/* SPDX-License-Identifier: GPL-2.0-only */
/*
* AppArmor security module
*
* This file contains AppArmor basic permission sets definitions.
*
* Copyright 2017 Canonical Ltd.
*/
#ifndef __AA_PERM_H
#define __AA_PERM_H
#include <linux/fs.h>
#include "label.h"
/*
 * Permission bits.
 *
 * The first four are aliases of the VFS MAY_* request flags from
 * <linux/fs.h>; the AppArmor-specific bits start at 0x0010, above the
 * range those aliases are expected to occupy (NOTE(review): the exact
 * MAY_* values are not visible here - confirm against <linux/fs.h>).
 * Bits marked "pair" are presumably the second half of a two-sided rule
 * (rename, link, chown ...); the exact pairing is defined elsewhere.
 */
#define AA_MAY_EXEC		MAY_EXEC
#define AA_MAY_WRITE		MAY_WRITE
#define AA_MAY_READ		MAY_READ
#define AA_MAY_APPEND		MAY_APPEND

#define AA_MAY_CREATE		0x0010
#define AA_MAY_DELETE		0x0020
#define AA_MAY_OPEN		0x0040
#define AA_MAY_RENAME		0x0080		/* pair */

#define AA_MAY_SETATTR		0x0100		/* meta write */
#define AA_MAY_GETATTR		0x0200		/* meta read */
#define AA_MAY_SETCRED		0x0400		/* security cred/attr */
#define AA_MAY_GETCRED		0x0800

#define AA_MAY_CHMOD		0x1000		/* pair */
#define AA_MAY_CHOWN		0x2000		/* pair */
#define AA_MAY_CHGRP		0x4000		/* pair */
/*
 * AA_MAY_LOCK shares its bit with AA_LINK_SUBSET (defined below): the same
 * bit means "lock" for a plain file rule and "link subset" for the link
 * pair, so audit/match code must know which rule class it is looking at
 * before interpreting this bit.
 */
#define AA_MAY_LOCK		0x8000		/* LINK_SUBSET overlaid */

#define AA_EXEC_MMAP		0x00010000
#define AA_MAY_MPROT		0x00020000	/* extend conditions */
#define AA_MAY_LINK		0x00040000	/* pair */
#define AA_MAY_SNAPSHOT		0x00080000	/* pair */

/*
 * AA_MAY_DELEGATE deliberately expands to nothing: it reserves the name
 * only.  It has no bit value and must not be OR'd into a mask (that would
 * be a compile error, not a silent zero).  Bits 0x00100000-0x04000000 are
 * unassigned here.
 */
#define AA_MAY_DELEGATE
#define AA_CONT_MATCH		0x08000000	/* not part of PERMS_NAMES_MASK */

/* domain transition bits; AA_MAY_CHANGEHAT uses the top bit of the u32 */
#define AA_MAY_STACK		0x10000000
#define AA_MAY_ONEXEC		0x20000000	/* either stack or change_profile */
#define AA_MAY_CHANGE_PROFILE	0x40000000
#define AA_MAY_CHANGEHAT	0x80000000

/* same bit as AA_MAY_LOCK; see the note on AA_MAY_LOCK above */
#define AA_LINK_SUBSET		AA_MAY_LOCK	/* overlaid */

/*
 * io_uring permissions reuse file permission bits.  These aliases are only
 * meaningful for the io_uring rule class, masked by AA_URING_PERM_MASK; a
 * file-class "append" grant must never be read as "override_cred".
 */
#define AA_MAY_CREATE_SQPOLL	AA_MAY_CREATE
#define AA_MAY_OVERRIDE_CRED	AA_MAY_APPEND
#define AA_URING_PERM_MASK	(AA_MAY_OVERRIDE_CRED | AA_MAY_CREATE_SQPOLL)

/*
 * Bits that can be rendered for audit.  PERMS_CHRS_MASK presumably covers
 * the bits with a single-character spelling in aa_file_perm_chrs[] and
 * PERMS_NAMES_MASK (a superset) the bits with an entry in
 * aa_file_perm_names[]; see aa_audit_perm_mask() later in this file.
 */
#define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE | \
			 AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK | \
			 AA_MAY_EXEC | AA_EXEC_MMAP | AA_MAY_APPEND)

#define PERMS_NAMES_MASK (PERMS_CHRS_MASK | AA_MAY_OPEN | AA_MAY_RENAME | \
			  AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_SETCRED | \
			  AA_MAY_GETCRED | AA_MAY_CHMOD | AA_MAY_CHOWN | \
			  AA_MAY_CHGRP | AA_MAY_MPROT | AA_MAY_SNAPSHOT | \
			  AA_MAY_STACK | AA_MAY_ONEXEC | \
			  AA_MAY_CHANGE_PROFILE | AA_MAY_CHANGEHAT)

/* per-bit audit spellings; defined out of line, indexed by bit position */
extern const char aa_file_perm_chrs[];
extern const char *aa_file_perm_names[];

/*
 * struct aa_perms - permission decision accumulated from matched rules
 *
 * @allow and @deny are bit masks in the AA_MAY_* bit space.  The remaining
 * flag fields are masks over the same bit positions and are only ever
 * combined with @allow/@deny by aa_perms_accum() and aa_perms_accum_raw()
 * below, which is where the "set only when ..." conditions on each field
 * are enforced.  The three index fields use the AA_INDEX_* layout defined
 * further down; 0 (AA_INDEX_NONE) means "not set".
 */
struct aa_perms {
	u32 allow;		/* permission bits granted */
	u32 deny;		/* explicit deny, or conflict if allow also set */

	u32 subtree;		/* allow perm on full subtree only when allow is set */
	u32 cond;		/* set only when ~allow and ~deny */

	u32 kill;		/* set only when ~allow | deny */
	u32 complain;		/* accumulates only used when ~allow & ~deny */
	u32 prompt;		/* accumulates only used when ~allow & ~deny */

	u32 audit;		/* set only when allow is set */
	u32 quiet;		/* set only when ~allow | deny */
	u32 hide;		/* set only when ~allow | deny */


	u32 xindex;		/* AA_INDEX_* encoded index; 0 == AA_INDEX_NONE */
	u32 tag;		/* tag string index, if present */
	u32 label;		/* label string index, if present */
};

/*
 * Indexes are broken into a 24 bit index and 8 bit flag.
 * For the index to be valid there must be a value in the flag.
 *
 * AA_INDEX_NONE has no flag bits set, so by the rule above it is never a
 * valid index; the accumulate helpers below rely on this by treating a
 * zero xindex/tag/label as "not yet set".
 */
#define AA_INDEX_MASK		0x00ffffff
#define AA_INDEX_FLAG_MASK	0xff000000
#define AA_INDEX_NONE		0

/* every bit of a u32 perm mask */
#define ALL_PERMS_MASK		0xffffffff
/* canonical "nothing" and "everything" perm sets; defined out of line */
extern struct aa_perms nullperms;
extern struct aa_perms allperms;

/**
 * aa_perms_accum_raw - accumulate perms with out masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 *
 * Every mask used below is taken from @addend alone, so the field updates
 * are independent of one another; contrast aa_perms_accum(), which masks
 * by the running result.  deny is sticky and allow only ever shrinks, so
 * a bit denied by any addend can never become allowed again.  Note that
 * subtree is OR-accumulated here but AND-accumulated in aa_perms_accum().
 */
static inline void aa_perms_accum_raw(struct aa_perms *accum,
				      struct aa_perms *addend)
{
	accum->deny = accum->deny | addend->deny;
	accum->allow = accum->allow & addend->allow & ~addend->deny;

	/* OR-accumulated flags: a single contributing rule is enough */
	accum->audit = accum->audit | (addend->audit & addend->allow);
	accum->kill = accum->kill | (addend->kill & ~addend->allow);
	accum->complain = accum->complain |
			  (addend->complain & ~(addend->allow | addend->deny));
	accum->cond = accum->cond |
		      (addend->cond & ~(addend->allow | addend->deny));
	accum->prompt = accum->prompt |
			(addend->prompt & ~(addend->allow | addend->deny));
	accum->subtree = accum->subtree | (addend->subtree & ~addend->deny);

	/* AND-accumulated flags: every contributing rule must agree */
	accum->quiet = accum->quiet & addend->quiet & ~addend->allow;
	accum->hide = accum->hide & addend->hide & ~addend->allow;

	/* indexes keep the first non-zero value seen (0 == AA_INDEX_NONE) */
	if (accum->xindex == 0)
		accum->xindex = addend->xindex;
	if (accum->tag == 0)
		accum->tag = addend->tag;
	if (accum->label == 0)
		accum->label = addend->label;
}

/**
 * aa_perms_accum - accumulate perms, masking off overlapping perms
 * @accum: perms struct to accumulate into
 * @addend: perms struct to add to @accum
 *
 * Unlike aa_perms_accum_raw(), every mask below uses the *accumulated*
 * allow/deny, so deny and allow must be folded in before any other field.
 * The effect is that a flag bit from @addend is dropped if the running
 * result already allows (or, for the ~deny conditions, denies) that bit.
 * subtree is AND-accumulated here, OR-accumulated in aa_perms_accum_raw().
 */
static inline void aa_perms_accum(struct aa_perms *accum,
				  struct aa_perms *addend)
{
	/* order matters: everything after this line reads the new values */
	accum->deny = accum->deny | addend->deny;
	accum->allow = accum->allow & addend->allow & ~accum->deny;

	/* OR-accumulated flags, masked by the accumulated result */
	accum->audit = accum->audit | (addend->audit & accum->allow);
	accum->kill = accum->kill | (addend->kill & ~accum->allow);
	accum->complain = accum->complain |
			  (addend->complain & ~(accum->allow | accum->deny));
	accum->cond = accum->cond |
		      (addend->cond & ~(accum->allow | accum->deny));
	accum->prompt = accum->prompt |
			(addend->prompt & ~(accum->allow | accum->deny));

	/* AND-accumulated flags, masked by the accumulated result */
	accum->quiet = accum->quiet & addend->quiet & ~accum->allow;
	accum->hide = accum->hide & addend->hide & ~accum->allow;
	accum->subtree = accum->subtree & addend->subtree & ~accum->deny;

	/* indexes keep the first non-zero value seen (0 == AA_INDEX_NONE) */
	if (accum->xindex == 0)
		accum->xindex = addend->xindex;
	if (accum->tag == 0)
		accum->tag = addend->tag;
	if (accum->label == 0)
		accum->label = addend->label;
}

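/*
 * xcheck - run two checks and combine their results
 * @FN1: first check expression; evaluated first
 * @FN2: second check expression; always evaluated, even when @FN1 failed
 *
 * Both sides of a cross check always run, so the second side still gets
 * its audit and other side effects when the first has already failed.
 * The result is @FN2's value if it is non-zero, otherwise @FN1's, i.e.
 * when both fail the error from @FN2 wins.
 *
 * The temporaries carry a macro-specific prefix: the previous names were
 * plain `e` and `error`, so an argument expression that itself mentioned
 * a caller variable of that name was captured by the macro's own,
 * uninitialised local instead.
 */
#define xcheck(FN1, FN2)					\
({								\
	int __xcheck_err = (FN1);				\
	int __xcheck_e2 = (FN2);				\
	if (__xcheck_e2)					\
		__xcheck_err = __xcheck_e2;			\
	__xcheck_err;						\
})
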
/*
 * Cross-check helpers over labels and profiles.  fn_for_each() is not
 * defined in this file (presumably it comes from "label.h"); how it folds
 * the per-profile results into one value is not visible here.
 *
 * TODO: update for labels pointing to labels instead of profiles
 * TODO: optimize the walk, currently does subwalk of L2 for each P in L1
 * TODO: this doesn't allow for a label compound check
 */

/*
 * Apply FN to the profile pair only when both profiles live in the same
 * namespace.  A pair from different namespaces is skipped entirely and
 * yields 0 (no error) - callers must not read that as "checked and
 * permitted".  NOTE(review): P1 and P2 are each evaluated twice and are
 * used unparenthesised in the ->ns comparison; pass simple lvalues.
 */
#define xcheck_ns_profile_profile(P1, P2, FN, args...) \
({ \
	int ____e = 0; \
	if (P1->ns == P2->ns) \
		____e = FN((P1), (P2), args); \
	(____e); \
})

/* Cross-check profile P against every profile of label L (same ns only). */
#define xcheck_ns_profile_label(P, L, FN, args...) \
({ \
	struct aa_profile *__p2; \
	fn_for_each((L), __p2, \
		    xcheck_ns_profile_profile((P), __p2, (FN), args)); \
})

/* Call FN(profile, L2, args) for every profile of label L1. */
#define xcheck_ns_labels(L1, L2, FN, args...) \
({ \
	struct aa_profile *__p1; \
	fn_for_each((L1), __p1, FN(__p1, (L2), args)); \
})

/*
 * Do the cross check but applying FN at the profiles level: FN is invoked
 * for every same-namespace (p1 in L1, p2 in L2) pair via the two helpers
 * above.
 */
#define xcheck_labels_profiles(L1, L2, FN, args...) \
	xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args)

/*
 * Two independent label walks combined with xcheck(): both walks always
 * run, and a non-zero result from the L2 walk takes precedence over one
 * from the L1 walk.
 */
#define xcheck_labels(L1, L2, P, FN1, FN2) \
	xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2)))

/* perm set used when no rule matches; defined out of line */
extern struct aa_perms default_perms;


/* render @mask into @str (at most @str_size bytes) using the per-bit chars */
void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs,
			 u32 mask);
/* emit the names of the bits set in @mask to the audit buffer */
void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
			 u32 mask);
/*
 * emit @mask to the audit buffer, using single chars for bits in
 * @chrsmask and names for bits in @namesmask (cf. PERMS_CHRS_MASK /
 * PERMS_NAMES_MASK above)
 */
void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
			u32 chrsmask, const char * const *names, u32 namesmask);
/* adjust @perms for the profile's mode (complain/kill/...); details out of line */
void aa_apply_modes_to_perms(struct aa_profile *profile,
			     struct aa_perms *perms);
/*
 * NOTE(review): both accumulate helpers are already defined static inline
 * earlier in this header, so these two prototypes look redundant - confirm
 * no out-of-line definition is expected.
 */
void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend);
void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend);
/* match @label against @rules for a @request of @type, filling in @perms */
void aa_profile_match_label(struct aa_profile *profile,
			    struct aa_ruleset *rules, struct aa_label *label,
			    int type, u32 request, struct aa_perms *perms);
/*
 * decide @request against @perms, auditing via @ad/@cb as the perms'
 * flag fields dictate; returns 0 or a negative error (presumably)
 */
int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms,
		   u32 request, struct apparmor_audit_data *ad,
		   void (*cb)(struct audit_buffer *, void *));
#endif /* __AA_PERM_H */