From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-9.7 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED,USER_AGENT_GIT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id E4E73C433E0 for ; Thu, 14 May 2020 22:33:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id B642D20709 for ; Thu, 14 May 2020 22:33:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=yahoo.com header.i=@yahoo.com header.b="GVVAcaSQ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728661AbgENWdu (ORCPT ); Thu, 14 May 2020 18:33:50 -0400 Received: from sonic316-27.consmr.mail.ne1.yahoo.com ([66.163.187.153]:38785 "EHLO sonic316-27.consmr.mail.ne1.yahoo.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728648AbgENWdt (ORCPT ); Thu, 14 May 2020 18:33:49 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s2048; t=1589495627; bh=ysej4qUwS+Wacx6GWHBwZnDPRY5Nmy3hrSGLjvDKtRs=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From:Subject; b=GVVAcaSQ+XcnhYqkchO1fwxaWPasRHq5DPrWkKzNSDv/Ffu/1VFLT/PpM+Vc2wH2VONTqOaA5U7vtMIFhRLUyyNt/47lJUY7ml1U5W0e6j05sxPCg3JIokX+BXfj1Ly7LDGje1+dAXOSF8ATkTYxUeQLMebdxLe2jkOJlT06P2nYbMNuGz3zftBBUByaOk62gVZZ/PkCmQiXP/zzgAtfR5JRT0ZHy1wvZK9gabpBSxWUkVcM++moJJUbJWoJC+GxMaRss5th3qtDvxkeWwKRMJxpjcvdlDm1fXU3i0e8NqUd4O4r/t1rSd0x+A2kD5ZubxG2HaB9xCI/avhO/Gd4QQ== X-YMail-OSG: MD83Rf8VM1mGRjc5wtkyALL.0U0dko5oNFemc1UVQ03H1zkWgJPhQdJCDMcg.yd laynSCbAOr7MhXGXwsJe5swtGS.ylxI1t198tSsYivpBXv9rlLMTrueyGGts9pa1R2272p9jMnse iIjw49GdSEQBNZiSFPJ8C4Nd6a3t1U57bsvhorFySz0c86cNmhB_BkFKSTn6kNzBx5_CyyGc781. TMUzUPw3zWIOzlwfTuciEAEnjK_E.8YUy9g2H8vYGI7MSToAprPEFKs1PFXpgpFEGXZ8u57CKNJf OpxIV0J3eTj1Ti4EASD2UikYQE4IOuNvFd_5dQIoTcw.gqhr8W6JClCs8KuD_6w8nV9X_ik_h.1Z QMco_NaJcowavAfecUCng9CmVr3blbsaNp.DaMQoy.Z1y4KvbF7m17xwv1up3lRIiksu8m8Ztbzb 527VTEokSilae82.qkYF9G10f8X8_9Qi9bblNv5htLE0rxz4K33IPy7yd2RN6gdc7Q5vypi9XucX fZgysLuFUOAxlmCAhPy6pC6eymcXGI.M__iIOhUP9AwNOiS._4a8dLMXY2vauFFSy_ynRADhwwxp YmLkWJYWdetQNunL6HRXWirTlMhRSIZO40LRpqjtTJNQDBuoV1.wyJI_unoXdagKpP7_UilLaYgZ I.zS8AH16E6BtufEbBnMiM9xe9OonWGrg7y87zoCx3L2vTyfv8NkSc7zexuR.afo.eHJmvnEGtsj Chc7g57JPduV1gpF2Obu06VX2ldOt2ZgZhEhlkzhn_2eFRgV4ylBV7TqAM7ycQjcD5cgvUvcY9W5 cI093HweP9pu4ywvE7YFPj3A5CKWVgqsGdguMhsHAvmdUllDgNKhr6Z5MSJ1d.kaLSaWaFftluse 1VxYV768gsf5010QyxU.28J_lWpZ2V1c9BK8B5vIZmwMoW7_JINDZC3S7MNb_zA9LLw6AtylIdj3 bRhrW0lSck1RP1dUxURIV5Y7oaw3MCOsVPTsb47i9Bbzv.iAKimn9Avg932k2K.fyO5d0JbSakxg jzwTcSL3RDNOrr8vSo6sMU.CXAcB3WXxvSiTx2SNtS07oJiEE4wYqHNhNgCD3.J0Z4a8ByjNPykH 6ycP_Ak7YA8qKagVYan24aWyNmKzFRBsxDg2DNjHKagsbKhWdO4vUh74lLSLm0N_lPT1Om5K7jMf OhUKbq8FjKIX.HDdp6hCwYfJYDQJzFLjPafkAqu9IF5NWvUd3XyCa6tjG6k8SrERYmJeiP.gj4fw yD.DRfRO6lHBMyc_t1H9JbH8hW5tkfniyzFJERfNbaFPrSmQ_U.uJAPYCxqfjM4z9k1OjSetiL_S tggg1wUsr1bdglcdHwXx2K._2eFTm6.ql9JKvkSHgEl4yz6rkL.4biK_wMGQVrWFrSaYl95VG5ad gimQUddCh5deCs8xy256VYszDO_0ZMWvWjA-- Received: from sonic.gate.mail.ne1.yahoo.com by sonic316.consmr.mail.ne1.yahoo.com with HTTP; Thu, 14 May 2020 22:33:47 +0000 Received: by smtp417.mail.gq1.yahoo.com (VZM Hermes SMTP Server) with ESMTPA ID d73ee9199d1f48f018a4330175c54e74; Thu, 14 May 2020 22:33:42 +0000 (UTC) From: Casey Schaufler To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com Subject: [PATCH v17 20/23] Audit: Add a new record for multiple subject LSM attributes Date: Thu, 14 May 2020 15:11:39 -0700 Message-Id: <20200514221142.11857-21-casey@schaufler-ca.com> X-Mailer: git-send-email 2.24.1 In-Reply-To: <20200514221142.11857-1-casey@schaufler-ca.com> References: <20200514221142.11857-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Sender: owner-linux-security-module@vger.kernel.org Precedence: bulk List-ID: Create a new audit record type to contain the subject information when there are multiple security modules that require such data. This record is emitted before the other records for the event, but is linked with the same timestamp and serial number. Reviewed-by: Kees Cook Signed-off-by: Casey Schaufler Cc: linux-audit@redhat.com --- drivers/android/binder.c | 2 +- include/linux/security.h | 9 +++- include/net/scm.h | 3 +- include/uapi/linux/audit.h | 1 + kernel/audit.c | 56 +++++++++++++++++++------ kernel/auditsc.c | 7 ++-- net/ipv4/ip_sockglue.c | 2 +- net/netfilter/nf_conntrack_netlink.c | 4 +- net/netfilter/nf_conntrack_standalone.c | 2 +- net/netfilter/nfnetlink_queue.c | 2 +- net/netlabel/netlabel_unlabeled.c | 11 +++-- net/netlabel/netlabel_user.c | 2 +- security/security.c | 51 ++++++++++++++++++++-- 13 files changed, 118 insertions(+), 34 deletions(-) diff --git a/drivers/android/binder.c b/drivers/android/binder.c index c76fc2abd091..e79c4948ab12 100644 --- a/drivers/android/binder.c +++ b/drivers/android/binder.c @@ -3109,7 +3109,7 @@ static void binder_transaction(struct binder_proc *proc, size_t added_size; security_task_getsecid(proc->tsk, &blob); - ret = security_secid_to_secctx(&blob, &lsmctx); + ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY); if (ret) { return_error = BR_FAILED_REPLY; return_error_param = ret; diff --git a/include/linux/security.h b/include/linux/security.h index 3f53098ee89f..292fb89fa4f6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -177,6 +177,8 @@ struct lsmblob { #define LSMBLOB_INVALID -1 /* Not a valid LSM slot number */ #define LSMBLOB_NEEDED -2 /* Slot requested on initialization */ #define LSMBLOB_NOT_NEEDED -3 /* Slot not requested */ +#define LSMBLOB_DISPLAY -4 /* Use the "display" slot */ +#define LSMBLOB_FIRST -5 /* Use the default "display" slot */ /** * lsmblob_init - initialize an lsmblob structure. @@ -239,6 +241,8 @@ static inline u32 lsmblob_value(const struct lsmblob *blob) return 0; } +const char *security_lsm_slot_name(int slot); + /* These functions are in security/commoncap.c */ extern int cap_capable(const struct cred *cred, struct user_namespace *ns, int cap, unsigned int opts); @@ -548,7 +552,8 @@ int security_setprocattr(const char *lsm, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp); +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int display); int security_secctx_to_secid(const char *secdata, u32 seclen, struct lsmblob *blob); void security_release_secctx(struct lsmcontext *cp); @@ -1353,7 +1358,7 @@ static inline int security_ismaclabel(const char *name) } static inline int security_secid_to_secctx(struct lsmblob *blob, - struct lsmcontext *cp) + struct lsmcontext *cp, int display) { return -EOPNOTSUPP; } diff --git a/include/net/scm.h b/include/net/scm.h index 4a6ad8caf423..8b5a4737e1b8 100644 --- a/include/net/scm.h +++ b/include/net/scm.h @@ -96,7 +96,8 @@ static inline void scm_passec(struct socket *sock, struct msghdr *msg, struct sc int err; if (test_bit(SOCK_PASSSEC, &sock->flags)) { - err = security_secid_to_secctx(&scm->lsmblob, &context); + err = security_secid_to_secctx(&scm->lsmblob, &context, + LSMBLOB_DISPLAY); if (!err) { put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index a534d71e689a..2e6dbf907ee3 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -138,6 +138,7 @@ #define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ +#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 7cd055b09cbe..5e8c3559dbef 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1422,7 +1422,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh) case AUDIT_SIGNAL_INFO: if (lsmblob_is_set(&audit_sig_lsm)) { err = security_secid_to_secctx(&audit_sig_lsm, - &context); + &context, LSMBLOB_FIRST); if (err) return err; } @@ -2062,28 +2062,58 @@ void audit_log_key(struct audit_buffer *ab, char *key) int audit_log_task_context(struct audit_buffer *ab) { + int i; int error; + bool sep = false; struct lsmblob blob; - struct lsmcontext context; + struct lsmcontext lsmdata; + struct audit_buffer *lsmab = NULL; + struct audit_context *context = NULL; security_task_getsecid(current, &blob); if (!lsmblob_is_set(&blob)) return 0; - error = security_secid_to_secctx(&blob, &context); - if (error) { - if (error != -EINVAL) - goto error_path; - return 0; + /* + * If there is more than one security module that has a + * subject "context" it's necessary to put the subject data + * into a separate record to maintain compatibility. + */ + if (security_lsm_slot_name(1) != NULL) { + audit_log_format(ab, " subj=?"); + context = ab->ctx; + if (context) + lsmab = audit_log_start(context, GFP_KERNEL, + AUDIT_MAC_TASK_CONTEXTS); } - audit_log_format(ab, " subj=%s", context.context); - security_release_secctx(&context); - return 0; + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (blob.secid[i] == 0) + continue; + error = security_secid_to_secctx(&blob, &lsmdata, i); + if (error && error != -EINVAL) { + audit_panic("error in audit_log_task_context"); + return error; + } + + if (context) { + audit_log_format(lsmab, "%ssubj_%s=%s", + sep ? " " : "", + security_lsm_slot_name(i), + lsmdata.context); + sep = true; + } else + audit_log_format(ab, " subj=%s", lsmdata.context); + + security_release_secctx(&lsmdata); + if (!context) + break; + } + + if (context) + audit_log_end(lsmab); -error_path: - audit_panic("error in audit_log_task_context"); - return error; + return 0; } EXPORT_SYMBOL(audit_log_task_context); diff --git a/kernel/auditsc.c b/kernel/auditsc.c index d858bb4757b8..661527d14166 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -980,7 +980,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx)) { + if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1225,7 +1225,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt)) { + if (security_secid_to_secctx(&blob, &lsmcxt, + LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", osid); *call_panic = 1; } else { @@ -1377,7 +1378,7 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, struct lsmcontext lsmctx; lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx)) { + if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { audit_log_format(ab, " osid=%u", n->osid); if (call_panic) *call_panic = 2; diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c index 27af7a6b8780..10b418029cdd 100644 --- a/net/ipv4/ip_sockglue.c +++ b/net/ipv4/ip_sockglue.c @@ -138,7 +138,7 @@ static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb) if (err) return; - err = security_secid_to_secctx(&lb, &context); + err = security_secid_to_secctx(&lb, &context, LSMBLOB_DISPLAY); if (err) return; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 5aaeeba01541..e3b2849b1c8b 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -337,7 +337,7 @@ static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) * security_secid_to_secctx() will know which security module * to use to create the secctx. */ lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; @@ -651,7 +651,7 @@ static inline int ctnetlink_secctx_size(const struct nf_conn *ct) struct lsmblob blob; struct lsmcontext context; - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return 0; diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index b58d340d30f4..f109652d1322 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c @@ -177,7 +177,7 @@ static void ct_show_secctx(struct seq_file *s, const struct nf_conn *ct) struct lsmcontext context; lsmblob_init(&blob, ct->secmark); - ret = security_secid_to_secctx(&blob, &context); + ret = security_secid_to_secctx(&blob, &context, LSMBLOB_DISPLAY); if (ret) return; diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c index a4d4602ab9b7..15cabd7be92a 100644 --- a/net/netfilter/nfnetlink_queue.c +++ b/net/netfilter/nfnetlink_queue.c @@ -316,7 +316,7 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext *context) * blob. security_secid_to_secctx() will know which security * module to use to create the secctx. */ lsmblob_init(&blob, skb->secmark); - security_secid_to_secctx(&blob, context); + security_secid_to_secctx(&blob, context, LSMBLOB_DISPLAY); } read_unlock_bh(&skb->sk->sk_callback_lock); diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c index c14a485ff045..d816909866cc 100644 --- a/net/netlabel/netlabel_unlabeled.c +++ b/net/netlabel/netlabel_unlabeled.c @@ -437,7 +437,8 @@ int netlbl_unlhsh_add(struct net *net, unlhsh_add_return: rcu_read_unlock(); if (audit_buf != NULL) { - if (security_secid_to_secctx(lsmblob, &context) == 0) { + if (security_secid_to_secctx(lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -492,7 +493,8 @@ static int netlbl_unlhsh_remove_addr4(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -552,7 +554,8 @@ static int netlbl_unlhsh_remove_addr6(struct net *net, if (dev != NULL) dev_put(dev); if (entry != NULL && - security_secid_to_secctx(&entry->lsmblob, &context) == 0) { + security_secid_to_secctx(&entry->lsmblob, &context, + LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " sec_obj=%s", context.context); security_release_secctx(&context); @@ -1122,7 +1125,7 @@ static int netlbl_unlabel_staticlist_gen(u32 cmd, lsmb = (struct lsmblob *)&addr6->lsmblob; } - ret_val = security_secid_to_secctx(lsmb, &context); + ret_val = security_secid_to_secctx(lsmb, &context, LSMBLOB_FIRST); if (ret_val != 0) goto list_cb_failure; ret_val = nla_put(cb_arg->skb, diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 951ba0639d20..1941877fd16f 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -100,7 +100,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, lsmblob_init(&blob, audit_info->secid); if (audit_info->secid != 0 && - security_secid_to_secctx(&blob, &context) == 0) { + security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST) == 0) { audit_log_format(audit_buf, " subj=%s", context.context); security_release_secctx(&context); } diff --git a/security/security.c b/security/security.c index 677a9f409dc2..ed20d4c6ed93 100644 --- a/security/security.c +++ b/security/security.c @@ -480,7 +480,31 @@ static int lsm_append(const char *new, char **result) * Pointers to the LSM id structures for local use. */ static int lsm_slot __lsm_ro_after_init; -static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES]; +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init; + +/** + * security_lsm_slot_name - Get the name of the security module in a slot + * @slot: index into the "display" slot list. + * + * Provide the name of the security module associated with + * a display slot. + * + * If @slot is LSMBLOB_INVALID return the value + * for slot 0 if it has been set, otherwise NULL. + * + * Returns a pointer to the name string or NULL. + */ +const char *security_lsm_slot_name(int slot) +{ + if (slot == LSMBLOB_INVALID) + slot = 0; + else if (slot >= LSMBLOB_ENTRIES || slot < 0) + return NULL; + + if (lsm_slotlist[slot] == NULL) + return NULL; + return lsm_slotlist[slot]->lsm; +} /** * security_add_hooks - Add a modules hooks to the hook lists. @@ -2188,13 +2212,32 @@ int security_ismaclabel(const char *name) } EXPORT_SYMBOL(security_ismaclabel); -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp, + int display) { struct security_hook_list *hp; - int display = lsm_task_display(current); memset(cp, 0, sizeof(*cp)); + /* + * display either is the slot number use for formatting + * or an instruction on which relative slot to use. + */ + if (display == LSMBLOB_DISPLAY) + display = lsm_task_display(current); + else if (display == LSMBLOB_FIRST) + display = LSMBLOB_INVALID; + else if (display < 0) { + WARN_ONCE(true, + "LSM: %s unknown display\n", __func__); + display = LSMBLOB_INVALID; + } else if (display >= lsm_slot) { + WARN_ONCE(true, + "LSM: %s invalid display\n", __func__); + display = LSMBLOB_INVALID; + } + + hlist_for_each_entry(hp, &security_hook_heads.secid_to_secctx, list) { if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot)) continue; @@ -2205,7 +2248,7 @@ int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp) &cp->context, &cp->len); } } - return 0; + return -EOPNOTSUPP; } EXPORT_SYMBOL(security_secid_to_secctx); -- 2.24.1