
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
182 rules = list_first_entry(&profile->rules, in apparmor_capget()
185 rules->caps.allow); in apparmor_capget()
187 rules->caps.allow); in apparmor_capget()
211 * common_perm - basic common permission check wrapper fn for paths
235 * common_perm_cond - common permission wrapper around inode cond
244 vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt), in common_perm_cond()
245 d_backing_inode(path->dentry)); in common_perm_cond()
248 d_backing_inode(path->dentry)->i_mode in common_perm_cond()
251 if (!path_mediated_fs(path->dentry)) in common_perm_cond()
258 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
260 * @dir: directory of the dentry (NOT NULL)
267 static int common_perm_dir_dentry(const char *op, const struct path *dir, in common_perm_dir_dentry() argument
271 struct path path = { .mnt = dir->mnt, .dentry = dentry }; in common_perm_dir_dentry()
277 * common_perm_rm - common permission wrapper for operations doing rm
279 * @dir: directory that the dentry is in (NOT NULL)
285 static int common_perm_rm(const char *op, const struct path *dir, in common_perm_rm() argument
295 vfsuid = i_uid_into_vfsuid(mnt_idmap(dir->mnt), inode); in common_perm_rm()
297 cond.mode = inode->i_mode; in common_perm_rm()
299 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_rm()
303 * common_perm_create - common permission wrapper for operations doing create
305 * @dir: directory that dentry will be created in (NOT NULL)
312 static int common_perm_create(const char *op, const struct path *dir, in common_perm_create() argument
317 if (!path_mediated_fs(dir->dentry)) in common_perm_create()
320 return common_perm_dir_dentry(op, dir, dentry, mask, &cond); in common_perm_create()
323 static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry) in apparmor_path_unlink() argument
325 return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE); in apparmor_path_unlink()
328 static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry, in apparmor_path_mkdir() argument
331 return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE, in apparmor_path_mkdir()
335 static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry) in apparmor_path_rmdir() argument
337 return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE); in apparmor_path_rmdir()
340 static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry, in apparmor_path_mknod() argument
343 return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode); in apparmor_path_mknod()
353 return apparmor_path_truncate(&file->f_path); in apparmor_file_truncate()
356 static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry, in apparmor_path_symlink() argument
359 return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE, in apparmor_path_symlink()
395 struct mnt_idmap *idmap = mnt_idmap(old_dir->mnt); in apparmor_path_rename()
397 struct path old_path = { .mnt = old_dir->mnt, in apparmor_path_rename()
399 struct path new_path = { .mnt = new_dir->mnt, in apparmor_path_rename()
402 .mode = d_backing_inode(old_dentry)->i_mode in apparmor_path_rename()
409 .mode = d_backing_inode(new_dentry)->i_mode, in apparmor_path_rename()
466 if (!path_mediated_fs(file->f_path.dentry)) in apparmor_file_open()
476 if (file->f_flags & __FMODE_EXEC) { in apparmor_file_open()
477 fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP; in apparmor_file_open()
481 label = aa_get_newest_cred_label_condref(file->f_cred, &needput); in apparmor_file_open()
487 .mode = inode->i_mode, in apparmor_file_open()
492 error = aa_path_perm(OP_OPEN, file->f_cred, in apparmor_file_open()
493 label, &file->f_path, 0, in apparmor_file_open()
496 fctx->allow = aa_map_file_to_perms(file); in apparmor_file_open()
508 spin_lock_init(&ctx->lock); in apparmor_file_alloc_security()
509 rcu_assign_pointer(ctx->label, aa_get_label(label)); in apparmor_file_alloc_security()
519 aa_put_label(rcu_access_pointer(ctx->label)); in apparmor_file_free_security()
529 if (file->f_path.dentry == aa_null.dentry) in common_file_perm()
530 return -EACCES; in common_file_perm()
550 static int apparmor_file_lock(struct file *file, unsigned int cmd) in apparmor_file_lock() argument
554 if (cmd == F_WRLCK) in apparmor_file_lock()
591 return common_mmap(OP_FMPROT, vma->vm_file, prot, in apparmor_file_mprotect()
592 !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0, in apparmor_file_mprotect()
610 if (ad->request & AA_URING_PERM_MASK) { in audit_uring_cb()
612 audit_uring_mask(ad->request)); in audit_uring_cb()
613 if (ad->denied & AA_URING_PERM_MASK) { in audit_uring_cb()
615 audit_uring_mask(ad->denied)); in audit_uring_cb()
618 if (ad->uring.target) { in audit_uring_cb()
620 aa_label_xaudit(ab, labels_ns(ad->subj_label), in audit_uring_cb()
621 ad->uring.target, in audit_uring_cb()
636 rules = list_first_entry(&profile->rules, typeof(*rules), list); in profile_uring()
645 perms = *aa_lookup_perms(rules->policy, state); in profile_uring()
656 * apparmor_uring_override_creds - check the requested cred override
681 * apparmor_uring_sqpoll - check if a io_uring polling thread can be created
785 int error = -ENOENT; in apparmor_getselfattr()
795 if (ctx->previous) in apparmor_getselfattr()
796 label = aa_get_newest_label(ctx->previous); in apparmor_getselfattr()
799 if (ctx->onexec) in apparmor_getselfattr()
800 label = aa_get_newest_label(ctx->onexec); in apparmor_getselfattr()
803 error = -EOPNOTSUPP; in apparmor_getselfattr()
825 int error = -ENOENT; in apparmor_getprocattr()
833 else if (strcmp(name, "prev") == 0 && ctx->previous) in apparmor_getprocattr()
834 label = aa_get_newest_label(ctx->previous); in apparmor_getprocattr()
835 else if (strcmp(name, "exec") == 0 && ctx->onexec) in apparmor_getprocattr()
836 label = aa_get_newest_label(ctx->onexec); in apparmor_getprocattr()
838 error = -EINVAL; in apparmor_getprocattr()
858 return -EINVAL; in do_setattr()
861 if (args[size - 1] != '\0') { in do_setattr()
865 return -ENOMEM; in do_setattr()
870 error = -EINVAL; in do_setattr()
879 arg_size = size - (args - (largs ? largs : (char *) value)); in do_setattr()
921 ad.error = error = -EINVAL; in do_setattr()
933 return -EOPNOTSUPP; in apparmor_setselfattr()
935 rc = do_setattr(attr, ctx->ctx, ctx->ctx_len); in apparmor_setselfattr()
948 return -EINVAL; in apparmor_setprocattr()
952 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
958 struct aa_label *new_label = cred_label(bprm->cred); in apparmor_bprm_committing_creds()
961 if ((new_label->proxy == label->proxy) || in apparmor_bprm_committing_creds()
965 aa_inherit_files(bprm->cred, current->files); in apparmor_bprm_committing_creds()
967 current->pdeath_signal = 0; in apparmor_bprm_committing_creds()
974 * apparmor_bprm_committed_creds() - do cleanup after new creds committed
989 prop->apparmor.label = label; in apparmor_current_getlsmprop_subj()
998 prop->apparmor.label = label; in apparmor_task_getlsmprop_obj()
1017 int sig, const struct cred *cred) in apparmor_task_kill() argument
1030 error = aa_may_signal(cred, cl, tc, tl, sig); in apparmor_task_kill()
1034 error = aa_may_signal(current_cred(), cl, tc, tl, sig); in apparmor_task_kill()
1068 aa_put_label(ctx->label); in apparmor_sk_free_security()
1069 aa_put_label(ctx->peer); in apparmor_sk_free_security()
1073 * apparmor_sk_clone_security - clone the sk_security field
1083 if (new->label) in apparmor_sk_clone_security()
1084 aa_put_label(new->label); in apparmor_sk_clone_security()
1085 new->label = aa_get_label(ctx->label); in apparmor_sk_clone_security()
1087 if (new->peer) in apparmor_sk_clone_security()
1088 aa_put_label(new->peer); in apparmor_sk_clone_security()
1089 new->peer = aa_get_label(ctx->peer); in apparmor_sk_clone_security()
1112 * apparmor_socket_post_create - setup the per-socket security struct
1120 * - kernel sockets labeled kernel_t used to use unconfined
1121 * - socket may not have sk here if created with sock_create_lite or
1135 if (sock->sk) { in apparmor_socket_post_create()
1136 struct aa_sk_ctx *ctx = aa_sock(sock->sk); in apparmor_socket_post_create()
1138 aa_put_label(ctx->label); in apparmor_socket_post_create()
1139 ctx->label = aa_get_label(label); in apparmor_socket_post_create()
1150 AA_BUG(!sock->sk); in apparmor_socket_bind()
1154 return af_select(sock->sk->sk_family, in apparmor_socket_bind()
1156 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); in apparmor_socket_bind()
1163 AA_BUG(!sock->sk); in apparmor_socket_connect()
1167 return af_select(sock->sk->sk_family, in apparmor_socket_connect()
1169 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); in apparmor_socket_connect()
1175 AA_BUG(!sock->sk); in apparmor_socket_listen()
1178 return af_select(sock->sk->sk_family, in apparmor_socket_listen()
1180 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); in apparmor_socket_listen()
1190 AA_BUG(!sock->sk); in apparmor_socket_accept()
1194 return af_select(sock->sk->sk_family, in apparmor_socket_accept()
1196 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); in apparmor_socket_accept()
1203 AA_BUG(!sock->sk); in aa_sock_msg_perm()
1207 return af_select(sock->sk->sk_family, in aa_sock_msg_perm()
1209 aa_sk_perm(op, request, sock->sk)); in aa_sock_msg_perm()
1228 AA_BUG(!sock->sk); in aa_sock_perm()
1231 return af_select(sock->sk->sk_family, in aa_sock_perm()
1233 aa_sk_perm(op, request, sock->sk)); in aa_sock_perm()
1251 AA_BUG(!sock->sk); in aa_sock_opt_perm()
1254 return af_select(sock->sk->sk_family, in aa_sock_opt_perm()
1256 aa_sk_perm(op, request, sock->sk)); in aa_sock_opt_perm()
1280 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk
1293 if (!skb->secmark) in apparmor_socket_sock_rcv_skb()
1300 if (!ctx->label) in apparmor_socket_sock_rcv_skb()
1301 return -EACCES; in apparmor_socket_sock_rcv_skb()
1303 return apparmor_secmark_check(ctx->label, OP_RECVMSG, AA_MAY_RECEIVE, in apparmor_socket_sock_rcv_skb()
1304 skb->secmark, sk); in apparmor_socket_sock_rcv_skb()
1313 if (ctx->peer) in sk_peer_label()
1314 return ctx->peer; in sk_peer_label()
1316 return ERR_PTR(-ENOPROTOOPT); in sk_peer_label()
1320 * apparmor_socket_getpeersec_stream - get security context of peer
1322 * @optval: output - buffer to copy peer name to
1323 * @optlen: output - size of copied name in @optval
1325 * Returns: 0 on success, -errno on failure
1339 peer = sk_peer_label(sock->sk); in apparmor_socket_getpeersec_stream()
1349 error = -ENOMEM; in apparmor_socket_getpeersec_stream()
1353 error = -ERANGE; in apparmor_socket_getpeersec_stream()
1358 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1361 error = -EFAULT; in apparmor_socket_getpeersec_stream()
1369 * apparmor_socket_getpeersec_dgram - get security label of packet
1381 return -ENOPROTOOPT; in apparmor_socket_getpeersec_dgram()
1385 * apparmor_sock_graft - Initialize newly created socket
1391 * Labeling of sk for accept case - probably should be sock based
1399 if (!ctx->label) in apparmor_sock_graft()
1400 ctx->label = aa_get_current_label(); in apparmor_sock_graft()
1409 if (!skb->secmark) in apparmor_inet_conn_request()
1412 return apparmor_secmark_check(ctx->label, OP_CONNECT, AA_MAY_CONNECT, in apparmor_inet_conn_request()
1413 skb->secmark, sk); in apparmor_inet_conn_request()
1584 /* AppArmor global enforcement switch - complain, enforce, kill */
1672 return -EINVAL; in param_set_aalockpolicy()
1674 return -EPERM; in param_set_aalockpolicy()
1681 return -EINVAL; in param_get_aalockpolicy()
1683 return -EPERM; in param_get_aalockpolicy()
1690 return -EINVAL; in param_set_aabool()
1692 return -EPERM; in param_set_aabool()
1699 return -EINVAL; in param_get_aabool()
1701 return -EPERM; in param_get_aabool()
1710 return -EINVAL; in param_set_aauint()
1713 return -EPERM; in param_set_aauint()
1725 return -EINVAL; in param_get_aauint()
1727 return -EPERM; in param_get_aauint()
1739 return -EPERM; in param_set_aaintbool()
1742 value = !!*((int *)kp->arg); in param_set_aaintbool()
1748 *((int *)kp->arg) = *((bool *)kp_local.arg); in param_set_aaintbool()
1764 value = !!*((int *)kp->arg); in param_get_aaintbool()
1777 return -EINVAL; in param_set_aacompressionlevel()
1779 return -EPERM; in param_set_aacompressionlevel()
1795 return -EINVAL; in param_get_aacompressionlevel()
1797 return -EPERM; in param_get_aacompressionlevel()
1804 return -EINVAL; in param_get_audit()
1806 return -EPERM; in param_get_audit()
1815 return -EINVAL; in param_set_audit()
1817 return -EINVAL; in param_set_audit()
1819 return -EPERM; in param_set_audit()
1823 return -EINVAL; in param_set_audit()
1832 return -EINVAL; in param_get_mode()
1834 return -EPERM; in param_get_mode()
1844 return -EINVAL; in param_set_mode()
1846 return -EINVAL; in param_set_mode()
1848 return -EPERM; in param_set_mode()
1853 return -EINVAL; in param_set_mode()
1868 if (!list_empty(&cache->head)) { in aa_get_buffer()
1869 aa_buf = list_first_entry(&cache->head, union aa_buffer, list); in aa_get_buffer()
1870 list_del(&aa_buf->list); in aa_get_buffer()
1871 cache->hold--; in aa_get_buffer()
1872 cache->count--; in aa_get_buffer()
1874 return &aa_buf->buffer[0]; in aa_get_buffer()
1880 cache->hold += 1; in aa_get_buffer()
1892 list_del(&aa_buf->list); in aa_get_buffer()
1893 buffer_count--; in aa_get_buffer()
1895 return aa_buf->buffer; in aa_get_buffer()
1919 return aa_buf->buffer; in aa_get_buffer()
1932 if (!cache->hold) { in aa_put_buffer()
1937 list_add(&aa_buf->list, &aa_global_buffers); in aa_put_buffer()
1946 cache->hold += 1; in aa_put_buffer()
1950 list_add(&aa_buf->list, &cache->head); in aa_put_buffer()
1951 cache->count++; in aa_put_buffer()
1960 * set_init_ctx - set a task context and profile on the first task.
1966 struct cred *cred = (__force struct cred *)current->real_cred; in set_init_ctx()
1981 list_del(&aa_buf->list); in destroy_buffers()
2008 * This preallocation has also the side-effect that AppArmor will be in alloc_buffers()
2022 return -ENOMEM; in alloc_buffers()
2024 aa_put_buffer(aa_buf->buffer); in alloc_buffers()
2034 return -EPERM; in apparmor_dointvec()
2036 return -EINVAL; in apparmor_dointvec()
2069 return register_sysctl("kernel", apparmor_sysctl_table) ? 0 : -ENOMEM; in apparmor_init_sysctl()
2086 if (!skb->secmark) in apparmor_ip_postroute()
2094 if (!apparmor_secmark_check(ctx->label, OP_SENDMSG, AA_MAY_SEND, in apparmor_ip_postroute()
2095 skb->secmark, sk)) in apparmor_ip_postroute()
2098 return NF_DROP_ERR(-ECONNREFUSED); in apparmor_ip_postroute()
2165 int error = -ENOMEM; in aa_setup_dfa_engine()
2169 return -ENOMEM; in aa_setup_dfa_engine()
2178 nullpdb->dfa = aa_get_dfa(nulldfa); in aa_setup_dfa_engine()
2179 nullpdb->perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL); in aa_setup_dfa_engine()
2180 if (!nullpdb->perms) in aa_setup_dfa_engine()
2182 nullpdb->size = 2; in aa_setup_dfa_engine()