aboutsummaryrefslogtreecommitdiffstats
path: root/security/apparmor/audit.c (follow)
AgeCommit message (Collapse)AuthorFilesLines
2018-06-07apparmor: Fix memory leak of rule on error exit pathTyler Hicks1-2/+4
Currently on the error exit path the allocated rule is not free'd causing a memory leak. Fix this by calling aa_audit_rule_free(). Detected by CoverityScan, CID#1468966 ("Resource leaks") Fixes: cb740f574c7b ("apparmor: modify audit rule support to support profile stacks") Signed-off-by: Tyler Hicks <tyhicks@canonical.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07apparmor: modify audit rule support to support profile stacksJohn Johansen1-17/+10
Allows for audit rules, where a rule could specify a profile stack A//&B, while extending the current semantic so if the label specified in the audit rule is a subset of the secid it is considered a match. Eg. if the secid resolves to the label stack A//&B//&C Then an audit rule specifying a label of A - would match B - would match C - would match D - would not A//&B - would match as a subset A//&C - would match as a subset B//&C - would match as a subset A//&B//&C - would match A//&D - would not match, because while A does match, D is also specified and does not Note: audit rules are currently assumed to be coming from the root namespace. Signed-off-by: John Johansen <john.johansen@canonical.com>
2018-06-07apparmor: Add support for audit rule filteringMatthew Garrett1-1/+94
This patch adds support to Apparmor for integrating with audit rule filtering. Right now it only handles SUBJ_ROLE, interpreting it as a single component of a label. This is sufficient to get Apparmor working with IMA's appraisal rules without any modifications on the IMA side. Signed-off-by: Matthew Garrett <mjg59@google.com> Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-06-10apparmor: switch from profiles to using labels on contextsJohn Johansen1-9/+18
Begin the actual switch to using domain labels by storing them on the context and converting the label to a singular profile where possible. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: replace remaining BUG_ON() asserts with AA_BUG()John Johansen1-1/+1
AA_BUG() uses WARN and won't break the kernel like BUG_ON(). Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: change aad apparmor_audit_data macro to a fn macroJohn Johansen1-22/+20
The aad macro can replace aad strings when it is not intended to. Switch to a fn macro so it is only applied when intended. Also at the same time cleanup audit_data initialization by putting common boiler plate behind a macro, and dropping the gfp_t parameter which will become useless. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: change op from int to const char *John Johansen1-54/+1
Having ops be an integer that is an index into an op name table is awkward and brittle. Every op change requires an edit for both the op constant and a string in the table. Instead switch to using const strings directly, eliminating the need for the table that needs to be kept in sync. Signed-off-by: John Johansen <john.johansen@canonical.com>
2017-01-16apparmor: split apparmor policy namespaces code into its own fileJohn Johansen1-0/+1
Policy namespaces will be diverging from profile management and expanding so put it in its own file. Signed-off-by: John Johansen <john.johansen@canonical.com>
2016-07-12apparmor: fix uninitialized lsm_audit memberJohn Johansen1-1/+2
BugLink: http://bugs.launchpad.net/bugs/1268727 The task field in the lsm_audit struct needs to be initialized if a change_hat fails, otherwise the following oops will occur BUG: unable to handle kernel paging request at 0000002fbead7d08 IP: [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50 PGD 1e3f35067 PUD 0 Oops: 0002 [#1] SMP Modules linked in: pppox crc_ccitt p8023 p8022 psnap llc ax25 btrfs raid6_pq xor xfs libcrc32c dm_multipath scsi_dh kvm_amd dcdbas kvm microcode amd64_edac_mod joydev edac_core psmouse edac_mce_amd serio_raw k10temp sp5100_tco i2c_piix4 ipmi_si ipmi_msghandler acpi_power_meter mac_hid lp parport hid_generic usbhid hid pata_acpi mpt2sas ahci raid_class pata_atiixp bnx2 libahci scsi_transport_sas [last unloaded: tipc] CPU: 2 PID: 699 Comm: changehat_twice Tainted: GF O 3.13.0-7-generic #25-Ubuntu Hardware name: Dell Inc. PowerEdge R415/08WNM9, BIOS 1.8.6 12/06/2011 task: ffff8802135c6000 ti: ffff880212986000 task.ti: ffff880212986000 RIP: 0010:[<ffffffff8171153e>] [<ffffffff8171153e>] _raw_spin_lock+0xe/0x50 RSP: 0018:ffff880212987b68 EFLAGS: 00010006 RAX: 0000000000020000 RBX: 0000002fbead7500 RCX: 0000000000000000 RDX: 0000000000000292 RSI: ffff880212987ba8 RDI: 0000002fbead7d08 RBP: ffff880212987b68 R08: 0000000000000246 R09: ffff880216e572a0 R10: ffffffff815fd677 R11: ffffea0008469580 R12: ffffffff8130966f R13: ffff880212987ba8 R14: 0000002fbead7d08 R15: ffff8800d8c6b830 FS: 00002b5e6c84e7c0(0000) GS:ffff880216e40000(0000) knlGS:0000000055731700 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000002fbead7d08 CR3: 000000021270f000 CR4: 00000000000006e0 Stack: ffff880212987b98 ffffffff81075f17 ffffffff8130966f 0000000000000009 0000000000000000 0000000000000000 ffff880212987bd0 ffffffff81075f7c 0000000000000292 ffff880212987c08 ffff8800d8c6b800 0000000000000026 Call Trace: [<ffffffff81075f17>] __lock_task_sighand+0x47/0x80 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50 [<ffffffff81075f7c>] do_send_sig_info+0x2c/0x80 [<ffffffff81075fee>] send_sig_info+0x1e/0x30 [<ffffffff8130242d>] aa_audit+0x13d/0x190 [<ffffffff8130c1dc>] aa_audit_file+0xbc/0x130 [<ffffffff8130966f>] ? apparmor_cred_prepare+0x2f/0x50 [<ffffffff81304cc2>] aa_change_hat+0x202/0x530 [<ffffffff81308fc6>] aa_setprocattr_changehat+0x116/0x1d0 [<ffffffff8130a11d>] apparmor_setprocattr+0x25d/0x300 [<ffffffff812cee56>] security_setprocattr+0x16/0x20 [<ffffffff8121fc87>] proc_pid_attr_write+0x107/0x130 [<ffffffff811b7604>] vfs_write+0xb4/0x1f0 [<ffffffff811b8039>] SyS_write+0x49/0xa0 [<ffffffff8171a1bf>] tracesys+0xe1/0xe6 Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Seth Arnold <seth.arnold@canonical.com>
2013-10-29apparmor: remove parent task info from audit loggingJohn Johansen1-6/+0
The reporting of the parent task info is a vestage from old versions of apparmor. The need for this information was removed by unique null- profiles before apparmor was upstreamed so remove this info from logging. Signed-off-by: John Johansen <john.johansen@canonical.com>
2013-10-29apparmor: remove tsk field from the apparmor_audit_structJohn Johansen1-8/+2
Now that aa_capabile no longer sets the task field it can be removed and the lsm_audit version of the field can be used. Signed-off-by: John Johansen <john.johansen@canonical.com>
2013-04-28apparmor: fix the audit type tableJohn Johansen1-1/+1
The audit type table is missing a comma so that KILLED comes out as KILLEDAUTO. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Steve Beattie <sbeattie@ubuntu.com>
2012-04-09apparmor: move task from common_audit_data to apparmor_audit_dataEric Paris1-2/+9
apparmor is the only LSM that uses the common_audit_data tsk field. Instead of making all LSMs pay for the stack space move the aa usage into the apparmor_audit_data. Signed-off-by: Eric Paris <eparis@redhat.com>
2012-04-03lsm_audit: don't specify the audit pre/post callbacks in 'struct common_audit_data'Linus Torvalds1-3/+1
It just bloats the audit data structure for no good reason, since the only time those fields are filled are just before calling the common_lsm_audit() function, which is also the only user of those fields. So just make them be the arguments to common_lsm_audit(), rather than bloating that structure that is passed around everywhere, and is initialized in hot paths. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-04-03LSM: shrink sizeof LSM specific portion of common_audit_dataEric Paris1-19/+19
Linus found that the gigantic size of the common audit data caused a big perf hit on something as simple as running stat() in a loop. This patch requires LSMs to declare the LSM specific portion separately rather than doing it in a union. Thus each LSM can be responsible for shrinking their portion and don't have to pay a penalty just because other LSMs have a bigger space requirement. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-14AppArmor: add const qualifiers to string arraysJan Engelhardt1-3/+3
Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: John Johansen <john.johansen@canonical.com>
2012-02-27AppArmor: Fix dropping of allowed operations that are force auditedJohn Johansen1-0/+1
The audit permission flag, that specifies an audit message should be provided when an operation is allowed, was being ignored in some cases. This is because the auto audit mode (which determines the audit mode from system flags) was incorrectly assigned the same value as audit mode. The shared value would result in messages that should be audited going through a second evaluation as to whether they should be audited based on the auto audit, resulting in some messages being dropped. Signed-off-by: John Johansen <john.johansen@canonical.com> Acked-by: Kees Cook <kees@ubuntu.com>
2011-12-09apparmor: add missing rcu_dereference()Kees Cook1-1/+1
Adds a missed rcu_dereference() around real_parent. Signed-off-by: Kees Cook <keescook@chromium.org> Acked-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
2010-08-02AppArmor: basic auditing infrastructure.John Johansen1-0/+215
Update lsm_audit for AppArmor specific data, and add the core routines for AppArmor uses for auditing. Signed-off-by: John Johansen <john.johansen@canonical.com> Signed-off-by: James Morris <jmorris@namei.org>
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.