This patch adds support to Apparmor for integrating with audit rule
filtering. Right now it only handles SUBJ_ROLE, interpreting it as a
single component of a label. This is sufficient to get Apparmor working
with IMA's appraisal rules without any modifications on the IMA side.

Signed-off-by: Matthew Garrett <mj...@google.com>
---

 This goes on top of apparmor: add the ability to get a task's secid

 security/apparmor/audit.c         | 90 ++++++++++++++++++++++++++++++-
 security/apparmor/include/audit.h |  6 +++
 security/apparmor/lsm.c           |  7 +++
 3 files changed, 102 insertions(+), 1 deletion(-)

diff --git a/security/apparmor/audit.c b/security/apparmor/audit.c
index 8f9ecac7f8de..31202a312438 100644
--- a/security/apparmor/audit.c
+++ b/security/apparmor/audit.c
@@ -19,7 +19,7 @@
 #include "include/audit.h"
 #include "include/policy.h"
 #include "include/policy_ns.h"
-
+#include "include/secid.h"
 
 const char *const audit_mode_names[] = {
        "normal",
@@ -163,3 +163,91 @@ int aa_audit(int type, struct aa_profile *profile, struct 
common_audit_data *sa,
 
        return aad(sa)->error;
 }
+
+struct aa_audit_rule {
+       char *profile;
+};
+
+void aa_audit_rule_free(void *vrule)
+{
+       struct aa_audit_rule *rule = vrule;
+
+       if (rule) {
+               kfree(rule->profile);
+               kfree(rule);
+       }
+}
+
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule)
+{
+       struct aa_audit_rule *rule;
+
+       switch (field) {
+       case AUDIT_SUBJ_ROLE:
+               if (op != Audit_equal && op != Audit_not_equal)
+                       return -EINVAL;
+               break;
+       default:
+               return -EINVAL;
+       }
+
+       rule = kzalloc(sizeof(struct aa_audit_rule), GFP_KERNEL);
+
+       if (!rule)
+               return -ENOMEM;
+
+       rule->profile = kstrdup(rulestr, GFP_KERNEL);
+
+       *vrule = rule;
+
+       return 0;
+}
+
+int aa_audit_rule_known(struct audit_krule *rule)
+{
+       int i;
+
+       for (i = 0; i < rule->field_count; i++) {
+               struct audit_field *f = &rule->fields[i];
+
+               switch (f->type) {
+               case AUDIT_SUBJ_ROLE:
+                       return 1;
+               }
+       }
+
+       return 0;
+}
+
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                       struct audit_context *actx)
+{
+       struct aa_audit_rule *rule = vrule;
+       struct aa_label *label;
+       struct label_it i;
+       struct aa_profile *profile;
+       int found = 0;
+
+       label = aa_secid_to_label(sid);
+
+       if (!label)
+               return -ENOENT;
+
+       label_for_each(i, label, profile) {
+               if (strcmp(rule->profile, profile->base.hname) == 0) {
+                       found = 1;
+                       break;
+               }
+       }
+
+       switch (field) {
+       case AUDIT_SUBJ_ROLE:
+               switch (op) {
+               case Audit_equal:
+                       return found;
+               case Audit_not_equal:
+                       return !found;
+               }
+       }
+       return 0;
+}
diff --git a/security/apparmor/include/audit.h 
b/security/apparmor/include/audit.h
index 4ac095118717..45fc69bc27d0 100644
--- a/security/apparmor/include/audit.h
+++ b/security/apparmor/include/audit.h
@@ -180,4 +180,10 @@ static inline int complain_error(int error)
        return error;
 }
 
+void aa_audit_rule_free(void *vrule);
+int aa_audit_rule_init(u32 field, u32 op, char *rulestr, void **vrule);
+int aa_audit_rule_known(struct audit_krule *rule);
+int aa_audit_rule_match(u32 sid, u32 field, u32 op, void *vrule,
+                       struct audit_context *actx);
+
 #endif /* __AA_AUDIT_H */
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index dcfa49b922ba..76977cba5973 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -795,6 +795,13 @@ static struct security_hook_list apparmor_hooks[] 
__lsm_ro_after_init = {
        LSM_HOOK_INIT(task_getsecid, apparmor_task_getsecid),
        LSM_HOOK_INIT(task_setrlimit, apparmor_task_setrlimit),
        LSM_HOOK_INIT(task_kill, apparmor_task_kill),
+
+#ifdef CONFIG_AUDIT
+       LSM_HOOK_INIT(audit_rule_init, aa_audit_rule_init),
+       LSM_HOOK_INIT(audit_rule_known, aa_audit_rule_known),
+       LSM_HOOK_INIT(audit_rule_match, aa_audit_rule_match),
+       LSM_HOOK_INIT(audit_rule_free, aa_audit_rule_free),
+#endif
 };
 
 /*
-- 
2.17.0.484.g0c8726318c-goog


-- 
AppArmor mailing list
AppArmor@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/apparmor

Reply via email to