[mirror_ubuntu-bionic-kernel.git] / security / apparmor / audit.c

/*
 * AppArmor security module
 *
 * This file contains AppArmor auditing functions
 *
 * Copyright (C) 1998-2008 Novell/SUSE
 * Copyright 2009-2010 Canonical Ltd.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2 of the
 * License.
 */

#include <linux/audit.h>
#include <linux/socket.h>

#include "include/apparmor.h"
#include "include/audit.h"
#include "include/policy.h"
#include "include/policy_ns.h"


const char *const audit_mode_names[] = {
	"normal",
	"quiet_denied",
	"quiet",
	"noquiet",
	"all"
};

static const char *const aa_audit_type[] = {
	"AUDIT",
	"ALLOWED",
	"DENIED",
	"HINT",
	"STATUS",
	"ERROR",
	"KILLED",
	"AUTO"
};

/*
 * Currently AppArmor auditing is fed straight into the audit framework.
 *
 * TODO:
 * netlink interface for complain mode
 * user auditing, - send user auditing to netlink interface
 * system control of whether user audit messages go to system log
 */

/**
 * audit_base - core AppArmor function.
 * @ab: audit buffer to fill (NOT NULL)
 * @ca: audit structure containing data to audit (NOT NULL)
 *
 * Record common AppArmor audit data from @sa
 */
static void audit_pre(struct audit_buffer *ab, void *ca)
{
	struct common_audit_data *sa = ca;

	if (aa_g_audit_header) {
		audit_log_format(ab, "apparmor=");
		audit_log_string(ab, aa_audit_type[aad(sa)->type]);
	}

	if (aad(sa)->op) {
		audit_log_format(ab, " operation=");
		audit_log_string(ab, aad(sa)->op);
	}

	if (aad(sa)->info) {
		audit_log_format(ab, " info=");
		audit_log_string(ab, aad(sa)->info);
		if (aad(sa)->error)
			audit_log_format(ab, " error=%d", aad(sa)->error);
	}

	if (aad(sa)->label) {
		struct aa_label *label = aad(sa)->label;

		if (label_isprofile(label)) {
			struct aa_profile *profile = labels_profile(label);

			if (profile->ns != root_ns) {
				audit_log_format(ab, " namespace=");
				audit_log_untrustedstring(ab,
						       profile->ns->base.hname);
			}
			audit_log_format(ab, " profile=");
			audit_log_untrustedstring(ab, profile->base.hname);
		} else {
			audit_log_format(ab, " label=");
			aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
					GFP_ATOMIC);
		}
	}

	if (aad(sa)->name) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, aad(sa)->name);
	}
}

/**
 * aa_audit_msg - Log a message to the audit subsystem
 * @sa: audit event structure (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 */
void aa_audit_msg(int type, struct common_audit_data *sa,
		  void (*cb) (struct audit_buffer *, void *))
{
	aad(sa)->type = type;
	common_lsm_audit(sa, audit_pre, cb);
}

/**
 * aa_audit - Log a profile based audit event to the audit subsystem
 * @type: audit type for the message
 * @profile: profile to check against (NOT NULL)
 * @sa: audit event (NOT NULL)
 * @cb: optional callback fn for type specific fields (MAYBE NULL)
 *
 * Handle default message switching based off of audit mode flags
 *
 * Returns: error on failure
 */
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
	     void (*cb) (struct audit_buffer *, void *))
{
	AA_BUG(!profile);

	if (type == AUDIT_APPARMOR_AUTO) {
		if (likely(!aad(sa)->error)) {
			if (AUDIT_MODE(profile) != AUDIT_ALL)
				return 0;
			type = AUDIT_APPARMOR_AUDIT;
		} else if (COMPLAIN_MODE(profile))
			type = AUDIT_APPARMOR_ALLOWED;
		else
			type = AUDIT_APPARMOR_DENIED;
	}
	if (AUDIT_MODE(profile) == AUDIT_QUIET ||
	    (type == AUDIT_APPARMOR_DENIED &&
	     AUDIT_MODE(profile) == AUDIT_QUIET))
		return aad(sa)->error;

	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
		type = AUDIT_APPARMOR_KILL;

	aad(sa)->label = &profile->label;

	aa_audit_msg(type, sa, cb);

	if (aad(sa)->type == AUDIT_APPARMOR_KILL)
		(void)send_sig_info(SIGKILL, NULL,
			sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
				    sa->u.tsk : current);

	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
		return complain_error(aad(sa)->error);

	return aad(sa)->error;
}
Commit	Line	Data
67012e82 JJ	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor auditing functions
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/audit.h>
	16	#include <linux/socket.h>
	17
	18	#include "include/apparmor.h"
	19	#include "include/audit.h"
	20	#include "include/policy.h"
cff281f6	21	#include "include/policy_ns.h"
67012e82	22
67012e82	23
2d4cee7e	24	const char *const audit_mode_names[] = {
67012e82 JJ	25	"normal",
	26	"quiet_denied",
	27	"quiet",
	28	"noquiet",
	29	"all"
	30	};
	31
2d4cee7e	32	static const char *const aa_audit_type[] = {
67012e82 JJ	33	"AUDIT",
	34	"ALLOWED",
	35	"DENIED",
	36	"HINT",
	37	"STATUS",
	38	"ERROR",
b492d50b	39	"KILLED",
ade3ddc0	40	"AUTO"
67012e82 JJ	41	};
	42
	43	/*
	44	* Currently AppArmor auditing is fed straight into the audit framework.
	45	*
	46	* TODO:
	47	* netlink interface for complain mode
	48	* user auditing, - send user auditing to netlink interface
	49	* system control of whether user audit messages go to system log
	50	*/
	51
	52	/**
	53	* audit_base - core AppArmor function.
	54	* @ab: audit buffer to fill (NOT NULL)
	55	* @ca: audit structure containing data to audit (NOT NULL)
	56	*
	57	* Record common AppArmor audit data from @sa
	58	*/
	59	static void audit_pre(struct audit_buffer ab, void ca)
	60	{
	61	struct common_audit_data *sa = ca;
67012e82 JJ	62
	63	if (aa_g_audit_header) {
	64	audit_log_format(ab, "apparmor=");
ef88a7ac	65	audit_log_string(ab, aa_audit_type[aad(sa)->type]);
67012e82 JJ	66	}
67012e82 JJ	67
ef88a7ac	68	if (aad(sa)->op) {
67012e82	69	audit_log_format(ab, " operation=");
ef88a7ac	70	audit_log_string(ab, aad(sa)->op);
67012e82 JJ	71	}
67012e82 JJ	72
ef88a7ac	73	if (aad(sa)->info) {
67012e82	74	audit_log_format(ab, " info=");
ef88a7ac JJ	75	audit_log_string(ab, aad(sa)->info);
	76	if (aad(sa)->error)
	77	audit_log_format(ab, " error=%d", aad(sa)->error);
67012e82 JJ	78	}
67012e82 JJ	79
637f688d JJ	80	if (aad(sa)->label) {
	81	struct aa_label *label = aad(sa)->label;
	82
	83	if (label_isprofile(label)) {
	84	struct aa_profile *profile = labels_profile(label);
	85
	86	if (profile->ns != root_ns) {
	87	audit_log_format(ab, " namespace=");
	88	audit_log_untrustedstring(ab,
	89	profile->ns->base.hname);
	90	}
	91	audit_log_format(ab, " profile=");
	92	audit_log_untrustedstring(ab, profile->base.hname);
	93	} else {
	94	audit_log_format(ab, " label=");
	95	aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
	96	GFP_ATOMIC);
67012e82	97	}
67012e82 JJ	98	}
67012e82 JJ	99
ef88a7ac	100	if (aad(sa)->name) {
67012e82	101	audit_log_format(ab, " name=");
ef88a7ac	102	audit_log_untrustedstring(ab, aad(sa)->name);
67012e82 JJ	103	}
	104	}
	105
	106	/**
	107	* aa_audit_msg - Log a message to the audit subsystem
	108	* @sa: audit event structure (NOT NULL)
	109	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	110	*/
	111	void aa_audit_msg(int type, struct common_audit_data *sa,
	112	void (cb) (struct audit_buffer , void *))
	113	{
ef88a7ac	114	aad(sa)->type = type;
b61c37f5	115	common_lsm_audit(sa, audit_pre, cb);
67012e82 JJ	116	}
	117
	118	/**
	119	* aa_audit - Log a profile based audit event to the audit subsystem
	120	* @type: audit type for the message
	121	* @profile: profile to check against (NOT NULL)
67012e82 JJ	122	* @sa: audit event (NOT NULL)
	123	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	124	*
	125	* Handle default message switching based off of audit mode flags
	126	*
	127	* Returns: error on failure
	128	*/
ef88a7ac	129	int aa_audit(int type, struct aa_profile profile, struct common_audit_data sa,
67012e82 JJ	130	void (cb) (struct audit_buffer , void *))
67012e82 JJ	131	{
e6bfa25d	132	AA_BUG(!profile);
67012e82 JJ	133
67012e82 JJ	134	if (type == AUDIT_APPARMOR_AUTO) {
ef88a7ac	135	if (likely(!aad(sa)->error)) {
67012e82 JJ	136	if (AUDIT_MODE(profile) != AUDIT_ALL)
	137	return 0;
	138	type = AUDIT_APPARMOR_AUDIT;
	139	} else if (COMPLAIN_MODE(profile))
	140	type = AUDIT_APPARMOR_ALLOWED;
	141	else
	142	type = AUDIT_APPARMOR_DENIED;
	143	}
	144	if (AUDIT_MODE(profile) == AUDIT_QUIET \|\|
	145	(type == AUDIT_APPARMOR_DENIED &&
	146	AUDIT_MODE(profile) == AUDIT_QUIET))
ef88a7ac	147	return aad(sa)->error;
67012e82 JJ	148
	149	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
	150	type = AUDIT_APPARMOR_KILL;
	151
637f688d	152	aad(sa)->label = &profile->label;
67012e82 JJ	153
	154	aa_audit_msg(type, sa, cb);
	155
ef88a7ac	156	if (aad(sa)->type == AUDIT_APPARMOR_KILL)
0972c74e	157	(void)send_sig_info(SIGKILL, NULL,
b6b1b81b JJ	158	sa->type == LSM_AUDIT_DATA_TASK && sa->u.tsk ?
b6b1b81b JJ	159	sa->u.tsk : current);
67012e82	160
ef88a7ac JJ	161	if (aad(sa)->type == AUDIT_APPARMOR_ALLOWED)
ef88a7ac JJ	162	return complain_error(aad(sa)->error);
67012e82	163
ef88a7ac	164	return aad(sa)->error;
67012e82	165	}