apparmor: add mediation class information to auditing
authorJohn Johansen <john.johansen@canonical.com>
Tue, 19 Apr 2022 23:25:55 +0000 (16:25 -0700)
committerJohn Johansen <john.johansen@canonical.com>
Mon, 3 Oct 2022 21:49:03 +0000 (14:49 -0700)
Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediation class to the messages.

Signed-off-by: John Johansen <john.johansen@canonical.com>
14 files changed:
security/apparmor/audit.c
security/apparmor/capability.c
security/apparmor/file.c
security/apparmor/include/apparmor.h
security/apparmor/include/audit.h
security/apparmor/include/net.h
security/apparmor/ipc.c
security/apparmor/lib.c
security/apparmor/lsm.c
security/apparmor/mount.c
security/apparmor/policy.c
security/apparmor/policy_unpack.c
security/apparmor/resource.c
security/apparmor/task.c

index 704b0c895605a77c487b3c48682dcdbdec04a367..e638f7bc9f528afbbb92bdd1707e9f03c29f9b79 100644 (file)
@@ -36,6 +36,28 @@ static const char *const aa_audit_type[] = {
        "AUTO"
 };
 
+static const char *const aa_class_names[] = {
+       "none",
+       "unknown",
+       "file",
+       "cap",
+       "net",
+       "rlimits",
+       "domain",
+       "mount",
+       "unknown",
+       "ptrace",
+       "signal",
+       "unknown",
+       "unknown",
+       "unknown",
+       "net",
+       "unknown",
+       "label",
+       "lsm",
+};
+
+
 /*
  * Currently AppArmor auditing is fed straight into the audit framework.
  *
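Review bot: The new aa_class_names[] table is positional, indexed by the AA_CLASS_* values from apparmor.h (index 2 is "file" and index 3 is "cap", matching AA_CLASS_FILE 2 and AA_CLASS_CAP 3 in this commit), but nothing in the hunk says so, and the repeated "unknown" and "net" entries read like mistakes rather than gap fillers. A header comment above the table, `/* indexed by AA_CLASS_* value; unused slots hold "unknown", keep in sync with apparmor.h */`, would make the contract explicit for the next person who adds a class.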
@@ -65,6 +87,12 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
                audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
        }
 
+       if (aad(sa)->class)
+               audit_log_format(ab, " class=\"%s\"",
+                                aad(sa)->class <= AA_CLASS_LAST ?
+                                aa_class_names[aad(sa)->class] :
+                                "unknown");
+
        if (aad(sa)->info) {
                audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
                if (aad(sa)->error)
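Review bot: The added lookup in audit_pre() bounds the index by AA_CLASS_LAST rather than by the size of aa_class_names[], so the two can silently diverge: an AA_CLASS_* value larger than the table's last index but not larger than AA_CLASS_LAST would read past the array into the audit record. Either bound by the table itself, `aad(sa)->class < ARRAY_SIZE(aa_class_names) ? aa_class_names[aad(sa)->class] : "unknown"`, or add `static_assert(ARRAY_SIZE(aa_class_names) == AA_CLASS_LAST + 1);` after the table so a new class define cannot land without a name. Whether the table and AA_CLASS_LAST actually agree at this commit cannot be confirmed from the diff, since the value of AA_CLASS_LAST is not shown. audit_pre() starts and ends outside the hunk.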
index deccea8654ad8302a721aa93ff3a10cf8baf1a4d..6cabd6109f12a9ed792de30f2e0a713706db0569 100644 (file)
@@ -148,7 +148,7 @@ int aa_capable(struct aa_label *label, int cap, unsigned int opts)
 {
        struct aa_profile *profile;
        int error = 0;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);
 
        sa.u.cap = cap;
        error = fn_for_each_confined(label, profile,
index 636efcade3f58b1727e63a46686bb43c94af2abe..69d936d04f948cc438e539b375f63fb6b0154672 100644 (file)
@@ -95,7 +95,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
                  kuid_t ouid, const char *info, int error)
 {
        int type = AUDIT_APPARMOR_AUTO;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);
 
        sa.u.tsk = NULL;
        aad(&sa)->request = request;
index 8fd66a4ca0b86d0b7f4b1b31d594c7e37a3c7c7d..6d9ca075fcb9c9db83b70399e51b2d06163c72aa 100644 (file)
@@ -16,7 +16,7 @@
 /*
  * Class of mediation types in the AppArmor policy db
  */
-#define AA_CLASS_ENTRY         0
+#define AA_CLASS_NONE          0
 #define AA_CLASS_UNKNOWN       1
 #define AA_CLASS_FILE          2
 #define AA_CLASS_CAP           3
index 18519a4eb67e3cc46c729dd4baba2571fac42cba..c328f07f11cd8345360f6c102bacd8cd5796b5be 100644 (file)
@@ -107,6 +107,7 @@ enum audit_type {
 struct apparmor_audit_data {
        int error;
        int type;
+       u16 class;
        const char *op;
        struct aa_label *label;
        const char *name;
@@ -155,9 +156,12 @@ struct apparmor_audit_data {
 
 /* macros for dealing with  apparmor_audit_data structure */
 #define aad(SA) ((SA)->apparmor_audit_data)
-#define DEFINE_AUDIT_DATA(NAME, T, X)                                  \
+#define DEFINE_AUDIT_DATA(NAME, T, C, X)                               \
        /* TODO: cleanup audit init so we don't need _aad = {0,} */     \
-       struct apparmor_audit_data NAME ## _aad = { .op = (X), };       \
+       struct apparmor_audit_data NAME ## _aad = {                     \
+               .class = (C),                                           \
+               .op = (X),                                              \
+       };                                                              \
        struct common_audit_data NAME =                                 \
        {                                                               \
        .type = (T),                                                    \
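Review bot: DEFINE_AUDIT_DATA gains a fourth positional parameter, but the macro still carries no comment describing its arguments, so every caller updated in this commit has to know the (T, C, X) order from the definition alone. A short comment above the macro, `/* NAME: variable to define, T: LSM_AUDIT_DATA_* type, C: AA_CLASS_* mediation class, X: operation string */`, would document the contract. The macro body continues past the end of the hunk.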
index aadb4b29fb66e421a8dc6200f9aa8c3f4cd0da1d..6fa440b5daed8daec267f468330295988ca09c32 100644 (file)
@@ -59,6 +59,7 @@ struct aa_sk_ctx {
        DEFINE_AUDIT_DATA(NAME,                                           \
                          ((SK) && (F) != AF_UNIX) ? LSM_AUDIT_DATA_NET : \
                                                     LSM_AUDIT_DATA_NONE, \
+                                                    AA_CLASS_NET,        \
                          OP);                                            \
        NAME.u.net = &(NAME ## _net);                                     \
        aad(&NAME)->net.type = (T);                                       \
index 7255a9d52372880e1e8a942c6d2b1b9c92642f0c..4ecaf2ba26c549bde57b13c93458c45edca4ceef 100644 (file)
@@ -98,7 +98,7 @@ static int profile_signal_perm(struct aa_profile *profile,
 int aa_may_signal(struct aa_label *sender, struct aa_label *target, int sig)
 {
        struct aa_profile *profile;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SIGNAL);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_SIGNAL, OP_SIGNAL);
 
        aad(&sa)->signal = map_signal_num(sig);
        aad(&sa)->unmappedsig = sig;
index 69aeb2dbd6d6bb1fd6e7a8d3bc4ca1ea80989911..768cc182e9cabc2ff51d6e35cdc4dd4f27aabc74 100644 (file)
@@ -143,7 +143,7 @@ const char *aa_splitn_fqname(const char *fqname, size_t n, const char **ns_name,
 void aa_info_message(const char *str)
 {
        if (audit_enabled) {
-               DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
+               DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
 
                aad(&sa)->info = str;
                aa_audit_msg(AUDIT_APPARMOR_STATUS, &sa, NULL);
index ec873ff0a4bbb256e9acbda6c74cd99d87f88f8b..784709286a6263457f14443fb97022c63709892f 100644 (file)
@@ -647,7 +647,8 @@ static int apparmor_setprocattr(const char *name, void *value,
        char *command, *largs = NULL, *args = value;
        size_t arg_size;
        int error;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETPROCATTR);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE,
+                         OP_SETPROCATTR);
 
        if (size == 0)
                return -EINVAL;
index 84aaf25e5deef115171d904efcaa19589b6afb46..02d8215cb9fd6883e9d607933449b43e57aabd5d 100644 (file)
@@ -134,7 +134,7 @@ static int audit_mount(struct aa_profile *profile, const char *op,
                       struct aa_perms *perms, const char *info, int error)
 {
        int audit_type = AUDIT_APPARMOR_AUTO;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_MOUNT, op);
 
        if (likely(!error)) {
                u32 mask = perms->audit;
index cdcf26c9bed575fa02d56752e779a2be5a72a1fe..6222236de02168dc9ed3cb489d9f105d3b9f3f13 100644 (file)
@@ -617,7 +617,7 @@ static int audit_policy(struct aa_label *label, const char *op,
                        const char *ns_name, const char *name,
                        const char *info, int error)
 {
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, op);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, op);
 
        aad(&sa)->iface.ns = ns_name;
        aad(&sa)->name = name;
index df39ee8f4e03db2b2d4c8514c26e8d6edd019fe8..4bf33bd0ca694ef009d75907c9b72141961fc5f4 100644 (file)
@@ -100,7 +100,7 @@ static int audit_iface(struct aa_profile *new, const char *ns_name,
                       int error)
 {
        struct aa_profile *profile = labels_profile(aa_current_raw_label());
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, NULL);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_NONE, NULL);
        if (e)
                aad(&sa)->iface.pos = e->pos - e->start;
        aad(&sa)->iface.ns = ns_name;
index 1ae4874251a965aa0c0b4abe0ec166420f9a2db5..cc018469e22d75e01d2158cb8459922508417c30 100644 (file)
@@ -53,7 +53,8 @@ static int audit_resource(struct aa_profile *profile, unsigned int resource,
                          unsigned long value, struct aa_label *peer,
                          const char *info, int error)
 {
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_SETRLIMIT);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_RLIMITS,
+                         OP_SETRLIMIT);
 
        aad(&sa)->rlim.rlim = resource;
        aad(&sa)->rlim.max = value;
index 503dc0877fb1afbd9f36eac644fae7a89ab87479..b19900f85c148638a0136ead27937a995dbc647e 100644 (file)
@@ -285,7 +285,7 @@ int aa_may_ptrace(struct aa_label *tracer, struct aa_label *tracee,
 {
        struct aa_profile *profile;
        u32 xrequest = request << PTRACE_PERM_SHIFT;
-       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, OP_PTRACE);
+       DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_NONE, AA_CLASS_PTRACE, OP_PTRACE);
 
        return xcheck_labels(tracer, tracee, profile,
                        profile_tracer_perm(profile, tracee, request, &sa),