2 * AppArmor security module
4 * This file contains AppArmor network mediation
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2014 Canonical Ltd.
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
15 #include "include/af_unix.h"
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/context.h"
19 #include "include/label.h"
20 #include "include/net.h"
21 #include "include/policy.h"
23 #include "net_names.h"
/*
 * Feature entries for the "network" subtree; presumably exported through
 * apparmorfs so user space can discover the supported address-family mask
 * and whether af_unix mediation is compiled in (confirm in apparmorfs.c).
 */
struct aa_fs_entry aa_fs_entry_network[] = {
	AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
	AA_FS_FILE_BOOLEAN("af_unix", 1),
	/* … original lines 29–31 (terminator and closing brace) not on this page … */
/*
 * Names used by aa_audit_perm_mask() (see audit_net_cb() below) to render
 * a network permission mask in audit records; presumably one string per
 * mask bit, in bit order — the initializer itself is not on this page.
 */
static const char *net_mask_names[] = {
	/* … original lines 33–73 (initializer) not on this page … */
/*
 * audit_unix_addr - append an AF_UNIX address field to an audit record.
 * @ab: audit buffer being built
 * @str: field name to emit (the callers pass "addr" / "peer_addr")
 * @addr: the address, or NULL when none is known
 * @addrlen: raw sockaddr length; unix_addr_len() turns it into the usable
 *           name length, and a result <= 0 is treated as "no name"
 *
 * The name is user-controlled data going into a log line, so it is never
 * written raw.  Filesystem names go through audit_log_untrustedstring(),
 * which relies on sun_path being NUL-terminated (the af_unix layer
 * presumably guarantees this for pathname addresses before these hooks run
 * — confirm before reusing this helper elsewhere).  Abstract names (leading
 * NUL byte) are rendered with the conventional leading '@', bounded to
 * len - 1 bytes, and hex-encoded when they contain control characters so
 * that the quoted field stays well-formed whatever bytes the name holds.
 */
static void audit_unix_addr(struct audit_buffer *ab, const char *str,
			    struct sockaddr_un *addr, int addrlen)
/* … original line 76 not on this page … */
	int len = unix_addr_len(addrlen);

	if (!addr || len <= 0) {
		audit_log_format(ab, " %s=none", str);
	} else if (addr->sun_path[0]) {
		/* pathname address: escaped, length taken from the NUL terminator */
		audit_log_format(ab, " %s=", str);
		audit_log_untrustedstring(ab, addr->sun_path);
	/* … original line 84 (else branch) not on this page … */
		/* abstract address: bytes after the leading NUL, length-bounded */
		audit_log_format(ab, " %s=\"@", str);
		if (audit_string_contains_control(&addr->sun_path[1], len - 1))
			audit_log_n_hex(ab, &addr->sun_path[1], len - 1);
	/* … original line 88 not on this page … */
			audit_log_format(ab, "%.*s", len - 1,
	/* … original line 90 (remaining argument of this call) not on this page … */
		audit_log_format(ab, "\"");
	/* … original lines 92–94 not on this page … */
/*
 * audit_unix_sk_addr - log the address bound to an AF_UNIX sock.
 * @ab: audit buffer being built
 * @str: field name passed through to audit_unix_addr()
 *
 * Emits the sock's bound name via audit_unix_addr(), or "none" (the
 * NULL, 0 call) when there is none.  The remaining parameter(s), the body
 * opener and the condition choosing between the two calls are not on this
 * page; @sk is used below, so it is presumably the sock parameter.
 */
static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str,
/* … original lines 96–97 not on this page … */
	struct unix_sock *u = unix_sk(sk);
	/* … original line 99 (condition selecting one of the two calls) not on this page … */
	audit_unix_addr(ab, str, u->addr->name, u->addr->len);
	/* … original line 101 not on this page … */
	audit_unix_addr(ab, str, NULL, 0);
	/* … original lines 103–104 not on this page … */
/* audit callback for net specific fields */
/*
 * audit_net_cb - add the network-specific fields to an AppArmor audit record.
 * @ab: audit buffer being built
 * @va: the struct common_audit_data for the event
 *
 * Emits family, sock_type and protocol, the requested/denied permission
 * masks when any network bit is set, the local and peer AF_UNIX addresses
 * for AF_UNIX events, and the peer label.  The family and type values are
 * used directly as indices into address_family_names[] / sock_type_names[]
 * (from net_names.h); their bounds rely on the callers' range checks (see
 * the AA_BUG checks in aa_profile_af_perm()), not on anything done here.
 * GFP_ATOMIC on the label audit suggests this callback may run in a
 * context that must not sleep — confirm against the audit core.
 */
void audit_net_cb(struct audit_buffer *ab, void *va)
/* … original line 107 not on this page … */
	struct common_audit_data *sa = va;

	audit_log_format(ab, " family=");
	if (address_family_names[sa->u.net->family]) {
		audit_log_string(ab, address_family_names[sa->u.net->family]);
	/* … original line 113 not on this page … */
		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
	/* … original line 115 not on this page … */
	audit_log_format(ab, " sock_type=");
	if (sock_type_names[aad(sa)->net.type]) {
		audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
	/* … original line 119 not on this page … */
		audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
	/* … original line 121 not on this page … */
	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	/* only network permission bits are rendered; other bits of the mask are not */
	if (aad(sa)->request & NET_PERMS_MASK) {
		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
				   net_mask_names, NET_PERMS_MASK);
		/* … original line 128 not on this page … */
		if (aad(sa)->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		/* … original lines 133–134 not on this page … */
	if (sa->u.net->family == AF_UNIX) {
		/*
		 * A supplied address is logged as the local address only for
		 * non-peer operations; otherwise the sock's bound name is used.
		 */
		if ((aad(sa)->request & ~NET_PEER_MASK) && aad(sa)->net.addr)
			audit_unix_addr(ab, "addr",
					unix_addr(aad(sa)->net.addr),
					aad(sa)->net.addrlen);
		/* … original line 140 not on this page … */
			audit_unix_sk_addr(ab, "addr", sa->u.net->sk);
		if (aad(sa)->request & NET_PEER_MASK) {
			if (aad(sa)->net.addr)
				audit_unix_addr(ab, "peer_addr",
						unix_addr(aad(sa)->net.addr),
						aad(sa)->net.addrlen);
			/* … original line 147 not on this page … */
				audit_unix_sk_addr(ab, "peer_addr",
						   aad(sa)->net.peer_sk);
		/* … original lines 150–152 not on this page; 152 presumably guards the peer= field … */
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
				FLAGS_NONE, GFP_ATOMIC);
	/* … original lines 156–157 not on this page … */
/* Generic af perm */
/*
 * aa_profile_af_perm - check a profile's coarse address-family permission.
 * @profile: profile to check; an unconfined profile skips the check
 * @sa: audit data for the (possible) audit record
 * @request: requested permission bits
 * @family: address family, used to index profile->net.{allow,audit,quiet}
 * @type: socket type, used as a bit index into those per-family masks
 *
 * Builds an aa_perms from the three per-family bitmasks, applies the
 * profile's modes and hands the decision to aa_check_perms() with
 * audit_net_cb() as the audit callback; returns whatever
 * aa_check_perms() returns.
 */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
/* … original line 163 not on this page … */
	struct aa_perms perms = { };

	AA_BUG(family >= AF_MAX);
	/*
	 * NOTE(review): with `&&` this assertion is unsatisfiable — no value
	 * is both negative and >= SOCK_MAX — so an out-of-range @type is never
	 * reported here and reaches the `1 << type` shifts below, where a
	 * negative or oversized shift count is undefined behaviour.  `||` is
	 * presumably what was intended.  AA_BUG is presumably a debug-only
	 * assertion rather than an enforcement check (confirm in
	 * include/lib.h), so callers must validate @type regardless.
	 */
	AA_BUG(type < 0 && type >= SOCK_MAX);

	if (profile_unconfined(profile))
	/* … original lines 170–171 not on this page … */

	/* one bit per socket type in each per-family mask */
	perms.allow = (profile->net.allow[family] & (1 << type)) ?
	/* … original line 173 (result operands of the ?:) not on this page … */
	perms.audit = (profile->net.audit[family] & (1 << type)) ?
	/* … original line 175 (result operands of the ?:) not on this page … */
	perms.quiet = (profile->net.quiet[family] & (1 << type)) ?
	/* … original line 177 (result operands of the ?:) not on this page … */
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
	/* … original lines 181–182 not on this page … */
/*
 * aa_af_perm - check an address-family permission for every confined
 * profile in a label.
 * @label: label being checked
 * @op: operation name for the audit record
 * @request: requested permission bits
 * @family, @type, @protocol: socket parameters recorded in the audit data
 *
 * The audit data is built without a sock (the NULL argument to
 * DEFINE_AUDIT_NET), so this is the socket-less path used by create.
 * Returns the combined result of aa_profile_af_perm() over the label's
 * confined profiles, as produced by fn_for_each_confined().
 */
static int aa_af_perm(struct aa_label *label, const char *op, u32 request,
		      u16 family, int type, int protocol)
/* … original line 185 not on this page … */
	struct aa_profile *profile;
	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);

	return fn_for_each_confined(label, profile,
			aa_profile_af_perm(profile, &sa, request, family, type));
	/* … original lines 191–192 not on this page … */
/*
 * aa_label_sk_perm - check a sock operation against an explicit label.
 * @label: label being checked
 * @op: operation name for the audit record
 * @request: requested permission bits
 *
 * The remaining parameter(s) are not on this page; @sk is used below and is
 * presumably a struct sock *.  An unconfined label short-circuits (original
 * lines 203–204, not on this page, presumably return without checking);
 * otherwise aa_profile_af_sk_perm() is applied to each confined profile.
 */
static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
/* … original lines 194–195 not on this page … */
	struct aa_profile *profile;
	DEFINE_AUDIT_SK(sa, op, sk);
	/* … original lines 198–201 not on this page … */
	if (unconfined(label))
	/* … original lines 203–204 not on this page … */
	return fn_for_each_confined(label, profile,
			aa_profile_af_sk_perm(profile, &sa, request, sk));
	/* … original lines 207–208 not on this page … */
/*
 * aa_sk_perm - check a sock operation for the current task.
 * @op: operation name for the audit record
 * @request: requested permission bits
 * @sk: sock being operated on
 *
 * Takes the current task's label (DO_UPDATE — presumably refreshing a
 * stale label, confirm in context.h), runs aa_label_sk_perm() and releases
 * the label again.  The in_interrupt() assertion documents that this path
 * must not run from interrupt context.  `error` is assigned below; its
 * declaration is among the lines not on this page (212–214), as is the
 * return (221–224).
 */
static int aa_sk_perm(const char *op, u32 request, struct sock *sk)
/* … original line 210 not on this page … */
	struct aa_label *label;
	/* … original lines 212–214 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 216 not on this page … */
	/* TODO: switch to begin_current_label ???? */
	label = aa_begin_current_label(DO_UPDATE);
	error = aa_label_sk_perm(label, op, request, sk);
	aa_end_current_label(label);
	/* … original lines 221–224 not on this page … */
/*
 * af_select() - choose the mediation routine for an address family.
 * @FAMILY: address family switched on
 * @FN: call expression; for the selected family it is token-pasted onto
 *      the aa_unix_ prefix, i.e. FN becomes aa_unix_FN(...)
 * @DEF_FN: call expression presumably used for every other family
 *
 * Only original lines 225, 228 and 230 are on this page; the case label(s),
 * the declaration of __e and the default arm (226–227, 229, 231–236) are
 * not, so which family selects aa_unix_ ## FN is not visible here — the
 * aa_unix_ prefix and the af_unix.h include make AF_UNIX the obvious
 * candidate.
 */
#define af_select(FAMILY, FN, DEF_FN) \
	/* … original lines 226–227 not on this page … */ \
	switch ((FAMILY)) { \
	/* … original line 229 not on this page … */ \
		__e = aa_unix_ ## FN; \
	/* … original lines 231–236 not on this page … */
238 /* TODO: push into lsm.c ???? */
/* revalidation, get/set attr, shutdown */
/*
 * aa_sock_perm - mediate an operation on an existing socket for the
 * current task.
 * @op: operation name for the audit record
 * @request: requested permission bits
 * @sock: socket being operated on
 *
 * Dispatches on sock->sk->sk_family through af_select(): the af_unix
 * mediation (aa_unix_sock_perm) for the family it selects, aa_sk_perm()
 * for everything else.  sock and sock->sk are dereferenced unchecked in
 * the visible lines; original lines 242–244 are not on this page, so any
 * NULL assertions would be there.
 */
int aa_sock_perm(const char *op, u32 request, struct socket *sock)
/* … original lines 242–244 not on this page … */
	AA_BUG(in_interrupt());

	return af_select(sock->sk->sk_family,
			 sock_perm(op, request, sock),
			 aa_sk_perm(op, request, sock->sk));
	/* … original lines 250–251 not on this page … */
/*
 * aa_sock_create_perm - mediate socket creation for an explicit label.
 * @label: label of the creating task
 * @family: requested address family (an int here; it is passed on to
 *          aa_af_perm()'s u16 parameter, so a negative or > 65535 value
 *          would be truncated — the socket core presumably rejects such
 *          values before this hook runs, confirm)
 * @type: requested socket type
 *
 * There is no socket yet, so the dispatch key is the requested @family
 * itself.  The remaining parameter(s) are not on this page; @protocol is
 * used below.  Families not routed to aa_unix_create_perm() get only the
 * family/type permission check of aa_af_perm().
 */
int aa_sock_create_perm(struct aa_label *label, int family, int type,
/* … original lines 253–256 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 258 not on this page … */
	return af_select(family,
			 create_perm(label, family, type, protocol),
			 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family,
	/* … original lines 262–264 not on this page … */
/*
 * aa_sock_bind_perm - mediate bind(2) for the current task.
 * @sock: socket being bound
 * @address: address supplied by the caller
 *
 * The remaining parameter(s) are not on this page; @addrlen is used below.
 * Only the family routed to aa_unix_bind_perm() has its address inspected;
 * every other family falls back to aa_sk_perm(OP_BIND, AA_MAY_BIND, ...),
 * which checks the per-family/type permission and ignores @address.
 */
int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address,
/* … original lines 266–271 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 273 not on this page … */
	return af_select(sock->sk->sk_family,
			 bind_perm(sock, address, addrlen),
			 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
	/* … original lines 277–278 not on this page … */
/*
 * aa_sock_connect_perm - mediate connect(2) for the current task.
 * @sock: connecting socket
 * @address: peer address supplied by the caller
 *
 * The remaining parameter(s) are not on this page; @addrlen is used below.
 * As for bind, only the family routed to aa_unix_connect_perm() has the
 * peer address inspected; other families get the family/type check of
 * aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, ...) only.
 */
int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address,
/* … original lines 280–285 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 287 not on this page … */
	return af_select(sock->sk->sk_family,
			 connect_perm(sock, address, addrlen),
			 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
	/* … original lines 291–292 not on this page … */
/*
 * aa_sock_listen_perm - mediate listen(2) for the current task.
 * @sock: socket to put into listening state
 * @backlog: requested backlog, passed through to the af_unix routine
 *
 * Dispatches through af_select(); the fallback is the family/type check
 * aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, ...).  Original lines 294–297
 * (between the signature and the assertion) are not on this page.
 */
int aa_sock_listen_perm(struct socket *sock, int backlog)
/* … original lines 294–297 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 299 not on this page … */
	return af_select(sock->sk->sk_family,
			 listen_perm(sock, backlog),
			 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
	/* … original lines 303–304 not on this page … */
/* ability of sock to connect, not peer address binding */
/*
 * aa_sock_accept_perm - mediate accept(2) for the current task.
 * @sock: listening socket
 * @newsock: socket for the accepted connection, passed through to the
 *           af_unix routine only
 *
 * The fallback aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, ...) is evaluated on
 * the listening sock, not on @newsock.  Original lines 307–311 are not on
 * this page.
 */
int aa_sock_accept_perm(struct socket *sock, struct socket *newsock)
/* … original lines 307–311 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 313 not on this page … */
	return af_select(sock->sk->sk_family,
			 accept_perm(sock, newsock),
			 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
	/* … original lines 317–318 not on this page … */
/* sendmsg, recvmsg */
/*
 * aa_sock_msg_perm - mediate sendmsg/recvmsg for the current task.
 * @op: operation name for the audit record
 * @request: requested permission bits
 * @sock: socket being used
 * @msg: message header, passed through to the af_unix routine only
 * @size: message size, passed through to the af_unix routine only
 *
 * Only the family routed to aa_unix_msg_perm() sees @msg and @size; other
 * families get the family/type check of aa_sk_perm().  Original lines
 * 322–326 are not on this page.
 */
int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
		     struct msghdr *msg, int size)
/* … original lines 322–326 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 328 not on this page … */
	return af_select(sock->sk->sk_family,
			 msg_perm(op, request, sock, msg, size),
			 aa_sk_perm(op, request, sock->sk));
	/* … original lines 332–333 not on this page … */
/* revalidation, get/set attr, opt */
/*
 * aa_sock_opt_perm - mediate getsockopt/setsockopt for the current task.
 * @op: operation name for the audit record
 * @request: requested permission bits
 * @sock: socket being operated on
 * @level: option level, passed through to the af_unix routine only
 *
 * The remaining parameter(s) are not on this page; @optname is used below.
 * Only the family routed to aa_unix_opt_perm() sees @level/@optname; other
 * families get the family/type check of aa_sk_perm().
 */
int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level,
/* … original lines 336–339 not on this page … */
	AA_BUG(in_interrupt());
	/* … original line 341 not on this page … */
	return af_select(sock->sk->sk_family,
			 opt_perm(op, request, sock, level, optname),
			 aa_sk_perm(op, request, sock->sk));
	/* … original lines 345–346 not on this page … */
/*
 * aa_sock_file_perm - mediate a socket operation against an explicit label.
 * @label: label to check (not the current task's label)
 * @op: operation name for the audit record
 * @request: requested permission bits
 *
 * The remaining parameter(s) are not on this page; @sock is used below.
 * Unlike the other hooks in this file, the fallback goes straight to
 * aa_label_sk_perm() with the supplied @label rather than through
 * aa_sk_perm(), so no current-label lookup happens here.  Original lines
 * 349–353 are not on this page, so whether this hook carries the
 * in_interrupt() assertion its siblings have is not visible.
 */
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
/* … original lines 348–353 not on this page … */
	return af_select(sock->sk->sk_family,
			 file_perm(label, op, request, sock),
			 aa_label_sk_perm(label, op, request, sock->sk));
	/* … original line 357 not on this page … */