Blame view
security/lsm_audit.c
9.4 KB
6e837fb15
smack: implement ...
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
/* * common LSM auditing functions * * Based on code written for SELinux by : * Stephen Smalley, <sds@epoch.ncsc.mil> * James Morris <jmorris@redhat.com> * Author : Etienne Basset, <etienne.basset@ensta.org> * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License version 2, * as published by the Free Software Foundation. */ #include <linux/types.h> #include <linux/stddef.h> #include <linux/kernel.h> |
5a0e3ad6a
include cleanup: ...
|
17 |
#include <linux/gfp.h> |
|
6e837fb15
smack: implement ...
|
18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 |
#include <linux/fs.h>
#include <linux/init.h>
#include <net/sock.h>
#include <linux/un.h>
#include <net/af_unix.h>
#include <linux/audit.h>
#include <linux/ipv6.h>
#include <linux/ip.h>
#include <net/ip.h>
#include <net/ipv6.h>
#include <linux/tcp.h>
#include <linux/udp.h>
#include <linux/dccp.h>
#include <linux/sctp.h>
#include <linux/lsm_audit.h>
/**
* ipv4_skb_to_auditdata : fill auditdata from skb
* @skb : the skb
* @ad : the audit data to fill
* @proto : the layer 4 protocol
*
* return 0 on success
*/
int ipv4_skb_to_auditdata(struct sk_buff *skb,
struct common_audit_data *ad, u8 *proto)
{
int ret = 0;
struct iphdr *ih;
ih = ip_hdr(skb);
if (ih == NULL)
return -EINVAL;
|
48c62af68
LSM: shrink the c...
|
51 52 |
ad->u.net->v4info.saddr = ih->saddr; ad->u.net->v4info.daddr = ih->daddr; |
|
6e837fb15
smack: implement ...
|
53 54 55 56 57 58 59 60 61 62 63 64 |
if (proto)
*proto = ih->protocol;
/* non initial fragment */
if (ntohs(ih->frag_off) & IP_OFFSET)
return 0;
switch (ih->protocol) {
case IPPROTO_TCP: {
struct tcphdr *th = tcp_hdr(skb);
if (th == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
65 66 |
ad->u.net->sport = th->source; ad->u.net->dport = th->dest; |
|
6e837fb15
smack: implement ...
|
67 68 69 70 71 72 |
break;
}
case IPPROTO_UDP: {
struct udphdr *uh = udp_hdr(skb);
if (uh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
73 74 |
ad->u.net->sport = uh->source; ad->u.net->dport = uh->dest; |
|
6e837fb15
smack: implement ...
|
75 76 77 78 79 80 |
break;
}
case IPPROTO_DCCP: {
struct dccp_hdr *dh = dccp_hdr(skb);
if (dh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
81 82 |
ad->u.net->sport = dh->dccph_sport; ad->u.net->dport = dh->dccph_dport; |
|
6e837fb15
smack: implement ...
|
83 84 85 86 87 88 |
break;
}
case IPPROTO_SCTP: {
struct sctphdr *sh = sctp_hdr(skb);
if (sh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
89 90 |
ad->u.net->sport = sh->source; ad->u.net->dport = sh->dest; |
|
6e837fb15
smack: implement ...
|
91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 |
break;
}
default:
ret = -EINVAL;
}
return ret;
}
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
/**
* ipv6_skb_to_auditdata : fill auditdata from skb
* @skb : the skb
* @ad : the audit data to fill
* @proto : the layer 4 protocol
*
* return 0 on success
*/
int ipv6_skb_to_auditdata(struct sk_buff *skb,
struct common_audit_data *ad, u8 *proto)
{
int offset, ret = 0;
struct ipv6hdr *ip6;
u8 nexthdr;
|
75f2811c6
ipv6: Add fragmen...
|
113 |
__be16 frag_off; |
|
6e837fb15
smack: implement ...
|
114 115 116 117 |
ip6 = ipv6_hdr(skb); if (ip6 == NULL) return -EINVAL; |
|
48c62af68
LSM: shrink the c...
|
118 119 |
ad->u.net->v6info.saddr = ip6->saddr; ad->u.net->v6info.daddr = ip6->daddr; |
|
6e837fb15
smack: implement ...
|
120 121 122 123 124 125 |
ret = 0; /* IPv6 can have several extension header before the Transport header * skip them */ offset = skb_network_offset(skb); offset += sizeof(*ip6); nexthdr = ip6->nexthdr; |
|
75f2811c6
ipv6: Add fragmen...
|
126 |
offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off); |
|
6e837fb15
smack: implement ...
|
127 128 129 130 131 132 133 134 135 136 137 |
if (offset < 0)
return 0;
if (proto)
*proto = nexthdr;
switch (nexthdr) {
case IPPROTO_TCP: {
struct tcphdr _tcph, *th;
th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
if (th == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
138 139 |
ad->u.net->sport = th->source; ad->u.net->dport = th->dest; |
|
6e837fb15
smack: implement ...
|
140 141 142 143 144 145 146 147 |
break;
}
case IPPROTO_UDP: {
struct udphdr _udph, *uh;
uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
if (uh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
148 149 |
ad->u.net->sport = uh->source; ad->u.net->dport = uh->dest; |
|
6e837fb15
smack: implement ...
|
150 151 152 153 154 155 156 157 |
break;
}
case IPPROTO_DCCP: {
struct dccp_hdr _dccph, *dh;
dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
if (dh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
158 159 |
ad->u.net->sport = dh->dccph_sport; ad->u.net->dport = dh->dccph_dport; |
|
6e837fb15
smack: implement ...
|
160 161 162 163 164 165 166 167 |
break;
}
case IPPROTO_SCTP: {
struct sctphdr _sctph, *sh;
sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
if (sh == NULL)
break;
|
|
48c62af68
LSM: shrink the c...
|
168 169 |
ad->u.net->sport = sh->source; ad->u.net->dport = sh->dest; |
|
6e837fb15
smack: implement ...
|
170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 |
break;
}
default:
ret = -EINVAL;
}
return ret;
}
#endif
static inline void print_ipv6_addr(struct audit_buffer *ab,
struct in6_addr *addr, __be16 port,
char *name1, char *name2)
{
if (!ipv6_addr_any(addr))
|
d81165919
lsm: Use a compre...
|
185 |
audit_log_format(ab, " %s=%pI6c", name1, addr); |
|
6e837fb15
smack: implement ...
|
186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 |
if (port)
audit_log_format(ab, " %s=%d", name2, ntohs(port));
}
static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
__be16 port, char *name1, char *name2)
{
if (addr)
audit_log_format(ab, " %s=%pI4", name1, &addr);
if (port)
audit_log_format(ab, " %s=%d", name2, ntohs(port));
}
/**
* dump_common_audit_data - helper to dump common audit data
* @a : common audit data
*
*/
static void dump_common_audit_data(struct audit_buffer *ab,
struct common_audit_data *a)
{
|
|
6e837fb15
smack: implement ...
|
207 |
struct task_struct *tsk = current; |
|
07f62eb66
LSM: BUILD_BUG_ON...
|
208 209 210 211 212 213 |
/* * To keep stack sizes in check force programers to notice if they * start making this union too large! See struct lsm_network_audit * as an example of how to deal with large data. */ BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2); |
f1dc4867f
audit: anchor all...
|
214 |
audit_log_format(ab, " pid=%d comm=", task_pid_nr(tsk)); |
|
b466066f9
LSM: remove the t...
|
215 |
audit_log_untrustedstring(ab, tsk->comm); |
|
6e837fb15
smack: implement ...
|
216 217 |
switch (a->type) {
|
|
cb84aa9b4
LSM Audit: rename...
|
218 |
case LSM_AUDIT_DATA_NONE: |
2bf496903
SELinux: Convert ...
|
219 |
return; |
|
6e837fb15
smack: implement ...
|
220 221 222 223 224 225 |
case LSM_AUDIT_DATA_IPC: audit_log_format(ab, " key=%d ", a->u.ipc_id); break; case LSM_AUDIT_DATA_CAP: audit_log_format(ab, " capability=%d ", a->u.cap); break; |
|
f48b73998
LSM: split LSM_AU...
|
226 |
case LSM_AUDIT_DATA_PATH: {
|
|
f48b73998
LSM: split LSM_AU...
|
227 |
struct inode *inode; |
c158a35c8
audit: no leading...
|
228 |
audit_log_d_path(ab, " path=", &a->u.path); |
|
a269434d2
LSM: separate LSM...
|
229 230 |
inode = a->u.path.dentry->d_inode; |
|
41fdc3054
audit: treat s_id...
|
231 232 233 234 235 |
if (inode) {
audit_log_format(ab, " dev=");
audit_log_untrustedstring(ab, inode->i_sb->s_id);
audit_log_format(ab, " ino=%lu", inode->i_ino);
}
|
|
a269434d2
LSM: separate LSM...
|
236 237 238 239 240 241 242 243 244 |
break;
}
case LSM_AUDIT_DATA_DENTRY: {
struct inode *inode;
audit_log_format(ab, " name=");
audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
inode = a->u.dentry->d_inode;
|
|
41fdc3054
audit: treat s_id...
|
245 246 247 248 249 |
if (inode) {
audit_log_format(ab, " dev=");
audit_log_untrustedstring(ab, inode->i_sb->s_id);
audit_log_format(ab, " ino=%lu", inode->i_ino);
}
|
|
6e837fb15
smack: implement ...
|
250 |
break; |
|
f48b73998
LSM: split LSM_AU...
|
251 252 253 254 255 256 257 258 259 260 261 262 263 |
}
case LSM_AUDIT_DATA_INODE: {
struct dentry *dentry;
struct inode *inode;
inode = a->u.inode;
dentry = d_find_alias(inode);
if (dentry) {
audit_log_format(ab, " name=");
audit_log_untrustedstring(ab,
dentry->d_name.name);
dput(dentry);
}
|
|
41fdc3054
audit: treat s_id...
|
264 265 266 |
audit_log_format(ab, " dev="); audit_log_untrustedstring(ab, inode->i_sb->s_id); audit_log_format(ab, " ino=%lu", inode->i_ino); |
|
f48b73998
LSM: split LSM_AU...
|
267 268 |
break; } |
|
6e837fb15
smack: implement ...
|
269 270 |
case LSM_AUDIT_DATA_TASK: tsk = a->u.tsk; |
|
f1dc4867f
audit: anchor all...
|
271 272 273 274 275 276 |
if (tsk) {
pid_t pid = task_pid_nr(tsk);
if (pid) {
audit_log_format(ab, " pid=%d comm=", pid);
audit_log_untrustedstring(ab, tsk->comm);
}
|
|
6e837fb15
smack: implement ...
|
277 278 279 |
} break; case LSM_AUDIT_DATA_NET: |
|
48c62af68
LSM: shrink the c...
|
280 281 |
if (a->u.net->sk) {
struct sock *sk = a->u.net->sk;
|
|
6e837fb15
smack: implement ...
|
282 283 284 285 286 287 288 |
struct unix_sock *u;
int len = 0;
char *p = NULL;
switch (sk->sk_family) {
case AF_INET: {
struct inet_sock *inet = inet_sk(sk);
|
c720c7e83
inet: rename some...
|
289 290 |
print_ipv4_addr(ab, inet->inet_rcv_saddr, inet->inet_sport, |
|
6e837fb15
smack: implement ...
|
291 |
"laddr", "lport"); |
|
c720c7e83
inet: rename some...
|
292 293 |
print_ipv4_addr(ab, inet->inet_daddr, inet->inet_dport, |
|
6e837fb15
smack: implement ...
|
294 295 296 |
"faddr", "fport"); break; } |
c2bb06db5
net: fix build er...
|
297 |
#if IS_ENABLED(CONFIG_IPV6) |
|
6e837fb15
smack: implement ...
|
298 299 |
case AF_INET6: {
struct inet_sock *inet = inet_sk(sk);
|
|
6e837fb15
smack: implement ...
|
300 |
|
|
efe4208f4
ipv6: make lookup...
|
301 |
print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr, |
|
c720c7e83
inet: rename some...
|
302 |
inet->inet_sport, |
|
6e837fb15
smack: implement ...
|
303 |
"laddr", "lport"); |
|
efe4208f4
ipv6: make lookup...
|
304 |
print_ipv6_addr(ab, &sk->sk_v6_daddr, |
|
c720c7e83
inet: rename some...
|
305 |
inet->inet_dport, |
|
6e837fb15
smack: implement ...
|
306 307 308 |
"faddr", "fport"); break; } |
|
c2bb06db5
net: fix build er...
|
309 |
#endif |
|
6e837fb15
smack: implement ...
|
310 311 |
case AF_UNIX: u = unix_sk(sk); |
40ffe67d2
switch unix_sock ...
|
312 313 |
if (u->path.dentry) {
audit_log_d_path(ab, " path=", &u->path);
|
|
6e837fb15
smack: implement ...
|
314 315 316 317 318 319 320 321 322 323 324 325 326 327 |
break; } if (!u->addr) break; len = u->addr->len-sizeof(short); p = &u->addr->name->sun_path[0]; audit_log_format(ab, " path="); if (*p) audit_log_untrustedstring(ab, p); else audit_log_n_hex(ab, p, len); break; } } |
|
48c62af68
LSM: shrink the c...
|
328 |
switch (a->u.net->family) {
|
|
6e837fb15
smack: implement ...
|
329 |
case AF_INET: |
|
48c62af68
LSM: shrink the c...
|
330 331 |
print_ipv4_addr(ab, a->u.net->v4info.saddr, a->u.net->sport, |
|
6e837fb15
smack: implement ...
|
332 |
"saddr", "src"); |
|
48c62af68
LSM: shrink the c...
|
333 334 |
print_ipv4_addr(ab, a->u.net->v4info.daddr, a->u.net->dport, |
|
6e837fb15
smack: implement ...
|
335 336 337 |
"daddr", "dest"); break; case AF_INET6: |
|
48c62af68
LSM: shrink the c...
|
338 339 |
print_ipv6_addr(ab, &a->u.net->v6info.saddr, a->u.net->sport, |
|
6e837fb15
smack: implement ...
|
340 |
"saddr", "src"); |
|
48c62af68
LSM: shrink the c...
|
341 342 |
print_ipv6_addr(ab, &a->u.net->v6info.daddr, a->u.net->dport, |
|
6e837fb15
smack: implement ...
|
343 344 345 |
"daddr", "dest"); break; } |
|
48c62af68
LSM: shrink the c...
|
346 |
if (a->u.net->netif > 0) {
|
|
6e837fb15
smack: implement ...
|
347 348 349 |
struct net_device *dev; /* NOTE: we always use init's namespace */ |
|
48c62af68
LSM: shrink the c...
|
350 |
dev = dev_get_by_index(&init_net, a->u.net->netif); |
|
6e837fb15
smack: implement ...
|
351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 |
if (dev) {
audit_log_format(ab, " netif=%s", dev->name);
dev_put(dev);
}
}
break;
#ifdef CONFIG_KEYS
case LSM_AUDIT_DATA_KEY:
audit_log_format(ab, " key_serial=%u", a->u.key_struct.key);
if (a->u.key_struct.key_desc) {
audit_log_format(ab, " key_desc=");
audit_log_untrustedstring(ab, a->u.key_struct.key_desc);
}
break;
#endif
|
|
dd8dbf2e6
security: report ...
|
366 367 368 369 |
case LSM_AUDIT_DATA_KMOD: audit_log_format(ab, " kmod="); audit_log_untrustedstring(ab, a->u.kmod_name); break; |
|
6e837fb15
smack: implement ...
|
370 371 372 373 374 375 |
} /* switch (a->type) */ } /** * common_lsm_audit - generic LSM auditing function * @a: auxiliary audit data |
b61c37f57
lsm_audit: don't ...
|
376 377 |
* @pre_audit: lsm-specific pre-audit callback * @post_audit: lsm-specific post-audit callback |
|
6e837fb15
smack: implement ...
|
378 379 380 381 |
* * setup the audit buffer for common security information * uses callback to print LSM specific information */ |
|
b61c37f57
lsm_audit: don't ...
|
382 383 384 |
void common_lsm_audit(struct common_audit_data *a, void (*pre_audit)(struct audit_buffer *, void *), void (*post_audit)(struct audit_buffer *, void *)) |
|
6e837fb15
smack: implement ...
|
385 386 387 388 389 390 |
{
struct audit_buffer *ab;
if (a == NULL)
return;
/* we use GFP_ATOMIC so we won't sleep */
|
|
a20b62bdf
audit: suppress s...
|
391 392 |
ab = audit_log_start(current->audit_context, GFP_ATOMIC | __GFP_NOWARN, AUDIT_AVC); |
|
6e837fb15
smack: implement ...
|
393 394 395 |
if (ab == NULL) return; |
|
b61c37f57
lsm_audit: don't ...
|
396 397 |
if (pre_audit) pre_audit(ab, a); |
|
6e837fb15
smack: implement ...
|
398 399 |
dump_common_audit_data(ab, a); |
|
b61c37f57
lsm_audit: don't ...
|
400 401 |
if (post_audit) post_audit(ab, a); |
|
6e837fb15
smack: implement ...
|
402 403 404 |
audit_log_end(ab); } |