linux-pinenote/security/apparmor/capability.c

/*
 * AppArmor security module
 *
 * This file contains AppArmor capability mediation functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/capability.h>
#include <linux/errno.h>
#include <linux/gfp.h>

#include "include/apparmor.h"
#include "include/capability.h"
#include "include/context.h"
#include "include/policy.h"
#include "include/audit.h"

/*
 * Table of capability names: we generate it from capabilities.h.
 */
#include "capability_names.h"

struct audit_cache {
	struct aa_profile *profile;
	kernel_cap_t caps;
};

static DEFINE_PER_CPU(struct audit_cache, audit_cache);

/**
 * audit_cb - call back for capability components of audit struct
 * @ab - audit buffer   (NOT NULL)
 * @va - audit struct to audit data from  (NOT NULL)
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	audit_log_format(ab, " capname=");
	audit_log_untrustedstring(ab, capability_names[sa->u.cap]);
}

/**
 * audit_caps - audit a capability
 * @profile: profile confining task (NOT NULL)
 * @task: task capability test was performed against (NOT NULL)
 * @cap: capability tested
 * @error: error code returned by test
 *
 * Do auditing of capability and handle, audit/complain/kill modes switching
 * and duplicate message elimination.
 *
 * Returns: 0 or sa->error on success,  error code on failure
 */
static int audit_caps(struct aa_profile *profile, struct task_struct *task,
		      int cap, int error)
{
	struct audit_cache *ent;
	int type = AUDIT_APPARMOR_AUTO;
	struct common_audit_data sa;
	struct apparmor_audit_data aad = {0,};
	sa.type = LSM_AUDIT_DATA_CAP;
	sa.aad = &aad;
	sa.u.cap = cap;
	sa.aad->tsk = task;
	sa.aad->op = OP_CAPABLE;
	sa.aad->error = error;

	if (likely(!error)) {
		/* test if auditing is being forced */
		if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
			   !cap_raised(profile->caps.audit, cap)))
			return 0;
		type = AUDIT_APPARMOR_AUDIT;
	} else if (KILL_MODE(profile) ||
		   cap_raised(profile->caps.kill, cap)) {
		type = AUDIT_APPARMOR_KILL;
	} else if (cap_raised(profile->caps.quiet, cap) &&
		   AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		   AUDIT_MODE(profile) != AUDIT_ALL) {
		/* quiet auditing */
		return error;
	}

	/* Do simple duplicate message elimination */
	ent = &get_cpu_var(audit_cache);
	if (profile == ent->profile && cap_raised(ent->caps, cap)) {
		put_cpu_var(audit_cache);
		if (COMPLAIN_MODE(profile))
			return complain_error(error);
		return error;
	} else {
		aa_put_profile(ent->profile);
		ent->profile = aa_get_profile(profile);
		cap_raise(ent->caps, cap);
	}
	put_cpu_var(audit_cache);

	return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);
}

/**
 * profile_capable - test if profile allows use of capability @cap
 * @profile: profile being enforced    (NOT NULL, NOT unconfined)
 * @cap: capability to test if allowed
 *
 * Returns: 0 if allowed else -EPERM
 */
static int profile_capable(struct aa_profile *profile, int cap)
{
	return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;
}

/**
 * aa_capable - test permission to use capability
 * @task: task doing capability test against (NOT NULL)
 * @profile: profile confining @task (NOT NULL)
 * @cap: capability to be tested
 * @audit: whether an audit record should be generated
 *
 * Look up capability in profile capability set.
 *
 * Returns: 0 on success, or else an error code.
 */
int aa_capable(struct task_struct *task, struct aa_profile *profile, int cap,
	       int audit)
{
	int error = profile_capable(profile, cap);

	if (!audit) {
		if (COMPLAIN_MODE(profile))
			return complain_error(error);
		return error;
	}

	return audit_caps(profile, task, cap, error);
}
AppArmor: mediation of non file objects ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-29 14:48:05 -07:00			`/*`
			`* AppArmor security module`
			`*`
			`* This file contains AppArmor capability mediation functions`
			`*`
			`* Copyright (C) 1998-2008 Novell/SUSE`
			`* Copyright 2009-2010 Canonical Ltd.`
			`*`
			`* This program is free software; you can redistribute it and/or`
			`* modify it under the terms of the GNU General Public License as`
			`* published by the Free Software Foundation, version 2 of the`
			`* License.`
			`*/`

			`#include <linux/capability.h>`
			`#include <linux/errno.h>`
			`#include <linux/gfp.h>`

			`#include "include/apparmor.h"`
			`#include "include/capability.h"`
			`#include "include/context.h"`
			`#include "include/policy.h"`
			`#include "include/audit.h"`

			`/*`
			`* Table of capability names: we generate it from capabilities.h.`
			`*/`
			`#include "capability_names.h"`

			`struct audit_cache {`
			`struct aa_profile *profile;`
			`kernel_cap_t caps;`
			`};`

			`static DEFINE_PER_CPU(struct audit_cache, audit_cache);`

			`/**`
			`* audit_cb - call back for capability components of audit struct`
			`* @ab - audit buffer (NOT NULL)`
			`* @va - audit struct to audit data from (NOT NULL)`
			`*/`
			`static void audit_cb(struct audit_buffer ab, void va)`
			`{`
			`struct common_audit_data *sa = va;`
			`audit_log_format(ab, " capname=");`
			`audit_log_untrustedstring(ab, capability_names[sa->u.cap]);`
			`}`

			`/**`
			`* audit_caps - audit a capability`
			`* @profile: profile confining task (NOT NULL)`
			`* @task: task capability test was performed against (NOT NULL)`
			`* @cap: capability tested`
			`* @error: error code returned by test`
			`*`
			`* Do auditing of capability and handle, audit/complain/kill modes switching`
			`* and duplicate message elimination.`
			`*`
			`* Returns: 0 or sa->error on success, error code on failure`
			`*/`
			`static int audit_caps(struct aa_profile profile, struct task_struct task,`
			`int cap, int error)`
			`{`
			`struct audit_cache *ent;`
			`int type = AUDIT_APPARMOR_AUTO;`
			`struct common_audit_data sa;`
LSM: shrink sizeof LSM specific portion of common_audit_data Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-04-03 09:37:02 -07:00			`struct apparmor_audit_data aad = {0,};`
LSM: do not initialize common_audit_data to 0 It isn't needed. If you don't set the type of the data associated with that type it is a pretty obvious programming bug. So why waste the cycles? Signed-off-by: Eric Paris <eparis@redhat.com> 2012-04-04 15:01:43 -04:00			`sa.type = LSM_AUDIT_DATA_CAP;`
LSM: shrink sizeof LSM specific portion of common_audit_data Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-04-03 09:37:02 -07:00			`sa.aad = &aad;`
AppArmor: mediation of non file objects ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-29 14:48:05 -07:00			`sa.u.cap = cap;`
apparmor: move task from common_audit_data to apparmor_audit_data apparmor is the only LSM that uses the common_audit_data tsk field. Instead of making all LSMs pay for the stack space move the aa usage into the apparmor_audit_data. Signed-off-by: Eric Paris <eparis@redhat.com> 2012-04-04 15:01:42 -04:00			`sa.aad->tsk = task;`
LSM: shrink sizeof LSM specific portion of common_audit_data Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> 2012-04-03 09:37:02 -07:00			`sa.aad->op = OP_CAPABLE;`
			`sa.aad->error = error;`
AppArmor: mediation of non file objects ipc: AppArmor ipc is currently limited to mediation done by file mediation and basic ptrace tests. Improved mediation is a wip. rlimits: AppArmor provides basic abilities to set and control rlimits at a per profile level. Only resources specified in a profile are controled or set. AppArmor rules set the hard limit to a value <= to the current hard limit (ie. they can not currently raise hard limits), and if necessary will lower the soft limit to the new hard limit value. AppArmor does not track resource limits to reset them when a profile is left so that children processes inherit the limits set by the parent even if they are not confined by the same profile. Capabilities: AppArmor provides a per profile mask of capabilities, that will further restrict. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org> 2010-07-29 14:48:05 -07:00
			`if (likely(!error)) {`
			`/* test if auditing is being forced */`
			`if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&`
			`!cap_raised(profile->caps.audit, cap)))`
			`return 0;`
			`type = AUDIT_APPARMOR_AUDIT;`
			`} else if (KILL_MODE(profile) \|\|`
			`cap_raised(profile->caps.kill, cap)) {`
			`type = AUDIT_APPARMOR_KILL;`
			`} else if (cap_raised(profile->caps.quiet, cap) &&`
			`AUDIT_MODE(profile) != AUDIT_NOQUIET &&`
			`AUDIT_MODE(profile) != AUDIT_ALL) {`
			`/* quiet auditing */`
			`return error;`
			`}`

			`/* Do simple duplicate message elimination */`
			`ent = &get_cpu_var(audit_cache);`
			`if (profile == ent->profile && cap_raised(ent->caps, cap)) {`
			`put_cpu_var(audit_cache);`
			`if (COMPLAIN_MODE(profile))`
			`return complain_error(error);`
			`return error;`
			`} else {`
			`aa_put_profile(ent->profile);`
			`ent->profile = aa_get_profile(profile);`
			`cap_raise(ent->caps, cap);`
			`}`
			`put_cpu_var(audit_cache);`

			`return aa_audit(type, profile, GFP_ATOMIC, &sa, audit_cb);`
			`}`

			`/**`
			`* profile_capable - test if profile allows use of capability @cap`
			`* @profile: profile being enforced (NOT NULL, NOT unconfined)`
			`* @cap: capability to test if allowed`
			`*`
			`* Returns: 0 if allowed else -EPERM`
			`*/`
			`static int profile_capable(struct aa_profile *profile, int cap)`
			`{`
			`return cap_raised(profile->caps.allow, cap) ? 0 : -EPERM;`
			`}`

			`/**`
			`* aa_capable - test permission to use capability`
			`* @task: task doing capability test against (NOT NULL)`
			`* @profile: profile confining @task (NOT NULL)`
			`* @cap: capability to be tested`
			`* @audit: whether an audit record should be generated`
			`*`
			`* Look up capability in profile capability set.`
			`*`
			`* Returns: 0 on success, or else an error code.`
			`*/`
			`int aa_capable(struct task_struct task, struct aa_profile profile, int cap,`
			`int audit)`
			`{`
			`int error = profile_capable(profile, cap);`

			`if (!audit) {`
			`if (COMPLAIN_MODE(profile))`
			`return complain_error(error);`
			`return error;`
			`}`

			`return audit_caps(profile, task, cap, error);`
			`}`