-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/06/2012 06:03 PM, John Johansen wrote: > On 04/06/2012 02:30 PM, Jeff Mahoney wrote: >> Hi all - >> > Hey Jeff > >> Here's a patch to implement network rule debugging for >> apparmor_parser. >> > thanks, > >> I have already integrated our AppArmor network extensions with >> 3.4-rc1 and can post those if there is interest in including them >> upstream. We've been dragging around the network rule code for a >> while already. >> > oh please do, there are network extension/improvement patches that > are a work in progress, if things work out we should have much > better networking support in the 3.0 release. > > Out of curiosity what patches did you use for 3.4? I have been > meaning to send you the revisions to the compatibility patches for > 3.4.
I'm using the attached. They're a rework of the ones we were carrying for 12.1 and earlier to use the new file infrastructure. > >> Please CC me on replies as I'm not on the list. >> >> -Jeff >> >> --- >> >> While integrating 3.4-rc1, I ran into a problem where network >> rules weren't being processed. It ultimately boiled down to a >> kernel issue but I found it useful to see what the parser thought >> it was working with. Since the parser already has a debugging >> mode that will show things like capabilities, it was an obvious >> extension to add network rules. >> >> Signed-off-by: Jeff Mahoney <[email protected]> > > There are a couple of compile warnings that I will fix but other > than that it looks good to me Oops. Sorry about that. I did some last minute cleanups that removed those two variables, and I suppose count should be unsigned. - -Jeff > Acked-by: John Johansen <[email protected]> > >> --- parser/parser_misc.c | 104 >> ++++++++++++++++++++++++++++++++++++++++++++++++++- 1 file >> changed, 103 insertions(+), 1 deletion(-) >> >> --- a/parser/parser_misc.c +++ b/parser/parser_misc.c @@ -178,7 >> +178,13 @@ struct network_tuple { >> >> /* used by af_name.h to auto generate table entries for "name", >> AF_NAME * pair */ -#define AA_GEN_NET_ENT(name, AF) {name, AF, >> "stream", SOCK_STREAM, "", 0xffffff}, {name, AF, "dgram", >> SOCK_DGRAM, "", 0xffffff}, {name, AF, "seqpacket", >> SOCK_SEQPACKET, "", 0xffffff}, {name, AF, "rdm", SOCK_RDM, "", >> 0xffffff}, {name, AF, "raw", SOCK_RAW, "", 0xffffff}, {name, AF, >> "packet", SOCK_PACKET, "", 0xffffff}, +#define >> AA_GEN_NET_ENT(name, AF) \ + {name, AF, "stream", SOCK_STREAM, >> "", 0xffffff}, \ + {name, AF, "dgram", SOCK_DGRAM, "", >> 0xffffff}, \ + {name, AF, "seqpacket", SOCK_SEQPACKET, "", >> 0xffffff}, \ + {name, AF, "rdm", SOCK_RDM, "", >> 0xffffff}, \ + {name, AF, "raw", SOCK_RAW, "", >> 0xffffff}, \ + {name, AF, "packet", SOCK_PACKET, "", >> 0xffffff}, /*FIXME: missing {name, AF, "dccp", SOCK_DCCP, "", >> 0xfffffff}, */ >> >> static struct network_tuple network_mappings[] = { @@ -908,6 >> +914,100 @@ void debug_capabilities(struct codomain >> __debug_capabilities(cod->set_caps, "Set Capabilities"); } >> >> +const char *sock_types[] = { + [0] = "none", + [SOCK_STREAM] = >> "stream", + [SOCK_DGRAM] = "dgram", + [SOCK_RAW] = "raw", + >> [SOCK_RDM] = "rdm", + [SOCK_SEQPACKET] = "seqpacket", + >> [SOCK_PACKET] = "packet", + /* + * See comment above + >> [SOCK_DCCP] = "dccp", + */ +}; +#define ALL_TYPES 0x43e + +#undef >> AA_GEN_NET_ENT +#define AA_GEN_NET_ENT(name, AF) [AF] = name, + >> +static const char *network_families[] = { +#include >> "af_names.h" +}; + +void __debug_network(unsigned int *array, >> const char *name) +{ + int count = >> sizeof(sock_types)/sizeof(sock_types[0]); + unsigned int mask = >> ~((1 << count) -1); + unsigned int i, j; + int none = 1; + size_t >> af_max = get_af_max(); + + for (i = AF_UNSPEC; i < af_max; i++) + >> if (array[i]) { + none = 0; + break; >> + } + + if (none) + >> return; + + printf("%s: ", name); + + /* This can only be set by >> an unqualified network rule */ + if (array[AF_UNSPEC]) { + >> printf("<all>\n"); + return; + } + + for (i = 0; i < af_max; >> i++) { + if (array[i]) { + const char *fam >> = >> network_families[i]; + int brackets = 0; + >> if (fam) + >> printf("%s ", fam); + else + >> printf("#%u ", i); + + /* All >> types/protocols */ + if (array[i] == 0xffffffff || array[i] >> == >> ALL_TYPES) + continue; + + >> printf("{ "); + + for (j = 0; j >> < count; j++) { + const char *type; + >> if (array[i] & (1 << >> j)) { + type = sock_types[j]; + >> if (type) + >> printf("%s ", type); + else + >> printf("#%u ", j); + >> } >> + } + if (array[i] & mask) + >> printf("#%x ", array[i] & >> mask); + + printf("} "); + } + } + >> printf("\n"); +} + +void >> debug_network(struct codomain *cod) +{ + if >> (cod->network_allowed) + __debug_network(cod->network_allowed, >> "Network"); + if (cod->audit_network) + >> __debug_network(cod->audit_network, "Audit Net"); + if >> (cod->deny_network) + __debug_network(cod->deny_network, "Deny >> Net"); + if (cod->quiet_network) + >> __debug_network(cod->quiet_network, "Quiet Net"); + +} + void >> debug_cod_list(struct codomain *cod) { if (cod->namespace) @@ >> -925,6 +1025,8 @@ void debug_cod_list(struct codomain *cod >> debug_capabilities(cod); >> >> + debug_network(cod); + if (cod->entries) >> debug_cod_entries(cod->entries); >> > > - -- Jeff Mahoney SUSE Labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.18 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPf2vBAAoJEB57S2MheeWydnIP/08C9dRwklkI/Z0EvFYMCwB3 yiN1A45h1bEuyOGDeonekyCmVD03XlagBSiRLFptM3qLDYeI7l3HarckhaI4nU81 +PXZkmnDyBq3hhaxGCZuD+Ajkq3OpP8YfDF0oH3/cZzK8RRyNXD9E/vaDverj3Y3 iWhH7BNzPAUEc8OaBhkJ2cPMFhPEfHfUnvwHO6w/e/d5rYcWJaUBJmb0CaWhAKW4 9YQN5rI+V7NMf5EFeZoPVMl7/PaKLdW2IK4Nw3BvthNSirRjpFQLRhaaKLqQW5Nb Cg/qDYbZgNMDVly9z0yWawyHb4VEbLqeWqNbd2V2BS4R6rncti/F9kcL4tIYqi0P R7Dw7t4923QD6/RQ4RC00F7iKQvsKNwZc5Y8JAYitnTLZQa8eSmTMv3w4G7hilPa U0HW9msPhC410IYzxf5ZxiXznnWnbVVJ5G9bkzVslLk5GrGxGLb8s/nFiV/eOdFB 4kBBo3DJQLq1nYFuk3WQfMQs8y2dz/y7TW/ph5LjtON1N5MM2Yd1cGACw2al7fhE PUkApZU00mtcIasbdXcZ2PIu5/7PfsFXe8XkWifcw46LWNuO5jQ52Z+AHImAZkEY RtlYtYmljqS5W80BwnCfw2IF9wEkYnn5WU89glCCFF9+JJfG7GAFdMfsyK2Ifbac WWolrtGLdaXdQ1QVSS8N =RwLl -----END PGP SIGNATURE-----
From: John Johansen <[email protected]> Date: Mon, 4 Oct 2010 15:03:36 -0700 Subject: AppArmor: compatibility patch for v5 network control Patch-mainline: Uncertain Add compatibility for v5 network rules. Signed-off-by: John Johansen <[email protected]> Acked-by: Jeff Mahoney <[email protected]> --- include/linux/lsm_audit.h | 4 security/apparmor/Makefile | 10 +- security/apparmor/apparmorfs.c | 3 security/apparmor/include/net.h | 40 ++++++++ security/apparmor/include/policy.h | 3 security/apparmor/lsm.c | 112 ++++++++++++++++++++++++ security/apparmor/net.c | 170 +++++++++++++++++++++++++++++++++++++ security/apparmor/policy.c | 1 security/apparmor/policy_unpack.c | 46 ++++++++++ 9 files changed, 387 insertions(+), 2 deletions(-) create mode 100644 security/apparmor/include/net.h create mode 100644 security/apparmor/net.c --- a/include/linux/lsm_audit.h +++ b/include/linux/lsm_audit.h @@ -123,6 +123,10 @@ struct common_audit_data { u32 denied; uid_t ouid; } fs; + struct { + int type, protocol; + struct sock *sk; + } net; }; } apparmor_audit_data; #endif --- a/security/apparmor/Makefile +++ b/security/apparmor/Makefile @@ -4,9 +4,9 @@ obj-$(CONFIG_SECURITY_APPARMOR) += appar apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \ - resource.o sid.o file.o + resource.o sid.o file.o net.o -clean-files := capability_names.h rlim_names.h +clean-files := capability_names.h rlim_names.h af_names.h # Build a lower case string table of capability names @@ -20,6 +20,9 @@ cmd_make-caps = echo "static const char -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/[\2] = "\L\1",/p';\ echo "};" >> $@ +quiet_cmd_make-af = GEN $@ +cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ; sed -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "s/^\#define[ \\t]\\+AF_\\([A-Z0-9_]\\+\\)[ \\t]\\+\\([0-9]\\+\\)\\(.*\\)\$$/[\\2] = \"\\1\",/p" $< | tr A-Z a-z >> $@ ; echo "};" >> $@ + # Build a lower case string table of rlimit names. # Transforms lines from @@ -56,6 +59,7 @@ cmd_make-rlim = echo "static const char tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@ $(obj)/capability.o : $(obj)/capability_names.h +$(obj)/net.o : $(obj)/af_names.h $(obj)/resource.o : $(obj)/rlim_names.h $(obj)/capability_names.h : $(srctree)/include/linux/capability.h \ $(src)/Makefile @@ -63,3 +67,5 @@ $(obj)/capability_names.h : $(srctree)/i $(obj)/rlim_names.h : $(srctree)/include/asm-generic/resource.h \ $(src)/Makefile $(call cmd,make-rlim) +$(obj)/af_names.h : $(srctree)/include/linux/socket.h + $(call cmd,make-af) --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -203,6 +203,7 @@ static struct aa_fs_entry aa_fs_entry_fe AA_FS_DIR("file", aa_fs_entry_file), AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK), AA_FS_DIR("rlimit", aa_fs_entry_rlimit), + AA_FS_FILE_BOOLEAN("network", 1), { } }; @@ -211,6 +212,8 @@ static struct aa_fs_entry aa_fs_entry_ap AA_FS_FILE_FOPS(".replace", 0640, &aa_fs_profile_replace), AA_FS_FILE_FOPS(".remove", 0640, &aa_fs_profile_remove), AA_FS_DIR("features", aa_fs_entry_features), + AA_FS_FILE_STRING("matching", "pattern=aadfa audit perms=crwxamlk/ " + "user::other"), { } }; --- /dev/null +++ b/security/apparmor/include/net.h @@ -0,0 +1,40 @@ +/* + * AppArmor security module + * + * This file contains AppArmor network mediation definitions. + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#ifndef __AA_NET_H +#define __AA_NET_H + +#include <net/sock.h> + +/* struct aa_net - network confinement data + * @allowed: basic network families permissions + * @audit_network: which network permissions to force audit + * @quiet_network: which network permissions to quiet rejects + */ +struct aa_net { + u16 allow[AF_MAX]; + u16 audit[AF_MAX]; + u16 quiet[AF_MAX]; +}; + +extern int aa_net_perm(int op, struct aa_profile *profile, u16 family, + int type, int protocol, struct sock *sk); +extern int aa_revalidate_sk(int op, struct sock *sk); + +static inline void aa_free_net_rules(struct aa_net *new) +{ + /* NOP */ +} + +#endif /* __AA_NET_H */ --- a/security/apparmor/include/policy.h +++ b/security/apparmor/include/policy.h @@ -27,6 +27,7 @@ #include "capability.h" #include "domain.h" #include "file.h" +#include "net.h" #include "resource.h" extern const char *const profile_mode_names[]; @@ -157,6 +158,7 @@ struct aa_policydb { * @policy: general match rules governing policy * @file: The set of rules governing basic file access and domain transitions * @caps: capabilities for the profile + * @net: network controls for the profile * @rlimits: rlimits for the profile * * The AppArmor profile contains the basic confinement data. Each profile @@ -194,6 +196,7 @@ struct aa_profile { struct aa_policydb policy; struct aa_file_rules file; struct aa_caps caps; + struct aa_net net; struct aa_rlimit rlimits; }; --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -32,6 +32,7 @@ #include "include/context.h" #include "include/file.h" #include "include/ipc.h" +#include "include/net.h" #include "include/path.h" #include "include/policy.h" #include "include/procattr.h" @@ -620,6 +621,104 @@ static int apparmor_task_setrlimit(struc return error; } +static int apparmor_socket_create(int family, int type, int protocol, int kern) +{ + struct aa_profile *profile; + int error = 0; + + if (kern) + return 0; + + profile = __aa_current_profile(); + if (!unconfined(profile)) + error = aa_net_perm(OP_CREATE, profile, family, type, protocol, + NULL); + return error; +} + +static int apparmor_socket_bind(struct socket *sock, + struct sockaddr *address, int addrlen) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_BIND, sk); +} + +static int apparmor_socket_connect(struct socket *sock, + struct sockaddr *address, int addrlen) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_CONNECT, sk); +} + +static int apparmor_socket_listen(struct socket *sock, int backlog) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_LISTEN, sk); +} + +static int apparmor_socket_accept(struct socket *sock, struct socket *newsock) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_ACCEPT, sk); +} + +static int apparmor_socket_sendmsg(struct socket *sock, + struct msghdr *msg, int size) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_SENDMSG, sk); +} + +static int apparmor_socket_recvmsg(struct socket *sock, + struct msghdr *msg, int size, int flags) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_RECVMSG, sk); +} + +static int apparmor_socket_getsockname(struct socket *sock) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_GETSOCKNAME, sk); +} + +static int apparmor_socket_getpeername(struct socket *sock) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_GETPEERNAME, sk); +} + +static int apparmor_socket_getsockopt(struct socket *sock, int level, + int optname) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_GETSOCKOPT, sk); +} + +static int apparmor_socket_setsockopt(struct socket *sock, int level, + int optname) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_SETSOCKOPT, sk); +} + +static int apparmor_socket_shutdown(struct socket *sock, int how) +{ + struct sock *sk = sock->sk; + + return aa_revalidate_sk(OP_SOCK_SHUTDOWN, sk); +} + static struct security_operations apparmor_ops = { .name = "apparmor", @@ -651,6 +750,19 @@ static struct security_operations apparm .getprocattr = apparmor_getprocattr, .setprocattr = apparmor_setprocattr, + .socket_create = apparmor_socket_create, + .socket_bind = apparmor_socket_bind, + .socket_connect = apparmor_socket_connect, + .socket_listen = apparmor_socket_listen, + .socket_accept = apparmor_socket_accept, + .socket_sendmsg = apparmor_socket_sendmsg, + .socket_recvmsg = apparmor_socket_recvmsg, + .socket_getsockname = apparmor_socket_getsockname, + .socket_getpeername = apparmor_socket_getpeername, + .socket_getsockopt = apparmor_socket_getsockopt, + .socket_setsockopt = apparmor_socket_setsockopt, + .socket_shutdown = apparmor_socket_shutdown, + .cred_alloc_blank = apparmor_cred_alloc_blank, .cred_free = apparmor_cred_free, .cred_prepare = apparmor_cred_prepare, --- /dev/null +++ b/security/apparmor/net.c @@ -0,0 +1,170 @@ +/* + * AppArmor security module + * + * This file contains AppArmor network mediation + * + * Copyright (C) 1998-2008 Novell/SUSE + * Copyright 2009-2010 Canonical Ltd. + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License as + * published by the Free Software Foundation, version 2 of the + * License. + */ + +#include "include/apparmor.h" +#include "include/audit.h" +#include "include/context.h" +#include "include/net.h" +#include "include/policy.h" + +#include "af_names.h" + +static const char *sock_type_names[] = { + "unknown(0)", + "stream", + "dgram", + "raw", + "rdm", + "seqpacket", + "dccp", + "unknown(7)", + "unknown(8)", + "unknown(9)", + "packet", +}; + +/* audit callback for net specific fields */ +static void audit_cb(struct audit_buffer *ab, void *va) +{ + struct common_audit_data *sa = va; + + audit_log_format(ab, " family="); + if (address_family_names[sa->u.net.family]) { + audit_log_string(ab, address_family_names[sa->u.net.family]); + } else { + audit_log_format(ab, " \"unknown(%d)\"", sa->u.net.family); + } + + audit_log_format(ab, " sock_type="); + if (sock_type_names[sa->aad.net.type]) { + audit_log_string(ab, sock_type_names[sa->aad.net.type]); + } else { + audit_log_format(ab, "\"unknown(%d)\"", sa->aad.net.type); + } + + audit_log_format(ab, " protocol=%d", sa->aad.net.protocol); +} + +/** + * audit_net - audit network access + * @profile: profile being enforced (NOT NULL) + * @op: operation being checked + * @family: network family + * @type: network type + * @protocol: network protocol + * @sk: socket auditing is being applied to + * @error: error code for failure else 0 + * + * Returns: %0 or sa->error else other errorcode on failure + */ +static int audit_net(struct aa_profile *profile, int op, u16 family, int type, + int protocol, struct sock *sk, int error) +{ + int audit_type = AUDIT_APPARMOR_AUTO; + struct common_audit_data sa; + if (sk) { + COMMON_AUDIT_DATA_INIT(&sa, NET); + } else { + COMMON_AUDIT_DATA_INIT(&sa, NONE); + } + /* todo fill in socket addr info */ + + sa.aad.op = op, + sa.u.net.family = family; + sa.u.net.sk = sk; + sa.aad.net.type = type; + sa.aad.net.protocol = protocol; + sa.aad.error = error; + + if (likely(!sa.aad.error)) { + u16 audit_mask = profile->net.audit[sa.u.net.family]; + if (likely((AUDIT_MODE(profile) != AUDIT_ALL) && + !(1 << sa.aad.net.type & audit_mask))) + return 0; + audit_type = AUDIT_APPARMOR_AUDIT; + } else { + u16 quiet_mask = profile->net.quiet[sa.u.net.family]; + u16 kill_mask = 0; + u16 denied = (1 << sa.aad.net.type) & ~quiet_mask; + + if (denied & kill_mask) + audit_type = AUDIT_APPARMOR_KILL; + + if ((denied & quiet_mask) && + AUDIT_MODE(profile) != AUDIT_NOQUIET && + AUDIT_MODE(profile) != AUDIT_ALL) + return COMPLAIN_MODE(profile) ? 0 : sa.aad.error; + } + + return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb); +} + +/** + * aa_net_perm - very course network access check + * @op: operation being checked + * @profile: profile being enforced (NOT NULL) + * @family: network family + * @type: network type + * @protocol: network protocol + * + * Returns: %0 else error if permission denied + */ +int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type, + int protocol, struct sock *sk) +{ + u16 family_mask; + int error; + + if ((family < 0) || (family >= AF_MAX)) + return -EINVAL; + + if ((type < 0) || (type >= SOCK_MAX)) + return -EINVAL; + + /* unix domain and netlink sockets are handled by ipc */ + if (family == AF_UNIX || family == AF_NETLINK) + return 0; + + family_mask = profile->net.allow[family]; + + error = (family_mask & (1 << type)) ? 0 : -EACCES; + + return audit_net(profile, op, family, type, protocol, sk, error); +} + +/** + * aa_revalidate_sk - Revalidate access to a sock + * @op: operation being checked + * @sk: sock being revalidated (NOT NULL) + * + * Returns: %0 else error if permission denied + */ +int aa_revalidate_sk(int op, struct sock *sk) +{ + struct aa_profile *profile; + int error = 0; + + /* aa_revalidate_sk should not be called from interrupt context + * don't mediate these calls as they are not task related + */ + if (in_interrupt()) + return 0; + + profile = __aa_current_profile(); + if (!unconfined(profile)) + error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type, + sk->sk_protocol, sk); + + return error; +} --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -745,6 +745,7 @@ static void free_profile(struct aa_profi aa_free_file_rules(&profile->file); aa_free_cap_rules(&profile->caps); + aa_free_net_rules(&profile->net); aa_free_rlimit_rules(&profile->rlimits); aa_free_sid(profile->sid); --- a/security/apparmor/policy_unpack.c +++ b/security/apparmor/policy_unpack.c @@ -191,6 +191,19 @@ fail: return 0; } +static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name) +{ + if (unpack_nameX(e, AA_U16, name)) { + if (!inbounds(e, sizeof(u16))) + return 0; + if (data) + *data = le16_to_cpu(get_unaligned((u16 *) e->pos)); + e->pos += sizeof(u16); + return 1; + } + return 0; +} + static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name) { if (unpack_nameX(e, AA_U32, name)) { @@ -469,6 +482,7 @@ static struct aa_profile *unpack_profile { struct aa_profile *profile = NULL; const char *name = NULL; + size_t size = 0; int i, error = -EPROTO; kernel_cap_t tmpcap; u32 tmp; @@ -562,6 +576,38 @@ static struct aa_profile *unpack_profile if (!unpack_rlimits(e, profile)) goto fail; + size = unpack_array(e, "net_allowed_af"); + if (size) { + + for (i = 0; i < size; i++) { + /* discard extraneous rules that this kernel will + * never request + */ + if (i > AF_MAX) { + u16 tmp; + if (!unpack_u16(e, &tmp, NULL) || + !unpack_u16(e, &tmp, NULL) || + !unpack_u16(e, &tmp, NULL)) + goto fail; + continue; + } + if (!unpack_u16(e, &profile->net.allow[i], NULL)) + goto fail; + if (!unpack_u16(e, &profile->net.audit[i], NULL)) + goto fail; + if (!unpack_u16(e, &profile->net.quiet[i], NULL)) + goto fail; + } + if (!unpack_nameX(e, AA_ARRAYEND, NULL)) + goto fail; + /* + * allow unix domain and netlink sockets they are handled + * by IPC + */ + } + profile->net.allow[AF_UNIX] = 0xffff; + profile->net.allow[AF_NETLINK] = 0xffff; + if (unpack_nameX(e, AA_STRUCT, "policydb")) { /* generic policy dfa - optional and may be NULL */ profile->policy.dfa = unpack_dfa(e);
From: Jeff Mahoney <[email protected]> Subject: apparmor: Add "profiles" list to sysfs Patch-mainline: Needs review In order to shut apparmor back down, we need to get a list of loaded profiles. This patch re-adds the profiles list. Signed-off-by: Jeff Mahoney <[email protected]> --- security/apparmor/apparmorfs.c | 227 +++++++++++++++++++++++++++++++++++++++++ 1 file changed, 227 insertions(+) --- a/security/apparmor/apparmorfs.c +++ b/security/apparmor/apparmorfs.c @@ -144,6 +144,232 @@ static const struct file_operations aa_f .llseek = default_llseek, }; +/** + * __next_namespace - find the next namespace to list + * @root: root namespace to stop search at (NOT NULL) + * @ns: current ns position (NOT NULL) + * + * Find the next namespace from @ns under @root and handle all locking needed + * while switching current namespace. + * + * Returns: next namespace or NULL if at last namespace under @root + * NOTE: will not unlock root->lock + */ +static struct aa_namespace *__next_namespace(struct aa_namespace *root, + struct aa_namespace *ns) +{ + struct aa_namespace *parent; + + /* is next namespace a child */ + if (!list_empty(&ns->sub_ns)) { + struct aa_namespace *next; + next = list_first_entry(&ns->sub_ns, typeof(*ns), base.list); + read_lock(&next->lock); + return next; + } + + /* check if the next ns is a sibling, parent, gp, .. */ + parent = ns->parent; + while (parent) { + read_unlock(&ns->lock); + list_for_each_entry_continue(ns, &parent->sub_ns, base.list) { + read_lock(&ns->lock); + return ns; + } + if (parent == root) + return NULL; + ns = parent; + parent = parent->parent; + } + + return NULL; +} + +/** + * __first_profile - find the first profile in a namespace + * @root: namespace that is root of profiles being displayed (NOT NULL) + * @ns: namespace to start in (NOT NULL) + * + * Returns: unrefcounted profile or NULL if no profile + */ +static struct aa_profile *__first_profile(struct aa_namespace *root, + struct aa_namespace *ns) +{ + for ( ; ns; ns = __next_namespace(root, ns)) { + if (!list_empty(&ns->base.profiles)) + return list_first_entry(&ns->base.profiles, + struct aa_profile, base.list); + } + return NULL; +} + +/** + * __next_profile - step to the next profile in a profile tree + * @profile: current profile in tree (NOT NULL) + * + * Perform a depth first taversal on the profile tree in a namespace + * + * Returns: next profile or NULL if done + * Requires: profile->ns.lock to be held + */ +static struct aa_profile *__next_profile(struct aa_profile *p) +{ + struct aa_profile *parent; + struct aa_namespace *ns = p->ns; + + /* is next profile a child */ + if (!list_empty(&p->base.profiles)) + return list_first_entry(&p->base.profiles, typeof(*p), + base.list); + + /* is next profile a sibling, parent sibling, gp, subling, .. */ + parent = p->parent; + while (parent) { + list_for_each_entry_continue(p, &parent->base.profiles, + base.list) + return p; + p = parent; + parent = parent->parent; + } + + /* is next another profile in the namespace */ + list_for_each_entry_continue(p, &ns->base.profiles, base.list) + return p; + + return NULL; +} + +/** + * next_profile - step to the next profile in where ever it may be + * @root: root namespace (NOT NULL) + * @profile: current profile (NOT NULL) + * + * Returns: next profile or NULL if there isn't one + */ +static struct aa_profile *next_profile(struct aa_namespace *root, + struct aa_profile *profile) +{ + struct aa_profile *next = __next_profile(profile); + if (next) + return next; + + /* finished all profiles in namespace move to next namespace */ + return __first_profile(root, __next_namespace(root, profile->ns)); +} + +/** + * p_start - start a depth first traversal of profile tree + * @f: seq_file to fill + * @pos: current position + * + * Returns: first profile under current namespace or NULL if none found + * + * acquires first ns->lock + */ +static void *p_start(struct seq_file *f, loff_t *pos) + __acquires(root->lock) +{ + struct aa_profile *profile = NULL; + struct aa_namespace *root = aa_current_profile()->ns; + loff_t l = *pos; + f->private = aa_get_namespace(root); + + + /* find the first profile */ + read_lock(&root->lock); + profile = __first_profile(root, root); + + /* skip to position */ + for (; profile && l > 0; l--) + profile = next_profile(root, profile); + + return profile; +} + +/** + * p_next - read the next profile entry + * @f: seq_file to fill + * @p: profile previously returned + * @pos: current position + * + * Returns: next profile after @p or NULL if none + * + * may acquire/release locks in namespace tree as necessary + */ +static void *p_next(struct seq_file *f, void *p, loff_t *pos) +{ + struct aa_profile *profile = p; + struct aa_namespace *root = f->private; + (*pos)++; + + return next_profile(root, profile); +} + +/** + * p_stop - stop depth first traversal + * @f: seq_file we are filling + * @p: the last profile writen + * + * Release all locking done by p_start/p_next on namespace tree + */ +static void p_stop(struct seq_file *f, void *p) + __releases(root->lock) +{ + struct aa_profile *profile = p; + struct aa_namespace *root = f->private, *ns; + + if (profile) { + for (ns = profile->ns; ns && ns != root; ns = ns->parent) + read_unlock(&ns->lock); + } + read_unlock(&root->lock); + aa_put_namespace(root); +} + +/** + * seq_show_profile - show a profile entry + * @f: seq_file to file + * @p: current position (profile) (NOT NULL) + * + * Returns: error on failure + */ +static int seq_show_profile(struct seq_file *f, void *p) +{ + struct aa_profile *profile = (struct aa_profile *)p; + struct aa_namespace *root = f->private; + + if (profile->ns != root) + seq_printf(f, ":%s://", aa_ns_name(root, profile->ns)); + seq_printf(f, "%s (%s)\n", profile->base.hname, + COMPLAIN_MODE(profile) ? "complain" : "enforce"); + + return 0; +} + +static const struct seq_operations aa_fs_profiles_op = { + .start = p_start, + .next = p_next, + .stop = p_stop, + .show = seq_show_profile, +}; + +static int profiles_open(struct inode *inode, struct file *file) +{ + return seq_open(file, &aa_fs_profiles_op); +} + +static int profiles_release(struct inode *inode, struct file *file) +{ + return seq_release(inode, file); +} + +static const struct file_operations aa_fs_profiles_fops = { + .open = profiles_open, + .read = seq_read, + .llseek = seq_lseek, + .release = profiles_release, +}; + static int aa_fs_seq_show(struct seq_file *seq, void *v) { struct aa_fs_entry *fs_file = seq->private; @@ -214,6 +440,7 @@ static struct aa_fs_entry aa_fs_entry_ap AA_FS_DIR("features", aa_fs_entry_features), AA_FS_FILE_STRING("matching", "pattern=aadfa audit perms=crwxamlk/ " "user::other"), + AA_FS_FILE_FOPS("profiles", 0440, &aa_fs_profiles_fops), { } };
-- AppArmor mailing list [email protected] Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/apparmor
