1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | /* |
3 | * AppArmor security module |
4 | * |
5 | * This file contains AppArmor resource mediation and attachment |
6 | * |
7 | * Copyright (C) 1998-2008 Novell/SUSE |
8 | * Copyright 2009-2010 Canonical Ltd. |
9 | */ |
10 | |
11 | #include <linux/audit.h> |
12 | #include <linux/security.h> |
13 | |
14 | #include "include/audit.h" |
15 | #include "include/cred.h" |
16 | #include "include/resource.h" |
17 | #include "include/policy.h" |
18 | |
19 | /* |
20 | * Table of rlimit names: we generate it from resource.h. |
21 | */ |
22 | #include "rlim_names.h" |
23 | |
24 | struct aa_sfs_entry aa_sfs_entry_rlimit[] = { |
25 | AA_SFS_FILE_STRING("mask" , AA_SFS_RLIMIT_MASK), |
26 | { } |
27 | }; |
28 | |
29 | /* audit callback for resource specific fields */ |
30 | static void audit_cb(struct audit_buffer *ab, void *va) |
31 | { |
32 | struct common_audit_data *sa = va; |
33 | struct apparmor_audit_data *ad = aad(sa); |
34 | |
35 | audit_log_format(ab, fmt: " rlimit=%s value=%lu" , |
36 | rlim_names[ad->rlim.rlim], ad->rlim.max); |
37 | if (ad->peer) { |
38 | audit_log_format(ab, fmt: " peer=" ); |
39 | aa_label_xaudit(ab, labels_ns(ad->subj_label), label: ad->peer, |
40 | FLAGS_NONE, GFP_ATOMIC); |
41 | } |
42 | } |
43 | |
44 | /** |
45 | * audit_resource - audit setting resource limit |
46 | * @subj_cred: cred setting the resource |
47 | * @profile: profile being enforced (NOT NULL) |
48 | * @resource: rlimit being auditing |
49 | * @value: value being set |
50 | * @peer: aa_albel of the task being set |
51 | * @info: info being auditing |
52 | * @error: error value |
53 | * |
54 | * Returns: 0 or ad->error else other error code on failure |
55 | */ |
56 | static int audit_resource(const struct cred *subj_cred, |
57 | struct aa_profile *profile, unsigned int resource, |
58 | unsigned long value, struct aa_label *peer, |
59 | const char *info, int error) |
60 | { |
61 | DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS, |
62 | OP_SETRLIMIT); |
63 | |
64 | ad.subj_cred = subj_cred; |
65 | ad.rlim.rlim = resource; |
66 | ad.rlim.max = value; |
67 | ad.peer = peer; |
68 | ad.info = info; |
69 | ad.error = error; |
70 | |
71 | return aa_audit(type: AUDIT_APPARMOR_AUTO, profile, ad: &ad, cb: audit_cb); |
72 | } |
73 | |
74 | /** |
75 | * aa_map_resource - map compiled policy resource to internal # |
76 | * @resource: flattened policy resource number |
77 | * |
78 | * Returns: resource # for the current architecture. |
79 | * |
80 | * rlimit resource can vary based on architecture, map the compiled policy |
81 | * resource # to the internal representation for the architecture. |
82 | */ |
83 | int aa_map_resource(int resource) |
84 | { |
85 | return rlim_map[resource]; |
86 | } |
87 | |
88 | static int profile_setrlimit(const struct cred *subj_cred, |
89 | struct aa_profile *profile, unsigned int resource, |
90 | struct rlimit *new_rlim) |
91 | { |
92 | struct aa_ruleset *rules = list_first_entry(&profile->rules, |
93 | typeof(*rules), list); |
94 | int e = 0; |
95 | |
96 | if (rules->rlimits.mask & (1 << resource) && new_rlim->rlim_max > |
97 | rules->rlimits.limits[resource].rlim_max) |
98 | e = -EACCES; |
99 | return audit_resource(subj_cred, profile, resource, value: new_rlim->rlim_max, |
100 | NULL, NULL, error: e); |
101 | } |
102 | |
103 | /** |
104 | * aa_task_setrlimit - test permission to set an rlimit |
105 | * @subj_cred: cred setting the limit |
106 | * @label: label confining the task (NOT NULL) |
107 | * @task: task the resource is being set on |
108 | * @resource: the resource being set |
109 | * @new_rlim: the new resource limit (NOT NULL) |
110 | * |
111 | * Control raising the processes hard limit. |
112 | * |
113 | * Returns: 0 or error code if setting resource failed |
114 | */ |
115 | int aa_task_setrlimit(const struct cred *subj_cred, struct aa_label *label, |
116 | struct task_struct *task, |
117 | unsigned int resource, struct rlimit *new_rlim) |
118 | { |
119 | struct aa_profile *profile; |
120 | struct aa_label *peer; |
121 | int error = 0; |
122 | |
123 | rcu_read_lock(); |
124 | peer = aa_get_newest_cred_label(__task_cred(task)); |
125 | rcu_read_unlock(); |
126 | |
127 | /* TODO: extend resource control to handle other (non current) |
128 | * profiles. AppArmor rules currently have the implicit assumption |
129 | * that the task is setting the resource of a task confined with |
130 | * the same profile or that the task setting the resource of another |
131 | * task has CAP_SYS_RESOURCE. |
132 | */ |
133 | |
134 | if (label != peer && |
135 | aa_capable(subj_cred, label, CAP_SYS_RESOURCE, CAP_OPT_NOAUDIT) != 0) |
136 | error = fn_for_each(label, profile, |
137 | audit_resource(subj_cred, profile, resource, |
138 | new_rlim->rlim_max, peer, |
139 | "cap_sys_resource" , -EACCES)); |
140 | else |
141 | error = fn_for_each_confined(label, profile, |
142 | profile_setrlimit(subj_cred, profile, resource, |
143 | new_rlim)); |
144 | aa_put_label(l: peer); |
145 | |
146 | return error; |
147 | } |
148 | |
149 | /** |
150 | * __aa_transition_rlimits - apply new profile rlimits |
151 | * @old_l: old label on task (NOT NULL) |
152 | * @new_l: new label with rlimits to apply (NOT NULL) |
153 | */ |
154 | void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l) |
155 | { |
156 | unsigned int mask = 0; |
157 | struct rlimit *rlim, *initrlim; |
158 | struct aa_profile *old, *new; |
159 | struct label_it i; |
160 | |
161 | old = labels_profile(old_l); |
162 | new = labels_profile(new_l); |
163 | |
164 | /* for any rlimits the profile controlled, reset the soft limit |
165 | * to the lesser of the tasks hard limit and the init tasks soft limit |
166 | */ |
167 | label_for_each_confined(i, old_l, old) { |
168 | struct aa_ruleset *rules = list_first_entry(&old->rules, |
169 | typeof(*rules), |
170 | list); |
171 | if (rules->rlimits.mask) { |
172 | int j; |
173 | |
174 | for (j = 0, mask = 1; j < RLIM_NLIMITS; j++, |
175 | mask <<= 1) { |
176 | if (rules->rlimits.mask & mask) { |
177 | rlim = current->signal->rlim + j; |
178 | initrlim = init_task.signal->rlim + j; |
179 | rlim->rlim_cur = min(rlim->rlim_max, |
180 | initrlim->rlim_cur); |
181 | } |
182 | } |
183 | } |
184 | } |
185 | |
186 | /* set any new hard limits as dictated by the new profile */ |
187 | label_for_each_confined(i, new_l, new) { |
188 | struct aa_ruleset *rules = list_first_entry(&new->rules, |
189 | typeof(*rules), |
190 | list); |
191 | int j; |
192 | |
193 | if (!rules->rlimits.mask) |
194 | continue; |
195 | for (j = 0, mask = 1; j < RLIM_NLIMITS; j++, mask <<= 1) { |
196 | if (!(rules->rlimits.mask & mask)) |
197 | continue; |
198 | |
199 | rlim = current->signal->rlim + j; |
200 | rlim->rlim_max = min(rlim->rlim_max, |
201 | rules->rlimits.limits[j].rlim_max); |
202 | /* soft limit should not exceed hard limit */ |
203 | rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max); |
204 | } |
205 | } |
206 | } |
207 | |