2
* Copyright (C) 2002-2005 Novell/SUSE
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation, version 2 of the
9
* http://forge.novell.com/modules/xfmod/project/?apparmor
11
* Immunix AppArmor LSM interface
14
#include <linux/security.h>
15
#include <linux/module.h>
17
#include <linux/mman.h>
22
/* struct subdomain write update lock (read side is RCU). */
23
spinlock_t sd_lock = SPIN_LOCK_UNLOCKED;
25
/* point to the apparmor module */
26
struct module *aa_module = NULL;
28
/* secondary ops if apparmor is stacked */
29
static struct security_operations *aa_secondary_ops = NULL;
30
static DEFINE_MUTEX(aa_secondary_lock);
33
#define AA_SECONDARY(ERROR, FN, ARGS...) \
35
struct security_operations *__f1; \
37
__f1 = rcu_dereference(aa_secondary_ops); \
39
(!(ERROR) && unlikely(__f1) && __f1->FN) ? __f1->FN(ARGS) : (ERROR); \
42
#define AA_SECONDARY(ERROR, FN, ARGS...) \
44
struct security_operations *__f1; \
47
__f1 = rcu_dereference(aa_secondary_ops); \
48
if (unlikely(__f1) && __f1->FN) \
49
(ERROR) = __f1->FN(ARGS); \
56
/* Flag values, also controllable via apparmorfs/control.
57
* We explicitly do not allow these to be modifiable when exported via
58
* /sys/modules/parameters, as we want to do additional mediation and
59
* don't want to add special path code. */
61
/* Complain mode -- in complain mode access failures result in auditing only
62
* and task is allowed access. audit events are processed by userspace to
63
* generate policy. Default is 'enforce' (0).
64
* Value is also togglable per profile and referenced when global value is
67
int apparmor_complain = 0;
68
module_param_named(complain, apparmor_complain, int, S_IRUSR);
69
MODULE_PARM_DESC(apparmor_complain, "Toggle AppArmor complain mode");
72
int apparmor_debug = 0;
73
module_param_named(debug, apparmor_debug, int, S_IRUSR);
74
MODULE_PARM_DESC(apparmor_debug, "Toggle AppArmor debug mode");
77
int apparmor_audit = 0;
78
module_param_named(audit, apparmor_audit, int, S_IRUSR);
79
MODULE_PARM_DESC(apparmor_audit, "Toggle AppArmor audit mode");
81
/* Syscall logging mode */
82
int apparmor_logsyscall = 0;
83
module_param_named(logsyscall, apparmor_logsyscall, int, S_IRUSR);
84
MODULE_PARM_DESC(apparmor_logsyscall, "Toggle AppArmor logsyscall mode");
87
static int __init aa_getopt_complain(char *str)
89
get_option(&str, &apparmor_complain);
92
__setup("apparmor_complain=", aa_getopt_complain);
94
static int __init aa_getopt_debug(char *str)
96
get_option(&str, &apparmor_debug);
99
__setup("apparmor_debug=", aa_getopt_debug);
101
static int __init aa_getopt_audit(char *str)
103
get_option(&str, &apparmor_audit);
106
__setup("apparmor_audit=", aa_getopt_audit);
108
static int __init aa_getopt_logsyscall(char *str)
110
get_option(&str, &apparmor_logsyscall);
113
__setup("apparmor_logsyscall=", aa_getopt_logsyscall);
116
static int apparmor_ptrace(struct task_struct *parent,
117
struct task_struct *child)
120
struct aaprofile *active;
122
error = cap_ptrace(parent, child);
124
active = get_task_active_aaprofile(parent);
126
if (!error && active)
127
error = aa_audit_syscallreject(active, GFP_ATOMIC,
130
put_aaprofile(active);
135
static int apparmor_capget(struct task_struct *target,
136
kernel_cap_t *effective,
137
kernel_cap_t *inheritable,
138
kernel_cap_t *permitted)
140
return cap_capget(target, effective, inheritable, permitted);
143
static int apparmor_capset_check(struct task_struct *target,
144
kernel_cap_t *effective,
145
kernel_cap_t *inheritable,
146
kernel_cap_t *permitted)
148
return cap_capset_check(target, effective, inheritable, permitted);
151
static void apparmor_capset_set(struct task_struct *target,
152
kernel_cap_t *effective,
153
kernel_cap_t *inheritable,
154
kernel_cap_t *permitted)
156
cap_capset_set(target, effective, inheritable, permitted);
160
static int apparmor_capable(struct task_struct *tsk, int cap)
164
/* cap_capable returns 0 on success, else -EPERM */
165
error = cap_capable(tsk, cap);
168
struct aaprofile *active;
170
active = get_task_active_aaprofile(tsk);
173
error = aa_capability(active, cap);
175
put_aaprofile(active);
181
static int apparmor_sysctl(struct ctl_table *table, int op)
184
struct aaprofile *active;
186
active = get_active_aaprofile();
188
if ((op & 002) && active && !capable(CAP_SYS_ADMIN))
189
error = aa_audit_syscallreject(active, GFP_ATOMIC,
190
AA_SYSCALL_SYSCTL_WRITE);
192
put_aaprofile(active);
197
static int apparmor_syslog(int type)
199
return cap_syslog(type);
202
static int apparmor_netlink_send(struct sock *sk, struct sk_buff *skb)
204
return cap_netlink_send(sk, skb);
207
static int apparmor_netlink_recv(struct sk_buff *skb, int cap)
209
return cap_netlink_recv(skb, cap);
212
static void apparmor_bprm_apply_creds(struct linux_binprm *bprm, int unsafe)
214
cap_bprm_apply_creds(bprm, unsafe);
218
static int apparmor_bprm_set_security(struct linux_binprm *bprm)
220
/* handle capability bits with setuid, etc */
221
cap_bprm_set_security(bprm);
222
/* already set based on script name */
225
return aa_register(bprm);
228
static int apparmor_bprm_secureexec(struct linux_binprm *bprm)
230
int ret = cap_bprm_secureexec(bprm);
233
(unsigned long)bprm->security & AA_SECURE_EXEC_NEEDED) {
234
AA_DEBUG("%s: secureexec required for %s\n",
235
__FUNCTION__, bprm->filename);
242
static int apparmor_sb_mount(char *dev_name, struct nameidata *nd, char *type,
243
unsigned long flags, void *data)
246
struct aaprofile *active;
248
active = get_active_aaprofile();
251
error = aa_audit_syscallreject(active, GFP_ATOMIC,
254
put_aaprofile(active);
259
static int apparmor_umount(struct vfsmount *mnt, int flags)
262
struct aaprofile *active;
264
active = get_active_aaprofile();
267
error = aa_audit_syscallreject(active, GFP_ATOMIC,
270
put_aaprofile(active);
275
static int apparmor_inode_mkdir(struct inode *inode, struct dentry *dentry,
278
struct aaprofile *active;
281
active = get_active_aaprofile();
284
error = aa_perm_dir(active, dentry, aa_dir_mkdir);
286
put_aaprofile(active);
291
static int apparmor_inode_rmdir(struct inode *inode, struct dentry *dentry)
293
struct aaprofile *active;
296
active = get_active_aaprofile();
299
error = aa_perm_dir(active, dentry, aa_dir_rmdir);
301
put_aaprofile(active);
306
static int apparmor_inode_create(struct inode *inode, struct dentry *dentry,
309
struct aaprofile *active;
312
active = get_active_aaprofile();
314
/* At a minimum, need write perm to create */
316
error = aa_perm_dentry(active, dentry, MAY_WRITE);
318
put_aaprofile(active);
323
static int apparmor_inode_link(struct dentry *old_dentry, struct inode *inode,
324
struct dentry *new_dentry)
327
struct aaprofile *active;
329
active = get_active_aaprofile();
332
error = aa_link(active, new_dentry, old_dentry);
334
put_aaprofile(active);
339
static int apparmor_inode_unlink(struct inode *inode, struct dentry *dentry)
341
struct aaprofile *active;
344
active = get_active_aaprofile();
347
error = aa_perm_dentry(active, dentry, MAY_WRITE);
349
put_aaprofile(active);
354
static int apparmor_inode_symlink(struct inode *dir, struct dentry *dentry,
355
const char *old_name)
357
struct aaprofile *active;
360
active = get_active_aaprofile();
363
error = aa_perm_dentry(active, dentry, MAY_WRITE);
365
put_aaprofile(active);
370
static int apparmor_inode_mknod(struct inode *inode, struct dentry *dentry,
373
struct aaprofile *active;
376
active = get_active_aaprofile();
379
error = aa_perm_dentry(active, dentry, MAY_WRITE);
381
put_aaprofile(active);
386
static int apparmor_inode_rename(struct inode *old_inode,
387
struct dentry *old_dentry,
388
struct inode *new_inode,
389
struct dentry *new_dentry)
391
struct aaprofile *active;
394
active = get_active_aaprofile();
397
error = aa_perm_dentry(active, old_dentry, MAY_READ |
401
error = aa_perm_dentry(active, new_dentry,
405
put_aaprofile(active);
410
static int apparmor_inode_permission(struct inode *inode, int mask,
411
struct nameidata *nd)
415
/* Do not perform check on pipes or sockets
416
* Same as apparmor_file_permission
418
if (mediated_filesystem(inode)) {
419
struct aaprofile *active;
421
active = get_active_aaprofile();
423
error = aa_perm_nameidata(active, nd, mask);
424
put_aaprofile(active);
427
error = AA_SECONDARY(error, inode_permission, inode, mask, nd);
432
static int apparmor_inode_setattr(struct dentry *dentry, struct iattr *iattr)
436
if (mediated_filesystem(dentry->d_inode)) {
437
struct aaprofile *active;
439
active = get_active_aaprofile();
441
* Mediate any attempt to change attributes of a file
442
* (chmod, chown, chgrp, etc)
445
error = aa_attr(active, dentry, iattr);
447
put_aaprofile(active);
453
static int apparmor_inode_setxattr(struct dentry *dentry, char *name,
454
void *value, size_t size, int flags)
458
if (mediated_filesystem(dentry->d_inode)) {
459
struct aaprofile *active;
461
active = get_active_aaprofile();
463
error = aa_xattr(active, dentry, name, aa_xattr_set);
464
put_aaprofile(active);
470
static int apparmor_inode_getxattr(struct dentry *dentry, char *name)
474
if (mediated_filesystem(dentry->d_inode)) {
475
struct aaprofile *active;
477
active = get_active_aaprofile();
479
error = aa_xattr(active, dentry, name, aa_xattr_get);
480
put_aaprofile(active);
485
static int apparmor_inode_listxattr(struct dentry *dentry)
489
if (mediated_filesystem(dentry->d_inode)) {
490
struct aaprofile *active;
492
active = get_active_aaprofile();
494
error = aa_xattr(active, dentry, NULL, aa_xattr_list);
495
put_aaprofile(active);
501
static int apparmor_inode_removexattr(struct dentry *dentry, char *name)
505
if (mediated_filesystem(dentry->d_inode)) {
506
struct aaprofile *active;
508
active = get_active_aaprofile();
510
error = aa_xattr(active, dentry, name,
512
put_aaprofile(active);
518
static int apparmor_file_permission(struct file *file, int mask)
520
struct aaprofile *active;
524
aaf = (struct aafile *)file->f_security;
525
/* bail out early if this isn't a mediated file */
526
if (!aaf || !mediated_filesystem(file->f_dentry->d_inode))
529
active = get_active_aaprofile();
530
if (active && aaf->profile != active)
531
error = aa_perm(active, file->f_dentry, file->f_vfsmnt,
532
mask & (MAY_EXEC | MAY_WRITE | MAY_READ), 1);
533
put_aaprofile(active);
539
static int apparmor_file_alloc_security(struct file *file)
541
struct aaprofile *active;
544
active = get_active_aaprofile();
547
aaf = kmalloc(sizeof(struct aafile), GFP_KERNEL);
550
aaf->type = aa_file_default;
551
aaf->profile = get_aaprofile(active);
555
file->f_security = aaf;
557
put_aaprofile(active);
562
static void apparmor_file_free_security(struct file *file)
564
struct aafile *aaf = (struct aafile *)file->f_security;
567
put_aaprofile(aaf->profile);
572
static inline int aa_mmap(struct file *file, unsigned long prot,
575
int error = 0, mask = 0;
576
struct aaprofile *active;
579
active = get_active_aaprofile();
580
if (!active || !file ||
581
!(aaf = (struct aafile *)file->f_security) ||
582
aaf->type == aa_file_shmem)
585
if (prot & PROT_READ)
588
/* Private mappings don't require write perms since they don't
589
* write back to the files */
590
if (prot & PROT_WRITE && !(flags & MAP_PRIVATE))
592
if (prot & PROT_EXEC)
593
mask |= AA_EXEC_MMAP;
595
AA_DEBUG("%s: 0x%x\n", __FUNCTION__, mask);
598
error = aa_perm(active, file->f_dentry, file->f_vfsmnt, mask,
601
put_aaprofile(active);
607
static int apparmor_file_mmap(struct file *file, unsigned long reqprot,
608
unsigned long prot, unsigned long flags)
610
return aa_mmap(file, prot, flags);
613
static int apparmor_file_mprotect(struct vm_area_struct *vma,
614
unsigned long reqprot, unsigned long prot)
616
return aa_mmap(vma->vm_file, prot,
617
!(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0);
620
static int apparmor_task_alloc_security(struct task_struct *p)
625
static void apparmor_task_free_security(struct task_struct *p)
630
static int apparmor_task_post_setuid(uid_t id0, uid_t id1, uid_t id2,
633
return cap_task_post_setuid(id0, id1, id2, flags);
636
static void apparmor_task_reparent_to_init(struct task_struct *p)
638
cap_task_reparent_to_init(p);
642
static int apparmor_shm_shmat(struct shmid_kernel *shp, char __user *shmaddr,
645
struct aafile *aaf = (struct aafile *)shp->shm_file->f_security;
648
aaf->type = aa_file_shmem;
653
static int apparmor_getprocattr(struct task_struct *p, char *name, char **value)
657
struct aaprofile *active;
659
/* AppArmor only supports the "current" process attribute */
660
if (strcmp(name, "current") != 0) {
665
/* must be task querying itself or admin */
666
if (current != p && !capable(CAP_SYS_ADMIN)) {
671
active = get_task_active_aaprofile(p);
672
error = aa_getprocattr(active, value, &len);
673
put_aaprofile(active);
681
static int apparmor_setprocattr(struct task_struct *p, char *name, void *value,
684
const char *cmd_changehat = "changehat ",
685
*cmd_setprofile = "setprofile ";
687
int error = -EACCES; /* default to a perm denied */
688
char *cmd = (char *)value;
690
/* only support messages to current */
691
if (strcmp(name, "current") != 0) {
701
/* CHANGE HAT -- switch task into a subhat (subprofile) if defined */
702
if (size > strlen(cmd_changehat) &&
703
strncmp(cmd, cmd_changehat, strlen(cmd_changehat)) == 0) {
704
char *hatinfo = cmd + strlen(cmd_changehat);
705
size_t infosize = size - strlen(cmd_changehat);
707
/* Only the current process may change it's hat */
709
AA_WARN("%s: Attempt by foreign task %s(%d) "
710
"[user %d] to changehat of task %s(%d)\n",
722
error = aa_setprocattr_changehat(hatinfo, infosize);
724
/* success, set return to #bytes in orig request */
727
/* SET NEW PROFILE */
728
} else if (size > strlen(cmd_setprofile) &&
729
strncmp(cmd, cmd_setprofile, strlen(cmd_setprofile)) == 0) {
730
struct aaprofile *active;
732
/* only an unconfined process with admin capabilities
733
* may change the profile of another task
736
if (!capable(CAP_SYS_ADMIN)) {
737
AA_WARN("%s: Unprivileged attempt by task %s(%d) "
738
"[user %d] to assign profile to task %s(%d)\n",
749
active = get_active_aaprofile();
751
char *profile = cmd + strlen(cmd_setprofile);
752
size_t profilesize = size - strlen(cmd_setprofile);
754
error = aa_setprocattr_setprofile(p, profile, profilesize);
757
* set return to #bytes in orig request
761
AA_WARN("%s: Attempt by confined task %s(%d) "
762
"[user %d] to assign profile to task %s(%d)\n",
772
put_aaprofile(active);
774
/* unknown operation */
775
AA_WARN("%s: Unknown setprocattr command '%.*s' by task %s(%d) "
776
"[user %d] for task %s(%d)\n",
778
size < 16 ? (int)size : 16,
793
int apparmor_register_subsecurity(const char *name,
794
struct security_operations *ops)
798
if (mutex_lock_interruptible(&aa_secondary_lock))
801
/* allow dazuko and capability to stack. The stacking with
802
* capability is fake however in that non of capabilities hooks
803
* get called, since apparmor already composes capability using
806
if (!aa_secondary_ops && (strcmp(name, "dazuko") == 0 ||
807
strcmp(name, "capability") == 0)){
808
/* The apparmor module needs to be pinned while a secondary is
811
if (try_module_get(aa_module)) {
812
aa_secondary_ops = ops;
813
AA_INFO("Registered secondary security module: %s.\n",
819
AA_WARN("Unable to register %s as a secondary security "
823
mutex_unlock(&aa_secondary_lock);
827
int apparmor_unregister_subsecurity(const char *name,
828
struct security_operations *ops)
832
if (mutex_lock_interruptible(&aa_secondary_lock))
835
if (aa_secondary_ops && aa_secondary_ops == ops) {
836
rcu_assign_pointer(aa_secondary_ops, NULL);
838
module_put(aa_module);
839
AA_INFO("Unregistered secondary security module: %s\n", name);
841
AA_WARN("Unable to unregister secondary security module %s\n",
845
mutex_unlock(&aa_secondary_lock);
849
struct security_operations apparmor_ops = {
850
.ptrace = apparmor_ptrace,
851
.capget = apparmor_capget,
852
.capset_check = apparmor_capset_check,
853
.capset_set = apparmor_capset_set,
854
.sysctl = apparmor_sysctl,
855
.capable = apparmor_capable,
856
.syslog = apparmor_syslog,
858
.netlink_send = apparmor_netlink_send,
859
.netlink_recv = apparmor_netlink_recv,
861
.bprm_apply_creds = apparmor_bprm_apply_creds,
862
.bprm_set_security = apparmor_bprm_set_security,
863
.bprm_secureexec = apparmor_bprm_secureexec,
865
.sb_mount = apparmor_sb_mount,
866
.sb_umount = apparmor_umount,
868
.inode_mkdir = apparmor_inode_mkdir,
869
.inode_rmdir = apparmor_inode_rmdir,
870
.inode_create = apparmor_inode_create,
871
.inode_link = apparmor_inode_link,
872
.inode_unlink = apparmor_inode_unlink,
873
.inode_symlink = apparmor_inode_symlink,
874
.inode_mknod = apparmor_inode_mknod,
875
.inode_rename = apparmor_inode_rename,
876
.inode_permission = apparmor_inode_permission,
877
.inode_setattr = apparmor_inode_setattr,
878
.inode_setxattr = apparmor_inode_setxattr,
879
.inode_getxattr = apparmor_inode_getxattr,
880
.inode_listxattr = apparmor_inode_listxattr,
881
.inode_removexattr = apparmor_inode_removexattr,
882
.file_permission = apparmor_file_permission,
883
.file_alloc_security = apparmor_file_alloc_security,
884
.file_free_security = apparmor_file_free_security,
885
.file_mmap = apparmor_file_mmap,
886
.file_mprotect = apparmor_file_mprotect,
888
.task_alloc_security = apparmor_task_alloc_security,
889
.task_free_security = apparmor_task_free_security,
890
.task_post_setuid = apparmor_task_post_setuid,
891
.task_reparent_to_init = apparmor_task_reparent_to_init,
893
.shm_shmat = apparmor_shm_shmat,
895
.getprocattr = apparmor_getprocattr,
896
.setprocattr = apparmor_setprocattr,
898
.register_security = apparmor_register_subsecurity,
899
.unregister_security = apparmor_unregister_subsecurity,
902
static int __init apparmor_init(void)
905
const char *complainmsg = ": complainmode enabled";
907
if ((error = create_apparmorfs())) {
908
AA_ERROR("Unable to activate AppArmor filesystem\n");
912
if ((error = alloc_null_complain_profile())){
913
AA_ERROR("Unable to allocate null complain profile\n");
917
if ((error = register_security(&apparmor_ops))) {
918
AA_ERROR("Unable to load AppArmor\n");
919
goto register_security_out;
922
AA_INFO("AppArmor initialized%s\n",
923
apparmor_complain ? complainmsg : "");
924
aa_audit_message(NULL, GFP_KERNEL, 0,
925
"AppArmor initialized%s\n",
926
apparmor_complain ? complainmsg : "");
928
aa_module = THIS_MODULE;
932
register_security_out:
933
free_null_complain_profile();
936
(void)destroy_apparmorfs();
943
static int apparmor_exit_removeall_iter(struct subdomain *sd, void *cookie)
945
/* spin_lock(&sd_lock) held here */
947
if (__aa_is_confined(sd)) {
948
AA_DEBUG("%s: Dropping profiles %s(%d) "
949
"profile %s(%p) active %s(%p)\n",
951
sd->task->comm, sd->task->pid,
952
BASE_PROFILE(sd->active)->name,
953
BASE_PROFILE(sd->active),
954
sd->active->name, sd->active);
955
aa_switch_unconfined(sd);
961
static void __exit apparmor_exit(void)
965
/* Remove profiles from the global profile list.
966
* This is just for tidyness as there is no way to reference this
967
* list once the AppArmor lsm hooks are detached (below)
969
aa_profilelist_release();
971
/* Remove profiles from active tasks
972
* If this is not done, if module is reloaded after being removed,
973
* old profiles (still refcounted in memory) will become 'magically'
977
spin_lock_irqsave(&sd_lock, flags);
978
aa_subdomainlist_iterate(apparmor_exit_removeall_iter, NULL);
979
spin_unlock_irqrestore(&sd_lock, flags);
981
/* Free up list of active subdomain */
982
aa_subdomainlist_release();
984
free_null_complain_profile();
986
destroy_apparmorfs();
988
if (unregister_security(&apparmor_ops))
989
AA_WARN("Unable to properly unregister AppArmor\n");
991
/* delay for an rcu cycle to make ensure that profiles pending
992
* destruction in the rcu callback are freed.
996
AA_INFO("AppArmor protection removed\n");
997
aa_audit_message(NULL, GFP_KERNEL, 0,
998
"AppArmor protection removed\n");
1001
module_init(apparmor_init);
1002
module_exit(apparmor_exit);
1004
MODULE_VERSION(APPARMOR_VERSION);
1005
MODULE_DESCRIPTION("AppArmor process confinement");
1006
MODULE_AUTHOR("Tony Jones <tonyj@suse.de>");
1007
MODULE_LICENSE("GPL");