor
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/slab.h>
16#include <linux/string.h>
17#include <linux/vmalloc.h>
18
19#include "include/audit.h"
20
21
22/**
23 * aa_split_fqname - split a fqname into a profile and namespace name
24 * @fqname: a full qualified name in namespace profile format (NOT NULL)
25 * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
26 *
27 * Returns: profile name or NULL if one is not specified
28 *
29 * Split a namespace name from a profile name (see policy.c for naming
30 * description). If a portion of the name is missing it returns NULL for
31 * that portion.
32 *
33 * NOTE: may modify the @fqname string. The pointers returned point
34 * into the @fqname string.
35 */
36char *aa_split_fqname(char *fqname, char **ns_name)
37{
38 char *name = strim(fqname);
39
40 *ns_name = NULL;
41 if (name[0] == ':') {
42 char *split = strchr(&name[1], ':');
43 if (split) {
44 /* overwrite ':' with \0 */
45 *split = 0;
46 name = skip_spaces(split + 1);
47 } else
48 /* a ns name without a following profile is allowed */
49 name = NULL;
50 *ns_name = &name[1];
51 }
52 if (name && *name == 0)
53 name = NULL;
54
55 return name;
56}
57
58/**
59 * aa_info_message - log a none profile related status message
60 * @str: message to log
61 */
62void aa_info_message(const char *str)
63{
64 if (audit_enabled) {
65 struct common_audit_data sa;
66 COMMON_AUDIT_DATA_INIT(&sa, NONE);
67 sa.aad.info = str;
68 aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
69 }
70 printk(KERN_INFO "AppArmor: %s\n", str);
71}
72
73/**
74 * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
75 * @size: size of allocation
76 *
77 * Return: allocated buffer or NULL if failed
78 *
79 * It is possible that policy being loaded from the user is larger than
80 * what can be allocated by kmalloc, in those cases fall back to vmalloc.
81 */
82void *kvmalloc(size_t size)
83{
84 void *buffer = NULL;
85
86 if (size == 0)
87 return NULL;
88
89 /* do not attempt kmalloc if we need more than 16 pages at once */
90 if (size <= (16*PAGE_SIZE))
91 buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN);
92 if (!buffer) {
93 /* see kvfree for why size must be at least work_struct size
94 * when allocated via vmalloc
95 */
96 if (size < sizeof(struct work_struct))
97 size = sizeof(struct work_struct);
98 buffer = vmalloc(size);
99 }
100 return buffer;
101}
102
103/**
104 * do_vfree - workqueue routine for freeing vmalloced memory
105 * @work: data to be freed
106 *
107 * The work_struct is overlaid to the data being freed, as at the point
108 * the work is scheduled the data is no longer valid, be its freeing
109 * needs to be delayed until safe.
110 */
111static void do_vfree(struct work_struct *work)
112{
113 vfree(work);
114}
115
116/**
117 * kvfree - free an allocation do by kvmalloc
118 * @buffer: buffer to free (MAYBE_NULL)
119 *
120 * Free a buffer allocated by kvmalloc
121 */
122void kvfree(void *buffer)
123{
124 if (is_vmalloc_addr(buffer)) {
125 /* Data is no longer valid so just use the allocated space
126 * as the work_struct
127 */
128 struct work_struct *work = (struct work_struct *) buffer;
129 INIT_WORK(work, do_vfree);
130 schedule_work(work);
131 } else
132 kfree(buffer);
133}
diff --git a/security/apparmor/path.c b/security/apparmor/path.c
new file mode 100644
index 000000000000..96bab9469d48
--- /dev/null
+++ b/security/apparmor/path.c
@@ -0,0 +1,235 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor function for pathnames
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/magic.h>
16#include <linux/mnt_namespace.h>
17#include <linux/mount.h>
18#include <linux/namei.h>
19#include <linux/nsproxy.h>
20#include <linux/path.h>
21#include <linux/sched.h>
22#include <linux/slab.h>
23#include <linux/fs_struct.h>
24
25#include "include/apparmor.h"
26#include "include/path.h"
27#include "include/policy.h"
28
29
30/* modified from dcache.c */
31static int prepend(char **buffer, int buflen, const char *str, int namelen)
32{
33 buflen -= namelen;
34 if (buflen < 0)
35 return -ENAMETOOLONG;
36 *buffer -= namelen;
37 memcpy(*buffer, str, namelen);
38 return 0;
39}
40
41#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
42
43/**
44 * d_namespace_path - lookup a name associated with a given path
45 * @path: path to lookup (NOT NULL)
46 * @buf: buffer to store path to (NOT NULL)
47 * @buflen: length of @buf
48 * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
49 * @flags: flags controlling path lookup
50 *
51 * Handle path name lookup.
52 *
53 * Returns: %0 else error code if path lookup fails
54 * When no error the path name is returned in @name which points to
55 * to a position in @buf
56 */
57static int d_namespace_path(struct path *path, char *buf, int buflen,
58 char **name, int flags)
59{
60 struct path root, tmp;
61 char *res;
62 int deleted, connected;
63 int error = 0;
64
65 /* Get the root we want to resolve too */
66 if (flags & PATH_CHROOT_REL) {
67 /* resolve paths relative to chroot */
68 read_lock(&current->fs->lock);
69 root = current->fs->root;
70 /* released below */
71 path_get(&root);
72 read_unlock(&current->fs->lock);
73 } else {
74 /* resolve paths relative to namespace */
75 root.mnt = current->nsproxy->mnt_ns->root;
76 root.dentry = root.mnt->mnt_root;
77 /* released below */
78 path_get(&root);
79 }
80
81 spin_lock(&dcache_lock);
82 /* There is a race window between path lookup here and the
83 * need to strip the " (deleted) string that __d_path applies
84 * Detect the race and relookup the path
85 *
86 * The stripping of (deleted) is a hack that could be removed
87 * with an updated __d_path
88 */
89 do {
90 tmp = root;
91 deleted = d_unlinked(path->dentry);
92 res = __d_path(path, &tmp, buf, buflen);
93
94 } while (deleted != d_unlinked(path->dentry));
95 spin_unlock(&dcache_lock);
96
97 *name = res;
98 /* handle error conditions - and still allow a partial path to
99 * be returned.
100 */
101 if (IS_ERR(res)) {
102 error = PTR_ERR(res);
103 *name = buf;
104 goto out;
105 }
106 if (deleted) {
107 /* On some filesystems, newly allocated dentries appear to the
108 * security_path hooks as a deleted dentry except without an
109 * inode allocated.
110 *
111 * Remove the appended deleted text and return as string for
112 * normal mediation, or auditing. The (deleted) string is
113 * guaranteed to be added in this case, so just strip it.
114 */
115 buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */
116
117 if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
118 error = -ENOENT;
119 goto out;
120 }
121 }
122
123 /* Determine if the path is connected to the expected root */
124 connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
125
126 /* If the path is not connected,
127 * check if it is a sysctl and handle specially else remove any
128 * leading / that __d_path may have returned.
129 * Unless
130 * specifically directed to connect the path,
131 * OR
132 * if in a chroot and doing chroot relative paths and the path
133 * resolves to the namespace root (would be connected outside
134 * of chroot) and specifically directed to connect paths to
135 * namespace root.
136 */
137 if (!connected) {
138 /* is the disconnect path a sysctl? */
139 if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
140 strncmp(*name, "/sys/", 5) == 0) {
141 /* TODO: convert over to using a per namespace
142 * control instead of hard coded /proc
143 */
144 error = prepend(name, *name - buf, "/proc", 5);
145 } else if (!(flags & PATH_CONNECT_PATH) &&
146 !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
147 (tmp.mnt == current->nsproxy->mnt_ns->root &&
148 tmp.dentry == tmp.mnt->mnt_root))) {
149 /* disconnected path, don't return pathname starting
150 * with '/'
151 */
152 error = -ESTALE;
153 if (*res == '/')
154 *name = res + 1;
155 }
156 }
157
158out:
159 path_put(&root);
160
161 return error;
162}
163
164/**
165 * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
166 * @path: path to get name for (NOT NULL)
167 * @flags: flags controlling path lookup
168 * @buffer: buffer to put name in (NOT NULL)
169 * @size: size of buffer
170 * @name: Returns - contains position of path name in @buffer (NOT NULL)
171 *
172 * Returns: %0 else error on failure
173 */
174static int get_name_to_buffer(struct path *path, int flags, char *buffer,
175 int size, char **name)
176{
177 int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
178 int error = d_namespace_path(path, buffer, size - adjust, name, flags);
179
180 if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
181 /*
182 * Append "/" to the pathname. The root directory is a special
183 * case; it already ends in slash.
184 */
185 strcpy(&buffer[size - 2], "/");
186
187 return error;
188}
189
190/**
191 * aa_get_name - compute the pathname of a file
192 * @path: path the file (NOT NULL)
193 * @flags: flags controlling path name generation
194 * @buffer: buffer that aa_get_name() allocated (NOT NULL)
195 * @name: Returns - the generated path name if !error (NOT NULL)
196 *
197 * @name is a pointer to the beginning of the pathname (which usually differs
198 * from the beginning of the buffer), or NULL. If there is an error @name
199 * may contain a partial or invalid name that can be used for audit purposes,
200 * but it can not be used for mediation.
201 *
202 * We need PATH_IS_DIR to indicate whether the file is a directory or not
203 * because the file may not yet exist, and so we cannot check the inode's
204 * file type.
205 *
206 * Returns: %0 else error code if could retrieve name
207 */
208int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
209{
210 char *buf, *str = NULL;
211 int size = 256;
212 int error;
213
214 *name = NULL;
215 *buffer = NULL;
216 for (;;) {
217 /* freed by caller */
218 buf = kmalloc(size, GFP_KERNEL);
219 if (!buf)
220 return -ENOMEM;
221
222 error = get_name_to_buffer(path, flags, buf, size, &str);
223 if (error != -ENAMETOOLONG)
224 break;
225
226 kfree(buf);
227 size <<= 1;
228 if (size > aa_g_path_max)
229 return -ENAMETOOLONG;
230 }
231 *buffer = buf;
232 *name = str;
233
234 return error;
235}