1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * AppArmor security module |
4 | * |
5 | * This file contains AppArmor mediation of files |
6 | * |
7 | * Copyright (C) 1998-2008 Novell/SUSE |
8 | * Copyright 2009-2017 Canonical Ltd. |
9 | */ |
10 | |
11 | #include <linux/fs.h> |
12 | #include <linux/mount.h> |
13 | #include <linux/namei.h> |
14 | #include <uapi/linux/mount.h> |
15 | |
16 | #include "include/apparmor.h" |
17 | #include "include/audit.h" |
18 | #include "include/cred.h" |
19 | #include "include/domain.h" |
20 | #include "include/file.h" |
21 | #include "include/match.h" |
22 | #include "include/mount.h" |
23 | #include "include/path.h" |
24 | #include "include/policy.h" |
25 | |
26 | |
27 | static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) |
28 | { |
29 | if (flags & MS_RDONLY) |
30 | audit_log_format(ab, fmt: "ro" ); |
31 | else |
32 | audit_log_format(ab, fmt: "rw" ); |
33 | if (flags & MS_NOSUID) |
34 | audit_log_format(ab, fmt: ", nosuid" ); |
35 | if (flags & MS_NODEV) |
36 | audit_log_format(ab, fmt: ", nodev" ); |
37 | if (flags & MS_NOEXEC) |
38 | audit_log_format(ab, fmt: ", noexec" ); |
39 | if (flags & MS_SYNCHRONOUS) |
40 | audit_log_format(ab, fmt: ", sync" ); |
41 | if (flags & MS_REMOUNT) |
42 | audit_log_format(ab, fmt: ", remount" ); |
43 | if (flags & MS_MANDLOCK) |
44 | audit_log_format(ab, fmt: ", mand" ); |
45 | if (flags & MS_DIRSYNC) |
46 | audit_log_format(ab, fmt: ", dirsync" ); |
47 | if (flags & MS_NOATIME) |
48 | audit_log_format(ab, fmt: ", noatime" ); |
49 | if (flags & MS_NODIRATIME) |
50 | audit_log_format(ab, fmt: ", nodiratime" ); |
51 | if (flags & MS_BIND) |
52 | audit_log_format(ab, fmt: flags & MS_REC ? ", rbind" : ", bind" ); |
53 | if (flags & MS_MOVE) |
54 | audit_log_format(ab, fmt: ", move" ); |
55 | if (flags & MS_SILENT) |
56 | audit_log_format(ab, fmt: ", silent" ); |
57 | if (flags & MS_POSIXACL) |
58 | audit_log_format(ab, fmt: ", acl" ); |
59 | if (flags & MS_UNBINDABLE) |
60 | audit_log_format(ab, fmt: flags & MS_REC ? ", runbindable" : |
61 | ", unbindable" ); |
62 | if (flags & MS_PRIVATE) |
63 | audit_log_format(ab, fmt: flags & MS_REC ? ", rprivate" : |
64 | ", private" ); |
65 | if (flags & MS_SLAVE) |
66 | audit_log_format(ab, fmt: flags & MS_REC ? ", rslave" : |
67 | ", slave" ); |
68 | if (flags & MS_SHARED) |
69 | audit_log_format(ab, fmt: flags & MS_REC ? ", rshared" : |
70 | ", shared" ); |
71 | if (flags & MS_RELATIME) |
72 | audit_log_format(ab, fmt: ", relatime" ); |
73 | if (flags & MS_I_VERSION) |
74 | audit_log_format(ab, fmt: ", iversion" ); |
75 | if (flags & MS_STRICTATIME) |
76 | audit_log_format(ab, fmt: ", strictatime" ); |
77 | if (flags & MS_NOUSER) |
78 | audit_log_format(ab, fmt: ", nouser" ); |
79 | } |
80 | |
81 | /** |
82 | * audit_cb - call back for mount specific audit fields |
83 | * @ab: audit_buffer (NOT NULL) |
84 | * @va: audit struct to audit values of (NOT NULL) |
85 | */ |
86 | static void audit_cb(struct audit_buffer *ab, void *va) |
87 | { |
88 | struct common_audit_data *sa = va; |
89 | struct apparmor_audit_data *ad = aad(sa); |
90 | |
91 | if (ad->mnt.type) { |
92 | audit_log_format(ab, fmt: " fstype=" ); |
93 | audit_log_untrustedstring(ab, string: ad->mnt.type); |
94 | } |
95 | if (ad->mnt.src_name) { |
96 | audit_log_format(ab, fmt: " srcname=" ); |
97 | audit_log_untrustedstring(ab, string: ad->mnt.src_name); |
98 | } |
99 | if (ad->mnt.trans) { |
100 | audit_log_format(ab, fmt: " trans=" ); |
101 | audit_log_untrustedstring(ab, string: ad->mnt.trans); |
102 | } |
103 | if (ad->mnt.flags) { |
104 | audit_log_format(ab, fmt: " flags=\"" ); |
105 | audit_mnt_flags(ab, flags: ad->mnt.flags); |
106 | audit_log_format(ab, fmt: "\"" ); |
107 | } |
108 | if (ad->mnt.data) { |
109 | audit_log_format(ab, fmt: " options=" ); |
110 | audit_log_untrustedstring(ab, string: ad->mnt.data); |
111 | } |
112 | } |
113 | |
114 | /** |
115 | * audit_mount - handle the auditing of mount operations |
116 | * @subj_cred: cred of the subject |
117 | * @profile: the profile being enforced (NOT NULL) |
118 | * @op: operation being mediated (NOT NULL) |
119 | * @name: name of object being mediated (MAYBE NULL) |
120 | * @src_name: src_name of object being mediated (MAYBE_NULL) |
121 | * @type: type of filesystem (MAYBE_NULL) |
122 | * @trans: name of trans (MAYBE NULL) |
123 | * @flags: filesystem independent mount flags |
124 | * @data: filesystem mount flags |
125 | * @request: permissions requested |
126 | * @perms: the permissions computed for the request (NOT NULL) |
127 | * @info: extra information message (MAYBE NULL) |
128 | * @error: 0 if operation allowed else failure error code |
129 | * |
130 | * Returns: %0 or error on failure |
131 | */ |
132 | static int audit_mount(const struct cred *subj_cred, |
133 | struct aa_profile *profile, const char *op, |
134 | const char *name, const char *src_name, |
135 | const char *type, const char *trans, |
136 | unsigned long flags, const void *data, u32 request, |
137 | struct aa_perms *perms, const char *info, int error) |
138 | { |
139 | int audit_type = AUDIT_APPARMOR_AUTO; |
140 | DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); |
141 | |
142 | if (likely(!error)) { |
143 | u32 mask = perms->audit; |
144 | |
145 | if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) |
146 | mask = 0xffff; |
147 | |
148 | /* mask off perms that are not being force audited */ |
149 | request &= mask; |
150 | |
151 | if (likely(!request)) |
152 | return 0; |
153 | audit_type = AUDIT_APPARMOR_AUDIT; |
154 | } else { |
155 | /* only report permissions that were denied */ |
156 | request = request & ~perms->allow; |
157 | |
158 | if (request & perms->kill) |
159 | audit_type = AUDIT_APPARMOR_KILL; |
160 | |
161 | /* quiet known rejects, assumes quiet and kill do not overlap */ |
162 | if ((request & perms->quiet) && |
163 | AUDIT_MODE(profile) != AUDIT_NOQUIET && |
164 | AUDIT_MODE(profile) != AUDIT_ALL) |
165 | request &= ~perms->quiet; |
166 | |
167 | if (!request) |
168 | return error; |
169 | } |
170 | |
171 | ad.subj_cred = subj_cred; |
172 | ad.name = name; |
173 | ad.mnt.src_name = src_name; |
174 | ad.mnt.type = type; |
175 | ad.mnt.trans = trans; |
176 | ad.mnt.flags = flags; |
177 | if (data && (perms->audit & AA_AUDIT_DATA)) |
178 | ad.mnt.data = data; |
179 | ad.info = info; |
180 | ad.error = error; |
181 | |
182 | return aa_audit(type: audit_type, profile, ad: &ad, cb: audit_cb); |
183 | } |
184 | |
185 | /** |
186 | * match_mnt_flags - Do an ordered match on mount flags |
187 | * @dfa: dfa to match against |
188 | * @state: state to start in |
189 | * @flags: mount flags to match against |
190 | * |
191 | * Mount flags are encoded as an ordered match. This is done instead of |
192 | * checking against a simple bitmask, to allow for logical operations |
193 | * on the flags. |
194 | * |
195 | * Returns: next state after flags match |
196 | */ |
197 | static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, |
198 | unsigned long flags) |
199 | { |
200 | unsigned int i; |
201 | |
202 | for (i = 0; i <= 31 ; ++i) { |
203 | if ((1 << i) & flags) |
204 | state = aa_dfa_next(dfa, state, c: i + 1); |
205 | } |
206 | |
207 | return state; |
208 | } |
209 | |
210 | static const char * const mnt_info_table[] = { |
211 | "match succeeded" , |
212 | "failed mntpnt match" , |
213 | "failed srcname match" , |
214 | "failed type match" , |
215 | "failed flags match" , |
216 | "failed data match" , |
217 | "failed perms check" |
218 | }; |
219 | |
220 | /* |
221 | * Returns 0 on success else element that match failed in, this is the |
222 | * index into the mnt_info_table above |
223 | */ |
224 | static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, |
225 | const char *mntpnt, const char *devname, |
226 | const char *type, unsigned long flags, |
227 | void *data, bool binary, struct aa_perms *perms) |
228 | { |
229 | aa_state_t state; |
230 | |
231 | AA_BUG(!policy); |
232 | AA_BUG(!policy->dfa); |
233 | AA_BUG(!policy->perms); |
234 | AA_BUG(!perms); |
235 | |
236 | state = aa_dfa_match(dfa: policy->dfa, start, str: mntpnt); |
237 | state = aa_dfa_null_transition(dfa: policy->dfa, start: state); |
238 | if (!state) |
239 | return 1; |
240 | |
241 | if (devname) |
242 | state = aa_dfa_match(dfa: policy->dfa, start: state, str: devname); |
243 | state = aa_dfa_null_transition(dfa: policy->dfa, start: state); |
244 | if (!state) |
245 | return 2; |
246 | |
247 | if (type) |
248 | state = aa_dfa_match(dfa: policy->dfa, start: state, str: type); |
249 | state = aa_dfa_null_transition(dfa: policy->dfa, start: state); |
250 | if (!state) |
251 | return 3; |
252 | |
253 | state = match_mnt_flags(dfa: policy->dfa, state, flags); |
254 | if (!state) |
255 | return 4; |
256 | *perms = *aa_lookup_perms(policy, state); |
257 | if (perms->allow & AA_MAY_MOUNT) |
258 | return 0; |
259 | |
260 | /* only match data if not binary and the DFA flags data is expected */ |
261 | if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { |
262 | state = aa_dfa_null_transition(dfa: policy->dfa, start: state); |
263 | if (!state) |
264 | return 4; |
265 | |
266 | state = aa_dfa_match(dfa: policy->dfa, start: state, str: data); |
267 | if (!state) |
268 | return 5; |
269 | *perms = *aa_lookup_perms(policy, state); |
270 | if (perms->allow & AA_MAY_MOUNT) |
271 | return 0; |
272 | } |
273 | |
274 | /* failed at perms check, don't confuse with flags match */ |
275 | return 6; |
276 | } |
277 | |
278 | |
279 | static int path_flags(struct aa_profile *profile, const struct path *path) |
280 | { |
281 | AA_BUG(!profile); |
282 | AA_BUG(!path); |
283 | |
284 | return profile->path_flags | |
285 | (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); |
286 | } |
287 | |
288 | /** |
289 | * match_mnt_path_str - handle path matching for mount |
290 | * @subj_cred: cred of confined subject |
291 | * @profile: the confining profile |
292 | * @mntpath: for the mntpnt (NOT NULL) |
293 | * @buffer: buffer to be used to lookup mntpath |
294 | * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) |
295 | * @type: string for the dev type (MAYBE NULL) |
296 | * @flags: mount flags to match |
297 | * @data: fs mount data (MAYBE NULL) |
298 | * @binary: whether @data is binary |
299 | * @devinfo: error str if (IS_ERR(@devname)) |
300 | * |
301 | * Returns: 0 on success else error |
302 | */ |
303 | static int match_mnt_path_str(const struct cred *subj_cred, |
304 | struct aa_profile *profile, |
305 | const struct path *mntpath, char *buffer, |
306 | const char *devname, const char *type, |
307 | unsigned long flags, void *data, bool binary, |
308 | const char *devinfo) |
309 | { |
310 | struct aa_perms perms = { }; |
311 | const char *mntpnt = NULL, *info = NULL; |
312 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
313 | typeof(*rules), list); |
314 | int pos, error; |
315 | |
316 | AA_BUG(!profile); |
317 | AA_BUG(!mntpath); |
318 | AA_BUG(!buffer); |
319 | |
320 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
321 | return 0; |
322 | |
323 | error = aa_path_name(path: mntpath, flags: path_flags(profile, path: mntpath), buffer, |
324 | name: &mntpnt, info: &info, disconnected: profile->disconnected); |
325 | if (error) |
326 | goto audit; |
327 | if (IS_ERR(ptr: devname)) { |
328 | error = PTR_ERR(ptr: devname); |
329 | devname = NULL; |
330 | info = devinfo; |
331 | goto audit; |
332 | } |
333 | |
334 | error = -EACCES; |
335 | pos = do_match_mnt(policy: rules->policy, |
336 | start: rules->policy->start[AA_CLASS_MOUNT], |
337 | mntpnt, devname, type, flags, data, binary, perms: &perms); |
338 | if (pos) { |
339 | info = mnt_info_table[pos]; |
340 | goto audit; |
341 | } |
342 | error = 0; |
343 | |
344 | audit: |
345 | return audit_mount(subj_cred, profile, OP_MOUNT, name: mntpnt, src_name: devname, |
346 | type, NULL, |
347 | flags, data, AA_MAY_MOUNT, perms: &perms, info, error); |
348 | } |
349 | |
350 | /** |
351 | * match_mnt - handle path matching for mount |
352 | * @subj_cred: cred of the subject |
353 | * @profile: the confining profile |
354 | * @path: for the mntpnt (NOT NULL) |
355 | * @buffer: buffer to be used to lookup mntpath |
356 | * @devpath: path devname/src_name (MAYBE NULL) |
357 | * @devbuffer: buffer to be used to lookup devname/src_name |
358 | * @type: string for the dev type (MAYBE NULL) |
359 | * @flags: mount flags to match |
360 | * @data: fs mount data (MAYBE NULL) |
361 | * @binary: whether @data is binary |
362 | * |
363 | * Returns: 0 on success else error |
364 | */ |
365 | static int match_mnt(const struct cred *subj_cred, |
366 | struct aa_profile *profile, const struct path *path, |
367 | char *buffer, const struct path *devpath, char *devbuffer, |
368 | const char *type, unsigned long flags, void *data, |
369 | bool binary) |
370 | { |
371 | const char *devname = NULL, *info = NULL; |
372 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
373 | typeof(*rules), list); |
374 | int error = -EACCES; |
375 | |
376 | AA_BUG(!profile); |
377 | AA_BUG(devpath && !devbuffer); |
378 | |
379 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
380 | return 0; |
381 | |
382 | if (devpath) { |
383 | error = aa_path_name(path: devpath, flags: path_flags(profile, path: devpath), |
384 | buffer: devbuffer, name: &devname, info: &info, |
385 | disconnected: profile->disconnected); |
386 | if (error) |
387 | devname = ERR_PTR(error); |
388 | } |
389 | |
390 | return match_mnt_path_str(subj_cred, profile, mntpath: path, buffer, devname, |
391 | type, flags, data, binary, devinfo: info); |
392 | } |
393 | |
394 | int aa_remount(const struct cred *subj_cred, |
395 | struct aa_label *label, const struct path *path, |
396 | unsigned long flags, void *data) |
397 | { |
398 | struct aa_profile *profile; |
399 | char *buffer = NULL; |
400 | bool binary; |
401 | int error; |
402 | |
403 | AA_BUG(!label); |
404 | AA_BUG(!path); |
405 | |
406 | binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; |
407 | |
408 | buffer = aa_get_buffer(in_atomic: false); |
409 | if (!buffer) |
410 | return -ENOMEM; |
411 | error = fn_for_each_confined(label, profile, |
412 | match_mnt(subj_cred, profile, path, buffer, NULL, |
413 | NULL, NULL, |
414 | flags, data, binary)); |
415 | aa_put_buffer(buf: buffer); |
416 | |
417 | return error; |
418 | } |
419 | |
420 | int aa_bind_mount(const struct cred *subj_cred, |
421 | struct aa_label *label, const struct path *path, |
422 | const char *dev_name, unsigned long flags) |
423 | { |
424 | struct aa_profile *profile; |
425 | char *buffer = NULL, *old_buffer = NULL; |
426 | struct path old_path; |
427 | int error; |
428 | |
429 | AA_BUG(!label); |
430 | AA_BUG(!path); |
431 | |
432 | if (!dev_name || !*dev_name) |
433 | return -EINVAL; |
434 | |
435 | flags &= MS_REC | MS_BIND; |
436 | |
437 | error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); |
438 | if (error) |
439 | return error; |
440 | |
441 | buffer = aa_get_buffer(in_atomic: false); |
442 | old_buffer = aa_get_buffer(in_atomic: false); |
443 | error = -ENOMEM; |
444 | if (!buffer || !old_buffer) |
445 | goto out; |
446 | |
447 | error = fn_for_each_confined(label, profile, |
448 | match_mnt(subj_cred, profile, path, buffer, &old_path, |
449 | old_buffer, NULL, flags, NULL, false)); |
450 | out: |
451 | aa_put_buffer(buf: buffer); |
452 | aa_put_buffer(buf: old_buffer); |
453 | path_put(&old_path); |
454 | |
455 | return error; |
456 | } |
457 | |
458 | int aa_mount_change_type(const struct cred *subj_cred, |
459 | struct aa_label *label, const struct path *path, |
460 | unsigned long flags) |
461 | { |
462 | struct aa_profile *profile; |
463 | char *buffer = NULL; |
464 | int error; |
465 | |
466 | AA_BUG(!label); |
467 | AA_BUG(!path); |
468 | |
469 | /* These are the flags allowed by do_change_type() */ |
470 | flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | |
471 | MS_UNBINDABLE); |
472 | |
473 | buffer = aa_get_buffer(in_atomic: false); |
474 | if (!buffer) |
475 | return -ENOMEM; |
476 | error = fn_for_each_confined(label, profile, |
477 | match_mnt(subj_cred, profile, path, buffer, NULL, |
478 | NULL, NULL, |
479 | flags, NULL, false)); |
480 | aa_put_buffer(buf: buffer); |
481 | |
482 | return error; |
483 | } |
484 | |
485 | int aa_move_mount(const struct cred *subj_cred, |
486 | struct aa_label *label, const struct path *from_path, |
487 | const struct path *to_path) |
488 | { |
489 | struct aa_profile *profile; |
490 | char *to_buffer = NULL, *from_buffer = NULL; |
491 | int error; |
492 | |
493 | AA_BUG(!label); |
494 | AA_BUG(!from_path); |
495 | AA_BUG(!to_path); |
496 | |
497 | to_buffer = aa_get_buffer(in_atomic: false); |
498 | from_buffer = aa_get_buffer(in_atomic: false); |
499 | error = -ENOMEM; |
500 | if (!to_buffer || !from_buffer) |
501 | goto out; |
502 | |
503 | if (!our_mnt(mnt: from_path->mnt)) |
504 | /* moving a mount detached from the namespace */ |
505 | from_path = NULL; |
506 | error = fn_for_each_confined(label, profile, |
507 | match_mnt(subj_cred, profile, to_path, to_buffer, |
508 | from_path, from_buffer, |
509 | NULL, MS_MOVE, NULL, false)); |
510 | out: |
511 | aa_put_buffer(buf: to_buffer); |
512 | aa_put_buffer(buf: from_buffer); |
513 | |
514 | return error; |
515 | } |
516 | |
517 | int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, |
518 | const struct path *path, const char *orig_name) |
519 | { |
520 | struct path old_path; |
521 | int error; |
522 | |
523 | if (!orig_name || !*orig_name) |
524 | return -EINVAL; |
525 | error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); |
526 | if (error) |
527 | return error; |
528 | |
529 | error = aa_move_mount(subj_cred, label, from_path: &old_path, to_path: path); |
530 | path_put(&old_path); |
531 | |
532 | return error; |
533 | } |
534 | |
535 | int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, |
536 | const char *dev_name, const struct path *path, |
537 | const char *type, unsigned long flags, void *data) |
538 | { |
539 | struct aa_profile *profile; |
540 | char *buffer = NULL, *dev_buffer = NULL; |
541 | bool binary = true; |
542 | int error; |
543 | int requires_dev = 0; |
544 | struct path tmp_path, *dev_path = NULL; |
545 | |
546 | AA_BUG(!label); |
547 | AA_BUG(!path); |
548 | |
549 | if (type) { |
550 | struct file_system_type *fstype; |
551 | |
552 | fstype = get_fs_type(name: type); |
553 | if (!fstype) |
554 | return -ENODEV; |
555 | binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; |
556 | requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; |
557 | put_filesystem(fs: fstype); |
558 | |
559 | if (requires_dev) { |
560 | if (!dev_name || !*dev_name) |
561 | return -ENOENT; |
562 | |
563 | error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); |
564 | if (error) |
565 | return error; |
566 | dev_path = &tmp_path; |
567 | } |
568 | } |
569 | |
570 | buffer = aa_get_buffer(in_atomic: false); |
571 | if (!buffer) { |
572 | error = -ENOMEM; |
573 | goto out; |
574 | } |
575 | if (dev_path) { |
576 | dev_buffer = aa_get_buffer(in_atomic: false); |
577 | if (!dev_buffer) { |
578 | error = -ENOMEM; |
579 | goto out; |
580 | } |
581 | error = fn_for_each_confined(label, profile, |
582 | match_mnt(subj_cred, profile, path, buffer, |
583 | dev_path, dev_buffer, |
584 | type, flags, data, binary)); |
585 | } else { |
586 | error = fn_for_each_confined(label, profile, |
587 | match_mnt_path_str(subj_cred, profile, path, |
588 | buffer, dev_name, |
589 | type, flags, data, binary, NULL)); |
590 | } |
591 | |
592 | out: |
593 | aa_put_buffer(buf: buffer); |
594 | aa_put_buffer(buf: dev_buffer); |
595 | if (dev_path) |
596 | path_put(dev_path); |
597 | |
598 | return error; |
599 | } |
600 | |
601 | static int profile_umount(const struct cred *subj_cred, |
602 | struct aa_profile *profile, const struct path *path, |
603 | char *buffer) |
604 | { |
605 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
606 | typeof(*rules), list); |
607 | struct aa_perms perms = { }; |
608 | const char *name = NULL, *info = NULL; |
609 | aa_state_t state; |
610 | int error; |
611 | |
612 | AA_BUG(!profile); |
613 | AA_BUG(!path); |
614 | |
615 | if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
616 | return 0; |
617 | |
618 | error = aa_path_name(path, flags: path_flags(profile, path), buffer, name: &name, |
619 | info: &info, disconnected: profile->disconnected); |
620 | if (error) |
621 | goto audit; |
622 | |
623 | state = aa_dfa_match(dfa: rules->policy->dfa, |
624 | start: rules->policy->start[AA_CLASS_MOUNT], |
625 | str: name); |
626 | perms = *aa_lookup_perms(policy: rules->policy, state); |
627 | if (AA_MAY_UMOUNT & ~perms.allow) |
628 | error = -EACCES; |
629 | |
630 | audit: |
631 | return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL, |
632 | NULL, flags: 0, NULL, |
633 | AA_MAY_UMOUNT, perms: &perms, info, error); |
634 | } |
635 | |
636 | int aa_umount(const struct cred *subj_cred, struct aa_label *label, |
637 | struct vfsmount *mnt, int flags) |
638 | { |
639 | struct aa_profile *profile; |
640 | char *buffer = NULL; |
641 | int error; |
642 | struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; |
643 | |
644 | AA_BUG(!label); |
645 | AA_BUG(!mnt); |
646 | |
647 | buffer = aa_get_buffer(in_atomic: false); |
648 | if (!buffer) |
649 | return -ENOMEM; |
650 | |
651 | error = fn_for_each_confined(label, profile, |
652 | profile_umount(subj_cred, profile, &path, buffer)); |
653 | aa_put_buffer(buf: buffer); |
654 | |
655 | return error; |
656 | } |
657 | |
658 | /* helper fn for transition on pivotroot |
659 | * |
660 | * Returns: label for transition or ERR_PTR. Does not return NULL |
661 | */ |
662 | static struct aa_label *build_pivotroot(const struct cred *subj_cred, |
663 | struct aa_profile *profile, |
664 | const struct path *new_path, |
665 | char *new_buffer, |
666 | const struct path *old_path, |
667 | char *old_buffer) |
668 | { |
669 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
670 | typeof(*rules), list); |
671 | const char *old_name, *new_name = NULL, *info = NULL; |
672 | const char *trans_name = NULL; |
673 | struct aa_perms perms = { }; |
674 | aa_state_t state; |
675 | int error; |
676 | |
677 | AA_BUG(!profile); |
678 | AA_BUG(!new_path); |
679 | AA_BUG(!old_path); |
680 | |
681 | if (profile_unconfined(profile) || |
682 | !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) |
683 | return aa_get_newest_label(l: &profile->label); |
684 | |
685 | error = aa_path_name(path: old_path, flags: path_flags(profile, path: old_path), |
686 | buffer: old_buffer, name: &old_name, info: &info, |
687 | disconnected: profile->disconnected); |
688 | if (error) |
689 | goto audit; |
690 | error = aa_path_name(path: new_path, flags: path_flags(profile, path: new_path), |
691 | buffer: new_buffer, name: &new_name, info: &info, |
692 | disconnected: profile->disconnected); |
693 | if (error) |
694 | goto audit; |
695 | |
696 | error = -EACCES; |
697 | state = aa_dfa_match(dfa: rules->policy->dfa, |
698 | start: rules->policy->start[AA_CLASS_MOUNT], |
699 | str: new_name); |
700 | state = aa_dfa_null_transition(dfa: rules->policy->dfa, start: state); |
701 | state = aa_dfa_match(dfa: rules->policy->dfa, start: state, str: old_name); |
702 | perms = *aa_lookup_perms(policy: rules->policy, state); |
703 | |
704 | if (AA_MAY_PIVOTROOT & perms.allow) |
705 | error = 0; |
706 | |
707 | audit: |
708 | error = audit_mount(subj_cred, profile, OP_PIVOTROOT, name: new_name, |
709 | src_name: old_name, |
710 | NULL, trans: trans_name, flags: 0, NULL, AA_MAY_PIVOTROOT, |
711 | perms: &perms, info, error); |
712 | if (error) |
713 | return ERR_PTR(error); |
714 | |
715 | return aa_get_newest_label(l: &profile->label); |
716 | } |
717 | |
718 | int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label, |
719 | const struct path *old_path, |
720 | const struct path *new_path) |
721 | { |
722 | struct aa_profile *profile; |
723 | struct aa_label *target = NULL; |
724 | char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; |
725 | int error; |
726 | |
727 | AA_BUG(!label); |
728 | AA_BUG(!old_path); |
729 | AA_BUG(!new_path); |
730 | |
731 | old_buffer = aa_get_buffer(in_atomic: false); |
732 | new_buffer = aa_get_buffer(in_atomic: false); |
733 | error = -ENOMEM; |
734 | if (!old_buffer || !new_buffer) |
735 | goto out; |
736 | target = fn_label_build(label, profile, GFP_KERNEL, |
737 | build_pivotroot(subj_cred, profile, new_path, |
738 | new_buffer, |
739 | old_path, old_buffer)); |
740 | if (!target) { |
741 | info = "label build failed" ; |
742 | error = -ENOMEM; |
743 | goto fail; |
744 | } else if (!IS_ERR(ptr: target)) { |
745 | error = aa_replace_current_label(label: target); |
746 | if (error) { |
747 | /* TODO: audit target */ |
748 | aa_put_label(l: target); |
749 | goto out; |
750 | } |
751 | aa_put_label(l: target); |
752 | } else |
753 | /* already audited error */ |
754 | error = PTR_ERR(ptr: target); |
755 | out: |
756 | aa_put_buffer(buf: old_buffer); |
757 | aa_put_buffer(buf: new_buffer); |
758 | |
759 | return error; |
760 | |
761 | fail: |
762 | /* TODO: add back in auditing of new_name and old_name */ |
763 | error = fn_for_each(label, profile, |
764 | audit_mount(subj_cred, profile, OP_PIVOTROOT, |
765 | NULL /*new_name */, |
766 | NULL /* old_name */, |
767 | NULL, NULL, |
768 | 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, |
769 | error)); |
770 | goto out; |
771 | } |
772 | |