[packages/kernel] - split apparmor patch, it's RPITA updating it as single blob
baggins
baggins at pld-linux.org
Thu Sep 14 22:57:42 CEST 2017
commit 65a88893d9195d5cd9a54a346cd0a7cfffbfbdc8
Author: Jan Rękorajski <baggins at pld-linux.org>
Date: Thu Sep 14 22:56:51 2017 +0200
- split apparmor patch, it's RPITA updating it as single blob
...l-apparmor.patch => kernel-apparmor-mount.patch | 621 ---------------------
kernel-apparmor-net-audit.patch | 32 ++
kernel-apparmor-net.patch | 589 +++++++++++++++++++
kernel.spec | 8 +-
4 files changed, 627 insertions(+), 623 deletions(-)
---
diff --git a/kernel.spec b/kernel.spec
index 2a5da49d..c22ccc43 100644
--- a/kernel.spec
+++ b/kernel.spec
@@ -219,7 +219,9 @@ Patch2003: kernel-regressions.patch
# git://git.kernel.org/pub/scm/linux/kernel/git/jj/linux-apparmor
# branch v4.7-aa2.8-out-of-tree
-Patch5000: kernel-apparmor.patch
+Patch5000: kernel-apparmor-net.patch
+Patch5001: kernel-apparmor-net-audit.patch
+Patch5002: kernel-apparmor-mount.patch
# for rescuecd
# based on ftp://ftp.leg.uct.ac.za/pub/linux/rip/tmpfs_root-2.6.30.diff.gz
@@ -689,7 +691,9 @@ rm -f localversion-rt
%endif
# apparmor
-#%patch5000 -p1
+%patch5000 -p1
+%patch5001 -p1
+%patch5002 -p1
%patch250 -p1
diff --git a/kernel-apparmor.patch b/kernel-apparmor-mount.patch
similarity index 57%
rename from kernel-apparmor.patch
rename to kernel-apparmor-mount.patch
index 539e655a..3c9a0978 100644
--- a/kernel-apparmor.patch
+++ b/kernel-apparmor-mount.patch
@@ -1,624 +1,3 @@
-commit 97b3200925ba627346432edf521d49de8bb018a3
-Author: John Johansen <john.johansen at canonical.com>
-Date: Mon Oct 4 15:03:36 2010 -0700
-
- UBUNTU: SAUCE: AppArmor: basic networking rules
-
- Base support for network mediation.
-
- Signed-off-by: John Johansen <john.johansen at canonical.com>
-
-diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
-index 9cdec70d72b8..d5b291e94264 100644
---- a/security/apparmor/.gitignore
-+++ b/security/apparmor/.gitignore
-@@ -1,5 +1,6 @@
- #
- # Generated include files
- #
-+net_names.h
- capability_names.h
- rlim_names.h
-diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
-index ad369a7aac24..a7dc10be232d 100644
---- a/security/apparmor/Makefile
-+++ b/security/apparmor/Makefile
-@@ -4,10 +4,10 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
-
- apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
- path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
-- resource.o secid.o file.o policy_ns.o
-+ resource.o secid.o file.o policy_ns.o net.o
- apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
-
--clean-files := capability_names.h rlim_names.h
-+clean-files := capability_names.h rlim_names.h net_names.h
-
-
- # Build a lower case string table of capability names
-@@ -25,6 +25,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
- -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
- tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
-
-+# Build a lower case string table of address family names
-+# Transform lines from
-+# define AF_LOCAL 1 /* POSIX name for AF_UNIX */
-+# #define AF_INET 2 /* Internet IP Protocol */
-+# to
-+# [1] = "local",
-+# [2] = "inet",
-+#
-+# and build the securityfs entries for the mapping.
-+# Transforms lines from
-+# #define AF_INET 2 /* Internet IP Protocol */
-+# to
-+# #define AA_FS_AF_MASK "local inet"
-+quiet_cmd_make-af = GEN $@
-+cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
-+ sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
-+ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-+ echo "};" >> $@ ;\
-+ echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
-+ sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
-+ $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
-+
-+# Build a lower case string table of sock type names
-+# Transform lines from
-+# SOCK_STREAM = 1,
-+# to
-+# [1] = "stream",
-+quiet_cmd_make-sock = GEN $@
-+cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
-+ sed $^ >>$@ -r -n \
-+ -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-+ echo "};" >> $@
-
- # Build a lower case string table of rlimit names.
- # Transforms lines from
-@@ -61,6 +93,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
- tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
-
- $(obj)/capability.o : $(obj)/capability_names.h
-+$(obj)/net.o : $(obj)/net_names.h
- $(obj)/resource.o : $(obj)/rlim_names.h
- $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
- $(src)/Makefile
-@@ -68,3 +101,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
- $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
- $(src)/Makefile
- $(call cmd,make-rlim)
-+$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
-+ $(srctree)/include/linux/net.h \
-+ $(src)/Makefile
-+ $(call cmd,make-af)
-+ $(call cmd,make-sock)
-diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
-index 41073f70eb41..4d236736cfb8 100644
---- a/security/apparmor/apparmorfs.c
-+++ b/security/apparmor/apparmorfs.c
-@@ -1209,6 +1209,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
- AA_FS_DIR("policy", aa_fs_entry_policy),
- AA_FS_DIR("domain", aa_fs_entry_domain),
- AA_FS_DIR("file", aa_fs_entry_file),
-+ AA_FS_DIR("network", aa_fs_entry_network),
- AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
- AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
- AA_FS_DIR("caps", aa_fs_entry_caps),
-diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
-index fdc4774318ba..0df708e8748b 100644
---- a/security/apparmor/include/audit.h
-+++ b/security/apparmor/include/audit.h
-@@ -127,6 +127,10 @@ struct apparmor_audit_data {
- int rlim;
- unsigned long max;
- } rlim;
-+ struct {
-+ int type, protocol;
-+ struct sock *sk;
-+ } net;
- };
- };
-
-diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
-new file mode 100644
-index 000000000000..55da1dad8720
---- /dev/null
-+++ b/security/apparmor/include/net.h
-@@ -0,0 +1,59 @@
-+/*
-+ * AppArmor security module
-+ *
-+ * This file contains AppArmor network mediation definitions.
-+ *
-+ * Copyright (C) 1998-2008 Novell/SUSE
-+ * Copyright 2009-2012 Canonical Ltd.
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation, version 2 of the
-+ * License.
-+ */
-+
-+#ifndef __AA_NET_H
-+#define __AA_NET_H
-+
-+#include <net/sock.h>
-+
-+#include "apparmorfs.h"
-+
-+/* struct aa_net - network confinement data
-+ * @allowed: basic network families permissions
-+ * @audit_network: which network permissions to force audit
-+ * @quiet_network: which network permissions to quiet rejects
-+ */
-+struct aa_net {
-+ u16 allow[AF_MAX];
-+ u16 audit[AF_MAX];
-+ u16 quiet[AF_MAX];
-+};
-+
-+extern struct aa_fs_entry aa_fs_entry_network[];
-+
-+#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
-+ struct lsm_network_audit NAME ## _net = { .sk = (SK), \
-+ .family = (F)}; \
-+ DEFINE_AUDIT_DATA(NAME, \
-+ ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
-+ LSM_AUDIT_DATA_NONE, \
-+ OP); \
-+ NAME.u.net = &(NAME ## _net); \
-+ aad(&NAME)->net.type = (T); \
-+ aad(&NAME)->net.protocol = (P)
-+
-+#define DEFINE_AUDIT_SK(NAME, OP, SK) \
-+ DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
-+ (SK)->sk_protocol)
-+
-+extern int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
-+ int type, int protocol, struct sock *sk);
-+extern int aa_revalidate_sk(const char *op, struct sock *sk);
-+
-+static inline void aa_free_net_rules(struct aa_net *new)
-+{
-+ /* NOP */
-+}
-+
-+#endif /* __AA_NET_H */
-diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
-index 67bc96afe541..a3d18ea8d730 100644
---- a/security/apparmor/include/policy.h
-+++ b/security/apparmor/include/policy.h
-@@ -28,6 +28,7 @@
- #include "capability.h"
- #include "domain.h"
- #include "file.h"
-+#include "net.h"
- #include "lib.h"
- #include "resource.h"
-
-@@ -132,6 +133,7 @@ struct aa_data {
- * @policy: general match rules governing policy
- * @file: The set of rules governing basic file access and domain transitions
- * @caps: capabilities for the profile
-+ * @net: network controls for the profile
- * @rlimits: rlimits for the profile
- *
- * @dents: dentries for the profiles file entries in apparmorfs
-@@ -174,6 +176,7 @@ struct aa_profile {
- struct aa_policydb policy;
- struct aa_file_rules file;
- struct aa_caps caps;
-+ struct aa_net net;
- struct aa_rlimit rlimits;
-
- struct aa_loaddata *rawdata;
-diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
-index 709eacd23909..e3017129a404 100644
---- a/security/apparmor/lsm.c
-+++ b/security/apparmor/lsm.c
-@@ -33,6 +33,7 @@
- #include "include/context.h"
- #include "include/file.h"
- #include "include/ipc.h"
-+#include "include/net.h"
- #include "include/path.h"
- #include "include/policy.h"
- #include "include/policy_ns.h"
-@@ -587,6 +588,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
- return error;
- }
-
-+static int apparmor_socket_create(int family, int type, int protocol, int kern)
-+{
-+ struct aa_profile *profile;
-+ int error = 0;
-+
-+ if (kern)
-+ return 0;
-+
-+ profile = __aa_current_profile();
-+ if (!unconfined(profile))
-+ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
-+ NULL);
-+ return error;
-+}
-+
-+static int apparmor_socket_bind(struct socket *sock,
-+ struct sockaddr *address, int addrlen)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_BIND, sk);
-+}
-+
-+static int apparmor_socket_connect(struct socket *sock,
-+ struct sockaddr *address, int addrlen)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_CONNECT, sk);
-+}
-+
-+static int apparmor_socket_listen(struct socket *sock, int backlog)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_LISTEN, sk);
-+}
-+
-+static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_ACCEPT, sk);
-+}
-+
-+static int apparmor_socket_sendmsg(struct socket *sock,
-+ struct msghdr *msg, int size)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_SENDMSG, sk);
-+}
-+
-+static int apparmor_socket_recvmsg(struct socket *sock,
-+ struct msghdr *msg, int size, int flags)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_RECVMSG, sk);
-+}
-+
-+static int apparmor_socket_getsockname(struct socket *sock)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
-+}
-+
-+static int apparmor_socket_getpeername(struct socket *sock)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_GETPEERNAME, sk);
-+}
-+
-+static int apparmor_socket_getsockopt(struct socket *sock, int level,
-+ int optname)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
-+}
-+
-+static int apparmor_socket_setsockopt(struct socket *sock, int level,
-+ int optname)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
-+}
-+
-+static int apparmor_socket_shutdown(struct socket *sock, int how)
-+{
-+ struct sock *sk = sock->sk;
-+
-+ return aa_revalidate_sk(OP_SHUTDOWN, sk);
-+}
-+
- static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
- LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
- LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
-@@ -616,6 +715,19 @@ static struct security_hook_list apparmor_hooks[] = {
- LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
- LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
-
-+ LSM_HOOK_INIT(socket_create, apparmor_socket_create),
-+ LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
-+ LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
-+ LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
-+ LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
-+ LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
-+ LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
-+ LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
-+ LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
-+ LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
-+ LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
-+ LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
-+
- LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
- LSM_HOOK_INIT(cred_free, apparmor_cred_free),
- LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
-diff --git a/security/apparmor/net.c b/security/apparmor/net.c
-new file mode 100644
-index 000000000000..b9c8cd0e882e
---- /dev/null
-+++ b/security/apparmor/net.c
-@@ -0,0 +1,148 @@
-+/*
-+ * AppArmor security module
-+ *
-+ * This file contains AppArmor network mediation
-+ *
-+ * Copyright (C) 1998-2008 Novell/SUSE
-+ * Copyright 2009-2012 Canonical Ltd.
-+ *
-+ * This program is free software; you can redistribute it and/or
-+ * modify it under the terms of the GNU General Public License as
-+ * published by the Free Software Foundation, version 2 of the
-+ * License.
-+ */
-+
-+#include "include/apparmor.h"
-+#include "include/audit.h"
-+#include "include/context.h"
-+#include "include/net.h"
-+#include "include/policy.h"
-+
-+#include "net_names.h"
-+
-+struct aa_fs_entry aa_fs_entry_network[] = {
-+ AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
-+ { }
-+};
-+
-+/* audit callback for net specific fields */
-+static void audit_cb(struct audit_buffer *ab, void *va)
-+{
-+ struct common_audit_data *sa = va;
-+
-+ audit_log_format(ab, " family=");
-+ if (address_family_names[sa->u.net->family]) {
-+ audit_log_string(ab, address_family_names[sa->u.net->family]);
-+ } else {
-+ audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
-+ }
-+ audit_log_format(ab, " sock_type=");
-+ if (sock_type_names[aad(sa)->net.type]) {
-+ audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
-+ } else {
-+ audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
-+ }
-+ audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
-+}
-+
-+/**
-+ * audit_net - audit network access
-+ * @profile: profile being enforced (NOT NULL)
-+ * @op: operation being checked
-+ * @family: network family
-+ * @type: network type
-+ * @protocol: network protocol
-+ * @sk: socket auditing is being applied to
-+ * @error: error code for failure else 0
-+ *
-+ * Returns: %0 or sa->error else other errorcode on failure
-+ */
-+static int audit_net(struct aa_profile *profile, const char *op, u16 family,
-+ int type, int protocol, struct sock *sk, int error)
-+{
-+ int audit_type = AUDIT_APPARMOR_AUTO;
-+ DEFINE_AUDIT_NET(sa, op, sk, family, type, protocol);
-+
-+ aad(&sa)->error = error;
-+
-+ if (likely(!aad(&sa)->error)) {
-+ u16 audit_mask = profile->net.audit[sa.u.net->family];
-+ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
-+ !(1 << aad(&sa)->net.type & audit_mask)))
-+ return 0;
-+ audit_type = AUDIT_APPARMOR_AUDIT;
-+ } else {
-+ u16 quiet_mask = profile->net.quiet[sa.u.net->family];
-+ u16 kill_mask = 0;
-+ u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
-+
-+ if (denied & kill_mask)
-+ audit_type = AUDIT_APPARMOR_KILL;
-+
-+ if ((denied & quiet_mask) &&
-+ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
-+ AUDIT_MODE(profile) != AUDIT_ALL)
-+ return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
-+ }
-+
-+ return aa_audit(audit_type, profile, &sa, audit_cb);
-+}
-+
-+/**
-+ * aa_net_perm - very course network access check
-+ * @op: operation being checked
-+ * @profile: profile being enforced (NOT NULL)
-+ * @family: network family
-+ * @type: network type
-+ * @protocol: network protocol
-+ *
-+ * Returns: %0 else error if permission denied
-+ */
-+int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
-+ int type, int protocol, struct sock *sk)
-+{
-+ u16 family_mask;
-+ int error;
-+
-+ if ((family < 0) || (family >= AF_MAX))
-+ return -EINVAL;
-+
-+ if ((type < 0) || (type >= SOCK_MAX))
-+ return -EINVAL;
-+
-+ /* unix domain and netlink sockets are handled by ipc */
-+ if (family == AF_UNIX || family == AF_NETLINK)
-+ return 0;
-+
-+ family_mask = profile->net.allow[family];
-+
-+ error = (family_mask & (1 << type)) ? 0 : -EACCES;
-+
-+ return audit_net(profile, op, family, type, protocol, sk, error);
-+}
-+
-+/**
-+ * aa_revalidate_sk - Revalidate access to a sock
-+ * @op: operation being checked
-+ * @sk: sock being revalidated (NOT NULL)
-+ *
-+ * Returns: %0 else error if permission denied
-+ */
-+int aa_revalidate_sk(const char *op, struct sock *sk)
-+{
-+ struct aa_profile *profile;
-+ int error = 0;
-+
-+ /* aa_revalidate_sk should not be called from interrupt context
-+ * don't mediate these calls as they are not task related
-+ */
-+ if (in_interrupt())
-+ return 0;
-+
-+ profile = __aa_current_profile();
-+ if (!unconfined(profile))
-+ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
-+ sk->sk_protocol, sk);
-+
-+ return error;
-+}
-diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
-index def1fbd6bdfd..9fe7b9d4500f 100644
---- a/security/apparmor/policy.c
-+++ b/security/apparmor/policy.c
-@@ -237,6 +237,7 @@ void aa_free_profile(struct aa_profile *profile)
-
- aa_free_file_rules(&profile->file);
- aa_free_cap_rules(&profile->caps);
-+ aa_free_net_rules(&profile->net);
- aa_free_rlimit_rules(&profile->rlimits);
-
- kzfree(profile->dirname);
-diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
-index 2e37c9c26bbd..bc23a5b3b113 100644
---- a/security/apparmor/policy_unpack.c
-+++ b/security/apparmor/policy_unpack.c
-@@ -217,6 +217,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
- return 0;
- }
-
-+static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
-+{
-+ if (unpack_nameX(e, AA_U16, name)) {
-+ if (!inbounds(e, sizeof(u16)))
-+ return 0;
-+ if (data)
-+ *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
-+ e->pos += sizeof(u16);
-+ return 1;
-+ }
-+ return 0;
-+}
-+
- static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
- {
- if (unpack_nameX(e, AA_U32, name)) {
-@@ -519,7 +532,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
- {
- struct aa_profile *profile = NULL;
- const char *tmpname, *tmpns = NULL, *name = NULL;
-- size_t ns_len;
-+ size_t ns_len, size = 0;
- struct rhashtable_params params = { 0 };
- char *key = NULL;
- struct aa_data *data;
-@@ -635,6 +648,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
- if (!unpack_rlimits(e, profile))
- goto fail;
-
-+ size = unpack_array(e, "net_allowed_af");
-+ if (size) {
-+
-+ for (i = 0; i < size; i++) {
-+ /* discard extraneous rules that this kernel will
-+ * never request
-+ */
-+ if (i >= AF_MAX) {
-+ u16 tmp;
-+ if (!unpack_u16(e, &tmp, NULL) ||
-+ !unpack_u16(e, &tmp, NULL) ||
-+ !unpack_u16(e, &tmp, NULL))
-+ goto fail;
-+ continue;
-+ }
-+ if (!unpack_u16(e, &profile->net.allow[i], NULL))
-+ goto fail;
-+ if (!unpack_u16(e, &profile->net.audit[i], NULL))
-+ goto fail;
-+ if (!unpack_u16(e, &profile->net.quiet[i], NULL))
-+ goto fail;
-+ }
-+ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
-+ goto fail;
-+ }
-+ /*
-+ * allow unix domain and netlink sockets they are handled
-+ * by IPC
-+ */
-+ profile->net.allow[AF_UNIX] = 0xffff;
-+ profile->net.allow[AF_NETLINK] = 0xffff;
-+
- if (unpack_nameX(e, AA_STRUCT, "policydb")) {
- /* generic policy dfa - optional and may be NULL */
- profile->policy.dfa = unpack_dfa(e);
-commit b866a43c2897f5469c9d787426144074a3713f6a
-Author: John Johansen <john.johansen at canonical.com>
-Date: Fri Jun 29 17:34:00 2012 -0700
-
- apparmor: Fix quieting of audit messages for network mediation
-
- If a profile specified a quieting of network denials for a given rule by
- either the quiet or deny rule qualifiers, the resultant quiet mask for
- denied requests was applied incorrectly, resulting in two potential bugs.
- 1. The misapplied quiet mask would prevent denials from being correctly
- tested against the kill mask/mode. Thus network access requests that
- should have resulted in the application being killed did not.
-
- 2. The actual quieting of the denied network request was not being applied.
- This would result in network rejections always being logged even when
- they had been specifically marked as quieted.
-
- Signed-off-by: John Johansen <john.johansen at canonical.com>
-
-diff --git a/security/apparmor/net.c b/security/apparmor/net.c
-index b9c8cd0e882e..5ba19ad1d65c 100644
---- a/security/apparmor/net.c
-+++ b/security/apparmor/net.c
-@@ -74,7 +74,7 @@ static int audit_net(struct aa_profile *profile, const char *op, u16 family,
- } else {
- u16 quiet_mask = profile->net.quiet[sa.u.net->family];
- u16 kill_mask = 0;
-- u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
-+ u16 denied = (1 << aad(&sa)->net.type);
-
- if (denied & kill_mask)
- audit_type = AUDIT_APPARMOR_KILL;
commit 4429c3f9522b608300cfe1ae148dc6cdadf3d76c
Author: John Johansen <john.johansen at canonical.com>
Date: Wed May 16 10:58:05 2012 -0700
diff --git a/kernel-apparmor-net-audit.patch b/kernel-apparmor-net-audit.patch
new file mode 100644
index 00000000..99184e6d
--- /dev/null
+++ b/kernel-apparmor-net-audit.patch
@@ -0,0 +1,32 @@
+commit b866a43c2897f5469c9d787426144074a3713f6a
+Author: John Johansen <john.johansen at canonical.com>
+Date: Fri Jun 29 17:34:00 2012 -0700
+
+ apparmor: Fix quieting of audit messages for network mediation
+
+ If a profile specified a quieting of network denials for a given rule by
+ either the quiet or deny rule qualifiers, the resultant quiet mask for
+ denied requests was applied incorrectly, resulting in two potential bugs.
+ 1. The misapplied quiet mask would prevent denials from being correctly
+ tested against the kill mask/mode. Thus network access requests that
+ should have resulted in the application being killed did not.
+
+ 2. The actual quieting of the denied network request was not being applied.
+ This would result in network rejections always being logged even when
+ they had been specifically marked as quieted.
+
+ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+index b9c8cd0e882e..5ba19ad1d65c 100644
+--- a/security/apparmor/net.c
++++ b/security/apparmor/net.c
+@@ -74,7 +74,7 @@ static int audit_net(struct aa_profile *profile, const char *op, u16 family,
+ } else {
+ u16 quiet_mask = profile->net.quiet[sa.u.net->family];
+ u16 kill_mask = 0;
+- u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
++ u16 denied = (1 << aad(&sa)->net.type);
+
+ if (denied & kill_mask)
+ audit_type = AUDIT_APPARMOR_KILL;
diff --git a/kernel-apparmor-net.patch b/kernel-apparmor-net.patch
new file mode 100644
index 00000000..21d78494
--- /dev/null
+++ b/kernel-apparmor-net.patch
@@ -0,0 +1,589 @@
+commit 97b3200925ba627346432edf521d49de8bb018a3
+Author: John Johansen <john.johansen at canonical.com>
+Date: Mon Oct 4 15:03:36 2010 -0700
+
+ UBUNTU: SAUCE: AppArmor: basic networking rules
+
+ Base support for network mediation.
+
+ Signed-off-by: John Johansen <john.johansen at canonical.com>
+
+diff --git a/security/apparmor/.gitignore b/security/apparmor/.gitignore
+index 9cdec70d72b8..d5b291e94264 100644
+--- a/security/apparmor/.gitignore
++++ b/security/apparmor/.gitignore
+@@ -1,5 +1,6 @@
+ #
+ # Generated include files
+ #
++net_names.h
+ capability_names.h
+ rlim_names.h
+diff --git a/security/apparmor/Makefile b/security/apparmor/Makefile
+index ad369a7aac24..a7dc10be232d 100644
+--- a/security/apparmor/Makefile
++++ b/security/apparmor/Makefile
+@@ -4,10 +4,10 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
+
+ apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
+ path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
+- resource.o secid.o file.o policy_ns.o
++ resource.o secid.o file.o policy_ns.o net.o
+ apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
+
+-clean-files := capability_names.h rlim_names.h
++clean-files := capability_names.h rlim_names.h net_names.h
+
+
+ # Build a lower case string table of capability names
+@@ -25,6 +25,38 @@ cmd_make-caps = echo "static const char *const capability_names[] = {" > $@ ;\
+ -e 's/^\#define[ \t]+CAP_([A-Z0-9_]+)[ \t]+([0-9]+)/\L\1/p' | \
+ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
++# Build a lower case string table of address family names
++# Transform lines from
++# define AF_LOCAL 1 /* POSIX name for AF_UNIX */
++# #define AF_INET 2 /* Internet IP Protocol */
++# to
++# [1] = "local",
++# [2] = "inet",
++#
++# and build the securityfs entries for the mapping.
++# Transforms lines from
++# #define AF_INET 2 /* Internet IP Protocol */
++# to
++# #define AA_FS_AF_MASK "local inet"
++quiet_cmd_make-af = GEN $@
++cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
++ sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e \
++ 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++ echo "};" >> $@ ;\
++ echo -n '\#define AA_FS_AF_MASK "' >> $@ ;\
++ sed -r -n 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
++ $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
++
++# Build a lower case string table of sock type names
++# Transform lines from
++# SOCK_STREAM = 1,
++# to
++# [1] = "stream",
++quiet_cmd_make-sock = GEN $@
++cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
++ sed $^ >>$@ -r -n \
++ -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
++ echo "};" >> $@
+
+ # Build a lower case string table of rlimit names.
+ # Transforms lines from
+@@ -61,6 +93,7 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
+ tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
+
+ $(obj)/capability.o : $(obj)/capability_names.h
++$(obj)/net.o : $(obj)/net_names.h
+ $(obj)/resource.o : $(obj)/rlim_names.h
+ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
+ $(src)/Makefile
+@@ -68,3 +101,8 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
+ $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
+ $(src)/Makefile
+ $(call cmd,make-rlim)
++$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
++ $(srctree)/include/linux/net.h \
++ $(src)/Makefile
++ $(call cmd,make-af)
++ $(call cmd,make-sock)
+diff --git a/security/apparmor/apparmorfs.c b/security/apparmor/apparmorfs.c
+index 41073f70eb41..4d236736cfb8 100644
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -1209,6 +1209,7 @@ static struct aa_fs_entry aa_fs_entry_features[] = {
+ AA_FS_DIR("policy", aa_fs_entry_policy),
+ AA_FS_DIR("domain", aa_fs_entry_domain),
+ AA_FS_DIR("file", aa_fs_entry_file),
++ AA_FS_DIR("network", aa_fs_entry_network),
+ AA_FS_FILE_U64("capability", VFS_CAP_FLAGS_MASK),
+ AA_FS_DIR("rlimit", aa_fs_entry_rlimit),
+ AA_FS_DIR("caps", aa_fs_entry_caps),
+diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h
+index fdc4774318ba..0df708e8748b 100644
+--- a/security/apparmor/include/audit.h
++++ b/security/apparmor/include/audit.h
+@@ -127,6 +127,10 @@ struct apparmor_audit_data {
+ int rlim;
+ unsigned long max;
+ } rlim;
++ struct {
++ int type, protocol;
++ struct sock *sk;
++ } net;
+ };
+ };
+
+diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
+new file mode 100644
+index 000000000000..55da1dad8720
+--- /dev/null
++++ b/security/apparmor/include/net.h
+@@ -0,0 +1,59 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation definitions.
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#ifndef __AA_NET_H
++#define __AA_NET_H
++
++#include <net/sock.h>
++
++#include "apparmorfs.h"
++
++/* struct aa_net - network confinement data
++ * @allowed: basic network families permissions
++ * @audit_network: which network permissions to force audit
++ * @quiet_network: which network permissions to quiet rejects
++ */
++struct aa_net {
++ u16 allow[AF_MAX];
++ u16 audit[AF_MAX];
++ u16 quiet[AF_MAX];
++};
++
++extern struct aa_fs_entry aa_fs_entry_network[];
++
++#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P) \
++ struct lsm_network_audit NAME ## _net = { .sk = (SK), \
++ .family = (F)}; \
++ DEFINE_AUDIT_DATA(NAME, \
++ ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
++ LSM_AUDIT_DATA_NONE, \
++ OP); \
++ NAME.u.net = &(NAME ## _net); \
++ aad(&NAME)->net.type = (T); \
++ aad(&NAME)->net.protocol = (P)
++
++#define DEFINE_AUDIT_SK(NAME, OP, SK) \
++ DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type, \
++ (SK)->sk_protocol)
++
++extern int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
++ int type, int protocol, struct sock *sk);
++extern int aa_revalidate_sk(const char *op, struct sock *sk);
++
++static inline void aa_free_net_rules(struct aa_net *new)
++{
++ /* NOP */
++}
++
++#endif /* __AA_NET_H */
+diff --git a/security/apparmor/include/policy.h b/security/apparmor/include/policy.h
+index 67bc96afe541..a3d18ea8d730 100644
+--- a/security/apparmor/include/policy.h
++++ b/security/apparmor/include/policy.h
+@@ -28,6 +28,7 @@
+ #include "capability.h"
+ #include "domain.h"
+ #include "file.h"
++#include "net.h"
+ #include "lib.h"
+ #include "resource.h"
+
+@@ -132,6 +133,7 @@ struct aa_data {
+ * @policy: general match rules governing policy
+ * @file: The set of rules governing basic file access and domain transitions
+ * @caps: capabilities for the profile
++ * @net: network controls for the profile
+ * @rlimits: rlimits for the profile
+ *
+ * @dents: dentries for the profiles file entries in apparmorfs
+@@ -174,6 +176,7 @@ struct aa_profile {
+ struct aa_policydb policy;
+ struct aa_file_rules file;
+ struct aa_caps caps;
++ struct aa_net net;
+ struct aa_rlimit rlimits;
+
+ struct aa_loaddata *rawdata;
+diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
+index 709eacd23909..e3017129a404 100644
+--- a/security/apparmor/lsm.c
++++ b/security/apparmor/lsm.c
+@@ -33,6 +33,7 @@
+ #include "include/context.h"
+ #include "include/file.h"
+ #include "include/ipc.h"
++#include "include/net.h"
+ #include "include/path.h"
+ #include "include/policy.h"
+ #include "include/policy_ns.h"
+@@ -587,6 +588,104 @@ static int apparmor_task_setrlimit(struct task_struct *task,
+ return error;
+ }
+
++static int apparmor_socket_create(int family, int type, int protocol, int kern)
++{
++ struct aa_profile *profile;
++ int error = 0;
++
++ if (kern)
++ return 0;
++
++ profile = __aa_current_profile();
++ if (!unconfined(profile))
++ error = aa_net_perm(OP_CREATE, profile, family, type, protocol,
++ NULL);
++ return error;
++}
++
++static int apparmor_socket_bind(struct socket *sock,
++ struct sockaddr *address, int addrlen)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_BIND, sk);
++}
++
++static int apparmor_socket_connect(struct socket *sock,
++ struct sockaddr *address, int addrlen)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_CONNECT, sk);
++}
++
++static int apparmor_socket_listen(struct socket *sock, int backlog)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_LISTEN, sk);
++}
++
++static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_ACCEPT, sk);
++}
++
++static int apparmor_socket_sendmsg(struct socket *sock,
++ struct msghdr *msg, int size)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SENDMSG, sk);
++}
++
++static int apparmor_socket_recvmsg(struct socket *sock,
++ struct msghdr *msg, int size, int flags)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_RECVMSG, sk);
++}
++
++static int apparmor_socket_getsockname(struct socket *sock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETSOCKNAME, sk);
++}
++
++static int apparmor_socket_getpeername(struct socket *sock)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETPEERNAME, sk);
++}
++
++static int apparmor_socket_getsockopt(struct socket *sock, int level,
++ int optname)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_GETSOCKOPT, sk);
++}
++
++static int apparmor_socket_setsockopt(struct socket *sock, int level,
++ int optname)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SETSOCKOPT, sk);
++}
++
++static int apparmor_socket_shutdown(struct socket *sock, int how)
++{
++ struct sock *sk = sock->sk;
++
++ return aa_revalidate_sk(OP_SHUTDOWN, sk);
++}
++
+ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
+ LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
+ LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
+@@ -616,6 +715,19 @@ static struct security_hook_list apparmor_hooks[] = {
+ LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
+ LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
+
++ LSM_HOOK_INIT(socket_create, apparmor_socket_create),
++ LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
++ LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
++ LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
++ LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
++ LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
++ LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
++ LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
++ LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
++ LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
++ LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
++ LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
++
+ LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
+ LSM_HOOK_INIT(cred_free, apparmor_cred_free),
+ LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
+diff --git a/security/apparmor/net.c b/security/apparmor/net.c
+new file mode 100644
+index 000000000000..b9c8cd0e882e
+--- /dev/null
++++ b/security/apparmor/net.c
+@@ -0,0 +1,148 @@
++/*
++ * AppArmor security module
++ *
++ * This file contains AppArmor network mediation
++ *
++ * Copyright (C) 1998-2008 Novell/SUSE
++ * Copyright 2009-2012 Canonical Ltd.
++ *
++ * This program is free software; you can redistribute it and/or
++ * modify it under the terms of the GNU General Public License as
++ * published by the Free Software Foundation, version 2 of the
++ * License.
++ */
++
++#include "include/apparmor.h"
++#include "include/audit.h"
++#include "include/context.h"
++#include "include/net.h"
++#include "include/policy.h"
++
++#include "net_names.h"
++
++struct aa_fs_entry aa_fs_entry_network[] = {
++ AA_FS_FILE_STRING("af_mask", AA_FS_AF_MASK),
++ { }
++};
++
++/* audit callback for net specific fields */
++static void audit_cb(struct audit_buffer *ab, void *va)
++{
++ struct common_audit_data *sa = va;
++
++ audit_log_format(ab, " family=");
++ if (address_family_names[sa->u.net->family]) {
++ audit_log_string(ab, address_family_names[sa->u.net->family]);
++ } else {
++ audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
++ }
++ audit_log_format(ab, " sock_type=");
++ if (sock_type_names[aad(sa)->net.type]) {
++ audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
++ } else {
++ audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
++ }
++ audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
++}
++
++/**
++ * audit_net - audit network access
++ * @profile: profile being enforced (NOT NULL)
++ * @op: operation being checked
++ * @family: network family
++ * @type: network type
++ * @protocol: network protocol
++ * @sk: socket auditing is being applied to
++ * @error: error code for failure else 0
++ *
++ * Returns: %0 or sa->error else other errorcode on failure
++ */
++static int audit_net(struct aa_profile *profile, const char *op, u16 family,
++ int type, int protocol, struct sock *sk, int error)
++{
++ int audit_type = AUDIT_APPARMOR_AUTO;
++ DEFINE_AUDIT_NET(sa, op, sk, family, type, protocol);
++
++ aad(&sa)->error = error;
++
++ if (likely(!aad(&sa)->error)) {
++ u16 audit_mask = profile->net.audit[sa.u.net->family];
++ if (likely((AUDIT_MODE(profile) != AUDIT_ALL) &&
++ !(1 << aad(&sa)->net.type & audit_mask)))
++ return 0;
++ audit_type = AUDIT_APPARMOR_AUDIT;
++ } else {
++ u16 quiet_mask = profile->net.quiet[sa.u.net->family];
++ u16 kill_mask = 0;
++ u16 denied = (1 << aad(&sa)->net.type) & ~quiet_mask;
++
++ if (denied & kill_mask)
++ audit_type = AUDIT_APPARMOR_KILL;
++
++ if ((denied & quiet_mask) &&
++ AUDIT_MODE(profile) != AUDIT_NOQUIET &&
++ AUDIT_MODE(profile) != AUDIT_ALL)
++ return COMPLAIN_MODE(profile) ? 0 : aad(&sa)->error;
++ }
++
++ return aa_audit(audit_type, profile, &sa, audit_cb);
++}
++
++/**
++ * aa_net_perm - very course network access check
++ * @op: operation being checked
++ * @profile: profile being enforced (NOT NULL)
++ * @family: network family
++ * @type: network type
++ * @protocol: network protocol
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_net_perm(const char *op, struct aa_profile *profile, u16 family,
++ int type, int protocol, struct sock *sk)
++{
++ u16 family_mask;
++ int error;
++
++ if ((family < 0) || (family >= AF_MAX))
++ return -EINVAL;
++
++ if ((type < 0) || (type >= SOCK_MAX))
++ return -EINVAL;
++
++ /* unix domain and netlink sockets are handled by ipc */
++ if (family == AF_UNIX || family == AF_NETLINK)
++ return 0;
++
++ family_mask = profile->net.allow[family];
++
++ error = (family_mask & (1 << type)) ? 0 : -EACCES;
++
++ return audit_net(profile, op, family, type, protocol, sk, error);
++}
++
++/**
++ * aa_revalidate_sk - Revalidate access to a sock
++ * @op: operation being checked
++ * @sk: sock being revalidated (NOT NULL)
++ *
++ * Returns: %0 else error if permission denied
++ */
++int aa_revalidate_sk(const char *op, struct sock *sk)
++{
++ struct aa_profile *profile;
++ int error = 0;
++
++ /* aa_revalidate_sk should not be called from interrupt context
++ * don't mediate these calls as they are not task related
++ */
++ if (in_interrupt())
++ return 0;
++
++ profile = __aa_current_profile();
++ if (!unconfined(profile))
++ error = aa_net_perm(op, profile, sk->sk_family, sk->sk_type,
++ sk->sk_protocol, sk);
++
++ return error;
++}
+diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c
+index def1fbd6bdfd..9fe7b9d4500f 100644
+--- a/security/apparmor/policy.c
++++ b/security/apparmor/policy.c
+@@ -237,6 +237,7 @@ void aa_free_profile(struct aa_profile *profile)
+
+ aa_free_file_rules(&profile->file);
+ aa_free_cap_rules(&profile->caps);
++ aa_free_net_rules(&profile->net);
+ aa_free_rlimit_rules(&profile->rlimits);
+
+ kzfree(profile->dirname);
+diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
+index 2e37c9c26bbd..bc23a5b3b113 100644
+--- a/security/apparmor/policy_unpack.c
++++ b/security/apparmor/policy_unpack.c
+@@ -217,6 +217,19 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
+ return 0;
+ }
+
++static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
++{
++ if (unpack_nameX(e, AA_U16, name)) {
++ if (!inbounds(e, sizeof(u16)))
++ return 0;
++ if (data)
++ *data = le16_to_cpu(get_unaligned((u16 *) e->pos));
++ e->pos += sizeof(u16);
++ return 1;
++ }
++ return 0;
++}
++
+ static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
+ {
+ if (unpack_nameX(e, AA_U32, name)) {
+@@ -519,7 +532,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+ {
+ struct aa_profile *profile = NULL;
+ const char *tmpname, *tmpns = NULL, *name = NULL;
+- size_t ns_len;
++ size_t ns_len, size = 0;
+ struct rhashtable_params params = { 0 };
+ char *key = NULL;
+ struct aa_data *data;
+@@ -635,6 +648,38 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
+ if (!unpack_rlimits(e, profile))
+ goto fail;
+
++ size = unpack_array(e, "net_allowed_af");
++ if (size) {
++
++ for (i = 0; i < size; i++) {
++ /* discard extraneous rules that this kernel will
++ * never request
++ */
++ if (i >= AF_MAX) {
++ u16 tmp;
++ if (!unpack_u16(e, &tmp, NULL) ||
++ !unpack_u16(e, &tmp, NULL) ||
++ !unpack_u16(e, &tmp, NULL))
++ goto fail;
++ continue;
++ }
++ if (!unpack_u16(e, &profile->net.allow[i], NULL))
++ goto fail;
++ if (!unpack_u16(e, &profile->net.audit[i], NULL))
++ goto fail;
++ if (!unpack_u16(e, &profile->net.quiet[i], NULL))
++ goto fail;
++ }
++ if (!unpack_nameX(e, AA_ARRAYEND, NULL))
++ goto fail;
++ }
++ /*
++ * allow unix domain and netlink sockets they are handled
++ * by IPC
++ */
++ profile->net.allow[AF_UNIX] = 0xffff;
++ profile->net.allow[AF_NETLINK] = 0xffff;
++
+ if (unpack_nameX(e, AA_STRUCT, "policydb")) {
+ /* generic policy dfa - optional and may be NULL */
+ profile->policy.dfa = unpack_dfa(e);
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/kernel.git/commitdiff/65a88893d9195d5cd9a54a346cd0a7cfffbfbdc8
More information about the pld-cvs-commit
mailing list