Author | Tokens | Token Proportion | Commits | Commit Proportion |
---|---|---|---|---|
John Johansen | 3552 | 95.77% | 32 | 76.19% |
Sebastian Andrzej Siewior | 136 | 3.67% | 2 | 4.76% |
Alexander Mikhalitsyn | 8 | 0.22% | 1 | 2.38% |
Al Viro | 3 | 0.08% | 2 | 4.76% |
David Howells | 3 | 0.08% | 1 | 2.38% |
Kees Cook | 3 | 0.08% | 1 | 2.38% |
Thomas Gleixner | 2 | 0.05% | 1 | 2.38% |
Stephen Rothwell | 1 | 0.03% | 1 | 2.38% |
Patrick Steinhardt | 1 | 0.03% | 1 | 2.38% |
Total | 3709 | 42 |
// SPDX-License-Identifier: GPL-2.0-only /* * AppArmor security module * * This file contains AppArmor mediation of files * * Copyright (C) 1998-2008 Novell/SUSE * Copyright 2009-2017 Canonical Ltd. */ #include <linux/fs.h> #include <linux/mount.h> #include <linux/namei.h> #include <uapi/linux/mount.h> #include "include/apparmor.h" #include "include/audit.h" #include "include/cred.h" #include "include/domain.h" #include "include/file.h" #include "include/match.h" #include "include/mount.h" #include "include/path.h" #include "include/policy.h" static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags) { if (flags & MS_RDONLY) audit_log_format(ab, "ro"); else audit_log_format(ab, "rw"); if (flags & MS_NOSUID) audit_log_format(ab, ", nosuid"); if (flags & MS_NODEV) audit_log_format(ab, ", nodev"); if (flags & MS_NOEXEC) audit_log_format(ab, ", noexec"); if (flags & MS_SYNCHRONOUS) audit_log_format(ab, ", sync"); if (flags & MS_REMOUNT) audit_log_format(ab, ", remount"); if (flags & MS_MANDLOCK) audit_log_format(ab, ", mand"); if (flags & MS_DIRSYNC) audit_log_format(ab, ", dirsync"); if (flags & MS_NOSYMFOLLOW) audit_log_format(ab, ", nosymfollow"); if (flags & MS_NOATIME) audit_log_format(ab, ", noatime"); if (flags & MS_NODIRATIME) audit_log_format(ab, ", nodiratime"); if (flags & MS_BIND) audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind"); if (flags & MS_MOVE) audit_log_format(ab, ", move"); if (flags & MS_SILENT) audit_log_format(ab, ", silent"); if (flags & MS_POSIXACL) audit_log_format(ab, ", acl"); if (flags & MS_UNBINDABLE) audit_log_format(ab, flags & MS_REC ? ", runbindable" : ", unbindable"); if (flags & MS_PRIVATE) audit_log_format(ab, flags & MS_REC ? ", rprivate" : ", private"); if (flags & MS_SLAVE) audit_log_format(ab, flags & MS_REC ? ", rslave" : ", slave"); if (flags & MS_SHARED) audit_log_format(ab, flags & MS_REC ? ", rshared" : ", shared"); if (flags & MS_RELATIME) audit_log_format(ab, ", relatime"); if (flags & MS_I_VERSION) audit_log_format(ab, ", iversion"); if (flags & MS_STRICTATIME) audit_log_format(ab, ", strictatime"); if (flags & MS_NOUSER) audit_log_format(ab, ", nouser"); } /** * audit_cb - call back for mount specific audit fields * @ab: audit_buffer (NOT NULL) * @va: audit struct to audit values of (NOT NULL) */ static void audit_cb(struct audit_buffer *ab, void *va) { struct common_audit_data *sa = va; struct apparmor_audit_data *ad = aad(sa); if (ad->mnt.type) { audit_log_format(ab, " fstype="); audit_log_untrustedstring(ab, ad->mnt.type); } if (ad->mnt.src_name) { audit_log_format(ab, " srcname="); audit_log_untrustedstring(ab, ad->mnt.src_name); } if (ad->mnt.trans) { audit_log_format(ab, " trans="); audit_log_untrustedstring(ab, ad->mnt.trans); } if (ad->mnt.flags) { audit_log_format(ab, " flags=\""); audit_mnt_flags(ab, ad->mnt.flags); audit_log_format(ab, "\""); } if (ad->mnt.data) { audit_log_format(ab, " options="); audit_log_untrustedstring(ab, ad->mnt.data); } } /** * audit_mount - handle the auditing of mount operations * @subj_cred: cred of the subject * @profile: the profile being enforced (NOT NULL) * @op: operation being mediated (NOT NULL) * @name: name of object being mediated (MAYBE NULL) * @src_name: src_name of object being mediated (MAYBE_NULL) * @type: type of filesystem (MAYBE_NULL) * @trans: name of trans (MAYBE NULL) * @flags: filesystem independent mount flags * @data: filesystem mount flags * @request: permissions requested * @perms: the permissions computed for the request (NOT NULL) * @info: extra information message (MAYBE NULL) * @error: 0 if operation allowed else failure error code * * Returns: %0 or error on failure */ static int audit_mount(const struct cred *subj_cred, struct aa_profile *profile, const char *op, const char *name, const char *src_name, const char *type, const char *trans, unsigned long flags, const void *data, u32 request, struct aa_perms *perms, const char *info, int error) { int audit_type = AUDIT_APPARMOR_AUTO; DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op); if (likely(!error)) { u32 mask = perms->audit; if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) mask = 0xffff; /* mask off perms that are not being force audited */ request &= mask; if (likely(!request)) return 0; audit_type = AUDIT_APPARMOR_AUDIT; } else { /* only report permissions that were denied */ request = request & ~perms->allow; if (request & perms->kill) audit_type = AUDIT_APPARMOR_KILL; /* quiet known rejects, assumes quiet and kill do not overlap */ if ((request & perms->quiet) && AUDIT_MODE(profile) != AUDIT_NOQUIET && AUDIT_MODE(profile) != AUDIT_ALL) request &= ~perms->quiet; if (!request) return error; } ad.subj_cred = subj_cred; ad.name = name; ad.mnt.src_name = src_name; ad.mnt.type = type; ad.mnt.trans = trans; ad.mnt.flags = flags; if (data && (perms->audit & AA_AUDIT_DATA)) ad.mnt.data = data; ad.info = info; ad.error = error; return aa_audit(audit_type, profile, &ad, audit_cb); } /** * match_mnt_flags - Do an ordered match on mount flags * @dfa: dfa to match against * @state: state to start in * @flags: mount flags to match against * * Mount flags are encoded as an ordered match. This is done instead of * checking against a simple bitmask, to allow for logical operations * on the flags. * * Returns: next state after flags match */ static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state, unsigned long flags) { unsigned int i; for (i = 0; i <= 31 ; ++i) { if ((1 << i) & flags) state = aa_dfa_next(dfa, state, i + 1); } return state; } static const char * const mnt_info_table[] = { "match succeeded", "failed mntpnt match", "failed srcname match", "failed type match", "failed flags match", "failed data match", "failed perms check" }; /* * Returns 0 on success else element that match failed in, this is the * index into the mnt_info_table above */ static int do_match_mnt(struct aa_policydb *policy, aa_state_t start, const char *mntpnt, const char *devname, const char *type, unsigned long flags, void *data, bool binary, struct aa_perms *perms) { aa_state_t state; AA_BUG(!policy); AA_BUG(!policy->dfa); AA_BUG(!policy->perms); AA_BUG(!perms); state = aa_dfa_match(policy->dfa, start, mntpnt); state = aa_dfa_null_transition(policy->dfa, state); if (!state) return 1; if (devname) state = aa_dfa_match(policy->dfa, state, devname); state = aa_dfa_null_transition(policy->dfa, state); if (!state) return 2; if (type) state = aa_dfa_match(policy->dfa, state, type); state = aa_dfa_null_transition(policy->dfa, state); if (!state) return 3; state = match_mnt_flags(policy->dfa, state, flags); if (!state) return 4; *perms = *aa_lookup_perms(policy, state); if (perms->allow & AA_MAY_MOUNT) return 0; /* only match data if not binary and the DFA flags data is expected */ if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) { state = aa_dfa_null_transition(policy->dfa, state); if (!state) return 4; state = aa_dfa_match(policy->dfa, state, data); if (!state) return 5; *perms = *aa_lookup_perms(policy, state); if (perms->allow & AA_MAY_MOUNT) return 0; } /* failed at perms check, don't confuse with flags match */ return 6; } static int path_flags(struct aa_profile *profile, const struct path *path) { AA_BUG(!profile); AA_BUG(!path); return profile->path_flags | (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0); } /** * match_mnt_path_str - handle path matching for mount * @subj_cred: cred of confined subject * @profile: the confining profile * @mntpath: for the mntpnt (NOT NULL) * @buffer: buffer to be used to lookup mntpath * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR) * @type: string for the dev type (MAYBE NULL) * @flags: mount flags to match * @data: fs mount data (MAYBE NULL) * @binary: whether @data is binary * @devinfo: error str if (IS_ERR(@devname)) * * Returns: 0 on success else error */ static int match_mnt_path_str(const struct cred *subj_cred, struct aa_profile *profile, const struct path *mntpath, char *buffer, const char *devname, const char *type, unsigned long flags, void *data, bool binary, const char *devinfo) { struct aa_perms perms = { }; const char *mntpnt = NULL, *info = NULL; struct aa_ruleset *rules = list_first_entry(&profile->rules, typeof(*rules), list); int pos, error; AA_BUG(!profile); AA_BUG(!mntpath); AA_BUG(!buffer); if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) return 0; error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer, &mntpnt, &info, profile->disconnected); if (error) goto audit; if (IS_ERR(devname)) { error = PTR_ERR(devname); devname = NULL; info = devinfo; goto audit; } error = -EACCES; pos = do_match_mnt(rules->policy, rules->policy->start[AA_CLASS_MOUNT], mntpnt, devname, type, flags, data, binary, &perms); if (pos) { info = mnt_info_table[pos]; goto audit; } error = 0; audit: return audit_mount(subj_cred, profile, OP_MOUNT, mntpnt, devname, type, NULL, flags, data, AA_MAY_MOUNT, &perms, info, error); } /** * match_mnt - handle path matching for mount * @subj_cred: cred of the subject * @profile: the confining profile * @path: for the mntpnt (NOT NULL) * @buffer: buffer to be used to lookup mntpath * @devpath: path devname/src_name (MAYBE NULL) * @devbuffer: buffer to be used to lookup devname/src_name * @type: string for the dev type (MAYBE NULL) * @flags: mount flags to match * @data: fs mount data (MAYBE NULL) * @binary: whether @data is binary * * Returns: 0 on success else error */ static int match_mnt(const struct cred *subj_cred, struct aa_profile *profile, const struct path *path, char *buffer, const struct path *devpath, char *devbuffer, const char *type, unsigned long flags, void *data, bool binary) { const char *devname = NULL, *info = NULL; struct aa_ruleset *rules = list_first_entry(&profile->rules, typeof(*rules), list); int error = -EACCES; AA_BUG(!profile); AA_BUG(devpath && !devbuffer); if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) return 0; if (devpath) { error = aa_path_name(devpath, path_flags(profile, devpath), devbuffer, &devname, &info, profile->disconnected); if (error) devname = ERR_PTR(error); } return match_mnt_path_str(subj_cred, profile, path, buffer, devname, type, flags, data, binary, info); } int aa_remount(const struct cred *subj_cred, struct aa_label *label, const struct path *path, unsigned long flags, void *data) { struct aa_profile *profile; char *buffer = NULL; bool binary; int error; AA_BUG(!label); AA_BUG(!path); binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA; buffer = aa_get_buffer(false); if (!buffer) return -ENOMEM; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, path, buffer, NULL, NULL, NULL, flags, data, binary)); aa_put_buffer(buffer); return error; } int aa_bind_mount(const struct cred *subj_cred, struct aa_label *label, const struct path *path, const char *dev_name, unsigned long flags) { struct aa_profile *profile; char *buffer = NULL, *old_buffer = NULL; struct path old_path; int error; AA_BUG(!label); AA_BUG(!path); if (!dev_name || !*dev_name) return -EINVAL; flags &= MS_REC | MS_BIND; error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path); if (error) return error; buffer = aa_get_buffer(false); old_buffer = aa_get_buffer(false); error = -ENOMEM; if (!buffer || !old_buffer) goto out; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, path, buffer, &old_path, old_buffer, NULL, flags, NULL, false)); out: aa_put_buffer(buffer); aa_put_buffer(old_buffer); path_put(&old_path); return error; } int aa_mount_change_type(const struct cred *subj_cred, struct aa_label *label, const struct path *path, unsigned long flags) { struct aa_profile *profile; char *buffer = NULL; int error; AA_BUG(!label); AA_BUG(!path); /* These are the flags allowed by do_change_type() */ flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE | MS_UNBINDABLE); buffer = aa_get_buffer(false); if (!buffer) return -ENOMEM; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, path, buffer, NULL, NULL, NULL, flags, NULL, false)); aa_put_buffer(buffer); return error; } int aa_move_mount(const struct cred *subj_cred, struct aa_label *label, const struct path *from_path, const struct path *to_path) { struct aa_profile *profile; char *to_buffer = NULL, *from_buffer = NULL; int error; AA_BUG(!label); AA_BUG(!from_path); AA_BUG(!to_path); to_buffer = aa_get_buffer(false); from_buffer = aa_get_buffer(false); error = -ENOMEM; if (!to_buffer || !from_buffer) goto out; if (!our_mnt(from_path->mnt)) /* moving a mount detached from the namespace */ from_path = NULL; error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, to_path, to_buffer, from_path, from_buffer, NULL, MS_MOVE, NULL, false)); out: aa_put_buffer(to_buffer); aa_put_buffer(from_buffer); return error; } int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label, const struct path *path, const char *orig_name) { struct path old_path; int error; if (!orig_name || !*orig_name) return -EINVAL; error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path); if (error) return error; error = aa_move_mount(subj_cred, label, &old_path, path); path_put(&old_path); return error; } int aa_new_mount(const struct cred *subj_cred, struct aa_label *label, const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data) { struct aa_profile *profile; char *buffer = NULL, *dev_buffer = NULL; bool binary = true; int error; int requires_dev = 0; struct path tmp_path, *dev_path = NULL; AA_BUG(!label); AA_BUG(!path); if (type) { struct file_system_type *fstype; fstype = get_fs_type(type); if (!fstype) return -ENODEV; binary = fstype->fs_flags & FS_BINARY_MOUNTDATA; requires_dev = fstype->fs_flags & FS_REQUIRES_DEV; put_filesystem(fstype); if (requires_dev) { if (!dev_name || !*dev_name) return -ENOENT; error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path); if (error) return error; dev_path = &tmp_path; } } buffer = aa_get_buffer(false); if (!buffer) { error = -ENOMEM; goto out; } if (dev_path) { dev_buffer = aa_get_buffer(false); if (!dev_buffer) { error = -ENOMEM; goto out; } error = fn_for_each_confined(label, profile, match_mnt(subj_cred, profile, path, buffer, dev_path, dev_buffer, type, flags, data, binary)); } else { error = fn_for_each_confined(label, profile, match_mnt_path_str(subj_cred, profile, path, buffer, dev_name, type, flags, data, binary, NULL)); } out: aa_put_buffer(buffer); aa_put_buffer(dev_buffer); if (dev_path) path_put(dev_path); return error; } static int profile_umount(const struct cred *subj_cred, struct aa_profile *profile, const struct path *path, char *buffer) { struct aa_ruleset *rules = list_first_entry(&profile->rules, typeof(*rules), list); struct aa_perms perms = { }; const char *name = NULL, *info = NULL; aa_state_t state; int error; AA_BUG(!profile); AA_BUG(!path); if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT)) return 0; error = aa_path_name(path, path_flags(profile, path), buffer, &name, &info, profile->disconnected); if (error) goto audit; state = aa_dfa_match(rules->policy->dfa, rules->policy->start[AA_CLASS_MOUNT], name); perms = *aa_lookup_perms(rules->policy, state); if (AA_MAY_UMOUNT & ~perms.allow) error = -EACCES; audit: return audit_mount(subj_cred, profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL, AA_MAY_UMOUNT, &perms, info, error); } int aa_umount(const struct cred *subj_cred, struct aa_label *label, struct vfsmount *mnt, int flags) { struct aa_profile *profile; char *buffer = NULL; int error; struct path path = { .mnt = mnt, .dentry = mnt->mnt_root }; AA_BUG(!label); AA_BUG(!mnt); buffer = aa_get_buffer(false); if (!buffer) return -ENOMEM; error = fn_for_each_confined(label, profile, profile_umount(subj_cred, profile, &path, buffer)); aa_put_buffer(buffer); return error; } /* helper fn for transition on pivotroot * * Returns: label for transition or ERR_PTR. Does not return NULL */ static struct aa_label *build_pivotroot(const struct cred *subj_cred, struct aa_profile *profile, const struct path *new_path, char *new_buffer, const struct path *old_path, char *old_buffer) { struct aa_ruleset *rules = list_first_entry(&profile->rules, typeof(*rules), list); const char *old_name, *new_name = NULL, *info = NULL; const char *trans_name = NULL; struct aa_perms perms = { }; aa_state_t state; int error; AA_BUG(!profile); AA_BUG(!new_path); AA_BUG(!old_path); if (profile_unconfined(profile) || !RULE_MEDIATES(rules, AA_CLASS_MOUNT)) return aa_get_newest_label(&profile->label); error = aa_path_name(old_path, path_flags(profile, old_path), old_buffer, &old_name, &info, profile->disconnected); if (error) goto audit; error = aa_path_name(new_path, path_flags(profile, new_path), new_buffer, &new_name, &info, profile->disconnected); if (error) goto audit; error = -EACCES; state = aa_dfa_match(rules->policy->dfa, rules->policy->start[AA_CLASS_MOUNT], new_name); state = aa_dfa_null_transition(rules->policy->dfa, state); state = aa_dfa_match(rules->policy->dfa, state, old_name); perms = *aa_lookup_perms(rules->policy, state); if (AA_MAY_PIVOTROOT & perms.allow) error = 0; audit: error = audit_mount(subj_cred, profile, OP_PIVOTROOT, new_name, old_name, NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT, &perms, info, error); if (error) return ERR_PTR(error); return aa_get_newest_label(&profile->label); } int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label, const struct path *old_path, const struct path *new_path) { struct aa_profile *profile; struct aa_label *target = NULL; char *old_buffer = NULL, *new_buffer = NULL, *info = NULL; int error; AA_BUG(!label); AA_BUG(!old_path); AA_BUG(!new_path); old_buffer = aa_get_buffer(false); new_buffer = aa_get_buffer(false); error = -ENOMEM; if (!old_buffer || !new_buffer) goto out; target = fn_label_build(label, profile, GFP_KERNEL, build_pivotroot(subj_cred, profile, new_path, new_buffer, old_path, old_buffer)); if (!target) { info = "label build failed"; error = -ENOMEM; goto fail; } else if (!IS_ERR(target)) { error = aa_replace_current_label(target); if (error) { /* TODO: audit target */ aa_put_label(target); goto out; } aa_put_label(target); } else /* already audited error */ error = PTR_ERR(target); out: aa_put_buffer(old_buffer); aa_put_buffer(new_buffer); return error; fail: /* TODO: add back in auditing of new_name and old_name */ error = fn_for_each(label, profile, audit_mount(subj_cred, profile, OP_PIVOTROOT, NULL /*new_name */, NULL /* old_name */, NULL, NULL, 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info, error)); goto out; }
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.
Created with Cregit http://github.com/cregit/cregit
Version 2.0-RC1