[apparmor] [PATCH v3] apparmor: add module mediation
Georgia Garcia
georgia.garcia at canonical.com
Fri Dec 10 19:19:19 UTC 2021
Provide basic mediation for module loading.
The user space rule has the following form:
MODULE RULE = [ QUALIFIERS ] 'module' [ MODE ]
[ PATH | MODULE NAME ]
MODE = ( 'load_data' | 'load_file' | 'request' )
PATH = path to loadable kernel module
MODULE NAME = name of the module to be requested to modprobe
Signed-off-by: Georgia Garcia <georgia.garcia at canonical.com>
---
v2: Replaced %0 by 0 in comments, and fixed typo in the commit message.
v3: I noticed while running the regression tests that kmod_name was
not set on audit.
The parser and the regression tests are available at:
https://gitlab.com/apparmor/apparmor/-/merge_requests/816
---
security/apparmor/Makefile | 3 +-
security/apparmor/apparmorfs.c | 7 +
security/apparmor/include/apparmor.h | 3 +-
security/apparmor/include/audit.h | 1 +
security/apparmor/include/module.h | 24 +++
security/apparmor/lsm.c | 56 ++++++
security/apparmor/module.c | 275 +++++++++++++++++++++++++++
7 files changed, 367 insertions(+), 2 deletions(-)
create mode 100644 security/apparmor/include/module.h
create mode 100644 security/apparmor/module.c
diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
index ff23fcfefe19..932d621ba4b5 100644
--- a/security/apparmor/Makefile
+++ b/security/apparmor/Makefile
@@ -5,7 +5,8 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
- resource.o secid.o file.o policy_ns.o label.o mount.o net.o
+ resource.o secid.o file.o policy_ns.o label.o mount.o net.o \
+ module.o
apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
clean-files := capability_names.h rlim_names.h net_names.h
diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
index 2ee3b3d29f10..f35978ad5c34 100644
--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2357,6 +2357,12 @@ static struct aa_sfs_entry aa_sfs_entry_query[] = {
AA_SFS_DIR("label", aa_sfs_entry_query_label),
{ }
};
+
+static struct aa_sfs_entry aa_sfs_entry_module[] = {
+ AA_SFS_FILE_STRING("mask", "load_data load_file request"),
+ { }
+};
+
static struct aa_sfs_entry aa_sfs_entry_features[] = {
AA_SFS_DIR("policy", aa_sfs_entry_policy),
AA_SFS_DIR("domain", aa_sfs_entry_domain),
@@ -2370,6 +2376,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
AA_SFS_DIR("ptrace", aa_sfs_entry_ptrace),
AA_SFS_DIR("signal", aa_sfs_entry_signal),
AA_SFS_DIR("query", aa_sfs_entry_query),
+ AA_SFS_DIR("module", aa_sfs_entry_module),
{ }
};
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index 1fbabdb565a8..cf8b315dffdc 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -28,8 +28,9 @@
#define AA_CLASS_SIGNAL 10
#define AA_CLASS_NET 14
#define AA_CLASS_LABEL 16
+#define AA_CLASS_MODULE 17
-#define AA_CLASS_LAST AA_CLASS_LABEL
+#define AA_CLASS_LAST AA_CLASS_MODULE
/* Control parameters settable through module/boot flags */
extern enum audit_mode aa_g_audit;
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index 18519a4eb67e..222fdc18579b 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -103,6 +103,7 @@ enum audit_type {
#define OP_PROF_LOAD "profile_load"
#define OP_PROF_RM "profile_remove"
+#define OP_MODULE "module"
struct apparmor_audit_data {
int error;
diff --git a/security/apparmor/include/module.h b/security/apparmor/include/module.h
new file mode 100644
index 000000000000..57378d8b5ca2
--- /dev/null
+++ b/security/apparmor/include/module.h
@@ -0,0 +1,24 @@
+/* SPDX-License-Identifier: GPL-2.0-only */
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor module mediation function definitions.
+ *
+ * Copyright 2021 Canonical Ltd.
+ */
+
+#ifndef __AA_MODULE_H
+#define __AA_MODULE_H
+
+#define AA_MAY_LOAD_DATA AA_MAY_WRITE
+#define AA_MAY_LOAD_FILE AA_MAY_CREATE
+#define AA_MAY_REQUEST AA_MAY_APPEND
+#define AA_VALID_MODULE_PERMS (AA_MAY_LOAD_DATA | AA_MAY_LOAD_FILE | \
+ AA_MAY_REQUEST)
+
+int aa_module_from_file(struct aa_label *label, struct file *file,
+ u32 request);
+int aa_module_from_name(struct aa_label *label, char *name,
+ u32 request, int data_type);
+
+#endif /* __AA_MODULE_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f72406fe1bf2..06d63c8d7de7 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -38,6 +38,7 @@
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/procattr.h"
+#include "include/module.h"
#include "include/mount.h"
#include "include/secid.h"
@@ -1169,6 +1170,57 @@ static int apparmor_inet_conn_request(const struct sock *sk, struct sk_buff *skb
}
#endif
+static int apparmor_kernel_module_request(char *kmod_name)
+{
+ struct aa_label *label;
+ int error = 0;
+
+ label = __begin_current_label_crit_section();
+ error = aa_module_from_name(label, kmod_name, AA_MAY_REQUEST, LSM_AUDIT_DATA_KMOD);
+ __end_current_label_crit_section(label);
+
+ return error;
+}
+
+static int apparmor_kernel_load_data(enum kernel_load_data_id id,
+ bool contents)
+{
+ struct aa_label *label;
+ int error = 0;
+
+ switch (id) {
+ case LOADING_MODULE:
+ label = __begin_current_label_crit_section();
+ error = aa_module_from_name(label, "", AA_MAY_LOAD_DATA, LSM_AUDIT_DATA_NONE);
+ __end_current_label_crit_section(label);
+ break;
+ default:
+ break;
+ }
+
+ return error;
+}
+
+static int apparmor_kernel_read_file(struct file *file,
+ enum kernel_read_file_id id,
+ bool contents)
+{
+ struct aa_label *label;
+ int error = 0;
+
+ switch (id) {
+ case READING_MODULE:
+ label = __begin_current_label_crit_section();
+ error = aa_module_from_file(label, contents ? file : NULL, AA_MAY_LOAD_FILE);
+ __end_current_label_crit_section(label);
+ break;
+ default:
+ break;
+ }
+
+ return error;
+}
+
/*
* The cred blob is a pointer to, not an instance of, an aa_task_ctx.
*/
@@ -1267,6 +1319,10 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
+
+ LSM_HOOK_INIT(kernel_module_request, apparmor_kernel_module_request),
+ LSM_HOOK_INIT(kernel_load_data, apparmor_kernel_load_data),
+ LSM_HOOK_INIT(kernel_read_file, apparmor_kernel_read_file),
};
/*
diff --git a/security/apparmor/module.c b/security/apparmor/module.c
new file mode 100644
index 000000000000..6f714dbf83b6
--- /dev/null
+++ b/security/apparmor/module.c
@@ -0,0 +1,275 @@
+// SPDX-License-Identifier: GPL-2.0-only
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor module mediation
+ *
+ * Copyright 2021 Canonical Ltd.
+ */
+
+#include <linux/gfp.h>
+#include <linux/path.h>
+
+#include "include/audit.h"
+#include "include/module.h"
+#include "include/path.h"
+#include "include/policy.h"
+
+/**
+ * audit_module_mask - convert mask to permission string
+ * @mask: permission mask to convert
+ *
+ * Returns: pointer to static string
+ */
+static const char *audit_module_mask(u32 mask)
+{
+ switch (mask) {
+ case AA_MAY_LOAD_DATA:
+ return "load_data";
+ case AA_MAY_LOAD_FILE:
+ return "load_file";
+ case AA_MAY_REQUEST:
+ return "request";
+ }
+ return "";
+}
+
+/* callback to audit module fields */
+static void audit_module_cb(struct audit_buffer *ab, void *va)
+{
+ struct common_audit_data *sa = va;
+
+ if (aad(sa)->request & AA_VALID_MODULE_PERMS) {
+ audit_log_format(ab, " requested_mask=\"%s\"",
+ audit_module_mask(aad(sa)->request));
+
+ if (aad(sa)->denied & AA_VALID_MODULE_PERMS) {
+ audit_log_format(ab, " denied_mask=\"%s\"",
+ audit_module_mask(aad(sa)->denied));
+ }
+ }
+}
+
+/**
+ * audit_module - handle the auditing of module operations
+ * @profile: the profile being enforced (NOT NULL)
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @request: permissions requested
+ * @name: name of object being mediated (MAY BE NULL)
+ * @info: extra information message (MAY BE NULL)
+ * @error: 0 if operation allowed else failure error code
+ * @data_type: audit data type
+ *
+ * Returns: 0 or error on failure
+ */
+static int audit_module(struct aa_profile *profile, struct aa_perms *perms,
+ u32 request, const char *name, const char *info,
+ int error, int data_type)
+{
+ int type = AUDIT_APPARMOR_AUTO;
+ DEFINE_AUDIT_DATA(sa, data_type, OP_MODULE);
+
+ if (likely(!error)) {
+ u32 mask = perms->audit;
+
+ if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
+ mask = 0xffff;
+
+ /* mask off perms that are not being force audited */
+ request &= mask;
+
+ if (likely(!request))
+ return 0;
+ type = AUDIT_APPARMOR_AUDIT;
+ } else {
+ /* only report permissions that were denied */
+ request = request & ~perms->allow;
+
+ if (request & perms->kill)
+ type = AUDIT_APPARMOR_KILL;
+
+ /* quiet known rejects, assumes quiet and kill do not overlap */
+ if ((request & perms->quiet) &&
+ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
+ AUDIT_MODE(profile) != AUDIT_ALL)
+ request &= ~perms->quiet;
+
+ if (!request)
+ return error;
+ }
+
+ aad(&sa)->request = request;
+ if (data_type == LSM_AUDIT_DATA_KMOD) {
+ char module_name[MODULE_NAME_LEN];
+ /* copy to remove const */
+ strncpy(module_name, name, MODULE_NAME_LEN - 1);
+ sa.u.kmod_name = module_name;
+ } else
+ aad(&sa)->name = name;
+ aad(&sa)->info = info;
+ aad(&sa)->error = error;
+ aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
+
+ return aa_audit(type, profile, &sa, audit_module_cb);
+}
+
+
+/**
+ * compute_module_perms - compute module permission associated with @state
+ * @dfa: dfa to match against (NOT NULL)
+ * @state: state match finished in
+ *
+ * Returns: module permissions
+ */
+static struct aa_perms compute_module_perms(struct aa_dfa *dfa,
+ unsigned int state)
+{
+ struct aa_perms perms = {
+ .allow = dfa_user_allow(dfa, state),
+ .audit = dfa_user_audit(dfa, state),
+ .quiet = dfa_user_quiet(dfa, state),
+ .xindex = dfa_user_xindex(dfa, state),
+ };
+
+ return perms;
+}
+
+
+/**
+ * audit_module - handle the auditing of module operations
+ * @profile: the profile being enforced (NOT NULL)
+ * @perms: the permissions computed for the request (NOT NULL)
+ * @request: permissions requested
+ * @name: name of object being mediated (MAY BE NULL)
+ * @info: extra information message (MAY BE NULL)
+ * @error: 0 if operation allowed else failure error code
+ * @data_type: audit data type
+ *
+ * Returns: 0 or error on failure
+ */
+static int module_perm(struct aa_profile *profile,
+ const char *name, u32 request,
+ int data_type)
+{
+ int error = 0;
+ struct aa_perms perms = { };
+ unsigned int state;
+
+ if (profile_unconfined(profile))
+ return 0;
+
+ if (!PROFILE_MEDIATES(profile, AA_CLASS_MODULE))
+ return 0;
+
+ state = aa_dfa_match(profile->policy.dfa,
+ profile->policy.start[AA_CLASS_MODULE],
+ name);
+ perms = compute_module_perms(profile->policy.dfa, state);
+
+ if (request & ~perms.allow)
+ error = -EACCES;
+
+ return audit_module(profile, &perms, request, name, NULL,
+ error, data_type);
+}
+
+static int path_module_perm(struct aa_profile *profile,
+ const struct path *path,
+ char *buffer, u32 request)
+{
+ const char *name;
+ const char *info = NULL;
+ int error;
+
+ if (profile_unconfined(profile))
+ return 0;
+
+ error = aa_path_name(path, profile->path_flags, buffer, &name, &info,
+ labels_profile(&profile->label)->disconnected);
+
+ if (error) {
+ return audit_module(profile, &nullperms, request, name, info,
+ error, LSM_AUDIT_DATA_NONE);
+ }
+
+ return module_perm(profile, name, request,
+ LSM_AUDIT_DATA_NONE);
+}
+
+/**
+ * aa_module_from_file - handle module loading through a file
+ * @label: label being enforced (NOT NULL)
+ * @file: file to validate loading permissions on (MAY BE NULL)
+ * @request: permissions requested
+ *
+ * Returns: 0 or error on failure
+ */
+int aa_module_from_file(struct aa_label *label, struct file *file,
+ u32 request)
+{
+ int error = 0;
+ struct aa_profile *profile;
+ char *buffer;
+
+ if (unconfined(label)) {
+ goto done;
+ }
+
+ if (!file) {
+ error = -EPERM;
+ error = fn_for_each(label, profile,
+ audit_module(profile, &nullperms,
+ request, NULL, NULL,
+ error, LSM_AUDIT_DATA_NONE));
+ goto done;
+ }
+
+ buffer = aa_get_buffer(false);
+ if (!buffer)
+ return -ENOMEM;
+
+ error = fn_for_each(label, profile,
+ path_module_perm(profile,
+ &file->f_path,
+ buffer, request));
+ aa_put_buffer(buffer);
+done:
+ return error;
+}
+
+
+static int name_module_perm(struct aa_profile *profile,
+ char *name, u32 request, int data_type)
+{
+ if (profile_unconfined(profile))
+ return 0;
+
+ return module_perm(profile, name, request,
+ data_type);
+}
+
+/**
+ * aa_module_from_file - handle module loading through a file
+ * @label: label being enforced (NOT NULL)
+ * @name: name of object being mediated
+ * @request: permissions requested
+ * @data_type: audit data type
+ *
+ * Returns: 0 or error on failure
+ */
+int aa_module_from_name(struct aa_label *label, char *name,
+ u32 request, int data_type)
+{
+ struct aa_profile *profile;
+ int error = 0;
+
+ if (unconfined(label)) {
+ goto done;
+ }
+
+ error = fn_for_each(label, profile,
+ name_module_perm(profile, name,
+ request, data_type));
+done:
+ return error;
+}
--
2.25.1
More information about the AppArmor
mailing list