* [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
       [not found] <407c1b04-f6ca-327d-0227-77f97c3f6f2c.ref@schaufler-ca.com>
@ 2021-08-04 23:32 ` Casey Schaufler
From: Casey Schaufler @ 2021-08-04 23:32 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

This patch supplies userspace support for the MAC_TASK_CONTEXTS
and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
security module (LSM) stacking effort.

I have posted as an RFC because, well, I'd like comments.

The additional context values are added to the existing lists.
The existing search methods work on these lists, so that's about
all it takes.


---
 lib/libaudit.h       |   8 ++++
 lib/msg_typetab.h    |   2 +
 src/ausearch-parse.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 111 insertions(+)

diff --git a/lib/libaudit.h b/lib/libaudit.h
index ed75892..9bc3aa9 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -311,6 +311,14 @@ extern "C" {
 #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry */
 #endif
 
+#ifndef AUDIT_MAC_TASK_CONTEXTS
+#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
+#endif
+
+#ifndef AUDIT_MAC_OBJ_CONTEXTS
+#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
+#endif
+
 #ifndef AUDIT_ANOM_LINK
 #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
 #endif
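Review bot: The comments on both new definitions misspell "Multiple" as "Multilple"; suggest `#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multiple task contexts */` and `#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multiple object contexts */`. Since the description says these record types are still proposed, the fallback numbers guarded by `#ifndef` will have to be kept in step with whatever the kernel header finally assigns, otherwise builds against older headers will silently carry a stale value.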
diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
index dba2f7b..e6df28b 100644
--- a/lib/msg_typetab.h
+++ b/lib/msg_typetab.h
@@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"              )
 _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"              )
 _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"               )
 _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"               )
+_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
+_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
 _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
 _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
 _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index 9ee4a4f..286829e 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, search_items *s);
 static int parse_tty(const lnode *n, search_items *s);
 static int parse_pkt(const lnode *n, search_items *s);
 static int parse_kernel(lnode *n, search_items *s);
+static int parse_task_contexts(lnode *n, search_items *s);
+static int parse_obj_contexts(lnode *n, search_items *s);
 
 
 static int audit_avc_init(search_items *s)
@@ -184,6 +186,12 @@ int extract_search_items(llist *l)
 			case AUDIT_TTY:
 				ret = parse_tty(n, s);
 				break;
+			case AUDIT_MAC_TASK_CONTEXTS:
+				ret = parse_task_contexts(n, s);
+				break;
+			case AUDIT_MAC_OBJ_CONTEXTS:
+				ret = parse_obj_contexts(n, s);
+				break;
 			default:
 				if (event_debug)
 					fprintf(stderr,
@@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
 	return 0;
 }
 
+static int parse_task_context(lnode *n, search_items *s, char *c, int l)
+{
+	char *str, *term;
+	anode an;
+
+	str = strstr(n->message, c);
+	if (str == NULL)
+		return 64;
+
+	str += l;
+	term = strchr(str, '"');
+	if (term == NULL)
+		return 62;
+	*term = 0;
+	if (audit_avc_init(s) != 0)
+		return 63;
+
+	anode_init(&an);
+	an.scontext = strdup(str);
+	alist_append(s->avc, &an);
+	*term = '"';
+
+	return 0;
+}
+
+// parse multiple security module contexts
+// subj_<lsm>...
+static int parse_task_contexts(lnode *n, search_items *s)
+{
+	int rc, final = 64;
+
+	if (!event_subject)
+		return 0;
+
+	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	rc = parse_task_context(n, s, "subj_smack=\"", 12);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
+	if (rc == 62 || rc == 63)
+		return rc;
+	if (rc == 0)
+		final = 0;
+
+	return final;
+}
+
+static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
+{
+	char *str, *term;
+	anode an;
+
+	str = strstr(n->message, c);
+	if (str != NULL) {
+		str += l;
+		term = strchr(str, '"');
+		if (term)
+			*term = 0;
+		if (audit_avc_init(s) != 0)
+			return 2;
+		anode_init(&an);
+		an.tcontext = strdup(str);
+		alist_append(s->avc, &an);
+		if (term)
+			*term = '"';
+	}
+
+	return 0;
+}
+
+// parse multiple object security module contexts
+// obj_<lsm>...
+static int parse_obj_contexts(lnode *n, search_items *s)
+{
+	// obj context
+	if (!event_object)
+		return 0;
+
+	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
+		return 2;
+	if (parse_obj_context(n, s, "obj_smack=\"", 10))
+		return 2;
+
+	return 0;
+}
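Review bot: The prefix lengths passed for the object contexts are off by one: `obj_selinux="` is 13 characters and `obj_smack="` is 11, but parse_obj_contexts passes 12 and 10, so `str += l` lands on the opening quote, strchr() finds it immediately and an empty tcontext is appended for every record. The subj_ lengths (14, 12, 15) are correct, which makes the hand-counted integers easy to miss; the safer fix is to drop the length parameter and compute it in the helpers with `str += strlen(c);`, or at minimum change the two call sites to `parse_obj_context(n, s, "obj_selinux=\"", 13)` and `parse_obj_context(n, s, "obj_smack=\"", 11)`. Separately, parse_obj_context tolerates a missing closing quote by duplicating the rest of the message, while parse_task_context treats it as an error (return 62), so the two helpers disagree on how a malformed record is handled. The strdup() results in both helpers are also stored without a NULL check, leaving an anode with a NULL context on allocation failure.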





* Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
  2021-08-04 23:32 ` [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS Casey Schaufler
@ 2021-08-09 14:02   ` Steve Grubb
From: Steve Grubb @ 2021-08-09 14:02 UTC (permalink / raw)
  To: linux-audit, Casey Schaufler

On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
> This patch supplies userspace support for the MAC_TASK_CONTEXTS
> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
> security module (LSM) stacking effort.
> 
> I have posted as an RFC because, well, I'd like comments.

In general, this looks good. Typically, the return code of functions in the 
parser are unique for debugging (passing  --debug to ausearch) per record 
type. IOW, you can start at 1 instead of 62 since the output identifies the
record type and return code.

There is the general issue of what ausearch  --format csv & --format text 
outputs, though.

-Steve
 
> The additional context values are added to the existing lists.
> The existing search methods work on these lists, so that's about
> all it takes.
> 
> ---
>  lib/libaudit.h       |   8 ++++
>  lib/msg_typetab.h    |   2 +
>  src/ausearch-parse.c | 101
> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
> insertions(+)
> 
> diff --git a/lib/libaudit.h b/lib/libaudit.h
> index ed75892..9bc3aa9 100644
> --- a/lib/libaudit.h
> +++ b/lib/libaudit.h
> @@ -311,6 +311,14 @@ extern "C" {
>  #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry 
*/
>  #endif
> 
> +#ifndef AUDIT_MAC_TASK_CONTEXTS
> +#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
> +#endif
> +
> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
> +#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
> +#endif
> +
>  #ifndef AUDIT_ANOM_LINK
>  #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
>  #endif
> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
> index dba2f7b..e6df28b 100644
> --- a/lib/msg_typetab.h
> +++ b/lib/msg_typetab.h
> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"
>              ) _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"    
>          ) _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"         
>      ) _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"             
>  ) +_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
> +_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
> _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
> _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
> _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
> index 9ee4a4f..286829e 100644
> --- a/src/ausearch-parse.c
> +++ b/src/ausearch-parse.c
> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
> search_items *s); static int parse_tty(const lnode *n, search_items *s);
>  static int parse_pkt(const lnode *n, search_items *s);
>  static int parse_kernel(lnode *n, search_items *s);
> +static int parse_task_contexts(lnode *n, search_items *s);
> +static int parse_obj_contexts(lnode *n, search_items *s);
> 
> 
>  static int audit_avc_init(search_items *s)
> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
>  			case AUDIT_TTY:
>  				ret = parse_tty(n, s);
>  				break;
> +			case AUDIT_MAC_TASK_CONTEXTS:
> +				ret = parse_task_contexts(n, s);
> +				break;
> +			case AUDIT_MAC_OBJ_CONTEXTS:
> +				ret = parse_obj_contexts(n, s);
> +				break;
>  			default:
>  				if (event_debug)
>  					fprintf(stderr,
> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
>  	return 0;
>  }
> 
> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
> +{
> +	char *str, *term;
> +	anode an;
> +
> +	str = strstr(n->message, c);
> +	if (str == NULL)
> +		return 64;
> +
> +	str += l;
> +	term = strchr(str, '"');
> +	if (term == NULL)
> +		return 62;
> +	*term = 0;
> +	if (audit_avc_init(s) != 0)
> +		return 63;
> +
> +	anode_init(&an);
> +	an.scontext = strdup(str);
> +	alist_append(s->avc, &an);
> +	*term = '"';
> +
> +	return 0;
> +}
> +
> +// parse multiple security module contexts
> +// subj_<lsm>...
> +static int parse_task_contexts(lnode *n, search_items *s)
> +{
> +	int rc, final = 64;
> +
> +	if (!event_subject)
> +		return 0;
> +
> +	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	rc = parse_task_context(n, s, "subj_smack=\"", 12);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
> +	if (rc == 62 || rc == 63)
> +		return rc;
> +	if (rc == 0)
> +		final = 0;
> +
> +	return final;
> +}
> +
> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
> +{
> +	char *str, *term;
> +	anode an;
> +
> +	str = strstr(n->message, c);
> +	if (str != NULL) {
> +		str += l;
> +		term = strchr(str, '"');
> +		if (term)
> +			*term = 0;
> +		if (audit_avc_init(s) != 0)
> +			return 2;
> +		anode_init(&an);
> +		an.tcontext = strdup(str);
> +		alist_append(s->avc, &an);
> +		if (term)
> +			*term = '"';
> +	}
> +
> +	return 0;
> +}
> +
> +// parse multiple object security module contexts
> +// obj_<lsm>...
> +static int parse_obj_contexts(lnode *n, search_items *s)
> +{
> +	// obj context
> +	if (!event_object)
> +		return 0;
> +
> +	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
> +		return 2;
> +	if (parse_obj_context(n, s, "obj_smack=\"", 10))
> +		return 2;
> +
> +	return 0;
> +}







* Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
  2021-08-09 14:02   ` Steve Grubb
@ 2021-08-09 17:04     ` Casey Schaufler
From: Casey Schaufler @ 2021-08-09 17:04 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

On 8/9/2021 7:02 AM, Steve Grubb wrote:
> On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
>> This patch supplies userspace support for the MAC_TASK_CONTEXTS
>> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
>> security module (LSM) stacking effort.
>>
>> I have posted as an RFC because, well, I'd like comments.
> In general, this looks good. Typically, the return code of functions in the 
> parser are unique for debugging (passing  --debug to ausearch) per record 
> type. IOW, you can start at 1 instead of 62 since the output identifes the 
> record type and return code.
>
> There is the general issue of what ausearch  --format csv & --format text 
> outputs, though.

I would really appreciate some guidance regarding what you'd like
to see for those cases. I can take a wild guess and suggest something,
but it would probably speed everything up if I don't go into the
process blind.

>
> -Steve
>  
>> The additional context values are added to the existing lists.
>> The existing search methods work on these lists, so that's about
>> all it takes.
>>
>> ---
>>  lib/libaudit.h       |   8 ++++
>>  lib/msg_typetab.h    |   2 +
>>  src/ausearch-parse.c | 101
>> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111
>> insertions(+)
>>
>> diff --git a/lib/libaudit.h b/lib/libaudit.h
>> index ed75892..9bc3aa9 100644
>> --- a/lib/libaudit.h
>> +++ b/lib/libaudit.h
>> @@ -311,6 +311,14 @@ extern "C" {
>>  #define AUDIT_MAC_CALIPSO_DEL	1419 /* NetLabel: del CALIPSO DOI entry 
> */
>>  #endif
>>
>> +#ifndef AUDIT_MAC_TASK_CONTEXTS
>> +#define AUDIT_MAC_TASK_CONTEXTS	1420 /* Multilple task contexts */
>> +#endif
>> +
>> +#ifndef AUDIT_MAC_OBJ_CONTEXTS
>> +#define AUDIT_MAC_OBJ_CONTEXTS	1421 /* Multilple object contexts */
>> +#endif
>> +
>>  #ifndef AUDIT_ANOM_LINK
>>  #define AUDIT_ANOM_LINK		1702 /* Suspicious use of file links */
>>  #endif
>> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h
>> index dba2f7b..e6df28b 100644
>> --- a/lib/msg_typetab.h
>> +++ b/lib/msg_typetab.h
>> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD,           "MAC_UNLBL_STCADD"
>>              ) _S(AUDIT_MAC_UNLBL_STCDEL,           "MAC_UNLBL_STCDEL"    
>>          ) _S(AUDIT_MAC_CALIPSO_ADD,            "MAC_CALIPSO_ADD"         
>>      ) _S(AUDIT_MAC_CALIPSO_DEL,            "MAC_CALIPSO_DEL"             
>>  ) +_S(AUDIT_MAC_TASK_CONTEXTS,          "MAC_TASK_CONTEXTS"             )
>> +_S(AUDIT_MAC_OBJ_CONTEXTS,           "MAC_OBJ_CONTEXTS"              )
>> _S(AUDIT_ANOM_PROMISCUOUS,           "ANOM_PROMISCUOUS"              )
>> _S(AUDIT_ANOM_ABEND,                 "ANOM_ABEND"                    )
>> _S(AUDIT_ANOM_LINK,                  "ANOM_LINK"                     )
>> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
>> index 9ee4a4f..286829e 100644
>> --- a/src/ausearch-parse.c
>> +++ b/src/ausearch-parse.c
>> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n,
>> search_items *s); static int parse_tty(const lnode *n, search_items *s);
>>  static int parse_pkt(const lnode *n, search_items *s);
>>  static int parse_kernel(lnode *n, search_items *s);
>> +static int parse_task_contexts(lnode *n, search_items *s);
>> +static int parse_obj_contexts(lnode *n, search_items *s);
>>
>>
>>  static int audit_avc_init(search_items *s)
>> @@ -184,6 +186,12 @@ int extract_search_items(llist *l)
>>  			case AUDIT_TTY:
>>  				ret = parse_tty(n, s);
>>  				break;
>> +			case AUDIT_MAC_TASK_CONTEXTS:
>> +				ret = parse_task_contexts(n, s);
>> +				break;
>> +			case AUDIT_MAC_OBJ_CONTEXTS:
>> +				ret = parse_obj_contexts(n, s);
>> +				break;
>>  			default:
>>  				if (event_debug)
>>  					fprintf(stderr,
>> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s)
>>  	return 0;
>>  }
>>
>> +static int parse_task_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> +	char *str, *term;
>> +	anode an;
>> +
>> +	str = strstr(n->message, c);
>> +	if (str == NULL)
>> +		return 64;
>> +
>> +	str += l;
>> +	term = strchr(str, '"');
>> +	if (term == NULL)
>> +		return 62;
>> +	*term = 0;
>> +	if (audit_avc_init(s) != 0)
>> +		return 63;
>> +
>> +	anode_init(&an);
>> +	an.scontext = strdup(str);
>> +	alist_append(s->avc, &an);
>> +	*term = '"';
>> +
>> +	return 0;
>> +}
>> +
>> +// parse multiple security module contexts
>> +// subj_<lsm>...
>> +static int parse_task_contexts(lnode *n, search_items *s)
>> +{
>> +	int rc, final = 64;
>> +
>> +	if (!event_subject)
>> +		return 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_selinux=\"", 14);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_smack=\"", 12);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	rc = parse_task_context(n, s, "subj_apparmor=\"", 15);
>> +	if (rc == 62 || rc == 63)
>> +		return rc;
>> +	if (rc == 0)
>> +		final = 0;
>> +
>> +	return final;
>> +}
>> +
>> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l)
>> +{
>> +	char *str, *term;
>> +	anode an;
>> +
>> +	str = strstr(n->message, c);
>> +	if (str != NULL) {
>> +		str += l;
>> +		term = strchr(str, '"');
>> +		if (term)
>> +			*term = 0;
>> +		if (audit_avc_init(s) != 0)
>> +			return 2;
>> +		anode_init(&an);
>> +		an.tcontext = strdup(str);
>> +		alist_append(s->avc, &an);
>> +		if (term)
>> +			*term = '"';
>> +	}
>> +
>> +	return 0;
>> +}
>> +
>> +// parse multiple object security module contexts
>> +// obj_<lsm>...
>> +static int parse_obj_contexts(lnode *n, search_items *s)
>> +{
>> +	// obj context
>> +	if (!event_object)
>> +		return 0;
>> +
>> +	if (parse_obj_context(n, s, "obj_selinux=\"", 12))
>> +		return 2;
>> +	if (parse_obj_context(n, s, "obj_smack=\"", 10))
>> +		return 2;
>> +
>> +	return 0;
>> +}
>
>
>



