apparmor: add the ability to mediate signals

Add signal mediation where the signal can be mediated based on the signal, direction, or the label or the peer/target. The signal perms are verified on a cross check to ensure policy consistency in the case of incremental policy load/replacement. The optimization of skipping the cross check when policy is guaranteed to be consistent (single compile unit) remains to be done. policy rules have the form of SIGNAL_RULE = [ QUALIFIERS ] 'signal' [ SIGNAL ACCESS PERMISSIONS ] [ SIGNAL SET ] [ SIGNAL PEER ] SIGNAL ACCESS PERMISSIONS = SIGNAL ACCESS | SIGNAL ACCESS LIST SIGNAL ACCESS LIST = '(' Comma or space separated list of SIGNAL ACCESS ')' SIGNAL ACCESS = ( 'r' | 'w' | 'rw' | 'read' | 'write' | 'send' | 'receive' ) SIGNAL SET = 'set' '=' '(' SIGNAL LIST ')' SIGNAL LIST = Comma or space separated list of SIGNALS SIGNALS = ( 'hup' | 'int' | 'quit' | 'ill' | 'trap' | 'abrt' | 'bus' | 'fpe' | 'kill' | 'usr1' | 'segv' | 'usr2' | 'pipe' | 'alrm' | 'term' | 'stkflt' | 'chld' | 'cont' | 'stop' | 'stp' | 'ttin' | 'ttou' | 'urg' | 'xcpu' | 'xfsz' | 'vtalrm' | 'prof' | 'winch' | 'io' | 'pwr' | 'sys' | 'emt' | 'exists' | 'rtmin+0' ... 'rtmin+32' ) SIGNAL PEER = 'peer' '=' AARE eg. signal, # allow all signals signal send set=(hup, kill) peer=foo, Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
author: John Johansen <john.johansen@canonical.com> 2017-07-19 01:56:22 -0400
committer: John Johansen <john.johansen@canonical.com> 2017-09-22 16:00:57 -0400
commit: cd1dbf76b23d5ab2cba5e657fe20b1e236a408cc (patch)
tree: 20a0180f2c6620b46a738946d943d00752eb4844 /security/apparmor/include
parent: c5561700c9cb951ec3a33a0914c840423b09d7c9 (diff)
4 files changed, 104 insertions, 0 deletions
diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h
index aaf893f4e4f5..962a20a75e01 100644
--- a/security/apparmor/include/apparmor.h
+++ b/security/apparmor/include/apparmor.h
@@ -28,6 +28,7 @@
 #define AA_CLASS_RLIMITS        5
 #define AA_CLASS_DOMAIN         6
 #define AA_CLASS_PTRACE         9
+#define AA_CLASS_SIGNAL         10
 #define AA_CLASS_LABEL          16
 #define AA_CLASS_LAST           AA_CLASS_LABEL
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
index c68839a44351..d9a156ae11b9 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -86,6 +86,7 @@ enum audit_type {
 #define OP_SHUTDOWN "socket_shutdown"
 #define OP_PTRACE "ptrace"
+#define OP_SIGNAL "signal"
 #define OP_EXEC "exec"
@@ -126,6 +127,7 @@ struct apparmor_audit_data {
                        long pos;
                        const char *ns;
                } iface;
+                int signal;
                struct {
                        int rlim;
                        unsigned long max;
diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h
index 656fdb81c8a0..5ffc218d1e74 100644
--- a/security/apparmor/include/ipc.h
+++ b/security/apparmor/include/ipc.h
@@ -27,8 +27,14 @@ struct aa_profile;
 #define AA_PTRACE_PERM_MASK (AA_PTRACE_READ | AA_PTRACE_TRACE | \
                             AA_MAY_BE_READ | AA_MAY_BE_TRACED)
+#define AA_SIGNAL_PERM_MASK (MAY_READ | MAY_WRITE)
+#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
+        "segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
+        "xcpu xfsz vtalrm prof winch io pwr sys emt lost"
 int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
                  u32 request);
+int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig);
 #endif /* __AA_IPC_H */
diff --git a/security/apparmor/include/sig_names.h b/security/apparmor/include/sig_names.h
new file mode 100644
index 000000000000..0d4395f231ca
--- /dev/null
+++ b/security/apparmor/include/sig_names.h
@@ -0,0 +1,95 @@
+#include <linux/signal.h>
+#define SIGUNKNOWN 0
+#define MAXMAPPED_SIG 35
+/* provide a mapping of arch signal to internal signal # for mediation
+ * those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
+ * map to the same entry those that may/or may not get a separate entry
+ */
+static const int sig_map[MAXMAPPED_SIG] = {
+        [0] = MAXMAPPED_SIG,    /* existence test */
+        [SIGHUP] = 1,
+        [SIGINT] = 2,
+        [SIGQUIT] = 3,
+        [SIGILL] = 4,
+        [SIGTRAP] = 5,          /* -, 5, - */
+        [SIGABRT] = 6,          /*  SIGIOT: -, 6, - */
+        [SIGBUS] = 7,           /* 10, 7, 10 */
+        [SIGFPE] = 8,
+        [SIGKILL] = 9,
+        [SIGUSR1] = 10,         /* 30, 10, 16 */
+        [SIGSEGV] = 11,
+        [SIGUSR2] = 12,         /* 31, 12, 17 */
+        [SIGPIPE] = 13,
+        [SIGALRM] = 14,
+        [SIGTERM] = 15,
+        [SIGSTKFLT] = 16,       /* -, 16, - */
+        [SIGCHLD] = 17,         /* 20, 17, 18.  SIGCHLD -, -, 18 */
+        [SIGCONT] = 18,         /* 19, 18, 25 */
+        [SIGSTOP] = 19,         /* 17, 19, 23 */
+        [SIGTSTP] = 20,         /* 18, 20, 24 */
+        [SIGTTIN] = 21,         /* 21, 21, 26 */
+        [SIGTTOU] = 22,         /* 22, 22, 27 */
+        [SIGURG] = 23,          /* 16, 23, 21 */
+        [SIGXCPU] = 24,         /* 24, 24, 30 */
+        [SIGXFSZ] = 25,         /* 25, 25, 31 */
+        [SIGVTALRM] = 26,       /* 26, 26, 28 */
+        [SIGPROF] = 27,         /* 27, 27, 29 */
+        [SIGWINCH] = 28,        /* 28, 28, 20 */
+        [SIGIO] = 29,           /* SIGPOLL: 23, 29, 22 */
+        [SIGPWR] = 30,          /* 29, 30, 19.  SIGINFO 29, -, - */
+#ifdef SIGSYS
+        [SIGSYS] = 31,          /* 12, 31, 12. often SIG LOST/UNUSED */
+#endif
+#ifdef SIGEMT
+        [SIGEMT] = 32,          /* 7, - , 7 */
+#endif
+#if defined(SIGLOST) && SIGPWR != SIGLOST               /* sparc */
+        [SIGLOST] = 33,         /* unused on Linux */
+#endif
+#if defined(SIGLOST) && defined(SIGSYS) && SIGLOST != SIGSYS
+        [SIGUNUSED] = 34,       /* -, 31, - */
+#endif
+};
+/* this table is ordered post sig_map[sig] mapping */
+static const char *const sig_names[MAXMAPPED_SIG + 1] = {
+        "unknown",
+        "hup",
+        "int",
+        "quit",
+        "ill",
+        "trap",
+        "abrt",
+        "bus",
+        "fpe",
+        "kill",
+        "usr1",
+        "segv",
+        "usr2",
+        "pipe",
+        "alrm",
+        "term",
+        "stkflt",
+        "chld",
+        "cont",
+        "stop",
+        "stp",
+        "ttin",
+        "ttou",
+        "urg",
+        "xcpu",
+        "xfsz",
+        "vtalrm",
+        "prof",
+        "winch",
+        "io",
+        "pwr",
+        "sys",
+        "emt",
+        "lost",
+        "unused",
+        "exists",       /* always last existence test mapped to MAXMAPPED_SIG */
+};
author	John Johansen <john.johansen@canonical.com>	2017-07-19 01:56:22 -0400
committer	John Johansen <john.johansen@canonical.com>	2017-09-22 16:00:57 -0400
commit	cd1dbf76b23d5ab2cba5e657fe20b1e236a408cc (patch)
tree	20a0180f2c6620b46a738946d943d00752eb4844 /security/apparmor/include
parent	c5561700c9cb951ec3a33a0914c840423b09d7c9 (diff)

diff --git a/security/apparmor/include/apparmor.h b/security/apparmor/include/apparmor.h index aaf893f4e4f5..962a20a75e01 100644 --- a/security/apparmor/include/apparmor.h +++ b/security/apparmor/include/apparmor.h
@@ -28,6 +28,7 @@
28	#define AA_CLASS_RLIMITS 5	28	#define AA_CLASS_RLIMITS 5
29	#define AA_CLASS_DOMAIN 6	29	#define AA_CLASS_DOMAIN 6
30	#define AA_CLASS_PTRACE 9	30	#define AA_CLASS_PTRACE 9
		31	#define AA_CLASS_SIGNAL 10
31	#define AA_CLASS_LABEL 16	32	#define AA_CLASS_LABEL 16
32		33
33	#define AA_CLASS_LAST AA_CLASS_LABEL	34	#define AA_CLASS_LAST AA_CLASS_LABEL


diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index c68839a44351..d9a156ae11b9 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h
@@ -86,6 +86,7 @@ enum audit_type {
86	#define OP_SHUTDOWN "socket_shutdown"	86	#define OP_SHUTDOWN "socket_shutdown"
87		87
88	#define OP_PTRACE "ptrace"	88	#define OP_PTRACE "ptrace"
		89	#define OP_SIGNAL "signal"
89		90
90	#define OP_EXEC "exec"	91	#define OP_EXEC "exec"
91		92
@@ -126,6 +127,7 @@ struct apparmor_audit_data {
126	long pos;	127	long pos;
127	const char *ns;	128	const char *ns;
128	} iface;	129	} iface;
		130	int signal;
129	struct {	131	struct {
130	int rlim;	132	int rlim;
131	unsigned long max;	133	unsigned long max;


diff --git a/security/apparmor/include/ipc.h b/security/apparmor/include/ipc.h index 656fdb81c8a0..5ffc218d1e74 100644 --- a/security/apparmor/include/ipc.h +++ b/security/apparmor/include/ipc.h
@@ -27,8 +27,14 @@ struct aa_profile;
27		27
28	#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ \| AA_PTRACE_TRACE \| \	28	#define AA_PTRACE_PERM_MASK (AA_PTRACE_READ \| AA_PTRACE_TRACE \| \
29	AA_MAY_BE_READ \| AA_MAY_BE_TRACED)	29	AA_MAY_BE_READ \| AA_MAY_BE_TRACED)
		30	#define AA_SIGNAL_PERM_MASK (MAY_READ \| MAY_WRITE)
		31
		32	#define AA_SFS_SIG_MASK "hup int quit ill trap abrt bus fpe kill usr1 " \
		33	"segv usr2 pipe alrm term stkflt chld cont stop stp ttin ttou urg " \
		34	"xcpu xfsz vtalrm prof winch io pwr sys emt lost"
30		35
31	int aa_may_ptrace(struct aa_label tracer, struct aa_label tracee,	36	int aa_may_ptrace(struct aa_label tracer, struct aa_label tracee,
32	u32 request);	37	u32 request);
		38	int aa_may_signal(struct aa_label sender, struct aa_label target, int sig);
33		39
34	#endif /* __AA_IPC_H */	40	#endif /* __AA_IPC_H */


diff --git a/security/apparmor/include/sig_names.h b/security/apparmor/include/sig_names.h new file mode 100644 index 000000000000..0d4395f231ca --- /dev/null +++ b/security/apparmor/include/sig_names.h
@@ -0,0 +1,95 @@
		1	#include <linux/signal.h>
		2
		3	#define SIGUNKNOWN 0
		4	#define MAXMAPPED_SIG 35
		5	/* provide a mapping of arch signal to internal signal # for mediation
		6	* those that are always an alias SIGCLD for SIGCLHD and SIGPOLL for SIGIO
		7	* map to the same entry those that may/or may not get a separate entry
		8	*/
		9	static const int sig_map[MAXMAPPED_SIG] = {
		10	[0] = MAXMAPPED_SIG, /* existence test */
		11	[SIGHUP] = 1,
		12	[SIGINT] = 2,
		13	[SIGQUIT] = 3,
		14	[SIGILL] = 4,
		15	[SIGTRAP] = 5, /* -, 5, - */
		16	[SIGABRT] = 6, /* SIGIOT: -, 6, - */
		17	[SIGBUS] = 7, /* 10, 7, 10 */
		18	[SIGFPE] = 8,
		19	[SIGKILL] = 9,
		20	[SIGUSR1] = 10, /* 30, 10, 16 */
		21	[SIGSEGV] = 11,
		22	[SIGUSR2] = 12, /* 31, 12, 17 */
		23	[SIGPIPE] = 13,
		24	[SIGALRM] = 14,
		25	[SIGTERM] = 15,
		26	[SIGSTKFLT] = 16, /* -, 16, - */
		27	[SIGCHLD] = 17, /* 20, 17, 18. SIGCHLD -, -, 18 */
		28	[SIGCONT] = 18, /* 19, 18, 25 */
		29	[SIGSTOP] = 19, /* 17, 19, 23 */
		30	[SIGTSTP] = 20, /* 18, 20, 24 */
		31	[SIGTTIN] = 21, /* 21, 21, 26 */
		32	[SIGTTOU] = 22, /* 22, 22, 27 */
		33	[SIGURG] = 23, /* 16, 23, 21 */
		34	[SIGXCPU] = 24, /* 24, 24, 30 */
		35	[SIGXFSZ] = 25, /* 25, 25, 31 */
		36	[SIGVTALRM] = 26, /* 26, 26, 28 */
		37	[SIGPROF] = 27, /* 27, 27, 29 */
		38	[SIGWINCH] = 28, /* 28, 28, 20 */
		39	[SIGIO] = 29, /* SIGPOLL: 23, 29, 22 */
		40	[SIGPWR] = 30, /* 29, 30, 19. SIGINFO 29, -, - */
		41	#ifdef SIGSYS
		42	[SIGSYS] = 31, /* 12, 31, 12. often SIG LOST/UNUSED */
		43	#endif
		44	#ifdef SIGEMT
		45	[SIGEMT] = 32, /* 7, - , 7 */
		46	#endif
		47	#if defined(SIGLOST) && SIGPWR != SIGLOST /* sparc */
		48	[SIGLOST] = 33, /* unused on Linux */
		49	#endif
		50	#if defined(SIGLOST) && defined(SIGSYS) && SIGLOST != SIGSYS
		51	[SIGUNUSED] = 34, /* -, 31, - */
		52	#endif
		53	};
		54
		55	/* this table is ordered post sig_map[sig] mapping */
		56	static const char *const sig_names[MAXMAPPED_SIG + 1] = {
		57	"unknown",
		58	"hup",
		59	"int",
		60	"quit",
		61	"ill",
		62	"trap",
		63	"abrt",
		64	"bus",
		65	"fpe",
		66	"kill",
		67	"usr1",
		68	"segv",
		69	"usr2",
		70	"pipe",
		71	"alrm",
		72	"term",
		73	"stkflt",
		74	"chld",
		75	"cont",
		76	"stop",
		77	"stp",
		78	"ttin",
		79	"ttou",
		80	"urg",
		81	"xcpu",
		82	"xfsz",
		83	"vtalrm",
		84	"prof",
		85	"winch",
		86	"io",
		87	"pwr",
		88	"sys",
		89	"emt",
		90	"lost",
		91	"unused",
		92
		93	"exists", /* always last existence test mapped to MAXMAPPED_SIG */
		94	};
		95