2
* Copyright (C) 2002-2005 Novell/SUSE
4
* This program is free software; you can redistribute it and/or
5
* modify it under the terms of the GNU General Public License as
6
* published by the Free Software Foundation, version 2 of the
12
#include <linux/security.h>
13
#include <linux/namei.h>
14
#include <linux/audit.h>
17
#include "aamatch/match.h"
23
* Used when an attempt is made to changehat into a non-existant
24
* subhat. In the NULL profile, no file access is allowed
25
* (currently full network access is allowed). Using a NULL
26
* profile ensures that active is always non zero.
28
* Leaving the NULL profile is by either successfully changehatting
29
* into a sibling hat, or changehatting back to the parent (NULL hat).
31
struct sdprofile *null_profile;
33
/* NULL complain profile
35
* Used when in complain mode, to emit Permitting messages for non-existant
36
* profiles and hats. This is necessary because of selective mode, in which
37
* case we need a complain null_profile and enforce null_profile
39
* The null_complain_profile cannot be statically allocated, because it
40
* can be associated to files which keep their reference even if subdomain is
43
struct sdprofile *null_complain_profile;
45
/***************************
46
* PRIVATE UTILITY FUNCTIONS
47
**************************/
51
* @dentry: pointer to dentry
52
* @error: error number
53
* @dtype: type of dentry
55
* Display error message when a dentry translation error occured
57
static void dentry_xlate_error(struct dentry *dentry, int error, char *dtype)
59
const unsigned int len = 16;
62
if (dentry->d_inode) {
63
snprintf(buf, len, "%lu", dentry->d_inode->i_ino);
65
strncpy(buf, "<negative>", len);
69
SD_ERROR("An error occured while translating %s %p "
70
"inode# %s to a pathname. Error %d\n",
79
* @name: name of file to check permission
80
* @mask: permission mask requested for file
82
* Determine if request is for write access to /proc/self/attr/current
84
static inline int sd_taskattr_access(const char *procrelname)
87
* assumes a 32bit pid, which requires max 10 decimal digits to represent
88
* sizeof includes trailing \0
90
char buf[sizeof("/attr/current") + 10];
91
const int maxbuflen = sizeof(buf);
93
snprintf(buf, maxbuflen, "%d/attr/current", current->pid);
94
buf[maxbuflen - 1] = 0;
96
return strcmp(buf, procrelname) == 0;
100
* sd_file_mode - get full mode for file entry from profile
104
static inline int sd_file_mode(struct sdprofile *profile, const char *name)
106
struct sd_entry *entry;
109
SD_DEBUG("%s: %s\n", __FUNCTION__, name);
111
SD_DEBUG("%s: no name\n", __FUNCTION__);
116
SD_DEBUG("%s: no profile\n", __FUNCTION__);
119
list_for_each_entry(entry, &profile->file_entry, list) {
120
if (sdmatch_match(name, entry->filename,
121
entry->entry_type, entry->extradata))
129
* sd_get_execmode - calculate what qualifier to apply to an exec
130
* @sd: subdomain to search
131
* @name: name of file to exec
132
* @xmod: pointer to a execution mode bit for the rule that was matched
133
* if the rule has no execuition qualifier {pui} then
134
* SD_MAY_EXEC is returned indicating a naked x
135
* if the has an exec qualifier then only the qualifier bit {pui}
136
* is returned (SD_MAY_EXEC) is not set.
137
* @unsafe: true if secure_exec should be overridden
140
* if unable to find profile or there are conflicting pattern matches.
141
* *xmod - is not modified
142
* *unsafe - is not modified
146
* *xmod = SD_MAY_EXEC
148
* if exec rule matched
149
* if the rule has an execution mode qualifier {pui} then
150
* *xmod = the execution qualifier of the rule {pui}
152
* *xmod = SD_MAY_EXEC
153
* unsafe = presence of unsafe flag
155
static inline int sd_get_execmode(struct subdomain *sd, const char *name,
156
int *xmod, int *unsafe)
158
struct sdprofile *profile;
159
struct sd_entry *entry;
160
struct sd_entry *match = NULL;
162
int pattern_match_invalid = 0, rc = 0;
165
if (!__sd_is_confined(sd)) {
166
SD_DEBUG("%s: not confined\n", __FUNCTION__);
170
profile = sd->active;
172
/* search list of profiles with 'x' permission
173
* this will also include entries with 'p', 'u' and 'i'
176
* If we find a pattern match we will keep looking for an exact match
177
* If we find conflicting pattern matches we will flag (while still
178
* looking for an exact match). If all we have is a conflict, FALSE
182
list_for_each_entry(entry, &profile->file_entryp[POS_SD_MAY_EXEC],
183
listp[POS_SD_MAY_EXEC]) {
184
if (!pattern_match_invalid &&
185
entry->entry_type == sd_entry_pattern &&
186
sdmatch_match(name, entry->filename,
187
entry->entry_type, entry->extradata)) {
189
SD_EXEC_UNSAFE_MASK(entry->mode) !=
190
SD_EXEC_UNSAFE_MASK(match->mode))
191
pattern_match_invalid = 1;
193
/* keep searching for an exact match */
195
} else if ((entry->entry_type == sd_entry_literal ||
196
(!pattern_match_invalid &&
197
entry->entry_type == sd_entry_tailglob)) &&
198
sdmatch_match(name, entry->filename,
201
if (entry->entry_type == sd_entry_literal) {
202
/* got an exact match -- there can be only
203
* one, asserted at profile load time
206
pattern_match_invalid = 0;
210
SD_EXEC_UNSAFE_MASK(entry->mode) !=
211
SD_EXEC_UNSAFE_MASK(match->mode))
212
pattern_match_invalid = 1;
214
/* got a tailglob match, keep searching
223
rc = match && !pattern_match_invalid;
226
int mode = SD_EXEC_MASK(match->mode);
228
/* check for qualifiers, if present
229
* we just return the qualifier
231
if (mode & ~SD_MAY_EXEC)
232
mode = mode & ~SD_MAY_EXEC;
235
*unsafe = (match->mode & SD_EXEC_UNSAFE);
237
SD_DEBUG("%s: Unable to find execute entry in profile "
241
} else if (pattern_match_invalid) {
242
SD_WARN("%s: Inconsistency in profile %s. "
243
"Two (or more) patterns specify conflicting exec "
244
"qualifiers ('u', 'i' or 'p') for image %s\n",
260
* @mask: requested mask
261
* @inode: potential directory inode
263
* This fn performs pre-verification of the requested mask
264
* We ignore append. Previously we required 'w' on a dir to add a file.
265
* No longer. Now we require 'w' on just the file itself. Traversal 'x' is
266
* also ignored for directories.
268
* Returned value of 0 indicates no need to perform a perm check.
270
static inline int sd_filter_mask(int mask, struct inode *inode)
273
int elim = MAY_APPEND;
275
if (inode && S_ISDIR(inode->i_mode))
276
elim |= (MAY_EXEC | MAY_WRITE);
284
static inline void sd_permerror2result(int perm_result, struct sd_audit *sa)
286
if (perm_result == 0) { /* success */
289
} else { /* -ve internal error code or +ve mask of denied perms */
291
sa->errorcode = perm_result;
295
/*************************
296
* MAIN INTERNAL FUNCTIONS
297
************************/
300
* sd_file_perm - calculate access mode for file
301
* @subdomain: current subdomain
302
* @name: name of file to calculate mode for
303
* @mask: permission mask requested for file
305
* Search the sd_entry list in @profile.
306
* Search looking to verify all permissions passed in mask.
307
* Perform the search by looking at the partitioned list of entries, one
308
* partition per permission bit.
310
* Return 0 on success, else mask of non-allowed permissions
312
static unsigned int sd_file_perm(struct subdomain *sd, const char *name,
315
struct sdprofile *profile;
316
int i, error = 0, mode;
318
#define PROCPFX "/proc/"
319
#define PROCLEN sizeof(PROCPFX) - 1
321
SD_DEBUG("%s: %s 0x%x\n", __FUNCTION__, name, mask);
323
/* should not enter with other than R/W/M/X/L */
325
~(SD_MAY_READ | SD_MAY_WRITE | SD_MAY_EXEC |
326
SD_EXEC_MMAP | SD_MAY_LINK));
329
if (!__sd_is_confined(sd)) {
330
/* exit with access allowed */
331
SD_DEBUG("%s: not confined\n", __FUNCTION__);
335
/* Special case access to /proc/self/attr/current
336
* Currently we only allow access if opened O_WRONLY
338
if (mask == MAY_WRITE && strncmp(PROCPFX, name, PROCLEN) == 0 &&
339
sd_taskattr_access(name + PROCLEN))
342
profile = sd->active;
346
/* iterate over partition, one permission bit at a time */
347
for (i = 0; i <= POS_SD_FILE_MAX; i++) {
348
struct sd_entry *entry;
350
/* do we have to accumulate this bit?
351
* or have we already accumulated it (shortcut below)? */
352
if (!(mask & (1 << i)) || mode & (1 << i))
355
list_for_each_entry(entry, &profile->file_entryp[i],
357
if (sdmatch_match(name, entry->filename,
358
entry->entry_type, entry->extradata)) {
359
/* Shortcut, accumulate all bits present */
363
* Mask bits are overloaded
364
* MAY_{EXEC,WRITE,READ,APPEND} are used by
365
* kernel, other values are used locally only.
367
if ((mode & mask) == mask) {
368
SD_DEBUG("MATCH! %s=0x%x [total mode=0x%x]\n",
377
/* return permissions not satisfied */
378
error = mask & ~mode;
385
* sd_link_perm - test permission to link to a file
386
* @sd: current subdomain
387
* @link: name of link being created
388
* @target: name of target to be linked to
390
* Look up permission mode on both @link and @target. @link must have same
391
* permission mode as @target. At least @link must have the link bit enabled.
392
* Return 0 on success, error otherwise.
394
static int sd_link_perm(struct subdomain *sd,
395
const char *link, const char *target)
397
int l_mode, t_mode, ret;
398
struct sdprofile *profile = sd->active;
400
l_mode = sd_file_mode(profile, link);
401
if (l_mode & SD_MAY_LINK) {
402
/* mask off link bit */
403
l_mode &= ~SD_MAY_LINK;
405
t_mode = sd_file_mode(profile, target);
406
t_mode &= ~SD_MAY_LINK;
408
ret = (l_mode == t_mode);
418
* @sd: current subdomain
419
* @dentry: requested dentry
420
* @mask: mask of requested operations
421
* @pname: pointer to hold matched pathname (if any)
423
* Helper function. Obtain pathname for specified dentry. Verify if profile
424
* authorizes mask operations on pathname (due to lack of vfsmnt it is sadly
425
* necessary to search mountpoints in namespace -- when nameidata is passed
426
* more fully, this code can go away). If more than one mountpoint matches
427
* but none satisfy the profile, only the first pathname (mountpoint) is
428
* returned for subsequent logging.
430
* Return 0 (success), +ve (mask of permissions not satisfied) or -ve (system
431
* error, most likely -ENOMEM).
433
static int _sd_perm_dentry(struct subdomain *sd, struct dentry *dentry,
434
int mask, const char **pname)
436
char *name = NULL, *failed_name = NULL;
437
struct sd_path_data data;
438
int error = 0, failed_error = 0, sdpath_error,
439
sdcomplain = SUBDOMAIN_COMPLAIN(sd);
441
/* search all paths to dentry */
443
sd_path_begin(dentry, &data);
445
name = sd_path_getname(&data);
447
/* error here is 0 (success) or +ve (mask of perms) */
448
error = sd_file_perm(sd, name, mask);
450
/* access via any path is enough */
451
if (sdcomplain || error == 0)
452
break; /* Caller must free name */
454
/* Already have an path that failed? */
459
failed_error = error;
464
if ((sdpath_error = sd_path_end(&data)) != 0) {
465
dentry_xlate_error(dentry, sdpath_error, "dentry");
467
WARN_ON(name); /* name should not be set if error */
468
error = sdpath_error;
472
sd_put_name(failed_name);
475
error = failed_error;
483
/**************************
484
* GLOBAL UTILITY FUNCTIONS
485
*************************/
488
* alloc_nullprofiles - Allocate null profiles
490
int alloc_nullprofiles(void)
492
null_profile = alloc_sdprofile();
493
null_complain_profile = alloc_sdprofile();
495
if (!null_profile || !null_complain_profile)
498
null_profile->name = kstrdup("null-profile", GFP_KERNEL);
499
null_complain_profile->name =
500
kstrdup("null-complain-profile", GFP_KERNEL);
502
if (!null_profile->name ||
503
!null_complain_profile->name)
506
get_sdprofile(null_profile);
507
get_sdprofile(null_complain_profile);
508
null_complain_profile->flags.complain = 1;
513
/* free_sdprofile is safe for freeing partially constructed objects */
514
free_sdprofile(null_profile);
515
free_sdprofile(null_complain_profile);
516
null_profile = null_complain_profile = NULL;
521
* free_nullprofiles - Free null profiles
523
void free_nullprofiles(void)
525
put_sdprofile(null_complain_profile);
526
put_sdprofile(null_profile);
527
null_profile = null_complain_profile = NULL;
531
* sd_audit_message - Log a message to the audit subsystem
532
* @sd: current subdomain
533
* @gfp: allocation flags
534
* @flags: audit flags
537
int sd_audit_message(struct subdomain *sd, unsigned int gfp, int flags,
538
const char *fmt, ...)
543
sa.type = SD_AUDITTYPE_MSG;
545
va_start(sa.vaval, fmt);
549
sa.result = 0; /* fake failure: force message to be logged */
551
ret = sd_audit(sd, &sa);
559
* sd_audit_syscallreject - Log a syscall rejection to the audit subsystem
560
* @sd: current subdomain
561
* @msg: string describing syscall being rejected
562
* @gfp: memory allocation flags
564
int sd_audit_syscallreject(struct subdomain *sd, unsigned int gfp,
570
if (!syscall_is_cached(call)) {
571
sa.type = SD_AUDITTYPE_SYSCALL;
572
sa.name = syscall_to_name(call);
576
sa.result = 0; /* failure */
578
error = sd_audit(sd, &sa);
580
add_to_cached_syscalls(call);
586
* sd_audit - Log an audit event to the audit subsystem
587
* @sd: current subdomain
590
int sd_audit(struct subdomain *sd, const struct sd_audit *sa)
592
struct audit_buffer *ab = NULL;
593
struct audit_context *ctx;
600
opspec_error = -EACCES;
602
const unsigned int gfp_mask = sa->gfp_mask;
604
WARN_ON(sa->type >= SD_AUDITTYPE__END);
607
* sa->result: 1 success, 0 failure
608
* sa->errorcode: success: 0
609
* failure: +ve mask of failed permissions or -ve
613
if (likely(sa->result)) {
614
if (likely(!SUBDOMAIN_AUDIT(sd))) {
622
} else if (sa->errorcode < 0) {
623
audit_log(current->audit_context, gfp_mask, AUDIT_SD,
624
"Internal error auditing event type %d (error %d)",
625
sa->type, sa->errorcode);
626
SD_ERROR("Internal error auditing event type %d (error %d)\n",
627
sa->type, sa->errorcode);
628
error = sa->errorcode;
630
} else if (sa->type == SD_AUDITTYPE_SYSCALL) {
631
/* Currently SD_AUDITTYPE_SYSCALL is for rejects only.
632
* Values set by sd_audit_syscallreject will get us here.
634
logcls = "REJECTING";
636
sdcomplain = SUBDOMAIN_COMPLAIN(sd);
637
logcls = sdcomplain ? "PERMITTING" : "REJECTING";
640
/* test if event has already been logged and cached used to log
641
* only first time event occurs.
643
if (sa->type == SD_AUDITTYPE_CAP) {
644
if (cap_is_cached(sa->ival)) {
645
opspec_error = -EPERM;
650
/* In future extend w/ per-profile flags
651
* (flags |= sa->active->flags)
654
if (subdomain_logsyscall)
655
flags |= SD_AUDITFLAG_AUDITSS_SYSCALL;
658
/* Force full audit syscall logging regardless of global setting if
659
* we are rejecting a syscall
661
if (sa->type == SD_AUDITTYPE_SYSCALL) {
662
ctx = current->audit_context;
664
ctx = (flags & SD_AUDITFLAG_AUDITSS_SYSCALL) ?
665
current->audit_context : NULL;
668
ab = audit_log_start(ctx, gfp_mask, AUDIT_SD);
671
SD_ERROR("Unable to log event (%d) to audit subsys\n",
678
/* messages get special handling */
679
if (sa->type == SD_AUDITTYPE_MSG) {
680
audit_log_vformat(ab, sa->name, sa->vaval);
688
audit_log_format(ab, "%s ", logcls); /* REJECTING/ALLOWING/etc */
690
if (sa->type == SD_AUDITTYPE_FILE) {
691
int perm = sdaudit ? sa->ival : sa->errorcode;
693
audit_log_format(ab, "%s%s%s%s%s access to %s ",
694
perm & SD_EXEC_MMAP ? "m" : "",
695
perm & SD_MAY_READ ? "r" : "",
696
perm & SD_MAY_WRITE ? "w" : "",
697
perm & SD_MAY_EXEC ? "x" : "",
698
perm & SD_MAY_LINK ? "l" : "",
701
opspec_error = -EPERM;
703
} else if (sa->type == SD_AUDITTYPE_DIR) {
704
audit_log_format(ab, "%s on %s ",
705
sa->ival == SD_DIR_MKDIR ? "mkdir" : "rmdir",
708
} else if (sa->type == SD_AUDITTYPE_ATTR) {
709
struct iattr *iattr = (struct iattr*)sa->pval;
712
"attribute (%s%s%s%s%s%s%s) change to %s ",
713
iattr->ia_valid & ATTR_MODE ? "mode," : "",
714
iattr->ia_valid & ATTR_UID ? "uid," : "",
715
iattr->ia_valid & ATTR_GID ? "gid," : "",
716
iattr->ia_valid & ATTR_SIZE ? "size," : "",
717
((iattr->ia_valid & ATTR_ATIME_SET) ||
718
(iattr->ia_valid & ATTR_ATIME)) ? "atime," : "",
719
((iattr->ia_valid & ATTR_MTIME_SET) ||
720
(iattr->ia_valid & ATTR_MTIME)) ? "mtime," : "",
721
iattr->ia_valid & ATTR_CTIME ? "ctime," : "",
724
} else if (sa->type == SD_AUDITTYPE_XATTR) {
736
case SD_XATTR_REMOVE:
737
fmt = "xattr remove";
740
fmt = "xattr <unknown>";
744
audit_log_format(ab, "%s on %s ", fmt, sa->name);
746
} else if (sa->type == SD_AUDITTYPE_LINK) {
748
"link access from %s to %s ",
752
} else if (sa->type == SD_AUDITTYPE_CAP) {
754
"access to capability '%s' ",
755
capability_to_name(sa->ival));
756
add_to_cached_caps(sa->ival);
757
opspec_error = -EPERM;
758
} else if (sa->type == SD_AUDITTYPE_SYSCALL) {
759
audit_log_format(ab, "access to syscall '%s' ", sa->name);
761
opspec_error = -EPERM;
763
/* -EINVAL -- will WARN_ON above */
767
audit_log_format(ab, "(%s(%d) profile %s active %s)",
768
current->comm, current->pid,
769
sd->profile->name, sd->active->name);
777
error = sa->result ? 0 : opspec_error;
784
* sd_get_name - retrieve fully qualified path name
785
* @dentry: relative path element
786
* @mnt: where in tree
788
* Returns fully qualified path name on sucess, NULL on failure.
789
* sd_put_name must be used to free allocated buffer.
791
char *sd_get_name(struct dentry *dentry, struct vfsmount *mnt)
795
page = (char *)__get_free_page(GFP_KERNEL);
797
name = ERR_PTR(-ENOMEM);
801
name = d_path(dentry, mnt, page, PAGE_SIZE);
803
/* check for (deleted) that d_path appends to pathnames if the dentry
804
* has been removed from the cache.
805
* The size > deleted_size and strcmp checks are redundant safe guards.
808
free_page((unsigned long)page);
810
const char deleted_str[] = " (deleted)";
811
const size_t deleted_size = sizeof(deleted_str) - 1;
814
if (!IS_ROOT(dentry) && d_unhashed(dentry) &&
815
size > deleted_size &&
816
strcmp(name + size - deleted_size, deleted_str) == 0)
817
name[size - deleted_size] = '\0';
819
SD_DEBUG("%s: full_path=%s\n", __FUNCTION__, name);
826
/***********************************
827
* GLOBAL PERMISSION CHECK FUNCTIONS
828
***********************************/
831
* sd_attr - check whether attribute change allowed
832
* @sd: subdomain to check against to check against
833
* @dentry: file to check
834
* @iattr: attribute changes requested
836
int sd_attr(struct subdomain *sd, struct dentry *dentry, struct iattr *iattr)
838
int error = 0, permerror;
841
if (!__sd_is_confined(sd))
844
sa.type = SD_AUDITTYPE_ATTR;
847
sa.gfp_mask = GFP_KERNEL;
849
permerror = _sd_perm_dentry(sd, dentry, MAY_WRITE, &sa.name);
850
sd_permerror2result(permerror, &sa);
852
error = sd_audit(sd, &sa);
854
sd_put_name(sa.name);
860
int sd_xattr(struct subdomain *sd, struct dentry *dentry, const char *xattr,
863
int error = 0, permerror, mask = 0;
866
/* if not confined or empty mask permission granted */
867
if (!__sd_is_confined(sd))
870
if (xattroptype == SD_XATTR_GET || xattroptype == SD_XATTR_LIST)
872
else if (xattroptype == SD_XATTR_SET || xattroptype == SD_XATTR_REMOVE)
875
sa.type = SD_AUDITTYPE_XATTR;
876
sa.ival = xattroptype;
879
sa.gfp_mask = GFP_KERNEL;
881
permerror = _sd_perm_dentry(sd, dentry, mask, &sa.name);
882
sd_permerror2result(permerror, &sa);
884
error = sd_audit(sd, &sa);
886
sd_put_name(sa.name);
893
* sd_perm - basic subdomain permissions check
894
* @sd: subdomain to check against
897
* @mask: access mode requested
899
* Determine if access (mask) for dentry is authorized by subdomain sd.
900
* Result, 0 (success), -ve (error)
902
int sd_perm(struct subdomain *sd, struct dentry *dentry, struct vfsmount *mnt,
905
int error = 0, permerror;
908
if (!__sd_is_confined(sd))
911
if ((mask = sd_filter_mask(mask, dentry->d_inode)) == 0)
914
sa.type = SD_AUDITTYPE_FILE;
915
sa.name = sd_get_name(dentry, mnt);
918
sa.gfp_mask = GFP_KERNEL;
920
if (IS_ERR(sa.name)) {
921
permerror = PTR_ERR(sa.name);
924
permerror = sd_file_perm(sd, sa.name, mask);
927
sd_permerror2result(permerror, &sa);
929
error = sd_audit(sd, &sa);
931
sd_put_name(sa.name);
938
* sd_perm_nameidata: interface to sd_perm accepting nameidata
939
* @sd: subdomain to check against
940
* @nd: namespace data (for vfsmnt and dentry)
941
* @mask: access mode requested
943
int sd_perm_nameidata(struct subdomain *sd, struct nameidata *nd, int mask)
948
error = sd_perm(sd, nd->dentry, nd->mnt, mask);
954
* sd_perm_dentry - file permissions interface when no vfsmnt available
955
* @sd: current subdomain
956
* @dentry: requested dentry
957
* @mask: access mode requested
959
* Determine if access (mask) for dentry is authorized by subdomain sd.
960
* Result, 0 (success), -ve (error)
962
int sd_perm_dentry(struct subdomain *sd, struct dentry *dentry, int mask)
964
int error = 0, permerror;
967
if (!__sd_is_confined(sd))
970
if ((mask = sd_filter_mask(mask, dentry->d_inode)) == 0)
973
sa.type = SD_AUDITTYPE_FILE;
976
sa.gfp_mask = GFP_KERNEL;
978
permerror = _sd_perm_dentry(sd, dentry, mask, &sa.name);
979
sd_permerror2result(permerror, &sa);
981
error = sd_audit(sd, &sa);
983
sd_put_name(sa.name);
991
* @sd: current subdomain
992
* @dentry: requested dentry
993
* @mode: SD_DIR_MKDIR or SD_DIR_RMDIR
995
* Determine if directory operation (make/remove) for dentry is authorized
997
* Result, 0 (success), -ve (error)
999
int sd_perm_dir(struct subdomain *sd, struct dentry *dentry, int diroptype)
1001
int error = 0, permerror, mask;
1004
BUG_ON(diroptype != SD_DIR_MKDIR && diroptype != SD_DIR_RMDIR);
1006
if (!__sd_is_confined(sd))
1011
sa.type = SD_AUDITTYPE_DIR;
1012
sa.ival = diroptype;
1014
sa.gfp_mask = GFP_KERNEL;
1016
permerror = _sd_perm_dentry(sd, dentry, mask, &sa.name);
1017
sd_permerror2result(permerror, &sa);
1019
error = sd_audit(sd, &sa);
1021
sd_put_name(sa.name);
1028
* sd_capability - test permission to use capability
1029
* @sd: subdomain to check against
1030
* @cap: capability to be tested
1032
* Look up capability in active profile capability set.
1033
* Return 0 (success), -EPERM (error)
1035
int sd_capability(struct subdomain *sd, int cap)
1039
if (__sd_is_confined(sd)) {
1042
sa.type = SD_AUDITTYPE_CAP;
1047
sa.result = cap_raised(sd->active->capabilities, cap);
1048
sa.gfp_mask = GFP_ATOMIC;
1050
error = sd_audit(sd, &sa);
1057
* sd_link - hard link check
1058
* @link: dentry for link being created
1059
* @target: dentry for link target
1060
* @sd: subdomain to check against
1062
* Checks link permissions for all possible name combinations. This is
1063
* particularly ugly. Returns 0 on sucess, error otherwise.
1065
int sd_link(struct subdomain *sd, struct dentry *link, struct dentry *target)
1067
char *iname = NULL, *oname = NULL,
1068
*failed_iname = NULL, *failed_oname = NULL;
1069
unsigned int result = 0;
1070
int error, sdpath_error, errorcode = 0, match = 0,
1071
sdcomplain = SUBDOMAIN_COMPLAIN(sd);
1072
struct sd_path_data idata, odata;
1075
if (!__sd_is_confined(sd))
1078
/* Perform nested lookup for names.
1079
* This is necessary in the case where /dev/block is mounted
1080
* multiple times, i.e /dev/block->/a and /dev/block->/b
1081
* This allows us to detect links where src/dest are on different
1082
* mounts. N.B no support yet for links across bind mounts of
1083
* the form mount -bind /mnt/subpath /mnt2
1085
* Getting direct access to vfsmounts (via nameidata) for link and
1086
* target would allow all this uglyness to go away.
1088
* If more than one mountpoint matches but none satisfy the profile,
1089
* only the first pathname (mountpoint) is logged.
1092
sd_path_begin2(target, link, &odata);
1094
oname = sd_path_getname(&odata);
1096
sd_path_begin(target, &idata);
1098
iname = sd_path_getname(&idata);
1100
result = sd_link_perm(sd, oname, iname);
1102
/* access via any path is enough */
1103
if (result || sdcomplain) {
1108
/* Already have an path that failed? */
1112
failed_iname = iname;
1113
failed_oname = oname;
1116
} while (iname && !match);
1118
/* should not be possible if we matched */
1119
if ((sdpath_error = sd_path_end(&idata)) != 0) {
1120
dentry_xlate_error(target, sdpath_error,
1121
"inner dentry [link]");
1123
/* name should not be set if error */
1126
errorcode = sdpath_error;
1129
/* don't release if we're saving it */
1130
if (!match && failed_oname != oname)
1133
} while (oname && !match);
1135
if (errorcode != 0) {
1137
(void)sd_path_end(&odata);
1138
} else if ((sdpath_error = sd_path_end(&odata)) != 0) {
1139
dentry_xlate_error(link, sdpath_error, "outer dentry [link]");
1141
errorcode = sdpath_error;
1144
if (errorcode != 0) {
1145
/* inner or outer error */
1147
} else if (!match) {
1148
/* failed to match */
1153
iname = failed_iname;
1154
oname = failed_oname;
1157
sa.type = SD_AUDITTYPE_LINK;
1158
sa.name = oname; /* link */
1159
sa.pval = iname; /* target */
1161
sa.errorcode = errorcode;
1163
sa.gfp_mask = GFP_KERNEL;
1165
error = sd_audit(sd, &sa);
1167
if (failed_oname != oname)
1168
sd_put_name(failed_oname);
1169
if (failed_iname != iname)
1170
sd_put_name(failed_iname);
1178
/**********************************
1179
* GLOBAL PROCESS RELATED FUNCTIONS
1180
*********************************/
1183
* sd_fork - create a new subdomain
1186
* Create a new subdomain for newly created process @p if it's parent
1187
* is already confined. Otherwise a subdomain will be lazily allocated
1188
* for the child if it subsequently execs (in sd_register).
1189
* Return 0 on sucess.
1192
int sd_fork(struct task_struct *p)
1194
struct subdomain *sd = SD_SUBDOMAIN(current->security);
1195
struct subdomain *newsd = NULL;
1197
SD_DEBUG("%s\n", __FUNCTION__);
1199
if (__sd_is_confined(sd)) {
1200
unsigned long flags;
1202
newsd = alloc_subdomain(p);
1207
/* Can get away with a read rather than write lock here
1208
* as we just allocated newsd above, so we can guarantee
1209
* that it's active/profile are null and therefore a replace
1212
read_lock_irqsave(&sd_lock, flags);
1213
sd_switch(newsd, sd->profile, sd->active);
1214
newsd->sd_hat_magic = sd->sd_hat_magic;
1215
read_unlock_irqrestore(&sd_lock, flags);
1217
if (SUBDOMAIN_COMPLAIN(sd) &&
1218
sd->active == null_complain_profile)
1219
LOG_HINT(sd, GFP_KERNEL, HINT_FORK,
1220
"pid=%d child=%d\n",
1221
current->pid, p->pid);
1223
p->security = newsd;
1228
* sd_register - register a new program
1229
* @filp: file of program being registered
1231
* Try to register a new program during execve(). This should give the
1232
* new program a valid subdomain.
1234
* This _used_ to be a really simple piece of code :-(
1237
int sd_register(struct linux_binprm *bprm)
1240
struct file *filp = bprm->file;
1241
struct subdomain *sd, sdcopy;
1242
struct sdprofile *newprofile = NULL, unconstrained_flag;
1243
int error = -ENOMEM,
1246
findprofile_mandatory = 0,
1250
SD_DEBUG("%s\n", __FUNCTION__);
1252
sd = get_sdcopy(&sdcopy);
1254
filename = sd_get_name(filp->f_dentry, filp->f_vfsmnt);
1255
if (IS_ERR(filename)) {
1256
SD_WARN("%s: Failed to get filename\n", __FUNCTION__);
1262
if (!__sd_is_confined(sd)) {
1263
/* Unconfined task, load profile if it exists */
1268
complain = SUBDOMAIN_COMPLAIN(sd);
1270
/* Confined task, determine what mode inherit, unconstrained or
1271
* mandatory to load new profile
1273
if (sd_get_execmode(sd, filename, &exec_mode, &unsafe_exec)) {
1274
switch (exec_mode) {
1275
case SD_EXEC_INHERIT:
1276
/* do nothing - setting of profile
1277
* already handed in sd_fork
1279
SD_DEBUG("%s: INHERIT %s\n",
1284
case SD_EXEC_UNCONSTRAINED:
1285
SD_DEBUG("%s: UNCONSTRAINED %s\n",
1289
/* unload profile */
1290
newprofile = &unconstrained_flag;
1293
case SD_EXEC_PROFILE:
1294
SD_DEBUG("%s: PROFILE %s\n",
1299
findprofile_mandatory = 1;
1303
/* this should not happen, entries
1304
* with just EXEC only should be
1305
* rejected at profile load time
1307
SD_ERROR("%s: Rejecting exec(2) of image '%s'. "
1308
"SD_MAY_EXEC without exec qualifier invalid "
1309
"(%s(%d) profile %s active %s\n",
1312
current->comm, current->pid,
1313
sd->profile->name, sd->active->name);
1318
SD_ERROR("%s: Rejecting exec(2) of image '%s'. "
1319
"Unknown exec qualifier %x "
1320
"(%s (pid %d) profile %s active %s)\n",
1324
current->comm, current->pid,
1325
sd->profile->name, sd->active->name);
1330
} else if (complain) {
1331
/* There was no entry in calling profile
1332
* describing mode to execute image in.
1333
* Drop into null-profile (disabling secure exec).
1335
newprofile = get_sdprofile(null_complain_profile);
1338
SD_WARN("%s: Rejecting exec(2) of image '%s'. "
1339
"Unable to determine exec qualifier "
1340
"(%s (pid %d) profile %s active %s)\n",
1343
current->comm, current->pid,
1344
sd->profile->name, sd->active->name);
1353
/* Locate new profile */
1354
newprofile = sd_profilelist_find(filename);
1356
SD_DEBUG("%s: setting profile %s\n",
1357
__FUNCTION__, newprofile->name);
1358
} else if (findprofile_mandatory) {
1359
/* Profile (mandatory) could not be found */
1362
LOG_HINT(sd, GFP_KERNEL, HINT_MANDPROF,
1363
"image=%s pid=%d profile=%s active=%s\n",
1369
newprofile = get_sdprofile(null_complain_profile);
1371
SD_WARN("REJECTING exec(2) of image '%s'. "
1372
"Profile mandatory and not found "
1373
"(%s(%d) profile %s active %s)\n",
1375
current->comm, current->pid,
1376
sd->profile->name, sd->active->name);
1380
/* Profile (non-mandatory) could not be found */
1382
/* Only way we can get into this code is if task
1386
BUG_ON(__sd_is_confined(sd));
1388
SD_DEBUG("%s: No profile found for exec image %s\n",
1395
/* Apply profile if necessary */
1397
struct subdomain *latest_sd, *lazy_sd = NULL;
1398
unsigned long flags;
1400
if (newprofile == &unconstrained_flag)
1403
/* grab a write lock
1405
* - Task may be presently unconfined (have no sd). In which
1406
* case we have to lazily allocate one. Note we may be raced
1407
* to this allocation by a setprofile.
1409
* - sd is a refcounted copy of the subdomain (get_sdcopy) and
1410
* not the actual subdomain. This allows us to not have to
1411
* hold a read lock around all this code. However, we need to
1412
* change the actual subdomain, not the copy.
1414
* - If newprofile points to an actual profile (result of
1415
* sd_profilelist_find above), this profile may have been
1416
* replaced. We need to fix it up. Doing this to avoid
1417
* having to hold a write lock around all this code.
1421
lazy_sd = alloc_subdomain(current);
1424
write_lock_irqsave(&sd_lock, flags);
1426
latest_sd = SD_SUBDOMAIN(current->security);
1430
/* raced by setprofile (created latest_sd) */
1431
free_subdomain(lazy_sd);
1436
latest_sd = lazy_sd;
1437
current->security = lazy_sd;
1439
SD_ERROR("%s: Failed to allocate subdomain\n",
1443
write_unlock_irqrestore(&sd_lock, flags);
1448
/* Determine if profile we found earlier is stale.
1449
* If so, reobtain it. N.B stale flag should never be
1450
* set on null_complain profile.
1452
if (newprofile && unlikely(newprofile->isstale)) {
1453
BUG_ON(newprofile == null_complain_profile);
1455
/* drop refcnt obtained from earlier get_sdprofile */
1456
put_sdprofile(newprofile);
1458
newprofile = sd_profilelist_find(filename);
1461
/* Race, profile was removed, not replaced.
1462
* Redo with error checking
1464
write_unlock_irqrestore(&sd_lock, flags);
1469
/* Handle confined exec.
1470
* Can be at this point for the following reasons:
1471
* 1. unconfined switching to confined
1472
* 2. confined switching to different confinement
1473
* 3. confined switching to unconfined
1475
* Cases 2 and 3 are marked as requiring secure exec
1476
* (unless policy specified "unsafe exec")
1478
if (__sd_is_confined(latest_sd) && !unsafe_exec) {
1479
unsigned long bprm_flags;
1481
bprm_flags = SD_SECURE_EXEC_NEEDED;
1482
bprm->security = (void*)
1483
((unsigned long)bprm->security | bprm_flags);
1486
sd_switch(latest_sd, newprofile, newprofile);
1487
put_sdprofile(newprofile);
1489
if (complain && newprofile == null_complain_profile)
1490
LOG_HINT(latest_sd, GFP_ATOMIC, HINT_CHGPROF,
1494
write_unlock_irqrestore(&sd_lock, flags);
1498
sd_put_name(filename);
1508
* sd_release - release the task's subdomain
1509
* @p: task being released
1511
* This is called after a task has exited and the parent has reaped it.
1512
* p->security must be !NULL. The @p->security blob is freed.
1514
void sd_release(struct task_struct *p)
1516
struct subdomain *sd = SD_SUBDOMAIN(p->security);
1519
sd_subdomainlist_remove(sd);
1521
/* release profiles */
1522
put_sdprofile(sd->profile);
1523
put_sdprofile(sd->active);
1528
/*****************************
1529
* GLOBAL SUBPROFILE FUNCTIONS
1530
****************************/
1533
* do_change_hat - actually switch hats
1534
* @name: name of hat to swtich to
1535
* @sd: current subdomain
1537
* Switch to a new hat. Return 0 on success, error otherwise.
1539
static inline int do_change_hat(const char *hat_name, struct subdomain *sd)
1541
struct sdprofile *sub;
1542
struct sdprofile *p = sd->active;
1545
sub = __sd_find_profile(hat_name, &sd->profile->sub);
1551
/* There is no such subprofile change to a NULL profile.
1552
* The NULL profile grants no file access.
1554
* This feature is used by changehat_apache.
1556
* N.B from the null-profile the task can still changehat back
1557
* out to the parent profile (assuming magic != NULL)
1559
if (SUBDOMAIN_COMPLAIN(sd)) {
1560
LOG_HINT(sd, GFP_ATOMIC, HINT_UNKNOWN_HAT,
1562
"profile=%s active=%s\n",
1567
sd->active = get_sdprofile(null_complain_profile);
1569
SD_DEBUG("%s: Unknown hatname '%s'. "
1570
"Changing to NULL profile "
1571
"(%s(%d) profile %s active %s)\n",
1574
current->comm, current->pid,
1575
sd->profile->name, sd->active->name);
1577
sd->active = get_sdprofile(null_profile);
1587
* sd_change_hat - change hat to/from subprofile
1588
* @hat_name: specifies hat to change to
1589
* @hat_magic: token to validate hat change
1591
* Change to new @hat_name when current hat is top level profile, and store
1592
* the @hat_magic in the current subdomain. If the new @hat_name is
1593
* NULL, and the @hat_magic matches that stored in the current subdomain
1594
* return to original top level profile. Returns 0 on success, error
1597
#define IN_SUBPROFILE(sd) ((sd)->profile != (sd)->active)
1598
int sd_change_hat(const char *hat_name, __u32 hat_magic)
1600
struct subdomain *sd = SD_SUBDOMAIN(current->security);
1603
SD_DEBUG("%s: %p, 0x%x (pid %d)\n",
1605
hat_name, hat_magic,
1608
/* Dump out above debugging in WARN mode if we are in AUDIT mode */
1609
if (SUBDOMAIN_AUDIT(sd)) {
1610
SD_WARN("%s: %s, 0x%x (pid %d)\n",
1611
__FUNCTION__, hat_name ? hat_name : "NULL",
1612
hat_magic, current->pid);
1615
/* no subdomain: changehat into the null_profile, since the process
1616
has no subdomain do_change_hat won't find a match which will cause
1617
a changehat to null_profile. We could short circuit this but since
1618
the subdprofile (hat) list is empty we would save very little. */
1620
/* check to see if an unconfined process is doing a changehat. */
1621
if (!__sd_is_confined(sd)) {
1626
/* check to see if the confined process has any hats. */
1627
if (list_empty(&sd->profile->sub) && !SUBDOMAIN_COMPLAIN(sd)) {
1632
/* Check whether current domain is parent
1633
* or one of the sibling children
1635
if (sd->profile == sd->active) {
1640
SD_DEBUG("%s: switching to %s, 0x%x\n",
1646
* N.B hat_magic == 0 has a special meaning
1647
* this indicates that the task may never changehat
1648
* back to it's parent, it will stay in this subhat
1649
* (or null-profile, if the hat doesn't exist) until
1650
* the task terminates
1652
sd->sd_hat_magic = hat_magic;
1653
error = do_change_hat(hat_name, sd);
1655
/* Got here via changehat(NULL, magic)
1657
* We used to simply update the magic cookie.
1658
* That's an odd behaviour, so just do nothing.
1663
* child -- check to make sure magic is same as what was
1664
* passed when we switched into this profile,
1665
* Handle special casing of NULL magic which confines task
1666
* to subprofile and prohibits further changehats
1668
if (hat_magic == sd->sd_hat_magic && sd->sd_hat_magic) {
1671
* Got here via changehat(NULL, magic)
1672
* Return from subprofile, back to parent
1674
put_sdprofile(sd->active);
1675
sd->active = get_sdprofile(sd->profile);
1677
/* Reset hat_magic to zero.
1678
* New value will be passed on next changehat
1680
sd->sd_hat_magic = 0;
1682
/* change to another (sibling) profile */
1683
error = do_change_hat(hat_name, sd);
1685
} else if (sd->sd_hat_magic) {
1686
SD_ERROR("KILLING process %s(%d) "
1687
"Invalid change_hat() magic# 0x%x "
1688
"(hatname %s profile %s active %s)\n",
1689
current->comm, current->pid,
1691
hat_name ? hat_name : "NULL",
1692
sd->profile->name, sd->active->name);
1694
/* terminate current process */
1695
(void)send_sig_info(SIGKILL, NULL, current);
1696
} else { /* sd->sd_hat_magic == NULL */
1697
SD_ERROR("KILLING process %s(%d) "
1698
"Task was confined to current subprofile "
1699
"(profile %s active %s)\n",
1700
current->comm, current->pid,
1701
sd->profile->name, sd->active->name);
1703
/* terminate current process */
1704
(void)send_sig_info(SIGKILL, NULL, current);