]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - security/apparmor/net.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
x86/cpu: Make alternative_msr_write work for 32-bit code
[mirror_ubuntu-artful-kernel.git] / security / apparmor / net.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor network mediation
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15 #include "include/af_unix.h"
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/context.h"
19 #include "include/label.h"
20 #include "include/net.h"
21 #include "include/policy.h"
22
23 #include "net_names.h"
24
25
26 struct aa_sfs_entry aa_sfs_entry_network[] = {
27 AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
28 AA_SFS_FILE_BOOLEAN("af_unix", 1),
29 { }
30 };
31
32 static const char * const net_mask_names[] = {
33 "unknown",
34 "send",
35 "receive",
36 "unknown",
37
38 "create",
39 "shutdown",
40 "connect",
41 "unknown",
42
43 "setattr",
44 "getattr",
45 "setcred",
46 "getcred",
47
48 "chmod",
49 "chown",
50 "chgrp",
51 "lock",
52
53 "mmap",
54 "mprot",
55 "unknown",
56 "unknown",
57
58 "accept",
59 "bind",
60 "listen",
61 "unknown",
62
63 "setopt",
64 "getopt",
65 "unknown",
66 "unknown",
67
68 "unknown",
69 "unknown",
70 "unknown",
71 "unknown",
72 };
73
74 static void audit_unix_addr(struct audit_buffer *ab, const char *str,
75 struct sockaddr_un *addr, int addrlen)
76 {
77 int len = unix_addr_len(addrlen);
78
79 if (!addr || len <= 0) {
80 audit_log_format(ab, " %s=none", str);
81 } else if (addr->sun_path[0]) {
82 audit_log_format(ab, " %s=", str);
83 audit_log_untrustedstring(ab, addr->sun_path);
84 } else {
85 audit_log_format(ab, " %s=\"@", str);
86 if (audit_string_contains_control(&addr->sun_path[1], len - 1))
87 audit_log_n_hex(ab, &addr->sun_path[1], len - 1);
88 else
89 audit_log_format(ab, "%.*s", len - 1,
90 &addr->sun_path[1]);
91 audit_log_format(ab, "\"");
92 }
93 }
94
95 static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str,
96 struct sock *sk)
97 {
98 struct unix_sock *u = unix_sk(sk);
99 if (u && u->addr)
100 audit_unix_addr(ab, str, u->addr->name, u->addr->len);
101 else
102 audit_unix_addr(ab, str, NULL, 0);
103 }
104
105 /* audit callback for net specific fields */
106 void audit_net_cb(struct audit_buffer *ab, void *va)
107 {
108 struct common_audit_data *sa = va;
109
110 audit_log_format(ab, " family=");
111 if (address_family_names[sa->u.net->family])
112 audit_log_string(ab, address_family_names[sa->u.net->family]);
113 else
114 audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
115 audit_log_format(ab, " sock_type=");
116 if (sock_type_names[aad(sa)->net.type])
117 audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
118 else
119 audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
120 audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
121
122 if (aad(sa)->request & NET_PERMS_MASK) {
123 audit_log_format(ab, " requested_mask=");
124 aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
125 net_mask_names, NET_PERMS_MASK);
126
127 if (aad(sa)->denied & NET_PERMS_MASK) {
128 audit_log_format(ab, " denied_mask=");
129 aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
130 net_mask_names, NET_PERMS_MASK);
131 }
132 }
133 if (sa->u.net->family == AF_UNIX) {
134 if ((aad(sa)->request & ~NET_PEER_MASK) && aad(sa)->net.addr)
135 audit_unix_addr(ab, "addr",
136 unix_addr(aad(sa)->net.addr),
137 aad(sa)->net.addrlen);
138 else
139 audit_unix_sk_addr(ab, "addr", sa->u.net->sk);
140 if (aad(sa)->request & NET_PEER_MASK) {
141 if (aad(sa)->net.addr)
142 audit_unix_addr(ab, "peer_addr",
143 unix_addr(aad(sa)->net.addr),
144 aad(sa)->net.addrlen);
145 else
146 audit_unix_sk_addr(ab, "peer_addr",
147 aad(sa)->net.peer_sk);
148 }
149 }
150 if (aad(sa)->peer) {
151 audit_log_format(ab, " peer=");
152 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
153 FLAGS_NONE, GFP_ATOMIC);
154 }
155 }
156
157
158 /* Generic af perm */
159 int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
160 u32 request, u16 family, int type)
161 {
162 struct aa_perms perms = { };
163
164 AA_BUG(family >= AF_MAX);
165 AA_BUG(type < 0 || type >= SOCK_MAX);
166
167 if (profile_unconfined(profile))
168 return 0;
169
170 perms.allow = (profile->net.allow[family] & (1 << type)) ?
171 ALL_PERMS_MASK : 0;
172 perms.audit = (profile->net.audit[family] & (1 << type)) ?
173 ALL_PERMS_MASK : 0;
174 perms.quiet = (profile->net.quiet[family] & (1 << type)) ?
175 ALL_PERMS_MASK : 0;
176 aa_apply_modes_to_perms(profile, &perms);
177
178 return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
179 }
180
181 int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
182 int type, int protocol)
183 {
184 struct aa_profile *profile;
185 DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
186
187 return fn_for_each_confined(label, profile,
188 aa_profile_af_perm(profile, &sa, request, family,
189 type));
190 }
191
192 static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
193 struct sock *sk)
194 {
195 struct aa_profile *profile;
196 DEFINE_AUDIT_SK(sa, op, sk);
197
198 AA_BUG(!label);
199 AA_BUG(!sk);
200
201 if (unconfined(label))
202 return 0;
203
204 return fn_for_each_confined(label, profile,
205 aa_profile_af_sk_perm(profile, &sa, request, sk));
206 }
207
208 int aa_sk_perm(const char *op, u32 request, struct sock *sk)
209 {
210 struct aa_label *label;
211 int error;
212
213 AA_BUG(!sk);
214 AA_BUG(in_interrupt());
215
216 /* TODO: switch to begin_current_label ???? */
217 label = begin_current_label_crit_section();
218 error = aa_label_sk_perm(label, op, request, sk);
219 end_current_label_crit_section(label);
220
221 return error;
222 }
223
224 #define af_select(FAMILY, FN, DEF_FN) \
225 ({ \
226 int __e; \
227 switch ((FAMILY)) { \
228 case AF_UNIX: \
229 __e = aa_unix_ ## FN; \
230 break; \
231 default: \
232 __e = DEF_FN; \
233 } \
234 __e; \
235 })
236
237 /* TODO: push into lsm.c ???? */
238
239 /* revaliation, get/set attr, shutdown */
240 int aa_sock_perm(const char *op, u32 request, struct socket *sock)
241 {
242 AA_BUG(!sock);
243 AA_BUG(!sock->sk);
244 AA_BUG(in_interrupt());
245
246 return af_select(sock->sk->sk_family,
247 sock_perm(op, request, sock),
248 aa_sk_perm(op, request, sock->sk));
249 }
250
251 int aa_sock_create_perm(struct aa_label *label, int family, int type,
252 int protocol)
253 {
254 AA_BUG(!label);
255 /* TODO: .... */
256 AA_BUG(in_interrupt());
257
258 return af_select(family,
259 create_perm(label, family, type, protocol),
260 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family,
261 type, protocol));
262 }
263
264 int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address,
265 int addrlen)
266 {
267 AA_BUG(!sock);
268 AA_BUG(!sock->sk);
269 AA_BUG(!address);
270 /* TODO: .... */
271 AA_BUG(in_interrupt());
272
273 return af_select(sock->sk->sk_family,
274 bind_perm(sock, address, addrlen),
275 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
276 }
277
278 int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address,
279 int addrlen)
280 {
281 AA_BUG(!sock);
282 AA_BUG(!sock->sk);
283 AA_BUG(!address);
284 /* TODO: .... */
285 AA_BUG(in_interrupt());
286
287 return af_select(sock->sk->sk_family,
288 connect_perm(sock, address, addrlen),
289 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
290 }
291
292 int aa_sock_listen_perm(struct socket *sock, int backlog)
293 {
294 AA_BUG(!sock);
295 AA_BUG(!sock->sk);
296 /* TODO: .... */
297 AA_BUG(in_interrupt());
298
299 return af_select(sock->sk->sk_family,
300 listen_perm(sock, backlog),
301 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
302 }
303
304 /* ability of sock to connect, not peer address binding */
305 int aa_sock_accept_perm(struct socket *sock, struct socket *newsock)
306 {
307 AA_BUG(!sock);
308 AA_BUG(!sock->sk);
309 AA_BUG(!newsock);
310 /* TODO: .... */
311 AA_BUG(in_interrupt());
312
313 return af_select(sock->sk->sk_family,
314 accept_perm(sock, newsock),
315 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
316 }
317
318 /* sendmsg, recvmsg */
319 int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
320 struct msghdr *msg, int size)
321 {
322 AA_BUG(!sock);
323 AA_BUG(!sock->sk);
324 AA_BUG(!msg);
325 /* TODO: .... */
326 AA_BUG(in_interrupt());
327
328 return af_select(sock->sk->sk_family,
329 msg_perm(op, request, sock, msg, size),
330 aa_sk_perm(op, request, sock->sk));
331 }
332
333 /* revaliation, get/set attr, opt */
334 int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level,
335 int optname)
336 {
337 AA_BUG(!sock);
338 AA_BUG(!sock->sk);
339 AA_BUG(in_interrupt());
340
341 return af_select(sock->sk->sk_family,
342 opt_perm(op, request, sock, level, optname),
343 aa_sk_perm(op, request, sock->sk));
344 }
345
346 int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
347 struct socket *sock)
348 {
349 AA_BUG(!label);
350 AA_BUG(!sock);
351 AA_BUG(!sock->sk);
352
353 return af_select(sock->sk->sk_family,
354 file_perm(label, op, request, sock),
355 aa_label_sk_perm(label, op, request, sock->sk));
356 }
Ubuntu Artful kernel mirror