net.c 5.5 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor network mediation
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2017 Canonical Ltd.
  9. */
  10. #include "include/apparmor.h"
  11. #include "include/audit.h"
  12. #include "include/cred.h"
  13. #include "include/label.h"
  14. #include "include/net.h"
  15. #include "include/policy.h"
  16. #include "include/secid.h"
  17. #include "net_names.h"
  18. struct aa_sfs_entry aa_sfs_entry_network[] = {
  19. AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
  20. { }
  21. };
  22. static const char * const net_mask_names[] = {
  23. "unknown",
  24. "send",
  25. "receive",
  26. "unknown",
  27. "create",
  28. "shutdown",
  29. "connect",
  30. "unknown",
  31. "setattr",
  32. "getattr",
  33. "setcred",
  34. "getcred",
  35. "chmod",
  36. "chown",
  37. "chgrp",
  38. "lock",
  39. "mmap",
  40. "mprot",
  41. "unknown",
  42. "unknown",
  43. "accept",
  44. "bind",
  45. "listen",
  46. "unknown",
  47. "setopt",
  48. "getopt",
  49. "unknown",
  50. "unknown",
  51. "unknown",
  52. "unknown",
  53. "unknown",
  54. "unknown",
  55. };
  56. /* audit callback for net specific fields */
  57. void audit_net_cb(struct audit_buffer *ab, void *va)
  58. {
  59. struct common_audit_data *sa = va;
  60. if (address_family_names[sa->u.net->family])
  61. audit_log_format(ab, " family=\"%s\"",
  62. address_family_names[sa->u.net->family]);
  63. else
  64. audit_log_format(ab, " family=\"unknown(%d)\"",
  65. sa->u.net->family);
  66. if (sock_type_names[aad(sa)->net.type])
  67. audit_log_format(ab, " sock_type=\"%s\"",
  68. sock_type_names[aad(sa)->net.type]);
  69. else
  70. audit_log_format(ab, " sock_type=\"unknown(%d)\"",
  71. aad(sa)->net.type);
  72. audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
  73. if (aad(sa)->request & NET_PERMS_MASK) {
  74. audit_log_format(ab, " requested_mask=");
  75. aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
  76. net_mask_names, NET_PERMS_MASK);
  77. if (aad(sa)->denied & NET_PERMS_MASK) {
  78. audit_log_format(ab, " denied_mask=");
  79. aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
  80. net_mask_names, NET_PERMS_MASK);
  81. }
  82. }
  83. if (aad(sa)->peer) {
  84. audit_log_format(ab, " peer=");
  85. aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
  86. FLAGS_NONE, GFP_ATOMIC);
  87. }
  88. }
  89. /* Generic af perm */
  90. int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
  91. u32 request, u16 family, int type)
  92. {
  93. struct aa_perms perms = { };
  94. unsigned int state;
  95. __be16 buffer[2];
  96. AA_BUG(family >= AF_MAX);
  97. AA_BUG(type < 0 || type >= SOCK_MAX);
  98. if (profile_unconfined(profile))
  99. return 0;
  100. state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
  101. if (!state)
  102. return 0;
  103. buffer[0] = cpu_to_be16(family);
  104. buffer[1] = cpu_to_be16((u16) type);
  105. state = aa_dfa_match_len(profile->policy.dfa, state, (char *) &buffer,
  106. 4);
  107. aa_compute_perms(profile->policy.dfa, state, &perms);
  108. aa_apply_modes_to_perms(profile, &perms);
  109. return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
  110. }
  111. int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
  112. int type, int protocol)
  113. {
  114. struct aa_profile *profile;
  115. DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
  116. return fn_for_each_confined(label, profile,
  117. aa_profile_af_perm(profile, &sa, request, family,
  118. type));
  119. }
  120. static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
  121. struct sock *sk)
  122. {
  123. struct aa_sk_ctx *ctx = SK_CTX(sk);
  124. int error = 0;
  125. AA_BUG(!label);
  126. AA_BUG(!sk);
  127. if (ctx->label != kernel_t && !unconfined(label)) {
  128. struct aa_profile *profile;
  129. DEFINE_AUDIT_SK(sa, op, sk);
  130. error = fn_for_each_confined(label, profile,
  131. aa_profile_af_sk_perm(profile, &sa, request, sk));
  132. }
  133. return error;
  134. }
  135. int aa_sk_perm(const char *op, u32 request, struct sock *sk)
  136. {
  137. struct aa_label *label;
  138. int error;
  139. AA_BUG(!sk);
  140. AA_BUG(in_interrupt());
  141. /* TODO: switch to begin_current_label ???? */
  142. label = begin_current_label_crit_section();
  143. error = aa_label_sk_perm(label, op, request, sk);
  144. end_current_label_crit_section(label);
  145. return error;
  146. }
  147. int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
  148. struct socket *sock)
  149. {
  150. AA_BUG(!label);
  151. AA_BUG(!sock);
  152. AA_BUG(!sock->sk);
  153. return aa_label_sk_perm(label, op, request, sock->sk);
  154. }
  155. #ifdef CONFIG_NETWORK_SECMARK
  156. static int apparmor_secmark_init(struct aa_secmark *secmark)
  157. {
  158. struct aa_label *label;
  159. if (secmark->label[0] == '*') {
  160. secmark->secid = AA_SECID_WILDCARD;
  161. return 0;
  162. }
  163. label = aa_label_strn_parse(&root_ns->unconfined->label,
  164. secmark->label, strlen(secmark->label),
  165. GFP_ATOMIC, false, false);
  166. if (IS_ERR(label))
  167. return PTR_ERR(label);
  168. secmark->secid = label->secid;
  169. return 0;
  170. }
  171. static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
  172. struct common_audit_data *sa)
  173. {
  174. int i, ret;
  175. struct aa_perms perms = { };
  176. if (profile->secmark_count == 0)
  177. return 0;
  178. for (i = 0; i < profile->secmark_count; i++) {
  179. if (!profile->secmark[i].secid) {
  180. ret = apparmor_secmark_init(&profile->secmark[i]);
  181. if (ret)
  182. return ret;
  183. }
  184. if (profile->secmark[i].secid == secid ||
  185. profile->secmark[i].secid == AA_SECID_WILDCARD) {
  186. if (profile->secmark[i].deny)
  187. perms.deny = ALL_PERMS_MASK;
  188. else
  189. perms.allow = ALL_PERMS_MASK;
  190. if (profile->secmark[i].audit)
  191. perms.audit = ALL_PERMS_MASK;
  192. }
  193. }
  194. aa_apply_modes_to_perms(profile, &perms);
  195. return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
  196. }
  197. int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
  198. u32 secid, const struct sock *sk)
  199. {
  200. struct aa_profile *profile;
  201. DEFINE_AUDIT_SK(sa, op, sk);
  202. return fn_for_each_confined(label, profile,
  203. aa_secmark_perm(profile, request, secid,
  204. &sa));
  205. }
  206. #endif