security/apparmor/lsm.c at v4.12-rc5

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / security / apparmor / lsm.c
at v4.12-rc5 1021 lines 27 kB view raw
wrap content
   1/*
   2 * AppArmor security module
   3 *
   4 * This file contains AppArmor LSM hooks.
   5 *
   6 * Copyright (C) 1998-2008 Novell/SUSE
   7 * Copyright 2009-2010 Canonical Ltd.
   8 *
   9 * This program is free software; you can redistribute it and/or
  10 * modify it under the terms of the GNU General Public License as
  11 * published by the Free Software Foundation, version 2 of the
  12 * License.
  13 */
  14
  15#include <linux/lsm_hooks.h>
  16#include <linux/moduleparam.h>
  17#include <linux/mm.h>
  18#include <linux/mman.h>
  19#include <linux/mount.h>
  20#include <linux/namei.h>
  21#include <linux/ptrace.h>
  22#include <linux/ctype.h>
  23#include <linux/sysctl.h>
  24#include <linux/audit.h>
  25#include <linux/user_namespace.h>
  26#include <linux/kmemleak.h>
  27#include <net/sock.h>
  28
  29#include "include/apparmor.h"
  30#include "include/apparmorfs.h"
  31#include "include/audit.h"
  32#include "include/capability.h"
  33#include "include/context.h"
  34#include "include/file.h"
  35#include "include/ipc.h"
  36#include "include/path.h"
  37#include "include/policy.h"
  38#include "include/policy_ns.h"
  39#include "include/procattr.h"
  40
  41/* Flag indicating whether initialization completed */
  42int apparmor_initialized;
  43
  44DEFINE_PER_CPU(struct aa_buffers, aa_buffers);
  45
  46
  47/*
  48 * LSM hook functions
  49 */
  50
  51/*
  52 * free the associated aa_task_ctx and put its profiles
  53 */
  54static void apparmor_cred_free(struct cred *cred)
  55{
  56	aa_free_task_context(cred_ctx(cred));
  57	cred_ctx(cred) = NULL;
  58}
  59
  60/*
  61 * allocate the apparmor part of blank credentials
  62 */
  63static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  64{
  65	/* freed by apparmor_cred_free */
  66	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
  67
  68	if (!ctx)
  69		return -ENOMEM;
  70
  71	cred_ctx(cred) = ctx;
  72	return 0;
  73}
  74
  75/*
  76 * prepare new aa_task_ctx for modification by prepare_cred block
  77 */
  78static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
  79				 gfp_t gfp)
  80{
  81	/* freed by apparmor_cred_free */
  82	struct aa_task_ctx *ctx = aa_alloc_task_context(gfp);
  83
  84	if (!ctx)
  85		return -ENOMEM;
  86
  87	aa_dup_task_context(ctx, cred_ctx(old));
  88	cred_ctx(new) = ctx;
  89	return 0;
  90}
  91
  92/*
  93 * transfer the apparmor data to a blank set of creds
  94 */
  95static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
  96{
  97	const struct aa_task_ctx *old_ctx = cred_ctx(old);
  98	struct aa_task_ctx *new_ctx = cred_ctx(new);
  99
 100	aa_dup_task_context(new_ctx, old_ctx);
 101}
 102
 103static int apparmor_ptrace_access_check(struct task_struct *child,
 104					unsigned int mode)
 105{
 106	return aa_ptrace(current, child, mode);
 107}
 108
 109static int apparmor_ptrace_traceme(struct task_struct *parent)
 110{
 111	return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
 112}
 113
 114/* Derived from security/commoncap.c:cap_capget */
 115static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
 116			   kernel_cap_t *inheritable, kernel_cap_t *permitted)
 117{
 118	struct aa_profile *profile;
 119	const struct cred *cred;
 120
 121	rcu_read_lock();
 122	cred = __task_cred(target);
 123	profile = aa_cred_profile(cred);
 124
 125	/*
 126	 * cap_capget is stacked ahead of this and will
 127	 * initialize effective and permitted.
 128	 */
 129	if (!unconfined(profile) && !COMPLAIN_MODE(profile)) {
 130		*effective = cap_intersect(*effective, profile->caps.allow);
 131		*permitted = cap_intersect(*permitted, profile->caps.allow);
 132	}
 133	rcu_read_unlock();
 134
 135	return 0;
 136}
 137
 138static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
 139			    int cap, int audit)
 140{
 141	struct aa_profile *profile;
 142	int error = 0;
 143
 144	profile = aa_cred_profile(cred);
 145	if (!unconfined(profile))
 146		error = aa_capable(profile, cap, audit);
 147	return error;
 148}
 149
 150/**
 151 * common_perm - basic common permission check wrapper fn for paths
 152 * @op: operation being checked
 153 * @path: path to check permission of  (NOT NULL)
 154 * @mask: requested permissions mask
 155 * @cond: conditional info for the permission request  (NOT NULL)
 156 *
 157 * Returns: %0 else error code if error or permission denied
 158 */
 159static int common_perm(const char *op, const struct path *path, u32 mask,
 160		       struct path_cond *cond)
 161{
 162	struct aa_profile *profile;
 163	int error = 0;
 164
 165	profile = __aa_current_profile();
 166	if (!unconfined(profile))
 167		error = aa_path_perm(op, profile, path, 0, mask, cond);
 168
 169	return error;
 170}
 171
 172/**
 173 * common_perm_cond - common permission wrapper around inode cond
 174 * @op: operation being checked
 175 * @path: location to check (NOT NULL)
 176 * @mask: requested permissions mask
 177 *
 178 * Returns: %0 else error code if error or permission denied
 179 */
 180static int common_perm_cond(const char *op, const struct path *path, u32 mask)
 181{
 182	struct path_cond cond = { d_backing_inode(path->dentry)->i_uid,
 183				  d_backing_inode(path->dentry)->i_mode
 184	};
 185
 186	if (!path_mediated_fs(path->dentry))
 187		return 0;
 188
 189	return common_perm(op, path, mask, &cond);
 190}
 191
 192/**
 193 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
 194 * @op: operation being checked
 195 * @dir: directory of the dentry  (NOT NULL)
 196 * @dentry: dentry to check  (NOT NULL)
 197 * @mask: requested permissions mask
 198 * @cond: conditional info for the permission request  (NOT NULL)
 199 *
 200 * Returns: %0 else error code if error or permission denied
 201 */
 202static int common_perm_dir_dentry(const char *op, const struct path *dir,
 203				  struct dentry *dentry, u32 mask,
 204				  struct path_cond *cond)
 205{
 206	struct path path = { .mnt = dir->mnt, .dentry = dentry };
 207
 208	return common_perm(op, &path, mask, cond);
 209}
 210
 211/**
 212 * common_perm_rm - common permission wrapper for operations doing rm
 213 * @op: operation being checked
 214 * @dir: directory that the dentry is in  (NOT NULL)
 215 * @dentry: dentry being rm'd  (NOT NULL)
 216 * @mask: requested permission mask
 217 *
 218 * Returns: %0 else error code if error or permission denied
 219 */
 220static int common_perm_rm(const char *op, const struct path *dir,
 221			  struct dentry *dentry, u32 mask)
 222{
 223	struct inode *inode = d_backing_inode(dentry);
 224	struct path_cond cond = { };
 225
 226	if (!inode || !path_mediated_fs(dentry))
 227		return 0;
 228
 229	cond.uid = inode->i_uid;
 230	cond.mode = inode->i_mode;
 231
 232	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 233}
 234
 235/**
 236 * common_perm_create - common permission wrapper for operations doing create
 237 * @op: operation being checked
 238 * @dir: directory that dentry will be created in  (NOT NULL)
 239 * @dentry: dentry to create   (NOT NULL)
 240 * @mask: request permission mask
 241 * @mode: created file mode
 242 *
 243 * Returns: %0 else error code if error or permission denied
 244 */
 245static int common_perm_create(const char *op, const struct path *dir,
 246			      struct dentry *dentry, u32 mask, umode_t mode)
 247{
 248	struct path_cond cond = { current_fsuid(), mode };
 249
 250	if (!path_mediated_fs(dir->dentry))
 251		return 0;
 252
 253	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
 254}
 255
 256static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
 257{
 258	return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
 259}
 260
 261static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
 262			       umode_t mode)
 263{
 264	return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
 265				  S_IFDIR);
 266}
 267
 268static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
 269{
 270	return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
 271}
 272
 273static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
 274			       umode_t mode, unsigned int dev)
 275{
 276	return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
 277}
 278
 279static int apparmor_path_truncate(const struct path *path)
 280{
 281	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE);
 282}
 283
 284static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
 285				 const char *old_name)
 286{
 287	return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
 288				  S_IFLNK);
 289}
 290
 291static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
 292			      struct dentry *new_dentry)
 293{
 294	struct aa_profile *profile;
 295	int error = 0;
 296
 297	if (!path_mediated_fs(old_dentry))
 298		return 0;
 299
 300	profile = aa_current_profile();
 301	if (!unconfined(profile))
 302		error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
 303	return error;
 304}
 305
 306static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
 307				const struct path *new_dir, struct dentry *new_dentry)
 308{
 309	struct aa_profile *profile;
 310	int error = 0;
 311
 312	if (!path_mediated_fs(old_dentry))
 313		return 0;
 314
 315	profile = aa_current_profile();
 316	if (!unconfined(profile)) {
 317		struct path old_path = { .mnt = old_dir->mnt,
 318					 .dentry = old_dentry };
 319		struct path new_path = { .mnt = new_dir->mnt,
 320					 .dentry = new_dentry };
 321		struct path_cond cond = { d_backing_inode(old_dentry)->i_uid,
 322					  d_backing_inode(old_dentry)->i_mode
 323		};
 324
 325		error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
 326				     MAY_READ | AA_MAY_META_READ | MAY_WRITE |
 327				     AA_MAY_META_WRITE | AA_MAY_DELETE,
 328				     &cond);
 329		if (!error)
 330			error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
 331					     0, MAY_WRITE | AA_MAY_META_WRITE |
 332					     AA_MAY_CREATE, &cond);
 333
 334	}
 335	return error;
 336}
 337
 338static int apparmor_path_chmod(const struct path *path, umode_t mode)
 339{
 340	return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
 341}
 342
 343static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
 344{
 345	return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
 346}
 347
 348static int apparmor_inode_getattr(const struct path *path)
 349{
 350	return common_perm_cond(OP_GETATTR, path, AA_MAY_META_READ);
 351}
 352
 353static int apparmor_file_open(struct file *file, const struct cred *cred)
 354{
 355	struct aa_file_ctx *fctx = file->f_security;
 356	struct aa_profile *profile;
 357	int error = 0;
 358
 359	if (!path_mediated_fs(file->f_path.dentry))
 360		return 0;
 361
 362	/* If in exec, permission is handled by bprm hooks.
 363	 * Cache permissions granted by the previous exec check, with
 364	 * implicit read and executable mmap which are required to
 365	 * actually execute the image.
 366	 */
 367	if (current->in_execve) {
 368		fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
 369		return 0;
 370	}
 371
 372	profile = aa_cred_profile(cred);
 373	if (!unconfined(profile)) {
 374		struct inode *inode = file_inode(file);
 375		struct path_cond cond = { inode->i_uid, inode->i_mode };
 376
 377		error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
 378				     aa_map_file_to_perms(file), &cond);
 379		/* todo cache full allowed permissions set and state */
 380		fctx->allow = aa_map_file_to_perms(file);
 381	}
 382
 383	return error;
 384}
 385
 386static int apparmor_file_alloc_security(struct file *file)
 387{
 388	/* freed by apparmor_file_free_security */
 389	file->f_security = aa_alloc_file_context(GFP_KERNEL);
 390	if (!file->f_security)
 391		return -ENOMEM;
 392	return 0;
 393
 394}
 395
 396static void apparmor_file_free_security(struct file *file)
 397{
 398	struct aa_file_ctx *ctx = file->f_security;
 399
 400	aa_free_file_context(ctx);
 401}
 402
 403static int common_file_perm(const char *op, struct file *file, u32 mask)
 404{
 405	struct aa_file_ctx *fctx = file->f_security;
 406	struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
 407	int error = 0;
 408
 409	AA_BUG(!fprofile);
 410
 411	if (!file->f_path.mnt ||
 412	    !path_mediated_fs(file->f_path.dentry))
 413		return 0;
 414
 415	profile = __aa_current_profile();
 416
 417	/* revalidate access, if task is unconfined, or the cached cred
 418	 * doesn't match or if the request is for more permissions than
 419	 * was granted.
 420	 *
 421	 * Note: the test for !unconfined(fprofile) is to handle file
 422	 *       delegation from unconfined tasks
 423	 */
 424	if (!unconfined(profile) && !unconfined(fprofile) &&
 425	    ((fprofile != profile) || (mask & ~fctx->allow)))
 426		error = aa_file_perm(op, profile, file, mask);
 427
 428	return error;
 429}
 430
 431static int apparmor_file_permission(struct file *file, int mask)
 432{
 433	return common_file_perm(OP_FPERM, file, mask);
 434}
 435
 436static int apparmor_file_lock(struct file *file, unsigned int cmd)
 437{
 438	u32 mask = AA_MAY_LOCK;
 439
 440	if (cmd == F_WRLCK)
 441		mask |= MAY_WRITE;
 442
 443	return common_file_perm(OP_FLOCK, file, mask);
 444}
 445
 446static int common_mmap(const char *op, struct file *file, unsigned long prot,
 447		       unsigned long flags)
 448{
 449	int mask = 0;
 450
 451	if (!file || !file->f_security)
 452		return 0;
 453
 454	if (prot & PROT_READ)
 455		mask |= MAY_READ;
 456	/*
 457	 * Private mappings don't require write perms since they don't
 458	 * write back to the files
 459	 */
 460	if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
 461		mask |= MAY_WRITE;
 462	if (prot & PROT_EXEC)
 463		mask |= AA_EXEC_MMAP;
 464
 465	return common_file_perm(op, file, mask);
 466}
 467
 468static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
 469			      unsigned long prot, unsigned long flags)
 470{
 471	return common_mmap(OP_FMMAP, file, prot, flags);
 472}
 473
 474static int apparmor_file_mprotect(struct vm_area_struct *vma,
 475				  unsigned long reqprot, unsigned long prot)
 476{
 477	return common_mmap(OP_FMPROT, vma->vm_file, prot,
 478			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
 479}
 480
 481static int apparmor_getprocattr(struct task_struct *task, char *name,
 482				char **value)
 483{
 484	int error = -ENOENT;
 485	/* released below */
 486	const struct cred *cred = get_task_cred(task);
 487	struct aa_task_ctx *ctx = cred_ctx(cred);
 488	struct aa_profile *profile = NULL;
 489
 490	if (strcmp(name, "current") == 0)
 491		profile = aa_get_newest_profile(ctx->profile);
 492	else if (strcmp(name, "prev") == 0  && ctx->previous)
 493		profile = aa_get_newest_profile(ctx->previous);
 494	else if (strcmp(name, "exec") == 0 && ctx->onexec)
 495		profile = aa_get_newest_profile(ctx->onexec);
 496	else
 497		error = -EINVAL;
 498
 499	if (profile)
 500		error = aa_getprocattr(profile, value);
 501
 502	aa_put_profile(profile);
 503	put_cred(cred);
 504
 505	return error;
 506}
 507
 508static int apparmor_setprocattr(const char *name, void *value,
 509				size_t size)
 510{
 511	char *command, *largs = NULL, *args = value;
 512	size_t arg_size;
 513	int error;
 514	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
 515
 516	if (size == 0)
 517		return -EINVAL;
 518
 519	/* AppArmor requires that the buffer must be null terminated atm */
 520	if (args[size - 1] != '\0') {
 521		/* null terminate */
 522		largs = args = kmalloc(size + 1, GFP_KERNEL);
 523		if (!args)
 524			return -ENOMEM;
 525		memcpy(args, value, size);
 526		args[size] = '\0';
 527	}
 528
 529	error = -EINVAL;
 530	args = strim(args);
 531	command = strsep(&args, " ");
 532	if (!args)
 533		goto out;
 534	args = skip_spaces(args);
 535	if (!*args)
 536		goto out;
 537
 538	arg_size = size - (args - (largs ? largs : (char *) value));
 539	if (strcmp(name, "current") == 0) {
 540		if (strcmp(command, "changehat") == 0) {
 541			error = aa_setprocattr_changehat(args, arg_size,
 542							 !AA_DO_TEST);
 543		} else if (strcmp(command, "permhat") == 0) {
 544			error = aa_setprocattr_changehat(args, arg_size,
 545							 AA_DO_TEST);
 546		} else if (strcmp(command, "changeprofile") == 0) {
 547			error = aa_change_profile(args, !AA_ONEXEC,
 548						  !AA_DO_TEST, false);
 549		} else if (strcmp(command, "permprofile") == 0) {
 550			error = aa_change_profile(args, !AA_ONEXEC, AA_DO_TEST,
 551						  false);
 552		} else
 553			goto fail;
 554	} else if (strcmp(name, "exec") == 0) {
 555		if (strcmp(command, "exec") == 0)
 556			error = aa_change_profile(args, AA_ONEXEC, !AA_DO_TEST,
 557						  false);
 558		else
 559			goto fail;
 560	} else
 561		/* only support the "current" and "exec" process attributes */
 562		goto fail;
 563
 564	if (!error)
 565		error = size;
 566out:
 567	kfree(largs);
 568	return error;
 569
 570fail:
 571	aad(&sa)->profile = aa_current_profile();
 572	aad(&sa)->info = name;
 573	aad(&sa)->error = error = -EINVAL;
 574	aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
 575	goto out;
 576}
 577
 578static int apparmor_task_setrlimit(struct task_struct *task,
 579		unsigned int resource, struct rlimit *new_rlim)
 580{
 581	struct aa_profile *profile = __aa_current_profile();
 582	int error = 0;
 583
 584	if (!unconfined(profile))
 585		error = aa_task_setrlimit(profile, task, resource, new_rlim);
 586
 587	return error;
 588}
 589
 590static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 591	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
 592	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
 593	LSM_HOOK_INIT(capget, apparmor_capget),
 594	LSM_HOOK_INIT(capable, apparmor_capable),
 595
 596	LSM_HOOK_INIT(path_link, apparmor_path_link),
 597	LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
 598	LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
 599	LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
 600	LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
 601	LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
 602	LSM_HOOK_INIT(path_rename, apparmor_path_rename),
 603	LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
 604	LSM_HOOK_INIT(path_chown, apparmor_path_chown),
 605	LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
 606	LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
 607
 608	LSM_HOOK_INIT(file_open, apparmor_file_open),
 609	LSM_HOOK_INIT(file_permission, apparmor_file_permission),
 610	LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
 611	LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
 612	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
 613	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
 614	LSM_HOOK_INIT(file_lock, apparmor_file_lock),
 615
 616	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
 617	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
 618
 619	LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
 620	LSM_HOOK_INIT(cred_free, apparmor_cred_free),
 621	LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
 622	LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
 623
 624	LSM_HOOK_INIT(bprm_set_creds, apparmor_bprm_set_creds),
 625	LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
 626	LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
 627	LSM_HOOK_INIT(bprm_secureexec, apparmor_bprm_secureexec),
 628
 629	LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
 630};
 631
 632/*
 633 * AppArmor sysfs module parameters
 634 */
 635
 636static int param_set_aabool(const char *val, const struct kernel_param *kp);
 637static int param_get_aabool(char *buffer, const struct kernel_param *kp);
 638#define param_check_aabool param_check_bool
 639static const struct kernel_param_ops param_ops_aabool = {
 640	.flags = KERNEL_PARAM_OPS_FL_NOARG,
 641	.set = param_set_aabool,
 642	.get = param_get_aabool
 643};
 644
 645static int param_set_aauint(const char *val, const struct kernel_param *kp);
 646static int param_get_aauint(char *buffer, const struct kernel_param *kp);
 647#define param_check_aauint param_check_uint
 648static const struct kernel_param_ops param_ops_aauint = {
 649	.set = param_set_aauint,
 650	.get = param_get_aauint
 651};
 652
 653static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
 654static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
 655#define param_check_aalockpolicy param_check_bool
 656static const struct kernel_param_ops param_ops_aalockpolicy = {
 657	.flags = KERNEL_PARAM_OPS_FL_NOARG,
 658	.set = param_set_aalockpolicy,
 659	.get = param_get_aalockpolicy
 660};
 661
 662static int param_set_audit(const char *val, struct kernel_param *kp);
 663static int param_get_audit(char *buffer, struct kernel_param *kp);
 664
 665static int param_set_mode(const char *val, struct kernel_param *kp);
 666static int param_get_mode(char *buffer, struct kernel_param *kp);
 667
 668/* Flag values, also controllable via /sys/module/apparmor/parameters
 669 * We define special types as we want to do additional mediation.
 670 */
 671
 672/* AppArmor global enforcement switch - complain, enforce, kill */
 673enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
 674module_param_call(mode, param_set_mode, param_get_mode,
 675		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
 676
 677/* whether policy verification hashing is enabled */
 678bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
 679#ifdef CONFIG_SECURITY_APPARMOR_HASH
 680module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
 681#endif
 682
 683/* Debug mode */
 684bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
 685module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
 686
 687/* Audit mode */
 688enum audit_mode aa_g_audit;
 689module_param_call(audit, param_set_audit, param_get_audit,
 690		  &aa_g_audit, S_IRUSR | S_IWUSR);
 691
 692/* Determines if audit header is included in audited messages.  This
 693 * provides more context if the audit daemon is not running
 694 */
 695bool aa_g_audit_header = 1;
 696module_param_named(audit_header, aa_g_audit_header, aabool,
 697		   S_IRUSR | S_IWUSR);
 698
 699/* lock out loading/removal of policy
 700 * TODO: add in at boot loading of policy, which is the only way to
 701 *       load policy, if lock_policy is set
 702 */
 703bool aa_g_lock_policy;
 704module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
 705		   S_IRUSR | S_IWUSR);
 706
 707/* Syscall logging mode */
 708bool aa_g_logsyscall;
 709module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
 710
 711/* Maximum pathname length before accesses will start getting rejected */
 712unsigned int aa_g_path_max = 2 * PATH_MAX;
 713module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
 714
 715/* Determines how paranoid loading of policy is and how much verification
 716 * on the loaded policy is done.
 717 * DEPRECATED: read only as strict checking of load is always done now
 718 * that none root users (user namespaces) can load policy.
 719 */
 720bool aa_g_paranoid_load = 1;
 721module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
 722
 723/* Boot time disable flag */
 724static bool apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
 725module_param_named(enabled, apparmor_enabled, bool, S_IRUGO);
 726
 727static int __init apparmor_enabled_setup(char *str)
 728{
 729	unsigned long enabled;
 730	int error = kstrtoul(str, 0, &enabled);
 731	if (!error)
 732		apparmor_enabled = enabled ? 1 : 0;
 733	return 1;
 734}
 735
 736__setup("apparmor=", apparmor_enabled_setup);
 737
 738/* set global flag turning off the ability to load policy */
 739static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
 740{
 741	if (!apparmor_enabled)
 742		return -EINVAL;
 743	if (apparmor_initialized && !policy_admin_capable(NULL))
 744		return -EPERM;
 745	return param_set_bool(val, kp);
 746}
 747
 748static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 749{
 750	if (!apparmor_enabled)
 751		return -EINVAL;
 752	if (apparmor_initialized && !policy_view_capable(NULL))
 753		return -EPERM;
 754	return param_get_bool(buffer, kp);
 755}
 756
 757static int param_set_aabool(const char *val, const struct kernel_param *kp)
 758{
 759	if (!apparmor_enabled)
 760		return -EINVAL;
 761	if (apparmor_initialized && !policy_admin_capable(NULL))
 762		return -EPERM;
 763	return param_set_bool(val, kp);
 764}
 765
 766static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 767{
 768	if (!apparmor_enabled)
 769		return -EINVAL;
 770	if (apparmor_initialized && !policy_view_capable(NULL))
 771		return -EPERM;
 772	return param_get_bool(buffer, kp);
 773}
 774
 775static int param_set_aauint(const char *val, const struct kernel_param *kp)
 776{
 777	if (!apparmor_enabled)
 778		return -EINVAL;
 779	if (apparmor_initialized && !policy_admin_capable(NULL))
 780		return -EPERM;
 781	return param_set_uint(val, kp);
 782}
 783
 784static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 785{
 786	if (!apparmor_enabled)
 787		return -EINVAL;
 788	if (apparmor_initialized && !policy_view_capable(NULL))
 789		return -EPERM;
 790	return param_get_uint(buffer, kp);
 791}
 792
 793static int param_get_audit(char *buffer, struct kernel_param *kp)
 794{
 795	if (!apparmor_enabled)
 796		return -EINVAL;
 797	if (apparmor_initialized && !policy_view_capable(NULL))
 798		return -EPERM;
 799	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
 800}
 801
 802static int param_set_audit(const char *val, struct kernel_param *kp)
 803{
 804	int i;
 805
 806	if (!apparmor_enabled)
 807		return -EINVAL;
 808	if (!val)
 809		return -EINVAL;
 810	if (apparmor_initialized && !policy_admin_capable(NULL))
 811		return -EPERM;
 812
 813	for (i = 0; i < AUDIT_MAX_INDEX; i++) {
 814		if (strcmp(val, audit_mode_names[i]) == 0) {
 815			aa_g_audit = i;
 816			return 0;
 817		}
 818	}
 819
 820	return -EINVAL;
 821}
 822
 823static int param_get_mode(char *buffer, struct kernel_param *kp)
 824{
 825	if (!apparmor_enabled)
 826		return -EINVAL;
 827	if (apparmor_initialized && !policy_view_capable(NULL))
 828		return -EPERM;
 829
 830	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
 831}
 832
 833static int param_set_mode(const char *val, struct kernel_param *kp)
 834{
 835	int i;
 836
 837	if (!apparmor_enabled)
 838		return -EINVAL;
 839	if (!val)
 840		return -EINVAL;
 841	if (apparmor_initialized && !policy_admin_capable(NULL))
 842		return -EPERM;
 843
 844	for (i = 0; i < APPARMOR_MODE_NAMES_MAX_INDEX; i++) {
 845		if (strcmp(val, aa_profile_mode_names[i]) == 0) {
 846			aa_g_profile_mode = i;
 847			return 0;
 848		}
 849	}
 850
 851	return -EINVAL;
 852}
 853
 854/*
 855 * AppArmor init functions
 856 */
 857
 858/**
 859 * set_init_ctx - set a task context and profile on the first task.
 860 *
 861 * TODO: allow setting an alternate profile than unconfined
 862 */
 863static int __init set_init_ctx(void)
 864{
 865	struct cred *cred = (struct cred *)current->real_cred;
 866	struct aa_task_ctx *ctx;
 867
 868	ctx = aa_alloc_task_context(GFP_KERNEL);
 869	if (!ctx)
 870		return -ENOMEM;
 871
 872	ctx->profile = aa_get_profile(root_ns->unconfined);
 873	cred_ctx(cred) = ctx;
 874
 875	return 0;
 876}
 877
 878static void destroy_buffers(void)
 879{
 880	u32 i, j;
 881
 882	for_each_possible_cpu(i) {
 883		for_each_cpu_buffer(j) {
 884			kfree(per_cpu(aa_buffers, i).buf[j]);
 885			per_cpu(aa_buffers, i).buf[j] = NULL;
 886		}
 887	}
 888}
 889
 890static int __init alloc_buffers(void)
 891{
 892	u32 i, j;
 893
 894	for_each_possible_cpu(i) {
 895		for_each_cpu_buffer(j) {
 896			char *buffer;
 897
 898			if (cpu_to_node(i) > num_online_nodes())
 899				/* fallback to kmalloc for offline nodes */
 900				buffer = kmalloc(aa_g_path_max, GFP_KERNEL);
 901			else
 902				buffer = kmalloc_node(aa_g_path_max, GFP_KERNEL,
 903						      cpu_to_node(i));
 904			if (!buffer) {
 905				destroy_buffers();
 906				return -ENOMEM;
 907			}
 908			per_cpu(aa_buffers, i).buf[j] = buffer;
 909		}
 910	}
 911
 912	return 0;
 913}
 914
 915#ifdef CONFIG_SYSCTL
 916static int apparmor_dointvec(struct ctl_table *table, int write,
 917			     void __user *buffer, size_t *lenp, loff_t *ppos)
 918{
 919	if (!policy_admin_capable(NULL))
 920		return -EPERM;
 921	if (!apparmor_enabled)
 922		return -EINVAL;
 923
 924	return proc_dointvec(table, write, buffer, lenp, ppos);
 925}
 926
 927static struct ctl_path apparmor_sysctl_path[] = {
 928	{ .procname = "kernel", },
 929	{ }
 930};
 931
 932static struct ctl_table apparmor_sysctl_table[] = {
 933	{
 934		.procname       = "unprivileged_userns_apparmor_policy",
 935		.data           = &unprivileged_userns_apparmor_policy,
 936		.maxlen         = sizeof(int),
 937		.mode           = 0600,
 938		.proc_handler   = apparmor_dointvec,
 939	},
 940	{ }
 941};
 942
 943static int __init apparmor_init_sysctl(void)
 944{
 945	return register_sysctl_paths(apparmor_sysctl_path,
 946				     apparmor_sysctl_table) ? 0 : -ENOMEM;
 947}
 948#else
 949static inline int apparmor_init_sysctl(void)
 950{
 951	return 0;
 952}
 953#endif /* CONFIG_SYSCTL */
 954
 955static int __init apparmor_init(void)
 956{
 957	int error;
 958
 959	if (!apparmor_enabled || !security_module_enable("apparmor")) {
 960		aa_info_message("AppArmor disabled by boot time parameter");
 961		apparmor_enabled = 0;
 962		return 0;
 963	}
 964
 965	error = aa_setup_dfa_engine();
 966	if (error) {
 967		AA_ERROR("Unable to setup dfa engine\n");
 968		goto alloc_out;
 969	}
 970
 971	error = aa_alloc_root_ns();
 972	if (error) {
 973		AA_ERROR("Unable to allocate default profile namespace\n");
 974		goto alloc_out;
 975	}
 976
 977	error = apparmor_init_sysctl();
 978	if (error) {
 979		AA_ERROR("Unable to register sysctls\n");
 980		goto alloc_out;
 981
 982	}
 983
 984	error = alloc_buffers();
 985	if (error) {
 986		AA_ERROR("Unable to allocate work buffers\n");
 987		goto buffers_out;
 988	}
 989
 990	error = set_init_ctx();
 991	if (error) {
 992		AA_ERROR("Failed to set context on init task\n");
 993		aa_free_root_ns();
 994		goto buffers_out;
 995	}
 996	security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
 997				"apparmor");
 998
 999	/* Report that AppArmor successfully initialized */
1000	apparmor_initialized = 1;
1001	if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1002		aa_info_message("AppArmor initialized: complain mode enabled");
1003	else if (aa_g_profile_mode == APPARMOR_KILL)
1004		aa_info_message("AppArmor initialized: kill mode enabled");
1005	else
1006		aa_info_message("AppArmor initialized");
1007
1008	return error;
1009
1010buffers_out:
1011	destroy_buffers();
1012
1013alloc_out:
1014	aa_destroy_aafs();
1015	aa_teardown_dfa_engine();
1016
1017	apparmor_enabled = 0;
1018	return error;
1019}
1020
1021security_initcall(apparmor_init);
Configure Feed

Configure Feed
