perms.h (4901B)
1/* SPDX-License-Identifier: GPL-2.0-only */ 2/* 3 * AppArmor security module 4 * 5 * This file contains AppArmor basic permission sets definitions. 6 * 7 * Copyright 2017 Canonical Ltd. 8 */ 9 10#ifndef __AA_PERM_H 11#define __AA_PERM_H 12 13#include <linux/fs.h> 14#include "label.h" 15 16#define AA_MAY_EXEC MAY_EXEC 17#define AA_MAY_WRITE MAY_WRITE 18#define AA_MAY_READ MAY_READ 19#define AA_MAY_APPEND MAY_APPEND 20 21#define AA_MAY_CREATE 0x0010 22#define AA_MAY_DELETE 0x0020 23#define AA_MAY_OPEN 0x0040 24#define AA_MAY_RENAME 0x0080 /* pair */ 25 26#define AA_MAY_SETATTR 0x0100 /* meta write */ 27#define AA_MAY_GETATTR 0x0200 /* meta read */ 28#define AA_MAY_SETCRED 0x0400 /* security cred/attr */ 29#define AA_MAY_GETCRED 0x0800 30 31#define AA_MAY_CHMOD 0x1000 /* pair */ 32#define AA_MAY_CHOWN 0x2000 /* pair */ 33#define AA_MAY_CHGRP 0x4000 /* pair */ 34#define AA_MAY_LOCK 0x8000 /* LINK_SUBSET overlaid */ 35 36#define AA_EXEC_MMAP 0x00010000 37#define AA_MAY_MPROT 0x00020000 /* extend conditions */ 38#define AA_MAY_LINK 0x00040000 /* pair */ 39#define AA_MAY_SNAPSHOT 0x00080000 /* pair */ 40 41#define AA_MAY_DELEGATE 42#define AA_CONT_MATCH 0x08000000 43 44#define AA_MAY_STACK 0x10000000 45#define AA_MAY_ONEXEC 0x20000000 /* either stack or change_profile */ 46#define AA_MAY_CHANGE_PROFILE 0x40000000 47#define AA_MAY_CHANGEHAT 0x80000000 48 49#define AA_LINK_SUBSET AA_MAY_LOCK /* overlaid */ 50 51 52#define PERMS_CHRS_MASK (MAY_READ | MAY_WRITE | AA_MAY_CREATE | \ 53 AA_MAY_DELETE | AA_MAY_LINK | AA_MAY_LOCK | \ 54 AA_MAY_EXEC | AA_EXEC_MMAP | AA_MAY_APPEND) 55 56#define PERMS_NAMES_MASK (PERMS_CHRS_MASK | AA_MAY_OPEN | AA_MAY_RENAME | \ 57 AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_SETCRED | \ 58 AA_MAY_GETCRED | AA_MAY_CHMOD | AA_MAY_CHOWN | \ 59 AA_MAY_CHGRP | AA_MAY_MPROT | AA_MAY_SNAPSHOT | \ 60 AA_MAY_STACK | AA_MAY_ONEXEC | \ 61 AA_MAY_CHANGE_PROFILE | AA_MAY_CHANGEHAT) 62 63extern const char aa_file_perm_chrs[]; 64extern const char *aa_file_perm_names[]; 65 66struct aa_perms { 67 u32 allow; 68 u32 audit; /* set only when allow is set */ 69 70 u32 deny; /* explicit deny, or conflict if allow also set */ 71 u32 quiet; /* set only when ~allow | deny */ 72 u32 kill; /* set only when ~allow | deny */ 73 u32 stop; /* set only when ~allow | deny */ 74 75 u32 complain; /* accumulates only used when ~allow & ~deny */ 76 u32 cond; /* set only when ~allow and ~deny */ 77 78 u32 hide; /* set only when ~allow | deny */ 79 u32 prompt; /* accumulates only used when ~allow & ~deny */ 80 81 /* Reserved: 82 * u32 subtree; / * set only when allow is set * / 83 */ 84 u16 xindex; 85}; 86 87#define ALL_PERMS_MASK 0xffffffff 88extern struct aa_perms nullperms; 89extern struct aa_perms allperms; 90 91 92#define xcheck(FN1, FN2) \ 93({ \ 94 int e, error = FN1; \ 95 e = FN2; \ 96 if (e) \ 97 error = e; \ 98 error; \ 99}) 100 101 102/* 103 * TODO: update for labels pointing to labels instead of profiles 104 * TODO: optimize the walk, currently does subwalk of L2 for each P in L1 105 * gah this doesn't allow for label compound check!!!! 106 */ 107#define xcheck_ns_profile_profile(P1, P2, FN, args...) \ 108({ \ 109 int ____e = 0; \ 110 if (P1->ns == P2->ns) \ 111 ____e = FN((P1), (P2), args); \ 112 (____e); \ 113}) 114 115#define xcheck_ns_profile_label(P, L, FN, args...) \ 116({ \ 117 struct aa_profile *__p2; \ 118 fn_for_each((L), __p2, \ 119 xcheck_ns_profile_profile((P), __p2, (FN), args)); \ 120}) 121 122#define xcheck_ns_labels(L1, L2, FN, args...) \ 123({ \ 124 struct aa_profile *__p1; \ 125 fn_for_each((L1), __p1, FN(__p1, (L2), args)); \ 126}) 127 128/* Do the cross check but applying FN at the profiles level */ 129#define xcheck_labels_profiles(L1, L2, FN, args...) \ 130 xcheck_ns_labels((L1), (L2), xcheck_ns_profile_label, (FN), args) 131 132#define xcheck_labels(L1, L2, P, FN1, FN2) \ 133 xcheck(fn_for_each((L1), (P), (FN1)), fn_for_each((L2), (P), (FN2))) 134 135 136void aa_perm_mask_to_str(char *str, size_t str_size, const char *chrs, 137 u32 mask); 138void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names, 139 u32 mask); 140void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs, 141 u32 chrsmask, const char * const *names, u32 namesmask); 142void aa_apply_modes_to_perms(struct aa_profile *profile, 143 struct aa_perms *perms); 144void aa_compute_perms(struct aa_dfa *dfa, unsigned int state, 145 struct aa_perms *perms); 146void aa_perms_accum(struct aa_perms *accum, struct aa_perms *addend); 147void aa_perms_accum_raw(struct aa_perms *accum, struct aa_perms *addend); 148void aa_profile_match_label(struct aa_profile *profile, struct aa_label *label, 149 int type, u32 request, struct aa_perms *perms); 150int aa_profile_label_perm(struct aa_profile *profile, struct aa_profile *target, 151 u32 request, int type, u32 *deny, 152 struct common_audit_data *sa); 153int aa_check_perms(struct aa_profile *profile, struct aa_perms *perms, 154 u32 request, struct common_audit_data *sa, 155 void (*cb)(struct audit_buffer *, void *)); 156#endif /* __AA_PERM_H */