Gitiles
Code Review Sign In
review.shift-gmbh.com / SHIFTPHONES / mainline / linux / af249fce390ffe2d4938b56c78fae41a21eed5e2 / . / security / apparmor / task.c
blob: d17130ee6795df3f907f494ff5e5d495e8389f44 [file] [log] [blame]
Thomas Gleixnerb886d83c2019-06-01 10:08:55 +0200[diff] [blame]1// SPDX-License-Identifier: GPL-2.0-only
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]2/*
3 * AppArmor security module
4 *
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]5 * This file contains AppArmor task related definitions and mediation
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]6 *
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]7 * Copyright 2017 Canonical Ltd.
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]8 *
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]9 * TODO
10 * If a task uses change_hat it currently does not return to the old
11 * cred or task context but instead creates a new one. Ideally the task
12 * should return to the previous cred if it has not been modified.
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]13 */
14
John Johansend8889d42017-10-11 01:04:48 -0700[diff] [blame]15#include "include/cred.h"
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]16#include "include/task.h"
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]17
18/**
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]19 * aa_get_task_label - Get another task's label
John Johansen3cfcc192013-02-18 16:03:34 -0800[diff] [blame]20 * @task: task to query (NOT NULL)
21 *
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]22 * Returns: counted reference to @task's label
John Johansen3cfcc192013-02-18 16:03:34 -0800[diff] [blame]23 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]24struct aa_label *aa_get_task_label(struct task_struct *task)
John Johansen3cfcc192013-02-18 16:03:34 -0800[diff] [blame]25{
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]26 struct aa_label *p;
John Johansen3cfcc192013-02-18 16:03:34 -0800[diff] [blame]27
28 rcu_read_lock();
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]29 p = aa_get_newest_label(__aa_task_raw_label(task));
John Johansen3cfcc192013-02-18 16:03:34 -0800[diff] [blame]30 rcu_read_unlock();
31
32 return p;
33}
34
35/**
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]36 * aa_replace_current_label - replace the current tasks label
37 * @label: new label (NOT NULL)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]38 *
39 * Returns: 0 or error on failure
40 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]41int aa_replace_current_label(struct aa_label *label)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]42{
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]43 struct aa_label *old = aa_current_raw_label();
John Johansen9fcf78c2017-10-08 18:26:19 -0700[diff] [blame]44 struct aa_task_ctx *ctx = task_ctx(current);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]45 struct cred *new;
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]46
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]47 AA_BUG(!label);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]48
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]49 if (old == label)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]50 return 0;
51
John Johansena20aa952017-01-16 00:42:59 -0800[diff] [blame]52 if (current_cred() != current_real_cred())
53 return -EBUSY;
54
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]55 new = prepare_creds();
56 if (!new)
57 return -ENOMEM;
58
John Johansen9fcf78c2017-10-08 18:26:19 -0700[diff] [blame]59 if (ctx->nnp && label_is_stale(ctx->nnp)) {
60 struct aa_label *tmp = ctx->nnp;
61
62 ctx->nnp = aa_get_newest_label(tmp);
63 aa_put_label(tmp);
64 }
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]65 if (unconfined(label) || (labels_ns(old) != labels_ns(label)))
66 /*
67 * if switching to unconfined or a different label namespace
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]68 * clear out context state
69 */
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]70 aa_clear_task_ctx_trans(task_ctx(current));
John Johansen7a2871b2013-02-18 16:05:34 -0800[diff] [blame]71
John Johansen55a26eb2017-01-16 00:43:00 -0800[diff] [blame]72 /*
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]73 * be careful switching cred label, when racing replacement it
74 * is possible that the cred labels's->proxy->label is the reference
75 * keeping @label valid, so make sure to get its reference before
76 * dropping the reference on the cred's label
John Johansen55a26eb2017-01-16 00:43:00 -0800[diff] [blame]77 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]78 aa_get_label(label);
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]79 aa_put_label(cred_label(new));
Casey Schaufler69b5a442018-09-21 17:17:59 -0700[diff] [blame]80 set_cred_label(new, label);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]81
82 commit_creds(new);
83 return 0;
84}
85
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]86
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]87/**
88 * aa_set_current_onexec - set the tasks change_profile to happen onexec
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]89 * @label: system label to set at exec (MAYBE NULL to clear value)
90 * @stack: whether stacking should be done
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]91 * Returns: 0 or error on failure
92 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]93int aa_set_current_onexec(struct aa_label *label, bool stack)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]94{
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]95 struct aa_task_ctx *ctx = task_ctx(current);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]96
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]97 aa_get_label(label);
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]98 aa_put_label(ctx->onexec);
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]99 ctx->onexec = label;
100 ctx->token = stack;
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]101
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]102 return 0;
103}
104
105/**
106 * aa_set_current_hat - set the current tasks hat
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]107 * @label: label to set as the current hat (NOT NULL)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]108 * @token: token value that must be specified to change from the hat
109 *
110 * Do switch of tasks hat. If the task is currently in a hat
111 * validate the token to match.
112 *
113 * Returns: 0 or error on failure
114 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]115int aa_set_current_hat(struct aa_label *label, u64 token)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]116{
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]117 struct aa_task_ctx *ctx = task_ctx(current);
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]118 struct cred *new;
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]119
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]120 new = prepare_creds();
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]121 if (!new)
122 return -ENOMEM;
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]123 AA_BUG(!label);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]124
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]125 if (!ctx->previous) {
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]126 /* transfer refcount */
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]127 ctx->previous = cred_label(new);
128 ctx->token = token;
129 } else if (ctx->token == token) {
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]130 aa_put_label(cred_label(new));
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]131 } else {
John Johansen55a26eb2017-01-16 00:43:00 -0800[diff] [blame]132 /* previous_profile && ctx->token != token */
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]133 abort_creds(new);
134 return -EACCES;
135 }
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]136
Casey Schaufler69b5a442018-09-21 17:17:59 -0700[diff] [blame]137 set_cred_label(new, aa_get_newest_label(label));
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]138 /* clear exec on switching context */
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]139 aa_put_label(ctx->onexec);
140 ctx->onexec = NULL;
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]141
142 commit_creds(new);
143 return 0;
144}
145
146/**
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]147 * aa_restore_previous_label - exit from hat context restoring previous label
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]148 * @token: the token that must be matched to exit hat context
149 *
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]150 * Attempt to return out of a hat to the previous label. The token
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]151 * must match the stored token value.
152 *
153 * Returns: 0 or error of failure
154 */
John Johansen637f6882017-06-09 08:14:28 -0700[diff] [blame]155int aa_restore_previous_label(u64 token)
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]156{
John Johansende62de52017-10-08 00:43:02 -0700[diff] [blame]157 struct aa_task_ctx *ctx = task_ctx(current);
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]158 struct cred *new;
159
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]160 if (ctx->token != token)
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]161 return -EACCES;
162 /* ignore restores when there is no saved label */
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]163 if (!ctx->previous)
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]164 return 0;
165
166 new = prepare_creds();
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]167 if (!new)
168 return -ENOMEM;
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]169
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]170 aa_put_label(cred_label(new));
Casey Schaufler69b5a442018-09-21 17:17:59 -0700[diff] [blame]171 set_cred_label(new, aa_get_newest_label(ctx->previous));
John Johansend9087c42017-01-27 03:53:53 -0800[diff] [blame]172 AA_BUG(!cred_label(new));
John Johansen7a2871b2013-02-18 16:05:34 -0800[diff] [blame]173 /* clear exec && prev information when restoring to previous context */
John Johansenf1752212017-01-27 04:09:40 -0800[diff] [blame]174 aa_clear_task_ctx_trans(ctx);
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]175
176 commit_creds(new);
John Johansen3b529a72017-01-20 01:59:25 -0800[diff] [blame]177
John Johansenc75afcd2010-07-29 14:47:59 -0700[diff] [blame]178 return 0;
179}