diff options
Diffstat (limited to 'security/apparmor/lsm.c')
-rw-r--r-- | security/apparmor/lsm.c | 939 |
1 files changed, 939 insertions, 0 deletions
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c new file mode 100644 index 000000000000..7daf0d528037 --- /dev/null +++ b/security/apparmor/lsm.c | |||
@@ -0,0 +1,939 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor LSM hooks. | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #include <linux/security.h> | ||
16 | #include <linux/moduleparam.h> | ||
17 | #include <linux/mm.h> | ||
18 | #include <linux/mman.h> | ||
19 | #include <linux/mount.h> | ||
20 | #include <linux/namei.h> | ||
21 | #include <linux/ptrace.h> | ||
22 | #include <linux/ctype.h> | ||
23 | #include <linux/sysctl.h> | ||
24 | #include <linux/audit.h> | ||
25 | #include <net/sock.h> | ||
26 | |||
27 | #include "include/apparmor.h" | ||
28 | #include "include/apparmorfs.h" | ||
29 | #include "include/audit.h" | ||
30 | #include "include/capability.h" | ||
31 | #include "include/context.h" | ||
32 | #include "include/file.h" | ||
33 | #include "include/ipc.h" | ||
34 | #include "include/path.h" | ||
35 | #include "include/policy.h" | ||
36 | #include "include/procattr.h" | ||
37 | |||
38 | /* Flag indicating whether initialization completed */ | ||
39 | int apparmor_initialized __initdata; | ||
40 | |||
41 | /* | ||
42 | * LSM hook functions | ||
43 | */ | ||
44 | |||
45 | /* | ||
46 | * free the associated aa_task_cxt and put its profiles | ||
47 | */ | ||
48 | static void apparmor_cred_free(struct cred *cred) | ||
49 | { | ||
50 | aa_free_task_context(cred->security); | ||
51 | cred->security = NULL; | ||
52 | } | ||
53 | |||
54 | /* | ||
55 | * allocate the apparmor part of blank credentials | ||
56 | */ | ||
57 | static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) | ||
58 | { | ||
59 | /* freed by apparmor_cred_free */ | ||
60 | struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); | ||
61 | if (!cxt) | ||
62 | return -ENOMEM; | ||
63 | |||
64 | cred->security = cxt; | ||
65 | return 0; | ||
66 | } | ||
67 | |||
68 | /* | ||
69 | * prepare new aa_task_cxt for modification by prepare_cred block | ||
70 | */ | ||
71 | static int apparmor_cred_prepare(struct cred *new, const struct cred *old, | ||
72 | gfp_t gfp) | ||
73 | { | ||
74 | /* freed by apparmor_cred_free */ | ||
75 | struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); | ||
76 | if (!cxt) | ||
77 | return -ENOMEM; | ||
78 | |||
79 | aa_dup_task_context(cxt, old->security); | ||
80 | new->security = cxt; | ||
81 | return 0; | ||
82 | } | ||
83 | |||
84 | /* | ||
85 | * transfer the apparmor data to a blank set of creds | ||
86 | */ | ||
87 | static void apparmor_cred_transfer(struct cred *new, const struct cred *old) | ||
88 | { | ||
89 | const struct aa_task_cxt *old_cxt = old->security; | ||
90 | struct aa_task_cxt *new_cxt = new->security; | ||
91 | |||
92 | aa_dup_task_context(new_cxt, old_cxt); | ||
93 | } | ||
94 | |||
95 | static int apparmor_ptrace_access_check(struct task_struct *child, | ||
96 | unsigned int mode) | ||
97 | { | ||
98 | int error = cap_ptrace_access_check(child, mode); | ||
99 | if (error) | ||
100 | return error; | ||
101 | |||
102 | return aa_ptrace(current, child, mode); | ||
103 | } | ||
104 | |||
105 | static int apparmor_ptrace_traceme(struct task_struct *parent) | ||
106 | { | ||
107 | int error = cap_ptrace_traceme(parent); | ||
108 | if (error) | ||
109 | return error; | ||
110 | |||
111 | return aa_ptrace(parent, current, PTRACE_MODE_ATTACH); | ||
112 | } | ||
113 | |||
114 | /* Derived from security/commoncap.c:cap_capget */ | ||
115 | static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, | ||
116 | kernel_cap_t *inheritable, kernel_cap_t *permitted) | ||
117 | { | ||
118 | struct aa_profile *profile; | ||
119 | const struct cred *cred; | ||
120 | |||
121 | rcu_read_lock(); | ||
122 | cred = __task_cred(target); | ||
123 | profile = aa_cred_profile(cred); | ||
124 | |||
125 | *effective = cred->cap_effective; | ||
126 | *inheritable = cred->cap_inheritable; | ||
127 | *permitted = cred->cap_permitted; | ||
128 | |||
129 | if (!unconfined(profile)) { | ||
130 | *effective = cap_intersect(*effective, profile->caps.allow); | ||
131 | *permitted = cap_intersect(*permitted, profile->caps.allow); | ||
132 | } | ||
133 | rcu_read_unlock(); | ||
134 | |||
135 | return 0; | ||
136 | } | ||
137 | |||
138 | static int apparmor_capable(struct task_struct *task, const struct cred *cred, | ||
139 | int cap, int audit) | ||
140 | { | ||
141 | struct aa_profile *profile; | ||
142 | /* cap_capable returns 0 on success, else -EPERM */ | ||
143 | int error = cap_capable(task, cred, cap, audit); | ||
144 | if (!error) { | ||
145 | profile = aa_cred_profile(cred); | ||
146 | if (!unconfined(profile)) | ||
147 | error = aa_capable(task, profile, cap, audit); | ||
148 | } | ||
149 | return error; | ||
150 | } | ||
151 | |||
152 | /** | ||
153 | * common_perm - basic common permission check wrapper fn for paths | ||
154 | * @op: operation being checked | ||
155 | * @path: path to check permission of (NOT NULL) | ||
156 | * @mask: requested permissions mask | ||
157 | * @cond: conditional info for the permission request (NOT NULL) | ||
158 | * | ||
159 | * Returns: %0 else error code if error or permission denied | ||
160 | */ | ||
161 | static int common_perm(int op, struct path *path, u32 mask, | ||
162 | struct path_cond *cond) | ||
163 | { | ||
164 | struct aa_profile *profile; | ||
165 | int error = 0; | ||
166 | |||
167 | profile = __aa_current_profile(); | ||
168 | if (!unconfined(profile)) | ||
169 | error = aa_path_perm(op, profile, path, 0, mask, cond); | ||
170 | |||
171 | return error; | ||
172 | } | ||
173 | |||
174 | /** | ||
175 | * common_perm_dir_dentry - common permission wrapper when path is dir, dentry | ||
176 | * @op: operation being checked | ||
177 | * @dir: directory of the dentry (NOT NULL) | ||
178 | * @dentry: dentry to check (NOT NULL) | ||
179 | * @mask: requested permissions mask | ||
180 | * @cond: conditional info for the permission request (NOT NULL) | ||
181 | * | ||
182 | * Returns: %0 else error code if error or permission denied | ||
183 | */ | ||
184 | static int common_perm_dir_dentry(int op, struct path *dir, | ||
185 | struct dentry *dentry, u32 mask, | ||
186 | struct path_cond *cond) | ||
187 | { | ||
188 | struct path path = { dir->mnt, dentry }; | ||
189 | |||
190 | return common_perm(op, &path, mask, cond); | ||
191 | } | ||
192 | |||
193 | /** | ||
194 | * common_perm_mnt_dentry - common permission wrapper when mnt, dentry | ||
195 | * @op: operation being checked | ||
196 | * @mnt: mount point of dentry (NOT NULL) | ||
197 | * @dentry: dentry to check (NOT NULL) | ||
198 | * @mask: requested permissions mask | ||
199 | * | ||
200 | * Returns: %0 else error code if error or permission denied | ||
201 | */ | ||
202 | static int common_perm_mnt_dentry(int op, struct vfsmount *mnt, | ||
203 | struct dentry *dentry, u32 mask) | ||
204 | { | ||
205 | struct path path = { mnt, dentry }; | ||
206 | struct path_cond cond = { dentry->d_inode->i_uid, | ||
207 | dentry->d_inode->i_mode | ||
208 | }; | ||
209 | |||
210 | return common_perm(op, &path, mask, &cond); | ||
211 | } | ||
212 | |||
213 | /** | ||
214 | * common_perm_rm - common permission wrapper for operations doing rm | ||
215 | * @op: operation being checked | ||
216 | * @dir: directory that the dentry is in (NOT NULL) | ||
217 | * @dentry: dentry being rm'd (NOT NULL) | ||
218 | * @mask: requested permission mask | ||
219 | * | ||
220 | * Returns: %0 else error code if error or permission denied | ||
221 | */ | ||
222 | static int common_perm_rm(int op, struct path *dir, | ||
223 | struct dentry *dentry, u32 mask) | ||
224 | { | ||
225 | struct inode *inode = dentry->d_inode; | ||
226 | struct path_cond cond = { }; | ||
227 | |||
228 | if (!inode || !dir->mnt || !mediated_filesystem(inode)) | ||
229 | return 0; | ||
230 | |||
231 | cond.uid = inode->i_uid; | ||
232 | cond.mode = inode->i_mode; | ||
233 | |||
234 | return common_perm_dir_dentry(op, dir, dentry, mask, &cond); | ||
235 | } | ||
236 | |||
237 | /** | ||
238 | * common_perm_create - common permission wrapper for operations doing create | ||
239 | * @op: operation being checked | ||
240 | * @dir: directory that dentry will be created in (NOT NULL) | ||
241 | * @dentry: dentry to create (NOT NULL) | ||
242 | * @mask: request permission mask | ||
243 | * @mode: created file mode | ||
244 | * | ||
245 | * Returns: %0 else error code if error or permission denied | ||
246 | */ | ||
247 | static int common_perm_create(int op, struct path *dir, struct dentry *dentry, | ||
248 | u32 mask, umode_t mode) | ||
249 | { | ||
250 | struct path_cond cond = { current_fsuid(), mode }; | ||
251 | |||
252 | if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode)) | ||
253 | return 0; | ||
254 | |||
255 | return common_perm_dir_dentry(op, dir, dentry, mask, &cond); | ||
256 | } | ||
257 | |||
258 | static int apparmor_path_unlink(struct path *dir, struct dentry *dentry) | ||
259 | { | ||
260 | return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); | ||
261 | } | ||
262 | |||
263 | static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry, | ||
264 | int mode) | ||
265 | { | ||
266 | return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, | ||
267 | S_IFDIR); | ||
268 | } | ||
269 | |||
270 | static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry) | ||
271 | { | ||
272 | return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); | ||
273 | } | ||
274 | |||
275 | static int apparmor_path_mknod(struct path *dir, struct dentry *dentry, | ||
276 | int mode, unsigned int dev) | ||
277 | { | ||
278 | return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); | ||
279 | } | ||
280 | |||
281 | static int apparmor_path_truncate(struct path *path, loff_t length, | ||
282 | unsigned int time_attrs) | ||
283 | { | ||
284 | struct path_cond cond = { path->dentry->d_inode->i_uid, | ||
285 | path->dentry->d_inode->i_mode | ||
286 | }; | ||
287 | |||
288 | if (!path->mnt || !mediated_filesystem(path->dentry->d_inode)) | ||
289 | return 0; | ||
290 | |||
291 | return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE, | ||
292 | &cond); | ||
293 | } | ||
294 | |||
295 | static int apparmor_path_symlink(struct path *dir, struct dentry *dentry, | ||
296 | const char *old_name) | ||
297 | { | ||
298 | return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, | ||
299 | S_IFLNK); | ||
300 | } | ||
301 | |||
302 | static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir, | ||
303 | struct dentry *new_dentry) | ||
304 | { | ||
305 | struct aa_profile *profile; | ||
306 | int error = 0; | ||
307 | |||
308 | if (!mediated_filesystem(old_dentry->d_inode)) | ||
309 | return 0; | ||
310 | |||
311 | profile = aa_current_profile(); | ||
312 | if (!unconfined(profile)) | ||
313 | error = aa_path_link(profile, old_dentry, new_dir, new_dentry); | ||
314 | return error; | ||
315 | } | ||
316 | |||
317 | static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry, | ||
318 | struct path *new_dir, struct dentry *new_dentry) | ||
319 | { | ||
320 | struct aa_profile *profile; | ||
321 | int error = 0; | ||
322 | |||
323 | if (!mediated_filesystem(old_dentry->d_inode)) | ||
324 | return 0; | ||
325 | |||
326 | profile = aa_current_profile(); | ||
327 | if (!unconfined(profile)) { | ||
328 | struct path old_path = { old_dir->mnt, old_dentry }; | ||
329 | struct path new_path = { new_dir->mnt, new_dentry }; | ||
330 | struct path_cond cond = { old_dentry->d_inode->i_uid, | ||
331 | old_dentry->d_inode->i_mode | ||
332 | }; | ||
333 | |||
334 | error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0, | ||
335 | MAY_READ | AA_MAY_META_READ | MAY_WRITE | | ||
336 | AA_MAY_META_WRITE | AA_MAY_DELETE, | ||
337 | &cond); | ||
338 | if (!error) | ||
339 | error = aa_path_perm(OP_RENAME_DEST, profile, &new_path, | ||
340 | 0, MAY_WRITE | AA_MAY_META_WRITE | | ||
341 | AA_MAY_CREATE, &cond); | ||
342 | |||
343 | } | ||
344 | return error; | ||
345 | } | ||
346 | |||
347 | static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt, | ||
348 | mode_t mode) | ||
349 | { | ||
350 | if (!mediated_filesystem(dentry->d_inode)) | ||
351 | return 0; | ||
352 | |||
353 | return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD); | ||
354 | } | ||
355 | |||
356 | static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid) | ||
357 | { | ||
358 | struct path_cond cond = { path->dentry->d_inode->i_uid, | ||
359 | path->dentry->d_inode->i_mode | ||
360 | }; | ||
361 | |||
362 | if (!mediated_filesystem(path->dentry->d_inode)) | ||
363 | return 0; | ||
364 | |||
365 | return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond); | ||
366 | } | ||
367 | |||
368 | static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) | ||
369 | { | ||
370 | if (!mediated_filesystem(dentry->d_inode)) | ||
371 | return 0; | ||
372 | |||
373 | return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry, | ||
374 | AA_MAY_META_READ); | ||
375 | } | ||
376 | |||
377 | static int apparmor_dentry_open(struct file *file, const struct cred *cred) | ||
378 | { | ||
379 | struct aa_file_cxt *fcxt = file->f_security; | ||
380 | struct aa_profile *profile; | ||
381 | int error = 0; | ||
382 | |||
383 | if (!mediated_filesystem(file->f_path.dentry->d_inode)) | ||
384 | return 0; | ||
385 | |||
386 | /* If in exec, permission is handled by bprm hooks. | ||
387 | * Cache permissions granted by the previous exec check, with | ||
388 | * implicit read and executable mmap which are required to | ||
389 | * actually execute the image. | ||
390 | */ | ||
391 | if (current->in_execve) { | ||
392 | fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; | ||
393 | return 0; | ||
394 | } | ||
395 | |||
396 | profile = aa_cred_profile(cred); | ||
397 | if (!unconfined(profile)) { | ||
398 | struct inode *inode = file->f_path.dentry->d_inode; | ||
399 | struct path_cond cond = { inode->i_uid, inode->i_mode }; | ||
400 | |||
401 | error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0, | ||
402 | aa_map_file_to_perms(file), &cond); | ||
403 | /* todo cache full allowed permissions set and state */ | ||
404 | fcxt->allow = aa_map_file_to_perms(file); | ||
405 | } | ||
406 | |||
407 | return error; | ||
408 | } | ||
409 | |||
410 | static int apparmor_file_alloc_security(struct file *file) | ||
411 | { | ||
412 | /* freed by apparmor_file_free_security */ | ||
413 | file->f_security = aa_alloc_file_context(GFP_KERNEL); | ||
414 | if (!file->f_security) | ||
415 | return -ENOMEM; | ||
416 | return 0; | ||
417 | |||
418 | } | ||
419 | |||
420 | static void apparmor_file_free_security(struct file *file) | ||
421 | { | ||
422 | struct aa_file_cxt *cxt = file->f_security; | ||
423 | |||
424 | aa_free_file_context(cxt); | ||
425 | } | ||
426 | |||
427 | static int common_file_perm(int op, struct file *file, u32 mask) | ||
428 | { | ||
429 | struct aa_file_cxt *fcxt = file->f_security; | ||
430 | struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred); | ||
431 | int error = 0; | ||
432 | |||
433 | BUG_ON(!fprofile); | ||
434 | |||
435 | if (!file->f_path.mnt || | ||
436 | !mediated_filesystem(file->f_path.dentry->d_inode)) | ||
437 | return 0; | ||
438 | |||
439 | profile = __aa_current_profile(); | ||
440 | |||
441 | /* revalidate access, if task is unconfined, or the cached cred | ||
442 | * doesn't match or if the request is for more permissions than | ||
443 | * was granted. | ||
444 | * | ||
445 | * Note: the test for !unconfined(fprofile) is to handle file | ||
446 | * delegation from unconfined tasks | ||
447 | */ | ||
448 | if (!unconfined(profile) && !unconfined(fprofile) && | ||
449 | ((fprofile != profile) || (mask & ~fcxt->allow))) | ||
450 | error = aa_file_perm(op, profile, file, mask); | ||
451 | |||
452 | return error; | ||
453 | } | ||
454 | |||
455 | static int apparmor_file_permission(struct file *file, int mask) | ||
456 | { | ||
457 | return common_file_perm(OP_FPERM, file, mask); | ||
458 | } | ||
459 | |||
460 | static int apparmor_file_lock(struct file *file, unsigned int cmd) | ||
461 | { | ||
462 | u32 mask = AA_MAY_LOCK; | ||
463 | |||
464 | if (cmd == F_WRLCK) | ||
465 | mask |= MAY_WRITE; | ||
466 | |||
467 | return common_file_perm(OP_FLOCK, file, mask); | ||
468 | } | ||
469 | |||
470 | static int common_mmap(int op, struct file *file, unsigned long prot, | ||
471 | unsigned long flags) | ||
472 | { | ||
473 | struct dentry *dentry; | ||
474 | int mask = 0; | ||
475 | |||
476 | if (!file || !file->f_security) | ||
477 | return 0; | ||
478 | |||
479 | if (prot & PROT_READ) | ||
480 | mask |= MAY_READ; | ||
481 | /* | ||
482 | * Private mappings don't require write perms since they don't | ||
483 | * write back to the files | ||
484 | */ | ||
485 | if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) | ||
486 | mask |= MAY_WRITE; | ||
487 | if (prot & PROT_EXEC) | ||
488 | mask |= AA_EXEC_MMAP; | ||
489 | |||
490 | dentry = file->f_path.dentry; | ||
491 | return common_file_perm(op, file, mask); | ||
492 | } | ||
493 | |||
494 | static int apparmor_file_mmap(struct file *file, unsigned long reqprot, | ||
495 | unsigned long prot, unsigned long flags, | ||
496 | unsigned long addr, unsigned long addr_only) | ||
497 | { | ||
498 | int rc = 0; | ||
499 | |||
500 | /* do DAC check */ | ||
501 | rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); | ||
502 | if (rc || addr_only) | ||
503 | return rc; | ||
504 | |||
505 | return common_mmap(OP_FMMAP, file, prot, flags); | ||
506 | } | ||
507 | |||
508 | static int apparmor_file_mprotect(struct vm_area_struct *vma, | ||
509 | unsigned long reqprot, unsigned long prot) | ||
510 | { | ||
511 | return common_mmap(OP_FMPROT, vma->vm_file, prot, | ||
512 | !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); | ||
513 | } | ||
514 | |||
515 | static int apparmor_getprocattr(struct task_struct *task, char *name, | ||
516 | char **value) | ||
517 | { | ||
518 | int error = -ENOENT; | ||
519 | struct aa_profile *profile; | ||
520 | /* released below */ | ||
521 | const struct cred *cred = get_task_cred(task); | ||
522 | struct aa_task_cxt *cxt = cred->security; | ||
523 | profile = aa_cred_profile(cred); | ||
524 | |||
525 | if (strcmp(name, "current") == 0) | ||
526 | error = aa_getprocattr(aa_newest_version(cxt->profile), | ||
527 | value); | ||
528 | else if (strcmp(name, "prev") == 0 && cxt->previous) | ||
529 | error = aa_getprocattr(aa_newest_version(cxt->previous), | ||
530 | value); | ||
531 | else if (strcmp(name, "exec") == 0 && cxt->onexec) | ||
532 | error = aa_getprocattr(aa_newest_version(cxt->onexec), | ||
533 | value); | ||
534 | else | ||
535 | error = -EINVAL; | ||
536 | |||
537 | put_cred(cred); | ||
538 | |||
539 | return error; | ||
540 | } | ||
541 | |||
542 | static int apparmor_setprocattr(struct task_struct *task, char *name, | ||
543 | void *value, size_t size) | ||
544 | { | ||
545 | char *command, *args = value; | ||
546 | size_t arg_size; | ||
547 | int error; | ||
548 | |||
549 | if (size == 0) | ||
550 | return -EINVAL; | ||
551 | /* args points to a PAGE_SIZE buffer, AppArmor requires that | ||
552 | * the buffer must be null terminated or have size <= PAGE_SIZE -1 | ||
553 | * so that AppArmor can null terminate them | ||
554 | */ | ||
555 | if (args[size - 1] != '\0') { | ||
556 | if (size == PAGE_SIZE) | ||
557 | return -EINVAL; | ||
558 | args[size] = '\0'; | ||
559 | } | ||
560 | |||
561 | /* task can only write its own attributes */ | ||
562 | if (current != task) | ||
563 | return -EACCES; | ||
564 | |||
565 | args = value; | ||
566 | args = strim(args); | ||
567 | command = strsep(&args, " "); | ||
568 | if (!args) | ||
569 | return -EINVAL; | ||
570 | args = skip_spaces(args); | ||
571 | if (!*args) | ||
572 | return -EINVAL; | ||
573 | |||
574 | arg_size = size - (args - (char *) value); | ||
575 | if (strcmp(name, "current") == 0) { | ||
576 | if (strcmp(command, "changehat") == 0) { | ||
577 | error = aa_setprocattr_changehat(args, arg_size, | ||
578 | !AA_DO_TEST); | ||
579 | } else if (strcmp(command, "permhat") == 0) { | ||
580 | error = aa_setprocattr_changehat(args, arg_size, | ||
581 | AA_DO_TEST); | ||
582 | } else if (strcmp(command, "changeprofile") == 0) { | ||
583 | error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, | ||
584 | !AA_DO_TEST); | ||
585 | } else if (strcmp(command, "permprofile") == 0) { | ||
586 | error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, | ||
587 | AA_DO_TEST); | ||
588 | } else if (strcmp(command, "permipc") == 0) { | ||
589 | error = aa_setprocattr_permipc(args); | ||
590 | } else { | ||
591 | struct common_audit_data sa; | ||
592 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | ||
593 | sa.aad.op = OP_SETPROCATTR; | ||
594 | sa.aad.info = name; | ||
595 | sa.aad.error = -EINVAL; | ||
596 | return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL, | ||
597 | &sa, NULL); | ||
598 | } | ||
599 | } else if (strcmp(name, "exec") == 0) { | ||
600 | error = aa_setprocattr_changeprofile(args, AA_ONEXEC, | ||
601 | !AA_DO_TEST); | ||
602 | } else { | ||
603 | /* only support the "current" and "exec" process attributes */ | ||
604 | return -EINVAL; | ||
605 | } | ||
606 | if (!error) | ||
607 | error = size; | ||
608 | return error; | ||
609 | } | ||
610 | |||
611 | static int apparmor_task_setrlimit(unsigned int resource, | ||
612 | struct rlimit *new_rlim) | ||
613 | { | ||
614 | struct aa_profile *profile = aa_current_profile(); | ||
615 | int error = 0; | ||
616 | |||
617 | if (!unconfined(profile)) | ||
618 | error = aa_task_setrlimit(profile, resource, new_rlim); | ||
619 | |||
620 | return error; | ||
621 | } | ||
622 | |||
623 | static struct security_operations apparmor_ops = { | ||
624 | .name = "apparmor", | ||
625 | |||
626 | .ptrace_access_check = apparmor_ptrace_access_check, | ||
627 | .ptrace_traceme = apparmor_ptrace_traceme, | ||
628 | .capget = apparmor_capget, | ||
629 | .capable = apparmor_capable, | ||
630 | |||
631 | .path_link = apparmor_path_link, | ||
632 | .path_unlink = apparmor_path_unlink, | ||
633 | .path_symlink = apparmor_path_symlink, | ||
634 | .path_mkdir = apparmor_path_mkdir, | ||
635 | .path_rmdir = apparmor_path_rmdir, | ||
636 | .path_mknod = apparmor_path_mknod, | ||
637 | .path_rename = apparmor_path_rename, | ||
638 | .path_chmod = apparmor_path_chmod, | ||
639 | .path_chown = apparmor_path_chown, | ||
640 | .path_truncate = apparmor_path_truncate, | ||
641 | .dentry_open = apparmor_dentry_open, | ||
642 | .inode_getattr = apparmor_inode_getattr, | ||
643 | |||
644 | .file_permission = apparmor_file_permission, | ||
645 | .file_alloc_security = apparmor_file_alloc_security, | ||
646 | .file_free_security = apparmor_file_free_security, | ||
647 | .file_mmap = apparmor_file_mmap, | ||
648 | .file_mprotect = apparmor_file_mprotect, | ||
649 | .file_lock = apparmor_file_lock, | ||
650 | |||
651 | .getprocattr = apparmor_getprocattr, | ||
652 | .setprocattr = apparmor_setprocattr, | ||
653 | |||
654 | .cred_alloc_blank = apparmor_cred_alloc_blank, | ||
655 | .cred_free = apparmor_cred_free, | ||
656 | .cred_prepare = apparmor_cred_prepare, | ||
657 | .cred_transfer = apparmor_cred_transfer, | ||
658 | |||
659 | .bprm_set_creds = apparmor_bprm_set_creds, | ||
660 | .bprm_committing_creds = apparmor_bprm_committing_creds, | ||
661 | .bprm_committed_creds = apparmor_bprm_committed_creds, | ||
662 | .bprm_secureexec = apparmor_bprm_secureexec, | ||
663 | |||
664 | .task_setrlimit = apparmor_task_setrlimit, | ||
665 | }; | ||
666 | |||
667 | /* | ||
668 | * AppArmor sysfs module parameters | ||
669 | */ | ||
670 | |||
671 | static int param_set_aabool(const char *val, struct kernel_param *kp); | ||
672 | static int param_get_aabool(char *buffer, struct kernel_param *kp); | ||
673 | #define param_check_aabool(name, p) __param_check(name, p, int) | ||
674 | |||
675 | static int param_set_aauint(const char *val, struct kernel_param *kp); | ||
676 | static int param_get_aauint(char *buffer, struct kernel_param *kp); | ||
677 | #define param_check_aauint(name, p) __param_check(name, p, int) | ||
678 | |||
679 | static int param_set_aalockpolicy(const char *val, struct kernel_param *kp); | ||
680 | static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp); | ||
681 | #define param_check_aalockpolicy(name, p) __param_check(name, p, int) | ||
682 | |||
683 | static int param_set_audit(const char *val, struct kernel_param *kp); | ||
684 | static int param_get_audit(char *buffer, struct kernel_param *kp); | ||
685 | #define param_check_audit(name, p) __param_check(name, p, int) | ||
686 | |||
687 | static int param_set_mode(const char *val, struct kernel_param *kp); | ||
688 | static int param_get_mode(char *buffer, struct kernel_param *kp); | ||
689 | #define param_check_mode(name, p) __param_check(name, p, int) | ||
690 | |||
691 | /* Flag values, also controllable via /sys/module/apparmor/parameters | ||
692 | * We define special types as we want to do additional mediation. | ||
693 | */ | ||
694 | |||
695 | /* AppArmor global enforcement switch - complain, enforce, kill */ | ||
696 | enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; | ||
697 | module_param_call(mode, param_set_mode, param_get_mode, | ||
698 | &aa_g_profile_mode, S_IRUSR | S_IWUSR); | ||
699 | |||
700 | /* Debug mode */ | ||
701 | int aa_g_debug; | ||
702 | module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); | ||
703 | |||
704 | /* Audit mode */ | ||
705 | enum audit_mode aa_g_audit; | ||
706 | module_param_call(audit, param_set_audit, param_get_audit, | ||
707 | &aa_g_audit, S_IRUSR | S_IWUSR); | ||
708 | |||
709 | /* Determines if audit header is included in audited messages. This | ||
710 | * provides more context if the audit daemon is not running | ||
711 | */ | ||
712 | int aa_g_audit_header = 1; | ||
713 | module_param_named(audit_header, aa_g_audit_header, aabool, | ||
714 | S_IRUSR | S_IWUSR); | ||
715 | |||
716 | /* lock out loading/removal of policy | ||
717 | * TODO: add in at boot loading of policy, which is the only way to | ||
718 | * load policy, if lock_policy is set | ||
719 | */ | ||
720 | int aa_g_lock_policy; | ||
721 | module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, | ||
722 | S_IRUSR | S_IWUSR); | ||
723 | |||
724 | /* Syscall logging mode */ | ||
725 | int aa_g_logsyscall; | ||
726 | module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); | ||
727 | |||
728 | /* Maximum pathname length before accesses will start getting rejected */ | ||
729 | unsigned int aa_g_path_max = 2 * PATH_MAX; | ||
730 | module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); | ||
731 | |||
732 | /* Determines how paranoid loading of policy is and how much verification | ||
733 | * on the loaded policy is done. | ||
734 | */ | ||
735 | int aa_g_paranoid_load = 1; | ||
736 | module_param_named(paranoid_load, aa_g_paranoid_load, aabool, | ||
737 | S_IRUSR | S_IWUSR); | ||
738 | |||
739 | /* Boot time disable flag */ | ||
740 | static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; | ||
741 | module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR); | ||
742 | |||
743 | static int __init apparmor_enabled_setup(char *str) | ||
744 | { | ||
745 | unsigned long enabled; | ||
746 | int error = strict_strtoul(str, 0, &enabled); | ||
747 | if (!error) | ||
748 | apparmor_enabled = enabled ? 1 : 0; | ||
749 | return 1; | ||
750 | } | ||
751 | |||
752 | __setup("apparmor=", apparmor_enabled_setup); | ||
753 | |||
754 | /* set global flag turning off the ability to load policy */ | ||
755 | static int param_set_aalockpolicy(const char *val, struct kernel_param *kp) | ||
756 | { | ||
757 | if (!capable(CAP_MAC_ADMIN)) | ||
758 | return -EPERM; | ||
759 | if (aa_g_lock_policy) | ||
760 | return -EACCES; | ||
761 | return param_set_bool(val, kp); | ||
762 | } | ||
763 | |||
764 | static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp) | ||
765 | { | ||
766 | if (!capable(CAP_MAC_ADMIN)) | ||
767 | return -EPERM; | ||
768 | return param_get_bool(buffer, kp); | ||
769 | } | ||
770 | |||
771 | static int param_set_aabool(const char *val, struct kernel_param *kp) | ||
772 | { | ||
773 | if (!capable(CAP_MAC_ADMIN)) | ||
774 | return -EPERM; | ||
775 | return param_set_bool(val, kp); | ||
776 | } | ||
777 | |||
778 | static int param_get_aabool(char *buffer, struct kernel_param *kp) | ||
779 | { | ||
780 | if (!capable(CAP_MAC_ADMIN)) | ||
781 | return -EPERM; | ||
782 | return param_get_bool(buffer, kp); | ||
783 | } | ||
784 | |||
785 | static int param_set_aauint(const char *val, struct kernel_param *kp) | ||
786 | { | ||
787 | if (!capable(CAP_MAC_ADMIN)) | ||
788 | return -EPERM; | ||
789 | return param_set_uint(val, kp); | ||
790 | } | ||
791 | |||
792 | static int param_get_aauint(char *buffer, struct kernel_param *kp) | ||
793 | { | ||
794 | if (!capable(CAP_MAC_ADMIN)) | ||
795 | return -EPERM; | ||
796 | return param_get_uint(buffer, kp); | ||
797 | } | ||
798 | |||
799 | static int param_get_audit(char *buffer, struct kernel_param *kp) | ||
800 | { | ||
801 | if (!capable(CAP_MAC_ADMIN)) | ||
802 | return -EPERM; | ||
803 | |||
804 | if (!apparmor_enabled) | ||
805 | return -EINVAL; | ||
806 | |||
807 | return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); | ||
808 | } | ||
809 | |||
810 | static int param_set_audit(const char *val, struct kernel_param *kp) | ||
811 | { | ||
812 | int i; | ||
813 | if (!capable(CAP_MAC_ADMIN)) | ||
814 | return -EPERM; | ||
815 | |||
816 | if (!apparmor_enabled) | ||
817 | return -EINVAL; | ||
818 | |||
819 | if (!val) | ||
820 | return -EINVAL; | ||
821 | |||
822 | for (i = 0; i < AUDIT_MAX_INDEX; i++) { | ||
823 | if (strcmp(val, audit_mode_names[i]) == 0) { | ||
824 | aa_g_audit = i; | ||
825 | return 0; | ||
826 | } | ||
827 | } | ||
828 | |||
829 | return -EINVAL; | ||
830 | } | ||
831 | |||
832 | static int param_get_mode(char *buffer, struct kernel_param *kp) | ||
833 | { | ||
834 | if (!capable(CAP_MAC_ADMIN)) | ||
835 | return -EPERM; | ||
836 | |||
837 | if (!apparmor_enabled) | ||
838 | return -EINVAL; | ||
839 | |||
840 | return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]); | ||
841 | } | ||
842 | |||
843 | static int param_set_mode(const char *val, struct kernel_param *kp) | ||
844 | { | ||
845 | int i; | ||
846 | if (!capable(CAP_MAC_ADMIN)) | ||
847 | return -EPERM; | ||
848 | |||
849 | if (!apparmor_enabled) | ||
850 | return -EINVAL; | ||
851 | |||
852 | if (!val) | ||
853 | return -EINVAL; | ||
854 | |||
855 | for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) { | ||
856 | if (strcmp(val, profile_mode_names[i]) == 0) { | ||
857 | aa_g_profile_mode = i; | ||
858 | return 0; | ||
859 | } | ||
860 | } | ||
861 | |||
862 | return -EINVAL; | ||
863 | } | ||
864 | |||
865 | /* | ||
866 | * AppArmor init functions | ||
867 | */ | ||
868 | |||
869 | /** | ||
870 | * set_init_cxt - set a task context and profile on the first task. | ||
871 | * | ||
872 | * TODO: allow setting an alternate profile than unconfined | ||
873 | */ | ||
874 | static int __init set_init_cxt(void) | ||
875 | { | ||
876 | struct cred *cred = (struct cred *)current->real_cred; | ||
877 | struct aa_task_cxt *cxt; | ||
878 | |||
879 | cxt = aa_alloc_task_context(GFP_KERNEL); | ||
880 | if (!cxt) | ||
881 | return -ENOMEM; | ||
882 | |||
883 | cxt->profile = aa_get_profile(root_ns->unconfined); | ||
884 | cred->security = cxt; | ||
885 | |||
886 | return 0; | ||
887 | } | ||
888 | |||
889 | static int __init apparmor_init(void) | ||
890 | { | ||
891 | int error; | ||
892 | |||
893 | if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) { | ||
894 | aa_info_message("AppArmor disabled by boot time parameter"); | ||
895 | apparmor_enabled = 0; | ||
896 | return 0; | ||
897 | } | ||
898 | |||
899 | error = aa_alloc_root_ns(); | ||
900 | if (error) { | ||
901 | AA_ERROR("Unable to allocate default profile namespace\n"); | ||
902 | goto alloc_out; | ||
903 | } | ||
904 | |||
905 | error = set_init_cxt(); | ||
906 | if (error) { | ||
907 | AA_ERROR("Failed to set context on init task\n"); | ||
908 | goto register_security_out; | ||
909 | } | ||
910 | |||
911 | error = register_security(&apparmor_ops); | ||
912 | if (error) { | ||
913 | AA_ERROR("Unable to register AppArmor\n"); | ||
914 | goto register_security_out; | ||
915 | } | ||
916 | |||
917 | /* Report that AppArmor successfully initialized */ | ||
918 | apparmor_initialized = 1; | ||
919 | if (aa_g_profile_mode == APPARMOR_COMPLAIN) | ||
920 | aa_info_message("AppArmor initialized: complain mode enabled"); | ||
921 | else if (aa_g_profile_mode == APPARMOR_KILL) | ||
922 | aa_info_message("AppArmor initialized: kill mode enabled"); | ||
923 | else | ||
924 | aa_info_message("AppArmor initialized"); | ||
925 | |||
926 | return error; | ||
927 | |||
928 | register_security_out: | ||
929 | aa_free_root_ns(); | ||
930 | |||
931 | alloc_out: | ||
932 | aa_destroy_aafs(); | ||
933 | |||
934 | apparmor_enabled = 0; | ||
935 | return error; | ||
936 | |||
937 | } | ||
938 | |||
939 | security_initcall(apparmor_init); | ||