Commit | Line | Data |
---|---|---|
6380bd8d JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor mediation of files | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #include "include/apparmor.h" | |
16 | #include "include/audit.h" | |
17 | #include "include/file.h" | |
18 | #include "include/match.h" | |
19 | #include "include/path.h" | |
20 | #include "include/policy.h" | |
21 | ||
22 | struct file_perms nullperms; | |
23 | ||
24 | ||
25 | /** | |
26 | * audit_file_mask - convert mask to permission string | |
27 | * @buffer: buffer to write string to (NOT NULL) | |
28 | * @mask: permission mask to convert | |
29 | */ | |
30 | static void audit_file_mask(struct audit_buffer *ab, u32 mask) | |
31 | { | |
32 | char str[10]; | |
33 | ||
34 | char *m = str; | |
35 | ||
36 | if (mask & AA_EXEC_MMAP) | |
37 | *m++ = 'm'; | |
38 | if (mask & (MAY_READ | AA_MAY_META_READ)) | |
39 | *m++ = 'r'; | |
40 | if (mask & (MAY_WRITE | AA_MAY_META_WRITE | AA_MAY_CHMOD | | |
41 | AA_MAY_CHOWN)) | |
42 | *m++ = 'w'; | |
43 | else if (mask & MAY_APPEND) | |
44 | *m++ = 'a'; | |
45 | if (mask & AA_MAY_CREATE) | |
46 | *m++ = 'c'; | |
47 | if (mask & AA_MAY_DELETE) | |
48 | *m++ = 'd'; | |
49 | if (mask & AA_MAY_LINK) | |
50 | *m++ = 'l'; | |
51 | if (mask & AA_MAY_LOCK) | |
52 | *m++ = 'k'; | |
53 | if (mask & MAY_EXEC) | |
54 | *m++ = 'x'; | |
55 | *m = '\0'; | |
56 | ||
57 | audit_log_string(ab, str); | |
58 | } | |
59 | ||
60 | /** | |
61 | * file_audit_cb - call back for file specific audit fields | |
62 | * @ab: audit_buffer (NOT NULL) | |
63 | * @va: audit struct to audit values of (NOT NULL) | |
64 | */ | |
65 | static void file_audit_cb(struct audit_buffer *ab, void *va) | |
66 | { | |
67 | struct common_audit_data *sa = va; | |
2db81452 | 68 | kuid_t fsuid = current_fsuid(); |
6380bd8d | 69 | |
3b3b0e4f | 70 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
6380bd8d | 71 | audit_log_format(ab, " requested_mask="); |
3b3b0e4f | 72 | audit_file_mask(ab, sa->aad->fs.request); |
6380bd8d | 73 | } |
3b3b0e4f | 74 | if (sa->aad->fs.denied & AA_AUDIT_FILE_MASK) { |
6380bd8d | 75 | audit_log_format(ab, " denied_mask="); |
3b3b0e4f | 76 | audit_file_mask(ab, sa->aad->fs.denied); |
6380bd8d | 77 | } |
3b3b0e4f | 78 | if (sa->aad->fs.request & AA_AUDIT_FILE_MASK) { |
2db81452 EB |
79 | audit_log_format(ab, " fsuid=%d", |
80 | from_kuid(&init_user_ns, fsuid)); | |
81 | audit_log_format(ab, " ouid=%d", | |
82 | from_kuid(&init_user_ns, sa->aad->fs.ouid)); | |
6380bd8d JJ |
83 | } |
84 | ||
3b3b0e4f | 85 | if (sa->aad->fs.target) { |
6380bd8d | 86 | audit_log_format(ab, " target="); |
3b3b0e4f | 87 | audit_log_untrustedstring(ab, sa->aad->fs.target); |
6380bd8d JJ |
88 | } |
89 | } | |
90 | ||
91 | /** | |
92 | * aa_audit_file - handle the auditing of file operations | |
93 | * @profile: the profile being enforced (NOT NULL) | |
94 | * @perms: the permissions computed for the request (NOT NULL) | |
95 | * @gfp: allocation flags | |
96 | * @op: operation being mediated | |
97 | * @request: permissions requested | |
98 | * @name: name of object being mediated (MAYBE NULL) | |
99 | * @target: name of target (MAYBE NULL) | |
100 | * @ouid: object uid | |
101 | * @info: extra information message (MAYBE NULL) | |
102 | * @error: 0 if operation allowed else failure error code | |
103 | * | |
104 | * Returns: %0 or error on failure | |
105 | */ | |
106 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | |
107 | gfp_t gfp, int op, u32 request, const char *name, | |
2db81452 | 108 | const char *target, kuid_t ouid, const char *info, int error) |
6380bd8d JJ |
109 | { |
110 | int type = AUDIT_APPARMOR_AUTO; | |
111 | struct common_audit_data sa; | |
3b3b0e4f | 112 | struct apparmor_audit_data aad = {0,}; |
50c205f5 | 113 | sa.type = LSM_AUDIT_DATA_NONE; |
3b3b0e4f EP |
114 | sa.aad = &aad; |
115 | aad.op = op, | |
116 | aad.fs.request = request; | |
117 | aad.name = name; | |
118 | aad.fs.target = target; | |
119 | aad.fs.ouid = ouid; | |
120 | aad.info = info; | |
121 | aad.error = error; | |
122 | ||
123 | if (likely(!sa.aad->error)) { | |
6380bd8d JJ |
124 | u32 mask = perms->audit; |
125 | ||
126 | if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL)) | |
127 | mask = 0xffff; | |
128 | ||
129 | /* mask off perms that are not being force audited */ | |
3b3b0e4f | 130 | sa.aad->fs.request &= mask; |
6380bd8d | 131 | |
3b3b0e4f | 132 | if (likely(!sa.aad->fs.request)) |
6380bd8d JJ |
133 | return 0; |
134 | type = AUDIT_APPARMOR_AUDIT; | |
135 | } else { | |
136 | /* only report permissions that were denied */ | |
3b3b0e4f | 137 | sa.aad->fs.request = sa.aad->fs.request & ~perms->allow; |
6380bd8d | 138 | |
3b3b0e4f | 139 | if (sa.aad->fs.request & perms->kill) |
6380bd8d JJ |
140 | type = AUDIT_APPARMOR_KILL; |
141 | ||
142 | /* quiet known rejects, assumes quiet and kill do not overlap */ | |
3b3b0e4f | 143 | if ((sa.aad->fs.request & perms->quiet) && |
6380bd8d JJ |
144 | AUDIT_MODE(profile) != AUDIT_NOQUIET && |
145 | AUDIT_MODE(profile) != AUDIT_ALL) | |
3b3b0e4f | 146 | sa.aad->fs.request &= ~perms->quiet; |
6380bd8d | 147 | |
3b3b0e4f EP |
148 | if (!sa.aad->fs.request) |
149 | return COMPLAIN_MODE(profile) ? 0 : sa.aad->error; | |
6380bd8d JJ |
150 | } |
151 | ||
3b3b0e4f | 152 | sa.aad->fs.denied = sa.aad->fs.request & ~perms->allow; |
6380bd8d JJ |
153 | return aa_audit(type, profile, gfp, &sa, file_audit_cb); |
154 | } | |
155 | ||
156 | /** | |
157 | * map_old_perms - map old file perms layout to the new layout | |
158 | * @old: permission set in old mapping | |
159 | * | |
160 | * Returns: new permission mapping | |
161 | */ | |
162 | static u32 map_old_perms(u32 old) | |
163 | { | |
164 | u32 new = old & 0xf; | |
165 | if (old & MAY_READ) | |
166 | new |= AA_MAY_META_READ; | |
167 | if (old & MAY_WRITE) | |
168 | new |= AA_MAY_META_WRITE | AA_MAY_CREATE | AA_MAY_DELETE | | |
169 | AA_MAY_CHMOD | AA_MAY_CHOWN; | |
170 | if (old & 0x10) | |
171 | new |= AA_MAY_LINK; | |
172 | /* the old mapping lock and link_subset flags where overlaid | |
173 | * and use was determined by part of a pair that they were in | |
174 | */ | |
175 | if (old & 0x20) | |
176 | new |= AA_MAY_LOCK | AA_LINK_SUBSET; | |
177 | if (old & 0x40) /* AA_EXEC_MMAP */ | |
178 | new |= AA_EXEC_MMAP; | |
179 | ||
6380bd8d JJ |
180 | return new; |
181 | } | |
182 | ||
183 | /** | |
184 | * compute_perms - convert dfa compressed perms to internal perms | |
185 | * @dfa: dfa to compute perms for (NOT NULL) | |
186 | * @state: state in dfa | |
187 | * @cond: conditions to consider (NOT NULL) | |
188 | * | |
189 | * TODO: convert from dfa + state to permission entry, do computation conversion | |
190 | * at load time. | |
191 | * | |
192 | * Returns: computed permission set | |
193 | */ | |
194 | static struct file_perms compute_perms(struct aa_dfa *dfa, unsigned int state, | |
195 | struct path_cond *cond) | |
196 | { | |
197 | struct file_perms perms; | |
198 | ||
199 | /* FIXME: change over to new dfa format | |
200 | * currently file perms are encoded in the dfa, new format | |
201 | * splits the permissions from the dfa. This mapping can be | |
202 | * done at profile load | |
203 | */ | |
204 | perms.kill = 0; | |
205 | ||
2db81452 | 206 | if (uid_eq(current_fsuid(), cond->uid)) { |
6380bd8d JJ |
207 | perms.allow = map_old_perms(dfa_user_allow(dfa, state)); |
208 | perms.audit = map_old_perms(dfa_user_audit(dfa, state)); | |
209 | perms.quiet = map_old_perms(dfa_user_quiet(dfa, state)); | |
210 | perms.xindex = dfa_user_xindex(dfa, state); | |
211 | } else { | |
212 | perms.allow = map_old_perms(dfa_other_allow(dfa, state)); | |
213 | perms.audit = map_old_perms(dfa_other_audit(dfa, state)); | |
214 | perms.quiet = map_old_perms(dfa_other_quiet(dfa, state)); | |
215 | perms.xindex = dfa_other_xindex(dfa, state); | |
216 | } | |
38305a4b | 217 | perms.allow |= AA_MAY_META_READ; |
6380bd8d JJ |
218 | |
219 | /* change_profile wasn't determined by ownership in old mapping */ | |
220 | if (ACCEPT_TABLE(dfa)[state] & 0x80000000) | |
221 | perms.allow |= AA_MAY_CHANGE_PROFILE; | |
0421ea91 JJ |
222 | if (ACCEPT_TABLE(dfa)[state] & 0x40000000) |
223 | perms.allow |= AA_MAY_ONEXEC; | |
6380bd8d JJ |
224 | |
225 | return perms; | |
226 | } | |
227 | ||
228 | /** | |
229 | * aa_str_perms - find permission that match @name | |
230 | * @dfa: to match against (MAYBE NULL) | |
231 | * @state: state to start matching in | |
232 | * @name: string to match against dfa (NOT NULL) | |
233 | * @cond: conditions to consider for permission set computation (NOT NULL) | |
234 | * @perms: Returns - the permissions found when matching @name | |
235 | * | |
236 | * Returns: the final state in @dfa when beginning @start and walking @name | |
237 | */ | |
238 | unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start, | |
239 | const char *name, struct path_cond *cond, | |
240 | struct file_perms *perms) | |
241 | { | |
242 | unsigned int state; | |
243 | if (!dfa) { | |
244 | *perms = nullperms; | |
245 | return DFA_NOMATCH; | |
246 | } | |
247 | ||
248 | state = aa_dfa_match(dfa, start, name); | |
249 | *perms = compute_perms(dfa, state, cond); | |
250 | ||
251 | return state; | |
252 | } | |
253 | ||
254 | /** | |
255 | * is_deleted - test if a file has been completely unlinked | |
256 | * @dentry: dentry of file to test for deletion (NOT NULL) | |
257 | * | |
258 | * Returns: %1 if deleted else %0 | |
259 | */ | |
260 | static inline bool is_deleted(struct dentry *dentry) | |
261 | { | |
c6f493d6 | 262 | if (d_unlinked(dentry) && d_backing_inode(dentry)->i_nlink == 0) |
6380bd8d JJ |
263 | return 1; |
264 | return 0; | |
265 | } | |
266 | ||
267 | /** | |
268 | * aa_path_perm - do permissions check & audit for @path | |
269 | * @op: operation being checked | |
270 | * @profile: profile being enforced (NOT NULL) | |
271 | * @path: path to check permissions of (NOT NULL) | |
272 | * @flags: any additional path flags beyond what the profile specifies | |
273 | * @request: requested permissions | |
274 | * @cond: conditional info for this request (NOT NULL) | |
275 | * | |
276 | * Returns: %0 else error if access denied or other error | |
277 | */ | |
278 | int aa_path_perm(int op, struct aa_profile *profile, struct path *path, | |
279 | int flags, u32 request, struct path_cond *cond) | |
280 | { | |
281 | char *buffer = NULL; | |
282 | struct file_perms perms = {}; | |
283 | const char *name, *info = NULL; | |
284 | int error; | |
285 | ||
286 | flags |= profile->path_flags | (S_ISDIR(cond->mode) ? PATH_IS_DIR : 0); | |
57fa1e18 | 287 | error = aa_path_name(path, flags, &buffer, &name, &info); |
6380bd8d JJ |
288 | if (error) { |
289 | if (error == -ENOENT && is_deleted(path->dentry)) { | |
290 | /* Access to open files that are deleted are | |
291 | * give a pass (implicit delegation) | |
292 | */ | |
293 | error = 0; | |
57fa1e18 | 294 | info = NULL; |
6380bd8d | 295 | perms.allow = request; |
57fa1e18 | 296 | } |
6380bd8d JJ |
297 | } else { |
298 | aa_str_perms(profile->file.dfa, profile->file.start, name, cond, | |
299 | &perms); | |
300 | if (request & ~perms.allow) | |
301 | error = -EACCES; | |
302 | } | |
303 | error = aa_audit_file(profile, &perms, GFP_KERNEL, op, request, name, | |
304 | NULL, cond->uid, info, error); | |
305 | kfree(buffer); | |
306 | ||
307 | return error; | |
308 | } | |
309 | ||
310 | /** | |
311 | * xindex_is_subset - helper for aa_path_link | |
312 | * @link: link permission set | |
313 | * @target: target permission set | |
314 | * | |
315 | * test target x permissions are equal OR a subset of link x permissions | |
316 | * this is done as part of the subset test, where a hardlink must have | |
317 | * a subset of permissions that the target has. | |
318 | * | |
319 | * Returns: %1 if subset else %0 | |
320 | */ | |
321 | static inline bool xindex_is_subset(u32 link, u32 target) | |
322 | { | |
323 | if (((link & ~AA_X_UNSAFE) != (target & ~AA_X_UNSAFE)) || | |
324 | ((link & AA_X_UNSAFE) && !(target & AA_X_UNSAFE))) | |
325 | return 0; | |
326 | ||
327 | return 1; | |
328 | } | |
329 | ||
330 | /** | |
331 | * aa_path_link - Handle hard link permission check | |
332 | * @profile: the profile being enforced (NOT NULL) | |
333 | * @old_dentry: the target dentry (NOT NULL) | |
334 | * @new_dir: directory the new link will be created in (NOT NULL) | |
335 | * @new_dentry: the link being created (NOT NULL) | |
336 | * | |
337 | * Handle the permission test for a link & target pair. Permission | |
338 | * is encoded as a pair where the link permission is determined | |
339 | * first, and if allowed, the target is tested. The target test | |
340 | * is done from the point of the link match (not start of DFA) | |
341 | * making the target permission dependent on the link permission match. | |
342 | * | |
343 | * The subset test if required forces that permissions granted | |
344 | * on link are a subset of the permission granted to target. | |
345 | * | |
346 | * Returns: %0 if allowed else error | |
347 | */ | |
348 | int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, | |
349 | struct path *new_dir, struct dentry *new_dentry) | |
350 | { | |
351 | struct path link = { new_dir->mnt, new_dentry }; | |
352 | struct path target = { new_dir->mnt, old_dentry }; | |
353 | struct path_cond cond = { | |
c6f493d6 DH |
354 | d_backing_inode(old_dentry)->i_uid, |
355 | d_backing_inode(old_dentry)->i_mode | |
6380bd8d JJ |
356 | }; |
357 | char *buffer = NULL, *buffer2 = NULL; | |
358 | const char *lname, *tname = NULL, *info = NULL; | |
359 | struct file_perms lperms, perms; | |
360 | u32 request = AA_MAY_LINK; | |
361 | unsigned int state; | |
362 | int error; | |
363 | ||
364 | lperms = nullperms; | |
365 | ||
366 | /* buffer freed below, lname is pointer in buffer */ | |
57fa1e18 JJ |
367 | error = aa_path_name(&link, profile->path_flags, &buffer, &lname, |
368 | &info); | |
6380bd8d JJ |
369 | if (error) |
370 | goto audit; | |
371 | ||
372 | /* buffer2 freed below, tname is pointer in buffer2 */ | |
57fa1e18 JJ |
373 | error = aa_path_name(&target, profile->path_flags, &buffer2, &tname, |
374 | &info); | |
6380bd8d JJ |
375 | if (error) |
376 | goto audit; | |
377 | ||
378 | error = -EACCES; | |
379 | /* aa_str_perms - handles the case of the dfa being NULL */ | |
380 | state = aa_str_perms(profile->file.dfa, profile->file.start, lname, | |
381 | &cond, &lperms); | |
382 | ||
383 | if (!(lperms.allow & AA_MAY_LINK)) | |
384 | goto audit; | |
385 | ||
386 | /* test to see if target can be paired with link */ | |
387 | state = aa_dfa_null_transition(profile->file.dfa, state); | |
388 | aa_str_perms(profile->file.dfa, state, tname, &cond, &perms); | |
389 | ||
390 | /* force audit/quiet masks for link are stored in the second entry | |
391 | * in the link pair. | |
392 | */ | |
393 | lperms.audit = perms.audit; | |
394 | lperms.quiet = perms.quiet; | |
395 | lperms.kill = perms.kill; | |
396 | ||
397 | if (!(perms.allow & AA_MAY_LINK)) { | |
398 | info = "target restricted"; | |
399 | goto audit; | |
400 | } | |
401 | ||
402 | /* done if link subset test is not required */ | |
403 | if (!(perms.allow & AA_LINK_SUBSET)) | |
404 | goto done_tests; | |
405 | ||
406 | /* Do link perm subset test requiring allowed permission on link are a | |
407 | * subset of the allowed permissions on target. | |
408 | */ | |
409 | aa_str_perms(profile->file.dfa, profile->file.start, tname, &cond, | |
410 | &perms); | |
411 | ||
412 | /* AA_MAY_LINK is not considered in the subset test */ | |
413 | request = lperms.allow & ~AA_MAY_LINK; | |
414 | lperms.allow &= perms.allow | AA_MAY_LINK; | |
415 | ||
416 | request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow); | |
417 | if (request & ~lperms.allow) { | |
418 | goto audit; | |
419 | } else if ((lperms.allow & MAY_EXEC) && | |
420 | !xindex_is_subset(lperms.xindex, perms.xindex)) { | |
421 | lperms.allow &= ~MAY_EXEC; | |
422 | request |= MAY_EXEC; | |
423 | info = "link not subset of target"; | |
424 | goto audit; | |
425 | } | |
426 | ||
427 | done_tests: | |
428 | error = 0; | |
429 | ||
430 | audit: | |
431 | error = aa_audit_file(profile, &lperms, GFP_KERNEL, OP_LINK, request, | |
432 | lname, tname, cond.uid, info, error); | |
433 | kfree(buffer); | |
434 | kfree(buffer2); | |
435 | ||
436 | return error; | |
437 | } | |
438 | ||
439 | /** | |
440 | * aa_file_perm - do permission revalidation check & audit for @file | |
441 | * @op: operation being checked | |
442 | * @profile: profile being enforced (NOT NULL) | |
443 | * @file: file to revalidate access permissions on (NOT NULL) | |
444 | * @request: requested permissions | |
445 | * | |
446 | * Returns: %0 if access allowed else error | |
447 | */ | |
448 | int aa_file_perm(int op, struct aa_profile *profile, struct file *file, | |
449 | u32 request) | |
450 | { | |
451 | struct path_cond cond = { | |
496ad9aa AV |
452 | .uid = file_inode(file)->i_uid, |
453 | .mode = file_inode(file)->i_mode | |
6380bd8d JJ |
454 | }; |
455 | ||
456 | return aa_path_perm(op, profile, &file->f_path, PATH_DELEGATE_DELETED, | |
457 | request, &cond); | |
458 | } |