file.c 20 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor mediation of files
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/tty.h>
  11. #include <linux/fdtable.h>
  12. #include <linux/file.h>
  13. #include <linux/fs.h>
  14. #include <linux/mount.h>
  15. #include "include/apparmor.h"
  16. #include "include/audit.h"
  17. #include "include/cred.h"
  18. #include "include/file.h"
  19. #include "include/match.h"
  20. #include "include/net.h"
  21. #include "include/path.h"
  22. #include "include/policy.h"
  23. #include "include/label.h"
  24. static u32 map_mask_to_chr_mask(u32 mask)
  25. {
  26. u32 m = mask & PERMS_CHRS_MASK;
  27. if (mask & AA_MAY_GETATTR)
  28. m |= MAY_READ;
  29. if (mask & (AA_MAY_SETATTR | AA_MAY_CHMOD | AA_MAY_CHOWN))
  30. m |= MAY_WRITE;
  31. return m;
  32. }
  33. /**
  34. * file_audit_cb - call back for file specific audit fields
  35. * @ab: audit_buffer (NOT NULL)
  36. * @va: audit struct to audit values of (NOT NULL)
  37. */
  38. static void file_audit_cb(struct audit_buffer *ab, void *va)
  39. {
  40. struct common_audit_data *sa = va;
  41. kuid_t fsuid = current_fsuid();
  42. char str[10];
  43. if (aad(sa)->request & AA_AUDIT_FILE_MASK) {
  44. aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
  45. map_mask_to_chr_mask(aad(sa)->request));
  46. audit_log_format(ab, " requested_mask=\"%s\"", str);
  47. }
  48. if (aad(sa)->denied & AA_AUDIT_FILE_MASK) {
  49. aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
  50. map_mask_to_chr_mask(aad(sa)->denied));
  51. audit_log_format(ab, " denied_mask=\"%s\"", str);
  52. }
  53. if (aad(sa)->request & AA_AUDIT_FILE_MASK) {
  54. audit_log_format(ab, " fsuid=%d",
  55. from_kuid(&init_user_ns, fsuid));
  56. audit_log_format(ab, " ouid=%d",
  57. from_kuid(&init_user_ns, aad(sa)->fs.ouid));
  58. }
  59. if (aad(sa)->peer) {
  60. audit_log_format(ab, " target=");
  61. aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
  62. FLAG_VIEW_SUBNS, GFP_KERNEL);
  63. } else if (aad(sa)->fs.target) {
  64. audit_log_format(ab, " target=");
  65. audit_log_untrustedstring(ab, aad(sa)->fs.target);
  66. }
  67. }
  68. /**
  69. * aa_audit_file - handle the auditing of file operations
  70. * @profile: the profile being enforced (NOT NULL)
  71. * @perms: the permissions computed for the request (NOT NULL)
  72. * @op: operation being mediated
  73. * @request: permissions requested
  74. * @name: name of object being mediated (MAYBE NULL)
  75. * @target: name of target (MAYBE NULL)
  76. * @tlabel: target label (MAY BE NULL)
  77. * @ouid: object uid
  78. * @info: extra information message (MAYBE NULL)
  79. * @error: 0 if operation allowed else failure error code
  80. *
  81. * Returns: %0 or error on failure
  82. */
  83. int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
  84. const char *op, u32 request, const char *name,
  85. const char *target, struct aa_label *tlabel,
  86. kuid_t ouid, const char *info, int error)
  87. {
  88. int type = AUDIT_APPARMOR_AUTO;
  89. DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
  90. sa.u.tsk = NULL;
  91. aad(&sa)->request = request;
  92. aad(&sa)->name = name;
  93. aad(&sa)->fs.target = target;
  94. aad(&sa)->peer = tlabel;
  95. aad(&sa)->fs.ouid = ouid;
  96. aad(&sa)->info = info;
  97. aad(&sa)->error = error;
  98. sa.u.tsk = NULL;
  99. if (likely(!aad(&sa)->error)) {
  100. u32 mask = perms->audit;
  101. if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
  102. mask = 0xffff;
  103. /* mask off perms that are not being force audited */
  104. aad(&sa)->request &= mask;
  105. if (likely(!aad(&sa)->request))
  106. return 0;
  107. type = AUDIT_APPARMOR_AUDIT;
  108. } else {
  109. /* only report permissions that were denied */
  110. aad(&sa)->request = aad(&sa)->request & ~perms->allow;
  111. AA_BUG(!aad(&sa)->request);
  112. if (aad(&sa)->request & perms->kill)
  113. type = AUDIT_APPARMOR_KILL;
  114. /* quiet known rejects, assumes quiet and kill do not overlap */
  115. if ((aad(&sa)->request & perms->quiet) &&
  116. AUDIT_MODE(profile) != AUDIT_NOQUIET &&
  117. AUDIT_MODE(profile) != AUDIT_ALL)
  118. aad(&sa)->request &= ~perms->quiet;
  119. if (!aad(&sa)->request)
  120. return aad(&sa)->error;
  121. }
  122. aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
  123. return aa_audit(type, profile, &sa, file_audit_cb);
  124. }
  125. /**
  126. * is_deleted - test if a file has been completely unlinked
  127. * @dentry: dentry of file to test for deletion (NOT NULL)
  128. *
  129. * Returns: true if deleted else false
  130. */
  131. static inline bool is_deleted(struct dentry *dentry)
  132. {
  133. if (d_unlinked(dentry) && d_backing_inode(dentry)->i_nlink == 0)
  134. return true;
  135. return false;
  136. }
  137. static int path_name(const char *op, struct aa_label *label,
  138. const struct path *path, int flags, char *buffer,
  139. const char **name, struct path_cond *cond, u32 request)
  140. {
  141. struct aa_profile *profile;
  142. const char *info = NULL;
  143. int error;
  144. error = aa_path_name(path, flags, buffer, name, &info,
  145. labels_profile(label)->disconnected);
  146. if (error) {
  147. fn_for_each_confined(label, profile,
  148. aa_audit_file(profile, &nullperms, op, request, *name,
  149. NULL, NULL, cond->uid, info, error));
  150. return error;
  151. }
  152. return 0;
  153. }
  154. /**
  155. * map_old_perms - map old file perms layout to the new layout
  156. * @old: permission set in old mapping
  157. *
  158. * Returns: new permission mapping
  159. */
  160. static u32 map_old_perms(u32 old)
  161. {
  162. u32 new = old & 0xf;
  163. if (old & MAY_READ)
  164. new |= AA_MAY_GETATTR | AA_MAY_OPEN;
  165. if (old & MAY_WRITE)
  166. new |= AA_MAY_SETATTR | AA_MAY_CREATE | AA_MAY_DELETE |
  167. AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_OPEN;
  168. if (old & 0x10)
  169. new |= AA_MAY_LINK;
  170. /* the old mapping lock and link_subset flags where overlaid
  171. * and use was determined by part of a pair that they were in
  172. */
  173. if (old & 0x20)
  174. new |= AA_MAY_LOCK | AA_LINK_SUBSET;
  175. if (old & 0x40) /* AA_EXEC_MMAP */
  176. new |= AA_EXEC_MMAP;
  177. return new;
  178. }
  179. /**
  180. * aa_compute_fperms - convert dfa compressed perms to internal perms
  181. * @dfa: dfa to compute perms for (NOT NULL)
  182. * @state: state in dfa
  183. * @cond: conditions to consider (NOT NULL)
  184. *
  185. * TODO: convert from dfa + state to permission entry, do computation conversion
  186. * at load time.
  187. *
  188. * Returns: computed permission set
  189. */
  190. struct aa_perms aa_compute_fperms(struct aa_dfa *dfa, unsigned int state,
  191. struct path_cond *cond)
  192. {
  193. /* FIXME: change over to new dfa format
  194. * currently file perms are encoded in the dfa, new format
  195. * splits the permissions from the dfa. This mapping can be
  196. * done at profile load
  197. */
  198. struct aa_perms perms = { };
  199. if (uid_eq(current_fsuid(), cond->uid)) {
  200. perms.allow = map_old_perms(dfa_user_allow(dfa, state));
  201. perms.audit = map_old_perms(dfa_user_audit(dfa, state));
  202. perms.quiet = map_old_perms(dfa_user_quiet(dfa, state));
  203. perms.xindex = dfa_user_xindex(dfa, state);
  204. } else {
  205. perms.allow = map_old_perms(dfa_other_allow(dfa, state));
  206. perms.audit = map_old_perms(dfa_other_audit(dfa, state));
  207. perms.quiet = map_old_perms(dfa_other_quiet(dfa, state));
  208. perms.xindex = dfa_other_xindex(dfa, state);
  209. }
  210. perms.allow |= AA_MAY_GETATTR;
  211. /* change_profile wasn't determined by ownership in old mapping */
  212. if (ACCEPT_TABLE(dfa)[state] & 0x80000000)
  213. perms.allow |= AA_MAY_CHANGE_PROFILE;
  214. if (ACCEPT_TABLE(dfa)[state] & 0x40000000)
  215. perms.allow |= AA_MAY_ONEXEC;
  216. return perms;
  217. }
  218. /**
  219. * aa_str_perms - find permission that match @name
  220. * @dfa: to match against (MAYBE NULL)
  221. * @state: state to start matching in
  222. * @name: string to match against dfa (NOT NULL)
  223. * @cond: conditions to consider for permission set computation (NOT NULL)
  224. * @perms: Returns - the permissions found when matching @name
  225. *
  226. * Returns: the final state in @dfa when beginning @start and walking @name
  227. */
  228. unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start,
  229. const char *name, struct path_cond *cond,
  230. struct aa_perms *perms)
  231. {
  232. unsigned int state;
  233. state = aa_dfa_match(dfa, start, name);
  234. *perms = aa_compute_fperms(dfa, state, cond);
  235. return state;
  236. }
  237. int __aa_path_perm(const char *op, struct aa_profile *profile, const char *name,
  238. u32 request, struct path_cond *cond, int flags,
  239. struct aa_perms *perms)
  240. {
  241. int e = 0;
  242. if (profile_unconfined(profile))
  243. return 0;
  244. aa_str_perms(profile->file.dfa, profile->file.start, name, cond, perms);
  245. if (request & ~perms->allow)
  246. e = -EACCES;
  247. return aa_audit_file(profile, perms, op, request, name, NULL, NULL,
  248. cond->uid, NULL, e);
  249. }
  250. static int profile_path_perm(const char *op, struct aa_profile *profile,
  251. const struct path *path, char *buffer, u32 request,
  252. struct path_cond *cond, int flags,
  253. struct aa_perms *perms)
  254. {
  255. const char *name;
  256. int error;
  257. if (profile_unconfined(profile))
  258. return 0;
  259. error = path_name(op, &profile->label, path,
  260. flags | profile->path_flags, buffer, &name, cond,
  261. request);
  262. if (error)
  263. return error;
  264. return __aa_path_perm(op, profile, name, request, cond, flags,
  265. perms);
  266. }
  267. /**
  268. * aa_path_perm - do permissions check & audit for @path
  269. * @op: operation being checked
  270. * @label: profile being enforced (NOT NULL)
  271. * @path: path to check permissions of (NOT NULL)
  272. * @flags: any additional path flags beyond what the profile specifies
  273. * @request: requested permissions
  274. * @cond: conditional info for this request (NOT NULL)
  275. *
  276. * Returns: %0 else error if access denied or other error
  277. */
  278. int aa_path_perm(const char *op, struct aa_label *label,
  279. const struct path *path, int flags, u32 request,
  280. struct path_cond *cond)
  281. {
  282. struct aa_perms perms = {};
  283. struct aa_profile *profile;
  284. char *buffer = NULL;
  285. int error;
  286. flags |= PATH_DELEGATE_DELETED | (S_ISDIR(cond->mode) ? PATH_IS_DIR :
  287. 0);
  288. buffer = aa_get_buffer(false);
  289. if (!buffer)
  290. return -ENOMEM;
  291. error = fn_for_each_confined(label, profile,
  292. profile_path_perm(op, profile, path, buffer, request,
  293. cond, flags, &perms));
  294. aa_put_buffer(buffer);
  295. return error;
  296. }
  297. /**
  298. * xindex_is_subset - helper for aa_path_link
  299. * @link: link permission set
  300. * @target: target permission set
  301. *
  302. * test target x permissions are equal OR a subset of link x permissions
  303. * this is done as part of the subset test, where a hardlink must have
  304. * a subset of permissions that the target has.
  305. *
  306. * Returns: true if subset else false
  307. */
  308. static inline bool xindex_is_subset(u32 link, u32 target)
  309. {
  310. if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) ||
  311. ((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE)))
  312. return false;
  313. return true;
  314. }
  315. static int profile_path_link(struct aa_profile *profile,
  316. const struct path *link, char *buffer,
  317. const struct path *target, char *buffer2,
  318. struct path_cond *cond)
  319. {
  320. const char *lname, *tname = NULL;
  321. struct aa_perms lperms = {}, perms;
  322. const char *info = NULL;
  323. u32 request = AA_MAY_LINK;
  324. unsigned int state;
  325. int error;
  326. error = path_name(OP_LINK, &profile->label, link, profile->path_flags,
  327. buffer, &lname, cond, AA_MAY_LINK);
  328. if (error)
  329. goto audit;
  330. /* buffer2 freed below, tname is pointer in buffer2 */
  331. error = path_name(OP_LINK, &profile->label, target, profile->path_flags,
  332. buffer2, &tname, cond, AA_MAY_LINK);
  333. if (error)
  334. goto audit;
  335. error = -EACCES;
  336. /* aa_str_perms - handles the case of the dfa being NULL */
  337. state = aa_str_perms(profile->file.dfa, profile->file.start, lname,
  338. cond, &lperms);
  339. if (!(lperms.allow & AA_MAY_LINK))
  340. goto audit;
  341. /* test to see if target can be paired with link */
  342. state = aa_dfa_null_transition(profile->file.dfa, state);
  343. aa_str_perms(profile->file.dfa, state, tname, cond, &perms);
  344. /* force audit/quiet masks for link are stored in the second entry
  345. * in the link pair.
  346. */
  347. lperms.audit = perms.audit;
  348. lperms.quiet = perms.quiet;
  349. lperms.kill = perms.kill;
  350. if (!(perms.allow & AA_MAY_LINK)) {
  351. info = "target restricted";
  352. lperms = perms;
  353. goto audit;
  354. }
  355. /* done if link subset test is not required */
  356. if (!(perms.allow & AA_LINK_SUBSET))
  357. goto done_tests;
  358. /* Do link perm subset test requiring allowed permission on link are
  359. * a subset of the allowed permissions on target.
  360. */
  361. aa_str_perms(profile->file.dfa, profile->file.start, tname, cond,
  362. &perms);
  363. /* AA_MAY_LINK is not considered in the subset test */
  364. request = lperms.allow & ~AA_MAY_LINK;
  365. lperms.allow &= perms.allow | AA_MAY_LINK;
  366. request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
  367. if (request & ~lperms.allow) {
  368. goto audit;
  369. } else if ((lperms.allow & MAY_EXEC) &&
  370. !xindex_is_subset(lperms.xindex, perms.xindex)) {
  371. lperms.allow &= ~MAY_EXEC;
  372. request |= MAY_EXEC;
  373. info = "link not subset of target";
  374. goto audit;
  375. }
  376. done_tests:
  377. error = 0;
  378. audit:
  379. return aa_audit_file(profile, &lperms, OP_LINK, request, lname, tname,
  380. NULL, cond->uid, info, error);
  381. }
  382. /**
  383. * aa_path_link - Handle hard link permission check
  384. * @label: the label being enforced (NOT NULL)
  385. * @old_dentry: the target dentry (NOT NULL)
  386. * @new_dir: directory the new link will be created in (NOT NULL)
  387. * @new_dentry: the link being created (NOT NULL)
  388. *
  389. * Handle the permission test for a link & target pair. Permission
  390. * is encoded as a pair where the link permission is determined
  391. * first, and if allowed, the target is tested. The target test
  392. * is done from the point of the link match (not start of DFA)
  393. * making the target permission dependent on the link permission match.
  394. *
  395. * The subset test if required forces that permissions granted
  396. * on link are a subset of the permission granted to target.
  397. *
  398. * Returns: %0 if allowed else error
  399. */
  400. int aa_path_link(struct aa_label *label, struct dentry *old_dentry,
  401. const struct path *new_dir, struct dentry *new_dentry)
  402. {
  403. struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry };
  404. struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry };
  405. struct path_cond cond = {
  406. d_backing_inode(old_dentry)->i_uid,
  407. d_backing_inode(old_dentry)->i_mode
  408. };
  409. char *buffer = NULL, *buffer2 = NULL;
  410. struct aa_profile *profile;
  411. int error;
  412. /* buffer freed below, lname is pointer in buffer */
  413. buffer = aa_get_buffer(false);
  414. buffer2 = aa_get_buffer(false);
  415. error = -ENOMEM;
  416. if (!buffer || !buffer2)
  417. goto out;
  418. error = fn_for_each_confined(label, profile,
  419. profile_path_link(profile, &link, buffer, &target,
  420. buffer2, &cond));
  421. out:
  422. aa_put_buffer(buffer);
  423. aa_put_buffer(buffer2);
  424. return error;
  425. }
  426. static void update_file_ctx(struct aa_file_ctx *fctx, struct aa_label *label,
  427. u32 request)
  428. {
  429. struct aa_label *l, *old;
  430. /* update caching of label on file_ctx */
  431. spin_lock(&fctx->lock);
  432. old = rcu_dereference_protected(fctx->label,
  433. lockdep_is_held(&fctx->lock));
  434. l = aa_label_merge(old, label, GFP_ATOMIC);
  435. if (l) {
  436. if (l != old) {
  437. rcu_assign_pointer(fctx->label, l);
  438. aa_put_label(old);
  439. } else
  440. aa_put_label(l);
  441. fctx->allow |= request;
  442. }
  443. spin_unlock(&fctx->lock);
  444. }
  445. static int __file_path_perm(const char *op, struct aa_label *label,
  446. struct aa_label *flabel, struct file *file,
  447. u32 request, u32 denied, bool in_atomic)
  448. {
  449. struct aa_profile *profile;
  450. struct aa_perms perms = {};
  451. struct path_cond cond = {
  452. .uid = i_uid_into_mnt(file_mnt_user_ns(file), file_inode(file)),
  453. .mode = file_inode(file)->i_mode
  454. };
  455. char *buffer;
  456. int flags, error;
  457. /* revalidation due to label out of date. No revocation at this time */
  458. if (!denied && aa_label_is_subset(flabel, label))
  459. /* TODO: check for revocation on stale profiles */
  460. return 0;
  461. flags = PATH_DELEGATE_DELETED | (S_ISDIR(cond.mode) ? PATH_IS_DIR : 0);
  462. buffer = aa_get_buffer(in_atomic);
  463. if (!buffer)
  464. return -ENOMEM;
  465. /* check every profile in task label not in current cache */
  466. error = fn_for_each_not_in_set(flabel, label, profile,
  467. profile_path_perm(op, profile, &file->f_path, buffer,
  468. request, &cond, flags, &perms));
  469. if (denied && !error) {
  470. /*
  471. * check every profile in file label that was not tested
  472. * in the initial check above.
  473. *
  474. * TODO: cache full perms so this only happens because of
  475. * conditionals
  476. * TODO: don't audit here
  477. */
  478. if (label == flabel)
  479. error = fn_for_each(label, profile,
  480. profile_path_perm(op, profile, &file->f_path,
  481. buffer, request, &cond, flags,
  482. &perms));
  483. else
  484. error = fn_for_each_not_in_set(label, flabel, profile,
  485. profile_path_perm(op, profile, &file->f_path,
  486. buffer, request, &cond, flags,
  487. &perms));
  488. }
  489. if (!error)
  490. update_file_ctx(file_ctx(file), label, request);
  491. aa_put_buffer(buffer);
  492. return error;
  493. }
  494. static int __file_sock_perm(const char *op, struct aa_label *label,
  495. struct aa_label *flabel, struct file *file,
  496. u32 request, u32 denied)
  497. {
  498. struct socket *sock = (struct socket *) file->private_data;
  499. int error;
  500. AA_BUG(!sock);
  501. /* revalidation due to label out of date. No revocation at this time */
  502. if (!denied && aa_label_is_subset(flabel, label))
  503. return 0;
  504. /* TODO: improve to skip profiles cached in flabel */
  505. error = aa_sock_file_perm(label, op, request, sock);
  506. if (denied) {
  507. /* TODO: improve to skip profiles checked above */
  508. /* check every profile in file label to is cached */
  509. last_error(error, aa_sock_file_perm(flabel, op, request, sock));
  510. }
  511. if (!error)
  512. update_file_ctx(file_ctx(file), label, request);
  513. return error;
  514. }
  515. /**
  516. * aa_file_perm - do permission revalidation check & audit for @file
  517. * @op: operation being checked
  518. * @label: label being enforced (NOT NULL)
  519. * @file: file to revalidate access permissions on (NOT NULL)
  520. * @request: requested permissions
  521. * @in_atomic: whether allocations need to be done in atomic context
  522. *
  523. * Returns: %0 if access allowed else error
  524. */
  525. int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
  526. u32 request, bool in_atomic)
  527. {
  528. struct aa_file_ctx *fctx;
  529. struct aa_label *flabel;
  530. u32 denied;
  531. int error = 0;
  532. AA_BUG(!label);
  533. AA_BUG(!file);
  534. fctx = file_ctx(file);
  535. rcu_read_lock();
  536. flabel = rcu_dereference(fctx->label);
  537. AA_BUG(!flabel);
  538. /* revalidate access, if task is unconfined, or the cached cred
  539. * doesn't match or if the request is for more permissions than
  540. * was granted.
  541. *
  542. * Note: the test for !unconfined(flabel) is to handle file
  543. * delegation from unconfined tasks
  544. */
  545. denied = request & ~fctx->allow;
  546. if (unconfined(label) || unconfined(flabel) ||
  547. (!denied && aa_label_is_subset(flabel, label))) {
  548. rcu_read_unlock();
  549. goto done;
  550. }
  551. flabel = aa_get_newest_label(flabel);
  552. rcu_read_unlock();
  553. /* TODO: label cross check */
  554. if (file->f_path.mnt && path_mediated_fs(file->f_path.dentry))
  555. error = __file_path_perm(op, label, flabel, file, request,
  556. denied, in_atomic);
  557. else if (S_ISSOCK(file_inode(file)->i_mode))
  558. error = __file_sock_perm(op, label, flabel, file, request,
  559. denied);
  560. aa_put_label(flabel);
  561. done:
  562. return error;
  563. }
  564. static void revalidate_tty(struct aa_label *label)
  565. {
  566. struct tty_struct *tty;
  567. int drop_tty = 0;
  568. tty = get_current_tty();
  569. if (!tty)
  570. return;
  571. spin_lock(&tty->files_lock);
  572. if (!list_empty(&tty->tty_files)) {
  573. struct tty_file_private *file_priv;
  574. struct file *file;
  575. /* TODO: Revalidate access to controlling tty. */
  576. file_priv = list_first_entry(&tty->tty_files,
  577. struct tty_file_private, list);
  578. file = file_priv->file;
  579. if (aa_file_perm(OP_INHERIT, label, file, MAY_READ | MAY_WRITE,
  580. IN_ATOMIC))
  581. drop_tty = 1;
  582. }
  583. spin_unlock(&tty->files_lock);
  584. tty_kref_put(tty);
  585. if (drop_tty)
  586. no_tty();
  587. }
  588. static int match_file(const void *p, struct file *file, unsigned int fd)
  589. {
  590. struct aa_label *label = (struct aa_label *)p;
  591. if (aa_file_perm(OP_INHERIT, label, file, aa_map_file_to_perms(file),
  592. IN_ATOMIC))
  593. return fd + 1;
  594. return 0;
  595. }
  596. /* based on selinux's flush_unauthorized_files */
  597. void aa_inherit_files(const struct cred *cred, struct files_struct *files)
  598. {
  599. struct aa_label *label = aa_get_newest_cred_label(cred);
  600. struct file *devnull = NULL;
  601. unsigned int n;
  602. revalidate_tty(label);
  603. /* Revalidate access to inherited open files. */
  604. n = iterate_fd(files, 0, match_file, label);
  605. if (!n) /* none found? */
  606. goto out;
  607. devnull = dentry_open(&aa_null, O_RDWR, cred);
  608. if (IS_ERR(devnull))
  609. devnull = NULL;
  610. /* replace all the matching ones with this */
  611. do {
  612. replace_fd(n - 1, devnull, 0);
  613. } while ((n = iterate_fd(files, n, match_file, label)) != 0);
  614. if (devnull)
  615. fput(devnull);
  616. out:
  617. aa_put_label(label);
  618. }