Commit | Line | Data |
---|---|---|
67012e82 JJ |
1 | /* |
2 | * AppArmor security module | |
3 | * | |
4 | * This file contains AppArmor auditing functions | |
5 | * | |
6 | * Copyright (C) 1998-2008 Novell/SUSE | |
7 | * Copyright 2009-2010 Canonical Ltd. | |
8 | * | |
9 | * This program is free software; you can redistribute it and/or | |
10 | * modify it under the terms of the GNU General Public License as | |
11 | * published by the Free Software Foundation, version 2 of the | |
12 | * License. | |
13 | */ | |
14 | ||
15 | #include <linux/audit.h> | |
16 | #include <linux/socket.h> | |
17 | ||
18 | #include "include/apparmor.h" | |
19 | #include "include/audit.h" | |
20 | #include "include/policy.h" | |
21 | ||
22 | const char *op_table[] = { | |
23 | "null", | |
24 | ||
25 | "sysctl", | |
26 | "capable", | |
27 | ||
28 | "unlink", | |
29 | "mkdir", | |
30 | "rmdir", | |
31 | "mknod", | |
32 | "truncate", | |
33 | "link", | |
34 | "symlink", | |
35 | "rename_src", | |
36 | "rename_dest", | |
37 | "chmod", | |
38 | "chown", | |
39 | "getattr", | |
40 | "open", | |
41 | ||
42 | "file_perm", | |
43 | "file_lock", | |
44 | "file_mmap", | |
45 | "file_mprotect", | |
46 | ||
47 | "create", | |
48 | "post_create", | |
49 | "bind", | |
50 | "connect", | |
51 | "listen", | |
52 | "accept", | |
53 | "sendmsg", | |
54 | "recvmsg", | |
55 | "getsockname", | |
56 | "getpeername", | |
57 | "getsockopt", | |
58 | "setsockopt", | |
59 | "socket_shutdown", | |
60 | ||
61 | "ptrace", | |
62 | ||
63 | "exec", | |
64 | "change_hat", | |
65 | "change_profile", | |
66 | "change_onexec", | |
67 | ||
68 | "setprocattr", | |
69 | "setrlimit", | |
70 | ||
71 | "profile_replace", | |
72 | "profile_load", | |
73 | "profile_remove" | |
74 | }; | |
75 | ||
76 | const char *audit_mode_names[] = { | |
77 | "normal", | |
78 | "quiet_denied", | |
79 | "quiet", | |
80 | "noquiet", | |
81 | "all" | |
82 | }; | |
83 | ||
84 | static char *aa_audit_type[] = { | |
85 | "AUDIT", | |
86 | "ALLOWED", | |
87 | "DENIED", | |
88 | "HINT", | |
89 | "STATUS", | |
90 | "ERROR", | |
91 | "KILLED" | |
92 | }; | |
93 | ||
94 | /* | |
95 | * Currently AppArmor auditing is fed straight into the audit framework. | |
96 | * | |
97 | * TODO: | |
98 | * netlink interface for complain mode | |
99 | * user auditing, - send user auditing to netlink interface | |
100 | * system control of whether user audit messages go to system log | |
101 | */ | |
102 | ||
103 | /** | |
104 | * audit_base - core AppArmor function. | |
105 | * @ab: audit buffer to fill (NOT NULL) | |
106 | * @ca: audit structure containing data to audit (NOT NULL) | |
107 | * | |
108 | * Record common AppArmor audit data from @sa | |
109 | */ | |
110 | static void audit_pre(struct audit_buffer *ab, void *ca) | |
111 | { | |
112 | struct common_audit_data *sa = ca; | |
113 | struct task_struct *tsk = sa->tsk ? sa->tsk : current; | |
114 | ||
115 | if (aa_g_audit_header) { | |
116 | audit_log_format(ab, "apparmor="); | |
117 | audit_log_string(ab, aa_audit_type[sa->aad.type]); | |
118 | } | |
119 | ||
120 | if (sa->aad.op) { | |
121 | audit_log_format(ab, " operation="); | |
122 | audit_log_string(ab, op_table[sa->aad.op]); | |
123 | } | |
124 | ||
125 | if (sa->aad.info) { | |
126 | audit_log_format(ab, " info="); | |
127 | audit_log_string(ab, sa->aad.info); | |
128 | if (sa->aad.error) | |
129 | audit_log_format(ab, " error=%d", sa->aad.error); | |
130 | } | |
131 | ||
132 | if (sa->aad.profile) { | |
133 | struct aa_profile *profile = sa->aad.profile; | |
134 | pid_t pid; | |
135 | rcu_read_lock(); | |
136 | pid = tsk->real_parent->pid; | |
137 | rcu_read_unlock(); | |
138 | audit_log_format(ab, " parent=%d", pid); | |
139 | if (profile->ns != root_ns) { | |
140 | audit_log_format(ab, " namespace="); | |
141 | audit_log_untrustedstring(ab, profile->ns->base.hname); | |
142 | } | |
143 | audit_log_format(ab, " profile="); | |
144 | audit_log_untrustedstring(ab, profile->base.hname); | |
145 | } | |
146 | ||
147 | if (sa->aad.name) { | |
148 | audit_log_format(ab, " name="); | |
149 | audit_log_untrustedstring(ab, sa->aad.name); | |
150 | } | |
151 | } | |
152 | ||
153 | /** | |
154 | * aa_audit_msg - Log a message to the audit subsystem | |
155 | * @sa: audit event structure (NOT NULL) | |
156 | * @cb: optional callback fn for type specific fields (MAYBE NULL) | |
157 | */ | |
158 | void aa_audit_msg(int type, struct common_audit_data *sa, | |
159 | void (*cb) (struct audit_buffer *, void *)) | |
160 | { | |
161 | sa->aad.type = type; | |
162 | sa->lsm_pre_audit = audit_pre; | |
163 | sa->lsm_post_audit = cb; | |
164 | common_lsm_audit(sa); | |
165 | } | |
166 | ||
167 | /** | |
168 | * aa_audit - Log a profile based audit event to the audit subsystem | |
169 | * @type: audit type for the message | |
170 | * @profile: profile to check against (NOT NULL) | |
171 | * @gfp: allocation flags to use | |
172 | * @sa: audit event (NOT NULL) | |
173 | * @cb: optional callback fn for type specific fields (MAYBE NULL) | |
174 | * | |
175 | * Handle default message switching based off of audit mode flags | |
176 | * | |
177 | * Returns: error on failure | |
178 | */ | |
179 | int aa_audit(int type, struct aa_profile *profile, gfp_t gfp, | |
180 | struct common_audit_data *sa, | |
181 | void (*cb) (struct audit_buffer *, void *)) | |
182 | { | |
183 | BUG_ON(!profile); | |
184 | ||
185 | if (type == AUDIT_APPARMOR_AUTO) { | |
186 | if (likely(!sa->aad.error)) { | |
187 | if (AUDIT_MODE(profile) != AUDIT_ALL) | |
188 | return 0; | |
189 | type = AUDIT_APPARMOR_AUDIT; | |
190 | } else if (COMPLAIN_MODE(profile)) | |
191 | type = AUDIT_APPARMOR_ALLOWED; | |
192 | else | |
193 | type = AUDIT_APPARMOR_DENIED; | |
194 | } | |
195 | if (AUDIT_MODE(profile) == AUDIT_QUIET || | |
196 | (type == AUDIT_APPARMOR_DENIED && | |
197 | AUDIT_MODE(profile) == AUDIT_QUIET)) | |
198 | return sa->aad.error; | |
199 | ||
200 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) | |
201 | type = AUDIT_APPARMOR_KILL; | |
202 | ||
203 | if (!unconfined(profile)) | |
204 | sa->aad.profile = profile; | |
205 | ||
206 | aa_audit_msg(type, sa, cb); | |
207 | ||
208 | if (sa->aad.type == AUDIT_APPARMOR_KILL) | |
209 | (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current); | |
210 | ||
211 | if (sa->aad.type == AUDIT_APPARMOR_ALLOWED) | |
212 | return complain_error(sa->aad.error); | |
213 | ||
214 | return sa->aad.error; | |
215 | } |