security/apparmor/net.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * AppArmor security module
   4  *
   5  * This file contains AppArmor network mediation
   6  *
   7  * Copyright (C) 1998-2008 Novell/SUSE
   8  * Copyright 2009-2017 Canonical Ltd.
   9  */
  10
  11 #include "include/apparmor.h"
  12 #include "include/audit.h"
  13 #include "include/cred.h"
  14 #include "include/label.h"
  15 #include "include/net.h"
  16 #include "include/policy.h"
  17 #include "include/secid.h"
  18
  19 #include "net_names.h"
  20
  21
  22 struct aa_sfs_entry aa_sfs_entry_network[] = {
  23         AA_SFS_FILE_STRING("af_mask",   AA_SFS_AF_MASK),
  24         { }
  25 };
  26
  27 static const char * const net_mask_names[] = {
  28         "unknown",
  29         "send",
  30         "receive",
  31         "unknown",
  32
  33         "create",
  34         "shutdown",
  35         "connect",
  36         "unknown",
  37
  38         "setattr",
  39         "getattr",
  40         "setcred",
  41         "getcred",
  42
  43         "chmod",
  44         "chown",
  45         "chgrp",
  46         "lock",
  47
  48         "mmap",
  49         "mprot",
  50         "unknown",
  51         "unknown",
  52
  53         "accept",
  54         "bind",
  55         "listen",
  56         "unknown",
  57
  58         "setopt",
  59         "getopt",
  60         "unknown",
  61         "unknown",
  62
  63         "unknown",
  64         "unknown",
  65         "unknown",
  66         "unknown",
  67 };
  68
  69
  70 /* audit callback for net specific fields */
  71 void audit_net_cb(struct audit_buffer *ab, void *va)
  72 {
  73         struct common_audit_data *sa = va;
  74
  75         if (address_family_names[sa->u.net->family])
  76                 audit_log_format(ab, " family=\"%s\"",
  77                                  address_family_names[sa->u.net->family]);
  78         else
  79                 audit_log_format(ab, " family=\"unknown(%d)\"",
  80                                  sa->u.net->family);
  81         if (sock_type_names[aad(sa)->net.type])
  82                 audit_log_format(ab, " sock_type=\"%s\"",
  83                                  sock_type_names[aad(sa)->net.type]);
  84         else
  85                 audit_log_format(ab, " sock_type=\"unknown(%d)\"",
  86                                  aad(sa)->net.type);
  87         audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
  88
  89         if (aad(sa)->request & NET_PERMS_MASK) {
  90                 audit_log_format(ab, " requested_mask=");
  91                 aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
  92                                    net_mask_names, NET_PERMS_MASK);
  93
  94                 if (aad(sa)->denied & NET_PERMS_MASK) {
  95                         audit_log_format(ab, " denied_mask=");
  96                         aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
  97                                            net_mask_names, NET_PERMS_MASK);
  98                 }
  99         }
 100         if (aad(sa)->peer) {
 101                 audit_log_format(ab, " peer=");
 102                 aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
 103                                 FLAGS_NONE, GFP_ATOMIC);
 104         }
 105 }
 106
 107 /* Generic af perm */
 108 int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
 109                        u32 request, u16 family, int type)
 110 {
 111         struct aa_ruleset *rules = list_first_entry(&profile->rules,
 112                                                     typeof(*rules), list);
 113         struct aa_perms perms = { };
 114         aa_state_t state;
 115         __be16 buffer[2];
 116
 117         AA_BUG(family >= AF_MAX);
 118         AA_BUG(type < 0 || type >= SOCK_MAX);
 119
 120         if (profile_unconfined(profile))
 121                 return 0;
 122         state = RULE_MEDIATES(rules, AA_CLASS_NET);
 123         if (!state)
 124                 return 0;
 125
 126         buffer[0] = cpu_to_be16(family);
 127         buffer[1] = cpu_to_be16((u16) type);
 128         state = aa_dfa_match_len(rules->policy.dfa, state, (char *) &buffer,
 129                                  4);
 130         perms = *aa_lookup_perms(&rules->policy, state);
 131         aa_apply_modes_to_perms(profile, &perms);
 132
 133         return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
 134 }
 135
 136 int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
 137                int type, int protocol)
 138 {
 139         struct aa_profile *profile;
 140         DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
 141
 142         return fn_for_each_confined(label, profile,
 143                         aa_profile_af_perm(profile, &sa, request, family,
 144                                            type));
 145 }
 146
 147 static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
 148                             struct sock *sk)
 149 {
 150         struct aa_sk_ctx *ctx = SK_CTX(sk);
 151         int error = 0;
 152
 153         AA_BUG(!label);
 154         AA_BUG(!sk);
 155
 156         if (ctx->label != kernel_t && !unconfined(label)) {
 157                 struct aa_profile *profile;
 158                 DEFINE_AUDIT_SK(sa, op, sk);
 159
 160                 error = fn_for_each_confined(label, profile,
 161                             aa_profile_af_sk_perm(profile, &sa, request, sk));
 162         }
 163
 164         return error;
 165 }
 166
 167 int aa_sk_perm(const char *op, u32 request, struct sock *sk)
 168 {
 169         struct aa_label *label;
 170         int error;
 171
 172         AA_BUG(!sk);
 173         AA_BUG(in_interrupt());
 174
 175         /* TODO: switch to begin_current_label ???? */
 176         label = begin_current_label_crit_section();
 177         error = aa_label_sk_perm(label, op, request, sk);
 178         end_current_label_crit_section(label);
 179
 180         return error;
 181 }
 182
 183
 184 int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
 185                       struct socket *sock)
 186 {
 187         AA_BUG(!label);
 188         AA_BUG(!sock);
 189         AA_BUG(!sock->sk);
 190
 191         return aa_label_sk_perm(label, op, request, sock->sk);
 192 }
 193
 194 #ifdef CONFIG_NETWORK_SECMARK
 195 static int apparmor_secmark_init(struct aa_secmark *secmark)
 196 {
 197         struct aa_label *label;
 198
 199         if (secmark->label[0] == '*') {
 200                 secmark->secid = AA_SECID_WILDCARD;
 201                 return 0;
 202         }
 203
 204         label = aa_label_strn_parse(&root_ns->unconfined->label,
 205                                     secmark->label, strlen(secmark->label),
 206                                     GFP_ATOMIC, false, false);
 207
 208         if (IS_ERR(label))
 209                 return PTR_ERR(label);
 210
 211         secmark->secid = label->secid;
 212
 213         return 0;
 214 }
 215
 216 static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
 217                            struct common_audit_data *sa)
 218 {
 219         int i, ret;
 220         struct aa_perms perms = { };
 221         struct aa_ruleset *rules = list_first_entry(&profile->rules,
 222                                                     typeof(*rules), list);
 223
 224         if (rules->secmark_count == 0)
 225                 return 0;
 226
 227         for (i = 0; i < rules->secmark_count; i++) {
 228                 if (!rules->secmark[i].secid) {
 229                         ret = apparmor_secmark_init(&rules->secmark[i]);
 230                         if (ret)
 231                                 return ret;
 232                 }
 233
 234                 if (rules->secmark[i].secid == secid ||
 235                     rules->secmark[i].secid == AA_SECID_WILDCARD) {
 236                         if (rules->secmark[i].deny)
 237                                 perms.deny = ALL_PERMS_MASK;
 238                         else
 239                                 perms.allow = ALL_PERMS_MASK;
 240
 241                         if (rules->secmark[i].audit)
 242                                 perms.audit = ALL_PERMS_MASK;
 243                 }
 244         }
 245
 246         aa_apply_modes_to_perms(profile, &perms);
 247
 248         return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
 249 }
 250
 251 int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
 252                            u32 secid, const struct sock *sk)
 253 {
 254         struct aa_profile *profile;
 255         DEFINE_AUDIT_SK(sa, op, sk);
 256
 257         return fn_for_each_confined(label, profile,
 258                                     aa_secmark_perm(profile, request, secid,
 259                                                     &sa));
 260 }
 261 #endif