1 // SPDX-License-Identifier: GPL-2.0-only
3 * AppArmor security module
5 * This file contains AppArmor LSM hooks.
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
11 #include <linux/lsm_hooks.h>
12 #include <linux/moduleparam.h>
14 #include <linux/mman.h>
15 #include <linux/mount.h>
16 #include <linux/namei.h>
17 #include <linux/ptrace.h>
18 #include <linux/ctype.h>
19 #include <linux/sysctl.h>
20 #include <linux/audit.h>
21 #include <linux/user_namespace.h>
22 #include <linux/netfilter_ipv4.h>
23 #include <linux/netfilter_ipv6.h>
24 #include <linux/zlib.h>
26 #include <uapi/linux/mount.h>
28 #include "include/apparmor.h"
29 #include "include/apparmorfs.h"
30 #include "include/audit.h"
31 #include "include/capability.h"
32 #include "include/cred.h"
33 #include "include/file.h"
34 #include "include/ipc.h"
35 #include "include/net.h"
36 #include "include/path.h"
37 #include "include/label.h"
38 #include "include/policy.h"
39 #include "include/policy_ns.h"
40 #include "include/procattr.h"
41 #include "include/mount.h"
42 #include "include/secid.h"
44 /* Flag indicating whether initialization completed */
45 int apparmor_initialized;
48 struct list_head list;
52 #define RESERVE_COUNT 2
53 static int reserve_count = RESERVE_COUNT;
54 static int buffer_count;
56 static LIST_HEAD(aa_global_buffers);
57 static DEFINE_SPINLOCK(aa_buffers_lock);
64 * put the associated labels
66 static void apparmor_cred_free(struct cred *cred)
68 aa_put_label(cred_label(cred));
69 set_cred_label(cred, NULL);
73 * allocate the apparmor part of blank credentials
75 static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
77 set_cred_label(cred, NULL);
82 * prepare new cred label for modification by prepare_cred block
84 static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
87 set_cred_label(new, aa_get_newest_label(cred_label(old)));
92 * transfer the apparmor data to a blank set of creds
94 static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
96 set_cred_label(new, aa_get_newest_label(cred_label(old)));
99 static void apparmor_task_free(struct task_struct *task)
102 aa_free_task_ctx(task_ctx(task));
105 static int apparmor_task_alloc(struct task_struct *task,
106 unsigned long clone_flags)
108 struct aa_task_ctx *new = task_ctx(task);
110 aa_dup_task_ctx(new, task_ctx(current));
115 static int apparmor_ptrace_access_check(struct task_struct *child,
118 struct aa_label *tracer, *tracee;
121 tracer = __begin_current_label_crit_section();
122 tracee = aa_get_task_label(child);
123 error = aa_may_ptrace(tracer, tracee,
124 (mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
126 aa_put_label(tracee);
127 __end_current_label_crit_section(tracer);
132 static int apparmor_ptrace_traceme(struct task_struct *parent)
134 struct aa_label *tracer, *tracee;
137 tracee = __begin_current_label_crit_section();
138 tracer = aa_get_task_label(parent);
139 error = aa_may_ptrace(tracer, tracee, AA_PTRACE_TRACE);
140 aa_put_label(tracer);
141 __end_current_label_crit_section(tracee);
146 /* Derived from security/commoncap.c:cap_capget */
147 static int apparmor_capget(struct task_struct *target, kernel_cap_t *effective,
148 kernel_cap_t *inheritable, kernel_cap_t *permitted)
150 struct aa_label *label;
151 const struct cred *cred;
154 cred = __task_cred(target);
155 label = aa_get_newest_cred_label(cred);
158 * cap_capget is stacked ahead of this and will
159 * initialize effective and permitted.
161 if (!unconfined(label)) {
162 struct aa_profile *profile;
165 label_for_each_confined(i, label, profile) {
166 if (COMPLAIN_MODE(profile))
168 *effective = cap_intersect(*effective,
169 profile->caps.allow);
170 *permitted = cap_intersect(*permitted,
171 profile->caps.allow);
180 static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
181 int cap, unsigned int opts)
183 struct aa_label *label;
186 label = aa_get_newest_cred_label(cred);
187 if (!unconfined(label))
188 error = aa_capable(label, cap, opts);
195 * common_perm - basic common permission check wrapper fn for paths
196 * @op: operation being checked
197 * @path: path to check permission of (NOT NULL)
198 * @mask: requested permissions mask
199 * @cond: conditional info for the permission request (NOT NULL)
201 * Returns: %0 else error code if error or permission denied
203 static int common_perm(const char *op, const struct path *path, u32 mask,
204 struct path_cond *cond)
206 struct aa_label *label;
209 label = __begin_current_label_crit_section();
210 if (!unconfined(label))
211 error = aa_path_perm(op, label, path, 0, mask, cond);
212 __end_current_label_crit_section(label);
218 * common_perm_cond - common permission wrapper around inode cond
219 * @op: operation being checked
220 * @path: location to check (NOT NULL)
221 * @mask: requested permissions mask
223 * Returns: %0 else error code if error or permission denied
225 static int common_perm_cond(const char *op, const struct path *path, u32 mask)
227 struct user_namespace *mnt_userns = mnt_user_ns(path->mnt);
228 struct path_cond cond = {
229 i_uid_into_mnt(mnt_userns, d_backing_inode(path->dentry)),
230 d_backing_inode(path->dentry)->i_mode
233 if (!path_mediated_fs(path->dentry))
236 return common_perm(op, path, mask, &cond);
240 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
241 * @op: operation being checked
242 * @dir: directory of the dentry (NOT NULL)
243 * @dentry: dentry to check (NOT NULL)
244 * @mask: requested permissions mask
245 * @cond: conditional info for the permission request (NOT NULL)
247 * Returns: %0 else error code if error or permission denied
249 static int common_perm_dir_dentry(const char *op, const struct path *dir,
250 struct dentry *dentry, u32 mask,
251 struct path_cond *cond)
253 struct path path = { .mnt = dir->mnt, .dentry = dentry };
255 return common_perm(op, &path, mask, cond);
259 * common_perm_rm - common permission wrapper for operations doing rm
260 * @op: operation being checked
261 * @dir: directory that the dentry is in (NOT NULL)
262 * @dentry: dentry being rm'd (NOT NULL)
263 * @mask: requested permission mask
265 * Returns: %0 else error code if error or permission denied
267 static int common_perm_rm(const char *op, const struct path *dir,
268 struct dentry *dentry, u32 mask)
270 struct inode *inode = d_backing_inode(dentry);
271 struct user_namespace *mnt_userns = mnt_user_ns(dir->mnt);
272 struct path_cond cond = { };
274 if (!inode || !path_mediated_fs(dentry))
277 cond.uid = i_uid_into_mnt(mnt_userns, inode);
278 cond.mode = inode->i_mode;
280 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
284 * common_perm_create - common permission wrapper for operations doing create
285 * @op: operation being checked
286 * @dir: directory that dentry will be created in (NOT NULL)
287 * @dentry: dentry to create (NOT NULL)
288 * @mask: request permission mask
289 * @mode: created file mode
291 * Returns: %0 else error code if error or permission denied
293 static int common_perm_create(const char *op, const struct path *dir,
294 struct dentry *dentry, u32 mask, umode_t mode)
296 struct path_cond cond = { current_fsuid(), mode };
298 if (!path_mediated_fs(dir->dentry))
301 return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
304 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
306 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
309 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
312 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
316 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
318 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
321 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
322 umode_t mode, unsigned int dev)
324 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
327 static int apparmor_path_truncate(const struct path *path)
329 return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
332 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
333 const char *old_name)
335 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
339 static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
340 struct dentry *new_dentry)
342 struct aa_label *label;
345 if (!path_mediated_fs(old_dentry))
348 label = begin_current_label_crit_section();
349 if (!unconfined(label))
350 error = aa_path_link(label, old_dentry, new_dir, new_dentry);
351 end_current_label_crit_section(label);
356 static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
357 const struct path *new_dir, struct dentry *new_dentry)
359 struct aa_label *label;
362 if (!path_mediated_fs(old_dentry))
365 label = begin_current_label_crit_section();
366 if (!unconfined(label)) {
367 struct user_namespace *mnt_userns = mnt_user_ns(old_dir->mnt);
368 struct path old_path = { .mnt = old_dir->mnt,
369 .dentry = old_dentry };
370 struct path new_path = { .mnt = new_dir->mnt,
371 .dentry = new_dentry };
372 struct path_cond cond = {
373 i_uid_into_mnt(mnt_userns, d_backing_inode(old_dentry)),
374 d_backing_inode(old_dentry)->i_mode
377 error = aa_path_perm(OP_RENAME_SRC, label, &old_path, 0,
378 MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
379 AA_MAY_SETATTR | AA_MAY_DELETE,
382 error = aa_path_perm(OP_RENAME_DEST, label, &new_path,
383 0, MAY_WRITE | AA_MAY_SETATTR |
384 AA_MAY_CREATE, &cond);
387 end_current_label_crit_section(label);
392 static int apparmor_path_chmod(const struct path *path, umode_t mode)
394 return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
397 static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
399 return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
402 static int apparmor_inode_getattr(const struct path *path)
404 return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
407 static int apparmor_file_open(struct file *file)
409 struct aa_file_ctx *fctx = file_ctx(file);
410 struct aa_label *label;
413 if (!path_mediated_fs(file->f_path.dentry))
416 /* If in exec, permission is handled by bprm hooks.
417 * Cache permissions granted by the previous exec check, with
418 * implicit read and executable mmap which are required to
419 * actually execute the image.
421 if (current->in_execve) {
422 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
426 label = aa_get_newest_cred_label(file->f_cred);
427 if (!unconfined(label)) {
428 struct user_namespace *mnt_userns = file_mnt_user_ns(file);
429 struct inode *inode = file_inode(file);
430 struct path_cond cond = {
431 i_uid_into_mnt(mnt_userns, inode),
435 error = aa_path_perm(OP_OPEN, label, &file->f_path, 0,
436 aa_map_file_to_perms(file), &cond);
437 /* todo cache full allowed permissions set and state */
438 fctx->allow = aa_map_file_to_perms(file);
445 static int apparmor_file_alloc_security(struct file *file)
447 struct aa_file_ctx *ctx = file_ctx(file);
448 struct aa_label *label = begin_current_label_crit_section();
450 spin_lock_init(&ctx->lock);
451 rcu_assign_pointer(ctx->label, aa_get_label(label));
452 end_current_label_crit_section(label);
456 static void apparmor_file_free_security(struct file *file)
458 struct aa_file_ctx *ctx = file_ctx(file);
461 aa_put_label(rcu_access_pointer(ctx->label));
464 static int common_file_perm(const char *op, struct file *file, u32 mask,
467 struct aa_label *label;
470 /* don't reaudit files closed during inheritance */
471 if (file->f_path.dentry == aa_null.dentry)
474 label = __begin_current_label_crit_section();
475 error = aa_file_perm(op, label, file, mask, in_atomic);
476 __end_current_label_crit_section(label);
481 static int apparmor_file_receive(struct file *file)
483 return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file),
487 static int apparmor_file_permission(struct file *file, int mask)
489 return common_file_perm(OP_FPERM, file, mask, false);
492 static int apparmor_file_lock(struct file *file, unsigned int cmd)
494 u32 mask = AA_MAY_LOCK;
499 return common_file_perm(OP_FLOCK, file, mask, false);
502 static int common_mmap(const char *op, struct file *file, unsigned long prot,
503 unsigned long flags, bool in_atomic)
507 if (!file || !file_ctx(file))
510 if (prot & PROT_READ)
513 * Private mappings don't require write perms since they don't
514 * write back to the files
516 if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
518 if (prot & PROT_EXEC)
519 mask |= AA_EXEC_MMAP;
521 return common_file_perm(op, file, mask, in_atomic);
524 static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
525 unsigned long prot, unsigned long flags)
527 return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC);
530 static int apparmor_file_mprotect(struct vm_area_struct *vma,
531 unsigned long reqprot, unsigned long prot)
533 return common_mmap(OP_FMPROT, vma->vm_file, prot,
534 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0,
538 static int apparmor_sb_mount(const char *dev_name, const struct path *path,
539 const char *type, unsigned long flags, void *data)
541 struct aa_label *label;
545 if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
546 flags &= ~MS_MGC_MSK;
548 flags &= ~AA_MS_IGNORE_MASK;
550 label = __begin_current_label_crit_section();
551 if (!unconfined(label)) {
552 if (flags & MS_REMOUNT)
553 error = aa_remount(label, path, flags, data);
554 else if (flags & MS_BIND)
555 error = aa_bind_mount(label, path, dev_name, flags);
556 else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
558 error = aa_mount_change_type(label, path, flags);
559 else if (flags & MS_MOVE)
560 error = aa_move_mount(label, path, dev_name);
562 error = aa_new_mount(label, dev_name, path, type,
565 __end_current_label_crit_section(label);
570 static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
572 struct aa_label *label;
575 label = __begin_current_label_crit_section();
576 if (!unconfined(label))
577 error = aa_umount(label, mnt, flags);
578 __end_current_label_crit_section(label);
583 static int apparmor_sb_pivotroot(const struct path *old_path,
584 const struct path *new_path)
586 struct aa_label *label;
589 label = aa_get_current_label();
590 if (!unconfined(label))
591 error = aa_pivotroot(label, old_path, new_path);
597 static int apparmor_getprocattr(struct task_struct *task, char *name,
602 const struct cred *cred = get_task_cred(task);
603 struct aa_task_ctx *ctx = task_ctx(current);
604 struct aa_label *label = NULL;
606 if (strcmp(name, "current") == 0)
607 label = aa_get_newest_label(cred_label(cred));
608 else if (strcmp(name, "prev") == 0 && ctx->previous)
609 label = aa_get_newest_label(ctx->previous);
610 else if (strcmp(name, "exec") == 0 && ctx->onexec)
611 label = aa_get_newest_label(ctx->onexec);
616 error = aa_getprocattr(label, value);
624 static int apparmor_setprocattr(const char *name, void *value,
627 char *command, *largs = NULL, *args = value;
630 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
635 /* AppArmor requires that the buffer must be null terminated atm */
636 if (args[size - 1] != '\0') {
638 largs = args = kmalloc(size + 1, GFP_KERNEL);
641 memcpy(args, value, size);
647 command = strsep(&args, " ");
650 args = skip_spaces(args);
654 arg_size = size - (args - (largs ? largs : (char *) value));
655 if (strcmp(name, "current") == 0) {
656 if (strcmp(command, "changehat") == 0) {
657 error = aa_setprocattr_changehat(args, arg_size,
659 } else if (strcmp(command, "permhat") == 0) {
660 error = aa_setprocattr_changehat(args, arg_size,
662 } else if (strcmp(command, "changeprofile") == 0) {
663 error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
664 } else if (strcmp(command, "permprofile") == 0) {
665 error = aa_change_profile(args, AA_CHANGE_TEST);
666 } else if (strcmp(command, "stack") == 0) {
667 error = aa_change_profile(args, AA_CHANGE_STACK);
670 } else if (strcmp(name, "exec") == 0) {
671 if (strcmp(command, "exec") == 0)
672 error = aa_change_profile(args, AA_CHANGE_ONEXEC);
673 else if (strcmp(command, "stack") == 0)
674 error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
679 /* only support the "current" and "exec" process attributes */
689 aad(&sa)->label = begin_current_label_crit_section();
690 aad(&sa)->info = name;
691 aad(&sa)->error = error = -EINVAL;
692 aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
693 end_current_label_crit_section(aad(&sa)->label);
698 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
699 * @bprm: binprm for the exec (NOT NULL)
701 static void apparmor_bprm_committing_creds(struct linux_binprm *bprm)
703 struct aa_label *label = aa_current_raw_label();
704 struct aa_label *new_label = cred_label(bprm->cred);
706 /* bail out if unconfined or not changing profile */
707 if ((new_label->proxy == label->proxy) ||
708 (unconfined(new_label)))
711 aa_inherit_files(bprm->cred, current->files);
713 current->pdeath_signal = 0;
715 /* reset soft limits and set hard limits for the new label */
716 __aa_transition_rlimits(label, new_label);
720 * apparmor_bprm_committed_cred - do cleanup after new creds committed
721 * @bprm: binprm for the exec (NOT NULL)
723 static void apparmor_bprm_committed_creds(struct linux_binprm *bprm)
725 /* clear out temporary/transitional state from the context */
726 aa_clear_task_ctx_trans(task_ctx(current));
731 static void apparmor_task_getsecid(struct task_struct *p, u32 *secid)
733 struct aa_label *label = aa_get_task_label(p);
734 *secid = label->secid;
738 static int apparmor_task_setrlimit(struct task_struct *task,
739 unsigned int resource, struct rlimit *new_rlim)
741 struct aa_label *label = __begin_current_label_crit_section();
744 if (!unconfined(label))
745 error = aa_task_setrlimit(label, task, resource, new_rlim);
746 __end_current_label_crit_section(label);
751 static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
752 int sig, const struct cred *cred)
754 struct aa_label *cl, *tl;
759 * Dealing with USB IO specific behavior
761 cl = aa_get_newest_cred_label(cred);
762 tl = aa_get_task_label(target);
763 error = aa_may_signal(cl, tl, sig);
769 cl = __begin_current_label_crit_section();
770 tl = aa_get_task_label(target);
771 error = aa_may_signal(cl, tl, sig);
773 __end_current_label_crit_section(cl);
779 * apparmor_sk_alloc_security - allocate and attach the sk_security field
781 static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
783 struct aa_sk_ctx *ctx;
785 ctx = kzalloc(sizeof(*ctx), flags);
795 * apparmor_sk_free_security - free the sk_security field
797 static void apparmor_sk_free_security(struct sock *sk)
799 struct aa_sk_ctx *ctx = SK_CTX(sk);
802 aa_put_label(ctx->label);
803 aa_put_label(ctx->peer);
808 * apparmor_clone_security - clone the sk_security field
810 static void apparmor_sk_clone_security(const struct sock *sk,
813 struct aa_sk_ctx *ctx = SK_CTX(sk);
814 struct aa_sk_ctx *new = SK_CTX(newsk);
817 aa_put_label(new->label);
818 new->label = aa_get_label(ctx->label);
821 aa_put_label(new->peer);
822 new->peer = aa_get_label(ctx->peer);
826 * apparmor_socket_create - check perms before creating a new socket
828 static int apparmor_socket_create(int family, int type, int protocol, int kern)
830 struct aa_label *label;
833 AA_BUG(in_interrupt());
835 label = begin_current_label_crit_section();
836 if (!(kern || unconfined(label)))
837 error = af_select(family,
838 create_perm(label, family, type, protocol),
839 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE,
840 family, type, protocol));
841 end_current_label_crit_section(label);
847 * apparmor_socket_post_create - setup the per-socket security struct
850 * - kernel sockets currently labeled unconfined but we may want to
851 * move to a special kernel label
852 * - socket may not have sk here if created with sock_create_lite or
853 * sock_alloc. These should be accept cases which will be handled in
856 static int apparmor_socket_post_create(struct socket *sock, int family,
857 int type, int protocol, int kern)
859 struct aa_label *label;
862 struct aa_ns *ns = aa_get_current_ns();
864 label = aa_get_label(ns_unconfined(ns));
867 label = aa_get_current_label();
870 struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
872 aa_put_label(ctx->label);
873 ctx->label = aa_get_label(label);
881 * apparmor_socket_bind - check perms before bind addr to socket
883 static int apparmor_socket_bind(struct socket *sock,
884 struct sockaddr *address, int addrlen)
889 AA_BUG(in_interrupt());
891 return af_select(sock->sk->sk_family,
892 bind_perm(sock, address, addrlen),
893 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
897 * apparmor_socket_connect - check perms before connecting @sock to @address
899 static int apparmor_socket_connect(struct socket *sock,
900 struct sockaddr *address, int addrlen)
905 AA_BUG(in_interrupt());
907 return af_select(sock->sk->sk_family,
908 connect_perm(sock, address, addrlen),
909 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
913 * apparmor_socket_list - check perms before allowing listen
915 static int apparmor_socket_listen(struct socket *sock, int backlog)
919 AA_BUG(in_interrupt());
921 return af_select(sock->sk->sk_family,
922 listen_perm(sock, backlog),
923 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
927 * apparmor_socket_accept - check perms before accepting a new connection.
929 * Note: while @newsock is created and has some information, the accept
932 static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
937 AA_BUG(in_interrupt());
939 return af_select(sock->sk->sk_family,
940 accept_perm(sock, newsock),
941 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
944 static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
945 struct msghdr *msg, int size)
950 AA_BUG(in_interrupt());
952 return af_select(sock->sk->sk_family,
953 msg_perm(op, request, sock, msg, size),
954 aa_sk_perm(op, request, sock->sk));
958 * apparmor_socket_sendmsg - check perms before sending msg to another socket
960 static int apparmor_socket_sendmsg(struct socket *sock,
961 struct msghdr *msg, int size)
963 return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
967 * apparmor_socket_recvmsg - check perms before receiving a message
969 static int apparmor_socket_recvmsg(struct socket *sock,
970 struct msghdr *msg, int size, int flags)
972 return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
975 /* revaliation, get/set attr, shutdown */
976 static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
980 AA_BUG(in_interrupt());
982 return af_select(sock->sk->sk_family,
983 sock_perm(op, request, sock),
984 aa_sk_perm(op, request, sock->sk));
988 * apparmor_socket_getsockname - check perms before getting the local address
990 static int apparmor_socket_getsockname(struct socket *sock)
992 return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
996 * apparmor_socket_getpeername - check perms before getting remote address
998 static int apparmor_socket_getpeername(struct socket *sock)
1000 return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
1003 /* revaliation, get/set attr, opt */
1004 static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
1005 int level, int optname)
1009 AA_BUG(in_interrupt());
1011 return af_select(sock->sk->sk_family,
1012 opt_perm(op, request, sock, level, optname),
1013 aa_sk_perm(op, request, sock->sk));
1017 * apparmor_getsockopt - check perms before getting socket options
1019 static int apparmor_socket_getsockopt(struct socket *sock, int level,
1022 return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
1027 * apparmor_setsockopt - check perms before setting socket options
1029 static int apparmor_socket_setsockopt(struct socket *sock, int level,
1032 return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
1037 * apparmor_socket_shutdown - check perms before shutting down @sock conn
1039 static int apparmor_socket_shutdown(struct socket *sock, int how)
1041 return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
1044 #ifdef CONFIG_NETWORK_SECMARK
1046 * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
1048 * Note: can not sleep may be called with locks held
1050 * dont want protocol specific in __skb_recv_datagram()
1051 * to deny an incoming connection socket_sock_rcv_skb()
1053 static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
1055 struct aa_sk_ctx *ctx = SK_CTX(sk);
1060 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE,
1066 static struct aa_label *sk_peer_label(struct sock *sk)
1068 struct aa_sk_ctx *ctx = SK_CTX(sk);
1073 return ERR_PTR(-ENOPROTOOPT);
1077 * apparmor_socket_getpeersec_stream - get security context of peer
1079 * Note: for tcp only valid if using ipsec or cipso on lan
1081 static int apparmor_socket_getpeersec_stream(struct socket *sock,
1082 char __user *optval,
1087 int slen, error = 0;
1088 struct aa_label *label;
1089 struct aa_label *peer;
1091 label = begin_current_label_crit_section();
1092 peer = sk_peer_label(sock->sk);
1094 error = PTR_ERR(peer);
1097 slen = aa_label_asxprint(&name, labels_ns(label), peer,
1098 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
1099 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
1100 /* don't include terminating \0 in slen, it breaks some apps */
1106 } else if (copy_to_user(optval, name, slen)) {
1110 if (put_user(slen, optlen))
1118 end_current_label_crit_section(label);
1124 * apparmor_socket_getpeersec_dgram - get security label of packet
1125 * @sock: the peer socket
1127 * @secid: pointer to where to put the secid of the packet
1129 * Sets the netlabel socket state on sk from parent
1131 static int apparmor_socket_getpeersec_dgram(struct socket *sock,
1132 struct sk_buff *skb, u32 *secid)
1135 /* TODO: requires secid support */
1136 return -ENOPROTOOPT;
1140 * apparmor_sock_graft - Initialize newly created socket
1142 * @parent: parent socket
1144 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1145 * just set sk security information off of current creating process label
1146 * Labeling of sk for accept case - probably should be sock based
1147 * instead of task, because of the case where an implicitly labeled
1148 * socket is shared by different tasks.
1150 static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
1152 struct aa_sk_ctx *ctx = SK_CTX(sk);
1155 ctx->label = aa_get_current_label();
1158 #ifdef CONFIG_NETWORK_SECMARK
1159 static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
1160 struct request_sock *req)
1162 struct aa_sk_ctx *ctx = SK_CTX(sk);
1167 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT,
1173 * The cred blob is a pointer to, not an instance of, an aa_task_ctx.
1175 struct lsm_blob_sizes apparmor_blob_sizes __lsm_ro_after_init = {
1176 .lbs_cred = sizeof(struct aa_task_ctx *),
1177 .lbs_file = sizeof(struct aa_file_ctx),
1178 .lbs_task = sizeof(struct aa_task_ctx),
1181 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
1182 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
1183 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
1184 LSM_HOOK_INIT(capget, apparmor_capget),
1185 LSM_HOOK_INIT(capable, apparmor_capable),
1187 LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
1188 LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
1189 LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
1191 LSM_HOOK_INIT(path_link, apparmor_path_link),
1192 LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
1193 LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
1194 LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
1195 LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
1196 LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
1197 LSM_HOOK_INIT(path_rename, apparmor_path_rename),
1198 LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
1199 LSM_HOOK_INIT(path_chown, apparmor_path_chown),
1200 LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
1201 LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
1203 LSM_HOOK_INIT(file_open, apparmor_file_open),
1204 LSM_HOOK_INIT(file_receive, apparmor_file_receive),
1205 LSM_HOOK_INIT(file_permission, apparmor_file_permission),
1206 LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
1207 LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
1208 LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
1209 LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
1210 LSM_HOOK_INIT(file_lock, apparmor_file_lock),
1212 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
1213 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
1215 LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
1216 LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
1217 LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
1219 LSM_HOOK_INIT(socket_create, apparmor_socket_create),
1220 LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
1221 LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
1222 LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
1223 LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
1224 LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
1225 LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
1226 LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
1227 LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
1228 LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
1229 LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
1230 LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
1231 LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
1232 #ifdef CONFIG_NETWORK_SECMARK
1233 LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
1235 LSM_HOOK_INIT(socket_getpeersec_stream,
1236 apparmor_socket_getpeersec_stream),
1237 LSM_HOOK_INIT(socket_getpeersec_dgram,
1238 apparmor_socket_getpeersec_dgram),
1239 LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
1240 #ifdef CONFIG_NETWORK_SECMARK
1241 LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
1244 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
1245 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
1246 LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
1247 LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
1249 LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec),
1250 LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
1251 LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
1253 LSM_HOOK_INIT(task_free, apparmor_task_free),
1254 LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
1255 LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid),
1256 LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
1257 LSM_HOOK_INIT(task_kill, apparmor_task_kill),
1260 LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
1261 LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
1262 LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
1263 LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
1266 LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
1267 LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
1268 LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
1272 * AppArmor sysfs module parameters
1275 static int param_set_aabool(const char *val, const struct kernel_param *kp);
1276 static int param_get_aabool(char *buffer, const struct kernel_param *kp);
1277 #define param_check_aabool param_check_bool
1278 static const struct kernel_param_ops param_ops_aabool = {
1279 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1280 .set = param_set_aabool,
1281 .get = param_get_aabool
1284 static int param_set_aauint(const char *val, const struct kernel_param *kp);
1285 static int param_get_aauint(char *buffer, const struct kernel_param *kp);
1286 #define param_check_aauint param_check_uint
1287 static const struct kernel_param_ops param_ops_aauint = {
1288 .set = param_set_aauint,
1289 .get = param_get_aauint
1292 static int param_set_aacompressionlevel(const char *val,
1293 const struct kernel_param *kp);
1294 static int param_get_aacompressionlevel(char *buffer,
1295 const struct kernel_param *kp);
1296 #define param_check_aacompressionlevel param_check_int
1297 static const struct kernel_param_ops param_ops_aacompressionlevel = {
1298 .set = param_set_aacompressionlevel,
1299 .get = param_get_aacompressionlevel
1302 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
1303 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
1304 #define param_check_aalockpolicy param_check_bool
1305 static const struct kernel_param_ops param_ops_aalockpolicy = {
1306 .flags = KERNEL_PARAM_OPS_FL_NOARG,
1307 .set = param_set_aalockpolicy,
1308 .get = param_get_aalockpolicy
1311 static int param_set_audit(const char *val, const struct kernel_param *kp);
1312 static int param_get_audit(char *buffer, const struct kernel_param *kp);
1314 static int param_set_mode(const char *val, const struct kernel_param *kp);
1315 static int param_get_mode(char *buffer, const struct kernel_param *kp);
1317 /* Flag values, also controllable via /sys/module/apparmor/parameters
1318 * We define special types as we want to do additional mediation.
1321 /* AppArmor global enforcement switch - complain, enforce, kill */
1322 enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
1323 module_param_call(mode, param_set_mode, param_get_mode,
1324 &aa_g_profile_mode, S_IRUSR | S_IWUSR);
1326 /* whether policy verification hashing is enabled */
1327 bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
1328 #ifdef CONFIG_SECURITY_APPARMOR_HASH
1329 module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
1332 /* policy loaddata compression level */
1333 int aa_g_rawdata_compression_level = Z_DEFAULT_COMPRESSION;
1334 module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
1335 aacompressionlevel, 0400);
1338 bool aa_g_debug = IS_ENABLED(CONFIG_SECURITY_APPARMOR_DEBUG_MESSAGES);
1339 module_param_named(debug, aa_g_debug, aabool, S_IRUSR | S_IWUSR);
1342 enum audit_mode aa_g_audit;
1343 module_param_call(audit, param_set_audit, param_get_audit,
1344 &aa_g_audit, S_IRUSR | S_IWUSR);
1346 /* Determines if audit header is included in audited messages. This
1347 * provides more context if the audit daemon is not running
1349 bool aa_g_audit_header = true;
1350 module_param_named(audit_header, aa_g_audit_header, aabool,
1353 /* lock out loading/removal of policy
1354 * TODO: add in at boot loading of policy, which is the only way to
1355 * load policy, if lock_policy is set
1357 bool aa_g_lock_policy;
1358 module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
1361 /* Syscall logging mode */
1362 bool aa_g_logsyscall;
1363 module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
1365 /* Maximum pathname length before accesses will start getting rejected */
1366 unsigned int aa_g_path_max = 2 * PATH_MAX;
1367 module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
1369 /* Determines how paranoid loading of policy is and how much verification
1370 * on the loaded policy is done.
1371 * DEPRECATED: read only as strict checking of load is always done now
1372 * that none root users (user namespaces) can load policy.
1374 bool aa_g_paranoid_load = true;
1375 module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
1377 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
1378 static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
1379 #define param_check_aaintbool param_check_int
1380 static const struct kernel_param_ops param_ops_aaintbool = {
1381 .set = param_set_aaintbool,
1382 .get = param_get_aaintbool
1384 /* Boot time disable flag */
1385 static int apparmor_enabled __lsm_ro_after_init = 1;
1386 module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
1388 static int __init apparmor_enabled_setup(char *str)
1390 unsigned long enabled;
1391 int error = kstrtoul(str, 0, &enabled);
1393 apparmor_enabled = enabled ? 1 : 0;
1397 __setup("apparmor=", apparmor_enabled_setup);
1399 /* set global flag turning off the ability to load policy */
1400 static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
1402 if (!apparmor_enabled)
1404 if (apparmor_initialized && !policy_admin_capable(NULL))
1406 return param_set_bool(val, kp);
1409 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
1411 if (!apparmor_enabled)
1413 if (apparmor_initialized && !policy_view_capable(NULL))
1415 return param_get_bool(buffer, kp);
1418 static int param_set_aabool(const char *val, const struct kernel_param *kp)
1420 if (!apparmor_enabled)
1422 if (apparmor_initialized && !policy_admin_capable(NULL))
1424 return param_set_bool(val, kp);
1427 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
1429 if (!apparmor_enabled)
1431 if (apparmor_initialized && !policy_view_capable(NULL))
1433 return param_get_bool(buffer, kp);
1436 static int param_set_aauint(const char *val, const struct kernel_param *kp)
1440 if (!apparmor_enabled)
1442 /* file is ro but enforce 2nd line check */
1443 if (apparmor_initialized)
1446 error = param_set_uint(val, kp);
1447 aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
1448 pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
1453 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
1455 if (!apparmor_enabled)
1457 if (apparmor_initialized && !policy_view_capable(NULL))
1459 return param_get_uint(buffer, kp);
1462 /* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1463 static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
1465 struct kernel_param kp_local;
1469 if (apparmor_initialized)
1472 /* Create local copy, with arg pointing to bool type. */
1473 value = !!*((int *)kp->arg);
1474 memcpy(&kp_local, kp, sizeof(kp_local));
1475 kp_local.arg = &value;
1477 error = param_set_bool(val, &kp_local);
1479 *((int *)kp->arg) = *((bool *)kp_local.arg);
1484 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
1485 * 1/0, this converts the "int that is actually bool" back to bool for
1486 * display in the /sys filesystem, while keeping it "int" for the LSM
1489 static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
1491 struct kernel_param kp_local;
1494 /* Create local copy, with arg pointing to bool type. */
1495 value = !!*((int *)kp->arg);
1496 memcpy(&kp_local, kp, sizeof(kp_local));
1497 kp_local.arg = &value;
1499 return param_get_bool(buffer, &kp_local);
1502 static int param_set_aacompressionlevel(const char *val,
1503 const struct kernel_param *kp)
1507 if (!apparmor_enabled)
1509 if (apparmor_initialized)
1512 error = param_set_int(val, kp);
1514 aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level,
1516 Z_BEST_COMPRESSION);
1517 pr_info("AppArmor: policy rawdata compression level set to %u\n",
1518 aa_g_rawdata_compression_level);
1523 static int param_get_aacompressionlevel(char *buffer,
1524 const struct kernel_param *kp)
1526 if (!apparmor_enabled)
1528 if (apparmor_initialized && !policy_view_capable(NULL))
1530 return param_get_int(buffer, kp);
1533 static int param_get_audit(char *buffer, const struct kernel_param *kp)
1535 if (!apparmor_enabled)
1537 if (apparmor_initialized && !policy_view_capable(NULL))
1539 return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
1542 static int param_set_audit(const char *val, const struct kernel_param *kp)
1546 if (!apparmor_enabled)
1550 if (apparmor_initialized && !policy_admin_capable(NULL))
1553 i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
1561 static int param_get_mode(char *buffer, const struct kernel_param *kp)
1563 if (!apparmor_enabled)
1565 if (apparmor_initialized && !policy_view_capable(NULL))
1568 return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
1571 static int param_set_mode(const char *val, const struct kernel_param *kp)
1575 if (!apparmor_enabled)
1579 if (apparmor_initialized && !policy_admin_capable(NULL))
1582 i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
1587 aa_g_profile_mode = i;
1591 char *aa_get_buffer(bool in_atomic)
1593 union aa_buffer *aa_buf;
1594 bool try_again = true;
1595 gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1598 spin_lock(&aa_buffers_lock);
1599 if (buffer_count > reserve_count ||
1600 (in_atomic && !list_empty(&aa_global_buffers))) {
1601 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1603 list_del(&aa_buf->list);
1605 spin_unlock(&aa_buffers_lock);
1606 return &aa_buf->buffer[0];
1610 * out of reserve buffers and in atomic context so increase
1611 * how many buffers to keep in reserve
1616 spin_unlock(&aa_buffers_lock);
1620 aa_buf = kmalloc(aa_g_path_max, flags);
1626 pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
1629 return &aa_buf->buffer[0];
1632 void aa_put_buffer(char *buf)
1634 union aa_buffer *aa_buf;
1638 aa_buf = container_of(buf, union aa_buffer, buffer[0]);
1640 spin_lock(&aa_buffers_lock);
1641 list_add(&aa_buf->list, &aa_global_buffers);
1643 spin_unlock(&aa_buffers_lock);
1647 * AppArmor init functions
1651 * set_init_ctx - set a task context and profile on the first task.
1653 * TODO: allow setting an alternate profile than unconfined
1655 static int __init set_init_ctx(void)
1657 struct cred *cred = (__force struct cred *)current->real_cred;
1659 set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
1664 static void destroy_buffers(void)
1666 union aa_buffer *aa_buf;
1668 spin_lock(&aa_buffers_lock);
1669 while (!list_empty(&aa_global_buffers)) {
1670 aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
1672 list_del(&aa_buf->list);
1673 spin_unlock(&aa_buffers_lock);
1675 spin_lock(&aa_buffers_lock);
1677 spin_unlock(&aa_buffers_lock);
1680 static int __init alloc_buffers(void)
1682 union aa_buffer *aa_buf;
1686 * A function may require two buffers at once. Usually the buffers are
1687 * used for a short period of time and are shared. On UP kernel buffers
1688 * two should be enough, with more CPUs it is possible that more
1689 * buffers will be used simultaneously. The preallocated pool may grow.
1690 * This preallocation has also the side-effect that AppArmor will be
1691 * disabled early at boot if aa_g_path_max is extremly high.
1693 if (num_online_cpus() > 1)
1694 num = 4 + RESERVE_COUNT;
1696 num = 2 + RESERVE_COUNT;
1698 for (i = 0; i < num; i++) {
1700 aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL |
1701 __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
1706 aa_put_buffer(&aa_buf->buffer[0]);
1711 #ifdef CONFIG_SYSCTL
1712 static int apparmor_dointvec(struct ctl_table *table, int write,
1713 void *buffer, size_t *lenp, loff_t *ppos)
1715 if (!policy_admin_capable(NULL))
1717 if (!apparmor_enabled)
1720 return proc_dointvec(table, write, buffer, lenp, ppos);
1723 static struct ctl_path apparmor_sysctl_path[] = {
1724 { .procname = "kernel", },
1728 static struct ctl_table apparmor_sysctl_table[] = {
1730 .procname = "unprivileged_userns_apparmor_policy",
1731 .data = &unprivileged_userns_apparmor_policy,
1732 .maxlen = sizeof(int),
1734 .proc_handler = apparmor_dointvec,
1739 static int __init apparmor_init_sysctl(void)
1741 return register_sysctl_paths(apparmor_sysctl_path,
1742 apparmor_sysctl_table) ? 0 : -ENOMEM;
1745 static inline int apparmor_init_sysctl(void)
1749 #endif /* CONFIG_SYSCTL */
1751 #if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
1752 static unsigned int apparmor_ip_postroute(void *priv,
1753 struct sk_buff *skb,
1754 const struct nf_hook_state *state)
1756 struct aa_sk_ctx *ctx;
1762 sk = skb_to_full_sk(skb);
1767 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND,
1771 return NF_DROP_ERR(-ECONNREFUSED);
1775 static unsigned int apparmor_ipv4_postroute(void *priv,
1776 struct sk_buff *skb,
1777 const struct nf_hook_state *state)
1779 return apparmor_ip_postroute(priv, skb, state);
1782 #if IS_ENABLED(CONFIG_IPV6)
1783 static unsigned int apparmor_ipv6_postroute(void *priv,
1784 struct sk_buff *skb,
1785 const struct nf_hook_state *state)
1787 return apparmor_ip_postroute(priv, skb, state);
1791 static const struct nf_hook_ops apparmor_nf_ops[] = {
1793 .hook = apparmor_ipv4_postroute,
1795 .hooknum = NF_INET_POST_ROUTING,
1796 .priority = NF_IP_PRI_SELINUX_FIRST,
1798 #if IS_ENABLED(CONFIG_IPV6)
1800 .hook = apparmor_ipv6_postroute,
1802 .hooknum = NF_INET_POST_ROUTING,
1803 .priority = NF_IP6_PRI_SELINUX_FIRST,
1808 static int __net_init apparmor_nf_register(struct net *net)
1812 ret = nf_register_net_hooks(net, apparmor_nf_ops,
1813 ARRAY_SIZE(apparmor_nf_ops));
1817 static void __net_exit apparmor_nf_unregister(struct net *net)
1819 nf_unregister_net_hooks(net, apparmor_nf_ops,
1820 ARRAY_SIZE(apparmor_nf_ops));
1823 static struct pernet_operations apparmor_net_ops = {
1824 .init = apparmor_nf_register,
1825 .exit = apparmor_nf_unregister,
1828 static int __init apparmor_nf_ip_init(void)
1832 if (!apparmor_enabled)
1835 err = register_pernet_subsys(&apparmor_net_ops);
1837 panic("Apparmor: register_pernet_subsys: error %d\n", err);
1841 __initcall(apparmor_nf_ip_init);
1844 static int __init apparmor_init(void)
1850 error = aa_setup_dfa_engine();
1852 AA_ERROR("Unable to setup dfa engine\n");
1856 error = aa_alloc_root_ns();
1858 AA_ERROR("Unable to allocate default profile namespace\n");
1862 error = apparmor_init_sysctl();
1864 AA_ERROR("Unable to register sysctls\n");
1869 error = alloc_buffers();
1871 AA_ERROR("Unable to allocate work buffers\n");
1875 error = set_init_ctx();
1877 AA_ERROR("Failed to set context on init task\n");
1881 security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
1884 /* Report that AppArmor successfully initialized */
1885 apparmor_initialized = 1;
1886 if (aa_g_profile_mode == APPARMOR_COMPLAIN)
1887 aa_info_message("AppArmor initialized: complain mode enabled");
1888 else if (aa_g_profile_mode == APPARMOR_KILL)
1889 aa_info_message("AppArmor initialized: kill mode enabled");
1891 aa_info_message("AppArmor initialized");
1899 aa_teardown_dfa_engine();
1901 apparmor_enabled = false;
1905 DEFINE_LSM(apparmor) = {
1907 .flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
1908 .enabled = &apparmor_enabled,
1909 .blobs = &apparmor_blob_sizes,
1910 .init = apparmor_init,