]> git.proxmox.com Git - mirror_ubuntu-zesty-kernel.git/blob - security/apparmor/net.c
projects / mirror_ubuntu-zesty-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
UBUNTU: Ubuntu-raspi2-4.10.0-1017.20
[mirror_ubuntu-zesty-kernel.git] / security / apparmor / net.c
1 /*
2 * AppArmor security module
3 *
4 * This file contains AppArmor network mediation
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2014 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15 #include "include/af_unix.h"
16 #include "include/apparmor.h"
17 #include "include/audit.h"
18 #include "include/context.h"
19 #include "include/label.h"
20 #include "include/net.h"
21 #include "include/policy.h"
22
23 #include "net_names.h"
24
25
26 struct aa_fs_entry aa_fs_entry_network[] = {
27 AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
28 AA_FS_FILE_BOOLEAN("af_unix", 1),
29 { }
30 };
31
32 static const char *net_mask_names[] = {
33 "unknown",
34 "send",
35 "receive",
36 "unknown",
37
38 "create",
39 "shutdown",
40 "connect",
41 "unknown",
42
43 "setattr",
44 "getattr",
45 "setcred",
46 "getcred",
47
48 "chmod",
49 "chown",
50 "chgrp",
51 "lock",
52
53 "mmap",
54 "mprot",
55 "unknown",
56 "unknown",
57
58 "accept",
59 "bind",
60 "listen",
61 "unknown",
62
63 "setopt",
64 "getopt",
65 "unknown",
66 "unknown",
67
68 "unknown",
69 "unknown",
70 "unknown",
71 "unknown",
72 };
73
74 static void audit_unix_addr(struct audit_buffer *ab, const char *str,
75 struct sockaddr_un *addr, int addrlen)
76 {
77 int len = unix_addr_len(addrlen);
78
79 if (!addr || len <= 0) {
80 audit_log_format(ab, " %s=none", str);
81 } else if (addr->sun_path[0]) {
82 audit_log_format(ab, " %s=", str);
83 audit_log_untrustedstring(ab, addr->sun_path);
84 } else {
85 audit_log_format(ab, " %s=\"@", str);
86 if (audit_string_contains_control(&addr->sun_path[1], len - 1))
87 audit_log_n_hex(ab, &addr->sun_path[1], len - 1);
88 else
89 audit_log_format(ab, "%.*s", len - 1,
90 &addr->sun_path[1]);
91 audit_log_format(ab, "\"");
92 }
93 }
94
95 static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str,
96 struct sock *sk)
97 {
98 struct unix_sock *u = unix_sk(sk);
99 if (u && u->addr)
100 audit_unix_addr(ab, str, u->addr->name, u->addr->len);
101 else
102 audit_unix_addr(ab, str, NULL, 0);
103 }
104
105 /* audit callback for net specific fields */
106 void audit_net_cb(struct audit_buffer *ab, void *va)
107 {
108 struct common_audit_data *sa = va;
109
110 audit_log_format(ab, " family=");
111 if (address_family_names[sa->u.net->family]) {
112 audit_log_string(ab, address_family_names[sa->u.net->family]);
113 } else {
114 audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
115 }
116 audit_log_format(ab, " sock_type=");
117 if (sock_type_names[aad(sa)->net.type]) {
118 audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
119 } else {
120 audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
121 }
122 audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
123
124 if (aad(sa)->request & NET_PERMS_MASK) {
125 audit_log_format(ab, " requested_mask=");
126 aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
127 net_mask_names, NET_PERMS_MASK);
128
129 if (aad(sa)->denied & NET_PERMS_MASK) {
130 audit_log_format(ab, " denied_mask=");
131 aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
132 net_mask_names, NET_PERMS_MASK);
133 }
134 }
135 if (sa->u.net->family == AF_UNIX) {
136 if ((aad(sa)->request & ~NET_PEER_MASK) && aad(sa)->net.addr)
137 audit_unix_addr(ab, "addr",
138 unix_addr(aad(sa)->net.addr),
139 aad(sa)->net.addrlen);
140 else
141 audit_unix_sk_addr(ab, "addr", sa->u.net->sk);
142 if (aad(sa)->request & NET_PEER_MASK) {
143 if (aad(sa)->net.addr)
144 audit_unix_addr(ab, "peer_addr",
145 unix_addr(aad(sa)->net.addr),
146 aad(sa)->net.addrlen);
147 else
148 audit_unix_sk_addr(ab, "peer_addr",
149 aad(sa)->net.peer_sk);
150 }
151 }
152 if (aad(sa)->peer) {
153 audit_log_format(ab, " peer=");
154 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
155 FLAGS_NONE, GFP_ATOMIC);
156 }
157 }
158
159
160 /* Generic af perm */
161 int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
162 u32 request, u16 family, int type)
163 {
164 struct aa_perms perms = { };
165
166 AA_BUG(family >= AF_MAX);
167 AA_BUG(type < 0 && type >= SOCK_MAX);
168
169 if (profile_unconfined(profile))
170 return 0;
171
172 perms.allow = (profile->net.allow[family] & (1 << type)) ?
173 ALL_PERMS_MASK : 0;
174 perms.audit = (profile->net.audit[family] & (1 << type)) ?
175 ALL_PERMS_MASK : 0;
176 perms.quiet = (profile->net.quiet[family] & (1 << type)) ?
177 ALL_PERMS_MASK : 0;
178 aa_apply_modes_to_perms(profile, &perms);
179
180 return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
181 }
182
183 static int aa_af_perm(struct aa_label *label, const char *op, u32 request,
184 u16 family, int type, int protocol)
185 {
186 struct aa_profile *profile;
187 DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
188
189 return fn_for_each_confined(label, profile,
190 aa_profile_af_perm(profile, &sa, request, family, type));
191 }
192
193 static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
194 struct sock *sk)
195 {
196 struct aa_profile *profile;
197 DEFINE_AUDIT_SK(sa, op, sk);
198
199 AA_BUG(!label);
200 AA_BUG(!sk);
201
202 if (unconfined(label))
203 return 0;
204
205 return fn_for_each_confined(label, profile,
206 aa_profile_af_sk_perm(profile, &sa, request, sk));
207 }
208
209 static int aa_sk_perm(const char *op, u32 request, struct sock *sk)
210 {
211 struct aa_label *label;
212 int error;
213
214 AA_BUG(!sk);
215 AA_BUG(in_interrupt());
216
217 /* TODO: switch to begin_current_label ???? */
218 label = aa_begin_current_label(DO_UPDATE);
219 error = aa_label_sk_perm(label, op, request, sk);
220 aa_end_current_label(label);
221
222 return error;
223 }
224
225 #define af_select(FAMILY, FN, DEF_FN) \
226 ({ \
227 int __e; \
228 switch ((FAMILY)) { \
229 case AF_UNIX: \
230 __e = aa_unix_ ## FN; \
231 break; \
232 default: \
233 __e = DEF_FN; \
234 } \
235 __e; \
236 })
237
238 /* TODO: push into lsm.c ???? */
239
240 /* revaliation, get/set attr, shutdown */
241 int aa_sock_perm(const char *op, u32 request, struct socket *sock)
242 {
243 AA_BUG(!sock);
244 AA_BUG(!sock->sk);
245 AA_BUG(in_interrupt());
246
247 return af_select(sock->sk->sk_family,
248 sock_perm(op, request, sock),
249 aa_sk_perm(op, request, sock->sk));
250 }
251
252 int aa_sock_create_perm(struct aa_label *label, int family, int type,
253 int protocol)
254 {
255 AA_BUG(!label);
256 /* TODO: .... */
257 AA_BUG(in_interrupt());
258
259 return af_select(family,
260 create_perm(label, family, type, protocol),
261 aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family,
262 type, protocol));
263 }
264
265 int aa_sock_bind_perm(struct socket *sock, struct sockaddr *address,
266 int addrlen)
267 {
268 AA_BUG(!sock);
269 AA_BUG(!sock->sk);
270 AA_BUG(!address);
271 /* TODO: .... */
272 AA_BUG(in_interrupt());
273
274 return af_select(sock->sk->sk_family,
275 bind_perm(sock, address, addrlen),
276 aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk));
277 }
278
279 int aa_sock_connect_perm(struct socket *sock, struct sockaddr *address,
280 int addrlen)
281 {
282 AA_BUG(!sock);
283 AA_BUG(!sock->sk);
284 AA_BUG(!address);
285 /* TODO: .... */
286 AA_BUG(in_interrupt());
287
288 return af_select(sock->sk->sk_family,
289 connect_perm(sock, address, addrlen),
290 aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk));
291 }
292
293 int aa_sock_listen_perm(struct socket *sock, int backlog)
294 {
295 AA_BUG(!sock);
296 AA_BUG(!sock->sk);
297 /* TODO: .... */
298 AA_BUG(in_interrupt());
299
300 return af_select(sock->sk->sk_family,
301 listen_perm(sock, backlog),
302 aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk));
303 }
304
305 /* ability of sock to connect, not peer address binding */
306 int aa_sock_accept_perm(struct socket *sock, struct socket *newsock)
307 {
308 AA_BUG(!sock);
309 AA_BUG(!sock->sk);
310 AA_BUG(!newsock);
311 /* TODO: .... */
312 AA_BUG(in_interrupt());
313
314 return af_select(sock->sk->sk_family,
315 accept_perm(sock, newsock),
316 aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk));
317 }
318
319 /* sendmsg, recvmsg */
320 int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
321 struct msghdr *msg, int size)
322 {
323 AA_BUG(!sock);
324 AA_BUG(!sock->sk);
325 AA_BUG(!msg);
326 /* TODO: .... */
327 AA_BUG(in_interrupt());
328
329 return af_select(sock->sk->sk_family,
330 msg_perm(op, request, sock, msg, size),
331 aa_sk_perm(op, request, sock->sk));
332 }
333
334 /* revaliation, get/set attr, opt */
335 int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, int level,
336 int optname)
337 {
338 AA_BUG(!sock);
339 AA_BUG(!sock->sk);
340 AA_BUG(in_interrupt());
341
342 return af_select(sock->sk->sk_family,
343 opt_perm(op, request, sock, level, optname),
344 aa_sk_perm(op, request, sock->sk));
345 }
346
347 int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
348 struct socket *sock)
349 {
350 AA_BUG(!label);
351 AA_BUG(!sock);
352 AA_BUG(!sock->sk);
353
354 return af_select(sock->sk->sk_family,
355 file_perm(label, op, request, sock),
356 aa_label_sk_perm(label, op, request, sock->sk));
357 }
ubuntu-zesty-kernel mirror