Commit | Line | Data |
---|---|---|
cdff2642 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor function for pathnames | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #include <linux/magic.h> | |
cdff2642 JJ |
16 | #include <linux/mount.h> |
17 | #include <linux/namei.h> | |
18 | #include <linux/nsproxy.h> | |
19 | #include <linux/path.h> | |
20 | #include <linux/sched.h> | |
21 | #include <linux/slab.h> | |
22 | #include <linux/fs_struct.h> | |
23 | ||
24 | #include "include/apparmor.h" | |
25 | #include "include/path.h" | |
26 | #include "include/policy.h" | |
27 | ||
28 | ||
29 | /* modified from dcache.c */ | |
30 | static int prepend(char **buffer, int buflen, const char *str, int namelen) | |
31 | { | |
32 | buflen -= namelen; | |
33 | if (buflen < 0) | |
34 | return -ENAMETOOLONG; | |
35 | *buffer -= namelen; | |
36 | memcpy(*buffer, str, namelen); | |
37 | return 0; | |
38 | } | |
39 | ||
40 | #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT) | |
41 | ||
42 | /** | |
43 | * d_namespace_path - lookup a name associated with a given path | |
44 | * @path: path to lookup (NOT NULL) | |
45 | * @buf: buffer to store path to (NOT NULL) | |
46 | * @buflen: length of @buf | |
47 | * @name: Returns - pointer for start of path name with in @buf (NOT NULL) | |
48 | * @flags: flags controlling path lookup | |
49 | * | |
50 | * Handle path name lookup. | |
51 | * | |
52 | * Returns: %0 else error code if path lookup fails | |
53 | * When no error the path name is returned in @name which points to | |
54 | * to a position in @buf | |
55 | */ | |
56 | static int d_namespace_path(struct path *path, char *buf, int buflen, | |
57 | char **name, int flags) | |
58 | { | |
cdff2642 | 59 | char *res; |
02125a82 AV |
60 | int error = 0; |
61 | int connected = 1; | |
cdff2642 | 62 | |
02125a82 AV |
63 | if (path->mnt->mnt_flags & MNT_INTERNAL) { |
64 | /* it's not mounted anywhere */ | |
65 | res = dentry_path(path->dentry, buf, buflen); | |
66 | *name = res; | |
67 | if (IS_ERR(res)) { | |
68 | *name = buf; | |
69 | return PTR_ERR(res); | |
70 | } | |
71 | if (path->dentry->d_sb->s_magic == PROC_SUPER_MAGIC && | |
72 | strncmp(*name, "/sys/", 5) == 0) { | |
73 | /* TODO: convert over to using a per namespace | |
74 | * control instead of hard coded /proc | |
75 | */ | |
76 | return prepend(name, *name - buf, "/proc", 5); | |
77 | } | |
78 | return 0; | |
79 | } | |
80 | ||
81 | /* resolve paths relative to chroot?*/ | |
cdff2642 | 82 | if (flags & PATH_CHROOT_REL) { |
02125a82 | 83 | struct path root; |
44672e4f | 84 | get_fs_root(current->fs, &root); |
02125a82 | 85 | res = __d_path(path, &root, buf, buflen); |
02125a82 | 86 | path_put(&root); |
3372b68a | 87 | } else { |
28042fab | 88 | res = d_absolute_path(path, buf, buflen); |
3372b68a JJ |
89 | if (!our_mnt(path->mnt)) |
90 | connected = 0; | |
91 | } | |
cdff2642 | 92 | |
cdff2642 JJ |
93 | /* handle error conditions - and still allow a partial path to |
94 | * be returned. | |
95 | */ | |
3372b68a JJ |
96 | if (!res || IS_ERR(res)) { |
97 | connected = 0; | |
fbba8d89 JJ |
98 | res = dentry_path_raw(path->dentry, buf, buflen); |
99 | if (IS_ERR(res)) { | |
100 | error = PTR_ERR(res); | |
101 | *name = buf; | |
102 | goto out; | |
103 | }; | |
104 | } else if (!our_mnt(path->mnt)) | |
02125a82 | 105 | connected = 0; |
cdff2642 | 106 | |
fbba8d89 JJ |
107 | *name = res; |
108 | ||
e819ff51 JJ |
109 | /* Handle two cases: |
110 | * 1. A deleted dentry && profile is not allowing mediation of deleted | |
111 | * 2. On some filesystems, newly allocated dentries appear to the | |
112 | * security_path hooks as a deleted dentry except without an inode | |
113 | * allocated. | |
114 | */ | |
115 | if (d_unlinked(path->dentry) && path->dentry->d_inode && | |
116 | !(flags & PATH_MEDIATE_DELETED)) { | |
cdff2642 JJ |
117 | error = -ENOENT; |
118 | goto out; | |
cdff2642 JJ |
119 | } |
120 | ||
02125a82 | 121 | /* If the path is not connected to the expected root, |
cdff2642 JJ |
122 | * check if it is a sysctl and handle specially else remove any |
123 | * leading / that __d_path may have returned. | |
124 | * Unless | |
125 | * specifically directed to connect the path, | |
126 | * OR | |
127 | * if in a chroot and doing chroot relative paths and the path | |
128 | * resolves to the namespace root (would be connected outside | |
129 | * of chroot) and specifically directed to connect paths to | |
130 | * namespace root. | |
131 | */ | |
132 | if (!connected) { | |
02125a82 | 133 | if (!(flags & PATH_CONNECT_PATH) && |
cdff2642 | 134 | !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) && |
02125a82 | 135 | our_mnt(path->mnt))) { |
cdff2642 JJ |
136 | /* disconnected path, don't return pathname starting |
137 | * with '/' | |
138 | */ | |
ef9a7622 | 139 | error = -EACCES; |
cdff2642 JJ |
140 | if (*res == '/') |
141 | *name = res + 1; | |
142 | } | |
143 | } | |
144 | ||
145 | out: | |
cdff2642 JJ |
146 | return error; |
147 | } | |
148 | ||
149 | /** | |
150 | * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended | |
151 | * @path: path to get name for (NOT NULL) | |
152 | * @flags: flags controlling path lookup | |
153 | * @buffer: buffer to put name in (NOT NULL) | |
154 | * @size: size of buffer | |
155 | * @name: Returns - contains position of path name in @buffer (NOT NULL) | |
156 | * | |
157 | * Returns: %0 else error on failure | |
158 | */ | |
159 | static int get_name_to_buffer(struct path *path, int flags, char *buffer, | |
160 | int size, char **name) | |
161 | { | |
162 | int adjust = (flags & PATH_IS_DIR) ? 1 : 0; | |
163 | int error = d_namespace_path(path, buffer, size - adjust, name, flags); | |
164 | ||
165 | if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0') | |
166 | /* | |
167 | * Append "/" to the pathname. The root directory is a special | |
168 | * case; it already ends in slash. | |
169 | */ | |
170 | strcpy(&buffer[size - 2], "/"); | |
171 | ||
172 | return error; | |
173 | } | |
174 | ||
175 | /** | |
176 | * aa_get_name - compute the pathname of a file | |
177 | * @path: path the file (NOT NULL) | |
178 | * @flags: flags controlling path name generation | |
179 | * @buffer: buffer that aa_get_name() allocated (NOT NULL) | |
180 | * @name: Returns - the generated path name if !error (NOT NULL) | |
181 | * | |
182 | * @name is a pointer to the beginning of the pathname (which usually differs | |
183 | * from the beginning of the buffer), or NULL. If there is an error @name | |
184 | * may contain a partial or invalid name that can be used for audit purposes, | |
185 | * but it can not be used for mediation. | |
186 | * | |
187 | * We need PATH_IS_DIR to indicate whether the file is a directory or not | |
188 | * because the file may not yet exist, and so we cannot check the inode's | |
189 | * file type. | |
190 | * | |
191 | * Returns: %0 else error code if could retrieve name | |
192 | */ | |
193 | int aa_get_name(struct path *path, int flags, char **buffer, const char **name) | |
194 | { | |
195 | char *buf, *str = NULL; | |
196 | int size = 256; | |
197 | int error; | |
198 | ||
199 | *name = NULL; | |
200 | *buffer = NULL; | |
201 | for (;;) { | |
202 | /* freed by caller */ | |
203 | buf = kmalloc(size, GFP_KERNEL); | |
204 | if (!buf) | |
205 | return -ENOMEM; | |
206 | ||
207 | error = get_name_to_buffer(path, flags, buf, size, &str); | |
208 | if (error != -ENAMETOOLONG) | |
209 | break; | |
210 | ||
211 | kfree(buf); | |
212 | size <<= 1; | |
213 | if (size > aa_g_path_max) | |
214 | return -ENAMETOOLONG; | |
215 | } | |
216 | *buffer = buf; | |
217 | *name = str; | |
218 | ||
219 | return error; | |
220 | } |