]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blame - security/apparmor/af_unix.c
projects / mirror_ubuntu-zesty-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
UBUNTU: [Config] updateconfigs after rebase to Ubuntu-4.10.0-17.19
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / af_unix.c
CommitLineData
80594fc2
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor af_unix fine grained mediation
5 *
6 * Copyright 2014 Canonical Ltd.
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License as
10 * published by the Free Software Foundation, version 2 of the
11 * License.
12 */
13
14#include <net/tcp_states.h>
15
16#include "include/af_unix.h"
17#include "include/apparmor.h"
18#include "include/context.h"
19#include "include/file.h"
20#include "include/label.h"
21#include "include/path.h"
22#include "include/policy.h"
23
24static inline struct sock *aa_sock(struct unix_sock *u)
25{
26 return &u->sk;
27}
28
29static inline int unix_fs_perm(const char *op, u32 mask, struct aa_label *label,
30 struct unix_sock *u, int flags)
31{
32 AA_BUG(!label);
33 AA_BUG(!u);
34 AA_BUG(!UNIX_FS(aa_sock(u)));
35
36 if (unconfined(label) || !LABEL_MEDIATES(label, AA_CLASS_FILE))
37 return 0;
38
39 mask &= NET_FS_PERMS;
40 if (!u->path.dentry) {
41 struct path_cond cond = { };
42 struct aa_perms perms = { };
43 struct aa_profile *profile;
44
45 /* socket path has been cleared because it is being shutdown
46 * can only fall back to original sun_path request
47 */
48 struct aa_sk_ctx *ctx = SK_CTX(&u->sk);
49 if (ctx->path.dentry)
50 return aa_path_perm(op, label, &ctx->path, flags, mask,
51 &cond);
52 return fn_for_each_confined(label, profile,
53 ((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?
54 __aa_path_perm(op, profile,
55 u->addr->name->sun_path, mask,
56 &cond, flags, &perms) :
57 aa_audit_file(profile, &nullperms, op, mask,
58 u->addr->name->sun_path, NULL,
59 NULL, cond.uid,
60 "Failed name lookup - "
61 "deleted entry", -EACCES));
62 } else {
63 /* the sunpath may not be valid for this ns so use the path */
64 struct path_cond cond = { u->path.dentry->d_inode->i_uid,
65 u->path.dentry->d_inode->i_mode
66 };
67
68 return aa_path_perm(op, label, &u->path, flags, mask, &cond);
69 }
70
71 return 0;
72}
73
74/* passing in state returned by PROFILE_MEDIATES_AF */
75static unsigned int match_to_prot(struct aa_profile *profile,
76 unsigned int state, int type, int protocol,
77 const char **info)
78{
79 u16 buffer[2];
80 buffer[0] = cpu_to_be16(type);
81 buffer[1] = cpu_to_be16(protocol);
82 state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
83 4);
84 if (!state)
85 *info = "failed type and protocol match";
86 return state;
87}
88
89static unsigned int match_addr(struct aa_profile *profile, unsigned int state,
90 struct sockaddr_un *addr, int addrlen)
91{
92 if (addr)
93 /* include leading \0 */
94 state = aa_dfa_match_len(profile->policy.dfa, state,
95 addr->sun_path,
96 unix_addr_len(addrlen));
97 else
98 /* anonymous end point */
99 state = aa_dfa_match_len(profile->policy.dfa, state, "\x01",
100 1);
101 /* todo change to out of band */
102 state = aa_dfa_null_transition(profile->policy.dfa, state);
103 return state;
104}
105
106static unsigned int match_to_local(struct aa_profile *profile,
107 unsigned int state, int type, int protocol,
108 struct sockaddr_un *addr, int addrlen,
109 const char **info)
110{
111 state = match_to_prot(profile, state, type, protocol, info);
112 if (state) {
113 state = match_addr(profile, state, addr, addrlen);
114 if (state) {
115 /* todo: local label matching */
116 state = aa_dfa_null_transition(profile->policy.dfa,
117 state);
118 if (!state)
119 *info = "failed local label match";
120 } else
121 *info = "failed local address match";
122 }
123
124 return state;
125}
126
127static unsigned int match_to_sk(struct aa_profile *profile,
128 unsigned int state, struct unix_sock *u,
129 const char **info)
130{
131 struct sockaddr_un *addr = NULL;
132 int addrlen = 0;
133
134 if (u->addr) {
135 addr = u->addr->name;
136 addrlen = u->addr->len;
137 }
138
139 return match_to_local(profile, state, u->sk.sk_type, u->sk.sk_protocol,
140 addr, addrlen, info);
141}
142
143#define CMD_ADDR 1
144#define CMD_LISTEN 2
145#define CMD_OPT 4
146
147static inline unsigned int match_to_cmd(struct aa_profile *profile,
148 unsigned int state, struct unix_sock *u,
149 char cmd, const char **info)
150{
151 state = match_to_sk(profile, state, u, info);
152 if (state) {
153 state = aa_dfa_match_len(profile->policy.dfa, state, &cmd, 1);
154 if (!state)
155 *info = "failed cmd selection match";
156 }
157
158 return state;
159}
160
161static inline unsigned int match_to_peer(struct aa_profile *profile,
162 unsigned int state,
163 struct unix_sock *u,
164 struct sockaddr_un *peer_addr,
165 int peer_addrlen,
166 const char **info)
167{
168 state = match_to_cmd(profile, state, u, CMD_ADDR, info);
169 if (state) {
170 state = match_addr(profile, state, peer_addr, peer_addrlen);
171 if (!state)
172 *info = "failed peer address match";
173 }
174 return state;
175}
176
177static int do_perms(struct aa_profile *profile, unsigned int state, u32 request,
178 struct common_audit_data *sa)
179{
180 struct aa_perms perms;
181
182 AA_BUG(!profile);
183
184 aa_compute_perms(profile->policy.dfa, state, &perms);
185 aa_apply_modes_to_perms(profile, &perms);
186 return aa_check_perms(profile, &perms, request, sa,
187 audit_net_cb);
188}
189
190static int match_label(struct aa_profile *profile, struct aa_profile *peer,
191 unsigned int state, u32 request,
192 struct common_audit_data *sa)
193{
194 AA_BUG(!profile);
195 AA_BUG(!peer);
196
197 aad(sa)->peer = &peer->label;
198
199 if (state) {
200 state = aa_dfa_match(profile->policy.dfa, state, aa_peer_name(peer));
201 if (!state)
202 aad(sa)->info = "failed peer label match";
203 }
204 return do_perms(profile, state, request, sa);
205}
206
207
208/* unix sock creation comes before we know if the socket will be an fs
209 * socket
210 * v6 - semantics are handled by mapping in profile load
211 * v7 - semantics require sock create for tasks creating an fs socket.
212 */
213static int profile_create_perm(struct aa_profile *profile, int family,
214 int type, int protocol)
215{
216 unsigned int state;
217 DEFINE_AUDIT_NET(sa, OP_CREATE, NULL, family, type, protocol);
218
219 AA_BUG(!profile);
220 AA_BUG(profile_unconfined(profile));
221
222 if ((state = PROFILE_MEDIATES_AF(profile, AF_UNIX))) {
223 state = match_to_prot(profile, state, type, protocol,
224 &aad(&sa)->info);
225 return do_perms(profile, state, AA_MAY_CREATE, &sa);
226 }
227
228 return aa_profile_af_perm(profile, &sa, AA_MAY_CREATE, family, type);
229}
230
231int aa_unix_create_perm(struct aa_label *label, int family, int type,
232 int protocol)
233{
234 struct aa_profile *profile;
235
236 if (unconfined(label))
237 return 0;
238
239 return fn_for_each_confined(label, profile,
240 profile_create_perm(profile, family, type, protocol));
241}
242
243
244static inline int profile_sk_perm(struct aa_profile *profile, const char *op,
245 u32 request, struct sock *sk)
246{
247 unsigned int state;
248 DEFINE_AUDIT_SK(sa, op, sk);
249
250 AA_BUG(!profile);
251 AA_BUG(!sk);
252 AA_BUG(UNIX_FS(sk));
253 AA_BUG(profile_unconfined(profile));
254
255 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
256 if (state) {
257 state = match_to_sk(profile, state, unix_sk(sk),
258 &aad(&sa)->info);
259 return do_perms(profile, state, request, &sa);
260 }
261
262 return aa_profile_af_sk_perm(profile, &sa, request, sk);
263}
264
265int aa_unix_label_sk_perm(struct aa_label *label, const char *op, u32 request,
266 struct sock *sk)
267{
268 struct aa_profile *profile;
269
270 return fn_for_each_confined(label, profile,
271 profile_sk_perm(profile, op, request, sk));
272}
273
274static int unix_label_sock_perm(struct aa_label *label, const char *op, u32 request,
275 struct socket *sock)
276{
277 if (unconfined(label))
278 return 0;
279 if (UNIX_FS(sock->sk))
280 return unix_fs_perm(op, request, label, unix_sk(sock->sk), 0);
281
282 return aa_unix_label_sk_perm(label, op, request, sock->sk);
283}
284
285/* revaliation, get/set attr */
286int aa_unix_sock_perm(const char *op, u32 request, struct socket *sock)
287{
288 struct aa_label *label = aa_begin_current_label(DO_UPDATE);
289 int error = unix_label_sock_perm(label, op, request, sock);
290 aa_end_current_label(label);
291
292 return error;
293}
294
295static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
296 struct sockaddr *addr, int addrlen)
297{
298 unsigned int state;
299 DEFINE_AUDIT_SK(sa, OP_BIND, sk);
300
301 AA_BUG(!profile);
302 AA_BUG(!sk);
303 AA_BUG(addr->sa_family != AF_UNIX);
304 AA_BUG(profile_unconfined(profile));
305 AA_BUG(unix_addr_fs(addr, addrlen));
306
307 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
308 if (state) {
309 /* bind for abstract socket */
310 aad(&sa)->net.addr = unix_addr(addr);
311 aad(&sa)->net.addrlen = addrlen;
312
313 state = match_to_local(profile, state,
314 sk->sk_type, sk->sk_protocol,
315 unix_addr(addr), addrlen,
316 &aad(&sa)->info);
317 return do_perms(profile, state, AA_MAY_BIND, &sa);
318 }
319
320 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_BIND, sk);
321}
322
323int aa_unix_bind_perm(struct socket *sock, struct sockaddr *address,
324 int addrlen)
325{
326 struct aa_profile *profile;
327 struct aa_label *label = aa_begin_current_label(DO_UPDATE);
328 int error = 0;
329
330 /* fs bind is handled by mknod */
331 if (!(unconfined(label) || unix_addr_fs(address, addrlen)))
332 error = fn_for_each_confined(label, profile,
333 profile_bind_perm(profile, sock->sk, address,
334 addrlen));
335 aa_end_current_label(label);
336
337 return error;
338}
339
340int aa_unix_connect_perm(struct socket *sock, struct sockaddr *address,
341 int addrlen)
342{
343 /* unix connections are covered by the
344 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)
345 * - fs connect is handled by open
346 */
347 return 0;
348}
349
350static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
351 int backlog)
352{
353 unsigned int state;
354 DEFINE_AUDIT_SK(sa, OP_LISTEN, sk);
355
356 AA_BUG(!profile);
357 AA_BUG(!sk);
358 AA_BUG(UNIX_FS(sk));
359 AA_BUG(profile_unconfined(profile));
360
361 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
362 if (state) {
363 u16 b = cpu_to_be16(backlog);
364
365 state = match_to_cmd(profile, state, unix_sk(sk), CMD_LISTEN,
366 &aad(&sa)->info);
367 if (state) {
368 state = aa_dfa_match_len(profile->policy.dfa, state,
369 (char *) &b, 2);
370 if (!state)
371 aad(&sa)->info = "failed listen backlog match";
372 }
373 return do_perms(profile, state, AA_MAY_LISTEN, &sa);
374 }
375
376 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_LISTEN, sk);
377}
378
379int aa_unix_listen_perm(struct socket *sock, int backlog)
380{
381 struct aa_profile *profile;
382 struct aa_label *label = aa_begin_current_label(DO_UPDATE);
383 int error = 0;
384
385 if (!(unconfined(label) || UNIX_FS(sock->sk)))
386 error = fn_for_each_confined(label, profile,
387 profile_listen_perm(profile, sock->sk,
388 backlog));
389 aa_end_current_label(label);
390
391 return error;
392}
393
394
395static inline int profile_accept_perm(struct aa_profile *profile,
396 struct sock *sk,
397 struct sock *newsk)
398{
399 unsigned int state;
400 DEFINE_AUDIT_SK(sa, OP_ACCEPT, sk);
401
402 AA_BUG(!profile);
403 AA_BUG(!sk);
404 AA_BUG(UNIX_FS(sk));
405 AA_BUG(profile_unconfined(profile));
406
407 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
408 if (state) {
409 state = match_to_sk(profile, state, unix_sk(sk),
410 &aad(&sa)->info);
411 return do_perms(profile, state, AA_MAY_ACCEPT, &sa);
412 }
413
414 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_ACCEPT, sk);
415}
416
417/* ability of sock to connect, not peer address binding */
418int aa_unix_accept_perm(struct socket *sock, struct socket *newsock)
419{
420 struct aa_profile *profile;
421 struct aa_label *label = aa_begin_current_label(DO_UPDATE);
422 int error = 0;
423
424 if (!(unconfined(label) || UNIX_FS(sock->sk)))
425 error = fn_for_each_confined(label, profile,
426 profile_accept_perm(profile, sock->sk,
427 newsock->sk));
428 aa_end_current_label(label);
429
430 return error;
431}
432
433
434/* dgram handled by unix_may_sendmsg, right to send on stream done at connect
435 * could do per msg unix_stream here
436 */
437/* sendmsg, recvmsg */
438int aa_unix_msg_perm(const char *op, u32 request, struct socket *sock,
439 struct msghdr *msg, int size)
440{
441 return 0;
442}
443
444
445static int profile_opt_perm(struct aa_profile *profile, const char *op, u32 request,
446 struct sock *sk, int level, int optname)
447{
448 unsigned int state;
449 DEFINE_AUDIT_SK(sa, op, sk);
450
451 AA_BUG(!profile);
452 AA_BUG(!sk);
453 AA_BUG(UNIX_FS(sk));
454 AA_BUG(profile_unconfined(profile));
455
456 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
457 if (state) {
458 u16 b = cpu_to_be16(optname);
459
460 state = match_to_cmd(profile, state, unix_sk(sk), CMD_OPT,
461 &aad(&sa)->info);
462 if (state) {
463 state = aa_dfa_match_len(profile->policy.dfa, state,
464 (char *) &b, 2);
465 if (!state)
466 aad(&sa)->info = "failed sockopt match";
467 }
468 return do_perms(profile, state, request, &sa);
469 }
470
471 return aa_profile_af_sk_perm(profile, &sa, request, sk);
472}
473
474int aa_unix_opt_perm(const char *op, u32 request, struct socket *sock, int level,
475 int optname)
476{
477 struct aa_profile *profile;
478 struct aa_label *label = aa_begin_current_label(DO_UPDATE);
479 int error = 0;
480
481 if (!(unconfined(label) || UNIX_FS(sock->sk)))
482 error = fn_for_each_confined(label, profile,
483 profile_opt_perm(profile, op, request,
484 sock->sk, level, optname));
485 aa_end_current_label(label);
486
487 return error;
488}
489
490/* null peer_label is allowed, in which case the peer_sk label is used */
491static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 request,
492 struct sock *sk, struct sock *peer_sk,
493 struct aa_label *peer_label,
494 struct common_audit_data *sa)
495{
496 unsigned int state;
497
498 AA_BUG(!profile);
499 AA_BUG(profile_unconfined(profile));
500 AA_BUG(!sk);
501 AA_BUG(!peer_sk);
502 AA_BUG(UNIX_FS(peer_sk));
503
504 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
505 if (state) {
506 struct aa_sk_ctx *peer_ctx = SK_CTX(peer_sk);
507 struct aa_profile *peerp;
508 struct sockaddr_un *addr = NULL;
509 int len = 0;
510 if (unix_sk(peer_sk)->addr) {
511 addr = unix_sk(peer_sk)->addr->name;
512 len = unix_sk(peer_sk)->addr->len;
513 }
514 state = match_to_peer(profile, state, unix_sk(sk),
515 addr, len, &aad(sa)->info);
516 if (!peer_label)
517 peer_label = peer_ctx->label;
1c1bc45a 518 return fn_for_each_in_ns(peer_label, peerp,
80594fc2
JJ		 519 match_label(profile, peerp, state, request,
520 sa));
521 }
522
523 return aa_profile_af_sk_perm(profile, sa, request, sk);
524}
525
526/**
527 *
528 * Requires: lock held on both @sk and @peer_sk
529 */
530int aa_unix_peer_perm(struct aa_label *label, const char *op, u32 request,
531 struct sock *sk, struct sock *peer_sk,
532 struct aa_label *peer_label)
533{
534 struct unix_sock *peeru = unix_sk(peer_sk);
535 struct unix_sock *u = unix_sk(sk);
536
537 AA_BUG(!label);
538 AA_BUG(!sk);
539 AA_BUG(!peer_sk);
540
541 if (UNIX_FS(aa_sock(peeru)))
542 return unix_fs_perm(op, request, label, peeru, 0);
543 else if (UNIX_FS(aa_sock(u)))
544 return unix_fs_perm(op, request, label, u, 0);
545 else {
546 struct aa_profile *profile;
547 DEFINE_AUDIT_SK(sa, op, sk);
548 aad(&sa)->net.peer_sk = peer_sk;
549
550 /* TODO: ns!!! */
551 if (!net_eq(sock_net(sk), sock_net(peer_sk))) {
552 ;
553 }
554
555 if (unconfined(label))
556 return 0;
557
558 return fn_for_each_confined(label, profile,
559 profile_peer_perm(profile, op, request, sk,
560 peer_sk, peer_label, &sa));
561 }
562}
563
564
565/* from net/unix/af_unix.c */
566static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
567{
568 if (unlikely(sk1 == sk2) || !sk2) {
569 unix_state_lock(sk1);
570 return;
571 }
572 if (sk1 < sk2) {
573 unix_state_lock(sk1);
574 unix_state_lock_nested(sk2);
575 } else {
576 unix_state_lock(sk2);
577 unix_state_lock_nested(sk1);
578 }
579}
580
581static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
582{
583 if (unlikely(sk1 == sk2) || !sk2) {
584 unix_state_unlock(sk1);
585 return;
586 }
587 unix_state_unlock(sk1);
588 unix_state_unlock(sk2);
589}
590
591int aa_unix_file_perm(struct aa_label *label, const char *op, u32 request,
592 struct socket *sock)
593{
594 struct sock *peer_sk = NULL;
595 u32 sk_req = request & ~NET_PEER_MASK;
596 int error = 0;
597
598 AA_BUG(!label);
599 AA_BUG(!sock);
600 AA_BUG(!sock->sk);
601 AA_BUG(sock->sk->sk_family != AF_UNIX);
602
603 /* TODO: update sock label with new task label */
604 unix_state_lock(sock->sk);
605 peer_sk = unix_peer(sock->sk);
606 if (peer_sk)
607 sock_hold(peer_sk);
608 if (!unix_connected(sock) && sk_req) {
609 error = unix_label_sock_perm(label, op, sk_req, sock);
610 if (!error) {
611 // update label
612 }
613 }
614 unix_state_unlock(sock->sk);
615 if (!peer_sk)
616 return error;
617
618 unix_state_double_lock(sock->sk, peer_sk);
619 if (UNIX_FS(sock->sk)) {
620 error = unix_fs_perm(op, request, label, unix_sk(sock->sk),
621 PATH_SOCK_COND);
622 } else if (UNIX_FS(peer_sk)) {
623 error = unix_fs_perm(op, request, label, unix_sk(peer_sk),
624 PATH_SOCK_COND);
625 } else {
626 struct aa_sk_ctx *pctx = SK_CTX(peer_sk);
627 if (sk_req)
628 error = aa_unix_label_sk_perm(label, op, sk_req,
629 sock->sk);
630 last_error(error,
631 xcheck(aa_unix_peer_perm(label, op,
632 MAY_READ | MAY_WRITE,
633 sock->sk, peer_sk, NULL),
634 aa_unix_peer_perm(pctx->label, op,
635 MAY_READ | MAY_WRITE,
636 peer_sk, sock->sk, label)));
637 }
638
639 unix_state_double_unlock(sock->sk, peer_sk);
640 sock_put(peer_sk);
641
642 return error;
643}
ubuntu-zesty-kernel mirror