[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20231215221636.105680-27-casey@schaufler-ca.com>
Date: Fri, 15 Dec 2023 14:16:20 -0800
From: Casey Schaufler <casey@...aufler-ca.com>
To: casey@...aufler-ca.com,
paul@...l-moore.com,
linux-security-module@...r.kernel.org
Cc: jmorris@...ei.org,
serge@...lyn.com,
keescook@...omium.org,
john.johansen@...onical.com,
penguin-kernel@...ove.sakura.ne.jp,
stephen.smalley.work@...il.com,
linux-kernel@...r.kernel.org,
mic@...ikod.net
Subject: [PATCH v39 26/42] Audit: Add record for multiple object contexts
Create a new audit record AUDIT_MAC_OBJ_CONTEXTS.
An example of the MAC_OBJ_CONTEXTS (1421) record is:
type=MAC_OBJ_CONTEXTS[1421]
msg=audit(1601152467.009:1050):
obj_selinux=unconfined_u:object_r:user_home_t:s0
When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record
the "obj=" field in other records in the event will be "obj=?".
An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on an object security context.
Signed-off-by: Casey Schaufler <casey@...aufler-ca.com>
Acked-by: Paul Moore <paul@...l-moore.com>
---
include/linux/audit.h | 5 +++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 51 +++++++++++++++++++++++-
kernel/auditsc.c | 81 ++++++++++++--------------------------
4 files changed, 82 insertions(+), 56 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 8974500f730f..914cfd563ce3 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -185,6 +185,8 @@ extern void audit_log_path_denied(int type,
const char *operation);
extern void audit_log_lost(const char *message);
+extern void audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob);
extern int audit_log_subject_context(struct audit_buffer *ab,
struct lsmblob *blob);
extern int audit_log_task_context(struct audit_buffer *ab);
@@ -247,6 +249,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key)
{ }
static inline void audit_log_path_denied(int type, const char *operation)
{ }
+static inline void audit_log_object_context(struct audit_buffer *ab,
+ struct lsmblob *blob)
+{ }
static inline int audit_log_subject_context(struct audit_buffer *ab,
struct lsmblob *blob)
{
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index dc045164b86b..bed324162a7c 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -144,6 +144,7 @@
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */
+#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
index 626942c38bca..dc11dd4c41fc 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -1105,7 +1105,6 @@ static int is_audit_feature_set(int i)
return af.features & AUDIT_FEATURE_TO_MASK(i);
}
-
static int audit_get_feature(struct sk_buff *skb)
{
u32 seq;
@@ -2289,6 +2288,56 @@ int audit_log_task_context(struct audit_buffer *ab)
}
EXPORT_SYMBOL(audit_log_task_context);
+void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob)
+{
+ int i;
+ int error;
+ bool space = false;
+ struct lsmcontext context;
+
+ if (lsm_blob_cnt < 2) {
+ error = security_lsmblob_to_secctx(blob, &context,
+ LSM_ID_UNDEF);
+ if (error) {
+ if (error != -EINVAL)
+ goto error_path;
+ return;
+ }
+ audit_log_format(ab, " obj=%s", context.context);
+ security_release_secctx(&context);
+ return;
+ }
+ audit_log_format(ab, " obj=?");
+ error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS);
+ if (error)
+ goto error_path;
+
+ for (i = 0; i < lsm_blob_cnt; i++) {
+ if (!lsm_idlist[i]->lsmblob)
+ continue;
+ error = security_lsmblob_to_secctx(blob, &context,
+ lsm_idlist[i]->id);
+ if (error) {
+ audit_log_format(ab, "%sobj_%s=?",
+ space ? " " : "", lsm_idlist[i]->name);
+ if (error != -EINVAL)
+ audit_panic("error in audit_log_object_context");
+ } else {
+ audit_log_format(ab, "%sobj_%s=%s",
+ space ? " " : "", lsm_idlist[i]->name,
+ context.context);
+ security_release_secctx(&context);
+ }
+ space = true;
+ }
+
+ audit_buffer_aux_end(ab);
+ return;
+
+error_path:
+ audit_panic("error in audit_log_object_context");
+}
+
void audit_log_d_path_exe(struct audit_buffer *ab,
struct mm_struct *mm)
{
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 23f72c14276d..bc13666dd6ed 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1092,36 +1092,27 @@ static inline void audit_free_context(struct audit_context *context)
kfree(context);
}
-static int audit_log_pid_context(struct audit_context *context, pid_t pid,
- kuid_t auid, kuid_t uid,
- unsigned int sessionid, struct lsmblob *blob,
- char *comm)
+static void audit_log_pid_context(struct audit_context *context, pid_t pid,
+ kuid_t auid, kuid_t uid,
+ unsigned int sessionid, struct lsmblob *blob,
+ char *comm)
{
struct audit_buffer *ab;
- struct lsmcontext ctx;
- int rc = 0;
ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
if (!ab)
- return rc;
+ return;
audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
from_kuid(&init_user_ns, auid),
from_kuid(&init_user_ns, uid), sessionid);
- if (lsmblob_is_set(blob)) {
- if (security_lsmblob_to_secctx(blob, &ctx, LSM_ID_UNDEF) < 0) {
- audit_log_format(ab, " obj=(none)");
- rc = 1;
- } else {
- audit_log_format(ab, " obj=%s", ctx.context);
- security_release_secctx(&ctx);
- }
- }
+ if (lsmblob_is_set(blob))
+ audit_log_object_context(ab, blob);
audit_log_format(ab, " ocomm=");
audit_log_untrustedstring(ab, comm);
audit_log_end(ab);
- return rc;
+ return;
}
static void audit_log_execve_info(struct audit_context *context,
@@ -1370,7 +1361,6 @@ static void audit_log_time(struct audit_context *context, struct audit_buffer **
static void show_special(struct audit_context *context, int *call_panic)
{
- struct lsmcontext lsmctx;
struct audit_buffer *ab;
int i;
@@ -1392,16 +1382,8 @@ static void show_special(struct audit_context *context, int *call_panic)
from_kuid(&init_user_ns, context->ipc.uid),
from_kgid(&init_user_ns, context->ipc.gid),
context->ipc.mode);
- if (lsmblob_is_set(&context->ipc.oblob)) {
- if (security_lsmblob_to_secctx(&context->ipc.oblob,
- &lsmctx,
- LSM_ID_UNDEF) < 0) {
- *call_panic = 1;
- } else {
- audit_log_format(ab, " obj=%s", lsmctx.context);
- security_release_secctx(&lsmctx);
- }
- }
+ if (lsmblob_is_set(&context->ipc.oblob))
+ audit_log_object_context(ab, &context->ipc.oblob);
if (context->ipc.has_perm) {
audit_log_end(ab);
ab = audit_log_start(context, GFP_KERNEL,
@@ -1557,18 +1539,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
from_kgid(&init_user_ns, n->gid),
MAJOR(n->rdev),
MINOR(n->rdev));
- if (lsmblob_is_set(&n->oblob)) {
- struct lsmcontext ctx;
-
- if (security_lsmblob_to_secctx(&n->oblob, &ctx,
- LSM_ID_UNDEF) < 0) {
- if (call_panic)
- *call_panic = 2;
- } else {
- audit_log_format(ab, " obj=%s", ctx.context);
- security_release_secctx(&ctx);
- }
- }
+ if (lsmblob_is_set(&n->oblob))
+ audit_log_object_context(ab, &n->oblob);
/* log the audit_names record type */
switch (n->type) {
@@ -1773,21 +1745,20 @@ static void audit_log_exit(void)
struct audit_aux_data_pids *axs = (void *)aux;
for (i = 0; i < axs->pid_count; i++)
- if (audit_log_pid_context(context, axs->target_pid[i],
- axs->target_auid[i],
- axs->target_uid[i],
- axs->target_sessionid[i],
- &axs->target_blob[i],
- axs->target_comm[i]))
- call_panic = 1;
- }
-
- if (context->target_pid &&
- audit_log_pid_context(context, context->target_pid,
- context->target_auid, context->target_uid,
- context->target_sessionid,
- &context->target_blob, context->target_comm))
- call_panic = 1;
+ audit_log_pid_context(context, axs->target_pid[i],
+ axs->target_auid[i],
+ axs->target_uid[i],
+ axs->target_sessionid[i],
+ &axs->target_blob[i],
+ axs->target_comm[i]);
+ }
+
+ if (context->target_pid)
+ audit_log_pid_context(context, context->target_pid,
+ context->target_auid, context->target_uid,
+ context->target_sessionid,
+ &context->target_blob,
+ context->target_comm);
if (context->pwd.dentry && context->pwd.mnt) {
ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
--
2.41.0
Powered by blists - more mailing lists