[thirdparty/linux.git] / security / apparmor / net.c

/*
 * AppArmor security module
 *
 * This file contains AppArmor network mediation
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/cred.h"
#include "include/label.h"
#include "include/net.h"
#include "include/policy.h"
#include "include/secid.h"

#include "net_names.h"


struct aa_sfs_entry aa_sfs_entry_network[] = {
	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
	{ }
};

static const char * const net_mask_names[] = {
	"unknown",
	"send",
	"receive",
	"unknown",

	"create",
	"shutdown",
	"connect",
	"unknown",

	"setattr",
	"getattr",
	"setcred",
	"getcred",

	"chmod",
	"chown",
	"chgrp",
	"lock",

	"mmap",
	"mprot",
	"unknown",
	"unknown",

	"accept",
	"bind",
	"listen",
	"unknown",

	"setopt",
	"getopt",
	"unknown",
	"unknown",

	"unknown",
	"unknown",
	"unknown",
	"unknown",
};


/* audit callback for net specific fields */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;

	audit_log_format(ab, " family=");
	if (address_family_names[sa->u.net->family])
		audit_log_string(ab, address_family_names[sa->u.net->family]);
	else
		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
	audit_log_format(ab, " sock_type=");
	if (sock_type_names[aad(sa)->net.type])
		audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
	else
		audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	if (aad(sa)->request & NET_PERMS_MASK) {
		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
				   net_mask_names, NET_PERMS_MASK);

		if (aad(sa)->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}
	if (aad(sa)->peer) {
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
				FLAGS_NONE, GFP_ATOMIC);
	}
}

/* Generic af perm */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
{
	struct aa_perms perms = { };
	unsigned int state;
	__be16 buffer[2];

	AA_BUG(family >= AF_MAX);
	AA_BUG(type < 0 || type >= SOCK_MAX);

	if (profile_unconfined(profile))
		return 0;
	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	if (!state)
		return 0;

	buffer[0] = cpu_to_be16(family);
	buffer[1] = cpu_to_be16((u16) type);
	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
				 4);
	aa_compute_perms(profile->policy.dfa, state, &perms);
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}

int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
	       int type, int protocol)
{
	struct aa_profile *profile;
	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);

	return fn_for_each_confined(label, profile,
			aa_profile_af_perm(profile, &sa, request, family,
					   type));
}

static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
			    struct sock *sk)
{
	int error = 0;

	AA_BUG(!label);
	AA_BUG(!sk);

	if (!unconfined(label)) {
		struct aa_profile *profile;
		DEFINE_AUDIT_SK(sa, op, sk);

		error = fn_for_each_confined(label, profile,
			    aa_profile_af_sk_perm(profile, &sa, request, sk));
	}

	return error;
}

int aa_sk_perm(const char *op, u32 request, struct sock *sk)
{
	struct aa_label *label;
	int error;

	AA_BUG(!sk);
	AA_BUG(in_interrupt());

	/* TODO: switch to begin_current_label ???? */
	label = begin_current_label_crit_section();
	error = aa_label_sk_perm(label, op, request, sk);
	end_current_label_crit_section(label);

	return error;
}


int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
		      struct socket *sock)
{
	AA_BUG(!label);
	AA_BUG(!sock);
	AA_BUG(!sock->sk);

	return aa_label_sk_perm(label, op, request, sock->sk);
}

#ifdef CONFIG_NETWORK_SECMARK
static int apparmor_secmark_init(struct aa_secmark *secmark)
{
	struct aa_label *label;

	if (secmark->label[0] == '*') {
		secmark->secid = AA_SECID_WILDCARD;
		return 0;
	}

	label = aa_label_strn_parse(&root_ns->unconfined->label,
				    secmark->label, strlen(secmark->label),
				    GFP_ATOMIC, false, false);

	if (IS_ERR(label))
		return PTR_ERR(label);

	secmark->secid = label->secid;

	return 0;
}

static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
			   struct common_audit_data *sa, struct sock *sk)
{
	int i, ret;
	struct aa_perms perms = { };

	if (profile->secmark_count == 0)
		return 0;

	for (i = 0; i < profile->secmark_count; i++) {
		if (!profile->secmark[i].secid) {
			ret = apparmor_secmark_init(&profile->secmark[i]);
			if (ret)
				return ret;
		}

		if (profile->secmark[i].secid == secid ||
		    profile->secmark[i].secid == AA_SECID_WILDCARD) {
			if (profile->secmark[i].deny)
				perms.deny = ALL_PERMS_MASK;
			else
				perms.allow = ALL_PERMS_MASK;

			if (profile->secmark[i].audit)
				perms.audit = ALL_PERMS_MASK;
		}
	}

	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}

int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
			   u32 secid, struct sock *sk)
{
	struct aa_profile *profile;
	DEFINE_AUDIT_SK(sa, op, sk);

	return fn_for_each_confined(label, profile,
				    aa_secmark_perm(profile, request, secid,
						    &sa, sk));
}
#endif
Commit	Line	Data
56974a6f JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor network mediation
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2017 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include "include/apparmor.h"
	16	#include "include/audit.h"
	17	#include "include/cred.h"
	18	#include "include/label.h"
	19	#include "include/net.h"
	20	#include "include/policy.h"
ab9f2115	21	#include "include/secid.h"
56974a6f JJ	22
	23	#include "net_names.h"
	24
	25
	26	struct aa_sfs_entry aa_sfs_entry_network[] = {
	27	AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
	28	{ }
	29	};
	30
	31	static const char * const net_mask_names[] = {
	32	"unknown",
	33	"send",
	34	"receive",
	35	"unknown",
	36
	37	"create",
	38	"shutdown",
	39	"connect",
	40	"unknown",
	41
	42	"setattr",
	43	"getattr",
	44	"setcred",
	45	"getcred",
	46
	47	"chmod",
	48	"chown",
	49	"chgrp",
	50	"lock",
	51
	52	"mmap",
	53	"mprot",
	54	"unknown",
	55	"unknown",
	56
	57	"accept",
	58	"bind",
	59	"listen",
	60	"unknown",
	61
	62	"setopt",
	63	"getopt",
	64	"unknown",
	65	"unknown",
	66
	67	"unknown",
	68	"unknown",
	69	"unknown",
	70	"unknown",
	71	};
	72
	73
	74	/* audit callback for net specific fields */
	75	void audit_net_cb(struct audit_buffer ab, void va)
	76	{
	77	struct common_audit_data *sa = va;
	78
	79	audit_log_format(ab, " family=");
	80	if (address_family_names[sa->u.net->family])
	81	audit_log_string(ab, address_family_names[sa->u.net->family]);
	82	else
	83	audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
	84	audit_log_format(ab, " sock_type=");
	85	if (sock_type_names[aad(sa)->net.type])
86	audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
87	else
88	audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
89	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
90
91	if (aad(sa)->request & NET_PERMS_MASK) {
92	audit_log_format(ab, " requested_mask=");
93	aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
94	net_mask_names, NET_PERMS_MASK);
95
96	if (aad(sa)->denied & NET_PERMS_MASK) {
97	audit_log_format(ab, " denied_mask=");
98	aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
99	net_mask_names, NET_PERMS_MASK);
100	}
101	}
102	if (aad(sa)->peer) {
103	audit_log_format(ab, " peer=");
104	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
105	FLAGS_NONE, GFP_ATOMIC);
106	}
107	}
108
109	/* Generic af perm */
110	int aa_profile_af_perm(struct aa_profile profile, struct common_audit_data sa,
111	u32 request, u16 family, int type)
112	{
113	struct aa_perms perms = { };
114	unsigned int state;
115	__be16 buffer[2];
116
117	AA_BUG(family >= AF_MAX);
118	AA_BUG(type < 0 \|\| type >= SOCK_MAX);
119
120	if (profile_unconfined(profile))
121	return 0;
122	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
123	if (!state)
124	return 0;
125
126	buffer[0] = cpu_to_be16(family);
127	buffer[1] = cpu_to_be16((u16) type);
128	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
129	4);
130	aa_compute_perms(profile->policy.dfa, state, &perms);
131	aa_apply_modes_to_perms(profile, &perms);
132
133	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
134	}
135
136	int aa_af_perm(struct aa_label label, const char op, u32 request, u16 family,
137	int type, int protocol)
138	{
139	struct aa_profile *profile;
140	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
141
142	return fn_for_each_confined(label, profile,
143	aa_profile_af_perm(profile, &sa, request, family,
144	type));
145	}
146
147	static int aa_label_sk_perm(struct aa_label label, const char op, u32 request,
148	struct sock *sk)
149	{
5f997580	150	int error = 0;
56974a6f JJ	151
	152	AA_BUG(!label);
	153	AA_BUG(!sk);
	154
5f997580 TJ	155	if (!unconfined(label)) {
	156	struct aa_profile *profile;
	157	DEFINE_AUDIT_SK(sa, op, sk);
56974a6f	158
5f997580 TJ	159	error = fn_for_each_confined(label, profile,
	160	aa_profile_af_sk_perm(profile, &sa, request, sk));
	161	}
	162
	163	return error;
56974a6f JJ	164	}
	165
	166	int aa_sk_perm(const char op, u32 request, struct sock sk)
	167	{
	168	struct aa_label *label;
	169	int error;
	170
	171	AA_BUG(!sk);
	172	AA_BUG(in_interrupt());
	173
	174	/* TODO: switch to begin_current_label ???? */
	175	label = begin_current_label_crit_section();
	176	error = aa_label_sk_perm(label, op, request, sk);
	177	end_current_label_crit_section(label);
	178
	179	return error;
	180	}
	181
	182
	183	int aa_sock_file_perm(struct aa_label label, const char op, u32 request,
	184	struct socket *sock)
	185	{
	186	AA_BUG(!label);
	187	AA_BUG(!sock);
	188	AA_BUG(!sock->sk);
	189
	190	return aa_label_sk_perm(label, op, request, sock->sk);
	191	}
ab9f2115	192
e1af4779	193	#ifdef CONFIG_NETWORK_SECMARK
ab9f2115 MG	194	static int apparmor_secmark_init(struct aa_secmark *secmark)
	195	{
	196	struct aa_label *label;
	197
	198	if (secmark->label[0] == '*') {
	199	secmark->secid = AA_SECID_WILDCARD;
	200	return 0;
	201	}
	202
	203	label = aa_label_strn_parse(&root_ns->unconfined->label,
	204	secmark->label, strlen(secmark->label),
	205	GFP_ATOMIC, false, false);
	206
	207	if (IS_ERR(label))
	208	return PTR_ERR(label);
	209
	210	secmark->secid = label->secid;
	211
	212	return 0;
	213	}
	214
	215	static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
	216	struct common_audit_data sa, struct sock sk)
	217	{
	218	int i, ret;
	219	struct aa_perms perms = { };
	220
	221	if (profile->secmark_count == 0)
	222	return 0;
	223
	224	for (i = 0; i < profile->secmark_count; i++) {
	225	if (!profile->secmark[i].secid) {
	226	ret = apparmor_secmark_init(&profile->secmark[i]);
	227	if (ret)
	228	return ret;
	229	}
	230
	231	if (profile->secmark[i].secid == secid \|\|
	232	profile->secmark[i].secid == AA_SECID_WILDCARD) {
	233	if (profile->secmark[i].deny)
	234	perms.deny = ALL_PERMS_MASK;
	235	else
	236	perms.allow = ALL_PERMS_MASK;
	237
	238	if (profile->secmark[i].audit)
	239	perms.audit = ALL_PERMS_MASK;
	240	}
	241	}
	242
	243	aa_apply_modes_to_perms(profile, &perms);
	244
	245	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
	246	}
	247
	248	int apparmor_secmark_check(struct aa_label label, char op, u32 request,
	249	u32 secid, struct sock *sk)
	250	{
	251	struct aa_profile *profile;
	252	DEFINE_AUDIT_SK(sa, op, sk);
	253
	254	return fn_for_each_confined(label, profile,
	255	aa_secmark_perm(profile, request, secid,
	256	&sa, sk));
	257	}
e1af4779	258	#endif