diff options
Diffstat (limited to 'security/apparmor/net.c')
-rw-r--r-- | security/apparmor/net.c | 159 |
1 files changed, 0 insertions, 159 deletions
diff --git a/security/apparmor/net.c b/security/apparmor/net.c deleted file mode 100644 index 1e6629001cf..00000000000 --- a/security/apparmor/net.c +++ /dev/null @@ -1,159 +0,0 @@ -/* - * AppArmor security module - * - * This file contains AppArmor network mediation - * - * Copyright (C) 1998-2008 Novell/SUSE - * Copyright 2009-2012 Canonical Ltd. - * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License as - * published by the Free Software Foundation, version 2 of the - * License. - */ - -#include "include/apparmor.h" -#include "include/audit.h" -#include "include/context.h" -#include "include/net.h" -#include "include/policy.h" - -#include "net_names.h" - -struct aa_fs_entry aa_fs_entry_network[] = { - AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK), - { } -}; - -/* audit callback for net specific fields */ -static void audit_cb(struct audit_buffer *ab, void *va) -{ - struct common_audit_data *sa = va; - - audit_log_format(ab, " family="); - if (address_family_names[sa->u.net->family]) { - audit_log_string(ab, address_family_names[sa->u.net->family]); - } else { - audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family); - } - audit_log_format(ab, " sock_type="); - if (sock_type_names[sa->aad->net.type]) { - audit_log_string(ab, sock_type_names[sa->aad->net.type]); - } else { - audit_log_format(ab, "\"unknown(%d)\"", sa->aad->net.type); - } - audit_log_format(ab, " protocol=%d", sa->aad->net.protocol); -} - -/** - * audit_net - audit network access - * @profile: profile being enforced (NOT NULL) - * @op: operation being checked - * @family: network family - * @type: network type - * @protocol: network protocol - * @sk: socket auditing is being applied to - * @error: error code for failure else 0 - * - * Returns: %0 or sa->error else other errorcode on failure - */ -static int audit_net(struct aa_profile *profile, int op, u16 family, int type, - int protocol, struct sock *sk, int error) -{ - int audit_type = AUDIT_APPARMOR_AUTO; - struct common_audit_data sa; - if (sk) { - COMMON_AUDIT_DATA_INIT(&sa, NET); - } else { - COMMON_AUDIT_DATA_INIT(&sa, NONE); - } - /* todo fill in socket addr info */ - - sa.aad->op = op, - sa.u.net->family = family; - sa.u.net->sk = sk; - sa.aad->net.type = type; - sa.aad->net.protocol = protocol; - sa.aad->error = error; - - if (likely(!sa.aad->error)) { - u16 audit_mask = profile->net.audit[sa.u.net->family]; - if (likely((AUDIT_MODE(profile) != AUDIT_ALL) && - !(1 << sa.aad->net.type & audit_mask))) - return 0; - audit_type = AUDIT_APPARMOR_AUDIT; - } else { - u16 quiet_mask = profile->net.quiet[sa.u.net->family]; - u16 kill_mask = 0; - u16 denied = (1 << sa.aad->net.type) & ~quiet_mask; - - if (denied & kill_mask) - audit_type = AUDIT_APPARMOR_KILL; - - if ((denied & quiet_mask) && - AUDIT_MODE(profile) != AUDIT_NOQUIET && - AUDIT_MODE(profile) != AUDIT_ALL) - return COMPLAIN_MODE(profile) ? 0 : sa.aad->error; - } - - return aa_audit(audit_type, profile, GFP_KERNEL, &sa, audit_cb); -} - -/** - * aa_net_perm - very course network access check - * @op: operation being checked - * @profile: profile being enforced (NOT NULL) - * @family: network family - * @type: network type - * @protocol: network protocol - * - * Returns: %0 else error if permission denied - */ -int aa_net_perm(int op, struct aa_profile *profile, u16 family, int type, - int protocol, struct sock *sk) -{ - u16 family_mask; - int error; - - if ((family < 0) || (family >= AF_MAX)) - return -EINVAL; - - if ((type < 0) || (type >= SOCK_MAX)) - return -EINVAL; - - /* unix domain and netlink sockets are handled by ipc */ - if (family == AF_UNIX || family == AF_NETLINK) - return 0; - - family_mask = profile->net.allow[family]; - - error = (family_mask & (1 << type)) ? 0 : -EACCES; - - return audit_net(profile, op, family, type, protocol, sk, error); -} - -/** - * aa_revalidate_sk - Revalidate access to a sock - * @op: operation being checked - * @sk: sock being revalidated (NOT NULL) - * - * Returns: %0 else error if permission denied - */ -int aa_revalidate_sk(int op, struct sock *sk) -{ - struct aa_profile *profile; - int error = 0; - - /* aa_revalidate_sk should not be called from interrupt context - * don't mediate these calls as they are not task related - */ - if (in_interrupt()) - return 0; - - profile = __aa_current_profile(); - if (!unconfined(profile)) - error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type, - sk->sk_protocol, sk); - - return error; -} |