| 1 | // SPDX-License-Identifier: GPL-2.0 |
|---|
| 2 | /* |
|---|
| 3 | * Copyright (C) 2020-2024 Microsoft Corporation. All rights reserved. |
|---|
| 4 | */ |
|---|
| 5 | |
|---|
| 6 | #include <linux/slab.h> |
|---|
| 7 | #include <linux/audit.h> |
|---|
| 8 | #include <linux/types.h> |
|---|
| 9 | #include <crypto/sha2.h> |
|---|
| 10 | |
|---|
| 11 | #include "ipe.h" |
|---|
| 12 | #include "eval.h" |
|---|
| 13 | #include "hooks.h" |
|---|
| 14 | #include "policy.h" |
|---|
| 15 | #include "audit.h" |
|---|
| 16 | #include "digest.h" |
|---|
| 17 | |
|---|
| 18 | #define ACTSTR(x) ((x) == IPE_ACTION_ALLOW ? "ALLOW" : "DENY") |
|---|
| 19 | |
|---|
| 20 | #define IPE_AUDIT_HASH_ALG "sha256" /* keep in sync with audit_policy() */ |
|---|
| 21 | |
|---|
| 22 | #define AUDIT_POLICY_LOAD_FMT "policy_name=\"%s\" policy_version=%hu.%hu.%hu "\ |
|---|
| 23 | "policy_digest=" IPE_AUDIT_HASH_ALG ":" |
|---|
| 24 | #define AUDIT_POLICY_LOAD_NULL_FMT "policy_name=? policy_version=? "\ |
|---|
| 25 | "policy_digest=?" |
|---|
| 26 | #define AUDIT_OLD_ACTIVE_POLICY_FMT "old_active_pol_name=\"%s\" "\ |
|---|
| 27 | "old_active_pol_version=%hu.%hu.%hu "\ |
|---|
| 28 | "old_policy_digest=" IPE_AUDIT_HASH_ALG ":" |
|---|
| 29 | #define AUDIT_OLD_ACTIVE_POLICY_NULL_FMT "old_active_pol_name=? "\ |
|---|
| 30 | "old_active_pol_version=? "\ |
|---|
| 31 | "old_policy_digest=?" |
|---|
| 32 | #define AUDIT_NEW_ACTIVE_POLICY_FMT "new_active_pol_name=\"%s\" "\ |
|---|
| 33 | "new_active_pol_version=%hu.%hu.%hu "\ |
|---|
| 34 | "new_policy_digest=" IPE_AUDIT_HASH_ALG ":" |
|---|
| 35 | |
|---|
| 36 | static const char *const audit_op_names[__IPE_OP_MAX + 1] = { |
|---|
| 37 | "EXECUTE" , |
|---|
| 38 | "FIRMWARE" , |
|---|
| 39 | "KMODULE" , |
|---|
| 40 | "KEXEC_IMAGE" , |
|---|
| 41 | "KEXEC_INITRAMFS" , |
|---|
| 42 | "POLICY" , |
|---|
| 43 | "X509_CERT" , |
|---|
| 44 | "UNKNOWN" , |
|---|
| 45 | }; |
|---|
| 46 | |
|---|
| 47 | static const char *const audit_hook_names[__IPE_HOOK_MAX] = { |
|---|
| 48 | "BPRM_CHECK" , |
|---|
| 49 | "BPRM_CREDS_FOR_EXEC" , |
|---|
| 50 | "MMAP" , |
|---|
| 51 | "MPROTECT" , |
|---|
| 52 | "KERNEL_READ" , |
|---|
| 53 | "KERNEL_LOAD" , |
|---|
| 54 | }; |
|---|
| 55 | |
|---|
| 56 | static const char *const audit_prop_names[__IPE_PROP_MAX] = { |
|---|
| 57 | "boot_verified=FALSE" , |
|---|
| 58 | "boot_verified=TRUE" , |
|---|
| 59 | "dmverity_roothash=" , |
|---|
| 60 | "dmverity_signature=FALSE" , |
|---|
| 61 | "dmverity_signature=TRUE" , |
|---|
| 62 | "fsverity_digest=" , |
|---|
| 63 | "fsverity_signature=FALSE" , |
|---|
| 64 | "fsverity_signature=TRUE" , |
|---|
| 65 | }; |
|---|
| 66 | |
|---|
| 67 | /** |
|---|
| 68 | * audit_dmv_roothash() - audit the roothash of a dmverity_roothash property. |
|---|
| 69 | * @ab: Supplies a pointer to the audit_buffer to append to. |
|---|
| 70 | * @rh: Supplies a pointer to the digest structure. |
|---|
| 71 | */ |
|---|
| 72 | static void audit_dmv_roothash(struct audit_buffer *ab, const void *rh) |
|---|
| 73 | { |
|---|
| 74 | audit_log_format(ab, fmt: "%s" , audit_prop_names[IPE_PROP_DMV_ROOTHASH]); |
|---|
| 75 | ipe_digest_audit(ab, val: rh); |
|---|
| 76 | } |
|---|
| 77 | |
|---|
| 78 | /** |
|---|
| 79 | * audit_fsv_digest() - audit the digest of a fsverity_digest property. |
|---|
| 80 | * @ab: Supplies a pointer to the audit_buffer to append to. |
|---|
| 81 | * @d: Supplies a pointer to the digest structure. |
|---|
| 82 | */ |
|---|
| 83 | static void audit_fsv_digest(struct audit_buffer *ab, const void *d) |
|---|
| 84 | { |
|---|
| 85 | audit_log_format(ab, fmt: "%s" , audit_prop_names[IPE_PROP_FSV_DIGEST]); |
|---|
| 86 | ipe_digest_audit(ab, val: d); |
|---|
| 87 | } |
|---|
| 88 | |
|---|
| 89 | /** |
|---|
| 90 | * audit_rule() - audit an IPE policy rule. |
|---|
| 91 | * @ab: Supplies a pointer to the audit_buffer to append to. |
|---|
| 92 | * @r: Supplies a pointer to the ipe_rule to approximate a string form for. |
|---|
| 93 | */ |
|---|
| 94 | static void audit_rule(struct audit_buffer *ab, const struct ipe_rule *r) |
|---|
| 95 | { |
|---|
| 96 | const struct ipe_prop *ptr; |
|---|
| 97 | |
|---|
| 98 | audit_log_format(ab, fmt: " rule=\"op=%s " , audit_op_names[r->op]); |
|---|
| 99 | |
|---|
| 100 | list_for_each_entry(ptr, &r->props, next) { |
|---|
| 101 | switch (ptr->type) { |
|---|
| 102 | case IPE_PROP_DMV_ROOTHASH: |
|---|
| 103 | audit_dmv_roothash(ab, rh: ptr->value); |
|---|
| 104 | break; |
|---|
| 105 | case IPE_PROP_FSV_DIGEST: |
|---|
| 106 | audit_fsv_digest(ab, d: ptr->value); |
|---|
| 107 | break; |
|---|
| 108 | default: |
|---|
| 109 | audit_log_format(ab, fmt: "%s" , audit_prop_names[ptr->type]); |
|---|
| 110 | break; |
|---|
| 111 | } |
|---|
| 112 | |
|---|
| 113 | audit_log_format(ab, fmt: " " ); |
|---|
| 114 | } |
|---|
| 115 | |
|---|
| 116 | audit_log_format(ab, fmt: "action=%s\"" , ACTSTR(r->action)); |
|---|
| 117 | } |
|---|
| 118 | |
|---|
| 119 | /** |
|---|
| 120 | * ipe_audit_match() - Audit a rule match in a policy evaluation. |
|---|
| 121 | * @ctx: Supplies a pointer to the evaluation context that was used in the |
|---|
| 122 | * evaluation. |
|---|
| 123 | * @match_type: Supplies the scope of the match: rule, operation default, |
|---|
| 124 | * global default. |
|---|
| 125 | * @act: Supplies the IPE's evaluation decision, deny or allow. |
|---|
| 126 | * @r: Supplies a pointer to the rule that was matched, if possible. |
|---|
| 127 | */ |
|---|
| 128 | void ipe_audit_match(const struct ipe_eval_ctx *const ctx, |
|---|
| 129 | enum ipe_match match_type, |
|---|
| 130 | enum ipe_action_type act, const struct ipe_rule *const r) |
|---|
| 131 | { |
|---|
| 132 | const char *op = audit_op_names[ctx->op]; |
|---|
| 133 | char comm[sizeof(current->comm)]; |
|---|
| 134 | struct audit_buffer *ab; |
|---|
| 135 | struct inode *inode; |
|---|
| 136 | |
|---|
| 137 | if (act != IPE_ACTION_DENY && !READ_ONCE(success_audit)) |
|---|
| 138 | return; |
|---|
| 139 | |
|---|
| 140 | ab = audit_log_start(ctx: audit_context(), GFP_ATOMIC | __GFP_NOWARN, |
|---|
| 141 | AUDIT_IPE_ACCESS); |
|---|
| 142 | if (!ab) |
|---|
| 143 | return; |
|---|
| 144 | |
|---|
| 145 | audit_log_format(ab, fmt: "ipe_op=%s ipe_hook=%s enforcing=%d pid=%d comm=" , |
|---|
| 146 | op, audit_hook_names[ctx->hook], READ_ONCE(enforce), |
|---|
| 147 | task_tgid_nr(current)); |
|---|
| 148 | audit_log_untrustedstring(ab, get_task_comm(comm, current)); |
|---|
| 149 | |
|---|
| 150 | if (ctx->file) { |
|---|
| 151 | audit_log_d_path(ab, prefix: " path=" , path: &ctx->file->f_path); |
|---|
| 152 | inode = file_inode(f: ctx->file); |
|---|
| 153 | if (inode) { |
|---|
| 154 | audit_log_format(ab, fmt: " dev=" ); |
|---|
| 155 | audit_log_untrustedstring(ab, string: inode->i_sb->s_id); |
|---|
| 156 | audit_log_format(ab, fmt: " ino=%lu" , inode->i_ino); |
|---|
| 157 | } else { |
|---|
| 158 | audit_log_format(ab, fmt: " dev=? ino=?" ); |
|---|
| 159 | } |
|---|
| 160 | } else { |
|---|
| 161 | audit_log_format(ab, fmt: " path=? dev=? ino=?" ); |
|---|
| 162 | } |
|---|
| 163 | |
|---|
| 164 | if (match_type == IPE_MATCH_RULE) |
|---|
| 165 | audit_rule(ab, r); |
|---|
| 166 | else if (match_type == IPE_MATCH_TABLE) |
|---|
| 167 | audit_log_format(ab, fmt: " rule=\"DEFAULT op=%s action=%s\"" , op, |
|---|
| 168 | ACTSTR(act)); |
|---|
| 169 | else |
|---|
| 170 | audit_log_format(ab, fmt: " rule=\"DEFAULT action=%s\"" , |
|---|
| 171 | ACTSTR(act)); |
|---|
| 172 | |
|---|
| 173 | audit_log_end(ab); |
|---|
| 174 | } |
|---|
| 175 | |
|---|
| 176 | /** |
|---|
| 177 | * audit_policy() - Audit a policy's name, version and thumbprint to @ab. |
|---|
| 178 | * @ab: Supplies a pointer to the audit buffer to append to. |
|---|
| 179 | * @audit_format: Supplies a pointer to the audit format string |
|---|
| 180 | * @p: Supplies a pointer to the policy to audit. |
|---|
| 181 | */ |
|---|
| 182 | static void audit_policy(struct audit_buffer *ab, |
|---|
| 183 | const char *audit_format, |
|---|
| 184 | const struct ipe_policy *const p) |
|---|
| 185 | { |
|---|
| 186 | u8 digest[SHA256_DIGEST_SIZE]; |
|---|
| 187 | |
|---|
| 188 | sha256(data: p->pkcs7, len: p->pkcs7len, out: digest); |
|---|
| 189 | |
|---|
| 190 | audit_log_format(ab, fmt: audit_format, p->parsed->name, |
|---|
| 191 | p->parsed->version.major, p->parsed->version.minor, |
|---|
| 192 | p->parsed->version.rev); |
|---|
| 193 | audit_log_n_hex(ab, buf: digest, len: sizeof(digest)); |
|---|
| 194 | } |
|---|
| 195 | |
|---|
| 196 | /** |
|---|
| 197 | * ipe_audit_policy_activation() - Audit a policy being activated. |
|---|
| 198 | * @op: Supplies a pointer to the previously activated policy to audit. |
|---|
| 199 | * @np: Supplies a pointer to the newly activated policy to audit. |
|---|
| 200 | */ |
|---|
| 201 | void ipe_audit_policy_activation(const struct ipe_policy *const op, |
|---|
| 202 | const struct ipe_policy *const np) |
|---|
| 203 | { |
|---|
| 204 | struct audit_buffer *ab; |
|---|
| 205 | |
|---|
| 206 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, |
|---|
| 207 | AUDIT_IPE_CONFIG_CHANGE); |
|---|
| 208 | if (!ab) |
|---|
| 209 | return; |
|---|
| 210 | |
|---|
| 211 | if (op) { |
|---|
| 212 | audit_policy(ab, AUDIT_OLD_ACTIVE_POLICY_FMT, p: op); |
|---|
| 213 | audit_log_format(ab, fmt: " " ); |
|---|
| 214 | } else { |
|---|
| 215 | /* |
|---|
| 216 | * old active policy can be NULL if there is no kernel |
|---|
| 217 | * built-in policy |
|---|
| 218 | */ |
|---|
| 219 | audit_log_format(ab, AUDIT_OLD_ACTIVE_POLICY_NULL_FMT); |
|---|
| 220 | audit_log_format(ab, fmt: " " ); |
|---|
| 221 | } |
|---|
| 222 | audit_policy(ab, AUDIT_NEW_ACTIVE_POLICY_FMT, p: np); |
|---|
| 223 | audit_log_format(ab, fmt: " auid=%u ses=%u lsm=ipe res=1" , |
|---|
| 224 | from_kuid(to: &init_user_ns, uid: audit_get_loginuid(current)), |
|---|
| 225 | audit_get_sessionid(current)); |
|---|
| 226 | |
|---|
| 227 | audit_log_end(ab); |
|---|
| 228 | } |
|---|
| 229 | |
|---|
| 230 | /** |
|---|
| 231 | * ipe_audit_policy_load() - Audit a policy loading event. |
|---|
| 232 | * @p: Supplies a pointer to the policy to audit or an error pointer. |
|---|
| 233 | */ |
|---|
| 234 | void ipe_audit_policy_load(const struct ipe_policy *const p) |
|---|
| 235 | { |
|---|
| 236 | struct audit_buffer *ab; |
|---|
| 237 | int err = 0; |
|---|
| 238 | |
|---|
| 239 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, |
|---|
| 240 | AUDIT_IPE_POLICY_LOAD); |
|---|
| 241 | if (!ab) |
|---|
| 242 | return; |
|---|
| 243 | |
|---|
| 244 | if (!IS_ERR(ptr: p)) { |
|---|
| 245 | audit_policy(ab, AUDIT_POLICY_LOAD_FMT, p); |
|---|
| 246 | } else { |
|---|
| 247 | audit_log_format(ab, AUDIT_POLICY_LOAD_NULL_FMT); |
|---|
| 248 | err = PTR_ERR(ptr: p); |
|---|
| 249 | } |
|---|
| 250 | |
|---|
| 251 | audit_log_format(ab, fmt: " auid=%u ses=%u lsm=ipe res=%d errno=%d" , |
|---|
| 252 | from_kuid(to: &init_user_ns, uid: audit_get_loginuid(current)), |
|---|
| 253 | audit_get_sessionid(current), !err, err); |
|---|
| 254 | |
|---|
| 255 | audit_log_end(ab); |
|---|
| 256 | } |
|---|
| 257 | |
|---|
| 258 | /** |
|---|
| 259 | * ipe_audit_enforce() - Audit a change in IPE's enforcement state. |
|---|
| 260 | * @new_enforce: The new value enforce to be set. |
|---|
| 261 | * @old_enforce: The old value currently in enforce. |
|---|
| 262 | */ |
|---|
| 263 | void ipe_audit_enforce(bool new_enforce, bool old_enforce) |
|---|
| 264 | { |
|---|
| 265 | struct audit_buffer *ab; |
|---|
| 266 | |
|---|
| 267 | ab = audit_log_start(ctx: audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS); |
|---|
| 268 | if (!ab) |
|---|
| 269 | return; |
|---|
| 270 | |
|---|
| 271 | audit_log(ctx: audit_context(), GFP_KERNEL, AUDIT_MAC_STATUS, |
|---|
| 272 | fmt: "enforcing=%d old_enforcing=%d auid=%u ses=%u" |
|---|
| 273 | " enabled=1 old-enabled=1 lsm=ipe res=1" , |
|---|
| 274 | new_enforce, old_enforce, |
|---|
| 275 | from_kuid(to: &init_user_ns, uid: audit_get_loginuid(current)), |
|---|
| 276 | audit_get_sessionid(current)); |
|---|
| 277 | |
|---|
| 278 | audit_log_end(ab); |
|---|
| 279 | } |
|---|
| 280 | |
|---|
