security/ipe/audit.c at v6.18

tjh.dev / kernel
fork atom
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / security / ipe / audit.c
at v6.18 278 lines 7.9 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0
  2/*
  3 * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
  4 */
  5
  6#include <linux/slab.h>
  7#include <linux/audit.h>
  8#include <linux/types.h>
  9#include <crypto/sha2.h>
 10
 11#include "ipe.h"
 12#include "eval.h"
 13#include "hooks.h"
 14#include "policy.h"
 15#include "audit.h"
 16#include "digest.h"
 17
 18#define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
 19
 20#define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
 21
 22#define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
 23			      "policy_digest=" IPE_AUDIT_HASH_ALG ":"
 24#define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\
 25				   "policy_digest=?"
 26#define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\
 27				    "old_active_pol_version=%hu.%hu.%hu "\
 28				    "old_policy_digest=" IPE_AUDIT_HASH_ALG ":"
 29#define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\
 30					 "old_active_pol_version=? "\
 31					 "old_policy_digest=?"
 32#define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\
 33				    "new_active_pol_version=%hu.%hu.%hu "\
 34				    "new_policy_digest=" IPE_AUDIT_HASH_ALG ":"
 35
 36static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
 37	"EXECUTE",
 38	"FIRMWARE",
 39	"KMODULE",
 40	"KEXEC_IMAGE",
 41	"KEXEC_INITRAMFS",
 42	"POLICY",
 43	"X509_CERT",
 44	"UNKNOWN",
 45};
 46
 47static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
 48	"BPRM_CHECK",
 49	"MMAP",
 50	"MPROTECT",
 51	"KERNEL_READ",
 52	"KERNEL_LOAD",
 53};
 54
 55static const char *const audit_prop_names[__IPE_PROP_MAX] = {
 56	"boot_verified=FALSE",
 57	"boot_verified=TRUE",
 58	"dmverity_roothash=",
 59	"dmverity_signature=FALSE",
 60	"dmverity_signature=TRUE",
 61	"fsverity_digest=",
 62	"fsverity_signature=FALSE",
 63	"fsverity_signature=TRUE",
 64};
 65
 66/**
 67 * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property.
 68 * @ab: Supplies a pointer to the audit_buffer to append to.
 69 * @rh: Supplies a pointer to the digest structure.
 70 */
 71static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
 72{
 73	audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]);
 74	ipe_digest_audit(ab, rh);
 75}
 76
 77/**
 78 * audit_fsv_digest() - audit the digest of a fsverity_digest property.
 79 * @ab: Supplies a pointer to the audit_buffer to append to.
 80 * @d: Supplies a pointer to the digest structure.
 81 */
 82static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
 83{
 84	audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
 85	ipe_digest_audit(ab, d);
 86}
 87
 88/**
 89 * audit_rule() - audit an IPE policy rule.
 90 * @ab: Supplies a pointer to the audit_buffer to append to.
 91 * @r: Supplies a pointer to the ipe_rule to approximate a string form for.
 92 */
 93static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
 94{
 95	const struct ipe_prop *ptr;
 96
 97	audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]);
 98
 99	list_for_each_entry(ptr, &r->props, next) {
100		switch (ptr->type) {
101		case IPE_PROP_DMV_ROOTHASH:
102			audit_dmv_roothash(ab, ptr->value);
103			break;
104		case IPE_PROP_FSV_DIGEST:
105			audit_fsv_digest(ab, ptr->value);
106			break;
107		default:
108			audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
109			break;
110		}
111
112		audit_log_format(ab, " ");
113	}
114
115	audit_log_format(ab, "action=%s\"", ACTSTR(r->action));
116}
117
118/**
119 * ipe_audit_match() - Audit a rule match in a policy evaluation.
120 * @ctx: Supplies a pointer to the evaluation context that was used in the
121 *	 evaluation.
122 * @match_type: Supplies the scope of the match: rule, operation default,
123 *		global default.
124 * @act: Supplies the IPE's evaluation decision, deny or allow.
125 * @r: Supplies a pointer to the rule that was matched, if possible.
126 */
127void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
128		     enum ipe_match match_type,
129		     enum ipe_action_type act, const struct ipe_rule *const r)
130{
131	const char *op = audit_op_names[ctx->op];
132	char comm[sizeof(current->comm)];
133	struct audit_buffer *ab;
134	struct inode *inode;
135
136	if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit))
137		return;
138
139	ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
140			     AUDIT_IPE_ACCESS);
141	if (!ab)
142		return;
143
144	audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=",
145			 op, audit_hook_names[ctx->hook], READ_ONCE(enforce),
146			 task_tgid_nr(current));
147	audit_log_untrustedstring(ab, get_task_comm(comm, current));
148
149	if (ctx->file) {
150		audit_log_d_path(ab, " path=", &ctx->file->f_path);
151		inode = file_inode(ctx->file);
152		if (inode) {
153			audit_log_format(ab, " dev=");
154			audit_log_untrustedstring(ab, inode->i_sb->s_id);
155			audit_log_format(ab, " ino=%lu", inode->i_ino);
156		} else {
157			audit_log_format(ab, " dev=? ino=?");
158		}
159	} else {
160		audit_log_format(ab, " path=? dev=? ino=?");
161	}
162
163	if (match_type == IPE_MATCH_RULE)
164		audit_rule(ab, r);
165	else if (match_type == IPE_MATCH_TABLE)
166		audit_log_format(ab, " rule=\"DEFAULT op=%s action=%s\"", op,
167				 ACTSTR(act));
168	else
169		audit_log_format(ab, " rule=\"DEFAULT action=%s\"",
170				 ACTSTR(act));
171
172	audit_log_end(ab);
173}
174
175/**
176 * audit_policy() - Audit a policy's name, version and thumbprint to @ab.
177 * @ab: Supplies a pointer to the audit buffer to append to.
178 * @audit_format: Supplies a pointer to the audit format string
179 * @p: Supplies a pointer to the policy to audit.
180 */
181static void audit_policy(struct audit_buffer *ab,
182			 const char *audit_format,
183			 const struct ipe_policy *const p)
184{
185	u8 digest[SHA256_DIGEST_SIZE];
186
187	sha256(p->pkcs7, p->pkcs7len, digest);
188
189	audit_log_format(ab, audit_format, p->parsed->name,
190			 p->parsed->version.major, p->parsed->version.minor,
191			 p->parsed->version.rev);
192	audit_log_n_hex(ab, digest, sizeof(digest));
193}
194
195/**
196 * ipe_audit_policy_activation() - Audit a policy being activated.
197 * @op: Supplies a pointer to the previously activated policy to audit.
198 * @np: Supplies a pointer to the newly activated policy to audit.
199 */
200void ipe_audit_policy_activation(const struct ipe_policy *const op,
201				 const struct ipe_policy *const np)
202{
203	struct audit_buffer *ab;
204
205	ab = audit_log_start(audit_context(), GFP_KERNEL,
206			     AUDIT_IPE_CONFIG_CHANGE);
207	if (!ab)
208		return;
209
210	if (op) {
211		audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, op);
212		audit_log_format(ab, " ");
213	} else {
214		/*
215		 * old active policy can be NULL if there is no kernel
216		 * built-in policy
217		 */
218		audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT);
219		audit_log_format(ab, " ");
220	}
221	audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, np);
222	audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
223			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
224			 audit_get_sessionid(current));
225
226	audit_log_end(ab);
227}
228
229/**
230 * ipe_audit_policy_load() - Audit a policy loading event.
231 * @p: Supplies a pointer to the policy to audit or an error pointer.
232 */
233void ipe_audit_policy_load(const struct ipe_policy *const p)
234{
235	struct audit_buffer *ab;
236	int err = 0;
237
238	ab = audit_log_start(audit_context(), GFP_KERNEL,
239			     AUDIT_IPE_POLICY_LOAD);
240	if (!ab)
241		return;
242
243	if (!IS_ERR(p)) {
244		audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p);
245	} else {
246		audit_log_format(ab, AUDIT_POLICY_LOAD_NULL_FMT);
247		err = PTR_ERR(p);
248	}
249
250	audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=%d errno=%d",
251			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
252			 audit_get_sessionid(current), !err, err);
253
254	audit_log_end(ab);
255}
256
257/**
258 * ipe_audit_enforce() - Audit a change in IPE's enforcement state.
259 * @new_enforce: The new value enforce to be set.
260 * @old_enforce: The old value currently in enforce.
261 */
262void ipe_audit_enforce(bool new_enforce, bool old_enforce)
263{
264	struct audit_buffer *ab;
265
266	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS);
267	if (!ab)
268		return;
269
270	audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
271		  "enforcing=%d old_enforcing=%d auid=%u ses=%u"
272		  " enabled=1 old-enabled=1 lsm=ipe res=1",
273		  new_enforce, old_enforce,
274		  from_kuid(&init_user_ns, audit_get_loginuid(current)),
275		  audit_get_sessionid(current));
276
277	audit_log_end(ab);
278}