1 /* SPDX-License-Identifier: GPL-2.0-only */
3 * AppArmor security module
5 * This file contains AppArmor policy definitions.
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
14 #include <linux/capability.h>
15 #include <linux/cred.h>
16 #include <linux/kref.h>
17 #include <linux/rhashtable.h>
18 #include <linux/sched.h>
19 #include <linux/slab.h>
20 #include <linux/socket.h>
24 #include "capability.h"
36 extern int unprivileged_userns_apparmor_policy;
38 extern const char *const aa_profile_mode_names[];
39 #define APPARMOR_MODE_NAMES_MAX_INDEX 4
41 #define PROFILE_MODE(_profile, _mode) \
42 ((aa_g_profile_mode == (_mode)) || \
43 ((_profile)->mode == (_mode)))
45 #define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN)
47 #define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER)
49 #define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL)
51 #define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT)
53 #define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1)
55 #define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2)
57 #define profile_is_stale(_profile) (label_is_stale(&(_profile)->label))
59 #define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2)
62 * FIXME: currently need a clean way to replace and remove profiles as a
63 * set. It should be done at the namespace level.
64 * Either, with a set of profiles loaded at the namespace level or via
65 * a mark and remove marked interface.
68 APPARMOR_ENFORCE, /* enforce access rules */
69 APPARMOR_COMPLAIN, /* allow and log access violations */
70 APPARMOR_KILL, /* kill task on access violation */
71 APPARMOR_UNCONFINED, /* profile set to unconfined */
72 APPARMOR_USER, /* modified complain mode to userspace */
76 /* struct aa_policydb - match engine for a policy
77 * dfa: dfa pattern match
78 * perms: table of permissions
79 * strs: table of strings, index by x
80 * start: set of start states for the different classes of data
85 struct aa_perms *perms;
88 struct aa_str_table trans;
89 aa_state_t start[AA_CLASS_LAST + 1];
92 static inline void aa_destroy_policydb(struct aa_policydb *policy)
94 aa_put_dfa(policy->dfa);
96 kvfree(policy->perms);
97 aa_free_str_table(&policy->trans);
101 static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy,
104 unsigned int index = ACCEPT_TABLE(policy->dfa)[state];
106 if (!(policy->perms))
107 return &default_perms;
109 return &(policy->perms[index]);
113 /* struct aa_data - generic data structure
114 * key: name for retrieving this data
115 * size: size of data in bytes
117 * head: reserved for rhashtable
123 struct rhash_head head;
126 /* struct aa_ruleset - data covering mediation rules
127 * @list: list the rule is on
128 * @size: the memory consumed by this ruleset
129 * @policy: general match rules governing policy
130 * @file: The set of rules governing basic file access and domain transitions
131 * @caps: capabilities for the profile
132 * @rlimits: rlimits for the profile
133 * @secmark_count: number of secmark entries
134 * @secmark: secmark label match info
137 struct list_head list;
141 /* TODO: merge policy and file */
142 struct aa_policydb policy;
143 struct aa_policydb file;
146 struct aa_rlimit rlimits;
149 struct aa_secmark *secmark;
152 /* struct aa_attachment - data and rules for a profiles attachment
154 * @xmatch_str: human readable attachment string
155 * @xmatch: optional extended matching for unconfined executables names
156 * @xmatch_len: xmatch prefix len, used to determine xmatch priority
157 * @xattr_count: number of xattrs in table
158 * @xattrs: table of xattrs
160 struct aa_attachment {
161 const char *xmatch_str;
162 struct aa_policydb xmatch;
163 unsigned int xmatch_len;
168 /* struct aa_profile - basic confinement data
169 * @base - base components of the profile (name, refcount, lists, lock ...)
170 * @label - label this profile is an extension of
171 * @parent: parent of profile
172 * @ns: namespace the profile is in
173 * @rename: optional profile name that this profile renamed
175 * @audit: the auditing mode of the profile
176 * @mode: the enforcement mode of the profile
177 * @path_flags: flags controlling path generation behavior
178 * @disconnected: what to prepend if attach_disconnected is specified
179 * @attach: attachment rules for the profile
180 * @rules: rules to be enforced
182 * @dents: dentries for the profiles file entries in apparmorfs
183 * @dirname: name of the profile dir in apparmorfs
184 * @data: hashtable for free-form policy aa_data
186 * The AppArmor profile contains the basic confinement data. Each profile
187 * has a name, and exists in a namespace. The @name and @exec_match are
188 * used to determine profile attachment against unconfined tasks. All other
189 * attachments are determined by profile X transition rules.
191 * Profiles have a hierarchy where hats and children profiles keep
192 * a reference to their parent.
194 * Profile names can not begin with a : and can not contain the \0
195 * character. If a profile name begins with / it will be considered when
196 * determining profile attachment on "unconfined" tasks.
199 struct aa_policy base;
200 struct aa_profile __rcu *parent;
205 enum audit_mode audit;
208 const char *disconnected;
210 struct aa_attachment attach;
211 struct list_head rules;
213 struct aa_loaddata *rawdata;
216 struct dentry *dents[AAFS_PROF_SIZEOF];
217 struct rhashtable *data;
218 struct aa_label label;
221 extern enum profile_mode aa_g_profile_mode;
223 #define AA_MAY_LOAD_POLICY AA_MAY_APPEND
224 #define AA_MAY_REPLACE_POLICY AA_MAY_WRITE
225 #define AA_MAY_REMOVE_POLICY AA_MAY_DELETE
227 #define profiles_ns(P) ((P)->ns)
228 #define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname)
230 void aa_add_profile(struct aa_policy *common, struct aa_profile *profile);
233 void aa_free_proxy_kref(struct kref *kref);
234 struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp);
235 struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy,
237 struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name,
239 struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat,
240 const char *base, gfp_t gfp);
241 void aa_free_profile(struct aa_profile *profile);
242 void aa_free_profile_kref(struct kref *kref);
243 struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name);
244 struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname,
246 struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name);
247 struct aa_profile *aa_fqlookupn_profile(struct aa_label *base,
248 const char *fqname, size_t n);
249 struct aa_profile *aa_match_profile(struct aa_ns *ns, const char *name);
251 ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label,
252 u32 mask, struct aa_loaddata *udata);
253 ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label,
254 char *name, size_t size);
255 void __aa_profile_list_release(struct list_head *head);
258 #define PROF_REPLACE 0
260 #define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED)
263 * aa_get_newest_profile - simple wrapper fn to wrap the label version
264 * @p: profile (NOT NULL)
266 * Returns refcount to newest version of the profile (maybe @p)
268 * Requires: @p must be held with a valid refcount
270 static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p)
272 return labels_profile(aa_get_newest_label(&p->label));
275 static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules,
278 if (class <= AA_CLASS_LAST)
279 return rules->policy.start[class];
281 return aa_dfa_match_len(rules->policy.dfa,
282 rules->policy.start[0], &class, 1);
285 static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF)
287 aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET);
288 __be16 be_af = cpu_to_be16(AF);
292 return aa_dfa_match_len(rules->policy.dfa, state, (char *) &be_af, 2);
295 static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head,
298 struct aa_ruleset *rule;
300 /* TODO: change to list walk */
301 rule = list_first_entry(head, typeof(*rule), list);
302 return RULE_MEDIATES(rule, class);
306 * aa_get_profile - increment refcount on profile @p
307 * @p: profile (MAYBE NULL)
309 * Returns: pointer to @p if @p is NULL will return NULL
310 * Requires: @p must be held with valid refcount when called
312 static inline struct aa_profile *aa_get_profile(struct aa_profile *p)
315 kref_get(&(p->label.count));
321 * aa_get_profile_not0 - increment refcount on profile @p found via lookup
322 * @p: profile (MAYBE NULL)
324 * Returns: pointer to @p if @p is NULL will return NULL
325 * Requires: @p must be held with valid refcount when called
327 static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p)
329 if (p && kref_get_unless_zero(&p->label.count))
336 * aa_get_profile_rcu - increment a refcount profile that can be replaced
337 * @p: pointer to profile that can be replaced (NOT NULL)
339 * Returns: pointer to a refcounted profile.
340 * else NULL if no profile
342 static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p)
344 struct aa_profile *c;
348 c = rcu_dereference(*p);
349 } while (c && !kref_get_unless_zero(&c->label.count));
356 * aa_put_profile - decrement refcount on profile @p
357 * @p: profile (MAYBE NULL)
359 static inline void aa_put_profile(struct aa_profile *p)
362 kref_put(&p->label.count, aa_label_kref);
365 static inline int AUDIT_MODE(struct aa_profile *profile)
367 if (aa_g_audit != AUDIT_NORMAL)
370 return profile->audit;
373 bool aa_policy_view_capable(struct aa_label *label, struct aa_ns *ns);
374 bool aa_policy_admin_capable(struct aa_label *label, struct aa_ns *ns);
375 int aa_may_manage_policy(struct aa_label *label, struct aa_ns *ns,
377 bool aa_current_policy_view_capable(struct aa_ns *ns);
378 bool aa_current_policy_admin_capable(struct aa_ns *ns);
380 #endif /* __AA_POLICY_H */