// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor network mediation
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2017 Canonical Ltd.
 */
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 10)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 11) #include "include/apparmor.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 12) #include "include/audit.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 13) #include "include/cred.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 14) #include "include/label.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 15) #include "include/net.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 16) #include "include/policy.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 17) #include "include/secid.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 18)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 19) #include "net_names.h"
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 20)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 21)
/*
 * securityfs entries exported by the network mediation code.
 * "af_mask" is a read-only string file whose content is AA_SFS_AF_MASK
 * (defined outside this file, presumably the supported address-family list
 * from net_names.h — confirm). The empty entry terminates the table.
 */
struct aa_sfs_entry aa_sfs_entry_network[] = {
	AA_SFS_FILE_STRING("af_mask", AA_SFS_AF_MASK),
	{ }
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 26)
/*
 * Names used when auditing a network permission mask: entry N is the name
 * of bit N of the mask (see audit_net_cb(), which hands this table to
 * aa_audit_perm_mask() together with NET_PERMS_MASK). Bits without an
 * assigned meaning are spelled "unknown". Designated indices are used so the
 * bit -> name mapping is explicit and cannot drift if an entry is edited.
 */
static const char * const net_mask_names[32] = {
	[0] = "unknown",  [1] = "send",     [2] = "receive", [3] = "unknown",
	[4] = "create",   [5] = "shutdown", [6] = "connect", [7] = "unknown",
	[8] = "setattr",  [9] = "getattr",  [10] = "setcred", [11] = "getcred",
	[12] = "chmod",   [13] = "chown",   [14] = "chgrp",   [15] = "lock",
	[16] = "mmap",    [17] = "mprot",   [18] = "unknown", [19] = "unknown",
	[20] = "accept",  [21] = "bind",    [22] = "listen",  [23] = "unknown",
	[24] = "setopt",  [25] = "getopt",  [26] = "unknown", [27] = "unknown",
	[28] = "unknown", [29] = "unknown", [30] = "unknown", [31] = "unknown",
};
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 68)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 69)
/**
 * audit_net_cb - audit callback that appends the network specific fields
 * @ab: audit buffer being filled
 * @va: the struct common_audit_data describing the event
 *
 * Logs family, sock_type and protocol, then the requested network mask
 * (with the denied mask nested under it, when non-empty) and finally the
 * peer label if one was recorded.
 *
 * Note: address_family_names and sock_type_names are indexed straight from
 * the audit data without a bounds check here; the callers are expected to
 * have validated family/type (aa_profile_af_perm() asserts this with AA_BUG).
 */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	int family = sa->u.net->family;
	int type = aad(sa)->net.type;
	const char *family_name = address_family_names[family];
	const char *type_name = sock_type_names[type];
	u32 request = aad(sa)->request;

	if (family_name)
		audit_log_format(ab, " family=\"%s\"", family_name);
	else
		audit_log_format(ab, " family=\"unknown(%d)\"", family);

	if (type_name)
		audit_log_format(ab, " sock_type=\"%s\"", type_name);
	else
		audit_log_format(ab, " sock_type=\"unknown(%d)\"", type);

	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	if (request & NET_PERMS_MASK) {
		u32 denied = aad(sa)->denied;

		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, request, NULL, 0, net_mask_names,
				   NET_PERMS_MASK);

		/* denied_mask is only reported alongside a network request */
		if (denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, denied, NULL, 0, net_mask_names,
					   NET_PERMS_MASK);
		}
	}

	if (aad(sa)->peer) {
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
				FLAGS_NONE, GFP_ATOMIC);
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 106)
/**
 * aa_profile_af_perm - check one profile's policy for an address family/type
 * @profile: profile to check
 * @sa: audit data for the operation (passed through to aa_check_perms())
 * @request: requested permission mask
 * @family: address family, must be < AF_MAX (AA_BUG otherwise)
 * @type: socket type, must be in [0, SOCK_MAX) (AA_BUG otherwise)
 *
 * Walks the profile's policy dfa from the AA_CLASS_NET start state over the
 * big-endian encoded (family, type) pair, computes the permissions at the
 * resulting state, applies the profile modes and checks @request against
 * them.
 *
 * Returns: 0 when the profile is unconfined or does not mediate networking,
 * otherwise whatever aa_check_perms() returns.
 */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
{
	struct aa_perms perms = { };
	__be16 key[2];
	unsigned int state;

	AA_BUG(family >= AF_MAX);
	AA_BUG(type < 0 || type >= SOCK_MAX);

	if (profile_unconfined(profile))
		return 0;

	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	if (!state)
		return 0;

	/* the dfa consumes family then type, each as 2 network-order bytes */
	key[0] = cpu_to_be16(family);
	key[1] = cpu_to_be16((u16) type);
	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) key,
				 sizeof(key));
	aa_compute_perms(profile->policy.dfa, state, &perms);
	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 133)
/**
 * aa_af_perm - check @request for @family/@type against every profile in @label
 * @label: label whose confined profiles are checked
 * @op: operation name used in the audit record
 * @request: requested permission mask
 * @family: address family
 * @type: socket type
 * @protocol: protocol, recorded in the audit data only
 *
 * The audit data is set up without a socket (NULL sk); the family, type and
 * protocol are recorded directly.
 *
 * Returns: the combined result of aa_profile_af_perm() over the confined
 * profiles, as produced by fn_for_each_confined()
 */
int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
	       int type, int protocol)
{
	int error;
	struct aa_profile *profile;
	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);

	error = fn_for_each_confined(label, profile,
				     aa_profile_af_perm(profile, &sa, request,
							family, type));

	return error;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 144)
/**
 * aa_label_sk_perm - check socket @request for every confined profile in @label
 * @label: label to check (NOT NULL)
 * @op: operation name used in the audit record
 * @request: requested permission mask
 * @sk: socket the request is made on (NOT NULL)
 *
 * Returns: 0 if @label is unconfined, otherwise the combined result of
 * aa_profile_af_sk_perm() over the confined profiles
 */
static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
			    struct sock *sk)
{
	struct aa_profile *profile;

	AA_BUG(!label);
	AA_BUG(!sk);

	/* nothing to mediate for an unconfined label */
	if (unconfined(label))
		return 0;

	{
		DEFINE_AUDIT_SK(sa, op, sk);

		return fn_for_each_confined(label, profile,
					    aa_profile_af_sk_perm(profile, &sa,
								  request, sk));
	}
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 163)
/**
 * aa_sk_perm - check socket @request for the current task's label
 * @op: operation name used in the audit record
 * @request: requested permission mask
 * @sk: socket the request is made on (NOT NULL)
 *
 * Must not be called from interrupt context (AA_BUG). The current label is
 * held for the duration of the check via a label critical section.
 *
 * Returns: result of aa_label_sk_perm() for the current label
 */
int aa_sk_perm(const char *op, u32 request, struct sock *sk)
{
	struct aa_label *label;
	int error;

	AA_BUG(!sk);
	AA_BUG(in_interrupt());

	/* TODO: switch to begin_current_label ???? */
	label = begin_current_label_crit_section();
	error = aa_label_sk_perm(label, op, request, sk);
	end_current_label_crit_section(label);

	return error;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 179)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 180)
/**
 * aa_sock_file_perm - check @request on a socket reached through a file
 * @label: label to check (NOT NULL)
 * @op: operation name used in the audit record
 * @request: requested permission mask
 * @sock: socket (NOT NULL, with a non-NULL sock->sk)
 *
 * Thin wrapper that unwraps @sock to its struct sock and defers to
 * aa_label_sk_perm().
 *
 * Returns: result of aa_label_sk_perm()
 */
int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
		      struct socket *sock)
{
	struct sock *sk;

	AA_BUG(!label);
	AA_BUG(!sock);
	sk = sock->sk;
	AA_BUG(!sk);

	return aa_label_sk_perm(label, op, request, sk);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 190)
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 191) #ifdef CONFIG_NETWORK_SECMARK
/**
 * apparmor_secmark_init - resolve a secmark rule's label string to a secid
 * @secmark: rule whose ->secid is filled in from ->label
 *
 * A label string beginning with '*' maps to AA_SECID_WILDCARD without any
 * parsing. Otherwise the string is parsed relative to the root namespace's
 * unconfined label and the resulting label's secid is stored.
 *
 * NOTE(review): the label returned by aa_label_strn_parse() is not released
 * here; whether its reference must be dropped depends on that function's
 * ownership contract, which is not visible in this file — confirm.
 *
 * Returns: 0 on success, or the error encoded in the parse result
 */
static int apparmor_secmark_init(struct aa_secmark *secmark)
{
	struct aa_label *label;
	size_t len;

	if (secmark->label[0] == '*') {
		secmark->secid = AA_SECID_WILDCARD;
		return 0;
	}

	len = strlen(secmark->label);
	label = aa_label_strn_parse(&root_ns->unconfined->label, secmark->label,
				    len, GFP_ATOMIC, false, false);
	if (IS_ERR(label))
		return PTR_ERR(label);

	secmark->secid = label->secid;

	return 0;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 212)
/**
 * aa_secmark_perm - check @request against a profile's secmark rules
 * @profile: profile whose secmark rules are consulted
 * @request: requested permission mask
 * @secid: secid carried by the packet/socket being checked
 * @sa: audit data for the operation
 * @sk: socket (unused here, kept for the call signature)
 *
 * Every rule matching @secid (exactly, or via AA_SECID_WILDCARD) contributes
 * ALL_PERMS_MASK to perms.deny or perms.allow, plus perms.audit when the rule
 * is audited. A later matching rule does not clear bits set by an earlier
 * one, so both allow and deny may be set; aa_check_perms() resolves them.
 * Rules whose secid is still 0 are resolved lazily via
 * apparmor_secmark_init() first.
 *
 * Returns: 0 if the profile has no secmark rules, an error from
 * apparmor_secmark_init(), or the result of aa_check_perms()
 */
static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
			   struct common_audit_data *sa, struct sock *sk)
{
	struct aa_perms perms = { };
	int i;

	if (profile->secmark_count == 0)
		return 0;

	for (i = 0; i < profile->secmark_count; i++) {
		struct aa_secmark *sm = &profile->secmark[i];

		/* secid 0 means this rule's label has not been resolved yet */
		if (!sm->secid) {
			int ret = apparmor_secmark_init(sm);

			if (ret)
				return ret;
		}

		if (sm->secid != secid && sm->secid != AA_SECID_WILDCARD)
			continue;

		if (sm->deny)
			perms.deny = ALL_PERMS_MASK;
		else
			perms.allow = ALL_PERMS_MASK;

		if (sm->audit)
			perms.audit = ALL_PERMS_MASK;
	}

	aa_apply_modes_to_perms(profile, &perms);

	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 245)
/**
 * apparmor_secmark_check - check a secmark @request for every profile in @label
 * @label: label whose confined profiles are checked
 * @op: operation name used in the audit record
 * @request: requested permission mask
 * @secid: secid carried by the packet/socket being checked
 * @sk: socket recorded in the audit data
 *
 * Returns: the combined result of aa_secmark_perm() over the confined
 * profiles, as produced by fn_for_each_confined()
 */
int apparmor_secmark_check(struct aa_label *label, char *op, u32 request,
			   u32 secid, struct sock *sk)
{
	int error;
	struct aa_profile *profile;
	DEFINE_AUDIT_SK(sa, op, sk);

	error = fn_for_each_confined(label, profile,
				     aa_secmark_perm(profile, request, secid,
						     &sa, sk));

	return error;
}
^8f3ce5b39 (kx 2023-10-28 12:00:06 +0300 256) #endif