1 files changed, 215 insertions, 0 deletions
diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
new file mode 100644
index 000000000000..96502b22b268
--- /dev/null
+++ b/security/apparmor/audit.c
@@ -0,0 +1,215 @@
+/*
+ * AppArmor security module
+ *
+ * This file contains AppArmor auditing functions
+ *
+ * Copyright (C) 1998-2008 Novell/SUSE
+ * Copyright 2009-2010 Canonical Ltd.
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License as
+ * published by the Free Software Foundation, version 2 of the
+ * License.
+ */
+#include <linux/audit.h>
+#include <linux/socket.h>
+#include "include/apparmor.h"
+#include "include/audit.h"
+#include "include/policy.h"
+const char *op_table[] = {
+        "null",
+        "sysctl",
+        "capable",
+        "unlink",
+        "mkdir",
+        "rmdir",
+        "mknod",
+        "truncate",
+        "link",
+        "symlink",
+        "rename_src",
+        "rename_dest",
+        "chmod",
+        "chown",
+        "getattr",
+        "open",
+        "file_perm",
+        "file_lock",
+        "file_mmap",
+        "file_mprotect",
+        "create",
+        "post_create",
+        "bind",
+        "connect",
+        "listen",
+        "accept",
+        "sendmsg",
+        "recvmsg",
+        "getsockname",
+        "getpeername",
+        "getsockopt",
+        "setsockopt",
+        "socket_shutdown",
+        "ptrace",
+        "exec",
+        "change_hat",
+        "change_profile",
+        "change_onexec",
+        "setprocattr",
+        "setrlimit",
+        "profile_replace",
+        "profile_load",
+        "profile_remove"
+};
+const char *audit_mode_names[] = {
+        "normal",
+        "quiet_denied",
+        "quiet",
+        "noquiet",
+        "all"
+};
+static char *aa_audit_type[] = {
+        "AUDIT",
+        "ALLOWED",
+        "DENIED",
+        "HINT",
+        "STATUS",
+        "ERROR",
+        "KILLED"
+};
+/*
+ * Currently AppArmor auditing is fed straight into the audit framework.
+ *
+ * TODO:
+ * netlink interface for complain mode
+ * user auditing, - send user auditing to netlink interface
+ * system control of whether user audit messages go to system log
+ */
+/**
+ * audit_base - core AppArmor function.
+ * @ab: audit buffer to fill (NOT NULL)
+ * @ca: audit structure containing data to audit (NOT NULL)
+ *
+ * Record common AppArmor audit data from @sa
+ */
+static void audit_pre(struct audit_buffer *ab, void *ca)
+{
+        struct common_audit_data *sa = ca;
+        struct task_struct *tsk = sa->tsk ? sa->tsk : current;
+        if (aa_g_audit_header) {
+                audit_log_format(ab, "apparmor=");
+                audit_log_string(ab, aa_audit_type[sa->aad.type]);
+        }
+        if (sa->aad.op) {
+                audit_log_format(ab, " operation=");
+                audit_log_string(ab, op_table[sa->aad.op]);
+        }
+        if (sa->aad.info) {
+                audit_log_format(ab, " info=");
+                audit_log_string(ab, sa->aad.info);
+                if (sa->aad.error)
+                        audit_log_format(ab, " error=%d", sa->aad.error);
+        }
+        if (sa->aad.profile) {
+                struct aa_profile *profile = sa->aad.profile;
+                pid_t pid;
+                rcu_read_lock();
+                pid = tsk->real_parent->pid;
+                rcu_read_unlock();
+                audit_log_format(ab, " parent=%d", pid);
+                if (profile->ns != root_ns) {
+                        audit_log_format(ab, " namespace=");
+                        audit_log_untrustedstring(ab, profile->ns->base.hname);
+                }
+                audit_log_format(ab, " profile=");
+                audit_log_untrustedstring(ab, profile->base.hname);
+        }
+        if (sa->aad.name) {
+                audit_log_format(ab, " name=");
+                audit_log_untrustedstring(ab, sa->aad.name);
+        }
+}
+/**
+ * aa_audit_msg - Log a message to the audit subsystem
+ * @sa: audit event structure (NOT NULL)
+ * @cb: optional callback fn for type specific fields (MAYBE NULL)
+ */
+void aa_audit_msg(int type, struct common_audit_data *sa,
+                  void (*cb) (struct audit_buffer *, void *))
+{
+        sa->aad.type = type;
+        sa->lsm_pre_audit = audit_pre;
+        sa->lsm_post_audit = cb;
+        common_lsm_audit(sa);
+}
+/**
+ * aa_audit - Log a profile based audit event to the audit subsystem
+ * @type: audit type for the message
+ * @profile: profile to check against (NOT NULL)
+ * @gfp: allocation flags to use
+ * @sa: audit event (NOT NULL)
+ * @cb: optional callback fn for type specific fields (MAYBE NULL)
+ *
+ * Handle default message switching based off of audit mode flags
+ *
+ * Returns: error on failure
+ */
+int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
+             struct common_audit_data *sa,
+             void (*cb) (struct audit_buffer *, void *))
+{
+        BUG_ON(!profile);
+        if (type == AUDIT_APPARMOR_AUTO) {
+                if (likely(!sa->aad.error)) {
+                        if (AUDIT_MODE(profile) != AUDIT_ALL)
+                                return 0;
+                        type = AUDIT_APPARMOR_AUDIT;
+                } else if (COMPLAIN_MODE(profile))
+                        type = AUDIT_APPARMOR_ALLOWED;
+                else
+                        type = AUDIT_APPARMOR_DENIED;
+        }
+        if (AUDIT_MODE(profile) == AUDIT_QUIET ||
+            (type == AUDIT_APPARMOR_DENIED &&
+             AUDIT_MODE(profile) == AUDIT_QUIET))
+                return sa->aad.error;
+        if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
+                type = AUDIT_APPARMOR_KILL;
+        if (!unconfined(profile))
+                sa->aad.profile = profile;
+        aa_audit_msg(type, sa, cb);
+        if (sa->aad.type == AUDIT_APPARMOR_KILL)
+                (void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current);
+        if (sa->aad.type == AUDIT_APPARMOR_ALLOWED)
+                return complain_error(sa->aad.error);
+        return sa->aad.error;
+}

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c new file mode 100644 index 000000000000..96502b22b268 --- /dev/null +++ b/security/apparmor/audit.c
@@ -0,0 +1,215 @@
	1	/*
	2	* AppArmor security module
	3	*
	4	* This file contains AppArmor auditing functions
	5	*
	6	* Copyright (C) 1998-2008 Novell/SUSE
	7	* Copyright 2009-2010 Canonical Ltd.
	8	*
	9	* This program is free software; you can redistribute it and/or
	10	* modify it under the terms of the GNU General Public License as
	11	* published by the Free Software Foundation, version 2 of the
	12	* License.
	13	*/
	14
	15	#include <linux/audit.h>
	16	#include <linux/socket.h>
	17
	18	#include "include/apparmor.h"
	19	#include "include/audit.h"
	20	#include "include/policy.h"
	21
	22	const char *op_table[] = {
	23	"null",
	24
	25	"sysctl",
	26	"capable",
	27
	28	"unlink",
	29	"mkdir",
	30	"rmdir",
	31	"mknod",
	32	"truncate",
	33	"link",
	34	"symlink",
	35	"rename_src",
	36	"rename_dest",
	37	"chmod",
	38	"chown",
	39	"getattr",
	40	"open",
	41
	42	"file_perm",
	43	"file_lock",
	44	"file_mmap",
	45	"file_mprotect",
	46
	47	"create",
	48	"post_create",
	49	"bind",
	50	"connect",
	51	"listen",
	52	"accept",
	53	"sendmsg",
	54	"recvmsg",
	55	"getsockname",
	56	"getpeername",
	57	"getsockopt",
	58	"setsockopt",
	59	"socket_shutdown",
	60
	61	"ptrace",
	62
	63	"exec",
	64	"change_hat",
	65	"change_profile",
	66	"change_onexec",
	67
	68	"setprocattr",
	69	"setrlimit",
	70
	71	"profile_replace",
	72	"profile_load",
	73	"profile_remove"
	74	};
	75
	76	const char *audit_mode_names[] = {
	77	"normal",
	78	"quiet_denied",
	79	"quiet",
	80	"noquiet",
	81	"all"
	82	};
	83
	84	static char *aa_audit_type[] = {
	85	"AUDIT",
	86	"ALLOWED",
	87	"DENIED",
	88	"HINT",
	89	"STATUS",
	90	"ERROR",
	91	"KILLED"
	92	};
	93
	94	/*
	95	* Currently AppArmor auditing is fed straight into the audit framework.
	96	*
	97	* TODO:
	98	* netlink interface for complain mode
	99	* user auditing, - send user auditing to netlink interface
	100	* system control of whether user audit messages go to system log
	101	*/
	102
	103	/**
	104	* audit_base - core AppArmor function.
	105	* @ab: audit buffer to fill (NOT NULL)
	106	* @ca: audit structure containing data to audit (NOT NULL)
	107	*
	108	* Record common AppArmor audit data from @sa
	109	*/
	110	static void audit_pre(struct audit_buffer ab, void ca)
	111	{
	112	struct common_audit_data *sa = ca;
	113	struct task_struct *tsk = sa->tsk ? sa->tsk : current;
	114
	115	if (aa_g_audit_header) {
	116	audit_log_format(ab, "apparmor=");
	117	audit_log_string(ab, aa_audit_type[sa->aad.type]);
	118	}
	119
	120	if (sa->aad.op) {
	121	audit_log_format(ab, " operation=");
	122	audit_log_string(ab, op_table[sa->aad.op]);
	123	}
	124
	125	if (sa->aad.info) {
	126	audit_log_format(ab, " info=");
	127	audit_log_string(ab, sa->aad.info);
	128	if (sa->aad.error)
	129	audit_log_format(ab, " error=%d", sa->aad.error);
	130	}
	131
	132	if (sa->aad.profile) {
	133	struct aa_profile *profile = sa->aad.profile;
	134	pid_t pid;
	135	rcu_read_lock();
	136	pid = tsk->real_parent->pid;
	137	rcu_read_unlock();
	138	audit_log_format(ab, " parent=%d", pid);
	139	if (profile->ns != root_ns) {
	140	audit_log_format(ab, " namespace=");
	141	audit_log_untrustedstring(ab, profile->ns->base.hname);
	142	}
	143	audit_log_format(ab, " profile=");
	144	audit_log_untrustedstring(ab, profile->base.hname);
	145	}
	146
	147	if (sa->aad.name) {
	148	audit_log_format(ab, " name=");
	149	audit_log_untrustedstring(ab, sa->aad.name);
	150	}
	151	}
	152
	153	/**
	154	* aa_audit_msg - Log a message to the audit subsystem
	155	* @sa: audit event structure (NOT NULL)
	156	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	157	*/
	158	void aa_audit_msg(int type, struct common_audit_data *sa,
	159	void (cb) (struct audit_buffer , void *))
	160	{
	161	sa->aad.type = type;
	162	sa->lsm_pre_audit = audit_pre;
	163	sa->lsm_post_audit = cb;
	164	common_lsm_audit(sa);
	165	}
	166
	167	/**
	168	* aa_audit - Log a profile based audit event to the audit subsystem
	169	* @type: audit type for the message
	170	* @profile: profile to check against (NOT NULL)
	171	* @gfp: allocation flags to use
	172	* @sa: audit event (NOT NULL)
	173	* @cb: optional callback fn for type specific fields (MAYBE NULL)
	174	*
	175	* Handle default message switching based off of audit mode flags
	176	*
	177	* Returns: error on failure
	178	*/
	179	int aa_audit(int type, struct aa_profile *profile, gfp_t gfp,
	180	struct common_audit_data *sa,
	181	void (cb) (struct audit_buffer , void *))
	182	{
	183	BUG_ON(!profile);
	184
	185	if (type == AUDIT_APPARMOR_AUTO) {
	186	if (likely(!sa->aad.error)) {
	187	if (AUDIT_MODE(profile) != AUDIT_ALL)
	188	return 0;
	189	type = AUDIT_APPARMOR_AUDIT;
	190	} else if (COMPLAIN_MODE(profile))
	191	type = AUDIT_APPARMOR_ALLOWED;
	192	else
	193	type = AUDIT_APPARMOR_DENIED;
	194	}
	195	if (AUDIT_MODE(profile) == AUDIT_QUIET \|\|
	196	(type == AUDIT_APPARMOR_DENIED &&
	197	AUDIT_MODE(profile) == AUDIT_QUIET))
	198	return sa->aad.error;
	199
	200	if (KILL_MODE(profile) && type == AUDIT_APPARMOR_DENIED)
	201	type = AUDIT_APPARMOR_KILL;
	202
	203	if (!unconfined(profile))
	204	sa->aad.profile = profile;
	205
	206	aa_audit_msg(type, sa, cb);
	207
	208	if (sa->aad.type == AUDIT_APPARMOR_KILL)
	209	(void)send_sig_info(SIGKILL, NULL, sa->tsk ? sa->tsk : current);
	210
	211	if (sa->aad.type == AUDIT_APPARMOR_ALLOWED)
	212	return complain_error(sa->aad.error);
	213
	214	return sa->aad.error;
	215	}