NetLabel: Add auditing to the static labeling mechanism

This patch adds auditing support to the NetLabel static labeling mechanism.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
Paul Moore 2008-01-29 08:44:23 -05:00 committed by James Morris
parent 8cc44579d1
commit 13541b3ada
2 changed files with 195 additions and 14 deletions

View File

@ -115,6 +115,8 @@
#define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */ #define AUDIT_MAC_IPSEC_ADDSPD 1413 /* Not used */
#define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */ #define AUDIT_MAC_IPSEC_DELSPD 1414 /* Not used */
#define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */ #define AUDIT_MAC_IPSEC_EVENT 1415 /* Audit an IPSec event */
#define AUDIT_MAC_UNLBL_STCADD 1416 /* NetLabel: add a static label */
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799 #define AUDIT_LAST_KERN_ANOM_MSG 1799

View File

@ -146,6 +146,74 @@ static const struct nla_policy netlbl_unlabel_genl_policy[NLBL_UNLABEL_A_MAX + 1
[NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY } [NLBL_UNLABEL_A_SECCTX] = { .type = NLA_BINARY }
}; };
/*
* Audit Helper Functions
*/
/**
* netlbl_unlabel_audit_addr4 - Audit an IPv4 address
* @audit_buf: audit buffer
* @dev: network interface
* @addr: IP address
* @mask: IP address mask
*
* Description:
* Write the IPv4 address and address mask, if necessary, to @audit_buf.
*
*/
static void netlbl_unlabel_audit_addr4(struct audit_buffer *audit_buf,
const char *dev,
__be32 addr, __be32 mask)
{
u32 mask_val = ntohl(mask);
if (dev != NULL)
audit_log_format(audit_buf, " netif=%s", dev);
audit_log_format(audit_buf, " src=" NIPQUAD_FMT, NIPQUAD(addr));
if (mask_val != 0xffffffff) {
u32 mask_len = 0;
while (mask_val > 0) {
mask_val <<= 1;
mask_len++;
}
audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
}
}
/**
* netlbl_unlabel_audit_addr6 - Audit an IPv6 address
* @audit_buf: audit buffer
* @dev: network interface
* @addr: IP address
* @mask: IP address mask
*
* Description:
* Write the IPv6 address and address mask, if necessary, to @audit_buf.
*
*/
static void netlbl_unlabel_audit_addr6(struct audit_buffer *audit_buf,
const char *dev,
const struct in6_addr *addr,
const struct in6_addr *mask)
{
if (dev != NULL)
audit_log_format(audit_buf, " netif=%s", dev);
audit_log_format(audit_buf, " src=" NIP6_FMT, NIP6(*addr));
if (ntohl(mask->s6_addr32[3]) != 0xffffffff) {
u32 mask_len = 0;
u32 mask_val;
int iter = -1;
while (ntohl(mask->s6_addr32[++iter]) == 0xffffffff)
mask_len += 32;
mask_val = ntohl(mask->s6_addr32[iter]);
while (mask_val > 0) {
mask_val <<= 1;
mask_len++;
}
audit_log_format(audit_buf, " src_prefixlen=%d", mask_len);
}
}
/* /*
* Unlabeled Connection Hash Table Functions * Unlabeled Connection Hash Table Functions
*/ */
@ -530,6 +598,7 @@ add_iface_failure:
* @mask: address mask in network byte order * @mask: address mask in network byte order
* @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
* @secid: LSM secid value for the entry * @secid: LSM secid value for the entry
* @audit_info: NetLabel audit information
* *
* Description: * Description:
* Adds a new entry to the unlabeled connection hash table. Returns zero on * Adds a new entry to the unlabeled connection hash table. Returns zero on
@ -541,12 +610,18 @@ static int netlbl_unlhsh_add(struct net *net,
const void *addr, const void *addr,
const void *mask, const void *mask,
u32 addr_len, u32 addr_len,
u32 secid) u32 secid,
struct netlbl_audit *audit_info)
{ {
int ret_val; int ret_val;
int ifindex; int ifindex;
struct net_device *dev; struct net_device *dev;
struct netlbl_unlhsh_iface *iface; struct netlbl_unlhsh_iface *iface;
struct in_addr *addr4, *mask4;
struct in6_addr *addr6, *mask6;
struct audit_buffer *audit_buf = NULL;
char *secctx = NULL;
u32 secctx_len;
if (addr_len != sizeof(struct in_addr) && if (addr_len != sizeof(struct in_addr) &&
addr_len != sizeof(struct in6_addr)) addr_len != sizeof(struct in6_addr))
@ -573,13 +648,28 @@ static int netlbl_unlhsh_add(struct net *net,
goto unlhsh_add_return; goto unlhsh_add_return;
} }
} }
audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCADD,
audit_info);
switch (addr_len) { switch (addr_len) {
case sizeof(struct in_addr): case sizeof(struct in_addr):
ret_val = netlbl_unlhsh_add_addr4(iface, addr, mask, secid); addr4 = (struct in_addr *)addr;
mask4 = (struct in_addr *)mask;
ret_val = netlbl_unlhsh_add_addr4(iface, addr4, mask4, secid);
if (audit_buf != NULL)
netlbl_unlabel_audit_addr4(audit_buf,
dev_name,
addr4->s_addr,
mask4->s_addr);
break; break;
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
case sizeof(struct in6_addr): case sizeof(struct in6_addr):
ret_val = netlbl_unlhsh_add_addr6(iface, addr, mask, secid); addr6 = (struct in6_addr *)addr;
mask6 = (struct in6_addr *)mask;
ret_val = netlbl_unlhsh_add_addr6(iface, addr6, mask6, secid);
if (audit_buf != NULL)
netlbl_unlabel_audit_addr6(audit_buf,
dev_name,
addr6, mask6);
break; break;
#endif /* IPv6 */ #endif /* IPv6 */
default: default:
@ -590,14 +680,26 @@ static int netlbl_unlhsh_add(struct net *net,
unlhsh_add_return: unlhsh_add_return:
rcu_read_unlock(); rcu_read_unlock();
if (audit_buf != NULL) {
if (security_secid_to_secctx(secid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
return ret_val; return ret_val;
} }
/** /**
* netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry * netlbl_unlhsh_remove_addr4 - Remove an IPv4 address entry
* @net: network namespace
* @iface: interface entry * @iface: interface entry
* @addr: IP address * @addr: IP address
* @mask: IP address mask * @mask: IP address mask
* @audit_info: NetLabel audit information
* *
* Description: * Description:
* Remove an IP address entry from the unlabeled connection hash table. * Remove an IP address entry from the unlabeled connection hash table.
@ -605,12 +707,18 @@ unlhsh_add_return:
* responsible for calling the rcu_read_[un]lock() functions. * responsible for calling the rcu_read_[un]lock() functions.
* *
*/ */
static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_remove_addr4(struct net *net,
struct netlbl_unlhsh_iface *iface,
const struct in_addr *addr, const struct in_addr *addr,
const struct in_addr *mask) const struct in_addr *mask,
struct netlbl_audit *audit_info)
{ {
int ret_val = -ENOENT; int ret_val = -ENOENT;
struct netlbl_unlhsh_addr4 *entry; struct netlbl_unlhsh_addr4 *entry;
struct audit_buffer *audit_buf = NULL;
struct net_device *dev;
char *secctx = NULL;
u32 secctx_len;
spin_lock(&netlbl_unlhsh_lock); spin_lock(&netlbl_unlhsh_lock);
entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface); entry = netlbl_unlhsh_search_addr4(addr->s_addr, iface);
@ -622,6 +730,25 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
} }
spin_unlock(&netlbl_unlhsh_lock); spin_unlock(&netlbl_unlhsh_lock);
audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
audit_info);
if (audit_buf != NULL) {
dev = dev_get_by_index(net, iface->ifindex);
netlbl_unlabel_audit_addr4(audit_buf,
(dev != NULL ? dev->name : NULL),
entry->addr, entry->mask);
if (dev != NULL)
dev_put(dev);
if (security_secid_to_secctx(entry->secid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
if (ret_val == 0) if (ret_val == 0)
call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4); call_rcu(&entry->rcu, netlbl_unlhsh_free_addr4);
return ret_val; return ret_val;
@ -630,9 +757,11 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
/** /**
* netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry * netlbl_unlhsh_remove_addr6 - Remove an IPv6 address entry
* @net: network namespace
* @iface: interface entry * @iface: interface entry
* @addr: IP address * @addr: IP address
* @mask: IP address mask * @mask: IP address mask
* @audit_info: NetLabel audit information
* *
* Description: * Description:
* Remove an IP address entry from the unlabeled connection hash table. * Remove an IP address entry from the unlabeled connection hash table.
@ -640,12 +769,18 @@ static int netlbl_unlhsh_remove_addr4(struct netlbl_unlhsh_iface *iface,
* responsible for calling the rcu_read_[un]lock() functions. * responsible for calling the rcu_read_[un]lock() functions.
* *
*/ */
static int netlbl_unlhsh_remove_addr6(struct netlbl_unlhsh_iface *iface, static int netlbl_unlhsh_remove_addr6(struct net *net,
struct netlbl_unlhsh_iface *iface,
const struct in6_addr *addr, const struct in6_addr *addr,
const struct in6_addr *mask) const struct in6_addr *mask,
struct netlbl_audit *audit_info)
{ {
int ret_val = -ENOENT; int ret_val = -ENOENT;
struct netlbl_unlhsh_addr6 *entry; struct netlbl_unlhsh_addr6 *entry;
struct audit_buffer *audit_buf = NULL;
struct net_device *dev;
char *secctx = NULL;
u32 secctx_len;
spin_lock(&netlbl_unlhsh_lock); spin_lock(&netlbl_unlhsh_lock);
entry = netlbl_unlhsh_search_addr6(addr, iface); entry = netlbl_unlhsh_search_addr6(addr, iface);
@ -658,6 +793,25 @@ static int netlbl_unlhsh_remove_addr6(struct netlbl_unlhsh_iface *iface,
} }
spin_unlock(&netlbl_unlhsh_lock); spin_unlock(&netlbl_unlhsh_lock);
audit_buf = netlbl_audit_start_common(AUDIT_MAC_UNLBL_STCDEL,
audit_info);
if (audit_buf != NULL) {
dev = dev_get_by_index(net, iface->ifindex);
netlbl_unlabel_audit_addr6(audit_buf,
(dev != NULL ? dev->name : NULL),
addr, mask);
if (dev != NULL)
dev_put(dev);
if (security_secid_to_secctx(entry->secid,
&secctx,
&secctx_len) == 0) {
audit_log_format(audit_buf, " sec_obj=%s", secctx);
security_release_secctx(secctx, secctx_len);
}
audit_log_format(audit_buf, " res=%u", ret_val == 0 ? 1 : 0);
audit_log_end(audit_buf);
}
if (ret_val == 0) if (ret_val == 0)
call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6); call_rcu(&entry->rcu, netlbl_unlhsh_free_addr6);
return ret_val; return ret_val;
@ -708,6 +862,7 @@ unlhsh_condremove_failure:
* @addr: IP address in network byte order * @addr: IP address in network byte order
* @mask: address mask in network byte order * @mask: address mask in network byte order
* @addr_len: length of address/mask (4 for IPv4, 16 for IPv6) * @addr_len: length of address/mask (4 for IPv4, 16 for IPv6)
* @audit_info: NetLabel audit information
* *
* Description: * Description:
* Removes and existing entry from the unlabeled connection hash table. * Removes and existing entry from the unlabeled connection hash table.
@ -718,7 +873,8 @@ static int netlbl_unlhsh_remove(struct net *net,
const char *dev_name, const char *dev_name,
const void *addr, const void *addr,
const void *mask, const void *mask,
u32 addr_len) u32 addr_len,
struct netlbl_audit *audit_info)
{ {
int ret_val; int ret_val;
struct net_device *dev; struct net_device *dev;
@ -745,11 +901,15 @@ static int netlbl_unlhsh_remove(struct net *net,
} }
switch (addr_len) { switch (addr_len) {
case sizeof(struct in_addr): case sizeof(struct in_addr):
ret_val = netlbl_unlhsh_remove_addr4(iface, addr, mask); ret_val = netlbl_unlhsh_remove_addr4(net,
iface, addr, mask,
audit_info);
break; break;
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
case sizeof(struct in6_addr): case sizeof(struct in6_addr):
ret_val = netlbl_unlhsh_remove_addr6(iface, addr, mask); ret_val = netlbl_unlhsh_remove_addr6(net,
iface, addr, mask,
audit_info);
break; break;
#endif /* IPv6 */ #endif /* IPv6 */
default: default:
@ -972,6 +1132,7 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
void *mask; void *mask;
u32 addr_len; u32 addr_len;
u32 secid; u32 secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a /* Don't allow users to add both IPv4 and IPv6 addresses for a
* single entry. However, allow users to create two entries, one each * single entry. However, allow users to create two entries, one each
@ -985,6 +1146,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
!info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
return -EINVAL; return -EINVAL;
netlbl_netlink_auditinfo(skb, &audit_info);
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
@ -997,7 +1160,8 @@ static int netlbl_unlabel_staticadd(struct sk_buff *skb,
return ret_val; return ret_val;
return netlbl_unlhsh_add(&init_net, return netlbl_unlhsh_add(&init_net,
dev_name, addr, mask, addr_len, secid); dev_name, addr, mask, addr_len, secid,
&audit_info);
} }
/** /**
@ -1019,6 +1183,7 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
void *mask; void *mask;
u32 addr_len; u32 addr_len;
u32 secid; u32 secid;
struct netlbl_audit audit_info;
/* Don't allow users to add both IPv4 and IPv6 addresses for a /* Don't allow users to add both IPv4 and IPv6 addresses for a
* single entry. However, allow users to create two entries, one each * single entry. However, allow users to create two entries, one each
@ -1031,6 +1196,8 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
!info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
return -EINVAL; return -EINVAL;
netlbl_netlink_auditinfo(skb, &audit_info);
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
@ -1041,7 +1208,9 @@ static int netlbl_unlabel_staticadddef(struct sk_buff *skb,
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
return netlbl_unlhsh_add(&init_net, NULL, addr, mask, addr_len, secid); return netlbl_unlhsh_add(&init_net,
NULL, addr, mask, addr_len, secid,
&audit_info);
} }
/** /**
@ -1063,6 +1232,7 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb,
void *addr; void *addr;
void *mask; void *mask;
u32 addr_len; u32 addr_len;
struct netlbl_audit audit_info;
/* See the note in netlbl_unlabel_staticadd() about not allowing both /* See the note in netlbl_unlabel_staticadd() about not allowing both
* IPv4 and IPv6 in the same entry. */ * IPv4 and IPv6 in the same entry. */
@ -1073,12 +1243,16 @@ static int netlbl_unlabel_staticremove(struct sk_buff *skb,
!info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
return -EINVAL; return -EINVAL;
netlbl_netlink_auditinfo(skb, &audit_info);
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]); dev_name = nla_data(info->attrs[NLBL_UNLABEL_A_IFACE]);
return netlbl_unlhsh_remove(&init_net, dev_name, addr, mask, addr_len); return netlbl_unlhsh_remove(&init_net,
dev_name, addr, mask, addr_len,
&audit_info);
} }
/** /**
@ -1099,6 +1273,7 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
void *addr; void *addr;
void *mask; void *mask;
u32 addr_len; u32 addr_len;
struct netlbl_audit audit_info;
/* See the note in netlbl_unlabel_staticadd() about not allowing both /* See the note in netlbl_unlabel_staticadd() about not allowing both
* IPv4 and IPv6 in the same entry. */ * IPv4 and IPv6 in the same entry. */
@ -1108,11 +1283,15 @@ static int netlbl_unlabel_staticremovedef(struct sk_buff *skb,
!info->attrs[NLBL_UNLABEL_A_IPV6MASK]))) !info->attrs[NLBL_UNLABEL_A_IPV6MASK])))
return -EINVAL; return -EINVAL;
netlbl_netlink_auditinfo(skb, &audit_info);
ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len); ret_val = netlbl_unlabel_addrinfo_get(info, &addr, &mask, &addr_len);
if (ret_val != 0) if (ret_val != 0)
return ret_val; return ret_val;
return netlbl_unlhsh_remove(&init_net, NULL, addr, mask, addr_len); return netlbl_unlhsh_remove(&init_net,
NULL, addr, mask, addr_len,
&audit_info);
} }