security/apparmor/include/policy.h at v6.4-rc3 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / security / apparmor / include / policy.h
at v6.4-rc3 380 lines 11 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0-only */
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor policy definitions.
  6 *
  7 * Copyright (C) 1998-2008 Novell/SUSE
  8 * Copyright 2009-2010 Canonical Ltd.
  9 */
 10
 11#ifndef __AA_POLICY_H
 12#define __AA_POLICY_H
 13
 14#include <linux/capability.h>
 15#include <linux/cred.h>
 16#include <linux/kref.h>
 17#include <linux/rhashtable.h>
 18#include <linux/sched.h>
 19#include <linux/slab.h>
 20#include <linux/socket.h>
 21
 22#include "apparmor.h"
 23#include "audit.h"
 24#include "capability.h"
 25#include "domain.h"
 26#include "file.h"
 27#include "lib.h"
 28#include "label.h"
 29#include "net.h"
 30#include "perms.h"
 31#include "resource.h"
 32
 33
 34struct aa_ns;
 35
 36extern int unprivileged_userns_apparmor_policy;
 37
 38extern const char *const aa_profile_mode_names[];
 39#define APPARMOR_MODE_NAMES_MAX_INDEX 4
 40
 41#define PROFILE_MODE(_profile, _mode)		\
 42	((aa_g_profile_mode == (_mode)) ||	\
 43	 ((_profile)->mode == (_mode)))
 44
 45#define COMPLAIN_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
 46
 47#define USER_MODE(_profile)	PROFILE_MODE((_profile), APPARMOR_USER)
 48
 49#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
 50
 51#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
 52
 53#define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
 54
 55#define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
 56
 57#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
 58
 59#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
 60
 61/*
 62 * FIXME: currently need a clean way to replace and remove profiles as a
 63 * set.  It should be done at the namespace level.
 64 * Either, with a set of profiles loaded at the namespace level or via
 65 * a mark and remove marked interface.
 66 */
 67enum profile_mode {
 68	APPARMOR_ENFORCE,	/* enforce access rules */
 69	APPARMOR_COMPLAIN,	/* allow and log access violations */
 70	APPARMOR_KILL,		/* kill task on access violation */
 71	APPARMOR_UNCONFINED,	/* profile set to unconfined */
 72	APPARMOR_USER,		/* modified complain mode to userspace */
 73};
 74
 75
 76/* struct aa_policydb - match engine for a policy
 77 * dfa: dfa pattern match
 78 * perms: table of permissions
 79 * strs: table of strings, index by x
 80 * start: set of start states for the different classes of data
 81 */
 82struct aa_policydb {
 83	struct aa_dfa *dfa;
 84	struct {
 85		struct aa_perms *perms;
 86		u32 size;
 87	};
 88	struct aa_str_table trans;
 89	aa_state_t start[AA_CLASS_LAST + 1];
 90};
 91
 92static inline void aa_destroy_policydb(struct aa_policydb *policy)
 93{
 94	aa_put_dfa(policy->dfa);
 95	if (policy->perms)
 96		kvfree(policy->perms);
 97	aa_free_str_table(&policy->trans);
 98
 99}
100
101static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
102					       aa_state_t state)
103{
104	unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
105
106	if (!(policy->perms))
107		return &default_perms;
108
109	return &(policy->perms[index]);
110}
111
112
113/* struct aa_data - generic data structure
114 * key: name for retrieving this data
115 * size: size of data in bytes
116 * data: binary data
117 * head: reserved for rhashtable
118 */
119struct aa_data {
120	char *key;
121	u32 size;
122	char *data;
123	struct rhash_head head;
124};
125
126/* struct aa_ruleset - data covering mediation rules
127 * @list: list the rule is on
128 * @size: the memory consumed by this ruleset
129 * @policy: general match rules governing policy
130 * @file: The set of rules governing basic file access and domain transitions
131 * @caps: capabilities for the profile
132 * @rlimits: rlimits for the profile
133 * @secmark_count: number of secmark entries
134 * @secmark: secmark label match info
135 */
136struct aa_ruleset {
137	struct list_head list;
138
139	int size;
140
141	/* TODO: merge policy and file */
142	struct aa_policydb policy;
143	struct aa_policydb file;
144	struct aa_caps caps;
145
146	struct aa_rlimit rlimits;
147
148	int secmark_count;
149	struct aa_secmark *secmark;
150};
151
152/* struct aa_attachment - data and rules for a profiles attachment
153 * @list:
154 * @xmatch_str: human readable attachment string
155 * @xmatch: optional extended matching for unconfined executables names
156 * @xmatch_len: xmatch prefix len, used to determine xmatch priority
157 * @xattr_count: number of xattrs in table
158 * @xattrs: table of xattrs
159 */
160struct aa_attachment {
161	const char *xmatch_str;
162	struct aa_policydb xmatch;
163	unsigned int xmatch_len;
164	int xattr_count;
165	char **xattrs;
166};
167
168/* struct aa_profile - basic confinement data
169 * @base - base components of the profile (name, refcount, lists, lock ...)
170 * @label - label this profile is an extension of
171 * @parent: parent of profile
172 * @ns: namespace the profile is in
173 * @rename: optional profile name that this profile renamed
174 *
175 * @audit: the auditing mode of the profile
176 * @mode: the enforcement mode of the profile
177 * @path_flags: flags controlling path generation behavior
178 * @disconnected: what to prepend if attach_disconnected is specified
179 * @attach: attachment rules for the profile
180 * @rules: rules to be enforced
181 *
182 * @dents: dentries for the profiles file entries in apparmorfs
183 * @dirname: name of the profile dir in apparmorfs
184 * @data: hashtable for free-form policy aa_data
185 *
186 * The AppArmor profile contains the basic confinement data.  Each profile
187 * has a name, and exists in a namespace.  The @name and @exec_match are
188 * used to determine profile attachment against unconfined tasks.  All other
189 * attachments are determined by profile X transition rules.
190 *
191 * Profiles have a hierarchy where hats and children profiles keep
192 * a reference to their parent.
193 *
194 * Profile names can not begin with a : and can not contain the \0
195 * character.  If a profile name begins with / it will be considered when
196 * determining profile attachment on "unconfined" tasks.
197 */
198struct aa_profile {
199	struct aa_policy base;
200	struct aa_profile __rcu *parent;
201
202	struct aa_ns *ns;
203	const char *rename;
204
205	enum audit_mode audit;
206	long mode;
207	u32 path_flags;
208	const char *disconnected;
209
210	struct aa_attachment attach;
211	struct list_head rules;
212
213	struct aa_loaddata *rawdata;
214	unsigned char *hash;
215	char *dirname;
216	struct dentry *dents[AAFS_PROF_SIZEOF];
217	struct rhashtable *data;
218	struct aa_label label;
219};
220
221extern enum profile_mode aa_g_profile_mode;
222
223#define AA_MAY_LOAD_POLICY	AA_MAY_APPEND
224#define AA_MAY_REPLACE_POLICY	AA_MAY_WRITE
225#define AA_MAY_REMOVE_POLICY	AA_MAY_DELETE
226
227#define profiles_ns(P) ((P)->ns)
228#define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
229
230void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
231
232
233void aa_free_proxy_kref(struct kref *kref);
234struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
235struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
236				    gfp_t gfp);
237struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
238				 gfp_t gfp);
239struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
240					   const char *base, gfp_t gfp);
241void aa_free_profile(struct aa_profile *profile);
242void aa_free_profile_kref(struct kref *kref);
243struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
244struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
245				      size_t n);
246struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
247struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
248					const char *fqname, size_t n);
249struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
250
251ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
252			    u32 mask, struct aa_loaddata *udata);
253ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
254			   char *name, size_t size);
255void __aa_profile_list_release(struct list_head *head);
256
257#define PROF_ADD 1
258#define PROF_REPLACE 0
259
260#define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
261
262/**
263 * aa_get_newest_profile - simple wrapper fn to wrap the label version
264 * @p: profile (NOT NULL)
265 *
266 * Returns refcount to newest version of the profile (maybe @p)
267 *
268 * Requires: @p must be held with a valid refcount
269 */
270static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
271{
272	return labels_profile(aa_get_newest_label(&p->label));
273}
274
275static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
276				       unsigned char class)
277{
278	if (class <= AA_CLASS_LAST)
279		return rules->policy.start[class];
280	else
281		return aa_dfa_match_len(rules->policy.dfa,
282					rules->policy.start[0], &class, 1);
283}
284
285static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF)
286{
287	aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET);
288	__be16 be_af = cpu_to_be16(AF);
289
290	if (!state)
291		return DFA_NOMATCH;
292	return aa_dfa_match_len(rules->policy.dfa, state, (char *) &be_af, 2);
293}
294
295static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
296					   unsigned char class)
297{
298	struct aa_ruleset *rule;
299
300	/* TODO: change to list walk */
301	rule = list_first_entry(head, typeof(*rule), list);
302	return RULE_MEDIATES(rule, class);
303}
304
305/**
306 * aa_get_profile - increment refcount on profile @p
307 * @p: profile  (MAYBE NULL)
308 *
309 * Returns: pointer to @p if @p is NULL will return NULL
310 * Requires: @p must be held with valid refcount when called
311 */
312static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
313{
314	if (p)
315		kref_get(&(p->label.count));
316
317	return p;
318}
319
320/**
321 * aa_get_profile_not0 - increment refcount on profile @p found via lookup
322 * @p: profile  (MAYBE NULL)
323 *
324 * Returns: pointer to @p if @p is NULL will return NULL
325 * Requires: @p must be held with valid refcount when called
326 */
327static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
328{
329	if (p && kref_get_unless_zero(&p->label.count))
330		return p;
331
332	return NULL;
333}
334
335/**
336 * aa_get_profile_rcu - increment a refcount profile that can be replaced
337 * @p: pointer to profile that can be replaced (NOT NULL)
338 *
339 * Returns: pointer to a refcounted profile.
340 *     else NULL if no profile
341 */
342static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
343{
344	struct aa_profile *c;
345
346	rcu_read_lock();
347	do {
348		c = rcu_dereference(*p);
349	} while (c && !kref_get_unless_zero(&c->label.count));
350	rcu_read_unlock();
351
352	return c;
353}
354
355/**
356 * aa_put_profile - decrement refcount on profile @p
357 * @p: profile  (MAYBE NULL)
358 */
359static inline void aa_put_profile(struct aa_profile *p)
360{
361	if (p)
362		kref_put(&p->label.count, aa_label_kref);
363}
364
365static inline int AUDIT_MODE(struct aa_profile *profile)
366{
367	if (aa_g_audit != AUDIT_NORMAL)
368		return aa_g_audit;
369
370	return profile->audit;
371}
372
373bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
374bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
375int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
376			 u32 mask);
377bool aa_current_policy_view_capable(struct aa_ns *ns);
378bool aa_current_policy_admin_capable(struct aa_ns *ns);
379
380#endif /* __AA_POLICY_H */