apparmor: add support for mapping secids and using secctxes

jrjohansen · jrjohansen · commit c092921219d2 · 2018-05-02T00:48:55.000-07:00
Use a radix tree to provide a map between the secid and the label,
and along with it a basic ability to provide secctx conversion.

Shared/cached secctx will be added later.

Signed-off-by: John Johansen &lt;john.johansen@canonical.com&gt;
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
@@ -281,7 +281,7 @@ void __aa_labelset_update_subtree(struct aa_ns *ns);
 
 void aa_label_free(struct aa_label *label);
 void aa_label_kref(struct kref *kref);
-bool aa_label_init(struct aa_label *label, int size);
+bool aa_label_init(struct aa_label *label, int size, gfp_t gfp);
 struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp);
 
 bool aa_label_is_subset(struct aa_label *set, struct aa_label *sub);
diff --git a/security/apparmor/include/secid.h b/security/apparmor/include/secid.h
@@ -3,7 +3,7 @@
  *
  * This file contains AppArmor security identifier (secid) definitions
  *
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2018 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
@@ -14,13 +14,22 @@
 #ifndef __AA_SECID_H
 #define __AA_SECID_H
 
+#include <linux/slab.h>
 #include <linux/types.h>
 
+struct aa_label;
+
 /* secid value that will not be allocated */
 #define AA_SECID_INVALID 0
-#define AA_SECID_ALLOC AA_SECID_INVALID
 
-u32 aa_alloc_secid(void);
+struct aa_label *aa_secid_to_label(u32 secid);
+int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen);
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid);
+void apparmor_release_secctx(char *secdata, u32 seclen);
+
+
+u32 aa_alloc_secid(struct aa_label *label, gfp_t gfp);
 void aa_free_secid(u32 secid);
+void aa_secid_update(u32 secid, struct aa_label *label);
 
 #endif /* __AA_SECID_H */
diff --git a/security/apparmor/label.c b/security/apparmor/label.c
@@ -402,12 +402,12 @@ static void label_free_or_put_new(struct aa_label *label, struct aa_label *new)
 		aa_put_label(new);
 }
 
-bool aa_label_init(struct aa_label *label, int size)
+bool aa_label_init(struct aa_label *label, int size, gfp_t gfp)
 {
 	AA_BUG(!label);
 	AA_BUG(size < 1);
 
-	label->secid = aa_alloc_secid();
+	label->secid = aa_alloc_secid(label, gfp);
 	if (label->secid == AA_SECID_INVALID)
 		return false;
 
@@ -441,7 +441,7 @@ struct aa_label *aa_label_alloc(int size, struct aa_proxy *proxy, gfp_t gfp)
 	if (!new)
 		goto fail;
 
-	if (!aa_label_init(new, size))
+	if (!aa_label_init(new, size, gfp))
 		goto fail;
 
 	if (!proxy) {
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
@@ -39,6 +39,7 @@
 #include "include/policy_ns.h"
 #include "include/procattr.h"
 #include "include/mount.h"
+#include "include/secid.h"
 
 /* Flag indicating whether initialization completed */
 int apparmor_initialized;
@@ -1188,6 +1189,10 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
 	LSM_HOOK_INIT(task_alloc, apparmor_task_alloc),
 	LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
 	LSM_HOOK_INIT(task_kill, apparmor_task_kill),
+
+	LSM_HOOK_INIT(secid_to_secctx, apparmor_secid_to_secctx),
+	LSM_HOOK_INIT(secctx_to_secid, apparmor_secctx_to_secid),
+	LSM_HOOK_INIT(release_secctx, apparmor_release_secctx),
 };
 
 /*
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
@@ -268,7 +268,7 @@ struct aa_profile *aa_alloc_profile(const char *hname, struct aa_proxy *proxy,
 
 	if (!aa_policy_init(&profile->base, NULL, hname, gfp))
 		goto fail;
-	if (!aa_label_init(&profile->label, 1))
+	if (!aa_label_init(&profile->label, 1, gfp))
 		goto fail;
 
 	/* update being set needed by fs interface */
diff --git a/security/apparmor/secid.c b/security/apparmor/secid.c
@@ -3,45 +3,226 @@
  *
  * This file contains AppArmor security identifier (secid) manipulation fns
  *
- * Copyright 2009-2010 Canonical Ltd.
+ * Copyright 2009-2017 Canonical Ltd.
  *
  * This program is free software; you can redistribute it and/or
  * modify it under the terms of the GNU General Public License as
  * published by the Free Software Foundation, version 2 of the
  * License.
  *
  *
- * AppArmor allocates a unique secid for every profile loaded.  If a profile
- * is replaced it receives the secid of the profile it is replacing.
- *
- * The secid value of 0 is invalid.
+ * AppArmor allocates a unique secid for every label used. If a label
+ * is replaced it receives the secid of the label it is replacing.
  */
 
-#include <linux/spinlock.h>
 #include <linux/errno.h>
 #include <linux/err.h>
+#include <linux/gfp.h>
+#include <linux/slab.h>
+#include <linux/spinlock.h>
 
+#include "include/cred.h"
+#include "include/lib.h"
 #include "include/secid.h"
+#include "include/label.h"
+#include "include/policy_ns.h"
 
-/* global counter from which secids are allocated */
-static u32 global_secid;
+/*
+ * secids - do not pin labels with a refcount. They rely on the label
+ * properly updating/freeing them
+ *
+ * A singly linked free list is used to track secids that have been
+ * freed and reuse them before allocating new ones
+ */
+
+#define FREE_LIST_HEAD 1
+
+static RADIX_TREE(aa_secids_map, GFP_ATOMIC);
 static DEFINE_SPINLOCK(secid_lock);
+static u32 alloced_secid = FREE_LIST_HEAD;
+static u32 free_list = FREE_LIST_HEAD;
+static unsigned long free_count;
+
+/*
+ * TODO: allow policy to reserve a secid range?
+ * TODO: add secid pinning
+ * TODO: use secid_update in label replace
+ */
+
+#define SECID_MAX U32_MAX
+
+/* TODO: mark free list as exceptional */
+static void *to_ptr(u32 secid)
+{
+	return (void *)
+		((((unsigned long) secid) << RADIX_TREE_EXCEPTIONAL_SHIFT));
+}
+
+static u32 to_secid(void *ptr)
+{
+	return (u32) (((unsigned long) ptr) >> RADIX_TREE_EXCEPTIONAL_SHIFT);
+}
+
+
+/* TODO: tag free_list entries to mark them as different */
+static u32 __pop(struct aa_label *label)
+{
+	u32 secid = free_list;
+	void __rcu **slot;
+	void *entry;
+
+	if (free_list == FREE_LIST_HEAD)
+		return AA_SECID_INVALID;
+
+	slot = radix_tree_lookup_slot(&aa_secids_map, secid);
+	AA_BUG(!slot);
+	entry = radix_tree_deref_slot_protected(slot, &secid_lock);
+	free_list = to_secid(entry);
+	radix_tree_replace_slot(&aa_secids_map, slot, label);
+	free_count--;
+
+	return secid;
+}
+
+static void __push(u32 secid)
+{
+	void __rcu **slot;
+
+	slot = radix_tree_lookup_slot(&aa_secids_map, secid);
+	AA_BUG(!slot);
+	radix_tree_replace_slot(&aa_secids_map, slot, to_ptr(free_list));
+	free_list = secid;
+	free_count++;
+}
+
+static struct aa_label * __secid_update(u32 secid, struct aa_label *label)
+{
+	struct aa_label *old;
+	void __rcu **slot;
+
+	slot = radix_tree_lookup_slot(&aa_secids_map, secid);
+	AA_BUG(!slot);
+	old = radix_tree_deref_slot_protected(slot, &secid_lock);
+	radix_tree_replace_slot(&aa_secids_map, slot, label);
+
+	return old;
+}
+
+/**
+ * aa_secid_update - update a secid mapping to a new label
+ * @secid: secid to update
+ * @label: label the secid will now map to
+ */
+void aa_secid_update(u32 secid, struct aa_label *label)
+{
+	struct aa_label *old;
+	unsigned long flags;
+
+	spin_lock_irqsave(&secid_lock, flags);
+	old = __secid_update(secid, label);
+	spin_unlock_irqrestore(&secid_lock, flags);
+}
+
+/**
+ *
+ * see label for inverse aa_label_to_secid
+ */
+struct aa_label *aa_secid_to_label(u32 secid)
+{
+	struct aa_label *label;
+
+	rcu_read_lock();
+	label = radix_tree_lookup(&aa_secids_map, secid);
+	rcu_read_unlock();
+
+	return label;
+}
+
+int apparmor_secid_to_secctx(u32 secid, char **secdata, u32 *seclen)
+{
+	/* TODO: cache secctx and ref count so we don't have to recreate */
+	struct aa_label *label = aa_secid_to_label(secid);
+
+	AA_BUG(!secdata);
+	AA_BUG(!seclen);
+
+	if (!label)
+		return -EINVAL;
+
+	if (secdata)
+		*seclen = aa_label_asxprint(secdata, root_ns, label,
+					    FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+					    FLAG_HIDDEN_UNCONFINED |
+					    FLAG_ABS_ROOT, GFP_ATOMIC);
+	else
+		*seclen = aa_label_snxprint(NULL, 0, root_ns, label,
+					    FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
+					    FLAG_HIDDEN_UNCONFINED |
+					    FLAG_ABS_ROOT);
+	if (*seclen < 0)
+		return -ENOMEM;
+
+	return 0;
+}
+
+
+int apparmor_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid)
+{
+	struct aa_label *label;
+
+	label = aa_label_strn_parse(&root_ns->unconfined->label, secdata,
+				    seclen, GFP_KERNEL, false, false);
+	if (IS_ERR(label))
+		return PTR_ERR(label);
+	*secid = label->secid;
+
+	return 0;
+}
+
+void apparmor_release_secctx(char *secdata, u32 seclen)
+{
+	kfree(secdata);
+}
 
-/* TODO FIXME: add secid to profile mapping, and secid recycling */
 
 /**
  * aa_alloc_secid - allocate a new secid for a profile
  */
-u32 aa_alloc_secid(void)
+u32 aa_alloc_secid(struct aa_label *label, gfp_t gfp)
 {
+	unsigned long flags;
 	u32 secid;
 
-	/*
-	 * TODO FIXME: secid recycling - part of profile mapping table
-	 */
-	spin_lock(&secid_lock);
-	secid = (++global_secid);
-	spin_unlock(&secid_lock);
+	/* racey, but at worst causes new allocation instead of reuse */
+	if (free_list == FREE_LIST_HEAD) {
+		bool preload = 0;
+		int res;
+
+retry:
+		if (gfpflags_allow_blocking(gfp) && !radix_tree_preload(gfp))
+			preload = 1;
+		spin_lock_irqsave(&secid_lock, flags);
+		if (alloced_secid != SECID_MAX) {
+			secid = ++alloced_secid;
+			res = radix_tree_insert(&aa_secids_map, secid, label);
+			AA_BUG(res == -EEXIST);
+		} else {
+			secid = AA_SECID_INVALID;
+		}
+		spin_unlock_irqrestore(&secid_lock, flags);
+		if (preload)
+			radix_tree_preload_end();
+	} else {
+		spin_lock_irqsave(&secid_lock, flags);
+		/* remove entry from free list */
+		secid = __pop(label);
+		if (secid == AA_SECID_INVALID) {
+			spin_unlock_irqrestore(&secid_lock, flags);
+			goto retry;
+		}
+		spin_unlock_irqrestore(&secid_lock, flags);
+	}
+
 	return secid;
 }
 
@@ -51,5 +232,9 @@ u32 aa_alloc_secid(void)
  */
 void aa_free_secid(u32 secid)
 {
-	;			/* NOP ATM */
+	unsigned long flags;
+
+	spin_lock_irqsave(&secid_lock, flags);
+	__push(secid);
+	spin_unlock_irqrestore(&secid_lock, flags);
 }
