resource.c 5.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor resource mediation and attachment
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/audit.h>
  11. #include <linux/security.h>
  12. #include "include/audit.h"
  13. #include "include/cred.h"
  14. #include "include/resource.h"
  15. #include "include/policy.h"
  16. /*
  17. * Table of rlimit names: we generate it from resource.h.
  18. */
  19. #include "rlim_names.h"
  20. struct aa_sfs_entry aa_sfs_entry_rlimit[] = {
  21. AA_SFS_FILE_STRING("mask", AA_SFS_RLIMIT_MASK),
  22. { }
  23. };
  24. /* audit callback for resource specific fields */
  25. static void audit_cb(struct audit_buffer *ab, void *va)
  26. {
  27. struct common_audit_data *sa = va;
  28. struct apparmor_audit_data *ad = aad(sa);
  29. audit_log_format(ab, " rlimit=%s value=%lu",
  30. rlim_names[ad->rlim.rlim], ad->rlim.max);
  31. if (ad->peer) {
  32. audit_log_format(ab, " peer=");
  33. aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
  34. FLAGS_NONE, GFP_ATOMIC);
  35. }
  36. }
  37. /**
  38. * audit_resource - audit setting resource limit
  39. * @subj_cred: cred setting the resource
  40. * @profile: profile being enforced (NOT NULL)
  41. * @resource: rlimit being auditing
  42. * @value: value being set
  43. * @peer: aa_albel of the task being set
  44. * @info: info being auditing
  45. * @error: error value
  46. *
  47. * Returns: 0 or ad->error else other error code on failure
  48. */
  49. static int audit_resource(const struct cred *subj_cred,
  50. struct aa_profile *profile, unsigned int resource,
  51. unsigned long value, struct aa_label *peer,
  52. const char *info, int error)
  53. {
  54. DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS,
  55. OP_SETRLIMIT);
  56. ad.subj_cred = subj_cred;
  57. ad.rlim.rlim = resource;
  58. ad.rlim.max = value;
  59. ad.peer = peer;
  60. ad.info = info;
  61. ad.error = error;
  62. return aa_audit(AUDIT_APPARMOR_AUTO, profile, &ad, audit_cb);
  63. }
  64. /**
  65. * aa_map_resource - map compiled policy resource to internal #
  66. * @resource: flattened policy resource number
  67. *
  68. * Returns: resource # for the current architecture.
  69. *
  70. * rlimit resource can vary based on architecture, map the compiled policy
  71. * resource # to the internal representation for the architecture.
  72. */
  73. int aa_map_resource(int resource)
  74. {
  75. return rlim_map[resource];
  76. }
  77. static int profile_setrlimit(const struct cred *subj_cred,
  78. struct aa_profile *profile, unsigned int resource,
  79. struct rlimit *new_rlim)
  80. {
  81. struct aa_ruleset *rules = profile->label.rules[0];
  82. int e = 0;
  83. if (rules->rlimits.mask & (1 << resource) && new_rlim->rlim_max >
  84. rules->rlimits.limits[resource].rlim_max)
  85. e = -EACCES;
  86. return audit_resource(subj_cred, profile, resource, new_rlim->rlim_max,
  87. NULL, NULL, e);
  88. }
  89. /**
  90. * aa_task_setrlimit - test permission to set an rlimit
  91. * @subj_cred: cred setting the limit
  92. * @label: label confining the task (NOT NULL)
  93. * @task: task the resource is being set on
  94. * @resource: the resource being set
  95. * @new_rlim: the new resource limit (NOT NULL)
  96. *
  97. * Control raising the processes hard limit.
  98. *
  99. * Returns: 0 or error code if setting resource failed
  100. */
  101. int aa_task_setrlimit(const struct cred *subj_cred, struct aa_label *label,
  102. struct task_struct *task,
  103. unsigned int resource, struct rlimit *new_rlim)
  104. {
  105. struct aa_profile *profile;
  106. struct aa_label *peer;
  107. int error = 0;
  108. rcu_read_lock();
  109. peer = aa_get_newest_cred_label(__task_cred(task));
  110. rcu_read_unlock();
  111. /* TODO: extend resource control to handle other (non current)
  112. * profiles. AppArmor rules currently have the implicit assumption
  113. * that the task is setting the resource of a task confined with
  114. * the same profile or that the task setting the resource of another
  115. * task has CAP_SYS_RESOURCE.
  116. */
  117. if (label != peer &&
  118. aa_capable(subj_cred, label, CAP_SYS_RESOURCE, CAP_OPT_NOAUDIT) != 0)
  119. error = fn_for_each(label, profile,
  120. audit_resource(subj_cred, profile, resource,
  121. new_rlim->rlim_max, peer,
  122. "cap_sys_resource", -EACCES));
  123. else
  124. error = fn_for_each_confined(label, profile,
  125. profile_setrlimit(subj_cred, profile, resource,
  126. new_rlim));
  127. aa_put_label(peer);
  128. return error;
  129. }
  130. /**
  131. * __aa_transition_rlimits - apply new profile rlimits
  132. * @old_l: old label on task (NOT NULL)
  133. * @new_l: new label with rlimits to apply (NOT NULL)
  134. */
  135. void __aa_transition_rlimits(struct aa_label *old_l, struct aa_label *new_l)
  136. {
  137. unsigned int mask = 0;
  138. struct rlimit *rlim, *initrlim;
  139. struct aa_profile *old, *new;
  140. struct label_it i;
  141. old = labels_profile(old_l);
  142. new = labels_profile(new_l);
  143. /* for any rlimits the profile controlled, reset the soft limit
  144. * to the lesser of the tasks hard limit and the init tasks soft limit
  145. */
  146. label_for_each_confined(i, old_l, old) {
  147. struct aa_ruleset *rules = old->label.rules[0];
  148. if (rules->rlimits.mask) {
  149. int j;
  150. for (j = 0, mask = 1; j < RLIM_NLIMITS; j++,
  151. mask <<= 1) {
  152. if (rules->rlimits.mask & mask) {
  153. rlim = current->signal->rlim + j;
  154. initrlim = init_task.signal->rlim + j;
  155. rlim->rlim_cur = min(rlim->rlim_max,
  156. initrlim->rlim_cur);
  157. }
  158. }
  159. }
  160. }
  161. /* set any new hard limits as dictated by the new profile */
  162. label_for_each_confined(i, new_l, new) {
  163. struct aa_ruleset *rules = new->label.rules[0];
  164. int j;
  165. if (!rules->rlimits.mask)
  166. continue;
  167. for (j = 0, mask = 1; j < RLIM_NLIMITS; j++, mask <<= 1) {
  168. if (!(rules->rlimits.mask & mask))
  169. continue;
  170. rlim = current->signal->rlim + j;
  171. rlim->rlim_max = min(rlim->rlim_max,
  172. rules->rlimits.limits[j].rlim_max);
  173. /* soft limit should not exceed hard limit */
  174. rlim->rlim_cur = min(rlim->rlim_cur, rlim->rlim_max);
  175. if (j == RLIMIT_CPU &&
  176. rlim->rlim_cur != RLIM_INFINITY &&
  177. IS_ENABLED(CONFIG_POSIX_TIMERS))
  178. (void) update_rlimit_cpu(current->group_leader,
  179. rlim->rlim_cur);
  180. }
  181. }
  182. }