// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include <linux/audit.h>
#include <linux/socket.h>

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/secid.h"

/*
 * Names of the per-profile audit modes, indexed by the AUDIT_* mode value
 * returned by AUDIT_MODE(profile). Exported (non-static) so policy
 * loading/display code elsewhere in the module can map names to modes.
 */
const char *const audit_mode_names[] = {
	"normal",
	"quiet_denied",
	"quiet",
	"noquiet",
	"all"
};

/*
 * Value emitted in the apparmor="..." field of a record, indexed by the
 * AUDIT_APPARMOR_* message type stored in aad(sa)->type by aa_audit_msg().
 * Order must stay in sync with the AUDIT_APPARMOR_* enumeration.
 */
static const char *const aa_audit_type[] = {
	"AUDIT",
	"ALLOWED",
	"DENIED",
	"HINT",
	"STATUS",
	"ERROR",
	"KILLED",
	"AUTO"
};

/*
 * Currently AppArmor auditing is fed straight into the audit framework.
 *
 * TODO:
 * netlink interface for complain mode
 * user auditing, - send user auditing to netlink interface
 * system control of whether user audit messages go to system log
 */

/**
 * audit_pre - core AppArmor audit callback, emits the common record fields
 * @ab: audit buffer to fill (NOT NULL)
 * @ca: audit structure containing data to audit (NOT NULL); a
 *      struct common_audit_data passed as void * to fit the
 *      common_lsm_audit() callback signature
 *
 * Record common AppArmor audit data from @ca. Invoked by common_lsm_audit()
 * before the caller-supplied, type-specific callback.
 *
 * Two classes of string are written here and they are deliberately handled
 * differently:
 *  - op and info are kernel-supplied constant strings and are formatted
 *    with %s directly;
 *  - name and the profile/namespace hnames can carry bytes that originated
 *    outside the kernel, so they go through audit_log_untrustedstring(),
 *    which escapes/hex-encodes strings that would otherwise break the
 *    field structure of the record.
 * Any new field added here should be classified the same way.
 */
static void audit_pre(struct audit_buffer *ab, void *ca)
{
	struct common_audit_data *sa = ca;

	/* The apparmor="TYPE" header is optional (module parameter). */
	if (aa_g_audit_header) {
		audit_log_format(ab, "apparmor=\"%s\"",
				 aa_audit_type[aad(sa)->type]);
	}

	if (aad(sa)->op) {
		audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
	}

	/* error= is only emitted alongside info=, never on its own. */
	if (aad(sa)->info) {
		audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
		if (aad(sa)->error)
			audit_log_format(ab, " error=%d", aad(sa)->error);
	}

	if (aad(sa)->label) {
		struct aa_label *label = aad(sa)->label;

		if (label_isprofile(label)) {
			/* Single-profile label: log namespace (if not root) and profile. */
			struct aa_profile *profile = labels_profile(label);

			if (profile->ns != root_ns) {
				audit_log_format(ab, " namespace=");
				audit_log_untrustedstring(ab,
							  profile->ns->base.hname);
			}
			audit_log_format(ab, " profile=");
			audit_log_untrustedstring(ab, profile->base.hname);
		} else {
			/*
			 * Compound (stacked) label: let the label code render it
			 * relative to the root namespace. GFP_ATOMIC because this
			 * runs from the audit callback path, which presumably must
			 * not sleep - confirm against common_lsm_audit().
			 */
			audit_log_format(ab, " label=");
			aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
					GFP_ATOMIC);
		}
	}

	if (aad(sa)->name) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, aad(sa)->name);
	}
}

/**
 * aa_audit_msg - Log a message to the audit subsystem
 * @type: AUDIT_APPARMOR_* message type, stored into aad(@sa)->type
 * @sa: audit event structure (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Performs no mode-based filtering itself; callers that need the
 * quiet/complain/kill handling go through aa_audit(). The type is recorded
 * in @sa before logging so that audit_pre() and the caller can read it back.
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *))
{
	aad(sa)->type = type;
	common_lsm_audit(sa, audit_pre, cb);
}

/**
 * aa_audit - Log a profile based audit event to the audit subsystem
 * @type: audit type for the message
 * @profile: profile to check against (NOT NULL)
 * @sa: audit event (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Handle default message switching based off of audit mode flags
 *
 * AUDIT_APPARMOR_AUTO is resolved from aad(@sa)->error and the profile's
 * mode: no error logs only when the profile audits everything, an error
 * becomes ALLOWED in complain mode and DENIED otherwise. Quiet modes then
 * suppress the record entirely. In kill mode a DENIED event is upgraded to
 * KILL and, after the record has been written, SIGKILL is delivered to the
 * audited task.
 *
 * Returns: error on failure; in complain mode (ALLOWED) the error is passed
 * through complain_error() so that the operation is not blocked.
 */
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *))
{
	AA_BUG(!profile);

	if (type == AUDIT_APPARMOR_AUTO) {
		if (likely(!aad(sa)->error)) {
			/* Successful operations are only audited in AUDIT_ALL mode. */
			if (AUDIT_MODE(profile) != AUDIT_ALL)
				return 0;
			type = AUDIT_APPARMOR_AUDIT;
		} else if (COMPLAIN_MODE(profile))
			type = AUDIT_APPARMOR_ALLOWED;
		else
			type = AUDIT_APPARMOR_DENIED;
	}
	/*
	 * Suppressed record: nothing is logged, but the access decision
	 * (the stored error) is still returned to the caller.
	 */
	if (AUDIT_MODE(profile) == AUDIT_QUIET ||
	    (type == AUDIT_APPARMOR_DENIED &&
	     AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
		return aad(sa)->error;

	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
		type = AUDIT_APPARMOR_KILL;

	aad(sa)->label = &profile->label;

	aa_audit_msg(type, sa, cb);

	/*
	 * Log first, then kill: the record above is the evidence of why the
	 * task was terminated. Target is the task named in the event when one
	 * is present, otherwise the current task.
	 */
	if (aad(sa)->type == AUDIT_APPARMOR_KILL)
		(void)send_sig_info(SIGKILL, NULL,
				    sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
				    sa->u.tsk : current);

	/* Complain mode: report but do not enforce (see complain_error()). */
	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
		return complain_error(aad(sa)->error);

	return aad(sa)->error;
}

/*
 * Per-rule state for the LSM audit filter hooks (AUDIT_SUBJ_ROLE).
 * Holds a counted reference to the parsed label, released in
 * aa_audit_rule_free(); may transiently hold an ERR_PTR during init.
 */
struct aa_audit_rule {
	struct aa_label *label;
};

/**
 * aa_audit_rule_free - release a rule created by aa_audit_rule_init()
 * @vrule: rule pointer (MAYBE NULL)
 *
 * Tolerates an ERR_PTR in rule->label because aa_audit_rule_init() stores
 * the result of aa_label_parse() before checking it and relies on this
 * function for cleanup on the error path.
 */
void aa_audit_rule_free(void *vrule)
{
	struct aa_audit_rule *rule = vrule;

	if (rule) {
		if (!IS_ERR(rule->label))
			aa_put_label(rule->label);
		kfree(rule);
	}
}

/**
 * aa_audit_rule_init - build a rule from an audit filter field
 * @field: audit field type; only AUDIT_SUBJ_ROLE is supported
 * @op: comparison operator; only Audit_equal / Audit_not_equal are accepted
 * @rulestr: label string to match against (presumably supplied with the
 *           audit filter rule from userspace - verify against the caller)
 * @vrule: out param receiving the allocated rule on success
 *
 * Returns: 0 on success, -EINVAL for an unsupported field/op, -ENOMEM on
 * allocation failure, or the error from aa_label_parse().
 */
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
	struct aa_audit_rule *rule;

	/* Validate field and operator before allocating anything. */
	switch (field) {
	case AUDIT_SUBJ_ROLE:
		if (op != Audit_equal && op != Audit_not_equal)
			return -EINVAL;
		break;
	default:
		return -EINVAL;
	}

	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);

	if (!rule)
		return -ENOMEM;

	/* Currently rules are treated as coming from the root ns */
	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
				     GFP_KERNEL, true, false);
	if (IS_ERR(rule->label)) {
		/* aa_audit_rule_free() skips aa_put_label() for an ERR_PTR. */
		int err = PTR_ERR(rule->label);
		aa_audit_rule_free(rule);
		return err;
	}

	*vrule = rule;
	return 0;
}

/**
 * aa_audit_rule_known - report whether a kernel audit rule uses our fields
 * @rule: audit rule to inspect (NOT NULL)
 *
 * Returns: 1 if any field of @rule is AUDIT_SUBJ_ROLE, 0 otherwise.
 */
int aa_audit_rule_known(struct audit_krule *rule)
{
	int i;

	for (i = 0; i < rule->field_count; i++) {
		struct audit_field *f = &rule->fields[i];

		switch (f->type) {
		case AUDIT_SUBJ_ROLE:
			return 1;
		}
	}

	return 0;
}

/**
 * aa_audit_rule_match - evaluate a rule against a subject secid
 * @sid: secid of the subject being audited
 * @field: audit field type being matched
 * @op: comparison operator (Audit_equal / Audit_not_equal)
 * @vrule: rule created by aa_audit_rule_init() (NOT NULL)
 *
 * Matching is based on aa_label_is_subset(), i.e. a subset relationship
 * between the subject label and the rule label rather than strict equality
 * (see label.c for which side is the subset).
 *
 * Returns: 1 on match, 0 on no match (including an unsupported field/op),
 * -ENOENT if @sid does not map to a label.
 */
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
{
	struct aa_audit_rule *rule = vrule;
	struct aa_label *label;
	int found = 0;

	label = aa_secid_to_label(sid);

	if (!label)
		return -ENOENT;

	if (aa_label_is_subset(label, rule->label))
		found = 1;

	switch (field) {
	case AUDIT_SUBJ_ROLE:
		switch (op) {
		case Audit_equal:
			return found;
		case Audit_not_equal:
			return !found;
		}
	}
	/* Unsupported field/op combinations never match. */
	return 0;
}