authorLinus Torvalds <torvalds@linux-foundation.org>2023-11-03 22:48:17 +0300
committerLinus Torvalds <torvalds@linux-foundation.org>2023-11-03 22:48:17 +0300
commit6bdfe2d88b9ff8b0cce32ce87cd47c0e9d665f48 (patch)
treea8a43da53fa84ce69adfb252ddbdaa38fc15e303 /security/apparmor/task.c
parent136cc1e1f5be75f57f1e0404b94ee1c8792cb07d (diff)
parent6cede10161be00d129a24e8b84c2674785a32cf8 (diff)
Merge tag 'apparmor-pr-2023-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
Pull apparmor updates from John Johansen: "This adds initial support for mediating io_uring and userns creation. Adds a new restriction that tightens the use of change_profile, and a couple of optimizations to reduce performance bottle necks that have been found when retrieving the current task's secid and allocating work buffers. The majority of the patch set continues cleaning up and simplifying the code (fixing comments, removing now dead functions, and macros etc). Finally there are 4 bug fixes, with the regression fix having had a couple months of testing. Features: - optimize retrieving current task secid - add base io_uring mediation - add base userns mediation - improve buffer allocation - allow restricting unprivilege change_profile Cleanups: - Fix kernel doc comments - remove unused declarations - remove unused functions - remove unneeded #ifdef - remove unused macros - mark fns static - cleanup fn with unused return values - cleanup audit data - pass cred through to audit data - refcount the pdb instead of using duplicates - make SK_CTX macro an inline fn - some comment cleanups Bug fixes: - fix regression in mount mediation - fix invalid refenece - use passed in gfp flags - advertise avaiability of extended perms and disconnected.path" * tag 'apparmor-pr-2023-11-03' of git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor: (39 commits) apparmor: Fix some kernel-doc comments apparmor: Fix one kernel-doc comment apparmor: Fix some kernel-doc comments apparmor: mark new functions static apparmor: Fix regression in mount mediation apparmor: cache buffers on percpu list if there is lock contention apparmor: add io_uring mediation apparmor: add user namespace creation mediation apparmor: allow restricting unprivileged change_profile apparmor: advertise disconnected.path is available apparmor: refcount the pdb apparmor: provide separate audit messages for file and policy checks apparmor: pass cred through to audit info. 
apparmor: rename audit_data->label to audit_data->subj_label apparmor: combine common_audit_data and apparmor_audit_data apparmor: rename SK_CTX() to aa_sock and make it an inline fn apparmor: Optimize retrieving current task secid apparmor: remove unused functions in policy_ns.c/.h apparmor: remove unneeded #ifdef in decompress_zstd() apparmor: fix invalid reference on profile->disconnected ...
Diffstat (limited to 'security/apparmor/task.c')
-rw-r--r--security/apparmor/task.c104
1 files changed, 75 insertions, 29 deletions
diff --git a/security/apparmor/task.c b/security/apparmor/task.c
index 84d16a29bfcb..f29a2e80e6bf 100644
--- a/security/apparmor/task.c
+++ b/security/apparmor/task.c
@@ -93,9 +93,8 @@ int aa_replace_current_label(struct aa_label *label)
* aa_set_current_onexec - set the tasks change_profile to happen onexec
* @label: system label to set at exec (MAYBE NULL to clear value)
* @stack: whether stacking should be done
- * Returns: 0 or error on failure
*/
-int aa_set_current_onexec(struct aa_label *label, bool stack)
+void aa_set_current_onexec(struct aa_label *label, bool stack)
{
struct aa_task_ctx *ctx = task_ctx(current);
@@ -103,8 +102,6 @@ int aa_set_current_onexec(struct aa_label *label, bool stack)
aa_put_label(ctx->onexec);
ctx->onexec = label;
ctx->token = stack;
-
- return 0;
}
/**
@@ -208,70 +205,75 @@ static const char *audit_ptrace_mask(u32 mask)
static void audit_ptrace_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
+ struct apparmor_audit_data *ad = aad(sa);
- if (aad(sa)->request & AA_PTRACE_PERM_MASK) {
+ if (ad->request & AA_PTRACE_PERM_MASK) {
audit_log_format(ab, " requested_mask=\"%s\"",
- audit_ptrace_mask(aad(sa)->request));
+ audit_ptrace_mask(ad->request));
- if (aad(sa)->denied & AA_PTRACE_PERM_MASK) {
+ if (ad->denied & AA_PTRACE_PERM_MASK) {
audit_log_format(ab, " denied_mask=\"%s\"",
- audit_ptrace_mask(aad(sa)->denied));
+ audit_ptrace_mask(ad->denied));
}
}
audit_log_format(ab, " peer=");
- aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
+ aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
FLAGS_NONE, GFP_ATOMIC);
}
/* assumes check for RULE_MEDIATES is already done */
/* TODO: conditionals */
-static int profile_ptrace_perm(struct aa_profile *profile,
- struct aa_label *peer, u32 request,
- struct common_audit_data *sa)
+static int profile_ptrace_perm(const struct cred *cred,
+ struct aa_profile *profile,
+ struct aa_label *peer, u32 request,
+ struct apparmor_audit_data *ad)
{
struct aa_ruleset *rules = list_first_entry(&profile->rules,
typeof(*rules), list);
struct aa_perms perms = { };
- aad(sa)->peer = peer;
+ ad->subj_cred = cred;
+ ad->peer = peer;
aa_profile_match_label(profile, rules, peer, AA_CLASS_PTRACE, request,
&perms);
aa_apply_modes_to_perms(profile, &perms);
- return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
+ return aa_check_perms(profile, &perms, request, ad, audit_ptrace_cb);
}
-static int profile_tracee_perm(struct aa_profile *tracee,
+static int profile_tracee_perm(const struct cred *cred,
+ struct aa_profile *tracee,
struct aa_label *tracer, u32 request,
- struct common_audit_data *sa)
+ struct apparmor_audit_data *ad)
{
if (profile_unconfined(tracee) || unconfined(tracer) ||
!ANY_RULE_MEDIATES(&tracee->rules, AA_CLASS_PTRACE))
return 0;
- return profile_ptrace_perm(tracee, tracer, request, sa);
+ return profile_ptrace_perm(cred, tracee, tracer, request, ad);
}
-static int profile_tracer_perm(struct aa_profile *tracer,
+static int profile_tracer_perm(const struct cred *cred,
+ struct aa_profile *tracer,
struct aa_label *tracee, u32 request,
- struct common_audit_data *sa)
+ struct apparmor_audit_data *ad)
{
if (profile_unconfined(tracer))
return 0;
if (ANY_RULE_MEDIATES(&tracer->rules, AA_CLASS_PTRACE))
- return profile_ptrace_perm(tracer, tracee, request, sa);
+ return profile_ptrace_perm(cred, tracer, tracee, request, ad);
/* profile uses the old style capability check for ptrace */
if (&tracer->label == tracee)
return 0;
- aad(sa)->label = &tracer->label;
- aad(sa)->peer = tracee;
- aad(sa)->request = 0;
- aad(sa)->error = aa_capable(&tracer->label, CAP_SYS_PTRACE,
- CAP_OPT_NONE);
+ ad->subj_label = &tracer->label;
+ ad->peer = tracee;
+ ad->request = 0;
+ ad->error = aa_capable(cred, &tracer->label, CAP_SYS_PTRACE,
+ CAP_OPT_NONE);
- return aa_audit(AUDIT_APPARMOR_AUTO, tracer, sa, audit_ptrace_cb);
+ return aa_audit(AUDIT_APPARMOR_AUTO, tracer, ad, audit_ptrace_cb);
}
/**
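Review bot: The old-style capability fallback at the end of profile_tracer_perm assigns `ad->subj_label`, `ad->peer`, `ad->request` and `ad->error` but never `ad->subj_cred`, whereas profile_ptrace_perm sets it before calling aa_check_perms. The record emitted through `aa_audit()` on this path may therefore not carry the subject cred; whether the audit code reads that field is not visible in this hunk. Adding `ad->subj_cred = cred;` next to the `ad->subj_label` assignment would keep the two paths consistent. A one-line comment on the new `cred` parameter of the three helpers, e.g. `/* @cred: cred of the task that @profile confines */`, would also help, since the tracee check is called with the tracee's cred rather than the tracer's.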
@@ -282,7 +284,8 @@ static int profile_tracer_perm(struct aa_profile *tracer,
*
* Returns: %0 else error code if permission denied or error
*/
-int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
+int aa_may_ptrace(const struct cred *tracer_cred, struct aa_label *tracer,
+ const struct cred *tracee_cred, struct aa_label *tracee,
u32 request)
{
struct aa_profile *profile;
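Review bot: The new parameters `tracer_cred` and `tracee_cred` get no entries in the kernel-doc block above aa_may_ptrace; its parameter lines sit outside this hunk and no other hunk on this page touches them. Suggest adding `@tracer_cred: cred of the task doing the tracing` and `@tracee_cred: cred of the task being traced`, and stating whether either may be NULL, since `tracer_cred` is passed down as far as `aa_capable()`. The function body continues outside the hunk.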
@@ -290,6 +293,49 @@ int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_PTRACE, OP_PTRACE);
return xcheck_labels(tracer, tracee, profile,
- profile_tracer_perm(profile, tracee, request, &sa),
- profile_tracee_perm(profile, tracer, xrequest, &sa));
+ profile_tracer_perm(tracer_cred, profile, tracee,
+ request, &sa),
+ profile_tracee_perm(tracee_cred, profile, tracer,
+ xrequest, &sa));
+}
+
+/* call back to audit ptrace fields */
+static void audit_ns_cb(struct audit_buffer *ab, void *va)
+{
+ struct apparmor_audit_data *ad = aad_of_va(va);
+
+ if (ad->request & AA_USERNS_CREATE)
+ audit_log_format(ab, " requested=\"userns_create\"");
+
+ if (ad->denied & AA_USERNS_CREATE)
+ audit_log_format(ab, " denied=\"userns_create\"");
+}
+
+int aa_profile_ns_perm(struct aa_profile *profile,
+ struct apparmor_audit_data *ad,
+ u32 request)
+{
+ struct aa_perms perms = { };
+ int error = 0;
+
+ ad->subj_label = &profile->label;
+ ad->request = request;
+
+ if (!profile_unconfined(profile)) {
+ struct aa_ruleset *rules = list_first_entry(&profile->rules,
+ typeof(*rules),
+ list);
+ aa_state_t state;
+
+ state = RULE_MEDIATES(rules, ad->class);
+ if (!state)
+ /* TODO: add flag to complain about unmediated */
+ return 0;
+ perms = *aa_lookup_perms(rules->policy, state);
+ aa_apply_modes_to_perms(profile, &perms);
+ error = aa_check_perms(profile, &perms, request, ad,
+ audit_ns_cb);
+ }
+
+ return error;
}
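Review bot: The comment above audit_ns_cb reads `/* call back to audit ptrace fields */`, which looks copied from the ptrace callback; the function logs only the userns_create request and denial, so `/* call back to audit user namespace fields */` fits. aa_profile_ns_perm is a new non-static function without kernel-doc: it should state that the caller must set `ad->class` (read by `RULE_MEDIATES` but not assigned here) and that a confined profile whose rules do not mediate that class returns 0 before aa_check_perms, so this function allows the request without logging it, as the TODO acknowledges. The audit keys here are ` requested=` and ` denied=` while audit_ptrace_cb writes ` requested_mask=` and ` denied_mask=`; if log tooling matches on the `_mask` keys it will presumably miss these records, so the difference deserves a comment or alignment. The start of aa_may_ptrace's body is outside this hunk.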