2014-08-23 23:55:12 -07:00
|
|
|
/*
|
|
|
|
|
* Copyright (c) 2014
|
|
|
|
|
* Canonical, Ltd. (All rights reserved)
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*
|
|
|
|
|
* You should have received a copy of the GNU General Public License
|
|
|
|
|
* along with this program; if not, contact Novell, Inc. or Canonical
|
|
|
|
|
* Ltd.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#ifndef __AA_NETWORK_H
|
|
|
|
|
#define __AA_NETWORK_H
|
|
|
|
|
|
|
|
|
|
#include <fcntl.h>
|
|
|
|
|
#include <netinet/in.h>
|
|
|
|
|
#include <linux/socket.h>
|
|
|
|
|
#include <linux/limits.h>
|
|
|
|
|
#include <arpa/inet.h>
|
|
|
|
|
#include <sys/types.h>
|
|
|
|
|
#include <sys/stat.h>
|
2024-03-14 17:31:52 -03:00
|
|
|
#include <list>
|
2014-08-23 23:55:12 -07:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <unistd.h>
|
2023-06-26 14:39:39 -03:00
|
|
|
#include <unordered_map>
|
|
|
|
|
#include <vector>
|
2014-08-23 23:55:12 -07:00
|
|
|
|
|
|
|
|
#include "parser.h"
|
|
|
|
|
#include "rule.h"
|
parser: first step implementing fine grained mediation for unix domain sockets
This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
|
|
|
|
|
|
|
|
|
|
|
|
|
#define AA_NET_WRITE 0x0002
|
|
|
|
|
#define AA_NET_SEND AA_NET_WRITE
|
|
|
|
|
#define AA_NET_READ 0x0004
|
|
|
|
|
#define AA_NET_RECEIVE AA_NET_READ
|
|
|
|
|
|
|
|
|
|
#define AA_NET_CREATE 0x0010
|
|
|
|
|
#define AA_NET_SHUTDOWN 0x0020 /* alias delete */
|
|
|
|
|
#define AA_NET_CONNECT 0x0040 /* alias open */
|
|
|
|
|
|
|
|
|
|
#define AA_NET_SETATTR 0x0100
|
|
|
|
|
#define AA_NET_GETATTR 0x0200
|
|
|
|
|
|
|
|
|
|
//#define AA_NET_CHMOD 0x1000 /* pair */
|
|
|
|
|
//#define AA_NET_CHOWN 0x2000 /* pair */
|
|
|
|
|
//#define AA_NET_CHGRP 0x4000 /* pair */
|
|
|
|
|
//#define AA_NET_LOCK 0x8000 /* LINK_SUBSET overlaid */
|
|
|
|
|
|
|
|
|
|
#define AA_NET_ACCEPT 0x00100000
|
|
|
|
|
#define AA_NET_BIND 0x00200000
|
|
|
|
|
#define AA_NET_LISTEN 0x00400000
|
|
|
|
|
|
|
|
|
|
#define AA_NET_SETOPT 0x01000000
|
|
|
|
|
#define AA_NET_GETOPT 0x02000000
|
|
|
|
|
|
|
|
|
|
#define AA_CONT_MATCH 0x08000000
|
|
|
|
|
|
|
|
|
|
#define AA_VALID_NET_PERMS (AA_NET_SEND | AA_NET_RECEIVE | AA_NET_CREATE | \
|
|
|
|
|
AA_NET_SHUTDOWN | AA_NET_CONNECT | \
|
|
|
|
|
AA_NET_SETATTR | AA_NET_GETATTR | AA_NET_BIND | \
|
|
|
|
|
AA_NET_ACCEPT | AA_NET_LISTEN | AA_NET_SETOPT | \
|
|
|
|
|
AA_NET_GETOPT | AA_CONT_MATCH)
|
|
|
|
|
#define AA_LOCAL_NET_PERMS (AA_NET_CREATE | AA_NET_SHUTDOWN | AA_NET_SETATTR |\
|
|
|
|
|
AA_NET_GETATTR | AA_NET_BIND | AA_NET_ACCEPT | \
|
|
|
|
|
AA_NET_LISTEN | AA_NET_SETOPT | AA_NET_GETOPT)
|
|
|
|
|
#define AA_NET_OPT (AA_NET_SETOPT | AA_NET_GETOPT)
|
2014-09-03 15:57:17 -07:00
|
|
|
#define AA_LOCAL_NET_CMD (AA_NET_LISTEN | AA_NET_OPT)
|
|
|
|
|
#define AA_PEER_NET_PERMS (AA_VALID_NET_PERMS & (~AA_LOCAL_NET_PERMS | \
|
|
|
|
|
AA_NET_ACCEPT))
|
2014-08-23 23:55:12 -07:00
|
|
|
|
2023-08-22 18:12:29 -03:00
|
|
|
#define CMD_ADDR 1
|
|
|
|
|
#define CMD_LISTEN 2
|
|
|
|
|
#define CMD_OPT 4
|
|
|
|
|
|
2024-04-11 19:03:43 -07:00
|
|
|
#define NONE_SIZE 0
|
2024-03-14 17:17:23 -03:00
|
|
|
#define IPV4_SIZE 1
|
|
|
|
|
#define IPV6_SIZE 2
|
|
|
|
|
|
2014-08-24 00:00:28 -07:00
|
|
|
struct network_tuple {
|
|
|
|
|
const char *family_name;
|
|
|
|
|
unsigned int family;
|
|
|
|
|
const char *type_name;
|
|
|
|
|
unsigned int type;
|
|
|
|
|
const char *protocol_name;
|
|
|
|
|
unsigned int protocol;
|
|
|
|
|
};
|
|
|
|
|
|
2014-08-23 23:55:12 -07:00
|
|
|
struct aa_network_entry {
|
2023-06-26 14:39:39 -03:00
|
|
|
long unsigned int family;
|
2014-08-23 23:55:12 -07:00
|
|
|
unsigned int type;
|
|
|
|
|
unsigned int protocol;
|
|
|
|
|
};
|
|
|
|
|
|
2018-07-24 04:40:25 -07:00
|
|
|
static inline uint32_t map_perms(uint32_t mask)
|
|
|
|
|
{
|
|
|
|
|
return (mask & 0x7f) |
|
|
|
|
|
((mask & (AA_NET_GETATTR | AA_NET_SETATTR)) << (AA_OTHER_SHIFT - 8)) |
|
|
|
|
|
((mask & (AA_NET_ACCEPT | AA_NET_BIND | AA_NET_LISTEN)) >> 4) | /* 2 + (AA_OTHER_SHIFT - 20) */
|
|
|
|
|
((mask & (AA_NET_SETOPT | AA_NET_GETOPT)) >> 5); /* 5 + (AA_OTHER_SHIFT - 24) */
|
|
|
|
|
};
|
|
|
|
|
|
2021-06-09 00:56:59 -07:00
|
|
|
int parse_net_perms(const char *str_mode, perms_t *perms, int fail);
|
2023-06-26 14:39:39 -03:00
|
|
|
size_t get_af_max();
|
2014-08-23 23:55:33 -07:00
|
|
|
int net_find_type_val(const char *type);
|
|
|
|
|
const char *net_find_type_name(int type);
|
2014-08-23 23:57:55 -07:00
|
|
|
const char *net_find_af_name(unsigned int af);
|
2023-06-26 14:39:39 -03:00
|
|
|
|
2023-08-22 18:12:29 -03:00
|
|
|
struct ip_address {
|
|
|
|
|
union {
|
|
|
|
|
uint8_t address_v6[16];
|
|
|
|
|
uint32_t address_v4;
|
|
|
|
|
} address;
|
|
|
|
|
uint16_t family;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
class ip_conds {
|
|
|
|
|
public:
|
|
|
|
|
char *sip = NULL;
|
|
|
|
|
char *sport = NULL;
|
|
|
|
|
|
|
|
|
|
bool is_ip = false;
|
|
|
|
|
bool is_port = false;
|
|
|
|
|
|
|
|
|
|
uint16_t port;
|
|
|
|
|
struct ip_address ip;
|
|
|
|
|
|
2024-04-11 19:03:43 -07:00
|
|
|
bool is_none = false;
|
2024-03-14 18:23:12 -03:00
|
|
|
|
2023-08-22 18:12:29 -03:00
|
|
|
void free_conds() {
|
|
|
|
|
if (sip)
|
|
|
|
|
free(sip);
|
|
|
|
|
if (sport)
|
|
|
|
|
free(sport);
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2023-08-02 17:58:38 -03:00
|
|
|
class network_rule: public dedup_perms_rule_t {
|
2023-08-22 18:12:29 -03:00
|
|
|
void move_conditionals(struct cond_entry *conds, ip_conds &ip_cond);
|
2023-06-26 14:39:39 -03:00
|
|
|
public:
|
|
|
|
|
std::unordered_map<unsigned int, std::vector<struct aa_network_entry>> network_map;
|
2024-03-14 17:06:12 -03:00
|
|
|
std::unordered_map<unsigned int, std::pair<unsigned int, unsigned int>> network_perms;
|
2023-06-26 14:39:39 -03:00
|
|
|
|
2023-08-22 18:12:29 -03:00
|
|
|
ip_conds peer;
|
|
|
|
|
ip_conds local;
|
2024-03-14 17:21:53 -03:00
|
|
|
char *label;
|
2023-08-22 18:12:29 -03:00
|
|
|
|
|
|
|
|
bool has_local_conds(void) { return local.sip || local.sport; }
|
|
|
|
|
bool has_peer_conds(void) { return peer.sip || peer.sport; }
|
2023-06-26 14:39:39 -03:00
|
|
|
/* empty constructor used only for the profile to access
|
|
|
|
|
* static elements to maintain compatibility with
|
|
|
|
|
* AA_CLASS_NET */
|
2024-03-18 10:18:03 -03:00
|
|
|
network_rule(): dedup_perms_rule_t(AA_CLASS_NETV8), label(NULL) { }
|
2023-08-22 18:12:29 -03:00
|
|
|
network_rule(perms_t perms_p, struct cond_entry *conds,
|
|
|
|
|
struct cond_entry *peer_conds);
|
2024-01-08 16:09:13 -03:00
|
|
|
network_rule(perms_t perms_p, const char *family, const char *type,
|
2023-08-22 18:12:29 -03:00
|
|
|
const char *protocol, struct cond_entry *conds,
|
|
|
|
|
struct cond_entry *peer_conds);
|
2024-01-08 16:09:13 -03:00
|
|
|
network_rule(perms_t perms_p, unsigned int family, unsigned int type);
|
2023-06-26 14:39:39 -03:00
|
|
|
virtual ~network_rule()
|
|
|
|
|
{
|
2023-08-22 18:12:29 -03:00
|
|
|
peer.free_conds();
|
|
|
|
|
local.free_conds();
|
2023-06-26 14:39:39 -03:00
|
|
|
if (allow) {
|
|
|
|
|
free(allow);
|
|
|
|
|
allow = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (audit) {
|
|
|
|
|
free(audit);
|
|
|
|
|
audit = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (deny) {
|
|
|
|
|
free(deny);
|
|
|
|
|
deny = NULL;
|
|
|
|
|
}
|
|
|
|
|
if (quiet) {
|
|
|
|
|
free(quiet);
|
|
|
|
|
quiet = NULL;
|
|
|
|
|
}
|
|
|
|
|
};
|
|
|
|
|
|
2024-03-14 18:23:12 -03:00
|
|
|
bool gen_ip_conds(Profile &prof, std::list<std::ostringstream> &streams, ip_conds &entry, bool is_peer, bool is_cmd);
|
2024-03-14 17:06:12 -03:00
|
|
|
bool gen_net_rule(Profile &prof, u16 family, unsigned int type_mask, unsigned int protocol);
|
|
|
|
|
void set_netperm(unsigned int family, unsigned int type, unsigned int protocol);
|
2023-06-26 14:39:39 -03:00
|
|
|
void update_compat_net(void);
|
2023-08-22 18:12:29 -03:00
|
|
|
bool parse_address(ip_conds &entry);
|
|
|
|
|
bool parse_port(ip_conds &entry);
|
2023-06-26 14:39:39 -03:00
|
|
|
|
|
|
|
|
virtual bool valid_prefix(const prefixes &p, const char *&error) {
|
|
|
|
|
if (p.owner) {
|
|
|
|
|
error = _("owner prefix not allowed on network rules");
|
|
|
|
|
return false;
|
|
|
|
|
}
|
|
|
|
|
return true;
|
|
|
|
|
};
|
|
|
|
|
virtual ostream &dump(ostream &os);
|
|
|
|
|
virtual int expand_variables(void);
|
|
|
|
|
virtual int gen_policy_re(Profile &prof);
|
2023-08-02 17:58:38 -03:00
|
|
|
|
|
|
|
|
virtual bool is_mergeable(void) { return true; }
|
|
|
|
|
virtual int cmp(rule_t const &rhs) const;
|
|
|
|
|
|
2023-06-26 14:39:39 -03:00
|
|
|
/* array of type masks indexed by AF_FAMILY */
|
|
|
|
|
/* allow, audit, deny and quiet are used for compatibility with AA_CLASS_NET */
|
|
|
|
|
static unsigned int *allow;
|
|
|
|
|
static unsigned int *audit;
|
|
|
|
|
static unsigned int *deny;
|
|
|
|
|
static unsigned int *quiet;
|
|
|
|
|
|
|
|
|
|
bool alloc_net_table(void);
|
|
|
|
|
|
|
|
|
|
protected:
|
|
|
|
|
virtual void warn_once(const char *name) override;
|
|
|
|
|
};
|
2014-08-23 23:55:33 -07:00
|
|
|
|
2014-08-23 23:55:12 -07:00
|
|
|
#endif /* __AA_NETWORK_H */
|