projects / mirror_ubuntu-artful-kernel.git / blame
| Commit | Line | Data |
|---|---|---|
| 695b0eb9 JJ |
1 | /* |
| 2 | * AppArmor security module | |
| 3 | * | |
| 4 | * This file contains AppArmor network mediation definitions. | |
| 5 | * | |
| 6 | * Copyright (C) 1998-2008 Novell/SUSE | |
| 7 | * Copyright 2009-2017 Canonical Ltd. | |
| 8 | * | |
| 9 | * This program is free software; you can redistribute it and/or | |
| 10 | * modify it under the terms of the GNU General Public License as | |
| 11 | * published by the Free Software Foundation, version 2 of the | |
| 12 | * License. | |
| 13 | */ | |
| 14 | ||
| 15 | #ifndef __AA_NET_H | |
| 16 | #define __AA_NET_H | |
| 17 | ||
| 18 | #include <net/sock.h> | |
| 19 | #include <linux/path.h> | |
| 4ae2508f | 20 | #include <linux/lsm_hooks.h> |
| 695b0eb9 JJ |
21 | |
| 22 | #include "apparmorfs.h" | |
| 23 | #include "label.h" | |
| 24 | #include "perms.h" | |
| 25 | #include "policy.h" | |
| 26 | ||
| 27 | #define AA_MAY_SEND AA_MAY_WRITE | |
| 28 | #define AA_MAY_RECEIVE AA_MAY_READ | |
| 29 | ||
| 30 | #define AA_MAY_SHUTDOWN AA_MAY_DELETE | |
| 31 | ||
| 32 | #define AA_MAY_CONNECT AA_MAY_OPEN | |
| 33 | #define AA_MAY_ACCEPT 0x00100000 | |
| 34 | ||
| 35 | #define AA_MAY_BIND 0x00200000 | |
| 36 | #define AA_MAY_LISTEN 0x00400000 | |
| 37 | ||
| 38 | #define AA_MAY_SETOPT 0x01000000 | |
| 39 | #define AA_MAY_GETOPT 0x02000000 | |
| 40 | ||
| 41 | #define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \ | |
| 42 | AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \ | |
| 43 | AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \ | |
| 44 | AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT) | |
| 45 | ||
| 46 | #define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \ | |
| 47 | AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\ | |
| 48 | AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \ | |
| 49 | AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \ | |
| 50 | AA_MAY_MPROT) | |
| 51 | ||
| 52 | #define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \ | |
| 53 | AA_MAY_ACCEPT) | |
| 54 | struct aa_sk_ctx { | |
| 55 | struct aa_label *label; | |
| 56 | struct aa_label *peer; | |
| 57 | struct path path; | |
| 58 | }; | |
| 59 | ||
| 4ae2508f JJ |
60 | extern struct lsm_blob_sizes apparmor_blob_sizes; |
| 61 | static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk) | |
| 62 | { | |
| 63 | #ifdef CONFIG_SECURITY_STACKING | |
| 64 | return sk->sk_security + apparmor_blob_sizes.lbs_sock; | |
| 65 | #else | |
| 66 | return sk->sk_security; | |
| 67 | #endif | |
| 68 | } | |
| 69 | #define SK_CTX(X) apparmor_sock(X) | |
| 695b0eb9 JJ |
70 | #define SOCK_ctx(X) SOCK_INODE(X)->i_security |
| 71 | #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ | |
| 72 | struct lsm_network_audit NAME ## _net = { .sk = (SK), \ | |
| 73 | .family = (F)}; \ | |
| 74 | DEFINE_AUDIT_DATA(NAME, \ | |
| 75 | ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \ | |
| 76 | LSM_AUDIT_DATA_NONE, \ | |
| 77 | OP); \ | |
| 78 | NAME.u.net = &(NAME ## _net); \ | |
| 79 | aad(&NAME)->net.type = (T); \ | |
| 80 | aad(&NAME)->net.protocol = (P) | |
| 81 | ||
| 82 | #define DEFINE_AUDIT_SK(NAME, OP, SK) \ | |
| 83 | DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \ | |
| 84 | (SK)->sk_protocol) | |
| 85 | ||
| 86 | /* struct aa_net - network confinement data | |
| 87 | * @allow: basic network families permissions | |
| 88 | * @audit: which network permissions to force audit | |
| 89 | * @quiet: which network permissions to quiet rejects | |
| 90 | */ | |
| 91 | struct aa_net { | |
| 92 | u16 allow[AF_MAX]; | |
| 93 | u16 audit[AF_MAX]; | |
| 94 | u16 quiet[AF_MAX]; | |
| 95 | }; | |
| 96 | ||
| 97 | ||
| 98 | extern struct aa_sfs_entry aa_sfs_entry_network[]; | |
| 99 | ||
| 100 | void audit_net_cb(struct audit_buffer *ab, void *va); | |
| 101 | int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, | |
| 102 | u32 request, u16 family, int type); | |
| 695b0eb9 JJ |
103 | static inline int aa_profile_af_sk_perm(struct aa_profile *profile, |
| 104 | struct common_audit_data *sa, | |
| 105 | u32 request, | |
| 106 | struct sock *sk) | |
| 107 | { | |
| 108 | return aa_profile_af_perm(profile, sa, request, sk->sk_family, | |
| 109 | sk->sk_type); | |
| 110 | } | |
| 695b0eb9 | 111 | |
| fd1cafbb JJ |
112 | int aa_sock_perm(const char *op, u32 request, struct socket *sock); |
| 113 | int aa_sock_create_perm(struct aa_label *label, int family, int type, | |
| 114 | int protocol); | |
| 115 | int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address, | |
| 116 | int addrlen); | |
| 117 | int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address, | |
| 118 | int addrlen); | |
| 119 | int aa_sock_listen_perm(struct socket *sock, int backlog); | |
| 120 | int aa_sock_accept_perm(struct socket *sock, struct socket *newsock); | |
| 121 | int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, | |
| 122 | struct msghdr *msg, int size); | |
| 123 | int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level, | |
| 124 | int optname); | |
| 695b0eb9 JJ |
125 | int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, |
| 126 | struct socket *sock); | |
| 127 | ||
| 128 | ||
| 129 | static inline void aa_free_net_rules(struct aa_net *new) | |
| 130 | { | |
| 131 | /* NOP */ | |
| 132 | } | |
| 133 | ||
| 134 | #endif /* __AA_NET_H */ |