Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
torvalds
GitHub Repository: torvalds/linux
 Path: blob/master/security/apparmor/net.c
26377 views
1
// SPDX-License-Identifier: GPL-2.0-only

2
/*

3
 * AppArmor security module

4
 *

5
 * This file contains AppArmor network mediation

6
 *

7
 * Copyright (C) 1998-2008 Novell/SUSE

8
 * Copyright 2009-2017 Canonical Ltd.

9
 */

10


11
#include "include/af_unix.h"

12
#include "include/apparmor.h"

13
#include "include/audit.h"

14
#include "include/cred.h"

15
#include "include/label.h"

16
#include "include/net.h"

17
#include "include/policy.h"

18
#include "include/secid.h"

19


20
#include "net_names.h"

21


22


23
struct aa_sfs_entry aa_sfs_entry_network[] = {

24
	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),

25
	{ }

26
};

27


28
struct aa_sfs_entry aa_sfs_entry_networkv9[] = {

29
	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),

30
	AA_SFS_FILE_BOOLEAN("af_unix",	1),

31
	{ }

32
};

33


34
static const char * const net_mask_names[] = {

35
	"unknown",

36
	"send",

37
	"receive",

38
	"unknown",

39


40
	"create",

41
	"shutdown",

42
	"connect",

43
	"unknown",

44


45
	"setattr",

46
	"getattr",

47
	"setcred",

48
	"getcred",

49


50
	"chmod",

51
	"chown",

52
	"chgrp",

53
	"lock",

54


55
	"mmap",

56
	"mprot",

57
	"unknown",

58
	"unknown",

59


60
	"accept",

61
	"bind",

62
	"listen",

63
	"unknown",

64


65
	"setopt",

66
	"getopt",

67
	"unknown",

68
	"unknown",

69


70
	"unknown",

71
	"unknown",

72
	"unknown",

73
	"unknown",

74
};

75


76
static void audit_unix_addr(struct audit_buffer *ab, const char *str,

77
			    struct sockaddr_un *addr, int addrlen)

78
{

79
	int len = unix_addr_len(addrlen);

80


81
	if (!addr || len <= 0) {

82
		audit_log_format(ab, " %s=none", str);

83
	} else if (addr->sun_path[0]) {

84
		audit_log_format(ab, " %s=", str);

85
		audit_log_untrustedstring(ab, addr->sun_path);

86
	} else {

87
		audit_log_format(ab, " %s=\"@", str);

88
		if (audit_string_contains_control(&addr->sun_path[1], len - 1))

89
			audit_log_n_hex(ab, &addr->sun_path[1], len - 1);

90
		else

91
			audit_log_format(ab, "%.*s", len - 1,

92
					 &addr->sun_path[1]);

93
		audit_log_format(ab, "\"");

94
	}

95
}

96


97
static void audit_unix_sk_addr(struct audit_buffer *ab, const char *str,

98
			       const struct sock *sk)

99
{

100
	const struct unix_sock *u = unix_sk(sk);

101


102
	if (u && u->addr) {

103
		int addrlen;

104
		struct sockaddr_un *addr = aa_sunaddr(u, &addrlen);

105


106
		audit_unix_addr(ab, str, addr, addrlen);

107
	} else {

108
		audit_unix_addr(ab, str, NULL, 0);

109


110
	}

111
}

112


113
/* audit callback for net specific fields */

114
void audit_net_cb(struct audit_buffer *ab, void *va)

115
{

116
	struct common_audit_data *sa = va;

117
	struct apparmor_audit_data *ad = aad(sa);

118


119
	if (address_family_names[ad->common.u.net->family])

120
		audit_log_format(ab, " family=\"%s\"",

121
				 address_family_names[ad->common.u.net->family]);

122
	else

123
		audit_log_format(ab, " family=\"unknown(%d)\"",

124
				 ad->common.u.net->family);

125
	if (sock_type_names[ad->net.type])

126
		audit_log_format(ab, " sock_type=\"%s\"",

127
				 sock_type_names[ad->net.type]);

128
	else

129
		audit_log_format(ab, " sock_type=\"unknown(%d)\"",

130
				 ad->net.type);

131
	audit_log_format(ab, " protocol=%d", ad->net.protocol);

132


133
	if (ad->request & NET_PERMS_MASK) {

134
		audit_log_format(ab, " requested_mask=");

135
		aa_audit_perm_mask(ab, ad->request, NULL, 0,

136
				   net_mask_names, NET_PERMS_MASK);

137


138
		if (ad->denied & NET_PERMS_MASK) {

139
			audit_log_format(ab, " denied_mask=");

140
			aa_audit_perm_mask(ab, ad->denied, NULL, 0,

141
					   net_mask_names, NET_PERMS_MASK);

142
		}

143
	}

144
	if (ad->common.u.net->family == PF_UNIX) {

145
		if (ad->net.addr || !ad->common.u.net->sk)

146
			audit_unix_addr(ab, "addr",

147
					unix_addr(ad->net.addr),

148
					ad->net.addrlen);

149
		else

150
			audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk);

151
		if (ad->request & NET_PEER_MASK) {

152
			audit_unix_addr(ab, "peer_addr",

153
					unix_addr(ad->net.peer.addr),

154
					ad->net.peer.addrlen);

155
		}

156
	}

157
	if (ad->peer) {

158
		audit_log_format(ab, " peer=");

159
		aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,

160
				FLAGS_NONE, GFP_ATOMIC);

161
	}

162
}

163


164
/* standard permission lookup pattern - supports early bailout */

165
int aa_do_perms(struct aa_profile *profile, struct aa_policydb *policy,

166
		aa_state_t state, u32 request,

167
		struct aa_perms *p, struct apparmor_audit_data *ad)

168
{

169
	struct aa_perms perms;

170


171
	AA_BUG(!profile);

172
	AA_BUG(!policy);

173


174


175
	if (state || !p)

176
		p = aa_lookup_perms(policy, state);

177
	perms = *p;

178
	aa_apply_modes_to_perms(profile, &perms);

179
	return aa_check_perms(profile, &perms, request, ad,

180
			      audit_net_cb);

181
}

182


183
/* only continue match if

184
 *   insufficient current perms at current state

185
 *   indicates there are more perms in later state

186
 * Returns: perms struct if early match

187
 */

188
static struct aa_perms *early_match(struct aa_policydb *policy,

189
				    aa_state_t state, u32 request)

190
{

191
	struct aa_perms *p;

192


193
	p = aa_lookup_perms(policy, state);

194
	if (((p->allow & request) != request) && (p->allow & AA_CONT_MATCH))

195
		return NULL;

196
	return p;

197
}

198


199
static aa_state_t aa_dfa_match_be16(struct aa_dfa *dfa, aa_state_t state,

200
					  u16 data)

201
{

202
	__be16 buffer = cpu_to_be16(data);

203


204
	return aa_dfa_match_len(dfa, state, (char *) &buffer, 2);

205
}

206


207
/**

208
 * aa_match_to_prot - match the af, type, protocol triplet

209
 * @policy: policy being matched

210
 * @state: state to start in

211
 * @request: permissions being requested, ignored if @p == NULL

212
 * @af: socket address family

213
 * @type: socket type

214
 * @protocol: socket protocol

215
 * @p: output - pointer to permission associated with match

216
 * @info: output - pointer to string describing failure

217
 *

218
 * RETURNS: state match stopped in.

219
 *

220
 * If @(p) is assigned a value the returned state will be the

221
 * corresponding state. Will not set @p on failure or if match completes

222
 * only if an early match occurs

223
 */

224
aa_state_t aa_match_to_prot(struct aa_policydb *policy, aa_state_t state,

225
			    u32 request, u16 af, int type, int protocol,

226
			    struct aa_perms **p, const char **info)

227
{

228
	state = aa_dfa_match_be16(policy->dfa, state, (u16)af);

229
	if (!state) {

230
		*info = "failed af match";

231
		return state;

232
	}

233
	state = aa_dfa_match_be16(policy->dfa, state, (u16)type);

234
	if (state) {

235
		if (p)

236
			*p = early_match(policy, state, request);

237
		if (!p || !*p) {

238
			state = aa_dfa_match_be16(policy->dfa, state, (u16)protocol);

239
			if (!state)

240
				*info = "failed protocol match";

241
		}

242
	} else {

243
		*info = "failed type match";

244
	}

245


246
	return state;

247
}

248


249
/* Generic af perm */

250
int aa_profile_af_perm(struct aa_profile *profile,

251
		       struct apparmor_audit_data *ad, u32 request, u16 family,

252
		       int type, int protocol)

253
{

254
	struct aa_ruleset *rules = profile->label.rules[0];

255
	struct aa_perms *p = NULL;

256
	aa_state_t state;

257


258
	AA_BUG(family >= AF_MAX);

259
	AA_BUG(type < 0 || type >= SOCK_MAX);

260
	AA_BUG(profile_unconfined(profile));

261


262
	if (profile_unconfined(profile))

263
		return 0;

264
	state = RULE_MEDIATES_NET(rules);

265
	if (!state)

266
		return 0;

267
	state = aa_match_to_prot(rules->policy, state, request, family, type,

268
				 protocol, &p, &ad->info);

269
	return aa_do_perms(profile, rules->policy, state, request, p, ad);

270
}

271


272
int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,

273
	       const char *op, u32 request, u16 family, int type, int protocol)

274
{

275
	struct aa_profile *profile;

276
	DEFINE_AUDIT_NET(ad, op, subj_cred, NULL, family, type, protocol);

277


278
	return fn_for_each_confined(label, profile,

279
			aa_profile_af_perm(profile, &ad, request, family,

280
					   type, protocol));

281
}

282


283
static int aa_label_sk_perm(const struct cred *subj_cred,

284
			    struct aa_label *label,

285
			    const char *op, u32 request,

286
			    struct sock *sk)

287
{

288
	struct aa_sk_ctx *ctx = aa_sock(sk);

289
	int error = 0;

290


291
	AA_BUG(!label);

292
	AA_BUG(!sk);

293


294
	if (rcu_access_pointer(ctx->label) != kernel_t && !unconfined(label)) {

295
		struct aa_profile *profile;

296
		DEFINE_AUDIT_SK(ad, op, subj_cred, sk);

297


298
		ad.subj_cred = subj_cred;

299
		error = fn_for_each_confined(label, profile,

300
			    aa_profile_af_sk_perm(profile, &ad, request, sk));

301
	}

302


303
	return error;

304
}

305


306
int aa_sk_perm(const char *op, u32 request, struct sock *sk)

307
{

308
	struct aa_label *label;

309
	int error;

310


311
	AA_BUG(!sk);

312
	AA_BUG(in_interrupt());

313


314
	/* TODO: switch to begin_current_label ???? */

315
	label = begin_current_label_crit_section();

316
	error = aa_label_sk_perm(current_cred(), label, op, request, sk);

317
	end_current_label_crit_section(label);

318


319
	return error;

320
}

321


322


323
int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,

324
		      const char *op, u32 request, struct file *file)

325
{

326
	struct socket *sock = (struct socket *) file->private_data;

327


328
	AA_BUG(!label);

329
	AA_BUG(!sock);

330
	AA_BUG(!sock->sk);

331


332
	if (sock->sk->sk_family == PF_UNIX)

333
		return aa_unix_file_perm(subj_cred, label, op, request, file);

334
	return aa_label_sk_perm(subj_cred, label, op, request, sock->sk);

335
}

336


337
#ifdef CONFIG_NETWORK_SECMARK

338
static int apparmor_secmark_init(struct aa_secmark *secmark)

339
{

340
	struct aa_label *label;

341


342
	if (secmark->label[0] == '*') {

343
		secmark->secid = AA_SECID_WILDCARD;

344
		return 0;

345
	}

346


347
	label = aa_label_strn_parse(&root_ns->unconfined->label,

348
				    secmark->label, strlen(secmark->label),

349
				    GFP_ATOMIC, false, false);

350


351
	if (IS_ERR(label))

352
		return PTR_ERR(label);

353


354
	secmark->secid = label->secid;

355


356
	return 0;

357
}

358


359
static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,

360
			   struct apparmor_audit_data *ad)

361
{

362
	int i, ret;

363
	struct aa_perms perms = { };

364
	struct aa_ruleset *rules = profile->label.rules[0];

365


366
	if (rules->secmark_count == 0)

367
		return 0;

368


369
	for (i = 0; i < rules->secmark_count; i++) {

370
		if (!rules->secmark[i].secid) {

371
			ret = apparmor_secmark_init(&rules->secmark[i]);

372
			if (ret)

373
				return ret;

374
		}

375


376
		if (rules->secmark[i].secid == secid ||

377
		    rules->secmark[i].secid == AA_SECID_WILDCARD) {

378
			if (rules->secmark[i].deny)

379
				perms.deny = ALL_PERMS_MASK;

380
			else

381
				perms.allow = ALL_PERMS_MASK;

382


383
			if (rules->secmark[i].audit)

384
				perms.audit = ALL_PERMS_MASK;

385
		}

386
	}

387


388
	aa_apply_modes_to_perms(profile, &perms);

389


390
	return aa_check_perms(profile, &perms, request, ad, audit_net_cb);

391
}

392


393
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,

394
			   u32 secid, const struct sock *sk)

395
{

396
	struct aa_profile *profile;

397
	DEFINE_AUDIT_SK(ad, op, NULL, sk);

398


399
	return fn_for_each_confined(label, profile,

400
				    aa_secmark_perm(profile, request, secid,

401
						    &ad));

402
}

403
#endif

404


405