1
// SPDX-License-Identifier: GPL-2.0-only
2
/*
3
 * AppArmor security module
4
 *
5
 * This file contains AppArmor LSM hooks.
6
 *
7
 * Copyright (C) 1998-2008 Novell/SUSE
8
 * Copyright 2009-2010 Canonical Ltd.
9
 */
10

11
#include <linux/lsm_hooks.h>
12
#include <linux/moduleparam.h>
13
#include <linux/mm.h>
14
#include <linux/mman.h>
15
#include <linux/mount.h>
16
#include <linux/namei.h>
17
#include <linux/ptrace.h>
18
#include <linux/ctype.h>
19
#include <linux/sysctl.h>
20
#include <linux/audit.h>
21
#include <linux/user_namespace.h>
22
#include <linux/netfilter_ipv4.h>
23
#include <linux/netfilter_ipv6.h>
24
#include <linux/zstd.h>
25
#include <net/sock.h>
26
#include <uapi/linux/mount.h>
27
#include <uapi/linux/lsm.h>
28

29
#include "include/af_unix.h"
30
#include "include/apparmor.h"
31
#include "include/apparmorfs.h"
32
#include "include/audit.h"
33
#include "include/capability.h"
34
#include "include/cred.h"
35
#include "include/crypto.h"
36
#include "include/file.h"
37
#include "include/ipc.h"
38
#include "include/net.h"
39
#include "include/path.h"
40
#include "include/label.h"
41
#include "include/policy.h"
42
#include "include/policy_ns.h"
43
#include "include/procattr.h"
44
#include "include/mount.h"
45
#include "include/secid.h"
46

47
/* Flag indicating whether initialization completed */
48
int apparmor_initialized;
49

50
union aa_buffer {
51
	struct list_head list;
52
	DECLARE_FLEX_ARRAY(char, buffer);
53
};
54

55
struct aa_local_cache {
56
	unsigned int hold;
57
	unsigned int count;
58
	struct list_head head;
59
};
60

61
#define RESERVE_COUNT 2
62
static int reserve_count = RESERVE_COUNT;
63
static int buffer_count;
64

65
static LIST_HEAD(aa_global_buffers);
66
static DEFINE_SPINLOCK(aa_buffers_lock);
67
static DEFINE_PER_CPU(struct aa_local_cache, aa_local_buffers);
68

69
/*
70
 * LSM hook functions
71
 */
72

73
/*
74
 * put the associated labels
75
 */
76
static void apparmor_cred_free(struct cred *cred)
77
{
78
	aa_put_label(cred_label(cred));
79
	set_cred_label(cred, NULL);
80
}
81

82
/*
83
 * allocate the apparmor part of blank credentials
84
 */
85
static int apparmor_cred_alloc_blank(struct cred *cred, gfp_t gfp)
86
{
87
	set_cred_label(cred, NULL);
88
	return 0;
89
}
90

91
/*
92
 * prepare new cred label for modification by prepare_cred block
93
 */
94
static int apparmor_cred_prepare(struct cred *new, const struct cred *old,
95
				 gfp_t gfp)
96
{
97
	set_cred_label(new, aa_get_newest_label(cred_label(old)));
98
	return 0;
99
}
100

101
/*
102
 * transfer the apparmor data to a blank set of creds
103
 */
104
static void apparmor_cred_transfer(struct cred *new, const struct cred *old)
105
{
106
	set_cred_label(new, aa_get_newest_label(cred_label(old)));
107
}
108

109
static void apparmor_task_free(struct task_struct *task)
110
{
111

112
	aa_free_task_ctx(task_ctx(task));
113
}
114

115
static int apparmor_task_alloc(struct task_struct *task,
116
			       u64 clone_flags)
117
{
118
	struct aa_task_ctx *new = task_ctx(task);
119

120
	aa_dup_task_ctx(new, task_ctx(current));
121

122
	return 0;
123
}
124

125
static int apparmor_ptrace_access_check(struct task_struct *child,
126
					unsigned int mode)
127
{
128
	struct aa_label *tracer, *tracee;
129
	const struct cred *cred;
130
	int error;
131
	bool needput;
132

133
	cred = get_task_cred(child);
134
	tracee = cred_label(cred);	/* ref count on cred */
135
	tracer = __begin_current_label_crit_section(&needput);
136
	error = aa_may_ptrace(current_cred(), tracer, cred, tracee,
137
			(mode & PTRACE_MODE_READ) ? AA_PTRACE_READ
138
						  : AA_PTRACE_TRACE);
139
	__end_current_label_crit_section(tracer, needput);
140
	put_cred(cred);
141

142
	return error;
143
}
144

145
static int apparmor_ptrace_traceme(struct task_struct *parent)
146
{
147
	struct aa_label *tracer, *tracee;
148
	const struct cred *cred;
149
	int error;
150
	bool needput;
151

152
	tracee = __begin_current_label_crit_section(&needput);
153
	cred = get_task_cred(parent);
154
	tracer = cred_label(cred);	/* ref count on cred */
155
	error = aa_may_ptrace(cred, tracer, current_cred(), tracee,
156
			      AA_PTRACE_TRACE);
157
	put_cred(cred);
158
	__end_current_label_crit_section(tracee, needput);
159

160
	return error;
161
}
162

163
/* Derived from security/commoncap.c:cap_capget */
164
static int apparmor_capget(const struct task_struct *target, kernel_cap_t *effective,
165
			   kernel_cap_t *inheritable, kernel_cap_t *permitted)
166
{
167
	struct aa_label *label;
168
	const struct cred *cred;
169

170
	rcu_read_lock();
171
	cred = __task_cred(target);
172
	label = aa_get_newest_cred_label(cred);
173

174
	/*
175
	 * cap_capget is stacked ahead of this and will
176
	 * initialize effective and permitted.
177
	 */
178
	if (!unconfined(label)) {
179
		struct aa_profile *profile;
180
		struct label_it i;
181

182
		label_for_each_confined(i, label, profile) {
183
			kernel_cap_t allowed;
184

185
			allowed = aa_profile_capget(profile);
186
			*effective = cap_intersect(*effective, allowed);
187
			*permitted = cap_intersect(*permitted, allowed);
188
		}
189
	}
190
	rcu_read_unlock();
191
	aa_put_label(label);
192

193
	return 0;
194
}
195

196
static int apparmor_capable(const struct cred *cred, struct user_namespace *ns,
197
			    int cap, unsigned int opts)
198
{
199
	struct aa_label *label;
200
	int error = 0;
201

202
	label = aa_get_newest_cred_label(cred);
203
	if (!unconfined(label))
204
		error = aa_capable(cred, label, cap, opts);
205
	aa_put_label(label);
206

207
	return error;
208
}
209

210
/**
211
 * common_perm - basic common permission check wrapper fn for paths
212
 * @op: operation being checked
213
 * @path: path to check permission of  (NOT NULL)
214
 * @mask: requested permissions mask
215
 * @cond: conditional info for the permission request  (NOT NULL)
216
 *
217
 * Returns: %0 else error code if error or permission denied
218
 */
219
static int common_perm(const char *op, const struct path *path, u32 mask,
220
		       struct path_cond *cond)
221
{
222
	struct aa_label *label;
223
	int error = 0;
224
	bool needput;
225

226
	label = __begin_current_label_crit_section(&needput);
227
	if (!unconfined(label))
228
		error = aa_path_perm(op, current_cred(), label, path, 0, mask,
229
				     cond);
230
	__end_current_label_crit_section(label, needput);
231

232
	return error;
233
}
234

235
/**
236
 * common_perm_cond - common permission wrapper around inode cond
237
 * @op: operation being checked
238
 * @path: location to check (NOT NULL)
239
 * @mask: requested permissions mask
240
 *
241
 * Returns: %0 else error code if error or permission denied
242
 */
243
static int common_perm_cond(const char *op, const struct path *path, u32 mask)
244
{
245
	vfsuid_t vfsuid = i_uid_into_vfsuid(mnt_idmap(path->mnt),
246
					    d_backing_inode(path->dentry));
247
	struct path_cond cond = {
248
		vfsuid_into_kuid(vfsuid),
249
		d_backing_inode(path->dentry)->i_mode
250
	};
251

252
	if (!path_mediated_fs(path->dentry))
253
		return 0;
254

255
	return common_perm(op, path, mask, &cond);
256
}
257

258
/**
259
 * common_perm_dir_dentry - common permission wrapper when path is dir, dentry
260
 * @op: operation being checked
261
 * @dir: directory of the dentry  (NOT NULL)
262
 * @dentry: dentry to check  (NOT NULL)
263
 * @mask: requested permissions mask
264
 * @cond: conditional info for the permission request  (NOT NULL)
265
 *
266
 * Returns: %0 else error code if error or permission denied
267
 */
268
static int common_perm_dir_dentry(const char *op, const struct path *dir,
269
				  struct dentry *dentry, u32 mask,
270
				  struct path_cond *cond)
271
{
272
	struct path path = { .mnt = dir->mnt, .dentry = dentry };
273

274
	return common_perm(op, &path, mask, cond);
275
}
276

277
/**
278
 * common_perm_rm - common permission wrapper for operations doing rm
279
 * @op: operation being checked
280
 * @dir: directory that the dentry is in  (NOT NULL)
281
 * @dentry: dentry being rm'd  (NOT NULL)
282
 * @mask: requested permission mask
283
 *
284
 * Returns: %0 else error code if error or permission denied
285
 */
286
static int common_perm_rm(const char *op, const struct path *dir,
287
			  struct dentry *dentry, u32 mask)
288
{
289
	struct inode *inode = d_backing_inode(dentry);
290
	struct path_cond cond = { };
291
	vfsuid_t vfsuid;
292

293
	if (!inode || !path_mediated_fs(dentry))
294
		return 0;
295

296
	vfsuid = i_uid_into_vfsuid(mnt_idmap(dir->mnt), inode);
297
	cond.uid = vfsuid_into_kuid(vfsuid);
298
	cond.mode = inode->i_mode;
299

300
	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
301
}
302

303
/**
304
 * common_perm_create - common permission wrapper for operations doing create
305
 * @op: operation being checked
306
 * @dir: directory that dentry will be created in  (NOT NULL)
307
 * @dentry: dentry to create   (NOT NULL)
308
 * @mask: request permission mask
309
 * @mode: created file mode
310
 *
311
 * Returns: %0 else error code if error or permission denied
312
 */
313
static int common_perm_create(const char *op, const struct path *dir,
314
			      struct dentry *dentry, u32 mask, umode_t mode)
315
{
316
	struct path_cond cond = { current_fsuid(), mode };
317

318
	if (!path_mediated_fs(dir->dentry))
319
		return 0;
320

321
	return common_perm_dir_dentry(op, dir, dentry, mask, &cond);
322
}
323

324
static int apparmor_path_unlink(const struct path *dir, struct dentry *dentry)
325
{
326
	return common_perm_rm(OP_UNLINK, dir, dentry, AA_MAY_DELETE);
327
}
328

329
static int apparmor_path_mkdir(const struct path *dir, struct dentry *dentry,
330
			       umode_t mode)
331
{
332
	return common_perm_create(OP_MKDIR, dir, dentry, AA_MAY_CREATE,
333
				  S_IFDIR);
334
}
335

336
static int apparmor_path_rmdir(const struct path *dir, struct dentry *dentry)
337
{
338
	return common_perm_rm(OP_RMDIR, dir, dentry, AA_MAY_DELETE);
339
}
340

341
static int apparmor_path_mknod(const struct path *dir, struct dentry *dentry,
342
			       umode_t mode, unsigned int dev)
343
{
344
	return common_perm_create(OP_MKNOD, dir, dentry, AA_MAY_CREATE, mode);
345
}
346

347
static int apparmor_path_truncate(const struct path *path)
348
{
349
	return common_perm_cond(OP_TRUNC, path, MAY_WRITE | AA_MAY_SETATTR);
350
}
351

352
static int apparmor_file_truncate(struct file *file)
353
{
354
	return apparmor_path_truncate(&file->f_path);
355
}
356

357
static int apparmor_path_symlink(const struct path *dir, struct dentry *dentry,
358
				 const char *old_name)
359
{
360
	return common_perm_create(OP_SYMLINK, dir, dentry, AA_MAY_CREATE,
361
				  S_IFLNK);
362
}
363

364
static int apparmor_path_link(struct dentry *old_dentry, const struct path *new_dir,
365
			      struct dentry *new_dentry)
366
{
367
	struct aa_label *label;
368
	int error = 0;
369

370
	if (!path_mediated_fs(old_dentry))
371
		return 0;
372

373
	label = begin_current_label_crit_section();
374
	if (!unconfined(label))
375
		error = aa_path_link(current_cred(), label, old_dentry, new_dir,
376
				     new_dentry);
377
	end_current_label_crit_section(label);
378

379
	return error;
380
}
381

382
static int apparmor_path_rename(const struct path *old_dir, struct dentry *old_dentry,
383
				const struct path *new_dir, struct dentry *new_dentry,
384
				const unsigned int flags)
385
{
386
	struct aa_label *label;
387
	int error = 0;
388

389
	if (!path_mediated_fs(old_dentry))
390
		return 0;
391
	if ((flags & RENAME_EXCHANGE) && !path_mediated_fs(new_dentry))
392
		return 0;
393

394
	label = begin_current_label_crit_section();
395
	if (!unconfined(label)) {
396
		struct mnt_idmap *idmap = mnt_idmap(old_dir->mnt);
397
		vfsuid_t vfsuid;
398
		struct path old_path = { .mnt = old_dir->mnt,
399
					 .dentry = old_dentry };
400
		struct path new_path = { .mnt = new_dir->mnt,
401
					 .dentry = new_dentry };
402
		struct path_cond cond = {
403
			.mode = d_backing_inode(old_dentry)->i_mode
404
		};
405
		vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry));
406
		cond.uid = vfsuid_into_kuid(vfsuid);
407

408
		if (flags & RENAME_EXCHANGE) {
409
			struct path_cond cond_exchange = {
410
				.mode = d_backing_inode(new_dentry)->i_mode,
411
			};
412
			vfsuid = i_uid_into_vfsuid(idmap, d_backing_inode(old_dentry));
413
			cond_exchange.uid = vfsuid_into_kuid(vfsuid);
414

415
			error = aa_path_perm(OP_RENAME_SRC, current_cred(),
416
					     label, &new_path, 0,
417
					     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
418
					     AA_MAY_SETATTR | AA_MAY_DELETE,
419
					     &cond_exchange);
420
			if (!error)
421
				error = aa_path_perm(OP_RENAME_DEST, current_cred(),
422
						     label, &old_path,
423
						     0, MAY_WRITE | AA_MAY_SETATTR |
424
						     AA_MAY_CREATE, &cond_exchange);
425
		}
426

427
		if (!error)
428
			error = aa_path_perm(OP_RENAME_SRC, current_cred(),
429
					     label, &old_path, 0,
430
					     MAY_READ | AA_MAY_GETATTR | MAY_WRITE |
431
					     AA_MAY_SETATTR | AA_MAY_DELETE,
432
					     &cond);
433
		if (!error)
434
			error = aa_path_perm(OP_RENAME_DEST, current_cred(),
435
					     label, &new_path,
436
					     0, MAY_WRITE | AA_MAY_SETATTR |
437
					     AA_MAY_CREATE, &cond);
438

439
	}
440
	end_current_label_crit_section(label);
441

442
	return error;
443
}
444

445
static int apparmor_path_chmod(const struct path *path, umode_t mode)
446
{
447
	return common_perm_cond(OP_CHMOD, path, AA_MAY_CHMOD);
448
}
449

450
static int apparmor_path_chown(const struct path *path, kuid_t uid, kgid_t gid)
451
{
452
	return common_perm_cond(OP_CHOWN, path, AA_MAY_CHOWN);
453
}
454

455
static int apparmor_inode_getattr(const struct path *path)
456
{
457
	return common_perm_cond(OP_GETATTR, path, AA_MAY_GETATTR);
458
}
459

460
static int apparmor_file_open(struct file *file)
461
{
462
	struct aa_file_ctx *fctx = file_ctx(file);
463
	struct aa_label *label;
464
	int error = 0;
465
	bool needput;
466

467
	if (!path_mediated_fs(file->f_path.dentry))
468
		return 0;
469

470
	/* If in exec, permission is handled by bprm hooks.
471
	 * Cache permissions granted by the previous exec check, with
472
	 * implicit read and executable mmap which are required to
473
	 * actually execute the image.
474
	 *
475
	 * Illogically, FMODE_EXEC is in f_flags, not f_mode.
476
	 */
477
	if (file->f_flags & __FMODE_EXEC) {
478
		fctx->allow = MAY_EXEC | MAY_READ | AA_EXEC_MMAP;
479
		return 0;
480
	}
481

482
	label = aa_get_newest_cred_label_condref(file->f_cred, &needput);
483
	if (!unconfined(label)) {
484
		struct mnt_idmap *idmap = file_mnt_idmap(file);
485
		struct inode *inode = file_inode(file);
486
		vfsuid_t vfsuid;
487
		struct path_cond cond = {
488
			.mode = inode->i_mode,
489
		};
490
		vfsuid = i_uid_into_vfsuid(idmap, inode);
491
		cond.uid = vfsuid_into_kuid(vfsuid);
492

493
		error = aa_path_perm(OP_OPEN, file->f_cred,
494
				     label, &file->f_path, 0,
495
				     aa_map_file_to_perms(file), &cond);
496
		/* todo cache full allowed permissions set and state */
497
		fctx->allow = aa_map_file_to_perms(file);
498
	}
499
	aa_put_label_condref(label, needput);
500

501
	return error;
502
}
503

504
static int apparmor_file_alloc_security(struct file *file)
505
{
506
	struct aa_file_ctx *ctx = file_ctx(file);
507
	struct aa_label *label = begin_current_label_crit_section();
508

509
	spin_lock_init(&ctx->lock);
510
	rcu_assign_pointer(ctx->label, aa_get_label(label));
511
	end_current_label_crit_section(label);
512
	return 0;
513
}
514

515
static void apparmor_file_free_security(struct file *file)
516
{
517
	struct aa_file_ctx *ctx = file_ctx(file);
518

519
	if (ctx)
520
		aa_put_label(rcu_access_pointer(ctx->label));
521
}
522

523
static int common_file_perm(const char *op, struct file *file, u32 mask,
524
			    bool in_atomic)
525
{
526
	struct aa_label *label;
527
	int error = 0;
528
	bool needput;
529

530
	/* don't reaudit files closed during inheritance */
531
	if (unlikely(file->f_path.dentry == aa_null.dentry))
532
		return -EACCES;
533

534
	label = __begin_current_label_crit_section(&needput);
535
	error = aa_file_perm(op, current_cred(), label, file, mask, in_atomic);
536
	__end_current_label_crit_section(label, needput);
537

538
	return error;
539
}
540

541
static int apparmor_file_receive(struct file *file)
542
{
543
	return common_file_perm(OP_FRECEIVE, file, aa_map_file_to_perms(file),
544
				false);
545
}
546

547
static int apparmor_file_permission(struct file *file, int mask)
548
{
549
	return common_file_perm(OP_FPERM, file, mask, false);
550
}
551

552
static int apparmor_file_lock(struct file *file, unsigned int cmd)
553
{
554
	u32 mask = AA_MAY_LOCK;
555

556
	if (cmd == F_WRLCK)
557
		mask |= MAY_WRITE;
558

559
	return common_file_perm(OP_FLOCK, file, mask, false);
560
}
561

562
static int common_mmap(const char *op, struct file *file, unsigned long prot,
563
		       unsigned long flags, bool in_atomic)
564
{
565
	int mask = 0;
566

567
	if (!file || !file_ctx(file))
568
		return 0;
569

570
	if (prot & PROT_READ)
571
		mask |= MAY_READ;
572
	/*
573
	 * Private mappings don't require write perms since they don't
574
	 * write back to the files
575
	 */
576
	if ((prot & PROT_WRITE) && !(flags & MAP_PRIVATE))
577
		mask |= MAY_WRITE;
578
	if (prot & PROT_EXEC)
579
		mask |= AA_EXEC_MMAP;
580

581
	return common_file_perm(op, file, mask, in_atomic);
582
}
583

584
static int apparmor_mmap_file(struct file *file, unsigned long reqprot,
585
			      unsigned long prot, unsigned long flags)
586
{
587
	return common_mmap(OP_FMMAP, file, prot, flags, GFP_ATOMIC);
588
}
589

590
static int apparmor_file_mprotect(struct vm_area_struct *vma,
591
				  unsigned long reqprot, unsigned long prot)
592
{
593
	return common_mmap(OP_FMPROT, vma->vm_file, prot,
594
			   !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0,
595
			   false);
596
}
597

598
#ifdef CONFIG_IO_URING
599
static const char *audit_uring_mask(u32 mask)
600
{
601
	if (mask & AA_MAY_CREATE_SQPOLL)
602
		return "sqpoll";
603
	if (mask & AA_MAY_OVERRIDE_CRED)
604
		return "override_creds";
605
	return "";
606
}
607

608
static void audit_uring_cb(struct audit_buffer *ab, void *va)
609
{
610
	struct apparmor_audit_data *ad = aad_of_va(va);
611

612
	if (ad->request & AA_URING_PERM_MASK) {
613
		audit_log_format(ab, " requested=\"%s\"",
614
				 audit_uring_mask(ad->request));
615
		if (ad->denied & AA_URING_PERM_MASK) {
616
			audit_log_format(ab, " denied=\"%s\"",
617
					 audit_uring_mask(ad->denied));
618
		}
619
	}
620
	if (ad->uring.target) {
621
		audit_log_format(ab, " tcontext=");
622
		aa_label_xaudit(ab, labels_ns(ad->subj_label),
623
				ad->uring.target,
624
				FLAGS_NONE, GFP_ATOMIC);
625
	}
626
}
627

628
static int profile_uring(struct aa_profile *profile, u32 request,
629
			 struct aa_label *new, int cap,
630
			 struct apparmor_audit_data *ad)
631
{
632
	unsigned int state;
633
	struct aa_ruleset *rules;
634
	int error = 0;
635

636
	AA_BUG(!profile);
637

638
	rules = profile->label.rules[0];
639
	state = RULE_MEDIATES(rules, AA_CLASS_IO_URING);
640
	if (state) {
641
		struct aa_perms perms = { };
642

643
		if (new) {
644
			aa_label_match(profile, rules, new, state,
645
				       false, request, &perms);
646
		} else {
647
			perms = *aa_lookup_perms(rules->policy, state);
648
		}
649
		aa_apply_modes_to_perms(profile, &perms);
650
		error = aa_check_perms(profile, &perms, request, ad,
651
				       audit_uring_cb);
652
	}
653

654
	return error;
655
}
656

657
/**
658
 * apparmor_uring_override_creds - check the requested cred override
659
 * @new: the target creds
660
 *
661
 * Check to see if the current task is allowed to override it's credentials
662
 * to service an io_uring operation.
663
 */
664
static int apparmor_uring_override_creds(const struct cred *new)
665
{
666
	struct aa_profile *profile;
667
	struct aa_label *label;
668
	int error;
669
	bool needput;
670
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_IO_URING,
671
			  OP_URING_OVERRIDE);
672

673
	ad.uring.target = cred_label(new);
674
	label = __begin_current_label_crit_section(&needput);
675
	error = fn_for_each(label, profile,
676
			profile_uring(profile, AA_MAY_OVERRIDE_CRED,
677
				      cred_label(new), CAP_SYS_ADMIN, &ad));
678
	__end_current_label_crit_section(label, needput);
679

680
	return error;
681
}
682

683
/**
684
 * apparmor_uring_sqpoll - check if a io_uring polling thread can be created
685
 *
686
 * Check to see if the current task is allowed to create a new io_uring
687
 * kernel polling thread.
688
 */
689
static int apparmor_uring_sqpoll(void)
690
{
691
	struct aa_profile *profile;
692
	struct aa_label *label;
693
	int error;
694
	bool needput;
695
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_IO_URING,
696
			  OP_URING_SQPOLL);
697

698
	label = __begin_current_label_crit_section(&needput);
699
	error = fn_for_each(label, profile,
700
			profile_uring(profile, AA_MAY_CREATE_SQPOLL,
701
				      NULL, CAP_SYS_ADMIN, &ad));
702
	__end_current_label_crit_section(label, needput);
703

704
	return error;
705
}
706
#endif /* CONFIG_IO_URING */
707

708
static int apparmor_sb_mount(const char *dev_name, const struct path *path,
709
			     const char *type, unsigned long flags, void *data)
710
{
711
	struct aa_label *label;
712
	int error = 0;
713
	bool needput;
714

715
	/* Discard magic */
716
	if ((flags & MS_MGC_MSK) == MS_MGC_VAL)
717
		flags &= ~MS_MGC_MSK;
718

719
	flags &= ~AA_MS_IGNORE_MASK;
720

721
	label = __begin_current_label_crit_section(&needput);
722
	if (!unconfined(label)) {
723
		if (flags & MS_REMOUNT)
724
			error = aa_remount(current_cred(), label, path, flags,
725
					   data);
726
		else if (flags & MS_BIND)
727
			error = aa_bind_mount(current_cred(), label, path,
728
					      dev_name, flags);
729
		else if (flags & (MS_SHARED | MS_PRIVATE | MS_SLAVE |
730
				  MS_UNBINDABLE))
731
			error = aa_mount_change_type(current_cred(), label,
732
						     path, flags);
733
		else if (flags & MS_MOVE)
734
			error = aa_move_mount_old(current_cred(), label, path,
735
						  dev_name);
736
		else
737
			error = aa_new_mount(current_cred(), label, dev_name,
738
					     path, type, flags, data);
739
	}
740
	__end_current_label_crit_section(label, needput);
741

742
	return error;
743
}
744

745
static int apparmor_move_mount(const struct path *from_path,
746
			       const struct path *to_path)
747
{
748
	struct aa_label *label;
749
	int error = 0;
750
	bool needput;
751

752
	label = __begin_current_label_crit_section(&needput);
753
	if (!unconfined(label))
754
		error = aa_move_mount(current_cred(), label, from_path,
755
				      to_path);
756
	__end_current_label_crit_section(label, needput);
757

758
	return error;
759
}
760

761
static int apparmor_sb_umount(struct vfsmount *mnt, int flags)
762
{
763
	struct aa_label *label;
764
	int error = 0;
765
	bool needput;
766

767
	label = __begin_current_label_crit_section(&needput);
768
	if (!unconfined(label))
769
		error = aa_umount(current_cred(), label, mnt, flags);
770
	__end_current_label_crit_section(label, needput);
771

772
	return error;
773
}
774

775
static int apparmor_sb_pivotroot(const struct path *old_path,
776
				 const struct path *new_path)
777
{
778
	struct aa_label *label;
779
	int error = 0;
780

781
	label = aa_get_current_label();
782
	if (!unconfined(label))
783
		error = aa_pivotroot(current_cred(), label, old_path, new_path);
784
	aa_put_label(label);
785

786
	return error;
787
}
788

789
static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
790
				u32 *size, u32 flags)
791
{
792
	int error = -ENOENT;
793
	struct aa_task_ctx *ctx = task_ctx(current);
794
	struct aa_label *label = NULL;
795
	char *value = NULL;
796

797
	switch (attr) {
798
	case LSM_ATTR_CURRENT:
799
		label = aa_get_newest_label(cred_label(current_cred()));
800
		break;
801
	case LSM_ATTR_PREV:
802
		if (ctx->previous)
803
			label = aa_get_newest_label(ctx->previous);
804
		break;
805
	case LSM_ATTR_EXEC:
806
		if (ctx->onexec)
807
			label = aa_get_newest_label(ctx->onexec);
808
		break;
809
	default:
810
		error = -EOPNOTSUPP;
811
		break;
812
	}
813

814
	if (label) {
815
		error = aa_getprocattr(label, &value, false);
816
		if (error > 0)
817
			error = lsm_fill_user_ctx(lx, size, value, error,
818
						  LSM_ID_APPARMOR, 0);
819
		kfree(value);
820
	}
821

822
	aa_put_label(label);
823

824
	if (error < 0)
825
		return error;
826
	return 1;
827
}
828

829
static int apparmor_getprocattr(struct task_struct *task, const char *name,
830
				char **value)
831
{
832
	int error = -ENOENT;
833
	/* released below */
834
	const struct cred *cred = get_task_cred(task);
835
	struct aa_task_ctx *ctx = task_ctx(current);
836
	struct aa_label *label = NULL;
837

838
	if (strcmp(name, "current") == 0)
839
		label = aa_get_newest_label(cred_label(cred));
840
	else if (strcmp(name, "prev") == 0  && ctx->previous)
841
		label = aa_get_newest_label(ctx->previous);
842
	else if (strcmp(name, "exec") == 0 && ctx->onexec)
843
		label = aa_get_newest_label(ctx->onexec);
844
	else
845
		error = -EINVAL;
846

847
	if (label)
848
		error = aa_getprocattr(label, value, true);
849

850
	aa_put_label(label);
851
	put_cred(cred);
852

853
	return error;
854
}
855

856
static int do_setattr(u64 attr, void *value, size_t size)
857
{
858
	char *command, *largs = NULL, *args = value;
859
	size_t arg_size;
860
	int error;
861
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
862
			  OP_SETPROCATTR);
863

864
	if (size == 0)
865
		return -EINVAL;
866

867
	/* AppArmor requires that the buffer must be null terminated atm */
868
	if (args[size - 1] != '\0') {
869
		/* null terminate */
870
		largs = args = kmalloc(size + 1, GFP_KERNEL);
871
		if (!args)
872
			return -ENOMEM;
873
		memcpy(args, value, size);
874
		args[size] = '\0';
875
	}
876

877
	error = -EINVAL;
878
	args = strim(args);
879
	command = strsep(&args, " ");
880
	if (!args)
881
		goto out;
882
	args = skip_spaces(args);
883
	if (!*args)
884
		goto out;
885

886
	arg_size = size - (args - (largs ? largs : (char *) value));
887
	if (attr == LSM_ATTR_CURRENT) {
888
		if (strcmp(command, "changehat") == 0) {
889
			error = aa_setprocattr_changehat(args, arg_size,
890
							 AA_CHANGE_NOFLAGS);
891
		} else if (strcmp(command, "permhat") == 0) {
892
			error = aa_setprocattr_changehat(args, arg_size,
893
							 AA_CHANGE_TEST);
894
		} else if (strcmp(command, "changeprofile") == 0) {
895
			error = aa_change_profile(args, AA_CHANGE_NOFLAGS);
896
		} else if (strcmp(command, "permprofile") == 0) {
897
			error = aa_change_profile(args, AA_CHANGE_TEST);
898
		} else if (strcmp(command, "stack") == 0) {
899
			error = aa_change_profile(args, AA_CHANGE_STACK);
900
		} else
901
			goto fail;
902
	} else if (attr == LSM_ATTR_EXEC) {
903
		if (strcmp(command, "exec") == 0)
904
			error = aa_change_profile(args, AA_CHANGE_ONEXEC);
905
		else if (strcmp(command, "stack") == 0)
906
			error = aa_change_profile(args, (AA_CHANGE_ONEXEC |
907
							 AA_CHANGE_STACK));
908
		else
909
			goto fail;
910
	} else
911
		/* only support the "current" and "exec" process attributes */
912
		goto fail;
913

914
	if (!error)
915
		error = size;
916
out:
917
	kfree(largs);
918
	return error;
919

920
fail:
921
	ad.subj_label = begin_current_label_crit_section();
922
	if (attr == LSM_ATTR_CURRENT)
923
		ad.info = "current";
924
	else if (attr == LSM_ATTR_EXEC)
925
		ad.info = "exec";
926
	else
927
		ad.info = "invalid";
928
	ad.error = error = -EINVAL;
929
	aa_audit_msg(AUDIT_APPARMOR_DENIED, &ad, NULL);
930
	end_current_label_crit_section(ad.subj_label);
931
	goto out;
932
}
933

934
static int apparmor_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
935
				u32 size, u32 flags)
936
{
937
	int rc;
938

939
	if (attr != LSM_ATTR_CURRENT && attr != LSM_ATTR_EXEC)
940
		return -EOPNOTSUPP;
941

942
	rc = do_setattr(attr, ctx->ctx, ctx->ctx_len);
943
	if (rc > 0)
944
		return 0;
945
	return rc;
946
}
947

948
static int apparmor_setprocattr(const char *name, void *value,
949
				size_t size)
950
{
951
	int attr = lsm_name_to_attr(name);
952

953
	if (attr)
954
		return do_setattr(attr, value, size);
955
	return -EINVAL;
956
}
957

958
/**
959
 * apparmor_bprm_committing_creds - do task cleanup on committing new creds
960
 * @bprm: binprm for the exec  (NOT NULL)
961
 */
962
static void apparmor_bprm_committing_creds(const struct linux_binprm *bprm)
963
{
964
	struct aa_label *label = aa_current_raw_label();
965
	struct aa_label *new_label = cred_label(bprm->cred);
966

967
	/* bail out if unconfined or not changing profile */
968
	if ((new_label->proxy == label->proxy) ||
969
	    (unconfined(new_label)))
970
		return;
971

972
	aa_inherit_files(bprm->cred, current->files);
973

974
	current->pdeath_signal = 0;
975

976
	/* reset soft limits and set hard limits for the new label */
977
	__aa_transition_rlimits(label, new_label);
978
}
979

980
/**
981
 * apparmor_bprm_committed_creds() - do cleanup after new creds committed
982
 * @bprm: binprm for the exec  (NOT NULL)
983
 */
984
static void apparmor_bprm_committed_creds(const struct linux_binprm *bprm)
985
{
986
	/* clear out temporary/transitional state from the context */
987
	aa_clear_task_ctx_trans(task_ctx(current));
988

989
	return;
990
}
991

992
static void apparmor_current_getlsmprop_subj(struct lsm_prop *prop)
993
{
994
	struct aa_label *label;
995
	bool needput;
996

997
	label = __begin_current_label_crit_section(&needput);
998
	prop->apparmor.label = label;
999
	__end_current_label_crit_section(label, needput);
1000
}
1001

1002
static void apparmor_task_getlsmprop_obj(struct task_struct *p,
1003
					  struct lsm_prop *prop)
1004
{
1005
	struct aa_label *label = aa_get_task_label(p);
1006

1007
	prop->apparmor.label = label;
1008
	aa_put_label(label);
1009
}
1010

1011
static int apparmor_task_setrlimit(struct task_struct *task,
1012
		unsigned int resource, struct rlimit *new_rlim)
1013
{
1014
	struct aa_label *label;
1015
	int error = 0;
1016
	bool needput;
1017

1018
	label = __begin_current_label_crit_section(&needput);
1019

1020
	if (!unconfined(label))
1021
		error = aa_task_setrlimit(current_cred(), label, task,
1022
					  resource, new_rlim);
1023
	__end_current_label_crit_section(label, needput);
1024

1025
	return error;
1026
}
1027

1028
static int apparmor_task_kill(struct task_struct *target, struct kernel_siginfo *info,
1029
			      int sig, const struct cred *cred)
1030
{
1031
	const struct cred *tc;
1032
	struct aa_label *cl, *tl;
1033
	int error;
1034
	bool needput;
1035

1036
	tc = get_task_cred(target);
1037
	tl = aa_get_newest_cred_label(tc);
1038
	if (cred) {
1039
		/*
1040
		 * Dealing with USB IO specific behavior
1041
		 */
1042
		cl = aa_get_newest_cred_label(cred);
1043
		error = aa_may_signal(cred, cl, tc, tl, sig);
1044
		aa_put_label(cl);
1045
	} else {
1046
		cl = __begin_current_label_crit_section(&needput);
1047
		error = aa_may_signal(current_cred(), cl, tc, tl, sig);
1048
		__end_current_label_crit_section(cl, needput);
1049
	}
1050
	aa_put_label(tl);
1051
	put_cred(tc);
1052

1053
	return error;
1054
}
1055

1056
static int apparmor_userns_create(const struct cred *cred)
1057
{
1058
	struct aa_label *label;
1059
	struct aa_profile *profile;
1060
	int error = 0;
1061
	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_NS,
1062
			  OP_USERNS_CREATE);
1063

1064
	ad.subj_cred = current_cred();
1065

1066
	label = begin_current_label_crit_section();
1067
	if (!unconfined(label)) {
1068
		error = fn_for_each(label, profile,
1069
				    aa_profile_ns_perm(profile, &ad,
1070
						       AA_USERNS_CREATE));
1071
	}
1072
	end_current_label_crit_section(label);
1073

1074
	return error;
1075
}
1076

1077
static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t gfp)
1078
{
1079
	struct aa_sk_ctx *ctx = aa_sock(sk);
1080
	struct aa_label *label;
1081
	bool needput;
1082

1083
	label = __begin_current_label_crit_section(&needput);
1084
	//spin_lock_init(&ctx->lock);
1085
	rcu_assign_pointer(ctx->label, aa_get_label(label));
1086
	rcu_assign_pointer(ctx->peer, NULL);
1087
	rcu_assign_pointer(ctx->peer_lastupdate, NULL);
1088
	__end_current_label_crit_section(label, needput);
1089
	return 0;
1090
}
1091

1092
static void apparmor_sk_free_security(struct sock *sk)
1093
{
1094
	struct aa_sk_ctx *ctx = aa_sock(sk);
1095

1096
	/* dead these won't be updated any more */
1097
	aa_put_label(rcu_dereference_protected(ctx->label, true));
1098
	aa_put_label(rcu_dereference_protected(ctx->peer, true));
1099
	aa_put_label(rcu_dereference_protected(ctx->peer_lastupdate, true));
1100
}
1101

1102
/**
1103
 * apparmor_sk_clone_security - clone the sk_security field
1104
 * @sk: sock to have security cloned
1105
 * @newsk: sock getting clone
1106
 */
1107
static void apparmor_sk_clone_security(const struct sock *sk,
1108
				       struct sock *newsk)
1109
{
1110
	struct aa_sk_ctx *ctx = aa_sock(sk);
1111
	struct aa_sk_ctx *new = aa_sock(newsk);
1112

1113
	/* not actually in use yet */
1114
	if (rcu_access_pointer(ctx->label) != rcu_access_pointer(new->label)) {
1115
		aa_put_label(rcu_dereference_protected(new->label, true));
1116
		rcu_assign_pointer(new->label, aa_get_label_rcu(&ctx->label));
1117
	}
1118

1119
	if (rcu_access_pointer(ctx->peer) != rcu_access_pointer(new->peer)) {
1120
		aa_put_label(rcu_dereference_protected(new->peer, true));
1121
		rcu_assign_pointer(new->peer, aa_get_label_rcu(&ctx->peer));
1122
	}
1123

1124
	if (rcu_access_pointer(ctx->peer_lastupdate) != rcu_access_pointer(new->peer_lastupdate)) {
1125
		aa_put_label(rcu_dereference_protected(new->peer_lastupdate, true));
1126
		rcu_assign_pointer(new->peer_lastupdate,
1127
				   aa_get_label_rcu(&ctx->peer_lastupdate));
1128
	}
1129
}
1130

1131
static int unix_connect_perm(const struct cred *cred, struct aa_label *label,
1132
			     struct sock *sk, struct sock *peer_sk)
1133
{
1134
	struct aa_sk_ctx *peer_ctx = aa_sock(peer_sk);
1135
	int error;
1136

1137
	error = aa_unix_peer_perm(cred, label, OP_CONNECT,
1138
				(AA_MAY_CONNECT | AA_MAY_SEND | AA_MAY_RECEIVE),
1139
				  sk, peer_sk,
1140
				  rcu_dereference_protected(peer_ctx->label,
1141
				     lockdep_is_held(&unix_sk(peer_sk)->lock)));
1142
	if (!is_unix_fs(peer_sk)) {
1143
		last_error(error,
1144
			   aa_unix_peer_perm(cred,
1145
				rcu_dereference_protected(peer_ctx->label,
1146
				     lockdep_is_held(&unix_sk(peer_sk)->lock)),
1147
				OP_CONNECT,
1148
				(AA_MAY_ACCEPT | AA_MAY_SEND | AA_MAY_RECEIVE),
1149
							  peer_sk, sk, label));
1150
	}
1151

1152
	return error;
1153
}
1154

1155
/* lockdep check in unix_connect_perm - push sks here to check */
1156
static void unix_connect_peers(struct aa_sk_ctx *sk_ctx,
1157
			       struct aa_sk_ctx *peer_ctx)
1158
{
1159
	/* Cross reference the peer labels for SO_PEERSEC */
1160
	struct aa_label *label = rcu_dereference_protected(sk_ctx->label, true);
1161

1162
	aa_get_label(label);
1163
	aa_put_label(rcu_dereference_protected(peer_ctx->peer,
1164
					     true));
1165
	rcu_assign_pointer(peer_ctx->peer, label);	/* transfer cnt */
1166

1167
	label = aa_get_label(rcu_dereference_protected(peer_ctx->label,
1168
					     true));
1169
	//spin_unlock(&peer_ctx->lock);
1170

1171
	//spin_lock(&sk_ctx->lock);
1172
	aa_put_label(rcu_dereference_protected(sk_ctx->peer,
1173
					       true));
1174
	aa_put_label(rcu_dereference_protected(sk_ctx->peer_lastupdate,
1175
					       true));
1176

1177
	rcu_assign_pointer(sk_ctx->peer, aa_get_label(label));
1178
	rcu_assign_pointer(sk_ctx->peer_lastupdate, label);     /* transfer cnt */
1179
	//spin_unlock(&sk_ctx->lock);
1180
}
1181

1182
/**
1183
 * apparmor_unix_stream_connect - check perms before making unix domain conn
1184
 * @sk: sk attempting to connect
1185
 * @peer_sk: sk that is accepting the connection
1186
 * @newsk: new sk created for this connection
1187
 * peer is locked when this hook is called
1188
 *
1189
 * Return:
1190
 *   0 if connection is permitted
1191
 *   error code on denial or failure
1192
 */
1193
static int apparmor_unix_stream_connect(struct sock *sk, struct sock *peer_sk,
1194
					struct sock *newsk)
1195
{
1196
	struct aa_sk_ctx *sk_ctx = aa_sock(sk);
1197
	struct aa_sk_ctx *peer_ctx = aa_sock(peer_sk);
1198
	struct aa_sk_ctx *new_ctx = aa_sock(newsk);
1199
	struct aa_label *label;
1200
	int error;
1201
	bool needput;
1202

1203
	label = __begin_current_label_crit_section(&needput);
1204
	error = unix_connect_perm(current_cred(), label, sk, peer_sk);
1205
	__end_current_label_crit_section(label, needput);
1206

1207
	if (error)
1208
		return error;
1209

1210
	/* newsk doesn't go through post_create, but does go through
1211
	 * security_sk_alloc()
1212
	 */
1213
	rcu_assign_pointer(new_ctx->label,
1214
			   aa_get_label(rcu_dereference_protected(peer_ctx->label,
1215
								  true)));
1216

1217
	/* Cross reference the peer labels for SO_PEERSEC */
1218
	unix_connect_peers(sk_ctx, new_ctx);
1219

1220
	return 0;
1221
}
1222

1223
/**
1224
 * apparmor_unix_may_send - check perms before conn or sending unix dgrams
1225
 * @sock: socket sending the message
1226
 * @peer: socket message is being send to
1227
 *
1228
 * Performs bidirectional permission checks for Unix domain socket communication:
1229
 * 1. Verifies sender has AA_MAY_SEND to target socket
1230
 * 2. Verifies receiver has AA_MAY_RECEIVE from source socket
1231
 *
1232
 * sock and peer are locked when this hook is called
1233
 * called by: dgram_connect peer setup but path not copied to newsk
1234
 *
1235
 * Return:
1236
 *   0 if transmission is permitted
1237
 *   error code on denial or failure
1238
 */
1239
static int apparmor_unix_may_send(struct socket *sock, struct socket *peer)
1240
{
1241
	struct aa_sk_ctx *peer_ctx = aa_sock(peer->sk);
1242
	struct aa_label *label;
1243
	int error;
1244
	bool needput;
1245

1246
	label = __begin_current_label_crit_section(&needput);
1247
	error = xcheck(aa_unix_peer_perm(current_cred(),
1248
				label, OP_SENDMSG, AA_MAY_SEND,
1249
				sock->sk, peer->sk,
1250
				rcu_dereference_protected(peer_ctx->label,
1251
							  true)),
1252
		       aa_unix_peer_perm(peer->file ? peer->file->f_cred : NULL,
1253
				rcu_dereference_protected(peer_ctx->label,
1254
							  true),
1255
				OP_SENDMSG, AA_MAY_RECEIVE, peer->sk,
1256
				sock->sk, label));
1257
	__end_current_label_crit_section(label, needput);
1258

1259
	return error;
1260
}
1261

1262
static int apparmor_socket_create(int family, int type, int protocol, int kern)
1263
{
1264
	struct aa_label *label;
1265
	int error = 0;
1266

1267
	AA_BUG(in_interrupt());
1268

1269
	if (kern)
1270
		return 0;
1271

1272
	label = begin_current_label_crit_section();
1273
	if (!unconfined(label)) {
1274
		if (family == PF_UNIX)
1275
			error = aa_unix_create_perm(label, family, type,
1276
						    protocol);
1277
		else
1278
			error = aa_af_perm(current_cred(), label, OP_CREATE,
1279
					   AA_MAY_CREATE, family, type,
1280
					   protocol);
1281
	}
1282
	end_current_label_crit_section(label);
1283

1284
	return error;
1285
}
1286

1287
/**
1288
 * apparmor_socket_post_create - setup the per-socket security struct
1289
 * @sock: socket that is being setup
1290
 * @family: family of socket being created
1291
 * @type: type of the socket
1292
 * @protocol: protocol of the socket
1293
 * @kern: socket is a special kernel socket
1294
 *
1295
 * Note:
1296
 * -   kernel sockets labeled kernel_t used to use unconfined
1297
 * -   socket may not have sk here if created with sock_create_lite or
1298
 *     sock_alloc. These should be accept cases which will be handled in
1299
 *     sock_graft.
1300
 */
1301
static int apparmor_socket_post_create(struct socket *sock, int family,
1302
				       int type, int protocol, int kern)
1303
{
1304
	struct aa_label *label;
1305

1306
	if (kern) {
1307
		label = aa_get_label(kernel_t);
1308
	} else
1309
		label = aa_get_current_label();
1310

1311
	if (sock->sk) {
1312
		struct aa_sk_ctx *ctx = aa_sock(sock->sk);
1313

1314
		/* still not live */
1315
		aa_put_label(rcu_dereference_protected(ctx->label, true));
1316
		rcu_assign_pointer(ctx->label, aa_get_label(label));
1317
	}
1318
	aa_put_label(label);
1319

1320
	return 0;
1321
}
1322

1323
static int apparmor_socket_socketpair(struct socket *socka,
1324
				      struct socket *sockb)
1325
{
1326
	struct aa_sk_ctx *a_ctx = aa_sock(socka->sk);
1327
	struct aa_sk_ctx *b_ctx = aa_sock(sockb->sk);
1328
	struct aa_label *label;
1329

1330
	/* socks not live yet - initial values set in sk_alloc */
1331
	label = begin_current_label_crit_section();
1332
	if (rcu_access_pointer(a_ctx->label) != label) {
1333
		AA_BUG("a_ctx != label");
1334
		aa_put_label(rcu_dereference_protected(a_ctx->label, true));
1335
		rcu_assign_pointer(a_ctx->label, aa_get_label(label));
1336
	}
1337
	if (rcu_access_pointer(b_ctx->label) != label) {
1338
		AA_BUG("b_ctx != label");
1339
		aa_put_label(rcu_dereference_protected(b_ctx->label, true));
1340
		rcu_assign_pointer(b_ctx->label, aa_get_label(label));
1341
	}
1342

1343
	if (socka->sk->sk_family == PF_UNIX) {
1344
		/* unix socket pairs by-pass unix_stream_connect */
1345
		unix_connect_peers(a_ctx, b_ctx);
1346
	}
1347
	end_current_label_crit_section(label);
1348

1349
	return 0;
1350
}
1351

1352
/**
1353
 * apparmor_socket_bind - check perms before bind addr to socket
1354
 * @sock: socket to bind the address to (must be non-NULL)
1355
 * @address: address that is being bound (must be non-NULL)
1356
 * @addrlen: length of @address
1357
 *
1358
 * Performs security checks before allowing a socket to bind to an address.
1359
 * Handles Unix domain sockets specially through aa_unix_bind_perm().
1360
 * For other socket families, uses generic permission check via aa_sk_perm().
1361
 *
1362
 * Return:
1363
 *   0 if binding is permitted
1364
 *   error code on denial or invalid parameters
1365
 */
1366
static int apparmor_socket_bind(struct socket *sock,
1367
				struct sockaddr *address, int addrlen)
1368
{
1369
	AA_BUG(!sock);
1370
	AA_BUG(!sock->sk);
1371
	AA_BUG(!address);
1372
	AA_BUG(in_interrupt());
1373

1374
	if (sock->sk->sk_family == PF_UNIX)
1375
		return aa_unix_bind_perm(sock, address, addrlen);
1376
	return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk);
1377
}
1378

1379
static int apparmor_socket_connect(struct socket *sock,
1380
				   struct sockaddr *address, int addrlen)
1381
{
1382
	AA_BUG(!sock);
1383
	AA_BUG(!sock->sk);
1384
	AA_BUG(!address);
1385
	AA_BUG(in_interrupt());
1386

1387
	/* PF_UNIX goes through unix_stream_connect && unix_may_send */
1388
	if (sock->sk->sk_family == PF_UNIX)
1389
		return 0;
1390
	return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk);
1391
}
1392

1393
static int apparmor_socket_listen(struct socket *sock, int backlog)
1394
{
1395
	AA_BUG(!sock);
1396
	AA_BUG(!sock->sk);
1397
	AA_BUG(in_interrupt());
1398

1399
	if (sock->sk->sk_family == PF_UNIX)
1400
		return aa_unix_listen_perm(sock, backlog);
1401
	return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk);
1402
}
1403

1404
/*
1405
 * Note: while @newsock is created and has some information, the accept
1406
 *       has not been done.
1407
 */
1408
static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
1409
{
1410
	AA_BUG(!sock);
1411
	AA_BUG(!sock->sk);
1412
	AA_BUG(!newsock);
1413
	AA_BUG(in_interrupt());
1414

1415
	if (sock->sk->sk_family == PF_UNIX)
1416
		return aa_unix_accept_perm(sock, newsock);
1417
	return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk);
1418
}
1419

1420
static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
1421
			    struct msghdr *msg, int size)
1422
{
1423
	AA_BUG(!sock);
1424
	AA_BUG(!sock->sk);
1425
	AA_BUG(!msg);
1426
	AA_BUG(in_interrupt());
1427

1428
	/* PF_UNIX goes through unix_may_send */
1429
	if (sock->sk->sk_family == PF_UNIX)
1430
		return 0;
1431
	return aa_sk_perm(op, request, sock->sk);
1432
}
1433

1434
static int apparmor_socket_sendmsg(struct socket *sock,
1435
				   struct msghdr *msg, int size)
1436
{
1437
	return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
1438
}
1439

1440
static int apparmor_socket_recvmsg(struct socket *sock,
1441
				   struct msghdr *msg, int size, int flags)
1442
{
1443
	return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
1444
}
1445

1446
/* revaliation, get/set attr, shutdown */
1447
static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
1448
{
1449
	AA_BUG(!sock);
1450
	AA_BUG(!sock->sk);
1451
	AA_BUG(in_interrupt());
1452

1453
	if (sock->sk->sk_family == PF_UNIX)
1454
		return aa_unix_sock_perm(op, request, sock);
1455
	return aa_sk_perm(op, request, sock->sk);
1456
}
1457

1458
static int apparmor_socket_getsockname(struct socket *sock)
1459
{
1460
	return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
1461
}
1462

1463
static int apparmor_socket_getpeername(struct socket *sock)
1464
{
1465
	return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
1466
}
1467

1468
/* revaliation, get/set attr, opt */
1469
static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
1470
			    int level, int optname)
1471
{
1472
	AA_BUG(!sock);
1473
	AA_BUG(!sock->sk);
1474
	AA_BUG(in_interrupt());
1475

1476
	if (sock->sk->sk_family == PF_UNIX)
1477
		return aa_unix_opt_perm(op, request, sock, level, optname);
1478
	return aa_sk_perm(op, request, sock->sk);
1479
}
1480

1481
static int apparmor_socket_getsockopt(struct socket *sock, int level,
1482
				      int optname)
1483
{
1484
	return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
1485
				level, optname);
1486
}
1487

1488
static int apparmor_socket_setsockopt(struct socket *sock, int level,
1489
				      int optname)
1490
{
1491
	return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
1492
				level, optname);
1493
}
1494

1495
static int apparmor_socket_shutdown(struct socket *sock, int how)
1496
{
1497
	return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
1498
}
1499

1500
#ifdef CONFIG_NETWORK_SECMARK
1501
/**
1502
 * apparmor_socket_sock_rcv_skb - check perms before associating skb to sk
1503
 * @sk: sk to associate @skb with
1504
 * @skb: skb to check for perms
1505
 *
1506
 * Note: can not sleep may be called with locks held
1507
 *
1508
 * dont want protocol specific in __skb_recv_datagram()
1509
 * to deny an incoming connection  socket_sock_rcv_skb()
1510
 */
1511
static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
1512
{
1513
	struct aa_sk_ctx *ctx = aa_sock(sk);
1514
	int error;
1515

1516
	if (!skb->secmark)
1517
		return 0;
1518

1519
	/*
1520
	 * If reach here before socket_post_create hook is called, in which
1521
	 * case label is null, drop the packet.
1522
	 */
1523
	if (!rcu_access_pointer(ctx->label))
1524
		return -EACCES;
1525

1526
	rcu_read_lock();
1527
	error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_RECVMSG,
1528
				       AA_MAY_RECEIVE, skb->secmark, sk);
1529
	rcu_read_unlock();
1530

1531
	return error;
1532
}
1533
#endif
1534

1535

1536
static struct aa_label *sk_peer_get_label(struct sock *sk)
1537
{
1538
	struct aa_sk_ctx *ctx = aa_sock(sk);
1539
	struct aa_label *label = ERR_PTR(-ENOPROTOOPT);
1540

1541
	if (rcu_access_pointer(ctx->peer))
1542
		return aa_get_label_rcu(&ctx->peer);
1543

1544
	if (sk->sk_family != PF_UNIX)
1545
		return ERR_PTR(-ENOPROTOOPT);
1546

1547
	return label;
1548
}
1549

1550
/**
1551
 * apparmor_socket_getpeersec_stream - get security context of peer
1552
 * @sock: socket that we are trying to get the peer context of
1553
 * @optval: output - buffer to copy peer name to
1554
 * @optlen: output - size of copied name in @optval
1555
 * @len: size of @optval buffer
1556
 * Returns: 0 on success, -errno of failure
1557
 *
1558
 * Note: for tcp only valid if using ipsec or cipso on lan
1559
 */
1560
static int apparmor_socket_getpeersec_stream(struct socket *sock,
1561
					     sockptr_t optval, sockptr_t optlen,
1562
					     unsigned int len)
1563
{
1564
	char *name = NULL;
1565
	int slen, error = 0;
1566
	struct aa_label *label;
1567
	struct aa_label *peer;
1568

1569
	peer = sk_peer_get_label(sock->sk);
1570
	if (IS_ERR(peer)) {
1571
		error = PTR_ERR(peer);
1572
		goto done;
1573
	}
1574
	label = begin_current_label_crit_section();
1575
	slen = aa_label_asxprint(&name, labels_ns(label), peer,
1576
				 FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
1577
				 FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
1578
	/* don't include terminating \0 in slen, it breaks some apps */
1579
	if (slen < 0) {
1580
		error = -ENOMEM;
1581
		goto done_put;
1582
	}
1583
	if (slen > len) {
1584
		error = -ERANGE;
1585
		goto done_len;
1586
	}
1587

1588
	if (copy_to_sockptr(optval, name, slen))
1589
		error = -EFAULT;
1590
done_len:
1591
	if (copy_to_sockptr(optlen, &slen, sizeof(slen)))
1592
		error = -EFAULT;
1593

1594
done_put:
1595
	end_current_label_crit_section(label);
1596
	aa_put_label(peer);
1597
done:
1598
	kfree(name);
1599
	return error;
1600
}
1601

1602
/**
1603
 * apparmor_socket_getpeersec_dgram - get security label of packet
1604
 * @sock: the peer socket
1605
 * @skb: packet data
1606
 * @secid: pointer to where to put the secid of the packet
1607
 *
1608
 * Sets the netlabel socket state on sk from parent
1609
 */
1610
static int apparmor_socket_getpeersec_dgram(struct socket *sock,
1611
					    struct sk_buff *skb, u32 *secid)
1612

1613
{
1614
	/* TODO: requires secid support */
1615
	return -ENOPROTOOPT;
1616
}
1617

1618
/**
1619
 * apparmor_sock_graft - Initialize newly created socket
1620
 * @sk: child sock
1621
 * @parent: parent socket
1622
 *
1623
 * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
1624
 *       just set sk security information off of current creating process label
1625
 *       Labeling of sk for accept case - probably should be sock based
1626
 *       instead of task, because of the case where an implicitly labeled
1627
 *       socket is shared by different tasks.
1628
 */
1629
static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
1630
{
1631
	struct aa_sk_ctx *ctx = aa_sock(sk);
1632

1633
	/* setup - not live */
1634
	if (!rcu_access_pointer(ctx->label))
1635
		rcu_assign_pointer(ctx->label, aa_get_current_label());
1636
}
1637

1638
#ifdef CONFIG_NETWORK_SECMARK
1639
static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb,
1640
				      struct request_sock *req)
1641
{
1642
	struct aa_sk_ctx *ctx = aa_sock(sk);
1643
	int error;
1644

1645
	if (!skb->secmark)
1646
		return 0;
1647

1648
	rcu_read_lock();
1649
	error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_CONNECT,
1650
				       AA_MAY_CONNECT, skb->secmark, sk);
1651
	rcu_read_unlock();
1652

1653
	return error;
1654
}
1655
#endif
1656

1657
/*
1658
 * The cred blob is a pointer to, not an instance of, an aa_label.
1659
 */
1660
struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
1661
	.lbs_cred = sizeof(struct aa_label *),
1662
	.lbs_file = sizeof(struct aa_file_ctx),
1663
	.lbs_task = sizeof(struct aa_task_ctx),
1664
	.lbs_sock = sizeof(struct aa_sk_ctx),
1665
};
1666

1667
static const struct lsm_id apparmor_lsmid = {
1668
	.name = "apparmor",
1669
	.id = LSM_ID_APPARMOR,
1670
};
1671

1672
static struct security_hook_list apparmor_hooks[] __ro_after_init = {
1673
	LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
1674
	LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
1675
	LSM_HOOK_INIT(capget, apparmor_capget),
1676
	LSM_HOOK_INIT(capable, apparmor_capable),
1677

1678
	LSM_HOOK_INIT(move_mount, apparmor_move_mount),
1679
	LSM_HOOK_INIT(sb_mount, apparmor_sb_mount),
1680
	LSM_HOOK_INIT(sb_umount, apparmor_sb_umount),
1681
	LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot),
1682

1683
	LSM_HOOK_INIT(path_link, apparmor_path_link),
1684
	LSM_HOOK_INIT(path_unlink, apparmor_path_unlink),
1685
	LSM_HOOK_INIT(path_symlink, apparmor_path_symlink),
1686
	LSM_HOOK_INIT(path_mkdir, apparmor_path_mkdir),
1687
	LSM_HOOK_INIT(path_rmdir, apparmor_path_rmdir),
1688
	LSM_HOOK_INIT(path_mknod, apparmor_path_mknod),
1689
	LSM_HOOK_INIT(path_rename, apparmor_path_rename),
1690
	LSM_HOOK_INIT(path_chmod, apparmor_path_chmod),
1691
	LSM_HOOK_INIT(path_chown, apparmor_path_chown),
1692
	LSM_HOOK_INIT(path_truncate, apparmor_path_truncate),
1693
	LSM_HOOK_INIT(inode_getattr, apparmor_inode_getattr),
1694

1695
	LSM_HOOK_INIT(file_open, apparmor_file_open),
1696
	LSM_HOOK_INIT(file_receive, apparmor_file_receive),
1697
	LSM_HOOK_INIT(file_permission, apparmor_file_permission),
1698
	LSM_HOOK_INIT(file_alloc_security, apparmor_file_alloc_security),
1699
	LSM_HOOK_INIT(file_free_security, apparmor_file_free_security),
1700
	LSM_HOOK_INIT(mmap_file, apparmor_mmap_file),
1701
	LSM_HOOK_INIT(file_mprotect, apparmor_file_mprotect),
1702
	LSM_HOOK_INIT(file_lock, apparmor_file_lock),
1703
	LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
1704

1705
	LSM_HOOK_INIT(getselfattr, apparmor_getselfattr),
1706
	LSM_HOOK_INIT(setselfattr, apparmor_setselfattr),
1707
	LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
1708
	LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
1709

1710
	LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
1711
	LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
1712
	LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
1713

1714
	LSM_HOOK_INIT(unix_stream_connect, apparmor_unix_stream_connect),
1715
	LSM_HOOK_INIT(unix_may_send, apparmor_unix_may_send),
1716

1717
	LSM_HOOK_INIT(socket_create, apparmor_socket_create),
1718
	LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
1719
	LSM_HOOK_INIT(socket_socketpair, apparmor_socket_socketpair),
1720
	LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
1721
	LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
1722
	LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
1723
	LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
1724
	LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
1725
	LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
1726
	LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
1727
	LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
1728
	LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
1729
	LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
1730
	LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
1731
#ifdef CONFIG_NETWORK_SECMARK
1732
	LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
1733
#endif
1734
	LSM_HOOK_INIT(socket_getpeersec_stream,
1735
		      apparmor_socket_getpeersec_stream),
1736
	LSM_HOOK_INIT(socket_getpeersec_dgram,
1737
		      apparmor_socket_getpeersec_dgram),
1738
	LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
1739
#ifdef CONFIG_NETWORK_SECMARK
1740
	LSM_HOOK_INIT(inet_conn_request, apparmor_inet_conn_request),
1741
#endif
1742

1743
	LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
1744
	LSM_HOOK_INIT(cred_free, apparmor_cred_free),
1745
	LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
1746
	LSM_HOOK_INIT(cred_transfer, apparmor_cred_transfer),
1747

1748
	LSM_HOOK_INIT(bprm_creds_for_exec, apparmor_bprm_creds_for_exec),
1749
	LSM_HOOK_INIT(bprm_committing_creds, apparmor_bprm_committing_creds),
1750
	LSM_HOOK_INIT(bprm_committed_creds, apparmor_bprm_committed_creds),
1751

1752
	LSM_HOOK_INIT(task_free, apparmor_task_free),
1753
	LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
1754
	LSM_HOOK_INIT(current_getlsmprop_subj,
1755
		      apparmor_current_getlsmprop_subj),
1756
	LSM_HOOK_INIT(task_getlsmprop_obj, apparmor_task_getlsmprop_obj),
1757
	LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
1758
	LSM_HOOK_INIT(task_kill, apparmor_task_kill),
1759
	LSM_HOOK_INIT(userns_create, apparmor_userns_create),
1760

1761
#ifdef CONFIG_AUDIT
1762
	LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
1763
	LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
1764
	LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
1765
	LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
1766
#endif
1767

1768
	LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
1769
	LSM_HOOK_INIT(lsmprop_to_secctx, apparmor_lsmprop_to_secctx),
1770
	LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
1771
	LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
1772

1773
#ifdef CONFIG_IO_URING
1774
	LSM_HOOK_INIT(uring_override_creds, apparmor_uring_override_creds),
1775
	LSM_HOOK_INIT(uring_sqpoll, apparmor_uring_sqpoll),
1776
#endif
1777
};
1778

1779
/*
1780
 * AppArmor sysfs module parameters
1781
 */
1782

1783
static int param_set_aabool(const char *val, const struct kernel_param *kp);
1784
static int param_get_aabool(char *buffer, const struct kernel_param *kp);
1785
#define param_check_aabool param_check_bool
1786
static const struct kernel_param_ops param_ops_aabool = {
1787
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
1788
	.set = param_set_aabool,
1789
	.get = param_get_aabool
1790
};
1791

1792
static int param_set_aauint(const char *val, const struct kernel_param *kp);
1793
static int param_get_aauint(char *buffer, const struct kernel_param *kp);
1794
#define param_check_aauint param_check_uint
1795
static const struct kernel_param_ops param_ops_aauint = {
1796
	.set = param_set_aauint,
1797
	.get = param_get_aauint
1798
};
1799

1800
static int param_set_aacompressionlevel(const char *val,
1801
					const struct kernel_param *kp);
1802
static int param_get_aacompressionlevel(char *buffer,
1803
					const struct kernel_param *kp);
1804
#define param_check_aacompressionlevel param_check_int
1805
static const struct kernel_param_ops param_ops_aacompressionlevel = {
1806
	.set = param_set_aacompressionlevel,
1807
	.get = param_get_aacompressionlevel
1808
};
1809

1810
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp);
1811
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp);
1812
#define param_check_aalockpolicy param_check_bool
1813
static const struct kernel_param_ops param_ops_aalockpolicy = {
1814
	.flags = KERNEL_PARAM_OPS_FL_NOARG,
1815
	.set = param_set_aalockpolicy,
1816
	.get = param_get_aalockpolicy
1817
};
1818

1819
static int param_set_debug(const char *val, const struct kernel_param *kp);
1820
static int param_get_debug(char *buffer, const struct kernel_param *kp);
1821

1822
static int param_set_audit(const char *val, const struct kernel_param *kp);
1823
static int param_get_audit(char *buffer, const struct kernel_param *kp);
1824

1825
static int param_set_mode(const char *val, const struct kernel_param *kp);
1826
static int param_get_mode(char *buffer, const struct kernel_param *kp);
1827

1828
/* Flag values, also controllable via /sys/module/apparmor/parameters
1829
 * We define special types as we want to do additional mediation.
1830
 */
1831

1832
/* AppArmor global enforcement switch - complain, enforce, kill */
1833
enum profile_mode aa_g_profile_mode = APPARMOR_ENFORCE;
1834
module_param_call(mode, param_set_mode, param_get_mode,
1835
		  &aa_g_profile_mode, S_IRUSR | S_IWUSR);
1836

1837
/* whether policy verification hashing is enabled */
1838
bool aa_g_hash_policy = IS_ENABLED(CONFIG_SECURITY_APPARMOR_HASH_DEFAULT);
1839
#ifdef CONFIG_SECURITY_APPARMOR_HASH
1840
module_param_named(hash_policy, aa_g_hash_policy, aabool, S_IRUSR | S_IWUSR);
1841
#endif
1842

1843
/* whether policy exactly as loaded is retained for debug and checkpointing */
1844
bool aa_g_export_binary = IS_ENABLED(CONFIG_SECURITY_APPARMOR_EXPORT_BINARY);
1845
#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY
1846
module_param_named(export_binary, aa_g_export_binary, aabool, 0600);
1847
#endif
1848

1849
/* policy loaddata compression level */
1850
int aa_g_rawdata_compression_level = AA_DEFAULT_CLEVEL;
1851
module_param_named(rawdata_compression_level, aa_g_rawdata_compression_level,
1852
		   aacompressionlevel, 0400);
1853

1854
/* Debug mode */
1855
int aa_g_debug;
1856
module_param_call(debug, param_set_debug, param_get_debug,
1857
		  &aa_g_debug, 0600);
1858

1859
/* Audit mode */
1860
enum audit_mode aa_g_audit;
1861
module_param_call(audit, param_set_audit, param_get_audit,
1862
		  &aa_g_audit, S_IRUSR | S_IWUSR);
1863

1864
/* Determines if audit header is included in audited messages.  This
1865
 * provides more context if the audit daemon is not running
1866
 */
1867
bool aa_g_audit_header = true;
1868
module_param_named(audit_header, aa_g_audit_header, aabool,
1869
		   S_IRUSR | S_IWUSR);
1870

1871
/* lock out loading/removal of policy
1872
 * TODO: add in at boot loading of policy, which is the only way to
1873
 *       load policy, if lock_policy is set
1874
 */
1875
bool aa_g_lock_policy;
1876
module_param_named(lock_policy, aa_g_lock_policy, aalockpolicy,
1877
		   S_IRUSR | S_IWUSR);
1878

1879
/* Syscall logging mode */
1880
bool aa_g_logsyscall;
1881
module_param_named(logsyscall, aa_g_logsyscall, aabool, S_IRUSR | S_IWUSR);
1882

1883
/* Maximum pathname length before accesses will start getting rejected */
1884
unsigned int aa_g_path_max = 2 * PATH_MAX;
1885
module_param_named(path_max, aa_g_path_max, aauint, S_IRUSR);
1886

1887
/* Determines how paranoid loading of policy is and how much verification
1888
 * on the loaded policy is done.
1889
 * DEPRECATED: read only as strict checking of load is always done now
1890
 * that none root users (user namespaces) can load policy.
1891
 */
1892
bool aa_g_paranoid_load = IS_ENABLED(CONFIG_SECURITY_APPARMOR_PARANOID_LOAD);
1893
module_param_named(paranoid_load, aa_g_paranoid_load, aabool, S_IRUGO);
1894

1895
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp);
1896
static int param_set_aaintbool(const char *val, const struct kernel_param *kp);
1897
#define param_check_aaintbool param_check_int
1898
static const struct kernel_param_ops param_ops_aaintbool = {
1899
	.set = param_set_aaintbool,
1900
	.get = param_get_aaintbool
1901
};
1902
/* Boot time disable flag */
1903
static int apparmor_enabled __ro_after_init = 1;
1904
module_param_named(enabled, apparmor_enabled, aaintbool, 0444);
1905

1906
static int __init apparmor_enabled_setup(char *str)
1907
{
1908
	unsigned long enabled;
1909
	int error = kstrtoul(str, 0, &enabled);
1910
	if (!error)
1911
		apparmor_enabled = enabled ? 1 : 0;
1912
	return 1;
1913
}
1914

1915
__setup("apparmor=", apparmor_enabled_setup);
1916

1917
/* set global flag turning off the ability to load policy */
1918
static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp)
1919
{
1920
	if (!apparmor_enabled)
1921
		return -EINVAL;
1922
	if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
1923
		return -EPERM;
1924
	return param_set_bool(val, kp);
1925
}
1926

1927
static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
1928
{
1929
	if (!apparmor_enabled)
1930
		return -EINVAL;
1931
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
1932
		return -EPERM;
1933
	return param_get_bool(buffer, kp);
1934
}
1935

1936
static int param_set_aabool(const char *val, const struct kernel_param *kp)
1937
{
1938
	if (!apparmor_enabled)
1939
		return -EINVAL;
1940
	if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
1941
		return -EPERM;
1942
	return param_set_bool(val, kp);
1943
}
1944

1945
static int param_get_aabool(char *buffer, const struct kernel_param *kp)
1946
{
1947
	if (!apparmor_enabled)
1948
		return -EINVAL;
1949
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
1950
		return -EPERM;
1951
	return param_get_bool(buffer, kp);
1952
}
1953

1954
static int param_set_aauint(const char *val, const struct kernel_param *kp)
1955
{
1956
	int error;
1957

1958
	if (!apparmor_enabled)
1959
		return -EINVAL;
1960
	/* file is ro but enforce 2nd line check */
1961
	if (apparmor_initialized)
1962
		return -EPERM;
1963

1964
	error = param_set_uint(val, kp);
1965
	aa_g_path_max = max_t(uint32_t, aa_g_path_max, sizeof(union aa_buffer));
1966
	pr_info("AppArmor: buffer size set to %d bytes\n", aa_g_path_max);
1967

1968
	return error;
1969
}
1970

1971
static int param_get_aauint(char *buffer, const struct kernel_param *kp)
1972
{
1973
	if (!apparmor_enabled)
1974
		return -EINVAL;
1975
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
1976
		return -EPERM;
1977
	return param_get_uint(buffer, kp);
1978
}
1979

1980
/* Can only be set before AppArmor is initialized (i.e. on boot cmdline). */
1981
static int param_set_aaintbool(const char *val, const struct kernel_param *kp)
1982
{
1983
	struct kernel_param kp_local;
1984
	bool value;
1985
	int error;
1986

1987
	if (apparmor_initialized)
1988
		return -EPERM;
1989

1990
	/* Create local copy, with arg pointing to bool type. */
1991
	value = !!*((int *)kp->arg);
1992
	memcpy(&kp_local, kp, sizeof(kp_local));
1993
	kp_local.arg = &value;
1994

1995
	error = param_set_bool(val, &kp_local);
1996
	if (!error)
1997
		*((int *)kp->arg) = *((bool *)kp_local.arg);
1998
	return error;
1999
}
2000

2001
/*
2002
 * To avoid changing /sys/module/apparmor/parameters/enabled from Y/N to
2003
 * 1/0, this converts the "int that is actually bool" back to bool for
2004
 * display in the /sys filesystem, while keeping it "int" for the LSM
2005
 * infrastructure.
2006
 */
2007
static int param_get_aaintbool(char *buffer, const struct kernel_param *kp)
2008
{
2009
	struct kernel_param kp_local;
2010
	bool value;
2011

2012
	/* Create local copy, with arg pointing to bool type. */
2013
	value = !!*((int *)kp->arg);
2014
	memcpy(&kp_local, kp, sizeof(kp_local));
2015
	kp_local.arg = &value;
2016

2017
	return param_get_bool(buffer, &kp_local);
2018
}
2019

2020
static int param_set_aacompressionlevel(const char *val,
2021
					const struct kernel_param *kp)
2022
{
2023
	int error;
2024

2025
	if (!apparmor_enabled)
2026
		return -EINVAL;
2027
	if (apparmor_initialized)
2028
		return -EPERM;
2029

2030
	error = param_set_int(val, kp);
2031

2032
	aa_g_rawdata_compression_level = clamp(aa_g_rawdata_compression_level,
2033
					       AA_MIN_CLEVEL, AA_MAX_CLEVEL);
2034
	pr_info("AppArmor: policy rawdata compression level set to %d\n",
2035
		aa_g_rawdata_compression_level);
2036

2037
	return error;
2038
}
2039

2040
static int param_get_aacompressionlevel(char *buffer,
2041
					const struct kernel_param *kp)
2042
{
2043
	if (!apparmor_enabled)
2044
		return -EINVAL;
2045
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
2046
		return -EPERM;
2047
	return param_get_int(buffer, kp);
2048
}
2049

2050
static int param_get_debug(char *buffer, const struct kernel_param *kp)
2051
{
2052
	if (!apparmor_enabled)
2053
		return -EINVAL;
2054
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
2055
		return -EPERM;
2056
	return aa_print_debug_params(buffer);
2057
}
2058

2059
static int param_set_debug(const char *val, const struct kernel_param *kp)
2060
{
2061
	int i;
2062

2063
	if (!apparmor_enabled)
2064
		return -EINVAL;
2065
	if (!val)
2066
		return -EINVAL;
2067
	if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
2068
		return -EPERM;
2069

2070
	i = aa_parse_debug_params(val);
2071
	if (i == DEBUG_PARSE_ERROR)
2072
		return -EINVAL;
2073

2074
	aa_g_debug = i;
2075
	return 0;
2076
}
2077

2078
static int param_get_audit(char *buffer, const struct kernel_param *kp)
2079
{
2080
	if (!apparmor_enabled)
2081
		return -EINVAL;
2082
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
2083
		return -EPERM;
2084
	return sprintf(buffer, "%s", audit_mode_names[aa_g_audit]);
2085
}
2086

2087
static int param_set_audit(const char *val, const struct kernel_param *kp)
2088
{
2089
	int i;
2090

2091
	if (!apparmor_enabled)
2092
		return -EINVAL;
2093
	if (!val)
2094
		return -EINVAL;
2095
	if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
2096
		return -EPERM;
2097

2098
	i = match_string(audit_mode_names, AUDIT_MAX_INDEX, val);
2099
	if (i < 0)
2100
		return -EINVAL;
2101

2102
	aa_g_audit = i;
2103
	return 0;
2104
}
2105

2106
static int param_get_mode(char *buffer, const struct kernel_param *kp)
2107
{
2108
	if (!apparmor_enabled)
2109
		return -EINVAL;
2110
	if (apparmor_initialized && !aa_current_policy_view_capable(NULL))
2111
		return -EPERM;
2112

2113
	return sprintf(buffer, "%s", aa_profile_mode_names[aa_g_profile_mode]);
2114
}
2115

2116
static int param_set_mode(const char *val, const struct kernel_param *kp)
2117
{
2118
	int i;
2119

2120
	if (!apparmor_enabled)
2121
		return -EINVAL;
2122
	if (!val)
2123
		return -EINVAL;
2124
	if (apparmor_initialized && !aa_current_policy_admin_capable(NULL))
2125
		return -EPERM;
2126

2127
	i = match_string(aa_profile_mode_names, APPARMOR_MODE_NAMES_MAX_INDEX,
2128
			 val);
2129
	if (i < 0)
2130
		return -EINVAL;
2131

2132
	aa_g_profile_mode = i;
2133
	return 0;
2134
}
2135

2136
char *aa_get_buffer(bool in_atomic)
2137
{
2138
	union aa_buffer *aa_buf;
2139
	struct aa_local_cache *cache;
2140
	bool try_again = true;
2141
	gfp_t flags = (GFP_KERNEL | __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
2142

2143
	/* use per cpu cached buffers first */
2144
	cache = get_cpu_ptr(&aa_local_buffers);
2145
	if (!list_empty(&cache->head)) {
2146
		aa_buf = list_first_entry(&cache->head, union aa_buffer, list);
2147
		list_del(&aa_buf->list);
2148
		cache->hold--;
2149
		cache->count--;
2150
		put_cpu_ptr(&aa_local_buffers);
2151
		return &aa_buf->buffer[0];
2152
	}
2153
	put_cpu_ptr(&aa_local_buffers);
2154

2155
	if (!spin_trylock(&aa_buffers_lock)) {
2156
		cache = get_cpu_ptr(&aa_local_buffers);
2157
		cache->hold += 1;
2158
		put_cpu_ptr(&aa_local_buffers);
2159
		spin_lock(&aa_buffers_lock);
2160
	} else {
2161
		cache = get_cpu_ptr(&aa_local_buffers);
2162
		put_cpu_ptr(&aa_local_buffers);
2163
	}
2164
retry:
2165
	if (buffer_count > reserve_count ||
2166
	    (in_atomic && !list_empty(&aa_global_buffers))) {
2167
		aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
2168
					  list);
2169
		list_del(&aa_buf->list);
2170
		buffer_count--;
2171
		spin_unlock(&aa_buffers_lock);
2172
		return aa_buf->buffer;
2173
	}
2174
	if (in_atomic) {
2175
		/*
2176
		 * out of reserve buffers and in atomic context so increase
2177
		 * how many buffers to keep in reserve
2178
		 */
2179
		reserve_count++;
2180
		flags = GFP_ATOMIC;
2181
	}
2182
	spin_unlock(&aa_buffers_lock);
2183

2184
	if (!in_atomic)
2185
		might_sleep();
2186
	aa_buf = kmalloc(aa_g_path_max, flags);
2187
	if (!aa_buf) {
2188
		if (try_again) {
2189
			try_again = false;
2190
			spin_lock(&aa_buffers_lock);
2191
			goto retry;
2192
		}
2193
		pr_warn_once("AppArmor: Failed to allocate a memory buffer.\n");
2194
		return NULL;
2195
	}
2196
	return aa_buf->buffer;
2197
}
2198

2199
void aa_put_buffer(char *buf)
2200
{
2201
	union aa_buffer *aa_buf;
2202
	struct aa_local_cache *cache;
2203

2204
	if (!buf)
2205
		return;
2206
	aa_buf = container_of(buf, union aa_buffer, buffer[0]);
2207

2208
	cache = get_cpu_ptr(&aa_local_buffers);
2209
	if (!cache->hold) {
2210
		put_cpu_ptr(&aa_local_buffers);
2211

2212
		if (spin_trylock(&aa_buffers_lock)) {
2213
			/* put back on global list */
2214
			list_add(&aa_buf->list, &aa_global_buffers);
2215
			buffer_count++;
2216
			spin_unlock(&aa_buffers_lock);
2217
			cache = get_cpu_ptr(&aa_local_buffers);
2218
			put_cpu_ptr(&aa_local_buffers);
2219
			return;
2220
		}
2221
		/* contention on global list, fallback to percpu */
2222
		cache = get_cpu_ptr(&aa_local_buffers);
2223
		cache->hold += 1;
2224
	}
2225

2226
	/* cache in percpu list */
2227
	list_add(&aa_buf->list, &cache->head);
2228
	cache->count++;
2229
	put_cpu_ptr(&aa_local_buffers);
2230
}
2231

2232
/*
2233
 * AppArmor init functions
2234
 */
2235

2236
/**
2237
 * set_init_ctx - set a task context and profile on the first task.
2238
 *
2239
 * TODO: allow setting an alternate profile than unconfined
2240
 */
2241
static int __init set_init_ctx(void)
2242
{
2243
	struct cred *cred = (__force struct cred *)current->real_cred;
2244

2245
	set_cred_label(cred, aa_get_label(ns_unconfined(root_ns)));
2246

2247
	return 0;
2248
}
2249

2250
static void destroy_buffers(void)
2251
{
2252
	union aa_buffer *aa_buf;
2253

2254
	spin_lock(&aa_buffers_lock);
2255
	while (!list_empty(&aa_global_buffers)) {
2256
		aa_buf = list_first_entry(&aa_global_buffers, union aa_buffer,
2257
					 list);
2258
		list_del(&aa_buf->list);
2259
		spin_unlock(&aa_buffers_lock);
2260
		kfree(aa_buf);
2261
		spin_lock(&aa_buffers_lock);
2262
	}
2263
	spin_unlock(&aa_buffers_lock);
2264
}
2265

2266
static int __init alloc_buffers(void)
2267
{
2268
	union aa_buffer *aa_buf;
2269
	int i, num;
2270

2271
	/*
2272
	 * per cpu set of cached allocated buffers used to help reduce
2273
	 * lock contention
2274
	 */
2275
	for_each_possible_cpu(i) {
2276
		per_cpu(aa_local_buffers, i).hold = 0;
2277
		per_cpu(aa_local_buffers, i).count = 0;
2278
		INIT_LIST_HEAD(&per_cpu(aa_local_buffers, i).head);
2279
	}
2280
	/*
2281
	 * A function may require two buffers at once. Usually the buffers are
2282
	 * used for a short period of time and are shared. On UP kernel buffers
2283
	 * two should be enough, with more CPUs it is possible that more
2284
	 * buffers will be used simultaneously. The preallocated pool may grow.
2285
	 * This preallocation has also the side-effect that AppArmor will be
2286
	 * disabled early at boot if aa_g_path_max is extremely high.
2287
	 */
2288
	if (num_online_cpus() > 1)
2289
		num = 4 + RESERVE_COUNT;
2290
	else
2291
		num = 2 + RESERVE_COUNT;
2292

2293
	for (i = 0; i < num; i++) {
2294

2295
		aa_buf = kmalloc(aa_g_path_max, GFP_KERNEL |
2296
				 __GFP_RETRY_MAYFAIL | __GFP_NOWARN);
2297
		if (!aa_buf) {
2298
			destroy_buffers();
2299
			return -ENOMEM;
2300
		}
2301
		aa_put_buffer(aa_buf->buffer);
2302
	}
2303
	return 0;
2304
}
2305

2306
#ifdef CONFIG_SYSCTL
2307
static int apparmor_dointvec(const struct ctl_table *table, int write,
2308
			     void *buffer, size_t *lenp, loff_t *ppos)
2309
{
2310
	if (!aa_current_policy_admin_capable(NULL))
2311
		return -EPERM;
2312
	if (!apparmor_enabled)
2313
		return -EINVAL;
2314

2315
	return proc_dointvec(table, write, buffer, lenp, ppos);
2316
}
2317

2318
static const struct ctl_table apparmor_sysctl_table[] = {
2319
#ifdef CONFIG_USER_NS
2320
	{
2321
		.procname       = "unprivileged_userns_apparmor_policy",
2322
		.data           = &unprivileged_userns_apparmor_policy,
2323
		.maxlen         = sizeof(int),
2324
		.mode           = 0600,
2325
		.proc_handler   = apparmor_dointvec,
2326
	},
2327
#endif /* CONFIG_USER_NS */
2328
	{
2329
		.procname       = "apparmor_display_secid_mode",
2330
		.data           = &apparmor_display_secid_mode,
2331
		.maxlen         = sizeof(int),
2332
		.mode           = 0600,
2333
		.proc_handler   = apparmor_dointvec,
2334
	},
2335
	{
2336
		.procname       = "apparmor_restrict_unprivileged_unconfined",
2337
		.data           = &aa_unprivileged_unconfined_restricted,
2338
		.maxlen         = sizeof(int),
2339
		.mode           = 0600,
2340
		.proc_handler   = apparmor_dointvec,
2341
	},
2342
};
2343

2344
static int __init apparmor_init_sysctl(void)
2345
{
2346
	return register_sysctl("kernel", apparmor_sysctl_table) ? 0 : -ENOMEM;
2347
}
2348
#else
2349
static inline int apparmor_init_sysctl(void)
2350
{
2351
	return 0;
2352
}
2353
#endif /* CONFIG_SYSCTL */
2354

2355
#if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
2356
static unsigned int apparmor_ip_postroute(void *priv,
2357
					  struct sk_buff *skb,
2358
					  const struct nf_hook_state *state)
2359
{
2360
	struct aa_sk_ctx *ctx;
2361
	struct sock *sk;
2362
	int error;
2363

2364
	if (!skb->secmark)
2365
		return NF_ACCEPT;
2366

2367
	sk = skb_to_full_sk(skb);
2368
	if (sk == NULL)
2369
		return NF_ACCEPT;
2370

2371
	ctx = aa_sock(sk);
2372
	rcu_read_lock();
2373
	error = apparmor_secmark_check(rcu_dereference(ctx->label), OP_SENDMSG,
2374
				       AA_MAY_SEND, skb->secmark, sk);
2375
	rcu_read_unlock();
2376
	if (!error)
2377
		return NF_ACCEPT;
2378

2379
	return NF_DROP_ERR(-ECONNREFUSED);
2380

2381
}
2382

2383
static const struct nf_hook_ops apparmor_nf_ops[] = {
2384
	{
2385
		.hook =         apparmor_ip_postroute,
2386
		.pf =           NFPROTO_IPV4,
2387
		.hooknum =      NF_INET_POST_ROUTING,
2388
		.priority =     NF_IP_PRI_SELINUX_FIRST,
2389
	},
2390
#if IS_ENABLED(CONFIG_IPV6)
2391
	{
2392
		.hook =         apparmor_ip_postroute,
2393
		.pf =           NFPROTO_IPV6,
2394
		.hooknum =      NF_INET_POST_ROUTING,
2395
		.priority =     NF_IP6_PRI_SELINUX_FIRST,
2396
	},
2397
#endif
2398
};
2399

2400
static int __net_init apparmor_nf_register(struct net *net)
2401
{
2402
	return nf_register_net_hooks(net, apparmor_nf_ops,
2403
				    ARRAY_SIZE(apparmor_nf_ops));
2404
}
2405

2406
static void __net_exit apparmor_nf_unregister(struct net *net)
2407
{
2408
	nf_unregister_net_hooks(net, apparmor_nf_ops,
2409
				ARRAY_SIZE(apparmor_nf_ops));
2410
}
2411

2412
static struct pernet_operations apparmor_net_ops = {
2413
	.init = apparmor_nf_register,
2414
	.exit = apparmor_nf_unregister,
2415
};
2416

2417
static int __init apparmor_nf_ip_init(void)
2418
{
2419
	int err;
2420

2421
	if (!apparmor_enabled)
2422
		return 0;
2423

2424
	err = register_pernet_subsys(&apparmor_net_ops);
2425
	if (err)
2426
		panic("Apparmor: register_pernet_subsys: error %d\n", err);
2427

2428
	return 0;
2429
}
2430
#endif
2431

2432
static char nulldfa_src[] __aligned(8) = {
2433
	#include "nulldfa.in"
2434
};
2435
static struct aa_dfa *nulldfa;
2436

2437
static char stacksplitdfa_src[] __aligned(8) = {
2438
	#include "stacksplitdfa.in"
2439
};
2440
struct aa_dfa *stacksplitdfa;
2441
struct aa_policydb *nullpdb;
2442

2443
static int __init aa_setup_dfa_engine(void)
2444
{
2445
	int error = -ENOMEM;
2446

2447
	nullpdb = aa_alloc_pdb(GFP_KERNEL);
2448
	if (!nullpdb)
2449
		return -ENOMEM;
2450

2451
	nulldfa = aa_dfa_unpack(nulldfa_src, sizeof(nulldfa_src),
2452
			    TO_ACCEPT1_FLAG(YYTD_DATA32) |
2453
			    TO_ACCEPT2_FLAG(YYTD_DATA32));
2454
	if (IS_ERR(nulldfa)) {
2455
		error = PTR_ERR(nulldfa);
2456
		goto fail;
2457
	}
2458
	nullpdb->dfa = aa_get_dfa(nulldfa);
2459
	nullpdb->perms = kcalloc(2, sizeof(struct aa_perms), GFP_KERNEL);
2460
	if (!nullpdb->perms)
2461
		goto fail;
2462
	nullpdb->size = 2;
2463

2464
	stacksplitdfa = aa_dfa_unpack(stacksplitdfa_src,
2465
				      sizeof(stacksplitdfa_src),
2466
				      TO_ACCEPT1_FLAG(YYTD_DATA32) |
2467
				      TO_ACCEPT2_FLAG(YYTD_DATA32));
2468
	if (IS_ERR(stacksplitdfa)) {
2469
		error = PTR_ERR(stacksplitdfa);
2470
		goto fail;
2471
	}
2472

2473
	return 0;
2474

2475
fail:
2476
	aa_put_pdb(nullpdb);
2477
	aa_put_dfa(nulldfa);
2478
	nullpdb = NULL;
2479
	nulldfa = NULL;
2480
	stacksplitdfa = NULL;
2481

2482
	return error;
2483
}
2484

2485
static void __init aa_teardown_dfa_engine(void)
2486
{
2487
	aa_put_dfa(stacksplitdfa);
2488
	aa_put_dfa(nulldfa);
2489
	aa_put_pdb(nullpdb);
2490
	nullpdb = NULL;
2491
	stacksplitdfa = NULL;
2492
	nulldfa = NULL;
2493
}
2494

2495
static int __init apparmor_init(void)
2496
{
2497
	int error;
2498

2499
	error = aa_setup_dfa_engine();
2500
	if (error) {
2501
		AA_ERROR("Unable to setup dfa engine\n");
2502
		goto alloc_out;
2503
	}
2504

2505
	error = aa_alloc_root_ns();
2506
	if (error) {
2507
		AA_ERROR("Unable to allocate default profile namespace\n");
2508
		goto alloc_out;
2509
	}
2510

2511
	error = apparmor_init_sysctl();
2512
	if (error) {
2513
		AA_ERROR("Unable to register sysctls\n");
2514
		goto alloc_out;
2515

2516
	}
2517

2518
	error = alloc_buffers();
2519
	if (error) {
2520
		AA_ERROR("Unable to allocate work buffers\n");
2521
		goto alloc_out;
2522
	}
2523

2524
	error = set_init_ctx();
2525
	if (error) {
2526
		AA_ERROR("Failed to set context on init task\n");
2527
		aa_free_root_ns();
2528
		goto buffers_out;
2529
	}
2530
	security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
2531
				&apparmor_lsmid);
2532

2533
	/* Inform the audit system that secctx is used */
2534
	audit_cfg_lsm(&apparmor_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
2535

2536
	/* Report that AppArmor successfully initialized */
2537
	apparmor_initialized = 1;
2538
	if (aa_g_profile_mode == APPARMOR_COMPLAIN)
2539
		aa_info_message("AppArmor initialized: complain mode enabled");
2540
	else if (aa_g_profile_mode == APPARMOR_KILL)
2541
		aa_info_message("AppArmor initialized: kill mode enabled");
2542
	else
2543
		aa_info_message("AppArmor initialized");
2544

2545
	return error;
2546

2547
buffers_out:
2548
	destroy_buffers();
2549
alloc_out:
2550
	aa_destroy_aafs();
2551
	aa_teardown_dfa_engine();
2552

2553
	apparmor_enabled = false;
2554
	return error;
2555
}
2556

2557
DEFINE_LSM(apparmor) = {
2558
	.id = &apparmor_lsmid,
2559
	.flags = LSM_FLAG_LEGACY_MAJOR | LSM_FLAG_EXCLUSIVE,
2560
	.enabled = &apparmor_enabled,
2561
	.blobs = &apparmor_blob_sizes,
2562
	.init = apparmor_init,
2563
	.initcall_fs = aa_create_aafs,
2564
#if defined(CONFIG_NETFILTER) && defined(CONFIG_NETWORK_SECMARK)
2565
	.initcall_device = apparmor_nf_ip_init,
2566
#endif
2567
#ifdef CONFIG_SECURITY_APPARMOR_HASH
2568
	.initcall_late = init_profile_hash,
2569
#endif
2570
};
2571

2572