[mirror_ubuntu-hirsute-kernel.git] / security / apparmor / net.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor network mediation
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 */

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/cred.h"
#include "include/label.h"
#include "include/net.h"
#include "include/policy.h"
#include "include/secid.h"

#include "net_names.h"


struct aa_sfs_entry aa_sfs_entry_network[] = {
	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
	{ }
};

static const char * const net_mask_names[] = {
	"unknown",
	"send",
	"receive",
	"unknown",

	"create",
	"shutdown",
	"connect",
	"unknown",

	"setattr",
	"getattr",
	"setcred",
	"getcred",

	"chmod",
	"chown",
	"chgrp",
	"lock",

	"mmap",
	"mprot",
	"unknown",
	"unknown",

	"accept",
	"bind",
	"listen",
	"unknown",

	"setopt",
	"getopt",
	"unknown",
	"unknown",

	"unknown",
	"unknown",
	"unknown",
	"unknown",
};


/* audit callback for net specific fields */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;

	if (address_family_names[sa->u.net->family])
		audit_log_format(ab, " family=\"%s\"",
				 address_family_names[sa->u.net->family]);
	else
		audit_log_format(ab, " family=\"unknown(%d)\"",
				 sa->u.net->family);
	if (sock_type_names[aad(sa)->net.type])
		audit_log_format(ab, " sock_type=\"%s\"",
				 sock_type_names[aad(sa)->net.type]);
	else
		audit_log_format(ab, " sock_type=\"unknown(%d)\"",
				 aad(sa)->net.type);
	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	if (aad(sa)->request & NET_PERMS_MASK) {
		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
				   net_mask_names, NET_PERMS_MASK);

		if (aad(sa)->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}
	if (aad(sa)->peer) {
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
				FLAGS_NONE, GFP_ATOMIC);
	}
}

/* Generic af perm */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
{
	struct aa_perms perms = { };
	unsigned int state;
	__be16 buffer[2];

	AA_BUG(family >= AF_MAX);
	AA_BUG(type < 0 || type >= SOCK_MAX);

	if (profile_unconfined(profile))
		return 0;
	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	if (!state)
		return 0;

	buffer[0] = cpu_to_be16(family);
	buffer[1] = cpu_to_be16((u16) type);
	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
				 4);
	aa_compute_perms(profile->policy.dfa, state, &perms);
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}

int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
	       int type, int protocol)
{
	struct aa_profile *profile;
	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);

	return fn_for_each_confined(label, profile,
			aa_profile_af_perm(profile, &sa, request, family,
					   type));
}

static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
			    struct sock *sk)
{
	int error = 0;

	AA_BUG(!label);
	AA_BUG(!sk);

	if (!unconfined(label)) {
		struct aa_profile *profile;
		DEFINE_AUDIT_SK(sa, op, sk);

		error = fn_for_each_confined(label, profile,
			    aa_profile_af_sk_perm(profile, &sa, request, sk));
	}

	return error;
}

int aa_sk_perm(const char *op, u32 request, struct sock *sk)
{
	struct aa_label *label;
	int error;

	AA_BUG(!sk);
	AA_BUG(in_interrupt());

	/* TODO: switch to begin_current_label ???? */
	label = begin_current_label_crit_section();
	error = aa_label_sk_perm(label, op, request, sk);
	end_current_label_crit_section(label);

	return error;
}


int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
		      struct socket *sock)
{
	AA_BUG(!label);
	AA_BUG(!sock);
	AA_BUG(!sock->sk);

	return aa_label_sk_perm(label, op, request, sock->sk);
}

#ifdef CONFIG_NETWORK_SECMARK
static int apparmor_secmark_init(struct aa_secmark *secmark)
{
	struct aa_label *label;

	if (secmark->label[0] == '*') {
		secmark->secid = AA_SECID_WILDCARD;
		return 0;
	}

	label = aa_label_strn_parse(&root_ns->unconfined->label,
				    secmark->label, strlen(secmark->label),
				    GFP_ATOMIC, false, false);

	if (IS_ERR(label))
		return PTR_ERR(label);

	secmark->secid = label->secid;

	return 0;
}

static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
			   struct common_audit_data *sa, struct sock *sk)
{
	int i, ret;
	struct aa_perms perms = { };

	if (profile->secmark_count == 0)
		return 0;

	for (i = 0; i < profile->secmark_count; i++) {
		if (!profile->secmark[i].secid) {
			ret = apparmor_secmark_init(&profile->secmark[i]);
			if (ret)
				return ret;
		}

		if (profile->secmark[i].secid == secid ||
		    profile->secmark[i].secid == AA_SECID_WILDCARD) {
			if (profile->secmark[i].deny)
				perms.deny = ALL_PERMS_MASK;
			else
				perms.allow = ALL_PERMS_MASK;

			if (profile->secmark[i].audit)
				perms.audit = ALL_PERMS_MASK;
		}
	}

	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}

int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
			   u32 secid, struct sock *sk)
{
	struct aa_profile *profile;
	DEFINE_AUDIT_SK(sa, op, sk);

	return fn_for_each_confined(label, profile,
				    aa_secmark_perm(profile, request, secid,
						    &sa, sk));
}
#endif
Commit	Line	Data
b886d83c	1	// SPDX-License-Identifier: GPL-2.0-only
56974a6f JJ	2	/*
	3	* AppArmor security module
	4	*
	5	* This file contains AppArmor network mediation
	6	*
	7	* Copyright (C) 1998-2008 Novell/SUSE
	8	* Copyright 2009-2017 Canonical Ltd.
56974a6f JJ	9	*/
	10
	11	#include "include/apparmor.h"
	12	#include "include/audit.h"
	13	#include "include/cred.h"
	14	#include "include/label.h"
	15	#include "include/net.h"
	16	#include "include/policy.h"
ab9f2115	17	#include "include/secid.h"
56974a6f JJ	18
	19	#include "net_names.h"
	20
	21
	22	struct aa_sfs_entry aa_sfs_entry_network[] = {
	23	AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
	24	{ }
	25	};
	26
	27	static const char * const net_mask_names[] = {
	28	"unknown",
	29	"send",
	30	"receive",
	31	"unknown",
	32
	33	"create",
	34	"shutdown",
	35	"connect",
	36	"unknown",
	37
	38	"setattr",
	39	"getattr",
	40	"setcred",
	41	"getcred",
	42
	43	"chmod",
	44	"chown",
	45	"chgrp",
	46	"lock",
	47
	48	"mmap",
	49	"mprot",
	50	"unknown",
	51	"unknown",
	52
	53	"accept",
	54	"bind",
	55	"listen",
	56	"unknown",
	57
	58	"setopt",
	59	"getopt",
	60	"unknown",
	61	"unknown",
	62
	63	"unknown",
	64	"unknown",
	65	"unknown",
	66	"unknown",
	67	};
	68
	69
	70	/* audit callback for net specific fields */
	71	void audit_net_cb(struct audit_buffer ab, void va)
	72	{
	73	struct common_audit_data *sa = va;
	74
56974a6f	75	if (address_family_names[sa->u.net->family])
f1d9b23c RGB	76	audit_log_format(ab, " family=\"%s\"",
f1d9b23c RGB	77	address_family_names[sa->u.net->family]);
56974a6f	78	else
f1d9b23c RGB	79	audit_log_format(ab, " family=\"unknown(%d)\"",
f1d9b23c RGB	80	sa->u.net->family);
56974a6f	81	if (sock_type_names[aad(sa)->net.type])
f1d9b23c RGB	82	audit_log_format(ab, " sock_type=\"%s\"",
f1d9b23c RGB	83	sock_type_names[aad(sa)->net.type]);
56974a6f	84	else
f1d9b23c RGB	85	audit_log_format(ab, " sock_type=\"unknown(%d)\"",
f1d9b23c RGB	86	aad(sa)->net.type);
56974a6f JJ	87	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
	88
	89	if (aad(sa)->request & NET_PERMS_MASK) {
	90	audit_log_format(ab, " requested_mask=");
	91	aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
	92	net_mask_names, NET_PERMS_MASK);
	93
	94	if (aad(sa)->denied & NET_PERMS_MASK) {
	95	audit_log_format(ab, " denied_mask=");
	96	aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
	97	net_mask_names, NET_PERMS_MASK);
	98	}
	99	}
	100	if (aad(sa)->peer) {
	101	audit_log_format(ab, " peer=");
	102	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
	103	FLAGS_NONE, GFP_ATOMIC);
	104	}
	105	}
	106
	107	/* Generic af perm */
	108	int aa_profile_af_perm(struct aa_profile profile, struct common_audit_data sa,
	109	u32 request, u16 family, int type)
	110	{
	111	struct aa_perms perms = { };
	112	unsigned int state;
	113	__be16 buffer[2];
	114
	115	AA_BUG(family >= AF_MAX);
	116	AA_BUG(type < 0 \|\| type >= SOCK_MAX);
	117
	118	if (profile_unconfined(profile))
	119	return 0;
	120	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	121	if (!state)
	122	return 0;
	123
	124	buffer[0] = cpu_to_be16(family);
	125	buffer[1] = cpu_to_be16((u16) type);
	126	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
	127	4);
	128	aa_compute_perms(profile->policy.dfa, state, &perms);
	129	aa_apply_modes_to_perms(profile, &perms);
	130
	131	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
	132	}
	133
	134	int aa_af_perm(struct aa_label label, const char op, u32 request, u16 family,
	135	int type, int protocol)
	136	{
	137	struct aa_profile *profile;
	138	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
	139
	140	return fn_for_each_confined(label, profile,
	141	aa_profile_af_perm(profile, &sa, request, family,
	142	type));
	143	}
	144
	145	static int aa_label_sk_perm(struct aa_label label, const char op, u32 request,
	146	struct sock *sk)
	147	{
5f997580	148	int error = 0;
56974a6f JJ	149
	150	AA_BUG(!label);
	151	AA_BUG(!sk);
	152
5f997580 TJ	153	if (!unconfined(label)) {
	154	struct aa_profile *profile;
	155	DEFINE_AUDIT_SK(sa, op, sk);
56974a6f	156
5f997580 TJ	157	error = fn_for_each_confined(label, profile,
	158	aa_profile_af_sk_perm(profile, &sa, request, sk));
	159	}
	160
	161	return error;
56974a6f JJ	162	}
	163
	164	int aa_sk_perm(const char op, u32 request, struct sock sk)
	165	{
	166	struct aa_label *label;
	167	int error;
	168
	169	AA_BUG(!sk);
	170	AA_BUG(in_interrupt());
	171
	172	/* TODO: switch to begin_current_label ???? */
	173	label = begin_current_label_crit_section();
	174	error = aa_label_sk_perm(label, op, request, sk);
	175	end_current_label_crit_section(label);
	176
	177	return error;
	178	}
	179
	180
	181	int aa_sock_file_perm(struct aa_label label, const char op, u32 request,
	182	struct socket *sock)
	183	{
	184	AA_BUG(!label);
	185	AA_BUG(!sock);
	186	AA_BUG(!sock->sk);
	187
	188	return aa_label_sk_perm(label, op, request, sock->sk);
	189	}
ab9f2115	190
e1af4779	191	#ifdef CONFIG_NETWORK_SECMARK
ab9f2115 MG	192	static int apparmor_secmark_init(struct aa_secmark *secmark)
	193	{
	194	struct aa_label *label;
	195
	196	if (secmark->label[0] == '*') {
	197	secmark->secid = AA_SECID_WILDCARD;
	198	return 0;
	199	}
	200
	201	label = aa_label_strn_parse(&root_ns->unconfined->label,
	202	secmark->label, strlen(secmark->label),
	203	GFP_ATOMIC, false, false);
	204
	205	if (IS_ERR(label))
	206	return PTR_ERR(label);
	207
	208	secmark->secid = label->secid;
	209
	210	return 0;
	211	}
	212
	213	static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
	214	struct common_audit_data sa, struct sock sk)
	215	{
	216	int i, ret;
	217	struct aa_perms perms = { };
	218
	219	if (profile->secmark_count == 0)
	220	return 0;
	221
	222	for (i = 0; i < profile->secmark_count; i++) {
	223	if (!profile->secmark[i].secid) {
	224	ret = apparmor_secmark_init(&profile->secmark[i]);
	225	if (ret)
	226	return ret;
	227	}
	228
	229	if (profile->secmark[i].secid == secid \|\|
	230	profile->secmark[i].secid == AA_SECID_WILDCARD) {
	231	if (profile->secmark[i].deny)
	232	perms.deny = ALL_PERMS_MASK;
	233	else
	234	perms.allow = ALL_PERMS_MASK;
	235
	236	if (profile->secmark[i].audit)
	237	perms.audit = ALL_PERMS_MASK;
	238	}
	239	}
	240
	241	aa_apply_modes_to_perms(profile, &perms);
	242
	243	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
	244	}
	245
	246	int apparmor_secmark_check(struct aa_label label, char op, u32 request,
	247	u32 secid, struct sock *sk)
	248	{
	249	struct aa_profile *profile;
	250	DEFINE_AUDIT_SK(sa, op, sk);
	251
	252	return fn_for_each_confined(label, profile,
	253	aa_secmark_perm(profile, request, secid,
	254	&sa, sk));
	255	}
e1af4779	256	#endif