2019-06-01 10:08:55 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
2010-07-29 14:48:04 -07:00
|
|
|
/*
|
|
|
|
|
* AppArmor security module
|
|
|
|
|
*
|
|
|
|
|
* This file contains AppArmor mediation of files
|
|
|
|
|
*
|
|
|
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
|
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
|
|
|
*/
|
|
|
|
|
|
2017-06-09 11:58:42 -07:00
|
|
|
#include <linux/tty.h>
|
|
|
|
|
#include <linux/fdtable.h>
|
|
|
|
|
#include <linux/file.h>
|
2021-01-21 14:19:44 +01:00
|
|
|
#include <linux/fs.h>
|
|
|
|
|
#include <linux/mount.h>
|
2017-06-09 11:58:42 -07:00
|
|
|
|
apparmor: add fine grained af_unix mediation
Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.
This allows for using socket addresses to label and the socket and
control which subjects can communicate.
The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x. The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.
allow unix addr=@*,
Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.
allow unix addr=auto,
To indicate that the rule only applies to auto binding of unix domain
sockets. It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels
allow unix rw addr=auto,
It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.
Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.
allow unix addr=none,
If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.
The label on the socket can be compared using the standard label=
rule conditional. Eg.
allow unix addr=@foo peer=(label=bar),
see man apparmor.d for full syntax description.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-09-07 12:46:30 -07:00
|
|
|
#include "include/af_unix.h"
|
2010-07-29 14:48:04 -07:00
|
|
|
#include "include/apparmor.h"
|
|
|
|
|
#include "include/audit.h"
|
2017-10-11 01:04:48 -07:00
|
|
|
#include "include/cred.h"
|
2010-07-29 14:48:04 -07:00
|
|
|
#include "include/file.h"
|
|
|
|
|
#include "include/match.h"
|
2017-07-18 23:18:33 -07:00
|
|
|
#include "include/net.h"
|
2010-07-29 14:48:04 -07:00
|
|
|
#include "include/path.h"
|
|
|
|
|
#include "include/policy.h"
|
2017-06-09 14:59:51 -07:00
|
|
|
#include "include/label.h"
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2017-05-26 15:07:22 -07:00
|
|
|
static u32 map_mask_to_chr_mask(u32 mask)
|
|
|
|
|
{
|
|
|
|
|
u32 m = mask & PERMS_CHRS_MASK;
|
|
|
|
|
|
|
|
|
|
if (mask & AA_MAY_GETATTR)
|
|
|
|
|
m |= MAY_READ;
|
|
|
|
|
if (mask & (AA_MAY_SETATTR | AA_MAY_CHMOD | AA_MAY_CHOWN))
|
|
|
|
|
m |= MAY_WRITE;
|
|
|
|
|
|
|
|
|
|
return m;
|
|
|
|
|
}
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* file_audit_cb - call back for file specific audit fields
|
|
|
|
|
* @ab: audit_buffer (NOT NULL)
|
|
|
|
|
* @va: audit struct to audit values of (NOT NULL)
|
|
|
|
|
*/
|
|
|
|
|
static void file_audit_cb(struct audit_buffer *ab, void *va)
|
|
|
|
|
{
|
|
|
|
|
struct common_audit_data *sa = va;
|
2022-09-14 00:20:12 -07:00
|
|
|
struct apparmor_audit_data *ad = aad(sa);
|
2022-09-19 20:48:48 -07:00
|
|
|
kuid_t fsuid = ad->subj_cred ? ad->subj_cred->fsuid : current_fsuid();
|
2020-07-13 15:51:59 -04:00
|
|
|
char str[10];
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
if (ad->request & AA_AUDIT_FILE_MASK) {
|
2020-07-13 15:51:59 -04:00
|
|
|
aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
|
2022-09-14 00:20:12 -07:00
|
|
|
map_mask_to_chr_mask(ad->request));
|
2020-07-13 15:51:59 -04:00
|
|
|
audit_log_format(ab, " requested_mask=\"%s\"", str);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
2022-09-14 00:20:12 -07:00
|
|
|
if (ad->denied & AA_AUDIT_FILE_MASK) {
|
2020-07-13 15:51:59 -04:00
|
|
|
aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
|
2022-09-14 00:20:12 -07:00
|
|
|
map_mask_to_chr_mask(ad->denied));
|
2020-07-13 15:51:59 -04:00
|
|
|
audit_log_format(ab, " denied_mask=\"%s\"", str);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
2022-09-14 00:20:12 -07:00
|
|
|
if (ad->request & AA_AUDIT_FILE_MASK) {
|
2012-02-07 16:33:13 -08:00
|
|
|
audit_log_format(ab, " fsuid=%d",
|
|
|
|
|
from_kuid(&init_user_ns, fsuid));
|
|
|
|
|
audit_log_format(ab, " ouid=%d",
|
2022-09-14 00:20:12 -07:00
|
|
|
from_kuid(&init_user_ns, ad->fs.ouid));
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
if (ad->peer) {
|
2017-06-09 15:48:20 -07:00
|
|
|
audit_log_format(ab, " target=");
|
2022-09-19 00:46:09 -07:00
|
|
|
aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
|
2019-04-05 15:34:58 +02:00
|
|
|
FLAG_VIEW_SUBNS, GFP_KERNEL);
|
2022-09-14 00:20:12 -07:00
|
|
|
} else if (ad->fs.target) {
|
2010-07-29 14:48:04 -07:00
|
|
|
audit_log_format(ab, " target=");
|
2022-09-14 00:20:12 -07:00
|
|
|
audit_log_untrustedstring(ab, ad->fs.target);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* aa_audit_file - handle the auditing of file operations
|
2022-09-19 20:48:48 -07:00
|
|
|
* @subj_cred: cred of the subject
|
2010-07-29 14:48:04 -07:00
|
|
|
* @profile: the profile being enforced (NOT NULL)
|
|
|
|
|
* @perms: the permissions computed for the request (NOT NULL)
|
|
|
|
|
* @op: operation being mediated
|
|
|
|
|
* @request: permissions requested
|
|
|
|
|
* @name: name of object being mediated (MAYBE NULL)
|
|
|
|
|
* @target: name of target (MAYBE NULL)
|
2017-06-09 15:48:20 -07:00
|
|
|
* @tlabel: target label (MAY BE NULL)
|
2010-07-29 14:48:04 -07:00
|
|
|
* @ouid: object uid
|
|
|
|
|
* @info: extra information message (MAYBE NULL)
|
|
|
|
|
* @error: 0 if operation allowed else failure error code
|
|
|
|
|
*
|
|
|
|
|
* Returns: %0 or error on failure
|
|
|
|
|
*/
|
2022-09-19 20:48:48 -07:00
|
|
|
int aa_audit_file(const struct cred *subj_cred,
|
|
|
|
|
struct aa_profile *profile, struct aa_perms *perms,
|
2017-01-16 00:43:02 -08:00
|
|
|
const char *op, u32 request, const char *name,
|
2017-06-09 15:48:20 -07:00
|
|
|
const char *target, struct aa_label *tlabel,
|
|
|
|
|
kuid_t ouid, const char *info, int error)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
|
|
|
|
int type = AUDIT_APPARMOR_AUTO;
|
2022-09-14 00:20:12 -07:00
|
|
|
DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
ad.subj_cred = subj_cred;
|
2022-09-14 00:20:12 -07:00
|
|
|
ad.request = request;
|
|
|
|
|
ad.name = name;
|
|
|
|
|
ad.fs.target = target;
|
|
|
|
|
ad.peer = tlabel;
|
|
|
|
|
ad.fs.ouid = ouid;
|
|
|
|
|
ad.info = info;
|
|
|
|
|
ad.error = error;
|
|
|
|
|
ad.common.u.tsk = NULL;
|
|
|
|
|
|
|
|
|
|
if (likely(!ad.error)) {
|
2010-07-29 14:48:04 -07:00
|
|
|
u32 mask = perms->audit;
|
|
|
|
|
|
|
|
|
|
if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
|
|
|
|
|
mask = 0xffff;
|
|
|
|
|
|
|
|
|
|
/* mask off perms that are not being force audited */
|
2022-09-14 00:20:12 -07:00
|
|
|
ad.request &= mask;
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
if (likely(!ad.request))
|
2010-07-29 14:48:04 -07:00
|
|
|
return 0;
|
|
|
|
|
type = AUDIT_APPARMOR_AUDIT;
|
|
|
|
|
} else {
|
|
|
|
|
/* only report permissions that were denied */
|
2022-09-14 00:20:12 -07:00
|
|
|
ad.request = ad.request & ~perms->allow;
|
|
|
|
|
AA_BUG(!ad.request);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
if (ad.request & perms->kill)
|
2010-07-29 14:48:04 -07:00
|
|
|
type = AUDIT_APPARMOR_KILL;
|
|
|
|
|
|
|
|
|
|
/* quiet known rejects, assumes quiet and kill do not overlap */
|
2022-09-14 00:20:12 -07:00
|
|
|
if ((ad.request & perms->quiet) &&
|
2010-07-29 14:48:04 -07:00
|
|
|
AUDIT_MODE(profile) != AUDIT_NOQUIET &&
|
|
|
|
|
AUDIT_MODE(profile) != AUDIT_ALL)
|
2022-09-14 00:20:12 -07:00
|
|
|
ad.request &= ~perms->quiet;
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
if (!ad.request)
|
|
|
|
|
return ad.error;
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
2022-09-14 00:20:12 -07:00
|
|
|
ad.denied = ad.request & ~perms->allow;
|
|
|
|
|
return aa_audit(type, profile, &ad, file_audit_cb);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static int path_name(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label,
|
2017-06-09 16:02:25 -07:00
|
|
|
const struct path *path, int flags, char *buffer,
|
|
|
|
|
const char **name, struct path_cond *cond, u32 request)
|
|
|
|
|
{
|
|
|
|
|
struct aa_profile *profile;
|
|
|
|
|
const char *info = NULL;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = aa_path_name(path, flags, buffer, name, &info,
|
|
|
|
|
labels_profile(label)->disconnected);
|
|
|
|
|
if (error) {
|
|
|
|
|
fn_for_each_confined(label, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
aa_audit_file(subj_cred,
|
|
|
|
|
profile, &nullperms, op, request, *name,
|
2017-06-09 16:02:25 -07:00
|
|
|
NULL, NULL, cond->uid, info, error));
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2023-01-02 12:45:12 -08:00
|
|
|
struct aa_perms default_perms = {};
|
2010-07-29 14:48:04 -07:00
|
|
|
/**
|
2025-01-21 10:44:44 +08:00
|
|
|
* aa_lookup_condperms - convert dfa compressed perms to internal perms
|
2023-07-23 02:30:33 -07:00
|
|
|
* @subj_uid: uid to use for subject owner test
|
|
|
|
|
* @rules: the aa_policydb to lookup perms for (NOT NULL)
|
2010-07-29 14:48:04 -07:00
|
|
|
* @state: state in dfa
|
|
|
|
|
* @cond: conditions to consider (NOT NULL)
|
|
|
|
|
*
|
2020-03-30 16:43:29 -04:00
|
|
|
* TODO: convert from dfa + state to permission entry
|
2010-07-29 14:48:04 -07:00
|
|
|
*
|
2020-03-30 16:43:29 -04:00
|
|
|
* Returns: a pointer to a file permission set
|
2010-07-29 14:48:04 -07:00
|
|
|
*/
|
2023-07-23 02:30:33 -07:00
|
|
|
struct aa_perms *aa_lookup_condperms(kuid_t subj_uid, struct aa_policydb *rules,
|
|
|
|
|
aa_state_t state, struct path_cond *cond)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2023-07-23 02:30:33 -07:00
|
|
|
unsigned int index = ACCEPT_TABLE(rules->dfa)[state];
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2023-07-23 02:30:33 -07:00
|
|
|
if (!(rules->perms))
|
2020-03-30 16:43:29 -04:00
|
|
|
return &default_perms;
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2023-07-23 02:30:33 -07:00
|
|
|
if ((ACCEPT_TABLE2(rules->dfa)[state] & ACCEPT_FLAG_OWNER)) {
|
|
|
|
|
if (uid_eq(subj_uid, cond->uid))
|
|
|
|
|
return &(rules->perms[index]);
|
|
|
|
|
return &(rules->perms[index + 1]);
|
|
|
|
|
}
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2023-07-23 02:30:33 -07:00
|
|
|
return &(rules->perms[index]);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* aa_str_perms - find permission that match @name
|
2023-06-25 09:13:42 +08:00
|
|
|
* @file_rules: the aa_policydb to match against (NOT NULL)
|
|
|
|
|
* @start: state to start matching in
|
2010-07-29 14:48:04 -07:00
|
|
|
* @name: string to match against dfa (NOT NULL)
|
|
|
|
|
* @cond: conditions to consider for permission set computation (NOT NULL)
|
|
|
|
|
* @perms: Returns - the permissions found when matching @name
|
|
|
|
|
*
|
|
|
|
|
* Returns: the final state in @dfa when beginning @start and walking @name
|
|
|
|
|
*/
|
2022-01-17 13:43:49 -08:00
|
|
|
aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
|
|
|
|
|
const char *name, struct path_cond *cond,
|
|
|
|
|
struct aa_perms *perms)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2022-01-17 13:43:49 -08:00
|
|
|
aa_state_t state;
|
2020-03-30 16:43:29 -04:00
|
|
|
state = aa_dfa_match(file_rules->dfa, start, name);
|
2023-07-23 02:30:33 -07:00
|
|
|
*perms = *(aa_lookup_condperms(current_fsuid(), file_rules, state,
|
|
|
|
|
cond));
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
return state;
|
|
|
|
|
}
|
|
|
|
|
|
apparmor: add fine grained af_unix mediation
Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.
This allows for using socket addresses to label and the socket and
control which subjects can communicate.
The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x. The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.
allow unix addr=@*,
Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.
allow unix addr=auto,
To indicate that the rule only applies to auto binding of unix domain
sockets. It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels
allow unix rw addr=auto,
It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.
Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.
allow unix addr=none,
If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.
The label on the socket can be compared using the standard label=
rule conditional. Eg.
allow unix addr=@foo peer=(label=bar),
see man apparmor.d for full syntax description.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-09-07 12:46:30 -07:00
|
|
|
int __aa_path_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_profile *profile, const char *name,
|
|
|
|
|
u32 request, struct path_cond *cond, int flags,
|
|
|
|
|
struct aa_perms *perms)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2025-02-17 01:46:37 -08:00
|
|
|
struct aa_ruleset *rules = profile->label.rules[0];
|
2017-06-09 16:02:25 -07:00
|
|
|
int e = 0;
|
|
|
|
|
|
apparmor: add fine grained af_unix mediation
Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.
This allows for using socket addresses to label and the socket and
control which subjects can communicate.
The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x. The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.
allow unix addr=@*,
Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.
allow unix addr=auto,
To indicate that the rule only applies to auto binding of unix domain
sockets. It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels
allow unix rw addr=auto,
It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.
Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.
allow unix addr=none,
If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.
The label on the socket can be compared using the standard label=
rule conditional. Eg.
allow unix addr=@foo peer=(label=bar),
see man apparmor.d for full syntax description.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-09-07 12:46:30 -07:00
|
|
|
if (profile_unconfined(profile) ||
|
2024-10-12 04:43:34 -07:00
|
|
|
((flags & PATH_SOCK_COND) && !RULE_MEDIATES_v9NET(rules)))
|
2017-06-09 16:02:25 -07:00
|
|
|
return 0;
|
2023-04-28 05:32:52 -07:00
|
|
|
aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
|
2020-11-19 10:37:48 -08:00
|
|
|
name, cond, perms);
|
2017-06-09 16:02:25 -07:00
|
|
|
if (request & ~perms->allow)
|
|
|
|
|
e = -EACCES;
|
2022-09-19 20:48:48 -07:00
|
|
|
return aa_audit_file(subj_cred,
|
|
|
|
|
profile, perms, op, request, name, NULL, NULL,
|
2017-06-09 16:02:25 -07:00
|
|
|
cond->uid, NULL, e);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static int profile_path_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_profile *profile,
|
2017-06-09 16:02:25 -07:00
|
|
|
const struct path *path, char *buffer, u32 request,
|
|
|
|
|
struct path_cond *cond, int flags,
|
|
|
|
|
struct aa_perms *perms)
|
|
|
|
|
{
|
|
|
|
|
const char *name;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
if (profile_unconfined(profile))
|
|
|
|
|
return 0;
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
error = path_name(op, subj_cred, &profile->label, path,
|
2017-06-09 16:02:25 -07:00
|
|
|
flags | profile->path_flags, buffer, &name, cond,
|
|
|
|
|
request);
|
|
|
|
|
if (error)
|
|
|
|
|
return error;
|
2022-09-19 20:48:48 -07:00
|
|
|
return __aa_path_perm(op, subj_cred, profile, name, request, cond,
|
|
|
|
|
flags, perms);
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* aa_path_perm - do permissions check & audit for @path
|
|
|
|
|
* @op: operation being checked
|
2022-09-19 20:48:48 -07:00
|
|
|
* @subj_cred: subject cred
|
2017-06-09 16:02:25 -07:00
|
|
|
* @label: profile being enforced (NOT NULL)
|
2010-07-29 14:48:04 -07:00
|
|
|
* @path: path to check permissions of (NOT NULL)
|
|
|
|
|
* @flags: any additional path flags beyond what the profile specifies
|
|
|
|
|
* @request: requested permissions
|
|
|
|
|
* @cond: conditional info for this request (NOT NULL)
|
|
|
|
|
*
|
|
|
|
|
* Returns: %0 else error if access denied or other error
|
|
|
|
|
*/
|
2022-09-19 20:48:48 -07:00
|
|
|
int aa_path_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label,
|
2017-01-16 00:43:01 -08:00
|
|
|
const struct path *path, int flags, u32 request,
|
|
|
|
|
struct path_cond *cond)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2017-05-29 12:19:39 -07:00
|
|
|
struct aa_perms perms = {};
|
2017-06-09 16:02:25 -07:00
|
|
|
struct aa_profile *profile;
|
|
|
|
|
char *buffer = NULL;
|
2010-07-29 14:48:04 -07:00
|
|
|
int error;
|
|
|
|
|
|
2017-06-09 16:02:25 -07:00
|
|
|
flags |= PATH_DELEGATE_DELETED | (S_ISDIR(cond->mode) ? PATH_IS_DIR :
|
|
|
|
|
0);
|
2019-09-14 03:34:06 -07:00
|
|
|
buffer = aa_get_buffer(false);
|
2019-05-03 16:12:21 +02:00
|
|
|
if (!buffer)
|
|
|
|
|
return -ENOMEM;
|
2017-06-09 16:02:25 -07:00
|
|
|
error = fn_for_each_confined(label, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
profile_path_perm(op, subj_cred, profile, path, buffer,
|
|
|
|
|
request, cond, flags, &perms));
|
2017-06-09 16:02:25 -07:00
|
|
|
|
2019-05-03 16:12:21 +02:00
|
|
|
aa_put_buffer(buffer);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* xindex_is_subset - helper for aa_path_link
|
|
|
|
|
* @link: link permission set
|
|
|
|
|
* @target: target permission set
|
|
|
|
|
*
|
|
|
|
|
* test target x permissions are equal OR a subset of link x permissions
|
|
|
|
|
* this is done as part of the subset test, where a hardlink must have
|
|
|
|
|
* a subset of permissions that the target has.
|
|
|
|
|
*
|
2020-04-28 19:52:21 +08:00
|
|
|
* Returns: true if subset else false
|
2010-07-29 14:48:04 -07:00
|
|
|
*/
|
|
|
|
|
static inline bool xindex_is_subset(u32 link, u32 target)
|
|
|
|
|
{
|
|
|
|
|
if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) ||
|
|
|
|
|
((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE)))
|
2020-04-28 19:52:21 +08:00
|
|
|
return false;
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2020-04-28 19:52:21 +08:00
|
|
|
return true;
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static int profile_path_link(const struct cred *subj_cred,
|
|
|
|
|
struct aa_profile *profile,
|
2017-06-09 16:06:21 -07:00
|
|
|
const struct path *link, char *buffer,
|
|
|
|
|
const struct path *target, char *buffer2,
|
|
|
|
|
struct path_cond *cond)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2025-02-17 01:46:37 -08:00
|
|
|
struct aa_ruleset *rules = profile->label.rules[0];
|
2017-06-09 16:06:21 -07:00
|
|
|
const char *lname, *tname = NULL;
|
|
|
|
|
struct aa_perms lperms = {}, perms;
|
|
|
|
|
const char *info = NULL;
|
2010-07-29 14:48:04 -07:00
|
|
|
u32 request = AA_MAY_LINK;
|
2022-01-17 13:43:49 -08:00
|
|
|
aa_state_t state;
|
2010-07-29 14:48:04 -07:00
|
|
|
int error;
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
error = path_name(OP_LINK, subj_cred, &profile->label, link,
|
|
|
|
|
profile->path_flags,
|
2017-06-09 16:06:21 -07:00
|
|
|
buffer, &lname, cond, AA_MAY_LINK);
|
2010-07-29 14:48:04 -07:00
|
|
|
if (error)
|
|
|
|
|
goto audit;
|
|
|
|
|
|
|
|
|
|
/* buffer2 freed below, tname is pointer in buffer2 */
|
2022-09-19 20:48:48 -07:00
|
|
|
error = path_name(OP_LINK, subj_cred, &profile->label, target,
|
|
|
|
|
profile->path_flags,
|
2017-06-09 16:06:21 -07:00
|
|
|
buffer2, &tname, cond, AA_MAY_LINK);
|
2010-07-29 14:48:04 -07:00
|
|
|
if (error)
|
|
|
|
|
goto audit;
|
|
|
|
|
|
|
|
|
|
error = -EACCES;
|
|
|
|
|
/* aa_str_perms - handles the case of the dfa being NULL */
|
2023-04-28 05:32:52 -07:00
|
|
|
state = aa_str_perms(rules->file,
|
|
|
|
|
rules->file->start[AA_CLASS_FILE], lname,
|
2017-06-09 16:06:21 -07:00
|
|
|
cond, &lperms);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
if (!(lperms.allow & AA_MAY_LINK))
|
|
|
|
|
goto audit;
|
|
|
|
|
|
|
|
|
|
/* test to see if target can be paired with link */
|
2023-04-28 05:32:52 -07:00
|
|
|
state = aa_dfa_null_transition(rules->file->dfa, state);
|
|
|
|
|
aa_str_perms(rules->file, state, tname, cond, &perms);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
/* force audit/quiet masks for link are stored in the second entry
|
|
|
|
|
* in the link pair.
|
|
|
|
|
*/
|
|
|
|
|
lperms.audit = perms.audit;
|
|
|
|
|
lperms.quiet = perms.quiet;
|
|
|
|
|
lperms.kill = perms.kill;
|
|
|
|
|
|
|
|
|
|
if (!(perms.allow & AA_MAY_LINK)) {
|
|
|
|
|
info = "target restricted";
|
2017-06-09 16:06:21 -07:00
|
|
|
lperms = perms;
|
2010-07-29 14:48:04 -07:00
|
|
|
goto audit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* done if link subset test is not required */
|
|
|
|
|
if (!(perms.allow & AA_LINK_SUBSET))
|
|
|
|
|
goto done_tests;
|
|
|
|
|
|
2017-06-09 16:06:21 -07:00
|
|
|
/* Do link perm subset test requiring allowed permission on link are
|
|
|
|
|
* a subset of the allowed permissions on target.
|
2010-07-29 14:48:04 -07:00
|
|
|
*/
|
2023-04-28 05:32:52 -07:00
|
|
|
aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
|
2020-11-19 10:37:48 -08:00
|
|
|
tname, cond, &perms);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
|
|
|
|
/* AA_MAY_LINK is not considered in the subset test */
|
|
|
|
|
request = lperms.allow & ~AA_MAY_LINK;
|
|
|
|
|
lperms.allow &= perms.allow | AA_MAY_LINK;
|
|
|
|
|
|
|
|
|
|
request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
|
|
|
|
|
if (request & ~lperms.allow) {
|
|
|
|
|
goto audit;
|
|
|
|
|
} else if ((lperms.allow & MAY_EXEC) &&
|
|
|
|
|
!xindex_is_subset(lperms.xindex, perms.xindex)) {
|
|
|
|
|
lperms.allow &= ~MAY_EXEC;
|
|
|
|
|
request |= MAY_EXEC;
|
|
|
|
|
info = "link not subset of target";
|
|
|
|
|
goto audit;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
done_tests:
|
|
|
|
|
error = 0;
|
|
|
|
|
|
|
|
|
|
audit:
|
2022-09-19 20:48:48 -07:00
|
|
|
return aa_audit_file(subj_cred,
|
|
|
|
|
profile, &lperms, OP_LINK, request, lname, tname,
|
2017-06-09 16:06:21 -07:00
|
|
|
NULL, cond->uid, info, error);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* aa_path_link - Handle hard link permission check
|
2022-09-19 20:48:48 -07:00
|
|
|
* @subj_cred: subject cred
|
2017-06-09 16:06:21 -07:00
|
|
|
* @label: the label being enforced (NOT NULL)
|
|
|
|
|
* @old_dentry: the target dentry (NOT NULL)
|
|
|
|
|
* @new_dir: directory the new link will be created in (NOT NULL)
|
|
|
|
|
* @new_dentry: the link being created (NOT NULL)
|
|
|
|
|
*
|
|
|
|
|
* Handle the permission test for a link & target pair. Permission
|
|
|
|
|
* is encoded as a pair where the link permission is determined
|
|
|
|
|
* first, and if allowed, the target is tested. The target test
|
|
|
|
|
* is done from the point of the link match (not start of DFA)
|
|
|
|
|
* making the target permission dependent on the link permission match.
|
|
|
|
|
*
|
|
|
|
|
* The subset test if required forces that permissions granted
|
|
|
|
|
* on link are a subset of the permission granted to target.
|
|
|
|
|
*
|
|
|
|
|
* Returns: %0 if allowed else error
|
|
|
|
|
*/
|
2022-09-19 20:48:48 -07:00
|
|
|
int aa_path_link(const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label, struct dentry *old_dentry,
|
2017-06-09 16:06:21 -07:00
|
|
|
const struct path *new_dir, struct dentry *new_dentry)
|
|
|
|
|
{
|
2017-06-20 14:50:36 +10:00
|
|
|
struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry };
|
|
|
|
|
struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry };
|
2025-04-16 18:42:08 -04:00
|
|
|
struct inode *inode = d_backing_inode(old_dentry);
|
|
|
|
|
vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
|
2017-06-09 16:06:21 -07:00
|
|
|
struct path_cond cond = {
|
2025-04-16 18:42:08 -04:00
|
|
|
.uid = vfsuid_into_kuid(vfsuid),
|
|
|
|
|
.mode = inode->i_mode,
|
2017-06-09 16:06:21 -07:00
|
|
|
};
|
|
|
|
|
char *buffer = NULL, *buffer2 = NULL;
|
|
|
|
|
struct aa_profile *profile;
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
/* buffer freed below, lname is pointer in buffer */
|
2019-09-14 03:34:06 -07:00
|
|
|
buffer = aa_get_buffer(false);
|
|
|
|
|
buffer2 = aa_get_buffer(false);
|
2019-05-03 16:12:21 +02:00
|
|
|
error = -ENOMEM;
|
|
|
|
|
if (!buffer || !buffer2)
|
|
|
|
|
goto out;
|
|
|
|
|
|
2017-06-09 16:06:21 -07:00
|
|
|
error = fn_for_each_confined(label, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
profile_path_link(subj_cred, profile, &link, buffer,
|
|
|
|
|
&target, buffer2, &cond));
|
2019-05-03 16:12:21 +02:00
|
|
|
out:
|
|
|
|
|
aa_put_buffer(buffer);
|
|
|
|
|
aa_put_buffer(buffer2);
|
2010-07-29 14:48:04 -07:00
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-09 16:19:02 -07:00
|
|
|
static void update_file_ctx(struct aa_file_ctx *fctx, struct aa_label *label,
|
|
|
|
|
u32 request)
|
|
|
|
|
{
|
|
|
|
|
struct aa_label *l, *old;
|
|
|
|
|
|
|
|
|
|
/* update caching of label on file_ctx */
|
|
|
|
|
spin_lock(&fctx->lock);
|
|
|
|
|
old = rcu_dereference_protected(fctx->label,
|
2018-10-02 22:39:01 -07:00
|
|
|
lockdep_is_held(&fctx->lock));
|
2017-06-09 16:19:02 -07:00
|
|
|
l = aa_label_merge(old, label, GFP_ATOMIC);
|
|
|
|
|
if (l) {
|
|
|
|
|
if (l != old) {
|
|
|
|
|
rcu_assign_pointer(fctx->label, l);
|
|
|
|
|
aa_put_label(old);
|
|
|
|
|
} else
|
|
|
|
|
aa_put_label(l);
|
|
|
|
|
fctx->allow |= request;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&fctx->lock);
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static int __file_path_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label,
|
2017-06-09 16:19:02 -07:00
|
|
|
struct aa_label *flabel, struct file *file,
|
2019-09-14 03:34:06 -07:00
|
|
|
u32 request, u32 denied, bool in_atomic)
|
2017-06-09 16:19:02 -07:00
|
|
|
{
|
|
|
|
|
struct aa_profile *profile;
|
|
|
|
|
struct aa_perms perms = {};
|
2023-01-13 12:49:30 +01:00
|
|
|
vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(file),
|
2022-06-26 18:06:01 +02:00
|
|
|
file_inode(file));
|
2017-06-09 16:19:02 -07:00
|
|
|
struct path_cond cond = {
|
2022-06-26 18:06:01 +02:00
|
|
|
.uid = vfsuid_into_kuid(vfsuid),
|
2017-06-09 16:19:02 -07:00
|
|
|
.mode = file_inode(file)->i_mode
|
|
|
|
|
};
|
|
|
|
|
char *buffer;
|
|
|
|
|
int flags, error;
|
|
|
|
|
|
|
|
|
|
/* revalidation due to label out of date. No revocation at this time */
|
|
|
|
|
if (!denied && aa_label_is_subset(flabel, label))
|
|
|
|
|
/* TODO: check for revocation on stale profiles */
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
flags = PATH_DELEGATE_DELETED | (S_ISDIR(cond.mode) ? PATH_IS_DIR : 0);
|
2019-09-14 03:34:06 -07:00
|
|
|
buffer = aa_get_buffer(in_atomic);
|
2019-05-03 16:12:21 +02:00
|
|
|
if (!buffer)
|
|
|
|
|
return -ENOMEM;
|
2017-06-09 16:19:02 -07:00
|
|
|
|
|
|
|
|
/* check every profile in task label not in current cache */
|
|
|
|
|
error = fn_for_each_not_in_set(flabel, label, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
profile_path_perm(op, subj_cred, profile,
|
|
|
|
|
&file->f_path, buffer,
|
2017-06-09 16:19:02 -07:00
|
|
|
request, &cond, flags, &perms));
|
|
|
|
|
if (denied && !error) {
|
|
|
|
|
/*
|
|
|
|
|
* check every profile in file label that was not tested
|
|
|
|
|
* in the initial check above.
|
|
|
|
|
*
|
|
|
|
|
* TODO: cache full perms so this only happens because of
|
|
|
|
|
* conditionals
|
|
|
|
|
* TODO: don't audit here
|
|
|
|
|
*/
|
|
|
|
|
if (label == flabel)
|
|
|
|
|
error = fn_for_each(label, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
profile_path_perm(op, subj_cred,
|
|
|
|
|
profile, &file->f_path,
|
2017-06-09 16:19:02 -07:00
|
|
|
buffer, request, &cond, flags,
|
|
|
|
|
&perms));
|
|
|
|
|
else
|
|
|
|
|
error = fn_for_each_not_in_set(label, flabel, profile,
|
2022-09-19 20:48:48 -07:00
|
|
|
profile_path_perm(op, subj_cred,
|
|
|
|
|
profile, &file->f_path,
|
2017-06-09 16:19:02 -07:00
|
|
|
buffer, request, &cond, flags,
|
|
|
|
|
&perms));
|
|
|
|
|
}
|
|
|
|
|
if (!error)
|
|
|
|
|
update_file_ctx(file_ctx(file), label, request);
|
|
|
|
|
|
2019-05-03 16:12:21 +02:00
|
|
|
aa_put_buffer(buffer);
|
2017-06-09 16:19:02 -07:00
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static int __file_sock_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label,
|
2017-07-18 23:18:33 -07:00
|
|
|
struct aa_label *flabel, struct file *file,
|
|
|
|
|
u32 request, u32 denied)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
/* revalidation due to label out of date. No revocation at this time */
|
|
|
|
|
if (!denied && aa_label_is_subset(flabel, label))
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
/* TODO: improve to skip profiles cached in flabel */
|
apparmor: add fine grained af_unix mediation
Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.
This allows for using socket addresses to label and the socket and
control which subjects can communicate.
The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x. The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.
allow unix addr=@*,
Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.
allow unix addr=auto,
To indicate that the rule only applies to auto binding of unix domain
sockets. It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels
allow unix rw addr=auto,
It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.
Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.
allow unix addr=none,
If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.
The label on the socket can be compared using the standard label=
rule conditional. Eg.
allow unix addr=@foo peer=(label=bar),
see man apparmor.d for full syntax description.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-09-07 12:46:30 -07:00
|
|
|
error = aa_sock_file_perm(subj_cred, label, op, request, file);
|
2017-07-18 23:18:33 -07:00
|
|
|
if (denied) {
|
|
|
|
|
/* TODO: improve to skip profiles checked above */
|
|
|
|
|
/* check every profile in file label to is cached */
|
2022-09-19 20:48:48 -07:00
|
|
|
last_error(error, aa_sock_file_perm(subj_cred, flabel, op,
|
apparmor: add fine grained af_unix mediation
Extend af_unix mediation to support fine grained controls based on
the type (abstract, anonymous, fs), the address, and the labeling
on the socket.
This allows for using socket addresses to label and the socket and
control which subjects can communicate.
The unix rule format follows standard apparmor rules except that fs
based unix sockets can be mediated by existing file rules. None fs
unix sockets can be mediated by a unix socket rule. Where The address
of an abstract unix domain socket begins with the @ character, similar
to how they are reported (as paths) by netstat -x. The address then
follows and may contain pattern matching and any characters including
the null character. In apparmor null characters must be specified by
using an escape sequence \000 or \x00. The pattern matching is the
same as is used by file path matching so * will not match / even
though it has no special meaning with in an abstract socket name. Eg.
allow unix addr=@*,
Autobound unix domain sockets have a unix sun_path assigned to them by
the kernel, as such specifying a policy based address is not possible.
The autobinding of sockets can be controlled by specifying the special
auto keyword. Eg.
allow unix addr=auto,
To indicate that the rule only applies to auto binding of unix domain
sockets. It is important to note this only applies to the bind
permission as once the socket is bound to an address it is
indistinguishable from a socket that have an addr bound with a
specified name. When the auto keyword is used with other permissions
or as part of a peer addr it will be replaced with a pattern that can
match an autobound socket. Eg. For some kernels
allow unix rw addr=auto,
It is important to note, this pattern may match abstract sockets that
were not autobound but have an addr that fits what is generated by the
kernel when autobinding a socket.
Anonymous unix domain sockets have no sun_path associated with the
socket address, however it can be specified with the special none
keyword to indicate the rule only applies to anonymous unix domain
sockets. Eg.
allow unix addr=none,
If the address component of a rule is not specified then the rule
applies to autobind, abstract and anonymous sockets.
The label on the socket can be compared using the standard label=
rule conditional. Eg.
allow unix addr=@foo peer=(label=bar),
see man apparmor.d for full syntax description.
Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-09-07 12:46:30 -07:00
|
|
|
request, file));
|
2017-07-18 23:18:33 -07:00
|
|
|
}
|
|
|
|
|
if (!error)
|
|
|
|
|
update_file_ctx(file_ctx(file), label, request);
|
|
|
|
|
|
|
|
|
|
return error;
|
|
|
|
|
}
|
|
|
|
|
|
2024-01-19 01:23:55 -08:00
|
|
|
/* for now separate fn to indicate semantics of the check */
|
|
|
|
|
static bool __file_is_delegated(struct aa_label *obj_label)
|
|
|
|
|
{
|
|
|
|
|
return unconfined(obj_label);
|
|
|
|
|
}
|
|
|
|
|
|
2025-06-19 22:11:52 -07:00
|
|
|
static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,
|
|
|
|
|
u32 request)
|
|
|
|
|
{
|
|
|
|
|
struct socket *sock = (struct socket *) file->private_data;
|
|
|
|
|
|
|
|
|
|
lockdep_assert_in_rcu_read_lock();
|
|
|
|
|
|
|
|
|
|
if (!S_ISSOCK(file_inode(file)->i_mode))
|
|
|
|
|
return false;
|
|
|
|
|
if (request & NET_PEER_MASK)
|
|
|
|
|
return false;
|
|
|
|
|
if (sock->sk->sk_family == PF_UNIX) {
|
|
|
|
|
struct aa_sk_ctx *ctx = aa_sock(sock->sk);
|
|
|
|
|
|
|
|
|
|
if (rcu_access_pointer(ctx->peer) !=
|
|
|
|
|
rcu_access_pointer(ctx->peer_lastupdate))
|
|
|
|
|
return true;
|
|
|
|
|
return !__aa_subj_label_is_cached(rcu_dereference(ctx->label),
|
|
|
|
|
label);
|
|
|
|
|
}
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
|
2010-07-29 14:48:04 -07:00
|
|
|
/**
|
|
|
|
|
* aa_file_perm - do permission revalidation check & audit for @file
|
|
|
|
|
* @op: operation being checked
|
2022-09-19 20:48:48 -07:00
|
|
|
* @subj_cred: subject cred
|
2017-06-09 14:59:51 -07:00
|
|
|
* @label: label being enforced (NOT NULL)
|
2010-07-29 14:48:04 -07:00
|
|
|
* @file: file to revalidate access permissions on (NOT NULL)
|
|
|
|
|
* @request: requested permissions
|
2019-09-14 03:34:06 -07:00
|
|
|
* @in_atomic: whether allocations need to be done in atomic context
|
2010-07-29 14:48:04 -07:00
|
|
|
*
|
|
|
|
|
* Returns: %0 if access allowed else error
|
|
|
|
|
*/
|
2022-09-19 20:48:48 -07:00
|
|
|
int aa_file_perm(const char *op, const struct cred *subj_cred,
|
|
|
|
|
struct aa_label *label, struct file *file,
|
2019-09-14 03:34:06 -07:00
|
|
|
u32 request, bool in_atomic)
|
2010-07-29 14:48:04 -07:00
|
|
|
{
|
2017-06-09 14:59:51 -07:00
|
|
|
struct aa_file_ctx *fctx;
|
|
|
|
|
struct aa_label *flabel;
|
|
|
|
|
u32 denied;
|
|
|
|
|
int error = 0;
|
|
|
|
|
|
|
|
|
|
AA_BUG(!label);
|
|
|
|
|
AA_BUG(!file);
|
|
|
|
|
|
|
|
|
|
fctx = file_ctx(file);
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2019-12-18 11:04:07 -08:00
|
|
|
flabel = rcu_dereference(fctx->label);
|
2017-06-09 14:59:51 -07:00
|
|
|
AA_BUG(!flabel);
|
|
|
|
|
|
|
|
|
|
/* revalidate access, if task is unconfined, or the cached cred
|
|
|
|
|
* doesn't match or if the request is for more permissions than
|
|
|
|
|
* was granted.
|
|
|
|
|
*
|
|
|
|
|
* Note: the test for !unconfined(flabel) is to handle file
|
|
|
|
|
* delegation from unconfined tasks
|
|
|
|
|
*/
|
|
|
|
|
denied = request & ~fctx->allow;
|
2024-01-19 01:23:55 -08:00
|
|
|
if (unconfined(label) || __file_is_delegated(flabel) ||
|
2025-06-19 22:11:52 -07:00
|
|
|
__unix_needs_revalidation(file, label, request) ||
|
|
|
|
|
(!denied && __aa_subj_label_is_cached(label, flabel))) {
|
2019-12-18 11:04:07 -08:00
|
|
|
rcu_read_unlock();
|
2017-06-09 14:59:51 -07:00
|
|
|
goto done;
|
2019-12-18 11:04:07 -08:00
|
|
|
}
|
2017-06-09 14:59:51 -07:00
|
|
|
|
2025-06-19 22:11:52 -07:00
|
|
|
/* slow path - revalidate access */
|
2019-12-18 11:04:07 -08:00
|
|
|
flabel = aa_get_newest_label(flabel);
|
|
|
|
|
rcu_read_unlock();
|
2017-06-09 14:59:51 -07:00
|
|
|
|
2025-05-27 23:03:43 -04:00
|
|
|
if (path_mediated_fs(file->f_path.dentry))
|
2022-09-19 20:48:48 -07:00
|
|
|
error = __file_path_perm(op, subj_cred, label, flabel, file,
|
|
|
|
|
request, denied, in_atomic);
|
2010-07-29 14:48:04 -07:00
|
|
|
|
2017-07-18 23:18:33 -07:00
|
|
|
else if (S_ISSOCK(file_inode(file)->i_mode))
|
2022-09-19 20:48:48 -07:00
|
|
|
error = __file_sock_perm(op, subj_cred, label, flabel, file,
|
|
|
|
|
request, denied);
|
2019-09-13 22:24:23 -07:00
|
|
|
aa_put_label(flabel);
|
2019-12-18 11:04:07 -08:00
|
|
|
|
|
|
|
|
done:
|
2017-06-09 14:59:51 -07:00
|
|
|
return error;
|
2010-07-29 14:48:04 -07:00
|
|
|
}
|
2017-06-09 11:58:42 -07:00
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
static void revalidate_tty(const struct cred *subj_cred, struct aa_label *label)
|
2017-06-09 11:58:42 -07:00
|
|
|
{
|
|
|
|
|
struct tty_struct *tty;
|
|
|
|
|
int drop_tty = 0;
|
|
|
|
|
|
|
|
|
|
tty = get_current_tty();
|
|
|
|
|
if (!tty)
|
|
|
|
|
return;
|
|
|
|
|
|
|
|
|
|
spin_lock(&tty->files_lock);
|
|
|
|
|
if (!list_empty(&tty->tty_files)) {
|
|
|
|
|
struct tty_file_private *file_priv;
|
|
|
|
|
struct file *file;
|
|
|
|
|
/* TODO: Revalidate access to controlling tty. */
|
|
|
|
|
file_priv = list_first_entry(&tty->tty_files,
|
|
|
|
|
struct tty_file_private, list);
|
|
|
|
|
file = file_priv->file;
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
if (aa_file_perm(OP_INHERIT, subj_cred, label, file,
|
|
|
|
|
MAY_READ | MAY_WRITE, IN_ATOMIC))
|
2017-06-09 11:58:42 -07:00
|
|
|
drop_tty = 1;
|
|
|
|
|
}
|
|
|
|
|
spin_unlock(&tty->files_lock);
|
|
|
|
|
tty_kref_put(tty);
|
|
|
|
|
|
|
|
|
|
if (drop_tty)
|
|
|
|
|
no_tty();
|
|
|
|
|
}
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
struct cred_label {
|
|
|
|
|
const struct cred *cred;
|
|
|
|
|
struct aa_label *label;
|
|
|
|
|
};
|
|
|
|
|
|
2017-06-09 11:58:42 -07:00
|
|
|
static int match_file(const void *p, struct file *file, unsigned int fd)
|
|
|
|
|
{
|
2022-09-19 20:48:48 -07:00
|
|
|
struct cred_label *cl = (struct cred_label *)p;
|
2017-06-09 11:58:42 -07:00
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
if (aa_file_perm(OP_INHERIT, cl->cred, cl->label, file,
|
|
|
|
|
aa_map_file_to_perms(file), IN_ATOMIC))
|
2017-06-09 11:58:42 -07:00
|
|
|
return fd + 1;
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
/* based on selinux's flush_unauthorized_files */
|
|
|
|
|
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
|
|
|
|
|
{
|
2017-06-09 08:14:28 -07:00
|
|
|
struct aa_label *label = aa_get_newest_cred_label(cred);
|
2022-09-19 20:48:48 -07:00
|
|
|
struct cred_label cl = {
|
|
|
|
|
.cred = cred,
|
|
|
|
|
.label = label,
|
|
|
|
|
};
|
2017-06-09 11:58:42 -07:00
|
|
|
struct file *devnull = NULL;
|
|
|
|
|
unsigned int n;
|
|
|
|
|
|
2022-09-19 20:48:48 -07:00
|
|
|
revalidate_tty(cred, label);
|
2017-06-09 11:58:42 -07:00
|
|
|
|
|
|
|
|
/* Revalidate access to inherited open files. */
|
2022-09-19 20:48:48 -07:00
|
|
|
n = iterate_fd(files, 0, match_file, &cl);
|
2017-06-09 11:58:42 -07:00
|
|
|
if (!n) /* none found? */
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
devnull = dentry_open(&aa_null, O_RDWR, cred);
|
|
|
|
|
if (IS_ERR(devnull))
|
|
|
|
|
devnull = NULL;
|
|
|
|
|
/* replace all the matching ones with this */
|
|
|
|
|
do {
|
|
|
|
|
replace_fd(n - 1, devnull, 0);
|
2022-09-19 20:48:48 -07:00
|
|
|
} while ((n = iterate_fd(files, n, match_file, &cl)) != 0);
|
2017-06-09 11:58:42 -07:00
|
|
|
if (devnull)
|
|
|
|
|
fput(devnull);
|
|
|
|
|
out:
|
2017-06-09 08:14:28 -07:00
|
|
|
aa_put_label(label);
|
2017-06-09 11:58:42 -07:00
|
|
|
}
|