[net-next-2.6.git] / security / apparmor / path.c

/*
 * AppArmor security module
 *
 * This file contains AppArmor function for pathnames
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/magic.h>
#include <linux/mnt_namespace.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <linux/nsproxy.h>
#include <linux/path.h>
#include <linux/sched.h>
#include <linux/slab.h>
#include <linux/fs_struct.h>

#include "include/apparmor.h"
#include "include/path.h"
#include "include/policy.h"


/* modified from dcache.c */
static int prepend(char **buffer, int buflen, const char *str, int namelen)
{
	buflen -= namelen;
	if (buflen < 0)
		return -ENAMETOOLONG;
	*buffer -= namelen;
	memcpy(*buffer, str, namelen);
	return 0;
}

#define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)

/**
 * d_namespace_path - lookup a name associated with a given path
 * @path: path to lookup  (NOT NULL)
 * @buf:  buffer to store path to  (NOT NULL)
 * @buflen: length of @buf
 * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
 * @flags: flags controlling path lookup
 *
 * Handle path name lookup.
 *
 * Returns: %0 else error code if path lookup fails
 *          When no error the path name is returned in @name which points to
 *          to a position in @buf
 */
static int d_namespace_path(struct path *path, char *buf, int buflen,
			    char **name, int flags)
{
	struct path root, tmp;
	char *res;
	int deleted, connected;
	int error = 0;

	/* Get the root we want to resolve too, released below */
	if (flags & PATH_CHROOT_REL) {
		/* resolve paths relative to chroot */
		get_fs_root(current->fs, &root);
	} else {
		/* resolve paths relative to namespace */
		root.mnt = current->nsproxy->mnt_ns->root;
		root.dentry = root.mnt->mnt_root;
		path_get(&root);
	}

	spin_lock(&dcache_lock);
	/* There is a race window between path lookup here and the
	 * need to strip the " (deleted) string that __d_path applies
	 * Detect the race and relookup the path
	 *
	 * The stripping of (deleted) is a hack that could be removed
	 * with an updated __d_path
	 */
	do {
		tmp = root;
		deleted = d_unlinked(path->dentry);
		res = __d_path(path, &tmp, buf, buflen);

	} while (deleted != d_unlinked(path->dentry));
	spin_unlock(&dcache_lock);

	*name = res;
	/* handle error conditions - and still allow a partial path to
	 * be returned.
	 */
	if (IS_ERR(res)) {
		error = PTR_ERR(res);
		*name = buf;
		goto out;
	}
	if (deleted) {
		/* On some filesystems, newly allocated dentries appear to the
		 * security_path hooks as a deleted dentry except without an
		 * inode allocated.
		 *
		 * Remove the appended deleted text and return as string for
		 * normal mediation, or auditing.  The (deleted) string is
		 * guaranteed to be added in this case, so just strip it.
		 */
		buf[buflen - 11] = 0;	/* - (len(" (deleted)") +\0) */

		if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
			error = -ENOENT;
			goto out;
		}
	}

	/* Determine if the path is connected to the expected root */
	connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;

	/* If the path is not connected,
	 * check if it is a sysctl and handle specially else remove any
	 * leading / that __d_path may have returned.
	 * Unless
	 *     specifically directed to connect the path,
	 * OR
	 *     if in a chroot and doing chroot relative paths and the path
	 *     resolves to the namespace root (would be connected outside
	 *     of chroot) and specifically directed to connect paths to
	 *     namespace root.
	 */
	if (!connected) {
		/* is the disconnect path a sysctl? */
		if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
		    strncmp(*name, "/sys/", 5) == 0) {
			/* TODO: convert over to using a per namespace
			 * control instead of hard coded /proc
			 */
			error = prepend(name, *name - buf, "/proc", 5);
		} else if (!(flags & PATH_CONNECT_PATH) &&
			   !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
			     (tmp.mnt == current->nsproxy->mnt_ns->root &&
			      tmp.dentry == tmp.mnt->mnt_root))) {
			/* disconnected path, don't return pathname starting
			 * with '/'
			 */
			error = -ESTALE;
			if (*res == '/')
				*name = res + 1;
		}
	}

out:
	path_put(&root);

	return error;
}

/**
 * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
 * @path: path to get name for  (NOT NULL)
 * @flags: flags controlling path lookup
 * @buffer: buffer to put name in  (NOT NULL)
 * @size: size of buffer
 * @name: Returns - contains position of path name in @buffer (NOT NULL)
 *
 * Returns: %0 else error on failure
 */
static int get_name_to_buffer(struct path *path, int flags, char *buffer,
			      int size, char **name)
{
	int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
	int error = d_namespace_path(path, buffer, size - adjust, name, flags);

	if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
		/*
		 * Append "/" to the pathname.  The root directory is a special
		 * case; it already ends in slash.
		 */
		strcpy(&buffer[size - 2], "/");

	return error;
}

/**
 * aa_get_name - compute the pathname of a file
 * @path: path the file  (NOT NULL)
 * @flags: flags controlling path name generation
 * @buffer: buffer that aa_get_name() allocated  (NOT NULL)
 * @name: Returns - the generated path name if !error (NOT NULL)
 *
 * @name is a pointer to the beginning of the pathname (which usually differs
 * from the beginning of the buffer), or NULL.  If there is an error @name
 * may contain a partial or invalid name that can be used for audit purposes,
 * but it can not be used for mediation.
 *
 * We need PATH_IS_DIR to indicate whether the file is a directory or not
 * because the file may not yet exist, and so we cannot check the inode's
 * file type.
 *
 * Returns: %0 else error code if could retrieve name
 */
int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
{
	char *buf, *str = NULL;
	int size = 256;
	int error;

	*name = NULL;
	*buffer = NULL;
	for (;;) {
		/* freed by caller */
		buf = kmalloc(size, GFP_KERNEL);
		if (!buf)
			return -ENOMEM;

		error = get_name_to_buffer(path, flags, buf, size, &str);
		if (error != -ENAMETOOLONG)
			break;

		kfree(buf);
		size <<= 1;
		if (size > aa_g_path_max)
			return -ENAMETOOLONG;
	}
	*buffer = buf;
	*name = str;

	return error;
}
Commit	Line	Data
cdff2642 JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor function for pathnames
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/magic.h>
	16	#include <linux/mnt_namespace.h>
	17	#include <linux/mount.h>
	18	#include <linux/namei.h>
	19	#include <linux/nsproxy.h>
	20	#include <linux/path.h>
	21	#include <linux/sched.h>
	22	#include <linux/slab.h>
	23	#include <linux/fs_struct.h>
	24
	25	#include "include/apparmor.h"
	26	#include "include/path.h"
	27	#include "include/policy.h"
	28
	29
	30	/* modified from dcache.c */
	31	static int prepend(char *buffer, int buflen, const char str, int namelen)
	32	{
	33	buflen -= namelen;
	34	if (buflen < 0)
	35	return -ENAMETOOLONG;
	36	*buffer -= namelen;
	37	memcpy(*buffer, str, namelen);
	38	return 0;
	39	}
	40
	41	#define CHROOT_NSCONNECT (PATH_CHROOT_REL \| PATH_CHROOT_NSCONNECT)
	42
	43	/**
	44	* d_namespace_path - lookup a name associated with a given path
	45	* @path: path to lookup (NOT NULL)
	46	* @buf: buffer to store path to (NOT NULL)
	47	* @buflen: length of @buf
	48	* @name: Returns - pointer for start of path name with in @buf (NOT NULL)
	49	* @flags: flags controlling path lookup
	50	*
	51	* Handle path name lookup.
	52	*
	53	* Returns: %0 else error code if path lookup fails
	54	* When no error the path name is returned in @name which points to
	55	* to a position in @buf
	56	*/
	57	static int d_namespace_path(struct path path, char buf, int buflen,
	58	char **name, int flags)
	59	{
	60	struct path root, tmp;
	61	char *res;
	62	int deleted, connected;
	63	int error = 0;
	64
44672e4f	65	/* Get the root we want to resolve too, released below */
cdff2642 JJ	66	if (flags & PATH_CHROOT_REL) {
cdff2642 JJ	67	/* resolve paths relative to chroot */
44672e4f	68	get_fs_root(current->fs, &root);
cdff2642 JJ	69	} else {
	70	/* resolve paths relative to namespace */
	71	root.mnt = current->nsproxy->mnt_ns->root;
	72	root.dentry = root.mnt->mnt_root;
cdff2642 JJ	73	path_get(&root);
	74	}
	75
	76	spin_lock(&dcache_lock);
	77	/* There is a race window between path lookup here and the
	78	* need to strip the " (deleted) string that __d_path applies
	79	* Detect the race and relookup the path
	80	*
	81	* The stripping of (deleted) is a hack that could be removed
	82	* with an updated __d_path
	83	*/
	84	do {
	85	tmp = root;
	86	deleted = d_unlinked(path->dentry);
	87	res = __d_path(path, &tmp, buf, buflen);
	88
	89	} while (deleted != d_unlinked(path->dentry));
	90	spin_unlock(&dcache_lock);
	91
	92	*name = res;
	93	/* handle error conditions - and still allow a partial path to
	94	* be returned.
	95	*/
	96	if (IS_ERR(res)) {
	97	error = PTR_ERR(res);
	98	*name = buf;
	99	goto out;
	100	}
	101	if (deleted) {
	102	/* On some filesystems, newly allocated dentries appear to the
	103	* security_path hooks as a deleted dentry except without an
	104	* inode allocated.
	105	*
	106	* Remove the appended deleted text and return as string for
	107	* normal mediation, or auditing. The (deleted) string is
	108	* guaranteed to be added in this case, so just strip it.
	109	*/
	110	buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */
	111
	112	if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
	113	error = -ENOENT;
	114	goto out;
	115	}
	116	}
	117
	118	/* Determine if the path is connected to the expected root */
	119	connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
	120
	121	/* If the path is not connected,
	122	* check if it is a sysctl and handle specially else remove any
	123	* leading / that __d_path may have returned.
	124	* Unless
	125	* specifically directed to connect the path,
	126	* OR
	127	* if in a chroot and doing chroot relative paths and the path
	128	* resolves to the namespace root (would be connected outside
	129	* of chroot) and specifically directed to connect paths to
	130	* namespace root.
	131	*/
	132	if (!connected) {
	133	/* is the disconnect path a sysctl? */
	134	if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
	135	strncmp(*name, "/sys/", 5) == 0) {
	136	/* TODO: convert over to using a per namespace
137	* control instead of hard coded /proc
138	*/
139	error = prepend(name, *name - buf, "/proc", 5);
140	} else if (!(flags & PATH_CONNECT_PATH) &&
141	!(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
142	(tmp.mnt == current->nsproxy->mnt_ns->root &&
143	tmp.dentry == tmp.mnt->mnt_root))) {
144	/* disconnected path, don't return pathname starting
145	* with '/'
146	*/
147	error = -ESTALE;
148	if (*res == '/')
149	*name = res + 1;
150	}
151	}
152
153	out:
154	path_put(&root);
155
156	return error;
157	}
158
159	/**
160	* get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
161	* @path: path to get name for (NOT NULL)
162	* @flags: flags controlling path lookup
163	* @buffer: buffer to put name in (NOT NULL)
164	* @size: size of buffer
165	* @name: Returns - contains position of path name in @buffer (NOT NULL)
166	*
167	* Returns: %0 else error on failure
168	*/
169	static int get_name_to_buffer(struct path path, int flags, char buffer,
170	int size, char **name)
171	{
172	int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
173	int error = d_namespace_path(path, buffer, size - adjust, name, flags);
174
175	if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
176	/*
177	* Append "/" to the pathname. The root directory is a special
178	* case; it already ends in slash.
179	*/
180	strcpy(&buffer[size - 2], "/");
181
182	return error;
183	}
184
185	/**
186	* aa_get_name - compute the pathname of a file
187	* @path: path the file (NOT NULL)
188	* @flags: flags controlling path name generation
189	* @buffer: buffer that aa_get_name() allocated (NOT NULL)
190	* @name: Returns - the generated path name if !error (NOT NULL)
191	*
192	* @name is a pointer to the beginning of the pathname (which usually differs
193	* from the beginning of the buffer), or NULL. If there is an error @name
194	* may contain a partial or invalid name that can be used for audit purposes,
195	* but it can not be used for mediation.
196	*
197	* We need PATH_IS_DIR to indicate whether the file is a directory or not
198	* because the file may not yet exist, and so we cannot check the inode's
199	* file type.
200	*
201	* Returns: %0 else error code if could retrieve name
202	*/
203	int aa_get_name(struct path path, int flags, char buffer, const char *name)
204	{
205	char buf, str = NULL;
206	int size = 256;
207	int error;
208
209	*name = NULL;
210	*buffer = NULL;
211	for (;;) {
212	/* freed by caller */
213	buf = kmalloc(size, GFP_KERNEL);
214	if (!buf)
215	return -ENOMEM;
216
217	error = get_name_to_buffer(path, flags, buf, size, &str);
218	if (error != -ENAMETOOLONG)
219	break;
220
221	kfree(buf);
222	size <<= 1;
223	if (size > aa_g_path_max)
224	return -ENAMETOOLONG;
225	}
226	*buffer = buf;
227	*name = str;
228
229	return error;
230	}