1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AppArmor security module 4 * 5 * This file contains AppArmor policy definitions. 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11#ifndef __AA_POLICY_H 12#define __AA_POLICY_H 13 14#include <linux/capability.h> 15#include <linux/cred.h> 16#include <linux/kref.h> 17#include <linux/rhashtable.h> 18#include <linux/sched.h> 19#include <linux/slab.h> 20#include <linux/socket.h> 21 22#include "apparmor.h" 23#include "audit.h" 24#include "capability.h" 25#include "domain.h" 26#include "file.h" 27#include "lib.h" 28#include "label.h" 29#include "net.h" 30#include "perms.h" 31#include "resource.h" 32 33 34struct aa_ns; 35 36extern int unprivileged_userns_apparmor_policy; 37extern int aa_unprivileged_unconfined_restricted; 38 39extern const char *const aa_profile_mode_names[]; 40#define APPARMOR_MODE_NAMES_MAX_INDEX 4 41 42#define PROFILE_MODE(_profile, _mode) \ 43 ((aa_g_profile_mode == (_mode)) || \ 44 ((_profile)->mode == (_mode))) 45 46#define COMPLAIN_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_COMPLAIN) 47 48#define USER_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_USER) 49 50#define KILL_MODE(_profile) PROFILE_MODE((_profile), APPARMOR_KILL) 51 52#define PROFILE_IS_HAT(_profile) ((_profile)->label.flags & FLAG_HAT) 53 54#define CHECK_DEBUG1(_profile) ((_profile)->label.flags & FLAG_DEBUG1) 55 56#define CHECK_DEBUG2(_profile) ((_profile)->label.flags & FLAG_DEBUG2) 57 58#define profile_is_stale(_profile) (label_is_stale(&(_profile)->label)) 59 60#define on_list_rcu(X) (!list_empty(X) && (X)->prev != LIST_POISON2) 61 62/* 63 * FIXME: currently need a clean way to replace and remove profiles as a 64 * set. It should be done at the namespace level. 65 * Either, with a set of profiles loaded at the namespace level or via 66 * a mark and remove marked interface. 67 */ 68enum profile_mode { 69 APPARMOR_ENFORCE, /* enforce access rules */ 70 APPARMOR_COMPLAIN, /* allow and log access violations */ 71 APPARMOR_KILL, /* kill task on access violation */ 72 APPARMOR_UNCONFINED, /* profile set to unconfined */ 73 APPARMOR_USER, /* modified complain mode to userspace */ 74}; 75 76 77/* struct aa_policydb - match engine for a policy 78 * count: refcount for the pdb 79 * dfa: dfa pattern match 80 * perms: table of permissions 81 * strs: table of strings, index by x 82 * start: set of start states for the different classes of data 83 */ 84struct aa_policydb { 85 struct kref count; 86 struct aa_dfa *dfa; 87 struct { 88 struct aa_perms *perms; 89 u32 size; 90 }; 91 struct aa_str_table trans; 92 aa_state_t start[AA_CLASS_LAST + 1]; 93}; 94 95extern struct aa_policydb *nullpdb; 96 97struct aa_policydb *aa_alloc_pdb(gfp_t gfp); 98void aa_pdb_free_kref(struct kref *kref); 99 100/** 101 * aa_get_pdb - increment refcount on @pdb 102 * @pdb: policydb (MAYBE NULL) 103 * 104 * Returns: pointer to @pdb if @pdb is NULL will return NULL 105 * Requires: @pdb must be held with valid refcount when called 106 */ 107static inline struct aa_policydb *aa_get_pdb(struct aa_policydb *pdb) 108{ 109 if (pdb) 110 kref_get(&(pdb->count)); 111 112 return pdb; 113} 114 115/** 116 * aa_put_pdb - put a pdb refcount 117 * @pdb: pdb to put refcount (MAYBE NULL) 118 * 119 * Requires: if @pdb != NULL that a valid refcount be held 120 */ 121static inline void aa_put_pdb(struct aa_policydb *pdb) 122{ 123 if (pdb) 124 kref_put(&pdb->count, aa_pdb_free_kref); 125} 126 127static inline struct aa_perms *aa_lookup_perms(struct aa_policydb *policy, 128 aa_state_t state) 129{ 130 unsigned int index = ACCEPT_TABLE(policy->dfa)[state]; 131 132 if (!(policy->perms)) 133 return &default_perms; 134 135 return &(policy->perms[index]); 136} 137 138 139/* struct aa_data - generic data structure 140 * key: name for retrieving this data 141 * size: size of data in bytes 142 * data: binary data 143 * head: reserved for rhashtable 144 */ 145struct aa_data { 146 char *key; 147 u32 size; 148 char *data; 149 struct rhash_head head; 150}; 151 152/* struct aa_ruleset - data covering mediation rules 153 * @list: list the rule is on 154 * @size: the memory consumed by this ruleset 155 * @policy: general match rules governing policy 156 * @file: The set of rules governing basic file access and domain transitions 157 * @caps: capabilities for the profile 158 * @rlimits: rlimits for the profile 159 * @secmark_count: number of secmark entries 160 * @secmark: secmark label match info 161 */ 162struct aa_ruleset { 163 struct list_head list; 164 165 int size; 166 167 /* TODO: merge policy and file */ 168 struct aa_policydb *policy; 169 struct aa_policydb *file; 170 struct aa_caps caps; 171 172 struct aa_rlimit rlimits; 173 174 int secmark_count; 175 struct aa_secmark *secmark; 176}; 177 178/* struct aa_attachment - data and rules for a profiles attachment 179 * @list: 180 * @xmatch_str: human readable attachment string 181 * @xmatch: optional extended matching for unconfined executables names 182 * @xmatch_len: xmatch prefix len, used to determine xmatch priority 183 * @xattr_count: number of xattrs in table 184 * @xattrs: table of xattrs 185 */ 186struct aa_attachment { 187 const char *xmatch_str; 188 struct aa_policydb *xmatch; 189 unsigned int xmatch_len; 190 int xattr_count; 191 char **xattrs; 192}; 193 194/* struct aa_profile - basic confinement data 195 * @base - base components of the profile (name, refcount, lists, lock ...) 196 * @label - label this profile is an extension of 197 * @parent: parent of profile 198 * @ns: namespace the profile is in 199 * @rename: optional profile name that this profile renamed 200 * 201 * @audit: the auditing mode of the profile 202 * @mode: the enforcement mode of the profile 203 * @path_flags: flags controlling path generation behavior 204 * @disconnected: what to prepend if attach_disconnected is specified 205 * @attach: attachment rules for the profile 206 * @rules: rules to be enforced 207 * 208 * @dents: dentries for the profiles file entries in apparmorfs 209 * @dirname: name of the profile dir in apparmorfs 210 * @data: hashtable for free-form policy aa_data 211 * 212 * The AppArmor profile contains the basic confinement data. Each profile 213 * has a name, and exists in a namespace. The @name and @exec_match are 214 * used to determine profile attachment against unconfined tasks. All other 215 * attachments are determined by profile X transition rules. 216 * 217 * Profiles have a hierarchy where hats and children profiles keep 218 * a reference to their parent. 219 * 220 * Profile names can not begin with a : and can not contain the \0 221 * character. If a profile name begins with / it will be considered when 222 * determining profile attachment on "unconfined" tasks. 223 */ 224struct aa_profile { 225 struct aa_policy base; 226 struct aa_profile __rcu *parent; 227 228 struct aa_ns *ns; 229 const char *rename; 230 231 enum audit_mode audit; 232 long mode; 233 u32 path_flags; 234 const char *disconnected; 235 236 struct aa_attachment attach; 237 struct list_head rules; 238 239 struct aa_loaddata *rawdata; 240 unsigned char *hash; 241 char *dirname; 242 struct dentry *dents[AAFS_PROF_SIZEOF]; 243 struct rhashtable *data; 244 struct aa_label label; 245}; 246 247extern enum profile_mode aa_g_profile_mode; 248 249#define AA_MAY_LOAD_POLICY AA_MAY_APPEND 250#define AA_MAY_REPLACE_POLICY AA_MAY_WRITE 251#define AA_MAY_REMOVE_POLICY AA_MAY_DELETE 252 253#define profiles_ns(P) ((P)->ns) 254#define name_is_shared(A, B) ((A)->hname && (A)->hname == (B)->hname) 255 256struct aa_ruleset *aa_alloc_ruleset(gfp_t gfp); 257struct aa_profile *aa_alloc_profile(const char *name, struct aa_proxy *proxy, 258 gfp_t gfp); 259struct aa_profile *aa_alloc_null(struct aa_profile *parent, const char *name, 260 gfp_t gfp); 261struct aa_profile *aa_new_learning_profile(struct aa_profile *parent, bool hat, 262 const char *base, gfp_t gfp); 263void aa_free_profile(struct aa_profile *profile); 264struct aa_profile *aa_find_child(struct aa_profile *parent, const char *name); 265struct aa_profile *aa_lookupn_profile(struct aa_ns *ns, const char *hname, 266 size_t n); 267struct aa_profile *aa_lookup_profile(struct aa_ns *ns, const char *name); 268struct aa_profile *aa_fqlookupn_profile(struct aa_label *base, 269 const char *fqname, size_t n); 270 271ssize_t aa_replace_profiles(struct aa_ns *view, struct aa_label *label, 272 u32 mask, struct aa_loaddata *udata); 273ssize_t aa_remove_profiles(struct aa_ns *view, struct aa_label *label, 274 char *name, size_t size); 275void __aa_profile_list_release(struct list_head *head); 276 277#define profile_unconfined(X) ((X)->mode == APPARMOR_UNCONFINED) 278 279/** 280 * aa_get_newest_profile - simple wrapper fn to wrap the label version 281 * @p: profile (NOT NULL) 282 * 283 * Returns refcount to newest version of the profile (maybe @p) 284 * 285 * Requires: @p must be held with a valid refcount 286 */ 287static inline struct aa_profile *aa_get_newest_profile(struct aa_profile *p) 288{ 289 return labels_profile(aa_get_newest_label(&p->label)); 290} 291 292static inline aa_state_t RULE_MEDIATES(struct aa_ruleset *rules, 293 unsigned char class) 294{ 295 if (class <= AA_CLASS_LAST) 296 return rules->policy->start[class]; 297 else 298 return aa_dfa_match_len(rules->policy->dfa, 299 rules->policy->start[0], &class, 1); 300} 301 302static inline aa_state_t RULE_MEDIATES_AF(struct aa_ruleset *rules, u16 AF) 303{ 304 aa_state_t state = RULE_MEDIATES(rules, AA_CLASS_NET); 305 __be16 be_af = cpu_to_be16(AF); 306 307 if (!state) 308 return DFA_NOMATCH; 309 return aa_dfa_match_len(rules->policy->dfa, state, (char *) &be_af, 2); 310} 311 312static inline aa_state_t ANY_RULE_MEDIATES(struct list_head *head, 313 unsigned char class) 314{ 315 struct aa_ruleset *rule; 316 317 /* TODO: change to list walk */ 318 rule = list_first_entry(head, typeof(*rule), list); 319 return RULE_MEDIATES(rule, class); 320} 321 322/** 323 * aa_get_profile - increment refcount on profile @p 324 * @p: profile (MAYBE NULL) 325 * 326 * Returns: pointer to @p if @p is NULL will return NULL 327 * Requires: @p must be held with valid refcount when called 328 */ 329static inline struct aa_profile *aa_get_profile(struct aa_profile *p) 330{ 331 if (p) 332 kref_get(&(p->label.count)); 333 334 return p; 335} 336 337/** 338 * aa_get_profile_not0 - increment refcount on profile @p found via lookup 339 * @p: profile (MAYBE NULL) 340 * 341 * Returns: pointer to @p if @p is NULL will return NULL 342 * Requires: @p must be held with valid refcount when called 343 */ 344static inline struct aa_profile *aa_get_profile_not0(struct aa_profile *p) 345{ 346 if (p && kref_get_unless_zero(&p->label.count)) 347 return p; 348 349 return NULL; 350} 351 352/** 353 * aa_get_profile_rcu - increment a refcount profile that can be replaced 354 * @p: pointer to profile that can be replaced (NOT NULL) 355 * 356 * Returns: pointer to a refcounted profile. 357 * else NULL if no profile 358 */ 359static inline struct aa_profile *aa_get_profile_rcu(struct aa_profile __rcu **p) 360{ 361 struct aa_profile *c; 362 363 rcu_read_lock(); 364 do { 365 c = rcu_dereference(*p); 366 } while (c && !kref_get_unless_zero(&c->label.count)); 367 rcu_read_unlock(); 368 369 return c; 370} 371 372/** 373 * aa_put_profile - decrement refcount on profile @p 374 * @p: profile (MAYBE NULL) 375 */ 376static inline void aa_put_profile(struct aa_profile *p) 377{ 378 if (p) 379 kref_put(&p->label.count, aa_label_kref); 380} 381 382static inline int AUDIT_MODE(struct aa_profile *profile) 383{ 384 if (aa_g_audit != AUDIT_NORMAL) 385 return aa_g_audit; 386 387 return profile->audit; 388} 389 390bool aa_policy_view_capable(const struct cred *subj_cred, 391 struct aa_label *label, struct aa_ns *ns); 392bool aa_policy_admin_capable(const struct cred *subj_cred, 393 struct aa_label *label, struct aa_ns *ns); 394int aa_may_manage_policy(const struct cred *subj_cred, 395 struct aa_label *label, struct aa_ns *ns, 396 u32 mask); 397bool aa_current_policy_view_capable(struct aa_ns *ns); 398bool aa_current_policy_admin_capable(struct aa_ns *ns); 399 400#endif /* __AA_POLICY_H */ 401