/*
 *	Copyright (c) 1999, 2000, 2001, 2002, 2004, 2005, 2006, 2007
 *	NOVELL (All rights reserved)
 *
 *	Immunix AppArmor LSM
 *
 *	This program is free software; you can redistribute it and/or
 *	modify it under the terms of the GNU General Public License as
 *	published by the Free Software Foundation, version 2 of the
 *	License.
 *
 *	This program is distributed in the hope that it will be useful,
 *	but WITHOUT ANY WARRANTY; without even the implied warranty of
 *	MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *	GNU General Public License for more details.
 *
 *	You should have received a copy of the GNU General Public License
 *	along with this program; if not, contact Novell, Inc.
 */

#ifndef _IMMUNIX_H
#define _IMMUNIX_H

/*
 * Modeled after MAY_READ, MAY_WRITE, MAY_EXEC in the kernel. The value of
 * AA_MAY_EXEC must be identical to MAY_EXEC, etc.
 */
#define AA_MAY_EXEC			(1 << 0)
#define AA_MAY_WRITE			(1 << 1)
#define AA_MAY_READ			(1 << 2)
#define AA_MAY_APPEND			(1 << 3)
#define AA_MAY_LINK			(1 << 4)
#define AA_MAY_LOCK			(1 << 5)
#define AA_EXEC_MMAP			(1 << 6)
#define AA_EXEC_PUX			(1 << 7)
#define AA_EXEC_UNSAFE			(1 << 8)
#define AA_EXEC_INHERIT			(1 << 9)
#define AA_EXEC_MOD_0			(1 << 10)
#define AA_EXEC_MOD_1			(1 << 11)
#define AA_EXEC_MOD_2			(1 << 12)
#define AA_EXEC_MOD_3			(1 << 13)

#define AA_BASE_PERMS			(AA_MAY_EXEC | AA_MAY_WRITE | \
					 AA_MAY_READ | AA_MAY_APPEND | \
					 AA_MAY_LINK | AA_MAY_LOCK | \
					 AA_EXEC_PUX | AA_EXEC_MMAP | \
					 AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
					 AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)

#define AA_USER_SHIFT			0
#define AA_OTHER_SHIFT			14

#define AA_USER_PERMS			(AA_BASE_PERMS << AA_USER_SHIFT)
#define AA_OTHER_PERMS			(AA_BASE_PERMS << AA_OTHER_SHIFT)

#define AA_FILE_PERMS			(AA_USER_PERMS | AA_OTHER_PERMS )

#define AA_USER_PTRACE			(1 << 28)
#define AA_OTHER_PTRACE			(1 << 29)
#define AA_PTRACE_PERMS			(AA_USER_PTRACE | AA_OTHER_PTRACE)

/* Bits 30 and 31 sit above the two shifted permission halves (user at
 * AA_USER_SHIFT, other at AA_OTHER_SHIFT = 14, i.e. bits 0..27) and the
 * ptrace bits (28, 29), so they do not collide with either half. */
#define AA_CHANGE_HAT			(1 << 30)
/* NOTE(review): 1 << 31 overflows a 32-bit signed int, which C11 leaves
 * undefined (in practice compilers yield INT_MIN).  A 1U literal would
 * avoid that but changes the type of every expression built on it. */
#define AA_CHANGE_PROFILE		(1 << 31)
#define AA_SHARED_PERMS			(AA_CHANGE_HAT | AA_CHANGE_PROFILE)

#define AA_EXEC_MODIFIERS		(AA_EXEC_MOD_0 | AA_EXEC_MOD_1 | \
					 AA_EXEC_MOD_2 | AA_EXEC_MOD_3)
#define AA_EXEC_COUNT			16

#define AA_USER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_USER_SHIFT)
#define AA_OTHER_EXEC_MODIFIERS		(AA_EXEC_MODIFIERS << AA_OTHER_SHIFT)
#define AA_ALL_EXEC_MODIFIERS		(AA_USER_EXEC_MODIFIERS | \
					 AA_OTHER_EXEC_MODIFIERS)

#define AA_EXEC_TYPE			(AA_EXEC_UNSAFE | AA_EXEC_INHERIT | \
					 AA_EXEC_PUX | AA_EXEC_MODIFIERS)

#define AA_EXEC_UNCONFINED		(AA_EXEC_MOD_0)
#define AA_EXEC_PROFILE			(AA_EXEC_MOD_1)
#define AA_EXEC_LOCAL			(AA_EXEC_MOD_0 | AA_EXEC_MOD_1)

/* Mask of permission bits accepted as valid.
 * NOTE(review): AA_FILE_PERMS is already (AA_USER_PERMS | AA_OTHER_PERMS),
 * so the trailing AA_OTHER_PERMS adds nothing; AA_SHARED_PERMS (change_hat
 * and change_profile) is not part of this mask — confirm that is intended. */
#define AA_VALID_PERMS			(AA_FILE_PERMS | AA_PTRACE_PERMS | \
					 AA_OTHER_PERMS)

#define AA_USER_EXEC			(AA_MAY_EXEC << AA_USER_SHIFT)
#define AA_OTHER_EXEC			(AA_MAY_EXEC << AA_OTHER_SHIFT)

#define AA_EXEC_BITS			(AA_USER_EXEC | AA_OTHER_EXEC)

#define ALL_AA_EXEC_UNSAFE		((AA_EXEC_UNSAFE << AA_USER_SHIFT) | \
					 (AA_EXEC_UNSAFE << AA_OTHER_SHIFT))

#define AA_USER_EXEC_TYPE		(AA_EXEC_TYPE << AA_USER_SHIFT)
#define AA_OTHER_EXEC_TYPE		(AA_EXEC_TYPE << AA_OTHER_SHIFT)

#define ALL_AA_EXEC_TYPE		(AA_USER_EXEC_TYPE | AA_OTHER_EXEC_TYPE)

#define AA_LINK_BITS			((AA_MAY_LINK << AA_USER_SHIFT) | \
					 (AA_MAY_LINK << AA_OTHER_SHIFT))

#define SHIFT_MODE(MODE, SHIFT)		((((MODE) & AA_BASE_PERMS) << (SHIFT))\
					 | ((MODE) & ~AA_FILE_PERMS))
#define SHIFT_TO_BASE(MODE, SHIFT)	((((MODE) & AA_FILE_PERMS) >> (SHIFT))\
					 | ((MODE) & ~AA_FILE_PERMS))


#define AA_LINK_SUBSET_TEST		(AA_MAY_LINK << 1)
#define LINK_SUBSET_BITS	((AA_LINK_SUBSET_TEST << AA_USER_SHIFT) | \
				 (AA_LINK_SUBSET_TEST << AA_OTHER_SHIFT))
#define LINK_TO_LINK_SUBSET(X)		(((X) << 1) & AA_LINK_SUBSET_TEST)


/* Pack the audit and quiet masks into a single 28-bit field in the
 * format oq:oa:uq:ua
 */
#define PACK_AUDIT_CTL(audit, quiet)	(((audit) & 0x1fc07f) | \
					 (((quiet) & 0x1fc07f) << 7))

#define AA_HAT_SIZE	975	/* Maximum size of a subdomain
					 * ident (hat) */
#define AA_IP_TCP			0x0001
#define AA_IP_UDP			0x0002
#define AA_IP_RDP			0x0004
#define AA_IP_RAW			0x0008
#define AA_IPV6_TCP			0x0010
#define AA_IPV6_UDP			0x0020
#define AA_NETLINK			0x0040

/*
 * Pattern classification used by the rule parser.  The enumerators take
 * consecutive values from 0 in the order listed; ePatternInvalid is the
 * last and largest member.
 */
enum pattern_t {
	ePatternBasic = 0,
	ePatternTailGlob = 1,
	ePatternRegex = 2,
	ePatternInvalid = 3,
};

#define HAS_MAY_READ(mode)		((mode) & AA_MAY_READ)
#define HAS_MAY_WRITE(mode)		((mode) & AA_MAY_WRITE)
#define HAS_MAY_APPEND(mode)		((mode) & AA_MAY_APPEND)
#define HAS_MAY_EXEC(mode)		((mode) & AA_MAY_EXEC)
#define HAS_MAY_LINK(mode)		((mode) & AA_MAY_LINK)
#define HAS_MAY_LOCK(mode)		((mode) & AA_MAY_LOCK)
#define HAS_EXEC_MMAP(mode) 		((mode) & AA_EXEC_MMAP)

#define HAS_EXEC_UNSAFE(mode) 		((mode) & AA_EXEC_UNSAFE)
#define HAS_CHANGE_PROFILE(mode)	((mode) & AA_CHANGE_PROFILE)

#include <stdio.h>
/*
 * Check whether two permission modes can be merged without an exec-type
 * conflict.  The mode is examined in its two halves (user bits at
 * AA_USER_SHIFT, other bits at AA_OTHER_SHIFT): when both a and b grant
 * exec in a half, their exec-type bits for that half must be identical.
 *
 * Returns 1 when the modes are consistent, 0 when either half conflicts.
 */
static inline int is_merged_x_consistent(int a, int b)
{
	int both_user_x = (a & AA_USER_EXEC) && (b & AA_USER_EXEC);
	int both_other_x = (a & AA_OTHER_EXEC) && (b & AA_OTHER_EXEC);

	/* user half: both grant exec but disagree on the exec type */
	if (both_user_x &&
	    (a & AA_USER_EXEC_TYPE) != (b & AA_USER_EXEC_TYPE)) {
		return 0;
	}

	/* other half: same test on the other-shifted bits */
	if (both_other_x &&
	    (a & AA_OTHER_EXEC_TYPE) != (b & AA_OTHER_EXEC_TYPE)) {
		return 0;
	}

	return 1;
}

#endif				/* ! _IMMUNIX_H */