519 lines
14 KiB
Plaintext
519 lines
14 KiB
Plaintext
From: John Johansen <john.johansen@canonical.com>
|
|
Date: Mon, 4 Oct 2010 15:03:36 -0700
|
|
Subject: AppArmor: compatibility patch for v5 network control
|
|
Patch-mainline: 2.6.37?
|
|
|
|
Add compatibility for v5 network rules.
|
|
|
|
Signed-off-by: John Johansen <john.johansen@canonical.com>
|
|
Acked-by: Jeff Mahoney <jeffm@suse.com>
|
|
---
|
|
include/linux/lsm_audit.h | 4
|
|
security/apparmor/Makefile | 6 +
|
|
security/apparmor/include/net.h | 40 ++++++++
|
|
security/apparmor/include/policy.h | 3
|
|
security/apparmor/lsm.c | 112 ++++++++++++++++++++++
|
|
security/apparmor/net.c | 170 ++++++++++++++++++++++++++++++++++
|
|
security/apparmor/policy.c | 1
|
|
security/apparmor/policy_unpack.c | 48 +++++++++
|
|
8 files changed, 381 insertions(+), 2 deletions(-)
|
|
create mode 100644 security/apparmor/include/net.h
|
|
create mode 100644 security/apparmor/net.c
|
|
|
|
--- a/include/linux/lsm_audit.h
|
|
+++ b/include/linux/lsm_audit.h
|
|
@@ -123,6 +123,10 @@ struct common_audit_data {
|
|
u32 denied;
|
|
uid_t ouid;
|
|
} fs;
|
|
+ struct {
|
|
+ int type, protocol;
|
|
+ struct sock *sk;
|
|
+ } net;
|
|
};
|
|
} apparmor_audit_data;
|
|
#endif
|
|
--- a/security/apparmor/Makefile
|
|
+++ b/security/apparmor/Makefile
|
|
@@ -4,17 +4,21 @@ obj-$(CONFIG_SECURITY_APPARMOR) += appar
|
|
|
|
apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
|
|
path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
|
|
- resource.o sid.o file.o
|
|
+ resource.o sid.o file.o net.o
|
|
|
|
clean-files: capability_names.h af_names.h
|
|
|
|
quiet_cmd_make-caps = GEN $@
|
|
cmd_make-caps = echo "static const char *capability_names[] = {" > $@ ; sed -n -e "/CAP_FS_MASK/d" -e "s/^\#define[ \\t]\\+CAP_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
|
|
|
|
+quiet_cmd_make-af = GEN $@
|
|
+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@
|
|
+
|
|
quiet_cmd_make-rlim = GEN $@
|
|
cmd_make-rlim = echo "static const char *rlim_names[] = {" > $@ ; sed -n --e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+RLIMIT_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ ; echo "static const int rlim_map[] = {" >> $@ ; sed -n -e "/AF_MAX/d" -e "s/^\# \\?define[ \\t]\\+\\(RLIMIT_[A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/\\1,/p" $< >> $@ ; echo "};" >> $@
|
|
|
|
$(obj)/capability.o : $(obj)/capability_names.h
|
|
+$(obj)/net.o : $(obj)/af_names.h
|
|
$(obj)/resource.o : $(obj)/rlim_names.h
|
|
$(obj)/capability_names.h : $(srctree)/include/linux/capability.h
|
|
$(call cmd,make-caps)
|
|
--- /dev/null
|
|
+++ b/security/apparmor/include/net.h
|
|
@@ -0,0 +1,40 @@
|
|
+/*
|
|
+ * AppArmor security module
|
|
+ *
|
|
+ * This file contains AppArmor network mediation definitions.
|
|
+ *
|
|
+ * Copyright (C) 1998-2008 Novell/SUSE
|
|
+ * Copyright 2009-2010 Canonical Ltd.
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License as
|
|
+ * published by the Free Software Foundation, version 2 of the
|
|
+ * License.
|
|
+ */
|
|
+
|
|
+#ifndef __AA_NET_H
|
|
+#define __AA_NET_H
|
|
+
|
|
+#include <net/sock.h>
|
|
+
|
|
+/* struct aa_net - network confinement data
|
|
+ * @allowed: basic network families permissions
|
|
+ * @audit_network: which network permissions to force audit
|
|
+ * @quiet_network: which network permissions to quiet rejects
|
|
+ */
|
|
+struct aa_net {
|
|
+ u16 allow[AF_MAX];
|
|
+ u16 audit[AF_MAX];
|
|
+ u16 quiet[AF_MAX];
|
|
+};
|
|
+
|
|
+extern int aa_net_perm(int op, struct aa_profile *profile, u16 family,
|
|
+ int type, int protocol, struct sock *sk);
|
|
+extern int aa_revalidate_sk(int op, struct sock *sk);
|
|
+
|
|
+static inline void aa_free_net_rules(struct aa_net *new)
|
|
+{
|
|
+ /* NOP */
|
|
+}
|
|
+
|
|
+#endif /* __AA_NET_H */
|
|
--- a/security/apparmor/include/policy.h
|
|
+++ b/security/apparmor/include/policy.h
|
|
@@ -27,6 +27,7 @@
|
|
#include "capability.h"
|
|
#include "domain.h"
|
|
#include "file.h"
|
|
+#include "net.h"
|
|
#include "resource.h"
|
|
|
|
extern const char *profile_mode_names[];
|
|
@@ -145,6 +146,7 @@ struct aa_namespace {
|
|
* @size: the memory consumed by this profiles rules
|
|
* @file: The set of rules governing basic file access and domain transitions
|
|
* @caps: capabilities for the profile
|
|
+ * @net: network controls for the profile
|
|
* @rlimits: rlimits for the profile
|
|
*
|
|
* The AppArmor profile contains the basic confinement data. Each profile
|
|
@@ -181,6 +183,7 @@ struct aa_profile {
|
|
|
|
struct aa_file_rules file;
|
|
struct aa_caps caps;
|
|
+ struct aa_net net;
|
|
struct aa_rlimit rlimits;
|
|
};
|
|
|
|
--- a/security/apparmor/lsm.c
|
|
+++ b/security/apparmor/lsm.c
|
|
@@ -31,6 +31,7 @@
|
|
#include "include/context.h"
|
|
#include "include/file.h"
|
|
#include "include/ipc.h"
|
|
+#include "include/net.h"
|
|
#include "include/path.h"
|
|
#include "include/policy.h"
|
|
#include "include/procattr.h"
|
|
@@ -619,6 +620,104 @@ static int apparmor_task_setrlimit(struc
|
|
return error;
|
|
}
|
|
|
|
+static int apparmor_socket_create(int family, int type, int protocol, int kern)
|
|
+{
|
|
+ struct aa_profile *profile;
|
|
+ int error = 0;
|
|
+
|
|
+ if (kern)
|
|
+ return 0;
|
|
+
|
|
+ profile = __aa_current_profile();
|
|
+ if (!unconfined(profile))
|
|
+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
|
|
+ NULL);
|
|
+ return error;
|
|
+}
|
|
+
|
|
+static int apparmor_socket_bind(struct socket *sock,
|
|
+ struct sockaddr *address, int addrlen)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_BIND, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_connect(struct socket *sock,
|
|
+ struct sockaddr *address, int addrlen)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_CONNECT, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_listen(struct socket *sock, int backlog)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_LISTEN, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_ACCEPT, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_sendmsg(struct socket *sock,
|
|
+ struct msghdr *msg, int size)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_SENDMSG, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_recvmsg(struct socket *sock,
|
|
+ struct msghdr *msg, int size, int flags)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_RECVMSG, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_getsockname(struct socket *sock)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_getpeername(struct socket *sock)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_GETPEERNAME, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_getsockopt(struct socket *sock, int level,
|
|
+ int optname)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_setsockopt(struct socket *sock, int level,
|
|
+ int optname)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
|
|
+}
|
|
+
|
|
+static int apparmor_socket_shutdown(struct socket *sock, int how)
|
|
+{
|
|
+ struct sock *sk = sock->sk;
|
|
+
|
|
+ return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk);
|
|
+}
|
|
+
|
|
static struct security_operations apparmor_ops = {
|
|
.name = "apparmor",
|
|
|
|
@@ -650,6 +749,19 @@ static struct security_operations apparm
|
|
.getprocattr = apparmor_getprocattr,
|
|
.setprocattr = apparmor_setprocattr,
|
|
|
|
+ .socket_create = apparmor_socket_create,
|
|
+ .socket_bind = apparmor_socket_bind,
|
|
+ .socket_connect = apparmor_socket_connect,
|
|
+ .socket_listen = apparmor_socket_listen,
|
|
+ .socket_accept = apparmor_socket_accept,
|
|
+ .socket_sendmsg = apparmor_socket_sendmsg,
|
|
+ .socket_recvmsg = apparmor_socket_recvmsg,
|
|
+ .socket_getsockname = apparmor_socket_getsockname,
|
|
+ .socket_getpeername = apparmor_socket_getpeername,
|
|
+ .socket_getsockopt = apparmor_socket_getsockopt,
|
|
+ .socket_setsockopt = apparmor_socket_setsockopt,
|
|
+ .socket_shutdown = apparmor_socket_shutdown,
|
|
+
|
|
.cred_alloc_blank = apparmor_cred_alloc_blank,
|
|
.cred_free = apparmor_cred_free,
|
|
.cred_prepare = apparmor_cred_prepare,
|
|
--- /dev/null
|
|
+++ b/security/apparmor/net.c
|
|
@@ -0,0 +1,170 @@
|
|
+/*
|
|
+ * AppArmor security module
|
|
+ *
|
|
+ * This file contains AppArmor network mediation
|
|
+ *
|
|
+ * Copyright (C) 1998-2008 Novell/SUSE
|
|
+ * Copyright 2009-2010 Canonical Ltd.
|
|
+ *
|
|
+ * This program is free software; you can redistribute it and/or
|
|
+ * modify it under the terms of the GNU General Public License as
|
|
+ * published by the Free Software Foundation, version 2 of the
|
|
+ * License.
|
|
+ */
|
|
+
|
|
+#include "include/apparmor.h"
|
|
+#include "include/audit.h"
|
|
+#include "include/context.h"
|
|
+#include "include/net.h"
|
|
+#include "include/policy.h"
|
|
+
|
|
+#include "af_names.h"
|
|
+
|
|
+static const char *sock_type_names[] = {
|
|
+ "unknown(0)",
|
|
+ "stream",
|
|
+ "dgram",
|
|
+ "raw",
|
|
+ "rdm",
|
|
+ "seqpacket",
|
|
+ "dccp",
|
|
+ "unknown(7)",
|
|
+ "unknown(8)",
|
|
+ "unknown(9)",
|
|
+ "packet",
|
|
+};
|
|
+
|
|
+/* audit callback for net specific fields */
|
|
+static void audit_cb(struct audit_buffer *ab, void *va)
|
|
+{
|
|
+ struct common_audit_data *sa = va;
|
|
+
|
|
+ audit_log_format(ab, " family=");
|
|
+ if (address_family_names[sa->u.net.family]) {
|
|
+ audit_log_string(ab, address_family_names[sa->u.net.family]);
|
|
+ } else {
|
|
+ audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family);
|
|
+ }
|
|
+
|
|
+ audit_log_format(ab, " sock_type=");
|
|
+ if (sock_type_names[sa->aad.net.type]) {
|
|
+ audit_log_string(ab, sock_type_names[sa->aad.net.type]);
|
|
+ } else {
|
|
+ audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type);
|
|
+ }
|
|
+
|
|
+ audit_log_format(ab, " protocol=%d", sa->aad.net.protocol);
|
|
+}
|
|
+
|
|
+/**
|
|
+ * audit_net - audit network access
|
|
+ * @profile: profile being enforced (NOT NULL)
|
|
+ * @op: operation being checked
|
|
+ * @family: network family
|
|
+ * @type: network type
|
|
+ * @protocol: network protocol
|
|
+ * @sk: socket auditing is being applied to
|
|
+ * @error: error code for failure else 0
|
|
+ *
|
|
+ * Returns: %0 or sa->error else other errorcode on failure
|
|
+ */
|
|
+static int audit_net(struct aa_profile *profile, int op, u16 family, int type,
|
|
+ int protocol, struct sock *sk, int error)
|
|
+{
|
|
+ int audit_type = AUDIT_APPARMOR_AUTO;
|
|
+ struct common_audit_data sa;
|
|
+ if (sk) {
|
|
+ COMMON_AUDIT_DATA_INIT(&sa, NET);
|
|
+ } else {
|
|
+ COMMON_AUDIT_DATA_INIT(&sa, NONE);
|
|
+ }
|
|
+ /* todo fill in socket addr info */
|
|
+
|
|
+ sa.aad.op = op,
|
|
+ sa.u.net.family = family;
|
|
+ sa.u.net.sk = sk;
|
|
+ sa.aad.net.type = type;
|
|
+ sa.aad.net.protocol = protocol;
|
|
+ sa.aad.error = error;
|
|
+
|
|
+ if (likely(!sa.aad.error)) {
|
|
+ u16 audit_mask = profile->net.audit[sa.u.net.family];
|
|
+ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
|
|
+ !(1 << sa.aad.net.type & audit_mask)))
|
|
+ return 0;
|
|
+ audit_type = AUDIT_APPARMOR_AUDIT;
|
|
+ } else {
|
|
+ u16 quiet_mask = profile->net.quiet[sa.u.net.family];
|
|
+ u16 kill_mask = 0;
|
|
+ u16 denied = (1 << sa.aad.net.type) & ~quiet_mask;
|
|
+
|
|
+ if (denied & kill_mask)
|
|
+ audit_type = AUDIT_APPARMOR_KILL;
|
|
+
|
|
+ if ((denied & quiet_mask) &&
|
|
+ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
|
|
+ AUDIT_MODE(profile) != AUDIT_ALL)
|
|
+ return COMPLAIN_MODE(profile) ? 0 : sa.aad.error;
|
|
+ }
|
|
+
|
|
+ return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb);
|
|
+}
|
|
+
|
|
+/**
|
|
+ * aa_net_perm - very course network access check
|
|
+ * @op: operation being checked
|
|
+ * @profile: profile being enforced (NOT NULL)
|
|
+ * @family: network family
|
|
+ * @type: network type
|
|
+ * @protocol: network protocol
|
|
+ *
|
|
+ * Returns: %0 else error if permission denied
|
|
+ */
|
|
+int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type,
|
|
+ int protocol, struct sock *sk)
|
|
+{
|
|
+ u16 family_mask;
|
|
+ int error;
|
|
+
|
|
+ if ((family < 0) || (family >= AF_MAX))
|
|
+ return -EINVAL;
|
|
+
|
|
+ if ((type < 0) || (type >= SOCK_MAX))
|
|
+ return -EINVAL;
|
|
+
|
|
+ /* unix domain and netlink sockets are handled by ipc */
|
|
+ if (family == AF_UNIX || family == AF_NETLINK)
|
|
+ return 0;
|
|
+
|
|
+ family_mask = profile->net.allow[family];
|
|
+
|
|
+ error = (family_mask & (1 << type)) ? 0 : -EACCES;
|
|
+
|
|
+ return audit_net(profile, op, family, type, protocol, sk, error);
|
|
+}
|
|
+
|
|
+/**
|
|
+ * aa_revalidate_sk - Revalidate access to a sock
|
|
+ * @op: operation being checked
|
|
+ * @sk: sock being revalidated (NOT NULL)
|
|
+ *
|
|
+ * Returns: %0 else error if permission denied
|
|
+ */
|
|
+int aa_revalidate_sk(int op, struct sock *sk)
|
|
+{
|
|
+ struct aa_profile *profile;
|
|
+ int error = 0;
|
|
+
|
|
+ /* aa_revalidate_sk should not be called from interrupt context
|
|
+ * don't mediate these calls as they are not task related
|
|
+ */
|
|
+ if (in_interrupt())
|
|
+ return 0;
|
|
+
|
|
+ profile = __aa_current_profile();
|
|
+ if (!unconfined(profile))
|
|
+ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
|
|
+ sk->sk_protocol, sk);
|
|
+
|
|
+ return error;
|
|
+}
|
|
--- a/security/apparmor/policy.c
|
|
+++ b/security/apparmor/policy.c
|
|
@@ -745,6 +745,7 @@ static void free_profile(struct aa_profi
|
|
|
|
aa_free_file_rules(&profile->file);
|
|
aa_free_cap_rules(&profile->caps);
|
|
+ aa_free_net_rules(&profile->net);
|
|
aa_free_rlimit_rules(&profile->rlimits);
|
|
|
|
aa_free_sid(profile->sid);
|
|
--- a/security/apparmor/policy_unpack.c
|
|
+++ b/security/apparmor/policy_unpack.c
|
|
@@ -190,6 +190,19 @@ fail:
|
|
return 0;
|
|
}
|
|
|
|
+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
|
|
+{
|
|
+ if (unpack_nameX(e, AA_U16, name)) {
|
|
+ if (!inbounds(e, sizeof(u16)))
|
|
+ return 0;
|
|
+ if (data)
|
|
+ *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
|
|
+ e->pos += sizeof(u16);
|
|
+ return 1;
|
|
+ }
|
|
+ return 0;
|
|
+}
|
|
+
|
|
static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
|
|
{
|
|
if (unpack_nameX(e, AA_U32, name)) {
|
|
@@ -468,7 +481,8 @@ static struct aa_profile *unpack_profile
|
|
{
|
|
struct aa_profile *profile = NULL;
|
|
const char *name = NULL;
|
|
- int error = -EPROTO;
|
|
+ size_t size = 0;
|
|
+ int i, error = -EPROTO;
|
|
kernel_cap_t tmpcap;
|
|
u32 tmp;
|
|
|
|
@@ -559,6 +573,38 @@ static struct aa_profile *unpack_profile
|
|
if (!unpack_rlimits(e, profile))
|
|
goto fail;
|
|
|
|
+ size = unpack_array(e, "net_allowed_af");
|
|
+ if (size) {
|
|
+
|
|
+ for (i = 0; i < size; i++) {
|
|
+ /* discard extraneous rules that this kernel will
|
|
+ * never request
|
|
+ */
|
|
+ if (i > AF_MAX) {
|
|
+ u16 tmp;
|
|
+ if (!unpack_u16(e, &tmp, NULL) ||
|
|
+ !unpack_u16(e, &tmp, NULL) ||
|
|
+ !unpack_u16(e, &tmp, NULL))
|
|
+ goto fail;
|
|
+ continue;
|
|
+ }
|
|
+ if (!unpack_u16(e, &profile->net.allow[i], NULL))
|
|
+ goto fail;
|
|
+ if (!unpack_u16(e, &profile->net.audit[i], NULL))
|
|
+ goto fail;
|
|
+ if (!unpack_u16(e, &profile->net.quiet[i], NULL))
|
|
+ goto fail;
|
|
+ }
|
|
+ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
|
|
+ goto fail;
|
|
+ /*
|
|
+ * allow unix domain and netlink sockets they are handled
|
|
+ * by IPC
|
|
+ */
|
|
+ }
|
|
+ profile->net.allow[AF_UNIX] = 0xffff;
|
|
+ profile->net.allow[AF_NETLINK] = 0xffff;
|
|
+
|
|
/* get file rules */
|
|
profile->file.dfa = unpack_dfa(e);
|
|
if (IS_ERR(profile->file.dfa)) {
|