Git Browser for ODROID
Code Review Sign In
git.odroid.com / yocto / kernel / common / cff281f6861e72f1416927aaa0c10a08bb7b2d3f / . / security / apparmor / audit.c
blob: 42101c42f4468f4e3c4c95e534fa1ca410366805 [file] [log] [blame]
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]1/*
2 * AppArmor security module
3 *
4 * This file contains AppArmor auditing functions
5 *
6 * Copyright (C) 1998-2008 Novell/SUSE
7 * Copyright 2009-2010 Canonical Ltd.
8 *
9 * This program is free software; you can redistribute it and/or
10 * modify it under the terms of the GNU General Public License as
11 * published by the Free Software Foundation, version 2 of the
12 * License.
13 */
14
15#include <linux/audit.h>
16#include <linux/socket.h>
17
18#include "include/apparmor.h"
19#include "include/audit.h"
20#include "include/policy.h"
John Johansencff281f2017-01-16 00:42:15 -0800[diff] [blame^]21#include "include/policy_ns.h"
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]22
Jan Engelhardt2d4cee72012-03-14 13:30:36 +0100[diff] [blame]23const char *const op_table[] = {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]24 "null",
25
26 "sysctl",
27 "capable",
28
29 "unlink",
30 "mkdir",
31 "rmdir",
32 "mknod",
33 "truncate",
34 "link",
35 "symlink",
36 "rename_src",
37 "rename_dest",
38 "chmod",
39 "chown",
40 "getattr",
41 "open",
42
43 "file_perm",
44 "file_lock",
45 "file_mmap",
46 "file_mprotect",
47
48 "create",
49 "post_create",
50 "bind",
51 "connect",
52 "listen",
53 "accept",
54 "sendmsg",
55 "recvmsg",
56 "getsockname",
57 "getpeername",
58 "getsockopt",
59 "setsockopt",
60 "socket_shutdown",
61
62 "ptrace",
63
64 "exec",
65 "change_hat",
66 "change_profile",
67 "change_onexec",
68
69 "setprocattr",
70 "setrlimit",
71
72 "profile_replace",
73 "profile_load",
74 "profile_remove"
75};
76
Jan Engelhardt2d4cee72012-03-14 13:30:36 +0100[diff] [blame]77const char *const audit_mode_names[] = {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]78 "normal",
79 "quiet_denied",
80 "quiet",
81 "noquiet",
82 "all"
83};
84
Jan Engelhardt2d4cee72012-03-14 13:30:36 +0100[diff] [blame]85static const char *const aa_audit_type[] = {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]86 "AUDIT",
87 "ALLOWED",
88 "DENIED",
89 "HINT",
90 "STATUS",
91 "ERROR",
John Johansenb492d502013-02-18 16:13:34 -0800[diff] [blame]92 "KILLED",
John Johansenade3ddc2012-02-22 00:20:26 -0800[diff] [blame]93 "AUTO"
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]94};
95
96/*
97 * Currently AppArmor auditing is fed straight into the audit framework.
98 *
99 * TODO:
100 * netlink interface for complain mode
101 * user auditing, - send user auditing to netlink interface
102 * system control of whether user audit messages go to system log
103 */
104
105/**
106 * audit_base - core AppArmor function.
107 * @ab: audit buffer to fill (NOT NULL)
108 * @ca: audit structure containing data to audit (NOT NULL)
109 *
110 * Record common AppArmor audit data from @sa
111 */
112static void audit_pre(struct audit_buffer *ab, void *ca)
113{
114 struct common_audit_data *sa = ca;
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]115
116 if (aa_g_audit_header) {
117 audit_log_format(ab, "apparmor=");
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]118 audit_log_string(ab, aa_audit_type[sa->aad->type]);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]119 }
120
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]121 if (sa->aad->op) {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]122 audit_log_format(ab, " operation=");
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]123 audit_log_string(ab, op_table[sa->aad->op]);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]124 }
125
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]126 if (sa->aad->info) {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]127 audit_log_format(ab, " info=");
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]128 audit_log_string(ab, sa->aad->info);
129 if (sa->aad->error)
130 audit_log_format(ab, " error=%d", sa->aad->error);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]131 }
132
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]133 if (sa->aad->profile) {
134 struct aa_profile *profile = sa->aad->profile;
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]135 if (profile->ns != root_ns) {
136 audit_log_format(ab, " namespace=");
137 audit_log_untrustedstring(ab, profile->ns->base.hname);
138 }
139 audit_log_format(ab, " profile=");
140 audit_log_untrustedstring(ab, profile->base.hname);
141 }
142
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]143 if (sa->aad->name) {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]144 audit_log_format(ab, " name=");
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]145 audit_log_untrustedstring(ab, sa->aad->name);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]146 }
147}
148
149/**
150 * aa_audit_msg - Log a message to the audit subsystem
151 * @sa: audit event structure (NOT NULL)
152 * @cb: optional callback fn for type specific fields (MAYBE NULL)
153 */
154void aa_audit_msg(int type, struct common_audit_data *sa,
155 void (*cb) (struct audit_buffer *, void *))
156{
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]157 sa->aad->type = type;
Linus Torvaldsb61c37f2012-04-02 15:48:12 -0700[diff] [blame]158 common_lsm_audit(sa, audit_pre, cb);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]159}
160
161/**
162 * aa_audit - Log a profile based audit event to the audit subsystem
163 * @type: audit type for the message
164 * @profile: profile to check against (NOT NULL)
165 * @gfp: allocation flags to use
166 * @sa: audit event (NOT NULL)
167 * @cb: optional callback fn for type specific fields (MAYBE NULL)
168 *
169 * Handle default message switching based off of audit mode flags
170 *
171 * Returns: error on failure
172 */
173int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
174 struct common_audit_data *sa,
175 void (*cb) (struct audit_buffer *, void *))
176{
177 BUG_ON(!profile);
178
179 if (type == AUDIT_APPARMOR_AUTO) {
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]180 if (likely(!sa->aad->error)) {
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]181 if (AUDIT_MODE(profile) != AUDIT_ALL)
182 return 0;
183 type = AUDIT_APPARMOR_AUDIT;
184 } else if (COMPLAIN_MODE(profile))
185 type = AUDIT_APPARMOR_ALLOWED;
186 else
187 type = AUDIT_APPARMOR_DENIED;
188 }
189 if (AUDIT_MODE(profile) == AUDIT_QUIET ||
190 (type == AUDIT_APPARMOR_DENIED &&
191 AUDIT_MODE(profile) == AUDIT_QUIET))
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]192 return sa->aad->error;
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]193
194 if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
195 type = AUDIT_APPARMOR_KILL;
196
197 if (!unconfined(profile))
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]198 sa->aad->profile = profile;
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]199
200 aa_audit_msg(type, sa, cb);
201
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]202 if (sa->aad->type == AUDIT_APPARMOR_KILL)
Eric Paris0972c742012-04-04 15:01:42 -0400[diff] [blame]203 (void)send_sig_info(SIGKILL, NULL,
John Johansenb6b1b812014-06-08 11:20:54 -0700[diff] [blame]204 sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
205 sa->u.tsk : current);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]206
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]207 if (sa->aad->type == AUDIT_APPARMOR_ALLOWED)
208 return complain_error(sa->aad->error);
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]209
Eric Paris3b3b0e42012-04-03 09:37:02 -0700[diff] [blame]210 return sa->aad->error;
John Johansen67012e82010-07-29 14:47:58 -0700[diff] [blame]211}