policy.c 40 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor policy manipulation functions
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. *
  10. * AppArmor policy is based around profiles, which contain the rules a
  11. * task is confined by. Every task in the system has a profile attached
  12. * to it determined either by matching "unconfined" tasks against the
  13. * visible set of profiles or by following a profiles attachment rules.
  14. *
  15. * Each profile exists in a profile namespace which is a container of
  16. * visible profiles. Each namespace contains a special "unconfined" profile,
  17. * which doesn't enforce any confinement on a task beyond DAC.
  18. *
  19. * Namespace and profile names can be written together in either
  20. * of two syntaxes.
  21. * :namespace:profile - used by kernel interfaces for easy detection
  22. * namespace://profile - used by policy
  23. *
  24. * Profile names can not start with : or @ or ^ and may not contain \0
  25. *
  26. * Reserved profile names
  27. * unconfined - special automatically generated unconfined profile
  28. * inherit - special name to indicate profile inheritance
  29. * null-XXXX-YYYY - special automatically generated learning profiles
  30. *
  31. * Namespace names may not start with / or @ and may not contain \0 or :
  32. * Reserved namespace names
  33. * user-XXXX - user defined profiles
  34. *
  35. * a // in a profile or namespace name indicates a hierarchical name with the
  36. * name before the // being the parent and the name after the child.
  37. *
  38. * Profile and namespace hierarchies serve two different but similar purposes.
  39. * The namespace contains the set of visible profiles that are considered
  40. * for attachment. The hierarchy of namespaces allows for virtualizing
  41. * the namespace so that for example a chroot can have its own set of profiles
  42. * which may define some local user namespaces.
  43. * The profile hierarchy severs two distinct purposes,
  44. * - it allows for sub profiles or hats, which allows an application to run
  45. * subprograms under its own profile with different restriction than it
  46. * self, and not have it use the system profile.
  47. * eg. if a mail program starts an editor, the policy might make the
  48. * restrictions tighter on the editor tighter than the mail program,
  49. * and definitely different than general editor restrictions
  50. * - it allows for binary hierarchy of profiles, so that execution history
  51. * is preserved. This feature isn't exploited by AppArmor reference policy
  52. * but is allowed. NOTE: this is currently suboptimal because profile
  53. * aliasing is not currently implemented so that a profile for each
  54. * level must be defined.
  55. * eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
  56. * from /bin/bash
  57. *
  58. * A profile or namespace name that can contain one or more // separators
  59. * is referred to as an hname (hierarchical).
  60. * eg. /bin/bash//bin/ls
  61. *
  62. * An fqname is a name that may contain both namespace and profile hnames.
  63. * eg. :ns:/bin/bash//bin/ls
  64. *
  65. * NOTES:
  66. * - locking of profile lists is currently fairly coarse. All profile
  67. * lists within a namespace use the namespace lock.
  68. * FIXME: move profile lists to using rcu_lists
  69. */
  70. #include <linux/slab.h>
  71. #include <linux/spinlock.h>
  72. #include <linux/string.h>
  73. #include <linux/cred.h>
  74. #include <linux/rculist.h>
  75. #include <linux/user_namespace.h>
  76. #include "include/apparmor.h"
  77. #include "include/capability.h"
  78. #include "include/cred.h"
  79. #include "include/file.h"
  80. #include "include/ipc.h"
  81. #include "include/match.h"
  82. #include "include/path.h"
  83. #include "include/policy.h"
  84. #include "include/policy_ns.h"
  85. #include "include/policy_unpack.h"
  86. #include "include/resource.h"
  87. int unprivileged_userns_apparmor_policy = 1;
  88. int aa_unprivileged_unconfined_restricted;
  89. const char *const aa_profile_mode_names[] = {
  90. "enforce",
  91. "complain",
  92. "kill",
  93. "unconfined",
  94. "user",
  95. };
  96. void aa_destroy_tags(struct aa_tags_struct *tags)
  97. {
  98. kfree_sensitive(tags->hdrs.table);
  99. kfree_sensitive(tags->sets.table);
  100. aa_destroy_str_table(&tags->strs);
  101. memset(tags, 0, sizeof(*tags));
  102. }
  103. static void aa_free_pdb(struct aa_policydb *pdb)
  104. {
  105. if (pdb) {
  106. aa_put_dfa(pdb->dfa);
  107. kvfree(pdb->perms);
  108. aa_destroy_str_table(&pdb->trans);
  109. aa_destroy_tags(&pdb->tags);
  110. kfree(pdb);
  111. }
  112. }
  113. /**
  114. * aa_pdb_free_kref - free aa_policydb by kref (called by aa_put_pdb)
  115. * @kref: kref callback for freeing of a dfa (NOT NULL)
  116. */
  117. void aa_pdb_free_kref(struct kref *kref)
  118. {
  119. struct aa_policydb *pdb = container_of(kref, struct aa_policydb, count);
  120. aa_free_pdb(pdb);
  121. }
  122. struct aa_policydb *aa_alloc_pdb(gfp_t gfp)
  123. {
  124. struct aa_policydb *pdb = kzalloc_obj(struct aa_policydb, gfp);
  125. if (!pdb)
  126. return NULL;
  127. kref_init(&pdb->count);
  128. return pdb;
  129. }
  130. /**
  131. * __add_profile - add a profiles to list and label tree
  132. * @list: list to add it to (NOT NULL)
  133. * @profile: the profile to add (NOT NULL)
  134. *
  135. * refcount @profile, should be put by __list_remove_profile
  136. *
  137. * Requires: namespace lock be held, or list not be shared
  138. */
  139. static void __add_profile(struct list_head *list, struct aa_profile *profile)
  140. {
  141. struct aa_label *l;
  142. AA_BUG(!list);
  143. AA_BUG(!profile);
  144. AA_BUG(!profile->ns);
  145. AA_BUG(!mutex_is_locked(&profile->ns->lock));
  146. list_add_rcu(&profile->base.list, list);
  147. /* get list reference */
  148. aa_get_profile(profile);
  149. l = aa_label_insert(&profile->ns->labels, &profile->label);
  150. AA_BUG(l != &profile->label);
  151. aa_put_label(l);
  152. }
  153. /**
  154. * __list_remove_profile - remove a profile from the list it is on
  155. * @profile: the profile to remove (NOT NULL)
  156. *
  157. * remove a profile from the list, warning generally removal should
  158. * be done with __replace_profile as most profile removals are
  159. * replacements to the unconfined profile.
  160. *
  161. * put @profile list refcount
  162. *
  163. * Requires: namespace lock be held, or list not have been live
  164. */
  165. static void __list_remove_profile(struct aa_profile *profile)
  166. {
  167. AA_BUG(!profile);
  168. AA_BUG(!profile->ns);
  169. AA_BUG(!mutex_is_locked(&profile->ns->lock));
  170. list_del_rcu(&profile->base.list);
  171. aa_put_profile(profile);
  172. }
  173. /**
  174. * __remove_profile - remove profile, and children
  175. * @profile: profile to be removed (NOT NULL)
  176. *
  177. * Requires: namespace list lock be held, or list not be shared
  178. */
  179. static void __remove_profile(struct aa_profile *profile)
  180. {
  181. struct aa_profile *curr, *to_remove;
  182. AA_BUG(!profile);
  183. AA_BUG(!profile->ns);
  184. AA_BUG(!mutex_is_locked(&profile->ns->lock));
  185. /* release any children lists first */
  186. if (!list_empty(&profile->base.profiles)) {
  187. curr = list_first_entry(&profile->base.profiles, struct aa_profile, base.list);
  188. while (curr != profile) {
  189. while (!list_empty(&curr->base.profiles))
  190. curr = list_first_entry(&curr->base.profiles,
  191. struct aa_profile, base.list);
  192. to_remove = curr;
  193. if (!list_is_last(&to_remove->base.list,
  194. &aa_deref_parent(curr)->base.profiles))
  195. curr = list_next_entry(to_remove, base.list);
  196. else
  197. curr = aa_deref_parent(curr);
  198. /* released by free_profile */
  199. aa_label_remove(&to_remove->label);
  200. __aafs_profile_rmdir(to_remove);
  201. __list_remove_profile(to_remove);
  202. }
  203. }
  204. /* released by free_profile */
  205. aa_label_remove(&profile->label);
  206. __aafs_profile_rmdir(profile);
  207. __list_remove_profile(profile);
  208. }
  209. /**
  210. * __aa_profile_list_release - remove all profiles on the list and put refs
  211. * @head: list of profiles (NOT NULL)
  212. *
  213. * Requires: namespace lock be held
  214. */
  215. void __aa_profile_list_release(struct list_head *head)
  216. {
  217. struct aa_profile *profile, *tmp;
  218. list_for_each_entry_safe(profile, tmp, head, base.list)
  219. __remove_profile(profile);
  220. }
  221. /**
  222. * aa_free_data - free a data blob
  223. * @ptr: data to free
  224. * @arg: unused
  225. */
  226. static void aa_free_data(void *ptr, void *arg)
  227. {
  228. struct aa_data *data = ptr;
  229. if (!ptr)
  230. return;
  231. kvfree_sensitive(data->data, data->size);
  232. kfree_sensitive(data->key);
  233. kfree_sensitive(data);
  234. }
  235. static void free_attachment(struct aa_attachment *attach)
  236. {
  237. int i;
  238. if (!attach)
  239. return;
  240. for (i = 0; i < attach->xattr_count; i++)
  241. kfree_sensitive(attach->xattrs[i]);
  242. kfree_sensitive(attach->xattrs);
  243. aa_put_pdb(attach->xmatch);
  244. }
  245. static void free_ruleset(struct aa_ruleset *rules)
  246. {
  247. int i;
  248. if (!rules)
  249. return;
  250. aa_put_pdb(rules->file);
  251. aa_put_pdb(rules->policy);
  252. aa_free_cap_rules(&rules->caps);
  253. aa_free_rlimit_rules(&rules->rlimits);
  254. for (i = 0; i < rules->secmark_count; i++)
  255. kfree_sensitive(rules->secmark[i].label);
  256. kfree_sensitive(rules->secmark);
  257. kfree_sensitive(rules);
  258. }
  259. struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp)
  260. {
  261. struct aa_ruleset *rules;
  262. rules = kzalloc_obj(*rules, gfp);
  263. return rules;
  264. }
  265. /**
  266. * aa_free_profile - free a profile
  267. * @profile: the profile to free (MAYBE NULL)
  268. *
  269. * Free a profile, its hats and null_profile. All references to the profile,
  270. * its hats and null_profile must have been put.
  271. *
  272. * If the profile was referenced from a task context, free_profile() will
  273. * be called from an rcu callback routine, so we must not sleep here.
  274. */
  275. void aa_free_profile(struct aa_profile *profile)
  276. {
  277. struct rhashtable *rht;
  278. AA_DEBUG(DEBUG_POLICY, "%s(%p)\n", __func__, profile);
  279. if (!profile)
  280. return;
  281. /* free children profiles */
  282. aa_policy_destroy(&profile->base);
  283. aa_put_profile(rcu_access_pointer(profile->parent));
  284. aa_put_ns(profile->ns);
  285. kfree_sensitive(profile->rename);
  286. kfree_sensitive(profile->disconnected);
  287. free_attachment(&profile->attach);
  288. /*
  289. * at this point there are no tasks that can have a reference
  290. * to rules
  291. */
  292. for (int i = 0; i < profile->n_rules; i++)
  293. free_ruleset(profile->label.rules[i]);
  294. kfree_sensitive(profile->dirname);
  295. if (profile->data) {
  296. rht = profile->data;
  297. profile->data = NULL;
  298. rhashtable_free_and_destroy(rht, aa_free_data, NULL);
  299. kfree_sensitive(rht);
  300. }
  301. kfree_sensitive(profile->hash);
  302. aa_put_profile_loaddata(profile->rawdata);
  303. aa_label_destroy(&profile->label);
  304. kfree_sensitive(profile);
  305. }
  306. /**
  307. * aa_alloc_profile - allocate, initialize and return a new profile
  308. * @hname: name of the profile (NOT NULL)
  309. * @proxy: proxy to use OR null if to allocate a new one
  310. * @gfp: allocation type
  311. *
  312. * Returns: refcount profile or NULL on failure
  313. */
  314. struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
  315. gfp_t gfp)
  316. {
  317. struct aa_profile *profile;
  318. /* freed by free_profile - usually through aa_put_profile
  319. * this adds space for a single ruleset in the rules section of the
  320. * label
  321. */
  322. profile = kzalloc_flex(*profile, label.rules, 1, gfp);
  323. if (!profile)
  324. return NULL;
  325. if (!aa_policy_init(&profile->base, NULL, hname, gfp))
  326. goto fail;
  327. if (!aa_label_init(&profile->label, 1, gfp))
  328. goto fail;
  329. /* allocate the first ruleset, but leave it empty */
  330. profile->label.rules[0] = aa_alloc_ruleset(gfp);
  331. if (!profile->label.rules[0])
  332. goto fail;
  333. profile->n_rules = 1;
  334. /* update being set needed by fs interface */
  335. if (!proxy) {
  336. proxy = aa_alloc_proxy(&profile->label, gfp);
  337. if (!proxy)
  338. goto fail;
  339. } else
  340. aa_get_proxy(proxy);
  341. profile->label.proxy = proxy;
  342. profile->label.hname = profile->base.hname;
  343. profile->label.flags |= FLAG_PROFILE;
  344. profile->label.vec[0] = profile;
  345. profile->signal = SIGKILL;
  346. /* refcount released by caller */
  347. return profile;
  348. fail:
  349. aa_free_profile(profile);
  350. return NULL;
  351. }
  352. static inline bool ANY_RULE_MEDIATES(struct aa_profile *profile,
  353. unsigned char class)
  354. {
  355. int i;
  356. for (i = 0; i < profile->n_rules; i++) {
  357. if (RULE_MEDIATES(profile->label.rules[i], class))
  358. return true;
  359. }
  360. return false;
  361. }
  362. /* set of rules that are mediated by unconfined */
  363. static int unconfined_mediates[] = { AA_CLASS_NS, AA_CLASS_IO_URING, 0 };
  364. /* must be called after profile rulesets and start information is setup */
  365. void aa_compute_profile_mediates(struct aa_profile *profile)
  366. {
  367. int c;
  368. if (profile_unconfined(profile)) {
  369. int *pos;
  370. for (pos = unconfined_mediates; *pos; pos++) {
  371. if (ANY_RULE_MEDIATES(profile, *pos))
  372. profile->label.mediates |= ((u64) 1) << AA_CLASS_NS;
  373. }
  374. return;
  375. }
  376. for (c = 0; c <= AA_CLASS_LAST; c++) {
  377. if (ANY_RULE_MEDIATES(profile, c))
  378. profile->label.mediates |= ((u64) 1) << c;
  379. }
  380. }
  381. /* TODO: profile accounting - setup in remove */
  382. /**
  383. * __strn_find_child - find a profile on @head list using substring of @name
  384. * @head: list to search (NOT NULL)
  385. * @name: name of profile (NOT NULL)
  386. * @len: length of @name substring to match
  387. *
  388. * Requires: rcu_read_lock be held
  389. *
  390. * Returns: unrefcounted profile ptr, or NULL if not found
  391. */
  392. static struct aa_profile *__strn_find_child(struct list_head *head,
  393. const char *name, int len)
  394. {
  395. return (struct aa_profile *)__policy_strn_find(head, name, len);
  396. }
  397. /**
  398. * __find_child - find a profile on @head list with a name matching @name
  399. * @head: list to search (NOT NULL)
  400. * @name: name of profile (NOT NULL)
  401. *
  402. * Requires: rcu_read_lock be held
  403. *
  404. * Returns: unrefcounted profile ptr, or NULL if not found
  405. */
  406. static struct aa_profile *__find_child(struct list_head *head, const char *name)
  407. {
  408. return __strn_find_child(head, name, strlen(name));
  409. }
  410. /**
  411. * aa_find_child - find a profile by @name in @parent
  412. * @parent: profile to search (NOT NULL)
  413. * @name: profile name to search for (NOT NULL)
  414. *
  415. * Returns: a refcounted profile or NULL if not found
  416. */
  417. struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)
  418. {
  419. struct aa_profile *profile;
  420. rcu_read_lock();
  421. do {
  422. profile = __find_child(&parent->base.profiles, name);
  423. } while (profile && !aa_get_profile_not0(profile));
  424. rcu_read_unlock();
  425. /* refcount released by caller */
  426. return profile;
  427. }
  428. /**
  429. * __lookup_parent - lookup the parent of a profile of name @hname
  430. * @ns: namespace to lookup profile in (NOT NULL)
  431. * @hname: hierarchical profile name to find parent of (NOT NULL)
  432. *
  433. * Lookups up the parent of a fully qualified profile name, the profile
  434. * that matches hname does not need to exist, in general this
  435. * is used to load a new profile.
  436. *
  437. * Requires: rcu_read_lock be held
  438. *
  439. * Returns: unrefcounted policy or NULL if not found
  440. */
  441. static struct aa_policy *__lookup_parent(struct aa_ns *ns,
  442. const char *hname)
  443. {
  444. struct aa_policy *policy;
  445. struct aa_profile *profile = NULL;
  446. char *split;
  447. policy = &ns->base;
  448. for (split = strstr(hname, "//"); split;) {
  449. profile = __strn_find_child(&policy->profiles, hname,
  450. split - hname);
  451. if (!profile)
  452. return NULL;
  453. policy = &profile->base;
  454. hname = split + 2;
  455. split = strstr(hname, "//");
  456. }
  457. if (!profile)
  458. return &ns->base;
  459. return &profile->base;
  460. }
  461. /**
  462. * __create_missing_ancestors - create place holders for missing ancestors
  463. * @ns: namespace to lookup profile in (NOT NULL)
  464. * @hname: hierarchical profile name to find parent of (NOT NULL)
  465. * @gfp: type of allocation.
  466. *
  467. * Requires: ns mutex lock held
  468. *
  469. * Return: unrefcounted parent policy on success or %NULL if error creating
  470. * place holder profiles.
  471. */
  472. static struct aa_policy *__create_missing_ancestors(struct aa_ns *ns,
  473. const char *hname,
  474. gfp_t gfp)
  475. {
  476. struct aa_policy *policy;
  477. struct aa_profile *parent, *profile = NULL;
  478. char *split;
  479. AA_BUG(!ns);
  480. AA_BUG(!hname);
  481. policy = &ns->base;
  482. for (split = strstr(hname, "//"); split;) {
  483. parent = profile;
  484. profile = __strn_find_child(&policy->profiles, hname,
  485. split - hname);
  486. if (!profile) {
  487. const char *name = kstrndup(hname, split - hname,
  488. gfp);
  489. if (!name)
  490. return NULL;
  491. profile = aa_alloc_null(parent, name, gfp);
  492. kfree(name);
  493. if (!profile)
  494. return NULL;
  495. if (!parent)
  496. profile->ns = aa_get_ns(ns);
  497. }
  498. policy = &profile->base;
  499. hname = split + 2;
  500. split = strstr(hname, "//");
  501. }
  502. if (!profile)
  503. return &ns->base;
  504. return &profile->base;
  505. }
  506. /**
  507. * __lookupn_profile - lookup the profile matching @hname
  508. * @base: base list to start looking up profile name from (NOT NULL)
  509. * @hname: hierarchical profile name (NOT NULL)
  510. * @n: length of @hname
  511. *
  512. * Requires: rcu_read_lock be held
  513. *
  514. * Returns: unrefcounted profile pointer or NULL if not found
  515. *
  516. * Do a relative name lookup, recursing through profile tree.
  517. */
  518. static struct aa_profile *__lookupn_profile(struct aa_policy *base,
  519. const char *hname, size_t n)
  520. {
  521. struct aa_profile *profile = NULL;
  522. const char *split;
  523. for (split = strnstr(hname, "//", n); split;
  524. split = strnstr(hname, "//", n)) {
  525. profile = __strn_find_child(&base->profiles, hname,
  526. split - hname);
  527. if (!profile)
  528. return NULL;
  529. base = &profile->base;
  530. n -= split + 2 - hname;
  531. hname = split + 2;
  532. }
  533. if (n)
  534. return __strn_find_child(&base->profiles, hname, n);
  535. return NULL;
  536. }
  537. static struct aa_profile *__lookup_profile(struct aa_policy *base,
  538. const char *hname)
  539. {
  540. return __lookupn_profile(base, hname, strlen(hname));
  541. }
  542. /**
  543. * aa_lookupn_profile - find a profile by its full or partial name
  544. * @ns: the namespace to start from (NOT NULL)
  545. * @hname: name to do lookup on. Does not contain namespace prefix (NOT NULL)
  546. * @n: size of @hname
  547. *
  548. * Returns: refcounted profile or NULL if not found
  549. */
  550. struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
  551. size_t n)
  552. {
  553. struct aa_profile *profile;
  554. rcu_read_lock();
  555. do {
  556. profile = __lookupn_profile(&ns->base, hname, n);
  557. } while (profile && !aa_get_profile_not0(profile));
  558. rcu_read_unlock();
  559. /* the unconfined profile is not in the regular profile list */
  560. if (!profile && strncmp(hname, "unconfined", n) == 0)
  561. profile = aa_get_newest_profile(ns->unconfined);
  562. /* refcount released by caller */
  563. return profile;
  564. }
  565. struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
  566. const char *fqname, size_t n)
  567. {
  568. struct aa_profile *profile;
  569. struct aa_ns *ns;
  570. const char *name, *ns_name;
  571. size_t ns_len;
  572. name = aa_splitn_fqname(fqname, n, &ns_name, &ns_len);
  573. if (ns_name) {
  574. ns = aa_lookupn_ns(labels_ns(base), ns_name, ns_len);
  575. if (!ns)
  576. return NULL;
  577. } else
  578. ns = aa_get_ns(labels_ns(base));
  579. if (name)
  580. profile = aa_lookupn_profile(ns, name, n - (name - fqname));
  581. else if (ns)
  582. /* default profile for ns, currently unconfined */
  583. profile = aa_get_newest_profile(ns->unconfined);
  584. else
  585. profile = NULL;
  586. aa_put_ns(ns);
  587. return profile;
  588. }
  589. struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
  590. gfp_t gfp)
  591. {
  592. struct aa_profile *profile;
  593. struct aa_ruleset *rules;
  594. profile = aa_alloc_profile(name, NULL, gfp);
  595. if (!profile)
  596. return NULL;
  597. /* TODO: ideally we should inherit abi from parent */
  598. profile->label.flags |= FLAG_NULL;
  599. profile->attach.xmatch = aa_get_pdb(nullpdb);
  600. rules = profile->label.rules[0];
  601. rules->file = aa_get_pdb(nullpdb);
  602. rules->policy = aa_get_pdb(nullpdb);
  603. aa_compute_profile_mediates(profile);
  604. if (parent) {
  605. profile->path_flags = parent->path_flags;
  606. /* override/inherit what is mediated from parent */
  607. profile->label.mediates = parent->label.mediates;
  608. /* released on free_profile */
  609. rcu_assign_pointer(profile->parent, aa_get_profile(parent));
  610. profile->ns = aa_get_ns(parent->ns);
  611. }
  612. return profile;
  613. }
  614. /**
  615. * aa_new_learning_profile - create or find a null-X learning profile
  616. * @parent: profile that caused this profile to be created (NOT NULL)
  617. * @hat: true if the null- learning profile is a hat
  618. * @base: name to base the null profile off of
  619. * @gfp: type of allocation
  620. *
  621. * Find/Create a null- complain mode profile used in learning mode. The
  622. * name of the profile is unique and follows the format of parent//null-XXX.
  623. * where XXX is based on the @name or if that fails or is not supplied
  624. * a unique number
  625. *
  626. * null profiles are added to the profile list but the list does not
  627. * hold a count on them so that they are automatically released when
  628. * not in use.
  629. *
  630. * Returns: new refcounted profile else NULL on failure
  631. */
  632. struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
  633. const char *base, gfp_t gfp)
  634. {
  635. struct aa_profile *p, *profile;
  636. const char *bname;
  637. char *name = NULL;
  638. size_t name_sz;
  639. AA_BUG(!parent);
  640. if (base) {
  641. name_sz = strlen(parent->base.hname) + 8 + strlen(base);
  642. name = kmalloc(name_sz, gfp);
  643. if (name) {
  644. snprintf(name, name_sz, "%s//null-%s",
  645. parent->base.hname, base);
  646. goto name;
  647. }
  648. /* fall through to try shorter uniq */
  649. }
  650. name_sz = strlen(parent->base.hname) + 2 + 7 + 8;
  651. name = kmalloc(name_sz, gfp);
  652. if (!name)
  653. return NULL;
  654. snprintf(name, name_sz, "%s//null-%x", parent->base.hname,
  655. atomic_inc_return(&parent->ns->uniq_null));
  656. name:
  657. /* lookup to see if this is a dup creation */
  658. bname = basename(name);
  659. profile = aa_find_child(parent, bname);
  660. if (profile)
  661. goto out;
  662. profile = aa_alloc_null(parent, name, gfp);
  663. if (!profile)
  664. goto fail;
  665. profile->mode = APPARMOR_COMPLAIN;
  666. if (hat)
  667. profile->label.flags |= FLAG_HAT;
  668. mutex_lock_nested(&profile->ns->lock, profile->ns->level);
  669. p = __find_child(&parent->base.profiles, bname);
  670. if (p) {
  671. aa_free_profile(profile);
  672. profile = aa_get_profile(p);
  673. } else {
  674. __add_profile(&parent->base.profiles, profile);
  675. }
  676. mutex_unlock(&profile->ns->lock);
  677. /* refcount released by caller */
  678. out:
  679. kfree(name);
  680. return profile;
  681. fail:
  682. kfree(name);
  683. aa_free_profile(profile);
  684. return NULL;
  685. }
  686. /**
  687. * replacement_allowed - test to see if replacement is allowed
  688. * @profile: profile to test if it can be replaced (MAYBE NULL)
  689. * @noreplace: true if replacement shouldn't be allowed but addition is okay
  690. * @info: Returns - info about why replacement failed (NOT NULL)
  691. *
  692. * Returns: %0 if replacement allowed else error code
  693. */
  694. static int replacement_allowed(struct aa_profile *profile, int noreplace,
  695. const char **info)
  696. {
  697. if (profile) {
  698. if (profile->label.flags & FLAG_IMMUTIBLE) {
  699. *info = "cannot replace immutable profile";
  700. return -EPERM;
  701. } else if (noreplace) {
  702. *info = "profile already exists";
  703. return -EEXIST;
  704. }
  705. }
  706. return 0;
  707. }
  708. /* audit callback for net specific fields */
  709. static void audit_cb(struct audit_buffer *ab, void *va)
  710. {
  711. struct common_audit_data *sa = va;
  712. struct apparmor_audit_data *ad = aad(sa);
  713. if (ad->iface.ns) {
  714. audit_log_format(ab, " ns=");
  715. audit_log_untrustedstring(ab, ad->iface.ns);
  716. }
  717. }
  718. /**
  719. * audit_policy - Do auditing of policy changes
  720. * @subj_label: label to check if it can manage policy
  721. * @op: policy operation being performed
  722. * @ns_name: name of namespace being manipulated
  723. * @name: name of profile being manipulated (NOT NULL)
  724. * @info: any extra information to be audited (MAYBE NULL)
  725. * @error: error code
  726. *
  727. * Returns: the error to be returned after audit is done
  728. */
  729. static int audit_policy(struct aa_label *subj_label, const char *op,
  730. const char *ns_name, const char *name,
  731. const char *info, int error)
  732. {
  733. DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
  734. ad.iface.ns = ns_name;
  735. ad.name = name;
  736. ad.info = info;
  737. ad.error = error;
  738. ad.subj_label = subj_label;
  739. aa_audit_msg(AUDIT_APPARMOR_STATUS, &ad, audit_cb);
  740. return error;
  741. }
  742. /* don't call out to other LSMs in the stack for apparmor policy admin
  743. * permissions
  744. */
  745. static int policy_ns_capable(const struct cred *subj_cred,
  746. struct aa_label *label,
  747. struct user_namespace *userns, int cap)
  748. {
  749. int err;
  750. /* check for MAC_ADMIN cap in cred */
  751. err = cap_capable(subj_cred, userns, cap, CAP_OPT_NONE);
  752. if (!err)
  753. err = aa_capable(subj_cred, label, cap, CAP_OPT_NONE);
  754. return err;
  755. }
  756. /**
  757. * aa_policy_view_capable - check if viewing policy in at @ns is allowed
  758. * @subj_cred: cred of subject
  759. * @label: label that is trying to view policy in ns
  760. * @ns: namespace being viewed by @label (may be NULL if @label's ns)
  761. *
  762. * Returns: true if viewing policy is allowed
  763. *
  764. * If @ns is NULL then the namespace being viewed is assumed to be the
  765. * tasks current namespace.
  766. */
  767. bool aa_policy_view_capable(const struct cred *subj_cred,
  768. struct aa_label *label, struct aa_ns *ns)
  769. {
  770. struct user_namespace *user_ns = subj_cred->user_ns;
  771. struct aa_ns *view_ns = labels_view(label);
  772. bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
  773. in_egroup_p(make_kgid(user_ns, 0));
  774. bool response = false;
  775. if (!ns)
  776. ns = view_ns;
  777. if (root_in_user_ns && aa_ns_visible(view_ns, ns, true) &&
  778. (user_ns == &init_user_ns ||
  779. (unprivileged_userns_apparmor_policy != 0 &&
  780. user_ns->level == view_ns->level)))
  781. response = true;
  782. return response;
  783. }
  784. bool aa_policy_admin_capable(const struct cred *subj_cred,
  785. struct aa_label *label, struct aa_ns *ns)
  786. {
  787. struct user_namespace *user_ns = subj_cred->user_ns;
  788. bool capable = policy_ns_capable(subj_cred, label, user_ns,
  789. CAP_MAC_ADMIN) == 0;
  790. AA_DEBUG(DEBUG_POLICY, "cap_mac_admin? %d\n", capable);
  791. AA_DEBUG(DEBUG_POLICY, "policy locked? %d\n", aa_g_lock_policy);
  792. return aa_policy_view_capable(subj_cred, label, ns) && capable &&
  793. !aa_g_lock_policy;
  794. }
  795. bool aa_current_policy_view_capable(struct aa_ns *ns)
  796. {
  797. struct aa_label *label;
  798. bool needput, res;
  799. label = __begin_current_label_crit_section(&needput);
  800. res = aa_policy_view_capable(current_cred(), label, ns);
  801. __end_current_label_crit_section(label, needput);
  802. return res;
  803. }
  804. bool aa_current_policy_admin_capable(struct aa_ns *ns)
  805. {
  806. struct aa_label *label;
  807. bool needput, res;
  808. label = __begin_current_label_crit_section(&needput);
  809. res = aa_policy_admin_capable(current_cred(), label, ns);
  810. __end_current_label_crit_section(label, needput);
  811. return res;
  812. }
  813. static bool is_subset_of_obj_privilege(const struct cred *cred,
  814. struct aa_label *label,
  815. const struct cred *ocred)
  816. {
  817. if (cred == ocred)
  818. return true;
  819. if (!aa_label_is_subset(label, cred_label(ocred)))
  820. return false;
  821. /* don't allow crossing userns for now */
  822. if (cred->user_ns != ocred->user_ns)
  823. return false;
  824. if (!cap_issubset(cred->cap_inheritable, ocred->cap_inheritable))
  825. return false;
  826. if (!cap_issubset(cred->cap_permitted, ocred->cap_permitted))
  827. return false;
  828. if (!cap_issubset(cred->cap_effective, ocred->cap_effective))
  829. return false;
  830. if (!cap_issubset(cred->cap_bset, ocred->cap_bset))
  831. return false;
  832. if (!cap_issubset(cred->cap_ambient, ocred->cap_ambient))
  833. return false;
  834. return true;
  835. }
  836. /**
  837. * aa_may_manage_policy - can the current task manage policy
  838. * @subj_cred: subjects cred
  839. * @label: label to check if it can manage policy
  840. * @ns: namespace being managed by @label (may be NULL if @label's ns)
  841. * @ocred: object cred if request is coming from an open object
  842. * @mask: contains the policy manipulation operation being done
  843. *
  844. * Returns: 0 if the task is allowed to manipulate policy else error
  845. */
  846. int aa_may_manage_policy(const struct cred *subj_cred, struct aa_label *label,
  847. struct aa_ns *ns, const struct cred *ocred, u32 mask)
  848. {
  849. const char *op;
  850. if (mask & AA_MAY_REMOVE_POLICY)
  851. op = OP_PROF_RM;
  852. else if (mask & AA_MAY_REPLACE_POLICY)
  853. op = OP_PROF_REPL;
  854. else
  855. op = OP_PROF_LOAD;
  856. /* check if loading policy is locked out */
  857. if (aa_g_lock_policy)
  858. return audit_policy(label, op, NULL, NULL, "policy_locked",
  859. -EACCES);
  860. if (ocred && !is_subset_of_obj_privilege(subj_cred, label, ocred))
  861. return audit_policy(label, op, NULL, NULL,
  862. "not privileged for target profile",
  863. -EACCES);
  864. if (!aa_policy_admin_capable(subj_cred, label, ns))
  865. return audit_policy(label, op, NULL, NULL, "not policy admin",
  866. -EACCES);
  867. /* TODO: add fine grained mediation of policy loads */
  868. return 0;
  869. }
  870. static struct aa_profile *__list_lookup_parent(struct list_head *lh,
  871. struct aa_profile *profile)
  872. {
  873. const char *base = basename(profile->base.hname);
  874. long len = base - profile->base.hname;
  875. struct aa_load_ent *ent;
  876. /* parent won't have trailing // so remove from len */
  877. if (len <= 2)
  878. return NULL;
  879. len -= 2;
  880. list_for_each_entry(ent, lh, list) {
  881. if (ent->new == profile)
  882. continue;
  883. if (strncmp(ent->new->base.hname, profile->base.hname, len) ==
  884. 0 && ent->new->base.hname[len] == 0)
  885. return ent->new;
  886. }
  887. return NULL;
  888. }
  889. /**
  890. * __replace_profile - replace @old with @new on a list
  891. * @old: profile to be replaced (NOT NULL)
  892. * @new: profile to replace @old with (NOT NULL)
  893. *
  894. * Will duplicate and refcount elements that @new inherits from @old
  895. * and will inherit @old children.
  896. *
  897. * refcount @new for list, put @old list refcount
  898. *
  899. * Requires: namespace list lock be held, or list not be shared
  900. */
  901. static void __replace_profile(struct aa_profile *old, struct aa_profile *new)
  902. {
  903. struct aa_profile *child, *tmp;
  904. if (!list_empty(&old->base.profiles)) {
  905. LIST_HEAD(lh);
  906. list_splice_init_rcu(&old->base.profiles, &lh, synchronize_rcu);
  907. list_for_each_entry_safe(child, tmp, &lh, base.list) {
  908. struct aa_profile *p;
  909. list_del_init(&child->base.list);
  910. p = __find_child(&new->base.profiles, child->base.name);
  911. if (p) {
  912. /* @p replaces @child */
  913. __replace_profile(child, p);
  914. continue;
  915. }
  916. /* inherit @child and its children */
  917. /* TODO: update hname of inherited children */
  918. /* list refcount transferred to @new */
  919. p = aa_deref_parent(child);
  920. rcu_assign_pointer(child->parent, aa_get_profile(new));
  921. list_add_rcu(&child->base.list, &new->base.profiles);
  922. aa_put_profile(p);
  923. }
  924. }
  925. if (!rcu_access_pointer(new->parent)) {
  926. struct aa_profile *parent = aa_deref_parent(old);
  927. rcu_assign_pointer(new->parent, aa_get_profile(parent));
  928. }
  929. aa_label_replace(&old->label, &new->label);
  930. /* migrate dents must come after label replacement b/c update */
  931. __aafs_profile_migrate_dents(old, new);
  932. if (list_empty(&new->base.list)) {
  933. /* new is not on a list already */
  934. list_replace_rcu(&old->base.list, &new->base.list);
  935. aa_get_profile(new);
  936. aa_put_profile(old);
  937. } else
  938. __list_remove_profile(old);
  939. }
  940. /**
  941. * __lookup_replace - lookup replacement information for a profile
  942. * @ns: namespace the lookup occurs in
  943. * @hname: name of profile to lookup
  944. * @noreplace: true if not replacing an existing profile
  945. * @p: Returns - profile to be replaced
  946. * @info: Returns - info string on why lookup failed
  947. *
  948. * Returns: profile to replace (no ref) on success else ptr error
  949. */
  950. static int __lookup_replace(struct aa_ns *ns, const char *hname,
  951. bool noreplace, struct aa_profile **p,
  952. const char **info)
  953. {
  954. *p = aa_get_profile(__lookup_profile(&ns->base, hname));
  955. if (*p) {
  956. int error = replacement_allowed(*p, noreplace, info);
  957. if (error) {
  958. *info = "profile can not be replaced";
  959. return error;
  960. }
  961. }
  962. return 0;
  963. }
  964. static void share_name(struct aa_profile *old, struct aa_profile *new)
  965. {
  966. aa_put_str(new->base.hname);
  967. aa_get_str(old->base.hname);
  968. new->base.hname = old->base.hname;
  969. new->base.name = old->base.name;
  970. new->label.hname = old->label.hname;
  971. }
  972. /* Update to newest version of parent after previous replacements
  973. * Returns: unrefcount newest version of parent
  974. */
  975. static struct aa_profile *update_to_newest_parent(struct aa_profile *new)
  976. {
  977. struct aa_profile *parent, *newest;
  978. parent = rcu_dereference_protected(new->parent,
  979. mutex_is_locked(&new->ns->lock));
  980. newest = aa_get_newest_profile(parent);
  981. /* parent replaced in this atomic set? */
  982. if (newest != parent) {
  983. aa_put_profile(parent);
  984. rcu_assign_pointer(new->parent, newest);
  985. } else
  986. aa_put_profile(newest);
  987. return newest;
  988. }
  989. /**
  990. * aa_replace_profiles - replace profile(s) on the profile list
  991. * @policy_ns: namespace load is occurring on
  992. * @label: label that is attempting to load/replace policy
  993. * @mask: permission mask
  994. * @udata: serialized data stream (NOT NULL)
  995. *
  996. * unpack and replace a profile on the profile list and uses of that profile
  997. * by any task creds via invalidating the old version of the profile, which
  998. * tasks will notice to update their own cred. If the profile does not exist
  999. * on the profile list it is added.
  1000. *
  1001. * Returns: size of data consumed else error code on failure.
  1002. */
  1003. ssize_t aa_replace_profiles(struct aa_ns *policy_ns, struct aa_label *label,
  1004. u32 mask, struct aa_loaddata *udata)
  1005. {
  1006. const char *ns_name = NULL, *info = NULL;
  1007. struct aa_ns *ns = NULL;
  1008. struct aa_load_ent *ent, *tmp;
  1009. struct aa_loaddata *rawdata_ent;
  1010. const char *op;
  1011. ssize_t count, error;
  1012. LIST_HEAD(lh);
  1013. op = mask & AA_MAY_REPLACE_POLICY ? OP_PROF_REPL : OP_PROF_LOAD;
  1014. aa_get_profile_loaddata(udata);
  1015. /* released below */
  1016. error = aa_unpack(udata, &lh, &ns_name);
  1017. if (error)
  1018. goto out;
  1019. /* ensure that profiles are all for the same ns
  1020. * TODO: update locking to remove this constraint. All profiles in
  1021. * the load set must succeed as a set or the load will
  1022. * fail. Sort ent list and take ns locks in hierarchy order
  1023. */
  1024. count = 0;
  1025. list_for_each_entry(ent, &lh, list) {
  1026. if (ns_name) {
  1027. if (ent->ns_name &&
  1028. strcmp(ent->ns_name, ns_name) != 0) {
  1029. info = "policy load has mixed namespaces";
  1030. error = -EACCES;
  1031. goto fail;
  1032. }
  1033. } else if (ent->ns_name) {
  1034. if (count) {
  1035. info = "policy load has mixed namespaces";
  1036. error = -EACCES;
  1037. goto fail;
  1038. }
  1039. ns_name = ent->ns_name;
  1040. ent->ns_name = NULL;
  1041. } else
  1042. count++;
  1043. }
  1044. if (ns_name) {
  1045. ns = aa_prepare_ns(policy_ns ? policy_ns : labels_ns(label),
  1046. ns_name);
  1047. if (IS_ERR(ns)) {
  1048. op = OP_PROF_LOAD;
  1049. info = "failed to prepare namespace";
  1050. error = PTR_ERR(ns);
  1051. ns = NULL;
  1052. ent = NULL;
  1053. goto fail;
  1054. }
  1055. } else
  1056. ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(label));
  1057. mutex_lock_nested(&ns->lock, ns->level);
  1058. /* check for duplicate rawdata blobs: space and file dedup */
  1059. if (!list_empty(&ns->rawdata_list)) {
  1060. list_for_each_entry(rawdata_ent, &ns->rawdata_list, list) {
  1061. if (aa_rawdata_eq(rawdata_ent, udata)) {
  1062. struct aa_loaddata *tmp;
  1063. tmp = aa_get_profile_loaddata(rawdata_ent);
  1064. /* check we didn't fail the race */
  1065. if (tmp) {
  1066. aa_put_profile_loaddata(udata);
  1067. udata = tmp;
  1068. break;
  1069. }
  1070. }
  1071. }
  1072. }
  1073. /* setup parent and ns info */
  1074. list_for_each_entry(ent, &lh, list) {
  1075. struct aa_policy *policy;
  1076. struct aa_profile *p;
  1077. if (aa_g_export_binary)
  1078. ent->new->rawdata = aa_get_profile_loaddata(udata);
  1079. error = __lookup_replace(ns, ent->new->base.hname,
  1080. !(mask & AA_MAY_REPLACE_POLICY),
  1081. &ent->old, &info);
  1082. if (error)
  1083. goto fail_lock;
  1084. if (ent->new->rename) {
  1085. error = __lookup_replace(ns, ent->new->rename,
  1086. !(mask & AA_MAY_REPLACE_POLICY),
  1087. &ent->rename, &info);
  1088. if (error)
  1089. goto fail_lock;
  1090. }
  1091. /* released when @new is freed */
  1092. ent->new->ns = aa_get_ns(ns);
  1093. if (ent->old || ent->rename)
  1094. continue;
  1095. /* no ref on policy only use inside lock */
  1096. p = NULL;
  1097. policy = __lookup_parent(ns, ent->new->base.hname);
  1098. if (!policy) {
  1099. /* first check for parent in the load set */
  1100. p = __list_lookup_parent(&lh, ent->new);
  1101. if (!p) {
  1102. /*
  1103. * fill in missing parent with null
  1104. * profile that doesn't have
  1105. * permissions. This allows for
  1106. * individual profile loading where
  1107. * the child is loaded before the
  1108. * parent, and outside of the current
  1109. * atomic set. This unfortunately can
  1110. * happen with some userspaces. The
  1111. * null profile will be replaced once
  1112. * the parent is loaded.
  1113. */
  1114. policy = __create_missing_ancestors(ns,
  1115. ent->new->base.hname,
  1116. GFP_KERNEL);
  1117. if (!policy) {
  1118. error = -ENOENT;
  1119. info = "parent does not exist";
  1120. goto fail_lock;
  1121. }
  1122. }
  1123. }
  1124. if (!p && policy != &ns->base)
  1125. /* released on profile replacement or free_profile */
  1126. p = (struct aa_profile *) policy;
  1127. rcu_assign_pointer(ent->new->parent, aa_get_profile(p));
  1128. }
  1129. /* create new fs entries for introspection if needed */
  1130. if (!udata->dents[AAFS_LOADDATA_DIR] && aa_g_export_binary) {
  1131. error = __aa_fs_create_rawdata(ns, udata);
  1132. if (error) {
  1133. info = "failed to create raw_data dir and files";
  1134. ent = NULL;
  1135. goto fail_lock;
  1136. }
  1137. }
  1138. list_for_each_entry(ent, &lh, list) {
  1139. if (!ent->old) {
  1140. struct dentry *parent;
  1141. if (rcu_access_pointer(ent->new->parent)) {
  1142. struct aa_profile *p;
  1143. p = aa_deref_parent(ent->new);
  1144. parent = prof_child_dir(p);
  1145. } else
  1146. parent = ns_subprofs_dir(ent->new->ns);
  1147. error = __aafs_profile_mkdir(ent->new, parent);
  1148. }
  1149. if (error) {
  1150. info = "failed to create";
  1151. goto fail_lock;
  1152. }
  1153. }
  1154. /* Done with checks that may fail - do actual replacement */
  1155. __aa_bump_ns_revision(ns);
  1156. if (aa_g_export_binary)
  1157. __aa_loaddata_update(udata, ns->revision);
  1158. list_for_each_entry_safe(ent, tmp, &lh, list) {
  1159. list_del_init(&ent->list);
  1160. op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
  1161. if (ent->old && ent->old->rawdata == ent->new->rawdata &&
  1162. ent->new->rawdata) {
  1163. /* dedup actual profile replacement */
  1164. audit_policy(label, op, ns_name, ent->new->base.hname,
  1165. "same as current profile, skipping",
  1166. error);
  1167. /* break refcount cycle with proxy. */
  1168. aa_put_proxy(ent->new->label.proxy);
  1169. ent->new->label.proxy = NULL;
  1170. goto skip;
  1171. }
  1172. /*
  1173. * TODO: finer dedup based on profile range in data. Load set
  1174. * can differ but profile may remain unchanged
  1175. */
  1176. audit_policy(label, op, ns_name, ent->new->base.hname, NULL,
  1177. error);
  1178. if (ent->old) {
  1179. share_name(ent->old, ent->new);
  1180. __replace_profile(ent->old, ent->new);
  1181. } else {
  1182. struct list_head *lh;
  1183. if (rcu_access_pointer(ent->new->parent)) {
  1184. struct aa_profile *parent;
  1185. parent = update_to_newest_parent(ent->new);
  1186. lh = &parent->base.profiles;
  1187. } else
  1188. lh = &ns->base.profiles;
  1189. __add_profile(lh, ent->new);
  1190. }
  1191. skip:
  1192. aa_load_ent_free(ent);
  1193. }
  1194. __aa_labelset_update_subtree(ns);
  1195. mutex_unlock(&ns->lock);
  1196. out:
  1197. aa_put_ns(ns);
  1198. aa_put_profile_loaddata(udata);
  1199. kfree(ns_name);
  1200. if (error)
  1201. return error;
  1202. return udata->size;
  1203. fail_lock:
  1204. mutex_unlock(&ns->lock);
  1205. /* audit cause of failure */
  1206. op = (ent && !ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
  1207. fail:
  1208. audit_policy(label, op, ns_name, ent ? ent->new->base.hname : NULL,
  1209. info, error);
  1210. /* audit status that rest of profiles in the atomic set failed too */
  1211. info = "valid profile in failed atomic policy load";
  1212. list_for_each_entry(tmp, &lh, list) {
  1213. if (tmp == ent) {
  1214. info = "unchecked profile in failed atomic policy load";
  1215. /* skip entry that caused failure */
  1216. continue;
  1217. }
  1218. op = (!tmp->old) ? OP_PROF_LOAD : OP_PROF_REPL;
  1219. audit_policy(label, op, ns_name, tmp->new->base.hname, info,
  1220. error);
  1221. }
  1222. list_for_each_entry_safe(ent, tmp, &lh, list) {
  1223. list_del_init(&ent->list);
  1224. aa_load_ent_free(ent);
  1225. }
  1226. goto out;
  1227. }
  1228. /**
  1229. * aa_remove_profiles - remove profile(s) from the system
  1230. * @policy_ns: namespace the remove is being done from
  1231. * @subj: label attempting to remove policy
  1232. * @fqname: name of the profile or namespace to remove (NOT NULL)
  1233. * @size: size of the name
  1234. *
  1235. * Remove a profile or sub namespace from the current namespace, so that
  1236. * they can not be found anymore and mark them as replaced by unconfined
  1237. *
  1238. * NOTE: removing confinement does not restore rlimits to preconfinement values
  1239. *
  1240. * Returns: size of data consume else error code if fails
  1241. */
  1242. ssize_t aa_remove_profiles(struct aa_ns *policy_ns, struct aa_label *subj,
  1243. char *fqname, size_t size)
  1244. {
  1245. struct aa_ns *ns = NULL;
  1246. struct aa_profile *profile = NULL;
  1247. const char *name = fqname, *info = NULL;
  1248. const char *ns_name = NULL;
  1249. ssize_t error = 0;
  1250. if (*fqname == 0) {
  1251. info = "no profile specified";
  1252. error = -ENOENT;
  1253. goto fail;
  1254. }
  1255. if (fqname[0] == ':') {
  1256. size_t ns_len;
  1257. name = aa_splitn_fqname(fqname, size, &ns_name, &ns_len);
  1258. /* released below */
  1259. ns = aa_lookupn_ns(policy_ns ? policy_ns : labels_ns(subj),
  1260. ns_name, ns_len);
  1261. if (!ns) {
  1262. info = "namespace does not exist";
  1263. error = -ENOENT;
  1264. goto fail;
  1265. }
  1266. } else
  1267. /* released below */
  1268. ns = aa_get_ns(policy_ns ? policy_ns : labels_ns(subj));
  1269. if (!name) {
  1270. /* remove namespace - can only happen if fqname[0] == ':' */
  1271. mutex_lock_nested(&ns->parent->lock, ns->parent->level);
  1272. __aa_bump_ns_revision(ns);
  1273. __aa_remove_ns(ns);
  1274. mutex_unlock(&ns->parent->lock);
  1275. } else {
  1276. /* remove profile */
  1277. mutex_lock_nested(&ns->lock, ns->level);
  1278. profile = aa_get_profile(__lookup_profile(&ns->base, name));
  1279. if (!profile) {
  1280. error = -ENOENT;
  1281. info = "profile does not exist";
  1282. goto fail_ns_lock;
  1283. }
  1284. name = profile->base.hname;
  1285. __aa_bump_ns_revision(ns);
  1286. __remove_profile(profile);
  1287. __aa_labelset_update_subtree(ns);
  1288. mutex_unlock(&ns->lock);
  1289. }
  1290. /* don't fail removal if audit fails */
  1291. (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
  1292. error);
  1293. aa_put_ns(ns);
  1294. aa_put_profile(profile);
  1295. return size;
  1296. fail_ns_lock:
  1297. mutex_unlock(&ns->lock);
  1298. aa_put_ns(ns);
  1299. fail:
  1300. (void) audit_policy(subj, OP_PROF_RM, ns_name, name, info,
  1301. error);
  1302. return error;
  1303. }