
Revert "apparmor: add base infastructure for socket mediation"

This reverts commit 651e28c5537abb39076d3949fb7618536f1d242e.

This caused a regression:
"The specific problem is that dnsmasq refuses to start on openSUSE Leap
42.2. The specific cause is that an attempt to open a PF_LOCAL socket
gets EACCES. This means that networking doesn't function on a system
with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert. This has not been a good release for
the security subsystem, and this area needs to change development
practices.

Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

+16 -840
-1
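--- a/security/apparmor/.gitignore
+++ b/security/apparmor/.gitignore
@@ -1,6 +1,5 @@
 #
 # Generated include files
 #
-net_names.h
 capability_names.h
 rlim_names.h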
+2 -41
security/apparmor/Makefile
··· 4 4 5 5 apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ 6 6 path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ 7 - resource.o secid.o file.o policy_ns.o label.o mount.o net.o 7 + resource.o secid.o file.o policy_ns.o label.o mount.o 8 8 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o 9 9 10 - clean-files := capability_names.h rlim_names.h net_names.h 10 + clean-files := capability_names.h rlim_names.h 11 11 12 - # Build a lower case string table of address family names 13 - # Transform lines from 14 - # #define AF_LOCAL 1 /* POSIX name for AF_UNIX */ 15 - # #define AF_INET 2 /* Internet IP Protocol */ 16 - # to 17 - # [1] = "local", 18 - # [2] = "inet", 19 - # 20 - # and build the securityfs entries for the mapping. 21 - # Transforms lines from 22 - # #define AF_INET 2 /* Internet IP Protocol */ 23 - # to 24 - # #define AA_SFS_AF_MASK "local inet" 25 - quiet_cmd_make-af = GEN $@ 26 - cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\ 27 - sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ 28 - 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ 29 - echo "};" >> $@ ;\ 30 - printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\ 31 - sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \ 32 - 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\ 33 - $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ 34 - 35 - # Build a lower case string table of sock type names 36 - # Transform lines from 37 - # SOCK_STREAM = 1, 38 - # to 39 - # [1] = "stream", 40 - quiet_cmd_make-sock = GEN $@ 41 - cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\ 42 - sed $^ >>$@ -r -n \ 43 - -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\ 44 - echo "};" >> $@ 45 12 46 13 # Build a lower case string table of capability names 47 14 # Transforms lines from ··· 61 94 tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ 62 95 63 96 $(obj)/capability.o 
: $(obj)/capability_names.h 64 - $(obj)/net.o : $(obj)/net_names.h 65 97 $(obj)/resource.o : $(obj)/rlim_names.h 66 98 $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \ 67 99 $(src)/Makefile ··· 68 102 $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \ 69 103 $(src)/Makefile 70 104 $(call cmd,make-rlim) 71 - $(obj)/net_names.h : $(srctree)/include/linux/socket.h \ 72 - $(srctree)/include/linux/net.h \ 73 - $(src)/Makefile 74 - $(call cmd,make-af) 75 - $(call cmd,make-sock)
-1
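--- a/security/apparmor/apparmorfs.c
+++ b/security/apparmor/apparmorfs.c
@@ -2202,7 +2202,6 @@
 	AA_SFS_DIR("policy", aa_sfs_entry_policy),
 	AA_SFS_DIR("domain", aa_sfs_entry_domain),
 	AA_SFS_DIR("file", aa_sfs_entry_file),
-	AA_SFS_DIR("network", aa_sfs_entry_network),
 	AA_SFS_DIR("mount", aa_sfs_entry_mount),
 	AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
 	AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),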
-30
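--- a/security/apparmor/file.c
+++ b/security/apparmor/file.c
@@ -21,7 +21,6 @@
 #include "include/context.h"
 #include "include/file.h"
 #include "include/match.h"
-#include "include/net.h"
 #include "include/path.h"
 #include "include/policy.h"
 #include "include/label.h"
@@ -567,32 +566,6 @@
 	return error;
 }
 
-static int __file_sock_perm(const char *op, struct aa_label *label,
-			    struct aa_label *flabel, struct file *file,
-			    u32 request, u32 denied)
-{
-	struct socket *sock = (struct socket *) file->private_data;
-	int error;
-
-	AA_BUG(!sock);
-
-	/* revalidation due to label out of date. No revocation at this time */
-	if (!denied && aa_label_is_subset(flabel, label))
-		return 0;
-
-	/* TODO: improve to skip profiles cached in flabel */
-	error = aa_sock_file_perm(label, op, request, sock);
-	if (denied) {
-		/* TODO: improve to skip profiles checked above */
-		/* check every profile in file label to is cached */
-		last_error(error, aa_sock_file_perm(flabel, op, request, sock));
-	}
-	if (!error)
-		update_file_ctx(file_ctx(file), label, request);
-
-	return error;
-}
-
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -637,9 +610,6 @@
 		error = __file_path_perm(op, label, flabel, file, request,
 					 denied);
 
-	else if (S_ISSOCK(file_inode(file)->i_mode))
-		error = __file_sock_perm(op, label, flabel, file, request,
-					 denied);
 done:
 	rcu_read_unlock();
 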
+9 -17
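--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -121,29 +121,21 @@
 	/* these entries require a custom callback fn */
 	struct {
 		struct aa_label *peer;
-		union {
-			struct {
-				kuid_t ouid;
-				const char *target;
-			} fs;
-			struct {
-				int type, protocol;
-				struct sock *peer_sk;
-				void *addr;
-				int addrlen;
-			} net;
-			int signal;
-			struct {
-				int rlim;
-				unsigned long max;
-			} rlim;
-		};
+		struct {
+			const char *target;
+			kuid_t ouid;
+		} fs;
 	};
 	struct {
 		struct aa_profile *profile;
 		const char *ns;
 		long pos;
 	} iface;
+	int signal;
+	struct {
+		int rlim;
+		unsigned long max;
+	} rlim;
 	struct {
 		const char *src_name;
 		const char *type;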
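Review bot: `int signal;` and the `rlim` struct are moved out of the anonymous union back to standalone members of the enclosing aggregate, so they no longer share storage with `fs` and the audit data grows by their size on every record. Only the `net` arm of that union belonged to the socket mediation being reverted; the union holding `fs`, `signal` and `rlim` could have been kept with just the `net` arm dropped, assuming no code relies on `signal` or `rlim` being addressable at the same time as `fs`. The member order inside `fs` also flips back to `target` before `ouid`, which is harmless but adds diff noise. The enclosing struct begins and ends outside the hunk.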
-114
security/apparmor/include/net.h
··· 1 - /* 2 - * AppArmor security module 3 - * 4 - * This file contains AppArmor network mediation definitions. 5 - * 6 - * Copyright (C) 1998-2008 Novell/SUSE 7 - * Copyright 2009-2017 Canonical Ltd. 8 - * 9 - * This program is free software; you can redistribute it and/or 10 - * modify it under the terms of the GNU General Public License as 11 - * published by the Free Software Foundation, version 2 of the 12 - * License. 13 - */ 14 - 15 - #ifndef __AA_NET_H 16 - #define __AA_NET_H 17 - 18 - #include <net/sock.h> 19 - #include <linux/path.h> 20 - 21 - #include "apparmorfs.h" 22 - #include "label.h" 23 - #include "perms.h" 24 - #include "policy.h" 25 - 26 - #define AA_MAY_SEND AA_MAY_WRITE 27 - #define AA_MAY_RECEIVE AA_MAY_READ 28 - 29 - #define AA_MAY_SHUTDOWN AA_MAY_DELETE 30 - 31 - #define AA_MAY_CONNECT AA_MAY_OPEN 32 - #define AA_MAY_ACCEPT 0x00100000 33 - 34 - #define AA_MAY_BIND 0x00200000 35 - #define AA_MAY_LISTEN 0x00400000 36 - 37 - #define AA_MAY_SETOPT 0x01000000 38 - #define AA_MAY_GETOPT 0x02000000 39 - 40 - #define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \ 41 - AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \ 42 - AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \ 43 - AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT) 44 - 45 - #define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \ 46 - AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\ 47 - AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \ 48 - AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \ 49 - AA_MAY_MPROT) 50 - 51 - #define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \ 52 - AA_MAY_ACCEPT) 53 - struct aa_sk_ctx { 54 - struct aa_label *label; 55 - struct aa_label *peer; 56 - struct path path; 57 - }; 58 - 59 - #define SK_CTX(X) ((X)->sk_security) 60 - #define SOCK_ctx(X) SOCK_INODE(X)->i_security 61 - #define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \ 62 - struct lsm_network_audit NAME ## _net = { .sk = (SK), \ 63 - .family = (F)}; \ 64 
- DEFINE_AUDIT_DATA(NAME, \ 65 - ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \ 66 - LSM_AUDIT_DATA_NONE, \ 67 - OP); \ 68 - NAME.u.net = &(NAME ## _net); \ 69 - aad(&NAME)->net.type = (T); \ 70 - aad(&NAME)->net.protocol = (P) 71 - 72 - #define DEFINE_AUDIT_SK(NAME, OP, SK) \ 73 - DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \ 74 - (SK)->sk_protocol) 75 - 76 - /* struct aa_net - network confinement data 77 - * @allow: basic network families permissions 78 - * @audit: which network permissions to force audit 79 - * @quiet: which network permissions to quiet rejects 80 - */ 81 - struct aa_net { 82 - u16 allow[AF_MAX]; 83 - u16 audit[AF_MAX]; 84 - u16 quiet[AF_MAX]; 85 - }; 86 - 87 - 88 - extern struct aa_sfs_entry aa_sfs_entry_network[]; 89 - 90 - void audit_net_cb(struct audit_buffer *ab, void *va); 91 - int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, 92 - u32 request, u16 family, int type); 93 - int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, 94 - int type, int protocol); 95 - static inline int aa_profile_af_sk_perm(struct aa_profile *profile, 96 - struct common_audit_data *sa, 97 - u32 request, 98 - struct sock *sk) 99 - { 100 - return aa_profile_af_perm(profile, sa, request, sk->sk_family, 101 - sk->sk_type); 102 - } 103 - int aa_sk_perm(const char *op, u32 request, struct sock *sk); 104 - 105 - int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, 106 - struct socket *sock); 107 - 108 - 109 - static inline void aa_free_net_rules(struct aa_net *new) 110 - { 111 - /* NOP */ 112 - } 113 - 114 - #endif /* __AA_NET_H */
+2 -3
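--- a/security/apparmor/include/perms.h
+++ b/security/apparmor/include/perms.h
@@ -135,10 +135,9 @@
 
 
 void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-			 u32 mask);
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-			u32 chrsmask, const char * const *names, u32 namesmask);
+			u32 chrsmask, const char **names, u32 namesmask);
 void aa_apply_modes_to_perms(struct aa_profile *profile,
 			     struct aa_perms *perms);
 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,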
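Review bot: Both restored prototypes weaken the name-table parameter from `const char * const *names` back to `const char **names`, and the definitions in security/apparmor/lib.c follow suit. That qualifier was independent of the socket mediation whose regression motivates the revert, and it is what lets a caller hand in a table declared `static const char * const names[]` without a cast; keeping `void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names, u32 mask);` and the matching `aa_audit_perm_mask` parameter would preserve that. Whether any remaining caller depends on the stronger qualification is not visible from this hunk.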
-13
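--- a/security/apparmor/include/policy.h
+++ b/security/apparmor/include/policy.h
@@ -30,7 +30,6 @@
 #include "file.h"
 #include "lib.h"
 #include "label.h"
-#include "net.h"
 #include "perms.h"
 #include "resource.h"
 
@@ -112,7 +111,6 @@
  * @policy: general match rules governing policy
  * @file: The set of rules governing basic file access and domain transitions
  * @caps: capabilities for the profile
- * @net: network controls for the profile
  * @rlimits: rlimits for the profile
  *
  * @dents: dentries for the profiles file entries in apparmorfs
@@ -150,7 +148,6 @@
 	struct aa_policydb policy;
 	struct aa_file_rules file;
 	struct aa_caps caps;
-	struct aa_net net;
 	struct aa_rlimit rlimits;
 
 	struct aa_loaddata *rawdata;
@@ -221,16 +218,6 @@
 		return aa_dfa_match_len(profile->policy.dfa,
 					profile->policy.start[0], &class, 1);
 	return 0;
-}
-
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
-					       u16 AF) {
-	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
-	u16 be_af = cpu_to_be16(AF);
-
-	if (!state)
-		return 0;
-	return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
 }
 
 /**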
+2 -3
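--- a/security/apparmor/lib.c
+++ b/security/apparmor/lib.c
@@ -211,8 +211,7 @@
 	*str = '\0';
 }
 
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-			 u32 mask)
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask)
 {
 	const char *fmt = "%s";
 	unsigned int i, perm = 1;
@@ -230,7 +229,7 @@
 }
 
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-			u32 chrsmask, const char * const *names, u32 namesmask)
+			u32 chrsmask, const char **names, u32 namesmask)
 {
 	char str[33];
 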
-387
security/apparmor/lsm.c
··· 33 33 #include "include/context.h" 34 34 #include "include/file.h" 35 35 #include "include/ipc.h" 36 - #include "include/net.h" 37 36 #include "include/path.h" 38 37 #include "include/label.h" 39 38 #include "include/policy.h" ··· 736 737 return error; 737 738 } 738 739 739 - /** 740 - * apparmor_sk_alloc_security - allocate and attach the sk_security field 741 - */ 742 - static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags) 743 - { 744 - struct aa_sk_ctx *ctx; 745 - 746 - ctx = kzalloc(sizeof(*ctx), flags); 747 - if (!ctx) 748 - return -ENOMEM; 749 - 750 - SK_CTX(sk) = ctx; 751 - 752 - return 0; 753 - } 754 - 755 - /** 756 - * apparmor_sk_free_security - free the sk_security field 757 - */ 758 - static void apparmor_sk_free_security(struct sock *sk) 759 - { 760 - struct aa_sk_ctx *ctx = SK_CTX(sk); 761 - 762 - SK_CTX(sk) = NULL; 763 - aa_put_label(ctx->label); 764 - aa_put_label(ctx->peer); 765 - path_put(&ctx->path); 766 - kfree(ctx); 767 - } 768 - 769 - /** 770 - * apparmor_clone_security - clone the sk_security field 771 - */ 772 - static void apparmor_sk_clone_security(const struct sock *sk, 773 - struct sock *newsk) 774 - { 775 - struct aa_sk_ctx *ctx = SK_CTX(sk); 776 - struct aa_sk_ctx *new = SK_CTX(newsk); 777 - 778 - new->label = aa_get_label(ctx->label); 779 - new->peer = aa_get_label(ctx->peer); 780 - new->path = ctx->path; 781 - path_get(&new->path); 782 - } 783 - 784 - static int aa_sock_create_perm(struct aa_label *label, int family, int type, 785 - int protocol) 786 - { 787 - AA_BUG(!label); 788 - AA_BUG(in_interrupt()); 789 - 790 - return aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family, type, 791 - protocol); 792 - } 793 - 794 - 795 - /** 796 - * apparmor_socket_create - check perms before creating a new socket 797 - */ 798 - static int apparmor_socket_create(int family, int type, int protocol, int kern) 799 - { 800 - struct aa_label *label; 801 - int error = 0; 802 - 803 - label = 
begin_current_label_crit_section(); 804 - if (!(kern || unconfined(label))) 805 - error = aa_sock_create_perm(label, family, type, protocol); 806 - end_current_label_crit_section(label); 807 - 808 - return error; 809 - } 810 - 811 - /** 812 - * apparmor_socket_post_create - setup the per-socket security struct 813 - * 814 - * Note: 815 - * - kernel sockets currently labeled unconfined but we may want to 816 - * move to a special kernel label 817 - * - socket may not have sk here if created with sock_create_lite or 818 - * sock_alloc. These should be accept cases which will be handled in 819 - * sock_graft. 820 - */ 821 - static int apparmor_socket_post_create(struct socket *sock, int family, 822 - int type, int protocol, int kern) 823 - { 824 - struct aa_label *label; 825 - 826 - if (kern) { 827 - struct aa_ns *ns = aa_get_current_ns(); 828 - 829 - label = aa_get_label(ns_unconfined(ns)); 830 - aa_put_ns(ns); 831 - } else 832 - label = aa_get_current_label(); 833 - 834 - if (sock->sk) { 835 - struct aa_sk_ctx *ctx = SK_CTX(sock->sk); 836 - 837 - aa_put_label(ctx->label); 838 - ctx->label = aa_get_label(label); 839 - } 840 - aa_put_label(label); 841 - 842 - return 0; 843 - } 844 - 845 - /** 846 - * apparmor_socket_bind - check perms before bind addr to socket 847 - */ 848 - static int apparmor_socket_bind(struct socket *sock, 849 - struct sockaddr *address, int addrlen) 850 - { 851 - AA_BUG(!sock); 852 - AA_BUG(!sock->sk); 853 - AA_BUG(!address); 854 - AA_BUG(in_interrupt()); 855 - 856 - return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk); 857 - } 858 - 859 - /** 860 - * apparmor_socket_connect - check perms before connecting @sock to @address 861 - */ 862 - static int apparmor_socket_connect(struct socket *sock, 863 - struct sockaddr *address, int addrlen) 864 - { 865 - AA_BUG(!sock); 866 - AA_BUG(!sock->sk); 867 - AA_BUG(!address); 868 - AA_BUG(in_interrupt()); 869 - 870 - return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk); 871 - } 872 - 873 - /** 874 - * 
apparmor_socket_list - check perms before allowing listen 875 - */ 876 - static int apparmor_socket_listen(struct socket *sock, int backlog) 877 - { 878 - AA_BUG(!sock); 879 - AA_BUG(!sock->sk); 880 - AA_BUG(in_interrupt()); 881 - 882 - return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk); 883 - } 884 - 885 - /** 886 - * apparmor_socket_accept - check perms before accepting a new connection. 887 - * 888 - * Note: while @newsock is created and has some information, the accept 889 - * has not been done. 890 - */ 891 - static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) 892 - { 893 - AA_BUG(!sock); 894 - AA_BUG(!sock->sk); 895 - AA_BUG(!newsock); 896 - AA_BUG(in_interrupt()); 897 - 898 - return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk); 899 - } 900 - 901 - static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock, 902 - struct msghdr *msg, int size) 903 - { 904 - AA_BUG(!sock); 905 - AA_BUG(!sock->sk); 906 - AA_BUG(!msg); 907 - AA_BUG(in_interrupt()); 908 - 909 - return aa_sk_perm(op, request, sock->sk); 910 - } 911 - 912 - /** 913 - * apparmor_socket_sendmsg - check perms before sending msg to another socket 914 - */ 915 - static int apparmor_socket_sendmsg(struct socket *sock, 916 - struct msghdr *msg, int size) 917 - { 918 - return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size); 919 - } 920 - 921 - /** 922 - * apparmor_socket_recvmsg - check perms before receiving a message 923 - */ 924 - static int apparmor_socket_recvmsg(struct socket *sock, 925 - struct msghdr *msg, int size, int flags) 926 - { 927 - return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size); 928 - } 929 - 930 - /* revaliation, get/set attr, shutdown */ 931 - static int aa_sock_perm(const char *op, u32 request, struct socket *sock) 932 - { 933 - AA_BUG(!sock); 934 - AA_BUG(!sock->sk); 935 - AA_BUG(in_interrupt()); 936 - 937 - return aa_sk_perm(op, request, sock->sk); 938 - } 939 - 940 - /** 941 - * 
apparmor_socket_getsockname - check perms before getting the local address 942 - */ 943 - static int apparmor_socket_getsockname(struct socket *sock) 944 - { 945 - return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock); 946 - } 947 - 948 - /** 949 - * apparmor_socket_getpeername - check perms before getting remote address 950 - */ 951 - static int apparmor_socket_getpeername(struct socket *sock) 952 - { 953 - return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock); 954 - } 955 - 956 - /* revaliation, get/set attr, opt */ 957 - static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock, 958 - int level, int optname) 959 - { 960 - AA_BUG(!sock); 961 - AA_BUG(!sock->sk); 962 - AA_BUG(in_interrupt()); 963 - 964 - return aa_sk_perm(op, request, sock->sk); 965 - } 966 - 967 - /** 968 - * apparmor_getsockopt - check perms before getting socket options 969 - */ 970 - static int apparmor_socket_getsockopt(struct socket *sock, int level, 971 - int optname) 972 - { 973 - return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock, 974 - level, optname); 975 - } 976 - 977 - /** 978 - * apparmor_setsockopt - check perms before setting socket options 979 - */ 980 - static int apparmor_socket_setsockopt(struct socket *sock, int level, 981 - int optname) 982 - { 983 - return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock, 984 - level, optname); 985 - } 986 - 987 - /** 988 - * apparmor_socket_shutdown - check perms before shutting down @sock conn 989 - */ 990 - static int apparmor_socket_shutdown(struct socket *sock, int how) 991 - { 992 - return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock); 993 - } 994 - 995 - /** 996 - * apparmor_socket_sock_recv_skb - check perms before associating skb to sk 997 - * 998 - * Note: can not sleep may be called with locks held 999 - * 1000 - * dont want protocol specific in __skb_recv_datagram() 1001 - * to deny an incoming connection socket_sock_rcv_skb() 1002 - */ 1003 - static int apparmor_socket_sock_rcv_skb(struct 
sock *sk, struct sk_buff *skb) 1004 - { 1005 - return 0; 1006 - } 1007 - 1008 - 1009 - static struct aa_label *sk_peer_label(struct sock *sk) 1010 - { 1011 - struct aa_sk_ctx *ctx = SK_CTX(sk); 1012 - 1013 - if (ctx->peer) 1014 - return ctx->peer; 1015 - 1016 - return ERR_PTR(-ENOPROTOOPT); 1017 - } 1018 - 1019 - /** 1020 - * apparmor_socket_getpeersec_stream - get security context of peer 1021 - * 1022 - * Note: for tcp only valid if using ipsec or cipso on lan 1023 - */ 1024 - static int apparmor_socket_getpeersec_stream(struct socket *sock, 1025 - char __user *optval, 1026 - int __user *optlen, 1027 - unsigned int len) 1028 - { 1029 - char *name; 1030 - int slen, error = 0; 1031 - struct aa_label *label; 1032 - struct aa_label *peer; 1033 - 1034 - label = begin_current_label_crit_section(); 1035 - peer = sk_peer_label(sock->sk); 1036 - if (IS_ERR(peer)) { 1037 - error = PTR_ERR(peer); 1038 - goto done; 1039 - } 1040 - slen = aa_label_asxprint(&name, labels_ns(label), peer, 1041 - FLAG_SHOW_MODE | FLAG_VIEW_SUBNS | 1042 - FLAG_HIDDEN_UNCONFINED, GFP_KERNEL); 1043 - /* don't include terminating \0 in slen, it breaks some apps */ 1044 - if (slen < 0) { 1045 - error = -ENOMEM; 1046 - } else { 1047 - if (slen > len) { 1048 - error = -ERANGE; 1049 - } else if (copy_to_user(optval, name, slen)) { 1050 - error = -EFAULT; 1051 - goto out; 1052 - } 1053 - if (put_user(slen, optlen)) 1054 - error = -EFAULT; 1055 - out: 1056 - kfree(name); 1057 - 1058 - } 1059 - 1060 - done: 1061 - end_current_label_crit_section(label); 1062 - 1063 - return error; 1064 - } 1065 - 1066 - /** 1067 - * apparmor_socket_getpeersec_dgram - get security label of packet 1068 - * @sock: the peer socket 1069 - * @skb: packet data 1070 - * @secid: pointer to where to put the secid of the packet 1071 - * 1072 - * Sets the netlabel socket state on sk from parent 1073 - */ 1074 - static int apparmor_socket_getpeersec_dgram(struct socket *sock, 1075 - struct sk_buff *skb, u32 *secid) 1076 - 1077 - { 1078 
- /* TODO: requires secid support */ 1079 - return -ENOPROTOOPT; 1080 - } 1081 - 1082 - /** 1083 - * apparmor_sock_graft - Initialize newly created socket 1084 - * @sk: child sock 1085 - * @parent: parent socket 1086 - * 1087 - * Note: could set off of SOCK_CTX(parent) but need to track inode and we can 1088 - * just set sk security information off of current creating process label 1089 - * Labeling of sk for accept case - probably should be sock based 1090 - * instead of task, because of the case where an implicitly labeled 1091 - * socket is shared by different tasks. 1092 - */ 1093 - static void apparmor_sock_graft(struct sock *sk, struct socket *parent) 1094 - { 1095 - struct aa_sk_ctx *ctx = SK_CTX(sk); 1096 - 1097 - if (!ctx->label) 1098 - ctx->label = aa_get_current_label(); 1099 - } 1100 - 1101 740 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = { 1102 741 LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check), 1103 742 LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme), ··· 769 1132 770 1133 LSM_HOOK_INIT(getprocattr, apparmor_getprocattr), 771 1134 LSM_HOOK_INIT(setprocattr, apparmor_setprocattr), 772 - 773 - LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security), 774 - LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security), 775 - LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security), 776 - 777 - LSM_HOOK_INIT(socket_create, apparmor_socket_create), 778 - LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create), 779 - LSM_HOOK_INIT(socket_bind, apparmor_socket_bind), 780 - LSM_HOOK_INIT(socket_connect, apparmor_socket_connect), 781 - LSM_HOOK_INIT(socket_listen, apparmor_socket_listen), 782 - LSM_HOOK_INIT(socket_accept, apparmor_socket_accept), 783 - LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg), 784 - LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg), 785 - LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname), 786 - LSM_HOOK_INIT(socket_getpeername, 
apparmor_socket_getpeername), 787 - LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt), 788 - LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt), 789 - LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown), 790 - LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb), 791 - LSM_HOOK_INIT(socket_getpeersec_stream, 792 - apparmor_socket_getpeersec_stream), 793 - LSM_HOOK_INIT(socket_getpeersec_dgram, 794 - apparmor_socket_getpeersec_dgram), 795 - LSM_HOOK_INIT(sock_graft, apparmor_sock_graft), 796 1135 797 1136 LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank), 798 1137 LSM_HOOK_INIT(cred_free, apparmor_cred_free),
-184
security/apparmor/net.c
··· 1 - /* 2 - * AppArmor security module 3 - * 4 - * This file contains AppArmor network mediation 5 - * 6 - * Copyright (C) 1998-2008 Novell/SUSE 7 - * Copyright 2009-2017 Canonical Ltd. 8 - * 9 - * This program is free software; you can redistribute it and/or 10 - * modify it under the terms of the GNU General Public License as 11 - * published by the Free Software Foundation, version 2 of the 12 - * License. 13 - */ 14 - 15 - #include "include/apparmor.h" 16 - #include "include/audit.h" 17 - #include "include/context.h" 18 - #include "include/label.h" 19 - #include "include/net.h" 20 - #include "include/policy.h" 21 - 22 - #include "net_names.h" 23 - 24 - 25 - struct aa_sfs_entry aa_sfs_entry_network[] = { 26 - AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK), 27 - { } 28 - }; 29 - 30 - static const char * const net_mask_names[] = { 31 - "unknown", 32 - "send", 33 - "receive", 34 - "unknown", 35 - 36 - "create", 37 - "shutdown", 38 - "connect", 39 - "unknown", 40 - 41 - "setattr", 42 - "getattr", 43 - "setcred", 44 - "getcred", 45 - 46 - "chmod", 47 - "chown", 48 - "chgrp", 49 - "lock", 50 - 51 - "mmap", 52 - "mprot", 53 - "unknown", 54 - "unknown", 55 - 56 - "accept", 57 - "bind", 58 - "listen", 59 - "unknown", 60 - 61 - "setopt", 62 - "getopt", 63 - "unknown", 64 - "unknown", 65 - 66 - "unknown", 67 - "unknown", 68 - "unknown", 69 - "unknown", 70 - }; 71 - 72 - 73 - /* audit callback for net specific fields */ 74 - void audit_net_cb(struct audit_buffer *ab, void *va) 75 - { 76 - struct common_audit_data *sa = va; 77 - 78 - audit_log_format(ab, " family="); 79 - if (address_family_names[sa->u.net->family]) 80 - audit_log_string(ab, address_family_names[sa->u.net->family]); 81 - else 82 - audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family); 83 - audit_log_format(ab, " sock_type="); 84 - if (sock_type_names[aad(sa)->net.type]) 85 - audit_log_string(ab, sock_type_names[aad(sa)->net.type]); 86 - else 87 - audit_log_format(ab, "\"unknown(%d)\"", 
aad(sa)->net.type); 88 - audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol); 89 - 90 - if (aad(sa)->request & NET_PERMS_MASK) { 91 - audit_log_format(ab, " requested_mask="); 92 - aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0, 93 - net_mask_names, NET_PERMS_MASK); 94 - 95 - if (aad(sa)->denied & NET_PERMS_MASK) { 96 - audit_log_format(ab, " denied_mask="); 97 - aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0, 98 - net_mask_names, NET_PERMS_MASK); 99 - } 100 - } 101 - if (aad(sa)->peer) { 102 - audit_log_format(ab, " peer="); 103 - aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer, 104 - FLAGS_NONE, GFP_ATOMIC); 105 - } 106 - } 107 - 108 - 109 - /* Generic af perm */ 110 - int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa, 111 - u32 request, u16 family, int type) 112 - { 113 - struct aa_perms perms = { }; 114 - 115 - AA_BUG(family >= AF_MAX); 116 - AA_BUG(type < 0 || type >= SOCK_MAX); 117 - 118 - if (profile_unconfined(profile)) 119 - return 0; 120 - 121 - perms.allow = (profile->net.allow[family] & (1 << type)) ? 122 - ALL_PERMS_MASK : 0; 123 - perms.audit = (profile->net.audit[family] & (1 << type)) ? 124 - ALL_PERMS_MASK : 0; 125 - perms.quiet = (profile->net.quiet[family] & (1 << type)) ? 
126 - ALL_PERMS_MASK : 0; 127 - aa_apply_modes_to_perms(profile, &perms); 128 - 129 - return aa_check_perms(profile, &perms, request, sa, audit_net_cb); 130 - } 131 - 132 - int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family, 133 - int type, int protocol) 134 - { 135 - struct aa_profile *profile; 136 - DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol); 137 - 138 - return fn_for_each_confined(label, profile, 139 - aa_profile_af_perm(profile, &sa, request, family, 140 - type)); 141 - } 142 - 143 - static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request, 144 - struct sock *sk) 145 - { 146 - struct aa_profile *profile; 147 - DEFINE_AUDIT_SK(sa, op, sk); 148 - 149 - AA_BUG(!label); 150 - AA_BUG(!sk); 151 - 152 - if (unconfined(label)) 153 - return 0; 154 - 155 - return fn_for_each_confined(label, profile, 156 - aa_profile_af_sk_perm(profile, &sa, request, sk)); 157 - } 158 - 159 - int aa_sk_perm(const char *op, u32 request, struct sock *sk) 160 - { 161 - struct aa_label *label; 162 - int error; 163 - 164 - AA_BUG(!sk); 165 - AA_BUG(in_interrupt()); 166 - 167 - /* TODO: switch to begin_current_label ???? */ 168 - label = begin_current_label_crit_section(); 169 - error = aa_label_sk_perm(label, op, request, sk); 170 - end_current_label_crit_section(label); 171 - 172 - return error; 173 - } 174 - 175 - 176 - int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request, 177 - struct socket *sock) 178 - { 179 - AA_BUG(!label); 180 - AA_BUG(!sock); 181 - AA_BUG(!sock->sk); 182 - 183 - return aa_label_sk_perm(label, op, request, sock->sk); 184 - }
+1 -46
security/apparmor/policy_unpack.c
··· 275 275 return 0; 276 276 } 277 277 278 - static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name) 279 - { 280 - if (unpack_nameX(e, AA_U16, name)) { 281 - if (!inbounds(e, sizeof(u16))) 282 - return 0; 283 - if (data) 284 - *data = le16_to_cpu(get_unaligned((__le16 *) e->pos)); 285 - e->pos += sizeof(u16); 286 - return 1; 287 - } 288 - return 0; 289 - } 290 - 291 278 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) 292 279 { 293 280 if (unpack_nameX(e, AA_U32, name)) { ··· 584 597 struct aa_profile *profile = NULL; 585 598 const char *tmpname, *tmpns = NULL, *name = NULL; 586 599 const char *info = "failed to unpack profile"; 587 - size_t size = 0, ns_len; 600 + size_t ns_len; 588 601 struct rhashtable_params params = { 0 }; 589 602 char *key = NULL; 590 603 struct aa_data *data; ··· 715 728 if (!unpack_rlimits(e, profile)) { 716 729 info = "failed to unpack profile rlimits"; 717 730 goto fail; 718 - } 719 - 720 - size = unpack_array(e, "net_allowed_af"); 721 - if (size) { 722 - 723 - for (i = 0; i < size; i++) { 724 - /* discard extraneous rules that this kernel will 725 - * never request 726 - */ 727 - if (i >= AF_MAX) { 728 - u16 tmp; 729 - 730 - if (!unpack_u16(e, &tmp, NULL) || 731 - !unpack_u16(e, &tmp, NULL) || 732 - !unpack_u16(e, &tmp, NULL)) 733 - goto fail; 734 - continue; 735 - } 736 - if (!unpack_u16(e, &profile->net.allow[i], NULL)) 737 - goto fail; 738 - if (!unpack_u16(e, &profile->net.audit[i], NULL)) 739 - goto fail; 740 - if (!unpack_u16(e, &profile->net.quiet[i], NULL)) 741 - goto fail; 742 - } 743 - if (!unpack_nameX(e, AA_ARRAYEND, NULL)) 744 - goto fail; 745 - } 746 - if (VERSION_LT(e->version, v7)) { 747 - /* pre v7 policy always allowed these */ 748 - profile->net.allow[AF_UNIX] = 0xffff; 749 - profile->net.allow[AF_NETLINK] = 0xffff; 750 731 } 751 732 752 733 if (unpack_nameX(e, AA_STRUCT, "policydb")) {
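Review bot: With the `net_allowed_af` array consumer removed after the rlimits unpack, `unpack_profile` no longer has any path that reads or skips that array, so a blob produced by a userspace parser built against a 4.14-rc kernel that advertised the `network` feature directory would presumably stop at the `unpack_nameX(e, AA_STRUCT, "policydb")` check rather than load with its network rules ignored. That matches the pre-series unpacker, but a comment at that point, such as `/* net_allowed_af arrays are no longer consumed here; blobs that carry one are expected to fail the policydb check below */`, would spare the next reader a bisect. This is hedged, since whether the policydb check rejects such input cleanly is not visible in this hunk. `unpack_profile` starts and ends outside the hunk.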