diff mbox series

[RFC] security: add an interface to lookup the lockdown reason

Message ID 157594493094.748324.9234611948545428995.stgit@chester (mailing list archive)
State New, archived
Headers show
Series [RFC] security: add an interface to lookup the lockdown reason | expand

Commit Message

Paul Moore Dec. 10, 2019, 2:28 a.m. UTC
With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
a problem where the lockdown reason table is missing.  This patch
attempts to fix this by hiding the table behind a lookup function.

Signed-off-by: Paul Moore <paul@paul-moore.com>
---
 include/linux/security.h |    7 +++++++
 security/lsm_audit.c     |   12 +++++++++---
 security/security.c      |    5 +++++
 3 files changed, 21 insertions(+), 3 deletions(-)

Comments

James Morris Dec. 10, 2019, 5:39 a.m. UTC | #1
On Mon, 9 Dec 2019, Paul Moore wrote:

> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
> a problem where the lockdown reason table is missing.  This patch
> attempts to fix this by hiding the table behind a lookup function.
> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>


Acked-by: James Morris <jamorris@linux.microsoft.com>
Stephen Smalley Dec. 10, 2019, 2:59 p.m. UTC | #2
On 12/9/19 9:28 PM, Paul Moore wrote:
> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
> a problem where the lockdown reason table is missing.  This patch
> attempts to fix this by hiding the table behind a lookup function.

Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and 
CONFIG_SECURITY?  When/why would we want it built without 
CONFIG_SECURITY enabled?

> 
> Signed-off-by: Paul Moore <paul@paul-moore.com>
> ---
>   include/linux/security.h |    7 +++++++
>   security/lsm_audit.c     |   12 +++++++++---
>   security/security.c      |    5 +++++
>   3 files changed, 21 insertions(+), 3 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 64b19f050343..295509a809d6 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -447,6 +447,8 @@ int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
>   int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
>   int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
>   int security_locked_down(enum lockdown_reason what);
> +const char *security_locked_reasonstr(enum lockdown_reason what);
> +
>   #else /* CONFIG_SECURITY */
>   
>   static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
> @@ -1274,6 +1276,11 @@ static inline int security_locked_down(enum lockdown_reason what)
>   {
>   	return 0;
>   }
> +
> +static inline const char *security_locked_reasonstr(enum lockdown_reason what)
> +{
> +	return NULL;
> +}
>   #endif	/* CONFIG_SECURITY */
>   
>   #ifdef CONFIG_SECURITY_NETWORK
> diff --git a/security/lsm_audit.c b/security/lsm_audit.c
> index 2d2bf49016f4..519ef6046638 100644
> --- a/security/lsm_audit.c
> +++ b/security/lsm_audit.c
> @@ -426,10 +426,16 @@ static void dump_common_audit_data(struct audit_buffer *ab,
>   				 a->u.ibendport->dev_name,
>   				 a->u.ibendport->port);
>   		break;
> -	case LSM_AUDIT_DATA_LOCKDOWN:
> -		audit_log_format(ab, " lockdown_reason=");
> -		audit_log_string(ab, lockdown_reasons[a->u.reason]);
> +	case LSM_AUDIT_DATA_LOCKDOWN: {
> +		const char *str = security_locked_reasonstr(a->u.reason);
> +
> +		if (str) {
> +			audit_log_format(ab, " lockdown_reason=");
> +			audit_log_string(ab, str);
> +		} else
> +			audit_log_format(ab, " lockdown_reason=?");
>   		break;
> +	}
>   	} /* switch (a->type) */
>   }
>   
> diff --git a/security/security.c b/security/security.c
> index 2b5473d92416..2f228fdbebf5 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2438,6 +2438,11 @@ int security_locked_down(enum lockdown_reason what)
>   }
>   EXPORT_SYMBOL(security_locked_down);
>   
> +const char *security_locked_reasonstr(enum lockdown_reason what)
> +{
> +	return lockdown_reasons[what];
> +}
> +
>   #ifdef CONFIG_PERF_EVENTS
>   int security_perf_event_open(struct perf_event_attr *attr, int type)
>   {
>
Paul Moore Dec. 10, 2019, 3:04 p.m. UTC | #3
On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/9/19 9:28 PM, Paul Moore wrote:
> > With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
> > a problem where the lockdown reason table is missing.  This patch
> > attempts to fix this by hiding the table behind a lookup function.
>
> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
> CONFIG_SECURITY?  When/why would we want it built without
> CONFIG_SECURITY enabled?

My first thought of a fix was just that, but I remembered that the
capabilities code is built regardless of the CONFIG_SECURITY setting
and I thought there might be some value in allowing for lsm_audit to
be used in commoncap (although in full disclosure commoncap doesn't
currently make use of lsm_audit).
Stephen Smalley Dec. 10, 2019, 3:45 p.m. UTC | #4
On 12/10/19 10:04 AM, Paul Moore wrote:
> On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 12/9/19 9:28 PM, Paul Moore wrote:
>>> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
>>> a problem where the lockdown reason table is missing.  This patch
>>> attempts to fix this by hiding the table behind a lookup function.
>>
>> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
>> CONFIG_SECURITY?  When/why would we want it built without
>> CONFIG_SECURITY enabled?
> 
> My first thought of a fix was just that, but I remembered that the
> capabilities code is built regardless of the CONFIG_SECURITY setting
> and I thought there might be some value in allowing for lsm_audit to
> be used in commoncap (although in full disclosure commoncap doesn't
> currently make use of lsm_audit).

Seems contrary to normal practice, i.e. if/when commoncap grows a 
dependency, it can be changed then.
Paul Moore Dec. 10, 2019, 3:58 p.m. UTC | #5
On Tue, Dec 10, 2019 at 10:45 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/10/19 10:04 AM, Paul Moore wrote:
> > On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On 12/9/19 9:28 PM, Paul Moore wrote:
> >>> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
> >>> a problem where the lockdown reason table is missing.  This patch
> >>> attempts to fix this by hiding the table behind a lookup function.
> >>
> >> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
> >> CONFIG_SECURITY?  When/why would we want it built without
> >> CONFIG_SECURITY enabled?
> >
> > My first thought of a fix was just that, but I remembered that the
> > capabilities code is built regardless of the CONFIG_SECURITY setting
> > and I thought there might be some value in allowing for lsm_audit to
> > be used in commoncap (although in full disclosure commoncap doesn't
> > currently make use of lsm_audit).
>
> Seems contrary to normal practice, i.e. if/when commoncap grows a
> dependency, it can be changed then.

Okay, want to submit a tested patch?  I really would like to get this
fixed before today's linux-next run.
Stephen Smalley Dec. 10, 2019, 4:20 p.m. UTC | #6
On 12/10/19 10:58 AM, Paul Moore wrote:
> On Tue, Dec 10, 2019 at 10:45 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>> On 12/10/19 10:04 AM, Paul Moore wrote:
>>> On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
>>>> On 12/9/19 9:28 PM, Paul Moore wrote:
>>>>> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
>>>>> a problem where the lockdown reason table is missing.  This patch
>>>>> attempts to fix this by hiding the table behind a lookup function.
>>>>
>>>> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
>>>> CONFIG_SECURITY?  When/why would we want it built without
>>>> CONFIG_SECURITY enabled?
>>>
>>> My first thought of a fix was just that, but I remembered that the
>>> capabilities code is built regardless of the CONFIG_SECURITY setting
>>> and I thought there might be some value in allowing for lsm_audit to
>>> be used in commoncap (although in full disclosure commoncap doesn't
>>> currently make use of lsm_audit).
>>
>> Seems contrary to normal practice, i.e. if/when commoncap grows a
>> dependency, it can be changed then.
> 
> Okay, want to submit a tested patch?  I really would like to get this
> fixed before today's linux-next run.

In looking at it, I'm wondering if we could just change the Makefile to 
use obj-$(CONFIG_SECURITY) instead of obj-$(CONFIG_AUDIT) for 
lsm_audit.c.  I think it might build just fine without CONFIG_AUDIT 
since audit.h provides static inlines that boil away to nothing for 
audit_log*() in that case. Offhand I don't see any support/examples of 
specifying two different config options for an obj list in a Makefile.

The other option would be to introduce its own CONFIG_LSM_AUDIT option 
and select that option automatically for the modules that use it, which 
would currently be selinux, apparmor, and smack.  Then if you aren't 
using any of those modules you can omit it from your kernel.
Paul Moore Dec. 10, 2019, 4:50 p.m. UTC | #7
On Tue, Dec 10, 2019 at 11:20 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> On 12/10/19 10:58 AM, Paul Moore wrote:
> > On Tue, Dec 10, 2019 at 10:45 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >> On 12/10/19 10:04 AM, Paul Moore wrote:
> >>> On Tue, Dec 10, 2019 at 9:59 AM Stephen Smalley <sds@tycho.nsa.gov> wrote:
> >>>> On 12/9/19 9:28 PM, Paul Moore wrote:
> >>>>> With CONFIG_AUDIT enabled but CONFIG_SECURITY disabled we run into
> >>>>> a problem where the lockdown reason table is missing.  This patch
> >>>>> attempts to fix this by hiding the table behind a lookup function.
> >>>>
> >>>> Shouldn't lsm_audit.c be conditional on both CONFIG_AUDIT and
> >>>> CONFIG_SECURITY?  When/why would we want it built without
> >>>> CONFIG_SECURITY enabled?
> >>>
> >>> My first thought of a fix was just that, but I remembered that the
> >>> capabilities code is built regardless of the CONFIG_SECURITY setting
> >>> and I thought there might be some value in allowing for lsm_audit to
> >>> be used in commoncap (although in full disclosure commoncap doesn't
> >>> currently make use of lsm_audit).
> >>
> >> Seems contrary to normal practice, i.e. if/when commoncap grows a
> >> dependency, it can be changed then.
> >
> > Okay, want to submit a tested patch?  I really would like to get this
> > fixed before today's linux-next run.
>
> In looking at it, I'm wondering if we could just change the Makefile to
> use obj-$(CONFIG_SECURITY) instead of obj-$(CONFIG_AUDIT) for
> lsm_audit.c.  I think it might build just fine without CONFIG_AUDIT
> since audit.h provides static inlines that boil away to nothing for
> audit_log*() in that case. Offhand I don't see any support/examples of
> specifying two different config options for an obj list in a Makefile.

That should work too I think.

> The other option would be to introduce its own CONFIG_LSM_AUDIT option
> and select that option automatically for the modules that use it, which
> would currently be selinux, apparmor, and smack.  Then if you aren't
> using any of those modules you can omit it from your kernel.

This seems to be both the right thing to do, as well as overly complicated :)

I'm not sure I have a strong preference at this point, other than
getting it fixed.
diff mbox series

Patch

diff --git a/include/linux/security.h b/include/linux/security.h
index 64b19f050343..295509a809d6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -447,6 +447,8 @@  int security_inode_notifysecctx(struct inode *inode, void *ctx, u32 ctxlen);
 int security_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen);
 int security_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen);
 int security_locked_down(enum lockdown_reason what);
+const char *security_locked_reasonstr(enum lockdown_reason what);
+
 #else /* CONFIG_SECURITY */
 
 static inline int call_blocking_lsm_notifier(enum lsm_event event, void *data)
@@ -1274,6 +1276,11 @@  static inline int security_locked_down(enum lockdown_reason what)
 {
 	return 0;
 }
+
+static inline const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+	return NULL;
+}
 #endif	/* CONFIG_SECURITY */
 
 #ifdef CONFIG_SECURITY_NETWORK
diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 2d2bf49016f4..519ef6046638 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -426,10 +426,16 @@  static void dump_common_audit_data(struct audit_buffer *ab,
 				 a->u.ibendport->dev_name,
 				 a->u.ibendport->port);
 		break;
-	case LSM_AUDIT_DATA_LOCKDOWN:
-		audit_log_format(ab, " lockdown_reason=");
-		audit_log_string(ab, lockdown_reasons[a->u.reason]);
+	case LSM_AUDIT_DATA_LOCKDOWN: {
+		const char *str = security_locked_reasonstr(a->u.reason);
+
+		if (str) {
+			audit_log_format(ab, " lockdown_reason=");
+			audit_log_string(ab, str);
+		} else
+			audit_log_format(ab, " lockdown_reason=?");
 		break;
+	}
 	} /* switch (a->type) */
 }
 
diff --git a/security/security.c b/security/security.c
index 2b5473d92416..2f228fdbebf5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2438,6 +2438,11 @@  int security_locked_down(enum lockdown_reason what)
 }
 EXPORT_SYMBOL(security_locked_down);
 
+const char *security_locked_reasonstr(enum lockdown_reason what)
+{
+	return lockdown_reasons[what];
+}
+
 #ifdef CONFIG_PERF_EVENTS
 int security_perf_event_open(struct perf_event_attr *attr, int type)
 {