security/apparmor/net.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * AppArmor security module
   4  *
   5  * This file contains AppArmor network mediation
   6  *
   7  * Copyright (C) 1998-2008 Novell/SUSE
   8  * Copyright 2009-2017 Canonical Ltd.
   9  */
  10
  11 #include "include/apparmor.h"
  12 #include "include/audit.h"
  13 #include "include/cred.h"
  14 #include "include/label.h"
  15 #include "include/net.h"
  16 #include "include/policy.h"
  17 #include "include/secid.h"
  18
  19 #include "net_names.h"
  20
  21
  22 struct aa_sfs_entry aa_sfs_entry_network[] = {
  23         AA_SFS_FILE_STRING("af_mask",   AA_SFS_AF_MASK),
  24         { }
  25 };
  26
  27 static const char * const net_mask_names[] = {
  28         "unknown",
  29         "send",
  30         "receive",
  31         "unknown",
  32
  33         "create",
  34         "shutdown",
  35         "connect",
  36         "unknown",
  37
  38         "setattr",
  39         "getattr",
  40         "setcred",
  41         "getcred",
  42
  43         "chmod",
  44         "chown",
  45         "chgrp",
  46         "lock",
  47
  48         "mmap",
  49         "mprot",
  50         "unknown",
  51         "unknown",
  52
  53         "accept",
  54         "bind",
  55         "listen",
  56         "unknown",
  57
  58         "setopt",
  59         "getopt",
  60         "unknown",
  61         "unknown",
  62
  63         "unknown",
  64         "unknown",
  65         "unknown",
  66         "unknown",
  67 };
  68
  69
  70 /* audit callback for net specific fields */
  71 void audit_net_cb(struct audit_buffer *ab, void *va)
  72 {
  73         struct common_audit_data *sa = va;
  74         struct apparmor_audit_data *ad = aad(sa);
  75
  76         if (address_family_names[sa->u.net->family])
  77                 audit_log_format(ab, " family=\"%s\"",
  78                                  address_family_names[sa->u.net->family]);
  79         else
  80                 audit_log_format(ab, " family=\"unknown(%d)\"",
  81                                  sa->u.net->family);
  82         if (sock_type_names[ad->net.type])
  83                 audit_log_format(ab, " sock_type=\"%s\"",
  84                                  sock_type_names[ad->net.type]);
  85         else
  86                 audit_log_format(ab, " sock_type=\"unknown(%d)\"",
  87                                  ad->net.type);
  88         audit_log_format(ab, " protocol=%d", ad->net.protocol);
  89
  90         if (ad->request & NET_PERMS_MASK) {
  91                 audit_log_format(ab, " requested_mask=");
  92                 aa_audit_perm_mask(ab, ad->request, NULL, 0,
  93                                    net_mask_names, NET_PERMS_MASK);
  94
  95                 if (ad->denied & NET_PERMS_MASK) {
  96                         audit_log_format(ab, " denied_mask=");
  97                         aa_audit_perm_mask(ab, ad->denied, NULL, 0,
  98                                            net_mask_names, NET_PERMS_MASK);
  99                 }
 100         }
 101         if (ad->peer) {
 102                 audit_log_format(ab, " peer=");
 103                 aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
 104                                 FLAGS_NONE, GFP_ATOMIC);
 105         }
 106 }
 107
 108 /* Generic af perm */
 109 int aa_profile_af_perm(struct aa_profile *profile,
 110                        struct apparmor_audit_data *ad, u32 request, u16 family,
 111                        int type)
 112 {
 113         struct aa_ruleset *rules = list_first_entry(&profile->rules,
 114                                                     typeof(*rules), list);
 115         struct aa_perms perms = { };
 116         aa_state_t state;
 117         __be16 buffer[2];
 118
 119         AA_BUG(family >= AF_MAX);
 120         AA_BUG(type < 0 || type >= SOCK_MAX);
 121
 122         if (profile_unconfined(profile))
 123                 return 0;
 124         state = RULE_MEDIATES(rules, AA_CLASS_NET);
 125         if (!state)
 126                 return 0;
 127
 128         buffer[0] = cpu_to_be16(family);
 129         buffer[1] = cpu_to_be16((u16) type);
 130         state = aa_dfa_match_len(rules->policy->dfa, state, (char *) &buffer,
 131                                  4);
 132         perms = *aa_lookup_perms(rules->policy, state);
 133         aa_apply_modes_to_perms(profile, &perms);
 134
 135         return aa_check_perms(profile, &perms, request, ad, audit_net_cb);
 136 }
 137
 138 int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,
 139                const char *op, u32 request, u16 family, int type, int protocol)
 140 {
 141         struct aa_profile *profile;
 142         DEFINE_AUDIT_NET(ad, op, NULL, family, type, protocol);
 143
 144         return fn_for_each_confined(label, profile,
 145                         aa_profile_af_perm(profile, &ad, request, family,
 146                                            type));
 147 }
 148
 149 static int aa_label_sk_perm(const struct cred *subj_cred,
 150                             struct aa_label *label,
 151                             const char *op, u32 request,
 152                             struct sock *sk)
 153 {
 154         struct aa_sk_ctx *ctx = SK_CTX(sk);
 155         int error = 0;
 156
 157         AA_BUG(!label);
 158         AA_BUG(!sk);
 159
 160         if (ctx->label != kernel_t && !unconfined(label)) {
 161                 struct aa_profile *profile;
 162                 DEFINE_AUDIT_SK(ad, op, sk);
 163
 164                 ad.subj_cred = subj_cred;
 165                 error = fn_for_each_confined(label, profile,
 166                             aa_profile_af_sk_perm(profile, &ad, request, sk));
 167         }
 168
 169         return error;
 170 }
 171
 172 int aa_sk_perm(const char *op, u32 request, struct sock *sk)
 173 {
 174         struct aa_label *label;
 175         int error;
 176
 177         AA_BUG(!sk);
 178         AA_BUG(in_interrupt());
 179
 180         /* TODO: switch to begin_current_label ???? */
 181         label = begin_current_label_crit_section();
 182         error = aa_label_sk_perm(current_cred(), label, op, request, sk);
 183         end_current_label_crit_section(label);
 184
 185         return error;
 186 }
 187
 188
 189 int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,
 190                       const char *op, u32 request, struct socket *sock)
 191 {
 192         AA_BUG(!label);
 193         AA_BUG(!sock);
 194         AA_BUG(!sock->sk);
 195
 196         return aa_label_sk_perm(subj_cred, label, op, request, sock->sk);
 197 }
 198
 199 #ifdef CONFIG_NETWORK_SECMARK
 200 static int apparmor_secmark_init(struct aa_secmark *secmark)
 201 {
 202         struct aa_label *label;
 203
 204         if (secmark->label[0] == '*') {
 205                 secmark->secid = AA_SECID_WILDCARD;
 206                 return 0;
 207         }
 208
 209         label = aa_label_strn_parse(&root_ns->unconfined->label,
 210                                     secmark->label, strlen(secmark->label),
 211                                     GFP_ATOMIC, false, false);
 212
 213         if (IS_ERR(label))
 214                 return PTR_ERR(label);
 215
 216         secmark->secid = label->secid;
 217
 218         return 0;
 219 }
 220
 221 static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
 222                            struct apparmor_audit_data *ad)
 223 {
 224         int i, ret;
 225         struct aa_perms perms = { };
 226         struct aa_ruleset *rules = list_first_entry(&profile->rules,
 227                                                     typeof(*rules), list);
 228
 229         if (rules->secmark_count == 0)
 230                 return 0;
 231
 232         for (i = 0; i < rules->secmark_count; i++) {
 233                 if (!rules->secmark[i].secid) {
 234                         ret = apparmor_secmark_init(&rules->secmark[i]);
 235                         if (ret)
 236                                 return ret;
 237                 }
 238
 239                 if (rules->secmark[i].secid == secid ||
 240                     rules->secmark[i].secid == AA_SECID_WILDCARD) {
 241                         if (rules->secmark[i].deny)
 242                                 perms.deny = ALL_PERMS_MASK;
 243                         else
 244                                 perms.allow = ALL_PERMS_MASK;
 245
 246                         if (rules->secmark[i].audit)
 247                                 perms.audit = ALL_PERMS_MASK;
 248                 }
 249         }
 250
 251         aa_apply_modes_to_perms(profile, &perms);
 252
 253         return aa_check_perms(profile, &perms, request, ad, audit_net_cb);
 254 }
 255
 256 int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
 257                            u32 secid, const struct sock *sk)
 258 {
 259         struct aa_profile *profile;
 260         DEFINE_AUDIT_SK(ad, op, sk);
 261
 262         return fn_for_each_confined(label, profile,
 263                                     aa_secmark_perm(profile, request, secid,
 264                                                     &ad));
 265 }
 266 #endif