]>
git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/af_unix.c
2 * AppArmor security module
4 * This file contains AppArmor af_unix fine grained mediation
6 * Copyright 2014 Canonical Ltd.
8 * This program is free software; you can redistribute it and/or
9 * modify it under the terms of the GNU General Public License as
10 * published by the Free Software Foundation, version 2 of the
14 #include <net/tcp_states.h>
16 #include "include/af_unix.h"
17 #include "include/apparmor.h"
18 #include "include/context.h"
19 #include "include/file.h"
20 #include "include/label.h"
21 #include "include/path.h"
22 #include "include/policy.h"
24 static inline struct sock
*aa_sock(struct unix_sock
*u
)
29 static inline int unix_fs_perm(const char *op
, u32 mask
, struct aa_label
*label
,
30 struct unix_sock
*u
, int flags
)
34 AA_BUG(!UNIX_FS(aa_sock(u
)));
36 if (unconfined(label
) || !LABEL_MEDIATES(label
, AA_CLASS_FILE
))
40 if (!u
->path
.dentry
) {
41 struct path_cond cond
= { };
42 struct aa_perms perms
= { };
43 struct aa_profile
*profile
;
45 /* socket path has been cleared because it is being shutdown
46 * can only fall back to original sun_path request
48 struct aa_sk_ctx
*ctx
= SK_CTX(&u
->sk
);
50 return aa_path_perm(op
, label
, &ctx
->path
, flags
, mask
,
52 return fn_for_each_confined(label
, profile
,
53 ((flags
| profile
->path_flags
) & PATH_MEDIATE_DELETED
) ?
54 __aa_path_perm(op
, profile
,
55 u
->addr
->name
->sun_path
, mask
,
56 &cond
, flags
, &perms
) :
57 aa_audit_file(profile
, &nullperms
, op
, mask
,
58 u
->addr
->name
->sun_path
, NULL
,
60 "Failed name lookup - "
61 "deleted entry", -EACCES
));
63 /* the sunpath may not be valid for this ns so use the path */
64 struct path_cond cond
= { u
->path
.dentry
->d_inode
->i_uid
,
65 u
->path
.dentry
->d_inode
->i_mode
68 return aa_path_perm(op
, label
, &u
->path
, flags
, mask
, &cond
);
74 /* passing in state returned by PROFILE_MEDIATES_AF */
75 static unsigned int match_to_prot(struct aa_profile
*profile
,
76 unsigned int state
, int type
, int protocol
,
80 buffer
[0] = cpu_to_be16(type
);
81 buffer
[1] = cpu_to_be16(protocol
);
82 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
, (char *) &buffer
,
85 *info
= "failed type and protocol match";
89 static unsigned int match_addr(struct aa_profile
*profile
, unsigned int state
,
90 struct sockaddr_un
*addr
, int addrlen
)
93 /* include leading \0 */
94 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
,
96 unix_addr_len(addrlen
));
98 /* anonymous end point */
99 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
, "\x01",
101 /* todo change to out of band */
102 state
= aa_dfa_null_transition(profile
->policy
.dfa
, state
);
106 static unsigned int match_to_local(struct aa_profile
*profile
,
107 unsigned int state
, int type
, int protocol
,
108 struct sockaddr_un
*addr
, int addrlen
,
111 state
= match_to_prot(profile
, state
, type
, protocol
, info
);
113 state
= match_addr(profile
, state
, addr
, addrlen
);
115 /* todo: local label matching */
116 state
= aa_dfa_null_transition(profile
->policy
.dfa
,
119 *info
= "failed local label match";
121 *info
= "failed local address match";
127 static unsigned int match_to_sk(struct aa_profile
*profile
,
128 unsigned int state
, struct unix_sock
*u
,
131 struct sockaddr_un
*addr
= NULL
;
135 addr
= u
->addr
->name
;
136 addrlen
= u
->addr
->len
;
139 return match_to_local(profile
, state
, u
->sk
.sk_type
, u
->sk
.sk_protocol
,
140 addr
, addrlen
, info
);
147 static inline unsigned int match_to_cmd(struct aa_profile
*profile
,
148 unsigned int state
, struct unix_sock
*u
,
149 char cmd
, const char **info
)
151 state
= match_to_sk(profile
, state
, u
, info
);
153 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
, &cmd
, 1);
155 *info
= "failed cmd selection match";
161 static inline unsigned int match_to_peer(struct aa_profile
*profile
,
164 struct sockaddr_un
*peer_addr
,
168 state
= match_to_cmd(profile
, state
, u
, CMD_ADDR
, info
);
170 state
= match_addr(profile
, state
, peer_addr
, peer_addrlen
);
172 *info
= "failed peer address match";
177 static int do_perms(struct aa_profile
*profile
, unsigned int state
, u32 request
,
178 struct common_audit_data
*sa
)
180 struct aa_perms perms
;
184 aa_compute_perms(profile
->policy
.dfa
, state
, &perms
);
185 aa_apply_modes_to_perms(profile
, &perms
);
186 return aa_check_perms(profile
, &perms
, request
, sa
,
190 static int match_label(struct aa_profile
*profile
, struct aa_profile
*peer
,
191 unsigned int state
, u32 request
,
192 struct common_audit_data
*sa
)
197 aad(sa
)->peer
= &peer
->label
;
200 state
= aa_dfa_match(profile
->policy
.dfa
, state
,
203 aad(sa
)->info
= "failed peer label match";
205 return do_perms(profile
, state
, request
, sa
);
209 /* unix sock creation comes before we know if the socket will be an fs
211 * v6 - semantics are handled by mapping in profile load
212 * v7 - semantics require sock create for tasks creating an fs socket.
214 static int profile_create_perm(struct aa_profile
*profile
, int family
,
215 int type
, int protocol
)
218 DEFINE_AUDIT_NET(sa
, OP_CREATE
, NULL
, family
, type
, protocol
);
221 AA_BUG(profile_unconfined(profile
));
223 if ((state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
))) {
224 state
= match_to_prot(profile
, state
, type
, protocol
,
226 return do_perms(profile
, state
, AA_MAY_CREATE
, &sa
);
229 return aa_profile_af_perm(profile
, &sa
, AA_MAY_CREATE
, family
, type
);
232 int aa_unix_create_perm(struct aa_label
*label
, int family
, int type
,
235 struct aa_profile
*profile
;
237 if (unconfined(label
))
240 return fn_for_each_confined(label
, profile
,
241 profile_create_perm(profile
, family
, type
, protocol
));
245 static inline int profile_sk_perm(struct aa_profile
*profile
, const char *op
,
246 u32 request
, struct sock
*sk
)
249 DEFINE_AUDIT_SK(sa
, op
, sk
);
254 AA_BUG(profile_unconfined(profile
));
256 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
258 state
= match_to_sk(profile
, state
, unix_sk(sk
),
260 return do_perms(profile
, state
, request
, &sa
);
263 return aa_profile_af_sk_perm(profile
, &sa
, request
, sk
);
266 int aa_unix_label_sk_perm(struct aa_label
*label
, const char *op
, u32 request
,
269 struct aa_profile
*profile
;
271 return fn_for_each_confined(label
, profile
,
272 profile_sk_perm(profile
, op
, request
, sk
));
275 static int unix_label_sock_perm(struct aa_label
*label
, const char *op
, u32 request
,
278 if (unconfined(label
))
280 if (UNIX_FS(sock
->sk
))
281 return unix_fs_perm(op
, request
, label
, unix_sk(sock
->sk
), 0);
283 return aa_unix_label_sk_perm(label
, op
, request
, sock
->sk
);
286 /* revaliation, get/set attr */
287 int aa_unix_sock_perm(const char *op
, u32 request
, struct socket
*sock
)
289 struct aa_label
*label
;
292 label
= begin_current_label_crit_section();
293 error
= unix_label_sock_perm(label
, op
, request
, sock
);
294 end_current_label_crit_section(label
);
299 static int profile_bind_perm(struct aa_profile
*profile
, struct sock
*sk
,
300 struct sockaddr
*addr
, int addrlen
)
303 DEFINE_AUDIT_SK(sa
, OP_BIND
, sk
);
307 AA_BUG(addr
->sa_family
!= AF_UNIX
);
308 AA_BUG(profile_unconfined(profile
));
309 AA_BUG(unix_addr_fs(addr
, addrlen
));
311 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
313 /* bind for abstract socket */
314 aad(&sa
)->net
.addr
= unix_addr(addr
);
315 aad(&sa
)->net
.addrlen
= addrlen
;
317 state
= match_to_local(profile
, state
,
318 sk
->sk_type
, sk
->sk_protocol
,
319 unix_addr(addr
), addrlen
,
321 return do_perms(profile
, state
, AA_MAY_BIND
, &sa
);
324 return aa_profile_af_sk_perm(profile
, &sa
, AA_MAY_BIND
, sk
);
327 int aa_unix_bind_perm(struct socket
*sock
, struct sockaddr
*address
,
330 struct aa_profile
*profile
;
331 struct aa_label
*label
;
334 label
= begin_current_label_crit_section();
335 /* fs bind is handled by mknod */
336 if (!(unconfined(label
) || unix_addr_fs(address
, addrlen
)))
337 error
= fn_for_each_confined(label
, profile
,
338 profile_bind_perm(profile
, sock
->sk
, address
,
340 end_current_label_crit_section(label
);
345 int aa_unix_connect_perm(struct socket
*sock
, struct sockaddr
*address
,
348 /* unix connections are covered by the
349 * - unix_stream_connect (stream) and unix_may_send hooks (dgram)
350 * - fs connect is handled by open
355 static int profile_listen_perm(struct aa_profile
*profile
, struct sock
*sk
,
359 DEFINE_AUDIT_SK(sa
, OP_LISTEN
, sk
);
364 AA_BUG(profile_unconfined(profile
));
366 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
368 __be16 b
= cpu_to_be16(backlog
);
370 state
= match_to_cmd(profile
, state
, unix_sk(sk
), CMD_LISTEN
,
373 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
,
376 aad(&sa
)->info
= "failed listen backlog match";
378 return do_perms(profile
, state
, AA_MAY_LISTEN
, &sa
);
381 return aa_profile_af_sk_perm(profile
, &sa
, AA_MAY_LISTEN
, sk
);
384 int aa_unix_listen_perm(struct socket
*sock
, int backlog
)
386 struct aa_profile
*profile
;
387 struct aa_label
*label
;
390 label
= begin_current_label_crit_section();
391 if (!(unconfined(label
) || UNIX_FS(sock
->sk
)))
392 error
= fn_for_each_confined(label
, profile
,
393 profile_listen_perm(profile
, sock
->sk
,
395 end_current_label_crit_section(label
);
401 static inline int profile_accept_perm(struct aa_profile
*profile
,
406 DEFINE_AUDIT_SK(sa
, OP_ACCEPT
, sk
);
411 AA_BUG(profile_unconfined(profile
));
413 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
415 state
= match_to_sk(profile
, state
, unix_sk(sk
),
417 return do_perms(profile
, state
, AA_MAY_ACCEPT
, &sa
);
420 return aa_profile_af_sk_perm(profile
, &sa
, AA_MAY_ACCEPT
, sk
);
423 /* ability of sock to connect, not peer address binding */
424 int aa_unix_accept_perm(struct socket
*sock
, struct socket
*newsock
)
426 struct aa_profile
*profile
;
427 struct aa_label
*label
;
430 label
= begin_current_label_crit_section();
431 if (!(unconfined(label
) || UNIX_FS(sock
->sk
)))
432 error
= fn_for_each_confined(label
, profile
,
433 profile_accept_perm(profile
, sock
->sk
,
435 end_current_label_crit_section(label
);
441 /* dgram handled by unix_may_sendmsg, right to send on stream done at connect
442 * could do per msg unix_stream here
444 /* sendmsg, recvmsg */
445 int aa_unix_msg_perm(const char *op
, u32 request
, struct socket
*sock
,
446 struct msghdr
*msg
, int size
)
452 static int profile_opt_perm(struct aa_profile
*profile
, const char *op
, u32 request
,
453 struct sock
*sk
, int level
, int optname
)
456 DEFINE_AUDIT_SK(sa
, op
, sk
);
461 AA_BUG(profile_unconfined(profile
));
463 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
465 __be16 b
= cpu_to_be16(optname
);
467 state
= match_to_cmd(profile
, state
, unix_sk(sk
), CMD_OPT
,
470 state
= aa_dfa_match_len(profile
->policy
.dfa
, state
,
473 aad(&sa
)->info
= "failed sockopt match";
475 return do_perms(profile
, state
, request
, &sa
);
478 return aa_profile_af_sk_perm(profile
, &sa
, request
, sk
);
481 int aa_unix_opt_perm(const char *op
, u32 request
, struct socket
*sock
, int level
,
484 struct aa_profile
*profile
;
485 struct aa_label
*label
;
488 label
= begin_current_label_crit_section();
489 if (!(unconfined(label
) || UNIX_FS(sock
->sk
)))
490 error
= fn_for_each_confined(label
, profile
,
491 profile_opt_perm(profile
, op
, request
,
492 sock
->sk
, level
, optname
));
493 end_current_label_crit_section(label
);
498 /* null peer_label is allowed, in which case the peer_sk label is used */
499 static int profile_peer_perm(struct aa_profile
*profile
, const char *op
, u32 request
,
500 struct sock
*sk
, struct sock
*peer_sk
,
501 struct aa_label
*peer_label
,
502 struct common_audit_data
*sa
)
507 AA_BUG(profile_unconfined(profile
));
510 AA_BUG(UNIX_FS(peer_sk
));
512 state
= PROFILE_MEDIATES_AF(profile
, AF_UNIX
);
514 struct aa_sk_ctx
*peer_ctx
= SK_CTX(peer_sk
);
515 struct aa_profile
*peerp
;
516 struct sockaddr_un
*addr
= NULL
;
518 if (unix_sk(peer_sk
)->addr
) {
519 addr
= unix_sk(peer_sk
)->addr
->name
;
520 len
= unix_sk(peer_sk
)->addr
->len
;
522 state
= match_to_peer(profile
, state
, unix_sk(sk
),
523 addr
, len
, &aad(sa
)->info
);
525 peer_label
= peer_ctx
->label
;
526 return fn_for_each_in_ns(peer_label
, peerp
,
527 match_label(profile
, peerp
, state
, request
,
531 return aa_profile_af_sk_perm(profile
, sa
, request
, sk
);
536 * Requires: lock held on both @sk and @peer_sk
538 int aa_unix_peer_perm(struct aa_label
*label
, const char *op
, u32 request
,
539 struct sock
*sk
, struct sock
*peer_sk
,
540 struct aa_label
*peer_label
)
542 struct unix_sock
*peeru
= unix_sk(peer_sk
);
543 struct unix_sock
*u
= unix_sk(sk
);
549 if (UNIX_FS(aa_sock(peeru
)))
550 return unix_fs_perm(op
, request
, label
, peeru
, 0);
551 else if (UNIX_FS(aa_sock(u
)))
552 return unix_fs_perm(op
, request
, label
, u
, 0);
554 struct aa_profile
*profile
;
555 DEFINE_AUDIT_SK(sa
, op
, sk
);
556 aad(&sa
)->net
.peer_sk
= peer_sk
;
559 if (!net_eq(sock_net(sk
), sock_net(peer_sk
))) {
563 if (unconfined(label
))
566 return fn_for_each_confined(label
, profile
,
567 profile_peer_perm(profile
, op
, request
, sk
,
568 peer_sk
, peer_label
, &sa
));
573 /* from net/unix/af_unix.c */
574 static void unix_state_double_lock(struct sock
*sk1
, struct sock
*sk2
)
576 if (unlikely(sk1
== sk2
) || !sk2
) {
577 unix_state_lock(sk1
);
581 unix_state_lock(sk1
);
582 unix_state_lock_nested(sk2
);
584 unix_state_lock(sk2
);
585 unix_state_lock_nested(sk1
);
589 static void unix_state_double_unlock(struct sock
*sk1
, struct sock
*sk2
)
591 if (unlikely(sk1
== sk2
) || !sk2
) {
592 unix_state_unlock(sk1
);
595 unix_state_unlock(sk1
);
596 unix_state_unlock(sk2
);
599 int aa_unix_file_perm(struct aa_label
*label
, const char *op
, u32 request
,
602 struct sock
*peer_sk
= NULL
;
603 u32 sk_req
= request
& ~NET_PEER_MASK
;
609 AA_BUG(sock
->sk
->sk_family
!= AF_UNIX
);
611 /* TODO: update sock label with new task label */
612 unix_state_lock(sock
->sk
);
613 peer_sk
= unix_peer(sock
->sk
);
616 if (!unix_connected(sock
) && sk_req
) {
617 error
= unix_label_sock_perm(label
, op
, sk_req
, sock
);
622 unix_state_unlock(sock
->sk
);
626 unix_state_double_lock(sock
->sk
, peer_sk
);
627 if (UNIX_FS(sock
->sk
)) {
628 error
= unix_fs_perm(op
, request
, label
, unix_sk(sock
->sk
),
630 } else if (UNIX_FS(peer_sk
)) {
631 error
= unix_fs_perm(op
, request
, label
, unix_sk(peer_sk
),
634 struct aa_sk_ctx
*pctx
= SK_CTX(peer_sk
);
636 error
= aa_unix_label_sk_perm(label
, op
, sk_req
,
639 xcheck(aa_unix_peer_perm(label
, op
,
640 MAY_READ
| MAY_WRITE
,
641 sock
->sk
, peer_sk
, NULL
),
642 aa_unix_peer_perm(pctx
->label
, op
,
643 MAY_READ
| MAY_WRITE
,
644 peer_sk
, sock
->sk
, label
)));
647 unix_state_double_unlock(sock
->sk
, peer_sk
);