// SPDX-License-Identifier: GPL-2.0-only
/*
* AppArmor security module
*
* This file contains AppArmor policy manipulation functions
*
* Copyright (C) 1998-2008 Novell/SUSE
* Copyright 2009-2010 Canonical Ltd.
*
* AppArmor policy is based around profiles, which contain the rules a
* task is confined by. Every task in the system has a profile attached
* to it determined either by matching "unconfined" tasks against the
* visible set of profiles or by following a profiles attachment rules.
*
* Each profile exists in a profile namespace which is a container of
* visible profiles. Each namespace contains a special "unconfined" profile,
* which doesn't enforce any confinement on a task beyond DAC.
*
* Namespace and profile names can be written together in either
* of two syntaxes.
* :namespace:profile - used by kernel interfaces for easy detection
* namespace://profile - used by policy
*
* Profile names can not start with : or @ or ^ and may not contain \0
*
* Reserved profile names
* unconfined - special automatically generated unconfined profile
* inherit - special name to indicate profile inheritance
* null-XXXX-YYYY - special automatically generated learning profiles
*
* Namespace names may not start with / or @ and may not contain \0 or :
* Reserved namespace names
* user-XXXX - user defined profiles
*
* a // in a profile or namespace name indicates a hierarchical name with the
* name before the // being the parent and the name after the child.
*
* Profile and namespace hierarchies serve two different but similar purposes.
* The namespace contains the set of visible profiles that are considered
* for attachment. The hierarchy of namespaces allows for virtualizing
* the namespace so that for example a chroot can have its own set of profiles
* which may define some local user namespaces.
* The profile hierarchy severs two distinct purposes,
* - it allows for sub profiles or hats, which allows an application to run
* subprograms under its own profile with different restriction than it
* self, and not have it use the system profile.
* eg. if a mail program starts an editor, the policy might make the
* restrictions tighter on the editor tighter than the mail program,
* and definitely different than general editor restrictions
* - it allows for binary hierarchy of profiles, so that execution history
* is preserved. This feature isn't exploited by AppArmor reference policy
* but is allowed. NOTE: this is currently suboptimal because profile
* aliasing is not currently implemented so that a profile for each
* level must be defined.
* eg. /bin/bash///bin/ls as a name would indicate /bin/ls was started
* from /bin/bash
*
* A profile or namespace name that can contain one or more // separators
* is referred to as an hname (hierarchical).
* eg. /bin/bash//bin/ls
*
* An fqname is a name that may contain both namespace and profile hnames.
* eg. :ns:/bin/bash//bin/ls
*
* NOTES:
* - locking of profile lists is currently fairly coarse. All profile
* lists within a namespace use the namespace lock.
* FIXME: move profile lists to using rcu_lists
*/
#include <linux/slab.h>
#include <linux/spinlock.h>
#include <linux/string.h>
#include <linux/cred.h>
#include <linux/rculist.h>
#include <linux/user_namespace.h>
#include "include/apparmor.h"
#include "include/capability.h"
#include "include/cred.h"
#include "include/file.h"
#include "include/ipc.h"
#include "include/match.h"
#include "include/path.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/policy_unpack.h"
#include "include/resource.h"
int unprivileged_userns_apparmor_policy = 1;
const char *const aa_profile_mode_names[] = {
"enforce",
"complain",
"kill",
"unconfined",
};
/**
* __add_profile - add a profiles to list and label tree
* @list: list to add it to (NOT NULL)
* @profile: the profile to add (NOT NULL)
*
* refcount @profile, should be put by __list_remove_profile
*
* Requires: namespace lock be held, or list not be shared
*/
static void __add_profile(struct list_head *list, struct aa_profile *profile)
{
struct aa_label *l;
AA_BUG(!list);
AA_BUG(!profile);
AA_BUG(!profile->ns);
AA_BUG(!mutex_is_locked(&profile->ns->lock));
list_add_rcu(&profile->base.list, list);
/* get list reference */
aa_get_profile(profile);
l = aa_label_insert(&profile->ns->labels, &profile->label);
AA_BUG(l != &profile->label);
aa_put_label(l);
}
/**
* __list_remove_profile - remove a profile from the list it is on
* @profile: the profile to remove (NOT NULL)
*
* remove a profile from the list, warning generally removal should
* be done with __replace_profile as most profile removals are
* replacements to the unconfined profile.
*
* put @profile list refcount
*
* Requires: namespace lock be held, or list not have been live
*/
static void __list_remove_profile(struct aa_profile *profile)
{
AA_BUG(!profile);
AA_BUG(!profile->ns);
AA_BUG(!mutex_is_locked(&profile->ns->lock));
list_del_rcu(&profile->base.list);
aa_put_profile(profile);
}
/**
* __remove_profile - remove old profile, and children
* @profile: profile to be replaced (NOT NULL)
*
* Requires: namespace list lock be held, or list not be shared
*/
static void __remove_profile(struct aa_profile *profile)
{
AA_BUG(!profile);
AA_BUG(!profile->ns);
AA_BUG(!mutex_is_locked(&profile->ns->lock));
/* release any children lists first */
__aa_profile_list_release(&profile->base.profiles);
/* released by free_profile */
aa_label_remove(&profile->label);
__aafs_profile_rmdir(profile);
__list_remove_profile(profile);
}
/**
* __aa_profile_list_release - remove all profiles on the list and put refs
* @head: list of profiles (NOT NULL)
*
* Requires: namespace lock be held
*/
void __aa_profile_list_release(struct list_head *head)
{
struct aa_profile *profile, *tmp