1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor network mediation definitions. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2017 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_NET_H | |
16 | #define __AA_NET_H | |
17 | ||
18 | #include <net/sock.h> | |
19 | #include <linux/path.h> | |
4ae2508f | 20 | #include <linux/lsm_hooks.h> |
21 | |
22 | #include "apparmorfs.h" | |
23 | #include "label.h" | |
24 | #include "perms.h" | |
25 | #include "policy.h" | |
26 | ||
/*
 * Socket permission bits.
 *
 * Where a socket operation has a natural file analogue it reuses the
 * generic AA_MAY_* bit from perms.h; the remaining socket-only
 * operations get bits of their own.  perms.h is not visible here, so
 * check it for collisions before adding another socket-only bit.
 */
#define AA_MAY_SEND AA_MAY_WRITE		/* same bit as file write */
#define AA_MAY_RECEIVE AA_MAY_READ		/* same bit as file read */

#define AA_MAY_SHUTDOWN AA_MAY_DELETE		/* same bit as file delete */

#define AA_MAY_CONNECT AA_MAY_OPEN		/* same bit as file open */
#define AA_MAY_ACCEPT 0x00100000		/* socket-only bits from here on */

#define AA_MAY_BIND 0x00200000
#define AA_MAY_LISTEN 0x00400000

#define AA_MAY_SETOPT 0x01000000
#define AA_MAY_GETOPT 0x02000000

/* every socket permission bit, the generic create/setattr/getattr ones included */
#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
			AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \
			AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
			AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)

/*
 * Permission bits allowed for a socket that is checked as a file
 * (presumably the aa_sock_file_perm() path — confirm): the generic file
 * bits plus the aliased send/receive/shutdown/connect bits, but none of
 * the socket-only accept/bind/listen/setopt/getopt bits above.
 */
#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
		      AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
		      AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \
		      AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \
		      AA_MAY_MPROT)

/* the subset of socket permissions that involve a remote peer */
#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
		       AA_MAY_ACCEPT)
/*
 * struct aa_sk_ctx - AppArmor's per-socket context (lives in sk_security,
 *                    located via apparmor_sock())
 * @label: aa_label associated with the socket — review: inferred from the
 *         field name, confirm which hook sets it
 * @peer:  aa_label of the socket's peer — review: inferred, confirm
 * @path:  path associated with the socket — review: presumably only
 *         meaningful for path-based (AF_UNIX) sockets, confirm
 *
 * NOTE(review): both labels are aa_label pointers; whoever tears down the
 * context must drop whatever references it holds — confirm the
 * corresponding free hook does so.
 */
struct aa_sk_ctx {
	struct aa_label *label;
	struct aa_label *peer;
	struct path path;
};
59 | ||
60 | extern struct lsm_blob_sizes apparmor_blob_sizes; |
/*
 * apparmor_sock - locate AppArmor's per-socket context inside @sk
 * @sk: socket whose sk_security blob is wanted
 *
 * With CONFIG_SECURITY_STACKING the sk_security blob is shared with other
 * LSMs and AppArmor's slice starts apparmor_blob_sizes.lbs_sock bytes in
 * (that is how lbs_sock is used here); without stacking the whole blob is
 * AppArmor's.
 *
 * NOTE(review): sk->sk_security is not checked for NULL.  Under stacking
 * a NULL blob would come back as a small bogus non-NULL pointer rather
 * than NULL, so callers must only pass sockets whose blob has been
 * allocated — confirm against the sk_alloc_security hook.
 */
static inline struct aa_sk_ctx *apparmor_sock(const struct sock *sk)
{
	void *blob = sk->sk_security;

#ifdef CONFIG_SECURITY_STACKING
	/* step over the part of the shared blob that is not ours */
	blob += apparmor_blob_sizes.lbs_sock;
#endif
	return blob;
}
/* AppArmor context of a struct sock; thin wrapper around apparmor_sock() */
#define SK_CTX(X) apparmor_sock(X)
/* i_security blob of the inode behind a struct socket (SOCK_INODE(X)) */
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
/*
 * DEFINE_AUDIT_NET - declare and initialise audit data for a socket op
 * @NAME: name of the common_audit_data variable to declare
 * @OP:   operation passed through to DEFINE_AUDIT_DATA
 * @SK:   struct sock being audited, may be NULL
 * @F:    address family
 * @T:    socket type, stored in aad(&NAME)->net.type
 * @P:    protocol, stored in aad(&NAME)->net.protocol
 *
 * Declares two variables, NAME and NAME_net (a struct lsm_network_audit),
 * so it must be used where declarations are allowed.  The audit data is
 * typed LSM_AUDIT_DATA_NET only when SK is non-NULL and the family is not
 * AF_UNIX; otherwise it is LSM_AUDIT_DATA_NONE — presumably AF_UNIX
 * sockets are reported by path elsewhere, confirm.
 *
 * NOTE: SK and F are each expanded more than once; pass side-effect-free
 * expressions.
 */
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)				  \
	struct lsm_network_audit NAME ## _net = { .sk = (SK),		  \
						  .family = (F)};	  \
	DEFINE_AUDIT_DATA(NAME,						  \
			  ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
			  LSM_AUDIT_DATA_NONE,				  \
			  OP);						  \
	NAME.u.net = &(NAME ## _net);					  \
	aad(&NAME)->net.type = (T);					  \
	aad(&NAME)->net.protocol = (P)
81 | ||
/*
 * DEFINE_AUDIT_SK - DEFINE_AUDIT_NET with family/type/protocol taken from @SK
 * @NAME: name of the common_audit_data variable to declare
 * @OP:   operation passed through to DEFINE_AUDIT_DATA
 * @SK:   struct sock being audited
 *
 * Unlike DEFINE_AUDIT_NET, SK is dereferenced unconditionally here for
 * sk_family/sk_type/sk_protocol, so it must not be NULL.  SK is also
 * expanded several times; pass a side-effect-free expression.
 */
#define DEFINE_AUDIT_SK(NAME, OP, SK)					\
	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,	\
			 (SK)->sk_protocol)
85 | ||
/* struct aa_net - network confinement data
 * @allow: basic network families permissions
 * @audit: which network permissions to force audit
 * @quiet: which network permissions to quiet rejects
 *
 * Each table has one entry per address family (AF_MAX).  The entries are
 * u16, which cannot hold the AA_MAY_* socket bits defined above
 * (AA_MAY_ACCEPT through AA_MAY_GETOPT are bits 20-25), so these tables
 * necessarily use a per-family encoding of their own — presumably keyed
 * on socket type, matching the (family, type) pair aa_profile_af_perm()
 * takes; confirm against its implementation before adding bits here.
 */
struct aa_net {
	u16 allow[AF_MAX];
	u16 audit[AF_MAX];
	u16 quiet[AF_MAX];
};
96 | ||
97 | ||
98 | extern struct aa_sfs_entry aa_sfs_entry_network[]; | |
99 | ||
100 | void audit_net_cb(struct audit_buffer *ab, void *va); | |
101 | int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, | |
102 | u32 request, u16 family, int type); | |
/*
 * aa_profile_af_sk_perm - aa_profile_af_perm() for a struct sock
 * @profile: profile to check against
 * @sa: audit data passed through to aa_profile_af_perm()
 * @request: requested permission bits
 * @sk: socket whose family and type are checked; must not be NULL
 *
 * Convenience wrapper that pulls the address family and socket type out
 * of @sk.  Returns whatever aa_profile_af_perm() returns.
 */
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
					struct common_audit_data *sa,
					u32 request,
					struct sock *sk)
{
	unsigned short family = sk->sk_family;
	int type = sk->sk_type;

	return aa_profile_af_perm(profile, sa, request, family, type);
}
112 | int aa_sock_perm(const char *op, u32 request, struct socket *sock); |
113 | int aa_sock_create_perm(struct aa_label *label, int family, int type, | |
114 | int protocol); | |
115 | int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address, | |
116 | int addrlen); | |
117 | int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address, | |
118 | int addrlen); | |
119 | int aa_sock_listen_perm(struct socket *sock, int backlog); | |
120 | int aa_sock_accept_perm(struct socket *sock, struct socket *newsock); | |
121 | int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, | |
122 | struct msghdr *msg, int size); | |
123 | int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level, | |
124 | int optname); | |
125 | int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, |
126 | struct socket *sock); | |
127 | ||
128 | ||
/*
 * aa_free_net_rules - release resources held by a set of network rules
 * @new: rules to release; may be NULL
 *
 * Currently a no-op: struct aa_net embeds only fixed-size u16 arrays and
 * owns nothing allocated separately, so there is nothing to free.
 * Presumably kept so callers need not change if that ever changes.
 */
static inline void aa_free_net_rules(struct aa_net *new)
{
	(void)new;
}
133 | ||
134 | #endif /* __AA_NET_H */ |