/* * The apparmor filesystem interface used for policy load and introspection * The interface is split into two main components based on their function * a securityfs component: * used for static files that are always available, and which allows * userspace to specify the location of the security filesystem. * * fns and data are prefixed with * aa_sfs_ * * an apparmorfs component: * used loaded policy content and introspection. It is not part of a * regular mounted filesystem and is available only through the magic * policy symlink in the root of the securityfs apparmor/ directory. * Tasks queries will be magically redirected to the correct portion * of the policy tree based on their confinement. * * fns and data are prefixed with * aafs_ * * The aa_fs_ prefix is used to indicate the fn is used by both the * securityfs and apparmorfs filesystems.
*/
if (size > SIZE_MAX - sizeof(*ret)) return ERR_PTR(-EINVAL);
ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); if (!ret) return ERR_PTR(-ENOMEM);
return ret;
} #endif
/** * mangle_name - mangle a profile name to std profile layout form * @name: profile name to mangle (NOT NULL) * @target: buffer to store mangled name, same length as @name (MAYBE NULL) * * Returns: length of mangled name
*/ staticint mangle_name(constchar *name, char *target)
{ char *t = target;
while (*name == '/' || *name == '.')
name++;
if (target) { for (; *name; name++) { if (*name == '/')
*(t)++ = '.'; elseif (isspace(*name))
*(t)++ = '_'; elseif (isalnum(*name) || strchr("._-", *name))
*(t)++ = *name;
}
*t = 0;
} else { int len = 0; for (; *name; name++) { if (isalnum(*name) || isspace(*name) ||
strchr("/._-", *name))
len++;
}
return len;
}
return t - target;
}
/* * aafs - core fns and data for the policy tree
*/
/** * __aafs_setup_d_inode - basic inode setup for apparmorfs * @dir: parent directory for the dentry * @dentry: dentry we are setting the inode up for * @mode: permissions the file should have * @data: data to store on inode.i_private, available in open() * @link: if symlink, symlink target string * @fops: struct file_operations that should be used * @iops: struct of inode_operations that should be used
*/ staticint __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry,
umode_t mode, void *data, char *link, conststruct file_operations *fops, conststruct inode_operations *iops)
{ struct inode *inode = new_inode(dir->i_sb);
/** * aafs_create - create a dentry in the apparmorfs filesystem * * @name: name of dentry to create * @mode: permissions the file should have * @parent: parent directory for this dentry * @data: data to store on inode.i_private, available in open() * @link: if symlink, symlink target string * @fops: struct file_operations that should be used for * @iops: struct of inode_operations that should be used * * This is the basic "create a xxx" function for apparmorfs. * * Returns a pointer to a dentry if it succeeds, that must be free with * aafs_remove(). Will return ERR_PTR on failure.
*/ staticstruct dentry *aafs_create(constchar *name, umode_t mode, struct dentry *parent, void *data, void *link, conststruct file_operations *fops, conststruct inode_operations *iops)
{ struct dentry *dentry; struct inode *dir; int error;
/** * aafs_create_file - create a file in the apparmorfs filesystem * * @name: name of dentry to create * @mode: permissions the file should have * @parent: parent directory for this dentry * @data: data to store on inode.i_private, available in open() * @fops: struct file_operations that should be used for * * see aafs_create
*/ staticstruct dentry *aafs_create_file(constchar *name, umode_t mode, struct dentry *parent, void *data, conststruct file_operations *fops)
{ return aafs_create(name, mode, parent, data, NULL, fops, NULL);
}
/** * aafs_create_dir - create a directory in the apparmorfs filesystem * * @name: name of dentry to create * @parent: parent directory for this dentry * * see aafs_create
*/ staticstruct dentry *aafs_create_dir(constchar *name, struct dentry *parent)
{ return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL,
NULL);
}
/** * aafs_remove - removes a file or directory from the apparmorfs filesystem * * @dentry: dentry of the file/directory/symlink to removed.
*/ staticvoid aafs_remove(struct dentry *dentry)
{ struct inode *dir;
if (!dentry || IS_ERR(dentry)) return;
dir = d_inode(dentry->d_parent);
inode_lock(dir); if (simple_positive(dentry)) { if (d_is_dir(dentry))
simple_rmdir(dir, dentry); else
simple_unlink(dir, dentry);
d_delete(dentry);
dput(dentry);
}
inode_unlock(dir);
simple_release_fs(&aafs_mnt, &aafs_count);
}
/* * aa_fs - policy load/replace/remove
*/
/** * aa_simple_write_to_buffer - common routine for getting policy from user * @userbuf: user buffer to copy data from (NOT NULL) * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) * @copy_size: size of data to copy from user buffer * @pos: position write is at in the file (NOT NULL) * * Returns: kernel buffer containing copy of user buffer data or an * ERR_PTR on failure.
*/ staticstruct aa_loaddata *aa_simple_write_to_buffer(constchar __user *userbuf,
size_t alloc_size,
size_t copy_size,
loff_t *pos)
{ struct aa_loaddata *data;
AA_BUG(copy_size > alloc_size);
if (*pos != 0) /* only writes from pos 0, that is complete writes */ return ERR_PTR(-ESPIPE);
/* freed by caller to simple_write_to_buffer */
data = aa_loaddata_alloc(alloc_size); if (IS_ERR(data)) return data;
/* high level check about policy management - fine grained in * below after unpack
*/
error = aa_may_manage_policy(current_cred(), label, ns, mask); if (error) goto end_section;
label = begin_current_label_crit_section(); /* high level check about policy management - fine grained in * below after unpack
*/
error = aa_may_manage_policy(current_cred(), label, ns,
AA_MAY_REMOVE_POLICY); if (error) goto out;
/* * aa_remove_profile needs a null terminated string so 1 extra * byte is allocated and the copied data is null terminated.
*/
data = aa_simple_write_to_buffer(buf, size + 1, size, pos);
if (profile_unconfined(profile)) return; if (rules->file->dfa && *match_str == AA_CLASS_FILE) {
state = aa_dfa_match_len(rules->file->dfa,
rules->file->start[AA_CLASS_FILE],
match_str + 1, match_len - 1); if (state) { struct path_cond cond = { };
tmp = *(aa_lookup_condperms(current_fsuid(),
rules->file, state, &cond));
}
} elseif (rules->policy->dfa) { if (!RULE_MEDIATES(rules, *match_str)) return; /* no change to current perms */ /* old user space does not correctly detect dbus mediation * support so we may get dbus policy and requests when * the abi doesn't support it. This can cause mediation * regressions, so explicitly test for this situation.
*/ if (*match_str == AA_CLASS_DBUS &&
!RULE_MEDIATES_v9NET(rules)) return; /* no change to current perms */
state = aa_dfa_match_len(rules->policy->dfa,
rules->policy->start[0],
match_str, match_len); if (state)
tmp = *aa_lookup_perms(rules->policy, state);
}
aa_apply_modes_to_perms(profile, &tmp);
aa_perms_accum_raw(perms, &tmp);
}
/** * query_data - queries a policy and writes its data to buf * @buf: the resulting data is stored here (NOT NULL) * @buf_len: size of buf * @query: query string used to retrieve data * @query_len: size of query including second NUL byte * * The buffers pointed to by buf and query may overlap. The query buffer is * parsed before buf is written to. * * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of * the security confinement context and <KEY> is the name of the data to * retrieve. <LABEL> and <KEY> must not be NUL-terminated. * * Don't expect the contents of buf to be preserved on failure. * * Returns: number of characters written to buf or -errno on failure
*/ static ssize_t query_data(char *buf, size_t buf_len, char *query, size_t query_len)
{ char *out; constchar *key; struct label_it i; struct aa_label *label, *curr; struct aa_profile *profile; struct aa_data *data;
u32 bytes, blocks;
__le32 outle32;
if (!query_len) return -EINVAL; /* need a query */
key = query + strnlen(query, query_len) + 1; if (key + 1 >= query + query_len) return -EINVAL; /* not enough space for a non-empty key */ if (key + strnlen(key, query + query_len - key) >= query + query_len) return -EINVAL; /* must end with NUL */
if (buf_len < sizeof(bytes) + sizeof(blocks)) return -EINVAL; /* not enough space */
/* We are going to leave space for two numbers. The first is the total * number of bytes we are writing after the first number. This is so * users can read the full output without reallocation. * * The second number is the number of data blocks we're writing. An * application might be confined by multiple policies having data in * the same key.
*/
memset(buf, 0, sizeof(bytes) + sizeof(blocks));
out = buf + sizeof(bytes) + sizeof(blocks);
blocks = 0;
label_for_each_confined(i, label, profile) { if (!profile->data) continue;
data = rhashtable_lookup_fast(profile->data, &key,
profile->data->p);
if (data) { if (out + sizeof(outle32) + data->size > buf +
buf_len) {
aa_put_label(label); return -EINVAL; /* not enough space */
}
outle32 = __cpu_to_le32(data->size);
memcpy(out, &outle32, sizeof(outle32));
out += sizeof(outle32);
memcpy(out, data->data, data->size);
out += data->size;
blocks++;
}
}
aa_put_label(label);
/** * query_label - queries a label and writes permissions to buf * @buf: the resulting permissions string is stored here (NOT NULL) * @buf_len: size of buf * @query: binary query string to match against the dfa * @query_len: size of query * @view_only: only compute for querier's view * * The buffers pointed to by buf and query may overlap. The query buffer is * parsed before buf is written to. * * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is * the name of the label, in the current namespace, that is to be queried and * DFA_STRING is a binary string to match against the label(s)'s DFA. * * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters * but must *not* be NUL terminated. * * Returns: number of characters written to buf or -errno on failure
*/ static ssize_t query_label(char *buf, size_t buf_len, char *query, size_t query_len, bool view_only)
{ struct aa_profile *profile; struct aa_label *label, *curr; char *label_name, *match_str;
size_t label_name_len, match_len; struct aa_perms perms; struct label_it i;
/** * The extra byte is to account for the null byte between the * profile name and dfa string. profile_name_len is greater * than zero and less than query_len, so a byte can be safely * added or subtracted.
*/
match_str = label_name + label_name_len + 1;
match_len = query_len - label_name_len - 1;
/* * Transaction based IO. * The file expects a write which triggers the transaction, and then * possibly a read(s) which collects the result - which is stored in a * file-local buffer. Once a new write is performed, a new set of results * are stored in the file-local buffer.
*/ struct multi_transaction { struct kref count;
ssize_t size; char data[];
};
/** * aa_write_access - generic permissions and data query * @file: pointer to open apparmorfs/access file * @ubuf: user buffer containing the complete query string (NOT NULL) * @count: size of ubuf * @ppos: position in the file (MUST BE ZERO) * * Allows for one permissions or data query per open(), write(), and read() * sequence. The only queries currently supported are label-based queries for * permissions or data. * * For permissions queries, ubuf must begin with "label\0", followed by the * profile query specific format described in the query_label() function * documentation. * * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where * <LABEL> is the name of the security confinement context and <KEY> is the * name of the data to retrieve. * * Returns: number of bytes written or -errno on failure
*/ static ssize_t aa_write_access(struct file *file, constchar __user *ubuf,
size_t count, loff_t *ppos)
{ struct multi_transaction *t;
ssize_t len;
if (*ppos) return -ESPIPE;
t = multi_transaction_new(file, ubuf, count); if (IS_ERR(t)) return PTR_ERR(t);
staticvoid remove_rawdata_dents(struct aa_loaddata *rawdata)
{ int i;
for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) { if (!IS_ERR_OR_NULL(rawdata->dents[i])) { /* no refcounts on i_private */
aafs_remove(rawdata->dents[i]);
rawdata->dents[i] = NULL;
}
}
}
/* * just use ns revision dir was originally created at. This is * under ns->lock and if load is successful revision will be * bumped and is guaranteed to be unique
*/
rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision); if (!rawdata->name) return -ENOMEM;
dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns)); if (IS_ERR(dir)) /* ->name freed when rawdata freed */ return PTR_ERR(dir);
rawdata->dents[AAFS_LOADDATA_DIR] = dir;
/* we have to unlock and then relock to get locking order right * for pin_fs
*/
inode_unlock(dir);
error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
mutex_lock_nested(&parent->lock, parent->level);
inode_lock_nested(dir, I_MUTEX_PARENT); if (error) goto out;
parent = aa_get_ns(dir->i_private); /* rmdir calls the generic securityfs functions to remove files * from the apparmor dir. It is up to the apparmor ns locking * to avoid races.
*/
inode_unlock(dir);
inode_unlock(dentry->d_inode);
if (ns_subns_dir(ns)) {
sub = d_inode(ns_subns_dir(ns))->i_private;
aa_put_ns(sub);
} if (ns_subload(ns)) {
sub = d_inode(ns_subload(ns))->i_private;
aa_put_ns(sub);
} if (ns_subreplace(ns)) {
sub = d_inode(ns_subreplace(ns))->i_private;
aa_put_ns(sub);
} if (ns_subremove(ns)) {
sub = d_inode(ns_subremove(ns))->i_private;
aa_put_ns(sub);
} if (ns_subrevision(ns)) {
sub = d_inode(ns_subrevision(ns))->i_private;
aa_put_ns(sub);
}
for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) {
aafs_remove(ns->dents[i]);
ns->dents[i] = NULL;
}
}
/* use create_dentry so we can supply private data */
dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL,
&ns_dir_inode_operations); if (IS_ERR(dent)) return PTR_ERR(dent);
aa_get_ns(ns);
ns_subns_dir(ns) = dent;
return 0;
}
/* * Requires: @ns->lock held
*/ int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, constchar *name, struct dentry *dent)
{ struct aa_ns *sub; struct aa_profile *child; struct dentry *dir; int error;
/** * __next_ns - find the next namespace to list * @root: root namespace to stop search at (NOT NULL) * @ns: current ns position (NOT NULL) * * Find the next namespace from @ns under @root and handle all locking needed * while switching current namespace. * * Returns: next namespace or NULL if at last namespace under @root * Requires: ns->parent->lock to be held * NOTE: will not unlock root->lock
*/ staticstruct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
{ struct aa_ns *parent, *next;
/* is next namespace a child */ if (!list_empty(&ns->sub_ns)) {
next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
mutex_lock_nested(&next->lock, next->level); return next;
}
/* check if the next ns is a sibling, parent, gp, .. */
parent = ns->parent; while (ns != root) {
mutex_unlock(&ns->lock);
next = list_next_entry(ns, base.list); if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
mutex_lock_nested(&next->lock, next->level); return next;
}
ns = parent;
parent = parent->parent;
}
return NULL;
}
/** * __first_profile - find the first profile in a namespace * @root: namespace that is root of profiles being displayed (NOT NULL) * @ns: namespace to start in (NOT NULL) * * Returns: unrefcounted profile or NULL if no profile * Requires: profile->ns.lock to be held
*/ staticstruct aa_profile *__first_profile(struct aa_ns *root, struct aa_ns *ns)
{
AA_BUG(!root);
AA_BUG(ns && !mutex_is_locked(&ns->lock));
for (; ns; ns = __next_ns(root, ns)) { if (!list_empty(&ns->base.profiles)) return list_first_entry(&ns->base.profiles, struct aa_profile, base.list);
} return NULL;
}
/** * __next_profile - step to the next profile in a profile tree * @p: current profile in tree (NOT NULL) * * Perform a depth first traversal on the profile tree in a namespace * * Returns: next profile or NULL if done * Requires: profile->ns.lock to be held
*/ staticstruct aa_profile *__next_profile(struct aa_profile *p)
{ struct aa_profile *parent; struct aa_ns *ns = p->ns;
AA_BUG(!mutex_is_locked(&profiles_ns(p)->lock));
/* is next profile a child */ if (!list_empty(&p->base.profiles)) return list_first_entry(&p->base.profiles, typeof(*p),
base.list);
/* is next profile a sibling, parent sibling, gp, sibling, .. */
parent = rcu_dereference_protected(p->parent,
mutex_is_locked(&p->ns->lock)); while (parent) {
p = list_next_entry(p, base.list); if (!list_entry_is_head(p, &parent->base.profiles, base.list)) return p;
p = parent;
parent = rcu_dereference_protected(parent->parent,
mutex_is_locked(&parent->ns->lock));
}
/* is next another profile in the namespace */
p = list_next_entry(p, base.list); if (!list_entry_is_head(p, &ns->base.profiles, base.list)) return p;
return NULL;
}
/** * next_profile - step to the next profile in where ever it may be * @root: root namespace (NOT NULL) * @profile: current profile (NOT NULL) * * Returns: next profile or NULL if there isn't one
*/ staticstruct aa_profile *next_profile(struct aa_ns *root, struct aa_profile *profile)
{ struct aa_profile *next = __next_profile(profile); if (next) return next;
/* finished all profiles in namespace move to next namespace */ return __first_profile(root, __next_ns(root, profile->ns));
}
/** * p_start - start a depth first traversal of profile tree * @f: seq_file to fill * @pos: current position * * Returns: first profile under current namespace or NULL if none found * * acquires first ns->lock
*/ staticvoid *p_start(struct seq_file *f, loff_t *pos)
{ struct aa_profile *profile = NULL; struct aa_ns *root = aa_get_current_ns();
loff_t l = *pos;
f->private = root;
/* find the first profile */
mutex_lock_nested(&root->lock, root->level);
profile = __first_profile(root, root);
/* skip to position */ for (; profile && l > 0; l--)
profile = next_profile(root, profile);
return profile;
}
/** * p_next - read the next profile entry * @f: seq_file to fill * @p: profile previously returned * @pos: current position * * Returns: next profile after @p or NULL if none * * may acquire/release locks in namespace tree as necessary
*/ staticvoid *p_next(struct seq_file *f, void *p, loff_t *pos)
{ struct aa_profile *profile = p; struct aa_ns *ns = f->private;
(*pos)++;
return next_profile(ns, profile);
}
/** * p_stop - stop depth first traversal * @f: seq_file we are filling * @p: the last profile written * * Release all locking done by p_start/p_next on namespace tree
*/ staticvoid p_stop(struct seq_file *f, void *p)
{ struct aa_profile *profile = p; struct aa_ns *root = f->private, *ns;
if (profile) { for (ns = profile->ns; ns && ns != root; ns = ns->parent)
mutex_unlock(&ns->lock);
}
mutex_unlock(&root->lock);
aa_put_ns(root);
}
/** * seq_show_profile - show a profile entry * @f: seq_file to file * @p: current position (profile) (NOT NULL) * * Returns: error on failure
*/ staticint seq_show_profile(struct seq_file *f, void *p)
{ struct aa_profile *profile = (struct aa_profile *)p; struct aa_ns *root = f->private;
/** * entry_create_file - create a file entry in the apparmor securityfs * @fs_file: aa_sfs_entry to build an entry for (NOT NULL) * @parent: the parent dentry in the securityfs * * Use entry_remove_file to remove entries created with this fn.
*/ staticint __init entry_create_file(struct aa_sfs_entry *fs_file, struct dentry *parent)
{ int error = 0;
staticvoid __init entry_remove_dir(struct aa_sfs_entry *fs_dir); /** * entry_create_dir - recursively create a directory entry in the securityfs * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL) * @parent: the parent dentry in the securityfs * * Use entry_remove_dir to remove entries created with this fn.
*/ staticint __init entry_create_dir(struct aa_sfs_entry *fs_dir, struct dentry *parent)
{ struct aa_sfs_entry *fs_file; struct dentry *dir; int error;
dir = securityfs_create_dir(fs_dir->name, parent); if (IS_ERR(dir)) return PTR_ERR(dir);
fs_dir->dentry = dir;
for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) { if (fs_file->v_type == AA_SFS_TYPE_DIR)
error = entry_create_dir(fs_file, fs_dir->dentry); else
error = entry_create_file(fs_file, fs_dir->dentry); if (error) goto failed;
}
return 0;
failed:
entry_remove_dir(fs_dir);
return error;
}
/** * entry_remove_file - drop a single file entry in the apparmor securityfs * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
*/ staticvoid __init entry_remove_file(struct aa_sfs_entry *fs_file)
{ if (!fs_file->dentry) return;
¤ Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.0.65Bemerkung:
(vorverarbeitet)
¤
Die Informationen auf dieser Webseite wurden
nach bestem Wissen sorgfältig zusammengestellt. Es wird jedoch weder Vollständigkeit, noch Richtigkeit,
noch Qualität der bereit gestellten Informationen zugesichert.
Bemerkung:
Die farbliche Syntaxdarstellung und die Messung sind noch experimentell.
