Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/apparmor/capability.c
26378 views
1
// SPDX-License-Identifier: GPL-2.0-only

2
/*

3
 * AppArmor security module

4
 *

5
 * This file contains AppArmor capability mediation functions

6
 *

7
 * Copyright (C) 1998-2008 Novell/SUSE

8
 * Copyright 2009-2010 Canonical Ltd.

9
 */

10


11
#include <linux/capability.h>

12
#include <linux/errno.h>

13
#include <linux/gfp.h>

14
#include <linux/security.h>

15
#include <linux/timekeeping.h>

16


17
#include "include/apparmor.h"

18
#include "include/capability.h"

19
#include "include/cred.h"

20
#include "include/policy.h"

21
#include "include/audit.h"

22


23
/*

24
 * Table of capability names: we generate it from capabilities.h.

25
 */

26
#include "capability_names.h"

27


28
struct aa_sfs_entry aa_sfs_entry_caps[] = {

29
	AA_SFS_FILE_STRING("mask", AA_SFS_CAPS_MASK),

30
	AA_SFS_FILE_BOOLEAN("extended", 1),

31
	{ }

32
};

33


34
struct audit_cache {

35
	const struct cred *ad_subj_cred;

36
	/* Capabilities go from 0 to CAP_LAST_CAP */

37
	u64 ktime_ns_expiration[CAP_LAST_CAP+1];

38
};

39


40
static DEFINE_PER_CPU(struct audit_cache, audit_cache);

41


42
/**

43
 * audit_cb - call back for capability components of audit struct

44
 * @ab: audit buffer   (NOT NULL)

45
 * @va: audit struct to audit data from  (NOT NULL)

46
 */

47
static void audit_cb(struct audit_buffer *ab, void *va)

48
{

49
	struct common_audit_data *sa = va;

50


51
	audit_log_format(ab, " capname=");

52
	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);

53
}

54


55
/**

56
 * audit_caps - audit a capability

57
 * @ad: audit data

58
 * @profile: profile being tested for confinement (NOT NULL)

59
 * @cap: capability tested

60
 * @error: error code returned by test

61
 *

62
 * Do auditing of capability and handle, audit/complain/kill modes switching

63
 * and duplicate message elimination.

64
 *

65
 * Returns: 0 or ad->error on success,  error code on failure

66
 */

67
static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,

68
		      int cap, int error)

69
{

70
	const u64 AUDIT_CACHE_TIMEOUT_NS = 1000*1000*1000; /* 1 second */

71


72
	struct aa_ruleset *rules = profile->label.rules[0];

73
	struct audit_cache *ent;

74
	int type = AUDIT_APPARMOR_AUTO;

75


76
	ad->error = error;

77


78
	if (likely(!error)) {

79
		/* test if auditing is being forced */

80
		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&

81
			   !cap_raised(rules->caps.audit, cap)))

82
			return 0;

83
		type = AUDIT_APPARMOR_AUDIT;

84
	} else if (KILL_MODE(profile) ||

85
		   cap_raised(rules->caps.kill, cap)) {

86
		type = AUDIT_APPARMOR_KILL;

87
	} else if (cap_raised(rules->caps.quiet, cap) &&

88
		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&

89
		   AUDIT_MODE(profile) != AUDIT_ALL) {

90
		/* quiet auditing */

91
		return error;

92
	}

93


94
	/* Do simple duplicate message elimination */

95
	ent = &get_cpu_var(audit_cache);

96
	/* If the capability was never raised the timestamp check would also catch that */

97
	if (ad->subj_cred == ent->ad_subj_cred && ktime_get_ns() <= ent->ktime_ns_expiration[cap]) {

98
		put_cpu_var(audit_cache);

99
		if (COMPLAIN_MODE(profile))

100
			return complain_error(error);

101
		return error;

102
	} else {

103
		put_cred(ent->ad_subj_cred);

104
		ent->ad_subj_cred = get_cred(ad->subj_cred);

105
		ent->ktime_ns_expiration[cap] = ktime_get_ns() + AUDIT_CACHE_TIMEOUT_NS;

106
	}

107
	put_cpu_var(audit_cache);

108


109
	return aa_audit(type, profile, ad, audit_cb);

110
}

111


112
/**

113
 * profile_capable - test if profile allows use of capability @cap

114
 * @profile: profile being enforced    (NOT NULL, NOT unconfined)

115
 * @cap: capability to test if allowed

116
 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated

117
 * @ad: audit data (NOT NULL)

118
 *

119
 * Returns: 0 if allowed else -EPERM

120
 */

121
static int profile_capable(struct aa_profile *profile, int cap,

122
			   unsigned int opts, struct apparmor_audit_data *ad)

123
{

124
	struct aa_ruleset *rules = profile->label.rules[0];

125
	aa_state_t state;

126
	int error;

127


128
	state = RULE_MEDIATES(rules, ad->class);

129
	if (state) {

130
		struct aa_perms perms = { };

131
		u32 request;

132


133
		/* caps broken into 256 x 32 bit permission chunks */

134
		state = aa_dfa_next(rules->policy->dfa, state, cap >> 5);

135
		request = 1 << (cap & 0x1f);

136
		perms = *aa_lookup_perms(rules->policy, state);

137
		aa_apply_modes_to_perms(profile, &perms);

138


139
		if (opts & CAP_OPT_NOAUDIT) {

140
			if (perms.complain & request)

141
				ad->info = "optional: no audit";

142
			else

143
				ad = NULL;

144
		}

145
		return aa_check_perms(profile, &perms, request, ad,

146
				      audit_cb);

147
	}

148


149
	/* fallback to old caps mediation that doesn't support conditionals */

150
	if (cap_raised(rules->caps.allow, cap) &&

151
	    !cap_raised(rules->caps.denied, cap))

152
		error = 0;

153
	else

154
		error = -EPERM;

155


156
	if (opts & CAP_OPT_NOAUDIT) {

157
		if (!COMPLAIN_MODE(profile))

158
			return error;

159
		/* audit the cap request in complain mode but note that it

160
		 * should be optional.

161
		 */

162
		ad->info = "optional: no audit";

163
	}

164


165
	return audit_caps(ad, profile, cap, error);

166
}

167


168
/**

169
 * aa_capable - test permission to use capability

170
 * @subj_cred: cred we are testing capability against

171
 * @label: label being tested for capability (NOT NULL)

172
 * @cap: capability to be tested

173
 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated

174
 *

175
 * Look up capability in profile capability set.

176
 *

177
 * Returns: 0 on success, or else an error code.

178
 */

179
int aa_capable(const struct cred *subj_cred, struct aa_label *label,

180
	       int cap, unsigned int opts)

181
{

182
	struct aa_profile *profile;

183
	int error = 0;

184
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);

185


186
	ad.subj_cred = subj_cred;

187
	ad.common.u.cap = cap;

188
	error = fn_for_each_confined(label, profile,

189
			profile_capable(profile, cap, opts, &ad));

190


191
	return error;

192
}

193


194
kernel_cap_t aa_profile_capget(struct aa_profile *profile)

195
{

196
	struct aa_ruleset *rules = profile->label.rules[0];

197
	aa_state_t state;

198


199
	state = RULE_MEDIATES(rules, AA_CLASS_CAP);

200
	if (state) {

201
		kernel_cap_t caps = CAP_EMPTY_SET;

202
		int i;

203


204
		/* caps broken into up to 256, 32 bit permission chunks */

205
		for (i = 0; i < (CAP_LAST_CAP >> 5); i++) {

206
			struct aa_perms perms = { };

207
			aa_state_t tmp;

208


209
			tmp = aa_dfa_next(rules->policy->dfa, state, i);

210
			perms = *aa_lookup_perms(rules->policy, tmp);

211
			aa_apply_modes_to_perms(profile, &perms);

212
			caps.val |= ((u64)(perms.allow)) << (i * 5);

213
			caps.val |= ((u64)(perms.complain)) << (i * 5);

214
		}

215
		return caps;

216
	}

217


218
	/* fallback to old caps */

219
	if (COMPLAIN_MODE(profile))

220
		return CAP_FULL_SET;

221


222
	return rules->caps.allow;

223
}

224


225