2 * AppArmor security module
4 * This file contains AppArmor function for pathnames
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include <linux/magic.h>
16 #include <linux/mnt_namespace.h>
17 #include <linux/mount.h>
18 #include <linux/namei.h>
19 #include <linux/nsproxy.h>
20 #include <linux/path.h>
21 #include <linux/sched.h>
22 #include <linux/slab.h>
23 #include <linux/fs_struct.h>
25 #include "include/apparmor.h"
26 #include "include/path.h"
27 #include "include/policy.h"
30 /* modified from dcache.c */
31 static int prepend(char **buffer
, int buflen
, const char *str
, int namelen
)
37 memcpy(*buffer
, str
, namelen
);
41 #define CHROOT_NSCONNECT (PATH_CHROOT_REL | PATH_CHROOT_NSCONNECT)
44 * d_namespace_path - lookup a name associated with a given path
45 * @path: path to lookup (NOT NULL)
46 * @buf: buffer to store path to (NOT NULL)
47 * @buflen: length of @buf
48 * @name: Returns - pointer for start of path name with in @buf (NOT NULL)
49 * @flags: flags controlling path lookup
51 * Handle path name lookup.
53 * Returns: %0 else error code if path lookup fails
54 * When no error the path name is returned in @name which points to
55 * to a position in @buf
57 static int d_namespace_path(struct path
*path
, char *buf
, int buflen
,
58 char **name
, int flags
)
60 struct path root
, tmp
;
62 int deleted
, connected
;
65 /* Get the root we want to resolve too */
66 if (flags
& PATH_CHROOT_REL
) {
67 /* resolve paths relative to chroot */
68 read_lock(¤t
->fs
->lock
);
69 root
= current
->fs
->root
;
72 read_unlock(¤t
->fs
->lock
);
74 /* resolve paths relative to namespace */
75 root
.mnt
= current
->nsproxy
->mnt_ns
->root
;
76 root
.dentry
= root
.mnt
->mnt_root
;
81 spin_lock(&dcache_lock
);
82 /* There is a race window between path lookup here and the
83 * need to strip the " (deleted) string that __d_path applies
84 * Detect the race and relookup the path
86 * The stripping of (deleted) is a hack that could be removed
87 * with an updated __d_path
91 deleted
= d_unlinked(path
->dentry
);
92 res
= __d_path(path
, &tmp
, buf
, buflen
);
94 } while (deleted
!= d_unlinked(path
->dentry
));
95 spin_unlock(&dcache_lock
);
98 /* handle error conditions - and still allow a partial path to
102 error
= PTR_ERR(res
);
107 /* On some filesystems, newly allocated dentries appear to the
108 * security_path hooks as a deleted dentry except without an
111 * Remove the appended deleted text and return as string for
112 * normal mediation, or auditing. The (deleted) string is
113 * guaranteed to be added in this case, so just strip it.
115 buf
[buflen
- 11] = 0; /* - (len(" (deleted)") +\0) */
117 if (path
->dentry
->d_inode
&& !(flags
& PATH_MEDIATE_DELETED
)) {
123 /* Determine if the path is connected to the expected root */
124 connected
= tmp
.dentry
== root
.dentry
&& tmp
.mnt
== root
.mnt
;
126 /* If the path is not connected,
127 * check if it is a sysctl and handle specially else remove any
128 * leading / that __d_path may have returned.
130 * specifically directed to connect the path,
132 * if in a chroot and doing chroot relative paths and the path
133 * resolves to the namespace root (would be connected outside
134 * of chroot) and specifically directed to connect paths to
138 /* is the disconnect path a sysctl? */
139 if (tmp
.dentry
->d_sb
->s_magic
== PROC_SUPER_MAGIC
&&
140 strncmp(*name
, "/sys/", 5) == 0) {
141 /* TODO: convert over to using a per namespace
142 * control instead of hard coded /proc
144 error
= prepend(name
, *name
- buf
, "/proc", 5);
145 } else if (!(flags
& PATH_CONNECT_PATH
) &&
146 !(((flags
& CHROOT_NSCONNECT
) == CHROOT_NSCONNECT
) &&
147 (tmp
.mnt
== current
->nsproxy
->mnt_ns
->root
&&
148 tmp
.dentry
== tmp
.mnt
->mnt_root
))) {
149 /* disconnected path, don't return pathname starting
165 * get_name_to_buffer - get the pathname to a buffer ensure dir / is appended
166 * @path: path to get name for (NOT NULL)
167 * @flags: flags controlling path lookup
168 * @buffer: buffer to put name in (NOT NULL)
169 * @size: size of buffer
170 * @name: Returns - contains position of path name in @buffer (NOT NULL)
172 * Returns: %0 else error on failure
174 static int get_name_to_buffer(struct path
*path
, int flags
, char *buffer
,
175 int size
, char **name
)
177 int adjust
= (flags
& PATH_IS_DIR
) ? 1 : 0;
178 int error
= d_namespace_path(path
, buffer
, size
- adjust
, name
, flags
);
180 if (!error
&& (flags
& PATH_IS_DIR
) && (*name
)[1] != '\0')
182 * Append "/" to the pathname. The root directory is a special
183 * case; it already ends in slash.
185 strcpy(&buffer
[size
- 2], "/");
191 * aa_get_name - compute the pathname of a file
192 * @path: path the file (NOT NULL)
193 * @flags: flags controlling path name generation
194 * @buffer: buffer that aa_get_name() allocated (NOT NULL)
195 * @name: Returns - the generated path name if !error (NOT NULL)
197 * @name is a pointer to the beginning of the pathname (which usually differs
198 * from the beginning of the buffer), or NULL. If there is an error @name
199 * may contain a partial or invalid name that can be used for audit purposes,
200 * but it can not be used for mediation.
202 * We need PATH_IS_DIR to indicate whether the file is a directory or not
203 * because the file may not yet exist, and so we cannot check the inode's
206 * Returns: %0 else error code if could retrieve name
208 int aa_get_name(struct path
*path
, int flags
, char **buffer
, const char **name
)
210 char *buf
, *str
= NULL
;
217 /* freed by caller */
218 buf
= kmalloc(size
, GFP_KERNEL
);
222 error
= get_name_to_buffer(path
, flags
, buf
, size
, &str
);
223 if (error
!= -ENAMETOOLONG
)
228 if (size
> aa_g_path_max
)
229 return -ENAMETOOLONG
;