apparmor: add base infastructure for socket mediation

version 2 - Force an abi break. Network mediation will only be available in v8 abi complaint policy. Provide a basic mediation of sockets. This is not a full net mediation but just whether a spcific family of socket can be used by an application, along with setting up some basic infrastructure for network mediation to follow. the user space rule hav the basic form of NETWORK RULE = [ QUALIFIERS ] 'network' [ DOMAIN ] [ TYPE | PROTOCOL ] DOMAIN = ( 'inet' | 'ax25' | 'ipx' | 'appletalk' | 'netrom' | 'bridge' | 'atmpvc' | 'x25' | 'inet6' | 'rose' | 'netbeui' | 'security' | 'key' | 'packet' | 'ash' | 'econet' | 'atmsvc' | 'sna' | 'irda' | 'pppox' | 'wanpipe' | 'bluetooth' | 'netlink' | 'unix' | 'rds' | 'llc' | 'can' | 'tipc' | 'iucv' | 'rxrpc' | 'isdn' | 'phonet' | 'ieee802154' | 'caif' | 'alg' | 'nfc' | 'vsock' | 'mpls' | 'ib' | 'kcm' ) ',' TYPE = ( 'stream' | 'dgram' | 'seqpacket' | 'rdm' | 'raw' | 'packet' ) PROTOCOL = ( 'tcp' | 'udp' | 'icmp' ) eg. network, network inet, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-07-19 02:18:33 -0400
committer: John Johansen <john.johansen@canonical.com> 2018-03-13 20:25:48 -0400
commit: 56974a6fcfef69ee0825bd66ed13e92070ac5224 (patch)
tree: 852fc5a667d889d6673960448578260e6e060584 /security/apparmor/include/net.h
parent: 21f606610502ef56f9180b1529fc7e02957564c8 (diff)
1 files changed, 106 insertions, 0 deletions
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
new file mode 100644
index 000000000000..ec7228e857a9
--- /dev/null
+++ b/security/apparmor/include/net.h
@@ -0,0 +1,106 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_NET_H
+#define __AA_NET_H
+#include <net/sock.h>
+#include <linux/path.h>
+#include "apparmorfs.h"
+#include "label.h"
+#include "perms.h"
+#include "policy.h"
+#define AA_MAY_SEND             AA_MAY_WRITE
+#define AA_MAY_RECEIVE          AA_MAY_READ
+#define AA_MAY_SHUTDOWN         AA_MAY_DELETE
+#define AA_MAY_CONNECT          AA_MAY_OPEN
+#define AA_MAY_ACCEPT           0x00100000
+#define AA_MAY_BIND             0x00200000
+#define AA_MAY_LISTEN           0x00400000
+#define AA_MAY_SETOPT           0x01000000
+#define AA_MAY_GETOPT           0x02000000
+#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
+                        AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN |   \
+                        AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
+                        AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
+#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
+                      AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
+                      AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD |  \
+                      AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK |       \
+                      AA_MAY_MPROT)
+#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT |  \
+                       AA_MAY_ACCEPT)
+struct aa_sk_ctx {
+        struct aa_label *label;
+        struct aa_label *peer;
+};
+#define SK_CTX(X) ((X)->sk_security)
+#define SOCK_ctx(X) SOCK_INODE(X)->i_security
+#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)                           \
+        struct lsm_network_audit NAME ## _net = { .sk = (SK),             \
+                                                  .family = (F)};         \
+        DEFINE_AUDIT_DATA(NAME,                                           \
+                          ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
+                                                     LSM_AUDIT_DATA_NONE, \
+                          OP);                                            \
+        NAME.u.net = &(NAME ## _net);                                     \
+        aad(&NAME)->net.type = (T);                                       \
+        aad(&NAME)->net.protocol = (P)
+#define DEFINE_AUDIT_SK(NAME, OP, SK)                                   \
+        DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,  \
+                         (SK)->sk_protocol)
+#define af_select(FAMILY, FN, DEF_FN)           \
+({                                              \
+        int __e;                                \
+        switch ((FAMILY)) {                     \
+        default:                                \
+                __e = DEF_FN;                   \
+        }                                       \
+        __e;                                    \
+})
+extern struct aa_sfs_entry aa_sfs_entry_network[];
+void audit_net_cb(struct audit_buffer *ab, void *va);
+int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
+                       u32 request, u16 family, int type);
+int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
+               int type, int protocol);
+static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
+                                        struct common_audit_data *sa,
+                                        u32 request,
+                                        struct sock *sk)
+{
+        return aa_profile_af_perm(profile, sa, request, sk->sk_family,
+                                  sk->sk_type);
+}
+int aa_sk_perm(const char *op, u32 request, struct sock *sk);
+int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
+                      struct socket *sock);
+#endif /* __AA_NET_H */
author	John Johansen <john.johansen@canonical.com>	2017-07-19 02:18:33 -0400
committer	John Johansen <john.johansen@canonical.com>	2018-03-13 20:25:48 -0400
commit	56974a6fcfef69ee0825bd66ed13e92070ac5224 (patch)
tree	852fc5a667d889d6673960448578260e6e060584 /security/apparmor/include/net.h
parent	21f606610502ef56f9180b1529fc7e02957564c8 (diff)

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h new file mode 100644 index 000000000000..ec7228e857a9 --- /dev/null +++ b/security/apparmor/include/net.h
@@ -0,0 +1,106 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor network mediation definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2017 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_NET_H
	16	#define __AA_NET_H
	17
	18	#include <net/sock.h>
	19	#include <linux/path.h>
	20
	21	#include "apparmorfs.h"
	22	#include "label.h"
	23	#include "perms.h"
	24	#include "policy.h"
	25
	26	#define AA_MAY_SEND AA_MAY_WRITE
	27	#define AA_MAY_RECEIVE AA_MAY_READ
	28
	29	#define AA_MAY_SHUTDOWN AA_MAY_DELETE
	30
	31	#define AA_MAY_CONNECT AA_MAY_OPEN
	32	#define AA_MAY_ACCEPT 0x00100000
	33
	34	#define AA_MAY_BIND 0x00200000
	35	#define AA_MAY_LISTEN 0x00400000
	36
	37	#define AA_MAY_SETOPT 0x01000000
	38	#define AA_MAY_GETOPT 0x02000000
	39
	40	#define NET_PERMS_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
	41	AA_MAY_SHUTDOWN \| AA_MAY_BIND \| AA_MAY_LISTEN \| \
	42	AA_MAY_CONNECT \| AA_MAY_ACCEPT \| AA_MAY_SETATTR \| \
	43	AA_MAY_GETATTR \| AA_MAY_SETOPT \| AA_MAY_GETOPT)
	44
	45	#define NET_FS_PERMS (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
	46	AA_MAY_SHUTDOWN \| AA_MAY_CONNECT \| AA_MAY_RENAME \|\
	47	AA_MAY_SETATTR \| AA_MAY_GETATTR \| AA_MAY_CHMOD \| \
	48	AA_MAY_CHOWN \| AA_MAY_CHGRP \| AA_MAY_LOCK \| \
	49	AA_MAY_MPROT)
	50
	51	#define NET_PEER_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CONNECT \| \
	52	AA_MAY_ACCEPT)
	53	struct aa_sk_ctx {
	54	struct aa_label *label;
	55	struct aa_label *peer;
	56	};
	57
	58	#define SK_CTX(X) ((X)->sk_security)
	59	#define SOCK_ctx(X) SOCK_INODE(X)->i_security
	60	#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
	61	struct lsm_network_audit NAME ## _net = { .sk = (SK), \
	62	.family = (F)}; \
	63	DEFINE_AUDIT_DATA(NAME, \
	64	((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
	65	LSM_AUDIT_DATA_NONE, \
	66	OP); \
	67	NAME.u.net = &(NAME ## _net); \
	68	aad(&NAME)->net.type = (T); \
	69	aad(&NAME)->net.protocol = (P)
	70
	71	#define DEFINE_AUDIT_SK(NAME, OP, SK) \
	72	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
	73	(SK)->sk_protocol)
	74
	75
	76	#define af_select(FAMILY, FN, DEF_FN) \
	77	({ \
	78	int __e; \
	79	switch ((FAMILY)) { \
	80	default: \
	81	__e = DEF_FN; \
	82	} \
	83	__e; \
	84	})
	85
	86	extern struct aa_sfs_entry aa_sfs_entry_network[];
	87
	88	void audit_net_cb(struct audit_buffer ab, void va);
	89	int aa_profile_af_perm(struct aa_profile profile, struct common_audit_data sa,
	90	u32 request, u16 family, int type);
	91	int aa_af_perm(struct aa_label label, const char op, u32 request, u16 family,
	92	int type, int protocol);
	93	static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
	94	struct common_audit_data *sa,
	95	u32 request,
	96	struct sock *sk)
	97	{
	98	return aa_profile_af_perm(profile, sa, request, sk->sk_family,
	99	sk->sk_type);
	100	}
	101	int aa_sk_perm(const char op, u32 request, struct sock sk);
	102
	103	int aa_sock_file_perm(struct aa_label label, const char op, u32 request,
	104	struct socket *sock);
	105
	106	#endif /* __AA_NET_H */