1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * AppArmor security module 4 * 5 * This file contains AppArmor auditing functions 6 * 7 * Copyright (C) 1998-2008 Novell/SUSE 8 * Copyright 2009-2010 Canonical Ltd. 9 */ 10 11 #include <linux/audit.h> 12 #include <linux/socket.h> 13 14 #include "include/apparmor.h" 15 #include "include/audit.h" 16 #include "include/policy.h" 17 #include "include/policy_ns.h" 18 #include "include/secid.h" 19 20 const char *const audit_mode_names[] = { 21 "normal", 22 "quiet_denied", 23 "quiet", 24 "noquiet", 25 "all" 26 }; 27 28 static const char *const aa_audit_type[] = { 29 "AUDIT", 30 "ALLOWED", 31 "DENIED", 32 "HINT", 33 "STATUS", 34 "ERROR", 35 "KILLED", 36 "AUTO" 37 }; 38 39 static const char *const aa_class_names[] = { 40 "none", 41 "unknown", 42 "file", 43 "cap", 44 "net", 45 "rlimits", 46 "domain", 47 "mount", 48 "unknown", 49 "ptrace", 50 "signal", 51 "xmatch", 52 "unknown", 53 "unknown", 54 "net", 55 "unknown", 56 "label", 57 "posix_mqueue", 58 "io_uring", 59 "module", 60 "lsm", 61 "unknown", 62 "unknown", 63 "unknown", 64 "unknown", 65 "unknown", 66 "unknown", 67 "unknown", 68 "unknown", 69 "unknown", 70 "unknown", 71 "X", 72 "dbus", 73 }; 74 75 76 /* 77 * Currently AppArmor auditing is fed straight into the audit framework. 78 * 79 * TODO: 80 * netlink interface for complain mode 81 * user auditing, - send user auditing to netlink interface 82 * system control of whether user audit messages go to system log 83 */ 84 85 /** 86 * audit_pre() - core AppArmor function. 87 * @ab: audit buffer to fill (NOT NULL) 88 * @va: audit structure containing data to audit (NOT NULL) 89 * 90 * Record common AppArmor audit data from @va 91 */ 92 static void audit_pre(struct audit_buffer *ab, void *va) 93 { 94 struct apparmor_audit_data *ad = aad_of_va(va); 95 96 if (aa_g_audit_header) { 97 audit_log_format(ab, "apparmor=\"%s\"", 98 aa_audit_type[ad->type]); 99 } 100 101 if (ad->op) 102 audit_log_format(ab, " operation=\"%s\"", ad->op); 103 104 if (ad->class) 105 audit_log_format(ab, " class=\"%s\"", 106 ad->class <= AA_CLASS_LAST ? 107 aa_class_names[ad->class] : 108 "unknown"); 109 110 if (ad->info) { 111 audit_log_format(ab, " info=\"%s\"", ad->info); 112 if (ad->error) 113 audit_log_format(ab, " error=%d", ad->error); 114 } 115 116 if (ad->subj_label) { 117 struct aa_label *label = ad->subj_label; 118 119 if (label_isprofile(label)) { 120 struct aa_profile *profile = labels_profile(label); 121 122 if (profile->ns != root_ns) { 123 audit_log_format(ab, " namespace="); 124 audit_log_untrustedstring(ab, 125 profile->ns->base.hname); 126 } 127 audit_log_format(ab, " profile="); 128 audit_log_untrustedstring(ab, profile->base.hname); 129 } else { 130 audit_log_format(ab, " label="); 131 aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS, 132 GFP_ATOMIC); 133 } 134 } 135 136 if (ad->name) { 137 audit_log_format(ab, " name="); 138 audit_log_untrustedstring(ab, ad->name); 139 } 140 } 141 142 /** 143 * aa_audit_msg - Log a message to the audit subsystem 144 * @type: audit type for the message 145 * @ad: audit event structure (NOT NULL) 146 * @cb: optional callback fn for type specific fields (MAYBE NULL) 147 */ 148 void aa_audit_msg(int type, struct apparmor_audit_data *ad, 149 void (*cb) (struct audit_buffer *, void *)) 150 { 151 ad->type = type; 152 common_lsm_audit(&ad->common, audit_pre, cb); 153 } 154 155 /** 156 * aa_audit - Log a profile based audit event to the audit subsystem 157 * @type: audit type for the message 158 * @profile: profile to check against (NOT NULL) 159 * @ad: audit event (NOT NULL) 160 * @cb: optional callback fn for type specific fields (MAYBE NULL) 161 * 162 * Handle default message switching based off of audit mode flags 163 * 164 * Returns: error on failure 165 */ 166 int aa_audit(int type, struct aa_profile *profile, 167 struct apparmor_audit_data *ad, 168 void (*cb) (struct audit_buffer *, void *)) 169 { 170 AA_BUG(!profile); 171 172 if (type == AUDIT_APPARMOR_AUTO) { 173 if (likely(!ad->error)) { 174 if (AUDIT_MODE(profile) != AUDIT_ALL) 175 return 0; 176 type = AUDIT_APPARMOR_AUDIT; 177 } else if (COMPLAIN_MODE(profile)) 178 type = AUDIT_APPARMOR_ALLOWED; 179 else 180 type = AUDIT_APPARMOR_DENIED; 181 } 182 if (AUDIT_MODE(profile) == AUDIT_QUIET || 183 (type == AUDIT_APPARMOR_DENIED && 184 AUDIT_MODE(profile) == AUDIT_QUIET_DENIED)) 185 return ad->error; 186 187 if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED) 188 type = AUDIT_APPARMOR_KILL; 189 190 ad->subj_label = &profile->label; 191 192 aa_audit_msg(type, ad, cb); 193 194 if (ad->type == AUDIT_APPARMOR_KILL) 195 (void)send_sig_info(SIGKILL, NULL, 196 ad->common.type == LSM_AUDIT_DATA_TASK && 197 ad->common.u.tsk ? ad->common.u.tsk : current); 198 199 if (ad->type == AUDIT_APPARMOR_ALLOWED) 200 return complain_error(ad->error); 201 202 return ad->error; 203 } 204 205 struct aa_audit_rule { 206 struct aa_label *label; 207 }; 208 209 void aa_audit_rule_free(void *vrule) 210 { 211 struct aa_audit_rule *rule = vrule; 212 213 if (rule) { 214 if (!IS_ERR(rule->label)) 215 aa_put_label(rule->label); 216 kfree(rule); 217 } 218 } 219 220 int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule, gfp_t gfp) 221 { 222 struct aa_audit_rule *rule; 223 224 switch (field) { 225 case AUDIT_SUBJ_ROLE: 226 if (op != Audit_equal && op != Audit_not_equal) 227 return -EINVAL; 228 break; 229 default: 230 return -EINVAL; 231 } 232 233 rule = kzalloc(sizeof(struct aa_audit_rule), gfp); 234 235 if (!rule) 236 return -ENOMEM; 237 238 /* Currently rules are treated as coming from the root ns */ 239 rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr, 240 gfp, true, false); 241 if (IS_ERR(rule->label)) { 242 int err = PTR_ERR(rule->label); 243 aa_audit_rule_free(rule); 244 return err; 245 } 246 247 *vrule = rule; 248 return 0; 249 } 250 251 int aa_audit_rule_known(struct audit_krule *rule) 252 { 253 int i; 254 255 for (i = 0; i < rule->field_count; i++) { 256 struct audit_field *f = &rule->fields[i]; 257 258 switch (f->type) { 259 case AUDIT_SUBJ_ROLE: 260 return 1; 261 } 262 } 263 264 return 0; 265 } 266 267 int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule) 268 { 269 struct aa_audit_rule *rule = vrule; 270 struct aa_label *label; 271 int found = 0; 272 273 label = aa_secid_to_label(sid); 274 275 if (!label) 276 return -ENOENT; 277 278 if (aa_label_is_subset(label, rule->label)) 279 found = 1; 280 281 switch (field) { 282 case AUDIT_SUBJ_ROLE: 283 switch (op) { 284 case Audit_equal: 285 return found; 286 case Audit_not_equal: 287 return !found; 288 } 289 } 290 return 0; 291 } 292