From patchwork Tue Aug 31 19:18:37 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Michael_Wei=C3=9F?= X-Patchwork-Id: 12468541 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A5A2C432BE for ; Wed, 1 Sep 2021 06:59:38 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 3A8676101A for ; Wed, 1 Sep 2021 06:59:37 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 3A8676101A Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=aisec.fraunhofer.de Authentication-Results: mail.kernel.org; spf=tempfail smtp.mailfrom=redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-307-3yrgHsvRNkucUxIUtmSoog-1; Wed, 01 Sep 2021 02:59:32 -0400 X-MC-Unique: 3yrgHsvRNkucUxIUtmSoog-1 Received: from smtp.corp.redhat.com (int-mx06.intmail.prod.int.phx2.redhat.com [10.5.11.16]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 8D74C107ACCA; Wed, 1 Sep 2021 06:59:28 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.20]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 664D45C23A; Wed, 1 Sep 2021 06:59:28 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 3961B18005A2; Wed, 1 Sep 2021 06:59:27 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.rdu2.redhat.com [10.11.54.4]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 17VJP1d6008626 for ; Tue, 31 Aug 2021 15:25:01 -0400 Received: by smtp.corp.redhat.com (Postfix) id 70379205FA84; Tue, 31 Aug 2021 19:25:01 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast02.extmail.prod.ext.rdu2.redhat.com [10.11.55.18]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 6C1A9205F3A9 for ; Tue, 31 Aug 2021 19:24:58 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [205.139.110.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 80151800141 for ; Tue, 31 Aug 2021 19:24:58 +0000 (UTC) Received: from mout.kundenserver.de (mout.kundenserver.de [217.72.192.75]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-390-GM0T3dIzPVqOQa5CzW7lrg-1; Tue, 31 Aug 2021 15:24:56 -0400 X-MC-Unique: GM0T3dIzPVqOQa5CzW7lrg-1 Received: from weisslap.aisec.fraunhofer.de ([178.27.102.95]) by mrelayeu.kundenserver.de (mreue109 [212.227.15.183]) with ESMTPSA (Nemesis) id 1MVNEv-1mSgSp1aK7-00SKLc; Tue, 31 Aug 2021 21:19:32 +0200 From: =?utf-8?q?Michael_Wei=C3=9F?= To: Paul Moore , Casey Schaufler Date: Tue, 31 Aug 2021 21:18:37 +0200 Message-Id: <20210831191845.7928-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 X-Provags-ID: V03:K1:bQSyqX7gzsyHfW6ItopsEcogtOFcgqMpcpbkBlqNfgXJTvZcBaA FAUB5KPiu44/uxGyHh3UqcCJ9gQwwuOlq72qahbv0xtBaNqz3wWwP5OmBKpM2YI3a4sGtgW qlcd7EXkHQuTrYOWpqRmLeF05EgDwa/tnkS5AgpSJHKdwWHtVqGzd8e0fl4gw9BERg9wbZ/ AucUldHvLz0VlOZoG93jg== X-UI-Out-Filterresults: notjunk:1;V03:K0:wve04trtYc4=:Kl2VXMaGb1cY0Dh47A53II k1IuUGMXRIG2uy45V0W+JgJwpR2bcw6FcCdPGpdQRtXl8XCjNGo37Qj1iVla1Rfdm25+ynR9D 7kr0pJwa1IHTTAU7bnwNLoHgdg4trcwgYyHgQJlbtL/jIjVeg63h1t2WSaqvVvK2tabCDblXu 88VGQMH9Lt29rnB7HZiZVdwBiJORlz4Z2rEnxN2Pas7xuTdGI3T6QPRSBvdtNgC1mSr/Jo00i duR/PB8HEbzcd36x7+8YE8TwhSm9yVyMkYZuMBQehdwdIcRxmaFGcocWzVWtTi2w9KvUyGjng fKBn02RKm6MxsCU0JSCJ17xqyj9gQfwvMvLO+ZoDVxgCEqicRbNH0VatVKPzeIEoYJdVrzA30 f8q+twcjJ/wHS5hyBHEDGZctfOvnUNCxW+lXv/0vjIj2JF2i+lnMVWDQOQZ3PFNniSJWoLBs9 wWeaCBhA9zm3Oo3bDhIwmeDAw0yhybBqNGuXwDJE5mIsvLVB3WTue/j1zBm+aH1GP+Imj7Ra8 2QS0xmdzk+aDkpqIkUj2ZRBVtbgIWO/+UtCZDeMCTFIvJllM6uwqCW0OmcTBj6yt6DRzpq/ZW 7bNJ9Ng3R9+S9FalygfmlUoM3bn9a1HpvUjKH5MXOcKjLbR+jUhhe81sXvkmNTrSbQ035kBxw Sat8cgZz2ViCs/2t9ukCadMKZI9aYq77I3dwqn+XX5kz6dr9Dj09Xn+aByn+uAUlsWlL2Zq6S rCs87HvyRPPZGtNUu+1ruvPNoiSARrZUDUFj+d05PHNzTnslMDEYVNrTtkE= X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.78 on 10.11.54.4 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Wed, 01 Sep 2021 02:57:42 -0400 Cc: =?utf-8?q?Michael_Wei=C3=9F?= , Mike Snitzer , linux-kernel@vger.kernel.org, Eric Paris , linux-raid@vger.kernel.org, Song Liu , dm-devel@redhat.com, linux-audit@redhat.com, Alasdair Kergon Subject: [dm-devel] [PATCH v3 0/3] dm: audit event logging X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.16 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com dm integrity and also stacked dm crypt devices track integrity violations internally. Thus, integrity violations could be polled from user space, e.g., by 'integritysetup status'. >From an auditing perspective, we only could see that there were a number of integrity violations, but not when and where the violation exactly was taking place. The current error log to the kernel ring buffer, contains those information, time stamp and sector on device. However, for auditing the audit subsystem provides a separate logging mechanism which meets certain criteria for secure audit logging. With this small series we make use of the kernel audit framework and extend the dm driver to log audit events in case of such integrity violations. Further, we also log construction and destruction of the device mappings. We focus on dm-integrity and stacked dm-crypt devices for now. However, the helper functions to log audit messages should be applicable to dm-verity too. The first patch introduce generic audit wrapper functions. The second patch makes use of the audit wrapper functions in the dm-integrity.c. The third patch uses the wrapper functions in dm-crypt.c. The audit logs look like this if executing the following simple test: # dd if=/dev/zero of=test.img bs=1M count=1024 # losetup -f test.img # integritysetup -vD format --integrity sha256 -t 32 /dev/loop0 # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # integritysetup close integritytest # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # dd if=/dev/urandom of=/dev/loop0 bs=512 count=1 seek=100000 # dd if=/dev/mapper/integritytest of=/dev/null ------------------------- audit.log from auditd type=UNKNOWN[1336] msg=audit(1630425039.363:184): module=integrity op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425039.471:185): module=integrity op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425039.611:186): module=integrity op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425054.475:187): module=integrity op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425073.171:191): module=integrity op=ctr ppid=3807 pid=3883 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425087.239:192): module=integrity op=dtr ppid=3807 pid=3902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425093.755:193): module=integrity op=ctr ppid=3807 pid=3906 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1337] msg=audit(1630425112.119:194): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:195): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:196): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:197): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:198): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:199): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:200): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:201): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:202): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:203): module=integrity op=integrity-checksum dev=254:3 sector 77480 res=0 v3 Changes: - Use of two audit event types AUDIT_DM_EVENT und AUDIT_DM_CTRL - Additionally use audit_log_task_info in case of AUDIT_DM_CTRL messages - Provide consistent fields per message type as suggested by Paul - Added sample events to commit message of [1/3] as suggested by Paul - Rebased on v5.14 v2 Changes: - Fixed compile errors if CONFIG_DM_AUDIT is not set - Fixed formatting and typos as suggested by Casey Michael Weiß (3): dm: introduce audit event module for device mapper dm integrity: log audit events for dm-integrity target dm crypt: log aead integrity violations to audit subsystem drivers/md/Kconfig | 10 +++++ drivers/md/Makefile | 4 ++ drivers/md/dm-audit.c | 79 ++++++++++++++++++++++++++++++++++++++ drivers/md/dm-audit.h | 62 ++++++++++++++++++++++++++++++ drivers/md/dm-crypt.c | 22 +++++++++-- drivers/md/dm-integrity.c | 25 ++++++++++-- include/uapi/linux/audit.h | 2 + 7 files changed, 196 insertions(+), 8 deletions(-) create mode 100644 drivers/md/dm-audit.c create mode 100644 drivers/md/dm-audit.h