2
* AppArmor security module
4
* This file contains AppArmor /sys/kernel/security/apparmor interface functions
6
* Copyright (C) 1998-2008 Novell/SUSE
7
* Copyright 2009-2010 Canonical Ltd.
9
* This program is free software; you can redistribute it and/or
10
* modify it under the terms of the GNU General Public License as
11
* published by the Free Software Foundation, version 2 of the
15
#include <linux/security.h>
16
#include <linux/vmalloc.h>
17
#include <linux/module.h>
18
#include <linux/seq_file.h>
19
#include <linux/uaccess.h>
20
#include <linux/namei.h>
22
#include "include/apparmor.h"
23
#include "include/apparmorfs.h"
24
#include "include/audit.h"
25
#include "include/context.h"
26
#include "include/policy.h"
29
* aa_simple_write_to_buffer - common routine for getting policy from user
30
* @op: operation doing the user buffer copy
31
* @userbuf: user buffer to copy data from (NOT NULL)
32
* @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
33
* @copy_size: size of data to copy from user buffer
34
* @pos: position write is at in the file (NOT NULL)
36
* Returns: kernel buffer containing copy of user buffer data or an
39
static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
40
size_t alloc_size, size_t copy_size,
45
BUG_ON(copy_size > alloc_size);
48
/* only writes from pos 0, that is complete writes */
49
return ERR_PTR(-ESPIPE);
52
* Don't allow profile load/replace/remove from profiles that don't
55
if (!aa_may_manage_policy(op))
56
return ERR_PTR(-EACCES);
58
/* freed by caller to simple_write_to_buffer */
59
data = kvmalloc(alloc_size);
61
return ERR_PTR(-ENOMEM);
63
if (copy_from_user(data, userbuf, copy_size)) {
65
return ERR_PTR(-EFAULT);
72
/* .load file hook fn to load policy */
73
static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
79
data = aa_simple_write_to_buffer(OP_PROF_LOAD, buf, size, size, pos);
81
error = PTR_ERR(data);
83
error = aa_replace_profiles(data, size, PROF_ADD);
90
static const struct file_operations aa_fs_profile_load = {
91
.write = profile_load,
92
.llseek = default_llseek,
95
/* .replace file hook fn to load and/or replace policy */
96
static ssize_t profile_replace(struct file *f, const char __user *buf,
97
size_t size, loff_t *pos)
102
data = aa_simple_write_to_buffer(OP_PROF_REPL, buf, size, size, pos);
103
error = PTR_ERR(data);
105
error = aa_replace_profiles(data, size, PROF_REPLACE);
112
static const struct file_operations aa_fs_profile_replace = {
113
.write = profile_replace,
114
.llseek = default_llseek,
117
/* .remove file hook fn to remove loaded policy */
118
static ssize_t profile_remove(struct file *f, const char __user *buf,
119
size_t size, loff_t *pos)
125
* aa_remove_profile needs a null terminated string so 1 extra
126
* byte is allocated and the copied data is null terminated.
128
data = aa_simple_write_to_buffer(OP_PROF_RM, buf, size + 1, size, pos);
130
error = PTR_ERR(data);
133
error = aa_remove_profiles(data, size);
140
static const struct file_operations aa_fs_profile_remove = {
141
.write = profile_remove,
142
.llseek = default_llseek,
145
/** Base file system setup **/
147
static struct dentry *aa_fs_dentry __initdata;
149
static void __init aafs_remove(const char *name)
151
struct dentry *dentry;
153
dentry = lookup_one_len(name, aa_fs_dentry, strlen(name));
154
if (!IS_ERR(dentry)) {
155
securityfs_remove(dentry);
161
* aafs_create - create an entry in the apparmor filesystem
162
* @name: name of the entry (NOT NULL)
163
* @mask: file permission mask of the file
164
* @fops: file operations for the file (NOT NULL)
166
* Used aafs_remove to remove entries created with this fn.
168
static int __init aafs_create(const char *name, int mask,
169
const struct file_operations *fops)
171
struct dentry *dentry;
173
dentry = securityfs_create_file(name, S_IFREG | mask, aa_fs_dentry,
176
return IS_ERR(dentry) ? PTR_ERR(dentry) : 0;
180
* aa_destroy_aafs - cleanup and free aafs
182
* releases dentries allocated by aa_create_aafs
184
void __init aa_destroy_aafs(void)
187
aafs_remove(".remove");
188
aafs_remove(".replace");
189
aafs_remove(".load");
191
securityfs_remove(aa_fs_dentry);
197
* aa_create_aafs - create the apparmor security filesystem
199
* dentries created here are released by aa_destroy_aafs
201
* Returns: error on failure
203
static int __init aa_create_aafs(void)
207
if (!apparmor_initialized)
211
AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
215
aa_fs_dentry = securityfs_create_dir("apparmor", NULL);
216
if (IS_ERR(aa_fs_dentry)) {
217
error = PTR_ERR(aa_fs_dentry);
222
error = aafs_create(".load", 0640, &aa_fs_profile_load);
225
error = aafs_create(".replace", 0640, &aa_fs_profile_replace);
228
error = aafs_create(".remove", 0640, &aa_fs_profile_remove);
232
/* TODO: add support for apparmorfs_null and apparmorfs_mnt */
234
/* Report that AppArmor fs is enabled */
235
aa_info_message("AppArmor Filesystem Enabled");
240
AA_ERROR("Error creating AppArmor securityfs\n");
244
fs_initcall(aa_create_aafs);