1/* 2 * AppArmor security module 3 * 4 * This file contains AppArmor LSM hooks. 5 * 6 * Copyright (C) 1998-2008 Novell/SUSE 7 * Copyright 2009-2010 Canonical Ltd. 8 * 9 * This program is free software; you can redistribute it and/or 10 * modify it under the terms of the GNU General Public License as 11 * published by the Free Software Foundation, version 2 of the 12 * License. 13 */ 14 15#include <linux/security.h> 16#include <linux/moduleparam.h> 17#include <linux/mm.h> 18#include <linux/mman.h> 19#include <linux/mount.h> 20#include <linux/namei.h> 21#include <linux/ptrace.h> 22#include <linux/ctype.h> 23#include <linux/sysctl.h> 24#include <linux/audit.h> 25#include <net/sock.h> 26 27#include "include/apparmor.h" 28#include "include/apparmorfs.h" 29#include "include/audit.h" 30#include "include/capability.h" 31#include "include/context.h" 32#include "include/file.h" 33#include "include/ipc.h" 34#include "include/path.h" 35#include "include/policy.h" 36#include "include/procattr.h" 37 38/* Flag indicating whether initialization completed */ 39int apparmor_initialized __initdata; 40 41/* 42 * LSM hook functions 43 */ 44 45/* 46 * free the associated aa_task_cxt and put its profiles 47 */ 48static void apparmor_cred_free(struct cred *cred) 49{ 50 aa_free_task_context(cred->security); 51 cred->security = NULL; 52} 53 54/* 55 * allocate the apparmor part of blank credentials 56 */ 57static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp) 58{ 59 /* freed by apparmor_cred_free */ 60 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 61 if (!cxt) 62 return -ENOMEM; 63 64 cred->security = cxt; 65 return 0; 66} 67 68/* 69 * prepare new aa_task_cxt for modification by prepare_cred block 70 */ 71static int apparmor_cred_prepare(struct cred *new, const struct cred *old, 72 gfp_t gfp) 73{ 74 /* freed by apparmor_cred_free */ 75 struct aa_task_cxt *cxt = aa_alloc_task_context(gfp); 76 if (!cxt) 77 return -ENOMEM; 78 79 aa_dup_task_context(cxt, old->security); 80 new->security = cxt; 81 return 0; 82} 83 84/* 85 * transfer the apparmor data to a blank set of creds 86 */ 87static void apparmor_cred_transfer(struct cred *new, const struct cred *old) 88{ 89 const struct aa_task_cxt *old_cxt = old->security; 90 struct aa_task_cxt *new_cxt = new->security; 91 92 aa_dup_task_context(new_cxt, old_cxt); 93} 94 95static int apparmor_ptrace_access_check(struct task_struct *child, 96 unsigned int mode) 97{ 98 int error = cap_ptrace_access_check(child, mode); 99 if (error) 100 return error; 101 102 return aa_ptrace(current, child, mode); 103} 104 105static int apparmor_ptrace_traceme(struct task_struct *parent) 106{ 107 int error = cap_ptrace_traceme(parent); 108 if (error) 109 return error; 110 111 return aa_ptrace(parent, current, PTRACE_MODE_ATTACH); 112} 113 114/* Derived from security/commoncap.c:cap_capget */ 115static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective, 116 kernel_cap_t *inheritable, kernel_cap_t *permitted) 117{ 118 struct aa_profile *profile; 119 const struct cred *cred; 120 121 rcu_read_lock(); 122 cred = __task_cred(target); 123 profile = aa_cred_profile(cred); 124 125 *effective = cred->cap_effective; 126 *inheritable = cred->cap_inheritable; 127 *permitted = cred->cap_permitted; 128 129 if (!unconfined(profile)) { 130 *effective = cap_intersect(*effective, profile->caps.allow); 131 *permitted = cap_intersect(*permitted, profile->caps.allow); 132 } 133 rcu_read_unlock(); 134 135 return 0; 136} 137 138static int apparmor_capable(struct task_struct *task, const struct cred *cred, 139 int cap, int audit) 140{ 141 struct aa_profile *profile; 142 /* cap_capable returns 0 on success, else -EPERM */ 143 int error = cap_capable(task, cred, cap, audit); 144 if (!error) { 145 profile = aa_cred_profile(cred); 146 if (!unconfined(profile)) 147 error = aa_capable(task, profile, cap, audit); 148 } 149 return error; 150} 151 152/** 153 * common_perm - basic common permission check wrapper fn for paths 154 * @op: operation being checked 155 * @path: path to check permission of (NOT NULL) 156 * @mask: requested permissions mask 157 * @cond: conditional info for the permission request (NOT NULL) 158 * 159 * Returns: %0 else error code if error or permission denied 160 */ 161static int common_perm(int op, struct path *path, u32 mask, 162 struct path_cond *cond) 163{ 164 struct aa_profile *profile; 165 int error = 0; 166 167 profile = __aa_current_profile(); 168 if (!unconfined(profile)) 169 error = aa_path_perm(op, profile, path, 0, mask, cond); 170 171 return error; 172} 173 174/** 175 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry 176 * @op: operation being checked 177 * @dir: directory of the dentry (NOT NULL) 178 * @dentry: dentry to check (NOT NULL) 179 * @mask: requested permissions mask 180 * @cond: conditional info for the permission request (NOT NULL) 181 * 182 * Returns: %0 else error code if error or permission denied 183 */ 184static int common_perm_dir_dentry(int op, struct path *dir, 185 struct dentry *dentry, u32 mask, 186 struct path_cond *cond) 187{ 188 struct path path = { dir->mnt, dentry }; 189 190 return common_perm(op, &path, mask, cond); 191} 192 193/** 194 * common_perm_mnt_dentry - common permission wrapper when mnt, dentry 195 * @op: operation being checked 196 * @mnt: mount point of dentry (NOT NULL) 197 * @dentry: dentry to check (NOT NULL) 198 * @mask: requested permissions mask 199 * 200 * Returns: %0 else error code if error or permission denied 201 */ 202static int common_perm_mnt_dentry(int op, struct vfsmount *mnt, 203 struct dentry *dentry, u32 mask) 204{ 205 struct path path = { mnt, dentry }; 206 struct path_cond cond = { dentry->d_inode->i_uid, 207 dentry->d_inode->i_mode 208 }; 209 210 return common_perm(op, &path, mask, &cond); 211} 212 213/** 214 * common_perm_rm - common permission wrapper for operations doing rm 215 * @op: operation being checked 216 * @dir: directory that the dentry is in (NOT NULL) 217 * @dentry: dentry being rm'd (NOT NULL) 218 * @mask: requested permission mask 219 * 220 * Returns: %0 else error code if error or permission denied 221 */ 222static int common_perm_rm(int op, struct path *dir, 223 struct dentry *dentry, u32 mask) 224{ 225 struct inode *inode = dentry->d_inode; 226 struct path_cond cond = { }; 227 228 if (!inode || !dir->mnt || !mediated_filesystem(inode)) 229 return 0; 230 231 cond.uid = inode->i_uid; 232 cond.mode = inode->i_mode; 233 234 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 235} 236 237/** 238 * common_perm_create - common permission wrapper for operations doing create 239 * @op: operation being checked 240 * @dir: directory that dentry will be created in (NOT NULL) 241 * @dentry: dentry to create (NOT NULL) 242 * @mask: request permission mask 243 * @mode: created file mode 244 * 245 * Returns: %0 else error code if error or permission denied 246 */ 247static int common_perm_create(int op, struct path *dir, struct dentry *dentry, 248 u32 mask, umode_t mode) 249{ 250 struct path_cond cond = { current_fsuid(), mode }; 251 252 if (!dir->mnt || !mediated_filesystem(dir->dentry->d_inode)) 253 return 0; 254 255 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); 256} 257 258static int apparmor_path_unlink(struct path *dir, struct dentry *dentry) 259{ 260 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); 261} 262 263static int apparmor_path_mkdir(struct path *dir, struct dentry *dentry, 264 int mode) 265{ 266 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, 267 S_IFDIR); 268} 269 270static int apparmor_path_rmdir(struct path *dir, struct dentry *dentry) 271{ 272 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); 273} 274 275static int apparmor_path_mknod(struct path *dir, struct dentry *dentry, 276 int mode, unsigned int dev) 277{ 278 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); 279} 280 281static int apparmor_path_truncate(struct path *path) 282{ 283 struct path_cond cond = { path->dentry->d_inode->i_uid, 284 path->dentry->d_inode->i_mode 285 }; 286 287 if (!path->mnt || !mediated_filesystem(path->dentry->d_inode)) 288 return 0; 289 290 return common_perm(OP_TRUNC, path, MAY_WRITE | AA_MAY_META_WRITE, 291 &cond); 292} 293 294static int apparmor_path_symlink(struct path *dir, struct dentry *dentry, 295 const char *old_name) 296{ 297 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, 298 S_IFLNK); 299} 300 301static int apparmor_path_link(struct dentry *old_dentry, struct path *new_dir, 302 struct dentry *new_dentry) 303{ 304 struct aa_profile *profile; 305 int error = 0; 306 307 if (!mediated_filesystem(old_dentry->d_inode)) 308 return 0; 309 310 profile = aa_current_profile(); 311 if (!unconfined(profile)) 312 error = aa_path_link(profile, old_dentry, new_dir, new_dentry); 313 return error; 314} 315 316static int apparmor_path_rename(struct path *old_dir, struct dentry *old_dentry, 317 struct path *new_dir, struct dentry *new_dentry) 318{ 319 struct aa_profile *profile; 320 int error = 0; 321 322 if (!mediated_filesystem(old_dentry->d_inode)) 323 return 0; 324 325 profile = aa_current_profile(); 326 if (!unconfined(profile)) { 327 struct path old_path = { old_dir->mnt, old_dentry }; 328 struct path new_path = { new_dir->mnt, new_dentry }; 329 struct path_cond cond = { old_dentry->d_inode->i_uid, 330 old_dentry->d_inode->i_mode 331 }; 332 333 error = aa_path_perm(OP_RENAME_SRC, profile, &old_path, 0, 334 MAY_READ | AA_MAY_META_READ | MAY_WRITE | 335 AA_MAY_META_WRITE | AA_MAY_DELETE, 336 &cond); 337 if (!error) 338 error = aa_path_perm(OP_RENAME_DEST, profile, &new_path, 339 0, MAY_WRITE | AA_MAY_META_WRITE | 340 AA_MAY_CREATE, &cond); 341 342 } 343 return error; 344} 345 346static int apparmor_path_chmod(struct dentry *dentry, struct vfsmount *mnt, 347 mode_t mode) 348{ 349 if (!mediated_filesystem(dentry->d_inode)) 350 return 0; 351 352 return common_perm_mnt_dentry(OP_CHMOD, mnt, dentry, AA_MAY_CHMOD); 353} 354 355static int apparmor_path_chown(struct path *path, uid_t uid, gid_t gid) 356{ 357 struct path_cond cond = { path->dentry->d_inode->i_uid, 358 path->dentry->d_inode->i_mode 359 }; 360 361 if (!mediated_filesystem(path->dentry->d_inode)) 362 return 0; 363 364 return common_perm(OP_CHOWN, path, AA_MAY_CHOWN, &cond); 365} 366 367static int apparmor_inode_getattr(struct vfsmount *mnt, struct dentry *dentry) 368{ 369 if (!mediated_filesystem(dentry->d_inode)) 370 return 0; 371 372 return common_perm_mnt_dentry(OP_GETATTR, mnt, dentry, 373 AA_MAY_META_READ); 374} 375 376static int apparmor_dentry_open(struct file *file, const struct cred *cred) 377{ 378 struct aa_file_cxt *fcxt = file->f_security; 379 struct aa_profile *profile; 380 int error = 0; 381 382 if (!mediated_filesystem(file->f_path.dentry->d_inode)) 383 return 0; 384 385 /* If in exec, permission is handled by bprm hooks. 386 * Cache permissions granted by the previous exec check, with 387 * implicit read and executable mmap which are required to 388 * actually execute the image. 389 */ 390 if (current->in_execve) { 391 fcxt->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; 392 return 0; 393 } 394 395 profile = aa_cred_profile(cred); 396 if (!unconfined(profile)) { 397 struct inode *inode = file->f_path.dentry->d_inode; 398 struct path_cond cond = { inode->i_uid, inode->i_mode }; 399 400 error = aa_path_perm(OP_OPEN, profile, &file->f_path, 0, 401 aa_map_file_to_perms(file), &cond); 402 /* todo cache full allowed permissions set and state */ 403 fcxt->allow = aa_map_file_to_perms(file); 404 } 405 406 return error; 407} 408 409static int apparmor_file_alloc_security(struct file *file) 410{ 411 /* freed by apparmor_file_free_security */ 412 file->f_security = aa_alloc_file_context(GFP_KERNEL); 413 if (!file->f_security) 414 return -ENOMEM; 415 return 0; 416 417} 418 419static void apparmor_file_free_security(struct file *file) 420{ 421 struct aa_file_cxt *cxt = file->f_security; 422 423 aa_free_file_context(cxt); 424} 425 426static int common_file_perm(int op, struct file *file, u32 mask) 427{ 428 struct aa_file_cxt *fcxt = file->f_security; 429 struct aa_profile *profile, *fprofile = aa_cred_profile(file->f_cred); 430 int error = 0; 431 432 BUG_ON(!fprofile); 433 434 if (!file->f_path.mnt || 435 !mediated_filesystem(file->f_path.dentry->d_inode)) 436 return 0; 437 438 profile = __aa_current_profile(); 439 440 /* revalidate access, if task is unconfined, or the cached cred 441 * doesn't match or if the request is for more permissions than 442 * was granted. 443 * 444 * Note: the test for !unconfined(fprofile) is to handle file 445 * delegation from unconfined tasks 446 */ 447 if (!unconfined(profile) && !unconfined(fprofile) && 448 ((fprofile != profile) || (mask & ~fcxt->allow))) 449 error = aa_file_perm(op, profile, file, mask); 450 451 return error; 452} 453 454static int apparmor_file_permission(struct file *file, int mask) 455{ 456 return common_file_perm(OP_FPERM, file, mask); 457} 458 459static int apparmor_file_lock(struct file *file, unsigned int cmd) 460{ 461 u32 mask = AA_MAY_LOCK; 462 463 if (cmd == F_WRLCK) 464 mask |= MAY_WRITE; 465 466 return common_file_perm(OP_FLOCK, file, mask); 467} 468 469static int common_mmap(int op, struct file *file, unsigned long prot, 470 unsigned long flags) 471{ 472 struct dentry *dentry; 473 int mask = 0; 474 475 if (!file || !file->f_security) 476 return 0; 477 478 if (prot & PROT_READ) 479 mask |= MAY_READ; 480 /* 481 * Private mappings don't require write perms since they don't 482 * write back to the files 483 */ 484 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE)) 485 mask |= MAY_WRITE; 486 if (prot & PROT_EXEC) 487 mask |= AA_EXEC_MMAP; 488 489 dentry = file->f_path.dentry; 490 return common_file_perm(op, file, mask); 491} 492 493static int apparmor_file_mmap(struct file *file, unsigned long reqprot, 494 unsigned long prot, unsigned long flags, 495 unsigned long addr, unsigned long addr_only) 496{ 497 int rc = 0; 498 499 /* do DAC check */ 500 rc = cap_file_mmap(file, reqprot, prot, flags, addr, addr_only); 501 if (rc || addr_only) 502 return rc; 503 504 return common_mmap(OP_FMMAP, file, prot, flags); 505} 506 507static int apparmor_file_mprotect(struct vm_area_struct *vma, 508 unsigned long reqprot, unsigned long prot) 509{ 510 return common_mmap(OP_FMPROT, vma->vm_file, prot, 511 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); 512} 513 514static int apparmor_getprocattr(struct task_struct *task, char *name, 515 char **value) 516{ 517 int error = -ENOENT; 518 struct aa_profile *profile; 519 /* released below */ 520 const struct cred *cred = get_task_cred(task); 521 struct aa_task_cxt *cxt = cred->security; 522 profile = aa_cred_profile(cred); 523 524 if (strcmp(name, "current") == 0) 525 error = aa_getprocattr(aa_newest_version(cxt->profile), 526 value); 527 else if (strcmp(name, "prev") == 0 && cxt->previous) 528 error = aa_getprocattr(aa_newest_version(cxt->previous), 529 value); 530 else if (strcmp(name, "exec") == 0 && cxt->onexec) 531 error = aa_getprocattr(aa_newest_version(cxt->onexec), 532 value); 533 else 534 error = -EINVAL; 535 536 put_cred(cred); 537 538 return error; 539} 540 541static int apparmor_setprocattr(struct task_struct *task, char *name, 542 void *value, size_t size) 543{ 544 char *command, *args = value; 545 size_t arg_size; 546 int error; 547 548 if (size == 0) 549 return -EINVAL; 550 /* args points to a PAGE_SIZE buffer, AppArmor requires that 551 * the buffer must be null terminated or have size <= PAGE_SIZE -1 552 * so that AppArmor can null terminate them 553 */ 554 if (args[size - 1] != '\0') { 555 if (size == PAGE_SIZE) 556 return -EINVAL; 557 args[size] = '\0'; 558 } 559 560 /* task can only write its own attributes */ 561 if (current != task) 562 return -EACCES; 563 564 args = value; 565 args = strim(args); 566 command = strsep(&args, " "); 567 if (!args) 568 return -EINVAL; 569 args = skip_spaces(args); 570 if (!*args) 571 return -EINVAL; 572 573 arg_size = size - (args - (char *) value); 574 if (strcmp(name, "current") == 0) { 575 if (strcmp(command, "changehat") == 0) { 576 error = aa_setprocattr_changehat(args, arg_size, 577 !AA_DO_TEST); 578 } else if (strcmp(command, "permhat") == 0) { 579 error = aa_setprocattr_changehat(args, arg_size, 580 AA_DO_TEST); 581 } else if (strcmp(command, "changeprofile") == 0) { 582 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 583 !AA_DO_TEST); 584 } else if (strcmp(command, "permprofile") == 0) { 585 error = aa_setprocattr_changeprofile(args, !AA_ONEXEC, 586 AA_DO_TEST); 587 } else if (strcmp(command, "permipc") == 0) { 588 error = aa_setprocattr_permipc(args); 589 } else { 590 struct common_audit_data sa; 591 COMMON_AUDIT_DATA_INIT(&sa, NONE); 592 sa.aad.op = OP_SETPROCATTR; 593 sa.aad.info = name; 594 sa.aad.error = -EINVAL; 595 return aa_audit(AUDIT_APPARMOR_DENIED, NULL, GFP_KERNEL, 596 &sa, NULL); 597 } 598 } else if (strcmp(name, "exec") == 0) { 599 error = aa_setprocattr_changeprofile(args, AA_ONEXEC, 600 !AA_DO_TEST); 601 } else { 602 /* only support the "current" and "exec" process attributes */ 603 return -EINVAL; 604 } 605 if (!error) 606 error = size; 607 return error; 608} 609 610static int apparmor_task_setrlimit(struct task_struct *task, 611 unsigned int resource, struct rlimit *new_rlim) 612{ 613 struct aa_profile *profile = aa_current_profile(); 614 int error = 0; 615 616 if (!unconfined(profile)) 617 error = aa_task_setrlimit(profile, task, resource, new_rlim); 618 619 return error; 620} 621 622static struct security_operations apparmor_ops = { 623 .name = "apparmor", 624 625 .ptrace_access_check = apparmor_ptrace_access_check, 626 .ptrace_traceme = apparmor_ptrace_traceme, 627 .capget = apparmor_capget, 628 .capable = apparmor_capable, 629 630 .path_link = apparmor_path_link, 631 .path_unlink = apparmor_path_unlink, 632 .path_symlink = apparmor_path_symlink, 633 .path_mkdir = apparmor_path_mkdir, 634 .path_rmdir = apparmor_path_rmdir, 635 .path_mknod = apparmor_path_mknod, 636 .path_rename = apparmor_path_rename, 637 .path_chmod = apparmor_path_chmod, 638 .path_chown = apparmor_path_chown, 639 .path_truncate = apparmor_path_truncate, 640 .dentry_open = apparmor_dentry_open, 641 .inode_getattr = apparmor_inode_getattr, 642 643 .file_permission = apparmor_file_permission, 644 .file_alloc_security = apparmor_file_alloc_security, 645 .file_free_security = apparmor_file_free_security, 646 .file_mmap = apparmor_file_mmap, 647 .file_mprotect = apparmor_file_mprotect, 648 .file_lock = apparmor_file_lock, 649 650 .getprocattr = apparmor_getprocattr, 651 .setprocattr = apparmor_setprocattr, 652 653 .cred_alloc_blank = apparmor_cred_alloc_blank, 654 .cred_free = apparmor_cred_free, 655 .cred_prepare = apparmor_cred_prepare, 656 .cred_transfer = apparmor_cred_transfer, 657 658 .bprm_set_creds = apparmor_bprm_set_creds, 659 .bprm_committing_creds = apparmor_bprm_committing_creds, 660 .bprm_committed_creds = apparmor_bprm_committed_creds, 661 .bprm_secureexec = apparmor_bprm_secureexec, 662 663 .task_setrlimit = apparmor_task_setrlimit, 664}; 665 666/* 667 * AppArmor sysfs module parameters 668 */ 669 670static int param_set_aabool(const char *val, const struct kernel_param *kp); 671static int param_get_aabool(char *buffer, const struct kernel_param *kp); 672#define param_check_aabool(name, p) __param_check(name, p, int) 673static struct kernel_param_ops param_ops_aabool = { 674 .set = param_set_aabool, 675 .get = param_get_aabool 676}; 677 678static int param_set_aauint(const char *val, const struct kernel_param *kp); 679static int param_get_aauint(char *buffer, const struct kernel_param *kp); 680#define param_check_aauint(name, p) __param_check(name, p, int) 681static struct kernel_param_ops param_ops_aauint = { 682 .set = param_set_aauint, 683 .get = param_get_aauint 684}; 685 686static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp); 687static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp); 688#define param_check_aalockpolicy(name, p) __param_check(name, p, int) 689static struct kernel_param_ops param_ops_aalockpolicy = { 690 .set = param_set_aalockpolicy, 691 .get = param_get_aalockpolicy 692}; 693 694static int param_set_audit(const char *val, struct kernel_param *kp); 695static int param_get_audit(char *buffer, struct kernel_param *kp); 696#define param_check_audit(name, p) __param_check(name, p, int) 697 698static int param_set_mode(const char *val, struct kernel_param *kp); 699static int param_get_mode(char *buffer, struct kernel_param *kp); 700#define param_check_mode(name, p) __param_check(name, p, int) 701 702/* Flag values, also controllable via /sys/module/apparmor/parameters 703 * We define special types as we want to do additional mediation. 704 */ 705 706/* AppArmor global enforcement switch - complain, enforce, kill */ 707enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE; 708module_param_call(mode, param_set_mode, param_get_mode, 709 &aa_g_profile_mode, S_IRUSR | S_IWUSR); 710 711/* Debug mode */ 712int aa_g_debug; 713module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR); 714 715/* Audit mode */ 716enum audit_mode aa_g_audit; 717module_param_call(audit, param_set_audit, param_get_audit, 718 &aa_g_audit, S_IRUSR | S_IWUSR); 719 720/* Determines if audit header is included in audited messages. This 721 * provides more context if the audit daemon is not running 722 */ 723int aa_g_audit_header = 1; 724module_param_named(audit_header, aa_g_audit_header, aabool, 725 S_IRUSR | S_IWUSR); 726 727/* lock out loading/removal of policy 728 * TODO: add in at boot loading of policy, which is the only way to 729 * load policy, if lock_policy is set 730 */ 731int aa_g_lock_policy; 732module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy, 733 S_IRUSR | S_IWUSR); 734 735/* Syscall logging mode */ 736int aa_g_logsyscall; 737module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR); 738 739/* Maximum pathname length before accesses will start getting rejected */ 740unsigned int aa_g_path_max = 2 * PATH_MAX; 741module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR | S_IWUSR); 742 743/* Determines how paranoid loading of policy is and how much verification 744 * on the loaded policy is done. 745 */ 746int aa_g_paranoid_load = 1; 747module_param_named(paranoid_load, aa_g_paranoid_load, aabool, 748 S_IRUSR | S_IWUSR); 749 750/* Boot time disable flag */ 751static unsigned int apparmor_enabled = CONFIG_SECURITY_APPARMOR_BOOTPARAM_VALUE; 752module_param_named(enabled, apparmor_enabled, aabool, S_IRUSR); 753 754static int __init apparmor_enabled_setup(char *str) 755{ 756 unsigned long enabled; 757 int error = strict_strtoul(str, 0, &enabled); 758 if (!error) 759 apparmor_enabled = enabled ? 1 : 0; 760 return 1; 761} 762 763__setup("apparmor=", apparmor_enabled_setup); 764 765/* set global flag turning off the ability to load policy */ 766static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp) 767{ 768 if (!capable(CAP_MAC_ADMIN)) 769 return -EPERM; 770 if (aa_g_lock_policy) 771 return -EACCES; 772 return param_set_bool(val, kp); 773} 774 775static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp) 776{ 777 if (!capable(CAP_MAC_ADMIN)) 778 return -EPERM; 779 return param_get_bool(buffer, kp); 780} 781 782static int param_set_aabool(const char *val, const struct kernel_param *kp) 783{ 784 if (!capable(CAP_MAC_ADMIN)) 785 return -EPERM; 786 return param_set_bool(val, kp); 787} 788 789static int param_get_aabool(char *buffer, const struct kernel_param *kp) 790{ 791 if (!capable(CAP_MAC_ADMIN)) 792 return -EPERM; 793 return param_get_bool(buffer, kp); 794} 795 796static int param_set_aauint(const char *val, const struct kernel_param *kp) 797{ 798 if (!capable(CAP_MAC_ADMIN)) 799 return -EPERM; 800 return param_set_uint(val, kp); 801} 802 803static int param_get_aauint(char *buffer, const struct kernel_param *kp) 804{ 805 if (!capable(CAP_MAC_ADMIN)) 806 return -EPERM; 807 return param_get_uint(buffer, kp); 808} 809 810static int param_get_audit(char *buffer, struct kernel_param *kp) 811{ 812 if (!capable(CAP_MAC_ADMIN)) 813 return -EPERM; 814 815 if (!apparmor_enabled) 816 return -EINVAL; 817 818 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]); 819} 820 821static int param_set_audit(const char *val, struct kernel_param *kp) 822{ 823 int i; 824 if (!capable(CAP_MAC_ADMIN)) 825 return -EPERM; 826 827 if (!apparmor_enabled) 828 return -EINVAL; 829 830 if (!val) 831 return -EINVAL; 832 833 for (i = 0; i < AUDIT_MAX_INDEX; i++) { 834 if (strcmp(val, audit_mode_names[i]) == 0) { 835 aa_g_audit = i; 836 return 0; 837 } 838 } 839 840 return -EINVAL; 841} 842 843static int param_get_mode(char *buffer, struct kernel_param *kp) 844{ 845 if (!capable(CAP_MAC_ADMIN)) 846 return -EPERM; 847 848 if (!apparmor_enabled) 849 return -EINVAL; 850 851 return sprintf(buffer, "%s", profile_mode_names[aa_g_profile_mode]); 852} 853 854static int param_set_mode(const char *val, struct kernel_param *kp) 855{ 856 int i; 857 if (!capable(CAP_MAC_ADMIN)) 858 return -EPERM; 859 860 if (!apparmor_enabled) 861 return -EINVAL; 862 863 if (!val) 864 return -EINVAL; 865 866 for (i = 0; i < APPARMOR_NAMES_MAX_INDEX; i++) { 867 if (strcmp(val, profile_mode_names[i]) == 0) { 868 aa_g_profile_mode = i; 869 return 0; 870 } 871 } 872 873 return -EINVAL; 874} 875 876/* 877 * AppArmor init functions 878 */ 879 880/** 881 * set_init_cxt - set a task context and profile on the first task. 882 * 883 * TODO: allow setting an alternate profile than unconfined 884 */ 885static int __init set_init_cxt(void) 886{ 887 struct cred *cred = (struct cred *)current->real_cred; 888 struct aa_task_cxt *cxt; 889 890 cxt = aa_alloc_task_context(GFP_KERNEL); 891 if (!cxt) 892 return -ENOMEM; 893 894 cxt->profile = aa_get_profile(root_ns->unconfined); 895 cred->security = cxt; 896 897 return 0; 898} 899 900static int __init apparmor_init(void) 901{ 902 int error; 903 904 if (!apparmor_enabled || !security_module_enable(&apparmor_ops)) { 905 aa_info_message("AppArmor disabled by boot time parameter"); 906 apparmor_enabled = 0; 907 return 0; 908 } 909 910 error = aa_alloc_root_ns(); 911 if (error) { 912 AA_ERROR("Unable to allocate default profile namespace\n"); 913 goto alloc_out; 914 } 915 916 error = set_init_cxt(); 917 if (error) { 918 AA_ERROR("Failed to set context on init task\n"); 919 goto register_security_out; 920 } 921 922 error = register_security(&apparmor_ops); 923 if (error) { 924 AA_ERROR("Unable to register AppArmor\n"); 925 goto register_security_out; 926 } 927 928 /* Report that AppArmor successfully initialized */ 929 apparmor_initialized = 1; 930 if (aa_g_profile_mode == APPARMOR_COMPLAIN) 931 aa_info_message("AppArmor initialized: complain mode enabled"); 932 else if (aa_g_profile_mode == APPARMOR_KILL) 933 aa_info_message("AppArmor initialized: kill mode enabled"); 934 else 935 aa_info_message("AppArmor initialized"); 936 937 return error; 938 939register_security_out: 940 aa_free_root_ns(); 941 942alloc_out: 943 aa_destroy_aafs(); 944 945 apparmor_enabled = 0; 946 return error; 947 948} 949 950security_initcall(apparmor_init); 951