1 From 3f980257e048429a1f0a5dbce0b027a93c0781cc Mon Sep 17 00:00:00 2001
2 From: John Johansen <john.johansen@canonical.com>
3 Date: Wed, 4 Aug 2010 04:42:50 -0700
4 Subject: [PATCH] AppArmor: security module v2.6 + compat patches as of 29-07-2010 (security-next)
6 AppArmor v2.6 module as synced to security-next 29-07-2010 backported to
7 2.6.35 + AppArmor 2.4 compatibility patches.
9 Signed-off-by: John Johansen <john.johansen@canonical.com>
11 Documentation/apparmor.txt | 40 +
12 Documentation/kernel-parameters.txt | 8 +
14 include/linux/lsm_audit.h | 31 +
15 security/Kconfig | 6 +
16 security/Makefile | 2 +
17 security/apparmor/.gitignore | 5 +
18 security/apparmor/Kconfig | 40 +
19 security/apparmor/Makefile | 30 +
20 security/apparmor/apparmorfs-24.c | 287 +++++++
21 security/apparmor/apparmorfs.c | 253 ++++++
22 security/apparmor/audit.c | 215 ++++++
23 security/apparmor/capability.c | 141 ++++
24 security/apparmor/context.c | 216 ++++++
25 security/apparmor/domain.c | 823 ++++++++++++++++++++
26 security/apparmor/file.c | 457 +++++++++++
27 security/apparmor/include/apparmor.h | 92 +++
28 security/apparmor/include/apparmorfs.h | 26 +
29 security/apparmor/include/audit.h | 123 +++
30 security/apparmor/include/capability.h | 45 ++
31 security/apparmor/include/context.h | 154 ++++
32 security/apparmor/include/domain.h | 36 +
33 security/apparmor/include/file.h | 217 ++++++
34 security/apparmor/include/ipc.h | 28 +
35 security/apparmor/include/match.h | 132 ++++
36 security/apparmor/include/net.h | 40 +
37 security/apparmor/include/path.h | 31 +
38 security/apparmor/include/policy.h | 308 ++++++++
39 security/apparmor/include/policy_unpack.h | 20 +
40 security/apparmor/include/procattr.h | 26 +
41 security/apparmor/include/resource.h | 46 ++
42 security/apparmor/include/sid.h | 24 +
43 security/apparmor/ipc.c | 114 +++
44 security/apparmor/lib.c | 133 ++++
45 security/apparmor/lsm.c | 1051 +++++++++++++++++++++++++
46 security/apparmor/match.c | 370 +++++++++
47 security/apparmor/net.c | 169 ++++
48 security/apparmor/path.c | 235 ++++++
49 security/apparmor/policy.c | 1185 +++++++++++++++++++++++++++++
50 security/apparmor/policy_unpack.c | 740 ++++++++++++++++++
51 security/apparmor/policy_unpack.c.rej | 11 +
52 security/apparmor/procattr.c | 170 ++++
53 security/apparmor/resource.c | 134 ++++
54 security/apparmor/sid.c | 55 ++
55 44 files changed, 8277 insertions(+), 0 deletions(-)
56 create mode 100644 Documentation/apparmor.txt
57 create mode 100644 security/apparmor/.gitignore
58 create mode 100644 security/apparmor/Kconfig
59 create mode 100644 security/apparmor/Makefile
60 create mode 100644 security/apparmor/apparmorfs-24.c
61 create mode 100644 security/apparmor/apparmorfs.c
62 create mode 100644 security/apparmor/audit.c
63 create mode 100644 security/apparmor/capability.c
64 create mode 100644 security/apparmor/context.c
65 create mode 100644 security/apparmor/domain.c
66 create mode 100644 security/apparmor/file.c
67 create mode 100644 security/apparmor/include/apparmor.h
68 create mode 100644 security/apparmor/include/apparmorfs.h
69 create mode 100644 security/apparmor/include/audit.h
70 create mode 100644 security/apparmor/include/capability.h
71 create mode 100644 security/apparmor/include/context.h
72 create mode 100644 security/apparmor/include/domain.h
73 create mode 100644 security/apparmor/include/file.h
74 create mode 100644 security/apparmor/include/ipc.h
75 create mode 100644 security/apparmor/include/match.h
76 create mode 100644 security/apparmor/include/net.h
77 create mode 100644 security/apparmor/include/path.h
78 create mode 100644 security/apparmor/include/policy.h
79 create mode 100644 security/apparmor/include/policy_unpack.h
80 create mode 100644 security/apparmor/include/procattr.h
81 create mode 100644 security/apparmor/include/resource.h
82 create mode 100644 security/apparmor/include/sid.h
83 create mode 100644 security/apparmor/ipc.c
84 create mode 100644 security/apparmor/lib.c
85 create mode 100644 security/apparmor/lsm.c
86 create mode 100644 security/apparmor/match.c
87 create mode 100644 security/apparmor/net.c
88 create mode 100644 security/apparmor/path.c
89 create mode 100644 security/apparmor/policy.c
90 create mode 100644 security/apparmor/policy_unpack.c
91 create mode 100644 security/apparmor/policy_unpack.c.rej
92 create mode 100644 security/apparmor/procattr.c
93 create mode 100644 security/apparmor/resource.c
94 create mode 100644 security/apparmor/sid.c
96 diff --git a/Documentation/apparmor.txt b/Documentation/apparmor.txt
98 index 0000000..6240438
100 +++ b/Documentation/apparmor.txt
102 +--- What is AppArmor? ---
104 +AppArmor is MAC style security extension for the Linux kernel. It implements
105 +a task centered policy, with task "profiles" being created and loaded
106 +from user space. Tasks on the system that do not have a profile defined for
107 +them run in an unconfined state which is equivalent to standard Linux DAC
110 +--- How to enable/disable ---
112 +set CONFIG_SECURITY_APPARMOR=y
114 +If AppArmor should be selected as the default security module then
115 + set CONFIG_DEFAULT_SECURITY="apparmor"
116 + and CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE=1
120 +If AppArmor is not the default security module it can be enabled by passing
121 +security=apparmor on the kernel's command line.
123 +If AppArmor is the default security module it can be disabled by passing
124 +apparmor=0, security=XXXX (where XXX is valid security module), on the
125 +kernel's command line
127 +For AppArmor to enforce any restrictions beyond standard Linux DAC permissions
128 +policy must be loaded into the kernel from user space (see the Documentation
131 +--- Documentation ---
133 +Documentation can be found on the wiki.
137 +Mailing List - apparmor@lists.ubuntu.com
138 +Wiki - http://apparmor.wiki.kernel.org/
139 +User space tools - https://launchpad.net/apparmor
140 +Kernel module - git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
142 diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt
143 index 2b2407d..b61f89f 100644
144 --- a/Documentation/kernel-parameters.txt
145 +++ b/Documentation/kernel-parameters.txt
146 @@ -93,6 +93,7 @@ parameter is applicable:
148 SECURITY Different security models are enabled.
149 SELINUX SELinux support is enabled.
150 + APPARMOR AppArmor support is enabled.
151 SERIAL Serial support is enabled.
152 SH SuperH architecture is enabled.
153 SMP The kernel is an SMP kernel.
154 @@ -2312,6 +2313,13 @@ and is between 256 and 4096 characters. It is defined in the file
155 If enabled at boot time, /selinux/disable can be used
156 later to disable prior to initial policy load.
158 + apparmor= [APPARMOR] Disable or enable AppArmor at boot time
159 + Format: { "0" | "1" }
160 + See security/apparmor/Kconfig help text
163 + Default value is set via kernel config option.
165 serialnumber [BUGS=X86-32]
168 diff --git a/MAINTAINERS b/MAINTAINERS
169 index 02f75fc..a8d5851 100644
172 @@ -5061,6 +5061,14 @@ S: Supported
173 F: include/linux/selinux*
176 +APPARMOR SECURITY MODULE
177 +M: John Johansen <john.johansen@canonical.com>
178 +L: apparmor@lists.ubuntu.com (subscribers-only, general discussion)
179 +W: apparmor.wiki.kernel.org
180 +T: git git://git.kernel.org/pub/scm/linux/kernel/git/jj/apparmor-dev.git
182 +F: security/apparmor/
185 M: Jiri Slaby <jirislaby@gmail.com>
187 diff --git a/include/linux/lsm_audit.h b/include/linux/lsm_audit.h
188 index 6907251..3474e45 100644
189 --- a/include/linux/lsm_audit.h
190 +++ b/include/linux/lsm_audit.h
191 @@ -94,6 +94,37 @@ struct common_audit_data {
193 } selinux_audit_data;
195 +#ifdef CONFIG_SECURITY_APPARMOR
214 + const char *target;
220 + int type, protocol;
224 + } apparmor_audit_data;
227 /* these callback will be implemented by a specific LSM */
228 void (*lsm_pre_audit)(struct audit_buffer *, void *);
229 diff --git a/security/Kconfig b/security/Kconfig
230 index 226b955..bd72ae6 100644
231 --- a/security/Kconfig
232 +++ b/security/Kconfig
233 @@ -140,6 +140,7 @@ config LSM_MMAP_MIN_ADDR
234 source security/selinux/Kconfig
235 source security/smack/Kconfig
236 source security/tomoyo/Kconfig
237 +source security/apparmor/Kconfig
239 source security/integrity/ima/Kconfig
241 @@ -148,6 +149,7 @@ choice
242 default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX
243 default DEFAULT_SECURITY_SMACK if SECURITY_SMACK
244 default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO
245 + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR
246 default DEFAULT_SECURITY_DAC
249 @@ -163,6 +165,9 @@ choice
250 config DEFAULT_SECURITY_TOMOYO
251 bool "TOMOYO" if SECURITY_TOMOYO=y
253 + config DEFAULT_SECURITY_APPARMOR
254 + bool "AppArmor" if SECURITY_APPARMOR=y
256 config DEFAULT_SECURITY_DAC
257 bool "Unix Discretionary Access Controls"
259 @@ -173,6 +178,7 @@ config DEFAULT_SECURITY
260 default "selinux" if DEFAULT_SECURITY_SELINUX
261 default "smack" if DEFAULT_SECURITY_SMACK
262 default "tomoyo" if DEFAULT_SECURITY_TOMOYO
263 + default "apparmor" if DEFAULT_SECURITY_APPARMOR
264 default "" if DEFAULT_SECURITY_DAC
267 diff --git a/security/Makefile b/security/Makefile
268 index da20a19..8bb0fe9 100644
269 --- a/security/Makefile
270 +++ b/security/Makefile
271 @@ -6,6 +6,7 @@ obj-$(CONFIG_KEYS) += keys/
272 subdir-$(CONFIG_SECURITY_SELINUX) += selinux
273 subdir-$(CONFIG_SECURITY_SMACK) += smack
274 subdir-$(CONFIG_SECURITY_TOMOYO) += tomoyo
275 +subdir-$(CONFIG_SECURITY_APPARMOR) += apparmor
277 # always enable default capabilities
279 @@ -19,6 +20,7 @@ obj-$(CONFIG_SECURITY_SELINUX) += selinux/built-in.o
280 obj-$(CONFIG_SECURITY_SMACK) += smack/built-in.o
281 obj-$(CONFIG_AUDIT) += lsm_audit.o
282 obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/built-in.o
283 +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/built-in.o
284 obj-$(CONFIG_CGROUP_DEVICE) += device_cgroup.o
286 # Object integrity file lists
287 diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
289 index 0000000..0a0a99f
291 +++ b/security/apparmor/.gitignore
294 +# Generated include files
298 diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig
300 index 0000000..fdf3022
302 +++ b/security/apparmor/Kconfig
304 +config SECURITY_APPARMOR
305 + bool "AppArmor support"
306 + depends on SECURITY
308 + select SECURITY_PATH
310 + select SECURITY_NETWORK
313 + This enables the AppArmor security module.
314 + Required userspace tools (if they are not included in your
315 + distribution) and further information may be found at
316 + http://apparmor.wiki.kernel.org
318 + If you are unsure how to answer this question, answer N.
320 +config SECURITY_APPARMOR_BOOTPARAM_VALUE
321 + int "AppArmor boot parameter default value"
322 + depends on SECURITY_APPARMOR
326 + This option sets the default value for the kernel parameter
327 + 'apparmor', which allows AppArmor to be enabled or disabled
328 + at boot. If this option is set to 0 (zero), the AppArmor
329 + kernel parameter will default to 0, disabling AppArmor at
330 + boot. If this option is set to 1 (one), the AppArmor
331 + kernel parameter will default to 1, enabling AppArmor at
334 + If you are unsure how to answer this question, answer 1.
336 +config SECURITY_APPARMOR_COMPAT_24
337 + bool "Enable AppArmor 2.4 compatability"
338 + depends on SECURITY_APPARMOR
341 + This option enables compatability with AppArmor 2.4. It is
342 + recommended if compatability with older versions of AppArmor
344 diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
346 index 0000000..e5e8968
348 +++ b/security/apparmor/Makefile
350 +# Makefile for AppArmor Linux Security Module
352 +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
354 +apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
355 + path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
356 + resource.o sid.o file.o net.o
358 +apparmor-$(CONFIG_SECURITY_APPARMOR_COMPAT_24) += apparmorfs-24.o
360 +clean-files: capability_names.h af_names.h
362 +quiet_cmd_make-caps = GEN $@
363 +cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
365 +quiet_cmd_make-af = GEN $@
366 +cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
368 +quiet_cmd_make-rlim = GEN $@
369 +cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@
371 +$(obj)/capability.o : $(obj)/capability_names.h
372 +$(obj)/net.o : $(obj)/af_names.h
373 +$(obj)/resource.o : $(obj)/rlim_names.h
374 +$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
375 + $(call cmd,make-caps)
376 +$(obj)/af_names.h : $(srctree)/include/linux/socket.h
377 + $(call cmd,make-af)
378 +$(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h
379 + $(call cmd,make-rlim)
380 diff --git a/security/apparmor/apparmorfs-24.c b/security/apparmor/apparmorfs-24.c
382 index 0000000..dc8c744
384 +++ b/security/apparmor/apparmorfs-24.c
387 + * AppArmor security module
389 + * This file contains AppArmor /sys/kernel/secrutiy/apparmor interface functions
391 + * Copyright (C) 1998-2008 Novell/SUSE
392 + * Copyright 2009-2010 Canonical Ltd.
394 + * This program is free software; you can redistribute it and/or
395 + * modify it under the terms of the GNU General Public License as
396 + * published by the Free Software Foundation, version 2 of the
400 + * This file contain functions providing an interface for <= AppArmor 2.4
401 + * compatibility. It is dependent on CONFIG_SECURITY_APPARMOR_COMPAT_24
402 + * being set (see Makefile).
405 +#include <linux/security.h>
406 +#include <linux/vmalloc.h>
407 +#include <linux/module.h>
408 +#include <linux/seq_file.h>
409 +#include <linux/uaccess.h>
410 +#include <linux/namei.h>
412 +#include "include/apparmor.h"
413 +#include "include/audit.h"
414 +#include "include/context.h"
415 +#include "include/policy.h"
418 +/* apparmor/matching */
419 +static ssize_t aa_matching_read(struct file *file, char __user *buf,
420 + size_t size, loff_t *ppos)
422 + const char matching[] = "pattern=aadfa audit perms=crwxamlk/ "
425 + return simple_read_from_buffer(buf, size, ppos, matching,
426 + sizeof(matching) - 1);
429 +const struct file_operations aa_fs_matching_fops = {
430 + .read = aa_matching_read,
433 +/* apparmor/features */
434 +static ssize_t aa_features_read(struct file *file, char __user *buf,
435 + size_t size, loff_t *ppos)
437 + const char features[] = "file=3.1 capability=2.0 network=1.0 "
438 + "change_hat=1.5 change_profile=1.1 " "aanamespaces=1.1 rlimit=1.1";
440 + return simple_read_from_buffer(buf, size, ppos, features,
441 + sizeof(features) - 1);
444 +const struct file_operations aa_fs_features_fops = {
445 + .read = aa_features_read,
449 + * __next_namespace - find the next namespace to list
450 + * @root: root namespace to stop search at (NOT NULL)
451 + * @ns: current ns position (NOT NULL)
453 + * Find the next namespace from @ns under @root and handle all locking needed
454 + * while switching current namespace.
456 + * Returns: next namespace or NULL if at last namespace under @root
457 + * NOTE: will not unlock root->lock
459 +static struct aa_namespace *__next_namespace(struct aa_namespace *root,
460 + struct aa_namespace *ns)
462 + struct aa_namespace *parent;
464 + /* is next namespace a child */
465 + if (!list_empty(&ns->sub_ns)) {
466 + struct aa_namespace *next;
467 + next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
468 + read_lock(&next->lock);
472 + /* check if the next ns is a sibling, parent, gp, .. */
473 + parent = ns->parent;
475 + read_unlock(&ns->lock);
476 + list_for_each_entry_continue(ns, &parent->sub_ns, base.list) {
477 + read_lock(&ns->lock);
480 + if (parent == root)
483 + parent = parent->parent;
490 + * __first_profile - find the first profile in a namespace
491 + * @root: namespace that is root of profiles being displayed (NOT NULL)
492 + * @ns: namespace to start in (NOT NULL)
494 + * Returns: unrefcounted profile or NULL if no profile
496 +static struct aa_profile *__first_profile(struct aa_namespace *root,
497 + struct aa_namespace *ns)
499 + for ( ; ns; ns = __next_namespace(root, ns)) {
500 + if (!list_empty(&ns->base.profiles))
501 + return list_first_entry(&ns->base.profiles,
502 + struct aa_profile, base.list);
508 + * __next_profile - step to the next profile in a profile tree
509 + * @profile: current profile in tree (NOT NULL)
511 + * Perform a depth first taversal on the profile tree in a namespace
513 + * Returns: next profile or NULL if done
514 + * Requires: profile->ns.lock to be held
516 +static struct aa_profile *__next_profile(struct aa_profile *p)
518 + struct aa_profile *parent;
519 + struct aa_namespace *ns = p->ns;
521 + /* is next profile a child */
522 + if (!list_empty(&p->base.profiles))
523 + return list_first_entry(&p->base.profiles, typeof(*p),
526 + /* is next profile a sibling, parent sibling, gp, subling, .. */
527 + parent = p->parent;
529 + list_for_each_entry_continue(p, &parent->base.profiles,
533 + parent = parent->parent;
536 + /* is next another profile in the namespace */
537 + list_for_each_entry_continue(p, &ns->base.profiles, base.list)
544 + * next_profile - step to the next profile in where ever it may be
545 + * @root: root namespace (NOT NULL)
546 + * @profile: current profile (NOT NULL)
548 + * Returns: next profile or NULL if there isn't one
550 +static struct aa_profile *next_profile(struct aa_namespace *root,
551 + struct aa_profile *profile)
553 + struct aa_profile *next = __next_profile(profile);
557 + /* finished all profiles in namespace move to next namespace */
558 + return __first_profile(root, __next_namespace(root, profile->ns));
562 + * p_start - start a depth first traversal of profile tree
563 + * @f: seq_file to fill
564 + * @pos: current position
566 + * Returns: first profile under current namespace or NULL if none found
568 + * acquires first ns->lock
570 +static void *p_start(struct seq_file *f, loff_t *pos)
571 + __acquires(root->lock)
573 + struct aa_profile *profile = NULL;
574 + struct aa_namespace *root = aa_current_profile()->ns;
576 + f->private = aa_get_namespace(root);
579 + /* find the first profile */
580 + read_lock(&root->lock);
581 + profile = __first_profile(root, root);
583 + /* skip to position */
584 + for (; profile && l > 0; l--)
585 + profile = next_profile(root, profile);
591 + * p_next - read the next profile entry
592 + * @f: seq_file to fill
593 + * @p: profile previously returned
594 + * @pos: current position
596 + * Returns: next profile after @p or NULL if none
598 + * may acquire/release locks in namespace tree as necessary
600 +static void *p_next(struct seq_file *f, void *p, loff_t *pos)
602 + struct aa_profile *profile = p;
603 + struct aa_namespace *root = f->private;
606 + return next_profile(root, profile);
610 + * p_stop - stop depth first traversal
611 + * @f: seq_file we are filling
612 + * @p: the last profile writen
614 + * Release all locking done by p_start/p_next on namespace tree
616 +static void p_stop(struct seq_file *f, void *p)
617 + __releases(root->lock)
619 + struct aa_profile *profile = p;
620 + struct aa_namespace *root = f->private, *ns;
623 + for (ns = profile->ns; ns && ns != root; ns = ns->parent)
624 + read_unlock(&ns->lock);
626 + read_unlock(&root->lock);
627 + aa_put_namespace(root);
631 + * seq_show_profile - show a profile entry
632 + * @f: seq_file to file
633 + * @p: current position (profile) (NOT NULL)
635 + * Returns: error on failure
637 +static int seq_show_profile(struct seq_file *f, void *p)
639 + struct aa_profile *profile = (struct aa_profile *)p;
640 + struct aa_namespace *root = f->private;
642 + if (profile->ns != root)
643 + seq_printf(f, ":%s://", aa_ns_name(root, profile->ns));
644 + seq_printf(f, "%s (%s)\n", profile->base.hname,
645 + COMPLAIN_MODE(profile) ? "complain" : "enforce");
650 +static const struct seq_operations aa_fs_profiles_op = {
654 + .show = seq_show_profile,
657 +static int profiles_open(struct inode *inode, struct file *file)
659 + return seq_open(file, &aa_fs_profiles_op);
662 +static int profiles_release(struct inode *inode, struct file *file)
664 + return seq_release(inode, file);
667 +const struct file_operations aa_fs_profiles_fops = {
668 + .open = profiles_open,
670 + .llseek = seq_lseek,
671 + .release = profiles_release,
673 diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
675 index 0000000..0e27449
677 +++ b/security/apparmor/apparmorfs.c
680 + * AppArmor security module
682 + * This file contains AppArmor /sys/kernel/security/apparmor interface functions
684 + * Copyright (C) 1998-2008 Novell/SUSE
685 + * Copyright 2009-2010 Canonical Ltd.
687 + * This program is free software; you can redistribute it and/or
688 + * modify it under the terms of the GNU General Public License as
689 + * published by the Free Software Foundation, version 2 of the
693 +#include <linux/security.h>
694 +#include <linux/vmalloc.h>
695 +#include <linux/module.h>
696 +#include <linux/seq_file.h>
697 +#include <linux/uaccess.h>
698 +#include <linux/namei.h>
700 +#include "include/apparmor.h"
701 +#include "include/apparmorfs.h"
702 +#include "include/audit.h"
703 +#include "include/context.h"
704 +#include "include/policy.h"
707 + * aa_simple_write_to_buffer - common routine for getting policy from user
708 + * @op: operation doing the user buffer copy
709 + * @userbuf: user buffer to copy data from (NOT NULL)
710 + * @alloc_size: size of user buffer
711 + * @copy_size: size of data to copy from user buffer
712 + * @pos: position write is at in the file (NOT NULL)
714 + * Returns: kernel buffer containing copy of user buffer data or an
715 + * ERR_PTR on failure.
717 +static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
718 + size_t alloc_size, size_t copy_size,
724 + /* only writes from pos 0, that is complete writes */
725 + return ERR_PTR(-ESPIPE);
728 + * Don't allow profile load/replace/remove from profiles that don't
729 + * have CAP_MAC_ADMIN
731 + if (!aa_may_manage_policy(op))
732 + return ERR_PTR(-EACCES);
734 + /* freed by caller to simple_write_to_buffer */
735 + data = kvmalloc(alloc_size);
737 + return ERR_PTR(-ENOMEM);
739 + if (copy_from_user(data, userbuf, copy_size)) {
741 + return ERR_PTR(-EFAULT);
748 +/* .load file hook fn to load policy */
749 +static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
755 + data = aa_simple_write_to_buffer(OP_PROF_LOAD, buf, size, size, pos);
757 + error = PTR_ERR(data);
758 + if (!IS_ERR(data)) {
759 + error = aa_replace_profiles(data, size, PROF_ADD);
766 +static const struct file_operations aa_fs_profile_load = {
767 + .write = profile_load
770 +/* .replace file hook fn to load and/or replace policy */
771 +static ssize_t profile_replace(struct file *f, const char __user *buf,
772 + size_t size, loff_t *pos)
777 + data = aa_simple_write_to_buffer(OP_PROF_REPL, buf, size, size, pos);
778 + error = PTR_ERR(data);
779 + if (!IS_ERR(data)) {
780 + error = aa_replace_profiles(data, size, PROF_REPLACE);
787 +static const struct file_operations aa_fs_profile_replace = {
788 + .write = profile_replace
791 +/* .remove file hook fn to remove loaded policy */
792 +static ssize_t profile_remove(struct file *f, const char __user *buf,
793 + size_t size, loff_t *pos)
799 + * aa_remove_profile needs a null terminated string so 1 extra
800 + * byte is allocated and the copied data is null terminated.
802 + data = aa_simple_write_to_buffer(OP_PROF_RM, buf, size + 1, size, pos);
804 + error = PTR_ERR(data);
805 + if (!IS_ERR(data)) {
807 + error = aa_remove_profiles(data, size);
814 +static const struct file_operations aa_fs_profile_remove = {
815 + .write = profile_remove
818 +/** Base file system setup **/
820 +static struct dentry *aa_fs_dentry __initdata;
822 +static void __init aafs_remove(const char *name)
824 + struct dentry *dentry;
826 + dentry = lookup_one_len(name, aa_fs_dentry, strlen(name));
827 + if (!IS_ERR(dentry)) {
828 + securityfs_remove(dentry);
834 + * aafs_create - create an entry in the apparmor filesystem
835 + * @name: name of the entry (NOT NULL)
836 + * @mask: file permission mask of the file
837 + * @fops: file operations for the file (NOT NULL)
839 + * Used aafs_remove to remove entries created with this fn.
841 +static int __init aafs_create(const char *name, int mask,
842 + const struct file_operations *fops)
844 + struct dentry *dentry;
846 + dentry = securityfs_create_file(name, S_IFREG | mask, aa_fs_dentry,
849 + return IS_ERR(dentry) ? PTR_ERR(dentry) : 0;
853 + * aa_destroy_aafs - cleanup and free aafs
855 + * releases dentries allocated by aa_create_aafs
857 +void __init aa_destroy_aafs(void)
859 + if (aa_fs_dentry) {
860 + aafs_remove(".remove");
861 + aafs_remove(".replace");
862 + aafs_remove(".load");
863 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
864 + aafs_remove("profiles");
865 + aafs_remove("matching");
866 + aafs_remove("features");
868 + securityfs_remove(aa_fs_dentry);
869 + aa_fs_dentry = NULL;
874 + * aa_create_aafs - create the apparmor security filesystem
876 + * dentries created here are released by aa_destroy_aafs
878 + * Returns: error on failure
880 +int __init aa_create_aafs(void)
884 + if (!apparmor_initialized)
887 + if (aa_fs_dentry) {
888 + AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
892 + aa_fs_dentry = securityfs_create_dir("apparmor", NULL);
893 + if (IS_ERR(aa_fs_dentry)) {
894 + error = PTR_ERR(aa_fs_dentry);
895 + aa_fs_dentry = NULL;
898 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
899 + error = aafs_create("matching", 0444, &aa_fs_matching_fops);
902 + error = aafs_create("features", 0444, &aa_fs_features_fops);
906 + error = aafs_create("profiles", 0440, &aa_fs_profiles_fops);
909 + error = aafs_create(".load", 0640, &aa_fs_profile_load);
912 + error = aafs_create(".replace", 0640, &aa_fs_profile_replace);
915 + error = aafs_create(".remove", 0640, &aa_fs_profile_remove);
919 + /* TODO: add support for apparmorfs_null and apparmorfs_mnt */
921 + /* Report that AppArmor fs is enabled */
922 + aa_info_message("AppArmor Filesystem Enabled");
927 + AA_ERROR("Error creating AppArmor securityfs\n");
931 +fs_initcall(aa_create_aafs);
932 diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
934 index 0000000..96502b2
936 +++ b/security/apparmor/audit.c
939 + * AppArmor security module
941 + * This file contains AppArmor auditing functions
943 + * Copyright (C) 1998-2008 Novell/SUSE
944 + * Copyright 2009-2010 Canonical Ltd.
946 + * This program is free software; you can redistribute it and/or
947 + * modify it under the terms of the GNU General Public License as
948 + * published by the Free Software Foundation, version 2 of the
952 +#include <linux/audit.h>
953 +#include <linux/socket.h>
955 +#include "include/apparmor.h"
956 +#include "include/audit.h"
957 +#include "include/policy.h"
959 +const char *op_table[] = {
1008 + "profile_replace",
1013 +const char *audit_mode_names[] = {
1021 +static char *aa_audit_type[] = {
1032 + * Currently AppArmor auditing is fed straight into the audit framework.
1035 + * netlink interface for complain mode
1036 + * user auditing, - send user auditing to netlink interface
1037 + * system control of whether user audit messages go to system log
1041 + * audit_base - core AppArmor function.
1042 + * @ab: audit buffer to fill (NOT NULL)
1043 + * @ca: audit structure containing data to audit (NOT NULL)
1045 + * Record common AppArmor audit data from @sa
1047 +static void audit_pre(struct audit_buffer *ab, void *ca)
1049 + struct common_audit_data *sa = ca;
1050 + struct task_struct *tsk = sa->tsk ? sa->tsk : current;
1052 + if (aa_g_audit_header) {
1053 + audit_log_format(ab, "apparmor=");
1054 + audit_log_string(ab, aa_audit_type[sa->aad.type]);
1058 + audit_log_format(ab, " operation=");
1059 + audit_log_string(ab, op_table[sa->aad.op]);
1062 + if (sa->aad.info) {
1063 + audit_log_format(ab, " info=");
1064 + audit_log_string(ab, sa->aad.info);
1065 + if (sa->aad.error)
1066 + audit_log_format(ab, " error=%d", sa->aad.error);
1069 + if (sa->aad.profile) {
1070 + struct aa_profile *profile = sa->aad.profile;
1073 + pid = tsk->real_parent->pid;
1074 + rcu_read_unlock();
1075 + audit_log_format(ab, " parent=%d", pid);
1076 + if (profile->ns != root_ns) {
1077 + audit_log_format(ab, " namespace=");
1078 + audit_log_untrustedstring(ab, profile->ns->base.hname);
1080 + audit_log_format(ab, " profile=");
1081 + audit_log_untrustedstring(ab, profile->base.hname);
1084 + if (sa->aad.name) {
1085 + audit_log_format(ab, " name=");
1086 + audit_log_untrustedstring(ab, sa->aad.name);
1091 + * aa_audit_msg - Log a message to the audit subsystem
1092 + * @sa: audit event structure (NOT NULL)
1093 + * @cb: optional callback fn for type specific fields (MAYBE NULL)
1095 +void aa_audit_msg(int type, struct common_audit_data *sa,
1096 + void (*cb) (struct audit_buffer *, void *))
1098 + sa->aad.type = type;
1099 + sa->lsm_pre_audit = audit_pre;
1100 + sa->lsm_post_audit = cb;
1101 + common_lsm_audit(sa);
1105 + * aa_audit - Log a profile based audit event to the audit subsystem
1106 + * @type: audit type for the message
1107 + * @profile: profile to check against (NOT NULL)
1108 + * @gfp: allocation flags to use
1109 + * @sa: audit event (NOT NULL)
1110 + * @cb: optional callback fn for type specific fields (MAYBE NULL)
1112 + * Handle default message switching based off of audit mode flags
1114 + * Returns: error on failure
1116 +int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
1117 + struct common_audit_data *sa,
1118 + void (*cb) (struct audit_buffer *, void *))
1122 + if (type == AUDIT_APPARMOR_AUTO) {
1123 + if (likely(!sa->aad.error)) {
1124 + if (AUDIT_MODE(profile) != AUDIT_ALL)
1126 + type = AUDIT_APPARMOR_AUDIT;
1127 + } else if (COMPLAIN_MODE(profile))
1128 + type = AUDIT_APPARMOR_ALLOWED;
1130 + type = AUDIT_APPARMOR_DENIED;
1132 + if (AUDIT_MODE(profile) == AUDIT_QUIET ||
1133 + (type == AUDIT_APPARMOR_DENIED &&
1134 + AUDIT_MODE(profile) == AUDIT_QUIET))
1135 + return sa->aad.error;
1137 + if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
1138 + type = AUDIT_APPARMOR_KILL;
1140 + if (!unconfined(profile))
1141 + sa->aad.profile = profile;
1143 + aa_audit_msg(type, sa, cb);
1145 + if (sa->aad.type == AUDIT_APPARMOR_KILL)
1146 + (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current);
1148 + if (sa->aad.type == AUDIT_APPARMOR_ALLOWED)
1149 + return complain_error(sa->aad.error);
1151 + return sa->aad.error;
1153 diff --git a/security/apparmor/capability.c b/security/apparmor/capability.c
1154 new file mode 100644
1155 index 0000000..9982c48
1157 +++ b/security/apparmor/capability.c
1160 + * AppArmor security module
1162 + * This file contains AppArmor capability mediation functions
1164 + * Copyright (C) 1998-2008 Novell/SUSE
1165 + * Copyright 2009-2010 Canonical Ltd.
1167 + * This program is free software; you can redistribute it and/or
1168 + * modify it under the terms of the GNU General Public License as
1169 + * published by the Free Software Foundation, version 2 of the
1173 +#include <linux/capability.h>
1174 +#include <linux/errno.h>
1175 +#include <linux/gfp.h>
1177 +#include "include/apparmor.h"
1178 +#include "include/capability.h"
1179 +#include "include/context.h"
1180 +#include "include/policy.h"
1181 +#include "include/audit.h"
1184 + * Table of capability names: we generate it from capabilities.h.
1186 +#include "capability_names.h"
1188 +struct audit_cache {
1189 + struct aa_profile *profile;
1190 + kernel_cap_t caps;
1193 +static DEFINE_PER_CPU(struct audit_cache, audit_cache);
1196 + * audit_cb - call back for capability components of audit struct
1197 + * @ab - audit buffer (NOT NULL)
1198 + * @va - audit struct to audit data from (NOT NULL)
1200 +static void audit_cb(struct audit_buffer *ab, void *va)
1202 + struct common_audit_data *sa = va;
1203 + audit_log_format(ab, " capname=");
1204 + audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
1208 + * audit_caps - audit a capability
1209 + * @profile: profile confining task (NOT NULL)
1210 + * @task: task capability test was performed against (NOT NULL)
1211 + * @cap: capability tested
1212 + * @error: error code returned by test
1214 + * Do auditing of capability and handle, audit/complain/kill modes switching
1215 + * and duplicate message elimination.
1217 + * Returns: 0 or sa->error on success, error code on failure
1219 +static int audit_caps(struct aa_profile *profile, struct task_struct *task,
1220 + int cap, int error)
1222 + struct audit_cache *ent;
1223 + int type = AUDIT_APPARMOR_AUTO;
1224 + struct common_audit_data sa;
1225 + COMMON_AUDIT_DATA_INIT(&sa, CAP);
1228 + sa.aad.op = OP_CAPABLE;
1229 + sa.aad.error = error;
1231 + if (likely(!error)) {
1232 + /* test if auditing is being forced */
1233 + if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
1234 + !cap_raised(profile->caps.audit, cap)))
1236 + type = AUDIT_APPARMOR_AUDIT;
1237 + } else if (KILL_MODE(profile) ||
1238 + cap_raised(profile->caps.kill, cap)) {
1239 + type = AUDIT_APPARMOR_KILL;
1240 + } else if (cap_raised(profile->caps.quiet, cap) &&
1241 + AUDIT_MODE(profile) != AUDIT_NOQUIET &&
1242 + AUDIT_MODE(profile) != AUDIT_ALL) {
1243 + /* quiet auditing */
1247 + /* Do simple duplicate message elimination */
1248 + ent = &get_cpu_var(audit_cache);
1249 + if (profile == ent->profile && cap_raised(ent->caps, cap)) {
1250 + put_cpu_var(audit_cache);
1251 + if (COMPLAIN_MODE(profile))
1252 + return complain_error(error);
1255 + aa_put_profile(ent->profile);
1256 + ent->profile = aa_get_profile(profile);
1257 + cap_raise(ent->caps, cap);
1259 + put_cpu_var(audit_cache);
1261 + return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
1265 + * profile_capable - test if profile allows use of capability @cap
1266 + * @profile: profile being enforced (NOT NULL, NOT unconfined)
1267 + * @cap: capability to test if allowed
1269 + * Returns: 0 if allowed else -EPERM
1271 +static int profile_capable(struct aa_profile *profile, int cap)
1273 + return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;
1277 + * aa_capable - test permission to use capability
1278 + * @task: task doing capability test against (NOT NULL)
1279 + * @profile: profile confining @task (NOT NULL)
1280 + * @cap: capability to be tested
1281 + * @audit: whether an audit record should be generated
1283 + * Look up capability in profile capability set.
1285 + * Returns: 0 on success, or else an error code.
1287 +int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
1290 + int error = profile_capable(profile, cap);
1293 + if (COMPLAIN_MODE(profile))
1294 + return complain_error(error);
1298 + return audit_caps(profile, task, cap, error);
1300 diff --git a/security/apparmor/context.c b/security/apparmor/context.c
1301 new file mode 100644
1302 index 0000000..8a9b502
1304 +++ b/security/apparmor/context.c
1307 + * AppArmor security module
1309 + * This file contains AppArmor functions used to manipulate object security
1312 + * Copyright (C) 1998-2008 Novell/SUSE
1313 + * Copyright 2009-2010 Canonical Ltd.
1315 + * This program is free software; you can redistribute it and/or
1316 + * modify it under the terms of the GNU General Public License as
1317 + * published by the Free Software Foundation, version 2 of the
1321 + * AppArmor sets confinement on every task, via the the aa_task_cxt and
1322 + * the aa_task_cxt.profile, both of which are required and are not allowed
1323 + * to be NULL. The aa_task_cxt is not reference counted and is unique
1324 + * to each cred (which is reference count). The profile pointed to by
1325 + * the task_cxt is reference counted.
1328 + * If a task uses change_hat it currently does not return to the old
1329 + * cred or task context but instead creates a new one. Ideally the task
1330 + * should return to the previous cred if it has not been modified.
1334 +#include "include/context.h"
1335 +#include "include/policy.h"
1338 + * aa_alloc_task_context - allocate a new task_cxt
1339 + * @flags: gfp flags for allocation
1341 + * Returns: allocated buffer or NULL on failure
1343 +struct aa_task_cxt *aa_alloc_task_context(gfp_t flags)
1345 + return kzalloc(sizeof(struct aa_task_cxt), flags);
1349 + * aa_free_task_context - free a task_cxt
1350 + * @cxt: task_cxt to free (MAYBE NULL)
1352 +void aa_free_task_context(struct aa_task_cxt *cxt)
1355 + aa_put_profile(cxt->profile);
1356 + aa_put_profile(cxt->previous);
1357 + aa_put_profile(cxt->onexec);
1364 + * aa_dup_task_context - duplicate a task context, incrementing reference counts
1365 + * @new: a blank task context (NOT NULL)
1366 + * @old: the task context to copy (NOT NULL)
1368 +void aa_dup_task_context(struct aa_task_cxt *new, const struct aa_task_cxt *old)
1371 + aa_get_profile(new->profile);
1372 + aa_get_profile(new->previous);
1373 + aa_get_profile(new->onexec);
1377 + * aa_replace_current_profile - replace the current tasks profiles
1378 + * @profile: new profile (NOT NULL)
1380 + * Returns: 0 or error on failure
1382 +int aa_replace_current_profile(struct aa_profile *profile)
1384 + struct aa_task_cxt *cxt = current_cred()->security;
1388 + if (cxt->profile == profile)
1391 + new = prepare_creds();
1395 + cxt = new->security;
1396 + if (unconfined(profile) || (cxt->profile->ns != profile->ns)) {
1397 + /* if switching to unconfined or a different profile namespace
1398 + * clear out context state
1400 + aa_put_profile(cxt->previous);
1401 + aa_put_profile(cxt->onexec);
1402 + cxt->previous = NULL;
1403 + cxt->onexec = NULL;
1406 + /* be careful switching cxt->profile, when racing replacement it
1407 + * is possible that cxt->profile->replacedby is the reference keeping
1408 + * @profile valid, so make sure to get its reference before dropping
1409 + * the reference on cxt->profile */
1410 + aa_get_profile(profile);
1411 + aa_put_profile(cxt->profile);
1412 + cxt->profile = profile;
1414 + commit_creds(new);
1419 + * aa_set_current_onexec - set the tasks change_profile to happen onexec
1420 + * @profile: system profile to set at exec (MAYBE NULL to clear value)
1422 + * Returns: 0 or error on failure
1424 +int aa_set_current_onexec(struct aa_profile *profile)
1426 + struct aa_task_cxt *cxt;
1427 + struct cred *new = prepare_creds();
1431 + cxt = new->security;
1432 + aa_get_profile(profile);
1433 + aa_put_profile(cxt->onexec);
1434 + cxt->onexec = profile;
1436 + commit_creds(new);
1441 + * aa_set_current_hat - set the current tasks hat
1442 + * @profile: profile to set as the current hat (NOT NULL)
1443 + * @token: token value that must be specified to change from the hat
1445 + * Do switch of tasks hat. If the task is currently in a hat
1446 + * validate the token to match.
1448 + * Returns: 0 or error on failure
1450 +int aa_set_current_hat(struct aa_profile *profile, u64 token)
1452 + struct aa_task_cxt *cxt;
1453 + struct cred *new = prepare_creds();
1458 + cxt = new->security;
1459 + if (!cxt->previous) {
1460 + /* transfer refcount */
1461 + cxt->previous = cxt->profile;
1462 + cxt->token = token;
1463 + } else if (cxt->token == token) {
1464 + aa_put_profile(cxt->profile);
1466 + /* previous_profile && cxt->token != token */
1470 + cxt->profile = aa_get_profile(aa_newest_version(profile));
1471 + /* clear exec on switching context */
1472 + aa_put_profile(cxt->onexec);
1473 + cxt->onexec = NULL;
1475 + commit_creds(new);
1480 + * aa_restore_previous_profile - exit from hat context restoring the profile
1481 + * @token: the token that must be matched to exit hat context
1483 + * Attempt to return out of a hat to the previous profile. The token
1484 + * must match the stored token value.
1486 + * Returns: 0 or error of failure
1488 +int aa_restore_previous_profile(u64 token)
1490 + struct aa_task_cxt *cxt;
1491 + struct cred *new = prepare_creds();
1495 + cxt = new->security;
1496 + if (cxt->token != token) {
1500 + /* ignore restores when there is no saved profile */
1501 + if (!cxt->previous) {
1506 + aa_put_profile(cxt->profile);
1507 + cxt->profile = aa_newest_version(cxt->previous);
1508 + BUG_ON(!cxt->profile);
1509 + if (unlikely(cxt->profile != cxt->previous)) {
1510 + aa_get_profile(cxt->profile);
1511 + aa_put_profile(cxt->previous);
1513 + /* clear exec && prev information when restoring to previous context */
1514 + cxt->previous = NULL;
1516 + aa_put_profile(cxt->onexec);
1517 + cxt->onexec = NULL;
1519 + commit_creds(new);
1522 diff --git a/security/apparmor/domain.c b/security/apparmor/domain.c
1523 new file mode 100644
1524 index 0000000..08bbe63
1526 +++ b/security/apparmor/domain.c
1529 + * AppArmor security module
1531 + * This file contains AppArmor policy attachment and domain transitions
1533 + * Copyright (C) 2002-2008 Novell/SUSE
1534 + * Copyright 2009-2010 Canonical Ltd.
1536 + * This program is free software; you can redistribute it and/or
1537 + * modify it under the terms of the GNU General Public License as
1538 + * published by the Free Software Foundation, version 2 of the
1542 +#include <linux/errno.h>
1543 +#include <linux/fdtable.h>
1544 +#include <linux/file.h>
1545 +#include <linux/mount.h>
1546 +#include <linux/syscalls.h>
1547 +#include <linux/tracehook.h>
1548 +#include <linux/personality.h>
1550 +#include "include/audit.h"
1551 +#include "include/apparmorfs.h"
1552 +#include "include/context.h"
1553 +#include "include/domain.h"
1554 +#include "include/file.h"
1555 +#include "include/ipc.h"
1556 +#include "include/match.h"
1557 +#include "include/path.h"
1558 +#include "include/policy.h"
1561 + * aa_free_domain_entries - free entries in a domain table
1562 + * @domain: the domain table to free (MAYBE NULL)
1564 +void aa_free_domain_entries(struct aa_domain *domain)
1568 + if (!domain->table)
1571 + for (i = 0; i < domain->size; i++)
1572 + kzfree(domain->table[i]);
1573 + kzfree(domain->table);
1574 + domain->table = NULL;
1579 + * may_change_ptraced_domain - check if can change profile on ptraced task
1580 + * @task: task we want to change profile of (NOT NULL)
1581 + * @to_profile: profile to change to (NOT NULL)
1583 + * Check if the task is ptraced and if so if the tracing task is allowed
1584 + * to trace the new domain
1586 + * Returns: %0 or error if change not allowed
1588 +static int may_change_ptraced_domain(struct task_struct *task,
1589 + struct aa_profile *to_profile)
1591 + struct task_struct *tracer;
1592 + struct cred *cred = NULL;
1593 + struct aa_profile *tracerp = NULL;
1597 + tracer = tracehook_tracer_task(task);
1599 + /* released below */
1600 + cred = get_task_cred(tracer);
1601 + tracerp = aa_cred_profile(cred);
1603 + rcu_read_unlock();
1606 + if (!tracer || unconfined(tracerp))
1609 + error = aa_may_ptrace(tracer, tracerp, to_profile, PTRACE_MODE_ATTACH);
1619 + * change_profile_perms - find permissions for change_profile
1620 + * @profile: the current profile (NOT NULL)
1621 + * @ns: the namespace being switched to (NOT NULL)
1622 + * @name: the name of the profile to change to (NOT NULL)
1623 + * @request: requested perms
1624 + * @start: state to start matching in
1626 + * Returns: permission set
1628 +static struct file_perms change_profile_perms(struct aa_profile *profile,
1629 + struct aa_namespace *ns,
1630 + const char *name, u32 request,
1631 + unsigned int start)
1633 + struct file_perms perms;
1634 + struct path_cond cond = { };
1635 + unsigned int state;
1637 + if (unconfined(profile)) {
1638 + perms.allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC;
1639 + perms.audit = perms.quiet = perms.kill = 0;
1641 + } else if (!profile->file.dfa) {
1643 + } else if ((ns == profile->ns)) {
1644 + /* try matching against rules with out namespace prepended */
1645 + aa_str_perms(profile->file.dfa, start, name, &cond, &perms);
1646 + if (COMBINED_PERM_MASK(perms) & request)
1650 + /* try matching with namespace name and then profile */
1651 + state = aa_dfa_match(profile->file.dfa, start, ns->base.name);
1652 + state = aa_dfa_match_len(profile->file.dfa, state, ":", 1);
1653 + aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
1659 + * __attach_match_ - find an attachment match
1660 + * @name - to match against (NOT NULL)
1661 + * @head - profile list to walk (NOT NULL)
1663 + * Do a linear search on the profiles in the list. There is a matching
1664 + * preference where an exact match is preferred over a name which uses
1665 + * expressions to match, and matching expressions with the greatest
1666 + * xmatch_len are preferred.
1668 + * Requires: @head not be shared or have appropriate locks held
1670 + * Returns: profile or NULL if no match found
1672 +static struct aa_profile *__attach_match(const char *name,
1673 + struct list_head *head)
1676 + struct aa_profile *profile, *candidate = NULL;
1678 + list_for_each_entry(profile, head, base.list) {
1679 + if (profile->flags & PFLAG_NULL)
1681 + if (profile->xmatch && profile->xmatch_len > len) {
1682 + unsigned int state = aa_dfa_match(profile->xmatch,
1684 + u32 perm = dfa_user_allow(profile->xmatch, state);
1685 + /* any accepting state means a valid match. */
1686 + if (perm & MAY_EXEC) {
1687 + candidate = profile;
1688 + len = profile->xmatch_len;
1690 + } else if (!strcmp(profile->base.name, name))
1691 + /* exact non-re match, no more searching required */
1699 + * find_attach - do attachment search for unconfined processes
1700 + * @ns: the current namespace (NOT NULL)
1701 + * @list: list to search (NOT NULL)
1702 + * @name: the executable name to match against (NOT NULL)
1704 + * Returns: profile or NULL if no match found
1706 +static struct aa_profile *find_attach(struct aa_namespace *ns,
1707 + struct list_head *list, const char *name)
1709 + struct aa_profile *profile;
1711 + read_lock(&ns->lock);
1712 + profile = aa_get_profile(__attach_match(name, list));
1713 + read_unlock(&ns->lock);
1719 + * separate_fqname - separate the namespace and profile names
1720 + * @fqname: the fqname name to split (NOT NULL)
1721 + * @ns_name: the namespace name if it exists (NOT NULL)
1723 + * This is the xtable equivalent routine of aa_split_fqname. It finds the
1724 + * split in an xtable fqname which contains an embedded \0 instead of a :
1725 + * if a namespace is specified. This is done so the xtable is constant and
1726 + * isn't re-split on every lookup.
1728 + * Either the profile or namespace name may be optional but if the namespace
1729 + * is specified the profile name termination must be present. This results
1730 + * in the following possible encodings:
1732 + * :ns_name\0profile_name\0
1735 + * NOTE: the xtable fqname is pre-validated at load time in unpack_trans_table
1737 + * Returns: profile name if it is specified else NULL
1739 +static const char *separate_fqname(const char *fqname, const char **ns_name)
1743 + if (fqname[0] == ':') {
1744 + /* In this case there is guaranteed to be two \0 terminators
1745 + * in the string. They are verified at load time by
1746 + * by unpack_trans_table
1748 + *ns_name = fqname + 1; /* skip : */
1749 + name = *ns_name + strlen(*ns_name) + 1;
1760 +static const char *next_name(int xtype, const char *name)
1766 + * x_table_lookup - lookup an x transition name via transition table
1767 + * @profile: current profile (NOT NULL)
1768 + * @xindex: index into x transition table
1770 + * Returns: refcounted profile, or NULL on failure (MAYBE NULL)
1772 +static struct aa_profile *x_table_lookup(struct aa_profile *profile, u32 xindex)
1774 + struct aa_profile *new_profile = NULL;
1775 + struct aa_namespace *ns = profile->ns;
1776 + u32 xtype = xindex & AA_X_TYPE_MASK;
1777 + int index = xindex & AA_X_INDEX_MASK;
1780 + /* index is guaranteed to be in range, validated at load time */
1781 + for (name = profile->file.trans.table[index]; !new_profile && name;
1782 + name = next_name(xtype, name)) {
1783 + struct aa_namespace *new_ns;
1784 + const char *xname = NULL;
1787 + if (xindex & AA_X_CHILD) {
1788 + /* release by caller */
1789 + new_profile = aa_find_child(profile, name);
1791 + } else if (*name == ':') {
1792 + /* switching namespace */
1793 + const char *ns_name;
1794 + xname = name = separate_fqname(name, &ns_name);
1796 + /* no name so use profile name */
1797 + xname = profile->base.hname;
1798 + if (*ns_name == '@') {
1799 + /* TODO: variable support */
1802 + /* released below */
1803 + new_ns = aa_find_namespace(ns, ns_name);
1806 + } else if (*name == '@') {
1807 + /* TODO: variable support */
1810 + /* basic namespace lookup */
1814 + /* released by caller */
1815 + new_profile = aa_lookup_profile(new_ns ? new_ns : ns, xname);
1816 + aa_put_namespace(new_ns);
1819 + /* released by caller */
1820 + return new_profile;
1824 + * x_to_profile - get target profile for a given xindex
1825 + * @profile: current profile (NOT NULL)
1826 + * @name: name to lookup (NOT NULL)
1827 + * @xindex: index into x transition table
1829 + * find profile for a transition index
1831 + * Returns: refcounted profile or NULL if not found available
1833 +static struct aa_profile *x_to_profile(struct aa_profile *profile,
1834 + const char *name, u32 xindex)
1836 + struct aa_profile *new_profile = NULL;
1837 + struct aa_namespace *ns = profile->ns;
1838 + u32 xtype = xindex & AA_X_TYPE_MASK;
1842 + /* fail exec unless ix || ux fallback - handled by caller */
1845 + if (xindex & AA_X_CHILD)
1846 + /* released by caller */
1847 + new_profile = find_attach(ns, &profile->base.profiles,
1850 + /* released by caller */
1851 + new_profile = find_attach(ns, &ns->base.profiles,
1855 + /* released by caller */
1856 + new_profile = x_table_lookup(profile, xindex);
1860 + /* released by caller */
1861 + return new_profile;
1865 + * apparmor_bprm_set_creds - set the new creds on the bprm struct
1866 + * @bprm: binprm for the exec (NOT NULL)
1868 + * Returns: %0 or error on failure
1870 +int apparmor_bprm_set_creds(struct linux_binprm *bprm)
1872 + struct aa_task_cxt *cxt;
1873 + struct aa_profile *profile, *new_profile = NULL;
1874 + struct aa_namespace *ns;
1875 + char *buffer = NULL;
1876 + unsigned int state;
1877 + struct file_perms perms = {};
1878 + struct path_cond cond = {
1879 + bprm->file->f_path.dentry->d_inode->i_uid,
1880 + bprm->file->f_path.dentry->d_inode->i_mode
1882 + const char *name = NULL, *target = NULL, *info = NULL;
1883 + int error = cap_bprm_set_creds(bprm);
1887 + if (bprm->cred_prepared)
1890 + cxt = bprm->cred->security;
1893 + profile = aa_get_profile(aa_newest_version(cxt->profile));
1895 + * get the namespace from the replacement profile as replacement
1896 + * can change the namespace
1899 + state = profile->file.start;
1901 + /* buffer freed below, name is pointer into buffer */
1902 + error = aa_get_name(&bprm->file->f_path, profile->path_flags, &buffer,
1905 + if (profile->flags &
1906 + (PFLAG_IX_ON_NAME_ERROR | PFLAG_UNCONFINED))
1908 + info = "Exec failed name resolution";
1909 + name = bprm->filename;
1913 + /* Test for onexec first as onexec directives override other
1916 + if (unconfined(profile)) {
1917 + /* unconfined task */
1919 + /* change_profile on exec already been granted */
1920 + new_profile = aa_get_profile(cxt->onexec);
1922 + new_profile = find_attach(ns, &ns->base.profiles, name);
1928 + /* find exec permissions for name */
1929 + state = aa_str_perms(profile->file.dfa, state, name, &cond, &perms);
1930 + if (cxt->onexec) {
1931 + struct file_perms cp;
1932 + info = "change_profile onexec";
1933 + if (!(perms.allow & AA_MAY_ONEXEC))
1936 + /* test if this exec can be paired with change_profile onexec.
1937 + * onexec permission is linked to exec with a standard pairing
1938 + * exec\0change_profile
1940 + state = aa_dfa_null_transition(profile->file.dfa, state);
1941 + cp = change_profile_perms(profile, cxt->onexec->ns, name,
1942 + AA_MAY_ONEXEC, state);
1944 + if (!(cp.allow & AA_MAY_ONEXEC))
1946 + new_profile = aa_get_profile(aa_newest_version(cxt->onexec));
1950 + if (perms.allow & MAY_EXEC) {
1951 + /* exec permission determine how to transition */
1952 + new_profile = x_to_profile(profile, name, perms.xindex);
1953 + if (!new_profile) {
1954 + if (perms.xindex & AA_X_INHERIT) {
1955 + /* (p|c|n)ix - don't change profile but do
1956 + * use the newest version, which was picked
1957 + * up above when getting profile
1959 + info = "ix fallback";
1960 + new_profile = aa_get_profile(profile);
1962 + } else if (perms.xindex & AA_X_UNCONFINED) {
1963 + new_profile = aa_get_profile(ns->unconfined);
1964 + info = "ux fallback";
1967 + info = "profile not found";
1970 + } else if (COMPLAIN_MODE(profile)) {
1971 + /* no exec permission - are we in learning mode */
1972 + new_profile = aa_new_null_profile(profile, 0);
1973 + if (!new_profile) {
1975 + info = "could not create null profile";
1978 + target = new_profile->base.hname;
1980 + perms.xindex |= AA_X_UNSAFE;
1988 + if (bprm->unsafe & LSM_UNSAFE_SHARE) {
1989 + /* FIXME: currently don't mediate shared state */
1993 + if (bprm->unsafe & (LSM_UNSAFE_PTRACE | LSM_UNSAFE_PTRACE_CAP)) {
1994 + error = may_change_ptraced_domain(current, new_profile);
1996 + aa_put_profile(new_profile);
2001 + /* Determine if secure exec is needed.
2002 + * Can be at this point for the following reasons:
2003 + * 1. unconfined switching to confined
2004 + * 2. confined switching to different confinement
2005 + * 3. confined switching to unconfined
2007 + * Cases 2 and 3 are marked as requiring secure exec
2008 + * (unless policy specified "unsafe exec")
2010 + * bprm->unsafe is used to cache the AA_X_UNSAFE permission
2011 + * to avoid having to recompute in secureexec
2013 + if (!(perms.xindex & AA_X_UNSAFE)) {
2014 + AA_DEBUG("scrubbing environment variables for %s profile=%s\n",
2015 + name, new_profile->base.hname);
2016 + bprm->unsafe |= AA_SECURE_X_NEEDED;
2019 + target = new_profile->base.hname;
2020 + /* when transitioning profiles clear unsafe personality bits */
2021 + bprm->per_clear |= PER_CLEAR_ON_SETID;
2024 + aa_put_profile(cxt->profile);
2025 + /* transfer new profile reference will be released when cxt is freed */
2026 + cxt->profile = new_profile;
2028 + /* clear out all temporary/transitional state from the context */
2029 + aa_put_profile(cxt->previous);
2030 + aa_put_profile(cxt->onexec);
2031 + cxt->previous = NULL;
2032 + cxt->onexec = NULL;
2036 + error = aa_audit_file(profile, &perms, GFP_KERNEL, OP_EXEC, MAY_EXEC,
2037 + name, target, cond.uid, info, error);
2040 + aa_put_profile(profile);
2047 + * apparmor_bprm_secureexec - determine if secureexec is needed
2048 + * @bprm: binprm for exec (NOT NULL)
2050 + * Returns: %1 if secureexec is needed else %0
2052 +int apparmor_bprm_secureexec(struct linux_binprm *bprm)
2054 + int ret = cap_bprm_secureexec(bprm);
2056 + /* the decision to use secure exec is computed in set_creds
2057 + * and stored in bprm->unsafe.
2059 + if (!ret && (bprm->unsafe & AA_SECURE_X_NEEDED))
2066 + * apparmor_bprm_committing_creds - do task cleanup on committing new creds
2067 + * @bprm: binprm for the exec (NOT NULL)
2069 +void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
2071 + struct aa_profile *profile = __aa_current_profile();
2072 + struct aa_task_cxt *new_cxt = bprm->cred->security;
2074 + /* bail out if unconfined or not changing profile */
2075 + if ((new_cxt->profile == profile) ||
2076 + (unconfined(new_cxt->profile)))
2079 + current->pdeath_signal = 0;
2081 + /* reset soft limits and set hard limits for the new profile */
2082 + __aa_transition_rlimits(profile, new_cxt->profile);
2086 + * apparmor_bprm_commited_cred - do cleanup after new creds committed
2087 + * @bprm: binprm for the exec (NOT NULL)
2089 +void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
2091 + /* TODO: cleanup signals - ipc mediation */
2096 + * Functions for self directed profile change
2100 + * new_compound_name - create an hname with @n2 appended to @n1
2101 + * @n1: base of hname (NOT NULL)
2102 + * @n2: name to append (NOT NULL)
2104 + * Returns: new name or NULL on error
2106 +static char *new_compound_name(const char *n1, const char *n2)
2108 + char *name = kmalloc(strlen(n1) + strlen(n2) + 3, GFP_KERNEL);
2110 + sprintf(name, "%s//%s", n1, n2);
2115 + * aa_change_hat - change hat to/from subprofile
2116 + * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
2117 + * @count: number of hat names in @hats
2118 + * @token: magic value to validate the hat change
2119 + * @permtest: true if this is just a permission test
2121 + * Change to the first profile specified in @hats that exists, and store
2122 + * the @hat_magic in the current task context. If the count == 0 and the
2123 + * @token matches that stored in the current task context, return to the
2124 + * top level profile.
2126 + * Returns %0 on success, error otherwise.
2128 +int aa_change_hat(const char *hats[], int count, u64 token, bool permtest)
2130 + const struct cred *cred;
2131 + struct aa_task_cxt *cxt;
2132 + struct aa_profile *profile, *previous_profile, *hat = NULL;
2133 + char *name = NULL;
2135 + struct file_perms perms = {};
2136 + const char *target = NULL, *info = NULL;
2139 + /* released below */
2140 + cred = get_current_cred();
2141 + cxt = cred->security;
2142 + profile = aa_cred_profile(cred);
2143 + previous_profile = cxt->previous;
2145 + if (unconfined(profile)) {
2146 + info = "unconfined";
2152 + /* attempting to change into a new hat or switch to a sibling */
2153 + struct aa_profile *root;
2154 + root = PROFILE_IS_HAT(profile) ? profile->parent : profile;
2156 + /* find first matching hat */
2157 + for (i = 0; i < count && !hat; i++)
2158 + /* released below */
2159 + hat = aa_find_child(root, hats[i]);
2161 + if (!COMPLAIN_MODE(root) || permtest) {
2162 + if (list_empty(&root->base.profiles))
2170 + * In complain mode and failed to match any hats.
2171 + * Audit the failure is based off of the first hat
2172 + * supplied. This is done due how userspace
2173 + * interacts with change_hat.
2175 + * TODO: Add logging of all failed hats
2179 + name = new_compound_name(root->base.hname, hats[0]);
2181 + /* released below */
2182 + hat = aa_new_null_profile(profile, 1);
2184 + info = "failed null profile create";
2189 + target = hat->base.hname;
2190 + if (!PROFILE_IS_HAT(hat)) {
2191 + info = "target not hat";
2197 + error = may_change_ptraced_domain(current, hat);
2205 + error = aa_set_current_hat(hat, token);
2206 + if (error == -EACCES)
2207 + /* kill task in case of brute force attacks */
2208 + perms.kill = AA_MAY_CHANGEHAT;
2209 + else if (name && !error)
2210 + /* reset error for learning of new hats */
2213 + } else if (previous_profile) {
2214 + /* Return to saved profile. Kill task if restore fails
2215 + * to avoid brute force attacks
2217 + target = previous_profile->base.hname;
2218 + error = aa_restore_previous_profile(token);
2219 + perms.kill = AA_MAY_CHANGEHAT;
2221 + /* ignore restores when there is no saved profile */
2226 + error = aa_audit_file(profile, &perms, GFP_KERNEL,
2227 + OP_CHANGE_HAT, AA_MAY_CHANGEHAT, NULL,
2228 + target, 0, info, error);
2231 + aa_put_profile(hat);
2239 + * aa_change_profile - perform a one-way profile transition
2240 + * @ns_name: name of the profile namespace to change to (MAYBE NULL)
2241 + * @hname: name of profile to change to (MAYBE NULL)
2242 + * @onexec: whether this transition is to take place immediately or at exec
2243 + * @permtest: true if this is just a permission test
2245 + * Change to new profile @name. Unlike with hats, there is no way
2246 + * to change back. If @name isn't specified the current profile name is
2248 + * If @onexec then the transition is delayed until
2251 + * Returns %0 on success, error otherwise.
2253 +int aa_change_profile(const char *ns_name, const char *hname, bool onexec,
2256 + const struct cred *cred;
2257 + struct aa_task_cxt *cxt;
2258 + struct aa_profile *profile, *target = NULL;
2259 + struct aa_namespace *ns = NULL;
2260 + struct file_perms perms = {};
2261 + const char *name = NULL, *info = NULL;
2262 + int op, error = 0;
2265 + if (!hname && !ns_name)
2269 + request = AA_MAY_ONEXEC;
2270 + op = OP_CHANGE_ONEXEC;
2272 + request = AA_MAY_CHANGE_PROFILE;
2273 + op = OP_CHANGE_PROFILE;
2276 + cred = get_current_cred();
2277 + cxt = cred->security;
2278 + profile = aa_cred_profile(cred);
2281 + /* released below */
2282 + ns = aa_find_namespace(profile->ns, ns_name);
2284 + /* we don't create new namespace in complain mode */
2286 + info = "namespace not found";
2291 + /* released below */
2292 + ns = aa_get_namespace(profile->ns);
2294 + /* if the name was not specified, use the name of the current profile */
2296 + if (unconfined(profile))
2297 + hname = ns->unconfined->base.hname;
2299 + hname = profile->base.hname;
2302 + perms = change_profile_perms(profile, ns, hname, request,
2303 + profile->file.start);
2304 + if (!(perms.allow & request)) {
2309 + /* released below */
2310 + target = aa_lookup_profile(ns, hname);
2312 + info = "profile not found";
2314 + if (permtest || !COMPLAIN_MODE(profile))
2316 + /* released below */
2317 + target = aa_new_null_profile(profile, 0);
2319 + info = "failed null profile create";
2325 + /* check if tracing task is allowed to trace target domain */
2326 + error = may_change_ptraced_domain(current, target);
2328 + info = "ptrace prevents transition";
2336 + error = aa_set_current_onexec(target);
2338 + error = aa_replace_current_profile(target);
2342 + error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request,
2343 + name, hname, 0, info, error);
2345 + aa_put_namespace(ns);
2346 + aa_put_profile(target);
2351 diff --git a/security/apparmor/file.c b/security/apparmor/file.c
2352 new file mode 100644
2353 index 0000000..7312db7
2355 +++ b/security/apparmor/file.c
2358 + * AppArmor security module
2360 + * This file contains AppArmor mediation of files
2362 + * Copyright (C) 1998-2008 Novell/SUSE
2363 + * Copyright 2009-2010 Canonical Ltd.
2365 + * This program is free software; you can redistribute it and/or
2366 + * modify it under the terms of the GNU General Public License as
2367 + * published by the Free Software Foundation, version 2 of the
2371 +#include "include/apparmor.h"
2372 +#include "include/audit.h"
2373 +#include "include/file.h"
2374 +#include "include/match.h"
2375 +#include "include/path.h"
2376 +#include "include/policy.h"
2378 +struct file_perms nullperms;
2382 + * audit_file_mask - convert mask to permission string
2383 + * @buffer: buffer to write string to (NOT NULL)
2384 + * @mask: permission mask to convert
2386 +static void audit_file_mask(struct audit_buffer *ab, u32 mask)
2392 + if (mask & AA_EXEC_MMAP)
2394 + if (mask & (MAY_READ | AA_MAY_META_READ))
2396 + if (mask & (MAY_WRITE | AA_MAY_META_WRITE | AA_MAY_CHMOD |
2399 + else if (mask & MAY_APPEND)
2401 + if (mask & AA_MAY_CREATE)
2403 + if (mask & AA_MAY_DELETE)
2405 + if (mask & AA_MAY_LINK)
2407 + if (mask & AA_MAY_LOCK)
2409 + if (mask & MAY_EXEC)
2413 + audit_log_string(ab, str);
2417 + * file_audit_cb - call back for file specific audit fields
2418 + * @ab: audit_buffer (NOT NULL)
2419 + * @va: audit struct to audit values of (NOT NULL)
2421 +static void file_audit_cb(struct audit_buffer *ab, void *va)
2423 + struct common_audit_data *sa = va;
2424 + uid_t fsuid = current_fsuid();
2426 + if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) {
2427 + audit_log_format(ab, " requested_mask=");
2428 + audit_file_mask(ab, sa->aad.fs.request);
2430 + if (sa->aad.fs.denied & AA_AUDIT_FILE_MASK) {
2431 + audit_log_format(ab, " denied_mask=");
2432 + audit_file_mask(ab, sa->aad.fs.denied);
2434 + if (sa->aad.fs.request & AA_AUDIT_FILE_MASK) {
2435 + audit_log_format(ab, " fsuid=%d", fsuid);
2436 + audit_log_format(ab, " ouid=%d", sa->aad.fs.ouid);
2439 + if (sa->aad.fs.target) {
2440 + audit_log_format(ab, " target=");
2441 + audit_log_untrustedstring(ab, sa->aad.fs.target);
2446 + * aa_audit_file - handle the auditing of file operations
2447 + * @profile: the profile being enforced (NOT NULL)
2448 + * @perms: the permissions computed for the request (NOT NULL)
2449 + * @gfp: allocation flags
2450 + * @op: operation being mediated
2451 + * @request: permissions requested
2452 + * @name: name of object being mediated (MAYBE NULL)
2453 + * @target: name of target (MAYBE NULL)
2454 + * @ouid: object uid
2455 + * @info: extra information message (MAYBE NULL)
2456 + * @error: 0 if operation allowed else failure error code
2458 + * Returns: %0 or error on failure
2460 +int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
2461 + gfp_t gfp, int op, u32 request, const char *name,
2462 + const char *target, uid_t ouid, const char *info, int error)
2464 + int type = AUDIT_APPARMOR_AUTO;
2465 + struct common_audit_data sa;
2466 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
2468 + sa.aad.fs.request = request;
2469 + sa.aad.name = name;
2470 + sa.aad.fs.target = target;
2471 + sa.aad.fs.ouid = ouid;
2472 + sa.aad.info = info;
2473 + sa.aad.error = error;
2475 + if (likely(!sa.aad.error)) {
2476 + u32 mask = perms->audit;
2478 + if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
2481 + /* mask off perms that are not being force audited */
2482 + sa.aad.fs.request &= mask;
2484 + if (likely(!sa.aad.fs.request))
2486 + type = AUDIT_APPARMOR_AUDIT;
2488 + /* only report permissions that were denied */
2489 + sa.aad.fs.request = sa.aad.fs.request & ~perms->allow;
2491 + if (sa.aad.fs.request & perms->kill)
2492 + type = AUDIT_APPARMOR_KILL;
2494 + /* quiet known rejects, assumes quiet and kill do not overlap */
2495 + if ((sa.aad.fs.request & perms->quiet) &&
2496 + AUDIT_MODE(profile) != AUDIT_NOQUIET &&
2497 + AUDIT_MODE(profile) != AUDIT_ALL)
2498 + sa.aad.fs.request &= ~perms->quiet;
2500 + if (!sa.aad.fs.request)
2501 + return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
2504 + sa.aad.fs.denied = sa.aad.fs.request & ~perms->allow;
2505 + return aa_audit(type, profile, gfp, &sa, file_audit_cb);
2509 + * map_old_perms - map old file perms layout to the new layout
2510 + * @old: permission set in old mapping
2512 + * Returns: new permission mapping
2514 +static u32 map_old_perms(u32 old)
2516 + u32 new = old & 0xf;
2517 + if (old & MAY_READ)
2518 + new |= AA_MAY_META_READ;
2519 + if (old & MAY_WRITE)
2520 + new |= AA_MAY_META_WRITE | AA_MAY_CREATE | AA_MAY_DELETE |
2521 + AA_MAY_CHMOD | AA_MAY_CHOWN;
2523 + new |= AA_MAY_LINK;
2524 + /* the old mapping lock and link_subset flags where overlaid
2525 + * and use was determined by part of a pair that they were in
2528 + new |= AA_MAY_LOCK | AA_LINK_SUBSET;
2529 + if (old & 0x40) /* AA_EXEC_MMAP */
2530 + new |= AA_EXEC_MMAP;
2532 + new |= AA_MAY_META_READ;
2538 + * compute_perms - convert dfa compressed perms to internal perms
2539 + * @dfa: dfa to compute perms for (NOT NULL)
2540 + * @state: state in dfa
2541 + * @cond: conditions to consider (NOT NULL)
2543 + * TODO: convert from dfa + state to permission entry, do computation conversion
2546 + * Returns: computed permission set
2548 +static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state,
2549 + struct path_cond *cond)
2551 + struct file_perms perms;
2553 + /* FIXME: change over to new dfa format
2554 + * currently file perms are encoded in the dfa, new format
2555 + * splits the permissions from the dfa. This mapping can be
2556 + * done at profile load
2560 + if (current_fsuid() == cond->uid) {
2561 + perms.allow = map_old_perms(dfa_user_allow(dfa, state));
2562 + perms.audit = map_old_perms(dfa_user_audit(dfa, state));
2563 + perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
2564 + perms.xindex = dfa_user_xindex(dfa, state);
2566 + perms.allow = map_old_perms(dfa_other_allow(dfa, state));
2567 + perms.audit = map_old_perms(dfa_other_audit(dfa, state));
2568 + perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
2569 + perms.xindex = dfa_other_xindex(dfa, state);
2572 + /* change_profile wasn't determined by ownership in old mapping */
2573 + if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
2574 + perms.allow |= AA_MAY_CHANGE_PROFILE;
2580 + * aa_str_perms - find permission that match @name
2581 + * @dfa: to match against (MAYBE NULL)
2582 + * @state: state to start matching in
2583 + * @name: string to match against dfa (NOT NULL)
2584 + * @cond: conditions to consider for permission set computation (NOT NULL)
2585 + * @perms: Returns - the permissions found when matching @name
2587 + * Returns: the final state in @dfa when beginning @start and walking @name
2589 +unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
2590 + const char *name, struct path_cond *cond,
2591 + struct file_perms *perms)
2593 + unsigned int state;
2595 + *perms = nullperms;
2596 + return DFA_NOMATCH;
2599 + state = aa_dfa_match(dfa, start, name);
2600 + *perms = compute_perms(dfa, state, cond);
2606 + * is_deleted - test if a file has been completely unlinked
2607 + * @dentry: dentry of file to test for deletion (NOT NULL)
2609 + * Returns: %1 if deleted else %0
2611 +static inline bool is_deleted(struct dentry *dentry)
2613 + if (d_unlinked(dentry) && dentry->d_inode->i_nlink == 0)
2619 + * aa_path_perm - do permissions check & audit for @path
2620 + * @op: operation being checked
2621 + * @profile: profile being enforced (NOT NULL)
2622 + * @path: path to check permissions of (NOT NULL)
2623 + * @flags: any additional path flags beyond what the profile specifies
2624 + * @request: requested permissions
2625 + * @cond: conditional info for this request (NOT NULL)
2627 + * Returns: %0 else error if access denied or other error
2629 +int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
2630 + int flags, u32 request, struct path_cond *cond)
2632 + char *buffer = NULL;
2633 + struct file_perms perms = {};
2634 + const char *name, *info = NULL;
2637 + flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0);
2638 + error = aa_get_name(path, flags, &buffer, &name);
2640 + if (error == -ENOENT && is_deleted(path->dentry)) {
2641 + /* Access to open files that are deleted are
2642 + * give a pass (implicit delegation)
2645 + perms.allow = request;
2646 + } else if (error == -ENOENT)
2647 + info = "Failed name lookup - deleted entry";
2648 + else if (error == -ESTALE)
2649 + info = "Failed name lookup - disconnected path";
2650 + else if (error == -ENAMETOOLONG)
2651 + info = "Failed name lookup - name too long";
2653 + info = "Failed name lookup";
2655 + aa_str_perms(profile->file.dfa, profile->file.start, name, cond,
2657 + if (request & ~perms.allow)
2660 + error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name,
2661 + NULL, cond->uid, info, error);
2668 + * xindex_is_subset - helper for aa_path_link
2669 + * @link: link permission set
2670 + * @target: target permission set
2672 + * test target x permissions are equal OR a subset of link x permissions
2673 + * this is done as part of the subset test, where a hardlink must have
2674 + * a subset of permissions that the target has.
2676 + * Returns: %1 if subset else %0
2678 +static inline bool xindex_is_subset(u32 link, u32 target)
2680 + if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) ||
2681 + ((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE)))
2688 + * aa_path_link - Handle hard link permission check
2689 + * @profile: the profile being enforced (NOT NULL)
2690 + * @old_dentry: the target dentry (NOT NULL)
2691 + * @new_dir: directory the new link will be created in (NOT NULL)
2692 + * @new_dentry: the link being created (NOT NULL)
2694 + * Handle the permission test for a link & target pair. Permission
2695 + * is encoded as a pair where the link permission is determined
2696 + * first, and if allowed, the target is tested. The target test
2697 + * is done from the point of the link match (not start of DFA)
2698 + * making the target permission dependent on the link permission match.
2700 + * The subset test if required forces that permissions granted
2701 + * on link are a subset of the permission granted to target.
2703 + * Returns: %0 if allowed else error
2705 +int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
2706 + struct path *new_dir, struct dentry *new_dentry)
2708 + struct path link = { new_dir->mnt, new_dentry };
2709 + struct path target = { new_dir->mnt, old_dentry };
2710 + struct path_cond cond = {
2711 + old_dentry->d_inode->i_uid,
2712 + old_dentry->d_inode->i_mode
2714 + char *buffer = NULL, *buffer2 = NULL;
2715 + const char *lname, *tname = NULL, *info = NULL;
2716 + struct file_perms lperms, perms;
2717 + u32 request = AA_MAY_LINK;
2718 + unsigned int state;
2721 + lperms = nullperms;
2723 + /* buffer freed below, lname is pointer in buffer */
2724 + error = aa_get_name(&link, profile->path_flags, &buffer, &lname);
2728 + /* buffer2 freed below, tname is pointer in buffer2 */
2729 + error = aa_get_name(&target, profile->path_flags, &buffer2, &tname);
2734 + /* aa_str_perms - handles the case of the dfa being NULL */
2735 + state = aa_str_perms(profile->file.dfa, profile->file.start, lname,
2738 + if (!(lperms.allow & AA_MAY_LINK))
2741 + /* test to see if target can be paired with link */
2742 + state = aa_dfa_null_transition(profile->file.dfa, state);
2743 + aa_str_perms(profile->file.dfa, state, tname, &cond, &perms);
2745 + /* force audit/quiet masks for link are stored in the second entry
2746 + * in the link pair.
2748 + lperms.audit = perms.audit;
2749 + lperms.quiet = perms.quiet;
2750 + lperms.kill = perms.kill;
2752 + if (!(perms.allow & AA_MAY_LINK)) {
2753 + info = "target restricted";
2757 + /* done if link subset test is not required */
2758 + if (!(perms.allow & AA_LINK_SUBSET))
2761 + /* Do link perm subset test requiring allowed permission on link are a
2762 + * subset of the allowed permissions on target.
2764 + aa_str_perms(profile->file.dfa, profile->file.start, tname, &cond,
2767 + /* AA_MAY_LINK is not considered in the subset test */
2768 + request = lperms.allow & ~AA_MAY_LINK;
2769 + lperms.allow &= perms.allow | AA_MAY_LINK;
2771 + request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
2772 + if (request & ~lperms.allow) {
2774 + } else if ((lperms.allow & MAY_EXEC) &&
2775 + !xindex_is_subset(lperms.xindex, perms.xindex)) {
2776 + lperms.allow &= ~MAY_EXEC;
2777 + request |= MAY_EXEC;
2778 + info = "link not subset of target";
2786 + error = aa_audit_file(profile, &lperms, GFP_KERNEL, OP_LINK, request,
2787 + lname, tname, cond.uid, info, error);
2795 + * aa_file_perm - do permission revalidation check & audit for @file
2796 + * @op: operation being checked
2797 + * @profile: profile being enforced (NOT NULL)
2798 + * @file: file to revalidate access permissions on (NOT NULL)
2799 + * @request: requested permissions
2801 + * Returns: %0 if access allowed else error
2803 +int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
2806 + struct path_cond cond = {
2807 + .uid = file->f_path.dentry->d_inode->i_uid,
2808 + .mode = file->f_path.dentry->d_inode->i_mode
2811 + return aa_path_perm(op, profile, &file->f_path, PATH_DELEGATE_DELETED,
2814 diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
2815 new file mode 100644
2816 index 0000000..38ccaea
2818 +++ b/security/apparmor/include/apparmor.h
2821 + * AppArmor security module
2823 + * This file contains AppArmor basic global and lib definitions
2825 + * Copyright (C) 1998-2008 Novell/SUSE
2826 + * Copyright 2009-2010 Canonical Ltd.
2828 + * This program is free software; you can redistribute it and/or
2829 + * modify it under the terms of the GNU General Public License as
2830 + * published by the Free Software Foundation, version 2 of the
2834 +#ifndef __APPARMOR_H
2835 +#define __APPARMOR_H
2837 +#include <linux/fs.h>
2841 +/* Control parameters settable through module/boot flags */
2842 +extern enum audit_mode aa_g_audit;
2843 +extern int aa_g_audit_header;
2844 +extern int aa_g_debug;
2845 +extern int aa_g_lock_policy;
2846 +extern int aa_g_logsyscall;
2847 +extern int aa_g_paranoid_load;
2848 +extern unsigned int aa_g_path_max;
2851 + * DEBUG remains global (no per profile flag) since it is mostly used in sysctl
2852 + * which is not related to profile accesses.
2855 +#define AA_DEBUG(fmt, args...) \
2857 + if (aa_g_debug && printk_ratelimit()) \
2858 + printk(KERN_DEBUG "AppArmor: " fmt, ##args); \
2861 +#define AA_ERROR(fmt, args...) \
2863 + if (printk_ratelimit()) \
2864 + printk(KERN_ERR "AppArmor: " fmt, ##args); \
2867 +/* Flag indicating whether initialization completed */
2868 +extern int apparmor_initialized __initdata;
2871 +char *aa_split_fqname(char *args, char **ns_name);
2872 +void aa_info_message(const char *str);
2873 +void *kvmalloc(size_t size);
2874 +void kvfree(void *buffer);
2878 + * aa_strneq - compare null terminated @str to a non null terminated substring
2879 + * @str: a null terminated string
2880 + * @sub: a substring, not necessarily null terminated
2881 + * @len: length of @sub to compare
2883 + * The @str string must be full consumed for this to be considered a match
2885 +static inline bool aa_strneq(const char *str, const char *sub, int len)
2887 + return !strncmp(str, sub, len) && !str[len];
2891 + * aa_dfa_null_transition - step to next state after null character
2892 + * @dfa: the dfa to match against
2893 + * @start: the state of the dfa to start matching in
2895 + * aa_dfa_null_transition transitions to the next state after a null
2896 + * character which is not used in standard matching and is only
2897 + * used to separate pairs.
2899 +static inline unsigned int aa_dfa_null_transition(struct aa_dfa *dfa,
2900 + unsigned int start)
2902 + /* the null transition only needs the string's null terminator byte */
2903 + return aa_dfa_match_len(dfa, start, "", 1);
2906 +static inline bool mediated_filesystem(struct inode *inode)
2908 + return !(inode->i_sb->s_flags & MS_NOUSER);
2911 +#endif /* __APPARMOR_H */
2912 diff --git a/security/apparmor/include/apparmorfs.h b/security/apparmor/include/apparmorfs.h
2913 new file mode 100644
2914 index 0000000..14f955c
2916 +++ b/security/apparmor/include/apparmorfs.h
2919 + * AppArmor security module
2921 + * This file contains AppArmor filesystem definitions.
2923 + * Copyright (C) 1998-2008 Novell/SUSE
2924 + * Copyright 2009-2010 Canonical Ltd.
2926 + * This program is free software; you can redistribute it and/or
2927 + * modify it under the terms of the GNU General Public License as
2928 + * published by the Free Software Foundation, version 2 of the
2932 +#ifndef __AA_APPARMORFS_H
2933 +#define __AA_APPARMORFS_H
2935 +extern void __init aa_destroy_aafs(void);
2937 +#ifdef CONFIG_SECURITY_APPARMOR_COMPAT_24
2938 +extern const struct file_operations aa_fs_matching_fops;
2939 +extern const struct file_operations aa_fs_features_fops;
2940 +extern const struct file_operations aa_fs_profiles_fops;
2943 +#endif /* __AA_APPARMORFS_H */
2944 diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
2945 new file mode 100644
2946 index 0000000..1951786
2948 +++ b/security/apparmor/include/audit.h
2951 + * AppArmor security module
2953 + * This file contains AppArmor auditing function definitions.
2955 + * Copyright (C) 1998-2008 Novell/SUSE
2956 + * Copyright 2009-2010 Canonical Ltd.
2958 + * This program is free software; you can redistribute it and/or
2959 + * modify it under the terms of the GNU General Public License as
2960 + * published by the Free Software Foundation, version 2 of the
2964 +#ifndef __AA_AUDIT_H
2965 +#define __AA_AUDIT_H
2967 +#include <linux/audit.h>
2968 +#include <linux/fs.h>
2969 +#include <linux/lsm_audit.h>
2970 +#include <linux/sched.h>
2971 +#include <linux/slab.h>
2977 +extern const char *audit_mode_names[];
2978 +#define AUDIT_MAX_INDEX 5
2980 +#define AUDIT_APPARMOR_AUTO 0 /* auto choose audit message type */
2983 + AUDIT_NORMAL, /* follow normal auditing of accesses */
2984 + AUDIT_QUIET_DENIED, /* quiet all denied access messages */
2985 + AUDIT_QUIET, /* quiet all messages */
2986 + AUDIT_NOQUIET, /* do not quiet audit messages */
2987 + AUDIT_ALL /* audit all accesses */
2991 + AUDIT_APPARMOR_AUDIT,
2992 + AUDIT_APPARMOR_ALLOWED,
2993 + AUDIT_APPARMOR_DENIED,
2994 + AUDIT_APPARMOR_HINT,
2995 + AUDIT_APPARMOR_STATUS,
2996 + AUDIT_APPARMOR_ERROR,
2997 + AUDIT_APPARMOR_KILL
3000 +extern const char *op_table[];
3044 + OP_CHANGE_PROFILE,
3056 +/* define a short hand for apparmor_audit_data portion of common_audit_data */
3057 +#define aad apparmor_audit_data
3059 +void aa_audit_msg(int type, struct common_audit_data *sa,
3060 + void (*cb) (struct audit_buffer *, void *));
3061 +int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
3062 + struct common_audit_data *sa,
3063 + void (*cb) (struct audit_buffer *, void *));
3065 +static inline int complain_error(int error)
3067 + if (error == -EPERM || error == -EACCES)
3072 +#endif /* __AA_AUDIT_H */
3073 diff --git a/security/apparmor/include/capability.h b/security/apparmor/include/capability.h
3074 new file mode 100644
3075 index 0000000..c24d295
3077 +++ b/security/apparmor/include/capability.h
3080 + * AppArmor security module
3082 + * This file contains AppArmor capability mediation definitions.
3084 + * Copyright (C) 1998-2008 Novell/SUSE
3085 + * Copyright 2009-2010 Canonical Ltd.
3087 + * This program is free software; you can redistribute it and/or
3088 + * modify it under the terms of the GNU General Public License as
3089 + * published by the Free Software Foundation, version 2 of the
3093 +#ifndef __AA_CAPABILITY_H
3094 +#define __AA_CAPABILITY_H
3096 +#include <linux/sched.h>
3100 +/* aa_caps - confinement data for capabilities
3101 + * @allowed: capabilities mask
3102 + * @audit: caps that are to be audited
3103 + * @quiet: caps that should not be audited
3104 + * @kill: caps that when requested will result in the task being killed
3105 + * @extended: caps that are subject finer grained mediation
3108 + kernel_cap_t allow;
3109 + kernel_cap_t audit;
3110 + kernel_cap_t quiet;
3111 + kernel_cap_t kill;
3112 + kernel_cap_t extended;
3115 +int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
3118 +static inline void aa_free_cap_rules(struct aa_caps *caps)
3123 +#endif /* __AA_CAPBILITY_H */
3124 diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
3125 new file mode 100644
3126 index 0000000..a9cbee4
3128 +++ b/security/apparmor/include/context.h
3131 + * AppArmor security module
3133 + * This file contains AppArmor contexts used to associate "labels" to objects.
3135 + * Copyright (C) 1998-2008 Novell/SUSE
3136 + * Copyright 2009-2010 Canonical Ltd.
3138 + * This program is free software; you can redistribute it and/or
3139 + * modify it under the terms of the GNU General Public License as
3140 + * published by the Free Software Foundation, version 2 of the
3144 +#ifndef __AA_CONTEXT_H
3145 +#define __AA_CONTEXT_H
3147 +#include <linux/cred.h>
3148 +#include <linux/slab.h>
3149 +#include <linux/sched.h>
3151 +#include "policy.h"
3153 +/* struct aa_file_cxt - the AppArmor context the file was opened in
3154 + * @perms: the permission the file was opened with
3156 + * The file_cxt could currently be directly stored in file->f_security
3157 + * as the profile reference is now stored in the f_cred. However the
3158 + * cxt struct will expand in the future so we keep the struct.
3160 +struct aa_file_cxt {
3165 + * aa_alloc_file_context - allocate file_cxt
3166 + * @gfp: gfp flags for allocation
3168 + * Returns: file_cxt or NULL on failure
3170 +static inline struct aa_file_cxt *aa_alloc_file_context(gfp_t gfp)
3172 + return kzalloc(sizeof(struct aa_file_cxt), gfp);
3176 + * aa_free_file_context - free a file_cxt
3177 + * @cxt: file_cxt to free (MAYBE_NULL)
3179 +static inline void aa_free_file_context(struct aa_file_cxt *cxt)
3186 + * struct aa_task_cxt - primary label for confined tasks
3187 + * @profile: the current profile (NOT NULL)
3188 + * @exec: profile to transition to on next exec (MAYBE NULL)
3189 + * @previous: profile the task may return to (MAYBE NULL)
3190 + * @token: magic value the task must know for returning to @previous_profile
3192 + * Contains the task's current profile (which could change due to
3193 + * change_hat). Plus the hat_magic needed during change_hat.
3195 + * TODO: make so a task can be confined by a stack of contexts
3197 +struct aa_task_cxt {
3198 + struct aa_profile *profile;
3199 + struct aa_profile *onexec;
3200 + struct aa_profile *previous;
3204 +struct aa_task_cxt *aa_alloc_task_context(gfp_t flags);
3205 +void aa_free_task_context(struct aa_task_cxt *cxt);
3206 +void aa_dup_task_context(struct aa_task_cxt *new,
3207 + const struct aa_task_cxt *old);
3208 +int aa_replace_current_profile(struct aa_profile *profile);
3209 +int aa_set_current_onexec(struct aa_profile *profile);
3210 +int aa_set_current_hat(struct aa_profile *profile, u64 token);
3211 +int aa_restore_previous_profile(u64 cookie);
3214 + * __aa_task_is_confined - determine if @task has any confinement
3215 + * @task: task to check confinement of (NOT NULL)
3217 + * If @task != current needs to be called in RCU safe critical section
3219 +static inline bool __aa_task_is_confined(struct task_struct *task)
3221 + struct aa_task_cxt *cxt = __task_cred(task)->security;
3223 + BUG_ON(!cxt || !cxt->profile);
3224 + if (unconfined(aa_newest_version(cxt->profile)))
3231 + * aa_cred_profile - obtain cred's profiles
3232 + * @cred: cred to obtain profiles from (NOT NULL)
3234 + * Returns: confining profile
3236 + * does NOT increment reference count
3238 +static inline struct aa_profile *aa_cred_profile(const struct cred *cred)
3240 + struct aa_task_cxt *cxt = cred->security;
3241 + BUG_ON(!cxt || !cxt->profile);
3242 + return aa_newest_version(cxt->profile);
3246 + * __aa_current_profile - find the current tasks confining profile
3248 + * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
3250 + * This fn will not update the tasks cred to the most up to date version
3251 + * of the profile so it is safe to call when inside of locks.
3253 +static inline struct aa_profile *__aa_current_profile(void)
3255 + return aa_cred_profile(current_cred());
3259 + * aa_current_profile - find the current tasks confining profile and do updates
3261 + * Returns: up to date confining profile or the ns unconfined profile (NOT NULL)
3263 + * This fn will update the tasks cred structure if the profile has been
3264 + * replaced. Not safe to call inside locks
3266 +static inline struct aa_profile *aa_current_profile(void)
3268 + const struct aa_task_cxt *cxt = current_cred()->security;
3269 + struct aa_profile *profile;
3270 + BUG_ON(!cxt || !cxt->profile);
3272 + profile = aa_newest_version(cxt->profile);
3274 + * Whether or not replacement succeeds, use newest profile so
3275 + * there is no need to update it after replacement.
3277 + if (unlikely((cxt->profile != profile)))
3278 + aa_replace_current_profile(profile);
3283 +#endif /* __AA_CONTEXT_H */
3284 diff --git a/security/apparmor/include/domain.h b/security/apparmor/include/domain.h
3285 new file mode 100644
3286 index 0000000..de04464
3288 +++ b/security/apparmor/include/domain.h
3291 + * AppArmor security module
3293 + * This file contains AppArmor security domain transition function definitions.
3295 + * Copyright (C) 1998-2008 Novell/SUSE
3296 + * Copyright 2009-2010 Canonical Ltd.
3298 + * This program is free software; you can redistribute it and/or
3299 + * modify it under the terms of the GNU General Public License as
3300 + * published by the Free Software Foundation, version 2 of the
3304 +#include <linux/binfmts.h>
3305 +#include <linux/types.h>
3307 +#ifndef __AA_DOMAIN_H
3308 +#define __AA_DOMAIN_H
3315 +int apparmor_bprm_set_creds(struct linux_binprm *bprm);
3316 +int apparmor_bprm_secureexec(struct linux_binprm *bprm);
3317 +void apparmor_bprm_committing_creds(struct linux_binprm *bprm);
3318 +void apparmor_bprm_committed_creds(struct linux_binprm *bprm);
3320 +void aa_free_domain_entries(struct aa_domain *domain);
3321 +int aa_change_hat(const char *hats[], int count, u64 token, bool permtest);
3322 +int aa_change_profile(const char *ns_name, const char *name, bool onexec,
3325 +#endif /* __AA_DOMAIN_H */
3326 diff --git a/security/apparmor/include/file.h b/security/apparmor/include/file.h
3327 new file mode 100644
3328 index 0000000..be36fea
3330 +++ b/security/apparmor/include/file.h
3333 + * AppArmor security module
3335 + * This file contains AppArmor file mediation function definitions.
3337 + * Copyright (C) 1998-2008 Novell/SUSE
3338 + * Copyright 2009-2010 Canonical Ltd.
3340 + * This program is free software; you can redistribute it and/or
3341 + * modify it under the terms of the GNU General Public License as
3342 + * published by the Free Software Foundation, version 2 of the
3346 +#ifndef __AA_FILE_H
3347 +#define __AA_FILE_H
3349 +#include <linux/path.h>
3351 +#include "domain.h"
3357 + * We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags
3358 + * for profile permissions
3360 +#define AA_MAY_CREATE 0x0010
3361 +#define AA_MAY_DELETE 0x0020
3362 +#define AA_MAY_META_WRITE 0x0040
3363 +#define AA_MAY_META_READ 0x0080
3365 +#define AA_MAY_CHMOD 0x0100
3366 +#define AA_MAY_CHOWN 0x0200
3367 +#define AA_MAY_LOCK 0x0400
3368 +#define AA_EXEC_MMAP 0x0800
3370 +#define AA_MAY_LINK 0x1000
3371 +#define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */
3372 +#define AA_MAY_ONEXEC 0x40000000 /* exec allows onexec */
3373 +#define AA_MAY_CHANGE_PROFILE 0x80000000
3374 +#define AA_MAY_CHANGEHAT 0x80000000 /* ctrl auditing only */
3376 +#define AA_AUDIT_FILE_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\
3377 + AA_MAY_CREATE | AA_MAY_DELETE | \
3378 + AA_MAY_META_READ | AA_MAY_META_WRITE | \
3379 + AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \
3380 + AA_EXEC_MMAP | AA_MAY_LINK)
3383 + * The xindex is broken into 3 parts
3384 + * - index - an index into either the exec name table or the variable table
3385 + * - exec type - which determines how the executable name and index are used
3386 + * - flags - which modify how the destination name is applied
3388 +#define AA_X_INDEX_MASK 0x03ff
3390 +#define AA_X_TYPE_MASK 0x0c00
3391 +#define AA_X_TYPE_SHIFT 10
3392 +#define AA_X_NONE 0x0000
3393 +#define AA_X_NAME 0x0400 /* use executable name px */
3394 +#define AA_X_TABLE 0x0800 /* use a specified name ->n# */
3396 +#define AA_X_UNSAFE 0x1000
3397 +#define AA_X_CHILD 0x2000 /* make >AA_X_NONE apply to children */
3398 +#define AA_X_INHERIT 0x4000
3399 +#define AA_X_UNCONFINED 0x8000
3401 +/* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */
3402 +#define AA_SECURE_X_NEEDED 0x8000
3404 +/* need to make conditional which ones are being set */
3410 +/* struct file_perms - file permission
3411 + * @allow: mask of permissions that are allowed
3412 + * @audit: mask of permissions to force an audit message for
3413 + * @quiet: mask of permissions to quiet audit messages for
3414 + * @kill: mask of permissions that when matched will kill the task
3415 + * @xindex: exec transition index if @allow contains MAY_EXEC
3417 + * The @audit and @queit mask should be mutually exclusive.
3419 +struct file_perms {
3427 +extern struct file_perms nullperms;
3429 +#define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill)
3431 +/* FIXME: split perms from dfa and match this to description
3432 + * also add delegation info.
3434 +static inline u16 dfa_map_xindex(u16 mask)
3436 + u16 old_index = (mask >> 10) & 0xf;
3440 + index |= AA_X_UNSAFE;
3442 + index |= AA_X_INHERIT;
3444 + index |= AA_X_UNCONFINED;
3446 + if (old_index == 1) {
3447 + index |= AA_X_UNCONFINED;
3448 + } else if (old_index == 2) {
3449 + index |= AA_X_NAME;
3450 + } else if (old_index == 3) {
3451 + index |= AA_X_NAME | AA_X_CHILD;
3453 + index |= AA_X_TABLE;
3454 + index |= old_index - 4;
3461 + * map old dfa inline permissions to new format
3463 +#define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \
3464 + ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
3465 +#define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f)
3466 +#define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f)
3467 +#define dfa_user_xindex(dfa, state) \
3468 + (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff))
3470 +#define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \
3472 + ((ACCEPT_TABLE(dfa)[state]) & 0x80000000))
3473 +#define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f)
3474 +#define dfa_other_quiet(dfa, state) \
3475 + ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f)
3476 +#define dfa_other_xindex(dfa, state) \
3477 + dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff)
3479 +int aa_audit_file(struct aa_profile *profile, struct file_perms *perms,
3480 + gfp_t gfp, int op, u32 request, const char *name,
3481 + const char *target, uid_t ouid, const char *info, int error);
3484 + * struct aa_file_rules - components used for file rule permissions
3485 + * @dfa: dfa to match path names and conditionals against
3486 + * @perms: permission table indexed by the matched state accept entry of @dfa
3487 + * @trans: transition table for indexed by named x transitions
3489 + * File permission are determined by matching a path against @dfa and then
3490 + * then using the value of the accept entry for the matching state as
3491 + * an index into @perms. If a named exec transition is required it is
3492 + * looked up in the transition table.
3494 +struct aa_file_rules {
3495 + unsigned int start;
3496 + struct aa_dfa *dfa;
3497 + /* struct perms perms; */
3498 + struct aa_domain trans;
3499 + /* TODO: add delegate table */
3502 +unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
3503 + const char *name, struct path_cond *cond,
3504 + struct file_perms *perms);
3506 +int aa_path_perm(int op, struct aa_profile *profile, struct path *path,
3507 + int flags, u32 request, struct path_cond *cond);
3509 +int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry,
3510 + struct path *new_dir, struct dentry *new_dentry);
3512 +int aa_file_perm(int op, struct aa_profile *profile, struct file *file,
3515 +static inline void aa_free_file_rules(struct aa_file_rules *rules)
3517 + aa_put_dfa(rules->dfa);
3518 + aa_free_domain_entries(&rules->trans);
3521 +#define ACC_FMODE(x) (("\000\004\002\006"[(x)&O_ACCMODE]) | (((x) << 1) & 0x40))
3524 +#define MAP_OPEN_FLAGS(x) ((((x) + 1) & O_ACCMODE) ? (x) + 1 : (x))
3527 + * aa_map_file_perms - map file flags to AppArmor permissions
3528 + * @file: open file to map flags to AppArmor permissions
3530 + * Returns: apparmor permission set for the file
3532 +static inline u32 aa_map_file_to_perms(struct file *file)
3534 + int flags = MAP_OPEN_FLAGS(file->f_flags);
3535 + u32 perms = ACC_FMODE(file->f_mode);
3537 + if ((flags & O_APPEND) && (perms & MAY_WRITE))
3538 + perms = (perms & ~MAY_WRITE) | MAY_APPEND;
3539 + /* trunc implies write permission */
3540 + if (flags & O_TRUNC)
3541 + perms |= MAY_WRITE;
3542 + if (flags & O_CREAT)
3543 + perms |= AA_MAY_CREATE;
3548 +#endif /* __AA_FILE_H */
3549 diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
3550 new file mode 100644
3551 index 0000000..aeda0fb
3553 +++ b/security/apparmor/include/ipc.h
3556 + * AppArmor security module
3558 + * This file contains AppArmor ipc mediation function definitions.
3560 + * Copyright (C) 1998-2008 Novell/SUSE
3561 + * Copyright 2009-2010 Canonical Ltd.
3563 + * This program is free software; you can redistribute it and/or
3564 + * modify it under the terms of the GNU General Public License as
3565 + * published by the Free Software Foundation, version 2 of the
3572 +#include <linux/sched.h>
3576 +int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
3577 + struct aa_profile *tracee, unsigned int mode);
3579 +int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
3580 + unsigned int mode);
3582 +#endif /* __AA_IPC_H */
3583 diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
3584 new file mode 100644
3585 index 0000000..734a6d3
3587 +++ b/security/apparmor/include/match.h
3590 + * AppArmor security module
3592 + * This file contains AppArmor policy dfa matching engine definitions.
3594 + * Copyright (C) 1998-2008 Novell/SUSE
3595 + * Copyright 2009-2010 Canonical Ltd.
3597 + * This program is free software; you can redistribute it and/or
3598 + * modify it under the terms of the GNU General Public License as
3599 + * published by the Free Software Foundation, version 2 of the
3603 +#ifndef __AA_MATCH_H
3604 +#define __AA_MATCH_H
3606 +#include <linux/workqueue.h>
3608 +#define DFA_NOMATCH 0
3609 +#define DFA_START 1
3611 +#define DFA_VALID_PERM_MASK 0xffffffff
3612 +#define DFA_VALID_PERM2_MASK 0xffffffff
3615 + * The format used for transition tables is based on the GNU flex table
3616 + * file format (--tables-file option; see Table File Format in the flex
3617 + * info pages and the flex sources for documentation). The magic number
3618 + * used in the header is 0x1B5E783D insted of 0xF13C57B1 though, because
3619 + * the YY_ID_CHK (check) and YY_ID_DEF (default) tables are used
3620 + * slightly differently (see the apparmor-parser package).
3623 +#define YYTH_MAGIC 0x1B5E783D
3624 +#define YYTH_DEF_RECURSE 0x1 /* DEF Table is recursive */
3626 +struct table_set_header {
3627 + u32 th_magic; /* YYTH_MAGIC */
3631 + char th_version[];
3634 +/* The YYTD_ID are one less than flex table mappings. The flex id
3635 + * has 1 subtracted at table load time, this allows us to directly use the
3636 + * ID's as indexes.
3638 +#define YYTD_ID_ACCEPT 0
3639 +#define YYTD_ID_BASE 1
3640 +#define YYTD_ID_CHK 2
3641 +#define YYTD_ID_DEF 3
3642 +#define YYTD_ID_EC 4
3643 +#define YYTD_ID_META 5
3644 +#define YYTD_ID_ACCEPT2 6
3645 +#define YYTD_ID_NXT 7
3646 +#define YYTD_ID_TSIZE 8
3648 +#define YYTD_DATA8 1
3649 +#define YYTD_DATA16 2
3650 +#define YYTD_DATA32 4
3651 +#define YYTD_DATA64 8
3653 +/* Each ACCEPT2 table gets 6 dedicated flags, YYTD_DATAX define the
3656 +#define ACCEPT1_FLAGS(X) ((X) & 0x3f)
3657 +#define ACCEPT2_FLAGS(X) ACCEPT1_FLAGS((X) >> YYTD_ID_ACCEPT2)
3658 +#define TO_ACCEPT1_FLAG(X) ACCEPT1_FLAGS(X)
3659 +#define TO_ACCEPT2_FLAG(X) (ACCEPT1_FLAGS(X) << YYTD_ID_ACCEPT2)
3660 +#define DFA_FLAG_VERIFY_STATES 0x1000
3662 +struct table_header {
3670 +#define DEFAULT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_DEF]->td_data))
3671 +#define BASE_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_BASE]->td_data))
3672 +#define NEXT_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_NXT]->td_data))
3673 +#define CHECK_TABLE(DFA) ((u16 *)((DFA)->tables[YYTD_ID_CHK]->td_data))
3674 +#define EQUIV_TABLE(DFA) ((u8 *)((DFA)->tables[YYTD_ID_EC]->td_data))
3675 +#define ACCEPT_TABLE(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT]->td_data))
3676 +#define ACCEPT_TABLE2(DFA) ((u32 *)((DFA)->tables[YYTD_ID_ACCEPT2]->td_data))
3679 + struct kref count;
3681 + struct table_header *tables[YYTD_ID_TSIZE];
3684 +#define byte_to_byte(X) (X)
3686 +#define UNPACK_ARRAY(TABLE, BLOB, LEN, TYPE, NTOHX) \
3688 + typeof(LEN) __i; \
3689 + TYPE *__t = (TYPE *) TABLE; \
3690 + TYPE *__b = (TYPE *) BLOB; \
3691 + for (__i = 0; __i < LEN; __i++) { \
3692 + __t[__i] = NTOHX(__b[__i]); \
3696 +static inline size_t table_size(size_t len, size_t el_size)
3698 + return ALIGN(sizeof(struct table_header) + len * el_size, 8);
3701 +struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags);
3702 +unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
3703 + const char *str, int len);
3704 +unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
3706 +void aa_dfa_free_kref(struct kref *kref);
3709 + * aa_put_dfa - put a dfa refcount
3710 + * @dfa: dfa to put refcount (MAYBE NULL)
3712 + * Requires: if @dfa != NULL that a valid refcount be held
3714 +static inline void aa_put_dfa(struct aa_dfa *dfa)
3717 + kref_put(&dfa->count, aa_dfa_free_kref);
3720 +#endif /* __AA_MATCH_H */
3721 diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
3722 new file mode 100644
3723 index 0000000..3c7d599
3725 +++ b/security/apparmor/include/net.h
3728 + * AppArmor security module
3730 + * This file contains AppArmor network mediation definitions.
3732 + * Copyright (C) 1998-2008 Novell/SUSE
3733 + * Copyright 2009-2010 Canonical Ltd.
3735 + * This program is free software; you can redistribute it and/or
3736 + * modify it under the terms of the GNU General Public License as
3737 + * published by the Free Software Foundation, version 2 of the
3744 +#include <net/sock.h>
3746 +/* struct aa_net - network confinement data
3747 + * @allowed: basic network families permissions
3748 + * @audit_network: which network permissions to force audit
3749 + * @quiet_network: which network permissions to quiet rejects
3752 + u16 allow[AF_MAX];
3753 + u16 audit[AF_MAX];
3754 + u16 quiet[AF_MAX];
3757 +extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
3758 + int type, int protocol, struct sock *sk);
3759 +extern int aa_revalidate_sk(int op, struct sock *sk);
3761 +static inline void aa_free_net_rules(struct aa_net *new)
3766 +#endif /* __AA_NET_H */
3767 diff --git a/security/apparmor/include/path.h b/security/apparmor/include/path.h
3768 new file mode 100644
3769 index 0000000..27b327a
3771 +++ b/security/apparmor/include/path.h
3774 + * AppArmor security module
3776 + * This file contains AppArmor basic path manipulation function definitions.
3778 + * Copyright (C) 1998-2008 Novell/SUSE
3779 + * Copyright 2009-2010 Canonical Ltd.
3781 + * This program is free software; you can redistribute it and/or
3782 + * modify it under the terms of the GNU General Public License as
3783 + * published by the Free Software Foundation, version 2 of the
3787 +#ifndef __AA_PATH_H
3788 +#define __AA_PATH_H
3792 + PATH_IS_DIR = 0x1, /* path is a directory */
3793 + PATH_CONNECT_PATH = 0x4, /* connect disconnected paths to / */
3794 + PATH_CHROOT_REL = 0x8, /* do path lookup relative to chroot */
3795 + PATH_CHROOT_NSCONNECT = 0x10, /* connect paths that are at ns root */
3797 + PATH_DELEGATE_DELETED = 0x08000, /* delegate deleted files */
3798 + PATH_MEDIATE_DELETED = 0x10000, /* mediate deleted paths */
3801 +int aa_get_name(struct path *path, int flags, char **buffer, const char **name);
3803 +#endif /* __AA_PATH_H */
3804 diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
3805 new file mode 100644
3806 index 0000000..6776929
3808 +++ b/security/apparmor/include/policy.h
3811 + * AppArmor security module
3813 + * This file contains AppArmor policy definitions.
3815 + * Copyright (C) 1998-2008 Novell/SUSE
3816 + * Copyright 2009-2010 Canonical Ltd.
3818 + * This program is free software; you can redistribute it and/or
3819 + * modify it under the terms of the GNU General Public License as
3820 + * published by the Free Software Foundation, version 2 of the
3824 +#ifndef __AA_POLICY_H
3825 +#define __AA_POLICY_H
3827 +#include <linux/capability.h>
3828 +#include <linux/cred.h>
3829 +#include <linux/kref.h>
3830 +#include <linux/sched.h>
3831 +#include <linux/slab.h>
3832 +#include <linux/socket.h>
3834 +#include "apparmor.h"
3836 +#include "capability.h"
3837 +#include "domain.h"
3840 +#include "resource.h"
3842 +extern const char *profile_mode_names[];
3843 +#define APPARMOR_NAMES_MAX_INDEX 3
3845 +#define COMPLAIN_MODE(_profile) \
3846 + ((aa_g_profile_mode == APPARMOR_COMPLAIN) || \
3847 + ((_profile)->mode == APPARMOR_COMPLAIN))
3849 +#define KILL_MODE(_profile) \
3850 + ((aa_g_profile_mode == APPARMOR_KILL) || \
3851 + ((_profile)->mode == APPARMOR_KILL))
3853 +#define PROFILE_IS_HAT(_profile) ((_profile)->flags & PFLAG_HAT)
3856 + * FIXME: currently need a clean way to replace and remove profiles as a
3857 + * set. It should be done at the namespace level.
3858 + * Either, with a set of profiles loaded at the namespace level or via
3859 + * a mark and remove marked interface.
3861 +enum profile_mode {
3862 + APPARMOR_ENFORCE, /* enforce access rules */
3863 + APPARMOR_COMPLAIN, /* allow and log access violations */
3864 + APPARMOR_KILL, /* kill task on access violation */
3867 +enum profile_flags {
3868 + PFLAG_HAT = 1, /* profile is a hat */
3869 + PFLAG_UNCONFINED = 2, /* profile is an unconfined profile */
3870 + PFLAG_NULL = 4, /* profile is null learning profile */
3871 + PFLAG_IX_ON_NAME_ERROR = 8, /* fallback to ix on name lookup fail */
3872 + PFLAG_IMMUTABLE = 0x10, /* don't allow changes/replacement */
3873 + PFLAG_USER_DEFINED = 0x20, /* user based profile - lower privs */
3874 + PFLAG_NO_LIST_REF = 0x40, /* list doesn't keep profile ref */
3875 + PFLAG_OLD_NULL_TRANS = 0x100, /* use // as the null transition */
3877 + /* These flags must correspond with PATH_flags */
3878 + PFLAG_MEDIATE_DELETED = 0x10000, /* mediate instead delegate deleted */
3883 +/* struct aa_policy - common part of both namespaces and profiles
3884 + * @name: name of the object
3885 + * @hname - The hierarchical name
3886 + * @count: reference count of the obj
3887 + * @list: list policy object is on
3888 + * @profiles: head of the profiles list contained in the object
3893 + struct kref count;
3894 + struct list_head list;
3895 + struct list_head profiles;
3898 +/* struct aa_ns_acct - accounting of profiles in namespace
3899 + * @max_size: maximum space allowed for all profiles in namespace
3900 + * @max_count: maximum number of profiles that can be in this namespace
3901 + * @size: current size of profiles
3902 + * @count: current count of profiles (includes null profiles)
3904 +struct aa_ns_acct {
3911 +/* struct aa_namespace - namespace for a set of profiles
3912 + * @base: common policy
3913 + * @parent: parent of namespace
3914 + * @lock: lock for modifying the object
3915 + * @acct: accounting for the namespace
3916 + * @unconfined: special unconfined profile for the namespace
3917 + * @sub_ns: list of namespaces under the current namespace.
3919 + * An aa_namespace defines the set profiles that are searched to determine
3920 + * which profile to attach to a task. Profiles can not be shared between
3921 + * aa_namespaces and profile names within a namespace are guaranteed to be
3922 + * unique. When profiles in separate namespaces have the same name they
3923 + * are NOT considered to be equivalent.
3925 + * Namespaces are hierarchical and only namespaces and profiles below the
3926 + * current namespace are visible.
3928 + * Namespace names must be unique and can not contain the characters :/\0
3930 + * FIXME TODO: add vserver support of namespaces (can it all be done in
3933 +struct aa_namespace {
3934 + struct aa_policy base;
3935 + struct aa_namespace *parent;
3937 + struct aa_ns_acct acct;
3938 + struct aa_profile *unconfined;
3939 + struct list_head sub_ns;
3942 +/* struct aa_profile - basic confinement data
3943 + * @base - base components of the profile (name, refcount, lists, lock ...)
3944 + * @parent: parent of profile
3945 + * @ns: namespace the profile is in
3946 + * @replacedby: is set to the profile that replaced this profile
3947 + * @rename: optional profile name that this profile renamed
3948 + * @xmatch: optional extended matching for unconfined executables names
3949 + * @xmatch_len: xmatch prefix len, used to determine xmatch priority
3950 + * @sid: the unique security id number of this profile
3951 + * @audit: the auditing mode of the profile
3952 + * @mode: the enforcement mode of the profile
3953 + * @flags: flags controlling profile behavior
3954 + * @path_flags: flags controlling path generation behavior
3955 + * @size: the memory consumed by this profiles rules
3956 + * @file: The set of rules governing basic file access and domain transitions
3957 + * @caps: capabilities for the profile
3958 + * @net: network controls for the profile
3959 + * @rlimits: rlimits for the profile
3961 + * The AppArmor profile contains the basic confinement data. Each profile
3962 + * has a name, and exists in a namespace. The @name and @exec_match are
3963 + * used to determine profile attachment against unconfined tasks. All other
3964 + * attachments are determined by profile X transition rules.
3966 + * The @replacedby field is write protected by the profile lock. Reads
3967 + * are assumed to be atomic, and are done without locking.
3969 + * Profiles have a hierarchy where hats and children profiles keep
3970 + * a reference to their parent.
3972 + * Profile names can not begin with a : and can not contain the \0
3973 + * character. If a profile name begins with / it will be considered when
3974 + * determining profile attachment on "unconfined" tasks.
3976 +struct aa_profile {
3977 + struct aa_policy base;
3978 + struct aa_profile *parent;
3980 + struct aa_namespace *ns;
3981 + struct aa_profile *replacedby;
3982 + const char *rename;
3984 + struct aa_dfa *xmatch;
3987 + enum audit_mode audit;
3988 + enum profile_mode mode;
3993 + struct aa_file_rules file;
3994 + struct aa_caps caps;
3995 + struct aa_net net;
3996 + struct aa_rlimit rlimits;
3999 +extern struct aa_namespace *root_ns;
4000 +extern enum profile_mode aa_g_profile_mode;
4002 +void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
4004 +bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view);
4005 +const char *aa_ns_name(struct aa_namespace *parent, struct aa_namespace *child);
4006 +int aa_alloc_root_ns(void);
4007 +void aa_free_root_ns(void);
4008 +void aa_free_namespace_kref(struct kref *kref);
4010 +struct aa_namespace *aa_find_namespace(struct aa_namespace *root,
4011 + const char *name);
4013 +static inline struct aa_policy *aa_get_common(struct aa_policy *c)
4016 + kref_get(&c->count);
4022 + * aa_get_namespace - increment references count on @ns
4023 + * @ns: namespace to increment reference count of (MAYBE NULL)
4025 + * Returns: pointer to @ns, if @ns is NULL returns NULL
4026 + * Requires: @ns must be held with valid refcount when called
4028 +static inline struct aa_namespace *aa_get_namespace(struct aa_namespace *ns)
4031 + kref_get(&(ns->base.count));
4037 + * aa_put_namespace - decrement refcount on @ns
4038 + * @ns: namespace to put reference of
4040 + * Decrement reference count of @ns and if no longer in use free it
4042 +static inline void aa_put_namespace(struct aa_namespace *ns)
4045 + kref_put(&ns->base.count, aa_free_namespace_kref);
4048 +struct aa_profile *aa_alloc_profile(const char *name);
4049 +struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat);
4050 +void aa_free_profile_kref(struct kref *kref);
4051 +struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
4052 +struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *name);
4053 +struct aa_profile *aa_match_profile(struct aa_namespace *ns, const char *name);
4055 +ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace);
4056 +ssize_t aa_remove_profiles(char *name, size_t size);
4059 +#define PROF_REPLACE 0
4061 +#define unconfined(X) ((X)->flags & PFLAG_UNCONFINED)
4064 + * aa_newest_version - find the newest version of @profile
4065 + * @profile: the profile to check for newer versions of (NOT NULL)
4067 + * Returns: newest version of @profile, if @profile is the newest version
4068 + * return @profile.
4070 + * NOTE: the profile returned is not refcounted, The refcount on @profile
4071 + * must be held until the caller decides what to do with the returned newest
4074 +static inline struct aa_profile *aa_newest_version(struct aa_profile *profile)
4076 + while (profile->replacedby)
4077 + profile = profile->replacedby;
4083 + * aa_get_profile - increment refcount on profile @p
4084 + * @p: profile (MAYBE NULL)
4086 + * Returns: pointer to @p if @p is NULL will return NULL
4087 + * Requires: @p must be held with valid refcount when called
4089 +static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
4092 + kref_get(&(p->base.count));
4098 + * aa_put_profile - decrement refcount on profile @p
4099 + * @p: profile (MAYBE NULL)
4101 +static inline void aa_put_profile(struct aa_profile *p)
4104 + kref_put(&p->base.count, aa_free_profile_kref);
4107 +static inline int AUDIT_MODE(struct aa_profile *profile)
4109 + if (aa_g_audit != AUDIT_NORMAL)
4110 + return aa_g_audit;
4112 + return profile->audit;
4115 +bool aa_may_manage_policy(int op);
4117 +#endif /* __AA_POLICY_H */
4118 diff --git a/security/apparmor/include/policy_unpack.h b/security/apparmor/include/policy_unpack.h
4119 new file mode 100644
4120 index 0000000..a2dccca
4122 +++ b/security/apparmor/include/policy_unpack.h
4125 + * AppArmor security module
4127 + * This file contains AppArmor policy loading interface function definitions.
4129 + * Copyright (C) 1998-2008 Novell/SUSE
4130 + * Copyright 2009-2010 Canonical Ltd.
4132 + * This program is free software; you can redistribute it and/or
4133 + * modify it under the terms of the GNU General Public License as
4134 + * published by the Free Software Foundation, version 2 of the
4138 +#ifndef __POLICY_INTERFACE_H
4139 +#define __POLICY_INTERFACE_H
4141 +struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns);
4143 +#endif /* __POLICY_INTERFACE_H */
4144 diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h
4145 new file mode 100644
4146 index 0000000..544aa6b
4148 +++ b/security/apparmor/include/procattr.h
4151 + * AppArmor security module
4153 + * This file contains AppArmor /proc/<pid>/attr/ interface function definitions.
4155 + * Copyright (C) 1998-2008 Novell/SUSE
4156 + * Copyright 2009-2010 Canonical Ltd.
4158 + * This program is free software; you can redistribute it and/or
4159 + * modify it under the terms of the GNU General Public License as
4160 + * published by the Free Software Foundation, version 2 of the
4164 +#ifndef __AA_PROCATTR_H
4165 +#define __AA_PROCATTR_H
4167 +#define AA_DO_TEST 1
4168 +#define AA_ONEXEC 1
4170 +int aa_getprocattr(struct aa_profile *profile, char **string);
4171 +int aa_setprocattr_changehat(char *args, size_t size, int test);
4172 +int aa_setprocattr_changeprofile(char *fqname, bool onexec, int test);
4173 +int aa_setprocattr_permipc(char *fqname);
4175 +#endif /* __AA_PROCATTR_H */
4176 diff --git a/security/apparmor/include/resource.h b/security/apparmor/include/resource.h
4177 new file mode 100644
4178 index 0000000..3c88be9
4180 +++ b/security/apparmor/include/resource.h
4183 + * AppArmor security module
4185 + * This file contains AppArmor resource limits function definitions.
4187 + * Copyright (C) 1998-2008 Novell/SUSE
4188 + * Copyright 2009-2010 Canonical Ltd.
4190 + * This program is free software; you can redistribute it and/or
4191 + * modify it under the terms of the GNU General Public License as
4192 + * published by the Free Software Foundation, version 2 of the
4196 +#ifndef __AA_RESOURCE_H
4197 +#define __AA_RESOURCE_H
4199 +#include <linux/resource.h>
4200 +#include <linux/sched.h>
4204 +/* struct aa_rlimit - rlimit settings for the profile
4205 + * @mask: which hard limits to set
4206 + * @limits: rlimit values that override task limits
4208 + * AppArmor rlimits are used to set confined task rlimits. Only the
4209 + * limits specified in @mask will be controlled by apparmor.
4212 + unsigned int mask;
4213 + struct rlimit limits[RLIM_NLIMITS];
4216 +int aa_map_resource(int resource);
4217 +int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
4218 + struct rlimit *new_rlim);
4220 +void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new);
4222 +static inline void aa_free_rlimit_rules(struct aa_rlimit *rlims)
4227 +#endif /* __AA_RESOURCE_H */
4228 diff --git a/security/apparmor/include/sid.h b/security/apparmor/include/sid.h
4229 new file mode 100644
4230 index 0000000..020db35
4232 +++ b/security/apparmor/include/sid.h
4235 + * AppArmor security module
4237 + * This file contains AppArmor security identifier (sid) definitions
4239 + * Copyright 2009-2010 Canonical Ltd.
4241 + * This program is free software; you can redistribute it and/or
4242 + * modify it under the terms of the GNU General Public License as
4243 + * published by the Free Software Foundation, version 2 of the
4250 +#include <linux/types.h>
4254 +u32 aa_alloc_sid(void);
4255 +void aa_free_sid(u32 sid);
4257 +#endif /* __AA_SID_H */
4258 diff --git a/security/apparmor/ipc.c b/security/apparmor/ipc.c
4259 new file mode 100644
4260 index 0000000..9013a78
4262 +++ b/security/apparmor/ipc.c
4265 + * AppArmor security module
4267 + * This file contains AppArmor ipc mediation
4269 + * Copyright (C) 1998-2008 Novell/SUSE
4270 + * Copyright 2009-2010 Canonical Ltd.
4272 + * This program is free software; you can redistribute it and/or
4273 + * modify it under the terms of the GNU General Public License as
4274 + * published by the Free Software Foundation, version 2 of the
4278 +#include <linux/gfp.h>
4279 +#include <linux/ptrace.h>
4281 +#include "include/audit.h"
4282 +#include "include/capability.h"
4283 +#include "include/context.h"
4284 +#include "include/policy.h"
4286 +/* call back to audit ptrace fields */
4287 +static void audit_cb(struct audit_buffer *ab, void *va)
4289 + struct common_audit_data *sa = va;
4290 + audit_log_format(ab, " target=");
4291 + audit_log_untrustedstring(ab, sa->aad.target);
4295 + * aa_audit_ptrace - do auditing for ptrace
4296 + * @profile: profile being enforced (NOT NULL)
4297 + * @target: profile being traced (NOT NULL)
4298 + * @error: error condition
4300 + * Returns: %0 or error code
4302 +static int aa_audit_ptrace(struct aa_profile *profile,
4303 + struct aa_profile *target, int error)
4305 + struct common_audit_data sa;
4306 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
4307 + sa.aad.op = OP_PTRACE;
4308 + sa.aad.target = target;
4309 + sa.aad.error = error;
4311 + return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_ATOMIC, &sa,
4316 + * aa_may_ptrace - test if tracer task can trace the tracee
4317 + * @tracer_task: task who will do the tracing (NOT NULL)
4318 + * @tracer: profile of the task doing the tracing (NOT NULL)
4319 + * @tracee: task to be traced
4320 + * @mode: whether PTRACE_MODE_READ || PTRACE_MODE_ATTACH
4322 + * Returns: %0 else error code if permission denied or error
4324 +int aa_may_ptrace(struct task_struct *tracer_task, struct aa_profile *tracer,
4325 + struct aa_profile *tracee, unsigned int mode)
4327 + /* TODO: currently only based on capability, not extended ptrace
4329 + * Test mode for PTRACE_MODE_READ || PTRACE_MODE_ATTACH
4332 + if (unconfined(tracer) || tracer == tracee)
4334 + /* log this capability request */
4335 + return aa_capable(tracer_task, tracer, CAP_SYS_PTRACE, 1);
4339 + * aa_ptrace - do ptrace permission check and auditing
4340 + * @tracer: task doing the tracing (NOT NULL)
4341 + * @tracee: task being traced (NOT NULL)
4342 + * @mode: ptrace mode either PTRACE_MODE_READ || PTRACE_MODE_ATTACH
4344 + * Returns: %0 else error code if permission denied or error
4346 +int aa_ptrace(struct task_struct *tracer, struct task_struct *tracee,
4347 + unsigned int mode)
4350 + * tracer can ptrace tracee when
4351 + * - tracer is unconfined ||
4352 + * - tracer is in complain mode
4353 + * - tracer has rules allowing it to trace tracee currently this is:
4354 + * - confined by the same profile ||
4355 + * - tracer profile has CAP_SYS_PTRACE
4358 + struct aa_profile *tracer_p;
4359 + /* cred released below */
4360 + const struct cred *cred = get_task_cred(tracer);
4362 + tracer_p = aa_cred_profile(cred);
4364 + if (!unconfined(tracer_p)) {
4365 + /* lcred released below */
4366 + struct cred *lcred = get_task_cred(tracee);
4367 + struct aa_profile *tracee_p = aa_cred_profile(lcred);
4369 + error = aa_may_ptrace(tracer, tracer_p, tracee_p, mode);
4370 + error = aa_audit_ptrace(tracer_p, tracee_p, error);
4378 diff --git a/security/apparmor/lib.c b/security/apparmor/lib.c
4379 new file mode 100644
4380 index 0000000..6e85cdb
4382 +++ b/security/apparmor/lib.c
4385 + * AppArmor security module
4387 + * This file contains basic common functions used in AppArmor
4389 + * Copyright (C) 1998-2008 Novell/SUSE
4390 + * Copyright 2009-2010 Canonical Ltd.
4392 + * This program is free software; you can redistribute it and/or
4393 + * modify it under the terms of the GNU General Public License as
4394 + * published by the Free Software Foundation, version 2 of the
4398 +#include <linux/slab.h>
4399 +#include <linux/string.h>
4400 +#include <linux/vmalloc.h>
4402 +#include "include/audit.h"
4406 + * aa_split_fqname - split a fqname into a profile and namespace name
4407 + * @fqname: a full qualified name in namespace profile format (NOT NULL)
4408 + * @ns_name: pointer to portion of the string containing the ns name (NOT NULL)
4410 + * Returns: profile name or NULL if one is not specified
4412 + * Split a namespace name from a profile name (see policy.c for naming
4413 + * description). If a portion of the name is missing it returns NULL for
4416 + * NOTE: may modify the @fqname string. The pointers returned point
4417 + * into the @fqname string.
4419 +char *aa_split_fqname(char *fqname, char **ns_name)
4421 + char *name = strim(fqname);
4424 + if (name[0] == ':') {
4425 + char *split = strchr(&name[1], ':');
4427 + /* overwrite ':' with \0 */
4429 + name = skip_spaces(split + 1);
4431 + /* a ns name without a following profile is allowed */
4433 + *ns_name = &name[1];
4435 + if (name && *name == 0)
4442 + * aa_info_message - log a none profile related status message
4443 + * @str: message to log
4445 +void aa_info_message(const char *str)
4447 + if (audit_enabled) {
4448 + struct common_audit_data sa;
4449 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
4450 + sa.aad.info = str;
4451 + aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
4453 + printk(KERN_INFO "AppArmor: %s\n", str);
4457 + * kvmalloc - do allocation preferring kmalloc but falling back to vmalloc
4458 + * @size: size of allocation
4460 + * Return: allocated buffer or NULL if failed
4462 + * It is possible that policy being loaded from the user is larger than
4463 + * what can be allocated by kmalloc, in those cases fall back to vmalloc.
4465 +void *kvmalloc(size_t size)
4467 + void *buffer = NULL;
4472 + /* do not attempt kmalloc if we need more than 16 pages at once */
4473 + if (size <= (16*PAGE_SIZE))
4474 + buffer = kmalloc(size, GFP_NOIO | __GFP_NOWARN);
4476 + /* see kvfree for why size must be at least work_struct size
4477 + * when allocated via vmalloc
4479 + if (size < sizeof(struct work_struct))
4480 + size = sizeof(struct work_struct);
4481 + buffer = vmalloc(size);
4487 + * do_vfree - workqueue routine for freeing vmalloced memory
4488 + * @work: data to be freed
4490 + * The work_struct is overlaid to the data being freed, as at the point
4491 + * the work is scheduled the data is no longer valid, be its freeing
4492 + * needs to be delayed until safe.
4494 +static void do_vfree(struct work_struct *work)
4500 + * kvfree - free an allocation do by kvmalloc
4501 + * @buffer: buffer to free (MAYBE_NULL)
4503 + * Free a buffer allocated by kvmalloc
4505 +void kvfree(void *buffer)
4507 + if (is_vmalloc_addr(buffer)) {
4508 + /* Data is no longer valid so just use the allocated space
4509 + * as the work_struct
4511 + struct work_struct *work = (struct work_struct *) buffer;
4512 + INIT_WORK(work, do_vfree);
4513 + schedule_work(work);
4517 diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
4518 new file mode 100644
4519 index 0000000..e8d0821
4521 +++ b/security/apparmor/lsm.c
4524 + * AppArmor security module
4526 + * This file contains AppArmor LSM hooks.
4528 + * Copyright (C) 1998-2008 Novell/SUSE
4529 + * Copyright 2009-2010 Canonical Ltd.
4531 + * This program is free software; you can redistribute it and/or
4532 + * modify it under the terms of the GNU General Public License as
4533 + * published by the Free Software Foundation, version 2 of the
4537 +#include <linux/security.h>
4538 +#include <linux/moduleparam.h>
4539 +#include <linux/mm.h>
4540 +#include <linux/mman.h>
4541 +#include <linux/mount.h>
4542 +#include <linux/namei.h>
4543 +#include <linux/ptrace.h>
4544 +#include <linux/ctype.h>
4545 +#include <linux/sysctl.h>
4546 +#include <linux/audit.h>
4547 +#include <net/sock.h>
4549 +#include "include/apparmor.h"
4550 +#include "include/apparmorfs.h"
4551 +#include "include/audit.h"
4552 +#include "include/capability.h"
4553 +#include "include/context.h"
4554 +#include "include/file.h"
4555 +#include "include/ipc.h"
4556 +#include "include/net.h"
4557 +#include "include/path.h"
4558 +#include "include/policy.h"
4559 +#include "include/procattr.h"
4561 +/* Flag indicating whether initialization completed */
4562 +int apparmor_initialized __initdata;
4565 + * LSM hook functions
4569 + * free the associated aa_task_cxt and put its profiles
4571 +static void apparmor_cred_free(struct cred *cred)
4573 + aa_free_task_context(cred->security);
4574 + cred->security = NULL;
4578 + * allocate the apparmor part of blank credentials
4580 +static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
4582 + /* freed by apparmor_cred_free */
4583 + struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
4587 + cred->security = cxt;
4592 + * prepare new aa_task_cxt for modification by prepare_cred block
4594 +static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
4597 + /* freed by apparmor_cred_free */
4598 + struct aa_task_cxt *cxt = aa_alloc_task_context(gfp);
4602 + aa_dup_task_context(cxt, old->security);
4603 + new->security = cxt;
4608 + * transfer the apparmor data to a blank set of creds
4610 +static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
4612 + const struct aa_task_cxt *old_cxt = old->security;
4613 + struct aa_task_cxt *new_cxt = new->security;
4615 + aa_dup_task_context(new_cxt, old_cxt);
4618 +static int apparmor_ptrace_access_check(struct task_struct *child,
4619 + unsigned int mode)
4621 + int error = cap_ptrace_access_check(child, mode);
4625 + return aa_ptrace(current, child, mode);
4628 +static int apparmor_ptrace_traceme(struct task_struct *parent)
4630 + int error = cap_ptrace_traceme(parent);
4634 + return aa_ptrace(parent, current, PTRACE_MODE_ATTACH);
4637 +/* Derived from security/commoncap.c:cap_capget */
4638 +static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
4639 + kernel_cap_t *inheritable, kernel_cap_t *permitted)
4641 + struct aa_profile *profile;
4642 + const struct cred *cred;
4645 + cred = __task_cred(target);
4646 + profile = aa_cred_profile(cred);
4648 + *effective = cred->cap_effective;
4649 + *inheritable = cred->cap_inheritable;
4650 + *permitted = cred->cap_permitted;
4652 + if (!unconfined(profile)) {
4653 + *effective = cap_intersect(*effective, profile->caps.allow);
4654 + *permitted = cap_intersect(*permitted, profile->caps.allow);
4656 + rcu_read_unlock();
4661 +static int apparmor_capable(struct task_struct *task, const struct cred *cred,
4662 + int cap, int audit)
4664 + struct aa_profile *profile;
4665 + /* cap_capable returns 0 on success, else -EPERM */
4666 + int error = cap_capable(task, cred, cap, audit);
4668 + profile = aa_cred_profile(cred);
4669 + if (!unconfined(profile))
4670 + error = aa_capable(task, profile, cap, audit);
4676 + * common_perm - basic common permission check wrapper fn for paths
4677 + * @op: operation being checked
4678 + * @path: path to check permission of (NOT NULL)
4679 + * @mask: requested permissions mask
4680 + * @cond: conditional info for the permission request (NOT NULL)
4682 + * Returns: %0 else error code if error or permission denied
4684 +static int common_perm(int op, struct path *path, u32 mask,
4685 + struct path_cond *cond)
4687 + struct aa_profile *profile;
4690 + profile = __aa_current_profile();
4691 + if (!unconfined(profile))
4692 + error = aa_path_perm(op, profile, path, 0, mask, cond);
4698 + * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
4699 + * @op: operation being checked
4700 + * @dir: directory of the dentry (NOT NULL)
4701 + * @dentry: dentry to check (NOT NULL)
4702 + * @mask: requested permissions mask
4703 + * @cond: conditional info for the permission request (NOT NULL)
4705 + * Returns: %0 else error code if error or permission denied
4707 +static int common_perm_dir_dentry(int op, struct path *dir,
4708 + struct dentry *dentry, u32 mask,
4709 + struct path_cond *cond)
4711 + struct path path = { dir->mnt, dentry };
4713 + return common_perm(op, &path, mask, cond);
4717 + * common_perm_mnt_dentry - common permission wrapper when mnt, dentry
4718 + * @op: operation being checked
4719 + * @mnt: mount point of dentry (NOT NULL)
4720 + * @dentry: dentry to check (NOT NULL)
4721 + * @mask: requested permissions mask
4723 + * Returns: %0 else error code if error or permission denied
4725 +static int common_perm_mnt_dentry(int op, struct vfsmount *mnt,
4726 + struct dentry *dentry, u32 mask)
4728 + struct path path = { mnt, dentry };
4729 + struct path_cond cond = { dentry->d_inode->i_uid,
4730 + dentry->d_inode->i_mode
4733 + return common_perm(op, &path, mask, &cond);
4737 + * common_perm_rm - common permission wrapper for operations doing rm
4738 + * @op: operation being checked
4739 + * @dir: directory that the dentry is in (NOT NULL)
4740 + * @dentry: dentry being rm'd (NOT NULL)
4741 + * @mask: requested permission mask
4743 + * Returns: %0 else error code if error or permission denied
4745 +static int common_perm_rm(int op, struct path *dir,
4746 + struct dentry *dentry, u32 mask)
4748 + struct inode *inode = dentry->d_inode;
4749 + struct path_cond cond = { };
4751 + if (!inode || !dir->mnt || !mediated_filesystem(inode))
4754 + cond.uid = inode->i_uid;
4755 + cond.mode = inode->i_mode;
4757 + return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
4761 + * common_perm_create - common permission wrapper for operations doing create
4762 + * @op: operation being checked
4763 + * @dir: directory that dentry will be created in (NOT NULL)
4764 + * @dentry: dentry to create (NOT NULL)
4765 + * @mask: request permission mask
4766 + * @mode: created file mode
4768 + * Returns: %0 else error code if error or permission denied
4770 +static int common_perm_create(int op, struct path *dir, struct dentry *dentry,
4771 + u32 mask, umode_t mode)
4773 + struct path_cond cond = { current_fsuid(), mode };
4775 + if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode))
4778 + return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
4781 +static int apparmor_path_unlink(struct path *dir, struct dentry *dentry)
4783 + return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
4786 +static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry,
4789 + return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
4793 +static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry)
4795 + return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
4798 +static int apparmor_path_mknod(struct path *dir, struct dentry *dentry,
4799 + int mode, unsigned int dev)
4801 + return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
4804 +static int apparmor_path_truncate(struct path *path, loff_t length,
4805 + unsigned int time_attrs)
4807 + struct path_cond cond = { path->dentry->d_inode->i_uid,
4808 + path->dentry->d_inode->i_mode
4811 + if (!path->mnt || !mediated_filesystem(path->dentry->d_inode))
4814 + return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE,
4818 +static int apparmor_path_symlink(struct path *dir, struct dentry *dentry,
4819 + const char *old_name)
4821 + return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
4825 +static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir,
4826 + struct dentry *new_dentry)
4828 + struct aa_profile *profile;
4831 + if (!mediated_filesystem(old_dentry->d_inode))
4834 + profile = aa_current_profile();
4835 + if (!unconfined(profile))
4836 + error = aa_path_link(profile, old_dentry, new_dir, new_dentry);
4840 +static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry,
4841 + struct path *new_dir, struct dentry *new_dentry)
4843 + struct aa_profile *profile;
4846 + if (!mediated_filesystem(old_dentry->d_inode))
4849 + profile = aa_current_profile();
4850 + if (!unconfined(profile)) {
4851 + struct path old_path = { old_dir->mnt, old_dentry };
4852 + struct path new_path = { new_dir->mnt, new_dentry };
4853 + struct path_cond cond = { old_dentry->d_inode->i_uid,
4854 + old_dentry->d_inode->i_mode
4857 + error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0,
4858 + MAY_READ | AA_MAY_META_READ | MAY_WRITE |
4859 + AA_MAY_META_WRITE | AA_MAY_DELETE,
4862 + error = aa_path_perm(OP_RENAME_DEST, profile, &new_path,
4863 + 0, MAY_WRITE | AA_MAY_META_WRITE |
4864 + AA_MAY_CREATE, &cond);
4870 +static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt,
4873 + if (!mediated_filesystem(dentry->d_inode))
4876 + return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD);
4879 +static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid)
4881 + struct path_cond cond = { path->dentry->d_inode->i_uid,
4882 + path->dentry->d_inode->i_mode
4885 + if (!mediated_filesystem(path->dentry->d_inode))
4888 + return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond);
4891 +static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry)
4893 + if (!mediated_filesystem(dentry->d_inode))
4896 + return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry,
4897 + AA_MAY_META_READ);
4900 +static int apparmor_dentry_open(struct file *file, const struct cred *cred)
4902 + struct aa_file_cxt *fcxt = file->f_security;
4903 + struct aa_profile *profile;
4906 + if (!mediated_filesystem(file->f_path.dentry->d_inode))
4909 + /* If in exec, permission is handled by bprm hooks.
4910 + * Cache permissions granted by the previous exec check, with
4911 + * implicit read and executable mmap which are required to
4912 + * actually execute the image.
4914 + if (current->in_execve) {
4915 + fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
4919 + profile = aa_cred_profile(cred);
4920 + if (!unconfined(profile)) {
4921 + struct inode *inode = file->f_path.dentry->d_inode;
4922 + struct path_cond cond = { inode->i_uid, inode->i_mode };
4924 + error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0,
4925 + aa_map_file_to_perms(file), &cond);
4926 + /* todo cache full allowed permissions set and state */
4927 + fcxt->allow = aa_map_file_to_perms(file);
4933 +static int apparmor_file_alloc_security(struct file *file)
4935 + /* freed by apparmor_file_free_security */
4936 + file->f_security = aa_alloc_file_context(GFP_KERNEL);
4937 + if (!file->f_security)
4943 +static void apparmor_file_free_security(struct file *file)
4945 + struct aa_file_cxt *cxt = file->f_security;
4947 + aa_free_file_context(cxt);
4950 +static int common_file_perm(int op, struct file *file, u32 mask)
4952 + struct aa_file_cxt *fcxt = file->f_security;
4953 + struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred);
4956 + BUG_ON(!fprofile);
4958 + if (!file->f_path.mnt ||
4959 + !mediated_filesystem(file->f_path.dentry->d_inode))
4962 + profile = __aa_current_profile();
4964 + /* revalidate access, if task is unconfined, or the cached cred
4965 + * doesn't match or if the request is for more permissions than
4968 + * Note: the test for !unconfined(fprofile) is to handle file
4969 + * delegation from unconfined tasks
4971 + if (!unconfined(profile) && !unconfined(fprofile) &&
4972 + ((fprofile != profile) || (mask & ~fcxt->allow)))
4973 + error = aa_file_perm(op, profile, file, mask);
4978 +static int apparmor_file_permission(struct file *file, int mask)
4980 + return common_file_perm(OP_FPERM, file, mask);
4983 +static int apparmor_file_lock(struct file *file, unsigned int cmd)
4985 + u32 mask = AA_MAY_LOCK;
4987 + if (cmd == F_WRLCK)
4988 + mask |= MAY_WRITE;
4990 + return common_file_perm(OP_FLOCK, file, mask);
4993 +static int common_mmap(int op, struct file *file, unsigned long prot,
4994 + unsigned long flags)
4996 + struct dentry *dentry;
4999 + if (!file || !file->f_security)
5002 + if (prot & PROT_READ)
5005 + * Private mappings don't require write perms since they don't
5006 + * write back to the files
5008 + if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
5009 + mask |= MAY_WRITE;
5010 + if (prot & PROT_EXEC)
5011 + mask |= AA_EXEC_MMAP;
5013 + dentry = file->f_path.dentry;
5014 + return common_file_perm(op, file, mask);
5017 +static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
5018 + unsigned long prot, unsigned long flags,
5019 + unsigned long addr, unsigned long addr_only)
5023 + /* do DAC check */
5024 + rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only);
5025 + if (rc || addr_only)
5028 + return common_mmap(OP_FMMAP, file, prot, flags);
5031 +static int apparmor_file_mprotect(struct vm_area_struct *vma,
5032 + unsigned long reqprot, unsigned long prot)
5034 + return common_mmap(OP_FMPROT, vma->vm_file, prot,
5035 + !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
5038 +static int apparmor_getprocattr(struct task_struct *task, char *name,
5041 + int error = -ENOENT;
5042 + struct aa_profile *profile;
5043 + /* released below */
5044 + const struct cred *cred = get_task_cred(task);
5045 + struct aa_task_cxt *cxt = cred->security;
5046 + profile = aa_cred_profile(cred);
5048 + if (strcmp(name, "current") == 0)
5049 + error = aa_getprocattr(aa_newest_version(cxt->profile),
5051 + else if (strcmp(name, "prev") == 0 && cxt->previous)
5052 + error = aa_getprocattr(aa_newest_version(cxt->previous),
5054 + else if (strcmp(name, "exec") == 0 && cxt->onexec)
5055 + error = aa_getprocattr(aa_newest_version(cxt->onexec),
5065 +static int apparmor_setprocattr(struct task_struct *task, char *name,
5066 + void *value, size_t size)
5068 + char *command, *args = value;
5074 + /* args points to a PAGE_SIZE buffer, AppArmor requires that
5075 + * the buffer must be null terminated or have size <= PAGE_SIZE -1
5076 + * so that AppArmor can null terminate them
5078 + if (args[size - 1] != '\0') {
5079 + if (size == PAGE_SIZE)
5081 + args[size] = '\0';
5084 + /* task can only write its own attributes */
5085 + if (current != task)
5089 + args = strim(args);
5090 + command = strsep(&args, " ");
5093 + args = skip_spaces(args);
5097 + arg_size = size - (args - (char *) value);
5098 + if (strcmp(name, "current") == 0) {
5099 + if (strcmp(command, "changehat") == 0) {
5100 + error = aa_setprocattr_changehat(args, arg_size,
5102 + } else if (strcmp(command, "permhat") == 0) {
5103 + error = aa_setprocattr_changehat(args, arg_size,
5105 + } else if (strcmp(command, "changeprofile") == 0) {
5106 + error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
5108 + } else if (strcmp(command, "permprofile") == 0) {
5109 + error = aa_setprocattr_changeprofile(args, !AA_ONEXEC,
5111 + } else if (strcmp(command, "permipc") == 0) {
5112 + error = aa_setprocattr_permipc(args);
5114 + struct common_audit_data sa;
5115 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
5116 + sa.aad.op = OP_SETPROCATTR;
5117 + sa.aad.info = name;
5118 + sa.aad.error = -EINVAL;
5119 + return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL,
5122 + } else if (strcmp(name, "exec") == 0) {
5123 + error = aa_setprocattr_changeprofile(args, AA_ONEXEC,
5126 + /* only support the "current" and "exec" process attributes */
5134 +static int apparmor_task_setrlimit(unsigned int resource,
5135 + struct rlimit *new_rlim)
5137 + struct aa_profile *profile = aa_current_profile();
5140 + if (!unconfined(profile))
5141 + error = aa_task_setrlimit(profile, resource, new_rlim);
5146 +static int apparmor_socket_create(int family, int type, int protocol, int kern)
5148 + struct aa_profile *profile;
5154 + profile = __aa_current_profile();
5155 + if (!unconfined(profile))
5156 + error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
5161 +static int apparmor_socket_bind(struct socket *sock,
5162 + struct sockaddr *address, int addrlen)
5164 + struct sock *sk = sock->sk;
5166 + return aa_revalidate_sk(OP_BIND, sk);
5169 +static int apparmor_socket_connect(struct socket *sock,
5170 + struct sockaddr *address, int addrlen)
5172 + struct sock *sk = sock->sk;
5174 + return aa_revalidate_sk(OP_CONNECT, sk);
5177 +static int apparmor_socket_listen(struct socket *sock, int backlog)
5179 + struct sock *sk = sock->sk;
5181 + return aa_revalidate_sk(OP_LISTEN, sk);
5184 +static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
5186 + struct sock *sk = sock->sk;
5188 + return aa_revalidate_sk(OP_ACCEPT, sk);
5191 +static int apparmor_socket_sendmsg(struct socket *sock,
5192 + struct msghdr *msg, int size)
5194 + struct sock *sk = sock->sk;
5196 + return aa_revalidate_sk(OP_SENDMSG, sk);
5199 +static int apparmor_socket_recvmsg(struct socket *sock,
5200 + struct msghdr *msg, int size, int flags)
5202 + struct sock *sk = sock->sk;
5204 + return aa_revalidate_sk(OP_RECVMSG, sk);
5207 +static int apparmor_socket_getsockname(struct socket *sock)
5209 + struct sock *sk = sock->sk;
5211 + return aa_revalidate_sk(OP_GETSOCKNAME, sk);
5214 +static int apparmor_socket_getpeername(struct socket *sock)
5216 + struct sock *sk = sock->sk;
5218 + return aa_revalidate_sk(OP_GETPEERNAME, sk);
5221 +static int apparmor_socket_getsockopt(struct socket *sock, int level,
5224 + struct sock *sk = sock->sk;
5226 + return aa_revalidate_sk(OP_GETSOCKOPT, sk);
5229 +static int apparmor_socket_setsockopt(struct socket *sock, int level,
5232 + struct sock *sk = sock->sk;
5234 + return aa_revalidate_sk(OP_SETSOCKOPT, sk);
5237 +static int apparmor_socket_shutdown(struct socket *sock, int how)
5239 + struct sock *sk = sock->sk;
5241 + return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
5244 +static struct security_operations apparmor_ops = {
5245 + .name = "apparmor",
5247 + .ptrace_access_check = apparmor_ptrace_access_check,
5248 + .ptrace_traceme = apparmor_ptrace_traceme,
5249 + .capget = apparmor_capget,
5250 + .capable = apparmor_capable,
5252 + .path_link = apparmor_path_link,
5253 + .path_unlink = apparmor_path_unlink,
5254 + .path_symlink = apparmor_path_symlink,
5255 + .path_mkdir = apparmor_path_mkdir,
5256 + .path_rmdir = apparmor_path_rmdir,
5257 + .path_mknod = apparmor_path_mknod,
5258 + .path_rename = apparmor_path_rename,
5259 + .path_chmod = apparmor_path_chmod,
5260 + .path_chown = apparmor_path_chown,
5261 + .path_truncate = apparmor_path_truncate,
5262 + .dentry_open = apparmor_dentry_open,
5263 + .inode_getattr = apparmor_inode_getattr,
5265 + .file_permission = apparmor_file_permission,
5266 + .file_alloc_security = apparmor_file_alloc_security,
5267 + .file_free_security = apparmor_file_free_security,
5268 + .file_mmap = apparmor_file_mmap,
5269 + .file_mprotect = apparmor_file_mprotect,
5270 + .file_lock = apparmor_file_lock,
5272 + .getprocattr = apparmor_getprocattr,
5273 + .setprocattr = apparmor_setprocattr,
5275 + .socket_create = apparmor_socket_create,
5276 + .socket_bind = apparmor_socket_bind,
5277 + .socket_connect = apparmor_socket_connect,
5278 + .socket_listen = apparmor_socket_listen,
5279 + .socket_accept = apparmor_socket_accept,
5280 + .socket_sendmsg = apparmor_socket_sendmsg,
5281 + .socket_recvmsg = apparmor_socket_recvmsg,
5282 + .socket_getsockname = apparmor_socket_getsockname,
5283 + .socket_getpeername = apparmor_socket_getpeername,
5284 + .socket_getsockopt = apparmor_socket_getsockopt,
5285 + .socket_setsockopt = apparmor_socket_setsockopt,
5286 + .socket_shutdown = apparmor_socket_shutdown,
5288 + .cred_alloc_blank = apparmor_cred_alloc_blank,
5289 + .cred_free = apparmor_cred_free,
5290 + .cred_prepare = apparmor_cred_prepare,
5291 + .cred_transfer = apparmor_cred_transfer,
5293 + .bprm_set_creds = apparmor_bprm_set_creds,
5294 + .bprm_committing_creds = apparmor_bprm_committing_creds,
5295 + .bprm_committed_creds = apparmor_bprm_committed_creds,
5296 + .bprm_secureexec = apparmor_bprm_secureexec,
5298 + .task_setrlimit = apparmor_task_setrlimit,
5302 + * AppArmor sysfs module parameters
5305 +static int param_set_aabool(const char *val, struct kernel_param *kp);
5306 +static int param_get_aabool(char *buffer, struct kernel_param *kp);
5307 +#define param_check_aabool(name, p) __param_check(name, p, int)
5309 +static int param_set_aauint(const char *val, struct kernel_param *kp);
5310 +static int param_get_aauint(char *buffer, struct kernel_param *kp);
5311 +#define param_check_aauint(name, p) __param_check(name, p, int)
5313 +static int param_set_aalockpolicy(const char *val, struct kernel_param *kp);
5314 +static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp);
5315 +#define param_check_aalockpolicy(name, p) __param_check(name, p, int)
5317 +static int param_set_audit(const char *val, struct kernel_param *kp);
5318 +static int param_get_audit(char *buffer, struct kernel_param *kp);
5319 +#define param_check_audit(name, p) __param_check(name, p, int)
5321 +static int param_set_mode(const char *val, struct kernel_param *kp);
5322 +static int param_get_mode(char *buffer, struct kernel_param *kp);
5323 +#define param_check_mode(name, p) __param_check(name, p, int)
5325 +/* Flag values, also controllable via /sys/module/apparmor/parameters
5326 + * We define special types as we want to do additional mediation.
5329 +/* AppArmor global enforcement switch - complain, enforce, kill */
5330 +enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
5331 +module_param_call(mode, param_set_mode, param_get_mode,
5332 + &aa_g_profile_mode, S_IRUSR | S_IWUSR);
5336 +module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
5339 +enum audit_mode aa_g_audit;
5340 +module_param_call(audit, param_set_audit, param_get_audit,
5341 + &aa_g_audit, S_IRUSR | S_IWUSR);
5343 +/* Determines if audit header is included in audited messages. This
5344 + * provides more context if the audit daemon is not running
5346 +int aa_g_audit_header = 1;
5347 +module_param_named(audit_header, aa_g_audit_header, aabool,
5348 + S_IRUSR | S_IWUSR);
5350 +/* lock out loading/removal of policy
5351 + * TODO: add in at boot loading of policy, which is the only way to
5352 + * load policy, if lock_policy is set
5354 +int aa_g_lock_policy;
5355 +module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
5356 + S_IRUSR | S_IWUSR);
5358 +/* Syscall logging mode */
5359 +int aa_g_logsyscall;
5360 +module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
5362 +/* Maximum pathname length before accesses will start getting rejected */
5363 +unsigned int aa_g_path_max = 2 * PATH_MAX;
5364 +module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR);
5366 +/* Determines how paranoid loading of policy is and how much verification
5367 + * on the loaded policy is done.
5369 +int aa_g_paranoid_load = 1;
5370 +module_param_named(paranoid_load, aa_g_paranoid_load, aabool,
5371 + S_IRUSR | S_IWUSR);
5373 +/* Boot time disable flag */
5374 +static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE;
5375 +module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR);
5377 +static int __init apparmor_enabled_setup(char *str)
5379 + unsigned long enabled;
5380 + int error = strict_strtoul(str, 0, &enabled);
5382 + apparmor_enabled = enabled ? 1 : 0;
5386 +__setup("apparmor=", apparmor_enabled_setup);
5388 +/* set global flag turning off the ability to load policy */
5389 +static int param_set_aalockpolicy(const char *val, struct kernel_param *kp)
5391 + if (!capable(CAP_MAC_ADMIN))
5393 + if (aa_g_lock_policy)
5395 + return param_set_bool(val, kp);
5398 +static int param_get_aalockpolicy(char *buffer, struct kernel_param *kp)
5400 + if (!capable(CAP_MAC_ADMIN))
5402 + return param_get_bool(buffer, kp);
5405 +static int param_set_aabool(const char *val, struct kernel_param *kp)
5407 + if (!capable(CAP_MAC_ADMIN))
5409 + return param_set_bool(val, kp);
5412 +static int param_get_aabool(char *buffer, struct kernel_param *kp)
5414 + if (!capable(CAP_MAC_ADMIN))
5416 + return param_get_bool(buffer, kp);
5419 +static int param_set_aauint(const char *val, struct kernel_param *kp)
5421 + if (!capable(CAP_MAC_ADMIN))
5423 + return param_set_uint(val, kp);
5426 +static int param_get_aauint(char *buffer, struct kernel_param *kp)
5428 + if (!capable(CAP_MAC_ADMIN))
5430 + return param_get_uint(buffer, kp);
5433 +static int param_get_audit(char *buffer, struct kernel_param *kp)
5435 + if (!capable(CAP_MAC_ADMIN))
5438 + if (!apparmor_enabled)
5441 + return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
5444 +static int param_set_audit(const char *val, struct kernel_param *kp)
5447 + if (!capable(CAP_MAC_ADMIN))
5450 + if (!apparmor_enabled)
5456 + for (i = 0; i < AUDIT_MAX_INDEX; i++) {
5457 + if (strcmp(val, audit_mode_names[i]) == 0) {
5466 +static int param_get_mode(char *buffer, struct kernel_param *kp)
5468 + if (!capable(CAP_MAC_ADMIN))
5471 + if (!apparmor_enabled)
5474 + return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]);
5477 +static int param_set_mode(const char *val, struct kernel_param *kp)
5480 + if (!capable(CAP_MAC_ADMIN))
5483 + if (!apparmor_enabled)
5489 + for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) {
5490 + if (strcmp(val, profile_mode_names[i]) == 0) {
5491 + aa_g_profile_mode = i;
5500 + * AppArmor init functions
5504 + * set_init_cxt - set a task context and profile on the first task.
5506 + * TODO: allow setting an alternate profile than unconfined
5508 +static int __init set_init_cxt(void)
5510 + struct cred *cred = (struct cred *)current->real_cred;
5511 + struct aa_task_cxt *cxt;
5513 + cxt = aa_alloc_task_context(GFP_KERNEL);
5517 + cxt->profile = aa_get_profile(root_ns->unconfined);
5518 + cred->security = cxt;
5523 +static int __init apparmor_init(void)
5527 + if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) {
5528 + aa_info_message("AppArmor disabled by boot time parameter");
5529 + apparmor_enabled = 0;
5533 + error = aa_alloc_root_ns();
5535 + AA_ERROR("Unable to allocate default profile namespace\n");
5539 + error = set_init_cxt();
5541 + AA_ERROR("Failed to set context on init task\n");
5542 + goto register_security_out;
5545 + error = register_security(&apparmor_ops);
5547 + AA_ERROR("Unable to register AppArmor\n");
5548 + goto register_security_out;
5551 + /* Report that AppArmor successfully initialized */
5552 + apparmor_initialized = 1;
5553 + if (aa_g_profile_mode == APPARMOR_COMPLAIN)
5554 + aa_info_message("AppArmor initialized: complain mode enabled");
5555 + else if (aa_g_profile_mode == APPARMOR_KILL)
5556 + aa_info_message("AppArmor initialized: kill mode enabled");
5558 + aa_info_message("AppArmor initialized");
5562 +register_security_out:
5563 + aa_free_root_ns();
5566 + aa_destroy_aafs();
5568 + apparmor_enabled = 0;
5573 +security_initcall(apparmor_init);
5574 diff --git a/security/apparmor/match.c b/security/apparmor/match.c
5575 new file mode 100644
5576 index 0000000..0248bb3
5578 +++ b/security/apparmor/match.c
5581 + * AppArmor security module
5583 + * This file contains AppArmor dfa based regular expression matching engine
5585 + * Copyright (C) 1998-2008 Novell/SUSE
5586 + * Copyright 2009-2010 Canonical Ltd.
5588 + * This program is free software; you can redistribute it and/or
5589 + * modify it under the terms of the GNU General Public License as
5590 + * published by the Free Software Foundation, version 2 of the
5594 +#include <linux/errno.h>
5595 +#include <linux/kernel.h>
5596 +#include <linux/mm.h>
5597 +#include <linux/slab.h>
5598 +#include <linux/vmalloc.h>
5599 +#include <linux/err.h>
5600 +#include <linux/kref.h>
5602 +#include "include/apparmor.h"
5603 +#include "include/match.h"
5606 + * unpack_table - unpack a dfa table (one of accept, default, base, next check)
5607 + * @blob: data to unpack (NOT NULL)
5608 + * @bsize: size of blob
5610 + * Returns: pointer to table else NULL on failure
5612 + * NOTE: must be freed by kvfree (not kmalloc)
5614 +static struct table_header *unpack_table(char *blob, size_t bsize)
5616 + struct table_header *table = NULL;
5617 + struct table_header th;
5620 + if (bsize < sizeof(struct table_header))
5623 + /* loaded td_id's start at 1, subtract 1 now to avoid doing
5624 + * it every time we use td_id as an index
5626 + th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
5627 + th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
5628 + th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
5629 + blob += sizeof(struct table_header);
5631 + if (!(th.td_flags == YYTD_DATA16 || th.td_flags == YYTD_DATA32 ||
5632 + th.td_flags == YYTD_DATA8))
5635 + tsize = table_size(th.td_lolen, th.td_flags);
5636 + if (bsize < tsize)
5639 + /* Pad table allocation for next/check by 256 entries to remain
5640 + * backwards compatible with old (buggy) tools and remain safe without
5643 + if (th.td_id == YYTD_ID_NXT || th.td_id == YYTD_ID_CHK)
5644 + tsize += 256 * th.td_flags;
5646 + table = kvmalloc(tsize);
5648 + /* ensure the pad is clear, else there will be errors */
5649 + memset(table, 0, tsize);
5651 + if (th.td_flags == YYTD_DATA8)
5652 + UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
5653 + u8, byte_to_byte);
5654 + else if (th.td_flags == YYTD_DATA16)
5655 + UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
5656 + u16, be16_to_cpu);
5657 + else if (th.td_flags == YYTD_DATA32)
5658 + UNPACK_ARRAY(table->td_data, blob, th.td_lolen,
5659 + u32, be32_to_cpu);
5665 + /* if table was vmalloced make sure the page tables are synced
5666 + * before it is used, as it goes live to all cpus.
5668 + if (is_vmalloc_addr(table))
5669 + vm_unmap_aliases();
5677 + * verify_dfa - verify that transitions and states in the tables are in bounds.
5678 + * @dfa: dfa to test (NOT NULL)
5679 + * @flags: flags controlling what type of accept table are acceptable
5681 + * Assumes dfa has gone through the first pass verification done by unpacking
5682 + * NOTE: this does not valid accept table values
5684 + * Returns: %0 else error code on failure to verify
5686 +static int verify_dfa(struct aa_dfa *dfa, int flags)
5688 + size_t i, state_count, trans_count;
5689 + int error = -EPROTO;
5691 + /* check that required tables exist */
5692 + if (!(dfa->tables[YYTD_ID_DEF] &&
5693 + dfa->tables[YYTD_ID_BASE] &&
5694 + dfa->tables[YYTD_ID_NXT] && dfa->tables[YYTD_ID_CHK]))
5697 + /* accept.size == default.size == base.size */
5698 + state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
5699 + if (ACCEPT1_FLAGS(flags)) {
5700 + if (!dfa->tables[YYTD_ID_ACCEPT])
5702 + if (state_count != dfa->tables[YYTD_ID_ACCEPT]->td_lolen)
5705 + if (ACCEPT2_FLAGS(flags)) {
5706 + if (!dfa->tables[YYTD_ID_ACCEPT2])
5708 + if (state_count != dfa->tables[YYTD_ID_ACCEPT2]->td_lolen)
5711 + if (state_count != dfa->tables[YYTD_ID_DEF]->td_lolen)
5714 + /* next.size == chk.size */
5715 + trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
5716 + if (trans_count != dfa->tables[YYTD_ID_CHK]->td_lolen)
5719 + /* if equivalence classes then its table size must be 256 */
5720 + if (dfa->tables[YYTD_ID_EC] &&
5721 + dfa->tables[YYTD_ID_EC]->td_lolen != 256)
5724 + if (flags & DFA_FLAG_VERIFY_STATES) {
5726 + for (i = 0; i < state_count; i++) {
5727 + if (DEFAULT_TABLE(dfa)[i] >= state_count)
5729 + /* TODO: do check that DEF state recursion terminates */
5730 + if (BASE_TABLE(dfa)[i] + 255 >= trans_count) {
5733 + printk(KERN_WARNING "AppArmor DFA next/check "
5734 + "upper bounds error fixed, upgrade "
5735 + "user space tools \n");
5737 + } else if (BASE_TABLE(dfa)[i] >= trans_count) {
5738 + printk(KERN_ERR "AppArmor DFA next/check upper "
5739 + "bounds error\n");
5744 + for (i = 0; i < trans_count; i++) {
5745 + if (NEXT_TABLE(dfa)[i] >= state_count)
5747 + if (CHECK_TABLE(dfa)[i] >= state_count)
5758 + * dfa_free - free a dfa allocated by aa_dfa_unpack
5759 + * @dfa: the dfa to free (MAYBE NULL)
5761 + * Requires: reference count to dfa == 0
5763 +static void dfa_free(struct aa_dfa *dfa)
5768 + for (i = 0; i < ARRAY_SIZE(dfa->tables); i++) {
5769 + kvfree(dfa->tables[i]);
5770 + dfa->tables[i] = NULL;
5777 + * aa_dfa_free_kref - free aa_dfa by kref (called by aa_put_dfa)
5778 + * @kr: kref callback for freeing of a dfa (NOT NULL)
5780 +void aa_dfa_free_kref(struct kref *kref)
5782 + struct aa_dfa *dfa = container_of(kref, struct aa_dfa, count);
5787 + * aa_dfa_unpack - unpack the binary tables of a serialized dfa
5788 + * @blob: aligned serialized stream of data to unpack (NOT NULL)
5789 + * @size: size of data to unpack
5790 + * @flags: flags controlling what type of accept tables are acceptable
5792 + * Unpack a dfa that has been serialized. To find information on the dfa
5793 + * format look in Documentation/apparmor.txt
5794 + * Assumes the dfa @blob stream has been aligned on a 8 byte boundry
5796 + * Returns: an unpacked dfa ready for matching or ERR_PTR on failure
5798 +struct aa_dfa *aa_dfa_unpack(void *blob, size_t size, int flags)
5801 + int error = -ENOMEM;
5802 + char *data = blob;
5803 + struct table_header *table = NULL;
5804 + struct aa_dfa *dfa = kzalloc(sizeof(struct aa_dfa), GFP_KERNEL);
5808 + kref_init(&dfa->count);
5812 + /* get dfa table set header */
5813 + if (size < sizeof(struct table_set_header))
5816 + if (ntohl(*(u32 *) data) != YYTH_MAGIC)
5819 + hsize = ntohl(*(u32 *) (data + 4));
5823 + dfa->flags = ntohs(*(u16 *) (data + 12));
5827 + while (size > 0) {
5828 + table = unpack_table(data, size);
5832 + switch (table->td_id) {
5833 + case YYTD_ID_ACCEPT:
5834 + if (!(table->td_flags & ACCEPT1_FLAGS(flags)))
5837 + case YYTD_ID_ACCEPT2:
5838 + if (!(table->td_flags & ACCEPT2_FLAGS(flags)))
5841 + case YYTD_ID_BASE:
5842 + if (table->td_flags != YYTD_DATA32)
5848 + if (table->td_flags != YYTD_DATA16)
5852 + if (table->td_flags != YYTD_DATA8)
5858 + /* check for duplicate table entry */
5859 + if (dfa->tables[table->td_id])
5861 + dfa->tables[table->td_id] = table;
5862 + data += table_size(table->td_lolen, table->td_flags);
5863 + size -= table_size(table->td_lolen, table->td_flags);
5867 + error = verify_dfa(dfa, flags);
5876 + return ERR_PTR(error);
5880 + * aa_dfa_match_len - traverse @dfa to find state @str stops at
5881 + * @dfa: the dfa to match @str against (NOT NULL)
5882 + * @start: the state of the dfa to start matching in
5883 + * @str: the string of bytes to match against the dfa (NOT NULL)
5884 + * @len: length of the string of bytes to match
5886 + * aa_dfa_match_len will match @str against the dfa and return the state it
5887 + * finished matching in. The final state can be used to look up the accepting
5888 + * label, or as the start state of a continuing match.
5890 + * This function will happily match again the 0 byte and only finishes
5891 + * when @len input is consumed.
5893 + * Returns: final state reached after input is consumed
5895 +unsigned int aa_dfa_match_len(struct aa_dfa *dfa, unsigned int start,
5896 + const char *str, int len)
5898 + u16 *def = DEFAULT_TABLE(dfa);
5899 + u32 *base = BASE_TABLE(dfa);
5900 + u16 *next = NEXT_TABLE(dfa);
5901 + u16 *check = CHECK_TABLE(dfa);
5902 + unsigned int state = start, pos;
5907 + /* current state is <state>, matching character *str */
5908 + if (dfa->tables[YYTD_ID_EC]) {
5909 + /* Equivalence class table defined */
5910 + u8 *equiv = EQUIV_TABLE(dfa);
5911 + /* default is direct to next state */
5912 + for (; len; len--) {
5913 + pos = base[state] + equiv[(u8) *str++];
5914 + if (check[pos] == state)
5915 + state = next[pos];
5917 + state = def[state];
5920 + /* default is direct to next state */
5921 + for (; len; len--) {
5922 + pos = base[state] + (u8) *str++;
5923 + if (check[pos] == state)
5924 + state = next[pos];
5926 + state = def[state];
5934 + * aa_dfa_next_state - traverse @dfa to find state @str stops at
5935 + * @dfa: the dfa to match @str against (NOT NULL)
5936 + * @start: the state of the dfa to start matching in
5937 + * @str: the null terminated string of bytes to match against the dfa (NOT NULL)
5939 + * aa_dfa_next_state will match @str against the dfa and return the state it
5940 + * finished matching in. The final state can be used to look up the accepting
5941 + * label, or as the start state of a continuing match.
5943 + * Returns: final state reached after input is consumed
5945 +unsigned int aa_dfa_match(struct aa_dfa *dfa, unsigned int start,
5948 + return aa_dfa_match_len(dfa, start, str, strlen(str));
5950 diff --git a/security/apparmor/net.c b/security/apparmor/net.c
5951 new file mode 100644
5952 index 0000000..7c36e82
5954 +++ b/security/apparmor/net.c
5957 + * AppArmor security module
5959 + * This file contains AppArmor network mediation
5961 + * Copyright (C) 1998-2008 Novell/SUSE
5962 + * Copyright 2009-2010 Canonical Ltd.
5964 + * This program is free software; you can redistribute it and/or
5965 + * modify it under the terms of the GNU General Public License as
5966 + * published by the Free Software Foundation, version 2 of the
5970 +#include "include/apparmor.h"
5971 +#include "include/audit.h"
5972 +#include "include/context.h"
5973 +#include "include/net.h"
5974 +#include "include/policy.h"
5976 +#include "af_names.h"
5978 +static const char *sock_type_names[] = {
5992 +/* audit callback for net specific fields */
5993 +static void audit_cb(struct audit_buffer *ab, void *va)
5995 + struct common_audit_data *sa = va;
5997 + audit_log_format(ab, " family=");
5998 + if (address_family_names[sa->u.net.family]) {
5999 + audit_log_string(ab, address_family_names[sa->u.net.family]);
6001 + audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
6004 + audit_log_format(ab, " sock_type=");
6005 + if (sock_type_names[sa->aad.net.type]) {
6006 + audit_log_string(ab, sock_type_names[sa->aad.net.type]);
6008 + audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
6011 + audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
6015 + * audit_net - audit network access
6016 + * @profile: profile being enforced (NOT NULL)
6017 + * @op: operation being checked
6018 + * @family: network family
6019 + * @type: network type
6020 + * @protocol: network protocol
6021 + * @sk: socket auditing is being applied to
6022 + * @error: error code for failure else 0
6024 + * Returns: %0 or sa->error else other errorcode on failure
6026 +static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
6027 + int protocol, struct sock *sk, int error)
6029 + int audit_type = AUDIT_APPARMOR_AUTO;
6030 + struct common_audit_data sa;
6032 + COMMON_AUDIT_DATA_INIT(&sa, NET);
6034 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
6036 + /* todo fill in socket addr info */
6039 + sa.u.net.family = family;
6041 + sa.aad.net.type = type;
6042 + sa.aad.net.protocol = protocol;
6044 + if (likely(!sa.aad.error)) {
6045 + u16 audit_mask = profile->net.audit[sa.u.net.family];
6046 + if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
6047 + !(1 << sa.aad.net.type & audit_mask)))
6049 + audit_type = AUDIT_APPARMOR_AUDIT;
6051 + u16 quiet_mask = profile->net.quiet[sa.u.net.family];
6052 + u16 kill_mask = 0;
6053 + u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
6055 + if (denied & kill_mask)
6056 + audit_type = AUDIT_APPARMOR_KILL;
6058 + if ((denied & quiet_mask) &&
6059 + AUDIT_MODE(profile) != AUDIT_NOQUIET &&
6060 + AUDIT_MODE(profile) != AUDIT_ALL)
6061 + return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
6064 + return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
6068 + * aa_net_perm - very course network access check
6069 + * @op: operation being checked
6070 + * @profile: profile being enforced (NOT NULL)
6071 + * @family: network family
6072 + * @type: network type
6073 + * @protocol: network protocol
6075 + * Returns: %0 else error if permission denied
6077 +int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
6078 + int protocol, struct sock *sk)
6083 + if ((family < 0) || (family >= AF_MAX))
6086 + if ((type < 0) || (type >= SOCK_MAX))
6089 + /* unix domain and netlink sockets are handled by ipc */
6090 + if (family == AF_UNIX || family == AF_NETLINK)
6093 + family_mask = profile->net.allow[family];
6095 + error = (family_mask & (1 << type)) ? 0 : -EACCES;
6097 + return audit_net(profile, op, family, type, protocol, sk, error);
6101 + * aa_revalidate_sk - Revalidate access to a sock
6102 + * @op: operation being checked
6103 + * @sk: sock being revalidated (NOT NULL)
6105 + * Returns: %0 else error if permission denied
6107 +int aa_revalidate_sk(int op, struct sock *sk)
6109 + struct aa_profile *profile;
6112 + /* aa_revalidate_sk should not be called from interrupt context
6113 + * don't mediate these calls as they are not task related
6115 + if (in_interrupt())
6118 + profile = __aa_current_profile();
6119 + if (!unconfined(profile))
6120 + error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
6121 + sk->sk_protocol, sk);
6125 diff --git a/security/apparmor/path.c b/security/apparmor/path.c
6126 new file mode 100644
6127 index 0000000..96bab94
6129 +++ b/security/apparmor/path.c
6132 + * AppArmor security module
6134 + * This file contains AppArmor function for pathnames
6136 + * Copyright (C) 1998-2008 Novell/SUSE
6137 + * Copyright 2009-2010 Canonical Ltd.
6139 + * This program is free software; you can redistribute it and/or
6140 + * modify it under the terms of the GNU General Public License as
6141 + * published by the Free Software Foundation, version 2 of the
6145 +#include <linux/magic.h>
6146 +#include <linux/mnt_namespace.h>
6147 +#include <linux/mount.h>
6148 +#include <linux/namei.h>
6149 +#include <linux/nsproxy.h>
6150 +#include <linux/path.h>
6151 +#include <linux/sched.h>
6152 +#include <linux/slab.h>
6153 +#include <linux/fs_struct.h>
6155 +#include "include/apparmor.h"
6156 +#include "include/path.h"
6157 +#include "include/policy.h"
6160 +/* modified from dcache.c */
6161 +static int prepend(char **buffer, int buflen, const char *str, int namelen)
6163 + buflen -= namelen;
6165 + return -ENAMETOOLONG;
6166 + *buffer -= namelen;
6167 + memcpy(*buffer, str, namelen);
6171 +#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
6174 + * d_namespace_path - lookup a name associated with a given path
6175 + * @path: path to lookup (NOT NULL)
6176 + * @buf: buffer to store path to (NOT NULL)
6177 + * @buflen: length of @buf
6178 + * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
6179 + * @flags: flags controlling path lookup
6181 + * Handle path name lookup.
6183 + * Returns: %0 else error code if path lookup fails
6184 + * When no error the path name is returned in @name which points to
6185 + * to a position in @buf
6187 +static int d_namespace_path(struct path *path, char *buf, int buflen,
6188 + char **name, int flags)
6190 + struct path root, tmp;
6192 + int deleted, connected;
6195 + /* Get the root we want to resolve too */
6196 + if (flags & PATH_CHROOT_REL) {
6197 + /* resolve paths relative to chroot */
6198 + read_lock(¤t->fs->lock);
6199 + root = current->fs->root;
6200 + /* released below */
6202 + read_unlock(¤t->fs->lock);
6204 + /* resolve paths relative to namespace */
6205 + root.mnt = current->nsproxy->mnt_ns->root;
6206 + root.dentry = root.mnt->mnt_root;
6207 + /* released below */
6211 + spin_lock(&dcache_lock);
6212 + /* There is a race window between path lookup here and the
6213 + * need to strip the " (deleted) string that __d_path applies
6214 + * Detect the race and relookup the path
6216 + * The stripping of (deleted) is a hack that could be removed
6217 + * with an updated __d_path
6221 + deleted = d_unlinked(path->dentry);
6222 + res = __d_path(path, &tmp, buf, buflen);
6224 + } while (deleted != d_unlinked(path->dentry));
6225 + spin_unlock(&dcache_lock);
6228 + /* handle error conditions - and still allow a partial path to
6231 + if (IS_ERR(res)) {
6232 + error = PTR_ERR(res);
6237 + /* On some filesystems, newly allocated dentries appear to the
6238 + * security_path hooks as a deleted dentry except without an
6239 + * inode allocated.
6241 + * Remove the appended deleted text and return as string for
6242 + * normal mediation, or auditing. The (deleted) string is
6243 + * guaranteed to be added in this case, so just strip it.
6245 + buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */
6247 + if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
6253 + /* Determine if the path is connected to the expected root */
6254 + connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
6256 + /* If the path is not connected,
6257 + * check if it is a sysctl and handle specially else remove any
6258 + * leading / that __d_path may have returned.
6260 + * specifically directed to connect the path,
6262 + * if in a chroot and doing chroot relative paths and the path
6263 + * resolves to the namespace root (would be connected outside
6264 + * of chroot) and specifically directed to connect paths to
6268 + /* is the disconnect path a sysctl? */
6269 + if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
6270 + strncmp(*name, "/sys/", 5) == 0) {
6271 + /* TODO: convert over to using a per namespace
6272 + * control instead of hard coded /proc
6274 + error = prepend(name, *name - buf, "/proc", 5);
6275 + } else if (!(flags & PATH_CONNECT_PATH) &&
6276 + !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
6277 + (tmp.mnt == current->nsproxy->mnt_ns->root &&
6278 + tmp.dentry == tmp.mnt->mnt_root))) {
6279 + /* disconnected path, don't return pathname starting
6295 + * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
6296 + * @path: path to get name for (NOT NULL)
6297 + * @flags: flags controlling path lookup
6298 + * @buffer: buffer to put name in (NOT NULL)
6299 + * @size: size of buffer
6300 + * @name: Returns - contains position of path name in @buffer (NOT NULL)
6302 + * Returns: %0 else error on failure
6304 +static int get_name_to_buffer(struct path *path, int flags, char *buffer,
6305 + int size, char **name)
6307 + int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
6308 + int error = d_namespace_path(path, buffer, size - adjust, name, flags);
6310 + if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
6312 + * Append "/" to the pathname. The root directory is a special
6313 + * case; it already ends in slash.
6315 + strcpy(&buffer[size - 2], "/");
6321 + * aa_get_name - compute the pathname of a file
6322 + * @path: path the file (NOT NULL)
6323 + * @flags: flags controlling path name generation
6324 + * @buffer: buffer that aa_get_name() allocated (NOT NULL)
6325 + * @name: Returns - the generated path name if !error (NOT NULL)
6327 + * @name is a pointer to the beginning of the pathname (which usually differs
6328 + * from the beginning of the buffer), or NULL. If there is an error @name
6329 + * may contain a partial or invalid name that can be used for audit purposes,
6330 + * but it can not be used for mediation.
6332 + * We need PATH_IS_DIR to indicate whether the file is a directory or not
6333 + * because the file may not yet exist, and so we cannot check the inode's
6336 + * Returns: %0 else error code if could retrieve name
6338 +int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
6340 + char *buf, *str = NULL;
6347 + /* freed by caller */
6348 + buf = kmalloc(size, GFP_KERNEL);
6352 + error = get_name_to_buffer(path, flags, buf, size, &str);
6353 + if (error != -ENAMETOOLONG)
6358 + if (size > aa_g_path_max)
6359 + return -ENAMETOOLONG;
6366 diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
6367 new file mode 100644
6368 index 0000000..e3020ed
6370 +++ b/security/apparmor/policy.c
6373 + * AppArmor security module
6375 + * This file contains AppArmor policy manipulation functions
6377 + * Copyright (C) 1998-2008 Novell/SUSE
6378 + * Copyright 2009-2010 Canonical Ltd.
6380 + * This program is free software; you can redistribute it and/or
6381 + * modify it under the terms of the GNU General Public License as
6382 + * published by the Free Software Foundation, version 2 of the
6386 + * AppArmor policy is based around profiles, which contain the rules a
6387 + * task is confined by. Every task in the system has a profile attached
6388 + * to it determined either by matching "unconfined" tasks against the
6389 + * visible set of profiles or by following a profiles attachment rules.
6391 + * Each profile exists in a profile namespace which is a container of
6392 + * visible profiles. Each namespace contains a special "unconfined" profile,
6393 + * which doesn't enforce any confinement on a task beyond DAC.
6395 + * Namespace and profile names can be written together in either
6396 + * of two syntaxes.
6397 + * :namespace:profile - used by kernel interfaces for easy detection
6398 + * namespace://profile - used by policy
6400 + * Profile names can not start with : or @ or ^ and may not contain \0
6402 + * Reserved profile names
6403 + * unconfined - special automatically generated unconfined profile
6404 + * inherit - special name to indicate profile inheritance
6405 + * null-XXXX-YYYY - special automatically generated learning profiles
6407 + * Namespace names may not start with / or @ and may not contain \0 or :
6408 + * Reserved namespace names
6409 + * user-XXXX - user defined profiles
6411 + * a // in a profile or namespace name indicates a hierarchical name with the
6412 + * name before the // being the parent and the name after the child.
6414 + * Profile and namespace hierarchies serve two different but similar purposes.
6415 + * The namespace contains the set of visible profiles that are considered
6416 + * for attachment. The hierarchy of namespaces allows for virtualizing
6417 + * the namespace so that for example a chroot can have its own set of profiles
6418 + * which may define some local user namespaces.
6419 + * The profile hierarchy severs two distinct purposes,
6420 + * - it allows for sub profiles or hats, which allows an application to run
6421 + * subprograms under its own profile with different restriction than it
6422 + * self, and not have it use the system profile.
6423 + * eg. if a mail program starts an editor, the policy might make the
6424 + * restrictions tighter on the editor tighter than the mail program,
6425 + * and definitely different than general editor restrictions
6426 + * - it allows for binary hierarchy of profiles, so that execution history
6427 + * is preserved. This feature isn't exploited by AppArmor reference policy
6428 + * but is allowed. NOTE: this is currently suboptimal because profile
6429 + * aliasing is not currently implemented so that a profile for each
6430 + * level must be defined.
6431 + * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
6434 + * A profile or namespace name that can contain one or more // separators
6435 + * is referred to as an hname (hierarchical).
6436 + * eg. /bin/bash//bin/ls
6438 + * An fqname is a name that may contain both namespace and profile hnames.
6439 + * eg. :ns:/bin/bash//bin/ls
6442 + * - locking of profile lists is currently fairly coarse. All profile
6443 + * lists within a namespace use the namespace lock.
6444 + * FIXME: move profile lists to using rcu_lists
6447 +#include <linux/slab.h>
6448 +#include <linux/spinlock.h>
6449 +#include <linux/string.h>
6451 +#include "include/apparmor.h"
6452 +#include "include/capability.h"
6453 +#include "include/context.h"
6454 +#include "include/file.h"
6455 +#include "include/ipc.h"
6456 +#include "include/match.h"
6457 +#include "include/path.h"
6458 +#include "include/policy.h"
6459 +#include "include/policy_unpack.h"
6460 +#include "include/resource.h"
6461 +#include "include/sid.h"
6464 +/* root profile namespace */
6465 +struct aa_namespace *root_ns;
6467 +const char *profile_mode_names[] = {
6474 + * hname_tail - find the last component of an hname
6475 + * @name: hname to find the base profile name component of (NOT NULL)
6477 + * Returns: the tail (base profile name) name component of an hname
6479 +static const char *hname_tail(const char *hname)
6482 + hname = strim((char *)hname);
6483 + for (split = strstr(hname, "//"); split; split = strstr(hname, "//"))
6484 + hname = split + 2;
6490 + * policy_init - initialize a policy structure
6491 + * @policy: policy to initialize (NOT NULL)
6492 + * @prefix: prefix name if any is required. (MAYBE NULL)
6493 + * @name: name of the policy, init will make a copy of it (NOT NULL)
6495 + * Note: this fn creates a copy of strings passed in
6497 + * Returns: true if policy init successful
6499 +static bool policy_init(struct aa_policy *policy, const char *prefix,
6502 + /* freed by policy_free */
6504 + policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3,
6506 + if (policy->hname)
6507 + sprintf(policy->hname, "%s//%s", prefix, name);
6509 + policy->hname = kstrdup(name, GFP_KERNEL);
6510 + if (!policy->hname)
6512 + /* base.name is a substring of fqname */
6513 + policy->name = (char *)hname_tail(policy->hname);
6514 + INIT_LIST_HEAD(&policy->list);
6515 + INIT_LIST_HEAD(&policy->profiles);
6516 + kref_init(&policy->count);
6522 + * policy_destroy - free the elements referenced by @policy
6523 + * @policy: policy that is to have its elements freed (NOT NULL)
6525 +static void policy_destroy(struct aa_policy *policy)
6527 + /* still contains profiles -- invalid */
6528 + if (!list_empty(&policy->profiles)) {
6529 + AA_ERROR("%s: internal error, "
6530 + "policy '%s' still contains profiles\n",
6531 + __func__, policy->name);
6534 + if (!list_empty(&policy->list)) {
6535 + AA_ERROR("%s: internal error, policy '%s' still on list\n",
6536 + __func__, policy->name);
6540 + /* don't free name as its a subset of hname */
6541 + kzfree(policy->hname);
6545 + * __policy_find - find a policy by @name on a policy list
6546 + * @head: list to search (NOT NULL)
6547 + * @name: name to search for (NOT NULL)
6549 + * Requires: correct locks for the @head list be held
6551 + * Returns: unrefcounted policy that match @name or NULL if not found
6553 +static struct aa_policy *__policy_find(struct list_head *head, const char *name)
6555 + struct aa_policy *policy;
6557 + list_for_each_entry(policy, head, list) {
6558 + if (!strcmp(policy->name, name))
6565 + * __policy_strn_find - find a policy that's name matches @len chars of @str
6566 + * @head: list to search (NOT NULL)
6567 + * @str: string to search for (NOT NULL)
6568 + * @len: length of match required
6570 + * Requires: correct locks for the @head list be held
6572 + * Returns: unrefcounted policy that match @str or NULL if not found
6574 + * if @len == strlen(@strlen) then this is equiv to __policy_find
6575 + * other wise it allows searching for policy by a partial match of name
6577 +static struct aa_policy *__policy_strn_find(struct list_head *head,
6578 + const char *str, int len)
6580 + struct aa_policy *policy;
6582 + list_for_each_entry(policy, head, list) {
6583 + if (aa_strneq(policy->name, str, len))
6591 + * Routines for AppArmor namespaces
6594 +static const char *hidden_ns_name = "---";
6596 + * aa_ns_visible - test if @view is visible from @curr
6597 + * @curr: namespace to treat as the parent (NOT NULL)
6598 + * @view: namespace to test if visible from @curr (NOT NULL)
6600 + * Returns: true if @view is visible from @curr else false
6602 +bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
6607 + for ( ; view; view = view->parent) {
6608 + if (view->parent == curr)
6615 + * aa_na_name - Find the ns name to display for @view from @curr
6616 + * @curr - current namespace (NOT NULL)
6617 + * @view - namespace attempting to view (NOT NULL)
6619 + * Returns: name of @view visible from @curr
6621 +const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
6623 + /* if view == curr then the namespace name isn't displayed */
6627 + if (aa_ns_visible(curr, view)) {
6628 + /* at this point if a ns is visible it is in a view ns
6629 + * thus the curr ns.hname is a prefix of its name.
6630 + * Only output the virtualized portion of the name
6631 + * Add + 2 to skip over // separating curr hname prefix
6632 + * from the visible tail of the views hname
6634 + return view->base.hname + strlen(curr->base.hname) + 2;
6636 + return hidden_ns_name;
6640 + * alloc_namespace - allocate, initialize and return a new namespace
6641 + * @prefix: parent namespace name (MAYBE NULL)
6642 + * @name: a preallocated name (NOT NULL)
6644 + * Returns: refcounted namespace or NULL on failure.
6646 +static struct aa_namespace *alloc_namespace(const char *prefix,
6649 + struct aa_namespace *ns;
6651 + ns = kzalloc(sizeof(*ns), GFP_KERNEL);
6652 + AA_DEBUG("%s(%p)\n", __func__, ns);
6655 + if (!policy_init(&ns->base, prefix, name))
6658 + INIT_LIST_HEAD(&ns->sub_ns);
6659 + rwlock_init(&ns->lock);
6661 + /* released by free_namespace */
6662 + ns->unconfined = aa_alloc_profile("unconfined");
6663 + if (!ns->unconfined)
6664 + goto fail_unconfined;
6666 + ns->unconfined->sid = aa_alloc_sid();
6667 + ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
6671 + * released by free_namespace, however __remove_namespace breaks
6672 + * the cyclic references (ns->unconfined, and unconfined->ns) and
6673 + * replaces with refs to parent namespace unconfined
6675 + ns->unconfined->ns = aa_get_namespace(ns);
6680 + kzfree(ns->base.name);
6687 + * free_namespace - free a profile namespace
6688 + * @ns: the namespace to free (MAYBE NULL)
6690 + * Requires: All references to the namespace must have been put, if the
6691 + * namespace was referenced by a profile confining a task,
6693 +static void free_namespace(struct aa_namespace *ns)
6698 + policy_destroy(&ns->base);
6699 + aa_put_namespace(ns->parent);
6701 + if (ns->unconfined && ns->unconfined->ns == ns)
6702 + ns->unconfined->ns = NULL;
6704 + aa_put_profile(ns->unconfined);
6709 + * aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace)
6710 + * @kr: kref callback for freeing of a namespace (NOT NULL)
6712 +void aa_free_namespace_kref(struct kref *kref)
6714 + free_namespace(container_of(kref, struct aa_namespace, base.count));
6718 + * __aa_find_namespace - find a namespace on a list by @name
6719 + * @head: list to search for namespace on (NOT NULL)
6720 + * @name: name of namespace to look for (NOT NULL)
6722 + * Returns: unrefcounted namespace
6724 + * Requires: ns lock be held
6726 +static struct aa_namespace *__aa_find_namespace(struct list_head *head,
6729 + return (struct aa_namespace *)__policy_find(head, name);
6733 + * aa_find_namespace - look up a profile namespace on the namespace list
6734 + * @root: namespace to search in (NOT NULL)
6735 + * @name: name of namespace to find (NOT NULL)
6737 + * Returns: a refcounted namespace on the list, or NULL if no namespace
6738 + * called @name exists.
6740 + * refcount released by caller
6742 +struct aa_namespace *aa_find_namespace(struct aa_namespace *root,
6745 + struct aa_namespace *ns = NULL;
6747 + read_lock(&root->lock);
6748 + ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
6749 + read_unlock(&root->lock);
6755 + * aa_prepare_namespace - find an existing or create a new namespace of @name
6756 + * @name: the namespace to find or add (MAYBE NULL)
6758 + * Returns: refcounted namespace or NULL if failed to create one
6760 +static struct aa_namespace *aa_prepare_namespace(const char *name)
6762 + struct aa_namespace *ns, *root;
6764 + root = aa_current_profile()->ns;
6766 + write_lock(&root->lock);
6768 + /* if name isn't specified the profile is loaded to the current ns */
6770 + /* released by caller */
6771 + ns = aa_get_namespace(root);
6775 + /* try and find the specified ns and if it doesn't exist create it */
6776 + /* released by caller */
6777 + ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
6779 + /* namespace not found */
6780 + struct aa_namespace *new_ns;
6781 + write_unlock(&root->lock);
6782 + new_ns = alloc_namespace(root->base.hname, name);
6785 + write_lock(&root->lock);
6786 + /* test for race when new_ns was allocated */
6787 + ns = __aa_find_namespace(&root->sub_ns, name);
6789 + /* add parent ref */
6790 + new_ns->parent = aa_get_namespace(root);
6792 + list_add(&new_ns->base.list, &root->sub_ns);
6793 + /* add list ref */
6794 + ns = aa_get_namespace(new_ns);
6796 + /* raced so free the new one */
6797 + free_namespace(new_ns);
6798 + /* get reference on namespace */
6799 + aa_get_namespace(ns);
6803 + write_unlock(&root->lock);
6810 + * __list_add_profile - add a profile to a list
6811 + * @list: list to add it to (NOT NULL)
6812 + * @profile: the profile to add (NOT NULL)
6814 + * refcount @profile, should be put by __list_remove_profile
6816 + * Requires: namespace lock be held, or list not be shared
6818 +static void __list_add_profile(struct list_head *list,
6819 + struct aa_profile *profile)
6821 + list_add(&profile->base.list, list);
6822 + /* get list reference */
6823 + aa_get_profile(profile);
6827 + * __list_remove_profile - remove a profile from the list it is on
6828 + * @profile: the profile to remove (NOT NULL)
6830 + * remove a profile from the list, warning generally removal should
6831 + * be done with __replace_profile as most profile removals are
6832 + * replacements to the unconfined profile.
6834 + * put @profile list refcount
6836 + * Requires: namespace lock be held, or list not have been live
6838 +static void __list_remove_profile(struct aa_profile *profile)
6840 + list_del_init(&profile->base.list);
6841 + if (!(profile->flags & PFLAG_NO_LIST_REF))
6842 + /* release list reference */
6843 + aa_put_profile(profile);
6847 + * __replace_profile - replace @old with @new on a list
6848 + * @old: profile to be replaced (NOT NULL)
6849 + * @new: profile to replace @old with (NOT NULL)
6851 + * Will duplicate and refcount elements that @new inherits from @old
6852 + * and will inherit @old children.
6854 + * refcount @new for list, put @old list refcount
6856 + * Requires: namespace list lock be held, or list not be shared
6858 +static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
6860 + struct aa_policy *policy;
6861 + struct aa_profile *child, *tmp;
6864 + policy = &old->parent->base;
6866 + policy = &old->ns->base;
6868 + /* released when @new is freed */
6869 + new->parent = aa_get_profile(old->parent);
6870 + new->ns = aa_get_namespace(old->ns);
6871 + new->sid = old->sid;
6872 + __list_add_profile(&policy->profiles, new);
6873 + /* inherit children */
6874 + list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) {
6875 + aa_put_profile(child->parent);
6876 + child->parent = aa_get_profile(new);
6877 + /* list refcount transferred to @new*/
6878 + list_move(&child->base.list, &new->base.profiles);
6881 + /* released by free_profile */
6882 + old->replacedby = aa_get_profile(new);
6883 + __list_remove_profile(old);
6886 +static void __profile_list_release(struct list_head *head);
6889 + * __remove_profile - remove old profile, and children
6890 + * @profile: profile to be replaced (NOT NULL)
6892 + * Requires: namespace list lock be held, or list not be shared
6894 +static void __remove_profile(struct aa_profile *profile)
6896 + /* release any children lists first */
6897 + __profile_list_release(&profile->base.profiles);
6898 + /* released by free_profile */
6899 + profile->replacedby = aa_get_profile(profile->ns->unconfined);
6900 + __list_remove_profile(profile);
6904 + * __profile_list_release - remove all profiles on the list and put refs
6905 + * @head: list of profiles (NOT NULL)
6907 + * Requires: namespace lock be held
6909 +static void __profile_list_release(struct list_head *head)
6911 + struct aa_profile *profile, *tmp;
6912 + list_for_each_entry_safe(profile, tmp, head, base.list)
6913 + __remove_profile(profile);
6916 +static void __ns_list_release(struct list_head *head);
6919 + * destroy_namespace - remove everything contained by @ns
6920 + * @ns: namespace to have it contents removed (NOT NULL)
6922 +static void destroy_namespace(struct aa_namespace *ns)
6927 + write_lock(&ns->lock);
6928 + /* release all profiles in this namespace */
6929 + __profile_list_release(&ns->base.profiles);
6931 + /* release all sub namespaces */
6932 + __ns_list_release(&ns->sub_ns);
6934 + write_unlock(&ns->lock);
6938 + * __remove_namespace - remove a namespace and all its children
6939 + * @ns: namespace to be removed (NOT NULL)
6941 + * Requires: ns->parent->lock be held and ns removed from parent.
6943 +static void __remove_namespace(struct aa_namespace *ns)
6945 + struct aa_profile *unconfined = ns->unconfined;
6947 + /* remove ns from namespace list */
6948 + list_del_init(&ns->base.list);
6951 + * break the ns, unconfined profile cyclic reference and forward
6952 + * all new unconfined profiles requests to the parent namespace
6953 + * This will result in all confined tasks that have a profile
6954 + * being removed, inheriting the parent->unconfined profile.
6957 + ns->unconfined = aa_get_profile(ns->parent->unconfined);
6959 + destroy_namespace(ns);
6961 + /* release original ns->unconfined ref */
6962 + aa_put_profile(unconfined);
6963 + /* release ns->base.list ref, from removal above */
6964 + aa_put_namespace(ns);
6968 + * __ns_list_release - remove all profile namespaces on the list put refs
6969 + * @head: list of profile namespaces (NOT NULL)
6971 + * Requires: namespace lock be held
6973 +static void __ns_list_release(struct list_head *head)
6975 + struct aa_namespace *ns, *tmp;
6976 + list_for_each_entry_safe(ns, tmp, head, base.list)
6977 + __remove_namespace(ns);
6982 + * aa_alloc_root_ns - allocate the root profile namespace
6984 + * Returns: %0 on success else error
6987 +int __init aa_alloc_root_ns(void)
6989 + /* released by aa_free_root_ns - used as list ref*/
6990 + root_ns = alloc_namespace(NULL, "root");
6998 + * aa_free_root_ns - free the root profile namespace
7000 +void __init aa_free_root_ns(void)
7002 + struct aa_namespace *ns = root_ns;
7005 + destroy_namespace(ns);
7006 + aa_put_namespace(ns);
7010 + * aa_alloc_profile - allocate, initialize and return a new profile
7011 + * @hname: name of the profile (NOT NULL)
7013 + * Returns: refcount profile or NULL on failure
7015 +struct aa_profile *aa_alloc_profile(const char *hname)
7017 + struct aa_profile *profile;
7019 + /* freed by free_profile - usually through aa_put_profile */
7020 + profile = kzalloc(sizeof(*profile), GFP_KERNEL);
7024 + if (!policy_init(&profile->base, NULL, hname)) {
7029 + /* refcount released by caller */
7034 + * aa_new_null_profile - create a new null-X learning profile
7035 + * @parent: profile that caused this profile to be created (NOT NULL)
7036 + * @hat: true if the null- learning profile is a hat
7038 + * Create a null- complain mode profile used in learning mode. The name of
7039 + * the profile is unique and follows the format of parent//null-sid.
7041 + * null profiles are added to the profile list but the list does not
7042 + * hold a count on them so that they are automatically released when
7045 + * Returns: new refcounted profile else NULL on failure
7047 +struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
7049 + struct aa_profile *profile = NULL;
7051 + u32 sid = aa_alloc_sid();
7054 + name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL);
7057 + sprintf(name, "%s//null-%x", parent->base.hname, sid);
7059 + profile = aa_alloc_profile(name);
7064 + profile->sid = sid;
7065 + profile->mode = APPARMOR_COMPLAIN;
7066 + profile->flags = PFLAG_NULL;
7068 + profile->flags |= PFLAG_HAT;
7070 + /* released on free_profile */
7071 + profile->parent = aa_get_profile(parent);
7072 + profile->ns = aa_get_namespace(parent->ns);
7074 + write_lock(&profile->ns->lock);
7075 + __list_add_profile(&parent->base.profiles, profile);
7076 + write_unlock(&profile->ns->lock);
7078 + /* refcount released by caller */
7087 + * free_profile - free a profile
7088 + * @profile: the profile to free (MAYBE NULL)
7090 + * Free a profile, its hats and null_profile. All references to the profile,
7091 + * its hats and null_profile must have been put.
7093 + * If the profile was referenced from a task context, free_profile() will
7094 + * be called from an rcu callback routine, so we must not sleep here.
7096 +static void free_profile(struct aa_profile *profile)
7098 + AA_DEBUG("%s(%p)\n", __func__, profile);
7103 + if (!list_empty(&profile->base.list)) {
7104 + AA_ERROR("%s: internal error, "
7105 + "profile '%s' still on ns list\n",
7106 + __func__, profile->base.name);
7110 + /* free children profiles */
7111 + policy_destroy(&profile->base);
7112 + aa_put_profile(profile->parent);
7114 + aa_put_namespace(profile->ns);
7115 + kzfree(profile->rename);
7117 + aa_free_file_rules(&profile->file);
7118 + aa_free_cap_rules(&profile->caps);
7119 + aa_free_net_rules(&profile->net);
7120 + aa_free_rlimit_rules(&profile->rlimits);
7122 + aa_free_sid(profile->sid);
7123 + aa_put_dfa(profile->xmatch);
7125 + aa_put_profile(profile->replacedby);
7131 + * aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile)
7132 + * @kr: kref callback for freeing of a profile (NOT NULL)
7134 +void aa_free_profile_kref(struct kref *kref)
7136 + struct aa_profile *p = container_of(kref, struct aa_profile,
7142 +/* TODO: profile accounting - setup in remove */
7145 + * __find_child - find a profile on @head list with a name matching @name
7146 + * @head: list to search (NOT NULL)
7147 + * @name: name of profile (NOT NULL)
7149 + * Requires: ns lock protecting list be held
7151 + * Returns: unrefcounted profile ptr, or NULL if not found
7153 +static struct aa_profile *__find_child(struct list_head *head, const char *name)
7155 + return (struct aa_profile *)__policy_find(head, name);
7159 + * __strn_find_child - find a profile on @head list using substring of @name
7160 + * @head: list to search (NOT NULL)
7161 + * @name: name of profile (NOT NULL)
7162 + * @len: length of @name substring to match
7164 + * Requires: ns lock protecting list be held
7166 + * Returns: unrefcounted profile ptr, or NULL if not found
7168 +static struct aa_profile *__strn_find_child(struct list_head *head,
7169 + const char *name, int len)
7171 + return (struct aa_profile *)__policy_strn_find(head, name, len);
7175 + * aa_find_child - find a profile by @name in @parent
7176 + * @parent: profile to search (NOT NULL)
7177 + * @name: profile name to search for (NOT NULL)
7179 + * Returns: a refcounted profile or NULL if not found
7181 +struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
7183 + struct aa_profile *profile;
7185 + read_lock(&parent->ns->lock);
7186 + profile = aa_get_profile(__find_child(&parent->base.profiles, name));
7187 + read_unlock(&parent->ns->lock);
7189 + /* refcount released by caller */
7194 + * __lookup_parent - lookup the parent of a profile of name @hname
7195 + * @ns: namespace to lookup profile in (NOT NULL)
7196 + * @hname: hierarchical profile name to find parent of (NOT NULL)
7198 + * Lookups up the parent of a fully qualified profile name, the profile
7199 + * that matches hname does not need to exist, in general this
7200 + * is used to load a new profile.
7202 + * Requires: ns->lock be held
7204 + * Returns: unrefcounted policy or NULL if not found
7206 +static struct aa_policy *__lookup_parent(struct aa_namespace *ns,
7207 + const char *hname)
7209 + struct aa_policy *policy;
7210 + struct aa_profile *profile = NULL;
7213 + policy = &ns->base;
7215 + for (split = strstr(hname, "//"); split;) {
7216 + profile = __strn_find_child(&policy->profiles, hname,
7220 + policy = &profile->base;
7221 + hname = split + 2;
7222 + split = strstr(hname, "//");
7226 + return &profile->base;
7230 + * __lookup_profile - lookup the profile matching @hname
7231 + * @base: base list to start looking up profile name from (NOT NULL)
7232 + * @hname: hierarchical profile name (NOT NULL)
7234 + * Requires: ns->lock be held
7236 + * Returns: unrefcounted profile pointer or NULL if not found
7238 + * Do a relative name lookup, recursing through profile tree.
7240 +static struct aa_profile *__lookup_profile(struct aa_policy *base,
7241 + const char *hname)
7243 + struct aa_profile *profile = NULL;
7246 + for (split = strstr(hname, "//"); split;) {
7247 + profile = __strn_find_child(&base->profiles, hname,
7252 + base = &profile->base;
7253 + hname = split + 2;
7254 + split = strstr(hname, "//");
7257 + profile = __find_child(&base->profiles, hname);
7263 + * aa_lookup_profile - find a profile by its full or partial name
7264 + * @ns: the namespace to start from (NOT NULL)
7265 + * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
7267 + * Returns: refcounted profile or NULL if not found
7269 +struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)
7271 + struct aa_profile *profile;
7273 + read_lock(&ns->lock);
7274 + profile = aa_get_profile(__lookup_profile(&ns->base, hname));
7275 + read_unlock(&ns->lock);
7277 + /* refcount released by caller */
7282 + * replacement_allowed - test to see if replacement is allowed
7283 + * @profile: profile to test if it can be replaced (MAYBE NULL)
7284 + * @noreplace: true if replacement shouldn't be allowed but addition is okay
7285 + * @info: Returns - info about why replacement failed (NOT NULL)
7287 + * Returns: %0 if replacement allowed else error code
7289 +static int replacement_allowed(struct aa_profile *profile, int noreplace,
7290 + const char **info)
7293 + if (profile->flags & PFLAG_IMMUTABLE) {
7294 + *info = "cannot replace immutible profile";
7296 + } else if (noreplace) {
7297 + *info = "profile already exists";
7305 + * __add_new_profile - simple wrapper around __list_add_profile
7306 + * @ns: namespace that profile is being added to (NOT NULL)
7307 + * @policy: the policy container to add the profile to (NOT NULL)
7308 + * @profile: profile to add (NOT NULL)
7310 + * add a profile to a list and do other required basic allocations
7312 +static void __add_new_profile(struct aa_namespace *ns, struct aa_policy *policy,
7313 + struct aa_profile *profile)
7315 + if (policy != &ns->base)
7316 + /* released on profile replacement or free_profile */
7317 + profile->parent = aa_get_profile((struct aa_profile *) policy);
7318 + __list_add_profile(&policy->profiles, profile);
7319 + /* released on free_profile */
7320 + profile->sid = aa_alloc_sid();
7321 + profile->ns = aa_get_namespace(ns);
7325 + * aa_audit_policy - Do auditing of policy changes
7326 + * @op: policy operation being performed
7327 + * @gfp: memory allocation flags
7328 + * @name: name of profile being manipulated (NOT NULL)
7329 + * @info: any extra information to be audited (MAYBE NULL)
7330 + * @error: error code
7332 + * Returns: the error to be returned after audit is done
7334 +static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
7337 + struct common_audit_data sa;
7338 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
7340 + sa.aad.name = name;
7341 + sa.aad.info = info;
7342 + sa.aad.error = error;
7344 + return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp,
7349 + * aa_may_manage_policy - can the current task manage policy
7350 + * @op: the policy manipulation operation being done
7352 + * Returns: true if the task is allowed to manipulate policy
7354 +bool aa_may_manage_policy(int op)
7356 + /* check if loading policy is locked out */
7357 + if (aa_g_lock_policy) {
7358 + audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES);
7362 + if (!capable(CAP_MAC_ADMIN)) {
7363 + audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
7371 + * aa_replace_profiles - replace profile(s) on the profile list
7372 + * @udata: serialized data stream (NOT NULL)
7373 + * @size: size of the serialized data stream
7374 + * @noreplace: true if only doing addition, no replacement allowed
7376 + * unpack and replace a profile on the profile list and uses of that profile
7377 + * by any aa_task_cxt. If the profile does not exist on the profile list
7380 + * Returns: size of data consumed else error code on failure.
7382 +ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
7384 + struct aa_policy *policy;
7385 + struct aa_profile *old_profile = NULL, *new_profile = NULL;
7386 + struct aa_profile *rename_profile = NULL;
7387 + struct aa_namespace *ns = NULL;
7388 + const char *ns_name, *name = NULL, *info = NULL;
7389 + int op = OP_PROF_REPL;
7392 + /* released below */
7393 + new_profile = aa_unpack(udata, size, &ns_name);
7394 + if (IS_ERR(new_profile)) {
7395 + error = PTR_ERR(new_profile);
7396 + new_profile = NULL;
7400 + /* released below */
7401 + ns = aa_prepare_namespace(ns_name);
7403 + info = "failed to prepare namespace";
7409 + name = new_profile->base.hname;
7411 + write_lock(&ns->lock);
7412 + /* no ref on policy only use inside lock */
7413 + policy = __lookup_parent(ns, new_profile->base.hname);
7416 + info = "parent does not exist";
7421 + old_profile = __find_child(&policy->profiles, new_profile->base.name);
7422 + /* released below */
7423 + aa_get_profile(old_profile);
7425 + if (new_profile->rename) {
7426 + rename_profile = __lookup_profile(&ns->base,
7427 + new_profile->rename);
7428 + /* released below */
7429 + aa_get_profile(rename_profile);
7431 + if (!rename_profile) {
7432 + info = "profile to rename does not exist";
7433 + name = new_profile->rename;
7439 + error = replacement_allowed(old_profile, noreplace, &info);
7443 + error = replacement_allowed(rename_profile, noreplace, &info);
7448 + if (!old_profile && !rename_profile)
7449 + op = OP_PROF_LOAD;
7451 + error = audit_policy(op, GFP_ATOMIC, name, info, error);
7454 + if (rename_profile)
7455 + __replace_profile(rename_profile, new_profile);
7456 + if (old_profile) {
7457 + /* when there are both rename and old profiles
7458 + * inherit old profiles sid
7460 + if (rename_profile)
7461 + aa_free_sid(new_profile->sid);
7462 + __replace_profile(old_profile, new_profile);
7464 + if (!(old_profile || rename_profile))
7465 + __add_new_profile(ns, policy, new_profile);
7467 + write_unlock(&ns->lock);
7470 + aa_put_namespace(ns);
7471 + aa_put_profile(rename_profile);
7472 + aa_put_profile(old_profile);
7473 + aa_put_profile(new_profile);
7479 + error = audit_policy(op, GFP_KERNEL, name, info, error);
7484 + * aa_remove_profiles - remove profile(s) from the system
7485 + * @fqname: name of the profile or namespace to remove (NOT NULL)
7486 + * @size: size of the name
7488 + * Remove a profile or sub namespace from the current namespace, so that
7489 + * they can not be found anymore and mark them as replaced by unconfined
7491 + * NOTE: removing confinement does not restore rlimits to preconfinemnet values
7493 + * Returns: size of data consume else error code if fails
7495 +ssize_t aa_remove_profiles(char *fqname, size_t size)
7497 + struct aa_namespace *root, *ns = NULL;
7498 + struct aa_profile *profile = NULL;
7499 + const char *name = fqname, *info = NULL;
7500 + ssize_t error = 0;
7502 + if (*fqname == 0) {
7503 + info = "no profile specified";
7508 + root = aa_current_profile()->ns;
7510 + if (fqname[0] == ':') {
7512 + name = aa_split_fqname(fqname, &ns_name);
7514 + /* released below */
7515 + ns = aa_find_namespace(root, ns_name);
7517 + info = "namespace does not exist";
7523 + /* released below */
7524 + ns = aa_get_namespace(root);
7526 + write_lock(&ns->lock);
7528 + /* remove namespace - can only happen if fqname[0] == ':' */
7529 + __remove_namespace(ns);
7531 + /* remove profile */
7532 + profile = aa_get_profile(__lookup_profile(&ns->base, name));
7535 + info = "profile does not exist";
7536 + goto fail_ns_lock;
7538 + name = profile->base.hname;
7539 + __remove_profile(profile);
7541 + write_unlock(&ns->lock);
7543 + /* don't fail removal if audit fails */
7544 + (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
7545 + aa_put_namespace(ns);
7546 + aa_put_profile(profile);
7550 + write_unlock(&ns->lock);
7551 + aa_put_namespace(ns);
7554 + (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
7557 diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
7558 new file mode 100644
7559 index 0000000..6b0637b
7561 +++ b/security/apparmor/policy_unpack.c
7564 + * AppArmor security module
7566 + * This file contains AppArmor functions for unpacking policy loaded from
7569 + * Copyright (C) 1998-2008 Novell/SUSE
7570 + * Copyright 2009-2010 Canonical Ltd.
7572 + * This program is free software; you can redistribute it and/or
7573 + * modify it under the terms of the GNU General Public License as
7574 + * published by the Free Software Foundation, version 2 of the
7577 + * AppArmor uses a serialized binary format for loading policy.
7578 + * To find policy format documentation look in Documentation/apparmor.txt
7579 + * All policy is validated before it is used.
7582 +#include <asm/unaligned.h>
7583 +#include <linux/ctype.h>
7584 +#include <linux/errno.h>
7586 +#include "include/apparmor.h"
7587 +#include "include/audit.h"
7588 +#include "include/context.h"
7589 +#include "include/match.h"
7590 +#include "include/policy.h"
7591 +#include "include/policy_unpack.h"
7592 +#include "include/sid.h"
7595 + * The AppArmor interface treats data as a type byte followed by the
7596 + * actual data. The interface has the notion of a a named entry
7597 + * which has a name (AA_NAME typecode followed by name string) followed by
7598 + * the entries typecode and data. Named types allow for optional
7599 + * elements and extensions to be added and tested for without breaking
7600 + * backwards compatibility.
7608 + AA_NAME, /* same as string except it is items name */
7620 + * aa_ext is the read of the buffer containing the serialized profile. The
7621 + * data is copied into a kernel buffer in apparmorfs and then handed off to
7622 + * the unpack routines.
7627 + void *pos; /* pointer to current position in the buffer */
7631 +/* audit callback for unpack fields */
7632 +static void audit_cb(struct audit_buffer *ab, void *va)
7634 + struct common_audit_data *sa = va;
7635 + if (sa->aad.iface.target) {
7636 + struct aa_profile *name = sa->aad.iface.target;
7637 + audit_log_format(ab, " name=");
7638 + audit_log_untrustedstring(ab, name->base.hname);
7640 + if (sa->aad.iface.pos)
7641 + audit_log_format(ab, " offset=%ld", sa->aad.iface.pos);
7645 + * audit_iface - do audit message for policy unpacking/load/replace/remove
7646 + * @new: profile if it has been allocated (MAYBE NULL)
7647 + * @name: name of the profile being manipulated (MAYBE NULL)
7648 + * @info: any extra info about the failure (MAYBE NULL)
7649 + * @e: buffer position info (NOT NULL)
7650 + * @error: error code
7652 + * Returns: %0 or error
7654 +static int audit_iface(struct aa_profile *new, const char *name,
7655 + const char *info, struct aa_ext *e, int error)
7657 + struct aa_profile *profile = __aa_current_profile();
7658 + struct common_audit_data sa;
7659 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
7660 + sa.aad.iface.pos = e->pos - e->start;
7661 + sa.aad.iface.target = new;
7662 + sa.aad.name = name;
7663 + sa.aad.info = info;
7664 + sa.aad.error = error;
7666 + return aa_audit(AUDIT_APPARMOR_STATUS, profile, GFP_KERNEL, &sa,
7670 +/* test if read will be in packed data bounds */
7671 +static bool inbounds(struct aa_ext *e, size_t size)
7673 + return (size <= e->end - e->pos);
7677 + * aa_u16_chunck - test and do bounds checking for a u16 size based chunk
7678 + * @e: serialized data read head (NOT NULL)
7679 + * @chunk: start address for chunk of data (NOT NULL)
7681 + * Returns: the size of chunk found with the read head at the end of the chunk.
7683 +static size_t unpack_u16_chunk(struct aa_ext *e, char **chunk)
7687 + if (!inbounds(e, sizeof(u16)))
7689 + size = le16_to_cpu(get_unaligned((u16 *) e->pos));
7690 + e->pos += sizeof(u16);
7691 + if (!inbounds(e, size))
7698 +/* unpack control byte */
7699 +static bool unpack_X(struct aa_ext *e, enum aa_code code)
7701 + if (!inbounds(e, 1))
7703 + if (*(u8 *) e->pos != code)
7710 + * unpack_nameX - check is the next element is of type X with a name of @name
7711 + * @e: serialized data extent information (NOT NULL)
7712 + * @code: type code
7713 + * @name: name to match to the serialized element. (MAYBE NULL)
7715 + * check that the next serialized data element is of type X and has a tag
7716 + * name @name. If @name is specified then there must be a matching
7717 + * name element in the stream. If @name is NULL any name element will be
7718 + * skipped and only the typecode will be tested.
7720 + * Returns 1 on success (both type code and name tests match) and the read
7721 + * head is advanced past the headers
7723 + * Returns: 0 if either match fails, the read head does not move
7725 +static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
7728 + * May need to reset pos if name or type doesn't match
7730 + void *pos = e->pos;
7732 + * Check for presence of a tagname, and if present name size
7733 + * AA_NAME tag value is a u16.
7735 + if (unpack_X(e, AA_NAME)) {
7737 + size_t size = unpack_u16_chunk(e, &tag);
7738 + /* if a name is specified it must match. otherwise skip tag */
7739 + if (name && (!size || strcmp(name, tag)))
7741 + } else if (name) {
7742 + /* if a name is specified and there is no name tag fail */
7746 + /* now check if type code matches */
7747 + if (unpack_X(e, code))
7755 +static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
7757 + if (unpack_nameX(e, AA_U16, name)) {
7758 + if (!inbounds(e, sizeof(u16)))
7761 + *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
7762 + e->pos += sizeof(u16);
7768 +static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
7770 + if (unpack_nameX(e, AA_U32, name)) {
7771 + if (!inbounds(e, sizeof(u32)))
7774 + *data = le32_to_cpu(get_unaligned((u32 *) e->pos));
7775 + e->pos += sizeof(u32);
7781 +static bool unpack_u64(struct aa_ext *e, u64 *data, const char *name)
7783 + if (unpack_nameX(e, AA_U64, name)) {
7784 + if (!inbounds(e, sizeof(u64)))
7787 + *data = le64_to_cpu(get_unaligned((u64 *) e->pos));
7788 + e->pos += sizeof(u64);
7794 +static size_t unpack_array(struct aa_ext *e, const char *name)
7796 + if (unpack_nameX(e, AA_ARRAY, name)) {
7798 + if (!inbounds(e, sizeof(u16)))
7800 + size = (int)le16_to_cpu(get_unaligned((u16 *) e->pos));
7801 + e->pos += sizeof(u16);
7807 +static size_t unpack_blob(struct aa_ext *e, char **blob, const char *name)
7809 + if (unpack_nameX(e, AA_BLOB, name)) {
7811 + if (!inbounds(e, sizeof(u32)))
7813 + size = le32_to_cpu(get_unaligned((u32 *) e->pos));
7814 + e->pos += sizeof(u32);
7815 + if (inbounds(e, (size_t) size)) {
7824 +static int unpack_str(struct aa_ext *e, const char **string, const char *name)
7828 + void *pos = e->pos;
7830 + if (unpack_nameX(e, AA_STRING, name)) {
7831 + size = unpack_u16_chunk(e, &src_str);
7833 + /* strings are null terminated, length is size - 1 */
7834 + if (src_str[size - 1] != 0)
7836 + *string = src_str;
7846 +static int unpack_strdup(struct aa_ext *e, char **string, const char *name)
7849 + void *pos = e->pos;
7850 + int res = unpack_str(e, &tmp, name);
7856 + *string = kmemdup(tmp, res, GFP_KERNEL);
7866 + * verify_accept - verify the accept tables of a dfa
7867 + * @dfa: dfa to verify accept tables of (NOT NULL)
7868 + * @flags: flags governing dfa
7870 + * Returns: 1 if valid accept tables else 0 if error
7872 +static bool verify_accept(struct aa_dfa *dfa, int flags)
7876 + /* verify accept permissions */
7877 + for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
7878 + int mode = ACCEPT_TABLE(dfa)[i];
7880 + if (mode & ~DFA_VALID_PERM_MASK)
7883 + if (ACCEPT_TABLE2(dfa)[i] & ~DFA_VALID_PERM2_MASK)
7890 + * unpack_dfa - unpack a file rule dfa
7891 + * @e: serialized data extent information (NOT NULL)
7893 + * returns dfa or ERR_PTR or NULL if no dfa
7895 +static struct aa_dfa *unpack_dfa(struct aa_ext *e)
7897 + char *blob = NULL;
7899 + struct aa_dfa *dfa = NULL;
7901 + size = unpack_blob(e, &blob, "aadfa");
7904 + * The dfa is aligned with in the blob to 8 bytes
7905 + * from the beginning of the stream.
7907 + size_t sz = blob - (char *)e->start;
7908 + size_t pad = ALIGN(sz, 8) - sz;
7909 + int flags = TO_ACCEPT1_FLAG(YYTD_DATA32) |
7910 + TO_ACCEPT2_FLAG(YYTD_DATA32);
7913 + if (aa_g_paranoid_load)
7914 + flags |= DFA_FLAG_VERIFY_STATES;
7916 + dfa = aa_dfa_unpack(blob + pad, size - pad, flags);
7921 + if (!verify_accept(dfa, flags))
7929 + return ERR_PTR(-EPROTO);
7933 + * unpack_trans_table - unpack a profile transition table
7934 + * @e: serialized data extent information (NOT NULL)
7935 + * @profile: profile to add the accept table to (NOT NULL)
7937 + * Returns: 1 if table succesfully unpacked
7939 +static bool unpack_trans_table(struct aa_ext *e, struct aa_profile *profile)
7941 + void *pos = e->pos;
7943 + /* exec table is optional */
7944 + if (unpack_nameX(e, AA_STRUCT, "xtable")) {
7947 + size = unpack_array(e, NULL);
7948 + /* currently 4 exec bits and entries 0-3 are reserved iupcx */
7949 + if (size > 16 - 4)
7951 + profile->file.trans.table = kzalloc(sizeof(char *) * size,
7953 + if (!profile->file.trans.table)
7956 + profile->file.trans.size = size;
7957 + for (i = 0; i < size; i++) {
7959 + int c, j, size = unpack_strdup(e, &str, NULL);
7960 + /* unpack_strdup verifies that the last character is
7961 + * null termination byte.
7965 + profile->file.trans.table[i] = str;
7966 + /* verify that name doesn't start with space */
7967 + if (isspace(*str))
7970 + /* count internal # of internal \0 */
7971 + for (c = j = 0; j < size - 2; j++) {
7975 + if (*str == ':') {
7976 + /* beginning with : requires an embedded \0,
7977 + * verify that exactly 1 internal \0 exists
7978 + * trailing \0 already verified by unpack_strdup
7982 + /* first character after : must be valid */
7986 + /* fail - all other cases with embedded \0 */
7989 + if (!unpack_nameX(e, AA_ARRAYEND, NULL))
7991 + if (!unpack_nameX(e, AA_STRUCTEND, NULL))
7997 + aa_free_domain_entries(&profile->file.trans);
8002 +static bool unpack_rlimits(struct aa_ext *e, struct aa_profile *profile)
8004 + void *pos = e->pos;
8006 + /* rlimits are optional */
8007 + if (unpack_nameX(e, AA_STRUCT, "rlimits")) {
8010 + if (!unpack_u32(e, &tmp, NULL))
8012 + profile->rlimits.mask = tmp;
8014 + size = unpack_array(e, NULL);
8015 + if (size > RLIM_NLIMITS)
8017 + for (i = 0; i < size; i++) {
8019 + int a = aa_map_resource(i);
8020 + if (!unpack_u64(e, &tmp, NULL))
8022 + profile->rlimits.limits[a].rlim_max = tmp;
8024 + if (!unpack_nameX(e, AA_ARRAYEND, NULL))
8026 + if (!unpack_nameX(e, AA_STRUCTEND, NULL))
8037 + * unpack_profile - unpack a serialized profile
8038 + * @e: serialized data extent information (NOT NULL)
8040 + * NOTE: unpack profile sets audit struct if there is a failure
8042 +static struct aa_profile *unpack_profile(struct aa_ext *e)
8044 + struct aa_profile *profile = NULL;
8045 + const char *name = NULL;
8047 + int i, error = -EPROTO;
8048 + kernel_cap_t tmpcap;
8051 + /* check that we have the right struct being passed */
8052 + if (!unpack_nameX(e, AA_STRUCT, "profile"))
8054 + if (!unpack_str(e, &name, NULL))
8057 + profile = aa_alloc_profile(name);
8059 + return ERR_PTR(-ENOMEM);
8061 + /* profile renaming is optional */
8062 + (void) unpack_str(e, &profile->rename, "rename");
8064 + /* xmatch is optional and may be NULL */
8065 + profile->xmatch = unpack_dfa(e);
8066 + if (IS_ERR(profile->xmatch)) {
8067 + error = PTR_ERR(profile->xmatch);
8068 + profile->xmatch = NULL;
8071 + /* xmatch_len is not optional if xmatch is set */
8072 + if (profile->xmatch) {
8073 + if (!unpack_u32(e, &tmp, NULL))
8075 + profile->xmatch_len = tmp;
8078 + /* per profile debug flags (complain, audit) */
8079 + if (!unpack_nameX(e, AA_STRUCT, "flags"))
8081 + if (!unpack_u32(e, &tmp, NULL))
8084 + profile->flags |= PFLAG_HAT;
8085 + if (!unpack_u32(e, &tmp, NULL))
8088 + profile->mode = APPARMOR_COMPLAIN;
8089 + if (!unpack_u32(e, &tmp, NULL))
8092 + profile->audit = AUDIT_ALL;
8094 + if (!unpack_nameX(e, AA_STRUCTEND, NULL))
8097 + /* path_flags is optional */
8098 + if (unpack_u32(e, &profile->path_flags, "path_flags"))
8099 + profile->path_flags |= profile->flags & PFLAG_MEDIATE_DELETED;
8101 + /* set a default value if path_flags field is not present */
8102 + profile->path_flags = PFLAG_MEDIATE_DELETED;
8104 + if (!unpack_u32(e, &(profile->caps.allow.cap[0]), NULL))
8106 + if (!unpack_u32(e, &(profile->caps.audit.cap[0]), NULL))
8108 + if (!unpack_u32(e, &(profile->caps.quiet.cap[0]), NULL))
8110 + if (!unpack_u32(e, &tmpcap.cap[0], NULL))
8113 + if (unpack_nameX(e, AA_STRUCT, "caps64")) {
8114 + /* optional upper half of 64 bit caps */
8115 + if (!unpack_u32(e, &(profile->caps.allow.cap[1]), NULL))
8117 + if (!unpack_u32(e, &(profile->caps.audit.cap[1]), NULL))
8119 + if (!unpack_u32(e, &(profile->caps.quiet.cap[1]), NULL))
8121 + if (!unpack_u32(e, &(tmpcap.cap[1]), NULL))
8123 + if (!unpack_nameX(e, AA_STRUCTEND, NULL))
8127 + if (unpack_nameX(e, AA_STRUCT, "capsx")) {
8128 + /* optional extended caps mediation mask */
8129 + if (!unpack_u32(e, &(profile->caps.extended.cap[0]), NULL))
8131 + if (!unpack_u32(e, &(profile->caps.extended.cap[1]), NULL))
8135 + if (!unpack_rlimits(e, profile))
8138 + size = unpack_array(e, "net_allowed_af");
8140 + if (size > AF_MAX)
8143 + for (i = 0; i < size; i++) {
8144 + if (!unpack_u16(e, &profile->net.allow[i], NULL))
8146 + if (!unpack_u16(e, &profile->net.audit[i], NULL))
8148 + if (!unpack_u16(e, &profile->net.quiet[i], NULL))
8151 + if (!unpack_nameX(e, AA_ARRAYEND, NULL))
8154 + * allow unix domain and netlink sockets they are handled
8158 + profile->net.allow[AF_UNIX] = 0xffff;
8159 + profile->net.allow[AF_NETLINK] = 0xffff;
8161 + /* get file rules */
8162 + profile->file.dfa = unpack_dfa(e);
8163 + if (IS_ERR(profile->file.dfa)) {
8164 + error = PTR_ERR(profile->file.dfa);
8165 + profile->file.dfa = NULL;
8169 + if (!unpack_u32(e, &profile->file.start, "dfa_start"))
8170 + /* default start state */
8171 + profile->file.start = DFA_START;
8173 + if (!unpack_trans_table(e, profile))
8176 + if (!unpack_nameX(e, AA_STRUCTEND, NULL))
8186 + audit_iface(profile, name, "failed to unpack profile", e, error);
8187 + aa_put_profile(profile);
8189 + return ERR_PTR(error);
8193 + * verify_head - unpack serialized stream header
8194 + * @e: serialized data read head (NOT NULL)
8195 + * @ns: Returns - namespace if one is specified else NULL (NOT NULL)
8197 + * Returns: error or 0 if header is good
8199 +static int verify_header(struct aa_ext *e, const char **ns)
8201 + int error = -EPROTONOSUPPORT;
8202 + /* get the interface version */
8203 + if (!unpack_u32(e, &e->version, "version")) {
8204 + audit_iface(NULL, NULL, "invalid profile format", e, error);
8208 + /* check that the interface version is currently supported */
8209 + if (e->version != 5) {
8210 + audit_iface(NULL, NULL, "unsupported interface version", e,
8215 + /* read the namespace if present */
8216 + if (!unpack_str(e, ns, "namespace"))
8222 +static bool verify_xindex(int xindex, int table_size)
8225 + xtype = xindex & AA_X_TYPE_MASK;
8226 + index = xindex & AA_X_INDEX_MASK;
8227 + if (xtype == AA_X_TABLE && index > table_size)
8232 +/* verify dfa xindexes are in range of transition tables */
8233 +static bool verify_dfa_xindex(struct aa_dfa *dfa, int table_size)
8236 + for (i = 0; i < dfa->tables[YYTD_ID_ACCEPT]->td_lolen; i++) {
8237 + if (!verify_xindex(dfa_user_xindex(dfa, i), table_size))
8239 + if (!verify_xindex(dfa_other_xindex(dfa, i), table_size))
8246 + * verify_profile - Do post unpack analysis to verify profile consistency
8247 + * @profile: profile to verify (NOT NULL)
8249 + * Returns: 0 if passes verification else error
8251 +static int verify_profile(struct aa_profile *profile)
8253 + if (aa_g_paranoid_load) {
8254 + if (profile->file.dfa &&
8255 + !verify_dfa_xindex(profile->file.dfa,
8256 + profile->file.trans.size)) {
8257 + audit_iface(profile, NULL, "Invalid named transition",
8267 + * aa_unpack - unpack packed binary profile data loaded from user space
8268 + * @udata: user data copied to kmem (NOT NULL)
8269 + * @size: the size of the user data
8270 + * @ns: Returns namespace profile is in if specified else NULL (NOT NULL)
8272 + * Unpack user data and return refcounted allocated profile or ERR_PTR
8274 + * Returns: profile else error pointer if fails to unpack
8276 +struct aa_profile *aa_unpack(void *udata, size_t size, const char **ns)
8278 + struct aa_profile *profile = NULL;
8280 + struct aa_ext e = {
8282 + .end = udata + size,
8286 + error = verify_header(&e, ns);
8288 + return ERR_PTR(error);
8290 + profile = unpack_profile(&e);
8291 + if (IS_ERR(profile))
8294 + error = verify_profile(profile);
8296 + aa_put_profile(profile);
8297 + profile = ERR_PTR(error);
8300 + /* return refcount */
8303 diff --git a/security/apparmor/policy_unpack.c.rej b/security/apparmor/policy_unpack.c.rej
8304 new file mode 100644
8305 index 0000000..5bddfd6
8307 +++ b/security/apparmor/policy_unpack.c.rej
8309 +diff a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c (rejected hunks)
8310 +@@ -473,7 +473,8 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
8312 + struct aa_profile *profile = NULL;
8313 + const char *name = NULL, *info = NULL;
8314 +- int error = -EPROTO;
8316 ++ int i, error = -EPROTO;
8317 + kernel_cap_t tmpcap;
8320 diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c
8321 new file mode 100644
8322 index 0000000..04a2cf8
8324 +++ b/security/apparmor/procattr.c
8327 + * AppArmor security module
8329 + * This file contains AppArmor /proc/<pid>/attr/ interface functions
8331 + * Copyright (C) 1998-2008 Novell/SUSE
8332 + * Copyright 2009-2010 Canonical Ltd.
8334 + * This program is free software; you can redistribute it and/or
8335 + * modify it under the terms of the GNU General Public License as
8336 + * published by the Free Software Foundation, version 2 of the
8340 +#include "include/apparmor.h"
8341 +#include "include/context.h"
8342 +#include "include/policy.h"
8343 +#include "include/domain.h"
8347 + * aa_getprocattr - Return the profile information for @profile
8348 + * @profile: the profile to print profile info about (NOT NULL)
8349 + * @string: Returns - string containing the profile info (NOT NULL)
8351 + * Returns: length of @string on success else error on failure
8353 + * Requires: profile != NULL
8355 + * Creates a string containing the namespace_name://profile_name for
8358 + * Returns: size of string placed in @string else error code on failure
8360 +int aa_getprocattr(struct aa_profile *profile, char **string)
8363 + int len = 0, mode_len = 0, ns_len = 0, name_len;
8364 + const char *mode_str = profile_mode_names[profile->mode];
8365 + const char *ns_name = NULL;
8366 + struct aa_namespace *ns = profile->ns;
8367 + struct aa_namespace *current_ns = __aa_current_profile()->ns;
8370 + if (!aa_ns_visible(current_ns, ns))
8373 + ns_name = aa_ns_name(current_ns, ns);
8374 + ns_len = strlen(ns_name);
8376 + /* if the visible ns_name is > 0 increase size for : :// seperator */
8380 + /* unconfined profiles don't have a mode string appended */
8381 + if (!unconfined(profile))
8382 + mode_len = strlen(mode_str) + 3; /* + 3 for _() */
8384 + name_len = strlen(profile->base.hname);
8385 + len = mode_len + ns_len + name_len + 1; /* + 1 for \n */
8386 + s = str = kmalloc(len + 1, GFP_KERNEL); /* + 1 \0 */
8391 + /* skip over prefix current_ns->base.hname and separating // */
8392 + sprintf(s, ":%s://", ns_name);
8395 + if (unconfined(profile))
8396 + /* mode string not being appended */
8397 + sprintf(s, "%s\n", profile->base.hname);
8399 + sprintf(s, "%s (%s)\n", profile->base.hname, mode_str);
8402 + /* NOTE: len does not include \0 of string, not saved as part of file */
8407 + * split_token_from_name - separate a string of form <token>^<name>
8408 + * @op: operation being checked
8409 + * @args: string to parse (NOT NULL)
8410 + * @token: stores returned parsed token value (NOT NULL)
8412 + * Returns: start position of name after token else NULL on failure
8414 +static char *split_token_from_name(int op, char *args, u64 * token)
8418 + *token = simple_strtoull(args, &name, 16);
8419 + if ((name == args) || *name != '^') {
8420 + AA_ERROR("%s: Invalid input '%s'", op_table[op], args);
8421 + return ERR_PTR(-EINVAL);
8424 + name++; /* skip ^ */
8431 + * aa_setprocattr_chagnehat - handle procattr interface to change_hat
8432 + * @args: args received from writing to /proc/<pid>/attr/current (NOT NULL)
8433 + * @size: size of the args
8434 + * @test: true if this is a test of change_hat permissions
8436 + * Returns: %0 or error code if change_hat fails
8438 +int aa_setprocattr_changehat(char *args, size_t size, int test)
8442 + const char *hats[16]; /* current hard limit on # of names */
8445 + hat = split_token_from_name(OP_CHANGE_HAT, args, &token);
8447 + return PTR_ERR(hat);
8449 + if (!hat && !token) {
8450 + AA_ERROR("change_hat: Invalid input, NULL hat and NULL magic");
8455 + /* set up hat name vector, args guaranteed null terminated
8456 + * at args[size] by setprocattr.
8458 + * If there are multiple hat names in the buffer each is
8459 + * separated by a \0. Ie. userspace writes them pre tokenized
8461 + char *end = args + size;
8462 + for (count = 0; (hat < end) && count < 16; ++count) {
8463 + char *next = hat + strlen(hat) + 1;
8464 + hats[count] = hat;
8469 + AA_DEBUG("%s: Magic 0x%llx Hat '%s'\n",
8470 + __func__, token, hat ? hat : NULL);
8472 + return aa_change_hat(hats, count, token, test);
8476 + * aa_setprocattr_changeprofile - handle procattr interface to changeprofile
8477 + * @fqname: args received from writting to /proc/<pid>/attr/current (NOT NULL)
8478 + * @onexec: true if change_profile should be delayed until exec
8479 + * @test: true if this is a test of change_profile permissions
8481 + * Returns: %0 or error code if change_profile fails
8483 +int aa_setprocattr_changeprofile(char *fqname, bool onexec, int test)
8485 + char *name, *ns_name;
8487 + name = aa_split_fqname(fqname, &ns_name);
8488 + return aa_change_profile(ns_name, name, onexec, test);
8491 +int aa_setprocattr_permipc(char *fqname)
8493 + /* TODO: add ipc permission querying */
8496 diff --git a/security/apparmor/resource.c b/security/apparmor/resource.c
8497 new file mode 100644
8498 index 0000000..4a368f1
8500 +++ b/security/apparmor/resource.c
8503 + * AppArmor security module
8505 + * This file contains AppArmor resource mediation and attachment
8507 + * Copyright (C) 1998-2008 Novell/SUSE
8508 + * Copyright 2009-2010 Canonical Ltd.
8510 + * This program is free software; you can redistribute it and/or
8511 + * modify it under the terms of the GNU General Public License as
8512 + * published by the Free Software Foundation, version 2 of the
8516 +#include <linux/audit.h>
8518 +#include "include/audit.h"
8519 +#include "include/resource.h"
8520 +#include "include/policy.h"
8523 + * Table of rlimit names: we generate it from resource.h.
8525 +#include "rlim_names.h"
8527 +/* audit callback for resource specific fields */
8528 +static void audit_cb(struct audit_buffer *ab, void *va)
8530 + struct common_audit_data *sa = va;
8532 + audit_log_format(ab, " rlimit=%s value=%lu",
8533 + rlim_names[sa->aad.rlim.rlim], sa->aad.rlim.max);
8537 + * audit_resource - audit setting resource limit
8538 + * @profile: profile being enforced (NOT NULL)
8539 + * @resoure: rlimit being auditing
8540 + * @value: value being set
8541 + * @error: error value
8543 + * Returns: 0 or sa->error else other error code on failure
8545 +static int audit_resource(struct aa_profile *profile, unsigned int resource,
8546 + unsigned long value, int error)
8548 + struct common_audit_data sa;
8550 + COMMON_AUDIT_DATA_INIT(&sa, NONE);
8551 + sa.aad.op = OP_SETRLIMIT,
8552 + sa.aad.rlim.rlim = resource;
8553 + sa.aad.rlim.max = value;
8554 + sa.aad.error = error;
8555 + return aa_audit(AUDIT_APPARMOR_AUTO, profile, GFP_KERNEL, &sa,
8560 + * aa_map_resouce - map compiled policy resource to internal #
8561 + * @resource: flattened policy resource number
8563 + * Returns: resource # for the current architecture.
8565 + * rlimit resource can vary based on architecture, map the compiled policy
8566 + * resource # to the internal representation for the architecture.
8568 +int aa_map_resource(int resource)
8570 + return rlim_map[resource];
8574 + * aa_task_setrlimit - test permission to set an rlimit
8575 + * @profile - profile confining the task (NOT NULL)
8576 + * @resource - the resource being set
8577 + * @new_rlim - the new resource limit (NOT NULL)
8579 + * Control raising the processes hard limit.
8581 + * Returns: 0 or error code if setting resource failed
8583 +int aa_task_setrlimit(struct aa_profile *profile, unsigned int resource,
8584 + struct rlimit *new_rlim)
8588 + if (profile->rlimits.mask & (1 << resource) &&
8589 + new_rlim->rlim_max > profile->rlimits.limits[resource].rlim_max)
8591 + error = audit_resource(profile, resource, new_rlim->rlim_max,
8598 + * __aa_transition_rlimits - apply new profile rlimits
8599 + * @old: old profile on task (NOT NULL)
8600 + * @new: new profile with rlimits to apply (NOT NULL)
8602 +void __aa_transition_rlimits(struct aa_profile *old, struct aa_profile *new)
8604 + unsigned int mask = 0;
8605 + struct rlimit *rlim, *initrlim;
8608 + /* for any rlimits the profile controlled reset the soft limit
8609 + * to the less of the tasks hard limit and the init tasks soft limit
8611 + if (old->rlimits.mask) {
8612 + for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
8613 + if (old->rlimits.mask & mask) {
8614 + rlim = current->signal->rlim + i;
8615 + initrlim = init_task.signal->rlim + i;
8616 + rlim->rlim_cur = min(rlim->rlim_max,
8617 + initrlim->rlim_cur);
8622 + /* set any new hard limits as dictated by the new profile */
8623 + if (!new->rlimits.mask)
8625 + for (i = 0, mask = 1; i < RLIM_NLIMITS; i++, mask <<= 1) {
8626 + if (!(new->rlimits.mask & mask))
8629 + rlim = current->signal->rlim + i;
8630 + rlim->rlim_max = min(rlim->rlim_max,
8631 + new->rlimits.limits[i].rlim_max);
8632 + /* soft limit should not exceed hard limit */
8633 + rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
8636 diff --git a/security/apparmor/sid.c b/security/apparmor/sid.c
8637 new file mode 100644
8638 index 0000000..f0b34f7
8640 +++ b/security/apparmor/sid.c
8643 + * AppArmor security module
8645 + * This file contains AppArmor security identifier (sid) manipulation fns
8647 + * Copyright 2009-2010 Canonical Ltd.
8649 + * This program is free software; you can redistribute it and/or
8650 + * modify it under the terms of the GNU General Public License as
8651 + * published by the Free Software Foundation, version 2 of the
8655 + * AppArmor allocates a unique sid for every profile loaded. If a profile
8656 + * is replaced it receives the sid of the profile it is replacing.
8658 + * The sid value of 0 is invalid.
8661 +#include <linux/spinlock.h>
8662 +#include <linux/errno.h>
8663 +#include <linux/err.h>
8665 +#include "include/sid.h"
8667 +/* global counter from which sids are allocated */
8668 +static u32 global_sid;
8669 +static DEFINE_SPINLOCK(sid_lock);
8671 +/* TODO FIXME: add sid to profile mapping, and sid recycling */
8674 + * aa_alloc_sid - allocate a new sid for a profile
8676 +u32 aa_alloc_sid(void)
8681 + * TODO FIXME: sid recycling - part of profile mapping table
8683 + spin_lock(&sid_lock);
8684 + sid = (++global_sid);
8685 + spin_unlock(&sid_lock);
8690 + * aa_free_sid - free a sid
8691 + * @sid: sid to free
8693 +void aa_free_sid(u32 sid)