mirror of
https://gitlab.com/apparmor/apparmor.git
synced 2025-03-05 17:01:00 +01:00
29b0634f34
remove unused net_find_af_val function, and network_families array Merge from trunk commit 2888. net_find_af_name: do not assume that address families are consecutive The network_families array is automatically built from AF_NAMES, which is extracted from the defines in <bits/socket.h>. The code assumes that network_families is indexed by the AF defines. However, since the defines are sparse, and the gaps in the array are not packed with zeroes, the array is shorter than expected, and the indexing is wrong. When this function was written, the network families that were covered might well have been consecutive, but this is no longer true: there's a gap between AF_LLC (26) and AF_CAN (29). This assumption caused a crash in our testing while parsing the rule "network raw". Remove unused net_find_af_val function, and network_families array Like net_find_af_name, this assumed that AF_* values were consecutive. Patches from Philip Withnall and Simon McVittie.
134 lines
3.8 KiB
C
134 lines
3.8 KiB
C
/*
|
|
* Copyright (c) 2014
|
|
* Canonical, Ltd. (All rights reserved)
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
* License published by the Free Software Foundation.
|
|
*
|
|
* This program is distributed in the hope that it will be useful,
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
* GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with this program; if not, contact Novell, Inc. or Canonical
|
|
* Ltd.
|
|
*/
|
|
|
|
#ifndef __AA_NETWORK_H
|
|
#define __AA_NETWORK_H
|
|
|
|
#include <fcntl.h>
|
|
#include <netinet/in.h>
|
|
#include <linux/socket.h>
|
|
#include <linux/limits.h>
|
|
#include <arpa/inet.h>
|
|
#include <sys/types.h>
|
|
#include <sys/stat.h>
|
|
#include <stdio.h>
|
|
#include <stdlib.h>
|
|
#include <unistd.h>
|
|
|
|
#include "parser.h"
|
|
#include "rule.h"
|
|
|
|
|
|
#define AA_NET_WRITE 0x0002
|
|
#define AA_NET_SEND AA_NET_WRITE
|
|
#define AA_NET_READ 0x0004
|
|
#define AA_NET_RECEIVE AA_NET_READ
|
|
|
|
#define AA_NET_CREATE 0x0010
|
|
#define AA_NET_SHUTDOWN 0x0020 /* alias delete */
|
|
#define AA_NET_CONNECT 0x0040 /* alias open */
|
|
|
|
#define AA_NET_SETATTR 0x0100
|
|
#define AA_NET_GETATTR 0x0200
|
|
|
|
//#define AA_NET_CHMOD 0x1000 /* pair */
|
|
//#define AA_NET_CHOWN 0x2000 /* pair */
|
|
//#define AA_NET_CHGRP 0x4000 /* pair */
|
|
//#define AA_NET_LOCK 0x8000 /* LINK_SUBSET overlaid */
|
|
|
|
#define AA_NET_ACCEPT 0x00100000
|
|
#define AA_NET_BIND 0x00200000
|
|
#define AA_NET_LISTEN 0x00400000
|
|
|
|
#define AA_NET_SETOPT 0x01000000
|
|
#define AA_NET_GETOPT 0x02000000
|
|
|
|
#define AA_CONT_MATCH 0x08000000
|
|
|
|
#define AA_VALID_NET_PERMS (AA_NET_SEND | AA_NET_RECEIVE | AA_NET_CREATE | \
|
|
AA_NET_SHUTDOWN | AA_NET_CONNECT | \
|
|
AA_NET_SETATTR | AA_NET_GETATTR | AA_NET_BIND | \
|
|
AA_NET_ACCEPT | AA_NET_LISTEN | AA_NET_SETOPT | \
|
|
AA_NET_GETOPT | AA_CONT_MATCH)
|
|
#define AA_LOCAL_NET_PERMS (AA_NET_CREATE | AA_NET_SHUTDOWN | AA_NET_SETATTR |\
|
|
AA_NET_GETATTR | AA_NET_BIND | AA_NET_ACCEPT | \
|
|
AA_NET_LISTEN | AA_NET_SETOPT | AA_NET_GETOPT)
|
|
#define AA_NET_OPT (AA_NET_SETOPT | AA_NET_GETOPT)
|
|
#define AA_LOCAL_NET_CMD (AA_NET_LISTEN | AA_NET_OPT)
|
|
#define AA_PEER_NET_PERMS (AA_VALID_NET_PERMS & (~AA_LOCAL_NET_PERMS | \
|
|
AA_NET_ACCEPT))
|
|
|
|
struct network_tuple {
|
|
const char *family_name;
|
|
unsigned int family;
|
|
const char *type_name;
|
|
unsigned int type;
|
|
const char *protocol_name;
|
|
unsigned int protocol;
|
|
};
|
|
|
|
/* supported AF protocols */
|
|
struct aa_network_entry {
|
|
unsigned int family;
|
|
unsigned int type;
|
|
unsigned int protocol;
|
|
|
|
struct aa_network_entry *next;
|
|
};
|
|
|
|
int parse_net_mode(const char *str_mode, int *mode, int fail);
|
|
extern struct aa_network_entry *new_network_ent(unsigned int family,
|
|
unsigned int type,
|
|
unsigned int protocol);
|
|
extern struct aa_network_entry *network_entry(const char *family,
|
|
const char *type,
|
|
const char *protocol);
|
|
extern size_t get_af_max(void);
|
|
|
|
void __debug_network(unsigned int *array, const char *name);
|
|
|
|
struct network {
|
|
unsigned int *allow; /* array of type masks
|
|
* indexed by AF_FAMILY */
|
|
unsigned int *audit;
|
|
unsigned int *deny;
|
|
unsigned int *quiet;
|
|
|
|
network(void) { allow = audit = deny = quiet = NULL; }
|
|
|
|
void dump(void) {
|
|
if (allow)
|
|
__debug_network(allow, "Network");
|
|
if (audit)
|
|
__debug_network(audit, "Audit Net");
|
|
if (deny)
|
|
__debug_network(deny, "Deny Net");
|
|
if (quiet)
|
|
__debug_network(quiet, "Quiet Net");
|
|
}
|
|
};
|
|
|
|
int net_find_type_val(const char *type);
|
|
const char *net_find_type_name(int type);
|
|
const char *net_find_af_name(unsigned int af);
|
|
const struct network_tuple *net_find_mapping(const struct network_tuple *map,
|
|
const char *family,
|
|
const char *type,
|
|
const char *protocol);
|
|
|
|
#endif /* __AA_NETWORK_H */
|