linux/security/apparmor/mount.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor mediation of mount operations (mount,
 * remount, bind, move, umount and pivot_root).
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 */

#include <linux/fs.h>
#include <linux/mount.h>
#include <linux/namei.h>
#include <uapi/linux/mount.h>

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/cred.h"
#include "include/domain.h"
#include "include/file.h"
#include "include/match.h"
#include "include/mount.h"
#include "include/path.h"
#include "include/policy.h"


/**
 * audit_mnt_flags - add the mount flags to an audit record
 * @ab: audit_buffer being built (NOT NULL)
 * @flags: filesystem independent mount flags to describe
 *
 * NOTE(review): the body is elided in this listing, so which MS_* flags are
 * rendered, and in what form, cannot be confirmed from here.
 */
static void audit_mnt_flags(struct audit_buffer *ab, unsigned long flags)
{}

/**
 * audit_cb - call back for mount specific audit fields
 * @ab: audit_buffer  (NOT NULL)
 * @va: audit struct to audit values of  (NOT NULL)
 *
 * Invoked by the common AppArmor audit path to append the mount specific
 * fields (name, source, type, flags, data) to the record being built.
 *
 * NOTE(review): the body is elided in this listing; the exact set of fields
 * written, and whether @va is a struct apparmor_audit_data, must be checked
 * against the full source.
 */
static void audit_cb(struct audit_buffer *ab, void *va)
{}

/**
 * audit_mount - handle the auditing of mount operations
 * @subj_cred: cred of the subject
 * @profile: the profile being enforced  (NOT NULL)
 * @op: operation being mediated (NOT NULL)
 * @name: name of object being mediated (MAYBE NULL)
 * @src_name: src_name of object being mediated (MAYBE NULL)
 * @type: type of filesystem (MAYBE NULL)
 * @trans: name of trans (MAYBE NULL)
 * @flags: filesystem independent mount flags
 * @data: filesystem specific mount data (opaque to this layer)
 * @request: permissions requested
 * @perms: the permissions computed for the request (NOT NULL)
 * @info: extra information message (MAYBE NULL)
 * @error: 0 if operation allowed else failure error code
 *
 * Returns: %0 or error on failure
 *
 * Note that the returned value is the error that should be propagated to
 * the caller, which need not equal @error once complain/audit mode has been
 * taken into account.
 *
 * NOTE(review): the body is elided in this listing; the complain-mode
 * handling described above is the usual AppArmor audit contract and should
 * be confirmed against the full source.
 */
static int audit_mount(const struct cred *subj_cred,
		       struct aa_profile *profile, const char *op,
		       const char *name, const char *src_name,
		       const char *type, const char *trans,
		       unsigned long flags, const void *data, u32 request,
		       struct aa_perms *perms, const char *info, int error)
{}

/**
 * match_mnt_flags - Do an ordered match on mount flags
 * @dfa: dfa to match against
 * @state: state to start in
 * @flags: mount flags to match against
 *
 * Mount flags are encoded as an ordered match. This is done instead of
 * checking against a simple bitmask, to allow for logical operations
 * on the flags (a rule can require a flag to be set, clear, or either).
 *
 * Because the match is ordered, the sequence in which flags are walked is
 * part of the policy encoding and must stay in sync with the compiler.
 *
 * Returns: next state after flags match
 *
 * NOTE(review): the body is elided in this listing; the flag walk order is
 * not visible here and must be verified against the full source and the
 * policy compiler.
 */
static aa_state_t match_mnt_flags(struct aa_dfa *dfa, aa_state_t state,
				    unsigned long flags)
{}

/*
 * Human readable names for the element of a mount rule that a match failed
 * in; indexed by the non-zero return value of do_match_mnt() below and used
 * as the audit "info" string.
 *
 * NOTE(review): the initializer is elided in this listing ("= ;" does not
 * compile). The table's contents and ordering must match the element order
 * walked by do_match_mnt() and cannot be checked from here.
 */
static const char * const mnt_info_table[] =;

/**
 * do_match_mnt - match a mount request against a profile's mount rules
 * @policy: the policydb holding the mount rules
 * @start: dfa state to start the match from
 * @mntpnt: mount point path string
 * @devname: source/device name string
 * @type: filesystem type string
 * @flags: filesystem independent mount flags (matched via match_mnt_flags())
 * @data: filesystem specific mount data
 * @binary: whether @data is binary (and so cannot be string matched)
 * @perms: returned permissions computed for the request (NOT NULL)
 *
 * Returns 0 on success else element that match failed in, this is the
 * index into the mnt_info_table above
 *
 * NOTE(review): the body is elided in this listing; the order in which the
 * elements are matched, and how @binary data is handled, cannot be confirmed
 * from here.
 */
static int do_match_mnt(struct aa_policydb *policy, aa_state_t start,
			const char *mntpnt, const char *devname,
			const char *type, unsigned long flags,
			void *data, bool binary, struct aa_perms *perms)
{}


/**
 * path_flags - compute the path lookup flags to use for @path under @profile
 * @profile: the confining profile
 * @path: the path that is about to be looked up
 *
 * Returns: the flags to pass to the path name lookup
 *
 * NOTE(review): the body is elided in this listing; the flags returned
 * (presumably the profile's path_flags combined with a per-path adjustment)
 * cannot be confirmed from here.
 */
static int path_flags(struct aa_profile *profile, const struct path *path)
{}

/**
 * match_mnt_path_str - handle path matching for mount
 * @subj_cred: cred of confined subject
 * @profile: the confining profile
 * @mntpath: for the mntpnt (NOT NULL)
 * @buffer: buffer to be used to lookup mntpath
 * @devname: string for the devname/src_name (MAY BE NULL OR ERRPTR)
 * @type: string for the dev type (MAYBE NULL)
 * @flags: mount flags to match
 * @data: fs mount data (MAYBE NULL)
 * @binary: whether @data is binary
 * @devinfo: error str if (IS_ERR(@devname))
 *
 * @devname may carry an error pointer from a failed source name lookup;
 * in that case @devinfo holds the matching audit info string and @devname
 * must not be dereferenced. Callers are responsible for @buffer being large
 * enough for a path name lookup.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing; the IS_ERR() handling
 * and the audit call on denial cannot be confirmed from here.
 */
static int match_mnt_path_str(const struct cred *subj_cred,
			      struct aa_profile *profile,
			      const struct path *mntpath, char *buffer,
			      const char *devname, const char *type,
			      unsigned long flags, void *data, bool binary,
			      const char *devinfo)
{}

/**
 * match_mnt - handle path matching for mount
 * @subj_cred: cred of the subject
 * @profile: the confining profile
 * @path: for the mntpnt (NOT NULL)
 * @buffer: buffer to be used to lookup mntpath
 * @devpath: path devname/src_name (MAYBE NULL)
 * @devbuffer: buffer to be used to lookup devname/src_name
 * @type: string for the dev type (MAYBE NULL)
 * @flags: mount flags to match
 * @data: fs mount data (MAYBE NULL)
 * @binary: whether @data is binary
 *
 * Variant of match_mnt_path_str() that takes the source as a struct path
 * rather than an already resolved string; @devbuffer is the scratch space
 * for resolving @devpath.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing; whether a failed
 * @devpath lookup is passed on as an ERR_PTR devname cannot be confirmed
 * from here.
 */
static int match_mnt(const struct cred *subj_cred,
		     struct aa_profile *profile, const struct path *path,
		     char *buffer, const struct path *devpath, char *devbuffer,
		     const char *type, unsigned long flags, void *data,
		     bool binary)
{}

/**
 * aa_remount - mediate a remount of an existing mount point
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @path: the mount point being remounted (NOT NULL)
 * @flags: filesystem independent mount flags
 * @data: filesystem specific mount data
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing; as written, a non-void
 * function with an empty body is undefined behaviour, so this cannot be the
 * shipped code. The per-profile iteration over @label and the audit on
 * denial must be reviewed in the full source.
 */
int aa_remount(const struct cred *subj_cred,
	       struct aa_label *label, const struct path *path,
	       unsigned long flags, void *data)
{}

/**
 * aa_bind_mount - mediate a bind mount
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @path: the target mount point (NOT NULL)
 * @dev_name: user supplied source path of the bind mount
 * @flags: filesystem independent mount flags
 *
 * @dev_name is a caller supplied string and has to be resolved to a path
 * before it can be matched; its resolution failure mode is not visible here.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
int aa_bind_mount(const struct cred *subj_cred,
		  struct aa_label *label, const struct path *path,
		  const char *dev_name, unsigned long flags)
{}

/**
 * aa_mount_change_type - mediate a change of mount propagation type
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @path: the mount point whose propagation type is changed (NOT NULL)
 * @flags: filesystem independent mount flags carrying the new type
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
int aa_mount_change_type(const struct cred *subj_cred,
			 struct aa_label *label, const struct path *path,
			 unsigned long flags)
{}

/**
 * aa_move_mount - mediate moving a mount from one path to another
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @from_path: the mount being moved (NOT NULL)
 * @to_path: the destination mount point (NOT NULL)
 *
 * Both ends are already resolved struct paths, unlike aa_move_mount_old()
 * which takes the source as a string.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
int aa_move_mount(const struct cred *subj_cred,
		  struct aa_label *label, const struct path *from_path,
		  const struct path *to_path)
{}

/**
 * aa_move_mount_old - mediate a MS_MOVE style mount move given a source name
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @path: the destination mount point (NOT NULL)
 * @orig_name: user supplied source path of the mount being moved
 *
 * Legacy entry point kept alongside aa_move_mount(); @orig_name must be
 * resolved before matching.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
int aa_move_mount_old(const struct cred *subj_cred, struct aa_label *label,
		      const struct path *path, const char *orig_name)
{}

/**
 * aa_new_mount - mediate mounting a new filesystem
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @dev_name: user supplied device/source name (MAYBE NULL)
 * @path: the mount point (NOT NULL)
 * @type: filesystem type string (MAYBE NULL)
 * @flags: filesystem independent mount flags
 * @data: filesystem specific mount data (MAYBE NULL)
 *
 * Whether @dev_name is treated as a path to look up or as an opaque string
 * depends on the filesystem type and is not visible in this listing.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing; the binary-data
 * determination passed down as @binary to the matchers cannot be confirmed
 * from here.
 */
int aa_new_mount(const struct cred *subj_cred, struct aa_label *label,
		 const char *dev_name, const struct path *path,
		 const char *type, unsigned long flags, void *data)
{}

/**
 * profile_umount - mediate an umount against a single profile
 * @subj_cred: cred of the subject
 * @profile: the confining profile
 * @path: the mount point being unmounted (NOT NULL)
 * @buffer: buffer to be used to lookup @path
 *
 * Per-profile helper for aa_umount(), which walks every profile in the
 * subject's label.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
static int profile_umount(const struct cred *subj_cred,
			  struct aa_profile *profile, const struct path *path,
			  char *buffer)
{}

/**
 * aa_umount - mediate unmounting a mount
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @mnt: the vfsmount being unmounted (NOT NULL)
 * @flags: umount flags
 *
 * Takes a vfsmount rather than a struct path; the helper profile_umount()
 * expects a path, so a path is presumably built from @mnt before matching.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing.
 */
int aa_umount(const struct cred *subj_cred, struct aa_label *label,
	      struct vfsmount *mnt, int flags)
{}

/**
 * build_pivotroot - helper fn for transition on pivotroot
 * @subj_cred: cred of the subject
 * @profile: the confining profile
 * @new_path: the new root (NOT NULL)
 * @new_buffer: buffer to be used to lookup @new_path
 * @old_path: where the old root is put (NOT NULL)
 * @old_buffer: buffer to be used to lookup @old_path
 *
 * pivot_root rules may carry a domain transition; this computes the label the
 * subject should run under once the pivot has succeeded.
 *
 * Returns: label for transition or ERR_PTR. Does not return NULL
 *
 * NOTE(review): the body is elided in this listing; the reference count
 * semantics of the returned label (whether the caller owns a reference) are
 * not visible here and must be checked against the full source.
 */
static struct aa_label *build_pivotroot(const struct cred *subj_cred,
					struct aa_profile *profile,
					const struct path *new_path,
					char *new_buffer,
					const struct path *old_path,
					char *old_buffer)
{}

/**
 * aa_pivotroot - mediate pivot_root and apply any resulting transition
 * @subj_cred: cred of the subject
 * @label: the confining label of the subject
 * @old_path: where the old root is put (NOT NULL)
 * @new_path: the new root (NOT NULL)
 *
 * Builds the transition label via build_pivotroot() for each profile in
 * @label and, if a transition is requested, changes the subject's domain.
 *
 * Returns: 0 on success else error
 *
 * NOTE(review): the body is elided in this listing; how a failure to apply
 * the transition is reported, and whether the pivot itself is then denied,
 * cannot be confirmed from here.
 */
int aa_pivotroot(const struct cred *subj_cred, struct aa_label *label,
		 const struct path *old_path,
		 const struct path *new_path)
{}