Merge tag 'apparmor-pr-2019-12-03' of...

	select SECURITY_PATH

	select SECURITYFS

	select SECURITY_NETWORK

	select ZLIB_INFLATE

	select ZLIB_DEFLATE

	default n

	help

	  This enables the AppArmor security module.

#include <linux/fs.h>

#include <linux/fs_context.h>

#include <linux/poll.h>

#include <linux/zlib.h>

#include <uapi/linux/major.h>

#include <uapi/linux/magic.h>

 * support fns

 */

struct rawdata_f_data {

	struct aa_loaddata *loaddata;

};

#define RAWDATA_F_DATA_BUF(p) (char *)(p + 1)

static void rawdata_f_data_free(struct rawdata_f_data *private)

{

	if (!private)

		return;

	aa_put_loaddata(private->loaddata);

	kvfree(private);

}

static struct rawdata_f_data *rawdata_f_data_alloc(size_t size)

{

	struct rawdata_f_data *ret;

	if (size > SIZE_MAX - sizeof(*ret))

		return ERR_PTR(-EINVAL);

	ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL);

	if (!ret)

		return ERR_PTR(-ENOMEM);

	return ret;

}

/**

 * aa_mangle_name - mangle a profile name to std profile layout form

 * @name: profile name to mangle  (NOT NULL)

	return 0;

}

static int seq_rawdata_compressed_size_show(struct seq_file *seq, void *v)

{

	struct aa_loaddata *data = seq->private;

	seq_printf(seq, "%zu\n", data->compressed_size);

	return 0;

}

SEQ_RAWDATA_FOPS(abi);

SEQ_RAWDATA_FOPS(revision);

SEQ_RAWDATA_FOPS(hash);

SEQ_RAWDATA_FOPS(compressed_size);

static int deflate_decompress(char *src, size_t slen, char *dst, size_t dlen)

{

	int error;

	struct z_stream_s strm;

	if (aa_g_rawdata_compression_level == 0) {

		if (dlen < slen)

			return -EINVAL;

		memcpy(dst, src, slen);

		return 0;

	}

	memset(&strm, 0, sizeof(strm));

	strm.workspace = kvzalloc(zlib_inflate_workspacesize(), GFP_KERNEL);

	if (!strm.workspace)

		return -ENOMEM;

	strm.next_in = src;

	strm.avail_in = slen;

	error = zlib_inflateInit(&strm);

	if (error != Z_OK) {

		error = -ENOMEM;

		goto fail_inflate_init;

	}

	strm.next_out = dst;

	strm.avail_out = dlen;

	error = zlib_inflate(&strm, Z_FINISH);

	if (error != Z_STREAM_END)

		error = -EINVAL;

	else

		error = 0;

	zlib_inflateEnd(&strm);

fail_inflate_init:

	kvfree(strm.workspace);

	return error;

}

static ssize_t rawdata_read(struct file *file, char __user *buf, size_t size,

			    loff_t *ppos)

{

	struct aa_loaddata *rawdata = file->private_data;

	struct rawdata_f_data *private = file->private_data;

	return simple_read_from_buffer(buf, size, ppos, rawdata->data,

				       rawdata->size);

	return simple_read_from_buffer(buf, size, ppos,

				       RAWDATA_F_DATA_BUF(private),

				       private->loaddata->size);

}

static int rawdata_release(struct inode *inode, struct file *file)

{

	aa_put_loaddata(file->private_data);

	rawdata_f_data_free(file->private_data);

	return 0;

}

static int rawdata_open(struct inode *inode, struct file *file)

{

	int error;

	struct aa_loaddata *loaddata;

	struct rawdata_f_data *private;

	if (!policy_view_capable(NULL))

		return -EACCES;

	file->private_data = __aa_get_loaddata(inode->i_private);

	if (!file->private_data)

	loaddata = __aa_get_loaddata(inode->i_private);

	if (!loaddata)

		/* lost race: this entry is being reaped */

		return -ENOENT;

	private = rawdata_f_data_alloc(loaddata->size);

	if (IS_ERR(private)) {

		error = PTR_ERR(private);

		goto fail_private_alloc;

	}

	private->loaddata = loaddata;

	error = deflate_decompress(loaddata->data, loaddata->compressed_size,

				   RAWDATA_F_DATA_BUF(private),

				   loaddata->size);

	if (error)

		goto fail_decompress;

	file->private_data = private;

	return 0;

fail_decompress:

	rawdata_f_data_free(private);

	return error;

fail_private_alloc:

	aa_put_loaddata(loaddata);

	return error;

}

static const struct file_operations rawdata_fops = {

		rawdata->dents[AAFS_LOADDATA_HASH] = dent;

	}

	dent = aafs_create_file("compressed_size", S_IFREG | 0444, dir,

				rawdata,

				&seq_rawdata_compressed_size_fops);

	if (IS_ERR(dent))

		goto fail;

	rawdata->dents[AAFS_LOADDATA_COMPRESSED_SIZE] = dent;

	dent = aafs_create_file("raw_data", S_IFREG | 0444,

				      dir, rawdata, &rawdata_fops);

	if (IS_ERR(dent))

				label = &new_profile->label;

			continue;

		}

		label = aa_label_parse(&profile->label, *name, GFP_ATOMIC,

		label = aa_label_parse(&profile->label, *name, GFP_KERNEL,

				       true, false);

		if (IS_ERR(label))

			label = NULL;

		/* base the stack on post domain transition */

		struct aa_label *base = new;

		new = aa_label_parse(base, stack, GFP_ATOMIC, true, false);

		new = aa_label_parse(base, stack, GFP_KERNEL, true, false);

		if (IS_ERR(new))

			new = NULL;

		aa_put_label(base);

	} else if (COMPLAIN_MODE(profile)) {

		/* no exec permission - learning mode */

		struct aa_profile *new_profile = NULL;

		char *n = kstrdup(name, GFP_ATOMIC);

		if (n) {

			/* name is ptr into buffer */

			long pos = name - buffer;

			/* break per cpu buffer hold */

			put_buffers(buffer);

			new_profile = aa_new_null_profile(profile, false, n,

		new_profile = aa_new_null_profile(profile, false, name,

						  GFP_KERNEL);

			get_buffers(buffer);

			name = buffer + pos;

			strcpy((char *)name, n);

			kfree(n);

		}

		if (!new_profile) {

			error = -ENOMEM;

			info = "could not create null profile";

		if (DEBUG_ON) {

			dbg_printk("apparmor: scrubbing environment variables"

				   " for %s profile=", name);

			aa_label_printk(new, GFP_ATOMIC);

			aa_label_printk(new, GFP_KERNEL);

			dbg_printk("\n");

		}

		*secure_exec = true;

		if (DEBUG_ON) {

			dbg_printk("apparmor: scrubbing environment "

				   "variables for %s label=", xname);

			aa_label_printk(onexec, GFP_ATOMIC);

			aa_label_printk(onexec, GFP_KERNEL);

			dbg_printk("\n");

		}

		*secure_exec = true;

					       bprm, buffer, cond, unsafe));

		if (error)

			return ERR_PTR(error);

		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,

		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,

				aa_get_newest_label(onexec),

				profile_transition(profile, bprm, buffer,

						   cond, unsafe));

					       buffer, cond, unsafe));

		if (error)

			return ERR_PTR(error);

		new = fn_label_build_in_ns(label, profile, GFP_ATOMIC,

		new = fn_label_build_in_ns(label, profile, GFP_KERNEL,

				aa_label_merge(&profile->label, onexec,

					       GFP_ATOMIC),

					       GFP_KERNEL),

				profile_transition(profile, bprm, buffer,

						   cond, unsafe));

	}

		ctx->nnp = aa_get_label(label);

	/* buffer freed below, name is pointer into buffer */

	get_buffers(buffer);

	buffer = aa_get_buffer(false);

	if (!buffer) {

		error = -ENOMEM;

		goto done;

	}

	/* Test for onexec first as onexec override other x transitions. */

	if (ctx->onexec)

		new = handle_onexec(label, ctx->onexec, ctx->token,

				    bprm, buffer, &cond, &unsafe);

	else

		new = fn_label_build(label, profile, GFP_ATOMIC,

		new = fn_label_build(label, profile, GFP_KERNEL,

				profile_transition(profile, bprm, buffer,

						   &cond, &unsafe));

		if (DEBUG_ON) {

			dbg_printk("scrubbing environment variables for %s "

				   "label=", bprm->filename);

			aa_label_printk(new, GFP_ATOMIC);

			aa_label_printk(new, GFP_KERNEL);

			dbg_printk("\n");

		}

		bprm->secureexec = 1;

		if (DEBUG_ON) {

			dbg_printk("apparmor: clearing unsafe personality "

				   "bits. %s label=", bprm->filename);

			aa_label_printk(new, GFP_ATOMIC);

			aa_label_printk(new, GFP_KERNEL);

			dbg_printk("\n");

		}

		bprm->per_clear |= PER_CLEAR_ON_SETID;

done:

	aa_put_label(label);

	put_buffers(buffer);

	aa_put_buffer(buffer);

	return error;

	if (aad(sa)->peer) {

		audit_log_format(ab, " target=");

		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,

				FLAG_VIEW_SUBNS, GFP_ATOMIC);

				FLAG_VIEW_SUBNS, GFP_KERNEL);

	} else if (aad(sa)->fs.target) {

		audit_log_format(ab, " target=");

		audit_log_untrustedstring(ab, aad(sa)->fs.target);

	flags |= PATH_DELEGATE_DELETED | (S_ISDIR(cond->mode) ? PATH_IS_DIR :

								0);

	get_buffers(buffer);

	buffer = aa_get_buffer(false);

	if (!buffer)

		return -ENOMEM;

	error = fn_for_each_confined(label, profile,

			profile_path_perm(op, profile, path, buffer, request,

					  cond, flags, &perms));

	put_buffers(buffer);

	aa_put_buffer(buffer);

	return error;

}

	int error;

	/* buffer freed below, lname is pointer in buffer */

	get_buffers(buffer, buffer2);

	buffer = aa_get_buffer(false);

	buffer2 = aa_get_buffer(false);

	error = -ENOMEM;

	if (!buffer || !buffer2)

		goto out;

	error = fn_for_each_confined(label, profile,

			profile_path_link(profile, &link, buffer, &target,

					  buffer2, &cond));

	put_buffers(buffer, buffer2);

out:

	aa_put_buffer(buffer);

	aa_put_buffer(buffer2);

	return error;

}

static int __file_path_perm(const char *op, struct aa_label *label,

			    struct aa_label *flabel, struct file *file,

			    u32 request, u32 denied)

			    u32 request, u32 denied, bool in_atomic)

{

	struct aa_profile *profile;

	struct aa_perms perms = {};

		return 0;

	flags = PATH_DELEGATE_DELETED | (S_ISDIR(cond.mode) ? PATH_IS_DIR : 0);

	get_buffers(buffer);

	buffer = aa_get_buffer(in_atomic);

	if (!buffer)

		return -ENOMEM;

	/* check every profile in task label not in current cache */

	error = fn_for_each_not_in_set(flabel, label, profile,

	if (!error)

		update_file_ctx(file_ctx(file), label, request);

	put_buffers(buffer);

	aa_put_buffer(buffer);

	return error;

}

 * @label: label being enforced   (NOT NULL)

 * @file: file to revalidate access permissions on  (NOT NULL)

 * @request: requested permissions

 * @in_atomic: whether allocations need to be done in atomic context

 *

 * Returns: %0 if access allowed else error

 */

int aa_file_perm(const char *op, struct aa_label *label, struct file *file,

		 u32 request)

		 u32 request, bool in_atomic)

{

	struct aa_file_ctx *fctx;

	struct aa_label *flabel;

	fctx = file_ctx(file);

	rcu_read_lock();

	flabel  = rcu_dereference(fctx->label);

	flabel  = aa_get_newest_label(rcu_dereference(fctx->label));

	rcu_read_unlock();

	AA_BUG(!flabel);

	/* revalidate access, if task is unconfined, or the cached cred

	if (file->f_path.mnt && path_mediated_fs(file->f_path.dentry))

		error = __file_path_perm(op, label, flabel, file, request,

					 denied);

					 denied, in_atomic);

	else if (S_ISSOCK(file_inode(file)->i_mode))

		error = __file_sock_perm(op, label, flabel, file, request,

					 denied);

done:

	rcu_read_unlock();

	aa_put_label(flabel);

	return error;

}

					     struct tty_file_private, list);

		file = file_priv->file;

		if (aa_file_perm(OP_INHERIT, label, file, MAY_READ | MAY_WRITE))

		if (aa_file_perm(OP_INHERIT, label, file, MAY_READ | MAY_WRITE,

				 IN_ATOMIC))

			drop_tty = 1;

	}

	spin_unlock(&tty->files_lock);

{

	struct aa_label *label = (struct aa_label *)p;

	if (aa_file_perm(OP_INHERIT, label, file, aa_map_file_to_perms(file)))

	if (aa_file_perm(OP_INHERIT, label, file, aa_map_file_to_perms(file),

			 IN_ATOMIC))

		return fd + 1;

	return 0;

}

extern bool aa_g_audit_header;

extern bool aa_g_debug;

extern bool aa_g_hash_policy;

extern int aa_g_rawdata_compression_level;

extern bool aa_g_lock_policy;

extern bool aa_g_logsyscall;

extern bool aa_g_paranoid_load;