Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
apparmorfs.c
Go to the documentation of this file.
1 /*
2  * AppArmor security module
3  *
4  * This file contains AppArmor /sys/kernel/security/apparmor interface functions
5  *
6  * Copyright (C) 1998-2008 Novell/SUSE
7  * Copyright 2009-2010 Canonical Ltd.
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License as
11  * published by the Free Software Foundation, version 2 of the
12  * License.
13  */
14 
15 #include <linux/security.h>
16 #include <linux/vmalloc.h>
17 #include <linux/module.h>
18 #include <linux/seq_file.h>
19 #include <linux/uaccess.h>
20 #include <linux/namei.h>
21 #include <linux/capability.h>
22 
23 #include "include/apparmor.h"
24 #include "include/apparmorfs.h"
25 #include "include/audit.h"
26 #include "include/context.h"
27 #include "include/policy.h"
28 #include "include/resource.h"
29 
41 static char *aa_simple_write_to_buffer(int op, const char __user *userbuf,
42  size_t alloc_size, size_t copy_size,
43  loff_t *pos)
44 {
45  char *data;
46 
47  BUG_ON(copy_size > alloc_size);
48 
49  if (*pos != 0)
50  /* only writes from pos 0, that is complete writes */
51  return ERR_PTR(-ESPIPE);
52 
53  /*
54  * Don't allow profile load/replace/remove from profiles that don't
55  * have CAP_MAC_ADMIN
56  */
57  if (!aa_may_manage_policy(op))
58  return ERR_PTR(-EACCES);
59 
60  /* freed by caller to simple_write_to_buffer */
61  data = kvmalloc(alloc_size);
62  if (data == NULL)
63  return ERR_PTR(-ENOMEM);
64 
65  if (copy_from_user(data, userbuf, copy_size)) {
66  kvfree(data);
67  return ERR_PTR(-EFAULT);
68  }
69 
70  return data;
71 }
72 
73 
74 /* .load file hook fn to load policy */
75 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
76  loff_t *pos)
77 {
78  char *data;
79  ssize_t error;
80 
81  data = aa_simple_write_to_buffer(OP_PROF_LOAD, buf, size, size, pos);
82 
83  error = PTR_ERR(data);
84  if (!IS_ERR(data)) {
85  error = aa_replace_profiles(data, size, PROF_ADD);
86  kvfree(data);
87  }
88 
89  return error;
90 }
91 
92 static const struct file_operations aa_fs_profile_load = {
93  .write = profile_load,
94  .llseek = default_llseek,
95 };
96 
97 /* .replace file hook fn to load and/or replace policy */
98 static ssize_t profile_replace(struct file *f, const char __user *buf,
99  size_t size, loff_t *pos)
100 {
101  char *data;
102  ssize_t error;
103 
104  data = aa_simple_write_to_buffer(OP_PROF_REPL, buf, size, size, pos);
105  error = PTR_ERR(data);
106  if (!IS_ERR(data)) {
107  error = aa_replace_profiles(data, size, PROF_REPLACE);
108  kvfree(data);
109  }
110 
111  return error;
112 }
113 
114 static const struct file_operations aa_fs_profile_replace = {
115  .write = profile_replace,
116  .llseek = default_llseek,
117 };
118 
119 /* .remove file hook fn to remove loaded policy */
120 static ssize_t profile_remove(struct file *f, const char __user *buf,
121  size_t size, loff_t *pos)
122 {
123  char *data;
124  ssize_t error;
125 
126  /*
127  * aa_remove_profile needs a null terminated string so 1 extra
128  * byte is allocated and the copied data is null terminated.
129  */
130  data = aa_simple_write_to_buffer(OP_PROF_RM, buf, size + 1, size, pos);
131 
132  error = PTR_ERR(data);
133  if (!IS_ERR(data)) {
134  data[size] = 0;
135  error = aa_remove_profiles(data, size);
136  kvfree(data);
137  }
138 
139  return error;
140 }
141 
142 static const struct file_operations aa_fs_profile_remove = {
143  .write = profile_remove,
144  .llseek = default_llseek,
145 };
146 
147 static int aa_fs_seq_show(struct seq_file *seq, void *v)
148 {
149  struct aa_fs_entry *fs_file = seq->private;
150 
151  if (!fs_file)
152  return 0;
153 
154  switch (fs_file->v_type) {
155  case AA_FS_TYPE_BOOLEAN:
156  seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
157  break;
158  case AA_FS_TYPE_STRING:
159  seq_printf(seq, "%s\n", fs_file->v.string);
160  break;
161  case AA_FS_TYPE_U64:
162  seq_printf(seq, "%#08lx\n", fs_file->v.u64);
163  break;
164  default:
165  /* Ignore unpritable entry types. */
166  break;
167  }
168 
169  return 0;
170 }
171 
172 static int aa_fs_seq_open(struct inode *inode, struct file *file)
173 {
174  return single_open(file, aa_fs_seq_show, inode->i_private);
175 }
176 
177 const struct file_operations aa_fs_seq_file_ops = {
178  .owner = THIS_MODULE,
179  .open = aa_fs_seq_open,
180  .read = seq_read,
181  .llseek = seq_lseek,
182  .release = single_release,
183 };
184 
187 static struct aa_fs_entry aa_fs_entry_file[] = {
188  AA_FS_FILE_STRING("mask", "create read write exec append mmap_exec " \
189  "link lock"),
190  { }
191 };
192 
193 static struct aa_fs_entry aa_fs_entry_domain[] = {
194  AA_FS_FILE_BOOLEAN("change_hat", 1),
195  AA_FS_FILE_BOOLEAN("change_hatv", 1),
196  AA_FS_FILE_BOOLEAN("change_onexec", 1),
197  AA_FS_FILE_BOOLEAN("change_profile", 1),
198  { }
199 };
200 
201 static struct aa_fs_entry aa_fs_entry_features[] = {
202  AA_FS_DIR("domain", aa_fs_entry_domain),
203  AA_FS_DIR("file", aa_fs_entry_file),
204  AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
205  AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
206  { }
207 };
208 
209 static struct aa_fs_entry aa_fs_entry_apparmor[] = {
210  AA_FS_FILE_FOPS(".load", 0640, &aa_fs_profile_load),
211  AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace),
212  AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove),
213  AA_FS_DIR("features", aa_fs_entry_features),
214  { }
215 };
216 
217 static struct aa_fs_entry aa_fs_entry =
218  AA_FS_DIR("apparmor", aa_fs_entry_apparmor);
219 
227 static int __init aafs_create_file(struct aa_fs_entry *fs_file,
228  struct dentry *parent)
229 {
230  int error = 0;
231 
232  fs_file->dentry = securityfs_create_file(fs_file->name,
233  S_IFREG | fs_file->mode,
234  parent, fs_file,
235  fs_file->file_ops);
236  if (IS_ERR(fs_file->dentry)) {
237  error = PTR_ERR(fs_file->dentry);
238  fs_file->dentry = NULL;
239  }
240  return error;
241 }
242 
250 static int __init aafs_create_dir(struct aa_fs_entry *fs_dir,
251  struct dentry *parent)
252 {
253  int error;
254  struct aa_fs_entry *fs_file;
255 
256  fs_dir->dentry = securityfs_create_dir(fs_dir->name, parent);
257  if (IS_ERR(fs_dir->dentry)) {
258  error = PTR_ERR(fs_dir->dentry);
259  fs_dir->dentry = NULL;
260  goto failed;
261  }
262 
263  for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
264  if (fs_file->v_type == AA_FS_TYPE_DIR)
265  error = aafs_create_dir(fs_file, fs_dir->dentry);
266  else
267  error = aafs_create_file(fs_file, fs_dir->dentry);
268  if (error)
269  goto failed;
270  }
271 
272  return 0;
273 
274 failed:
275  return error;
276 }
277 
282 static void __init aafs_remove_file(struct aa_fs_entry *fs_file)
283 {
284  if (!fs_file->dentry)
285  return;
286 
287  securityfs_remove(fs_file->dentry);
288  fs_file->dentry = NULL;
289 }
290 
295 static void __init aafs_remove_dir(struct aa_fs_entry *fs_dir)
296 {
297  struct aa_fs_entry *fs_file;
298 
299  for (fs_file = fs_dir->v.files; fs_file->name; ++fs_file) {
300  if (fs_file->v_type == AA_FS_TYPE_DIR)
301  aafs_remove_dir(fs_file);
302  else
303  aafs_remove_file(fs_file);
304  }
305 
306  aafs_remove_file(fs_dir);
307 }
308 
314 void __init aa_destroy_aafs(void)
315 {
316  aafs_remove_dir(&aa_fs_entry);
317 }
318 
326 static int __init aa_create_aafs(void)
327 {
328  int error;
329 
330  if (!apparmor_initialized)
331  return 0;
332 
333  if (aa_fs_entry.dentry) {
334  AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
335  return -EEXIST;
336  }
337 
338  /* Populate fs tree. */
339  error = aafs_create_dir(&aa_fs_entry, NULL);
340  if (error)
341  goto error;
342 
343  /* TODO: add support for apparmorfs_null and apparmorfs_mnt */
344 
345  /* Report that AppArmor fs is enabled */
346  aa_info_message("AppArmor Filesystem Enabled");
347  return 0;
348 
349 error:
350  aa_destroy_aafs();
351  AA_ERROR("Error creating AppArmor securityfs\n");
352  return error;
353 }
354 
355 fs_initcall(aa_create_aafs);
Generated on Thu Jan 10 2013 15:03:05 for Linux Kernel by   doxygen 1.8.2