Commit graph

23 commits

Author SHA1 Message Date
John Johansen
999b4f0aa2 AppArmor: Fix locking from removal of profile namespace
The locking for profile namespace removal is wrong, when removing a
profile namespace, it needs to be removed from its parent's list.
Lock the parent of namespace list instead of the namespace being removed.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-08 09:19:34 +10:00
John Johansen
04ccd53f09 AppArmor: Fix splitting an fqname into separate namespace and profile names
As per Dan Carpenter <error27@gmail.com>
  If we have a ns name without a following profile then in the original
  code it did "*ns_name = &name[1];".  "name" is NULL so "*ns_name" is
  0x1.  That isn't useful and could cause an oops when this function is
  called from aa_remove_profiles().

Beyond this the assignment of the namespace name was wrong in the case
where the profile name was provided as it was being set to &name[1]
after name  = skip_spaces(split + 1);

Move the ns_name assignment before updating name for the split and
also add skip_spaces, making the interface more robust.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-08 09:19:31 +10:00
John Johansen
3a2dc8382a AppArmor: Fix security_task_setrlimit logic for 2.6.36 changes
2.6.36 introduced the abilitiy to specify the task that is having its
rlimits set.  Update mediation to ensure that confined tasks can only
set their own group_leader as expected by current policy.

Add TODO note about extending policy to support setting other tasks
rlimits.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-08 09:19:29 +10:00
John Johansen
e819ff519b AppArmor: Drop hack to remove appended " (deleted)" string
The 2.6.36 kernel has refactored __d_path() so that it no longer appends
" (deleted)" to unlinked paths.  So drop the hack that was used to detect
and remove the appended string.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-09-08 09:19:24 +10:00
Linus Torvalds
145c3ae46b Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs-2.6:
  fs: brlock vfsmount_lock
  fs: scale files_lock
  lglock: introduce special lglock and brlock spin locks
  tty: fix fu_list abuse
  fs: cleanup files_lock locking
  fs: remove extra lookup in __lookup_hash
  fs: fs_struct rwlock to spinlock
  apparmor: use task path helpers
  fs: dentry allocation consolidation
  fs: fix do_lookup false negative
  mbcache: Limit the maximum number of cache entries
  hostfs ->follow_link() braino
  hostfs: dumb (and usually harmless) tpyo - strncpy instead of strlcpy
  remove SWRITE* I/O types
  kill BH_Ordered flag
  vfs: update ctime when changing the file's permission by setfacl
  cramfs: only unlock new inodes
  fix reiserfs_evict_inode end_writeback second call
2010-08-18 09:35:08 -07:00
Nick Piggin
44672e4fbd apparmor: use task path helpers
apparmor: use task path helpers

Signed-off-by: Nick Piggin <npiggin@kernel.dk>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
2010-08-18 08:35:46 -04:00
Jiri Slaby
7cb4dc9fc9 AppArmor: fix task_setrlimit prototype
After rlimits tree was merged we get the following errors:
security/apparmor/lsm.c:663:2: warning: initialization from incompatible pointer type

It is because AppArmor was merged in the meantime, but uses the old
prototype. So fix it by adding struct task_struct as a first parameter
of apparmor_task_setrlimit.

NOTE that this is ONLY a compilation warning fix (and crashes caused
by that). It needs proper handling in AppArmor depending on who is the
'task'.

Signed-off-by: Jiri Slaby <jslaby@suse.cz>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-17 08:06:09 +10:00
Stephen Rothwell
101d6c826f AppArmor: update for module_param_named API change
Fixes these build errors:
security/apparmor/lsm.c:701: error: 'param_ops_aabool' undeclared here (not in a function)
security/apparmor/lsm.c:721: error: 'param_ops_aalockpolicy' undeclared here (not in a function)
security/apparmor/lsm.c:729: error: 'param_ops_aauint' undeclared here (not in a function)

Signed-off-by: Stephen Rothwell <sfr@canb.auug.org.au>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2010-08-11 23:04:14 +09:30
Randy Dunlap
06c22dadc6 apparmor: depends on NET
SECURITY_APPARMOR should depend on NET since AUDIT needs
(depends on) NET.

Fixes 70-80 errors that occur when CONFIG_NET is not enabled,
but APPARMOR selects AUDIT without qualification.  E.g.:

audit.c:(.text+0x33361): undefined reference to `netlink_unicast'
(.text+0x333df): undefined reference to `netlink_unicast'
audit.c:(.text+0x3341d): undefined reference to `skb_queue_tail'
audit.c:(.text+0x33424): undefined reference to `kfree_skb'
audit.c:(.text+0x334cb): undefined reference to `kfree_skb'
audit.c:(.text+0x33597): undefined reference to `skb_put'
audit.c:(.text+0x3369b): undefined reference to `__alloc_skb'
audit.c:(.text+0x336d7): undefined reference to `kfree_skb'
(.text+0x3374c): undefined reference to `__alloc_skb'
auditfilter.c:(.text+0x35305): undefined reference to `skb_queue_tail'
lsm_audit.c:(.text+0x2873): undefined reference to `init_net'
lsm_audit.c:(.text+0x2878): undefined reference to `dev_get_by_index'

Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com>
Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-05 07:36:51 -04:00
James Morris
77c80e6b2f AppArmor: fix build warnings for non-const use of get_task_cred
Fix build warnings for non-const use of get_task_cred.

Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:49:00 +10:00
John Johansen
016d825fe0 AppArmor: Enable configuring and building of the AppArmor security module
Kconfig and Makefiles to enable configuration and building of AppArmor.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:39 +10:00
James Morris
4d6ec10bb4 AppArmor: update path_truncate method to latest version
Remove extraneous path_truncate arguments from the AppArmor hook,
as they've been removed from the LSM API.

Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:37 +10:00
John Johansen
c88d4c7b04 AppArmor: core policy routines
The basic routines and defines for AppArmor policy.  AppArmor policy
is defined by a few basic components.
      profiles - the basic unit of confinement contain all the information
                 to enforce policy on a task

                 Profiles tend to be named after an executable that they
                 will attach to but this is not required.
      namespaces - a container for a set of profiles that will be used
                 during attachment and transitions between profiles.
      sids - which provide a unique id for each profile

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:37 +10:00
John Johansen
736ec752d9 AppArmor: policy routines for loading and unpacking policy
AppArmor policy is loaded in a platform independent flattened binary
stream.  Verify and unpack the data converting it to the internal
format needed for enforcement.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:36 +10:00
John Johansen
0ed3b28ab8 AppArmor: mediation of non file objects
ipc:
AppArmor ipc is currently limited to mediation done by file mediation
and basic ptrace tests.  Improved mediation is a wip.

rlimits:
AppArmor provides basic abilities to set and control rlimits at
a per profile level.  Only resources specified in a profile are controled
or set.  AppArmor rules set the hard limit to a value <= to the current
hard limit (ie. they can not currently raise hard limits), and if
necessary will lower the soft limit to the new hard limit value.

AppArmor does not track resource limits to reset them when a profile
is left so that children processes inherit the limits set by the
parent even if they are not confined by the same profile.

Capabilities:  AppArmor provides a per profile mask of capabilities,
that will further restrict.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:35 +10:00
John Johansen
b5e95b4868 AppArmor: LSM interface, and security module initialization
AppArmor hooks to interface with the LSM, module parameters and module
initialization.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:38:35 +10:00
John Johansen
898127c34e AppArmor: functions for domain transitions
AppArmor routines for controling domain transitions, which can occur at
exec or through self directed change_profile/change_hat calls.

Unconfined tasks are checked at exec against the profiles in the confining
profile namespace to determine if a profile should be attached to the task.

Confined tasks execs are controlled by the profile which provides rules
determining which execs are allowed and if so which profiles should be
transitioned to.

Self directed domain transitions allow a task to request transition
to a given profile.  If the transition is allowed then the profile will
be applied, either immeditately or at exec time depending on the request.
Immeditate self directed transitions have several security limitations
but have uses in setting up stub transition profiles and other limited
cases.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:14 +10:00
John Johansen
6380bd8ddf AppArmor: file enforcement routines
AppArmor does files enforcement via pathname matching.  Matching is done
at file open using a dfa match engine.  Permission is against the final
file object not parent directories, ie. the traversal of directories
as part of the file match is implicitly allowed.  In the case of nonexistant
files (creation) permissions are checked against the target file not the
directory.  eg. In case of creating the file /dir/new, permissions are
checked against the match /dir/new not against /dir/.

The permissions for matches are currently stored in the dfa accept table,
but this will change to allow for dfa reuse and also to allow for sharing
of wider accept states.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:14 +10:00
John Johansen
63e2b42377 AppArmor: userspace interfaces
The /proc/<pid>/attr/* interface is used for process introspection and
commands.  While the apparmorfs interface is used for global introspection
and loading and removing policy.

The interface currently only contains the files necessary for loading
policy, and will be extended in the future to include sysfs style
single per file introspection inteface.

The old AppArmor 2.4 interface files have been removed into a compatibility
patch, that distros can use to maintain backwards compatibility.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:13 +10:00
John Johansen
e06f75a6a2 AppArmor: dfa match engine
A basic dfa matching engine based off the dfa engine in the Dragon
Book.  It uses simple row comb compression with a check field.

This allows AppArmor to do pattern matching in linear time, and also
avoids stack issues that an nfa based engine may have.  The dfa
engine uses a byte based comparison, with all values being valid.
Any potential character encoding are handled user side when the dfa
tables are created.  By convention AppArmor uses \0 to separate two
dependent path matches since \0 is not a valid path character
(this is done in the link permission check).

The dfa tables are generated in user space and are verified at load
time to be internally consistent.

There are several future improvements planned for the dfa engine:
* The dfa engine may be converted to a hybrid nfa-dfa engine, with
  a fixed size limited stack.  This would allow for size time
  tradeoffs, by inserting limited nfa states to help control
  state explosion that can occur with dfas.
* The dfa engine may pickup the ability to do limited dynamic
  variable matching, instead of fixing all variables at policy
  load time.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:13 +10:00
John Johansen
c75afcd153 AppArmor: contexts used in attaching policy to system objects
AppArmor contexts attach profiles and state to tasks, files, etc. when
a direct profile reference is not sufficient.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:12 +10:00
John Johansen
67012e8209 AppArmor: basic auditing infrastructure.
Update lsm_audit for AppArmor specific data, and add the core routines for
AppArmor uses for auditing.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:11 +10:00
John Johansen
cdff264264 AppArmor: misc. base functions and defines
Miscellaneous functions and defines needed by AppArmor, including
the base path resolution routines.

Signed-off-by: John Johansen <john.johansen@canonical.com>
Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02 15:35:11 +10:00