1// SPDX-License-Identifier: GPL-2.0-only 2/* 3 * common LSM auditing functions 4 * 5 * Based on code written for SELinux by : 6 * Stephen Smalley, <sds@tycho.nsa.gov> 7 * James Morris <jmorris@redhat.com> 8 * Author : Etienne Basset, <etienne.basset@ensta.org> 9 */ 10 11#include <linux/types.h> 12#include <linux/stddef.h> 13#include <linux/kernel.h> 14#include <linux/gfp.h> 15#include <linux/fs.h> 16#include <linux/init.h> 17#include <net/sock.h> 18#include <linux/un.h> 19#include <net/af_unix.h> 20#include <linux/audit.h> 21#include <linux/ipv6.h> 22#include <linux/ip.h> 23#include <net/ip.h> 24#include <net/ipv6.h> 25#include <linux/tcp.h> 26#include <linux/udp.h> 27#include <linux/dccp.h> 28#include <linux/sctp.h> 29#include <linux/lsm_audit.h> 30#include <linux/security.h> 31 32/** 33 * ipv4_skb_to_auditdata : fill auditdata from skb 34 * @skb : the skb 35 * @ad : the audit data to fill 36 * @proto : the layer 4 protocol 37 * 38 * return 0 on success 39 */ 40int ipv4_skb_to_auditdata(struct sk_buff *skb, 41 struct common_audit_data *ad, u8 *proto) 42{ 43 int ret = 0; 44 struct iphdr *ih; 45 46 ih = ip_hdr(skb); 47 if (ih == NULL) 48 return -EINVAL; 49 50 ad->u.net->v4info.saddr = ih->saddr; 51 ad->u.net->v4info.daddr = ih->daddr; 52 53 if (proto) 54 *proto = ih->protocol; 55 /* non initial fragment */ 56 if (ntohs(ih->frag_off) & IP_OFFSET) 57 return 0; 58 59 switch (ih->protocol) { 60 case IPPROTO_TCP: { 61 struct tcphdr *th = tcp_hdr(skb); 62 if (th == NULL) 63 break; 64 65 ad->u.net->sport = th->source; 66 ad->u.net->dport = th->dest; 67 break; 68 } 69 case IPPROTO_UDP: { 70 struct udphdr *uh = udp_hdr(skb); 71 if (uh == NULL) 72 break; 73 74 ad->u.net->sport = uh->source; 75 ad->u.net->dport = uh->dest; 76 break; 77 } 78 case IPPROTO_DCCP: { 79 struct dccp_hdr *dh = dccp_hdr(skb); 80 if (dh == NULL) 81 break; 82 83 ad->u.net->sport = dh->dccph_sport; 84 ad->u.net->dport = dh->dccph_dport; 85 break; 86 } 87 case IPPROTO_SCTP: { 88 struct sctphdr *sh = sctp_hdr(skb); 89 if (sh == NULL) 90 break; 91 ad->u.net->sport = sh->source; 92 ad->u.net->dport = sh->dest; 93 break; 94 } 95 default: 96 ret = -EINVAL; 97 } 98 return ret; 99} 100#if IS_ENABLED(CONFIG_IPV6) 101/** 102 * ipv6_skb_to_auditdata : fill auditdata from skb 103 * @skb : the skb 104 * @ad : the audit data to fill 105 * @proto : the layer 4 protocol 106 * 107 * return 0 on success 108 */ 109int ipv6_skb_to_auditdata(struct sk_buff *skb, 110 struct common_audit_data *ad, u8 *proto) 111{ 112 int offset, ret = 0; 113 struct ipv6hdr *ip6; 114 u8 nexthdr; 115 __be16 frag_off; 116 117 ip6 = ipv6_hdr(skb); 118 if (ip6 == NULL) 119 return -EINVAL; 120 ad->u.net->v6info.saddr = ip6->saddr; 121 ad->u.net->v6info.daddr = ip6->daddr; 122 ret = 0; 123 /* IPv6 can have several extension header before the Transport header 124 * skip them */ 125 offset = skb_network_offset(skb); 126 offset += sizeof(*ip6); 127 nexthdr = ip6->nexthdr; 128 offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); 129 if (offset < 0) 130 return 0; 131 if (proto) 132 *proto = nexthdr; 133 switch (nexthdr) { 134 case IPPROTO_TCP: { 135 struct tcphdr _tcph, *th; 136 137 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); 138 if (th == NULL) 139 break; 140 141 ad->u.net->sport = th->source; 142 ad->u.net->dport = th->dest; 143 break; 144 } 145 case IPPROTO_UDP: { 146 struct udphdr _udph, *uh; 147 148 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); 149 if (uh == NULL) 150 break; 151 152 ad->u.net->sport = uh->source; 153 ad->u.net->dport = uh->dest; 154 break; 155 } 156 case IPPROTO_DCCP: { 157 struct dccp_hdr _dccph, *dh; 158 159 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); 160 if (dh == NULL) 161 break; 162 163 ad->u.net->sport = dh->dccph_sport; 164 ad->u.net->dport = dh->dccph_dport; 165 break; 166 } 167 case IPPROTO_SCTP: { 168 struct sctphdr _sctph, *sh; 169 170 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); 171 if (sh == NULL) 172 break; 173 ad->u.net->sport = sh->source; 174 ad->u.net->dport = sh->dest; 175 break; 176 } 177 default: 178 ret = -EINVAL; 179 } 180 return ret; 181} 182#endif 183 184 185static inline void print_ipv6_addr(struct audit_buffer *ab, 186 struct in6_addr *addr, __be16 port, 187 char *name1, char *name2) 188{ 189 if (!ipv6_addr_any(addr)) 190 audit_log_format(ab, " %s=%pI6c", name1, addr); 191 if (port) 192 audit_log_format(ab, " %s=%d", name2, ntohs(port)); 193} 194 195static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr, 196 __be16 port, char *name1, char *name2) 197{ 198 if (addr) 199 audit_log_format(ab, " %s=%pI4", name1, &addr); 200 if (port) 201 audit_log_format(ab, " %s=%d", name2, ntohs(port)); 202} 203 204/** 205 * dump_common_audit_data - helper to dump common audit data 206 * @a : common audit data 207 * 208 */ 209static void dump_common_audit_data(struct audit_buffer *ab, 210 struct common_audit_data *a) 211{ 212 char comm[sizeof(current->comm)]; 213 214 /* 215 * To keep stack sizes in check force programers to notice if they 216 * start making this union too large! See struct lsm_network_audit 217 * as an example of how to deal with large data. 218 */ 219 BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); 220 221 audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current)); 222 audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm))); 223 224 switch (a->type) { 225 case LSM_AUDIT_DATA_NONE: 226 return; 227 case LSM_AUDIT_DATA_IPC: 228 audit_log_format(ab, " key=%d ", a->u.ipc_id); 229 break; 230 case LSM_AUDIT_DATA_CAP: 231 audit_log_format(ab, " capability=%d ", a->u.cap); 232 break; 233 case LSM_AUDIT_DATA_PATH: { 234 struct inode *inode; 235 236 audit_log_d_path(ab, " path=", &a->u.path); 237 238 inode = d_backing_inode(a->u.path.dentry); 239 if (inode) { 240 audit_log_format(ab, " dev="); 241 audit_log_untrustedstring(ab, inode->i_sb->s_id); 242 audit_log_format(ab, " ino=%lu", inode->i_ino); 243 } 244 audit_getcwd(); 245 break; 246 } 247 case LSM_AUDIT_DATA_FILE: { 248 struct inode *inode; 249 250 audit_log_d_path(ab, " path=", &a->u.file->f_path); 251 252 inode = file_inode(a->u.file); 253 if (inode) { 254 audit_log_format(ab, " dev="); 255 audit_log_untrustedstring(ab, inode->i_sb->s_id); 256 audit_log_format(ab, " ino=%lu", inode->i_ino); 257 } 258 audit_getcwd(); 259 break; 260 } 261 case LSM_AUDIT_DATA_IOCTL_OP: { 262 struct inode *inode; 263 264 audit_log_d_path(ab, " path=", &a->u.op->path); 265 266 inode = a->u.op->path.dentry->d_inode; 267 if (inode) { 268 audit_log_format(ab, " dev="); 269 audit_log_untrustedstring(ab, inode->i_sb->s_id); 270 audit_log_format(ab, " ino=%lu", inode->i_ino); 271 } 272 273 audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd); 274 audit_getcwd(); 275 break; 276 } 277 case LSM_AUDIT_DATA_DENTRY: { 278 struct inode *inode; 279 280 audit_log_format(ab, " name="); 281 spin_lock(&a->u.dentry->d_lock); 282 audit_log_untrustedstring(ab, a->u.dentry->d_name.name); 283 spin_unlock(&a->u.dentry->d_lock); 284 285 inode = d_backing_inode(a->u.dentry); 286 if (inode) { 287 audit_log_format(ab, " dev="); 288 audit_log_untrustedstring(ab, inode->i_sb->s_id); 289 audit_log_format(ab, " ino=%lu", inode->i_ino); 290 } 291 audit_getcwd(); 292 break; 293 } 294 case LSM_AUDIT_DATA_INODE: { 295 struct dentry *dentry; 296 struct inode *inode; 297 298 inode = a->u.inode; 299 dentry = d_find_alias(inode); 300 if (dentry) { 301 audit_log_format(ab, " name="); 302 spin_lock(&dentry->d_lock); 303 audit_log_untrustedstring(ab, dentry->d_name.name); 304 spin_unlock(&dentry->d_lock); 305 dput(dentry); 306 } 307 audit_log_format(ab, " dev="); 308 audit_log_untrustedstring(ab, inode->i_sb->s_id); 309 audit_log_format(ab, " ino=%lu", inode->i_ino); 310 audit_getcwd(); 311 break; 312 } 313 case LSM_AUDIT_DATA_TASK: { 314 struct task_struct *tsk = a->u.tsk; 315 if (tsk) { 316 pid_t pid = task_tgid_nr(tsk); 317 if (pid) { 318 char comm[sizeof(tsk->comm)]; 319 audit_log_format(ab, " opid=%d ocomm=", pid); 320 audit_log_untrustedstring(ab, 321 memcpy(comm, tsk->comm, sizeof(comm))); 322 } 323 } 324 break; 325 } 326 case LSM_AUDIT_DATA_NET: 327 if (a->u.net->sk) { 328 struct sock *sk = a->u.net->sk; 329 struct unix_sock *u; 330 struct unix_address *addr; 331 int len = 0; 332 char *p = NULL; 333 334 switch (sk->sk_family) { 335 case AF_INET: { 336 struct inet_sock *inet = inet_sk(sk); 337 338 print_ipv4_addr(ab, inet->inet_rcv_saddr, 339 inet->inet_sport, 340 "laddr", "lport"); 341 print_ipv4_addr(ab, inet->inet_daddr, 342 inet->inet_dport, 343 "faddr", "fport"); 344 break; 345 } 346#if IS_ENABLED(CONFIG_IPV6) 347 case AF_INET6: { 348 struct inet_sock *inet = inet_sk(sk); 349 350 print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr, 351 inet->inet_sport, 352 "laddr", "lport"); 353 print_ipv6_addr(ab, &sk->sk_v6_daddr, 354 inet->inet_dport, 355 "faddr", "fport"); 356 break; 357 } 358#endif 359 case AF_UNIX: 360 u = unix_sk(sk); 361 addr = smp_load_acquire(&u->addr); 362 if (!addr) 363 break; 364 if (u->path.dentry) { 365 audit_log_d_path(ab, " path=", &u->path); 366 break; 367 } 368 len = addr->len-sizeof(short); 369 p = &addr->name->sun_path[0]; 370 audit_log_format(ab, " path="); 371 if (*p) 372 audit_log_untrustedstring(ab, p); 373 else 374 audit_log_n_hex(ab, p, len); 375 break; 376 } 377 } 378 379 switch (a->u.net->family) { 380 case AF_INET: 381 print_ipv4_addr(ab, a->u.net->v4info.saddr, 382 a->u.net->sport, 383 "saddr", "src"); 384 print_ipv4_addr(ab, a->u.net->v4info.daddr, 385 a->u.net->dport, 386 "daddr", "dest"); 387 break; 388 case AF_INET6: 389 print_ipv6_addr(ab, &a->u.net->v6info.saddr, 390 a->u.net->sport, 391 "saddr", "src"); 392 print_ipv6_addr(ab, &a->u.net->v6info.daddr, 393 a->u.net->dport, 394 "daddr", "dest"); 395 break; 396 } 397 if (a->u.net->netif > 0) { 398 struct net_device *dev; 399 400 /* NOTE: we always use init's namespace */ 401 dev = dev_get_by_index(&init_net, a->u.net->netif); 402 if (dev) { 403 audit_log_format(ab, " netif=%s", dev->name); 404 dev_put(dev); 405 } 406 } 407 break; 408#ifdef CONFIG_KEYS 409 case LSM_AUDIT_DATA_KEY: 410 audit_log_format(ab, " key_serial=%u", a->u.key_struct.key); 411 if (a->u.key_struct.key_desc) { 412 audit_log_format(ab, " key_desc="); 413 audit_log_untrustedstring(ab, a->u.key_struct.key_desc); 414 } 415 break; 416#endif 417 case LSM_AUDIT_DATA_KMOD: 418 audit_log_format(ab, " kmod="); 419 audit_log_untrustedstring(ab, a->u.kmod_name); 420 break; 421 case LSM_AUDIT_DATA_IBPKEY: { 422 struct in6_addr sbn_pfx; 423 424 memset(&sbn_pfx.s6_addr, 0, 425 sizeof(sbn_pfx.s6_addr)); 426 memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix, 427 sizeof(a->u.ibpkey->subnet_prefix)); 428 audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c", 429 a->u.ibpkey->pkey, &sbn_pfx); 430 break; 431 } 432 case LSM_AUDIT_DATA_IBENDPORT: 433 audit_log_format(ab, " device=%s port_num=%u", 434 a->u.ibendport->dev_name, 435 a->u.ibendport->port); 436 break; 437 case LSM_AUDIT_DATA_LOCKDOWN: 438 audit_log_format(ab, " lockdown_reason=\"%s\"", 439 lockdown_reasons[a->u.reason]); 440 break; 441 } /* switch (a->type) */ 442} 443 444/** 445 * common_lsm_audit - generic LSM auditing function 446 * @a: auxiliary audit data 447 * @pre_audit: lsm-specific pre-audit callback 448 * @post_audit: lsm-specific post-audit callback 449 * 450 * setup the audit buffer for common security information 451 * uses callback to print LSM specific information 452 */ 453void common_lsm_audit(struct common_audit_data *a, 454 void (*pre_audit)(struct audit_buffer *, void *), 455 void (*post_audit)(struct audit_buffer *, void *)) 456{ 457 struct audit_buffer *ab; 458 459 if (a == NULL) 460 return; 461 /* we use GFP_ATOMIC so we won't sleep */ 462 ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, 463 AUDIT_AVC); 464 465 if (ab == NULL) 466 return; 467 468 if (pre_audit) 469 pre_audit(ab, a); 470 471 dump_common_audit_data(ab, a); 472 473 if (post_audit) 474 post_audit(ab, a); 475 476 audit_log_end(ab); 477} 478