audit.c 5.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291
  1. // SPDX-License-Identifier: GPL-2.0-only
  2. /*
  3. * AppArmor security module
  4. *
  5. * This file contains AppArmor auditing functions
  6. *
  7. * Copyright (C) 1998-2008 Novell/SUSE
  8. * Copyright 2009-2010 Canonical Ltd.
  9. */
  10. #include <linux/audit.h>
  11. #include <linux/socket.h>
  12. #include "include/apparmor.h"
  13. #include "include/audit.h"
  14. #include "include/policy.h"
  15. #include "include/policy_ns.h"
  16. #include "include/secid.h"
  17. const char *const audit_mode_names[] = {
  18. "normal",
  19. "quiet_denied",
  20. "quiet",
  21. "noquiet",
  22. "all"
  23. };
  24. static const char *const aa_audit_type[] = {
  25. "AUDIT",
  26. "ALLOWED",
  27. "DENIED",
  28. "HINT",
  29. "STATUS",
  30. "ERROR",
  31. "KILLED",
  32. "AUTO"
  33. };
  34. static const char *const aa_class_names[] = {
  35. "none",
  36. "unknown",
  37. "file",
  38. "cap",
  39. "net",
  40. "rlimits",
  41. "domain",
  42. "mount",
  43. "unknown",
  44. "ptrace",
  45. "signal",
  46. "xmatch",
  47. "unknown",
  48. "unknown",
  49. "net",
  50. "unknown",
  51. "label",
  52. "posix_mqueue",
  53. "io_uring",
  54. "module",
  55. "lsm",
  56. "namespace",
  57. "io_uring",
  58. "unknown",
  59. "unknown",
  60. "unknown",
  61. "unknown",
  62. "unknown",
  63. "unknown",
  64. "unknown",
  65. "unknown",
  66. "X",
  67. "dbus",
  68. };
  69. /*
  70. * Currently AppArmor auditing is fed straight into the audit framework.
  71. *
  72. * TODO:
  73. * netlink interface for complain mode
  74. * user auditing, - send user auditing to netlink interface
  75. * system control of whether user audit messages go to system log
  76. */
  77. /**
  78. * audit_pre() - core AppArmor function.
  79. * @ab: audit buffer to fill (NOT NULL)
  80. * @va: audit structure containing data to audit (NOT NULL)
  81. *
  82. * Record common AppArmor audit data from @va
  83. */
  84. static void audit_pre(struct audit_buffer *ab, void *va)
  85. {
  86. struct apparmor_audit_data *ad = aad_of_va(va);
  87. if (aa_g_audit_header) {
  88. audit_log_format(ab, "apparmor=\"%s\"",
  89. aa_audit_type[ad->type]);
  90. }
  91. if (ad->op)
  92. audit_log_format(ab, " operation=\"%s\"", ad->op);
  93. if (ad->class)
  94. audit_log_format(ab, " class=\"%s\"",
  95. ad->class <= AA_CLASS_LAST ?
  96. aa_class_names[ad->class] :
  97. "unknown");
  98. if (ad->info) {
  99. audit_log_format(ab, " info=\"%s\"", ad->info);
  100. if (ad->error)
  101. audit_log_format(ab, " error=%d", ad->error);
  102. }
  103. if (ad->subj_label) {
  104. struct aa_label *label = ad->subj_label;
  105. if (label_isprofile(label)) {
  106. struct aa_profile *profile = labels_profile(label);
  107. if (profile->ns != root_ns) {
  108. audit_log_format(ab, " namespace=");
  109. audit_log_untrustedstring(ab,
  110. profile->ns->base.hname);
  111. }
  112. audit_log_format(ab, " profile=");
  113. audit_log_untrustedstring(ab, profile->base.hname);
  114. } else {
  115. audit_log_format(ab, " label=");
  116. aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
  117. GFP_ATOMIC);
  118. }
  119. }
  120. if (ad->name) {
  121. audit_log_format(ab, " name=");
  122. audit_log_untrustedstring(ab, ad->name);
  123. }
  124. }
  125. /**
  126. * aa_audit_msg - Log a message to the audit subsystem
  127. * @type: audit type for the message
  128. * @ad: audit event structure (NOT NULL)
  129. * @cb: optional callback fn for type specific fields (MAYBE NULL)
  130. */
  131. void aa_audit_msg(int type, struct apparmor_audit_data *ad,
  132. void (*cb) (struct audit_buffer *, void *))
  133. {
  134. ad->type = type;
  135. common_lsm_audit(&ad->common, audit_pre, cb);
  136. }
  137. /**
  138. * aa_audit - Log a profile based audit event to the audit subsystem
  139. * @type: audit type for the message
  140. * @profile: profile to check against (NOT NULL)
  141. * @ad: audit event (NOT NULL)
  142. * @cb: optional callback fn for type specific fields (MAYBE NULL)
  143. *
  144. * Handle default message switching based off of audit mode flags
  145. *
  146. * Returns: error on failure
  147. */
  148. int aa_audit(int type, struct aa_profile *profile,
  149. struct apparmor_audit_data *ad,
  150. void (*cb) (struct audit_buffer *, void *))
  151. {
  152. AA_BUG(!profile);
  153. if (type == AUDIT_APPARMOR_AUTO) {
  154. if (likely(!ad->error)) {
  155. if (AUDIT_MODE(profile) != AUDIT_ALL)
  156. return 0;
  157. type = AUDIT_APPARMOR_AUDIT;
  158. } else if (COMPLAIN_MODE(profile))
  159. type = AUDIT_APPARMOR_ALLOWED;
  160. else
  161. type = AUDIT_APPARMOR_DENIED;
  162. }
  163. if (AUDIT_MODE(profile) == AUDIT_QUIET ||
  164. (type == AUDIT_APPARMOR_DENIED &&
  165. AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
  166. return ad->error;
  167. if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
  168. type = AUDIT_APPARMOR_KILL;
  169. ad->subj_label = &profile->label;
  170. aa_audit_msg(type, ad, cb);
  171. if (ad->type == AUDIT_APPARMOR_KILL)
  172. (void)send_sig_info(profile->signal, NULL,
  173. ad->common.type == LSM_AUDIT_DATA_TASK &&
  174. ad->common.u.tsk ? ad->common.u.tsk : current);
  175. if (ad->type == AUDIT_APPARMOR_ALLOWED)
  176. return complain_error(ad->error);
  177. return ad->error;
  178. }
  179. struct aa_audit_rule {
  180. struct aa_label *label;
  181. };
  182. void aa_audit_rule_free(void *vrule)
  183. {
  184. struct aa_audit_rule *rule = vrule;
  185. if (rule) {
  186. if (!IS_ERR(rule->label))
  187. aa_put_label(rule->label);
  188. kfree(rule);
  189. }
  190. }
  191. int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp)
  192. {
  193. struct aa_audit_rule *rule;
  194. switch (field) {
  195. case AUDIT_SUBJ_ROLE:
  196. if (op != Audit_equal && op != Audit_not_equal)
  197. return -EINVAL;
  198. break;
  199. default:
  200. return -EINVAL;
  201. }
  202. rule = kzalloc_obj(struct aa_audit_rule, gfp);
  203. if (!rule)
  204. return -ENOMEM;
  205. /* Currently rules are treated as coming from the root ns */
  206. rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
  207. gfp, true, false);
  208. if (IS_ERR(rule->label)) {
  209. int err = PTR_ERR(rule->label);
  210. aa_audit_rule_free(rule);
  211. return err;
  212. }
  213. *vrule = rule;
  214. return 0;
  215. }
  216. int aa_audit_rule_known(struct audit_krule *rule)
  217. {
  218. int i;
  219. for (i = 0; i < rule->field_count; i++) {
  220. struct audit_field *f = &rule->fields[i];
  221. switch (f->type) {
  222. case AUDIT_SUBJ_ROLE:
  223. return 1;
  224. }
  225. }
  226. return 0;
  227. }
  228. int aa_audit_rule_match(struct lsm_prop *prop, u32 field, u32 op, void *vrule)
  229. {
  230. struct aa_audit_rule *rule = vrule;
  231. struct aa_label *label;
  232. int found = 0;
  233. label = prop->apparmor.label;
  234. if (!label)
  235. return -ENOENT;
  236. if (aa_label_is_subset(label, rule->label))
  237. found = 1;
  238. switch (field) {
  239. case AUDIT_SUBJ_ROLE:
  240. switch (op) {
  241. case Audit_equal:
  242. return found;
  243. case Audit_not_equal:
  244. return !found;
  245. }
  246. }
  247. return 0;
  248. }