Commit | Line | Data |
---|---|---|
6380bd8d JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor file mediation function definitions. | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #ifndef __AA_FILE_H | |
16 | #define __AA_FILE_H | |
17 | ||
6380bd8d JJ |
18 | #include "domain.h" |
19 | #include "match.h" | |
20 | ||
21 | struct aa_profile; | |
37721e1b | 22 | struct path; |
6380bd8d JJ |
23 | |
24 | /* | |
25 | * We use MAY_EXEC, MAY_WRITE, MAY_READ, MAY_APPEND and the following flags | |
26 | * for profile permissions | |
27 | */ | |
28 | #define AA_MAY_CREATE 0x0010 | |
29 | #define AA_MAY_DELETE 0x0020 | |
30 | #define AA_MAY_META_WRITE 0x0040 | |
31 | #define AA_MAY_META_READ 0x0080 | |
32 | ||
33 | #define AA_MAY_CHMOD 0x0100 | |
34 | #define AA_MAY_CHOWN 0x0200 | |
35 | #define AA_MAY_LOCK 0x0400 | |
36 | #define AA_EXEC_MMAP 0x0800 | |
37 | ||
38 | #define AA_MAY_LINK 0x1000 | |
39 | #define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */ | |
40 | #define AA_MAY_ONEXEC 0x40000000 /* exec allows onexec */ | |
41 | #define AA_MAY_CHANGE_PROFILE 0x80000000 | |
42 | #define AA_MAY_CHANGEHAT 0x80000000 /* ctrl auditing only */ | |
43 | ||
44 | #define AA_AUDIT_FILE_MASK (MAY_READ | MAY_WRITE | MAY_EXEC | MAY_APPEND |\ | |
45 | AA_MAY_CREATE | AA_MAY_DELETE | \ | |
46 | AA_MAY_META_READ | AA_MAY_META_WRITE | \ | |
47 | AA_MAY_CHMOD | AA_MAY_CHOWN | AA_MAY_LOCK | \ | |
48 | AA_EXEC_MMAP | AA_MAY_LINK) | |
49 | ||
50 | /* | |
51 | * The xindex is broken into 3 parts | |
52 | * - index - an index into either the exec name table or the variable table | |
53 | * - exec type - which determines how the executable name and index are used | |
54 | * - flags - which modify how the destination name is applied | |
55 | */ | |
56 | #define AA_X_INDEX_MASK 0x03ff | |
57 | ||
58 | #define AA_X_TYPE_MASK 0x0c00 | |
59 | #define AA_X_TYPE_SHIFT 10 | |
60 | #define AA_X_NONE 0x0000 | |
61 | #define AA_X_NAME 0x0400 /* use executable name px */ | |
62 | #define AA_X_TABLE 0x0800 /* use a specified name ->n# */ | |
63 | ||
64 | #define AA_X_UNSAFE 0x1000 | |
65 | #define AA_X_CHILD 0x2000 /* make >AA_X_NONE apply to children */ | |
66 | #define AA_X_INHERIT 0x4000 | |
67 | #define AA_X_UNCONFINED 0x8000 | |
68 | ||
69 | /* AA_SECURE_X_NEEDED - is passed in the bprm->unsafe field */ | |
70 | #define AA_SECURE_X_NEEDED 0x8000 | |
71 | ||
72 | /* need to make conditional which ones are being set */ | |
73 | struct path_cond { | |
74 | uid_t uid; | |
75 | umode_t mode; | |
76 | }; | |
77 | ||
78 | /* struct file_perms - file permission | |
79 | * @allow: mask of permissions that are allowed | |
80 | * @audit: mask of permissions to force an audit message for | |
81 | * @quiet: mask of permissions to quiet audit messages for | |
82 | * @kill: mask of permissions that when matched will kill the task | |
83 | * @xindex: exec transition index if @allow contains MAY_EXEC | |
84 | * | |
85 | * The @audit and @queit mask should be mutually exclusive. | |
86 | */ | |
87 | struct file_perms { | |
88 | u32 allow; | |
89 | u32 audit; | |
90 | u32 quiet; | |
91 | u32 kill; | |
92 | u16 xindex; | |
93 | }; | |
94 | ||
95 | extern struct file_perms nullperms; | |
96 | ||
97 | #define COMBINED_PERM_MASK(X) ((X).allow | (X).audit | (X).quiet | (X).kill) | |
98 | ||
99 | /* FIXME: split perms from dfa and match this to description | |
100 | * also add delegation info. | |
101 | */ | |
102 | static inline u16 dfa_map_xindex(u16 mask) | |
103 | { | |
104 | u16 old_index = (mask >> 10) & 0xf; | |
105 | u16 index = 0; | |
106 | ||
107 | if (mask & 0x100) | |
108 | index |= AA_X_UNSAFE; | |
109 | if (mask & 0x200) | |
110 | index |= AA_X_INHERIT; | |
111 | if (mask & 0x80) | |
112 | index |= AA_X_UNCONFINED; | |
113 | ||
114 | if (old_index == 1) { | |
115 | index |= AA_X_UNCONFINED; | |
116 | } else if (old_index == 2) { | |
117 | index |= AA_X_NAME; | |
118 | } else if (old_index == 3) { | |
119 | index |= AA_X_NAME | AA_X_CHILD; | |
120 | } else { | |
121 | index |= AA_X_TABLE; | |
122 | index |= old_index - 4; | |
123 | } | |
124 | ||
125 | return index; | |
126 | } | |
127 | ||
128 | /* | |
129 | * map old dfa inline permissions to new format | |
130 | */ | |
131 | #define dfa_user_allow(dfa, state) (((ACCEPT_TABLE(dfa)[state]) & 0x7f) | \ | |
132 | ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) | |
133 | #define dfa_user_audit(dfa, state) ((ACCEPT_TABLE2(dfa)[state]) & 0x7f) | |
134 | #define dfa_user_quiet(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 7) & 0x7f) | |
135 | #define dfa_user_xindex(dfa, state) \ | |
136 | (dfa_map_xindex(ACCEPT_TABLE(dfa)[state] & 0x3fff)) | |
137 | ||
138 | #define dfa_other_allow(dfa, state) ((((ACCEPT_TABLE(dfa)[state]) >> 14) & \ | |
139 | 0x7f) | \ | |
140 | ((ACCEPT_TABLE(dfa)[state]) & 0x80000000)) | |
141 | #define dfa_other_audit(dfa, state) (((ACCEPT_TABLE2(dfa)[state]) >> 14) & 0x7f) | |
142 | #define dfa_other_quiet(dfa, state) \ | |
143 | ((((ACCEPT_TABLE2(dfa)[state]) >> 7) >> 14) & 0x7f) | |
144 | #define dfa_other_xindex(dfa, state) \ | |
145 | dfa_map_xindex((ACCEPT_TABLE(dfa)[state] >> 14) & 0x3fff) | |
146 | ||
147 | int aa_audit_file(struct aa_profile *profile, struct file_perms *perms, | |
148 | gfp_t gfp, int op, u32 request, const char *name, | |
149 | const char *target, uid_t ouid, const char *info, int error); | |
150 | ||
151 | /** | |
152 | * struct aa_file_rules - components used for file rule permissions | |
153 | * @dfa: dfa to match path names and conditionals against | |
154 | * @perms: permission table indexed by the matched state accept entry of @dfa | |
155 | * @trans: transition table for indexed by named x transitions | |
156 | * | |
157 | * File permission are determined by matching a path against @dfa and then | |
158 | * then using the value of the accept entry for the matching state as | |
159 | * an index into @perms. If a named exec transition is required it is | |
160 | * looked up in the transition table. | |
161 | */ | |
162 | struct aa_file_rules { | |
163 | unsigned int start; | |
164 | struct aa_dfa *dfa; | |
165 | /* struct perms perms; */ | |
166 | struct aa_domain trans; | |
167 | /* TODO: add delegate table */ | |
168 | }; | |
169 | ||
170 | unsigned int aa_str_perms(struct aa_dfa *dfa, unsigned int start, | |
171 | const char *name, struct path_cond *cond, | |
172 | struct file_perms *perms); | |
173 | ||
174 | int aa_path_perm(int op, struct aa_profile *profile, struct path *path, | |
175 | int flags, u32 request, struct path_cond *cond); | |
176 | ||
177 | int aa_path_link(struct aa_profile *profile, struct dentry *old_dentry, | |
178 | struct path *new_dir, struct dentry *new_dentry); | |
179 | ||
180 | int aa_file_perm(int op, struct aa_profile *profile, struct file *file, | |
181 | u32 request); | |
182 | ||
183 | static inline void aa_free_file_rules(struct aa_file_rules *rules) | |
184 | { | |
185 | aa_put_dfa(rules->dfa); | |
186 | aa_free_domain_entries(&rules->trans); | |
187 | } | |
188 | ||
189 | #define ACC_FMODE(x) (("\000\004\002\006"[(x)&O_ACCMODE]) | (((x) << 1) & 0x40)) | |
190 | ||
191 | /* from namei.c */ | |
192 | #define MAP_OPEN_FLAGS(x) ((((x) + 1) & O_ACCMODE) ? (x) + 1 : (x)) | |
193 | ||
194 | /** | |
195 | * aa_map_file_perms - map file flags to AppArmor permissions | |
196 | * @file: open file to map flags to AppArmor permissions | |
197 | * | |
198 | * Returns: apparmor permission set for the file | |
199 | */ | |
200 | static inline u32 aa_map_file_to_perms(struct file *file) | |
201 | { | |
202 | int flags = MAP_OPEN_FLAGS(file->f_flags); | |
203 | u32 perms = ACC_FMODE(file->f_mode); | |
204 | ||
205 | if ((flags & O_APPEND) && (perms & MAY_WRITE)) | |
206 | perms = (perms & ~MAY_WRITE) | MAY_APPEND; | |
207 | /* trunc implies write permission */ | |
208 | if (flags & O_TRUNC) | |
209 | perms |= MAY_WRITE; | |
210 | if (flags & O_CREAT) | |
211 | perms |= AA_MAY_CREATE; | |
212 | ||
213 | return perms; | |
214 | } | |
215 | ||
216 | #endif /* __AA_FILE_H */ |