2 * AppArmor security module
4 * This file contains AppArmor network mediation
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2017 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include "include/af_unix.h"
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/context.h"
19 #include "include/label.h"
20 #include "include/net.h"
21 #include "include/policy.h"
23 #include "net_names.h"
26 struct aa_sfs_entry aa_sfs_entry_network
[] = {
27 AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK
),
28 AA_SFS_FILE_BOOLEAN("af_unix", 1),
32 static const char * const net_mask_names
[] = {
74 static void audit_unix_addr(struct audit_buffer
*ab
, const char *str
,
75 struct sockaddr_un
*addr
, int addrlen
)
77 int len
= unix_addr_len(addrlen
);
79 if (!addr
|| len
<= 0) {
80 audit_log_format(ab
, " %s=none", str
);
81 } else if (addr
->sun_path
[0]) {
82 audit_log_format(ab
, " %s=", str
);
83 audit_log_untrustedstring(ab
, addr
->sun_path
);
85 audit_log_format(ab
, " %s=\"@", str
);
86 if (audit_string_contains_control(&addr
->sun_path
[1], len
- 1))
87 audit_log_n_hex(ab
, &addr
->sun_path
[1], len
- 1);
89 audit_log_format(ab
, "%.*s", len
- 1,
91 audit_log_format(ab
, "\"");
95 static void audit_unix_sk_addr(struct audit_buffer
*ab
, const char *str
,
98 struct unix_sock
*u
= unix_sk(sk
);
100 audit_unix_addr(ab
, str
, u
->addr
->name
, u
->addr
->len
);
102 audit_unix_addr(ab
, str
, NULL
, 0);
105 /* audit callback for net specific fields */
106 void audit_net_cb(struct audit_buffer
*ab
, void *va
)
108 struct common_audit_data
*sa
= va
;
110 audit_log_format(ab
, " family=");
111 if (address_family_names
[sa
->u
.net
->family
])
112 audit_log_string(ab
, address_family_names
[sa
->u
.net
->family
]);
114 audit_log_format(ab
, "\"unknown(%d)\"", sa
->u
.net
->family
);
115 audit_log_format(ab
, " sock_type=");
116 if (sock_type_names
[aad(sa
)->net
.type
])
117 audit_log_string(ab
, sock_type_names
[aad(sa
)->net
.type
]);
119 audit_log_format(ab
, "\"unknown(%d)\"", aad(sa
)->net
.type
);
120 audit_log_format(ab
, " protocol=%d", aad(sa
)->net
.protocol
);
122 if (aad(sa
)->request
& NET_PERMS_MASK
) {
123 audit_log_format(ab
, " requested_mask=");
124 aa_audit_perm_mask(ab
, aad(sa
)->request
, NULL
, 0,
125 net_mask_names
, NET_PERMS_MASK
);
127 if (aad(sa
)->denied
& NET_PERMS_MASK
) {
128 audit_log_format(ab
, " denied_mask=");
129 aa_audit_perm_mask(ab
, aad(sa
)->denied
, NULL
, 0,
130 net_mask_names
, NET_PERMS_MASK
);
133 if (sa
->u
.net
->family
== AF_UNIX
) {
134 if ((aad(sa
)->request
& ~NET_PEER_MASK
) && aad(sa
)->net
.addr
)
135 audit_unix_addr(ab
, "addr",
136 unix_addr(aad(sa
)->net
.addr
),
137 aad(sa
)->net
.addrlen
);
139 audit_unix_sk_addr(ab
, "addr", sa
->u
.net
->sk
);
140 if (aad(sa
)->request
& NET_PEER_MASK
) {
141 if (aad(sa
)->net
.addr
)
142 audit_unix_addr(ab
, "peer_addr",
143 unix_addr(aad(sa
)->net
.addr
),
144 aad(sa
)->net
.addrlen
);
146 audit_unix_sk_addr(ab
, "peer_addr",
147 aad(sa
)->net
.peer_sk
);
151 audit_log_format(ab
, " peer=");
152 aa_label_xaudit(ab
, labels_ns(aad(sa
)->label
), aad(sa
)->peer
,
153 FLAGS_NONE
, GFP_ATOMIC
);
158 /* Generic af perm */
159 int aa_profile_af_perm(struct aa_profile
*profile
, struct common_audit_data
*sa
,
160 u32 request
, u16 family
, int type
)
162 struct aa_perms perms
= { };
164 AA_BUG(family
>= AF_MAX
);
165 AA_BUG(type
< 0 || type
>= SOCK_MAX
);
167 if (profile_unconfined(profile
))
170 perms
.allow
= (profile
->net
.allow
[family
] & (1 << type
)) ?
172 perms
.audit
= (profile
->net
.audit
[family
] & (1 << type
)) ?
174 perms
.quiet
= (profile
->net
.quiet
[family
] & (1 << type
)) ?
176 aa_apply_modes_to_perms(profile
, &perms
);
178 return aa_check_perms(profile
, &perms
, request
, sa
, audit_net_cb
);
181 int aa_af_perm(struct aa_label
*label
, const char *op
, u32 request
, u16 family
,
182 int type
, int protocol
)
184 struct aa_profile
*profile
;
185 DEFINE_AUDIT_NET(sa
, op
, NULL
, family
, type
, protocol
);
187 return fn_for_each_confined(label
, profile
,
188 aa_profile_af_perm(profile
, &sa
, request
, family
,
192 static int aa_label_sk_perm(struct aa_label
*label
, const char *op
, u32 request
,
195 struct aa_profile
*profile
;
196 DEFINE_AUDIT_SK(sa
, op
, sk
);
201 if (unconfined(label
))
204 return fn_for_each_confined(label
, profile
,
205 aa_profile_af_sk_perm(profile
, &sa
, request
, sk
));
208 int aa_sk_perm(const char *op
, u32 request
, struct sock
*sk
)
210 struct aa_label
*label
;
214 AA_BUG(in_interrupt());
216 /* TODO: switch to begin_current_label ???? */
217 label
= begin_current_label_crit_section();
218 error
= aa_label_sk_perm(label
, op
, request
, sk
);
219 end_current_label_crit_section(label
);
224 #define af_select(FAMILY, FN, DEF_FN) \
227 switch ((FAMILY)) { \
229 __e = aa_unix_ ## FN; \
237 /* TODO: push into lsm.c ???? */
239 /* revaliation, get/set attr, shutdown */
240 int aa_sock_perm(const char *op
, u32 request
, struct socket
*sock
)
244 AA_BUG(in_interrupt());
246 return af_select(sock
->sk
->sk_family
,
247 sock_perm(op
, request
, sock
),
248 aa_sk_perm(op
, request
, sock
->sk
));
251 int aa_sock_create_perm(struct aa_label
*label
, int family
, int type
,
256 AA_BUG(in_interrupt());
258 return af_select(family
,
259 create_perm(label
, family
, type
, protocol
),
260 aa_af_perm(label
, OP_CREATE
, AA_MAY_CREATE
, family
,
264 int aa_sock_bind_perm(struct socket
*sock
, struct sockaddr
*address
,
271 AA_BUG(in_interrupt());
273 return af_select(sock
->sk
->sk_family
,
274 bind_perm(sock
, address
, addrlen
),
275 aa_sk_perm(OP_BIND
, AA_MAY_BIND
, sock
->sk
));
278 int aa_sock_connect_perm(struct socket
*sock
, struct sockaddr
*address
,
285 AA_BUG(in_interrupt());
287 return af_select(sock
->sk
->sk_family
,
288 connect_perm(sock
, address
, addrlen
),
289 aa_sk_perm(OP_CONNECT
, AA_MAY_CONNECT
, sock
->sk
));
292 int aa_sock_listen_perm(struct socket
*sock
, int backlog
)
297 AA_BUG(in_interrupt());
299 return af_select(sock
->sk
->sk_family
,
300 listen_perm(sock
, backlog
),
301 aa_sk_perm(OP_LISTEN
, AA_MAY_LISTEN
, sock
->sk
));
304 /* ability of sock to connect, not peer address binding */
305 int aa_sock_accept_perm(struct socket
*sock
, struct socket
*newsock
)
311 AA_BUG(in_interrupt());
313 return af_select(sock
->sk
->sk_family
,
314 accept_perm(sock
, newsock
),
315 aa_sk_perm(OP_ACCEPT
, AA_MAY_ACCEPT
, sock
->sk
));
318 /* sendmsg, recvmsg */
319 int aa_sock_msg_perm(const char *op
, u32 request
, struct socket
*sock
,
320 struct msghdr
*msg
, int size
)
326 AA_BUG(in_interrupt());
328 return af_select(sock
->sk
->sk_family
,
329 msg_perm(op
, request
, sock
, msg
, size
),
330 aa_sk_perm(op
, request
, sock
->sk
));
333 /* revaliation, get/set attr, opt */
334 int aa_sock_opt_perm(const char *op
, u32 request
, struct socket
*sock
, int level
,
339 AA_BUG(in_interrupt());
341 return af_select(sock
->sk
->sk_family
,
342 opt_perm(op
, request
, sock
, level
, optname
),
343 aa_sk_perm(op
, request
, sock
->sk
));
346 int aa_sock_file_perm(struct aa_label
*label
, const char *op
, u32 request
,
353 return af_select(sock
->sk
->sk_family
,
354 file_perm(label
, op
, request
, sock
),
355 aa_label_sk_perm(label
, op
, request
, sock
->sk
));