
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor capability mediation functions
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/capability.h>
  11. #include <linux/errno.h>
  12. #include <linux/gfp.h>
  13. #include <linux/security.h>
  14. #include <linux/timekeeping.h>
  15. #include "include/apparmor.h"
  16. #include "include/capability.h"
  17. #include "include/cred.h"
  18. #include "include/policy.h"
  19. #include "include/audit.h"
  20. /*
  21. * Table of capability names: we generate it from capabilities.h.
  22. */
  23. #include "capability_names.h"
/*
 * sfs entry table for capability mediation: the "mask" string is the
 * supported capability mask (AA_SFS_CAPS_MASK) and "extended" is a
 * boolean set to 1. The empty entry terminates the table.
 */
struct aa_sfs_entry aa_sfs_entry_caps[] = {
	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),
	AA_SFS_FILE_BOOLEAN("extended", 1),
	{ }
};
/*
 * Per-cpu state used by audit_caps() for duplicate message elimination:
 * the subject cred of the last audited request on this cpu and, per
 * capability, the ktime_get_ns() deadline until which a repeat of the same
 * cred/capability pair is not audited again.
 */
struct audit_cache {
	/* holds a cred reference taken with get_cred() in audit_caps(); it is
	 * released with put_cred() only when a different cred replaces it */
	const struct cred *ad_subj_cred;
	/* Capabilities go from 0 to CAP_LAST_CAP */
	/* 0 (never written) is always in the past, so it never matches */
	u64 ktime_ns_expiration[CAP_LAST_CAP+1];
};
static DEFINE_PER_CPU(struct audit_cache, audit_cache);
/**
 * audit_cb - add the capability name to a capability audit record
 * @ab: audit buffer (NOT NULL)
 * @va: &struct common_audit_data whose u.cap holds the capability (NOT NULL)
 *
 * Appends " capname=" followed by the name from capability_names, logged
 * as an untrusted string so it is escaped by the audit layer.
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	const struct common_audit_data *cad = va;
	const char *name = capability_names[cad->u.cap];

	audit_log_format(ab, " capname=");
	audit_log_untrustedstring(ab, name);
}
/**
 * audit_caps - audit a capability
 * @ad: audit data
 * @profile: profile being tested for confinement (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Picks the audit type from the profile mode and the per-capability
 * audit/kill/quiet sets, then suppresses repeat messages for the same
 * (cpu, subject cred, capability) for one second before handing the
 * record to aa_audit().
 *
 * Returns: 0 or ad->error on success, error code on failure
 */
static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,
		      int cap, int error)
{
	const u64 AUDIT_CACHE_TIMEOUT_NS = 1000*1000*1000; /* 1 second */
	struct aa_ruleset *rules = profile->label.rules[0];
	struct audit_cache *cache;
	int audit_type = AUDIT_APPARMOR_AUTO;

	ad->error = error;

	if (unlikely(error)) {
		if (KILL_MODE(profile) || cap_raised(rules->caps.kill, cap)) {
			audit_type = AUDIT_APPARMOR_KILL;
		} else if (cap_raised(rules->caps.quiet, cap) &&
			   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
			   AUDIT_MODE(profile) != AUDIT_ALL) {
			/* quiet auditing: the denial is not logged at all */
			return error;
		}
	} else {
		/* a successful test is only audited when forced by the
		 * profile mode or by the capability's audit rule */
		if (likely(AUDIT_MODE(profile) != AUDIT_ALL &&
			   !cap_raised(rules->caps.audit, cap)))
			return 0;
		audit_type = AUDIT_APPARMOR_AUDIT;
	}

	/* Do simple duplicate message elimination */
	cache = &get_cpu_var(audit_cache);
	/* a never-raised capability has expiration 0, which the timestamp
	 * comparison rejects as well */
	if (ad->subj_cred == cache->ad_subj_cred &&
	    ktime_get_ns() <= cache->ktime_ns_expiration[cap]) {
		put_cpu_var(audit_cache);
		return COMPLAIN_MODE(profile) ? complain_error(error) : error;
	}

	/* remember this cred/cap pair; the cache keeps a cred reference
	 * until a different cred replaces it on this cpu */
	put_cred(cache->ad_subj_cred);
	cache->ad_subj_cred = get_cred(ad->subj_cred);
	cache->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS;
	put_cpu_var(audit_cache);

	return aa_audit(audit_type, profile, ad, audit_cb);
}
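/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
 * @ad: audit data (NOT NULL)
 *
 * When the ruleset mediates @ad->class the decision comes from the dfa:
 * the capability number selects a 32 bit permission chunk (cap >> 5) and
 * a bit within it (cap & 0x1f). Otherwise the legacy allow/denied
 * capability sets decide, and the result goes through audit_caps().
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap,
			   unsigned int opts, struct apparmor_audit_data *ad)
{
	struct aa_ruleset *rules = profile->label.rules[0];
	aa_state_t state;
	int error;

	state = RULE_MEDIATES(rules, ad->class);
	if (state) {
		struct aa_perms perms = { };
		u32 request;

		/* caps broken into 256 x 32 bit permission chunks */
		state = aa_dfa_next(rules->policy->dfa, state, cap >> 5);
		/* unsigned constant: bit 31 of a chunk must not be formed by
		 * shifting a signed 1 into the sign bit */
		request = 1U << (cap & 0x1f);
		perms = *aa_lookup_perms(rules->policy, state);
		aa_apply_modes_to_perms(profile, &perms);
		if (opts & CAP_OPT_NOAUDIT) {
			/* an optional request is only noted when the chunk's
			 * complain bit is set; otherwise no audit data is
			 * passed on at all */
			if (perms.complain & request)
				ad->info = "optional: no audit";
			else
				ad = NULL;
		}
		return aa_check_perms(profile, &perms, request, ad,
				      audit_cb);
	}

	/* fallback to old caps mediation that doesn't support conditionals */
	if (cap_raised(rules->caps.allow, cap) &&
	    !cap_raised(rules->caps.denied, cap))
		error = 0;
	else
		error = -EPERM;

	if (opts & CAP_OPT_NOAUDIT) {
		if (!COMPLAIN_MODE(profile))
			return error;
		/* audit the cap request in complain mode but note that it
		 * should be optional.
		 */
		ad->info = "optional: no audit";
	}

	return audit_caps(ad, profile, cap, error);
}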
/**
 * aa_capable - test permission to use capability
 * @subj_cred: cred we are testing capability against
 * @label: label being tested for capability (NOT NULL)
 * @cap: capability to be tested
 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated
 *
 * Builds the capability audit data for @subj_cred and @cap, then runs
 * profile_capable() over the confined profiles of @label; the combined
 * result of fn_for_each_confined() is returned as is.
 *
 * Returns: 0 on success, or else an error code.
 */
int aa_capable(const struct cred *subj_cred, struct aa_label *label,
	       int cap, unsigned int opts)
{
	struct aa_profile *profile;
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);

	ad.subj_cred = subj_cred;
	ad.common.u.cap = cap;

	return fn_for_each_confined(label, profile,
				    profile_capable(profile, cap, opts, &ad));
}
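/**
 * aa_profile_capget - compute the capability set a profile allows
 * @profile: profile to query (NOT NULL)
 *
 * Mirrors the dfa layout used by profile_capable(): when the ruleset
 * mediates AA_CLASS_CAP, the allow and complain permissions of each 32 bit
 * chunk are merged into the returned set, chunk i covering capabilities
 * 32*i .. 32*i+31. Without dfa mediation the legacy allow set is returned,
 * or the full set in complain mode.
 *
 * Returns: capabilities the profile allows (or would only complain about)
 */
kernel_cap_t aa_profile_capget(struct aa_profile *profile)
{
	struct aa_ruleset *rules = profile->label.rules[0];
	aa_state_t state;

	state = RULE_MEDIATES(rules, AA_CLASS_CAP);
	if (state) {
		kernel_cap_t caps = CAP_EMPTY_SET;
		int i;

		/* caps broken into up to 256, 32 bit permission chunks.
		 * Chunk index and bit position must match profile_capable()
		 * (cap >> 5, cap & 0x1f): chunk i lands at bit 32*i, and the
		 * chunk containing CAP_LAST_CAP itself is included. The
		 * second condition keeps the shift inside the u64 val should
		 * CAP_LAST_CAP ever grow past what a u64 can represent.
		 */
		for (i = 0; i <= (CAP_LAST_CAP >> 5) &&
			    (size_t)i * 32 < 8 * sizeof(caps.val); i++) {
			struct aa_perms perms = { };
			aa_state_t tmp;

			tmp = aa_dfa_next(rules->policy->dfa, state, i);
			perms = *aa_lookup_perms(rules->policy, tmp);
			aa_apply_modes_to_perms(profile, &perms);
			caps.val |= ((u64)(perms.allow)) << (i * 32);
			caps.val |= ((u64)(perms.complain)) << (i * 32);
		}
		return caps;
	}

	/* fallback to old caps */
	if (COMPLAIN_MODE(profile))
		return CAP_FULL_SET;
	return rules->caps.allow;
}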