6 files changed, 508 insertions, 0 deletions
diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
new file mode 100644
index 000000000000..9982c48def4e
--- /dev/null
+++ b/security/apparmor/capability.c
@@ -0,0 +1,141 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor capability mediation functions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/capability.h>
+#include <linux/errno.h>
+#include <linux/gfp.h>
+#include "include/apparmor.h"
+#include "include/capability.h"
+#include "include/context.h"
+#include "include/policy.h"
+#include "include/audit.h"
+/*
+ * Table of capability names: we generate it from capabilities.h.
+ */
+#include "capability_names.h"
+struct audit_cache {
+        struct aa_profile *profile;
+        kernel_cap_t caps;
+};
+static DEFINE_PER_CPU(struct audit_cache, audit_cache);
+/**
+ * audit_cb - call back for capability components of audit struct
+ * @ab - audit buffer   (NOT NULL)
+ * @va - audit struct to audit data from  (NOT NULL)
+ */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+        struct common_audit_data *sa = va;
+        audit_log_format(ab, " capname=");
+        audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
+}
+/**
+ * audit_caps - audit a capability
+ * @profile: profile confining task (NOT NULL)
+ * @task: task capability test was performed against (NOT NULL)
+ * @cap: capability tested
+ * @error: error code returned by test
+ *
+ * Do auditing of capability and handle, audit/complain/kill modes switching
+ * and duplicate message elimination.
+ *
+ * Returns: 0 or sa->error on success,  error code on failure
+ */
+static int audit_caps(struct aa_profile *profile, struct task_struct *task,
+                      int cap, int error)
+{
+        struct audit_cache *ent;
+        int type = AUDIT_APPARMOR_AUTO;
+        struct common_audit_data sa;
+        COMMON_AUDIT_DATA_INIT(&sa, CAP);
+        sa.tsk = task;
+        sa.u.cap = cap;
+        sa.aad.op = OP_CAPABLE;
+        sa.aad.error = error;
+        if (likely(!error)) {
+                /* test if auditing is being forced */
+                if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
+                           !cap_raised(profile->caps.audit, cap)))
+                        return 0;
+                type = AUDIT_APPARMOR_AUDIT;
+        } else if (KILL_MODE(profile) ||
+                   cap_raised(profile->caps.kill, cap)) {
+                type = AUDIT_APPARMOR_KILL;
+        } else if (cap_raised(profile->caps.quiet, cap) &&
+                   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+                   AUDIT_MODE(profile) != AUDIT_ALL) {
+                /* quiet auditing */
+                return error;
+        }
+        /* Do simple duplicate message elimination */
+        ent = &get_cpu_var(audit_cache);
+        if (profile == ent->profile && cap_raised(ent->caps, cap)) {
+                put_cpu_var(audit_cache);
+                if (COMPLAIN_MODE(profile))
+                        return complain_error(error);
+                return error;
+        } else {
+                aa_put_profile(ent->profile);
+                ent->profile = aa_get_profile(profile);
+                cap_raise(ent->caps, cap);
+        }
+        put_cpu_var(audit_cache);
+        return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
+}
+/**
+ * profile_capable - test if profile allows use of capability @cap
+ * @profile: profile being enforced    (NOT NULL, NOT unconfined)
+ * @cap: capability to test if allowed
+ *
+ * Returns: 0 if allowed else -EPERM
+ */
+static int profile_capable(struct aa_profile *profile, int cap)
+{
+        return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;
+}
+/**
+ * aa_capable - test permission to use capability
+ * @task: task doing capability test against (NOT NULL)
+ * @profile: profile confining @task (NOT NULL)
+ * @cap: capability to be tested
+ * @audit: whether an audit record should be generated
+ *
+ * Look up capability in profile capability set.
+ *
+ * Returns: 0 on success, or else an error code.
+ */
+int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
+               int audit)
+{
+        int error = profile_capable(profile, cap);
+        if (!audit) {
+                if (COMPLAIN_MODE(profile))
+                        return complain_error(error);
+                return error;
+        }
+        return audit_caps(profile, task, cap, error);
+}
diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
new file mode 100644
index 000000000000..c24d2959ea02
--- /dev/null
+++ b/security/apparmor/include/capability.h
@@ -0,0 +1,45 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor capability mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_CAPABILITY_H
+#define __AA_CAPABILITY_H
+#include <linux/sched.h>
+struct aa_profile;
+/* aa_caps - confinement data for capabilities
+ * @allowed: capabilities mask
+ * @audit: caps that are to be audited
+ * @quiet: caps that should not be audited
+ * @kill: caps that when requested will result in the task being killed
+ * @extended: caps that are subject finer grained mediation
+ */
+struct aa_caps {
+        kernel_cap_t allow;
+        kernel_cap_t audit;
+        kernel_cap_t quiet;
+        kernel_cap_t kill;
+        kernel_cap_t extended;
+};
+int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
+               int audit);
+static inline void aa_free_cap_rules(struct aa_caps *caps)
+{
+        /* NOP */
+}
+#endif /* __AA_CAPBILITY_H */
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
new file mode 100644
index 000000000000..aeda0fbc8b2f
--- /dev/null
+++ b/security/apparmor/include/ipc.h
@@ -0,0 +1,28 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor ipc mediation function definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_IPC_H
+#define __AA_IPC_H
+#include <linux/sched.h>
+struct aa_profile;
+int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
+                  struct aa_profile *tracee, unsigned int mode);
+int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
+              unsigned int mode);
+#endif /* __AA_IPC_H */
diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
new file mode 100644
index 000000000000..3c88be946494
--- /dev/null
+++ b/security/apparmor/include/resource.h
@@ -0,0 +1,46 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor resource limits function definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_RESOURCE_H
+#define __AA_RESOURCE_H
+#include <linux/resource.h>
+#include <linux/sched.h>
+struct aa_profile;
+/* struct aa_rlimit - rlimit settings for the profile
+ * @mask: which hard limits to set
+ * @limits: rlimit values that override task limits
+ *
+ * AppArmor rlimits are used to set confined task rlimits.  Only the
+ * limits specified in @mask will be controlled by apparmor.
+ */
+struct aa_rlimit {
+        unsigned int mask;
+        struct rlimit limits[RLIM_NLIMITS];
+};
+int aa_map_resource(int resource);
+int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+                      struct rlimit *new_rlim);
+void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new);
+static inline void aa_free_rlimit_rules(struct aa_rlimit *rlims)
+{
+        /* NOP */
+}
+#endif /* __AA_RESOURCE_H */
diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
new file mode 100644
index 000000000000..9013a78a1663
--- /dev/null
+++ b/security/apparmor/ipc.c
@@ -0,0 +1,114 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor ipc mediation
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/gfp.h>
+#include <linux/ptrace.h>
+#include "include/audit.h"
+#include "include/capability.h"
+#include "include/context.h"
+#include "include/policy.h"
+/* call back to audit ptrace fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+        struct common_audit_data *sa = va;
+        audit_log_format(ab, " target=");
+        audit_log_untrustedstring(ab, sa->aad.target);
+}
+/**
+ * aa_audit_ptrace - do auditing for ptrace
+ * @profile: profile being enforced  (NOT NULL)
+ * @target: profile being traced (NOT NULL)
+ * @error: error condition
+ *
+ * Returns: %0 or error code
+ */
+static int aa_audit_ptrace(struct aa_profile *profile,
+                           struct aa_profile *target, int error)
+{
+        struct common_audit_data sa;
+        COMMON_AUDIT_DATA_INIT(&sa, NONE);
+        sa.aad.op = OP_PTRACE;
+        sa.aad.target = target;
+        sa.aad.error = error;
+        return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa,
+                        audit_cb);
+}
+/**
+ * aa_may_ptrace - test if tracer task can trace the tracee
+ * @tracer_task: task who will do the tracing  (NOT NULL)
+ * @tracer: profile of the task doing the tracing  (NOT NULL)
+ * @tracee: task to be traced
+ * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
+ *
+ * Returns: %0 else error code if permission denied or error
+ */
+int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
+                  struct aa_profile *tracee, unsigned int mode)
+{
+        /* TODO: currently only based on capability, not extended ptrace
+         *       rules,
+         *       Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH
+         */
+        if (unconfined(tracer) || tracer == tracee)
+                return 0;
+        /* log this capability request */
+        return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
+}
+/**
+ * aa_ptrace - do ptrace permission check and auditing
+ * @tracer: task doing the tracing (NOT NULL)
+ * @tracee: task being traced (NOT NULL)
+ * @mode: ptrace mode either PTRACE_MODE_READ || PTRACE_MODE_ATTACH
+ *
+ * Returns: %0 else error code if permission denied or error
+ */
+int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
+              unsigned int mode)
+{
+        /*
+         * tracer can ptrace tracee when
+         * - tracer is unconfined ||
+         *   - tracer is in complain mode
+         *   - tracer has rules allowing it to trace tracee currently this is:
+         *       - confined by the same profile ||
+         *       - tracer profile has CAP_SYS_PTRACE
+         */
+        struct aa_profile *tracer_p;
+        /* cred released below */
+        const struct cred *cred = get_task_cred(tracer);
+        int error = 0;
+        tracer_p = aa_cred_profile(cred);
+        if (!unconfined(tracer_p)) {
+                /* lcred released below */
+                struct cred *lcred = get_task_cred(tracee);
+                struct aa_profile *tracee_p = aa_cred_profile(lcred);
+                error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
+                error = aa_audit_ptrace(tracer_p, tracee_p, error);
+                put_cred(lcred);
+        }
+        put_cred(cred);
+        return error;
+}
diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
new file mode 100644
index 000000000000..4a368f1fd36d
--- /dev/null
+++ b/security/apparmor/resource.c
@@ -0,0 +1,134 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor resource mediation and attachment
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/audit.h>
+#include "include/audit.h"
+#include "include/resource.h"
+#include "include/policy.h"
+/*
+ * Table of rlimit names: we generate it from resource.h.
+ */
+#include "rlim_names.h"
+/* audit callback for resource specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+        struct common_audit_data *sa = va;
+        audit_log_format(ab, " rlimit=%s value=%lu",
+                         rlim_names[sa->aad.rlim.rlim], sa->aad.rlim.max);
+}
+/**
+ * audit_resource - audit setting resource limit
+ * @profile: profile being enforced  (NOT NULL)
+ * @resoure: rlimit being auditing
+ * @value: value being set
+ * @error: error value
+ *
+ * Returns: 0 or sa->error else other error code on failure
+ */
+static int audit_resource(struct aa_profile *profile, unsigned int resource,
+                          unsigned long value, int error)
+{
+        struct common_audit_data sa;
+        COMMON_AUDIT_DATA_INIT(&sa, NONE);
+        sa.aad.op = OP_SETRLIMIT,
+        sa.aad.rlim.rlim = resource;
+        sa.aad.rlim.max = value;
+        sa.aad.error = error;
+        return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_KERNEL, &sa,
+                        audit_cb);
+}
+/**
+ * aa_map_resouce - map compiled policy resource to internal #
+ * @resource: flattened policy resource number
+ *
+ * Returns: resource # for the current architecture.
+ *
+ * rlimit resource can vary based on architecture, map the compiled policy
+ * resource # to the internal representation for the architecture.
+ */
+int aa_map_resource(int resource)
+{
+        return rlim_map[resource];
+}
+/**
+ * aa_task_setrlimit - test permission to set an rlimit
+ * @profile - profile confining the task  (NOT NULL)
+ * @resource - the resource being set
+ * @new_rlim - the new resource limit  (NOT NULL)
+ *
+ * Control raising the processes hard limit.
+ *
+ * Returns: 0 or error code if setting resource failed
+ */
+int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
+                      struct rlimit *new_rlim)
+{
+        int error = 0;
+        if (profile->rlimits.mask & (1 << resource) &&
+            new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
+                error = audit_resource(profile, resource, new_rlim->rlim_max,
+                        -EACCES);
+        return error;
+}
+/**
+ * __aa_transition_rlimits - apply new profile rlimits
+ * @old: old profile on task  (NOT NULL)
+ * @new: new profile with rlimits to apply  (NOT NULL)
+ */
+void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new)
+{
+        unsigned int mask = 0;
+        struct rlimit *rlim, *initrlim;
+        int i;
+        /* for any rlimits the profile controlled reset the soft limit
+         * to the less of the tasks hard limit and the init tasks soft limit
+         */
+        if (old->rlimits.mask) {
+                for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
+                        if (old->rlimits.mask & mask) {
+                                rlim = current->signal->rlim + i;
+                                initrlim = init_task.signal->rlim + i;
+                                rlim->rlim_cur = min(rlim->rlim_max,
+                                                     initrlim->rlim_cur);
+                        }
+                }
+        }
+        /* set any new hard limits as dictated by the new profile */
+        if (!new->rlimits.mask)
+                return;
+        for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
+                if (!(new->rlimits.mask & mask))
+                        continue;
+                rlim = current->signal->rlim + i;
+                rlim->rlim_max = min(rlim->rlim_max,
+                                     new->rlimits.limits[i].rlim_max);
+                /* soft limit should not exceed hard limit */
+                rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
+        }
+}

diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c new file mode 100644 index 000000000000..9982c48def4e --- /dev/null +++ b/security/apparmor/capability.c
@@ -0,0 +1,141 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor capability mediation functions
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/capability.h>
	16	#include <linux/errno.h>
	17	#include <linux/gfp.h>
	18
	19	#include "include/apparmor.h"
	20	#include "include/capability.h"
	21	#include "include/context.h"
	22	#include "include/policy.h"
	23	#include "include/audit.h"
	24
	25	/*
	26	* Table of capability names: we generate it from capabilities.h.
	27	*/
	28	#include "capability_names.h"
	29
	30	struct audit_cache {
	31	struct aa_profile *profile;
	32	kernel_cap_t caps;
	33	};
	34
	35	static DEFINE_PER_CPU(struct audit_cache, audit_cache);
	36
	37	/**
	38	* audit_cb - call back for capability components of audit struct
	39	* @ab - audit buffer (NOT NULL)
	40	* @va - audit struct to audit data from (NOT NULL)
	41	*/
	42	static void audit_cb(struct audit_buffer ab, void va)
	43	{
	44	struct common_audit_data *sa = va;
	45	audit_log_format(ab, " capname=");
	46	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
	47	}
	48
	49	/**
	50	* audit_caps - audit a capability
	51	* @profile: profile confining task (NOT NULL)
	52	* @task: task capability test was performed against (NOT NULL)
	53	* @cap: capability tested
	54	* @error: error code returned by test
	55	*
	56	* Do auditing of capability and handle, audit/complain/kill modes switching
	57	* and duplicate message elimination.
	58	*
	59	* Returns: 0 or sa->error on success, error code on failure
	60	*/
	61	static int audit_caps(struct aa_profile profile, struct task_struct task,
	62	int cap, int error)
	63	{
	64	struct audit_cache *ent;
	65	int type = AUDIT_APPARMOR_AUTO;
	66	struct common_audit_data sa;
	67	COMMON_AUDIT_DATA_INIT(&sa, CAP);
	68	sa.tsk = task;
	69	sa.u.cap = cap;
	70	sa.aad.op = OP_CAPABLE;
	71	sa.aad.error = error;
	72
	73	if (likely(!error)) {
	74	/* test if auditing is being forced */
	75	if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
	76	!cap_raised(profile->caps.audit, cap)))
	77	return 0;
	78	type = AUDIT_APPARMOR_AUDIT;
	79	} else if (KILL_MODE(profile) \|\|
	80	cap_raised(profile->caps.kill, cap)) {
	81	type = AUDIT_APPARMOR_KILL;
	82	} else if (cap_raised(profile->caps.quiet, cap) &&
	83	AUDIT_MODE(profile) != AUDIT_NOQUIET &&
	84	AUDIT_MODE(profile) != AUDIT_ALL) {
	85	/* quiet auditing */
	86	return error;
	87	}
	88
	89	/* Do simple duplicate message elimination */
	90	ent = &get_cpu_var(audit_cache);
	91	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
	92	put_cpu_var(audit_cache);
	93	if (COMPLAIN_MODE(profile))
	94	return complain_error(error);
	95	return error;
	96	} else {
	97	aa_put_profile(ent->profile);
	98	ent->profile = aa_get_profile(profile);
	99	cap_raise(ent->caps, cap);
	100	}
	101	put_cpu_var(audit_cache);
	102
	103	return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
	104	}
	105
	106	/**
	107	* profile_capable - test if profile allows use of capability @cap
	108	* @profile: profile being enforced (NOT NULL, NOT unconfined)
	109	* @cap: capability to test if allowed
	110	*
	111	* Returns: 0 if allowed else -EPERM
	112	*/
	113	static int profile_capable(struct aa_profile *profile, int cap)
	114	{
	115	return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;
	116	}
	117
	118	/**
	119	* aa_capable - test permission to use capability
	120	* @task: task doing capability test against (NOT NULL)
	121	* @profile: profile confining @task (NOT NULL)
	122	* @cap: capability to be tested
	123	* @audit: whether an audit record should be generated
	124	*
	125	* Look up capability in profile capability set.
	126	*
	127	* Returns: 0 on success, or else an error code.
	128	*/
	129	int aa_capable(struct task_struct task, struct aa_profile profile, int cap,
	130	int audit)
	131	{
	132	int error = profile_capable(profile, cap);
	133
	134	if (!audit) {
	135	if (COMPLAIN_MODE(profile))
	136	return complain_error(error);
	137	return error;
	138	}
	139
	140	return audit_caps(profile, task, cap, error);
	141	}


diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h new file mode 100644 index 000000000000..c24d2959ea02 --- /dev/null +++ b/security/apparmor/include/capability.h
@@ -0,0 +1,45 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor capability mediation definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_CAPABILITY_H
	16	#define __AA_CAPABILITY_H
	17
	18	#include <linux/sched.h>
	19
	20	struct aa_profile;
	21
	22	/* aa_caps - confinement data for capabilities
	23	* @allowed: capabilities mask
	24	* @audit: caps that are to be audited
	25	* @quiet: caps that should not be audited
	26	* @kill: caps that when requested will result in the task being killed
	27	* @extended: caps that are subject finer grained mediation
	28	*/
	29	struct aa_caps {
	30	kernel_cap_t allow;
	31	kernel_cap_t audit;
	32	kernel_cap_t quiet;
	33	kernel_cap_t kill;
	34	kernel_cap_t extended;
	35	};
	36
	37	int aa_capable(struct task_struct task, struct aa_profile profile, int cap,
	38	int audit);
	39
	40	static inline void aa_free_cap_rules(struct aa_caps *caps)
	41	{
	42	/* NOP */
	43	}
	44
	45	#endif /* __AA_CAPBILITY_H */


diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h new file mode 100644 index 000000000000..aeda0fbc8b2f --- /dev/null +++ b/security/apparmor/include/ipc.h
@@ -0,0 +1,28 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor ipc mediation function definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_IPC_H
	16	#define __AA_IPC_H
	17
	18	#include <linux/sched.h>
	19
	20	struct aa_profile;
	21
	22	int aa_may_ptrace(struct task_struct tracer_task, struct aa_profile tracer,
	23	struct aa_profile *tracee, unsigned int mode);
	24
	25	int aa_ptrace(struct task_struct tracer, struct task_struct tracee,
	26	unsigned int mode);
	27
	28	#endif /* __AA_IPC_H */


diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h new file mode 100644 index 000000000000..3c88be946494 --- /dev/null +++ b/security/apparmor/include/resource.h
@@ -0,0 +1,46 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor resource limits function definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_RESOURCE_H
	16	#define __AA_RESOURCE_H
	17
	18	#include <linux/resource.h>
	19	#include <linux/sched.h>
	20
	21	struct aa_profile;
	22
	23	/* struct aa_rlimit - rlimit settings for the profile
	24	* @mask: which hard limits to set
	25	* @limits: rlimit values that override task limits
	26	*
	27	* AppArmor rlimits are used to set confined task rlimits. Only the
	28	* limits specified in @mask will be controlled by apparmor.
	29	*/
	30	struct aa_rlimit {
	31	unsigned int mask;
	32	struct rlimit limits[RLIM_NLIMITS];
	33	};
	34
	35	int aa_map_resource(int resource);
	36	int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
	37	struct rlimit *new_rlim);
	38
	39	void __aa_transition_rlimits(struct aa_profile old, struct aa_profile new);
	40
	41	static inline void aa_free_rlimit_rules(struct aa_rlimit *rlims)
	42	{
	43	/* NOP */
	44	}
	45
	46	#endif /* __AA_RESOURCE_H */


diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c new file mode 100644 index 000000000000..9013a78a1663 --- /dev/null +++ b/security/apparmor/ipc.c
@@ -0,0 +1,114 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor ipc mediation
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/gfp.h>
	16	#include <linux/ptrace.h>
	17
	18	#include "include/audit.h"
	19	#include "include/capability.h"
	20	#include "include/context.h"
	21	#include "include/policy.h"
	22
	23	/* call back to audit ptrace fields */
	24	static void audit_cb(struct audit_buffer ab, void va)
	25	{
	26	struct common_audit_data *sa = va;
	27	audit_log_format(ab, " target=");
	28	audit_log_untrustedstring(ab, sa->aad.target);
	29	}
	30
	31	/**
	32	* aa_audit_ptrace - do auditing for ptrace
	33	* @profile: profile being enforced (NOT NULL)
	34	* @target: profile being traced (NOT NULL)
	35	* @error: error condition
	36	*
	37	* Returns: %0 or error code
	38	*/
	39	static int aa_audit_ptrace(struct aa_profile *profile,
	40	struct aa_profile *target, int error)
	41	{
	42	struct common_audit_data sa;
	43	COMMON_AUDIT_DATA_INIT(&sa, NONE);
	44	sa.aad.op = OP_PTRACE;
	45	sa.aad.target = target;
	46	sa.aad.error = error;
	47
	48	return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa,
	49	audit_cb);
	50	}
	51
	52	/**
	53	* aa_may_ptrace - test if tracer task can trace the tracee
	54	* @tracer_task: task who will do the tracing (NOT NULL)
	55	* @tracer: profile of the task doing the tracing (NOT NULL)
	56	* @tracee: task to be traced
	57	* @mode: whether PTRACE_MODE_READ \|\| PTRACE_MODE_ATTACH
	58	*
	59	* Returns: %0 else error code if permission denied or error
	60	*/
	61	int aa_may_ptrace(struct task_struct tracer_task, struct aa_profile tracer,
	62	struct aa_profile *tracee, unsigned int mode)
	63	{
	64	/* TODO: currently only based on capability, not extended ptrace
	65	* rules,
	66	* Test mode for PTRACE_MODE_READ \|\| PTRACE_MODE_ATTACH
	67	*/
	68
	69	if (unconfined(tracer) \|\| tracer == tracee)
	70	return 0;
	71	/* log this capability request */
	72	return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
	73	}
	74
	75	/**
	76	* aa_ptrace - do ptrace permission check and auditing
	77	* @tracer: task doing the tracing (NOT NULL)
	78	* @tracee: task being traced (NOT NULL)
	79	* @mode: ptrace mode either PTRACE_MODE_READ \|\| PTRACE_MODE_ATTACH
	80	*
	81	* Returns: %0 else error code if permission denied or error
	82	*/
	83	int aa_ptrace(struct task_struct tracer, struct task_struct tracee,
	84	unsigned int mode)
	85	{
	86	/*
	87	* tracer can ptrace tracee when
	88	* - tracer is unconfined \|\|
	89	* - tracer is in complain mode
	90	* - tracer has rules allowing it to trace tracee currently this is:
	91	* - confined by the same profile \|\|
	92	* - tracer profile has CAP_SYS_PTRACE
	93	*/
	94
	95	struct aa_profile *tracer_p;
	96	/* cred released below */
	97	const struct cred *cred = get_task_cred(tracer);
	98	int error = 0;
	99	tracer_p = aa_cred_profile(cred);
	100
	101	if (!unconfined(tracer_p)) {
	102	/* lcred released below */
	103	struct cred *lcred = get_task_cred(tracee);
	104	struct aa_profile *tracee_p = aa_cred_profile(lcred);
	105
	106	error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
	107	error = aa_audit_ptrace(tracer_p, tracee_p, error);
	108
	109	put_cred(lcred);
	110	}
	111	put_cred(cred);
	112
	113	return error;
	114	}


diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c new file mode 100644 index 000000000000..4a368f1fd36d --- /dev/null +++ b/security/apparmor/resource.c
@@ -0,0 +1,134 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor resource mediation and attachment
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/audit.h>
	16
	17	#include "include/audit.h"
	18	#include "include/resource.h"
	19	#include "include/policy.h"
	20
	21	/*
	22	* Table of rlimit names: we generate it from resource.h.
	23	*/
	24	#include "rlim_names.h"
	25
	26	/* audit callback for resource specific fields */
	27	static void audit_cb(struct audit_buffer ab, void va)
	28	{
	29	struct common_audit_data *sa = va;
	30
	31	audit_log_format(ab, " rlimit=%s value=%lu",
	32	rlim_names[sa->aad.rlim.rlim], sa->aad.rlim.max);
	33	}
	34
	35	/**
	36	* audit_resource - audit setting resource limit
	37	* @profile: profile being enforced (NOT NULL)
	38	* @resoure: rlimit being auditing
	39	* @value: value being set
	40	* @error: error value
	41	*
	42	* Returns: 0 or sa->error else other error code on failure
	43	*/
	44	static int audit_resource(struct aa_profile *profile, unsigned int resource,
	45	unsigned long value, int error)
	46	{
	47	struct common_audit_data sa;
	48
	49	COMMON_AUDIT_DATA_INIT(&sa, NONE);
	50	sa.aad.op = OP_SETRLIMIT,
	51	sa.aad.rlim.rlim = resource;
	52	sa.aad.rlim.max = value;
	53	sa.aad.error = error;
	54	return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_KERNEL, &sa,
	55	audit_cb);
	56	}
	57
	58	/**
	59	* aa_map_resouce - map compiled policy resource to internal #
	60	* @resource: flattened policy resource number
	61	*
	62	* Returns: resource # for the current architecture.
	63	*
	64	* rlimit resource can vary based on architecture, map the compiled policy
	65	* resource # to the internal representation for the architecture.
	66	*/
	67	int aa_map_resource(int resource)
	68	{
	69	return rlim_map[resource];
	70	}
	71
	72	/**
	73	* aa_task_setrlimit - test permission to set an rlimit
	74	* @profile - profile confining the task (NOT NULL)
	75	* @resource - the resource being set
	76	* @new_rlim - the new resource limit (NOT NULL)
	77	*
	78	* Control raising the processes hard limit.
	79	*
	80	* Returns: 0 or error code if setting resource failed
	81	*/
	82	int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
	83	struct rlimit *new_rlim)
	84	{
	85	int error = 0;
	86
	87	if (profile->rlimits.mask & (1 << resource) &&
	88	new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
	89
	90	error = audit_resource(profile, resource, new_rlim->rlim_max,
	91	-EACCES);
	92
	93	return error;
	94	}
	95
	96	/**
	97	* __aa_transition_rlimits - apply new profile rlimits
	98	* @old: old profile on task (NOT NULL)
	99	* @new: new profile with rlimits to apply (NOT NULL)
	100	*/
	101	void __aa_transition_rlimits(struct aa_profile old, struct aa_profile new)
	102	{
	103	unsigned int mask = 0;
	104	struct rlimit rlim, initrlim;
	105	int i;
	106
	107	/* for any rlimits the profile controlled reset the soft limit
	108	* to the less of the tasks hard limit and the init tasks soft limit
	109	*/
	110	if (old->rlimits.mask) {
	111	for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
	112	if (old->rlimits.mask & mask) {
	113	rlim = current->signal->rlim + i;
	114	initrlim = init_task.signal->rlim + i;
	115	rlim->rlim_cur = min(rlim->rlim_max,
	116	initrlim->rlim_cur);
	117	}
	118	}
	119	}
	120
	121	/* set any new hard limits as dictated by the new profile */
	122	if (!new->rlimits.mask)
	123	return;
	124	for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
	125	if (!(new->rlimits.mask & mask))
	126	continue;
	127
	128	rlim = current->signal->rlim + i;
	129	rlim->rlim_max = min(rlim->rlim_max,
	130	new->rlimits.limits[i].rlim_max);
	131	/* soft limit should not exceed hard limit */
	132	rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
	133	}
	134	}