2019-06-04 10:11:33 +02:00
// SPDX-License-Identifier: GPL-2.0-only
2009-04-08 20:39:40 +02:00
/*
* common LSM auditing functions
*
* Based on code written for SELinux by :
2017-08-17 13:32:37 -04:00
* Stephen Smalley , < sds @ tycho . nsa . gov >
2009-04-08 20:39:40 +02:00
* James Morris < jmorris @ redhat . com >
* Author : Etienne Basset , < etienne . basset @ ensta . org >
*/
# include <linux/types.h>
# include <linux/stddef.h>
# include <linux/kernel.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the followings.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and try to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build test were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable easily on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 17:04:11 +09:00
# include <linux/gfp.h>
2009-04-08 20:39:40 +02:00
# include <linux/fs.h>
# include <linux/init.h>
# include <net/sock.h>
# include <linux/un.h>
# include <net/af_unix.h>
# include <linux/audit.h>
# include <linux/ipv6.h>
# include <linux/ip.h>
# include <net/ip.h>
# include <net/ipv6.h>
# include <linux/tcp.h>
# include <linux/udp.h>
# include <linux/dccp.h>
# include <linux/sctp.h>
# include <linux/lsm_audit.h>
security,lockdown,selinux: implement SELinux lockdown
Implement a SELinux hook for lockdown. If the lockdown module is also
enabled, then a denial by the lockdown module will take precedence over
SELinux, so SELinux can only further restrict lockdown decisions.
The SELinux hook only distinguishes at the granularity of integrity
versus confidentiality similar to the lockdown module, but includes the
full lockdown reason as part of the audit record as a hint in diagnosing
what triggered the denial. To support this auditing, move the
lockdown_reasons[] string array from being private to the lockdown
module to the security framework so that it can be used by the lsm audit
code and so that it is always available even when the lockdown module
is disabled.
Note that the SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow operations that specify
an integrity reason while blocking operations that specify a
confidentiality reason. The SELinux hook implementation is
stricter than the lockdown module in validating the provided reason value.
Sample AVC audit output from denials:
avc: denied { integrity } for pid=3402 comm="fwupd"
lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
avc: denied { confidentiality } for pid=4628 comm="cp"
lockdown_reason="/proc/kcore access"
scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tclass=lockdown permissive=0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
[PM: some merge fuzz do the the perf hooks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-11-27 12:04:36 -05:00
# include <linux/security.h>
2009-04-08 20:39:40 +02:00
/**
* ipv4_skb_to_auditdata : fill auditdata from skb
* @ skb : the skb
* @ ad : the audit data to fill
* @ proto : the layer 4 protocol
*
* return 0 on success
*/
int ipv4_skb_to_auditdata ( struct sk_buff * skb ,
struct common_audit_data * ad , u8 * proto )
{
int ret = 0 ;
struct iphdr * ih ;
ih = ip_hdr ( skb ) ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > v4info . saddr = ih - > saddr ;
ad - > u . net - > v4info . daddr = ih - > daddr ;
2009-04-08 20:39:40 +02:00
if ( proto )
* proto = ih - > protocol ;
/* non initial fragment */
if ( ntohs ( ih - > frag_off ) & IP_OFFSET )
return 0 ;
switch ( ih - > protocol ) {
case IPPROTO_TCP : {
struct tcphdr * th = tcp_hdr ( skb ) ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = th - > source ;
ad - > u . net - > dport = th - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_UDP : {
struct udphdr * uh = udp_hdr ( skb ) ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = uh - > source ;
ad - > u . net - > dport = uh - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_DCCP : {
struct dccp_hdr * dh = dccp_hdr ( skb ) ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = dh - > dccph_sport ;
ad - > u . net - > dport = dh - > dccph_dport ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_SCTP : {
struct sctphdr * sh = sctp_hdr ( skb ) ;
2022-08-15 22:44:01 -04:00
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = sh - > source ;
ad - > u . net - > dport = sh - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
default :
ret = - EINVAL ;
}
return ret ;
}
2016-08-08 13:08:25 -04:00
# if IS_ENABLED(CONFIG_IPV6)
2009-04-08 20:39:40 +02:00
/**
* ipv6_skb_to_auditdata : fill auditdata from skb
* @ skb : the skb
* @ ad : the audit data to fill
* @ proto : the layer 4 protocol
*
* return 0 on success
*/
int ipv6_skb_to_auditdata ( struct sk_buff * skb ,
struct common_audit_data * ad , u8 * proto )
{
int offset , ret = 0 ;
struct ipv6hdr * ip6 ;
u8 nexthdr ;
2011-11-30 17:05:51 -08:00
__be16 frag_off ;
2009-04-08 20:39:40 +02:00
ip6 = ipv6_hdr ( skb ) ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > v6info . saddr = ip6 - > saddr ;
ad - > u . net - > v6info . daddr = ip6 - > daddr ;
2009-04-08 20:39:40 +02:00
/* IPv6 can have several extension header before the Transport header
* skip them */
offset = skb_network_offset ( skb ) ;
offset + = sizeof ( * ip6 ) ;
nexthdr = ip6 - > nexthdr ;
2011-11-30 17:05:51 -08:00
offset = ipv6_skip_exthdr ( skb , offset , & nexthdr , & frag_off ) ;
2009-04-08 20:39:40 +02:00
if ( offset < 0 )
return 0 ;
if ( proto )
* proto = nexthdr ;
switch ( nexthdr ) {
case IPPROTO_TCP : {
struct tcphdr _tcph , * th ;
th = skb_header_pointer ( skb , offset , sizeof ( _tcph ) , & _tcph ) ;
if ( th = = NULL )
break ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = th - > source ;
ad - > u . net - > dport = th - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_UDP : {
struct udphdr _udph , * uh ;
uh = skb_header_pointer ( skb , offset , sizeof ( _udph ) , & _udph ) ;
if ( uh = = NULL )
break ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = uh - > source ;
ad - > u . net - > dport = uh - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_DCCP : {
struct dccp_hdr _dccph , * dh ;
dh = skb_header_pointer ( skb , offset , sizeof ( _dccph ) , & _dccph ) ;
if ( dh = = NULL )
break ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = dh - > dccph_sport ;
ad - > u . net - > dport = dh - > dccph_dport ;
2009-04-08 20:39:40 +02:00
break ;
}
case IPPROTO_SCTP : {
struct sctphdr _sctph , * sh ;
sh = skb_header_pointer ( skb , offset , sizeof ( _sctph ) , & _sctph ) ;
if ( sh = = NULL )
break ;
2012-04-02 13:15:44 -04:00
ad - > u . net - > sport = sh - > source ;
ad - > u . net - > dport = sh - > dest ;
2009-04-08 20:39:40 +02:00
break ;
}
default :
ret = - EINVAL ;
}
return ret ;
}
# endif
static inline void print_ipv6_addr ( struct audit_buffer * ab ,
2020-11-30 16:36:29 +01:00
const struct in6_addr * addr , __be16 port ,
2009-04-08 20:39:40 +02:00
char * name1 , char * name2 )
{
if ( ! ipv6_addr_any ( addr ) )
2009-09-23 13:46:00 -04:00
audit_log_format ( ab , " %s=%pI6c " , name1 , addr ) ;
2009-04-08 20:39:40 +02:00
if ( port )
audit_log_format ( ab , " %s=%d " , name2 , ntohs ( port ) ) ;
}
static inline void print_ipv4_addr ( struct audit_buffer * ab , __be32 addr ,
__be16 port , char * name1 , char * name2 )
{
if ( addr )
audit_log_format ( ab , " %s=%pI4 " , name1 , & addr ) ;
if ( port )
audit_log_format ( ab , " %s=%d " , name2 , ntohs ( port ) ) ;
}
/**
* dump_common_audit_data - helper to dump common audit data
* @ a : common audit data
*
*/
static void dump_common_audit_data ( struct audit_buffer * ab ,
struct common_audit_data * a )
{
2015-04-14 11:01:02 -04:00
char comm [ sizeof ( current - > comm ) ] ;
2009-04-08 20:39:40 +02:00
2012-04-04 15:01:43 -04:00
/*
* To keep stack sizes in check force programers to notice if they
* start making this union too large ! See struct lsm_network_audit
* as an example of how to deal with large data .
*/
BUILD_BUG_ON ( sizeof ( a - > u ) > sizeof ( void * ) * 2 ) ;
2016-08-30 17:19:13 -04:00
audit_log_format ( ab , " pid=%d comm= " , task_tgid_nr ( current ) ) ;
2015-04-14 11:01:02 -04:00
audit_log_untrustedstring ( ab , memcpy ( comm , current - > comm , sizeof ( comm ) ) ) ;
2009-04-08 20:39:40 +02:00
switch ( a - > type ) {
2010-04-27 17:20:38 -04:00
case LSM_AUDIT_DATA_NONE :
2009-07-14 12:14:09 -04:00
return ;
2009-04-08 20:39:40 +02:00
case LSM_AUDIT_DATA_IPC :
2021-09-14 15:15:16 +02:00
audit_log_format ( ab , " ipc_key=%d " , a - > u . ipc_id ) ;
2009-04-08 20:39:40 +02:00
break ;
case LSM_AUDIT_DATA_CAP :
audit_log_format ( ab , " capability=%d " , a - > u . cap ) ;
break ;
2011-04-25 12:54:27 -04:00
case LSM_AUDIT_DATA_PATH : {
struct inode * inode ;
2012-01-06 14:07:10 -08:00
audit_log_d_path ( ab , " path= " , & a - > u . path ) ;
2011-04-25 13:10:27 -04:00
2015-03-17 22:26:22 +00:00
inode = d_backing_inode ( a - > u . path . dentry ) ;
2012-01-07 10:41:04 -08:00
if ( inode ) {
audit_log_format ( ab , " dev= " ) ;
audit_log_untrustedstring ( ab , inode - > i_sb - > s_id ) ;
audit_log_format ( ab , " ino=%lu " , inode - > i_ino ) ;
}
2011-04-25 13:10:27 -04:00
break ;
}
2016-09-09 11:37:49 -04:00
case LSM_AUDIT_DATA_FILE : {
struct inode * inode ;
audit_log_d_path ( ab , " path= " , & a - > u . file - > f_path ) ;
inode = file_inode ( a - > u . file ) ;
if ( inode ) {
audit_log_format ( ab , " dev= " ) ;
audit_log_untrustedstring ( ab , inode - > i_sb - > s_id ) ;
audit_log_format ( ab , " ino=%lu " , inode - > i_ino ) ;
}
break ;
}
2015-07-10 17:19:55 -04:00
case LSM_AUDIT_DATA_IOCTL_OP : {
struct inode * inode ;
audit_log_d_path ( ab , " path= " , & a - > u . op - > path ) ;
inode = a - > u . op - > path . dentry - > d_inode ;
if ( inode ) {
audit_log_format ( ab , " dev= " ) ;
audit_log_untrustedstring ( ab , inode - > i_sb - > s_id ) ;
audit_log_format ( ab , " ino=%lu " , inode - > i_ino ) ;
}
2016-08-08 13:08:34 -04:00
audit_log_format ( ab , " ioctlcmd=0x%hx " , a - > u . op - > cmd ) ;
2015-07-10 17:19:55 -04:00
break ;
}
2011-04-25 13:10:27 -04:00
case LSM_AUDIT_DATA_DENTRY : {
struct inode * inode ;
audit_log_format ( ab , " name= " ) ;
2021-01-05 14:43:46 -05:00
spin_lock ( & a - > u . dentry - > d_lock ) ;
2011-04-25 13:10:27 -04:00
audit_log_untrustedstring ( ab , a - > u . dentry - > d_name . name ) ;
2021-01-05 14:43:46 -05:00
spin_unlock ( & a - > u . dentry - > d_lock ) ;
2011-04-25 13:10:27 -04:00
2015-03-17 22:26:22 +00:00
inode = d_backing_inode ( a - > u . dentry ) ;
2012-01-07 10:41:04 -08:00
if ( inode ) {
audit_log_format ( ab , " dev= " ) ;
audit_log_untrustedstring ( ab , inode - > i_sb - > s_id ) ;
audit_log_format ( ab , " ino=%lu " , inode - > i_ino ) ;
}
2009-04-08 20:39:40 +02:00
break ;
2011-04-25 12:54:27 -04:00
}
case LSM_AUDIT_DATA_INODE : {
struct dentry * dentry ;
struct inode * inode ;
2021-01-05 14:19:11 -05:00
rcu_read_lock ( ) ;
2011-04-25 12:54:27 -04:00
inode = a - > u . inode ;
2021-01-05 14:19:11 -05:00
dentry = d_find_alias_rcu ( inode ) ;
2011-04-25 12:54:27 -04:00
if ( dentry ) {
audit_log_format ( ab , " name= " ) ;
2021-01-05 14:43:46 -05:00
spin_lock ( & dentry - > d_lock ) ;
audit_log_untrustedstring ( ab , dentry - > d_name . name ) ;
spin_unlock ( & dentry - > d_lock ) ;
2011-04-25 12:54:27 -04:00
}
2012-01-07 10:41:04 -08:00
audit_log_format ( ab , " dev= " ) ;
audit_log_untrustedstring ( ab , inode - > i_sb - > s_id ) ;
audit_log_format ( ab , " ino=%lu " , inode - > i_ino ) ;
2021-01-05 14:19:11 -05:00
rcu_read_unlock ( ) ;
2011-04-25 12:54:27 -04:00
break ;
}
2015-04-14 11:01:02 -04:00
case LSM_AUDIT_DATA_TASK : {
struct task_struct * tsk = a - > u . tsk ;
2013-12-11 13:52:26 -05:00
if ( tsk ) {
2016-08-30 17:19:13 -04:00
pid_t pid = task_tgid_nr ( tsk ) ;
2013-12-11 13:52:26 -05:00
if ( pid ) {
2015-04-14 11:01:02 -04:00
char comm [ sizeof ( tsk - > comm ) ] ;
2015-04-15 14:08:25 -04:00
audit_log_format ( ab , " opid=%d ocomm= " , pid ) ;
2015-04-14 11:01:02 -04:00
audit_log_untrustedstring ( ab ,
memcpy ( comm , tsk - > comm , sizeof ( comm ) ) ) ;
2013-12-11 13:52:26 -05:00
}
2009-04-08 20:39:40 +02:00
}
break ;
2015-04-14 11:01:02 -04:00
}
2009-04-08 20:39:40 +02:00
case LSM_AUDIT_DATA_NET :
2012-04-02 13:15:44 -04:00
if ( a - > u . net - > sk ) {
2020-11-30 16:36:29 +01:00
const struct sock * sk = a - > u . net - > sk ;
2009-04-08 20:39:40 +02:00
struct unix_sock * u ;
2019-02-15 20:09:35 +00:00
struct unix_address * addr ;
2009-04-08 20:39:40 +02:00
int len = 0 ;
char * p = NULL ;
switch ( sk - > sk_family ) {
case AF_INET : {
struct inet_sock * inet = inet_sk ( sk ) ;
2009-10-15 06:30:45 +00:00
print_ipv4_addr ( ab , inet - > inet_rcv_saddr ,
inet - > inet_sport ,
2009-04-08 20:39:40 +02:00
" laddr " , " lport " ) ;
2009-10-15 06:30:45 +00:00
print_ipv4_addr ( ab , inet - > inet_daddr ,
inet - > inet_dport ,
2009-04-08 20:39:40 +02:00
" faddr " , " fport " ) ;
break ;
}
2013-10-09 03:05:48 -07:00
# if IS_ENABLED(CONFIG_IPV6)
2009-04-08 20:39:40 +02:00
case AF_INET6 : {
struct inet_sock * inet = inet_sk ( sk ) ;
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 15:42:29 -07:00
print_ipv6_addr ( ab , & sk - > sk_v6_rcv_saddr ,
2009-10-15 06:30:45 +00:00
inet - > inet_sport ,
2009-04-08 20:39:40 +02:00
" laddr " , " lport " ) ;
ipv6: make lookups simpler and faster
TCP listener refactoring, part 4 :
To speed up inet lookups, we moved IPv4 addresses from inet to struct
sock_common
Now is time to do the same for IPv6, because it permits us to have fast
lookups for all kind of sockets, including upcoming SYN_RECV.
Getting IPv6 addresses in TCP lookups currently requires two extra cache
lines, plus a dereference (and memory stall).
inet6_sk(sk) does the dereference of inet_sk(__sk)->pinet6
This patch is way bigger than its IPv4 counter part, because for IPv4,
we could add aliases (inet_daddr, inet_rcv_saddr), while on IPv6,
it's not doable easily.
inet6_sk(sk)->daddr becomes sk->sk_v6_daddr
inet6_sk(sk)->rcv_saddr becomes sk->sk_v6_rcv_saddr
And timewait socket also have tw->tw_v6_daddr & tw->tw_v6_rcv_saddr
at the same offset.
We get rid of INET6_TW_MATCH() as INET6_MATCH() is now the generic
macro.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-10-03 15:42:29 -07:00
print_ipv6_addr ( ab , & sk - > sk_v6_daddr ,
2009-10-15 06:30:45 +00:00
inet - > inet_dport ,
2009-04-08 20:39:40 +02:00
" faddr " , " fport " ) ;
break ;
}
2013-10-09 03:05:48 -07:00
# endif
2009-04-08 20:39:40 +02:00
case AF_UNIX :
u = unix_sk ( sk ) ;
2019-02-15 20:09:35 +00:00
addr = smp_load_acquire ( & u - > addr ) ;
if ( ! addr )
break ;
2012-03-14 21:54:32 -04:00
if ( u - > path . dentry ) {
audit_log_d_path ( ab , " path= " , & u - > path ) ;
2009-04-08 20:39:40 +02:00
break ;
}
2019-02-15 20:09:35 +00:00
len = addr - > len - sizeof ( short ) ;
p = & addr - > name - > sun_path [ 0 ] ;
2009-04-08 20:39:40 +02:00
audit_log_format ( ab , " path= " ) ;
if ( * p )
audit_log_untrustedstring ( ab , p ) ;
else
audit_log_n_hex ( ab , p , len ) ;
break ;
}
}
2012-04-02 13:15:44 -04:00
switch ( a - > u . net - > family ) {
2009-04-08 20:39:40 +02:00
case AF_INET :
2012-04-02 13:15:44 -04:00
print_ipv4_addr ( ab , a - > u . net - > v4info . saddr ,
a - > u . net - > sport ,
2009-04-08 20:39:40 +02:00
" saddr " , " src " ) ;
2012-04-02 13:15:44 -04:00
print_ipv4_addr ( ab , a - > u . net - > v4info . daddr ,
a - > u . net - > dport ,
2009-04-08 20:39:40 +02:00
" daddr " , " dest " ) ;
break ;
case AF_INET6 :
2012-04-02 13:15:44 -04:00
print_ipv6_addr ( ab , & a - > u . net - > v6info . saddr ,
a - > u . net - > sport ,
2009-04-08 20:39:40 +02:00
" saddr " , " src " ) ;
2012-04-02 13:15:44 -04:00
print_ipv6_addr ( ab , & a - > u . net - > v6info . daddr ,
a - > u . net - > dport ,
2009-04-08 20:39:40 +02:00
" daddr " , " dest " ) ;
break ;
}
2012-04-02 13:15:44 -04:00
if ( a - > u . net - > netif > 0 ) {
2009-04-08 20:39:40 +02:00
struct net_device * dev ;
/* NOTE: we always use init's namespace */
2012-04-02 13:15:44 -04:00
dev = dev_get_by_index ( & init_net , a - > u . net - > netif ) ;
2009-04-08 20:39:40 +02:00
if ( dev ) {
audit_log_format ( ab , " netif=%s " , dev - > name ) ;
dev_put ( dev ) ;
}
}
break ;
# ifdef CONFIG_KEYS
case LSM_AUDIT_DATA_KEY :
audit_log_format ( ab , " key_serial=%u " , a - > u . key_struct . key ) ;
if ( a - > u . key_struct . key_desc ) {
audit_log_format ( ab , " key_desc= " ) ;
audit_log_untrustedstring ( ab , a - > u . key_struct . key_desc ) ;
}
break ;
# endif
2009-11-03 16:35:32 +11:00
case LSM_AUDIT_DATA_KMOD :
audit_log_format ( ab , " kmod= " ) ;
audit_log_untrustedstring ( ab , a - > u . kmod_name ) ;
break ;
2017-05-19 15:48:57 +03:00
case LSM_AUDIT_DATA_IBPKEY : {
struct in6_addr sbn_pfx ;
memset ( & sbn_pfx . s6_addr , 0 ,
sizeof ( sbn_pfx . s6_addr ) ) ;
memcpy ( & sbn_pfx . s6_addr , & a - > u . ibpkey - > subnet_prefix ,
sizeof ( a - > u . ibpkey - > subnet_prefix ) ) ;
audit_log_format ( ab , " pkey=0x%x subnet_prefix=%pI6c " ,
a - > u . ibpkey - > pkey , & sbn_pfx ) ;
break ;
}
2017-05-19 15:48:58 +03:00
case LSM_AUDIT_DATA_IBENDPORT :
audit_log_format ( ab , " device=%s port_num=%u " ,
a - > u . ibendport - > dev_name ,
a - > u . ibendport - > port ) ;
break ;
security,lockdown,selinux: implement SELinux lockdown
Implement a SELinux hook for lockdown. If the lockdown module is also
enabled, then a denial by the lockdown module will take precedence over
SELinux, so SELinux can only further restrict lockdown decisions.
The SELinux hook only distinguishes at the granularity of integrity
versus confidentiality similar to the lockdown module, but includes the
full lockdown reason as part of the audit record as a hint in diagnosing
what triggered the denial. To support this auditing, move the
lockdown_reasons[] string array from being private to the lockdown
module to the security framework so that it can be used by the lsm audit
code and so that it is always available even when the lockdown module
is disabled.
Note that the SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow operations that specify
an integrity reason while blocking operations that specify a
confidentiality reason. The SELinux hook implementation is
stricter than the lockdown module in validating the provided reason value.
Sample AVC audit output from denials:
avc: denied { integrity } for pid=3402 comm="fwupd"
lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
avc: denied { confidentiality } for pid=4628 comm="cp"
lockdown_reason="/proc/kcore access"
scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tclass=lockdown permissive=0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
[PM: some merge fuzz do the the perf hooks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-11-27 12:04:36 -05:00
case LSM_AUDIT_DATA_LOCKDOWN :
2020-07-13 15:51:59 -04:00
audit_log_format ( ab , " lockdown_reason= \" %s \" " ,
lockdown_reasons [ a - > u . reason ] ) ;
security,lockdown,selinux: implement SELinux lockdown
Implement a SELinux hook for lockdown. If the lockdown module is also
enabled, then a denial by the lockdown module will take precedence over
SELinux, so SELinux can only further restrict lockdown decisions.
The SELinux hook only distinguishes at the granularity of integrity
versus confidentiality similar to the lockdown module, but includes the
full lockdown reason as part of the audit record as a hint in diagnosing
what triggered the denial. To support this auditing, move the
lockdown_reasons[] string array from being private to the lockdown
module to the security framework so that it can be used by the lsm audit
code and so that it is always available even when the lockdown module
is disabled.
Note that the SELinux implementation allows the integrity and
confidentiality reasons to be controlled independently from one another.
Thus, in an SELinux policy, one could allow operations that specify
an integrity reason while blocking operations that specify a
confidentiality reason. The SELinux hook implementation is
stricter than the lockdown module in validating the provided reason value.
Sample AVC audit output from denials:
avc: denied { integrity } for pid=3402 comm="fwupd"
lockdown_reason="/dev/mem,kmem,port" scontext=system_u:system_r:fwupd_t:s0
tcontext=system_u:system_r:fwupd_t:s0 tclass=lockdown permissive=0
avc: denied { confidentiality } for pid=4628 comm="cp"
lockdown_reason="/proc/kcore access"
scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
tclass=lockdown permissive=0
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
Reviewed-by: James Morris <jamorris@linux.microsoft.com>
[PM: some merge fuzz do the the perf hooks]
Signed-off-by: Paul Moore <paul@paul-moore.com>
2019-11-27 12:04:36 -05:00
break ;
2022-03-08 18:09:26 +01:00
case LSM_AUDIT_DATA_ANONINODE :
audit_log_format ( ab , " anonclass=%s " , a - > u . anonclass ) ;
break ;
2009-04-08 20:39:40 +02:00
} /* switch (a->type) */
}
/**
* common_lsm_audit - generic LSM auditing function
* @ a : auxiliary audit data
2012-04-02 15:48:12 -07:00
* @ pre_audit : lsm - specific pre - audit callback
* @ post_audit : lsm - specific post - audit callback
2009-04-08 20:39:40 +02:00
*
* setup the audit buffer for common security information
* uses callback to print LSM specific information
*/
2012-04-02 15:48:12 -07:00
void common_lsm_audit ( struct common_audit_data * a ,
void ( * pre_audit ) ( struct audit_buffer * , void * ) ,
void ( * post_audit ) ( struct audit_buffer * , void * ) )
2009-04-08 20:39:40 +02:00
{
struct audit_buffer * ab ;
if ( a = = NULL )
return ;
/* we use GFP_ATOMIC so we won't sleep */
2018-05-12 21:58:20 -04:00
ab = audit_log_start ( audit_context ( ) , GFP_ATOMIC | __GFP_NOWARN ,
2013-10-01 21:14:54 -04:00
AUDIT_AVC ) ;
2009-04-08 20:39:40 +02:00
if ( ab = = NULL )
return ;
2012-04-02 15:48:12 -07:00
if ( pre_audit )
pre_audit ( ab , a ) ;
2009-04-08 20:39:40 +02:00
dump_common_audit_data ( ab , a ) ;
2012-04-02 15:48:12 -07:00
if ( post_audit )
post_audit ( ab , a ) ;
2009-04-08 20:39:40 +02:00
audit_log_end ( ab ) ;
}