[v13,09/11] AppArmor: Add selfattr hooks
Commit Message
Add hooks for setselfattr and getselfattr. These hooks are not very
different from their setprocattr and getprocattr equivalents, and
much of the code is shared.
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: John Johansen <john.johansen@canonical.com>
---
security/apparmor/include/procattr.h | 2 +-
security/apparmor/lsm.c | 91 ++++++++++++++++++++++++++--
security/apparmor/procattr.c | 10 +--
3 files changed, 92 insertions(+), 11 deletions(-)
Comments
On 8/2/23 10:44, Casey Schaufler wrote:
> Add hooks for setselfattr and getselfattr. These hooks are not very
> different from their setprocattr and getprocattr equivalents, and
> much of the code is shared.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Cc: John Johansen <john.johansen@canonical.com>
Acked-by: John Johansen <john.johansen@canonical.com>
> ---
> security/apparmor/include/procattr.h | 2 +-
> security/apparmor/lsm.c | 91 ++++++++++++++++++++++++++--
> security/apparmor/procattr.c | 10 +--
> 3 files changed, 92 insertions(+), 11 deletions(-)
>
> diff --git a/security/apparmor/include/procattr.h b/security/apparmor/include/procattr.h
> index 31689437e0e1..03dbfdb2f2c0 100644
> --- a/security/apparmor/include/procattr.h
> +++ b/security/apparmor/include/procattr.h
> @@ -11,7 +11,7 @@
> #ifndef __AA_PROCATTR_H
> #define __AA_PROCATTR_H
>
> -int aa_getprocattr(struct aa_label *label, char **string);
> +int aa_getprocattr(struct aa_label *label, char **string, bool newline);
> int aa_setprocattr_changehat(char *args, size_t size, int flags);
>
> #endif /* __AA_PROCATTR_H */
> diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
> index bfd049c3fd22..cd54e5ecb46a 100644
> --- a/security/apparmor/lsm.c
> +++ b/security/apparmor/lsm.c
> @@ -630,6 +630,55 @@ static int apparmor_sb_pivotroot(const struct path *old_path,
> return error;
> }
>
> +static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
> + size_t *size, u32 flags)
> +{
> + int error = -ENOENT;
> + struct aa_task_ctx *ctx = task_ctx(current);
> + struct aa_label *label = NULL;
> + size_t total_len = 0;
> + char *value;
> +
> + switch (attr) {
> + case LSM_ATTR_CURRENT:
> + label = aa_get_newest_label(cred_label(current_cred()));
> + break;
> + case LSM_ATTR_PREV:
> + if (ctx->previous)
> + label = aa_get_newest_label(ctx->previous);
> + break;
> + case LSM_ATTR_EXEC:
> + if (ctx->onexec)
> + label = aa_get_newest_label(ctx->onexec);
> + break;
> + default:
> + error = -EOPNOTSUPP;
> + break;
> + }
> +
> + if (label) {
> + error = aa_getprocattr(label, &value, false);
> + if (error > 0) {
> + total_len = ALIGN(struct_size(lx, ctx, error), 8);
> + if (total_len > *size)
> + error = -E2BIG;
> + else if (lx)
> + error = lsm_fill_user_ctx(lx, value, error,
> + LSM_ID_APPARMOR, 0);
> + else
> + error = 1;
> + }
> + kfree(value);
> + }
> +
> + aa_put_label(label);
> +
> + *size = total_len;
> + if (error < 0)
> + return error;
> + return 1;
> +}
> +
> static int apparmor_getprocattr(struct task_struct *task, const char *name,
> char **value)
> {
> @@ -649,7 +698,7 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
> error = -EINVAL;
>
> if (label)
> - error = aa_getprocattr(label, value);
> + error = aa_getprocattr(label, value, true);
>
> aa_put_label(label);
> put_cred(cred);
> @@ -657,8 +706,7 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
> return error;
> }
>
> -static int apparmor_setprocattr(const char *name, void *value,
> - size_t size)
> +static int do_setattr(u64 attr, void *value, size_t size)
> {
> char *command, *largs = NULL, *args = value;
> size_t arg_size;
> @@ -689,7 +737,7 @@ static int apparmor_setprocattr(const char *name, void *value,
> goto out;
>
> arg_size = size - (args - (largs ? largs : (char *) value));
> - if (strcmp(name, "current") == 0) {
> + if (attr == LSM_ATTR_CURRENT) {
> if (strcmp(command, "changehat") == 0) {
> error = aa_setprocattr_changehat(args, arg_size,
> AA_CHANGE_NOFLAGS);
> @@ -704,7 +752,7 @@ static int apparmor_setprocattr(const char *name, void *value,
> error = aa_change_profile(args, AA_CHANGE_STACK);
> } else
> goto fail;
> - } else if (strcmp(name, "exec") == 0) {
> + } else if (attr == LSM_ATTR_EXEC) {
> if (strcmp(command, "exec") == 0)
> error = aa_change_profile(args, AA_CHANGE_ONEXEC);
> else if (strcmp(command, "stack") == 0)
> @@ -724,13 +772,42 @@ static int apparmor_setprocattr(const char *name, void *value,
>
> fail:
> aad(&sa)->label = begin_current_label_crit_section();
> - aad(&sa)->info = name;
> + if (attr == LSM_ATTR_CURRENT)
> + aad(&sa)->info = "current";
> + else if (attr == LSM_ATTR_EXEC)
> + aad(&sa)->info = "exec";
> + else
> + aad(&sa)->info = "invalid";
> aad(&sa)->error = error = -EINVAL;
> aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
> end_current_label_crit_section(aad(&sa)->label);
> goto out;
> }
>
> +static int apparmor_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
> + size_t size, u32 flags)
> +{
> + int rc;
> +
> + if (attr != LSM_ATTR_CURRENT && attr != LSM_ATTR_EXEC)
> + return -EOPNOTSUPP;
> +
> + rc = do_setattr(attr, ctx->ctx, ctx->ctx_len);
> + if (rc > 0)
> + return 0;
> + return rc;
> +}
> +
> +static int apparmor_setprocattr(const char *name, void *value,
> + size_t size)
> +{
> + int attr = lsm_name_to_attr(name);
> +
> + if (attr)
> + return do_setattr(attr, value, size);
> + return -EINVAL;
> +}
> +
> /**
> * apparmor_bprm_committing_creds - do task cleanup on committing new creds
> * @bprm: binprm for the exec (NOT NULL)
> @@ -1253,6 +1330,8 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
> LSM_HOOK_INIT(file_lock, apparmor_file_lock),
> LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
>
> + LSM_HOOK_INIT(getselfattr, apparmor_getselfattr),
> + LSM_HOOK_INIT(setselfattr, apparmor_setselfattr),
> LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
> LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
>
> diff --git a/security/apparmor/procattr.c b/security/apparmor/procattr.c
> index 197d41f9c32b..e3857e3d7c6c 100644
> --- a/security/apparmor/procattr.c
> +++ b/security/apparmor/procattr.c
> @@ -20,6 +20,7 @@
> * aa_getprocattr - Return the label information for @label
> * @label: the label to print label info about (NOT NULL)
> * @string: Returns - string containing the label info (NOT NULL)
> + * @newline: indicates that a newline should be added
> *
> * Requires: label != NULL && string != NULL
> *
> @@ -27,7 +28,7 @@
> *
> * Returns: size of string placed in @string else error code on failure
> */
> -int aa_getprocattr(struct aa_label *label, char **string)
> +int aa_getprocattr(struct aa_label *label, char **string, bool newline)
> {
> struct aa_ns *ns = labels_ns(label);
> struct aa_ns *current_ns = aa_get_current_ns();
> @@ -57,11 +58,12 @@ int aa_getprocattr(struct aa_label *label, char **string)
> return len;
> }
>
> - (*string)[len] = '\n';
> - (*string)[len + 1] = 0;
> + if (newline)
> + (*string)[len++] = '\n';
> + (*string)[len] = 0;
>
> aa_put_ns(current_ns);
> - return len + 1;
> + return len;
> }
>
> /**
@@ -11,7 +11,7 @@
#ifndef __AA_PROCATTR_H
#define __AA_PROCATTR_H
-int aa_getprocattr(struct aa_label *label, char **string);
+int aa_getprocattr(struct aa_label *label, char **string, bool newline);
int aa_setprocattr_changehat(char *args, size_t size, int flags);
#endif /* __AA_PROCATTR_H */
@@ -630,6 +630,55 @@ static int apparmor_sb_pivotroot(const struct path *old_path,
return error;
}
+static int apparmor_getselfattr(unsigned int attr, struct lsm_ctx __user *lx,
+ size_t *size, u32 flags)
+{
+ int error = -ENOENT;
+ struct aa_task_ctx *ctx = task_ctx(current);
+ struct aa_label *label = NULL;
+ size_t total_len = 0;
+ char *value;
+
+ switch (attr) {
+ case LSM_ATTR_CURRENT:
+ label = aa_get_newest_label(cred_label(current_cred()));
+ break;
+ case LSM_ATTR_PREV:
+ if (ctx->previous)
+ label = aa_get_newest_label(ctx->previous);
+ break;
+ case LSM_ATTR_EXEC:
+ if (ctx->onexec)
+ label = aa_get_newest_label(ctx->onexec);
+ break;
+ default:
+ error = -EOPNOTSUPP;
+ break;
+ }
+
+ if (label) {
+ error = aa_getprocattr(label, &value, false);
+ if (error > 0) {
+ total_len = ALIGN(struct_size(lx, ctx, error), 8);
+ if (total_len > *size)
+ error = -E2BIG;
+ else if (lx)
+ error = lsm_fill_user_ctx(lx, value, error,
+ LSM_ID_APPARMOR, 0);
+ else
+ error = 1;
+ }
+ kfree(value);
+ }
+
+ aa_put_label(label);
+
+ *size = total_len;
+ if (error < 0)
+ return error;
+ return 1;
+}
+
static int apparmor_getprocattr(struct task_struct *task, const char *name,
char **value)
{
@@ -649,7 +698,7 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
error = -EINVAL;
if (label)
- error = aa_getprocattr(label, value);
+ error = aa_getprocattr(label, value, true);
aa_put_label(label);
put_cred(cred);
@@ -657,8 +706,7 @@ static int apparmor_getprocattr(struct task_struct *task, const char *name,
return error;
}
-static int apparmor_setprocattr(const char *name, void *value,
- size_t size)
+static int do_setattr(u64 attr, void *value, size_t size)
{
char *command, *largs = NULL, *args = value;
size_t arg_size;
@@ -689,7 +737,7 @@ static int apparmor_setprocattr(const char *name, void *value,
goto out;
arg_size = size - (args - (largs ? largs : (char *) value));
- if (strcmp(name, "current") == 0) {
+ if (attr == LSM_ATTR_CURRENT) {
if (strcmp(command, "changehat") == 0) {
error = aa_setprocattr_changehat(args, arg_size,
AA_CHANGE_NOFLAGS);
@@ -704,7 +752,7 @@ static int apparmor_setprocattr(const char *name, void *value,
error = aa_change_profile(args, AA_CHANGE_STACK);
} else
goto fail;
- } else if (strcmp(name, "exec") == 0) {
+ } else if (attr == LSM_ATTR_EXEC) {
if (strcmp(command, "exec") == 0)
error = aa_change_profile(args, AA_CHANGE_ONEXEC);
else if (strcmp(command, "stack") == 0)
@@ -724,13 +772,42 @@ static int apparmor_setprocattr(const char *name, void *value,
fail:
aad(&sa)->label = begin_current_label_crit_section();
- aad(&sa)->info = name;
+ if (attr == LSM_ATTR_CURRENT)
+ aad(&sa)->info = "current";
+ else if (attr == LSM_ATTR_EXEC)
+ aad(&sa)->info = "exec";
+ else
+ aad(&sa)->info = "invalid";
aad(&sa)->error = error = -EINVAL;
aa_audit_msg(AUDIT_APPARMOR_DENIED, &sa, NULL);
end_current_label_crit_section(aad(&sa)->label);
goto out;
}
+static int apparmor_setselfattr(unsigned int attr, struct lsm_ctx *ctx,
+ size_t size, u32 flags)
+{
+ int rc;
+
+ if (attr != LSM_ATTR_CURRENT && attr != LSM_ATTR_EXEC)
+ return -EOPNOTSUPP;
+
+ rc = do_setattr(attr, ctx->ctx, ctx->ctx_len);
+ if (rc > 0)
+ return 0;
+ return rc;
+}
+
+static int apparmor_setprocattr(const char *name, void *value,
+ size_t size)
+{
+ int attr = lsm_name_to_attr(name);
+
+ if (attr)
+ return do_setattr(attr, value, size);
+ return -EINVAL;
+}
+
/**
* apparmor_bprm_committing_creds - do task cleanup on committing new creds
* @bprm: binprm for the exec (NOT NULL)
@@ -1253,6 +1330,8 @@ static struct security_hook_list apparmor_hooks[] __ro_after_init = {
LSM_HOOK_INIT(file_lock, apparmor_file_lock),
LSM_HOOK_INIT(file_truncate, apparmor_file_truncate),
+ LSM_HOOK_INIT(getselfattr, apparmor_getselfattr),
+ LSM_HOOK_INIT(setselfattr, apparmor_setselfattr),
LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
@@ -20,6 +20,7 @@
* aa_getprocattr - Return the label information for @label
* @label: the label to print label info about (NOT NULL)
* @string: Returns - string containing the label info (NOT NULL)
+ * @newline: indicates that a newline should be added
*
* Requires: label != NULL && string != NULL
*
@@ -27,7 +28,7 @@
*
* Returns: size of string placed in @string else error code on failure
*/
-int aa_getprocattr(struct aa_label *label, char **string)
+int aa_getprocattr(struct aa_label *label, char **string, bool newline)
{
struct aa_ns *ns = labels_ns(label);
struct aa_ns *current_ns = aa_get_current_ns();
@@ -57,11 +58,12 @@ int aa_getprocattr(struct aa_label *label, char **string)
return len;
}
- (*string)[len] = '\n';
- (*string)[len + 1] = 0;
+ if (newline)
+ (*string)[len++] = '\n';
+ (*string)[len] = 0;
aa_put_ns(current_ns);
- return len + 1;
+ return len;
}
/**