apparmor: make sure unix socket labeling is correctly updated.

jrjohansen · jrjohansen · commit 88fec3526e84 · 2025-07-20T02:19:27.000-07:00
When a unix socket is passed into a different confinement domain make sure its cached mediation labeling is updated to correctly reflect which domains are using the socket. Fixes: c05e705 ("apparmor: add fine grained af_unix mediation") Signed-off-by: John Johansen <john.johansen@canonical.com>
diff --git a/security/apparmor/af_unix.c b/security/apparmor/af_unix.c
@@ -646,6 +646,67 @@ int aa_unix_peer_perm(const struct cred *subj_cred,
 			      peer_label);
 }
 
+/* sk_plabel for comparison only */
+static void update_sk_ctx(struct sock *sk, struct aa_label *label,
+			  struct aa_label *plabel)
+{
+	struct aa_label *l, *old;
+	struct aa_sk_ctx *ctx = aa_sock(sk);
+	bool update_sk;
+
+	rcu_read_lock();
+	update_sk = (plabel &&
+		     (plabel != rcu_access_pointer(ctx->peer_lastupdate) ||
+		      !aa_label_is_subset(plabel, rcu_dereference(ctx->peer)))) ||
+	  !__aa_subj_label_is_cached(label, rcu_dereference(ctx->label));
+	rcu_read_unlock();
+	if (!update_sk)
+		return;
+
+	spin_lock(&unix_sk(sk)->lock);
+	old = rcu_dereference_protected(ctx->label,
+					lockdep_is_held(&unix_sk(sk)->lock));
+	l = aa_label_merge(old, label, GFP_ATOMIC);
+	if (l) {
+		if (l != old) {
+			rcu_assign_pointer(ctx->label, l);
+			aa_put_label(old);
+		} else
+			aa_put_label(l);
+	}
+	if (plabel && rcu_access_pointer(ctx->peer_lastupdate) != plabel) {
+		old = rcu_dereference_protected(ctx->peer, lockdep_is_held(&unix_sk(sk)->lock));
+
+		if (old == plabel) {
+			rcu_assign_pointer(ctx->peer_lastupdate, plabel);
+		} else if (aa_label_is_subset(plabel, old)) {
+			rcu_assign_pointer(ctx->peer_lastupdate, plabel);
+			rcu_assign_pointer(ctx->peer, aa_get_label(plabel));
+			aa_put_label(old);
+		} /* else race or a subset - don't update */
+	}
+	spin_unlock(&unix_sk(sk)->lock);
+}
+
+static void update_peer_ctx(struct sock *sk, struct aa_sk_ctx *ctx,
+			    struct aa_label *label)
+{
+	struct aa_label *l, *old;
+
+	spin_lock(&unix_sk(sk)->lock);
+	old = rcu_dereference_protected(ctx->peer,
+					lockdep_is_held(&unix_sk(sk)->lock));
+	l = aa_label_merge(old, label, GFP_ATOMIC);
+	if (l) {
+		if (l != old) {
+			rcu_assign_pointer(ctx->peer, l);
+			aa_put_label(old);
+		} else
+			aa_put_label(l);
+	}
+	spin_unlock(&unix_sk(sk)->lock);
+}
+
 /* This fn is only checked if something has changed in the security
  * boundaries. Otherwise cached info off file is sufficient
  */
@@ -655,6 +716,7 @@ int aa_unix_file_perm(const struct cred *subj_cred, struct aa_label *label,
 	struct socket *sock = (struct socket *) file->private_data;
 	struct sockaddr_un *addr, *peer_addr;
 	int addrlen, peer_addrlen;
+	struct aa_label *plabel = NULL;
 	struct sock *peer_sk = NULL;
 	u32 sk_req = request & ~NET_PEER_MASK;
 	struct path path;
@@ -666,7 +728,6 @@ int aa_unix_file_perm(const struct cred *subj_cred, struct aa_label *label,
 	AA_BUG(!sock->sk);
 	AA_BUG(sock->sk->sk_family != PF_UNIX);
 
-	/* TODO: update sock label with new task label */
 	/* investigate only using lock via unix_peer_get()
 	 * addr only needs the memory barrier, but need to investigate
 	 * path
@@ -701,8 +762,12 @@ int aa_unix_file_perm(const struct cred *subj_cred, struct aa_label *label,
 			   unix_fs_perm(op, request, subj_cred, label,
 					is_unix_fs(peer_sk) ? &peer_path : NULL));
 	} else if (!is_sk_fs) {
+		struct aa_label *plabel;
 		struct aa_sk_ctx *pctx = aa_sock(peer_sk);
 
+		rcu_read_lock();
+		plabel = aa_get_label_rcu(&pctx->label);
+		rcu_read_unlock();
 		/* no fs check of aa_unix_peer_perm because conditions above
 		 * ensure they will never be done
 		 */
@@ -713,18 +778,26 @@ int aa_unix_file_perm(const struct cred *subj_cred, struct aa_label *label,
 					      peer_addr, peer_addrlen,
 					      is_unix_fs(peer_sk) ?
 							&peer_path : NULL,
-					      pctx->label),
-			       unix_peer_perm(file->f_cred, pctx->label, op,
+					      plabel),
+			       unix_peer_perm(file->f_cred, plabel, op,
 					      MAY_READ | MAY_WRITE, peer_sk,
 					      is_unix_fs(peer_sk) ?
 							&peer_path : NULL,
 					      addr, addrlen,
 					      is_sk_fs ? &path : NULL,
 					      label)));
+		if (!error && !__aa_subj_label_is_cached(plabel, label))
+			update_peer_ctx(peer_sk, pctx, label);
 	}
 	sock_put(peer_sk);
 
 out:
 
+	/* update peer cache to latest successful perm check */
+	if (error == 0)
+		update_sk_ctx(sock->sk, label, plabel);
+	aa_put_label(plabel);
+
 	return error;
 }
+
diff --git a/security/apparmor/file.c b/security/apparmor/file.c
@@ -561,19 +561,35 @@ static int __file_sock_perm(const char *op, const struct cred *subj_cred,
 	return error;
 }
 
-/* wrapper fn to indicate semantics of the check */
-static bool __subj_label_is_cached(struct aa_label *subj_label,
-			    struct aa_label *obj_label)
-{
-	return aa_label_is_subset(obj_label, subj_label);
-}
-
 /* for now separate fn to indicate semantics of the check */
 static bool __file_is_delegated(struct aa_label *obj_label)
 {
 	return unconfined(obj_label);
 }
 
+static bool __unix_needs_revalidation(struct file *file, struct aa_label *label,
+				      u32 request)
+{
+	struct socket *sock = (struct socket *) file->private_data;
+
+	lockdep_assert_in_rcu_read_lock();
+
+	if (!S_ISSOCK(file_inode(file)->i_mode))
+		return false;
+	if (request & NET_PEER_MASK)
+		return false;
+	if (sock->sk->sk_family == PF_UNIX) {
+		struct aa_sk_ctx *ctx = aa_sock(sock->sk);
+
+		if (rcu_access_pointer(ctx->peer) !=
+		    rcu_access_pointer(ctx->peer_lastupdate))
+			return true;
+		return !__aa_subj_label_is_cached(rcu_dereference(ctx->label),
+						  label);
+	}
+	return false;
+}
+
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -612,14 +628,15 @@ int aa_file_perm(const char *op, const struct cred *subj_cred,
 	 */
 	denied = request & ~fctx->allow;
 	if (unconfined(label) || __file_is_delegated(flabel) ||
-	    (!denied && __subj_label_is_cached(label, flabel))) {
+	    __unix_needs_revalidation(file, label, request) ||
+	    (!denied && __aa_subj_label_is_cached(label, flabel))) {
 		rcu_read_unlock();
 		goto done;
 	}
 
+	/* slow path - revalidate access */
 	flabel  = aa_get_newest_label(flabel);
 	rcu_read_unlock();
-	/* TODO: label cross check */
 
 	if (file->f_path.mnt && path_mediated_fs(file->f_path.dentry))
 		error = __file_path_perm(op, subj_cred, label, flabel, file,
diff --git a/security/apparmor/include/label.h b/security/apparmor/include/label.h
@@ -415,6 +415,13 @@ static inline void aa_put_label(struct aa_label *l)
 		kref_put(&l->count, aa_label_kref);
 }
 
+/* wrapper fn to indicate semantics of the check */
+static inline bool __aa_subj_label_is_cached(struct aa_label *subj_label,
+					  struct aa_label *obj_label)
+{
+	return aa_label_is_subset(obj_label, subj_label);
+}
+
 
 struct aa_proxy *aa_alloc_proxy(struct aa_label *l, gfp_t gfp);
 void aa_proxy_kref(struct kref *kref);
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
@@ -47,8 +47,9 @@
 #define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT |	\
 		       AA_MAY_ACCEPT)
 struct aa_sk_ctx {
-	struct aa_label *label;
-	struct aa_label *peer;
+	struct aa_label __rcu *label;
+	struct aa_label __rcu *peer;
+	struct aa_label __rcu *peer_lastupdate;	/* ptr cmp only, no deref */
 };
 
 static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
