mirrors/apparmor
1
0
Fork 0
mirror of https://gitlab.com/apparmor/apparmor.git synced 2025-03-04 08:24:42 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions
apparmor/parser/af_unix.cc

417 lines
11 KiB
C++
Raw Normal View History

parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
/*
* Copyright (c) 2014
* Canonical, Ltd. (All rights reserved)
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of version 2 of the GNU General Public
* License published by the Free Software Foundation.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, contact Novell, Inc. or Canonical
* Ltd.
*/
#include <stdlib.h>
#include <string.h>
#include <sys/apparmor.h>
#include <iomanip>
#include <string>
#include <iostream>
#include <sstream>
#include "network.h"
#include "parser.h"
#include "profile.h"
#include "af_unix.h"
int parse_unix_mode(const char *str_mode, int *mode, int fail)
{
return parse_X_mode("unix", AA_VALID_NET_PERMS, str_mode, mode, fail);
}
static struct supported_cond supported_conds[] = {
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
{ "addr", true, false, false, either_cond },
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
{ NULL, false, false, false, local_cond }, /* sentinal */
};
void unix_rule::move_conditionals(struct cond_entry *conds)
{
struct cond_entry *ent;
list_for_each(conds, ent) {
if (!cond_check(supported_conds, ent, false, "unix") &&
!move_base_cond(ent, false)) {
yyerror("unix rule: invalid conditional '%s'\n",
ent->name);
continue;
}
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
if (strcmp(ent->name, "addr") == 0) {
move_conditional_value("unix socket", &addr, ent);
if (addr[0] != '@' && strcmp(addr, "none") != 0)
yyerror("unix rule: invalid value for addr='%s'\n", addr);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
}
/* TODO: add conditionals for
* listen queue length
* attrs that can be read/set
* ops that can be read/set
* allow in on
* type, protocol
* local label match, and set
*/
}
}
void unix_rule::move_peer_conditionals(struct cond_entry *conds)
{
struct cond_entry *ent;
list_for_each(conds, ent) {
if (!cond_check(supported_conds, ent, true, "unix") &&
!move_base_cond(ent, true)) {
yyerror("unix rule: invalid peer conditional '%s'\n",
ent->name);
continue;
}
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
if (strcmp(ent->name, "addr") == 0) {
move_conditional_value("unix", &peer_addr, ent);
parser: Fix segfault in af_unix rule processing This patch fixes a segfault that was occurring in testing over the weekend. The problem existed in the original patch that adds af_unix rules (lp:apparmor commit 2615). Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: John Johansen <john.johansen@canonical.com>
2014-09-03 14:08:48 -07:00
if (peer_addr[0] != '@' && strcmp(peer_addr, "none") != 0)
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
yyerror("unix rule: invalid value for addr='%s'\n", peer_addr);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
}
}
}
unix_rule::unix_rule(unsigned int type_p, bool audit_p, bool denied):
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
af_rule("unix"), addr(NULL), peer_addr(NULL)
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
{
if (type_p != 0xffffffff) {
sock_type_n = type_p;
sock_type = strdup(net_find_type_name(type_p));
if (!sock_type)
yyerror("socket rule: invalid socket type '%d'", type_p);
}
mode = AA_VALID_NET_PERMS;
audit = audit_p ? AA_VALID_NET_PERMS : 0;
deny = denied;
}
unix_rule::unix_rule(int mode_p, struct cond_entry *conds,
struct cond_entry *peer_conds):
parser: initialize perms in unix_rule constructor Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 15:03:05 -07:00
af_rule("unix"), addr(NULL), peer_addr(NULL),
audit(0), deny(0)
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
{
move_conditionals(conds);
move_peer_conditionals(peer_conds);
if (mode_p) {
mode = mode_p;
if (mode & ~AA_VALID_NET_PERMS)
yyerror("mode contains invalid permissions for unix socket rules\n");
else if ((mode & AA_NET_BIND) &&
((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
/* Do we want to loosen this? */
yyerror("unix socket 'bind' access cannot be used with message rule conditionals\n");
else if ((mode & AA_NET_LISTEN) &&
((mode & AA_PEER_NET_PERMS) || has_peer_conds()))
/* Do we want to loosen this? */
yyerror("unix socket 'listen' access cannot be used with message rule conditionals\n");
} else {
mode = AA_VALID_NET_PERMS;
}
free_cond_list(conds);
free_cond_list(peer_conds);
}
ostream &unix_rule::dump_local(ostream &os)
{
af_rule::dump_local(os);
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
if (addr)
os << "addr='" << addr << "'";
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
return os;
}
ostream &unix_rule::dump_peer(ostream &os)
{
af_rule::dump_peer(os);
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
if (peer_addr)
os << "addr='" << peer_addr << "'";
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
return os;
}
int unix_rule::expand_variables(void)
{
int error = af_rule::expand_variables();
if (error)
return error;
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
error = expand_entry_variables(&addr);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
if (error)
return error;
parser: Convert af_unix rules to support addr= rather than path= This patch converts the path= modifier to the af_unix rules to use addr= instead. Signed-off-by: Steve Beattie <steve@nxnw.org> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 14:02:25 -07:00
error = expand_entry_variables(&peer_addr);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
if (error)
return error;
return 0;
}
/* do we want to warn once/profile or just once per compile?? */
static void warn_once(const char *name, const char *msg)
{
static const char *warned_name = NULL;
if (warned_name != name) {
cerr << "Warning from profile " << name << " (";
if (current_filename)
cerr << current_filename;
else
cerr << "stdin";
cerr << "): " << msg << "\n";
warned_name = name;
}
}
static void warn_once(const char *name)
{
warn_once(name, "extended network unix socket rules not enforced");
}
parser: Don't write the stream's address to the rule buffer The writeu16() function was returning the address of the passed in std::ostringstream and then the callers of that function were incorrectly writing that address to the rule buffer. Before: $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {43} (0x 46/0/0/0) {44} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {5} -> {7}: 0x1 {6} -> {2}: 0x31 1 {7} -> {8}: 0x30 0 {8} -> {9}: 0x78 x {9} -> {10}: 0x37 7 {10} -> {11}: 0x66 f {11} -> {12}: 0x66 f {12} -> {13}: 0x66 f {13} -> {14}: 0x31 1 {14} -> {15}: 0x30 0 {15} -> {16}: 0x34 4 {16} -> {17}: 0x66 f {17} -> {18}: 0x33 3 {18} -> {19}: 0x35 5 {19} -> {20}: 0x31 1 {20} -> {21}: 0x38 8 {21} -> {22}: 0x0 {22} -> {23}: 0x1 {23} -> {24}: 0x30 0 {24} -> {25}: 0x78 x {25} -> {26}: 0x37 7 {26} -> {27}: 0x66 f {27} -> {28}: 0x66 f {28} -> {29}: 0x66 f {29} -> {30}: 0x31 1 {30} -> {31}: 0x30 0 {31} -> {32}: 0x34 4 {32} -> {33}: 0x66 f {33} -> {34}: 0x33 3 {34} -> {35}: 0x35 5 {35} -> {36}: 0x31 1 {36} -> {37}: 0x38 8 {37} -> {38}: [] {38} -> {39}: [] {39} -> {40}: 0x0 {39} -> {39}: [] {40} -> {40}: 0x0 {40} -> {41}: 0x1 {40} -> {39}: [] {41} -> {42}: 0x0 {41} -> {39}: [] {42} -> {40}: 0x0 {42} -> {44}: 0x1 {42} -> {43}: [] {43} (0x 46/0/0/0) -> {40}: 0x0 {43} (0x 46/0/0/0) -> {43}: [] {44} (0x 46/0/0/0) -> {42}: 0x0 {44} (0x 46/0/0/0) -> {43}: [] After: $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {15} (0x 46/0/0/0) {16} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {5} -> {7}: 0x1 {6} -> {2}: 0x31 1 {7} -> {8}: 0x0 {8} -> {9}: 0x1 {9} -> {10}: [] {10} -> {11}: [] {11} -> {12}: 0x0 {11} -> {11}: [] {12} -> {12}: 0x0 {12} -> {13}: 0x1 {12} -> {11}: [] {13} -> {14}: 0x0 {13} -> {11}: [] {14} -> {12}: 0x0 {14} -> {16}: 0x1 {14} -> {15}: [] {15} (0x 46/0/0/0) -> {12}: 0x0 {15} (0x 46/0/0/0) -> {15}: [] {16} (0x 46/0/0/0) -> {14}: 0x0 {16} (0x 46/0/0/0) -> {15}: [] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 15:46:39 -07:00
static void writeu16(std::ostringstream &o, int v)
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
{
u16 tmp = htobe16((u16) v);
parser: Adjust writeu16() to output escaped byte sequences The writeu16() function was outputting unescaped byte sequences to the rule buffer. That resulted the generation of in an incomplete rule if one of those unescaped byte sequences contained 0x00. This patch uses u8 pointers, instead of char pointers, when writing out the big endian u16 value. More importantly, it casts the u8 values to unsigned ints, which is what's needed to get the properly escaped byte sequences. Before: $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {5} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {6} -> {2}: 0x31 1 After (the next patch fixes the pointer values that are being written out): $ echo "/t { unix (connect,read,write) type=stream, }" | apparmor_parser -qQD dfa-states {1} <== (allow/deny/audit/quiet) {2} (0x 4/0/0/0) {3} (0x 4/0/0/0) {43} (0x 46/0/0/0) {44} (0x 46/0/0/0) {1} -> {2}: 0x2 {1} -> {3}: 0x4 {1} -> {2}: 0x7 {1} -> {2}: 0x9 {1} -> {2}: 0xa {1} -> {2}: 0x20 \ {1} -> {4}: 0x34 4 {3} (0x 4/0/0/0) -> {5}: 0x0 {4} -> {6}: 0x0 {5} -> {7}: 0x1 {6} -> {2}: 0x31 1 {7} -> {8}: 0x30 0 {8} -> {9}: 0x78 x {9} -> {10}: 0x37 7 {10} -> {11}: 0x66 f {11} -> {12}: 0x66 f {12} -> {13}: 0x66 f {13} -> {14}: 0x31 1 {14} -> {15}: 0x30 0 {15} -> {16}: 0x34 4 {16} -> {17}: 0x66 f {17} -> {18}: 0x33 3 {18} -> {19}: 0x35 5 {19} -> {20}: 0x31 1 {20} -> {21}: 0x38 8 {21} -> {22}: 0x0 {22} -> {23}: 0x1 {23} -> {24}: 0x30 0 {24} -> {25}: 0x78 x {25} -> {26}: 0x37 7 {26} -> {27}: 0x66 f {27} -> {28}: 0x66 f {28} -> {29}: 0x66 f {29} -> {30}: 0x31 1 {30} -> {31}: 0x30 0 {31} -> {32}: 0x34 4 {32} -> {33}: 0x66 f {33} -> {34}: 0x33 3 {34} -> {35}: 0x35 5 {35} -> {36}: 0x31 1 {36} -> {37}: 0x38 8 {37} -> {38}: [] {38} -> {39}: [] {39} -> {40}: 0x0 {39} -> {39}: [] {40} -> {40}: 0x0 {40} -> {41}: 0x1 {40} -> {39}: [] {41} -> {42}: 0x0 {41} -> {39}: [] {42} -> {40}: 0x0 {42} -> {44}: 0x1 {42} -> {43}: [] {43} (0x 46/0/0/0) -> {40}: 0x0 {43} (0x 46/0/0/0) -> {43}: [] {44} (0x 46/0/0/0) -> {42}: 0x0 {44} (0x 46/0/0/0) -> {43}: [] Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 15:10:41 -07:00
u8 *byte1 = (u8 *)&tmp;
u8 *byte2 = byte1 + 1;
o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte1);
o << "\\x" << std::setfill('0') << std::setw(2) << std::hex << static_cast<unsigned int>(*byte2);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
}
#define CMD_ADDR 1
#define CMD_LISTEN 2
#define CMD_ACCEPT 3
#define CMD_OPT 4
void unix_rule::downgrade_rule(Profile &prof) {
if (!prof.net.allow && !prof.alloc_net_table())
yyerror(_("Memory allocation error."));
if (deny) {
prof.net.deny[AF_UNIX] |= 1 << sock_type_n;
if (!audit)
prof.net.quiet[AF_UNIX] |= 1 << sock_type_n;
} else {
prof.net.allow[AF_UNIX] |= 1 << sock_type_n;
if (audit)
prof.net.audit[AF_UNIX] |= 1 << sock_type_n;
}
}
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
static uint32_t map_perms(uint32_t mask)
{
return (mask & 0x7f) |
((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
}
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
void unix_rule::write_to_prot(std::ostringstream &buffer)
{
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << AA_CLASS_NET;
writeu16(buffer, AF_UNIX);
if (sock_type)
writeu16(buffer, sock_type_n);
else
buffer << "..";
if (proto)
writeu16(buffer, proto_n);
else
buffer << "..";
}
bool unix_rule::write_addr(std::ostringstream &buffer, const char *addr)
{
std::string buf;
pattern_t ptype;
if (addr) {
int pos;
if (strcmp(addr, "none") == 0) {
/* anonymous */
buffer << "\\x01";
} else {
/* skip leading @ */
ptype = convert_aaregex_to_pcre(addr + 1, 0, buf, &pos);
if (ptype == ePatternInvalid)
return false;
/* kernel starts abstract with \0 */
buffer << "\\x00";
buffer << buf;
}
} else
/* match any addr or anonymous */
buffer << ".*";
/* todo: change to out of band separator */
buffer << "\\x00";
return true;
}
bool unix_rule::write_label(std::ostringstream &buffer, const char *label)
{
std::string buf;
pattern_t ptype;
if (label) {
int pos;
ptype = convert_aaregex_to_pcre(label, 0, buf, &pos);
if (ptype == ePatternInvalid)
return false;
/* kernel starts abstract with \0 */
buffer << buf;
} else
buffer << default_match_pattern;
return true;
}
/* General Layout
*
* Local socket end point perms
* CLASS_NET AF TYPE PROTO local (addr\0label) \0 cmd cmd_option
* ^ ^ ^ ^ ^
* | | | | |
* stub perm | | | |
* | | | |
* sub stub perm | | |
* | | |
* create perm | |
* | |
* | |
* bind, accept, get/set attr |
* |
* listen, set/get opt perm
*
*
* peer socket end point perms
* CLASS_NET AF TYPE PROTO local(addr\0label\0) cmd_addr peer(addr\0label )
* ^
* |
* send/receive connect/accept perm
*
* NOTE: accept is encoded twice, locally to check if a socket is allowed
* to accept, and then as a pair to test that it can accept the pair.
*/
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
int unix_rule::gen_policy_re(Profile &prof)
{
std::ostringstream buffer, tmp;
std::string buf;
int mask = mode;
/* always generate a downgraded rule. This doesn't change generated
* policy size and allows the binary policy to be loaded against
* older kernels and be enforced to the best of the old network
* rules ability
*/
downgrade_rule(prof);
if (!kernel_supports_unix) {
if (kernel_supports_network) {
/* only warn if we are building against a kernel
* that requires downgrading */
warn_once(prof.name, "downgrading extended network unix socket rule to generic network rule\n");
/* TODO: add ability to abort instead of downgrade */
return RULE_OK;
}
warn_once(prof.name);
return RULE_NOT_SUPPORTED;
}
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
write_to_prot(buffer);
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
if (mask & AA_NET_CREATE) {
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
map_perms(AA_NET_CREATE),
map_perms(audit & AA_NET_CREATE),
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
dfaflags))
goto fail;
mask &= ~AA_NET_CREATE;
}
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
if (mask) {
/* local addr */
if (!write_addr(buffer, addr))
goto fail;
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
/* local label option */
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
if (!write_label(buffer, label))
goto fail;
/* seperator */
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
buffer << "\\x00";
/* create already masked off */
if (mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD) {
buf = buffer.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
map_perms(mask & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
map_perms(audit & AA_LOCAL_NET_PERMS & ~AA_LOCAL_NET_CMD),
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
dfaflags))
goto fail;
}
if (mask & AA_NET_LISTEN) {
tmp.str(buffer.str());
tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_LISTEN;
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
/* TODO: backlog conditional: for now match anything*/
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
tmp << "..";
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
map_perms(AA_NET_LISTEN),
map_perms(audit & AA_NET_LISTEN),
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
dfaflags))
goto fail;
}
if (mask & AA_NET_OPT) {
tmp.str(buffer.str());
tmp << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_OPT;
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
/* TODO: sockopt conditional: for now match anything */
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
tmp << "..";
buf = tmp.str();
if (!prof.policy.rules->add_rule(buf.c_str(), deny,
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
map_perms(AA_NET_OPT),
map_perms(audit & AA_NET_OPT),
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
dfaflags))
goto fail;
}
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
mask &= ~AA_LOCAL_NET_PERMS | AA_NET_ACCEPT;
} /* if (mask) */
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
if (mask & AA_PEER_NET_PERMS) {
/* cmd selector */
buffer << "\\x" << std::setfill('0') << std::setw(2) << std::hex << CMD_ADDR;
parser: change/fix the encoding for unix socket rules. This changes/fixes the encoding for unix socket rules. The changes look larger than they are because it refactors the code, instead of duplicating. The major changes are: - it changes where the accept perm is stored - it moves anyone_match_pattern to default_match_pattern - it fixes the layout of the local addr only being written when local perms are present Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 15:57:17 -07:00
/* local addr */
if (!write_addr(buffer, peer_addr))
goto fail;
/* local label option */
if (!write_label(buffer, peer_label))
goto fail;
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
buf = buffer.str();
parser: map net permission set into a form compatible with the old dfa table The old dfa table format has 2 64 bit permission field used to store all of allow, quiet, audit, owner/!owner and transition mask. This leaves 7 bits for entry + a few other special bits. Since policydb entries when using old style dfa permission format don't use support the !owner permission entries we can map, the high net work permission bits to these entries. This allows us to enforce base network permissions on system with only support for the old dfa table format. Bits 0-7 inclusive stay put Bits 8-9 inclusive move (14 - 8) = 6 to 14-15 GETATTR | SETATTR Bits 20-22 inclusive move -4 to 16-18 ACCEPT | BIND | LISTEN (notice 22 not 23) Bit 23 is skipped, hence the need to shift 5 for 24-25 instead of 4 Bits 24-25 inclusive move -5 to 19-20 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <steve@nxnw.org>
2014-09-03 14:50:22 -07:00
if (!prof.policy.rules->add_rule(buf.c_str(), deny, map_perms(mode & AA_PEER_NET_PERMS), map_perms(audit), dfaflags))
parser: first step implementing fine grained mediation for unix domain sockets This patch implements parsing of fine grained mediation for unix domain sockets, that have abstract and anonymous paths. Sockets with file system paths are handled by regular file access rules. The unix network rules follow the general fine grained network rule pattern of [<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] specifically for af_unix this is [<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>] <qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ] <access expr> = ( <access> | <access list> ) <access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' | 'connect' | 'shutdown' | 'getattr' | 'setattr' | 'getopt' | 'setopt' | 'send' | 'receive' | 'r' | 'w' | 'rw' ) (some access modes are incompatible with some rules or require additional parameters) <access list> = '(' <access> ( [','] <WS> <access> )* ')' <WS> = white space <rule conds> = ( <type cond> | <protocol cond> )* each cond can appear at most once <type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' ) <local expr> = ( <path cond> | <attr cond> | <opt cond> )* each cond can appear at most once <peer expr> = 'peer' '=' ( <path cond> | <label cond> )+ each cond can appear at most once <path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')') <attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' ) <AARE> = ?*[]{}^ ( see man page ) unix domain socket rules are accumulated so that the granted unix socket permissions are the union of all the listed unix rule permissions. unix domain socket rules are broad and general and become more restrictive as further information is specified. Policy may be specified down to the path and label level. The content of the communication is not examined. Some permissions are not compatible with all unix rules. unix socket rule permissions are implied when a rule does not explicitly state an access list. By default if a rule does not have an access list all permissions that are compatible with the specified set of local and peer conditionals are implied. The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions. server = (create, bind, listen, accept) r = (receive, getattr, getopt) w = (create, connect, send, setattr, setopt) In addition it supports the v7 kernel abi semantics around generic network rules. The v7 abi removes the masking unix and netlink address families from the generic masking and uses fine grained mediation for an address type if supplied. This means that the rules network unix, network netlink, are now enforced instead of ignored. The parser previously could accept these but the kernel would ignore anything written to them. If a network rule is supplied it takes precedence over the finer grained mediation rule. If permission is not granted via a broad network access rule fine grained mediation is applied. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
goto fail;
}
return RULE_OK;
fail:
return RULE_ERROR;
}
Reference in a new issue Copy permalink