policy.h 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450
  1. /* SPDX-License-Identifier: GPL-2.0-only */
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor policy definitions.
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #ifndef __AA_POLICY_H
  11. #define __AA_POLICY_H
  12. #include <linux/capability.h>
  13. #include <linux/cred.h>
  14. #include <linux/kref.h>
  15. #include <linux/rhashtable.h>
  16. #include <linux/sched.h>
  17. #include <linux/slab.h>
  18. #include <linux/socket.h>
  19. #include "apparmor.h"
  20. #include "audit.h"
  21. #include "capability.h"
  22. #include "domain.h"
  23. #include "file.h"
  24. #include "lib.h"
  25. #include "label.h"
  26. #include "net.h"
  27. #include "perms.h"
  28. #include "resource.h"
  29. struct aa_ns;
  30. extern int unprivileged_userns_apparmor_policy;
  31. extern int aa_unprivileged_unconfined_restricted;
  32. extern const char *const aa_profile_mode_names[];
  33. #define APPARMOR_MODE_NAMES_MAX_INDEX 4
  34. #define PROFILE_MODE(_profile, _mode) \
  35. ((aa_g_profile_mode == (_mode)) || \
  36. ((_profile)->mode == (_mode)))
  37. #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
  38. #define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
  39. #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
  40. #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
  41. #define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
  42. #define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
  43. #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
  44. #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
  45. /* flags in the dfa accept2 table */
  46. enum dfa_accept_flags {
  47. ACCEPT_FLAG_OWNER = 1,
  48. };
  49. /*
  50. * FIXME: currently need a clean way to replace and remove profiles as a
  51. * set. It should be done at the namespace level.
  52. * Either, with a set of profiles loaded at the namespace level or via
  53. * a mark and remove marked interface.
  54. */
  55. enum profile_mode {
  56. APPARMOR_ENFORCE, /* enforce access rules */
  57. APPARMOR_COMPLAIN, /* allow and log access violations */
  58. APPARMOR_KILL, /* kill task on access violation */
  59. APPARMOR_UNCONFINED, /* profile set to unconfined */
  60. APPARMOR_USER, /* modified complain mode to userspace */
  61. };
  62. struct aa_tags_header {
  63. u32 mask; /* bit mask matching permissions */
  64. u32 count; /* number of strings per entry */
  65. u32 size; /* size of all strings covered by count */
  66. u32 tags; /* index into string table */
  67. };
  68. struct aa_tags_struct {
  69. struct {
  70. u32 size; /* number of entries in tagsets */
  71. u32 *table; /* indexes into headers & strs */
  72. } sets;
  73. struct {
  74. u32 size; /* number of headers == num of strs */
  75. struct aa_tags_header *table;
  76. } hdrs;
  77. struct aa_str_table strs;
  78. };
  79. /* struct aa_policydb - match engine for a policy
  80. * @count: refcount for the pdb
  81. * @dfa: dfa pattern match
  82. * @perms: table of permissions
  83. * @size: number of entries in @perms
  84. * @trans: table of strings, index by x
  85. * @tags: table of tags that perms->tag indexes
  86. * @start:_states to start in for each class
  87. * start: set of start states for the different classes of data
  88. */
  89. struct aa_policydb {
  90. struct kref count;
  91. struct aa_dfa *dfa;
  92. struct {
  93. struct aa_perms *perms;
  94. u32 size;
  95. };
  96. struct aa_str_table trans;
  97. struct aa_tags_struct tags;
  98. aa_state_t start[AA_CLASS_LAST + 1];
  99. };
  100. extern struct aa_policydb *nullpdb;
  101. void aa_destroy_tags(struct aa_tags_struct *tags);
  102. struct aa_policydb *aa_alloc_pdb(gfp_t gfp);
  103. void aa_pdb_free_kref(struct kref *kref);
  104. /**
  105. * aa_get_pdb - increment refcount on @pdb
  106. * @pdb: policydb (MAYBE NULL)
  107. *
  108. * Returns: pointer to @pdb if @pdb is NULL will return NULL
  109. * Requires: @pdb must be held with valid refcount when called
  110. */
  111. static inline struct aa_policydb *aa_get_pdb(struct aa_policydb *pdb)
  112. {
  113. if (pdb)
  114. kref_get(&(pdb->count));
  115. return pdb;
  116. }
  117. /**
  118. * aa_put_pdb - put a pdb refcount
  119. * @pdb: pdb to put refcount (MAYBE NULL)
  120. *
  121. * Requires: if @pdb != NULL that a valid refcount be held
  122. */
  123. static inline void aa_put_pdb(struct aa_policydb *pdb)
  124. {
  125. if (pdb)
  126. kref_put(&pdb->count, aa_pdb_free_kref);
  127. }
  128. /* lookup perm that doesn't have and object conditional */
  129. static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
  130. aa_state_t state)
  131. {
  132. unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
  133. if (!(policy->perms))
  134. return &default_perms;
  135. return &(policy->perms[index]);
  136. }
  137. /* struct aa_data - generic data structure
  138. * key: name for retrieving this data
  139. * size: size of data in bytes
  140. * data: binary data
  141. * head: reserved for rhashtable
  142. */
  143. struct aa_data {
  144. char *key;
  145. u32 size;
  146. char *data;
  147. struct rhash_head head;
  148. };
  149. /* struct aa_ruleset - data covering mediation rules
  150. * @list: list the rule is on
  151. * @size: the memory consumed by this ruleset
  152. * @policy: general match rules governing policy
  153. * @file: The set of rules governing basic file access and domain transitions
  154. * @caps: capabilities for the profile
  155. * @rlimits: rlimits for the profile
  156. * @secmark_count: number of secmark entries
  157. * @secmark: secmark label match info
  158. */
  159. struct aa_ruleset {
  160. int size;
  161. /* TODO: merge policy and file */
  162. struct aa_policydb *policy;
  163. struct aa_policydb *file;
  164. struct aa_caps caps;
  165. struct aa_rlimit rlimits;
  166. int secmark_count;
  167. struct aa_secmark *secmark;
  168. };
  169. /* struct aa_attachment - data and rules for a profiles attachment
  170. * @list:
  171. * @xmatch_str: human readable attachment string
  172. * @xmatch: optional extended matching for unconfined executables names
  173. * @xmatch_len: xmatch prefix len, used to determine xmatch priority
  174. * @xattr_count: number of xattrs in table
  175. * @xattrs: table of xattrs
  176. */
  177. struct aa_attachment {
  178. const char *xmatch_str;
  179. struct aa_policydb *xmatch;
  180. unsigned int xmatch_len;
  181. int xattr_count;
  182. char **xattrs;
  183. };
  184. /* struct aa_profile - basic confinement data
  185. * @base - base components of the profile (name, refcount, lists, lock ...)
  186. * @parent: parent of profile
  187. * @ns: namespace the profile is in
  188. * @rename: optional profile name that this profile renamed
  189. *
  190. * @audit: the auditing mode of the profile
  191. * @mode: the enforcement mode of the profile
  192. * @path_flags: flags controlling path generation behavior
  193. * @signal: the signal that should be used when kill is used
  194. * @disconnected: what to prepend if attach_disconnected is specified
  195. * @attach: attachment rules for the profile
  196. * @rules: rules to be enforced
  197. *
  198. * learning_cache: the accesses learned in complain mode
  199. * raw_data: rawdata of the loaded profile policy
  200. * hash: cryptographic hash of the profile
  201. * @dents: dentries for the profiles file entries in apparmorfs
  202. * @dirname: name of the profile dir in apparmorfs
  203. * @dents: set of dentries associated with the profile
  204. * @data: hashtable for free-form policy aa_data
  205. * @label - label this profile is an extension of
  206. * @rules - label with the rule vec on its end
  207. *
  208. * The AppArmor profile contains the basic confinement data. Each profile
  209. * has a name, and exists in a namespace. The @name and @exec_match are
  210. * used to determine profile attachment against unconfined tasks. All other
  211. * attachments are determined by profile X transition rules.
  212. *
  213. * Profiles have a hierarchy where hats and children profiles keep
  214. * a reference to their parent.
  215. *
  216. * Profile names can not begin with a : and can not contain the \0
  217. * character. If a profile name begins with / it will be considered when
  218. * determining profile attachment on "unconfined" tasks.
  219. */
  220. struct aa_profile {
  221. struct aa_policy base;
  222. struct aa_profile __rcu *parent;
  223. struct aa_ns *ns;
  224. const char *rename;
  225. enum audit_mode audit;
  226. long mode;
  227. u32 path_flags;
  228. int signal;
  229. const char *disconnected;
  230. struct aa_attachment attach;
  231. struct aa_loaddata *rawdata;
  232. unsigned char *hash;
  233. char *dirname;
  234. struct dentry *dents[AAFS_PROF_SIZEOF];
  235. struct rhashtable *data;
  236. int n_rules;
  237. /* special - variable length must be last entry in profile */
  238. struct aa_label label;
  239. };
  240. extern enum profile_mode aa_g_profile_mode;
  241. #define AA_MAY_LOAD_POLICY AA_MAY_APPEND
  242. #define AA_MAY_REPLACE_POLICY AA_MAY_WRITE
  243. #define AA_MAY_REMOVE_POLICY AA_MAY_DELETE
  244. #define profiles_ns(P) ((P)->ns)
  245. #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
  246. struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
  247. struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
  248. gfp_t gfp);
  249. struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
  250. gfp_t gfp);
  251. struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
  252. const char *base, gfp_t gfp);
  253. void aa_free_profile(struct aa_profile *profile);
  254. struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
  255. struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
  256. size_t n);
  257. struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
  258. const char *fqname, size_t n);
  259. ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
  260. u32 mask, struct aa_loaddata *udata);
  261. ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
  262. char *name, size_t size);
  263. void __aa_profile_list_release(struct list_head *head);
  264. #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
  265. /**
  266. * aa_get_newest_profile - simple wrapper fn to wrap the label version
  267. * @p: profile (NOT NULL)
  268. *
  269. * Returns refcount to newest version of the profile (maybe @p)
  270. *
  271. * Requires: @p must be held with a valid refcount
  272. */
  273. static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
  274. {
  275. return labels_profile(aa_get_newest_label(&p->label));
  276. }
  277. static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
  278. unsigned char class)
  279. {
  280. if (class <= AA_CLASS_LAST)
  281. return rules->policy->start[class];
  282. else
  283. return aa_dfa_match_len(rules->policy->dfa,
  284. rules->policy->start[0], &class, 1);
  285. }
  286. static inline aa_state_t RULE_MEDIATES_v9NET(struct aa_ruleset *rules)
  287. {
  288. return RULE_MEDIATES(rules, AA_CLASS_NETV9);
  289. }
  290. static inline aa_state_t RULE_MEDIATES_NET(struct aa_ruleset *rules)
  291. {
  292. /* can not use RULE_MEDIATE_v9AF here, because AF match fail
  293. * can not be distiguished from class match fail, and we only
  294. * fallback to checking older class on class match failure
  295. */
  296. aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NETV9);
  297. /* fallback and check v7/8 if v9 is NOT mediated */
  298. if (!state)
  299. state = RULE_MEDIATES(rules, AA_CLASS_NET);
  300. return state;
  301. }
  302. void aa_compute_profile_mediates(struct aa_profile *profile);
  303. static inline bool profile_mediates(struct aa_profile *profile,
  304. unsigned char class)
  305. {
  306. return label_mediates(&profile->label, class);
  307. }
  308. static inline bool profile_mediates_safe(struct aa_profile *profile,
  309. unsigned char class)
  310. {
  311. return label_mediates_safe(&profile->label, class);
  312. }
  313. /**
  314. * aa_get_profile - increment refcount on profile @p
  315. * @p: profile (MAYBE NULL)
  316. *
  317. * Returns: pointer to @p if @p is NULL will return NULL
  318. * Requires: @p must be held with valid refcount when called
  319. */
  320. static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
  321. {
  322. if (p)
  323. kref_get(&(p->label.count.count));
  324. return p;
  325. }
  326. /**
  327. * aa_get_profile_not0 - increment refcount on profile @p found via lookup
  328. * @p: profile (MAYBE NULL)
  329. *
  330. * Returns: pointer to @p if @p is NULL will return NULL
  331. * Requires: @p must be held with valid refcount when called
  332. */
  333. static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
  334. {
  335. if (p && kref_get_unless_zero(&p->label.count.count))
  336. return p;
  337. return NULL;
  338. }
  339. /**
  340. * aa_get_profile_rcu - increment a refcount profile that can be replaced
  341. * @p: pointer to profile that can be replaced (NOT NULL)
  342. *
  343. * Returns: pointer to a refcounted profile.
  344. * else NULL if no profile
  345. */
  346. static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
  347. {
  348. struct aa_profile *c;
  349. rcu_read_lock();
  350. do {
  351. c = rcu_dereference(*p);
  352. } while (c && !kref_get_unless_zero(&c->label.count.count));
  353. rcu_read_unlock();
  354. return c;
  355. }
  356. /**
  357. * aa_put_profile - decrement refcount on profile @p
  358. * @p: profile (MAYBE NULL)
  359. */
  360. static inline void aa_put_profile(struct aa_profile *p)
  361. {
  362. if (p)
  363. kref_put(&p->label.count.count, aa_label_kref);
  364. }
  365. static inline int AUDIT_MODE(struct aa_profile *profile)
  366. {
  367. if (aa_g_audit != AUDIT_NORMAL)
  368. return aa_g_audit;
  369. return profile->audit;
  370. }
  371. bool aa_policy_view_capable(const struct cred *subj_cred,
  372. struct aa_label *label, struct aa_ns *ns);
  373. bool aa_policy_admin_capable(const struct cred *subj_cred,
  374. struct aa_label *label, struct aa_ns *ns);
  375. int aa_may_manage_policy(const struct cred *subj_cred,
  376. struct aa_label *label, struct aa_ns *ns,
  377. const struct cred *ocred, u32 mask);
  378. bool aa_current_policy_view_capable(struct aa_ns *ns);
  379. bool aa_current_policy_admin_capable(struct aa_ns *ns);
  380. #endif /* __AA_POLICY_H */