From 2c3c1048746a4622d8c89a29670120dc8fab93c4 Mon Sep 17 00:00:00 2001 From: Daniel Baumann Date: Sun, 7 Apr 2024 20:49:45 +0200 Subject: Adding upstream version 6.1.76. Signed-off-by: Daniel Baumann --- security/Kconfig | 264 + security/Kconfig.hardening | 358 + security/Makefile | 29 + security/apparmor/.gitignore | 4 + security/apparmor/Kconfig | 123 + security/apparmor/Makefile | 113 + security/apparmor/apparmorfs.c | 2682 +++++++ security/apparmor/audit.c | 247 + security/apparmor/capability.c | 158 + security/apparmor/crypto.c | 123 + security/apparmor/domain.c | 1458 ++++ security/apparmor/file.c | 711 ++ security/apparmor/include/apparmor.h | 46 + security/apparmor/include/apparmorfs.h | 134 + security/apparmor/include/audit.h | 193 + security/apparmor/include/capability.h | 46 + security/apparmor/include/cred.h | 188 + security/apparmor/include/crypto.h | 37 + security/apparmor/include/domain.h | 39 + security/apparmor/include/file.h | 240 + security/apparmor/include/ipc.h | 18 + security/apparmor/include/label.h | 467 ++ security/apparmor/include/lib.h | 298 + security/apparmor/include/match.h | 196 + security/apparmor/include/mount.h | 50 + security/apparmor/include/net.h | 112 + security/apparmor/include/path.h | 32 + security/apparmor/include/perms.h | 156 + security/apparmor/include/policy.h | 315 + security/apparmor/include/policy_ns.h | 165 + security/apparmor/include/policy_unpack.h | 179 + security/apparmor/include/procattr.h | 17 + security/apparmor/include/resource.h | 46 + security/apparmor/include/secid.h | 37 + security/apparmor/include/sig_names.h | 101 + security/apparmor/include/task.h | 98 + security/apparmor/ipc.c | 108 + security/apparmor/label.c | 2163 ++++++ security/apparmor/lib.c | 542 ++ security/apparmor/lsm.c | 1929 +++++ security/apparmor/match.c | 792 ++ security/apparmor/mount.c | 740 ++ security/apparmor/net.c | 257 + security/apparmor/nulldfa.in | 107 + security/apparmor/path.c | 217 + security/apparmor/policy.c | 1209 ++++ security/apparmor/policy_ns.c | 435 ++ security/apparmor/policy_unpack.c | 1237 ++++ security/apparmor/policy_unpack_test.c | 612 ++ security/apparmor/procattr.c | 136 + security/apparmor/resource.c | 187 + security/apparmor/secid.c | 149 + security/apparmor/stacksplitdfa.in | 114 + security/apparmor/task.c | 293 + security/bpf/Makefile | 5 + security/bpf/hooks.c | 34 + security/commoncap.c | 1485 ++++ security/device_cgroup.c | 877 +++ security/inode.c | 350 + security/integrity/Kconfig | 115 + security/integrity/Makefile | 22 + security/integrity/digsig.c | 221 + security/integrity/digsig_asymmetric.c | 157 + security/integrity/evm/Kconfig | 74 + security/integrity/evm/Makefile | 8 + security/integrity/evm/evm.h | 65 + security/integrity/evm/evm_crypto.c | 428 ++ security/integrity/evm/evm_main.c | 919 +++ security/integrity/evm/evm_posix_acl.c | 23 + security/integrity/evm/evm_secfs.c | 334 + security/integrity/iint.c | 261 + security/integrity/ima/Kconfig | 322 + security/integrity/ima/Makefile | 20 + security/integrity/ima/ima.h | 453 ++ security/integrity/ima/ima_api.c | 455 ++ security/integrity/ima/ima_appraise.c | 788 ++ security/integrity/ima/ima_asymmetric_keys.c | 66 + security/integrity/ima/ima_crypto.c | 882 +++ security/integrity/ima/ima_efi.c | 75 + security/integrity/ima/ima_fs.c | 522 ++ security/integrity/ima/ima_init.c | 158 + security/integrity/ima/ima_kexec.c | 166 + security/integrity/ima/ima_main.c | 1100 +++ security/integrity/ima/ima_modsig.c | 151 + security/integrity/ima/ima_mok.c | 49 + security/integrity/ima/ima_policy.c | 2307 ++++++ security/integrity/ima/ima_queue.c | 241 + security/integrity/ima/ima_queue_keys.c | 177 + security/integrity/ima/ima_template.c | 536 ++ security/integrity/ima/ima_template_lib.c | 746 ++ security/integrity/ima/ima_template_lib.h | 69 + security/integrity/integrity.h | 335 + security/integrity/integrity_audit.c | 69 + security/integrity/platform_certs/efi_parser.c | 108 + .../integrity/platform_certs/keyring_handler.c | 85 + .../integrity/platform_certs/keyring_handler.h | 45 + security/integrity/platform_certs/load_ipl_s390.c | 36 + security/integrity/platform_certs/load_powerpc.c | 96 + security/integrity/platform_certs/load_uefi.c | 238 + .../integrity/platform_certs/machine_keyring.c | 77 + .../integrity/platform_certs/platform_keyring.c | 58 + security/keys/Kconfig | 135 + security/keys/Makefile | 32 + security/keys/big_key.c | 290 + security/keys/compat.c | 132 + security/keys/compat_dh.c | 36 + security/keys/dh.c | 333 + security/keys/encrypted-keys/Makefile | 11 + security/keys/encrypted-keys/ecryptfs_format.c | 77 + security/keys/encrypted-keys/ecryptfs_format.h | 27 + security/keys/encrypted-keys/encrypted.c | 1043 +++ security/keys/encrypted-keys/encrypted.h | 67 + security/keys/encrypted-keys/masterkey_trusted.c | 43 + security/keys/gc.c | 380 + security/keys/internal.h | 383 + security/keys/key.c | 1215 ++++ security/keys/keyctl.c | 2026 ++++++ security/keys/keyctl_pkey.c | 327 + security/keys/keyring.c | 1794 +++++ security/keys/permission.c | 123 + security/keys/persistent.c | 167 + security/keys/proc.c | 323 + security/keys/process_keys.c | 965 +++ security/keys/request_key.c | 821 +++ security/keys/request_key_auth.c | 283 + security/keys/sysctl.c | 70 + security/keys/trusted-keys/Kconfig | 38 + security/keys/trusted-keys/Makefile | 16 + security/keys/trusted-keys/tpm2key.asn1 | 11 + security/keys/trusted-keys/trusted_caam.c | 80 + security/keys/trusted-keys/trusted_core.c | 394 + security/keys/trusted-keys/trusted_tee.c | 289 + security/keys/trusted-keys/trusted_tpm1.c | 1074 +++ security/keys/trusted-keys/trusted_tpm2.c | 550 ++ security/keys/user_defined.c | 207 + security/landlock/Kconfig | 21 + security/landlock/Makefile | 4 + security/landlock/common.h | 20 + security/landlock/cred.c | 46 + security/landlock/cred.h | 58 + security/landlock/fs.c | 1205 ++++ security/landlock/fs.h | 71 + security/landlock/limits.h | 27 + security/landlock/object.c | 67 + security/landlock/object.h | 91 + security/landlock/ptrace.c | 120 + security/landlock/ptrace.h | 14 + security/landlock/ruleset.c | 475 ++ security/landlock/ruleset.h | 180 + security/landlock/setup.c | 40 + security/landlock/setup.h | 18 + security/landlock/syscalls.c | 456 ++ security/loadpin/Kconfig | 41 + security/loadpin/Makefile | 2 + security/loadpin/loadpin.c | 435 ++ security/lockdown/Kconfig | 47 + security/lockdown/Makefile | 1 + security/lockdown/lockdown.c | 167 + security/lsm_audit.c | 463 ++ security/min_addr.c | 53 + security/safesetid/Kconfig | 15 + security/safesetid/Makefile | 7 + security/safesetid/lsm.c | 285 + security/safesetid/lsm.h | 73 + security/safesetid/securityfs.c | 345 + security/security.c | 2707 +++++++ security/selinux/.gitignore | 3 + security/selinux/Kconfig | 117 + security/selinux/Makefile | 34 + security/selinux/avc.c | 1222 ++++ security/selinux/hooks.c | 7570 ++++++++++++++++++++ security/selinux/ibpkey.c | 237 + security/selinux/ima.c | 125 + security/selinux/include/audit.h | 60 + security/selinux/include/avc.h | 188 + security/selinux/include/avc_ss.h | 24 + security/selinux/include/classmap.h | 264 + security/selinux/include/conditional.h | 23 + security/selinux/include/ibpkey.h | 34 + security/selinux/include/ima.h | 30 + security/selinux/include/initial_sid_to_string.h | 32 + security/selinux/include/netif.h | 24 + security/selinux/include/netlabel.h | 150 + security/selinux/include/netnode.h | 26 + security/selinux/include/netport.h | 25 + security/selinux/include/objsec.h | 197 + security/selinux/include/policycap.h | 21 + security/selinux/include/policycap_names.h | 19 + security/selinux/include/security.h | 467 ++ security/selinux/include/xfrm.h | 94 + security/selinux/netif.c | 280 + security/selinux/netlabel.c | 615 ++ security/selinux/netlink.c | 121 + security/selinux/netnode.c | 305 + security/selinux/netport.c | 238 + security/selinux/nlmsgtab.c | 218 + security/selinux/selinuxfs.c | 2261 ++++++ security/selinux/ss/avtab.c | 679 ++ security/selinux/ss/avtab.h | 120 + security/selinux/ss/conditional.c | 758 ++ security/selinux/ss/conditional.h | 85 + security/selinux/ss/constraint.h | 63 + security/selinux/ss/context.c | 32 + security/selinux/ss/context.h | 199 + security/selinux/ss/ebitmap.c | 564 ++ security/selinux/ss/ebitmap.h | 154 + security/selinux/ss/hashtab.c | 192 + security/selinux/ss/hashtab.h | 148 + security/selinux/ss/mls.c | 660 ++ security/selinux/ss/mls.h | 116 + security/selinux/ss/mls_types.h | 52 + security/selinux/ss/policydb.c | 3731 ++++++++++ security/selinux/ss/policydb.h | 391 + security/selinux/ss/services.c | 4072 +++++++++++ security/selinux/ss/services.h | 38 + security/selinux/ss/sidtab.c | 628 ++ security/selinux/ss/sidtab.h | 159 + security/selinux/ss/symtab.c | 54 + security/selinux/ss/symtab.h | 27 + security/selinux/status.c | 124 + security/selinux/xfrm.c | 473 ++ security/smack/Kconfig | 55 + security/smack/Makefile | 9 + security/smack/smack.h | 505 ++ security/smack/smack_access.c | 696 ++ security/smack/smack_lsm.c | 5105 +++++++++++++ security/smack/smack_netfilter.c | 80 + security/smack/smackfs.c | 3035 ++++++++ security/tomoyo/.gitignore | 3 + security/tomoyo/Kconfig | 87 + security/tomoyo/Makefile | 16 + security/tomoyo/audit.c | 479 ++ security/tomoyo/common.c | 2870 ++++++++ security/tomoyo/common.h | 1333 ++++ security/tomoyo/condition.c | 1122 +++ security/tomoyo/domain.c | 945 +++ security/tomoyo/environ.c | 123 + security/tomoyo/file.c | 1045 +++ security/tomoyo/gc.c | 670 ++ security/tomoyo/group.c | 209 + security/tomoyo/load_policy.c | 110 + security/tomoyo/memory.c | 207 + security/tomoyo/mount.c | 240 + security/tomoyo/network.c | 777 ++ .../tomoyo/policy/exception_policy.conf.default | 2 + security/tomoyo/realpath.c | 310 + security/tomoyo/securityfs_if.c | 273 + security/tomoyo/tomoyo.c | 602 ++ security/tomoyo/util.c | 1106 +++ security/yama/Kconfig | 14 + security/yama/Makefile | 4 + security/yama/yama_lsm.c | 488 ++ 252 files changed, 108894 insertions(+) create mode 100644 security/Kconfig create mode 100644 security/Kconfig.hardening create mode 100644 security/Makefile create mode 100644 security/apparmor/.gitignore create mode 100644 security/apparmor/Kconfig create mode 100644 security/apparmor/Makefile create mode 100644 security/apparmor/apparmorfs.c create mode 100644 security/apparmor/audit.c create mode 100644 security/apparmor/capability.c create mode 100644 security/apparmor/crypto.c create mode 100644 security/apparmor/domain.c create mode 100644 security/apparmor/file.c create mode 100644 security/apparmor/include/apparmor.h create mode 100644 security/apparmor/include/apparmorfs.h create mode 100644 security/apparmor/include/audit.h create mode 100644 security/apparmor/include/capability.h create mode 100644 security/apparmor/include/cred.h create mode 100644 security/apparmor/include/crypto.h create mode 100644 security/apparmor/include/domain.h create mode 100644 security/apparmor/include/file.h create mode 100644 security/apparmor/include/ipc.h create mode 100644 security/apparmor/include/label.h create mode 100644 security/apparmor/include/lib.h create mode 100644 security/apparmor/include/match.h create mode 100644 security/apparmor/include/mount.h create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/include/path.h create mode 100644 security/apparmor/include/perms.h create mode 100644 security/apparmor/include/policy.h create mode 100644 security/apparmor/include/policy_ns.h create mode 100644 security/apparmor/include/policy_unpack.h create mode 100644 security/apparmor/include/procattr.h create mode 100644 security/apparmor/include/resource.h create mode 100644 security/apparmor/include/secid.h create mode 100644 security/apparmor/include/sig_names.h create mode 100644 security/apparmor/include/task.h create mode 100644 security/apparmor/ipc.c create mode 100644 security/apparmor/label.c create mode 100644 security/apparmor/lib.c create mode 100644 security/apparmor/lsm.c create mode 100644 security/apparmor/match.c create mode 100644 security/apparmor/mount.c create mode 100644 security/apparmor/net.c create mode 100644 security/apparmor/nulldfa.in create mode 100644 security/apparmor/path.c create mode 100644 security/apparmor/policy.c create mode 100644 security/apparmor/policy_ns.c create mode 100644 security/apparmor/policy_unpack.c create mode 100644 security/apparmor/policy_unpack_test.c create mode 100644 security/apparmor/procattr.c create mode 100644 security/apparmor/resource.c create mode 100644 security/apparmor/secid.c create mode 100644 security/apparmor/stacksplitdfa.in create mode 100644 security/apparmor/task.c create mode 100644 security/bpf/Makefile create mode 100644 security/bpf/hooks.c create mode 100644 security/commoncap.c create mode 100644 security/device_cgroup.c create mode 100644 security/inode.c create mode 100644 security/integrity/Kconfig create mode 100644 security/integrity/Makefile create mode 100644 security/integrity/digsig.c create mode 100644 security/integrity/digsig_asymmetric.c create mode 100644 security/integrity/evm/Kconfig create mode 100644 security/integrity/evm/Makefile create mode 100644 security/integrity/evm/evm.h create mode 100644 security/integrity/evm/evm_crypto.c create mode 100644 security/integrity/evm/evm_main.c create mode 100644 security/integrity/evm/evm_posix_acl.c create mode 100644 security/integrity/evm/evm_secfs.c create mode 100644 security/integrity/iint.c create mode 100644 security/integrity/ima/Kconfig create mode 100644 security/integrity/ima/Makefile create mode 100644 security/integrity/ima/ima.h create mode 100644 security/integrity/ima/ima_api.c create mode 100644 security/integrity/ima/ima_appraise.c create mode 100644 security/integrity/ima/ima_asymmetric_keys.c create mode 100644 security/integrity/ima/ima_crypto.c create mode 100644 security/integrity/ima/ima_efi.c create mode 100644 security/integrity/ima/ima_fs.c create mode 100644 security/integrity/ima/ima_init.c create mode 100644 security/integrity/ima/ima_kexec.c create mode 100644 security/integrity/ima/ima_main.c create mode 100644 security/integrity/ima/ima_modsig.c create mode 100644 security/integrity/ima/ima_mok.c create mode 100644 security/integrity/ima/ima_policy.c create mode 100644 security/integrity/ima/ima_queue.c create mode 100644 security/integrity/ima/ima_queue_keys.c create mode 100644 security/integrity/ima/ima_template.c create mode 100644 security/integrity/ima/ima_template_lib.c create mode 100644 security/integrity/ima/ima_template_lib.h create mode 100644 security/integrity/integrity.h create mode 100644 security/integrity/integrity_audit.c create mode 100644 security/integrity/platform_certs/efi_parser.c create mode 100644 security/integrity/platform_certs/keyring_handler.c create mode 100644 security/integrity/platform_certs/keyring_handler.h create mode 100644 security/integrity/platform_certs/load_ipl_s390.c create mode 100644 security/integrity/platform_certs/load_powerpc.c create mode 100644 security/integrity/platform_certs/load_uefi.c create mode 100644 security/integrity/platform_certs/machine_keyring.c create mode 100644 security/integrity/platform_certs/platform_keyring.c create mode 100644 security/keys/Kconfig create mode 100644 security/keys/Makefile create mode 100644 security/keys/big_key.c create mode 100644 security/keys/compat.c create mode 100644 security/keys/compat_dh.c create mode 100644 security/keys/dh.c create mode 100644 security/keys/encrypted-keys/Makefile create mode 100644 security/keys/encrypted-keys/ecryptfs_format.c create mode 100644 security/keys/encrypted-keys/ecryptfs_format.h create mode 100644 security/keys/encrypted-keys/encrypted.c create mode 100644 security/keys/encrypted-keys/encrypted.h create mode 100644 security/keys/encrypted-keys/masterkey_trusted.c create mode 100644 security/keys/gc.c create mode 100644 security/keys/internal.h create mode 100644 security/keys/key.c create mode 100644 security/keys/keyctl.c create mode 100644 security/keys/keyctl_pkey.c create mode 100644 security/keys/keyring.c create mode 100644 security/keys/permission.c create mode 100644 security/keys/persistent.c create mode 100644 security/keys/proc.c create mode 100644 security/keys/process_keys.c create mode 100644 security/keys/request_key.c create mode 100644 security/keys/request_key_auth.c create mode 100644 security/keys/sysctl.c create mode 100644 security/keys/trusted-keys/Kconfig create mode 100644 security/keys/trusted-keys/Makefile create mode 100644 security/keys/trusted-keys/tpm2key.asn1 create mode 100644 security/keys/trusted-keys/trusted_caam.c create mode 100644 security/keys/trusted-keys/trusted_core.c create mode 100644 security/keys/trusted-keys/trusted_tee.c create mode 100644 security/keys/trusted-keys/trusted_tpm1.c create mode 100644 security/keys/trusted-keys/trusted_tpm2.c create mode 100644 security/keys/user_defined.c create mode 100644 security/landlock/Kconfig create mode 100644 security/landlock/Makefile create mode 100644 security/landlock/common.h create mode 100644 security/landlock/cred.c create mode 100644 security/landlock/cred.h create mode 100644 security/landlock/fs.c create mode 100644 security/landlock/fs.h create mode 100644 security/landlock/limits.h create mode 100644 security/landlock/object.c create mode 100644 security/landlock/object.h create mode 100644 security/landlock/ptrace.c create mode 100644 security/landlock/ptrace.h create mode 100644 security/landlock/ruleset.c create mode 100644 security/landlock/ruleset.h create mode 100644 security/landlock/setup.c create mode 100644 security/landlock/setup.h create mode 100644 security/landlock/syscalls.c create mode 100644 security/loadpin/Kconfig create mode 100644 security/loadpin/Makefile create mode 100644 security/loadpin/loadpin.c create mode 100644 security/lockdown/Kconfig create mode 100644 security/lockdown/Makefile create mode 100644 security/lockdown/lockdown.c create mode 100644 security/lsm_audit.c create mode 100644 security/min_addr.c create mode 100644 security/safesetid/Kconfig create mode 100644 security/safesetid/Makefile create mode 100644 security/safesetid/lsm.c create mode 100644 security/safesetid/lsm.h create mode 100644 security/safesetid/securityfs.c create mode 100644 security/security.c create mode 100644 security/selinux/.gitignore create mode 100644 security/selinux/Kconfig create mode 100644 security/selinux/Makefile create mode 100644 security/selinux/avc.c create mode 100644 security/selinux/hooks.c create mode 100644 security/selinux/ibpkey.c create mode 100644 security/selinux/ima.c create mode 100644 security/selinux/include/audit.h create mode 100644 security/selinux/include/avc.h create mode 100644 security/selinux/include/avc_ss.h create mode 100644 security/selinux/include/classmap.h create mode 100644 security/selinux/include/conditional.h create mode 100644 security/selinux/include/ibpkey.h create mode 100644 security/selinux/include/ima.h create mode 100644 security/selinux/include/initial_sid_to_string.h create mode 100644 security/selinux/include/netif.h create mode 100644 security/selinux/include/netlabel.h create mode 100644 security/selinux/include/netnode.h create mode 100644 security/selinux/include/netport.h create mode 100644 security/selinux/include/objsec.h create mode 100644 security/selinux/include/policycap.h create mode 100644 security/selinux/include/policycap_names.h create mode 100644 security/selinux/include/security.h create mode 100644 security/selinux/include/xfrm.h create mode 100644 security/selinux/netif.c create mode 100644 security/selinux/netlabel.c create mode 100644 security/selinux/netlink.c create mode 100644 security/selinux/netnode.c create mode 100644 security/selinux/netport.c create mode 100644 security/selinux/nlmsgtab.c create mode 100644 security/selinux/selinuxfs.c create mode 100644 security/selinux/ss/avtab.c create mode 100644 security/selinux/ss/avtab.h create mode 100644 security/selinux/ss/conditional.c create mode 100644 security/selinux/ss/conditional.h create mode 100644 security/selinux/ss/constraint.h create mode 100644 security/selinux/ss/context.c create mode 100644 security/selinux/ss/context.h create mode 100644 security/selinux/ss/ebitmap.c create mode 100644 security/selinux/ss/ebitmap.h create mode 100644 security/selinux/ss/hashtab.c create mode 100644 security/selinux/ss/hashtab.h create mode 100644 security/selinux/ss/mls.c create mode 100644 security/selinux/ss/mls.h create mode 100644 security/selinux/ss/mls_types.h create mode 100644 security/selinux/ss/policydb.c create mode 100644 security/selinux/ss/policydb.h create mode 100644 security/selinux/ss/services.c create mode 100644 security/selinux/ss/services.h create mode 100644 security/selinux/ss/sidtab.c create mode 100644 security/selinux/ss/sidtab.h create mode 100644 security/selinux/ss/symtab.c create mode 100644 security/selinux/ss/symtab.h create mode 100644 security/selinux/status.c create mode 100644 security/selinux/xfrm.c create mode 100644 security/smack/Kconfig create mode 100644 security/smack/Makefile create mode 100644 security/smack/smack.h create mode 100644 security/smack/smack_access.c create mode 100644 security/smack/smack_lsm.c create mode 100644 security/smack/smack_netfilter.c create mode 100644 security/smack/smackfs.c create mode 100644 security/tomoyo/.gitignore create mode 100644 security/tomoyo/Kconfig create mode 100644 security/tomoyo/Makefile create mode 100644 security/tomoyo/audit.c create mode 100644 security/tomoyo/common.c create mode 100644 security/tomoyo/common.h create mode 100644 security/tomoyo/condition.c create mode 100644 security/tomoyo/domain.c create mode 100644 security/tomoyo/environ.c create mode 100644 security/tomoyo/file.c create mode 100644 security/tomoyo/gc.c create mode 100644 security/tomoyo/group.c create mode 100644 security/tomoyo/load_policy.c create mode 100644 security/tomoyo/memory.c create mode 100644 security/tomoyo/mount.c create mode 100644 security/tomoyo/network.c create mode 100644 security/tomoyo/policy/exception_policy.conf.default create mode 100644 security/tomoyo/realpath.c create mode 100644 security/tomoyo/securityfs_if.c create mode 100644 security/tomoyo/tomoyo.c create mode 100644 security/tomoyo/util.c create mode 100644 security/yama/Kconfig create mode 100644 security/yama/Makefile create mode 100644 security/yama/yama_lsm.c (limited to 'security') diff --git a/security/Kconfig b/security/Kconfig new file mode 100644 index 000000000..e6db09a77 --- /dev/null +++ b/security/Kconfig @@ -0,0 +1,264 @@ +# SPDX-License-Identifier: GPL-2.0-only +# +# Security configuration +# + +menu "Security options" + +source "security/keys/Kconfig" + +config SECURITY_DMESG_RESTRICT + bool "Restrict unprivileged access to the kernel syslog" + default n + help + This enforces restrictions on unprivileged users reading the kernel + syslog via dmesg(8). + + If this option is not selected, no restrictions will be enforced + unless the dmesg_restrict sysctl is explicitly set to (1). + + If you are unsure how to answer this question, answer N. + +config SECURITY + bool "Enable different security models" + depends on SYSFS + depends on MULTIUSER + help + This allows you to choose different security modules to be + configured into your kernel. + + If this option is not selected, the default Linux security + model will be used. + + If you are unsure how to answer this question, answer N. + +config SECURITY_WRITABLE_HOOKS + depends on SECURITY + bool + default n + +config SECURITYFS + bool "Enable the securityfs filesystem" + help + This will build the securityfs filesystem. It is currently used by + various security modules (AppArmor, IMA, SafeSetID, TOMOYO, TPM). + + If you are unsure how to answer this question, answer N. + +config SECURITY_NETWORK + bool "Socket and Networking Security Hooks" + depends on SECURITY + help + This enables the socket and networking security hooks. + If enabled, a security module can use these hooks to + implement socket and networking access controls. + If you are unsure how to answer this question, answer N. + +config SECURITY_INFINIBAND + bool "Infiniband Security Hooks" + depends on SECURITY && INFINIBAND + help + This enables the Infiniband security hooks. + If enabled, a security module can use these hooks to + implement Infiniband access controls. + If you are unsure how to answer this question, answer N. + +config SECURITY_NETWORK_XFRM + bool "XFRM (IPSec) Networking Security Hooks" + depends on XFRM && SECURITY_NETWORK + help + This enables the XFRM (IPSec) networking security hooks. + If enabled, a security module can use these hooks to + implement per-packet access controls based on labels + derived from IPSec policy. Non-IPSec communications are + designated as unlabelled, and only sockets authorized + to communicate unlabelled data can send without using + IPSec. + If you are unsure how to answer this question, answer N. + +config SECURITY_PATH + bool "Security hooks for pathname based access control" + depends on SECURITY + help + This enables the security hooks for pathname based access control. + If enabled, a security module can use these hooks to + implement pathname based access controls. + If you are unsure how to answer this question, answer N. + +config INTEL_TXT + bool "Enable Intel(R) Trusted Execution Technology (Intel(R) TXT)" + depends on HAVE_INTEL_TXT + help + This option enables support for booting the kernel with the + Trusted Boot (tboot) module. This will utilize + Intel(R) Trusted Execution Technology to perform a measured launch + of the kernel. If the system does not support Intel(R) TXT, this + will have no effect. + + Intel TXT will provide higher assurance of system configuration and + initial state as well as data reset protection. This is used to + create a robust initial kernel measurement and verification, which + helps to ensure that kernel security mechanisms are functioning + correctly. This level of protection requires a root of trust outside + of the kernel itself. + + Intel TXT also helps solve real end user concerns about having + confidence that their hardware is running the VMM or kernel that + it was configured with, especially since they may be responsible for + providing such assurances to VMs and services running on it. + + See for more information + about Intel(R) TXT. + See for more information about tboot. + See Documentation/x86/intel_txt.rst for a description of how to enable + Intel TXT support in a kernel boot. + + If you are unsure as to whether this is required, answer N. + +config LSM_MMAP_MIN_ADDR + int "Low address space for LSM to protect from user allocation" + depends on SECURITY && SECURITY_SELINUX + default 32768 if ARM || (ARM64 && COMPAT) + default 65536 + help + This is the portion of low virtual memory which should be protected + from userspace allocation. Keeping a user from writing to low pages + can help reduce the impact of kernel NULL pointer bugs. + + For most ia64, ppc64 and x86 users with lots of address space + a value of 65536 is reasonable and should cause no problems. + On arm and other archs it should not be higher than 32768. + Programs which use vm86 functionality or have some need to map + this low address space will need the permission specific to the + systems running LSM. + +config HAVE_HARDENED_USERCOPY_ALLOCATOR + bool + help + The heap allocator implements __check_heap_object() for + validating memory ranges against heap object sizes in + support of CONFIG_HARDENED_USERCOPY. + +config HARDENED_USERCOPY + bool "Harden memory copies between kernel and userspace" + depends on HAVE_HARDENED_USERCOPY_ALLOCATOR + imply STRICT_DEVMEM + help + This option checks for obviously wrong memory regions when + copying memory to/from the kernel (via copy_to_user() and + copy_from_user() functions) by rejecting memory ranges that + are larger than the specified heap object, span multiple + separately allocated pages, are not on the process stack, + or are part of the kernel text. This prevents entire classes + of heap overflow exploits and similar kernel memory exposures. + +config FORTIFY_SOURCE + bool "Harden common str/mem functions against buffer overflows" + depends on ARCH_HAS_FORTIFY_SOURCE + # https://bugs.llvm.org/show_bug.cgi?id=41459 + depends on !CC_IS_CLANG || CLANG_VERSION >= 120001 + # https://github.com/llvm/llvm-project/issues/53645 + depends on !CC_IS_CLANG || !X86_32 + help + Detect overflows of buffers in common string and memory functions + where the compiler can determine and validate the buffer sizes. + +config STATIC_USERMODEHELPER + bool "Force all usermode helper calls through a single binary" + help + By default, the kernel can call many different userspace + binary programs through the "usermode helper" kernel + interface. Some of these binaries are statically defined + either in the kernel code itself, or as a kernel configuration + option. However, some of these are dynamically created at + runtime, or can be modified after the kernel has started up. + To provide an additional layer of security, route all of these + calls through a single executable that can not have its name + changed. + + Note, it is up to this single binary to then call the relevant + "real" usermode helper binary, based on the first argument + passed to it. If desired, this program can filter and pick + and choose what real programs are called. + + If you wish for all usermode helper programs are to be + disabled, choose this option and then set + STATIC_USERMODEHELPER_PATH to an empty string. + +config STATIC_USERMODEHELPER_PATH + string "Path to the static usermode helper binary" + depends on STATIC_USERMODEHELPER + default "/sbin/usermode-helper" + help + The binary called by the kernel when any usermode helper + program is wish to be run. The "real" application's name will + be in the first argument passed to this program on the command + line. + + If you wish for all usermode helper programs to be disabled, + specify an empty string here (i.e. ""). + +source "security/selinux/Kconfig" +source "security/smack/Kconfig" +source "security/tomoyo/Kconfig" +source "security/apparmor/Kconfig" +source "security/loadpin/Kconfig" +source "security/yama/Kconfig" +source "security/safesetid/Kconfig" +source "security/lockdown/Kconfig" +source "security/landlock/Kconfig" + +source "security/integrity/Kconfig" + +choice + prompt "First legacy 'major LSM' to be initialized" + default DEFAULT_SECURITY_SELINUX if SECURITY_SELINUX + default DEFAULT_SECURITY_SMACK if SECURITY_SMACK + default DEFAULT_SECURITY_TOMOYO if SECURITY_TOMOYO + default DEFAULT_SECURITY_APPARMOR if SECURITY_APPARMOR + default DEFAULT_SECURITY_DAC + + help + This choice is there only for converting CONFIG_DEFAULT_SECURITY + in old kernel configs to CONFIG_LSM in new kernel configs. Don't + change this choice unless you are creating a fresh kernel config, + for this choice will be ignored after CONFIG_LSM has been set. + + Selects the legacy "major security module" that will be + initialized first. Overridden by non-default CONFIG_LSM. + + config DEFAULT_SECURITY_SELINUX + bool "SELinux" if SECURITY_SELINUX=y + + config DEFAULT_SECURITY_SMACK + bool "Simplified Mandatory Access Control" if SECURITY_SMACK=y + + config DEFAULT_SECURITY_TOMOYO + bool "TOMOYO" if SECURITY_TOMOYO=y + + config DEFAULT_SECURITY_APPARMOR + bool "AppArmor" if SECURITY_APPARMOR=y + + config DEFAULT_SECURITY_DAC + bool "Unix Discretionary Access Controls" + +endchoice + +config LSM + string "Ordered list of enabled LSMs" + default "landlock,lockdown,yama,loadpin,safesetid,integrity,smack,selinux,tomoyo,apparmor,bpf" if DEFAULT_SECURITY_SMACK + default "landlock,lockdown,yama,loadpin,safesetid,integrity,apparmor,selinux,smack,tomoyo,bpf" if DEFAULT_SECURITY_APPARMOR + default "landlock,lockdown,yama,loadpin,safesetid,integrity,tomoyo,bpf" if DEFAULT_SECURITY_TOMOYO + default "landlock,lockdown,yama,loadpin,safesetid,integrity,bpf" if DEFAULT_SECURITY_DAC + default "landlock,lockdown,yama,loadpin,safesetid,integrity,selinux,smack,tomoyo,apparmor,bpf" + help + A comma-separated list of LSMs, in initialization order. + Any LSMs left off this list will be ignored. This can be + controlled at boot with the "lsm=" parameter. + + If unsure, leave this as the default. + +source "security/Kconfig.hardening" + +endmenu + diff --git a/security/Kconfig.hardening b/security/Kconfig.hardening new file mode 100644 index 000000000..0f295961e --- /dev/null +++ b/security/Kconfig.hardening @@ -0,0 +1,358 @@ +# SPDX-License-Identifier: GPL-2.0-only +menu "Kernel hardening options" + +config GCC_PLUGIN_STRUCTLEAK + bool + help + While the kernel is built with warnings enabled for any missed + stack variable initializations, this warning is silenced for + anything passed by reference to another function, under the + occasionally misguided assumption that the function will do + the initialization. As this regularly leads to exploitable + flaws, this plugin is available to identify and zero-initialize + such variables, depending on the chosen level of coverage. + + This plugin was originally ported from grsecurity/PaX. More + information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + +menu "Memory initialization" + +config CC_HAS_AUTO_VAR_INIT_PATTERN + def_bool $(cc-option,-ftrivial-auto-var-init=pattern) + +config CC_HAS_AUTO_VAR_INIT_ZERO_BARE + def_bool $(cc-option,-ftrivial-auto-var-init=zero) + +config CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER + # Clang 16 and later warn about using the -enable flag, but it + # is required before then. + def_bool $(cc-option,-ftrivial-auto-var-init=zero -enable-trivial-auto-var-init-zero-knowing-it-will-be-removed-from-clang) + depends on !CC_HAS_AUTO_VAR_INIT_ZERO_BARE + +config CC_HAS_AUTO_VAR_INIT_ZERO + def_bool CC_HAS_AUTO_VAR_INIT_ZERO_BARE || CC_HAS_AUTO_VAR_INIT_ZERO_ENABLER + +choice + prompt "Initialize kernel stack variables at function entry" + default GCC_PLUGIN_STRUCTLEAK_BYREF_ALL if COMPILE_TEST && GCC_PLUGINS + default INIT_STACK_ALL_PATTERN if COMPILE_TEST && CC_HAS_AUTO_VAR_INIT_PATTERN + default INIT_STACK_ALL_ZERO if CC_HAS_AUTO_VAR_INIT_ZERO + default INIT_STACK_NONE + help + This option enables initialization of stack variables at + function entry time. This has the possibility to have the + greatest coverage (since all functions can have their + variables initialized), but the performance impact depends + on the function calling complexity of a given workload's + syscalls. + + This chooses the level of coverage over classes of potentially + uninitialized variables. The selected class of variable will be + initialized before use in a function. + + config INIT_STACK_NONE + bool "no automatic stack variable initialization (weakest)" + help + Disable automatic stack variable initialization. + This leaves the kernel vulnerable to the standard + classes of uninitialized stack variable exploits + and information exposures. + + config GCC_PLUGIN_STRUCTLEAK_USER + bool "zero-init structs marked for userspace (weak)" + # Plugin can be removed once the kernel only supports GCC 12+ + depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO + select GCC_PLUGIN_STRUCTLEAK + help + Zero-initialize any structures on the stack containing + a __user attribute. This can prevent some classes of + uninitialized stack variable exploits and information + exposures, like CVE-2013-2141: + https://git.kernel.org/linus/b9e146d8eb3b9eca + + config GCC_PLUGIN_STRUCTLEAK_BYREF + bool "zero-init structs passed by reference (strong)" + # Plugin can be removed once the kernel only supports GCC 12+ + depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO + depends on !(KASAN && KASAN_STACK) + select GCC_PLUGIN_STRUCTLEAK + help + Zero-initialize any structures on the stack that may + be passed by reference and had not already been + explicitly initialized. This can prevent most classes + of uninitialized stack variable exploits and information + exposures, like CVE-2017-1000410: + https://git.kernel.org/linus/06e7e776ca4d3654 + + As a side-effect, this keeps a lot of variables on the + stack that can otherwise be optimized out, so combining + this with CONFIG_KASAN_STACK can lead to a stack overflow + and is disallowed. + + config GCC_PLUGIN_STRUCTLEAK_BYREF_ALL + bool "zero-init everything passed by reference (very strong)" + # Plugin can be removed once the kernel only supports GCC 12+ + depends on GCC_PLUGINS && !CC_HAS_AUTO_VAR_INIT_ZERO + depends on !(KASAN && KASAN_STACK) + select GCC_PLUGIN_STRUCTLEAK + help + Zero-initialize any stack variables that may be passed + by reference and had not already been explicitly + initialized. This is intended to eliminate all classes + of uninitialized stack variable exploits and information + exposures. + + As a side-effect, this keeps a lot of variables on the + stack that can otherwise be optimized out, so combining + this with CONFIG_KASAN_STACK can lead to a stack overflow + and is disallowed. + + config INIT_STACK_ALL_PATTERN + bool "pattern-init everything (strongest)" + depends on CC_HAS_AUTO_VAR_INIT_PATTERN + depends on !KMSAN + help + Initializes everything on the stack (including padding) + with a specific debug value. This is intended to eliminate + all classes of uninitialized stack variable exploits and + information exposures, even variables that were warned about + having been left uninitialized. + + Pattern initialization is known to provoke many existing bugs + related to uninitialized locals, e.g. pointers receive + non-NULL values, buffer sizes and indices are very big. The + pattern is situation-specific; Clang on 64-bit uses 0xAA + repeating for all types and padding except float and double + which use 0xFF repeating (-NaN). Clang on 32-bit uses 0xFF + repeating for all types and padding. + + config INIT_STACK_ALL_ZERO + bool "zero-init everything (strongest and safest)" + depends on CC_HAS_AUTO_VAR_INIT_ZERO + depends on !KMSAN + help + Initializes everything on the stack (including padding) + with a zero value. This is intended to eliminate all + classes of uninitialized stack variable exploits and + information exposures, even variables that were warned + about having been left uninitialized. + + Zero initialization provides safe defaults for strings + (immediately NUL-terminated), pointers (NULL), indices + (index 0), and sizes (0 length), so it is therefore more + suitable as a production security mitigation than pattern + initialization. + +endchoice + +config GCC_PLUGIN_STRUCTLEAK_VERBOSE + bool "Report forcefully initialized variables" + depends on GCC_PLUGIN_STRUCTLEAK + depends on !COMPILE_TEST # too noisy + help + This option will cause a warning to be printed each time the + structleak plugin finds a variable it thinks needs to be + initialized. Since not all existing initializers are detected + by the plugin, this can produce false positive warnings. + +config GCC_PLUGIN_STACKLEAK + bool "Poison kernel stack before returning from syscalls" + depends on GCC_PLUGINS + depends on HAVE_ARCH_STACKLEAK + help + This option makes the kernel erase the kernel stack before + returning from system calls. This has the effect of leaving + the stack initialized to the poison value, which both reduces + the lifetime of any sensitive stack contents and reduces + potential for uninitialized stack variable exploits or information + exposures (it does not cover functions reaching the same stack + depth as prior functions during the same syscall). This blocks + most uninitialized stack variable attacks, with the performance + impact being driven by the depth of the stack usage, rather than + the function calling complexity. + + The performance impact on a single CPU system kernel compilation + sees a 1% slowdown, other systems and workloads may vary and you + are advised to test this feature on your expected workload before + deploying it. + + This plugin was ported from grsecurity/PaX. More information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + +config GCC_PLUGIN_STACKLEAK_VERBOSE + bool "Report stack depth analysis instrumentation" if EXPERT + depends on GCC_PLUGIN_STACKLEAK + depends on !COMPILE_TEST # too noisy + help + This option will cause a warning to be printed each time the + stackleak plugin finds a function it thinks needs to be + instrumented. This is useful for comparing coverage between + builds. + +config STACKLEAK_TRACK_MIN_SIZE + int "Minimum stack frame size of functions tracked by STACKLEAK" + default 100 + range 0 4096 + depends on GCC_PLUGIN_STACKLEAK + help + The STACKLEAK gcc plugin instruments the kernel code for tracking + the lowest border of the kernel stack (and for some other purposes). + It inserts the stackleak_track_stack() call for the functions with + a stack frame size greater than or equal to this parameter. + If unsure, leave the default value 100. + +config STACKLEAK_METRICS + bool "Show STACKLEAK metrics in the /proc file system" + depends on GCC_PLUGIN_STACKLEAK + depends on PROC_FS + help + If this is set, STACKLEAK metrics for every task are available in + the /proc file system. In particular, /proc//stack_depth + shows the maximum kernel stack consumption for the current and + previous syscalls. Although this information is not precise, it + can be useful for estimating the STACKLEAK performance impact for + your workloads. + +config STACKLEAK_RUNTIME_DISABLE + bool "Allow runtime disabling of kernel stack erasing" + depends on GCC_PLUGIN_STACKLEAK + help + This option provides 'stack_erasing' sysctl, which can be used in + runtime to control kernel stack erasing for kernels built with + CONFIG_GCC_PLUGIN_STACKLEAK. + +config INIT_ON_ALLOC_DEFAULT_ON + bool "Enable heap memory zeroing on allocation by default" + depends on !KMSAN + help + This has the effect of setting "init_on_alloc=1" on the kernel + command line. This can be disabled with "init_on_alloc=0". + When "init_on_alloc" is enabled, all page allocator and slab + allocator memory will be zeroed when allocated, eliminating + many kinds of "uninitialized heap memory" flaws, especially + heap content exposures. The performance impact varies by + workload, but most cases see <1% impact. Some synthetic + workloads have measured as high as 7%. + +config INIT_ON_FREE_DEFAULT_ON + bool "Enable heap memory zeroing on free by default" + depends on !KMSAN + help + This has the effect of setting "init_on_free=1" on the kernel + command line. This can be disabled with "init_on_free=0". + Similar to "init_on_alloc", when "init_on_free" is enabled, + all page allocator and slab allocator memory will be zeroed + when freed, eliminating many kinds of "uninitialized heap memory" + flaws, especially heap content exposures. The primary difference + with "init_on_free" is that data lifetime in memory is reduced, + as anything freed is wiped immediately, making live forensics or + cold boot memory attacks unable to recover freed memory contents. + The performance impact varies by workload, but is more expensive + than "init_on_alloc" due to the negative cache effects of + touching "cold" memory areas. Most cases see 3-5% impact. Some + synthetic workloads have measured as high as 8%. + +config CC_HAS_ZERO_CALL_USED_REGS + def_bool $(cc-option,-fzero-call-used-regs=used-gpr) + # https://github.com/ClangBuiltLinux/linux/issues/1766 + # https://github.com/llvm/llvm-project/issues/59242 + depends on !CC_IS_CLANG || CLANG_VERSION > 150006 + +config ZERO_CALL_USED_REGS + bool "Enable register zeroing on function exit" + depends on CC_HAS_ZERO_CALL_USED_REGS + help + At the end of functions, always zero any caller-used register + contents. This helps ensure that temporary values are not + leaked beyond the function boundary. This means that register + contents are less likely to be available for side channels + and information exposures. Additionally, this helps reduce the + number of useful ROP gadgets by about 20% (and removes compiler + generated "write-what-where" gadgets) in the resulting kernel + image. This has a less than 1% performance impact on most + workloads. Image size growth depends on architecture, and should + be evaluated for suitability. For example, x86_64 grows by less + than 1%, and arm64 grows by about 5%. + +endmenu + +config CC_HAS_RANDSTRUCT + def_bool $(cc-option,-frandomize-layout-seed-file=/dev/null) + # Randstruct was first added in Clang 15, but it isn't safe to use until + # Clang 16 due to https://github.com/llvm/llvm-project/issues/60349 + depends on !CC_IS_CLANG || CLANG_VERSION >= 160000 + +choice + prompt "Randomize layout of sensitive kernel structures" + default RANDSTRUCT_FULL if COMPILE_TEST && (GCC_PLUGINS || CC_HAS_RANDSTRUCT) + default RANDSTRUCT_NONE + help + If you enable this, the layouts of structures that are entirely + function pointers (and have not been manually annotated with + __no_randomize_layout), or structures that have been explicitly + marked with __randomize_layout, will be randomized at compile-time. + This can introduce the requirement of an additional information + exposure vulnerability for exploits targeting these structure + types. + + Enabling this feature will introduce some performance impact, + slightly increase memory usage, and prevent the use of forensic + tools like Volatility against the system (unless the kernel + source tree isn't cleaned after kernel installation). + + The seed used for compilation is in scripts/basic/randomize.seed. + It remains after a "make clean" to allow for external modules to + be compiled with the existing seed and will be removed by a + "make mrproper" or "make distclean". This file should not be made + public, or the structure layout can be determined. + + config RANDSTRUCT_NONE + bool "Disable structure layout randomization" + help + Build normally: no structure layout randomization. + + config RANDSTRUCT_FULL + bool "Fully randomize structure layout" + depends on CC_HAS_RANDSTRUCT || GCC_PLUGINS + select MODVERSIONS if MODULES + help + Fully randomize the member layout of sensitive + structures as much as possible, which may have both a + memory size and performance impact. + + One difference between the Clang and GCC plugin + implementations is the handling of bitfields. The GCC + plugin treats them as fully separate variables, + introducing sometimes significant padding. Clang tries + to keep adjacent bitfields together, but with their bit + ordering randomized. + + config RANDSTRUCT_PERFORMANCE + bool "Limit randomization of structure layout to cache-lines" + depends on GCC_PLUGINS + select MODVERSIONS if MODULES + help + Randomization of sensitive kernel structures will make a + best effort at restricting randomization to cacheline-sized + groups of members. It will further not randomize bitfields + in structures. This reduces the performance hit of RANDSTRUCT + at the cost of weakened randomization. +endchoice + +config RANDSTRUCT + def_bool !RANDSTRUCT_NONE + +config GCC_PLUGIN_RANDSTRUCT + def_bool GCC_PLUGINS && RANDSTRUCT + help + Use GCC plugin to randomize structure layout. + + This plugin was ported from grsecurity/PaX. More + information at: + * https://grsecurity.net/ + * https://pax.grsecurity.net/ + +endmenu diff --git a/security/Makefile b/security/Makefile new file mode 100644 index 000000000..18121f8f8 --- /dev/null +++ b/security/Makefile @@ -0,0 +1,29 @@ +# SPDX-License-Identifier: GPL-2.0 +# +# Makefile for the kernel security code +# + +obj-$(CONFIG_KEYS) += keys/ + +# always enable default capabilities +obj-y += commoncap.o +obj-$(CONFIG_MMU) += min_addr.o + +# Object file lists +obj-$(CONFIG_SECURITY) += security.o +obj-$(CONFIG_SECURITYFS) += inode.o +obj-$(CONFIG_SECURITY_SELINUX) += selinux/ +obj-$(CONFIG_SECURITY_SMACK) += smack/ +obj-$(CONFIG_SECURITY) += lsm_audit.o +obj-$(CONFIG_SECURITY_TOMOYO) += tomoyo/ +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor/ +obj-$(CONFIG_SECURITY_YAMA) += yama/ +obj-$(CONFIG_SECURITY_LOADPIN) += loadpin/ +obj-$(CONFIG_SECURITY_SAFESETID) += safesetid/ +obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ +obj-$(CONFIG_CGROUPS) += device_cgroup.o +obj-$(CONFIG_BPF_LSM) += bpf/ +obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ + +# Object integrity file lists +obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore new file mode 100644 index 000000000..6d1eb1c15 --- /dev/null +++ b/security/apparmor/.gitignore @@ -0,0 +1,4 @@ +# SPDX-License-Identifier: GPL-2.0-only +net_names.h +capability_names.h +rlim_names.h diff --git a/security/apparmor/Kconfig b/security/apparmor/Kconfig new file mode 100644 index 000000000..f334e7ccc --- /dev/null +++ b/security/apparmor/Kconfig @@ -0,0 +1,123 @@ +# SPDX-License-Identifier: GPL-2.0-only +config SECURITY_APPARMOR + bool "AppArmor support" + depends on SECURITY && NET + select AUDIT + select SECURITY_PATH + select SECURITYFS + select SECURITY_NETWORK + default n + help + This enables the AppArmor security module. + Required userspace tools (if they are not included in your + distribution) and further information may be found at + http://apparmor.wiki.kernel.org + + If you are unsure how to answer this question, answer N. + +config SECURITY_APPARMOR_DEBUG + bool "Build AppArmor with debug code" + depends on SECURITY_APPARMOR + default n + help + Build apparmor with debugging logic in apparmor. Not all + debugging logic will necessarily be enabled. A submenu will + provide fine grained control of the debug options that are + available. + +config SECURITY_APPARMOR_DEBUG_ASSERTS + bool "Build AppArmor with debugging asserts" + depends on SECURITY_APPARMOR_DEBUG + default y + help + Enable code assertions made with AA_BUG. These are primarily + function entry preconditions but also exist at other key + points. If the assert is triggered it will trigger a WARN + message. + +config SECURITY_APPARMOR_DEBUG_MESSAGES + bool "Debug messages enabled by default" + depends on SECURITY_APPARMOR_DEBUG + default n + help + Set the default value of the apparmor.debug kernel parameter. + When enabled, various debug messages will be logged to + the kernel message buffer. + +config SECURITY_APPARMOR_INTROSPECT_POLICY + bool "Allow loaded policy to be introspected" + depends on SECURITY_APPARMOR + default y + help + This option selects whether introspection of loaded policy + is available to userspace via the apparmor filesystem. This + adds to kernel memory usage. It is required for introspection + of loaded policy, and check point and restore support. It + can be disabled for embedded systems where reducing memory and + cpu is paramount. + +config SECURITY_APPARMOR_HASH + bool "Enable introspection of sha1 hashes for loaded profiles" + depends on SECURITY_APPARMOR_INTROSPECT_POLICY + select CRYPTO + select CRYPTO_SHA1 + default y + help + This option selects whether introspection of loaded policy + hashes is available to userspace via the apparmor + filesystem. This option provides a light weight means of + checking loaded policy. This option adds to policy load + time and can be disabled for small embedded systems. + +config SECURITY_APPARMOR_HASH_DEFAULT + bool "Enable policy hash introspection by default" + depends on SECURITY_APPARMOR_HASH + default y + help + This option selects whether sha1 hashing of loaded policy + is enabled by default. The generation of sha1 hashes for + loaded policy provide system administrators a quick way + to verify that policy in the kernel matches what is expected, + however it can slow down policy load on some devices. In + these cases policy hashing can be disabled by default and + enabled only if needed. + +config SECURITY_APPARMOR_EXPORT_BINARY + bool "Allow exporting the raw binary policy" + depends on SECURITY_APPARMOR_INTROSPECT_POLICY + select ZLIB_INFLATE + select ZLIB_DEFLATE + default y + help + This option allows reading back binary policy as it was loaded. + It increases the amount of kernel memory needed by policy and + also increases policy load time. This option is required for + checkpoint and restore support, and debugging of loaded policy. + +config SECURITY_APPARMOR_PARANOID_LOAD + bool "Perform full verification of loaded policy" + depends on SECURITY_APPARMOR + default y + help + This options allows controlling whether apparmor does a full + verification of loaded policy. This should not be disabled + except for embedded systems where the image is read only, + includes policy, and has some form of integrity check. + Disabling the check will speed up policy loads. + +config SECURITY_APPARMOR_KUNIT_TEST + tristate "Build KUnit tests for policy_unpack.c" if !KUNIT_ALL_TESTS + depends on KUNIT && SECURITY_APPARMOR + default KUNIT_ALL_TESTS + help + This builds the AppArmor KUnit tests. + + KUnit tests run during boot and output the results to the debug log + in TAP format (https://testanything.org/). Only useful for kernel devs + running KUnit test harness and are not for inclusion into a + production build. + + For more information on KUnit and unit tests in general please refer + to the KUnit documentation in Documentation/dev-tools/kunit/. + + If unsure, say N. diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile new file mode 100644 index 000000000..065f4e346 --- /dev/null +++ b/security/apparmor/Makefile @@ -0,0 +1,113 @@ +# SPDX-License-Identifier: GPL-2.0 +# Makefile for AppArmor Linux Security Module +# +obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o + +apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \ + path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ + resource.o secid.o file.o policy_ns.o label.o mount.o net.o +apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o + +obj-$(CONFIG_SECURITY_APPARMOR_KUNIT_TEST) += apparmor_policy_unpack_test.o +apparmor_policy_unpack_test-objs += policy_unpack_test.o + +clean-files := capability_names.h rlim_names.h net_names.h + +# Build a lower case string table of address family names +# Transform lines from +# #define AF_LOCAL 1 /* POSIX name for AF_UNIX */ +# #define AF_INET 2 /* Internet IP Protocol */ +# to +# [1] = "local", +# [2] = "inet", +# +# and build the securityfs entries for the mapping. +# Transforms lines from +# #define AF_INET 2 /* Internet IP Protocol */ +# to +# #define AA_SFS_AF_MASK "local inet" +quiet_cmd_make-af = GEN $@ +cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\ + sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ + 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ + echo "};" >> $@ ;\ + printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\ + sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ + 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\ + $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ + +# Build a lower case string table of sock type names +# Transform lines from +# SOCK_STREAM = 1, +# to +# [1] = "stream", +quiet_cmd_make-sock = GEN $@ +cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\ + sed $^ >>$@ -r -n \ + -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ + echo "};" >> $@ + +# Build a lower case string table of capability names +# Transforms lines from +# #define CAP_DAC_OVERRIDE 1 +# to +# [1] = "dac_override", +quiet_cmd_make-caps = GEN $@ +cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\ + sed $< >>$@ -r -n -e '/CAP_FS_MASK/d' \ + -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ + echo "};" >> $@ ;\ + printf '%s' '\#define AA_SFS_CAPS_MASK "' >> $@ ;\ + sed $< -r -n -e '/CAP_FS_MASK/d' \ + -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \ + tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ + + +# Build a lower case string table of rlimit names. +# Transforms lines from +# #define RLIMIT_STACK 3 /* max stack size */ +# to +# [RLIMIT_STACK] = "stack", +# +# and build a second integer table (with the second sed cmd), that maps +# RLIMIT defines to the order defined in asm-generic/resource.h This is +# required by policy load to map policy ordering of RLIMITs to internal +# ordering for architectures that redefine an RLIMIT. +# Transforms lines from +# #define RLIMIT_STACK 3 /* max stack size */ +# to +# RLIMIT_STACK, +# +# and build the securityfs entries for the mapping. +# Transforms lines from +# #define RLIMIT_FSIZE 1 /* Maximum filesize */ +# #define RLIMIT_STACK 3 /* max stack size */ +# to +# #define AA_SFS_RLIMIT_MASK "fsize stack" +quiet_cmd_make-rlim = GEN $@ +cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \ + > $@ ;\ + sed $< >> $@ -r -n \ + -e 's/^\# ?define[ \t]+(RLIMIT_([A-Z0-9_]+)).*/[\1] = "\L\2",/p';\ + echo "};" >> $@ ;\ + echo "static const int rlim_map[RLIM_NLIMITS] = {" >> $@ ;\ + sed -r -n "s/^\# ?define[ \t]+(RLIMIT_[A-Z0-9_]+).*/\1,/p" $< >> $@ ;\ + echo "};" >> $@ ; \ + printf '%s' '\#define AA_SFS_RLIMIT_MASK "' >> $@ ;\ + sed -r -n 's/^\# ?define[ \t]+RLIMIT_([A-Z0-9_]+).*/\L\1/p' $< | \ + tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ + +$(obj)/capability.o : $(obj)/capability_names.h +$(obj)/net.o : $(obj)/net_names.h +$(obj)/resource.o : $(obj)/rlim_names.h +$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ + $(src)/Makefile + $(call cmd,make-caps) +$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ + $(src)/Makefile + $(call cmd,make-rlim) +$(obj)/net_names.h : $(srctree)/include/linux/socket.h \ + $(srctree)/include/linux/net.h \ + $(src)/Makefile + $(call cmd,make-af) + $(call cmd,make-sock) diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c new file mode 100644 index 000000000..7160e7aa5 --- /dev/null +++ b/security/apparmor/apparmorfs.c @@ -0,0 +1,2682 @@ +// SPDX-License-Identifier: GPL-2.0-only +/* + * AppArmor security module + * + * This file contains AppArmor /sys/kernel/security/apparmor interface functions + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +#include "include/apparmor.h" +#include "include/apparmorfs.h" +#include "include/audit.h" +#include "include/cred.h" +#include "include/crypto.h" +#include "include/ipc.h" +#include "include/label.h" +#include "include/policy.h" +#include "include/policy_ns.h" +#include "include/resource.h" +#include "include/policy_unpack.h" +#include "include/task.h" + +/* + * The apparmor filesystem interface used for policy load and introspection + * The interface is split into two main components based on their function + * a securityfs component: + * used for static files that are always available, and which allows + * userspace to specificy the location of the security filesystem. + * + * fns and data are prefixed with + * aa_sfs_ + * + * an apparmorfs component: + * used loaded policy content and introspection. It is not part of a + * regular mounted filesystem and is available only through the magic + * policy symlink in the root of the securityfs apparmor/ directory. + * Tasks queries will be magically redirected to the correct portion + * of the policy tree based on their confinement. + * + * fns and data are prefixed with + * aafs_ + * + * The aa_fs_ prefix is used to indicate the fn is used by both the + * securityfs and apparmorfs filesystems. + */ + + +/* + * support fns + */ + +struct rawdata_f_data { + struct aa_loaddata *loaddata; +}; + +#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY +#define RAWDATA_F_DATA_BUF(p) (char *)(p + 1) + +static void rawdata_f_data_free(struct rawdata_f_data *private) +{ + if (!private) + return; + + aa_put_loaddata(private->loaddata); + kvfree(private); +} + +static struct rawdata_f_data *rawdata_f_data_alloc(size_t size) +{ + struct rawdata_f_data *ret; + + if (size > SIZE_MAX - sizeof(*ret)) + return ERR_PTR(-EINVAL); + + ret = kvzalloc(sizeof(*ret) + size, GFP_KERNEL); + if (!ret) + return ERR_PTR(-ENOMEM); + + return ret; +} +#endif + +/** + * mangle_name - mangle a profile name to std profile layout form + * @name: profile name to mangle (NOT NULL) + * @target: buffer to store mangled name, same length as @name (MAYBE NULL) + * + * Returns: length of mangled name + */ +static int mangle_name(const char *name, char *target) +{ + char *t = target; + + while (*name == '/' || *name == '.') + name++; + + if (target) { + for (; *name; name++) { + if (*name == '/') + *(t)++ = '.'; + else if (isspace(*name)) + *(t)++ = '_'; + else if (isalnum(*name) || strchr("._-", *name)) + *(t)++ = *name; + } + + *t = 0; + } else { + int len = 0; + for (; *name; name++) { + if (isalnum(*name) || isspace(*name) || + strchr("/._-", *name)) + len++; + } + + return len; + } + + return t - target; +} + + +/* + * aafs - core fns and data for the policy tree + */ + +#define AAFS_NAME "apparmorfs" +static struct vfsmount *aafs_mnt; +static int aafs_count; + + +static int aafs_show_path(struct seq_file *seq, struct dentry *dentry) +{ + seq_printf(seq, "%s:[%lu]", AAFS_NAME, d_inode(dentry)->i_ino); + return 0; +} + +static void aafs_free_inode(struct inode *inode) +{ + if (S_ISLNK(inode->i_mode)) + kfree(inode->i_link); + free_inode_nonrcu(inode); +} + +static const struct super_operations aafs_super_ops = { + .statfs = simple_statfs, + .free_inode = aafs_free_inode, + .show_path = aafs_show_path, +}; + +static int apparmorfs_fill_super(struct super_block *sb, struct fs_context *fc) +{ + static struct tree_descr files[] = { {""} }; + int error; + + error = simple_fill_super(sb, AAFS_MAGIC, files); + if (error) + return error; + sb->s_op = &aafs_super_ops; + + return 0; +} + +static int apparmorfs_get_tree(struct fs_context *fc) +{ + return get_tree_single(fc, apparmorfs_fill_super); +} + +static const struct fs_context_operations apparmorfs_context_ops = { + .get_tree = apparmorfs_get_tree, +}; + +static int apparmorfs_init_fs_context(struct fs_context *fc) +{ + fc->ops = &apparmorfs_context_ops; + return 0; +} + +static struct file_system_type aafs_ops = { + .owner = THIS_MODULE, + .name = AAFS_NAME, + .init_fs_context = apparmorfs_init_fs_context, + .kill_sb = kill_anon_super, +}; + +/** + * __aafs_setup_d_inode - basic inode setup for apparmorfs + * @dir: parent directory for the dentry + * @dentry: dentry we are seting the inode up for + * @mode: permissions the file should have + * @data: data to store on inode.i_private, available in open() + * @link: if symlink, symlink target string + * @fops: struct file_operations that should be used + * @iops: struct of inode_operations that should be used + */ +static int __aafs_setup_d_inode(struct inode *dir, struct dentry *dentry, + umode_t mode, void *data, char *link, + const struct file_operations *fops, + const struct inode_operations *iops) +{ + struct inode *inode = new_inode(dir->i_sb); + + AA_BUG(!dir); + AA_BUG(!dentry); + + if (!inode) + return -ENOMEM; + + inode->i_ino = get_next_ino(); + inode->i_mode = mode; + inode->i_atime = inode->i_mtime = inode->i_ctime = current_time(inode); + inode->i_private = data; + if (S_ISDIR(mode)) { + inode->i_op = iops ? iops : &simple_dir_inode_operations; + inode->i_fop = &simple_dir_operations; + inc_nlink(inode); + inc_nlink(dir); + } else if (S_ISLNK(mode)) { + inode->i_op = iops ? iops : &simple_symlink_inode_operations; + inode->i_link = link; + } else { + inode->i_fop = fops; + } + d_instantiate(dentry, inode); + dget(dentry); + + return 0; +} + +/** + * aafs_create - create a dentry in the apparmorfs filesystem + * + * @name: name of dentry to create + * @mode: permissions the file should have + * @parent: parent directory for this dentry + * @data: data to store on inode.i_private, available in open() + * @link: if symlink, symlink target string + * @fops: struct file_operations that should be used for + * @iops: struct of inode_operations that should be used + * + * This is the basic "create a xxx" function for apparmorfs. + * + * Returns a pointer to a dentry if it succeeds, that must be free with + * aafs_remove(). Will return ERR_PTR on failure. + */ +static struct dentry *aafs_create(const char *name, umode_t mode, + struct dentry *parent, void *data, void *link, + const struct file_operations *fops, + const struct inode_operations *iops) +{ + struct dentry *dentry; + struct inode *dir; + int error; + + AA_BUG(!name); + AA_BUG(!parent); + + if (!(mode & S_IFMT)) + mode = (mode & S_IALLUGO) | S_IFREG; + + error = simple_pin_fs(&aafs_ops, &aafs_mnt, &aafs_count); + if (error) + return ERR_PTR(error); + + dir = d_inode(parent); + + inode_lock(dir); + dentry = lookup_one_len(name, parent, strlen(name)); + if (IS_ERR(dentry)) { + error = PTR_ERR(dentry); + goto fail_lock; + } + + if (d_really_is_positive(dentry)) { + error = -EEXIST; + goto fail_dentry; + } + + error = __aafs_setup_d_inode(dir, dentry, mode, data, link, fops, iops); + if (error) + goto fail_dentry; + inode_unlock(dir); + + return dentry; + +fail_dentry: + dput(dentry); + +fail_lock: + inode_unlock(dir); + simple_release_fs(&aafs_mnt, &aafs_count); + + return ERR_PTR(error); +} + +/** + * aafs_create_file - create a file in the apparmorfs filesystem + * + * @name: name of dentry to create + * @mode: permissions the file should have + * @parent: parent directory for this dentry + * @data: data to store on inode.i_private, available in open() + * @fops: struct file_operations that should be used for + * + * see aafs_create + */ +static struct dentry *aafs_create_file(const char *name, umode_t mode, + struct dentry *parent, void *data, + const struct file_operations *fops) +{ + return aafs_create(name, mode, parent, data, NULL, fops, NULL); +} + +/** + * aafs_create_dir - create a directory in the apparmorfs filesystem + * + * @name: name of dentry to create + * @parent: parent directory for this dentry + * + * see aafs_create + */ +static struct dentry *aafs_create_dir(const char *name, struct dentry *parent) +{ + return aafs_create(name, S_IFDIR | 0755, parent, NULL, NULL, NULL, + NULL); +} + +/** + * aafs_remove - removes a file or directory from the apparmorfs filesystem + * + * @dentry: dentry of the file/directory/symlink to removed. + */ +static void aafs_remove(struct dentry *dentry) +{ + struct inode *dir; + + if (!dentry || IS_ERR(dentry)) + return; + + dir = d_inode(dentry->d_parent); + inode_lock(dir); + if (simple_positive(dentry)) { + if (d_is_dir(dentry)) + simple_rmdir(dir, dentry); + else + simple_unlink(dir, dentry); + d_delete(dentry); + dput(dentry); + } + inode_unlock(dir); + simple_release_fs(&aafs_mnt, &aafs_count); +} + + +/* + * aa_fs - policy load/replace/remove + */ + +/** + * aa_simple_write_to_buffer - common routine for getting policy from user + * @userbuf: user buffer to copy data from (NOT NULL) + * @alloc_size: size of user buffer (REQUIRES: @alloc_size >= @copy_size) + * @copy_size: size of data to copy from user buffer + * @pos: position write is at in the file (NOT NULL) + * + * Returns: kernel buffer containing copy of user buffer data or an + * ERR_PTR on failure. + */ +static struct aa_loaddata *aa_simple_write_to_buffer(const char __user *userbuf, + size_t alloc_size, + size_t copy_size, + loff_t *pos) +{ + struct aa_loaddata *data; + + AA_BUG(copy_size > alloc_size); + + if (*pos != 0) + /* only writes from pos 0, that is complete writes */ + return ERR_PTR(-ESPIPE); + + /* freed by caller to simple_write_to_buffer */ + data = aa_loaddata_alloc(alloc_size); + if (IS_ERR(data)) + return data; + + data->size = copy_size; + if (copy_from_user(data->data, userbuf, copy_size)) { + aa_put_loaddata(data); + return ERR_PTR(-EFAULT); + } + + return data; +} + +static ssize_t policy_update(u32 mask, const char __user *buf, size_t size, + loff_t *pos, struct aa_ns *ns) +{ + struct aa_loaddata *data; + struct aa_label *label; + ssize_t error; + + label = begin_current_label_crit_section(); + + /* high level check about policy management - fine grained in + * below after unpack + */ + error = aa_may_manage_policy(label, ns, mask); + if (error) + goto end_section; + + data = aa_simple_write_to_buffer(buf, size, size, pos); + error = PTR_ERR(data); + if (!IS_ERR(data)) { + error = aa_replace_profiles(ns, label, mask, data); + aa_put_loaddata(data); + } +end_section: + end_current_label_crit_section(label); + + return error; +} + +/* .load file hook fn to load policy */ +static ssize_t profile_load(struct file *f, const char __user *buf, size_t size, + loff_t *pos) +{ + struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); + int error = policy_update(AA_MAY_LOAD_POLICY, buf, size, pos, ns); + + aa_put_ns(ns); + + return error; +} + +static const struct file_operations aa_fs_profile_load = { + .write = profile_load, + .llseek = default_llseek, +}; + +/* .replace file hook fn to load and/or replace policy */ +static ssize_t profile_replace(struct file *f, const char __user *buf, + size_t size, loff_t *pos) +{ + struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); + int error = policy_update(AA_MAY_LOAD_POLICY | AA_MAY_REPLACE_POLICY, + buf, size, pos, ns); + aa_put_ns(ns); + + return error; +} + +static const struct file_operations aa_fs_profile_replace = { + .write = profile_replace, + .llseek = default_llseek, +}; + +/* .remove file hook fn to remove loaded policy */ +static ssize_t profile_remove(struct file *f, const char __user *buf, + size_t size, loff_t *pos) +{ + struct aa_loaddata *data; + struct aa_label *label; + ssize_t error; + struct aa_ns *ns = aa_get_ns(f->f_inode->i_private); + + label = begin_current_label_crit_section(); + /* high level check about policy management - fine grained in + * below after unpack + */ + error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY); + if (error) + goto out; + + /* + * aa_remove_profile needs a null terminated string so 1 extra + * byte is allocated and the copied data is null terminated. + */ + data = aa_simple_write_to_buffer(buf, size + 1, size, pos); + + error = PTR_ERR(data); + if (!IS_ERR(data)) { + data->data[size] = 0; + error = aa_remove_profiles(ns, label, data->data, size); + aa_put_loaddata(data); + } + out: + end_current_label_crit_section(label); + aa_put_ns(ns); + return error; +} + +static const struct file_operations aa_fs_profile_remove = { + .write = profile_remove, + .llseek = default_llseek, +}; + +struct aa_revision { + struct aa_ns *ns; + long last_read; +}; + +/* revision file hook fn for policy loads */ +static int ns_revision_release(struct inode *inode, struct file *file) +{ + struct aa_revision *rev = file->private_data; + + if (rev) { + aa_put_ns(rev->ns); + kfree(rev); + } + + return 0; +} + +static ssize_t ns_revision_read(struct file *file, char __user *buf, + size_t size, loff_t *ppos) +{ + struct aa_revision *rev = file->private_data; + char buffer[32]; + long last_read; + int avail; + + mutex_lock_nested(&rev->ns->lock, rev->ns->level); + last_read = rev->last_read; + if (last_read == rev->ns->revision) { + mutex_unlock(&rev->ns->lock); + if (file->f_flags & O_NONBLOCK) + return -EAGAIN; + if (wait_event_interruptible(rev->ns->wait, + last_read != + READ_ONCE(rev->ns->revision))) + return -ERESTARTSYS; + mutex_lock_nested(&rev->ns->lock, rev->ns->level); + } + + avail = sprintf(buffer, "%ld\n", rev->ns->revision); + if (*ppos + size > avail) { + rev->last_read = rev->ns->revision; + *ppos = 0; + } + mutex_unlock(&rev->ns->lock); + + return simple_read_from_buffer(buf, size, ppos, buffer, avail); +} + +static int ns_revision_open(struct inode *inode, struct file *file) +{ + struct aa_revision *rev = kzalloc(sizeof(*rev), GFP_KERNEL); + + if (!rev) + return -ENOMEM; + + rev->ns = aa_get_ns(inode->i_private); + if (!rev->ns) + rev->ns = aa_get_current_ns(); + file->private_data = rev; + + return 0; +} + +static __poll_t ns_revision_poll(struct file *file, poll_table *pt) +{ + struct aa_revision *rev = file->private_data; + __poll_t mask = 0; + + if (rev) { + mutex_lock_nested(&rev->ns->lock, rev->ns->level); + poll_wait(file, &rev->ns->wait, pt); + if (rev->last_read < rev->ns->revision) + mask |= EPOLLIN | EPOLLRDNORM; + mutex_unlock(&rev->ns->lock); + } + + return mask; +} + +void __aa_bump_ns_revision(struct aa_ns *ns) +{ + WRITE_ONCE(ns->revision, READ_ONCE(ns->revision) + 1); + wake_up_interruptible(&ns->wait); +} + +static const struct file_operations aa_fs_ns_revision_fops = { + .owner = THIS_MODULE, + .open = ns_revision_open, + .poll = ns_revision_poll, + .read = ns_revision_read, + .llseek = generic_file_llseek, + .release = ns_revision_release, +}; + +static void profile_query_cb(struct aa_profile *profile, struct aa_perms *perms, + const char *match_str, size_t match_len) +{ + struct aa_perms tmp = { }; + struct aa_dfa *dfa; + unsigned int state = 0; + + if (profile_unconfined(profile)) + return; + if (profile->file.dfa && *match_str == AA_CLASS_FILE) { + dfa = profile->file.dfa; + state = aa_dfa_match_len(dfa, profile->file.start, + match_str + 1, match_len - 1); + if (state) { + struct path_cond cond = { }; + + tmp = aa_compute_fperms(dfa, state, &cond); + } + } else if (profile->policy.dfa) { + if (!PROFILE_MEDIATES(profile, *match_str)) + return; /* no change to current perms */ + dfa = profile->policy.dfa; + state = aa_dfa_match_len(dfa, profile->policy.start[0], + match_str, match_len); + if (state) + aa_compute_perms(dfa, state, &tmp); + } + aa_apply_modes_to_perms(profile, &tmp); + aa_perms_accum_raw(perms, &tmp); +} + + +/** + * query_data - queries a policy and writes its data to buf + * @buf: the resulting data is stored here (NOT NULL) + * @buf_len: size of buf + * @query: query string used to retrieve data + * @query_len: size of query including second NUL byte + * + * The buffers pointed to by buf and query may overlap. The query buffer is + * parsed before buf is written to. + * + * The query should look like "