aboutsummaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorJohn Johansen <john.johansen@canonical.com>2010-07-29 17:47:59 -0400
committerJames Morris <jmorris@namei.org>2010-08-02 01:35:12 -0400
commitc75afcd153f6147d3b094f45a1d87e5df7f4f053 (patch)
tree4d072c7b76a1e198427716f66a46712e508d4597 /security
parent67012e8209df95a8290d135753ff5145431a666e (diff)
AppArmor: contexts used in attaching policy to system objects
AppArmor contexts attach profiles and state to tasks, files, etc. when a direct profile reference is not sufficient. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/apparmor/context.c216
-rw-r--r--security/apparmor/include/context.h154
2 files changed, 370 insertions, 0 deletions
diff --git a/security/apparmor/context.c b/security/apparmor/context.c
new file mode 100644
index 000000000000..8a9b5027c813
--- /dev/null
+++ b/security/apparmor/context.c
@@ -0,0 +1,216 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor functions used to manipulate object security
5 * contexts.
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 *
10 * This program is free software; you can redistribute it and/or
11 * modify it under the terms of the GNU General Public License as
12 * published by the Free Software Foundation, version 2 of the
13 * License.
14 *
15 *
16 * AppArmor sets confinement on every task, via the the aa_task_cxt and
17 * the aa_task_cxt.profile, both of which are required and are not allowed
18 * to be NULL. The aa_task_cxt is not reference counted and is unique
19 * to each cred (which is reference count). The profile pointed to by
20 * the task_cxt is reference counted.
21 *
22 * TODO
23 * If a task uses change_hat it currently does not return to the old
24 * cred or task context but instead creates a new one. Ideally the task
25 * should return to the previous cred if it has not been modified.
26 *
27 */
28
29#include "include/context.h"
30#include "include/policy.h"
31
32/**
33 * aa_alloc_task_context - allocate a new task_cxt
34 * @flags: gfp flags for allocation
35 *
36 * Returns: allocated buffer or NULL on failure
37 */
38struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
39{
40 return kzalloc(sizeof(struct aa_task_cxt), flags);
41}
42
43/**
44 * aa_free_task_context - free a task_cxt
45 * @cxt: task_cxt to free (MAYBE NULL)
46 */
47void aa_free_task_context(struct aa_task_cxt *cxt)
48{
49 if (cxt) {
50 aa_put_profile(cxt->profile);
51 aa_put_profile(cxt->previous);
52 aa_put_profile(cxt->onexec);
53
54 kzfree(cxt);
55 }
56}
57
58/**
59 * aa_dup_task_context - duplicate a task context, incrementing reference counts
60 * @new: a blank task context (NOT NULL)
61 * @old: the task context to copy (NOT NULL)
62 */
63void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
64{
65 *new = *old;
66 aa_get_profile(new->profile);
67 aa_get_profile(new->previous);
68 aa_get_profile(new->onexec);
69}
70
71/**
72 * aa_replace_current_profile - replace the current tasks profiles
73 * @profile: new profile (NOT NULL)
74 *
75 * Returns: 0 or error on failure
76 */
77int aa_replace_current_profile(struct aa_profile *profile)
78{
79 struct aa_task_cxt *cxt = current_cred()->security;
80 struct cred *new;
81 BUG_ON(!profile);
82
83 if (cxt->profile == profile)
84 return 0;
85
86 new = prepare_creds();
87 if (!new)
88 return -ENOMEM;
89
90 cxt = new->security;
91 if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
92 /* if switching to unconfined or a different profile namespace
93 * clear out context state
94 */
95 aa_put_profile(cxt->previous);
96 aa_put_profile(cxt->onexec);
97 cxt->previous = NULL;
98 cxt->onexec = NULL;
99 cxt->token = 0;
100 }
101 /* be careful switching cxt->profile, when racing replacement it
102 * is possible that cxt->profile->replacedby is the reference keeping
103 * @profile valid, so make sure to get its reference before dropping
104 * the reference on cxt->profile */
105 aa_get_profile(profile);
106 aa_put_profile(cxt->profile);
107 cxt->profile = profile;
108
109 commit_creds(new);
110 return 0;
111}
112
113/**
114 * aa_set_current_onexec - set the tasks change_profile to happen onexec
115 * @profile: system profile to set at exec (MAYBE NULL to clear value)
116 *
117 * Returns: 0 or error on failure
118 */
119int aa_set_current_onexec(struct aa_profile *profile)
120{
121 struct aa_task_cxt *cxt;
122 struct cred *new = prepare_creds();
123 if (!new)
124 return -ENOMEM;
125
126 cxt = new->security;
127 aa_get_profile(profile);
128 aa_put_profile(cxt->onexec);
129 cxt->onexec = profile;
130
131 commit_creds(new);
132 return 0;
133}
134
135/**
136 * aa_set_current_hat - set the current tasks hat
137 * @profile: profile to set as the current hat (NOT NULL)
138 * @token: token value that must be specified to change from the hat
139 *
140 * Do switch of tasks hat. If the task is currently in a hat
141 * validate the token to match.
142 *
143 * Returns: 0 or error on failure
144 */
145int aa_set_current_hat(struct aa_profile *profile, u64 token)
146{
147 struct aa_task_cxt *cxt;
148 struct cred *new = prepare_creds();
149 if (!new)
150 return -ENOMEM;
151 BUG_ON(!profile);
152
153 cxt = new->security;
154 if (!cxt->previous) {
155 /* transfer refcount */
156 cxt->previous = cxt->profile;
157 cxt->token = token;
158 } else if (cxt->token == token) {
159 aa_put_profile(cxt->profile);
160 } else {
161 /* previous_profile && cxt->token != token */
162 abort_creds(new);
163 return -EACCES;
164 }
165 cxt->profile = aa_get_profile(aa_newest_version(profile));
166 /* clear exec on switching context */
167 aa_put_profile(cxt->onexec);
168 cxt->onexec = NULL;
169
170 commit_creds(new);
171 return 0;
172}
173
174/**
175 * aa_restore_previous_profile - exit from hat context restoring the profile
176 * @token: the token that must be matched to exit hat context
177 *
178 * Attempt to return out of a hat to the previous profile. The token
179 * must match the stored token value.
180 *
181 * Returns: 0 or error of failure
182 */
183int aa_restore_previous_profile(u64 token)
184{
185 struct aa_task_cxt *cxt;
186 struct cred *new = prepare_creds();
187 if (!new)
188 return -ENOMEM;
189
190 cxt = new->security;
191 if (cxt->token != token) {
192 abort_creds(new);
193 return -EACCES;
194 }
195 /* ignore restores when there is no saved profile */
196 if (!cxt->previous) {
197 abort_creds(new);
198 return 0;
199 }
200
201 aa_put_profile(cxt->profile);
202 cxt->profile = aa_newest_version(cxt->previous);
203 BUG_ON(!cxt->profile);
204 if (unlikely(cxt->profile != cxt->previous)) {
205 aa_get_profile(cxt->profile);
206 aa_put_profile(cxt->previous);
207 }
208 /* clear exec && prev information when restoring to previous context */
209 cxt->previous = NULL;
210 cxt->token = 0;
211 aa_put_profile(cxt->onexec);
212 cxt->onexec = NULL;
213
214 commit_creds(new);
215 return 0;
216}
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
new file mode 100644
index 000000000000..a9cbee4d9e48
--- /dev/null
+++ b/security/apparmor/include/context.h
@@ -0,0 +1,154 @@
1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor contexts used to associate "labels" to objects.
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#ifndef __AA_CONTEXT_H
16#define __AA_CONTEXT_H
17
18#include <linux/cred.h>
19#include <linux/slab.h>
20#include <linux/sched.h>
21
22#include "policy.h"
23
24/* struct aa_file_cxt - the AppArmor context the file was opened in
25 * @perms: the permission the file was opened with
26 *
27 * The file_cxt could currently be directly stored in file->f_security
28 * as the profile reference is now stored in the f_cred. However the
29 * cxt struct will expand in the future so we keep the struct.
30 */
31struct aa_file_cxt {
32 u16 allow;
33};
34
35/**
36 * aa_alloc_file_context - allocate file_cxt
37 * @gfp: gfp flags for allocation
38 *
39 * Returns: file_cxt or NULL on failure
40 */
41static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
42{
43 return kzalloc(sizeof(struct aa_file_cxt), gfp);
44}
45
46/**
47 * aa_free_file_context - free a file_cxt
48 * @cxt: file_cxt to free (MAYBE_NULL)
49 */
50static inline void aa_free_file_context(struct aa_file_cxt *cxt)
51{
52 if (cxt)
53 kzfree(cxt);
54}
55
56/**
57 * struct aa_task_cxt - primary label for confined tasks
58 * @profile: the current profile (NOT NULL)
59 * @exec: profile to transition to on next exec (MAYBE NULL)
60 * @previous: profile the task may return to (MAYBE NULL)
61 * @token: magic value the task must know for returning to @previous_profile
62 *
63 * Contains the task's current profile (which could change due to
64 * change_hat). Plus the hat_magic needed during change_hat.
65 *
66 * TODO: make so a task can be confined by a stack of contexts
67 */
68struct aa_task_cxt {
69 struct aa_profile *profile;
70 struct aa_profile *onexec;
71 struct aa_profile *previous;
72 u64 token;
73};
74
75struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
76void aa_free_task_context(struct aa_task_cxt *cxt);
77void aa_dup_task_context(struct aa_task_cxt *new,
78 const struct aa_task_cxt *old);
79int aa_replace_current_profile(struct aa_profile *profile);
80int aa_set_current_onexec(struct aa_profile *profile);
81int aa_set_current_hat(struct aa_profile *profile, u64 token);
82int aa_restore_previous_profile(u64 cookie);
83
84/**
85 * __aa_task_is_confined - determine if @task has any confinement
86 * @task: task to check confinement of (NOT NULL)
87 *
88 * If @task != current needs to be called in RCU safe critical section
89 */
90static inline bool __aa_task_is_confined(struct task_struct *task)
91{
92 struct aa_task_cxt *cxt = __task_cred(task)->security;
93
94 BUG_ON(!cxt || !cxt->profile);
95 if (unconfined(aa_newest_version(cxt->profile)))
96 return 0;
97
98 return 1;
99}
100
101/**
102 * aa_cred_profile - obtain cred's profiles
103 * @cred: cred to obtain profiles from (NOT NULL)
104 *
105 * Returns: confining profile
106 *
107 * does NOT increment reference count
108 */
109static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
110{
111 struct aa_task_cxt *cxt = cred->security;
112 BUG_ON(!cxt || !cxt->profile);
113 return aa_newest_version(cxt->profile);
114}
115
116/**
117 * __aa_current_profile - find the current tasks confining profile
118 *
119 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
120 *
121 * This fn will not update the tasks cred to the most up to date version
122 * of the profile so it is safe to call when inside of locks.
123 */
124static inline struct aa_profile *__aa_current_profile(void)
125{
126 return aa_cred_profile(current_cred());
127}
128
129/**
130 * aa_current_profile - find the current tasks confining profile and do updates
131 *
132 * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
133 *
134 * This fn will update the tasks cred structure if the profile has been
135 * replaced. Not safe to call inside locks
136 */
137static inline struct aa_profile *aa_current_profile(void)
138{
139 const struct aa_task_cxt *cxt = current_cred()->security;
140 struct aa_profile *profile;
141 BUG_ON(!cxt || !cxt->profile);
142
143 profile = aa_newest_version(cxt->profile);
144 /*
145 * Whether or not replacement succeeds, use newest profile so
146 * there is no need to update it after replacement.
147 */
148 if (unlikely((cxt->profile != profile)))
149 aa_replace_current_profile(profile);
150
151 return profile;
152}
153
154#endif /* __AA_CONTEXT_H */