/* * AppArmor security module * * This file contains AppArmor functions used to manipulate object security * contexts. * * Copyright (C) 1998-2008 Novell/SUSE * Copyright 2009-2010 Canonical Ltd. * * This program is free software; you can redistribute it and/or * modify it under the terms of the GNU General Public License as * published by the Free Software Foundation, version 2 of the * License. * * * AppArmor sets confinement on every task, via the the aa_cred_ctx and * the aa_cred_ctx.label, both of which are required and are not allowed * to be NULL. The aa_cred_ctx is not reference counted and is unique * to each cred (which is reference count). The label pointed to by * the cred_ctx is reference counted. * * TODO * If a task uses change_hat it currently does not return to the old * cred or task context but instead creates a new one. Ideally the task * should return to the previous cred if it has not been modified. * */ #include "include/context.h" #include "include/policy.h" /** * aa_alloc_cred_ctx - allocate a new cred_ctx * @flags: gfp flags for allocation * * Returns: allocated buffer or NULL on failure */ struct aa_cred_ctx *aa_alloc_cred_ctx(gfp_t flags) { return kzalloc(sizeof(struct aa_cred_ctx), flags); } /** * aa_free_cred_ctx - free a cred_ctx * @ctx: cred_ctx to free (MAYBE NULL) */ void aa_free_cred_ctx(struct aa_cred_ctx *ctx) { if (ctx) { aa_put_label(ctx->label); kzfree(ctx); } } /** * aa_dup_cred_ctx - duplicate a task context, incrementing reference counts * @new: a blank task context (NOT NULL) * @old: the task context to copy (NOT NULL) */ void aa_dup_cred_ctx(struct aa_cred_ctx *new, const struct aa_cred_ctx *old) { *new = *old; aa_get_label(new->label); } /** * aa_get_task_label - Get another task's label * @task: task to query (NOT NULL) * * Returns: counted reference to @task's label */ struct aa_label *aa_get_task_label(struct task_struct *task) { struct aa_label *p; rcu_read_lock(); p = aa_get_newest_label(__aa_task_raw_label(task)); rcu_read_unlock(); return p; } /** * aa_alloc_task_ctx - allocate a new task_ctx * @flags: gfp flags for allocation * * Returns: allocated buffer or NULL on failure */ struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags) { return kzalloc(sizeof(struct aa_task_ctx), flags); } /** * aa_free_task_ctx - free a task_ctx * @ctx: task_ctx to free (MAYBE NULL) */ void aa_free_task_ctx(struct aa_task_ctx *ctx) { if (ctx) { aa_put_label(ctx->previous); aa_put_label(ctx->onexec); kzfree(ctx); } } /** * aa_dup_task_ctx - duplicate a task context, incrementing reference counts * @new: a blank task context (NOT NULL) * @old: the task context to copy (NOT NULL) */ void aa_dup_task_ctx(struct aa_task_ctx *new, const struct aa_task_ctx *old) { *new = *old; aa_get_label(new->previous); aa_get_label(new->onexec); } /** * aa_replace_current_label - replace the current tasks label * @label: new label (NOT NULL) * * Returns: 0 or error on failure */ int aa_replace_current_label(struct aa_label *label) { struct aa_cred_ctx *ctx = current_cred_ctx(); struct cred *new; AA_BUG(!label); if (ctx->label == label) return 0; if (current_cred() != current_real_cred()) return -EBUSY; new = prepare_creds(); if (!new) return -ENOMEM; ctx = cred_ctx(new); if (unconfined(label) || (labels_ns(ctx->label) != labels_ns(label))) /* if switching to unconfined or a different label namespace * clear out context state */ aa_clear_task_ctx_trans(current_task_ctx()); /* * be careful switching ctx->profile, when racing replacement it * is possible that ctx->profile->proxy->profile is the reference * keeping @profile valid, so make sure to get its reference before * dropping the reference on ctx->profile */ aa_get_label(label); aa_put_label(ctx->label); ctx->label = label; commit_creds(new); return 0; } /** * aa_set_current_onexec - set the tasks change_profile to happen onexec * @label: system label to set at exec (MAYBE NULL to clear value) * @stack: whether stacking should be done * Returns: 0 or error on failure */ int aa_set_current_onexec(struct aa_label *label, bool stack) { struct aa_task_ctx *ctx = current_task_ctx(); aa_get_label(label); aa_put_label(ctx->onexec); ctx->onexec = label; ctx->token = stack; return 0; } /** * aa_set_current_hat - set the current tasks hat * @label: label to set as the current hat (NOT NULL) * @token: token value that must be specified to change from the hat * * Do switch of tasks hat. If the task is currently in a hat * validate the token to match. * * Returns: 0 or error on failure */ int aa_set_current_hat(struct aa_label *label, u64 token) { struct aa_task_ctx *tctx = current_task_ctx(); struct aa_cred_ctx *ctx; struct cred *new = prepare_creds(); if (!new) return -ENOMEM; AA_BUG(!label); ctx = cred_ctx(new); if (!tctx->previous) { /* transfer refcount */ tctx->previous = ctx->label; tctx->token = token; } else if (tctx->token == token) { aa_put_label(ctx->label); } else { /* previous_profile && ctx->token != token */ abort_creds(new); return -EACCES; } ctx->label = aa_get_newest_label(label); /* clear exec on switching context */ aa_put_label(tctx->onexec); tctx->onexec = NULL; commit_creds(new); return 0; } /** * aa_restore_previous_label - exit from hat context restoring previous label * @token: the token that must be matched to exit hat context * * Attempt to return out of a hat to the previous label. The token * must match the stored token value. * * Returns: 0 or error of failure */ int aa_restore_previous_label(u64 token) { struct aa_task_ctx *tctx = current_task_ctx(); struct aa_cred_ctx *ctx; struct cred *new; if (tctx->token != token) return -EACCES; /* ignore restores when there is no saved label */ if (!tctx->previous) return 0; new = prepare_creds(); if (!new) return -ENOMEM; ctx = cred_ctx(new); aa_put_label(ctx->label); ctx->label = aa_get_newest_label(tctx->previous); AA_BUG(!ctx->label); /* clear exec && prev information when restoring to previous context */ aa_clear_task_ctx_trans(tctx); commit_creds(new); return 0; }