Commit 80a17a5f authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'apparmor-pr-2018-04-10' of...

Merge tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:
  - add base infrastructure for socket mediation. ABI bump and
    additional checks to ensure only v8 compliant policy uses socket af
    mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
     - improve overlapping expression handling
     - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack

  Cleanups and changes:
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs

  Bug fixes:
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
  - fix resource audit messages when auditing peer
  - fix display of .ns_name for containers
  - fix an error code in verify_table_headers()
  - fix memory leak on buffer on error exit path
  - fix error returns checks by making size a ssize_t"

* tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (36 commits)
  apparmor: fix memory leak on buffer on error exit path
  apparmor: fix dangling symlinks to policy rawdata after replacement
  apparmor: Fix an error code in verify_table_headers()
  apparmor: fix error returns checks by making size a ssize_t
  apparmor: update MAINTAINERS file git and wiki locations
  apparmor: remove POLICY_MEDIATES_SAFE
  apparmor: add base infastructure for socket mediation
  apparmor: improve overlapping domain attachment resolution
  apparmor: convert attaching profiles via xattrs to use dfa matching
  apparmor: Add support for attaching profiles via xattr, presence and value
  apparmor: cleanup: simplify code to get ns symlink name
  apparmor: cleanup create_aafs() error path
  apparmor: dfa split verification of table headers
  apparmor: dfa add support for state differential encoding
  apparmor: dfa move character match into a macro
  apparmor: update domain transitions that are subsets of confinement at nnp
  apparmor: move context.h to cred.h
  apparmor: move task related defines and fns to task.X files
  apparmor: cleanup, drop unused fn __aa_task_is_confined()
  apparmor: cleanup fixup description of aa_replace_profiles
  ...
parents edda4153 588558eb
...@@ -934,8 +934,8 @@ F: drivers/char/apm-emulation.c ...@@ -934,8 +934,8 @@ F: drivers/char/apm-emulation.c
APPARMOR SECURITY MODULE APPARMOR SECURITY MODULE
M: John Johansen <john.johansen@canonical.com> M: John Johansen <john.johansen@canonical.com>
L: apparmor@lists.ubuntu.com (subscribers-only, general discussion) L: apparmor@lists.ubuntu.com (subscribers-only, general discussion)
W: apparmor.wiki.kernel.org W: wiki.apparmor.net
T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
S: Supported S: Supported
F: security/apparmor/ F: security/apparmor/
F: Documentation/admin-guide/LSM/apparmor.rst F: Documentation/admin-guide/LSM/apparmor.rst
......
# #
# Generated include files # Generated include files
# #
net_names.h
capability_names.h capability_names.h
rlim_names.h rlim_names.h
...@@ -3,13 +3,46 @@ ...@@ -3,13 +3,46 @@
# #
obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
resource.o secid.o file.o policy_ns.o label.o mount.o resource.o secid.o file.o policy_ns.o label.o mount.o net.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
clean-files := capability_names.h rlim_names.h clean-files := capability_names.h rlim_names.h net_names.h
# Build a lower case string table of address family names
# Transform lines from
# #define AF_LOCAL 1 /* POSIX name for AF_UNIX */
# #define AF_INET 2 /* Internet IP Protocol */
# to
# [1] = "local",
# [2] = "inet",
#
# and build the securityfs entries for the mapping.
# Transforms lines from
# #define AF_INET 2 /* Internet IP Protocol */
# to
# #define AA_SFS_AF_MASK "local inet"
quiet_cmd_make-af = GEN $@
cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
echo "};" >> $@ ;\
printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
$< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
# Build a lower case string table of sock type names
# Transform lines from
# SOCK_STREAM = 1,
# to
# [1] = "stream",
quiet_cmd_make-sock = GEN $@
cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
sed $^ >>$@ -r -n \
-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
echo "};" >> $@
# Build a lower case string table of capability names # Build a lower case string table of capability names
# Transforms lines from # Transforms lines from
...@@ -62,6 +95,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ ...@@ -62,6 +95,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
$(obj)/capability.o : $(obj)/capability_names.h $(obj)/capability.o : $(obj)/capability_names.h
$(obj)/net.o : $(obj)/net_names.h
$(obj)/resource.o : $(obj)/rlim_names.h $(obj)/resource.o : $(obj)/rlim_names.h
$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
$(src)/Makefile $(src)/Makefile
...@@ -69,3 +103,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ ...@@ -69,3 +103,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
$(src)/Makefile $(src)/Makefile
$(call cmd,make-rlim) $(call cmd,make-rlim)
$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
$(srctree)/include/linux/net.h \
$(src)/Makefile
$(call cmd,make-af)
$(call cmd,make-sock)
This diff is collapsed.
...@@ -19,7 +19,7 @@ ...@@ -19,7 +19,7 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/capability.h" #include "include/capability.h"
#include "include/context.h" #include "include/cred.h"
#include "include/policy.h" #include "include/policy.h"
#include "include/audit.h" #include "include/audit.h"
......
This diff is collapsed.
...@@ -18,9 +18,10 @@ ...@@ -18,9 +18,10 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/audit.h" #include "include/audit.h"
#include "include/context.h" #include "include/cred.h"
#include "include/file.h" #include "include/file.h"
#include "include/match.h" #include "include/match.h"
#include "include/net.h"
#include "include/path.h" #include "include/path.h"
#include "include/policy.h" #include "include/policy.h"
#include "include/label.h" #include "include/label.h"
...@@ -560,6 +561,32 @@ static int __file_path_perm(const char *op, struct aa_label *label, ...@@ -560,6 +561,32 @@ static int __file_path_perm(const char *op, struct aa_label *label,
return error; return error;
} }
static int __file_sock_perm(const char *op, struct aa_label *label,
struct aa_label *flabel, struct file *file,
u32 request, u32 denied)
{
struct socket *sock = (struct socket *) file->private_data;
int error;
AA_BUG(!sock);
/* revalidation due to label out of date. No revocation at this time */
if (!denied && aa_label_is_subset(flabel, label))
return 0;
/* TODO: improve to skip profiles cached in flabel */
error = aa_sock_file_perm(label, op, request, sock);
if (denied) {
/* TODO: improve to skip profiles checked above */
/* check every profile in file label to is cached */
last_error(error, aa_sock_file_perm(flabel, op, request, sock));
}
if (!error)
update_file_ctx(file_ctx(file), label, request);
return error;
}
/** /**
* aa_file_perm - do permission revalidation check & audit for @file * aa_file_perm - do permission revalidation check & audit for @file
* @op: operation being checked * @op: operation being checked
...@@ -604,6 +631,9 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file, ...@@ -604,6 +631,9 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
error = __file_path_perm(op, label, flabel, file, request, error = __file_path_perm(op, label, flabel, file, request,
denied); denied);
else if (S_ISSOCK(file_inode(file)->i_mode))
error = __file_sock_perm(op, label, flabel, file, request,
denied);
done: done:
rcu_read_unlock(); rcu_read_unlock();
......
...@@ -24,12 +24,13 @@ ...@@ -24,12 +24,13 @@
#define AA_CLASS_UNKNOWN 1 #define AA_CLASS_UNKNOWN 1
#define AA_CLASS_FILE 2 #define AA_CLASS_FILE 2
#define AA_CLASS_CAP 3 #define AA_CLASS_CAP 3
#define AA_CLASS_NET 4 #define AA_CLASS_DEPRECATED 4
#define AA_CLASS_RLIMITS 5 #define AA_CLASS_RLIMITS 5
#define AA_CLASS_DOMAIN 6 #define AA_CLASS_DOMAIN 6
#define AA_CLASS_MOUNT 7 #define AA_CLASS_MOUNT 7
#define AA_CLASS_PTRACE 9 #define AA_CLASS_PTRACE 9
#define AA_CLASS_SIGNAL 10 #define AA_CLASS_SIGNAL 10
#define AA_CLASS_NET 14
#define AA_CLASS_LABEL 16 #define AA_CLASS_LABEL 16
#define AA_CLASS_LAST AA_CLASS_LABEL #define AA_CLASS_LAST AA_CLASS_LABEL
......
...@@ -126,7 +126,20 @@ struct apparmor_audit_data { ...@@ -126,7 +126,20 @@ struct apparmor_audit_data {
const char *target; const char *target;
kuid_t ouid; kuid_t ouid;
} fs; } fs;
struct {
int rlim;
unsigned long max;
} rlim;
struct {
int signal; int signal;
int unmappedsig;
};
struct {
int type, protocol;
struct sock *peer_sk;
void *addr;
int addrlen;
} net;
}; };
}; };
struct { struct {
...@@ -134,10 +147,6 @@ struct apparmor_audit_data { ...@@ -134,10 +147,6 @@ struct apparmor_audit_data {
const char *ns; const char *ns;
long pos; long pos;
} iface; } iface;
struct {
int rlim;
unsigned long max;
} rlim;
struct { struct {
const char *src_name; const char *src_name;
const char *type; const char *type;
......
...@@ -21,38 +21,9 @@ ...@@ -21,38 +21,9 @@
#include "label.h" #include "label.h"
#include "policy_ns.h" #include "policy_ns.h"
#include "task.h"
#define cred_ctx(X) ((X)->security) #define cred_label(X) ((X)->security)
#define current_ctx() cred_ctx(current_cred())
/**
* struct aa_task_ctx - primary label for confined tasks
* @label: the current label (NOT NULL)
* @exec: label to transition to on next exec (MAYBE NULL)
* @previous: label the task may return to (MAYBE NULL)
* @token: magic value the task must know for returning to @previous
*
* Contains the task's current label (which could change due to
* change_hat). Plus the hat_magic needed during change_hat.
*
* TODO: make so a task can be confined by a stack of contexts
*/
struct aa_task_ctx {
struct aa_label *label;
struct aa_label *onexec;
struct aa_label *previous;
u64 token;
};
struct aa_task_ctx *aa_alloc_task_context(gfp_t flags);
void aa_free_task_context(struct aa_task_ctx *ctx);
void aa_dup_task_context(struct aa_task_ctx *new,
const struct aa_task_ctx *old);
int aa_replace_current_label(struct aa_label *label);
int aa_set_current_onexec(struct aa_label *label, bool stack);
int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
/** /**
...@@ -65,10 +36,10 @@ struct aa_label *aa_get_task_label(struct task_struct *task); ...@@ -65,10 +36,10 @@ struct aa_label *aa_get_task_label(struct task_struct *task);
*/ */
static inline struct aa_label *aa_cred_raw_label(const struct cred *cred) static inline struct aa_label *aa_cred_raw_label(const struct cred *cred)
{ {
struct aa_task_ctx *ctx = cred_ctx(cred); struct aa_label *label = cred_label(cred);
AA_BUG(!ctx || !ctx->label); AA_BUG(!label);
return ctx->label; return label;
} }
/** /**
...@@ -95,17 +66,6 @@ static inline struct aa_label *__aa_task_raw_label(struct task_struct *task) ...@@ -95,17 +66,6 @@ static inline struct aa_label *__aa_task_raw_label(struct task_struct *task)
return aa_cred_raw_label(__task_cred(task)); return aa_cred_raw_label(__task_cred(task));
} }
/**
* __aa_task_is_confined - determine if @task has any confinement
* @task: task to check confinement of (NOT NULL)
*
* If @task != current needs to be called in RCU safe critical section
*/
static inline bool __aa_task_is_confined(struct task_struct *task)
{
return !unconfined(__aa_task_raw_label(task));
}
/** /**
* aa_current_raw_label - find the current tasks confining label * aa_current_raw_label - find the current tasks confining label
* *
...@@ -213,17 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void) ...@@ -213,17 +173,4 @@ static inline struct aa_ns *aa_get_current_ns(void)
return ns; return ns;
} }
/**
* aa_clear_task_ctx_trans - clear transition tracking info from the ctx
* @ctx: task context to clear (NOT NULL)
*/
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
ctx->previous = NULL;
ctx->onexec = NULL;
ctx->token = 0;
}
#endif /* __AA_CONTEXT_H */ #endif /* __AA_CONTEXT_H */
...@@ -327,9 +327,37 @@ void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp); ...@@ -327,9 +327,37 @@ void aa_label_audit(struct audit_buffer *ab, struct aa_label *label, gfp_t gfp);
void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp); void aa_label_seq_print(struct seq_file *f, struct aa_label *label, gfp_t gfp);
void aa_label_printk(struct aa_label *label, gfp_t gfp); void aa_label_printk(struct aa_label *label, gfp_t gfp);
struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
size_t n, gfp_t gfp, bool create,
bool force_stack);
struct aa_label *aa_label_parse(struct aa_label *base, const char *str, struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
gfp_t gfp, bool create, bool force_stack); gfp_t gfp, bool create, bool force_stack);
static inline const char *aa_label_strn_split(const char *str, int n)
{
const char *pos;
unsigned int state;
state = aa_dfa_matchn_until(stacksplitdfa, DFA_START, str, n, &pos);
if (!ACCEPT_TABLE(stacksplitdfa)[state])
return NULL;
return pos - 3;
}
static inline const char *aa_label_str_split(const char *str)
{
const char *pos;
unsigned int state;
state = aa_dfa_match_until(stacksplitdfa, DFA_START, str, &pos);
if (!ACCEPT_TABLE(stacksplitdfa)[state])
return NULL;
return pos - 3;
}
struct aa_perms; struct aa_perms;
int aa_label_match(struct aa_profile *profile, struct aa_label *label, int aa_label_match(struct aa_profile *profile, struct aa_label *label,
......
...@@ -40,6 +40,7 @@ ...@@ -40,6 +40,7 @@
*/ */
#define YYTH_MAGIC 0x1B5E783D #define YYTH_MAGIC 0x1B5E783D
#define YYTH_FLAG_DIFF_ENCODE 1
struct table_set_header { struct table_set_header {
u32 th_magic; /* YYTH_MAGIC */ u32 th_magic; /* YYTH_MAGIC */
...@@ -101,6 +102,7 @@ struct aa_dfa { ...@@ -101,6 +102,7 @@ struct aa_dfa {
}; };
extern struct aa_dfa *nulldfa; extern struct aa_dfa *nulldfa;
extern struct aa_dfa *stacksplitdfa;
#define byte_to_byte(X) (X) #define byte_to_byte(X) (X)
...@@ -129,9 +131,32 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start, ...@@ -129,9 +131,32 @@ unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
const char *str); const char *str);
unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state, unsigned int aa_dfa_next(struct aa_dfa *dfa, unsigned int state,
const char c); const char c);
unsigned int aa_dfa_match_until(struct aa_dfa *dfa, unsigned int start,
const char *str, const char **retpos);
unsigned int aa_dfa_matchn_until(struct aa_dfa *dfa, unsigned int start,
const char *str, int n, const char **retpos);
void aa_dfa_free_kref(struct kref *kref); void aa_dfa_free_kref(struct kref *kref);
#define WB_HISTORY_SIZE 8
struct match_workbuf {
unsigned int count;
unsigned int pos;
unsigned int len;
unsigned int size; /* power of 2, same as history size */
unsigned int history[WB_HISTORY_SIZE];
};
#define DEFINE_MATCH_WB(N) \
struct match_workbuf N = { \
.count = 0, \
.pos = 0, \
.len = 0, \
.size = WB_HISTORY_SIZE, \
}
unsigned int aa_dfa_leftmatch(struct aa_dfa *dfa, unsigned int start,
const char *str, unsigned int *count);
/** /**
* aa_get_dfa - increment refcount on dfa @p * aa_get_dfa - increment refcount on dfa @p
* @dfa: dfa (MAYBE NULL) * @dfa: dfa (MAYBE NULL)
...@@ -159,4 +184,7 @@ static inline void aa_put_dfa(struct aa_dfa *dfa) ...@@ -159,4 +184,7 @@ static inline void aa_put_dfa(struct aa_dfa *dfa)
kref_put(&dfa->count, aa_dfa_free_kref); kref_put(&dfa->count, aa_dfa_free_kref);
} }
#define MATCH_FLAG_DIFF_ENCODE 0x80000000
#define MARK_DIFF_ENCODE 0x40000000
#endif /* __AA_MATCH_H */ #endif /* __AA_MATCH_H */
/*
* AppArmor security module
*
* This file contains AppArmor network mediation definitions.
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#ifndef __AA_NET_H
#define __AA_NET_H
#include <net/sock.h>
#include <linux/path.h>
#include "apparmorfs.h"
#include "label.h"
#include "perms.h"
#include "policy.h"
#define AA_MAY_SEND AA_MAY_WRITE
#define AA_MAY_RECEIVE AA_MAY_READ
#define AA_MAY_SHUTDOWN AA_MAY_DELETE
#define AA_MAY_CONNECT AA_MAY_OPEN
#define AA_MAY_ACCEPT 0x00100000
#define AA_MAY_BIND 0x00200000
#define AA_MAY_LISTEN 0x00400000
#define AA_MAY_SETOPT 0x01000000
#define AA_MAY_GETOPT 0x02000000
#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \
AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \
AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \
AA_MAY_MPROT)
#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
AA_MAY_ACCEPT)
struct aa_sk_ctx {
struct aa_label *label;
struct aa_label *peer;
};
#define SK_CTX(X) ((X)->sk_security)
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
.family = (F)}; \
DEFINE_AUDIT_DATA(NAME, \
((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
LSM_AUDIT_DATA_NONE, \
OP); \
NAME.u.net = &(NAME ## _net); \
aad(&NAME)->net.type = (T); \
aad(&NAME)->net.protocol = (P)
#define DEFINE_AUDIT_SK(NAME, OP, SK) \
DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
(SK)->sk_protocol)
#define af_select(FAMILY, FN, DEF_FN) \
({ \
int __e; \
switch ((FAMILY)) { \
default: \
__e = DEF_FN; \
} \
__e; \
})
extern struct aa_sfs_entry aa_sfs_entry_network[];
void audit_net_cb(struct audit_buffer *ab, void *va);
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
u32 request, u16 family, int type);
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
int type, int protocol);
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
struct common_audit_data *sa,
u32 request,
struct sock *sk)
{
return aa_profile_af_perm(profile, sa, request, sk->sk_family,
sk->sk_type);
}
int aa_sk_perm(const char *op, u32 request, struct sock *sk);
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
struct socket *sock);
#endif /* __AA_NET_H */
...@@ -138,9 +138,10 @@ extern struct aa_perms allperms; ...@@ -138,9 +138,10 @@ extern struct aa_perms allperms;
void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask); void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask); void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
u32 mask);
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs, void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
u32 chrsmask, const char **names, u32 namesmask); u32 chrsmask, const char * const *names, u32 namesmask);
void aa_apply_modes_to_perms(struct aa_profile *profile, void aa_apply_modes_to_perms(struct aa_profile *profile,
struct aa_perms *perms); struct aa_perms *perms);
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
......
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#include "file.h" #include "file.h"
#include "lib.h" #include "lib.h"
#include "label.h" #include "label.h"
#include "net.h"
#include "perms.h" #include "perms.h"
#include "resource.h" #include "resource.h"
...@@ -148,6 +149,10 @@ struct aa_profile { ...@@ -148,6 +149,10 @@ struct aa_profile {
struct aa_policydb policy; struct aa_policydb policy;
struct aa_file_rules file; struct aa_file_rules file;
struct aa_caps caps; struct aa_caps caps;
int xattr_count;
char **xattrs;
struct aa_rlimit rlimits; struct aa_rlimit rlimits;
struct aa_loaddata *rawdata; struct aa_loaddata *rawdata;
...@@ -209,15 +214,15 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) ...@@ -209,15 +214,15 @@ static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
return labels_profile(aa_get_newest_label(&p->label)); return labels_profile(aa_get_newest_label(&p->label));
} }
#define PROFILE_MEDIATES(P, T) ((P)->policy.start[(T)]) #define PROFILE_MEDIATES(P, T) ((P)->policy.start[(unsigned char) (T)])
/* safe version of POLICY_MEDIATES for full range input */ static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile, u16 AF) {
unsigned char class) unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
{ __be16 be_af = cpu_to_be16(AF);
if (profile->policy.dfa)
return aa_dfa_match_len(profile->policy.dfa, if (!state)
profile->policy.start[0], &class, 1);
return 0; return 0;
return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
} }
/** /**
......
...@@ -70,7 +70,7 @@ struct aa_loaddata { ...@@ -70,7 +70,7 @@ struct aa_loaddata {
int abi; int abi;
unsigned char *hash; unsigned char *hash;
char data[]; char *data;
}; };
int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns); int aa_unpack(struct aa_loaddata *udata, struct list_head *lh, const char **ns);
......
...@@ -2,6 +2,9 @@ ...@@ -2,6 +2,9 @@
#define SIGUNKNOWN 0 #define SIGUNKNOWN 0
#define MAXMAPPED_SIG 35 #define MAXMAPPED_SIG 35
#define MAXMAPPED_SIGNAME (MAXMAPPED_SIG + 1)
#define SIGRT_BASE 128
/* provide a mapping of arch signal to internal signal # for mediation /* provide a mapping of arch signal to internal signal # for mediation
* those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
* map to the same entry those that may/or may not get a separate entry * map to the same entry those that may/or may not get a separate entry
...@@ -56,7 +59,7 @@ static const int sig_map[MAXMAPPED_SIG] = { ...@@ -56,7 +59,7 @@ static const int sig_map[MAXMAPPED_SIG] = {
}; };
/* this table is ordered post sig_map[sig] mapping */ /* this table is ordered post sig_map[sig] mapping */
static const char *const sig_names[MAXMAPPED_SIG + 1] = { static const char *const sig_names[MAXMAPPED_SIGNAME] = {
"unknown", "unknown",
"hup", "hup",
"int", "int",
......
/*
* AppArmor security module
*
* This file contains AppArmor task related definitions and mediation
*
* Copyright 2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#ifndef __AA_TASK_H
#define __AA_TASK_H
#define task_ctx(X) ((X)->security)
/*
* struct aa_task_ctx - information for current task label change
* @nnp: snapshot of label at time of no_new_privs
* @onexec: profile to transition to on next exec (MAY BE NULL)
* @previous: profile the task may return to (MAY BE NULL)
* @token: magic value the task must know for returning to @previous_profile
*/
struct aa_task_ctx {
struct aa_label *nnp;
struct aa_label *onexec;
struct aa_label *previous;
u64 token;
};
int aa_replace_current_label(struct aa_label *label);
int aa_set_current_onexec(struct aa_label *label, bool stack);
int aa_set_current_hat(struct aa_label *label, u64 token);
int aa_restore_previous_label(u64 cookie);
struct aa_label *aa_get_task_label(struct task_struct *task);
/**
* aa_alloc_task_ctx - allocate a new task_ctx
* @flags: gfp flags for allocation
*
* Returns: allocated buffer or NULL on failure
*/
static inline struct aa_task_ctx *aa_alloc_task_ctx(gfp_t flags)
{
return kzalloc(sizeof(struct aa_task_ctx), flags);
}
/**
* aa_free_task_ctx - free a task_ctx
* @ctx: task_ctx to free (MAYBE NULL)
*/
static inline void aa_free_task_ctx(struct aa_task_ctx *ctx)
{
if (ctx) {
aa_put_label(ctx->nnp);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
kzfree(ctx);
}
}
/**
* aa_dup_task_ctx - duplicate a task context, incrementing reference counts
* @new: a blank task context (NOT NULL)
* @old: the task context to copy (NOT NULL)
*/
static inline void aa_dup_task_ctx(struct aa_task_ctx *new,
const struct aa_task_ctx *old)
{
*new = *old;
aa_get_label(new->nnp);
aa_get_label(new->previous);
aa_get_label(new->onexec);
}
/**
* aa_clear_task_ctx_trans - clear transition tracking info from the ctx
* @ctx: task context to clear (NOT NULL)
*/
static inline void aa_clear_task_ctx_trans(struct aa_task_ctx *ctx)
{
AA_BUG(!ctx);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
ctx->previous = NULL;
ctx->onexec = NULL;
ctx->token = 0;
}
#endif /* __AA_TASK_H */
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
#include "include/audit.h" #include "include/audit.h"
#include "include/capability.h" #include "include/capability.h"
#include "include/context.h" #include "include/cred.h"
#include "include/policy.h" #include "include/policy.h"
#include "include/ipc.h" #include "include/ipc.h"
#include "include/sig_names.h" #include "include/sig_names.h"
...@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig) ...@@ -138,7 +138,7 @@ static inline int map_signal_num(int sig)
if (sig > SIGRTMAX) if (sig > SIGRTMAX)
return SIGUNKNOWN; return SIGUNKNOWN;
else if (sig >= SIGRTMIN) else if (sig >= SIGRTMIN)
return sig - SIGRTMIN + 128; /* rt sigs mapped to 128 */ return sig - SIGRTMIN + SIGRT_BASE;
else if (sig < MAXMAPPED_SIG) else if (sig < MAXMAPPED_SIG)
return sig_map[sig]; return sig_map[sig];
return SIGUNKNOWN; return SIGUNKNOWN;
...@@ -174,60 +174,48 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va) ...@@ -174,60 +174,48 @@ static void audit_signal_cb(struct audit_buffer *ab, void *va)
audit_signal_mask(ab, aad(sa)->denied); audit_signal_mask(ab, aad(sa)->denied);
} }
} }
if (aad(sa)->signal < MAXMAPPED_SIG) if (aad(sa)->signal == SIGUNKNOWN)
audit_log_format(ab, "signal=unknown(%d)",
aad(sa)->unmappedsig);
else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]); audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
else else
audit_log_format(ab, " signal=rtmin+%d", audit_log_format(ab, " signal=rtmin+%d",
aad(sa)->signal - 128); aad(sa)->signal - SIGRT_BASE);
audit_log_format(ab, " peer="); audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC); FLAGS_NONE, GFP_ATOMIC);
} }
/* TODO: update to handle compound name&name2, conditionals */
static void profile_match_signal(struct aa_profile *profile, const char *label,
int signal, struct aa_perms *perms)
{
unsigned int state;
/* TODO: secondary cache check <profile, profile, perm> */
state = aa_dfa_next(profile->policy.dfa,
profile->policy.start[AA_CLASS_SIGNAL],
signal);
state = aa_dfa_match(profile->policy.dfa, state, label);
aa_compute_perms(profile->policy.dfa, state, perms);
}
static int profile_signal_perm(struct aa_profile *profile, static int profile_signal_perm(struct aa_profile *profile,
struct aa_profile *peer, u32 request, struct aa_label *peer, u32 request,
struct common_audit_data *sa) struct common_audit_data *sa)
{ {
struct aa_perms perms; struct aa_perms perms;
unsigned int state;
if (profile_unconfined(profile) || if (profile_unconfined(profile) ||
!PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL)) !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
return 0; return 0;
aad(sa)->peer = &peer->label; aad(sa)->peer = peer;
profile_match_signal(profile, peer->base.hname, aad(sa)->signal, /* TODO: secondary cache check <profile, profile, perm> */
&perms); state = aa_dfa_next(profile->policy.dfa,
profile->policy.start[AA_CLASS_SIGNAL],
aad(sa)->signal);
aa_label_match(profile, peer, state, false, request, &perms);
aa_apply_modes_to_perms(profile, &perms); aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, sa, audit_signal_cb); return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
} }
static int aa_signal_cross_perm(struct aa_profile *sender,
struct aa_profile *target,
struct common_audit_data *sa)
{
return xcheck(profile_signal_perm(sender, target, MAY_WRITE, sa),
profile_signal_perm(target, sender, MAY_READ, sa));
}
int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig) int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
{ {
struct aa_profile *profile;
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL); DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
aad(&sa)->signal = map_signal_num(sig); aad(&sa)->signal = map_signal_num(sig);
return xcheck_labels_profiles(sender, target, aa_signal_cross_perm, aad(&sa)->unmappedsig = sig;
&sa); return xcheck_labels(sender, target, profile,
profile_signal_perm(profile, target, MAY_WRITE, &sa),
profile_signal_perm(profile, sender, MAY_READ, &sa));
} }
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <linux/sort.h> #include <linux/sort.h>
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/context.h" #include "include/cred.h"
#include "include/label.h" #include "include/label.h"
#include "include/policy.h" #include "include/policy.h"
#include "include/secid.h" #include "include/secid.h"
...@@ -1808,14 +1808,17 @@ void aa_label_printk(struct aa_label *label, gfp_t gfp) ...@@ -1808,14 +1808,17 @@ void aa_label_printk(struct aa_label *label, gfp_t gfp)
aa_put_ns(ns); aa_put_ns(ns);
} }
static int label_count_str_entries(const char *str) static int label_count_strn_entries(const char *str, size_t n)
{ {
const char *end = str + n;
const char *split; const char *split;
int count = 1; int count = 1;
AA_BUG(!str); AA_BUG(!str);
for (split = strstr(str, "//&"); split; split = strstr(str, "//&")) { for (split = aa_label_strn_split(str, end - str);
split;
split = aa_label_strn_split(str, end - str)) {
count++; count++;
str = split + 3; str = split + 3;
} }
...@@ -1843,9 +1846,10 @@ static struct aa_profile *fqlookupn_profile(struct aa_label *base, ...@@ -1843,9 +1846,10 @@ static struct aa_profile *fqlookupn_profile(struct aa_label *base,
} }
/** /**
* aa_label_parse - parse, validate and convert a text string to a label * aa_label_strn_parse - parse, validate and convert a text string to a label
* @base: base label to use for lookups (NOT NULL) * @base: base label to use for lookups (NOT NULL)
* @str: null terminated text string (NOT NULL) * @str: null terminated text string (NOT NULL)
* @n: length of str to parse, will stop at \0 if encountered before n
* @gfp: allocation type * @gfp: allocation type
* @create: true if should create compound labels if they don't exist * @create: true if should create compound labels if they don't exist
* @force_stack: true if should stack even if no leading & * @force_stack: true if should stack even if no leading &
...@@ -1853,19 +1857,24 @@ static struct aa_profile *fqlookupn_profile(struct aa_label *base, ...@@ -1853,19 +1857,24 @@ static struct aa_profile *fqlookupn_profile(struct aa_label *base,
* Returns: the matching refcounted label if present * Returns: the matching refcounted label if present
* else ERRPTR * else ERRPTR
*/ */
struct aa_label *aa_label_parse(struct aa_label *base, const char *str, struct aa_label *aa_label_strn_parse(struct aa_label *base, const char *str,
gfp_t gfp, bool create, bool force_stack) size_t n, gfp_t gfp, bool create,
bool force_stack)
{ {
DEFINE_VEC(profile, vec); DEFINE_VEC(profile, vec);
struct aa_label *label, *currbase = base; struct aa_label *label, *currbase = base;
int i, len, stack = 0, error; int i, len, stack = 0, error;
char *split; const char *end = str + n;
const char *split;
AA_BUG(!base); AA_BUG(!base);
AA_BUG(!str); AA_BUG(!str);
str = skip_spaces(str); str = skipn_spaces(str, n);
len = label_count_str_entries(str); if (str == NULL || (*str == '=' && base != &root_ns->unconfined->label))
return ERR_PTR(-EINVAL);
len = label_count_strn_entries(str, end - str);
if (*str == '&' || force_stack) { if (*str == '&' || force_stack) {
/* stack on top of base */ /* stack on top of base */
stack = base->size; stack = base->size;
...@@ -1873,8 +1882,6 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, ...@@ -1873,8 +1882,6 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
if (*str == '&') if (*str == '&')
str++; str++;
} }
if (*str == '=')
base = &root_ns->unconfined->label;
error = vec_setup(profile, vec, len, gfp); error = vec_setup(profile, vec, len, gfp);
if (error) if (error)
...@@ -1883,7 +1890,8 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, ...@@ -1883,7 +1890,8 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
for (i = 0; i < stack; i++) for (i = 0; i < stack; i++)
vec[i] = aa_get_profile(base->vec[i]); vec[i] = aa_get_profile(base->vec[i]);
for (split = strstr(str, "//&"), i = stack; split && i < len; i++) { for (split = aa_label_strn_split(str, end - str), i = stack;
split && i < len; i++) {
vec[i] = fqlookupn_profile(base, currbase, str, split - str); vec[i] = fqlookupn_profile(base, currbase, str, split - str);
if (!vec[i]) if (!vec[i])
goto fail; goto fail;
...@@ -1894,11 +1902,11 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, ...@@ -1894,11 +1902,11 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
if (vec[i]->ns != labels_ns(currbase)) if (vec[i]->ns != labels_ns(currbase))
currbase = &vec[i]->label; currbase = &vec[i]->label;
str = split + 3; str = split + 3;
split = strstr(str, "//&"); split = aa_label_strn_split(str, end - str);
} }
/* last element doesn't have a split */ /* last element doesn't have a split */
if (i < len) { if (i < len) {
vec[i] = fqlookupn_profile(base, currbase, str, strlen(str)); vec[i] = fqlookupn_profile(base, currbase, str, end - str);
if (!vec[i]) if (!vec[i])
goto fail; goto fail;
} }
...@@ -1930,6 +1938,12 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str, ...@@ -1930,6 +1938,12 @@ struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
goto out; goto out;
} }
struct aa_label *aa_label_parse(struct aa_label *base, const char *str,
gfp_t gfp, bool create, bool force_stack)
{
return aa_label_strn_parse(base, str, strlen(str), gfp, create,
force_stack);
}
/** /**
* aa_labelset_destroy - remove all labels from the label set * aa_labelset_destroy - remove all labels from the label set
......
...@@ -211,7 +211,8 @@ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask) ...@@ -211,7 +211,8 @@ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
*str = '\0'; *str = '\0';
} }
void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask) void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
u32 mask)
{ {
const char *fmt = "%s"; const char *fmt = "%s";
unsigned int i, perm = 1; unsigned int i, perm = 1;
...@@ -229,7 +230,7 @@ void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask) ...@@ -229,7 +230,7 @@ void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask)
} }
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs, void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
u32 chrsmask, const char **names, u32 namesmask) u32 chrsmask, const char * const *names, u32 namesmask)
{ {
char str[33]; char str[33];
......
This diff is collapsed.
This diff is collapsed.
...@@ -18,7 +18,7 @@ ...@@ -18,7 +18,7 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/audit.h" #include "include/audit.h"
#include "include/context.h" #include "include/cred.h"
#include "include/domain.h" #include "include/domain.h"
#include "include/file.h" #include "include/file.h"
#include "include/match.h" #include "include/match.h"
......
/*
* AppArmor security module
*
* This file contains AppArmor network mediation
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2017 Canonical Ltd.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the
* License.
*/
#include "include/apparmor.h"
#include "include/audit.h"
#include "include/cred.h"
#include "include/label.h"
#include "include/net.h"
#include "include/policy.h"
#include "net_names.h"
struct aa_sfs_entry aa_sfs_entry_network[] = {
AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
{ }
};
static const char * const net_mask_names[] = {
"unknown",
"send",
"receive",
"unknown",
"create",
"shutdown",
"connect",
"unknown",
"setattr",
"getattr",
"setcred",
"getcred",
"chmod",
"chown",
"chgrp",
"lock",
"mmap",
"mprot",
"unknown",
"unknown",
"accept",
"bind",
"listen",
"unknown",
"setopt",
"getopt",
"unknown",
"unknown",
"unknown",
"unknown",
"unknown",
"unknown",
};
/* audit callback for net specific fields */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
audit_log_format(ab, " family=");
if (address_family_names[sa->u.net->family])
audit_log_string(ab, address_family_names[sa->u.net->family]);
else
audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
audit_log_format(ab, " sock_type=");
if (sock_type_names[aad(sa)->net.type])
audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
else
audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
if (aad(sa)->request & NET_PERMS_MASK) {
audit_log_format(ab, " requested_mask=");
aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
net_mask_names, NET_PERMS_MASK);
if (aad(sa)->denied & NET_PERMS_MASK) {
audit_log_format(ab, " denied_mask=");
aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
net_mask_names, NET_PERMS_MASK);
}
}
if (aad(sa)->peer) {
audit_log_format(ab, " peer=");
aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
FLAGS_NONE, GFP_ATOMIC);
}
}
/* Generic af perm */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
u32 request, u16 family, int type)
{
struct aa_perms perms = { };
unsigned int state;
__be16 buffer[2];
AA_BUG(family >= AF_MAX);
AA_BUG(type < 0 || type >= SOCK_MAX);
if (profile_unconfined(profile))
return 0;
state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
if (!state)
return 0;
buffer[0] = cpu_to_be16(family);
buffer[1] = cpu_to_be16((u16) type);
state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
4);
aa_compute_perms(profile->policy.dfa, state, &perms);
aa_apply_modes_to_perms(profile, &perms);
return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
int type, int protocol)
{
struct aa_profile *profile;
DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
return fn_for_each_confined(label, profile,
aa_profile_af_perm(profile, &sa, request, family,
type));
}
static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
struct sock *sk)
{
struct aa_profile *profile;
DEFINE_AUDIT_SK(sa, op, sk);
AA_BUG(!label);
AA_BUG(!sk);
if (unconfined(label))
return 0;
return fn_for_each_confined(label, profile,
aa_profile_af_sk_perm(profile, &sa, request, sk));
}
int aa_sk_perm(const char *op, u32 request, struct sock *sk)
{
struct aa_label *label;
int error;
AA_BUG(!sk);
AA_BUG(in_interrupt());
/* TODO: switch to begin_current_label ???? */
label = begin_current_label_crit_section();
error = aa_label_sk_perm(label, op, request, sk);
end_current_label_crit_section(label);
return error;
}
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
struct socket *sock)
{
AA_BUG(!label);
AA_BUG(!sock);
AA_BUG(!sock->sk);
return aa_label_sk_perm(label, op, request, sock->sk);
}
This diff is collapsed.
...@@ -82,7 +82,7 @@ ...@@ -82,7 +82,7 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/capability.h" #include "include/capability.h"
#include "include/context.h" #include "include/cred.h"
#include "include/file.h" #include "include/file.h"
#include "include/ipc.h" #include "include/ipc.h"
#include "include/match.h" #include "include/match.h"
...@@ -210,6 +210,7 @@ static void aa_free_data(void *ptr, void *arg) ...@@ -210,6 +210,7 @@ static void aa_free_data(void *ptr, void *arg)
void aa_free_profile(struct aa_profile *profile) void aa_free_profile(struct aa_profile *profile)
{ {
struct rhashtable *rht; struct rhashtable *rht;
int i;
AA_DEBUG("%s(%p)\n", __func__, profile); AA_DEBUG("%s(%p)\n", __func__, profile);
...@@ -227,6 +228,9 @@ void aa_free_profile(struct aa_profile *profile) ...@@ -227,6 +228,9 @@ void aa_free_profile(struct aa_profile *profile)
aa_free_cap_rules(&profile->caps); aa_free_cap_rules(&profile->caps);
aa_free_rlimit_rules(&profile->rlimits); aa_free_rlimit_rules(&profile->rlimits);
for (i = 0; i < profile->xattr_count; i++)
kzfree(profile->xattrs[i]);
kzfree(profile->xattrs);
kzfree(profile->dirname); kzfree(profile->dirname);
aa_put_dfa(profile->xmatch); aa_put_dfa(profile->xmatch);
aa_put_dfa(profile->policy.dfa); aa_put_dfa(profile->policy.dfa);
...@@ -845,8 +849,9 @@ static struct aa_profile *update_to_newest_parent(struct aa_profile *new) ...@@ -845,8 +849,9 @@ static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
* @udata: serialized data stream (NOT NULL) * @udata: serialized data stream (NOT NULL)
* *
* unpack and replace a profile on the profile list and uses of that profile * unpack and replace a profile on the profile list and uses of that profile
* by any aa_task_ctx. If the profile does not exist on the profile list * by any task creds via invalidating the old version of the profile, which
* it is added. * tasks will notice to update their own cred. If the profile does not exist
* on the profile list it is added.
* *
* Returns: size of data consumed else error code on failure. * Returns: size of data consumed else error code on failure.
*/ */
......
...@@ -21,7 +21,7 @@ ...@@ -21,7 +21,7 @@
#include <linux/string.h> #include <linux/string.h>
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/context.h" #include "include/cred.h"
#include "include/policy_ns.h" #include "include/policy_ns.h"
#include "include/label.h" #include "include/label.h"
#include "include/policy.h" #include "include/policy.h"
......
...@@ -23,7 +23,7 @@ ...@@ -23,7 +23,7 @@
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/audit.h" #include "include/audit.h"
#include "include/context.h" #include "include/cred.h"
#include "include/crypto.h" #include "include/crypto.h"
#include "include/match.h" #include "include/match.h"
#include "include/path.h" #include "include/path.h"
...@@ -37,7 +37,8 @@ ...@@ -37,7 +37,8 @@
#define v5 5 /* base version */ #define v5 5 /* base version */
#define v6 6 /* per entry policydb mediation check */ #define v6 6 /* per entry policydb mediation check */
#define v7 7 /* full network masking */ #define v7 7
#define v8 8 /* full network masking */
/* /*
* The AppArmor interface treats data as a type byte followed by the * The AppArmor interface treats data as a type byte followed by the
...@@ -164,8 +165,9 @@ static void do_loaddata_free(struct work_struct *work) ...@@ -164,8 +165,9 @@ static void do_loaddata_free(struct work_struct *work)
} }
kzfree(d->hash); kzfree(d->hash);
kfree(d->name); kzfree(d->name);
kvfree(d); kvfree(d->data);
kzfree(d);
} }
void aa_loaddata_kref(struct kref *kref) void aa_loaddata_kref(struct kref *kref)
...@@ -180,10 +182,16 @@ void aa_loaddata_kref(struct kref *kref) ...@@ -180,10 +182,16 @@ void aa_loaddata_kref(struct kref *kref)
struct aa_loaddata *aa_loaddata_alloc(size_t size) struct aa_loaddata *aa_loaddata_alloc(size_t size)
{ {
struct aa_loaddata *d = kvzalloc(sizeof(*d) + size, GFP_KERNEL); struct aa_loaddata *d;
d = kzalloc(sizeof(*d), GFP_KERNEL);
if (d == NULL) if (d == NULL)
return ERR_PTR(-ENOMEM); return ERR_PTR(-ENOMEM);
d->data = kvzalloc(size, GFP_KERNEL);
if (!d->data) {
kfree(d);
return ERR_PTR(-ENOMEM);
}
kref_init(&d->count); kref_init(&d->count);
INIT_LIST_HEAD(&d->list); INIT_LIST_HEAD(&d->list);
...@@ -196,6 +204,15 @@ static bool inbounds(struct aa_ext *e, size_t size) ...@@ -196,6 +204,15 @@ static bool inbounds(struct aa_ext *e, size_t size)
return (size <= e->end - e->pos); return (size <= e->end - e->pos);
} }
static void *kvmemdup(const void *src, size_t len)
{
void *p = kvmalloc(len, GFP_KERNEL);
if (p)
memcpy(p, src, len);
return p;
}
/** /**
* aa_u16_chunck - test and do bounds checking for a u16 size based chunk * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
* @e: serialized data read head (NOT NULL) * @e: serialized data read head (NOT NULL)
...@@ -515,6 +532,35 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile) ...@@ -515,6 +532,35 @@ static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
return 0; return 0;
} }
static bool unpack_xattrs(struct aa_ext *e, struct aa_profile *profile)
{
void *pos = e->pos;
if (unpack_nameX(e, AA_STRUCT, "xattrs")) {
int i, size;
size = unpack_array(e, NULL);
profile->xattr_count = size;
profile->xattrs = kcalloc(size, sizeof(char *), GFP_KERNEL);
if (!profile->xattrs)
goto fail;
for (i = 0; i < size; i++) {
if (!unpack_strdup(e, &profile->xattrs[i], NULL))
goto fail;
}
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
if (!unpack_nameX(e, AA_STRUCTEND, NULL))
goto fail;
}
return 1;
fail:
e->pos = pos;
return 0;
}
static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
{ {
void *pos = e->pos; void *pos = e->pos;
...@@ -549,15 +595,6 @@ static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile) ...@@ -549,15 +595,6 @@ static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
return 0; return 0;
} }
static void *kvmemdup(const void *src, size_t len)
{
void *p = kvmalloc(len, GFP_KERNEL);
if (p)
memcpy(p, src, len);
return p;
}
static u32 strhash(const void *data, u32 len, u32 seed) static u32 strhash(const void *data, u32 len, u32 seed)
{ {
const char * const *key = data; const char * const *key = data;
...@@ -712,6 +749,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name) ...@@ -712,6 +749,11 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
goto fail; goto fail;
} }
if (!unpack_xattrs(e, profile)) {
info = "failed to unpack profile xattrs";
goto fail;
}
if (!unpack_rlimits(e, profile)) { if (!unpack_rlimits(e, profile)) {
info = "failed to unpack profile rlimits"; info = "failed to unpack profile rlimits";
goto fail; goto fail;
......
...@@ -13,7 +13,7 @@ ...@@ -13,7 +13,7 @@
*/ */
#include "include/apparmor.h" #include "include/apparmor.h"
#include "include/context.h" #include "include/cred.h"
#include "include/policy.h" #include "include/policy.h"
#include "include/policy_ns.h" #include "include/policy_ns.h"
#include "include/domain.h" #include "include/domain.h"
......
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <linux/security.h> #include <linux/security.h>
#include "include/audit.h" #include "include/audit.h"
#include "include/context.h" #include "include/cred.h"
#include "include/resource.h" #include "include/resource.h"
#include "include/policy.h" #include "include/policy.h"
......
/* 0x1 [^\000]*[^/\000]//& */ 0x1B, 0x5E, 0x78, 0x3D, 0x00, 0x00,
0x00, 0x18, 0x00, 0x00, 0x04, 0xD8, 0x00, 0x00, 0x6E, 0x6F, 0x74,
0x66, 0x6C, 0x65, 0x78, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x04,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
0x00, 0x00, 0x00, 0x00, 0x07, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x02, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x02,
0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x02, 0x00, 0x08, 0x00,
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03, 0x00,
0x04, 0x00, 0x01, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x02, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x05, 0x00, 0x00, 0x00, 0x01, 0x00,
0x02, 0x00, 0x03, 0x00, 0x04, 0x00, 0x05, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x02, 0x00, 0x03, 0x00, 0x04,
0x00, 0x05, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00
/* /*
* AppArmor security module * AppArmor security module
* *
* This file contains AppArmor functions used to manipulate object security * This file contains AppArmor task related definitions and mediation
* contexts.
* *
* Copyright (C) 1998-2008 Novell/SUSE * Copyright 2017 Canonical Ltd.
* Copyright 2009-2010 Canonical Ltd.
* *
* This program is free software; you can redistribute it and/or * This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License as * modify it under the terms of the GNU General Public License as
* published by the Free Software Foundation, version 2 of the * published by the Free Software Foundation, version 2 of the
* License. * License.
* *
*
* AppArmor sets confinement on every task, via the the aa_task_ctx and
* the aa_task_ctx.label, both of which are required and are not allowed
* to be NULL. The aa_task_ctx is not reference counted and is unique
* to each cred (which is reference count). The label pointed to by
* the task_ctx is reference counted.
*
* TODO * TODO
* If a task uses change_hat it currently does not return to the old * If a task uses change_hat it currently does not return to the old
* cred or task context but instead creates a new one. Ideally the task * cred or task context but instead creates a new one. Ideally the task
* should return to the previous cred if it has not been modified. * should return to the previous cred if it has not been modified.
*
*/ */
#include "include/context.h" #include "include/cred.h"
#include "include/policy.h" #include "include/task.h"
/**
* aa_alloc_task_context - allocate a new task_ctx
* @flags: gfp flags for allocation
*
* Returns: allocated buffer or NULL on failure
*/
struct aa_task_ctx *aa_alloc_task_context(gfp_t flags)
{
return kzalloc(sizeof(struct aa_task_ctx), flags);
}
/**
* aa_free_task_context - free a task_ctx
* @ctx: task_ctx to free (MAYBE NULL)
*/
void aa_free_task_context(struct aa_task_ctx *ctx)
{
if (ctx) {
aa_put_label(ctx->label);
aa_put_label(ctx->previous);
aa_put_label(ctx->onexec);
kzfree(ctx);
}
}
/**
* aa_dup_task_context - duplicate a task context, incrementing reference counts
* @new: a blank task context (NOT NULL)
* @old: the task context to copy (NOT NULL)
*/
void aa_dup_task_context(struct aa_task_ctx *new, const struct aa_task_ctx *old)
{
*new = *old;
aa_get_label(new->label);
aa_get_label(new->previous);
aa_get_label(new->onexec);
}
/** /**
* aa_get_task_label - Get another task's label * aa_get_task_label - Get another task's label
...@@ -93,11 +44,13 @@ struct aa_label *aa_get_task_label(struct task_struct *task) ...@@ -93,11 +44,13 @@ struct aa_label *aa_get_task_label(struct task_struct *task)
*/ */
int aa_replace_current_label(struct aa_label *label) int aa_replace_current_label(struct aa_label *label)
{ {
struct aa_task_ctx *ctx = current_ctx(); struct aa_label *old = aa_current_raw_label();
struct aa_task_ctx *ctx = task_ctx(current);
struct cred *new; struct cred *new;
AA_BUG(!label); AA_BUG(!label);
if (ctx->label == label) if (old == label)
return 0; return 0;
if (current_cred() != current_real_cred()) if (current_cred() != current_real_cred())
...@@ -107,27 +60,34 @@ int aa_replace_current_label(struct aa_label *label) ...@@ -107,27 +60,34 @@ int aa_replace_current_label(struct aa_label *label)
if (!new) if (!new)
return -ENOMEM; return -ENOMEM;
ctx = cred_ctx(new); if (ctx->nnp && label_is_stale(ctx->nnp)) {
if (unconfined(label) || (labels_ns(ctx->label) != labels_ns(label))) struct aa_label *tmp = ctx->nnp;
/* if switching to unconfined or a different label namespace
ctx->nnp = aa_get_newest_label(tmp);
aa_put_label(tmp);
}
if (unconfined(label) || (labels_ns(old) != labels_ns(label)))
/*
* if switching to unconfined or a different label namespace
* clear out context state * clear out context state
*/ */
aa_clear_task_ctx_trans(ctx); aa_clear_task_ctx_trans(task_ctx(current));
/* /*
* be careful switching ctx->profile, when racing replacement it * be careful switching cred label, when racing replacement it
* is possible that ctx->profile->proxy->profile is the reference * is possible that the cred labels's->proxy->label is the reference
* keeping @profile valid, so make sure to get its reference before * keeping @label valid, so make sure to get its reference before
* dropping the reference on ctx->profile * dropping the reference on the cred's label
*/ */
aa_get_label(label); aa_get_label(label);
aa_put_label(ctx->label); aa_put_label(cred_label(new));
ctx->label = label; cred_label(new) = label;
commit_creds(new); commit_creds(new);
return 0; return 0;
} }
/** /**
* aa_set_current_onexec - set the tasks change_profile to happen onexec * aa_set_current_onexec - set the tasks change_profile to happen onexec
* @label: system label to set at exec (MAYBE NULL to clear value) * @label: system label to set at exec (MAYBE NULL to clear value)
...@@ -136,18 +96,13 @@ int aa_replace_current_label(struct aa_label *label) ...@@ -136,18 +96,13 @@ int aa_replace_current_label(struct aa_label *label)
*/ */
int aa_set_current_onexec(struct aa_label *label, bool stack) int aa_set_current_onexec(struct aa_label *label, bool stack)
{ {
struct aa_task_ctx *ctx; struct aa_task_ctx *ctx = task_ctx(current);
struct cred *new = prepare_creds();
if (!new)
return -ENOMEM;
ctx = cred_ctx(new);
aa_get_label(label); aa_get_label(label);
aa_clear_task_ctx_trans(ctx); aa_put_label(ctx->onexec);
ctx->onexec = label; ctx->onexec = label;
ctx->token = stack; ctx->token = stack;
commit_creds(new);
return 0; return 0;
} }
...@@ -163,25 +118,27 @@ int aa_set_current_onexec(struct aa_label *label, bool stack) ...@@ -163,25 +118,27 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
*/ */
int aa_set_current_hat(struct aa_label *label, u64 token) int aa_set_current_hat(struct aa_label *label, u64 token)
{ {
struct aa_task_ctx *ctx; struct aa_task_ctx *ctx = task_ctx(current);
struct cred *new = prepare_creds(); struct cred *new;
new = prepare_creds();
if (!new) if (!new)
return -ENOMEM; return -ENOMEM;
AA_BUG(!label); AA_BUG(!label);
ctx = cred_ctx(new);
if (!ctx->previous) { if (!ctx->previous) {
/* transfer refcount */ /* transfer refcount */
ctx->previous = ctx->label; ctx->previous = cred_label(new);
ctx->token = token; ctx->token = token;
} else if (ctx->token == token) { } else if (ctx->token == token) {
aa_put_label(ctx->label); aa_put_label(cred_label(new));
} else { } else {
/* previous_profile && ctx->token != token */ /* previous_profile && ctx->token != token */
abort_creds(new); abort_creds(new);
return -EACCES; return -EACCES;
} }
ctx->label = aa_get_newest_label(label);
cred_label(new) = aa_get_newest_label(label);
/* clear exec on switching context */ /* clear exec on switching context */
aa_put_label(ctx->onexec); aa_put_label(ctx->onexec);
ctx->onexec = NULL; ctx->onexec = NULL;
...@@ -201,28 +158,26 @@ int aa_set_current_hat(struct aa_label *label, u64 token) ...@@ -201,28 +158,26 @@ int aa_set_current_hat(struct aa_label *label, u64 token)
*/ */
int aa_restore_previous_label(u64 token) int aa_restore_previous_label(u64 token)
{ {
struct aa_task_ctx *ctx; struct aa_task_ctx *ctx = task_ctx(current);
struct cred *new = prepare_creds(); struct cred *new;
if (!new)
return -ENOMEM;
ctx = cred_ctx(new); if (ctx->token != token)
if (ctx->token != token) {
abort_creds(new);
return -EACCES; return -EACCES;
}
/* ignore restores when there is no saved label */ /* ignore restores when there is no saved label */
if (!ctx->previous) { if (!ctx->previous)
abort_creds(new);
return 0; return 0;
}
aa_put_label(ctx->label); new = prepare_creds();
ctx->label = aa_get_newest_label(ctx->previous); if (!new)
AA_BUG(!ctx->label); return -ENOMEM;
aa_put_label(cred_label(new));
cred_label(new) = aa_get_newest_label(ctx->previous);
AA_BUG(!cred_label(new));
/* clear exec && prev information when restoring to previous context */ /* clear exec && prev information when restoring to previous context */
aa_clear_task_ctx_trans(ctx); aa_clear_task_ctx_trans(ctx);
commit_creds(new); commit_creds(new);
return 0; return 0;
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment