Commit fc1c9fd1 authored by John Johansen's avatar John Johansen

apparmor: add ns name to the audit data for policy loads

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 078c73c6
...@@ -113,6 +113,7 @@ struct apparmor_audit_data { ...@@ -113,6 +113,7 @@ struct apparmor_audit_data {
void *target; void *target;
struct { struct {
long pos; long pos;
const char *ns;
void *target; void *target;
} iface; } iface;
struct { struct {
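Review bot: The new `iface.ns` member carries no comment saying what it holds or whether it may be NULL, and nothing in the struct says who owns the pointed-to string. The only reader this commit adds (`audit_cb` in policy.c) tests it for NULL before logging, and `audit_policy` zero-initialises the whole `aad` with `{0,}`, so NULL is an expected state rather than an accident. A one-line comment such as `const char *ns; /* name of ns being manipulated, may be NULL */` would match the `(MAY BE NULL)` wording given to `audit_policy`'s `@nsname` parameter; whether the string must outlive the audit call is not visible here and would be worth stating too.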
...@@ -582,11 +582,23 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace, ...@@ -582,11 +582,23 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
return 0; return 0;
} }
/* audit callback for net specific fields */
static void audit_cb(struct audit_buffer *ab, void *va)
{
struct common_audit_data *sa = va;
if (sa->aad->iface.ns) {
audit_log_format(ab, " ns=");
audit_log_untrustedstring(ab, sa->aad->iface.ns);
}
}
/** /**
* aa_audit_policy - Do auditing of policy changes * aa_audit_policy - Do auditing of policy changes
* @profile: profile to check if it can manage policy * @profile: profile to check if it can manage policy
* @op: policy operation being performed * @op: policy operation being performed
* @gfp: memory allocation flags * @gfp: memory allocation flags
* @nsname: name of the ns being manipulated (MAY BE NULL)
* @name: name of profile being manipulated (NOT NULL) * @name: name of profile being manipulated (NOT NULL)
* @info: any extra information to be audited (MAYBE NULL) * @info: any extra information to be audited (MAYBE NULL)
* @error: error code * @error: error code
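Review bot: The header comment on the new `audit_cb` at the top of this hunk is wrong for what the function does — it reads `/* audit callback for net specific fields */`, but the body only emits the namespace name from `sa->aad->iface.ns`, so the text looks copied from another callback. Replace it with `/* audit callback for policy/namespace specific fields */`. Emitting the name via `audit_log_untrustedstring` rather than a plain format is the right call, since the value appears to reach `iface.ns` from the `ns_name` that `aa_replace_profiles` passes on the failed-prepare path, i.e. presumably from the loaded policy data; a short comment on that line, `/* ns name may come from userspace data; escape it */`, would make the choice deliberate for the next reader. While the kernel-doc block below is being extended with `@nsname`, its first line still says `aa_audit_policy` although the function it documents is `audit_policy`; worth correcting in the same hunk.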
...@@ -594,19 +606,21 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace, ...@@ -594,19 +606,21 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
* Returns: the error to be returned after audit is done * Returns: the error to be returned after audit is done
*/ */
static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp, static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
const char *name, const char *info, int error) const char *nsname, const char *name,
const char *info, int error)
{ {
struct common_audit_data sa; struct common_audit_data sa;
struct apparmor_audit_data aad = {0,}; struct apparmor_audit_data aad = {0,};
sa.type = LSM_AUDIT_DATA_NONE; sa.type = LSM_AUDIT_DATA_NONE;
sa.aad = &aad; sa.aad = &aad;
aad.op = op; aad.op = op;
aad.iface.ns = nsname;
aad.name = name; aad.name = name;
aad.info = info; aad.info = info;
aad.error = error; aad.error = error;
return aa_audit(AUDIT_APPARMOR_STATUS, profile, gfp, return aa_audit(AUDIT_APPARMOR_STATUS, profile, gfp,
&sa, NULL); &sa, audit_cb);
} }
/** /**
...@@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op) ...@@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
{ {
/* check if loading policy is locked out */ /* check if loading policy is locked out */
if (aa_g_lock_policy) if (aa_g_lock_policy)
return audit_policy(profile, op, GFP_KERNEL, NULL, return audit_policy(profile, op, GFP_KERNEL, NULL, NULL,
"policy_locked", -EACCES); "policy_locked", -EACCES);
if (!policy_admin_capable(ns)) if (!policy_admin_capable(ns))
return audit_policy(profile, op, GFP_KERNEL, NULL, return audit_policy(profile, op, GFP_KERNEL, NULL, NULL,
"not policy admin", -EACCES); "not policy admin", -EACCES);
/* TODO: add fine grained mediation of policy loads */ /* TODO: add fine grained mediation of policy loads */
...@@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ...@@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
ns = aa_prepare_ns(view, ns_name); ns = aa_prepare_ns(view, ns_name);
if (!ns) { if (!ns) {
error = audit_policy(__aa_current_profile(), op, GFP_KERNEL, error = audit_policy(__aa_current_profile(), op, GFP_KERNEL,
ns_name, NULL, ns_name,
"failed to prepare namespace", -ENOMEM); "failed to prepare namespace", -ENOMEM);
goto free; goto free;
} }
...@@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ...@@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
list_del_init(&ent->list); list_del_init(&ent->list);
op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL; op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(__aa_current_profile(), op, GFP_ATOMIC, audit_policy(__aa_current_profile(), op, GFP_ATOMIC, NULL,
ent->new->base.hname, NULL, error); ent->new->base.hname, NULL, error);
if (ent->old) { if (ent->old) {
...@@ -950,7 +964,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ...@@ -950,7 +964,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
/* audit cause of failure */ /* audit cause of failure */
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(__aa_current_profile(), op, GFP_KERNEL, audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
ent->new->base.hname, info, error); ent->new->base.hname, info, error);
/* audit status that rest of profiles in the atomic set failed too */ /* audit status that rest of profiles in the atomic set failed too */
info = "valid profile in failed atomic policy load"; info = "valid profile in failed atomic policy load";
...@@ -961,7 +975,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ...@@ -961,7 +975,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
continue; continue;
} }
op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
audit_policy(__aa_current_profile(), op, GFP_KERNEL, audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
tmp->new->base.hname, info, error); tmp->new->base.hname, info, error);
} }
free: free:
...@@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size) ...@@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
/* don't fail removal if audit fails */ /* don't fail removal if audit fails */
(void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL, (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
name, info, error); NULL, name, info, error);
aa_put_ns(ns); aa_put_ns(ns);
aa_put_profile(profile); aa_put_profile(profile);
return size; return size;
...@@ -1047,6 +1061,6 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size) ...@@ -1047,6 +1061,6 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
fail: fail:
(void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL, (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
name, info, error); NULL, name, info, error);
return error; return error;
} }