
Commit fc1c9fd

committed
apparmor: add ns name to the audit data for policy loads
Signed-off-by: John Johansen <[email protected]>
1 parent 078c73c commit fc1c9fd

2 files changed

+25
-10
lines changed

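--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -113,6 +113,7 @@ struct apparmor_audit_data {
 void *target;
 struct {
 long pos;
+const char *ns;
 void *target;
 } iface;
 struct {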

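--- a/security/apparmor/policy.c
+++ b/security/apparmor/policy.c
@@ -582,31 +582,45 @@ static int replacement_allowed(struct aa_profile *profile, int noreplace,
 return 0;
 }
 
+/* audit callback for net specific fields */
+static void audit_cb(struct audit_buffer *ab, void *va)
+{
+struct common_audit_data *sa = va;
+
+if (sa->aad->iface.ns) {
+audit_log_format(ab, " ns=");
+audit_log_untrustedstring(ab, sa->aad->iface.ns);
+}
+}
+
 /**
 * aa_audit_policy - Do auditing of policy changes
 * @profile: profile to check if it can manage policy
 * @op: policy operation being performed
 * @gfp: memory allocation flags
+* @nsname: name of the ns being manipulated (MAY BE NULL)
 * @name: name of profile being manipulated (NOT NULL)
 * @info: any extra information to be audited (MAYBE NULL)
 * @error: error code
 *
 * Returns: the error to be returned after audit is done
 */
 static int audit_policy(struct aa_profile *profile, int op, gfp_t gfp,
-const char *name, const char *info, int error)
+const char *nsname, const char *name,
+const char *info, int error)
 {
 struct common_audit_data sa;
 struct apparmor_audit_data aad = {0,};
 sa.type = LSM_AUDIT_DATA_NONE;
 sa.aad = &aad;
 aad.op = op;
+aad.iface.ns = nsname;
 aad.name = name;
 aad.info = info;
 aad.error = error;
 
 return aa_audit(AUDIT_APPARMOR_STATUS, profile, gfp,
-&sa, NULL);
+&sa, audit_cb);
 }
 
 /**
@@ -659,11 +673,11 @@ int aa_may_manage_policy(struct aa_profile *profile, struct aa_ns *ns, int op)
 {
 /* check if loading policy is locked out */
 if (aa_g_lock_policy)
-return audit_policy(profile, op, GFP_KERNEL, NULL,
+return audit_policy(profile, op, GFP_KERNEL, NULL, NULL,
 "policy_locked", -EACCES);
 
 if (!policy_admin_capable(ns))
-return audit_policy(profile, op, GFP_KERNEL, NULL,
+return audit_policy(profile, op, GFP_KERNEL, NULL, NULL,
 "not policy admin", -EACCES);
 
 /* TODO: add fine grained mediation of policy loads */
@@ -818,7 +832,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
 ns = aa_prepare_ns(view, ns_name);
 if (!ns) {
 error = audit_policy(__aa_current_profile(), op, GFP_KERNEL,
-ns_name,
+NULL, ns_name,
 "failed to prepare namespace", -ENOMEM);
 goto free;
 }
@@ -895,7 +909,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
 list_del_init(&ent->list);
 op = (!ent->old && !ent->rename) ? OP_PROF_LOAD : OP_PROF_REPL;
 
-audit_policy(__aa_current_profile(), op, GFP_ATOMIC,
+audit_policy(__aa_current_profile(), op, GFP_ATOMIC, NULL,
 ent->new->base.hname, NULL, error);
 
 if (ent->old) {
@@ -950,7 +964,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
 
 /* audit cause of failure */
 op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
-audit_policy(__aa_current_profile(), op, GFP_KERNEL,
+audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
 ent->new->base.hname, info, error);
 /* audit status that rest of profiles in the atomic set failed too */
 info = "valid profile in failed atomic policy load";
@@ -961,7 +975,7 @@ ssize_t aa_replace_profiles(struct aa_ns *view, void *udata, size_t size,
 continue;
 }
 op = (!ent->old) ? OP_PROF_LOAD : OP_PROF_REPL;
-audit_policy(__aa_current_profile(), op, GFP_KERNEL,
+audit_policy(__aa_current_profile(), op, GFP_KERNEL, NULL,
 tmp->new->base.hname, info, error);
 }
 free:
@@ -1036,7 +1050,7 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
 
 /* don't fail removal if audit fails */
 (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
-name, info, error);
+NULL, name, info, error);
 aa_put_ns(ns);
 aa_put_profile(profile);
 return size;
@@ -1047,6 +1061,6 @@ ssize_t aa_remove_profiles(struct aa_ns *view, char *fqname, size_t size)
 
 fail:
 (void) audit_policy(__aa_current_profile(), OP_PROF_RM, GFP_KERNEL,
-name, info, error);
+NULL, name, info, error);
 return error;
 }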
