1/*
  2 * AppArmor security module
  3 *
  4 * This file contains AppArmor network mediation
  5 *
  6 * Copyright (C) 1998-2008 Novell/SUSE
  7 * Copyright 2009-2017 Canonical Ltd.
  8 *
  9 * This program is free software; you can redistribute it and/or
 10 * modify it under the terms of the GNU General Public License as
 11 * published by the Free Software Foundation, version 2 of the
 12 * License.
 13 */
 14
 15#include "include/apparmor.h"
 16#include "include/audit.h"
 17#include "include/cred.h"
 18#include "include/label.h"
 19#include "include/net.h"
 20#include "include/policy.h"
 
 21
 22#include "net_names.h"
 23
 24
 25struct aa_sfs_entry aa_sfs_entry_network[] = {
 26	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
 27	{ }
 28};
 29
 30static const char * const net_mask_names[] = {
 31	"unknown",
 32	"send",
 33	"receive",
 34	"unknown",
 35
 36	"create",
 37	"shutdown",
 38	"connect",
 39	"unknown",
 40
 41	"setattr",
 42	"getattr",
 43	"setcred",
 44	"getcred",
 45
 46	"chmod",
 47	"chown",
 48	"chgrp",
 49	"lock",
 50
 51	"mmap",
 52	"mprot",
 53	"unknown",
 54	"unknown",
 55
 56	"accept",
 57	"bind",
 58	"listen",
 59	"unknown",
 60
 61	"setopt",
 62	"getopt",
 63	"unknown",
 64	"unknown",
 65
 66	"unknown",
 67	"unknown",
 68	"unknown",
 69	"unknown",
 70};
 71
 72
 73/* audit callback for net specific fields */
 74void audit_net_cb(struct audit_buffer *ab, void *va)
 75{
 76	struct common_audit_data *sa = va;
 77
 78	audit_log_format(ab, " family=");
 79	if (address_family_names[sa->u.net->family])
 80		audit_log_string(ab, address_family_names[sa->u.net->family]);
 
 81	else
 82		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
 83	audit_log_format(ab, " sock_type=");
 84	if (sock_type_names[aad(sa)->net.type])
 85		audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
 
 86	else
 87		audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
 
 88	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
 89
 90	if (aad(sa)->request & NET_PERMS_MASK) {
 91		audit_log_format(ab, " requested_mask=");
 92		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
 93				   net_mask_names, NET_PERMS_MASK);
 94
 95		if (aad(sa)->denied & NET_PERMS_MASK) {
 96			audit_log_format(ab, " denied_mask=");
 97			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
 98					   net_mask_names, NET_PERMS_MASK);
 99		}
100	}
101	if (aad(sa)->peer) {
102		audit_log_format(ab, " peer=");
103		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
104				FLAGS_NONE, GFP_ATOMIC);
105	}
106}
107
108/* Generic af perm */
109int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
110		       u32 request, u16 family, int type)
111{
112	struct aa_perms perms = { };
113	unsigned int state;
114	__be16 buffer[2];
115
116	AA_BUG(family >= AF_MAX);
117	AA_BUG(type < 0 || type >= SOCK_MAX);
118
119	if (profile_unconfined(profile))
120		return 0;
121	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
122	if (!state)
123		return 0;
124
125	buffer[0] = cpu_to_be16(family);
126	buffer[1] = cpu_to_be16((u16) type);
127	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
128				 4);
129	aa_compute_perms(profile->policy.dfa, state, &perms);
130	aa_apply_modes_to_perms(profile, &perms);
131
132	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
133}
134
135int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
136	       int type, int protocol)
137{
138	struct aa_profile *profile;
139	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
140
141	return fn_for_each_confined(label, profile,
142			aa_profile_af_perm(profile, &sa, request, family,
143					   type));
144}
145
146static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
147			    struct sock *sk)
148{
149	struct aa_profile *profile;
150	DEFINE_AUDIT_SK(sa, op, sk);
151
152	AA_BUG(!label);
153	AA_BUG(!sk);
154
155	if (unconfined(label))
156		return 0;
 
157
158	return fn_for_each_confined(label, profile,
159			aa_profile_af_sk_perm(profile, &sa, request, sk));
 
 
 
160}
161
162int aa_sk_perm(const char *op, u32 request, struct sock *sk)
163{
164	struct aa_label *label;
165	int error;
166
167	AA_BUG(!sk);
168	AA_BUG(in_interrupt());
169
170	/* TODO: switch to begin_current_label ???? */
171	label = begin_current_label_crit_section();
172	error = aa_label_sk_perm(label, op, request, sk);
173	end_current_label_crit_section(label);
174
175	return error;
176}
177
178
179int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
180		      struct socket *sock)
181{
182	AA_BUG(!label);
183	AA_BUG(!sock);
184	AA_BUG(!sock->sk);
185
186	return aa_label_sk_perm(label, op, request, sock->sk);
187}

  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor network mediation
  6 *
  7 * Copyright (C) 1998-2008 Novell/SUSE
  8 * Copyright 2009-2017 Canonical Ltd.
 
 
 
 
 
  9 */
 10
 11#include "include/apparmor.h"
 12#include "include/audit.h"
 13#include "include/cred.h"
 14#include "include/label.h"
 15#include "include/net.h"
 16#include "include/policy.h"
 17#include "include/secid.h"
 18
 19#include "net_names.h"
 20
 21
 22struct aa_sfs_entry aa_sfs_entry_network[] = {
 23	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
 24	{ }
 25};
 26
 27static const char * const net_mask_names[] = {
 28	"unknown",
 29	"send",
 30	"receive",
 31	"unknown",
 32
 33	"create",
 34	"shutdown",
 35	"connect",
 36	"unknown",
 37
 38	"setattr",
 39	"getattr",
 40	"setcred",
 41	"getcred",
 42
 43	"chmod",
 44	"chown",
 45	"chgrp",
 46	"lock",
 47
 48	"mmap",
 49	"mprot",
 50	"unknown",
 51	"unknown",
 52
 53	"accept",
 54	"bind",
 55	"listen",
 56	"unknown",
 57
 58	"setopt",
 59	"getopt",
 60	"unknown",
 61	"unknown",
 62
 63	"unknown",
 64	"unknown",
 65	"unknown",
 66	"unknown",
 67};
 68
 69
 70/* audit callback for net specific fields */
 71void audit_net_cb(struct audit_buffer *ab, void *va)
 72{
 73	struct common_audit_data *sa = va;
 74
 
 75	if (address_family_names[sa->u.net->family])
 76		audit_log_format(ab, " family=\"%s\"",
 77				 address_family_names[sa->u.net->family]);
 78	else
 79		audit_log_format(ab, " family=\"unknown(%d)\"",
 80				 sa->u.net->family);
 81	if (sock_type_names[aad(sa)->net.type])
 82		audit_log_format(ab, " sock_type=\"%s\"",
 83				 sock_type_names[aad(sa)->net.type]);
 84	else
 85		audit_log_format(ab, " sock_type=\"unknown(%d)\"",
 86				 aad(sa)->net.type);
 87	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
 88
 89	if (aad(sa)->request & NET_PERMS_MASK) {
 90		audit_log_format(ab, " requested_mask=");
 91		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
 92				   net_mask_names, NET_PERMS_MASK);
 93
 94		if (aad(sa)->denied & NET_PERMS_MASK) {
 95			audit_log_format(ab, " denied_mask=");
 96			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
 97					   net_mask_names, NET_PERMS_MASK);
 98		}
 99	}
100	if (aad(sa)->peer) {
101		audit_log_format(ab, " peer=");
102		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
103				FLAGS_NONE, GFP_ATOMIC);
104	}
105}
106
107/* Generic af perm */
108int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
109		       u32 request, u16 family, int type)
110{
111	struct aa_perms perms = { };
112	unsigned int state;
113	__be16 buffer[2];
114
115	AA_BUG(family >= AF_MAX);
116	AA_BUG(type < 0 || type >= SOCK_MAX);
117
118	if (profile_unconfined(profile))
119		return 0;
120	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
121	if (!state)
122		return 0;
123
124	buffer[0] = cpu_to_be16(family);
125	buffer[1] = cpu_to_be16((u16) type);
126	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
127				 4);
128	aa_compute_perms(profile->policy.dfa, state, &perms);
129	aa_apply_modes_to_perms(profile, &perms);
130
131	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
132}
133
134int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
135	       int type, int protocol)
136{
137	struct aa_profile *profile;
138	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
139
140	return fn_for_each_confined(label, profile,
141			aa_profile_af_perm(profile, &sa, request, family,
142					   type));
143}
144
145static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
146			    struct sock *sk)
147{
148	int error = 0;
 
149
150	AA_BUG(!label);
151	AA_BUG(!sk);
152
153	if (!unconfined(label)) {
154		struct aa_profile *profile;
155		DEFINE_AUDIT_SK(sa, op, sk);
156
157		error = fn_for_each_confined(label, profile,
158			    aa_profile_af_sk_perm(profile, &sa, request, sk));
159	}
160
161	return error;
162}
163
164int aa_sk_perm(const char *op, u32 request, struct sock *sk)
165{
166	struct aa_label *label;
167	int error;
168
169	AA_BUG(!sk);
170	AA_BUG(in_interrupt());
171
172	/* TODO: switch to begin_current_label ???? */
173	label = begin_current_label_crit_section();
174	error = aa_label_sk_perm(label, op, request, sk);
175	end_current_label_crit_section(label);
176
177	return error;
178}
179
180
181int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
182		      struct socket *sock)
183{
184	AA_BUG(!label);
185	AA_BUG(!sock);
186	AA_BUG(!sock->sk);
187
188	return aa_label_sk_perm(label, op, request, sock->sk);
189}
190
191#ifdef CONFIG_NETWORK_SECMARK
192static int apparmor_secmark_init(struct aa_secmark *secmark)
193{
194	struct aa_label *label;
195
196	if (secmark->label[0] == '*') {
197		secmark->secid = AA_SECID_WILDCARD;
198		return 0;
199	}
200
201	label = aa_label_strn_parse(&root_ns->unconfined->label,
202				    secmark->label, strlen(secmark->label),
203				    GFP_ATOMIC, false, false);
204
205	if (IS_ERR(label))
206		return PTR_ERR(label);
207
208	secmark->secid = label->secid;
209
210	return 0;
211}
212
213static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
214			   struct common_audit_data *sa)
215{
216	int i, ret;
217	struct aa_perms perms = { };
218
219	if (profile->secmark_count == 0)
220		return 0;
221
222	for (i = 0; i < profile->secmark_count; i++) {
223		if (!profile->secmark[i].secid) {
224			ret = apparmor_secmark_init(&profile->secmark[i]);
225			if (ret)
226				return ret;
227		}
228
229		if (profile->secmark[i].secid == secid ||
230		    profile->secmark[i].secid == AA_SECID_WILDCARD) {
231			if (profile->secmark[i].deny)
232				perms.deny = ALL_PERMS_MASK;
233			else
234				perms.allow = ALL_PERMS_MASK;
235
236			if (profile->secmark[i].audit)
237				perms.audit = ALL_PERMS_MASK;
238		}
239	}
240
241	aa_apply_modes_to_perms(profile, &perms);
242
243	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
244}
245
246int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
247			   u32 secid, const struct sock *sk)
248{
249	struct aa_profile *profile;
250	DEFINE_AUDIT_SK(sa, op, sk);
251
252	return fn_for_each_confined(label, profile,
253				    aa_secmark_perm(profile, request, secid,
254						    &sa));
255}
256#endif