mirror of
https://github.com/torvalds/linux.git
synced 2024-11-29 07:31:29 +00:00
90c436a64a
The cred is needed to properly audit some messages, and will be needed in the future for uid conditional mediation. So pass it through to where the apparmor_audit_data struct gets defined. Reviewed-by: Georgia Garcia <georgia.garcia@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
121 lines
3.2 KiB
C
121 lines
3.2 KiB
C
/* SPDX-License-Identifier: GPL-2.0-only */
|
|
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor network mediation definitions.
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2017 Canonical Ltd.
|
|
*/
|
|
|
|
#ifndef __AA_NET_H
|
|
#define __AA_NET_H
|
|
|
|
#include <net/sock.h>
|
|
#include <linux/path.h>
|
|
|
|
#include "apparmorfs.h"
|
|
#include "label.h"
|
|
#include "perms.h"
|
|
#include "policy.h"
|
|
|
|
#define AA_MAY_SEND AA_MAY_WRITE
|
|
#define AA_MAY_RECEIVE AA_MAY_READ
|
|
|
|
#define AA_MAY_SHUTDOWN AA_MAY_DELETE
|
|
|
|
#define AA_MAY_CONNECT AA_MAY_OPEN
|
|
#define AA_MAY_ACCEPT 0x00100000
|
|
|
|
#define AA_MAY_BIND 0x00200000
|
|
#define AA_MAY_LISTEN 0x00400000
|
|
|
|
#define AA_MAY_SETOPT 0x01000000
|
|
#define AA_MAY_GETOPT 0x02000000
|
|
|
|
#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
|
|
AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \
|
|
AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
|
|
AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
|
|
|
|
#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
|
|
AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
|
|
AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \
|
|
AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \
|
|
AA_MAY_MPROT)
|
|
|
|
#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
|
|
AA_MAY_ACCEPT)
|
|
struct aa_sk_ctx {
|
|
struct aa_label *label;
|
|
struct aa_label *peer;
|
|
};
|
|
|
|
#define SK_CTX(X) ((X)->sk_security)
|
|
static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
|
|
{
|
|
return sk->sk_security;
|
|
}
|
|
|
|
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
|
|
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
|
|
.family = (F)}; \
|
|
DEFINE_AUDIT_DATA(NAME, \
|
|
((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
|
|
LSM_AUDIT_DATA_NONE, \
|
|
AA_CLASS_NET, \
|
|
OP); \
|
|
NAME.common.u.net = &(NAME ## _net); \
|
|
NAME.net.type = (T); \
|
|
NAME.net.protocol = (P)
|
|
|
|
#define DEFINE_AUDIT_SK(NAME, OP, SK) \
|
|
DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
|
|
(SK)->sk_protocol)
|
|
|
|
|
|
#define af_select(FAMILY, FN, DEF_FN) \
|
|
({ \
|
|
int __e; \
|
|
switch ((FAMILY)) { \
|
|
default: \
|
|
__e = DEF_FN; \
|
|
} \
|
|
__e; \
|
|
})
|
|
|
|
struct aa_secmark {
|
|
u8 audit;
|
|
u8 deny;
|
|
u32 secid;
|
|
char *label;
|
|
};
|
|
|
|
extern struct aa_sfs_entry aa_sfs_entry_network[];
|
|
|
|
void audit_net_cb(struct audit_buffer *ab, void *va);
|
|
int aa_profile_af_perm(struct aa_profile *profile,
|
|
struct apparmor_audit_data *ad,
|
|
u32 request, u16 family, int type);
|
|
int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,
|
|
const char *op, u32 request, u16 family,
|
|
int type, int protocol);
|
|
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
|
|
struct apparmor_audit_data *ad,
|
|
u32 request,
|
|
struct sock *sk)
|
|
{
|
|
return aa_profile_af_perm(profile, ad, request, sk->sk_family,
|
|
sk->sk_type);
|
|
}
|
|
int aa_sk_perm(const char *op, u32 request, struct sock *sk);
|
|
|
|
int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,
|
|
const char *op, u32 request,
|
|
struct socket *sock);
|
|
|
|
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
|
|
u32 secid, const struct sock *sk);
|
|
|
|
#endif /* __AA_NET_H */
|