diff options
author | John Johansen <john.johansen@canonical.com> | 2017-01-16 00:42:54 -0800 |
---|---|---|
committer | John Johansen <john.johansen@canonical.com> | 2017-01-16 01:18:41 -0800 |
commit | fc1c9fd10a53a17abb3348adb2ec5d29813a0397 (patch) | |
tree | b430294cb54354272638cd4c333c753f8a6c88e5 /security | |
parent | 078c73c63fb2878689da334f112507639c72c14f (diff) | |
download | linux-fc1c9fd10a53a17abb3348adb2ec5d29813a0397.tar.bz2 |
apparmor: add ns name to the audit data for policy loads
Signed-off-by: John Johansen <john.johansen@canonical.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/apparmor/include/audit.h | 1 | ||||
-rw-r--r-- | security/apparmor/policy.c | 34 |
2 files changed, 25 insertions, 10 deletions
diff --git a/security/apparmor/include/audit.h b/security/apparmor/include/audit.h index ba3dfd17f23f..dbfb4a6d72b6 100644 --- a/security/apparmor/include/audit.h +++ b/security/apparmor/include/audit.h @@ -113,6 +113,7 @@ struct apparmor_audit_data { void *target; struct { long pos; + const char *ns; void *target; } iface; struct { diff --git a/security/apparmor/policy.c b/security/apparmor/policy.c index 27d93aa58016..3c5c0b28eac5 100644 --- a/security/apparmor/policy.c +++ b/security/apparmor/policy.c @@ -582,11 +582,23 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace, return 0; } +/* audit callback for net specific fields */ +static void audit_cb(struct audit_buffer *ab, void *va) +{ + struct common_audit_data *sa = va; + + if (sa->aad->iface.ns) { + audit_log_format(ab, " ns="); + audit_log_untrustedstring(ab, sa->aad->iface.ns); + } +} + /** * aa_audit_policy - Do auditing of policy changes * @profile: profile to check if it can manage policy * @op: policy operation being performed * @gfp: memory allocation flags + * @nsname: name of the ns being manipulated (MAY BE NULL) * @name: name of profile being manipulated (NOT NULL) * @info: any extra information to be audited (MAYBE NULL) * @error: error code @@ -594,19 +606,21 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace, * Returns: the error to be returned after audit is done */ static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp, - const char *name, const char *info, int error) + const char *nsname, const char *name, + const char *info, int error) { struct common_audit_data sa; struct apparmor_audit_data aad = {0,}; sa.type = LSM_AUDIT_DATA_NONE; sa.aad = &aad; aad.op = op; + aad.iface.ns = nsname; aad.name = name; aad.info = info; aad.error = error; return aa_audit(AUDIT_APPARMOR_STATUS, profile, gfp, - &sa, NULL); + &sa, audit_cb); } /** @@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op) { /* check if loading policy is locked out */ if (aa_g_lock_policy) - return audit_policy(profile, op, GFP_KERNEL, NULL, + return audit_policy(profile, op, GFP_KERNEL, NULL, NULL, "policy_locked", -EACCES); if (!policy_admin_capable(ns)) - return audit_policy(profile, op, GFP_KERNEL, NULL, + return audit_policy(profile, op, GFP_KERNEL, NULL, NULL, "not policy admin", -EACCES); /* TODO: add fine grained mediation of policy loads */ @@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, ns = aa_prepare_ns(view, ns_name); if (!ns) { error = audit_policy(__aa_current_profile(), op, GFP_KERNEL, - ns_name, + NULL, ns_name, "failed to prepare namespace", -ENOMEM); goto free; } @@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size, list_del_init(&ent->list); op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL; - audit_policy(__aa_current_profile(), op, GFP_ATOMIC, + audit_policy(__aa_current_profile(), op, GFP_ATOMIC, NULL, ent->new->base.hname, NULL, error); if (ent->old) { @@ -950,7 +964,7 @@ fail_lock: /* audit cause of failure */ op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; - audit_policy(__aa_current_profile(), op, GFP_KERNEL, + audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL, ent->new->base.hname, info, error); /* audit status that rest of profiles in the atomic set failed too */ info = "valid profile in failed atomic policy load"; @@ -961,7 +975,7 @@ fail_lock: continue; } op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL; - audit_policy(__aa_current_profile(), op, GFP_KERNEL, + audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL, tmp->new->base.hname, info, error); } free: @@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size) /* don't fail removal if audit fails */ (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL, - name, info, error); + NULL, name, info, error); aa_put_ns(ns); aa_put_profile(profile); return size; @@ -1047,6 +1061,6 @@ fail_ns_lock: fail: (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL, - name, info, error); + NULL, name, info, error); return error; } |