security/lsm_audit.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * common LSM auditing functions
   4  *
   5  * Based on code written for SELinux by :
   6  *                      Stephen Smalley, <sds@tycho.nsa.gov>
   7  *                      James Morris <jmorris@redhat.com>
   8  * Author : Etienne Basset, <etienne.basset@ensta.org>
   9  */
  10
  11 #include <linux/types.h>
  12 #include <linux/stddef.h>
  13 #include <linux/kernel.h>
  14 #include <linux/gfp.h>
  15 #include <linux/fs.h>
  16 #include <linux/init.h>
  17 #include <net/sock.h>
  18 #include <linux/un.h>
  19 #include <net/af_unix.h>
  20 #include <linux/audit.h>
  21 #include <linux/ipv6.h>
  22 #include <linux/ip.h>
  23 #include <net/ip.h>
  24 #include <net/ipv6.h>
  25 #include <linux/tcp.h>
  26 #include <linux/udp.h>
  27 #include <linux/dccp.h>
  28 #include <linux/sctp.h>
  29 #include <linux/lsm_audit.h>
  30 #include <linux/security.h>
  31
  32 /**
  33  * ipv4_skb_to_auditdata : fill auditdata from skb
  34  * @skb : the skb
  35  * @ad : the audit data to fill
  36  * @proto : the layer 4 protocol
  37  *
  38  * return  0 on success
  39  */
  40 int ipv4_skb_to_auditdata(struct sk_buff *skb,
  41                 struct common_audit_data *ad, u8 *proto)
  42 {
  43         int ret = 0;
  44         struct iphdr *ih;
  45
  46         ih = ip_hdr(skb);
  47         ad->u.net->v4info.saddr = ih->saddr;
  48         ad->u.net->v4info.daddr = ih->daddr;
  49
  50         if (proto)
  51                 *proto = ih->protocol;
  52         /* non initial fragment */
  53         if (ntohs(ih->frag_off) & IP_OFFSET)
  54                 return 0;
  55
  56         switch (ih->protocol) {
  57         case IPPROTO_TCP: {
  58                 struct tcphdr *th = tcp_hdr(skb);
  59
  60                 ad->u.net->sport = th->source;
  61                 ad->u.net->dport = th->dest;
  62                 break;
  63         }
  64         case IPPROTO_UDP: {
  65                 struct udphdr *uh = udp_hdr(skb);
  66
  67                 ad->u.net->sport = uh->source;
  68                 ad->u.net->dport = uh->dest;
  69                 break;
  70         }
  71         case IPPROTO_DCCP: {
  72                 struct dccp_hdr *dh = dccp_hdr(skb);
  73
  74                 ad->u.net->sport = dh->dccph_sport;
  75                 ad->u.net->dport = dh->dccph_dport;
  76                 break;
  77         }
  78         case IPPROTO_SCTP: {
  79                 struct sctphdr *sh = sctp_hdr(skb);
  80
  81                 ad->u.net->sport = sh->source;
  82                 ad->u.net->dport = sh->dest;
  83                 break;
  84         }
  85         default:
  86                 ret = -EINVAL;
  87         }
  88         return ret;
  89 }
  90 #if IS_ENABLED(CONFIG_IPV6)
  91 /**
  92  * ipv6_skb_to_auditdata : fill auditdata from skb
  93  * @skb : the skb
  94  * @ad : the audit data to fill
  95  * @proto : the layer 4 protocol
  96  *
  97  * return  0 on success
  98  */
  99 int ipv6_skb_to_auditdata(struct sk_buff *skb,
 100                 struct common_audit_data *ad, u8 *proto)
 101 {
 102         int offset, ret = 0;
 103         struct ipv6hdr *ip6;
 104         u8 nexthdr;
 105         __be16 frag_off;
 106
 107         ip6 = ipv6_hdr(skb);
 108         ad->u.net->v6info.saddr = ip6->saddr;
 109         ad->u.net->v6info.daddr = ip6->daddr;
 110         /* IPv6 can have several extension header before the Transport header
 111          * skip them */
 112         offset = skb_network_offset(skb);
 113         offset += sizeof(*ip6);
 114         nexthdr = ip6->nexthdr;
 115         offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
 116         if (offset < 0)
 117                 return 0;
 118         if (proto)
 119                 *proto = nexthdr;
 120         switch (nexthdr) {
 121         case IPPROTO_TCP: {
 122                 struct tcphdr _tcph, *th;
 123
 124                 th = skb_header_pointer(skb, offset, sizeof(_tcph), &_tcph);
 125                 if (th == NULL)
 126                         break;
 127
 128                 ad->u.net->sport = th->source;
 129                 ad->u.net->dport = th->dest;
 130                 break;
 131         }
 132         case IPPROTO_UDP: {
 133                 struct udphdr _udph, *uh;
 134
 135                 uh = skb_header_pointer(skb, offset, sizeof(_udph), &_udph);
 136                 if (uh == NULL)
 137                         break;
 138
 139                 ad->u.net->sport = uh->source;
 140                 ad->u.net->dport = uh->dest;
 141                 break;
 142         }
 143         case IPPROTO_DCCP: {
 144                 struct dccp_hdr _dccph, *dh;
 145
 146                 dh = skb_header_pointer(skb, offset, sizeof(_dccph), &_dccph);
 147                 if (dh == NULL)
 148                         break;
 149
 150                 ad->u.net->sport = dh->dccph_sport;
 151                 ad->u.net->dport = dh->dccph_dport;
 152                 break;
 153         }
 154         case IPPROTO_SCTP: {
 155                 struct sctphdr _sctph, *sh;
 156
 157                 sh = skb_header_pointer(skb, offset, sizeof(_sctph), &_sctph);
 158                 if (sh == NULL)
 159                         break;
 160                 ad->u.net->sport = sh->source;
 161                 ad->u.net->dport = sh->dest;
 162                 break;
 163         }
 164         default:
 165                 ret = -EINVAL;
 166         }
 167         return ret;
 168 }
 169 #endif
 170
 171
 172 static inline void print_ipv6_addr(struct audit_buffer *ab,
 173                                    const struct in6_addr *addr, __be16 port,
 174                                    char *name1, char *name2)
 175 {
 176         if (!ipv6_addr_any(addr))
 177                 audit_log_format(ab, " %s=%pI6c", name1, addr);
 178         if (port)
 179                 audit_log_format(ab, " %s=%d", name2, ntohs(port));
 180 }
 181
 182 static inline void print_ipv4_addr(struct audit_buffer *ab, __be32 addr,
 183                                    __be16 port, char *name1, char *name2)
 184 {
 185         if (addr)
 186                 audit_log_format(ab, " %s=%pI4", name1, &addr);
 187         if (port)
 188                 audit_log_format(ab, " %s=%d", name2, ntohs(port));
 189 }
 190
 191 /**
 192  * dump_common_audit_data - helper to dump common audit data
 193  * @ab : the audit buffer
 194  * @a : common audit data
 195  *
 196  */
 197 static void dump_common_audit_data(struct audit_buffer *ab,
 198                                    struct common_audit_data *a)
 199 {
 200         char comm[sizeof(current->comm)];
 201
 202         /*
 203          * To keep stack sizes in check force programmers to notice if they
 204          * start making this union too large!  See struct lsm_network_audit
 205          * as an example of how to deal with large data.
 206          */
 207         BUILD_BUG_ON(sizeof(a->u) > sizeof(void *)*2);
 208
 209         audit_log_format(ab, " pid=%d comm=", task_tgid_nr(current));
 210         audit_log_untrustedstring(ab, get_task_comm(comm, current));
 211
 212         switch (a->type) {
 213         case LSM_AUDIT_DATA_NONE:
 214                 return;
 215         case LSM_AUDIT_DATA_IPC:
 216                 audit_log_format(ab, " ipc_key=%d ", a->u.ipc_id);
 217                 break;
 218         case LSM_AUDIT_DATA_CAP:
 219                 audit_log_format(ab, " capability=%d ", a->u.cap);
 220                 break;
 221         case LSM_AUDIT_DATA_PATH: {
 222                 struct inode *inode;
 223
 224                 audit_log_d_path(ab, " path=", &a->u.path);
 225
 226                 inode = d_backing_inode(a->u.path.dentry);
 227                 if (inode) {
 228                         audit_log_format(ab, " dev=");
 229                         audit_log_untrustedstring(ab, inode->i_sb->s_id);
 230                         audit_log_format(ab, " ino=%lu", inode->i_ino);
 231                 }
 232                 break;
 233         }
 234         case LSM_AUDIT_DATA_FILE: {
 235                 struct inode *inode;
 236
 237                 audit_log_d_path(ab, " path=", &a->u.file->f_path);
 238
 239                 inode = file_inode(a->u.file);
 240                 if (inode) {
 241                         audit_log_format(ab, " dev=");
 242                         audit_log_untrustedstring(ab, inode->i_sb->s_id);
 243                         audit_log_format(ab, " ino=%lu", inode->i_ino);
 244                 }
 245                 break;
 246         }
 247         case LSM_AUDIT_DATA_IOCTL_OP: {
 248                 struct inode *inode;
 249
 250                 audit_log_d_path(ab, " path=", &a->u.op->path);
 251
 252                 inode = a->u.op->path.dentry->d_inode;
 253                 if (inode) {
 254                         audit_log_format(ab, " dev=");
 255                         audit_log_untrustedstring(ab, inode->i_sb->s_id);
 256                         audit_log_format(ab, " ino=%lu", inode->i_ino);
 257                 }
 258
 259                 audit_log_format(ab, " ioctlcmd=0x%hx", a->u.op->cmd);
 260                 break;
 261         }
 262         case LSM_AUDIT_DATA_DENTRY: {
 263                 struct inode *inode;
 264
 265                 audit_log_format(ab, " name=");
 266                 spin_lock(&a->u.dentry->d_lock);
 267                 audit_log_untrustedstring(ab, a->u.dentry->d_name.name);
 268                 spin_unlock(&a->u.dentry->d_lock);
 269
 270                 inode = d_backing_inode(a->u.dentry);
 271                 if (inode) {
 272                         audit_log_format(ab, " dev=");
 273                         audit_log_untrustedstring(ab, inode->i_sb->s_id);
 274                         audit_log_format(ab, " ino=%lu", inode->i_ino);
 275                 }
 276                 break;
 277         }
 278         case LSM_AUDIT_DATA_INODE: {
 279                 struct dentry *dentry;
 280                 struct inode *inode;
 281
 282                 rcu_read_lock();
 283                 inode = a->u.inode;
 284                 dentry = d_find_alias_rcu(inode);
 285                 if (dentry) {
 286                         audit_log_format(ab, " name=");
 287                         spin_lock(&dentry->d_lock);
 288                         audit_log_untrustedstring(ab, dentry->d_name.name);
 289                         spin_unlock(&dentry->d_lock);
 290                 }
 291                 audit_log_format(ab, " dev=");
 292                 audit_log_untrustedstring(ab, inode->i_sb->s_id);
 293                 audit_log_format(ab, " ino=%lu", inode->i_ino);
 294                 rcu_read_unlock();
 295                 break;
 296         }
 297         case LSM_AUDIT_DATA_TASK: {
 298                 struct task_struct *tsk = a->u.tsk;
 299                 if (tsk) {
 300                         pid_t pid = task_tgid_nr(tsk);
 301                         if (pid) {
 302                                 char comm[sizeof(tsk->comm)];
 303                                 audit_log_format(ab, " opid=%d ocomm=", pid);
 304                                 audit_log_untrustedstring(ab,
 305                                     get_task_comm(comm, tsk));
 306                         }
 307                 }
 308                 break;
 309         }
 310         case LSM_AUDIT_DATA_NET:
 311                 if (a->u.net->sk) {
 312                         const struct sock *sk = a->u.net->sk;
 313                         const struct unix_sock *u;
 314                         struct unix_address *addr;
 315                         int len = 0;
 316                         char *p = NULL;
 317
 318                         switch (sk->sk_family) {
 319                         case AF_INET: {
 320                                 const struct inet_sock *inet = inet_sk(sk);
 321
 322                                 print_ipv4_addr(ab, inet->inet_rcv_saddr,
 323                                                 inet->inet_sport,
 324                                                 "laddr", "lport");
 325                                 print_ipv4_addr(ab, inet->inet_daddr,
 326                                                 inet->inet_dport,
 327                                                 "faddr", "fport");
 328                                 break;
 329                         }
 330 #if IS_ENABLED(CONFIG_IPV6)
 331                         case AF_INET6: {
 332                                 const struct inet_sock *inet = inet_sk(sk);
 333
 334                                 print_ipv6_addr(ab, &sk->sk_v6_rcv_saddr,
 335                                                 inet->inet_sport,
 336                                                 "laddr", "lport");
 337                                 print_ipv6_addr(ab, &sk->sk_v6_daddr,
 338                                                 inet->inet_dport,
 339                                                 "faddr", "fport");
 340                                 break;
 341                         }
 342 #endif
 343                         case AF_UNIX:
 344                                 u = unix_sk(sk);
 345                                 addr = smp_load_acquire(&u->addr);
 346                                 if (!addr)
 347                                         break;
 348                                 if (u->path.dentry) {
 349                                         audit_log_d_path(ab, " path=", &u->path);
 350                                         break;
 351                                 }
 352                                 len = addr->len-sizeof(short);
 353                                 p = &addr->name->sun_path[0];
 354                                 audit_log_format(ab, " path=");
 355                                 if (*p)
 356                                         audit_log_untrustedstring(ab, p);
 357                                 else
 358                                         audit_log_n_hex(ab, p, len);
 359                                 break;
 360                         }
 361                 }
 362
 363                 switch (a->u.net->family) {
 364                 case AF_INET:
 365                         print_ipv4_addr(ab, a->u.net->v4info.saddr,
 366                                         a->u.net->sport,
 367                                         "saddr", "src");
 368                         print_ipv4_addr(ab, a->u.net->v4info.daddr,
 369                                         a->u.net->dport,
 370                                         "daddr", "dest");
 371                         break;
 372                 case AF_INET6:
 373                         print_ipv6_addr(ab, &a->u.net->v6info.saddr,
 374                                         a->u.net->sport,
 375                                         "saddr", "src");
 376                         print_ipv6_addr(ab, &a->u.net->v6info.daddr,
 377                                         a->u.net->dport,
 378                                         "daddr", "dest");
 379                         break;
 380                 }
 381                 if (a->u.net->netif > 0) {
 382                         struct net_device *dev;
 383
 384                         /* NOTE: we always use init's namespace */
 385                         dev = dev_get_by_index(&init_net, a->u.net->netif);
 386                         if (dev) {
 387                                 audit_log_format(ab, " netif=%s", dev->name);
 388                                 dev_put(dev);
 389                         }
 390                 }
 391                 break;
 392 #ifdef CONFIG_KEYS
 393         case LSM_AUDIT_DATA_KEY:
 394                 audit_log_format(ab, " key_serial=%u", a->u.key_struct.key);
 395                 if (a->u.key_struct.key_desc) {
 396                         audit_log_format(ab, " key_desc=");
 397                         audit_log_untrustedstring(ab, a->u.key_struct.key_desc);
 398                 }
 399                 break;
 400 #endif
 401         case LSM_AUDIT_DATA_KMOD:
 402                 audit_log_format(ab, " kmod=");
 403                 audit_log_untrustedstring(ab, a->u.kmod_name);
 404                 break;
 405         case LSM_AUDIT_DATA_IBPKEY: {
 406                 struct in6_addr sbn_pfx;
 407
 408                 memset(&sbn_pfx.s6_addr, 0,
 409                        sizeof(sbn_pfx.s6_addr));
 410                 memcpy(&sbn_pfx.s6_addr, &a->u.ibpkey->subnet_prefix,
 411                        sizeof(a->u.ibpkey->subnet_prefix));
 412                 audit_log_format(ab, " pkey=0x%x subnet_prefix=%pI6c",
 413                                  a->u.ibpkey->pkey, &sbn_pfx);
 414                 break;
 415         }
 416         case LSM_AUDIT_DATA_IBENDPORT:
 417                 audit_log_format(ab, " device=%s port_num=%u",
 418                                  a->u.ibendport->dev_name,
 419                                  a->u.ibendport->port);
 420                 break;
 421         case LSM_AUDIT_DATA_LOCKDOWN:
 422                 audit_log_format(ab, " lockdown_reason=\"%s\"",
 423                                  lockdown_reasons[a->u.reason]);
 424                 break;
 425         case LSM_AUDIT_DATA_ANONINODE:
 426                 audit_log_format(ab, " anonclass=%s", a->u.anonclass);
 427                 break;
 428         } /* switch (a->type) */
 429 }
 430
 431 /**
 432  * common_lsm_audit - generic LSM auditing function
 433  * @a:  auxiliary audit data
 434  * @pre_audit: lsm-specific pre-audit callback
 435  * @post_audit: lsm-specific post-audit callback
 436  *
 437  * setup the audit buffer for common security information
 438  * uses callback to print LSM specific information
 439  */
 440 void common_lsm_audit(struct common_audit_data *a,
 441         void (*pre_audit)(struct audit_buffer *, void *),
 442         void (*post_audit)(struct audit_buffer *, void *))
 443 {
 444         struct audit_buffer *ab;
 445
 446         if (a == NULL)
 447                 return;
 448         /* we use GFP_ATOMIC so we won't sleep */
 449         ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
 450                              AUDIT_AVC);
 451
 452         if (ab == NULL)
 453                 return;
 454
 455         if (pre_audit)
 456                 pre_audit(ab, a);
 457
 458         dump_common_audit_data(ab, a);
 459
 460         if (post_audit)
 461                 post_audit(ab, a);
 462
 463         audit_log_end(ab);
 464 }