apparmor: add base infastructure for socket mediation (56974a6f) · Commits · e / devices / android_kernel_fairphone_FP4

security/apparmor/.gitignore

+1 −0

Original line number	Diff line number	Diff line
		#
		# Generated include files
		#
		net_names.h
		capability_names.h
		rlim_names.h

security/apparmor/Makefile

+41 −2

Original line number	Diff line number	Diff line
		@@ -5,11 +5,44 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o

		apparmor-y := apparmorfs.o audit.o capability.o task.o ipc.o lib.o match.o \
		path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
		resource.o secid.o file.o policy_ns.o label.o mount.o
		resource.o secid.o file.o policy_ns.o label.o mount.o net.o
		apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o

		clean-files := capability_names.h rlim_names.h
		clean-files := capability_names.h rlim_names.h net_names.h

		# Build a lower case string table of address family names
		# Transform lines from
		# #define AF_LOCAL 1 /* POSIX name for AF_UNIX */
		# #define AF_INET 2 /* Internet IP Protocol */
		# to
		# [1] = "local",
		# [2] = "inet",
		#
		# and build the securityfs entries for the mapping.
		# Transforms lines from
		# #define AF_INET 2 /* Internet IP Protocol */
		# to
		# #define AA_SFS_AF_MASK "local inet"
		quiet_cmd_make-af = GEN $@
		cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
		sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
		's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
		echo "};" >> $@ ;\
		printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
		sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
		's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
		$< \| tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@

		# Build a lower case string table of sock type names
		# Transform lines from
		# SOCK_STREAM = 1,
		# to
		# [1] = "stream",
		quiet_cmd_make-sock = GEN $@
		cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
		sed $^ >>$@ -r -n \
		-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
		echo "};" >> $@

		# Build a lower case string table of capability names
		# Transforms lines from
		@@ -62,6 +95,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
		tr '\n' ' ' \| sed -e 's/ $$/"\n/' >> $@

		$(obj)/capability.o : $(obj)/capability_names.h
		$(obj)/net.o : $(obj)/net_names.h
		$(obj)/resource.o : $(obj)/rlim_names.h
		$(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
		$(src)/Makefile
		@@ -69,3 +103,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
		$(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
		$(src)/Makefile
		$(call cmd,make-rlim)
		$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
		$(srctree)/include/linux/net.h \
		$(src)/Makefile
		$(call cmd,make-af)
		$(call cmd,make-sock)

security/apparmor/apparmorfs.c

+2 −0

Original line number	Diff line number	Diff line
		@@ -2169,6 +2169,7 @@ static struct aa_sfs_entry aa_sfs_entry_versions[] = {
		AA_SFS_FILE_BOOLEAN("v5", 1),
		AA_SFS_FILE_BOOLEAN("v6", 1),
		AA_SFS_FILE_BOOLEAN("v7", 1),
		AA_SFS_FILE_BOOLEAN("v8", 1),
		{ }
		};

		@@ -2204,6 +2205,7 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
		AA_SFS_DIR("policy", aa_sfs_entry_policy),
		AA_SFS_DIR("domain", aa_sfs_entry_domain),
		AA_SFS_DIR("file", aa_sfs_entry_file),
		AA_SFS_DIR("network_v8", aa_sfs_entry_network),
		AA_SFS_DIR("mount", aa_sfs_entry_mount),
		AA_SFS_DIR("namespaces", aa_sfs_entry_ns),
		AA_SFS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),

security/apparmor/file.c

+30 −0

Original line number	Diff line number	Diff line
		@@ -21,6 +21,7 @@
		#include "include/cred.h"
		#include "include/file.h"
		#include "include/match.h"
		#include "include/net.h"
		#include "include/path.h"
		#include "include/policy.h"
		#include "include/label.h"
		@@ -560,6 +561,32 @@ static int __file_path_perm(const char op, struct aa_label label,
		return error;
		}

		static int __file_sock_perm(const char op, struct aa_label label,
		struct aa_label flabel, struct file file,
		u32 request, u32 denied)
		{
		struct socket sock = (struct socket ) file->private_data;
		int error;

		AA_BUG(!sock);

		/* revalidation due to label out of date. No revocation at this time */
		if (!denied && aa_label_is_subset(flabel, label))
		return 0;

		/* TODO: improve to skip profiles cached in flabel */
		error = aa_sock_file_perm(label, op, request, sock);
		if (denied) {
		/* TODO: improve to skip profiles checked above */
		/* check every profile in file label to is cached */
		last_error(error, aa_sock_file_perm(flabel, op, request, sock));
		}
		if (!error)
		update_file_ctx(file_ctx(file), label, request);

		return error;
		}

		/**
		* aa_file_perm - do permission revalidation check & audit for @file
		* @op: operation being checked
		@@ -604,6 +631,9 @@ int aa_file_perm(const char op, struct aa_label label, struct file *file,
		error = __file_path_perm(op, label, flabel, file, request,
		denied);

		else if (S_ISSOCK(file_inode(file)->i_mode))
		error = __file_sock_perm(op, label, flabel, file, request,
		denied);
		done:
		rcu_read_unlock();

security/apparmor/include/apparmor.h

+2 −1

Original line number	Diff line number	Diff line
		@@ -24,12 +24,13 @@
		#define AA_CLASS_UNKNOWN 1
		#define AA_CLASS_FILE 2
		#define AA_CLASS_CAP 3
		#define AA_CLASS_NET 4
		#define AA_CLASS_DEPRECATED 4
		#define AA_CLASS_RLIMITS 5
		#define AA_CLASS_DOMAIN 6
		#define AA_CLASS_MOUNT 7
		#define AA_CLASS_PTRACE 9
		#define AA_CLASS_SIGNAL 10
		#define AA_CLASS_NET 14
		#define AA_CLASS_LABEL 16

		#define AA_CLASS_LAST AA_CLASS_LABEL