From: Paul Moore <paul@paul-moore.com>
To: "Michael Weiß" <michael.weiss@aisec.fraunhofer.de>
Cc: Mike Snitzer <snitzer@redhat.com>,
linux-kernel@vger.kernel.org, Eric Paris <eparis@redhat.com>,
linux-raid@vger.kernel.org, Song Liu <song@kernel.org>,
dm-devel@redhat.com, linux-audit@redhat.com,
Casey Schaufler <casey@schaufler-ca.com>,
Alasdair Kergon <agk@redhat.com>
Subject: Re: [dm-devel] [PATCH v3 1/3] dm: introduce audit event module for device mapper
Date: Fri, 3 Sep 2021 13:27:00 -0400 [thread overview]
Message-ID: <CAHC9VhSa6mMAPocicaMNsWJr6eMsM7G6Ap6Ywoy8m89cCf=txg@mail.gmail.com> (raw)
In-Reply-To: <20210831191845.7928-2-michael.weiss@aisec.fraunhofer.de>
On Tue, Aug 31, 2021 at 3:19 PM Michael Weiß
<michael.weiss@aisec.fraunhofer.de> wrote:
>
> To be able to send auditing events to user space, we introduce a
> generic dm-audit module. It provides helper functions to emit audit
> events through the kernel audit subsystem. We claim the
> AUDIT_DM_CTRL type=1336 and AUDIT_DM_EVENT type=1337 out of the
> audit event messages range in the corresponding userspace api in
> 'include/uapi/linux/audit.h' for those events.
>
> AUDIT_DM_CTRL is used to provide information about creation and
> destruction of device mapper targets which are triggered by user space
> admin control actions.
> AUDIT_DM_EVENT is used to provide information about actual errors
> during operation of the mapped device, showing e.g. integrity
> violations in audit log.
>
> Following commits to device mapper targets actually will make use of
> this to emit those events in relevant cases.
>
> The audit logs look like this if executing the following simple test:
>
> # dd if=/dev/zero of=test.img bs=1M count=1024
> # losetup -f test.img
> # integritysetup -vD format --integrity sha256 -t 32 /dev/loop0
> # integritysetup open -D /dev/loop0 --integrity sha256 integritytest
> # integritysetup status integritytest
> # integritysetup close integritytest
> # integritysetup open -D /dev/loop0 --integrity sha256 integritytest
> # integritysetup status integritytest
> # dd if=/dev/urandom of=/dev/loop0 bs=512 count=1 seek=100000
> # dd if=/dev/mapper/integritytest of=/dev/null
>
> -------------------------
> audit.log from auditd
>
> type=UNKNOWN[1336] msg=audit(1630425039.363:184): module=integrity
> op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
> type=UNKNOWN[1336] msg=audit(1630425039.471:185): module=integrity
> op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
> type=UNKNOWN[1336] msg=audit(1630425039.611:186): module=integrity
> op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
> type=UNKNOWN[1336] msg=audit(1630425054.475:187): module=integrity
> op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
>
> type=UNKNOWN[1336] msg=audit(1630425073.171:191): module=integrity
> op=ctr ppid=3807 pid=3883 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
>
> type=UNKNOWN[1336] msg=audit(1630425087.239:192): module=integrity
> op=dtr ppid=3807 pid=3902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
>
> type=UNKNOWN[1336] msg=audit(1630425093.755:193): module=integrity
> op=ctr ppid=3807 pid=3906 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup"
> exe="/sbin/integritysetup" subj==unconfined dev=254:3
> error_msg='success' res=1
>
> type=UNKNOWN[1337] msg=audit(1630425112.119:194): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:195): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:196): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:197): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:198): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:199): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:200): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:201): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:202): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
> type=UNKNOWN[1337] msg=audit(1630425112.119:203): module=integrity
> op=integrity-checksum dev=254:3 sector 77480 res=0
>
> Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
> ---
> drivers/md/Kconfig | 10 +++++
> drivers/md/Makefile | 4 ++
> drivers/md/dm-audit.c | 79 ++++++++++++++++++++++++++++++++++++++
> drivers/md/dm-audit.h | 62 ++++++++++++++++++++++++++++++
> include/uapi/linux/audit.h | 2 +
> 5 files changed, 157 insertions(+)
> create mode 100644 drivers/md/dm-audit.c
> create mode 100644 drivers/md/dm-audit.h
>
> diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> index 0602e82a9516..48adbec12148 100644
> --- a/drivers/md/Kconfig
> +++ b/drivers/md/Kconfig
> @@ -608,6 +608,7 @@ config DM_INTEGRITY
> select CRYPTO
> select CRYPTO_SKCIPHER
> select ASYNC_XOR
> + select DM_AUDIT if AUDIT
> help
> This device-mapper target emulates a block device that has
> additional per-sector tags that can be used for storing
> @@ -640,4 +641,13 @@ config DM_ZONED
>
> If unsure, say N.
>
> +config DM_AUDIT
> + bool "DM audit events"
> + depends on AUDIT
> + help
> + Generate audit events for device-mapper.
> +
> + Enables audit logging of several security relevant events in the
> + particular device-mapper targets, especially the integrity target.
> +
> endif # MD
> diff --git a/drivers/md/Makefile b/drivers/md/Makefile
> index a74aaf8b1445..2f83d649500d 100644
> --- a/drivers/md/Makefile
> +++ b/drivers/md/Makefile
> @@ -103,3 +103,7 @@ endif
> ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y)
> dm-verity-objs += dm-verity-verify-sig.o
> endif
> +
> +ifeq ($(CONFIG_DM_AUDIT),y)
> +dm-mod-objs += dm-audit.o
> +endif
> diff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c
> new file mode 100644
> index 000000000000..761ecfdcd49a
> --- /dev/null
> +++ b/drivers/md/dm-audit.c
> @@ -0,0 +1,79 @@
> +// SPDX-License-Identifier: GPL-2.0
> +/*
> + * Creating audit records for mapped devices.
> + *
> + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved.
> + *
> + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de>
> + */
> +
> +#include <linux/audit.h>
> +#include <linux/module.h>
> +#include <linux/device-mapper.h>
> +#include <linux/bio.h>
> +#include <linux/blkdev.h>
> +
> +#include "dm-audit.h"
> +#include "dm-core.h"
> +
> +static struct audit_buffer *dm_audit_log_start(int audit_type,
> + const char *dm_msg_prefix,
> + const char *op)
> +{
> + struct audit_buffer *ab;
> +
> + if (audit_enabled == AUDIT_OFF)
> + return NULL;
> +
> + ab = audit_log_start(audit_context(), GFP_KERNEL, audit_type);
> + if (unlikely(!ab))
> + return NULL;
> +
> + audit_log_format(ab, "module=%s op=%s", dm_msg_prefix, op);
> + return ab;
> +}
> +
> +void dm_audit_log_ti(int audit_type, const char *dm_msg_prefix, const char *op,
> + struct dm_target *ti, int result)
> +{
> + struct audit_buffer *ab;
> + struct mapped_device *md = dm_table_get_md(ti->table);
> + int dev_major = dm_disk(md)->major;
> + int dev_minor = dm_disk(md)->first_minor;
> +
> + ab = dm_audit_log_start(audit_type, dm_msg_prefix, op);
> + if (unlikely(!ab))
> + return;
> +
> + switch (audit_type) {
> + case AUDIT_DM_CTRL:
> + audit_log_task_info(ab);
> + audit_log_format(ab, " dev=%d:%d error_msg='%s'", dev_major,
> + dev_minor, !result ? ti->error : "success");
> + break;
> + case AUDIT_DM_EVENT:
> + audit_log_format(ab, " dev=%d:%d sector=?", dev_major,
> + dev_minor);
> + break;
> + }
> + audit_log_format(ab, " res=%d", result);
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(dm_audit_log_ti);
Just checking, but are you okay when the inevitable happens and
someone passes an @audit_type that is not either AUDIT_CM_CTRL or
AUDIT_DM_EVENT? Right now that will succeed without error and give a
rather short audit record.
> +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op,
> + struct bio *bio, sector_t sector, int result)
> +{
> + struct audit_buffer *ab;
> + int dev_major = MAJOR(bio->bi_bdev->bd_dev);
> + int dev_minor = MINOR(bio->bi_bdev->bd_dev);
> +
> + ab = dm_audit_log_start(AUDIT_DM_EVENT, dm_msg_prefix, op);
> + if (unlikely(!ab))
> + return;
> +
> + audit_log_format(ab, " dev=%d:%d sector %llu res=%d",
> + dev_major, dev_minor, sector, result);
I think you forgot the "=" after "sector", e.g. "sector=%llu".
> + audit_log_end(ab);
> +}
> +EXPORT_SYMBOL_GPL(dm_audit_log_bio);
--
paul moore
www.paul-moore.com
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2021-09-03 17:34 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-31 19:18 [dm-devel] [PATCH v3 0/3] dm: audit event logging Michael Weiß
2021-08-31 19:18 ` [dm-devel] [PATCH v3 1/3] dm: introduce audit event module for device mapper Michael Weiß
2021-09-03 17:27 ` Paul Moore [this message]
2021-09-04 9:24 ` Weiß, Michael
2021-08-31 19:18 ` [dm-devel] [PATCH v3 2/3] dm integrity: log audit events for dm-integrity target Michael Weiß
2021-08-31 19:18 ` [dm-devel] [PATCH v3 3/3] dm crypt: log aead integrity violations to audit subsystem Michael Weiß
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHC9VhSa6mMAPocicaMNsWJr6eMsM7G6Ap6Ywoy8m89cCf=txg@mail.gmail.com' \
--to=paul@paul-moore.com \
--cc=agk@redhat.com \
--cc=casey@schaufler-ca.com \
--cc=dm-devel@redhat.com \
--cc=eparis@redhat.com \
--cc=linux-audit@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-raid@vger.kernel.org \
--cc=michael.weiss@aisec.fraunhofer.de \
--cc=snitzer@redhat.com \
--cc=song@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).