apparmor: add ns being viewed as a param to policy_view_capable()

Prepare for a tighter pairing of user namespaces and apparmor policy namespaces, by making the ns to be viewed available and checking that the user namespace level is the same as the policy ns level. This strict pairing will be relaxed once true support of user namespaces lands. Signed-off-by: John Johansen <john.johansen@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-01-16 00:42:50 -0800
committer: John Johansen <john.johansen@canonical.com> 2017-01-16 01:18:39 -0800
commit: 2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (patch)
tree: 17cdd607014ece52ccafbbc472750b3d25a9f566 /security
parent: a6f233003b1af70132619bca386dfae1862a45e8 (diff)
4 files changed, 35 insertions, 8 deletions
diff --git a/security/apparmor/include/context.h b/security/apparmor/include/context.h
index a0acc2390fae..d378bff47ccd 100644
--- a/security/apparmor/include/context.h
+++ b/security/apparmor/include/context.h
@@ -20,6 +20,7 @@
 #include <linux/sched.h>
 
 #include "policy.h"
+#include "policy_ns.h"
 
 #define cred_cxt(X) (X)->security
 #define current_cxt() cred_cxt(current_cred())
@@ -162,6 +163,11 @@ static inline struct aa_profile *aa_current_profile(void)
 	return cxt->profile;
 }
 
+static inline struct aa_ns *aa_get_current_ns(void)
+{
+	return aa_get_ns(__aa_current_profile()->ns);
+}
+
 /**
  * aa_clear_task_cxt_trans - clear transition tracking info from the cxt
  * @cxt: task context to clear (NOT NULL)
diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
index 8fcfb3c78d21..b0b65c525bcc 100644
--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -33,6 +33,8 @@
 
 struct aa_ns;
 
+extern int unprivileged_userns_apparmor_policy;
+
 extern const char *const aa_profile_mode_names[];
 #define APPARMOR_MODE_NAMES_MAX_INDEX 4
 
@@ -297,7 +299,7 @@ static inline int AUDIT_MODE(struct aa_profile *profile)
 	return profile->audit;
 }
 
-bool policy_view_capable(void);
+bool policy_view_capable(struct aa_ns *ns);
 bool policy_admin_capable(void);
 bool aa_may_manage_policy(int op);
 
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index f852cd626f2e..f83ba33651a0 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -745,7 +745,7 @@ static int param_set_aalockpolicy(const char *val, const struct kernel_param *kp
 
 static int param_get_aalockpolicy(char *buffer, const struct kernel_param *kp)
 {
-	if (!policy_view_capable())
+	if (!policy_view_capable(NULL))
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
@@ -759,7 +759,7 @@ static int param_set_aabool(const char *val, const struct kernel_param *kp)
 
 static int param_get_aabool(char *buffer, const struct kernel_param *kp)
 {
-	if (!policy_view_capable())
+	if (!policy_view_capable(NULL))
 		return -EPERM;
 	return param_get_bool(buffer, kp);
 }
@@ -773,14 +773,14 @@ static int param_set_aauint(const char *val, const struct kernel_param *kp)
 
 static int param_get_aauint(char *buffer, const struct kernel_param *kp)
 {
-	if (!policy_view_capable())
+	if (!policy_view_capable(NULL))
 		return -EPERM;
 	return param_get_uint(buffer, kp);
 }
 
 static int param_get_audit(char *buffer, struct kernel_param *kp)
 {
-	if (!policy_view_capable())
+	if (!policy_view_capable(NULL))
 		return -EPERM;
 
 	if (!apparmor_enabled)
diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
index 0125de6061fd..f092c04c7c4e 100644
--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -76,6 +76,7 @@
 #include <linux/slab.h>
 #include <linux/spinlock.h>
 #include <linux/string.h>
+#include <linux/user_namespace.h>
 
 #include "include/apparmor.h"
 #include "include/capability.h"
@@ -89,6 +90,7 @@
 #include "include/policy_unpack.h"
 #include "include/resource.h"
 
+int unprivileged_userns_apparmor_policy = 1;
 
 const char *const aa_profile_mode_names[] = {
 	"enforce",
@@ -607,20 +609,37 @@ static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
 			&sa, NULL);
 }
 
-bool policy_view_capable(void)
+/**
+ * policy_view_capable - check if viewing policy in at @ns is allowed
+ * ns: namespace being viewed by current task (may be NULL)
+ * Returns: true if viewing policy is allowed
+ *
+ * If @ns is NULL then the namespace being viewed is assumed to be the
+ * tasks current namespace.
+ */
+bool policy_view_capable(struct aa_ns *ns)
 {
 	struct user_namespace *user_ns = current_user_ns();
+	struct aa_ns *view_ns = aa_get_current_ns();
+	bool root_in_user_ns = uid_eq(current_euid(), make_kuid(user_ns, 0)) ||
+			       in_egroup_p(make_kgid(user_ns, 0));
 	bool response = false;
+	if (!ns)
+		ns = view_ns;
 
-	if (ns_capable(user_ns, CAP_MAC_ADMIN))
+	if (root_in_user_ns && aa_ns_visible(view_ns, ns, true) &&
+	    (user_ns == &init_user_ns ||
+	     (unprivileged_userns_apparmor_policy != 0 &&
+	      user_ns->level == view_ns->level)))
 		response = true;
+	aa_put_ns(view_ns);
 
 	return response;
 }
 
 bool policy_admin_capable(void)
 {
-	return policy_view_capable() && !aa_g_lock_policy;
+	return policy_view_capable(NULL) && !aa_g_lock_policy;
 }
 
 /**
author	John Johansen <john.johansen@canonical.com>	2017-01-16 00:42:50 -0800
committer	John Johansen <john.johansen@canonical.com>	2017-01-16 01:18:39 -0800
commit	2bd8dbbf22fe9eb2a99273436f815d49ceb23a8f (patch)
tree	17cdd607014ece52ccafbbc472750b3d25a9f566 /security
parent	a6f233003b1af70132619bca386dfae1862a45e8 (diff)