audit.c 7.8 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279
  1. // SPDX-License-Identifier: GPL-2.0
  2. /*
  3. * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
  4. */
  5. #include <linux/slab.h>
  6. #include <linux/audit.h>
  7. #include <linux/types.h>
  8. #include <crypto/sha2.h>
  9. #include "ipe.h"
  10. #include "eval.h"
  11. #include "hooks.h"
  12. #include "policy.h"
  13. #include "audit.h"
  14. #include "digest.h"
  15. #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
  16. #define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
  17. #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
  18. "policy_digest=" IPE_AUDIT_HASH_ALG ":"
  19. #define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\
  20. "policy_digest=?"
  21. #define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\
  22. "old_active_pol_version=%hu.%hu.%hu "\
  23. "old_policy_digest=" IPE_AUDIT_HASH_ALG ":"
  24. #define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\
  25. "old_active_pol_version=? "\
  26. "old_policy_digest=?"
  27. #define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\
  28. "new_active_pol_version=%hu.%hu.%hu "\
  29. "new_policy_digest=" IPE_AUDIT_HASH_ALG ":"
  30. static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
  31. "EXECUTE",
  32. "FIRMWARE",
  33. "KMODULE",
  34. "KEXEC_IMAGE",
  35. "KEXEC_INITRAMFS",
  36. "POLICY",
  37. "X509_CERT",
  38. "UNKNOWN",
  39. };
  40. static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
  41. "BPRM_CHECK",
  42. "BPRM_CREDS_FOR_EXEC",
  43. "MMAP",
  44. "MPROTECT",
  45. "KERNEL_READ",
  46. "KERNEL_LOAD",
  47. };
  48. static const char *const audit_prop_names[__IPE_PROP_MAX] = {
  49. "boot_verified=FALSE",
  50. "boot_verified=TRUE",
  51. "dmverity_roothash=",
  52. "dmverity_signature=FALSE",
  53. "dmverity_signature=TRUE",
  54. "fsverity_digest=",
  55. "fsverity_signature=FALSE",
  56. "fsverity_signature=TRUE",
  57. };
  58. /**
  59. * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property.
  60. * @ab: Supplies a pointer to the audit_buffer to append to.
  61. * @rh: Supplies a pointer to the digest structure.
  62. */
  63. static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
  64. {
  65. audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]);
  66. ipe_digest_audit(ab, rh);
  67. }
  68. /**
  69. * audit_fsv_digest() - audit the digest of a fsverity_digest property.
  70. * @ab: Supplies a pointer to the audit_buffer to append to.
  71. * @d: Supplies a pointer to the digest structure.
  72. */
  73. static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
  74. {
  75. audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
  76. ipe_digest_audit(ab, d);
  77. }
  78. /**
  79. * audit_rule() - audit an IPE policy rule.
  80. * @ab: Supplies a pointer to the audit_buffer to append to.
  81. * @r: Supplies a pointer to the ipe_rule to approximate a string form for.
  82. */
  83. static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
  84. {
  85. const struct ipe_prop *ptr;
  86. audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]);
  87. list_for_each_entry(ptr, &r->props, next) {
  88. switch (ptr->type) {
  89. case IPE_PROP_DMV_ROOTHASH:
  90. audit_dmv_roothash(ab, ptr->value);
  91. break;
  92. case IPE_PROP_FSV_DIGEST:
  93. audit_fsv_digest(ab, ptr->value);
  94. break;
  95. default:
  96. audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
  97. break;
  98. }
  99. audit_log_format(ab, " ");
  100. }
  101. audit_log_format(ab, "action=%s\"", ACTSTR(r->action));
  102. }
  103. /**
  104. * ipe_audit_match() - Audit a rule match in a policy evaluation.
  105. * @ctx: Supplies a pointer to the evaluation context that was used in the
  106. * evaluation.
  107. * @match_type: Supplies the scope of the match: rule, operation default,
  108. * global default.
  109. * @act: Supplies the IPE's evaluation decision, deny or allow.
  110. * @r: Supplies a pointer to the rule that was matched, if possible.
  111. */
  112. void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
  113. enum ipe_match match_type,
  114. enum ipe_action_type act, const struct ipe_rule *const r)
  115. {
  116. const char *op = audit_op_names[ctx->op];
  117. char comm[sizeof(current->comm)];
  118. struct audit_buffer *ab;
  119. struct inode *inode;
  120. if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit))
  121. return;
  122. ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
  123. AUDIT_IPE_ACCESS);
  124. if (!ab)
  125. return;
  126. audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=",
  127. op, audit_hook_names[ctx->hook], READ_ONCE(enforce),
  128. task_tgid_nr(current));
  129. audit_log_untrustedstring(ab, get_task_comm(comm, current));
  130. if (ctx->file) {
  131. audit_log_d_path(ab, " path=", &ctx->file->f_path);
  132. inode = file_inode(ctx->file);
  133. if (inode) {
  134. audit_log_format(ab, " dev=");
  135. audit_log_untrustedstring(ab, inode->i_sb->s_id);
  136. audit_log_format(ab, " ino=%lu", inode->i_ino);
  137. } else {
  138. audit_log_format(ab, " dev=? ino=?");
  139. }
  140. } else {
  141. audit_log_format(ab, " path=? dev=? ino=?");
  142. }
  143. if (match_type == IPE_MATCH_RULE)
  144. audit_rule(ab, r);
  145. else if (match_type == IPE_MATCH_TABLE)
  146. audit_log_format(ab, " rule=\"DEFAULT op=%s action=%s\"", op,
  147. ACTSTR(act));
  148. else
  149. audit_log_format(ab, " rule=\"DEFAULT action=%s\"",
  150. ACTSTR(act));
  151. audit_log_end(ab);
  152. }
  153. /**
  154. * audit_policy() - Audit a policy's name, version and thumbprint to @ab.
  155. * @ab: Supplies a pointer to the audit buffer to append to.
  156. * @audit_format: Supplies a pointer to the audit format string
  157. * @p: Supplies a pointer to the policy to audit.
  158. */
  159. static void audit_policy(struct audit_buffer *ab,
  160. const char *audit_format,
  161. const struct ipe_policy *const p)
  162. {
  163. u8 digest[SHA256_DIGEST_SIZE];
  164. sha256(p->pkcs7, p->pkcs7len, digest);
  165. audit_log_format(ab, audit_format, p->parsed->name,
  166. p->parsed->version.major, p->parsed->version.minor,
  167. p->parsed->version.rev);
  168. audit_log_n_hex(ab, digest, sizeof(digest));
  169. }
  170. /**
  171. * ipe_audit_policy_activation() - Audit a policy being activated.
  172. * @op: Supplies a pointer to the previously activated policy to audit.
  173. * @np: Supplies a pointer to the newly activated policy to audit.
  174. */
  175. void ipe_audit_policy_activation(const struct ipe_policy *const op,
  176. const struct ipe_policy *const np)
  177. {
  178. struct audit_buffer *ab;
  179. ab = audit_log_start(audit_context(), GFP_KERNEL,
  180. AUDIT_IPE_CONFIG_CHANGE);
  181. if (!ab)
  182. return;
  183. if (op) {
  184. audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, op);
  185. audit_log_format(ab, " ");
  186. } else {
  187. /*
  188. * old active policy can be NULL if there is no kernel
  189. * built-in policy
  190. */
  191. audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT);
  192. audit_log_format(ab, " ");
  193. }
  194. audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, np);
  195. audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
  196. from_kuid(&init_user_ns, audit_get_loginuid(current)),
  197. audit_get_sessionid(current));
  198. audit_log_end(ab);
  199. }
  200. /**
  201. * ipe_audit_policy_load() - Audit a policy loading event.
  202. * @p: Supplies a pointer to the policy to audit or an error pointer.
  203. */
  204. void ipe_audit_policy_load(const struct ipe_policy *const p)
  205. {
  206. struct audit_buffer *ab;
  207. int err = 0;
  208. ab = audit_log_start(audit_context(), GFP_KERNEL,
  209. AUDIT_IPE_POLICY_LOAD);
  210. if (!ab)
  211. return;
  212. if (!IS_ERR(p)) {
  213. audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p);
  214. } else {
  215. audit_log_format(ab, AUDIT_POLICY_LOAD_NULL_FMT);
  216. err = PTR_ERR(p);
  217. }
  218. audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=%d errno=%d",
  219. from_kuid(&init_user_ns, audit_get_loginuid(current)),
  220. audit_get_sessionid(current), !err, err);
  221. audit_log_end(ab);
  222. }
  223. /**
  224. * ipe_audit_enforce() - Audit a change in IPE's enforcement state.
  225. * @new_enforce: The new value enforce to be set.
  226. * @old_enforce: The old value currently in enforce.
  227. */
  228. void ipe_audit_enforce(bool new_enforce, bool old_enforce)
  229. {
  230. struct audit_buffer *ab;
  231. ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS);
  232. if (!ab)
  233. return;
  234. audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
  235. "enforcing=%d old_enforcing=%d auid=%u ses=%u"
  236. " enabled=1 old-enabled=1 lsm=ipe res=1",
  237. new_enforce, old_enforce,
  238. from_kuid(&init_user_ns, audit_get_loginuid(current)),
  239. audit_get_sessionid(current));
  240. audit_log_end(ab);
  241. }