lsm.c 50 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor LSM hooks.
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/lsm_hooks.h>
  11. #include <linux/moduleparam.h>
  12. #include <linux/mm.h>
  13. #include <linux/mman.h>
  14. #include <linux/mount.h>
  15. #include <linux/namei.h>
  16. #include <linux/ptrace.h>
  17. #include <linux/ctype.h>
  18. #include <linux/sysctl.h>
  19. #include <linux/audit.h>
  20. #include <linux/user_namespace.h>
  21. #include <linux/netfilter_ipv4.h>
  22. #include <linux/netfilter_ipv6.h>
  23. #include <linux/zlib.h>
  24. #include <net/sock.h>
  25. #include <uapi/linux/mount.h>
  26. #include "include/apparmor.h"
  27. #include "include/apparmorfs.h"
  28. #include "include/audit.h"
  29. #include "include/capability.h"
  30. #include "include/cred.h"
  31. #include "include/file.h"
  32. #include "include/ipc.h"
  33. #include "include/net.h"
  34. #include "include/path.h"
  35. #include "include/label.h"
  36. #include "include/policy.h"
  37. #include "include/policy_ns.h"
  38. #include "include/procattr.h"
  39. #include "include/mount.h"
  40. #include "include/secid.h"
  41. /* Flag indicating whether initialization completed */
  42. int apparmor_initialized;
  43. union aa_buffer {
  44. struct list_head list;
  45. char buffer[1];
  46. };
  47. #define RESERVE_COUNT 2
  48. static int reserve_count = RESERVE_COUNT;
  49. static int buffer_count;
  50. static LIST_HEAD(aa_global_buffers);
  51. static DEFINE_SPINLOCK(aa_buffers_lock);
  52. /*
  53. * LSM hook functions
  54. */
  55. /*
  56. * put the associated labels
  57. */
  58. static void apparmor_cred_free(struct cred *cred)
  59. {
  60. aa_put_label(cred_label(cred));
  61. set_cred_label(cred, NULL);
  62. }
  63. /*
  64. * allocate the apparmor part of blank credentials
  65. */
  66. static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
  67. {
  68. set_cred_label(cred, NULL);
  69. return 0;
  70. }
  71. /*
  72. * prepare new cred label for modification by prepare_cred block
  73. */
  74. static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
  75. gfp_t gfp)
  76. {
  77. set_cred_label(new, aa_get_newest_label(cred_label(old)));
  78. return 0;
  79. }
  80. /*
  81. * transfer the apparmor data to a blank set of creds
  82. */
  83. static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
  84. {
  85. set_cred_label(new, aa_get_newest_label(cred_label(old)));
  86. }
  87. static void apparmor_task_free(struct task_struct *task)
  88. {
  89. aa_free_task_ctx(task_ctx(task));
  90. }
  91. static int apparmor_task_alloc(struct task_struct *task,
  92. unsigned long clone_flags)
  93. {
  94. struct aa_task_ctx *new = task_ctx(task);
  95. aa_dup_task_ctx(new, task_ctx(current));
  96. return 0;
  97. }
  98. static int apparmor_ptrace_access_check(struct task_struct *child,
  99. unsigned int mode)
  100. {
  101. struct aa_label *tracer, *tracee;
  102. int error;
  103. tracer = __begin_current_label_crit_section();
  104. tracee = aa_get_task_label(child);
  105. error = aa_may_ptrace(tracer, tracee,
  106. (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
  107. : AA_PTRACE_TRACE);
  108. aa_put_label(tracee);
  109. __end_current_label_crit_section(tracer);
  110. return error;
  111. }
  112. static int apparmor_ptrace_traceme(struct task_struct *parent)
  113. {
  114. struct aa_label *tracer, *tracee;
  115. int error;
  116. tracee = __begin_current_label_crit_section();
  117. tracer = aa_get_task_label(parent);
  118. error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
  119. aa_put_label(tracer);
  120. __end_current_label_crit_section(tracee);
  121. return error;
  122. }
  123. /* Derived from security/commoncap.c:cap_capget */
  124. static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
  125. kernel_cap_t *inheritable, kernel_cap_t *permitted)
  126. {
  127. struct aa_label *label;
  128. const struct cred *cred;
  129. rcu_read_lock();
  130. cred = __task_cred(target);
  131. label = aa_get_newest_cred_label(cred);
  132. /*
  133. * cap_capget is stacked ahead of this and will
  134. * initialize effective and permitted.
  135. */
  136. if (!unconfined(label)) {
  137. struct aa_profile *profile;
  138. struct label_it i;
  139. label_for_each_confined(i, label, profile) {
  140. if (COMPLAIN_MODE(profile))
  141. continue;
  142. *effective = cap_intersect(*effective,
  143. profile->caps.allow);
  144. *permitted = cap_intersect(*permitted,
  145. profile->caps.allow);
  146. }
  147. }
  148. rcu_read_unlock();
  149. aa_put_label(label);
  150. return 0;
  151. }
  152. static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
  153. int cap, unsigned int opts)
  154. {
  155. struct aa_label *label;
  156. int error = 0;
  157. label = aa_get_newest_cred_label(cred);
  158. if (!unconfined(label))
  159. error = aa_capable(label, cap, opts);
  160. aa_put_label(label);
  161. return error;
  162. }
  163. /**
  164. * common_perm - basic common permission check wrapper fn for paths
  165. * @op: operation being checked
  166. * @path: path to check permission of (NOT NULL)
  167. * @mask: requested permissions mask
  168. * @cond: conditional info for the permission request (NOT NULL)
  169. *
  170. * Returns: %0 else error code if error or permission denied
  171. */
  172. static int common_perm(const char *op, const struct path *path, u32 mask,
  173. struct path_cond *cond)
  174. {
  175. struct aa_label *label;
  176. int error = 0;
  177. label = __begin_current_label_crit_section();
  178. if (!unconfined(label))
  179. error = aa_path_perm(op, label, path, 0, mask, cond);
  180. __end_current_label_crit_section(label);
  181. return error;
  182. }
  183. /**
  184. * common_perm_cond - common permission wrapper around inode cond
  185. * @op: operation being checked
  186. * @path: location to check (NOT NULL)
  187. * @mask: requested permissions mask
  188. *
  189. * Returns: %0 else error code if error or permission denied
  190. */
  191. static int common_perm_cond(const char *op, const struct path *path, u32 mask)
  192. {
  193. struct user_namespace *mnt_userns = mnt_user_ns(path->mnt);
  194. struct path_cond cond = {
  195. i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)),
  196. d_backing_inode(path->dentry)->i_mode
  197. };
  198. if (!path_mediated_fs(path->dentry))
  199. return 0;
  200. return common_perm(op, path, mask, &cond);
  201. }
  202. /**
  203. * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
  204. * @op: operation being checked
  205. * @dir: directory of the dentry (NOT NULL)
  206. * @dentry: dentry to check (NOT NULL)
  207. * @mask: requested permissions mask
  208. * @cond: conditional info for the permission request (NOT NULL)
  209. *
  210. * Returns: %0 else error code if error or permission denied
  211. */
  212. static int common_perm_dir_dentry(const char *op, const struct path *dir,
  213. struct dentry *dentry, u32 mask,
  214. struct path_cond *cond)
  215. {
  216. struct path path = { .mnt = dir->mnt, .dentry = dentry };
  217. return common_perm(op, &path, mask, cond);
  218. }
  219. /**
  220. * common_perm_rm - common permission wrapper for operations doing rm
  221. * @op: operation being checked
  222. * @dir: directory that the dentry is in (NOT NULL)
  223. * @dentry: dentry being rm'd (NOT NULL)
  224. * @mask: requested permission mask
  225. *
  226. * Returns: %0 else error code if error or permission denied
  227. */
  228. static int common_perm_rm(const char *op, const struct path *dir,
  229. struct dentry *dentry, u32 mask)
  230. {
  231. struct inode *inode = d_backing_inode(dentry);
  232. struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt);
  233. struct path_cond cond = { };
  234. if (!inode || !path_mediated_fs(dentry))
  235. return 0;
  236. cond.uid = i_uid_into_mnt(mnt_userns, inode);
  237. cond.mode = inode->i_mode;
  238. return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
  239. }
  240. /**
  241. * common_perm_create - common permission wrapper for operations doing create
  242. * @op: operation being checked
  243. * @dir: directory that dentry will be created in (NOT NULL)
  244. * @dentry: dentry to create (NOT NULL)
  245. * @mask: request permission mask
  246. * @mode: created file mode
  247. *
  248. * Returns: %0 else error code if error or permission denied
  249. */
  250. static int common_perm_create(const char *op, const struct path *dir,
  251. struct dentry *dentry, u32 mask, umode_t mode)
  252. {
  253. struct path_cond cond = { current_fsuid(), mode };
  254. if (!path_mediated_fs(dir->dentry))
  255. return 0;
  256. return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
  257. }
  258. static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
  259. {
  260. return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
  261. }
  262. static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
  263. umode_t mode)
  264. {
  265. return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
  266. S_IFDIR);
  267. }
  268. static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
  269. {
  270. return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
  271. }
  272. static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
  273. umode_t mode, unsigned int dev)
  274. {
  275. return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
  276. }
  277. static int apparmor_path_truncate(const struct path *path)
  278. {
  279. return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
  280. }
  281. static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
  282. const char *old_name)
  283. {
  284. return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
  285. S_IFLNK);
  286. }
  287. static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
  288. struct dentry *new_dentry)
  289. {
  290. struct aa_label *label;
  291. int error = 0;
  292. if (!path_mediated_fs(old_dentry))
  293. return 0;
  294. label = begin_current_label_crit_section();
  295. if (!unconfined(label))
  296. error = aa_path_link(label, old_dentry, new_dir, new_dentry);
  297. end_current_label_crit_section(label);
  298. return error;
  299. }
  300. static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
  301. const struct path *new_dir, struct dentry *new_dentry,
  302. const unsigned int flags)
  303. {
  304. struct aa_label *label;
  305. int error = 0;
  306. if (!path_mediated_fs(old_dentry))
  307. return 0;
  308. if ((flags & RENAME_EXCHANGE) && !path_mediated_fs(new_dentry))
  309. return 0;
  310. label = begin_current_label_crit_section();
  311. if (!unconfined(label)) {
  312. struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt);
  313. struct path old_path = { .mnt = old_dir->mnt,
  314. .dentry = old_dentry };
  315. struct path new_path = { .mnt = new_dir->mnt,
  316. .dentry = new_dentry };
  317. struct path_cond cond = {
  318. i_uid_into_mnt(mnt_userns, d_backing_inode(old_dentry)),
  319. d_backing_inode(old_dentry)->i_mode
  320. };
  321. if (flags & RENAME_EXCHANGE) {
  322. struct path_cond cond_exchange = {
  323. i_uid_into_mnt(mnt_userns, d_backing_inode(new_dentry)),
  324. d_backing_inode(new_dentry)->i_mode
  325. };
  326. error = aa_path_perm(OP_RENAME_SRC, label, &new_path, 0,
  327. MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
  328. AA_MAY_SETATTR | AA_MAY_DELETE,
  329. &cond_exchange);
  330. if (!error)
  331. error = aa_path_perm(OP_RENAME_DEST, label, &old_path,
  332. 0, MAY_WRITE | AA_MAY_SETATTR |
  333. AA_MAY_CREATE, &cond_exchange);
  334. }
  335. if (!error)
  336. error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
  337. MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
  338. AA_MAY_SETATTR | AA_MAY_DELETE,
  339. &cond);
  340. if (!error)
  341. error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
  342. 0, MAY_WRITE | AA_MAY_SETATTR |
  343. AA_MAY_CREATE, &cond);
  344. }
  345. end_current_label_crit_section(label);
  346. return error;
  347. }
  348. static int apparmor_path_chmod(const struct path *path, umode_t mode)
  349. {
  350. return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
  351. }
  352. static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
  353. {
  354. return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
  355. }
  356. static int apparmor_inode_getattr(const struct path *path)
  357. {
  358. return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
  359. }
  360. static int apparmor_file_open(struct file *file)
  361. {
  362. struct aa_file_ctx *fctx = file_ctx(file);
  363. struct aa_label *label;
  364. int error = 0;
  365. if (!path_mediated_fs(file->f_path.dentry))
  366. return 0;
  367. /* If in exec, permission is handled by bprm hooks.
  368. * Cache permissions granted by the previous exec check, with
  369. * implicit read and executable mmap which are required to
  370. * actually execute the image.
  371. */
  372. if (current->in_execve) {
  373. fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
  374. return 0;
  375. }
  376. label = aa_get_newest_cred_label(file->f_cred);
  377. if (!unconfined(label)) {
  378. struct user_namespace *mnt_userns = file_mnt_user_ns(file);
  379. struct inode *inode = file_inode(file);
  380. struct path_cond cond = {
  381. i_uid_into_mnt(mnt_userns, inode),
  382. inode->i_mode
  383. };
  384. error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
  385. aa_map_file_to_perms(file), &cond);
  386. /* todo cache full allowed permissions set and state */
  387. fctx->allow = aa_map_file_to_perms(file);
  388. }
  389. aa_put_label(label);
  390. return error;
  391. }
  392. static int apparmor_file_alloc_security(struct file *file)
  393. {
  394. struct aa_file_ctx *ctx = file_ctx(file);
  395. struct aa_label *label = begin_current_label_crit_section();
  396. spin_lock_init(&ctx->lock);
  397. rcu_assign_pointer(ctx->label, aa_get_label(label));
  398. end_current_label_crit_section(label);
  399. return 0;
  400. }
  401. static void apparmor_file_free_security(struct file *file)
  402. {
  403. struct aa_file_ctx *ctx = file_ctx(file);
  404. if (ctx)
  405. aa_put_label(rcu_access_pointer(ctx->label));
  406. }
  407. static int common_file_perm(const char *op, struct file *file, u32 mask,
  408. bool in_atomic)
  409. {
  410. struct aa_label *label;
  411. int error = 0;
  412. /* don't reaudit files closed during inheritance */
  413. if (file->f_path.dentry == aa_null.dentry)
  414. return -EACCES;
  415. label = __begin_current_label_crit_section();
  416. error = aa_file_perm(op, label, file, mask, in_atomic);
  417. __end_current_label_crit_section(label);
  418. return error;
  419. }
  420. static int apparmor_file_receive(struct file *file)
  421. {
  422. return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file),
  423. false);
  424. }
  425. static int apparmor_file_permission(struct file *file, int mask)
  426. {
  427. return common_file_perm(OP_FPERM, file, mask, false);
  428. }
  429. static int apparmor_file_lock(struct file *file, unsigned int cmd)
  430. {
  431. u32 mask = AA_MAY_LOCK;
  432. if (cmd == F_WRLCK)
  433. mask |= MAY_WRITE;
  434. return common_file_perm(OP_FLOCK, file, mask, false);
  435. }
  436. static int common_mmap(const char *op, struct file *file, unsigned long prot,
  437. unsigned long flags, bool in_atomic)
  438. {
  439. int mask = 0;
  440. if (!file || !file_ctx(file))
  441. return 0;
  442. if (prot & PROT_READ)
  443. mask |= MAY_READ;
  444. /*
  445. * Private mappings don't require write perms since they don't
  446. * write back to the files
  447. */
  448. if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
  449. mask |= MAY_WRITE;
  450. if (prot & PROT_EXEC)
  451. mask |= AA_EXEC_MMAP;
  452. return common_file_perm(op, file, mask, in_atomic);
  453. }
  454. static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
  455. unsigned long prot, unsigned long flags)
  456. {
  457. return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC);
  458. }
  459. static int apparmor_file_mprotect(struct vm_area_struct *vma,
  460. unsigned long reqprot, unsigned long prot)
  461. {
  462. return common_mmap(OP_FMPROT, vma->vm_file, prot,
  463. !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0,
  464. false);
  465. }
  466. static int apparmor_sb_mount(const char *dev_name, const struct path *path,
  467. const char *type, unsigned long flags, void *data)
  468. {
  469. struct aa_label *label;
  470. int error = 0;
  471. /* Discard magic */
  472. if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
  473. flags &= ~MS_MGC_MSK;
  474. flags &= ~AA_MS_IGNORE_MASK;
  475. label = __begin_current_label_crit_section();
  476. if (!unconfined(label)) {
  477. if (flags & MS_REMOUNT)
  478. error = aa_remount(label, path, flags, data);
  479. else if (flags & MS_BIND)
  480. error = aa_bind_mount(label, path, dev_name, flags);
  481. else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
  482. MS_UNBINDABLE))
  483. error = aa_mount_change_type(label, path, flags);
  484. else if (flags & MS_MOVE)
  485. error = aa_move_mount(label, path, dev_name);
  486. else
  487. error = aa_new_mount(label, dev_name, path, type,
  488. flags, data);
  489. }
  490. __end_current_label_crit_section(label);
  491. return error;
  492. }
  493. static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
  494. {
  495. struct aa_label *label;
  496. int error = 0;
  497. label = __begin_current_label_crit_section();
  498. if (!unconfined(label))
  499. error = aa_umount(label, mnt, flags);
  500. __end_current_label_crit_section(label);
  501. return error;
  502. }
  503. static int apparmor_sb_pivotroot(const struct path *old_path,
  504. const struct path *new_path)
  505. {
  506. struct aa_label *label;
  507. int error = 0;
  508. label = aa_get_current_label();
  509. if (!unconfined(label))
  510. error = aa_pivotroot(label, old_path, new_path);
  511. aa_put_label(label);
  512. return error;
  513. }
  514. static int apparmor_getprocattr(struct task_struct *task, const char *name,
  515. char **value)
  516. {
  517. int error = -ENOENT;
  518. /* released below */
  519. const struct cred *cred = get_task_cred(task);
  520. struct aa_task_ctx *ctx = task_ctx(current);
  521. struct aa_label *label = NULL;
  522. if (strcmp(name, "current") == 0)
  523. label = aa_get_newest_label(cred_label(cred));
  524. else if (strcmp(name, "prev") == 0 && ctx->previous)
  525. label = aa_get_newest_label(ctx->previous);
  526. else if (strcmp(name, "exec") == 0 && ctx->onexec)
  527. label = aa_get_newest_label(ctx->onexec);
  528. else
  529. error = -EINVAL;
  530. if (label)
  531. error = aa_getprocattr(label, value);
  532. aa_put_label(label);
  533. put_cred(cred);
  534. return error;
  535. }
  536. static int apparmor_setprocattr(const char *name, void *value,
  537. size_t size)
  538. {
  539. char *command, *largs = NULL, *args = value;
  540. size_t arg_size;
  541. int error;
  542. DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
  543. if (size == 0)
  544. return -EINVAL;
  545. /* AppArmor requires that the buffer must be null terminated atm */
  546. if (args[size - 1] != '\0') {
  547. /* null terminate */
  548. largs = args = kmalloc(size + 1, GFP_KERNEL);
  549. if (!args)
  550. return -ENOMEM;
  551. memcpy(args, value, size);
  552. args[size] = '\0';
  553. }
  554. error = -EINVAL;
  555. args = strim(args);
  556. command = strsep(&args, " ");
  557. if (!args)
  558. goto out;
  559. args = skip_spaces(args);
  560. if (!*args)
  561. goto out;
  562. arg_size = size - (args - (largs ? largs : (char *) value));
  563. if (strcmp(name, "current") == 0) {
  564. if (strcmp(command, "changehat") == 0) {
  565. error = aa_setprocattr_changehat(args, arg_size,
  566. AA_CHANGE_NOFLAGS);
  567. } else if (strcmp(command, "permhat") == 0) {
  568. error = aa_setprocattr_changehat(args, arg_size,
  569. AA_CHANGE_TEST);
  570. } else if (strcmp(command, "changeprofile") == 0) {
  571. error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
  572. } else if (strcmp(command, "permprofile") == 0) {
  573. error = aa_change_profile(args, AA_CHANGE_TEST);
  574. } else if (strcmp(command, "stack") == 0) {
  575. error = aa_change_profile(args, AA_CHANGE_STACK);
  576. } else
  577. goto fail;
  578. } else if (strcmp(name, "exec") == 0) {
  579. if (strcmp(command, "exec") == 0)
  580. error = aa_change_profile(args, AA_CHANGE_ONEXEC);
  581. else if (strcmp(command, "stack") == 0)
  582. error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
  583. AA_CHANGE_STACK));
  584. else
  585. goto fail;
  586. } else
  587. /* only support the "current" and "exec" process attributes */
  588. goto fail;
  589. if (!error)
  590. error = size;
  591. out:
  592. kfree(largs);
  593. return error;
  594. fail:
  595. aad(&sa)->label = begin_current_label_crit_section();
  596. aad(&sa)->info = name;
  597. aad(&sa)->error = error = -EINVAL;
  598. aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
  599. end_current_label_crit_section(aad(&sa)->label);
  600. goto out;
  601. }
  602. /**
  603. * apparmor_bprm_committing_creds - do task cleanup on committing new creds
  604. * @bprm: binprm for the exec (NOT NULL)
  605. */
  606. static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
  607. {
  608. struct aa_label *label = aa_current_raw_label();
  609. struct aa_label *new_label = cred_label(bprm->cred);
  610. /* bail out if unconfined or not changing profile */
  611. if ((new_label->proxy == label->proxy) ||
  612. (unconfined(new_label)))
  613. return;
  614. aa_inherit_files(bprm->cred, current->files);
  615. current->pdeath_signal = 0;
  616. /* reset soft limits and set hard limits for the new label */
  617. __aa_transition_rlimits(label, new_label);
  618. }
  619. /**
  620. * apparmor_bprm_committed_cred - do cleanup after new creds committed
  621. * @bprm: binprm for the exec (NOT NULL)
  622. */
  623. static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
  624. {
  625. /* clear out temporary/transitional state from the context */
  626. aa_clear_task_ctx_trans(task_ctx(current));
  627. return;
  628. }
  629. static void apparmor_current_getsecid_subj(u32 *secid)
  630. {
  631. struct aa_label *label = aa_get_current_label();
  632. *secid = label->secid;
  633. aa_put_label(label);
  634. }
  635. static void apparmor_task_getsecid_obj(struct task_struct *p, u32 *secid)
  636. {
  637. struct aa_label *label = aa_get_task_label(p);
  638. *secid = label->secid;
  639. aa_put_label(label);
  640. }
  641. static int apparmor_task_setrlimit(struct task_struct *task,
  642. unsigned int resource, struct rlimit *new_rlim)
  643. {
  644. struct aa_label *label = __begin_current_label_crit_section();
  645. int error = 0;
  646. if (!unconfined(label))
  647. error = aa_task_setrlimit(label, task, resource, new_rlim);
  648. __end_current_label_crit_section(label);
  649. return error;
  650. }
  651. static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
  652. int sig, const struct cred *cred)
  653. {
  654. struct aa_label *cl, *tl;
  655. int error;
  656. if (cred) {
  657. /*
  658. * Dealing with USB IO specific behavior
  659. */
  660. cl = aa_get_newest_cred_label(cred);
  661. tl = aa_get_task_label(target);
  662. error = aa_may_signal(cl, tl, sig);
  663. aa_put_label(cl);
  664. aa_put_label(tl);
  665. return error;
  666. }
  667. cl = __begin_current_label_crit_section();
  668. tl = aa_get_task_label(target);
  669. error = aa_may_signal(cl, tl, sig);
  670. aa_put_label(tl);
  671. __end_current_label_crit_section(cl);
  672. return error;
  673. }
  674. /**
  675. * apparmor_sk_alloc_security - allocate and attach the sk_security field
  676. */
  677. static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
  678. {
  679. struct aa_sk_ctx *ctx;
  680. ctx = kzalloc(sizeof(*ctx), flags);
  681. if (!ctx)
  682. return -ENOMEM;
  683. SK_CTX(sk) = ctx;
  684. return 0;
  685. }
  686. /**
  687. * apparmor_sk_free_security - free the sk_security field
  688. */
  689. static void apparmor_sk_free_security(struct sock *sk)
  690. {
  691. struct aa_sk_ctx *ctx = SK_CTX(sk);
  692. SK_CTX(sk) = NULL;
  693. aa_put_label(ctx->label);
  694. aa_put_label(ctx->peer);
  695. kfree(ctx);
  696. }
  697. /**
  698. * apparmor_sk_clone_security - clone the sk_security field
  699. */
  700. static void apparmor_sk_clone_security(const struct sock *sk,
  701. struct sock *newsk)
  702. {
  703. struct aa_sk_ctx *ctx = SK_CTX(sk);
  704. struct aa_sk_ctx *new = SK_CTX(newsk);
  705. if (new->label)
  706. aa_put_label(new->label);
  707. new->label = aa_get_label(ctx->label);
  708. if (new->peer)
  709. aa_put_label(new->peer);
  710. new->peer = aa_get_label(ctx->peer);
  711. }
  712. /**
  713. * apparmor_socket_create - check perms before creating a new socket
  714. */
  715. static int apparmor_socket_create(int family, int type, int protocol, int kern)
  716. {
  717. struct aa_label *label;
  718. int error = 0;
  719. AA_BUG(in_interrupt());
  720. label = begin_current_label_crit_section();
  721. if (!(kern || unconfined(label)))
  722. error = af_select(family,
  723. create_perm(label, family, type, protocol),
  724. aa_af_perm(label, OP_CREATE, AA_MAY_CREATE,
  725. family, type, protocol));
  726. end_current_label_crit_section(label);
  727. return error;
  728. }
  729. /**
  730. * apparmor_socket_post_create - setup the per-socket security struct
  731. *
  732. * Note:
  733. * - kernel sockets currently labeled unconfined but we may want to
  734. * move to a special kernel label
  735. * - socket may not have sk here if created with sock_create_lite or
  736. * sock_alloc. These should be accept cases which will be handled in
  737. * sock_graft.
  738. */
  739. static int apparmor_socket_post_create(struct socket *sock, int family,
  740. int type, int protocol, int kern)
  741. {
  742. struct aa_label *label;
  743. if (kern) {
  744. label = aa_get_label(kernel_t);
  745. } else
  746. label = aa_get_current_label();
  747. if (sock->sk) {
  748. struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
  749. aa_put_label(ctx->label);
  750. ctx->label = aa_get_label(label);
  751. }
  752. aa_put_label(label);
  753. return 0;
  754. }
  755. /**
  756. * apparmor_socket_bind - check perms before bind addr to socket
  757. */
  758. static int apparmor_socket_bind(struct socket *sock,
  759. struct sockaddr *address, int addrlen)
  760. {
  761. AA_BUG(!sock);
  762. AA_BUG(!sock->sk);
  763. AA_BUG(!address);
  764. AA_BUG(in_interrupt());
  765. return af_select(sock->sk->sk_family,
  766. bind_perm(sock, address, addrlen),
  767. aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
  768. }
  769. /**
  770. * apparmor_socket_connect - check perms before connecting @sock to @address
  771. */
  772. static int apparmor_socket_connect(struct socket *sock,
  773. struct sockaddr *address, int addrlen)
  774. {
  775. AA_BUG(!sock);
  776. AA_BUG(!sock->sk);
  777. AA_BUG(!address);
  778. AA_BUG(in_interrupt());
  779. return af_select(sock->sk->sk_family,
  780. connect_perm(sock, address, addrlen),
  781. aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
  782. }
  783. /**
  784. * apparmor_socket_listen - check perms before allowing listen
  785. */
  786. static int apparmor_socket_listen(struct socket *sock, int backlog)
  787. {
  788. AA_BUG(!sock);
  789. AA_BUG(!sock->sk);
  790. AA_BUG(in_interrupt());
  791. return af_select(sock->sk->sk_family,
  792. listen_perm(sock, backlog),
  793. aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
  794. }
  795. /**
  796. * apparmor_socket_accept - check perms before accepting a new connection.
  797. *
  798. * Note: while @newsock is created and has some information, the accept
  799. * has not been done.
  800. */
  801. static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
  802. {
  803. AA_BUG(!sock);
  804. AA_BUG(!sock->sk);
  805. AA_BUG(!newsock);
  806. AA_BUG(in_interrupt());
  807. return af_select(sock->sk->sk_family,
  808. accept_perm(sock, newsock),
  809. aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
  810. }
  811. static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
  812. struct msghdr *msg, int size)
  813. {
  814. AA_BUG(!sock);
  815. AA_BUG(!sock->sk);
  816. AA_BUG(!msg);
  817. AA_BUG(in_interrupt());
  818. return af_select(sock->sk->sk_family,
  819. msg_perm(op, request, sock, msg, size),
  820. aa_sk_perm(op, request, sock->sk));
  821. }
  822. /**
  823. * apparmor_socket_sendmsg - check perms before sending msg to another socket
  824. */
  825. static int apparmor_socket_sendmsg(struct socket *sock,
  826. struct msghdr *msg, int size)
  827. {
  828. return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
  829. }
  830. /**
  831. * apparmor_socket_recvmsg - check perms before receiving a message
  832. */
  833. static int apparmor_socket_recvmsg(struct socket *sock,
  834. struct msghdr *msg, int size, int flags)
  835. {
  836. return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
  837. }
  838. /* revaliation, get/set attr, shutdown */
  839. static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
  840. {
  841. AA_BUG(!sock);
  842. AA_BUG(!sock->sk);
  843. AA_BUG(in_interrupt());
  844. return af_select(sock->sk->sk_family,
  845. sock_perm(op, request, sock),
  846. aa_sk_perm(op, request, sock->sk));
  847. }
  848. /**
  849. * apparmor_socket_getsockname - check perms before getting the local address
  850. */
  851. static int apparmor_socket_getsockname(struct socket *sock)
  852. {
  853. return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
  854. }
  855. /**
  856. * apparmor_socket_getpeername - check perms before getting remote address
  857. */
  858. static int apparmor_socket_getpeername(struct socket *sock)
  859. {
  860. return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
  861. }
  862. /* revaliation, get/set attr, opt */
  863. static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
  864. int level, int optname)
  865. {
  866. AA_BUG(!sock);
  867. AA_BUG(!sock->sk);
  868. AA_BUG(in_interrupt());
  869. return af_select(sock->sk->sk_family,
  870. opt_perm(op, request, sock, level, optname),
  871. aa_sk_perm(op, request, sock->sk));
  872. }
  873. /**
  874. * apparmor_socket_getsockopt - check perms before getting socket options
  875. */
  876. static int apparmor_socket_getsockopt(struct socket *sock, int level,
  877. int optname)
  878. {
  879. return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
  880. level, optname);
  881. }
  882. /**
  883. * apparmor_socket_setsockopt - check perms before setting socket options
  884. */
  885. static int apparmor_socket_setsockopt(struct socket *sock, int level,
  886. int optname)
  887. {
  888. return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
  889. level, optname);
  890. }
  891. /**
  892. * apparmor_socket_shutdown - check perms before shutting down @sock conn
  893. */
  894. static int apparmor_socket_shutdown(struct socket *sock, int how)
  895. {
  896. return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
  897. }
  898. #ifdef CONFIG_NETWORK_SECMARK
  899. /**
  900. * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk
  901. *
  902. * Note: can not sleep may be called with locks held
  903. *
  904. * dont want protocol specific in __skb_recv_datagram()
  905. * to deny an incoming connection socket_sock_rcv_skb()
  906. */
  907. static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
  908. {
  909. struct aa_sk_ctx *ctx = SK_CTX(sk);
  910. if (!skb->secmark)
  911. return 0;
  912. return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
  913. skb->secmark, sk);
  914. }
  915. #endif
  916. static struct aa_label *sk_peer_label(struct sock *sk)
  917. {
  918. struct aa_sk_ctx *ctx = SK_CTX(sk);
  919. if (ctx->peer)
  920. return ctx->peer;
  921. return ERR_PTR(-ENOPROTOOPT);
  922. }
  923. /**
  924. * apparmor_socket_getpeersec_stream - get security context of peer
  925. *
  926. * Note: for tcp only valid if using ipsec or cipso on lan
  927. */
  928. static int apparmor_socket_getpeersec_stream(struct socket *sock,
  929. char __user *optval,
  930. int __user *optlen,
  931. unsigned int len)
  932. {
  933. char *name;
  934. int slen, error = 0;
  935. struct aa_label *label;
  936. struct aa_label *peer;
  937. label = begin_current_label_crit_section();
  938. peer = sk_peer_label(sock->sk);
  939. if (IS_ERR(peer)) {
  940. error = PTR_ERR(peer);
  941. goto done;
  942. }
  943. slen = aa_label_asxprint(&name, labels_ns(label), peer,
  944. FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
  945. FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
  946. /* don't include terminating \0 in slen, it breaks some apps */
  947. if (slen < 0) {
  948. error = -ENOMEM;
  949. } else {
  950. if (slen > len) {
  951. error = -ERANGE;
  952. } else if (copy_to_user(optval, name, slen)) {
  953. error = -EFAULT;
  954. goto out;
  955. }
  956. if (put_user(slen, optlen))
  957. error = -EFAULT;
  958. out:
  959. kfree(name);
  960. }
  961. done:
  962. end_current_label_crit_section(label);
  963. return error;
  964. }
  965. /**
  966. * apparmor_socket_getpeersec_dgram - get security label of packet
  967. * @sock: the peer socket
  968. * @skb: packet data
  969. * @secid: pointer to where to put the secid of the packet
  970. *
  971. * Sets the netlabel socket state on sk from parent
  972. */
  973. static int apparmor_socket_getpeersec_dgram(struct socket *sock,
  974. struct sk_buff *skb, u32 *secid)
  975. {
  976. /* TODO: requires secid support */
  977. return -ENOPROTOOPT;
  978. }
  979. /**
  980. * apparmor_sock_graft - Initialize newly created socket
  981. * @sk: child sock
  982. * @parent: parent socket
  983. *
  984. * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
  985. * just set sk security information off of current creating process label
  986. * Labeling of sk for accept case - probably should be sock based
  987. * instead of task, because of the case where an implicitly labeled
  988. * socket is shared by different tasks.
  989. */
  990. static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
  991. {
  992. struct aa_sk_ctx *ctx = SK_CTX(sk);
  993. if (!ctx->label)
  994. ctx->label = aa_get_current_label();
  995. }
  996. #ifdef CONFIG_NETWORK_SECMARK
  997. static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
  998. struct request_sock *req)
  999. {
  1000. struct aa_sk_ctx *ctx = SK_CTX(sk);
  1001. if (!skb->secmark)
  1002. return 0;
  1003. return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
  1004. skb->secmark, sk);
  1005. }
  1006. #endif
  1007. /*
  1008. * The cred blob is a pointer to, not an instance of, an aa_label.
  1009. */
  1010. struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
  1011. .lbs_cred = sizeof(struct aa_label *),
  1012. .lbs_file = sizeof(struct aa_file_ctx),
  1013. .lbs_task = sizeof(struct aa_task_ctx),
  1014. };
  1015. static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
  1016. LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
  1017. LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
  1018. LSM_HOOK_INIT(capget, apparmor_capget),
  1019. LSM_HOOK_INIT(capable, apparmor_capable),
  1020. LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
  1021. LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
  1022. LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
  1023. LSM_HOOK_INIT(path_link, apparmor_path_link),
  1024. LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
  1025. LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
  1026. LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
  1027. LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
  1028. LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
  1029. LSM_HOOK_INIT(path_rename, apparmor_path_rename),
  1030. LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
  1031. LSM_HOOK_INIT(path_chown, apparmor_path_chown),
  1032. LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
  1033. LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
  1034. LSM_HOOK_INIT(file_open, apparmor_file_open),
  1035. LSM_HOOK_INIT(file_receive, apparmor_file_receive),
  1036. LSM_HOOK_INIT(file_permission, apparmor_file_permission),
  1037. LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
  1038. LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
  1039. LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
  1040. LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
  1041. LSM_HOOK_INIT(file_lock, apparmor_file_lock),
  1042. LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
  1043. LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
  1044. LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
  1045. LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
  1046. LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
  1047. LSM_HOOK_INIT(socket_create, apparmor_socket_create),
  1048. LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
  1049. LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
  1050. LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
  1051. LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
  1052. LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
  1053. LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
  1054. LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
  1055. LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
  1056. LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
  1057. LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
  1058. LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
  1059. LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
  1060. #ifdef CONFIG_NETWORK_SECMARK
  1061. LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
  1062. #endif
  1063. LSM_HOOK_INIT(socket_getpeersec_stream,
  1064. apparmor_socket_getpeersec_stream),
  1065. LSM_HOOK_INIT(socket_getpeersec_dgram,
  1066. apparmor_socket_getpeersec_dgram),
  1067. LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
  1068. #ifdef CONFIG_NETWORK_SECMARK
  1069. LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
  1070. #endif
  1071. LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
  1072. LSM_HOOK_INIT(cred_free, apparmor_cred_free),
  1073. LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
  1074. LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
  1075. LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec),
  1076. LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
  1077. LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
  1078. LSM_HOOK_INIT(task_free, apparmor_task_free),
  1079. LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
  1080. LSM_HOOK_INIT(current_getsecid_subj, apparmor_current_getsecid_subj),
  1081. LSM_HOOK_INIT(task_getsecid_obj, apparmor_task_getsecid_obj),
  1082. LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
  1083. LSM_HOOK_INIT(task_kill, apparmor_task_kill),
  1084. #ifdef CONFIG_AUDIT
  1085. LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
  1086. LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
  1087. LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
  1088. LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
  1089. #endif
  1090. LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
  1091. LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
  1092. LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
  1093. };
  1094. /*
  1095. * AppArmor sysfs module parameters
  1096. */
  1097. static int param_set_aabool(const char *val, const struct kernel_param *kp);
  1098. static int param_get_aabool(char *buffer, const struct kernel_param *kp);
  1099. #define param_check_aabool param_check_bool
  1100. static const struct kernel_param_ops param_ops_aabool = {
  1101. .flags = KERNEL_PARAM_OPS_FL_NOARG,
  1102. .set = param_set_aabool,
  1103. .get = param_get_aabool
  1104. };
  1105. static int param_set_aauint(const char *val, const struct kernel_param *kp);
  1106. static int param_get_aauint(char *buffer, const struct kernel_param *kp);
  1107. #define param_check_aauint param_check_uint
  1108. static const struct kernel_param_ops param_ops_aauint = {
  1109. .set = param_set_aauint,
  1110. .get = param_get_aauint
  1111. };
  1112. static int param_set_aacompressionlevel(const char *val,
  1113. const struct kernel_param *kp);
  1114. static int param_get_aacompressionlevel(char *buffer,
  1115. const struct kernel_param *kp);
  1116. #define param_check_aacompressionlevel param_check_int
  1117. static const struct kernel_param_ops param_ops_aacompressionlevel = {
  1118. .set = param_set_aacompressionlevel,
  1119. .get = param_get_aacompressionlevel
  1120. };
  1121. static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
  1122. static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
  1123. #define param_check_aalockpolicy param_check_bool
  1124. static const struct kernel_param_ops param_ops_aalockpolicy = {
  1125. .flags = KERNEL_PARAM_OPS_FL_NOARG,
  1126. .set = param_set_aalockpolicy,
  1127. .get = param_get_aalockpolicy
  1128. };
  1129. static int param_set_audit(const char *val, const struct kernel_param *kp);
  1130. static int param_get_audit(char *buffer, const struct kernel_param *kp);
  1131. static int param_set_mode(const char *val, const struct kernel_param *kp);
  1132. static int param_get_mode(char *buffer, const struct kernel_param *kp);
  1133. /* Flag values, also controllable via /sys/module/apparmor/parameters
  1134. * We define special types as we want to do additional mediation.
  1135. */
  1136. /* AppArmor global enforcement switch - complain, enforce, kill */
  1137. enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
  1138. module_param_call(mode, param_set_mode, param_get_mode,
  1139. &aa_g_profile_mode, S_IRUSR | S_IWUSR);
  1140. /* whether policy verification hashing is enabled */
  1141. bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
  1142. #ifdef CONFIG_SECURITY_APPARMOR_HASH
  1143. module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
  1144. #endif
  1145. /* whether policy exactly as loaded is retained for debug and checkpointing */
  1146. bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY);
  1147. #ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
  1148. module_param_named(export_binary, aa_g_export_binary, aabool, 0600);
  1149. #endif
  1150. /* policy loaddata compression level */
  1151. int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION;
  1152. module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
  1153. aacompressionlevel, 0400);
  1154. /* Debug mode */
  1155. bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
  1156. module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
  1157. /* Audit mode */
  1158. enum audit_mode aa_g_audit;
  1159. module_param_call(audit, param_set_audit, param_get_audit,
  1160. &aa_g_audit, S_IRUSR | S_IWUSR);
  1161. /* Determines if audit header is included in audited messages. This
  1162. * provides more context if the audit daemon is not running
  1163. */
  1164. bool aa_g_audit_header = true;
  1165. module_param_named(audit_header, aa_g_audit_header, aabool,
  1166. S_IRUSR | S_IWUSR);
  1167. /* lock out loading/removal of policy
  1168. * TODO: add in at boot loading of policy, which is the only way to
  1169. * load policy, if lock_policy is set
  1170. */
  1171. bool aa_g_lock_policy;
  1172. module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
  1173. S_IRUSR | S_IWUSR);
  1174. /* Syscall logging mode */
  1175. bool aa_g_logsyscall;
  1176. module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
  1177. /* Maximum pathname length before accesses will start getting rejected */
  1178. unsigned int aa_g_path_max = 2 * PATH_MAX;
  1179. module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
  1180. /* Determines how paranoid loading of policy is and how much verification
  1181. * on the loaded policy is done.
  1182. * DEPRECATED: read only as strict checking of load is always done now
  1183. * that none root users (user namespaces) can load policy.
  1184. */
  1185. bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD);
  1186. module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
  1187. static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
  1188. static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
  1189. #define param_check_aaintbool param_check_int
  1190. static const struct kernel_param_ops param_ops_aaintbool = {
  1191. .set = param_set_aaintbool,
  1192. .get = param_get_aaintbool
  1193. };
  1194. /* Boot time disable flag */
  1195. static int apparmor_enabled __lsm_ro_after_init = 1;
  1196. module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
  1197. static int __init apparmor_enabled_setup(char *str)
  1198. {
  1199. unsigned long enabled;
  1200. int error = kstrtoul(str, 0, &enabled);
  1201. if (!error)
  1202. apparmor_enabled = enabled ? 1 : 0;
  1203. return 1;
  1204. }
  1205. __setup("apparmor=", apparmor_enabled_setup);
  1206. /* set global flag turning off the ability to load policy */
  1207. static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
  1208. {
  1209. if (!apparmor_enabled)
  1210. return -EINVAL;
  1211. if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
  1212. return -EPERM;
  1213. return param_set_bool(val, kp);
  1214. }
  1215. static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
  1216. {
  1217. if (!apparmor_enabled)
  1218. return -EINVAL;
  1219. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1220. return -EPERM;
  1221. return param_get_bool(buffer, kp);
  1222. }
  1223. static int param_set_aabool(const char *val, const struct kernel_param *kp)
  1224. {
  1225. if (!apparmor_enabled)
  1226. return -EINVAL;
  1227. if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
  1228. return -EPERM;
  1229. return param_set_bool(val, kp);
  1230. }
  1231. static int param_get_aabool(char *buffer, const struct kernel_param *kp)
  1232. {
  1233. if (!apparmor_enabled)
  1234. return -EINVAL;
  1235. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1236. return -EPERM;
  1237. return param_get_bool(buffer, kp);
  1238. }
  1239. static int param_set_aauint(const char *val, const struct kernel_param *kp)
  1240. {
  1241. int error;
  1242. if (!apparmor_enabled)
  1243. return -EINVAL;
  1244. /* file is ro but enforce 2nd line check */
  1245. if (apparmor_initialized)
  1246. return -EPERM;
  1247. error = param_set_uint(val, kp);
  1248. aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
  1249. pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
  1250. return error;
  1251. }
  1252. static int param_get_aauint(char *buffer, const struct kernel_param *kp)
  1253. {
  1254. if (!apparmor_enabled)
  1255. return -EINVAL;
  1256. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1257. return -EPERM;
  1258. return param_get_uint(buffer, kp);
  1259. }
  1260. /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
  1261. static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
  1262. {
  1263. struct kernel_param kp_local;
  1264. bool value;
  1265. int error;
  1266. if (apparmor_initialized)
  1267. return -EPERM;
  1268. /* Create local copy, with arg pointing to bool type. */
  1269. value = !!*((int *)kp->arg);
  1270. memcpy(&kp_local, kp, sizeof(kp_local));
  1271. kp_local.arg = &value;
  1272. error = param_set_bool(val, &kp_local);
  1273. if (!error)
  1274. *((int *)kp->arg) = *((bool *)kp_local.arg);
  1275. return error;
  1276. }
  1277. /*
  1278. * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
  1279. * 1/0, this converts the "int that is actually bool" back to bool for
  1280. * display in the /sys filesystem, while keeping it "int" for the LSM
  1281. * infrastructure.
  1282. */
  1283. static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
  1284. {
  1285. struct kernel_param kp_local;
  1286. bool value;
  1287. /* Create local copy, with arg pointing to bool type. */
  1288. value = !!*((int *)kp->arg);
  1289. memcpy(&kp_local, kp, sizeof(kp_local));
  1290. kp_local.arg = &value;
  1291. return param_get_bool(buffer, &kp_local);
  1292. }
  1293. static int param_set_aacompressionlevel(const char *val,
  1294. const struct kernel_param *kp)
  1295. {
  1296. int error;
  1297. if (!apparmor_enabled)
  1298. return -EINVAL;
  1299. if (apparmor_initialized)
  1300. return -EPERM;
  1301. error = param_set_int(val, kp);
  1302. aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level,
  1303. Z_NO_COMPRESSION,
  1304. Z_BEST_COMPRESSION);
  1305. pr_info("AppArmor: policy rawdata compression level set to %u\n",
  1306. aa_g_rawdata_compression_level);
  1307. return error;
  1308. }
  1309. static int param_get_aacompressionlevel(char *buffer,
  1310. const struct kernel_param *kp)
  1311. {
  1312. if (!apparmor_enabled)
  1313. return -EINVAL;
  1314. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1315. return -EPERM;
  1316. return param_get_int(buffer, kp);
  1317. }
  1318. static int param_get_audit(char *buffer, const struct kernel_param *kp)
  1319. {
  1320. if (!apparmor_enabled)
  1321. return -EINVAL;
  1322. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1323. return -EPERM;
  1324. return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
  1325. }
  1326. static int param_set_audit(const char *val, const struct kernel_param *kp)
  1327. {
  1328. int i;
  1329. if (!apparmor_enabled)
  1330. return -EINVAL;
  1331. if (!val)
  1332. return -EINVAL;
  1333. if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
  1334. return -EPERM;
  1335. i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
  1336. if (i < 0)
  1337. return -EINVAL;
  1338. aa_g_audit = i;
  1339. return 0;
  1340. }
  1341. static int param_get_mode(char *buffer, const struct kernel_param *kp)
  1342. {
  1343. if (!apparmor_enabled)
  1344. return -EINVAL;
  1345. if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
  1346. return -EPERM;
  1347. return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
  1348. }
  1349. static int param_set_mode(const char *val, const struct kernel_param *kp)
  1350. {
  1351. int i;
  1352. if (!apparmor_enabled)
  1353. return -EINVAL;
  1354. if (!val)
  1355. return -EINVAL;
  1356. if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
  1357. return -EPERM;
  1358. i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
  1359. val);
  1360. if (i < 0)
  1361. return -EINVAL;
  1362. aa_g_profile_mode = i;
  1363. return 0;
  1364. }
  1365. char *aa_get_buffer(bool in_atomic)
  1366. {
  1367. union aa_buffer *aa_buf;
  1368. bool try_again = true;
  1369. gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
  1370. retry:
  1371. spin_lock(&aa_buffers_lock);
  1372. if (buffer_count > reserve_count ||
  1373. (in_atomic && !list_empty(&aa_global_buffers))) {
  1374. aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
  1375. list);
  1376. list_del(&aa_buf->list);
  1377. buffer_count--;
  1378. spin_unlock(&aa_buffers_lock);
  1379. return &aa_buf->buffer[0];
  1380. }
  1381. if (in_atomic) {
  1382. /*
  1383. * out of reserve buffers and in atomic context so increase
  1384. * how many buffers to keep in reserve
  1385. */
  1386. reserve_count++;
  1387. flags = GFP_ATOMIC;
  1388. }
  1389. spin_unlock(&aa_buffers_lock);
  1390. if (!in_atomic)
  1391. might_sleep();
  1392. aa_buf = kmalloc(aa_g_path_max, flags);
  1393. if (!aa_buf) {
  1394. if (try_again) {
  1395. try_again = false;
  1396. goto retry;
  1397. }
  1398. pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
  1399. return NULL;
  1400. }
  1401. return &aa_buf->buffer[0];
  1402. }
  1403. void aa_put_buffer(char *buf)
  1404. {
  1405. union aa_buffer *aa_buf;
  1406. if (!buf)
  1407. return;
  1408. aa_buf = container_of(buf, union aa_buffer, buffer[0]);
  1409. spin_lock(&aa_buffers_lock);
  1410. list_add(&aa_buf->list, &aa_global_buffers);
  1411. buffer_count++;
  1412. spin_unlock(&aa_buffers_lock);
  1413. }
  1414. /*
  1415. * AppArmor init functions
  1416. */
  1417. /**
  1418. * set_init_ctx - set a task context and profile on the first task.
  1419. *
  1420. * TODO: allow setting an alternate profile than unconfined
  1421. */
  1422. static int __init set_init_ctx(void)
  1423. {
  1424. struct cred *cred = (__force struct cred *)current->real_cred;
  1425. set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
  1426. return 0;
  1427. }
  1428. static void destroy_buffers(void)
  1429. {
  1430. union aa_buffer *aa_buf;
  1431. spin_lock(&aa_buffers_lock);
  1432. while (!list_empty(&aa_global_buffers)) {
  1433. aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
  1434. list);
  1435. list_del(&aa_buf->list);
  1436. spin_unlock(&aa_buffers_lock);
  1437. kfree(aa_buf);
  1438. spin_lock(&aa_buffers_lock);
  1439. }
  1440. spin_unlock(&aa_buffers_lock);
  1441. }
  1442. static int __init alloc_buffers(void)
  1443. {
  1444. union aa_buffer *aa_buf;
  1445. int i, num;
  1446. /*
  1447. * A function may require two buffers at once. Usually the buffers are
  1448. * used for a short period of time and are shared. On UP kernel buffers
  1449. * two should be enough, with more CPUs it is possible that more
  1450. * buffers will be used simultaneously. The preallocated pool may grow.
  1451. * This preallocation has also the side-effect that AppArmor will be
  1452. * disabled early at boot if aa_g_path_max is extremly high.
  1453. */
  1454. if (num_online_cpus() > 1)
  1455. num = 4 + RESERVE_COUNT;
  1456. else
  1457. num = 2 + RESERVE_COUNT;
  1458. for (i = 0; i < num; i++) {
  1459. aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL |
  1460. __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
  1461. if (!aa_buf) {
  1462. destroy_buffers();
  1463. return -ENOMEM;
  1464. }
  1465. aa_put_buffer(&aa_buf->buffer[0]);
  1466. }
  1467. return 0;
  1468. }
  1469. #ifdef CONFIG_SYSCTL
  1470. static int apparmor_dointvec(struct ctl_table *table, int write,
  1471. void *buffer, size_t *lenp, loff_t *ppos)
  1472. {
  1473. if (!aa_current_policy_admin_capable(NULL))
  1474. return -EPERM;
  1475. if (!apparmor_enabled)
  1476. return -EINVAL;
  1477. return proc_dointvec(table, write, buffer, lenp, ppos);
  1478. }
  1479. static struct ctl_path apparmor_sysctl_path[] = {
  1480. { .procname = "kernel", },
  1481. { }
  1482. };
  1483. static struct ctl_table apparmor_sysctl_table[] = {
  1484. {
  1485. .procname = "unprivileged_userns_apparmor_policy",
  1486. .data = &unprivileged_userns_apparmor_policy,
  1487. .maxlen = sizeof(int),
  1488. .mode = 0600,
  1489. .proc_handler = apparmor_dointvec,
  1490. },
  1491. {
  1492. .procname = "apparmor_display_secid_mode",
  1493. .data = &apparmor_display_secid_mode,
  1494. .maxlen = sizeof(int),
  1495. .mode = 0600,
  1496. .proc_handler = apparmor_dointvec,
  1497. },
  1498. { }
  1499. };
  1500. static int __init apparmor_init_sysctl(void)
  1501. {
  1502. return register_sysctl_paths(apparmor_sysctl_path,
  1503. apparmor_sysctl_table) ? 0 : -ENOMEM;
  1504. }
  1505. #else
  1506. static inline int apparmor_init_sysctl(void)
  1507. {
  1508. return 0;
  1509. }
  1510. #endif /* CONFIG_SYSCTL */
  1511. #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
  1512. static unsigned int apparmor_ip_postroute(void *priv,
  1513. struct sk_buff *skb,
  1514. const struct nf_hook_state *state)
  1515. {
  1516. struct aa_sk_ctx *ctx;
  1517. struct sock *sk;
  1518. if (!skb->secmark)
  1519. return NF_ACCEPT;
  1520. sk = skb_to_full_sk(skb);
  1521. if (sk == NULL)
  1522. return NF_ACCEPT;
  1523. ctx = SK_CTX(sk);
  1524. if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
  1525. skb->secmark, sk))
  1526. return NF_ACCEPT;
  1527. return NF_DROP_ERR(-ECONNREFUSED);
  1528. }
  1529. static const struct nf_hook_ops apparmor_nf_ops[] = {
  1530. {
  1531. .hook = apparmor_ip_postroute,
  1532. .pf = NFPROTO_IPV4,
  1533. .hooknum = NF_INET_POST_ROUTING,
  1534. .priority = NF_IP_PRI_SELINUX_FIRST,
  1535. },
  1536. #if IS_ENABLED(CONFIG_IPV6)
  1537. {
  1538. .hook = apparmor_ip_postroute,
  1539. .pf = NFPROTO_IPV6,
  1540. .hooknum = NF_INET_POST_ROUTING,
  1541. .priority = NF_IP6_PRI_SELINUX_FIRST,
  1542. },
  1543. #endif
  1544. };
  1545. static int __net_init apparmor_nf_register(struct net *net)
  1546. {
  1547. return nf_register_net_hooks(net, apparmor_nf_ops,
  1548. ARRAY_SIZE(apparmor_nf_ops));
  1549. }
  1550. static void __net_exit apparmor_nf_unregister(struct net *net)
  1551. {
  1552. nf_unregister_net_hooks(net, apparmor_nf_ops,
  1553. ARRAY_SIZE(apparmor_nf_ops));
  1554. }
  1555. static struct pernet_operations apparmor_net_ops = {
  1556. .init = apparmor_nf_register,
  1557. .exit = apparmor_nf_unregister,
  1558. };
  1559. static int __init apparmor_nf_ip_init(void)
  1560. {
  1561. int err;
  1562. if (!apparmor_enabled)
  1563. return 0;
  1564. err = register_pernet_subsys(&apparmor_net_ops);
  1565. if (err)
  1566. panic("Apparmor: register_pernet_subsys: error %d\n", err);
  1567. return 0;
  1568. }
  1569. __initcall(apparmor_nf_ip_init);
  1570. #endif
  1571. static int __init apparmor_init(void)
  1572. {
  1573. int error;
  1574. error = aa_setup_dfa_engine();
  1575. if (error) {
  1576. AA_ERROR("Unable to setup dfa engine\n");
  1577. goto alloc_out;
  1578. }
  1579. error = aa_alloc_root_ns();
  1580. if (error) {
  1581. AA_ERROR("Unable to allocate default profile namespace\n");
  1582. goto alloc_out;
  1583. }
  1584. error = apparmor_init_sysctl();
  1585. if (error) {
  1586. AA_ERROR("Unable to register sysctls\n");
  1587. goto alloc_out;
  1588. }
  1589. error = alloc_buffers();
  1590. if (error) {
  1591. AA_ERROR("Unable to allocate work buffers\n");
  1592. goto alloc_out;
  1593. }
  1594. error = set_init_ctx();
  1595. if (error) {
  1596. AA_ERROR("Failed to set context on init task\n");
  1597. aa_free_root_ns();
  1598. goto buffers_out;
  1599. }
  1600. security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
  1601. "apparmor");
  1602. /* Report that AppArmor successfully initialized */
  1603. apparmor_initialized = 1;
  1604. if (aa_g_profile_mode == APPARMOR_COMPLAIN)
  1605. aa_info_message("AppArmor initialized: complain mode enabled");
  1606. else if (aa_g_profile_mode == APPARMOR_KILL)
  1607. aa_info_message("AppArmor initialized: kill mode enabled");
  1608. else
  1609. aa_info_message("AppArmor initialized");
  1610. return error;
  1611. buffers_out:
  1612. destroy_buffers();
  1613. alloc_out:
  1614. aa_destroy_aafs();
  1615. aa_teardown_dfa_engine();
  1616. apparmor_enabled = false;
  1617. return error;
  1618. }
  1619. DEFINE_LSM(apparmor) = {
  1620. .name = "apparmor",
  1621. .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
  1622. .enabled = &apparmor_enabled,
  1623. .blobs = &apparmor_blob_sizes,
  1624. .init = apparmor_init,
  1625. };