/* SPDX-License-Identifier: GPL-2.0-only */
/*
 * AppArmor security module
 *
 * This file contains AppArmor network mediation definitions.
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 */
10 | |
11 | #ifndef __AA_NET_H |
12 | #define __AA_NET_H |
13 | |
14 | #include <net/sock.h> |
15 | #include <linux/path.h> |
16 | |
17 | #include "apparmorfs.h" |
18 | #include "label.h" |
19 | #include "perms.h" |
20 | #include "policy.h" |
21 | |
/*
 * Network permission bits.
 *
 * Send/receive, shutdown and connect reuse the generic file permission
 * bits (write/read/delete/open); accept, bind, listen and the socket
 * option operations get bits of their own.
 */
#define AA_MAY_SEND		AA_MAY_WRITE
#define AA_MAY_RECEIVE		AA_MAY_READ

#define AA_MAY_SHUTDOWN		AA_MAY_DELETE

#define AA_MAY_CONNECT		AA_MAY_OPEN
#define AA_MAY_ACCEPT		0x00100000

#define AA_MAY_BIND		0x00200000
#define AA_MAY_LISTEN		0x00400000

#define AA_MAY_SETOPT		0x01000000
#define AA_MAY_GETOPT		0x02000000

/* Every permission bit that a socket operation can request. */
#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
			AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN | \
			AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
			AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)

/*
 * Socket permissions combined with file-style bits (rename, chmod, chown,
 * chgrp, lock, mprot).  NOTE(review): presumably the mask used when a
 * socket is reached through a filesystem object (see aa_sock_file_perm());
 * confirm against the callers.
 */
#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE | \
		      AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME | \
		      AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD | \
		      AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK | \
		      AA_MAY_MPROT)

/*
 * The subset of permissions that (by name) are checked against a peer
 * label rather than only the socket itself; confirm at the use sites.
 */
#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
		       AA_MAY_ACCEPT)
/**
 * struct aa_sk_ctx - AppArmor security blob attached to a socket
 * @label: label the socket is confined under (presumably the label of the
 *         creating task — confirm where the blob is initialised)
 * @peer: label recorded for the socket's peer (set where the connection
 *        is established — confirm at the setters)
 *
 * Stored in sock->sk_security and reached via SK_CTX() / aa_sock().
 */
struct aa_sk_ctx {
	struct aa_label *label;
	struct aa_label *peer;
};
53 | |
/* Raw accessor for the AppArmor security blob hanging off a socket. */
#define SK_CTX(X) ((X)->sk_security)

/**
 * aa_sock - typed view of a socket's AppArmor security blob
 * @sk: socket to inspect
 *
 * No NULL check is performed on the blob, so callers are expected to pass
 * only sockets whose security blob has been set up (assumption — confirm
 * at the callers).
 *
 * Returns: the &struct aa_sk_ctx stored in @sk->sk_security
 */
static inline struct aa_sk_ctx *aa_sock(const struct sock *sk)
{
	struct aa_sk_ctx *ctx = SK_CTX(sk);

	return ctx;
}
59 | |
/*
 * DEFINE_AUDIT_NET - declare audit data for a network operation
 * @NAME: base name of the audit data variable (NAME_net is declared too)
 * @OP:   operation recorded in the audit data
 * @SK:   socket being mediated; may be NULL
 * @F:    address family
 * @T:    socket type
 * @P:    protocol
 *
 * Declares a struct lsm_network_audit NAME_net holding @SK and @F and links
 * it into NAME.common.u.net.  The audit data is typed LSM_AUDIT_DATA_NET
 * only when a socket is present and the family is not AF_UNIX; otherwise
 * it is LSM_AUDIT_DATA_NONE.  @SK and @F are each expanded more than once,
 * so pass side-effect-free arguments.
 */
#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)				  \
	struct lsm_network_audit NAME ## _net = { .sk = (SK),		  \
						  .family = (F)};	  \
	DEFINE_AUDIT_DATA(NAME,						  \
			  ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
						     LSM_AUDIT_DATA_NONE, \
			  AA_CLASS_NET,					  \
			  OP);						  \
	NAME.common.u.net = &(NAME ## _net);				  \
	NAME.net.type = (T);						  \
	NAME.net.protocol = (P)

/*
 * DEFINE_AUDIT_SK - DEFINE_AUDIT_NET with family, type and protocol taken
 * from the socket itself.  @SK is dereferenced, so it must not be NULL.
 */
#define DEFINE_AUDIT_SK(NAME, OP, SK)					\
	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,  \
			 (SK)->sk_protocol)
75 | |
76 | |
/*
 * af_select - dispatch on an address family
 * @FAMILY: address family to switch on
 * @FN:     per-family expression; currently unreferenced, since this
 *          definition has no family-specific case and always falls into
 *          the default branch
 * @DEF_FN: expression evaluated in the default case
 *
 * A GNU statement expression ({ }) evaluating to an int.
 */
#define af_select(FAMILY, FN, DEF_FN) \
({ \
	int __e; \
	switch ((FAMILY)) { \
	default: \
		__e = DEF_FN; \
	} \
	__e; \
})
86 | |
/**
 * struct aa_secmark - secmark rule (matched by secid, see apparmor_secmark_check())
 * @audit: audit flag for the rule (by name; confirm semantics in net.c)
 * @deny: deny flag for the rule (by name; confirm semantics in net.c)
 * @secid: secid the rule applies to
 * @label: label name the rule refers to; ownership of the string is not
 *         visible here — presumably freed with the profile, confirm
 */
struct aa_secmark {
	u8 audit;
	u8 deny;
	u32 secid;
	char *label;
};
93 | |
/* securityfs entries advertising network mediation features. */
extern struct aa_sfs_entry aa_sfs_entry_network[];

/*
 * Audit-message callback for network audit data; @va is the audit data
 * set up by DEFINE_AUDIT_NET() (defined in net.c — assumption).
 */
void audit_net_cb(struct audit_buffer *ab, void *va);

/*
 * Check @request against @profile's network rules for (@family, @type),
 * recording audit information in @ad.  Presumably returns 0 on success or
 * a negative errno, as the other aa_*_perm() helpers do — confirm in net.c.
 */
int aa_profile_af_perm(struct aa_profile *profile,
		       struct apparmor_audit_data *ad,
		       u32 request, u16 family, int type);

/*
 * Label-level form: check @request for @label (subject credentials
 * @subj_cred) over (@family, @type, @protocol), audited under @op.
 */
int aa_af_perm(const struct cred *subj_cred, struct aa_label *label,
	       const char *op, u32 request, u16 family,
	       int type, int protocol);
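/**
 * aa_profile_af_sk_perm - profile-level address-family check for a socket
 * @profile: profile being checked
 * @ad: audit data for the operation
 * @request: requested permission mask (AA_MAY_* bits)
 * @sk: socket whose family and type select the rule
 *
 * Thin wrapper over aa_profile_af_perm() that takes family and type from
 * @sk.  @sk is dereferenced unconditionally, so it must not be NULL.
 *
 * Returns: the result of aa_profile_af_perm()
 */
static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
					struct apparmor_audit_data *ad,
					u32 request,
					struct sock *sk)
{
	/*
	 * Positional arguments only: the "family:"/"type:" prefixes that
	 * appeared here were parameter-name hints leaked from a source
	 * viewer, not C, and did not compile.
	 */
	return aa_profile_af_perm(profile, ad, request, sk->sk_family,
				  sk->sk_type);
}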
/*
 * Socket-level check: family and type come from @sk.  No cred or label
 * parameter is taken, so presumably the current task's confinement is
 * checked — confirm in net.c.
 */
int aa_sk_perm(const char *op, u32 request, struct sock *sk);

/*
 * Permission check for a socket reached as a file object (see
 * NET_FS_PERMS for the bits involved — assumption, confirm in net.c).
 */
int aa_sock_file_perm(const struct cred *subj_cred, struct aa_label *label,
		      const char *op, u32 request,
		      struct socket *sock);

/*
 * Check @request for @label against the packet secmark @secid on @sk
 * (rules are described by struct aa_secmark).  Note @op is a plain
 * char * here, unlike the const char * used by the other *_perm()
 * prototypes in this header.
 */
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
			   u32 secid, const struct sock *sk);
119 | |
120 | #endif /* __AA_NET_H */ |
121 | |