]> Git Repo - linux.git/blame - security/apparmor/domain.c
projects / linux.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
apparmor: move change_hat mediation to using labels
[linux.git] / security / apparmor / domain.c
CommitLineData
898127c3
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor policy attachment and domain transitions
5 *
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/errno.h>
16#include <linux/fdtable.h>
17#include <linux/file.h>
18#include <linux/mount.h>
19#include <linux/syscalls.h>
20#include <linux/tracehook.h>
21#include <linux/personality.h>
22
23#include "include/audit.h"
24#include "include/apparmorfs.h"
25#include "include/context.h"
26#include "include/domain.h"
27#include "include/file.h"
28#include "include/ipc.h"
29#include "include/match.h"
30#include "include/path.h"
31#include "include/policy.h"
cff281f6 32#include "include/policy_ns.h"
898127c3
JJ		 33
34/**
35 * aa_free_domain_entries - free entries in a domain table
36 * @domain: the domain table to free (MAYBE NULL)
37 */
38void aa_free_domain_entries(struct aa_domain *domain)
39{
40 int i;
41 if (domain) {
42 if (!domain->table)
43 return;
44
45 for (i = 0; i < domain->size; i++)
46 kzfree(domain->table[i]);
47 kzfree(domain->table);
48 domain->table = NULL;
49 }
50}
51
52/**
53 * may_change_ptraced_domain - check if can change profile on ptraced task
b2d09ae4
JJ		 54 * @to_label: profile to change to (NOT NULL)
55 * @info: message if there is an error
898127c3 56 *
51775fe7 57 * Check if current is ptraced and if so if the tracing task is allowed
898127c3
JJ		 58 * to trace the new domain
59 *
60 * Returns: %0 or error if change not allowed
61 */
b2d09ae4
JJ		 62static int may_change_ptraced_domain(struct aa_label *to_label,
63 const char **info)
898127c3
JJ		 64{
65 struct task_struct *tracer;
637f688d 66 struct aa_label *tracerl = NULL;
898127c3
JJ		 67 int error = 0;
68
69 rcu_read_lock();
51775fe7 70 tracer = ptrace_parent(current);
3cfcc19e 71 if (tracer)
898127c3 72 /* released below */
637f688d 73 tracerl = aa_get_task_label(tracer);
898127c3
JJ		 74
75 /* not ptraced */
637f688d 76 if (!tracer || unconfined(tracerl))
898127c3
JJ		 77 goto out;
78
b2d09ae4 79 error = aa_may_ptrace(tracerl, to_label, PTRACE_MODE_ATTACH);
898127c3
JJ		 80
81out:
04fdc099 82 rcu_read_unlock();
637f688d 83 aa_put_label(tracerl);
898127c3 84
b2d09ae4
JJ		 85 if (error)
86 *info = "ptrace prevents transition";
898127c3
JJ		 87 return error;
88}
89
93c98a48
JJ		 90/**** TODO: dedup to aa_label_match - needs perm and dfa, merging
91 * specifically this is an exact copy of aa_label_match except
92 * aa_compute_perms is replaced with aa_compute_fperms
93 * and policy.dfa with file.dfa
94 ****/
95/* match a profile and its associated ns component if needed
96 * Assumes visibility test has already been done.
97 * If a subns profile is not to be matched should be prescreened with
98 * visibility test.
99 */
100static inline unsigned int match_component(struct aa_profile *profile,
101 struct aa_profile *tp,
102 bool stack, unsigned int state)
103{
104 const char *ns_name;
105
106 if (stack)
107 state = aa_dfa_match(profile->file.dfa, state, "&");
108 if (profile->ns == tp->ns)
109 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
110
111 /* try matching with namespace name and then profile */
112 ns_name = aa_ns_name(profile->ns, tp->ns, true);
113 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
114 state = aa_dfa_match(profile->file.dfa, state, ns_name);
115 state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
116 return aa_dfa_match(profile->file.dfa, state, tp->base.hname);
117}
118
119/**
120 * label_compound_match - find perms for full compound label
121 * @profile: profile to find perms for
122 * @label: label to check access permissions for
123 * @stack: whether this is a stacking request
124 * @start: state to start match in
125 * @subns: whether to do permission checks on components in a subns
126 * @request: permissions to request
127 * @perms: perms struct to set
128 *
129 * Returns: 0 on success else ERROR
130 *
131 * For the label A//&B//&C this does the perm match for A//&B//&C
132 * @perms should be preinitialized with allperms OR a previous permission
133 * check to be stacked.
134 */
135static int label_compound_match(struct aa_profile *profile,
136 struct aa_label *label, bool stack,
137 unsigned int state, bool subns, u32 request,
138 struct aa_perms *perms)
139{
140 struct aa_profile *tp;
141 struct label_it i;
142 struct path_cond cond = { };
143
144 /* find first subcomponent that is visible */
145 label_for_each(i, label, tp) {
146 if (!aa_ns_visible(profile->ns, tp->ns, subns))
147 continue;
148 state = match_component(profile, tp, stack, state);
149 if (!state)
150 goto fail;
151 goto next;
152 }
153
154 /* no component visible */
155 *perms = allperms;
156 return 0;
157
158next:
159 label_for_each_cont(i, label, tp) {
160 if (!aa_ns_visible(profile->ns, tp->ns, subns))
161 continue;
162 state = aa_dfa_match(profile->file.dfa, state, "//&");
163 state = match_component(profile, tp, false, state);
164 if (!state)
165 goto fail;
166 }
167 *perms = aa_compute_fperms(profile->file.dfa, state, &cond);
168 aa_apply_modes_to_perms(profile, perms);
169 if ((perms->allow & request) != request)
170 return -EACCES;
171
172 return 0;
173
174fail:
175 *perms = nullperms;
176 return -EACCES;
177}
178
179/**
180 * label_components_match - find perms for all subcomponents of a label
181 * @profile: profile to find perms for
182 * @label: label to check access permissions for
183 * @stack: whether this is a stacking request
184 * @start: state to start match in
185 * @subns: whether to do permission checks on components in a subns
186 * @request: permissions to request
187 * @perms: an initialized perms struct to add accumulation to
188 *
189 * Returns: 0 on success else ERROR
190 *
191 * For the label A//&B//&C this does the perm match for each of A and B and C
192 * @perms should be preinitialized with allperms OR a previous permission
193 * check to be stacked.
194 */
195static int label_components_match(struct aa_profile *profile,
196 struct aa_label *label, bool stack,
197 unsigned int start, bool subns, u32 request,
198 struct aa_perms *perms)
199{
200 struct aa_profile *tp;
201 struct label_it i;
202 struct aa_perms tmp;
203 struct path_cond cond = { };
204 unsigned int state = 0;
205
206 /* find first subcomponent to test */
207 label_for_each(i, label, tp) {
208 if (!aa_ns_visible(profile->ns, tp->ns, subns))
209 continue;
210 state = match_component(profile, tp, stack, start);
211 if (!state)
212 goto fail;
213 goto next;
214 }
215
216 /* no subcomponents visible - no change in perms */
217 return 0;
218
219next:
220 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
221 aa_apply_modes_to_perms(profile, &tmp);
222 aa_perms_accum(perms, &tmp);
223 label_for_each_cont(i, label, tp) {
224 if (!aa_ns_visible(profile->ns, tp->ns, subns))
225 continue;
226 state = match_component(profile, tp, stack, start);
227 if (!state)
228 goto fail;
229 tmp = aa_compute_fperms(profile->file.dfa, state, &cond);
230 aa_apply_modes_to_perms(profile, &tmp);
231 aa_perms_accum(perms, &tmp);
232 }
233
234 if ((perms->allow & request) != request)
235 return -EACCES;
236
237 return 0;
238
239fail:
240 *perms = nullperms;
241 return -EACCES;
242}
243
244/**
245 * label_match - do a multi-component label match
246 * @profile: profile to match against (NOT NULL)
247 * @label: label to match (NOT NULL)
248 * @stack: whether this is a stacking request
249 * @state: state to start in
250 * @subns: whether to match subns components
251 * @request: permission request
252 * @perms: Returns computed perms (NOT NULL)
253 *
254 * Returns: the state the match finished in, may be the none matching state
255 */
256static int label_match(struct aa_profile *profile, struct aa_label *label,
257 bool stack, unsigned int state, bool subns, u32 request,
258 struct aa_perms *perms)
259{
260 int error;
261
262 *perms = nullperms;
263 error = label_compound_match(profile, label, stack, state, subns,
264 request, perms);
265 if (!error)
266 return error;
267
268 *perms = allperms;
269 return label_components_match(profile, label, stack, state, subns,
270 request, perms);
271}
272
273/******* end TODO: dedup *****/
274
898127c3
JJ		 275/**
276 * change_profile_perms - find permissions for change_profile
277 * @profile: the current profile (NOT NULL)
93c98a48
JJ		 278 * @target: label to transition to (NOT NULL)
279 * @stack: whether this is a stacking request
898127c3
JJ		 280 * @request: requested perms
281 * @start: state to start matching in
282 *
93c98a48 283 *
898127c3 284 * Returns: permission set
93c98a48
JJ		 285 *
286 * currently only matches full label A//&B//&C or individual components A, B, C
287 * not arbitrary combinations. Eg. A//&B, C
898127c3 288 */
93c98a48
JJ		 289static int change_profile_perms(struct aa_profile *profile,
290 struct aa_label *target, bool stack,
291 u32 request, unsigned int start,
292 struct aa_perms *perms)
293{
294 if (profile_unconfined(profile)) {
295 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
296 perms->audit = perms->quiet = perms->kill = 0;
297 return 0;
298 }
299
300 /* TODO: add profile in ns screening */
301 return label_match(profile, target, stack, start, true, request, perms);
302}
303
304static struct aa_perms change_profile_perms_wrapper(struct aa_profile *profile,
305 struct aa_profile *target,
306 u32 request,
307 unsigned int start)
898127c3 308{
2d679f3c 309 struct aa_perms perms;
898127c3 310
637f688d 311 if (profile_unconfined(profile)) {
898127c3
JJ		 312 perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
313 perms.audit = perms.quiet = perms.kill = 0;
314 return perms;
898127c3
JJ		 315 }
316
93c98a48
JJ		 317 if (change_profile_perms(profile, &target->label, false, request,
318 start, &perms))
319 return nullperms;
898127c3
JJ		 320
321 return perms;
322}
323
324/**
325 * __attach_match_ - find an attachment match
326 * @name - to match against (NOT NULL)
327 * @head - profile list to walk (NOT NULL)
328 *
329 * Do a linear search on the profiles in the list. There is a matching
330 * preference where an exact match is preferred over a name which uses
331 * expressions to match, and matching expressions with the greatest
332 * xmatch_len are preferred.
333 *
334 * Requires: @head not be shared or have appropriate locks held
335 *
336 * Returns: profile or NULL if no match found
337 */
338static struct aa_profile *__attach_match(const char *name,
339 struct list_head *head)
340{
341 int len = 0;
342 struct aa_profile *profile, *candidate = NULL;
343
01e2b670 344 list_for_each_entry_rcu(profile, head, base.list) {
637f688d 345 if (profile->label.flags & FLAG_NULL)
898127c3
JJ		 346 continue;
347 if (profile->xmatch && profile->xmatch_len > len) {
348 unsigned int state = aa_dfa_match(profile->xmatch,
349 DFA_START, name);
350 u32 perm = dfa_user_allow(profile->xmatch, state);
351 /* any accepting state means a valid match. */
352 if (perm & MAY_EXEC) {
353 candidate = profile;
354 len = profile->xmatch_len;
355 }
356 } else if (!strcmp(profile->base.name, name))
357 /* exact non-re match, no more searching required */
358 return profile;
359 }
360
361 return candidate;
362}
363
364/**
365 * find_attach - do attachment search for unconfined processes
366 * @ns: the current namespace (NOT NULL)
367 * @list: list to search (NOT NULL)
368 * @name: the executable name to match against (NOT NULL)
369 *
93c98a48 370 * Returns: label or NULL if no match found
898127c3 371 */
93c98a48
JJ		 372static struct aa_label *find_attach(struct aa_ns *ns, struct list_head *list,
373 const char *name)
898127c3
JJ		 374{
375 struct aa_profile *profile;
376
01e2b670 377 rcu_read_lock();
898127c3 378 profile = aa_get_profile(__attach_match(name, list));
01e2b670 379 rcu_read_unlock();
898127c3 380
93c98a48 381 return profile ? &profile->label : NULL;
898127c3
JJ		 382}
383
384static const char *next_name(int xtype, const char *name)
385{
386 return NULL;
387}
388
389/**
390 * x_table_lookup - lookup an x transition name via transition table
391 * @profile: current profile (NOT NULL)
392 * @xindex: index into x transition table
93c98a48 393 * @name: returns: name tested to find label (NOT NULL)
898127c3 394 *
93c98a48 395 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
898127c3 396 */
93c98a48
JJ		 397static struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
398 const char **name)
898127c3 399{
93c98a48 400 struct aa_label *label = NULL;
898127c3
JJ		 401 u32 xtype = xindex & AA_X_TYPE_MASK;
402 int index = xindex & AA_X_INDEX_MASK;
898127c3 403
93c98a48 404 AA_BUG(!name);
898127c3 405
93c98a48
JJ		 406 /* index is guaranteed to be in range, validated at load time */
407 /* TODO: move lookup parsing to unpack time so this is a straight
408 * index into the resultant label
409 */
410 for (*name = profile->file.trans.table[index]; !label && *name;
411 *name = next_name(xtype, *name)) {
898127c3 412 if (xindex & AA_X_CHILD) {
93c98a48 413 struct aa_profile *new_profile;
898127c3 414 /* release by caller */
93c98a48
JJ		 415 new_profile = aa_find_child(profile, *name);
416 if (new_profile)
417 label = &new_profile->label;
898127c3 418 continue;
898127c3 419 }
93c98a48
JJ		 420 label = aa_label_parse(&profile->label, *name, GFP_ATOMIC,
421 true, false);
422 if (IS_ERR(label))
423 label = NULL;
898127c3
JJ		 424 }
425
426 /* released by caller */
93c98a48
JJ		 427
428 return label;
898127c3
JJ		 429}
430
431/**
93c98a48 432 * x_to_label - get target label for a given xindex
898127c3
JJ		 433 * @profile: current profile (NOT NULL)
434 * @name: name to lookup (NOT NULL)
435 * @xindex: index into x transition table
93c98a48 436 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
898127c3 437 *
93c98a48 438 * find label for a transition index
898127c3 439 *
93c98a48 440 * Returns: refcounted label or NULL if not found available
898127c3 441 */
93c98a48
JJ		 442static struct aa_label *x_to_label(struct aa_profile *profile,
443 const char *name, u32 xindex,
444 const char **lookupname,
445 const char **info)
898127c3 446{
93c98a48 447 struct aa_label *new = NULL;
98849dff 448 struct aa_ns *ns = profile->ns;
898127c3 449 u32 xtype = xindex & AA_X_TYPE_MASK;
93c98a48 450 const char *stack = NULL;
898127c3
JJ		 451
452 switch (xtype) {
453 case AA_X_NONE:
454 /* fail exec unless ix || ux fallback - handled by caller */
93c98a48
JJ		 455 *lookupname = NULL;
456 break;
457 case AA_X_TABLE:
458 /* TODO: fix when perm mapping done at unload */
459 stack = profile->file.trans.table[xindex & AA_X_INDEX_MASK];
460 if (*stack != '&') {
461 /* released by caller */
462 new = x_table_lookup(profile, xindex, lookupname);
463 stack = NULL;
464 break;
465 }
466 /* fall through to X_NAME */
898127c3
JJ		 467 case AA_X_NAME:
468 if (xindex & AA_X_CHILD)
469 /* released by caller */
93c98a48
JJ		 470 new = find_attach(ns, &profile->base.profiles,
471 name);
898127c3
JJ		 472 else
473 /* released by caller */
93c98a48
JJ		 474 new = find_attach(ns, &ns->base.profiles,
475 name);
476 *lookupname = name;
898127c3
JJ		 477 break;
478 }
479
93c98a48
JJ		 480 if (!new) {
481 if (xindex & AA_X_INHERIT) {
482 /* (p|c|n)ix - don't change profile but do
483 * use the newest version
484 */
485 *info = "ix fallback";
486 /* no profile && no error */
487 new = aa_get_newest_label(&profile->label);
488 } else if (xindex & AA_X_UNCONFINED) {
489 new = aa_get_newest_label(ns_unconfined(profile->ns));
490 *info = "ux fallback";
491 }
492 }
493
494 if (new && stack) {
495 /* base the stack on post domain transition */
496 struct aa_label *base = new;
497
498 new = aa_label_parse(base, stack, GFP_ATOMIC, true, false);
499 if (IS_ERR(new))
500 new = NULL;
501 aa_put_label(base);
502 }
503
898127c3 504 /* released by caller */
93c98a48 505 return new;
898127c3
JJ		 506}
507
93c98a48
JJ		 508static struct aa_label *profile_transition(struct aa_profile *profile,
509 const struct linux_binprm *bprm,
510 char *buffer, struct path_cond *cond,
511 bool *secure_exec)
898127c3 512{
93c98a48
JJ		 513 struct aa_label *new = NULL;
514 const char *info = NULL, *name = NULL, *target = NULL;
515 unsigned int state = profile->file.start;
2d679f3c 516 struct aa_perms perms = {};
93c98a48 517 bool nonewprivs = false;
b1d9e6b0 518 int error = 0;
898127c3 519
93c98a48
JJ		 520 AA_BUG(!profile);
521 AA_BUG(!bprm);
522 AA_BUG(!buffer);
898127c3 523
4227c333 524 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
72c8a768 525 &name, &info, profile->disconnected);
898127c3 526 if (error) {
637f688d 527 if (profile_unconfined(profile) ||
93c98a48
JJ		 528 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
529 AA_DEBUG("name lookup ix on error");
898127c3 530 error = 0;
93c98a48
JJ		 531 new = aa_get_newest_label(&profile->label);
532 }
898127c3
JJ		 533 name = bprm->filename;
534 goto audit;
535 }
536
637f688d 537 if (profile_unconfined(profile)) {
93c98a48
JJ		 538 new = find_attach(profile->ns, &profile->ns->base.profiles,
539 name);
540 if (new) {
541 AA_DEBUG("unconfined attached to new label");
542 return new;
543 }
544 AA_DEBUG("unconfined exec no attachment");
545 return aa_get_newest_label(&profile->label);
898127c3
JJ		 546 }
547
548 /* find exec permissions for name */
93c98a48 549 state = aa_str_perms(profile->file.dfa, state, name, cond, &perms);
898127c3
JJ		 550 if (perms.allow & MAY_EXEC) {
551 /* exec permission determine how to transition */
93c98a48
JJ		 552 new = x_to_label(profile, name, perms.xindex, &target, &info);
553 if (new && new->proxy == profile->label.proxy && info) {
554 /* hack ix fallback - improve how this is detected */
555 goto audit;
556 } else if (!new) {
557 error = -EACCES;
558 info = "profile transition not found";
559 /* remove MAY_EXEC to audit as failure */
560 perms.allow &= ~MAY_EXEC;
898127c3
JJ		 561 }
562 } else if (COMPLAIN_MODE(profile)) {
93c98a48
JJ		 563 /* no exec permission - learning mode */
564 struct aa_profile *new_profile = aa_new_null_profile(profile,
565 false, name,
566 GFP_ATOMIC);
898127c3
JJ		 567 if (!new_profile) {
568 error = -ENOMEM;
569 info = "could not create null profile";
93c98a48 570 } else {
898127c3 571 error = -EACCES;
93c98a48
JJ		 572 new = &new_profile->label;
573 }
898127c3
JJ		 574 perms.xindex |= AA_X_UNSAFE;
575 } else
576 /* fail exec */
577 error = -EACCES;
578
93c98a48
JJ		 579 if (!new)
580 goto audit;
581
582 /* Policy has specified a domain transitions. if no_new_privs and
583 * confined and not transitioning to the current domain fail.
584 *
585 * NOTE: Domain transitions from unconfined and to stritly stacked
586 * subsets are allowed even when no_new_privs is set because this
587 * aways results in a further reduction of permissions.
c29bceb3 588 */
93c98a48
JJ		 589 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
590 !profile_unconfined(profile) &&
591 !aa_label_is_subset(new, &profile->label)) {
c29bceb3 592 error = -EPERM;
93c98a48
JJ		 593 info = "no new privs";
594 nonewprivs = true;
595 perms.allow &= ~MAY_EXEC;
596 goto audit;
597 }
598
599 if (!(perms.xindex & AA_X_UNSAFE)) {
600 if (DEBUG_ON) {
601 dbg_printk("apparmor: scrubbing environment variables"
602 " for %s profile=", name);
603 aa_label_printk(new, GFP_ATOMIC);
604 dbg_printk("\n");
605 }
606 *secure_exec = true;
c29bceb3
JJ		 607 }
608
93c98a48
JJ		 609audit:
610 aa_audit_file(profile, &perms, OP_EXEC, MAY_EXEC, name, target, new,
611 cond->uid, info, error);
612 if (!new || nonewprivs) {
613 aa_put_label(new);
614 return ERR_PTR(error);
615 }
616
617 return new;
618}
619
620static int profile_onexec(struct aa_profile *profile, struct aa_label *onexec,
621 bool stack, const struct linux_binprm *bprm,
622 char *buffer, struct path_cond *cond,
623 bool *secure_exec)
624{
625 unsigned int state = profile->file.start;
626 struct aa_perms perms = {};
627 const char *xname = NULL, *info = "change_profile onexec";
628 int error = -EACCES;
629
630 AA_BUG(!profile);
631 AA_BUG(!onexec);
632 AA_BUG(!bprm);
633 AA_BUG(!buffer);
634
635 if (profile_unconfined(profile)) {
636 /* change_profile on exec already granted */
637 /*
638 * NOTE: Domain transitions from unconfined are allowed
639 * even when no_new_privs is set because this aways results
640 * in a further reduction of permissions.
641 */
642 return 0;
643 }
644
645 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
646 &xname, &info, profile->disconnected);
647 if (error) {
648 if (profile_unconfined(profile) ||
649 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
650 AA_DEBUG("name lookup ix on error");
651 error = 0;
652 }
653 xname = bprm->filename;
898127c3 654 goto audit;
93c98a48
JJ		 655 }
656
657 /* find exec permissions for name */
658 state = aa_str_perms(profile->file.dfa, state, xname, cond, &perms);
659 if (!(perms.allow & AA_MAY_ONEXEC)) {
660 info = "no change_onexec valid for executable";
661 goto audit;
662 }
663 /* test if this exec can be paired with change_profile onexec.
664 * onexec permission is linked to exec with a standard pairing
665 * exec\0change_profile
666 */
667 state = aa_dfa_null_transition(profile->file.dfa, state);
668 error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
669 state, &perms);
670 if (error) {
671 perms.allow &= ~AA_MAY_ONEXEC;
672 goto audit;
673 }
674 /* Policy has specified a domain transitions. if no_new_privs and
675 * confined and not transitioning to the current domain fail.
676 *
677 * NOTE: Domain transitions from unconfined and to stritly stacked
678 * subsets are allowed even when no_new_privs is set because this
679 * aways results in a further reduction of permissions.
680 */
681 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
682 !profile_unconfined(profile) &&
683 !aa_label_is_subset(onexec, &profile->label)) {
684 error = -EPERM;
685 info = "no new privs";
686 perms.allow &= ~AA_MAY_ONEXEC;
687 goto audit;
688 }
689
690 if (!(perms.xindex & AA_X_UNSAFE)) {
691 if (DEBUG_ON) {
692 dbg_printk("apparmor: scrubbing environment "
693 "variables for %s label=", xname);
694 aa_label_printk(onexec, GFP_ATOMIC);
695 dbg_printk("\n");
696 }
697 *secure_exec = true;
698 }
699
700audit:
701 return aa_audit_file(profile, &perms, OP_EXEC, AA_MAY_ONEXEC, xname,
702 NULL, onexec, cond->uid, info, error);
703}
704
705/* ensure none ns domain transitions are correctly applied with onexec */
706
707static struct aa_label *handle_onexec(struct aa_label *label,
708 struct aa_label *onexec, bool stack,
709 const struct linux_binprm *bprm,
710 char *buffer, struct path_cond *cond,
711 bool *unsafe)
712{
713 struct aa_profile *profile;
714 struct aa_label *new;
715 int error;
716
717 AA_BUG(!label);
718 AA_BUG(!onexec);
719 AA_BUG(!bprm);
720 AA_BUG(!buffer);
721
722 if (!stack) {
723 error = fn_for_each_in_ns(label, profile,
724 profile_onexec(profile, onexec, stack,
725 bprm, buffer, cond, unsafe));
726 if (error)
727 return ERR_PTR(error);
728 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
729 aa_get_newest_label(onexec),
730 profile_transition(profile, bprm, buffer,
731 cond, unsafe));
732
733 } else {
734 /* TODO: determine how much we want to losen this */
735 error = fn_for_each_in_ns(label, profile,
736 profile_onexec(profile, onexec, stack, bprm,
737 buffer, cond, unsafe));
738 if (error)
739 return ERR_PTR(error);
740 new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,
741 aa_label_merge(&profile->label, onexec,
742 GFP_ATOMIC),
743 profile_transition(profile, bprm, buffer,
744 cond, unsafe));
745 }
746
747 if (new)
748 return new;
749
750 /* TODO: get rid of GLOBAL_ROOT_UID */
751 error = fn_for_each_in_ns(label, profile,
752 aa_audit_file(profile, &nullperms, OP_CHANGE_ONEXEC,
753 AA_MAY_ONEXEC, bprm->filename, NULL,
754 onexec, GLOBAL_ROOT_UID,
755 "failed to build target label", -ENOMEM));
756 return ERR_PTR(error);
757}
758
759/**
760 * apparmor_bprm_set_creds - set the new creds on the bprm struct
761 * @bprm: binprm for the exec (NOT NULL)
762 *
763 * Returns: %0 or error on failure
764 *
765 * TODO: once the other paths are done see if we can't refactor into a fn
766 */
767int apparmor_bprm_set_creds(struct linux_binprm *bprm)
768{
769 struct aa_task_ctx *ctx;
770 struct aa_label *label, *new = NULL;
771 struct aa_profile *profile;
772 char *buffer = NULL;
773 const char *info = NULL;
774 int error = 0;
775 bool unsafe = false;
776 struct path_cond cond = {
777 file_inode(bprm->file)->i_uid,
778 file_inode(bprm->file)->i_mode
779 };
780
781 if (bprm->cred_prepared)
782 return 0;
783
784 ctx = cred_ctx(bprm->cred);
785 AA_BUG(!ctx);
786
787 label = aa_get_newest_label(ctx->label);
788
789 /* buffer freed below, name is pointer into buffer */
790 get_buffers(buffer);
791 /* Test for onexec first as onexec override other x transitions. */
792 if (ctx->onexec)
793 new = handle_onexec(label, ctx->onexec, ctx->token,
794 bprm, buffer, &cond, &unsafe);
795 else
796 new = fn_label_build(label, profile, GFP_ATOMIC,
797 profile_transition(profile, bprm, buffer,
798 &cond, &unsafe));
799
800 AA_BUG(!new);
801 if (IS_ERR(new)) {
802 error = PTR_ERR(new);
803 goto done;
804 } else if (!new) {
805 error = -ENOMEM;
806 goto done;
807 }
808
809 /* TODO: Add ns level no_new_privs subset test */
898127c3
JJ		 810
811 if (bprm->unsafe & LSM_UNSAFE_SHARE) {
812 /* FIXME: currently don't mediate shared state */
813 ;
814 }
815
93c98a48
JJ		 816 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) {
817 /* TODO: test needs to be profile of label to new */
818 error = may_change_ptraced_domain(new, &info);
f7da2de0 819 if (error)
898127c3 820 goto audit;
898127c3
JJ		 821 }
822
93c98a48
JJ		 823 if (unsafe) {
824 if (DEBUG_ON) {
825 dbg_printk("scrubbing environment variables for %s "
826 "label=", bprm->filename);
827 aa_label_printk(new, GFP_ATOMIC);
828 dbg_printk("\n");
829 }
898127c3
JJ		 830 bprm->unsafe |= AA_SECURE_X_NEEDED;
831 }
898127c3 832
93c98a48
JJ		 833 if (label->proxy != new->proxy) {
834 /* when transitioning clear unsafe personality bits */
835 if (DEBUG_ON) {
836 dbg_printk("apparmor: clearing unsafe personality "
837 "bits. %s label=", bprm->filename);
838 aa_label_printk(new, GFP_ATOMIC);
839 dbg_printk("\n");
840 }
841 bprm->per_clear |= PER_CLEAR_ON_SETID;
842 }
637f688d 843 aa_put_label(ctx->label);
93c98a48
JJ		 844 /* transfer reference, released when ctx is freed */
845 ctx->label = new;
898127c3 846
93c98a48
JJ		 847done:
848 /* clear out temporary/transitional state from the context */
55a26ebf 849 aa_clear_task_ctx_trans(ctx);
898127c3 850
637f688d 851 aa_put_label(label);
4227c333 852 put_buffers(buffer);
898127c3
JJ		 853
854 return error;
93c98a48
JJ		 855
856audit:
857 error = fn_for_each(label, profile,
858 aa_audit_file(profile, &nullperms, OP_EXEC, MAY_EXEC,
859 bprm->filename, NULL, new,
860 file_inode(bprm->file)->i_uid, info,
861 error));
862 aa_put_label(new);
863 goto done;
898127c3
JJ		 864}
865
866/**
867 * apparmor_bprm_secureexec - determine if secureexec is needed
868 * @bprm: binprm for exec (NOT NULL)
869 *
870 * Returns: %1 if secureexec is needed else %0
871 */
872int apparmor_bprm_secureexec(struct linux_binprm *bprm)
873{
898127c3
JJ		 874 /* the decision to use secure exec is computed in set_creds
875 * and stored in bprm->unsafe.
876 */
b1d9e6b0
CS		 877 if (bprm->unsafe & AA_SECURE_X_NEEDED)
878 return 1;
898127c3 879
b1d9e6b0 880 return 0;
898127c3
JJ		 881}
882
898127c3
JJ		 883/*
884 * Functions for self directed profile change
885 */
886
89dbf196
JJ		 887
888/* helper fn for change_hat
898127c3 889 *
89dbf196 890 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
898127c3 891 */
89dbf196
JJ		 892static struct aa_label *build_change_hat(struct aa_profile *profile,
893 const char *name, bool sibling)
898127c3 894{
89dbf196
JJ		 895 struct aa_profile *root, *hat = NULL;
896 const char *info = NULL;
897 int error = 0;
898
899 if (sibling && PROFILE_IS_HAT(profile)) {
900 root = aa_get_profile_rcu(&profile->parent);
901 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
902 root = aa_get_profile(profile);
903 } else {
904 info = "conflicting target types";
905 error = -EPERM;
906 goto audit;
907 }
908
909 hat = aa_find_child(root, name);
910 if (!hat) {
911 error = -ENOENT;
912 if (COMPLAIN_MODE(profile)) {
913 hat = aa_new_null_profile(profile, true, name,
914 GFP_KERNEL);
915 if (!hat) {
916 info = "failed null profile create";
917 error = -ENOMEM;
918 }
919 }
920 }
921 aa_put_profile(root);
922
923audit:
924 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT, AA_MAY_CHANGEHAT,
925 name, hat ? hat->base.hname : NULL,
926 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, NULL,
927 error);
928 if (!hat || (error && error != -ENOENT))
929 return ERR_PTR(error);
930 /* if hat && error - complain mode, already audited and we adjust for
931 * complain mode allow by returning hat->label
932 */
933 return &hat->label;
934}
935
936/* helper fn for changing into a hat
937 *
938 * Returns: label for hat transition or ERR_PTR. Does not return NULL
939 */
940static struct aa_label *change_hat(struct aa_label *label, const char *hats[],
941 int count, int flags)
942{
943 struct aa_profile *profile, *root, *hat = NULL;
944 struct aa_label *new;
945 struct label_it it;
946 bool sibling = false;
947 const char *name, *info = NULL;
948 int i, error;
949
950 AA_BUG(!label);
951 AA_BUG(!hats);
952 AA_BUG(count < 1);
953
954 if (PROFILE_IS_HAT(labels_profile(label)))
955 sibling = true;
956
957 /*find first matching hat */
958 for (i = 0; i < count && !hat; i++) {
959 name = hats[i];
960 label_for_each_in_ns(it, labels_ns(label), label, profile) {
961 if (sibling && PROFILE_IS_HAT(profile)) {
962 root = aa_get_profile_rcu(&profile->parent);
963 } else if (!sibling && !PROFILE_IS_HAT(profile)) {
964 root = aa_get_profile(profile);
965 } else { /* conflicting change type */
966 info = "conflicting targets types";
967 error = -EPERM;
968 goto fail;
969 }
970 hat = aa_find_child(root, name);
971 aa_put_profile(root);
972 if (!hat) {
973 if (!COMPLAIN_MODE(profile))
974 goto outer_continue;
975 /* complain mode succeed as if hat */
976 } else if (!PROFILE_IS_HAT(hat)) {
977 info = "target not hat";
978 error = -EPERM;
979 aa_put_profile(hat);
980 goto fail;
981 }
982 aa_put_profile(hat);
983 }
984 /* found a hat for all profiles in ns */
985 goto build;
986outer_continue:
987 ;
988 }
989 /* no hats that match, find appropriate error
990 *
991 * In complain mode audit of the failure is based off of the first
992 * hat supplied. This is done due how userspace interacts with
993 * change_hat.
994 */
995 name = NULL;
996 label_for_each_in_ns(it, labels_ns(label), label, profile) {
997 if (!list_empty(&profile->base.profiles)) {
998 info = "hat not found";
999 error = -ENOENT;
1000 goto fail;
1001 }
1002 }
1003 info = "no hats defined";
1004 error = -ECHILD;
1005
1006fail:
1007 label_for_each_in_ns(it, labels_ns(label), label, profile) {
1008 /*
1009 * no target as it has failed to be found or built
1010 *
1011 * change_hat uses probing and should not log failures
1012 * related to missing hats
1013 */
1014 /* TODO: get rid of GLOBAL_ROOT_UID */
1015 if (count > 1 || COMPLAIN_MODE(profile)) {
1016 aa_audit_file(profile, &nullperms, OP_CHANGE_HAT,
1017 AA_MAY_CHANGEHAT, name, NULL, NULL,
1018 GLOBAL_ROOT_UID, info, error);
1019 }
1020 }
1021 return ERR_PTR(error);
1022
1023build:
1024 new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
1025 build_change_hat(profile, name, sibling),
1026 aa_get_label(&profile->label));
1027 if (!new) {
1028 info = "label build failed";
1029 error = -ENOMEM;
1030 goto fail;
1031 } /* else if (IS_ERR) build_change_hat has logged error so return new */
1032
1033 return new;
898127c3
JJ		 1034}
1035
1036/**
1037 * aa_change_hat - change hat to/from subprofile
1038 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
1039 * @count: number of hat names in @hats
1040 * @token: magic value to validate the hat change
df8073c6 1041 * @flags: flags affecting behavior of the change
898127c3 1042 *
89dbf196
JJ		 1043 * Returns %0 on success, error otherwise.
1044 *
898127c3
JJ		 1045 * Change to the first profile specified in @hats that exists, and store
1046 * the @hat_magic in the current task context. If the count == 0 and the
1047 * @token matches that stored in the current task context, return to the
1048 * top level profile.
1049 *
89dbf196
JJ		 1050 * change_hat only applies to profiles in the current ns, and each profile
1051 * in the ns must make the same transition otherwise change_hat will fail.
898127c3 1052 */
df8073c6 1053int aa_change_hat(const char *hats[], int count, u64 token, int flags)
898127c3
JJ		 1054{
1055 const struct cred *cred;
55a26ebf 1056 struct aa_task_ctx *ctx;
89dbf196
JJ		 1057 struct aa_label *label, *previous, *new = NULL, *target = NULL;
1058 struct aa_profile *profile;
2d679f3c 1059 struct aa_perms perms = {};
89dbf196 1060 const char *info = NULL;
898127c3
JJ		 1061 int error = 0;
1062
c29bceb3
JJ		 1063 /*
1064 * Fail explicitly requested domain transitions if no_new_privs.
1065 * There is no exception for unconfined as change_hat is not
1066 * available.
1067 */
89dbf196
JJ		 1068 if (task_no_new_privs(current)) {
1069 /* not an apparmor denial per se, so don't log it */
1070 AA_DEBUG("no_new_privs - change_hat denied");
c29bceb3 1071 return -EPERM;
89dbf196 1072 }
c29bceb3 1073
898127c3
JJ		 1074 /* released below */
1075 cred = get_current_cred();
55a26ebf 1076 ctx = cred_ctx(cred);
637f688d 1077 label = aa_get_newest_cred_label(cred);
89dbf196 1078 previous = aa_get_newest_label(ctx->previous);
898127c3 1079
637f688d 1080 if (unconfined(label)) {
89dbf196 1081 info = "unconfined can not change_hat";
898127c3 1082 error = -EPERM;
89dbf196 1083 goto fail;
898127c3
JJ		 1084 }
1085
1086 if (count) {
89dbf196
JJ		 1087 new = change_hat(label, hats, count, flags);
1088 AA_BUG(!new);
1089 if (IS_ERR(new)) {
1090 error = PTR_ERR(new);
1091 new = NULL;
1092 /* already audited */
1093 goto out;
898127c3
JJ		 1094 }
1095
89dbf196
JJ		 1096 error = may_change_ptraced_domain(new, &info);
1097 if (error)
1098 goto fail;
898127c3 1099
89dbf196
JJ		 1100 if (flags & AA_CHANGE_TEST)
1101 goto out;
1102
1103 target = new;
1104 error = aa_set_current_hat(new, token);
1105 if (error == -EACCES)
1106 /* kill task in case of brute force attacks */
1107 goto kill;
1108 } else if (previous && !(flags & AA_CHANGE_TEST)) {
1109 /* Return to saved label. Kill task if restore fails
898127c3
JJ		 1110 * to avoid brute force attacks
1111 */
89dbf196 1112 target = previous;
637f688d 1113 error = aa_restore_previous_label(token);
89dbf196
JJ		 1114 if (error) {
1115 if (error == -EACCES)
1116 goto kill;
1117 goto fail;
1118 }
1119 } /* else ignore @flags && restores when there is no saved profile */
898127c3
JJ		 1120
1121out:
89dbf196
JJ		 1122 aa_put_label(new);
1123 aa_put_label(previous);
637f688d 1124 aa_put_label(label);
898127c3
JJ		 1125 put_cred(cred);
1126
1127 return error;
89dbf196
JJ		 1128
1129kill:
1130 info = "failed token match";
1131 perms.kill = AA_MAY_CHANGEHAT;
1132
1133fail:
1134 fn_for_each_in_ns(label, profile,
1135 aa_audit_file(profile, &perms, OP_CHANGE_HAT,
1136 AA_MAY_CHANGEHAT, NULL, NULL, target,
1137 GLOBAL_ROOT_UID, info, error));
1138
1139 goto out;
898127c3
JJ		 1140}
1141
89dbf196
JJ		 1142
1143
898127c3
JJ		 1144/**
1145 * aa_change_profile - perform a one-way profile transition
aa9a39ad 1146 * @fqname: name of profile may include namespace (NOT NULL)
898127c3 1147 * @onexec: whether this transition is to take place immediately or at exec
df8073c6 1148 * @flags: flags affecting change behavior
898127c3
JJ		 1149 *
1150 * Change to new profile @name. Unlike with hats, there is no way
1151 * to change back. If @name isn't specified the current profile name is
1152 * used.
1153 * If @onexec then the transition is delayed until
1154 * the next exec.
1155 *
1156 * Returns %0 on success, error otherwise.
1157 */
df8073c6 1158int aa_change_profile(const char *fqname, int flags)
898127c3
JJ		 1159{
1160 const struct cred *cred;
637f688d 1161 struct aa_label *label;
898127c3 1162 struct aa_profile *profile, *target = NULL;
2d679f3c 1163 struct aa_perms perms = {};
aa9a39ad 1164 const char *info = NULL, *op;
47f6e5cc 1165 int error = 0;
898127c3
JJ		 1166 u32 request;
1167
aa9a39ad
JJ		 1168 if (!fqname || !*fqname) {
1169 AA_DEBUG("no profile name");
898127c3 1170 return -EINVAL;
aa9a39ad 1171 }
898127c3 1172
df8073c6 1173 if (flags & AA_CHANGE_ONEXEC) {
898127c3
JJ		 1174 request = AA_MAY_ONEXEC;
1175 op = OP_CHANGE_ONEXEC;
1176 } else {
1177 request = AA_MAY_CHANGE_PROFILE;
1178 op = OP_CHANGE_PROFILE;
1179 }
1180
1181 cred = get_current_cred();
637f688d
JJ		 1182 label = aa_get_newest_cred_label(cred);
1183 profile = labels_profile(label);
898127c3 1184
c29bceb3
JJ		 1185 /*
1186 * Fail explicitly requested domain transitions if no_new_privs
1187 * and not unconfined.
1188 * Domain transitions from unconfined are allowed even when
1189 * no_new_privs is set because this aways results in a reduction
1190 * of permissions.
1191 */
637f688d 1192 if (task_no_new_privs(current) && !profile_unconfined(profile)) {
c29bceb3
JJ		 1193 put_cred(cred);
1194 return -EPERM;
1195 }
1196
637f688d 1197 target = aa_fqlookupn_profile(label, fqname, strlen(fqname));
898127c3
JJ		 1198 if (!target) {
1199 info = "profile not found";
1200 error = -ENOENT;
df8073c6
JJ		 1201 if ((flags & AA_CHANGE_TEST) ||
1202 !COMPLAIN_MODE(profile))
898127c3
JJ		 1203 goto audit;
1204 /* released below */
aa9a39ad
JJ		 1205 target = aa_new_null_profile(profile, false, fqname,
1206 GFP_KERNEL);
898127c3
JJ		 1207 if (!target) {
1208 info = "failed null profile create";
1209 error = -ENOMEM;
1210 goto audit;
1211 }
1212 }
1213
93c98a48
JJ		 1214 perms = change_profile_perms_wrapper(profile, target, request,
1215 profile->file.start);
aa9a39ad
JJ		 1216 if (!(perms.allow & request)) {
1217 error = -EACCES;
1218 goto audit;
1219 }
1220
898127c3 1221 /* check if tracing task is allowed to trace target domain */
b2d09ae4 1222 error = may_change_ptraced_domain(&target->label, &info);
898127c3
JJ		 1223 if (error) {
1224 info = "ptrace prevents transition";
1225 goto audit;
1226 }
1227
df8073c6 1228 if (flags & AA_CHANGE_TEST)
898127c3
JJ		 1229 goto audit;
1230
df8073c6 1231 if (flags & AA_CHANGE_ONEXEC)
637f688d 1232 error = aa_set_current_onexec(&target->label, 0);
898127c3 1233 else
637f688d 1234 error = aa_replace_current_label(&target->label);
898127c3
JJ		 1235
1236audit:
df8073c6 1237 if (!(flags & AA_CHANGE_TEST))
aa9a39ad 1238 error = aa_audit_file(profile, &perms, op, request, NULL,
98c3d182
JJ		 1239 fqname, NULL, GLOBAL_ROOT_UID, info,
1240 error);
898127c3 1241
898127c3 1242 aa_put_profile(target);
637f688d 1243 aa_put_label(label);
898127c3
JJ		 1244 put_cred(cred);
1245
1246 return error;
1247}
Empty description
This page took 0.578169 seconds and 4 git commands to generate.