  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor mediation of files
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/tty.h>
  11. #include <linux/fdtable.h>
  12. #include <linux/file.h>
  13. #include <linux/fs.h>
  14. #include <linux/mount.h>
  15. #include "include/af_unix.h"
  16. #include "include/apparmor.h"
  17. #include "include/audit.h"
  18. #include "include/cred.h"
  19. #include "include/file.h"
  20. #include "include/match.h"
  21. #include "include/net.h"
  22. #include "include/path.h"
  23. #include "include/policy.h"
  24. #include "include/label.h"
/*
 * map_mask_to_chr_mask - reduce a file request mask to displayable bits
 * @mask: AppArmor file permission mask
 *
 * Only the bits in PERMS_CHRS_MASK have a character in aa_file_perm_chrs
 * (see file_audit_cb()). The getattr bit is reported as read and the
 * setattr/chmod/chown bits as write so they still show up in the log.
 *
 * Returns: the mask restricted to bits that can be rendered
 */
static u32 map_mask_to_chr_mask(u32 mask)
{
	u32 displayable = mask & PERMS_CHRS_MASK;
	bool read_like = mask & AA_MAY_GETATTR;
	bool write_like = mask & (AA_MAY_SETATTR | AA_MAY_CHMOD | AA_MAY_CHOWN);

	if (read_like)
		displayable |= MAY_READ;
	if (write_like)
		displayable |= MAY_WRITE;

	return displayable;
}
/**
 * file_audit_cb - call back for file specific audit fields
 * @ab: audit_buffer (NOT NULL)
 * @va: audit struct to audit values of (NOT NULL)
 *
 * Appends the file-class fields to an audit record: the requested and
 * denied masks rendered as permission characters, the subject's fsuid and
 * the object uid (only when something was requested), and the target,
 * which is a peer label when one is set and otherwise the target name.
 */
static void file_audit_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	struct apparmor_audit_data *ad = aad(sa);
	const bool has_request = ad->request & AA_AUDIT_FILE_MASK;
	const bool has_denied = ad->denied & AA_AUDIT_FILE_MASK;
	kuid_t fsuid;
	char str[10];

	/* the subject cred may be absent; fall back to the current task */
	fsuid = ad->subj_cred ? ad->subj_cred->fsuid : current_fsuid();

	if (has_request) {
		aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
				    map_mask_to_chr_mask(ad->request));
		audit_log_format(ab, " requested_mask=\"%s\"", str);
	}
	if (has_denied) {
		aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,
				    map_mask_to_chr_mask(ad->denied));
		audit_log_format(ab, " denied_mask=\"%s\"", str);
	}
	if (has_request) {
		/* uids are reported relative to the initial user namespace */
		audit_log_format(ab, " fsuid=%d",
				 from_kuid(&init_user_ns, fsuid));
		audit_log_format(ab, " ouid=%d",
				 from_kuid(&init_user_ns, ad->fs.ouid));
	}

	/* a peer label wins over a textual target name */
	if (ad->peer) {
		audit_log_format(ab, " target=");
		aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
				FLAG_VIEW_SUBNS, GFP_KERNEL);
	} else if (ad->fs.target) {
		audit_log_format(ab, " target=");
		/* the name is caller controlled; log it as an untrusted string */
		audit_log_untrustedstring(ab, ad->fs.target);
	}
}
/**
 * aa_audit_file - handle the auditing of file operations
 * @subj_cred: cred of the subject
 * @profile: the profile being enforced (NOT NULL)
 * @perms: the permissions computed for the request (NOT NULL)
 * @op: operation being mediated
 * @request: permissions requested
 * @name: name of object being mediated (MAYBE NULL)
 * @target: name of target (MAYBE NULL)
 * @tlabel: target label (MAY BE NULL)
 * @ouid: object uid
 * @info: extra information message (MAYBE NULL)
 * @error: 0 if operation allowed else failure error code
 *
 * Decides whether the operation deserves an audit record and of which
 * type. An allowed request is only logged for the bits in the force-audit
 * mask (every bit when the profile is in AUDIT_ALL mode). A denied
 * request is reduced to the bits that were actually denied, escalated to
 * AUDIT_APPARMOR_KILL when one of them is in the kill mask, and silenced
 * for bits in the quiet mask unless the audit mode forbids quieting.
 *
 * Returns: %0 when an allowed request needs no record, @error when a
 *          denial was fully quieted, else the result of aa_audit()
 */
int aa_audit_file(const struct cred *subj_cred,
		  struct aa_profile *profile, struct aa_perms *perms,
		  const char *op, u32 request, const char *name,
		  const char *target, struct aa_label *tlabel,
		  kuid_t ouid, const char *info, int error)
{
	int type = AUDIT_APPARMOR_AUTO;
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);

	ad.subj_cred = subj_cred;
	ad.request = request;
	ad.tags = perms->tag;
	ad.name = name;
	ad.fs.target = target;
	ad.peer = tlabel;
	ad.fs.ouid = ouid;
	ad.info = info;
	ad.error = error;
	ad.common.u.tsk = NULL;

	if (likely(!ad.error)) {
		u32 mask = perms->audit;

		/* AUDIT_ALL logs every allowed request, not only forced bits */
		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
			mask = 0xffff;

		/* mask off perms that are not being force audited */
		ad.request &= mask;

		if (likely(!ad.request))
			return 0;

		type = AUDIT_APPARMOR_AUDIT;
	} else {
		/* only report permissions that were denied */
		ad.request = ad.request & ~perms->allow;
		/* a failure with nothing outside the allow set is a caller bug */
		AA_BUG(!ad.request);

		if (ad.request & perms->kill)
			type = AUDIT_APPARMOR_KILL;

		/* quiet known rejects, assumes quiet and kill do not overlap */
		if ((ad.request & perms->quiet) &&
		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		    AUDIT_MODE(profile) != AUDIT_ALL)
			ad.request &= ~perms->quiet;

		/* everything denied was quieted: no record, but still fail */
		if (!ad.request)
			return ad.error;
	}

	/* denied_mask in the record is whatever remains outside allow */
	ad.denied = ad.request & ~perms->allow;
	return aa_audit(type, profile, &ad, file_audit_cb);
}
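/**
 * path_name - build the mediated name for @path and audit any failure
 * @op: operation being mediated
 * @subj_cred: subject cred
 * @label: label being enforced (NOT NULL)
 * @path: path to compute the name for (NOT NULL)
 * @flags: path lookup flags
 * @buffer: buffer the name is built in (NOT NULL)
 * @name: Returns - pointer to the computed name (NULL on the aa_null path)
 * @cond: path conditionals; only the uid is used, for the audit record
 * @request: requested permissions, for the audit record
 *
 * A name lookup failure is audited by every confined profile in @label
 * as a denial of @request, using the value aa_path_name() left in *@name.
 *
 * A file closed during inheritance (its dentry replaced by aa_null) is
 * denied without auditing, the same way aa_file_perm() handles it.
 * Previously this case fell through into the audit block although
 * aa_path_name() had never run, so *@name was an indeterminate pointer
 * when it was handed to aa_audit_file().
 *
 * Returns: %0 on success, else error (*@name must not be used)
 */
static int path_name(const char *op, const struct cred *subj_cred,
		     struct aa_label *label,
		     const struct path *path, int flags, char *buffer,
		     const char **name, struct path_cond *cond, u32 request)
{
	struct aa_profile *profile;
	const char *info = NULL;
	int error;

	/* don't reaudit files closed during inheritance */
	if (unlikely(path->dentry == aa_null.dentry)) {
		*name = NULL;
		return -EACCES;
	}

	error = aa_path_name(path, flags, buffer, name, &info,
			     labels_profile(label)->disconnected);
	if (error) {
		fn_for_each_confined(label, profile,
			aa_audit_file(subj_cred,
				      profile, &nullperms, op, request, *name,
				      NULL, NULL, cond->uid, info, error));
		return error;
	}

	return 0;
}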
/* all-zero permission set handed out for a policydb without a perms table */
struct aa_perms default_perms = {};
/**
 * aa_lookup_condperms - convert dfa compressed perms to internal perms
 * @subj_uid: uid to use for subject owner test
 * @rules: the aa_policydb to lookup perms for (NOT NULL)
 * @state: state in dfa
 * @cond: conditions to consider (NOT NULL)
 *
 * The accept table maps @state to a base index into @rules->perms. When
 * the state carries ACCEPT_FLAG_OWNER the entry at that index is for a
 * subject that owns the object and the following entry for anyone else.
 *
 * TODO: convert from dfa + state to permission entry
 *
 * Returns: a pointer to a file permission set (never NULL; a policydb
 *          with no perms table yields the all-zero default_perms)
 */
struct aa_perms *aa_lookup_condperms(kuid_t subj_uid, struct aa_policydb *rules,
				     aa_state_t state, struct path_cond *cond)
{
	unsigned int base = ACCEPT_TABLE(rules->dfa)[state];
	bool owner_conditional;

	if (!rules->perms)
		return &default_perms;

	owner_conditional = ACCEPT_TABLE2(rules->dfa)[state] & ACCEPT_FLAG_OWNER;

	/* non-owners use the second entry of the owner/other pair */
	if (owner_conditional && !uid_eq(subj_uid, cond->uid))
		base++;

	return &rules->perms[base];
}
/**
 * aa_str_perms - find permission that match @name
 * @file_rules: the aa_policydb to match against (NOT NULL)
 * @start: state to start matching in
 * @name: string to match against dfa (NOT NULL)
 * @cond: conditions to consider for permission set computation (NOT NULL)
 * @perms: Returns - the permissions found when matching @name
 *
 * NOTE(review): the owner conditional is evaluated against current_fsuid(),
 * not against the subject cred the callers thread through for auditing.
 * The two only coincide when the check is done for the current task's own
 * credentials; confirm before reusing this on behalf of another cred.
 *
 * Returns: the final state in @dfa when beginning @start and walking @name
 */
aa_state_t aa_str_perms(struct aa_policydb *file_rules, aa_state_t start,
			const char *name, struct path_cond *cond,
			struct aa_perms *perms)
{
	const aa_state_t final = aa_dfa_match(file_rules->dfa, start, name);
	const struct aa_perms *found;

	found = aa_lookup_condperms(current_fsuid(), file_rules, final, cond);
	*perms = *found;

	return final;
}
/**
 * __aa_path_perm - check @request for @name against one profile's file rules
 * @op: operation being checked
 * @subj_cred: subject cred
 * @profile: profile being enforced (NOT NULL)
 * @name: mediated name of the object (NOT NULL)
 * @request: requested permissions
 * @cond: path conditionals (NOT NULL)
 * @flags: path flags; PATH_SOCK_COND marks a socket conditional
 * @perms: Returns - the permissions matched for @name
 *
 * @perms is left untouched on the early-allow paths.
 *
 * Returns: %0 if allowed else error, after auditing through aa_audit_file()
 */
int __aa_path_perm(const char *op, const struct cred *subj_cred,
		   struct aa_profile *profile, const char *name,
		   u32 request, struct path_cond *cond, int flags,
		   struct aa_perms *perms)
{
	struct aa_ruleset *rules = profile->label.rules[0];
	int error = 0;

	if (profile_unconfined(profile))
		return 0;
	/* socket conditionals are only mediated by rulesets that have
	 * RULE_MEDIATES_v9NET set */
	if ((flags & PATH_SOCK_COND) && !RULE_MEDIATES_v9NET(rules))
		return 0;

	aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
		     name, cond, perms);

	/* any requested bit outside the allow set is a denial */
	if (request & ~perms->allow)
		error = -EACCES;

	return aa_audit_file(subj_cred, profile, perms, op, request, name,
			     NULL, NULL, cond->uid, NULL, error);
}
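/**
 * profile_path_perm - build the name for @path and check it for @profile
 * @op: operation being checked
 * @subj_cred: subject cred
 * @profile: profile being enforced (NOT NULL)
 * @path: path to check (NOT NULL)
 * @buffer: buffer the name is built in (NOT NULL)
 * @request: requested permissions
 * @cond: path conditionals (NOT NULL)
 * @flags: caller path flags; the profile's own path_flags are added only
 *         for name construction, not for the __aa_path_perm() check
 * @perms: Returns - the permissions matched for the name
 *
 * @name is initialised to NULL: path_name() can fail before it ever
 * writes the name (the aa_null short-circuit), and the error path should
 * not be left holding an indeterminate pointer.
 *
 * Returns: %0 if allowed else error
 */
static int profile_path_perm(const char *op, const struct cred *subj_cred,
			     struct aa_profile *profile,
			     const struct path *path, char *buffer, u32 request,
			     struct path_cond *cond, int flags,
			     struct aa_perms *perms)
{
	const char *name = NULL;
	int error;

	if (profile_unconfined(profile))
		return 0;

	error = path_name(op, subj_cred, &profile->label, path,
			  flags | profile->path_flags, buffer, &name, cond,
			  request);
	if (error)
		return error;

	return __aa_path_perm(op, subj_cred, profile, name, request, cond,
			      flags, perms);
}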
/**
 * aa_path_perm - do permissions check & audit for @path
 * @op: operation being checked
 * @subj_cred: subject cred
 * @label: profile being enforced (NOT NULL)
 * @path: path to check permissions of (NOT NULL)
 * @flags: any additional path flags beyond what the profile specifies
 * @request: requested permissions
 * @cond: conditional info for this request (NOT NULL)
 *
 * Every confined profile in @label is checked with profile_path_perm();
 * the name buffer is shared between them and released before returning.
 *
 * Returns: %0 else error if access denied or other error
 */
int aa_path_perm(const char *op, const struct cred *subj_cred,
		 struct aa_label *label,
		 const struct path *path, int flags, u32 request,
		 struct path_cond *cond)
{
	struct aa_perms perms = {};
	struct aa_profile *profile;
	char *name_buf;
	int error;

	/* deleted paths are always named; directories are flagged as such */
	flags |= PATH_DELEGATE_DELETED;
	if (S_ISDIR(cond->mode))
		flags |= PATH_IS_DIR;

	name_buf = aa_get_buffer(false);
	if (!name_buf)
		return -ENOMEM;

	error = fn_for_each_confined(label, profile,
			profile_path_perm(op, subj_cred, profile, path, name_buf,
					  request, cond, flags, &perms));

	aa_put_buffer(name_buf);
	return error;
}
/**
 * xindex_is_subset - helper for aa_path_link
 * @link: exec index of the link permission set
 * @target: exec index of the target permission set
 *
 * Part of the hard link subset test: the link's exec transition must be
 * the same as the target's once the unsafe bit is ignored, and the link
 * may only be marked unsafe when the target is marked unsafe too.
 *
 * Returns: true if subset else false
 */
static inline bool xindex_is_subset(u32 link, u32 target)
{
	const u32 link_index = link & ~AA_X_UNSAFE;
	const u32 target_index = target & ~AA_X_UNSAFE;
	const bool link_unsafe = link & AA_X_UNSAFE;
	const bool target_unsafe = target & AA_X_UNSAFE;

	if (link_index != target_index)
		return false;
	if (link_unsafe && !target_unsafe)
		return false;
	return true;
}
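/**
 * profile_path_link - check a hard link request against one profile
 * @subj_cred: subject cred
 * @profile: profile being enforced (NOT NULL)
 * @link: path of the link being created (NOT NULL)
 * @buffer: buffer the link name is built in (NOT NULL)
 * @target: path of the existing file being linked to (NOT NULL)
 * @buffer2: buffer the target name is built in (NOT NULL)
 * @cond: path conditionals of the target (NOT NULL)
 *
 * The link name is matched first. The target is then matched from the
 * state reached by the link match, through a null transition, so the
 * target rule is the one paired with the link rule. When that pair sets
 * AA_LINK_SUBSET the permissions granted on the link must be a subset of
 * those granted on the target when it is matched from the start state,
 * and the exec index is compared with xindex_is_subset().
 *
 * @lname starts out NULL so that a failure of the first path_name() call,
 * which may return without writing it, reaches the audit with a NULL name
 * instead of an indeterminate pointer; @tname already was.
 *
 * Returns: %0 if the link is allowed else error, after auditing
 */
static int profile_path_link(const struct cred *subj_cred,
			     struct aa_profile *profile,
			     const struct path *link, char *buffer,
			     const struct path *target, char *buffer2,
			     struct path_cond *cond)
{
	struct aa_ruleset *rules = profile->label.rules[0];
	const char *lname = NULL, *tname = NULL;
	struct aa_perms lperms = {}, perms;
	const char *info = NULL;
	u32 request = AA_MAY_LINK;
	aa_state_t state;
	int error;

	/* both buffers are owned by the caller; lname points into buffer */
	error = path_name(OP_LINK, subj_cred, &profile->label, link,
			  profile->path_flags,
			  buffer, &lname, cond, AA_MAY_LINK);
	if (error)
		goto audit;

	/* tname points into buffer2 */
	error = path_name(OP_LINK, subj_cred, &profile->label, target,
			  profile->path_flags,
			  buffer2, &tname, cond, AA_MAY_LINK);
	if (error)
		goto audit;

	error = -EACCES;
	/* aa_str_perms - handles the case of the dfa being NULL */
	state = aa_str_perms(rules->file,
			     rules->file->start[AA_CLASS_FILE], lname,
			     cond, &lperms);

	if (!(lperms.allow & AA_MAY_LINK))
		goto audit;

	/* test to see if target can be paired with link */
	state = aa_dfa_null_transition(rules->file->dfa, state);
	aa_str_perms(rules->file, state, tname, cond, &perms);

	/* force audit/quiet masks for link are stored in the second entry
	 * in the link pair.
	 */
	lperms.audit = perms.audit;
	lperms.quiet = perms.quiet;
	lperms.kill = perms.kill;

	if (!(perms.allow & AA_MAY_LINK)) {
		info = "target restricted";
		lperms = perms;
		goto audit;
	}

	/* done if link subset test is not required */
	if (!(perms.allow & AA_LINK_SUBSET))
		goto done_tests;

	/* Do link perm subset test requiring allowed permission on link are
	 * a subset of the allowed permissions on target.
	 */
	aa_str_perms(rules->file, rules->file->start[AA_CLASS_FILE],
		     tname, cond, &perms);

	/* AA_MAY_LINK is not considered in the subset test */
	request = lperms.allow & ~AA_MAY_LINK;
	lperms.allow &= perms.allow | AA_MAY_LINK;

	request |= AA_AUDIT_FILE_MASK & (lperms.allow & ~perms.allow);
	if (request & ~lperms.allow) {
		goto audit;
	} else if ((lperms.allow & MAY_EXEC) &&
		   !xindex_is_subset(lperms.xindex, perms.xindex)) {
		/* exec is reported as the denied bit when the x transition
		 * of the link is not a subset of the target's */
		lperms.allow &= ~MAY_EXEC;
		request |= MAY_EXEC;
		info = "link not subset of target";
		goto audit;
	}

done_tests:
	error = 0;

audit:
	return aa_audit_file(subj_cred,
			     profile, &lperms, OP_LINK, request, lname, tname,
			     NULL, cond->uid, info, error);
}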
/**
 * aa_path_link - Handle hard link permission check
 * @subj_cred: subject cred
 * @label: the label being enforced (NOT NULL)
 * @old_dentry: the target dentry (NOT NULL)
 * @new_dir: directory the new link will be created in (NOT NULL)
 * @new_dentry: the link being created (NOT NULL)
 *
 * Handle the permission test for a link & target pair. Permission
 * is encoded as a pair where the link permission is determined
 * first, and if allowed, the target is tested. The target test
 * is done from the point of the link match (not start of DFA)
 * making the target permission dependent on the link permission match.
 *
 * The subset test if required forces that permissions granted
 * on link are a subset of the permission granted to target.
 *
 * Both paths are built on the mount of @new_dir, and the conditionals
 * (uid, mode) come from the target inode.
 *
 * Returns: %0 if allowed else error
 */
int aa_path_link(const struct cred *subj_cred,
		 struct aa_label *label, struct dentry *old_dentry,
		 const struct path *new_dir, struct dentry *new_dentry)
{
	struct path link = { .mnt = new_dir->mnt, .dentry = new_dentry };
	struct path target = { .mnt = new_dir->mnt, .dentry = old_dentry };
	struct inode *inode = d_backing_inode(old_dentry);
	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(target.mnt), inode);
	struct path_cond cond = {
		.uid = vfsuid_into_kuid(vfsuid),
		.mode = inode->i_mode,
	};
	struct aa_profile *profile;
	char *link_buf, *target_buf;
	int error = -ENOMEM;

	/* the names built by profile_path_link() point into these buffers,
	 * which are only released once every profile has been checked */
	link_buf = aa_get_buffer(false);
	target_buf = aa_get_buffer(false);
	if (link_buf && target_buf)
		error = fn_for_each_confined(label, profile,
				profile_path_link(subj_cred, profile, &link,
						  link_buf, &target, target_buf,
						  &cond));

	aa_put_buffer(link_buf);
	aa_put_buffer(target_buf);
	return error;
}
/**
 * update_file_ctx - record a successful revalidation on the file's ctx
 * @fctx: file context to update (NOT NULL)
 * @label: label the access was just validated for
 * @request: permissions that were just validated
 *
 * Merges @label into the label cached on @fctx and widens the cached
 * allow mask by @request, so that a later access by the same label for a
 * subset of these permissions can take the fast path in aa_file_perm().
 * The merge runs under the ctx spinlock with GFP_ATOMIC; if it fails
 * nothing is cached and the next access simply revalidates again.
 */
static void update_file_ctx(struct aa_file_ctx *fctx, struct aa_label *label,
			    u32 request)
{
	struct aa_label *l, *old;

	/* update caching of label on file_ctx */
	spin_lock(&fctx->lock);
	old = rcu_dereference_protected(fctx->label,
					lockdep_is_held(&fctx->lock));
	l = aa_label_merge(old, label, GFP_ATOMIC);
	if (l) {
		if (l != old) {
			/* publish the merged label and drop the ctx's
			 * reference on the one it replaces */
			rcu_assign_pointer(fctx->label, l);
			aa_put_label(old);
		} else
			/* the merge evidently returned the existing label
			 * with its own reference; release that one */
			aa_put_label(l);
		fctx->allow |= request;
	}
	spin_unlock(&fctx->lock);
}
/**
 * __file_path_perm - revalidate path-based access to an open @file
 * @op: operation being checked
 * @subj_cred: subject cred
 * @label: label of the task being enforced (NOT NULL)
 * @flabel: label currently cached on the file (NOT NULL)
 * @file: file to revalidate (NOT NULL)
 * @request: requested permissions
 * @denied: bits of @request not covered by the cached allow mask
 * @in_atomic: whether allocations need to be done in atomic context
 *
 * First checks the profiles of @label that are not already represented
 * in @flabel. When @denied is non-zero the profiles that first pass
 * skipped are checked as well. Only a check that passed for every
 * profile is recorded in the file ctx cache.
 *
 * Returns: %0 if access allowed else error
 */
static int __file_path_perm(const char *op, const struct cred *subj_cred,
			    struct aa_label *label,
			    struct aa_label *flabel, struct file *file,
			    u32 request, u32 denied, bool in_atomic)
{
	struct aa_profile *profile;
	struct aa_perms perms = {};
	vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(file),
					    file_inode(file));
	struct path_cond cond = {
		.uid = vfsuid_into_kuid(vfsuid),
		.mode = file_inode(file)->i_mode
	};
	char *buffer;
	int flags, error;

	/* revalidation due to label out of date. No revocation at this time */
	if (!denied && aa_label_is_subset(flabel, label))
		/* TODO: check for revocation on stale profiles */
		return 0;

	flags = PATH_DELEGATE_DELETED | (S_ISDIR(cond.mode) ? PATH_IS_DIR : 0);
	/* may be called from atomic context (see revalidate_tty) */
	buffer = aa_get_buffer(in_atomic);
	if (!buffer)
		return -ENOMEM;

	/* check every profile in task label not in current cache */
	error = fn_for_each_not_in_set(flabel, label, profile,
			profile_path_perm(op, subj_cred, profile,
					  &file->f_path, buffer,
					  request, &cond, flags, &perms));
	if (denied && !error) {
		/*
		 * check every profile in file label that was not tested
		 * in the initial check above.
		 *
		 * TODO: cache full perms so this only happens because of
		 * conditionals
		 * TODO: don't audit here
		 */
		if (label == flabel)
			/* identical labels: the not-in-set pass above
			 * presumably covered nothing, so check every profile */
			error = fn_for_each(label, profile,
					profile_path_perm(op, subj_cred,
							  profile, &file->f_path,
							  buffer, request, &cond, flags,
							  &perms));
		else
			error = fn_for_each_not_in_set(label, flabel, profile,
					profile_path_perm(op, subj_cred,
							  profile, &file->f_path,
							  buffer, request, &cond, flags,
							  &perms));
	}
	/* a denial is never cached; the next access revalidates again */
	if (!error)
		update_file_ctx(file_ctx(file), label, request);

	aa_put_buffer(buffer);
	return error;
}
/**
 * __file_sock_perm - revalidate socket access on an open @file
 * @op: operation being checked
 * @subj_cred: subject cred
 * @label: label of the task being enforced (NOT NULL)
 * @flabel: label currently cached on the file (NOT NULL)
 * @file: socket file to revalidate (NOT NULL)
 * @request: requested permissions
 * @denied: bits of @request not covered by the cached allow mask
 *
 * Unlike the path variant, no attempt is made to skip profiles already
 * cached: the whole task label is checked, and when @denied is set the
 * file's cached label is checked too, with the results folded by
 * last_error(). A clean result updates the file ctx cache.
 *
 * Returns: %0 if access allowed else error
 */
static int __file_sock_perm(const char *op, const struct cred *subj_cred,
			    struct aa_label *label,
			    struct aa_label *flabel, struct file *file,
			    u32 request, u32 denied)
{
	int error;

	/* revalidation due to label out of date. No revocation at this time */
	if (!denied && aa_label_is_subset(flabel, label))
		return 0;

	/* TODO: improve to skip profiles cached in flabel */
	error = aa_sock_file_perm(subj_cred, label, op, request, file);
	if (denied) {
		/* TODO: improve to skip profiles checked above */
		/* check every profile in file label to is cached */
		last_error(error, aa_sock_file_perm(subj_cred, flabel, op,
						    request, file));
	}
	/* only a clean check across both labels is cached */
	if (!error)
		update_file_ctx(file_ctx(file), label, request);

	return error;
}
/* for now separate fn to indicate semantics of the check */
static bool __file_is_delegated(struct aa_label *obj_label)
{
	/* a file whose cached label is unconfined counts as delegated to the
	 * task, and aa_file_perm() skips revalidation for it */
	if (unconfined(obj_label))
		return true;
	return false;
}
/*
 * __is_unix_file - is @file an open PF_UNIX socket
 * @file: file to test (NOT NULL)
 *
 * Must be called inside an rcu read-side critical section.
 *
 * Returns: true only for a socket file whose struct socket and sock are
 *          both present and whose family is PF_UNIX
 */
static bool __is_unix_file(struct file *file)
{
	struct socket *sock;

	lockdep_assert_in_rcu_read_lock();

	if (!S_ISSOCK(file_inode(file)->i_mode))
		return false;

	/* sock and sock->sk can be NULL for sockets being set up or torn down */
	sock = file->private_data;
	if (!sock || !sock->sk)
		return false;

	return sock->sk->sk_family == PF_UNIX;
}
/*
 * __unix_needs_revalidation - can the cached decision for a unix socket be kept
 * @file: unix socket file (NOT NULL, see __is_unix_file())
 * @label: label of the task being enforced
 * @request: requested permissions (currently unused)
 *
 * Must be called inside an rcu read-side critical section.
 *
 * Returns: true if the peer changed since the socket ctx was last
 *          updated, or @label is not cached on the socket's label
 */
static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,
				      u32 request)
{
	struct socket *sock = file->private_data;
	struct aa_sk_ctx *skctx;

	AA_BUG(!__is_unix_file(file));
	lockdep_assert_in_rcu_read_lock();

	skctx = aa_sock(sock->sk);

	/* a peer change invalidates whatever was cached */
	if (rcu_access_pointer(skctx->peer) !=
	    rcu_access_pointer(skctx->peer_lastupdate))
		return true;

	return !__aa_subj_label_is_cached(rcu_dereference(skctx->label), label);
}
/**
 * aa_file_perm - do permission revalidation check & audit for @file
 * @op: operation being checked
 * @subj_cred: subject cred
 * @label: label being enforced (NOT NULL)
 * @file: file to revalidate access permissions on (NOT NULL)
 * @request: requested permissions
 * @in_atomic: whether allocations need to be done in atomic context
 *
 * Fast path: access is allowed without any policy lookup when the task
 * is unconfined, the file is delegated (its cached label is unconfined),
 * or @request is covered by the cached allow mask and the cached label
 * still matches the task (for unix sockets, the peer must also be
 * unchanged). Otherwise the cached label is refreshed and the request is
 * re-evaluated against path policy or socket policy depending on the
 * kind of file; files that are neither stay allowed.
 *
 * Returns: %0 if access allowed else error
 */
int aa_file_perm(const char *op, const struct cred *subj_cred,
		 struct aa_label *label, struct file *file,
		 u32 request, bool in_atomic)
{
	struct aa_file_ctx *fctx;
	struct aa_label *flabel;
	u32 denied;
	int error = 0;

	AA_BUG(!label);
	AA_BUG(!file);

	/* don't reaudit files closed during inheritance */
	if (unlikely(file->f_path.dentry == aa_null.dentry))
		return -EACCES;

	fctx = file_ctx(file);

	rcu_read_lock();
	flabel = rcu_dereference(fctx->label);
	AA_BUG(!flabel);

	/* revalidate access, if task is unconfined, or the cached cred
	 * doesn't match or if the request is for more permissions than
	 * was granted.
	 *
	 * Note: the test for !unconfined(flabel) is to handle file
	 * delegation from unconfined tasks
	 */
	denied = request & ~fctx->allow;
	if (unconfined(label) || __file_is_delegated(flabel) ||
	    (!denied && __is_unix_file(file) && !__unix_needs_revalidation(file, label, request)) ||
	    (!denied && __aa_subj_label_is_cached(label, flabel))) {
		rcu_read_unlock();
		goto done;
	}

	/* slow path - revalidate access */
	/* hold a reference on the newest version of the cached label so the
	 * checks can run outside the rcu read side */
	flabel = aa_get_newest_label(flabel);
	rcu_read_unlock();

	if (path_mediated_fs(file->f_path.dentry))
		error = __file_path_perm(op, subj_cred, label, flabel, file,
					 request, denied, in_atomic);
	else if (S_ISSOCK(file_inode(file)->i_mode))
		error = __file_sock_perm(op, subj_cred, label, flabel, file,
					 request, denied);
	aa_put_label(flabel);

done:
	return error;
}
/*
 * revalidate_tty - revalidate access to the controlling tty after a label change
 * @subj_cred: subject cred
 * @label: label being enforced
 *
 * Only the first file on the tty's file list is checked, for read and
 * write. The check runs with files_lock held, so it is done IN_ATOMIC.
 * If it fails the task gives up its controlling tty.
 */
static void revalidate_tty(const struct cred *subj_cred, struct aa_label *label)
{
	struct tty_struct *tty = get_current_tty();
	bool drop_tty = false;

	if (!tty)
		return;

	spin_lock(&tty->files_lock);
	if (!list_empty(&tty->tty_files)) {
		struct tty_file_private *file_priv;

		/* TODO: Revalidate access to controlling tty. */
		file_priv = list_first_entry(&tty->tty_files,
					     struct tty_file_private, list);
		drop_tty = aa_file_perm(OP_INHERIT, subj_cred, label,
					file_priv->file, MAY_READ | MAY_WRITE,
					IN_ATOMIC) != 0;
	}
	spin_unlock(&tty->files_lock);
	tty_kref_put(tty);

	if (drop_tty)
		no_tty();
}
/* cred and label pair handed through iterate_fd() to match_file() */
struct cred_label {
	const struct cred *cred;
	struct aa_label *label;
};
/*
 * match_file - iterate_fd() callback selecting files that fail revalidation
 * @p: the struct cred_label to check against (NOT NULL)
 * @file: file being visited
 * @fd: its descriptor number
 *
 * Returns: @fd + 1 when the file no longer passes aa_file_perm() for the
 *          permissions it was opened with (so that fd 0 is distinguishable
 *          from "no match"), else %0
 */
static int match_file(const void *p, struct file *file, unsigned int fd)
{
	const struct cred_label *cl = p;
	u32 request = aa_map_file_to_perms(file);

	/* called under the files lock by iterate_fd(), hence IN_ATOMIC */
	if (aa_file_perm(OP_INHERIT, cl->cred, cl->label, file, request,
			 IN_ATOMIC) != 0)
		return fd + 1;
	return 0;
}
/* based on selinux's flush_unauthorized_files */
/*
 * aa_inherit_files - revalidate open files inherited across a label change
 * @cred: the new cred
 * @files: the files table to walk
 *
 * Revalidates the controlling tty, then every open descriptor. Each
 * descriptor that fails revalidation is replaced with an fd on aa_null;
 * if aa_null cannot be opened it is replaced with NULL instead
 * (presumably closing it — confirm replace_fd() semantics).
 */
void aa_inherit_files(const struct cred *cred, struct files_struct *files)
{
	struct aa_label *label = aa_get_newest_cred_label(cred);
	struct cred_label cl = { .cred = cred, .label = label };
	struct file *devnull = NULL;
	unsigned int next;

	revalidate_tty(cred, label);

	/* Revalidate access to inherited open files. */
	next = iterate_fd(files, 0, match_file, &cl);
	if (next) {
		devnull = dentry_open(&aa_null, O_RDWR, cred);
		if (IS_ERR(devnull))
			devnull = NULL;

		/* next is fd + 1 of the last failing file; resume after it */
		while (next) {
			replace_fd(next - 1, devnull, 0);
			next = iterate_fd(files, next, match_file, &cl);
		}

		if (devnull)
			fput(devnull);
	}

	aa_put_label(label);
}