2 * AppArmor security module
4 * This file contains AppArmor policy attachment and domain transitions
6 * Copyright (C) 2002-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/errno.h>
16 #include <linux/fdtable.h>
17 #include <linux/file.h>
18 #include <linux/mount.h>
19 #include <linux/syscalls.h>
20 #include <linux/tracehook.h>
21 #include <linux/personality.h>
23 #include "include/audit.h"
24 #include "include/apparmorfs.h"
25 #include "include/context.h"
26 #include "include/domain.h"
27 #include "include/file.h"
28 #include "include/ipc.h"
29 #include "include/match.h"
30 #include "include/path.h"
31 #include "include/policy.h"
34 * aa_free_domain_entries - free entries in a domain table
35 * @domain: the domain table to free (MAYBE NULL)
37 void aa_free_domain_entries(struct aa_domain
*domain
)
44 for (i
= 0; i
< domain
->size
; i
++)
45 kzfree(domain
->table
[i
]);
46 kzfree(domain
->table
);
52 * may_change_ptraced_domain - check if can change profile on ptraced task
53 * @task: task we want to change profile of (NOT NULL)
54 * @to_profile: profile to change to (NOT NULL)
56 * Check if the task is ptraced and if so if the tracing task is allowed
57 * to trace the new domain
59 * Returns: %0 or error if change not allowed
61 static int may_change_ptraced_domain(struct task_struct
*task
,
62 struct aa_profile
*to_profile
)
64 struct task_struct
*tracer
;
65 const struct cred
*cred
= NULL
;
66 struct aa_profile
*tracerp
= NULL
;
70 tracer
= tracehook_tracer_task(task
);
73 cred
= get_task_cred(tracer
);
74 tracerp
= aa_cred_profile(cred
);
78 if (!tracer
|| unconfined(tracerp
))
81 error
= aa_may_ptrace(tracer
, tracerp
, to_profile
, PTRACE_MODE_ATTACH
);
92 * change_profile_perms - find permissions for change_profile
93 * @profile: the current profile (NOT NULL)
94 * @ns: the namespace being switched to (NOT NULL)
95 * @name: the name of the profile to change to (NOT NULL)
96 * @request: requested perms
97 * @start: state to start matching in
99 * Returns: permission set
101 static struct file_perms
change_profile_perms(struct aa_profile
*profile
,
102 struct aa_namespace
*ns
,
103 const char *name
, u32 request
,
106 struct file_perms perms
;
107 struct path_cond cond
= { };
110 if (unconfined(profile
)) {
111 perms
.allow
= AA_MAY_CHANGE_PROFILE
| AA_MAY_ONEXEC
;
112 perms
.audit
= perms
.quiet
= perms
.kill
= 0;
114 } else if (!profile
->file
.dfa
) {
116 } else if ((ns
== profile
->ns
)) {
117 /* try matching against rules with out namespace prepended */
118 aa_str_perms(profile
->file
.dfa
, start
, name
, &cond
, &perms
);
119 if (COMBINED_PERM_MASK(perms
) & request
)
123 /* try matching with namespace name and then profile */
124 state
= aa_dfa_match(profile
->file
.dfa
, start
, ns
->base
.name
);
125 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
126 aa_str_perms(profile
->file
.dfa
, state
, name
, &cond
, &perms
);
132 * __attach_match_ - find an attachment match
133 * @name - to match against (NOT NULL)
134 * @head - profile list to walk (NOT NULL)
136 * Do a linear search on the profiles in the list. There is a matching
137 * preference where an exact match is preferred over a name which uses
138 * expressions to match, and matching expressions with the greatest
139 * xmatch_len are preferred.
141 * Requires: @head not be shared or have appropriate locks held
143 * Returns: profile or NULL if no match found
145 static struct aa_profile
*__attach_match(const char *name
,
146 struct list_head
*head
)
149 struct aa_profile
*profile
, *candidate
= NULL
;
151 list_for_each_entry(profile
, head
, base
.list
) {
152 if (profile
->flags
& PFLAG_NULL
)
154 if (profile
->xmatch
&& profile
->xmatch_len
> len
) {
155 unsigned int state
= aa_dfa_match(profile
->xmatch
,
157 u32 perm
= dfa_user_allow(profile
->xmatch
, state
);
158 /* any accepting state means a valid match. */
159 if (perm
& MAY_EXEC
) {
161 len
= profile
->xmatch_len
;
163 } else if (!strcmp(profile
->base
.name
, name
))
164 /* exact non-re match, no more searching required */
172 * find_attach - do attachment search for unconfined processes
173 * @ns: the current namespace (NOT NULL)
174 * @list: list to search (NOT NULL)
175 * @name: the executable name to match against (NOT NULL)
177 * Returns: profile or NULL if no match found
179 static struct aa_profile
*find_attach(struct aa_namespace
*ns
,
180 struct list_head
*list
, const char *name
)
182 struct aa_profile
*profile
;
184 read_lock(&ns
->lock
);
185 profile
= aa_get_profile(__attach_match(name
, list
));
186 read_unlock(&ns
->lock
);
192 * separate_fqname - separate the namespace and profile names
193 * @fqname: the fqname name to split (NOT NULL)
194 * @ns_name: the namespace name if it exists (NOT NULL)
196 * This is the xtable equivalent routine of aa_split_fqname. It finds the
197 * split in an xtable fqname which contains an embedded \0 instead of a :
198 * if a namespace is specified. This is done so the xtable is constant and
199 * isn't re-split on every lookup.
201 * Either the profile or namespace name may be optional but if the namespace
202 * is specified the profile name termination must be present. This results
203 * in the following possible encodings:
205 * :ns_name\0profile_name\0
208 * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table
210 * Returns: profile name if it is specified else NULL
212 static const char *separate_fqname(const char *fqname
, const char **ns_name
)
216 if (fqname
[0] == ':') {
217 /* In this case there is guaranteed to be two \0 terminators
218 * in the string. They are verified at load time by
219 * by unpack_trans_table
221 *ns_name
= fqname
+ 1; /* skip : */
222 name
= *ns_name
+ strlen(*ns_name
) + 1;
233 static const char *next_name(int xtype
, const char *name
)
239 * x_table_lookup - lookup an x transition name via transition table
240 * @profile: current profile (NOT NULL)
241 * @xindex: index into x transition table
243 * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
245 static struct aa_profile
*x_table_lookup(struct aa_profile
*profile
, u32 xindex
)
247 struct aa_profile
*new_profile
= NULL
;
248 struct aa_namespace
*ns
= profile
->ns
;
249 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
250 int index
= xindex
& AA_X_INDEX_MASK
;
253 /* index is guaranteed to be in range, validated at load time */
254 for (name
= profile
->file
.trans
.table
[index
]; !new_profile
&& name
;
255 name
= next_name(xtype
, name
)) {
256 struct aa_namespace
*new_ns
;
257 const char *xname
= NULL
;
260 if (xindex
& AA_X_CHILD
) {
261 /* release by caller */
262 new_profile
= aa_find_child(profile
, name
);
264 } else if (*name
== ':') {
265 /* switching namespace */
267 xname
= name
= separate_fqname(name
, &ns_name
);
269 /* no name so use profile name */
270 xname
= profile
->base
.hname
;
271 if (*ns_name
== '@') {
272 /* TODO: variable support */
276 new_ns
= aa_find_namespace(ns
, ns_name
);
279 } else if (*name
== '@') {
280 /* TODO: variable support */
283 /* basic namespace lookup */
287 /* released by caller */
288 new_profile
= aa_lookup_profile(new_ns
? new_ns
: ns
, xname
);
289 aa_put_namespace(new_ns
);
292 /* released by caller */
297 * x_to_profile - get target profile for a given xindex
298 * @profile: current profile (NOT NULL)
299 * @name: name to lookup (NOT NULL)
300 * @xindex: index into x transition table
302 * find profile for a transition index
304 * Returns: refcounted profile or NULL if not found available
306 static struct aa_profile
*x_to_profile(struct aa_profile
*profile
,
307 const char *name
, u32 xindex
)
309 struct aa_profile
*new_profile
= NULL
;
310 struct aa_namespace
*ns
= profile
->ns
;
311 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
315 /* fail exec unless ix || ux fallback - handled by caller */
318 if (xindex
& AA_X_CHILD
)
319 /* released by caller */
320 new_profile
= find_attach(ns
, &profile
->base
.profiles
,
323 /* released by caller */
324 new_profile
= find_attach(ns
, &ns
->base
.profiles
,
328 /* released by caller */
329 new_profile
= x_table_lookup(profile
, xindex
);
333 /* released by caller */
338 * apparmor_bprm_set_creds - set the new creds on the bprm struct
339 * @bprm: binprm for the exec (NOT NULL)
341 * Returns: %0 or error on failure
343 int apparmor_bprm_set_creds(struct linux_binprm
*bprm
)
345 struct aa_task_cxt
*cxt
;
346 struct aa_profile
*profile
, *new_profile
= NULL
;
347 struct aa_namespace
*ns
;
350 struct file_perms perms
= {};
351 struct path_cond cond
= {
352 bprm
->file
->f_path
.dentry
->d_inode
->i_uid
,
353 bprm
->file
->f_path
.dentry
->d_inode
->i_mode
355 const char *name
= NULL
, *target
= NULL
, *info
= NULL
;
356 int error
= cap_bprm_set_creds(bprm
);
360 if (bprm
->cred_prepared
)
363 cxt
= bprm
->cred
->security
;
366 profile
= aa_get_profile(aa_newest_version(cxt
->profile
));
368 * get the namespace from the replacement profile as replacement
369 * can change the namespace
372 state
= profile
->file
.start
;
374 /* buffer freed below, name is pointer into buffer */
375 error
= aa_get_name(&bprm
->file
->f_path
, profile
->path_flags
, &buffer
,
379 (PFLAG_IX_ON_NAME_ERROR
| PFLAG_UNCONFINED
))
381 info
= "Exec failed name resolution";
382 name
= bprm
->filename
;
386 /* Test for onexec first as onexec directives override other
389 if (unconfined(profile
)) {
390 /* unconfined task */
392 /* change_profile on exec already been granted */
393 new_profile
= aa_get_profile(cxt
->onexec
);
395 new_profile
= find_attach(ns
, &ns
->base
.profiles
, name
);
401 /* find exec permissions for name */
402 state
= aa_str_perms(profile
->file
.dfa
, state
, name
, &cond
, &perms
);
404 struct file_perms cp
;
405 info
= "change_profile onexec";
406 if (!(perms
.allow
& AA_MAY_ONEXEC
))
409 /* test if this exec can be paired with change_profile onexec.
410 * onexec permission is linked to exec with a standard pairing
411 * exec\0change_profile
413 state
= aa_dfa_null_transition(profile
->file
.dfa
, state
);
414 cp
= change_profile_perms(profile
, cxt
->onexec
->ns
, name
,
415 AA_MAY_ONEXEC
, state
);
417 if (!(cp
.allow
& AA_MAY_ONEXEC
))
419 new_profile
= aa_get_profile(aa_newest_version(cxt
->onexec
));
423 if (perms
.allow
& MAY_EXEC
) {
424 /* exec permission determine how to transition */
425 new_profile
= x_to_profile(profile
, name
, perms
.xindex
);
427 if (perms
.xindex
& AA_X_INHERIT
) {
428 /* (p|c|n)ix - don't change profile but do
429 * use the newest version, which was picked
430 * up above when getting profile
432 info
= "ix fallback";
433 new_profile
= aa_get_profile(profile
);
435 } else if (perms
.xindex
& AA_X_UNCONFINED
) {
436 new_profile
= aa_get_profile(ns
->unconfined
);
437 info
= "ux fallback";
440 info
= "profile not found";
443 } else if (COMPLAIN_MODE(profile
)) {
444 /* no exec permission - are we in learning mode */
445 new_profile
= aa_new_null_profile(profile
, 0);
448 info
= "could not create null profile";
451 target
= new_profile
->base
.hname
;
453 perms
.xindex
|= AA_X_UNSAFE
;
461 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
462 /* FIXME: currently don't mediate shared state */
466 if (bprm
->unsafe
& (LSM_UNSAFE_PTRACE
| LSM_UNSAFE_PTRACE_CAP
)) {
467 error
= may_change_ptraced_domain(current
, new_profile
);
469 aa_put_profile(new_profile
);
474 /* Determine if secure exec is needed.
475 * Can be at this point for the following reasons:
476 * 1. unconfined switching to confined
477 * 2. confined switching to different confinement
478 * 3. confined switching to unconfined
480 * Cases 2 and 3 are marked as requiring secure exec
481 * (unless policy specified "unsafe exec")
483 * bprm->unsafe is used to cache the AA_X_UNSAFE permission
484 * to avoid having to recompute in secureexec
486 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
487 AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
488 name
, new_profile
->base
.hname
);
489 bprm
->unsafe
|= AA_SECURE_X_NEEDED
;
492 target
= new_profile
->base
.hname
;
493 /* when transitioning profiles clear unsafe personality bits */
494 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
497 aa_put_profile(cxt
->profile
);
498 /* transfer new profile reference will be released when cxt is freed */
499 cxt
->profile
= new_profile
;
501 /* clear out all temporary/transitional state from the context */
502 aa_put_profile(cxt
->previous
);
503 aa_put_profile(cxt
->onexec
);
504 cxt
->previous
= NULL
;
509 error
= aa_audit_file(profile
, &perms
, GFP_KERNEL
, OP_EXEC
, MAY_EXEC
,
510 name
, target
, cond
.uid
, info
, error
);
513 aa_put_profile(profile
);
520 * apparmor_bprm_secureexec - determine if secureexec is needed
521 * @bprm: binprm for exec (NOT NULL)
523 * Returns: %1 if secureexec is needed else %0
525 int apparmor_bprm_secureexec(struct linux_binprm
*bprm
)
527 int ret
= cap_bprm_secureexec(bprm
);
529 /* the decision to use secure exec is computed in set_creds
530 * and stored in bprm->unsafe.
532 if (!ret
&& (bprm
->unsafe
& AA_SECURE_X_NEEDED
))
539 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
540 * @bprm: binprm for the exec (NOT NULL)
542 void apparmor_bprm_committing_creds(struct linux_binprm
*bprm
)
544 struct aa_profile
*profile
= __aa_current_profile();
545 struct aa_task_cxt
*new_cxt
= bprm
->cred
->security
;
547 /* bail out if unconfined or not changing profile */
548 if ((new_cxt
->profile
== profile
) ||
549 (unconfined(new_cxt
->profile
)))
552 current
->pdeath_signal
= 0;
554 /* reset soft limits and set hard limits for the new profile */
555 __aa_transition_rlimits(profile
, new_cxt
->profile
);
559 * apparmor_bprm_commited_cred - do cleanup after new creds committed
560 * @bprm: binprm for the exec (NOT NULL)
562 void apparmor_bprm_committed_creds(struct linux_binprm
*bprm
)
564 /* TODO: cleanup signals - ipc mediation */
569 * Functions for self directed profile change
573 * new_compound_name - create an hname with @n2 appended to @n1
574 * @n1: base of hname (NOT NULL)
575 * @n2: name to append (NOT NULL)
577 * Returns: new name or NULL on error
579 static char *new_compound_name(const char *n1
, const char *n2
)
581 char *name
= kmalloc(strlen(n1
) + strlen(n2
) + 3, GFP_KERNEL
);
583 sprintf(name
, "%s//%s", n1
, n2
);
588 * aa_change_hat - change hat to/from subprofile
589 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
590 * @count: number of hat names in @hats
591 * @token: magic value to validate the hat change
592 * @permtest: true if this is just a permission test
594 * Change to the first profile specified in @hats that exists, and store
595 * the @hat_magic in the current task context. If the count == 0 and the
596 * @token matches that stored in the current task context, return to the
599 * Returns %0 on success, error otherwise.
601 int aa_change_hat(const char *hats
[], int count
, u64 token
, bool permtest
)
603 const struct cred
*cred
;
604 struct aa_task_cxt
*cxt
;
605 struct aa_profile
*profile
, *previous_profile
, *hat
= NULL
;
608 struct file_perms perms
= {};
609 const char *target
= NULL
, *info
= NULL
;
613 cred
= get_current_cred();
614 cxt
= cred
->security
;
615 profile
= aa_cred_profile(cred
);
616 previous_profile
= cxt
->previous
;
618 if (unconfined(profile
)) {
625 /* attempting to change into a new hat or switch to a sibling */
626 struct aa_profile
*root
;
627 root
= PROFILE_IS_HAT(profile
) ? profile
->parent
: profile
;
629 /* find first matching hat */
630 for (i
= 0; i
< count
&& !hat
; i
++)
632 hat
= aa_find_child(root
, hats
[i
]);
634 if (!COMPLAIN_MODE(root
) || permtest
) {
635 if (list_empty(&root
->base
.profiles
))
643 * In complain mode and failed to match any hats.
644 * Audit the failure is based off of the first hat
645 * supplied. This is done due how userspace
646 * interacts with change_hat.
648 * TODO: Add logging of all failed hats
652 name
= new_compound_name(root
->base
.hname
, hats
[0]);
655 hat
= aa_new_null_profile(profile
, 1);
657 info
= "failed null profile create";
662 target
= hat
->base
.hname
;
663 if (!PROFILE_IS_HAT(hat
)) {
664 info
= "target not hat";
670 error
= may_change_ptraced_domain(current
, hat
);
678 error
= aa_set_current_hat(hat
, token
);
679 if (error
== -EACCES
)
680 /* kill task in case of brute force attacks */
681 perms
.kill
= AA_MAY_CHANGEHAT
;
682 else if (name
&& !error
)
683 /* reset error for learning of new hats */
686 } else if (previous_profile
) {
687 /* Return to saved profile. Kill task if restore fails
688 * to avoid brute force attacks
690 target
= previous_profile
->base
.hname
;
691 error
= aa_restore_previous_profile(token
);
692 perms
.kill
= AA_MAY_CHANGEHAT
;
694 /* ignore restores when there is no saved profile */
699 error
= aa_audit_file(profile
, &perms
, GFP_KERNEL
,
700 OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
, NULL
,
701 target
, 0, info
, error
);
712 * aa_change_profile - perform a one-way profile transition
713 * @ns_name: name of the profile namespace to change to (MAYBE NULL)
714 * @hname: name of profile to change to (MAYBE NULL)
715 * @onexec: whether this transition is to take place immediately or at exec
716 * @permtest: true if this is just a permission test
718 * Change to new profile @name. Unlike with hats, there is no way
719 * to change back. If @name isn't specified the current profile name is
721 * If @onexec then the transition is delayed until
724 * Returns %0 on success, error otherwise.
726 int aa_change_profile(const char *ns_name
, const char *hname
, bool onexec
,
729 const struct cred
*cred
;
730 struct aa_task_cxt
*cxt
;
731 struct aa_profile
*profile
, *target
= NULL
;
732 struct aa_namespace
*ns
= NULL
;
733 struct file_perms perms
= {};
734 const char *name
= NULL
, *info
= NULL
;
738 if (!hname
&& !ns_name
)
742 request
= AA_MAY_ONEXEC
;
743 op
= OP_CHANGE_ONEXEC
;
745 request
= AA_MAY_CHANGE_PROFILE
;
746 op
= OP_CHANGE_PROFILE
;
749 cred
= get_current_cred();
750 cxt
= cred
->security
;
751 profile
= aa_cred_profile(cred
);
755 ns
= aa_find_namespace(profile
->ns
, ns_name
);
757 /* we don't create new namespace in complain mode */
759 info
= "namespace not found";
765 ns
= aa_get_namespace(profile
->ns
);
767 /* if the name was not specified, use the name of the current profile */
769 if (unconfined(profile
))
770 hname
= ns
->unconfined
->base
.hname
;
772 hname
= profile
->base
.hname
;
775 perms
= change_profile_perms(profile
, ns
, hname
, request
,
776 profile
->file
.start
);
777 if (!(perms
.allow
& request
)) {
783 target
= aa_lookup_profile(ns
, hname
);
785 info
= "profile not found";
787 if (permtest
|| !COMPLAIN_MODE(profile
))
790 target
= aa_new_null_profile(profile
, 0);
792 info
= "failed null profile create";
798 /* check if tracing task is allowed to trace target domain */
799 error
= may_change_ptraced_domain(current
, target
);
801 info
= "ptrace prevents transition";
809 error
= aa_set_current_onexec(target
);
811 error
= aa_replace_current_profile(target
);
815 error
= aa_audit_file(profile
, &perms
, GFP_KERNEL
, op
, request
,
816 name
, hname
, 0, info
, error
);
818 aa_put_namespace(ns
);
819 aa_put_profile(target
);