
  1. /*
  2. * AppArmor security module
  3. *
  4. * This file contains AppArmor auditing functions
  5. *
  6. * Copyright (C) 1998-2008 Novell/SUSE
  7. * Copyright 2009-2010 Canonical Ltd.
  8. *
  9. * This program is free software; you can redistribute it and/or
  10. * modify it under the terms of the GNU General Public License as
  11. * published by the Free Software Foundation, version 2 of the
  12. * License.
  13. */
  14. #include <linux/audit.h>
  15. #include <linux/socket.h>
  16. #include "include/apparmor.h"
  17. #include "include/audit.h"
  18. #include "include/policy.h"
/*
 * Human-readable names of audited operations, indexed by the op number
 * stored in the audit data (sa->aad->op, see audit_pre()).  Entry 0,
 * "null", doubles as "no operation recorded": audit_pre() omits the
 * operation= field when op is 0.  The position of every entry is the
 * contract of this table, so it must stay in step with the operation
 * enum this file pulls in from its headers (presumably include/apparmor.h
 * or include/audit.h — confirm before inserting or reordering entries).
 * audit_pre() does not range-check the index, so a new enum value without
 * a matching entry here would read past the end of the array.
 */
const char *const op_table[] = {
	"null",
	"sysctl",
	"capable",
	"unlink",
	"mkdir",
	"rmdir",
	"mknod",
	"truncate",
	"link",
	"symlink",
	"rename_src",
	"rename_dest",
	"chmod",
	"chown",
	"getattr",
	"open",
	"file_perm",
	"file_lock",
	"file_mmap",
	"file_mprotect",
	"create",
	"post_create",
	"bind",
	"connect",
	"listen",
	"accept",
	"sendmsg",
	"recvmsg",
	"getsockname",
	"getpeername",
	"getsockopt",
	"setsockopt",
	"socket_shutdown",
	"ptrace",
	"exec",
	"change_hat",
	"change_profile",
	"change_onexec",
	"setprocattr",
	"setrlimit",
	"profile_replace",
	"profile_load",
	"profile_remove"
};
/*
 * Names of the per-profile audit modes, in enum order.  aa_audit() tests
 * AUDIT_MODE(profile) against AUDIT_QUIET and AUDIT_ALL; the "quiet_denied"
 * entry at index 1 is the mode that silences only denials.  Nothing in this
 * file indexes the table; presumably it is used where the profile audit
 * mode is parsed or displayed — confirm against the users of this symbol.
 * Order must match the audit mode enum (presumably include/audit.h).
 */
const char *const audit_mode_names[] = {
	"normal",
	"quiet_denied",
	"quiet",
	"noquiet",
	"all"
};
/*
 * Text emitted as the value of the "apparmor=" field, indexed by the
 * message type stored in sa->aad->type (see audit_pre()).  The index space
 * is the AUDIT_APPARMOR_* set used by aa_audit() (AUDIT, ALLOWED, DENIED,
 * KILL, AUTO); the order here presumably mirrors that enum, with
 * AUDIT_APPARMOR_AUDIT at 0 — confirm before changing either side.
 * audit_pre() does not range-check the index.
 */
static const char *const aa_audit_type[] = {
	"AUDIT",
	"ALLOWED",
	"DENIED",
	"HINT",
	"STATUS",
	"ERROR",
	"KILLED",
	"AUTO"
};
  81. /*
  82. * Currently AppArmor auditing is fed straight into the audit framework.
  83. *
  84. * TODO:
  85. * netlink interface for complain mode
  86. * user auditing, - send user auditing to netlink interface
  87. * system control of whether user audit messages go to system log
  88. */
/*
 * Write @prefix (a literal such as " operation=") followed by a
 * kernel-controlled string.  audit_log_string() does not escape its
 * argument, so @value must only ever be a table entry or other text the
 * kernel itself chose.
 */
static void audit_log_trusted_field(struct audit_buffer *ab,
				    const char *prefix, const char *value)
{
	audit_log_format(ab, "%s", prefix);
	audit_log_string(ab, value);
}

/*
 * Write @prefix followed by a string whose bytes may have been chosen
 * outside the kernel (profile, namespace and object names).
 * audit_log_untrustedstring() escapes such values so a crafted name cannot
 * inject additional fields into the audit record.
 */
static void audit_log_untrusted_field(struct audit_buffer *ab,
				      const char *prefix, const char *value)
{
	audit_log_format(ab, "%s", prefix);
	audit_log_untrustedstring(ab, value);
}

/**
 * audit_pre - record the fields common to every AppArmor audit message
 * @ab: audit buffer to fill (NOT NULL)
 * @ca: struct common_audit_data describing the event (NOT NULL)
 *
 * Installed by aa_audit_msg() as the prefix callback of common_lsm_audit();
 * type specific fields are appended afterwards by the caller's own callback.
 * Fields are written in the order: apparmor=, operation=, info= (with
 * error= when non-zero), namespace=, profile=, name=.
 */
static void audit_pre(struct audit_buffer *ab, void *ca)
{
	struct common_audit_data *sa = ca;
	struct aa_profile *profile = sa->aad->profile;

	/* the "apparmor=<type>" header is controlled by aa_g_audit_header */
	if (aa_g_audit_header)
		audit_log_trusted_field(ab, "apparmor=",
					aa_audit_type[sa->aad->type]);

	/* op 0 is the "null" entry: no operation recorded */
	if (sa->aad->op)
		audit_log_trusted_field(ab, " operation=",
					op_table[sa->aad->op]);

	if (sa->aad->info) {
		audit_log_trusted_field(ab, " info=", sa->aad->info);
		if (sa->aad->error)
			audit_log_format(ab, " error=%d", sa->aad->error);
	}

	if (profile) {
		/* the namespace is only reported when it is not root_ns */
		if (profile->ns != root_ns)
			audit_log_untrusted_field(ab, " namespace=",
						  profile->ns->base.hname);
		audit_log_untrusted_field(ab, " profile=",
					  profile->base.hname);
	}

	if (sa->aad->name)
		audit_log_untrusted_field(ab, " name=", sa->aad->name);
}
/**
 * aa_audit_msg - Log a message to the audit subsystem
 * @type: AUDIT_APPARMOR_* message type; stored in @sa and printed by audit_pre()
 * @sa: audit event structure (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Records @type in the event data and hands the event to the common LSM
 * audit code, with audit_pre() supplying the AppArmor-specific prefix.
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *))
{
	void (*pre)(struct audit_buffer *, void *) = audit_pre;

	/* audit_pre() reads the type back out of sa->aad */
	sa->aad->type = type;
	common_lsm_audit(sa, pre, cb);
}
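/**
 * aa_audit - Log a profile based audit event to the audit subsystem
 * @type: audit type for the message (AUDIT_APPARMOR_AUTO picks one below)
 * @profile: profile to check against (NOT NULL)
 * @gfp: allocation flags to use (not referenced by this function itself)
 * @sa: audit event (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Handle default message switching based off of audit mode flags: an AUTO
 * event becomes AUDIT, ALLOWED or DENIED depending on the result and the
 * profile's complain mode; "quiet" silences every message and
 * "quiet_denied" silences denials; kill mode turns a denial into KILL and
 * delivers SIGKILL after the record is logged.
 *
 * Returns: 0 when a successful AUTO event is not logged; otherwise
 * sa->aad->error, passed through complain_error() for ALLOWED events.
 */
int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
	     struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *))
{
	BUG_ON(!profile);

	/* AUTO: derive the concrete type from the result and profile mode */
	if (type == AUDIT_APPARMOR_AUTO) {
		if (likely(!sa->aad->error)) {
			/* successful operations are logged only in "all" mode */
			if (AUDIT_MODE(profile) != AUDIT_ALL)
				return 0;
			type = AUDIT_APPARMOR_AUDIT;
		} else if (COMPLAIN_MODE(profile))
			type = AUDIT_APPARMOR_ALLOWED;
		else
			type = AUDIT_APPARMOR_DENIED;
	}

	/*
	 * "quiet" suppresses everything; "quiet_denied" suppresses only
	 * denials.  The second test used to compare against AUDIT_QUIET a
	 * second time, which made it redundant and left quiet_denied (the
	 * mode named at index 1 of audit_mode_names[]) with no effect.
	 */
	if (AUDIT_MODE(profile) == AUDIT_QUIET ||
	    (type == AUDIT_APPARMOR_DENIED &&
	     AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
		return sa->aad->error;

	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
		type = AUDIT_APPARMOR_KILL;

	/* only a confined profile is named in the record */
	if (!unconfined(profile))
		sa->aad->profile = profile;

	aa_audit_msg(type, sa, cb);

	/*
	 * aa_audit_msg() stored the final type in sa->aad->type.  The kill is
	 * delivered after logging, to the task named by the event when there
	 * is one and to the current task otherwise.
	 */
	if (sa->aad->type == AUDIT_APPARMOR_KILL)
		(void)send_sig_info(SIGKILL, NULL,
				    sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
				    sa->u.tsk : current);

	if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
		return complain_error(sa->aad->error);

	return sa->aad->error;
}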