summaryrefslogtreecommitdiffstats
path: root/security/apparmor/policy.c
Commit message (Collapse)AuthorAgeFilesLines
* apparmor: fix checkpatch error in Parse secmark policyJohn Johansen2018-11-011-1/+1
| | | | | | | Fix missed spacing error reported by checkpatch for 9caafbe2b4cf ("Parse secmark policy") Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: Parse secmark policyMatthew Garrett2018-10-031-0/+3
| | | | | | | | Add support for parsing secmark policy provided by userspace, and store that in the overall policy. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix memory leak when deduping profile loadJohn Johansen2018-06-071-0/+3
| | | | | | | | | | | | | AppArmor is leaking the newly loaded profile and its proxy when the profile is an exact match to the currently loaded version. In this case the dedup check results in the profile being skipped and put without dealing with the proxy ref thus not breaking a circular refcount and causing a leak. BugLink: http://bugs.launchpad.net/bugs/1750594 Fixes: 5d5182cae401 ("apparmor: move to per loaddata files, instead of replicating in profiles") Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix typo "preconfinement"Zygmunt Krynicki2018-05-031-1/+1
| | | | | | Signed-off-by: Zygmunt Krynicki <zygmunt.krynicki@canonical.com> Acked-by: Christian Boltz <apparmor@cboltz.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add support for mapping secids and using secctxesJohn Johansen2018-05-021-1/+1
| | | | | | | | | Use a radix tree to provide a map between the secid and the label, and along with it a basic ability to provide secctx conversion. Shared/cached secctx will be added later. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: convert attaching profiles via xattrs to use dfa matchingJohn Johansen2018-02-091-5/+1
| | | | | | | | | | | | | | | | | | | | | | This converts profile attachment based on xattrs to a fixed extended conditional using dfa matching. This has a couple of advantages - pattern matching can be used for the xattr match - xattrs can be optional for an attachment or marked as required - the xattr attachment conditional will be able to be combined with other extended conditionals when the flexible extended conditional work lands. The xattr fixed extended conditional is appended to the xmatch conditional. If an xattr attachment is specified the profile xmatch will be generated regardless of whether there is a pattern match on the executable name. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
* apparmor: Add support for attaching profiles via xattr, presence and valueMatthew Garrett2018-02-091-0/+8
| | | | | | | | | | | Make it possible to tie Apparmor profiles to the presence of one or more extended attributes, and optionally their values. An example usecase for this is to automatically transition to a more privileged Apparmor profile if an executable has a valid IMA signature, which can then be appraised by the IMA subsystem. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: move context.h to cred.hJohn Johansen2018-02-091-1/+1
| | | | | | | | | Now that file contexts have been moved into file, and task context fns() and data have been split from the context, only the cred context remains in context.h so rename to cred.h to better reflect what it deals with. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: cleanup fixup description of aa_replace_profilesJohn Johansen2018-02-091-2/+3
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: rename task_ctx to the more accurate cred_ctxJohn Johansen2018-02-091-1/+1
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix possible recursive lock warning in __aa_create_nsJohn Johansen2017-11-211-4/+4
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Use mutex_lock_nested to provide lockdep the parent child lock ordering of the tree. This fixes the lockdep Warning [ 305.275177] ============================================ [ 305.275178] WARNING: possible recursive locking detected [ 305.275179] 4.14.0-rc7+ #320 Not tainted [ 305.275180] -------------------------------------------- [ 305.275181] apparmor_parser/1339 is trying to acquire lock: [ 305.275182] (&ns->lock){+.+.}, at: [<ffffffff970544dd>] __aa_create_ns+0x6d/0x1e0 [ 305.275187] but task is already holding lock: [ 305.275187] (&ns->lock){+.+.}, at: [<ffffffff97054b5d>] aa_prepare_ns+0x3d/0xd0 [ 305.275190] other info that might help us debug this: [ 305.275191] Possible unsafe locking scenario: [ 305.275192] CPU0 [ 305.275193] ---- [ 305.275193] lock(&ns->lock); [ 305.275194] lock(&ns->lock); [ 305.275195] *** DEADLOCK *** [ 305.275196] May be due to missing lock nesting notation [ 305.275198] 2 locks held by apparmor_parser/1339: [ 305.275198] #0: (sb_writers#10){.+.+}, at: [<ffffffff96e9c6b7>] vfs_write+0x1a7/0x1d0 [ 305.275202] #1: (&ns->lock){+.+.}, at: [<ffffffff97054b5d>] aa_prepare_ns+0x3d/0xd0 [ 305.275205] stack backtrace: [ 305.275207] CPU: 1 PID: 1339 Comm: apparmor_parser Not tainted 4.14.0-rc7+ #320 [ 305.275208] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.1-1ubuntu1 04/01/2014 [ 305.275209] Call Trace: [ 305.275212] dump_stack+0x85/0xcb [ 305.275214] __lock_acquire+0x141c/0x1460 [ 305.275216] ? __aa_create_ns+0x6d/0x1e0 [ 305.275218] ? ___slab_alloc+0x183/0x540 [ 305.275219] ? ___slab_alloc+0x183/0x540 [ 305.275221] lock_acquire+0xed/0x1e0 [ 305.275223] ? lock_acquire+0xed/0x1e0 [ 305.275224] ? __aa_create_ns+0x6d/0x1e0 [ 305.275227] __mutex_lock+0x89/0x920 [ 305.275228] ? __aa_create_ns+0x6d/0x1e0 [ 305.275230] ? trace_hardirqs_on_caller+0x11f/0x190 [ 305.275231] ? __aa_create_ns+0x6d/0x1e0 [ 305.275233] ? __lockdep_init_map+0x57/0x1d0 [ 305.275234] ? lockdep_init_map+0x9/0x10 [ 305.275236] ? __rwlock_init+0x32/0x60 [ 305.275238] mutex_lock_nested+0x1b/0x20 [ 305.275240] ? mutex_lock_nested+0x1b/0x20 [ 305.275241] __aa_create_ns+0x6d/0x1e0 [ 305.275243] aa_prepare_ns+0xc2/0xd0 [ 305.275245] aa_replace_profiles+0x168/0xf30 [ 305.275247] ? __might_fault+0x85/0x90 [ 305.275250] policy_update+0xb9/0x380 [ 305.275252] profile_load+0x7e/0x90 [ 305.275254] __vfs_write+0x28/0x150 [ 305.275256] ? rcu_read_lock_sched_held+0x72/0x80 [ 305.275257] ? rcu_sync_lockdep_assert+0x2f/0x60 [ 305.275259] ? __sb_start_write+0xdc/0x1c0 [ 305.275261] ? vfs_write+0x1a7/0x1d0 [ 305.275262] vfs_write+0xca/0x1d0 [ 305.275264] ? trace_hardirqs_on_caller+0x11f/0x190 [ 305.275266] SyS_write+0x49/0xa0 [ 305.275268] entry_SYSCALL_64_fastpath+0x23/0xc2 [ 305.275271] RIP: 0033:0x7fa6b22e8c74 [ 305.275272] RSP: 002b:00007ffeaaee6288 EFLAGS: 00000246 ORIG_RAX: 0000000000000001 [ 305.275273] RAX: ffffffffffffffda RBX: 00007ffeaaee62a4 RCX: 00007fa6b22e8c74 [ 305.275274] RDX: 0000000000000a51 RSI: 00005566a8198c10 RDI: 0000000000000004 [ 305.275275] RBP: 0000000000000a39 R08: 0000000000000a51 R09: 0000000000000000 [ 305.275276] R10: 0000000000000000 R11: 0000000000000246 R12: 00005566a8198c10 [ 305.275277] R13: 0000000000000004 R14: 00005566a72ecb88 R15: 00005566a72ec3a8 Fixes: 73688d1ed0b8 ("apparmor: refactor prepare_ns() and make usable from different views") Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix leak of null profile name if profile allocation failsJohn Johansen2017-11-211-1/+2
| | | | | | Fixes: d07881d2edb0 ("apparmor: move new_null_profile to after profile lookup fns()") Reported-by: Seth Arnold <seth.arnold@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix race condition in null profile creationJohn Johansen2017-09-221-3/+11
| | | | | | | | | | | There is a race when null- profile is being created between the initial lookup/creation of the profile and lock/addition of the profile. This could result in multiple version of a profile being added to the list which need to be removed/replaced. Since these are learning profile their is no affect on mediation. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: move new_null_profile to after profile lookup fns()John Johansen2017-09-221-79/+79
| | | | | | | new_null_profile will need to use some of the profile lookup fns() so move instead of doing forward fn declarations. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: switch from profiles to using labels on contextsJohn Johansen2017-06-101-118/+90
| | | | | | | | Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: cleanup remove unused and not fully implemented profile renameJohn Johansen2017-06-101-37/+2
| | | | | | | Remove the partially implemented code, until this can be properly implemented. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: refactor updating profiles to the newest parentJohn Johansen2017-06-101-4/+31
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: share profile name on replacementJohn Johansen2017-06-101-0/+9
| | | | | | The profile names are the same, leverage this. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: fix policy load/remove semanticsJohn Johansen2017-06-101-11/+11
| | | | | | | | | The namespace being passed into the replace/remove profiles fns() is not the view, but the namespace specified by the inode from the file hook (if present) or the loading tasks ns, if accessing the top level virtualized load/replace file interface. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add namespace lookup fns()John Johansen2017-06-101-4/+6
| | | | | | | | | | | Currently lookups are restricted to a single ns component in the path. However when namespaces are allowed to have separate views, and scopes this will not be sufficient, as it will be possible to have a multiple component ns path in scope. Add some ns lookup fns() to allow this and use them. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: cleanup __find_child()John Johansen2017-06-101-8/+8
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: provide finer control over policy managementJohn Johansen2017-06-101-13/+22
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: rename apparmor file fns and data to indicate useJohn Johansen2017-06-081-3/+3
| | | | | | | | | | | | | prefixes are used for fns/data that are not static to apparmorfs.c with the prefixes being aafs - special magic apparmorfs for policy namespace data aa_sfs - for fns/data that go into securityfs aa_fs - for fns/data that may be used in the either of aafs or securityfs Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
* apparmor: move to per loaddata files, instead of replicating in profilesJohn Johansen2017-06-081-1/+45
| | | | | | | | | | The loaddata sets cover more than just a single profile and should be tracked at the ns level. Move the load data files under the namespace and reference the files from the profiles via a symlink. Signed-off-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Seth Arnold <seth.arnold@canonical.com> Reviewed-by: Kees Cook <keescook@chromium.org>
* apparmor: fix invalid reference to index variable of iterator line 836John Johansen2017-04-071-2/+4
| | | | | | | | | | | Once the loop on lines 836-853 is complete and exits normally, ent is a pointer to the dummy list head value. The derefernces accessible from eg the goto fail on line 860 or the various goto fail_lock's afterwards thus seem incorrect. Reported-by: Julia Lawall <julia.lawall@lip6.fr> Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <james.l.morris@oracle.com>
* sched/headers: Prepare to use <linux/rcuupdate.h> instead of ↵Ingo Molnar2017-03-021-0/+1
| | | | | | | | | | | | | | | | <linux/rculist.h> in <linux/sched.h> We don't actually need the full rculist.h header in sched.h anymore, we will be able to include the smaller rcupdate.h header instead. But first update code that relied on the implicit header inclusion. Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
* sched/headers: Prepare to remove <linux/cred.h> inclusion from <linux/sched.h>Ingo Molnar2017-03-021-0/+1
| | | | | | | | | | | | | | | | Add #include <linux/cred.h> dependencies to all .c files rely on sched.h doing that for them. Note that even if the count where we need to add extra headers seems high, it's still a net win, because <linux/sched.h> is included in over 2,200 files ... Acked-by: Linus Torvalds <torvalds@linux-foundation.org> Cc: Mike Galbraith <efault@gmx.de> Cc: Peter Zijlstra <peterz@infradead.org> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: linux-kernel@vger.kernel.org Signed-off-by: Ingo Molnar <mingo@kernel.org>
* apparmor: sysctl to enable unprivileged user ns AppArmor policy loadingTyler Hicks2017-01-161-1/+0
| | | | | | | | | | | | If this sysctl is set to non-zero and a process with CAP_MAC_ADMIN in the root namespace has created an AppArmor policy namespace, unprivileged processes will be able to change to a profile in the newly created AppArmor policy namespace and, if the profile allows CAP_MAC_ADMIN and appropriate file permissions, will be able to load policy in the respective policy namespace. Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: support querying extended trusted helper extra dataWilliam Hua2017-01-161-0/+23
| | | | | | | | | Allow a profile to carry extra data that can be queried via userspace. This provides a means to store extra data in a profile that a trusted helper can extract and use from live policy. Signed-off-by: William Hua <william.hua@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: change aad apparmor_audit_data macro to a fn macroJohn Johansen2017-01-161-23/+19
| | | | | | | | | | | The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: change op from int to const char *John Johansen2017-01-161-3/+4
| | | | | | | | | | Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: rename context abreviation cxt to the more standard ctxJohn Johansen2017-01-161-1/+1
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: pass the subject profile into profile replace/removeJohn Johansen2017-01-161-11/+14
| | | | | | | This is just setup for new ns specific .load, .replace, .remove interface files. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: audit policy ns specified in policy loadJohn Johansen2017-01-161-14/+40
| | | | | | | Verify that profiles in a load set specify the same policy ns and audit the name of the policy ns that policy is being loaded for. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: allow introspecting the loaded policy pre internal transformJohn Johansen2017-01-161-7/+7
| | | | | | | | Store loaded policy and allow introspecting it through apparmorfs. This has several uses from debugging, policy validation, and policy checkpoint and restore for containers. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add ns name to the audit data for policy loadsJohn Johansen2017-01-161-10/+24
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add profile and ns params to aa_may_manage_policy()John Johansen2017-01-161-12/+10
| | | | | | | | Policy management will be expanded beyond traditional unconfined root. This will require knowning the profile of the task doing the management and the ns view. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add ns being viewed as a param to policy_admin_capable()John Johansen2017-01-161-3/+9
| | | | | | | Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add ns being viewed as a param to policy_view_capable()John Johansen2017-01-161-3/+22
| | | | | | | | | | | Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: allow specifying the profile doing the managementJohn Johansen2017-01-161-11/+21
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: Make aa_remove_profile() callable from a different viewJohn Johansen2017-01-161-3/+4
| | | | | | This is prep work for fs operations being able to remove namespaces. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add a default null dfaJohn Johansen2017-01-161-0/+2
| | | | | | | | | | | Instead of testing whether a given dfa exists in every code path, have a default null dfa that is used when loaded policy doesn't provide a dfa. This will let us get rid of special casing and avoid dereference bugs when special casing is missed. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: name null-XXX profiles after the executableJohn Johansen2017-01-161-13/+40
| | | | | | | | When possible its better to name a learning profile after the missing profile in question. This allows for both more informative names and for profile reuse. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: pass gfp_t parameter into profile allocationJohn Johansen2017-01-161-5/+6
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: refactor prepare_ns() and make usable from different viewsJohn Johansen2017-01-161-2/+4
| | | | | | | | prepare_ns() will need to be called from alternate views, and namespaces will need to be created via different interfaces. So refactor and allow specifying the view ns. Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: pass gfp param into aa_policy_init()John Johansen2017-01-161-1/+1
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: rename hname_tail to basenameJohn Johansen2017-01-161-1/+1
| | | | | | Rename to the shorter and more familiar shell cmd name Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add fn to lookup profiles by fqnameJohn Johansen2017-01-161-0/+29
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: add strn version of lookup_profile fnJohn Johansen2017-01-161-11/+25
| | | | Signed-off-by: John Johansen <john.johansen@canonical.com>
* apparmor: rename replacedby to proxyJohn Johansen2017-01-161-35/+35
| | | | | | Proxy is shorter and a better fit than replaceby, so rename it. Signed-off-by: John Johansen <john.johansen@canonical.com>
OpenPOWER on IntegriCloud