ade3ddc01e
The audit permission flag, that specifies an audit message should be provided when an operation is allowed, was being ignored in some cases. This is because the auto audit mode (which determines the audit mode from system flags) was incorrectly assigned the same value as audit mode. The shared value would result in messages that should be audited going through a second evaluation as to whether they should be audited based on the auto audit, resulting in some messages being dropped. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
217 lines
4.6 KiB
C
217 lines
4.6 KiB
C
/*
|
|
* AppArmor security module
|
|
*
|
|
* This file contains AppArmor auditing functions
|
|
*
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
*
|
|
* This program is free software; you can redistribute it and/or
|
|
* modify it under the terms of the GNU General Public License as
|
|
* published by the Free Software Foundation, version 2 of the
|
|
* License.
|
|
*/
|
|
|
|
#include <linux/audit.h>
|
|
#include <linux/socket.h>
|
|
|
|
#include "include/apparmor.h"
|
|
#include "include/audit.h"
|
|
#include "include/policy.h"
|
|
|
|
const char *op_table[] = {
|
|
"null",
|
|
|
|
"sysctl",
|
|
"capable",
|
|
|
|
"unlink",
|
|
"mkdir",
|
|
"rmdir",
|
|
"mknod",
|
|
"truncate",
|
|
"link",
|
|
"symlink",
|
|
"rename_src",
|
|
"rename_dest",
|
|
"chmod",
|
|
"chown",
|
|
"getattr",
|
|
"open",
|
|
|
|
"file_perm",
|
|
"file_lock",
|
|
"file_mmap",
|
|
"file_mprotect",
|
|
|
|
"create",
|
|
"post_create",
|
|
"bind",
|
|
"connect",
|
|
"listen",
|
|
"accept",
|
|
"sendmsg",
|
|
"recvmsg",
|
|
"getsockname",
|
|
"getpeername",
|
|
"getsockopt",
|
|
"setsockopt",
|
|
"socket_shutdown",
|
|
|
|
"ptrace",
|
|
|
|
"exec",
|
|
"change_hat",
|
|
"change_profile",
|
|
"change_onexec",
|
|
|
|
"setprocattr",
|
|
"setrlimit",
|
|
|
|
"profile_replace",
|
|
"profile_load",
|
|
"profile_remove"
|
|
};
|
|
|
|
const char *audit_mode_names[] = {
|
|
"normal",
|
|
"quiet_denied",
|
|
"quiet",
|
|
"noquiet",
|
|
"all"
|
|
};
|
|
|
|
static char *aa_audit_type[] = {
|
|
"AUDIT",
|
|
"ALLOWED",
|
|
"DENIED",
|
|
"HINT",
|
|
"STATUS",
|
|
"ERROR",
|
|
"KILLED"
|
|
"AUTO"
|
|
};
|
|
|
|
/*
|
|
* Currently AppArmor auditing is fed straight into the audit framework.
|
|
*
|
|
* TODO:
|
|
* netlink interface for complain mode
|
|
* user auditing, - send user auditing to netlink interface
|
|
* system control of whether user audit messages go to system log
|
|
*/
|
|
|
|
/**
|
|
* audit_base - core AppArmor function.
|
|
* @ab: audit buffer to fill (NOT NULL)
|
|
* @ca: audit structure containing data to audit (NOT NULL)
|
|
*
|
|
* Record common AppArmor audit data from @sa
|
|
*/
|
|
static void audit_pre(struct audit_buffer *ab, void *ca)
|
|
{
|
|
struct common_audit_data *sa = ca;
|
|
struct task_struct *tsk = sa->tsk ? sa->tsk : current;
|
|
|
|
if (aa_g_audit_header) {
|
|
audit_log_format(ab, "apparmor=");
|
|
audit_log_string(ab, aa_audit_type[sa->aad.type]);
|
|
}
|
|
|
|
if (sa->aad.op) {
|
|
audit_log_format(ab, " operation=");
|
|
audit_log_string(ab, op_table[sa->aad.op]);
|
|
}
|
|
|
|
if (sa->aad.info) {
|
|
audit_log_format(ab, " info=");
|
|
audit_log_string(ab, sa->aad.info);
|
|
if (sa->aad.error)
|
|
audit_log_format(ab, " error=%d", sa->aad.error);
|
|
}
|
|
|
|
if (sa->aad.profile) {
|
|
struct aa_profile *profile = sa->aad.profile;
|
|
pid_t pid;
|
|
rcu_read_lock();
|
|
pid = rcu_dereference(tsk->real_parent)->pid;
|
|
rcu_read_unlock();
|
|
audit_log_format(ab, " parent=%d", pid);
|
|
if (profile->ns != root_ns) {
|
|
audit_log_format(ab, " namespace=");
|
|
audit_log_untrustedstring(ab, profile->ns->base.hname);
|
|
}
|
|
audit_log_format(ab, " profile=");
|
|
audit_log_untrustedstring(ab, profile->base.hname);
|
|
}
|
|
|
|
if (sa->aad.name) {
|
|
audit_log_format(ab, " name=");
|
|
audit_log_untrustedstring(ab, sa->aad.name);
|
|
}
|
|
}
|
|
|
|
/**
|
|
* aa_audit_msg - Log a message to the audit subsystem
|
|
* @sa: audit event structure (NOT NULL)
|
|
* @cb: optional callback fn for type specific fields (MAYBE NULL)
|
|
*/
|
|
void aa_audit_msg(int type, struct common_audit_data *sa,
|
|
void (*cb) (struct audit_buffer *, void *))
|
|
{
|
|
sa->aad.type = type;
|
|
sa->lsm_pre_audit = audit_pre;
|
|
sa->lsm_post_audit = cb;
|
|
common_lsm_audit(sa);
|
|
}
|
|
|
|
/**
|
|
* aa_audit - Log a profile based audit event to the audit subsystem
|
|
* @type: audit type for the message
|
|
* @profile: profile to check against (NOT NULL)
|
|
* @gfp: allocation flags to use
|
|
* @sa: audit event (NOT NULL)
|
|
* @cb: optional callback fn for type specific fields (MAYBE NULL)
|
|
*
|
|
* Handle default message switching based off of audit mode flags
|
|
*
|
|
* Returns: error on failure
|
|
*/
|
|
int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
|
|
struct common_audit_data *sa,
|
|
void (*cb) (struct audit_buffer *, void *))
|
|
{
|
|
BUG_ON(!profile);
|
|
|
|
if (type == AUDIT_APPARMOR_AUTO) {
|
|
if (likely(!sa->aad.error)) {
|
|
if (AUDIT_MODE(profile) != AUDIT_ALL)
|
|
return 0;
|
|
type = AUDIT_APPARMOR_AUDIT;
|
|
} else if (COMPLAIN_MODE(profile))
|
|
type = AUDIT_APPARMOR_ALLOWED;
|
|
else
|
|
type = AUDIT_APPARMOR_DENIED;
|
|
}
|
|
if (AUDIT_MODE(profile) == AUDIT_QUIET ||
|
|
(type == AUDIT_APPARMOR_DENIED &&
|
|
AUDIT_MODE(profile) == AUDIT_QUIET))
|
|
return sa->aad.error;
|
|
|
|
if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
|
|
type = AUDIT_APPARMOR_KILL;
|
|
|
|
if (!unconfined(profile))
|
|
sa->aad.profile = profile;
|
|
|
|
aa_audit_msg(type, sa, cb);
|
|
|
|
if (sa->aad.type == AUDIT_APPARMOR_KILL)
|
|
(void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current);
|
|
|
|
if (sa->aad.type == AUDIT_APPARMOR_ALLOWED)
|
|
return complain_error(sa->aad.error);
|
|
|
|
return sa->aad.error;
|
|
}
|