/*
 *   Copyright (c) 2014
 *   Canonical, Ltd. (All rights reserved)
 *
 *   This program is free software; you can redistribute it and/or
 *   modify it under the terms of version 2 of the GNU General Public
 *   License published by the Free Software Foundation.
 *
 *   This program is distributed in the hope that it will be useful,
 *   but WITHOUT ANY WARRANTY; without even the implied warranty of
 *   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *   GNU General Public License for more details.
 *
 *   You should have received a copy of the GNU General Public License
 *   along with this program; if not, contact Novell, Inc. or Canonical
 *   Ltd.
 */

/*
 * Network rule support for the policy compiler: the permission bit
 * layout used for network rules, the address-family / socket-type /
 * protocol name tables, and the per-profile network permission arrays.
 *
 * NOTE(review): the guard macro and __debug_network() use identifiers
 * from the implementation-reserved namespace (leading double underscore);
 * they are kept here because other translation units reference them.
 * struct network below declares a constructor and a member function, so
 * this header requires a C++ compiler.
 */
#ifndef __AA_NETWORK_H
#define __AA_NETWORK_H

/* The system header names were lost when this page was extracted; the
 * eleven #include directives below are reproduced as they appear. */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include

#include "parser.h"
#include "rule.h"

/*
 * Network permission bits. The values are chosen to co-exist with the
 * file permission bits (see the "alias"/"overlaid" notes on individual
 * entries); the commented-out CHMOD/CHOWN/CHGRP/LOCK bits document that
 * overlay and are intentionally not defined here.
 */
#define AA_NET_WRITE		0x0002
#define AA_NET_SEND		AA_NET_WRITE	/* send is spelled as write */
#define AA_NET_READ		0x0004
#define AA_NET_RECEIVE		AA_NET_READ	/* receive is spelled as read */
#define AA_NET_CREATE		0x0010
#define AA_NET_SHUTDOWN		0x0020		/* alias delete */
#define AA_NET_CONNECT		0x0040		/* alias open */
#define AA_NET_SETATTR		0x0100
#define AA_NET_GETATTR		0x0200
//#define AA_NET_CHMOD		0x1000		/* pair */
//#define AA_NET_CHOWN		0x2000		/* pair */
//#define AA_NET_CHGRP		0x4000		/* pair */
//#define AA_NET_LOCK		0x8000		/* LINK_SUBSET overlaid */
#define AA_NET_ACCEPT		0x00100000
#define AA_NET_BIND		0x00200000
#define AA_NET_LISTEN		0x00400000
#define AA_NET_SETOPT		0x01000000
#define AA_NET_GETOPT		0x02000000
#define AA_CONT_MATCH		0x08000000	/* presumably "continue matching";
						 * not defined further on this page */

/* Every bit a network rule may legitimately carry. */
#define AA_VALID_NET_PERMS (AA_NET_SEND | AA_NET_RECEIVE | AA_NET_CREATE | \
			    AA_NET_SHUTDOWN | AA_NET_CONNECT | \
			    AA_NET_SETATTR | AA_NET_GETATTR | AA_NET_BIND | \
			    AA_NET_ACCEPT | AA_NET_LISTEN | AA_NET_SETOPT | \
			    AA_NET_GETOPT | AA_CONT_MATCH)

/* Permissions that apply to the local socket end (no peer involved). */
#define AA_LOCAL_NET_PERMS (AA_NET_CREATE | AA_NET_SHUTDOWN | AA_NET_SETATTR |\
			    AA_NET_GETATTR | AA_NET_BIND | AA_NET_ACCEPT | \
			    AA_NET_LISTEN | AA_NET_SETOPT | AA_NET_GETOPT)

/* Socket option permissions, both directions. */
#define AA_NET_OPT (AA_NET_SETOPT | AA_NET_GETOPT)

/* Local operations that are commands rather than attribute access. */
#define AA_LOCAL_NET_CMD (AA_NET_LISTEN | AA_NET_OPT)

/*
 * Permissions meaningful against a peer: the valid set minus the local-only
 * bits, with ACCEPT added back in (accepting a connection names a peer).
 */
#define AA_PEER_NET_PERMS (AA_VALID_NET_PERMS & (~AA_LOCAL_NET_PERMS | \
						  AA_NET_ACCEPT))

/*
 * One row of a name <-> value mapping table for socket families, types and
 * protocols. A table of these is searched by net_find_mapping().
 */
struct network_tuple {
	const char *family_name;
	unsigned int family;
	const char *type_name;
	unsigned int type;
	const char *protocol_name;
	unsigned int protocol;
};

/* supported AF protocols */
/*
 * One parsed network rule entry (family/type/protocol triple), chained into
 * a singly linked list through @next.
 */
struct aa_network_entry {
	unsigned int family;
	unsigned int type;
	unsigned int protocol;

	struct aa_network_entry *next;
};

/*
 * Parse a textual network mode into a permission mask stored through @mode.
 * The meaning of @fail and the return value are defined by the
 * implementation, which is not on this page — presumably @fail selects
 * whether an unrecognised mode is an error; confirm against network.cc.
 */
int parse_net_mode(const char *str_mode, int *mode, int fail);

/*
 * Allocate a new aa_network_entry for the given numeric triple.
 * Ownership of the returned entry passes to the caller (verify the
 * allocation/free convention in the implementation).
 */
extern struct aa_network_entry *new_network_ent(unsigned int family,
						unsigned int type,
						unsigned int protocol);

/*
 * Look up a network entry by its textual family/type/protocol names.
 * Return value on an unknown name is not visible on this page — check
 * callers before assuming non-NULL.
 */
extern struct aa_network_entry *network_entry(const char *family,
					      const char *type,
					      const char *protocol);

/* Number of address families the per-family permission arrays are sized for
 * (assumed from the "indexed by AF_FAMILY" comment on struct network). */
extern size_t get_af_max(void);

/* Debug helper: print the per-family permission array @array under @name. */
void __debug_network(unsigned int *array, const char *name);

/*
 * Per-profile network permissions. Each pointer is an array of per-family
 * permission masks (see AA_NET_* above), or NULL when no rules of that kind
 * were given — the constructor starts all four as NULL and dump() skips
 * NULL arrays.
 *
 * The struct does not free these arrays itself; ownership is managed by
 * whoever populates them (not visible on this page).
 */
struct network {
	unsigned int *allow;		/* array of type masks
					 * indexed by AF_FAMILY */
	unsigned int *audit;
	unsigned int *deny;
	unsigned int *quiet;

	/* Start with no permission arrays at all. */
	network(void) { allow = audit = deny = quiet = NULL; }

	/* Print every populated array, labelled by rule kind. */
	void dump(void) {
		if (allow)
			__debug_network(allow, "Network");
		if (audit)
			__debug_network(audit, "Audit Net");
		if (deny)
			__debug_network(deny, "Deny Net");
		if (quiet)
			__debug_network(quiet, "Quiet Net");
	}
};

/* Name <-> value lookups for socket types and address families. */
int net_find_type_val(const char *type);
const char *net_find_type_name(int type);
const char *net_find_af_name(unsigned int af);

/*
 * Search @map for the row matching the given textual family, type and
 * protocol names. How unmatched or NULL names are treated is decided by
 * the implementation, which is not on this page.
 */
const struct network_tuple *net_find_mapping(const struct network_tuple *map,
					     const char *family,
					     const char *type,
					     const char *protocol);

#endif /* __AA_NETWORK_H */