2 * common LSM auditing functions
4 * Based on code written for SELinux by :
5 * Stephen Smalley, <sds@epoch.ncsc.mil>
6 * James Morris <jmorris@redhat.com>
7 * Author : Etienne Basset, <etienne.basset@ensta.org>
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2,
11 * as published by the Free Software Foundation.
14 #include <linux/types.h>
15 #include <linux/stddef.h>
16 #include <linux/kernel.h>
17 #include <linux/gfp.h>
19 #include <linux/init.h>
22 #include <net/af_unix.h>
23 #include <linux/audit.h>
24 #include <linux/ipv6.h>
28 #include <linux/tcp.h>
29 #include <linux/udp.h>
30 #include <linux/dccp.h>
31 #include <linux/sctp.h>
32 #include <linux/lsm_audit.h>
35 * ipv4_skb_to_auditdata : fill auditdata from skb
37 * @ad : the audit data to fill
38 * @proto : the layer 4 protocol
42 int ipv4_skb_to_auditdata(struct sk_buff
*skb
,
43 struct common_audit_data
*ad
, u8
*proto
)
52 ad
->u
.net
->v4info
.saddr
= ih
->saddr
;
53 ad
->u
.net
->v4info
.daddr
= ih
->daddr
;
56 *proto
= ih
->protocol
;
57 /* non initial fragment */
58 if (ntohs(ih
->frag_off
) & IP_OFFSET
)
61 switch (ih
->protocol
) {
63 struct tcphdr
*th
= tcp_hdr(skb
);
67 ad
->u
.net
->sport
= th
->source
;
68 ad
->u
.net
->dport
= th
->dest
;
72 struct udphdr
*uh
= udp_hdr(skb
);
76 ad
->u
.net
->sport
= uh
->source
;
77 ad
->u
.net
->dport
= uh
->dest
;
81 struct dccp_hdr
*dh
= dccp_hdr(skb
);
85 ad
->u
.net
->sport
= dh
->dccph_sport
;
86 ad
->u
.net
->dport
= dh
->dccph_dport
;
90 struct sctphdr
*sh
= sctp_hdr(skb
);
93 ad
->u
.net
->sport
= sh
->source
;
94 ad
->u
.net
->dport
= sh
->dest
;
102 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
104 * ipv6_skb_to_auditdata : fill auditdata from skb
106 * @ad : the audit data to fill
107 * @proto : the layer 4 protocol
109 * return 0 on success
111 int ipv6_skb_to_auditdata(struct sk_buff
*skb
,
112 struct common_audit_data
*ad
, u8
*proto
)
122 ad
->u
.net
->v6info
.saddr
= ip6
->saddr
;
123 ad
->u
.net
->v6info
.daddr
= ip6
->daddr
;
125 /* IPv6 can have several extension header before the Transport header
127 offset
= skb_network_offset(skb
);
128 offset
+= sizeof(*ip6
);
129 nexthdr
= ip6
->nexthdr
;
130 offset
= ipv6_skip_exthdr(skb
, offset
, &nexthdr
, &frag_off
);
137 struct tcphdr _tcph
, *th
;
139 th
= skb_header_pointer(skb
, offset
, sizeof(_tcph
), &_tcph
);
143 ad
->u
.net
->sport
= th
->source
;
144 ad
->u
.net
->dport
= th
->dest
;
148 struct udphdr _udph
, *uh
;
150 uh
= skb_header_pointer(skb
, offset
, sizeof(_udph
), &_udph
);
154 ad
->u
.net
->sport
= uh
->source
;
155 ad
->u
.net
->dport
= uh
->dest
;
159 struct dccp_hdr _dccph
, *dh
;
161 dh
= skb_header_pointer(skb
, offset
, sizeof(_dccph
), &_dccph
);
165 ad
->u
.net
->sport
= dh
->dccph_sport
;
166 ad
->u
.net
->dport
= dh
->dccph_dport
;
170 struct sctphdr _sctph
, *sh
;
172 sh
= skb_header_pointer(skb
, offset
, sizeof(_sctph
), &_sctph
);
175 ad
->u
.net
->sport
= sh
->source
;
176 ad
->u
.net
->dport
= sh
->dest
;
187 static inline void print_ipv6_addr(struct audit_buffer
*ab
,
188 struct in6_addr
*addr
, __be16 port
,
189 char *name1
, char *name2
)
191 if (!ipv6_addr_any(addr
))
192 audit_log_format(ab
, " %s=%pI6c", name1
, addr
);
194 audit_log_format(ab
, " %s=%d", name2
, ntohs(port
));
197 static inline void print_ipv4_addr(struct audit_buffer
*ab
, __be32 addr
,
198 __be16 port
, char *name1
, char *name2
)
201 audit_log_format(ab
, " %s=%pI4", name1
, &addr
);
203 audit_log_format(ab
, " %s=%d", name2
, ntohs(port
));
207 * dump_common_audit_data - helper to dump common audit data
208 * @a : common audit data
211 static void dump_common_audit_data(struct audit_buffer
*ab
,
212 struct common_audit_data
*a
)
214 char comm
[sizeof(current
->comm
)];
217 * To keep stack sizes in check force programers to notice if they
218 * start making this union too large! See struct lsm_network_audit
219 * as an example of how to deal with large data.
221 BUILD_BUG_ON(sizeof(a
->u
) > sizeof(void *)*2);
223 audit_log_format(ab
, " pid=%d comm=", task_pid_nr(current
));
224 audit_log_untrustedstring(ab
, memcpy(comm
, current
->comm
, sizeof(comm
)));
227 case LSM_AUDIT_DATA_NONE
:
229 case LSM_AUDIT_DATA_IPC
:
230 audit_log_format(ab
, " key=%d ", a
->u
.ipc_id
);
232 case LSM_AUDIT_DATA_CAP
:
233 audit_log_format(ab
, " capability=%d ", a
->u
.cap
);
235 case LSM_AUDIT_DATA_PATH
: {
238 audit_log_d_path(ab
, " path=", &a
->u
.path
);
240 inode
= d_backing_inode(a
->u
.path
.dentry
);
242 audit_log_format(ab
, " dev=");
243 audit_log_untrustedstring(ab
, inode
->i_sb
->s_id
);
244 audit_log_format(ab
, " ino=%lu", inode
->i_ino
);
248 case LSM_AUDIT_DATA_DENTRY
: {
251 audit_log_format(ab
, " name=");
252 audit_log_untrustedstring(ab
, a
->u
.dentry
->d_name
.name
);
254 inode
= d_backing_inode(a
->u
.dentry
);
256 audit_log_format(ab
, " dev=");
257 audit_log_untrustedstring(ab
, inode
->i_sb
->s_id
);
258 audit_log_format(ab
, " ino=%lu", inode
->i_ino
);
262 case LSM_AUDIT_DATA_INODE
: {
263 struct dentry
*dentry
;
267 dentry
= d_find_alias(inode
);
269 audit_log_format(ab
, " name=");
270 audit_log_untrustedstring(ab
,
271 dentry
->d_name
.name
);
274 audit_log_format(ab
, " dev=");
275 audit_log_untrustedstring(ab
, inode
->i_sb
->s_id
);
276 audit_log_format(ab
, " ino=%lu", inode
->i_ino
);
279 case LSM_AUDIT_DATA_TASK
: {
280 struct task_struct
*tsk
= a
->u
.tsk
;
282 pid_t pid
= task_pid_nr(tsk
);
284 char comm
[sizeof(tsk
->comm
)];
285 audit_log_format(ab
, " pid=%d comm=", pid
);
286 audit_log_untrustedstring(ab
,
287 memcpy(comm
, tsk
->comm
, sizeof(comm
)));
292 case LSM_AUDIT_DATA_NET
:
294 struct sock
*sk
= a
->u
.net
->sk
;
299 switch (sk
->sk_family
) {
301 struct inet_sock
*inet
= inet_sk(sk
);
303 print_ipv4_addr(ab
, inet
->inet_rcv_saddr
,
306 print_ipv4_addr(ab
, inet
->inet_daddr
,
311 #if IS_ENABLED(CONFIG_IPV6)
313 struct inet_sock
*inet
= inet_sk(sk
);
315 print_ipv6_addr(ab
, &sk
->sk_v6_rcv_saddr
,
318 print_ipv6_addr(ab
, &sk
->sk_v6_daddr
,
326 if (u
->path
.dentry
) {
327 audit_log_d_path(ab
, " path=", &u
->path
);
332 len
= u
->addr
->len
-sizeof(short);
333 p
= &u
->addr
->name
->sun_path
[0];
334 audit_log_format(ab
, " path=");
336 audit_log_untrustedstring(ab
, p
);
338 audit_log_n_hex(ab
, p
, len
);
343 switch (a
->u
.net
->family
) {
345 print_ipv4_addr(ab
, a
->u
.net
->v4info
.saddr
,
348 print_ipv4_addr(ab
, a
->u
.net
->v4info
.daddr
,
353 print_ipv6_addr(ab
, &a
->u
.net
->v6info
.saddr
,
356 print_ipv6_addr(ab
, &a
->u
.net
->v6info
.daddr
,
361 if (a
->u
.net
->netif
> 0) {
362 struct net_device
*dev
;
364 /* NOTE: we always use init's namespace */
365 dev
= dev_get_by_index(&init_net
, a
->u
.net
->netif
);
367 audit_log_format(ab
, " netif=%s", dev
->name
);
373 case LSM_AUDIT_DATA_KEY
:
374 audit_log_format(ab
, " key_serial=%u", a
->u
.key_struct
.key
);
375 if (a
->u
.key_struct
.key_desc
) {
376 audit_log_format(ab
, " key_desc=");
377 audit_log_untrustedstring(ab
, a
->u
.key_struct
.key_desc
);
381 case LSM_AUDIT_DATA_KMOD
:
382 audit_log_format(ab
, " kmod=");
383 audit_log_untrustedstring(ab
, a
->u
.kmod_name
);
385 } /* switch (a->type) */
389 * common_lsm_audit - generic LSM auditing function
390 * @a: auxiliary audit data
391 * @pre_audit: lsm-specific pre-audit callback
392 * @post_audit: lsm-specific post-audit callback
394 * setup the audit buffer for common security information
395 * uses callback to print LSM specific information
397 void common_lsm_audit(struct common_audit_data
*a
,
398 void (*pre_audit
)(struct audit_buffer
*, void *),
399 void (*post_audit
)(struct audit_buffer
*, void *))
401 struct audit_buffer
*ab
;
405 /* we use GFP_ATOMIC so we won't sleep */
406 ab
= audit_log_start(current
->audit_context
, GFP_ATOMIC
| __GFP_NOWARN
,
415 dump_common_audit_data(ab
, a
);