Commit 637f688d authored by John Johansen's avatar John Johansen

apparmor: switch from profiles to using labels on contexts

Begin the actual switch to using domain labels by storing them on
the context and converting the label to a singular profile where
possible.
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent f1bd9041
......@@ -4,7 +4,7 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
resource.o secid.o file.o policy_ns.o
resource.o secid.o file.o policy_ns.o label.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
clean-files := capability_names.h rlim_names.h
......
This diff is collapsed.
......@@ -77,14 +77,24 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
audit_log_format(ab, " error=%d", aad(sa)->error);
}
if (aad(sa)->profile) {
struct aa_profile *profile = aad(sa)->profile;
if (profile->ns != root_ns) {
audit_log_format(ab, " namespace=");
audit_log_untrustedstring(ab, profile->ns->base.hname);
if (aad(sa)->label) {
struct aa_label *label = aad(sa)->label;
if (label_isprofile(label)) {
struct aa_profile *profile = labels_profile(label);
if (profile->ns != root_ns) {
audit_log_format(ab, " namespace=");
audit_log_untrustedstring(ab,
profile->ns->base.hname);
}
audit_log_format(ab, " profile=");
audit_log_untrustedstring(ab, profile->base.hname);
} else {
audit_log_format(ab, " label=");
aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
GFP_ATOMIC);
}
audit_log_format(ab, " profile=");
audit_log_untrustedstring(ab, profile->base.hname);
}
if (aad(sa)->name) {
......@@ -139,8 +149,7 @@ int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
type = AUDIT_APPARMOR_KILL;
if (!unconfined(profile))
aad(sa)->profile = profile;
aad(sa)->label = &profile->label;
aa_audit_msg(type, sa, cb);
......
......@@ -14,9 +14,9 @@
*
*
* AppArmor sets confinement on every task, via the the aa_task_ctx and
* the aa_task_ctx.profile, both of which are required and are not allowed
* the aa_task_ctx.label, both of which are required and are not allowed
* to be NULL. The aa_task_ctx is not reference counted and is unique
* to each cred (which is reference count). The profile pointed to by
* to each cred (which is reference count). The label pointed to by
* the task_ctx is reference counted.
*
* TODO
......@@ -47,9 +47,9 @@ struct aa_task_ctx *aa_alloc_task_context(gfp_t flags)
void aa_free_task_context(struct aa_task_ctx *ctx)
{
if (ctx) {
aa_put_profile(ctx->profile);
aa_put_profile(ctx->previous);
aa_put_profile(ctx->onexec);
aa_put_label(ctx->label);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
kzfree(ctx);
}
......@@ -63,41 +63,41 @@ void aa_free_task_context(struct aa_task_ctx *ctx)
void aa_dup_task_context(struct aa_task_ctx *new, const struct aa_task_ctx *old)
{
*new = *old;
aa_get_profile(new->profile);
aa_get_profile(new->previous);
aa_get_profile(new->onexec);
aa_get_label(new->label);
aa_get_label(new->previous);
aa_get_label(new->onexec);
}
/**
* aa_get_task_profile - Get another task's profile
* aa_get_task_label - Get another task's label
* @task: task to query (NOT NULL)
*
* Returns: counted reference to @task's profile
* Returns: counted reference to @task's label
*/
struct aa_profile *aa_get_task_profile(struct task_struct *task)
struct aa_label *aa_get_task_label(struct task_struct *task)
{
struct aa_profile *p;
struct aa_label *p;
rcu_read_lock();
p = aa_get_newest_profile(__aa_task_raw_profile(task));
p = aa_get_newest_label(__aa_task_raw_label(task));
rcu_read_unlock();
return p;
}
/**
* aa_replace_current_profile - replace the current tasks profiles
* @profile: new profile (NOT NULL)
* aa_replace_current_label - replace the current tasks label
* @label: new label (NOT NULL)
*
* Returns: 0 or error on failure
*/
int aa_replace_current_profile(struct aa_profile *profile)
int aa_replace_current_label(struct aa_label *label)
{
struct aa_task_ctx *ctx = current_ctx();
struct cred *new;
AA_BUG(!profile);
AA_BUG(!label);
if (ctx->profile == profile)
if (ctx->label == label)
return 0;
if (current_cred() != current_real_cred())
......@@ -108,8 +108,8 @@ int aa_replace_current_profile(struct aa_profile *profile)
return -ENOMEM;
ctx = cred_ctx(new);
if (unconfined(profile) || (ctx->profile->ns != profile->ns))
/* if switching to unconfined or a different profile namespace
if (unconfined(label) || (labels_ns(ctx->label) != labels_ns(label)))
/* if switching to unconfined or a different label namespace
* clear out context state
*/
aa_clear_task_ctx_trans(ctx);
......@@ -120,9 +120,9 @@ int aa_replace_current_profile(struct aa_profile *profile)
* keeping @profile valid, so make sure to get its reference before
* dropping the reference on ctx->profile
*/
aa_get_profile(profile);
aa_put_profile(ctx->profile);
ctx->profile = profile;
aa_get_label(label);
aa_put_label(ctx->label);
ctx->label = label;
commit_creds(new);
return 0;
......@@ -130,11 +130,11 @@ int aa_replace_current_profile(struct aa_profile *profile)
/**
* aa_set_current_onexec - set the tasks change_profile to happen onexec
* @profile: system profile to set at exec (MAYBE NULL to clear value)
*
* @label: system label to set at exec (MAYBE NULL to clear value)
* @stack: whether stacking should be done
* Returns: 0 or error on failure
*/
int aa_set_current_onexec(struct aa_profile *profile)
int aa_set_current_onexec(struct aa_label *label, bool stack)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
......@@ -142,9 +142,10 @@ int aa_set_current_onexec(struct aa_profile *profile)
return -ENOMEM;
ctx = cred_ctx(new);
aa_get_profile(profile);
aa_put_profile(ctx->onexec);
ctx->onexec = profile;
aa_get_label(label);
aa_clear_task_ctx_trans(ctx);
ctx->onexec = label;
ctx->token = stack;
commit_creds(new);
return 0;
......@@ -152,7 +153,7 @@ int aa_set_current_onexec(struct aa_profile *profile)
/**
* aa_set_current_hat - set the current tasks hat
* @profile: profile to set as the current hat (NOT NULL)
* @label: label to set as the current hat (NOT NULL)
* @token: token value that must be specified to change from the hat
*
* Do switch of tasks hat. If the task is currently in a hat
......@@ -160,29 +161,29 @@ int aa_set_current_onexec(struct aa_profile *profile)
*
* Returns: 0 or error on failure
*/
int aa_set_current_hat(struct aa_profile *profile, u64 token)
int aa_set_current_hat(struct aa_label *label, u64 token)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
if (!new)
return -ENOMEM;
AA_BUG(!profile);
AA_BUG(!label);
ctx = cred_ctx(new);
if (!ctx->previous) {
/* transfer refcount */
ctx->previous = ctx->profile;
ctx->previous = ctx->label;
ctx->token = token;
} else if (ctx->token == token) {
aa_put_profile(ctx->profile);
aa_put_label(ctx->label);
} else {
/* previous_profile && ctx->token != token */
abort_creds(new);
return -EACCES;
}
ctx->profile = aa_get_newest_profile(profile);
ctx->label = aa_get_newest_label(label);
/* clear exec on switching context */
aa_put_profile(ctx->onexec);
aa_put_label(ctx->onexec);
ctx->onexec = NULL;
commit_creds(new);
......@@ -190,15 +191,15 @@ int aa_set_current_hat(struct aa_profile *profile, u64 token)
}
/**
* aa_restore_previous_profile - exit from hat context restoring the profile
* aa_restore_previous_label - exit from hat context restoring previous label
* @token: the token that must be matched to exit hat context
*
* Attempt to return out of a hat to the previous profile. The token
* Attempt to return out of a hat to the previous label. The token
* must match the stored token value.
*
* Returns: 0 or error of failure
*/
int aa_restore_previous_profile(u64 token)
int aa_restore_previous_label(u64 token)
{
struct aa_task_ctx *ctx;
struct cred *new = prepare_creds();
......@@ -210,15 +211,15 @@ int aa_restore_previous_profile(u64 token)
abort_creds(new);
return -EACCES;
}
/* ignore restores when there is no saved profile */
/* ignore restores when there is no saved label */
if (!ctx->previous) {
abort_creds(new);
return 0;
}
aa_put_profile(ctx->profile);
ctx->profile = aa_get_newest_profile(ctx->previous);
AA_BUG(!ctx->profile);
aa_put_label(ctx->label);
ctx->label = aa_get_newest_label(ctx->previous);
AA_BUG(!ctx->label);
/* clear exec && prev information when restoring to previous context */
aa_clear_task_ctx_trans(ctx);
......
......@@ -61,24 +61,25 @@ void aa_free_domain_entries(struct aa_domain *domain)
static int may_change_ptraced_domain(struct aa_profile *to_profile)
{
struct task_struct *tracer;
struct aa_profile *tracerp = NULL;
struct aa_label *tracerl = NULL;
int error = 0;
rcu_read_lock();
tracer = ptrace_parent(current);
if (tracer)
/* released below */
tracerp = aa_get_task_profile(tracer);
tracerl = aa_get_task_label(tracer);
/* not ptraced */
if (!tracer || unconfined(tracerp))
if (!tracer || unconfined(tracerl))
goto out;
error = aa_may_ptrace(tracerp, to_profile, PTRACE_MODE_ATTACH);
error = aa_may_ptrace(labels_profile(tracerl), to_profile,
PTRACE_MODE_ATTACH);
out:
rcu_read_unlock();
aa_put_profile(tracerp);
aa_put_label(tracerl);
return error;
}
......@@ -102,7 +103,7 @@ static struct aa_perms change_profile_perms(struct aa_profile *profile,
struct path_cond cond = { };
unsigned int state;
if (unconfined(profile)) {
if (profile_unconfined(profile)) {
perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
perms.audit = perms.quiet = perms.kill = 0;
return perms;
......@@ -144,7 +145,7 @@ static struct aa_profile *__attach_match(const char *name,
struct aa_profile *profile, *candidate = NULL;
list_for_each_entry_rcu(profile, head, base.list) {
if (profile->flags & PFLAG_NULL)
if (profile->label.flags & FLAG_NULL)
continue;
if (profile->xmatch && profile->xmatch_len > len) {
unsigned int state = aa_dfa_match(profile->xmatch,
......@@ -338,6 +339,7 @@ static struct aa_profile *x_to_profile(struct aa_profile *profile,
int apparmor_bprm_set_creds(struct linux_binprm *bprm)
{
struct aa_task_ctx *ctx;
struct aa_label *label;
struct aa_profile *profile, *new_profile = NULL;
struct aa_ns *ns;
char *buffer = NULL;
......@@ -356,7 +358,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
ctx = cred_ctx(bprm->cred);
AA_BUG(!ctx);
profile = aa_get_newest_profile(ctx->profile);
label = aa_get_newest_label(ctx->label);
profile = labels_profile(label);
/* buffer freed below, name is pointer into buffer */
get_buffers(buffer);
......@@ -370,8 +373,8 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
&name, &info, profile->disconnected);
if (error) {
if (unconfined(profile) ||
(profile->flags & PFLAG_IX_ON_NAME_ERROR))
if (profile_unconfined(profile) ||
(profile->label.flags & FLAG_IX_ON_NAME_ERROR))
error = 0;
name = bprm->filename;
goto audit;
......@@ -380,11 +383,11 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
/* Test for onexec first as onexec directives override other
* x transitions.
*/
if (unconfined(profile)) {
if (profile_unconfined(profile)) {
/* unconfined task */
if (ctx->onexec)
/* change_profile on exec already been granted */
new_profile = aa_get_profile(ctx->onexec);
new_profile = labels_profile(aa_get_label(ctx->onexec));
else
new_profile = find_attach(ns, &ns->base.profiles, name);
if (!new_profile)
......@@ -402,7 +405,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
if (ctx->onexec) {
struct aa_perms cp;
info = "change_profile onexec";
new_profile = aa_get_newest_profile(ctx->onexec);
new_profile = labels_profile(aa_get_newest_label(ctx->onexec));
if (!(perms.allow & AA_MAY_ONEXEC))
goto audit;
......@@ -411,9 +414,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
* exec\0change_profile
*/
state = aa_dfa_null_transition(profile->file.dfa, state);
cp = change_profile_perms(profile, ctx->onexec->ns,
ctx->onexec->base.name,
AA_MAY_ONEXEC, state);
cp = change_profile_perms(profile, labels_ns(ctx->onexec),
labels_profile(ctx->onexec)->base.name,
AA_MAY_ONEXEC, state);
if (!(cp.allow & AA_MAY_ONEXEC))
goto audit;
......@@ -501,9 +504,9 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
bprm->per_clear |= PER_CLEAR_ON_SETID;
x_clear:
aa_put_profile(ctx->profile);
aa_put_label(ctx->label);
/* transfer new profile reference will be released when ctx is freed */
ctx->profile = new_profile;
ctx->label = &new_profile->label;
new_profile = NULL;
/* clear out all temporary/transitional state from the context */
......@@ -516,7 +519,7 @@ int apparmor_bprm_set_creds(struct linux_binprm *bprm)
cleanup:
aa_put_profile(new_profile);
aa_put_profile(profile);
aa_put_label(label);
put_buffers(buffer);
return error;
......@@ -576,7 +579,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{
const struct cred *cred;
struct aa_task_ctx *ctx;
struct aa_profile *profile, *previous_profile, *hat = NULL;
struct aa_label *label, *previous_label;
struct aa_profile *profile, *hat = NULL;
char *name = NULL;
int i;
struct aa_perms perms = {};
......@@ -594,10 +598,11 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* released below */
cred = get_current_cred();
ctx = cred_ctx(cred);
profile = aa_get_newest_cred_profile(cred);
previous_profile = aa_get_newest_profile(ctx->previous);
label = aa_get_newest_cred_label(cred);
previous_label = aa_get_newest_label(ctx->previous);
profile = labels_profile(label);
if (unconfined(profile)) {
if (unconfined(label)) {
info = "unconfined";
error = -EPERM;
goto audit;
......@@ -664,7 +669,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
}
if (!(flags & AA_CHANGE_TEST)) {
error = aa_set_current_hat(hat, token);
error = aa_set_current_hat(&hat->label, token);
if (error == -EACCES)
/* kill task in case of brute force attacks */
perms.kill = AA_MAY_CHANGEHAT;
......@@ -672,12 +677,12 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
/* reset error for learning of new hats */
error = -ENOENT;
}
} else if (previous_profile) {
} else if (previous_label) {
/* Return to saved profile. Kill task if restore fails
* to avoid brute force attacks
*/
target = previous_profile->base.hname;
error = aa_restore_previous_profile(token);
target = previous_label->hname;
error = aa_restore_previous_label(token);
perms.kill = AA_MAY_CHANGEHAT;
} else
/* ignore restores when there is no saved profile */
......@@ -692,8 +697,8 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
out:
aa_put_profile(hat);
kfree(name);
aa_put_profile(profile);
aa_put_profile(previous_profile);
aa_put_label(label);
aa_put_label(previous_label);
put_cred(cred);
return error;
......@@ -716,6 +721,7 @@ int aa_change_hat(const char *hats[], int count, u64 token, int flags)
int aa_change_profile(const char *fqname, int flags)
{
const struct cred *cred;
struct aa_label *label;
struct aa_profile *profile, *target = NULL;
struct aa_perms perms = {};
const char *info = NULL, *op;
......@@ -736,7 +742,8 @@ int aa_change_profile(const char *fqname, int flags)
}
cred = get_current_cred();
profile = aa_get_newest_cred_profile(cred);
label = aa_get_newest_cred_label(cred);
profile = labels_profile(label);
/*
* Fail explicitly requested domain transitions if no_new_privs
......@@ -745,12 +752,12 @@ int aa_change_profile(const char *fqname, int flags)
* no_new_privs is set because this aways results in a reduction
* of permissions.
*/
if (task_no_new_privs(current) && !unconfined(profile)) {
if (task_no_new_privs(current) && !profile_unconfined(profile)) {
put_cred(cred);
return -EPERM;
}
target = aa_fqlookupn_profile(profile, fqname, strlen(fqname));
target = aa_fqlookupn_profile(label, fqname, strlen(fqname));
if (!target) {
info = "profile not found";
error = -ENOENT;
......@@ -785,9 +792,9 @@ int aa_change_profile(const char *fqname, int flags)
goto audit;
if (flags & AA_CHANGE_ONEXEC)
error = aa_set_current_onexec(target);
error = aa_set_current_onexec(&target->label, 0);
else
error = aa_replace_current_profile(target);
error = aa_replace_current_label(&target->label);
audit:
if (!(flags & AA_CHANGE_TEST))
......@@ -795,7 +802,7 @@ int aa_change_profile(const char *fqname, int flags)
fqname, GLOBAL_ROOT_UID, info, error);
aa_put_profile(target);
aa_put_profile(profile);
aa_put_label(label);
put_cred(cred);
return error;
......
......@@ -451,7 +451,7 @@ int aa_file_perm(const char *op, struct aa_profile *profile, struct file *file,
request, &cond);
}
static void revalidate_tty(struct aa_profile *profile)
static void revalidate_tty(struct aa_label *label)
{
struct tty_struct *tty;
int drop_tty = 0;
......@@ -469,7 +469,7 @@ static void revalidate_tty(struct aa_profile *profile)
struct tty_file_private, list);
file = file_priv->file;
if (aa_file_perm(OP_INHERIT, profile, file,
if (aa_file_perm(OP_INHERIT, labels_profile(label), file,
MAY_READ | MAY_WRITE))
drop_tty = 1;
}
......@@ -482,9 +482,9 @@ static void revalidate_tty(struct aa_profile *profile)
static int match_file(const void *p, struct file *file, unsigned int fd)
{
struct aa_profile *profile = (struct aa_profile *)p;
struct aa_label *label = (struct aa_label *)p;
if (aa_file_perm(OP_INHERIT, profile, file,
if (aa_file_perm(OP_INHERIT, labels_profile(label), file,
aa_map_file_to_perms(file)))
return fd + 1;
return 0;
......@@ -494,14 +494,14 @@ static int match_file(const void *p, struct file *file, unsigned int fd)
/* based on selinux's flush_unauthorized_files */
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
{
struct aa_profile *profile = aa_get_newest_cred_profile(cred);
struct aa_label *label = aa_get_newest_cred_label(cred);
struct file *devnull = NULL;
unsigned int n;
revalidate_tty(profile);
revalidate_tty(label);
/* Revalidate access to inherited open files. */
n = iterate_fd(files, 0, match_file, profile);
n = iterate_fd(files, 0, match_file, label);
if (!n) /* none found? */
goto out;
......@@ -511,9 +511,9 @@ void aa_inherit_files(const struct cred *cred, struct files_struct *files)
/* replace all the matching ones with this */
do {
replace_fd(n - 1, devnull, 0);
} while ((n = iterate_fd(files, n, match_file, profile)) != 0);
} while ((n = iterate_fd(files, n, match_file, label)) != 0);
if (devnull)
fput(devnull);
out:
aa_put_profile(profile);
aa_put_label(label);
}
......@@ -4,7 +4,7 @@
* This file contains AppArmor basic global
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd.
* Copyright 2009-2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
......@@ -27,8 +27,9 @@
#define AA_CLASS_NET 4
#define AA_CLASS_RLIMITS 5
#define AA_CLASS_DOMAIN 6
#define AA_CLASS_LABEL 16
#define AA_CLASS_LAST AA_CLASS_DOMAIN
#define AA_CLASS_LAST AA_CLASS_LABEL
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
......
......@@ -22,8 +22,7 @@
#include <linux/slab.h>
#include "file.h"
struct aa_profile;
#include "label.h"
extern const char *const audit_mode_names[];
#define AUDIT_MAX_INDEX 5
......@@ -103,9 +102,9 @@ enum audit_type {
struct apparmor_audit_data {
int error;
const char *op;
int type;
void *profile;
const char *op;
struct aa_label *label;
const char *name;
const char *info;
u32 request;
......@@ -113,7 +112,7 @@ struct apparmor_audit_data {
union {
/* these entries require a custom callback fn */
struct {
struct aa_profile *peer;
struct aa_label *peer;
struct {
const char *target;
kuid_t ouid;
......
This diff is collapsed.
......@@ -15,6 +15,7 @@
#define __AA_PERM_H
#include <linux/fs.h>
#include "label.h"
#define AA_MAY_EXEC MAY_EXEC
#define AA_MAY_WRITE MAY_WRITE
......@@ -101,5 +102,14 @@ void aa_apply_modes_to_perms(struct aa_profile *profile,
struct aa_perms *perms);
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
struct aa_perms *perms);
void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend);
void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend);
void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,
int type, u32 request, struct aa_perms *perms);
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
u32 request, int type, u32 *deny,
struct common_audit_data *sa);
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
u32 request, struct common_audit_data *sa,
void (*cb)(struct audit_buffer *, void *));
#endif /* __AA_PERM_H */
......@@ -29,6 +29,7 @@
#include "domain.h"
#include "file.h"
#include "lib.h"
#include "label.h"
#include "perms.h"
#include "resource.h"
......@@ -48,9 +49,9 @@ extern const char *const aa_profile_mode_names[];
#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
#define PROFILE_IS_HAT(_profile) ((_profile)->flags & PFLAG_HAT)
#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
#define profile_is_stale(_profile) ((_profile)->flags & PFLAG_STALE)
#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
......@@ -67,22 +68,6 @@ enum profile_mode {
APPARMOR_UNCONFINED, /* profile set to unconfined */
};
enum profile_flags {
PFLAG_HAT = 1, /* profile is a hat */
PFLAG_NULL = 4, /* profile is null learning profile */
PFLAG_IX_ON_NAME_ERROR = 8, /* fallback to ix on name lookup fail */
PFLAG_IMMUTABLE = 0x10, /* don't allow changes/replacement */
PFLAG_USER_DEFINED = 0x20, /* user based profile - lower privs */
PFLAG_NO_LIST_REF = 0x40, /* list doesn't keep profile ref */
PFLAG_OLD_NULL_TRANS = 0x100, /* use // as the null transition */
PFLAG_STALE = 0x200, /* profile replaced/removed */
PFLAG_NS_COUNT = 0x400, /* carries NS ref count */
/* These flags must correspond with PATH_flags */
PFLAG_MEDIATE_DELETED = 0x10000, /* mediate instead delegate deleted */
};
struct aa_profile;
/* struct aa_policydb - match engine for a policy
* dfa: dfa pattern match
......@@ -95,11 +80,6 @@ struct aa_policydb {
};
struct aa_proxy {
struct kref count;
struct aa_profile __rcu *profile;
};
/* struct aa_data - generic data structure
* key: name for retrieving this data
* size: size of data in bytes
......@@ -116,18 +96,15 @@ struct aa_data {
/* struct aa_profile - basic confinement data
* @base - base components of the profile (name, refcount, lists, lock ...)
* @count: reference count of the obj
* @rcu: rcu head used when removing from @list
* @label - label this profile is an extension of
* @parent: parent of profile
* @ns: namespace the profile is in
* @proxy: is set to the profile that replaced this profile
* @rename: optional profile name that this profile renamed
* @attach: human readable attachment string
* @xmatch: optional extended matching for unconfined executables names
* @xmatch_len: xmatch prefix len, used to determine xmatch priority
* @audit: the auditing mode of the profile
* @mode: the enforcement mode of the profile
* @flags: flags controlling profile behavior
* @path_flags: flags controlling path generation behavior
* @disconnected: what to prepend if attach_disconnected is specified
* @size: the memory consumed by this profiles rules
......@@ -145,8 +122,6 @@ struct aa_data {
* used to determine profile attachment against unconfined tasks. All other
* attachments are determined by profile X transition rules.
*
* The @proxy struct is write protected by the profile lock.
*
* Profiles have a hierarchy where hats and children profiles keep
* a reference to their parent.
*
......@@ -156,12 +131,9 @@ struct aa_data {
*/
struct aa_profile {
struct aa_policy base;
struct kref count;
struct rcu_head rcu;
struct aa_profile __rcu *parent;
struct aa_ns *ns;
struct aa_proxy *proxy;
const char *rename;
const char *attach;
......@@ -169,7 +141,6 @@ struct aa_profile {
int xmatch_len;
enum audit_mode audit;
long mode;
long flags;
u32 path_flags;
const char *disconnected;
int size;
......@@ -184,6 +155,7 @@ struct aa_profile {
char *dirname;
struct dentry *dents[AAFS_PROF_SIZEOF];
struct rhashtable *data;
struct aa_label label;
};
extern enum profile_mode aa_g_profile_mode;
......@@ -192,13 +164,15 @@ extern enum profile_mode aa_g_profile_mode;
#define AA_MAY_REPLACE_POLICY AA_MAY_WRITE
#define AA_MAY_REMOVE_POLICY AA_MAY_DELETE
void __aa_update_proxy(struct aa_profile *orig, struct aa_profile *new);
#define profiles_ns(P) ((P)->ns)
#define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
void aa_free_proxy_kref(struct kref *kref);
struct aa_profile *aa_alloc_profile(const char *name, gfp_t gfp);
struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
gfp_t gfp);
struct aa_profile *aa_new_null_profile(struct aa_profile *parent, bool hat,
const char *base, gfp_t gfp);
void aa_free_profile(struct aa_profile *profile);
......@@ -207,20 +181,33 @@ struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
size_t n);
struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
struct aa_profile *aa_fqlookupn_profile(struct aa_profile *base,
struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
const char *fqname, size_t n);
struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_profile *profile,
ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
u32 mask, struct aa_loaddata *udata);
ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_profile *profile,
char *name, size_t size);
ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
char *name, size_t size);
void __aa_profile_list_release(struct list_head *head);
#define PROF_ADD 1
#define PROF_REPLACE 0
#define unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
#define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
/**
* aa_get_newest_profile - simple wrapper fn to wrap the label version
* @p: profile (NOT NULL)
*
* Returns refcount to newest version of the profile (maybe @p)
*
* Requires: @p must be held with a valid refcount
*/
static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
{
return labels_profile(aa_get_newest_label(&p->label));
}
#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(T)])
/* safe version of POLICY_MEDIATES for full range input */
......@@ -243,7 +230,7 @@ static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
{
if (p)
kref_get(&(p->count));
kref_get(&(p->label.count));
return p;
}
......@@ -257,7 +244,7 @@ static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
*/
static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
{
if (p && kref_get_unless_zero(&p->count))
if (p && kref_get_unless_zero(&p->label.count))
return p;
return NULL;
......@@ -277,31 +264,12 @@ static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
rcu_read_lock();
do {
c = rcu_dereference(*p);
} while (c && !kref_get_unless_zero(&c->count));
} while (c && !kref_get_unless_zero(&c->label.count));
rcu_read_unlock();
return c;
}
/**
* aa_get_newest_profile - find the newest version of @profile
* @profile: the profile to check for newer versions of
*
* Returns: refcounted newest version of @profile taking into account
* replacement, renames and removals
* return @profile.
*/
static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
{
if (!p)
return NULL;
if (profile_is_stale(p))
return aa_get_profile_rcu(&p->proxy->profile);
return aa_get_profile(p);
}
/**
* aa_put_profile - decrement refcount on profile @p
* @p: profile (MAYBE NULL)
......@@ -309,21 +277,7 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
static inline void aa_put_profile(struct aa_profile *p)
{
if (p)
kref_put(&p->count, aa_free_profile_kref);
}
static inline struct aa_proxy *aa_get_proxy(struct aa_proxy *p)
{
if (p)
kref_get(&(p->count));
return p;
}
static inline void aa_put_proxy(struct aa_proxy *p)
{
if (p)
kref_put(&p->count, aa_free_proxy_kref);
kref_put(&p->label.count, aa_label_kref);
}
static inline int AUDIT_MODE(struct aa_profile *profile)
......@@ -336,7 +290,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
bool policy_view_capable(struct aa_ns *ns);
bool policy_admin_capable(struct aa_ns *ns);
int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns,
int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
u32 mask);
#endif /* __AA_POLICY_H */
......@@ -19,6 +19,7 @@
#include "apparmor.h"
#include "apparmorfs.h"
#include "label.h"
#include "policy.h"
......@@ -71,6 +72,7 @@ struct aa_ns {
long revision;
wait_queue_head_t wait;
struct aa_labelset labels;
struct list_head rawdata_list;
struct dentry *dents[AAFS_NS_SIZEOF];
......@@ -80,6 +82,8 @@ extern struct aa_ns *root_ns;
extern const char *aa_hidden_ns_name;
#define ns_unconfined(NS) (&(NS)->unconfined->label)
bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns);
const char *aa_ns_name(struct aa_ns *parent, struct aa_ns *child, bool subns);
void aa_free_ns(struct aa_ns *ns);
......
......@@ -22,11 +22,12 @@
#include "include/ipc.h"
/* call back to audit ptrace fields */
static void audit_cb(struct audit_buffer *ab, void *va)
static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
audit_log_format(ab, " peer=");
audit_log_untrustedstring(ab, aad(sa)->peer->base.hname);
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC);
}
/**
......@@ -42,10 +43,10 @@ static int aa_audit_ptrace(struct aa_profile *profile,
{
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
aad(&sa)->peer = target;
aad(&sa)->peer = &target->label;
aad(&sa)->error = error;
return aa_audit(AUDIT_APPARMOR_AUTO, profile, &sa, audit_cb);
return aa_audit(AUDIT_APPARMOR_AUTO, profile, &sa, audit_ptrace_cb);
}
/**
......@@ -64,7 +65,7 @@ int aa_may_ptrace(struct aa_profile *tracer, struct aa_profile *tracee,
* Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH
*/
if (unconfined(tracer) || tracer == tracee)
if (profile_unconfined(tracer) || tracer == tracee)
return 0;
/* log this capability request */
return aa_capable(tracer, CAP_SYS_PTRACE, 1);
......@@ -90,18 +91,22 @@ int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
* - tracer profile has CAP_SYS_PTRACE
*/
struct aa_profile *tracer_p = aa_get_task_profile(tracer);
struct aa_label *tracer_l = aa_get_task_label(tracer);
int error = 0;
if (!unconfined(tracer_p)) {
struct aa_profile *tracee_p = aa_get_task_profile(tracee);
if (!unconfined(tracer_l)) {
struct aa_label *tracee_l = aa_get_task_label(tracee);
error = aa_may_ptrace(tracer_p, tracee_p, mode);
error = aa_audit_ptrace(tracer_p, tracee_p, error);
error = aa_may_ptrace(labels_profile(tracer_l),
labels_profile(tracee_l),
mode);
error = aa_audit_ptrace(labels_profile(tracer_l),
labels_profile(tracee_l),
error);
aa_put_profile(tracee_p);
aa_put_label(tracee_l);
}
aa_put_profile(tracer_p);
aa_put_label(tracer_l);
return error;
}
......@@ -246,6 +246,32 @@ void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
audit_log_format(ab, "\"");
}
/**
* aa_audit_perms_cb - generic callback fn for auditing perms
* @ab: audit buffer (NOT NULL)
* @va: audit struct to audit values of (NOT NULL)
*/
static void aa_audit_perms_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
if (aad(sa)->request) {
audit_log_format(ab, " requested_mask=");
aa_audit_perm_mask(ab, aad(sa)->request, aa_file_perm_chrs,
PERMS_CHRS_MASK, aa_file_perm_names,
PERMS_NAMES_MASK);
}
if (aad(sa)->denied) {
audit_log_format(ab, "denied_mask=");
aa_audit_perm_mask(ab, aad(sa)->denied, aa_file_perm_chrs,
PERMS_CHRS_MASK, aa_file_perm_names,
PERMS_NAMES_MASK);
}
audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC);
}
/**
* aa_apply_modes_to_perms - apply namespace and profile flags to perms
* @profile: that perms where computed from
......@@ -309,6 +335,143 @@ void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
// perms->xindex = dfa_user_xindex(dfa, state);
}
/**
* aa_perms_accum_raw - accumulate perms with out masking off overlapping perms
* @accum - perms struct to accumulate into
* @addend - perms struct to add to @accum
*/
void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend)
{
accum->deny |= addend->deny;
accum->allow &= addend->allow & ~addend->deny;
accum->audit |= addend->audit & addend->allow;
accum->quiet &= addend->quiet & ~addend->allow;
accum->kill |= addend->kill & ~addend->allow;
accum->stop |= addend->stop & ~addend->allow;
accum->complain |= addend->complain & ~addend->allow & ~addend->deny;
accum->cond |= addend->cond & ~addend->allow & ~addend->deny;
accum->hide &= addend->hide & ~addend->allow;
accum->prompt |= addend->prompt & ~addend->allow & ~addend->deny;
}
/**
* aa_perms_accum - accumulate perms, masking off overlapping perms
* @accum - perms struct to accumulate into
* @addend - perms struct to add to @accum
*/
void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend)
{
accum->deny |= addend->deny;
accum->allow &= addend->allow & ~accum->deny;
accum->audit |= addend->audit & accum->allow;
accum->quiet &= addend->quiet & ~accum->allow;
accum->kill |= addend->kill & ~accum->allow;
accum->stop |= addend->stop & ~accum->allow;
accum->complain |= addend->complain & ~accum->allow & ~accum->deny;
accum->cond |= addend->cond & ~accum->allow & ~accum->deny;
accum->hide &= addend->hide & ~accum->allow;
accum->prompt |= addend->prompt & ~accum->allow & ~accum->deny;
}
void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label,
int type, u32 request, struct aa_perms *perms)
{
/* TODO: doesn't yet handle extended types */
unsigned int state;
state = aa_dfa_next(profile->policy.dfa,
profile->policy.start[AA_CLASS_LABEL],
type);
aa_label_match(profile, label, state, false, request, perms);
}
/* currently unused */
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
u32 request, int type, u32 *deny,
struct common_audit_data *sa)
{
struct aa_perms perms;
aad(sa)->label = &profile->label;
aad(sa)->peer = &target->label;
aad(sa)->request = request;
aa_profile_match_label(profile, &target->label, type, request, &perms);
aa_apply_modes_to_perms(profile, &perms);
*deny |= request & perms.deny;
return aa_check_perms(profile, &perms, request, sa, aa_audit_perms_cb);
}
/**
* aa_check_perms - do audit mode selection based on perms set
* @profile: profile being checked
* @perms: perms computed for the request
* @request: requested perms
* @deny: Returns: explicit deny set
* @sa: initialized audit structure (MAY BE NULL if not auditing)
* @cb: callback fn for tpye specific fields (MAY BE NULL)
*
* Returns: 0 if permission else error code
*
* Note: profile audit modes need to be set before calling by setting the
* perm masks appropriately.
*
* If not auditing then complain mode is not enabled and the
* error code will indicate whether there was an explicit deny
* with a positive value.
*/
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
u32 request, struct common_audit_data *sa,
void (*cb)(struct audit_buffer *, void *))
{
int type, error;
bool stop = false;
u32 denied = request & (~perms->allow | perms->deny);
if (likely(!denied)) {
/* mask off perms that are not being force audited */
request &= perms->audit;
if (!request || !sa)
return 0;
type = AUDIT_APPARMOR_AUDIT;
error = 0;
} else {
error = -EACCES;
if (denied & perms->kill)
type = AUDIT_APPARMOR_KILL;
else if (denied == (denied & perms->complain))
type = AUDIT_APPARMOR_ALLOWED;
else
type = AUDIT_APPARMOR_DENIED;
if (denied & perms->stop)
stop = true;
if (denied == (denied & perms->hide))
error = -ENOENT;
denied &= ~perms->quiet;
if (!sa || !denied)
return error;
}
if (sa) {
aad(sa)->label = &profile->label;
aad(sa)->request = request;
aad(sa)->denied = denied;
aad(sa)->error = error;
aa_audit_msg(type, sa, cb);
}
if (type == AUDIT_APPARMOR_ALLOWED)
error = 0;
return error;
}
/**
* aa_policy_init - initialize a policy structure
* @policy: policy to initialize (NOT NULL)
......
This diff is collapsed.
This diff is collapsed.
......@@ -23,6 +23,7 @@
#include "include/apparmor.h"
#include "include/context.h"
#include "include/policy_ns.h"
#include "include/label.h"
#include "include/policy.h"
/* root profile namespace */
......@@ -104,12 +105,12 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
init_waitqueue_head(&ns->wait);
/* released by aa_free_ns() */
ns->unconfined = aa_alloc_profile("unconfined", GFP_KERNEL);
ns->unconfined = aa_alloc_profile("unconfined", NULL, GFP_KERNEL);
if (!ns->unconfined)
goto fail_unconfined;
ns->unconfined->flags = PFLAG_IX_ON_NAME_ERROR |
PFLAG_IMMUTABLE | PFLAG_NS_COUNT;
ns->unconfined->label.flags |= FLAG_IX_ON_NAME_ERROR |
FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
ns->unconfined->mode = APPARMOR_UNCONFINED;
/* ns and ns->unconfined share ns->unconfined refcount */
......@@ -117,6 +118,8 @@ static struct aa_ns *alloc_ns(const char *prefix, const char *name)
atomic_set(&ns->uniq_null, 0);
aa_labelset_init(&ns->labels);
return ns;
fail_unconfined:
......@@ -139,6 +142,7 @@ void aa_free_ns(struct aa_ns *ns)
return;
aa_policy_destroy(&ns->base);
aa_labelset_destroy(&ns->labels);
aa_put_ns(ns->parent);
ns->unconfined->ns = NULL;
......@@ -337,8 +341,14 @@ static void destroy_ns(struct aa_ns *ns)
/* release all sub namespaces */
__ns_list_release(&ns->sub_ns);
if (ns->parent)
__aa_update_proxy(ns->unconfined, ns->parent->unconfined);
if (ns->parent) {
unsigned long flags;
write_lock_irqsave(&ns->labels.lock, flags);
__aa_proxy_redirect(ns_unconfined(ns),
ns_unconfined(ns->parent));
write_unlock_irqrestore(&ns->labels.lock, flags);
}
__aafs_ns_rmdir(ns);
mutex_unlock(&ns->lock);
}
......
......@@ -26,6 +26,7 @@
#include "include/context.h"
#include "include/crypto.h"
#include "include/match.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy_unpack.h"
......@@ -107,7 +108,7 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
const char *name, const char *info, struct aa_ext *e,
int error)
{
struct aa_profile *profile = aa_current_raw_profile();
struct aa_profile *profile = labels_profile(aa_current_raw_label());
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
if (e)
aad(&sa)->iface.pos = e->pos - e->start;
......@@ -602,7 +603,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
name = tmpname;
}
profile = aa_alloc_profile(name, GFP_KERNEL);
profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
if (!profile)
return ERR_PTR(-ENOMEM);
......@@ -635,7 +636,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
if (!unpack_u32(e, &tmp, NULL))
goto fail;
if (tmp & PACKED_FLAG_HAT)
profile->flags |= PFLAG_HAT;
profile->label.flags |= FLAG_HAT;
if (!unpack_u32(e, &tmp, NULL))
goto fail;
if (tmp == PACKED_MODE_COMPLAIN || (e->version & FORCE_COMPLAIN_FLAG))
......@@ -654,10 +655,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
/* path_flags is optional */
if (unpack_u32(e, &profile->path_flags, "path_flags"))
profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
profile->path_flags |= profile->label.flags &
PATH_MEDIATE_DELETED;
else
/* set a default value if path_flags field is not present */
profile->path_flags = PFLAG_MEDIATE_DELETED;
profile->path_flags = PATH_MEDIATE_DELETED;
if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
goto fail;
......
......@@ -55,7 +55,7 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
ns_len += 4;
/* unconfined profiles don't have a mode string appended */
if (!unconfined(profile))
if (!profile_unconfined(profile))
mode_len = strlen(mode_str) + 3; /* + 3 for _() */
name_len = strlen(profile->base.hname);
......@@ -69,7 +69,7 @@ int aa_getprocattr(struct aa_profile *profile, char **string)
sprintf(s, ":%s://", ns_name);
s += ns_len;
}
if (unconfined(profile))
if (profile_unconfined(profile))
/* mode string not being appended */
sprintf(s, "%s\n", profile->base.hname);
else
......
......@@ -86,11 +86,11 @@ int aa_map_resource(int resource)
int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
unsigned int resource, struct rlimit *new_rlim)
{
struct aa_profile *task_profile;
struct aa_label *task_label;
int error = 0;
rcu_read_lock();
task_profile = aa_get_newest_cred_profile((__task_cred(task)));
task_label = aa_get_newest_cred_label((__task_cred(task)));
rcu_read_unlock();
/* TODO: extend resource control to handle other (non current)
......@@ -99,13 +99,13 @@ int aa_task_setrlimit(struct aa_profile *profile, struct task_struct *task,
* the same profile or that the task setting the resource of another
* task has CAP_SYS_RESOURCE.
*/
if ((profile != task_profile &&
if ((profile != labels_profile(task_label) &&
aa_capable(profile, CAP_SYS_RESOURCE, 1)) ||
(profile->rlimits.mask & (1 << resource) &&
new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max))
error = -EACCES;
aa_put_profile(task_profile);
aa_put_label(task_label);
return audit_resource(profile, resource, new_rlim->rlim_max, error);
}
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment