2 * AppArmor security module
4 * This file contains AppArmor /sys/kernel/security/apparmor interface functions
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/ctype.h>
16 #include <linux/security.h>
17 #include <linux/vmalloc.h>
18 #include <linux/module.h>
19 #include <linux/seq_file.h>
20 #include <linux/uaccess.h>
21 #include <linux/mount.h>
22 #include <linux/namei.h>
23 #include <linux/capability.h>
24 #include <linux/rcupdate.h>
26 #include <linux/poll.h>
27 #include <uapi/linux/major.h>
28 #include <uapi/linux/magic.h>
30 #include "include/apparmor.h"
31 #include "include/apparmorfs.h"
32 #include "include/audit.h"
33 #include "include/context.h"
34 #include "include/crypto.h"
35 #include "include/policy_ns.h"
36 #include "include/policy.h"
37 #include "include/policy_ns.h"
38 #include "include/resource.h"
39 #include "include/policy_unpack.h"
42 * The apparmor filesystem interface used for policy load and introspection
43 * The interface is split into two main components based on their function
44 * a securityfs component:
45 * used for static files that are always available, and which allows
46 * userspace to specificy the location of the security filesystem.
48 * fns and data are prefixed with
51 * an apparmorfs component:
52 * used loaded policy content and introspection. It is not part of a
53 * regular mounted filesystem and is available only through the magic
54 * policy symlink in the root of the securityfs apparmor/ directory.
55 * Tasks queries will be magically redirected to the correct portion
56 * of the policy tree based on their confinement.
58 * fns and data are prefixed with
61 * The aa_fs_ prefix is used to indicate the fn is used by both the
62 * securityfs and apparmorfs filesystems.
71 * aa_mangle_name - mangle a profile name to std profile layout form
72 * @name: profile name to mangle (NOT NULL)
73 * @target: buffer to store mangled name, same length as @name (MAYBE NULL)
75 * Returns: length of mangled name
77 static int mangle_name(const char *name, char *target)
81 while (*name == '/' || *name == '.')
85 for (; *name; name++) {
88 else if (isspace(*name))
90 else if (isalnum(*name) || strchr("._-", *name))
97 for (; *name; name++) {
98 if (isalnum(*name) || isspace(*name) ||
99 strchr("/._-", *name))
111 * aafs - core fns and data for the policy tree
114 #define AAFS_NAME "apparmorfs"
115 static struct vfsmount *aafs_mnt;
116 static int aafs_count;
119 static int aafs_show_path(struct seq_file *seq, struct dentry *dentry)
121 struct inode *inode = d_inode(dentry);
123 seq_printf(seq, "%s:[%lu]", AAFS_NAME, inode->i_ino);
127 static void aafs_evict_inode(struct inode *inode)
129 truncate_inode_pages_final(&inode->i_data);
131 if (S_ISLNK(inode->i_mode))
132 kfree(inode->i_link);
135 static const struct super_operations aafs_super_ops = {
136 .statfs = simple_statfs,
137 .evict_inode = aafs_evict_inode,
138 .show_path = aafs_show_path,
141 static int fill_super(struct super_block *sb, void *data, int silent)
143 static struct tree_descr files[] = { {""} };
146 error = simple_fill_super(sb, AAFS_MAGIC, files);
149 sb->s_op = &aafs_super_ops;
154 static struct dentry *aafs_mount(struct file_system_type *fs_type,
155 int flags, const char *dev_name, void *data)
157 return mount_single(fs_type, flags, data, fill_super);
160 static struct file_system_type aafs_ops = {
161 .owner = THIS_MODULE,
164 .kill_sb = kill_anon_super,
168 * __aafs_setup_d_inode - basic inode setup for apparmorfs
169 * @dir: parent directory for the dentry
170 * @dentry: dentry we are seting the inode up for
171 * @mode: permissions the file should have
172 * @data: data to store on inode.i_private, available in open()
173 * @link: if symlink, symlink target string
174 * @fops: struct file_operations that should be used
175 * @iops: struct of inode_operations that should be used
177 static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry,
178 umode_t mode, void *data, char *link,
179 const struct file_operations *fops,
180 const struct inode_operations *iops)
182 struct inode *inode = new_inode(dir->i_sb);
190 inode->i_ino = get_next_ino();
191 inode->i_mode = mode;
192 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
193 inode->i_private = data;
195 inode->i_op = iops ? iops : &simple_dir_inode_operations;
196 inode->i_fop = &simple_dir_operations;
199 } else if (S_ISLNK(mode)) {
200 inode->i_op = iops ? iops : &simple_symlink_inode_operations;
201 inode->i_link = link;
205 d_instantiate(dentry, inode);
212 * aafs_create - create a dentry in the apparmorfs filesystem
214 * @name: name of dentry to create
215 * @mode: permissions the file should have
216 * @parent: parent directory for this dentry
217 * @data: data to store on inode.i_private, available in open()
218 * @link: if symlink, symlink target string
219 * @fops: struct file_operations that should be used for
220 * @iops: struct of inode_operations that should be used
222 * This is the basic "create a xxx" function for apparmorfs.
224 * Returns a pointer to a dentry if it succeeds, that must be free with
225 * aafs_remove(). Will return ERR_PTR on failure.
227 static struct dentry *aafs_create(const char *name, umode_t mode,
228 struct dentry *parent, void *data, void *link,
229 const struct file_operations *fops,
230 const struct inode_operations *iops)
232 struct dentry *dentry;
239 if (!(mode & S_IFMT))
240 mode = (mode & S_IALLUGO) | S_IFREG;
242 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
244 return ERR_PTR(error);
246 dir = d_inode(parent);
249 dentry = lookup_one_len(name, parent, strlen(name));
253 if (d_really_is_positive(dentry)) {
258 error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops);
270 simple_release_fs(&aafs_mnt, &aafs_count);
272 return ERR_PTR(error);
276 * aafs_create_file - create a file in the apparmorfs filesystem
278 * @name: name of dentry to create
279 * @mode: permissions the file should have
280 * @parent: parent directory for this dentry
281 * @data: data to store on inode.i_private, available in open()
282 * @fops: struct file_operations that should be used for
286 static struct dentry *aafs_create_file(const char *name, umode_t mode,
287 struct dentry *parent, void *data,
288 const struct file_operations *fops)
290 return aafs_create(name, mode, parent, data, NULL, fops, NULL);
294 * aafs_create_dir - create a directory in the apparmorfs filesystem
296 * @name: name of dentry to create
297 * @parent: parent directory for this dentry
301 static struct dentry *aafs_create_dir(const char *name, struct dentry *parent)
303 return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL,
308 * aafs_create_symlink - create a symlink in the apparmorfs filesystem
309 * @name: name of dentry to create
310 * @parent: parent directory for this dentry
311 * @target: if symlink, symlink target string
312 * @iops: struct of inode_operations that should be used
314 * If @target parameter is %NULL, then the @iops parameter needs to be
315 * setup to handle .readlink and .get_link inode_operations.
317 static struct dentry *aafs_create_symlink(const char *name,
318 struct dentry *parent,
320 const struct inode_operations *iops)
326 link = kstrdup(target, GFP_KERNEL);
328 return ERR_PTR(-ENOMEM);
330 dent = aafs_create(name, S_IFLNK | 0444, parent, NULL, link, NULL,
339 * aafs_remove - removes a file or directory from the apparmorfs filesystem
341 * @dentry: dentry of the file/directory/symlink to removed.
343 static void aafs_remove(struct dentry *dentry)
347 if (!dentry || IS_ERR(dentry))
350 dir = d_inode(dentry->d_parent);
352 if (simple_positive(dentry)) {
353 if (d_is_dir(dentry))
354 simple_rmdir(dir, dentry);
356 simple_unlink(dir, dentry);
360 simple_release_fs(&aafs_mnt, &aafs_count);
365 * aa_fs - policy load/replace/remove
369 * aa_simple_write_to_buffer - common routine for getting policy from user
370 * @userbuf: user buffer to copy data from (NOT NULL)
371 * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size)
372 * @copy_size: size of data to copy from user buffer
373 * @pos: position write is at in the file (NOT NULL)
375 * Returns: kernel buffer containing copy of user buffer data or an
376 * ERR_PTR on failure.
378 static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf,
383 struct aa_loaddata *data;
385 AA_BUG(copy_size > alloc_size);
388 /* only writes from pos 0, that is complete writes */
389 return ERR_PTR(-ESPIPE);
391 /* freed by caller to simple_write_to_buffer */
392 data = aa_loaddata_alloc(alloc_size);
396 data->size = copy_size;
397 if (copy_from_user(data->data, userbuf, copy_size)) {
399 return ERR_PTR(-EFAULT);
405 static ssize_t policy_update(u32 mask, const char __user *buf, size_t size,
406 loff_t *pos, struct aa_ns *ns)
409 struct aa_loaddata *data;
410 struct aa_profile *profile = aa_current_profile();
411 /* high level check about policy management - fine grained in
414 error = aa_may_manage_policy(profile, ns, mask);
418 data = aa_simple_write_to_buffer(buf, size, size, pos);
419 error = PTR_ERR(data);
421 error = aa_replace_profiles(ns, profile, mask, data);
422 aa_put_loaddata(data);
428 /* .load file hook fn to load policy */
429 static ssize_t profile_load(struct file *f, const char __user *buf, size_t size,
432 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
433 int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns);
440 static const struct file_operations aa_fs_profile_load = {
441 .write = profile_load,
442 .llseek = default_llseek,
445 /* .replace file hook fn to load and/or replace policy */
446 static ssize_t profile_replace(struct file *f, const char __user *buf,
447 size_t size, loff_t *pos)
449 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
450 int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY,
457 static const struct file_operations aa_fs_profile_replace = {
458 .write = profile_replace,
459 .llseek = default_llseek,
462 /* .remove file hook fn to remove loaded policy */
463 static ssize_t profile_remove(struct file *f, const char __user *buf,
464 size_t size, loff_t *pos)
466 struct aa_loaddata *data;
467 struct aa_profile *profile;
469 struct aa_ns *ns = aa_get_ns(f->f_inode->i_private);
471 profile = aa_current_profile();
472 /* high level check about policy management - fine grained in
475 error = aa_may_manage_policy(profile, ns, AA_MAY_REMOVE_POLICY);
480 * aa_remove_profile needs a null terminated string so 1 extra
481 * byte is allocated and the copied data is null terminated.
483 data = aa_simple_write_to_buffer(buf, size + 1, size, pos);
485 error = PTR_ERR(data);
487 data->data[size] = 0;
488 error = aa_remove_profiles(ns, profile, data->data, size);
489 aa_put_loaddata(data);
496 static const struct file_operations aa_fs_profile_remove = {
497 .write = profile_remove,
498 .llseek = default_llseek,
506 /* revision file hook fn for policy loads */
507 static int ns_revision_release(struct inode *inode, struct file *file)
509 struct aa_revision *rev = file->private_data;
519 static ssize_t ns_revision_read(struct file *file, char __user *buf,
520 size_t size, loff_t *ppos)
522 struct aa_revision *rev = file->private_data;
527 mutex_lock(&rev->ns->lock);
528 last_read = rev->last_read;
529 if (last_read == rev->ns->revision) {
530 mutex_unlock(&rev->ns->lock);
531 if (file->f_flags & O_NONBLOCK)
533 if (wait_event_interruptible(rev->ns->wait,
535 READ_ONCE(rev->ns->revision)))
537 mutex_lock(&rev->ns->lock);
540 avail = sprintf(buffer, "%ld\n", rev->ns->revision);
541 if (*ppos + size > avail) {
542 rev->last_read = rev->ns->revision;
545 mutex_unlock(&rev->ns->lock);
547 return simple_read_from_buffer(buf, size, ppos, buffer, avail);
550 static int ns_revision_open(struct inode *inode, struct file *file)
552 struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL);
557 rev->ns = aa_get_ns(inode->i_private);
559 rev->ns = aa_get_current_ns();
560 file->private_data = rev;
565 static unsigned int ns_revision_poll(struct file *file, poll_table *pt)
567 struct aa_revision *rev = file->private_data;
568 unsigned int mask = 0;
571 mutex_lock(&rev->ns->lock);
572 poll_wait(file, &rev->ns->wait, pt);
573 if (rev->last_read < rev->ns->revision)
574 mask |= POLLIN | POLLRDNORM;
575 mutex_unlock(&rev->ns->lock);
581 void __aa_bump_ns_revision(struct aa_ns *ns)
584 wake_up_interruptible(&ns->wait);
587 static const struct file_operations aa_fs_ns_revision_fops = {
588 .owner = THIS_MODULE,
589 .open = ns_revision_open,
590 .poll = ns_revision_poll,
591 .read = ns_revision_read,
592 .llseek = generic_file_llseek,
593 .release = ns_revision_release,
596 static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms,
597 const char *match_str, size_t match_len)
601 unsigned int state = 0;
603 if (unconfined(profile))
605 if (profile->file.dfa && *match_str == AA_CLASS_FILE) {
606 dfa = profile->file.dfa;
607 state = aa_dfa_match_len(dfa, profile->file.start,
608 match_str + 1, match_len - 1);
611 struct path_cond cond = { };
613 tmp = aa_compute_fperms(dfa, state, &cond);
615 } else if (profile->policy.dfa) {
616 if (!PROFILE_MEDIATES_SAFE(profile, *match_str))
617 return; /* no change to current perms */
618 dfa = profile->policy.dfa;
619 state = aa_dfa_match_len(dfa, profile->policy.start[0],
620 match_str, match_len);
622 aa_compute_perms(dfa, state, &tmp);
626 aa_apply_modes_to_perms(profile, &tmp);
631 * query_data - queries a policy and writes its data to buf
632 * @buf: the resulting data is stored here (NOT NULL)
633 * @buf_len: size of buf
634 * @query: query string used to retrieve data
635 * @query_len: size of query including second NUL byte
637 * The buffers pointed to by buf and query may overlap. The query buffer is
638 * parsed before buf is written to.
640 * The query should look like "<LABEL>\0<KEY>\0", where <LABEL> is the name of
641 * the security confinement context and <KEY> is the name of the data to
642 * retrieve. <LABEL> and <KEY> must not be NUL-terminated.
644 * Don't expect the contents of buf to be preserved on failure.
646 * Returns: number of characters written to buf or -errno on failure
648 static ssize_t query_data(char *buf, size_t buf_len,
649 char *query, size_t query_len)
653 struct aa_profile *profile, *curr;
654 struct aa_data *data;
659 return -EINVAL; /* need a query */
661 key = query + strnlen(query, query_len) + 1;
662 if (key + 1 >= query + query_len)
663 return -EINVAL; /* not enough space for a non-empty key */
664 if (key + strnlen(key, query + query_len - key) >= query + query_len)
665 return -EINVAL; /* must end with NUL */
667 if (buf_len < sizeof(bytes) + sizeof(blocks))
668 return -EINVAL; /* not enough space */
670 curr = aa_current_profile();
671 profile = aa_fqlookupn_profile(curr, query, strnlen(query, query_len));
675 /* We are going to leave space for two numbers. The first is the total
676 * number of bytes we are writing after the first number. This is so
677 * users can read the full output without reallocation.
679 * The second number is the number of data blocks we're writing. An
680 * application might be confined by multiple policies having data in
683 memset(buf, 0, sizeof(bytes) + sizeof(blocks));
684 out = buf + sizeof(bytes) + sizeof(blocks);
688 data = rhashtable_lookup_fast(profile->data, &key,
692 if (out + sizeof(outle32) + data->size > buf + buf_len)
693 return -EINVAL; /* not enough space */
694 outle32 = __cpu_to_le32(data->size);
695 memcpy(out, &outle32, sizeof(outle32));
696 out += sizeof(outle32);
697 memcpy(out, data->data, data->size);
702 aa_put_profile(profile);
704 outle32 = __cpu_to_le32(out - buf - sizeof(bytes));
705 memcpy(buf, &outle32, sizeof(outle32));
706 outle32 = __cpu_to_le32(blocks);
707 memcpy(buf + sizeof(bytes), &outle32, sizeof(outle32));
713 * query_label - queries a label and writes permissions to buf
714 * @buf: the resulting permissions string is stored here (NOT NULL)
715 * @buf_len: size of buf
716 * @query: binary query string to match against the dfa
717 * @query_len: size of query
718 * @view_only: only compute for querier's view
720 * The buffers pointed to by buf and query may overlap. The query buffer is
721 * parsed before buf is written to.
723 * The query should look like "LABEL_NAME\0DFA_STRING" where LABEL_NAME is
724 * the name of the label, in the current namespace, that is to be queried and
725 * DFA_STRING is a binary string to match against the label(s)'s DFA.
727 * LABEL_NAME must be NUL terminated. DFA_STRING may contain NUL characters
728 * but must *not* be NUL terminated.
730 * Returns: number of characters written to buf or -errno on failure
732 static ssize_t query_label(char *buf, size_t buf_len,
733 char *query, size_t query_len, bool view_only)
735 struct aa_profile *profile, *curr;
736 char *label_name, *match_str;
737 size_t label_name_len, match_len;
738 struct aa_perms perms;
744 label_name_len = strnlen(query, query_len);
745 if (!label_name_len || label_name_len == query_len)
749 * The extra byte is to account for the null byte between the
750 * profile name and dfa string. profile_name_len is greater
751 * than zero and less than query_len, so a byte can be safely
752 * added or subtracted.
754 match_str = label_name + label_name_len + 1;
755 match_len = query_len - label_name_len - 1;
757 curr = aa_current_profile();
758 profile = aa_fqlookupn_profile(curr, label_name, label_name_len);
763 profile_query_cb(profile, &perms, match_str, match_len);
765 return scnprintf(buf, buf_len,
766 "allow 0x%08x\ndeny 0x%08x\naudit 0x%08x\nquiet 0x%08x\n",
767 perms.allow, perms.deny, perms.audit, perms.quiet);
771 * Transaction based IO.
772 * The file expects a write which triggers the transaction, and then
773 * possibly a read(s) which collects the result - which is stored in a
774 * file-local buffer. Once a new write is performed, a new set of results
775 * are stored in the file-local buffer.
777 struct multi_transaction {
783 #define MULTI_TRANSACTION_LIMIT (PAGE_SIZE - sizeof(struct multi_transaction))
784 /* TODO: replace with per file lock */
785 static DEFINE_SPINLOCK(multi_transaction_lock);
787 static void multi_transaction_kref(struct kref *kref)
789 struct multi_transaction *t;
791 t = container_of(kref, struct multi_transaction, count);
792 free_page((unsigned long) t);
795 static struct multi_transaction *
796 get_multi_transaction(struct multi_transaction *t)
799 kref_get(&(t->count));
804 static void put_multi_transaction(struct multi_transaction *t)
807 kref_put(&(t->count), multi_transaction_kref);
810 /* does not increment @new's count */
811 static void multi_transaction_set(struct file *file,
812 struct multi_transaction *new, size_t n)
814 struct multi_transaction *old;
816 AA_BUG(n > MULTI_TRANSACTION_LIMIT);
819 spin_lock(&multi_transaction_lock);
820 old = (struct multi_transaction *) file->private_data;
821 file->private_data = new;
822 spin_unlock(&multi_transaction_lock);
823 put_multi_transaction(old);
826 static struct multi_transaction *multi_transaction_new(struct file *file,
827 const char __user *buf,
830 struct multi_transaction *t;
832 if (size > MULTI_TRANSACTION_LIMIT - 1)
833 return ERR_PTR(-EFBIG);
835 t = (struct multi_transaction *)get_zeroed_page(GFP_KERNEL);
837 return ERR_PTR(-ENOMEM);
838 kref_init(&t->count);
839 if (copy_from_user(t->data, buf, size))
840 return ERR_PTR(-EFAULT);
845 static ssize_t multi_transaction_read(struct file *file, char __user *buf,
846 size_t size, loff_t *pos)
848 struct multi_transaction *t;
851 spin_lock(&multi_transaction_lock);
852 t = get_multi_transaction(file->private_data);
853 spin_unlock(&multi_transaction_lock);
857 ret = simple_read_from_buffer(buf, size, pos, t->data, t->size);
858 put_multi_transaction(t);
863 static int multi_transaction_release(struct inode *inode, struct file *file)
865 put_multi_transaction(file->private_data);
870 #define QUERY_CMD_PROFILE "profile\0"
871 #define QUERY_CMD_PROFILE_LEN 8
873 #define QUERY_CMD_DATA "data\0"
874 #define QUERY_CMD_DATA_LEN 5
877 * aa_write_access - generic permissions and data query
878 * @file: pointer to open apparmorfs/access file
879 * @ubuf: user buffer containing the complete query string (NOT NULL)
880 * @count: size of ubuf
881 * @ppos: position in the file (MUST BE ZERO)
883 * Allows for one permissions or data query per open(), write(), and read()
884 * sequence. The only queries currently supported are label-based queries for
885 * permissions or data.
887 * For permissions queries, ubuf must begin with "label\0", followed by the
888 * profile query specific format described in the query_label() function
891 * For data queries, ubuf must have the form "data\0<LABEL>\0<KEY>\0", where
892 * <LABEL> is the name of the security confinement context and <KEY> is the
893 * name of the data to retrieve.
895 * Returns: number of bytes written or -errno on failure
897 static ssize_t aa_write_access(struct file *file, const char __user *ubuf,
898 size_t count, loff_t *ppos)
900 struct multi_transaction *t;
906 t = multi_transaction_new(file, ubuf, count);
910 if (count > QUERY_CMD_PROFILE_LEN &&
911 !memcmp(t->data, QUERY_CMD_PROFILE, QUERY_CMD_PROFILE_LEN)) {
912 len = query_label(t->data, MULTI_TRANSACTION_LIMIT,
913 t->data + QUERY_CMD_PROFILE_LEN,
914 count - QUERY_CMD_PROFILE_LEN, true);
915 } else if (count > QUERY_CMD_DATA_LEN &&
916 !memcmp(t->data, QUERY_CMD_DATA, QUERY_CMD_DATA_LEN)) {
917 len = query_data(t->data, MULTI_TRANSACTION_LIMIT,
918 t->data + QUERY_CMD_DATA_LEN,
919 count - QUERY_CMD_DATA_LEN);
924 put_multi_transaction(t);
928 multi_transaction_set(file, t, len);
933 static const struct file_operations aa_sfs_access = {
934 .write = aa_write_access,
935 .read = multi_transaction_read,
936 .release = multi_transaction_release,
937 .llseek = generic_file_llseek,
940 static int aa_sfs_seq_show(struct seq_file *seq, void *v)
942 struct aa_sfs_entry *fs_file = seq->private;
947 switch (fs_file->v_type) {
948 case AA_SFS_TYPE_BOOLEAN:
949 seq_printf(seq, "%s\n", fs_file->v.boolean ? "yes" : "no");
951 case AA_SFS_TYPE_STRING:
952 seq_printf(seq, "%s\n", fs_file->v.string);
954 case AA_SFS_TYPE_U64:
955 seq_printf(seq, "%#08lx\n", fs_file->v.u64);
958 /* Ignore unpritable entry types. */
965 static int aa_sfs_seq_open(struct inode *inode, struct file *file)
967 return single_open(file, aa_sfs_seq_show, inode->i_private);
970 const struct file_operations aa_sfs_seq_file_ops = {
971 .owner = THIS_MODULE,
972 .open = aa_sfs_seq_open,
975 .release = single_release,
979 * profile based file operations
980 * policy/profiles/XXXX/profiles/ *
983 #define SEQ_PROFILE_FOPS(NAME) \
984 static int seq_profile_ ##NAME ##_open(struct inode *inode, struct file *file)\
986 return seq_profile_open(inode, file, seq_profile_ ##NAME ##_show); \
989 static const struct file_operations seq_profile_ ##NAME ##_fops = { \
990 .owner = THIS_MODULE, \
991 .open = seq_profile_ ##NAME ##_open, \
993 .llseek = seq_lseek, \
994 .release = seq_profile_release, \
997 static int seq_profile_open(struct inode *inode, struct file *file,
998 int (*show)(struct seq_file *, void *))
1000 struct aa_proxy *proxy = aa_get_proxy(inode->i_private);
1001 int error = single_open(file, show, proxy);
1004 file->private_data = NULL;
1005 aa_put_proxy(proxy);
1011 static int seq_profile_release(struct inode *inode, struct file *file)
1013 struct seq_file *seq = (struct seq_file *) file->private_data;
1015 aa_put_proxy(seq->private);
1016 return single_release(inode, file);
1019 static int seq_profile_name_show(struct seq_file *seq, void *v)
1021 struct aa_proxy *proxy = seq->private;
1022 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1023 seq_printf(seq, "%s\n", profile->base.name);
1024 aa_put_profile(profile);
1029 static int seq_profile_mode_show(struct seq_file *seq, void *v)
1031 struct aa_proxy *proxy = seq->private;
1032 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1033 seq_printf(seq, "%s\n", aa_profile_mode_names[profile->mode]);
1034 aa_put_profile(profile);
1039 static int seq_profile_attach_show(struct seq_file *seq, void *v)
1041 struct aa_proxy *proxy = seq->private;
1042 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1043 if (profile->attach)
1044 seq_printf(seq, "%s\n", profile->attach);
1045 else if (profile->xmatch)
1046 seq_puts(seq, "<unknown>\n");
1048 seq_printf(seq, "%s\n", profile->base.name);
1049 aa_put_profile(profile);
1054 static int seq_profile_hash_show(struct seq_file *seq, void *v)
1056 struct aa_proxy *proxy = seq->private;
1057 struct aa_profile *profile = aa_get_profile_rcu(&proxy->profile);
1058 unsigned int i, size = aa_hash_size();
1060 if (profile->hash) {
1061 for (i = 0; i < size; i++)
1062 seq_printf(seq, "%.2x", profile->hash[i]);
1063 seq_putc(seq, '\n');
1065 aa_put_profile(profile);
1070 SEQ_PROFILE_FOPS(name);
1071 SEQ_PROFILE_FOPS(mode);
1072 SEQ_PROFILE_FOPS(attach);
1073 SEQ_PROFILE_FOPS(hash);
1076 * namespace based files
1077 * several root files and
1081 #define SEQ_NS_FOPS(NAME) \
1082 static int seq_ns_ ##NAME ##_open(struct inode *inode, struct file *file) \
1084 return single_open(file, seq_ns_ ##NAME ##_show, inode->i_private); \
1087 static const struct file_operations seq_ns_ ##NAME ##_fops = { \
1088 .owner = THIS_MODULE, \
1089 .open = seq_ns_ ##NAME ##_open, \
1091 .llseek = seq_lseek, \
1092 .release = single_release, \
1095 static int seq_ns_level_show(struct seq_file *seq, void *v)
1097 struct aa_ns *ns = aa_current_profile()->ns;
1099 seq_printf(seq, "%d\n", ns->level);
1104 static int seq_ns_name_show(struct seq_file *seq, void *v)
1106 struct aa_ns *ns = aa_current_profile()->ns;
1108 seq_printf(seq, "%s\n", aa_ns_name(ns, ns, true));
1117 /* policy/raw_data/ * file ops */
1119 #define SEQ_RAWDATA_FOPS(NAME) \
1120 static int seq_rawdata_ ##NAME ##_open(struct inode *inode, struct file *file)\
1122 return seq_rawdata_open(inode, file, seq_rawdata_ ##NAME ##_show); \
1125 static const struct file_operations seq_rawdata_ ##NAME ##_fops = { \
1126 .owner = THIS_MODULE, \
1127 .open = seq_rawdata_ ##NAME ##_open, \
1129 .llseek = seq_lseek, \
1130 .release = seq_rawdata_release, \
1133 static int seq_rawdata_open(struct inode *inode, struct file *file,
1134 int (*show)(struct seq_file *, void *))
1136 struct aa_loaddata *data = __aa_get_loaddata(inode->i_private);
1140 /* lost race this ent is being reaped */
1143 error = single_open(file, show, data);
1145 AA_BUG(file->private_data &&
1146 ((struct seq_file *)file->private_data)->private);
1147 aa_put_loaddata(data);
1153 static int seq_rawdata_release(struct inode *inode, struct file *file)
1155 struct seq_file *seq = (struct seq_file *) file->private_data;
1158 aa_put_loaddata(seq->private);
1160 return single_release(inode, file);
1163 static int seq_rawdata_abi_show(struct seq_file *seq, void *v)
1165 struct aa_loaddata *data = seq->private;
1167 seq_printf(seq, "v%d\n", data->abi);
1172 static int seq_rawdata_revision_show(struct seq_file *seq, void *v)
1174 struct aa_loaddata *data = seq->private;
1176 seq_printf(seq, "%ld\n", data->revision);
1181 static int seq_rawdata_hash_show(struct seq_file *seq, void *v)
1183 struct aa_loaddata *data = seq->private;
1184 unsigned int i, size = aa_hash_size();
1187 for (i = 0; i < size; i++)
1188 seq_printf(seq, "%.2x", data->hash[i]);
1189 seq_putc(seq, '\n');
1195 SEQ_RAWDATA_FOPS(abi);
1196 SEQ_RAWDATA_FOPS(revision);
1197 SEQ_RAWDATA_FOPS(hash);
1199 static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size,
1202 struct aa_loaddata *rawdata = file->private_data;
1204 return simple_read_from_buffer(buf, size, ppos, rawdata->data,
1208 static int rawdata_release(struct inode *inode, struct file *file)
1210 aa_put_loaddata(file->private_data);
1215 static int rawdata_open(struct inode *inode, struct file *file)
1217 if (!policy_view_capable(NULL))
1219 file->private_data = __aa_get_loaddata(inode->i_private);
1220 if (!file->private_data)
1221 /* lost race: this entry is being reaped */
1227 static const struct file_operations rawdata_fops = {
1228 .open = rawdata_open,
1229 .read = rawdata_read,
1230 .llseek = generic_file_llseek,
1231 .release = rawdata_release,
1234 static void remove_rawdata_dents(struct aa_loaddata *rawdata)
1238 for (i = 0; i < AAFS_LOADDATA_NDENTS; i++) {
1239 if (!IS_ERR_OR_NULL(rawdata->dents[i])) {
1240 /* no refcounts on i_private */
1241 aafs_remove(rawdata->dents[i]);
1242 rawdata->dents[i] = NULL;
1247 void __aa_fs_remove_rawdata(struct aa_loaddata *rawdata)
1249 AA_BUG(rawdata->ns && !mutex_is_locked(&rawdata->ns->lock));
1252 remove_rawdata_dents(rawdata);
1253 list_del_init(&rawdata->list);
1254 aa_put_ns(rawdata->ns);
1259 int __aa_fs_create_rawdata(struct aa_ns *ns, struct aa_loaddata *rawdata)
1261 struct dentry *dent, *dir;
1265 AA_BUG(!mutex_is_locked(&ns->lock));
1266 AA_BUG(!ns_subdata_dir(ns));
1269 * just use ns revision dir was originally created at. This is
1270 * under ns->lock and if load is successful revision will be
1271 * bumped and is guaranteed to be unique
1273 rawdata->name = kasprintf(GFP_KERNEL, "%ld", ns->revision);
1277 dir = aafs_create_dir(rawdata->name, ns_subdata_dir(ns));
1279 /* ->name freed when rawdata freed */
1280 return PTR_ERR(dir);
1281 rawdata->dents[AAFS_LOADDATA_DIR] = dir;
1283 dent = aafs_create_file("abi", S_IFREG | 0444, dir, rawdata,
1284 &seq_rawdata_abi_fops);
1287 rawdata->dents[AAFS_LOADDATA_ABI] = dent;
1289 dent = aafs_create_file("revision", S_IFREG | 0444, dir, rawdata,
1290 &seq_rawdata_revision_fops);
1293 rawdata->dents[AAFS_LOADDATA_REVISION] = dent;
1295 if (aa_g_hash_policy) {
1296 dent = aafs_create_file("sha1", S_IFREG | 0444, dir,
1297 rawdata, &seq_rawdata_hash_fops);
1300 rawdata->dents[AAFS_LOADDATA_HASH] = dent;
1303 dent = aafs_create_file("raw_data", S_IFREG | 0444,
1304 dir, rawdata, &rawdata_fops);
1307 rawdata->dents[AAFS_LOADDATA_DATA] = dent;
1308 d_inode(dent)->i_size = rawdata->size;
1310 rawdata->ns = aa_get_ns(ns);
1311 list_add(&rawdata->list, &ns->rawdata_list);
1312 /* no refcount on inode rawdata */
1317 remove_rawdata_dents(rawdata);
1319 return PTR_ERR(dent);
1322 /** fns to setup dynamic per profile/namespace files **/
1326 * Requires: @profile->ns->lock held
1328 void __aafs_profile_rmdir(struct aa_profile *profile)
1330 struct aa_profile *child;
1336 list_for_each_entry(child, &profile->base.profiles, base.list)
1337 __aafs_profile_rmdir(child);
1339 for (i = AAFS_PROF_SIZEOF - 1; i >= 0; --i) {
1340 struct aa_proxy *proxy;
1341 if (!profile->dents[i])
1344 proxy = d_inode(profile->dents[i])->i_private;
1345 aafs_remove(profile->dents[i]);
1346 aa_put_proxy(proxy);
1347 profile->dents[i] = NULL;
1353 * Requires: @old->ns->lock held
1355 void __aafs_profile_migrate_dents(struct aa_profile *old,
1356 struct aa_profile *new)
1360 for (i = 0; i < AAFS_PROF_SIZEOF; i++) {
1361 new->dents[i] = old->dents[i];
1363 new->dents[i]->d_inode->i_mtime = current_time(new->dents[i]->d_inode);
1364 old->dents[i] = NULL;
1368 static struct dentry *create_profile_file(struct dentry *dir, const char *name,
1369 struct aa_profile *profile,
1370 const struct file_operations *fops)
1372 struct aa_proxy *proxy = aa_get_proxy(profile->proxy);
1373 struct dentry *dent;
1375 dent = aafs_create_file(name, S_IFREG | 0444, dir, proxy, fops);
1377 aa_put_proxy(proxy);
1382 static int profile_depth(struct aa_profile *profile)
1387 for (depth = 0; profile; profile = rcu_access_pointer(profile->parent))
1394 static int gen_symlink_name(char *buffer, size_t bsize, int depth,
1395 const char *dirname, const char *fname)
1399 for (; depth > 0; depth--) {
1401 return -ENAMETOOLONG;
1402 strcpy(buffer, "../../");
1407 error = snprintf(buffer, bsize, "raw_data/%s/%s", dirname, fname);
1408 if (error >= bsize || error < 0)
1409 return -ENAMETOOLONG;
1415 * Requires: @profile->ns->lock held
1417 int __aafs_profile_mkdir(struct aa_profile *profile, struct dentry *parent)
1419 struct aa_profile *child;
1420 struct dentry *dent = NULL, *dir;
1424 struct aa_profile *p;
1425 p = aa_deref_parent(profile);
1427 /* adding to parent that previously didn't have children */
1428 dent = aafs_create_dir("profiles", dent);
1431 prof_child_dir(p) = parent = dent;
1434 if (!profile->dirname) {
1436 len = mangle_name(profile->base.name, NULL);
1437 id_len = snprintf(NULL, 0, ".%ld", profile->ns->uniq_id);
1439 profile->dirname = kmalloc(len + id_len + 1, GFP_KERNEL);
1440 if (!profile->dirname) {
1445 mangle_name(profile->base.name, profile->dirname);
1446 sprintf(profile->dirname + len, ".%ld", profile->ns->uniq_id++);
1449 dent = aafs_create_dir(profile->dirname, parent);
1452 prof_dir(profile) = dir = dent;
1454 dent = create_profile_file(dir, "name", profile,
1455 &seq_profile_name_fops);
1458 profile->dents[AAFS_PROF_NAME] = dent;
1460 dent = create_profile_file(dir, "mode", profile,
1461 &seq_profile_mode_fops);
1464 profile->dents[AAFS_PROF_MODE] = dent;
1466 dent = create_profile_file(dir, "attach", profile,
1467 &seq_profile_attach_fops);
1470 profile->dents[AAFS_PROF_ATTACH] = dent;
1472 if (profile->hash) {
1473 dent = create_profile_file(dir, "sha1", profile,
1474 &seq_profile_hash_fops);
1477 profile->dents[AAFS_PROF_HASH] = dent;
1480 if (profile->rawdata) {
1482 int depth = profile_depth(profile);
1484 error = gen_symlink_name(target, sizeof(target), depth,
1485 profile->rawdata->name, "sha1");
1488 dent = aafs_create_symlink("raw_sha1", dir, target, NULL);
1491 profile->dents[AAFS_PROF_RAW_HASH] = dent;
1493 error = gen_symlink_name(target, sizeof(target), depth,
1494 profile->rawdata->name, "abi");
1497 dent = aafs_create_symlink("raw_abi", dir, target, NULL);
1500 profile->dents[AAFS_PROF_RAW_ABI] = dent;
1502 error = gen_symlink_name(target, sizeof(target), depth,
1503 profile->rawdata->name, "raw_data");
1506 dent = aafs_create_symlink("raw_data", dir, target, NULL);
1509 profile->dents[AAFS_PROF_RAW_DATA] = dent;
1512 list_for_each_entry(child, &profile->base.profiles, base.list) {
1513 error = __aafs_profile_mkdir(child, prof_child_dir(profile));
1521 error = PTR_ERR(dent);
1524 __aafs_profile_rmdir(profile);
1529 static int ns_mkdir_op(struct inode *dir, struct dentry *dentry, umode_t mode)
1531 struct aa_ns *ns, *parent;
1532 /* TODO: improve permission check */
1533 struct aa_profile *profile = aa_current_profile();
1534 int error = aa_may_manage_policy(profile, NULL, AA_MAY_LOAD_POLICY);
1539 parent = aa_get_ns(dir->i_private);
1540 AA_BUG(d_inode(ns_subns_dir(parent)) != dir);
1542 /* we have to unlock and then relock to get locking order right
1546 error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count);
1547 mutex_lock(&parent->lock);
1548 inode_lock_nested(dir, I_MUTEX_PARENT);
1552 error = __aafs_setup_d_inode(dir, dentry, mode | S_IFDIR, NULL,
1557 ns = __aa_find_or_create_ns(parent, READ_ONCE(dentry->d_name.name),
1560 error = PTR_ERR(ns);
1564 aa_put_ns(ns); /* list ref remains */
1567 simple_release_fs(&aafs_mnt, &aafs_count);
1569 mutex_unlock(&parent->lock);
1575 static int ns_rmdir_op(struct inode *dir, struct dentry *dentry)
1577 struct aa_ns *ns, *parent;
1578 /* TODO: improve permission check */
1579 struct aa_profile *profile = aa_current_profile();
1580 int error = aa_may_manage_policy(profile, NULL, AA_MAY_LOAD_POLICY);
1585 parent = aa_get_ns(dir->i_private);
1586 /* rmdir calls the generic securityfs functions to remove files
1587 * from the apparmor dir. It is up to the apparmor ns locking
1591 inode_unlock(dentry->d_inode);
1593 mutex_lock(&parent->lock);
1594 ns = aa_get_ns(__aa_findn_ns(&parent->sub_ns, dentry->d_name.name,
1595 dentry->d_name.len));
1600 AA_BUG(ns_dir(ns) != dentry);
1606 mutex_unlock(&parent->lock);
1607 inode_lock_nested(dir, I_MUTEX_PARENT);
1608 inode_lock(dentry->d_inode);
1614 static const struct inode_operations ns_dir_inode_operations = {
1615 .lookup = simple_lookup,
1616 .mkdir = ns_mkdir_op,
1617 .rmdir = ns_rmdir_op,
1620 static void __aa_fs_list_remove_rawdata(struct aa_ns *ns)
1622 struct aa_loaddata *ent, *tmp;
1624 AA_BUG(!mutex_is_locked(&ns->lock));
1626 list_for_each_entry_safe(ent, tmp, &ns->rawdata_list, list)
1627 __aa_fs_remove_rawdata(ent);
1632 * Requires: @ns->lock held
1634 void __aafs_ns_rmdir(struct aa_ns *ns)
1637 struct aa_profile *child;
1643 list_for_each_entry(child, &ns->base.profiles, base.list)
1644 __aafs_profile_rmdir(child);
1646 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1647 mutex_lock(&sub->lock);
1648 __aafs_ns_rmdir(sub);
1649 mutex_unlock(&sub->lock);
1652 __aa_fs_list_remove_rawdata(ns);
1654 if (ns_subns_dir(ns)) {
1655 sub = d_inode(ns_subns_dir(ns))->i_private;
1658 if (ns_subload(ns)) {
1659 sub = d_inode(ns_subload(ns))->i_private;
1662 if (ns_subreplace(ns)) {
1663 sub = d_inode(ns_subreplace(ns))->i_private;
1666 if (ns_subremove(ns)) {
1667 sub = d_inode(ns_subremove(ns))->i_private;
1670 if (ns_subrevision(ns)) {
1671 sub = d_inode(ns_subrevision(ns))->i_private;
1675 for (i = AAFS_NS_SIZEOF - 1; i >= 0; --i) {
1676 aafs_remove(ns->dents[i]);
1677 ns->dents[i] = NULL;
1681 /* assumes cleanup in caller */
1682 static int __aafs_ns_mkdir_entries(struct aa_ns *ns, struct dentry *dir)
1684 struct dentry *dent;
1689 dent = aafs_create_dir("profiles", dir);
1691 return PTR_ERR(dent);
1692 ns_subprofs_dir(ns) = dent;
1694 dent = aafs_create_dir("raw_data", dir);
1696 return PTR_ERR(dent);
1697 ns_subdata_dir(ns) = dent;
1699 dent = aafs_create_file("revision", 0444, dir, ns,
1700 &aa_fs_ns_revision_fops);
1702 return PTR_ERR(dent);
1704 ns_subrevision(ns) = dent;
1706 dent = aafs_create_file(".load", 0640, dir, ns,
1707 &aa_fs_profile_load);
1709 return PTR_ERR(dent);
1711 ns_subload(ns) = dent;
1713 dent = aafs_create_file(".replace", 0640, dir, ns,
1714 &aa_fs_profile_replace);
1716 return PTR_ERR(dent);
1718 ns_subreplace(ns) = dent;
1720 dent = aafs_create_file(".remove", 0640, dir, ns,
1721 &aa_fs_profile_remove);
1723 return PTR_ERR(dent);
1725 ns_subremove(ns) = dent;
1727 /* use create_dentry so we can supply private data */
1728 dent = aafs_create("namespaces", S_IFDIR | 0755, dir, ns, NULL, NULL,
1729 &ns_dir_inode_operations);
1731 return PTR_ERR(dent);
1733 ns_subns_dir(ns) = dent;
1739 * Requires: @ns->lock held
1741 int __aafs_ns_mkdir(struct aa_ns *ns, struct dentry *parent, const char *name,
1742 struct dentry *dent)
1745 struct aa_profile *child;
1751 AA_BUG(!mutex_is_locked(&ns->lock));
1754 name = ns->base.name;
1757 /* create ns dir if it doesn't already exist */
1758 dent = aafs_create_dir(name, parent);
1763 ns_dir(ns) = dir = dent;
1764 error = __aafs_ns_mkdir_entries(ns, dir);
1769 list_for_each_entry(child, &ns->base.profiles, base.list) {
1770 error = __aafs_profile_mkdir(child, ns_subprofs_dir(ns));
1776 list_for_each_entry(sub, &ns->sub_ns, base.list) {
1777 mutex_lock(&sub->lock);
1778 error = __aafs_ns_mkdir(sub, ns_subns_dir(ns), NULL, NULL);
1779 mutex_unlock(&sub->lock);
1787 error = PTR_ERR(dent);
1790 __aafs_ns_rmdir(ns);
1796 #define list_entry_is_head(pos, head, member) (&pos->member == (head))
1799 * __next_ns - find the next namespace to list
1800 * @root: root namespace to stop search at (NOT NULL)
1801 * @ns: current ns position (NOT NULL)
1803 * Find the next namespace from @ns under @root and handle all locking needed
1804 * while switching current namespace.
1806 * Returns: next namespace or NULL if at last namespace under @root
1807 * Requires: ns->parent->lock to be held
1808 * NOTE: will not unlock root->lock
1810 static struct aa_ns *__next_ns(struct aa_ns *root, struct aa_ns *ns)
1812 struct aa_ns *parent, *next;
1814 /* is next namespace a child */
1815 if (!list_empty(&ns->sub_ns)) {
1816 next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list);
1817 mutex_lock(&next->lock);
1821 /* check if the next ns is a sibling, parent, gp, .. */
1822 parent = ns->parent;
1823 while (ns != root) {
1824 mutex_unlock(&ns->lock);
1825 next = list_next_entry(ns, base.list);
1826 if (!list_entry_is_head(next, &parent->sub_ns, base.list)) {
1827 mutex_lock(&next->lock);
1831 parent = parent->parent;
1838 * __first_profile - find the first profile in a namespace
1839 * @root: namespace that is root of profiles being displayed (NOT NULL)
1840 * @ns: namespace to start in (NOT NULL)
1842 * Returns: unrefcounted profile or NULL if no profile
1843 * Requires: profile->ns.lock to be held
1845 static struct aa_profile *__first_profile(struct aa_ns *root,
1848 for (; ns; ns = __next_ns(root, ns)) {
1849 if (!list_empty(&ns->base.profiles))
1850 return list_first_entry(&ns->base.profiles,
1851 struct aa_profile, base.list);
1857 * __next_profile - step to the next profile in a profile tree
1858 * @profile: current profile in tree (NOT NULL)
1860 * Perform a depth first traversal on the profile tree in a namespace
1862 * Returns: next profile or NULL if done
1863 * Requires: profile->ns.lock to be held
1865 static struct aa_profile *__next_profile(struct aa_profile *p)
1867 struct aa_profile *parent;
1868 struct aa_ns *ns = p->ns;
1870 /* is next profile a child */
1871 if (!list_empty(&p->base.profiles))
1872 return list_first_entry(&p->base.profiles, typeof(*p),
1875 /* is next profile a sibling, parent sibling, gp, sibling, .. */
1876 parent = rcu_dereference_protected(p->parent,
1877 mutex_is_locked(&p->ns->lock));
1879 p = list_next_entry(p, base.list);
1880 if (!list_entry_is_head(p, &parent->base.profiles, base.list))
1883 parent = rcu_dereference_protected(parent->parent,
1884 mutex_is_locked(&parent->ns->lock));
1887 /* is next another profile in the namespace */
1888 p = list_next_entry(p, base.list);
1889 if (!list_entry_is_head(p, &ns->base.profiles, base.list))
1896 * next_profile - step to the next profile in where ever it may be
1897 * @root: root namespace (NOT NULL)
1898 * @profile: current profile (NOT NULL)
1900 * Returns: next profile or NULL if there isn't one
1902 static struct aa_profile *next_profile(struct aa_ns *root,
1903 struct aa_profile *profile)
1905 struct aa_profile *next = __next_profile(profile);
1909 /* finished all profiles in namespace move to next namespace */
1910 return __first_profile(root, __next_ns(root, profile->ns));
1914 * p_start - start a depth first traversal of profile tree
1915 * @f: seq_file to fill
1916 * @pos: current position
1918 * Returns: first profile under current namespace or NULL if none found
1920 * acquires first ns->lock
1922 static void *p_start(struct seq_file *f, loff_t *pos)
1924 struct aa_profile *profile = NULL;
1925 struct aa_ns *root = aa_current_profile()->ns;
1927 f->private = aa_get_ns(root);
1930 /* find the first profile */
1931 mutex_lock(&root->lock);
1932 profile = __first_profile(root, root);
1934 /* skip to position */
1935 for (; profile && l > 0; l--)
1936 profile = next_profile(root, profile);
1942 * p_next - read the next profile entry
1943 * @f: seq_file to fill
1944 * @p: profile previously returned
1945 * @pos: current position
1947 * Returns: next profile after @p or NULL if none
1949 * may acquire/release locks in namespace tree as necessary
1951 static void *p_next(struct seq_file *f, void *p, loff_t *pos)
1953 struct aa_profile *profile = p;
1954 struct aa_ns *ns = f->private;
1957 return next_profile(ns, profile);
1961 * p_stop - stop depth first traversal
1962 * @f: seq_file we are filling
1963 * @p: the last profile writen
1965 * Release all locking done by p_start/p_next on namespace tree
1967 static void p_stop(struct seq_file *f, void *p)
1969 struct aa_profile *profile = p;
1970 struct aa_ns *root = f->private, *ns;
1973 for (ns = profile->ns; ns && ns != root; ns = ns->parent)
1974 mutex_unlock(&ns->lock);
1976 mutex_unlock(&root->lock);
1981 * seq_show_profile - show a profile entry
1982 * @f: seq_file to file
1983 * @p: current position (profile) (NOT NULL)
1985 * Returns: error on failure
1987 static int seq_show_profile(struct seq_file *f, void *p)
1989 struct aa_profile *profile = (struct aa_profile *)p;
1990 struct aa_ns *root = f->private;
1992 if (profile->ns != root)
1993 seq_printf(f, ":%s://", aa_ns_name(root, profile->ns, true));
1994 seq_printf(f, "%s (%s)\n", profile->base.hname,
1995 aa_profile_mode_names[profile->mode]);
2000 static const struct seq_operations aa_sfs_profiles_op = {
2004 .show = seq_show_profile,
2007 static int profiles_open(struct inode *inode, struct file *file)
2009 if (!policy_view_capable(NULL))
2012 return seq_open(file, &aa_sfs_profiles_op);
2015 static int profiles_release(struct inode *inode, struct file *file)
2017 return seq_release(inode, file);
2020 static const struct file_operations aa_sfs_profiles_fops = {
2021 .open = profiles_open,
2023 .llseek = seq_lseek,
2024 .release = profiles_release,
2028 /** Base file system setup **/
2029 static struct aa_sfs_entry aa_sfs_entry_file[] = {
2030 AA_SFS_FILE_STRING("mask",
2031 "create read write exec append mmap_exec link lock"),
2035 static struct aa_sfs_entry aa_sfs_entry_domain[] = {
2036 AA_SFS_FILE_BOOLEAN("change_hat", 1),
2037 AA_SFS_FILE_BOOLEAN("change_hatv", 1),
2038 AA_SFS_FILE_BOOLEAN("change_onexec", 1),
2039 AA_SFS_FILE_BOOLEAN("change_profile", 1),
2040 AA_SFS_FILE_BOOLEAN("fix_binfmt_elf_mmap", 1),
2041 AA_SFS_FILE_STRING("version", "1.2"),
2045 static struct aa_sfs_entry aa_sfs_entry_versions[] = {
2046 AA_SFS_FILE_BOOLEAN("v5", 1),
2050 static struct aa_sfs_entry aa_sfs_entry_policy[] = {
2051 AA_SFS_DIR("versions", aa_sfs_entry_versions),
2052 AA_SFS_FILE_BOOLEAN("set_load", 1),
2056 static struct aa_sfs_entry aa_sfs_entry_query_label[] = {
2057 AA_SFS_FILE_STRING("perms", "allow deny audit quiet"),
2058 AA_SFS_FILE_BOOLEAN("data", 1),
2059 AA_SFS_FILE_BOOLEAN("multi_transaction", 1),
2063 static struct aa_sfs_entry aa_sfs_entry_query[] = {
2064 AA_SFS_DIR("label", aa_sfs_entry_query_label),
2067 static struct aa_sfs_entry aa_sfs_entry_features[] = {
2068 AA_SFS_DIR("policy", aa_sfs_entry_policy),
2069 AA_SFS_DIR("domain", aa_sfs_entry_domain),
2070 AA_SFS_DIR("file", aa_sfs_entry_file),
2071 AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
2072 AA_SFS_DIR("rlimit", aa_sfs_entry_rlimit),
2073 AA_SFS_DIR("caps", aa_sfs_entry_caps),
2074 AA_SFS_DIR("query", aa_sfs_entry_query),
2078 static struct aa_sfs_entry aa_sfs_entry_apparmor[] = {
2079 AA_SFS_FILE_FOPS(".access", 0640, &aa_sfs_access),
2080 AA_SFS_FILE_FOPS(".ns_level", 0666, &seq_ns_level_fops),
2081 AA_SFS_FILE_FOPS(".ns_name", 0640, &seq_ns_name_fops),
2082 AA_SFS_FILE_FOPS("profiles", 0440, &aa_sfs_profiles_fops),
2083 AA_SFS_DIR("features", aa_sfs_entry_features),
2087 static struct aa_sfs_entry aa_sfs_entry =
2088 AA_SFS_DIR("apparmor", aa_sfs_entry_apparmor);
2091 * entry_create_file - create a file entry in the apparmor securityfs
2092 * @fs_file: aa_sfs_entry to build an entry for (NOT NULL)
2093 * @parent: the parent dentry in the securityfs
2095 * Use entry_remove_file to remove entries created with this fn.
2097 static int __init entry_create_file(struct aa_sfs_entry *fs_file,
2098 struct dentry *parent)
2102 fs_file->dentry = securityfs_create_file(fs_file->name,
2103 S_IFREG | fs_file->mode,
2106 if (IS_ERR(fs_file->dentry)) {
2107 error = PTR_ERR(fs_file->dentry);
2108 fs_file->dentry = NULL;
2113 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir);
2115 * entry_create_dir - recursively create a directory entry in the securityfs
2116 * @fs_dir: aa_sfs_entry (and all child entries) to build (NOT NULL)
2117 * @parent: the parent dentry in the securityfs
2119 * Use entry_remove_dir to remove entries created with this fn.
2121 static int __init entry_create_dir(struct aa_sfs_entry *fs_dir,
2122 struct dentry *parent)
2124 struct aa_sfs_entry *fs_file;
2128 dir = securityfs_create_dir(fs_dir->name, parent);
2130 return PTR_ERR(dir);
2131 fs_dir->dentry = dir;
2133 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2134 if (fs_file->v_type == AA_SFS_TYPE_DIR)
2135 error = entry_create_dir(fs_file, fs_dir->dentry);
2137 error = entry_create_file(fs_file, fs_dir->dentry);
2145 entry_remove_dir(fs_dir);
2151 * entry_remove_file - drop a single file entry in the apparmor securityfs
2152 * @fs_file: aa_sfs_entry to detach from the securityfs (NOT NULL)
2154 static void __init entry_remove_file(struct aa_sfs_entry *fs_file)
2156 if (!fs_file->dentry)
2159 securityfs_remove(fs_file->dentry);
2160 fs_file->dentry = NULL;
2164 * entry_remove_dir - recursively drop a directory entry from the securityfs
2165 * @fs_dir: aa_sfs_entry (and all child entries) to detach (NOT NULL)
2167 static void __init entry_remove_dir(struct aa_sfs_entry *fs_dir)
2169 struct aa_sfs_entry *fs_file;
2171 for (fs_file = fs_dir->v.files; fs_file && fs_file->name; ++fs_file) {
2172 if (fs_file->v_type == AA_SFS_TYPE_DIR)
2173 entry_remove_dir(fs_file);
2175 entry_remove_file(fs_file);
2178 entry_remove_file(fs_dir);
2182 * aa_destroy_aafs - cleanup and free aafs
2184 * releases dentries allocated by aa_create_aafs
2186 void __init aa_destroy_aafs(void)
2188 entry_remove_dir(&aa_sfs_entry);
2192 #define NULL_FILE_NAME ".null"
2193 struct path aa_null;
2195 static int aa_mk_null_file(struct dentry *parent)
2197 struct vfsmount *mount = NULL;
2198 struct dentry *dentry;
2199 struct inode *inode;
2201 int error = simple_pin_fs(parent->d_sb->s_type, &mount, &count);
2206 inode_lock(d_inode(parent));
2207 dentry = lookup_one_len(NULL_FILE_NAME, parent, strlen(NULL_FILE_NAME));
2208 if (IS_ERR(dentry)) {
2209 error = PTR_ERR(dentry);
2212 inode = new_inode(parent->d_inode->i_sb);
2218 inode->i_ino = get_next_ino();
2219 inode->i_mode = S_IFCHR | S_IRUGO | S_IWUGO;
2220 inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode);
2221 init_special_inode(inode, S_IFCHR | S_IRUGO | S_IWUGO,
2222 MKDEV(MEM_MAJOR, 3));
2223 d_instantiate(dentry, inode);
2224 aa_null.dentry = dget(dentry);
2225 aa_null.mnt = mntget(mount);
2232 inode_unlock(d_inode(parent));
2233 simple_release_fs(&mount, &count);
2239 static const char *policy_get_link(struct dentry *dentry,
2240 struct inode *inode,
2241 struct delayed_call *done)
2247 return ERR_PTR(-ECHILD);
2248 ns = aa_get_current_ns();
2249 path.mnt = mntget(aafs_mnt);
2250 path.dentry = dget(ns_dir(ns));
2251 nd_jump_link(&path);
2257 static int ns_get_name(char *buf, size_t size, struct aa_ns *ns,
2258 struct inode *inode)
2260 int res = snprintf(buf, size, "%s:[%lu]", AAFS_NAME, inode->i_ino);
2262 if (res < 0 || res >= size)
2268 static int policy_readlink(struct dentry *dentry, char __user *buffer,
2275 ns = aa_get_current_ns();
2276 res = ns_get_name(name, sizeof(name), ns, d_inode(dentry));
2278 res = readlink_copy(buffer, buflen, name);
2284 static const struct inode_operations policy_link_iops = {
2285 .readlink = policy_readlink,
2286 .get_link = policy_get_link,
2291 * aa_create_aafs - create the apparmor security filesystem
2293 * dentries created here are released by aa_destroy_aafs
2295 * Returns: error on failure
2297 static int __init aa_create_aafs(void)
2299 struct dentry *dent;
2302 if (!apparmor_initialized)
2305 if (aa_sfs_entry.dentry) {
2306 AA_ERROR("%s: AppArmor securityfs already exists\n", __func__);
2310 /* setup apparmorfs used to virtualize policy/ */
2311 aafs_mnt = kern_mount(&aafs_ops);
2312 if (IS_ERR(aafs_mnt))
2313 panic("can't set apparmorfs up\n");
2314 aafs_mnt->mnt_sb->s_flags &= ~MS_NOUSER;
2316 /* Populate fs tree. */
2317 error = entry_create_dir(&aa_sfs_entry, NULL);
2321 dent = securityfs_create_file(".load", 0666, aa_sfs_entry.dentry,
2322 NULL, &aa_fs_profile_load);
2324 error = PTR_ERR(dent);
2327 ns_subload(root_ns) = dent;
2329 dent = securityfs_create_file(".replace", 0666, aa_sfs_entry.dentry,
2330 NULL, &aa_fs_profile_replace);
2332 error = PTR_ERR(dent);
2335 ns_subreplace(root_ns) = dent;
2337 dent = securityfs_create_file(".remove", 0666, aa_sfs_entry.dentry,
2338 NULL, &aa_fs_profile_remove);
2340 error = PTR_ERR(dent);
2343 ns_subremove(root_ns) = dent;
2345 dent = securityfs_create_file("revision", 0444, aa_sfs_entry.dentry,
2346 NULL, &aa_fs_ns_revision_fops);
2348 error = PTR_ERR(dent);
2351 ns_subrevision(root_ns) = dent;
2353 /* policy tree referenced by magic policy symlink */
2354 mutex_lock(&root_ns->lock);
2355 error = __aafs_ns_mkdir(root_ns, aafs_mnt->mnt_root, ".policy",
2356 aafs_mnt->mnt_root);
2357 mutex_unlock(&root_ns->lock);
2361 /* magic symlink similar to nsfs redirects based on task policy */
2362 dent = securityfs_create_symlink("policy", aa_sfs_entry.dentry,
2363 NULL, &policy_link_iops);
2365 error = PTR_ERR(dent);
2369 error = aa_mk_null_file(aa_sfs_entry.dentry);
2373 /* TODO: add default profile to apparmorfs */
2375 /* Report that AppArmor fs is enabled */
2376 aa_info_message("AppArmor Filesystem Enabled");
2381 AA_ERROR("Error creating AppArmor securityfs\n");
2385 fs_initcall(aa_create_aafs);