2 * AppArmor security module
4 * This file contains AppArmor function for pathnames
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/magic.h>
16 #include <linux/mnt_namespace.h>
17 #include <linux/mount.h>
18 #include <linux/namei.h>
19 #include <linux/nsproxy.h>
20 #include <linux/path.h>
21 #include <linux/sched.h>
22 #include <linux/slab.h>
23 #include <linux/fs_struct.h>
25 #include "include/apparmor.h"
26 #include "include/path.h"
27 #include "include/policy.h"
30 /* modified from dcache.c */
31 static int prepend(char **buffer, int buflen, const char *str, int namelen)
37 memcpy(*buffer, str, namelen);
41 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
44 * d_namespace_path - lookup a name associated with a given path
45 * @path: path to lookup (NOT NULL)
46 * @buf: buffer to store path to (NOT NULL)
47 * @buflen: length of @buf
48 * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
49 * @flags: flags controlling path lookup
51 * Handle path name lookup.
53 * Returns: %0 else error code if path lookup fails
54 * When no error the path name is returned in @name which points to
55 * to a position in @buf
57 static int d_namespace_path(struct path *path, char *buf, int buflen,
58 char **name, int flags)
60 struct path root, tmp;
62 int deleted, connected;
65 /* Get the root we want to resolve too */
66 if (flags & PATH_CHROOT_REL) {
67 /* resolve paths relative to chroot */
68 read_lock(¤t->fs->lock);
69 root = current->fs->root;
72 read_unlock(¤t->fs->lock);
74 /* resolve paths relative to namespace */
75 root.mnt = current->nsproxy->mnt_ns->root;
76 root.dentry = root.mnt->mnt_root;
81 spin_lock(&dcache_lock);
82 /* There is a race window between path lookup here and the
83 * need to strip the " (deleted) string that __d_path applies
84 * Detect the race and relookup the path
86 * The stripping of (deleted) is a hack that could be removed
87 * with an updated __d_path
91 deleted = d_unlinked(path->dentry);
92 res = __d_path(path, &tmp, buf, buflen);
94 } while (deleted != d_unlinked(path->dentry));
95 spin_unlock(&dcache_lock);
98 /* handle error conditions - and still allow a partial path to
102 error = PTR_ERR(res);
107 /* On some filesystems, newly allocated dentries appear to the
108 * security_path hooks as a deleted dentry except without an
111 * Remove the appended deleted text and return as string for
112 * normal mediation, or auditing. The (deleted) string is
113 * guaranteed to be added in this case, so just strip it.
115 buf[buflen - 11] = 0; /* - (len(" (deleted)") +\0) */
117 if (path->dentry->d_inode && !(flags & PATH_MEDIATE_DELETED)) {
123 /* Determine if the path is connected to the expected root */
124 connected = tmp.dentry == root.dentry && tmp.mnt == root.mnt;
126 /* If the path is not connected,
127 * check if it is a sysctl and handle specially else remove any
128 * leading / that __d_path may have returned.
130 * specifically directed to connect the path,
132 * if in a chroot and doing chroot relative paths and the path
133 * resolves to the namespace root (would be connected outside
134 * of chroot) and specifically directed to connect paths to
138 /* is the disconnect path a sysctl? */
139 if (tmp.dentry->d_sb->s_magic == PROC_SUPER_MAGIC &&
140 strncmp(*name, "/sys/", 5) == 0) {
141 /* TODO: convert over to using a per namespace
142 * control instead of hard coded /proc
144 error = prepend(name, *name - buf, "/proc", 5);
145 } else if (!(flags & PATH_CONNECT_PATH) &&
146 !(((flags & CHROOT_NSCONNECT) == CHROOT_NSCONNECT) &&
147 (tmp.mnt == current->nsproxy->mnt_ns->root &&
148 tmp.dentry == tmp.mnt->mnt_root))) {
149 /* disconnected path, don't return pathname starting
165 * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
166 * @path: path to get name for (NOT NULL)
167 * @flags: flags controlling path lookup
168 * @buffer: buffer to put name in (NOT NULL)
169 * @size: size of buffer
170 * @name: Returns - contains position of path name in @buffer (NOT NULL)
172 * Returns: %0 else error on failure
174 static int get_name_to_buffer(struct path *path, int flags, char *buffer,
175 int size, char **name)
177 int adjust = (flags & PATH_IS_DIR) ? 1 : 0;
178 int error = d_namespace_path(path, buffer, size - adjust, name, flags);
180 if (!error && (flags & PATH_IS_DIR) && (*name)[1] != '\0')
182 * Append "/" to the pathname. The root directory is a special
183 * case; it already ends in slash.
185 strcpy(&buffer[size - 2], "/");
191 * aa_get_name - compute the pathname of a file
192 * @path: path the file (NOT NULL)
193 * @flags: flags controlling path name generation
194 * @buffer: buffer that aa_get_name() allocated (NOT NULL)
195 * @name: Returns - the generated path name if !error (NOT NULL)
197 * @name is a pointer to the beginning of the pathname (which usually differs
198 * from the beginning of the buffer), or NULL. If there is an error @name
199 * may contain a partial or invalid name that can be used for audit purposes,
200 * but it can not be used for mediation.
202 * We need PATH_IS_DIR to indicate whether the file is a directory or not
203 * because the file may not yet exist, and so we cannot check the inode's
206 * Returns: %0 else error code if could retrieve name
208 int aa_get_name(struct path *path, int flags, char **buffer, const char **name)
210 char *buf, *str = NULL;
217 /* freed by caller */
218 buf = kmalloc(size, GFP_KERNEL);
222 error = get_name_to_buffer(path, flags, buf, size, &str);
223 if (error != -ENAMETOOLONG)
228 if (size > aa_g_path_max)
229 return -ENAMETOOLONG;