policy.c source code [linux/security/apparmor/policy.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* AppArmor security module
4	*
5	* This file contains AppArmor policy manipulation functions
6	*
7	* Copyright (C) 1998-2008 Novell/SUSE
8	* Copyright 2009-2010 Canonical Ltd.
9	*
10	* AppArmor policy is based around profiles, which contain the rules a
11	* task is confined by. Every task in the system has a profile attached
12	* to it determined either by matching "unconfined" tasks against the
13	* visible set of profiles or by following a profiles attachment rules.
14	*
15	* Each profile exists in a profile namespace which is a container of
16	* visible profiles. Each namespace contains a special "unconfined" profile,
17	* which doesn't enforce any confinement on a task beyond DAC.
18	*
19	* Namespace and profile names can be written together in either
20	* of two syntaxes.
21	* :namespace:profile - used by kernel interfaces for easy detection
22	* namespace://profile - used by policy
23	*
24	* Profile names can not start with : or @ or ^ and may not contain \0
25	*
26	* Reserved profile names
27	* unconfined - special automatically generated unconfined profile
28	* inherit - special name to indicate profile inheritance
29	* null-XXXX-YYYY - special automatically generated learning profiles
30	*
31	* Namespace names may not start with / or @ and may not contain \0 or :
32	* Reserved namespace names
33	* user-XXXX - user defined profiles
34	*
35	* a // in a profile or namespace name indicates a hierarchical name with the
36	* name before the // being the parent and the name after the child.
37	*
38	* Profile and namespace hierarchies serve two different but similar purposes.
39	* The namespace contains the set of visible profiles that are considered
40	* for attachment. The hierarchy of namespaces allows for virtualizing
41	* the namespace so that for example a chroot can have its own set of profiles
42	* which may define some local user namespaces.
43	* The profile hierarchy severs two distinct purposes,
44	* - it allows for sub profiles or hats, which allows an application to run
45	* subprograms under its own profile with different restriction than it
46	* self, and not have it use the system profile.
47	* eg. if a mail program starts an editor, the policy might make the
48	* restrictions tighter on the editor tighter than the mail program,
49	* and definitely different than general editor restrictions
50	* - it allows for binary hierarchy of profiles, so that execution history
51	* is preserved. This feature isn't exploited by AppArmor reference policy
52	* but is allowed. NOTE: this is currently suboptimal because profile
53	* aliasing is not currently implemented so that a profile for each
54	* level must be defined.
55	* eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
56	* from /bin/bash
57	*
58	* A profile or namespace name that can contain one or more // separators
59	* is referred to as an hname (hierarchical).
60	* eg. /bin/bash//bin/ls
61	*
62	* An fqname is a name that may contain both namespace and profile hnames.
63	* eg. :ns:/bin/bash//bin/ls
64	*
65	* NOTES:
66	* - locking of profile lists is currently fairly coarse. All profile
67	* lists within a namespace use the namespace lock.
68	* FIXME: move profile lists to using rcu_lists
69	*/
70
71	#include <linux/slab.h>
72	#include <linux/spinlock.h>
73	#include <linux/string.h>
74	#include <linux/cred.h>
75	#include <linux/rculist.h>
76	#include <linux/user_namespace.h>
77
78	#include "include/apparmor.h"
79	#include "include/capability.h"
80	#include "include/cred.h"
81	#include "include/file.h"
82	#include "include/ipc.h"
83	#include "include/match.h"
84	#include "include/path.h"
85	#include "include/policy.h"
86	#include "include/policy_ns.h"
87	#include "include/policy_unpack.h"
88	#include "include/resource.h"
89
90	int unprivileged_userns_apparmor_policy = `1`;
91	int aa_unprivileged_unconfined_restricted;
92
93	const char *const aa_profile_mode_names[] = {
94	"enforce",
95	"complain",
96	"kill",
97	"unconfined",
98	"user",
99	};
100
101
102	static void aa_free_pdb(struct aa_policydb *policy)
103	{
104	if (policy) {
105	aa_put_dfa(dfa: policy->dfa);
106	if (policy->perms)
107	kvfree(addr: policy->perms);
108	aa_free_str_table(table: &policy->trans);
109	}
110	}
111
112	/**
113	* aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb)
114	* @kref: kref callback for freeing of a dfa (NOT NULL)
115	*/
116	void aa_pdb_free_kref(struct kref *kref)
117	{
118	struct aa_policydb pdb = container_of(kref, struct* aa_policydb, count);
119
120	aa_free_pdb(policy: pdb);
121	}
122
123
124	struct aa_policydb *aa_alloc_pdb(gfp_t gfp)
125	{
126	struct aa_policydb pdb = kzalloc(size: sizeof(struct* aa_policydb), flags: gfp);
127
128	if (!pdb)
129	return NULL;
130
131	kref_init(kref: &pdb->count);
132
133	return pdb;
134	}
135
136
137	/**
138	* __add_profile - add a profiles to list and label tree
139	* @list: list to add it to (NOT NULL)
140	* @profile: the profile to add (NOT NULL)
141	*
142	* refcount @profile, should be put by __list_remove_profile
143	*
144	* Requires: namespace lock be held, or list not be shared
145	*/
146	static void __add_profile(struct list_head list, struct* aa_profile *profile)
147	{
148	struct aa_label *l;
149
150	AA_BUG(!list);
151	AA_BUG(!profile);
152	AA_BUG(!profile->ns);
153	AA_BUG(!mutex_is_locked(&profile->ns->lock));
154
155	list_add_rcu(new: &profile->base.list, head: list);
156	/ get list reference /
157	aa_get_profile(p: profile);
158	l = aa_label_insert(ls: &profile->ns->labels, l: &profile->label);
159	AA_BUG(l != &profile->label);
160	aa_put_label(l);
161	}
162
163	/**
164	* __list_remove_profile - remove a profile from the list it is on
165	* @profile: the profile to remove (NOT NULL)
166	*
167	* remove a profile from the list, warning generally removal should
168	* be done with __replace_profile as most profile removals are
169	* replacements to the unconfined profile.
170	*
171	* put @profile list refcount
172	*
173	* Requires: namespace lock be held, or list not have been live
174	*/
175	static void __list_remove_profile(struct aa_profile *profile)
176	{
177	AA_BUG(!profile);
178	AA_BUG(!profile->ns);
179	AA_BUG(!mutex_is_locked(&profile->ns->lock));
180
181	list_del_rcu(entry: &profile->base.list);
182	aa_put_profile(p: profile);
183	}
184
185	/**
186	* __remove_profile - remove old profile, and children
187	* @profile: profile to be replaced (NOT NULL)
188	*
189	* Requires: namespace list lock be held, or list not be shared
190	*/
191	static void __remove_profile(struct aa_profile *profile)
192	{
193	AA_BUG(!profile);
194	AA_BUG(!profile->ns);
195	AA_BUG(!mutex_is_locked(&profile->ns->lock));
196
197	/ release any children lists first /
198	__aa_profile_list_release(head: &profile->base.profiles);
199	/ released by free_profile /
200	aa_label_remove(label: &profile->label);
201	__aafs_profile_rmdir(profile);
202	__list_remove_profile(profile);
203	}
204
205	/**
206	* __aa_profile_list_release - remove all profiles on the list and put refs
207	* @head: list of profiles (NOT NULL)
208	*
209	* Requires: namespace lock be held
210	*/
211	void __aa_profile_list_release(struct list_head *head)
212	{
213	struct aa_profile profile, tmp;
214	list_for_each_entry_safe(profile, tmp, head, base.list)
215	__remove_profile(profile);
216	}
217
218	/**
219	* aa_free_data - free a data blob
220	* @ptr: data to free
221	* @arg: unused
222	*/
223	static void aa_free_data(void ptr, void* *arg)
224	{
225	struct aa_data *data = ptr;
226
227	kfree_sensitive(objp: data->data);
228	kfree_sensitive(objp: data->key);
229	kfree_sensitive(objp: data);
230	}
231
232	static void free_attachment(struct aa_attachment *attach)
233	{
234	int i;
235
236	for (i = `0`; i < attach->xattr_count; i++)
237	kfree_sensitive(objp: attach->xattrs[i]);
238	kfree_sensitive(objp: attach->xattrs);
239	aa_put_pdb(pdb: attach->xmatch);
240	}
241
242	static void free_ruleset(struct aa_ruleset *rules)
243	{
244	int i;
245
246	aa_put_pdb(pdb: rules->file);
247	aa_put_pdb(pdb: rules->policy);
248	aa_free_cap_rules(caps: &rules->caps);
249	aa_free_rlimit_rules(rlims: &rules->rlimits);
250
251	for (i = `0`; i < rules->secmark_count; i++)
252	kfree_sensitive(objp: rules->secmark[i].label);
253	kfree_sensitive(objp: rules->secmark);
254	kfree_sensitive(objp: rules);
255	}
256
257	struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
258	{
259	struct aa_ruleset *rules;
260
261	rules = kzalloc(size: sizeof(*rules), flags: gfp);
262	if (rules)
263	INIT_LIST_HEAD(list: &rules->list);
264
265	return rules;
266	}
267
268	/**
269	* aa_free_profile - free a profile
270	* @profile: the profile to free (MAYBE NULL)
271	*
272	* Free a profile, its hats and null_profile. All references to the profile,
273	* its hats and null_profile must have been put.
274	*
275	* If the profile was referenced from a task context, free_profile() will
276	* be called from an rcu callback routine, so we must not sleep here.
277	*/
278	void aa_free_profile(struct aa_profile *profile)
279	{
280	struct aa_ruleset rule, tmp;
281	struct rhashtable *rht;
282
283	AA_DEBUG("%s(%p)\n", __func__, profile);
284
285	if (!profile)
286	return;
287
288	/ free children profiles /
289	aa_policy_destroy(policy: &profile->base);
290	aa_put_profile(rcu_access_pointer(profile->parent));
291
292	aa_put_ns(ns: profile->ns);
293	kfree_sensitive(objp: profile->rename);
294	kfree_sensitive(objp: profile->disconnected);
295
296	free_attachment(attach: &profile->attach);
297
298	/*
299	* at this point there are no tasks that can have a reference
300	* to rules
301	*/
302	list_for_each_entry_safe(rule, tmp, &profile->rules, list) {
303	list_del_init(entry: &rule->list);
304	free_ruleset(rules: rule);
305	}
306	kfree_sensitive(objp: profile->dirname);
307
308	if (profile->data) {
309	rht = profile->data;
310	profile->data = NULL;
311	rhashtable_free_and_destroy(ht: rht, free_fn: aa_free_data, NULL);
312	kfree_sensitive(objp: rht);
313	}
314
315	kfree_sensitive(objp: profile->hash);
316	aa_put_loaddata(data: profile->rawdata);
317	aa_label_destroy(label: &profile->label);
318
319	kfree_sensitive(objp: profile);
320	}
321
322	/**
323	* aa_alloc_profile - allocate, initialize and return a new profile
324	* @hname: name of the profile (NOT NULL)
325	* @proxy: proxy to use OR null if to allocate a new one
326	* @gfp: allocation type
327	*
328	* Returns: refcount profile or NULL on failure
329	*/
330	struct aa_profile aa_alloc_profile(const* char hname, struct* aa_proxy *proxy,
331	gfp_t gfp)
332	{
333	struct aa_profile *profile;
334	struct aa_ruleset *rules;
335
336	/ freed by free_profile - usually through aa_put_profile /
337	profile = kzalloc(struct_size(profile, label.vec, `2`), flags: gfp);
338	if (!profile)
339	return NULL;
340
341	if (!aa_policy_init(policy: &profile->base, NULL, name: hname, gfp))
342	goto fail;
343	if (!aa_label_init(label: &profile->label, size: `1`, gfp))
344	goto fail;
345
346	INIT_LIST_HEAD(list: &profile->rules);
347
348	/ allocate the first ruleset, but leave it empty /
349	rules = aa_alloc_ruleset(gfp);
350	if (!rules)
351	goto fail;
352	list_add(new: &rules->list, head: &profile->rules);
353
354	/ update being set needed by fs interface /
355	if (!proxy) {
356	proxy = aa_alloc_proxy(l: &profile->label, gfp);
357	if (!proxy)
358	goto fail;
359	} else
360	aa_get_proxy(proxy);
361	profile->label.proxy = proxy;
362
363	profile->label.hname = profile->base.hname;
364	profile->label.flags \|= FLAG_PROFILE;
365	profile->label.vec[`0`] = profile;
366
367	/ refcount released by caller /
368	return profile;
369
370	fail:
371	aa_free_profile(profile);
372
373	return NULL;
374	}
375
376	/ TODO: profile accounting - setup in remove /
377
378	/**
379	* __strn_find_child - find a profile on @head list using substring of @name
380	* @head: list to search (NOT NULL)
381	* @name: name of profile (NOT NULL)
382	* @len: length of @name substring to match
383	*
384	* Requires: rcu_read_lock be held
385	*
386	* Returns: unrefcounted profile ptr, or NULL if not found
387	*/
388	static struct aa_profile __strn_find_child(struct* list_head *head,
389	const char name, int* len)
390	{
391	return (struct aa_profile *)__policy_strn_find(head, str: name, len);
392	}
393
394	/**
395	* __find_child - find a profile on @head list with a name matching @name
396	* @head: list to search (NOT NULL)
397	* @name: name of profile (NOT NULL)
398	*
399	* Requires: rcu_read_lock be held
400	*
401	* Returns: unrefcounted profile ptr, or NULL if not found
402	*/
403	static struct aa_profile __find_child(struct* list_head head, const* char *name)
404	{
405	return __strn_find_child(head, name, strlen(name));
406	}
407
408	/**
409	* aa_find_child - find a profile by @name in @parent
410	* @parent: profile to search (NOT NULL)
411	* @name: profile name to search for (NOT NULL)
412	*
413	* Returns: a refcounted profile or NULL if not found
414	*/
415	struct aa_profile aa_find_child(struct* aa_profile parent, const* char *name)
416	{
417	struct aa_profile *profile;
418
419	rcu_read_lock();
420	do {
421	profile = __find_child(head: &parent->base.profiles, name);
422	} while (profile && !aa_get_profile_not0(p: profile));
423	rcu_read_unlock();
424
425	/ refcount released by caller /
426	return profile;
427	}
428
429	/**
430	* __lookup_parent - lookup the parent of a profile of name @hname
431	* @ns: namespace to lookup profile in (NOT NULL)
432	* @hname: hierarchical profile name to find parent of (NOT NULL)
433	*
434	* Lookups up the parent of a fully qualified profile name, the profile
435	* that matches hname does not need to exist, in general this
436	* is used to load a new profile.
437	*
438	* Requires: rcu_read_lock be held
439	*
440	* Returns: unrefcounted policy or NULL if not found
441	*/
442	static struct aa_policy __lookup_parent(struct* aa_ns *ns,
443	const char *hname)
444	{
445	struct aa_policy *policy;
446	struct aa_profile *profile = NULL;
447	char *split;
448
449	policy = &ns->base;
450
451	for (split = strstr(hname, "//"); split;) {
452	profile = __strn_find_child(head: &policy->profiles, name: hname,
453	len: split - hname);
454	if (!profile)
455	return NULL;
456	policy = &profile->base;
457	hname = split + `2`;
458	split = strstr(hname, "//");
459	}
460	if (!profile)
461	return &ns->base;
462	return &profile->base;
463	}
464
465	/**
466	* __create_missing_ancestors - create place holders for missing ancestores
467	* @ns: namespace to lookup profile in (NOT NULL)
468	* @hname: hierarchical profile name to find parent of (NOT NULL)
469	* @gfp: type of allocation.
470	*
471	* Requires: ns mutex lock held
472	*
473	* Return: unrefcounted parent policy on success or %NULL if error creating
474	* place holder profiles.
475	*/
476	static struct aa_policy __create_missing_ancestors(struct* aa_ns *ns,
477	const char *hname,
478	gfp_t gfp)
479	{
480	struct aa_policy *policy;
481	struct aa_profile parent, profile = NULL;
482	char *split;
483
484	AA_BUG(!ns);
485	AA_BUG(!hname);
486
487	policy = &ns->base;
488
489	for (split = strstr(hname, "//"); split;) {
490	parent = profile;
491	profile = __strn_find_child(head: &policy->profiles, name: hname,
492	len: split - hname);
493	if (!profile) {
494	const char *name = kstrndup(s: hname, len: split - hname,
495	gfp);
496	if (!name)
497	return NULL;
498	profile = aa_alloc_null(parent, name, gfp);
499	kfree(objp: name);
500	if (!profile)
501	return NULL;
502	if (!parent)
503	profile->ns = aa_get_ns(ns);
504	}
505	policy = &profile->base;
506	hname = split + `2`;
507	split = strstr(hname, "//");
508	}
509	if (!profile)
510	return &ns->base;
511	return &profile->base;
512	}
513
514	/**
515	* __lookupn_profile - lookup the profile matching @hname
516	* @base: base list to start looking up profile name from (NOT NULL)
517	* @hname: hierarchical profile name (NOT NULL)
518	* @n: length of @hname
519	*
520	* Requires: rcu_read_lock be held
521	*
522	* Returns: unrefcounted profile pointer or NULL if not found
523	*
524	* Do a relative name lookup, recursing through profile tree.
525	*/
526	static struct aa_profile __lookupn_profile(struct* aa_policy *base,
527	const char *hname, size_t n)
528	{
529	struct aa_profile *profile = NULL;
530	const char *split;
531
532	for (split = strnstr(hname, "//", n); split;
533	split = strnstr(hname, "//", n)) {
534	profile = __strn_find_child(head: &base->profiles, name: hname,
535	len: split - hname);
536	if (!profile)
537	return NULL;
538
539	base = &profile->base;
540	n -= split + `2` - hname;
541	hname = split + `2`;
542	}
543
544	if (n)
545	return __strn_find_child(head: &base->profiles, name: hname, len: n);
546	return NULL;
547	}
548
549	static struct aa_profile __lookup_profile(struct* aa_policy *base,
550	const char *hname)
551	{
552	return __lookupn_profile(base, hname, strlen(hname));
553	}
554
555	/**
556	* aa_lookupn_profile - find a profile by its full or partial name
557	* @ns: the namespace to start from (NOT NULL)
558	* @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
559	* @n: size of @hname
560	*
561	* Returns: refcounted profile or NULL if not found
562	*/
563	struct aa_profile aa_lookupn_profile(struct* aa_ns ns, const* char *hname,
564	size_t n)
565	{
566	struct aa_profile *profile;
567
568	rcu_read_lock();
569	do {
570	profile = __lookupn_profile(base: &ns->base, hname, n);
571	} while (profile && !aa_get_profile_not0(p: profile));
572	rcu_read_unlock();
573
574	/ the unconfined profile is not in the regular profile list /
575	if (!profile && strncmp(hname, "unconfined", n) == `0`)
576	profile = aa_get_newest_profile(p: ns->unconfined);
577
578	/ refcount released by caller /
579	return profile;
580	}
581
582	struct aa_profile aa_lookup_profile(struct* aa_ns ns, const* char *hname)
583	{
584	return aa_lookupn_profile(ns, hname, strlen(hname));
585	}
586
587	struct aa_profile aa_fqlookupn_profile(struct* aa_label *base,
588	const char *fqname, size_t n)
589	{
590	struct aa_profile *profile;
591	struct aa_ns *ns;
592	const char name, ns_name;
593	size_t ns_len;
594
595	name = aa_splitn_fqname(fqname, n, ns_name: &ns_name, ns_len: &ns_len);
596	if (ns_name) {
597	ns = aa_lookupn_ns(labels_ns(base), name: ns_name, n: ns_len);
598	if (!ns)
599	return NULL;
600	} else
601	ns = aa_get_ns(labels_ns(base));
602
603	if (name)
604	profile = aa_lookupn_profile(ns, hname: name, n: n - (name - fqname));
605	else if (ns)
606	/ default profile for ns, currently unconfined /
607	profile = aa_get_newest_profile(p: ns->unconfined);
608	else
609	profile = NULL;
610	aa_put_ns(ns);
611
612	return profile;
613	}
614
615
616	struct aa_profile aa_alloc_null(struct* aa_profile parent, const* char *name,
617	gfp_t gfp)
618	{
619	struct aa_profile *profile;
620	struct aa_ruleset *rules;
621
622	profile = aa_alloc_profile(hname: name, NULL, gfp);
623	if (!profile)
624	return NULL;
625
626	/ TODO: ideally we should inherit abi from parent /
627	profile->label.flags \|= FLAG_NULL;
628	rules = list_first_entry(&profile->rules, typeof(*rules), list);
629	rules->file = aa_get_pdb(pdb: nullpdb);
630	rules->policy = aa_get_pdb(pdb: nullpdb);
631
632	if (parent) {
633	profile->path_flags = parent->path_flags;
634
635	/ released on free_profile /
636	rcu_assign_pointer(profile->parent, aa_get_profile(parent));
637	profile->ns = aa_get_ns(ns: parent->ns);
638	}
639
640	return profile;
641	}
642
643	/**
644	* aa_new_learning_profile - create or find a null-X learning profile
645	* @parent: profile that caused this profile to be created (NOT NULL)
646	* @hat: true if the null- learning profile is a hat
647	* @base: name to base the null profile off of
648	* @gfp: type of allocation
649	*
650	* Find/Create a null- complain mode profile used in learning mode. The
651	* name of the profile is unique and follows the format of parent//null-XXX.
652	* where XXX is based on the @name or if that fails or is not supplied
653	* a unique number
654	*
655	* null profiles are added to the profile list but the list does not
656	* hold a count on them so that they are automatically released when
657	* not in use.
658	*
659	* Returns: new refcounted profile else NULL on failure
660	*/
661	struct aa_profile aa_new_learning_profile(struct* aa_profile *parent, bool hat,
662	const char *base, gfp_t gfp)
663	{
664	struct aa_profile p, profile;
665	const char *bname;
666	char *name = NULL;
667
668	AA_BUG(!parent);
669
670	if (base) {
671	name = kmalloc(strlen(parent->base.hname) + `8` + strlen(base),
672	flags: gfp);
673	if (name) {
674	sprintf(buf: name, fmt: "%s//null-%s", parent->base.hname, base);
675	goto name;
676	}
677	/ fall through to try shorter uniq /
678	}
679
680	name = kmalloc(strlen(parent->base.hname) + `2` + `7` + `8`, flags: gfp);
681	if (!name)
682	return NULL;
683	sprintf(buf: name, fmt: "%s//null-%x", parent->base.hname,
684	atomic_inc_return(v: &parent->ns->uniq_null));
685
686	name:
687	/ lookup to see if this is a dup creation /
688	bname = basename(hname: name);
689	profile = aa_find_child(parent, name: bname);
690	if (profile)
691	goto out;
692
693	profile = aa_alloc_null(parent, name, gfp);
694	if (!profile)
695	goto fail;
696	profile->mode = APPARMOR_COMPLAIN;
697	if (hat)
698	profile->label.flags \|= FLAG_HAT;
699
700	mutex_lock_nested(lock: &profile->ns->lock, subclass: profile->ns->level);
701	p = __find_child(head: &parent->base.profiles, name: bname);
702	if (p) {
703	aa_free_profile(profile);
704	profile = aa_get_profile(p);
705	} else {
706	__add_profile(list: &parent->base.profiles, profile);
707	}
708	mutex_unlock(lock: &profile->ns->lock);
709
710	/ refcount released by caller /
711	out:
712	kfree(objp: name);
713
714	return profile;
715
716	fail:
717	kfree(objp: name);
718	aa_free_profile(profile);
719	return NULL;
720	}
721
722	/**
723	* replacement_allowed - test to see if replacement is allowed
724	* @profile: profile to test if it can be replaced (MAYBE NULL)
725	* @noreplace: true if replacement shouldn't be allowed but addition is okay
726	* @info: Returns - info about why replacement failed (NOT NULL)
727	*
728	* Returns: %0 if replacement allowed else error code
729	*/
730	static int replacement_allowed(struct aa_profile profile, int* noreplace,
731	const char **info)
732	{
733	if (profile) {
734	if (profile->label.flags & FLAG_IMMUTIBLE) {
735	*info = "cannot replace immutable profile";
736	return -EPERM;
737	} else if (noreplace) {
738	*info = "profile already exists";
739	return -EEXIST;
740	}
741	}
742	return `0`;
743	}
744
745	/ audit callback for net specific fields /
746	static void audit_cb(struct audit_buffer ab, void* *va)
747	{
748	struct common_audit_data *sa = va;
749	struct apparmor_audit_data *ad = aad(sa);
750
751	if (ad->iface.ns) {
752	audit_log_format(ab, fmt: " ns=");
753	audit_log_untrustedstring(ab, string: ad->iface.ns);
754	}
755	}
756
757	/**
758	* audit_policy - Do auditing of policy changes
759	* @subj_label: label to check if it can manage policy
760	* @op: policy operation being performed
761	* @ns_name: name of namespace being manipulated
762	* @name: name of profile being manipulated (NOT NULL)
763	* @info: any extra information to be audited (MAYBE NULL)
764	* @error: error code
765	*
766	* Returns: the error to be returned after audit is done
767	*/
768	static int audit_policy(struct aa_label subj_label, const* char *op,
769	const char ns_name, const* char *name,
770	const char info, int* error)
771	{
772	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
773
774	ad.iface.ns = ns_name;
775	ad.name = name;
776	ad.info = info;
777	ad.error = error;
778	ad.subj_label = subj_label;
779
780	aa_audit_msg(type: AUDIT_APPARMOR_STATUS, ad: &ad, cb: audit_cb);
781
782	return error;
783	}
784
785	/ don't call out to other LSMs in the stack for apparmor policy admin*
786	* permissions
787	*/
788	static int policy_ns_capable(const struct cred *subj_cred,
789	struct aa_label *label,
790	struct user_namespace userns, int* cap)
791	{
792	int err;
793
794	/ check for MAC_ADMIN cap in cred /
795	err = cap_capable(cred: subj_cred, ns: userns, cap, CAP_OPT_NONE);
796	if (!err)
797	err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
798
799	return err;
800	}
801
802	/**
803	* aa_policy_view_capable - check if viewing policy in at @ns is allowed
804	* @subj_cred: cred of subject
805	* @label: label that is trying to view policy in ns
806	* @ns: namespace being viewed by @label (may be NULL if @label's ns)
807	*
808	* Returns: true if viewing policy is allowed
809	*
810	* If @ns is NULL then the namespace being viewed is assumed to be the
811	* tasks current namespace.
812	*/
813	bool aa_policy_view_capable(const struct cred *subj_cred,
814	struct aa_label label, struct* aa_ns *ns)
815	{
816	struct user_namespace *user_ns = subj_cred->user_ns;
817	struct aa_ns *view_ns = labels_view(label);
818	bool root_in_user_ns = uid_eq(current_euid(), right: make_kuid(from: user_ns, uid: `0`)) \|\|
819	in_egroup_p(make_kgid(from: user_ns, gid: `0`));
820	bool response = false;
821	if (!ns)
822	ns = view_ns;
823
824	if (root_in_user_ns && aa_ns_visible(curr: view_ns, view: ns, subns: true) &&
825	(user_ns == &init_user_ns \|\|
826	(unprivileged_userns_apparmor_policy != `0` &&
827	user_ns->level == view_ns->level)))
828	response = true;
829
830	return response;
831	}
832
833	bool aa_policy_admin_capable(const struct cred *subj_cred,
834	struct aa_label label, struct* aa_ns *ns)
835	{
836	struct user_namespace *user_ns = subj_cred->user_ns;
837	bool capable = policy_ns_capable(subj_cred, label, userns: user_ns,
838	CAP_MAC_ADMIN) == `0`;
839
840	AA_DEBUG("cap_mac_admin? %d\n", capable);
841	AA_DEBUG("policy locked? %d\n", aa_g_lock_policy);
842
843	return aa_policy_view_capable(subj_cred, label, ns) && capable &&
844	!aa_g_lock_policy;
845	}
846
847	bool aa_current_policy_view_capable(struct aa_ns *ns)
848	{
849	struct aa_label *label;
850	bool res;
851
852	label = __begin_current_label_crit_section();
853	res = aa_policy_view_capable(current_cred(), label, ns);
854	__end_current_label_crit_section(label);
855
856	return res;
857	}
858
859	bool aa_current_policy_admin_capable(struct aa_ns *ns)
860	{
861	struct aa_label *label;
862	bool res;
863
864	label = __begin_current_label_crit_section();
865	res = aa_policy_admin_capable(current_cred(), label, ns);
866	__end_current_label_crit_section(label);
867
868	return res;
869	}
870
871	/**
872	* aa_may_manage_policy - can the current task manage policy
873	* @subj_cred: subjects cred
874	* @label: label to check if it can manage policy
875	* @ns: namespace being managed by @label (may be NULL if @label's ns)
876	* @mask: contains the policy manipulation operation being done
877	*
878	* Returns: 0 if the task is allowed to manipulate policy else error
879	*/
880	int aa_may_manage_policy(const struct cred subj_cred, struct* aa_label *label,
881	struct aa_ns *ns, u32 mask)
882	{
883	const char *op;
884
885	if (mask & AA_MAY_REMOVE_POLICY)
886	op = OP_PROF_RM;
887	else if (mask & AA_MAY_REPLACE_POLICY)
888	op = OP_PROF_REPL;
889	else
890	op = OP_PROF_LOAD;
891
892	/ check if loading policy is locked out /
893	if (aa_g_lock_policy)
894	return audit_policy(subj_label: label, op, NULL, NULL, info: "policy_locked",
895	error: -EACCES);
896
897	if (!aa_policy_admin_capable(subj_cred, label, ns))
898	return audit_policy(subj_label: label, op, NULL, NULL, info: "not policy admin",
899	error: -EACCES);
900
901	/ TODO: add fine grained mediation of policy loads /
902	return `0`;
903	}
904
905	static struct aa_profile __list_lookup_parent(struct* list_head *lh,
906	struct aa_profile *profile)
907	{
908	const char *base = basename(hname: profile->base.hname);
909	long len = base - profile->base.hname;
910	struct aa_load_ent *ent;
911
912	/ parent won't have trailing // so remove from len /
913	if (len <= `2`)
914	return NULL;
915	len -= `2`;
916
917	list_for_each_entry(ent, lh, list) {
918	if (ent->new == profile)
919	continue;
920	if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
921	`0` && ent->new->base.hname[len] == `0`)
922	return ent->new;
923	}
924
925	return NULL;
926	}
927
928	/**
929	* __replace_profile - replace @old with @new on a list
930	* @old: profile to be replaced (NOT NULL)
931	* @new: profile to replace @old with (NOT NULL)
932	*
933	* Will duplicate and refcount elements that @new inherits from @old
934	* and will inherit @old children.
935	*
936	* refcount @new for list, put @old list refcount
937	*
938	* Requires: namespace list lock be held, or list not be shared
939	*/
940	static void __replace_profile(struct aa_profile old, struct* aa_profile *new)
941	{
942	struct aa_profile child, tmp;
943
944	if (!list_empty(head: &old->base.profiles)) {
945	LIST_HEAD(lh);
946	list_splice_init_rcu(list: &old->base.profiles, head: &lh, sync: synchronize_rcu);
947
948	list_for_each_entry_safe(child, tmp, &lh, base.list) {
949	struct aa_profile *p;
950
951	list_del_init(entry: &child->base.list);
952	p = __find_child(head: &new->base.profiles, name: child->base.name);
953	if (p) {
954	/ @p replaces @child /
955	__replace_profile(old: child, new: p);
956	continue;
957	}
958
959	/ inherit @child and its children /
960	/ TODO: update hname of inherited children /
961	/ list refcount transferred to @new /
962	p = aa_deref_parent(p: child);
963	rcu_assign_pointer(child->parent, aa_get_profile(new));
964	list_add_rcu(new: &child->base.list, head: &new->base.profiles);
965	aa_put_profile(p);
966	}
967	}
968
969	if (!rcu_access_pointer(new->parent)) {
970	struct aa_profile *parent = aa_deref_parent(p: old);
971	rcu_assign_pointer(new->parent, aa_get_profile(parent));
972	}
973	aa_label_replace(old: &old->label, new: &new->label);
974	/ migrate dents must come after label replacement b/c update /
975	__aafs_profile_migrate_dents(old, new);
976
977	if (list_empty(head: &new->base.list)) {
978	/ new is not on a list already /
979	list_replace_rcu(old: &old->base.list, new: &new->base.list);
980	aa_get_profile(p: new);
981	aa_put_profile(p: old);
982	} else
983	__list_remove_profile(profile: old);
984	}
985
986	/**
987	* __lookup_replace - lookup replacement information for a profile
988	* @ns: namespace the lookup occurs in
989	* @hname: name of profile to lookup
990	* @noreplace: true if not replacing an existing profile
991	* @p: Returns - profile to be replaced
992	* @info: Returns - info string on why lookup failed
993	*
994	* Returns: profile to replace (no ref) on success else ptr error
995	*/
996	static int __lookup_replace(struct aa_ns ns, const* char *hname,
997	bool noreplace, struct aa_profile **p,
998	const char **info)
999	{
1000	*p = aa_get_profile(p: __lookup_profile(base: &ns->base, hname));
1001	if (*p) {
1002	int error = replacement_allowed(profile: *p, noreplace, info);
1003	if (error) {
1004	*info = "profile can not be replaced";
1005	return error;
1006	}
1007	}
1008
1009	return `0`;
1010	}
1011
1012	static void share_name(struct aa_profile old, struct* aa_profile *new)
1013	{
1014	aa_put_str(str: new->base.hname);
1015	aa_get_str(str: old->base.hname);
1016	new->base.hname = old->base.hname;
1017	new->base.name = old->base.name;
1018	new->label.hname = old->label.hname;
1019	}
1020
1021	/ Update to newest version of parent after previous replacements*
1022	* Returns: unrefcount newest version of parent
1023	*/
1024	static struct aa_profile update_to_newest_parent(struct* aa_profile *new)
1025	{
1026	struct aa_profile parent, newest;
1027
1028	parent = rcu_dereference_protected(new->parent,
1029	mutex_is_locked(&new->ns->lock));
1030	newest = aa_get_newest_profile(p: parent);
1031
1032	/ parent replaced in this atomic set? /
1033	if (newest != parent) {
1034	aa_put_profile(p: parent);
1035	rcu_assign_pointer(new->parent, newest);
1036	} else
1037	aa_put_profile(p: newest);
1038
1039	return newest;
1040	}
1041
1042	/**
1043	* aa_replace_profiles - replace profile(s) on the profile list
1044	* @policy_ns: namespace load is occurring on
1045	* @label: label that is attempting to load/replace policy
1046	* @mask: permission mask
1047	* @udata: serialized data stream (NOT NULL)
1048	*
1049	* unpack and replace a profile on the profile list and uses of that profile
1050	* by any task creds via invalidating the old version of the profile, which
1051	* tasks will notice to update their own cred. If the profile does not exist
1052	* on the profile list it is added.
1053	*
1054	* Returns: size of data consumed else error code on failure.
1055	*/
1056	ssize_t aa_replace_profiles(struct aa_ns policy_ns, struct* aa_label *label,
1057	u32 mask, struct aa_loaddata *udata)
1058	{
1059	const char ns_name = NULL, info = NULL;
1060	struct aa_ns *ns = NULL;
1061	struct aa_load_ent ent, tmp;
1062	struct aa_loaddata *rawdata_ent;
1063	const char *op;
1064	ssize_t count, error;
1065	LIST_HEAD(lh);
1066
1067	op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
1068	aa_get_loaddata(data: udata);
1069	/ released below /
1070	error = aa_unpack(udata, lh: &lh, ns: &ns_name);
1071	if (error)
1072	goto out;
1073
1074	/ ensure that profiles are all for the same ns*
1075	* TODO: update locking to remove this constaint. All profiles in
1076	* the load set must succeed as a set or the load will
1077	* fail. Sort ent list and take ns locks in hierarchy order
1078	*/
1079	count = `0`;
1080	list_for_each_entry(ent, &lh, list) {
1081	if (ns_name) {
1082	if (ent->ns_name &&
1083	strcmp(ent->ns_name, ns_name) != `0`) {
1084	info = "policy load has mixed namespaces";
1085	error = -EACCES;
1086	goto fail;
1087	}
1088	} else if (ent->ns_name) {
1089	if (count) {
1090	info = "policy load has mixed namespaces";
1091	error = -EACCES;
1092	goto fail;
1093	}
1094	ns_name = ent->ns_name;
1095	} else
1096	count++;
1097	}
1098	if (ns_name) {
1099	ns = aa_prepare_ns(root: policy_ns ? policy_ns : labels_ns(label),
1100	name: ns_name);
1101	if (IS_ERR(ptr: ns)) {
1102	op = OP_PROF_LOAD;
1103	info = "failed to prepare namespace";
1104	error = PTR_ERR(ptr: ns);
1105	ns = NULL;
1106	ent = NULL;
1107	goto fail;
1108	}
1109	} else
1110	ns = aa_get_ns(ns: policy_ns ? policy_ns : labels_ns(label));
1111
1112	mutex_lock_nested(lock: &ns->lock, subclass: ns->level);
1113	/ check for duplicate rawdata blobs: space and file dedup /
1114	if (!list_empty(head: &ns->rawdata_list)) {
1115	list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
1116	if (aa_rawdata_eq(l: rawdata_ent, r: udata)) {
1117	struct aa_loaddata *tmp;
1118
1119	tmp = __aa_get_loaddata(data: rawdata_ent);
1120	/ check we didn't fail the race /
1121	if (tmp) {
1122	aa_put_loaddata(data: udata);
1123	udata = tmp;
1124	break;
1125	}
1126	}
1127	}
1128	}
1129	/ setup parent and ns info /
1130	list_for_each_entry(ent, &lh, list) {
1131	struct aa_policy *policy;
1132	struct aa_profile *p;
1133
1134	if (aa_g_export_binary)
1135	ent->new->rawdata = aa_get_loaddata(data: udata);
1136	error = __lookup_replace(ns, hname: ent->new->base.hname,
1137	noreplace: !(mask & AA_MAY_REPLACE_POLICY),
1138	p: &ent->old, info: &info);
1139	if (error)
1140	goto fail_lock;
1141
1142	if (ent->new->rename) {
1143	error = __lookup_replace(ns, hname: ent->new->rename,
1144	noreplace: !(mask & AA_MAY_REPLACE_POLICY),
1145	p: &ent->rename, info: &info);
1146	if (error)
1147	goto fail_lock;
1148	}
1149
1150	/ released when @new is freed /
1151	ent->new->ns = aa_get_ns(ns);
1152
1153	if (ent->old \|\| ent->rename)
1154	continue;
1155
1156	/ no ref on policy only use inside lock /
1157	p = NULL;
1158	policy = __lookup_parent(ns, hname: ent->new->base.hname);
1159	if (!policy) {
1160	/ first check for parent in the load set /
1161	p = __list_lookup_parent(lh: &lh, profile: ent->new);
1162	if (!p) {
1163	/*
1164	* fill in missing parent with null
1165	* profile that doesn't have
1166	* permissions. This allows for
1167	* individual profile loading where
1168	* the child is loaded before the
1169	* parent, and outside of the current
1170	* atomic set. This unfortunately can
1171	* happen with some userspaces. The
1172	* null profile will be replaced once
1173	* the parent is loaded.
1174	*/
1175	policy = __create_missing_ancestors(ns,
1176	hname: ent->new->base.hname,
1177	GFP_KERNEL);
1178	if (!policy) {
1179	error = -ENOENT;
1180	info = "parent does not exist";
1181	goto fail_lock;
1182	}
1183	}
1184	}
1185	if (!p && policy != &ns->base)
1186	/ released on profile replacement or free_profile /
1187	p = (struct aa_profile *) policy;
1188	rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
1189	}
1190
1191	/ create new fs entries for introspection if needed /
1192	if (!udata->dents[AAFS_LOADDATA_DIR] && aa_g_export_binary) {
1193	error = __aa_fs_create_rawdata(ns, rawdata: udata);
1194	if (error) {
1195	info = "failed to create raw_data dir and files";
1196	ent = NULL;
1197	goto fail_lock;
1198	}
1199	}
1200	list_for_each_entry(ent, &lh, list) {
1201	if (!ent->old) {
1202	struct dentry *parent;
1203	if (rcu_access_pointer(ent->new->parent)) {
1204	struct aa_profile *p;
1205	p = aa_deref_parent(p: ent->new);
1206	parent = prof_child_dir(p);
1207	} else
1208	parent = ns_subprofs_dir(ent->new->ns);
1209	error = __aafs_profile_mkdir(profile: ent->new, parent);
1210	}
1211
1212	if (error) {
1213	info = "failed to create";
1214	goto fail_lock;
1215	}
1216	}
1217
1218	/ Done with checks that may fail - do actual replacement /
1219	__aa_bump_ns_revision(ns);
1220	if (aa_g_export_binary)
1221	__aa_loaddata_update(data: udata, revision: ns->revision);
1222	list_for_each_entry_safe(ent, tmp, &lh, list) {
1223	list_del_init(entry: &ent->list);
1224	op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
1225
1226	if (ent->old && ent->old->rawdata == ent->new->rawdata &&
1227	ent->new->rawdata) {
1228	/ dedup actual profile replacement /
1229	audit_policy(subj_label: label, op, ns_name, name: ent->new->base.hname,
1230	info: "same as current profile, skipping",
1231	error);
1232	/ break refcount cycle with proxy. /
1233	aa_put_proxy(proxy: ent->new->label.proxy);
1234	ent->new->label.proxy = NULL;
1235	goto skip;
1236	}
1237
1238	/*
1239	* TODO: finer dedup based on profile range in data. Load set
1240	* can differ but profile may remain unchanged
1241	*/
1242	audit_policy(subj_label: label, op, ns_name, name: ent->new->base.hname, NULL,
1243	error);
1244
1245	if (ent->old) {
1246	share_name(old: ent->old, new: ent->new);
1247	__replace_profile(old: ent->old, new: ent->new);
1248	} else {
1249	struct list_head *lh;
1250
1251	if (rcu_access_pointer(ent->new->parent)) {
1252	struct aa_profile *parent;
1253
1254	parent = update_to_newest_parent(new: ent->new);
1255	lh = &parent->base.profiles;
1256	} else
1257	lh = &ns->base.profiles;
1258	__add_profile(list: lh, profile: ent->new);
1259	}
1260	skip:
1261	aa_load_ent_free(ent);
1262	}
1263	__aa_labelset_update_subtree(ns);
1264	mutex_unlock(lock: &ns->lock);
1265
1266	out:
1267	aa_put_ns(ns);
1268	aa_put_loaddata(data: udata);
1269	kfree(objp: ns_name);
1270
1271	if (error)
1272	return error;
1273	return udata->size;
1274
1275	fail_lock:
1276	mutex_unlock(lock: &ns->lock);
1277
1278	/ audit cause of failure /
1279	op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1280	fail:
1281	audit_policy(subj_label: label, op, ns_name, name: ent ? ent->new->base.hname : NULL,
1282	info, error);
1283	/ audit status that rest of profiles in the atomic set failed too /
1284	info = "valid profile in failed atomic policy load";
1285	list_for_each_entry(tmp, &lh, list) {
1286	if (tmp == ent) {
1287	info = "unchecked profile in failed atomic policy load";
1288	/ skip entry that caused failure /
1289	continue;
1290	}
1291	op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
1292	audit_policy(subj_label: label, op, ns_name, name: tmp->new->base.hname, info,
1293	error);
1294	}
1295	list_for_each_entry_safe(ent, tmp, &lh, list) {
1296	list_del_init(entry: &ent->list);
1297	aa_load_ent_free(ent);
1298	}
1299
1300	goto out;
1301	}
1302
1303	/**
1304	* aa_remove_profiles - remove profile(s) from the system
1305	* @policy_ns: namespace the remove is being done from
1306	* @subj: label attempting to remove policy
1307	* @fqname: name of the profile or namespace to remove (NOT NULL)
1308	* @size: size of the name
1309	*
1310	* Remove a profile or sub namespace from the current namespace, so that
1311	* they can not be found anymore and mark them as replaced by unconfined
1312	*
1313	* NOTE: removing confinement does not restore rlimits to preconfinement values
1314	*
1315	* Returns: size of data consume else error code if fails
1316	*/
1317	ssize_t aa_remove_profiles(struct aa_ns policy_ns, struct* aa_label *subj,
1318	char *fqname, size_t size)
1319	{
1320	struct aa_ns *ns = NULL;
1321	struct aa_profile *profile = NULL;
1322	const char name = fqname, info = NULL;
1323	const char *ns_name = NULL;
1324	ssize_t error = `0`;
1325
1326	if (*fqname == `0`) {
1327	info = "no profile specified";
1328	error = -ENOENT;
1329	goto fail;
1330	}
1331
1332	if (fqname[`0`] == `':'`) {
1333	size_t ns_len;
1334
1335	name = aa_splitn_fqname(fqname, n: size, ns_name: &ns_name, ns_len: &ns_len);
1336	/ released below /
1337	ns = aa_lookupn_ns(view: policy_ns ? policy_ns : labels_ns(subj),
1338	name: ns_name, n: ns_len);
1339	if (!ns) {
1340	info = "namespace does not exist";
1341	error = -ENOENT;
1342	goto fail;
1343	}
1344	} else
1345	/ released below /
1346	ns = aa_get_ns(ns: policy_ns ? policy_ns : labels_ns(subj));
1347
1348	if (!name) {
1349	/ remove namespace - can only happen if fqname[0] == ':' /
1350	mutex_lock_nested(lock: &ns->parent->lock, subclass: ns->parent->level);
1351	__aa_bump_ns_revision(ns);
1352	__aa_remove_ns(ns);
1353	mutex_unlock(lock: &ns->parent->lock);
1354	} else {
1355	/ remove profile /
1356	mutex_lock_nested(lock: &ns->lock, subclass: ns->level);
1357	profile = aa_get_profile(p: __lookup_profile(base: &ns->base, hname: name));
1358	if (!profile) {
1359	error = -ENOENT;
1360	info = "profile does not exist";
1361	goto fail_ns_lock;
1362	}
1363	name = profile->base.hname;
1364	__aa_bump_ns_revision(ns);
1365	__remove_profile(profile);
1366	__aa_labelset_update_subtree(ns);
1367	mutex_unlock(lock: &ns->lock);
1368	}
1369
1370	/ don't fail removal if audit fails /
1371	(void) audit_policy(subj_label: subj, OP_PROF_RM, ns_name, name, info,
1372	error);
1373	aa_put_ns(ns);
1374	aa_put_profile(p: profile);
1375	return size;
1376
1377	fail_ns_lock:
1378	mutex_unlock(lock: &ns->lock);
1379	aa_put_ns(ns);
1380
1381	fail:
1382	(void) audit_policy(subj_label: subj, OP_PROF_RM, ns_name, name, info,
1383	error);
1384	return error;
1385	}
1386

source code of linux/security/apparmor/policy.c