Back to home page

OSCL-LXR
 
 

     

0001 // SPDX-License-Identifier: GPL-2.0-only
0002 /*
0003  * AppArmor security module
0004  *
0005  * This file contains AppArmor policy manipulation functions
0006  *
0007  * Copyright (C) 1998-2008 Novell/SUSE
0008  * Copyright 2009-2017 Canonical Ltd.
0009  *
0010  * AppArmor policy namespaces, allow for different sets of policies
0011  * to be loaded for tasks within the namespace.
0012  */
0013 
0014 #include <linux/list.h>
0015 #include <linux/mutex.h>
0016 #include <linux/slab.h>
0017 #include <linux/string.h>
0018 
0019 #include "include/apparmor.h"
0020 #include "include/cred.h"
0021 #include "include/policy_ns.h"
0022 #include "include/label.h"
0023 #include "include/policy.h"
0024 
0025 /* kernel label */
0026 struct aa_label *kernel_t;
0027 
0028 /* root profile namespace */
0029 struct aa_ns *root_ns;
0030 const char *aa_hidden_ns_name = "---";
0031 
0032 /**
0033  * aa_ns_visible - test if @view is visible from @curr
0034  * @curr: namespace to treat as the parent (NOT NULL)
0035  * @view: namespace to test if visible from @curr (NOT NULL)
0036  * @subns: whether view of a subns is allowed
0037  *
0038  * Returns: true if @view is visible from @curr else false
0039  */
0040 bool aa_ns_visible(struct aa_ns *curr, struct aa_ns *view, bool subns)
0041 {
0042     if (curr == view)
0043         return true;
0044 
0045     if (!subns)
0046         return false;
0047 
0048     for ( ; view; view = view->parent) {
0049         if (view->parent == curr)
0050             return true;
0051     }
0052 
0053     return false;
0054 }
0055 
0056 /**
0057  * aa_ns_name - Find the ns name to display for @view from @curr
0058  * @curr: current namespace (NOT NULL)
0059  * @view: namespace attempting to view (NOT NULL)
0060  * @subns: are subns visible
0061  *
0062  * Returns: name of @view visible from @curr
0063  */
0064 const char *aa_ns_name(struct aa_ns *curr, struct aa_ns *view, bool subns)
0065 {
0066     /* if view == curr then the namespace name isn't displayed */
0067     if (curr == view)
0068         return "";
0069 
0070     if (aa_ns_visible(curr, view, subns)) {
0071         /* at this point if a ns is visible it is in a view ns
0072          * thus the curr ns.hname is a prefix of its name.
0073          * Only output the virtualized portion of the name
0074          * Add + 2 to skip over // separating curr hname prefix
0075          * from the visible tail of the views hname
0076          */
0077         return view->base.hname + strlen(curr->base.hname) + 2;
0078     }
0079 
0080     return aa_hidden_ns_name;
0081 }
0082 
0083 static struct aa_profile *alloc_unconfined(const char *name)
0084 {
0085     struct aa_profile *profile;
0086 
0087     profile = aa_alloc_profile(name, NULL, GFP_KERNEL);
0088     if (!profile)
0089         return NULL;
0090 
0091     profile->label.flags |= FLAG_IX_ON_NAME_ERROR |
0092         FLAG_IMMUTIBLE | FLAG_NS_COUNT | FLAG_UNCONFINED;
0093     profile->mode = APPARMOR_UNCONFINED;
0094     profile->file.dfa = aa_get_dfa(nulldfa);
0095     profile->policy.dfa = aa_get_dfa(nulldfa);
0096 
0097     return profile;
0098 }
0099 
0100 /**
0101  * alloc_ns - allocate, initialize and return a new namespace
0102  * @prefix: parent namespace name (MAYBE NULL)
0103  * @name: a preallocated name  (NOT NULL)
0104  *
0105  * Returns: refcounted namespace or NULL on failure.
0106  */
0107 static struct aa_ns *alloc_ns(const char *prefix, const char *name)
0108 {
0109     struct aa_ns *ns;
0110 
0111     ns = kzalloc(sizeof(*ns), GFP_KERNEL);
0112     AA_DEBUG("%s(%p)\n", __func__, ns);
0113     if (!ns)
0114         return NULL;
0115     if (!aa_policy_init(&ns->base, prefix, name, GFP_KERNEL))
0116         goto fail_ns;
0117 
0118     INIT_LIST_HEAD(&ns->sub_ns);
0119     INIT_LIST_HEAD(&ns->rawdata_list);
0120     mutex_init(&ns->lock);
0121     init_waitqueue_head(&ns->wait);
0122 
0123     /* released by aa_free_ns() */
0124     ns->unconfined = alloc_unconfined("unconfined");
0125     if (!ns->unconfined)
0126         goto fail_unconfined;
0127     /* ns and ns->unconfined share ns->unconfined refcount */
0128     ns->unconfined->ns = ns;
0129 
0130     atomic_set(&ns->uniq_null, 0);
0131 
0132     aa_labelset_init(&ns->labels);
0133 
0134     return ns;
0135 
0136 fail_unconfined:
0137     kfree_sensitive(ns->base.hname);
0138 fail_ns:
0139     kfree_sensitive(ns);
0140     return NULL;
0141 }
0142 
0143 /**
0144  * aa_free_ns - free a profile namespace
0145  * @ns: the namespace to free  (MAYBE NULL)
0146  *
0147  * Requires: All references to the namespace must have been put, if the
0148  *           namespace was referenced by a profile confining a task,
0149  */
0150 void aa_free_ns(struct aa_ns *ns)
0151 {
0152     if (!ns)
0153         return;
0154 
0155     aa_policy_destroy(&ns->base);
0156     aa_labelset_destroy(&ns->labels);
0157     aa_put_ns(ns->parent);
0158 
0159     ns->unconfined->ns = NULL;
0160     aa_free_profile(ns->unconfined);
0161     kfree_sensitive(ns);
0162 }
0163 
0164 /**
0165  * aa_findn_ns  -  look up a profile namespace on the namespace list
0166  * @root: namespace to search in  (NOT NULL)
0167  * @name: name of namespace to find  (NOT NULL)
0168  * @n: length of @name
0169  *
0170  * Returns: a refcounted namespace on the list, or NULL if no namespace
0171  *          called @name exists.
0172  *
0173  * refcount released by caller
0174  */
0175 struct aa_ns *aa_findn_ns(struct aa_ns *root, const char *name, size_t n)
0176 {
0177     struct aa_ns *ns = NULL;
0178 
0179     rcu_read_lock();
0180     ns = aa_get_ns(__aa_findn_ns(&root->sub_ns, name, n));
0181     rcu_read_unlock();
0182 
0183     return ns;
0184 }
0185 
0186 /**
0187  * aa_find_ns  -  look up a profile namespace on the namespace list
0188  * @root: namespace to search in  (NOT NULL)
0189  * @name: name of namespace to find  (NOT NULL)
0190  *
0191  * Returns: a refcounted namespace on the list, or NULL if no namespace
0192  *          called @name exists.
0193  *
0194  * refcount released by caller
0195  */
0196 struct aa_ns *aa_find_ns(struct aa_ns *root, const char *name)
0197 {
0198     return aa_findn_ns(root, name, strlen(name));
0199 }
0200 
0201 /**
0202  * __aa_lookupn_ns - lookup the namespace matching @hname
0203  * @view: namespace to search in  (NOT NULL)
0204  * @hname: hierarchical ns name  (NOT NULL)
0205  * @n: length of @hname
0206  *
0207  * Requires: rcu_read_lock be held
0208  *
0209  * Returns: unrefcounted ns pointer or NULL if not found
0210  *
0211  * Do a relative name lookup, recursing through profile tree.
0212  */
0213 struct aa_ns *__aa_lookupn_ns(struct aa_ns *view, const char *hname, size_t n)
0214 {
0215     struct aa_ns *ns = view;
0216     const char *split;
0217 
0218     for (split = strnstr(hname, "//", n); split;
0219          split = strnstr(hname, "//", n)) {
0220         ns = __aa_findn_ns(&ns->sub_ns, hname, split - hname);
0221         if (!ns)
0222             return NULL;
0223 
0224         n -= split + 2 - hname;
0225         hname = split + 2;
0226     }
0227 
0228     if (n)
0229         return __aa_findn_ns(&ns->sub_ns, hname, n);
0230     return NULL;
0231 }
0232 
0233 /**
0234  * aa_lookupn_ns  -  look up a policy namespace relative to @view
0235  * @view: namespace to search in  (NOT NULL)
0236  * @name: name of namespace to find  (NOT NULL)
0237  * @n: length of @name
0238  *
0239  * Returns: a refcounted namespace on the list, or NULL if no namespace
0240  *          called @name exists.
0241  *
0242  * refcount released by caller
0243  */
0244 struct aa_ns *aa_lookupn_ns(struct aa_ns *view, const char *name, size_t n)
0245 {
0246     struct aa_ns *ns = NULL;
0247 
0248     rcu_read_lock();
0249     ns = aa_get_ns(__aa_lookupn_ns(view, name, n));
0250     rcu_read_unlock();
0251 
0252     return ns;
0253 }
0254 
0255 static struct aa_ns *__aa_create_ns(struct aa_ns *parent, const char *name,
0256                     struct dentry *dir)
0257 {
0258     struct aa_ns *ns;
0259     int error;
0260 
0261     AA_BUG(!parent);
0262     AA_BUG(!name);
0263     AA_BUG(!mutex_is_locked(&parent->lock));
0264 
0265     ns = alloc_ns(parent->base.hname, name);
0266     if (!ns)
0267         return ERR_PTR(-ENOMEM);
0268     ns->level = parent->level + 1;
0269     mutex_lock_nested(&ns->lock, ns->level);
0270     error = __aafs_ns_mkdir(ns, ns_subns_dir(parent), name, dir);
0271     if (error) {
0272         AA_ERROR("Failed to create interface for ns %s\n",
0273              ns->base.name);
0274         mutex_unlock(&ns->lock);
0275         aa_free_ns(ns);
0276         return ERR_PTR(error);
0277     }
0278     ns->parent = aa_get_ns(parent);
0279     list_add_rcu(&ns->base.list, &parent->sub_ns);
0280     /* add list ref */
0281     aa_get_ns(ns);
0282     mutex_unlock(&ns->lock);
0283 
0284     return ns;
0285 }
0286 
0287 /**
0288  * __aa_find_or_create_ns - create an ns, fail if it already exists
0289  * @parent: the parent of the namespace being created
0290  * @name: the name of the namespace
0291  * @dir: if not null the dir to put the ns entries in
0292  *
0293  * Returns: the a refcounted ns that has been add or an ERR_PTR
0294  */
0295 struct aa_ns *__aa_find_or_create_ns(struct aa_ns *parent, const char *name,
0296                      struct dentry *dir)
0297 {
0298     struct aa_ns *ns;
0299 
0300     AA_BUG(!mutex_is_locked(&parent->lock));
0301 
0302     /* try and find the specified ns */
0303     /* released by caller */
0304     ns = aa_get_ns(__aa_find_ns(&parent->sub_ns, name));
0305     if (!ns)
0306         ns = __aa_create_ns(parent, name, dir);
0307     else
0308         ns = ERR_PTR(-EEXIST);
0309 
0310     /* return ref */
0311     return ns;
0312 }
0313 
0314 /**
0315  * aa_prepare_ns - find an existing or create a new namespace of @name
0316  * @parent: ns to treat as parent
0317  * @name: the namespace to find or add  (NOT NULL)
0318  *
0319  * Returns: refcounted namespace or PTR_ERR if failed to create one
0320  */
0321 struct aa_ns *aa_prepare_ns(struct aa_ns *parent, const char *name)
0322 {
0323     struct aa_ns *ns;
0324 
0325     mutex_lock_nested(&parent->lock, parent->level);
0326     /* try and find the specified ns and if it doesn't exist create it */
0327     /* released by caller */
0328     ns = aa_get_ns(__aa_find_ns(&parent->sub_ns, name));
0329     if (!ns)
0330         ns = __aa_create_ns(parent, name, NULL);
0331     mutex_unlock(&parent->lock);
0332 
0333     /* return ref */
0334     return ns;
0335 }
0336 
0337 static void __ns_list_release(struct list_head *head);
0338 
0339 /**
0340  * destroy_ns - remove everything contained by @ns
0341  * @ns: namespace to have it contents removed  (NOT NULL)
0342  */
0343 static void destroy_ns(struct aa_ns *ns)
0344 {
0345     if (!ns)
0346         return;
0347 
0348     mutex_lock_nested(&ns->lock, ns->level);
0349     /* release all profiles in this namespace */
0350     __aa_profile_list_release(&ns->base.profiles);
0351 
0352     /* release all sub namespaces */
0353     __ns_list_release(&ns->sub_ns);
0354 
0355     if (ns->parent) {
0356         unsigned long flags;
0357 
0358         write_lock_irqsave(&ns->labels.lock, flags);
0359         __aa_proxy_redirect(ns_unconfined(ns),
0360                     ns_unconfined(ns->parent));
0361         write_unlock_irqrestore(&ns->labels.lock, flags);
0362     }
0363     __aafs_ns_rmdir(ns);
0364     mutex_unlock(&ns->lock);
0365 }
0366 
0367 /**
0368  * __aa_remove_ns - remove a namespace and all its children
0369  * @ns: namespace to be removed  (NOT NULL)
0370  *
0371  * Requires: ns->parent->lock be held and ns removed from parent.
0372  */
0373 void __aa_remove_ns(struct aa_ns *ns)
0374 {
0375     /* remove ns from namespace list */
0376     list_del_rcu(&ns->base.list);
0377     destroy_ns(ns);
0378     aa_put_ns(ns);
0379 }
0380 
0381 /**
0382  * __ns_list_release - remove all profile namespaces on the list put refs
0383  * @head: list of profile namespaces  (NOT NULL)
0384  *
0385  * Requires: namespace lock be held
0386  */
0387 static void __ns_list_release(struct list_head *head)
0388 {
0389     struct aa_ns *ns, *tmp;
0390 
0391     list_for_each_entry_safe(ns, tmp, head, base.list)
0392         __aa_remove_ns(ns);
0393 
0394 }
0395 
0396 /**
0397  * aa_alloc_root_ns - allocate the root profile namespace
0398  *
0399  * Returns: %0 on success else error
0400  *
0401  */
0402 int __init aa_alloc_root_ns(void)
0403 {
0404     struct aa_profile *kernel_p;
0405 
0406     /* released by aa_free_root_ns - used as list ref*/
0407     root_ns = alloc_ns(NULL, "root");
0408     if (!root_ns)
0409         return -ENOMEM;
0410 
0411     kernel_p = alloc_unconfined("kernel_t");
0412     if (!kernel_p) {
0413         destroy_ns(root_ns);
0414         aa_free_ns(root_ns);
0415         return -ENOMEM;
0416     }
0417     kernel_t = &kernel_p->label;
0418     root_ns->unconfined->ns = aa_get_ns(root_ns);
0419 
0420     return 0;
0421 }
0422 
0423  /**
0424   * aa_free_root_ns - free the root profile namespace
0425   */
0426 void __init aa_free_root_ns(void)
0427 {
0428      struct aa_ns *ns = root_ns;
0429 
0430      root_ns = NULL;
0431 
0432      aa_label_free(kernel_t);
0433      destroy_ns(ns);
0434      aa_put_ns(ns);
0435 }
Source navigation ] Diff markup ] Identifier search ] general search ]

This page was automatically generated by the 2.1.0 LXR engine.

The LXR team
Valid CSS 2.1! Valid HTML 4.01!