[linux-block.git] / security / apparmor / audit.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include <linux/audit.h>
#include <linux/socket.h>

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/secid.h"

const char *const audit_mode_names[] = {
	"normal",
	"quiet_denied",
	"quiet",
	"noquiet",
	"all"
};

static const char *const aa_audit_type[] = {
	"AUDIT",
	"ALLOWED",
	"DENIED",
	"HINT",
	"STATUS",
	"ERROR",
	"KILLED",
	"AUTO"
};

/*
 * Currently AppArmor auditing is fed straight into the audit framework.
 *
 * TODO:
 * netlink interface for complain mode
 * user auditing, - send user auditing to netlink interface
 * system control of whether user audit messages go to system log
 */

/**
 * audit_base - core AppArmor function.
 * @ab: audit buffer to fill (NOT NULL)
 * @ca: audit structure containing data to audit (NOT NULL)
 *
 * Record common AppArmor audit data from @sa
 */
static void audit_pre(struct audit_buffer *ab, void *ca)
{
	struct common_audit_data *sa = ca;

	if (aa_g_audit_header) {
		audit_log_format(ab, "apparmor=\"%s\"",
				 aa_audit_type[aad(sa)->type]);
	}

	if (aad(sa)->op) {
		audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
	}

	if (aad(sa)->info) {
		audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
		if (aad(sa)->error)
			audit_log_format(ab, " error=%d", aad(sa)->error);
	}

	if (aad(sa)->label) {
		struct aa_label *label = aad(sa)->label;

		if (label_isprofile(label)) {
			struct aa_profile *profile = labels_profile(label);

			if (profile->ns != root_ns) {
				audit_log_format(ab, " namespace=");
				audit_log_untrustedstring(ab,
						       profile->ns->base.hname);
			}
			audit_log_format(ab, " profile=");
			audit_log_untrustedstring(ab, profile->base.hname);
		} else {
			audit_log_format(ab, " label=");
			aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
					GFP_ATOMIC);
		}
	}

	if (aad(sa)->name) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, aad(sa)->name);
	}
}

/**
 * aa_audit_msg - Log a message to the audit subsystem
 * @sa: audit event structure (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *))
{
	aad(sa)->type = type;
	common_lsm_audit(sa, audit_pre, cb);
}

/**
 * aa_audit - Log a profile based audit event to the audit subsystem
 * @type: audit type for the message
 * @profile: profile to check against (NOT NULL)
 * @sa: audit event (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Handle default message switching based off of audit mode flags
 *
 * Returns: error on failure
 */
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *))
{
	AA_BUG(!profile);

	if (type == AUDIT_APPARMOR_AUTO) {
		if (likely(!aad(sa)->error)) {
			if (AUDIT_MODE(profile) != AUDIT_ALL)
				return 0;
			type = AUDIT_APPARMOR_AUDIT;
		} else if (COMPLAIN_MODE(profile))
			type = AUDIT_APPARMOR_ALLOWED;
		else
			type = AUDIT_APPARMOR_DENIED;
	}
	if (AUDIT_MODE(profile) == AUDIT_QUIET ||
	    (type == AUDIT_APPARMOR_DENIED &&
	     AUDIT_MODE(profile) == AUDIT_QUIET))
		return aad(sa)->error;

	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
		type = AUDIT_APPARMOR_KILL;

	aad(sa)->label = &profile->label;

	aa_audit_msg(type, sa, cb);

	if (aad(sa)->type == AUDIT_APPARMOR_KILL)
		(void)send_sig_info(SIGKILL, NULL,
			sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
				    sa->u.tsk : current);

	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
		return complain_error(aad(sa)->error);

	return aad(sa)->error;
}

struct aa_audit_rule {
	struct aa_label *label;
};

void aa_audit_rule_free(void *vrule)
{
	struct aa_audit_rule *rule = vrule;

	if (rule) {
		if (!IS_ERR(rule->label))
			aa_put_label(rule->label);
		kfree(rule);
	}
}

int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
	struct aa_audit_rule *rule;

	switch (field) {
	case AUDIT_SUBJ_ROLE:
		if (op != Audit_equal && op != Audit_not_equal)
			return -EINVAL;
		break;
	default:
		return -EINVAL;
	}

	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);

	if (!rule)
		return -ENOMEM;

	/* Currently rules are treated as coming from the root ns */
	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
				     GFP_KERNEL, true, false);
	if (IS_ERR(rule->label)) {
		int err = PTR_ERR(rule->label);
		aa_audit_rule_free(rule);
		return err;
	}

	*vrule = rule;
	return 0;
}

int aa_audit_rule_known(struct audit_krule *rule)
{
	int i;

	for (i = 0; i < rule->field_count; i++) {
		struct audit_field *f = &rule->fields[i];

		switch (f->type) {
		case AUDIT_SUBJ_ROLE:
			return 1;
		}
	}

	return 0;
}

int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
{
	struct aa_audit_rule *rule = vrule;
	struct aa_label *label;
	int found = 0;

	label = aa_secid_to_label(sid);

	if (!label)
		return -ENOENT;

	if (aa_label_is_subset(label, rule->label))
		found = 1;

	switch (field) {
	case AUDIT_SUBJ_ROLE:
		switch (op) {
		case Audit_equal:
			return found;
		case Audit_not_equal:
			return !found;
		}
	}
	return 0;
}
Commit	Line	Data
b886d83c	1	// SPDX-License-Identifier: GPL-2.0-only
67012e82 JJ	2	/*
	3	* AppArmor security module
	4	*
	5	* This file contains AppArmor auditing functions
	6	*
	7	* Copyright (C) 1998-2008 Novell/SUSE
	8	* Copyright 2009-2010 Canonical Ltd.
67012e82 JJ	9	*/
	10
	11	#include <linux/audit.h>
	12	#include <linux/socket.h>
	13
	14	#include "include/apparmor.h"
	15	#include "include/audit.h"
	16	#include "include/policy.h"
cff281f6	17	#include "include/policy_ns.h"
e79c26d0	18	#include "include/secid.h"
67012e82	19
2d4cee7e	20	const char *const audit_mode_names[] = {
67012e82 JJ	21	"normal",
	22	"quiet_denied",
	23	"quiet",
	24	"noquiet",
	25	"all"
	26	};
	27
2d4cee7e	28	static const char *const aa_audit_type[] = {
67012e82 JJ	29	"AUDIT",
	30	"ALLOWED",
	31	"DENIED",
	32	"HINT",
	33	"STATUS",
	34	"ERROR",
b492d50b	35	"KILLED",
ade3ddc0	36	"AUTO"
67012e82 JJ	37	};
	38
	39	/*
	40	* Currently AppArmor auditing is fed straight into the audit framework.
	41	*
	42	* TODO:
	43	* netlink interface for complain mode
	44	* user auditing, - send user auditing to netlink interface
	45	* system control of whether user audit messages go to system log
	46	*/
	47
	48	/**
	49	* audit_base - core AppArmor function.
	50	* @ab: audit buffer to fill (NOT NULL)
	51	* @ca: audit structure containing data to audit (NOT NULL)
	52	*
	53	* Record common AppArmor audit data from @sa
	54	*/
	55	static void audit_pre(struct audit_buffer ab, void ca)
	56	{
	57	struct common_audit_data *sa = ca;
67012e82 JJ	58
67012e82 JJ	59	if (aa_g_audit_header) {
f1d9b23c RGB	60	audit_log_format(ab, "apparmor=\"%s\"",
f1d9b23c RGB	61	aa_audit_type[aad(sa)->type]);
67012e82 JJ	62	}
67012e82 JJ	63
ef88a7ac	64	if (aad(sa)->op) {
f1d9b23c	65	audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
67012e82 JJ	66	}
67012e82 JJ	67
ef88a7ac	68	if (aad(sa)->info) {
f1d9b23c	69	audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
ef88a7ac JJ	70	if (aad(sa)->error)
ef88a7ac JJ	71	audit_log_format(ab, " error=%d", aad(sa)->error);
67012e82 JJ	72	}
67012e82 JJ	73
637f688d JJ	74	if (aad(sa)->label) {
	75	struct aa_label *label = aad(sa)->label;
	76
	77	if (label_isprofile(label)) {
	78	struct aa_profile *profile = labels_profile(label);
	79
	80	if (profile->ns != root_ns) {
	81	audit_log_format(ab, " namespace=");
	82	audit_log_untrustedstring(ab,
	83	profile->ns->base.hname);
	84	}
	85	audit_log_format(ab, " profile=");
	86	audit_log_untrustedstring(ab, profile->base.hname);
	87	} else {
	88	audit_log_format(ab, " label=");
	89	aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
	90	GFP_ATOMIC);
67012e82	91	}
67012e82 JJ	92	}
67012e82 JJ	93
ef88a7ac	94	if (aad(sa)->name) {
67012e82	95	audit_log_format(ab, " name=");
ef88a7ac	96	audit_log_untrustedstring(ab, aad(sa)->name);
67012e82 JJ	97	}
	98	}
	99
	100	/**
	101	* aa_audit_msg - Log a message to the audit subsystem
	102	* @sa: audit event structure (NOT NULL)
	103	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	104	*/
	105	void aa_audit_msg(int type, struct common_audit_data *sa,
	106	void (cb) (struct audit_buffer , void *))
	107	{
ef88a7ac	108	aad(sa)->type = type;
b61c37f5	109	common_lsm_audit(sa, audit_pre, cb);
67012e82 JJ	110	}
	111
	112	/**
	113	* aa_audit - Log a profile based audit event to the audit subsystem
	114	* @type: audit type for the message
	115	* @profile: profile to check against (NOT NULL)
67012e82 JJ	116	* @sa: audit event (NOT NULL)
	117	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	118	*
	119	* Handle default message switching based off of audit mode flags
	120	*
	121	* Returns: error on failure
	122	*/
ef88a7ac	123	int aa_audit(int type, struct aa_profile profile, struct common_audit_data sa,
67012e82 JJ	124	void (cb) (struct audit_buffer , void *))
67012e82 JJ	125	{
e6bfa25d	126	AA_BUG(!profile);
67012e82 JJ	127
67012e82 JJ	128	if (type == AUDIT_APPARMOR_AUTO) {
ef88a7ac	129	if (likely(!aad(sa)->error)) {
67012e82 JJ	130	if (AUDIT_MODE(profile) != AUDIT_ALL)
	131	return 0;
	132	type = AUDIT_APPARMOR_AUDIT;
	133	} else if (COMPLAIN_MODE(profile))
	134	type = AUDIT_APPARMOR_ALLOWED;
	135	else
	136	type = AUDIT_APPARMOR_DENIED;
	137	}
	138	if (AUDIT_MODE(profile) == AUDIT_QUIET \|\|
	139	(type == AUDIT_APPARMOR_DENIED &&
	140	AUDIT_MODE(profile) == AUDIT_QUIET))
ef88a7ac	141	return aad(sa)->error;
67012e82 JJ	142
	143	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
	144	type = AUDIT_APPARMOR_KILL;
	145
637f688d	146	aad(sa)->label = &profile->label;
67012e82 JJ	147
	148	aa_audit_msg(type, sa, cb);
	149
ef88a7ac	150	if (aad(sa)->type == AUDIT_APPARMOR_KILL)
0972c74e	151	(void)send_sig_info(SIGKILL, NULL,
b6b1b81b JJ	152	sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
b6b1b81b JJ	153	sa->u.tsk : current);
67012e82	154
ef88a7ac JJ	155	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
ef88a7ac JJ	156	return complain_error(aad(sa)->error);
67012e82	157
ef88a7ac	158	return aad(sa)->error;
67012e82	159	}
e79c26d0 MG	160
e79c26d0 MG	161	struct aa_audit_rule {
2ab47dae	162	struct aa_label *label;
e79c26d0 MG	163	};
	164
	165	void aa_audit_rule_free(void *vrule)
	166	{
	167	struct aa_audit_rule *rule = vrule;
	168
	169	if (rule) {
2ab47dae JJ	170	if (!IS_ERR(rule->label))
2ab47dae JJ	171	aa_put_label(rule->label);
e79c26d0 MG	172	kfree(rule);
	173	}
	174	}
	175
	176	int aa_audit_rule_init(u32 field, u32 op, char rulestr, void *vrule)
	177	{
	178	struct aa_audit_rule *rule;
	179
	180	switch (field) {
	181	case AUDIT_SUBJ_ROLE:
	182	if (op != Audit_equal && op != Audit_not_equal)
	183	return -EINVAL;
	184	break;
	185	default:
	186	return -EINVAL;
	187	}
	188
	189	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
	190
	191	if (!rule)
	192	return -ENOMEM;
	193
2ab47dae JJ	194	/* Currently rules are treated as coming from the root ns */
	195	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
	196	GFP_KERNEL, true, false);
52e8c380	197	if (IS_ERR(rule->label)) {
c54d481d	198	int err = PTR_ERR(rule->label);
52e8c380	199	aa_audit_rule_free(rule);
c54d481d	200	return err;
52e8c380	201	}
e79c26d0	202
52e8c380	203	*vrule = rule;
e79c26d0 MG	204	return 0;
	205	}
	206
	207	int aa_audit_rule_known(struct audit_krule *rule)
	208	{
	209	int i;
	210
	211	for (i = 0; i < rule->field_count; i++) {
	212	struct audit_field *f = &rule->fields[i];
	213
	214	switch (f->type) {
	215	case AUDIT_SUBJ_ROLE:
	216	return 1;
	217	}
	218	}
	219
	220	return 0;
	221	}
	222
90462a5b	223	int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
e79c26d0 MG	224	{
	225	struct aa_audit_rule *rule = vrule;
	226	struct aa_label *label;
e79c26d0 MG	227	int found = 0;
	228
	229	label = aa_secid_to_label(sid);
	230
	231	if (!label)
	232	return -ENOENT;
	233
2ab47dae JJ	234	if (aa_label_is_subset(label, rule->label))
2ab47dae JJ	235	found = 1;
e79c26d0 MG	236
	237	switch (field) {
	238	case AUDIT_SUBJ_ROLE:
	239	switch (op) {
	240	case Audit_equal:
	241	return found;
	242	case Audit_not_equal:
	243	return !found;
	244	}
	245	}
	246	return 0;
	247	}