// SPDX-License-Identifier: GPL-2.0-only
/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 */

#include <linux/audit.h>
#include <linux/socket.h>

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/policy.h"
#include "include/policy_ns.h"
#include "include/secid.h"

/*
 * Printable names of the profile audit modes.
 * NOTE(review): entry order presumably mirrors the audit mode constants
 * (AUDIT_NORMAL, AUDIT_QUIET_DENIED, AUDIT_QUIET, ...) used by aa_audit()
 * below - confirm against include/audit.h before adding or reordering.
 */
const char *const audit_mode_names[] = {
	"normal",
	"quiet_denied",
	"quiet",
	"noquiet",
	"all"
};

/*
 * Event type names emitted in the apparmor="..." field of a record.
 * audit_pre() indexes this table by apparmor_audit_data->type without a
 * range check, so callers of aa_audit_msg() must only pass the
 * AUDIT_APPARMOR_* type values and the entry order must track them.
 */
static const char *const aa_audit_type[] = {
	"AUDIT",
	"ALLOWED",
	"DENIED",
	"HINT",
	"STATUS",
	"ERROR",
	"KILLED",
	"AUTO"
};

/*
 * Rule class names for the class="..." field, indexed by class number.
 * audit_pre() only reads this table for classes <= AA_CLASS_LAST and
 * reports anything larger as "unknown". The "unknown" entries presumably
 * hold the positions of class numbers that have no user-visible name so the
 * index stays aligned - confirm against the AA_CLASS_* definitions.
 */
static const char *const aa_class_names[] = {
	"none",
	"unknown",
	"file",
	"cap",
	"net",
	"rlimits",
	"domain",
	"mount",
	"unknown",
	"ptrace",
	"signal",
	"xmatch",
	"unknown",
	"unknown",
	"net",
	"unknown",
	"label",
	"posix_mqueue",
	"io_uring",
	"module",
	"lsm",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"unknown",
	"X",
	"dbus",
};


/*
 * Currently AppArmor auditing is fed straight into the audit framework.
 *
 * TODO:
 * netlink interface for complain mode
 * user auditing, - send user auditing to netlink interface
 * system control of whether user audit messages go to system log
 */

/**
 * audit_pre() - core AppArmor function.
 * @ab: audit buffer to fill (NOT NULL)
 * @va: audit structure containing data to audit (NOT NULL)
 *
 * Record common AppArmor audit data from @va
 */
static void audit_pre(struct audit_buffer *ab, void *va)
{
	struct apparmor_audit_data *ad = aad_of_va(va);
	struct aa_label *label;

	/* the apparmor="..." prefix is optional, controlled by aa_g_audit_header */
	if (aa_g_audit_header)
		audit_log_format(ab, "apparmor=\"%s\"", aa_audit_type[ad->type]);

	if (ad->op)
		audit_log_format(ab, " operation=\"%s\"", ad->op);

	if (ad->class) {
		const char *class_name = "unknown";

		/* class numbers past the end of the name table are reported as unknown */
		if (ad->class <= AA_CLASS_LAST)
			class_name = aa_class_names[ad->class];
		audit_log_format(ab, " class=\"%s\"", class_name);
	}

	if (ad->info) {
		audit_log_format(ab, " info=\"%s\"", ad->info);
		if (ad->error)
			audit_log_format(ab, " error=%d", ad->error);
	}

	/*
	 * A single profile is logged as profile= (plus namespace= when it is
	 * not in the root ns); any other label is logged as label=.
	 */
	label = ad->subj_label;
	if (label) {
		if (!label_isprofile(label)) {
			audit_log_format(ab, " label=");
			aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
					GFP_ATOMIC);
		} else {
			struct aa_profile *profile = labels_profile(label);

			if (profile->ns != root_ns) {
				audit_log_format(ab, " namespace=");
				audit_log_untrustedstring(ab,
							  profile->ns->base.hname);
			}
			audit_log_format(ab, " profile=");
			audit_log_untrustedstring(ab, profile->base.hname);
		}
	}

	/* names may contain arbitrary bytes, so log them as untrusted strings */
	if (ad->name) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, ad->name);
	}
}

/**
 * aa_audit_msg - Log a message to the audit subsystem
 * @type: audit type for the message
 * @ad: audit event structure (NOT NULL)
 * @cb: optional callback fn for type specific fields
(MAYBE NULL)
 *
 * @type is stored in @ad->type and later used by audit_pre() to index the
 * aa_audit_type[] name table, so it must be an AUDIT_APPARMOR_* value.
 */
void aa_audit_msg(int type, struct apparmor_audit_data *ad,
		  void (*cb) (struct audit_buffer *, void *))
{
	ad->type = type;
	common_lsm_audit(&ad->common, audit_pre, cb);
}

/**
 * aa_audit - Log a profile based audit event to the audit subsystem
 * @type: audit type for the message
 * @profile: profile to check against (NOT NULL)
 * @ad: audit event (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Handle default message switching based off of audit mode flags
 *
 * Returns: error on failure
 */
int aa_audit(int type, struct aa_profile *profile,
	     struct apparmor_audit_data *ad,
	     void (*cb) (struct audit_buffer *, void *))
{
	AA_BUG(!profile);

	/* AUTO resolves to a concrete type from the outcome and profile mode */
	if (type == AUDIT_APPARMOR_AUTO) {
		if (unlikely(ad->error))
			type = COMPLAIN_MODE(profile) ? AUDIT_APPARMOR_ALLOWED
						      : AUDIT_APPARMOR_DENIED;
		else if (AUDIT_MODE(profile) == AUDIT_ALL)
			type = AUDIT_APPARMOR_AUDIT;
		else
			return 0;
	}

	/* quiet modes suppress the record but still report the result */
	if (AUDIT_MODE(profile) == AUDIT_QUIET)
		return ad->error;
	if (type == AUDIT_APPARMOR_DENIED) {
		if (AUDIT_MODE(profile) == AUDIT_QUIET_DENIED)
			return ad->error;
		if (KILL_MODE(profile))
			type = AUDIT_APPARMOR_KILL;
	}

	ad->subj_label = &profile->label;
	aa_audit_msg(type, ad, cb);

	switch (ad->type) {
	case AUDIT_APPARMOR_KILL: {
		/* signal the recorded task when there is one, else current */
		struct task_struct *victim = current;

		if (ad->common.type == LSM_AUDIT_DATA_TASK && ad->common.u.tsk)
			victim = ad->common.u.tsk;
		(void)send_sig_info(SIGKILL, NULL, victim);
		return ad->error;
	}
	case AUDIT_APPARMOR_ALLOWED:
		return complain_error(ad->error);
	default:
		return ad->error;
	}
}

/*
 * An audit filter rule: holds a reference to the label parsed from the rule
 * string, or an ERR_PTR if parsing failed.
 */
struct aa_audit_rule {
	struct aa_label *label;
};

/**
 * aa_audit_rule_free - release an audit rule created by aa_audit_rule_init()
 * @vrule: the rule to free (MAYBE NULL)
 *
 * Drops the label reference unless it holds an ERR_PTR, then frees the rule.
 */
void aa_audit_rule_free(void *vrule)
{
	struct aa_audit_rule *rule = vrule;

	if (!rule)
		return;
	if (!IS_ERR(rule->label))
		aa_put_label(rule->label);
	kfree(rule);
}

/**
 * aa_audit_rule_init - create an audit rule from a rule string
 * @field: audit field the rule applies to; only AUDIT_SUBJ_ROLE is accepted
 * @op: comparison operator; only Audit_equal and Audit_not_equal are accepted
 * @rulestr: label string to parse
 * @vrule: on success receives the new rule, to be released with
 *         aa_audit_rule_free()
 *
 * Returns: 0 on success, -EINVAL for an unsupported field or operator,
 *          -ENOMEM on allocation failure, or the error from label parsing
 */
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
{
	struct aa_audit_rule *rule;
	int err;

	if (field != AUDIT_SUBJ_ROLE)
		return -EINVAL;
	if (op != Audit_equal && op != Audit_not_equal)
		return -EINVAL;

	rule = kzalloc(sizeof(*rule), GFP_KERNEL);
	if (!rule)
		return -ENOMEM;

	/* Currently rules are treated as coming from the root ns */
	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
				     GFP_KERNEL, true, false);
	if (!IS_ERR(rule->label)) {
		*vrule = rule;
		return 0;
	}

	/* the ERR_PTR label is skipped by aa_audit_rule_free() */
	err = PTR_ERR(rule->label);
	aa_audit_rule_free(rule);
	return err;
}

/**
 * aa_audit_rule_known - test whether a kernel audit rule uses AppArmor fields
 * @rule: the audit rule to inspect (NOT NULL)
 *
 * Returns: 1 if any field of @rule is AUDIT_SUBJ_ROLE, else 0
 */
int aa_audit_rule_known(struct audit_krule *rule)
{
	int i;

	for (i = 0; i < rule->field_count; i++)
		if (rule->fields[i].type == AUDIT_SUBJ_ROLE)
			return 1;

	return 0;
}

/**
 * aa_audit_rule_match - match a secid against an audit rule
 * @sid: secid of the subject being checked
 * @field: audit field of the rule; only AUDIT_SUBJ_ROLE can match
 * @op: Audit_equal or Audit_not_equal
 * @vrule: rule created by aa_audit_rule_init() (NOT NULL)
 *
 * The subject matches when its label is a subset of the rule's label.
 *
 * Returns: 1 on match, 0 on no match or for an unsupported field/operator,
 *          -ENOENT if @sid does not resolve to a label
 */
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
{
	struct aa_audit_rule *rule = vrule;
	struct aa_label *label = aa_secid_to_label(sid);
	int found;

	if (!label)
		return -ENOENT;

	found = aa_label_is_subset(label, rule->label) ? 1 : 0;

	if (field != AUDIT_SUBJ_ROLE)
		return 0;

	switch (op) {
	case Audit_equal:
		return found;
	case Audit_not_equal:
		return !found;
	default:
		return 0;
	}
}