Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
awilliam
GitHub Repository: awilliam/linux-vfio
 Path: blob/master/security/apparmor/policy.c
10814 views
1
/*

2
 * AppArmor security module

3
 *

4
 * This file contains AppArmor policy manipulation functions

5
 *

6
 * Copyright (C) 1998-2008 Novell/SUSE

7
 * Copyright 2009-2010 Canonical Ltd.

8
 *

9
 * This program is free software; you can redistribute it and/or

10
 * modify it under the terms of the GNU General Public License as

11
 * published by the Free Software Foundation, version 2 of the

12
 * License.

13
 *

14
 *

15
 * AppArmor policy is based around profiles, which contain the rules a

16
 * task is confined by.  Every task in the system has a profile attached

17
 * to it determined either by matching "unconfined" tasks against the

18
 * visible set of profiles or by following a profiles attachment rules.

19
 *

20
 * Each profile exists in a profile namespace which is a container of

21
 * visible profiles.  Each namespace contains a special "unconfined" profile,

22
 * which doesn't enforce any confinement on a task beyond DAC.

23
 *

24
 * Namespace and profile names can be written together in either

25
 * of two syntaxes.

26
 *	:namespace:profile - used by kernel interfaces for easy detection

27
 *	namespace://profile - used by policy

28
 *

29
 * Profile names can not start with : or @ or ^ and may not contain \0

30
 *

31
 * Reserved profile names

32
 *	unconfined - special automatically generated unconfined profile

33
 *	inherit - special name to indicate profile inheritance

34
 *	null-XXXX-YYYY - special automatically generated learning profiles

35
 *

36
 * Namespace names may not start with / or @ and may not contain \0 or :

37
 * Reserved namespace names

38
 *	user-XXXX - user defined profiles

39
 *

40
 * a // in a profile or namespace name indicates a hierarchical name with the

41
 * name before the // being the parent and the name after the child.

42
 *

43
 * Profile and namespace hierarchies serve two different but similar purposes.

44
 * The namespace contains the set of visible profiles that are considered

45
 * for attachment.  The hierarchy of namespaces allows for virtualizing

46
 * the namespace so that for example a chroot can have its own set of profiles

47
 * which may define some local user namespaces.

48
 * The profile hierarchy severs two distinct purposes,

49
 * -  it allows for sub profiles or hats, which allows an application to run

50
 *    subprograms under its own profile with different restriction than it

51
 *    self, and not have it use the system profile.

52
 *    eg. if a mail program starts an editor, the policy might make the

53
 *        restrictions tighter on the editor tighter than the mail program,

54
 *        and definitely different than general editor restrictions

55
 * - it allows for binary hierarchy of profiles, so that execution history

56
 *   is preserved.  This feature isn't exploited by AppArmor reference policy

57
 *   but is allowed.  NOTE: this is currently suboptimal because profile

58
 *   aliasing is not currently implemented so that a profile for each

59
 *   level must be defined.

60
 *   eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started

61
 *       from /bin/bash

62
 *

63
 *   A profile or namespace name that can contain one or more // separators

64
 *   is referred to as an hname (hierarchical).

65
 *   eg.  /bin/bash//bin/ls

66
 *

67
 *   An fqname is a name that may contain both namespace and profile hnames.

68
 *   eg. :ns:/bin/bash//bin/ls

69
 *

70
 * NOTES:

71
 *   - locking of profile lists is currently fairly coarse.  All profile

72
 *     lists within a namespace use the namespace lock.

73
 * FIXME: move profile lists to using rcu_lists

74
 */

75


76
#include <linux/slab.h>

77
#include <linux/spinlock.h>

78
#include <linux/string.h>

79


80
#include "include/apparmor.h"

81
#include "include/capability.h"

82
#include "include/context.h"

83
#include "include/file.h"

84
#include "include/ipc.h"

85
#include "include/match.h"

86
#include "include/path.h"

87
#include "include/policy.h"

88
#include "include/policy_unpack.h"

89
#include "include/resource.h"

90
#include "include/sid.h"

91


92


93
/* root profile namespace */

94
struct aa_namespace *root_ns;

95


96
const char *profile_mode_names[] = {

97
	"enforce",

98
	"complain",

99
	"kill",

100
};

101


102
/**

103
 * hname_tail - find the last component of an hname

104
 * @name: hname to find the base profile name component of  (NOT NULL)

105
 *

106
 * Returns: the tail (base profile name) name component of an hname

107
 */

108
static const char *hname_tail(const char *hname)

109
{

110
	char *split;

111
	hname = strim((char *)hname);

112
	for (split = strstr(hname, "//"); split; split = strstr(hname, "//"))

113
		hname = split + 2;

114


115
	return hname;

116
}

117


118
/**

119
 * policy_init - initialize a policy structure

120
 * @policy: policy to initialize  (NOT NULL)

121
 * @prefix: prefix name if any is required.  (MAYBE NULL)

122
 * @name: name of the policy, init will make a copy of it  (NOT NULL)

123
 *

124
 * Note: this fn creates a copy of strings passed in

125
 *

126
 * Returns: true if policy init successful

127
 */

128
static bool policy_init(struct aa_policy *policy, const char *prefix,

129
			const char *name)

130
{

131
	/* freed by policy_free */

132
	if (prefix) {

133
		policy->hname = kmalloc(strlen(prefix) + strlen(name) + 3,

134
					GFP_KERNEL);

135
		if (policy->hname)

136
			sprintf(policy->hname, "%s//%s", prefix, name);

137
	} else

138
		policy->hname = kstrdup(name, GFP_KERNEL);

139
	if (!policy->hname)

140
		return 0;

141
	/* base.name is a substring of fqname */

142
	policy->name = (char *)hname_tail(policy->hname);

143
	INIT_LIST_HEAD(&policy->list);

144
	INIT_LIST_HEAD(&policy->profiles);

145
	kref_init(&policy->count);

146


147
	return 1;

148
}

149


150
/**

151
 * policy_destroy - free the elements referenced by @policy

152
 * @policy: policy that is to have its elements freed  (NOT NULL)

153
 */

154
static void policy_destroy(struct aa_policy *policy)

155
{

156
	/* still contains profiles -- invalid */

157
	if (!list_empty(&policy->profiles)) {

158
		AA_ERROR("%s: internal error, "

159
			 "policy '%s' still contains profiles\n",

160
			 __func__, policy->name);

161
		BUG();

162
	}

163
	if (!list_empty(&policy->list)) {

164
		AA_ERROR("%s: internal error, policy '%s' still on list\n",

165
			 __func__, policy->name);

166
		BUG();

167
	}

168


169
	/* don't free name as its a subset of hname */

170
	kzfree(policy->hname);

171
}

172


173
/**

174
 * __policy_find - find a policy by @name on a policy list

175
 * @head: list to search  (NOT NULL)

176
 * @name: name to search for  (NOT NULL)

177
 *

178
 * Requires: correct locks for the @head list be held

179
 *

180
 * Returns: unrefcounted policy that match @name or NULL if not found

181
 */

182
static struct aa_policy *__policy_find(struct list_head *head, const char *name)

183
{

184
	struct aa_policy *policy;

185


186
	list_for_each_entry(policy, head, list) {

187
		if (!strcmp(policy->name, name))

188
			return policy;

189
	}

190
	return NULL;

191
}

192


193
/**

194
 * __policy_strn_find - find a policy that's name matches @len chars of @str

195
 * @head: list to search  (NOT NULL)

196
 * @str: string to search for  (NOT NULL)

197
 * @len: length of match required

198
 *

199
 * Requires: correct locks for the @head list be held

200
 *

201
 * Returns: unrefcounted policy that match @str or NULL if not found

202
 *

203
 * if @len == strlen(@strlen) then this is equiv to __policy_find

204
 * other wise it allows searching for policy by a partial match of name

205
 */

206
static struct aa_policy *__policy_strn_find(struct list_head *head,

207
					    const char *str, int len)

208
{

209
	struct aa_policy *policy;

210


211
	list_for_each_entry(policy, head, list) {

212
		if (aa_strneq(policy->name, str, len))

213
			return policy;

214
	}

215


216
	return NULL;

217
}

218


219
/*

220
 * Routines for AppArmor namespaces

221
 */

222


223
static const char *hidden_ns_name = "---";

224
/**

225
 * aa_ns_visible - test if @view is visible from @curr

226
 * @curr: namespace to treat as the parent (NOT NULL)

227
 * @view:  namespace to test if visible from @curr (NOT NULL)

228
 *

229
 * Returns: true if @view is visible from @curr else false

230
 */

231
bool aa_ns_visible(struct aa_namespace *curr, struct aa_namespace *view)

232
{

233
	if (curr == view)

234
		return true;

235


236
	for ( ; view; view = view->parent) {

237
		if (view->parent == curr)

238
			return true;

239
	}

240
	return false;

241
}

242


243
/**

244
 * aa_na_name - Find the ns name to display for @view from @curr

245
 * @curr - current namespace (NOT NULL)

246
 * @view - namespace attempting to view (NOT NULL)

247
 *

248
 * Returns: name of @view visible from @curr

249
 */

250
const char *aa_ns_name(struct aa_namespace *curr, struct aa_namespace *view)

251
{

252
	/* if view == curr then the namespace name isn't displayed */

253
	if (curr == view)

254
		return "";

255


256
	if (aa_ns_visible(curr, view)) {

257
		/* at this point if a ns is visible it is in a view ns

258
		 * thus the curr ns.hname is a prefix of its name.

259
		 * Only output the virtualized portion of the name

260
		 * Add + 2 to skip over // separating curr hname prefix

261
		 * from the visible tail of the views hname

262
		 */

263
		return view->base.hname + strlen(curr->base.hname) + 2;

264
	} else

265
		return hidden_ns_name;

266
}

267


268
/**

269
 * alloc_namespace - allocate, initialize and return a new namespace

270
 * @prefix: parent namespace name (MAYBE NULL)

271
 * @name: a preallocated name  (NOT NULL)

272
 *

273
 * Returns: refcounted namespace or NULL on failure.

274
 */

275
static struct aa_namespace *alloc_namespace(const char *prefix,

276
					    const char *name)

277
{

278
	struct aa_namespace *ns;

279


280
	ns = kzalloc(sizeof(*ns), GFP_KERNEL);

281
	AA_DEBUG("%s(%p)\n", __func__, ns);

282
	if (!ns)

283
		return NULL;

284
	if (!policy_init(&ns->base, prefix, name))

285
		goto fail_ns;

286


287
	INIT_LIST_HEAD(&ns->sub_ns);

288
	rwlock_init(&ns->lock);

289


290
	/* released by free_namespace */

291
	ns->unconfined = aa_alloc_profile("unconfined");

292
	if (!ns->unconfined)

293
		goto fail_unconfined;

294


295
	ns->unconfined->sid = aa_alloc_sid();

296
	ns->unconfined->flags = PFLAG_UNCONFINED | PFLAG_IX_ON_NAME_ERROR |

297
	    PFLAG_IMMUTABLE;

298


299
	/*

300
	 * released by free_namespace, however __remove_namespace breaks

301
	 * the cyclic references (ns->unconfined, and unconfined->ns) and

302
	 * replaces with refs to parent namespace unconfined

303
	 */

304
	ns->unconfined->ns = aa_get_namespace(ns);

305


306
	return ns;

307


308
fail_unconfined:

309
	kzfree(ns->base.hname);

310
fail_ns:

311
	kzfree(ns);

312
	return NULL;

313
}

314


315
/**

316
 * free_namespace - free a profile namespace

317
 * @ns: the namespace to free  (MAYBE NULL)

318
 *

319
 * Requires: All references to the namespace must have been put, if the

320
 *           namespace was referenced by a profile confining a task,

321
 */

322
static void free_namespace(struct aa_namespace *ns)

323
{

324
	if (!ns)

325
		return;

326


327
	policy_destroy(&ns->base);

328
	aa_put_namespace(ns->parent);

329


330
	if (ns->unconfined && ns->unconfined->ns == ns)

331
		ns->unconfined->ns = NULL;

332


333
	aa_put_profile(ns->unconfined);

334
	kzfree(ns);

335
}

336


337
/**

338
 * aa_free_namespace_kref - free aa_namespace by kref (see aa_put_namespace)

339
 * @kr: kref callback for freeing of a namespace  (NOT NULL)

340
 */

341
void aa_free_namespace_kref(struct kref *kref)

342
{

343
	free_namespace(container_of(kref, struct aa_namespace, base.count));

344
}

345


346
/**

347
 * __aa_find_namespace - find a namespace on a list by @name

348
 * @head: list to search for namespace on  (NOT NULL)

349
 * @name: name of namespace to look for  (NOT NULL)

350
 *

351
 * Returns: unrefcounted namespace

352
 *

353
 * Requires: ns lock be held

354
 */

355
static struct aa_namespace *__aa_find_namespace(struct list_head *head,

356
						const char *name)

357
{

358
	return (struct aa_namespace *)__policy_find(head, name);

359
}

360


361
/**

362
 * aa_find_namespace  -  look up a profile namespace on the namespace list

363
 * @root: namespace to search in  (NOT NULL)

364
 * @name: name of namespace to find  (NOT NULL)

365
 *

366
 * Returns: a refcounted namespace on the list, or NULL if no namespace

367
 *          called @name exists.

368
 *

369
 * refcount released by caller

370
 */

371
struct aa_namespace *aa_find_namespace(struct aa_namespace *root,

372
				       const char *name)

373
{

374
	struct aa_namespace *ns = NULL;

375


376
	read_lock(&root->lock);

377
	ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));

378
	read_unlock(&root->lock);

379


380
	return ns;

381
}

382


383
/**

384
 * aa_prepare_namespace - find an existing or create a new namespace of @name

385
 * @name: the namespace to find or add  (MAYBE NULL)

386
 *

387
 * Returns: refcounted namespace or NULL if failed to create one

388
 */

389
static struct aa_namespace *aa_prepare_namespace(const char *name)

390
{

391
	struct aa_namespace *ns, *root;

392


393
	root = aa_current_profile()->ns;

394


395
	write_lock(&root->lock);

396


397
	/* if name isn't specified the profile is loaded to the current ns */

398
	if (!name) {

399
		/* released by caller */

400
		ns = aa_get_namespace(root);

401
		goto out;

402
	}

403


404
	/* try and find the specified ns and if it doesn't exist create it */

405
	/* released by caller */

406
	ns = aa_get_namespace(__aa_find_namespace(&root->sub_ns, name));

407
	if (!ns) {

408
		/* namespace not found */

409
		struct aa_namespace *new_ns;

410
		write_unlock(&root->lock);

411
		new_ns = alloc_namespace(root->base.hname, name);

412
		if (!new_ns)

413
			return NULL;

414
		write_lock(&root->lock);

415
		/* test for race when new_ns was allocated */

416
		ns = __aa_find_namespace(&root->sub_ns, name);

417
		if (!ns) {

418
			/* add parent ref */

419
			new_ns->parent = aa_get_namespace(root);

420


421
			list_add(&new_ns->base.list, &root->sub_ns);

422
			/* add list ref */

423
			ns = aa_get_namespace(new_ns);

424
		} else {

425
			/* raced so free the new one */

426
			free_namespace(new_ns);

427
			/* get reference on namespace */

428
			aa_get_namespace(ns);

429
		}

430
	}

431
out:

432
	write_unlock(&root->lock);

433


434
	/* return ref */

435
	return ns;

436
}

437


438
/**

439
 * __list_add_profile - add a profile to a list

440
 * @list: list to add it to  (NOT NULL)

441
 * @profile: the profile to add  (NOT NULL)

442
 *

443
 * refcount @profile, should be put by __list_remove_profile

444
 *

445
 * Requires: namespace lock be held, or list not be shared

446
 */

447
static void __list_add_profile(struct list_head *list,

448
			       struct aa_profile *profile)

449
{

450
	list_add(&profile->base.list, list);

451
	/* get list reference */

452
	aa_get_profile(profile);

453
}

454


455
/**

456
 * __list_remove_profile - remove a profile from the list it is on

457
 * @profile: the profile to remove  (NOT NULL)

458
 *

459
 * remove a profile from the list, warning generally removal should

460
 * be done with __replace_profile as most profile removals are

461
 * replacements to the unconfined profile.

462
 *

463
 * put @profile list refcount

464
 *

465
 * Requires: namespace lock be held, or list not have been live

466
 */

467
static void __list_remove_profile(struct aa_profile *profile)

468
{

469
	list_del_init(&profile->base.list);

470
	if (!(profile->flags & PFLAG_NO_LIST_REF))

471
		/* release list reference */

472
		aa_put_profile(profile);

473
}

474


475
/**

476
 * __replace_profile - replace @old with @new on a list

477
 * @old: profile to be replaced  (NOT NULL)

478
 * @new: profile to replace @old with  (NOT NULL)

479
 *

480
 * Will duplicate and refcount elements that @new inherits from @old

481
 * and will inherit @old children.

482
 *

483
 * refcount @new for list, put @old list refcount

484
 *

485
 * Requires: namespace list lock be held, or list not be shared

486
 */

487
static void __replace_profile(struct aa_profile *old, struct aa_profile *new)

488
{

489
	struct aa_policy *policy;

490
	struct aa_profile *child, *tmp;

491


492
	if (old->parent)

493
		policy = &old->parent->base;

494
	else

495
		policy = &old->ns->base;

496


497
	/* released when @new is freed */

498
	new->parent = aa_get_profile(old->parent);

499
	new->ns = aa_get_namespace(old->ns);

500
	new->sid = old->sid;

501
	__list_add_profile(&policy->profiles, new);

502
	/* inherit children */

503
	list_for_each_entry_safe(child, tmp, &old->base.profiles, base.list) {

504
		aa_put_profile(child->parent);

505
		child->parent = aa_get_profile(new);

506
		/* list refcount transferred to @new*/

507
		list_move(&child->base.list, &new->base.profiles);

508
	}

509


510
	/* released by free_profile */

511
	old->replacedby = aa_get_profile(new);

512
	__list_remove_profile(old);

513
}

514


515
static void __profile_list_release(struct list_head *head);

516


517
/**

518
 * __remove_profile - remove old profile, and children

519
 * @profile: profile to be replaced  (NOT NULL)

520
 *

521
 * Requires: namespace list lock be held, or list not be shared

522
 */

523
static void __remove_profile(struct aa_profile *profile)

524
{

525
	/* release any children lists first */

526
	__profile_list_release(&profile->base.profiles);

527
	/* released by free_profile */

528
	profile->replacedby = aa_get_profile(profile->ns->unconfined);

529
	__list_remove_profile(profile);

530
}

531


532
/**

533
 * __profile_list_release - remove all profiles on the list and put refs

534
 * @head: list of profiles  (NOT NULL)

535
 *

536
 * Requires: namespace lock be held

537
 */

538
static void __profile_list_release(struct list_head *head)

539
{

540
	struct aa_profile *profile, *tmp;

541
	list_for_each_entry_safe(profile, tmp, head, base.list)

542
		__remove_profile(profile);

543
}

544


545
static void __ns_list_release(struct list_head *head);

546


547
/**

548
 * destroy_namespace - remove everything contained by @ns

549
 * @ns: namespace to have it contents removed  (NOT NULL)

550
 */

551
static void destroy_namespace(struct aa_namespace *ns)

552
{

553
	if (!ns)

554
		return;

555


556
	write_lock(&ns->lock);

557
	/* release all profiles in this namespace */

558
	__profile_list_release(&ns->base.profiles);

559


560
	/* release all sub namespaces */

561
	__ns_list_release(&ns->sub_ns);

562


563
	write_unlock(&ns->lock);

564
}

565


566
/**

567
 * __remove_namespace - remove a namespace and all its children

568
 * @ns: namespace to be removed  (NOT NULL)

569
 *

570
 * Requires: ns->parent->lock be held and ns removed from parent.

571
 */

572
static void __remove_namespace(struct aa_namespace *ns)

573
{

574
	struct aa_profile *unconfined = ns->unconfined;

575


576
	/* remove ns from namespace list */

577
	list_del_init(&ns->base.list);

578


579
	/*

580
	 * break the ns, unconfined profile cyclic reference and forward

581
	 * all new unconfined profiles requests to the parent namespace

582
	 * This will result in all confined tasks that have a profile

583
	 * being removed, inheriting the parent->unconfined profile.

584
	 */

585
	if (ns->parent)

586
		ns->unconfined = aa_get_profile(ns->parent->unconfined);

587


588
	destroy_namespace(ns);

589


590
	/* release original ns->unconfined ref */

591
	aa_put_profile(unconfined);

592
	/* release ns->base.list ref, from removal above */

593
	aa_put_namespace(ns);

594
}

595


596
/**

597
 * __ns_list_release - remove all profile namespaces on the list put refs

598
 * @head: list of profile namespaces  (NOT NULL)

599
 *

600
 * Requires: namespace lock be held

601
 */

602
static void __ns_list_release(struct list_head *head)

603
{

604
	struct aa_namespace *ns, *tmp;

605
	list_for_each_entry_safe(ns, tmp, head, base.list)

606
		__remove_namespace(ns);

607


608
}

609


610
/**

611
 * aa_alloc_root_ns - allocate the root profile namespace

612
 *

613
 * Returns: %0 on success else error

614
 *

615
 */

616
int __init aa_alloc_root_ns(void)

617
{

618
	/* released by aa_free_root_ns - used as list ref*/

619
	root_ns = alloc_namespace(NULL, "root");

620
	if (!root_ns)

621
		return -ENOMEM;

622


623
	return 0;

624
}

625


626
 /**

627
  * aa_free_root_ns - free the root profile namespace

628
  */

629
void __init aa_free_root_ns(void)

630
 {

631
	 struct aa_namespace *ns = root_ns;

632
	 root_ns = NULL;

633


634
	 destroy_namespace(ns);

635
	 aa_put_namespace(ns);

636
}

637


638
/**

639
 * aa_alloc_profile - allocate, initialize and return a new profile

640
 * @hname: name of the profile  (NOT NULL)

641
 *

642
 * Returns: refcount profile or NULL on failure

643
 */

644
struct aa_profile *aa_alloc_profile(const char *hname)

645
{

646
	struct aa_profile *profile;

647


648
	/* freed by free_profile - usually through aa_put_profile */

649
	profile = kzalloc(sizeof(*profile), GFP_KERNEL);

650
	if (!profile)

651
		return NULL;

652


653
	if (!policy_init(&profile->base, NULL, hname)) {

654
		kzfree(profile);

655
		return NULL;

656
	}

657


658
	/* refcount released by caller */

659
	return profile;

660
}

661


662
/**

663
 * aa_new_null_profile - create a new null-X learning profile

664
 * @parent: profile that caused this profile to be created (NOT NULL)

665
 * @hat: true if the null- learning profile is a hat

666
 *

667
 * Create a null- complain mode profile used in learning mode.  The name of

668
 * the profile is unique and follows the format of parent//null-sid.

669
 *

670
 * null profiles are added to the profile list but the list does not

671
 * hold a count on them so that they are automatically released when

672
 * not in use.

673
 *

674
 * Returns: new refcounted profile else NULL on failure

675
 */

676
struct aa_profile *aa_new_null_profile(struct aa_profile *parent, int hat)

677
{

678
	struct aa_profile *profile = NULL;

679
	char *name;

680
	u32 sid = aa_alloc_sid();

681


682
	/* freed below */

683
	name = kmalloc(strlen(parent->base.hname) + 2 + 7 + 8, GFP_KERNEL);

684
	if (!name)

685
		goto fail;

686
	sprintf(name, "%s//null-%x", parent->base.hname, sid);

687


688
	profile = aa_alloc_profile(name);

689
	kfree(name);

690
	if (!profile)

691
		goto fail;

692


693
	profile->sid = sid;

694
	profile->mode = APPARMOR_COMPLAIN;

695
	profile->flags = PFLAG_NULL;

696
	if (hat)

697
		profile->flags |= PFLAG_HAT;

698


699
	/* released on free_profile */

700
	profile->parent = aa_get_profile(parent);

701
	profile->ns = aa_get_namespace(parent->ns);

702


703
	write_lock(&profile->ns->lock);

704
	__list_add_profile(&parent->base.profiles, profile);

705
	write_unlock(&profile->ns->lock);

706


707
	/* refcount released by caller */

708
	return profile;

709


710
fail:

711
	aa_free_sid(sid);

712
	return NULL;

713
}

714


715
/**

716
 * free_profile - free a profile

717
 * @profile: the profile to free  (MAYBE NULL)

718
 *

719
 * Free a profile, its hats and null_profile. All references to the profile,

720
 * its hats and null_profile must have been put.

721
 *

722
 * If the profile was referenced from a task context, free_profile() will

723
 * be called from an rcu callback routine, so we must not sleep here.

724
 */

725
static void free_profile(struct aa_profile *profile)

726
{

727
	AA_DEBUG("%s(%p)\n", __func__, profile);

728


729
	if (!profile)

730
		return;

731


732
	if (!list_empty(&profile->base.list)) {

733
		AA_ERROR("%s: internal error, "

734
			 "profile '%s' still on ns list\n",

735
			 __func__, profile->base.name);

736
		BUG();

737
	}

738


739
	/* free children profiles */

740
	policy_destroy(&profile->base);

741
	aa_put_profile(profile->parent);

742


743
	aa_put_namespace(profile->ns);

744
	kzfree(profile->rename);

745


746
	aa_free_file_rules(&profile->file);

747
	aa_free_cap_rules(&profile->caps);

748
	aa_free_rlimit_rules(&profile->rlimits);

749


750
	aa_free_sid(profile->sid);

751
	aa_put_dfa(profile->xmatch);

752


753
	aa_put_profile(profile->replacedby);

754


755
	kzfree(profile);

756
}

757


758
/**

759
 * aa_free_profile_kref - free aa_profile by kref (called by aa_put_profile)

760
 * @kr: kref callback for freeing of a profile  (NOT NULL)

761
 */

762
void aa_free_profile_kref(struct kref *kref)

763
{

764
	struct aa_profile *p = container_of(kref, struct aa_profile,

765
					    base.count);

766


767
	free_profile(p);

768
}

769


770
/* TODO: profile accounting - setup in remove */

771


772
/**

773
 * __find_child - find a profile on @head list with a name matching @name

774
 * @head: list to search  (NOT NULL)

775
 * @name: name of profile (NOT NULL)

776
 *

777
 * Requires: ns lock protecting list be held

778
 *

779
 * Returns: unrefcounted profile ptr, or NULL if not found

780
 */

781
static struct aa_profile *__find_child(struct list_head *head, const char *name)

782
{

783
	return (struct aa_profile *)__policy_find(head, name);

784
}

785


786
/**

787
 * __strn_find_child - find a profile on @head list using substring of @name

788
 * @head: list to search  (NOT NULL)

789
 * @name: name of profile (NOT NULL)

790
 * @len: length of @name substring to match

791
 *

792
 * Requires: ns lock protecting list be held

793
 *

794
 * Returns: unrefcounted profile ptr, or NULL if not found

795
 */

796
static struct aa_profile *__strn_find_child(struct list_head *head,

797
					    const char *name, int len)

798
{

799
	return (struct aa_profile *)__policy_strn_find(head, name, len);

800
}

801


802
/**

803
 * aa_find_child - find a profile by @name in @parent

804
 * @parent: profile to search  (NOT NULL)

805
 * @name: profile name to search for  (NOT NULL)

806
 *

807
 * Returns: a refcounted profile or NULL if not found

808
 */

809
struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name)

810
{

811
	struct aa_profile *profile;

812


813
	read_lock(&parent->ns->lock);

814
	profile = aa_get_profile(__find_child(&parent->base.profiles, name));

815
	read_unlock(&parent->ns->lock);

816


817
	/* refcount released by caller */

818
	return profile;

819
}

820


821
/**

822
 * __lookup_parent - lookup the parent of a profile of name @hname

823
 * @ns: namespace to lookup profile in  (NOT NULL)

824
 * @hname: hierarchical profile name to find parent of  (NOT NULL)

825
 *

826
 * Lookups up the parent of a fully qualified profile name, the profile

827
 * that matches hname does not need to exist, in general this

828
 * is used to load a new profile.

829
 *

830
 * Requires: ns->lock be held

831
 *

832
 * Returns: unrefcounted policy or NULL if not found

833
 */

834
static struct aa_policy *__lookup_parent(struct aa_namespace *ns,

835
					 const char *hname)

836
{

837
	struct aa_policy *policy;

838
	struct aa_profile *profile = NULL;

839
	char *split;

840


841
	policy = &ns->base;

842


843
	for (split = strstr(hname, "//"); split;) {

844
		profile = __strn_find_child(&policy->profiles, hname,

845
					    split - hname);

846
		if (!profile)

847
			return NULL;

848
		policy = &profile->base;

849
		hname = split + 2;

850
		split = strstr(hname, "//");

851
	}

852
	if (!profile)

853
		return &ns->base;

854
	return &profile->base;

855
}

856


857
/**

858
 * __lookup_profile - lookup the profile matching @hname

859
 * @base: base list to start looking up profile name from  (NOT NULL)

860
 * @hname: hierarchical profile name  (NOT NULL)

861
 *

862
 * Requires: ns->lock be held

863
 *

864
 * Returns: unrefcounted profile pointer or NULL if not found

865
 *

866
 * Do a relative name lookup, recursing through profile tree.

867
 */

868
static struct aa_profile *__lookup_profile(struct aa_policy *base,

869
					   const char *hname)

870
{

871
	struct aa_profile *profile = NULL;

872
	char *split;

873


874
	for (split = strstr(hname, "//"); split;) {

875
		profile = __strn_find_child(&base->profiles, hname,

876
					    split - hname);

877
		if (!profile)

878
			return NULL;

879


880
		base = &profile->base;

881
		hname = split + 2;

882
		split = strstr(hname, "//");

883
	}

884


885
	profile = __find_child(&base->profiles, hname);

886


887
	return profile;

888
}

889


890
/**

891
 * aa_lookup_profile - find a profile by its full or partial name

892
 * @ns: the namespace to start from (NOT NULL)

893
 * @hname: name to do lookup on.  Does not contain namespace prefix (NOT NULL)

894
 *

895
 * Returns: refcounted profile or NULL if not found

896
 */

897
struct aa_profile *aa_lookup_profile(struct aa_namespace *ns, const char *hname)

898
{

899
	struct aa_profile *profile;

900


901
	read_lock(&ns->lock);

902
	profile = aa_get_profile(__lookup_profile(&ns->base, hname));

903
	read_unlock(&ns->lock);

904


905
	/* refcount released by caller */

906
	return profile;

907
}

908


909
/**

910
 * replacement_allowed - test to see if replacement is allowed

911
 * @profile: profile to test if it can be replaced  (MAYBE NULL)

912
 * @noreplace: true if replacement shouldn't be allowed but addition is okay

913
 * @info: Returns - info about why replacement failed (NOT NULL)

914
 *

915
 * Returns: %0 if replacement allowed else error code

916
 */

917
static int replacement_allowed(struct aa_profile *profile, int noreplace,

918
			       const char **info)

919
{

920
	if (profile) {

921
		if (profile->flags & PFLAG_IMMUTABLE) {

922
			*info = "cannot replace immutible profile";

923
			return -EPERM;

924
		} else if (noreplace) {

925
			*info = "profile already exists";

926
			return -EEXIST;

927
		}

928
	}

929
	return 0;

930
}

931


932
/**

933
 * __add_new_profile - simple wrapper around __list_add_profile

934
 * @ns: namespace that profile is being added to  (NOT NULL)

935
 * @policy: the policy container to add the profile to  (NOT NULL)

936
 * @profile: profile to add  (NOT NULL)

937
 *

938
 * add a profile to a list and do other required basic allocations

939
 */

940
static void __add_new_profile(struct aa_namespace *ns, struct aa_policy *policy,

941
			      struct aa_profile *profile)

942
{

943
	if (policy != &ns->base)

944
		/* released on profile replacement or free_profile */

945
		profile->parent = aa_get_profile((struct aa_profile *) policy);

946
	__list_add_profile(&policy->profiles, profile);

947
	/* released on free_profile */

948
	profile->sid = aa_alloc_sid();

949
	profile->ns = aa_get_namespace(ns);

950
}

951


952
/**

953
 * aa_audit_policy - Do auditing of policy changes

954
 * @op: policy operation being performed

955
 * @gfp: memory allocation flags

956
 * @name: name of profile being manipulated (NOT NULL)

957
 * @info: any extra information to be audited (MAYBE NULL)

958
 * @error: error code

959
 *

960
 * Returns: the error to be returned after audit is done

961
 */

962
static int audit_policy(int op, gfp_t gfp, const char *name, const char *info,

963
			int error)

964
{

965
	struct common_audit_data sa;

966
	COMMON_AUDIT_DATA_INIT(&sa, NONE);

967
	sa.aad.op = op;

968
	sa.aad.name = name;

969
	sa.aad.info = info;

970
	sa.aad.error = error;

971


972
	return aa_audit(AUDIT_APPARMOR_STATUS, __aa_current_profile(), gfp,

973
			&sa, NULL);

974
}

975


976
/**

977
 * aa_may_manage_policy - can the current task manage policy

978
 * @op: the policy manipulation operation being done

979
 *

980
 * Returns: true if the task is allowed to manipulate policy

981
 */

982
bool aa_may_manage_policy(int op)

983
{

984
	/* check if loading policy is locked out */

985
	if (aa_g_lock_policy) {

986
		audit_policy(op, GFP_KERNEL, NULL, "policy_locked", -EACCES);

987
		return 0;

988
	}

989


990
	if (!capable(CAP_MAC_ADMIN)) {

991
		audit_policy(op, GFP_KERNEL, NULL, "not policy admin", -EACCES);

992
		return 0;

993
	}

994


995
	return 1;

996
}

997


998
/**

999
 * aa_replace_profiles - replace profile(s) on the profile list

1000
 * @udata: serialized data stream  (NOT NULL)

1001
 * @size: size of the serialized data stream

1002
 * @noreplace: true if only doing addition, no replacement allowed

1003
 *

1004
 * unpack and replace a profile on the profile list and uses of that profile

1005
 * by any aa_task_cxt.  If the profile does not exist on the profile list

1006
 * it is added.

1007
 *

1008
 * Returns: size of data consumed else error code on failure.

1009
 */

1010
ssize_t aa_replace_profiles(void *udata, size_t size, bool noreplace)

1011
{

1012
	struct aa_policy *policy;

1013
	struct aa_profile *old_profile = NULL, *new_profile = NULL;

1014
	struct aa_profile *rename_profile = NULL;

1015
	struct aa_namespace *ns = NULL;

1016
	const char *ns_name, *name = NULL, *info = NULL;

1017
	int op = OP_PROF_REPL;

1018
	ssize_t error;

1019


1020
	/* released below */

1021
	new_profile = aa_unpack(udata, size, &ns_name);

1022
	if (IS_ERR(new_profile)) {

1023
		error = PTR_ERR(new_profile);

1024
		new_profile = NULL;

1025
		goto fail;

1026
	}

1027


1028
	/* released below */

1029
	ns = aa_prepare_namespace(ns_name);

1030
	if (!ns) {

1031
		info = "failed to prepare namespace";

1032
		error = -ENOMEM;

1033
		name = ns_name;

1034
		goto fail;

1035
	}

1036


1037
	name = new_profile->base.hname;

1038


1039
	write_lock(&ns->lock);

1040
	/* no ref on policy only use inside lock */

1041
	policy = __lookup_parent(ns, new_profile->base.hname);

1042


1043
	if (!policy) {

1044
		info = "parent does not exist";

1045
		error = -ENOENT;

1046
		goto audit;

1047
	}

1048


1049
	old_profile = __find_child(&policy->profiles, new_profile->base.name);

1050
	/* released below */

1051
	aa_get_profile(old_profile);

1052


1053
	if (new_profile->rename) {

1054
		rename_profile = __lookup_profile(&ns->base,

1055
						  new_profile->rename);

1056
		/* released below */

1057
		aa_get_profile(rename_profile);

1058


1059
		if (!rename_profile) {

1060
			info = "profile to rename does not exist";

1061
			name = new_profile->rename;

1062
			error = -ENOENT;

1063
			goto audit;

1064
		}

1065
	}

1066


1067
	error = replacement_allowed(old_profile, noreplace, &info);

1068
	if (error)

1069
		goto audit;

1070


1071
	error = replacement_allowed(rename_profile, noreplace, &info);

1072
	if (error)

1073
		goto audit;

1074


1075
audit:

1076
	if (!old_profile && !rename_profile)

1077
		op = OP_PROF_LOAD;

1078


1079
	error = audit_policy(op, GFP_ATOMIC, name, info, error);

1080


1081
	if (!error) {

1082
		if (rename_profile)

1083
			__replace_profile(rename_profile, new_profile);

1084
		if (old_profile) {

1085
			/* when there are both rename and old profiles

1086
			 * inherit old profiles sid

1087
			 */

1088
			if (rename_profile)

1089
				aa_free_sid(new_profile->sid);

1090
			__replace_profile(old_profile, new_profile);

1091
		}

1092
		if (!(old_profile || rename_profile))

1093
			__add_new_profile(ns, policy, new_profile);

1094
	}

1095
	write_unlock(&ns->lock);

1096


1097
out:

1098
	aa_put_namespace(ns);

1099
	aa_put_profile(rename_profile);

1100
	aa_put_profile(old_profile);

1101
	aa_put_profile(new_profile);

1102
	if (error)

1103
		return error;

1104
	return size;

1105


1106
fail:

1107
	error = audit_policy(op, GFP_KERNEL, name, info, error);

1108
	goto out;

1109
}

1110


1111
/**

1112
 * aa_remove_profiles - remove profile(s) from the system

1113
 * @fqname: name of the profile or namespace to remove  (NOT NULL)

1114
 * @size: size of the name

1115
 *

1116
 * Remove a profile or sub namespace from the current namespace, so that

1117
 * they can not be found anymore and mark them as replaced by unconfined

1118
 *

1119
 * NOTE: removing confinement does not restore rlimits to preconfinemnet values

1120
 *

1121
 * Returns: size of data consume else error code if fails

1122
 */

1123
ssize_t aa_remove_profiles(char *fqname, size_t size)

1124
{

1125
	struct aa_namespace *root, *ns = NULL;

1126
	struct aa_profile *profile = NULL;

1127
	const char *name = fqname, *info = NULL;

1128
	ssize_t error = 0;

1129


1130
	if (*fqname == 0) {

1131
		info = "no profile specified";

1132
		error = -ENOENT;

1133
		goto fail;

1134
	}

1135


1136
	root = aa_current_profile()->ns;

1137


1138
	if (fqname[0] == ':') {

1139
		char *ns_name;

1140
		name = aa_split_fqname(fqname, &ns_name);

1141
		if (ns_name) {

1142
			/* released below */

1143
			ns = aa_find_namespace(root, ns_name);

1144
			if (!ns) {

1145
				info = "namespace does not exist";

1146
				error = -ENOENT;

1147
				goto fail;

1148
			}

1149
		}

1150
	} else

1151
		/* released below */

1152
		ns = aa_get_namespace(root);

1153


1154
	if (!name) {

1155
		/* remove namespace - can only happen if fqname[0] == ':' */

1156
		write_lock(&ns->parent->lock);

1157
		__remove_namespace(ns);

1158
		write_unlock(&ns->parent->lock);

1159
	} else {

1160
		/* remove profile */

1161
		write_lock(&ns->lock);

1162
		profile = aa_get_profile(__lookup_profile(&ns->base, name));

1163
		if (!profile) {

1164
			error = -ENOENT;

1165
			info = "profile does not exist";

1166
			goto fail_ns_lock;

1167
		}

1168
		name = profile->base.hname;

1169
		__remove_profile(profile);

1170
		write_unlock(&ns->lock);

1171
	}

1172


1173
	/* don't fail removal if audit fails */

1174
	(void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);

1175
	aa_put_namespace(ns);

1176
	aa_put_profile(profile);

1177
	return size;

1178


1179
fail_ns_lock:

1180
	write_unlock(&ns->lock);

1181
	aa_put_namespace(ns);

1182


1183
fail:

1184
	(void) audit_policy(OP_PROF_RM, GFP_KERNEL, name, info, error);

1185
	return error;

1186
}

1187


1188