// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor function for pathnames
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include <linux/magic.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/nsproxy.h>
#include <linux/path.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/fs_struct.h>

#include "include/apparmor.h"
#include "include/path.h"
#include "include/policy.h"

/**
 * prepend - copy a string in front of the current start of a name
 * @buffer: in/out pointer to the current start of the name; moved back by
 *          @namelen bytes on success
 * @buflen: number of bytes available in front of *@buffer (the callers in
 *          this file pass "*name - buf")
 * @str: bytes to copy (no terminating NUL is written)
 * @namelen: number of bytes of @str to copy
 *
 * Modified from dcache.c.  The space check happens before *@buffer is moved,
 * so a failed call leaves *@buffer untouched.
 *
 * Returns: %0 on success, -ENAMETOOLONG if fewer than @namelen bytes are
 * available in front of *@buffer
 */
static int prepend(char **buffer, int buflen, const char *str, int namelen)
{
	buflen -= namelen;
	if (buflen < 0)
		return -ENAMETOOLONG;
	*buffer -= namelen;
	memcpy(*buffer, str, namelen);
	return 0;
}

/* both bits must be set for a chroot relative lookup to be connected to the
 * namespace root; disconnect() compares against the full mask
 */
#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)

/**
 * disconnect - fix up a name that is not connected to the expected root
 * @path: path the name was generated for (NOT NULL)
 * @buf: start of the buffer that *@name points into
 * @name: in/out pointer to the start of the name within @buf
 * @flags: flags controlling path lookup
 * @disconnected: string to prefix to connected-by-request names (MAYBE NULL)
 *
 * The name is treated as disconnected, and any leading '/' that __d_path may
 * have returned is removed,
 * Unless
 *     specifically directed to connect the path (PATH_CONNECT_PATH),
 * OR
 *     if in a chroot and doing chroot relative paths and the path
 *     resolves to the namespace root (would be connected outside
 *     of chroot) and specifically directed to connect paths to
 *     namespace root (both CHROOT_NSCONNECT bits set and our_mnt() true).
 *
 * In those two cases a missing leading '/' is added and @disconnected, when
 * not NULL, is prepended in front of it.  The /proc/sys special case is not
 * handled here; d_namespace_path() deals with it before calling this helper.
 *
 * Returns: -EACCES for a path left disconnected, otherwise %0 or the
 * -ENAMETOOLONG error from prepend()
 */
static int disconnect(const struct path *path, char *buf, char **name,
		      int flags, const char *disconnected)
{
	int error = 0;

	if (!(flags & PATH_CONNECT_PATH) &&
	    !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
	      our_mnt(path->mnt))) {
		/* disconnected path, don't return pathname starting
		 * with '/'.  The error is reported together with the
		 * stripped name, so the caller still has a name to audit.
		 */
		error = -EACCES;
		if (**name == '/')
			*name = *name + 1;
	} else {
		if (**name != '/')
			/* CONNECT_PATH with missing root */
			error = prepend(name, *name - buf, "/", 1);
		/* the prefix goes in front of the (now rooted) name; both
		 * prepends are bounded by the space left before *name
		 */
		if (!error && disconnected)
			error = prepend(name, *name - buf, disconnected,
					strlen(disconnected));
	}

	return error;
}

/**
 * d_namespace_path - lookup a name associated with a given path
 * @path: path to lookup (NOT NULL)
 * @buf: buffer to store path to (NOT NULL); indexed up to
 *       buf[aa_g_path_max - 1] below, so it must hold at least
 *       aa_g_path_max bytes
 * @name: Returns - pointer for start of path name within @buf (NOT NULL)
 * @flags: flags controlling path lookup
 * @disconnected: string to prefix to disconnected paths
 *
 * Handle path name lookup.
 *
 * Returns: %0 else error code if path lookup fails
 *          When no error the path name is returned in @name which points to
 *          a position in @buf.  On error *@name is still set (to a partial
 *          name or to @buf itself) on every path visible in this function.
 */
static int d_namespace_path(const struct path *path, char *buf, char **name,
			    int flags, const char *disconnected)
{
	char *res;
	int error = 0;
	int connected = 1;
	int isdir = (flags & PATH_IS_DIR) ? 1 : 0;
	/* keep one byte back for the trailing '/' appended at out: */
	int buflen = aa_g_path_max - isdir;

	if (path->mnt->mnt_flags & MNT_INTERNAL) {
		/* it's not mounted anywhere */
		res = dentry_path(path->dentry, buf, buflen);
		*name = res;
		if (IS_ERR(res)) {
			/* hand back the buffer start rather than an
			 * ERR_PTR value
			 */
			*name = buf;
			return PTR_ERR(res);
		}
		if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
		    strncmp(*name, "/sys/", 5) == 0) {
			/* TODO: convert over to using a per namespace
			 * control instead of hard coded /proc
			 */
			error = prepend(name, *name - buf, "/proc", 5);
			goto out;
		} else
			error = disconnect(path, buf, name, flags,
					   disconnected);
		/* NOTE(review): the else above has no braces, so only the
		 * disconnect() call belongs to it; this goto is what ends
		 * the MNT_INTERNAL branch.
		 */
		goto out;
	}

	/* resolve paths relative to chroot?*/
	if (flags & PATH_CHROOT_REL) {
		struct path root;
		/* get_fs_root() is paired with the path_put() below */
		get_fs_root(current->fs, &root);
		res = __d_path(path, &root, buf, buflen);
		path_put(&root);
	} else {
		res = d_absolute_path(path, buf, buflen);
		/* presumably our_mnt() tests whether the mount belongs to
		 * the current task's mount namespace - defined elsewhere,
		 * confirm there
		 */
		if (!our_mnt(path->mnt))
			connected = 0;
	}

	/* handle error conditions - and still allow a partial path to
	 * be returned.
	 */
	if (!res || IS_ERR(res)) {
		if (PTR_ERR(res) == -ENAMETOOLONG) {
			error = -ENAMETOOLONG;
			*name = buf;
			goto out;
		}
		/* any other failure (including a NULL result): fall back to
		 * the dentry-only name and treat the path as disconnected
		 */
		connected = 0;
		res = dentry_path_raw(path->dentry, buf, buflen);
		if (IS_ERR(res)) {
			error = PTR_ERR(res);
			*name = buf;
			goto out;
		}
	} else if (!our_mnt(path->mnt))
		connected = 0;

	*name = res;

	if (!connected)
		error = disconnect(path, buf, name, flags, disconnected);

	/* Handle two cases:
	 * 1. A deleted dentry && profile is not allowing mediation of deleted
	 * 2. On some filesystems, newly allocated dentries appear to the
	 *    security_path hooks as a deleted dentry except without an inode
	 *    allocated.
	 *
	 * The d_is_positive() test means only unlinked dentries that still
	 * have an inode are refused here.  This runs after the disconnect()
	 * call above, so -ENOENT replaces an earlier -EACCES when both apply.
	 */
	if (d_unlinked(path->dentry) && d_is_positive(path->dentry) &&
	    !(flags & (PATH_MEDIATE_DELETED | PATH_DELEGATE_DELETED))) {
			error = -ENOENT;
			goto out;
	}

out:
	/*
	 * Append "/" to the pathname.  The root directory is a special
	 * case; it already ends in slash.
	 *
	 * Only done when there is no error.  The write lands in the last two
	 * bytes of the aa_g_path_max sized buffer: the byte reserved through
	 * buflen above plus the one before it.  NOTE(review): this relies on
	 * the lookup helpers placing the name's terminating NUL at
	 * buf[aa_g_path_max - 2] when isdir is set - confirm against their
	 * definitions.
	 */
	if (!error && isdir && ((*name)[1] != '\0' || (*name)[0] != '/'))
		strcpy(&buf[aa_g_path_max - 2], "/");

	return error;
}

/**
 * aa_path_name - get the pathname to a buffer ensure dir / is appended
 * @path: path to the file  (NOT NULL)
 * @flags: flags controlling path name generation
 * @buffer: buffer to put name in (NOT NULL)
 * @name: Returns - the generated path name if !error (NOT NULL)
 * @info: Returns - information on why the path lookup failed (MAYBE NULL)
 * @disconnected: string to prepend to disconnected paths
 *
 * @name is a pointer to the beginning of the pathname (which usually differs
 * from the beginning of the buffer), or NULL.  If there is an error @name
 * may contain a partial or invalid name that can be used for audit purposes,
 * but it can not be used for mediation.  *@name is assigned unconditionally,
 * so callers must check the return value before treating it as a valid name.
 *
 * *@info is only written when @info is not NULL and the lookup failed; it
 * then points at one of the constant strings below.
 *
 * We need PATH_IS_DIR to indicate whether the file is a directory or not
 * because the file may not yet exist, and so we cannot check the inode's
 * file type.
 *
 * Returns: %0 else error code if could not retrieve name
 */
int aa_path_name(const struct path *path, int flags, char *buffer,
		 const char **name, const char **info, const char *disconnected)
{
	char *str = NULL;
	int error = d_namespace_path(path, buffer, &str, flags, disconnected);

	/* map the lookup error to a reason string for the caller */
	if (info && error) {
		if (error == -ENOENT)
			*info = "Failed name lookup - deleted entry";
		else if (error == -EACCES)
			*info = "Failed name lookup - disconnected path";
		else if (error == -ENAMETOOLONG)
			*info = "Failed name lookup - name too long";
		else
			*info = "Failed name lookup";
	}

	/* set on success and on failure alike; see the audit-only caveat
	 * in the header comment
	 */
	*name = str;

	return error;
}