Linux Audio

Check our new training course

Open Menu / security / apparmor / ipc.c
Loading...
v6.13.7
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor ipc mediation
  6 *
  7 * Copyright (C) 1998-2008 Novell/SUSE
  8 * Copyright 2009-2017 Canonical Ltd.
  9 */
 10
 11#include <linux/gfp.h>
 12
 13#include "include/audit.h"
 14#include "include/capability.h"
 15#include "include/cred.h"
 16#include "include/policy.h"
 17#include "include/ipc.h"
 18#include "include/sig_names.h"
 19
 20
 21static inline int map_signal_num(int sig)
 22{
 23	if (sig > SIGRTMAX)
 24		return SIGUNKNOWN;
 25	else if (sig >= SIGRTMIN)
 26		return sig - SIGRTMIN + SIGRT_BASE;
 27	else if (sig < MAXMAPPED_SIG)
 28		return sig_map[sig];
 29	return SIGUNKNOWN;
 30}
 31
 32/**
 33 * audit_signal_mask - convert mask to permission string
 34 * @mask: permission mask to convert
 35 *
 36 * Returns: pointer to static string
 37 */
 38static const char *audit_signal_mask(u32 mask)
 39{
 40	if (mask & MAY_READ)
 41		return "receive";
 42	if (mask & MAY_WRITE)
 43		return "send";
 44	return "";
 45}
 46
 47/**
 48 * audit_signal_cb() - call back for signal specific audit fields
 49 * @ab: audit_buffer  (NOT NULL)
 50 * @va: audit struct to audit values of  (NOT NULL)
 51 */
 52static void audit_signal_cb(struct audit_buffer *ab, void *va)
 53{
 54	struct common_audit_data *sa = va;
 55	struct apparmor_audit_data *ad = aad(sa);
 56
 57	if (ad->request & AA_SIGNAL_PERM_MASK) {
 58		audit_log_format(ab, " requested_mask=\"%s\"",
 59				 audit_signal_mask(ad->request));
 60		if (ad->denied & AA_SIGNAL_PERM_MASK) {
 61			audit_log_format(ab, " denied_mask=\"%s\"",
 62					 audit_signal_mask(ad->denied));
 63		}
 64	}
 65	if (ad->signal == SIGUNKNOWN)
 66		audit_log_format(ab, "signal=unknown(%d)",
 67				 ad->unmappedsig);
 68	else if (ad->signal < MAXMAPPED_SIGNAME)
 69		audit_log_format(ab, " signal=%s", sig_names[ad->signal]);
 70	else
 71		audit_log_format(ab, " signal=rtmin+%d",
 72				 ad->signal - SIGRT_BASE);
 73	audit_log_format(ab, " peer=");
 74	aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
 75			FLAGS_NONE, GFP_ATOMIC);
 76}
 77
 78static int profile_signal_perm(const struct cred *cred,
 79			       struct aa_profile *profile,
 80			       struct aa_label *peer, u32 request,
 81			       struct apparmor_audit_data *ad)
 82{
 83	struct aa_ruleset *rules = list_first_entry(&profile->rules,
 84						    typeof(*rules), list);
 85	struct aa_perms perms;
 86	aa_state_t state;
 87
 88	if (profile_unconfined(profile) ||
 89	    !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
 90		return 0;
 91
 92	ad->subj_cred = cred;
 93	ad->peer = peer;
 94	/* TODO: secondary cache check <profile, profile, perm> */
 95	state = aa_dfa_next(rules->policy->dfa,
 96			    rules->policy->start[AA_CLASS_SIGNAL],
 97			    ad->signal);
 98	aa_label_match(profile, rules, peer, state, false, request, &perms);
 99	aa_apply_modes_to_perms(profile, &perms);
100	return aa_check_perms(profile, &perms, request, ad, audit_signal_cb);
101}
102
103int aa_may_signal(const struct cred *subj_cred, struct aa_label *sender,
104		  const struct cred *target_cred, struct aa_label *target,
105		  int sig)
106{
107	struct aa_profile *profile;
108	DEFINE_AUDIT_DATA(ad, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
109
110	ad.signal = map_signal_num(sig);
111	ad.unmappedsig = sig;
112	return xcheck_labels(sender, target, profile,
113			     profile_signal_perm(subj_cred, profile, target,
114						 MAY_WRITE, &ad),
115			     profile_signal_perm(target_cred, profile, sender,
116						 MAY_READ, &ad));
117}
v6.2
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * AppArmor security module
  4 *
  5 * This file contains AppArmor ipc mediation
  6 *
  7 * Copyright (C) 1998-2008 Novell/SUSE
  8 * Copyright 2009-2017 Canonical Ltd.
  9 */
 10
 11#include <linux/gfp.h>
 12
 13#include "include/audit.h"
 14#include "include/capability.h"
 15#include "include/cred.h"
 16#include "include/policy.h"
 17#include "include/ipc.h"
 18#include "include/sig_names.h"
 19
 20
 21static inline int map_signal_num(int sig)
 22{
 23	if (sig > SIGRTMAX)
 24		return SIGUNKNOWN;
 25	else if (sig >= SIGRTMIN)
 26		return sig - SIGRTMIN + SIGRT_BASE;
 27	else if (sig < MAXMAPPED_SIG)
 28		return sig_map[sig];
 29	return SIGUNKNOWN;
 30}
 31
 32/**
 33 * audit_signal_mask - convert mask to permission string
 34 * @mask: permission mask to convert
 35 *
 36 * Returns: pointer to static string
 37 */
 38static const char *audit_signal_mask(u32 mask)
 39{
 40	if (mask & MAY_READ)
 41		return "receive";
 42	if (mask & MAY_WRITE)
 43		return "send";
 44	return "";
 45}
 46
 47/**
 48 * audit_signal_cb() - call back for signal specific audit fields
 49 * @ab: audit_buffer  (NOT NULL)
 50 * @va: audit struct to audit values of  (NOT NULL)
 51 */
 52static void audit_signal_cb(struct audit_buffer *ab, void *va)
 53{
 54	struct common_audit_data *sa = va;
 
 55
 56	if (aad(sa)->request & AA_SIGNAL_PERM_MASK) {
 57		audit_log_format(ab, " requested_mask=\"%s\"",
 58				 audit_signal_mask(aad(sa)->request));
 59		if (aad(sa)->denied & AA_SIGNAL_PERM_MASK) {
 60			audit_log_format(ab, " denied_mask=\"%s\"",
 61					 audit_signal_mask(aad(sa)->denied));
 62		}
 63	}
 64	if (aad(sa)->signal == SIGUNKNOWN)
 65		audit_log_format(ab, "signal=unknown(%d)",
 66				 aad(sa)->unmappedsig);
 67	else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
 68		audit_log_format(ab, " signal=%s", sig_names[aad(sa)->signal]);
 69	else
 70		audit_log_format(ab, " signal=rtmin+%d",
 71				 aad(sa)->signal - SIGRT_BASE);
 72	audit_log_format(ab, " peer=");
 73	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
 74			FLAGS_NONE, GFP_ATOMIC);
 75}
 76
 77static int profile_signal_perm(struct aa_profile *profile,
 
 78			       struct aa_label *peer, u32 request,
 79			       struct common_audit_data *sa)
 80{
 81	struct aa_ruleset *rules = list_first_entry(&profile->rules,
 82						    typeof(*rules), list);
 83	struct aa_perms perms;
 84	aa_state_t state;
 85
 86	if (profile_unconfined(profile) ||
 87	    !ANY_RULE_MEDIATES(&profile->rules, AA_CLASS_SIGNAL))
 88		return 0;
 89
 90	aad(sa)->peer = peer;
 
 91	/* TODO: secondary cache check <profile, profile, perm> */
 92	state = aa_dfa_next(rules->policy.dfa,
 93			    rules->policy.start[AA_CLASS_SIGNAL],
 94			    aad(sa)->signal);
 95	aa_label_match(profile, rules, peer, state, false, request, &perms);
 96	aa_apply_modes_to_perms(profile, &perms);
 97	return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
 98}
 99
100int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 
 
101{
102	struct aa_profile *profile;
103	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
104
105	aad(&sa)->signal = map_signal_num(sig);
106	aad(&sa)->unmappedsig = sig;
107	return xcheck_labels(sender, target, profile,
108			profile_signal_perm(profile, target, MAY_WRITE, &sa),
109			profile_signal_perm(profile, sender, MAY_READ, &sa));
 
 
110}