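// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor /proc/<pid>/attr/ interface functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include "include/apparmor.h"
#include "include/cred.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/domain.h"
#include "include/procattr.h"


/**
 * aa_getprocattr - Return the label information for @label
 * @label: the label to print label info about (NOT NULL)
 * @string: Returns - string containing the label info (NOT NULL)
 *
 * Requires: label != NULL && string != NULL
 *
 * Creates a newline-terminated string containing the label information
 * for @label as seen from the current task's namespace.  On success the
 * buffer is kmalloc()ed and owned by the caller, who must kfree() it.
 * No allocation is handed back on failure.
 *
 * Returns: size of string placed in @string else error code on failure
 */
int aa_getprocattr(struct aa_label *label, char **string)
{
	struct aa_ns *ns = labels_ns(label);
	struct aa_ns *current_ns = aa_get_current_ns();
	int len;

	/* a label from a namespace the viewer cannot see must not be shown */
	if (!aa_ns_visible(current_ns, ns, true)) {
		aa_put_ns(current_ns);
		return -EACCES;
	}

	/* first pass (NULL buffer, size 0) only measures the output */
	len = aa_label_snxprint(NULL, 0, current_ns, label,
				FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
				FLAG_HIDDEN_UNCONFINED);
	AA_BUG(len < 0);

	/* +2: room for the trailing '\n' and the NUL terminator */
	*string = kmalloc(len + 2, GFP_KERNEL);
	if (!*string) {
		aa_put_ns(current_ns);
		return -ENOMEM;
	}

	len = aa_label_snxprint(*string, len + 2, current_ns, label,
				FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
				FLAG_HIDDEN_UNCONFINED);
	if (len < 0) {
		/* callers ignore *string on error; don't leak the buffer */
		kfree(*string);
		*string = NULL;
		aa_put_ns(current_ns);
		return len;
	}

	(*string)[len] = '\n';
	(*string)[len + 1] = 0;

	aa_put_ns(current_ns);
	return len + 1;
}

/**
 * split_token_from_name - separate a string of form <token>^<name>
 * @op: operation being checked (used only in the error message)
 * @args: string to parse (NOT NULL)
 * @token: stores returned parsed token value (NOT NULL)
 *
 * @token is parsed as a hexadecimal number and must be immediately
 * followed by '^'.
 *
 * Returns: start position of name after '^', NULL if nothing follows the
 *          '^', or ERR_PTR(-EINVAL) if @args is malformed
 */
static char *split_token_from_name(const char *op, char *args, u64 *token)
{
	char *name;

	*token = simple_strtoull(args, &name, 16);
	/* reject an empty token as well as a missing '^' separator */
	if ((name == args) || *name != '^') {
		AA_ERROR("%s: Invalid input '%s'", op, args);
		return ERR_PTR(-EINVAL);
	}

	name++; /* skip ^ */
	if (!*name)
		name = NULL;
	return name;
}

/**
 * aa_setprocattr_changehat - handle procattr interface to change_hat
 * @args: args received from writing to /proc/<pid>/attr/current (NOT NULL)
 * @size: size of the args
 * @flags: set of flags governing behavior
 *
 * @args has the form <magic>^<hat>[\0<hat>...]; the caller (setprocattr)
 * guarantees a NUL terminator at args[size].  At most ARRAY_SIZE(hats)
 * names are collected; any beyond that are silently ignored.
 *
 * Returns: %0 or error code if change_hat fails
 */
int aa_setprocattr_changehat(char *args, size_t size, int flags)
{
	char *hat;
	u64 token;
	const char *hats[16]; /* current hard limit on # of names */
	int count = 0;

	hat = split_token_from_name(OP_CHANGE_HAT, args, &token);
	if (IS_ERR(hat))
		return PTR_ERR(hat);

	/* a missing hat name is only valid together with a non-zero magic */
	if (!hat && !token) {
		AA_ERROR("change_hat: Invalid input, NULL hat and NULL magic");
		return -EINVAL;
	}

	if (hat) {
		/* set up hat name vector, args guaranteed null terminated
		 * at args[size] by setprocattr.
		 *
		 * If there are multiple hat names in the buffer each is
		 * separated by a \0. Ie. userspace writes them pre tokenized
		 */
		char *end = args + size;

		/* bounded by both the buffer end and the vector capacity */
		for (count = 0; (hat < end) && count < ARRAY_SIZE(hats);
		     ++count) {
			char *next = hat + strlen(hat) + 1;

			hats[count] = hat;
			AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d hat '%s'\n",
				 __func__, current->pid, token, count, hat);
			hat = next;
		}
	} else {
		AA_DEBUG("%s: (pid %d) Magic 0x%llx count %d Hat '%s'\n",
			 __func__, current->pid, token, count, "<NULL>");
	}

	return aa_change_hat(hats, count, token, flags);
}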