// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor functions for pathnames
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include <linux/magic.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/nsproxy.h>
#include <linux/path.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/fs_struct.h>

#include "include/apparmor.h"
#include "include/path.h"
#include "include/policy.h"

/*
 * prepend - copy @namelen bytes of @str directly in front of *@buffer
 * (modified from dcache.c)
 * @buffer: in/out cursor into the name buffer; moved back by @namelen
 * @buflen: bytes available in front of *@buffer (callers in this file
 *          pass the distance from the buffer start to the cursor)
 * @str: bytes to copy; no terminator is written
 * @namelen: number of bytes to copy
 *
 * Returns: %0 on success, -ENAMETOOLONG when @namelen does not fit in
 * @buflen.  On failure neither the cursor nor the buffer is modified.
 */
static int prepend(char **buffer, int buflen, const char *str, int namelen)
{
	char *start;

	/* Refuse before touching the cursor so it never moves out of range. */
	if (buflen - namelen < 0)
		return -ENAMETOOLONG;

	start = *buffer - namelen;
	memcpy(start, str, namelen);
	*buffer = start;

	return 0;
}

#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)

/*
 * disconnect - fix up a name whose path is not connected to the expected root
 * @path: path the name was generated for
 * @buf: start of the buffer that *@name points into
 * @name: in/out pointer to the start of the name inside @buf
 * @flags: flags controlling path lookup
 * @disconnected: optional string to prefix to a connected-by-request name
 *
 * The name is treated as connected only when the caller
 *     specifically asked for that (PATH_CONNECT_PATH),
 * OR
 *     both chroot-relative flags in CHROOT_NSCONNECT are set and
 *     our_mnt() accepts the mount (the path would be connected outside
 *     of the chroot, at the namespace root).
 *
 * Otherwise the name is reported as disconnected: any leading '/' is
 * dropped so the result does not start with '/', and -EACCES is returned.
 *
 * Returns: %0, -EACCES for a disconnected path, or the error from prepend()
 */
static int disconnect(const struct path *path, char *buf, char **name,
		      int flags, const char *disconnected)
{
	int rc;

	/*
	 * Short-circuit order matters: our_mnt() is only consulted when
	 * PATH_CONNECT_PATH is clear and both CHROOT_NSCONNECT bits are set.
	 */
	if ((flags & PATH_CONNECT_PATH) ||
	    (((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
	     our_mnt(path->mnt))) {
		/* CONNECT_PATH with missing root: supply the leading '/' */
		if (**name != '/') {
			rc = prepend(name, *name - buf, "/", 1);
			if (rc)
				return rc;
		}

		if (disconnected)
			return prepend(name, *name - buf, disconnected,
				       strlen(disconnected));

		return 0;
	}

	/* disconnected path, don't return a pathname starting with '/' */
	if (**name == '/')
		(*name)++;

	return -EACCES;
}

/**
 * d_namespace_path - lookup a name associated with a given path
 * @path: path to lookup (NOT NULL)
 * @buf: buffer to store path to (NOT NULL)
 * @name: Returns - pointer to the start of the path name within @buf (NOT NULL)
 * @flags: flags controlling path lookup
 * @disconnected: string to prefix to disconnected paths
 *
 * Handle path name lookup.  When PATH_IS_DIR is set one byte of the buffer
 * is held back from the lookup helpers so that a trailing '/' can be
 * appended on success.
 *
 * Returns: %0 else error code if path lookup fails
 *          When there is no error the path name is returned in @name,
 *          which points to a position in @buf.  On error @name is still
 *          set, but may only describe a partial name.
 */
static int d_namespace_path(const struct path *path, char *buf, char **name,
			    int flags, const char *disconnected)
{
	char *pathname;
	int rc = 0;
	int connected = 1;
	const int isdir = !!(flags & PATH_IS_DIR);
	/* reserve the final byte for the directory slash when needed */
	int buflen = aa_g_path_max - isdir;

	if (path->mnt->mnt_flags & MNT_INTERNAL) {
		/* it's not mounted anywhere */
		pathname = dentry_path(path->dentry, buf, buflen);
		if (IS_ERR(pathname)) {
			*name = buf;
			return PTR_ERR(pathname);
		}
		*name = pathname;

		if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
		    strncmp(*name, "/sys/", 5) == 0) {
			/* TODO: convert over to using a per namespace
			 * control instead of hard coded /proc
			 */
			rc = prepend(name, *name - buf, "/proc", 5);
		} else {
			rc = disconnect(path, buf, name, flags, disconnected);
		}
		goto out;
	}

	/* resolve paths relative to chroot? */
	if (flags & PATH_CHROOT_REL) {
		struct path root;

		get_fs_root(current->fs, &root);
		pathname = __d_path(path, &root, buf, buflen);
		path_put(&root);
	} else {
		pathname = d_absolute_path(path, buf, buflen);
		if (!our_mnt(path->mnt))
			connected = 0;
	}

	/* handle error conditions - and still allow a partial path to
	 * be returned.
	 */
	if (!pathname || IS_ERR(pathname)) {
		/*
		 * An error return skips the trailing-slash step below, which
		 * only ever runs when no error has been recorded.
		 */
		if (PTR_ERR(pathname) == -ENAMETOOLONG) {
			*name = buf;
			return -ENAMETOOLONG;
		}

		/* fall back to the dentry-only name, marked disconnected */
		connected = 0;
		pathname = dentry_path_raw(path->dentry, buf, buflen);
		if (IS_ERR(pathname)) {
			*name = buf;
			return PTR_ERR(pathname);
		}
	} else if (!our_mnt(path->mnt)) {
		connected = 0;
	}

	*name = pathname;

	if (!connected)
		rc = disconnect(path, buf, name, flags, disconnected);

	/* Handle two cases:
	 * 1. A deleted dentry && profile is not allowing mediation of deleted
	 * 2. On some filesystems, newly allocated dentries appear to the
	 *    security_path hooks as a deleted dentry except without an inode
	 *    allocated.
	 *
	 * This overrides any result recorded by disconnect() above.
	 */
	if (d_unlinked(path->dentry) && d_is_positive(path->dentry) &&
	    !(flags & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED)))
		rc = -ENOENT;

out:
	/*
	 * Append "/" to the pathname.  The root directory is a special
	 * case; it already ends in slash.
	 *
	 * The write lands on the byte held back from @buflen plus the one
	 * before it; this assumes the lookup helpers left the name's
	 * terminator at buf[buflen - 1] - TODO confirm against the helpers.
	 */
	if (!rc && isdir && !((*name)[0] == '/' && (*name)[1] == '\0')) {
		char *tail = &buf[aa_g_path_max - 2];

		tail[0] = '/';
		tail[1] = '\0';
	}

	return rc;
}

/**
 * aa_path_name - get the pathname to a buffer ensure dir / is appended
 * @path: path the file  (NOT NULL)
 * @flags: flags controlling path name generation
 * @buffer: buffer to put name in (NOT NULL)
 * @name: Returns - the generated path name if !error (NOT NULL)
 * @info: Returns - information on why the path lookup failed (MAYBE NULL)
 * @disconnected: string to prepend to disconnected paths
 *
 * @name is a pointer to the beginning of the pathname (which usually differs
 * from the beginning of the buffer), or NULL.  If there is an error @name
 * may contain a partial or invalid name that can be used for audit purposes,
 * but it can not be used for mediation.
 *
 * We need PATH_IS_DIR to indicate whether the file is a directory or not
 * because the file may not yet exist, and so we cannot check the inode's
 * file type.
 *
 * Returns: %0 on success, else the error code from the name lookup
 */
int aa_path_name(const struct path *path, int flags, char *buffer,
		 const char **name, const char **info, const char *disconnected)
{
	char *str = NULL;
	int error = d_namespace_path(path, buffer, &str, flags, disconnected);

	/* Always hand the (possibly partial) name back; see the note above. */
	*name = str;

	if (info && error) {
		switch (error) {
		case -ENOENT:
			*info = "Failed name lookup - deleted entry";
			break;
		case -EACCES:
			*info = "Failed name lookup - disconnected path";
			break;
		case -ENAMETOOLONG:
			*info = "Failed name lookup - name too long";
			break;
		default:
			*info = "Failed name lookup";
			break;
		}
	}

	return error;
}