]>
Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
56974a6f JJ |
2 | /* |
3 | * AppArmor security module | |
4 | * | |
5 | * This file contains AppArmor network mediation | |
6 | * | |
7 | * Copyright (C) 1998-2008 Novell/SUSE | |
8 | * Copyright 2009-2017 Canonical Ltd. | |
56974a6f JJ |
9 | */ |
10 | ||
11 | #include "include/apparmor.h" | |
12 | #include "include/audit.h" | |
13 | #include "include/cred.h" | |
14 | #include "include/label.h" | |
15 | #include "include/net.h" | |
16 | #include "include/policy.h" | |
ab9f2115 | 17 | #include "include/secid.h" |
56974a6f JJ |
18 | |
19 | #include "net_names.h" | |
20 | ||
21 | ||
22 | struct aa_sfs_entry aa_sfs_entry_network[] = { | |
23 | AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK), | |
24 | { } | |
25 | }; | |
26 | ||
27 | static const char * const net_mask_names[] = { | |
28 | "unknown", | |
29 | "send", | |
30 | "receive", | |
31 | "unknown", | |
32 | ||
33 | "create", | |
34 | "shutdown", | |
35 | "connect", | |
36 | "unknown", | |
37 | ||
38 | "setattr", | |
39 | "getattr", | |
40 | "setcred", | |
41 | "getcred", | |
42 | ||
43 | "chmod", | |
44 | "chown", | |
45 | "chgrp", | |
46 | "lock", | |
47 | ||
48 | "mmap", | |
49 | "mprot", | |
50 | "unknown", | |
51 | "unknown", | |
52 | ||
53 | "accept", | |
54 | "bind", | |
55 | "listen", | |
56 | "unknown", | |
57 | ||
58 | "setopt", | |
59 | "getopt", | |
60 | "unknown", | |
61 | "unknown", | |
62 | ||
63 | "unknown", | |
64 | "unknown", | |
65 | "unknown", | |
66 | "unknown", | |
67 | }; | |
68 | ||
69 | ||
70 | /* audit callback for net specific fields */ | |
71 | void audit_net_cb(struct audit_buffer *ab, void *va) | |
72 | { | |
73 | struct common_audit_data *sa = va; | |
74 | ||
56974a6f | 75 | if (address_family_names[sa->u.net->family]) |
f1d9b23c RGB |
76 | audit_log_format(ab, " family=\"%s\"", |
77 | address_family_names[sa->u.net->family]); | |
56974a6f | 78 | else |
f1d9b23c RGB |
79 | audit_log_format(ab, " family=\"unknown(%d)\"", |
80 | sa->u.net->family); | |
56974a6f | 81 | if (sock_type_names[aad(sa)->net.type]) |
f1d9b23c RGB |
82 | audit_log_format(ab, " sock_type=\"%s\"", |
83 | sock_type_names[aad(sa)->net.type]); | |
56974a6f | 84 | else |
f1d9b23c RGB |
85 | audit_log_format(ab, " sock_type=\"unknown(%d)\"", |
86 | aad(sa)->net.type); | |
56974a6f JJ |
87 | audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol); |
88 | ||
89 | if (aad(sa)->request & NET_PERMS_MASK) { | |
90 | audit_log_format(ab, " requested_mask="); | |
91 | aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0, | |
92 | net_mask_names, NET_PERMS_MASK); | |
93 | ||
94 | if (aad(sa)->denied & NET_PERMS_MASK) { | |
95 | audit_log_format(ab, " denied_mask="); | |
96 | aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0, | |
97 | net_mask_names, NET_PERMS_MASK); | |
98 | } | |
99 | } | |
100 | if (aad(sa)->peer) { | |
101 | audit_log_format(ab, " peer="); | |
102 | aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, | |
103 | FLAGS_NONE, GFP_ATOMIC); | |
104 | } | |
105 | } | |
106 | ||
107 | /* Generic af perm */ | |
108 | int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, | |
109 | u32 request, u16 family, int type) | |
110 | { | |
111 | struct aa_perms perms = { }; | |
112 | unsigned int state; | |
113 | __be16 buffer[2]; | |
114 | ||
115 | AA_BUG(family >= AF_MAX); | |
116 | AA_BUG(type < 0 || type >= SOCK_MAX); | |
117 | ||
118 | if (profile_unconfined(profile)) | |
119 | return 0; | |
120 | state = PROFILE_MEDIATES(profile, AA_CLASS_NET); | |
121 | if (!state) | |
122 | return 0; | |
123 | ||
124 | buffer[0] = cpu_to_be16(family); | |
125 | buffer[1] = cpu_to_be16((u16) type); | |
126 | state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer, | |
127 | 4); | |
128 | aa_compute_perms(profile->policy.dfa, state, &perms); | |
129 | aa_apply_modes_to_perms(profile, &perms); | |
130 | ||
131 | return aa_check_perms(profile, &perms, request, sa, audit_net_cb); | |
132 | } | |
133 | ||
134 | int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, | |
135 | int type, int protocol) | |
136 | { | |
137 | struct aa_profile *profile; | |
138 | DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol); | |
139 | ||
140 | return fn_for_each_confined(label, profile, | |
141 | aa_profile_af_perm(profile, &sa, request, family, | |
142 | type)); | |
143 | } | |
144 | ||
145 | static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, | |
146 | struct sock *sk) | |
147 | { | |
5f997580 | 148 | int error = 0; |
56974a6f JJ |
149 | |
150 | AA_BUG(!label); | |
151 | AA_BUG(!sk); | |
152 | ||
5f997580 TJ |
153 | if (!unconfined(label)) { |
154 | struct aa_profile *profile; | |
155 | DEFINE_AUDIT_SK(sa, op, sk); | |
56974a6f | 156 | |
5f997580 TJ |
157 | error = fn_for_each_confined(label, profile, |
158 | aa_profile_af_sk_perm(profile, &sa, request, sk)); | |
159 | } | |
160 | ||
161 | return error; | |
56974a6f JJ |
162 | } |
163 | ||
164 | int aa_sk_perm(const char *op, u32 request, struct sock *sk) | |
165 | { | |
166 | struct aa_label *label; | |
167 | int error; | |
168 | ||
169 | AA_BUG(!sk); | |
170 | AA_BUG(in_interrupt()); | |
171 | ||
172 | /* TODO: switch to begin_current_label ???? */ | |
173 | label = begin_current_label_crit_section(); | |
174 | error = aa_label_sk_perm(label, op, request, sk); | |
175 | end_current_label_crit_section(label); | |
176 | ||
177 | return error; | |
178 | } | |
179 | ||
180 | ||
181 | int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, | |
182 | struct socket *sock) | |
183 | { | |
184 | AA_BUG(!label); | |
185 | AA_BUG(!sock); | |
186 | AA_BUG(!sock->sk); | |
187 | ||
188 | return aa_label_sk_perm(label, op, request, sock->sk); | |
189 | } | |
ab9f2115 | 190 | |
e1af4779 | 191 | #ifdef CONFIG_NETWORK_SECMARK |
ab9f2115 MG |
192 | static int apparmor_secmark_init(struct aa_secmark *secmark) |
193 | { | |
194 | struct aa_label *label; | |
195 | ||
196 | if (secmark->label[0] == '*') { | |
197 | secmark->secid = AA_SECID_WILDCARD; | |
198 | return 0; | |
199 | } | |
200 | ||
201 | label = aa_label_strn_parse(&root_ns->unconfined->label, | |
202 | secmark->label, strlen(secmark->label), | |
203 | GFP_ATOMIC, false, false); | |
204 | ||
205 | if (IS_ERR(label)) | |
206 | return PTR_ERR(label); | |
207 | ||
208 | secmark->secid = label->secid; | |
209 | ||
210 | return 0; | |
211 | } | |
212 | ||
213 | static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid, | |
214 | struct common_audit_data *sa, struct sock *sk) | |
215 | { | |
216 | int i, ret; | |
217 | struct aa_perms perms = { }; | |
218 | ||
219 | if (profile->secmark_count == 0) | |
220 | return 0; | |
221 | ||
222 | for (i = 0; i < profile->secmark_count; i++) { | |
223 | if (!profile->secmark[i].secid) { | |
224 | ret = apparmor_secmark_init(&profile->secmark[i]); | |
225 | if (ret) | |
226 | return ret; | |
227 | } | |
228 | ||
229 | if (profile->secmark[i].secid == secid || | |
230 | profile->secmark[i].secid == AA_SECID_WILDCARD) { | |
231 | if (profile->secmark[i].deny) | |
232 | perms.deny = ALL_PERMS_MASK; | |
233 | else | |
234 | perms.allow = ALL_PERMS_MASK; | |
235 | ||
236 | if (profile->secmark[i].audit) | |
237 | perms.audit = ALL_PERMS_MASK; | |
238 | } | |
239 | } | |
240 | ||
241 | aa_apply_modes_to_perms(profile, &perms); | |
242 | ||
243 | return aa_check_perms(profile, &perms, request, sa, audit_net_cb); | |
244 | } | |
245 | ||
246 | int apparmor_secmark_check(struct aa_label *label, char *op, u32 request, | |
247 | u32 secid, struct sock *sk) | |
248 | { | |
249 | struct aa_profile *profile; | |
250 | DEFINE_AUDIT_SK(sa, op, sk); | |
251 | ||
252 | return fn_for_each_confined(label, profile, | |
253 | aa_secmark_perm(profile, request, secid, | |
254 | &sa, sk)); | |
255 | } | |
e1af4779 | 256 | #endif |