1// SPDX-License-Identifier: GPL-2.0-only
2/*
3 * AppArmor security module
4 *
5 * This file contains AppArmor auditing functions
6 *
7 * Copyright (C) 1998-2008 Novell/SUSE
8 * Copyright 2009-2010 Canonical Ltd.
9 */
10
11#include <linux/audit.h>
12#include <linux/socket.h>
13
14#include "include/apparmor.h"
15#include "include/audit.h"
16#include "include/policy.h"
17#include "include/policy_ns.h"
18#include "include/secid.h"
19
20const char *const audit_mode_names[] = {
21	"normal",
22	"quiet_denied",
23	"quiet",
24	"noquiet",
25	"all"
26};
27
28static const char *const aa_audit_type[] = {
29	"AUDIT",
30	"ALLOWED",
31	"DENIED",
32	"HINT",
33	"STATUS",
34	"ERROR",
35	"KILLED",
36	"AUTO"
37};
38
39static const char *const aa_class_names[] = {
40	"none",
41	"unknown",
42	"file",
43	"cap",
44	"net",
45	"rlimits",
46	"domain",
47	"mount",
48	"unknown",
49	"ptrace",
50	"signal",
51	"xmatch",
52	"unknown",
53	"unknown",
54	"net",
55	"unknown",
56	"label",
57	"posix_mqueue",
58	"io_uring",
59	"module",
60	"lsm",
61	"namespace",
62	"io_uring",
63	"unknown",
64	"unknown",
65	"unknown",
66	"unknown",
67	"unknown",
68	"unknown",
69	"unknown",
70	"unknown",
71	"X",
72	"dbus",
73};
74
75
76/*
77 * Currently AppArmor auditing is fed straight into the audit framework.
78 *
79 * TODO:
80 * netlink interface for complain mode
81 * user auditing, - send user auditing to netlink interface
82 * system control of whether user audit messages go to system log
83 */
84
85/**
86 * audit_pre() - core AppArmor function.
87 * @ab: audit buffer to fill (NOT NULL)
88 * @va: audit structure containing data to audit (NOT NULL)
89 *
90 * Record common AppArmor audit data from @va
91 */
92static void audit_pre(struct audit_buffer *ab, void *va)
93{
94	struct apparmor_audit_data *ad = aad_of_va(va);
95
96	if (aa_g_audit_header) {
97		audit_log_format(ab, "apparmor=\"%s\"",
98				 aa_audit_type[ad->type]);
99	}
100
101	if (ad->op)
102		audit_log_format(ab, " operation=\"%s\"", ad->op);
103
104	if (ad->class)
105		audit_log_format(ab, " class=\"%s\"",
106				 ad->class <= AA_CLASS_LAST ?
107				 aa_class_names[ad->class] :
108				 "unknown");
109
110	if (ad->info) {
111		audit_log_format(ab, " info=\"%s\"", ad->info);
112		if (ad->error)
113			audit_log_format(ab, " error=%d", ad->error);
114	}
115
116	if (ad->subj_label) {
117		struct aa_label *label = ad->subj_label;
118
119		if (label_isprofile(label)) {
120			struct aa_profile *profile = labels_profile(label);
121
122			if (profile->ns != root_ns) {
123				audit_log_format(ab, " namespace=");
124				audit_log_untrustedstring(ab,
125						       profile->ns->base.hname);
126			}
127			audit_log_format(ab, " profile=");
128			audit_log_untrustedstring(ab, profile->base.hname);
129		} else {
130			audit_log_format(ab, " label=");
131			aa_label_xaudit(ab, root_ns, label, FLAG_VIEW_SUBNS,
132					GFP_ATOMIC);
133		}
134	}
135
136	if (ad->name) {
137		audit_log_format(ab, " name=");
138		audit_log_untrustedstring(ab, ad->name);
139	}
140}
141
142/**
143 * aa_audit_msg - Log a message to the audit subsystem
144 * @type: audit type for the message
145 * @ad: audit event structure (NOT NULL)
146 * @cb: optional callback fn for type specific fields (MAYBE NULL)
147 */
148void aa_audit_msg(int type, struct apparmor_audit_data *ad,
149		  void (*cb) (struct audit_buffer *, void *))
150{
151	ad->type = type;
152	common_lsm_audit(&ad->common, audit_pre, cb);
153}
154
155/**
156 * aa_audit - Log a profile based audit event to the audit subsystem
157 * @type: audit type for the message
158 * @profile: profile to check against (NOT NULL)
159 * @ad: audit event (NOT NULL)
160 * @cb: optional callback fn for type specific fields (MAYBE NULL)
161 *
162 * Handle default message switching based off of audit mode flags
163 *
164 * Returns: error on failure
165 */
166int aa_audit(int type, struct aa_profile *profile,
167	     struct apparmor_audit_data *ad,
168	     void (*cb) (struct audit_buffer *, void *))
169{
170	AA_BUG(!profile);
171
172	if (type == AUDIT_APPARMOR_AUTO) {
173		if (likely(!ad->error)) {
174			if (AUDIT_MODE(profile) != AUDIT_ALL)
175				return 0;
176			type = AUDIT_APPARMOR_AUDIT;
177		} else if (COMPLAIN_MODE(profile))
178			type = AUDIT_APPARMOR_ALLOWED;
179		else
180			type = AUDIT_APPARMOR_DENIED;
181	}
182	if (AUDIT_MODE(profile) == AUDIT_QUIET ||
183	    (type == AUDIT_APPARMOR_DENIED &&
184	     AUDIT_MODE(profile) == AUDIT_QUIET_DENIED))
185		return ad->error;
186
187	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
188		type = AUDIT_APPARMOR_KILL;
189
190	ad->subj_label = &profile->label;
191
192	aa_audit_msg(type, ad, cb);
193
194	if (ad->type == AUDIT_APPARMOR_KILL)
195		(void)send_sig_info(SIGKILL, NULL,
196			ad->common.type == LSM_AUDIT_DATA_TASK &&
197			ad->common.u.tsk ? ad->common.u.tsk : current);
198
199	if (ad->type == AUDIT_APPARMOR_ALLOWED)
200		return complain_error(ad->error);
201
202	return ad->error;
203}
204
205struct aa_audit_rule {
206	struct aa_label *label;
207};
208
209void aa_audit_rule_free(void *vrule)
210{
211	struct aa_audit_rule *rule = vrule;
212
213	if (rule) {
214		if (!IS_ERR(rule->label))
215			aa_put_label(rule->label);
216		kfree(rule);
217	}
218}
219
220int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
221{
222	struct aa_audit_rule *rule;
223
224	switch (field) {
225	case AUDIT_SUBJ_ROLE:
226		if (op != Audit_equal && op != Audit_not_equal)
227			return -EINVAL;
228		break;
229	default:
230		return -EINVAL;
231	}
232
233	rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
234
235	if (!rule)
236		return -ENOMEM;
237
238	/* Currently rules are treated as coming from the root ns */
239	rule->label = aa_label_parse(&root_ns->unconfined->label, rulestr,
240				     GFP_KERNEL, true, false);
241	if (IS_ERR(rule->label)) {
242		int err = PTR_ERR(rule->label);
243		aa_audit_rule_free(rule);
244		return err;
245	}
246
247	*vrule = rule;
248	return 0;
249}
250
251int aa_audit_rule_known(struct audit_krule *rule)
252{
253	int i;
254
255	for (i = 0; i < rule->field_count; i++) {
256		struct audit_field *f = &rule->fields[i];
257
258		switch (f->type) {
259		case AUDIT_SUBJ_ROLE:
260			return 1;
261		}
262	}
263
264	return 0;
265}
266
267int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule)
268{
269	struct aa_audit_rule *rule = vrule;
270	struct aa_label *label;
271	int found = 0;
272
273	label = aa_secid_to_label(sid);
274
275	if (!label)
276		return -ENOENT;
277
278	if (aa_label_is_subset(label, rule->label))
279		found = 1;
280
281	switch (field) {
282	case AUDIT_SUBJ_ROLE:
283		switch (op) {
284		case Audit_equal:
285			return found;
286		case Audit_not_equal:
287			return !found;
288		}
289	}
290	return 0;
291}
292