2010-07-29 14:48:00 -07:00
/*
* AppArmor security module
*
* This file contains AppArmor policy manipulation functions
*
* Copyright ( C ) 1998 - 2008 Novell / SUSE
* Copyright 2009 - 2010 Canonical Ltd .
*
* This program is free software ; you can redistribute it and / or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation , version 2 of the
* License .
*
*
* AppArmor policy is based around profiles , which contain the rules a
* task is confined by . Every task in the system has a profile attached
* to it determined either by matching " unconfined " tasks against the
* visible set of profiles or by following a profiles attachment rules .
*
* Each profile exists in a profile namespace which is a container of
* visible profiles . Each namespace contains a special " unconfined " profile ,
* which doesn ' t enforce any confinement on a task beyond DAC .
*
* Namespace and profile names can be written together in either
* of two syntaxes .
* : namespace : profile - used by kernel interfaces for easy detection
* namespace : //profile - used by policy
*
* Profile names can not start with : or @ or ^ and may not contain \ 0
*
* Reserved profile names
* unconfined - special automatically generated unconfined profile
* inherit - special name to indicate profile inheritance
* null - XXXX - YYYY - special automatically generated learning profiles
*
* Namespace names may not start with / or @ and may not contain \ 0 or :
* Reserved namespace names
* user - XXXX - user defined profiles
*
* a // in a profile or namespace name indicates a hierarchical name with the
* name before the // being the parent and the name after the child.
*
* Profile and namespace hierarchies serve two different but similar purposes .
* The namespace contains the set of visible profiles that are considered
* for attachment . The hierarchy of namespaces allows for virtualizing
* the namespace so that for example a chroot can have its own set of profiles
* which may define some local user namespaces .
* The profile hierarchy severs two distinct purposes ,
* - it allows for sub profiles or hats , which allows an application to run
* subprograms under its own profile with different restriction than it
* self , and not have it use the system profile .
* eg . if a mail program starts an editor , the policy might make the
* restrictions tighter on the editor tighter than the mail program ,
* and definitely different than general editor restrictions
* - it allows for binary hierarchy of profiles , so that execution history
* is preserved . This feature isn ' t exploited by AppArmor reference policy
* but is allowed . NOTE : this is currently suboptimal because profile
* aliasing is not currently implemented so that a profile for each
* level must be defined .
* eg . / bin / bash ///bin/ls as a name would indicate /bin/ls was started
* from / bin / bash
*
* A profile or namespace name that can contain one or more // separators
* is referred to as an hname ( hierarchical ) .
* eg . / bin / bash //bin/ls
*
* An fqname is a name that may contain both namespace and profile hnames .
* eg . : ns : / bin / bash //bin/ls
*
* NOTES :
* - locking of profile lists is currently fairly coarse . All profile
* lists within a namespace use the namespace lock .
* FIXME : move profile lists to using rcu_lists
*/
# include <linux/slab.h>
# include <linux/spinlock.h>
# include <linux/string.h>
# include "include/apparmor.h"
# include "include/capability.h"
# include "include/context.h"
# include "include/file.h"
# include "include/ipc.h"
# include "include/match.h"
# include "include/path.h"
# include "include/policy.h"
2017-01-16 00:42:15 -08:00
# include "include/policy_ns.h"
2010-07-29 14:48:00 -07:00
# include "include/policy_unpack.h"
# include "include/resource.h"
2013-07-10 21:13:43 -07:00
const char * const aa_profile_mode_names [ ] = {
2010-07-29 14:48:00 -07:00
" enforce " ,
" complain " ,
" kill " ,
2013-07-10 21:12:43 -07:00
" unconfined " ,
2010-07-29 14:48:00 -07:00
} ;
2017-01-16 00:42:15 -08:00
/* requires profile list write lock held */
2017-01-16 00:42:19 -08:00
void __aa_update_proxy ( struct aa_profile * orig , struct aa_profile * new )
2010-07-29 14:48:00 -07:00
{
2017-01-16 00:42:15 -08:00
struct aa_profile * tmp ;
2010-07-29 14:48:00 -07:00
2017-01-16 00:42:19 -08:00
tmp = rcu_dereference_protected ( orig - > proxy - > profile ,
2017-01-16 00:42:15 -08:00
mutex_is_locked ( & orig - > ns - > lock ) ) ;
2017-01-16 00:42:19 -08:00
rcu_assign_pointer ( orig - > proxy - > profile , aa_get_profile ( new ) ) ;
2017-01-16 00:42:18 -08:00
orig - > flags | = PFLAG_STALE ;
2017-01-16 00:42:15 -08:00
aa_put_profile ( tmp ) ;
2010-07-29 14:48:00 -07:00
}
/**
* __list_add_profile - add a profile to a list
* @ list : list to add it to ( NOT NULL )
* @ profile : the profile to add ( NOT NULL )
*
* refcount @ profile , should be put by __list_remove_profile
*
* Requires : namespace lock be held , or list not be shared
*/
static void __list_add_profile ( struct list_head * list ,
struct aa_profile * profile )
{
2013-07-10 21:06:43 -07:00
list_add_rcu ( & profile - > base . list , list ) ;
2010-07-29 14:48:00 -07:00
/* get list reference */
aa_get_profile ( profile ) ;
}
/**
* __list_remove_profile - remove a profile from the list it is on
* @ profile : the profile to remove ( NOT NULL )
*
* remove a profile from the list , warning generally removal should
* be done with __replace_profile as most profile removals are
* replacements to the unconfined profile .
*
* put @ profile list refcount
*
* Requires : namespace lock be held , or list not have been live
*/
static void __list_remove_profile ( struct aa_profile * profile )
{
2013-07-10 21:06:43 -07:00
list_del_rcu ( & profile - > base . list ) ;
aa_put_profile ( profile ) ;
2010-07-29 14:48:00 -07:00
}
/**
* __remove_profile - remove old profile , and children
* @ profile : profile to be replaced ( NOT NULL )
*
* Requires : namespace list lock be held , or list not be shared
*/
static void __remove_profile ( struct aa_profile * profile )
{
/* release any children lists first */
2017-01-16 00:42:15 -08:00
__aa_profile_list_release ( & profile - > base . profiles ) ;
2010-07-29 14:48:00 -07:00
/* released by free_profile */
2017-01-16 00:42:19 -08:00
__aa_update_proxy ( profile , profile - > ns - > unconfined ) ;
2013-07-10 21:13:43 -07:00
__aa_fs_profile_rmdir ( profile ) ;
2010-07-29 14:48:00 -07:00
__list_remove_profile ( profile ) ;
}
/**
2017-01-16 00:42:15 -08:00
* __aa_profile_list_release - remove all profiles on the list and put refs
2010-07-29 14:48:00 -07:00
* @ head : list of profiles ( NOT NULL )
*
* Requires : namespace lock be held
*/
2017-01-16 00:42:15 -08:00
void __aa_profile_list_release ( struct list_head * head )
2010-07-29 14:48:00 -07:00
{
struct aa_profile * profile , * tmp ;
list_for_each_entry_safe ( profile , tmp , head , base . list )
__remove_profile ( profile ) ;
}
2013-07-10 21:07:43 -07:00
2017-01-16 00:42:19 -08:00
static void free_proxy ( struct aa_proxy * p )
2013-07-10 21:07:43 -07:00
{
2017-01-16 00:42:19 -08:00
if ( p ) {
2013-09-29 08:39:22 -07:00
/* r->profile will not be updated any more as r is dead */
2017-01-16 00:42:19 -08:00
aa_put_profile ( rcu_dereference_protected ( p - > profile , true ) ) ;
kzfree ( p ) ;
2013-07-10 21:07:43 -07:00
}
}
2017-01-16 00:42:19 -08:00
void aa_free_proxy_kref ( struct kref * kref )
2013-07-10 21:07:43 -07:00
{
2017-01-16 00:42:19 -08:00
struct aa_proxy * p = container_of ( kref , struct aa_proxy , count ) ;
free_proxy ( p ) ;
2013-07-10 21:07:43 -07:00
}
2010-07-29 14:48:00 -07:00
/**
2013-07-10 21:11:43 -07:00
* aa_free_profile - free a profile
2010-07-29 14:48:00 -07:00
* @ profile : the profile to free ( MAYBE NULL )
*
* Free a profile , its hats and null_profile . All references to the profile ,
* its hats and null_profile must have been put .
*
* If the profile was referenced from a task context , free_profile ( ) will
* be called from an rcu callback routine , so we must not sleep here .
*/
2013-07-10 21:11:43 -07:00
void aa_free_profile ( struct aa_profile * profile )
2010-07-29 14:48:00 -07:00
{
AA_DEBUG ( " %s(%p) \n " , __func__ , profile ) ;
if ( ! profile )
return ;
/* free children profiles */
2017-01-16 00:42:14 -08:00
aa_policy_destroy ( & profile - > base ) ;
2013-07-10 21:06:43 -07:00
aa_put_profile ( rcu_access_pointer ( profile - > parent ) ) ;
2010-07-29 14:48:00 -07:00
2017-01-16 00:42:16 -08:00
aa_put_ns ( profile - > ns ) ;
2010-07-29 14:48:00 -07:00
kzfree ( profile - > rename ) ;
aa_free_file_rules ( & profile - > file ) ;
aa_free_cap_rules ( & profile - > caps ) ;
aa_free_rlimit_rules ( & profile - > rlimits ) ;
2013-07-10 21:13:43 -07:00
kzfree ( profile - > dirname ) ;
2010-07-29 14:48:00 -07:00
aa_put_dfa ( profile - > xmatch ) ;
2012-02-16 07:07:53 -08:00
aa_put_dfa ( profile - > policy . dfa ) ;
2017-01-16 00:42:19 -08:00
aa_put_proxy ( profile - > proxy ) ;
2010-07-29 14:48:00 -07:00
2013-10-14 11:44:34 -07:00
kzfree ( profile - > hash ) ;
2010-07-29 14:48:00 -07:00
kzfree ( profile ) ;
}
2013-07-10 21:06:43 -07:00
/**
* aa_free_profile_rcu - free aa_profile by rcu ( called by aa_free_profile_kref )
* @ head : rcu_head callback for freeing of a profile ( NOT NULL )
*/
static void aa_free_profile_rcu ( struct rcu_head * head )
{
2013-07-10 21:10:43 -07:00
struct aa_profile * p = container_of ( head , struct aa_profile , rcu ) ;
if ( p - > flags & PFLAG_NS_COUNT )
2017-01-16 00:42:16 -08:00
aa_free_ns ( p - > ns ) ;
2013-07-10 21:10:43 -07:00
else
2013-07-10 21:11:43 -07:00
aa_free_profile ( p ) ;
2013-07-10 21:06:43 -07:00
}
2010-07-29 14:48:00 -07:00
/**
* aa_free_profile_kref - free aa_profile by kref ( called by aa_put_profile )
* @ kr : kref callback for freeing of a profile ( NOT NULL )
*/
void aa_free_profile_kref ( struct kref * kref )
{
2013-07-10 21:08:43 -07:00
struct aa_profile * p = container_of ( kref , struct aa_profile , count ) ;
2013-07-10 21:10:43 -07:00
call_rcu ( & p - > rcu , aa_free_profile_rcu ) ;
2010-07-29 14:48:00 -07:00
}
2013-02-18 16:11:34 -08:00
/**
* aa_alloc_profile - allocate , initialize and return a new profile
* @ hname : name of the profile ( NOT NULL )
2017-01-16 00:42:35 -08:00
* @ gfp : allocation type
2013-02-18 16:11:34 -08:00
*
* Returns : refcount profile or NULL on failure
*/
2017-01-16 00:42:35 -08:00
struct aa_profile * aa_alloc_profile ( const char * hname , gfp_t gfp )
2013-02-18 16:11:34 -08:00
{
struct aa_profile * profile ;
/* freed by free_profile - usually through aa_put_profile */
2017-01-16 00:42:35 -08:00
profile = kzalloc ( sizeof ( * profile ) , gfp ) ;
2013-02-18 16:11:34 -08:00
if ( ! profile )
return NULL ;
2017-01-16 00:42:35 -08:00
profile - > proxy = kzalloc ( sizeof ( struct aa_proxy ) , gfp ) ;
2017-01-16 00:42:19 -08:00
if ( ! profile - > proxy )
2013-07-10 21:07:43 -07:00
goto fail ;
2017-01-16 00:42:19 -08:00
kref_init ( & profile - > proxy - > count ) ;
2013-07-10 21:07:43 -07:00
2017-01-16 00:42:35 -08:00
if ( ! aa_policy_init ( & profile - > base , NULL , hname , gfp ) )
2013-07-10 21:07:43 -07:00
goto fail ;
2013-07-10 21:08:43 -07:00
kref_init ( & profile - > count ) ;
2013-02-18 16:11:34 -08:00
/* refcount released by caller */
return profile ;
2013-07-10 21:07:43 -07:00
fail :
2017-01-16 00:42:19 -08:00
kzfree ( profile - > proxy ) ;
2013-07-10 21:07:43 -07:00
kzfree ( profile ) ;
return NULL ;
2013-02-18 16:11:34 -08:00
}
/**
2017-01-16 00:42:36 -08:00
* aa_new_null_profile - create or find a null - X learning profile
2013-02-18 16:11:34 -08:00
* @ parent : profile that caused this profile to be created ( NOT NULL )
* @ hat : true if the null - learning profile is a hat
2017-01-16 00:42:36 -08:00
* @ base : name to base the null profile off of
* @ gfp : type of allocation
2013-02-18 16:11:34 -08:00
*
2017-01-16 00:42:36 -08:00
* Find / Create a null - complain mode profile used in learning mode . The
* name of the profile is unique and follows the format of parent //null-XXX.
* where XXX is based on the @ name or if that fails or is not supplied
* a unique number
2013-02-18 16:11:34 -08:00
*
* null profiles are added to the profile list but the list does not
* hold a count on them so that they are automatically released when
* not in use .
*
* Returns : new refcounted profile else NULL on failure
*/
2017-01-16 00:42:36 -08:00
struct aa_profile * aa_new_null_profile ( struct aa_profile * parent , bool hat ,
const char * base , gfp_t gfp )
2013-02-18 16:11:34 -08:00
{
2017-01-16 00:42:36 -08:00
struct aa_profile * profile ;
2013-02-18 16:11:34 -08:00
char * name ;
2017-01-16 00:42:36 -08:00
AA_BUG ( ! parent ) ;
if ( base ) {
name = kmalloc ( strlen ( parent - > base . hname ) + 8 + strlen ( base ) ,
gfp ) ;
if ( name ) {
sprintf ( name , " %s//null-%s " , parent - > base . hname , base ) ;
goto name ;
}
/* fall through to try shorter uniq */
}
name = kmalloc ( strlen ( parent - > base . hname ) + 2 + 7 + 8 , gfp ) ;
2013-02-18 16:11:34 -08:00
if ( ! name )
2017-01-16 00:42:36 -08:00
return NULL ;
sprintf ( name , " %s//null-%x " , parent - > base . hname ,
atomic_inc_return ( & parent - > ns - > uniq_null ) ) ;
2013-02-18 16:11:34 -08:00
2017-01-16 00:42:36 -08:00
name :
/* lookup to see if this is a dup creation */
profile = aa_find_child ( parent , basename ( name ) ) ;
if ( profile )
goto out ;
profile = aa_alloc_profile ( name , gfp ) ;
2013-02-18 16:11:34 -08:00
if ( ! profile )
goto fail ;
profile - > mode = APPARMOR_COMPLAIN ;
2017-01-16 00:42:36 -08:00
profile - > flags | = PFLAG_NULL ;
2013-02-18 16:11:34 -08:00
if ( hat )
profile - > flags | = PFLAG_HAT ;
2017-01-16 00:42:36 -08:00
profile - > path_flags = parent - > path_flags ;
2013-02-18 16:11:34 -08:00
/* released on free_profile */
2013-07-10 21:06:43 -07:00
rcu_assign_pointer ( profile - > parent , aa_get_profile ( parent ) ) ;
2017-01-16 00:42:16 -08:00
profile - > ns = aa_get_ns ( parent - > ns ) ;
2017-01-16 00:42:42 -08:00
profile - > file . dfa = aa_get_dfa ( nulldfa ) ;
profile - > policy . dfa = aa_get_dfa ( nulldfa ) ;
2013-02-18 16:11:34 -08:00
2013-07-10 21:06:43 -07:00
mutex_lock ( & profile - > ns - > lock ) ;
2013-02-18 16:11:34 -08:00
__list_add_profile ( & parent - > base . profiles , profile ) ;
2013-07-10 21:06:43 -07:00
mutex_unlock ( & profile - > ns - > lock ) ;
2013-02-18 16:11:34 -08:00
/* refcount released by caller */
2017-01-16 00:42:36 -08:00
out :
kfree ( name ) ;
2013-02-18 16:11:34 -08:00
return profile ;
fail :
2017-01-16 00:42:36 -08:00
kfree ( name ) ;
aa_free_profile ( profile ) ;
2013-02-18 16:11:34 -08:00
return NULL ;
}
2010-07-29 14:48:00 -07:00
/* TODO: profile accounting - setup in remove */
/**
* __find_child - find a profile on @ head list with a name matching @ name
* @ head : list to search ( NOT NULL )
* @ name : name of profile ( NOT NULL )
*
2013-07-10 21:06:43 -07:00
* Requires : rcu_read_lock be held
2010-07-29 14:48:00 -07:00
*
* Returns : unrefcounted profile ptr , or NULL if not found
*/
static struct aa_profile * __find_child ( struct list_head * head , const char * name )
{
return ( struct aa_profile * ) __policy_find ( head , name ) ;
}
/**
* __strn_find_child - find a profile on @ head list using substring of @ name
* @ head : list to search ( NOT NULL )
* @ name : name of profile ( NOT NULL )
* @ len : length of @ name substring to match
*
2013-07-10 21:06:43 -07:00
* Requires : rcu_read_lock be held
2010-07-29 14:48:00 -07:00
*
* Returns : unrefcounted profile ptr , or NULL if not found
*/
static struct aa_profile * __strn_find_child ( struct list_head * head ,
const char * name , int len )
{
return ( struct aa_profile * ) __policy_strn_find ( head , name , len ) ;
}
/**
* aa_find_child - find a profile by @ name in @ parent
* @ parent : profile to search ( NOT NULL )
* @ name : profile name to search for ( NOT NULL )
*
* Returns : a refcounted profile or NULL if not found
*/
struct aa_profile * aa_find_child ( struct aa_profile * parent , const char * name )
{
struct aa_profile * profile ;
2013-07-10 21:06:43 -07:00
rcu_read_lock ( ) ;
2015-12-16 18:09:10 -08:00
do {
profile = __find_child ( & parent - > base . profiles , name ) ;
} while ( profile & & ! aa_get_profile_not0 ( profile ) ) ;
2013-07-10 21:06:43 -07:00
rcu_read_unlock ( ) ;
2010-07-29 14:48:00 -07:00
/* refcount released by caller */
return profile ;
}
/**
* __lookup_parent - lookup the parent of a profile of name @ hname
* @ ns : namespace to lookup profile in ( NOT NULL )
* @ hname : hierarchical profile name to find parent of ( NOT NULL )
*
* Lookups up the parent of a fully qualified profile name , the profile
* that matches hname does not need to exist , in general this
* is used to load a new profile .
*
2013-07-10 21:06:43 -07:00
* Requires : rcu_read_lock be held
2010-07-29 14:48:00 -07:00
*
* Returns : unrefcounted policy or NULL if not found
*/
2017-01-16 00:42:16 -08:00
static struct aa_policy * __lookup_parent ( struct aa_ns * ns ,
2010-07-29 14:48:00 -07:00
const char * hname )
{
struct aa_policy * policy ;
struct aa_profile * profile = NULL ;
char * split ;
policy = & ns - > base ;
for ( split = strstr ( hname , " // " ) ; split ; ) {
profile = __strn_find_child ( & policy - > profiles , hname ,
split - hname ) ;
if ( ! profile )
return NULL ;
policy = & profile - > base ;
hname = split + 2 ;
split = strstr ( hname , " // " ) ;
}
if ( ! profile )
return & ns - > base ;
return & profile - > base ;
}
/**
2017-01-16 00:42:21 -08:00
* __lookupn_profile - lookup the profile matching @ hname
2010-07-29 14:48:00 -07:00
* @ base : base list to start looking up profile name from ( NOT NULL )
* @ hname : hierarchical profile name ( NOT NULL )
2017-01-16 00:42:21 -08:00
* @ n : length of @ hname
2010-07-29 14:48:00 -07:00
*
2013-07-10 21:06:43 -07:00
* Requires : rcu_read_lock be held
2010-07-29 14:48:00 -07:00
*
* Returns : unrefcounted profile pointer or NULL if not found
*
* Do a relative name lookup , recursing through profile tree .
*/
2017-01-16 00:42:21 -08:00
static struct aa_profile * __lookupn_profile ( struct aa_policy * base ,
const char * hname , size_t n )
2010-07-29 14:48:00 -07:00
{
struct aa_profile * profile = NULL ;
2017-01-16 00:42:21 -08:00
const char * split ;
2010-07-29 14:48:00 -07:00
2017-01-16 00:42:21 -08:00
for ( split = strnstr ( hname , " // " , n ) ; split ;
split = strnstr ( hname , " // " , n ) ) {
2010-07-29 14:48:00 -07:00
profile = __strn_find_child ( & base - > profiles , hname ,
split - hname ) ;
if ( ! profile )
return NULL ;
base = & profile - > base ;
2017-01-16 00:42:21 -08:00
n - = split + 2 - hname ;
2010-07-29 14:48:00 -07:00
hname = split + 2 ;
}
2017-01-16 00:42:21 -08:00
if ( n )
return __strn_find_child ( & base - > profiles , hname , n ) ;
return NULL ;
}
2010-07-29 14:48:00 -07:00
2017-01-16 00:42:21 -08:00
static struct aa_profile * __lookup_profile ( struct aa_policy * base ,
const char * hname )
{
return __lookupn_profile ( base , hname , strlen ( hname ) ) ;
2010-07-29 14:48:00 -07:00
}
/**
* aa_lookup_profile - find a profile by its full or partial name
* @ ns : the namespace to start from ( NOT NULL )
* @ hname : name to do lookup on . Does not contain namespace prefix ( NOT NULL )
2017-01-16 00:42:21 -08:00
* @ n : size of @ hname
2010-07-29 14:48:00 -07:00
*
* Returns : refcounted profile or NULL if not found
*/
2017-01-16 00:42:21 -08:00
struct aa_profile * aa_lookupn_profile ( struct aa_ns * ns , const char * hname ,
size_t n )
2010-07-29 14:48:00 -07:00
{
struct aa_profile * profile ;
2013-07-10 21:06:43 -07:00
rcu_read_lock ( ) ;
do {
2017-01-16 00:42:21 -08:00
profile = __lookupn_profile ( & ns - > base , hname , n ) ;
2013-07-10 21:06:43 -07:00
} while ( profile & & ! aa_get_profile_not0 ( profile ) ) ;
rcu_read_unlock ( ) ;
2010-07-29 14:48:00 -07:00
2012-05-16 11:00:05 -07:00
/* the unconfined profile is not in the regular profile list */
2017-01-16 00:42:21 -08:00
if ( ! profile & & strncmp ( hname , " unconfined " , n ) = = 0 )
2013-07-10 21:08:43 -07:00
profile = aa_get_newest_profile ( ns - > unconfined ) ;
2012-05-16 11:00:05 -07:00
2010-07-29 14:48:00 -07:00
/* refcount released by caller */
return profile ;
}
2017-01-16 00:42:21 -08:00
struct aa_profile * aa_lookup_profile ( struct aa_ns * ns , const char * hname )
{
return aa_lookupn_profile ( ns , hname , strlen ( hname ) ) ;
}
2017-01-16 00:42:24 -08:00
struct aa_profile * aa_fqlookupn_profile ( struct aa_profile * base ,
const char * fqname , size_t n )
{
struct aa_profile * profile ;
struct aa_ns * ns ;
const char * name , * ns_name ;
size_t ns_len ;
name = aa_splitn_fqname ( fqname , n , & ns_name , & ns_len ) ;
if ( ns_name ) {
ns = aa_findn_ns ( base - > ns , ns_name , ns_len ) ;
if ( ! ns )
return NULL ;
} else
ns = aa_get_ns ( base - > ns ) ;
if ( name )
profile = aa_lookupn_profile ( ns , name , n - ( name - fqname ) ) ;
else if ( ns )
/* default profile for ns, currently unconfined */
profile = aa_get_newest_profile ( ns - > unconfined ) ;
else
profile = NULL ;
aa_put_ns ( ns ) ;
return profile ;
}
2010-07-29 14:48:00 -07:00
/**
* replacement_allowed - test to see if replacement is allowed
* @ profile : profile to test if it can be replaced ( MAYBE NULL )
* @ noreplace : true if replacement shouldn ' t be allowed but addition is okay
* @ info : Returns - info about why replacement failed ( NOT NULL )
*
* Returns : % 0 if replacement allowed else error code
*/
static int replacement_allowed ( struct aa_profile * profile , int noreplace ,
const char * * info )
{
if ( profile ) {
if ( profile - > flags & PFLAG_IMMUTABLE ) {
* info = " cannot replace immutible profile " ;
return - EPERM ;
} else if ( noreplace ) {
* info = " profile already exists " ;
return - EEXIST ;
}
}
return 0 ;
}
/**
* aa_audit_policy - Do auditing of policy changes
* @ op : policy operation being performed
* @ gfp : memory allocation flags
* @ name : name of profile being manipulated ( NOT NULL )
* @ info : any extra information to be audited ( MAYBE NULL )
* @ error : error code
*
* Returns : the error to be returned after audit is done
*/
static int audit_policy ( int op , gfp_t gfp , const char * name , const char * info ,
int error )
{
struct common_audit_data sa ;
2012-04-03 09:37:02 -07:00
struct apparmor_audit_data aad = { 0 , } ;
2012-04-04 15:01:43 -04:00
sa . type = LSM_AUDIT_DATA_NONE ;
2012-04-03 09:37:02 -07:00
sa . aad = & aad ;
aad . op = op ;
aad . name = name ;
aad . info = info ;
aad . error = error ;
2010-07-29 14:48:00 -07:00
return aa_audit ( AUDIT_APPARMOR_STATUS , __aa_current_profile ( ) , gfp ,
& sa , NULL ) ;
}
2016-06-22 18:01:08 -07:00
bool policy_view_capable ( void )
{
struct user_namespace * user_ns = current_user_ns ( ) ;
bool response = false ;
if ( ns_capable ( user_ns , CAP_MAC_ADMIN ) )
response = true ;
return response ;
}
bool policy_admin_capable ( void )
{
return policy_view_capable ( ) & & ! aa_g_lock_policy ;
}
2010-07-29 14:48:00 -07:00
/**
* aa_may_manage_policy - can the current task manage policy
* @ op : the policy manipulation operation being done
*
* Returns : true if the task is allowed to manipulate policy
*/
bool aa_may_manage_policy ( int op )
{
/* check if loading policy is locked out */
if ( aa_g_lock_policy ) {
audit_policy ( op , GFP_KERNEL , NULL , " policy_locked " , - EACCES ) ;
return 0 ;
}
2016-06-22 18:01:08 -07:00
if ( ! policy_admin_capable ( ) ) {
2010-07-29 14:48:00 -07:00
audit_policy ( op , GFP_KERNEL , NULL , " not policy admin " , - EACCES ) ;
return 0 ;
}
return 1 ;
}
2013-07-10 21:05:43 -07:00
static struct aa_profile * __list_lookup_parent ( struct list_head * lh ,
struct aa_profile * profile )
{
2017-01-16 00:42:29 -08:00
const char * base = basename ( profile - > base . hname ) ;
2013-07-10 21:05:43 -07:00
long len = base - profile - > base . hname ;
struct aa_load_ent * ent ;
/* parent won't have trailing // so remove from len */
if ( len < = 2 )
return NULL ;
len - = 2 ;
list_for_each_entry ( ent , lh , list ) {
if ( ent - > new = = profile )
continue ;
if ( strncmp ( ent - > new - > base . hname , profile - > base . hname , len ) = =
0 & & ent - > new - > base . hname [ len ] = = 0 )
return ent - > new ;
}
return NULL ;
}
/**
* __replace_profile - replace @ old with @ new on a list
* @ old : profile to be replaced ( NOT NULL )
* @ new : profile to replace @ old with ( NOT NULL )
2017-01-16 00:42:19 -08:00
* @ share_proxy : transfer @ old - > proxy to @ new
2013-07-10 21:05:43 -07:00
*
* Will duplicate and refcount elements that @ new inherits from @ old
* and will inherit @ old children .
*
* refcount @ new for list , put @ old list refcount
*
* Requires : namespace list lock be held , or list not be shared
*/
2013-07-10 21:07:43 -07:00
static void __replace_profile ( struct aa_profile * old , struct aa_profile * new ,
2017-01-16 00:42:19 -08:00
bool share_proxy )
2013-07-10 21:05:43 -07:00
{
struct aa_profile * child , * tmp ;
if ( ! list_empty ( & old - > base . profiles ) ) {
LIST_HEAD ( lh ) ;
2013-07-10 21:06:43 -07:00
list_splice_init_rcu ( & old - > base . profiles , & lh , synchronize_rcu ) ;
2013-07-10 21:05:43 -07:00
list_for_each_entry_safe ( child , tmp , & lh , base . list ) {
struct aa_profile * p ;
list_del_init ( & child - > base . list ) ;
p = __find_child ( & new - > base . profiles , child - > base . name ) ;
if ( p ) {
/* @p replaces @child */
2017-01-16 00:42:19 -08:00
__replace_profile ( child , p , share_proxy ) ;
2013-07-10 21:05:43 -07:00
continue ;
}
/* inherit @child and its children */
/* TODO: update hname of inherited children */
/* list refcount transferred to @new */
2013-07-10 21:13:43 -07:00
p = aa_deref_parent ( child ) ;
2013-07-10 21:06:43 -07:00
rcu_assign_pointer ( child - > parent , aa_get_profile ( new ) ) ;
list_add_rcu ( & child - > base . list , & new - > base . profiles ) ;
aa_put_profile ( p ) ;
2013-07-10 21:05:43 -07:00
}
}
2013-07-10 21:06:43 -07:00
if ( ! rcu_access_pointer ( new - > parent ) ) {
2013-07-10 21:13:43 -07:00
struct aa_profile * parent = aa_deref_parent ( old ) ;
2013-07-10 21:06:43 -07:00
rcu_assign_pointer ( new - > parent , aa_get_profile ( parent ) ) ;
}
2017-01-16 00:42:19 -08:00
__aa_update_proxy ( old , new ) ;
if ( share_proxy ) {
aa_put_proxy ( new - > proxy ) ;
new - > proxy = aa_get_proxy ( old - > proxy ) ;
} else if ( ! rcu_access_pointer ( new - > proxy - > profile ) )
/* aafs interface uses proxy */
rcu_assign_pointer ( new - > proxy - > profile ,
2013-07-10 21:13:43 -07:00
aa_get_profile ( new ) ) ;
__aa_fs_profile_migrate_dents ( old , new ) ;
2013-07-10 21:05:43 -07:00
if ( list_empty ( & new - > base . list ) ) {
/* new is not on a list already */
2013-07-10 21:06:43 -07:00
list_replace_rcu ( & old - > base . list , & new - > base . list ) ;
2013-07-10 21:05:43 -07:00
aa_get_profile ( new ) ;
aa_put_profile ( old ) ;
} else
__list_remove_profile ( old ) ;
}
/**
* __lookup_replace - lookup replacement information for a profile
* @ ns - namespace the lookup occurs in
* @ hname - name of profile to lookup
* @ noreplace - true if not replacing an existing profile
* @ p - Returns : profile to be replaced
* @ info - Returns : info string on why lookup failed
*
* Returns : profile to replace ( no ref ) on success else ptr error
*/
2017-01-16 00:42:16 -08:00
static int __lookup_replace ( struct aa_ns * ns , const char * hname ,
2013-07-10 21:05:43 -07:00
bool noreplace , struct aa_profile * * p ,
const char * * info )
{
* p = aa_get_profile ( __lookup_profile ( & ns - > base , hname ) ) ;
if ( * p ) {
int error = replacement_allowed ( * p , noreplace , info ) ;
if ( error ) {
* info = " profile can not be replaced " ;
return error ;
}
}
return 0 ;
}
2010-07-29 14:48:00 -07:00
/**
* aa_replace_profiles - replace profile ( s ) on the profile list
2017-01-16 00:42:34 -08:00
* @ view : namespace load is viewed from
2010-07-29 14:48:00 -07:00
* @ udata : serialized data stream ( NOT NULL )
* @ size : size of the serialized data stream
* @ noreplace : true if only doing addition , no replacement allowed
*
* unpack and replace a profile on the profile list and uses of that profile
* by any aa_task_cxt . If the profile does not exist on the profile list
* it is added .
*
* Returns : size of data consumed else error code on failure .
*/
2017-01-16 00:42:34 -08:00
ssize_t aa_replace_profiles ( struct aa_ns * view , void * udata , size_t size ,
bool noreplace )
2010-07-29 14:48:00 -07:00
{
2016-04-16 14:16:50 -07:00
const char * ns_name , * info = NULL ;
2017-01-16 00:42:16 -08:00
struct aa_ns * ns = NULL ;
2013-07-10 21:05:43 -07:00
struct aa_load_ent * ent , * tmp ;
2010-07-29 14:48:00 -07:00
int op = OP_PROF_REPL ;
ssize_t error ;
2013-07-10 21:05:43 -07:00
LIST_HEAD ( lh ) ;
2010-07-29 14:48:00 -07:00
/* released below */
2013-07-10 21:05:43 -07:00
error = aa_unpack ( udata , size , & lh , & ns_name ) ;
if ( error )
goto out ;
2010-07-29 14:48:00 -07:00
/* released below */
2017-01-16 00:42:34 -08:00
ns = aa_prepare_ns ( view , ns_name ) ;
2010-07-29 14:48:00 -07:00
if ( ! ns ) {
2016-04-16 14:16:50 -07:00
error = audit_policy ( op , GFP_KERNEL , ns_name ,
" failed to prepare namespace " , - ENOMEM ) ;
goto free ;
2010-07-29 14:48:00 -07:00
}
2013-07-10 21:06:43 -07:00
mutex_lock ( & ns - > lock ) ;
2013-07-10 21:05:43 -07:00
/* setup parent and ns info */
list_for_each_entry ( ent , & lh , list ) {
struct aa_policy * policy ;
error = __lookup_replace ( ns , ent - > new - > base . hname , noreplace ,
& ent - > old , & info ) ;
if ( error )
goto fail_lock ;
if ( ent - > new - > rename ) {
error = __lookup_replace ( ns , ent - > new - > rename ,
noreplace , & ent - > rename ,
& info ) ;
if ( error )
goto fail_lock ;
2010-07-29 14:48:00 -07:00
}
2013-07-10 21:05:43 -07:00
/* released when @new is freed */
2017-01-16 00:42:16 -08:00
ent - > new - > ns = aa_get_ns ( ns ) ;
2013-07-10 21:05:43 -07:00
if ( ent - > old | | ent - > rename )
continue ;
/* no ref on policy only use inside lock */
policy = __lookup_parent ( ns , ent - > new - > base . hname ) ;
if ( ! policy ) {
struct aa_profile * p ;
p = __list_lookup_parent ( & lh , ent - > new ) ;
if ( ! p ) {
error = - ENOENT ;
info = " parent does not exist " ;
goto fail_lock ;
}
2013-07-10 21:06:43 -07:00
rcu_assign_pointer ( ent - > new - > parent , aa_get_profile ( p ) ) ;
} else if ( policy ! = & ns - > base ) {
2013-07-10 21:05:43 -07:00
/* released on profile replacement or free_profile */
2013-07-10 21:06:43 -07:00
struct aa_profile * p = ( struct aa_profile * ) policy ;
rcu_assign_pointer ( ent - > new - > parent , aa_get_profile ( p ) ) ;
}
2013-07-10 21:05:43 -07:00
}
2010-07-29 14:48:00 -07:00
2013-07-10 21:13:43 -07:00
/* create new fs entries for introspection if needed */
list_for_each_entry ( ent , & lh , list ) {
if ( ent - > old ) {
/* inherit old interface files */
/* if (ent->rename)
TODO : support rename */
/* } else if (ent->rename) {
TODO : support rename */
} else {
struct dentry * parent ;
if ( rcu_access_pointer ( ent - > new - > parent ) ) {
struct aa_profile * p ;
p = aa_deref_parent ( ent - > new ) ;
parent = prof_child_dir ( p ) ;
} else
parent = ns_subprofs_dir ( ent - > new - > ns ) ;
error = __aa_fs_profile_mkdir ( ent - > new , parent ) ;
}
if ( error ) {
info = " failed to create " ;
goto fail_lock ;
}
}
/* Done with checks that may fail - do actual replacement */
2013-07-10 21:05:43 -07:00
list_for_each_entry_safe ( ent , tmp , & lh , list ) {
list_del_init ( & ent - > list ) ;
op = ( ! ent - > old & & ! ent - > rename ) ? OP_PROF_LOAD : OP_PROF_REPL ;
2016-04-16 14:19:38 -07:00
audit_policy ( op , GFP_ATOMIC , ent - > new - > base . hname , NULL , error ) ;
2013-07-10 21:05:43 -07:00
if ( ent - > old ) {
2013-07-10 21:07:43 -07:00
__replace_profile ( ent - > old , ent - > new , 1 ) ;
2013-07-10 21:13:43 -07:00
if ( ent - > rename ) {
2017-01-16 00:42:19 -08:00
/* aafs interface uses proxy */
struct aa_proxy * r = ent - > new - > proxy ;
2013-07-10 21:13:43 -07:00
rcu_assign_pointer ( r - > profile ,
aa_get_profile ( ent - > new ) ) ;
2013-07-10 21:07:43 -07:00
__replace_profile ( ent - > rename , ent - > new , 0 ) ;
2013-07-10 21:13:43 -07:00
}
2013-07-10 21:05:43 -07:00
} else if ( ent - > rename ) {
2017-01-16 00:42:19 -08:00
/* aafs interface uses proxy */
rcu_assign_pointer ( ent - > new - > proxy - > profile ,
2013-07-10 21:13:43 -07:00
aa_get_profile ( ent - > new ) ) ;
2013-07-10 21:07:43 -07:00
__replace_profile ( ent - > rename , ent - > new , 0 ) ;
2013-07-10 21:05:43 -07:00
} else if ( ent - > new - > parent ) {
2013-07-10 21:06:43 -07:00
struct aa_profile * parent , * newest ;
2013-07-10 21:13:43 -07:00
parent = aa_deref_parent ( ent - > new ) ;
2013-07-10 21:07:43 -07:00
newest = aa_get_newest_profile ( parent ) ;
2013-07-10 21:06:43 -07:00
2013-07-10 21:05:43 -07:00
/* parent replaced in this atomic set? */
2013-07-10 21:06:43 -07:00
if ( newest ! = parent ) {
aa_get_profile ( newest ) ;
rcu_assign_pointer ( ent - > new - > parent , newest ) ;
2016-04-16 13:59:02 -07:00
aa_put_profile ( parent ) ;
2016-04-11 16:55:10 -07:00
}
2017-01-16 00:42:19 -08:00
/* aafs interface uses proxy */
rcu_assign_pointer ( ent - > new - > proxy - > profile ,
2013-07-10 21:13:43 -07:00
aa_get_profile ( ent - > new ) ) ;
2016-04-11 16:57:19 -07:00
__list_add_profile ( & newest - > base . profiles , ent - > new ) ;
2016-04-11 16:55:10 -07:00
aa_put_profile ( newest ) ;
2013-07-10 21:13:43 -07:00
} else {
2017-01-16 00:42:19 -08:00
/* aafs interface uses proxy */
rcu_assign_pointer ( ent - > new - > proxy - > profile ,
2013-07-10 21:13:43 -07:00
aa_get_profile ( ent - > new ) ) ;
2013-07-10 21:05:43 -07:00
__list_add_profile ( & ns - > base . profiles , ent - > new ) ;
2013-07-10 21:13:43 -07:00
}
2013-07-10 21:05:43 -07:00
aa_load_ent_free ( ent ) ;
2010-07-29 14:48:00 -07:00
}
2013-07-10 21:06:43 -07:00
mutex_unlock ( & ns - > lock ) ;
2010-07-29 14:48:00 -07:00
out :
2017-01-16 00:42:16 -08:00
aa_put_ns ( ns ) ;
2013-07-10 21:05:43 -07:00
2010-07-29 14:48:00 -07:00
if ( error )
return error ;
return size ;
2013-07-10 21:05:43 -07:00
fail_lock :
2013-07-10 21:06:43 -07:00
mutex_unlock ( & ns - > lock ) ;
2013-07-10 21:05:43 -07:00
2016-04-16 14:16:50 -07:00
/* audit cause of failure */
op = ( ! ent - > old ) ? OP_PROF_LOAD : OP_PROF_REPL ;
audit_policy ( op , GFP_KERNEL , ent - > new - > base . hname , info , error ) ;
/* audit status that rest of profiles in the atomic set failed too */
info = " valid profile in failed atomic policy load " ;
list_for_each_entry ( tmp , & lh , list ) {
if ( tmp = = ent ) {
info = " unchecked profile in failed atomic policy load " ;
/* skip entry that caused failure */
continue ;
}
op = ( ! ent - > old ) ? OP_PROF_LOAD : OP_PROF_REPL ;
audit_policy ( op , GFP_KERNEL , tmp - > new - > base . hname , info , error ) ;
}
free :
2013-07-10 21:05:43 -07:00
list_for_each_entry_safe ( ent , tmp , & lh , list ) {
list_del_init ( & ent - > list ) ;
aa_load_ent_free ( ent ) ;
}
2010-07-29 14:48:00 -07:00
goto out ;
}
/**
* aa_remove_profiles - remove profile ( s ) from the system
* @ fqname : name of the profile or namespace to remove ( NOT NULL )
* @ size : size of the name
*
* Remove a profile or sub namespace from the current namespace , so that
* they can not be found anymore and mark them as replaced by unconfined
*
* NOTE : removing confinement does not restore rlimits to preconfinemnet values
*
* Returns : size of data consume else error code if fails
*/
ssize_t aa_remove_profiles ( char * fqname , size_t size )
{
2017-01-16 00:42:16 -08:00
struct aa_ns * root , * ns = NULL ;
2010-07-29 14:48:00 -07:00
struct aa_profile * profile = NULL ;
const char * name = fqname , * info = NULL ;
ssize_t error = 0 ;
if ( * fqname = = 0 ) {
info = " no profile specified " ;
error = - ENOENT ;
goto fail ;
}
root = aa_current_profile ( ) - > ns ;
if ( fqname [ 0 ] = = ' : ' ) {
char * ns_name ;
name = aa_split_fqname ( fqname , & ns_name ) ;
2013-02-21 01:14:17 -08:00
/* released below */
2017-01-16 00:42:16 -08:00
ns = aa_find_ns ( root , ns_name ) ;
2013-02-21 01:14:17 -08:00
if ( ! ns ) {
info = " namespace does not exist " ;
error = - ENOENT ;
goto fail ;
2010-07-29 14:48:00 -07:00
}
} else
/* released below */
2017-01-16 00:42:16 -08:00
ns = aa_get_ns ( root ) ;
2010-07-29 14:48:00 -07:00
if ( ! name ) {
/* remove namespace - can only happen if fqname[0] == ':' */
2013-07-10 21:06:43 -07:00
mutex_lock ( & ns - > parent - > lock ) ;
2017-01-16 00:42:16 -08:00
__aa_remove_ns ( ns ) ;
2013-07-10 21:06:43 -07:00
mutex_unlock ( & ns - > parent - > lock ) ;
2010-07-29 14:48:00 -07:00
} else {
/* remove profile */
2013-07-10 21:06:43 -07:00
mutex_lock ( & ns - > lock ) ;
2010-07-29 14:48:00 -07:00
profile = aa_get_profile ( __lookup_profile ( & ns - > base , name ) ) ;
if ( ! profile ) {
error = - ENOENT ;
info = " profile does not exist " ;
goto fail_ns_lock ;
}
name = profile - > base . hname ;
__remove_profile ( profile ) ;
2013-07-10 21:06:43 -07:00
mutex_unlock ( & ns - > lock ) ;
2010-07-29 14:48:00 -07:00
}
/* don't fail removal if audit fails */
( void ) audit_policy ( OP_PROF_RM , GFP_KERNEL , name , info , error ) ;
2017-01-16 00:42:16 -08:00
aa_put_ns ( ns ) ;
2010-07-29 14:48:00 -07:00
aa_put_profile ( profile ) ;
return size ;
fail_ns_lock :
2013-07-10 21:06:43 -07:00
mutex_unlock ( & ns - > lock ) ;
2017-01-16 00:42:16 -08:00
aa_put_ns ( ns ) ;
2010-07-29 14:48:00 -07:00
fail :
( void ) audit_policy ( OP_PROF_RM , GFP_KERNEL , name , info , error ) ;
return error ;
}