Received: by 2002:ac0:a594:0:0:0:0:0 with SMTP id m20-v6csp2953242imm; Thu, 24 May 2018 19:47:54 -0700 (PDT) X-Google-Smtp-Source: AB8JxZr7gxP5rDmN4GjvVaZSZmHEIC6Kfj6ryMAQyjAehCH8q90vd8OQyD9ZxWwiHd63baJ7NnZv X-Received: by 2002:a63:2c13:: with SMTP id s19-v6mr325724pgs.427.1527216474381; Thu, 24 May 2018 19:47:54 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1527216474; cv=none; d=google.com; s=arc-20160816; b=wbElByO5bQk6UXWNDT8GpukcSTfDwXNFLqSOqCwaYhdfxDnLF8arbadLnxkIjpxZF4 3lnKDgfuP5yAinq+i9xslEaagtP2fAKIdMqos+p8HvOrAUP04KxeMWnEmpmR1nCLAB+/ o4R68T/7bQ+F3JHt+jFU1OzinlK9TK/Sdq2gPj8N2IFFOivy3omcVWupPCdmt3iC5UhW lVhW1f+TtJIX4hqEsZads0hWBYcIAC8lCijx7afHgMh9687H8C8MG0PNlCpCnuLWuu6D oGfuK/AAlkghsa6RnfGA1wvEHLw5Kmtxjk03nEfxYTtz1zyBY76C4uVKlBRXNToRPuie mRSw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:cc:to:from :subject:organization:arc-authentication-results; bh=gXobOvLjoGlE2trSGtrrHbo/KFjJ9UCgPW0lt7LjWl0=; b=znwZ1DaSFmnzSIq0b15LG27gAWuOAK1B9Lc/qIK4iVoGK5QYLlm9ieMYuzkUJQuXic PDrHxFDgPKp/xubZlnjTJWNy9dZVjXSAekUb/HUL16+Mn4103q54SS2V/3j8Adt7pN/s 8EBJAiBl+zFQNlkKA8m30WJyrzxNnUn6PXv53/jG4AHOZVbJKG2TG+OUgdiJb1wiiLwJ PU/YrS+7Xbfgmt8jFmhR2AKuYkp/z98ILZryGPSt5hHyVUfsPmw94GdT+sh8KrrktHNX 2kZXuzqWTuWQXzqWubhXJiJ1f56buqBsdlmjrOV+7+vu3xvHeUxEPeItadr6ZPddnzGp KqCg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id c2-v6si5762567pgt.310.2018.05.24.19.47.39; Thu, 24 May 2018 19:47:54 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S971791AbeEYAGQ (ORCPT + 99 others); Thu, 24 May 2018 20:06:16 -0400 Received: from mx3-rdu2.redhat.com ([66.187.233.73]:60438 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S971779AbeEYAGL (ORCPT ); Thu, 24 May 2018 20:06:11 -0400 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx1.redhat.com (Postfix) with ESMTPS id AFE164023131; Fri, 25 May 2018 00:06:10 +0000 (UTC) Received: from warthog.procyon.org.uk (ovpn-120-255.rdu2.redhat.com [10.10.120.255]) by smtp.corp.redhat.com (Postfix) with ESMTP id E956D2166BB2; Fri, 25 May 2018 00:06:09 +0000 (UTC) Organization: Red Hat UK Ltd. Registered Address: Red Hat UK Ltd, Amberley Place, 107-111 Peascod Street, Windsor, Berkshire, SI4 1TE, United Kingdom. Registered in England and Wales under Company Registration No. 3798903 Subject: [PATCH 07/32] apparmor: Implement security hooks for the new mount API [ver #8] From: David Howells To: viro@zeniv.linux.org.uk Cc: dhowells@redhat.com, linux-fsdevel@vger.kernel.org, linux-afs@lists.infradead.org, linux-kernel@vger.kernel.org Date: Fri, 25 May 2018 01:06:09 +0100 Message-ID: <152720676944.9073.12871258511399328644.stgit@warthog.procyon.org.uk> In-Reply-To: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> References: <152720672288.9073.9868393448836301272.stgit@warthog.procyon.org.uk> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Fri, 25 May 2018 00:06:10 +0000 (UTC) X-Greylist: inspected by milter-greylist-4.5.16 (mx1.redhat.com [10.11.55.6]); Fri, 25 May 2018 00:06:10 +0000 (UTC) for IP:'10.11.54.6' DOMAIN:'int-mx06.intmail.prod.int.rdu2.redhat.com' HELO:'smtp.corp.redhat.com' FROM:'dhowells@redhat.com' RCPT:'' Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Implement hooks to check the creation of new mountpoints for AppArmor. Unfortunately, the DFA evaluation puts the option data in last, after the details of the mountpoint, so we have to cache the mount options in the fs_context using those hooks till we get to the new mountpoint hook. Signed-off-by: David Howells Acked-by: John Johansen cc: apparmor@lists.ubuntu.com cc: linux-security-module@vger.kernel.org --- security/apparmor/include/mount.h | 11 +++++ security/apparmor/lsm.c | 80 +++++++++++++++++++++++++++++++++++++ security/apparmor/mount.c | 46 +++++++++++++++++++++ 3 files changed, 135 insertions(+), 2 deletions(-) diff --git a/security/apparmor/include/mount.h b/security/apparmor/include/mount.h index 25d6067fa6ef..0441bfae30fa 100644 --- a/security/apparmor/include/mount.h +++ b/security/apparmor/include/mount.h @@ -16,6 +16,7 @@ #include #include +#include #include "domain.h" #include "policy.h" @@ -27,7 +28,13 @@ #define AA_AUDIT_DATA 0x40 #define AA_MNT_CONT_MATCH 0x40 -#define AA_MS_IGNORE_MASK (MS_KERNMOUNT | MS_NOSEC | MS_ACTIVE | MS_BORN) +#define AA_SB_IGNORE_MASK (SB_KERNMOUNT | SB_NOSEC | SB_ACTIVE | SB_BORN) + +struct apparmor_fs_context { + struct fs_context fc; + char *saved_options; + size_t saved_size; +}; int aa_remount(struct aa_label *label, const struct path *path, unsigned long flags, void *data); @@ -45,6 +52,8 @@ int aa_move_mount(struct aa_label *label, const struct path *path, int aa_new_mount(struct aa_label *label, const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data); +int aa_new_mount_fc(struct aa_label *label, struct fs_context *fc, + const struct path *mountpoint); int aa_umount(struct aa_label *label, struct vfsmount *mnt, int flags); diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 9ebc9e9c3854..bf2401ade80e 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -518,6 +518,78 @@ static int apparmor_file_mprotect(struct vm_area_struct *vma, !(vma->vm_flags & VM_SHARED) ? MAP_PRIVATE : 0); } +static int apparmor_fs_context_alloc(struct fs_context *fc, struct dentry *reference) +{ + struct apparmor_fs_context *afc; + + afc = kzalloc(sizeof(*afc), GFP_KERNEL); + if (!afc) + return -ENOMEM; + + fc->security = afc; + return 0; +} + +static int apparmor_fs_context_dup(struct fs_context *fc, struct fs_context *src_fc) +{ + fc->security = NULL; + return 0; +} + +static void apparmor_fs_context_free(struct fs_context *fc) +{ + struct apparmor_fs_context *afc = fc->security; + + if (afc) { + kfree(afc->saved_options); + kfree(afc); + } +} + +/* + * As a temporary hack, we buffer all the options. The problem is that we need + * to pass them to the DFA evaluator *after* mount point parameters, which + * means deferring the entire check to the sb_mountpoint hook. + */ +static int apparmor_fs_context_parse_option(struct fs_context *fc, char *opt, size_t len) +{ + struct apparmor_fs_context *afc = fc->security; + size_t space = 0; + char *p, *q; + + if (afc->saved_size > 0) + space = 1; + + p = krealloc(afc->saved_options, afc->saved_size + space + len + 1, GFP_KERNEL); + if (!p) + return -ENOMEM; + + q = p + afc->saved_size; + if (q != p) + *q++ = ' '; + memcpy(q, opt, len); + q += len; + *q = 0; + + afc->saved_options = p; + afc->saved_size += 1 + len; + return 0; +} + +static int apparmor_sb_mountpoint(struct fs_context *fc, struct path *mountpoint, + unsigned int mnt_flags) +{ + struct aa_label *label; + int error = 0; + + label = __begin_current_label_crit_section(); + if (!unconfined(label)) + error = aa_new_mount_fc(label, fc, mountpoint); + __end_current_label_crit_section(label); + + return error; +} + static int apparmor_sb_mount(const char *dev_name, const struct path *path, const char *type, unsigned long flags, void *data) { @@ -528,7 +600,7 @@ static int apparmor_sb_mount(const char *dev_name, const struct path *path, if ((flags & MS_MGC_MSK) == MS_MGC_VAL) flags &= ~MS_MGC_MSK; - flags &= ~AA_MS_IGNORE_MASK; + flags &= ~AA_SB_IGNORE_MASK; label = __begin_current_label_crit_section(); if (!unconfined(label)) { @@ -1124,6 +1196,12 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { LSM_HOOK_INIT(capget, apparmor_capget), LSM_HOOK_INIT(capable, apparmor_capable), + LSM_HOOK_INIT(fs_context_alloc, apparmor_fs_context_alloc), + LSM_HOOK_INIT(fs_context_dup, apparmor_fs_context_dup), + LSM_HOOK_INIT(fs_context_free, apparmor_fs_context_free), + LSM_HOOK_INIT(fs_context_parse_option, apparmor_fs_context_parse_option), + LSM_HOOK_INIT(sb_mountpoint, apparmor_sb_mountpoint), + LSM_HOOK_INIT(sb_mount, apparmor_sb_mount), LSM_HOOK_INIT(sb_umount, apparmor_sb_umount), LSM_HOOK_INIT(sb_pivotroot, apparmor_sb_pivotroot), diff --git a/security/apparmor/mount.c b/security/apparmor/mount.c index 45bb769d6cd7..de791134e352 100644 --- a/security/apparmor/mount.c +++ b/security/apparmor/mount.c @@ -554,6 +554,52 @@ int aa_new_mount(struct aa_label *label, const char *dev_name, return error; } +int aa_new_mount_fc(struct aa_label *label, struct fs_context *fc, + const struct path *mountpoint) +{ + struct apparmor_fs_context *afc = fc->security; + struct aa_profile *profile; + char *buffer = NULL, *dev_buffer = NULL; + bool binary; + int error; + struct path tmp_path, *dev_path = NULL; + + AA_BUG(!label); + AA_BUG(!mountpoint); + + binary = fc->fs_type->fs_flags & FS_BINARY_MOUNTDATA; + + if (fc->fs_type->fs_flags & FS_REQUIRES_DEV) { + if (!fc->source) + return -ENOENT; + + error = kern_path(fc->source, LOOKUP_FOLLOW, &tmp_path); + if (error) + return error; + dev_path = &tmp_path; + } + + get_buffers(buffer, dev_buffer); + if (dev_path) { + error = fn_for_each_confined(label, profile, + match_mnt(profile, mountpoint, buffer, dev_path, dev_buffer, + fc->fs_type->name, + fc->sb_flags & ~AA_SB_IGNORE_MASK, + afc->saved_options, binary)); + } else { + error = fn_for_each_confined(label, profile, + match_mnt_path_str(profile, mountpoint, buffer, + fc->source, fc->fs_type->name, + fc->sb_flags & ~AA_SB_IGNORE_MASK, + afc->saved_options, binary, NULL)); + } + put_buffers(buffer, dev_buffer); + if (dev_path) + path_put(dev_path); + + return error; +} + static int profile_umount(struct aa_profile *profile, struct path *path, char *buffer) {