1 files changed, 114 insertions, 0 deletions
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
new file mode 100644
index 000000000000..140c8efcf364
--- /dev/null
+++ b/security/apparmor/include/net.h
@@ -0,0 +1,114 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor network mediation definitions.
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2017 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#ifndef __AA_NET_H
+#define __AA_NET_H
+#include <net/sock.h>
+#include <linux/path.h>
+#include "apparmorfs.h"
+#include "label.h"
+#include "perms.h"
+#include "policy.h"
+#define AA_MAY_SEND             AA_MAY_WRITE
+#define AA_MAY_RECEIVE          AA_MAY_READ
+#define AA_MAY_SHUTDOWN         AA_MAY_DELETE
+#define AA_MAY_CONNECT          AA_MAY_OPEN
+#define AA_MAY_ACCEPT           0x00100000
+#define AA_MAY_BIND             0x00200000
+#define AA_MAY_LISTEN           0x00400000
+#define AA_MAY_SETOPT           0x01000000
+#define AA_MAY_GETOPT           0x02000000
+#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
+                        AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN |   \
+                        AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
+                        AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
+#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
+                      AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
+                      AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD |  \
+                      AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK |       \
+                      AA_MAY_MPROT)
+#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT |  \
+                       AA_MAY_ACCEPT)
+struct aa_sk_ctx {
+        struct aa_label *label;
+        struct aa_label *peer;
+        struct path path;
+};
+#define SK_CTX(X) ((X)->sk_security)
+#define SOCK_ctx(X) SOCK_INODE(X)->i_security
+#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)                           \
+        struct lsm_network_audit NAME ## _net = { .sk = (SK),             \
+                                                  .family = (F)};         \
+        DEFINE_AUDIT_DATA(NAME,                                           \
+                          ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
+                                                     LSM_AUDIT_DATA_NONE, \
+                          OP);                                            \
+        NAME.u.net = &(NAME ## _net);                                     \
+        aad(&NAME)->net.type = (T);                                       \
+        aad(&NAME)->net.protocol = (P)
+#define DEFINE_AUDIT_SK(NAME, OP, SK)                                   \
+        DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,  \
+                         (SK)->sk_protocol)
+/* struct aa_net - network confinement data
+ * @allow: basic network families permissions
+ * @audit: which network permissions to force audit
+ * @quiet: which network permissions to quiet rejects
+ */
+struct aa_net {
+        u16 allow[AF_MAX];
+        u16 audit[AF_MAX];
+        u16 quiet[AF_MAX];
+};
+extern struct aa_sfs_entry aa_sfs_entry_network[];
+void audit_net_cb(struct audit_buffer *ab, void *va);
+int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
+                       u32 request, u16 family, int type);
+int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
+               int type, int protocol);
+static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
+                                        struct common_audit_data *sa,
+                                        u32 request,
+                                        struct sock *sk)
+{
+        return aa_profile_af_perm(profile, sa, request, sk->sk_family,
+                                  sk->sk_type);
+}
+int aa_sk_perm(const char *op, u32 request, struct sock *sk);
+int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
+                      struct socket *sock);
+static inline void aa_free_net_rules(struct aa_net *new)
+{
+        /* NOP */
+}
+#endif /* __AA_NET_H */

diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h new file mode 100644 index 000000000000..140c8efcf364 --- /dev/null +++ b/security/apparmor/include/net.h
@@ -0,0 +1,114 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor network mediation definitions.
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2017 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#ifndef __AA_NET_H
	16	#define __AA_NET_H
	17
	18	#include <net/sock.h>
	19	#include <linux/path.h>
	20
	21	#include "apparmorfs.h"
	22	#include "label.h"
	23	#include "perms.h"
	24	#include "policy.h"
	25
	26	#define AA_MAY_SEND AA_MAY_WRITE
	27	#define AA_MAY_RECEIVE AA_MAY_READ
	28
	29	#define AA_MAY_SHUTDOWN AA_MAY_DELETE
	30
	31	#define AA_MAY_CONNECT AA_MAY_OPEN
	32	#define AA_MAY_ACCEPT 0x00100000
	33
	34	#define AA_MAY_BIND 0x00200000
	35	#define AA_MAY_LISTEN 0x00400000
	36
	37	#define AA_MAY_SETOPT 0x01000000
	38	#define AA_MAY_GETOPT 0x02000000
	39
	40	#define NET_PERMS_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
	41	AA_MAY_SHUTDOWN \| AA_MAY_BIND \| AA_MAY_LISTEN \| \
	42	AA_MAY_CONNECT \| AA_MAY_ACCEPT \| AA_MAY_SETATTR \| \
	43	AA_MAY_GETATTR \| AA_MAY_SETOPT \| AA_MAY_GETOPT)
	44
	45	#define NET_FS_PERMS (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
	46	AA_MAY_SHUTDOWN \| AA_MAY_CONNECT \| AA_MAY_RENAME \|\
	47	AA_MAY_SETATTR \| AA_MAY_GETATTR \| AA_MAY_CHMOD \| \
	48	AA_MAY_CHOWN \| AA_MAY_CHGRP \| AA_MAY_LOCK \| \
	49	AA_MAY_MPROT)
	50
	51	#define NET_PEER_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CONNECT \| \
	52	AA_MAY_ACCEPT)
	53	struct aa_sk_ctx {
	54	struct aa_label *label;
	55	struct aa_label *peer;
	56	struct path path;
	57	};
	58
	59	#define SK_CTX(X) ((X)->sk_security)
	60	#define SOCK_ctx(X) SOCK_INODE(X)->i_security
	61	#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
	62	struct lsm_network_audit NAME ## _net = { .sk = (SK), \
	63	.family = (F)}; \
	64	DEFINE_AUDIT_DATA(NAME, \
	65	((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
	66	LSM_AUDIT_DATA_NONE, \
	67	OP); \
	68	NAME.u.net = &(NAME ## _net); \
	69	aad(&NAME)->net.type = (T); \
	70	aad(&NAME)->net.protocol = (P)
	71
	72	#define DEFINE_AUDIT_SK(NAME, OP, SK) \
	73	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
	74	(SK)->sk_protocol)
	75
	76	/* struct aa_net - network confinement data
	77	* @allow: basic network families permissions
	78	* @audit: which network permissions to force audit
	79	* @quiet: which network permissions to quiet rejects
	80	*/
	81	struct aa_net {
	82	u16 allow[AF_MAX];
	83	u16 audit[AF_MAX];
	84	u16 quiet[AF_MAX];
	85	};
	86
	87
	88	extern struct aa_sfs_entry aa_sfs_entry_network[];
	89
	90	void audit_net_cb(struct audit_buffer ab, void va);
	91	int aa_profile_af_perm(struct aa_profile profile, struct common_audit_data sa,
	92	u32 request, u16 family, int type);
	93	int aa_af_perm(struct aa_label label, const char op, u32 request, u16 family,
	94	int type, int protocol);
	95	static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
	96	struct common_audit_data *sa,
	97	u32 request,
	98	struct sock *sk)
	99	{
	100	return aa_profile_af_perm(profile, sa, request, sk->sk_family,
	101	sk->sk_type);
	102	}
	103	int aa_sk_perm(const char op, u32 request, struct sock sk);
	104
	105	int aa_sock_file_perm(struct aa_label label, const char op, u32 request,
	106	struct socket *sock);
	107
	108
	109	static inline void aa_free_net_rules(struct aa_net *new)
	110	{
	111	/* NOP */
	112	}
	113
	114	#endif /* __AA_NET_H */