From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 8240BC433F5 for ; Tue, 26 Apr 2022 03:38:32 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S241060AbiDZDle (ORCPT ); Mon, 25 Apr 2022 23:41:34 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48244 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239126AbiDZDlZ (ORCPT ); Mon, 25 Apr 2022 23:41:25 -0400 Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 59DF2ECCCC; Mon, 25 Apr 2022 20:38:15 -0700 (PDT) Received: from [192.168.192.153] (unknown [50.126.114.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id A47813F9E0; Tue, 26 Apr 2022 03:38:06 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=canonical.com; s=20210705; t=1650944288; bh=t5BVhVwPX2LjN7byClOmBAVBS2+Tcozj35sCWydq8Ho=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=i8K/sAv2iKqpr2Llk8lXY5ReC7zxrdiIPVH4k/OPhEQFyowGURO+EMMZHFayqn/Se d9LmP4ihOxZrswc1YSXuTlISvfA4pW8zIAzebHfRbDCj879IVFJFPmckPWbvMqd26H 7YkOfdcKWk/K0QxRB3P4H/8VpgsrFZStu66iIRhXgt4tcsqAGHJle1p9naSDIew1cy tCMxJYIV4G8FZkwLoqyBnwmxDC0V2e8A5itDWxW+IpvsT/ZcyDBuahzx9fNiwlaYsf +mUGKFILEvpGV74wFvOIEDwNqAOF7fIW5RpsK+lrUnIOucSiGHF5a1Q/MNUdnyyWjG RVPhWtyDHNjpA== Message-ID: Date: Mon, 25 Apr 2022 20:37:54 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH v35 27/29] Audit: Add record for multiple object contexts Content-Language: en-US To: Casey Schaufler , casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: linux-audit@redhat.com, keescook@chromium.org, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org References: <20220418145945.38797-1-casey@schaufler-ca.com> <20220418145945.38797-28-casey@schaufler-ca.com> From: John Johansen Organization: Canonical In-Reply-To: <20220418145945.38797-28-casey@schaufler-ca.com> Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 4/18/22 07:59, Casey Schaufler wrote: > Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. > An example of the MAC_OBJ_CONTEXTS (1421) record is: > > type=MAC_OBJ_CONTEXTS[1421] > msg=audit(1601152467.009:1050): > obj_selinux=unconfined_u:object_r:user_home_t:s0 > > When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record > the "obj=" field in other records in the event will be "obj=?". > An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has > multiple security modules that may make access decisions based > on an object security context. > > Signed-off-by: Casey Schaufler > --- > include/linux/audit.h | 5 +++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 47 +++++++++++++++++++++++ > kernel/auditsc.c | 79 ++++++++++++-------------------------- > 4 files changed, 77 insertions(+), 55 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 14849d5f84b4..1b05eb2dbe77 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -191,6 +191,8 @@ extern void audit_log_path_denied(int type, > const char *operation); > extern void audit_log_lost(const char *message); > > +extern void audit_log_object_context(struct audit_buffer *ab, > + struct lsmblob *blob); > extern int audit_log_task_context(struct audit_buffer *ab); > extern void audit_log_task_info(struct audit_buffer *ab); > > @@ -251,6 +253,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) > { } > static inline void audit_log_path_denied(int type, const char *operation) > { } > +static inline void audit_log_object_context(struct audit_buffer *ab, > + struct lsmblob *blob) > +{ } > static inline int audit_log_task_context(struct audit_buffer *ab) > { > return 0; > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index af0aaccfaf57..d25d76b29e3c 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -144,6 +144,7 @@ > #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ > #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ > #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ > +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */ > > #define AUDIT_FIRST_KERN_ANOM_MSG 1700 > #define AUDIT_LAST_KERN_ANOM_MSG 1799 > diff --git a/kernel/audit.c b/kernel/audit.c > index 8ed2d717c217..a8c3ec6ba60b 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2226,6 +2226,53 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) > ab->skb = skb_peek(&ab->skb_list); > } > > +void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) > +{ > + int i; > + int error; > + struct lsmcontext context; > + > + if (!lsm_multiple_contexts()) { > + error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST); > + if (error) { > + if (error != -EINVAL) > + goto error_path; > + return; > + } > + audit_log_format(ab, " obj=%s", context.context); > + security_release_secctx(&context); > + } else { > + audit_log_format(ab, " obj=?"); > + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); > + if (error) > + goto error_path; > + > + for (i = 0; i < LSMBLOB_ENTRIES; i++) { > + if (blob->secid[i] == 0) > + continue; > + error = security_secid_to_secctx(blob, &context, i); > + if (error) { > + audit_log_format(ab, "%sobj_%s=?", > + i ? " " : "", > + lsm_slot_to_name(i)); > + if (error != -EINVAL) > + audit_panic("error in audit_log_object_context"); > + } else { > + audit_log_format(ab, "%sobj_%s=%s", > + i ? " " : "", > + lsm_slot_to_name(i), > + context.context); > + security_release_secctx(&context); > + } > + } > + > + audit_buffer_aux_end(ab); > + } > + return; > + > +error_path: > + audit_panic("error in audit_log_object_context"); This moves the audit_panic around, so certain operations are not done before the call. I am currently not sure of the implications. Paul? > +} > > int audit_log_task_context(struct audit_buffer *ab) > { > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 557713954a69..04bf3c04ef3d 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1114,36 +1114,25 @@ static inline void audit_free_context(struct audit_context *context) > kfree(context); > } > > -static int audit_log_pid_context(struct audit_context *context, pid_t pid, > - kuid_t auid, kuid_t uid, > - unsigned int sessionid, > - struct lsmblob *blob, char *comm) > +static void audit_log_pid_context(struct audit_context *context, pid_t pid, > + kuid_t auid, kuid_t uid, > + unsigned int sessionid, > + struct lsmblob *blob, char *comm) > { > struct audit_buffer *ab; > - struct lsmcontext lsmctx; > - int rc = 0; > > ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); > if (!ab) > - return rc; > + return; > > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, > from_kuid(&init_user_ns, auid), > from_kuid(&init_user_ns, uid), sessionid); > - if (lsmblob_is_set(blob)) { > - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { > - audit_log_format(ab, " obj=(none)"); > - rc = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + if (lsmblob_is_set(blob)) > + audit_log_object_context(ab, blob); > audit_log_format(ab, " ocomm="); > audit_log_untrustedstring(ab, comm); > audit_log_end(ab); > - > - return rc; > } > > static void audit_log_execve_info(struct audit_context *context, > @@ -1420,18 +1409,10 @@ static void show_special(struct audit_context *context, int *call_panic) If pushing audit_panic into audit_log_object_context() is acceptable then this call_panic arg is no longer needed. The same goes for the call_panic arg in audit_log_name(). And call_panic can be dropped from audit_log_exit() > from_kgid(&init_user_ns, context->ipc.gid), > context->ipc.mode); > if (osid) { > - struct lsmcontext lsmcxt; > struct lsmblob blob; > > lsmblob_init(&blob, osid); > - if (security_secid_to_secctx(&blob, &lsmcxt, > - LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=%u", osid); > - *call_panic = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmcxt.context); > - security_release_secctx(&lsmcxt); > - } > + audit_log_object_context(ab, &blob); > } > if (context->ipc.has_perm) { > audit_log_end(ab); > @@ -1588,19 +1569,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, > from_kgid(&init_user_ns, n->gid), > MAJOR(n->rdev), > MINOR(n->rdev)); > - if (lsmblob_is_set(&n->lsmblob)) { > - struct lsmcontext lsmctx; > - > - if (security_secid_to_secctx(&n->lsmblob, &lsmctx, > - LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=?"); > - if (call_panic) > - *call_panic = 2; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + if (lsmblob_is_set(&n->lsmblob)) > + audit_log_object_context(ab, &n->lsmblob); > > /* log the audit_names record type */ > switch (n->type) { > @@ -1805,21 +1775,20 @@ static void audit_log_exit(void) > struct audit_aux_data_pids *axs = (void *)aux; > > for (i = 0; i < axs->pid_count; i++) > - if (audit_log_pid_context(context, axs->target_pid[i], > - axs->target_auid[i], > - axs->target_uid[i], > - axs->target_sessionid[i], > - &axs->target_lsm[i], > - axs->target_comm[i])) > - call_panic = 1; > - } > - > - if (context->target_pid && > - audit_log_pid_context(context, context->target_pid, > - context->target_auid, context->target_uid, > - context->target_sessionid, > - &context->target_lsm, context->target_comm)) > - call_panic = 1; > + audit_log_pid_context(context, axs->target_pid[i], > + axs->target_auid[i], > + axs->target_uid[i], > + axs->target_sessionid[i], > + &axs->target_lsm[i], > + axs->target_comm[i]); > + } > + > + if (context->target_pid) > + audit_log_pid_context(context, context->target_pid, > + context->target_auid, context->target_uid, > + context->target_sessionid, > + &context->target_lsm, > + context->target_comm); > > if (context->pwd.dentry && context->pwd.mnt) { > ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id BFE0DC433EF for ; Tue, 26 Apr 2022 12:42:34 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mx3-rdu2.redhat.com [66.187.233.73]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-20-nz0OVnE9PLqx0uvn-1uzfg-1; Tue, 26 Apr 2022 08:42:32 -0400 X-MC-Unique: nz0OVnE9PLqx0uvn-1uzfg-1 Received: from smtp.corp.redhat.com (int-mx10.intmail.prod.int.rdu2.redhat.com [10.11.54.10]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id B85493C32B87; Tue, 26 Apr 2022 12:42:30 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0151440314F; Tue, 26 Apr 2022 12:42:28 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 2BACE1947BBE; Tue, 26 Apr 2022 12:42:28 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 88FA019451F2 for ; Tue, 26 Apr 2022 03:38:23 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 40C789E74; Tue, 26 Apr 2022 03:38:23 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast10.extmail.prod.ext.rdu2.redhat.com [10.11.55.26]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 3C35E9E77 for ; Tue, 26 Apr 2022 03:38:20 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id CD8571C08D23 for ; Tue, 26 Apr 2022 03:38:14 +0000 (UTC) Received: from smtp-relay-canonical-0.canonical.com (smtp-relay-canonical-0.canonical.com [185.125.188.120]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-328-u3RelvK6M16IEfwXFnV30g-1; Mon, 25 Apr 2022 23:38:11 -0400 X-MC-Unique: u3RelvK6M16IEfwXFnV30g-1 Received: from [192.168.192.153] (unknown [50.126.114.69]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by smtp-relay-canonical-0.canonical.com (Postfix) with ESMTPSA id A47813F9E0; Tue, 26 Apr 2022 03:38:06 +0000 (UTC) Message-ID: Date: Mon, 25 Apr 2022 20:37:54 -0700 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.7.0 Subject: Re: [PATCH v35 27/29] Audit: Add record for multiple object contexts To: Casey Schaufler , casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org References: <20220418145945.38797-1-casey@schaufler-ca.com> <20220418145945.38797-28-casey@schaufler-ca.com> From: John Johansen Organization: Canonical In-Reply-To: <20220418145945.38797-28-casey@schaufler-ca.com> X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-Mailman-Approved-At: Tue, 26 Apr 2022 12:42:26 +0000 X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: linux-kernel@vger.kernel.org, linux-audit@redhat.com Errors-To: linux-audit-bounces@redhat.com Sender: "Linux-audit" X-Scanned-By: MIMEDefang 2.85 on 10.11.54.10 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=linux-audit-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Language: en-US Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On 4/18/22 07:59, Casey Schaufler wrote: > Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. > An example of the MAC_OBJ_CONTEXTS (1421) record is: > > type=MAC_OBJ_CONTEXTS[1421] > msg=audit(1601152467.009:1050): > obj_selinux=unconfined_u:object_r:user_home_t:s0 > > When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record > the "obj=" field in other records in the event will be "obj=?". > An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has > multiple security modules that may make access decisions based > on an object security context. > > Signed-off-by: Casey Schaufler > --- > include/linux/audit.h | 5 +++ > include/uapi/linux/audit.h | 1 + > kernel/audit.c | 47 +++++++++++++++++++++++ > kernel/auditsc.c | 79 ++++++++++++-------------------------- > 4 files changed, 77 insertions(+), 55 deletions(-) > > diff --git a/include/linux/audit.h b/include/linux/audit.h > index 14849d5f84b4..1b05eb2dbe77 100644 > --- a/include/linux/audit.h > +++ b/include/linux/audit.h > @@ -191,6 +191,8 @@ extern void audit_log_path_denied(int type, > const char *operation); > extern void audit_log_lost(const char *message); > > +extern void audit_log_object_context(struct audit_buffer *ab, > + struct lsmblob *blob); > extern int audit_log_task_context(struct audit_buffer *ab); > extern void audit_log_task_info(struct audit_buffer *ab); > > @@ -251,6 +253,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) > { } > static inline void audit_log_path_denied(int type, const char *operation) > { } > +static inline void audit_log_object_context(struct audit_buffer *ab, > + struct lsmblob *blob) > +{ } > static inline int audit_log_task_context(struct audit_buffer *ab) > { > return 0; > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h > index af0aaccfaf57..d25d76b29e3c 100644 > --- a/include/uapi/linux/audit.h > +++ b/include/uapi/linux/audit.h > @@ -144,6 +144,7 @@ > #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ > #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ > #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ > +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */ > > #define AUDIT_FIRST_KERN_ANOM_MSG 1700 > #define AUDIT_LAST_KERN_ANOM_MSG 1799 > diff --git a/kernel/audit.c b/kernel/audit.c > index 8ed2d717c217..a8c3ec6ba60b 100644 > --- a/kernel/audit.c > +++ b/kernel/audit.c > @@ -2226,6 +2226,53 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) > ab->skb = skb_peek(&ab->skb_list); > } > > +void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) > +{ > + int i; > + int error; > + struct lsmcontext context; > + > + if (!lsm_multiple_contexts()) { > + error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST); > + if (error) { > + if (error != -EINVAL) > + goto error_path; > + return; > + } > + audit_log_format(ab, " obj=%s", context.context); > + security_release_secctx(&context); > + } else { > + audit_log_format(ab, " obj=?"); > + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); > + if (error) > + goto error_path; > + > + for (i = 0; i < LSMBLOB_ENTRIES; i++) { > + if (blob->secid[i] == 0) > + continue; > + error = security_secid_to_secctx(blob, &context, i); > + if (error) { > + audit_log_format(ab, "%sobj_%s=?", > + i ? " " : "", > + lsm_slot_to_name(i)); > + if (error != -EINVAL) > + audit_panic("error in audit_log_object_context"); > + } else { > + audit_log_format(ab, "%sobj_%s=%s", > + i ? " " : "", > + lsm_slot_to_name(i), > + context.context); > + security_release_secctx(&context); > + } > + } > + > + audit_buffer_aux_end(ab); > + } > + return; > + > +error_path: > + audit_panic("error in audit_log_object_context"); This moves the audit_panic around, so certain operations are not done before the call. I am currently not sure of the implications. Paul? > +} > > int audit_log_task_context(struct audit_buffer *ab) > { > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index 557713954a69..04bf3c04ef3d 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -1114,36 +1114,25 @@ static inline void audit_free_context(struct audit_context *context) > kfree(context); > } > > -static int audit_log_pid_context(struct audit_context *context, pid_t pid, > - kuid_t auid, kuid_t uid, > - unsigned int sessionid, > - struct lsmblob *blob, char *comm) > +static void audit_log_pid_context(struct audit_context *context, pid_t pid, > + kuid_t auid, kuid_t uid, > + unsigned int sessionid, > + struct lsmblob *blob, char *comm) > { > struct audit_buffer *ab; > - struct lsmcontext lsmctx; > - int rc = 0; > > ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); > if (!ab) > - return rc; > + return; > > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, > from_kuid(&init_user_ns, auid), > from_kuid(&init_user_ns, uid), sessionid); > - if (lsmblob_is_set(blob)) { > - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { > - audit_log_format(ab, " obj=(none)"); > - rc = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + if (lsmblob_is_set(blob)) > + audit_log_object_context(ab, blob); > audit_log_format(ab, " ocomm="); > audit_log_untrustedstring(ab, comm); > audit_log_end(ab); > - > - return rc; > } > > static void audit_log_execve_info(struct audit_context *context, > @@ -1420,18 +1409,10 @@ static void show_special(struct audit_context *context, int *call_panic) If pushing audit_panic into audit_log_object_context() is acceptable then this call_panic arg is no longer needed. The same goes for the call_panic arg in audit_log_name(). And call_panic can be dropped from audit_log_exit() > from_kgid(&init_user_ns, context->ipc.gid), > context->ipc.mode); > if (osid) { > - struct lsmcontext lsmcxt; > struct lsmblob blob; > > lsmblob_init(&blob, osid); > - if (security_secid_to_secctx(&blob, &lsmcxt, > - LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=%u", osid); > - *call_panic = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmcxt.context); > - security_release_secctx(&lsmcxt); > - } > + audit_log_object_context(ab, &blob); > } > if (context->ipc.has_perm) { > audit_log_end(ab); > @@ -1588,19 +1569,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, > from_kgid(&init_user_ns, n->gid), > MAJOR(n->rdev), > MINOR(n->rdev)); > - if (lsmblob_is_set(&n->lsmblob)) { > - struct lsmcontext lsmctx; > - > - if (security_secid_to_secctx(&n->lsmblob, &lsmctx, > - LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=?"); > - if (call_panic) > - *call_panic = 2; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + if (lsmblob_is_set(&n->lsmblob)) > + audit_log_object_context(ab, &n->lsmblob); > > /* log the audit_names record type */ > switch (n->type) { > @@ -1805,21 +1775,20 @@ static void audit_log_exit(void) > struct audit_aux_data_pids *axs = (void *)aux; > > for (i = 0; i < axs->pid_count; i++) > - if (audit_log_pid_context(context, axs->target_pid[i], > - axs->target_auid[i], > - axs->target_uid[i], > - axs->target_sessionid[i], > - &axs->target_lsm[i], > - axs->target_comm[i])) > - call_panic = 1; > - } > - > - if (context->target_pid && > - audit_log_pid_context(context, context->target_pid, > - context->target_auid, context->target_uid, > - context->target_sessionid, > - &context->target_lsm, context->target_comm)) > - call_panic = 1; > + audit_log_pid_context(context, axs->target_pid[i], > + axs->target_auid[i], > + axs->target_uid[i], > + axs->target_sessionid[i], > + &axs->target_lsm[i], > + axs->target_comm[i]); > + } > + > + if (context->target_pid) > + audit_log_pid_context(context, context->target_pid, > + context->target_auid, context->target_uid, > + context->target_sessionid, > + &context->target_lsm, > + context->target_comm); > > if (context->pwd.dentry && context->pwd.mnt) { > ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD); -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit