Commit Graph

186 Commits

Author SHA1 Message Date
Matthew Garrett
9caafbe2b4 apparmor: Parse secmark policy
Add support for parsing secmark policy provided by userspace, and
store that in the overall policy.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:18:38 -07:00
Matthew Garrett
617a629c08 apparmor: Add a wildcard secid
Reserve a secid value that we can use as a wildcard, allowing us to
define policy that's expected to match against all secids.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-10-03 06:18:17 -07:00
Jann Horn
1f8266ff58 apparmor: don't try to replace stale label in ptrace access check
As a comment above begin_current_label_crit_section() explains,
begin_current_label_crit_section() must run in sleepable context because
when label_is_stale() is true, aa_replace_current_label() runs, which uses
prepare_creds(), which can sleep.
Until now, the ptrace access check (which runs with a task lock held)
violated this rule.

Also add a might_sleep() assertion to begin_current_label_crit_section(),
because asserts are less likely to be ignored than comments.

Fixes: b2d09ae449 ("apparmor: move ptrace checks to using labels")
Signed-off-by: Jann Horn <jannh@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-09-13 09:44:56 -07:00
Tyler Hicks
7f3ebcf2b1 apparmor: Check buffer bounds when mapping permissions mask
Don't read past the end of the buffer containing permissions
characters or write past the end of the destination string.

Detected by CoverityScan CID#1415361, 1415376 ("Out-of-bounds access")

Fixes: e53cfe6c7c ("apparmor: rework perm mapping to a slightly broader set")
Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-07-19 16:24:43 -07:00
John Johansen
a4c3f89c9b apparmor: fixup secid map conversion to using IDR
The IDR conversion did not handle an error case for when allocating a
mapping fails, and it did not ensure that mappings did not allocate or
use a 0 value, which is used as an invalid secid. Which is used when a
mapping fails.

Fixes: 3ae7eb49a2be ("apparmor: Use an IDR to allocate apparmor secids")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:49 -07:00
Matthew Garrett
e79c26d040 apparmor: Add support for audit rule filtering
This patch adds support to Apparmor for integrating with audit rule
filtering. Right now it only handles SUBJ_ROLE, interpreting it as a
single component of a label. This is sufficient to get Apparmor working
with IMA's appraisal rules without any modifications on the IMA side.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07 01:50:47 -07:00
John Johansen
38125c2c2b apparmor: improve get_buffers macro by using get_cpu_ptr
Refactor get_buffers so the cpu_ptr can be obtained in the outer
layer, instead of inside the macro.

This also enables us to cleanup the code and use get_cpu_ptr,
to handle the preempt_disable()

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-06-07 01:49:21 -07:00
John Johansen
c092921219 apparmor: add support for mapping secids and using secctxes
Use a radix tree to provide a map between the secid and the label,
and along with it a basic ability to provide secctx conversion.

Shared/cached secctx will be added later.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-05-02 00:48:55 -07:00
Linus Torvalds
80a17a5f50 + Features
- add base infrastructure for socket mediation. ABI bump and
     additional checks to ensure only v8 compliant policy uses
     socket af mediation.
   - improve and cleanup dfa verification
   - improve profile attachment logic
     - improve overlapping expression handling
     - add the xattr matching to the attachment logic
   - improve signal mediation handling with stacked labels
   - improve handling of no_new_privs in a label stack
 
 + Cleanups and changes
   - use dfa to parse string split
   - bounded version of label_parse
   - proper line wrap nulldfa.in
   - split context out into task and cred naming to better match usage
   - simplify code in aafs
 
 + Bug fixes
   - fix display of .ns_name for containers
   - fix resource audit messages when auditing peer
   - fix logging of the existence test for signals
   - fix resource audit messages when auditing peer
   - fix display of .ns_name for containers
   - fix an error code in verify_table_headers()
   - fix memory leak on buffer on error exit path
   - fix error returns checks by making size a ssize_t
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJazWpMAAoJEAUvNnAY1cPY2wwP/2ZmzyITY7xW3Cpz8ynKOTyZ
 hD2ahIjLWxcQwMZUoHXIa4TTK5EThlhKcTa0+sdMJGsIsRyXLoyBcd/VST0F9ZrA
 OWn1uL2ASeNroNw+88P6qU03+cT2eEohM3vvlNy2ud98EBiTyxB6L4VLpy3xDKAd
 zblojxqegRO7WRfEFCR2kHmnrL0Z3oxPBahnuVitfrwO76WFUSM9EYm67Xtf4yjJ
 qQ7ocGdhxiULNdceoIke11e8iNwiQyY4O+E24qVAJw66arxIByMKo+cLjeTxMbZR
 z4/pVd664wiK7mW0In7bJWOfXLJHxHALpuCc82wFgiLPdfSpJzT1nx+Xjaw8DhdZ
 FBoHLpHjJT3dTpYoQTjqtNdvHgXryL/OOllm+I8DPMu/nfcp8qsOru5bEXg+j/90
 CRo1OqrWZhUkKHnQs12QIJS+Gt7qByQB6tDMDbjkIC71vKUWA4wnp7zLZHYd9T0L
 6kZ2aWKiOXM6VRZ5V5HVLhrTajiubyBg3y3Eur4HwuGzquBmxAp1RhS8oiOpgzgW
 jVI92/P2XjhnU9E2J5m+mzjh11i+D51homtz1y4vB53Ye/WLy1S0o4StDAiLfgw3
 q/581V342vl6X46GlgcS5G7QeIkzFiCUe5H3t2/unCRnI+PxabwRmbaTqWq47xzQ
 umwlYfok3ALSzdgnv2sT
 =XhxG
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "Features:
  - add base infrastructure for socket mediation. ABI bump and
    additional checks to ensure only v8 compliant policy uses socket af
    mediation.
  - improve and cleanup dfa verification
  - improve profile attachment logic
     - improve overlapping expression handling
     - add the xattr matching to the attachment logic
  - improve signal mediation handling with stacked labels
  - improve handling of no_new_privs in a label stack

  Cleanups and changes:
  - use dfa to parse string split
  - bounded version of label_parse
  - proper line wrap nulldfa.in
  - split context out into task and cred naming to better match usage
  - simplify code in aafs

  Bug fixes:
  - fix display of .ns_name for containers
  - fix resource audit messages when auditing peer
  - fix logging of the existence test for signals
  - fix resource audit messages when auditing peer
  - fix display of .ns_name for containers
  - fix an error code in verify_table_headers()
  - fix memory leak on buffer on error exit path
  - fix error returns checks by making size a ssize_t"

* tag 'apparmor-pr-2018-04-10' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (36 commits)
  apparmor: fix memory leak on buffer on error exit path
  apparmor: fix dangling symlinks to policy rawdata after replacement
  apparmor: Fix an error code in verify_table_headers()
  apparmor: fix error returns checks by making size a ssize_t
  apparmor: update MAINTAINERS file git and wiki locations
  apparmor: remove POLICY_MEDIATES_SAFE
  apparmor: add base infastructure for socket mediation
  apparmor: improve overlapping domain attachment resolution
  apparmor: convert attaching profiles via xattrs to use dfa matching
  apparmor: Add support for attaching profiles via xattr, presence and value
  apparmor: cleanup: simplify code to get ns symlink name
  apparmor: cleanup create_aafs() error path
  apparmor: dfa split verification of table headers
  apparmor: dfa add support for state differential encoding
  apparmor: dfa move character match into a macro
  apparmor: update domain transitions that are subsets of confinement at nnp
  apparmor: move context.h to cred.h
  apparmor: move task related defines and fns to task.X files
  apparmor: cleanup, drop unused fn __aa_task_is_confined()
  apparmor: cleanup fixup description of aa_replace_profiles
  ...
2018-04-13 15:38:53 -07:00
Alexei Starovoitov
cf14f27f82 macro: introduce COUNT_ARGS() macro
move COUNT_ARGS() macro from apparmor to generic header and extend it
to count till twelve.

COUNT() was an alternative name for this logic, but it's used for
different purpose in many other places.

Similarly for CONCATENATE() macro.

Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-03-28 22:55:19 +02:00
John Johansen
b9590ad4c4 apparmor: remove POLICY_MEDIATES_SAFE
The unpack code now makes sure every profile has a dfa so the safe
version of POLICY_MEDIATES is no longer needed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-03-13 17:25:49 -07:00
John Johansen
56974a6fcf apparmor: add base infastructure for socket mediation
version 2 - Force an abi break. Network mediation will only be
            available in v8 abi complaint policy.

Provide a basic mediation of sockets. This is not a full net mediation
but just whether a spcific family of socket can be used by an
application, along with setting up some basic infrastructure for
network mediation to follow.

the user space rule hav the basic form of
  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
                 [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' |
             'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' |
	     'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
	     'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' |
	     'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' |
	     'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' |
	     'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' |
	     'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' |
           'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-03-13 17:25:48 -07:00
John Johansen
21f6066105 apparmor: improve overlapping domain attachment resolution
Overlapping domain attachments using the current longest left exact
match fail in some simple cases, and with the fix to ensure consistent
behavior by failing unresolvable attachments it becomes important to
do a better job.

eg. under the current match the following are unresolvable where
the alternation is clearly a better match under the most specific
left match rule.
  /**
  /{bin/,}usr/

Use a counting match that detects when a loop in the state machine is
enter, and return the match count to provide a better specific left
match resolution.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:02 -08:00
John Johansen
73f488cd90 apparmor: convert attaching profiles via xattrs to use dfa matching
This converts profile attachment based on xattrs to a fixed extended
conditional using dfa matching.

This has a couple of advantages
- pattern matching can be used for the xattr match

- xattrs can be optional for an attachment or marked as required

- the xattr attachment conditional will be able to be combined with
  other extended conditionals when the flexible extended conditional
  work lands.

The xattr fixed extended conditional is appended to the xmatch
conditional. If an xattr attachment is specified the profile xmatch
will be generated regardless of whether there is a pattern match on
the executable name.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-02-09 11:30:02 -08:00
Matthew Garrett
8e51f9087f apparmor: Add support for attaching profiles via xattr, presence and value
Make it possible to tie Apparmor profiles to the presence of one or more
extended attributes, and optionally their values. An example usecase for
this is to automatically transition to a more privileged Apparmor profile
if an executable has a valid IMA signature, which can then be appraised
by the IMA subsystem.

Signed-off-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:02 -08:00
John Johansen
031dcc8f4e apparmor: dfa add support for state differential encoding
State differential encoding can provide better compression for
apparmor policy, without having significant impact on match time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
9fcf78cca1 apparmor: update domain transitions that are subsets of confinement at nnp
Domain transition so far have been largely blocked by no new privs,
unless the transition has been provably a subset of the previous
confinement. There was a couple problems with the previous
implementations,

- transitions that weren't explicitly a stack but resulted in a subset
  of confinement were disallowed

- confinement subsets were only calculated from the previous
  confinement instead of the confinement being enforced at the time of
  no new privs, so transitions would have to get progressively
  tighter.

Fix this by detecting and storing a reference to the task's
confinement at the "time" no new privs is set. This reference is then
used to determine whether a transition is a subsystem of the
confinement at the time no new privs was set.

Unfortunately the implementation is less than ideal in that we have to
detect no new privs after the fact when a task attempts a domain
transition. This is adequate for the currently but will not work in a
stacking situation where no new privs could be conceivably be set in
both the "host" and in the container.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
d8889d49e4 apparmor: move context.h to cred.h
Now that file contexts have been moved into file, and task context
fns() and data have been split from the context, only the cred context
remains in context.h so rename to cred.h to better reflect what it
deals with.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
de62de59c2 apparmor: move task related defines and fns to task.X files
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
d065f2f565 apparmor: cleanup, drop unused fn __aa_task_is_confined()
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
d9087c49d4 apparmor: drop cred_ctx and reference the label directly
With the task domain change information now stored in the task->security
context, the cred->security context only stores the label. We can get
rid of the cred_ctx and directly reference the label, removing a layer
of indirection, and unneeded extra allocations.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
3b529a7600 apparmor: move task domain change info to task security
The task domain change info is task specific and its and abuse of
the cred to store the information in there. Now that a task->security
field exists store it in the proper place.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
4d2f8ba3e3 apparmor: rename task_ctx to the more accurate cred_ctx
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
3acfd5f54c apparmor: audit unknown signal numbers
Allow apparmor to audit the number of a signal that it does not
provide a mapping for and is currently being reported only as
unknown.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
95652cac83 apparmor: provide a bounded version of label_parse
some label/context sources might not be guaranteed to be null terminiated
provide a size bounded version of label parse to deal with these.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
6e0654d20e apparmor: use the dfa to do label parse string splitting
The current split scheme is actually wrong in that it splits
  ///&

where that is invalid and should fail. Use the dfa to do a proper
bounded split without having to worry about getting the string
processing right in code.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
cf65fabc2a apparmor: add first substr match to dfa
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2018-02-09 11:30:01 -08:00
John Johansen
a6a52579e5 apparmor: split load data into management struct and data blob
Splitting the management struct from the actual data blob will allow
us in the future to do some sharing and other data reduction
techniques like replacing the the raw data with compressed data.

Prepare for this by separating the management struct from the data
blob.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:00 -08:00
John Johansen
98cf5bbff4 apparmor: fix logging of the existence test for signals
The existence test is not being properly logged as the signal mapping
maps it to the last entry in the named signal table. This is done
to help catch bugs by making the 0 mapped signal value invalid so
that we can catch the signal value not being filled in.

When fixing the off-by-one comparision logic the reporting of the
existence test was broken, because the logic behind the mapped named
table was hidden. Fix this by adding a define for the name lookup
and using it.

Cc: Stable <stable@vger.kernel.org>
Fixes: f7dc4c9a85 ("apparmor: fix off-by-one comparison on MAXMAPPED_SIG")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:00 -08:00
John Johansen
b5beb07ad3 apparmor: fix resource audit messages when auditing peer
Resource auditing is using the peer field which is not available
when the rlim data struct is used, because it is a different element
of the same union. Accessing peer during resource auditing could
cause garbage log entries or even oops the kernel.

Move the rlim data block into the same struct as the peer field
so they can be used together.

CC: <stable@vger.kernel.org>
Fixes: 86b92cb782 ("apparmor: move resource checks to using labels")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-02-09 11:30:00 -08:00
John Johansen
0dda0b3fb2 apparmor: fix ptrace label match when matching stacked labels
Given a label with a profile stack of
  A//&B or A//&C ...

A ptrace rule should be able to specify a generic trace pattern with
a rule like

  ptrace trace A//&**,

however this is failing because while the correct label match routine
is called, it is being done post label decomposition so it is always
being done against a profile instead of the stacked label.

To fix this refactor the cross check to pass the full peer label in to
the label_match.

Fixes: 290f458a4f ("apparmor: allow ptrace checks to be finer grained than just capability")
Cc: Stable <stable@vger.kernel.org>
Reported-by: Matthew Garrett <mjg59@google.com>
Tested-by: Matthew Garrett <mjg59@google.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-01-12 15:49:59 -08:00
Linus Torvalds
df8ba95c57 bug fixes:
- apparmor: fix oops in audit_signal_cb hook
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJaICSrAAoJEAUvNnAY1cPYqJwQAJ7HevfF1/jFGHMJF7cv557H
 8+oux675tr1g5MC0QdkkjPaF/0UbIEktnJaxAId/oCzY7wU/GRiz3iFrsKZC2RVu
 pfvhZ5dqzYblwiqD1d2soIHexO0QnlAkV+monAHM9VbmPK45A6PJn8/2KTUYG7J2
 O/XPp7W5G/fdjVG8zoiX+7Y7P9a+gKLMYQOtM0lxwMhlt5jXzozyuWvFiZ8S8jvw
 F0HrymQGoNeHRfhIhsesP6rNDAW8ywH6702NtQOU/dyHO13I+4zW/PkWQNNwAu7W
 Lg/8xEv5km3eA7H1qtFMSlSSl1T67BGRdo7CQ2kkWE6O6ne+LsbO+P/bFKV1v/9l
 WrLZlPSm5AlW2kWpTInZ1CWqggLUxB7p/jrNH5EJBBuqWAqdmbdHygKThdrT51Vc
 goSPvL/WjnZoJjMyOt3nrDSVvMip0XRD24X7ey2sgdqjkVOLHcLNCWS4iLps4wcb
 4GLQguR7Hf/a6dbSqsdelStQDVw5JIYKrRffnITX9qgi4Ul+Jj99Qxwhh88CGKu/
 8/7ka0/pT5Ag2VcxWGwUbEroHNBU6mj9iBH2wLdvVXBM6TPS3CvjKlulVMXkKjZY
 66k8ZLzEfbHsU3nAW5qVHAp9mm3vmTfSJOVXh83LrKQt/o2lIdzJhZucjWm+qFxu
 Sd0wk4wp679dtWgXKIdd
 =xfD+
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2017-11-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor bugfix from John Johansen:
 "Fix oops in audit_signal_cb hook marked for stable"

* tag 'apparmor-pr-2017-11-30' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: fix oops in audit_signal_cb hook
2017-11-30 18:56:41 -05:00
John Johansen
b12cbb2158 apparmor: fix oops in audit_signal_cb hook
The apparmor_audit_data struct ordering got messed up during a merge
conflict, resulting in the signal integer and peer pointer being in
a union instead of a struct.

For most of the 4.13 and 4.14 life cycle, this was hidden by
commit 651e28c553 ("apparmor: add base infastructure for socket
mediation") which fixed the apparmor_audit_data struct when its data
was added. When that commit was reverted in -rc7 the signal audit bug
was exposed, and unfortunately it never showed up in any of the
testing until after 4.14 was released. Shaun Khan, Zephaniah
E. Loss-Cutler-Hull filed nearly simultaneous bug reports (with
different oopes, the smaller of which is included below).

Full credit goes to Tetsuo Handa for jumping on this as well and
noticing the audit data struct problem and reporting it.

[   76.178568] BUG: unable to handle kernel paging request at
ffffffff0eee3bc0
[   76.178579] IP: audit_signal_cb+0x6c/0xe0
[   76.178581] PGD 1a640a067 P4D 1a640a067 PUD 0
[   76.178586] Oops: 0000 [] PREEMPT SMP
[   76.178589] Modules linked in: fuse rfcomm bnep usblp uvcvideo btusb
btrtl btbcm btintel bluetooth ecdh_generic ip6table_filter ip6_tables
xt_tcpudp nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack
iptable_filter ip_tables x_tables intel_rapl joydev wmi_bmof serio_raw
iwldvm iwlwifi shpchp kvm_intel kvm irqbypass autofs4 algif_skcipher
nls_iso8859_1 nls_cp437 crc32_pclmul ghash_clmulni_intel
[   76.178620] CPU: 0 PID: 10675 Comm: pidgin Not tainted
4.14.0-f1-dirty 
[   76.178623] Hardware name: Hewlett-Packard HP EliteBook Folio
9470m/18DF, BIOS 68IBD Ver. F.62 10/22/2015
[   76.178625] task: ffff9c7a94c31dc0 task.stack: ffffa09b02a4c000
[   76.178628] RIP: 0010:audit_signal_cb+0x6c/0xe0
[   76.178631] RSP: 0018:ffffa09b02a4fc08 EFLAGS: 00010292
[   76.178634] RAX: ffffa09b02a4fd60 RBX: ffff9c7aee0741f8 RCX:
0000000000000000
[   76.178636] RDX: ffffffffee012290 RSI: 0000000000000006 RDI:
ffff9c7a9493d800
[   76.178638] RBP: ffffa09b02a4fd40 R08: 000000000000004d R09:
ffffa09b02a4fc46
[   76.178641] R10: ffffa09b02a4fcb8 R11: ffff9c7ab44f5072 R12:
ffffa09b02a4fd40
[   76.178643] R13: ffffffff9e447be0 R14: ffff9c7a94c31dc0 R15:
0000000000000001
[   76.178646] FS:  00007f8b11ba2a80(0000) GS:ffff9c7afea00000(0000)
knlGS:0000000000000000
[   76.178648] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   76.178650] CR2: ffffffff0eee3bc0 CR3: 00000003d5209002 CR4:
00000000001606f0
[   76.178652] Call Trace:
[   76.178660]  common_lsm_audit+0x1da/0x780
[   76.178665]  ? d_absolute_path+0x60/0x90
[   76.178669]  ? aa_check_perms+0xcd/0xe0
[   76.178672]  aa_check_perms+0xcd/0xe0
[   76.178675]  profile_signal_perm.part.0+0x90/0xa0
[   76.178679]  aa_may_signal+0x16e/0x1b0
[   76.178686]  apparmor_task_kill+0x51/0x120
[   76.178690]  security_task_kill+0x44/0x60
[   76.178695]  group_send_sig_info+0x25/0x60
[   76.178699]  kill_pid_info+0x36/0x60
[   76.178703]  SYSC_kill+0xdb/0x180
[   76.178707]  ? preempt_count_sub+0x92/0xd0
[   76.178712]  ? _raw_write_unlock_irq+0x13/0x30
[   76.178716]  ? task_work_run+0x6a/0x90
[   76.178720]  ? exit_to_usermode_loop+0x80/0xa0
[   76.178723]  entry_SYSCALL_64_fastpath+0x13/0x94
[   76.178727] RIP: 0033:0x7f8b0e58b767
[   76.178729] RSP: 002b:00007fff19efd4d8 EFLAGS: 00000206 ORIG_RAX:
000000000000003e
[   76.178732] RAX: ffffffffffffffda RBX: 0000557f3e3c2050 RCX:
00007f8b0e58b767
[   76.178735] RDX: 0000000000000000 RSI: 0000000000000000 RDI:
000000000000263b
[   76.178737] RBP: 0000000000000000 R08: 0000557f3e3c2270 R09:
0000000000000001
[   76.178739] R10: 000000000000022d R11: 0000000000000206 R12:
0000000000000000
[   76.178741] R13: 0000000000000001 R14: 0000557f3e3c13c0 R15:
0000000000000000
[   76.178745] Code: 48 8b 55 18 48 89 df 41 b8 20 00 08 01 5b 5d 48 8b
42 10 48 8b 52 30 48 63 48 4c 48 8b 44 c8 48 31 c9 48 8b 70 38 e9 f4 fd
00 00 <48> 8b 14 d5 40 27 e5 9e 48 c7 c6 7d 07 19 9f 48 89 df e8 fd 35
[   76.178794] RIP: audit_signal_cb+0x6c/0xe0 RSP: ffffa09b02a4fc08
[   76.178796] CR2: ffffffff0eee3bc0
[   76.178799] ---[ end trace 514af9529297f1a3 ]---

Fixes: cd1dbf76b2 ("apparmor: add the ability to mediate signals")
Reported-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@aehallh.com>
Reported-by: Shuah Khan <shuahkh@osg.samsung.com>
Suggested-by: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Tested-by: Ivan Kozik <ivan@ludios.org>
Tested-by: Zephaniah E. Loss-Cutler-Hull <warp-spam_kernel@aehallh.com>
Tested-by: Christian Boltz <apparmor@cboltz.de>
Tested-by: Shuah Khan <shuahkh@osg.samsung.com>
Cc: stable@vger.kernel.org
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-11-27 14:38:15 -08:00
Linus Torvalds
1751e8a6cb Rename superblock flags (MS_xyz -> SB_xyz)
This is a pure automated search-and-replace of the internal kernel
superblock flags.

The s_flags are now called SB_*, with the names and the values for the
moment mirroring the MS_* flags that they're equivalent to.

Note how the MS_xyz flags are the ones passed to the mount system call,
while the SB_xyz flags are what we then use in sb->s_flags.

The script to do this was:

    # places to look in; re security/*: it generally should *not* be
    # touched (that stuff parses mount(2) arguments directly), but
    # there are two places where we really deal with superblock flags.
    FILES="drivers/mtd drivers/staging/lustre fs ipc mm \
            include/linux/fs.h include/uapi/linux/bfs_fs.h \
            security/apparmor/apparmorfs.c security/apparmor/include/lib.h"
    # the list of MS_... constants
    SYMS="RDONLY NOSUID NODEV NOEXEC SYNCHRONOUS REMOUNT MANDLOCK \
          DIRSYNC NOATIME NODIRATIME BIND MOVE REC VERBOSE SILENT \
          POSIXACL UNBINDABLE PRIVATE SLAVE SHARED RELATIME KERNMOUNT \
          I_VERSION STRICTATIME LAZYTIME SUBMOUNT NOREMOTELOCK NOSEC BORN \
          ACTIVE NOUSER"

    SED_PROG=
    for i in $SYMS; do SED_PROG="$SED_PROG -e s/MS_$i/SB_$i/g"; done

    # we want files that contain at least one of MS_...,
    # with fs/namespace.c and fs/pnode.c excluded.
    L=$(for i in $SYMS; do git grep -w -l MS_$i $FILES; done| sort|uniq|grep -v '^fs/namespace.c'|grep -v '^fs/pnode.c')

    for f in $L; do sed -i $f $SED_PROG; done

Requested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-11-27 13:05:09 -08:00
Ingo Molnar
8c5db92a70 Merge branch 'linus' into locking/core, to resolve conflicts
Conflicts:
	include/linux/compiler-clang.h
	include/linux/compiler-gcc.h
	include/linux/compiler-intel.h
	include/uapi/linux/stddef.h

Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-11-07 10:32:44 +01:00
Linus Torvalds
80c094a47d Revert "apparmor: add base infastructure for socket mediation"
This reverts commit 651e28c553.

This caused a regression:
 "The specific problem is that dnsmasq refuses to start on openSUSE Leap
  42.2.  The specific cause is that and attempt to open a PF_LOCAL socket
  gets EACCES.  This means that networking doesn't function on a system
  with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert.  This has not been a good release for
the security subsystem, and this area needs to change development
practices.

Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2017-10-26 19:35:35 +02:00
Will Deacon
26c4eb192c locking/rwsem, security/apparmor: Replace homebrew use of write_can_lock() with lockdep
The lockdep subsystem provides a robust way to assert that a lock is
held, so use that instead of write_can_lock, which can give incorrect
results for qrwlocks.

Signed-off-by: Will Deacon <will.deacon@arm.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: paulmck@linux.vnet.ibm.com
Link: http://lkml.kernel.org/r/1507055129-12300-1-git-send-email-will.deacon@arm.com
Signed-off-by: Ingo Molnar <mingo@kernel.org>
2017-10-10 11:50:17 +02:00
Linus Torvalds
79444df4e7 + Features
- in preparation for secid mapping add support for absolute root view
     based labels
   - add base infastructure for socket mediation
   - add mount mediation
   - add signal mediation
 
 + minor cleanups and changes
   - be defensive, ensure unconfined profiles have dfas initialized
   - add more debug asserts to apparmorfs
   - enable policy unpacking to audit different reasons for failure
   - cleanup conditional check for label in label_print
   - Redundant condition: prev_ns. in [label.c:1498]
 
 + Bug Fixes
   - fix regression in apparmorfs DAC access permissions
   - fix build failure on sparc caused by undeclared signals
   - fix sparse report of incorrect type assignment when freeing label proxies
   - fix race condition in null profile creation
   - Fix an error code in aafs_create()
   - Fix logical error in verify_header()
   - Fix shadowed local variable in unpack_trans_table()
 -----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCgAGBQJZxZP9AAoJEAUvNnAY1cPY+psP/Rx7Nu2T9kHpotLeyOznrTvK
 iOrFR4Xj1exLNfwUJcjiDcrYRhEdqamduiJvEZinQLPN8vapXfiUmjXIW1sgYJnO
 X6NDeFObo/VJz0L8rZZdJbxykWfGjzQa4zXf177ztMvY+ME9kagOaHowqRom8obv
 5bi83Dc8wjUOVkvmH9yuHHUkI9knXrtUUnYb3xY1kEVlHi1ujElkQvAx1q+IkOw9
 vN74YGTDZCsd+cSRbmhbK7Mur1Q8BDy2EeG1k26Tr7VELmNL8tnsOpJYEiIWOhYl
 Lh1aA3RPGTN0dWfZn2qfB2a1NevFXERaM1zKs1ZNykg+hI4om99gt8mXqe+i+Kuc
 qoWF59NF426mmywSYjKOMHGPBooVAiGmKPRjsIee6HTV4bGkcxYsYiV/VcrS9J9V
 dpCBBU0stnGpStwfSBL5JWwMMilJSkSETX7XLxJ5lhhHhi7jM2Dd9aAkbIPcQYPD
 v2XjKxW2tOhxmEaige/rS2s7rbxBlLhJ8MR07FR8znL0idILAufnWlLeqJG1X9rO
 FBbqqyTqyx8ca5v1c751jTXZ39cArVmlwnw2ZNjEaXrGaTsIssYPC5B9poSU/OlT
 IAYQe9sZndqFn1Lom0gbdTe3RTnR4/22uNQYW/3TG3JP52ui0wQZFNJtRCP3mmIq
 bFlKKqVkAKETun8WyUfz
 =iDCd
 -----END PGP SIGNATURE-----

Merge tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor

Pull apparmor updates from John Johansen:
 "This is the apparmor pull request, similar to SELinux and seccomp.

  It's the same series that I was sent to James' security tree + one
  regression fix that was found after the series was sent to James and
  would have been sent for v4.14-rc2.

  Features:
  - in preparation for secid mapping add support for absolute root view
    based labels
  - add base infastructure for socket mediation
  - add mount mediation
  - add signal mediation

  minor cleanups and changes:
  - be defensive, ensure unconfined profiles have dfas initialized
  - add more debug asserts to apparmorfs
  - enable policy unpacking to audit different reasons for failure
  - cleanup conditional check for label in label_print
  - Redundant condition: prev_ns. in [label.c:1498]

  Bug Fixes:
  - fix regression in apparmorfs DAC access permissions
  - fix build failure on sparc caused by undeclared signals
  - fix sparse report of incorrect type assignment when freeing label proxies
  - fix race condition in null profile creation
  - Fix an error code in aafs_create()
  - Fix logical error in verify_header()
  - Fix shadowed local variable in unpack_trans_table()"

* tag 'apparmor-pr-2017-09-22' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor:
  apparmor: fix apparmorfs DAC access permissions
  apparmor: fix build failure on sparc caused by undeclared signals
  apparmor: fix incorrect type assignment when freeing proxies
  apparmor: ensure unconfined profiles have dfas initialized
  apparmor: fix race condition in null profile creation
  apparmor: move new_null_profile to after profile lookup fns()
  apparmor: add base infastructure for socket mediation
  apparmor: add more debug asserts to apparmorfs
  apparmor: make policy_unpack able to audit different info messages
  apparmor: add support for absolute root view based labels
  apparmor: cleanup conditional check for label in label_print
  apparmor: add mount mediation
  apparmor: add the ability to mediate signals
  apparmor: Redundant condition: prev_ns. in [label.c:1498]
  apparmor: Fix an error code in aafs_create()
  apparmor: Fix logical error in verify_header()
  apparmor: Fix shadowed local variable in unpack_trans_table()
2017-09-23 05:33:29 -10:00
John Johansen
b1545dba09 apparmor: fix build failure on sparc caused by undeclared signals
In file included from security/apparmor/ipc.c:23:0:
  security/apparmor/include/sig_names.h:26:3: error: 'SIGSTKFLT' undeclared here (not in a function)
    [SIGSTKFLT] = 16, /* -, 16, - */
     ^
  security/apparmor/include/sig_names.h:26:3: error: array index in initializer not of integer type
  security/apparmor/include/sig_names.h:26:3: note: (near initialization for 'sig_map')
  security/apparmor/include/sig_names.h:51:3: error: 'SIGUNUSED' undeclared here (not in a function)
    [SIGUNUSED] = 34, /* -, 31, - */
     ^
  security/apparmor/include/sig_names.h:51:3: error: array index in initializer not of integer type
  security/apparmor/include/sig_names.h:51:3: note: (near initialization for 'sig_map')

Reported-by: Stephen Rothwell <sfr@canb.auug.org.au>
Fixes: c6bf1adaecaa ("apparmor: add the ability to mediate signals")
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-09-22 13:00:58 -07:00
John Johansen
651e28c553 apparmor: add base infastructure for socket mediation
Provide a basic mediation of sockets. This is not a full net mediation
but just whether a spcific family of socket can be used by an
application, along with setting up some basic infrastructure for
network mediation to follow.

the user space rule hav the basic form of
  NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ]
                 [ TYPE | PROTOCOL ]

  DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' |
             'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' |
	     'netbeui' | 'security' | 'key' | 'packet' | 'ash' |
	     'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' |
	     'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' |
	     'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' |
	     'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' |
	     'vsock' | 'mpls' | 'ib' | 'kcm' ) ','

  TYPE = ( 'stream' | 'dgram' | 'seqpacket' |  'rdm' | 'raw' |
           'packet' )

  PROTOCOL = ( 'tcp' | 'udp' | 'icmp' )

eg.
  network,
  network inet,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:58 -07:00
John Johansen
2410aa96d6 apparmor: make policy_unpack able to audit different info messages
Switch unpack auditing to using the generic name field in the audit
struct and make it so we can start adding new info messages about
why an unpack failed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:58 -07:00
John Johansen
26b7899510 apparmor: add support for absolute root view based labels
With apparmor policy virtualization based on policy namespace View's
we don't generally want/need absolute root based views, however there
are cases like debugging and some secid based conversions where
using a root based view is important.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:58 -07:00
John Johansen
2ea3ffb778 apparmor: add mount mediation
Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.

default userspace policy rules have the form of
  MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )

  MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
          [ '->' MOUNTPOINT FILEGLOB ]

  REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
            MOUNTPOINT FILEGLOB

  UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB

  MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
                       MOUNT FSTYPE EXPRESSION ]
		       [ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]

  MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )

  MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
                      virtual filesystem types (eg ext4, debugfs, etc)

  MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )

  MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.

  MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
                  'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
		  'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
		  'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
		  'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
		  'unbindable' | 'runbindable' | 'private' | 'rprivate' |
		  'slave' | 'rslave' | 'shared' | 'rshared' |
		  'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
		  'strictatime' | 'nouser' | 'user' )

  MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...

  PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
                    [ NEW ROOT FILEGLOB ]

  SOURCE FILEGLOB = FILEGLOB

  MOUNTPOINT FILEGLOB = FILEGLOB

eg.
  mount,
  mount /dev/foo,
  mount options=ro /dev/foo -> /mnt/,
  mount options in (ro,atime) /dev/foo -> /mnt/,
  mount options=ro options=atime,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:57 -07:00
John Johansen
cd1dbf76b2 apparmor: add the ability to mediate signals
Add signal mediation where the signal can be mediated based on the
signal, direction, or the label or the peer/target. The signal perms
are verified on a cross check to ensure policy consistency in the case
of incremental policy load/replacement.

The optimization of skipping the cross check when policy is guaranteed
to be consistent (single compile unit) remains to be done.

policy rules have the form of
  SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ]
                [ SIGNAL SET ] [ SIGNAL PEER ]

  SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST

  SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL
                           ACCESS ')'

  SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' |
                    'receive' )

  SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')'

  SIGNAL LIST = Comma or space separated list of SIGNALS

  SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' |
              'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' |
	      'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' |
	      'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' |
	      'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' |
	      'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32'
            )

  SIGNAL PEER = 'peer' '=' AARE

eg.
  signal,                                 # allow all signals
  signal send set=(hup, kill) peer=foo,

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-09-22 13:00:57 -07:00
Kees Cook
993b3ab064 apparmor: Refactor to remove bprm_secureexec hook
The AppArmor bprm_secureexec hook can be merged with the bprm_set_creds
hook since it's dealing with the same information, and all of the details
are finalized during the first call to the bprm_set_creds hook via
prepare_binprm() (subsequent calls due to binfmt_script, etc, are ignored
via bprm->called_set_creds).

Here, all the comments describe how secureexec is actually calculated
during bprm_set_creds, so this actually does it, drops the bprm flag that
was being used internally by AppArmor, and drops the bprm_secureexec hook.

Signed-off-by: Kees Cook <keescook@chromium.org>
Acked-by: John Johansen <john.johansen@canonical.com>
Reviewed-by: James Morris <james.l.morris@oracle.com>
Acked-by: Serge Hallyn <serge@hallyn.com>
2017-08-01 12:03:06 -07:00
John Johansen
40cde7fcc3 apparmor: add domain label stacking info to apparmorfs
Now that the domain label transition is complete advertise it to
userspace.

Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:47 -07:00
John Johansen
93c98a484c apparmor: move exec domain mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:46 -07:00
John Johansen
064dc9472f apparmor: mediate files when they are received
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:45 -07:00
John Johansen
8014370f12 apparmor: move path_link mediation to using labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:44 -07:00
John Johansen
aebd873e8d apparmor: refactor path name lookup and permission checks around labels
Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10 17:11:43 -07:00