2013-09-27 16:16:37 -07:00
|
|
|
/*
|
2013-10-14 14:34:12 -07:00
|
|
|
* Copyright (c) 2012, 2013
|
2013-09-27 16:16:37 -07:00
|
|
|
* Canonical, Ltd. (All rights reserved)
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or
|
|
|
|
|
* modify it under the terms of version 2 of the GNU General Public
|
|
|
|
|
* License published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
* This program is distributed in the hope that it will be useful,
|
|
|
|
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
* GNU General Public License for more details.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "profile.h"
|
2014-04-07 03:16:50 -07:00
|
|
|
#include "rule.h"
|
2021-09-08 00:25:28 -07:00
|
|
|
#include "parser.h"
|
2013-09-27 16:16:37 -07:00
|
|
|
|
|
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
2021-10-16 03:00:26 -07:00
|
|
|
#include <vector>
|
|
|
|
|
#include <algorithm>
|
2013-09-27 16:16:37 -07:00
|
|
|
|
2018-07-04 09:26:27 -07:00
|
|
|
const char *profile_mode_table[] = {
|
|
|
|
|
"",
|
|
|
|
|
"enforce",
|
|
|
|
|
"complain",
|
|
|
|
|
"kill",
|
|
|
|
|
"unconfined",
|
|
|
|
|
};
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
bool deref_profileptr_lt::operator()(Profile * const &lhs, Profile * const &rhs) const
|
|
|
|
|
{
|
|
|
|
|
return *lhs < *rhs;
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
pair<ProfileList::iterator,bool> ProfileList::insert(Profile *p)
|
|
|
|
|
{
|
|
|
|
|
return list.insert(p);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ProfileList::erase(ProfileList::iterator pos)
|
|
|
|
|
{
|
|
|
|
|
list.erase(pos);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ProfileList::clear(void)
|
|
|
|
|
{
|
|
|
|
|
for(ProfileList::iterator i = list.begin(); i != list.end(); ) {
|
|
|
|
|
ProfileList::iterator k = i++;
|
|
|
|
|
delete *k;
|
|
|
|
|
list.erase(k);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ProfileList::dump(void)
|
|
|
|
|
{
|
|
|
|
|
for(ProfileList::iterator i = list.begin(); i != list.end(); i++) {
|
|
|
|
|
(*i)->dump();
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void ProfileList::dump_profile_names(bool children)
|
|
|
|
|
{
|
|
|
|
|
for (ProfileList::iterator i = list.begin(); i != list.end();i++) {
|
|
|
|
|
(*i)->dump_name(true);
|
|
|
|
|
printf("\n");
|
|
|
|
|
if (children && !(*i)->hat_table.empty())
|
|
|
|
|
(*i)->hat_table.dump_profile_names(children);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
parser: first step implementing fine grained mediation for unix domain sockets
This patch implements parsing of fine grained mediation for unix domain
sockets, that have abstract and anonymous paths. Sockets with file
system paths are handled by regular file access rules.
The unix network rules follow the general fine grained network
rule pattern of
[<qualifiers>] af_name [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
specifically for af_unix this is
[<qualifiers>] 'unix' [<access expr>] [<rule conds>] [<local expr>] [<peer expr>]
<qualifiers> = [ 'audit' ] [ 'allow' | 'deny' ]
<access expr> = ( <access> | <access list> )
<access> = ( 'server' | 'create' | 'bind' | 'listen' | 'accept' |
'connect' | 'shutdown' | 'getattr' | 'setattr' |
'getopt' | 'setopt' |
'send' | 'receive' | 'r' | 'w' | 'rw' )
(some access modes are incompatible with some rules or require additional
parameters)
<access list> = '(' <access> ( [','] <WS> <access> )* ')'
<WS> = white space
<rule conds> = ( <type cond> | <protocol cond> )*
each cond can appear at most once
<type cond> = 'type' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<protocol cond> = 'protocol' '=' ( <AARE> | '(' ( '"' <AARE> '"' | <AARE> )+ ')' )
<local expr> = ( <path cond> | <attr cond> | <opt cond> )*
each cond can appear at most once
<peer expr> = 'peer' '=' ( <path cond> | <label cond> )+
each cond can appear at most once
<path cond> = 'path' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<label cond> = 'label' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')')
<attr cond> = 'attr' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<opt cond> = 'opt' '=' ( <AARE> | '(' '"' <AARE> '"' | <AARE> ')' )
<AARE> = ?*[]{}^ ( see man page )
unix domain socket rules are accumulated so that the granted unix
socket permissions are the union of all the listed unix rule permissions.
unix domain socket rules are broad and general and become more restrictive
as further information is specified. Policy may be specified down to
the path and label level. The content of the communication is not
examined.
Some permissions are not compatible with all unix rules.
unix socket rule permissions are implied when a rule does not explicitly
state an access list. By default if a rule does not have an access list
all permissions that are compatible with the specified set of local
and peer conditionals are implied.
The 'server', 'r', 'w' and 'rw' permissions are aliases for other permissions.
server = (create, bind, listen, accept)
r = (receive, getattr, getopt)
w = (create, connect, send, setattr, setopt)
In addition it supports the v7 kernel abi semantics around generic
network rules. The v7 abi removes the masking unix and netlink
address families from the generic masking and uses fine grained
mediation for an address type if supplied.
This means that the rules
network unix,
network netlink,
are now enforced instead of ignored. The parser previously could accept
these but the kernel would ignore anything written to them. If a network
rule is supplied it takes precedence over the finer grained mediation
rule. If permission is not granted via a broad network access rule
fine grained mediation is applied.
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2014-09-03 13:22:26 -07:00
|
|
|
bool Profile::alloc_net_table()
|
|
|
|
|
{
|
|
|
|
|
if (net.allow)
|
|
|
|
|
return true;
|
|
|
|
|
net.allow = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
|
|
|
|
|
net.audit = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
|
|
|
|
|
net.deny = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
|
|
|
|
|
net.quiet = (unsigned int *) calloc(get_af_max(), sizeof(unsigned int));
|
|
|
|
|
if (!net.allow || !net.audit || !net.deny || !net.quiet)
|
|
|
|
|
return false;
|
|
|
|
|
|
|
|
|
|
return true;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-27 16:16:37 -07:00
|
|
|
Profile::~Profile()
|
|
|
|
|
{
|
|
|
|
|
hat_table.clear();
|
|
|
|
|
free_cod_entries(entries);
|
2019-08-17 05:01:39 -07:00
|
|
|
free_cond_entry_list(xattrs);
|
2014-04-07 03:16:50 -07:00
|
|
|
|
|
|
|
|
for (RuleList::iterator i = rule_ents.begin(); i != rule_ents.end(); i++)
|
|
|
|
|
delete *i;
|
2013-09-27 16:16:37 -07:00
|
|
|
if (dfa.rules)
|
2014-04-23 10:57:16 -07:00
|
|
|
delete dfa.rules;
|
2013-09-27 16:16:37 -07:00
|
|
|
if (dfa.dfa)
|
|
|
|
|
free(dfa.dfa);
|
|
|
|
|
if (policy.rules)
|
2014-04-23 10:57:16 -07:00
|
|
|
delete policy.rules;
|
2013-09-27 16:16:37 -07:00
|
|
|
if (policy.dfa)
|
|
|
|
|
free(policy.dfa);
|
2013-10-14 14:34:12 -07:00
|
|
|
if (xmatch)
|
|
|
|
|
free(xmatch);
|
2013-09-27 16:16:37 -07:00
|
|
|
if (name)
|
|
|
|
|
free(name);
|
|
|
|
|
if (attachment)
|
|
|
|
|
free(attachment);
|
|
|
|
|
if (ns)
|
|
|
|
|
free(ns);
|
2013-10-14 14:34:12 -07:00
|
|
|
for (int i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++)
|
|
|
|
|
if (exec_table[i])
|
|
|
|
|
free(exec_table[i]);
|
2013-09-27 16:16:37 -07:00
|
|
|
if (net.allow)
|
|
|
|
|
free(net.allow);
|
|
|
|
|
if (net.audit)
|
|
|
|
|
free(net.audit);
|
|
|
|
|
if (net.deny)
|
|
|
|
|
free(net.deny);
|
|
|
|
|
if (net.quiet)
|
|
|
|
|
free(net.quiet);
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-03 23:52:57 -07:00
|
|
|
static bool comp (rule_t *lhs, rule_t *rhs)
|
|
|
|
|
{
|
|
|
|
|
return (*lhs < *rhs);
|
|
|
|
|
}
|
2021-10-16 03:00:26 -07:00
|
|
|
|
2023-07-03 23:52:57 -07:00
|
|
|
// TODO: move to block rule
|
|
|
|
|
// returns number of rules merged
|
|
|
|
|
// returns negative number on error
|
|
|
|
|
int Profile::merge_rules(void)
|
2021-10-16 03:00:26 -07:00
|
|
|
{
|
|
|
|
|
int count = 0;
|
2023-07-03 23:52:57 -07:00
|
|
|
std::vector<rule_t *> table;
|
2021-10-16 03:00:26 -07:00
|
|
|
|
2023-07-03 23:52:57 -07:00
|
|
|
for (RuleList::iterator i = rule_ents.begin(); i != rule_ents.end(); i++) {
|
|
|
|
|
if ((*i)->is_mergeable() && !(*i)->skip())
|
|
|
|
|
table.push_back(*i);
|
2021-10-16 03:00:26 -07:00
|
|
|
}
|
2023-07-03 23:52:57 -07:00
|
|
|
if (table.size() < 2)
|
2021-10-16 03:00:26 -07:00
|
|
|
return 0;
|
|
|
|
|
std::sort(table.begin(), table.end(), comp);
|
2023-07-03 23:52:57 -07:00
|
|
|
unsigned long n = table.size();
|
|
|
|
|
for (unsigned long i = 0, j = 1; j < n; j++) {
|
|
|
|
|
if (table[j]->skip())
|
|
|
|
|
continue;
|
2021-10-16 03:00:26 -07:00
|
|
|
if (table[i]->cmp(*table[j]) == 0) {
|
2023-07-03 23:52:57 -07:00
|
|
|
if (table[i]->merge(*table[j]))
|
|
|
|
|
count++;
|
2021-10-16 03:00:26 -07:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
i = j;
|
|
|
|
|
}
|
|
|
|
|
|
2023-07-03 23:52:57 -07:00
|
|
|
return count;
|
2021-10-16 03:00:26 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
2021-09-08 00:25:28 -07:00
|
|
|
int add_entry_to_x_table(Profile *prof, char *name)
|
|
|
|
|
{
|
|
|
|
|
int i;
|
|
|
|
|
for (i = (AA_EXEC_LOCAL >> 10) + 1; i < AA_EXEC_COUNT; i++) {
|
|
|
|
|
if (!prof->exec_table[i]) {
|
|
|
|
|
prof->exec_table[i] = name;
|
|
|
|
|
return i;
|
|
|
|
|
} else if (strcmp(prof->exec_table[i], name) == 0) {
|
|
|
|
|
/* name already in table */
|
|
|
|
|
free(name);
|
|
|
|
|
return i;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
free(name);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void add_entry_to_policy(Profile *prof, struct cod_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
entry->next = prof->entries;
|
|
|
|
|
prof->entries = entry;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int add_named_transition(Profile *prof, struct cod_entry *entry)
|
|
|
|
|
{
|
|
|
|
|
char *name = NULL;
|
|
|
|
|
|
|
|
|
|
/* check to see if it is a local transition */
|
|
|
|
|
if (!label_contains_ns(entry->nt_name)) {
|
|
|
|
|
char *sub = strstr(entry->nt_name, "//");
|
|
|
|
|
/* does the subprofile name match the rule */
|
|
|
|
|
|
|
|
|
|
if (sub && strncmp(prof->name, sub, sub - entry->nt_name) &&
|
|
|
|
|
strcmp(sub + 2, entry->name) == 0) {
|
|
|
|
|
free(entry->nt_name);
|
|
|
|
|
entry->nt_name = NULL;
|
|
|
|
|
return AA_EXEC_LOCAL >> 10;
|
|
|
|
|
} else if (((entry->perms & AA_USER_EXEC_MODIFIERS) ==
|
|
|
|
|
SHIFT_PERMS(AA_EXEC_LOCAL, AA_USER_SHIFT)) ||
|
|
|
|
|
((entry->perms & AA_OTHER_EXEC_MODIFIERS) ==
|
|
|
|
|
SHIFT_PERMS(AA_EXEC_LOCAL, AA_OTHER_SHIFT))) {
|
|
|
|
|
if (strcmp(entry->nt_name, entry->name) == 0) {
|
|
|
|
|
free(entry->nt_name);
|
|
|
|
|
entry->nt_name = NULL;
|
|
|
|
|
return AA_EXEC_LOCAL >> 10;
|
|
|
|
|
}
|
|
|
|
|
/* specified as cix so profile name is implicit */
|
|
|
|
|
name = (char *) malloc(strlen(prof->name) + strlen(entry->nt_name)
|
|
|
|
|
+ 3);
|
|
|
|
|
if (!name) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
sprintf(name, "%s//%s", prof->name, entry->nt_name);
|
|
|
|
|
free(entry->nt_name);
|
|
|
|
|
entry->nt_name = NULL;
|
|
|
|
|
} else {
|
|
|
|
|
/**
|
|
|
|
|
* pass control of the memory pointed to by nt_name
|
|
|
|
|
* from entry to add_entry_to_x_table()
|
|
|
|
|
*/
|
|
|
|
|
name = entry->nt_name;
|
|
|
|
|
entry->nt_name = NULL;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/**
|
|
|
|
|
* pass control of the memory pointed to by nt_name
|
|
|
|
|
* from entry to add_entry_to_x_table()
|
|
|
|
|
*/
|
|
|
|
|
name = entry->nt_name;
|
|
|
|
|
entry->nt_name = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return add_entry_to_x_table(prof, name);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static bool add_proc_access(Profile *prof, const char *rule)
|
|
|
|
|
{
|
|
|
|
|
/* FIXME: should use @{PROC}/@{PID}/attr/{apparmor/,}{current,exec} */
|
|
|
|
|
struct cod_entry *new_ent;
|
|
|
|
|
/* allow probe for new interfaces */
|
|
|
|
|
char *buffer = strdup("/proc/*/attr/apparmor/");
|
|
|
|
|
if (!buffer) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
new_ent = new_entry(buffer, AA_MAY_READ, NULL);
|
|
|
|
|
if (!new_ent) {
|
|
|
|
|
free(buffer);
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy(prof, new_ent);
|
|
|
|
|
|
|
|
|
|
/* allow probe if apparmor is enabled for the old interface */
|
|
|
|
|
buffer = strdup("/sys/module/apparmor/parameters/enabled");
|
|
|
|
|
if (!buffer) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
new_ent = new_entry(buffer, AA_MAY_READ, NULL);
|
|
|
|
|
if (!new_ent) {
|
|
|
|
|
free(buffer);
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy(prof, new_ent);
|
|
|
|
|
|
|
|
|
|
/* allow setting on new and old interfaces */
|
|
|
|
|
buffer = strdup(rule);
|
|
|
|
|
if (!buffer) {
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
new_ent = new_entry(buffer, AA_MAY_WRITE, NULL);
|
|
|
|
|
if (!new_ent) {
|
|
|
|
|
free(buffer);
|
|
|
|
|
PERROR("Memory allocation error\n");
|
|
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
add_entry_to_policy(prof, new_ent);
|
|
|
|
|
|
|
|
|
|
return TRUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define CHANGEPROFILE_PATH "/proc/*/attr/{apparmor/,}{current,exec}"
|
|
|
|
|
void post_process_file_entries(Profile *prof)
|
|
|
|
|
{
|
|
|
|
|
struct cod_entry *entry;
|
|
|
|
|
perms_t cp_perms = 0;
|
|
|
|
|
|
|
|
|
|
list_for_each(prof->entries, entry) {
|
|
|
|
|
if (entry->nt_name) {
|
|
|
|
|
perms_t perms = 0;
|
|
|
|
|
int n = add_named_transition(prof, entry);
|
|
|
|
|
if (!n) {
|
|
|
|
|
PERROR("Profile %s has too many specified profile transitions.\n", prof->name);
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
if (entry->perms & AA_USER_EXEC)
|
|
|
|
|
perms |= SHIFT_PERMS(n << 10, AA_USER_SHIFT);
|
|
|
|
|
if (entry->perms & AA_OTHER_EXEC)
|
|
|
|
|
perms |= SHIFT_PERMS(n << 10, AA_OTHER_SHIFT);
|
|
|
|
|
entry->perms = ((entry->perms & ~AA_ALL_EXEC_MODIFIERS) |
|
|
|
|
|
(perms & AA_ALL_EXEC_MODIFIERS));
|
|
|
|
|
}
|
|
|
|
|
/* FIXME: currently change_profile also implies onexec */
|
|
|
|
|
cp_perms |= entry->perms & (AA_CHANGE_PROFILE);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* if there are change_profile rules, this implies that we need
|
|
|
|
|
* access to some /proc/ interfaces
|
|
|
|
|
*/
|
|
|
|
|
if (cp_perms & AA_CHANGE_PROFILE) {
|
|
|
|
|
if (!add_proc_access(prof, CHANGEPROFILE_PATH))
|
|
|
|
|
exit(1);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void post_process_rule_entries(Profile *prof)
|
|
|
|
|
{
|
2021-09-19 00:59:45 -07:00
|
|
|
for (RuleList::iterator i = prof->rule_ents.begin(); i != prof->rule_ents.end(); i++) {
|
2023-07-03 23:52:57 -07:00
|
|
|
if ((*i)->skip())
|
2021-09-19 00:59:45 -07:00
|
|
|
continue;
|
2021-09-08 00:25:28 -07:00
|
|
|
(*i)->post_parse_profile(*prof);
|
2021-09-19 00:59:45 -07:00
|
|
|
}
|
2021-09-08 00:25:28 -07:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
#define CHANGEHAT_PATH "/proc/[0-9]*/attr/{apparmor/,}current"
|
|
|
|
|
|
|
|
|
|
/* add file rules to access /proc files to call change_hat()
|
|
|
|
|
*/
|
|
|
|
|
static int profile_add_hat_rules(Profile *prof)
|
|
|
|
|
{
|
|
|
|
|
/* don't add hat rules if not hat or profile doesn't have hats */
|
|
|
|
|
if (!(prof->flags.flags & FLAG_HAT) && prof->hat_table.empty())
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
if (!add_proc_access(prof, CHANGEHAT_PATH))
|
|
|
|
|
return ENOMEM;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void Profile::post_parse_profile(void)
|
|
|
|
|
{
|
|
|
|
|
post_process_file_entries(this);
|
|
|
|
|
post_process_rule_entries(this);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void Profile::add_implied_rules(void)
|
|
|
|
|
{
|
|
|
|
|
int error;
|
|
|
|
|
|
|
|
|
|
error = profile_add_hat_rules(this);
|
|
|
|
|
if (error) {
|
|
|
|
|
PERROR(_("ERROR adding hat access rule for profile %s\n"),
|
|
|
|
|
name);
|
|
|
|
|
//return error;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
