]>
Commit | Line | Data |
---|---|---|
695b0eb9 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor network mediation | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2017 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
fd1cafbb | 15 | #include "include/af_unix.h" |
695b0eb9 JJ |
16 | #include "include/apparmor.h" |
17 | #include "include/audit.h" | |
18 | #include "include/context.h" | |
19 | #include "include/label.h" | |
20 | #include "include/net.h" | |
21 | #include "include/policy.h" | |
22 | ||
23 | #include "net_names.h" | |
24 | ||
25 | ||
26 | struct aa_sfs_entry aa_sfs_entry_network[] = { | |
27 | AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK), | |
fd1cafbb | 28 | AA_SFS_FILE_BOOLEAN("af_unix", 1), |
695b0eb9 JJ |
29 | { } |
30 | }; | |
31 | ||
32 | static const char * const net_mask_names[] = { | |
33 | "unknown", | |
34 | "send", | |
35 | "receive", | |
36 | "unknown", | |
37 | ||
38 | "create", | |
39 | "shutdown", | |
40 | "connect", | |
41 | "unknown", | |
42 | ||
43 | "setattr", | |
44 | "getattr", | |
45 | "setcred", | |
46 | "getcred", | |
47 | ||
48 | "chmod", | |
49 | "chown", | |
50 | "chgrp", | |
51 | "lock", | |
52 | ||
53 | "mmap", | |
54 | "mprot", | |
55 | "unknown", | |
56 | "unknown", | |
57 | ||
58 | "accept", | |
59 | "bind", | |
60 | "listen", | |
61 | "unknown", | |
62 | ||
63 | "setopt", | |
64 | "getopt", | |
65 | "unknown", | |
66 | "unknown", | |
67 | ||
68 | "unknown", | |
69 | "unknown", | |
70 | "unknown", | |
71 | "unknown", | |
72 | }; | |
73 | ||
fd1cafbb JJ |
74 | static void audit_unix_addr(struct audit_buffer *ab, const char *str, |
75 | struct sockaddr_un *addr, int addrlen) | |
76 | { | |
77 | int len = unix_addr_len(addrlen); | |
78 | ||
79 | if (!addr || len <= 0) { | |
80 | audit_log_format(ab, " %s=none", str); | |
81 | } else if (addr->sun_path[0]) { | |
82 | audit_log_format(ab, " %s=", str); | |
83 | audit_log_untrustedstring(ab, addr->sun_path); | |
84 | } else { | |
85 | audit_log_format(ab, " %s=\"@", str); | |
86 | if (audit_string_contains_control(&addr->sun_path[1], len - 1)) | |
87 | audit_log_n_hex(ab, &addr->sun_path[1], len - 1); | |
88 | else | |
89 | audit_log_format(ab, "%.*s", len - 1, | |
90 | &addr->sun_path[1]); | |
91 | audit_log_format(ab, "\""); | |
92 | } | |
93 | } | |
94 | ||
95 | static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str, | |
96 | struct sock *sk) | |
97 | { | |
98 | struct unix_sock *u = unix_sk(sk); | |
99 | if (u && u->addr) | |
100 | audit_unix_addr(ab, str, u->addr->name, u->addr->len); | |
101 | else | |
102 | audit_unix_addr(ab, str, NULL, 0); | |
103 | } | |
695b0eb9 JJ |
104 | |
105 | /* audit callback for net specific fields */ | |
106 | void audit_net_cb(struct audit_buffer *ab, void *va) | |
107 | { | |
108 | struct common_audit_data *sa = va; | |
109 | ||
110 | audit_log_format(ab, " family="); | |
111 | if (address_family_names[sa->u.net->family]) | |
112 | audit_log_string(ab, address_family_names[sa->u.net->family]); | |
113 | else | |
114 | audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family); | |
115 | audit_log_format(ab, " sock_type="); | |
116 | if (sock_type_names[aad(sa)->net.type]) | |
117 | audit_log_string(ab, sock_type_names[aad(sa)->net.type]); | |
118 | else | |
119 | audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type); | |
120 | audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol); | |
121 | ||
122 | if (aad(sa)->request & NET_PERMS_MASK) { | |
123 | audit_log_format(ab, " requested_mask="); | |
124 | aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0, | |
125 | net_mask_names, NET_PERMS_MASK); | |
126 | ||
127 | if (aad(sa)->denied & NET_PERMS_MASK) { | |
128 | audit_log_format(ab, " denied_mask="); | |
129 | aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0, | |
130 | net_mask_names, NET_PERMS_MASK); | |
131 | } | |
132 | } | |
fd1cafbb JJ |
133 | if (sa->u.net->family == AF_UNIX) { |
134 | if ((aad(sa)->request & ~NET_PEER_MASK) && aad(sa)->net.addr) | |
135 | audit_unix_addr(ab, "addr", | |
136 | unix_addr(aad(sa)->net.addr), | |
137 | aad(sa)->net.addrlen); | |
138 | else | |
139 | audit_unix_sk_addr(ab, "addr", sa->u.net->sk); | |
140 | if (aad(sa)->request & NET_PEER_MASK) { | |
141 | if (aad(sa)->net.addr) | |
142 | audit_unix_addr(ab, "peer_addr", | |
143 | unix_addr(aad(sa)->net.addr), | |
144 | aad(sa)->net.addrlen); | |
145 | else | |
146 | audit_unix_sk_addr(ab, "peer_addr", | |
147 | aad(sa)->net.peer_sk); | |
148 | } | |
149 | } | |
695b0eb9 JJ |
150 | if (aad(sa)->peer) { |
151 | audit_log_format(ab, " peer="); | |
152 | aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, | |
153 | FLAGS_NONE, GFP_ATOMIC); | |
154 | } | |
155 | } | |
156 | ||
157 | ||
158 | /* Generic af perm */ | |
159 | int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, | |
160 | u32 request, u16 family, int type) | |
161 | { | |
162 | struct aa_perms perms = { }; | |
163 | ||
164 | AA_BUG(family >= AF_MAX); | |
165 | AA_BUG(type < 0 || type >= SOCK_MAX); | |
166 | ||
167 | if (profile_unconfined(profile)) | |
168 | return 0; | |
169 | ||
170 | perms.allow = (profile->net.allow[family] & (1 << type)) ? | |
171 | ALL_PERMS_MASK : 0; | |
172 | perms.audit = (profile->net.audit[family] & (1 << type)) ? | |
173 | ALL_PERMS_MASK : 0; | |
174 | perms.quiet = (profile->net.quiet[family] & (1 << type)) ? | |
175 | ALL_PERMS_MASK : 0; | |
176 | aa_apply_modes_to_perms(profile, &perms); | |
177 | ||
178 | return aa_check_perms(profile, &perms, request, sa, audit_net_cb); | |
179 | } | |
180 | ||
181 | int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, | |
182 | int type, int protocol) | |
183 | { | |
184 | struct aa_profile *profile; | |
185 | DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol); | |
186 | ||
187 | return fn_for_each_confined(label, profile, | |
188 | aa_profile_af_perm(profile, &sa, request, family, | |
189 | type)); | |
190 | } | |
191 | ||
192 | static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, | |
193 | struct sock *sk) | |
194 | { | |
195 | struct aa_profile *profile; | |
196 | DEFINE_AUDIT_SK(sa, op, sk); | |
197 | ||
198 | AA_BUG(!label); | |
199 | AA_BUG(!sk); | |
200 | ||
201 | if (unconfined(label)) | |
202 | return 0; | |
203 | ||
204 | return fn_for_each_confined(label, profile, | |
205 | aa_profile_af_sk_perm(profile, &sa, request, sk)); | |
206 | } | |
207 | ||
208 | int aa_sk_perm(const char *op, u32 request, struct sock *sk) | |
209 | { | |
210 | struct aa_label *label; | |
211 | int error; | |
212 | ||
213 | AA_BUG(!sk); | |
214 | AA_BUG(in_interrupt()); | |
215 | ||
216 | /* TODO: switch to begin_current_label ???? */ | |
217 | label = begin_current_label_crit_section(); | |
218 | error = aa_label_sk_perm(label, op, request, sk); | |
219 | end_current_label_crit_section(label); | |
220 | ||
221 | return error; | |
222 | } | |
223 | ||
fd1cafbb JJ |
224 | #define af_select(FAMILY, FN, DEF_FN) \ |
225 | ({ \ | |
226 | int __e; \ | |
227 | switch ((FAMILY)) { \ | |
228 | case AF_UNIX: \ | |
229 | __e = aa_unix_ ## FN; \ | |
230 | break; \ | |
231 | default: \ | |
232 | __e = DEF_FN; \ | |
233 | } \ | |
234 | __e; \ | |
235 | }) | |
236 | ||
237 | /* TODO: push into lsm.c ???? */ | |
238 | ||
239 | /* revaliation, get/set attr, shutdown */ | |
240 | int aa_sock_perm(const char *op, u32 request, struct socket *sock) | |
241 | { | |
242 | AA_BUG(!sock); | |
243 | AA_BUG(!sock->sk); | |
244 | AA_BUG(in_interrupt()); | |
245 | ||
246 | return af_select(sock->sk->sk_family, | |
247 | sock_perm(op, request, sock), | |
248 | aa_sk_perm(op, request, sock->sk)); | |
249 | } | |
250 | ||
251 | int aa_sock_create_perm(struct aa_label *label, int family, int type, | |
252 | int protocol) | |
253 | { | |
254 | AA_BUG(!label); | |
255 | /* TODO: .... */ | |
256 | AA_BUG(in_interrupt()); | |
257 | ||
258 | return af_select(family, | |
259 | create_perm(label, family, type, protocol), | |
260 | aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family, | |
261 | type, protocol)); | |
262 | } | |
263 | ||
264 | int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address, | |
265 | int addrlen) | |
266 | { | |
267 | AA_BUG(!sock); | |
268 | AA_BUG(!sock->sk); | |
269 | AA_BUG(!address); | |
270 | /* TODO: .... */ | |
271 | AA_BUG(in_interrupt()); | |
272 | ||
273 | return af_select(sock->sk->sk_family, | |
274 | bind_perm(sock, address, addrlen), | |
275 | aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk)); | |
276 | } | |
277 | ||
278 | int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address, | |
279 | int addrlen) | |
280 | { | |
281 | AA_BUG(!sock); | |
282 | AA_BUG(!sock->sk); | |
283 | AA_BUG(!address); | |
284 | /* TODO: .... */ | |
285 | AA_BUG(in_interrupt()); | |
286 | ||
287 | return af_select(sock->sk->sk_family, | |
288 | connect_perm(sock, address, addrlen), | |
289 | aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk)); | |
290 | } | |
291 | ||
292 | int aa_sock_listen_perm(struct socket *sock, int backlog) | |
293 | { | |
294 | AA_BUG(!sock); | |
295 | AA_BUG(!sock->sk); | |
296 | /* TODO: .... */ | |
297 | AA_BUG(in_interrupt()); | |
298 | ||
299 | return af_select(sock->sk->sk_family, | |
300 | listen_perm(sock, backlog), | |
301 | aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk)); | |
302 | } | |
303 | ||
304 | /* ability of sock to connect, not peer address binding */ | |
305 | int aa_sock_accept_perm(struct socket *sock, struct socket *newsock) | |
306 | { | |
307 | AA_BUG(!sock); | |
308 | AA_BUG(!sock->sk); | |
309 | AA_BUG(!newsock); | |
310 | /* TODO: .... */ | |
311 | AA_BUG(in_interrupt()); | |
312 | ||
313 | return af_select(sock->sk->sk_family, | |
314 | accept_perm(sock, newsock), | |
315 | aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk)); | |
316 | } | |
317 | ||
318 | /* sendmsg, recvmsg */ | |
319 | int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, | |
320 | struct msghdr *msg, int size) | |
321 | { | |
322 | AA_BUG(!sock); | |
323 | AA_BUG(!sock->sk); | |
324 | AA_BUG(!msg); | |
325 | /* TODO: .... */ | |
326 | AA_BUG(in_interrupt()); | |
327 | ||
328 | return af_select(sock->sk->sk_family, | |
329 | msg_perm(op, request, sock, msg, size), | |
330 | aa_sk_perm(op, request, sock->sk)); | |
331 | } | |
332 | ||
333 | /* revaliation, get/set attr, opt */ | |
334 | int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level, | |
335 | int optname) | |
336 | { | |
337 | AA_BUG(!sock); | |
338 | AA_BUG(!sock->sk); | |
339 | AA_BUG(in_interrupt()); | |
340 | ||
341 | return af_select(sock->sk->sk_family, | |
342 | opt_perm(op, request, sock, level, optname), | |
343 | aa_sk_perm(op, request, sock->sk)); | |
344 | } | |
695b0eb9 JJ |
345 | |
346 | int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, | |
347 | struct socket *sock) | |
348 | { | |
349 | AA_BUG(!label); | |
350 | AA_BUG(!sock); | |
351 | AA_BUG(!sock->sk); | |
352 | ||
fd1cafbb JJ |
353 | return af_select(sock->sk->sk_family, |
354 | file_perm(label, op, request, sock), | |
355 | aa_label_sk_perm(label, op, request, sock->sk)); | |
695b0eb9 | 356 | } |