Commit | Line | Data |
---|---|---|
b886d83c | 1 | // SPDX-License-Identifier: GPL-2.0-only |
67012e82 JJ |
2 | /* |
3 | * AppArmor security module | |
4 | * | |
5 | * This file contains AppArmor auditing functions | |
6 | * | |
7 | * Copyright (C) 1998-2008 Novell/SUSE | |
8 | * Copyright 2009-2010 Canonical Ltd. | |
67012e82 JJ |
9 | */ |
10 | ||
11 | #include <linux/audit.h> | |
12 | #include <linux/socket.h> | |
13 | ||
14 | #include "include/apparmor.h" | |
15 | #include "include/audit.h" | |
16 | #include "include/policy.h" | |
cff281f6 | 17 | #include "include/policy_ns.h" |
e79c26d0 | 18 | #include "include/secid.h" |
67012e82 | 19 | |
2d4cee7e | 20 | const char *const audit_mode_names[] = { |
67012e82 JJ |
21 | "normal", |
22 | "quiet_denied", | |
23 | "quiet", | |
24 | "noquiet", | |
25 | "all" | |
26 | }; | |
27 | ||
2d4cee7e | 28 | static const char *const aa_audit_type[] = { |
67012e82 JJ |
29 | "AUDIT", |
30 | "ALLOWED", | |
31 | "DENIED", | |
32 | "HINT", | |
33 | "STATUS", | |
34 | "ERROR", | |
b492d50b | 35 | "KILLED", |
ade3ddc0 | 36 | "AUTO" |
67012e82 JJ |
37 | }; |
38 | ||
8c4b785a JJ |
39 | static const char *const aa_class_names[] = { |
40 | "none", | |
41 | "unknown", | |
42 | "file", | |
43 | "cap", | |
44 | "net", | |
45 | "rlimits", | |
46 | "domain", | |
47 | "mount", | |
48 | "unknown", | |
49 | "ptrace", | |
50 | "signal", | |
961f3e3d | 51 | "xmatch", |
8c4b785a JJ |
52 | "unknown", |
53 | "unknown", | |
54 | "net", | |
55 | "unknown", | |
56 | "label", | |
961f3e3d JJ |
57 | "posix_mqueue", |
58 | "io_uring", | |
59 | "module", | |
8c4b785a | 60 | "lsm", |
fa9b63ad | 61 | "namespace", |
c4371d90 | 62 | "io_uring", |
961f3e3d JJ |
63 | "unknown", |
64 | "unknown", | |
65 | "unknown", | |
66 | "unknown", | |
67 | "unknown", | |
68 | "unknown", | |
69 | "unknown", | |
70 | "unknown", | |
71 | "X", | |
72 | "dbus", | |
8c4b785a JJ |
73 | }; |
74 | ||
75 | ||
67012e82 JJ |
76 | /* |
77 | * Currently AppArmor auditing is fed straight into the audit framework. | |
78 | * | |
79 | * TODO: | |
80 | * netlink interface for complain mode | |
81 | * user auditing, - send user auditing to netlink interface | |
82 | * system control of whether user audit messages go to system log | |
83 | */ | |
84 | ||
85 | /** | |
64a27ba9 | 86 | * audit_pre() - core AppArmor function. |
67012e82 | 87 | * @ab: audit buffer to fill (NOT NULL) |
bd7bd201 | 88 | * @va: audit structure containing data to audit (NOT NULL) |
67012e82 | 89 | * |
bd7bd201 | 90 | * Record common AppArmor audit data from @va |
67012e82 | 91 | */ |
bd7bd201 | 92 | static void audit_pre(struct audit_buffer *ab, void *va) |
67012e82 | 93 | { |
bd7bd201 | 94 | struct apparmor_audit_data *ad = aad_of_va(va); |
67012e82 JJ |
95 | |
96 | if (aa_g_audit_header) { | |
f1d9b23c | 97 | audit_log_format(ab, "apparmor=\"%s\"", |
bd7bd201 | 98 | aa_audit_type[ad->type]); |
67012e82 JJ |
99 | } |
100 | ||
bd7bd201 JJ |
101 | if (ad->op) |
102 | audit_log_format(ab, " operation=\"%s\"", ad->op); | |
67012e82 | 103 | |
bd7bd201 | 104 | if (ad->class) |
8c4b785a | 105 | audit_log_format(ab, " class=\"%s\"", |
bd7bd201 JJ |
106 | ad->class <= AA_CLASS_LAST ? |
107 | aa_class_names[ad->class] : | |
8c4b785a JJ |
108 | "unknown"); |
109 | ||
bd7bd201 JJ |
110 | if (ad->info) { |
111 | audit_log_format(ab, " info=\"%s\"", ad->info); | |
112 | if (ad->error) | |
113 | audit_log_format(ab, " error=%d", ad->error); | |
67012e82 JJ |
114 | } |
115 | ||
d20f5a1a JJ |
116 | if (ad->subj_label) { |
117 | struct aa_label *label = ad->subj_label; | |
637f688d JJ |
118 | |
119 | if (label_isprofile(label)) { | |
120 | struct aa_profile *profile = labels_profile(label); | |
121 | ||
122 | if (profile->ns != root_ns) { | |
123 | audit_log_format(ab, " namespace="); | |
124 | audit_log_untrustedstring(ab, | |
125 | profile->ns->base.hname); | |
126 | } | |
127 | audit_log_format(ab, " profile="); | |
128 | audit_log_untrustedstring(ab, profile->base.hname); | |
129 | } else { | |
130 | audit_log_format(ab, " label="); | |
131 | aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS, | |
132 | GFP_ATOMIC); | |
67012e82 | 133 | } |
67012e82 JJ |
134 | } |
135 | ||
bd7bd201 | 136 | if (ad->name) { |
67012e82 | 137 | audit_log_format(ab, " name="); |
bd7bd201 | 138 | audit_log_untrustedstring(ab, ad->name); |
67012e82 JJ |
139 | } |
140 | } | |
141 | ||
142 | /** | |
143 | * aa_audit_msg - Log a message to the audit subsystem | |
26c9ecb3 | 144 | * @type: audit type for the message |
bd7bd201 | 145 | * @ad: audit event structure (NOT NULL) |
67012e82 JJ |
146 | * @cb: optional callback fn for type specific fields (MAYBE NULL) |
147 | */ | |
bd7bd201 | 148 | void aa_audit_msg(int type, struct apparmor_audit_data *ad, |
67012e82 JJ |
149 | void (*cb) (struct audit_buffer *, void *)) |
150 | { | |
bd7bd201 JJ |
151 | ad->type = type; |
152 | common_lsm_audit(&ad->common, audit_pre, cb); | |
67012e82 JJ |
153 | } |
154 | ||
155 | /** | |
156 | * aa_audit - Log a profile based audit event to the audit subsystem | |
157 | * @type: audit type for the message | |
158 | * @profile: profile to check against (NOT NULL) | |
bd7bd201 | 159 | * @ad: audit event (NOT NULL) |
67012e82 JJ |
160 | * @cb: optional callback fn for type specific fields (MAYBE NULL) |
161 | * | |
162 | * Handle default message switching based off of audit mode flags | |
163 | * | |
164 | * Returns: error on failure | |
165 | */ | |
bd7bd201 JJ |
166 | int aa_audit(int type, struct aa_profile *profile, |
167 | struct apparmor_audit_data *ad, | |
67012e82 JJ |
168 | void (*cb) (struct audit_buffer *, void *)) |
169 | { | |
e6bfa25d | 170 | AA_BUG(!profile); |
67012e82 JJ |
171 | |
172 | if (type == AUDIT_APPARMOR_AUTO) { | |
bd7bd201 | 173 | if (likely(!ad->error)) { |
67012e82 JJ |
174 | if (AUDIT_MODE(profile) != AUDIT_ALL) |
175 | return 0; | |
176 | type = AUDIT_APPARMOR_AUDIT; | |
177 | } else if (COMPLAIN_MODE(profile)) | |
178 | type = AUDIT_APPARMOR_ALLOWED; | |
179 | else | |
180 | type = AUDIT_APPARMOR_DENIED; | |
181 | } | |
182 | if (AUDIT_MODE(profile) == AUDIT_QUIET || | |
183 | (type == AUDIT_APPARMOR_DENIED && | |
68ff8540 | 184 | AUDIT_MODE(profile) == AUDIT_QUIET_DENIED)) |
bd7bd201 | 185 | return ad->error; |
67012e82 JJ |
186 | |
187 | if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) | |
188 | type = AUDIT_APPARMOR_KILL; | |
189 | ||
d20f5a1a | 190 | ad->subj_label = &profile->label; |
67012e82 | 191 | |
bd7bd201 | 192 | aa_audit_msg(type, ad, cb); |
67012e82 | 193 | |
bd7bd201 | 194 | if (ad->type == AUDIT_APPARMOR_KILL) |
0972c74e | 195 | (void)send_sig_info(SIGKILL, NULL, |
bd7bd201 JJ |
196 | ad->common.type == LSM_AUDIT_DATA_TASK && |
197 | ad->common.u.tsk ? ad->common.u.tsk : current); | |
67012e82 | 198 | |
bd7bd201 JJ |
199 | if (ad->type == AUDIT_APPARMOR_ALLOWED) |
200 | return complain_error(ad->error); | |
67012e82 | 201 | |
bd7bd201 | 202 | return ad->error; |
67012e82 | 203 | } |
e79c26d0 MG |
204 | |
205 | struct aa_audit_rule { | |
2ab47dae | 206 | struct aa_label *label; |
e79c26d0 MG |
207 | }; |
208 | ||
209 | void aa_audit_rule_free(void *vrule) | |
210 | { | |
211 | struct aa_audit_rule *rule = vrule; | |
212 | ||
213 | if (rule) { | |
2ab47dae JJ |
214 | if (!IS_ERR(rule->label)) |
215 | aa_put_label(rule->label); | |
e79c26d0 MG |
216 | kfree(rule); |
217 | } | |
218 | } | |
219 | ||
9a95c5bf | 220 | int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) |
e79c26d0 MG |
221 | { |
222 | struct aa_audit_rule *rule; | |
223 | ||
224 | switch (field) { | |
225 | case AUDIT_SUBJ_ROLE: | |
226 | if (op != Audit_equal && op != Audit_not_equal) | |
227 | return -EINVAL; | |
228 | break; | |
229 | default: | |
230 | return -EINVAL; | |
231 | } | |
232 | ||
9a95c5bf | 233 | rule = kzalloc(sizeof(struct aa_audit_rule), gfp); |
e79c26d0 MG |
234 | |
235 | if (!rule) | |
236 | return -ENOMEM; | |
237 | ||
2ab47dae JJ |
238 | /* Currently rules are treated as coming from the root ns */ |
239 | rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, | |
9a95c5bf | 240 | gfp, true, false); |
52e8c380 | 241 | if (IS_ERR(rule->label)) { |
c54d481d | 242 | int err = PTR_ERR(rule->label); |
52e8c380 | 243 | aa_audit_rule_free(rule); |
c54d481d | 244 | return err; |
52e8c380 | 245 | } |
e79c26d0 | 246 | |
52e8c380 | 247 | *vrule = rule; |
e79c26d0 MG |
248 | return 0; |
249 | } | |
250 | ||
251 | int aa_audit_rule_known(struct audit_krule *rule) | |
252 | { | |
253 | int i; | |
254 | ||
255 | for (i = 0; i < rule->field_count; i++) { | |
256 | struct audit_field *f = &rule->fields[i]; | |
257 | ||
258 | switch (f->type) { | |
259 | case AUDIT_SUBJ_ROLE: | |
260 | return 1; | |
261 | } | |
262 | } | |
263 | ||
264 | return 0; | |
265 | } | |
266 | ||
90462a5b | 267 | int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) |
e79c26d0 MG |
268 | { |
269 | struct aa_audit_rule *rule = vrule; | |
270 | struct aa_label *label; | |
e79c26d0 MG |
271 | int found = 0; |
272 | ||
273 | label = aa_secid_to_label(sid); | |
274 | ||
275 | if (!label) | |
276 | return -ENOENT; | |
277 | ||
2ab47dae JJ |
278 | if (aa_label_is_subset(label, rule->label)) |
279 | found = 1; | |
e79c26d0 MG |
280 | |
281 | switch (field) { | |
282 | case AUDIT_SUBJ_ROLE: | |
283 | switch (op) { | |
284 | case Audit_equal: | |
285 | return found; | |
286 | case Audit_not_equal: | |
287 | return !found; | |
288 | } | |
289 | } | |
290 | return 0; | |
291 | } |