Lines Matching +full:build +full:- +full:rules
1 // SPDX-License-Identifier: GPL-2.0-only
7 * Copyright (C) 2002-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
32 * may_change_ptraced_domain - check if can change profile on ptraced task
76 /**** TODO: dedup to aa_label_match - needs perm and dfa, merging
79 * and policy->dfa with file->dfa
90 struct aa_ruleset *rules = list_first_entry(&profile->rules, in match_component() local
91 typeof(*rules), list); in match_component()
95 state = aa_dfa_match(rules->file->dfa, state, "&"); in match_component()
96 if (profile->ns == tp->ns) in match_component()
97 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
100 ns_name = aa_ns_name(profile->ns, tp->ns, true); in match_component()
101 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
102 state = aa_dfa_match(rules->file->dfa, state, ns_name); in match_component()
103 state = aa_dfa_match_len(rules->file->dfa, state, ":", 1); in match_component()
104 return aa_dfa_match(rules->file->dfa, state, tp->base.hname); in match_component()
108 * label_compound_match - find perms for full compound label
128 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_compound_match() local
129 typeof(*rules), list); in label_compound_match()
136 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
150 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_compound_match()
152 state = aa_dfa_match(rules->file->dfa, state, "//&"); in label_compound_match()
157 *perms = *(aa_lookup_fperms(rules->file, state, &cond)); in label_compound_match()
159 if ((perms->allow & request) != request) in label_compound_match()
160 return -EACCES; in label_compound_match()
166 return -EACCES; in label_compound_match()
170 * label_components_match - find perms for all subcomponents of a label
190 struct aa_ruleset *rules = list_first_entry(&profile->rules, in label_components_match() local
191 typeof(*rules), list); in label_components_match()
200 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
208 /* no subcomponents visible - no change in perms */ in label_components_match()
212 tmp = *(aa_lookup_fperms(rules->file, state, &cond)); in label_components_match()
216 if (!aa_ns_visible(profile->ns, tp->ns, subns)) in label_components_match()
221 tmp = *(aa_lookup_fperms(rules->file, state, &cond)); in label_components_match()
226 if ((perms->allow & request) != request) in label_components_match()
227 return -EACCES; in label_components_match()
233 return -EACCES; in label_components_match()
237 * label_match - do a multi-component label match
268 * change_profile_perms - find permissions for change_profile
288 perms->allow = AA_MAY_CHANGE_PROFILE | AA_MAY_ONEXEC; in change_profile_perms()
289 perms->audit = perms->quiet = perms->kill = 0; in change_profile_perms()
298 * aa_xattrs_match - check whether a file matches the xattrs defined in profile
311 struct aa_attachment *attach = &profile->attach; in aa_xattrs_match()
312 int size, value_size = 0, ret = attach->xattr_count; in aa_xattrs_match()
314 if (!bprm || !attach->xattr_count) in aa_xattrs_match()
319 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
320 d = bprm->file->f_path.dentry; in aa_xattrs_match()
322 for (i = 0; i < attach->xattr_count; i++) { in aa_xattrs_match()
323 size = vfs_getxattr_alloc(&nop_mnt_idmap, d, attach->xattrs[i], in aa_xattrs_match()
333 state = aa_dfa_null_transition(attach->xmatch->dfa, in aa_xattrs_match()
336 state = aa_dfa_match_len(attach->xmatch->dfa, state, in aa_xattrs_match()
338 index = ACCEPT_TABLE(attach->xmatch->dfa)[state]; in aa_xattrs_match()
339 perm = attach->xmatch->perms[index].allow; in aa_xattrs_match()
341 ret = -EINVAL; in aa_xattrs_match()
346 state = aa_dfa_outofband_transition(attach->xmatch->dfa, state); in aa_xattrs_match()
354 ret = -EINVAL; in aa_xattrs_match()
358 ret--; in aa_xattrs_match()
368 * find_attach - do attachment search for unconfined processes
398 struct aa_attachment *attach = &profile->attach; in find_attach()
400 if (profile->label.flags & FLAG_NULL && in find_attach()
401 &profile->label == ns_unconfined(profile->ns)) in find_attach()
415 if (attach->xmatch->dfa) { in find_attach()
420 state = aa_dfa_leftmatch(attach->xmatch->dfa, in find_attach()
421 attach->xmatch->start[AA_CLASS_XMATCH], in find_attach()
423 index = ACCEPT_TABLE(attach->xmatch->dfa)[state]; in find_attach()
424 perm = attach->xmatch->perms[index].allow; in find_attach()
432 if (bprm && attach->xattr_count) { in find_attach()
433 long rev = READ_ONCE(ns->revision); in find_attach()
443 READ_ONCE(ns->revision)) in find_attach()
471 candidate_len = max(count, attach->xmatch_len); in find_attach()
475 } else if (!strcmp(profile->base.name, name)) { in find_attach()
477 * old exact non-re match, without conditionals such in find_attach()
496 return &candidate->label; in find_attach()
505 * x_table_lookup - lookup an x transition name via transition table
515 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_table_lookup() local
516 typeof(*rules), list); in x_table_lookup()
527 for (*name = rules->file->trans.table[index]; !label && *name; in x_table_lookup()
534 label = &new_profile->label; in x_table_lookup()
537 label = aa_label_parse(&profile->label, *name, GFP_KERNEL, in x_table_lookup()
549 * x_to_label - get target label for a given xindex
567 struct aa_ruleset *rules = list_first_entry(&profile->rules, in x_to_label() local
568 typeof(*rules), list); in x_to_label()
570 struct aa_ns *ns = profile->ns; in x_to_label()
576 /* fail exec unless ix || ux fallback - handled by caller */ in x_to_label()
581 stack = rules->file->trans.table[xindex & AA_X_INDEX_MASK]; in x_to_label()
592 new = find_attach(bprm, ns, &profile->base.profiles, in x_to_label()
596 new = find_attach(bprm, ns, &ns->base.profiles, in x_to_label()
604 /* (p|c|n)ix - don't change profile but do in x_to_label()
609 new = aa_get_newest_label(&profile->label); in x_to_label()
611 new = aa_get_newest_label(ns_unconfined(profile->ns)); in x_to_label()
636 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_transition() local
637 typeof(*rules), list); in profile_transition()
641 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_transition()
650 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_transition()
651 &name, &info, profile->disconnected); in profile_transition()
654 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_transition()
657 new = aa_get_newest_label(&profile->label); in profile_transition()
659 name = bprm->filename; in profile_transition()
664 new = find_attach(bprm, profile->ns, in profile_transition()
665 &profile->ns->base.profiles, name, &info); in profile_transition()
671 return aa_get_newest_label(&profile->label); in profile_transition()
675 state = aa_str_perms(rules->file, state, name, cond, &perms); in profile_transition()
680 if (new && new->proxy == profile->label.proxy && info) { in profile_transition()
681 /* hack ix fallback - improve how this is detected */ in profile_transition()
691 error = -EACCES; in profile_transition()
695 /* no exec permission - learning mode */ in profile_transition()
699 error = -ENOMEM; in profile_transition()
702 error = -EACCES; in profile_transition()
703 new = &new_profile->label; in profile_transition()
708 error = -EACCES; in profile_transition()
727 cond->uid, info, error); in profile_transition()
742 struct aa_ruleset *rules = list_first_entry(&profile->rules, in profile_onexec() local
743 typeof(*rules), list); in profile_onexec()
744 aa_state_t state = rules->file->start[AA_CLASS_FILE]; in profile_onexec()
747 int error = -EACCES; in profile_onexec()
764 error = aa_path_name(&bprm->file->f_path, profile->path_flags, buffer, in profile_onexec()
765 &xname, &info, profile->disconnected); in profile_onexec()
768 (profile->label.flags & FLAG_IX_ON_NAME_ERROR)) { in profile_onexec()
772 xname = bprm->filename; in profile_onexec()
777 state = aa_str_perms(rules->file, state, xname, cond, &perms); in profile_onexec()
786 state = aa_dfa_null_transition(rules->file->dfa, state); in profile_onexec()
807 NULL, onexec, cond->uid, info, error); in profile_onexec()
836 stack ? aa_label_merge(&profile->label, onexec, in handle_onexec()
848 AA_MAY_ONEXEC, bprm->filename, NULL, in handle_onexec()
850 "failed to build target label", -ENOMEM)); in handle_onexec()
855 * apparmor_bprm_creds_for_exec - Update the new creds on the bprm struct
872 vfsuid_t vfsuid = i_uid_into_vfsuid(file_mnt_idmap(bprm->file), in apparmor_bprm_creds_for_exec()
873 file_inode(bprm->file)); in apparmor_bprm_creds_for_exec()
876 file_inode(bprm->file)->i_mode in apparmor_bprm_creds_for_exec()
881 AA_BUG(!cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
884 label = aa_get_newest_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
893 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && !unconfined(label) && in apparmor_bprm_creds_for_exec()
894 !ctx->nnp) in apparmor_bprm_creds_for_exec()
895 ctx->nnp = aa_get_label(label); in apparmor_bprm_creds_for_exec()
900 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
905 if (ctx->onexec) in apparmor_bprm_creds_for_exec()
906 new = handle_onexec(subj_cred, label, ctx->onexec, ctx->token, in apparmor_bprm_creds_for_exec()
919 error = -ENOMEM; in apparmor_bprm_creds_for_exec()
931 if ((bprm->unsafe & LSM_UNSAFE_NO_NEW_PRIVS) && in apparmor_bprm_creds_for_exec()
933 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in apparmor_bprm_creds_for_exec()
934 error = -EPERM; in apparmor_bprm_creds_for_exec()
939 if (bprm->unsafe & LSM_UNSAFE_SHARE) { in apparmor_bprm_creds_for_exec()
944 if (bprm->unsafe & (LSM_UNSAFE_PTRACE)) { in apparmor_bprm_creds_for_exec()
946 error = may_change_ptraced_domain(bprm->cred, new, &info); in apparmor_bprm_creds_for_exec()
954 bprm->filename); in apparmor_bprm_creds_for_exec()
958 bprm->secureexec = 1; in apparmor_bprm_creds_for_exec()
961 if (label->proxy != new->proxy) { in apparmor_bprm_creds_for_exec()
965 bprm->filename); in apparmor_bprm_creds_for_exec()
969 bprm->per_clear |= PER_CLEAR_ON_SETID; in apparmor_bprm_creds_for_exec()
971 aa_put_label(cred_label(bprm->cred)); in apparmor_bprm_creds_for_exec()
973 set_cred_label(bprm->cred, new); in apparmor_bprm_creds_for_exec()
985 bprm->filename, NULL, new, in apparmor_bprm_creds_for_exec()
1009 root = aa_get_profile_rcu(&profile->parent); in build_change_hat()
1014 error = -EPERM; in build_change_hat()
1020 error = -ENOENT; in build_change_hat()
1026 error = -ENOMEM; in build_change_hat()
1035 name, hat ? hat->base.hname : NULL, in build_change_hat()
1036 hat ? &hat->label : NULL, GLOBAL_ROOT_UID, info, in build_change_hat()
1038 if (!hat || (error && error != -ENOENT)) in build_change_hat()
1040 /* if hat && error - complain mode, already audited and we adjust for in build_change_hat()
1041 * complain mode allow by returning hat->label in build_change_hat()
1043 return &hat->label; in build_change_hat()
1073 root = aa_get_profile_rcu(&profile->parent); in change_hat()
1078 error = -EPERM; in change_hat()
1089 error = -EPERM; in change_hat()
1096 goto build; in change_hat()
1108 if (!list_empty(&profile->base.profiles)) { in change_hat()
1110 error = -ENOENT; in change_hat()
1115 error = -ECHILD; in change_hat()
1135 build: in change_hat()
1139 aa_get_label(&profile->label)); in change_hat()
1141 info = "label build failed"; in change_hat()
1142 error = -ENOMEM; in change_hat()
1150 * aa_change_hat - change hat to/from subprofile
1179 previous = aa_get_newest_label(ctx->previous); in aa_change_hat()
1188 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_hat()
1189 ctx->nnp = aa_get_label(label); in aa_change_hat()
1193 error = -EPERM; in aa_change_hat()
1217 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_hat()
1219 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1220 error = -EPERM; in aa_change_hat()
1229 if (error == -EACCES) in aa_change_hat()
1238 !aa_label_is_unconfined_subset(previous, ctx->nnp)) { in aa_change_hat()
1240 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_hat()
1241 error = -EPERM; in aa_change_hat()
1251 if (error == -EACCES) in aa_change_hat()
1285 struct aa_ruleset *rules = list_first_entry(&profile->rules, in change_profile_perms_wrapper() local
1286 typeof(*rules), list); in change_profile_perms_wrapper()
1292 rules->file->start[AA_CLASS_FILE], in change_profile_perms_wrapper()
1306 * aa_change_profile - perform a one-way profile transition
1341 if (task_no_new_privs(current) && !unconfined(label) && !ctx->nnp) in aa_change_profile()
1342 ctx->nnp = aa_get_label(label); in aa_change_profile()
1347 return -EINVAL; in aa_change_profile()
1364 /* This should move to a per profile test. Requires pushing build in aa_change_profile()
1368 label == &labels_ns(label)->unconfined->label && in aa_change_profile()
1375 * by-passed in aa_change_profile()
1399 * TODO: fixme using labels_profile is not right - do profile in aa_change_profile()
1410 error = -ENOMEM; in aa_change_profile()
1413 target = &tprofile->label; in aa_change_profile()
1446 * error = -EACCES; in aa_change_profile()
1457 aa_get_label(&profile->label)); in aa_change_profile()
1463 !aa_label_is_unconfined_subset(new, ctx->nnp)) { in aa_change_profile()
1465 AA_DEBUG("no_new_privs - change_hat denied"); in aa_change_profile()
1466 error = -EPERM; in aa_change_profile()
1476 info = "failed to build target label"; in aa_change_profile()
1478 error = -ENOMEM; in aa_change_profile()