2 * AppArmor security module
4 * This file contains AppArmor network mediation
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include "include/apparmor.h"
16 #include "include/audit.h"
17 #include "include/context.h"
18 #include "include/label.h"
19 #include "include/net.h"
20 #include "include/policy.h"
22 #include "net_names.h"
/*
 * aa_sfs_entry table for the network feature: advertises the supported
 * address-family mask (AA_SFS_AF_MASK) under the "af_mask" entry.
 * Only the first entry is visible in this excerpt; the terminating
 * entry and closing brace are elided.
 */
25 struct aa_sfs_entry aa_sfs_entry_network
[] = {
26 AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK
),
/*
 * Human-readable names for the permission bits covered by NET_PERMS_MASK;
 * consumed by audit_net_cb() via aa_audit_perm_mask() when rendering
 * requested_mask= / denied_mask=.  The initializer is elided here.
 */
30 static const char * const net_mask_names
[] = {
/*
 * audit_net_cb - append network-specific fields to an audit record
 * @ab: audit buffer being built
 * @va: struct common_audit_data for the event (passed as void *)
 *
 * Emits family=, sock_type=, protocol=, then requested_mask= and
 * denied_mask= (only when the corresponding bits fall inside
 * NET_PERMS_MASK), and finally peer= rendered with aa_label_xaudit().
 *
 * NOTE(review): the family and type values are used directly as indexes
 * into address_family_names[] and sock_type_names[] with no range check
 * in this function.  That is only safe if every caller has already
 * validated them (the AA_BUG() checks in aa_profile_af_perm() document
 * the expected ranges but are not necessarily a runtime guard) — confirm
 * at the call sites.  Note the two sources of data: the family comes from
 * the LSM common audit data (sa->u.net), while type/protocol come from
 * the AppArmor-specific audit data (aad(sa)->net).
 */
73 /* audit callback for net specific fields */
74 void audit_net_cb(struct audit_buffer
*ab
, void *va
)
76 struct common_audit_data
*sa
= va
;
/* family: print the symbolic name when the table has one, else the raw
 * number (the else keyword is elided from this excerpt) */
78 audit_log_format(ab
, " family=");
79 if (address_family_names
[sa
->u
.net
->family
])
80 audit_log_string(ab
, address_family_names
[sa
->u
.net
->family
]);
82 audit_log_format(ab
, "\"unknown(%d)\"", sa
->u
.net
->family
);
/* socket type: same symbolic-or-numeric scheme as family */
83 audit_log_format(ab
, " sock_type=");
84 if (sock_type_names
[aad(sa
)->net
.type
])
85 audit_log_string(ab
, sock_type_names
[aad(sa
)->net
.type
]);
87 audit_log_format(ab
, "\"unknown(%d)\"", aad(sa
)->net
.type
);
88 audit_log_format(ab
, " protocol=%d", aad(sa
)->net
.protocol
);
/* only network permission bits are decoded; other bits in request are
 * not reported here */
90 if (aad(sa
)->request
& NET_PERMS_MASK
) {
91 audit_log_format(ab
, " requested_mask=");
92 aa_audit_perm_mask(ab
, aad(sa
)->request
, NULL
, 0,
93 net_mask_names
, NET_PERMS_MASK
);
95 if (aad(sa
)->denied
& NET_PERMS_MASK
) {
96 audit_log_format(ab
, " denied_mask=");
97 aa_audit_perm_mask(ab
, aad(sa
)->denied
, NULL
, 0,
98 net_mask_names
, NET_PERMS_MASK
);
/* peer label, printed relative to the namespace of the subject label;
 * GFP_ATOMIC presumably because audit callbacks may run where sleeping is
 * not allowed — confirm.  Any guard around this block is elided here. */
102 audit_log_format(ab
, " peer=");
103 aa_label_xaudit(ab
, labels_ns(aad(sa
)->label
), aad(sa
)->peer
,
104 FLAGS_NONE
, GFP_ATOMIC
);
/*
 * aa_profile_af_perm - mediate a network request against one profile
 * @profile: profile whose net tables are consulted
 * @sa: audit data for the request; audit_net_cb is handed to
 *      aa_check_perms() to render the network fields
 * @request: requested permission bits
 * @family: address family; expected to be < AF_MAX
 * @type: socket type; expected to be in [0, SOCK_MAX)
 *
 * Unconfined profiles are not mediated (the early-exit statement is
 * elided from this excerpt).  Otherwise allow/audit/quiet are derived
 * from bit @type of the profile's per-family tables (the ternary results
 * are elided here), adjusted for the profile mode, and checked by
 * aa_check_perms().
 *
 * NOTE(review): @family indexes profile->net.allow/audit/quiet and @type
 * is shifted into a mask; AA_BUG() is, as far as I recall, a debug-only
 * assertion rather than a runtime guard, so an out-of-range value reaching
 * this function would read out of bounds.  The range checks must therefore
 * hold at the call sites — confirm.
 */
109 /* Generic af perm */
110 int aa_profile_af_perm(struct aa_profile
*profile
, struct common_audit_data
*sa
,
111 u32 request
, u16 family
, int type
)
/* zero-initialised: no permission granted unless set below */
113 struct aa_perms perms
= { };
115 AA_BUG(family
>= AF_MAX
);
116 AA_BUG(type
< 0 || type
>= SOCK_MAX
);
118 if (profile_unconfined(profile
))
/* each field is all-or-nothing based on the per-family bit for @type */
121 perms
.allow
= (profile
->net
.allow
[family
] & (1 << type
)) ?
123 perms
.audit
= (profile
->net
.audit
[family
] & (1 << type
)) ?
125 perms
.quiet
= (profile
->net
.quiet
[family
] & (1 << type
)) ?
/* complain/enforce/kill mode handling lives in the helper */
127 aa_apply_modes_to_perms(profile
, &perms
);
129 return aa_check_perms(profile
, &perms
, request
, sa
, audit_net_cb
);
/*
 * aa_af_perm - mediate a network request against every confined profile
 *              in a label
 * @label: subject label
 * @op: operation name for auditing
 * @request: requested permission bits
 * @family: address family
 * @type: socket type
 * @protocol: protocol number (only used for the audit data here)
 *
 * Audit data is built with DEFINE_AUDIT_NET() and no socket (NULL); the
 * per-profile check is aa_profile_af_perm(), applied across the label via
 * fn_for_each_confined().  The closing of that call is elided from this
 * excerpt.  Range validation of @family/@type is not done here; see the
 * AA_BUG() expectations in aa_profile_af_perm().
 */
132 int aa_af_perm(struct aa_label
*label
, const char *op
, u32 request
, u16 family
,
133 int type
, int protocol
)
135 struct aa_profile
*profile
;
136 DEFINE_AUDIT_NET(sa
, op
, NULL
, family
, type
, protocol
);
138 return fn_for_each_confined(label
, profile
,
139 aa_profile_af_perm(profile
, &sa
, request
, family
,
/*
 * aa_label_sk_perm - mediate a socket operation for a label
 * @label: subject label
 * @op: operation name for auditing
 * @request: requested permission bits
 * (the struct sock parameter on the second signature line is elided here)
 *
 * Unconfined labels are not mediated (the early-exit statement is
 * elided); otherwise each confined profile is checked with
 * aa_profile_af_sk_perm() using audit data from DEFINE_AUDIT_SK().
 * Any sanity checks on @label/@sk preceding the unconfined test are not
 * visible in this excerpt.
 */
143 static int aa_label_sk_perm(struct aa_label
*label
, const char *op
, u32 request
,
146 struct aa_profile
*profile
;
147 DEFINE_AUDIT_SK(sa
, op
, sk
);
152 if (unconfined(label
))
155 return fn_for_each_confined(label
, profile
,
156 aa_profile_af_sk_perm(profile
, &sa
, request
, sk
));
/*
 * aa_sk_perm - mediate a socket operation for the current task
 * @op: operation name for auditing
 * @request: requested permission bits
 * @sk: socket being operated on
 *
 * Looks up the current task's label inside a label critical section,
 * delegates to aa_label_sk_perm(), and always closes the critical section
 * before returning (the declaration of the error variable and the final
 * return statement are elided from this excerpt).
 *
 * The AA_BUG(in_interrupt()) records that this path is not expected from
 * interrupt context; presumably because of the label critical section —
 * confirm.  As with the other AA_BUG() uses, treat it as an assertion,
 * not a guard.
 */
159 int aa_sk_perm(const char *op
, u32 request
, struct sock
*sk
)
161 struct aa_label
*label
;
165 AA_BUG(in_interrupt());
167 /* TODO: switch to begin_current_label ???? */
168 label
= begin_current_label_crit_section();
169 error
= aa_label_sk_perm(label
, op
, request
, sk
);
/* must pair with begin_current_label_crit_section() on every path */
170 end_current_label_crit_section(label
);
/*
 * aa_sock_file_perm - mediate a file operation on a socket
 * @label: subject label
 * @op: operation name for auditing
 * @request: requested permission bits
 * (the socket parameter on the second signature line is elided here)
 *
 * Thin wrapper that delegates to aa_label_sk_perm() on sock->sk.
 * NOTE(review): sock->sk is dereferenced unconditionally in the visible
 * line; any NULL checks on sock / sock->sk that precede it are elided
 * from this excerpt — confirm they exist at this point or at the caller.
 */
176 int aa_sock_file_perm(struct aa_label
*label
, const char *op
, u32 request
,
183 return aa_label_sk_perm(label
, op
, request
, sock
->sk
);