Lines Matching +full:sig +full:- +full:dir
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
169 profile->caps.allow); in apparmor_capget()
171 profile->caps.allow); in apparmor_capget()
195 * common_perm - basic common permission check wrapper fn for paths
218 * common_perm_cond - common permission wrapper around inode cond
227 struct user_namespace *mnt_userns = mnt_user_ns(path->mnt); in common_perm_cond()
229 i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)), in common_perm_cond()
230 d_backing_inode(path->dentry)->i_mode in common_perm_cond()
233 if (!path_mediated_fs(path->dentry)) in common_perm_cond()
240 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
242 * @dir: directory of the dentry (NOT NULL)
249 static int common_perm_dir_dentry(const char *op, const struct path *dir, in common_perm_dir_dentry() argument
253 struct path path = { .mnt = dir->mnt, .dentry = dentry }; in common_perm_dir_dentry()
259 * common_perm_rm - common permission wrapper for operations doing rm
261 * @dir: directory that the dentry is in (NOT NULL)
267 static int common_perm_rm(const char *op, const struct path *dir, in common_perm_rm() argument
271 struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt); in common_perm_rm()
278 cond.mode = inode->i_mode; in common_perm_rm()
280 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_rm()
284 * common_perm_create - common permission wrapper for operations doing create
286 * @dir: directory that dentry will be created in (NOT NULL)
293 static int common_perm_create(const char *op, const struct path *dir, in common_perm_create() argument
298 if (!path_mediated_fs(dir->dentry)) in common_perm_create()
301 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_create()
304 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) in apparmor_path_unlink() argument
306 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); in apparmor_path_unlink()
309 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, in apparmor_path_mkdir() argument
312 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, in apparmor_path_mkdir()
316 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) in apparmor_path_rmdir() argument
318 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); in apparmor_path_rmdir()
321 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, in apparmor_path_mknod() argument
324 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); in apparmor_path_mknod()
332 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, in apparmor_path_symlink() argument
335 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, in apparmor_path_symlink()
367 struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt); in apparmor_path_rename()
368 struct path old_path = { .mnt = old_dir->mnt, in apparmor_path_rename()
370 struct path new_path = { .mnt = new_dir->mnt, in apparmor_path_rename()
374 d_backing_inode(old_dentry)->i_mode in apparmor_path_rename()
413 if (!path_mediated_fs(file->f_path.dentry)) in apparmor_file_open()
421 if (current->in_execve) { in apparmor_file_open()
422 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; in apparmor_file_open()
426 label = aa_get_newest_cred_label(file->f_cred); in apparmor_file_open()
432 inode->i_mode in apparmor_file_open()
435 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0, in apparmor_file_open()
438 fctx->allow = aa_map_file_to_perms(file); in apparmor_file_open()
450 spin_lock_init(&ctx->lock); in apparmor_file_alloc_security()
451 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_file_alloc_security()
461 aa_put_label(rcu_access_pointer(ctx->label)); in apparmor_file_free_security()
471 if (file->f_path.dentry == aa_null.dentry) in common_file_perm()
472 return -EACCES; in common_file_perm()
533 return common_mmap(OP_FMPROT, vma->vm_file, prot, in apparmor_file_mprotect()
534 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, in apparmor_file_mprotect()
600 int error = -ENOENT; in apparmor_getprocattr()
608 else if (strcmp(name, "prev") == 0 && ctx->previous) in apparmor_getprocattr()
609 label = aa_get_newest_label(ctx->previous); in apparmor_getprocattr()
610 else if (strcmp(name, "exec") == 0 && ctx->onexec) in apparmor_getprocattr()
611 label = aa_get_newest_label(ctx->onexec); in apparmor_getprocattr()
613 error = -EINVAL; in apparmor_getprocattr()
633 return -EINVAL; in apparmor_setprocattr()
636 if (args[size - 1] != '\0') { in apparmor_setprocattr()
640 return -ENOMEM; in apparmor_setprocattr()
645 error = -EINVAL; in apparmor_setprocattr()
654 arg_size = size - (args - (largs ? largs : (char *) value)); in apparmor_setprocattr()
689 aad(&sa)->label = begin_current_label_crit_section(); in apparmor_setprocattr()
690 aad(&sa)->info = name; in apparmor_setprocattr()
691 aad(&sa)->error = error = -EINVAL; in apparmor_setprocattr()
693 end_current_label_crit_section(aad(&sa)->label); in apparmor_setprocattr()
698 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
704 struct aa_label *new_label = cred_label(bprm->cred); in apparmor_bprm_committing_creds()
707 if ((new_label->proxy == label->proxy) || in apparmor_bprm_committing_creds()
711 aa_inherit_files(bprm->cred, current->files); in apparmor_bprm_committing_creds()
713 current->pdeath_signal = 0; in apparmor_bprm_committing_creds()
720 * apparmor_bprm_committed_creds - do cleanup after new creds committed
734 *secid = label->secid; in apparmor_task_getsecid()
752 int sig, const struct cred *cred) in apparmor_task_kill() argument
763 error = aa_may_signal(cl, tl, sig); in apparmor_task_kill()
771 error = aa_may_signal(cl, tl, sig); in apparmor_task_kill()
779 * apparmor_sk_alloc_security - allocate and attach the sk_security field
787 return -ENOMEM; in apparmor_sk_alloc_security()
795 * apparmor_sk_free_security - free the sk_security field
802 aa_put_label(ctx->label); in apparmor_sk_free_security()
803 aa_put_label(ctx->peer); in apparmor_sk_free_security()
808 * apparmor_sk_clone_security - clone the sk_security field
816 if (new->label) in apparmor_sk_clone_security()
817 aa_put_label(new->label); in apparmor_sk_clone_security()
818 new->label = aa_get_label(ctx->label); in apparmor_sk_clone_security()
820 if (new->peer) in apparmor_sk_clone_security()
821 aa_put_label(new->peer); in apparmor_sk_clone_security()
822 new->peer = aa_get_label(ctx->peer); in apparmor_sk_clone_security()
826 * apparmor_socket_create - check perms before creating a new socket
847 * apparmor_socket_post_create - setup the per-socket security struct
850 * - kernel sockets currently labeled unconfined but we may want to
852 * - socket may not have sk here if created with sock_create_lite or
869 if (sock->sk) { in apparmor_socket_post_create()
870 struct aa_sk_ctx *ctx = SK_CTX(sock->sk); in apparmor_socket_post_create()
872 aa_put_label(ctx->label); in apparmor_socket_post_create()
873 ctx->label = aa_get_label(label); in apparmor_socket_post_create()
881 * apparmor_socket_bind - check perms before bind addr to socket
887 AA_BUG(!sock->sk); in apparmor_socket_bind()
891 return af_select(sock->sk->sk_family, in apparmor_socket_bind()
893 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); in apparmor_socket_bind()
897 * apparmor_socket_connect - check perms before connecting @sock to @address
903 AA_BUG(!sock->sk); in apparmor_socket_connect()
907 return af_select(sock->sk->sk_family, in apparmor_socket_connect()
909 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); in apparmor_socket_connect()
913 * apparmor_socket_listen - check perms before allowing listen
918 AA_BUG(!sock->sk); in apparmor_socket_listen()
921 return af_select(sock->sk->sk_family, in apparmor_socket_listen()
923 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); in apparmor_socket_listen()
927 * apparmor_socket_accept - check perms before accepting a new connection.
935 AA_BUG(!sock->sk); in apparmor_socket_accept()
939 return af_select(sock->sk->sk_family, in apparmor_socket_accept()
941 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); in apparmor_socket_accept()
948 AA_BUG(!sock->sk); in aa_sock_msg_perm()
952 return af_select(sock->sk->sk_family, in aa_sock_msg_perm()
954 aa_sk_perm(op, request, sock->sk)); in aa_sock_msg_perm()
958 * apparmor_socket_sendmsg - check perms before sending msg to another socket
967 * apparmor_socket_recvmsg - check perms before receiving a message
979 AA_BUG(!sock->sk); in aa_sock_perm()
982 return af_select(sock->sk->sk_family, in aa_sock_perm()
984 aa_sk_perm(op, request, sock->sk)); in aa_sock_perm()
988 * apparmor_socket_getsockname - check perms before getting the local address
996 * apparmor_socket_getpeername - check perms before getting remote address
1008 AA_BUG(!sock->sk); in aa_sock_opt_perm()
1011 return af_select(sock->sk->sk_family, in aa_sock_opt_perm()
1013 aa_sk_perm(op, request, sock->sk)); in aa_sock_opt_perm()
1017 * apparmor_socket_getsockopt - check perms before getting socket options
1027 * apparmor_socket_setsockopt - check perms before setting socket options
1037 * apparmor_socket_shutdown - check perms before shutting down @sock conn
1046 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk
1057 if (!skb->secmark) in apparmor_socket_sock_rcv_skb()
1060 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, in apparmor_socket_sock_rcv_skb()
1061 skb->secmark, sk); in apparmor_socket_sock_rcv_skb()
1070 if (ctx->peer) in sk_peer_label()
1071 return ctx->peer; in sk_peer_label()
1073 return ERR_PTR(-ENOPROTOOPT); in sk_peer_label()
1077 * apparmor_socket_getpeersec_stream - get security context of peer
1092 peer = sk_peer_label(sock->sk); in apparmor_socket_getpeersec_stream()
1102 error = -ENOMEM; in apparmor_socket_getpeersec_stream()
1105 error = -ERANGE; in apparmor_socket_getpeersec_stream()
1107 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1111 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1124 * apparmor_socket_getpeersec_dgram - get security label of packet
1136 return -ENOPROTOOPT; in apparmor_socket_getpeersec_dgram()
1140 * apparmor_sock_graft - Initialize newly created socket
1146 * Labeling of sk for accept case - probably should be sock based
1154 if (!ctx->label) in apparmor_sock_graft()
1155 ctx->label = aa_get_current_label(); in apparmor_sock_graft()
1164 if (!skb->secmark) in apparmor_inet_conn_request()
1167 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, in apparmor_inet_conn_request()
1168 skb->secmark, sk); in apparmor_inet_conn_request()
1322 /* AppArmor global enforcement switch - complain, enforce, kill */
1404 return -EINVAL; in param_set_aalockpolicy()
1406 return -EPERM; in param_set_aalockpolicy()
1413 return -EINVAL; in param_get_aalockpolicy()
1415 return -EPERM; in param_get_aalockpolicy()
1422 return -EINVAL; in param_set_aabool()
1424 return -EPERM; in param_set_aabool()
1431 return -EINVAL; in param_get_aabool()
1433 return -EPERM; in param_get_aabool()
1442 return -EINVAL; in param_set_aauint()
1445 return -EPERM; in param_set_aauint()
1457 return -EINVAL; in param_get_aauint()
1459 return -EPERM; in param_get_aauint()
1471 return -EPERM; in param_set_aaintbool()
1474 value = !!*((int *)kp->arg); in param_set_aaintbool()
1480 *((int *)kp->arg) = *((bool *)kp_local.arg); in param_set_aaintbool()
1496 value = !!*((int *)kp->arg); in param_get_aaintbool()
1509 return -EINVAL; in param_set_aacompressionlevel()
1511 return -EPERM; in param_set_aacompressionlevel()
1528 return -EINVAL; in param_get_aacompressionlevel()
1530 return -EPERM; in param_get_aacompressionlevel()
1537 return -EINVAL; in param_get_audit()
1539 return -EPERM; in param_get_audit()
1548 return -EINVAL; in param_set_audit()
1550 return -EINVAL; in param_set_audit()
1552 return -EPERM; in param_set_audit()
1556 return -EINVAL; in param_set_audit()
1565 return -EINVAL; in param_get_mode()
1567 return -EPERM; in param_get_mode()
1577 return -EINVAL; in param_set_mode()
1579 return -EINVAL; in param_set_mode()
1581 return -EPERM; in param_set_mode()
1586 return -EINVAL; in param_set_mode()
1604 list_del(&aa_buf->list); in aa_get_buffer()
1605 buffer_count--; in aa_get_buffer()
1607 return &aa_buf->buffer[0]; in aa_get_buffer()
1630 return &aa_buf->buffer[0]; in aa_get_buffer()
1642 list_add(&aa_buf->list, &aa_global_buffers); in aa_put_buffer()
1652 * set_init_ctx - set a task context and profile on the first task.
1658 struct cred *cred = (__force struct cred *)current->real_cred; in set_init_ctx()
1673 list_del(&aa_buf->list); in destroy_buffers()
1691 * This preallocation has also the side-effect that AppArmor will be in alloc_buffers()
1705 return -ENOMEM; in alloc_buffers()
1707 aa_put_buffer(&aa_buf->buffer[0]); in alloc_buffers()
1717 return -EPERM; in apparmor_dointvec()
1719 return -EINVAL; in apparmor_dointvec()
1743 apparmor_sysctl_table) ? 0 : -ENOMEM; in apparmor_init_sysctl()
1760 if (!skb->secmark) in apparmor_ip_postroute()
1768 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, in apparmor_ip_postroute()
1769 skb->secmark, sk)) in apparmor_ip_postroute()
1772 return NF_DROP_ERR(-ECONNREFUSED); in apparmor_ip_postroute()