2019-06-01 16:08:55 +08:00
|
|
|
/* SPDX-License-Identifier: GPL-2.0-only */
|
2010-07-30 05:47:58 +08:00
|
|
|
/*
|
|
|
|
* AppArmor security module
|
|
|
|
*
|
|
|
|
* This file contains AppArmor auditing function definitions.
|
|
|
|
*
|
|
|
|
* Copyright (C) 1998-2008 Novell/SUSE
|
|
|
|
* Copyright 2009-2010 Canonical Ltd.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#ifndef __AA_AUDIT_H
|
|
|
|
#define __AA_AUDIT_H
|
|
|
|
|
|
|
|
#include <linux/audit.h>
|
|
|
|
#include <linux/fs.h>
|
|
|
|
#include <linux/lsm_audit.h>
|
|
|
|
#include <linux/sched.h>
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
|
|
|
#include "file.h"
|
2017-06-09 23:14:28 +08:00
|
|
|
#include "label.h"
|
2010-07-30 05:47:58 +08:00
|
|
|
|
2012-03-14 20:30:36 +08:00
|
|
|
extern const char *const audit_mode_names[];
|
2010-07-30 05:47:58 +08:00
|
|
|
#define AUDIT_MAX_INDEX 5
|
|
|
|
enum audit_mode {
|
|
|
|
AUDIT_NORMAL, /* follow normal auditing of accesses */
|
|
|
|
AUDIT_QUIET_DENIED, /* quiet all denied access messages */
|
|
|
|
AUDIT_QUIET, /* quiet all messages */
|
|
|
|
AUDIT_NOQUIET, /* do not quiet audit messages */
|
|
|
|
AUDIT_ALL /* audit all accesses */
|
|
|
|
};
|
|
|
|
|
|
|
|
enum audit_type {
|
|
|
|
AUDIT_APPARMOR_AUDIT,
|
|
|
|
AUDIT_APPARMOR_ALLOWED,
|
|
|
|
AUDIT_APPARMOR_DENIED,
|
|
|
|
AUDIT_APPARMOR_HINT,
|
|
|
|
AUDIT_APPARMOR_STATUS,
|
|
|
|
AUDIT_APPARMOR_ERROR,
|
2012-02-22 16:20:26 +08:00
|
|
|
AUDIT_APPARMOR_KILL,
|
|
|
|
AUDIT_APPARMOR_AUTO
|
2010-07-30 05:47:58 +08:00
|
|
|
};
|
|
|
|
|
2017-01-16 16:43:01 +08:00
|
|
|
#define OP_NULL NULL
|
|
|
|
|
|
|
|
#define OP_SYSCTL "sysctl"
|
|
|
|
#define OP_CAPABLE "capable"
|
|
|
|
|
|
|
|
#define OP_UNLINK "unlink"
|
|
|
|
#define OP_MKDIR "mkdir"
|
|
|
|
#define OP_RMDIR "rmdir"
|
|
|
|
#define OP_MKNOD "mknod"
|
|
|
|
#define OP_TRUNC "truncate"
|
|
|
|
#define OP_LINK "link"
|
|
|
|
#define OP_SYMLINK "symlink"
|
|
|
|
#define OP_RENAME_SRC "rename_src"
|
|
|
|
#define OP_RENAME_DEST "rename_dest"
|
|
|
|
#define OP_CHMOD "chmod"
|
|
|
|
#define OP_CHOWN "chown"
|
|
|
|
#define OP_GETATTR "getattr"
|
|
|
|
#define OP_OPEN "open"
|
|
|
|
|
2017-06-10 08:15:56 +08:00
|
|
|
#define OP_FRECEIVE "file_receive"
|
2017-01-16 16:43:01 +08:00
|
|
|
#define OP_FPERM "file_perm"
|
|
|
|
#define OP_FLOCK "file_lock"
|
|
|
|
#define OP_FMMAP "file_mmap"
|
|
|
|
#define OP_FMPROT "file_mprotect"
|
2017-06-10 02:58:42 +08:00
|
|
|
#define OP_INHERIT "file_inherit"
|
2017-01-16 16:43:01 +08:00
|
|
|
|
apparmor: add mount mediation
Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.
default userspace policy rules have the form of
MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )
MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
[ '->' MOUNTPOINT FILEGLOB ]
REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
MOUNTPOINT FILEGLOB
UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
MOUNT FSTYPE EXPRESSION ]
[ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]
MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )
MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
virtual filesystem types (eg ext4, debugfs, etc)
MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )
MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.
MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
'unbindable' | 'runbindable' | 'private' | 'rprivate' |
'slave' | 'rslave' | 'shared' | 'rshared' |
'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
'strictatime' | 'nouser' | 'user' )
MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...
PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
[ NEW ROOT FILEGLOB ]
SOURCE FILEGLOB = FILEGLOB
MOUNTPOINT FILEGLOB = FILEGLOB
eg.
mount,
mount /dev/foo,
mount options=ro /dev/foo -> /mnt/,
mount options in (ro,atime) /dev/foo -> /mnt/,
mount options=ro options=atime,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-19 14:04:47 +08:00
|
|
|
#define OP_PIVOTROOT "pivotroot"
|
|
|
|
#define OP_MOUNT "mount"
|
|
|
|
#define OP_UMOUNT "umount"
|
|
|
|
|
2017-01-16 16:43:01 +08:00
|
|
|
#define OP_CREATE "create"
|
|
|
|
#define OP_POST_CREATE "post_create"
|
|
|
|
#define OP_BIND "bind"
|
|
|
|
#define OP_CONNECT "connect"
|
|
|
|
#define OP_LISTEN "listen"
|
|
|
|
#define OP_ACCEPT "accept"
|
|
|
|
#define OP_SENDMSG "sendmsg"
|
|
|
|
#define OP_RECVMSG "recvmsg"
|
|
|
|
#define OP_GETSOCKNAME "getsockname"
|
|
|
|
#define OP_GETPEERNAME "getpeername"
|
|
|
|
#define OP_GETSOCKOPT "getsockopt"
|
|
|
|
#define OP_SETSOCKOPT "setsockopt"
|
|
|
|
#define OP_SHUTDOWN "socket_shutdown"
|
|
|
|
|
|
|
|
#define OP_PTRACE "ptrace"
|
2017-07-19 13:56:22 +08:00
|
|
|
#define OP_SIGNAL "signal"
|
2017-01-16 16:43:01 +08:00
|
|
|
|
|
|
|
#define OP_EXEC "exec"
|
|
|
|
|
|
|
|
#define OP_CHANGE_HAT "change_hat"
|
|
|
|
#define OP_CHANGE_PROFILE "change_profile"
|
|
|
|
#define OP_CHANGE_ONEXEC "change_onexec"
|
2017-06-10 08:11:17 +08:00
|
|
|
#define OP_STACK "stack"
|
|
|
|
#define OP_STACK_ONEXEC "stack_onexec"
|
2017-01-16 16:43:01 +08:00
|
|
|
|
|
|
|
#define OP_SETPROCATTR "setprocattr"
|
|
|
|
#define OP_SETRLIMIT "setrlimit"
|
|
|
|
|
|
|
|
#define OP_PROF_REPL "profile_replace"
|
|
|
|
#define OP_PROF_LOAD "profile_load"
|
|
|
|
#define OP_PROF_RM "profile_remove"
|
2010-07-30 05:47:58 +08:00
|
|
|
|
|
|
|
|
2012-04-04 00:37:02 +08:00
|
|
|
struct apparmor_audit_data {
|
|
|
|
int error;
|
|
|
|
int type;
|
2017-06-09 23:14:28 +08:00
|
|
|
const char *op;
|
|
|
|
struct aa_label *label;
|
2012-04-04 00:37:02 +08:00
|
|
|
const char *name;
|
|
|
|
const char *info;
|
2017-05-30 03:16:04 +08:00
|
|
|
u32 request;
|
|
|
|
u32 denied;
|
2012-04-04 00:37:02 +08:00
|
|
|
union {
|
2017-01-16 16:43:02 +08:00
|
|
|
/* these entries require a custom callback fn */
|
2012-04-04 00:37:02 +08:00
|
|
|
struct {
|
2017-06-09 23:14:28 +08:00
|
|
|
struct aa_label *peer;
|
2017-11-22 23:33:38 +08:00
|
|
|
union {
|
|
|
|
struct {
|
|
|
|
const char *target;
|
|
|
|
kuid_t ouid;
|
|
|
|
} fs;
|
2018-02-09 20:57:39 +08:00
|
|
|
struct {
|
|
|
|
int rlim;
|
|
|
|
unsigned long max;
|
|
|
|
} rlim;
|
2018-02-01 19:32:02 +08:00
|
|
|
struct {
|
|
|
|
int signal;
|
|
|
|
int unmappedsig;
|
|
|
|
};
|
2017-07-19 14:18:33 +08:00
|
|
|
struct {
|
|
|
|
int type, protocol;
|
|
|
|
struct sock *peer_sk;
|
|
|
|
void *addr;
|
|
|
|
int addrlen;
|
|
|
|
} net;
|
2017-11-22 23:33:38 +08:00
|
|
|
};
|
2017-01-16 16:43:02 +08:00
|
|
|
};
|
|
|
|
struct {
|
2017-07-19 14:37:18 +08:00
|
|
|
struct aa_profile *profile;
|
2017-01-16 16:42:54 +08:00
|
|
|
const char *ns;
|
2017-07-19 14:37:18 +08:00
|
|
|
long pos;
|
2012-04-04 00:37:02 +08:00
|
|
|
} iface;
|
apparmor: add mount mediation
Add basic mount mediation. That allows controlling based on basic
mount parameters. It does not include special mount parameters for
apparmor, super block labeling, or any triggers for apparmor namespace
parameter modifications on pivot root.
default userspace policy rules have the form of
MOUNT RULE = ( MOUNT | REMOUNT | UMOUNT )
MOUNT = [ QUALIFIERS ] 'mount' [ MOUNT CONDITIONS ] [ SOURCE FILEGLOB ]
[ '->' MOUNTPOINT FILEGLOB ]
REMOUNT = [ QUALIFIERS ] 'remount' [ MOUNT CONDITIONS ]
MOUNTPOINT FILEGLOB
UMOUNT = [ QUALIFIERS ] 'umount' [ MOUNT CONDITIONS ] MOUNTPOINT FILEGLOB
MOUNT CONDITIONS = [ ( 'fstype' | 'vfstype' ) ( '=' | 'in' )
MOUNT FSTYPE EXPRESSION ]
[ 'options' ( '=' | 'in' ) MOUNT FLAGS EXPRESSION ]
MOUNT FSTYPE EXPRESSION = ( MOUNT FSTYPE LIST | MOUNT EXPRESSION )
MOUNT FSTYPE LIST = Comma separated list of valid filesystem and
virtual filesystem types (eg ext4, debugfs, etc)
MOUNT FLAGS EXPRESSION = ( MOUNT FLAGS LIST | MOUNT EXPRESSION )
MOUNT FLAGS LIST = Comma separated list of MOUNT FLAGS.
MOUNT FLAGS = ( 'ro' | 'rw' | 'nosuid' | 'suid' | 'nodev' | 'dev' |
'noexec' | 'exec' | 'sync' | 'async' | 'remount' |
'mand' | 'nomand' | 'dirsync' | 'noatime' | 'atime' |
'nodiratime' | 'diratime' | 'bind' | 'rbind' | 'move' |
'verbose' | 'silent' | 'loud' | 'acl' | 'noacl' |
'unbindable' | 'runbindable' | 'private' | 'rprivate' |
'slave' | 'rslave' | 'shared' | 'rshared' |
'relatime' | 'norelatime' | 'iversion' | 'noiversion' |
'strictatime' | 'nouser' | 'user' )
MOUNT EXPRESSION = ( ALPHANUMERIC | AARE ) ...
PIVOT ROOT RULE = [ QUALIFIERS ] pivot_root [ oldroot=OLD PUT FILEGLOB ]
[ NEW ROOT FILEGLOB ]
SOURCE FILEGLOB = FILEGLOB
MOUNTPOINT FILEGLOB = FILEGLOB
eg.
mount,
mount /dev/foo,
mount options=ro /dev/foo -> /mnt/,
mount options in (ro,atime) /dev/foo -> /mnt/,
mount options=ro options=atime,
Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Seth Arnold <seth.arnold@canonical.com>
2017-07-19 14:04:47 +08:00
|
|
|
struct {
|
|
|
|
const char *src_name;
|
|
|
|
const char *type;
|
|
|
|
const char *trans;
|
|
|
|
const char *data;
|
|
|
|
unsigned long flags;
|
|
|
|
} mnt;
|
2012-04-04 00:37:02 +08:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2017-01-16 16:43:02 +08:00
|
|
|
/* macros for dealing with apparmor_audit_data structure */
|
|
|
|
#define aad(SA) ((SA)->apparmor_audit_data)
|
|
|
|
#define DEFINE_AUDIT_DATA(NAME, T, X) \
|
|
|
|
/* TODO: cleanup audit init so we don't need _aad = {0,} */ \
|
|
|
|
struct apparmor_audit_data NAME ## _aad = { .op = (X), }; \
|
|
|
|
struct common_audit_data NAME = \
|
|
|
|
{ \
|
|
|
|
.type = (T), \
|
|
|
|
.u.tsk = NULL, \
|
|
|
|
}; \
|
|
|
|
NAME.apparmor_audit_data = &(NAME ## _aad)
|
2010-07-30 05:47:58 +08:00
|
|
|
|
|
|
|
void aa_audit_msg(int type, struct common_audit_data *sa,
|
|
|
|
void (*cb) (struct audit_buffer *, void *));
|
2017-01-16 16:43:02 +08:00
|
|
|
int aa_audit(int type, struct aa_profile *profile, struct common_audit_data *sa,
|
2010-07-30 05:47:58 +08:00
|
|
|
void (*cb) (struct audit_buffer *, void *));
|
|
|
|
|
2017-01-16 16:43:02 +08:00
|
|
|
#define aa_audit_error(ERROR, SA, CB) \
|
|
|
|
({ \
|
|
|
|
aad((SA))->error = (ERROR); \
|
|
|
|
aa_audit_msg(AUDIT_APPARMOR_ERROR, (SA), (CB)); \
|
|
|
|
aad((SA))->error; \
|
|
|
|
})
|
|
|
|
|
|
|
|
|
2010-07-30 05:47:58 +08:00
|
|
|
static inline int complain_error(int error)
|
|
|
|
{
|
|
|
|
if (error == -EPERM || error == -EACCES)
|
|
|
|
return 0;
|
|
|
|
return error;
|
|
|
|
}
|
|
|
|
|
2018-04-17 02:23:58 +08:00
|
|
|
void aa_audit_rule_free(void *vrule);
|
|
|
|
int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
|
|
|
|
int aa_audit_rule_known(struct audit_krule *rule);
|
2019-02-01 00:52:11 +08:00
|
|
|
int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule);
|
2018-04-17 02:23:58 +08:00
|
|
|
|
2010-07-30 05:47:58 +08:00
|
|
|
#endif /* __AA_AUDIT_H */
|