/**
 * aa_secmark_perm - check @request against @profile's secmark rules for @secid
 * @profile: profile being enforced (NOT NULL)
 * @request: permission mask being requested
 * @secid: secid carried by the packet being checked
 * @sa: audit data for the check (NOT NULL)
 * @sk: socket the check is for (not consulted by this function)
 *
 * A rule whose secid is still 0 is resolved on first use; if that fails the
 * error is returned without checking anything else. Every rule matching
 * @secid, or the wildcard secid, contributes its allow/deny and audit bits
 * to one aggregate permission set, which is then checked with the profile's
 * modes applied.
 *
 * Returns: 0 if permitted, else error code from aa_check_perms()
 */
static int aa_secmark_perm(struct aa_profile *profile, u32 request, u32 secid,
			   struct common_audit_data *sa, struct sock *sk)
{
	struct aa_perms perms = { };
	int idx;

	/* no secmark rules means there is nothing to mediate */
	if (!profile->secmark_count)
		return 0;

	for (idx = 0; idx < profile->secmark_count; idx++) {
		u32 rule_secid;

		/* a zero secid means the rule has not been initialised yet */
		if (!profile->secmark[idx].secid) {
			int err = apparmor_secmark_init(&profile->secmark[idx]);

			if (err)
				return err;
		}

		rule_secid = profile->secmark[idx].secid;
		if (rule_secid != secid && rule_secid != AA_SECID_WILDCARD)
			continue;

		/* matching rules are merged into a single allow/deny mask */
		if (profile->secmark[idx].deny)
			perms.deny = ALL_PERMS_MASK;
		else
			perms.allow = ALL_PERMS_MASK;
		if (profile->secmark[idx].audit)
			perms.audit = ALL_PERMS_MASK;
	}

	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}
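/* Generic af perm */
/**
 * aa_profile_af_perm - mediate a socket family/type request against @profile
 * @profile: profile to check (NOT NULL)
 * @sa: audit data for the check (NOT NULL)
 * @request: permission mask being requested
 * @family: address family, expected to be < AF_MAX
 * @type: socket type, expected to be in [0, SOCK_MAX)
 *
 * The family and type are encoded as two big-endian u16 values forming the
 * key that is matched against the profile's DFA from the AA_CLASS_NET start
 * state. The resulting permissions are checked with the profile's modes
 * applied.
 *
 * Returns: 0 if permitted or not mediated, else error from aa_check_perms()
 */
int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
		       u32 request, u16 family, int type)
{
	struct aa_perms perms = { };
	unsigned int state;
	__be16 buffer[2];

	AA_BUG(family >= AF_MAX);
	AA_BUG(type < 0 || type >= SOCK_MAX);

	if (profile_unconfined(profile))
		return 0;
	state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
	if (!state)
		return 0;

	/* key layout: family first, then type, each as a big-endian u16 */
	buffer[0] = cpu_to_be16(family);
	buffer[1] = cpu_to_be16((u16) type);
	/*
	 * match the whole key; the length is tied to the buffer's size rather
	 * than a literal so it cannot drift if the key layout changes
	 */
	state = aa_dfa_match_len(profile->policy.dfa, state, (char *) buffer,
				 sizeof(buffer));
	aa_compute_perms(profile->policy.dfa, state, &perms);
	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
}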
/* TODO: conditionals */
/*
 * profile_ptrace_perm - check a ptrace @request from @profile against @peer
 * @profile: profile performing the ptrace (NOT NULL)
 * @peer: label of the ptrace target (NOT NULL)
 * @request: ptrace permission mask
 * @sa: audit data; its peer field is filled in here (NOT NULL)
 *
 * Returns: 0 if permitted, else error from aa_check_perms()
 */
static int profile_ptrace_perm(struct aa_profile *profile, struct aa_label *peer,
			       u32 request, struct common_audit_data *sa)
{
	struct aa_perms perms = { };

	/* look @peer up in the profile's ptrace class */
	aa_profile_match_label(profile, peer, AA_CLASS_PTRACE, request, &perms);
	/* make the peer available to the audit path below */
	aad(sa)->peer = peer;

	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
}
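/**
 * aa_profile_label_perm - check @request of @profile against @target's name
 * @profile: requesting profile (NOT NULL)
 * @target: profile being targeted (NOT NULL)
 * @request: permission mask being requested
 * @type: policy class the lookup is done in
 * @deny: running total of denied bits; the denied subset of @request is
 *        OR'd into it (NOT NULL)
 * @sa: audit data; its label, target and request fields are filled in here
 *      (NOT NULL)
 *
 * Returns: 0 if permitted, else error from aa_check_perms()
 */
int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target,
			  u32 request, int type, u32 *deny,
			  struct common_audit_data *sa)
{
	/*
	 * zero-initialised like the other *_perm helpers in this file so that
	 * perms.deny read below is defined even if aa_profile_match_label()
	 * does not write every field
	 */
	struct aa_perms perms = { };

	aad(sa)->label = &profile->label;
	aad(sa)->target = target;
	aad(sa)->request = request;

	aa_profile_match_label(profile, target->base.hname, type, &perms);
	aa_apply_modes_to_perms(profile, &perms);
	/* report the denied part of @request to the caller */
	*deny |= request & perms.deny;
	return aa_check_perms(profile, &perms, request, sa, aa_audit_perms_cb);
}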
/*
 * profile_signal_perm - check a signal @request from @profile to @peer
 * @profile: sending profile (NOT NULL)
 * @peer: receiving profile (NOT NULL)
 * @request: signal permission mask
 * @sa: audit data carrying the signal number; its target is set here
 *      (NOT NULL)
 *
 * Returns: 0 if permitted or not mediated, else error from aa_check_perms()
 */
static int profile_signal_perm(struct aa_profile *profile,
			       struct aa_profile *peer, u32 request,
			       struct common_audit_data *sa)
{
	struct aa_perms perms;

	/* only confined profiles with a signal class are mediated */
	if (!profile_unconfined(profile) &&
	    PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL)) {
		aad(sa)->target = peer->base.hname;
		profile_match_signal(profile, aa_peer_name(peer),
				     aad(sa)->signal, &perms);
		aa_apply_modes_to_perms(profile, &perms);
		return aa_check_perms(profile, &perms, request, sa,
				      audit_signal_cb);
	}

	return 0;
}
/* TODO: conditionals */
/*
 * profile_ptrace_perm - check a ptrace @request from @profile against @peer
 * @profile: profile performing the ptrace (NOT NULL)
 * @peer: profile being traced (NOT NULL)
 * @request: ptrace permission mask
 * @sa: audit data; its target is set here (NOT NULL)
 *
 * Returns: 0 if permitted or not mediated, else error from aa_check_perms()
 */
static int profile_ptrace_perm(struct aa_profile *profile,
			       struct aa_profile *peer, u32 request,
			       struct common_audit_data *sa)
{
	struct aa_perms perms;

	/* need because of peer in cross check */
	if (profile_unconfined(profile))
		return 0;
	if (!PROFILE_MEDIATES(profile, AA_CLASS_PTRACE))
		return 0;

	aad(sa)->target = peer->base.hname;
	aa_profile_match_label(profile, aa_peer_name(peer), AA_CLASS_PTRACE,
			       &perms);
	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_ptrace_cb);
}
/*
 * profile_signal_perm - check a signal @request from @profile to label @peer
 * @profile: sending profile (NOT NULL)
 * @peer: label of the receiver (NOT NULL)
 * @request: signal permission mask
 * @sa: audit data carrying the signal number; its peer is set here (NOT NULL)
 *
 * Returns: 0 if permitted or not mediated, else error from aa_check_perms()
 */
static int profile_signal_perm(struct aa_profile *profile,
			       struct aa_label *peer, u32 request,
			       struct common_audit_data *sa)
{
	struct aa_perms perms;
	unsigned int start, state;

	if (profile_unconfined(profile) ||
	    !PROFILE_MEDIATES(profile, AA_CLASS_SIGNAL))
		return 0;

	aad(sa)->peer = peer;
	/* TODO: secondary cache check <profile, profile, perm> */
	/* advance the DFA one step, by the signal number, from the class start */
	start = profile->policy.start[AA_CLASS_SIGNAL];
	state = aa_dfa_next(profile->policy.dfa, start, aad(sa)->signal);
	aa_label_match(profile, peer, state, false, request, &perms);
	aa_apply_modes_to_perms(profile, &perms);
	return aa_check_perms(profile, &perms, request, sa, audit_signal_cb);
}