linux/security/apparmor/domain.c

1521 lines
41 KiB
C
Raw Normal View History

// SPDX-License-Identifier: GPL-2.0-only
/*
* AppArmor security module
*
* This file contains AppArmor policy attachment and domain transitions
*
* Copyright (C) 2002-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd.
*/
#include <linux/errno.h>
#include <linux/fs.h>
#include <linux/file.h>
#include <linux/mount.h>
#include <linux/syscalls.h>
#include <linux/personality.h>
#include <linux/xattr.h>
#include <linux/user_namespace.h>
#include "include/audit.h"
#include "include/apparmorfs.h"
#include "include/cred.h"
#include "include/domain.h"
#include "include/file.h"
#include "include/ipc.h"
#include "include/match.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy_ns.h"
/**
* may_change_ptraced_domain - check if can change profile on ptraced task
* @to_cred: cred of task changing domain
* @to_label: profile to change to (NOT NULL)
* @info: message if there is an error
*
* Check if current is ptraced and if so if the tracing task is allowed
* to trace the new domain
*
* Returns: %0 or error if change not allowed
*/
static int may_change_ptraced_domain(const struct cred *to_cred,
struct aa_label *to_label,
const char **info)
{
struct task_struct *tracer;
struct aa_label *tracerl = NULL;
const struct cred *tracer_cred = NULL;
int error = 0;
rcu_read_lock();
tracer = ptrace_parent(current);
if (tracer) {
/* released below */
tracerl = aa_get_task_label(tracer);
tracer_cred = get_task_cred(tracer);
}
/* not ptraced */
if (!tracer || unconfined(tracerl))
goto out;
error = aa_may_ptrace(tracer_cred, tracerl, to_cred, to_label,
PTRACE_MODE_ATTACH);
out:
rcu_read_unlock();
aa_put_label(tracerl);
put_cred(tracer_cred);
if (error)
*info = "ptrace prevents transition";
return error;
}
/**** TODO: dedup to aa_label_match - needs perm and dfa, merging
* specifically this is an exact copy of aa_label_match except
* aa_compute_perms is replaced with aa_compute_fperms
* and policy->dfa with file->dfa
****/
/* match a profile and its associated ns component if needed
* Assumes visibility test has already been done.
* If a subns profile is not to be matched should be prescreened with
* visibility test.
*/
static inline aa_state_t match_component(struct aa_profile *profile,
struct aa_profile *tp,
bool stack, aa_state_t state)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
const char *ns_name;
if (stack)
state = aa_dfa_match(rules->file->dfa, state, "&");
if (profile->ns == tp->ns)
return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
/* try matching with namespace name and then profile */
ns_name = aa_ns_name(profile->ns, tp->ns, true);
state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
state = aa_dfa_match(rules->file->dfa, state, ns_name);
state = aa_dfa_match_len(rules->file->dfa, state, ":", 1);
return aa_dfa_match(rules->file->dfa, state, tp->base.hname);
}
/**
* label_compound_match - find perms for full compound label
* @profile: profile to find perms for
* @label: label to check access permissions for
* @stack: whether this is a stacking request
* @state: state to start match in
* @subns: whether to do permission checks on components in a subns
* @request: permissions to request
* @perms: perms struct to set
*
* Returns: 0 on success else ERROR
*
* For the label A//&B//&C this does the perm match for A//&B//&C
* @perms should be preinitialized with allperms OR a previous permission
* check to be stacked.
*/
static int label_compound_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_profile *tp;
struct label_it i;
struct path_cond cond = { };
/* find first subcomponent that is visible */
label_for_each(i, label, tp) {
if (!aa_ns_visible(profile->ns, tp->ns, subns))
continue;
state = match_component(profile, tp, stack, state);
if (!state)
goto fail;
goto next;
}
/* no component visible */
*perms = allperms;
return 0;
next:
label_for_each_cont(i, label, tp) {
if (!aa_ns_visible(profile->ns, tp->ns, subns))
continue;
state = aa_dfa_match(rules->file->dfa, state, "//&");
state = match_component(profile, tp, false, state);
if (!state)
goto fail;
}
*perms = *(aa_lookup_fperms(rules->file, state, &cond));
aa_apply_modes_to_perms(profile, perms);
if ((perms->allow & request) != request)
return -EACCES;
return 0;
fail:
*perms = nullperms;
return -EACCES;
}
/**
* label_components_match - find perms for all subcomponents of a label
* @profile: profile to find perms for
* @label: label to check access permissions for
* @stack: whether this is a stacking request
* @start: state to start match in
* @subns: whether to do permission checks on components in a subns
* @request: permissions to request
* @perms: an initialized perms struct to add accumulation to
*
* Returns: 0 on success else ERROR
*
* For the label A//&B//&C this does the perm match for each of A and B and C
* @perms should be preinitialized with allperms OR a previous permission
* check to be stacked.
*/
static int label_components_match(struct aa_profile *profile,
struct aa_label *label, bool stack,
aa_state_t start, bool subns, u32 request,
struct aa_perms *perms)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_profile *tp;
struct label_it i;
struct aa_perms tmp;
struct path_cond cond = { };
aa_state_t state = 0;
/* find first subcomponent to test */
label_for_each(i, label, tp) {
if (!aa_ns_visible(profile->ns, tp->ns, subns))
continue;
state = match_component(profile, tp, stack, start);
if (!state)
goto fail;
goto next;
}
/* no subcomponents visible - no change in perms */
return 0;
next:
tmp = *(aa_lookup_fperms(rules->file, state, &cond));
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum(perms, &tmp);
label_for_each_cont(i, label, tp) {
if (!aa_ns_visible(profile->ns, tp->ns, subns))
continue;
state = match_component(profile, tp, stack, start);
if (!state)
goto fail;
tmp = *(aa_lookup_fperms(rules->file, state, &cond));
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum(perms, &tmp);
}
if ((perms->allow & request) != request)
return -EACCES;
return 0;
fail:
*perms = nullperms;
return -EACCES;
}
/**
* label_match - do a multi-component label match
* @profile: profile to match against (NOT NULL)
* @label: label to match (NOT NULL)
* @stack: whether this is a stacking request
* @state: state to start in
* @subns: whether to match subns components
* @request: permission request
* @perms: Returns computed perms (NOT NULL)
*
* Returns: the state the match finished in, may be the none matching state
*/
static int label_match(struct aa_profile *profile, struct aa_label *label,
bool stack, aa_state_t state, bool subns, u32 request,
struct aa_perms *perms)
{
int error;
*perms = nullperms;
error = label_compound_match(profile, label, stack, state, subns,
request, perms);
if (!error)
return error;
*perms = allperms;
return label_components_match(profile, label, stack, state, subns,
request, perms);
}
/******* end TODO: dedup *****/
/**
* change_profile_perms - find permissions for change_profile
* @profile: the current profile (NOT NULL)
* @target: label to transition to (NOT NULL)
* @stack: whether this is a stacking request
* @request: requested perms
* @start: state to start matching in
* @perms: Returns computed perms (NOT NULL)
*
*
* Returns: permission set
*
* currently only matches full label A//&B//&C or individual components A, B, C
* not arbitrary combinations. Eg. A//&B, C
*/
static int change_profile_perms(struct aa_profile *profile,
struct aa_label *target, bool stack,
u32 request, aa_state_t start,
struct aa_perms *perms)
{
if (profile_unconfined(profile)) {
perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
perms->audit = perms->quiet = perms->kill = 0;
return 0;
}
/* TODO: add profile in ns screening */
return label_match(profile, target, stack, start, true, request, perms);
}
/**
* aa_xattrs_match - check whether a file matches the xattrs defined in profile
* @bprm: binprm struct for the process to validate
* @profile: profile to match against (NOT NULL)
* @state: state to start match in
*
* Returns: number of extended attributes that matched, or < 0 on error
*/
static int aa_xattrs_match(const struct linux_binprm *bprm,
struct aa_profile *profile, aa_state_t state)
{
int i;
struct dentry *d;
char *value = NULL;
struct aa_attachment *attach = &profile->attach;
+ Features - switch to zstd compression for profile raw data + Cleanups - Simplify obtain the newest label on a cred - remove useless static inline functions - compute permission conversion on policy unpack - refactor code to share common permissins - refactor unpack to group policy backwards compatiblity code - add __init annotation to aa_{setup/teardown}_dfa_engine() + Bug Fixes - fix a memleak in - multi_transaction_new() - free_ruleset() - unpack_profile() - alloc_ns() - fix lockdep warning when removing a namespace - fix regression in stacking due to label flags - fix loading of child before parent - fix kernel-doc comments that differ from fns - fix spelling errors in comments - store return value of unpack_perms_table() to signed variable -----BEGIN PGP SIGNATURE----- iQIzBAABCgAdFiEE7cSDD705q2rFEEf7BS82cBjVw9gFAmOZwywACgkQBS82cBjV w9jBjRAAmj4gyK0L3eGY4IV2BpvnkHwHY4lOObJulTwILOOj0Pz8CJqRCa/HDCGj aOlnwqksPsAjadzzfi58D6TnT+3fOuskbcMgTyvX5jraTXPrUl90+hXorbXKuLrw iaX6QxW8soNW/s3oJhrC2HxbIhGA9VpVnmQpVZpJMmz5bU2xmzL62FCN8x88kytr 9CygaudPrvwYJf5pPd62p7ltj2S6lFwZ6dVCyiDQGTc+Gyng4G8p4MCfI1CwMMyo mAUeeRnoeeBwH3tSy/Wsr72jPKjsMASpcMHo3ns/dVSw/ug2FYYToZbfxT/uAa6O WVHfS1Kv/5afG9xxyfocWecd+Yp3lsXq9F+q36uOT9NeJmlej9aJr5sWMcvV3sru QVNN7tFZbHqCnLhpl6RDH/NiguweNYQXrl2lukXZe/FKu/KDasFIOzL+IAt2TqZE 3mWrha7Q7j/gdBw8+fHHGtXCx0NSQlz1oFLo/y/mI7ztwUPJsBYbH5+108iP0ys/ 7Kd+jkYRucJB4upGH4meQbN6f/rrs3+m/b/j0Q8RCFHAs2f+mYZeN/JOHCo0T4YH KO1W60846fPs+7yZTVxWYFpR/kIuXksyxMWpEEZFFtF4MNoaeM1uypBWqm/JmKYr 8oDtEyiOd/qmZnWRcuO3/bmdoJUZY1zTXWA0dlScYc8vR4KC+EE= =6GKy -----END PGP SIGNATURE----- Merge tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Features: - switch to zstd compression for profile raw data Cleanups: - simplify obtaining the newest label on a cred - remove useless static inline functions - compute permission conversion on policy unpack - refactor code to share common permissins - refactor unpack to group policy backwards compatiblity code - add __init annotation to aa_{setup/teardown}_dfa_engine() Bug Fixes: - fix a memleak in - multi_transaction_new() - free_ruleset() - unpack_profile() - alloc_ns() - fix lockdep warning when removing a namespace - fix regression in stacking due to label flags - fix loading of child before parent - fix kernel-doc comments that differ from fns - fix spelling errors in comments - store return value of unpack_perms_table() to signed variable" * tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (64 commits) apparmor: Fix uninitialized symbol 'array_size' in policy_unpack_test.c apparmor: Add __init annotation to aa_{setup/teardown}_dfa_engine() apparmor: Fix memleak in alloc_ns() apparmor: Fix memleak issue in unpack_profile() apparmor: fix a memleak in free_ruleset() apparmor: Fix spelling of function name in comment block apparmor: Use pointer to struct aa_label for lbs_cred AppArmor: Fix kernel-doc LSM: Fix kernel-doc AppArmor: Fix kernel-doc apparmor: Fix loading of child before parent apparmor: refactor code that alloc null profiles apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource() apparmor: remove useless static inline functions apparmor: Fix unpack_profile() warn: passing zero to 'ERR_PTR' apparmor: fix uninitialize table variable in error in unpack_trans_table apparmor: store return value of unpack_perms_table() to signed variable apparmor: Fix kunit test for out of bounds array apparmor: Fix decompression of rawdata for read back to userspace apparmor: Fix undefined references to zstd_ symbols ...
2022-12-14 21:42:09 +00:00
int size, value_size = 0, ret = attach->xattr_count;
if (!bprm || !attach->xattr_count)
return 0;
might_sleep();
/* transition from exec match to xattr set */
state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
d = bprm->file->f_path.dentry;
for (i = 0; i < attach->xattr_count; i++) {
size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i],
&value, value_size, GFP_KERNEL);
if (size >= 0) {
u32 index, perm;
/*
* Check the xattr presence before value. This ensure
* that not present xattr can be distinguished from a 0
* length value or rule that matches any value
*/
state = aa_dfa_null_transition(attach->xmatch->dfa,
state);
/* Check xattr value */
state = aa_dfa_match_len(attach->xmatch->dfa, state,
value, size);
index = ACCEPT_TABLE(attach->xmatch->dfa)[state];
perm = attach->xmatch->perms[index].allow;
if (!(perm & MAY_EXEC)) {
ret = -EINVAL;
goto out;
}
}
/* transition to next element */
state = aa_dfa_outofband_transition(attach->xmatch->dfa, state);
if (size < 0) {
/*
* No xattr match, so verify if transition to
* next element was valid. IFF so the xattr
* was optional.
*/
if (!state) {
ret = -EINVAL;
goto out;
}
/* don't count missing optional xattr as matched */
ret--;
}
}
out:
kfree(value);
return ret;
}
/**
* find_attach - do attachment search for unconfined processes
* @bprm: binprm structure of transitioning task
* @ns: the current namespace (NOT NULL)
* @head: profile list to walk (NOT NULL)
* @name: to match against (NOT NULL)
* @info: info message if there was an error (NOT NULL)
*
* Do a linear search on the profiles in the list. There is a matching
* preference where an exact match is preferred over a name which uses
* expressions to match, and matching expressions with the greatest
* xmatch_len are preferred.
*
* Requires: @head not be shared or have appropriate locks held
*
* Returns: label or NULL if no match found
*/
static struct aa_label *find_attach(const struct linux_binprm *bprm,
struct aa_ns *ns, struct list_head *head,
const char *name, const char **info)
{
int candidate_len = 0, candidate_xattrs = 0;
bool conflict = false;
struct aa_profile *profile, *candidate = NULL;
AA_BUG(!name);
AA_BUG(!head);
rcu_read_lock();
restart:
list_for_each_entry_rcu(profile, head, base.list) {
struct aa_attachment *attach = &profile->attach;
if (profile->label.flags & FLAG_NULL &&
&profile->label == ns_unconfined(profile->ns))
continue;
/* Find the "best" matching profile. Profiles must
* match the path and extended attributes (if any)
* associated with the file. A more specific path
* match will be preferred over a less specific one,
* and a match with more matching extended attributes
* will be preferred over one with fewer. If the best
* match has both the same level of path specificity
* and the same number of matching extended attributes
* as another profile, signal a conflict and refuse to
* match.
*/
if (attach->xmatch->dfa) {
unsigned int count;
aa_state_t state;
u32 index, perm;
state = aa_dfa_leftmatch(attach->xmatch->dfa,
attach->xmatch->start[AA_CLASS_XMATCH],
name, &count);
index = ACCEPT_TABLE(attach->xmatch->dfa)[state];
perm = attach->xmatch->perms[index].allow;
/* any accepting state means a valid match. */
if (perm & MAY_EXEC) {
int ret = 0;
if (count < candidate_len)
continue;
if (bprm && attach->xattr_count) {
long rev = READ_ONCE(ns->revision);
if (!aa_get_profile_not0(profile))
goto restart;
rcu_read_unlock();
ret = aa_xattrs_match(bprm, profile,
state);
rcu_read_lock();
aa_put_profile(profile);
if (rev !=
READ_ONCE(ns->revision))
/* policy changed */
goto restart;
/*
* Fail matching if the xattrs don't
* match
*/
if (ret < 0)
continue;
}
/*
* TODO: allow for more flexible best match
*
* The new match isn't more specific
* than the current best match
*/
if (count == candidate_len &&
ret <= candidate_xattrs) {
/* Match is equivalent, so conflict */
if (ret == candidate_xattrs)
conflict = true;
continue;
}
/* Either the same length with more matching
* xattrs, or a longer match
*/
candidate = profile;
candidate_len = max(count, attach->xmatch_len);
candidate_xattrs = ret;
conflict = false;
}
} else if (!strcmp(profile->base.name, name)) {
/*
* old exact non-re match, without conditionals such
* as xattrs. no more searching required
*/
candidate = profile;
goto out;
}
}
if (!candidate || conflict) {
if (conflict)
*info = "conflicting profile attachments";
rcu_read_unlock();
return NULL;
}
out:
candidate = aa_get_newest_profile(candidate);
rcu_read_unlock();
return &candidate->label;
}
static const char *next_name(int xtype, const char *name)
{
return NULL;
}
/**
* x_table_lookup - lookup an x transition name via transition table
* @profile: current profile (NOT NULL)
* @xindex: index into x transition table
* @name: returns: name tested to find label (NOT NULL)
*
* Returns: refcounted label, or NULL on failure (MAYBE NULL)
*/
apparmor: add mount mediation Add basic mount mediation. That allows controlling based on basic mount parameters. It does not include special mount parameters for apparmor, super block labeling, or any triggers for apparmor namespace parameter modifications on pivot root. default userspace policy rules have the form of MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT ) MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ] [ '->' MOUNTPOINT FILEGLOB ] REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' ) MOUNT FSTYPE EXPRESSION ] [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ] MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION ) MOUNT FSTYPE LIST = Comma separated list of valid filesystem and virtual filesystem types (eg ext4, debugfs, etc) MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION ) MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS. MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' | 'noexec' | 'exec' | 'sync' | 'async' | 'remount' | 'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' | 'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' | 'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' | 'unbindable' | 'runbindable' | 'private' | 'rprivate' | 'slave' | 'rslave' | 'shared' | 'rshared' | 'relatime' | 'norelatime' | 'iversion' | 'noiversion' | 'strictatime' | 'nouser' | 'user' ) MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ... PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ] [ NEW ROOT FILEGLOB ] SOURCE FILEGLOB = FILEGLOB MOUNTPOINT FILEGLOB = FILEGLOB eg. mount, mount /dev/foo, mount options=ro /dev/foo -> /mnt/, mount options in (ro,atime) /dev/foo -> /mnt/, mount options=ro options=atime, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-19 06:04:47 +00:00
struct aa_label *x_table_lookup(struct aa_profile *profile, u32 xindex,
const char **name)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_label *label = NULL;
u32 xtype = xindex & AA_X_TYPE_MASK;
int index = xindex & AA_X_INDEX_MASK;
AA_BUG(!name);
/* index is guaranteed to be in range, validated at load time */
/* TODO: move lookup parsing to unpack time so this is a straight
* index into the resultant label
*/
for (*name = rules->file->trans.table[index]; !label && *name;
*name = next_name(xtype, *name)) {
if (xindex & AA_X_CHILD) {
struct aa_profile *new_profile;
/* release by caller */
new_profile = aa_find_child(profile, *name);
if (new_profile)
label = &new_profile->label;
continue;
}
label = aa_label_parse(&profile->label, *name, GFP_KERNEL,
true, false);
if (IS_ERR(label))
label = NULL;
}
/* released by caller */
return label;
}
/**
* x_to_label - get target label for a given xindex
* @profile: current profile (NOT NULL)
* @bprm: binprm structure of transitioning task
* @name: name to lookup (NOT NULL)
* @xindex: index into x transition table
* @lookupname: returns: name used in lookup if one was specified (NOT NULL)
* @info: info message if there was an error (NOT NULL)
*
* find label for a transition index
*
* Returns: refcounted label or NULL if not found available
*/
static struct aa_label *x_to_label(struct aa_profile *profile,
const struct linux_binprm *bprm,
const char *name, u32 xindex,
const char **lookupname,
const char **info)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_label *new = NULL;
struct aa_ns *ns = profile->ns;
u32 xtype = xindex & AA_X_TYPE_MASK;
const char *stack = NULL;
switch (xtype) {
case AA_X_NONE:
/* fail exec unless ix || ux fallback - handled by caller */
*lookupname = NULL;
break;
case AA_X_TABLE:
/* TODO: fix when perm mapping done at unload */
stack = rules->file->trans.table[xindex & AA_X_INDEX_MASK];
if (*stack != '&') {
/* released by caller */
new = x_table_lookup(profile, xindex, lookupname);
stack = NULL;
break;
}
fallthrough; /* to X_NAME */
case AA_X_NAME:
if (xindex & AA_X_CHILD)
/* released by caller */
new = find_attach(bprm, ns, &profile->base.profiles,
name, info);
else
/* released by caller */
new = find_attach(bprm, ns, &ns->base.profiles,
name, info);
*lookupname = name;
break;
}
if (!new) {
if (xindex & AA_X_INHERIT) {
/* (p|c|n)ix - don't change profile but do
* use the newest version
*/
*info = "ix fallback";
/* no profile && no error */
new = aa_get_newest_label(&profile->label);
} else if (xindex & AA_X_UNCONFINED) {
new = aa_get_newest_label(ns_unconfined(profile->ns));
*info = "ux fallback";
}
}
if (new && stack) {
/* base the stack on post domain transition */
struct aa_label *base = new;
new = aa_label_parse(base, stack, GFP_KERNEL, true, false);
if (IS_ERR(new))
new = NULL;
aa_put_label(base);
}
/* released by caller */
return new;
}
static struct aa_label *profile_transition(const struct cred *subj_cred,
struct aa_profile *profile,
const struct linux_binprm *bprm,
char *buffer, struct path_cond *cond,
bool *secure_exec)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_label *new = NULL;
const char *info = NULL, *name = NULL, *target = NULL;
aa_state_t state = rules->file->start[AA_CLASS_FILE];
struct aa_perms perms = {};
bool nonewprivs = false;
int error = 0;
AA_BUG(!profile);
AA_BUG(!bprm);
AA_BUG(!buffer);
error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
&name, &info, profile->disconnected);
if (error) {
if (profile_unconfined(profile) ||
(profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
AA_DEBUG("name lookup ix on error");
error = 0;
new = aa_get_newest_label(&profile->label);
}
name = bprm->filename;
goto audit;
}
if (profile_unconfined(profile)) {
new = find_attach(bprm, profile->ns,
&profile->ns->base.profiles, name, &info);
if (new) {
AA_DEBUG("unconfined attached to new label");
return new;
}
AA_DEBUG("unconfined exec no attachment");
return aa_get_newest_label(&profile->label);
}
/* find exec permissions for name */
state = aa_str_perms(rules->file, state, name, cond, &perms);
if (perms.allow & MAY_EXEC) {
/* exec permission determine how to transition */
new = x_to_label(profile, bprm, name, perms.xindex, &target,
&info);
if (new && new->proxy == profile->label.proxy && info) {
/* hack ix fallback - improve how this is detected */
goto audit;
} else if (!new) {
error = -EACCES;
info = "profile transition not found";
/* remove MAY_EXEC to audit as failure */
perms.allow &= ~MAY_EXEC;
}
} else if (COMPLAIN_MODE(profile)) {
/* no exec permission - learning mode */
apparmor: fix locking when creating a new complain profile. Break the per cpu buffer atomic section when creating a new null complain profile. In learning mode this won't matter and we can safely re-aquire the buffer. This fixes the following lockdep BUG trace nov. 14 14:09:09 cyclope audit[7152]: AVC apparmor="ALLOWED" operation="exec" profile="/usr/sbin/sssd" name="/usr/sbin/adcli" pid=7152 comm="sssd_be" requested_mask="x" denied_mask="x" fsuid=0 ouid=0 target="/usr/sbin/sssd//null-/usr/sbin/adcli" nov. 14 14:09:09 cyclope kernel: BUG: sleeping function called from invalid context at kernel/locking/mutex.c:747 nov. 14 14:09:09 cyclope kernel: in_atomic(): 1, irqs_disabled(): 0, pid: 7152, name: sssd_be nov. 14 14:09:09 cyclope kernel: 1 lock held by sssd_be/7152: nov. 14 14:09:09 cyclope kernel: #0: (&sig->cred_guard_mutex){....}, at: [<ffffffff8182d53e>] prepare_bprm_creds+0x4e/0x100 nov. 14 14:09:09 cyclope kernel: CPU: 3 PID: 7152 Comm: sssd_be Not tainted 4.14.0prahal+intel #150 nov. 14 14:09:09 cyclope kernel: Hardware name: LENOVO 20CDCTO1WW/20CDCTO1WW, BIOS GQET53WW (1.33 ) 09/15/2017 nov. 14 14:09:09 cyclope kernel: Call Trace: nov. 14 14:09:09 cyclope kernel: dump_stack+0xb0/0x135 nov. 14 14:09:09 cyclope kernel: ? _atomic_dec_and_lock+0x15b/0x15b nov. 14 14:09:09 cyclope kernel: ? lockdep_print_held_locks+0xc4/0x130 nov. 14 14:09:09 cyclope kernel: ___might_sleep+0x29c/0x320 nov. 14 14:09:09 cyclope kernel: ? rq_clock+0xf0/0xf0 nov. 14 14:09:09 cyclope kernel: ? __kernel_text_address+0xd/0x40 nov. 14 14:09:09 cyclope kernel: __might_sleep+0x95/0x190 nov. 14 14:09:09 cyclope kernel: ? aa_new_null_profile+0x50a/0x960 nov. 14 14:09:09 cyclope kernel: __mutex_lock+0x13e/0x1a20 nov. 14 14:09:09 cyclope kernel: ? aa_new_null_profile+0x50a/0x960 nov. 14 14:09:09 cyclope kernel: ? save_stack+0x43/0xd0 nov. 14 14:09:09 cyclope kernel: ? kmem_cache_alloc_trace+0x13f/0x290 nov. 14 14:09:09 cyclope kernel: ? mutex_lock_io_nested+0x1880/0x1880 nov. 14 14:09:09 cyclope kernel: ? profile_transition+0x932/0x2d40 nov. 14 14:09:09 cyclope kernel: ? apparmor_bprm_set_creds+0x1479/0x1f70 nov. 14 14:09:09 cyclope kernel: ? security_bprm_set_creds+0x5a/0x80 nov. 14 14:09:09 cyclope kernel: ? prepare_binprm+0x366/0x980 nov. 14 14:09:09 cyclope kernel: ? do_execveat_common.isra.30+0x12a9/0x2350 nov. 14 14:09:09 cyclope kernel: ? SyS_execve+0x2c/0x40 nov. 14 14:09:09 cyclope kernel: ? do_syscall_64+0x228/0x650 nov. 14 14:09:09 cyclope kernel: ? entry_SYSCALL64_slow_path+0x25/0x25 nov. 14 14:09:09 cyclope kernel: ? deactivate_slab.isra.62+0x49d/0x5e0 nov. 14 14:09:09 cyclope kernel: ? save_stack_trace+0x16/0x20 nov. 14 14:09:09 cyclope kernel: ? init_object+0x88/0x90 nov. 14 14:09:09 cyclope kernel: ? ___slab_alloc+0x520/0x590 nov. 14 14:09:09 cyclope kernel: ? ___slab_alloc+0x520/0x590 nov. 14 14:09:09 cyclope kernel: ? aa_alloc_proxy+0xab/0x200 nov. 14 14:09:09 cyclope kernel: ? lock_downgrade+0x7e0/0x7e0 nov. 14 14:09:09 cyclope kernel: ? memcg_kmem_get_cache+0x970/0x970 nov. 14 14:09:09 cyclope kernel: ? kasan_unpoison_shadow+0x35/0x50 nov. 14 14:09:09 cyclope kernel: ? kasan_unpoison_shadow+0x35/0x50 nov. 14 14:09:09 cyclope kernel: ? kasan_kmalloc+0xad/0xe0 nov. 14 14:09:09 cyclope kernel: ? aa_alloc_proxy+0xab/0x200 nov. 14 14:09:09 cyclope kernel: ? kmem_cache_alloc_trace+0x13f/0x290 nov. 14 14:09:09 cyclope kernel: ? aa_alloc_proxy+0xab/0x200 nov. 14 14:09:09 cyclope kernel: ? aa_alloc_proxy+0xab/0x200 nov. 14 14:09:09 cyclope kernel: ? _raw_spin_unlock+0x22/0x30 nov. 14 14:09:09 cyclope kernel: ? vec_find+0xa0/0xa0 nov. 14 14:09:09 cyclope kernel: ? aa_label_init+0x6f/0x230 nov. 14 14:09:09 cyclope kernel: ? __label_insert+0x3e0/0x3e0 nov. 14 14:09:09 cyclope kernel: ? kmem_cache_alloc_trace+0x13f/0x290 nov. 14 14:09:09 cyclope kernel: ? aa_alloc_profile+0x58/0x200 nov. 14 14:09:09 cyclope kernel: mutex_lock_nested+0x16/0x20 nov. 14 14:09:09 cyclope kernel: ? mutex_lock_nested+0x16/0x20 nov. 14 14:09:09 cyclope kernel: aa_new_null_profile+0x50a/0x960 nov. 14 14:09:09 cyclope kernel: ? aa_fqlookupn_profile+0xdc0/0xdc0 nov. 14 14:09:09 cyclope kernel: ? aa_compute_fperms+0x4b5/0x640 nov. 14 14:09:09 cyclope kernel: ? disconnect.isra.2+0x1b0/0x1b0 nov. 14 14:09:09 cyclope kernel: ? aa_str_perms+0x8d/0xe0 nov. 14 14:09:09 cyclope kernel: profile_transition+0x932/0x2d40 nov. 14 14:09:09 cyclope kernel: ? up_read+0x1a/0x40 nov. 14 14:09:09 cyclope kernel: ? ext4_xattr_get+0x15c/0xaf0 [ext4] nov. 14 14:09:09 cyclope kernel: ? x_table_lookup+0x190/0x190 nov. 14 14:09:09 cyclope kernel: ? ext4_xattr_ibody_get+0x590/0x590 [ext4] nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? ext4_xattr_security_get+0x1a/0x20 [ext4] nov. 14 14:09:09 cyclope kernel: ? __vfs_getxattr+0x6d/0xa0 nov. 14 14:09:09 cyclope kernel: ? get_vfs_caps_from_disk+0x114/0x720 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? tsc_resume+0x10/0x10 nov. 14 14:09:09 cyclope kernel: ? get_vfs_caps_from_disk+0x720/0x720 nov. 14 14:09:09 cyclope kernel: ? native_sched_clock_from_tsc+0x201/0x2b0 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock_cpu+0x1b/0x170 nov. 14 14:09:09 cyclope kernel: ? find_held_lock+0x3c/0x1e0 nov. 14 14:09:09 cyclope kernel: ? rb_insert_color_cached+0x1660/0x1660 nov. 14 14:09:09 cyclope kernel: apparmor_bprm_set_creds+0x1479/0x1f70 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? handle_onexec+0x31d0/0x31d0 nov. 14 14:09:09 cyclope kernel: ? tsc_resume+0x10/0x10 nov. 14 14:09:09 cyclope kernel: ? graph_lock+0xd0/0xd0 nov. 14 14:09:09 cyclope kernel: ? tsc_resume+0x10/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock_cpu+0x1b/0x170 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock+0x9/0x10 nov. 14 14:09:09 cyclope kernel: ? sched_clock_cpu+0x1b/0x170 nov. 14 14:09:09 cyclope kernel: ? find_held_lock+0x3c/0x1e0 nov. 14 14:09:09 cyclope kernel: security_bprm_set_creds+0x5a/0x80 nov. 14 14:09:09 cyclope kernel: prepare_binprm+0x366/0x980 nov. 14 14:09:09 cyclope kernel: ? install_exec_creds+0x150/0x150 nov. 14 14:09:09 cyclope kernel: ? __might_fault+0x89/0xb0 nov. 14 14:09:09 cyclope kernel: ? up_read+0x40/0x40 nov. 14 14:09:09 cyclope kernel: ? get_user_arg_ptr.isra.18+0x2c/0x70 nov. 14 14:09:09 cyclope kernel: ? count.isra.20.constprop.32+0x7c/0xf0 nov. 14 14:09:09 cyclope kernel: do_execveat_common.isra.30+0x12a9/0x2350 nov. 14 14:09:09 cyclope kernel: ? prepare_bprm_creds+0x100/0x100 nov. 14 14:09:09 cyclope kernel: ? _raw_spin_unlock+0x22/0x30 nov. 14 14:09:09 cyclope kernel: ? deactivate_slab.isra.62+0x49d/0x5e0 nov. 14 14:09:09 cyclope kernel: ? save_stack_trace+0x16/0x20 nov. 14 14:09:09 cyclope kernel: ? init_object+0x88/0x90 nov. 14 14:09:09 cyclope kernel: ? ___slab_alloc+0x520/0x590 nov. 14 14:09:09 cyclope kernel: ? ___slab_alloc+0x520/0x590 nov. 14 14:09:09 cyclope kernel: ? kasan_check_write+0x14/0x20 nov. 14 14:09:09 cyclope kernel: ? memcg_kmem_get_cache+0x970/0x970 nov. 14 14:09:09 cyclope kernel: ? kasan_unpoison_shadow+0x35/0x50 nov. 14 14:09:09 cyclope kernel: ? glob_match+0x730/0x730 nov. 14 14:09:09 cyclope kernel: ? kmem_cache_alloc+0x225/0x280 nov. 14 14:09:09 cyclope kernel: ? getname_flags+0xb8/0x510 nov. 14 14:09:09 cyclope kernel: ? mm_fault_error+0x2e0/0x2e0 nov. 14 14:09:09 cyclope kernel: ? getname_flags+0xf6/0x510 nov. 14 14:09:09 cyclope kernel: ? ptregs_sys_vfork+0x10/0x10 nov. 14 14:09:09 cyclope kernel: SyS_execve+0x2c/0x40 nov. 14 14:09:09 cyclope kernel: do_syscall_64+0x228/0x650 nov. 14 14:09:09 cyclope kernel: ? syscall_return_slowpath+0x2f0/0x2f0 nov. 14 14:09:09 cyclope kernel: ? syscall_return_slowpath+0x167/0x2f0 nov. 14 14:09:09 cyclope kernel: ? prepare_exit_to_usermode+0x220/0x220 nov. 14 14:09:09 cyclope kernel: ? prepare_exit_to_usermode+0xda/0x220 nov. 14 14:09:09 cyclope kernel: ? perf_trace_sys_enter+0x1060/0x1060 nov. 14 14:09:09 cyclope kernel: ? __put_user_4+0x1c/0x30 nov. 14 14:09:09 cyclope kernel: entry_SYSCALL64_slow_path+0x25/0x25 nov. 14 14:09:09 cyclope kernel: RIP: 0033:0x7f9320f23637 nov. 14 14:09:09 cyclope kernel: RSP: 002b:00007fff783be338 EFLAGS: 00000202 ORIG_RAX: 000000000000003b nov. 14 14:09:09 cyclope kernel: RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f9320f23637 nov. 14 14:09:09 cyclope kernel: RDX: 0000558c35002a70 RSI: 0000558c3505bd10 RDI: 0000558c35018b90 nov. 14 14:09:09 cyclope kernel: RBP: 0000558c34b63ae8 R08: 0000558c3505bd10 R09: 0000000000000080 nov. 14 14:09:09 cyclope kernel: R10: 0000000000000095 R11: 0000000000000202 R12: 0000000000000001 nov. 14 14:09:09 cyclope kernel: R13: 0000558c35018b90 R14: 0000558c3505bd18 R15: 0000558c3505bd10 Fixes: 4227c333f65c ("apparmor: Move path lookup to using preallocated buffers") BugLink: http://bugs.launchpad.net/bugs/173228 Reported-by: Alban Browaeys <prahal@yahoo.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-21 06:26:12 +00:00
struct aa_profile *new_profile = NULL;
new_profile = aa_new_learning_profile(profile, false, name,
GFP_KERNEL);
if (!new_profile) {
error = -ENOMEM;
info = "could not create null profile";
} else {
error = -EACCES;
new = &new_profile->label;
}
perms.xindex |= AA_X_UNSAFE;
} else
/* fail exec */
error = -EACCES;
if (!new)
goto audit;
if (!(perms.xindex & AA_X_UNSAFE)) {
if (DEBUG_ON) {
dbg_printk("apparmor: scrubbing environment variables"
" for %s profile=", name);
aa_label_printk(new, GFP_KERNEL);
dbg_printk("\n");
}
*secure_exec = true;
}
audit:
aa_audit_file(subj_cred, profile, &perms, OP_EXEC, MAY_EXEC, name,
target, new,
cond->uid, info, error);
if (!new || nonewprivs) {
aa_put_label(new);
return ERR_PTR(error);
}
return new;
}
static int profile_onexec(const struct cred *subj_cred,
struct aa_profile *profile, struct aa_label *onexec,
bool stack, const struct linux_binprm *bprm,
char *buffer, struct path_cond *cond,
bool *secure_exec)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
aa_state_t state = rules->file->start[AA_CLASS_FILE];
struct aa_perms perms = {};
const char *xname = NULL, *info = "change_profile onexec";
int error = -EACCES;
AA_BUG(!profile);
AA_BUG(!onexec);
AA_BUG(!bprm);
AA_BUG(!buffer);
if (profile_unconfined(profile)) {
/* change_profile on exec already granted */
/*
* NOTE: Domain transitions from unconfined are allowed
* even when no_new_privs is set because this aways results
* in a further reduction of permissions.
*/
return 0;
}
error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer,
&xname, &info, profile->disconnected);
if (error) {
if (profile_unconfined(profile) ||
(profile->label.flags & FLAG_IX_ON_NAME_ERROR)) {
AA_DEBUG("name lookup ix on error");
error = 0;
}
xname = bprm->filename;
goto audit;
}
/* find exec permissions for name */
state = aa_str_perms(rules->file, state, xname, cond, &perms);
if (!(perms.allow & AA_MAY_ONEXEC)) {
info = "no change_onexec valid for executable";
goto audit;
}
/* test if this exec can be paired with change_profile onexec.
* onexec permission is linked to exec with a standard pairing
* exec\0change_profile
*/
state = aa_dfa_null_transition(rules->file->dfa, state);
error = change_profile_perms(profile, onexec, stack, AA_MAY_ONEXEC,
state, &perms);
if (error) {
perms.allow &= ~AA_MAY_ONEXEC;
goto audit;
}
if (!(perms.xindex & AA_X_UNSAFE)) {
if (DEBUG_ON) {
dbg_printk("apparmor: scrubbing environment "
"variables for %s label=", xname);
aa_label_printk(onexec, GFP_KERNEL);
dbg_printk("\n");
}
*secure_exec = true;
}
audit:
return aa_audit_file(subj_cred, profile, &perms, OP_EXEC,
AA_MAY_ONEXEC, xname,
NULL, onexec, cond->uid, info, error);
}
/* ensure none ns domain transitions are correctly applied with onexec */
static struct aa_label *handle_onexec(const struct cred *subj_cred,
struct aa_label *label,
struct aa_label *onexec, bool stack,
const struct linux_binprm *bprm,
char *buffer, struct path_cond *cond,
bool *unsafe)
{
struct aa_profile *profile;
struct aa_label *new;
int error;
AA_BUG(!label);
AA_BUG(!onexec);
AA_BUG(!bprm);
AA_BUG(!buffer);
if (!stack) {
error = fn_for_each_in_ns(label, profile,
profile_onexec(subj_cred, profile, onexec, stack,
bprm, buffer, cond, unsafe));
if (error)
return ERR_PTR(error);
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
aa_get_newest_label(onexec),
profile_transition(subj_cred, profile, bprm,
buffer,
cond, unsafe));
} else {
/* TODO: determine how much we want to loosen this */
error = fn_for_each_in_ns(label, profile,
profile_onexec(subj_cred, profile, onexec, stack, bprm,
buffer, cond, unsafe));
if (error)
return ERR_PTR(error);
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
aa_label_merge(&profile->label, onexec,
GFP_KERNEL),
profile_transition(subj_cred, profile, bprm,
buffer,
cond, unsafe));
}
if (new)
return new;
/* TODO: get rid of GLOBAL_ROOT_UID */
error = fn_for_each_in_ns(label, profile,
aa_audit_file(subj_cred, profile, &nullperms,
OP_CHANGE_ONEXEC,
AA_MAY_ONEXEC, bprm->filename, NULL,
onexec, GLOBAL_ROOT_UID,
"failed to build target label", -ENOMEM));
return ERR_PTR(error);
}
/**
* apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
* @bprm: binprm for the exec (NOT NULL)
*
* Returns: %0 or error on failure
*
* TODO: once the other paths are done see if we can't refactor into a fn
*/
int apparmor_bprm_creds_for_exec(struct linux_binprm *bprm)
{
struct aa_task_ctx *ctx;
struct aa_label *label, *new = NULL;
const struct cred *subj_cred;
struct aa_profile *profile;
char *buffer = NULL;
const char *info = NULL;
int error = 0;
bool unsafe = false;
vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file),
file_inode(bprm->file));
struct path_cond cond = {
vfsuid_into_kuid(vfsuid),
file_inode(bprm->file)->i_mode
};
subj_cred = current_cred();
ctx = task_ctx(current);
AA_BUG(!cred_label(bprm->cred));
AA_BUG(!ctx);
label = aa_get_newest_label(cred_label(bprm->cred));
/*
* Detect no new privs being set, and store the label it
* occurred under. Ideally this would happen when nnp
* is set but there isn't a good way to do that yet.
*
* Testing for unconfined must be done before the subset test
*/
if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) &&
!ctx->nnp)
ctx->nnp = aa_get_label(label);
/* buffer freed below, name is pointer into buffer */
buffer = aa_get_buffer(false);
if (!buffer) {
error = -ENOMEM;
goto done;
}
/* Test for onexec first as onexec override other x transitions. */
if (ctx->onexec)
new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token,
bprm, buffer, &cond, &unsafe);
else
new = fn_label_build(label, profile, GFP_KERNEL,
profile_transition(subj_cred, profile, bprm,
buffer,
&cond, &unsafe));
AA_BUG(!new);
if (IS_ERR(new)) {
error = PTR_ERR(new);
goto done;
} else if (!new) {
error = -ENOMEM;
goto done;
}
/* Policy has specified a domain transitions. If no_new_privs and
* confined ensure the transition is to confinement that is subset
* of the confinement when the task entered no new privs.
*
* NOTE: Domain transitions from unconfined and to stacked
* subsets are allowed even when no_new_privs is set because this
* aways results in a further reduction of permissions.
*/
if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) &&
!unconfined(label) &&
!aa_label_is_unconfined_subset(new, ctx->nnp)) {
error = -EPERM;
info = "no new privs";
goto audit;
}
if (bprm->unsafe & LSM_UNSAFE_SHARE) {
/* FIXME: currently don't mediate shared state */
;
}
if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) {
/* TODO: test needs to be profile of label to new */
error = may_change_ptraced_domain(bprm->cred, new, &info);
if (error)
goto audit;
}
if (unsafe) {
if (DEBUG_ON) {
dbg_printk("scrubbing environment variables for %s "
"label=", bprm->filename);
aa_label_printk(new, GFP_KERNEL);
dbg_printk("\n");
}
bprm->secureexec = 1;
}
if (label->proxy != new->proxy) {
/* when transitioning clear unsafe personality bits */
if (DEBUG_ON) {
dbg_printk("apparmor: clearing unsafe personality "
"bits. %s label=", bprm->filename);
aa_label_printk(new, GFP_KERNEL);
dbg_printk("\n");
}
bprm->per_clear |= PER_CLEAR_ON_SETID;
}
aa_put_label(cred_label(bprm->cred));
/* transfer reference, released when cred is freed */
set_cred_label(bprm->cred, new);
done:
aa_put_label(label);
aa_put_buffer(buffer);
return error;
audit:
error = fn_for_each(label, profile,
aa_audit_file(current_cred(), profile, &nullperms,
OP_EXEC, MAY_EXEC,
bprm->filename, NULL, new,
vfsuid_into_kuid(vfsuid), info, error));
aa_put_label(new);
goto done;
}
/*
* Functions for self directed profile change
*/
/* helper fn for change_hat
*
* Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
*/
static struct aa_label *build_change_hat(const struct cred *subj_cred,
struct aa_profile *profile,
const char *name, bool sibling)
{
struct aa_profile *root, *hat = NULL;
const char *info = NULL;
int error = 0;
if (sibling && PROFILE_IS_HAT(profile)) {
root = aa_get_profile_rcu(&profile->parent);
} else if (!sibling && !PROFILE_IS_HAT(profile)) {
root = aa_get_profile(profile);
} else {
info = "conflicting target types";
error = -EPERM;
goto audit;
}
hat = aa_find_child(root, name);
if (!hat) {
error = -ENOENT;
if (COMPLAIN_MODE(profile)) {
hat = aa_new_learning_profile(profile, true, name,
GFP_KERNEL);
if (!hat) {
info = "failed null profile create";
error = -ENOMEM;
}
}
}
aa_put_profile(root);
audit:
aa_audit_file(subj_cred, profile, &nullperms, OP_CHANGE_HAT,
AA_MAY_CHANGEHAT,
name, hat ? hat->base.hname : NULL,
hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info,
error);
if (!hat || (error && error != -ENOENT))
return ERR_PTR(error);
/* if hat && error - complain mode, already audited and we adjust for
* complain mode allow by returning hat->label
*/
return &hat->label;
}
/* helper fn for changing into a hat
*
* Returns: label for hat transition or ERR_PTR. Does not return NULL
*/
static struct aa_label *change_hat(const struct cred *subj_cred,
struct aa_label *label, const char *hats[],
int count, int flags)
{
struct aa_profile *profile, *root, *hat = NULL;
struct aa_label *new;
struct label_it it;
bool sibling = false;
const char *name, *info = NULL;
int i, error;
AA_BUG(!label);
AA_BUG(!hats);
AA_BUG(count < 1);
if (PROFILE_IS_HAT(labels_profile(label)))
sibling = true;
/*find first matching hat */
for (i = 0; i < count && !hat; i++) {
name = hats[i];
label_for_each_in_ns(it, labels_ns(label), label, profile) {
if (sibling && PROFILE_IS_HAT(profile)) {
root = aa_get_profile_rcu(&profile->parent);
} else if (!sibling && !PROFILE_IS_HAT(profile)) {
root = aa_get_profile(profile);
} else { /* conflicting change type */
info = "conflicting targets types";
error = -EPERM;
goto fail;
}
hat = aa_find_child(root, name);
aa_put_profile(root);
if (!hat) {
if (!COMPLAIN_MODE(profile))
goto outer_continue;
/* complain mode succeed as if hat */
} else if (!PROFILE_IS_HAT(hat)) {
info = "target not hat";
error = -EPERM;
aa_put_profile(hat);
goto fail;
}
aa_put_profile(hat);
}
/* found a hat for all profiles in ns */
goto build;
outer_continue:
;
}
/* no hats that match, find appropriate error
*
* In complain mode audit of the failure is based off of the first
* hat supplied. This is done due how userspace interacts with
* change_hat.
*/
name = NULL;
label_for_each_in_ns(it, labels_ns(label), label, profile) {
if (!list_empty(&profile->base.profiles)) {
info = "hat not found";
error = -ENOENT;
goto fail;
}
}
info = "no hats defined";
error = -ECHILD;
fail:
label_for_each_in_ns(it, labels_ns(label), label, profile) {
/*
* no target as it has failed to be found or built
*
* change_hat uses probing and should not log failures
* related to missing hats
*/
/* TODO: get rid of GLOBAL_ROOT_UID */
if (count > 1 || COMPLAIN_MODE(profile)) {
aa_audit_file(subj_cred, profile, &nullperms,
OP_CHANGE_HAT,
AA_MAY_CHANGEHAT, name, NULL, NULL,
GLOBAL_ROOT_UID, info, error);
}
}
return ERR_PTR(error);
build:
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
build_change_hat(subj_cred, profile, name,
sibling),
aa_get_label(&profile->label));
if (!new) {
info = "label build failed";
error = -ENOMEM;
goto fail;
} /* else if (IS_ERR) build_change_hat has logged error so return new */
return new;
}
/**
* aa_change_hat - change hat to/from subprofile
* @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
* @count: number of hat names in @hats
* @token: magic value to validate the hat change
* @flags: flags affecting behavior of the change
*
* Returns %0 on success, error otherwise.
*
* Change to the first profile specified in @hats that exists, and store
* the @hat_magic in the current task context. If the count == 0 and the
* @token matches that stored in the current task context, return to the
* top level profile.
*
* change_hat only applies to profiles in the current ns, and each profile
* in the ns must make the same transition otherwise change_hat will fail.
*/
int aa_change_hat(const char *hats[], int count, u64 token, int flags)
{
const struct cred *subj_cred;
struct aa_task_ctx *ctx = task_ctx(current);
struct aa_label *label, *previous, *new = NULL, *target = NULL;
struct aa_profile *profile;
struct aa_perms perms = {};
const char *info = NULL;
int error = 0;
/* released below */
subj_cred = get_current_cred();
label = aa_get_newest_cred_label(subj_cred);
previous = aa_get_newest_label(ctx->previous);
/*
* Detect no new privs being set, and store the label it
* occurred under. Ideally this would happen when nnp
* is set but there isn't a good way to do that yet.
*
* Testing for unconfined must be done before the subset test
*/
if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
ctx->nnp = aa_get_label(label);
if (unconfined(label)) {
info = "unconfined can not change_hat";
error = -EPERM;
goto fail;
}
if (count) {
new = change_hat(subj_cred, label, hats, count, flags);
AA_BUG(!new);
if (IS_ERR(new)) {
error = PTR_ERR(new);
new = NULL;
/* already audited */
goto out;
}
/* target cred is the same as current except new label */
error = may_change_ptraced_domain(subj_cred, new, &info);
if (error)
goto fail;
/*
* no new privs prevents domain transitions that would
* reduce restrictions.
*/
if (task_no_new_privs(current) && !unconfined(label) &&
!aa_label_is_unconfined_subset(new, ctx->nnp)) {
/* not an apparmor denial per se, so don't log it */
AA_DEBUG("no_new_privs - change_hat denied");
error = -EPERM;
goto out;
}
if (flags & AA_CHANGE_TEST)
goto out;
target = new;
error = aa_set_current_hat(new, token);
if (error == -EACCES)
/* kill task in case of brute force attacks */
goto kill;
} else if (previous && !(flags & AA_CHANGE_TEST)) {
/*
* no new privs prevents domain transitions that would
* reduce restrictions.
*/
if (task_no_new_privs(current) && !unconfined(label) &&
!aa_label_is_unconfined_subset(previous, ctx->nnp)) {
/* not an apparmor denial per se, so don't log it */
AA_DEBUG("no_new_privs - change_hat denied");
error = -EPERM;
goto out;
}
/* Return to saved label. Kill task if restore fails
* to avoid brute force attacks
*/
target = previous;
error = aa_restore_previous_label(token);
if (error) {
if (error == -EACCES)
goto kill;
goto fail;
}
} /* else ignore @flags && restores when there is no saved profile */
out:
aa_put_label(new);
aa_put_label(previous);
aa_put_label(label);
put_cred(subj_cred);
return error;
kill:
info = "failed token match";
perms.kill = AA_MAY_CHANGEHAT;
fail:
fn_for_each_in_ns(label, profile,
aa_audit_file(subj_cred, profile, &perms, OP_CHANGE_HAT,
AA_MAY_CHANGEHAT, NULL, NULL, target,
GLOBAL_ROOT_UID, info, error));
goto out;
}
static int change_profile_perms_wrapper(const char *op, const char *name,
const struct cred *subj_cred,
struct aa_profile *profile,
struct aa_label *target, bool stack,
u32 request, struct aa_perms *perms)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
const char *info = NULL;
int error = 0;
if (!error)
error = change_profile_perms(profile, target, stack, request,
rules->file->start[AA_CLASS_FILE],
perms);
if (error)
error = aa_audit_file(subj_cred, profile, perms, op, request,
name,
NULL, target, GLOBAL_ROOT_UID, info,
error);
return error;
}
static const char *stack_msg = "change_profile unprivileged unconfined converted to stacking";
/**
* aa_change_profile - perform a one-way profile transition
* @fqname: name of profile may include namespace (NOT NULL)
* @flags: flags affecting change behavior
*
* Change to new profile @name. Unlike with hats, there is no way
* to change back. If @name isn't specified the current profile name is
* used.
* If @onexec then the transition is delayed until
* the next exec.
*
* Returns %0 on success, error otherwise.
*/
int aa_change_profile(const char *fqname, int flags)
{
struct aa_label *label, *new = NULL, *target = NULL;
struct aa_profile *profile;
struct aa_perms perms = {};
const char *info = NULL;
const char *auditname = fqname; /* retain leading & if stack */
bool stack = flags & AA_CHANGE_STACK;
struct aa_task_ctx *ctx = task_ctx(current);
const struct cred *subj_cred = get_current_cred();
int error = 0;
char *op;
u32 request;
label = aa_get_current_label();
/*
* Detect no new privs being set, and store the label it
* occurred under. Ideally this would happen when nnp
* is set but there isn't a good way to do that yet.
*
* Testing for unconfined must be done before the subset test
*/
if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp)
ctx->nnp = aa_get_label(label);
if (!fqname || !*fqname) {
aa_put_label(label);
AA_DEBUG("no profile name");
return -EINVAL;
}
if (flags & AA_CHANGE_ONEXEC) {
request = AA_MAY_ONEXEC;
if (stack)
op = OP_STACK_ONEXEC;
else
op = OP_CHANGE_ONEXEC;
} else {
request = AA_MAY_CHANGE_PROFILE;
if (stack)
op = OP_STACK;
else
op = OP_CHANGE_PROFILE;
}
/* This should move to a per profile test. Requires pushing build
* into callback
*/
if (!stack && unconfined(label) &&
label == &labels_ns(label)->unconfined->label &&
aa_unprivileged_unconfined_restricted &&
/* TODO: refactor so this check is a fn */
cap_capable(current_cred(), &init_user_ns, CAP_MAC_OVERRIDE,
CAP_OPT_NOAUDIT)) {
/* regardless of the request in this case apparmor
* stacks against unconfined so admin set policy can't be
* by-passed
*/
stack = true;
perms.audit = request;
(void) fn_for_each_in_ns(label, profile,
aa_audit_file(subj_cred, profile, &perms, op,
request, auditname, NULL, target,
GLOBAL_ROOT_UID, stack_msg, 0));
perms.audit = 0;
}
if (*fqname == '&') {
stack = true;
/* don't have label_parse() do stacking */
fqname++;
}
target = aa_label_parse(label, fqname, GFP_KERNEL, true, false);
if (IS_ERR(target)) {
struct aa_profile *tprofile;
info = "label not found";
error = PTR_ERR(target);
target = NULL;
/*
* TODO: fixme using labels_profile is not right - do profile
* per complain profile
*/
if ((flags & AA_CHANGE_TEST) ||
!COMPLAIN_MODE(labels_profile(label)))
goto audit;
/* released below */
tprofile = aa_new_learning_profile(labels_profile(label), false,
fqname, GFP_KERNEL);
if (!tprofile) {
info = "failed null profile create";
error = -ENOMEM;
goto audit;
}
target = &tprofile->label;
goto check;
}
/*
* self directed transitions only apply to current policy ns
* TODO: currently requiring perms for stacking and straight change
* stacking doesn't strictly need this. Determine how much
* we want to loosen this restriction for stacking
*
* if (!stack) {
*/
error = fn_for_each_in_ns(label, profile,
change_profile_perms_wrapper(op, auditname,
subj_cred,
profile, target, stack,
request, &perms));
if (error)
/* auditing done in change_profile_perms_wrapper */
goto out;
/* } */
check:
/* check if tracing task is allowed to trace target domain */
error = may_change_ptraced_domain(subj_cred, target, &info);
if (error && !fn_for_each_in_ns(label, profile,
COMPLAIN_MODE(profile)))
goto audit;
/* TODO: add permission check to allow this
* if ((flags & AA_CHANGE_ONEXEC) && !current_is_single_threaded()) {
* info = "not a single threaded task";
* error = -EACCES;
* goto audit;
* }
*/
if (flags & AA_CHANGE_TEST)
goto out;
/* stacking is always a subset, so only check the nonstack case */
if (!stack) {
new = fn_label_build_in_ns(label, profile, GFP_KERNEL,
aa_get_label(target),
aa_get_label(&profile->label));
/*
* no new privs prevents domain transitions that would
* reduce restrictions.
*/
if (task_no_new_privs(current) && !unconfined(label) &&
!aa_label_is_unconfined_subset(new, ctx->nnp)) {
/* not an apparmor denial per se, so don't log it */
AA_DEBUG("no_new_privs - change_hat denied");
error = -EPERM;
goto out;
}
}
if (!(flags & AA_CHANGE_ONEXEC)) {
/* only transition profiles in the current ns */
if (stack)
new = aa_label_merge(label, target, GFP_KERNEL);
if (IS_ERR_OR_NULL(new)) {
info = "failed to build target label";
if (!new)
error = -ENOMEM;
else
error = PTR_ERR(new);
new = NULL;
perms.allow = 0;
goto audit;
}
error = aa_replace_current_label(new);
} else {
if (new) {
aa_put_label(new);
new = NULL;
}
/* full transition will be built in exec path */
aa_set_current_onexec(target, stack);
}
audit:
error = fn_for_each_in_ns(label, profile,
aa_audit_file(subj_cred,
profile, &perms, op, request, auditname,
NULL, new ? new : target,
GLOBAL_ROOT_UID, info, error));
out:
aa_put_label(new);
aa_put_label(target);
aa_put_label(label);
put_cred(subj_cred);
return error;
}