Merge tag 'apparmor-pr-2023-11-03' of...

	/* high level check about policy management - fine grained in

	 * below after unpack

	 */

	error = aa_may_manage_policy(label, ns, mask);

	error = aa_may_manage_policy(current_cred(), label, ns, mask);

	if (error)

		goto end_section;

	/* high level check about policy management - fine grained in

	 * below after unpack

	 */

	error = aa_may_manage_policy(label, ns, AA_MAY_REMOVE_POLICY);

	error = aa_may_manage_policy(current_cred(), label, ns,

				     AA_MAY_REMOVE_POLICY);

	if (error)

		goto out;

	if (profile_unconfined(profile))

		return;

	if (rules->file.dfa && *match_str == AA_CLASS_FILE) {

		state = aa_dfa_match_len(rules->file.dfa,

					 rules->file.start[AA_CLASS_FILE],

	if (rules->file->dfa && *match_str == AA_CLASS_FILE) {

		state = aa_dfa_match_len(rules->file->dfa,

					 rules->file->start[AA_CLASS_FILE],

					 match_str + 1, match_len - 1);

		if (state) {

			struct path_cond cond = { };

			tmp = *(aa_lookup_fperms(&(rules->file), state, &cond));

			tmp = *(aa_lookup_fperms(rules->file, state, &cond));

		}

	} else if (rules->policy.dfa) {

	} else if (rules->policy->dfa) {

		if (!RULE_MEDIATES(rules, *match_str))

			return;	/* no change to current perms */

		state = aa_dfa_match_len(rules->policy.dfa,

					 rules->policy.start[0],

		state = aa_dfa_match_len(rules->policy->dfa,

					 rules->policy->start[0],

					 match_str, match_len);

		if (state)

			tmp = *aa_lookup_perms(&rules->policy, state);

			tmp = *aa_lookup_perms(rules->policy, state);

	}

	aa_apply_modes_to_perms(profile, &tmp);

	aa_perms_accum_raw(perms, &tmp);

	struct aa_profile *profile = labels_profile(label);

	if (profile->attach.xmatch_str)

		seq_printf(seq, "%s\n", profile->attach.xmatch_str);

	else if (profile->attach.xmatch.dfa)

	else if (profile->attach.xmatch->dfa)

		seq_puts(seq, "<unknown>\n");

	else

		seq_printf(seq, "%s\n", profile->base.name);

static int decompress_zstd(char *src, size_t slen, char *dst, size_t dlen)

{

#ifdef CONFIG_SECURITY_APPARMOR_EXPORT_BINARY

	if (slen < dlen) {

		const size_t wksp_len = zstd_dctx_workspace_bound();

		zstd_dctx *ctx;

		kvfree(wksp);

		return ret;

	}

#endif

	if (dlen < slen)

		return -EINVAL;

	int error;

	label = begin_current_label_crit_section();

	error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);

	error = aa_may_manage_policy(current_cred(), label, NULL,

				     AA_MAY_LOAD_POLICY);

	end_current_label_crit_section(label);

	if (error)

		return error;

	int error;

	label = begin_current_label_crit_section();

	error = aa_may_manage_policy(label, NULL, AA_MAY_LOAD_POLICY);

	error = aa_may_manage_policy(current_cred(), label, NULL,

				     AA_MAY_LOAD_POLICY);

	end_current_label_crit_section(label);

	if (error)

		return error;

	AA_SFS_FILE_BOOLEAN("post_nnp_subset",	1),

	AA_SFS_FILE_BOOLEAN("computed_longest_left",	1),

	AA_SFS_DIR("attach_conditions",		aa_sfs_entry_attach),

	AA_SFS_FILE_BOOLEAN("disconnected.path",            1),

	AA_SFS_FILE_STRING("version", "1.2"),

	{ }

};

static struct aa_sfs_entry aa_sfs_entry_unconfined[] = {

	AA_SFS_FILE_BOOLEAN("change_profile", 1),

	{ }

};

static struct aa_sfs_entry aa_sfs_entry_versions[] = {

	AA_SFS_FILE_BOOLEAN("v5",	1),

	AA_SFS_FILE_BOOLEAN("v6",	1),

	{ }

};

#define PERMS32STR "allow deny subtree cond kill complain prompt audit quiet hide xindex tag label"

static struct aa_sfs_entry aa_sfs_entry_policy[] = {

	AA_SFS_DIR("versions",			aa_sfs_entry_versions),

	AA_SFS_FILE_BOOLEAN("set_load",		1),

	/* number of out of band transitions supported */

	AA_SFS_FILE_U64("outofband",		MAX_OOB_SUPPORTED),

	AA_SFS_FILE_U64("permstable32_version",	1),

	AA_SFS_FILE_STRING("permstable32", PERMS32STR),

	AA_SFS_DIR("unconfined_restrictions",   aa_sfs_entry_unconfined),

	{ }

};

static struct aa_sfs_entry aa_sfs_entry_ns[] = {

	AA_SFS_FILE_BOOLEAN("profile",		1),

	AA_SFS_FILE_BOOLEAN("pivot_root",	0),

	AA_SFS_FILE_STRING("mask", "userns_create"),

	{ }

};

	AA_SFS_DIR("label",			aa_sfs_entry_query_label),

	{ }

};

static struct aa_sfs_entry aa_sfs_entry_io_uring[] = {

	AA_SFS_FILE_STRING("mask", "sqpoll override_creds"),

	{ }

};

static struct aa_sfs_entry aa_sfs_entry_features[] = {

	AA_SFS_DIR("policy",			aa_sfs_entry_policy),

	AA_SFS_DIR("domain",			aa_sfs_entry_domain),

	AA_SFS_DIR("ptrace",			aa_sfs_entry_ptrace),

	AA_SFS_DIR("signal",			aa_sfs_entry_signal),

	AA_SFS_DIR("query",			aa_sfs_entry_query),

	AA_SFS_DIR("io_uring",			aa_sfs_entry_io_uring),

	{ }

};

	"io_uring",

	"module",

	"lsm",

	"unknown",

	"unknown",

	"namespace",

	"io_uring",

	"unknown",

	"unknown",

	"unknown",

/**

 * audit_pre() - core AppArmor function.

 * @ab: audit buffer to fill (NOT NULL)

 * @ca: audit structure containing data to audit (NOT NULL)

 * @va: audit structure containing data to audit (NOT NULL)

 *

 * Record common AppArmor audit data from @sa

 * Record common AppArmor audit data from @va

 */

static void audit_pre(struct audit_buffer *ab, void *ca)

static void audit_pre(struct audit_buffer *ab, void *va)

{

	struct common_audit_data *sa = ca;

	struct apparmor_audit_data *ad = aad_of_va(va);

	if (aa_g_audit_header) {

		audit_log_format(ab, "apparmor=\"%s\"",

				 aa_audit_type[aad(sa)->type]);

				 aa_audit_type[ad->type]);

	}

	if (aad(sa)->op) {

		audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);

	}

	if (ad->op)

		audit_log_format(ab, " operation=\"%s\"", ad->op);

	if (aad(sa)->class)

	if (ad->class)

		audit_log_format(ab, " class=\"%s\"",

				 aad(sa)->class <= AA_CLASS_LAST ?

				 aa_class_names[aad(sa)->class] :

				 ad->class <= AA_CLASS_LAST ?

				 aa_class_names[ad->class] :

				 "unknown");

	if (aad(sa)->info) {

		audit_log_format(ab, " info=\"%s\"", aad(sa)->info);

		if (aad(sa)->error)

			audit_log_format(ab, " error=%d", aad(sa)->error);

	if (ad->info) {

		audit_log_format(ab, " info=\"%s\"", ad->info);

		if (ad->error)

			audit_log_format(ab, " error=%d", ad->error);

	}

	if (aad(sa)->label) {

		struct aa_label *label = aad(sa)->label;

	if (ad->subj_label) {

		struct aa_label *label = ad->subj_label;

		if (label_isprofile(label)) {

			struct aa_profile *profile = labels_profile(label);

		}

	}

	if (aad(sa)->name) {

	if (ad->name) {

		audit_log_format(ab, " name=");

		audit_log_untrustedstring(ab, aad(sa)->name);

		audit_log_untrustedstring(ab, ad->name);

	}

}

/**

 * aa_audit_msg - Log a message to the audit subsystem

 * @sa: audit event structure (NOT NULL)

 * @type: audit type for the message

 * @ad: audit event structure (NOT NULL)

 * @cb: optional callback fn for type specific fields (MAYBE NULL)

 */

void aa_audit_msg(int type, struct common_audit_data *sa,

void aa_audit_msg(int type, struct apparmor_audit_data *ad,

		  void (*cb) (struct audit_buffer *, void *))

{

	aad(sa)->type = type;

	common_lsm_audit(sa, audit_pre, cb);

	ad->type = type;

	common_lsm_audit(&ad->common, audit_pre, cb);

}

/**

 * aa_audit - Log a profile based audit event to the audit subsystem

 * @type: audit type for the message

 * @profile: profile to check against (NOT NULL)

 * @sa: audit event (NOT NULL)

 * @ad: audit event (NOT NULL)

 * @cb: optional callback fn for type specific fields (MAYBE NULL)

 *

 * Handle default message switching based off of audit mode flags

 *

 * Returns: error on failure

 */

int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,

int aa_audit(int type, struct aa_profile *profile,

	     struct apparmor_audit_data *ad,

	     void (*cb) (struct audit_buffer *, void *))

{

	AA_BUG(!profile);

	if (type == AUDIT_APPARMOR_AUTO) {

		if (likely(!aad(sa)->error)) {

		if (likely(!ad->error)) {

			if (AUDIT_MODE(profile) != AUDIT_ALL)

				return 0;

			type = AUDIT_APPARMOR_AUDIT;

	if (AUDIT_MODE(profile) == AUDIT_QUIET ||

	    (type == AUDIT_APPARMOR_DENIED &&

	     AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))

		return aad(sa)->error;

		return ad->error;

	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)

		type = AUDIT_APPARMOR_KILL;

	aad(sa)->label = &profile->label;

	ad->subj_label = &profile->label;

	aa_audit_msg(type, sa, cb);

	aa_audit_msg(type, ad, cb);

	if (aad(sa)->type == AUDIT_APPARMOR_KILL)

	if (ad->type == AUDIT_APPARMOR_KILL)

		(void)send_sig_info(SIGKILL, NULL,

			sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?

				    sa->u.tsk : current);

			ad->common.type == LSM_AUDIT_DATA_TASK &&

			ad->common.u.tsk ? ad->common.u.tsk : current);

	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)

		return complain_error(aad(sa)->error);

	if (ad->type == AUDIT_APPARMOR_ALLOWED)

		return complain_error(ad->error);

	return aad(sa)->error;

	return ad->error;

}

struct aa_audit_rule {

/**

 * audit_cb - call back for capability components of audit struct

 * @ab - audit buffer   (NOT NULL)

 * @va - audit struct to audit data from  (NOT NULL)

 * @ab: audit buffer   (NOT NULL)

 * @va: audit struct to audit data from  (NOT NULL)

 */

static void audit_cb(struct audit_buffer *ab, void *va)

{

/**

 * audit_caps - audit a capability

 * @sa: audit data

 * @ad: audit data

 * @profile: profile being tested for confinement (NOT NULL)

 * @cap: capability tested

 * @error: error code returned by test

 * Do auditing of capability and handle, audit/complain/kill modes switching

 * and duplicate message elimination.

 *

 * Returns: 0 or sa->error on success,  error code on failure

 * Returns: 0 or ad->error on success,  error code on failure

 */

static int audit_caps(struct common_audit_data *sa, struct aa_profile *profile,

static int audit_caps(struct apparmor_audit_data *ad, struct aa_profile *profile,

		      int cap, int error)

{

	struct aa_ruleset *rules = list_first_entry(&profile->rules,

	struct audit_cache *ent;

	int type = AUDIT_APPARMOR_AUTO;

	aad(sa)->error = error;

	ad->error = error;

	if (likely(!error)) {

		/* test if auditing is being forced */

	}

	put_cpu_var(audit_cache);

	return aa_audit(type, profile, sa, audit_cb);

	return aa_audit(type, profile, ad, audit_cb);

}

/**

 * @profile: profile being enforced    (NOT NULL, NOT unconfined)

 * @cap: capability to test if allowed

 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated

 * @sa: audit data (MAY BE NULL indicating no auditing)

 * @ad: audit data (MAY BE NULL indicating no auditing)

 *

 * Returns: 0 if allowed else -EPERM

 */

static int profile_capable(struct aa_profile *profile, int cap,

			   unsigned int opts, struct common_audit_data *sa)

			   unsigned int opts, struct apparmor_audit_data *ad)

{

	struct aa_ruleset *rules = list_first_entry(&profile->rules,

						    typeof(*rules), list);

		/* audit the cap request in complain mode but note that it

		 * should be optional.

		 */

		aad(sa)->info = "optional: no audit";

		ad->info = "optional: no audit";

	}

	return audit_caps(sa, profile, cap, error);

	return audit_caps(ad, profile, cap, error);

}

/**

 * aa_capable - test permission to use capability

 * @subj_cred: cred we are testing capability against

 * @label: label being tested for capability (NOT NULL)

 * @cap: capability to be tested

 * @opts: CAP_OPT_NOAUDIT bit determines whether audit record is generated

 *

 * Returns: 0 on success, or else an error code.

 */

int aa_capable(struct aa_label *label, int cap, unsigned int opts)

int aa_capable(const struct cred *subj_cred, struct aa_label *label,

	       int cap, unsigned int opts)

{

	struct aa_profile *profile;

	int error = 0;

	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);

	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);

	sa.u.cap = cap;

	ad.subj_cred = subj_cred;

	ad.common.u.cap = cap;

	error = fn_for_each_confined(label, profile,

			profile_capable(profile, cap, opts, &sa));

			profile_capable(profile, cap, opts, &ad));

	return error;

}

static void file_audit_cb(struct audit_buffer *ab, void *va)

{

	struct common_audit_data *sa = va;

	kuid_t fsuid = current_fsuid();

	struct apparmor_audit_data *ad = aad(sa);

	kuid_t fsuid = ad->subj_cred ? ad->subj_cred->fsuid : current_fsuid();

	char str[10];

	if (aad(sa)->request & AA_AUDIT_FILE_MASK) {

	if (ad->request & AA_AUDIT_FILE_MASK) {

		aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,

				    map_mask_to_chr_mask(aad(sa)->request));

				    map_mask_to_chr_mask(ad->request));

		audit_log_format(ab, " requested_mask=\"%s\"", str);

	}

	if (aad(sa)->denied & AA_AUDIT_FILE_MASK) {

	if (ad->denied & AA_AUDIT_FILE_MASK) {

		aa_perm_mask_to_str(str, sizeof(str), aa_file_perm_chrs,

				    map_mask_to_chr_mask(aad(sa)->denied));

				    map_mask_to_chr_mask(ad->denied));

		audit_log_format(ab, " denied_mask=\"%s\"", str);

	}

	if (aad(sa)->request & AA_AUDIT_FILE_MASK) {

	if (ad->request & AA_AUDIT_FILE_MASK) {

		audit_log_format(ab, " fsuid=%d",

				 from_kuid(&init_user_ns, fsuid));

		audit_log_format(ab, " ouid=%d",

				 from_kuid(&init_user_ns, aad(sa)->fs.ouid));

				 from_kuid(&init_user_ns, ad->fs.ouid));

	}

	if (aad(sa)->peer) {

	if (ad->peer) {

		audit_log_format(ab, " target=");

		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,

		aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,

				FLAG_VIEW_SUBNS, GFP_KERNEL);

	} else if (aad(sa)->fs.target) {

	} else if (ad->fs.target) {

		audit_log_format(ab, " target=");

		audit_log_untrustedstring(ab, aad(sa)->fs.target);

		audit_log_untrustedstring(ab, ad->fs.target);

	}

}

/**

 * aa_audit_file - handle the auditing of file operations

 * @subj_cred: cred of the subject

 * @profile: the profile being enforced  (NOT NULL)

 * @perms: the permissions computed for the request (NOT NULL)

 * @op: operation being mediated

 *

 * Returns: %0 or error on failure

 */

int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,

int aa_audit_file(const struct cred *subj_cred,

		  struct aa_profile *profile, struct aa_perms *perms,

		  const char *op, u32 request, const char *name,

		  const char *target, struct aa_label *tlabel,

		  kuid_t ouid, const char *info, int error)

{

	int type = AUDIT_APPARMOR_AUTO;

	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);

	sa.u.tsk = NULL;

	aad(&sa)->request = request;

	aad(&sa)->name = name;

	aad(&sa)->fs.target = target;

	aad(&sa)->peer = tlabel;

	aad(&sa)->fs.ouid = ouid;

	aad(&sa)->info = info;

	aad(&sa)->error = error;

	sa.u.tsk = NULL;

	if (likely(!aad(&sa)->error)) {

	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);

	ad.subj_cred = subj_cred;

	ad.request = request;

	ad.name = name;

	ad.fs.target = target;

	ad.peer = tlabel;

	ad.fs.ouid = ouid;

	ad.info = info;

	ad.error = error;

	ad.common.u.tsk = NULL;

	if (likely(!ad.error)) {

		u32 mask = perms->audit;

		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))

			mask = 0xffff;

		/* mask off perms that are not being force audited */

		aad(&sa)->request &= mask;

		ad.request &= mask;

		if (likely(!aad(&sa)->request))

		if (likely(!ad.request))

			return 0;

		type = AUDIT_APPARMOR_AUDIT;

	} else {

		/* only report permissions that were denied */

		aad(&sa)->request = aad(&sa)->request & ~perms->allow;

		AA_BUG(!aad(&sa)->request);

		ad.request = ad.request & ~perms->allow;

		AA_BUG(!ad.request);

		if (aad(&sa)->request & perms->kill)

		if (ad.request & perms->kill)

			type = AUDIT_APPARMOR_KILL;

		/* quiet known rejects, assumes quiet and kill do not overlap */

		if ((aad(&sa)->request & perms->quiet) &&

		if ((ad.request & perms->quiet) &&

		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&

		    AUDIT_MODE(profile) != AUDIT_ALL)

			aad(&sa)->request &= ~perms->quiet;

			ad.request &= ~perms->quiet;

		if (!aad(&sa)->request)

			return aad(&sa)->error;

		if (!ad.request)

			return ad.error;

	}

	aad(&sa)->denied = aad(&sa)->request & ~perms->allow;

	return aa_audit(type, profile, &sa, file_audit_cb);

	ad.denied = ad.request & ~perms->allow;

	return aa_audit(type, profile, &ad, file_audit_cb);

}

static int path_name(const char *op, struct aa_label *label,

/**

 * is_deleted - test if a file has been completely unlinked

 * @dentry: dentry of file to test for deletion  (NOT NULL)

 *