| Message ID | 20211213234034.111891-27-casey@schaufler-ca.com (mailing list archive) |
|---|---|
| State | Superseded |
| Delegated to: | Paul Moore |
| Headers | show |
| Series | [v31,01/28] integrity: disassociate ima_filter_rule from security_audit_rule | expand |
Hi Casey,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
[cannot apply to pcmoore-audit/next nf/master linus/master v5.16-rc5]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211214-084057
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: sparc64-randconfig-r015-20211213 (https://download.01.org/0day-ci/archive/20211214/202112142141.E8wcYag3-lkp@intel.com/config)
compiler: sparc64-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# https://github.com/0day-ci/linux/commit/2a62f660ff9d766a192fda713edfa3ea129efdee
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211214-084057
git checkout 2a62f660ff9d766a192fda713edfa3ea129efdee
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=sparc64 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from arch/sparc/kernel/ptrace_64.c:25:
include/linux/audit.h:262:1: error: expected identifier or '(' before '{' token
262 | { }
| ^
>> include/linux/audit.h:260:20: error: 'audit_log_object_context' declared 'static' but never defined [-Werror=unused-function]
260 | static inline void audit_log_object_context(struct audit_buffer *ab,
| ^~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
vim +260 include/linux/audit.h
220
221 #else /* CONFIG_AUDIT */
222 static inline __printf(4, 5)
223 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
224 const char *fmt, ...)
225 { }
226 static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
227 gfp_t gfp_mask, int type)
228 {
229 return NULL;
230 }
231 static inline __printf(2, 3)
232 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
233 { }
234 static inline void audit_log_end(struct audit_buffer *ab)
235 { }
236 static inline void audit_log_n_hex(struct audit_buffer *ab,
237 const unsigned char *buf, size_t len)
238 { }
239 static inline void audit_log_n_string(struct audit_buffer *ab,
240 const char *buf, size_t n)
241 { }
242 static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
243 const char *string, size_t n)
244 { }
245 static inline void audit_log_untrustedstring(struct audit_buffer *ab,
246 const char *string)
247 { }
248 static inline void audit_log_d_path(struct audit_buffer *ab,
249 const char *prefix,
250 const struct path *path)
251 { }
252 static inline void audit_log_key(struct audit_buffer *ab, char *key)
253 { }
254 static inline void audit_log_path_denied(int type, const char *operation)
255 { }
256 static inline int audit_log_task_context(struct audit_buffer *ab)
257 {
258 return 0;
259 }
> 260 static inline void audit_log_object_context(struct audit_buffer *ab,
261 struct lsmblob *blob);
262 { }
263 static inline void audit_log_task_info(struct audit_buffer *ab)
264 { }
265
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Hi Casey,
I love your patch! Yet something to improve:
[auto build test ERROR on nf-next/master]
[cannot apply to pcmoore-audit/next nf/master linus/master jmorris-security/next-testing v5.16-rc5]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211214-084057
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-tinyconfig (https://download.01.org/0day-ci/archive/20211214/202112142146.BpckyASr-lkp@intel.com/config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce (this is a W=1 build):
# https://github.com/0day-ci/linux/commit/2a62f660ff9d766a192fda713edfa3ea129efdee
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211214-084057
git checkout 2a62f660ff9d766a192fda713edfa3ea129efdee
# save the config file to linux build tree
mkdir build_dir
make W=1 O=build_dir ARCH=i386 SHELL=/bin/bash
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
In file included from init/init_task.c:12:
>> include/linux/audit.h:262:1: error: expected identifier or '(' before '{' token
262 | { }
| ^
include/linux/audit.h:260:20: warning: 'audit_log_object_context' declared 'static' but never defined [-Wunused-function]
260 | static inline void audit_log_object_context(struct audit_buffer *ab,
| ^~~~~~~~~~~~~~~~~~~~~~~~
--
In file included from kernel/exit.c:49:
>> include/linux/audit.h:262:1: error: expected identifier or '(' before '{' token
262 | { }
| ^
kernel/exit.c:1817:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
1817 | __weak void abort(void)
| ^~~~~
In file included from kernel/exit.c:49:
include/linux/audit.h:260:20: warning: 'audit_log_object_context' declared 'static' but never defined [-Wunused-function]
260 | static inline void audit_log_object_context(struct audit_buffer *ab,
| ^~~~~~~~~~~~~~~~~~~~~~~~
--
In file included from fs/pipe.c:23:
>> include/linux/audit.h:262:1: error: expected identifier or '(' before '{' token
262 | { }
| ^
fs/pipe.c:755:15: warning: no previous prototype for 'account_pipe_buffers' [-Wmissing-prototypes]
755 | unsigned long account_pipe_buffers(struct user_struct *user,
| ^~~~~~~~~~~~~~~~~~~~
fs/pipe.c:761:6: warning: no previous prototype for 'too_many_pipe_buffers_soft' [-Wmissing-prototypes]
761 | bool too_many_pipe_buffers_soft(unsigned long user_bufs)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:768:6: warning: no previous prototype for 'too_many_pipe_buffers_hard' [-Wmissing-prototypes]
768 | bool too_many_pipe_buffers_hard(unsigned long user_bufs)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:775:6: warning: no previous prototype for 'pipe_is_unprivileged_user' [-Wmissing-prototypes]
775 | bool pipe_is_unprivileged_user(void)
| ^~~~~~~~~~~~~~~~~~~~~~~~~
fs/pipe.c:1245:5: warning: no previous prototype for 'pipe_resize_ring' [-Wmissing-prototypes]
1245 | int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
| ^~~~~~~~~~~~~~~~
In file included from fs/pipe.c:23:
include/linux/audit.h:260:20: warning: 'audit_log_object_context' declared 'static' but never defined [-Wunused-function]
260 | static inline void audit_log_object_context(struct audit_buffer *ab,
| ^~~~~~~~~~~~~~~~~~~~~~~~
vim +262 include/linux/audit.h
220
221 #else /* CONFIG_AUDIT */
222 static inline __printf(4, 5)
223 void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
224 const char *fmt, ...)
225 { }
226 static inline struct audit_buffer *audit_log_start(struct audit_context *ctx,
227 gfp_t gfp_mask, int type)
228 {
229 return NULL;
230 }
231 static inline __printf(2, 3)
232 void audit_log_format(struct audit_buffer *ab, const char *fmt, ...)
233 { }
234 static inline void audit_log_end(struct audit_buffer *ab)
235 { }
236 static inline void audit_log_n_hex(struct audit_buffer *ab,
237 const unsigned char *buf, size_t len)
238 { }
239 static inline void audit_log_n_string(struct audit_buffer *ab,
240 const char *buf, size_t n)
241 { }
242 static inline void audit_log_n_untrustedstring(struct audit_buffer *ab,
243 const char *string, size_t n)
244 { }
245 static inline void audit_log_untrustedstring(struct audit_buffer *ab,
246 const char *string)
247 { }
248 static inline void audit_log_d_path(struct audit_buffer *ab,
249 const char *prefix,
250 const struct path *path)
251 { }
252 static inline void audit_log_key(struct audit_buffer *ab, char *key)
253 { }
254 static inline void audit_log_path_denied(int type, const char *operation)
255 { }
256 static inline int audit_log_task_context(struct audit_buffer *ab)
257 {
258 return 0;
259 }
260 static inline void audit_log_object_context(struct audit_buffer *ab,
261 struct lsmblob *blob);
> 262 { }
263 static inline void audit_log_task_info(struct audit_buffer *ab)
264 { }
265
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
diff --git a/include/linux/audit.h b/include/linux/audit.h index 14849d5f84b4..94c87ec043c7 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -192,6 +192,8 @@ extern void audit_log_path_denied(int type, extern void audit_log_lost(const char *message); extern int audit_log_task_context(struct audit_buffer *ab); +extern void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); extern void audit_log_task_info(struct audit_buffer *ab); extern int audit_update_lsm_rules(void); @@ -255,6 +257,9 @@ static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; } +static inline void audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob); +{ } static inline void audit_log_task_info(struct audit_buffer *ab) { } diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 86ad3da4f0d4..116566d0fc03 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -144,6 +144,7 @@ #define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */ #define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */ #define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1421 /* Multiple LSM objext contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 4ee2bf620df7..85f278c21d4d 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -199,6 +199,7 @@ struct audit_context_entry { int type; /* Audit record type */ union { struct lsmblob lsm_subjs; + struct lsmblob lsm_objs; }; }; @@ -2184,6 +2185,43 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +void audit_log_object_context(struct audit_buffer *ab, struct lsmblob *blob) +{ + struct audit_context_entry *ace; + struct lsmcontext context; + int error; + + if (!lsm_multiple_contexts()) { + error = security_secid_to_secctx(blob, &context, LSMBLOB_FIRST); + if (error) { + if (error != -EINVAL) + goto error_path; + return; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + } else { + /* + * If there is more than one security module that has a + * object "context" it's necessary to put the object data + * into a separate record to maintain compatibility. + */ + audit_log_format(ab, " obj=?"); + ace = kzalloc(sizeof(*ace), ab->gfp_mask); + if (!ace) + goto error_path; + INIT_LIST_HEAD(&ace->list); + ace->type = AUDIT_MAC_OBJ_CONTEXTS; + ace->lsm_objs = *blob; + list_add(&ace->list, &ab->aux_records); + } + return; + +error_path: + audit_panic("error in audit_log_object_context"); +} +EXPORT_SYMBOL(audit_log_object_context); + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { @@ -2490,6 +2528,27 @@ void audit_log_end(struct audit_buffer *ab) } } break; + case AUDIT_MAC_OBJ_CONTEXTS: + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + if (entry->lsm_objs.secid[i] == 0) + continue; + rc = security_secid_to_secctx(&entry->lsm_objs, + &lcontext, i); + if (rc) { + if (rc != -EINVAL) + audit_panic("error in audit_log_end"); + audit_log_format(mab, "%sobj_%s=?", + i ? " " : "", + lsm_slot_to_name(i)); + } else { + audit_log_format(mab, "%sobj_%s=%s", + i ? " " : "", + lsm_slot_to_name(i), + lcontext.context); + security_release_secctx(&lcontext); + } + } + break; default: audit_panic("Unknown type in audit_log_end"); break; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 68a582fa87e6..60b77e37ae83 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1111,7 +1111,6 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -1121,15 +1120,8 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(blob)) + audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1364,18 +1356,10 @@ static void show_special(struct audit_context *context, int *call_panic) from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); if (osid) { - struct lsmcontext lsmcxt; struct lsmblob blob; lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } + audit_log_object_context(ab, &blob); } if (context->ipc.has_perm) { audit_log_end(ab); @@ -1527,19 +1511,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmblob_is_set(&n->lsmblob)) { - struct lsmcontext lsmctx; - - if (security_secid_to_secctx(&n->lsmblob, &lsmctx, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=?"); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmblob_is_set(&n->lsmblob)) + audit_log_object_context(ab, &n->lsmblob); /* log the audit_names record type */ switch (n->type) {
Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS (1421) record is: type=MAC_OBJ_CONTEXTS[1421] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 When an audit event includes a AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- include/linux/audit.h | 5 ++++ include/uapi/linux/audit.h | 1 + kernel/audit.c | 59 ++++++++++++++++++++++++++++++++++++++ kernel/auditsc.c | 37 ++++-------------------- 4 files changed, 70 insertions(+), 32 deletions(-)