1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76#include <linux/slab.h>
77#include <linux/spinlock.h>
78#include <linux/string.h>
79
80#include "include/apparmor.h"
81#include "include/capability.h"
82#include "include/context.h"
83#include "include/file.h"
84#include "include/ipc.h"
85#include "include/match.h"
86#include "include/path.h"
87#include "include/policy.h"
88#include "include/policy_unpack.h"
89#include "include/resource.h"
90#include "include/sid.h"
91
92
93
94struct aa_namespace *root_ns;
95
96const char *const profile_mode_names[] = {
97 "enforce",
98 "complain",
99 "kill",
100};
101
102
103
104
105
106
107
108static const char *hname_tail(const char *hname)
109{
110 char *split;
111 hname = strim((char *)hname);
112 for (split = strstr(hname, "//"); split; split = strstr(hname, "//"))
113 hname = split + 2;
114
115 return hname;
116}
117
118
119
120
121
122
123
124
125
126
127
128static bool policy_init(struct aa_policy *policy, const char *prefix,
129 const char *name)
130{
131
132 if (prefix) {
133 policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3,
134 GFP_KERNEL);
135 if (policy->hname)
136 sprintf(policy->hname, "%s//%s", prefix, name);
137 } else
138 policy->hname = kstrdup(name, GFP_KERNEL);
139 if (!policy->hname)
140 return 0;
141
142 policy->name = (char *)hname_tail(policy->hname);
143 INIT_LIST_HEAD(&policy->list);
144 INIT_LIST_HEAD(&policy->profiles);
145 kref_init(&policy->count);
146
147 return 1;
148}
149
150
151
152
153
154static void policy_destroy(struct aa_policy *policy)
155{
156
157 if (!list_empty(&policy->profiles)) {
158 AA_ERROR("%s: internal error, "
159 "policy '%s' still contains profiles\n",
160 __func__, policy->name);
161 BUG();
162 }
163 if (!list_empty(&policy->list)) {
164 AA_ERROR("%s: internal error, policy '%s' still on list\n",
165 __func__, policy->name);
166 BUG();
167 }
168
169
170 kzfree(policy->hname);
171}
172
173
174
175
176
177
178
179
180
181
182static struct aa_policy *__policy_find(struct list_head *head, const char *name)
183{
184 struct aa_policy *policy;
185
186 list_for_each_entry(policy, head, list) {
187 if (!strcmp(policy->name, name))
188 return policy;
189 }
190 return NULL;
191}
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206static struct aa_policy *__policy_strn_find(struct list_head *head,
207 const char *str, int len)
208{
209 struct aa_policy *policy;
210
211 list_for_each_entry(policy, head, list) {
212 if (aa_strneq(policy->name, str, len))
213 return policy;
214 }
215
216 return NULL;
217}
218
219
220
221
222
223static const char *hidden_ns_name = "---";
224
225
226
227
228
229
230
231bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)
232{
233 if (curr == view)
234 return true;
235
236 for ( ; view; view = view->parent) {
237 if (view->parent == curr)
238 return true;
239 }
240 return false;
241}
242
243
244
245
246
247
248
249
250const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)
251{
252
253 if (curr == view)
254 return "";
255
256 if (aa_ns_visible(curr, view)) {
257
258
259
260
261
262
263 return view->base.hname + strlen(curr->base.hname) + 2;
264 } else
265 return hidden_ns_name;
266}
267
268
269
270
271
272
273
274
275static struct aa_namespace *alloc_namespace(const char *prefix,
276 const char *name)
277{
278 struct aa_namespace *ns;
279
280 ns = kzalloc(sizeof(*ns), GFP_KERNEL);
281 AA_DEBUG("%s(%p)\n", __func__, ns);
282 if (!ns)
283 return NULL;
284 if (!policy_init(&ns->base, prefix, name))
285 goto fail_ns;
286
287 INIT_LIST_HEAD(&ns->sub_ns);
288 rwlock_init(&ns->lock);
289
290
291 ns->unconfined = aa_alloc_profile("unconfined");
292 if (!ns->unconfined)
293 goto fail_unconfined;
294
295 ns->unconfined->sid = aa_alloc_sid();
296 ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |
297 PFLAG_IMMUTABLE;
298
299
300
301
302
303
304 ns->unconfined->ns = aa_get_namespace(ns);
305
306 return ns;
307
308fail_unconfined:
309 kzfree(ns->base.hname);
310fail_ns:
311 kzfree(ns);
312 return NULL;
313}
314
315
316
317
318
319
320
321
322static void free_namespace(struct aa_namespace *ns)
323{
324 if (!ns)
325 return;
326
327 policy_destroy(&ns->base);
328 aa_put_namespace(ns->parent);
329
330 if (ns->unconfined && ns->unconfined->ns == ns)
331 ns->unconfined->ns = NULL;
332
333 aa_put_profile(ns->unconfined);
334 kzfree(ns);
335}
336
337
338
339
340
341void aa_free_namespace_kref(struct kref *kref)
342{
343 free_namespace(container_of(kref, struct aa_namespace, base.count));
344}
345
346
347
348
349
350
351
352
353
354
355static struct aa_namespace *__aa_find_namespace(struct list_head *head,
356 const char *name)
357{
358 return (struct aa_namespace *)__policy_find(head, name);
359}
360
361
362
363
364
365
366
367
368
369
370
371struct aa_namespace *aa_find_namespace(struct aa_namespace *root,
372 const char *name)
373{
374 struct aa_namespace *ns = NULL;
375
376 read_lock(&root->lock);
377 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
378 read_unlock(&root->lock);
379
380 return ns;
381}
382
383
384
385
386
387
388
389static struct aa_namespace *aa_prepare_namespace(const char *name)
390{
391 struct aa_namespace *ns, *root;
392
393 root = aa_current_profile()->ns;
394
395 write_lock(&root->lock);
396
397
398 if (!name) {
399
400 ns = aa_get_namespace(root);
401 goto out;
402 }
403
404
405
406 ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));
407 if (!ns) {
408
409 struct aa_namespace *new_ns;
410 write_unlock(&root->lock);
411 new_ns = alloc_namespace(root->base.hname, name);
412 if (!new_ns)
413 return NULL;
414 write_lock(&root->lock);
415
416 ns = __aa_find_namespace(&root->sub_ns, name);
417 if (!ns) {
418
419 new_ns->parent = aa_get_namespace(root);
420
421 list_add(&new_ns->base.list, &root->sub_ns);
422
423 ns = aa_get_namespace(new_ns);
424 } else {
425
426 free_namespace(new_ns);
427
428 aa_get_namespace(ns);
429 }
430 }
431out:
432 write_unlock(&root->lock);
433
434
435 return ns;
436}
437
438
439
440
441
442
443
444
445
446
447static void __list_add_profile(struct list_head *list,
448 struct aa_profile *profile)
449{
450 list_add(&profile->base.list, list);
451
452 aa_get_profile(profile);
453}
454
455
456
457
458
459
460
461
462
463
464
465
466
467static void __list_remove_profile(struct aa_profile *profile)
468{
469 list_del_init(&profile->base.list);
470 if (!(profile->flags & PFLAG_NO_LIST_REF))
471
472 aa_put_profile(profile);
473}
474
475
476
477
478
479
480
481
482
483
484
485
486
487static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
488{
489 struct aa_policy *policy;
490 struct aa_profile *child, *tmp;
491
492 if (old->parent)
493 policy = &old->parent->base;
494 else
495 policy = &old->ns->base;
496
497
498 new->parent = aa_get_profile(old->parent);
499 new->ns = aa_get_namespace(old->ns);
500 new->sid = old->sid;
501 __list_add_profile(&policy->profiles, new);
502
503 list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) {
504 aa_put_profile(child->parent);
505 child->parent = aa_get_profile(new);
506
507 list_move(&child->base.list, &new->base.profiles);
508 }
509
510
511 old->replacedby = aa_get_profile(new);
512 __list_remove_profile(old);
513}
514
515static void __profile_list_release(struct list_head *head);
516
517
518
519
520
521
522
523static void __remove_profile(struct aa_profile *profile)
524{
525
526 __profile_list_release(&profile->base.profiles);
527
528 profile->replacedby = aa_get_profile(profile->ns->unconfined);
529 __list_remove_profile(profile);
530}
531
532
533
534
535
536
537
538static void __profile_list_release(struct list_head *head)
539{
540 struct aa_profile *profile, *tmp;
541 list_for_each_entry_safe(profile, tmp, head, base.list)
542 __remove_profile(profile);
543}
544
545static void __ns_list_release(struct list_head *head);
546
547
548
549
550
551static void destroy_namespace(struct aa_namespace *ns)
552{
553 if (!ns)
554 return;
555
556 write_lock(&ns->lock);
557
558 __profile_list_release(&ns->base.profiles);
559
560
561 __ns_list_release(&ns->sub_ns);
562
563 write_unlock(&ns->lock);
564}
565
566
567
568
569
570
571
572static void __remove_namespace(struct aa_namespace *ns)
573{
574 struct aa_profile *unconfined = ns->unconfined;
575
576
577 list_del_init(&ns->base.list);
578
579
580
581
582
583
584
585 if (ns->parent)
586 ns->unconfined = aa_get_profile(ns->parent->unconfined);
587
588 destroy_namespace(ns);
589
590
591 aa_put_profile(unconfined);
592
593 aa_put_namespace(ns);
594}
595
596
597
598
599
600
601
602static void __ns_list_release(struct list_head *head)
603{
604 struct aa_namespace *ns, *tmp;
605 list_for_each_entry_safe(ns, tmp, head, base.list)
606 __remove_namespace(ns);
607
608}
609
610
611
612
613
614
615
616int __init aa_alloc_root_ns(void)
617{
618
619 root_ns = alloc_namespace(NULL, "root");
620 if (!root_ns)
621 return -ENOMEM;
622
623 return 0;
624}
625
626
627
628
629void __init aa_free_root_ns(void)
630 {
631 struct aa_namespace *ns = root_ns;
632 root_ns = NULL;
633
634 destroy_namespace(ns);
635 aa_put_namespace(ns);
636}
637
638
639
640
641
642
643
644struct aa_profile *aa_alloc_profile(const char *hname)
645{
646 struct aa_profile *profile;
647
648
649 profile = kzalloc(sizeof(*profile), GFP_KERNEL);
650 if (!profile)
651 return NULL;
652
653 if (!policy_init(&profile->base, NULL, hname)) {
654 kzfree(profile);
655 return NULL;
656 }
657
658
659 return profile;
660}
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)
677{
678 struct aa_profile *profile = NULL;
679 char *name;
680 u32 sid = aa_alloc_sid();
681
682
683 name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL);
684 if (!name)
685 goto fail;
686 sprintf(name, "%s//null-%x", parent->base.hname, sid);
687
688 profile = aa_alloc_profile(name);
689 kfree(name);
690 if (!profile)
691 goto fail;
692
693 profile->sid = sid;
694 profile->mode = APPARMOR_COMPLAIN;
695 profile->flags = PFLAG_NULL;
696 if (hat)
697 profile->flags |= PFLAG_HAT;
698
699
700 profile->parent = aa_get_profile(parent);
701 profile->ns = aa_get_namespace(parent->ns);
702
703 write_lock(&profile->ns->lock);
704 __list_add_profile(&parent->base.profiles, profile);
705 write_unlock(&profile->ns->lock);
706
707
708 return profile;
709
710fail:
711 aa_free_sid(sid);
712 return NULL;
713}
714
715
716
717
718
719
720
721
722
723
724
725static void free_profile(struct aa_profile *profile)
726{
727 struct aa_profile *p;
728
729 AA_DEBUG("%s(%p)\n", __func__, profile);
730
731 if (!profile)
732 return;
733
734 if (!list_empty(&profile->base.list)) {
735 AA_ERROR("%s: internal error, "
736 "profile '%s' still on ns list\n",
737 __func__, profile->base.name);
738 BUG();
739 }
740
741
742 policy_destroy(&profile->base);
743 aa_put_profile(profile->parent);
744
745 aa_put_namespace(profile->ns);
746 kzfree(profile->rename);
747
748 aa_free_file_rules(&profile->file);
749 aa_free_cap_rules(&profile->caps);
750 aa_free_rlimit_rules(&profile->rlimits);
751
752 aa_free_sid(profile->sid);
753 aa_put_dfa(profile->xmatch);
754 aa_put_dfa(profile->policy.dfa);
755
756
757
758
759
760
761
762
763 for (p = profile->replacedby; p; ) {
764 if (atomic_dec_and_test(&p->base.count.refcount)) {
765
766 struct aa_profile *next = p->replacedby;
767
768 p->replacedby = NULL;
769
770 free_profile(p);
771
772
773 p = next;
774 } else
775 break;
776 }
777
778 kzfree(profile);
779}
780
781
782
783
784
785void aa_free_profile_kref(struct kref *kref)
786{
787 struct aa_profile *p = container_of(kref, struct aa_profile,
788 base.count);
789
790 free_profile(p);
791}
792
793
794
795
796
797
798
799
800
801
802
803
804static struct aa_profile *__find_child(struct list_head *head, const char *name)
805{
806 return (struct aa_profile *)__policy_find(head, name);
807}
808
809
810
811
812
813
814
815
816
817
818
819static struct aa_profile *__strn_find_child(struct list_head *head,
820 const char *name, int len)
821{
822 return (struct aa_profile *)__policy_strn_find(head, name, len);
823}
824
825
826
827
828
829
830
831
832struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
833{
834 struct aa_profile *profile;
835
836 read_lock(&parent->ns->lock);
837 profile = aa_get_profile(__find_child(&parent->base.profiles, name));
838 read_unlock(&parent->ns->lock);
839
840
841 return profile;
842}
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857static struct aa_policy *__lookup_parent(struct aa_namespace *ns,
858 const char *hname)
859{
860 struct aa_policy *policy;
861 struct aa_profile *profile = NULL;
862 char *split;
863
864 policy = &ns->base;
865
866 for (split = strstr(hname, "//"); split;) {
867 profile = __strn_find_child(&policy->profiles, hname,
868 split - hname);
869 if (!profile)
870 return NULL;
871 policy = &profile->base;
872 hname = split + 2;
873 split = strstr(hname, "//");
874 }
875 if (!profile)
876 return &ns->base;
877 return &profile->base;
878}
879
880
881
882
883
884
885
886
887
888
889
890
891static struct aa_profile *__lookup_profile(struct aa_policy *base,
892 const char *hname)
893{
894 struct aa_profile *profile = NULL;
895 char *split;
896
897 for (split = strstr(hname, "//"); split;) {
898 profile = __strn_find_child(&base->profiles, hname,
899 split - hname);
900 if (!profile)
901 return NULL;
902
903 base = &profile->base;
904 hname = split + 2;
905 split = strstr(hname, "//");
906 }
907
908 profile = __find_child(&base->profiles, hname);
909
910 return profile;
911}
912
913
914
915
916
917
918
919
920struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)
921{
922 struct aa_profile *profile;
923
924 read_lock(&ns->lock);
925 profile = aa_get_profile(__lookup_profile(&ns->base, hname));
926 read_unlock(&ns->lock);
927
928
929 if (!profile && strcmp(hname, "unconfined") == 0)
930 profile = aa_get_profile(ns->unconfined);
931
932
933 return profile;
934}
935
936
937
938
939
940
941
942
943
944static int replacement_allowed(struct aa_profile *profile, int noreplace,
945 const char **info)
946{
947 if (profile) {
948 if (profile->flags & PFLAG_IMMUTABLE) {
949 *info = "cannot replace immutible profile";
950 return -EPERM;
951 } else if (noreplace) {
952 *info = "profile already exists";
953 return -EEXIST;
954 }
955 }
956 return 0;
957}
958
959
960
961
962
963
964
965
966
967static void __add_new_profile(struct aa_namespace *ns, struct aa_policy *policy,
968 struct aa_profile *profile)
969{
970 if (policy != &ns->base)
971
972 profile->parent = aa_get_profile((struct aa_profile *) policy);
973 __list_add_profile(&policy->profiles, profile);
974
975 profile->sid = aa_alloc_sid();
976 profile->ns = aa_get_namespace(ns);
977}
978
979
980
981
982
983
984
985
986
987
988
989static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,
990 int error)
991{
992 struct common_audit_data sa;
993 struct apparmor_audit_data aad = {0,};
994 sa.type = LSM_AUDIT_DATA_NONE;
995 sa.aad = &aad;
996 aad.op = op;
997 aad.name = name;
998 aad.info = info;
999 aad.error = error;
1000
1001 return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp,
1002 &sa, NULL);
1003}
1004
1005
1006
1007
1008
1009
1010
1011bool aa_may_manage_policy(int op)
1012{
1013
1014 if (aa_g_lock_policy) {
1015 audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES);
1016 return 0;
1017 }
1018
1019 if (!capable(CAP_MAC_ADMIN)) {
1020 audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);
1021 return 0;
1022 }
1023
1024 return 1;
1025}
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)
1040{
1041 struct aa_policy *policy;
1042 struct aa_profile *old_profile = NULL, *new_profile = NULL;
1043 struct aa_profile *rename_profile = NULL;
1044 struct aa_namespace *ns = NULL;
1045 const char *ns_name, *name = NULL, *info = NULL;
1046 int op = OP_PROF_REPL;
1047 ssize_t error;
1048
1049
1050 new_profile = aa_unpack(udata, size, &ns_name);
1051 if (IS_ERR(new_profile)) {
1052 error = PTR_ERR(new_profile);
1053 new_profile = NULL;
1054 goto fail;
1055 }
1056
1057
1058 ns = aa_prepare_namespace(ns_name);
1059 if (!ns) {
1060 info = "failed to prepare namespace";
1061 error = -ENOMEM;
1062 name = ns_name;
1063 goto fail;
1064 }
1065
1066 name = new_profile->base.hname;
1067
1068 write_lock(&ns->lock);
1069
1070 policy = __lookup_parent(ns, new_profile->base.hname);
1071
1072 if (!policy) {
1073 info = "parent does not exist";
1074 error = -ENOENT;
1075 goto audit;
1076 }
1077
1078 old_profile = __find_child(&policy->profiles, new_profile->base.name);
1079
1080 aa_get_profile(old_profile);
1081
1082 if (new_profile->rename) {
1083 rename_profile = __lookup_profile(&ns->base,
1084 new_profile->rename);
1085
1086 aa_get_profile(rename_profile);
1087
1088 if (!rename_profile) {
1089 info = "profile to rename does not exist";
1090 name = new_profile->rename;
1091 error = -ENOENT;
1092 goto audit;
1093 }
1094 }
1095
1096 error = replacement_allowed(old_profile, noreplace, &info);
1097 if (error)
1098 goto audit;
1099
1100 error = replacement_allowed(rename_profile, noreplace, &info);
1101 if (error)
1102 goto audit;
1103
1104audit:
1105 if (!old_profile && !rename_profile)
1106 op = OP_PROF_LOAD;
1107
1108 error = audit_policy(op, GFP_ATOMIC, name, info, error);
1109
1110 if (!error) {
1111 if (rename_profile)
1112 __replace_profile(rename_profile, new_profile);
1113 if (old_profile) {
1114
1115
1116
1117 if (rename_profile)
1118 aa_free_sid(new_profile->sid);
1119 __replace_profile(old_profile, new_profile);
1120 }
1121 if (!(old_profile || rename_profile))
1122 __add_new_profile(ns, policy, new_profile);
1123 }
1124 write_unlock(&ns->lock);
1125
1126out:
1127 aa_put_namespace(ns);
1128 aa_put_profile(rename_profile);
1129 aa_put_profile(old_profile);
1130 aa_put_profile(new_profile);
1131 if (error)
1132 return error;
1133 return size;
1134
1135fail:
1136 error = audit_policy(op, GFP_KERNEL, name, info, error);
1137 goto out;
1138}
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152ssize_t aa_remove_profiles(char *fqname, size_t size)
1153{
1154 struct aa_namespace *root, *ns = NULL;
1155 struct aa_profile *profile = NULL;
1156 const char *name = fqname, *info = NULL;
1157 ssize_t error = 0;
1158
1159 if (*fqname == 0) {
1160 info = "no profile specified";
1161 error = -ENOENT;
1162 goto fail;
1163 }
1164
1165 root = aa_current_profile()->ns;
1166
1167 if (fqname[0] == ':') {
1168 char *ns_name;
1169 name = aa_split_fqname(fqname, &ns_name);
1170 if (ns_name) {
1171
1172 ns = aa_find_namespace(root, ns_name);
1173 if (!ns) {
1174 info = "namespace does not exist";
1175 error = -ENOENT;
1176 goto fail;
1177 }
1178 }
1179 } else
1180
1181 ns = aa_get_namespace(root);
1182
1183 if (!name) {
1184
1185 write_lock(&ns->parent->lock);
1186 __remove_namespace(ns);
1187 write_unlock(&ns->parent->lock);
1188 } else {
1189
1190 write_lock(&ns->lock);
1191 profile = aa_get_profile(__lookup_profile(&ns->base, name));
1192 if (!profile) {
1193 error = -ENOENT;
1194 info = "profile does not exist";
1195 goto fail_ns_lock;
1196 }
1197 name = profile->base.hname;
1198 __remove_profile(profile);
1199 write_unlock(&ns->lock);
1200 }
1201
1202
1203 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
1204 aa_put_namespace(ns);
1205 aa_put_profile(profile);
1206 return size;
1207
1208fail_ns_lock:
1209 write_unlock(&ns->lock);
1210 aa_put_namespace(ns);
1211
1212fail:
1213 (void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);
1214 return error;
1215}
1216