diff options
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/include/apparmor.h | 92 | ||||
-rw-r--r-- | security/apparmor/include/path.h | 31 | ||||
-rw-r--r-- | security/apparmor/lib.c | 133 | ||||
-rw-r--r-- | security/apparmor/path.c | 235 |
4 files changed, 491 insertions, 0 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h new file mode 100644 index 000000000000..38ccaea08204 --- /dev/null +++ b/security/apparmor/include/apparmor.h | |||
@@ -0,0 +1,92 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor basic global and lib definitions | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #ifndef __APPARMOR_H | ||
16 | #define __APPARMOR_H | ||
17 | |||
18 | #include <linux/fs.h> | ||
19 | |||
20 | #include "match.h" | ||
21 | |||
22 | /* Control parameters settable through module/boot flags */ | ||
23 | extern enum audit_mode aa_g_audit; | ||
24 | extern int aa_g_audit_header; | ||
25 | extern int aa_g_debug; | ||
26 | extern int aa_g_lock_policy; | ||
27 | extern int aa_g_logsyscall; | ||
28 | extern int aa_g_paranoid_load; | ||
29 | extern unsigned int aa_g_path_max; | ||
30 | |||
31 | /* | ||
32 | * DEBUG remains global (no per profile flag) since it is mostly used in sysctl | ||
33 | * which is not related to profile accesses. | ||
34 | */ | ||
35 | |||
36 | #define AA_DEBUG(fmt, args...) \ | ||
37 | do { \ | ||
38 | if (aa_g_debug && printk_ratelimit()) \ | ||
39 | printk(KERN_DEBUG "AppArmor: " fmt, ##args); \ | ||
40 | } while (0) | ||
41 | |||
42 | #define AA_ERROR(fmt, args...) \ | ||
43 | do { \ | ||
44 | if (printk_ratelimit()) \ | ||
45 | printk(KERN_ERR "AppArmor: " fmt, ##args); \ | ||
46 | } while (0) | ||
47 | |||
48 | /* Flag indicating whether initialization completed */ | ||
49 | extern int apparmor_initialized __initdata; | ||
50 | |||
51 | /* fn's in lib */ | ||
52 | char *aa_split_fqname(char *args, char **ns_name); | ||
53 | void aa_info_message(const char *str); | ||
54 | void *kvmalloc(size_t size); | ||
55 | void kvfree(void *buffer); | ||
56 | |||
57 | |||
58 | /** | ||
59 | * aa_strneq - compare null terminated @str to a non null terminated substring | ||
60 | * @str: a null terminated string | ||
61 | * @sub: a substring, not necessarily null terminated | ||
62 | * @len: length of @sub to compare | ||
63 | * | ||
64 | * The @str string must be full consumed for this to be considered a match | ||
65 | */ | ||
66 | static inline bool aa_strneq(const char *str, const char *sub, int len) | ||
67 | { | ||
68 | return !strncmp(str, sub, len) && !str[len]; | ||
69 | } | ||
70 | |||
71 | /** | ||
72 | * aa_dfa_null_transition - step to next state after null character | ||
73 | * @dfa: the dfa to match against | ||
74 | * @start: the state of the dfa to start matching in | ||
75 | * | ||
76 | * aa_dfa_null_transition transitions to the next state after a null | ||
77 | * character which is not used in standard matching and is only | ||
78 | * used to separate pairs. | ||
79 | */ | ||
80 | static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa, | ||
81 | unsigned int start) | ||
82 | { | ||
83 | /* the null transition only needs the string's null terminator byte */ | ||
84 | return aa_dfa_match_len(dfa, start, "", 1); | ||
85 | } | ||
86 | |||
87 | static inline bool mediated_filesystem(struct inode *inode) | ||
88 | { | ||
89 | return !(inode->i_sb->s_flags & MS_NOUSER); | ||
90 | } | ||
91 | |||
92 | #endif /* __APPARMOR_H */ | ||
diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h new file mode 100644 index 000000000000..27b327a7fae5 --- /dev/null +++ b/security/apparmor/include/path.h | |||
@@ -0,0 +1,31 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor basic path manipulation function definitions. | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #ifndef __AA_PATH_H | ||
16 | #define __AA_PATH_H | ||
17 | |||
18 | |||
19 | enum path_flags { | ||
20 | PATH_IS_DIR = 0x1, /* path is a directory */ | ||
21 | PATH_CONNECT_PATH = 0x4, /* connect disconnected paths to / */ | ||
22 | PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */ | ||
23 | PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */ | ||
24 | |||
25 | PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */ | ||
26 | PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */ | ||
27 | }; | ||
28 | |||
29 | int aa_get_name(struct path *path, int flags, char **buffer, const char **name); | ||
30 | |||
31 | #endif /* __AA_PATH_H */ | ||
diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c new file mode 100644 index 000000000000..6e85cdb4303f --- /dev/null +++ b/security/apparmor/lib.c | |||
@@ -0,0 +1,133 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains basic common functions used in AppArmor | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #include <linux/slab.h> | ||
16 | #include <linux/string.h> | ||
17 | #include <linux/vmalloc.h> | ||
18 | |||
19 | #include "include/audit.h" | ||
20 | |||
21 | |||
22 | /** | ||
23 | * aa_split_fqname - split a fqname into a profile and namespace name | ||
24 | * @fqname: a full qualified name in namespace profile format (NOT NULL) | ||
25 | * @ns_name: pointer to portion of the string containing the ns name (NOT NULL) | ||
26 | * | ||
27 | * Returns: profile name or NULL if one is not specified | ||
28 | * | ||
29 | * Split a namespace name from a profile name (see policy.c for naming | ||
30 | * description). If a portion of the name is missing it returns NULL for | ||
31 | * that portion. | ||
32 | * | ||
33 | * NOTE: may modify the @fqname string. The pointers returned point | ||
34 | * into the @fqname string. | ||
35 | */ | ||
36 | char *aa_split_fqname(char *fqname, char **ns_name) | ||
37 | { | ||
38 | char *name = strim(fqname); | ||
39 | |||
40 | *ns_name = NULL; | ||
41 | if (name[0] == ':') { | ||
42 | char *split = strchr(&name[1], ':'); | ||
43 | if (split) { | ||
44 | /* overwrite ':' with \0 */ | ||
45 | *split = 0; | ||
46 | name = skip_spaces(split + 1); | ||
47 | } else | ||
48 | /* a ns name without a following profile is allowed */ | ||
49 | name = NULL; | ||
50 | *ns_name = &name[1]; | ||
51 | } | ||
52 | if (name && *name == 0) | ||
53 | name = NULL; | ||
54 | |||
55 | return name; | ||
56 | } | ||
57 | |||
58 | /** | ||
59 | * aa_info_message - log a none profile related status message | ||
60 | * @str: message to log | ||
61 | */ | ||
62 | void aa_info_message(const char *str) | ||
63 | { | ||
64 | if (audit_enabled) { | ||
65 | struct common_audit_data sa; | ||
66 | COMMON_AUDIT_DATA_INIT(&sa, NONE); | ||
67 | sa.aad.info = str; | ||
68 | aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL); | ||
69 | } | ||
70 | printk(KERN_INFO "AppArmor: %s\n", str); | ||
71 | } | ||
72 | |||
73 | /** | ||
74 | * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc | ||
75 | * @size: size of allocation | ||
76 | * | ||
77 | * Return: allocated buffer or NULL if failed | ||
78 | * | ||
79 | * It is possible that policy being loaded from the user is larger than | ||
80 | * what can be allocated by kmalloc, in those cases fall back to vmalloc. | ||
81 | */ | ||
82 | void *kvmalloc(size_t size) | ||
83 | { | ||
84 | void *buffer = NULL; | ||
85 | |||
86 | if (size == 0) | ||
87 | return NULL; | ||
88 | |||
89 | /* do not attempt kmalloc if we need more than 16 pages at once */ | ||
90 | if (size <= (16*PAGE_SIZE)) | ||
91 | buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN); | ||
92 | if (!buffer) { | ||
93 | /* see kvfree for why size must be at least work_struct size | ||
94 | * when allocated via vmalloc | ||
95 | */ | ||
96 | if (size < sizeof(struct work_struct)) | ||
97 | size = sizeof(struct work_struct); | ||
98 | buffer = vmalloc(size); | ||
99 | } | ||
100 | return buffer; | ||
101 | } | ||
102 | |||
103 | /** | ||
104 | * do_vfree - workqueue routine for freeing vmalloced memory | ||
105 | * @work: data to be freed | ||
106 | * | ||
107 | * The work_struct is overlaid to the data being freed, as at the point | ||
108 | * the work is scheduled the data is no longer valid, be its freeing | ||
109 | * needs to be delayed until safe. | ||
110 | */ | ||
111 | static void do_vfree(struct work_struct *work) | ||
112 | { | ||
113 | vfree(work); | ||
114 | } | ||
115 | |||
116 | /** | ||
117 | * kvfree - free an allocation do by kvmalloc | ||
118 | * @buffer: buffer to free (MAYBE_NULL) | ||
119 | * | ||
120 | * Free a buffer allocated by kvmalloc | ||
121 | */ | ||
122 | void kvfree(void *buffer) | ||
123 | { | ||
124 | if (is_vmalloc_addr(buffer)) { | ||
125 | /* Data is no longer valid so just use the allocated space | ||
126 | * as the work_struct | ||
127 | */ | ||
128 | struct work_struct *work = (struct work_struct *) buffer; | ||
129 | INIT_WORK(work, do_vfree); | ||
130 | schedule_work(work); | ||
131 | } else | ||
132 | kfree(buffer); | ||
133 | } | ||
diff --git a/security/apparmor/path.c b/security/apparmor/path.c new file mode 100644 index 000000000000..96bab9469d48 --- /dev/null +++ b/security/apparmor/path.c | |||
@@ -0,0 +1,235 @@ | |||
1 | /* | ||
2 | * AppArmor security module | ||
3 | * | ||
4 | * This file contains AppArmor function for pathnames | ||
5 | * | ||
6 | * Copyright (C) 1998-2008 Novell/SUSE | ||
7 | * Copyright 2009-2010 Canonical Ltd. | ||
8 | * | ||
9 | * This program is free software; you can redistribute it and/or | ||
10 | * modify it under the terms of the GNU General Public License as | ||
11 | * published by the Free Software Foundation, version 2 of the | ||
12 | * License. | ||
13 | */ | ||
14 | |||
15 | #include <linux/magic.h> | ||
16 | #include <linux/mnt_namespace.h> | ||
17 | #include <linux/mount.h> | ||
18 | #include <linux/namei.h> | ||
19 | #include <linux/nsproxy.h> | ||
20 | #include <linux/path.h> | ||
21 | #include <linux/sched.h> | ||
22 | #include <linux/slab.h> | ||
23 | #include <linux/fs_struct.h> | ||
24 | |||
25 | #include "include/apparmor.h" | ||
26 | #include "include/path.h" | ||
27 | #include "include/policy.h" | ||
28 | |||
29 | |||
30 | /* modified from dcache.c */ | ||
31 | static int prepend(char **buffer, int buflen, const char *str, int namelen) | ||
32 | { | ||
33 | buflen -= namelen; | ||
34 | if (buflen < 0) | ||
35 | return -ENAMETOOLONG; | ||
36 | *buffer -= namelen; | ||
37 | memcpy(*buffer, str, namelen); | ||
38 | return 0; | ||
39 | } | ||
40 | |||
41 | #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT) | ||
42 | |||
43 | /** | ||
44 | * d_namespace_path - lookup a name associated with a given path | ||
45 | * @path: path to lookup (NOT NULL) | ||
46 | * @buf: buffer to store path to (NOT NULL) | ||
47 | * @buflen: length of @buf | ||
48 | * @name: Returns - pointer for start of path name with in @buf (NOT NULL) | ||
49 | * @flags: flags controlling path lookup | ||
50 | * | ||
51 | * Handle path name lookup. | ||
52 | * | ||
53 | * Returns: %0 else error code if path lookup fails | ||
54 | * When no error the path name is returned in @name which points to | ||
55 | * to a position in @buf | ||
56 | */ | ||
57 | static int d_namespace_path(struct path *path, char *buf, int buflen, | ||
58 | char **name, int flags) | ||
59 | { | ||
60 | struct path root, tmp; | ||
61 | char *res; | ||
62 | int deleted, connected; | ||
63 | int error = 0; | ||
64 | |||
65 | /* Get the root we want to resolve too */ | ||
66 | if (flags & PATH_CHROOT_REL) { | ||
67 | /* resolve paths relative to chroot */ | ||
68 | read_lock(¤t->fs->lock); | ||
69 | root = current->fs->root; | ||
70 | /* released below */ | ||
71 | path_get(&root); | ||
72 | read_unlock(¤t->fs->lock); | ||
73 | } else { | ||
74 | /* resolve paths relative to namespace */ | ||
75 | root.mnt = current->nsproxy->mnt_ns->root; | ||
76 | root.dentry = root.mnt->mnt_root; | ||
77 | /* released below */ | ||
78 | path_get(&root); | ||
79 | } | ||
80 | |||
81 | spin_lock(&dcache_lock); | ||
82 | /* There is a race window between path lookup here and the | ||
83 | * need to strip the " (deleted) string that __d_path applies | ||
84 | * Detect the race and relookup the path | ||
85 | * | ||
86 | * The stripping of (deleted) is a hack that could be removed | ||
87 | * with an updated __d_path | ||
88 | */ | ||
89 | do { | ||
90 | tmp = root; | ||
91 | deleted = d_unlinked(path->dentry); | ||
92 | res = __d_path(path, &tmp, buf, buflen); | ||
93 | |||
94 | } while (deleted != d_unlinked(path->dentry)); | ||
95 | spin_unlock(&dcache_lock); | ||
96 | |||
97 | *name = res; | ||
98 | /* handle error conditions - and still allow a partial path to | ||
99 | * be returned. | ||
100 | */ | ||
101 | if (IS_ERR(res)) { | ||
102 | error = PTR_ERR(res); | ||
103 | *name = buf; | ||
104 | goto out; | ||
105 | } | ||
106 | if (deleted) { | ||
107 | /* On some filesystems, newly allocated dentries appear to the | ||
108 | * security_path hooks as a deleted dentry except without an | ||
109 | * inode allocated. | ||
110 | * | ||
111 | * Remove the appended deleted text and return as string for | ||
112 | * normal mediation, or auditing. The (deleted) string is | ||
113 | * guaranteed to be added in this case, so just strip it. | ||
114 | */ | ||
115 | buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */ | ||
116 | |||
117 | if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) { | ||
118 | error = -ENOENT; | ||
119 | goto out; | ||
120 | } | ||
121 | } | ||
122 | |||
123 | /* Determine if the path is connected to the expected root */ | ||
124 | connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt; | ||
125 | |||
126 | /* If the path is not connected, | ||
127 | * check if it is a sysctl and handle specially else remove any | ||
128 | * leading / that __d_path may have returned. | ||
129 | * Unless | ||
130 | * specifically directed to connect the path, | ||
131 | * OR | ||
132 | * if in a chroot and doing chroot relative paths and the path | ||
133 | * resolves to the namespace root (would be connected outside | ||
134 | * of chroot) and specifically directed to connect paths to | ||
135 | * namespace root. | ||
136 | */ | ||
137 | if (!connected) { | ||
138 | /* is the disconnect path a sysctl? */ | ||
139 | if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC && | ||
140 | strncmp(*name, "/sys/", 5) == 0) { | ||
141 | /* TODO: convert over to using a per namespace | ||
142 | * control instead of hard coded /proc | ||
143 | */ | ||
144 | error = prepend(name, *name - buf, "/proc", 5); | ||
145 | } else if (!(flags & PATH_CONNECT_PATH) && | ||
146 | !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && | ||
147 | (tmp.mnt == current->nsproxy->mnt_ns->root && | ||
148 | tmp.dentry == tmp.mnt->mnt_root))) { | ||
149 | /* disconnected path, don't return pathname starting | ||
150 | * with '/' | ||
151 | */ | ||
152 | error = -ESTALE; | ||
153 | if (*res == '/') | ||
154 | *name = res + 1; | ||
155 | } | ||
156 | } | ||
157 | |||
158 | out: | ||
159 | path_put(&root); | ||
160 | |||
161 | return error; | ||
162 | } | ||
163 | |||
164 | /** | ||
165 | * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended | ||
166 | * @path: path to get name for (NOT NULL) | ||
167 | * @flags: flags controlling path lookup | ||
168 | * @buffer: buffer to put name in (NOT NULL) | ||
169 | * @size: size of buffer | ||
170 | * @name: Returns - contains position of path name in @buffer (NOT NULL) | ||
171 | * | ||
172 | * Returns: %0 else error on failure | ||
173 | */ | ||
174 | static int get_name_to_buffer(struct path *path, int flags, char *buffer, | ||
175 | int size, char **name) | ||
176 | { | ||
177 | int adjust = (flags & PATH_IS_DIR) ? 1 : 0; | ||
178 | int error = d_namespace_path(path, buffer, size - adjust, name, flags); | ||
179 | |||
180 | if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0') | ||
181 | /* | ||
182 | * Append "/" to the pathname. The root directory is a special | ||
183 | * case; it already ends in slash. | ||
184 | */ | ||
185 | strcpy(&buffer[size - 2], "/"); | ||
186 | |||
187 | return error; | ||
188 | } | ||
189 | |||
190 | /** | ||
191 | * aa_get_name - compute the pathname of a file | ||
192 | * @path: path the file (NOT NULL) | ||
193 | * @flags: flags controlling path name generation | ||
194 | * @buffer: buffer that aa_get_name() allocated (NOT NULL) | ||
195 | * @name: Returns - the generated path name if !error (NOT NULL) | ||
196 | * | ||
197 | * @name is a pointer to the beginning of the pathname (which usually differs | ||
198 | * from the beginning of the buffer), or NULL. If there is an error @name | ||
199 | * may contain a partial or invalid name that can be used for audit purposes, | ||
200 | * but it can not be used for mediation. | ||
201 | * | ||
202 | * We need PATH_IS_DIR to indicate whether the file is a directory or not | ||
203 | * because the file may not yet exist, and so we cannot check the inode's | ||
204 | * file type. | ||
205 | * | ||
206 | * Returns: %0 else error code if could retrieve name | ||
207 | */ | ||
208 | int aa_get_name(struct path *path, int flags, char **buffer, const char **name) | ||
209 | { | ||
210 | char *buf, *str = NULL; | ||
211 | int size = 256; | ||
212 | int error; | ||
213 | |||
214 | *name = NULL; | ||
215 | *buffer = NULL; | ||
216 | for (;;) { | ||
217 | /* freed by caller */ | ||
218 | buf = kmalloc(size, GFP_KERNEL); | ||
219 | if (!buf) | ||
220 | return -ENOMEM; | ||
221 | |||
222 | error = get_name_to_buffer(path, flags, buf, size, &str); | ||
223 | if (error != -ENAMETOOLONG) | ||
224 | break; | ||
225 | |||
226 | kfree(buf); | ||
227 | size <<= 1; | ||
228 | if (size > aa_g_path_max) | ||
229 | return -ENAMETOOLONG; | ||
230 | } | ||
231 | *buffer = buf; | ||
232 | *name = str; | ||
233 | |||
234 | return error; | ||
235 | } | ||