Revert "apparmor: add base infastructure for socket mediation"

This reverts commit 651e28c5.

This caused a regression:
 "The specific problem is that dnsmasq refuses to start on openSUSE Leap
  42.2.  The specific cause is that and attempt to open a PF_LOCAL socket
  gets EACCES.  This means that networking doesn't function on a system
  with a 4.14-rc2 system."

Sadly, the developers involved seemed to be in denial for several weeks
about this, delaying the revert.  This has not been a good release for
the security subsystem, and this area needs to change development
practices.
Reported-and-bisected-by: James Bottomley <James.Bottomley@hansenpartnership.com>
Tracked-by: Thorsten Leemhuis <regressions@leemhuis.info>
Cc: John Johansen <john.johansen@canonical.com>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Seth Arnold <seth.arnold@canonical.com>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

security/apparmor/.gitignore

 #
 # Generated include files
 #
-net_names.h
 capability_names.h
 rlim_names.h

security/apparmor/Makefile

@@ -4,44 +4,11 @@ obj-$(CONFIG_SECURITY_APPARMOR) += apparmor.o
 
 apparmor-y := apparmorfs.o audit.o capability.o context.o ipc.o lib.o match.o \
               path.o domain.o policy.o policy_unpack.o procattr.o lsm.o \
-              resource.o secid.o file.o policy_ns.o label.o mount.o net.o
+              resource.o secid.o file.o policy_ns.o label.o mount.o
 apparmor-$(CONFIG_SECURITY_APPARMOR_HASH) += crypto.o
 
-clean-files := capability_names.h rlim_names.h net_names.h
+clean-files := capability_names.h rlim_names.h
 
-# Build a lower case string table of address family names
-# Transform lines from
-#    #define AF_LOCAL		1	/* POSIX name for AF_UNIX	*/
-#    #define AF_INET		2	/* Internet IP Protocol 	*/
-# to
-#    [1] = "local",
-#    [2] = "inet",
-#
-# and build the securityfs entries for the mapping.
-# Transforms lines from
-#    #define AF_INET		2	/* Internet IP Protocol 	*/
-# to
-#    #define AA_SFS_AF_MASK "local inet"
-quiet_cmd_make-af = GEN     $@
-cmd_make-af = echo "static const char *address_family_names[] = {" > $@ ;\
-	sed $< >>$@ -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
-	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-	echo "};" >> $@ ;\
-	printf '%s' '\#define AA_SFS_AF_MASK "' >> $@ ;\
-	sed -r -n -e "/AF_MAX/d" -e "/AF_LOCAL/d" -e "/AF_ROUTE/d" -e \
-	 's/^\#define[ \t]+AF_([A-Z0-9_]+)[ \t]+([0-9]+)(.*)/\L\1/p'\
-	 $< | tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
-
-# Build a lower case string table of sock type names
-# Transform lines from
-#    SOCK_STREAM	= 1,
-# to
-#    [1] = "stream",
-quiet_cmd_make-sock = GEN     $@
-cmd_make-sock = echo "static const char *sock_type_names[] = {" >> $@ ;\
-	sed $^ >>$@ -r -n \
-	-e 's/^\tSOCK_([A-Z0-9_]+)[\t]+=[ \t]+([0-9]+)(.*)/[\2] = "\L\1",/p';\
-	echo "};" >> $@
 
 # Build a lower case string table of capability names
 # Transforms lines from
@@ -94,7 +61,6 @@ cmd_make-rlim = echo "static const char *const rlim_names[RLIM_NLIMITS] = {" \
 	    tr '\n' ' ' | sed -e 's/ $$/"\n/' >> $@
 
 $(obj)/capability.o : $(obj)/capability_names.h
-$(obj)/net.o : $(obj)/net_names.h
 $(obj)/resource.o : $(obj)/rlim_names.h
 $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
 			    $(src)/Makefile
@@ -102,8 +68,3 @@ $(obj)/capability_names.h : $(srctree)/include/uapi/linux/capability.h \
 $(obj)/rlim_names.h : $(srctree)/include/uapi/asm-generic/resource.h \
 		      $(src)/Makefile
 	$(call cmd,make-rlim)
-$(obj)/net_names.h : $(srctree)/include/linux/socket.h \
-		     $(srctree)/include/linux/net.h \
-		     $(src)/Makefile
-	$(call cmd,make-af)
-	$(call cmd,make-sock)

security/apparmor/apparmorfs.c

@@ -2202,7 +2202,6 @@ static struct aa_sfs_entry aa_sfs_entry_features[] = {
 	AA_SFS_DIR("policy",			aa_sfs_entry_policy),
 	AA_SFS_DIR("domain",			aa_sfs_entry_domain),
 	AA_SFS_DIR("file",			aa_sfs_entry_file),
-	AA_SFS_DIR("network",			aa_sfs_entry_network),
 	AA_SFS_DIR("mount",			aa_sfs_entry_mount),
 	AA_SFS_DIR("namespaces",		aa_sfs_entry_ns),
 	AA_SFS_FILE_U64("capability",		VFS_CAP_FLAGS_MASK),

security/apparmor/file.c

@@ -21,7 +21,6 @@
 #include "include/context.h"
 #include "include/file.h"
 #include "include/match.h"
-#include "include/net.h"
 #include "include/path.h"
 #include "include/policy.h"
 #include "include/label.h"
@@ -567,32 +566,6 @@ static int __file_path_perm(const char *op, struct aa_label *label,
 	return error;
 }
 
-static int __file_sock_perm(const char *op, struct aa_label *label,
-			    struct aa_label *flabel, struct file *file,
-			    u32 request, u32 denied)
-{
-	struct socket *sock = (struct socket *) file->private_data;
-	int error;
-
-	AA_BUG(!sock);
-
-	/* revalidation due to label out of date. No revocation at this time */
-	if (!denied && aa_label_is_subset(flabel, label))
-		return 0;
-
-	/* TODO: improve to skip profiles cached in flabel */
-	error = aa_sock_file_perm(label, op, request, sock);
-	if (denied) {
-		/* TODO: improve to skip profiles checked above */
-		/* check every profile in file label to is cached */
-		last_error(error, aa_sock_file_perm(flabel, op, request, sock));
-	}
-	if (!error)
-		update_file_ctx(file_ctx(file), label, request);
-
-	return error;
-}
-
 /**
  * aa_file_perm - do permission revalidation check & audit for @file
  * @op: operation being checked
@@ -637,9 +610,6 @@ int aa_file_perm(const char *op, struct aa_label *label, struct file *file,
 		error = __file_path_perm(op, label, flabel, file, request,
 					 denied);
 
-	else if (S_ISSOCK(file_inode(file)->i_mode))
-		error = __file_sock_perm(op, label, flabel, file, request,
-					 denied);
 done:
 	rcu_read_unlock();
 

security/apparmor/include/audit.h

@@ -121,29 +121,21 @@ struct apparmor_audit_data {
 		/* these entries require a custom callback fn */
 		struct {
 			struct aa_label *peer;
-			union {
-				struct {
-					kuid_t ouid;
-					const char *target;
-				} fs;
-				struct {
-					int type, protocol;
-					struct sock *peer_sk;
-					void *addr;
-					int addrlen;
-				} net;
-				int signal;
-				struct {
-					int rlim;
-					unsigned long max;
-				} rlim;
-			};
+			struct {
+				const char *target;
+				kuid_t ouid;
+			} fs;
 		};
 		struct {
 			struct aa_profile *profile;
 			const char *ns;
 			long pos;
 		} iface;
+		int signal;
+		struct {
+			int rlim;
+			unsigned long max;
+		} rlim;
 		struct {
 			const char *src_name;
 			const char *type;

security/apparmor/include/net.h

-/*
- * AppArmor security module
- *
- * This file contains AppArmor network mediation definitions.
- *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2017 Canonical Ltd.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- */
-
-#ifndef __AA_NET_H
-#define __AA_NET_H
-
-#include <net/sock.h>
-#include <linux/path.h>
-
-#include "apparmorfs.h"
-#include "label.h"
-#include "perms.h"
-#include "policy.h"
-
-#define AA_MAY_SEND		AA_MAY_WRITE
-#define AA_MAY_RECEIVE		AA_MAY_READ
-
-#define AA_MAY_SHUTDOWN		AA_MAY_DELETE
-
-#define AA_MAY_CONNECT		AA_MAY_OPEN
-#define AA_MAY_ACCEPT		0x00100000
-
-#define AA_MAY_BIND		0x00200000
-#define AA_MAY_LISTEN		0x00400000
-
-#define AA_MAY_SETOPT		0x01000000
-#define AA_MAY_GETOPT		0x02000000
-
-#define NET_PERMS_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |    \
-			AA_MAY_SHUTDOWN | AA_MAY_BIND | AA_MAY_LISTEN |	  \
-			AA_MAY_CONNECT | AA_MAY_ACCEPT | AA_MAY_SETATTR | \
-			AA_MAY_GETATTR | AA_MAY_SETOPT | AA_MAY_GETOPT)
-
-#define NET_FS_PERMS (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CREATE |	\
-		      AA_MAY_SHUTDOWN | AA_MAY_CONNECT | AA_MAY_RENAME |\
-		      AA_MAY_SETATTR | AA_MAY_GETATTR | AA_MAY_CHMOD |	\
-		      AA_MAY_CHOWN | AA_MAY_CHGRP | AA_MAY_LOCK |	\
-		      AA_MAY_MPROT)
-
-#define NET_PEER_MASK (AA_MAY_SEND | AA_MAY_RECEIVE | AA_MAY_CONNECT |	\
-		       AA_MAY_ACCEPT)
-struct aa_sk_ctx {
-	struct aa_label *label;
-	struct aa_label *peer;
-	struct path path;
-};
-
-#define SK_CTX(X) ((X)->sk_security)
-#define SOCK_ctx(X) SOCK_INODE(X)->i_security
-#define DEFINE_AUDIT_NET(NAME, OP, SK, F, T, P)				  \
-	struct lsm_network_audit NAME ## _net = { .sk = (SK),		  \
-						  .family = (F)};	  \
-	DEFINE_AUDIT_DATA(NAME,						  \
-			  ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
-						     LSM_AUDIT_DATA_NONE, \
-			  OP);						  \
-	NAME.u.net = &(NAME ## _net);					  \
-	aad(&NAME)->net.type = (T);					  \
-	aad(&NAME)->net.protocol = (P)
-
-#define DEFINE_AUDIT_SK(NAME, OP, SK)					\
-	DEFINE_AUDIT_NET(NAME, OP, SK, (SK)->sk_family, (SK)->sk_type,	\
-			 (SK)->sk_protocol)
-
-/* struct aa_net - network confinement data
- * @allow: basic network families permissions
- * @audit: which network permissions to force audit
- * @quiet: which network permissions to quiet rejects
- */
-struct aa_net {
-	u16 allow[AF_MAX];
-	u16 audit[AF_MAX];
-	u16 quiet[AF_MAX];
-};
-
-
-extern struct aa_sfs_entry aa_sfs_entry_network[];
-
-void audit_net_cb(struct audit_buffer *ab, void *va);
-int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
-		       u32 request, u16 family, int type);
-int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
-	       int type, int protocol);
-static inline int aa_profile_af_sk_perm(struct aa_profile *profile,
-					struct common_audit_data *sa,
-					u32 request,
-					struct sock *sk)
-{
-	return aa_profile_af_perm(profile, sa, request, sk->sk_family,
-				  sk->sk_type);
-}
-int aa_sk_perm(const char *op, u32 request, struct sock *sk);
-
-int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
-		      struct socket *sock);
-
-
-static inline void aa_free_net_rules(struct aa_net *new)
-{
-	/* NOP */
-}
-
-#endif /* __AA_NET_H */

security/apparmor/include/perms.h

@@ -135,10 +135,9 @@ extern struct aa_perms allperms;
 
 
 void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask);
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-			 u32 mask);
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask);
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-			u32 chrsmask, const char * const *names, u32 namesmask);
+			u32 chrsmask, const char **names, u32 namesmask);
 void aa_apply_modes_to_perms(struct aa_profile *profile,
 			     struct aa_perms *perms);
 void aa_compute_perms(struct aa_dfa *dfa, unsigned int state,

security/apparmor/include/policy.h

@@ -30,7 +30,6 @@
 #include "file.h"
 #include "lib.h"
 #include "label.h"
-#include "net.h"
 #include "perms.h"
 #include "resource.h"
 
@@ -112,7 +111,6 @@ struct aa_data {
  * @policy: general match rules governing policy
  * @file: The set of rules governing basic file access and domain transitions
  * @caps: capabilities for the profile
- * @net: network controls for the profile
  * @rlimits: rlimits for the profile
  *
  * @dents: dentries for the profiles file entries in apparmorfs
@@ -150,7 +148,6 @@ struct aa_profile {
 	struct aa_policydb policy;
 	struct aa_file_rules file;
 	struct aa_caps caps;
-	struct aa_net net;
 	struct aa_rlimit rlimits;
 
 	struct aa_loaddata *rawdata;
@@ -223,16 +220,6 @@ static inline unsigned int PROFILE_MEDIATES_SAFE(struct aa_profile *profile,
 	return 0;
 }
 
-static inline unsigned int PROFILE_MEDIATES_AF(struct aa_profile *profile,
-					       u16 AF) {
-	unsigned int state = PROFILE_MEDIATES(profile, AA_CLASS_NET);
-	u16 be_af = cpu_to_be16(AF);
-
-	if (!state)
-		return 0;
-	return aa_dfa_match_len(profile->policy.dfa, state, (char *) &be_af, 2);
-}
-
 /**
  * aa_get_profile - increment refcount on profile @p
  * @p: profile  (MAYBE NULL)

security/apparmor/lib.c

@@ -211,8 +211,7 @@ void aa_perm_mask_to_str(char *str, const char *chrs, u32 mask)
 	*str = '\0';
 }
 
-void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
-			 u32 mask)
+void aa_audit_perm_names(struct audit_buffer *ab, const char **names, u32 mask)
 {
 	const char *fmt = "%s";
 	unsigned int i, perm = 1;
@@ -230,7 +229,7 @@ void aa_audit_perm_names(struct audit_buffer *ab, const char * const *names,
 }
 
 void aa_audit_perm_mask(struct audit_buffer *ab, u32 mask, const char *chrs,
-			u32 chrsmask, const char * const *names, u32 namesmask)
+			u32 chrsmask, const char **names, u32 namesmask)
 {
 	char str[33];
 

security/apparmor/net.c

-/*
- * AppArmor security module
- *
- * This file contains AppArmor network mediation
- *
- * Copyright (C) 1998-2008 Novell/SUSE
- * Copyright 2009-2017 Canonical Ltd.
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License as
- * published by the Free Software Foundation, version 2 of the
- * License.
- */
-
-#include "include/apparmor.h"
-#include "include/audit.h"
-#include "include/context.h"
-#include "include/label.h"
-#include "include/net.h"
-#include "include/policy.h"
-
-#include "net_names.h"
-
-
-struct aa_sfs_entry aa_sfs_entry_network[] = {
-	AA_SFS_FILE_STRING("af_mask",	AA_SFS_AF_MASK),
-	{ }
-};
-
-static const char * const net_mask_names[] = {
-	"unknown",
-	"send",
-	"receive",
-	"unknown",
-
-	"create",
-	"shutdown",
-	"connect",
-	"unknown",
-
-	"setattr",
-	"getattr",
-	"setcred",
-	"getcred",
-
-	"chmod",
-	"chown",
-	"chgrp",
-	"lock",
-
-	"mmap",
-	"mprot",
-	"unknown",
-	"unknown",
-
-	"accept",
-	"bind",
-	"listen",
-	"unknown",
-
-	"setopt",
-	"getopt",
-	"unknown",
-	"unknown",
-
-	"unknown",
-	"unknown",
-	"unknown",
-	"unknown",
-};
-
-
-/* audit callback for net specific fields */
-void audit_net_cb(struct audit_buffer *ab, void *va)
-{
-	struct common_audit_data *sa = va;
-
-	audit_log_format(ab, " family=");
-	if (address_family_names[sa->u.net->family])
-		audit_log_string(ab, address_family_names[sa->u.net->family]);
-	else
-		audit_log_format(ab, "\"unknown(%d)\"", sa->u.net->family);
-	audit_log_format(ab, " sock_type=");
-	if (sock_type_names[aad(sa)->net.type])
-		audit_log_string(ab, sock_type_names[aad(sa)->net.type]);
-	else
-		audit_log_format(ab, "\"unknown(%d)\"", aad(sa)->net.type);
-	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);
-
-	if (aad(sa)->request & NET_PERMS_MASK) {
-		audit_log_format(ab, " requested_mask=");
-		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
-				   net_mask_names, NET_PERMS_MASK);
-
-		if (aad(sa)->denied & NET_PERMS_MASK) {
-			audit_log_format(ab, " denied_mask=");
-			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
-					   net_mask_names, NET_PERMS_MASK);
-		}
-	}
-	if (aad(sa)->peer) {
-		audit_log_format(ab, " peer=");
-		aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
-				FLAGS_NONE, GFP_ATOMIC);
-	}
-}
-
-
-/* Generic af perm */
-int aa_profile_af_perm(struct aa_profile *profile, struct common_audit_data *sa,
-		       u32 request, u16 family, int type)
-{
-	struct aa_perms perms = { };
-
-	AA_BUG(family >= AF_MAX);
-	AA_BUG(type < 0 || type >= SOCK_MAX);
-
-	if (profile_unconfined(profile))
-		return 0;
-
-	perms.allow = (profile->net.allow[family] & (1 << type)) ?
-		ALL_PERMS_MASK : 0;
-	perms.audit = (profile->net.audit[family] & (1 << type)) ?
-		ALL_PERMS_MASK : 0;
-	perms.quiet = (profile->net.quiet[family] & (1 << type)) ?
-		ALL_PERMS_MASK : 0;
-	aa_apply_modes_to_perms(profile, &perms);
-
-	return aa_check_perms(profile, &perms, request, sa, audit_net_cb);
-}
-
-int aa_af_perm(struct aa_label *label, const char *op, u32 request, u16 family,
-	       int type, int protocol)
-{
-	struct aa_profile *profile;
-	DEFINE_AUDIT_NET(sa, op, NULL, family, type, protocol);
-
-	return fn_for_each_confined(label, profile,
-			aa_profile_af_perm(profile, &sa, request, family,
-					   type));
-}
-
-static int aa_label_sk_perm(struct aa_label *label, const char *op, u32 request,
-			    struct sock *sk)
-{
-	struct aa_profile *profile;
-	DEFINE_AUDIT_SK(sa, op, sk);
-
-	AA_BUG(!label);
-	AA_BUG(!sk);
-
-	if (unconfined(label))
-		return 0;
-
-	return fn_for_each_confined(label, profile,
-			aa_profile_af_sk_perm(profile, &sa, request, sk));
-}
-
-int aa_sk_perm(const char *op, u32 request, struct sock *sk)
-{
-	struct aa_label *label;
-	int error;
-
-	AA_BUG(!sk);
-	AA_BUG(in_interrupt());
-
-	/* TODO: switch to begin_current_label ???? */
-	label = begin_current_label_crit_section();
-	error = aa_label_sk_perm(label, op, request, sk);
-	end_current_label_crit_section(label);
-
-	return error;
-}
-
-
-int aa_sock_file_perm(struct aa_label *label, const char *op, u32 request,
-		      struct socket *sock)
-{
-	AA_BUG(!label);
-	AA_BUG(!sock);
-	AA_BUG(!sock->sk);
-
-	return aa_label_sk_perm(label, op, request, sock->sk);
-}

security/apparmor/policy_unpack.c

@@ -275,19 +275,6 @@ static bool unpack_nameX(struct aa_ext *e, enum aa_code code, const char *name)
 	return 0;
 }
 
-static bool unpack_u16(struct aa_ext *e, u16 *data, const char *name)
-{
-	if (unpack_nameX(e, AA_U16, name)) {
-		if (!inbounds(e, sizeof(u16)))
-			return 0;
-		if (data)
-			*data = le16_to_cpu(get_unaligned((__le16 *) e->pos));
-		e->pos += sizeof(u16);
-		return 1;
-	}
-	return 0;
-}
-
 static bool unpack_u32(struct aa_ext *e, u32 *data, const char *name)
 {
 	if (unpack_nameX(e, AA_U32, name)) {
@@ -597,7 +584,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 	struct aa_profile *profile = NULL;
 	const char *tmpname, *tmpns = NULL, *name = NULL;
 	const char *info = "failed to unpack profile";
-	size_t size = 0, ns_len;
+	size_t ns_len;
 	struct rhashtable_params params = { 0 };
 	char *key = NULL;
 	struct aa_data *data;
@@ -730,38 +717,6 @@ static struct aa_profile *unpack_profile(struct aa_ext *e, char **ns_name)
 		goto fail;
 	}
 
-	size = unpack_array(e, "net_allowed_af");
-	if (size) {
-
-		for (i = 0; i < size; i++) {
-			/* discard extraneous rules that this kernel will
-			 * never request
-			 */
-			if (i >= AF_MAX) {
-				u16 tmp;
-
-				if (!unpack_u16(e, &tmp, NULL) ||
-				    !unpack_u16(e, &tmp, NULL) ||
-				    !unpack_u16(e, &tmp, NULL))
-					goto fail;
-				continue;
-			}
-			if (!unpack_u16(e, &profile->net.allow[i], NULL))
-				goto fail;
-			if (!unpack_u16(e, &profile->net.audit[i], NULL))
-				goto fail;
-			if (!unpack_u16(e, &profile->net.quiet[i], NULL))
-				goto fail;
-		}
-		if (!unpack_nameX(e, AA_ARRAYEND, NULL))
-			goto fail;
-	}
-	if (VERSION_LT(e->version, v7)) {
-		/* pre v7 policy always allowed these */
-		profile->net.allow[AF_UNIX] = 0xffff;
-		profile->net.allow[AF_NETLINK] = 0xffff;
-	}
-
 	if (unpack_nameX(e, AA_STRUCT, "policydb")) {
 		/* generic policy dfa - optional and may be NULL */
 		info = "failed to unpack policydb";