From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI, SIGNED_OFF_BY,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C3165C433DF for ; Thu, 14 May 2020 22:35:04 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 5E3C7206D8 for ; Thu, 14 May 2020 22:35:04 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="GqZ6zoy9" DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 5E3C7206D8 Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=schaufler-ca.com Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=linux-audit-bounces@redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1589495703; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=df5FNbqSg4Bp/ZS9nhkzS38//EUZcnY6K65+hX9rpoM=; b=GqZ6zoy9+OKEBSavD52JaEtZqd+hMR6riVGWmt9UvT7YlbD4V7F5vQSd8puI1/0/mDAGeO N0f8armI1eN5nI2zuE/L7Pkes5fOXHT64JT6gMbd6+hMOBGD5/7kNd+cO1cLS0eKJR5HTv 1LoIudDoydj8ROD1t7l/NWbRSDXQtDU= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-243-LyNxsjgFN4mphbtD2TOTrw-1; Thu, 14 May 2020 18:35:01 -0400 X-MC-Unique: LyNxsjgFN4mphbtD2TOTrw-1 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3128E107ACCD; Thu, 14 May 2020 22:34:58 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 090912B6D6; Thu, 14 May 2020 22:34:58 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id CFEDC1809543; Thu, 14 May 2020 22:34:57 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.rdu2.redhat.com [10.11.54.6]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 04EMYuHQ020972 for ; Thu, 14 May 2020 18:34:56 -0400 Received: by smtp.corp.redhat.com (Postfix) id 345092156A4A; Thu, 14 May 2020 22:34:56 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 305382156A49 for ; Thu, 14 May 2020 22:34:54 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [205.139.110.61]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 2F05A811E7A for ; Thu, 14 May 2020 22:34:54 +0000 (UTC) Received: from sonic307-16.consmr.mail.ne1.yahoo.com (sonic307-16.consmr.mail.ne1.yahoo.com [66.163.190.39]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-62-u6TgHiKBME-KI9o9UyIFNA-1; Thu, 14 May 2020 18:34:52 -0400 X-MC-Unique: u6TgHiKBME-KI9o9UyIFNA-1 X-YMail-OSG: Wm6t5MAVM1lkbDvQZSqQwTPeP1Le5UjoEcXndk5eyWkQ0w1aGRTSP479U5VXGUK AvtYOaNB6e_T6.wxdLCkUFDB968m6nzBO46_pY6yQTG3Bc45J9ukS_YIq7682oxfKfxK7v0qK8If _05Le_FxlCwbsrMQvUcJr7zH7S_aq_OzecjkbAbfbWLo_T8jSKL1NNwVSsrePzQXlEqOpaS9VBN5 MUmU8jUaK4x5kvXZjo9UobaGVjn5qm2xBpMV5DSgFFDuhUXC6ZBB39F2Az.mBiCbQC6auU2xVqNz oEIwdMOBahbwD_w8Y8JeSb7HWhDJnarhQ3fvWsELW7Ra76wuWZ5ztKMFoaHLqqFe0kpEmZAG1745 fOvyU_YspuKw2ebMprILhbgI4QW4x1i.6mCt7YfQAUvanajxrqYHu4QdXNfOIecEUVKSxgarAtUw DDClMabtD_nJL6S0vwygWsxW5cKJMhclT.HCu05MvP195ZHNX.2Ktrymzhmyr1jGkmbl8no0NvHJ f9e4TB1RtUCJedU3LAqimRLxLtVO7u.MH4c5vdNjzFB6bWoww8JwCMckbJCaBApWs29hghcmjsM9 cnT090hQK_cOL3OQsyU0Ir8DsaEKoacE0XNQXUdUTZouawMPrl9If7LmjIzdiS9VZHZ1nQgmDaWe XLup2LjG.CmtCsfzM75FDpLqB9gVTr2Z5xu_VoPycaYNbgovU7zsbw.YE6qfn_RlwHTAYw9NyU07 hV6mpLPlIwyi3Lw_ggMozVz2glAO1kWTY5G4qDCxpFFiaXVQQ9ngqzBYm3JSnSGe..bXwlZHcrNo Ia5ED.iS8k2HrlhHNGsLspXC.qxNPCo6vvTRK42349sZ1yMqe_BRULMahbqgqxgxvnzDvLGhw_4u AXyKxZpIaUSYu.Ox4.viPZCwEfpALlKrTf0rmSoKpbZH55b3t5k2yWLUxxC9aub4enbN.3Mghmxw uWDfM6FEgmu2hy4DblYQIZJVXKxo6W.Hx1ti5FBD4FKwQeMCGx9y9SKMroCA.QK0KrCv4sjOQCk_ ZfqY5DgdiROI3T0YdDLDZcehKtOEYyTtACwbsCOknv.UyODfArSIygzcDY6mCaH6Fy02zXu3Nj5v ihIII37D9rBhbdW__oPBL15zEKtloA6Gkb1DhTZp5FPScP2IrkhuNF0AcUEmDmjirvCmliD.vsbs cFdbLjWEUuBzy3jZOQ00T2TrEFsckka50.Rb7VpcnnHmuKW2zDoQ05VyW9Bbi7qCEeB9mty9its6 aBA3Uix3.6ry6dq6CYy2zIlO40UuCzPYjJ0k2hfPzGDOJSM.LruRmZqDN2MbcF.OUtgxKjjf93xh N0PA9pQQudi0GlG9HdMqR37e2DPDeMUkoDXY3B7GItqNLjy36Zxmo9dJ7ySls7a79.vuNT3KsAHC OfpGWYlnp7x_tjv4Mmw4kFe9DZAHYS4SWNp24GwXuO1p1.KQwc9gur1eZmDc- Received: from sonic.gate.mail.ne1.yahoo.com by sonic307.consmr.mail.ne1.yahoo.com with HTTP; Thu, 14 May 2020 22:34:51 +0000 Received: by smtp409.mail.bf1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID 537fb358348115366aa1943b4c9dbdfe; Thu, 14 May 2020 22:34:49 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Subject: [PATCH v17 21/23] Audit: Add a new record for multiple object LSM attributes Date: Thu, 14 May 2020 15:11:40 -0700 Message-Id: <20200514221142.11857-22-casey@schaufler-ca.com> In-Reply-To: <20200514221142.11857-1-casey@schaufler-ca.com> References: <20200514221142.11857-1-casey@schaufler-ca.com> MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.78 on 10.11.54.6 X-loop: linux-audit@redhat.com Cc: john.johansen@canonical.com, linux-audit@redhat.com, sds@tycho.nsa.gov X-BeenThere: linux-audit@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: Linux Audit Discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Create a new audit record type to contain the object information when there are multiple security modules that require such data. This record is emitted before the other records for the event, but is linked with the same timestamp and serial number. Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler --- include/linux/audit.h | 2 ++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 53 +++++++++++++++++++++++++++++ kernel/audit.h | 4 +-- kernel/auditsc.c | 70 +++++--------------------------------- 5 files changed, 67 insertions(+), 63 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 8e1c759fd1ff..4c7c0ee867a1 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -163,6 +163,8 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); +extern int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern void audit_log_task_info(struct audit_buffer *ab); extern int audit_update_lsm_rules(void); diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 2e6dbf907ee3..2269100ba0ca 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -139,6 +139,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 5e8c3559dbef..d5ab3d69f8d6 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2117,6 +2117,59 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + int i; + int error; + bool sep = false; + struct lsmcontext lsmdata; + struct audit_buffer *lsmab = NULL; + struct audit_context *context = NULL; + + /* + * If there is more than one security module that has a + * object "context" it's necessary to put the object data + * into a separate record to maintain compatibility. + */ + if (security_lsm_slot_name(1) != NULL) { + audit_log_format(ab, " obj=?"); + context = ab->ctx; + if (context) + lsmab = audit_log_start(context, GFP_KERNEL, + AUDIT_MAC_OBJ_CONTEXTS); + } + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob->secid[i] == 0) + continue; + error = security_secid_to_secctx(blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_object_context"); + return error; + } + + if (context) { + audit_log_format(lsmab, "%sobj_%s=%s", + sep ? " " : "", + security_lsm_slot_name(i), + lsmdata.context); + sep = true; + } else + audit_log_format(ab, " obj=%s", lsmdata.context); + + security_release_secctx(&lsmdata); + if (!context) + break; + } + + if (context) + audit_log_end(lsmab); + + return 0; +} +EXPORT_SYMBOL(audit_log_object_context); + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/audit.h b/kernel/audit.h index 74be988cda01..b8e1b50e6447 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -152,7 +152,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 661527d14166..fbea59e3bb47 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -659,14 +659,6 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_isset) { /* Find files that match */ if (name) { - /* - * lsmblob_init sets all values in the - * lsmblob to sid. This is temporary - * until name->osid is converted to a - * lsmblob, which happens later in - * this patch set. - */ - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( &blob, f->type, @@ -674,7 +666,6 @@ static int audit_filter_rules(struct task_struct *tsk, f->lsm_rules); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, name->osid); if (security_audit_rule_match( &blob, f->type, @@ -688,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rules)) ++result; @@ -969,7 +959,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -979,15 +968,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1214,26 +1195,14 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = &context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1373,20 +1342,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { @@ -1932,17 +1889,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; @@ -2288,16 +2241,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* context->ipc.osid will be changed to a lsmblob later in - * the patch series. This will allow auditing of all the object - * labels associated with the ipc object. */ - context->ipc.osid = lsmblob_value(&blob); + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; } -- 2.24.1 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit