]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - security/apparmor/af_unix.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
commoncap: Handle memory allocation failure.
[mirror_ubuntu-bionic-kernel.git] / security / apparmor / af_unix.c
CommitLineData
e59011c9
JJ		 1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor af_unix fine grained mediation
5 *
6 * Copyright 2014 Canonical Ltd.
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License as
10 * published by the Free Software Foundation, version 2 of the
11 * License.
12 */
13
14#include <net/tcp_states.h>
15
16#include "include/af_unix.h"
17#include "include/apparmor.h"
18#include "include/context.h"
19#include "include/file.h"
20#include "include/label.h"
21#include "include/path.h"
22#include "include/policy.h"
23
24static inline struct sock *aa_sock(struct unix_sock *u)
25{
26 return &u->sk;
27}
28
29static inline int unix_fs_perm(const char *op, u32 mask, struct aa_label *label,
30 struct unix_sock *u, int flags)
31{
32 AA_BUG(!label);
33 AA_BUG(!u);
34 AA_BUG(!UNIX_FS(aa_sock(u)));
35
36 if (unconfined(label) || !LABEL_MEDIATES(label, AA_CLASS_FILE))
37 return 0;
38
39 mask &= NET_FS_PERMS;
40 if (!u->path.dentry) {
41 struct path_cond cond = { };
42 struct aa_perms perms = { };
43 struct aa_profile *profile;
44
45 /* socket path has been cleared because it is being shutdown
46 * can only fall back to original sun_path request
47 */
48 struct aa_sk_ctx *ctx = SK_CTX(&u->sk);
49 if (ctx->path.dentry)
50 return aa_path_perm(op, label, &ctx->path, flags, mask,
51 &cond);
52 return fn_for_each_confined(label, profile,
53 ((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?
54 __aa_path_perm(op, profile,
55 u->addr->name->sun_path, mask,
56 &cond, flags, &perms) :
57 aa_audit_file(profile, &nullperms, op, mask,
58 u->addr->name->sun_path, NULL,
59 NULL, cond.uid,
60 "Failed name lookup - "
61 "deleted entry", -EACCES));
62 } else {
63 /* the sunpath may not be valid for this ns so use the path */
64 struct path_cond cond = { u->path.dentry->d_inode->i_uid,
65 u->path.dentry->d_inode->i_mode
66 };
67
68 return aa_path_perm(op, label, &u->path, flags, mask, &cond);
69 }
70
71 return 0;
72}
73
74/* passing in state returned by PROFILE_MEDIATES_AF */
75static unsigned int match_to_prot(struct aa_profile *profile,
76 unsigned int state, int type, int protocol,
77 const char **info)
78{
79 __be16 buffer[2];
80 buffer[0] = cpu_to_be16(type);
81 buffer[1] = cpu_to_be16(protocol);
82 state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
83 4);
84 if (!state)
85 *info = "failed type and protocol match";
86 return state;
87}
88
89static unsigned int match_addr(struct aa_profile *profile, unsigned int state,
90 struct sockaddr_un *addr, int addrlen)
91{
92 if (addr)
93 /* include leading \0 */
94 state = aa_dfa_match_len(profile->policy.dfa, state,
95 addr->sun_path,
96 unix_addr_len(addrlen));
97 else
98 /* anonymous end point */
99 state = aa_dfa_match_len(profile->policy.dfa, state, "\x01",
100 1);
101 /* todo change to out of band */
102 state = aa_dfa_null_transition(profile->policy.dfa, state);
103 return state;
104}
105
106static unsigned int match_to_local(struct aa_profile *profile,
107 unsigned int state, int type, int protocol,
108 struct sockaddr_un *addr, int addrlen,
109 const char **info)
110{
111 state = match_to_prot(profile, state, type, protocol, info);
112 if (state) {
113 state = match_addr(profile, state, addr, addrlen);
114 if (state) {
115 /* todo: local label matching */
116 state = aa_dfa_null_transition(profile->policy.dfa,
117 state);
118 if (!state)
119 *info = "failed local label match";
120 } else
121 *info = "failed local address match";
122 }
123
124 return state;
125}
126
127static unsigned int match_to_sk(struct aa_profile *profile,
128 unsigned int state, struct unix_sock *u,
129 const char **info)
130{
131 struct sockaddr_un *addr = NULL;
132 int addrlen = 0;
133
134 if (u->addr) {
135 addr = u->addr->name;
136 addrlen = u->addr->len;
137 }
138
139 return match_to_local(profile, state, u->sk.sk_type, u->sk.sk_protocol,
140 addr, addrlen, info);
141}
142
143#define CMD_ADDR 1
144#define CMD_LISTEN 2
145#define CMD_OPT 4
146
147static inline unsigned int match_to_cmd(struct aa_profile *profile,
148 unsigned int state, struct unix_sock *u,
149 char cmd, const char **info)
150{
151 state = match_to_sk(profile, state, u, info);
152 if (state) {
153 state = aa_dfa_match_len(profile->policy.dfa, state, &cmd, 1);
154 if (!state)
155 *info = "failed cmd selection match";
156 }
157
158 return state;
159}
160
161static inline unsigned int match_to_peer(struct aa_profile *profile,
162 unsigned int state,
163 struct unix_sock *u,
164 struct sockaddr_un *peer_addr,
165 int peer_addrlen,
166 const char **info)
167{
168 state = match_to_cmd(profile, state, u, CMD_ADDR, info);
169 if (state) {
170 state = match_addr(profile, state, peer_addr, peer_addrlen);
171 if (!state)
172 *info = "failed peer address match";
173 }
174 return state;
175}
176
177static int do_perms(struct aa_profile *profile, unsigned int state, u32 request,
178 struct common_audit_data *sa)
179{
180 struct aa_perms perms;
181
182 AA_BUG(!profile);
183
184 aa_compute_perms(profile->policy.dfa, state, &perms);
185 aa_apply_modes_to_perms(profile, &perms);
186 return aa_check_perms(profile, &perms, request, sa,
187 audit_net_cb);
188}
189
190static int match_label(struct aa_profile *profile, struct aa_profile *peer,
191 unsigned int state, u32 request,
192 struct common_audit_data *sa)
193{
194 AA_BUG(!profile);
195 AA_BUG(!peer);
196
197 aad(sa)->peer = &peer->label;
198
199 if (state) {
200 state = aa_dfa_match(profile->policy.dfa, state,
201 peer->base.hname);
202 if (!state)
203 aad(sa)->info = "failed peer label match";
204 }
205 return do_perms(profile, state, request, sa);
206}
207
208
209/* unix sock creation comes before we know if the socket will be an fs
210 * socket
211 * v6 - semantics are handled by mapping in profile load
212 * v7 - semantics require sock create for tasks creating an fs socket.
213 */
214static int profile_create_perm(struct aa_profile *profile, int family,
215 int type, int protocol)
216{
217 unsigned int state;
218 DEFINE_AUDIT_NET(sa, OP_CREATE, NULL, family, type, protocol);
219
220 AA_BUG(!profile);
221 AA_BUG(profile_unconfined(profile));
222
223 if ((state = PROFILE_MEDIATES_AF(profile, AF_UNIX))) {
224 state = match_to_prot(profile, state, type, protocol,
225 &aad(&sa)->info);
226 return do_perms(profile, state, AA_MAY_CREATE, &sa);
227 }
228
229 return aa_profile_af_perm(profile, &sa, AA_MAY_CREATE, family, type);
230}
231
232int aa_unix_create_perm(struct aa_label *label, int family, int type,
233 int protocol)
234{
235 struct aa_profile *profile;
236
237 if (unconfined(label))
238 return 0;
239
240 return fn_for_each_confined(label, profile,
241 profile_create_perm(profile, family, type, protocol));
242}
243
244
245static inline int profile_sk_perm(struct aa_profile *profile, const char *op,
246 u32 request, struct sock *sk)
247{
248 unsigned int state;
249 DEFINE_AUDIT_SK(sa, op, sk);
250
251 AA_BUG(!profile);
252 AA_BUG(!sk);
253 AA_BUG(UNIX_FS(sk));
254 AA_BUG(profile_unconfined(profile));
255
256 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
257 if (state) {
258 state = match_to_sk(profile, state, unix_sk(sk),
259 &aad(&sa)->info);
260 return do_perms(profile, state, request, &sa);
261 }
262
263 return aa_profile_af_sk_perm(profile, &sa, request, sk);
264}
265
266int aa_unix_label_sk_perm(struct aa_label *label, const char *op, u32 request,
267 struct sock *sk)
268{
269 struct aa_profile *profile;
270
271 return fn_for_each_confined(label, profile,
272 profile_sk_perm(profile, op, request, sk));
273}
274
275static int unix_label_sock_perm(struct aa_label *label, const char *op, u32 request,
276 struct socket *sock)
277{
278 if (unconfined(label))
279 return 0;
280 if (UNIX_FS(sock->sk))
281 return unix_fs_perm(op, request, label, unix_sk(sock->sk), 0);
282
283 return aa_unix_label_sk_perm(label, op, request, sock->sk);
284}
285
286/* revaliation, get/set attr */
287int aa_unix_sock_perm(const char *op, u32 request, struct socket *sock)
288{
289 struct aa_label *label;
290 int error;
291
292 label = begin_current_label_crit_section();
293 error = unix_label_sock_perm(label, op, request, sock);
294 end_current_label_crit_section(label);
295
296 return error;
297}
298
299static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
300 struct sockaddr *addr, int addrlen)
301{
302 unsigned int state;
303 DEFINE_AUDIT_SK(sa, OP_BIND, sk);
304
305 AA_BUG(!profile);
306 AA_BUG(!sk);
307 AA_BUG(addr->sa_family != AF_UNIX);
308 AA_BUG(profile_unconfined(profile));
309 AA_BUG(unix_addr_fs(addr, addrlen));
310
311 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
312 if (state) {
313 /* bind for abstract socket */
314 aad(&sa)->net.addr = unix_addr(addr);
315 aad(&sa)->net.addrlen = addrlen;
316
317 state = match_to_local(profile, state,
318 sk->sk_type, sk->sk_protocol,
319 unix_addr(addr), addrlen,
320 &aad(&sa)->info);
321 return do_perms(profile, state, AA_MAY_BIND, &sa);
322 }
323
324 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_BIND, sk);
325}
326
327int aa_unix_bind_perm(struct socket *sock, struct sockaddr *address,
328 int addrlen)
329{
330 struct aa_profile *profile;
331 struct aa_label *label;
332 int error = 0;
333
334 label = begin_current_label_crit_section();
335 /* fs bind is handled by mknod */
336 if (!(unconfined(label) || unix_addr_fs(address, addrlen)))
337 error = fn_for_each_confined(label, profile,
338 profile_bind_perm(profile, sock->sk, address,
339 addrlen));
340 end_current_label_crit_section(label);
341
342 return error;
343}
344
345int aa_unix_connect_perm(struct socket *sock, struct sockaddr *address,
346 int addrlen)
347{
348 /* unix connections are covered by the
349 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)
350 * - fs connect is handled by open
351 */
352 return 0;
353}
354
355static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
356 int backlog)
357{
358 unsigned int state;
359 DEFINE_AUDIT_SK(sa, OP_LISTEN, sk);
360
361 AA_BUG(!profile);
362 AA_BUG(!sk);
363 AA_BUG(UNIX_FS(sk));
364 AA_BUG(profile_unconfined(profile));
365
366 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
367 if (state) {
368 __be16 b = cpu_to_be16(backlog);
369
370 state = match_to_cmd(profile, state, unix_sk(sk), CMD_LISTEN,
371 &aad(&sa)->info);
372 if (state) {
373 state = aa_dfa_match_len(profile->policy.dfa, state,
374 (char *) &b, 2);
375 if (!state)
376 aad(&sa)->info = "failed listen backlog match";
377 }
378 return do_perms(profile, state, AA_MAY_LISTEN, &sa);
379 }
380
381 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_LISTEN, sk);
382}
383
384int aa_unix_listen_perm(struct socket *sock, int backlog)
385{
386 struct aa_profile *profile;
387 struct aa_label *label;
388 int error = 0;
389
390 label = begin_current_label_crit_section();
391 if (!(unconfined(label) || UNIX_FS(sock->sk)))
392 error = fn_for_each_confined(label, profile,
393 profile_listen_perm(profile, sock->sk,
394 backlog));
395 end_current_label_crit_section(label);
396
397 return error;
398}
399
400
401static inline int profile_accept_perm(struct aa_profile *profile,
402 struct sock *sk,
403 struct sock *newsk)
404{
405 unsigned int state;
406 DEFINE_AUDIT_SK(sa, OP_ACCEPT, sk);
407
408 AA_BUG(!profile);
409 AA_BUG(!sk);
410 AA_BUG(UNIX_FS(sk));
411 AA_BUG(profile_unconfined(profile));
412
413 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
414 if (state) {
415 state = match_to_sk(profile, state, unix_sk(sk),
416 &aad(&sa)->info);
417 return do_perms(profile, state, AA_MAY_ACCEPT, &sa);
418 }
419
420 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_ACCEPT, sk);
421}
422
423/* ability of sock to connect, not peer address binding */
424int aa_unix_accept_perm(struct socket *sock, struct socket *newsock)
425{
426 struct aa_profile *profile;
427 struct aa_label *label;
428 int error = 0;
429
430 label = begin_current_label_crit_section();
431 if (!(unconfined(label) || UNIX_FS(sock->sk)))
432 error = fn_for_each_confined(label, profile,
433 profile_accept_perm(profile, sock->sk,
434 newsock->sk));
435 end_current_label_crit_section(label);
436
437 return error;
438}
439
440
441/* dgram handled by unix_may_sendmsg, right to send on stream done at connect
442 * could do per msg unix_stream here
443 */
444/* sendmsg, recvmsg */
445int aa_unix_msg_perm(const char *op, u32 request, struct socket *sock,
446 struct msghdr *msg, int size)
447{
448 return 0;
449}
450
451
452static int profile_opt_perm(struct aa_profile *profile, const char *op, u32 request,
453 struct sock *sk, int level, int optname)
454{
455 unsigned int state;
456 DEFINE_AUDIT_SK(sa, op, sk);
457
458 AA_BUG(!profile);
459 AA_BUG(!sk);
460 AA_BUG(UNIX_FS(sk));
461 AA_BUG(profile_unconfined(profile));
462
463 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
464 if (state) {
465 __be16 b = cpu_to_be16(optname);
466
467 state = match_to_cmd(profile, state, unix_sk(sk), CMD_OPT,
468 &aad(&sa)->info);
469 if (state) {
470 state = aa_dfa_match_len(profile->policy.dfa, state,
471 (char *) &b, 2);
472 if (!state)
473 aad(&sa)->info = "failed sockopt match";
474 }
475 return do_perms(profile, state, request, &sa);
476 }
477
478 return aa_profile_af_sk_perm(profile, &sa, request, sk);
479}
480
481int aa_unix_opt_perm(const char *op, u32 request, struct socket *sock, int level,
482 int optname)
483{
484 struct aa_profile *profile;
485 struct aa_label *label;
486 int error = 0;
487
488 label = begin_current_label_crit_section();
489 if (!(unconfined(label) || UNIX_FS(sock->sk)))
490 error = fn_for_each_confined(label, profile,
491 profile_opt_perm(profile, op, request,
492 sock->sk, level, optname));
493 end_current_label_crit_section(label);
494
495 return error;
496}
497
498/* null peer_label is allowed, in which case the peer_sk label is used */
499static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 request,
500 struct sock *sk, struct sock *peer_sk,
501 struct aa_label *peer_label,
502 struct common_audit_data *sa)
503{
504 unsigned int state;
505
506 AA_BUG(!profile);
507 AA_BUG(profile_unconfined(profile));
508 AA_BUG(!sk);
509 AA_BUG(!peer_sk);
510 AA_BUG(UNIX_FS(peer_sk));
511
512 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
513 if (state) {
514 struct aa_sk_ctx *peer_ctx = SK_CTX(peer_sk);
515 struct aa_profile *peerp;
516 struct sockaddr_un *addr = NULL;
517 int len = 0;
518 if (unix_sk(peer_sk)->addr) {
519 addr = unix_sk(peer_sk)->addr->name;
520 len = unix_sk(peer_sk)->addr->len;
521 }
522 state = match_to_peer(profile, state, unix_sk(sk),
523 addr, len, &aad(sa)->info);
524 if (!peer_label)
525 peer_label = peer_ctx->label;
526 return fn_for_each_in_ns(peer_label, peerp,
527 match_label(profile, peerp, state, request,
528 sa));
529 }
530
531 return aa_profile_af_sk_perm(profile, sa, request, sk);
532}
533
534/**
535 *
536 * Requires: lock held on both @sk and @peer_sk
537 */
538int aa_unix_peer_perm(struct aa_label *label, const char *op, u32 request,
539 struct sock *sk, struct sock *peer_sk,
540 struct aa_label *peer_label)
541{
542 struct unix_sock *peeru = unix_sk(peer_sk);
543 struct unix_sock *u = unix_sk(sk);
544
545 AA_BUG(!label);
546 AA_BUG(!sk);
547 AA_BUG(!peer_sk);
548
549 if (UNIX_FS(aa_sock(peeru)))
550 return unix_fs_perm(op, request, label, peeru, 0);
551 else if (UNIX_FS(aa_sock(u)))
552 return unix_fs_perm(op, request, label, u, 0);
553 else {
554 struct aa_profile *profile;
555 DEFINE_AUDIT_SK(sa, op, sk);
556 aad(&sa)->net.peer_sk = peer_sk;
557
558 /* TODO: ns!!! */
559 if (!net_eq(sock_net(sk), sock_net(peer_sk))) {
560 ;
561 }
562
563 if (unconfined(label))
564 return 0;
565
566 return fn_for_each_confined(label, profile,
567 profile_peer_perm(profile, op, request, sk,
568 peer_sk, peer_label, &sa));
569 }
570}
571
572
573/* from net/unix/af_unix.c */
574static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
575{
576 if (unlikely(sk1 == sk2) || !sk2) {
577 unix_state_lock(sk1);
578 return;
579 }
580 if (sk1 < sk2) {
581 unix_state_lock(sk1);
582 unix_state_lock_nested(sk2);
583 } else {
584 unix_state_lock(sk2);
585 unix_state_lock_nested(sk1);
586 }
587}
588
589static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
590{
591 if (unlikely(sk1 == sk2) || !sk2) {
592 unix_state_unlock(sk1);
593 return;
594 }
595 unix_state_unlock(sk1);
596 unix_state_unlock(sk2);
597}
598
599int aa_unix_file_perm(struct aa_label *label, const char *op, u32 request,
600 struct socket *sock)
601{
602 struct sock *peer_sk = NULL;
603 u32 sk_req = request & ~NET_PEER_MASK;
604 int error = 0;
605
606 AA_BUG(!label);
607 AA_BUG(!sock);
608 AA_BUG(!sock->sk);
609 AA_BUG(sock->sk->sk_family != AF_UNIX);
610
611 /* TODO: update sock label with new task label */
612 unix_state_lock(sock->sk);
613 peer_sk = unix_peer(sock->sk);
614 if (peer_sk)
615 sock_hold(peer_sk);
616 if (!unix_connected(sock) && sk_req) {
617 error = unix_label_sock_perm(label, op, sk_req, sock);
618 if (!error) {
619 // update label
620 }
621 }
622 unix_state_unlock(sock->sk);
623 if (!peer_sk)
624 return error;
625
626 unix_state_double_lock(sock->sk, peer_sk);
627 if (UNIX_FS(sock->sk)) {
628 error = unix_fs_perm(op, request, label, unix_sk(sock->sk),
629 PATH_SOCK_COND);
630 } else if (UNIX_FS(peer_sk)) {
631 error = unix_fs_perm(op, request, label, unix_sk(peer_sk),
632 PATH_SOCK_COND);
633 } else {
634 struct aa_sk_ctx *pctx = SK_CTX(peer_sk);
635 if (sk_req)
636 error = aa_unix_label_sk_perm(label, op, sk_req,
637 sock->sk);
638 last_error(error,
639 xcheck(aa_unix_peer_perm(label, op,
640 MAY_READ | MAY_WRITE,
641 sock->sk, peer_sk, NULL),
642 aa_unix_peer_perm(pctx->label, op,
643 MAY_READ | MAY_WRITE,
644 peer_sk, sock->sk, label)));
645 }
646
647 unix_state_double_unlock(sock->sk, peer_sk);
648 sock_put(peer_sk);
649
650 return error;
651}
ubuntu-bionic-kernel mirror