1 // SPDX-License-Identifier: GPL-2.0-only
3 * AppArmor security module
5 * This file contains AppArmor mediation of files
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2017 Canonical Ltd.
12 #include <linux/mount.h>
13 #include <linux/namei.h>
14 #include <uapi/linux/mount.h>
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/cred.h"
19 #include "include/domain.h"
20 #include "include/file.h"
21 #include "include/match.h"
22 #include "include/mount.h"
23 #include "include/path.h"
24 #include "include/policy.h"
27 static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
29 if (flags & MS_RDONLY)
30 audit_log_format(ab, "ro");
32 audit_log_format(ab, "rw");
33 if (flags & MS_NOSUID)
34 audit_log_format(ab, ", nosuid");
36 audit_log_format(ab, ", nodev");
37 if (flags & MS_NOEXEC)
38 audit_log_format(ab, ", noexec");
39 if (flags & MS_SYNCHRONOUS)
40 audit_log_format(ab, ", sync");
41 if (flags & MS_REMOUNT)
42 audit_log_format(ab, ", remount");
43 if (flags & MS_MANDLOCK)
44 audit_log_format(ab, ", mand");
45 if (flags & MS_DIRSYNC)
46 audit_log_format(ab, ", dirsync");
47 if (flags & MS_NOATIME)
48 audit_log_format(ab, ", noatime");
49 if (flags & MS_NODIRATIME)
50 audit_log_format(ab, ", nodiratime");
52 audit_log_format(ab, flags & MS_REC ? ", rbind" : ", bind");
54 audit_log_format(ab, ", move");
55 if (flags & MS_SILENT)
56 audit_log_format(ab, ", silent");
57 if (flags & MS_POSIXACL)
58 audit_log_format(ab, ", acl");
59 if (flags & MS_UNBINDABLE)
60 audit_log_format(ab, flags & MS_REC ? ", runbindable" :
62 if (flags & MS_PRIVATE)
63 audit_log_format(ab, flags & MS_REC ? ", rprivate" :
66 audit_log_format(ab, flags & MS_REC ? ", rslave" :
68 if (flags & MS_SHARED)
69 audit_log_format(ab, flags & MS_REC ? ", rshared" :
71 if (flags & MS_RELATIME)
72 audit_log_format(ab, ", relatime");
73 if (flags & MS_I_VERSION)
74 audit_log_format(ab, ", iversion");
75 if (flags & MS_STRICTATIME)
76 audit_log_format(ab, ", strictatime");
77 if (flags & MS_NOUSER)
78 audit_log_format(ab, ", nouser");
82 * audit_cb - call back for mount specific audit fields
83 * @ab: audit_buffer (NOT NULL)
84 * @va: audit struct to audit values of (NOT NULL)
86 static void audit_cb(struct audit_buffer *ab, void *va)
88 struct common_audit_data *sa = va;
90 if (aad(sa)->mnt.type) {
91 audit_log_format(ab, " fstype=");
92 audit_log_untrustedstring(ab, aad(sa)->mnt.type);
94 if (aad(sa)->mnt.src_name) {
95 audit_log_format(ab, " srcname=");
96 audit_log_untrustedstring(ab, aad(sa)->mnt.src_name);
98 if (aad(sa)->mnt.trans) {
99 audit_log_format(ab, " trans=");
100 audit_log_untrustedstring(ab, aad(sa)->mnt.trans);
102 if (aad(sa)->mnt.flags) {
103 audit_log_format(ab, " flags=\"");
104 audit_mnt_flags(ab, aad(sa)->mnt.flags);
105 audit_log_format(ab, "\"");
107 if (aad(sa)->mnt.data) {
108 audit_log_format(ab, " options=");
109 audit_log_untrustedstring(ab, aad(sa)->mnt.data);
114 * audit_mount - handle the auditing of mount operations
115 * @profile: the profile being enforced (NOT NULL)
116 * @op: operation being mediated (NOT NULL)
117 * @name: name of object being mediated (MAYBE NULL)
118 * @src_name: src_name of object being mediated (MAYBE_NULL)
119 * @type: type of filesystem (MAYBE_NULL)
120 * @trans: name of trans (MAYBE NULL)
121 * @flags: filesystem independent mount flags
122 * @data: filesystem mount flags
123 * @request: permissions requested
124 * @perms: the permissions computed for the request (NOT NULL)
125 * @info: extra information message (MAYBE NULL)
126 * @error: 0 if operation allowed else failure error code
128 * Returns: %0 or error on failure
130 static int audit_mount(struct aa_profile *profile, const char *op,
131 const char *name, const char *src_name,
132 const char *type, const char *trans,
133 unsigned long flags, const void *data, u32 request,
134 struct aa_perms *perms, const char *info, int error)
136 int audit_type = AUDIT_APPARMOR_AUTO;
137 DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
139 if (likely(!error)) {
140 u32 mask = perms->audit;
142 if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
145 /* mask off perms that are not being force audited */
148 if (likely(!request))
150 audit_type = AUDIT_APPARMOR_AUDIT;
152 /* only report permissions that were denied */
153 request = request & ~perms->allow;
155 if (request & perms->kill)
156 audit_type = AUDIT_APPARMOR_KILL;
158 /* quiet known rejects, assumes quiet and kill do not overlap */
159 if ((request & perms->quiet) &&
160 AUDIT_MODE(profile) != AUDIT_NOQUIET &&
161 AUDIT_MODE(profile) != AUDIT_ALL)
162 request &= ~perms->quiet;
168 aad(&sa)->name = name;
169 aad(&sa)->mnt.src_name = src_name;
170 aad(&sa)->mnt.type = type;
171 aad(&sa)->mnt.trans = trans;
172 aad(&sa)->mnt.flags = flags;
173 if (data && (perms->audit & AA_AUDIT_DATA))
174 aad(&sa)->mnt.data = data;
175 aad(&sa)->info = info;
176 aad(&sa)->error = error;
178 return aa_audit(audit_type, profile, &sa, audit_cb);
182 * match_mnt_flags - Do an ordered match on mount flags
183 * @dfa: dfa to match against
184 * @state: state to start in
185 * @flags: mount flags to match against
187 * Mount flags are encoded as an ordered match. This is done instead of
188 * checking against a simple bitmask, to allow for logical operations
191 * Returns: next state after flags match
193 static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
198 for (i = 0; i <= 31 ; ++i) {
199 if ((1 << i) & flags)
200 state = aa_dfa_next(dfa, state, i + 1);
206 static const char * const mnt_info_table[] = {
208 "failed mntpnt match",
209 "failed srcname match",
211 "failed flags match",
217 * Returns 0 on success else element that match failed in, this is the
218 * index into the mnt_info_table above
220 static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
221 const char *mntpnt, const char *devname,
222 const char *type, unsigned long flags,
223 void *data, bool binary, struct aa_perms *perms)
228 AA_BUG(!policy->dfa);
229 AA_BUG(!policy->perms);
232 state = aa_dfa_match(policy->dfa, start, mntpnt);
233 state = aa_dfa_null_transition(policy->dfa, state);
238 state = aa_dfa_match(policy->dfa, state, devname);
239 state = aa_dfa_null_transition(policy->dfa, state);
244 state = aa_dfa_match(policy->dfa, state, type);
245 state = aa_dfa_null_transition(policy->dfa, state);
249 state = match_mnt_flags(policy->dfa, state, flags);
252 *perms = *aa_lookup_perms(policy, state);
253 if (perms->allow & AA_MAY_MOUNT)
256 /* only match data if not binary and the DFA flags data is expected */
257 if (data && !binary && (perms->allow & AA_MNT_CONT_MATCH)) {
258 state = aa_dfa_null_transition(policy->dfa, state);
262 state = aa_dfa_match(policy->dfa, state, data);
265 *perms = *aa_lookup_perms(policy, state);
266 if (perms->allow & AA_MAY_MOUNT)
270 /* failed at perms check, don't confuse with flags match */
275 static int path_flags(struct aa_profile *profile, const struct path *path)
280 return profile->path_flags |
281 (S_ISDIR(path->dentry->d_inode->i_mode) ? PATH_IS_DIR : 0);
285 * match_mnt_path_str - handle path matching for mount
286 * @profile: the confining profile
287 * @mntpath: for the mntpnt (NOT NULL)
288 * @buffer: buffer to be used to lookup mntpath
289 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
290 * @type: string for the dev type (MAYBE NULL)
291 * @flags: mount flags to match
292 * @data: fs mount data (MAYBE NULL)
293 * @binary: whether @data is binary
294 * @devinfo: error str if (IS_ERR(@devname))
296 * Returns: 0 on success else error
298 static int match_mnt_path_str(struct aa_profile *profile,
299 const struct path *mntpath, char *buffer,
300 const char *devname, const char *type,
301 unsigned long flags, void *data, bool binary,
304 struct aa_perms perms = { };
305 const char *mntpnt = NULL, *info = NULL;
306 struct aa_ruleset *rules = list_first_entry(&profile->rules,
307 typeof(*rules), list);
314 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
317 error = aa_path_name(mntpath, path_flags(profile, mntpath), buffer,
318 &mntpnt, &info, profile->disconnected);
321 if (IS_ERR(devname)) {
322 error = PTR_ERR(devname);
329 pos = do_match_mnt(&rules->policy,
330 rules->policy.start[AA_CLASS_MOUNT],
331 mntpnt, devname, type, flags, data, binary, &perms);
333 info = mnt_info_table[pos];
339 return audit_mount(profile, OP_MOUNT, mntpnt, devname, type, NULL,
340 flags, data, AA_MAY_MOUNT, &perms, info, error);
344 * match_mnt - handle path matching for mount
345 * @profile: the confining profile
346 * @path: for the mntpnt (NOT NULL)
347 * @buffer: buffer to be used to lookup mntpath
348 * @devpath: path devname/src_name (MAYBE NULL)
349 * @devbuffer: buffer to be used to lookup devname/src_name
350 * @type: string for the dev type (MAYBE NULL)
351 * @flags: mount flags to match
352 * @data: fs mount data (MAYBE NULL)
353 * @binary: whether @data is binary
355 * Returns: 0 on success else error
357 static int match_mnt(struct aa_profile *profile, const struct path *path,
358 char *buffer, const struct path *devpath, char *devbuffer,
359 const char *type, unsigned long flags, void *data,
362 const char *devname = NULL, *info = NULL;
363 struct aa_ruleset *rules = list_first_entry(&profile->rules,
364 typeof(*rules), list);
368 AA_BUG(devpath && !devbuffer);
370 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
374 error = aa_path_name(devpath, path_flags(profile, devpath),
375 devbuffer, &devname, &info,
376 profile->disconnected);
378 devname = ERR_PTR(error);
381 return match_mnt_path_str(profile, path, buffer, devname, type, flags,
385 int aa_remount(struct aa_label *label, const struct path *path,
386 unsigned long flags, void *data)
388 struct aa_profile *profile;
396 binary = path->dentry->d_sb->s_type->fs_flags & FS_BINARY_MOUNTDATA;
398 buffer = aa_get_buffer(false);
401 error = fn_for_each_confined(label, profile,
402 match_mnt(profile, path, buffer, NULL, NULL, NULL,
403 flags, data, binary));
404 aa_put_buffer(buffer);
409 int aa_bind_mount(struct aa_label *label, const struct path *path,
410 const char *dev_name, unsigned long flags)
412 struct aa_profile *profile;
413 char *buffer = NULL, *old_buffer = NULL;
414 struct path old_path;
420 if (!dev_name || !*dev_name)
423 flags &= MS_REC | MS_BIND;
425 error = kern_path(dev_name, LOOKUP_FOLLOW|LOOKUP_AUTOMOUNT, &old_path);
429 buffer = aa_get_buffer(false);
430 old_buffer = aa_get_buffer(false);
432 if (!buffer || !old_buffer)
435 error = fn_for_each_confined(label, profile,
436 match_mnt(profile, path, buffer, &old_path, old_buffer,
437 NULL, flags, NULL, false));
439 aa_put_buffer(buffer);
440 aa_put_buffer(old_buffer);
446 int aa_mount_change_type(struct aa_label *label, const struct path *path,
449 struct aa_profile *profile;
456 /* These are the flags allowed by do_change_type() */
457 flags &= (MS_REC | MS_SILENT | MS_SHARED | MS_PRIVATE | MS_SLAVE |
460 buffer = aa_get_buffer(false);
463 error = fn_for_each_confined(label, profile,
464 match_mnt(profile, path, buffer, NULL, NULL, NULL,
465 flags, NULL, false));
466 aa_put_buffer(buffer);
471 int aa_move_mount(struct aa_label *label, const struct path *path,
472 const char *orig_name)
474 struct aa_profile *profile;
475 char *buffer = NULL, *old_buffer = NULL;
476 struct path old_path;
482 if (!orig_name || !*orig_name)
485 error = kern_path(orig_name, LOOKUP_FOLLOW, &old_path);
489 buffer = aa_get_buffer(false);
490 old_buffer = aa_get_buffer(false);
492 if (!buffer || !old_buffer)
494 error = fn_for_each_confined(label, profile,
495 match_mnt(profile, path, buffer, &old_path, old_buffer,
496 NULL, MS_MOVE, NULL, false));
498 aa_put_buffer(buffer);
499 aa_put_buffer(old_buffer);
505 int aa_new_mount(struct aa_label *label, const char *dev_name,
506 const struct path *path, const char *type, unsigned long flags,
509 struct aa_profile *profile;
510 char *buffer = NULL, *dev_buffer = NULL;
513 int requires_dev = 0;
514 struct path tmp_path, *dev_path = NULL;
520 struct file_system_type *fstype;
522 fstype = get_fs_type(type);
525 binary = fstype->fs_flags & FS_BINARY_MOUNTDATA;
526 requires_dev = fstype->fs_flags & FS_REQUIRES_DEV;
527 put_filesystem(fstype);
530 if (!dev_name || !*dev_name)
533 error = kern_path(dev_name, LOOKUP_FOLLOW, &tmp_path);
536 dev_path = &tmp_path;
540 buffer = aa_get_buffer(false);
546 dev_buffer = aa_get_buffer(false);
551 error = fn_for_each_confined(label, profile,
552 match_mnt(profile, path, buffer, dev_path, dev_buffer,
553 type, flags, data, binary));
555 error = fn_for_each_confined(label, profile,
556 match_mnt_path_str(profile, path, buffer, dev_name,
557 type, flags, data, binary, NULL));
561 aa_put_buffer(buffer);
562 aa_put_buffer(dev_buffer);
569 static int profile_umount(struct aa_profile *profile, const struct path *path,
572 struct aa_ruleset *rules = list_first_entry(&profile->rules,
573 typeof(*rules), list);
574 struct aa_perms perms = { };
575 const char *name = NULL, *info = NULL;
582 if (!RULE_MEDIATES(rules, AA_CLASS_MOUNT))
585 error = aa_path_name(path, path_flags(profile, path), buffer, &name,
586 &info, profile->disconnected);
590 state = aa_dfa_match(rules->policy.dfa,
591 rules->policy.start[AA_CLASS_MOUNT],
593 perms = *aa_lookup_perms(&rules->policy, state);
594 if (AA_MAY_UMOUNT & ~perms.allow)
598 return audit_mount(profile, OP_UMOUNT, name, NULL, NULL, NULL, 0, NULL,
599 AA_MAY_UMOUNT, &perms, info, error);
602 int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags)
604 struct aa_profile *profile;
607 struct path path = { .mnt = mnt, .dentry = mnt->mnt_root };
612 buffer = aa_get_buffer(false);
616 error = fn_for_each_confined(label, profile,
617 profile_umount(profile, &path, buffer));
618 aa_put_buffer(buffer);
623 /* helper fn for transition on pivotroot
625 * Returns: label for transition or ERR_PTR. Does not return NULL
627 static struct aa_label *build_pivotroot(struct aa_profile *profile,
628 const struct path *new_path,
630 const struct path *old_path,
633 struct aa_ruleset *rules = list_first_entry(&profile->rules,
634 typeof(*rules), list);
635 const char *old_name, *new_name = NULL, *info = NULL;
636 const char *trans_name = NULL;
637 struct aa_perms perms = { };
645 if (profile_unconfined(profile) ||
646 !RULE_MEDIATES(rules, AA_CLASS_MOUNT))
647 return aa_get_newest_label(&profile->label);
649 error = aa_path_name(old_path, path_flags(profile, old_path),
650 old_buffer, &old_name, &info,
651 profile->disconnected);
654 error = aa_path_name(new_path, path_flags(profile, new_path),
655 new_buffer, &new_name, &info,
656 profile->disconnected);
661 state = aa_dfa_match(rules->policy.dfa,
662 rules->policy.start[AA_CLASS_MOUNT],
664 state = aa_dfa_null_transition(rules->policy.dfa, state);
665 state = aa_dfa_match(rules->policy.dfa, state, old_name);
666 perms = *aa_lookup_perms(&rules->policy, state);
668 if (AA_MAY_PIVOTROOT & perms.allow)
672 error = audit_mount(profile, OP_PIVOTROOT, new_name, old_name,
673 NULL, trans_name, 0, NULL, AA_MAY_PIVOTROOT,
674 &perms, info, error);
676 return ERR_PTR(error);
678 return aa_get_newest_label(&profile->label);
681 int aa_pivotroot(struct aa_label *label, const struct path *old_path,
682 const struct path *new_path)
684 struct aa_profile *profile;
685 struct aa_label *target = NULL;
686 char *old_buffer = NULL, *new_buffer = NULL, *info = NULL;
693 old_buffer = aa_get_buffer(false);
694 new_buffer = aa_get_buffer(false);
696 if (!old_buffer || !new_buffer)
698 target = fn_label_build(label, profile, GFP_KERNEL,
699 build_pivotroot(profile, new_path, new_buffer,
700 old_path, old_buffer));
702 info = "label build failed";
705 } else if (!IS_ERR(target)) {
706 error = aa_replace_current_label(target);
708 /* TODO: audit target */
709 aa_put_label(target);
712 aa_put_label(target);
714 /* already audited error */
715 error = PTR_ERR(target);
717 aa_put_buffer(old_buffer);
718 aa_put_buffer(new_buffer);
723 /* TODO: add back in auditing of new_name and old_name */
724 error = fn_for_each(label, profile,
725 audit_mount(profile, OP_PIVOTROOT, NULL /*new_name */,
728 0, NULL, AA_MAY_PIVOTROOT, &nullperms, info,
projects / platform / kernel / linux-rpi.git / blob