Blame view
security/lsm_audit.c
10.9 KB
d2912cb15 treewide: Replace... |
1 |
// SPDX-License-Identifier: GPL-2.0-only |
6e837fb15 smack: implement ... |
2 3 4 5 |
/* * common LSM auditing functions * * Based on code written for SELinux by : |
5d7280153 lsm_audit: update... |
6 |
* Stephen Smalley, <sds@tycho.nsa.gov> |
6e837fb15 smack: implement ... |
7 8 |
* James Morris <jmorris@redhat.com> * Author : Etienne Basset, <etienne.basset@ensta.org> |
6e837fb15 smack: implement ... |
9 10 11 12 13 |
*/ #include <linux/types.h> #include <linux/stddef.h> #include <linux/kernel.h> |
5a0e3ad6a include cleanup: ... |
14 |
#include <linux/gfp.h> |
6e837fb15 smack: implement ... |
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 |
#include <linux/fs.h> #include <linux/init.h> #include <net/sock.h> #include <linux/un.h> #include <net/af_unix.h> #include <linux/audit.h> #include <linux/ipv6.h> #include <linux/ip.h> #include <net/ip.h> #include <net/ipv6.h> #include <linux/tcp.h> #include <linux/udp.h> #include <linux/dccp.h> #include <linux/sctp.h> #include <linux/lsm_audit.h> |
59438b464 security,lockdown... |
30 |
#include <linux/security.h> |
6e837fb15 smack: implement ... |
31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 |
/** * ipv4_skb_to_auditdata : fill auditdata from skb * @skb : the skb * @ad : the audit data to fill * @proto : the layer 4 protocol * * return 0 on success */ int ipv4_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto) { int ret = 0; struct iphdr *ih; ih = ip_hdr(skb); if (ih == NULL) return -EINVAL; |
48c62af68 LSM: shrink the c... |
49 50 |
ad->u.net->v4info.saddr = ih->saddr; ad->u.net->v4info.daddr = ih->daddr; |
6e837fb15 smack: implement ... |
51 52 53 54 55 56 57 58 59 60 61 62 |
if (proto) *proto = ih->protocol; /* non initial fragment */ if (ntohs(ih->frag_off) & IP_OFFSET) return 0; switch (ih->protocol) { case IPPROTO_TCP: { struct tcphdr *th = tcp_hdr(skb); if (th == NULL) break; |
48c62af68 LSM: shrink the c... |
63 64 |
ad->u.net->sport = th->source; ad->u.net->dport = th->dest; |
6e837fb15 smack: implement ... |
65 66 67 68 69 70 |
break; } case IPPROTO_UDP: { struct udphdr *uh = udp_hdr(skb); if (uh == NULL) break; |
48c62af68 LSM: shrink the c... |
71 72 |
ad->u.net->sport = uh->source; ad->u.net->dport = uh->dest; |
6e837fb15 smack: implement ... |
73 74 75 76 77 78 |
break; } case IPPROTO_DCCP: { struct dccp_hdr *dh = dccp_hdr(skb); if (dh == NULL) break; |
48c62af68 LSM: shrink the c... |
79 80 |
ad->u.net->sport = dh->dccph_sport; ad->u.net->dport = dh->dccph_dport; |
6e837fb15 smack: implement ... |
81 82 83 84 85 86 |
break; } case IPPROTO_SCTP: { struct sctphdr *sh = sctp_hdr(skb); if (sh == NULL) break; |
48c62af68 LSM: shrink the c... |
87 88 |
ad->u.net->sport = sh->source; ad->u.net->dport = sh->dest; |
6e837fb15 smack: implement ... |
89 90 91 92 93 94 95 |
break; } default: ret = -EINVAL; } return ret; } |
1a93a6eac security: Use IS_... |
96 |
#if IS_ENABLED(CONFIG_IPV6) |
6e837fb15 smack: implement ... |
97 98 99 100 101 102 103 104 105 106 107 108 109 110 |
/** * ipv6_skb_to_auditdata : fill auditdata from skb * @skb : the skb * @ad : the audit data to fill * @proto : the layer 4 protocol * * return 0 on success */ int ipv6_skb_to_auditdata(struct sk_buff *skb, struct common_audit_data *ad, u8 *proto) { int offset, ret = 0; struct ipv6hdr *ip6; u8 nexthdr; |
75f2811c6 ipv6: Add fragmen... |
111 |
__be16 frag_off; |
6e837fb15 smack: implement ... |
112 113 114 115 |
ip6 = ipv6_hdr(skb); if (ip6 == NULL) return -EINVAL; |
48c62af68 LSM: shrink the c... |
116 117 |
ad->u.net->v6info.saddr = ip6->saddr; ad->u.net->v6info.daddr = ip6->daddr; |
6e837fb15 smack: implement ... |
118 119 120 121 122 123 |
ret = 0; /* IPv6 can have several extension header before the Transport header * skip them */ offset = skb_network_offset(skb); offset += sizeof(*ip6); nexthdr = ip6->nexthdr; |
75f2811c6 ipv6: Add fragmen... |
124 |
offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); |
6e837fb15 smack: implement ... |
125 126 127 128 129 130 131 132 133 134 135 |
if (offset < 0) return 0; if (proto) *proto = nexthdr; switch (nexthdr) { case IPPROTO_TCP: { struct tcphdr _tcph, *th; th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph); if (th == NULL) break; |
48c62af68 LSM: shrink the c... |
136 137 |
ad->u.net->sport = th->source; ad->u.net->dport = th->dest; |
6e837fb15 smack: implement ... |
138 139 140 141 142 143 144 145 |
break; } case IPPROTO_UDP: { struct udphdr _udph, *uh; uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph); if (uh == NULL) break; |
48c62af68 LSM: shrink the c... |
146 147 |
ad->u.net->sport = uh->source; ad->u.net->dport = uh->dest; |
6e837fb15 smack: implement ... |
148 149 150 151 152 153 154 155 |
break; } case IPPROTO_DCCP: { struct dccp_hdr _dccph, *dh; dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph); if (dh == NULL) break; |
48c62af68 LSM: shrink the c... |
156 157 |
ad->u.net->sport = dh->dccph_sport; ad->u.net->dport = dh->dccph_dport; |
6e837fb15 smack: implement ... |
158 159 160 161 162 163 164 165 |
break; } case IPPROTO_SCTP: { struct sctphdr _sctph, *sh; sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph); if (sh == NULL) break; |
48c62af68 LSM: shrink the c... |
166 167 |
ad->u.net->sport = sh->source; ad->u.net->dport = sh->dest; |
6e837fb15 smack: implement ... |
168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 |
break; } default: ret = -EINVAL; } return ret; } #endif static inline void print_ipv6_addr(struct audit_buffer *ab, struct in6_addr *addr, __be16 port, char *name1, char *name2) { if (!ipv6_addr_any(addr)) |
d81165919 lsm: Use a compre... |
183 |
audit_log_format(ab, " %s=%pI6c", name1, addr); |
6e837fb15 smack: implement ... |
184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 |
if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr, __be16 port, char *name1, char *name2) { if (addr) audit_log_format(ab, " %s=%pI4", name1, &addr); if (port) audit_log_format(ab, " %s=%d", name2, ntohs(port)); } /** * dump_common_audit_data - helper to dump common audit data * @a : common audit data * */ static void dump_common_audit_data(struct audit_buffer *ab, struct common_audit_data *a) { |
5deeb5cec lsm: copy comm be... |
205 |
char comm[sizeof(current->comm)]; |
6e837fb15 smack: implement ... |
206 |
|
07f62eb66 LSM: BUILD_BUG_ON... |
207 208 209 210 211 212 |
/* * To keep stack sizes in check force programers to notice if they * start making this union too large! See struct lsm_network_audit * as an example of how to deal with large data. */ BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); |
fa2bea2f5 audit: consistent... |
213 |
audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current)); |
5deeb5cec lsm: copy comm be... |
214 |
audit_log_untrustedstring(ab, memcpy(comm, current->comm, sizeof(comm))); |
6e837fb15 smack: implement ... |
215 216 |
switch (a->type) { |
cb84aa9b4 LSM Audit: rename... |
217 |
case LSM_AUDIT_DATA_NONE: |
2bf496903 SELinux: Convert ... |
218 |
return; |
6e837fb15 smack: implement ... |
219 220 221 222 223 224 |
case LSM_AUDIT_DATA_IPC: audit_log_format(ab, " key=%d ", a->u.ipc_id); break; case LSM_AUDIT_DATA_CAP: audit_log_format(ab, " capability=%d ", a->u.cap); break; |
f48b73998 LSM: split LSM_AU... |
225 |
case LSM_AUDIT_DATA_PATH: { |
f48b73998 LSM: split LSM_AU... |
226 |
struct inode *inode; |
c158a35c8 audit: no leading... |
227 |
audit_log_d_path(ab, " path=", &a->u.path); |
a269434d2 LSM: separate LSM... |
228 |
|
c6f493d63 VFS: security/: d... |
229 |
inode = d_backing_inode(a->u.path.dentry); |
41fdc3054 audit: treat s_id... |
230 231 232 233 234 |
if (inode) { audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); } |
d7481b24b audit: issue CWD ... |
235 |
audit_getcwd(); |
a269434d2 LSM: separate LSM... |
236 237 |
break; } |
43af5de74 lsm,audit,selinux... |
238 239 240 241 242 243 244 245 246 247 248 |
case LSM_AUDIT_DATA_FILE: { struct inode *inode; audit_log_d_path(ab, " path=", &a->u.file->f_path); inode = file_inode(a->u.file); if (inode) { audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); } |
d7481b24b audit: issue CWD ... |
249 |
audit_getcwd(); |
43af5de74 lsm,audit,selinux... |
250 251 |
break; } |
671a2781f security: add ioc... |
252 253 254 255 256 257 258 259 260 261 262 |
case LSM_AUDIT_DATA_IOCTL_OP: { struct inode *inode; audit_log_d_path(ab, " path=", &a->u.op->path); inode = a->u.op->path.dentry->d_inode; if (inode) { audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); } |
8b31f456c selinux: print le... |
263 |
audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd); |
d7481b24b audit: issue CWD ... |
264 |
audit_getcwd(); |
671a2781f security: add ioc... |
265 266 |
break; } |
a269434d2 LSM: separate LSM... |
267 268 269 270 |
case LSM_AUDIT_DATA_DENTRY: { struct inode *inode; audit_log_format(ab, " name="); |
a3fddad7a dump_common_audit... |
271 |
spin_lock(&a->u.dentry->d_lock); |
a269434d2 LSM: separate LSM... |
272 |
audit_log_untrustedstring(ab, a->u.dentry->d_name.name); |
a3fddad7a dump_common_audit... |
273 |
spin_unlock(&a->u.dentry->d_lock); |
a269434d2 LSM: separate LSM... |
274 |
|
c6f493d63 VFS: security/: d... |
275 |
inode = d_backing_inode(a->u.dentry); |
41fdc3054 audit: treat s_id... |
276 277 278 279 280 |
if (inode) { audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); } |
d7481b24b audit: issue CWD ... |
281 |
audit_getcwd(); |
6e837fb15 smack: implement ... |
282 |
break; |
f48b73998 LSM: split LSM_AU... |
283 284 285 286 287 288 289 290 291 |
} case LSM_AUDIT_DATA_INODE: { struct dentry *dentry; struct inode *inode; inode = a->u.inode; dentry = d_find_alias(inode); if (dentry) { audit_log_format(ab, " name="); |
a3fddad7a dump_common_audit... |
292 293 294 |
spin_lock(&dentry->d_lock); audit_log_untrustedstring(ab, dentry->d_name.name); spin_unlock(&dentry->d_lock); |
f48b73998 LSM: split LSM_AU... |
295 296 |
dput(dentry); } |
41fdc3054 audit: treat s_id... |
297 298 299 |
audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); |
d7481b24b audit: issue CWD ... |
300 |
audit_getcwd(); |
f48b73998 LSM: split LSM_AU... |
301 302 |
break; } |
5deeb5cec lsm: copy comm be... |
303 304 |
case LSM_AUDIT_DATA_TASK: { struct task_struct *tsk = a->u.tsk; |
f1dc4867f audit: anchor all... |
305 |
if (tsk) { |
fa2bea2f5 audit: consistent... |
306 |
pid_t pid = task_tgid_nr(tsk); |
f1dc4867f audit: anchor all... |
307 |
if (pid) { |
5deeb5cec lsm: copy comm be... |
308 |
char comm[sizeof(tsk->comm)]; |
5c5bc97e2 lsm: rename dupli... |
309 |
audit_log_format(ab, " opid=%d ocomm=", pid); |
5deeb5cec lsm: copy comm be... |
310 311 |
audit_log_untrustedstring(ab, memcpy(comm, tsk->comm, sizeof(comm))); |
f1dc4867f audit: anchor all... |
312 |
} |
6e837fb15 smack: implement ... |
313 314 |
} break; |
5deeb5cec lsm: copy comm be... |
315 |
} |
6e837fb15 smack: implement ... |
316 |
case LSM_AUDIT_DATA_NET: |
48c62af68 LSM: shrink the c... |
317 318 |
if (a->u.net->sk) { struct sock *sk = a->u.net->sk; |
6e837fb15 smack: implement ... |
319 |
struct unix_sock *u; |
ae3b56417 missing barriers ... |
320 |
struct unix_address *addr; |
6e837fb15 smack: implement ... |
321 322 323 324 325 326 |
int len = 0; char *p = NULL; switch (sk->sk_family) { case AF_INET: { struct inet_sock *inet = inet_sk(sk); |
c720c7e83 inet: rename some... |
327 328 |
print_ipv4_addr(ab, inet->inet_rcv_saddr, inet->inet_sport, |
6e837fb15 smack: implement ... |
329 |
"laddr", "lport"); |
c720c7e83 inet: rename some... |
330 331 |
print_ipv4_addr(ab, inet->inet_daddr, inet->inet_dport, |
6e837fb15 smack: implement ... |
332 333 334 |
"faddr", "fport"); break; } |
c2bb06db5 net: fix build er... |
335 |
#if IS_ENABLED(CONFIG_IPV6) |
6e837fb15 smack: implement ... |
336 337 |
case AF_INET6: { struct inet_sock *inet = inet_sk(sk); |
6e837fb15 smack: implement ... |
338 |
|
efe4208f4 ipv6: make lookup... |
339 |
print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr, |
c720c7e83 inet: rename some... |
340 |
inet->inet_sport, |
6e837fb15 smack: implement ... |
341 |
"laddr", "lport"); |
efe4208f4 ipv6: make lookup... |
342 |
print_ipv6_addr(ab, &sk->sk_v6_daddr, |
c720c7e83 inet: rename some... |
343 |
inet->inet_dport, |
6e837fb15 smack: implement ... |
344 345 346 |
"faddr", "fport"); break; } |
c2bb06db5 net: fix build er... |
347 |
#endif |
6e837fb15 smack: implement ... |
348 349 |
case AF_UNIX: u = unix_sk(sk); |
ae3b56417 missing barriers ... |
350 351 352 |
addr = smp_load_acquire(&u->addr); if (!addr) break; |
40ffe67d2 switch unix_sock ... |
353 354 |
if (u->path.dentry) { audit_log_d_path(ab, " path=", &u->path); |
6e837fb15 smack: implement ... |
355 356 |
break; } |
ae3b56417 missing barriers ... |
357 358 |
len = addr->len-sizeof(short); p = &addr->name->sun_path[0]; |
6e837fb15 smack: implement ... |
359 360 361 362 363 364 365 366 |
audit_log_format(ab, " path="); if (*p) audit_log_untrustedstring(ab, p); else audit_log_n_hex(ab, p, len); break; } } |
48c62af68 LSM: shrink the c... |
367 |
switch (a->u.net->family) { |
6e837fb15 smack: implement ... |
368 |
case AF_INET: |
48c62af68 LSM: shrink the c... |
369 370 |
print_ipv4_addr(ab, a->u.net->v4info.saddr, a->u.net->sport, |
6e837fb15 smack: implement ... |
371 |
"saddr", "src"); |
48c62af68 LSM: shrink the c... |
372 373 |
print_ipv4_addr(ab, a->u.net->v4info.daddr, a->u.net->dport, |
6e837fb15 smack: implement ... |
374 375 376 |
"daddr", "dest"); break; case AF_INET6: |
48c62af68 LSM: shrink the c... |
377 378 |
print_ipv6_addr(ab, &a->u.net->v6info.saddr, a->u.net->sport, |
6e837fb15 smack: implement ... |
379 |
"saddr", "src"); |
48c62af68 LSM: shrink the c... |
380 381 |
print_ipv6_addr(ab, &a->u.net->v6info.daddr, a->u.net->dport, |
6e837fb15 smack: implement ... |
382 383 384 |
"daddr", "dest"); break; } |
48c62af68 LSM: shrink the c... |
385 |
if (a->u.net->netif > 0) { |
6e837fb15 smack: implement ... |
386 387 388 |
struct net_device *dev; /* NOTE: we always use init's namespace */ |
48c62af68 LSM: shrink the c... |
389 |
dev = dev_get_by_index(&init_net, a->u.net->netif); |
6e837fb15 smack: implement ... |
390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 |
if (dev) { audit_log_format(ab, " netif=%s", dev->name); dev_put(dev); } } break; #ifdef CONFIG_KEYS case LSM_AUDIT_DATA_KEY: audit_log_format(ab, " key_serial=%u", a->u.key_struct.key); if (a->u.key_struct.key_desc) { audit_log_format(ab, " key_desc="); audit_log_untrustedstring(ab, a->u.key_struct.key_desc); } break; #endif |
dd8dbf2e6 security: report ... |
405 406 407 408 |
case LSM_AUDIT_DATA_KMOD: audit_log_format(ab, " kmod="); audit_log_untrustedstring(ab, a->u.kmod_name); break; |
cfc4d882d selinux: Implemen... |
409 410 411 412 413 414 415 416 417 418 419 |
case LSM_AUDIT_DATA_IBPKEY: { struct in6_addr sbn_pfx; memset(&sbn_pfx.s6_addr, 0, sizeof(sbn_pfx.s6_addr)); memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix, sizeof(a->u.ibpkey->subnet_prefix)); audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c", a->u.ibpkey->pkey, &sbn_pfx); break; } |
ab861dfca selinux: Add IB P... |
420 421 422 423 424 |
case LSM_AUDIT_DATA_IBENDPORT: audit_log_format(ab, " device=%s port_num=%u", a->u.ibendport->dev_name, a->u.ibendport->port); break; |
59438b464 security,lockdown... |
425 |
case LSM_AUDIT_DATA_LOCKDOWN: |
f1d9b23ca audit: purge audi... |
426 427 |
audit_log_format(ab, " lockdown_reason=\"%s\"", lockdown_reasons[a->u.reason]); |
59438b464 security,lockdown... |
428 |
break; |
6e837fb15 smack: implement ... |
429 430 431 432 433 434 |
} /* switch (a->type) */ } /** * common_lsm_audit - generic LSM auditing function * @a: auxiliary audit data |
b61c37f57 lsm_audit: don't ... |
435 436 |
* @pre_audit: lsm-specific pre-audit callback * @post_audit: lsm-specific post-audit callback |
6e837fb15 smack: implement ... |
437 438 439 440 |
* * setup the audit buffer for common security information * uses callback to print LSM specific information */ |
b61c37f57 lsm_audit: don't ... |
441 442 443 |
void common_lsm_audit(struct common_audit_data *a, void (*pre_audit)(struct audit_buffer *, void *), void (*post_audit)(struct audit_buffer *, void *)) |
6e837fb15 smack: implement ... |
444 445 446 447 448 449 |
{ struct audit_buffer *ab; if (a == NULL) return; /* we use GFP_ATOMIC so we won't sleep */ |
cdfb6b341 audit: use inline... |
450 |
ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN, |
a20b62bdf audit: suppress s... |
451 |
AUDIT_AVC); |
6e837fb15 smack: implement ... |
452 453 454 |
if (ab == NULL) return; |
b61c37f57 lsm_audit: don't ... |
455 456 |
if (pre_audit) pre_audit(ab, a); |
6e837fb15 smack: implement ... |
457 458 |
dump_common_audit_data(ab, a); |
b61c37f57 lsm_audit: don't ... |
459 460 |
if (post_audit) post_audit(ab, a); |
6e837fb15 smack: implement ... |
461 462 463 |
audit_log_end(ab); } |