security/apparmor/path.c

   1 /*
   2  * AppArmor security module
   3  *
   4  * This file contains AppArmor function for pathnames
   5  *
   6  * Copyright (C) 1998-2008 Novell/SUSE
   7  * Copyright 2009-2010 Canonical Ltd.
   8  *
   9  * This program is free software; you can redistribute it and/or
  10  * modify it under the terms of the GNU General Public License as
  11  * published by the Free Software Foundation, version 2 of the
  12  * License.
  13  */
  14
  15 #include <linux/magic.h>
  16 #include <linux/mnt_namespace.h>
  17 #include <linux/mount.h>
  18 #include <linux/namei.h>
  19 #include <linux/nsproxy.h>
  20 #include <linux/path.h>
  21 #include <linux/sched.h>
  22 #include <linux/slab.h>
  23 #include <linux/fs_struct.h>
  24
  25 #include "include/apparmor.h"
  26 #include "include/path.h"
  27 #include "include/policy.h"
  28
  29
  30 /* modified from dcache.c */
  31 static int prepend(char **buffer, int buflen, const char *str, int namelen)
  32 {
  33         buflen -= namelen;
  34         if (buflen < 0)
  35                 return -ENAMETOOLONG;
  36         *buffer -= namelen;
  37         memcpy(*buffer, str, namelen);
  38         return 0;
  39 }
  40
  41 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
  42
  43 /**
  44  * d_namespace_path - lookup a name associated with a given path
  45  * @path: path to lookup  (NOT NULL)
  46  * @buf:  buffer to store path to  (NOT NULL)
  47  * @buflen: length of @buf
  48  * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
  49  * @flags: flags controlling path lookup
  50  *
  51  * Handle path name lookup.
  52  *
  53  * Returns: %0 else error code if path lookup fails
  54  *          When no error the path name is returned in @name which points to
  55  *          to a position in @buf
  56  */
  57 static int d_namespace_path(struct path *path, char *buf, int buflen,
  58                             char **name, int flags)
  59 {
  60         struct path root, tmp;
  61         char *res;
  62         int deleted, connected;
  63         int error = 0;
  64
  65         /* Get the root we want to resolve too, released below */
  66         if (flags & PATH_CHROOT_REL) {
  67                 /* resolve paths relative to chroot */
  68                 get_fs_root(current->fs, &root);
  69         } else {
  70                 /* resolve paths relative to namespace */
  71                 root.mnt = current->nsproxy->mnt_ns->root;
  72                 root.dentry = root.mnt->mnt_root;
  73                 path_get(&root);
  74         }
  75
  76         spin_lock(&dcache_lock);
  77         /* There is a race window between path lookup here and the
  78          * need to strip the " (deleted) string that __d_path applies
  79          * Detect the race and relookup the path
  80          *
  81          * The stripping of (deleted) is a hack that could be removed
  82          * with an updated __d_path
  83          */
  84         do {
  85                 tmp = root;
  86                 deleted = d_unlinked(path->dentry);
  87                 res = __d_path(path, &tmp, buf, buflen);
  88
  89         } while (deleted != d_unlinked(path->dentry));
  90         spin_unlock(&dcache_lock);
  91
  92         *name = res;
  93         /* handle error conditions - and still allow a partial path to
  94          * be returned.
  95          */
  96         if (IS_ERR(res)) {
  97                 error = PTR_ERR(res);
  98                 *name = buf;
  99                 goto out;
 100         }
 101         if (deleted) {
 102                 /* On some filesystems, newly allocated dentries appear to the
 103                  * security_path hooks as a deleted dentry except without an
 104                  * inode allocated.
 105                  *
 106                  * Remove the appended deleted text and return as string for
 107                  * normal mediation, or auditing.  The (deleted) string is
 108                  * guaranteed to be added in this case, so just strip it.
 109                  */
 110                 buf[buflen - 11] = 0;   /* - (len(" (deleted)") +\0) */
 111
 112                 if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
 113                         error = -ENOENT;
 114                         goto out;
 115                 }
 116         }
 117
 118         /* Determine if the path is connected to the expected root */
 119         connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
 120
 121         /* If the path is not connected,
 122          * check if it is a sysctl and handle specially else remove any
 123          * leading / that __d_path may have returned.
 124          * Unless
 125          *     specifically directed to connect the path,
 126          * OR
 127          *     if in a chroot and doing chroot relative paths and the path
 128          *     resolves to the namespace root (would be connected outside
 129          *     of chroot) and specifically directed to connect paths to
 130          *     namespace root.
 131          */
 132         if (!connected) {
 133                 /* is the disconnect path a sysctl? */
 134                 if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
 135                     strncmp(*name, "/sys/", 5) == 0) {
 136                         /* TODO: convert over to using a per namespace
 137                          * control instead of hard coded /proc
 138                          */
 139                         error = prepend(name, *name - buf, "/proc", 5);
 140                 } else if (!(flags & PATH_CONNECT_PATH) &&
 141                            !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
 142                              (tmp.mnt == current->nsproxy->mnt_ns->root &&
 143                               tmp.dentry == tmp.mnt->mnt_root))) {
 144                         /* disconnected path, don't return pathname starting
 145                          * with '/'
 146                          */
 147                         error = -ESTALE;
 148                         if (*res == '/')
 149                                 *name = res + 1;
 150                 }
 151         }
 152
 153 out:
 154         path_put(&root);
 155
 156         return error;
 157 }
 158
 159 /**
 160  * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
 161  * @path: path to get name for  (NOT NULL)
 162  * @flags: flags controlling path lookup
 163  * @buffer: buffer to put name in  (NOT NULL)
 164  * @size: size of buffer
 165  * @name: Returns - contains position of path name in @buffer (NOT NULL)
 166  *
 167  * Returns: %0 else error on failure
 168  */
 169 static int get_name_to_buffer(struct path *path, int flags, char *buffer,
 170                               int size, char **name)
 171 {
 172         int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
 173         int error = d_namespace_path(path, buffer, size - adjust, name, flags);
 174
 175         if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
 176                 /*
 177                  * Append "/" to the pathname.  The root directory is a special
 178                  * case; it already ends in slash.
 179                  */
 180                 strcpy(&buffer[size - 2], "/");
 181
 182         return error;
 183 }
 184
 185 /**
 186  * aa_get_name - compute the pathname of a file
 187  * @path: path the file  (NOT NULL)
 188  * @flags: flags controlling path name generation
 189  * @buffer: buffer that aa_get_name() allocated  (NOT NULL)
 190  * @name: Returns - the generated path name if !error (NOT NULL)
 191  *
 192  * @name is a pointer to the beginning of the pathname (which usually differs
 193  * from the beginning of the buffer), or NULL.  If there is an error @name
 194  * may contain a partial or invalid name that can be used for audit purposes,
 195  * but it can not be used for mediation.
 196  *
 197  * We need PATH_IS_DIR to indicate whether the file is a directory or not
 198  * because the file may not yet exist, and so we cannot check the inode's
 199  * file type.
 200  *
 201  * Returns: %0 else error code if could retrieve name
 202  */
 203 int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
 204 {
 205         char *buf, *str = NULL;
 206         int size = 256;
 207         int error;
 208
 209         *name = NULL;
 210         *buffer = NULL;
 211         for (;;) {
 212                 /* freed by caller */
 213                 buf = kmalloc(size, GFP_KERNEL);
 214                 if (!buf)
 215                         return -ENOMEM;
 216
 217                 error = get_name_to_buffer(path, flags, buf, size, &str);
 218                 if (error != -ENAMETOOLONG)
 219                         break;
 220
 221                 kfree(buf);
 222                 size <<= 1;
 223                 if (size > aa_g_path_max)
 224                         return -ENAMETOOLONG;
 225         }
 226         *buffer = buf;
 227         *name = str;
 228
 229         return error;
 230 }