From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, linux-audit@redhat.com Subject: [PATCH v15 21/23] Audit: Include object data for all security modules Date: Fri, 21 Feb 2020 16:04:07 -0800 [thread overview] Message-ID: <20200222000407.110158-14-casey@schaufler-ca.com> (raw) In-Reply-To: <20200222000407.110158-1-casey@schaufler-ca.com> When there is more than one context displaying security module extend what goes into the audit record by supplimenting the "obj=" with an "obj_<lsm>=" for each such security module. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc:linux-audit@redhat.com --- kernel/audit.h | 4 +- kernel/auditsc.c | 106 ++++++++++++++++++++++++----------------------- 2 files changed, 56 insertions(+), 54 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index f65f516913c6..9a26ba213f6a 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -152,7 +152,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 68ae5fa843c1..7dab48661e31 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -659,7 +659,6 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, f->type, @@ -667,7 +666,6 @@ static int audit_filter_rules(struct task_struct *tsk, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, name->osid); if (security_audit_rule_match( &blob, f->type, @@ -681,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rules)) ++result; @@ -956,13 +953,57 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } +static int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + struct lsmcontext context; + const char *lsm; + int i; + + /* + * None of the installed modules have object labels. + */ + if (security_lsm_slot_name(0) == NULL) + return 0; + + if (blob->secid[0] != 0) { + if (security_secid_to_secctx(blob, &context, 0)) { + audit_log_format(ab, " obj=?"); + return 1; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + } + + /* + * Don't do anything more unless there is more than one LSM + * with a security context to report. + */ + if (security_lsm_slot_name(1) == NULL) + return 0; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + lsm = security_lsm_slot_name(i); + if (lsm == NULL) + break; + if (blob->secid[i] == 0) + continue; + if (security_secid_to_secctx(blob, &context, i)) { + audit_log_format(ab, " obj_%s=?", lsm); + continue; + } + audit_log_format(ab, " obj_%s=%s", lsm, context.context); + security_release_secctx(&context); + } + return 0; +} + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -972,15 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1207,26 +1240,14 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = & context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1366,20 +1387,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { @@ -1929,17 +1938,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; @@ -2285,14 +2290,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* scaffolding on the [0] - change "osid" to a lsmblob */ - context->ipc.osid = blob.secid[0]; + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } -- 2.24.1
WARNING: multiple messages have this Message-ID (diff)
From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, linux-audit@redhat.com Subject: [PATCH v15 21/23] Audit: Include object data for all security modules Date: Fri, 21 Feb 2020 16:04:07 -0800 [thread overview] Message-ID: <20200222000407.110158-14-casey@schaufler-ca.com> (raw) Message-ID: <20200222000407.qAWeptHUWxArybuusccPe-4_cISyImsXLWXvJRlmH2A@z> (raw) In-Reply-To: <20200222000407.110158-1-casey@schaufler-ca.com> When there is more than one context displaying security module extend what goes into the audit record by supplimenting the "obj=" with an "obj_<lsm>=" for each such security module. Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Cc:linux-audit@redhat.com --- kernel/audit.h | 4 +- kernel/auditsc.c | 106 ++++++++++++++++++++++++----------------------- 2 files changed, 56 insertions(+), 54 deletions(-) diff --git a/kernel/audit.h b/kernel/audit.h index f65f516913c6..9a26ba213f6a 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -152,7 +152,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 68ae5fa843c1..7dab48661e31 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -659,7 +659,6 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, f->type, @@ -667,7 +666,6 @@ static int audit_filter_rules(struct task_struct *tsk, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, name->osid); if (security_audit_rule_match( &blob, f->type, @@ -681,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rules)) ++result; @@ -956,13 +953,57 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } +static int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + struct lsmcontext context; + const char *lsm; + int i; + + /* + * None of the installed modules have object labels. + */ + if (security_lsm_slot_name(0) == NULL) + return 0; + + if (blob->secid[0] != 0) { + if (security_secid_to_secctx(blob, &context, 0)) { + audit_log_format(ab, " obj=?"); + return 1; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + } + + /* + * Don't do anything more unless there is more than one LSM + * with a security context to report. + */ + if (security_lsm_slot_name(1) == NULL) + return 0; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + lsm = security_lsm_slot_name(i); + if (lsm == NULL) + break; + if (blob->secid[i] == 0) + continue; + if (security_secid_to_secctx(blob, &context, i)) { + audit_log_format(ab, " obj_%s=?", lsm); + continue; + } + audit_log_format(ab, " obj_%s=%s", lsm, context.context); + security_release_secctx(&context); + } + return 0; +} + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -972,15 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1207,26 +1240,14 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = & context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1366,20 +1387,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { @@ -1929,17 +1938,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; @@ -2285,14 +2290,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* scaffolding on the [0] - change "osid" to a lsmblob */ - context->ipc.osid = blob.secid[0]; + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } -- 2.24.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2020-02-22 0:06 UTC|newest] Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top [not found] <20200222000407.110158-1-casey.ref@schaufler-ca.com> 2020-02-22 0:03 ` [PATCH v15 00/23] LSM: Module stacking for AppArmor Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-02-22 0:03 ` [PATCH v15 01/23] LSM: Infrastructure management of the sock security Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-02-22 0:03 ` [PATCH v15 02/23] LSM: Create and manage the lsmblob data structure Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-03-06 20:55 ` Paul Moore 2020-02-22 0:03 ` [PATCH v15 03/23] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-03-06 22:01 ` Paul Moore 2020-03-09 23:58 ` Casey Schaufler 2020-03-10 0:55 ` Paul Moore 2020-02-22 0:03 ` [PATCH v15 07/23] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-03-07 1:17 ` Paul Moore 2020-02-22 0:03 ` [PATCH v15 08/23] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler 2020-02-22 0:03 ` Casey Schaufler 2020-03-07 1:21 ` Paul Moore 2020-02-22 0:04 ` [PATCH v15 09/23] LSM: Use lsmblob in security_task_getsecid Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-02-22 0:04 ` [PATCH v15 10/23] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-02-22 0:04 ` [PATCH v15 11/23] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-03-07 1:36 ` Paul Moore 2020-02-22 0:04 ` [PATCH v15 12/23] IMA: Change internal interfaces to use lsmblobs Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-02-22 0:04 ` [PATCH v15 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-02-22 0:04 ` [PATCH v15 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-03-07 2:01 ` Paul Moore 2020-02-22 0:04 ` [PATCH v15 20/23] Audit: Add subj_LSM fields when necessary Casey Schaufler 2020-02-22 0:04 ` Casey Schaufler 2020-03-07 2:18 ` Paul Moore 2020-03-07 2:24 ` Paul Moore 2020-03-10 1:25 ` Casey Schaufler 2020-03-10 21:46 ` Paul Moore 2020-02-22 0:04 ` Casey Schaufler [this message] 2020-02-22 0:04 ` [PATCH v15 21/23] Audit: Include object data for all security modules Casey Schaufler 2020-03-07 2:31 ` Paul Moore 2020-03-09 17:45 ` Casey Schaufler 2020-03-09 17:59 ` Paul Moore 2020-03-09 23:01 ` Casey Schaufler 2020-03-10 21:42 ` Paul Moore 2020-02-27 17:29 ` [PATCH v15 00/23] LSM: Module stacking for AppArmor Casey Schaufler 2020-03-03 17:22 ` Casey Schaufler 2020-03-03 17:54 ` Paul Moore 2020-03-03 17:58 ` Casey Schaufler 2020-03-06 17:14 ` Steve Grubb 2020-03-09 17:15 ` Casey Schaufler 2020-02-14 23:41 Casey Schaufler 2020-02-14 23:42 ` [PATCH v15 21/23] Audit: Include object data for all security modules Casey Schaufler
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20200222000407.110158-14-casey@schaufler-ca.com \ --to=casey@schaufler-ca.com \ --cc=casey.schaufler@intel.com \ --cc=linux-audit@redhat.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.