net.h source code [linux/security/apparmor/include/net.h]

1	/ SPDX-License-Identifier: GPL-2.0-only /
2	/*
3	* AppArmor security module
4	*
5	* This file contains AppArmor network mediation definitions.
6	*
7	* Copyright (C) 1998-2008 Novell/SUSE
8	* Copyright 2009-2017 Canonical Ltd.
9	*/
10
11	#ifndef __AA_NET_H
12	#define __AA_NET_H
13
14	#include <net/sock.h>
15	#include <linux/path.h>
16
17	#include "apparmorfs.h"
18	#include "label.h"
19	#include "perms.h"
20	#include "policy.h"
21
22	#define AA_MAY_SEND AA_MAY_WRITE
23	#define AA_MAY_RECEIVE AA_MAY_READ
24
25	#define AA_MAY_SHUTDOWN AA_MAY_DELETE
26
27	#define AA_MAY_CONNECT AA_MAY_OPEN
28	#define AA_MAY_ACCEPT 0x00100000
29
30	#define AA_MAY_BIND 0x00200000
31	#define AA_MAY_LISTEN 0x00400000
32
33	#define AA_MAY_SETOPT 0x01000000
34	#define AA_MAY_GETOPT 0x02000000
35
36	#define NET_PERMS_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
37	AA_MAY_SHUTDOWN \| AA_MAY_BIND \| AA_MAY_LISTEN \| \
38	AA_MAY_CONNECT \| AA_MAY_ACCEPT \| AA_MAY_SETATTR \| \
39	AA_MAY_GETATTR \| AA_MAY_SETOPT \| AA_MAY_GETOPT)
40
41	#define NET_FS_PERMS (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CREATE \| \
42	AA_MAY_SHUTDOWN \| AA_MAY_CONNECT \| AA_MAY_RENAME \|\
43	AA_MAY_SETATTR \| AA_MAY_GETATTR \| AA_MAY_CHMOD \| \
44	AA_MAY_CHOWN \| AA_MAY_CHGRP \| AA_MAY_LOCK \| \
45	AA_MAY_MPROT)
46
47	#define NET_PEER_MASK (AA_MAY_SEND \| AA_MAY_RECEIVE \| AA_MAY_CONNECT \| \
48	AA_MAY_ACCEPT)
49	struct aa_sk_ctx {
50	struct aa_label *label;
51	struct aa_label *peer;
52	};
53
54	#define SK_CTX(X) ((X)->sk_security)
55	static inline struct aa_sk_ctx aa_sock(const* struct sock *sk)
56	{
57	return sk->sk_security;
58	}
59
60	#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
61	struct lsm_network_audit NAME ## _net = { .sk = (SK), \
62	.family = (F)}; \
63	DEFINE_AUDIT_DATA(NAME, \
64	((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
65	LSM_AUDIT_DATA_NONE, \
66	AA_CLASS_NET, \
67	OP); \
68	NAME.common.u.net = &(NAME ## _net); \
69	NAME.net.type = (T); \
70	NAME.net.protocol = (P)
71
72	#define DEFINE_AUDIT_SK(NAME, OP, SK) \
73	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
74	(SK)->sk_protocol)
75
76
77	#define af_select(FAMILY, FN, DEF_FN) \
78	({ \
79	int __e; \
80	switch ((FAMILY)) { \
81	default: \
82	__e = DEF_FN; \
83	} \
84	__e; \
85	})
86
87	struct aa_secmark {
88	u8 audit;
89	u8 deny;
90	u32 secid;
91	char *label;
92	};
93
94	extern struct aa_sfs_entry aa_sfs_entry_network[];
95
96	void audit_net_cb(struct audit_buffer ab, void* *va);
97	int aa_profile_af_perm(struct aa_profile *profile,
98	struct apparmor_audit_data *ad,
99	u32 request, u16 family, int type);
100	int aa_af_perm(const struct cred subj_cred, struct* aa_label *label,
101	const char *op, u32 request, u16 family,
102	int type, int protocol);
103	static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
104	struct apparmor_audit_data *ad,
105	u32 request,
106	struct sock *sk)
107	{
108	return aa_profile_af_perm(profile, ad, request, family: sk->sk_family,
109	type: sk->sk_type);
110	}
111	int aa_sk_perm(const char op, u32 request, struct* sock *sk);
112
113	int aa_sock_file_perm(const struct cred subj_cred, struct* aa_label *label,
114	const char *op, u32 request,
115	struct socket *sock);
116
117	int apparmor_secmark_check(struct aa_label label, char* *op, u32 request,
118	u32 secid, const struct sock *sk);
119
120	#endif /* __AA_NET_H */
121

source code of linux/security/apparmor/include/net.h