* [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS [not found] <407c1b04-f6ca-327d-0227-77f97c3f6f2c.ref@schaufler-ca.com> @ 2021-08-04 23:32 ` Casey Schaufler 2021-08-09 14:02 ` Steve Grubb 0 siblings, 1 reply; 3+ messages in thread From: Casey Schaufler @ 2021-08-04 23:32 UTC (permalink / raw) To: Steve Grubb, linux-audit This patch supplies userspace support for the MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux security module (LSM) stacking effort. I have posted as an RFC because, well, I'd like comments. The additional context values are added to the existing lists. The existing search methods work on these lists, so that's about all it takes.
---
lib/libaudit.h | 8 ++++ lib/msg_typetab.h | 2 + src/ausearch-parse.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 insertions(+)
diff --git a/lib/libaudit.h b/lib/libaudit.h
index ed75892..9bc3aa9 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -311,6 +311,14 @@ extern "C" {
 #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
 #endif
+#ifndef AUDIT_MAC_TASK_CONTEXTS
+#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */
+#endif
+
+#ifndef AUDIT_MAC_OBJ_CONTEXTS
+#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */
+#endif
+
 #ifndef AUDIT_ANOM_LINK
 #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */
 #endif
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index dba2f7b..e6df28b 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" )
 _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" )
 _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD" )
 _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL" )
+_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" )
+_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" )
 _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" )
 _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" )
 _S(AUDIT_ANOM_LINK, "ANOM_LINK" )
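Review bot: Both new comments in the libaudit.h hunk misspell "Multiple" as "Multilple"; the lines should read `#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple task contexts */` and `#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple object contexts */`. Because the `#ifndef` fallbacks are only used when the installed kernel header lacks these names, the values 1420 and 1421 have to match whatever the kernel side finally assigns, otherwise the msg_typetab.h entries added in the next hunk would label records with the wrong type name. The description says the record types are still proposed, so a short comment next to the defines noting that they track the pending kernel assignment would help the next reader.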
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 9ee4a4f..286829e 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, search_items *s);
 static int parse_tty(const lnode *n, search_items *s);
 static int parse_pkt(const lnode *n, search_items *s);
 static int parse_kernel(lnode *n, search_items *s);
+static int parse_task_contexts(lnode *n, search_items *s);
+static int parse_obj_contexts(lnode *n, search_items *s);
 static int audit_avc_init(search_items *s)
@@ -184,6 +186,12 @@ int extract_search_items(llist *l)
 case AUDIT_TTY:
 ret = parse_tty(n, s);
 break;
+ case AUDIT_MAC_TASK_CONTEXTS:
+ ret = parse_task_contexts(n, s);
+ break;
+ case AUDIT_MAC_OBJ_CONTEXTS:
+ ret = parse_obj_contexts(n, s);
+ break;
 default:
 if (event_debug)
 fprintf(stderr,
@@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
 return 0;
 }
+static int parse_task_context(lnode *n, search_items *s, char *c, int l)
+{
+ char *str, *term;
+ anode an;
+
+ str = strstr(n->message, c);
+ if (str == NULL)
+ return 64;
+
+ str += l;
+ term = strchr(str, '"');
+ if (term == NULL)
+ return 62;
+ *term = 0;
+ if (audit_avc_init(s) != 0)
+ return 63;
+
+ anode_init(&an);
+ an.scontext = strdup(str);
+ alist_append(s->avc, &an);
+ *term = '"';
+
+ return 0;
+}
+
+// parse multiple security module contexts
+// subj_<lsm>...
+static int parse_task_contexts(lnode *n, search_items *s)
+{
+ int rc, final = 64;
+
+ if (!event_subject)
+ return 0;
+
+ rc = parse_task_context(n, s, "subj_selinux=\"", 14);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ rc = parse_task_context(n, s, "subj_smack=\"", 12);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
+ if (rc == 62 || rc == 63)
+ return rc;
+ if (rc == 0)
+ final = 0;
+
+ return final;
+}
+
+static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
+{
+ char *str, *term;
+ anode an;
+
+ str = strstr(n->message, c);
+ if (str != NULL) {
+ str += l;
+ term = strchr(str, '"');
+ if (term)
+ *term = 0;
+ if (audit_avc_init(s) != 0)
+ return 2;
+ anode_init(&an);
+ an.tcontext = strdup(str);
+ alist_append(s->avc, &an);
+ if (term)
+ *term = '"';
+ }
+
+ return 0;
+}
+
+// parse multiple object security module contexts
+// obj_<lsm>...
+static int parse_obj_contexts(lnode *n, search_items *s)
+{
+ // obj context
+ if (!event_object)
+ return 0;
+
+ if (parse_obj_context(n, s, "obj_selinux=\"", 12))
+ return 2;
+ if (parse_obj_context(n, s, "obj_smack=\"", 10))
+ return 2;
+
+ return 0;
+}
-- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply related [flat|nested] 3+ messages in thread
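Review bot: The key lengths passed from parse_obj_contexts are one short: "obj_selinux=\"" is 13 characters and "obj_smack=\"" is 11, but the calls pass 12 and 10, so `str += l` leaves str on the quote itself, strchr() returns it at offset 0, and every object context is appended as an empty tcontext. The minimal fix is `if (parse_obj_context(n, s, "obj_selinux=\"", 13))` and `if (parse_obj_context(n, s, "obj_smack=\"", 11))`; a sturdier form drops the `int l` parameter from both helpers and uses `str += strlen(c);`, so the subj_ call sites stop depending on hand-counted lengths as well. Separately, parse_task_context returns 63 after `*term = 0` without restoring the quote when audit_avc_init() fails, and parse_obj_context's `return 2` has the same gap, so n->message stays truncated for anything that reads it afterwards; calling audit_avc_init() before the write, or restoring `*term = '"'` on the error path, closes that. The two helpers also treat an unterminated value differently (task returns 62, obj copies to the end of the message), and `c` is never written, so `const char *c` would be the more accurate signature.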
* Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS 2021-08-04 23:32 ` [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS Casey Schaufler @ 2021-08-09 14:02 ` Steve Grubb 2021-08-09 17:04 ` Casey Schaufler 0 siblings, 1 reply; 3+ messages in thread From: Steve Grubb @ 2021-08-09 14:02 UTC (permalink / raw) To: linux-audit, Casey Schaufler On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote: > This patch supplies userspace support for the MAC_TASK_CONTEXTS > and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux > security module (LSM) stacking effort. > > I have posted as an RFC because, well, I'd like comments. In general, this looks good. Typically, the return codes of functions in the parser are unique for debugging (passing --debug to ausearch) per record type. IOW, you can start at 1 instead of 62 since the output identifies the record type and return code. There is the general issue of what ausearch --format csv & --format text outputs, though. -Steve > The additional context values are added to the existing lists. > The existing search methods work on these lists, so that's about > all it takes. > > --- > lib/libaudit.h | 8 ++++ > lib/msg_typetab.h | 2 + > src/ausearch-parse.c | 101 > +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 > insertions(+) > > diff --git a/lib/libaudit.h b/lib/libaudit.h > index ed75892..9bc3aa9 100644 > --- a/lib/libaudit.h > +++ b/lib/libaudit.h > @@ -311,6 +311,14 @@ extern "C" { > #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ > #endif > > +#ifndef AUDIT_MAC_TASK_CONTEXTS > +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */ > +#endif > + > +#ifndef AUDIT_MAC_OBJ_CONTEXTS > +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */ > +#endif > + > #ifndef AUDIT_ANOM_LINK > #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ > #endif 
> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h > index dba2f7b..e6df28b 100644 > --- a/lib/msg_typetab.h > +++ b/lib/msg_typetab.h > @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" > ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" > ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD" > ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL" > ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" ) > +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" ) > _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" ) > _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" ) > _S(AUDIT_ANOM_LINK, "ANOM_LINK" ) > diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c > index 9ee4a4f..286829e 100644 > --- a/src/ausearch-parse.c > +++ b/src/ausearch-parse.c > @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, > search_items *s); static int parse_tty(const lnode *n, search_items *s); > static int parse_pkt(const lnode *n, search_items *s); > static int parse_kernel(lnode *n, search_items *s); > +static int parse_task_contexts(lnode *n, search_items *s); > +static int parse_obj_contexts(lnode *n, search_items *s); > > > static int audit_avc_init(search_items *s) > @@ -184,6 +186,12 @@ int extract_search_items(llist *l) > case AUDIT_TTY: > ret = parse_tty(n, s); > break; > + case AUDIT_MAC_TASK_CONTEXTS: > + ret = parse_task_contexts(n, s); > + break; > + case AUDIT_MAC_OBJ_CONTEXTS: > + ret = parse_obj_contexts(n, s); > + break; > default: > if (event_debug) > fprintf(stderr, 
> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s) > return 0; > } > > +static int parse_task_context(lnode *n, search_items *s, char *c, int l) > +{ > + char *str, *term; > + anode an; > + > + str = strstr(n->message, c); > + if (str == NULL) > + return 64; > + > + str += l; > + term = strchr(str, '"'); > + if (term == NULL) > + return 62; > + *term = 0; > + if (audit_avc_init(s) != 0) > + return 63; > + > + anode_init(&an); > + an.scontext = strdup(str); > + alist_append(s->avc, &an); > + *term = '"'; > + > + return 0; > +} > + > +// parse multiple security module contexts > +// subj_<lsm>... > +static int parse_task_contexts(lnode *n, search_items *s) > +{ > + int rc, final = 64; > + > + if (!event_subject) > + return 0; > + > + rc = parse_task_context(n, s, "subj_selinux=\"", 14); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + rc = parse_task_context(n, s, "subj_smack=\"", 12); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + rc = parse_task_context(n, s, "subj_apparmor=\"", 15); > + if (rc == 62 || rc == 63) > + return rc; > + if (rc == 0) > + final = 0; > + > + return final; > +} > + > +static int parse_obj_context(lnode *n, search_items *s, char *c, int l) > +{ > + char *str, *term; > + anode an; > + > + str = strstr(n->message, c); > + if (str != NULL) { > + str += l; > + term = strchr(str, '"'); > + if (term) > + *term = 0; > + if (audit_avc_init(s) != 0) > + return 2; > + anode_init(&an); > + an.tcontext = strdup(str); > + alist_append(s->avc, &an); > + if (term) > + *term = '"'; > + } > + > + return 0; > +} > + > +// parse multiple object security module contexts > +// obj_<lsm>... 
> +static int parse_obj_contexts(lnode *n, search_items *s) > +{ > + // obj context > + if (!event_object) > + return 0; > + > + if (parse_obj_context(n, s, "obj_selinux=\"", 12)) > + return 2; > + if (parse_obj_context(n, s, "obj_smack=\"", 10)) > + return 2; > + > + return 0; > +} -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS 2021-08-09 14:02 ` Steve Grubb @ 2021-08-09 17:04 ` Casey Schaufler 0 siblings, 0 replies; 3+ messages in thread From: Casey Schaufler @ 2021-08-09 17:04 UTC (permalink / raw) To: Steve Grubb, linux-audit On 8/9/2021 7:02 AM, Steve Grubb wrote: > On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote: >> This patch supplies userspace support for the MAC_TASK_CONTEXTS >> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux >> security module (LSM) stacking effort. >> >> I have posted as an RFC because, well, I'd like comments. > In general, this looks good. Typically, the return code of functions in the > parser are unique for debugging (passing --debug to ausearch) per record > type. IOW, you can start at 1 instead of 62 since the output identifes the > record type and return code. > > There is the general issue of what ausearch --format csv & --format text > outputs, though. I would really appreciate some guidance regarding what you'd like to see for those cases. I can take a wild guess and suggest something, but it would probably speed everything up if I don't go into the process blind. > > -Steve > >> The additional context values are added to the existing lists. >> The existing search methods work on these lists, so that's about >> all it takes. >> >> --- >> lib/libaudit.h | 8 ++++ >> lib/msg_typetab.h | 2 + >> src/ausearch-parse.c | 101 >> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 >> insertions(+) >> >> diff --git a/lib/libaudit.h b/lib/libaudit.h >> index ed75892..9bc3aa9 100644 >> --- a/lib/libaudit.h >> +++ b/lib/libaudit.h 
>> @@ -311,6 +311,14 @@ extern "C" { >> #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry > */ >> #endif >> >> +#ifndef AUDIT_MAC_TASK_CONTEXTS >> +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */ >> +#endif >> + >> +#ifndef AUDIT_MAC_OBJ_CONTEXTS >> +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */ >> +#endif >> + >> #ifndef AUDIT_ANOM_LINK >> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ >> #endif >> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h >> index dba2f7b..e6df28b 100644 >> --- a/lib/msg_typetab.h >> +++ b/lib/msg_typetab.h >> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" >> ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" >> ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD" >> ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL" >> ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" ) >> +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" ) >> _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" ) >> _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" ) >> _S(AUDIT_ANOM_LINK, "ANOM_LINK" ) >> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c >> index 9ee4a4f..286829e 100644 >> --- a/src/ausearch-parse.c >> +++ b/src/ausearch-parse.c >> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, >> search_items *s); static int parse_tty(const lnode *n, search_items *s); >> static int parse_pkt(const lnode *n, search_items *s); >> static int parse_kernel(lnode *n, search_items *s); >> +static int parse_task_contexts(lnode *n, search_items *s); >> +static int parse_obj_contexts(lnode *n, search_items *s); >> >> >> static int audit_avc_init(search_items *s) >> @@ -184,6 +186,12 @@ int extract_search_items(llist *l) >> case AUDIT_TTY: >> ret = parse_tty(n, s); >> break; >> + case AUDIT_MAC_TASK_CONTEXTS: >> + ret = parse_task_contexts(n, s); >> + break; >> + case AUDIT_MAC_OBJ_CONTEXTS: >> + ret = parse_obj_contexts(n, s); >> + break; >> default: >> if (event_debug) >> fprintf(stderr, 
>> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s) >> return 0; >> } >> >> +static int parse_task_context(lnode *n, search_items *s, char *c, int l) >> +{ >> + char *str, *term; >> + anode an; >> + >> + str = strstr(n->message, c); >> + if (str == NULL) >> + return 64; >> + >> + str += l; >> + term = strchr(str, '"'); >> + if (term == NULL) >> + return 62; >> + *term = 0; >> + if (audit_avc_init(s) != 0) >> + return 63; >> + >> + anode_init(&an); >> + an.scontext = strdup(str); >> + alist_append(s->avc, &an); >> + *term = '"'; >> + >> + return 0; >> +} >> + >> +// parse multiple security module contexts >> +// subj_<lsm>... >> +static int parse_task_contexts(lnode *n, search_items *s) >> +{ >> + int rc, final = 64; >> + >> + if (!event_subject) >> + return 0; >> + >> + rc = parse_task_context(n, s, "subj_selinux=\"", 14); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + rc = parse_task_context(n, s, "subj_smack=\"", 12); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + rc = parse_task_context(n, s, "subj_apparmor=\"", 15); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + return final; >> +} >> + >> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l) >> +{ >> + char *str, *term; >> + anode an; >> + >> + str = strstr(n->message, c); >> + if (str != NULL) { >> + str += l; >> + term = strchr(str, '"'); >> + if (term) >> + *term = 0; >> + if (audit_avc_init(s) != 0) >> + return 2; >> + anode_init(&an); >> + an.tcontext = strdup(str); >> + alist_append(s->avc, &an); >> + if (term) >> + *term = '"'; >> + } >> + >> + return 0; >> +} >> + >> +// parse multiple object security module contexts >> +// obj_<lsm>... 
>> +static int parse_obj_contexts(lnode *n, search_items *s) >> +{ >> + // obj context >> + if (!event_object) >> + return 0; >> + >> + if (parse_obj_context(n, s, "obj_selinux=\"", 12)) >> + return 2; >> + if (parse_obj_context(n, s, "obj_smack=\"", 10)) >> + return 2; >> + >> + return 0; >> +} > > > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 3+ messages in thread