Merge branch 'linus' into locking/core, to resolve conflicts
Conflicts: include/linux/compiler-clang.h include/linux/compiler-gcc.h include/linux/compiler-intel.h include/uapi/linux/stddef.h Signed-off-by: Ingo Molnar <mingo@kernel.org>
@@ -121,29 +121,21 @@ struct apparmor_audit_data {
|
||||
/* these entries require a custom callback fn */
|
||||
struct {
|
||||
struct aa_label *peer;
|
||||
union {
|
||||
struct {
|
||||
kuid_t ouid;
|
||||
const char *target;
|
||||
} fs;
|
||||
struct {
|
||||
int type, protocol;
|
||||
struct sock *peer_sk;
|
||||
void *addr;
|
||||
int addrlen;
|
||||
} net;
|
||||
int signal;
|
||||
struct {
|
||||
int rlim;
|
||||
unsigned long max;
|
||||
} rlim;
|
||||
};
|
||||
struct {
|
||||
const char *target;
|
||||
kuid_t ouid;
|
||||
} fs;
|
||||
};
|
||||
struct {
|
||||
struct aa_profile *profile;
|
||||
const char *ns;
|
||||
long pos;
|
||||
} iface;
|
||||
int signal;
|
||||
struct {
|
||||
int rlim;
|
||||
unsigned long max;
|
||||
} rlim;
|
||||
struct {
|
||||
const char *src_name;
|
||||
const char *type;
|
||||
|
@@ -1,114 +0,0 @@
|
||||
/*
|
||||
* AppArmor security module
|
||||
*
|
||||
* This file contains AppArmor network mediation definitions.
|
||||
*
|
||||
* Copyright (C) 1998-2008 Novell/SUSE
|
||||
* Copyright 2009-2017 Canonical Ltd.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation, version 2 of the
|
||||
* License.
|
||||
*/
|
||||
|
||||
#ifndef __AA_NET_H
|
||||
#define __AA_NET_H
|
||||
|
||||
#include <net/sock.h>
|
||||
#include <linux/path.h>
|
||||
|
||||
#include "apparmorfs.h"
|
||||
#include "label.h"
|
||||
#include "perms.h"
|
||||
#include "policy.h"
|
||||
|
||||
#define AA_MAY_SEND AA_MAY_WRITE
|
||||
#define AA_MAY_RECEIVE AA_MAY_READ
|
||||
|
||||
#define AA_MAY_SHUTDOWN AA_MAY_DELETE
|
||||
|
||||
#define AA_MAY_CONNECT AA_MAY_OPEN
|
||||
#define AA_MAY_ACCEPT 0x00100000
|
||||
|
||||
#define AA_MAY_BIND 0x00200000
|
||||
#define AA_MAY_LISTEN 0x00400000
|
||||
|
||||
#define AA_MAY_SETOPT 0x01000000
|
||||
#define AA_MAY_GETOPT 0x02000000
|
||||
|
||||
#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
|
||||
AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \
|
||||
AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
|
||||
AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
|
||||
|
||||
#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
|
||||
AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
|
||||
AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \
|
||||
AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \
|
||||
AA_MAY_MPROT)
|
||||
|
||||
#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
|
||||
AA_MAY_ACCEPT)
|
||||
struct aa_sk_ctx {
|
||||
struct aa_label *label;
|
||||
struct aa_label *peer;
|
||||
struct path path;
|
||||
};
|
||||
|
||||
#define SK_CTX(X) ((X)->sk_security)
|
||||
#define SOCK_ctx(X) SOCK_INODE(X)->i_security
|
||||
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
|
||||
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
|
||||
.family = (F)}; \
|
||||
DEFINE_AUDIT_DATA(NAME, \
|
||||
((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
|
||||
LSM_AUDIT_DATA_NONE, \
|
||||
OP); \
|
||||
NAME.u.net = &(NAME ## _net); \
|
||||
aad(&NAME)->net.type = (T); \
|
||||
aad(&NAME)->net.protocol = (P)
|
||||
|
||||
#define DEFINE_AUDIT_SK(NAME, OP, SK) \
|
||||
DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
|
||||
(SK)->sk_protocol)
|
||||
|
||||
/* struct aa_net - network confinement data
|
||||
* @allow: basic network families permissions
|
||||
* @audit: which network permissions to force audit
|
||||
* @quiet: which network permissions to quiet rejects
|
||||
*/
|
||||
struct aa_net {
|
||||
u16 allow[AF_MAX];
|
||||
u16 audit[AF_MAX];
|
||||
u16 quiet[AF_MAX];
|
||||
};
|
||||
|
||||
|
||||
extern struct aa_sfs_entry aa_sfs_entry_network[];
|
||||
|
||||
void audit_net_cb(struct audit_buffer *ab, void *va);
|
||||
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
|
||||
u32 request, u16 family, int type);
|
||||
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
|
||||
int type, int protocol);
|
||||
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
|
||||
struct common_audit_data *sa,
|
||||
u32 request,
|
||||
struct sock *sk)
|
||||
{
|
||||
return aa_profile_af_perm(profile, sa, request, sk->sk_family,
|
||||
sk->sk_type);
|
||||
}
|
||||
int aa_sk_perm(const char *op, u32 request, struct sock *sk);
|
||||
|
||||
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
|
||||
struct socket *sock);
|
||||
|
||||
|
||||
static inline void aa_free_net_rules(struct aa_net *new)
|
||||
{
|
||||
/* NOP */
|
||||
}
|
||||
|
||||
#endif /* __AA_NET_H */
|
@@ -135,10 +135,9 @@ extern struct aa_perms allperms;
|
||||
|
||||
|
||||
void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
|
||||
void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
|
||||
u32 mask);
|
||||
void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
|
||||
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
|
||||
u32 chrsmask, const char * const *names, u32 namesmask);
|
||||
u32 chrsmask, const char **names, u32 namesmask);
|
||||
void aa_apply_modes_to_perms(struct aa_profile *profile,
|
||||
struct aa_perms *perms);
|
||||
void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
|
||||
|
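Review bot: The merged declarations of `aa_audit_perm_names` and `aa_audit_perm_mask` in this perms.h hunk take `const char **names`, whereas the alternative form visible in the same hunk is `const char * const *names`; the latter is the stricter contract, since it lets a caller pass a read-only name table without a cast and prevents the callee from rewriting the table's pointers. On this rendering neither side carries a `+`/`-` marker, so which form survives is inferred from the hunk's 10-to-9 line count rather than stated; if the `const char **` form is the new side, it appears to come from the merged branch rather than from this merge itself. Should the signatures be revisited later, `const char * const *names` would be the preferred spelling for both prototypes.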
@@ -30,7 +30,6 @@
|
||||
#include "file.h"
|
||||
#include "lib.h"
|
||||
#include "label.h"
|
||||
#include "net.h"
|
||||
#include "perms.h"
|
||||
#include "resource.h"
|
||||
|
||||
@@ -112,7 +111,6 @@ struct aa_data {
|
||||
* @policy: general match rules governing policy
|
||||
* @file: The set of rules governing basic file access and domain transitions
|
||||
* @caps: capabilities for the profile
|
||||
* @net: network controls for the profile
|
||||
* @rlimits: rlimits for the profile
|
||||
*
|
||||
* @dents: dentries for the profiles file entries in apparmorfs
|
||||
@@ -150,7 +148,6 @@ struct aa_profile {
|
||||
struct aa_policydb policy;
|
||||
struct aa_file_rules file;
|
||||
struct aa_caps caps;
|
||||
struct aa_net net;
|
||||
struct aa_rlimit rlimits;
|
||||
|
||||
struct aa_loaddata *rawdata;
|
||||
@@ -223,16 +220,6 @@ static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
|
||||
return 0;
|
||||
}
|
||||
|
||||
static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
|
||||
u16 AF) {
|
||||
unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
|
||||
u16 be_af = cpu_to_be16(AF);
|
||||
|
||||
if (!state)
|
||||
return 0;
|
||||
return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
|
||||
}
|
||||
|
||||
/**
|
||||
* aa_get_profile - increment refcount on profile @p
|
||||
* @p: profile (MAYBE NULL)
|
||||
|