From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> To: linux-security-module <linux-security-module@vger.kernel.org>, audit@vger.kernel.org, linux-audit@redhat.com Subject: [PATCH v2] TaskTracker : Simplified thread information tracker. Date: Sun, 6 Aug 2023 22:04:55 +0900 [thread overview] Message-ID: <41d03271-ff8a-9888-11de-a7f53da47328@I-love.SAKURA.ne.jp> (raw) When an unexpected system event occurs, the administrator may want to identify which application triggered the event. For example, unexpected process termination is still a real concern enough to write articles like https://access.redhat.com/solutions/165993 . TaskTracker is a trivial LSM module which emits TOMOYO-like information into the audit logs for better understanding of unexpected system events. I suggested TaskTracker about 10 years ago [1]. Compared to that time, security_task_alloc()/security_task_free() hooks have been revived, but the multiple concurrent LSM patches have not completed yet. When I proposed TaskTracker as an LSM module [2], there was a comment that this module should not reuse the subj= field and instead add new fields to audit logs. But that thread died for unknown reason, and there is an effort for making it possible to enable SELinux and Smack at the same time. Thus, retrying as an LSM module based on an assumption that the multiple concurrent LSM patches will address how to share the subj= field. I think that passing whole history in one string is easier for those who want to avoid bloating audit log files to control history size and fields to include. Also, I think that userspace tools won't try to tokenize this history in order to perform more than fgrep matching. But now that LSM people are about to require an LSM ID for registering an LSM module, I can't wait till it becomes possible to enable SELinux and Smack at the same time. I have to send TaskTracker upstream in order to assign an LSM ID for TaskTracker. Link: https://marc.info/?l=linux-security-module&m=138547679621695 [1] Link: https://lkml.kernel.org/r/201405232144.JFB30480.OVMOOSFtQJHLFF@I-love.SAKURA.ne.jp [2] Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- security/Kconfig | 1 + security/Makefile | 1 + security/tasktracker/Kconfig | 24 +++++ security/tasktracker/Makefile | 2 + security/tasktracker/tasktracker.c | 160 +++++++++++++++++++++++++++++ 5 files changed, 188 insertions(+) create mode 100644 security/tasktracker/Kconfig create mode 100644 security/tasktracker/Makefile create mode 100644 security/tasktracker/tasktracker.c diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..aea0ac2b24a1 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -194,6 +194,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/tasktracker/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..86ae43be3207 100644 --- a/security/Makefile +++ b/security/Makefile @@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_TASKTRACKER) += tasktracker/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/tasktracker/Kconfig b/security/tasktracker/Kconfig new file mode 100644 index 000000000000..6b294bf18878 --- /dev/null +++ b/security/tasktracker/Kconfig @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: GPL-2.0-only +config SECURITY_TASKTRACKER + bool "TaskTracker Support" + depends on SECURITY && AUDIT + default n + help + This selects TaskTracker, a module which provides a thread's + history for better understanding of audit logs. + + If you enable this module, you will find history of current + thread in the subj= field of audit logs in the form of + name=$commname;pid=$pid;start=$YYYYMMDDhhmmss delimited by => + like an example shown below. + + [root@localhost ~]# auditctl -a exit,always -F arch=b64 -S kill + [root@localhost ~]# bash + [root@localhost ~]# kill -9 $$ + Killed + [root@localhost ~]# ausearch -sc kill + ---- + time->Sun Aug 6 15:36:17 2023 + type=PROCTITLE msg=audit(1691303777.054:117): proctitle="(null)" + type=OBJ_PID msg=audit(1691303777.054:117): opid=3787 oauid=0 ouid=0 oses=1 ocomm="bash" + type=SYSCALL msg=audit(1691303777.054:117): arch=c000003e syscall=62 success=yes exit=0 a0=ecb a1=9 a2=0 a3=7ffc779be760 items=0 ppid=3766 pid=3787 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj="name=swapper/0;pid=0;start=20230806153345=>name=init;pid=1;start=20230806153400=>name=systemd;pid=1;start=20230806153457=>name=sshd;pid=3661;start=20230806063525=>name=sshd;pid=3764;start=20230806063543=>name=bash;pid=3766;start=20230806063549=>name=bash;pid=3787;start=20230806063612" key=(null) diff --git a/security/tasktracker/Makefile b/security/tasktracker/Makefile new file mode 100644 index 000000000000..1c11673c7684 --- /dev/null +++ b/security/tasktracker/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0 +obj-y = tasktracker.o diff --git a/security/tasktracker/tasktracker.c b/security/tasktracker/tasktracker.c new file mode 100644 index 000000000000..bd76d7e2b42b --- /dev/null +++ b/security/tasktracker/tasktracker.c @@ -0,0 +1,160 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * tt.c - Simplified thread information tracker. + */ + +#include <linux/lsm_hooks.h> +#include <linux/ctype.h> + +#define HISTORY_BUFFER_SIZE 1024 + +struct lsm_blob_sizes tt_blob_sizes __ro_after_init = { + .lbs_task = HISTORY_BUFFER_SIZE, +}; + +/** + * tt_task - Get history of specified thread. + * + * @task - Pointer to "struct task_struct". + * + * Returns history of specified thread. + */ +static char *tt_task(struct task_struct *task) +{ + return task->security + tt_blob_sizes.lbs_task; +} + +/** + * tt_update_history - Update history of current thread. + * + * Returns nothing. + */ +static void tt_update_history(void) +{ + int i; + int required; + struct tm tm; + char buf[256]; + char *cp = buf; + char *history = tt_task(current); + + cp += snprintf(buf, sizeof(buf) - 1, "name="); + for (i = 0; i < TASK_COMM_LEN; i++) { + const unsigned char c = current->comm[i]; + + if (!c) + break; + if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/') { + *cp++ = c; + continue; + } + *cp++ = '\\'; + *cp++ = (c >> 6) + '0'; + *cp++ = ((c >> 3) & 7) + '0'; + *cp++ = (c & 7) + '0'; + } + /* Append PID. */ + cp += snprintf(cp, buf - cp + sizeof(buf) - 1, ";pid=%u", + current->pid); + /* Append timestamp. */ + time64_to_tm(ktime_get_real_seconds(), 0, &tm); + cp += snprintf(cp, buf - cp + sizeof(buf) - 1, + ";start=%04u%02u%02u%02u%02u%02u", (int) tm.tm_year + 1900, + tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, + tm.tm_sec); + /* Terminate the buffer. */ + if (cp >= buf + sizeof(buf)) + cp = buf + sizeof(buf) - 1; + *cp = '\0'; + required = cp - buf; + /* Truncate history if history is too long to append. */ + cp = history; + while (i = strlen(cp), i + required >= HISTORY_BUFFER_SIZE - 10) { + char *cp2 = memchr(cp + 3, '>', i - 3); + + if (WARN_ON_ONCE(!cp2)) + return; + cp2--; + memmove(cp + 1, cp2, strlen(cp2) + 1); + } + /* Create or append history. */ + if (!i) + sprintf(cp, "\"%s\"", buf); + else + sprintf(cp + i - 1, "=>%s\"", buf); +} + +static void tt_current_getsecid_subj(u32 *secid) +{ + *secid = 1; +} + +/** + * tt_secid_to_secctx - Allocate memory used for auditing. + * + * @secid: Bool flag to allocate. + * @secdata: Pointer to allocate memory. + * @seclen: Unused. + * + * Returns 0 on success, -EINVAL otherwise. + */ +static int tt_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +{ + char *history = tt_task(current); + + /* + * This module avoids returning -ENOMEM in order to avoid audit_panic(), + * by returning only current thread's history. Since current thread's + * history is updated and read by only current thread, we don't need to + * copy the history for reading. + */ + if (secid != 1) + return -EINVAL; + if (secdata) + *secdata = history; + *seclen = strlen(history); + return 0; +} + +static int tt_task_alloc(struct task_struct *task, unsigned long clone_flags) +{ + /* Copy from current thread's history upon clone(). */ + strscpy(tt_task(task), tt_task(current), HISTORY_BUFFER_SIZE); + return 0; +} + +static void tt_bprm_committing_creds(struct linux_binprm *bprm) +{ + /* Update current thread's history upon successful execve(). */ + tt_update_history(); +} + +static struct security_hook_list tt_hooks[] __ro_after_init = { + LSM_HOOK_INIT(current_getsecid_subj, tt_current_getsecid_subj), + LSM_HOOK_INIT(secid_to_secctx, tt_secid_to_secctx), + LSM_HOOK_INIT(task_alloc, tt_task_alloc), + LSM_HOOK_INIT(bprm_committing_creds, tt_bprm_committing_creds), +}; + +/** + * tt_init - Register TaskTracker as a LSM module. + * + * Returns 0. + */ +static int __init tt_init(void) +{ + char *history = tt_task(current); + + memset(history, 0, HISTORY_BUFFER_SIZE); + tt_update_history(); + security_add_hooks(tt_hooks, ARRAY_SIZE(tt_hooks), "tt"); + pr_info("TaskTracker initialized\n"); + return 0; +} + +DEFINE_LSM(tt) = { + .name = "tt", + .flags = LSM_FLAG_EXCLUSIVE, /* Due to use of "u32 *secid' argument. */ + .blobs = &tt_blob_sizes, + .init = tt_init, +}; -- 2.18.4
WARNING: multiple messages have this Message-ID (diff)
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> To: linux-security-module <linux-security-module@vger.kernel.org>, audit@vger.kernel.org, linux-audit@redhat.com Subject: [PATCH v2] TaskTracker : Simplified thread information tracker. Date: Sun, 6 Aug 2023 22:04:55 +0900 [thread overview] Message-ID: <41d03271-ff8a-9888-11de-a7f53da47328@I-love.SAKURA.ne.jp> (raw) When an unexpected system event occurs, the administrator may want to identify which application triggered the event. For example, unexpected process termination is still a real concern enough to write articles like https://access.redhat.com/solutions/165993 . TaskTracker is a trivial LSM module which emits TOMOYO-like information into the audit logs for better understanding of unexpected system events. I suggested TaskTracker about 10 years ago [1]. Compared to that time, security_task_alloc()/security_task_free() hooks have been revived, but the multiple concurrent LSM patches have not completed yet. When I proposed TaskTracker as an LSM module [2], there was a comment that this module should not reuse the subj= field and instead add new fields to audit logs. But that thread died for unknown reason, and there is an effort for making it possible to enable SELinux and Smack at the same time. Thus, retrying as an LSM module based on an assumption that the multiple concurrent LSM patches will address how to share the subj= field. I think that passing whole history in one string is easier for those who want to avoid bloating audit log files to control history size and fields to include. Also, I think that userspace tools won't try to tokenize this history in order to perform more than fgrep matching. But now that LSM people are about to require an LSM ID for registering an LSM module, I can't wait till it becomes possible to enable SELinux and Smack at the same time. I have to send TaskTracker upstream in order to assign an LSM ID for TaskTracker. Link: https://marc.info/?l=linux-security-module&m=138547679621695 [1] Link: https://lkml.kernel.org/r/201405232144.JFB30480.OVMOOSFtQJHLFF@I-love.SAKURA.ne.jp [2] Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp> --- security/Kconfig | 1 + security/Makefile | 1 + security/tasktracker/Kconfig | 24 +++++ security/tasktracker/Makefile | 2 + security/tasktracker/tasktracker.c | 160 +++++++++++++++++++++++++++++ 5 files changed, 188 insertions(+) create mode 100644 security/tasktracker/Kconfig create mode 100644 security/tasktracker/Makefile create mode 100644 security/tasktracker/tasktracker.c diff --git a/security/Kconfig b/security/Kconfig index 52c9af08ad35..aea0ac2b24a1 100644 --- a/security/Kconfig +++ b/security/Kconfig @@ -194,6 +194,7 @@ source "security/yama/Kconfig" source "security/safesetid/Kconfig" source "security/lockdown/Kconfig" source "security/landlock/Kconfig" +source "security/tasktracker/Kconfig" source "security/integrity/Kconfig" diff --git a/security/Makefile b/security/Makefile index 18121f8f85cd..86ae43be3207 100644 --- a/security/Makefile +++ b/security/Makefile @@ -24,6 +24,7 @@ obj-$(CONFIG_SECURITY_LOCKDOWN_LSM) += lockdown/ obj-$(CONFIG_CGROUPS) += device_cgroup.o obj-$(CONFIG_BPF_LSM) += bpf/ obj-$(CONFIG_SECURITY_LANDLOCK) += landlock/ +obj-$(CONFIG_SECURITY_TASKTRACKER) += tasktracker/ # Object integrity file lists obj-$(CONFIG_INTEGRITY) += integrity/ diff --git a/security/tasktracker/Kconfig b/security/tasktracker/Kconfig new file mode 100644 index 000000000000..6b294bf18878 --- /dev/null +++ b/security/tasktracker/Kconfig @@ -0,0 +1,24 @@ +# SPDX-License-Identifier: GPL-2.0-only +config SECURITY_TASKTRACKER + bool "TaskTracker Support" + depends on SECURITY && AUDIT + default n + help + This selects TaskTracker, a module which provides a thread's + history for better understanding of audit logs. + + If you enable this module, you will find history of current + thread in the subj= field of audit logs in the form of + name=$commname;pid=$pid;start=$YYYYMMDDhhmmss delimited by => + like an example shown below. + + [root@localhost ~]# auditctl -a exit,always -F arch=b64 -S kill + [root@localhost ~]# bash + [root@localhost ~]# kill -9 $$ + Killed + [root@localhost ~]# ausearch -sc kill + ---- + time->Sun Aug 6 15:36:17 2023 + type=PROCTITLE msg=audit(1691303777.054:117): proctitle="(null)" + type=OBJ_PID msg=audit(1691303777.054:117): opid=3787 oauid=0 ouid=0 oses=1 ocomm="bash" + type=SYSCALL msg=audit(1691303777.054:117): arch=c000003e syscall=62 success=yes exit=0 a0=ecb a1=9 a2=0 a3=7ffc779be760 items=0 ppid=3766 pid=3787 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="bash" exe="/usr/bin/bash" subj="name=swapper/0;pid=0;start=20230806153345=>name=init;pid=1;start=20230806153400=>name=systemd;pid=1;start=20230806153457=>name=sshd;pid=3661;start=20230806063525=>name=sshd;pid=3764;start=20230806063543=>name=bash;pid=3766;start=20230806063549=>name=bash;pid=3787;start=20230806063612" key=(null) diff --git a/security/tasktracker/Makefile b/security/tasktracker/Makefile new file mode 100644 index 000000000000..1c11673c7684 --- /dev/null +++ b/security/tasktracker/Makefile @@ -0,0 +1,2 @@ +# SPDX-License-Identifier: GPL-2.0 +obj-y = tasktracker.o diff --git a/security/tasktracker/tasktracker.c b/security/tasktracker/tasktracker.c new file mode 100644 index 000000000000..bd76d7e2b42b --- /dev/null +++ b/security/tasktracker/tasktracker.c @@ -0,0 +1,160 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * tt.c - Simplified thread information tracker. + */ + +#include <linux/lsm_hooks.h> +#include <linux/ctype.h> + +#define HISTORY_BUFFER_SIZE 1024 + +struct lsm_blob_sizes tt_blob_sizes __ro_after_init = { + .lbs_task = HISTORY_BUFFER_SIZE, +}; + +/** + * tt_task - Get history of specified thread. + * + * @task - Pointer to "struct task_struct". + * + * Returns history of specified thread. + */ +static char *tt_task(struct task_struct *task) +{ + return task->security + tt_blob_sizes.lbs_task; +} + +/** + * tt_update_history - Update history of current thread. + * + * Returns nothing. + */ +static void tt_update_history(void) +{ + int i; + int required; + struct tm tm; + char buf[256]; + char *cp = buf; + char *history = tt_task(current); + + cp += snprintf(buf, sizeof(buf) - 1, "name="); + for (i = 0; i < TASK_COMM_LEN; i++) { + const unsigned char c = current->comm[i]; + + if (!c) + break; + if (isalnum(c) || c == '.' || c == '_' || c == '-' || c == '/') { + *cp++ = c; + continue; + } + *cp++ = '\\'; + *cp++ = (c >> 6) + '0'; + *cp++ = ((c >> 3) & 7) + '0'; + *cp++ = (c & 7) + '0'; + } + /* Append PID. */ + cp += snprintf(cp, buf - cp + sizeof(buf) - 1, ";pid=%u", + current->pid); + /* Append timestamp. */ + time64_to_tm(ktime_get_real_seconds(), 0, &tm); + cp += snprintf(cp, buf - cp + sizeof(buf) - 1, + ";start=%04u%02u%02u%02u%02u%02u", (int) tm.tm_year + 1900, + tm.tm_mon + 1, tm.tm_mday, tm.tm_hour, tm.tm_min, + tm.tm_sec); + /* Terminate the buffer. */ + if (cp >= buf + sizeof(buf)) + cp = buf + sizeof(buf) - 1; + *cp = '\0'; + required = cp - buf; + /* Truncate history if history is too long to append. */ + cp = history; + while (i = strlen(cp), i + required >= HISTORY_BUFFER_SIZE - 10) { + char *cp2 = memchr(cp + 3, '>', i - 3); + + if (WARN_ON_ONCE(!cp2)) + return; + cp2--; + memmove(cp + 1, cp2, strlen(cp2) + 1); + } + /* Create or append history. */ + if (!i) + sprintf(cp, "\"%s\"", buf); + else + sprintf(cp + i - 1, "=>%s\"", buf); +} + +static void tt_current_getsecid_subj(u32 *secid) +{ + *secid = 1; +} + +/** + * tt_secid_to_secctx - Allocate memory used for auditing. + * + * @secid: Bool flag to allocate. + * @secdata: Pointer to allocate memory. + * @seclen: Unused. + * + * Returns 0 on success, -EINVAL otherwise. + */ +static int tt_secid_to_secctx(u32 secid, char **secdata, u32 *seclen) +{ + char *history = tt_task(current); + + /* + * This module avoids returning -ENOMEM in order to avoid audit_panic(), + * by returning only current thread's history. Since current thread's + * history is updated and read by only current thread, we don't need to + * copy the history for reading. + */ + if (secid != 1) + return -EINVAL; + if (secdata) + *secdata = history; + *seclen = strlen(history); + return 0; +} + +static int tt_task_alloc(struct task_struct *task, unsigned long clone_flags) +{ + /* Copy from current thread's history upon clone(). */ + strscpy(tt_task(task), tt_task(current), HISTORY_BUFFER_SIZE); + return 0; +} + +static void tt_bprm_committing_creds(struct linux_binprm *bprm) +{ + /* Update current thread's history upon successful execve(). */ + tt_update_history(); +} + +static struct security_hook_list tt_hooks[] __ro_after_init = { + LSM_HOOK_INIT(current_getsecid_subj, tt_current_getsecid_subj), + LSM_HOOK_INIT(secid_to_secctx, tt_secid_to_secctx), + LSM_HOOK_INIT(task_alloc, tt_task_alloc), + LSM_HOOK_INIT(bprm_committing_creds, tt_bprm_committing_creds), +}; + +/** + * tt_init - Register TaskTracker as a LSM module. + * + * Returns 0. + */ +static int __init tt_init(void) +{ + char *history = tt_task(current); + + memset(history, 0, HISTORY_BUFFER_SIZE); + tt_update_history(); + security_add_hooks(tt_hooks, ARRAY_SIZE(tt_hooks), "tt"); + pr_info("TaskTracker initialized\n"); + return 0; +} + +DEFINE_LSM(tt) = { + .name = "tt", + .flags = LSM_FLAG_EXCLUSIVE, /* Due to use of "u32 *secid' argument. */ + .blobs = &tt_blob_sizes, + .init = tt_init, +}; -- 2.18.4 -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
next reply other threads:[~2023-08-06 13:05 UTC|newest] Thread overview: 22+ messages / expand[flat|nested] mbox.gz Atom feed top 2023-08-06 13:04 Tetsuo Handa [this message] 2023-08-06 13:04 ` [PATCH v2] TaskTracker : Simplified thread information tracker Tetsuo Handa 2023-08-06 22:01 ` Steve Grubb 2023-08-06 22:01 ` Steve Grubb 2023-08-07 14:24 ` Tetsuo Handa 2023-08-07 14:24 ` Tetsuo Handa 2023-08-07 17:25 ` Casey Schaufler 2023-08-07 17:25 ` Casey Schaufler 2023-08-07 18:54 ` Steve Grubb 2023-08-07 18:54 ` Steve Grubb 2023-08-08 10:25 ` Tetsuo Handa 2023-08-08 10:25 ` Tetsuo Handa 2023-08-07 18:53 ` Paul Moore 2023-08-07 18:53 ` Paul Moore 2023-08-07 19:03 ` Steve Grubb 2023-08-07 19:03 ` Steve Grubb 2023-08-07 20:13 ` Paul Moore 2023-08-07 20:13 ` Paul Moore 2023-08-08 10:07 ` Tetsuo Handa 2023-08-08 10:07 ` Tetsuo Handa 2023-08-08 14:38 ` Paul Moore 2023-08-08 14:38 ` Paul Moore
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=41d03271-ff8a-9888-11de-a7f53da47328@I-love.SAKURA.ne.jp \ --to=penguin-kernel@i-love.sakura.ne.jp \ --cc=audit@vger.kernel.org \ --cc=linux-audit@redhat.com \ --cc=linux-security-module@vger.kernel.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.