1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor /sys/kernel/security/apparmor interface functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/ctype.h> 12 #include <linux/security.h> 13 #include <linux/vmalloc.h> 14 #include <linux/init.h> 15 #include <linux/seq_file.h> 16 #include <linux/uaccess.h> 17 #include <linux/mount.h> 18 #include <linux/namei.h> 19 #include <linux/capability.h> 20 #include <linux/rcupdate.h> 21 #include <linux/fs.h> 22 #include <linux/fs_context.h> 23 #include <linux/poll.h> 24 #include <uapi/linux/major.h> 25 #include <uapi/linux/magic.h> 26 27 #include "include/apparmor.h" 28 #include "include/apparmorfs.h" 29 #include "include/audit.h" 30 #include "include/cred.h" 31 #include "include/crypto.h" 32 #include "include/ipc.h" 33 #include "include/label.h" 34 #include "include/policy.h" 35 #include "include/policy_ns.h" 36 #include "include/resource.h" 37 #include "include/policy_unpack.h" 38 39 /* 40 * The apparmor filesystem interface used for policy load and introspection 41 * The interface is split into two main components based on their function 42 * a securityfs component: 43 * used for static files that are always available, and which allows 44 * userspace to specificy the location of the security filesystem. 45 * 46 * fns and data are prefixed with 47 * aa_sfs_ 48 * 49 * an apparmorfs component: 50 * used loaded policy content and introspection. It is not part of a 51 * regular mounted filesystem and is available only through the magic 52 * policy symlink in the root of the securityfs apparmor/ directory. 53 * Tasks queries will be magically redirected to the correct portion 54 * of the policy tree based on their confinement. 55 * 56 * fns and data are prefixed with 57 * aafs_ 58 * 59 * The aa_fs_ prefix is used to indicate the fn is used by both the 60 * securityfs and apparmorfs filesystems. 61 */ 62 63 64 /* 65 * support fns 66 */ 67 68 /** 69 * aa_mangle_name - mangle a profile name to std profile layout form 70 * @name: profile name to mangle (NOT NULL) 71 * @target: buffer to store mangled name, same length as @name (MAYBE NULL) 72 * 73 * Returns: length of mangled name 74 */ mangle_name(const char * name,char * target)75 static int mangle_name(const char *name, char *target) 76 { 77 char *t = target; 78 79 while (*name == '/' || *name == '.') 80 name++; 81 82 if (target) { 83 for (; *name; name++) { 84 if (*name == '/') 85 *(t)++ = '.'; 86 else if (isspace(*name)) 87 *(t)++ = '_'; 88 else if (isalnum(*name) || strchr("._-", *name)) 89 *(t)++ = *name; 90 } 91 92 *t = 0; 93 } else { 94 int len = 0; 95 for (; *name; name++) { 96 if (isalnum(*name) || isspace(*name) || 97 strchr("/._-", *name)) 98 len++; 99 } 100 101 return len; 102 } 103 104 return t - target; 105 } 106 107 108 /* 109 * aafs - core fns and data for the policy tree 110 */ 111 112 #define AAFS_NAME "apparmorfs" 113 static struct vfsmount *aafs_mnt; 114 static int aafs_count; 115 116 aafs_show_path(struct seq_file * seq,struct dentry * dentry)117 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) 118 { 119 seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); 120 return 0; 121 } 122 aafs_free_inode(struct inode * inode)123 static void aafs_free_inode(struct inode *inode) 124 { 125 if (S_ISLNK(inode->i_mode)) 126 kfree(inode->i_link); 127 free_inode_nonrcu(inode); 128 } 129 130 static const struct super_operations aafs_super_ops = { 131 .statfs = simple_statfs, 132 .free_inode = aafs_free_inode, 133 .show_path = aafs_show_path, 134 }; 135 apparmorfs_fill_super(struct super_block * sb,struct fs_context * fc)136 static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) 137 { 138 static struct tree_descr files[] = { {""} }; 139 int error; 140 141 error = simple_fill_super(sb, AAFS_MAGIC, files); 142 if (error) 143 return error; 144 sb->s_op = &aafs_super_ops; 145 146 return 0; 147 } 148 apparmorfs_get_tree(struct fs_context * fc)149 static int apparmorfs_get_tree(struct fs_context *fc) 150 { 151 return get_tree_single(fc, apparmorfs_fill_super); 152 } 153 154 static const struct fs_context_operations apparmorfs_context_ops = { 155 .get_tree = apparmorfs_get_tree, 156 }; 157 apparmorfs_init_fs_context(struct fs_context * fc)158 static int apparmorfs_init_fs_context(struct fs_context *fc) 159 { 160 fc->ops = &apparmorfs_context_ops; 161 return 0; 162 } 163 164 static struct file_system_type aafs_ops = { 165 .owner = THIS_MODULE, 166 .name = AAFS_NAME, 167 .init_fs_context = apparmorfs_init_fs_context, 168 .kill_sb = kill_anon_super, 169 }; 170 171 /** 172 * __aafs_setup_d_inode - basic inode setup for apparmorfs 173 * @dir: parent directory for the dentry 174 * @dentry: dentry we are seting the inode up for 175 * @mode: permissions the file should have 176 * @data: data to store on inode.i_private, available in open() 177 * @link: if symlink, symlink target string 178 * @fops: struct file_operations that should be used 179 * @iops: struct of inode_operations that should be used 180 */ __aafs_setup_d_inode(struct inode * dir,struct dentry * dentry,umode_t mode,void * data,char * link,const struct file_operations * fops,const struct inode_operations * iops)181 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, 182 umode_t mode, void *data, char *link, 183 const struct file_operations *fops, 184 const struct inode_operations *iops) 185 { 186 struct inode *inode = new_inode(dir->i_sb); 187 188 AA_BUG(!dir); 189 AA_BUG(!dentry); 190 191 if (!inode) 192 return -ENOMEM; 193 194 inode->i_ino = get_next_ino(); 195 inode->i_mode = mode; 196 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); 197 inode->i_private = data; 198 if (S_ISDIR(mode)) { 199 inode->i_op = iops ? iops : &simple_dir_inode_operations; 200 inode->i_fop = &simple_dir_operations; 201 inc_nlink(inode); 202 inc_nlink(dir); 203 } else if (S_ISLNK(mode)) { 204 inode->i_op = iops ? iops : &simple_symlink_inode_operations; 205 inode->i_link = link; 206 } else { 207 inode->i_fop = fops; 208 } 209 d_instantiate(dentry, inode); 210 dget(dentry); 211 212 return 0; 213 } 214 215 /** 216 * aafs_create - create a dentry in the apparmorfs filesystem 217 * 218 * @name: name of dentry to create 219 * @mode: permissions the file should have 220 * @parent: parent directory for this dentry 221 * @data: data to store on inode.i_private, available in open() 222 * @link: if symlink, symlink target string 223 * @fops: struct file_operations that should be used for 224 * @iops: struct of inode_operations that should be used 225 * 226 * This is the basic "create a xxx" function for apparmorfs. 227 * 228 * Returns a pointer to a dentry if it succeeds, that must be free with 229 * aafs_remove(). Will return ERR_PTR on failure. 230 */ aafs_create(const char * name,umode_t mode,struct dentry * parent,void * data,void * link,const struct file_operations * fops,const struct inode_operations * iops)231 static struct dentry *aafs_create(const char *name, umode_t mode, 232 struct dentry *parent, void *data, void *link, 233 const struct file_operations *fops, 234 const struct inode_operations *iops) 235 { 236 struct dentry *dentry; 237 struct inode *dir; 238 int error; 239 240 AA_BUG(!name); 241 AA_BUG(!parent); 242 243 if (!(mode & S_IFMT)) 244 mode = (mode & S_IALLUGO) | S_IFREG; 245 246 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 247 if (error) 248 return ERR_PTR(error); 249 250 dir = d_inode(parent); 251 252 inode_lock(dir); 253 dentry = lookup_one_len(name, parent, strlen(name)); 254 if (IS_ERR(dentry)) { 255 error = PTR_ERR(dentry); 256 goto fail_lock; 257 } 258 259 if (d_really_is_positive(dentry)) { 260 error = -EEXIST; 261 goto fail_dentry; 262 } 263 264 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); 265 if (error) 266 goto fail_dentry; 267 inode_unlock(dir); 268 269 return dentry; 270 271 fail_dentry: 272 dput(dentry); 273 274 fail_lock: 275 inode_unlock(dir); 276 simple_release_fs(&aafs_mnt, &aafs_count); 277 278 return ERR_PTR(error); 279 } 280 281 /** 282 * aafs_create_file - create a file in the apparmorfs filesystem 283 * 284 * @name: name of dentry to create 285 * @mode: permissions the file should have 286 * @parent: parent directory for this dentry 287 * @data: data to store on inode.i_private, available in open() 288 * @fops: struct file_operations that should be used for 289 * 290 * see aafs_create 291 */ aafs_create_file(const char * name,umode_t mode,struct dentry * parent,void * data,const struct file_operations * fops)292 static struct dentry *aafs_create_file(const char *name, umode_t mode, 293 struct dentry *parent, void *data, 294 const struct file_operations *fops) 295 { 296 return aafs_create(name, mode, parent, data, NULL, fops, NULL); 297 } 298 299 /** 300 * aafs_create_dir - create a directory in the apparmorfs filesystem 301 * 302 * @name: name of dentry to create 303 * @parent: parent directory for this dentry 304 * 305 * see aafs_create 306 */ aafs_create_dir(const char * name,struct dentry * parent)307 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) 308 { 309 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, 310 NULL); 311 } 312 313 /** 314 * aafs_create_symlink - create a symlink in the apparmorfs filesystem 315 * @name: name of dentry to create 316 * @parent: parent directory for this dentry 317 * @target: if symlink, symlink target string 318 * @private: private data 319 * @iops: struct of inode_operations that should be used 320 * 321 * If @target parameter is %NULL, then the @iops parameter needs to be 322 * setup to handle .readlink and .get_link inode_operations. 323 */ aafs_create_symlink(const char * name,struct dentry * parent,const char * target,void * private,const struct inode_operations * iops)324 static struct dentry *aafs_create_symlink(const char *name, 325 struct dentry *parent, 326 const char *target, 327 void *private, 328 const struct inode_operations *iops) 329 { 330 struct dentry *dent; 331 char *link = NULL; 332 333 if (target) { 334 if (!link) 335 return ERR_PTR(-ENOMEM); 336 } 337 dent = aafs_create(name, S_IFLNK | 0444, parent, private, link, NULL, 338 iops); 339 if (IS_ERR(dent)) 340 kfree(link); 341 342 return dent; 343 } 344 345 /** 346 * aafs_remove - removes a file or directory from the apparmorfs filesystem 347 * 348 * @dentry: dentry of the file/directory/symlink to removed. 349 */ aafs_remove(struct dentry * dentry)350 static void aafs_remove(struct dentry *dentry) 351 { 352 struct inode *dir; 353 354 if (!dentry || IS_ERR(dentry)) 355 return; 356 357 dir = d_inode(dentry->d_parent); 358 inode_lock(dir); 359 if (simple_positive(dentry)) { 360 if (d_is_dir(dentry)) 361 simple_rmdir(dir, dentry); 362 else 363 simple_unlink(dir, dentry); 364 d_delete(dentry); 365 dput(dentry); 366 } 367 inode_unlock(dir); 368 simple_release_fs(&aafs_mnt, &aafs_count); 369 } 370 371 372 /* 373 * aa_fs - policy load/replace/remove 374 */ 375 376 /** 377 * aa_simple_write_to_buffer - common routine for getting policy from user 378 * @userbuf: user buffer to copy data from (NOT NULL) 379 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) 380 * @copy_size: size of data to copy from user buffer 381 * @pos: position write is at in the file (NOT NULL) 382 * 383 * Returns: kernel buffer containing copy of user buffer data or an 384 * ERR_PTR on failure. 385 */ aa_simple_write_to_buffer(const char __user * userbuf,size_t alloc_size,size_t copy_size,loff_t * pos)386 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, 387 size_t alloc_size, 388 size_t copy_size, 389 loff_t *pos) 390 { 391 struct aa_loaddata *data; 392 393 AA_BUG(copy_size > alloc_size); 394 395 if (*pos != 0) 396 /* only writes from pos 0, that is complete writes */ 397 return ERR_PTR(-ESPIPE); 398 399 /* freed by caller to simple_write_to_buffer */ 400 data = aa_loaddata_alloc(alloc_size); 401 if (IS_ERR(data)) 402 return data; 403 404 data->size = copy_size; 405 if (copy_from_user(data->data, userbuf, copy_size)) { 406 kvfree(data); 407 return ERR_PTR(-EFAULT); 408 } 409 410 return data; 411 } 412 policy_update(u32 mask,const char __user * buf,size_t size,loff_t * pos,struct aa_ns * ns)413 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, 414 loff_t *pos, struct aa_ns *ns) 415 { 416 struct aa_loaddata *data; 417 struct aa_label *label; 418 ssize_t error; 419 420 label = begin_current_label_crit_section(); 421 422 /* high level check about policy management - fine grained in 423 * below after unpack 424 */ 425 error = aa_may_manage_policy(label, ns, mask); 426 if (error) 427 return error; 428 429 data = aa_simple_write_to_buffer(buf, size, size, pos); 430 error = PTR_ERR(data); 431 if (!IS_ERR(data)) { 432 error = aa_replace_profiles(ns, label, mask, data); 433 aa_put_loaddata(data); 434 } 435 end_current_label_crit_section(label); 436 437 return error; 438 } 439 440 /* .load file hook fn to load policy */ profile_load(struct file * f,const char __user * buf,size_t size,loff_t * pos)441 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, 442 loff_t *pos) 443 { 444 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 445 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); 446 447 aa_put_ns(ns); 448 449 return error; 450 } 451 452 static const struct file_operations aa_fs_profile_load = { 453 .write = profile_load, 454 .llseek = default_llseek, 455 }; 456 457 /* .replace file hook fn to load and/or replace policy */ profile_replace(struct file * f,const char __user * buf,size_t size,loff_t * pos)458 static ssize_t profile_replace(struct file *f, const char __user *buf, 459 size_t size, loff_t *pos) 460 { 461 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 462 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, 463 buf, size, pos, ns); 464 aa_put_ns(ns); 465 466 return error; 467 } 468 469 static const struct file_operations aa_fs_profile_replace = { 470 .write = profile_replace, 471 .llseek = default_llseek, 472 }; 473 474 /* .remove file hook fn to remove loaded policy */ profile_remove(struct file * f,const char __user * buf,size_t size,loff_t * pos)475 static ssize_t profile_remove(struct file *f, const char __user *buf, 476 size_t size, loff_t *pos) 477 { 478 struct aa_loaddata *data; 479 struct aa_label *label; 480 ssize_t error; 481 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); 482 483 label = begin_current_label_crit_section(); 484 /* high level check about policy management - fine grained in 485 * below after unpack 486 */ 487 error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY); 488 if (error) 489 goto out; 490 491 /* 492 * aa_remove_profile needs a null terminated string so 1 extra 493 * byte is allocated and the copied data is null terminated. 494 */ 495 data = aa_simple_write_to_buffer(buf, size + 1, size, pos); 496 497 error = PTR_ERR(data); 498 if (!IS_ERR(data)) { 499 data->data[size] = 0; 500 error = aa_remove_profiles(ns, label, data->data, size); 501 aa_put_loaddata(data); 502 } 503 out: 504 end_current_label_crit_section(label); 505 aa_put_ns(ns); 506 return error; 507 } 508 509 static const struct file_operations aa_fs_profile_remove = { 510 .write = profile_remove, 511 .llseek = default_llseek, 512 }; 513 514 struct aa_revision { 515 struct aa_ns *ns; 516 long last_read; 517 }; 518 519 /* revision file hook fn for policy loads */ ns_revision_release(struct inode * inode,struct file * file)520 static int ns_revision_release(struct inode *inode, struct file *file) 521 { 522 struct aa_revision *rev = file->private_data; 523 524 if (rev) { 525 aa_put_ns(rev->ns); 526 kfree(rev); 527 } 528 529 return 0; 530 } 531 ns_revision_read(struct file * file,char __user * buf,size_t size,loff_t * ppos)532 static ssize_t ns_revision_read(struct file *file, char __user *buf, 533 size_t size, loff_t *ppos) 534 { 535 struct aa_revision *rev = file->private_data; 536 char buffer[32]; 537 long last_read; 538 int avail; 539 540 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 541 last_read = rev->last_read; 542 if (last_read == rev->ns->revision) { 543 mutex_unlock(&rev->ns->lock); 544 if (file->f_flags & O_NONBLOCK) 545 return -EAGAIN; 546 if (wait_event_interruptible(rev->ns->wait, 547 last_read != 548 READ_ONCE(rev->ns->revision))) 549 return -ERESTARTSYS; 550 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 551 } 552 553 avail = sprintf(buffer, "%ld\n", rev->ns->revision); 554 if (*ppos + size > avail) { 555 rev->last_read = rev->ns->revision; 556 *ppos = 0; 557 } 558 mutex_unlock(&rev->ns->lock); 559 560 return simple_read_from_buffer(buf, size, ppos, buffer, avail); 561 } 562 ns_revision_open(struct inode * inode,struct file * file)563 static int ns_revision_open(struct inode *inode, struct file *file) 564 { 565 struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL); 566 567 if (!rev) 568 return -ENOMEM; 569 570 rev->ns = aa_get_ns(inode->i_private); 571 if (!rev->ns) 572 rev->ns = aa_get_current_ns(); 573 file->private_data = rev; 574 575 return 0; 576 } 577 ns_revision_poll(struct file * file,poll_table * pt)578 static __poll_t ns_revision_poll(struct file *file, poll_table *pt) 579 { 580 struct aa_revision *rev = file->private_data; 581 __poll_t mask = 0; 582 583 if (rev) { 584 mutex_lock_nested(&rev->ns->lock, rev->ns->level); 585 poll_wait(file, &rev->ns->wait, pt); 586 if (rev->last_read < rev->ns->revision) 587 mask |= EPOLLIN | EPOLLRDNORM; 588 mutex_unlock(&rev->ns->lock); 589 } 590 591 return mask; 592 } 593 __aa_bump_ns_revision(struct aa_ns * ns)594 void __aa_bump_ns_revision(struct aa_ns *ns) 595 { 596 ns->revision++; 597 wake_up_interruptible(&ns->wait); 598 } 599 600 static const struct file_operations aa_fs_ns_revision_fops = { 601 .owner = THIS_MODULE, 602 .open = ns_revision_open, 603 .poll = ns_revision_poll, 604 .read = ns_revision_read, 605 .llseek = generic_file_llseek, 606 .release = ns_revision_release, 607 }; 608 profile_query_cb(struct aa_profile * profile,struct aa_perms * perms,const char * match_str,size_t match_len)609 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, 610 const char *match_str, size_t match_len) 611 { 612 struct aa_perms tmp = { }; 613 struct aa_dfa *dfa; 614 unsigned int state = 0; 615 616 if (profile_unconfined(profile)) 617 return; 618 if (profile->file.dfa && *match_str == AA_CLASS_FILE) { 619 dfa = profile->file.dfa; 620 state = aa_dfa_match_len(dfa, profile->file.start, 621 match_str + 1, match_len - 1); 622 if (state) { 623 struct path_cond cond = { }; 624 625 tmp = aa_compute_fperms(dfa, state, &cond); 626 } 627 } else if (profile->policy.dfa) { 628 if (!PROFILE_MEDIATES(profile, *match_str)) 629 return; /* no change to current perms */ 630 dfa = profile->policy.dfa; 631 state = aa_dfa_match_len(dfa, profile->policy.start[0], 632 match_str, match_len); 633 if (state) 634 aa_compute_perms(dfa, state, &tmp); 635 } 636 aa_apply_modes_to_perms(profile, &tmp); 637 aa_perms_accum_raw(perms, &tmp); 638 } 639 640 641 /** 642 * query_data - queries a policy and writes its data to buf 643 * @buf: the resulting data is stored here (NOT NULL) 644 * @buf_len: size of buf 645 * @query: query string used to retrieve data 646 * @query_len: size of query including second NUL byte 647 * 648 * The buffers pointed to by buf and query may overlap. The query buffer is 649 * parsed before buf is written to. 650 * 651 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of 652 * the security confinement context and <KEY> is the name of the data to 653 * retrieve. <LABEL> and <KEY> must not be NUL-terminated. 654 * 655 * Don't expect the contents of buf to be preserved on failure. 656 * 657 * Returns: number of characters written to buf or -errno on failure 658 */ query_data(char * buf,size_t buf_len,char * query,size_t query_len)659 static ssize_t query_data(char *buf, size_t buf_len, 660 char *query, size_t query_len) 661 { 662 char *out; 663 const char *key; 664 struct label_it i; 665 struct aa_label *label, *curr; 666 struct aa_profile *profile; 667 struct aa_data *data; 668 u32 bytes, blocks; 669 __le32 outle32; 670 671 if (!query_len) 672 return -EINVAL; /* need a query */ 673 674 key = query + strnlen(query, query_len) + 1; 675 if (key + 1 >= query + query_len) 676 return -EINVAL; /* not enough space for a non-empty key */ 677 if (key + strnlen(key, query + query_len - key) >= query + query_len) 678 return -EINVAL; /* must end with NUL */ 679 680 if (buf_len < sizeof(bytes) + sizeof(blocks)) 681 return -EINVAL; /* not enough space */ 682 683 curr = begin_current_label_crit_section(); 684 label = aa_label_parse(curr, query, GFP_KERNEL, false, false); 685 end_current_label_crit_section(curr); 686 if (IS_ERR(label)) 687 return PTR_ERR(label); 688 689 /* We are going to leave space for two numbers. The first is the total 690 * number of bytes we are writing after the first number. This is so 691 * users can read the full output without reallocation. 692 * 693 * The second number is the number of data blocks we're writing. An 694 * application might be confined by multiple policies having data in 695 * the same key. 696 */ 697 memset(buf, 0, sizeof(bytes) + sizeof(blocks)); 698 out = buf + sizeof(bytes) + sizeof(blocks); 699 700 blocks = 0; 701 label_for_each_confined(i, label, profile) { 702 if (!profile->data) 703 continue; 704 705 data = rhashtable_lookup_fast(profile->data, &key, 706 profile->data->p); 707 708 if (data) { 709 if (out + sizeof(outle32) + data->size > buf + 710 buf_len) { 711 aa_put_label(label); 712 return -EINVAL; /* not enough space */ 713 } 714 outle32 = __cpu_to_le32(data->size); 715 memcpy(out, &outle32, sizeof(outle32)); 716 out += sizeof(outle32); 717 memcpy(out, data->data, data->size); 718 out += data->size; 719 blocks++; 720 } 721 } 722 aa_put_label(label); 723 724 outle32 = __cpu_to_le32(out - buf - sizeof(bytes)); 725 memcpy(buf, &outle32, sizeof(outle32)); 726 outle32 = __cpu_to_le32(blocks); 727 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32)); 728 729 return out - buf; 730 } 731 732 /** 733 * query_label - queries a label and writes permissions to buf 734 * @buf: the resulting permissions string is stored here (NOT NULL) 735 * @buf_len: size of buf 736 * @query: binary query string to match against the dfa 737 * @query_len: size of query 738 * @view_only: only compute for querier's view 739 * 740 * The buffers pointed to by buf and query may overlap. The query buffer is 741 * parsed before buf is written to. 742 * 743 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is 744 * the name of the label, in the current namespace, that is to be queried and 745 * DFA_STRING is a binary string to match against the label(s)'s DFA. 746 * 747 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters 748 * but must *not* be NUL terminated. 749 * 750 * Returns: number of characters written to buf or -errno on failure 751 */ query_label(char * buf,size_t buf_len,char * query,size_t query_len,bool view_only)752 static ssize_t query_label(char *buf, size_t buf_len, 753 char *query, size_t query_len, bool view_only) 754 { 755 struct aa_profile *profile; 756 struct aa_label *label, *curr; 757 char *label_name, *match_str; 758 size_t label_name_len, match_len; 759 struct aa_perms perms; 760 struct label_it i; 761 762 if (!query_len) 763 return -EINVAL; 764 765 label_name = query; 766 label_name_len = strnlen(query, query_len); 767 if (!label_name_len || label_name_len == query_len) 768 return -EINVAL; 769 770 /** 771 * The extra byte is to account for the null byte between the 772 * profile name and dfa string. profile_name_len is greater 773 * than zero and less than query_len, so a byte can be safely 774 * added or subtracted. 775 */ 776 match_str = label_name + label_name_len + 1; 777 match_len = query_len - label_name_len - 1; 778 779 curr = begin_current_label_crit_section(); 780 label = aa_label_parse(curr, label_name, GFP_KERNEL, false, false); 781 end_current_label_crit_section(curr); 782 if (IS_ERR(label)) 783 return PTR_ERR(label); 784 785 perms = allperms; 786 if (view_only) { 787 label_for_each_in_ns(i, labels_ns(label), label, profile) { 788 profile_query_cb(profile, &perms, match_str, match_len); 789 } 790 } else { 791 label_for_each(i, label, profile) { 792 profile_query_cb(profile, &perms, match_str, match_len); 793 } 794 } 795 aa_put_label(label); 796 797 return scnprintf(buf, buf_len, 798 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n", 799 perms.allow, perms.deny, perms.audit, perms.quiet); 800 } 801 802 /* 803 * Transaction based IO. 804 * The file expects a write which triggers the transaction, and then 805 * possibly a read(s) which collects the result - which is stored in a 806 * file-local buffer. Once a new write is performed, a new set of results 807 * are stored in the file-local buffer. 808 */ 809 struct multi_transaction { 810 struct kref count; 811 ssize_t size; 812 char data[0]; 813 }; 814 815 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction)) 816 /* TODO: replace with per file lock */ 817 static DEFINE_SPINLOCK(multi_transaction_lock); 818 multi_transaction_kref(struct kref * kref)819 static void multi_transaction_kref(struct kref *kref) 820 { 821 struct multi_transaction *t; 822 823 t = container_of(kref, struct multi_transaction, count); 824 free_page((unsigned long) t); 825 } 826 827 static struct multi_transaction * get_multi_transaction(struct multi_transaction * t)828 get_multi_transaction(struct multi_transaction *t) 829 { 830 if (t) 831 kref_get(&(t->count)); 832 833 return t; 834 } 835 put_multi_transaction(struct multi_transaction * t)836 static void put_multi_transaction(struct multi_transaction *t) 837 { 838 if (t) 839 kref_put(&(t->count), multi_transaction_kref); 840 } 841 842 /* does not increment @new's count */ multi_transaction_set(struct file * file,struct multi_transaction * new,size_t n)843 static void multi_transaction_set(struct file *file, 844 struct multi_transaction *new, size_t n) 845 { 846 struct multi_transaction *old; 847 848 AA_BUG(n > MULTI_TRANSACTION_LIMIT); 849 850 new->size = n; 851 spin_lock(&multi_transaction_lock); 852 old = (struct multi_transaction *) file->private_data; 853 file->private_data = new; 854 spin_unlock(&multi_transaction_lock); 855 put_multi_transaction(old); 856 } 857 multi_transaction_new(struct file * file,const char __user * buf,size_t size)858 static struct multi_transaction *multi_transaction_new(struct file *file, 859 const char __user *buf, 860 size_t size) 861 { 862 struct multi_transaction *t; 863 864 if (size > MULTI_TRANSACTION_LIMIT - 1) 865 return ERR_PTR(-EFBIG); 866 867 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL); 868 if (!t) 869 return ERR_PTR(-ENOMEM); 870 kref_init(&t->count); 871 if (copy_from_user(t->data, buf, size)) 872 return ERR_PTR(-EFAULT); 873 874 return t; 875 } 876 multi_transaction_read(struct file * file,char __user * buf,size_t size,loff_t * pos)877 static ssize_t multi_transaction_read(struct file *file, char __user *buf, 878 size_t size, loff_t *pos) 879 { 880 struct multi_transaction *t; 881 ssize_t ret; 882 883 spin_lock(&multi_transaction_lock); 884 t = get_multi_transaction(file->private_data); 885 spin_unlock(&multi_transaction_lock); 886 if (!t) 887 return 0; 888 889 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size); 890 put_multi_transaction(t); 891 892 return ret; 893 } 894 multi_transaction_release(struct inode * inode,struct file * file)895 static int multi_transaction_release(struct inode *inode, struct file *file) 896 { 897 put_multi_transaction(file->private_data); 898 899 return 0; 900 } 901 902 #define QUERY_CMD_LABEL "label\0" 903 #define QUERY_CMD_LABEL_LEN 6 904 #define QUERY_CMD_PROFILE "profile\0" 905 #define QUERY_CMD_PROFILE_LEN 8 906 #define QUERY_CMD_LABELALL "labelall\0" 907 #define QUERY_CMD_LABELALL_LEN 9 908 #define QUERY_CMD_DATA "data\0" 909 #define QUERY_CMD_DATA_LEN 5 910 911 /** 912 * aa_write_access - generic permissions and data query 913 * @file: pointer to open apparmorfs/access file 914 * @ubuf: user buffer containing the complete query string (NOT NULL) 915 * @count: size of ubuf 916 * @ppos: position in the file (MUST BE ZERO) 917 * 918 * Allows for one permissions or data query per open(), write(), and read() 919 * sequence. The only queries currently supported are label-based queries for 920 * permissions or data. 921 * 922 * For permissions queries, ubuf must begin with "label\0", followed by the 923 * profile query specific format described in the query_label() function 924 * documentation. 925 * 926 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where 927 * <LABEL> is the name of the security confinement context and <KEY> is the 928 * name of the data to retrieve. 929 * 930 * Returns: number of bytes written or -errno on failure 931 */ aa_write_access(struct file * file,const char __user * ubuf,size_t count,loff_t * ppos)932 static ssize_t aa_write_access(struct file *file, const char __user *ubuf, 933 size_t count, loff_t *ppos) 934 { 935 struct multi_transaction *t; 936 ssize_t len; 937 938 if (*ppos) 939 return -ESPIPE; 940 941 t = multi_transaction_new(file, ubuf, count); 942 if (IS_ERR(t)) 943 return PTR_ERR(t); 944 945 if (count > QUERY_CMD_PROFILE_LEN && 946 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) { 947 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 948 t->data + QUERY_CMD_PROFILE_LEN, 949 count - QUERY_CMD_PROFILE_LEN, true); 950 } else if (count > QUERY_CMD_LABEL_LEN && 951 !memcmp(t->data, QUERY_CMD_LABEL, QUERY_CMD_LABEL_LEN)) { 952 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 953 t->data + QUERY_CMD_LABEL_LEN, 954 count - QUERY_CMD_LABEL_LEN, true); 955 } else if (count > QUERY_CMD_LABELALL_LEN && 956 !memcmp(t->data, QUERY_CMD_LABELALL, 957 QUERY_CMD_LABELALL_LEN)) { 958 len = query_label(t->data, MULTI_TRANSACTION_LIMIT, 959 t->data + QUERY_CMD_LABELALL_LEN, 960 count - QUERY_CMD_LABELALL_LEN, false); 961 } else if (count > QUERY_CMD_DATA_LEN && 962 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) { 963 len = query_data(t->data, MULTI_TRANSACTION_LIMIT, 964 t->data + QUERY_CMD_DATA_LEN, 965 count - QUERY_CMD_DATA_LEN); 966 } else 967 len = -EINVAL; 968 969 if (len < 0) { 970 put_multi_transaction(t); 971 return len; 972 } 973 974 multi_transaction_set(file, t, len); 975 976 return count; 977 } 978 979 static const struct file_operations aa_sfs_access = { 980 .write = aa_write_access, 981 .read = multi_transaction_read, 982 .release = multi_transaction_release, 983 .llseek = generic_file_llseek, 984 }; 985 aa_sfs_seq_show(struct seq_file * seq,void * v)986 static int aa_sfs_seq_show(struct seq_file *seq, void *v) 987 { 988 struct aa_sfs_entry *fs_file = seq->private; 989 990 if (!fs_file) 991 return 0; 992 993 switch (fs_file->v_type) { 994 case AA_SFS_TYPE_BOOLEAN: 995 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no"); 996 break; 997 case AA_SFS_TYPE_STRING: 998 seq_printf(seq, "%s\n", fs_file->v.string); 999 break; 1000 case AA_SFS_TYPE_U64: 1001 seq_printf(seq, "%#08lx\n", fs_file->v.u64); 1002 break; 1003 default: 1004 /* Ignore unpritable entry types. */ 1005 break; 1006 } 1007 1008 return 0; 1009 } 1010 aa_sfs_seq_open(struct inode * inode,struct file * file)1011 static int aa_sfs_seq_open(struct inode *inode, struct file *file) 1012 { 1013 return single_open(file, aa_sfs_seq_show, inode->i_private); 1014 } 1015 1016 const struct file_operations aa_sfs_seq_file_ops = { 1017 .owner = THIS_MODULE, 1018 .open = aa_sfs_seq_open, 1019 .read = seq_read, 1020 .llseek = seq_lseek, 1021 .release = single_release, 1022 }; 1023 1024 /* 1025 * profile based file operations 1026 * policy/profiles/XXXX/profiles/ * 1027 */ 1028 1029 #define SEQ_PROFILE_FOPS(NAME) \ 1030 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1031 { \ 1032 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \ 1033 } \ 1034 \ 1035 static const struct file_operations seq_profile_ ##NAME ##_fops = { \ 1036 .owner = THIS_MODULE, \ 1037 .open = seq_profile_ ##NAME ##_open, \ 1038 .read = seq_read, \ 1039 .llseek = seq_lseek, \ 1040 .release = seq_profile_release, \ 1041 } \ 1042 seq_profile_open(struct inode * inode,struct file * file,int (* show)(struct seq_file *,void *))1043 static int seq_profile_open(struct inode *inode, struct file *file, 1044 int (*show)(struct seq_file *, void *)) 1045 { 1046 struct aa_proxy *proxy = aa_get_proxy(inode->i_private); 1047 int error = single_open(file, show, proxy); 1048 1049 if (error) { 1050 file->private_data = NULL; 1051 aa_put_proxy(proxy); 1052 } 1053 1054 return error; 1055 } 1056 seq_profile_release(struct inode * inode,struct file * file)1057 static int seq_profile_release(struct inode *inode, struct file *file) 1058 { 1059 struct seq_file *seq = (struct seq_file *) file->private_data; 1060 if (seq) 1061 aa_put_proxy(seq->private); 1062 return single_release(inode, file); 1063 } 1064 seq_profile_name_show(struct seq_file * seq,void * v)1065 static int seq_profile_name_show(struct seq_file *seq, void *v) 1066 { 1067 struct aa_proxy *proxy = seq->private; 1068 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1069 struct aa_profile *profile = labels_profile(label); 1070 seq_printf(seq, "%s\n", profile->base.name); 1071 aa_put_label(label); 1072 1073 return 0; 1074 } 1075 seq_profile_mode_show(struct seq_file * seq,void * v)1076 static int seq_profile_mode_show(struct seq_file *seq, void *v) 1077 { 1078 struct aa_proxy *proxy = seq->private; 1079 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1080 struct aa_profile *profile = labels_profile(label); 1081 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]); 1082 aa_put_label(label); 1083 1084 return 0; 1085 } 1086 seq_profile_attach_show(struct seq_file * seq,void * v)1087 static int seq_profile_attach_show(struct seq_file *seq, void *v) 1088 { 1089 struct aa_proxy *proxy = seq->private; 1090 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1091 struct aa_profile *profile = labels_profile(label); 1092 if (profile->attach) 1093 seq_printf(seq, "%s\n", profile->attach); 1094 else if (profile->xmatch) 1095 seq_puts(seq, "<unknown>\n"); 1096 else 1097 seq_printf(seq, "%s\n", profile->base.name); 1098 aa_put_label(label); 1099 1100 return 0; 1101 } 1102 seq_profile_hash_show(struct seq_file * seq,void * v)1103 static int seq_profile_hash_show(struct seq_file *seq, void *v) 1104 { 1105 struct aa_proxy *proxy = seq->private; 1106 struct aa_label *label = aa_get_label_rcu(&proxy->label); 1107 struct aa_profile *profile = labels_profile(label); 1108 unsigned int i, size = aa_hash_size(); 1109 1110 if (profile->hash) { 1111 for (i = 0; i < size; i++) 1112 seq_printf(seq, "%.2x", profile->hash[i]); 1113 seq_putc(seq, '\n'); 1114 } 1115 aa_put_label(label); 1116 1117 return 0; 1118 } 1119 1120 SEQ_PROFILE_FOPS(name); 1121 SEQ_PROFILE_FOPS(mode); 1122 SEQ_PROFILE_FOPS(attach); 1123 SEQ_PROFILE_FOPS(hash); 1124 1125 /* 1126 * namespace based files 1127 * several root files and 1128 * policy/ * 1129 */ 1130 1131 #define SEQ_NS_FOPS(NAME) \ 1132 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \ 1133 { \ 1134 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \ 1135 } \ 1136 \ 1137 static const struct file_operations seq_ns_ ##NAME ##_fops = { \ 1138 .owner = THIS_MODULE, \ 1139 .open = seq_ns_ ##NAME ##_open, \ 1140 .read = seq_read, \ 1141 .llseek = seq_lseek, \ 1142 .release = single_release, \ 1143 } \ 1144 seq_ns_stacked_show(struct seq_file * seq,void * v)1145 static int seq_ns_stacked_show(struct seq_file *seq, void *v) 1146 { 1147 struct aa_label *label; 1148 1149 label = begin_current_label_crit_section(); 1150 seq_printf(seq, "%s\n", label->size > 1 ? "yes" : "no"); 1151 end_current_label_crit_section(label); 1152 1153 return 0; 1154 } 1155 seq_ns_nsstacked_show(struct seq_file * seq,void * v)1156 static int seq_ns_nsstacked_show(struct seq_file *seq, void *v) 1157 { 1158 struct aa_label *label; 1159 struct aa_profile *profile; 1160 struct label_it it; 1161 int count = 1; 1162 1163 label = begin_current_label_crit_section(); 1164 1165 if (label->size > 1) { 1166 label_for_each(it, label, profile) 1167 if (profile->ns != labels_ns(label)) { 1168 count++; 1169 break; 1170 } 1171 } 1172 1173 seq_printf(seq, "%s\n", count > 1 ? "yes" : "no"); 1174 end_current_label_crit_section(label); 1175 1176 return 0; 1177 } 1178 seq_ns_level_show(struct seq_file * seq,void * v)1179 static int seq_ns_level_show(struct seq_file *seq, void *v) 1180 { 1181 struct aa_label *label; 1182 1183 label = begin_current_label_crit_section(); 1184 seq_printf(seq, "%d\n", labels_ns(label)->level); 1185 end_current_label_crit_section(label); 1186 1187 return 0; 1188 } 1189 seq_ns_name_show(struct seq_file * seq,void * v)1190 static int seq_ns_name_show(struct seq_file *seq, void *v) 1191 { 1192 struct aa_label *label = begin_current_label_crit_section(); 1193 seq_printf(seq, "%s\n", labels_ns(label)->base.name); 1194 end_current_label_crit_section(label); 1195 1196 return 0; 1197 } 1198 1199 SEQ_NS_FOPS(stacked); 1200 SEQ_NS_FOPS(nsstacked); 1201 SEQ_NS_FOPS(level); 1202 SEQ_NS_FOPS(name); 1203 1204 1205 /* policy/raw_data/ * file ops */ 1206 1207 #define SEQ_RAWDATA_FOPS(NAME) \ 1208 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\ 1209 { \ 1210 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \ 1211 } \ 1212 \ 1213 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \ 1214 .owner = THIS_MODULE, \ 1215 .open = seq_rawdata_ ##NAME ##_open, \ 1216 .read = seq_read, \ 1217 .llseek = seq_lseek, \ 1218 .release = seq_rawdata_release, \ 1219 } \ 1220 seq_rawdata_open(struct inode * inode,struct file * file,int (* show)(struct seq_file *,void *))1221 static int seq_rawdata_open(struct inode *inode, struct file *file, 1222 int (*show)(struct seq_file *, void *)) 1223 { 1224 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private); 1225 int error; 1226 1227 if (!data) 1228 /* lost race this ent is being reaped */ 1229 return -ENOENT; 1230 1231 error = single_open(file, show, data); 1232 if (error) { 1233 AA_BUG(file->private_data && 1234 ((struct seq_file *)file->private_data)->private); 1235 aa_put_loaddata(data); 1236 } 1237 1238 return error; 1239 } 1240 seq_rawdata_release(struct inode * inode,struct file * file)1241 static int seq_rawdata_release(struct inode *inode, struct file *file) 1242 { 1243 struct seq_file *seq = (struct seq_file *) file->private_data; 1244 1245 if (seq) 1246 aa_put_loaddata(seq->private); 1247 1248 return single_release(inode, file); 1249 } 1250 seq_rawdata_abi_show(struct seq_file * seq,void * v)1251 static int seq_rawdata_abi_show(struct seq_file *seq, void *v) 1252 { 1253 struct aa_loaddata *data = seq->private; 1254 1255 seq_printf(seq, "v%d\n", data->abi); 1256 1257 return 0; 1258 } 1259 seq_rawdata_revision_show(struct seq_file * seq,void * v)1260 static int seq_rawdata_revision_show(struct seq_file *seq, void *v) 1261 { 1262 struct aa_loaddata *data = seq->private; 1263 1264 seq_printf(seq, "%ld\n", data->revision); 1265 1266 return 0; 1267 } 1268 seq_rawdata_hash_show(struct seq_file * seq,void * v)1269 static int seq_rawdata_hash_show(struct seq_file *seq, void *v) 1270 { 1271 struct aa_loaddata *data = seq->private; 1272 unsigned int i, size = aa_hash_size(); 1273 1274 if (data->hash) { 1275 for (i = 0; i < size; i++) 1276 seq_printf(seq, "%.2x", data->hash[i]); 1277 seq_putc(seq, '\n'); 1278 } 1279 1280 return 0; 1281 } 1282 1283 SEQ_RAWDATA_FOPS(abi); 1284 SEQ_RAWDATA_FOPS(revision); 1285 SEQ_RAWDATA_FOPS(hash); 1286 rawdata_read(struct file * file,char __user * buf,size_t size,loff_t * ppos)1287 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size, 1288 loff_t *ppos) 1289 { 1290 struct aa_loaddata *rawdata = file->private_data; 1291 1292 return simple_read_from_buffer(buf, size, ppos, rawdata->data, 1293 rawdata->size); 1294 } 1295 rawdata_release(struct inode * inode,struct file * file)1296 static int rawdata_release(struct inode *inode, struct file *file) 1297 { 1298 aa_put_loaddata(file->private_data); 1299 1300 return 0; 1301 } 1302 rawdata_open(struct inode * inode,struct file * file)1303 static int rawdata_open(struct inode *inode, struct file *file) 1304 { 1305 if (!policy_view_capable(NULL)) 1306 return -EACCES; 1307 file->private_data = __aa_get_loaddata(inode->i_private); 1308 if (!file->private_data) 1309 /* lost race: this entry is being reaped */ 1310 return -ENOENT; 1311 1312 return 0; 1313 } 1314 1315 static const struct file_operations rawdata_fops = { 1316 .open = rawdata_open, 1317 .read = rawdata_read, 1318 .llseek = generic_file_llseek, 1319 .release = rawdata_release, 1320 }; 1321 remove_rawdata_dents(struct aa_loaddata * rawdata)1322 static void remove_rawdata_dents(struct aa_loaddata *rawdata) 1323 { 1324 int i; 1325 1326 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { 1327 if (!IS_ERR_OR_NULL(rawdata->dents[i])) { 1328 /* no refcounts on i_private */ 1329 aafs_remove(rawdata->dents[i]); 1330 rawdata->dents[i] = NULL; 1331 } 1332 } 1333 } 1334 __aa_fs_remove_rawdata(struct aa_loaddata * rawdata)1335 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata) 1336 { 1337 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock)); 1338 1339 if (rawdata->ns) { 1340 remove_rawdata_dents(rawdata); 1341 list_del_init(&rawdata->list); 1342 aa_put_ns(rawdata->ns); 1343 rawdata->ns = NULL; 1344 } 1345 } 1346 __aa_fs_create_rawdata(struct aa_ns * ns,struct aa_loaddata * rawdata)1347 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata) 1348 { 1349 struct dentry *dent, *dir; 1350 1351 AA_BUG(!ns); 1352 AA_BUG(!rawdata); 1353 AA_BUG(!mutex_is_locked(&ns->lock)); 1354 AA_BUG(!ns_subdata_dir(ns)); 1355 1356 /* 1357 * just use ns revision dir was originally created at. This is 1358 * under ns->lock and if load is successful revision will be 1359 * bumped and is guaranteed to be unique 1360 */ 1361 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); 1362 if (!rawdata->name) 1363 return -ENOMEM; 1364 1365 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); 1366 if (IS_ERR(dir)) 1367 /* ->name freed when rawdata freed */ 1368 return PTR_ERR(dir); 1369 rawdata->dents[AAFS_LOADDATA_DIR] = dir; 1370 1371 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata, 1372 &seq_rawdata_abi_fops); 1373 if (IS_ERR(dent)) 1374 goto fail; 1375 rawdata->dents[AAFS_LOADDATA_ABI] = dent; 1376 1377 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata, 1378 &seq_rawdata_revision_fops); 1379 if (IS_ERR(dent)) 1380 goto fail; 1381 rawdata->dents[AAFS_LOADDATA_REVISION] = dent; 1382 1383 if (aa_g_hash_policy) { 1384 dent = aafs_create_file("sha1", S_IFREG | 0444, dir, 1385 rawdata, &seq_rawdata_hash_fops); 1386 if (IS_ERR(dent)) 1387 goto fail; 1388 rawdata->dents[AAFS_LOADDATA_HASH] = dent; 1389 } 1390 1391 dent = aafs_create_file("raw_data", S_IFREG | 0444, 1392 dir, rawdata, &rawdata_fops); 1393 if (IS_ERR(dent)) 1394 goto fail; 1395 rawdata->dents[AAFS_LOADDATA_DATA] = dent; 1396 d_inode(dent)->i_size = rawdata->size; 1397 1398 rawdata->ns = aa_get_ns(ns); 1399 list_add(&rawdata->list, &ns->rawdata_list); 1400 /* no refcount on inode rawdata */ 1401 1402 return 0; 1403 1404 fail: 1405 remove_rawdata_dents(rawdata); 1406 1407 return PTR_ERR(dent); 1408 } 1409 1410 /** fns to setup dynamic per profile/namespace files **/ 1411 1412 /** 1413 * 1414 * Requires: @profile->ns->lock held 1415 */ __aafs_profile_rmdir(struct aa_profile * profile)1416 void __aafs_profile_rmdir(struct aa_profile *profile) 1417 { 1418 struct aa_profile *child; 1419 int i; 1420 1421 if (!profile) 1422 return; 1423 1424 list_for_each_entry(child, &profile->base.profiles, base.list) 1425 __aafs_profile_rmdir(child); 1426 1427 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) { 1428 struct aa_proxy *proxy; 1429 if (!profile->dents[i]) 1430 continue; 1431 1432 proxy = d_inode(profile->dents[i])->i_private; 1433 aafs_remove(profile->dents[i]); 1434 aa_put_proxy(proxy); 1435 profile->dents[i] = NULL; 1436 } 1437 } 1438 1439 /** 1440 * 1441 * Requires: @old->ns->lock held 1442 */ __aafs_profile_migrate_dents(struct aa_profile * old,struct aa_profile * new)1443 void __aafs_profile_migrate_dents(struct aa_profile *old, 1444 struct aa_profile *new) 1445 { 1446 int i; 1447 1448 AA_BUG(!old); 1449 AA_BUG(!new); 1450 AA_BUG(!mutex_is_locked(&profiles_ns(old)->lock)); 1451 1452 for (i = 0; i < AAFS_PROF_SIZEOF; i++) { 1453 new->dents[i] = old->dents[i]; 1454 if (new->dents[i]) 1455 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode); 1456 old->dents[i] = NULL; 1457 } 1458 } 1459 create_profile_file(struct dentry * dir,const char * name,struct aa_profile * profile,const struct file_operations * fops)1460 static struct dentry *create_profile_file(struct dentry *dir, const char *name, 1461 struct aa_profile *profile, 1462 const struct file_operations *fops) 1463 { 1464 struct aa_proxy *proxy = aa_get_proxy(profile->label.proxy); 1465 struct dentry *dent; 1466 1467 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops); 1468 if (IS_ERR(dent)) 1469 aa_put_proxy(proxy); 1470 1471 return dent; 1472 } 1473 profile_depth(struct aa_profile * profile)1474 static int profile_depth(struct aa_profile *profile) 1475 { 1476 int depth = 0; 1477 1478 rcu_read_lock(); 1479 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent)) 1480 depth++; 1481 rcu_read_unlock(); 1482 1483 return depth; 1484 } 1485 gen_symlink_name(int depth,const char * dirname,const char * fname)1486 static char *gen_symlink_name(int depth, const char *dirname, const char *fname) 1487 { 1488 char *buffer, *s; 1489 int error; 1490 int size = depth * 6 + strlen(dirname) + strlen(fname) + 11; 1491 1492 s = buffer = kmalloc(size, GFP_KERNEL); 1493 if (!buffer) 1494 return ERR_PTR(-ENOMEM); 1495 1496 for (; depth > 0; depth--) { 1497 strcpy(s, "../../"); 1498 s += 6; 1499 size -= 6; 1500 } 1501 1502 error = snprintf(s, size, "raw_data/%s/%s", dirname, fname); 1503 if (error >= size || error < 0) { 1504 kfree(buffer); 1505 return ERR_PTR(-ENAMETOOLONG); 1506 } 1507 1508 return buffer; 1509 } 1510 rawdata_link_cb(void * arg)1511 static void rawdata_link_cb(void *arg) 1512 { 1513 kfree(arg); 1514 } 1515 rawdata_get_link_base(struct dentry * dentry,struct inode * inode,struct delayed_call * done,const char * name)1516 static const char *rawdata_get_link_base(struct dentry *dentry, 1517 struct inode *inode, 1518 struct delayed_call *done, 1519 const char *name) 1520 { 1521 struct aa_proxy *proxy = inode->i_private; 1522 struct aa_label *label; 1523 struct aa_profile *profile; 1524 char *target; 1525 int depth; 1526 1527 if (!dentry) 1528 return ERR_PTR(-ECHILD); 1529 1530 label = aa_get_label_rcu(&proxy->label); 1531 profile = labels_profile(label); 1532 depth = profile_depth(profile); 1533 target = gen_symlink_name(depth, profile->rawdata->name, name); 1534 aa_put_label(label); 1535 1536 if (IS_ERR(target)) 1537 return target; 1538 1539 set_delayed_call(done, rawdata_link_cb, target); 1540 1541 return target; 1542 } 1543 rawdata_get_link_sha1(struct dentry * dentry,struct inode * inode,struct delayed_call * done)1544 static const char *rawdata_get_link_sha1(struct dentry *dentry, 1545 struct inode *inode, 1546 struct delayed_call *done) 1547 { 1548 return rawdata_get_link_base(dentry, inode, done, "sha1"); 1549 } 1550 rawdata_get_link_abi(struct dentry * dentry,struct inode * inode,struct delayed_call * done)1551 static const char *rawdata_get_link_abi(struct dentry *dentry, 1552 struct inode *inode, 1553 struct delayed_call *done) 1554 { 1555 return rawdata_get_link_base(dentry, inode, done, "abi"); 1556 } 1557 rawdata_get_link_data(struct dentry * dentry,struct inode * inode,struct delayed_call * done)1558 static const char *rawdata_get_link_data(struct dentry *dentry, 1559 struct inode *inode, 1560 struct delayed_call *done) 1561 { 1562 return rawdata_get_link_base(dentry, inode, done, "raw_data"); 1563 } 1564 1565 static const struct inode_operations rawdata_link_sha1_iops = { 1566 .get_link = rawdata_get_link_sha1, 1567 }; 1568 1569 static const struct inode_operations rawdata_link_abi_iops = { 1570 .get_link = rawdata_get_link_abi, 1571 }; 1572 static const struct inode_operations rawdata_link_data_iops = { 1573 .get_link = rawdata_get_link_data, 1574 }; 1575 1576 1577 /* 1578 * Requires: @profile->ns->lock held 1579 */ __aafs_profile_mkdir(struct aa_profile * profile,struct dentry * parent)1580 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent) 1581 { 1582 struct aa_profile *child; 1583 struct dentry *dent = NULL, *dir; 1584 int error; 1585 1586 AA_BUG(!profile); 1587 AA_BUG(!mutex_is_locked(&profiles_ns(profile)->lock)); 1588 1589 if (!parent) { 1590 struct aa_profile *p; 1591 p = aa_deref_parent(profile); 1592 dent = prof_dir(p); 1593 /* adding to parent that previously didn't have children */ 1594 dent = aafs_create_dir("profiles", dent); 1595 if (IS_ERR(dent)) 1596 goto fail; 1597 prof_child_dir(p) = parent = dent; 1598 } 1599 1600 if (!profile->dirname) { 1601 int len, id_len; 1602 len = mangle_name(profile->base.name, NULL); 1603 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id); 1604 1605 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL); 1606 if (!profile->dirname) { 1607 error = -ENOMEM; 1608 goto fail2; 1609 } 1610 1611 mangle_name(profile->base.name, profile->dirname); 1612 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++); 1613 } 1614 1615 dent = aafs_create_dir(profile->dirname, parent); 1616 if (IS_ERR(dent)) 1617 goto fail; 1618 prof_dir(profile) = dir = dent; 1619 1620 dent = create_profile_file(dir, "name", profile, 1621 &seq_profile_name_fops); 1622 if (IS_ERR(dent)) 1623 goto fail; 1624 profile->dents[AAFS_PROF_NAME] = dent; 1625 1626 dent = create_profile_file(dir, "mode", profile, 1627 &seq_profile_mode_fops); 1628 if (IS_ERR(dent)) 1629 goto fail; 1630 profile->dents[AAFS_PROF_MODE] = dent; 1631 1632 dent = create_profile_file(dir, "attach", profile, 1633 &seq_profile_attach_fops); 1634 if (IS_ERR(dent)) 1635 goto fail; 1636 profile->dents[AAFS_PROF_ATTACH] = dent; 1637 1638 if (profile->hash) { 1639 dent = create_profile_file(dir, "sha1", profile, 1640 &seq_profile_hash_fops); 1641 if (IS_ERR(dent)) 1642 goto fail; 1643 profile->dents[AAFS_PROF_HASH] = dent; 1644 } 1645 1646 if (profile->rawdata) { 1647 dent = aafs_create_symlink("raw_sha1", dir, NULL, 1648 profile->label.proxy, 1649 &rawdata_link_sha1_iops); 1650 if (IS_ERR(dent)) 1651 goto fail; 1652 aa_get_proxy(profile->label.proxy); 1653 profile->dents[AAFS_PROF_RAW_HASH] = dent; 1654 1655 dent = aafs_create_symlink("raw_abi", dir, NULL, 1656 profile->label.proxy, 1657 &rawdata_link_abi_iops); 1658 if (IS_ERR(dent)) 1659 goto fail; 1660 aa_get_proxy(profile->label.proxy); 1661 profile->dents[AAFS_PROF_RAW_ABI] = dent; 1662 1663 dent = aafs_create_symlink("raw_data", dir, NULL, 1664 profile->label.proxy, 1665 &rawdata_link_data_iops); 1666 if (IS_ERR(dent)) 1667 goto fail; 1668 aa_get_proxy(profile->label.proxy); 1669 profile->dents[AAFS_PROF_RAW_DATA] = dent; 1670 } 1671 1672 list_for_each_entry(child, &profile->base.profiles, base.list) { 1673 error = __aafs_profile_mkdir(child, prof_child_dir(profile)); 1674 if (error) 1675 goto fail2; 1676 } 1677 1678 return 0; 1679 1680 fail: 1681 error = PTR_ERR(dent); 1682 1683 fail2: 1684 __aafs_profile_rmdir(profile); 1685 1686 return error; 1687 } 1688 ns_mkdir_op(struct inode * dir,struct dentry * dentry,umode_t mode)1689 static int ns_mkdir_op(struct inode *dir, struct dentry *dentry, umode_t mode) 1690 { 1691 struct aa_ns *ns, *parent; 1692 /* TODO: improve permission check */ 1693 struct aa_label *label; 1694 int error; 1695 1696 label = begin_current_label_crit_section(); 1697 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); 1698 end_current_label_crit_section(label); 1699 if (error) 1700 return error; 1701 1702 parent = aa_get_ns(dir->i_private); 1703 AA_BUG(d_inode(ns_subns_dir(parent)) != dir); 1704 1705 /* we have to unlock and then relock to get locking order right 1706 * for pin_fs 1707 */ 1708 inode_unlock(dir); 1709 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); 1710 mutex_lock_nested(&parent->lock, parent->level); 1711 inode_lock_nested(dir, I_MUTEX_PARENT); 1712 if (error) 1713 goto out; 1714 1715 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL, 1716 NULL, NULL, NULL); 1717 if (error) 1718 goto out_pin; 1719 1720 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name), 1721 dentry); 1722 if (IS_ERR(ns)) { 1723 error = PTR_ERR(ns); 1724 ns = NULL; 1725 } 1726 1727 aa_put_ns(ns); /* list ref remains */ 1728 out_pin: 1729 if (error) 1730 simple_release_fs(&aafs_mnt, &aafs_count); 1731 out: 1732 mutex_unlock(&parent->lock); 1733 aa_put_ns(parent); 1734 1735 return error; 1736 } 1737 ns_rmdir_op(struct inode * dir,struct dentry * dentry)1738 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry) 1739 { 1740 struct aa_ns *ns, *parent; 1741 /* TODO: improve permission check */ 1742 struct aa_label *label; 1743 int error; 1744 1745 label = begin_current_label_crit_section(); 1746 error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY); 1747 end_current_label_crit_section(label); 1748 if (error) 1749 return error; 1750 1751 parent = aa_get_ns(dir->i_private); 1752 /* rmdir calls the generic securityfs functions to remove files 1753 * from the apparmor dir. It is up to the apparmor ns locking 1754 * to avoid races. 1755 */ 1756 inode_unlock(dir); 1757 inode_unlock(dentry->d_inode); 1758 1759 mutex_lock_nested(&parent->lock, parent->level); 1760 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name, 1761 dentry->d_name.len)); 1762 if (!ns) { 1763 error = -ENOENT; 1764 goto out; 1765 } 1766 AA_BUG(ns_dir(ns) != dentry); 1767 1768 __aa_remove_ns(ns); 1769 aa_put_ns(ns); 1770 1771 out: 1772 mutex_unlock(&parent->lock); 1773 inode_lock_nested(dir, I_MUTEX_PARENT); 1774 inode_lock(dentry->d_inode); 1775 aa_put_ns(parent); 1776 1777 return error; 1778 } 1779 1780 static const struct inode_operations ns_dir_inode_operations = { 1781 .lookup = simple_lookup, 1782 .mkdir = ns_mkdir_op, 1783 .rmdir = ns_rmdir_op, 1784 }; 1785 __aa_fs_list_remove_rawdata(struct aa_ns * ns)1786 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns) 1787 { 1788 struct aa_loaddata *ent, *tmp; 1789 1790 AA_BUG(!mutex_is_locked(&ns->lock)); 1791 1792 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list) 1793 __aa_fs_remove_rawdata(ent); 1794 } 1795 1796 /** 1797 * 1798 * Requires: @ns->lock held 1799 */ __aafs_ns_rmdir(struct aa_ns * ns)1800 void __aafs_ns_rmdir(struct aa_ns *ns) 1801 { 1802 struct aa_ns *sub; 1803 struct aa_profile *child; 1804 int i; 1805 1806 if (!ns) 1807 return; 1808 AA_BUG(!mutex_is_locked(&ns->lock)); 1809 1810 list_for_each_entry(child, &ns->base.profiles, base.list) 1811 __aafs_profile_rmdir(child); 1812 1813 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1814 mutex_lock_nested(&sub->lock, sub->level); 1815 __aafs_ns_rmdir(sub); 1816 mutex_unlock(&sub->lock); 1817 } 1818 1819 __aa_fs_list_remove_rawdata(ns); 1820 1821 if (ns_subns_dir(ns)) { 1822 sub = d_inode(ns_subns_dir(ns))->i_private; 1823 aa_put_ns(sub); 1824 } 1825 if (ns_subload(ns)) { 1826 sub = d_inode(ns_subload(ns))->i_private; 1827 aa_put_ns(sub); 1828 } 1829 if (ns_subreplace(ns)) { 1830 sub = d_inode(ns_subreplace(ns))->i_private; 1831 aa_put_ns(sub); 1832 } 1833 if (ns_subremove(ns)) { 1834 sub = d_inode(ns_subremove(ns))->i_private; 1835 aa_put_ns(sub); 1836 } 1837 if (ns_subrevision(ns)) { 1838 sub = d_inode(ns_subrevision(ns))->i_private; 1839 aa_put_ns(sub); 1840 } 1841 1842 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) { 1843 aafs_remove(ns->dents[i]); 1844 ns->dents[i] = NULL; 1845 } 1846 } 1847 1848 /* assumes cleanup in caller */ __aafs_ns_mkdir_entries(struct aa_ns * ns,struct dentry * dir)1849 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir) 1850 { 1851 struct dentry *dent; 1852 1853 AA_BUG(!ns); 1854 AA_BUG(!dir); 1855 1856 dent = aafs_create_dir("profiles", dir); 1857 if (IS_ERR(dent)) 1858 return PTR_ERR(dent); 1859 ns_subprofs_dir(ns) = dent; 1860 1861 dent = aafs_create_dir("raw_data", dir); 1862 if (IS_ERR(dent)) 1863 return PTR_ERR(dent); 1864 ns_subdata_dir(ns) = dent; 1865 1866 dent = aafs_create_file("revision", 0444, dir, ns, 1867 &aa_fs_ns_revision_fops); 1868 if (IS_ERR(dent)) 1869 return PTR_ERR(dent); 1870 aa_get_ns(ns); 1871 ns_subrevision(ns) = dent; 1872 1873 dent = aafs_create_file(".load", 0640, dir, ns, 1874 &aa_fs_profile_load); 1875 if (IS_ERR(dent)) 1876 return PTR_ERR(dent); 1877 aa_get_ns(ns); 1878 ns_subload(ns) = dent; 1879 1880 dent = aafs_create_file(".replace", 0640, dir, ns, 1881 &aa_fs_profile_replace); 1882 if (IS_ERR(dent)) 1883 return PTR_ERR(dent); 1884 aa_get_ns(ns); 1885 ns_subreplace(ns) = dent; 1886 1887 dent = aafs_create_file(".remove", 0640, dir, ns, 1888 &aa_fs_profile_remove); 1889 if (IS_ERR(dent)) 1890 return PTR_ERR(dent); 1891 aa_get_ns(ns); 1892 ns_subremove(ns) = dent; 1893 1894 /* use create_dentry so we can supply private data */ 1895 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL, 1896 &ns_dir_inode_operations); 1897 if (IS_ERR(dent)) 1898 return PTR_ERR(dent); 1899 aa_get_ns(ns); 1900 ns_subns_dir(ns) = dent; 1901 1902 return 0; 1903 } 1904 1905 /* 1906 * Requires: @ns->lock held 1907 */ __aafs_ns_mkdir(struct aa_ns * ns,struct dentry * parent,const char * name,struct dentry * dent)1908 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name, 1909 struct dentry *dent) 1910 { 1911 struct aa_ns *sub; 1912 struct aa_profile *child; 1913 struct dentry *dir; 1914 int error; 1915 1916 AA_BUG(!ns); 1917 AA_BUG(!parent); 1918 AA_BUG(!mutex_is_locked(&ns->lock)); 1919 1920 if (!name) 1921 name = ns->base.name; 1922 1923 if (!dent) { 1924 /* create ns dir if it doesn't already exist */ 1925 dent = aafs_create_dir(name, parent); 1926 if (IS_ERR(dent)) 1927 goto fail; 1928 } else 1929 dget(dent); 1930 ns_dir(ns) = dir = dent; 1931 error = __aafs_ns_mkdir_entries(ns, dir); 1932 if (error) 1933 goto fail2; 1934 1935 /* profiles */ 1936 list_for_each_entry(child, &ns->base.profiles, base.list) { 1937 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns)); 1938 if (error) 1939 goto fail2; 1940 } 1941 1942 /* subnamespaces */ 1943 list_for_each_entry(sub, &ns->sub_ns, base.list) { 1944 mutex_lock_nested(&sub->lock, sub->level); 1945 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL); 1946 mutex_unlock(&sub->lock); 1947 if (error) 1948 goto fail2; 1949 } 1950 1951 return 0; 1952 1953 fail: 1954 error = PTR_ERR(dent); 1955 1956 fail2: 1957 __aafs_ns_rmdir(ns); 1958 1959 return error; 1960 } 1961 1962 1963 #define list_entry_is_head(pos, head, member) (&pos->member == (head)) 1964 1965 /** 1966 * __next_ns - find the next namespace to list 1967 * @root: root namespace to stop search at (NOT NULL) 1968 * @ns: current ns position (NOT NULL) 1969 * 1970 * Find the next namespace from @ns under @root and handle all locking needed 1971 * while switching current namespace. 1972 * 1973 * Returns: next namespace or NULL if at last namespace under @root 1974 * Requires: ns->parent->lock to be held 1975 * NOTE: will not unlock root->lock 1976 */ __next_ns(struct aa_ns * root,struct aa_ns * ns)1977 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns) 1978 { 1979 struct aa_ns *parent, *next; 1980 1981 AA_BUG(!root); 1982 AA_BUG(!ns); 1983 AA_BUG(ns != root && !mutex_is_locked(&ns->parent->lock)); 1984 1985 /* is next namespace a child */ 1986 if (!list_empty(&ns->sub_ns)) { 1987 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); 1988 mutex_lock_nested(&next->lock, next->level); 1989 return next; 1990 } 1991 1992 /* check if the next ns is a sibling, parent, gp, .. */ 1993 parent = ns->parent; 1994 while (ns != root) { 1995 mutex_unlock(&ns->lock); 1996 next = list_next_entry(ns, base.list); 1997 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) { 1998 mutex_lock_nested(&next->lock, next->level); 1999 return next; 2000 } 2001 ns = parent; 2002 parent = parent->parent; 2003 } 2004 2005 return NULL; 2006 } 2007 2008 /** 2009 * __first_profile - find the first profile in a namespace 2010 * @root: namespace that is root of profiles being displayed (NOT NULL) 2011 * @ns: namespace to start in (NOT NULL) 2012 * 2013 * Returns: unrefcounted profile or NULL if no profile 2014 * Requires: profile->ns.lock to be held 2015 */ __first_profile(struct aa_ns * root,struct aa_ns * ns)2016 static struct aa_profile *__first_profile(struct aa_ns *root, 2017 struct aa_ns *ns) 2018 { 2019 AA_BUG(!root); 2020 AA_BUG(ns && !mutex_is_locked(&ns->lock)); 2021 2022 for (; ns; ns = __next_ns(root, ns)) { 2023 if (!list_empty(&ns->base.profiles)) 2024 return list_first_entry(&ns->base.profiles, 2025 struct aa_profile, base.list); 2026 } 2027 return NULL; 2028 } 2029 2030 /** 2031 * __next_profile - step to the next profile in a profile tree 2032 * @profile: current profile in tree (NOT NULL) 2033 * 2034 * Perform a depth first traversal on the profile tree in a namespace 2035 * 2036 * Returns: next profile or NULL if done 2037 * Requires: profile->ns.lock to be held 2038 */ __next_profile(struct aa_profile * p)2039 static struct aa_profile *__next_profile(struct aa_profile *p) 2040 { 2041 struct aa_profile *parent; 2042 struct aa_ns *ns = p->ns; 2043 2044 AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock)); 2045 2046 /* is next profile a child */ 2047 if (!list_empty(&p->base.profiles)) 2048 return list_first_entry(&p->base.profiles, typeof(*p), 2049 base.list); 2050 2051 /* is next profile a sibling, parent sibling, gp, sibling, .. */ 2052 parent = rcu_dereference_protected(p->parent, 2053 mutex_is_locked(&p->ns->lock)); 2054 while (parent) { 2055 p = list_next_entry(p, base.list); 2056 if (!list_entry_is_head(p, &parent->base.profiles, base.list)) 2057 return p; 2058 p = parent; 2059 parent = rcu_dereference_protected(parent->parent, 2060 mutex_is_locked(&parent->ns->lock)); 2061 } 2062 2063 /* is next another profile in the namespace */ 2064 p = list_next_entry(p, base.list); 2065 if (!list_entry_is_head(p, &ns->base.profiles, base.list)) 2066 return p; 2067 2068 return NULL; 2069 } 2070 2071 /** 2072 * next_profile - step to the next profile in where ever it may be 2073 * @root: root namespace (NOT NULL) 2074 * @profile: current profile (NOT NULL) 2075 * 2076 * Returns: next profile or NULL if there isn't one 2077 */ next_profile(struct aa_ns * root,struct aa_profile * profile)2078 static struct aa_profile *next_profile(struct aa_ns *root, 2079 struct aa_profile *profile) 2080 { 2081 struct aa_profile *next = __next_profile(profile); 2082 if (next) 2083 return next; 2084 2085 /* finished all profiles in namespace move to next namespace */ 2086 return __first_profile(root, __next_ns(root, profile->ns)); 2087 } 2088 2089 /** 2090 * p_start - start a depth first traversal of profile tree 2091 * @f: seq_file to fill 2092 * @pos: current position 2093 * 2094 * Returns: first profile under current namespace or NULL if none found 2095 * 2096 * acquires first ns->lock 2097 */ p_start(struct seq_file * f,loff_t * pos)2098 static void *p_start(struct seq_file *f, loff_t *pos) 2099 { 2100 struct aa_profile *profile = NULL; 2101 struct aa_ns *root = aa_get_current_ns(); 2102 loff_t l = *pos; 2103 f->private = root; 2104 2105 /* find the first profile */ 2106 mutex_lock_nested(&root->lock, root->level); 2107 profile = __first_profile(root, root); 2108 2109 /* skip to position */ 2110 for (; profile && l > 0; l--) 2111 profile = next_profile(root, profile); 2112 2113 return profile; 2114 } 2115 2116 /** 2117 * p_next - read the next profile entry 2118 * @f: seq_file to fill 2119 * @p: profile previously returned 2120 * @pos: current position 2121 * 2122 * Returns: next profile after @p or NULL if none 2123 * 2124 * may acquire/release locks in namespace tree as necessary 2125 */ p_next(struct seq_file * f,void * p,loff_t * pos)2126 static void *p_next(struct seq_file *f, void *p, loff_t *pos) 2127 { 2128 struct aa_profile *profile = p; 2129 struct aa_ns *ns = f->private; 2130 (*pos)++; 2131 2132 return next_profile(ns, profile); 2133 } 2134 2135 /** 2136 * p_stop - stop depth first traversal 2137 * @f: seq_file we are filling 2138 * @p: the last profile writen 2139 * 2140 * Release all locking done by p_start/p_next on namespace tree 2141 */ p_stop(struct seq_file * f,void * p)2142 static void p_stop(struct seq_file *f, void *p) 2143 { 2144 struct aa_profile *profile = p; 2145 struct aa_ns *root = f->private, *ns; 2146 2147 if (profile) { 2148 for (ns = profile->ns; ns && ns != root; ns = ns->parent) 2149 mutex_unlock(&ns->lock); 2150 } 2151 mutex_unlock(&root->lock); 2152 aa_put_ns(root); 2153 } 2154 2155 /** 2156 * seq_show_profile - show a profile entry 2157 * @f: seq_file to file 2158 * @p: current position (profile) (NOT NULL) 2159 * 2160 * Returns: error on failure 2161 */ seq_show_profile(struct seq_file * f,void * p)2162 static int seq_show_profile(struct seq_file *f, void *p) 2163 { 2164 struct aa_profile *profile = (struct aa_profile *)p; 2165 struct aa_ns *root = f->private; 2166 2167 aa_label_seq_xprint(f, root, &profile->label, 2168 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS, GFP_KERNEL); 2169 seq_putc(f, '\n'); 2170 2171 return 0; 2172 } 2173 2174 static const struct seq_operations aa_sfs_profiles_op = { 2175 .start = p_start, 2176 .next = p_next, 2177 .stop = p_stop, 2178 .show = seq_show_profile, 2179 }; 2180 profiles_open(struct inode * inode,struct file * file)2181 static int profiles_open(struct inode *inode, struct file *file) 2182 { 2183 if (!policy_view_capable(NULL)) 2184 return -EACCES; 2185 2186 return seq_open(file, &aa_sfs_profiles_op); 2187 } 2188 profiles_release(struct inode * inode,struct file * file)2189 static int profiles_release(struct inode *inode, struct file *file) 2190 { 2191 return seq_release(inode, file); 2192 } 2193 2194 static const struct file_operations aa_sfs_profiles_fops = { 2195 .open = profiles_open, 2196 .read = seq_read, 2197 .llseek = seq_lseek, 2198 .release = profiles_release, 2199 }; 2200 2201 2202 /** Base file system setup **/ 2203 static struct aa_sfs_entry aa_sfs_entry_file[] = { 2204 AA_SFS_FILE_STRING("mask", 2205 "create read write exec append mmap_exec link lock"), 2206 { } 2207 }; 2208 2209 static struct aa_sfs_entry aa_sfs_entry_ptrace[] = { 2210 AA_SFS_FILE_STRING("mask", "read trace"), 2211 { } 2212 }; 2213 2214 static struct aa_sfs_entry aa_sfs_entry_signal[] = { 2215 AA_SFS_FILE_STRING("mask", AA_SFS_SIG_MASK), 2216 { } 2217 }; 2218 2219 static struct aa_sfs_entry aa_sfs_entry_attach[] = { 2220 AA_SFS_FILE_BOOLEAN("xattr", 1), 2221 { } 2222 }; 2223 static struct aa_sfs_entry aa_sfs_entry_domain[] = { 2224 AA_SFS_FILE_BOOLEAN("change_hat", 1), 2225 AA_SFS_FILE_BOOLEAN("change_hatv", 1), 2226 AA_SFS_FILE_BOOLEAN("change_onexec", 1), 2227 AA_SFS_FILE_BOOLEAN("change_profile", 1), 2228 AA_SFS_FILE_BOOLEAN("stack", 1), 2229 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1), 2230 AA_SFS_FILE_BOOLEAN("post_nnp_subset", 1), 2231 AA_SFS_FILE_BOOLEAN("computed_longest_left", 1), 2232 AA_SFS_DIR("attach_conditions", aa_sfs_entry_attach), 2233 AA_SFS_FILE_STRING("version", "1.2"), 2234 { } 2235 }; 2236 2237 static struct aa_sfs_entry aa_sfs_entry_versions[] = { 2238 AA_SFS_FILE_BOOLEAN("v5", 1), 2239 AA_SFS_FILE_BOOLEAN("v6", 1), 2240 AA_SFS_FILE_BOOLEAN("v7", 1), 2241 AA_SFS_FILE_BOOLEAN("v8", 1), 2242 { } 2243 }; 2244 2245 static struct aa_sfs_entry aa_sfs_entry_policy[] = { 2246 AA_SFS_DIR("versions", aa_sfs_entry_versions), 2247 AA_SFS_FILE_BOOLEAN("set_load", 1), 2248 { } 2249 }; 2250 2251 static struct aa_sfs_entry aa_sfs_entry_mount[] = { 2252 AA_SFS_FILE_STRING("mask", "mount umount pivot_root"), 2253 { } 2254 }; 2255 2256 static struct aa_sfs_entry aa_sfs_entry_ns[] = { 2257 AA_SFS_FILE_BOOLEAN("profile", 1), 2258 AA_SFS_FILE_BOOLEAN("pivot_root", 0), 2259 { } 2260 }; 2261 2262 static struct aa_sfs_entry aa_sfs_entry_query_label[] = { 2263 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"), 2264 AA_SFS_FILE_BOOLEAN("data", 1), 2265 AA_SFS_FILE_BOOLEAN("multi_transaction", 1), 2266 { } 2267 }; 2268 2269 static struct aa_sfs_entry aa_sfs_entry_query[] = { 2270 AA_SFS_DIR("label", aa_sfs_entry_query_label), 2271 { } 2272 }; 2273 static struct aa_sfs_entry aa_sfs_entry_features[] = { 2274 AA_SFS_DIR("policy", aa_sfs_entry_policy), 2275 AA_SFS_DIR("domain", aa_sfs_entry_domain), 2276 AA_SFS_DIR("file", aa_sfs_entry_file), 2277 AA_SFS_DIR("network_v8", aa_sfs_entry_network), 2278 AA_SFS_DIR("mount", aa_sfs_entry_mount), 2279 AA_SFS_DIR("namespaces", aa_sfs_entry_ns), 2280 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), 2281 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit), 2282 AA_SFS_DIR("caps", aa_sfs_entry_caps), 2283 AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace), 2284 AA_SFS_DIR("signal", aa_sfs_entry_signal), 2285 AA_SFS_DIR("query", aa_sfs_entry_query), 2286 { } 2287 }; 2288 2289 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = { 2290 AA_SFS_FILE_FOPS(".access", 0666, &aa_sfs_access), 2291 AA_SFS_FILE_FOPS(".stacked", 0444, &seq_ns_stacked_fops), 2292 AA_SFS_FILE_FOPS(".ns_stacked", 0444, &seq_ns_nsstacked_fops), 2293 AA_SFS_FILE_FOPS(".ns_level", 0444, &seq_ns_level_fops), 2294 AA_SFS_FILE_FOPS(".ns_name", 0444, &seq_ns_name_fops), 2295 AA_SFS_FILE_FOPS("profiles", 0444, &aa_sfs_profiles_fops), 2296 AA_SFS_DIR("features", aa_sfs_entry_features), 2297 { } 2298 }; 2299 2300 static struct aa_sfs_entry aa_sfs_entry = 2301 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor); 2302 2303 /** 2304 * entry_create_file - create a file entry in the apparmor securityfs 2305 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) 2306 * @parent: the parent dentry in the securityfs 2307 * 2308 * Use entry_remove_file to remove entries created with this fn. 2309 */ entry_create_file(struct aa_sfs_entry * fs_file,struct dentry * parent)2310 static int __init entry_create_file(struct aa_sfs_entry *fs_file, 2311 struct dentry *parent) 2312 { 2313 int error = 0; 2314 2315 fs_file->dentry = securityfs_create_file(fs_file->name, 2316 S_IFREG | fs_file->mode, 2317 parent, fs_file, 2318 fs_file->file_ops); 2319 if (IS_ERR(fs_file->dentry)) { 2320 error = PTR_ERR(fs_file->dentry); 2321 fs_file->dentry = NULL; 2322 } 2323 return error; 2324 } 2325 2326 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir); 2327 /** 2328 * entry_create_dir - recursively create a directory entry in the securityfs 2329 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) 2330 * @parent: the parent dentry in the securityfs 2331 * 2332 * Use entry_remove_dir to remove entries created with this fn. 2333 */ entry_create_dir(struct aa_sfs_entry * fs_dir,struct dentry * parent)2334 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir, 2335 struct dentry *parent) 2336 { 2337 struct aa_sfs_entry *fs_file; 2338 struct dentry *dir; 2339 int error; 2340 2341 dir = securityfs_create_dir(fs_dir->name, parent); 2342 if (IS_ERR(dir)) 2343 return PTR_ERR(dir); 2344 fs_dir->dentry = dir; 2345 2346 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2347 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2348 error = entry_create_dir(fs_file, fs_dir->dentry); 2349 else 2350 error = entry_create_file(fs_file, fs_dir->dentry); 2351 if (error) 2352 goto failed; 2353 } 2354 2355 return 0; 2356 2357 failed: 2358 entry_remove_dir(fs_dir); 2359 2360 return error; 2361 } 2362 2363 /** 2364 * entry_remove_file - drop a single file entry in the apparmor securityfs 2365 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL) 2366 */ entry_remove_file(struct aa_sfs_entry * fs_file)2367 static void __init entry_remove_file(struct aa_sfs_entry *fs_file) 2368 { 2369 if (!fs_file->dentry) 2370 return; 2371 2372 securityfs_remove(fs_file->dentry); 2373 fs_file->dentry = NULL; 2374 } 2375 2376 /** 2377 * entry_remove_dir - recursively drop a directory entry from the securityfs 2378 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL) 2379 */ entry_remove_dir(struct aa_sfs_entry * fs_dir)2380 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir) 2381 { 2382 struct aa_sfs_entry *fs_file; 2383 2384 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { 2385 if (fs_file->v_type == AA_SFS_TYPE_DIR) 2386 entry_remove_dir(fs_file); 2387 else 2388 entry_remove_file(fs_file); 2389 } 2390 2391 entry_remove_file(fs_dir); 2392 } 2393 2394 /** 2395 * aa_destroy_aafs - cleanup and free aafs 2396 * 2397 * releases dentries allocated by aa_create_aafs 2398 */ aa_destroy_aafs(void)2399 void __init aa_destroy_aafs(void) 2400 { 2401 entry_remove_dir(&aa_sfs_entry); 2402 } 2403 2404 2405 #define NULL_FILE_NAME ".null" 2406 struct path aa_null; 2407 aa_mk_null_file(struct dentry * parent)2408 static int aa_mk_null_file(struct dentry *parent) 2409 { 2410 struct vfsmount *mount = NULL; 2411 struct dentry *dentry; 2412 struct inode *inode; 2413 int count = 0; 2414 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count); 2415 2416 if (error) 2417 return error; 2418 2419 inode_lock(d_inode(parent)); 2420 dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME)); 2421 if (IS_ERR(dentry)) { 2422 error = PTR_ERR(dentry); 2423 goto out; 2424 } 2425 inode = new_inode(parent->d_inode->i_sb); 2426 if (!inode) { 2427 error = -ENOMEM; 2428 goto out1; 2429 } 2430 2431 inode->i_ino = get_next_ino(); 2432 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO; 2433 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); 2434 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO, 2435 MKDEV(MEM_MAJOR, 3)); 2436 d_instantiate(dentry, inode); 2437 aa_null.dentry = dget(dentry); 2438 aa_null.mnt = mntget(mount); 2439 2440 error = 0; 2441 2442 out1: 2443 dput(dentry); 2444 out: 2445 inode_unlock(d_inode(parent)); 2446 simple_release_fs(&mount, &count); 2447 return error; 2448 } 2449 2450 2451 policy_get_link(struct dentry * dentry,struct inode * inode,struct delayed_call * done)2452 static const char *policy_get_link(struct dentry *dentry, 2453 struct inode *inode, 2454 struct delayed_call *done) 2455 { 2456 struct aa_ns *ns; 2457 struct path path; 2458 2459 if (!dentry) 2460 return ERR_PTR(-ECHILD); 2461 ns = aa_get_current_ns(); 2462 path.mnt = mntget(aafs_mnt); 2463 path.dentry = dget(ns_dir(ns)); 2464 nd_jump_link(&path); 2465 aa_put_ns(ns); 2466 2467 return NULL; 2468 } 2469 policy_readlink(struct dentry * dentry,char __user * buffer,int buflen)2470 static int policy_readlink(struct dentry *dentry, char __user *buffer, 2471 int buflen) 2472 { 2473 char name[32]; 2474 int res; 2475 2476 res = snprintf(name, sizeof(name), "%s:[%lu]", AAFS_NAME, 2477 d_inode(dentry)->i_ino); 2478 if (res > 0 && res < sizeof(name)) 2479 res = readlink_copy(buffer, buflen, name); 2480 else 2481 res = -ENOENT; 2482 2483 return res; 2484 } 2485 2486 static const struct inode_operations policy_link_iops = { 2487 .readlink = policy_readlink, 2488 .get_link = policy_get_link, 2489 }; 2490 2491 2492 /** 2493 * aa_create_aafs - create the apparmor security filesystem 2494 * 2495 * dentries created here are released by aa_destroy_aafs 2496 * 2497 * Returns: error on failure 2498 */ aa_create_aafs(void)2499 static int __init aa_create_aafs(void) 2500 { 2501 struct dentry *dent; 2502 int error; 2503 2504 if (!apparmor_initialized) 2505 return 0; 2506 2507 if (aa_sfs_entry.dentry) { 2508 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__); 2509 return -EEXIST; 2510 } 2511 2512 /* setup apparmorfs used to virtualize policy/ */ 2513 aafs_mnt = kern_mount(&aafs_ops); 2514 if (IS_ERR(aafs_mnt)) 2515 panic("can't set apparmorfs up\n"); 2516 aafs_mnt->mnt_sb->s_flags &= ~SB_NOUSER; 2517 2518 /* Populate fs tree. */ 2519 error = entry_create_dir(&aa_sfs_entry, NULL); 2520 if (error) 2521 goto error; 2522 2523 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry, 2524 NULL, &aa_fs_profile_load); 2525 if (IS_ERR(dent)) 2526 goto dent_error; 2527 ns_subload(root_ns) = dent; 2528 2529 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry, 2530 NULL, &aa_fs_profile_replace); 2531 if (IS_ERR(dent)) 2532 goto dent_error; 2533 ns_subreplace(root_ns) = dent; 2534 2535 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry, 2536 NULL, &aa_fs_profile_remove); 2537 if (IS_ERR(dent)) 2538 goto dent_error; 2539 ns_subremove(root_ns) = dent; 2540 2541 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry, 2542 NULL, &aa_fs_ns_revision_fops); 2543 if (IS_ERR(dent)) 2544 goto dent_error; 2545 ns_subrevision(root_ns) = dent; 2546 2547 /* policy tree referenced by magic policy symlink */ 2548 mutex_lock_nested(&root_ns->lock, root_ns->level); 2549 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy", 2550 aafs_mnt->mnt_root); 2551 mutex_unlock(&root_ns->lock); 2552 if (error) 2553 goto error; 2554 2555 /* magic symlink similar to nsfs redirects based on task policy */ 2556 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry, 2557 NULL, &policy_link_iops); 2558 if (IS_ERR(dent)) 2559 goto dent_error; 2560 2561 error = aa_mk_null_file(aa_sfs_entry.dentry); 2562 if (error) 2563 goto error; 2564 2565 /* TODO: add default profile to apparmorfs */ 2566 2567 /* Report that AppArmor fs is enabled */ 2568 aa_info_message("AppArmor Filesystem Enabled"); 2569 return 0; 2570 2571 dent_error: 2572 error = PTR_ERR(dent); 2573 error: 2574 aa_destroy_aafs(); 2575 AA_ERROR("Error creating AppArmor securityfs\n"); 2576 return error; 2577 } 2578 2579 fs_initcall(aa_create_aafs); 2580
