d384b0a1a3
Since the parser needs to know which rlimits are known to the kernel, export the list via a mask file in the "rlimit" subdirectory in the securityfs "features" directory. Signed-off-by: Kees Cook <kees@ubuntu.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
356 lines
8.4 KiB
C
356 lines
8.4 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor /sys/kernel/security/apparmor interface functions
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#include <linux/security.h>
|
|
#include <linux/vmalloc.h>
|
|
#include <linux/module.h>
|
|
#include <linux/seq_file.h>
|
|
#include <linux/uaccess.h>
|
|
#include <linux/namei.h>
|
|
#include <linux/capability.h>
|
|
|
|
#include "include/apparmor.h"
|
|
#include "include/apparmorfs.h"
|
|
#include "include/audit.h"
|
|
#include "include/context.h"
|
|
#include "include/policy.h"
|
|
#include "include/resource.h"
|
|
|
|
/**
|
|
* aa_simple_write_to_buffer - common routine for getting policy from user
|
|
* @op: operation doing the user buffer copy
|
|
* @userbuf: user buffer to copy data from (NOT NULL)
|
|
* @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
|
|
* @copy_size: size of data to copy from user buffer
|
|
* @pos: position write is at in the file (NOT NULL)
|
|
*
|
|
* Returns: kernel buffer containing copy of user buffer data or an
|
|
* ERR_PTR on failure.
|
|
*/
|
|
static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
|
|
size_t alloc_size, size_t copy_size,
|
|
loff_t *pos)
|
|
{
|
|
char *data;
|
|
|
|
BUG_ON(copy_size > alloc_size);
|
|
|
|
if (*pos != 0)
|
|
/* only writes from pos 0, that is complete writes */
|
|
return ERR_PTR(-ESPIPE);
|
|
|
|
/*
|
|
* Don't allow profile load/replace/remove from profiles that don't
|
|
* have CAP_MAC_ADMIN
|
|
*/
|
|
if (!aa_may_manage_policy(op))
|
|
return ERR_PTR(-EACCES);
|
|
|
|
/* freed by caller to simple_write_to_buffer */
|
|
data = kvmalloc(alloc_size);
|
|
if (data == NULL)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
if (copy_from_user(data, userbuf, copy_size)) {
|
|
kvfree(data);
|
|
return ERR_PTR(-EFAULT);
|
|
}
|
|
|
|
return data;
|
|
}
|
|
|
|
|
|
/* .load file hook fn to load policy */
|
|
static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
|
|
loff_t *pos)
|
|
{
|
|
char *data;
|
|
ssize_t error;
|
|
|
|
data = aa_simple_write_to_buffer(OP_PROF_LOAD, buf, size, size, pos);
|
|
|
|
error = PTR_ERR(data);
|
|
if (!IS_ERR(data)) {
|
|
error = aa_replace_profiles(data, size, PROF_ADD);
|
|
kvfree(data);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
static const struct file_operations aa_fs_profile_load = {
|
|
.write = profile_load,
|
|
.llseek = default_llseek,
|
|
};
|
|
|
|
/* .replace file hook fn to load and/or replace policy */
|
|
static ssize_t profile_replace(struct file *f, const char __user *buf,
|
|
size_t size, loff_t *pos)
|
|
{
|
|
char *data;
|
|
ssize_t error;
|
|
|
|
data = aa_simple_write_to_buffer(OP_PROF_REPL, buf, size, size, pos);
|
|
error = PTR_ERR(data);
|
|
if (!IS_ERR(data)) {
|
|
error = aa_replace_profiles(data, size, PROF_REPLACE);
|
|
kvfree(data);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
static const struct file_operations aa_fs_profile_replace = {
|
|
.write = profile_replace,
|
|
.llseek = default_llseek,
|
|
};
|
|
|
|
/* .remove file hook fn to remove loaded policy */
|
|
static ssize_t profile_remove(struct file *f, const char __user *buf,
|
|
size_t size, loff_t *pos)
|
|
{
|
|
char *data;
|
|
ssize_t error;
|
|
|
|
/*
|
|
* aa_remove_profile needs a null terminated string so 1 extra
|
|
* byte is allocated and the copied data is null terminated.
|
|
*/
|
|
data = aa_simple_write_to_buffer(OP_PROF_RM, buf, size + 1, size, pos);
|
|
|
|
error = PTR_ERR(data);
|
|
if (!IS_ERR(data)) {
|
|
data[size] = 0;
|
|
error = aa_remove_profiles(data, size);
|
|
kvfree(data);
|
|
}
|
|
|
|
return error;
|
|
}
|
|
|
|
static const struct file_operations aa_fs_profile_remove = {
|
|
.write = profile_remove,
|
|
.llseek = default_llseek,
|
|
};
|
|
|
|
static int aa_fs_seq_show(struct seq_file *seq, void *v)
|
|
{
|
|
struct aa_fs_entry *fs_file = seq->private;
|
|
|
|
if (!fs_file)
|
|
return 0;
|
|
|
|
switch (fs_file->v_type) {
|
|
case AA_FS_TYPE_BOOLEAN:
|
|
seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
|
|
break;
|
|
case AA_FS_TYPE_STRING:
|
|
seq_printf(seq, "%s\n", fs_file->v.string);
|
|
break;
|
|
case AA_FS_TYPE_U64:
|
|
seq_printf(seq, "%#08lx\n", fs_file->v.u64);
|
|
break;
|
|
default:
|
|
/* Ignore unpritable entry types. */
|
|
break;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int aa_fs_seq_open(struct inode *inode, struct file *file)
|
|
{
|
|
return single_open(file, aa_fs_seq_show, inode->i_private);
|
|
}
|
|
|
|
const struct file_operations aa_fs_seq_file_ops = {
|
|
.owner = THIS_MODULE,
|
|
.open = aa_fs_seq_open,
|
|
.read = seq_read,
|
|
.llseek = seq_lseek,
|
|
.release = single_release,
|
|
};
|
|
|
|
/** Base file system setup **/
|
|
|
|
static struct aa_fs_entry aa_fs_entry_file[] = {
|
|
AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \
|
|
"link lock"),
|
|
{ }
|
|
};
|
|
|
|
static struct aa_fs_entry aa_fs_entry_domain[] = {
|
|
AA_FS_FILE_BOOLEAN("change_hat", 1),
|
|
AA_FS_FILE_BOOLEAN("change_hatv", 1),
|
|
AA_FS_FILE_BOOLEAN("change_onexec", 1),
|
|
AA_FS_FILE_BOOLEAN("change_profile", 1),
|
|
{ }
|
|
};
|
|
|
|
static struct aa_fs_entry aa_fs_entry_features[] = {
|
|
AA_FS_DIR("domain", aa_fs_entry_domain),
|
|
AA_FS_DIR("file", aa_fs_entry_file),
|
|
AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
|
|
AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
|
|
{ }
|
|
};
|
|
|
|
static struct aa_fs_entry aa_fs_entry_apparmor[] = {
|
|
AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
|
|
AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
|
|
AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
|
|
AA_FS_DIR("features", aa_fs_entry_features),
|
|
{ }
|
|
};
|
|
|
|
static struct aa_fs_entry aa_fs_entry =
|
|
AA_FS_DIR("apparmor", aa_fs_entry_apparmor);
|
|
|
|
/**
|
|
* aafs_create_file - create a file entry in the apparmor securityfs
|
|
* @fs_file: aa_fs_entry to build an entry for (NOT NULL)
|
|
* @parent: the parent dentry in the securityfs
|
|
*
|
|
* Use aafs_remove_file to remove entries created with this fn.
|
|
*/
|
|
static int __init aafs_create_file(struct aa_fs_entry *fs_file,
|
|
struct dentry *parent)
|
|
{
|
|
int error = 0;
|
|
|
|
fs_file->dentry = securityfs_create_file(fs_file->name,
|
|
S_IFREG | fs_file->mode,
|
|
parent, fs_file,
|
|
fs_file->file_ops);
|
|
if (IS_ERR(fs_file->dentry)) {
|
|
error = PTR_ERR(fs_file->dentry);
|
|
fs_file->dentry = NULL;
|
|
}
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* aafs_create_dir - recursively create a directory entry in the securityfs
|
|
* @fs_dir: aa_fs_entry (and all child entries) to build (NOT NULL)
|
|
* @parent: the parent dentry in the securityfs
|
|
*
|
|
* Use aafs_remove_dir to remove entries created with this fn.
|
|
*/
|
|
static int __init aafs_create_dir(struct aa_fs_entry *fs_dir,
|
|
struct dentry *parent)
|
|
{
|
|
int error;
|
|
struct aa_fs_entry *fs_file;
|
|
|
|
fs_dir->dentry = securityfs_create_dir(fs_dir->name, parent);
|
|
if (IS_ERR(fs_dir->dentry)) {
|
|
error = PTR_ERR(fs_dir->dentry);
|
|
fs_dir->dentry = NULL;
|
|
goto failed;
|
|
}
|
|
|
|
for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
|
|
if (fs_file->v_type == AA_FS_TYPE_DIR)
|
|
error = aafs_create_dir(fs_file, fs_dir->dentry);
|
|
else
|
|
error = aafs_create_file(fs_file, fs_dir->dentry);
|
|
if (error)
|
|
goto failed;
|
|
}
|
|
|
|
return 0;
|
|
|
|
failed:
|
|
return error;
|
|
}
|
|
|
|
/**
|
|
* aafs_remove_file - drop a single file entry in the apparmor securityfs
|
|
* @fs_file: aa_fs_entry to detach from the securityfs (NOT NULL)
|
|
*/
|
|
static void __init aafs_remove_file(struct aa_fs_entry *fs_file)
|
|
{
|
|
if (!fs_file->dentry)
|
|
return;
|
|
|
|
securityfs_remove(fs_file->dentry);
|
|
fs_file->dentry = NULL;
|
|
}
|
|
|
|
/**
|
|
* aafs_remove_dir - recursively drop a directory entry from the securityfs
|
|
* @fs_dir: aa_fs_entry (and all child entries) to detach (NOT NULL)
|
|
*/
|
|
static void __init aafs_remove_dir(struct aa_fs_entry *fs_dir)
|
|
{
|
|
struct aa_fs_entry *fs_file;
|
|
|
|
for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
|
|
if (fs_file->v_type == AA_FS_TYPE_DIR)
|
|
aafs_remove_dir(fs_file);
|
|
else
|
|
aafs_remove_file(fs_file);
|
|
}
|
|
|
|
aafs_remove_file(fs_dir);
|
|
}
|
|
|
|
/**
|
|
* aa_destroy_aafs - cleanup and free aafs
|
|
*
|
|
* releases dentries allocated by aa_create_aafs
|
|
*/
|
|
void __init aa_destroy_aafs(void)
|
|
{
|
|
aafs_remove_dir(&aa_fs_entry);
|
|
}
|
|
|
|
/**
|
|
* aa_create_aafs - create the apparmor security filesystem
|
|
*
|
|
* dentries created here are released by aa_destroy_aafs
|
|
*
|
|
* Returns: error on failure
|
|
*/
|
|
static int __init aa_create_aafs(void)
|
|
{
|
|
int error;
|
|
|
|
if (!apparmor_initialized)
|
|
return 0;
|
|
|
|
if (aa_fs_entry.dentry) {
|
|
AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
|
|
return -EEXIST;
|
|
}
|
|
|
|
/* Populate fs tree. */
|
|
error = aafs_create_dir(&aa_fs_entry, NULL);
|
|
if (error)
|
|
goto error;
|
|
|
|
/* TODO: add support for apparmorfs_null and apparmorfs_mnt */
|
|
|
|
/* Report that AppArmor fs is enabled */
|
|
aa_info_message("AppArmor Filesystem Enabled");
|
|
return 0;
|
|
|
|
error:
|
|
aa_destroy_aafs();
|
|
AA_ERROR("Error creating AppArmor securityfs\n");
|
|
return error;
|
|
}
|
|
|
|
fs_initcall(aa_create_aafs);
|