lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <e82a0835059181fedbc5b143329b0594151f8221.camel@aisec.fraunhofer.de>
Date:   Fri, 13 Aug 2021 06:59:15 +0000
From:   Weiß, Michael 
        <michael.weiss@...ec.fraunhofer.de>
To:     "casey@...aufler-ca.com" <casey@...aufler-ca.com>
CC:     "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-audit@...hat.com" <linux-audit@...hat.com>,
        "agk@...hat.com" <agk@...hat.com>,
        "linux-raid@...r.kernel.org" <linux-raid@...r.kernel.org>,
        "song@...nel.org" <song@...nel.org>,
        "eparis@...hat.com" <eparis@...hat.com>,
        "snitzer@...hat.com" <snitzer@...hat.com>,
        "dm-devel@...hat.com" <dm-devel@...hat.com>
Subject: Re: [PATCH 1/3] dm: introduce audit event module for device mapper

Hi Casey,

On Thu, 2021-08-12 at 10:08 -0700, Casey Schaufler wrote:
> On 8/12/2021 7:57 AM, Michael Weiß wrote:
> > To be able to send auditing events to user space, we introduce
> > a generic dm-audit module. It provides helper functions to emit
> > audit events through the kernel audit subsystem. We claim the
> > AUDIT_DM type=1336 out of the audit event messages range in the
> > corresponding userspace api in 'include/uapi/linux/audit.h' for
> > those events.
> > 
> > Following commits to device mapper targets actually will make
> > use of this to emit those events in relevant cases.
> > 
> > Signed-off-by: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > ---
> >  drivers/md/Kconfig         | 10 +++++++
> >  drivers/md/Makefile        |  4 +++
> >  drivers/md/dm-audit.c      | 59 ++++++++++++++++++++++++++++++++++++++
> >  drivers/md/dm-audit.h      | 33 +++++++++++++++++++++
> >  include/uapi/linux/audit.h |  2 ++
> >  5 files changed, 108 insertions(+)
> >  create mode 100644 drivers/md/dm-audit.c
> >  create mode 100644 drivers/md/dm-audit.h
> > 
> > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig
> > index 0602e82a9516..fd54c713a03e 100644
> > --- a/drivers/md/Kconfig
> > +++ b/drivers/md/Kconfig
> > @@ -608,6 +608,7 @@ config DM_INTEGRITY
> >  	select CRYPTO
> >  	select CRYPTO_SKCIPHER
> >  	select ASYNC_XOR
> > +	select DM_AUDIT if AUDIT
> >  	help
> >  	  This device-mapper target emulates a block device that has
> >  	  additional per-sector tags that can be used for storing
> > @@ -640,4 +641,13 @@ config DM_ZONED
> >  
> >  	  If unsure, say N.
> >  
> > +config DM_AUDIT
> > +	bool "DM audit events"
> > +	depends on AUDIT
> > +	help
> > +	  Generate audit events for device-mapper.
> > +
> > +	  Enables audit loging of several security relevant events in the
> 
> s/loging/logging/
> 
> > +	  particular device-mapper targets, especially the integrity target.
> > +
> >  endif # MD
> > diff --git a/drivers/md/Makefile b/drivers/md/Makefile
> > index a74aaf8b1445..4cd47623c742 100644
> > --- a/drivers/md/Makefile
> > +++ b/drivers/md/Makefile
> > @@ -103,3 +103,7 @@ endif
> >  ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y)
> >  dm-verity-objs			+= dm-verity-verify-sig.o
> >  endif
> > +
> > +ifeq ($(CONFIG_DM_AUDIT),y)
> > +dm-mod-objs				+= dm-audit.o
> > +endif
> > diff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c
> > new file mode 100644
> > index 000000000000..c7e5824821bb
> > --- /dev/null
> > +++ b/drivers/md/dm-audit.c
> > @@ -0,0 +1,59 @@
> > +// SPDX-License-Identifier: GPL-2.0
> > +/*
> > + * Creating audit records for mapped devices.
> > + *
> > + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved.
> > + *
> > + * Authors: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > + */
> > +
> > +#include <linux/audit.h>
> > +#include <linux/module.h>
> > +#include <linux/device-mapper.h>
> > +#include <linux/bio.h>
> > +#include <linux/blkdev.h>
> > +
> > +#include "dm-audit.h"
> > +#include "dm-core.h"
> > +
> > +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op,
> > +		      struct bio *bio, sector_t sector, int result)
> > +{
> > +	struct audit_buffer *ab;
> > +
> > +	if (audit_enabled == AUDIT_OFF)
> > +		return;
> > +
> > +	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM);
> > +	if (unlikely(!ab))
> > +		return;
> > +
> > +	audit_log_format(ab, "module=%s dev=%d:%d op=%s sector=%llu res=%d",
> > +			 dm_msg_prefix, MAJOR(bio->bi_bdev->bd_dev),
> > +			 MINOR(bio->bi_bdev->bd_dev), op, sector, result);
> > +	audit_log_end(ab);
> > +}
> > +EXPORT_SYMBOL_GPL(dm_audit_log_bio);
> > +
> > +void dm_audit_log_target(const char *dm_msg_prefix, const char *op,
> > +			 struct dm_target *ti, int result)
> > +{
> > +	struct audit_buffer *ab;
> > +	struct mapped_device *md = dm_table_get_md(ti->table);
> > +
> > +	if (audit_enabled == AUDIT_OFF)
> > +		return;
> > +
> > +	ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM);
> > +	if (unlikely(!ab))
> > +		return;
> > +
> > +	audit_log_format(ab, "module=%s dev=%s op=%s",
> > +			 dm_msg_prefix, dm_device_name(md), op);
> > +
> > +	if (!result && !strcmp("ctr", op))
> > +		audit_log_format(ab, " error_msg='%s'", ti->error);
> > +	audit_log_format(ab, " res=%d", result);
> > +	audit_log_end(ab);
> > +}
> > +EXPORT_SYMBOL_GPL(dm_audit_log_target);
> > diff --git a/drivers/md/dm-audit.h b/drivers/md/dm-audit.h
> > new file mode 100644
> > index 000000000000..9db4955d32e1
> > --- /dev/null
> > +++ b/drivers/md/dm-audit.h
> > @@ -0,0 +1,33 @@
> > +/* SPDX-License-Identifier: GPL-2.0 */
> > +/*
> > + * Creating audit records for mapped devices.
> > + *
> > + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved.
> > + *
> > + * Authors: Michael Weiß <michael.weiss@...ec.fraunhofer.de>
> > + */
> > +
> > +#ifndef DM_AUDIT_H
> > +#define DM_AUDIT_H
> > +
> > +#include <linux/device-mapper.h>
> > +
> > +#ifdef CONFIG_DM_AUDIT
> > +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op,
> > +		      struct bio *bio, sector_t sector, int result);
> > +void dm_audit_log_target(const char *dm_msg_prefix, const char *op,
> > +			 struct dm_target *ti, int result);
> > +#else
> > +static inline void dm_audit_log_bio(const char *dm_msg_prefix, const char *op,
> > +				    struct bio *bio, sector_t sector,
> > +				    int result);
> > +{
> > +}

kernel test robot spotted a syntax error if CONFIG_DM_AUDIT is
not set here, too. Will fix this in v2.

> > +static inline void dm_audit_log_target(const char *dm_msg_prefix,
> > +				       const char *op, struct dm_target *ti,
> > +				       int result);
> > +{
> > +}
> > +#endif
> > +
> > +#endif
> > diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
> > index daa481729e9b..9d766fcbcf62 100644
> > --- a/include/uapi/linux/audit.h
> > +++ b/include/uapi/linux/audit.h
> > @@ -118,6 +118,7 @@
> >  #define AUDIT_TIME_ADJNTPVAL	1333	/* NTP value adjustment */
> >  #define AUDIT_BPF		1334	/* BPF subsystem */
> >  #define AUDIT_EVENT_LISTENER	1335	/* Task joined multicast read socket */
> > +#define AUDIT_DM		1336	/* Device Mapper events */
> >  
> >  #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
> >  #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
> > @@ -140,6 +141,7 @@
> >  #define AUDIT_MAC_CALIPSO_ADD	1418	/* NetLabel: add CALIPSO DOI entry */
> >  #define AUDIT_MAC_CALIPSO_DEL	1419	/* NetLabel: del CALIPSO DOI entry */
> >  
> > +
> 
> Unnecessary additional whitespace.
> 
> >  #define AUDIT_FIRST_KERN_ANOM_MSG   1700
> >  #define AUDIT_LAST_KERN_ANOM_MSG    1799
> >  #define AUDIT_ANOM_PROMISCUOUS      1700 /* Device changed promiscuous mode */

Thanks for spotting the errors, I will fix them in v2.

Regards,
Michael

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ