xref: /linux/security/ipe/audit.c (revision ab93e0dd72c37d378dd936f031ffb83ff2bd87ce) 
1 // SPDX-License-Identifier: GPL-2.0
2 /*
3  * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved.
4  */
5 
6 #include <linux/slab.h>
7 #include <linux/audit.h>
8 #include <linux/types.h>
9 #include <crypto/sha2.h>
10 
11 #include "ipe.h"
12 #include "eval.h"
13 #include "hooks.h"
14 #include "policy.h"
15 #include "audit.h"
16 #include "digest.h"
17 
18 #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY")
19 
20 #define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */
21 
22 #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\
23 			      "policy_digest=" IPE_AUDIT_HASH_ALG ":"
24 #define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\
25 				   "policy_digest=?"
26 #define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\
27 				    "old_active_pol_version=%hu.%hu.%hu "\
28 				    "old_policy_digest=" IPE_AUDIT_HASH_ALG ":"
29 #define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\
30 					 "old_active_pol_version=? "\
31 					 "old_policy_digest=?"
32 #define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\
33 				    "new_active_pol_version=%hu.%hu.%hu "\
34 				    "new_policy_digest=" IPE_AUDIT_HASH_ALG ":"
35 
36 static const char *const audit_op_names[__IPE_OP_MAX + 1] = {
37 	"EXECUTE",
38 	"FIRMWARE",
39 	"KMODULE",
40 	"KEXEC_IMAGE",
41 	"KEXEC_INITRAMFS",
42 	"POLICY",
43 	"X509_CERT",
44 	"UNKNOWN",
45 };
46 
47 static const char *const audit_hook_names[__IPE_HOOK_MAX] = {
48 	"BPRM_CHECK",
49 	"MMAP",
50 	"MPROTECT",
51 	"KERNEL_READ",
52 	"KERNEL_LOAD",
53 };
54 
55 static const char *const audit_prop_names[__IPE_PROP_MAX] = {
56 	"boot_verified=FALSE",
57 	"boot_verified=TRUE",
58 	"dmverity_roothash=",
59 	"dmverity_signature=FALSE",
60 	"dmverity_signature=TRUE",
61 	"fsverity_digest=",
62 	"fsverity_signature=FALSE",
63 	"fsverity_signature=TRUE",
64 };
65 
66 /**
67  * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property.
68  * @ab: Supplies a pointer to the audit_buffer to append to.
69  * @rh: Supplies a pointer to the digest structure.
70  */
audit_dmv_roothash(struct audit_buffer * ab,const void * rh)71 static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh)
72 {
73 	audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_DMV_ROOTHASH]);
74 	ipe_digest_audit(ab, rh);
75 }
76 
77 /**
78  * audit_fsv_digest() - audit the digest of a fsverity_digest property.
79  * @ab: Supplies a pointer to the audit_buffer to append to.
80  * @d: Supplies a pointer to the digest structure.
81  */
audit_fsv_digest(struct audit_buffer * ab,const void * d)82 static void audit_fsv_digest(struct audit_buffer *ab, const void *d)
83 {
84 	audit_log_format(ab, "%s", audit_prop_names[IPE_PROP_FSV_DIGEST]);
85 	ipe_digest_audit(ab, d);
86 }
87 
88 /**
89  * audit_rule() - audit an IPE policy rule.
90  * @ab: Supplies a pointer to the audit_buffer to append to.
91  * @r: Supplies a pointer to the ipe_rule to approximate a string form for.
92  */
audit_rule(struct audit_buffer * ab,const struct ipe_rule * r)93 static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r)
94 {
95 	const struct ipe_prop *ptr;
96 
97 	audit_log_format(ab, " rule=\"op=%s ", audit_op_names[r->op]);
98 
99 	list_for_each_entry(ptr, &r->props, next) {
100 		switch (ptr->type) {
101 		case IPE_PROP_DMV_ROOTHASH:
102 			audit_dmv_roothash(ab, ptr->value);
103 			break;
104 		case IPE_PROP_FSV_DIGEST:
105 			audit_fsv_digest(ab, ptr->value);
106 			break;
107 		default:
108 			audit_log_format(ab, "%s", audit_prop_names[ptr->type]);
109 			break;
110 		}
111 
112 		audit_log_format(ab, " ");
113 	}
114 
115 	audit_log_format(ab, "action=%s\"", ACTSTR(r->action));
116 }
117 
118 /**
119  * ipe_audit_match() - Audit a rule match in a policy evaluation.
120  * @ctx: Supplies a pointer to the evaluation context that was used in the
121  *	 evaluation.
122  * @match_type: Supplies the scope of the match: rule, operation default,
123  *		global default.
124  * @act: Supplies the IPE's evaluation decision, deny or allow.
125  * @r: Supplies a pointer to the rule that was matched, if possible.
126  */
ipe_audit_match(const struct ipe_eval_ctx * const ctx,enum ipe_match match_type,enum ipe_action_type act,const struct ipe_rule * const r)127 void ipe_audit_match(const struct ipe_eval_ctx *const ctx,
128 		     enum ipe_match match_type,
129 		     enum ipe_action_type act, const struct ipe_rule *const r)
130 {
131 	const char *op = audit_op_names[ctx->op];
132 	char comm[sizeof(current->comm)];
133 	struct audit_buffer *ab;
134 	struct inode *inode;
135 
136 	if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit))
137 		return;
138 
139 	ab = audit_log_start(audit_context(), GFP_ATOMIC | __GFP_NOWARN,
140 			     AUDIT_IPE_ACCESS);
141 	if (!ab)
142 		return;
143 
144 	audit_log_format(ab, "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=",
145 			 op, audit_hook_names[ctx->hook], READ_ONCE(enforce),
146 			 task_tgid_nr(current));
147 	audit_log_untrustedstring(ab, get_task_comm(comm, current));
148 
149 	if (ctx->file) {
150 		audit_log_d_path(ab, " path=", &ctx->file->f_path);
151 		inode = file_inode(ctx->file);
152 		if (inode) {
153 			audit_log_format(ab, " dev=");
154 			audit_log_untrustedstring(ab, inode->i_sb->s_id);
155 			audit_log_format(ab, " ino=%lu", inode->i_ino);
156 		} else {
157 			audit_log_format(ab, " dev=? ino=?");
158 		}
159 	} else {
160 		audit_log_format(ab, " path=? dev=? ino=?");
161 	}
162 
163 	if (match_type == IPE_MATCH_RULE)
164 		audit_rule(ab, r);
165 	else if (match_type == IPE_MATCH_TABLE)
166 		audit_log_format(ab, " rule=\"DEFAULT op=%s action=%s\"", op,
167 				 ACTSTR(act));
168 	else
169 		audit_log_format(ab, " rule=\"DEFAULT action=%s\"",
170 				 ACTSTR(act));
171 
172 	audit_log_end(ab);
173 }
174 
175 /**
176  * audit_policy() - Audit a policy's name, version and thumbprint to @ab.
177  * @ab: Supplies a pointer to the audit buffer to append to.
178  * @audit_format: Supplies a pointer to the audit format string
179  * @p: Supplies a pointer to the policy to audit.
180  */
audit_policy(struct audit_buffer * ab,const char * audit_format,const struct ipe_policy * const p)181 static void audit_policy(struct audit_buffer *ab,
182 			 const char *audit_format,
183 			 const struct ipe_policy *const p)
184 {
185 	u8 digest[SHA256_DIGEST_SIZE];
186 
187 	sha256(p->pkcs7, p->pkcs7len, digest);
188 
189 	audit_log_format(ab, audit_format, p->parsed->name,
190 			 p->parsed->version.major, p->parsed->version.minor,
191 			 p->parsed->version.rev);
192 	audit_log_n_hex(ab, digest, sizeof(digest));
193 }
194 
195 /**
196  * ipe_audit_policy_activation() - Audit a policy being activated.
197  * @op: Supplies a pointer to the previously activated policy to audit.
198  * @np: Supplies a pointer to the newly activated policy to audit.
199  */
ipe_audit_policy_activation(const struct ipe_policy * const op,const struct ipe_policy * const np)200 void ipe_audit_policy_activation(const struct ipe_policy *const op,
201 				 const struct ipe_policy *const np)
202 {
203 	struct audit_buffer *ab;
204 
205 	ab = audit_log_start(audit_context(), GFP_KERNEL,
206 			     AUDIT_IPE_CONFIG_CHANGE);
207 	if (!ab)
208 		return;
209 
210 	if (op) {
211 		audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, op);
212 		audit_log_format(ab, " ");
213 	} else {
214 		/*
215 		 * old active policy can be NULL if there is no kernel
216 		 * built-in policy
217 		 */
218 		audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT);
219 		audit_log_format(ab, " ");
220 	}
221 	audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, np);
222 	audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=1",
223 			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
224 			 audit_get_sessionid(current));
225 
226 	audit_log_end(ab);
227 }
228 
229 /**
230  * ipe_audit_policy_load() - Audit a policy loading event.
231  * @p: Supplies a pointer to the policy to audit or an error pointer.
232  */
ipe_audit_policy_load(const struct ipe_policy * const p)233 void ipe_audit_policy_load(const struct ipe_policy *const p)
234 {
235 	struct audit_buffer *ab;
236 	int err = 0;
237 
238 	ab = audit_log_start(audit_context(), GFP_KERNEL,
239 			     AUDIT_IPE_POLICY_LOAD);
240 	if (!ab)
241 		return;
242 
243 	if (!IS_ERR(p)) {
244 		audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p);
245 	} else {
246 		audit_log_format(ab, AUDIT_POLICY_LOAD_NULL_FMT);
247 		err = PTR_ERR(p);
248 	}
249 
250 	audit_log_format(ab, " auid=%u ses=%u lsm=ipe res=%d errno=%d",
251 			 from_kuid(&init_user_ns, audit_get_loginuid(current)),
252 			 audit_get_sessionid(current), !err, err);
253 
254 	audit_log_end(ab);
255 }
256 
257 /**
258  * ipe_audit_enforce() - Audit a change in IPE's enforcement state.
259  * @new_enforce: The new value enforce to be set.
260  * @old_enforce: The old value currently in enforce.
261  */
ipe_audit_enforce(bool new_enforce,bool old_enforce)262 void ipe_audit_enforce(bool new_enforce, bool old_enforce)
263 {
264 	struct audit_buffer *ab;
265 
266 	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS);
267 	if (!ab)
268 		return;
269 
270 	audit_log(audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS,
271 		  "enforcing=%d old_enforcing=%d auid=%u ses=%u"
272 		  " enabled=1 old-enabled=1 lsm=ipe res=1",
273 		  new_enforce, old_enforce,
274 		  from_kuid(&init_user_ns, audit_get_loginuid(current)),
275 		  audit_get_sessionid(current));
276 
277 	audit_log_end(ab);
278 }
279