From: Kees Cook <keescook@chromium.org>
To: Casey Schaufler <casey@schaufler-ca.com>
Cc: casey.schaufler@intel.com, jmorris@namei.org,
linux-security-module@vger.kernel.org, selinux@vger.kernel.org,
john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp,
paul@paul-moore.com, sds@tycho.nsa.gov, linux-audit@redhat.com
Subject: Re: [PATCH v16 21/23] Audit: Add a new record for multiple object LSM attributes
Date: Tue, 7 Apr 2020 11:43:52 -0700 [thread overview]
Message-ID: <202004071143.067D340B9@keescook> (raw)
In-Reply-To: <20200407000159.43602-22-casey@schaufler-ca.com>
On Mon, Apr 06, 2020 at 05:01:57PM -0700, Casey Schaufler wrote:
> Create a new audit record type to contain the object information
> when there are multiple security modules that require such data.
> This record is emitted before the other records for the event, but
> is linked with the same timestamp and serial number.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
-Kees
> ---
> include/linux/audit.h | 2 ++
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 53 +++++++++++++++++++++++++++++
> kernel/audit.h | 4 +--
> kernel/auditsc.c | 70 +++++---------------------------------
> 5 files changed, 67 insertions(+), 63 deletions(-)
>
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index 8e1c759fd1ff..4c7c0ee867a1 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -163,6 +163,8 @@ extern void audit_log_path_denied(int type,
> extern void audit_log_lost(const char *message);
>
> extern int audit_log_task_context(struct audit_buffer *ab);
> +extern int audit_log_object_context(struct audit_buffer *ab,
> + struct lsmblob *blob);
> extern void audit_log_task_info(struct audit_buffer *ab);
>
> extern int audit_update_lsm_rules(void);
> diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> index 2e6dbf907ee3..2269100ba0ca 100644
> --- a/include/uapi/linux/audit.h
> +++ b/include/uapi/linux/audit.h
> @@ -139,6 +139,7 @@
> #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
> #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
> #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM contexts */
> +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM object contexts */
>
> #define AUDIT_FIRST_KERN_ANOM_MSG 1700
> #define AUDIT_LAST_KERN_ANOM_MSG 1799
> diff --git a/kernel/audit.c b/kernel/audit.c
> index 00a4fbecfdf7..6a6146a34cc9 100644
> --- a/kernel/audit.c
> +++ b/kernel/audit.c
> @@ -2113,6 +2113,59 @@ int audit_log_task_context(struct audit_buffer *ab)
> }
> EXPORT_SYMBOL(audit_log_task_context);
>
> +int audit_log_object_context(struct audit_buffer *ab,
> + struct lsmblob *blob)
> +{
> + int i;
> + int error;
> + bool sep = false;
> + struct lsmcontext lsmdata;
> + struct audit_buffer *lsmab = NULL;
> + struct audit_context *context = NULL;
> +
> + /*
> + * If there is more than one security module that has a
> + * object "context" it's necessary to put the object data
> + * into a separate record to maintain compatibility.
> + */
> + if (security_lsm_slot_name(1) != NULL) {
> + audit_log_format(ab, " obj=?");
> + context = ab->ctx;
> + if (context)
> + lsmab = audit_log_start(context, GFP_KERNEL,
> + AUDIT_MAC_OBJ_CONTEXTS);
> + }
> +
> + for (i = 0; i < LSMBLOB_ENTRIES; i++) {
> + if (blob->secid[i] == 0)
> + continue;
> + error = security_secid_to_secctx(blob, &lsmdata, i);
> + if (error && error != -EINVAL) {
> + audit_panic("error in audit_log_object_context");
> + return error;
> + }
> +
> + if (context) {
> + audit_log_format(lsmab, "%sobj_%s=%s",
> + sep ? " " : "",
> + security_lsm_slot_name(i),
> + lsmdata.context);
> + sep = true;
> + } else
> + audit_log_format(ab, " obj=%s", lsmdata.context);
> +
> + security_release_secctx(&lsmdata);
> + if (!context)
> + break;
> + }
> +
> + if (context)
> + audit_log_end(lsmab);
> +
> + return 0;
> +}
> +EXPORT_SYMBOL(audit_log_object_context);
> +
> void audit_log_d_path_exe(struct audit_buffer *ab,
> struct mm_struct *mm)
> {
> diff --git a/kernel/audit.h b/kernel/audit.h
> index f65f516913c6..9a26ba213f6a 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -78,7 +78,7 @@ struct audit_names {
> kuid_t uid;
> kgid_t gid;
> dev_t rdev;
> - u32 osid;
> + struct lsmblob oblob;
> struct audit_cap_data fcap;
> unsigned int fcap_ver;
> unsigned char type; /* record type */
> @@ -152,7 +152,7 @@ struct audit_context {
> kuid_t uid;
> kgid_t gid;
> umode_t mode;
> - u32 osid;
> + struct lsmblob oblob;
> int has_perm;
> uid_t perm_uid;
> gid_t perm_gid;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 4df540c32581..f567f3776ca5 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -659,14 +659,6 @@ static int audit_filter_rules(struct task_struct *tsk,
> if (f->lsm_isset) {
> /* Find files that match */
> if (name) {
> - /*
> - * lsmblob_init sets all values in the
> - * lsmblob to sid. This is temporary
> - * until name->osid is converted to a
> - * lsmblob, which happens later in
> - * this patch set.
> - */
> - lsmblob_init(&blob, name->osid);
> result = security_audit_rule_match(
> &blob,
> f->type,
> @@ -674,7 +666,6 @@ static int audit_filter_rules(struct task_struct *tsk,
> f->lsm_rules);
> } else if (ctx) {
> list_for_each_entry(n, &ctx->names_list, list) {
> - lsmblob_init(&blob, name->osid);
> if (security_audit_rule_match(
> &blob,
> f->type,
> @@ -688,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk,
> /* Find ipc objects that match */
> if (!ctx || ctx->type != AUDIT_IPC)
> break;
> - lsmblob_init(&blob, ctx->ipc.osid);
> - if (security_audit_rule_match(&blob,
> + if (security_audit_rule_match(&ctx->ipc.oblob,
> f->type, f->op,
> f->lsm_rules))
> ++result;
> @@ -969,7 +959,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
> struct lsmblob *blob, char *comm)
> {
> struct audit_buffer *ab;
> - struct lsmcontext lsmctx;
> int rc = 0;
>
> ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
> @@ -979,15 +968,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
> audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
> from_kuid(&init_user_ns, auid),
> from_kuid(&init_user_ns, uid), sessionid);
> - if (lsmblob_is_set(blob)) {
> - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
> - audit_log_format(ab, " obj=(none)");
> - rc = 1;
> - } else {
> - audit_log_format(ab, " obj=%s", lsmctx.context);
> - security_release_secctx(&lsmctx);
> - }
> - }
> + rc = audit_log_object_context(ab, blob);
> audit_log_format(ab, " ocomm=");
> audit_log_untrustedstring(ab, comm);
> audit_log_end(ab);
> @@ -1214,26 +1195,14 @@ static void show_special(struct audit_context *context, int *call_panic)
> context->socketcall.args[i]);
> break; }
> case AUDIT_IPC: {
> - u32 osid = context->ipc.osid;
> + struct lsmblob *oblob = &context->ipc.oblob;
>
> audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
> from_kuid(&init_user_ns, context->ipc.uid),
> from_kgid(&init_user_ns, context->ipc.gid),
> context->ipc.mode);
> - if (osid) {
> - struct lsmcontext lsmcxt;
> - struct lsmblob blob;
> -
> - lsmblob_init(&blob, osid);
> - if (security_secid_to_secctx(&blob, &lsmcxt,
> - LSMBLOB_FIRST)) {
> - audit_log_format(ab, " osid=%u", osid);
> - *call_panic = 1;
> - } else {
> - audit_log_format(ab, " obj=%s", lsmcxt.context);
> - security_release_secctx(&lsmcxt);
> - }
> - }
> + if (audit_log_object_context(ab, oblob))
> + *call_panic = 1;
> if (context->ipc.has_perm) {
> audit_log_end(ab);
> ab = audit_log_start(context, GFP_KERNEL,
> @@ -1373,20 +1342,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
> from_kgid(&init_user_ns, n->gid),
> MAJOR(n->rdev),
> MINOR(n->rdev));
> - if (n->osid != 0) {
> - struct lsmblob blob;
> - struct lsmcontext lsmctx;
> -
> - lsmblob_init(&blob, n->osid);
> - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
> - audit_log_format(ab, " osid=%u", n->osid);
> - if (call_panic)
> - *call_panic = 2;
> - } else {
> - audit_log_format(ab, " obj=%s", lsmctx.context);
> - security_release_secctx(&lsmctx);
> - }
> - }
> + if (audit_log_object_context(ab, &n->oblob) && call_panic)
> + *call_panic = 2;
>
> /* log the audit_names record type */
> switch (n->type) {
> @@ -1935,17 +1892,13 @@ static void audit_copy_inode(struct audit_names *name,
> const struct dentry *dentry,
> struct inode *inode, unsigned int flags)
> {
> - struct lsmblob blob;
> -
> name->ino = inode->i_ino;
> name->dev = inode->i_sb->s_dev;
> name->mode = inode->i_mode;
> name->uid = inode->i_uid;
> name->gid = inode->i_gid;
> name->rdev = inode->i_rdev;
> - security_inode_getsecid(inode, &blob);
> - /* scaffolding until osid is updated */
> - name->osid = blob.secid[0];
> + security_inode_getsecid(inode, &name->oblob);
> if (flags & AUDIT_INODE_NOEVAL) {
> name->fcap_ver = -1;
> return;
> @@ -2291,16 +2244,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
> void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
> {
> struct audit_context *context = audit_context();
> - struct lsmblob blob;
> context->ipc.uid = ipcp->uid;
> context->ipc.gid = ipcp->gid;
> context->ipc.mode = ipcp->mode;
> context->ipc.has_perm = 0;
> - security_ipc_getsecid(ipcp, &blob);
> - /* context->ipc.osid will be changed to a lsmblob later in
> - * the patch series. This will allow auditing of all the object
> - * labels associated with the ipc object. */
> - context->ipc.osid = lsmblob_value(&blob);
> + security_ipc_getsecid(ipcp, &context->ipc.oblob);
> context->type = AUDIT_IPC;
> }
>
> --
> 2.24.1
>
--
Kees Cook
next prev parent reply other threads:[~2020-04-07 18:43 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20200407000159.43602-1-casey.ref@schaufler-ca.com>
2020-04-07 0:01 ` [PATCH v16 00/23] LSM: Module stacking for AppArmor Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 01/23] LSM: Infrastructure management of the sock security Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 02/23] LSM: Create and manage the lsmblob data structure Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 03/23] LSM: Use lsmblob in security_audit_rule_match Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 04/23] LSM: Use lsmblob in security_kernel_act_as Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 05/23] net: Prepare UDS for security module stacking Casey Schaufler
2020-04-07 18:36 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 06/23] Use lsmblob in security_secctx_to_secid Casey Schaufler
2020-04-07 18:36 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 07/23] LSM: Use lsmblob in security_secid_to_secctx Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 08/23] LSM: Use lsmblob in security_ipc_getsecid Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 09/23] LSM: Use lsmblob in security_task_getsecid Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 10/23] LSM: Use lsmblob in security_inode_getsecid Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 11/23] LSM: Use lsmblob in security_cred_getsecid Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 12/23] IMA: Change internal interfaces to use lsmblobs Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 13/23] LSM: Specify which LSM to display Casey Schaufler
2020-04-07 18:40 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 14/23] LSM: Ensure the correct LSM context releaser Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 15/23] LSM: Use lsmcontext in security_secid_to_secctx Casey Schaufler
2020-04-07 18:41 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 16/23] LSM: Use lsmcontext in security_inode_getsecctx Casey Schaufler
2020-04-07 18:41 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 17/23] LSM: security_secid_to_secctx in netlink netfilter Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 18/23] NET: Store LSM netlabel data in a lsmblob Casey Schaufler
2020-04-07 0:01 ` [PATCH v16 19/23] LSM: Verify LSM display sanity in binder Casey Schaufler
2020-04-07 18:42 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 20/23] Audit: Add a new record for multiple subject LSM attributes Casey Schaufler
2020-04-07 18:43 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 21/23] Audit: Add a new record for multiple object " Casey Schaufler
2020-04-07 18:43 ` Kees Cook [this message]
2020-04-07 0:01 ` [PATCH v16 22/23] LSM: Add /proc attr entry for full LSM context Casey Schaufler
2020-04-07 18:47 ` Kees Cook
2020-04-07 0:01 ` [PATCH v16 23/23] AppArmor: Remove the exclusive flag Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=202004071143.067D340B9@keescook \
--to=keescook@chromium.org \
--cc=casey.schaufler@intel.com \
--cc=casey@schaufler-ca.com \
--cc=jmorris@namei.org \
--cc=john.johansen@canonical.com \
--cc=linux-audit@redhat.com \
--cc=linux-security-module@vger.kernel.org \
--cc=paul@paul-moore.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=sds@tycho.nsa.gov \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).