security/apparmor/net.c

Source file repositories/reference/linux-study-clean/security/apparmor/net.c

File Facts

System
Linux kernel
Corpus path
security/apparmor/net.c
Extension
.c
Size
9936 bytes
Lines
406
Domain
Core OS
Bucket
Security And Isolation
Inferred role
Core OS: implementation source
Status
source implementation candidate

Why This File Exists

Core operating-system implementation surface: boot, tasks, memory, VFS, syscall-facing interfaces, synchronization, credentials, and isolation.

Annotated Snippet

if (ad->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, ad->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}
	if (ad->common.u.net->family == PF_UNIX) {
		if (ad->net.addr || !ad->common.u.net->sk)
			audit_unix_addr(ab, "addr",
					unix_addr(ad->net.addr),
					ad->net.addrlen);
		else
			audit_unix_sk_addr(ab, "addr", ad->common.u.net->sk);
		if (ad->request & NET_PEER_MASK) {
			audit_unix_addr(ab, "peer_addr",
					unix_addr(ad->net.peer.addr),
					ad->net.peer.addrlen);
		}
	}
	if (ad->peer) {
		audit_log_format(ab, " peer=");
		aa_label_xaudit(ab, labels_ns(ad->subj_label), ad->peer,
				FLAGS_NONE, GFP_ATOMIC);
	}
}

/* standard permission lookup pattern - supports early bailout */
int aa_do_perms(struct aa_profile *profile, struct aa_policydb *policy,
		aa_state_t state, u32 request,
		struct aa_perms *p, struct apparmor_audit_data *ad)
{
	const struct aa_perms *src = p;
	struct aa_perms effective;

	AA_BUG(!profile);
	AA_BUG(!policy);

	/*
	 * A caller-supplied @p is only honoured for the initial state; for
	 * any other state, or when no perms were supplied, the entry for
	 * @state in @policy is used instead.
	 */
	if (!src || state)
		src = aa_lookup_perms(policy, state);

	/* work on a copy: the profile's modes must not alter the policy table */
	effective = *src;
	aa_apply_modes_to_perms(profile, &effective);

	return aa_check_perms(profile, &effective, request, ad, audit_net_cb);
}

/* Only continue the match if the perms at the current state are
 * insufficient and the state indicates that more perms follow in a
 * later state.
 * Returns: perms struct on early match
 */
static struct aa_perms *early_match(struct aa_policydb *policy,
				    aa_state_t state, u32 request)
{
	struct aa_perms *cur = aa_lookup_perms(policy, state);

	/*
	 * Stop here if @request is already fully allowed at this state, or
	 * if the DFA has no further perms to offer (AA_CONT_MATCH clear).
	 * Otherwise report NULL so the caller keeps matching.
	 */
	if ((cur->allow & request) == request || !(cur->allow & AA_CONT_MATCH))
		return cur;

	return NULL;
}

/* feed a 16-bit value to the DFA in network (big-endian) byte order */
static aa_state_t aa_dfa_match_be16(struct aa_dfa *dfa, aa_state_t state,
					  u16 data)
{
	__be16 wire = cpu_to_be16(data);

	/* sizeof(wire) == 2: the two bytes of @data, most significant first */
	return aa_dfa_match_len(dfa, state, (char *) &wire, sizeof(wire));
}

/**
 * aa_match_to_prot - match the af, type, protocol triplet
 * @policy: policy being matched
 * @state: state to start in
 * @request: permissions being requested, ignored if @p == NULL
 * @af: socket address family
 * @type: socket type
 * @protocol: socket protocol
 * @p: output - pointer to permission associated with match
 * @info: output - pointer to string describing failure
 *
 * RETURNS: state match stopped in.
 *
 * If @p is assigned a value, the returned state is the corresponding
 * state. @p is set only if an early match occurs; it is not set on
 * failure or if the match runs to completion.
 */
aa_state_t aa_match_to_prot(struct aa_policydb *policy, aa_state_t state,
			    u32 request, u16 af, int type, int protocol,
			    struct aa_perms **p, const char **info)
{
