summaryrefslogtreecommitdiff
path: root/security/apparmor/include
AgeCommit message (Collapse)Author
2024-07-29lsm: infrastructure management of the sock securityCasey Schaufler
Move management of the sock->sk_security blob out of the individual security modules and into the security infrastructure. Instead of allocating the blobs from within the modules the modules tell the infrastructure how much space is required, and the space is allocated there. Acked-by: Paul Moore <paul@paul-moore.com> Reviewed-by: Kees Cook <keescook@chromium.org> Reviewed-by: John Johansen <john.johansen@canonical.com> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> [PM: subject tweak] Signed-off-by: Paul Moore <paul@paul-moore.com>
2024-07-27Merge tag 'apparmor-pr-2024-07-25' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Cleanups - optimization: try to avoid refing the label in apparmor_file_open - remove useless static inline function is_deleted - use kvfree_sensitive to free data->data - fix typo in kernel doc Bug fixes: - unpack transition table if dfa is not present - test: add MODULE_DESCRIPTION() - take nosymfollow flag into account - fix possible NULL pointer dereference - fix null pointer deref when receiving skb during sock creation" * tag 'apparmor-pr-2024-07-25' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: apparmor: unpack transition table if dfa is not present apparmor: try to avoid refing the label in apparmor_file_open apparmor: test: add MODULE_DESCRIPTION() apparmor: take nosymfollow flag into account apparmor: fix possible NULL pointer dereference apparmor: fix typo in kernel doc apparmor: remove useless static inline function is_deleted apparmor: use kvfree_sensitive to free data->data apparmor: Fix null pointer deref when receiving skb during sock creation
2024-07-24apparmor: try to avoid refing the label in apparmor_file_openMateusz Guzik
If the label is not stale (which is the common case), the fact that the passed file object holds a reference can be leverged to avoid the ref/unref cycle. Doing so reduces performance impact of apparmor on parallel open() invocations. When benchmarking on a 24-core vm using will-it-scale's open1_process ("Separate file open"), the results are (ops/s): before: 6092196 after: 8309726 (+36%) Signed-off-by: Mateusz Guzik <mjguzik@gmail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2024-06-13ima: Avoid blocking in RCU read-side critical sectionGUO Zihua
A panic happens in ima_match_policy: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010 PGD 42f873067 P4D 0 Oops: 0000 [#1] SMP NOPTI CPU: 5 PID: 1286325 Comm: kubeletmonit.sh Kdump: loaded Tainted: P Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.0.0 02/06/2015 RIP: 0010:ima_match_policy+0x84/0x450 Code: 49 89 fc 41 89 cf 31 ed 89 44 24 14 eb 1c 44 39 7b 18 74 26 41 83 ff 05 74 20 48 8b 1b 48 3b 1d f2 b9 f4 00 0f 84 9c 01 00 00 <44> 85 73 10 74 ea 44 8b 6b 14 41 f6 c5 01 75 d4 41 f6 c5 02 74 0f RSP: 0018:ff71570009e07a80 EFLAGS: 00010207 RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000200 RDX: ffffffffad8dc7c0 RSI: 0000000024924925 RDI: ff3e27850dea2000 RBP: 0000000000000000 R08: 0000000000000000 R09: ffffffffabfce739 R10: ff3e27810cc42400 R11: 0000000000000000 R12: ff3e2781825ef970 R13: 00000000ff3e2785 R14: 000000000000000c R15: 0000000000000001 FS: 00007f5195b51740(0000) GS:ff3e278b12d40000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000010 CR3: 0000000626d24002 CR4: 0000000000361ee0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 Call Trace: ima_get_action+0x22/0x30 process_measurement+0xb0/0x830 ? page_add_file_rmap+0x15/0x170 ? alloc_set_pte+0x269/0x4c0 ? prep_new_page+0x81/0x140 ? simple_xattr_get+0x75/0xa0 ? selinux_file_open+0x9d/0xf0 ima_file_check+0x64/0x90 path_openat+0x571/0x1720 do_filp_open+0x9b/0x110 ? page_counter_try_charge+0x57/0xc0 ? files_cgroup_alloc_fd+0x38/0x60 ? __alloc_fd+0xd4/0x250 ? do_sys_open+0x1bd/0x250 do_sys_open+0x1bd/0x250 do_syscall_64+0x5d/0x1d0 entry_SYSCALL_64_after_hwframe+0x65/0xca Commit c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") introduced call to ima_lsm_copy_rule within a RCU read-side critical section which contains kmalloc with GFP_KERNEL. This implies a possible sleep and violates limitations of RCU read-side critical sections on non-PREEMPT systems. Sleeping within RCU read-side critical section might cause synchronize_rcu() returning early and break RCU protection, allowing a UAF to happen. The root cause of this issue could be described as follows: | Thread A | Thread B | | |ima_match_policy | | | rcu_read_lock | |ima_lsm_update_rule | | | synchronize_rcu | | | | kmalloc(GFP_KERNEL)| | | sleep | ==> synchronize_rcu returns early | kfree(entry) | | | | entry = entry->next| ==> UAF happens and entry now becomes NULL (or could be anything). | | entry->action | ==> Accessing entry might cause panic. To fix this issue, we are converting all kmalloc that is called within RCU read-side critical section to use GFP_ATOMIC. Fixes: c7423dbdbc9e ("ima: Handle -ESTALE returned by ima_filter_rule_match()") Cc: stable@vger.kernel.org Signed-off-by: GUO Zihua <guozihua@huawei.com> Acked-by: John Johansen <john.johansen@canonical.com> Reviewed-by: Mimi Zohar <zohar@linux.ibm.com> Reviewed-by: Casey Schaufler <casey@schaufler-ca.com> [PM: fixed missing comment, long lines, !CONFIG_IMA_LSM_RULES case] Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-11-12AppArmor: Add selfattr hooksCasey Schaufler
Add hooks for setselfattr and getselfattr. These hooks are not very different from their setprocattr and getprocattr equivalents, and much of the code is shared. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Acked-by: John Johansen <john.johansen@canonical.com> [PM: forward ported beyond v6.6 due merge window changes] Signed-off-by: Paul Moore <paul@paul-moore.com>
2023-10-18apparmor: Fix regression in mount mediationJohn Johansen
commit 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") introduced a new move_mount(2) system call and a corresponding new LSM security_move_mount hook but did not implement this hook for any existing LSM. This creates a regression for AppArmor mediation of mount. This patch provides a base mapping of the move_mount syscall to the existing mount mediation. In the future we may introduce additional mediations around the new mount calls. Fixes: 2db154b3ea8e ("vfs: syscall: Add move_mount(2) to move mounts around") CC: stable@vger.kernel.org Reported-by: Andreas Steinmetz <anstein99@googlemail.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: add io_uring mediationGeorgia Garcia
For now, the io_uring mediation is limited to sqpoll and override_creds. Signed-off-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: add user namespace creation mediationJohn Johansen
Unprivileged user namespace creation is often used as a first step in privilege escalation attacks. Instead of disabling it at the sysrq level, which blocks its legitimate use as for setting up a sandbox, allow control on a per domain basis. This allows an admin to quickly lock down a system while also still allowing legitimate use. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: allow restricting unprivileged change_profileJohn Johansen
unprivileged unconfined can use change_profile to alter the confinement set by the mac admin. Allow restricting unprivileged unconfined by still allowing change_profile but stacking the change against unconfined. This allows unconfined to still apply system policy but allows the task to enter the new confinement. If unprivileged unconfined is required a sysctl is provided to switch to the previous behavior. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: refcount the pdbJohn Johansen
With the move to permission tables the dfa is no longer a stand alone entity when used, needing a minimum of a permission table. However it still could be shared among different pdbs each using a different permission table. Instead of duping the permission table when sharing a pdb, add a refcount to the pdb so it can be easily shared. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: pass cred through to audit info.John Johansen
The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: rename audit_data->label to audit_data->subj_labelJohn Johansen
rename audit_data's label field to subj_label to better reflect its use. Also at the same time drop unneeded assignments to ->subj_label as the later call to aa_check_perms will do the assignment if needed. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: combine common_audit_data and apparmor_audit_dataJohn Johansen
Everywhere where common_audit_data is used apparmor audit_data is also used. We can simplify the code and drop the use of the aad macro everywhere by combining the two structures. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-18apparmor: rename SK_CTX() to aa_sock and make it an inline fnJohn Johansen
In preparation for LSM stacking rework the macro to an inline fn Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-10-15apparmor: remove unused functions in policy_ns.c/.hXiu Jianfeng
These functions are not used now, remove them. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-08-08apparmor: remove unused PROF_* macrosGONG, Ruiqi
The last usage of PROF_{ADD,REPLACE} were removed by commit 18e99f191a8e ("apparmor: provide finer control over policy management"). So remove these two unused macros. Signed-off-by: GONG, Ruiqi <gongruiqi1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-08-08apparmor: cleanup unused functions in file.hXiu Jianfeng
After changes in commit 33bf60cabcc7 ("LSM: Infrastructure management of the file security"), aa_alloc_file_ctx() and aa_free_file_ctx() are no longer used, so remove them, and also remove aa_get_file_label() because it seems that it's never been used before. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-08-08apparmor: cleanup unused declarations in policy.hXiu Jianfeng
The implementions of these declarations do not exist, remove them all. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-07-09apparmor: remove unused macroGONG, Ruiqi
SOCK_ctx() doesn't seem to be used anywhere in the code, so remove it. Signed-off-by: GONG, Ruiqi <gongruiqi@huaweicloud.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-07-09apparmor: make aa_set_current_onexec return voidQuanfa Fu
Change the return type to void since it always return 0, and no need to do the checking in aa_set_current_onexec. Signed-off-by: Quanfa Fu <quanfafu@gmail.com> Reviewed-by: "Tyler Hicks (Microsoft)" <code@tyhicks.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2023-06-26apparmor: Free up __cleanup() namePeter Zijlstra
In order to use __cleanup for __attribute__((__cleanup__(func))) the name must not be used for anything else. Avoid the conflict. Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org> Acked-by: John Johansen <john.johansen@canonical.com> Link: https://lkml.kernel.org/r/20230612093537.536441207%40infradead.org
2022-12-14Merge tag 'apparmor-pr-2022-12-14' of ↵Linus Torvalds
git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor Pull apparmor updates from John Johansen: "Features: - switch to zstd compression for profile raw data Cleanups: - simplify obtaining the newest label on a cred - remove useless static inline functions - compute permission conversion on policy unpack - refactor code to share common permissins - refactor unpack to group policy backwards compatiblity code - add __init annotation to aa_{setup/teardown}_dfa_engine() Bug Fixes: - fix a memleak in - multi_transaction_new() - free_ruleset() - unpack_profile() - alloc_ns() - fix lockdep warning when removing a namespace - fix regression in stacking due to label flags - fix loading of child before parent - fix kernel-doc comments that differ from fns - fix spelling errors in comments - store return value of unpack_perms_table() to signed variable" * tag 'apparmor-pr-2022-12-14' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (64 commits) apparmor: Fix uninitialized symbol 'array_size' in policy_unpack_test.c apparmor: Add __init annotation to aa_{setup/teardown}_dfa_engine() apparmor: Fix memleak in alloc_ns() apparmor: Fix memleak issue in unpack_profile() apparmor: fix a memleak in free_ruleset() apparmor: Fix spelling of function name in comment block apparmor: Use pointer to struct aa_label for lbs_cred AppArmor: Fix kernel-doc LSM: Fix kernel-doc AppArmor: Fix kernel-doc apparmor: Fix loading of child before parent apparmor: refactor code that alloc null profiles apparmor: fix obsoleted comments for aa_getprocattr() and audit_resource() apparmor: remove useless static inline functions apparmor: Fix unpack_profile() warn: passing zero to 'ERR_PTR' apparmor: fix uninitialize table variable in error in unpack_trans_table apparmor: store return value of unpack_perms_table() to signed variable apparmor: Fix kunit test for out of bounds array apparmor: Fix decompression of rawdata for read back to userspace apparmor: Fix undefined references to zstd_ symbols ...
2022-12-12apparmor: test: make static symbols visible during kunit testingRae Moar
Use macros, VISIBLE_IF_KUNIT and EXPORT_SYMBOL_IF_KUNIT, to allow static symbols to be conditionally set to be visible during apparmor_policy_unpack_test, which removes the need to include the testing file in the implementation file. Change the namespace of the symbols that are now conditionally visible (by adding the prefix aa_) to avoid confusion with symbols of the same name. Allow the test to be built as a module and namespace the module name from policy_unpack_test to apparmor_policy_unpack_test to improve clarity of the module name. Provide an example of how static symbols can be dealt with in testing. Signed-off-by: Rae Moar <rmoar@google.com> Reviewed-by: David Gow <davidgow@google.com> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
2022-10-24apparmor: refactor code that alloc null profilesJohn Johansen
Bother unconfined and learning profiles use the null profile as their base. Refactor so they are share a common base routine. This doesn't save much atm but will be important when the feature set of the parent is inherited. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: Fix undefined references to zstd_ symbolsJohn Johansen
Unfortunately the switch to using zstd compression did not properly ifdef all the code that uses zstd_ symbols. So that if exporting of binary policy is disabled in the config the compile will fail with the following errors security/apparmor/lsm.c:1545: undefined reference to `zstd_min_clevel' aarch64-linux-ld: security/apparmor/lsm.c:1545: undefined reference to `zstd_max_clevel' Reported-by: kernel test robot <lkp@intel.com> Fixes: 52ccc20c652b ("apparmor: use zstd compression for profile data") Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Jon Tourville <jon.tourville@canonical.com>
2022-10-03apparmor: make __aa_path_perm() staticXiu Jianfeng
Make __aa_path_perm() static as it's only used inside apparmor/file.c. Signed-off-by: Xiu Jianfeng <xiujianfeng@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: Simplify obtain the newest label on a credGaosheng Cui
In aa_get_task_label(), aa_get_newest_cred_label(__task_cred(task)) can do the same things as aa_get_newest_label(__aa_task_raw_label(task)), so we can replace it and remove __aa_task_raw_label() to simplify the code. Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: rework profile->rules to be a listJohn Johansen
Convert profile->rules to a list as the next step towards supporting multiple rulesets in a profile. For this step only support a single list entry item. The logic for iterating the list will come as a separate step. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: refactor profile rules and attachmentsJohn Johansen
In preparation for moving from a single set of rules and a single attachment to multiple rulesets and attachments separate from the profile refactor attachment information and ruleset info into their own structures. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: cleanup: move perm accumulation into perms.hJohn Johansen
Perm accumulation is going to be used much more frequently so let the compiler figure out if it can be optimized when used. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: make sure perm indexes are accumulatedJohn Johansen
accumulate permission indexes on a first encountered basis. This favors original rulesets so that new ones can not override without profile replacement. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: add the ability for policy to specify a permission tableJohn Johansen
Currently permissions are encoded in the dfa accept entries that are then mapped to an internal permission structure. This limits the permissions that userspace can specify, so allow userspace to directly specify the permission table. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: add user mode flagJohn Johansen
Allow the profile to contain a user mode prompt flag. This works similar to complain mode but will try to send messages to a userspace daemon. If the daemon is not present or timesout regular informent will occur. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: add mediation class information to auditingJohn Johansen
Audit messages currently don't contain the mediation class which can make them less clear than they should be in some circumstances. With newer mediation classes coming this potential confusion will become worse. Fix this by adding the mediatin class to the messages. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: extend permissions to support a label and tag stringJohn Johansen
add indexes for label and tag entries. Rename the domain table to the str_table as its a shared string table with label and tags. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: isolate policy backwards compatibility to its own fileJohn Johansen
The details of mapping old policy into newer policy formats clutters up the unpack code and makes it possible to accidentally use old mappings in code, so isolate the mapping code into its own file. This will become more important when the dfa remapping code lands, as it will greatly expand the compat code base. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: extend xindex sizeJohn Johansen
Allow the xindex to have 2^24 entries. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: move dfa perm macros into policy_unpackJohn Johansen
Now that the permission remapping macros aren't needed anywhere except during profile unpack, move them. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: preparse for state being more than just an integerJohn Johansen
Convert from an unsigned int to a state_t for state position. This is a step in prepping for the state position carrying some additional flags, and a limited form of backtracking to support variables. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: convert policy lookup to use accept as an indexJohn Johansen
Remap polidydb dfa accept table from embedded perms to an index, and then move the perm lookup to use the accept entry as an index into the perm table. This is done so that the perm table can be separated from the dfa, allowing dfa accept to index to share expanded permission sets. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: cleanup shared permission structJohn Johansen
The shared permissions struct has the stop field which is unneeded and the "reserved" subtree field commented which is needed. Also reorganize so that the entries are logically grouped. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: convert xmatch to using the new shared policydb structJohn Johansen
continue permission unification by converting xmatch to use the policydb struct that is used by the other profile dfas. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: combine file_rules and aa_policydb into a single shared structJohn Johansen
file_rules and policydb are almost the same and will need the same features in the future so combine them. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: compute policydb permission on profile loadJohn Johansen
Rather than computing policydb permissions for each access permissions can be computed once on profile load and stored for lookup. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: convert xmatch to use aa_perms structureJohn Johansen
Convert xmatch from using perms encoded in the accept entry of the dfa to the common external aa_perms in a table. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: move fperm computation into policy_unpackJohn Johansen
fperm computation is only needed during policy_unpack so move the code there to isolate it fromt the run time code. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: compute xmatch permissions on profile loadMike Salvatore
Rather than computing xmatch permissions each time access is requested, these permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: compute file permissions on profile loadMike Salvatore
Rather than computing file permissions for each file access, file permissions can be computed once on profile load and stored for lookup. Signed-off-by: Mike Salvatore <mike.salvatore@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-10-03apparmor: reserve mediation classesJohn Johansen
Reserve mediation classes that exist in out of tree development branches or are used by userspace mediation helpers. Signed-off-by: John Johansen <john.johansen@canonical.com>
2022-07-19apparmor: move ptrace mediation to more logical task.{h,c}John Johansen
AppArmor split out task oriented controls to their own logical file a while ago. Ptrace mediation is better grouped with task than ipc, so move it. Signed-off-by: John Johansen <john.johansen@canonical.com>