1 // SPDX-License-Identifier: GPL-2.0-only 1
2 /*
3 * common LSM auditing functions
4 *
5 * Based on code written for SELinux by :
6 * Stephen Smalley, <sds@
7 * James Morris <jmorris@
8 * Author : Etienne Basset, <etienne.basset@en
9 */
10
11 #include <linux/types.h>
12 #include <linux/stddef.h>
13 #include <linux/kernel.h>
14 #include <linux/gfp.h>
15 #include <linux/fs.h>
16 #include <linux/init.h>
17 #include <net/sock.h>
18 #include <linux/un.h>
19 #include <net/af_unix.h>
20 #include <linux/audit.h>
21 #include <linux/ipv6.h>
22 #include <linux/ip.h>
23 #include <net/ip.h>
24 #include <net/ipv6.h>
25 #include <linux/tcp.h>
26 #include <linux/udp.h>
27 #include <linux/dccp.h>
28 #include <linux/sctp.h>
29 #include <linux/lsm_audit.h>
30 #include <linux/security.h>
31
32 /**
33 * ipv4_skb_to_auditdata : fill auditdata from
34 * @skb : the skb
35 * @ad : the audit data to fill
36 * @proto : the layer 4 protocol
37 *
38 * return 0 on success
39 */
40 int ipv4_skb_to_auditdata(struct sk_buff *skb,
41 struct common_audit_data *ad,
42 {
43 int ret = 0;
44 struct iphdr *ih;
45
46 ih = ip_hdr(skb);
47 ad->u.net->v4info.saddr = ih->saddr;
48 ad->u.net->v4info.daddr = ih->daddr;
49
50 if (proto)
51 *proto = ih->protocol;
52 /* non initial fragment */
53 if (ntohs(ih->frag_off) & IP_OFFSET)
54 return 0;
55
56 switch (ih->protocol) {
57 case IPPROTO_TCP: {
58 struct tcphdr *th = tcp_hdr(sk
59
60 ad->u.net->sport = th->source;
61 ad->u.net->dport = th->dest;
62 break;
63 }
64 case IPPROTO_UDP: {
65 struct udphdr *uh = udp_hdr(sk
66
67 ad->u.net->sport = uh->source;
68 ad->u.net->dport = uh->dest;
69 break;
70 }
71 case IPPROTO_DCCP: {
72 struct dccp_hdr *dh = dccp_hdr
73
74 ad->u.net->sport = dh->dccph_s
75 ad->u.net->dport = dh->dccph_d
76 break;
77 }
78 case IPPROTO_SCTP: {
79 struct sctphdr *sh = sctp_hdr(
80
81 ad->u.net->sport = sh->source;
82 ad->u.net->dport = sh->dest;
83 break;
84 }
85 default:
86 ret = -EINVAL;
87 }
88 return ret;
89 }
90 #if IS_ENABLED(CONFIG_IPV6)
91 /**
92 * ipv6_skb_to_auditdata : fill auditdata from
93 * @skb : the skb
94 * @ad : the audit data to fill
95 * @proto : the layer 4 protocol
96 *
97 * return 0 on success
98 */
99 int ipv6_skb_to_auditdata(struct sk_buff *skb,
100 struct common_audit_data *ad,
101 {
102 int offset, ret = 0;
103 struct ipv6hdr *ip6;
104 u8 nexthdr;
105 __be16 frag_off;
106
107 ip6 = ipv6_hdr(skb);
108 ad->u.net->v6info.saddr = ip6->saddr;
109 ad->u.net->v6info.daddr = ip6->daddr;
110 /* IPv6 can have several extension hea
111 * skip them */
112 offset = skb_network_offset(skb);
113 offset += sizeof(*ip6);
114 nexthdr = ip6->nexthdr;
115 offset = ipv6_skip_exthdr(skb, offset,
116 if (offset < 0)
117 return 0;
118 if (proto)
119 *proto = nexthdr;
120 switch (nexthdr) {
121 case IPPROTO_TCP: {
122 struct tcphdr _tcph, *th;
123
124 th = skb_header_pointer(skb, o
125 if (th == NULL)
126 break;
127
128 ad->u.net->sport = th->source;
129 ad->u.net->dport = th->dest;
130 break;
131 }
132 case IPPROTO_UDP: {
133 struct udphdr _udph, *uh;
134
135 uh = skb_header_pointer(skb, o
136 if (uh == NULL)
137 break;
138
139 ad->u.net->sport = uh->source;
140 ad->u.net->dport = uh->dest;
141 break;
142 }
143 case IPPROTO_DCCP: {
144 struct dccp_hdr _dccph, *dh;
145
146 dh = skb_header_pointer(skb, o
147 if (dh == NULL)
148 break;
149
150 ad->u.net->sport = dh->dccph_s
151 ad->u.net->dport = dh->dccph_d
152 break;
153 }
154 case IPPROTO_SCTP: {
155 struct sctphdr _sctph, *sh;
156
157 sh = skb_header_pointer(skb, o
158 if (sh == NULL)
159 break;
160 ad->u.net->sport = sh->source;
161 ad->u.net->dport = sh->dest;
162 break;
163 }
164 default:
165 ret = -EINVAL;
166 }
167 return ret;
168 }
169 #endif
170
171
172 static inline void print_ipv6_addr(struct audi
173 const struc
174 char *name1
175 {
176 if (!ipv6_addr_any(addr))
177 audit_log_format(ab, " %s=%pI6
178 if (port)
179 audit_log_format(ab, " %s=%d",
180 }
181
182 static inline void print_ipv4_addr(struct audi
183 __be16 port
184 {
185 if (addr)
186 audit_log_format(ab, " %s=%pI4
187 if (port)
188 audit_log_format(ab, " %s=%d",
189 }
190
191 /**
192 * dump_common_audit_data - helper to dump com
193 * @ab : the audit buffer
194 * @a : common audit data
195 *
196 */
197 static void dump_common_audit_data(struct audi
198 struct comm
199 {
200 char comm[sizeof(current->comm)];
201
202 /*
203 * To keep stack sizes in check force
204 * start making this union too large!
205 * as an example of how to deal with l
206 */
207 BUILD_BUG_ON(sizeof(a->u) > sizeof(voi
208
209 audit_log_format(ab, " pid=%d comm=",
210 audit_log_untrustedstring(ab, memcpy(c
211
212 switch (a->type) {
213 case LSM_AUDIT_DATA_NONE:
214 return;
215 case LSM_AUDIT_DATA_IPC:
216 audit_log_format(ab, " ipc_key
217 break;
218 case LSM_AUDIT_DATA_CAP:
219 audit_log_format(ab, " capabil
220 break;
221 case LSM_AUDIT_DATA_PATH: {
222 struct inode *inode;
223
224 audit_log_d_path(ab, " path=",
225
226 inode = d_backing_inode(a->u.p
227 if (inode) {
228 audit_log_format(ab, "
229 audit_log_untrustedstr
230 audit_log_format(ab, "
231 }
232 break;
233 }
234 case LSM_AUDIT_DATA_FILE: {
235 struct inode *inode;
236
237 audit_log_d_path(ab, " path=",
238
239 inode = file_inode(a->u.file);
240 if (inode) {
241 audit_log_format(ab, "
242 audit_log_untrustedstr
243 audit_log_format(ab, "
244 }
245 break;
246 }
247 case LSM_AUDIT_DATA_IOCTL_OP: {
248 struct inode *inode;
249
250 audit_log_d_path(ab, " path=",
251
252 inode = a->u.op->path.dentry->
253 if (inode) {
254 audit_log_format(ab, "
255 audit_log_untrustedstr
256 audit_log_format(ab, "
257 }
258
259 audit_log_format(ab, " ioctlcm
260 break;
261 }
262 case LSM_AUDIT_DATA_DENTRY: {
263 struct inode *inode;
264
265 audit_log_format(ab, " name=")
266 spin_lock(&a->u.dentry->d_lock
267 audit_log_untrustedstring(ab,
268 spin_unlock(&a->u.dentry->d_lo
269
270 inode = d_backing_inode(a->u.d
271 if (inode) {
272 audit_log_format(ab, "
273 audit_log_untrustedstr
274 audit_log_format(ab, "
275 }
276 break;
277 }
278 case LSM_AUDIT_DATA_INODE: {
279 struct dentry *dentry;
280 struct inode *inode;
281
282 rcu_read_lock();
283 inode = a->u.inode;
284 dentry = d_find_alias_rcu(inod
285 if (dentry) {
286 audit_log_format(ab, "
287 spin_lock(&dentry->d_l
288 audit_log_untrustedstr
289 spin_unlock(&dentry->d
290 }
291 audit_log_format(ab, " dev=");
292 audit_log_untrustedstring(ab,
293 audit_log_format(ab, " ino=%lu
294 rcu_read_unlock();
295 break;
296 }
297 case LSM_AUDIT_DATA_TASK: {
298 struct task_struct *tsk = a->u
299 if (tsk) {
300 pid_t pid = task_tgid_
301 if (pid) {
302 char comm[size
303 audit_log_form
304 audit_log_untr
305 memcpy(com
306 }
307 }
308 break;
309 }
310 case LSM_AUDIT_DATA_NET:
311 if (a->u.net->sk) {
312 const struct sock *sk
313 const struct unix_sock
314 struct unix_address *a
315 int len = 0;
316 char *p = NULL;
317
318 switch (sk->sk_family)
319 case AF_INET: {
320 const struct i
321
322 print_ipv4_add
323
324
325 print_ipv4_add
326
327
328 break;
329 }
330 #if IS_ENABLED(CONFIG_IPV6)
331 case AF_INET6: {
332 const struct i
333
334 print_ipv6_add
335
336
337 print_ipv6_add
338
339
340 break;
341 }
342 #endif
343 case AF_UNIX:
344 u = unix_sk(sk
345 addr = smp_loa
346 if (!addr)
347 break;
348 if (u->path.de
349 audit_
350 break;
351 }
352 len = addr->le
353 p = &addr->nam
354 audit_log_form
355 if (*p)
356 audit_
357 else
358 audit_
359 break;
360 }
361 }
362
363 switch (a->u.net->family) {
364 case AF_INET:
365 print_ipv4_addr(ab, a-
366 a->u.n
367 "saddr
368 print_ipv4_addr(ab, a-
369 a->u.n
370 "daddr
371 break;
372 case AF_INET6:
373 print_ipv6_addr(ab, &a
374 a->u.n
375 "saddr
376 print_ipv6_addr(ab, &a
377 a->u.n
378 "daddr
379 break;
380 }
381 if (a->u.net->netif > 0) {
382 struct net_device *dev
383
384 /* NOTE: we always use
385 dev = dev_get_by_index
386 if (dev) {
387 audit_log_form
388 dev_put(dev);
389 }
390 }
391 break;
392 #ifdef CONFIG_KEYS
393 case LSM_AUDIT_DATA_KEY:
394 audit_log_format(ab, " key_ser
395 if (a->u.key_struct.key_desc)
396 audit_log_format(ab, "
397 audit_log_untrustedstr
398 }
399 break;
400 #endif
401 case LSM_AUDIT_DATA_KMOD:
402 audit_log_format(ab, " kmod=")
403 audit_log_untrustedstring(ab,
404 break;
405 case LSM_AUDIT_DATA_IBPKEY: {
406 struct in6_addr sbn_pfx;
407
408 memset(&sbn_pfx.s6_addr, 0,
409 sizeof(sbn_pfx.s6_addr)
410 memcpy(&sbn_pfx.s6_addr, &a->u
411 sizeof(a->u.ibpkey->sub
412 audit_log_format(ab, " pkey=0x
413 a->u.ibpkey->
414 break;
415 }
416 case LSM_AUDIT_DATA_IBENDPORT:
417 audit_log_format(ab, " device=
418 a->u.ibendpor
419 a->u.ibendpor
420 break;
421 case LSM_AUDIT_DATA_LOCKDOWN:
422 audit_log_format(ab, " lockdow
423 lockdown_reas
424 break;
425 case LSM_AUDIT_DATA_ANONINODE:
426 audit_log_format(ab, " anoncla
427 break;
428 } /* switch (a->type) */
429 }
430
431 /**
432 * common_lsm_audit - generic LSM auditing fun
433 * @a: auxiliary audit data
434 * @pre_audit: lsm-specific pre-audit callback
435 * @post_audit: lsm-specific post-audit callba
436 *
437 * setup the audit buffer for common security
438 * uses callback to print LSM specific informa
439 */
440 void common_lsm_audit(struct common_audit_data
441 void (*pre_audit)(struct audit_buffer
442 void (*post_audit)(struct audit_buffer
443 {
444 struct audit_buffer *ab;
445
446 if (a == NULL)
447 return;
448 /* we use GFP_ATOMIC so we won't sleep
449 ab = audit_log_start(audit_context(),
450 AUDIT_AVC);
451
452 if (ab == NULL)
453 return;
454
455 if (pre_audit)
456 pre_audit(ab, a);
457
458 dump_common_audit_data(ab, a);
459
460 if (post_audit)
461 post_audit(ab, a);
462
463 audit_log_end(ab);
464 }
465
Linux® is a registered trademark of Linus Torvalds in the United States and other countries.
TOMOYO® is a registered trademark of NTT DATA CORPORATION.