]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/af_unix.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
x86/pti: Unbreak EFI old_memmap
[mirror_ubuntu-artful-kernel.git] / security / apparmor / af_unix.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor af_unix fine grained mediation
5 *
6 * Copyright 2014 Canonical Ltd.
7 *
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License as
10 * published by the Free Software Foundation, version 2 of the
11 * License.
12 */
13
14 #include <net/tcp_states.h>
15
16 #include "include/af_unix.h"
17 #include "include/apparmor.h"
18 #include "include/context.h"
19 #include "include/file.h"
20 #include "include/label.h"
21 #include "include/path.h"
22 #include "include/policy.h"
23
24 static inline struct sock *aa_sock(struct unix_sock *u)
25 {
26 return &u->sk;
27 }
28
29 static inline int unix_fs_perm(const char *op, u32 mask, struct aa_label *label,
30 struct unix_sock *u, int flags)
31 {
32 AA_BUG(!label);
33 AA_BUG(!u);
34 AA_BUG(!UNIX_FS(aa_sock(u)));
35
36 if (unconfined(label) || !LABEL_MEDIATES(label, AA_CLASS_FILE))
37 return 0;
38
39 mask &= NET_FS_PERMS;
40 if (!u->path.dentry) {
41 struct path_cond cond = { };
42 struct aa_perms perms = { };
43 struct aa_profile *profile;
44
45 /* socket path has been cleared because it is being shutdown
46 * can only fall back to original sun_path request
47 */
48 struct aa_sk_ctx *ctx = SK_CTX(&u->sk);
49 if (ctx->path.dentry)
50 return aa_path_perm(op, label, &ctx->path, flags, mask,
51 &cond);
52 return fn_for_each_confined(label, profile,
53 ((flags | profile->path_flags) & PATH_MEDIATE_DELETED) ?
54 __aa_path_perm(op, profile,
55 u->addr->name->sun_path, mask,
56 &cond, flags, &perms) :
57 aa_audit_file(profile, &nullperms, op, mask,
58 u->addr->name->sun_path, NULL,
59 NULL, cond.uid,
60 "Failed name lookup - "
61 "deleted entry", -EACCES));
62 } else {
63 /* the sunpath may not be valid for this ns so use the path */
64 struct path_cond cond = { u->path.dentry->d_inode->i_uid,
65 u->path.dentry->d_inode->i_mode
66 };
67
68 return aa_path_perm(op, label, &u->path, flags, mask, &cond);
69 }
70
71 return 0;
72 }
73
74 /* passing in state returned by PROFILE_MEDIATES_AF */
75 static unsigned int match_to_prot(struct aa_profile *profile,
76 unsigned int state, int type, int protocol,
77 const char **info)
78 {
79 __be16 buffer[2];
80 buffer[0] = cpu_to_be16(type);
81 buffer[1] = cpu_to_be16(protocol);
82 state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
83 4);
84 if (!state)
85 *info = "failed type and protocol match";
86 return state;
87 }
88
89 static unsigned int match_addr(struct aa_profile *profile, unsigned int state,
90 struct sockaddr_un *addr, int addrlen)
91 {
92 if (addr)
93 /* include leading \0 */
94 state = aa_dfa_match_len(profile->policy.dfa, state,
95 addr->sun_path,
96 unix_addr_len(addrlen));
97 else
98 /* anonymous end point */
99 state = aa_dfa_match_len(profile->policy.dfa, state, "\x01",
100 1);
101 /* todo change to out of band */
102 state = aa_dfa_null_transition(profile->policy.dfa, state);
103 return state;
104 }
105
106 static unsigned int match_to_local(struct aa_profile *profile,
107 unsigned int state, int type, int protocol,
108 struct sockaddr_un *addr, int addrlen,
109 const char **info)
110 {
111 state = match_to_prot(profile, state, type, protocol, info);
112 if (state) {
113 state = match_addr(profile, state, addr, addrlen);
114 if (state) {
115 /* todo: local label matching */
116 state = aa_dfa_null_transition(profile->policy.dfa,
117 state);
118 if (!state)
119 *info = "failed local label match";
120 } else
121 *info = "failed local address match";
122 }
123
124 return state;
125 }
126
127 static unsigned int match_to_sk(struct aa_profile *profile,
128 unsigned int state, struct unix_sock *u,
129 const char **info)
130 {
131 struct sockaddr_un *addr = NULL;
132 int addrlen = 0;
133
134 if (u->addr) {
135 addr = u->addr->name;
136 addrlen = u->addr->len;
137 }
138
139 return match_to_local(profile, state, u->sk.sk_type, u->sk.sk_protocol,
140 addr, addrlen, info);
141 }
142
143 #define CMD_ADDR 1
144 #define CMD_LISTEN 2
145 #define CMD_OPT 4
146
147 static inline unsigned int match_to_cmd(struct aa_profile *profile,
148 unsigned int state, struct unix_sock *u,
149 char cmd, const char **info)
150 {
151 state = match_to_sk(profile, state, u, info);
152 if (state) {
153 state = aa_dfa_match_len(profile->policy.dfa, state, &cmd, 1);
154 if (!state)
155 *info = "failed cmd selection match";
156 }
157
158 return state;
159 }
160
161 static inline unsigned int match_to_peer(struct aa_profile *profile,
162 unsigned int state,
163 struct unix_sock *u,
164 struct sockaddr_un *peer_addr,
165 int peer_addrlen,
166 const char **info)
167 {
168 state = match_to_cmd(profile, state, u, CMD_ADDR, info);
169 if (state) {
170 state = match_addr(profile, state, peer_addr, peer_addrlen);
171 if (!state)
172 *info = "failed peer address match";
173 }
174 return state;
175 }
176
177 static int do_perms(struct aa_profile *profile, unsigned int state, u32 request,
178 struct common_audit_data *sa)
179 {
180 struct aa_perms perms;
181
182 AA_BUG(!profile);
183
184 aa_compute_perms(profile->policy.dfa, state, &perms);
185 aa_apply_modes_to_perms(profile, &perms);
186 return aa_check_perms(profile, &perms, request, sa,
187 audit_net_cb);
188 }
189
190 static int match_label(struct aa_profile *profile, struct aa_profile *peer,
191 unsigned int state, u32 request,
192 struct common_audit_data *sa)
193 {
194 AA_BUG(!profile);
195 AA_BUG(!peer);
196
197 aad(sa)->peer = &peer->label;
198
199 if (state) {
200 state = aa_dfa_match(profile->policy.dfa, state,
201 peer->base.hname);
202 if (!state)
203 aad(sa)->info = "failed peer label match";
204 }
205 return do_perms(profile, state, request, sa);
206 }
207
208
209 /* unix sock creation comes before we know if the socket will be an fs
210 * socket
211 * v6 - semantics are handled by mapping in profile load
212 * v7 - semantics require sock create for tasks creating an fs socket.
213 */
214 static int profile_create_perm(struct aa_profile *profile, int family,
215 int type, int protocol)
216 {
217 unsigned int state;
218 DEFINE_AUDIT_NET(sa, OP_CREATE, NULL, family, type, protocol);
219
220 AA_BUG(!profile);
221 AA_BUG(profile_unconfined(profile));
222
223 if ((state = PROFILE_MEDIATES_AF(profile, AF_UNIX))) {
224 state = match_to_prot(profile, state, type, protocol,
225 &aad(&sa)->info);
226 return do_perms(profile, state, AA_MAY_CREATE, &sa);
227 }
228
229 return aa_profile_af_perm(profile, &sa, AA_MAY_CREATE, family, type);
230 }
231
232 int aa_unix_create_perm(struct aa_label *label, int family, int type,
233 int protocol)
234 {
235 struct aa_profile *profile;
236
237 if (unconfined(label))
238 return 0;
239
240 return fn_for_each_confined(label, profile,
241 profile_create_perm(profile, family, type, protocol));
242 }
243
244
245 static inline int profile_sk_perm(struct aa_profile *profile, const char *op,
246 u32 request, struct sock *sk)
247 {
248 unsigned int state;
249 DEFINE_AUDIT_SK(sa, op, sk);
250
251 AA_BUG(!profile);
252 AA_BUG(!sk);
253 AA_BUG(UNIX_FS(sk));
254 AA_BUG(profile_unconfined(profile));
255
256 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
257 if (state) {
258 state = match_to_sk(profile, state, unix_sk(sk),
259 &aad(&sa)->info);
260 return do_perms(profile, state, request, &sa);
261 }
262
263 return aa_profile_af_sk_perm(profile, &sa, request, sk);
264 }
265
266 int aa_unix_label_sk_perm(struct aa_label *label, const char *op, u32 request,
267 struct sock *sk)
268 {
269 struct aa_profile *profile;
270
271 return fn_for_each_confined(label, profile,
272 profile_sk_perm(profile, op, request, sk));
273 }
274
275 static int unix_label_sock_perm(struct aa_label *label, const char *op, u32 request,
276 struct socket *sock)
277 {
278 if (unconfined(label))
279 return 0;
280 if (UNIX_FS(sock->sk))
281 return unix_fs_perm(op, request, label, unix_sk(sock->sk), 0);
282
283 return aa_unix_label_sk_perm(label, op, request, sock->sk);
284 }
285
286 /* revaliation, get/set attr */
287 int aa_unix_sock_perm(const char *op, u32 request, struct socket *sock)
288 {
289 struct aa_label *label;
290 int error;
291
292 label = begin_current_label_crit_section();
293 error = unix_label_sock_perm(label, op, request, sock);
294 end_current_label_crit_section(label);
295
296 return error;
297 }
298
299 static int profile_bind_perm(struct aa_profile *profile, struct sock *sk,
300 struct sockaddr *addr, int addrlen)
301 {
302 unsigned int state;
303 DEFINE_AUDIT_SK(sa, OP_BIND, sk);
304
305 AA_BUG(!profile);
306 AA_BUG(!sk);
307 AA_BUG(addr->sa_family != AF_UNIX);
308 AA_BUG(profile_unconfined(profile));
309 AA_BUG(unix_addr_fs(addr, addrlen));
310
311 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
312 if (state) {
313 /* bind for abstract socket */
314 aad(&sa)->net.addr = unix_addr(addr);
315 aad(&sa)->net.addrlen = addrlen;
316
317 state = match_to_local(profile, state,
318 sk->sk_type, sk->sk_protocol,
319 unix_addr(addr), addrlen,
320 &aad(&sa)->info);
321 return do_perms(profile, state, AA_MAY_BIND, &sa);
322 }
323
324 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_BIND, sk);
325 }
326
327 int aa_unix_bind_perm(struct socket *sock, struct sockaddr *address,
328 int addrlen)
329 {
330 struct aa_profile *profile;
331 struct aa_label *label;
332 int error = 0;
333
334 label = begin_current_label_crit_section();
335 /* fs bind is handled by mknod */
336 if (!(unconfined(label) || unix_addr_fs(address, addrlen)))
337 error = fn_for_each_confined(label, profile,
338 profile_bind_perm(profile, sock->sk, address,
339 addrlen));
340 end_current_label_crit_section(label);
341
342 return error;
343 }
344
345 int aa_unix_connect_perm(struct socket *sock, struct sockaddr *address,
346 int addrlen)
347 {
348 /* unix connections are covered by the
349 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)
350 * - fs connect is handled by open
351 */
352 return 0;
353 }
354
355 static int profile_listen_perm(struct aa_profile *profile, struct sock *sk,
356 int backlog)
357 {
358 unsigned int state;
359 DEFINE_AUDIT_SK(sa, OP_LISTEN, sk);
360
361 AA_BUG(!profile);
362 AA_BUG(!sk);
363 AA_BUG(UNIX_FS(sk));
364 AA_BUG(profile_unconfined(profile));
365
366 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
367 if (state) {
368 __be16 b = cpu_to_be16(backlog);
369
370 state = match_to_cmd(profile, state, unix_sk(sk), CMD_LISTEN,
371 &aad(&sa)->info);
372 if (state) {
373 state = aa_dfa_match_len(profile->policy.dfa, state,
374 (char *) &b, 2);
375 if (!state)
376 aad(&sa)->info = "failed listen backlog match";
377 }
378 return do_perms(profile, state, AA_MAY_LISTEN, &sa);
379 }
380
381 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_LISTEN, sk);
382 }
383
384 int aa_unix_listen_perm(struct socket *sock, int backlog)
385 {
386 struct aa_profile *profile;
387 struct aa_label *label;
388 int error = 0;
389
390 label = begin_current_label_crit_section();
391 if (!(unconfined(label) || UNIX_FS(sock->sk)))
392 error = fn_for_each_confined(label, profile,
393 profile_listen_perm(profile, sock->sk,
394 backlog));
395 end_current_label_crit_section(label);
396
397 return error;
398 }
399
400
401 static inline int profile_accept_perm(struct aa_profile *profile,
402 struct sock *sk,
403 struct sock *newsk)
404 {
405 unsigned int state;
406 DEFINE_AUDIT_SK(sa, OP_ACCEPT, sk);
407
408 AA_BUG(!profile);
409 AA_BUG(!sk);
410 AA_BUG(UNIX_FS(sk));
411 AA_BUG(profile_unconfined(profile));
412
413 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
414 if (state) {
415 state = match_to_sk(profile, state, unix_sk(sk),
416 &aad(&sa)->info);
417 return do_perms(profile, state, AA_MAY_ACCEPT, &sa);
418 }
419
420 return aa_profile_af_sk_perm(profile, &sa, AA_MAY_ACCEPT, sk);
421 }
422
423 /* ability of sock to connect, not peer address binding */
424 int aa_unix_accept_perm(struct socket *sock, struct socket *newsock)
425 {
426 struct aa_profile *profile;
427 struct aa_label *label;
428 int error = 0;
429
430 label = begin_current_label_crit_section();
431 if (!(unconfined(label) || UNIX_FS(sock->sk)))
432 error = fn_for_each_confined(label, profile,
433 profile_accept_perm(profile, sock->sk,
434 newsock->sk));
435 end_current_label_crit_section(label);
436
437 return error;
438 }
439
440
441 /* dgram handled by unix_may_sendmsg, right to send on stream done at connect
442 * could do per msg unix_stream here
443 */
444 /* sendmsg, recvmsg */
445 int aa_unix_msg_perm(const char *op, u32 request, struct socket *sock,
446 struct msghdr *msg, int size)
447 {
448 return 0;
449 }
450
451
452 static int profile_opt_perm(struct aa_profile *profile, const char *op, u32 request,
453 struct sock *sk, int level, int optname)
454 {
455 unsigned int state;
456 DEFINE_AUDIT_SK(sa, op, sk);
457
458 AA_BUG(!profile);
459 AA_BUG(!sk);
460 AA_BUG(UNIX_FS(sk));
461 AA_BUG(profile_unconfined(profile));
462
463 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
464 if (state) {
465 __be16 b = cpu_to_be16(optname);
466
467 state = match_to_cmd(profile, state, unix_sk(sk), CMD_OPT,
468 &aad(&sa)->info);
469 if (state) {
470 state = aa_dfa_match_len(profile->policy.dfa, state,
471 (char *) &b, 2);
472 if (!state)
473 aad(&sa)->info = "failed sockopt match";
474 }
475 return do_perms(profile, state, request, &sa);
476 }
477
478 return aa_profile_af_sk_perm(profile, &sa, request, sk);
479 }
480
481 int aa_unix_opt_perm(const char *op, u32 request, struct socket *sock, int level,
482 int optname)
483 {
484 struct aa_profile *profile;
485 struct aa_label *label;
486 int error = 0;
487
488 label = begin_current_label_crit_section();
489 if (!(unconfined(label) || UNIX_FS(sock->sk)))
490 error = fn_for_each_confined(label, profile,
491 profile_opt_perm(profile, op, request,
492 sock->sk, level, optname));
493 end_current_label_crit_section(label);
494
495 return error;
496 }
497
498 /* null peer_label is allowed, in which case the peer_sk label is used */
499 static int profile_peer_perm(struct aa_profile *profile, const char *op, u32 request,
500 struct sock *sk, struct sock *peer_sk,
501 struct aa_label *peer_label,
502 struct common_audit_data *sa)
503 {
504 unsigned int state;
505
506 AA_BUG(!profile);
507 AA_BUG(profile_unconfined(profile));
508 AA_BUG(!sk);
509 AA_BUG(!peer_sk);
510 AA_BUG(UNIX_FS(peer_sk));
511
512 state = PROFILE_MEDIATES_AF(profile, AF_UNIX);
513 if (state) {
514 struct aa_sk_ctx *peer_ctx = SK_CTX(peer_sk);
515 struct aa_profile *peerp;
516 struct sockaddr_un *addr = NULL;
517 int len = 0;
518 if (unix_sk(peer_sk)->addr) {
519 addr = unix_sk(peer_sk)->addr->name;
520 len = unix_sk(peer_sk)->addr->len;
521 }
522 state = match_to_peer(profile, state, unix_sk(sk),
523 addr, len, &aad(sa)->info);
524 if (!peer_label)
525 peer_label = peer_ctx->label;
526 return fn_for_each_in_ns(peer_label, peerp,
527 match_label(profile, peerp, state, request,
528 sa));
529 }
530
531 return aa_profile_af_sk_perm(profile, sa, request, sk);
532 }
533
534 /**
535 *
536 * Requires: lock held on both @sk and @peer_sk
537 */
538 int aa_unix_peer_perm(struct aa_label *label, const char *op, u32 request,
539 struct sock *sk, struct sock *peer_sk,
540 struct aa_label *peer_label)
541 {
542 struct unix_sock *peeru = unix_sk(peer_sk);
543 struct unix_sock *u = unix_sk(sk);
544
545 AA_BUG(!label);
546 AA_BUG(!sk);
547 AA_BUG(!peer_sk);
548
549 if (UNIX_FS(aa_sock(peeru)))
550 return unix_fs_perm(op, request, label, peeru, 0);
551 else if (UNIX_FS(aa_sock(u)))
552 return unix_fs_perm(op, request, label, u, 0);
553 else {
554 struct aa_profile *profile;
555 DEFINE_AUDIT_SK(sa, op, sk);
556 aad(&sa)->net.peer_sk = peer_sk;
557
558 /* TODO: ns!!! */
559 if (!net_eq(sock_net(sk), sock_net(peer_sk))) {
560 ;
561 }
562
563 if (unconfined(label))
564 return 0;
565
566 return fn_for_each_confined(label, profile,
567 profile_peer_perm(profile, op, request, sk,
568 peer_sk, peer_label, &sa));
569 }
570 }
571
572
573 /* from net/unix/af_unix.c */
574 static void unix_state_double_lock(struct sock *sk1, struct sock *sk2)
575 {
576 if (unlikely(sk1 == sk2) || !sk2) {
577 unix_state_lock(sk1);
578 return;
579 }
580 if (sk1 < sk2) {
581 unix_state_lock(sk1);
582 unix_state_lock_nested(sk2);
583 } else {
584 unix_state_lock(sk2);
585 unix_state_lock_nested(sk1);
586 }
587 }
588
589 static void unix_state_double_unlock(struct sock *sk1, struct sock *sk2)
590 {
591 if (unlikely(sk1 == sk2) || !sk2) {
592 unix_state_unlock(sk1);
593 return;
594 }
595 unix_state_unlock(sk1);
596 unix_state_unlock(sk2);
597 }
598
599 int aa_unix_file_perm(struct aa_label *label, const char *op, u32 request,
600 struct socket *sock)
601 {
602 struct sock *peer_sk = NULL;
603 u32 sk_req = request & ~NET_PEER_MASK;
604 int error = 0;
605
606 AA_BUG(!label);
607 AA_BUG(!sock);
608 AA_BUG(!sock->sk);
609 AA_BUG(sock->sk->sk_family != AF_UNIX);
610
611 /* TODO: update sock label with new task label */
612 unix_state_lock(sock->sk);
613 peer_sk = unix_peer(sock->sk);
614 if (peer_sk)
615 sock_hold(peer_sk);
616 if (!unix_connected(sock) && sk_req) {
617 error = unix_label_sock_perm(label, op, sk_req, sock);
618 if (!error) {
619 // update label
620 }
621 }
622 unix_state_unlock(sock->sk);
623 if (!peer_sk)
624 return error;
625
626 unix_state_double_lock(sock->sk, peer_sk);
627 if (UNIX_FS(sock->sk)) {
628 error = unix_fs_perm(op, request, label, unix_sk(sock->sk),
629 PATH_SOCK_COND);
630 } else if (UNIX_FS(peer_sk)) {
631 error = unix_fs_perm(op, request, label, unix_sk(peer_sk),
632 PATH_SOCK_COND);
633 } else {
634 struct aa_sk_ctx *pctx = SK_CTX(peer_sk);
635 if (sk_req)
636 error = aa_unix_label_sk_perm(label, op, sk_req,
637 sock->sk);
638 last_error(error,
639 xcheck(aa_unix_peer_perm(label, op,
640 MAY_READ | MAY_WRITE,
641 sock->sk, peer_sk, NULL),
642 aa_unix_peer_perm(pctx->label, op,
643 MAY_READ | MAY_WRITE,
644 peer_sk, sock->sk, label)));
645 }
646
647 unix_state_double_unlock(sock->sk, peer_sk);
648 sock_put(peer_sk);
649
650 return error;
651 }
Ubuntu Artful kernel mirror