Revert "apparmor: add base infastructure for socket mediation"
authorLinus Torvalds <torvalds@linux-foundation.org>
Thu, 26 Oct 2017 17:35:35 +0000 (19:35 +0200)
committerLinus Torvalds <torvalds@linux-foundation.org>
Thu, 26 Oct 2017 17:35:35 +0000 (19:35 +0200)
This reverts commit 651e28c5537abb39076d3949fb7618536f1d242e.

This caused a regression:
 "The specific problem is that dnsmasq refuses to start on openSUSE Leap
  42.2.  The specific cause is that and attempt to open a PF_LOCAL socket
  gets EACCES.  This means that networking doesn't function on a system
  with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert.  This has not been a good release for
the security subsystem, and this area needs to change development
practices.

Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
12 files changed:
security/apparmor/.gitignore
security/apparmor/Makefile
security/apparmor/apparmorfs.c
security/apparmor/file.c
security/apparmor/include/audit.h
security/apparmor/include/net.h [deleted file]
security/apparmor/include/perms.h
security/apparmor/include/policy.h
security/apparmor/lib.c
security/apparmor/lsm.c
security/apparmor/net.c [deleted file]
security/apparmor/policy_unpack.c

index d5b291e94264f9784438ea38e3242ad7697cb510..9cdec70d72b8ed83c38ec3a271b9495b53975b2e 100644 (file)
@@ -1,6 +1,5 @@
 #
 # Generated include files
 #
-net_names.h
 capability_names.h
 rlim_names.h
index dafdd387d42bab8a5184efb51240123fd3a463f5..81a34426d0240f92187e19dde633d3e8e5b365ef 100644 (file)
@@ -4,44 +4,11 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
 
 apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
-              resource.o secid.o file.o policy_ns.o label.o mount.o net.o
+              resource.o secid.o file.o policy_ns.o label.o mount.o
 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
 
-clean-files := capability_names.h rlim_names.h net_names.h
+clean-files := capability_names.h rlim_names.h
 
-# Build a lower case string table of address family names
-# Transform lines from
-#    #define AF_LOCAL          1       /* POSIX name for AF_UNIX       */
-#    #define AF_INET           2       /* Internet IP Protocol         */
-# to
-#    [1] = "local",
-#    [2] = "inet",
-#
-# and build the securityfs entries for the mapping.
-# Transforms lines from
-#    #define AF_INET           2       /* Internet IP Protocol         */
-# to
-#    #define AA_SFS_AF_MASK "local inet"
-quiet_cmd_make-af = GEN     $@
-cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
-       sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
-        's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-       echo "};" >> $@ ;\
-       printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
-       sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
-        's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
-        $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
-
-# Build a lower case string table of sock type names
-# Transform lines from
-#    SOCK_STREAM       = 1,
-# to
-#    [1] = "stream",
-quiet_cmd_make-sock = GEN     $@
-cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
-       sed $^ >>$@ -r -n \
-       -e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-       echo "};" >> $@
 
 # Build a lower case string table of capability names
 # Transforms lines from
@@ -94,7 +61,6 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
            tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
 
 $(obj)/capability.o : $(obj)/capability_names.h
-$(obj)/net.o : $(obj)/net_names.h
 $(obj)/resource.o : $(obj)/rlim_names.h
 $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
                            $(src)/Makefile
@@ -102,8 +68,3 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
 $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
                      $(src)/Makefile
        $(call cmd,make-rlim)
-$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
-                    $(srctree)/include/linux/net.h \
-                    $(src)/Makefile
-       $(call cmd,make-af)
-       $(call cmd,make-sock)
index 518d5928661b518c8f037db26edfed44f6270752..caaf51dda64812067e07d1c9079c7750c4296e11 100644 (file)
@@ -2202,7 +2202,6 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
        AA_SFS_DIR("policy",                    aa_sfs_entry_policy),
        AA_SFS_DIR("domain",                    aa_sfs_entry_domain),
        AA_SFS_DIR("file",                      aa_sfs_entry_file),
-       AA_SFS_DIR("network",                   aa_sfs_entry_network),
        AA_SFS_DIR("mount",                     aa_sfs_entry_mount),
        AA_SFS_DIR("namespaces",                aa_sfs_entry_ns),
        AA_SFS_FILE_U64("capability",           VFS_CAP_FLAGS_MASK),
index db80221891c66f034c1a3138f46d455a2685d102..3382518b87fa507200679cb9ef660329a292debc 100644 (file)
@@ -21,7 +21,6 @@
 #include "include/context.h"
 #include "include/file.h"
 #include "include/match.h"
-#include "include/net.h"
 #include "include/path.h"
 #include "include/policy.h"
 #include "include/label.h"
@@ -567,32 +566,6 @@ static int __file_path_perm(const char *op, struct aa_label *label,
        return error;
 }
 
-static int __file_sock_perm(const char *op, struct aa_label *label,
-                           struct aa_label *flabel, struct file *file,
-                           u32 request, u32 denied)
-{
-       struct socket *sock = (struct socket *) file->private_data;
-       int error;
-
-       AA_BUG(!sock);
-
-       /* revalidation due to label out of date. No revocation at this time */
-       if (!denied && aa_label_is_subset(flabel, label))
-               return 0;
-
-       /* TODO: improve to skip profiles cached in flabel */
-       error = aa_sock_file_perm(label, op, request, sock);
-       if (denied) {
-               /* TODO: improve to skip profiles checked above */
-               /* check every profile in file label to is cached */
-               last_error(error, aa_sock_file_perm(flabel, op, request, sock));
-       }
-       if (!error)
-               update_file_ctx(file_ctx(file), label, request);
-
-       return error;
-}
-
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -637,9 +610,6 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
                error = __file_path_perm(op, label, flabel, file, request,
                                         denied);
 
-       else if (S_ISSOCK(file_inode(file)->i_mode))
-               error = __file_sock_perm(op, label, flabel, file, request,
-                                        denied);
 done:
        rcu_read_unlock();
 
index ff4316e1068d6b98ea7cbf44d21e96ff75cf9328..620e811696592ddec6fb221e2bec07d436f258b4 100644 (file)
@@ -121,29 +121,21 @@ struct apparmor_audit_data {
                /* these entries require a custom callback fn */
                struct {
                        struct aa_label *peer;
-                       union {
-                               struct {
-                                       kuid_t ouid;
-                                       const char *target;
-                               } fs;
-                               struct {
-                                       int type, protocol;
-                                       struct sock *peer_sk;
-                                       void *addr;
-                                       int addrlen;
-                               } net;
-                               int signal;
-                               struct {
-                                       int rlim;
-                                       unsigned long max;
-                               } rlim;
-                       };
+                       struct {
+                               const char *target;
+                               kuid_t ouid;
+                       } fs;
                };
                struct {
                        struct aa_profile *profile;
                        const char *ns;
                        long pos;
                } iface;
+               int signal;
+               struct {
+                       int rlim;
+                       unsigned long max;
+               } rlim;
                struct {
                        const char *src_name;
                        const char *type;
diff --git a/security/apparmor/include/net.h b/security/apparmor/include/net.h
deleted file mode 100644 (file)
index 140c8ef..0000000
+++ /dev/null
@@ -1,114 +0,0 @@
-/*
- * AppArmor security module
- *
- * This file contains AppArmor network mediation definitions.
- *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2017 Canonical Ltd.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- */
-
-#ifndef __AA_NET_H
-#define __AA_NET_H
-
-#include <net/sock.h>
-#include <linux/path.h>
-
-#include "apparmorfs.h"
-#include "label.h"
-#include "perms.h"
-#include "policy.h"
-
-#define AA_MAY_SEND            AA_MAY_WRITE
-#define AA_MAY_RECEIVE         AA_MAY_READ
-
-#define AA_MAY_SHUTDOWN                AA_MAY_DELETE
-
-#define AA_MAY_CONNECT         AA_MAY_OPEN
-#define AA_MAY_ACCEPT          0x00100000
-
-#define AA_MAY_BIND            0x00200000
-#define AA_MAY_LISTEN          0x00400000
-
-#define AA_MAY_SETOPT          0x01000000
-#define AA_MAY_GETOPT          0x02000000
-
-#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
-                       AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN |   \
-                       AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
-                       AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
-
-#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |   \
-                     AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
-                     AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD |  \
-                     AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK |       \
-                     AA_MAY_MPROT)
-
-#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT | \
-                      AA_MAY_ACCEPT)
-struct aa_sk_ctx {
-       struct aa_label *label;
-       struct aa_label *peer;
-       struct path path;
-};
-
-#define SK_CTX(X) ((X)->sk_security)
-#define SOCK_ctx(X) SOCK_INODE(X)->i_security
-#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)                                  \
-       struct lsm_network_audit NAME ## _net = { .sk = (SK),             \
-                                                 .family = (F)};         \
-       DEFINE_AUDIT_DATA(NAME,                                           \
-                         ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
-                                                    LSM_AUDIT_DATA_NONE, \
-                         OP);                                            \
-       NAME.u.net = &(NAME ## _net);                                     \
-       aad(&NAME)->net.type = (T);                                       \
-       aad(&NAME)->net.protocol = (P)
-
-#define DEFINE_AUDIT_SK(NAME, OP, SK)                                  \
-       DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,  \
-                        (SK)->sk_protocol)
-
-/* struct aa_net - network confinement data
- * @allow: basic network families permissions
- * @audit: which network permissions to force audit
- * @quiet: which network permissions to quiet rejects
- */
-struct aa_net {
-       u16 allow[AF_MAX];
-       u16 audit[AF_MAX];
-       u16 quiet[AF_MAX];
-};
-
-
-extern struct aa_sfs_entry aa_sfs_entry_network[];
-
-void audit_net_cb(struct audit_buffer *ab, void *va);
-int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
-                      u32 request, u16 family, int type);
-int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
-              int type, int protocol);
-static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
-                                       struct common_audit_data *sa,
-                                       u32 request,
-                                       struct sock *sk)
-{
-       return aa_profile_af_perm(profile, sa, request, sk->sk_family,
-                                 sk->sk_type);
-}
-int aa_sk_perm(const char *op, u32 request, struct sock *sk);
-
-int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
-                     struct socket *sock);
-
-
-static inline void aa_free_net_rules(struct aa_net *new)
-{
-       /* NOP */
-}
-
-#endif /* __AA_NET_H */
index af04d5a7d73d46146f152c83529a50829b986962..2b27bb79aec4421665aaa6f2a2490868227bed0f 100644 (file)
@@ -135,10 +135,9 @@ extern struct aa_perms allperms;
 
 
 void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-                        u32 mask);
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-                       u32 chrsmask, const char * const *names, u32 namesmask);
+                       u32 chrsmask, const char **names, u32 namesmask);
 void aa_apply_modes_to_perms(struct aa_profile *profile,
                             struct aa_perms *perms);
 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,
index 4364088a0b9e2188b6353e815cca6c1b3e70fc25..17fe41a9cac35e6d88f3ae738bf2b068de736ec1 100644 (file)
@@ -30,7 +30,6 @@
 #include "file.h"
 #include "lib.h"
 #include "label.h"
-#include "net.h"
 #include "perms.h"
 #include "resource.h"
 
@@ -112,7 +111,6 @@ struct aa_data {
  * @policy: general match rules governing policy
  * @file: The set of rules governing basic file access and domain transitions
  * @caps: capabilities for the profile
- * @net: network controls for the profile
  * @rlimits: rlimits for the profile
  *
  * @dents: dentries for the profiles file entries in apparmorfs
@@ -150,7 +148,6 @@ struct aa_profile {
        struct aa_policydb policy;
        struct aa_file_rules file;
        struct aa_caps caps;
-       struct aa_net net;
        struct aa_rlimit rlimits;
 
        struct aa_loaddata *rawdata;
@@ -223,16 +220,6 @@ static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
        return 0;
 }
 
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
-                                              u16 AF) {
-       unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
-       u16 be_af = cpu_to_be16(AF);
-
-       if (!state)
-               return 0;
-       return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
-}
-
 /**
  * aa_get_profile - increment refcount on profile @p
  * @p: profile  (MAYBE NULL)
index 8818621b5d956023d9fc799fbff00a0b073fabc8..08ca26bcca7703c7f74e1531879eea4dd3bf2ac9 100644 (file)
@@ -211,8 +211,7 @@ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
        *str = '\0';
 }
 
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-                        u32 mask)
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask)
 {
        const char *fmt = "%s";
        unsigned int i, perm = 1;
@@ -230,7 +229,7 @@ void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
 }
 
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-                       u32 chrsmask, const char * const *names, u32 namesmask)
+                       u32 chrsmask, const char **names, u32 namesmask)
 {
        char str[33];
 
index 72b915dfcaf7eeeed1a2d428777878c81e5f4f80..1346ee5be04f13e4bb64658755605852b8789ab5 100644 (file)
@@ -33,7 +33,6 @@
 #include "include/context.h"
 #include "include/file.h"
 #include "include/ipc.h"
-#include "include/net.h"
 #include "include/path.h"
 #include "include/label.h"
 #include "include/policy.h"
@@ -737,368 +736,6 @@ static int apparmor_task_kill(struct task_struct *target, struct siginfo *info,
        return error;
 }
 
-/**
- * apparmor_sk_alloc_security - allocate and attach the sk_security field
- */
-static int apparmor_sk_alloc_security(struct sock *sk, int family, gfp_t flags)
-{
-       struct aa_sk_ctx *ctx;
-
-       ctx = kzalloc(sizeof(*ctx), flags);
-       if (!ctx)
-               return -ENOMEM;
-
-       SK_CTX(sk) = ctx;
-
-       return 0;
-}
-
-/**
- * apparmor_sk_free_security - free the sk_security field
- */
-static void apparmor_sk_free_security(struct sock *sk)
-{
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
-
-       SK_CTX(sk) = NULL;
-       aa_put_label(ctx->label);
-       aa_put_label(ctx->peer);
-       path_put(&ctx->path);
-       kfree(ctx);
-}
-
-/**
- * apparmor_clone_security - clone the sk_security field
- */
-static void apparmor_sk_clone_security(const struct sock *sk,
-                                      struct sock *newsk)
-{
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
-       struct aa_sk_ctx *new = SK_CTX(newsk);
-
-       new->label = aa_get_label(ctx->label);
-       new->peer = aa_get_label(ctx->peer);
-       new->path = ctx->path;
-       path_get(&new->path);
-}
-
-static int aa_sock_create_perm(struct aa_label *label, int family, int type,
-                              int protocol)
-{
-       AA_BUG(!label);
-       AA_BUG(in_interrupt());
-
-       return aa_af_perm(label, OP_CREATE, AA_MAY_CREATE, family, type,
-                         protocol);
-}
-
-
-/**
- * apparmor_socket_create - check perms before creating a new socket
- */
-static int apparmor_socket_create(int family, int type, int protocol, int kern)
-{
-       struct aa_label *label;
-       int error = 0;
-
-       label = begin_current_label_crit_section();
-       if (!(kern || unconfined(label)))
-               error = aa_sock_create_perm(label, family, type, protocol);
-       end_current_label_crit_section(label);
-
-       return error;
-}
-
-/**
- * apparmor_socket_post_create - setup the per-socket security struct
- *
- * Note:
- * -   kernel sockets currently labeled unconfined but we may want to
- *     move to a special kernel label
- * -   socket may not have sk here if created with sock_create_lite or
- *     sock_alloc. These should be accept cases which will be handled in
- *     sock_graft.
- */
-static int apparmor_socket_post_create(struct socket *sock, int family,
-                                      int type, int protocol, int kern)
-{
-       struct aa_label *label;
-
-       if (kern) {
-               struct aa_ns *ns = aa_get_current_ns();
-
-               label = aa_get_label(ns_unconfined(ns));
-               aa_put_ns(ns);
-       } else
-               label = aa_get_current_label();
-
-       if (sock->sk) {
-               struct aa_sk_ctx *ctx = SK_CTX(sock->sk);
-
-               aa_put_label(ctx->label);
-               ctx->label = aa_get_label(label);
-       }
-       aa_put_label(label);
-
-       return 0;
-}
-
-/**
- * apparmor_socket_bind - check perms before bind addr to socket
- */
-static int apparmor_socket_bind(struct socket *sock,
-                               struct sockaddr *address, int addrlen)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(!address);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(OP_BIND, AA_MAY_BIND, sock->sk);
-}
-
-/**
- * apparmor_socket_connect - check perms before connecting @sock to @address
- */
-static int apparmor_socket_connect(struct socket *sock,
-                                  struct sockaddr *address, int addrlen)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(!address);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(OP_CONNECT, AA_MAY_CONNECT, sock->sk);
-}
-
-/**
- * apparmor_socket_list - check perms before allowing listen
- */
-static int apparmor_socket_listen(struct socket *sock, int backlog)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(OP_LISTEN, AA_MAY_LISTEN, sock->sk);
-}
-
-/**
- * apparmor_socket_accept - check perms before accepting a new connection.
- *
- * Note: while @newsock is created and has some information, the accept
- *       has not been done.
- */
-static int apparmor_socket_accept(struct socket *sock, struct socket *newsock)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(!newsock);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(OP_ACCEPT, AA_MAY_ACCEPT, sock->sk);
-}
-
-static int aa_sock_msg_perm(const char *op, u32 request, struct socket *sock,
-                           struct msghdr *msg, int size)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(!msg);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(op, request, sock->sk);
-}
-
-/**
- * apparmor_socket_sendmsg - check perms before sending msg to another socket
- */
-static int apparmor_socket_sendmsg(struct socket *sock,
-                                  struct msghdr *msg, int size)
-{
-       return aa_sock_msg_perm(OP_SENDMSG, AA_MAY_SEND, sock, msg, size);
-}
-
-/**
- * apparmor_socket_recvmsg - check perms before receiving a message
- */
-static int apparmor_socket_recvmsg(struct socket *sock,
-                                  struct msghdr *msg, int size, int flags)
-{
-       return aa_sock_msg_perm(OP_RECVMSG, AA_MAY_RECEIVE, sock, msg, size);
-}
-
-/* revaliation, get/set attr, shutdown */
-static int aa_sock_perm(const char *op, u32 request, struct socket *sock)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(op, request, sock->sk);
-}
-
-/**
- * apparmor_socket_getsockname - check perms before getting the local address
- */
-static int apparmor_socket_getsockname(struct socket *sock)
-{
-       return aa_sock_perm(OP_GETSOCKNAME, AA_MAY_GETATTR, sock);
-}
-
-/**
- * apparmor_socket_getpeername - check perms before getting remote address
- */
-static int apparmor_socket_getpeername(struct socket *sock)
-{
-       return aa_sock_perm(OP_GETPEERNAME, AA_MAY_GETATTR, sock);
-}
-
-/* revaliation, get/set attr, opt */
-static int aa_sock_opt_perm(const char *op, u32 request, struct socket *sock,
-                           int level, int optname)
-{
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-       AA_BUG(in_interrupt());
-
-       return aa_sk_perm(op, request, sock->sk);
-}
-
-/**
- * apparmor_getsockopt - check perms before getting socket options
- */
-static int apparmor_socket_getsockopt(struct socket *sock, int level,
-                                     int optname)
-{
-       return aa_sock_opt_perm(OP_GETSOCKOPT, AA_MAY_GETOPT, sock,
-                               level, optname);
-}
-
-/**
- * apparmor_setsockopt - check perms before setting socket options
- */
-static int apparmor_socket_setsockopt(struct socket *sock, int level,
-                                     int optname)
-{
-       return aa_sock_opt_perm(OP_SETSOCKOPT, AA_MAY_SETOPT, sock,
-                               level, optname);
-}
-
-/**
- * apparmor_socket_shutdown - check perms before shutting down @sock conn
- */
-static int apparmor_socket_shutdown(struct socket *sock, int how)
-{
-       return aa_sock_perm(OP_SHUTDOWN, AA_MAY_SHUTDOWN, sock);
-}
-
-/**
- * apparmor_socket_sock_recv_skb - check perms before associating skb to sk
- *
- * Note: can not sleep may be called with locks held
- *
- * dont want protocol specific in __skb_recv_datagram()
- * to deny an incoming connection  socket_sock_rcv_skb()
- */
-static int apparmor_socket_sock_rcv_skb(struct sock *sk, struct sk_buff *skb)
-{
-       return 0;
-}
-
-
-static struct aa_label *sk_peer_label(struct sock *sk)
-{
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
-
-       if (ctx->peer)
-               return ctx->peer;
-
-       return ERR_PTR(-ENOPROTOOPT);
-}
-
-/**
- * apparmor_socket_getpeersec_stream - get security context of peer
- *
- * Note: for tcp only valid if using ipsec or cipso on lan
- */
-static int apparmor_socket_getpeersec_stream(struct socket *sock,
-                                            char __user *optval,
-                                            int __user *optlen,
-                                            unsigned int len)
-{
-       char *name;
-       int slen, error = 0;
-       struct aa_label *label;
-       struct aa_label *peer;
-
-       label = begin_current_label_crit_section();
-       peer = sk_peer_label(sock->sk);
-       if (IS_ERR(peer)) {
-               error = PTR_ERR(peer);
-               goto done;
-       }
-       slen = aa_label_asxprint(&name, labels_ns(label), peer,
-                                FLAG_SHOW_MODE | FLAG_VIEW_SUBNS |
-                                FLAG_HIDDEN_UNCONFINED, GFP_KERNEL);
-       /* don't include terminating \0 in slen, it breaks some apps */
-       if (slen < 0) {
-               error = -ENOMEM;
-       } else {
-               if (slen > len) {
-                       error = -ERANGE;
-               } else if (copy_to_user(optval, name, slen)) {
-                       error = -EFAULT;
-                       goto out;
-               }
-               if (put_user(slen, optlen))
-                       error = -EFAULT;
-out:
-               kfree(name);
-
-       }
-
-done:
-       end_current_label_crit_section(label);
-
-       return error;
-}
-
-/**
- * apparmor_socket_getpeersec_dgram - get security label of packet
- * @sock: the peer socket
- * @skb: packet data
- * @secid: pointer to where to put the secid of the packet
- *
- * Sets the netlabel socket state on sk from parent
- */
-static int apparmor_socket_getpeersec_dgram(struct socket *sock,
-                                           struct sk_buff *skb, u32 *secid)
-
-{
-       /* TODO: requires secid support */
-       return -ENOPROTOOPT;
-}
-
-/**
- * apparmor_sock_graft - Initialize newly created socket
- * @sk: child sock
- * @parent: parent socket
- *
- * Note: could set off of SOCK_CTX(parent) but need to track inode and we can
- *       just set sk security information off of current creating process label
- *       Labeling of sk for accept case - probably should be sock based
- *       instead of task, because of the case where an implicitly labeled
- *       socket is shared by different tasks.
- */
-static void apparmor_sock_graft(struct sock *sk, struct socket *parent)
-{
-       struct aa_sk_ctx *ctx = SK_CTX(sk);
-
-       if (!ctx->label)
-               ctx->label = aa_get_current_label();
-}
-
 static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(ptrace_access_check, apparmor_ptrace_access_check),
        LSM_HOOK_INIT(ptrace_traceme, apparmor_ptrace_traceme),
@@ -1133,30 +770,6 @@ static struct security_hook_list apparmor_hooks[] __lsm_ro_after_init = {
        LSM_HOOK_INIT(getprocattr, apparmor_getprocattr),
        LSM_HOOK_INIT(setprocattr, apparmor_setprocattr),
 
-       LSM_HOOK_INIT(sk_alloc_security, apparmor_sk_alloc_security),
-       LSM_HOOK_INIT(sk_free_security, apparmor_sk_free_security),
-       LSM_HOOK_INIT(sk_clone_security, apparmor_sk_clone_security),
-
-       LSM_HOOK_INIT(socket_create, apparmor_socket_create),
-       LSM_HOOK_INIT(socket_post_create, apparmor_socket_post_create),
-       LSM_HOOK_INIT(socket_bind, apparmor_socket_bind),
-       LSM_HOOK_INIT(socket_connect, apparmor_socket_connect),
-       LSM_HOOK_INIT(socket_listen, apparmor_socket_listen),
-       LSM_HOOK_INIT(socket_accept, apparmor_socket_accept),
-       LSM_HOOK_INIT(socket_sendmsg, apparmor_socket_sendmsg),
-       LSM_HOOK_INIT(socket_recvmsg, apparmor_socket_recvmsg),
-       LSM_HOOK_INIT(socket_getsockname, apparmor_socket_getsockname),
-       LSM_HOOK_INIT(socket_getpeername, apparmor_socket_getpeername),
-       LSM_HOOK_INIT(socket_getsockopt, apparmor_socket_getsockopt),
-       LSM_HOOK_INIT(socket_setsockopt, apparmor_socket_setsockopt),
-       LSM_HOOK_INIT(socket_shutdown, apparmor_socket_shutdown),
-       LSM_HOOK_INIT(socket_sock_rcv_skb, apparmor_socket_sock_rcv_skb),
-       LSM_HOOK_INIT(socket_getpeersec_stream,
-                     apparmor_socket_getpeersec_stream),
-       LSM_HOOK_INIT(socket_getpeersec_dgram,
-                     apparmor_socket_getpeersec_dgram),
-       LSM_HOOK_INIT(sock_graft, apparmor_sock_graft),
-
        LSM_HOOK_INIT(cred_alloc_blank, apparmor_cred_alloc_blank),
        LSM_HOOK_INIT(cred_free, apparmor_cred_free),
        LSM_HOOK_INIT(cred_prepare, apparmor_cred_prepare),
diff --git a/security/apparmor/net.c b/security/apparmor/net.c
deleted file mode 100644 (file)
index 33d5443..0000000
+++ /dev/null
@@ -1,184 +0,0 @@
-/*
- * AppArmor security module
- *
- * This file contains AppArmor network mediation
- *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2017 Canonical Ltd.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- */
-
-#include "include/apparmor.h"
-#include "include/audit.h"
-#include "include/context.h"
-#include "include/label.h"
-#include "include/net.h"
-#include "include/policy.h"
-
-#include "net_names.h"
-
-
-struct aa_sfs_entry aa_sfs_entry_network[] = {
-       AA_SFS_FILE_STRING("af_mask",   AA_SFS_AF_MASK),
-       { }
-};
-
-static const char * const net_mask_names[] = {
-       "unknown",
-       "send",
-       "receive",
-       "unknown",
-
-       "create",
-       "shutdown",
-       "connect",
-       "unknown",
-
-       "setattr",
-       "getattr",
-       "setcred",
-       "getcred",
-
-       "chmod",
-       "chown",
-       "chgrp",
-       "lock",
-
-       "mmap",
-       "mprot",
-       "unknown",
-       "unknown",
-
-       "accept",
-       "bind",
-       "listen",
-       "unknown",
-
-       "setopt",
-       "getopt",
-       "unknown",
-       "unknown",
-
-       "unknown",
-       "unknown",
-       "unknown",
-       "unknown",
-};
-
-
-/* audit callback for net specific fields */
-void audit_net_cb(struct audit_buffer *ab, void *va)
-{
-       struct common_audit_data *sa = va;
-
-       audit_log_format(ab, " family=");
-       if (address_family_names[sa->u.net->family])
-               audit_log_string(ab, address_family_names[sa->u.net->family]);
-       else
-               audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
-       audit_log_format(ab, " sock_type=");
-       if (sock_type_names[aad(sa)->net.type])
-               audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
-       else
-               audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
-       audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
-
-       if (aad(sa)->request & NET_PERMS_MASK) {
-               audit_log_format(ab, " requested_mask=");
-               aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
-                                  net_mask_names, NET_PERMS_MASK);
-
-               if (aad(sa)->denied & NET_PERMS_MASK) {
-                       audit_log_format(ab, " denied_mask=");
-                       aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
-                                          net_mask_names, NET_PERMS_MASK);
-               }
-       }
-       if (aad(sa)->peer) {
-               audit_log_format(ab, " peer=");
-               aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
-                               FLAGS_NONE, GFP_ATOMIC);
-       }
-}
-
-
-/* Generic af perm */
-int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
-                      u32 request, u16 family, int type)
-{
-       struct aa_perms perms = { };
-
-       AA_BUG(family >= AF_MAX);
-       AA_BUG(type < 0 || type >= SOCK_MAX);
-
-       if (profile_unconfined(profile))
-               return 0;
-
-       perms.allow = (profile->net.allow[family] & (1 << type)) ?
-               ALL_PERMS_MASK : 0;
-       perms.audit = (profile->net.audit[family] & (1 << type)) ?
-               ALL_PERMS_MASK : 0;
-       perms.quiet = (profile->net.quiet[family] & (1 << type)) ?
-               ALL_PERMS_MASK : 0;
-       aa_apply_modes_to_perms(profile, &perms);
-
-       return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
-}
-
-int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
-              int type, int protocol)
-{
-       struct aa_profile *profile;
-       DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
-
-       return fn_for_each_confined(label, profile,
-                       aa_profile_af_perm(profile, &sa, request, family,
-                                          type));
-}
-
-static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
-                           struct sock *sk)
-{
-       struct aa_profile *profile;
-       DEFINE_AUDIT_SK(sa, op, sk);
-
-       AA_BUG(!label);
-       AA_BUG(!sk);
-
-       if (unconfined(label))
-               return 0;
-
-       return fn_for_each_confined(label, profile,
-                       aa_profile_af_sk_perm(profile, &sa, request, sk));
-}
-
-int aa_sk_perm(const char *op, u32 request, struct sock *sk)
-{
-       struct aa_label *label;
-       int error;
-
-       AA_BUG(!sk);
-       AA_BUG(in_interrupt());
-
-       /* TODO: switch to begin_current_label ???? */
-       label = begin_current_label_crit_section();
-       error = aa_label_sk_perm(label, op, request, sk);
-       end_current_label_crit_section(label);
-
-       return error;
-}
-
-
-int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
-                     struct socket *sock)
-{
-       AA_BUG(!label);
-       AA_BUG(!sock);
-       AA_BUG(!sock->sk);
-
-       return aa_label_sk_perm(label, op, request, sock->sk);
-}
index 5a2aec358322a930a5e6473a9e22acd64462298b..4ede87c30f8b890a63e1aaae0a75a9ed6ba1045c 100644 (file)
@@ -275,19 +275,6 @@ fail:
        return 0;
 }
 
-static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
-{
-       if (unpack_nameX(e, AA_U16, name)) {
-               if (!inbounds(e, sizeof(u16)))
-                       return 0;
-               if (data)
-                       *data = le16_to_cpu(get_unaligned((__le16 *) e->pos));
-               e->pos += sizeof(u16);
-               return 1;
-       }
-       return 0;
-}
-
 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
 {
        if (unpack_nameX(e, AA_U32, name)) {
@@ -597,7 +584,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
        struct aa_profile *profile = NULL;
        const char *tmpname, *tmpns = NULL, *name = NULL;
        const char *info = "failed to unpack profile";
-       size_t size = 0, ns_len;
+       size_t ns_len;
        struct rhashtable_params params = { 0 };
        char *key = NULL;
        struct aa_data *data;
@@ -730,38 +717,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
                goto fail;
        }
 
-       size = unpack_array(e, "net_allowed_af");
-       if (size) {
-
-               for (i = 0; i < size; i++) {
-                       /* discard extraneous rules that this kernel will
-                        * never request
-                        */
-                       if (i >= AF_MAX) {
-                               u16 tmp;
-
-                               if (!unpack_u16(e, &tmp, NULL) ||
-                                   !unpack_u16(e, &tmp, NULL) ||
-                                   !unpack_u16(e, &tmp, NULL))
-                                       goto fail;
-                               continue;
-                       }
-                       if (!unpack_u16(e, &profile->net.allow[i], NULL))
-                               goto fail;
-                       if (!unpack_u16(e, &profile->net.audit[i], NULL))
-                               goto fail;
-                       if (!unpack_u16(e, &profile->net.quiet[i], NULL))
-                               goto fail;
-               }
-               if (!unpack_nameX(e, AA_ARRAYEND, NULL))
-                       goto fail;
-       }
-       if (VERSION_LT(e->version, v7)) {
-               /* pre v7 policy always allowed these */
-               profile->net.allow[AF_UNIX] = 0xffff;
-               profile->net.allow[AF_NETLINK] = 0xffff;
-       }
-
        if (unpack_nameX(e, AA_STRUCT, "policydb")) {
                /* generic policy dfa - optional and may be NULL */
                info = "failed to unpack policydb";