2 * AppArmor security module
4 * This file contains AppArmor /sys/kernel/security/apparmor interface functions
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/ctype.h>
16 #include <linux/security.h>
17 #include <linux/vmalloc.h>
18 #include <linux/module.h>
19 #include <linux/seq_file.h>
20 #include <linux/uaccess.h>
21 #include <linux/mount.h>
22 #include <linux/namei.h>
23 #include <linux/capability.h>
24 #include <linux/rcupdate.h>
26 #include <linux/poll.h>
27 #include <uapi/linux/major.h>
28 #include <uapi/linux/magic.h>
30 #include "include/apparmor.h"
31 #include "include/apparmorfs.h"
32 #include "include/audit.h"
33 #include "include/context.h"
34 #include "include/crypto.h"
35 #include "include/policy_ns.h"
36 #include "include/policy.h"
37 #include "include/policy_ns.h"
38 #include "include/resource.h"
39 #include "include/policy_unpack.h"
42 * The apparmor filesystem interface used for policy load and introspection
43 * The interface is split into two main components based on their function
44 * a securityfs component:
45 * used for static files that are always available, and which allows
46 * userspace to specificy the location of the security filesystem.
48 * fns and data are prefixed with
51 * an apparmorfs component:
52 * used loaded policy content and introspection. It is not part of a
53 * regular mounted filesystem and is available only through the magic
54 * policy symlink in the root of the securityfs apparmor/ directory.
55 * Tasks queries will be magically redirected to the correct portion
56 * of the policy tree based on their confinement.
58 * fns and data are prefixed with
61 * The aa_fs_ prefix is used to indicate the fn is used by both the
62 * securityfs and apparmorfs filesystems.
71 * aa_mangle_name - mangle a profile name to std profile layout form
72 * @name: profile name to mangle (NOT NULL)
73 * @target: buffer to store mangled name, same length as @name (MAYBE NULL)
75 * Returns: length of mangled name
77 static int mangle_name(const char *name, char *target)
81 while (*name == '/' || *name == '.')
85 for (; *name; name++) {
88 else if (isspace(*name))
90 else if (isalnum(*name) || strchr("._-", *name))
97 for (; *name; name++) {
98 if (isalnum(*name) || isspace(*name) ||
99 strchr("/._-", *name))
111 * aafs - core fns and data for the policy tree
114 #define AAFS_NAME "apparmorfs"
115 static struct vfsmount *aafs_mnt;
116 static int aafs_count;
119 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry)
121 struct inode *inode = d_inode(dentry);
123 seq_printf(seq, "%s:[%lu]", AAFS_NAME, inode->i_ino);
127 static void aafs_evict_inode(struct inode *inode)
129 truncate_inode_pages_final(&inode->i_data);
131 if (S_ISLNK(inode->i_mode))
132 kfree(inode->i_link);
135 static const struct super_operations aafs_super_ops = {
136 .statfs = simple_statfs,
137 .evict_inode = aafs_evict_inode,
138 .show_path = aafs_show_path,
141 static int fill_super(struct super_block *sb, void *data, int silent)
143 static struct tree_descr files[] = { {""} };
146 error = simple_fill_super(sb, AAFS_MAGIC, files);
149 sb->s_op = &aafs_super_ops;
154 static struct dentry *aafs_mount(struct file_system_type *fs_type,
155 int flags, const char *dev_name, void *data)
157 return mount_single(fs_type, flags, data, fill_super);
160 static struct file_system_type aafs_ops = {
161 .owner = THIS_MODULE,
164 .kill_sb = kill_anon_super,
168 * __aafs_setup_d_inode - basic inode setup for apparmorfs
169 * @dir: parent directory for the dentry
170 * @dentry: dentry we are seting the inode up for
171 * @mode: permissions the file should have
172 * @data: data to store on inode.i_private, available in open()
173 * @link: if symlink, symlink target string
174 * @fops: struct file_operations that should be used
175 * @iops: struct of inode_operations that should be used
177 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry,
178 umode_t mode, void *data, char *link,
179 const struct file_operations *fops,
180 const struct inode_operations *iops)
182 struct inode *inode = new_inode(dir->i_sb);
190 inode->i_ino = get_next_ino();
191 inode->i_mode = mode;
192 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
193 inode->i_private = data;
195 inode->i_op = iops ? iops : &simple_dir_inode_operations;
196 inode->i_fop = &simple_dir_operations;
199 } else if (S_ISLNK(mode)) {
200 inode->i_op = iops ? iops : &simple_symlink_inode_operations;
201 inode->i_link = link;
205 d_instantiate(dentry, inode);
212 * aafs_create - create a dentry in the apparmorfs filesystem
214 * @name: name of dentry to create
215 * @mode: permissions the file should have
216 * @parent: parent directory for this dentry
217 * @data: data to store on inode.i_private, available in open()
218 * @link: if symlink, symlink target string
219 * @fops: struct file_operations that should be used for
220 * @iops: struct of inode_operations that should be used
222 * This is the basic "create a xxx" function for apparmorfs.
224 * Returns a pointer to a dentry if it succeeds, that must be free with
225 * aafs_remove(). Will return ERR_PTR on failure.
227 static struct dentry *aafs_create(const char *name, umode_t mode,
228 struct dentry *parent, void *data, void *link,
229 const struct file_operations *fops,
230 const struct inode_operations *iops)
232 struct dentry *dentry;
239 if (!(mode & S_IFMT))
240 mode = (mode & S_IALLUGO) | S_IFREG;
242 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
244 return ERR_PTR(error);
246 dir = d_inode(parent);
249 dentry = lookup_one_len(name, parent, strlen(name));
253 if (d_really_is_positive(dentry)) {
258 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops);
270 simple_release_fs(&aafs_mnt, &aafs_count);
272 return ERR_PTR(error);
276 * aafs_create_file - create a file in the apparmorfs filesystem
278 * @name: name of dentry to create
279 * @mode: permissions the file should have
280 * @parent: parent directory for this dentry
281 * @data: data to store on inode.i_private, available in open()
282 * @fops: struct file_operations that should be used for
286 static struct dentry *aafs_create_file(const char *name, umode_t mode,
287 struct dentry *parent, void *data,
288 const struct file_operations *fops)
290 return aafs_create(name, mode, parent, data, NULL, fops, NULL);
294 * aafs_create_dir - create a directory in the apparmorfs filesystem
296 * @name: name of dentry to create
297 * @parent: parent directory for this dentry
301 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent)
303 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL,
308 * aafs_create_symlink - create a symlink in the apparmorfs filesystem
309 * @name: name of dentry to create
310 * @parent: parent directory for this dentry
311 * @target: if symlink, symlink target string
312 * @iops: struct of inode_operations that should be used
314 * If @target parameter is %NULL, then the @iops parameter needs to be
315 * setup to handle .readlink and .get_link inode_operations.
317 static struct dentry *aafs_create_symlink(const char *name,
318 struct dentry *parent,
320 const struct inode_operations *iops)
326 link = kstrdup(target, GFP_KERNEL);
328 return ERR_PTR(-ENOMEM);
330 dent = aafs_create(name, S_IFLNK | 0444, parent, NULL, link, NULL,
339 * aafs_remove - removes a file or directory from the apparmorfs filesystem
341 * @dentry: dentry of the file/directory/symlink to removed.
343 static void aafs_remove(struct dentry *dentry)
347 if (!dentry || IS_ERR(dentry))
350 dir = d_inode(dentry->d_parent);
352 if (simple_positive(dentry)) {
353 if (d_is_dir(dentry))
354 simple_rmdir(dir, dentry);
356 simple_unlink(dir, dentry);
360 simple_release_fs(&aafs_mnt, &aafs_count);
365 * aa_fs - policy load/replace/remove
369 * aa_simple_write_to_buffer - common routine for getting policy from user
370 * @userbuf: user buffer to copy data from (NOT NULL)
371 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
372 * @copy_size: size of data to copy from user buffer
373 * @pos: position write is at in the file (NOT NULL)
375 * Returns: kernel buffer containing copy of user buffer data or an
376 * ERR_PTR on failure.
378 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf,
383 struct aa_loaddata *data;
385 AA_BUG(copy_size > alloc_size);
388 /* only writes from pos 0, that is complete writes */
389 return ERR_PTR(-ESPIPE);
391 /* freed by caller to simple_write_to_buffer */
392 data = aa_loaddata_alloc(alloc_size);
396 data->size = copy_size;
397 if (copy_from_user(data->data, userbuf, copy_size)) {
399 return ERR_PTR(-EFAULT);
405 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
406 loff_t *pos, struct aa_ns *ns)
409 struct aa_loaddata *data;
410 struct aa_profile *profile = aa_current_profile();
411 /* high level check about policy management - fine grained in
414 error = aa_may_manage_policy(profile, ns, mask);
418 data = aa_simple_write_to_buffer(buf, size, size, pos);
419 error = PTR_ERR(data);
421 error = aa_replace_profiles(ns ? ns : profile->ns, profile,
423 aa_put_loaddata(data);
429 /* .load file hook fn to load policy */
430 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
433 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
434 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns);
441 static const struct file_operations aa_fs_profile_load = {
442 .write = profile_load,
443 .llseek = default_llseek,
446 /* .replace file hook fn to load and/or replace policy */
447 static ssize_t profile_replace(struct file *f, const char __user *buf,
448 size_t size, loff_t *pos)
450 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
451 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
458 static const struct file_operations aa_fs_profile_replace = {
459 .write = profile_replace,
460 .llseek = default_llseek,
463 /* .remove file hook fn to remove loaded policy */
464 static ssize_t profile_remove(struct file *f, const char __user *buf,
465 size_t size, loff_t *pos)
467 struct aa_loaddata *data;
468 struct aa_profile *profile;
470 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
472 profile = aa_current_profile();
473 /* high level check about policy management - fine grained in
476 error = aa_may_manage_policy(profile, ns, AA_MAY_REMOVE_POLICY);
481 * aa_remove_profile needs a null terminated string so 1 extra
482 * byte is allocated and the copied data is null terminated.
484 data = aa_simple_write_to_buffer(buf, size + 1, size, pos);
486 error = PTR_ERR(data);
488 data->data[size] = 0;
489 error = aa_remove_profiles(ns ? ns : profile->ns, profile,
491 aa_put_loaddata(data);
498 static const struct file_operations aa_fs_profile_remove = {
499 .write = profile_remove,
500 .llseek = default_llseek,
508 /* revision file hook fn for policy loads */
509 static int ns_revision_release(struct inode *inode, struct file *file)
511 struct aa_revision *rev = file->private_data;
521 static ssize_t ns_revision_read(struct file *file, char __user *buf,
522 size_t size, loff_t *ppos)
524 struct aa_revision *rev = file->private_data;
529 mutex_lock(&rev->ns->lock);
530 last_read = rev->last_read;
531 if (last_read == rev->ns->revision) {
532 mutex_unlock(&rev->ns->lock);
533 if (file->f_flags & O_NONBLOCK)
535 if (wait_event_interruptible(rev->ns->wait,
537 READ_ONCE(rev->ns->revision)))
539 mutex_lock(&rev->ns->lock);
542 avail = sprintf(buffer, "%ld\n", rev->ns->revision);
543 if (*ppos + size > avail) {
544 rev->last_read = rev->ns->revision;
547 mutex_unlock(&rev->ns->lock);
549 return simple_read_from_buffer(buf, size, ppos, buffer, avail);
552 static int ns_revision_open(struct inode *inode, struct file *file)
554 struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL);
559 rev->ns = aa_get_ns(inode->i_private);
561 rev->ns = aa_get_current_ns();
562 file->private_data = rev;
567 static unsigned int ns_revision_poll(struct file *file, poll_table *pt)
569 struct aa_revision *rev = file->private_data;
570 unsigned int mask = 0;
573 mutex_lock(&rev->ns->lock);
574 poll_wait(file, &rev->ns->wait, pt);
575 if (rev->last_read < rev->ns->revision)
576 mask |= POLLIN | POLLRDNORM;
577 mutex_unlock(&rev->ns->lock);
583 void __aa_bump_ns_revision(struct aa_ns *ns)
586 wake_up_interruptible(&ns->wait);
589 static const struct file_operations aa_fs_ns_revision_fops = {
590 .owner = THIS_MODULE,
591 .open = ns_revision_open,
592 .poll = ns_revision_poll,
593 .read = ns_revision_read,
594 .llseek = generic_file_llseek,
595 .release = ns_revision_release,
598 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
599 const char *match_str, size_t match_len)
603 unsigned int state = 0;
605 if (unconfined(profile))
607 if (profile->file.dfa && *match_str == AA_CLASS_FILE) {
608 dfa = profile->file.dfa;
609 state = aa_dfa_match_len(dfa, profile->file.start,
610 match_str + 1, match_len - 1);
613 struct path_cond cond = { };
615 tmp = aa_compute_fperms(dfa, state, &cond);
617 } else if (profile->policy.dfa) {
618 if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
619 return; /* no change to current perms */
620 dfa = profile->policy.dfa;
621 state = aa_dfa_match_len(dfa, profile->policy.start[0],
622 match_str, match_len);
624 aa_compute_perms(dfa, state, &tmp);
628 aa_apply_modes_to_perms(profile, &tmp);
633 * query_data - queries a policy and writes its data to buf
634 * @buf: the resulting data is stored here (NOT NULL)
635 * @buf_len: size of buf
636 * @query: query string used to retrieve data
637 * @query_len: size of query including second NUL byte
639 * The buffers pointed to by buf and query may overlap. The query buffer is
640 * parsed before buf is written to.
642 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of
643 * the security confinement context and <KEY> is the name of the data to
644 * retrieve. <LABEL> and <KEY> must not be NUL-terminated.
646 * Don't expect the contents of buf to be preserved on failure.
648 * Returns: number of characters written to buf or -errno on failure
650 static ssize_t query_data(char *buf, size_t buf_len,
651 char *query, size_t query_len)
655 struct aa_profile *profile;
656 struct aa_data *data;
661 return -EINVAL; /* need a query */
663 key = query + strnlen(query, query_len) + 1;
664 if (key + 1 >= query + query_len)
665 return -EINVAL; /* not enough space for a non-empty key */
666 if (key + strnlen(key, query + query_len - key) >= query + query_len)
667 return -EINVAL; /* must end with NUL */
669 if (buf_len < sizeof(bytes) + sizeof(blocks))
670 return -EINVAL; /* not enough space */
672 profile = aa_current_profile();
674 /* We are going to leave space for two numbers. The first is the total
675 * number of bytes we are writing after the first number. This is so
676 * users can read the full output without reallocation.
678 * The second number is the number of data blocks we're writing. An
679 * application might be confined by multiple policies having data in
682 memset(buf, 0, sizeof(bytes) + sizeof(blocks));
683 out = buf + sizeof(bytes) + sizeof(blocks);
687 data = rhashtable_lookup_fast(profile->data, &key,
691 if (out + sizeof(outle32) + data->size > buf + buf_len)
692 return -EINVAL; /* not enough space */
693 outle32 = __cpu_to_le32(data->size);
694 memcpy(out, &outle32, sizeof(outle32));
695 out += sizeof(outle32);
696 memcpy(out, data->data, data->size);
702 outle32 = __cpu_to_le32(out - buf - sizeof(bytes));
703 memcpy(buf, &outle32, sizeof(outle32));
704 outle32 = __cpu_to_le32(blocks);
705 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32));
711 * query_label - queries a label and writes permissions to buf
712 * @buf: the resulting permissions string is stored here (NOT NULL)
713 * @buf_len: size of buf
714 * @query: binary query string to match against the dfa
715 * @query_len: size of query
716 * @view_only: only compute for querier's view
718 * The buffers pointed to by buf and query may overlap. The query buffer is
719 * parsed before buf is written to.
721 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is
722 * the name of the label, in the current namespace, that is to be queried and
723 * DFA_STRING is a binary string to match against the label(s)'s DFA.
725 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters
726 * but must *not* be NUL terminated.
728 * Returns: number of characters written to buf or -errno on failure
730 static ssize_t query_label(char *buf, size_t buf_len,
731 char *query, size_t query_len, bool view_only)
733 struct aa_profile *profile, *curr;
734 char *label_name, *match_str;
735 size_t label_name_len, match_len;
736 struct aa_perms perms;
742 label_name_len = strnlen(query, query_len);
743 if (!label_name_len || label_name_len == query_len)
747 * The extra byte is to account for the null byte between the
748 * profile name and dfa string. profile_name_len is greater
749 * than zero and less than query_len, so a byte can be safely
750 * added or subtracted.
752 match_str = label_name + label_name_len + 1;
753 match_len = query_len - label_name_len - 1;
755 curr = aa_current_profile();
756 profile = aa_fqlookupn_profile(curr, label_name, label_name_len);
761 profile_query_cb(profile, &perms, match_str, match_len);
763 return scnprintf(buf, buf_len,
764 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n",
765 perms.allow, perms.deny, perms.audit, perms.quiet);
769 * Transaction based IO.
770 * The file expects a write which triggers the transaction, and then
771 * possibly a read(s) which collects the result - which is stored in a
772 * file-local buffer. Once a new write is performed, a new set of results
773 * are stored in the file-local buffer.
775 struct multi_transaction {
781 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction))
782 /* TODO: replace with per file lock */
783 static DEFINE_SPINLOCK(multi_transaction_lock);
785 static void multi_transaction_kref(struct kref *kref)
787 struct multi_transaction *t;
789 t = container_of(kref, struct multi_transaction, count);
790 free_page((unsigned long) t);
793 static struct multi_transaction *
794 get_multi_transaction(struct multi_transaction *t)
797 kref_get(&(t->count));
802 static void put_multi_transaction(struct multi_transaction *t)
805 kref_put(&(t->count), multi_transaction_kref);
808 /* does not increment @new's count */
809 static void multi_transaction_set(struct file *file,
810 struct multi_transaction *new, size_t n)
812 struct multi_transaction *old;
814 AA_BUG(n > MULTI_TRANSACTION_LIMIT);
817 spin_lock(&multi_transaction_lock);
818 old = (struct multi_transaction *) file->private_data;
819 file->private_data = new;
820 spin_unlock(&multi_transaction_lock);
821 put_multi_transaction(old);
824 static struct multi_transaction *multi_transaction_new(struct file *file,
825 const char __user *buf,
828 struct multi_transaction *t;
830 if (size > MULTI_TRANSACTION_LIMIT - 1)
831 return ERR_PTR(-EFBIG);
833 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL);
835 return ERR_PTR(-ENOMEM);
836 kref_init(&t->count);
837 if (copy_from_user(t->data, buf, size))
838 return ERR_PTR(-EFAULT);
843 static ssize_t multi_transaction_read(struct file *file, char __user *buf,
844 size_t size, loff_t *pos)
846 struct multi_transaction *t;
849 spin_lock(&multi_transaction_lock);
850 t = get_multi_transaction(file->private_data);
851 spin_unlock(&multi_transaction_lock);
855 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size);
856 put_multi_transaction(t);
861 static int multi_transaction_release(struct inode *inode, struct file *file)
863 put_multi_transaction(file->private_data);
868 #define QUERY_CMD_PROFILE "profile\0"
869 #define QUERY_CMD_PROFILE_LEN 8
871 #define QUERY_CMD_DATA "data\0"
872 #define QUERY_CMD_DATA_LEN 5
875 * aa_write_access - generic permissions and data query
876 * @file: pointer to open apparmorfs/access file
877 * @ubuf: user buffer containing the complete query string (NOT NULL)
878 * @count: size of ubuf
879 * @ppos: position in the file (MUST BE ZERO)
881 * Allows for one permissions or data query per open(), write(), and read()
882 * sequence. The only queries currently supported are label-based queries for
883 * permissions or data.
885 * For permissions queries, ubuf must begin with "label\0", followed by the
886 * profile query specific format described in the query_label() function
889 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where
890 * <LABEL> is the name of the security confinement context and <KEY> is the
891 * name of the data to retrieve.
893 * Returns: number of bytes written or -errno on failure
895 static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
896 size_t count, loff_t *ppos)
898 struct multi_transaction *t;
904 t = multi_transaction_new(file, ubuf, count);
908 if (count > QUERY_CMD_PROFILE_LEN &&
909 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) {
910 len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
911 t->data + QUERY_CMD_PROFILE_LEN,
912 count - QUERY_CMD_PROFILE_LEN, true);
913 } else if (count > QUERY_CMD_DATA_LEN &&
914 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) {
915 len = query_data(t->data, MULTI_TRANSACTION_LIMIT,
916 t->data + QUERY_CMD_DATA_LEN,
917 count - QUERY_CMD_DATA_LEN);
922 put_multi_transaction(t);
926 multi_transaction_set(file, t, len);
931 static const struct file_operations aa_sfs_access = {
932 .write = aa_write_access,
933 .read = multi_transaction_read,
934 .release = multi_transaction_release,
935 .llseek = generic_file_llseek,
938 static int aa_sfs_seq_show(struct seq_file *seq, void *v)
940 struct aa_sfs_entry *fs_file = seq->private;
945 switch (fs_file->v_type) {
946 case AA_SFS_TYPE_BOOLEAN:
947 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
949 case AA_SFS_TYPE_STRING:
950 seq_printf(seq, "%s\n", fs_file->v.string);
952 case AA_SFS_TYPE_U64:
953 seq_printf(seq, "%#08lx\n", fs_file->v.u64);
956 /* Ignore unpritable entry types. */
963 static int aa_sfs_seq_open(struct inode *inode, struct file *file)
965 return single_open(file, aa_sfs_seq_show, inode->i_private);
968 const struct file_operations aa_sfs_seq_file_ops = {
969 .owner = THIS_MODULE,
970 .open = aa_sfs_seq_open,
973 .release = single_release,
977 * profile based file operations
978 * policy/profiles/XXXX/profiles/ *
981 #define SEQ_PROFILE_FOPS(NAME) \
982 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\
984 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \
987 static const struct file_operations seq_profile_ ##NAME ##_fops = { \
988 .owner = THIS_MODULE, \
989 .open = seq_profile_ ##NAME ##_open, \
991 .llseek = seq_lseek, \
992 .release = seq_profile_release, \
995 static int seq_profile_open(struct inode *inode, struct file *file,
996 int (*show)(struct seq_file *, void *))
998 struct aa_proxy *proxy = aa_get_proxy(inode->i_private);
999 int error = single_open(file, show, proxy);
1002 file->private_data = NULL;
1003 aa_put_proxy(proxy);
1009 static int seq_profile_release(struct inode *inode, struct file *file)
1011 struct seq_file *seq = (struct seq_file *) file->private_data;
1013 aa_put_proxy(seq->private);
1014 return single_release(inode, file);
1017 static int seq_profile_name_show(struct seq_file *seq, void *v)
1019 struct aa_proxy *proxy = seq->private;
1020 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1021 seq_printf(seq, "%s\n", profile->base.name);
1022 aa_put_profile(profile);
1027 static int seq_profile_mode_show(struct seq_file *seq, void *v)
1029 struct aa_proxy *proxy = seq->private;
1030 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1031 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]);
1032 aa_put_profile(profile);
1037 static int seq_profile_attach_show(struct seq_file *seq, void *v)
1039 struct aa_proxy *proxy = seq->private;
1040 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1041 if (profile->attach)
1042 seq_printf(seq, "%s\n", profile->attach);
1043 else if (profile->xmatch)
1044 seq_puts(seq, "<unknown>\n");
1046 seq_printf(seq, "%s\n", profile->base.name);
1047 aa_put_profile(profile);
1052 static int seq_profile_hash_show(struct seq_file *seq, void *v)
1054 struct aa_proxy *proxy = seq->private;
1055 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1056 unsigned int i, size = aa_hash_size();
1058 if (profile->hash) {
1059 for (i = 0; i < size; i++)
1060 seq_printf(seq, "%.2x", profile->hash[i]);
1061 seq_putc(seq, '\n');
1063 aa_put_profile(profile);
1068 SEQ_PROFILE_FOPS(name);
1069 SEQ_PROFILE_FOPS(mode);
1070 SEQ_PROFILE_FOPS(attach);
1071 SEQ_PROFILE_FOPS(hash);
1074 * namespace based files
1075 * several root files and
1079 #define SEQ_NS_FOPS(NAME) \
1080 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \
1082 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \
1085 static const struct file_operations seq_ns_ ##NAME ##_fops = { \
1086 .owner = THIS_MODULE, \
1087 .open = seq_ns_ ##NAME ##_open, \
1089 .llseek = seq_lseek, \
1090 .release = single_release, \
1093 static int seq_ns_level_show(struct seq_file *seq, void *v)
1095 struct aa_ns *ns = aa_current_profile()->ns;
1097 seq_printf(seq, "%d\n", ns->level);
1102 static int seq_ns_name_show(struct seq_file *seq, void *v)
1104 struct aa_ns *ns = aa_current_profile()->ns;
1106 seq_printf(seq, "%s\n", ns->base.name);
1115 /* policy/raw_data/ * file ops */
1117 #define SEQ_RAWDATA_FOPS(NAME) \
1118 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\
1120 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \
1123 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \
1124 .owner = THIS_MODULE, \
1125 .open = seq_rawdata_ ##NAME ##_open, \
1127 .llseek = seq_lseek, \
1128 .release = seq_rawdata_release, \
1131 static int seq_rawdata_open(struct inode *inode, struct file *file,
1132 int (*show)(struct seq_file *, void *))
1134 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private);
1138 /* lost race this ent is being reaped */
1141 error = single_open(file, show, data);
1143 AA_BUG(file->private_data &&
1144 ((struct seq_file *)file->private_data)->private);
1145 aa_put_loaddata(data);
1151 static int seq_rawdata_release(struct inode *inode, struct file *file)
1153 struct seq_file *seq = (struct seq_file *) file->private_data;
1156 aa_put_loaddata(seq->private);
1158 return single_release(inode, file);
1161 static int seq_rawdata_abi_show(struct seq_file *seq, void *v)
1163 struct aa_loaddata *data = seq->private;
1165 seq_printf(seq, "v%d\n", data->abi);
1170 static int seq_rawdata_revision_show(struct seq_file *seq, void *v)
1172 struct aa_loaddata *data = seq->private;
1174 seq_printf(seq, "%ld\n", data->revision);
1179 static int seq_rawdata_hash_show(struct seq_file *seq, void *v)
1181 struct aa_loaddata *data = seq->private;
1182 unsigned int i, size = aa_hash_size();
1185 for (i = 0; i < size; i++)
1186 seq_printf(seq, "%.2x", data->hash[i]);
1187 seq_putc(seq, '\n');
1193 SEQ_RAWDATA_FOPS(abi);
1194 SEQ_RAWDATA_FOPS(revision);
1195 SEQ_RAWDATA_FOPS(hash);
1197 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size,
1200 struct aa_loaddata *rawdata = file->private_data;
1202 return simple_read_from_buffer(buf, size, ppos, rawdata->data,
1206 static int rawdata_release(struct inode *inode, struct file *file)
1208 aa_put_loaddata(file->private_data);
1213 static int rawdata_open(struct inode *inode, struct file *file)
1215 if (!policy_view_capable(NULL))
1217 file->private_data = __aa_get_loaddata(inode->i_private);
1218 if (!file->private_data)
1219 /* lost race: this entry is being reaped */
1225 static const struct file_operations rawdata_fops = {
1226 .open = rawdata_open,
1227 .read = rawdata_read,
1228 .llseek = generic_file_llseek,
1229 .release = rawdata_release,
1232 static void remove_rawdata_dents(struct aa_loaddata *rawdata)
1236 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) {
1237 if (!IS_ERR_OR_NULL(rawdata->dents[i])) {
1238 /* no refcounts on i_private */
1239 aafs_remove(rawdata->dents[i]);
1240 rawdata->dents[i] = NULL;
1245 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata)
1247 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock));
1250 remove_rawdata_dents(rawdata);
1251 list_del_init(&rawdata->list);
1252 aa_put_ns(rawdata->ns);
1257 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata)
1259 struct dentry *dent, *dir;
1263 AA_BUG(!mutex_is_locked(&ns->lock));
1264 AA_BUG(!ns_subdata_dir(ns));
1267 * just use ns revision dir was originally created at. This is
1268 * under ns->lock and if load is successful revision will be
1269 * bumped and is guaranteed to be unique
1271 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision);
1275 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns));
1277 /* ->name freed when rawdata freed */
1278 return PTR_ERR(dir);
1279 rawdata->dents[AAFS_LOADDATA_DIR] = dir;
1281 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata,
1282 &seq_rawdata_abi_fops);
1285 rawdata->dents[AAFS_LOADDATA_ABI] = dent;
1287 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata,
1288 &seq_rawdata_revision_fops);
1291 rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
1293 if (aa_g_hash_policy) {
1294 dent = aafs_create_file("sha1", S_IFREG | 0444, dir,
1295 rawdata, &seq_rawdata_hash_fops);
1298 rawdata->dents[AAFS_LOADDATA_HASH] = dent;
1301 dent = aafs_create_file("raw_data", S_IFREG | 0444,
1302 dir, rawdata, &rawdata_fops);
1305 rawdata->dents[AAFS_LOADDATA_DATA] = dent;
1306 d_inode(dent)->i_size = rawdata->size;
1308 rawdata->ns = aa_get_ns(ns);
1309 list_add(&rawdata->list, &ns->rawdata_list);
1310 /* no refcount on inode rawdata */
1315 remove_rawdata_dents(rawdata);
1317 return PTR_ERR(dent);
1320 /** fns to setup dynamic per profile/namespace files **/
1324 * Requires: @profile->ns->lock held
1326 void __aafs_profile_rmdir(struct aa_profile *profile)
1328 struct aa_profile *child;
1334 list_for_each_entry(child, &profile->base.profiles, base.list)
1335 __aafs_profile_rmdir(child);
1337 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) {
1338 struct aa_proxy *proxy;
1339 if (!profile->dents[i])
1342 proxy = d_inode(profile->dents[i])->i_private;
1343 aafs_remove(profile->dents[i]);
1344 aa_put_proxy(proxy);
1345 profile->dents[i] = NULL;
1351 * Requires: @old->ns->lock held
1353 void __aafs_profile_migrate_dents(struct aa_profile *old,
1354 struct aa_profile *new)
1358 for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
1359 new->dents[i] = old->dents[i];
1361 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode);
1362 old->dents[i] = NULL;
1366 static struct dentry *create_profile_file(struct dentry *dir, const char *name,
1367 struct aa_profile *profile,
1368 const struct file_operations *fops)
1370 struct aa_proxy *proxy = aa_get_proxy(profile->proxy);
1371 struct dentry *dent;
1373 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops);
1375 aa_put_proxy(proxy);
1380 static int profile_depth(struct aa_profile *profile)
1385 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent))
1392 static int gen_symlink_name(char *buffer, size_t bsize, int depth,
1393 const char *dirname, const char *fname)
1397 for (; depth > 0; depth--) {
1399 return -ENAMETOOLONG;
1400 strcpy(buffer, "../../");
1405 error = snprintf(buffer, bsize, "raw_data/%s/%s", dirname, fname);
1406 if (error >= bsize || error < 0)
1407 return -ENAMETOOLONG;
1413 * Requires: @profile->ns->lock held
1415 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
1417 struct aa_profile *child;
1418 struct dentry *dent = NULL, *dir;
1422 struct aa_profile *p;
1423 p = aa_deref_parent(profile);
1425 /* adding to parent that previously didn't have children */
1426 dent = aafs_create_dir("profiles", dent);
1429 prof_child_dir(p) = parent = dent;
1432 if (!profile->dirname) {
1434 len = mangle_name(profile->base.name, NULL);
1435 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id);
1437 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL);
1438 if (!profile->dirname) {
1443 mangle_name(profile->base.name, profile->dirname);
1444 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++);
1447 dent = aafs_create_dir(profile->dirname, parent);
1450 prof_dir(profile) = dir = dent;
1452 dent = create_profile_file(dir, "name", profile,
1453 &seq_profile_name_fops);
1456 profile->dents[AAFS_PROF_NAME] = dent;
1458 dent = create_profile_file(dir, "mode", profile,
1459 &seq_profile_mode_fops);
1462 profile->dents[AAFS_PROF_MODE] = dent;
1464 dent = create_profile_file(dir, "attach", profile,
1465 &seq_profile_attach_fops);
1468 profile->dents[AAFS_PROF_ATTACH] = dent;
1470 if (profile->hash) {
1471 dent = create_profile_file(dir, "sha1", profile,
1472 &seq_profile_hash_fops);
1475 profile->dents[AAFS_PROF_HASH] = dent;
1478 if (profile->rawdata) {
1480 int depth = profile_depth(profile);
1482 error = gen_symlink_name(target, sizeof(target), depth,
1483 profile->rawdata->name, "sha1");
1486 dent = aafs_create_symlink("raw_sha1", dir, target, NULL);
1489 profile->dents[AAFS_PROF_RAW_HASH] = dent;
1491 error = gen_symlink_name(target, sizeof(target), depth,
1492 profile->rawdata->name, "abi");
1495 dent = aafs_create_symlink("raw_abi", dir, target, NULL);
1498 profile->dents[AAFS_PROF_RAW_ABI] = dent;
1500 error = gen_symlink_name(target, sizeof(target), depth,
1501 profile->rawdata->name, "raw_data");
1504 dent = aafs_create_symlink("raw_data", dir, target, NULL);
1507 profile->dents[AAFS_PROF_RAW_DATA] = dent;
1510 list_for_each_entry(child, &profile->base.profiles, base.list) {
1511 error = __aafs_profile_mkdir(child, prof_child_dir(profile));
1519 error = PTR_ERR(dent);
1522 __aafs_profile_rmdir(profile);
1527 static int ns_mkdir_op(struct inode *dir, struct dentry *dentry, umode_t mode)
1529 struct aa_ns *ns, *parent;
1530 /* TODO: improve permission check */
1531 struct aa_profile *profile = aa_current_profile();
1532 int error = aa_may_manage_policy(profile, NULL, AA_MAY_LOAD_POLICY);
1537 parent = aa_get_ns(dir->i_private);
1538 AA_BUG(d_inode(ns_subns_dir(parent)) != dir);
1540 /* we have to unlock and then relock to get locking order right
1544 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
1545 mutex_lock(&parent->lock);
1546 inode_lock_nested(dir, I_MUTEX_PARENT);
1550 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL,
1555 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name),
1558 error = PTR_ERR(ns);
1562 aa_put_ns(ns); /* list ref remains */
1565 simple_release_fs(&aafs_mnt, &aafs_count);
1567 mutex_unlock(&parent->lock);
1573 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry)
1575 struct aa_ns *ns, *parent;
1576 /* TODO: improve permission check */
1577 struct aa_profile *profile = aa_current_profile();
1578 int error = aa_may_manage_policy(profile, NULL, AA_MAY_LOAD_POLICY);
1583 parent = aa_get_ns(dir->i_private);
1584 /* rmdir calls the generic securityfs functions to remove files
1585 * from the apparmor dir. It is up to the apparmor ns locking
1589 inode_unlock(dentry->d_inode);
1591 mutex_lock(&parent->lock);
1592 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name,
1593 dentry->d_name.len));
1598 AA_BUG(ns_dir(ns) != dentry);
1604 mutex_unlock(&parent->lock);
1605 inode_lock_nested(dir, I_MUTEX_PARENT);
1606 inode_lock(dentry->d_inode);
1612 static const struct inode_operations ns_dir_inode_operations = {
1613 .lookup = simple_lookup,
1614 .mkdir = ns_mkdir_op,
1615 .rmdir = ns_rmdir_op,
1618 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns)
1620 struct aa_loaddata *ent, *tmp;
1622 AA_BUG(!mutex_is_locked(&ns->lock));
1624 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list)
1625 __aa_fs_remove_rawdata(ent);
1630 * Requires: @ns->lock held
1632 void __aafs_ns_rmdir(struct aa_ns *ns)
1635 struct aa_profile *child;
1641 list_for_each_entry(child, &ns->base.profiles, base.list)
1642 __aafs_profile_rmdir(child);
1644 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1645 mutex_lock(&sub->lock);
1646 __aafs_ns_rmdir(sub);
1647 mutex_unlock(&sub->lock);
1650 __aa_fs_list_remove_rawdata(ns);
1652 if (ns_subns_dir(ns)) {
1653 sub = d_inode(ns_subns_dir(ns))->i_private;
1656 if (ns_subload(ns)) {
1657 sub = d_inode(ns_subload(ns))->i_private;
1660 if (ns_subreplace(ns)) {
1661 sub = d_inode(ns_subreplace(ns))->i_private;
1664 if (ns_subremove(ns)) {
1665 sub = d_inode(ns_subremove(ns))->i_private;
1668 if (ns_subrevision(ns)) {
1669 sub = d_inode(ns_subrevision(ns))->i_private;
1673 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) {
1674 aafs_remove(ns->dents[i]);
1675 ns->dents[i] = NULL;
1679 /* assumes cleanup in caller */
1680 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir)
1682 struct dentry *dent;
1687 dent = aafs_create_dir("profiles", dir);
1689 return PTR_ERR(dent);
1690 ns_subprofs_dir(ns) = dent;
1692 dent = aafs_create_dir("raw_data", dir);
1694 return PTR_ERR(dent);
1695 ns_subdata_dir(ns) = dent;
1697 dent = aafs_create_file("revision", 0444, dir, ns,
1698 &aa_fs_ns_revision_fops);
1700 return PTR_ERR(dent);
1702 ns_subrevision(ns) = dent;
1704 dent = aafs_create_file(".load", 0640, dir, ns,
1705 &aa_fs_profile_load);
1707 return PTR_ERR(dent);
1709 ns_subload(ns) = dent;
1711 dent = aafs_create_file(".replace", 0640, dir, ns,
1712 &aa_fs_profile_replace);
1714 return PTR_ERR(dent);
1716 ns_subreplace(ns) = dent;
1718 dent = aafs_create_file(".remove", 0640, dir, ns,
1719 &aa_fs_profile_remove);
1721 return PTR_ERR(dent);
1723 ns_subremove(ns) = dent;
1725 /* use create_dentry so we can supply private data */
1726 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL,
1727 &ns_dir_inode_operations);
1729 return PTR_ERR(dent);
1731 ns_subns_dir(ns) = dent;
1737 * Requires: @ns->lock held
1739 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name,
1740 struct dentry *dent)
1743 struct aa_profile *child;
1749 AA_BUG(!mutex_is_locked(&ns->lock));
1752 name = ns->base.name;
1755 /* create ns dir if it doesn't already exist */
1756 dent = aafs_create_dir(name, parent);
1761 ns_dir(ns) = dir = dent;
1762 error = __aafs_ns_mkdir_entries(ns, dir);
1767 list_for_each_entry(child, &ns->base.profiles, base.list) {
1768 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns));
1774 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1775 mutex_lock(&sub->lock);
1776 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL);
1777 mutex_unlock(&sub->lock);
1785 error = PTR_ERR(dent);
1788 __aafs_ns_rmdir(ns);
1794 #define list_entry_is_head(pos, head, member) (&pos->member == (head))
1797 * __next_ns - find the next namespace to list
1798 * @root: root namespace to stop search at (NOT NULL)
1799 * @ns: current ns position (NOT NULL)
1801 * Find the next namespace from @ns under @root and handle all locking needed
1802 * while switching current namespace.
1804 * Returns: next namespace or NULL if at last namespace under @root
1805 * Requires: ns->parent->lock to be held
1806 * NOTE: will not unlock root->lock
1808 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
1810 struct aa_ns *parent, *next;
1812 /* is next namespace a child */
1813 if (!list_empty(&ns->sub_ns)) {
1814 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
1815 mutex_lock(&next->lock);
1819 /* check if the next ns is a sibling, parent, gp, .. */
1820 parent = ns->parent;
1821 while (ns != root) {
1822 mutex_unlock(&ns->lock);
1823 next = list_next_entry(ns, base.list);
1824 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
1825 mutex_lock(&next->lock);
1829 parent = parent->parent;
1836 * __first_profile - find the first profile in a namespace
1837 * @root: namespace that is root of profiles being displayed (NOT NULL)
1838 * @ns: namespace to start in (NOT NULL)
1840 * Returns: unrefcounted profile or NULL if no profile
1841 * Requires: profile->ns.lock to be held
1843 static struct aa_profile *__first_profile(struct aa_ns *root,
1846 for (; ns; ns = __next_ns(root, ns)) {
1847 if (!list_empty(&ns->base.profiles))
1848 return list_first_entry(&ns->base.profiles,
1849 struct aa_profile, base.list);
1855 * __next_profile - step to the next profile in a profile tree
1856 * @profile: current profile in tree (NOT NULL)
1858 * Perform a depth first traversal on the profile tree in a namespace
1860 * Returns: next profile or NULL if done
1861 * Requires: profile->ns.lock to be held
1863 static struct aa_profile *__next_profile(struct aa_profile *p)
1865 struct aa_profile *parent;
1866 struct aa_ns *ns = p->ns;
1868 /* is next profile a child */
1869 if (!list_empty(&p->base.profiles))
1870 return list_first_entry(&p->base.profiles, typeof(*p),
1873 /* is next profile a sibling, parent sibling, gp, sibling, .. */
1874 parent = rcu_dereference_protected(p->parent,
1875 mutex_is_locked(&p->ns->lock));
1877 p = list_next_entry(p, base.list);
1878 if (!list_entry_is_head(p, &parent->base.profiles, base.list))
1881 parent = rcu_dereference_protected(parent->parent,
1882 mutex_is_locked(&parent->ns->lock));
1885 /* is next another profile in the namespace */
1886 p = list_next_entry(p, base.list);
1887 if (!list_entry_is_head(p, &ns->base.profiles, base.list))
1894 * next_profile - step to the next profile in where ever it may be
1895 * @root: root namespace (NOT NULL)
1896 * @profile: current profile (NOT NULL)
1898 * Returns: next profile or NULL if there isn't one
1900 static struct aa_profile *next_profile(struct aa_ns *root,
1901 struct aa_profile *profile)
1903 struct aa_profile *next = __next_profile(profile);
1907 /* finished all profiles in namespace move to next namespace */
1908 return __first_profile(root, __next_ns(root, profile->ns));
1912 * p_start - start a depth first traversal of profile tree
1913 * @f: seq_file to fill
1914 * @pos: current position
1916 * Returns: first profile under current namespace or NULL if none found
1918 * acquires first ns->lock
1920 static void *p_start(struct seq_file *f, loff_t *pos)
1922 struct aa_profile *profile = NULL;
1923 struct aa_ns *root = aa_current_profile()->ns;
1925 f->private = aa_get_ns(root);
1928 /* find the first profile */
1929 mutex_lock(&root->lock);
1930 profile = __first_profile(root, root);
1932 /* skip to position */
1933 for (; profile && l > 0; l--)
1934 profile = next_profile(root, profile);
1940 * p_next - read the next profile entry
1941 * @f: seq_file to fill
1942 * @p: profile previously returned
1943 * @pos: current position
1945 * Returns: next profile after @p or NULL if none
1947 * may acquire/release locks in namespace tree as necessary
1949 static void *p_next(struct seq_file *f, void *p, loff_t *pos)
1951 struct aa_profile *profile = p;
1952 struct aa_ns *ns = f->private;
1955 return next_profile(ns, profile);
1959 * p_stop - stop depth first traversal
1960 * @f: seq_file we are filling
1961 * @p: the last profile writen
1963 * Release all locking done by p_start/p_next on namespace tree
1965 static void p_stop(struct seq_file *f, void *p)
1967 struct aa_profile *profile = p;
1968 struct aa_ns *root = f->private, *ns;
1971 for (ns = profile->ns; ns && ns != root; ns = ns->parent)
1972 mutex_unlock(&ns->lock);
1974 mutex_unlock(&root->lock);
1979 * seq_show_profile - show a profile entry
1980 * @f: seq_file to file
1981 * @p: current position (profile) (NOT NULL)
1983 * Returns: error on failure
1985 static int seq_show_profile(struct seq_file *f, void *p)
1987 struct aa_profile *profile = (struct aa_profile *)p;
1988 struct aa_ns *root = f->private;
1990 if (profile->ns != root)
1991 seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
1992 seq_printf(f, "%s (%s)\n", profile->base.hname,
1993 aa_profile_mode_names[profile->mode]);
1998 static const struct seq_operations aa_sfs_profiles_op = {
2002 .show = seq_show_profile,
2005 static int profiles_open(struct inode *inode, struct file *file)
2007 if (!policy_view_capable(NULL))
2010 return seq_open(file, &aa_sfs_profiles_op);
2013 static int profiles_release(struct inode *inode, struct file *file)
2015 return seq_release(inode, file);
2018 static const struct file_operations aa_sfs_profiles_fops = {
2019 .open = profiles_open,
2021 .llseek = seq_lseek,
2022 .release = profiles_release,
2026 /** Base file system setup **/
2027 static struct aa_sfs_entry aa_sfs_entry_file[] = {
2028 AA_SFS_FILE_STRING("mask",
2029 "create read write exec append mmap_exec link lock"),
2033 static struct aa_sfs_entry aa_sfs_entry_domain[] = {
2034 AA_SFS_FILE_BOOLEAN("change_hat", 1),
2035 AA_SFS_FILE_BOOLEAN("change_hatv", 1),
2036 AA_SFS_FILE_BOOLEAN("change_onexec", 1),
2037 AA_SFS_FILE_BOOLEAN("change_profile", 1),
2038 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
2039 AA_SFS_FILE_STRING("version", "1.2"),
2043 static struct aa_sfs_entry aa_sfs_entry_versions[] = {
2044 AA_SFS_FILE_BOOLEAN("v5", 1),
2048 static struct aa_sfs_entry aa_sfs_entry_policy[] = {
2049 AA_SFS_DIR("versions", aa_sfs_entry_versions),
2050 AA_SFS_FILE_BOOLEAN("set_load", 1),
2054 static struct aa_sfs_entry aa_sfs_entry_query_label[] = {
2055 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"),
2056 AA_SFS_FILE_BOOLEAN("data", 1),
2057 AA_SFS_FILE_BOOLEAN("multi_transaction", 1),
2061 static struct aa_sfs_entry aa_sfs_entry_query[] = {
2062 AA_SFS_DIR("label", aa_sfs_entry_query_label),
2065 static struct aa_sfs_entry aa_sfs_entry_features[] = {
2066 AA_SFS_DIR("policy", aa_sfs_entry_policy),
2067 AA_SFS_DIR("domain", aa_sfs_entry_domain),
2068 AA_SFS_DIR("file", aa_sfs_entry_file),
2069 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
2070 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit),
2071 AA_SFS_DIR("caps", aa_sfs_entry_caps),
2072 AA_SFS_DIR("query", aa_sfs_entry_query),
2076 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
2077 AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
2078 AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
2079 AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
2080 AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
2081 AA_SFS_DIR("features", aa_sfs_entry_features),
2085 static struct aa_sfs_entry aa_sfs_entry =
2086 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor);
2089 * entry_create_file - create a file entry in the apparmor securityfs
2090 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL)
2091 * @parent: the parent dentry in the securityfs
2093 * Use entry_remove_file to remove entries created with this fn.
2095 static int __init entry_create_file(struct aa_sfs_entry *fs_file,
2096 struct dentry *parent)
2100 fs_file->dentry = securityfs_create_file(fs_file->name,
2101 S_IFREG | fs_file->mode,
2104 if (IS_ERR(fs_file->dentry)) {
2105 error = PTR_ERR(fs_file->dentry);
2106 fs_file->dentry = NULL;
2111 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir);
2113 * entry_create_dir - recursively create a directory entry in the securityfs
2114 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL)
2115 * @parent: the parent dentry in the securityfs
2117 * Use entry_remove_dir to remove entries created with this fn.
2119 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir,
2120 struct dentry *parent)
2122 struct aa_sfs_entry *fs_file;
2126 dir = securityfs_create_dir(fs_dir->name, parent);
2128 return PTR_ERR(dir);
2129 fs_dir->dentry = dir;
2131 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2132 if (fs_file->v_type == AA_SFS_TYPE_DIR)
2133 error = entry_create_dir(fs_file, fs_dir->dentry);
2135 error = entry_create_file(fs_file, fs_dir->dentry);
2143 entry_remove_dir(fs_dir);
2149 * entry_remove_file - drop a single file entry in the apparmor securityfs
2150 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
2152 static void __init entry_remove_file(struct aa_sfs_entry *fs_file)
2154 if (!fs_file->dentry)
2157 securityfs_remove(fs_file->dentry);
2158 fs_file->dentry = NULL;
2162 * entry_remove_dir - recursively drop a directory entry from the securityfs
2163 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL)
2165 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir)
2167 struct aa_sfs_entry *fs_file;
2169 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2170 if (fs_file->v_type == AA_SFS_TYPE_DIR)
2171 entry_remove_dir(fs_file);
2173 entry_remove_file(fs_file);
2176 entry_remove_file(fs_dir);
2180 * aa_destroy_aafs - cleanup and free aafs
2182 * releases dentries allocated by aa_create_aafs
2184 void __init aa_destroy_aafs(void)
2186 entry_remove_dir(&aa_sfs_entry);
2190 #define NULL_FILE_NAME ".null"
2191 struct path aa_null;
2193 static int aa_mk_null_file(struct dentry *parent)
2195 struct vfsmount *mount = NULL;
2196 struct dentry *dentry;
2197 struct inode *inode;
2199 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count);
2204 inode_lock(d_inode(parent));
2205 dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME));
2206 if (IS_ERR(dentry)) {
2207 error = PTR_ERR(dentry);
2210 inode = new_inode(parent->d_inode->i_sb);
2216 inode->i_ino = get_next_ino();
2217 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
2218 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
2219 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO,
2220 MKDEV(MEM_MAJOR, 3));
2221 d_instantiate(dentry, inode);
2222 aa_null.dentry = dget(dentry);
2223 aa_null.mnt = mntget(mount);
2230 inode_unlock(d_inode(parent));
2231 simple_release_fs(&mount, &count);
2237 static const char *policy_get_link(struct dentry *dentry,
2238 struct inode *inode,
2239 struct delayed_call *done)
2245 return ERR_PTR(-ECHILD);
2246 ns = aa_get_current_ns();
2247 path.mnt = mntget(aafs_mnt);
2248 path.dentry = dget(ns_dir(ns));
2249 nd_jump_link(&path);
2255 static int ns_get_name(char *buf, size_t size, struct aa_ns *ns,
2256 struct inode *inode)
2258 int res = snprintf(buf, size, "%s:[%lu]", AAFS_NAME, inode->i_ino);
2260 if (res < 0 || res >= size)
2266 static int policy_readlink(struct dentry *dentry, char __user *buffer,
2273 ns = aa_get_current_ns();
2274 res = ns_get_name(name, sizeof(name), ns, d_inode(dentry));
2276 res = readlink_copy(buffer, buflen, name);
2282 static const struct inode_operations policy_link_iops = {
2283 .readlink = policy_readlink,
2284 .get_link = policy_get_link,
2289 * aa_create_aafs - create the apparmor security filesystem
2291 * dentries created here are released by aa_destroy_aafs
2293 * Returns: error on failure
2295 static int __init aa_create_aafs(void)
2297 struct dentry *dent;
2300 if (!apparmor_initialized)
2303 if (aa_sfs_entry.dentry) {
2304 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
2308 /* setup apparmorfs used to virtualize policy/ */
2309 aafs_mnt = kern_mount(&aafs_ops);
2310 if (IS_ERR(aafs_mnt))
2311 panic("can't set apparmorfs up\n");
2312 aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER;
2314 /* Populate fs tree. */
2315 error = entry_create_dir(&aa_sfs_entry, NULL);
2319 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry,
2320 NULL, &aa_fs_profile_load);
2322 error = PTR_ERR(dent);
2325 ns_subload(root_ns) = dent;
2327 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry,
2328 NULL, &aa_fs_profile_replace);
2330 error = PTR_ERR(dent);
2333 ns_subreplace(root_ns) = dent;
2335 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry,
2336 NULL, &aa_fs_profile_remove);
2338 error = PTR_ERR(dent);
2341 ns_subremove(root_ns) = dent;
2343 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry,
2344 NULL, &aa_fs_ns_revision_fops);
2346 error = PTR_ERR(dent);
2349 ns_subrevision(root_ns) = dent;
2351 /* policy tree referenced by magic policy symlink */
2352 mutex_lock(&root_ns->lock);
2353 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",
2354 aafs_mnt->mnt_root);
2355 mutex_unlock(&root_ns->lock);
2359 /* magic symlink similar to nsfs redirects based on task policy */
2360 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry,
2361 NULL, &policy_link_iops);
2363 error = PTR_ERR(dent);
2367 error = aa_mk_null_file(aa_sfs_entry.dentry);
2371 /* TODO: add default profile to apparmorfs */
2373 /* Report that AppArmor fs is enabled */
2374 aa_info_message("AppArmor Filesystem Enabled");
2379 AA_ERROR("Error creating AppArmor securityfs\n");
2383 fs_initcall(aa_create_aafs);