1 // SPDX-License-Identifier: GPL-2.0-only
3 * AppArmor security module
5 * This file contains AppArmor policy attachment and domain transitions
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
11 #include <linux/errno.h>
12 #include <linux/fdtable.h>
13 #include <linux/file.h>
14 #include <linux/mount.h>
15 #include <linux/syscalls.h>
16 #include <linux/tracehook.h>
17 #include <linux/personality.h>
18 #include <linux/xattr.h>
20 #include "include/audit.h"
21 #include "include/apparmorfs.h"
22 #include "include/cred.h"
23 #include "include/domain.h"
24 #include "include/file.h"
25 #include "include/ipc.h"
26 #include "include/match.h"
27 #include "include/path.h"
28 #include "include/policy.h"
29 #include "include/policy_ns.h"
32 * aa_free_domain_entries - free entries in a domain table
33 * @domain: the domain table to free (MAYBE NULL)
35 void aa_free_domain_entries(struct aa_domain
*domain
)
42 for (i
= 0; i
< domain
->size
; i
++)
43 kzfree(domain
->table
[i
]);
44 kzfree(domain
->table
);
50 * may_change_ptraced_domain - check if can change profile on ptraced task
51 * @to_label: profile to change to (NOT NULL)
52 * @info: message if there is an error
54 * Check if current is ptraced and if so if the tracing task is allowed
55 * to trace the new domain
57 * Returns: %0 or error if change not allowed
59 static int may_change_ptraced_domain(struct aa_label
*to_label
,
62 struct task_struct
*tracer
;
63 struct aa_label
*tracerl
= NULL
;
67 tracer
= ptrace_parent(current
);
70 tracerl
= aa_get_task_label(tracer
);
73 if (!tracer
|| unconfined(tracerl
))
76 error
= aa_may_ptrace(tracerl
, to_label
, PTRACE_MODE_ATTACH
);
80 aa_put_label(tracerl
);
83 *info
= "ptrace prevents transition";
87 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
88 * specifically this is an exact copy of aa_label_match except
89 * aa_compute_perms is replaced with aa_compute_fperms
90 * and policy.dfa with file.dfa
92 /* match a profile and its associated ns component if needed
93 * Assumes visibility test has already been done.
94 * If a subns profile is not to be matched should be prescreened with
97 static inline unsigned int match_component(struct aa_profile
*profile
,
98 struct aa_profile
*tp
,
99 bool stack
, unsigned int state
)
104 state
= aa_dfa_match(profile
->file
.dfa
, state
, "&");
105 if (profile
->ns
== tp
->ns
)
106 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
108 /* try matching with namespace name and then profile */
109 ns_name
= aa_ns_name(profile
->ns
, tp
->ns
, true);
110 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
111 state
= aa_dfa_match(profile
->file
.dfa
, state
, ns_name
);
112 state
= aa_dfa_match_len(profile
->file
.dfa
, state
, ":", 1);
113 return aa_dfa_match(profile
->file
.dfa
, state
, tp
->base
.hname
);
117 * label_compound_match - find perms for full compound label
118 * @profile: profile to find perms for
119 * @label: label to check access permissions for
120 * @stack: whether this is a stacking request
121 * @start: state to start match in
122 * @subns: whether to do permission checks on components in a subns
123 * @request: permissions to request
124 * @perms: perms struct to set
126 * Returns: 0 on success else ERROR
128 * For the label A//&B//&C this does the perm match for A//&B//&C
129 * @perms should be preinitialized with allperms OR a previous permission
130 * check to be stacked.
132 static int label_compound_match(struct aa_profile
*profile
,
133 struct aa_label
*label
, bool stack
,
134 unsigned int state
, bool subns
, u32 request
,
135 struct aa_perms
*perms
)
137 struct aa_profile
*tp
;
139 struct path_cond cond
= { };
141 /* find first subcomponent that is visible */
142 label_for_each(i
, label
, tp
) {
143 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
145 state
= match_component(profile
, tp
, stack
, state
);
151 /* no component visible */
156 label_for_each_cont(i
, label
, tp
) {
157 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
159 state
= aa_dfa_match(profile
->file
.dfa
, state
, "//&");
160 state
= match_component(profile
, tp
, false, state
);
164 *perms
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
165 aa_apply_modes_to_perms(profile
, perms
);
166 if ((perms
->allow
& request
) != request
)
177 * label_components_match - find perms for all subcomponents of a label
178 * @profile: profile to find perms for
179 * @label: label to check access permissions for
180 * @stack: whether this is a stacking request
181 * @start: state to start match in
182 * @subns: whether to do permission checks on components in a subns
183 * @request: permissions to request
184 * @perms: an initialized perms struct to add accumulation to
186 * Returns: 0 on success else ERROR
188 * For the label A//&B//&C this does the perm match for each of A and B and C
189 * @perms should be preinitialized with allperms OR a previous permission
190 * check to be stacked.
192 static int label_components_match(struct aa_profile
*profile
,
193 struct aa_label
*label
, bool stack
,
194 unsigned int start
, bool subns
, u32 request
,
195 struct aa_perms
*perms
)
197 struct aa_profile
*tp
;
200 struct path_cond cond
= { };
201 unsigned int state
= 0;
203 /* find first subcomponent to test */
204 label_for_each(i
, label
, tp
) {
205 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
207 state
= match_component(profile
, tp
, stack
, start
);
213 /* no subcomponents visible - no change in perms */
217 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
218 aa_apply_modes_to_perms(profile
, &tmp
);
219 aa_perms_accum(perms
, &tmp
);
220 label_for_each_cont(i
, label
, tp
) {
221 if (!aa_ns_visible(profile
->ns
, tp
->ns
, subns
))
223 state
= match_component(profile
, tp
, stack
, start
);
226 tmp
= aa_compute_fperms(profile
->file
.dfa
, state
, &cond
);
227 aa_apply_modes_to_perms(profile
, &tmp
);
228 aa_perms_accum(perms
, &tmp
);
231 if ((perms
->allow
& request
) != request
)
242 * label_match - do a multi-component label match
243 * @profile: profile to match against (NOT NULL)
244 * @label: label to match (NOT NULL)
245 * @stack: whether this is a stacking request
246 * @state: state to start in
247 * @subns: whether to match subns components
248 * @request: permission request
249 * @perms: Returns computed perms (NOT NULL)
251 * Returns: the state the match finished in, may be the none matching state
253 static int label_match(struct aa_profile
*profile
, struct aa_label
*label
,
254 bool stack
, unsigned int state
, bool subns
, u32 request
,
255 struct aa_perms
*perms
)
260 error
= label_compound_match(profile
, label
, stack
, state
, subns
,
266 return label_components_match(profile
, label
, stack
, state
, subns
,
270 /******* end TODO: dedup *****/
273 * change_profile_perms - find permissions for change_profile
274 * @profile: the current profile (NOT NULL)
275 * @target: label to transition to (NOT NULL)
276 * @stack: whether this is a stacking request
277 * @request: requested perms
278 * @start: state to start matching in
281 * Returns: permission set
283 * currently only matches full label A//&B//&C or individual components A, B, C
284 * not arbitrary combinations. Eg. A//&B, C
286 static int change_profile_perms(struct aa_profile
*profile
,
287 struct aa_label
*target
, bool stack
,
288 u32 request
, unsigned int start
,
289 struct aa_perms
*perms
)
291 if (profile_unconfined(profile
)) {
292 perms
->allow
= AA_MAY_CHANGE_PROFILE
| AA_MAY_ONEXEC
;
293 perms
->audit
= perms
->quiet
= perms
->kill
= 0;
297 /* TODO: add profile in ns screening */
298 return label_match(profile
, target
, stack
, start
, true, request
, perms
);
302 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
303 * @bprm: binprm struct for the process to validate
304 * @profile: profile to match against (NOT NULL)
305 * @state: state to start match in
307 * Returns: number of extended attributes that matched, or < 0 on error
309 static int aa_xattrs_match(const struct linux_binprm
*bprm
,
310 struct aa_profile
*profile
, unsigned int state
)
316 int value_size
= 0, ret
= profile
->xattr_count
;
318 if (!bprm
|| !profile
->xattr_count
)
322 /* transition from exec match to xattr set */
323 state
= aa_dfa_null_transition(profile
->xmatch
, state
);
325 d
= bprm
->file
->f_path
.dentry
;
327 for (i
= 0; i
< profile
->xattr_count
; i
++) {
328 size
= vfs_getxattr_alloc(d
, profile
->xattrs
[i
], &value
,
329 value_size
, GFP_KERNEL
);
333 /* Check the xattr value, not just presence */
334 state
= aa_dfa_match_len(profile
->xmatch
, state
, value
,
336 perm
= dfa_user_allow(profile
->xmatch
, state
);
337 if (!(perm
& MAY_EXEC
)) {
342 /* transition to next element */
343 state
= aa_dfa_null_transition(profile
->xmatch
, state
);
346 * No xattr match, so verify if transition to
347 * next element was valid. IFF so the xattr
354 /* don't count missing optional xattr as matched */
365 * find_attach - do attachment search for unconfined processes
366 * @bprm - binprm structure of transitioning task
367 * @ns: the current namespace (NOT NULL)
368 * @head - profile list to walk (NOT NULL)
369 * @name - to match against (NOT NULL)
370 * @info - info message if there was an error (NOT NULL)
372 * Do a linear search on the profiles in the list. There is a matching
373 * preference where an exact match is preferred over a name which uses
374 * expressions to match, and matching expressions with the greatest
375 * xmatch_len are preferred.
377 * Requires: @head not be shared or have appropriate locks held
379 * Returns: label or NULL if no match found
381 static struct aa_label
*find_attach(const struct linux_binprm
*bprm
,
382 struct aa_ns
*ns
, struct list_head
*head
,
383 const char *name
, const char **info
)
385 int candidate_len
= 0, candidate_xattrs
= 0;
386 bool conflict
= false;
387 struct aa_profile
*profile
, *candidate
= NULL
;
394 list_for_each_entry_rcu(profile
, head
, base
.list
) {
395 if (profile
->label
.flags
& FLAG_NULL
&&
396 &profile
->label
== ns_unconfined(profile
->ns
))
399 /* Find the "best" matching profile. Profiles must
400 * match the path and extended attributes (if any)
401 * associated with the file. A more specific path
402 * match will be preferred over a less specific one,
403 * and a match with more matching extended attributes
404 * will be preferred over one with fewer. If the best
405 * match has both the same level of path specificity
406 * and the same number of matching extended attributes
407 * as another profile, signal a conflict and refuse to
410 if (profile
->xmatch
) {
411 unsigned int state
, count
;
414 state
= aa_dfa_leftmatch(profile
->xmatch
, DFA_START
,
416 perm
= dfa_user_allow(profile
->xmatch
, state
);
417 /* any accepting state means a valid match. */
418 if (perm
& MAY_EXEC
) {
421 if (count
< candidate_len
)
424 if (bprm
&& profile
->xattr_count
) {
425 long rev
= READ_ONCE(ns
->revision
);
427 if (!aa_get_profile_not0(profile
))
430 ret
= aa_xattrs_match(bprm
, profile
,
433 aa_put_profile(profile
);
435 READ_ONCE(ns
->revision
))
439 * Fail matching if the xattrs don't
446 * TODO: allow for more flexible best match
448 * The new match isn't more specific
449 * than the current best match
451 if (count
== candidate_len
&&
452 ret
<= candidate_xattrs
) {
453 /* Match is equivalent, so conflict */
454 if (ret
== candidate_xattrs
)
459 /* Either the same length with more matching
460 * xattrs, or a longer match
463 candidate_len
= profile
->xmatch_len
;
464 candidate_xattrs
= ret
;
467 } else if (!strcmp(profile
->base
.name
, name
)) {
469 * old exact non-re match, without conditionals such
470 * as xattrs. no more searching required
477 if (!candidate
|| conflict
) {
479 *info
= "conflicting profile attachments";
485 candidate
= aa_get_newest_profile(candidate
);
488 return &candidate
->label
;
491 static const char *next_name(int xtype
, const char *name
)
497 * x_table_lookup - lookup an x transition name via transition table
498 * @profile: current profile (NOT NULL)
499 * @xindex: index into x transition table
500 * @name: returns: name tested to find label (NOT NULL)
502 * Returns: refcounted label, or NULL on failure (MAYBE NULL)
504 struct aa_label
*x_table_lookup(struct aa_profile
*profile
, u32 xindex
,
507 struct aa_label
*label
= NULL
;
508 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
509 int index
= xindex
& AA_X_INDEX_MASK
;
513 /* index is guaranteed to be in range, validated at load time */
514 /* TODO: move lookup parsing to unpack time so this is a straight
515 * index into the resultant label
517 for (*name
= profile
->file
.trans
.table
[index
]; !label
&& *name
;
518 *name
= next_name(xtype
, *name
)) {
519 if (xindex
& AA_X_CHILD
) {
520 struct aa_profile
*new_profile
;
521 /* release by caller */
522 new_profile
= aa_find_child(profile
, *name
);
524 label
= &new_profile
->label
;
527 label
= aa_label_parse(&profile
->label
, *name
, GFP_KERNEL
,
533 /* released by caller */
539 * x_to_label - get target label for a given xindex
540 * @profile: current profile (NOT NULL)
541 * @bprm: binprm structure of transitioning task
542 * @name: name to lookup (NOT NULL)
543 * @xindex: index into x transition table
544 * @lookupname: returns: name used in lookup if one was specified (NOT NULL)
546 * find label for a transition index
548 * Returns: refcounted label or NULL if not found available
550 static struct aa_label
*x_to_label(struct aa_profile
*profile
,
551 const struct linux_binprm
*bprm
,
552 const char *name
, u32 xindex
,
553 const char **lookupname
,
556 struct aa_label
*new = NULL
;
557 struct aa_ns
*ns
= profile
->ns
;
558 u32 xtype
= xindex
& AA_X_TYPE_MASK
;
559 const char *stack
= NULL
;
563 /* fail exec unless ix || ux fallback - handled by caller */
567 /* TODO: fix when perm mapping done at unload */
568 stack
= profile
->file
.trans
.table
[xindex
& AA_X_INDEX_MASK
];
570 /* released by caller */
571 new = x_table_lookup(profile
, xindex
, lookupname
);
575 /* fall through - to X_NAME */
577 if (xindex
& AA_X_CHILD
)
578 /* released by caller */
579 new = find_attach(bprm
, ns
, &profile
->base
.profiles
,
582 /* released by caller */
583 new = find_attach(bprm
, ns
, &ns
->base
.profiles
,
590 if (xindex
& AA_X_INHERIT
) {
591 /* (p|c|n)ix - don't change profile but do
592 * use the newest version
594 *info
= "ix fallback";
595 /* no profile && no error */
596 new = aa_get_newest_label(&profile
->label
);
597 } else if (xindex
& AA_X_UNCONFINED
) {
598 new = aa_get_newest_label(ns_unconfined(profile
->ns
));
599 *info
= "ux fallback";
604 /* base the stack on post domain transition */
605 struct aa_label
*base
= new;
607 new = aa_label_parse(base
, stack
, GFP_KERNEL
, true, false);
613 /* released by caller */
617 static struct aa_label
*profile_transition(struct aa_profile
*profile
,
618 const struct linux_binprm
*bprm
,
619 char *buffer
, struct path_cond
*cond
,
622 struct aa_label
*new = NULL
;
623 struct aa_profile
*component
;
625 const char *info
= NULL
, *name
= NULL
, *target
= NULL
;
626 unsigned int state
= profile
->file
.start
;
627 struct aa_perms perms
= {};
628 bool nonewprivs
= false;
635 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
636 &name
, &info
, profile
->disconnected
);
638 if (profile_unconfined(profile
) ||
639 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
640 AA_DEBUG("name lookup ix on error");
642 new = aa_get_newest_label(&profile
->label
);
644 name
= bprm
->filename
;
648 if (profile_unconfined(profile
)) {
649 new = find_attach(bprm
, profile
->ns
,
650 &profile
->ns
->base
.profiles
, name
, &info
);
652 AA_DEBUG("unconfined attached to new label");
655 AA_DEBUG("unconfined exec no attachment");
656 return aa_get_newest_label(&profile
->label
);
659 /* find exec permissions for name */
660 state
= aa_str_perms(profile
->file
.dfa
, state
, name
, cond
, &perms
);
661 if (perms
.allow
& MAY_EXEC
) {
662 /* exec permission determine how to transition */
663 new = x_to_label(profile
, bprm
, name
, perms
.xindex
, &target
,
665 if (new && new->proxy
== profile
->label
.proxy
&& info
) {
666 /* hack ix fallback - improve how this is detected */
670 info
= "profile transition not found";
671 /* remove MAY_EXEC to audit as failure */
672 perms
.allow
&= ~MAY_EXEC
;
674 /* verify that each component's xattr requirements are
675 * met, and fail execution otherwise
677 label_for_each(i
, new, component
) {
678 if (aa_xattrs_match(bprm
, component
, state
) <
681 info
= "required xattrs not present";
682 perms
.allow
&= ~MAY_EXEC
;
689 } else if (COMPLAIN_MODE(profile
)) {
690 /* no exec permission - learning mode */
691 struct aa_profile
*new_profile
= NULL
;
693 new_profile
= aa_new_null_profile(profile
, false, name
,
697 info
= "could not create null profile";
700 new = &new_profile
->label
;
702 perms
.xindex
|= AA_X_UNSAFE
;
711 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
713 dbg_printk("apparmor: scrubbing environment variables"
714 " for %s profile=", name
);
715 aa_label_printk(new, GFP_KERNEL
);
722 aa_audit_file(profile
, &perms
, OP_EXEC
, MAY_EXEC
, name
, target
, new,
723 cond
->uid
, info
, error
);
724 if (!new || nonewprivs
) {
726 return ERR_PTR(error
);
732 static int profile_onexec(struct aa_profile
*profile
, struct aa_label
*onexec
,
733 bool stack
, const struct linux_binprm
*bprm
,
734 char *buffer
, struct path_cond
*cond
,
737 unsigned int state
= profile
->file
.start
;
738 struct aa_perms perms
= {};
739 const char *xname
= NULL
, *info
= "change_profile onexec";
747 if (profile_unconfined(profile
)) {
748 /* change_profile on exec already granted */
750 * NOTE: Domain transitions from unconfined are allowed
751 * even when no_new_privs is set because this aways results
752 * in a further reduction of permissions.
757 error
= aa_path_name(&bprm
->file
->f_path
, profile
->path_flags
, buffer
,
758 &xname
, &info
, profile
->disconnected
);
760 if (profile_unconfined(profile
) ||
761 (profile
->label
.flags
& FLAG_IX_ON_NAME_ERROR
)) {
762 AA_DEBUG("name lookup ix on error");
765 xname
= bprm
->filename
;
769 /* find exec permissions for name */
770 state
= aa_str_perms(profile
->file
.dfa
, state
, xname
, cond
, &perms
);
771 if (!(perms
.allow
& AA_MAY_ONEXEC
)) {
772 info
= "no change_onexec valid for executable";
775 /* test if this exec can be paired with change_profile onexec.
776 * onexec permission is linked to exec with a standard pairing
777 * exec\0change_profile
779 state
= aa_dfa_null_transition(profile
->file
.dfa
, state
);
780 error
= change_profile_perms(profile
, onexec
, stack
, AA_MAY_ONEXEC
,
783 perms
.allow
&= ~AA_MAY_ONEXEC
;
787 if (!(perms
.xindex
& AA_X_UNSAFE
)) {
789 dbg_printk("apparmor: scrubbing environment "
790 "variables for %s label=", xname
);
791 aa_label_printk(onexec
, GFP_KERNEL
);
798 return aa_audit_file(profile
, &perms
, OP_EXEC
, AA_MAY_ONEXEC
, xname
,
799 NULL
, onexec
, cond
->uid
, info
, error
);
802 /* ensure none ns domain transitions are correctly applied with onexec */
804 static struct aa_label
*handle_onexec(struct aa_label
*label
,
805 struct aa_label
*onexec
, bool stack
,
806 const struct linux_binprm
*bprm
,
807 char *buffer
, struct path_cond
*cond
,
810 struct aa_profile
*profile
;
811 struct aa_label
*new;
820 error
= fn_for_each_in_ns(label
, profile
,
821 profile_onexec(profile
, onexec
, stack
,
822 bprm
, buffer
, cond
, unsafe
));
824 return ERR_PTR(error
);
825 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
826 aa_get_newest_label(onexec
),
827 profile_transition(profile
, bprm
, buffer
,
831 /* TODO: determine how much we want to loosen this */
832 error
= fn_for_each_in_ns(label
, profile
,
833 profile_onexec(profile
, onexec
, stack
, bprm
,
834 buffer
, cond
, unsafe
));
836 return ERR_PTR(error
);
837 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
838 aa_label_merge(&profile
->label
, onexec
,
840 profile_transition(profile
, bprm
, buffer
,
847 /* TODO: get rid of GLOBAL_ROOT_UID */
848 error
= fn_for_each_in_ns(label
, profile
,
849 aa_audit_file(profile
, &nullperms
, OP_CHANGE_ONEXEC
,
850 AA_MAY_ONEXEC
, bprm
->filename
, NULL
,
851 onexec
, GLOBAL_ROOT_UID
,
852 "failed to build target label", -ENOMEM
));
853 return ERR_PTR(error
);
857 * apparmor_bprm_set_creds - set the new creds on the bprm struct
858 * @bprm: binprm for the exec (NOT NULL)
860 * Returns: %0 or error on failure
862 * TODO: once the other paths are done see if we can't refactor into a fn
864 int apparmor_bprm_set_creds(struct linux_binprm
*bprm
)
866 struct aa_task_ctx
*ctx
;
867 struct aa_label
*label
, *new = NULL
;
868 struct aa_profile
*profile
;
870 const char *info
= NULL
;
873 struct path_cond cond
= {
874 file_inode(bprm
->file
)->i_uid
,
875 file_inode(bprm
->file
)->i_mode
878 if (bprm
->called_set_creds
)
881 ctx
= task_ctx(current
);
882 AA_BUG(!cred_label(bprm
->cred
));
885 label
= aa_get_newest_label(cred_label(bprm
->cred
));
888 * Detect no new privs being set, and store the label it
889 * occurred under. Ideally this would happen when nnp
890 * is set but there isn't a good way to do that yet.
892 * Testing for unconfined must be done before the subset test
894 if ((bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
) && !unconfined(label
) &&
896 ctx
->nnp
= aa_get_label(label
);
898 /* buffer freed below, name is pointer into buffer */
899 buffer
= aa_get_buffer(false);
905 /* Test for onexec first as onexec override other x transitions. */
907 new = handle_onexec(label
, ctx
->onexec
, ctx
->token
,
908 bprm
, buffer
, &cond
, &unsafe
);
910 new = fn_label_build(label
, profile
, GFP_KERNEL
,
911 profile_transition(profile
, bprm
, buffer
,
916 error
= PTR_ERR(new);
923 /* Policy has specified a domain transitions. If no_new_privs and
924 * confined ensure the transition is to confinement that is subset
925 * of the confinement when the task entered no new privs.
927 * NOTE: Domain transitions from unconfined and to stacked
928 * subsets are allowed even when no_new_privs is set because this
929 * aways results in a further reduction of permissions.
931 if ((bprm
->unsafe
& LSM_UNSAFE_NO_NEW_PRIVS
) &&
932 !unconfined(label
) &&
933 !aa_label_is_unconfined_subset(new, ctx
->nnp
)) {
935 info
= "no new privs";
939 if (bprm
->unsafe
& LSM_UNSAFE_SHARE
) {
940 /* FIXME: currently don't mediate shared state */
944 if (bprm
->unsafe
& (LSM_UNSAFE_PTRACE
)) {
945 /* TODO: test needs to be profile of label to new */
946 error
= may_change_ptraced_domain(new, &info
);
953 dbg_printk("scrubbing environment variables for %s "
954 "label=", bprm
->filename
);
955 aa_label_printk(new, GFP_KERNEL
);
958 bprm
->secureexec
= 1;
961 if (label
->proxy
!= new->proxy
) {
962 /* when transitioning clear unsafe personality bits */
964 dbg_printk("apparmor: clearing unsafe personality "
965 "bits. %s label=", bprm
->filename
);
966 aa_label_printk(new, GFP_KERNEL
);
969 bprm
->per_clear
|= PER_CLEAR_ON_SETID
;
971 aa_put_label(cred_label(bprm
->cred
));
972 /* transfer reference, released when cred is freed */
973 set_cred_label(bprm
->cred
, new);
977 aa_put_buffer(buffer
);
982 error
= fn_for_each(label
, profile
,
983 aa_audit_file(profile
, &nullperms
, OP_EXEC
, MAY_EXEC
,
984 bprm
->filename
, NULL
, new,
985 file_inode(bprm
->file
)->i_uid
, info
,
992 * Functions for self directed profile change
996 /* helper fn for change_hat
998 * Returns: label for hat transition OR ERR_PTR. Does NOT return NULL
1000 static struct aa_label
*build_change_hat(struct aa_profile
*profile
,
1001 const char *name
, bool sibling
)
1003 struct aa_profile
*root
, *hat
= NULL
;
1004 const char *info
= NULL
;
1007 if (sibling
&& PROFILE_IS_HAT(profile
)) {
1008 root
= aa_get_profile_rcu(&profile
->parent
);
1009 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
1010 root
= aa_get_profile(profile
);
1012 info
= "conflicting target types";
1017 hat
= aa_find_child(root
, name
);
1020 if (COMPLAIN_MODE(profile
)) {
1021 hat
= aa_new_null_profile(profile
, true, name
,
1024 info
= "failed null profile create";
1029 aa_put_profile(root
);
1032 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
, AA_MAY_CHANGEHAT
,
1033 name
, hat
? hat
->base
.hname
: NULL
,
1034 hat
? &hat
->label
: NULL
, GLOBAL_ROOT_UID
, info
,
1036 if (!hat
|| (error
&& error
!= -ENOENT
))
1037 return ERR_PTR(error
);
1038 /* if hat && error - complain mode, already audited and we adjust for
1039 * complain mode allow by returning hat->label
1044 /* helper fn for changing into a hat
1046 * Returns: label for hat transition or ERR_PTR. Does not return NULL
1048 static struct aa_label
*change_hat(struct aa_label
*label
, const char *hats
[],
1049 int count
, int flags
)
1051 struct aa_profile
*profile
, *root
, *hat
= NULL
;
1052 struct aa_label
*new;
1054 bool sibling
= false;
1055 const char *name
, *info
= NULL
;
1062 if (PROFILE_IS_HAT(labels_profile(label
)))
1065 /*find first matching hat */
1066 for (i
= 0; i
< count
&& !hat
; i
++) {
1068 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
1069 if (sibling
&& PROFILE_IS_HAT(profile
)) {
1070 root
= aa_get_profile_rcu(&profile
->parent
);
1071 } else if (!sibling
&& !PROFILE_IS_HAT(profile
)) {
1072 root
= aa_get_profile(profile
);
1073 } else { /* conflicting change type */
1074 info
= "conflicting targets types";
1078 hat
= aa_find_child(root
, name
);
1079 aa_put_profile(root
);
1081 if (!COMPLAIN_MODE(profile
))
1082 goto outer_continue
;
1083 /* complain mode succeed as if hat */
1084 } else if (!PROFILE_IS_HAT(hat
)) {
1085 info
= "target not hat";
1087 aa_put_profile(hat
);
1090 aa_put_profile(hat
);
1092 /* found a hat for all profiles in ns */
1097 /* no hats that match, find appropriate error
1099 * In complain mode audit of the failure is based off of the first
1100 * hat supplied. This is done due how userspace interacts with
1104 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
1105 if (!list_empty(&profile
->base
.profiles
)) {
1106 info
= "hat not found";
1111 info
= "no hats defined";
1115 label_for_each_in_ns(it
, labels_ns(label
), label
, profile
) {
1117 * no target as it has failed to be found or built
1119 * change_hat uses probing and should not log failures
1120 * related to missing hats
1122 /* TODO: get rid of GLOBAL_ROOT_UID */
1123 if (count
> 1 || COMPLAIN_MODE(profile
)) {
1124 aa_audit_file(profile
, &nullperms
, OP_CHANGE_HAT
,
1125 AA_MAY_CHANGEHAT
, name
, NULL
, NULL
,
1126 GLOBAL_ROOT_UID
, info
, error
);
1129 return ERR_PTR(error
);
1132 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
1133 build_change_hat(profile
, name
, sibling
),
1134 aa_get_label(&profile
->label
));
1136 info
= "label build failed";
1139 } /* else if (IS_ERR) build_change_hat has logged error so return new */
1145 * aa_change_hat - change hat to/from subprofile
1146 * @hats: vector of hat names to try changing into (MAYBE NULL if @count == 0)
1147 * @count: number of hat names in @hats
1148 * @token: magic value to validate the hat change
1149 * @flags: flags affecting behavior of the change
1151 * Returns %0 on success, error otherwise.
1153 * Change to the first profile specified in @hats that exists, and store
1154 * the @hat_magic in the current task context. If the count == 0 and the
1155 * @token matches that stored in the current task context, return to the
1156 * top level profile.
1158 * change_hat only applies to profiles in the current ns, and each profile
1159 * in the ns must make the same transition otherwise change_hat will fail.
1161 int aa_change_hat(const char *hats
[], int count
, u64 token
, int flags
)
1163 const struct cred
*cred
;
1164 struct aa_task_ctx
*ctx
= task_ctx(current
);
1165 struct aa_label
*label
, *previous
, *new = NULL
, *target
= NULL
;
1166 struct aa_profile
*profile
;
1167 struct aa_perms perms
= {};
1168 const char *info
= NULL
;
1171 /* released below */
1172 cred
= get_current_cred();
1173 label
= aa_get_newest_cred_label(cred
);
1174 previous
= aa_get_newest_label(ctx
->previous
);
1177 * Detect no new privs being set, and store the label it
1178 * occurred under. Ideally this would happen when nnp
1179 * is set but there isn't a good way to do that yet.
1181 * Testing for unconfined must be done before the subset test
1183 if (task_no_new_privs(current
) && !unconfined(label
) && !ctx
->nnp
)
1184 ctx
->nnp
= aa_get_label(label
);
1186 if (unconfined(label
)) {
1187 info
= "unconfined can not change_hat";
1193 new = change_hat(label
, hats
, count
, flags
);
1196 error
= PTR_ERR(new);
1198 /* already audited */
1202 error
= may_change_ptraced_domain(new, &info
);
1207 * no new privs prevents domain transitions that would
1208 * reduce restrictions.
1210 if (task_no_new_privs(current
) && !unconfined(label
) &&
1211 !aa_label_is_unconfined_subset(new, ctx
->nnp
)) {
1212 /* not an apparmor denial per se, so don't log it */
1213 AA_DEBUG("no_new_privs - change_hat denied");
1218 if (flags
& AA_CHANGE_TEST
)
1222 error
= aa_set_current_hat(new, token
);
1223 if (error
== -EACCES
)
1224 /* kill task in case of brute force attacks */
1226 } else if (previous
&& !(flags
& AA_CHANGE_TEST
)) {
1228 * no new privs prevents domain transitions that would
1229 * reduce restrictions.
1231 if (task_no_new_privs(current
) && !unconfined(label
) &&
1232 !aa_label_is_unconfined_subset(previous
, ctx
->nnp
)) {
1233 /* not an apparmor denial per se, so don't log it */
1234 AA_DEBUG("no_new_privs - change_hat denied");
1239 /* Return to saved label. Kill task if restore fails
1240 * to avoid brute force attacks
1243 error
= aa_restore_previous_label(token
);
1245 if (error
== -EACCES
)
1249 } /* else ignore @flags && restores when there is no saved profile */
1253 aa_put_label(previous
);
1254 aa_put_label(label
);
1260 info
= "failed token match";
1261 perms
.kill
= AA_MAY_CHANGEHAT
;
1264 fn_for_each_in_ns(label
, profile
,
1265 aa_audit_file(profile
, &perms
, OP_CHANGE_HAT
,
1266 AA_MAY_CHANGEHAT
, NULL
, NULL
, target
,
1267 GLOBAL_ROOT_UID
, info
, error
));
1273 static int change_profile_perms_wrapper(const char *op
, const char *name
,
1274 struct aa_profile
*profile
,
1275 struct aa_label
*target
, bool stack
,
1276 u32 request
, struct aa_perms
*perms
)
1278 const char *info
= NULL
;
1282 error
= change_profile_perms(profile
, target
, stack
, request
,
1283 profile
->file
.start
, perms
);
1285 error
= aa_audit_file(profile
, perms
, op
, request
, name
,
1286 NULL
, target
, GLOBAL_ROOT_UID
, info
,
1293 * aa_change_profile - perform a one-way profile transition
1294 * @fqname: name of profile may include namespace (NOT NULL)
1295 * @onexec: whether this transition is to take place immediately or at exec
1296 * @flags: flags affecting change behavior
1298 * Change to new profile @name. Unlike with hats, there is no way
1299 * to change back. If @name isn't specified the current profile name is
1301 * If @onexec then the transition is delayed until
1304 * Returns %0 on success, error otherwise.
1306 int aa_change_profile(const char *fqname
, int flags
)
1308 struct aa_label
*label
, *new = NULL
, *target
= NULL
;
1309 struct aa_profile
*profile
;
1310 struct aa_perms perms
= {};
1311 const char *info
= NULL
;
1312 const char *auditname
= fqname
; /* retain leading & if stack */
1313 bool stack
= flags
& AA_CHANGE_STACK
;
1314 struct aa_task_ctx
*ctx
= task_ctx(current
);
1319 label
= aa_get_current_label();
1322 * Detect no new privs being set, and store the label it
1323 * occurred under. Ideally this would happen when nnp
1324 * is set but there isn't a good way to do that yet.
1326 * Testing for unconfined must be done before the subset test
1328 if (task_no_new_privs(current
) && !unconfined(label
) && !ctx
->nnp
)
1329 ctx
->nnp
= aa_get_label(label
);
1331 if (!fqname
|| !*fqname
) {
1332 aa_put_label(label
);
1333 AA_DEBUG("no profile name");
1337 if (flags
& AA_CHANGE_ONEXEC
) {
1338 request
= AA_MAY_ONEXEC
;
1340 op
= OP_STACK_ONEXEC
;
1342 op
= OP_CHANGE_ONEXEC
;
1344 request
= AA_MAY_CHANGE_PROFILE
;
1348 op
= OP_CHANGE_PROFILE
;
1351 if (*fqname
== '&') {
1353 /* don't have label_parse() do stacking */
1356 target
= aa_label_parse(label
, fqname
, GFP_KERNEL
, true, false);
1357 if (IS_ERR(target
)) {
1358 struct aa_profile
*tprofile
;
1360 info
= "label not found";
1361 error
= PTR_ERR(target
);
1364 * TODO: fixme using labels_profile is not right - do profile
1365 * per complain profile
1367 if ((flags
& AA_CHANGE_TEST
) ||
1368 !COMPLAIN_MODE(labels_profile(label
)))
1370 /* released below */
1371 tprofile
= aa_new_null_profile(labels_profile(label
), false,
1372 fqname
, GFP_KERNEL
);
1374 info
= "failed null profile create";
1378 target
= &tprofile
->label
;
1383 * self directed transitions only apply to current policy ns
1384 * TODO: currently requiring perms for stacking and straight change
1385 * stacking doesn't strictly need this. Determine how much
1386 * we want to loosen this restriction for stacking
1390 error
= fn_for_each_in_ns(label
, profile
,
1391 change_profile_perms_wrapper(op
, auditname
,
1392 profile
, target
, stack
,
1395 /* auditing done in change_profile_perms_wrapper */
1401 /* check if tracing task is allowed to trace target domain */
1402 error
= may_change_ptraced_domain(target
, &info
);
1403 if (error
&& !fn_for_each_in_ns(label
, profile
,
1404 COMPLAIN_MODE(profile
)))
1407 /* TODO: add permission check to allow this
1408 * if ((flags & AA_CHANGE_ONEXEC) && !current_is_single_threaded()) {
1409 * info = "not a single threaded task";
1414 if (flags
& AA_CHANGE_TEST
)
1417 /* stacking is always a subset, so only check the nonstack case */
1419 new = fn_label_build_in_ns(label
, profile
, GFP_KERNEL
,
1420 aa_get_label(target
),
1421 aa_get_label(&profile
->label
));
1423 * no new privs prevents domain transitions that would
1424 * reduce restrictions.
1426 if (task_no_new_privs(current
) && !unconfined(label
) &&
1427 !aa_label_is_unconfined_subset(new, ctx
->nnp
)) {
1428 /* not an apparmor denial per se, so don't log it */
1429 AA_DEBUG("no_new_privs - change_hat denied");
1435 if (!(flags
& AA_CHANGE_ONEXEC
)) {
1436 /* only transition profiles in the current ns */
1438 new = aa_label_merge(label
, target
, GFP_KERNEL
);
1439 if (IS_ERR_OR_NULL(new)) {
1440 info
= "failed to build target label";
1444 error
= PTR_ERR(new);
1449 error
= aa_replace_current_label(new);
1456 /* full transition will be built in exec path */
1457 error
= aa_set_current_onexec(target
, stack
);
1461 error
= fn_for_each_in_ns(label
, profile
,
1462 aa_audit_file(profile
, &perms
, op
, request
, auditname
,
1463 NULL
, new ? new : target
,
1464 GLOBAL_ROOT_UID
, info
, error
));
1468 aa_put_label(target
);
1469 aa_put_label(label
);