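/**
 * aa_audit_file - handle the auditing of file operations
 * @profile: the profile being enforced  (NOT NULL)
 * @perms: the permissions computed for the request (NOT NULL)
 * @op: operation being mediated
 * @request: permissions requested
 * @name: name of object being mediated (MAYBE NULL)
 * @target: name of target (MAYBE NULL)
 * @tlabel: target label (MAY BE NULL)
 * @ouid: object uid
 * @info: extra information message (MAYBE NULL)
 * @error: 0 if operation allowed else failure error code
 *
 * Decides whether the request produces an audit record and which bits of
 * @request it reports:
 *  - an allowed request (@error == 0) is reported only for the bits in
 *    @perms->audit, or for every bit when the profile is in AUDIT_ALL mode;
 *    if nothing is left to report, no record is emitted;
 *  - a denied request is reported only for the bits not in @perms->allow,
 *    minus the bits in @perms->quiet unless the profile's audit mode is
 *    AUDIT_NOQUIET or AUDIT_ALL; if everything denied was quieted, @error
 *    is returned without a record.
 * A denied request that touches a bit in @perms->kill is logged as
 * AUDIT_APPARMOR_KILL.
 *
 * Returns: %0 or error on failure
 */
int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
		  const char *op, u32 request, const char *name,
		  const char *target, struct aa_label *tlabel,
		  kuid_t ouid, const char *info, int error)
{
	int type = AUDIT_APPARMOR_AUTO;
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);

	/* typed as task audit data, but no task is attached; the callback
	 * works from the apparmor specific fields set below */
	sa.u.tsk = NULL;
	aad(&sa)->request = request;
	aad(&sa)->name = name;
	aad(&sa)->fs.target = target;
	aad(&sa)->peer = tlabel;
	aad(&sa)->fs.ouid = ouid;
	aad(&sa)->info = info;
	aad(&sa)->error = error;

	if (likely(!aad(&sa)->error)) {
		u32 mask = perms->audit;

		if (unlikely(AUDIT_MODE(profile) == AUDIT_ALL))
			mask = 0xffff;

		/* mask off perms that are not being force audited */
		aad(&sa)->request &= mask;

		/* allowed and nothing force audited: no record at all */
		if (likely(!aad(&sa)->request))
			return 0;
		type = AUDIT_APPARMOR_AUDIT;
	} else {
		/* only report permissions that were denied */
		aad(&sa)->request = aad(&sa)->request & ~perms->allow;
		/* a failed request must have at least one denied bit */
		AA_BUG(!aad(&sa)->request);

		if (aad(&sa)->request & perms->kill)
			type = AUDIT_APPARMOR_KILL;

		/* quiet known rejects, assumes quiet and kill do not overlap */
		if ((aad(&sa)->request & perms->quiet) &&
		    AUDIT_MODE(profile) != AUDIT_NOQUIET &&
		    AUDIT_MODE(profile) != AUDIT_ALL)
			aad(&sa)->request &= ~perms->quiet;

		/* everything denied was quieted: still fail, just don't log */
		if (!aad(&sa)->request)
			return aad(&sa)->error;
	}

	aad(&sa)->denied = aad(&sa)->request & ~perms->allow;
	return aa_audit(type, profile, &sa, file_audit_cb);
}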
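/**
 * audit_signal_cb - call back for signal specific audit fields
 * @ab: audit_buffer (NOT NULL)
 * @va: audit struct to audit values of (NOT NULL)
 *
 * Appends the signal fields to the record: requested_mask= and, when
 * something was denied, denied_mask= (both restricted to the
 * AA_SIGNAL_PERM_MASK bits), then signal= as a name, "unknown(N)" for an
 * unmapped signal, or rtmin+N for realtime signals, and finally peer=.
 * Every field is written with a leading space so the record remains a
 * parseable sequence of key=value pairs.
 */
static void audit_signal_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;

	if (aad(sa)->request & AA_SIGNAL_PERM_MASK) {
		audit_log_format(ab, " requested_mask=");
		audit_signal_mask(ab, aad(sa)->request);
		if (aad(sa)->denied & AA_SIGNAL_PERM_MASK) {
			audit_log_format(ab, " denied_mask=");
			audit_signal_mask(ab, aad(sa)->denied);
		}
	}
	/* the unknown-signal format previously lacked the leading space,
	 * which fused "signal=" onto the preceding field in the record */
	if (aad(sa)->signal == SIGUNKNOWN)
		audit_log_format(ab, " signal=unknown(%d)",
				 aad(sa)->unmappedsig);
	else if (aad(sa)->signal < MAXMAPPED_SIGNAME)
		audit_log_format(ab, " signal=%s",
				 sig_names[aad(sa)->signal]);
	else
		audit_log_format(ab, " signal=rtmin+%d",
				 aad(sa)->signal - SIGRT_BASE);
	audit_log_format(ab, " peer=");
	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
			FLAGS_NONE, GFP_ATOMIC);
}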
/* log the table's name for a value, or "unknown(N)" when it has none */
static void audit_log_table_entry(struct audit_buffer *ab, const char *name,
				  int num)
{
	if (name)
		audit_log_string(ab, name);
	else
		audit_log_format(ab, "\"unknown(%d)\"", num);
}

/* audit callback for net specific fields */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	int family = sa->u.net->family;
	int type = aad(sa)->net.type;

	/* NOTE(review): family and type index the name tables without a
	 * bound check here; assumes callers keep them within the table
	 * sizes — confirm at the call sites */
	audit_log_format(ab, " family=");
	audit_log_table_entry(ab, address_family_names[family], family);
	audit_log_format(ab, " sock_type=");
	audit_log_table_entry(ab, sock_type_names[type], type);
	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	/* only the net permission bits are reported; denied_mask is
	 * present only when a net bit was actually denied */
	if (aad(sa)->request & NET_PERMS_MASK) {
		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, aad(sa)->request, NULL, 0,
				   net_mask_names, NET_PERMS_MASK);
		if (aad(sa)->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}

	if (!aad(sa)->peer)
		return;
	audit_log_format(ab, " peer=");
	aa_label_xaudit(ab, labels_ns(aad(sa)->label), aad(sa)->peer,
			FLAGS_NONE, GFP_ATOMIC);
}
/* audit callback for net specific fields */
void audit_net_cb(struct audit_buffer *ab, void *va)
{
	struct common_audit_data *sa = va;
	int family = sa->u.net->family;
	int type = aad(sa)->net.type;
	u32 request = aad(sa)->request;
	/* NOTE(review): family and type index the name tables without a
	 * bound check here; assumes callers keep them within the table
	 * sizes — confirm at the call sites */
	const char *family_name = address_family_names[family];
	const char *type_name = sock_type_names[type];

	audit_log_format(ab, " family=");
	if (family_name)
		audit_log_string(ab, family_name);
	else
		audit_log_format(ab, "\"unknown(%d)\"", family);

	audit_log_format(ab, " sock_type=");
	if (type_name)
		audit_log_string(ab, type_name);
	else
		audit_log_format(ab, "\"unknown(%d)\"", type);

	audit_log_format(ab, " protocol=%d", aad(sa)->net.protocol);

	/* only the net permission bits are reported; denied_mask is
	 * present only when a net bit was actually denied */
	if (request & NET_PERMS_MASK) {
		audit_log_format(ab, " requested_mask=");
		aa_audit_perm_mask(ab, request, NULL, 0,
				   net_mask_names, NET_PERMS_MASK);
		if (aad(sa)->denied & NET_PERMS_MASK) {
			audit_log_format(ab, " denied_mask=");
			aa_audit_perm_mask(ab, aad(sa)->denied, NULL, 0,
					   net_mask_names, NET_PERMS_MASK);
		}
	}

	if (family == AF_UNIX) {
		/* local end: the supplied address when the request is not
		 * purely a peer operation, otherwise the socket's own */
		if (aad(sa)->net.addr && (request & ~NET_PEER_MASK))
			audit_unix_addr(ab, "addr",
					unix_addr(aad(sa)->net.addr),
					aad(sa)->net.addrlen);
		else
			audit_unix_sk_addr(ab, "addr", sa->u.net->sk);

		/* peer end, only for peer operations */
		if (request & NET_PEER_MASK) {
			if (aad(sa)->net.addr)
				audit_unix_addr(ab, "peer_addr",
						unix_addr(aad(sa)->net.addr),
						aad(sa)->net.addrlen);
			else
				audit_unix_sk_addr(ab, "peer_addr",
						   aad(sa)->net.peer_sk);
		}
	}

	/* the target name is logged as an untrusted string */
	if (!aad(sa)->target)
		return;
	audit_log_format(ab, " peer=");
	audit_log_untrustedstring(ab, aad(sa)->target);
}
/* log the confining profile (with its namespace when not the root one),
 * or the whole label when it is not a single profile */
static void audit_pre_label(struct audit_buffer *ab, struct aa_label *label)
{
	struct aa_profile *profile;

	if (!label_isprofile(label)) {
		audit_log_format(ab, " label=");
		aa_label_audit(ab, root_ns, label, false, GFP_ATOMIC);
		return;
	}

	profile = labels_profile(label);
	if (profile->ns != root_ns) {
		audit_log_format(ab, " namespace=");
		audit_log_untrustedstring(ab, profile->ns->base.hname);
	}
	audit_log_format(ab, " profile=");
	audit_log_untrustedstring(ab, profile->base.hname);
}

/**
 * audit_pre - record the fields common to every AppArmor audit record
 * @ab: audit buffer to fill (NOT NULL)
 * @ca: audit structure containing data to audit (NOT NULL)
 *
 * Writes, in this order: apparmor=<type> (only when aa_g_audit_header is
 * set), operation=, info= followed by error= when an error is recorded,
 * the confining profile or label, and name=.  All fields after the first
 * carry a leading space.  Namespace, profile and object names are logged
 * with audit_log_untrustedstring().
 */
static void audit_pre(struct audit_buffer *ab, void *ca)
{
	struct common_audit_data *sa = ca;

	if (aa_g_audit_header) {
		audit_log_format(ab, "apparmor=");
		audit_log_string(ab, aa_audit_type[aad(sa)->type]);
	}

	if (aad(sa)->op) {
		audit_log_format(ab, " operation=");
		audit_log_string(ab, op_table[aad(sa)->op]);
	}

	if (aad(sa)->info) {
		audit_log_format(ab, " info=");
		audit_log_string(ab, aad(sa)->info);
		/* error= is only emitted alongside info= */
		if (aad(sa)->error)
			audit_log_format(ab, " error=%d", aad(sa)->error);
	}

	if (aad(sa)->label)
		audit_pre_label(ab, aad(sa)->label);

	if (aad(sa)->name) {
		audit_log_format(ab, " name=");
		audit_log_untrustedstring(ab, aad(sa)->name);
	}
}