
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
33 * may_change_ptraced_domain - check if can change profile on ptraced task
70 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
84 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_component() local
85 typeof(*rules), list); in match_component()
89 state = aa_dfa_match(rules->file.dfa, state, "&"); in match_component()
90 if (profile->ns == tp->ns) in match_component()
91 return aa_dfa_match(rules->file.dfa, state, tp->base.hname); in match_component()
94 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
95 state = aa_dfa_match_len(rules->file.dfa, state, ":", 1); in match_component()
96 state = aa_dfa_match(rules->file.dfa, state, ns_name); in match_component()
97 state = aa_dfa_match_len(rules->file.dfa, state, ":", 1); in match_component()
98 return aa_dfa_match(rules->file.dfa, state, tp->base.hname); in match_component()
102 * label_compound_match - find perms for full compound label
122 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_compound_match() local
123 typeof(*rules), list); in label_compound_match()
130 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
144 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
146 state = aa_dfa_match(rules->file.dfa, state, "//&"); in label_compound_match()
151 *perms = *(aa_lookup_fperms(&(rules->file), state, &cond)); in label_compound_match()
153 if ((perms->allow & request) != request) in label_compound_match()
154 return -EACCES; in label_compound_match()
160 return -EACCES; in label_compound_match()
164 * label_components_match - find perms for all subcomponents of a label
184 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_components_match() local
185 typeof(*rules), list); in label_components_match()
194 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
202 /* no subcomponents visible - no change in perms */ in label_components_match()
206 tmp = *(aa_lookup_fperms(&(rules->file), state, &cond)); in label_components_match()
210 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
215 tmp = *(aa_lookup_fperms(&(rules->file), state, &cond)); in label_components_match()
220 if ((perms->allow & request) != request) in label_components_match()
221 return -EACCES; in label_components_match()
227 return -EACCES; in label_components_match()
231 * label_match - do a multi-component label match
262 * change_profile_perms - find permissions for change_profile
281 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; in change_profile_perms()
282 perms->audit = perms->quiet = perms->kill = 0; in change_profile_perms()
291 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
304 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
305 int size, value_size = 0, ret = attach->xattr_count; in aa_xattrs_match()
307 if (!bprm || !attach->xattr_count) in aa_xattrs_match()
312 state = aa_dfa_outofband_transition(attach->xmatch.dfa, state); in aa_xattrs_match()
313 d = bprm->file->f_path.dentry; in aa_xattrs_match()
315 for (i = 0; i < attach->xattr_count; i++) { in aa_xattrs_match()
316 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i], in aa_xattrs_match()
326 state = aa_dfa_null_transition(attach->xmatch.dfa, in aa_xattrs_match()
329 state = aa_dfa_match_len(attach->xmatch.dfa, state, in aa_xattrs_match()
331 index = ACCEPT_TABLE(attach->xmatch.dfa)[state]; in aa_xattrs_match()
332 perm = attach->xmatch.perms[index].allow; in aa_xattrs_match()
334 ret = -EINVAL; in aa_xattrs_match()
339 state = aa_dfa_outofband_transition(attach->xmatch.dfa, state); in aa_xattrs_match()
347 ret = -EINVAL; in aa_xattrs_match()
351 ret--; in aa_xattrs_match()
361 * find_attach - do attachment search for unconfined processes
362 * @bprm - binprm structure of transitioning task
364 * @head - profile list to walk (NOT NULL)
365 * @name - to match against (NOT NULL)
366 * @info - info message if there was an error (NOT NULL)
391 struct aa_attachment *attach = &profile->attach; in find_attach()
393 if (profile->label.flags & FLAG_NULL && in find_attach()
394 &profile->label == ns_unconfined(profile->ns)) in find_attach()
408 if (attach->xmatch.dfa) { in find_attach()
413 state = aa_dfa_leftmatch(attach->xmatch.dfa, in find_attach()
414 attach->xmatch.start[AA_CLASS_XMATCH], in find_attach()
416 index = ACCEPT_TABLE(attach->xmatch.dfa)[state]; in find_attach()
417 perm = attach->xmatch.perms[index].allow; in find_attach()
425 if (bprm && attach->xattr_count) { in find_attach()
426 long rev = READ_ONCE(ns->revision); in find_attach()
436 READ_ONCE(ns->revision)) in find_attach()
464 candidate_len = max(count, attach->xmatch_len); in find_attach()
468 } else if (!strcmp(profile->base.name, name)) { in find_attach()
470 * old exact non-re match, without conditionals such in find_attach()
489 return &candidate->label; in find_attach()
498 * x_table_lookup - lookup an x transition name via transition table
508 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_table_lookup() local
509 typeof(*rules), list); in x_table_lookup()
520 for (*name = rules->file.trans.table[index]; !label && *name; in x_table_lookup()
527 label = &new_profile->label; in x_table_lookup()
530 label = aa_label_parse(&profile->label, *name, GFP_KERNEL, in x_table_lookup()
542 * x_to_label - get target label for a given xindex
559 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_to_label() local
560 typeof(*rules), list); in x_to_label()
562 struct aa_ns *ns = profile->ns; in x_to_label()
568 /* fail exec unless ix || ux fallback - handled by caller */ in x_to_label()
573 stack = rules->file.trans.table[xindex & AA_X_INDEX_MASK]; in x_to_label()
584 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
588 new = find_attach(bprm, ns, &ns->base.profiles, in x_to_label()
596 /* (p|c|n)ix - don't change profile but do in x_to_label()
601 new = aa_get_newest_label(&profile->label); in x_to_label()
603 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
627 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_transition() local
628 typeof(*rules), list); in profile_transition()
631 aa_state_t state = rules->file.start[AA_CLASS_FILE]; in profile_transition()
640 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
641 &name, &info, profile->disconnected); in profile_transition()
644 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
647 new = aa_get_newest_label(&profile->label); in profile_transition()
649 name = bprm->filename; in profile_transition()
654 new = find_attach(bprm, profile->ns, in profile_transition()
655 &profile->ns->base.profiles, name, &info); in profile_transition()
661 return aa_get_newest_label(&profile->label); in profile_transition()
665 state = aa_str_perms(&(rules->file), state, name, cond, &perms); in profile_transition()
670 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
671 /* hack ix fallback - improve how this is detected */ in profile_transition()
674 error = -EACCES; in profile_transition()
680 /* no exec permission - learning mode */ in profile_transition()
686 error = -ENOMEM; in profile_transition()
689 error = -EACCES; in profile_transition()
690 new = &new_profile->label; in profile_transition()
695 error = -EACCES; in profile_transition()
713 cond->uid, info, error); in profile_transition()
727 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_onexec() local
728 typeof(*rules), list); in profile_onexec()
729 aa_state_t state = rules->file.start[AA_CLASS_FILE]; in profile_onexec()
732 int error = -EACCES; in profile_onexec()
749 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
750 &xname, &info, profile->disconnected); in profile_onexec()
753 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
757 xname = bprm->filename; in profile_onexec()
762 state = aa_str_perms(&(rules->file), state, xname, cond, &perms); in profile_onexec()
771 state = aa_dfa_null_transition(rules->file.dfa, state); in profile_onexec()
791 NULL, onexec, cond->uid, info, error); in profile_onexec()
830 aa_label_merge(&profile->label, onexec, in handle_onexec()
842 AA_MAY_ONEXEC, bprm->filename, NULL, in handle_onexec()
844 "failed to build target label", -ENOMEM)); in handle_onexec()
849 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
865 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file), in apparmor_bprm_creds_for_exec()
866 file_inode(bprm->file)); in apparmor_bprm_creds_for_exec()
869 file_inode(bprm->file)->i_mode in apparmor_bprm_creds_for_exec()
873 AA_BUG(!cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
876 label = aa_get_newest_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
885 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && in apparmor_bprm_creds_for_exec()
886 !ctx->nnp) in apparmor_bprm_creds_for_exec()
887 ctx->nnp = aa_get_label(label); in apparmor_bprm_creds_for_exec()
892 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
897 if (ctx->onexec) in apparmor_bprm_creds_for_exec()
898 new = handle_onexec(label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
910 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
922 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && in apparmor_bprm_creds_for_exec()
924 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in apparmor_bprm_creds_for_exec()
925 error = -EPERM; in apparmor_bprm_creds_for_exec()
930 if (bprm->unsafe & LSM_UNSAFE_SHARE) { in apparmor_bprm_creds_for_exec()
935 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) { in apparmor_bprm_creds_for_exec()
945 "label=", bprm->filename); in apparmor_bprm_creds_for_exec()
949 bprm->secureexec = 1; in apparmor_bprm_creds_for_exec()
952 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
956 "bits. %s label=", bprm->filename); in apparmor_bprm_creds_for_exec()
960 bprm->per_clear |= PER_CLEAR_ON_SETID; in apparmor_bprm_creds_for_exec()
962 aa_put_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
964 set_cred_label(bprm->cred, new); in apparmor_bprm_creds_for_exec()
975 bprm->filename, NULL, new, in apparmor_bprm_creds_for_exec()
998 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1003 error = -EPERM; in build_change_hat()
1009 error = -ENOENT; in build_change_hat()
1015 error = -ENOMEM; in build_change_hat()
1023 name, hat ? hat->base.hname : NULL, in build_change_hat()
1024 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, in build_change_hat()
1026 if (!hat || (error && error != -ENOENT)) in build_change_hat()
1028 /* if hat && error - complain mode, already audited and we adjust for in build_change_hat()
1029 * complain mode allow by returning hat->label in build_change_hat()
1031 return &hat->label; in build_change_hat()
1060 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1065 error = -EPERM; in change_hat()
1076 error = -EPERM; in change_hat()
1083 goto build; in change_hat()
1095 if (!list_empty(&profile->base.profiles)) { in change_hat()
1097 error = -ENOENT; in change_hat()
1102 error = -ECHILD; in change_hat()
1121 build: in change_hat()
1124 aa_get_label(&profile->label)); in change_hat()
1126 info = "label build failed"; in change_hat()
1127 error = -ENOMEM; in change_hat()
1135 * aa_change_hat - change hat to/from subprofile
1164 previous = aa_get_newest_label(ctx->previous); in aa_change_hat()
1173 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_hat()
1174 ctx->nnp = aa_get_label(label); in aa_change_hat()
1178 error = -EPERM; in aa_change_hat()
1201 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_hat()
1203 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1204 error = -EPERM; in aa_change_hat()
1213 if (error == -EACCES) in aa_change_hat()
1222 !aa_label_is_unconfined_subset(previous, ctx->nnp)) { in aa_change_hat()
1224 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1225 error = -EPERM; in aa_change_hat()
1235 if (error == -EACCES) in aa_change_hat()
1268 struct aa_ruleset *rules = list_first_entry(&profile->rules, in change_profile_perms_wrapper() local
1269 typeof(*rules), list); in change_profile_perms_wrapper()
1275 rules->file.start[AA_CLASS_FILE], in change_profile_perms_wrapper()
1286 * aa_change_profile - perform a one-way profile transition
1320 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_profile()
1321 ctx->nnp = aa_get_label(label); in aa_change_profile()
1326 return -EINVAL; in aa_change_profile()
1356 * TODO: fixme using labels_profile is not right - do profile in aa_change_profile()
1367 error = -ENOMEM; in aa_change_profile()
1370 target = &tprofile->label; in aa_change_profile()
1402 * error = -EACCES; in aa_change_profile()
1413 aa_get_label(&profile->label)); in aa_change_profile()
1419 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_profile()
1421 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_profile()
1422 error = -EPERM; in aa_change_profile()
1432 info = "failed to build target label"; in aa_change_profile()
1434 error = -ENOMEM; in aa_change_profile()