Lines Matching +full:build +full:- +full:rules
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
33 * may_change_ptraced_domain - check if can change profile on ptraced task
77 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
80 * and policy->dfa with file->dfa
91 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_component() local
92 typeof(*rules), list); in match_component()
96 state = aa_dfa_match(rules->file->dfa, state, "&"); in match_component()
97 if (profile->ns == tp->ns) in match_component()
98 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
101 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
102 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
103 state = aa_dfa_match(rules->file->dfa, state, ns_name); in match_component()
104 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
105 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
109 * label_compound_match - find perms for full compound label
129 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_compound_match() local
130 typeof(*rules), list); in label_compound_match()
137 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
151 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
153 state = aa_dfa_match(rules->file->dfa, state, "//&"); in label_compound_match()
158 *perms = *(aa_lookup_fperms(rules->file, state, &cond)); in label_compound_match()
160 if ((perms->allow & request) != request) in label_compound_match()
161 return -EACCES; in label_compound_match()
167 return -EACCES; in label_compound_match()
171 * label_components_match - find perms for all subcomponents of a label
191 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_components_match() local
192 typeof(*rules), list); in label_components_match()
201 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
209 /* no subcomponents visible - no change in perms */ in label_components_match()
213 tmp = *(aa_lookup_fperms(rules->file, state, &cond)); in label_components_match()
217 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
222 tmp = *(aa_lookup_fperms(rules->file, state, &cond)); in label_components_match()
227 if ((perms->allow & request) != request) in label_components_match()
228 return -EACCES; in label_components_match()
234 return -EACCES; in label_components_match()
238 * label_match - do a multi-component label match
269 * change_profile_perms - find permissions for change_profile
289 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; in change_profile_perms()
290 perms->audit = perms->quiet = perms->kill = 0; in change_profile_perms()
299 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
312 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
313 int size, value_size = 0, ret = attach->xattr_count; in aa_xattrs_match()
315 if (!bprm || !attach->xattr_count) in aa_xattrs_match()
320 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
321 d = bprm->file->f_path.dentry; in aa_xattrs_match()
323 for (i = 0; i < attach->xattr_count; i++) { in aa_xattrs_match()
324 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i], in aa_xattrs_match()
334 state = aa_dfa_null_transition(attach->xmatch->dfa, in aa_xattrs_match()
337 state = aa_dfa_match_len(attach->xmatch->dfa, state, in aa_xattrs_match()
339 index = ACCEPT_TABLE(attach->xmatch->dfa)[state]; in aa_xattrs_match()
340 perm = attach->xmatch->perms[index].allow; in aa_xattrs_match()
342 ret = -EINVAL; in aa_xattrs_match()
347 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
355 ret = -EINVAL; in aa_xattrs_match()
359 ret--; in aa_xattrs_match()
369 * find_attach - do attachment search for unconfined processes
399 struct aa_attachment *attach = &profile->attach; in find_attach()
401 if (profile->label.flags & FLAG_NULL && in find_attach()
402 &profile->label == ns_unconfined(profile->ns)) in find_attach()
416 if (attach->xmatch->dfa) { in find_attach()
421 state = aa_dfa_leftmatch(attach->xmatch->dfa, in find_attach()
422 attach->xmatch->start[AA_CLASS_XMATCH], in find_attach()
424 index = ACCEPT_TABLE(attach->xmatch->dfa)[state]; in find_attach()
425 perm = attach->xmatch->perms[index].allow; in find_attach()
433 if (bprm && attach->xattr_count) { in find_attach()
434 long rev = READ_ONCE(ns->revision); in find_attach()
444 READ_ONCE(ns->revision)) in find_attach()
472 candidate_len = max(count, attach->xmatch_len); in find_attach()
476 } else if (!strcmp(profile->base.name, name)) { in find_attach()
478 * old exact non-re match, without conditionals such in find_attach()
497 return &candidate->label; in find_attach()
506 * x_table_lookup - lookup an x transition name via transition table
516 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_table_lookup() local
517 typeof(*rules), list); in x_table_lookup()
528 for (*name = rules->file->trans.table[index]; !label && *name; in x_table_lookup()
535 label = &new_profile->label; in x_table_lookup()
538 label = aa_label_parse(&profile->label, *name, GFP_KERNEL, in x_table_lookup()
550 * x_to_label - get target label for a given xindex
568 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_to_label() local
569 typeof(*rules), list); in x_to_label()
571 struct aa_ns *ns = profile->ns; in x_to_label()
577 /* fail exec unless ix || ux fallback - handled by caller */ in x_to_label()
582 stack = rules->file->trans.table[xindex & AA_X_INDEX_MASK]; in x_to_label()
593 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
597 new = find_attach(bprm, ns, &ns->base.profiles, in x_to_label()
605 /* (p|c|n)ix - don't change profile but do in x_to_label()
610 new = aa_get_newest_label(&profile->label); in x_to_label()
612 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
637 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_transition() local
638 typeof(*rules), list); in profile_transition()
641 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_transition()
650 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
651 &name, &info, profile->disconnected); in profile_transition()
654 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
657 new = aa_get_newest_label(&profile->label); in profile_transition()
659 name = bprm->filename; in profile_transition()
664 new = find_attach(bprm, profile->ns, in profile_transition()
665 &profile->ns->base.profiles, name, &info); in profile_transition()
671 return aa_get_newest_label(&profile->label); in profile_transition()
675 state = aa_str_perms(rules->file, state, name, cond, &perms); in profile_transition()
680 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
681 /* hack ix fallback - improve how this is detected */ in profile_transition()
684 error = -EACCES; in profile_transition()
690 /* no exec permission - learning mode */ in profile_transition()
696 error = -ENOMEM; in profile_transition()
699 error = -EACCES; in profile_transition()
700 new = &new_profile->label; in profile_transition()
705 error = -EACCES; in profile_transition()
724 cond->uid, info, error); in profile_transition()
739 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_onexec() local
740 typeof(*rules), list); in profile_onexec()
741 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_onexec()
744 int error = -EACCES; in profile_onexec()
761 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
762 &xname, &info, profile->disconnected); in profile_onexec()
765 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
769 xname = bprm->filename; in profile_onexec()
774 state = aa_str_perms(rules->file, state, xname, cond, &perms); in profile_onexec()
783 state = aa_dfa_null_transition(rules->file->dfa, state); in profile_onexec()
804 NULL, onexec, cond->uid, info, error); in profile_onexec()
845 aa_label_merge(&profile->label, onexec, in handle_onexec()
859 AA_MAY_ONEXEC, bprm->filename, NULL, in handle_onexec()
861 "failed to build target label", -ENOMEM)); in handle_onexec()
866 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
883 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file), in apparmor_bprm_creds_for_exec()
884 file_inode(bprm->file)); in apparmor_bprm_creds_for_exec()
887 file_inode(bprm->file)->i_mode in apparmor_bprm_creds_for_exec()
892 AA_BUG(!cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
895 label = aa_get_newest_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
904 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && in apparmor_bprm_creds_for_exec()
905 !ctx->nnp) in apparmor_bprm_creds_for_exec()
906 ctx->nnp = aa_get_label(label); in apparmor_bprm_creds_for_exec()
911 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
916 if (ctx->onexec) in apparmor_bprm_creds_for_exec()
917 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
930 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
942 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && in apparmor_bprm_creds_for_exec()
944 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in apparmor_bprm_creds_for_exec()
945 error = -EPERM; in apparmor_bprm_creds_for_exec()
950 if (bprm->unsafe & LSM_UNSAFE_SHARE) { in apparmor_bprm_creds_for_exec()
955 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) { in apparmor_bprm_creds_for_exec()
957 error = may_change_ptraced_domain(bprm->cred, new, &info); in apparmor_bprm_creds_for_exec()
965 "label=", bprm->filename); in apparmor_bprm_creds_for_exec()
969 bprm->secureexec = 1; in apparmor_bprm_creds_for_exec()
972 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
976 "bits. %s label=", bprm->filename); in apparmor_bprm_creds_for_exec()
980 bprm->per_clear |= PER_CLEAR_ON_SETID; in apparmor_bprm_creds_for_exec()
982 aa_put_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
984 set_cred_label(bprm->cred, new); in apparmor_bprm_creds_for_exec()
996 bprm->filename, NULL, new, in apparmor_bprm_creds_for_exec()
1020 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1025 error = -EPERM; in build_change_hat()
1031 error = -ENOENT; in build_change_hat()
1037 error = -ENOMEM; in build_change_hat()
1046 name, hat ? hat->base.hname : NULL, in build_change_hat()
1047 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, in build_change_hat()
1049 if (!hat || (error && error != -ENOENT)) in build_change_hat()
1051 /* if hat && error - complain mode, already audited and we adjust for in build_change_hat()
1052 * complain mode allow by returning hat->label in build_change_hat()
1054 return &hat->label; in build_change_hat()
1084 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1089 error = -EPERM; in change_hat()
1100 error = -EPERM; in change_hat()
1107 goto build; in change_hat()
1119 if (!list_empty(&profile->base.profiles)) { in change_hat()
1121 error = -ENOENT; in change_hat()
1126 error = -ECHILD; in change_hat()
1146 build: in change_hat()
1150 aa_get_label(&profile->label)); in change_hat()
1152 info = "label build failed"; in change_hat()
1153 error = -ENOMEM; in change_hat()
1161 * aa_change_hat - change hat to/from subprofile
1190 previous = aa_get_newest_label(ctx->previous); in aa_change_hat()
1199 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_hat()
1200 ctx->nnp = aa_get_label(label); in aa_change_hat()
1204 error = -EPERM; in aa_change_hat()
1228 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_hat()
1230 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1231 error = -EPERM; in aa_change_hat()
1240 if (error == -EACCES) in aa_change_hat()
1249 !aa_label_is_unconfined_subset(previous, ctx->nnp)) { in aa_change_hat()
1251 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1252 error = -EPERM; in aa_change_hat()
1262 if (error == -EACCES) in aa_change_hat()
1296 struct aa_ruleset *rules = list_first_entry(&profile->rules, in change_profile_perms_wrapper() local
1297 typeof(*rules), list); in change_profile_perms_wrapper()
1303 rules->file->start[AA_CLASS_FILE], in change_profile_perms_wrapper()
1317 * aa_change_profile - perform a one-way profile transition
1352 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_profile()
1353 ctx->nnp = aa_get_label(label); in aa_change_profile()
1358 return -EINVAL; in aa_change_profile()
1375 /* This should move to a per profile test. Requires pushing build in aa_change_profile()
1379 label == &labels_ns(label)->unconfined->label && in aa_change_profile()
1386 * by-passed in aa_change_profile()
1410 * TODO: fixme using labels_profile is not right - do profile in aa_change_profile()
1421 error = -ENOMEM; in aa_change_profile()
1424 target = &tprofile->label; in aa_change_profile()
1457 * error = -EACCES; in aa_change_profile()
1468 aa_get_label(&profile->label)); in aa_change_profile()
1474 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_profile()
1476 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_profile()
1477 error = -EPERM; in aa_change_profile()
1487 info = "failed to build target label"; in aa_change_profile()
1489 error = -ENOMEM; in aa_change_profile()