Updated AppArmor with a newer backported AppArmor release by UBports
This commit is contained in:
Nathan
121
security/apparmor/include/af_unix.h
Normal file
121
security/apparmor/include/af_unix.h
Normal file
@@ -0,0 +1,121 @@
|
||||
/*
|
||||
* AppArmor security module
|
||||
*
|
||||
* This file contains AppArmor af_unix fine grained mediation
|
||||
*
|
||||
* Copyright 2014 Canonical Ltd.
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU General Public License as
|
||||
* published by the Free Software Foundation, version 2 of the
|
||||
* License.
|
||||
*/
|
||||
#ifndef __AA_AF_UNIX_H
|
||||
|
||||
#include <net/af_unix.h>
|
||||
|
||||
#include "label.h"
|
||||
//#include "include/net.h"
|
||||
|
||||
#define unix_addr_len(L) ((L) - sizeof(sa_family_t))
|
||||
#define unix_abstract_name_len(L) (unix_addr_len(L) - 1)
|
||||
#define unix_abstract_len(U) (unix_abstract_name_len((U)->addr->len))
|
||||
#define addr_unix_abstract_name(B) ((B)[0] == 0)
|
||||
#define addr_unix_anonymous(U) (addr_unix_len(U) <= 0)
|
||||
#define addr_unix_abstract(U) (!addr_unix_anonymous(U) && addr_unix_abstract_name((U)->addr))
|
||||
//#define unix_addr_fs(U) (!unix_addr_anonymous(U) && !unix_addr_abstract_name((U)->addr))
|
||||
|
||||
#define unix_addr(A) ((struct sockaddr_un *)(A))
|
||||
#define unix_addr_anon(A, L) ((A) && unix_addr_len(L) <= 0)
|
||||
#define unix_addr_fs(A, L) (!unix_addr_anon(A, L) && !addr_unix_abstract_name(unix_addr(A)->sun_path))
|
||||
|
||||
#define UNIX_ANONYMOUS(U) (!unix_sk(U)->addr)
|
||||
/* from net/unix/af_unix.c */
|
||||
#define UNIX_ABSTRACT(U) (!UNIX_ANONYMOUS(U) && \
|
||||
unix_sk(U)->addr->hash < UNIX_HASH_SIZE)
|
||||
#define UNIX_FS(U) (!UNIX_ANONYMOUS(U) && unix_sk(U)->addr->name->sun_path[0])
|
||||
#define unix_peer(sk) (unix_sk(sk)->peer)
|
||||
#define unix_connected(S) ((S)->state == SS_CONNECTED)
|
||||
|
||||
static inline void print_unix_addr(struct sockaddr_un *A, int L)
|
||||
{
|
||||
char *buf = (A) ? (char *) &(A)->sun_path : NULL;
|
||||
int len = unix_addr_len(L);
|
||||
if (!buf || len <= 0)
|
||||
printk(" <anonymous>");
|
||||
else if (buf[0])
|
||||
printk(" %s", buf);
|
||||
else
|
||||
/* abstract name len includes leading \0 */
|
||||
printk(" %d @%.*s", len - 1, len - 1, buf+1);
|
||||
};
|
||||
|
||||
/*
|
||||
printk("%s: %s: f %d, t %d, p %d", __FUNCTION__, \
|
||||
#SK , \
|
||||
*/
|
||||
#define print_unix_sk(SK) \
|
||||
do { \
|
||||
struct unix_sock *u = unix_sk(SK); \
|
||||
printk("%s: f %d, t %d, p %d", #SK , \
|
||||
(SK)->sk_family, (SK)->sk_type, (SK)->sk_protocol); \
|
||||
if (u->addr) \
|
||||
print_unix_addr(u->addr->name, u->addr->len); \
|
||||
else \
|
||||
print_unix_addr(NULL, sizeof(sa_family_t)); \
|
||||
/* printk("\n");*/ \
|
||||
} while (0)
|
||||
|
||||
#define print_sk(SK) \
|
||||
do { \
|
||||
if (!(SK)) { \
|
||||
printk("%s: %s is null\n", __FUNCTION__, #SK); \
|
||||
} else if ((SK)->sk_family == PF_UNIX) { \
|
||||
print_unix_sk(SK); \
|
||||
printk("\n"); \
|
||||
} else { \
|
||||
printk("%s: %s: family %d\n", __FUNCTION__, #SK , \
|
||||
(SK)->sk_family); \
|
||||
} \
|
||||
} while (0)
|
||||
|
||||
#define print_sock_addr(U) \
|
||||
do { \
|
||||
printk("%s:\n", __FUNCTION__); \
|
||||
printk(" sock %s:", sock_cxt && sock_cxt->label && sock_cxt->label->hname ? sock_cxt->label->hname : "<null>"); print_sk(sock); \
|
||||
printk(" other %s:", other_cxt && other_cxt->label && other_cxt->label->hname ? other_cxt->label->hname : "<null>"); print_sk(other); \
|
||||
printk(" new %s", new_cxt && new_cxt->label && new_cxt->label->hname ? new_cxt->label->hname : "<null>"); print_sk(newsk); \
|
||||
} while (0)
|
||||
|
||||
|
||||
#define DEFINE_AUDIT_UNIX(NAME, OP, SK, T, P) \
|
||||
struct lsm_network_audit NAME ## _net = { .sk = (SK), \
|
||||
.family = (AF_UNIX)}; \
|
||||
DEFINE_AUDIT_DATA(NAME, LSM_AUDIT_DATA_NONE, OP); \
|
||||
NAME.u.net = &(NAME ## _net); \
|
||||
aad(&NAME)->net.type = (T); \
|
||||
aad(&NAME)->net.protocol = (P)
|
||||
|
||||
|
||||
int aa_unix_peer_perm(struct aa_label *label, int op, u32 request,
|
||||
struct sock *sk, struct sock *peer_sk,
|
||||
struct aa_label *peer_label);
|
||||
int aa_unix_label_sk_perm(struct aa_label *label, int op, u32 request,
|
||||
struct sock *sk);
|
||||
int aa_unix_sock_perm(int op, u32 request, struct socket *sock);
|
||||
int aa_unix_create_perm(struct aa_label *label, int family, int type,
|
||||
int protocol);
|
||||
int aa_unix_bind_perm(struct socket *sock, struct sockaddr *address,
|
||||
int addrlen);
|
||||
int aa_unix_connect_perm(struct socket *sock, struct sockaddr *address,
|
||||
int addrlen);
|
||||
int aa_unix_listen_perm(struct socket *sock, int backlog);
|
||||
int aa_unix_accept_perm(struct socket *sock, struct socket *newsock);
|
||||
int aa_unix_msg_perm(int op, u32 request, struct socket *sock,
|
||||
struct msghdr *msg, int size);
|
||||
int aa_unix_opt_perm(int op, u32 request, struct socket *sock, int level,
|
||||
int optname);
|
||||
int aa_unix_file_perm(struct aa_label *label, int op, u32 request,
|
||||
struct socket *sock);
|
||||
|
||||
#endif /* __AA_AF_UNIX_H */
|
||||
Reference in New Issue
Block a user