Commit 8c4b785a authored by John Johansen's avatar John Johansen

apparmor: add mediation class information to auditing



Audit messages currently don't contain the mediation class which can
make them less clear than they should be in some circumstances. With
newer mediation classes coming this potential confusion will become
worse.

Fix this by adding the mediation class to the messages.

Signed-off-by: John Johansen <john.johansen@canonical.com>
parent 90917d5b
+28 −0
@@ -36,6 +36,28 @@ static const char *const aa_audit_type[] = {
	"AUTO"
};

static const char *const aa_class_names[] = {
	"none",
	"unknown",
	"file",
	"cap",
	"net",
	"rlimits",
	"domain",
	"mount",
	"unknown",
	"ptrace",
	"signal",
	"unknown",
	"unknown",
	"unknown",
	"net",
	"unknown",
	"label",
	"lsm",
};


/*
 * Currently AppArmor auditing is fed straight into the audit framework.
 *
@@ -65,6 +87,12 @@ static void audit_pre(struct audit_buffer *ab, void *ca)
		audit_log_format(ab, " operation=\"%s\"", aad(sa)->op);
	}

	if (aad(sa)->class)
		audit_log_format(ab, " class=\"%s\"",
				 aad(sa)->class <= AA_CLASS_LAST ?
				 aa_class_names[aad(sa)->class] :
				 "unknown");

	if (aad(sa)->info) {
		audit_log_format(ab, " info=\"%s\"", aad(sa)->info);
		if (aad(sa)->error)
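Review bot: The bound on the aa_class_names lookup in audit_pre relies on AA_CLASS_LAST, defined in another header, agreeing with the 18-entry table added earlier in this file, and nothing ties the two together, so a class constant added to the header without a matching table entry would index past the array and log whatever memory follows it. Bounding by the table itself removes that coupling: `aad(sa)->class < ARRAY_SIZE(aa_class_names) ?` in place of `aad(sa)->class <= AA_CLASS_LAST ?`, or alternatively `BUILD_BUG_ON(ARRAY_SIZE(aa_class_names) != AA_CLASS_LAST + 1);` at the top of audit_pre so the build fails when they drift. The table also has two entries that read "net" (positions 4 and 14), so the emitted class string does not identify the class uniquely; a per-entry comment naming the AA_CLASS_* constant each slot stands for would make the table reviewable. audit_pre starts and ends outside this hunk.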
+1 −1
@@ -148,7 +148,7 @@ int aa_capable(struct aa_label *label, int cap, unsigned int opts)
{
	struct aa_profile *profile;
	int error = 0;
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, OP_CAPABLE);
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_CAP, AA_CLASS_CAP, OP_CAPABLE);

	sa.u.cap = cap;
	error = fn_for_each_confined(label, profile,
+1 −1
@@ -95,7 +95,7 @@ int aa_audit_file(struct aa_profile *profile, struct aa_perms *perms,
		  kuid_t ouid, const char *info, int error)
{
	int type = AUDIT_APPARMOR_AUTO;
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, op);
	DEFINE_AUDIT_DATA(sa, LSM_AUDIT_DATA_TASK, AA_CLASS_FILE, op);

	sa.u.tsk = NULL;
	aad(&sa)->request = request;
+1 −1
@@ -16,7 +16,7 @@
/*
 * Class of mediation types in the AppArmor policy db
 */
#define AA_CLASS_ENTRY		0
#define AA_CLASS_NONE		0
#define AA_CLASS_UNKNOWN	1
#define AA_CLASS_FILE		2
#define AA_CLASS_CAP		3
+6 −2
@@ -107,6 +107,7 @@ enum audit_type {
struct apparmor_audit_data {
	int error;
	int type;
	u16 class;
	const char *op;
	struct aa_label *label;
	const char *name;
@@ -155,9 +156,12 @@ struct apparmor_audit_data {

/* macros for dealing with  apparmor_audit_data structure */
#define aad(SA) ((SA)->apparmor_audit_data)
#define DEFINE_AUDIT_DATA(NAME, T, X)					\
#define DEFINE_AUDIT_DATA(NAME, T, C, X)				\
	/* TODO: cleanup audit init so we don't need _aad = {0,} */	\
	struct apparmor_audit_data NAME ## _aad = { .op = (X), };	\
	struct apparmor_audit_data NAME ## _aad = {                     \
		.class = (C),						\
		.op = (X),                                              \
	};                                                              \
	struct common_audit_data NAME =					\
	{								\
	.type = (T),							\