Subject: Re: [PATCH RFC] audit-userspace: support for MAC_TASK_CONTEXTS and MAC_OBJ_CONTEXTS
To: Steve Grubb, linux-audit@redhat.com
From: Casey Schaufler
Date: Mon, 9 Aug 2021 10:04:17 -0700

On 8/9/2021 7:02 AM, Steve Grubb wrote:
> On Wednesday, August 4, 2021 7:32:37 PM EDT Casey Schaufler wrote:
>> This patch supplies userspace support for the MAC_TASK_CONTEXTS
>> and MAC_OBJ_CONTEXTS audit records proposed as part of the Linux
>> security module (LSM) stacking effort.
>>
>> I have posted as an RFC because, well, I'd like comments.
> In general, this looks good. Typically, the return code of functions in the
> parser are unique for debugging (passing --debug to ausearch) per record
> type. IOW, you can start at 1 instead of 62 since the output identifies the
> record type and return code.
> > There is the general issue of what ausearch --format csv & --format text > outputs, though. I would really appreciate some guidance regarding what you'd like to see for those cases. I can take a wild guess and suggest something, but it would probably speed everything up if I don't go into the process blind. > > -Steve > >> The additional context values are added to the existing lists. >> The existing search methods work on these lists, so that's about >> all it takes. >> >> --- >> lib/libaudit.h | 8 ++++ >> lib/msg_typetab.h | 2 + >> src/ausearch-parse.c | 101 >> +++++++++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 111 >> insertions(+) >> >> diff --git a/lib/libaudit.h b/lib/libaudit.h >> index ed75892..9bc3aa9 100644 >> --- a/lib/libaudit.h >> +++ b/lib/libaudit.h >> @@ -311,6 +311,14 @@ extern "C" { >> #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry > */ >> #endif >> >> +#ifndef AUDIT_MAC_TASK_CONTEXTS >> +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */ >> +#endif >> + >> +#ifndef AUDIT_MAC_OBJ_CONTEXTS >> +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multilple object contexts */ >> +#endif >> + >> #ifndef AUDIT_ANOM_LINK >> #define AUDIT_ANOM_LINK 1702 /* Suspicious use of file links */ >> #endif >> diff --git a/lib/msg_typetab.h b/lib/msg_typetab.h >> index dba2f7b..e6df28b 100644 >> --- a/lib/msg_typetab.h >> +++ b/lib/msg_typetab.h >> @@ -147,6 +147,8 @@ _S(AUDIT_MAC_UNLBL_STCADD, "MAC_UNLBL_STCADD" >> ) _S(AUDIT_MAC_UNLBL_STCDEL, "MAC_UNLBL_STCDEL" >> ) _S(AUDIT_MAC_CALIPSO_ADD, "MAC_CALIPSO_ADD" >> ) _S(AUDIT_MAC_CALIPSO_DEL, "MAC_CALIPSO_DEL" >> ) +_S(AUDIT_MAC_TASK_CONTEXTS, "MAC_TASK_CONTEXTS" ) >> +_S(AUDIT_MAC_OBJ_CONTEXTS, "MAC_OBJ_CONTEXTS" ) >> _S(AUDIT_ANOM_PROMISCUOUS, "ANOM_PROMISCUOUS" ) >> _S(AUDIT_ANOM_ABEND, "ANOM_ABEND" ) >> _S(AUDIT_ANOM_LINK, "ANOM_LINK" ) >> diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c >> index 9ee4a4f..286829e 100644 >> --- a/src/ausearch-parse.c 
>> +++ b/src/ausearch-parse.c >> @@ -63,6 +63,8 @@ static int parse_simple_message(const lnode *n, >> search_items *s); static int parse_tty(const lnode *n, search_items *s); >> static int parse_pkt(const lnode *n, search_items *s); >> static int parse_kernel(lnode *n, search_items *s); >> +static int parse_task_contexts(lnode *n, search_items *s); >> +static int parse_obj_contexts(lnode *n, search_items *s); >> >> >> static int audit_avc_init(search_items *s) >> @@ -184,6 +186,12 @@ int extract_search_items(llist *l) >> case AUDIT_TTY: >> ret = parse_tty(n, s); >> break; >> + case AUDIT_MAC_TASK_CONTEXTS: >> + ret = parse_task_contexts(n, s); >> + break; >> + case AUDIT_MAC_OBJ_CONTEXTS: >> + ret = parse_obj_contexts(n, s); >> + break; >> default: >> if (event_debug) >> fprintf(stderr, 
>> @@ -2768,3 +2776,96 @@ static int parse_kernel(lnode *n, search_items *s) >> return 0; >> } >> >> +static int parse_task_context(lnode *n, search_items *s, char *c, int l) >> +{ >> + char *str, *term; >> + anode an; >> + >> + str = strstr(n->message, c); >> + if (str == NULL) >> + return 64; >> + >> + str += l; >> + term = strchr(str, '"'); >> + if (term == NULL) >> + return 62; >> + *term = 0; >> + if (audit_avc_init(s) != 0) >> + return 63; >> + >> + anode_init(&an); >> + an.scontext = strdup(str); >> + alist_append(s->avc, &an); >> + *term = '"'; >> + >> + return 0; >> +} >> + >> +// parse multiple security module contexts >> +// subj_... >> +static int parse_task_contexts(lnode *n, search_items *s) >> +{ >> + int rc, final = 64; >> + >> + if (!event_subject) >> + return 0; >> + >> + rc = parse_task_context(n, s, "subj_selinux=\"", 14); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + rc = parse_task_context(n, s, "subj_smack=\"", 12); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + rc = parse_task_context(n, s, "subj_apparmor=\"", 15); >> + if (rc == 62 || rc == 63) >> + return rc; >> + if (rc == 0) >> + final = 0; >> + >> + return final; >> +} >> + >> +static int parse_obj_context(lnode *n, search_items *s, char *c, int l) >> +{ >> + char *str, *term; >> + anode an; >> + >> + str = strstr(n->message, c); >> + if (str != NULL) { >> + str += l; >> + term = strchr(str, '"'); >> + if (term) >> + *term = 0; >> + if (audit_avc_init(s) != 0) >> + return 2; >> + anode_init(&an); >> + an.tcontext = strdup(str); >> + alist_append(s->avc, &an); >> + if (term) >> + *term = '"'; >> + } >> + >> + return 0; >> +} >> + >> +// parse multiple object security module contexts >> +// obj_... 
>> +static int parse_obj_contexts(lnode *n, search_items *s) >> +{ >> + // obj context >> + if (!event_object) >> + return 0; >> + >> + if (parse_obj_context(n, s, "obj_selinux=\"", 12)) >> + return 2; >> + if (parse_obj_context(n, s, "obj_smack=\"", 10)) >> + return 2; >> + >> + return 0; >> +} > > > -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
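Review bot: the comments on the two new defines in lib/libaudit.h misspell "Multiple" as "Multilple" (`#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multilple task contexts */` and the matching AUDIT_MAC_OBJ_CONTEXTS line); fix the spelling in both. The #ifndef guards are the right way to coexist with a kernel header that already defines these, but since 1420/1421 come from an RFC kernel series, the values need to be re-checked against whatever the kernel finally assigns before this is merged.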
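Review bot: in the @@ -2768,3 +2776,96 @@ hunk the hard-coded prefix lengths passed to parse_obj_context are one short: "obj_selinux=\"" is 13 characters and "obj_smack=\"" is 11, but the calls pass 12 and 10, so `str += l` leaves str pointing at the opening quote, `strchr(str, '"')` terminates it immediately and the appended tcontext is always the empty string. The task-side lengths (14, 12, 15) are correct, which shows how easy this is to get wrong; drop the `l` parameter, use `strlen(c)` inside the helpers, and make `c` a `const char *`. Two smaller points in the same hunk: both helpers write a NUL over the closing quote and then return early (63 in parse_task_context, 2 in parse_obj_context) when audit_avc_init fails without restoring `*term = '"'`, leaving n->message truncated for anything parsed later; and the two helpers disagree on a missing closing quote (the task helper returns 62, the object helper accepts the rest of the line), which should be unified. Following Steve's comment, the 62/63/64 codes in the task path and the bare 2 in the object path can become a small per-record sequence starting at 1, and the strdup results should be NULL-checked before being appended.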