[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231215221636.105680-25-casey@schaufler-ca.com>
Date: Fri, 15 Dec 2023 14:16:18 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
serge@...lyn.com,
keescook@...omium.org,
john.johansen@...onical.com,
penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org,
mic@...ikod.net
Subject: [PATCH v39 24/42] Audit: Add record for multiple task security contexts
Create a new audit record AUDIT_MAC_TASK_CONTEXTS.
An example of the MAC_TASK_CONTEXTS (1420) record is:
type=MAC_TASK_CONTEXTS[1420]
msg=audit(1600880931.832:113)
subj_apparmor=unconfined
subj_smack=_
When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record
the "subj=" field in other records in the event will be "subj=?".
An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on a subject security context.
Acked-by: Paul Moore <paul@...l-moore.com>
Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
---
include/linux/lsm_hooks.h | 2 ++
include/linux/security.h | 1 +
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 45 ++++++++++++++++++++++++++++++++------
security/apparmor/lsm.c | 1 +
security/bpf/hooks.c | 1 +
security/security.c | 3 +++
security/selinux/hooks.c | 1 +
security/smack/smack_lsm.c | 1 +
9 files changed, 49 insertions(+), 7 deletions(-)
diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
index efd4a0655159..605aaf38c3f5 100644
--- a/include/linux/lsm_hooks.h
+++ b/include/linux/lsm_hooks.h
@@ -47,12 +47,14 @@ struct security_hook_heads {
* struct lsm_id - Identify a Linux Security Module.
* @lsm: name of the LSM, must be approved by the LSM maintainers
* @id: LSM ID number from uapi/linux/lsm.h
+ * @lsmblob: indicates the LSM has an entry in struct lsmblob
*
* Contains the information that identifies the LSM.
*/
struct lsm_id {
const char *name;
u64 id;
+ bool lsmblob;
};
/*
diff --git a/include/linux/security.h b/include/linux/security.h
index 360a454d5f8e..947cb3a35db4 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -192,6 +192,7 @@ struct lsmblob {
extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1];
extern u32 lsm_active_cnt;
+extern u32 lsm_blob_cnt;
extern const struct lsm_id *lsm_idlist[];
/* These functions are in security/commoncap.c */
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index d676ed2b246e..dc045164b86b 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -143,6 +143,7 @@
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
+#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
index b194494c4dc4..9d971fa96c0e 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -54,6 +54,7 @@
#include <net/netlink.h>
#include <linux/skbuff.h>
#include <linux/security.h>
+#include <linux/lsm_hooks.h>
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
@@ -2228,21 +2229,51 @@ int audit_log_task_context(struct audit_buffer *ab)
{
struct lsmcontext ctx;
struct lsmblob blob;
+ bool space = false;
int error;
+ int i;
security_current_getlsmblob_subj(&blob);
if (!lsmblob_is_set(&blob))
return 0;
- error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF);
- if (error < 0) {
- if (error != -EINVAL)
- goto error_path;
+ if (lsm_blob_cnt < 2) {
+ error = security_lsmblob_to_secctx(&blob, &ctx, LSM_ID_UNDEF);
+ if (error < 0) {
+ if (error != -EINVAL)
+ goto error_path;
+ return 0;
+ }
+ audit_log_format(ab, " subj=%s", ctx.context);
+ security_release_secctx(&ctx);
return 0;
}
-
- audit_log_format(ab, " subj=%s", ctx.context);
- security_release_secctx(&ctx);
+ /* Multiple LSMs provide contexts. Include an aux record. */
+ audit_log_format(ab, " subj=?");
+ error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS);
+ if (error)
+ goto error_path;
+
+ for (i = 0; i < lsm_active_cnt; i++) {
+ if (!lsm_idlist[i]->lsmblob)
+ continue;
+ error = security_lsmblob_to_secctx(&blob, &ctx,
+ lsm_idlist[i]->id);
+ if (error < 0) {
+ if (error == -EOPNOTSUPP)
+ continue;
+ audit_log_format(ab, "%ssubj_%s=?", space ? " " : "",
+ lsm_idlist[i]->name);
+ if (error != -EINVAL)
+ audit_panic("error in audit_log_task_context");
+ } else {
+ audit_log_format(ab, "%ssubj_%s=%s", space ? " " : "",
+ lsm_idlist[i]->name, ctx.context);
+ security_release_secctx(&ctx);
+ }
+ space = true;
+ }
+ audit_buffer_aux_end(ab);
return 0;
error_path:
diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c
index b5f3beb26d5a..075942b253ae 100644
--- a/security/apparmor/lsm.c
+++ b/security/apparmor/lsm.c
@@ -1447,6 +1447,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = {
static const struct lsm_id apparmor_lsmid = {
.name = "apparmor",
.id = LSM_ID_APPARMOR,
+ .lsmblob = true,
};
static struct security_hook_list apparmor_hooks[] __ro_after_init = {
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c
index 57b9ffd53c98..2da40774dd20 100644
--- a/security/bpf/hooks.c
+++ b/security/bpf/hooks.c
@@ -19,6 +19,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = {
static const struct lsm_id bpf_lsmid = {
.name = "bpf",
.id = LSM_ID_BPF,
+ .lsmblob = true,
};
static int __init bpf_lsm_init(void)
diff --git a/security/security.c b/security/security.c
index 444051575793..8ff6cef26e6c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -269,6 +269,7 @@ static void __init initialize_lsm(struct lsm_info *lsm)
* Current index to use while initializing the lsm id list.
*/
u32 lsm_active_cnt __ro_after_init;
+u32 lsm_blob_cnt __ro_after_init;
const struct lsm_id *lsm_idlist[LSM_CONFIG_COUNT];
/**
@@ -599,6 +600,8 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count,
if (lsm_active_cnt >= LSM_CONFIG_COUNT)
panic("%s Too many LSMs registered.\n", __func__);
lsm_idlist[lsm_active_cnt++] = lsmid;
+ if (lsmid->lsmblob)
+ lsm_blob_cnt++;
}
for (i = 0; i < count; i++) {
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index ed4237223959..656f25337334 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7092,6 +7092,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd)
static const struct lsm_id selinux_lsmid = {
.name = "selinux",
.id = LSM_ID_SELINUX,
+ .lsmblob = true,
};
/*
diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c
index a58e2c14f120..a9ab31a40e36 100644
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -5069,6 +5069,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = {
static const struct lsm_id smack_lsmid = {
.name = "smack",
.id = LSM_ID_SMACK,
+ .lsmblob = true,
};
static struct security_hook_list smack_hooks[] __ro_after_init = {
--
2.41.0
Powered by blists - more mailing lists