From patchwork Sat Sep 4 09:59:27 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Michael_Wei=C3=9F?= X-Patchwork-Id: 12476581 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-8.8 required=3.0 tests=BAYES_00, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE, SPF_PASS autolearn=unavailable autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 45BE6C433F5 for ; Mon, 6 Sep 2021 08:14:53 +0000 (UTC) Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [216.205.24.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPS id 52F136103B for ; Mon, 6 Sep 2021 08:14:52 +0000 (UTC) DMARC-Filter: OpenDMARC Filter v1.4.1 mail.kernel.org 52F136103B Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=aisec.fraunhofer.de Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=redhat.com Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-245-oOxSQS2BNQyGgeXlbm5K4Q-1; Mon, 06 Sep 2021 04:14:50 -0400 X-MC-Unique: oOxSQS2BNQyGgeXlbm5K4Q-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 9CB131009461; Mon, 6 Sep 2021 08:14:44 +0000 (UTC) Received: from colo-mx.corp.redhat.com (colo-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.21]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 80A185D9DE; Mon, 6 Sep 2021 08:14:44 +0000 (UTC) Received: from lists01.pubmisc.prod.ext.phx2.redhat.com (lists01.pubmisc.prod.ext.phx2.redhat.com [10.5.19.33]) by colo-mx.corp.redhat.com (Postfix) with ESMTP id 5618A44A59; Mon, 6 Sep 2021 08:14:44 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx05.intmail.prod.int.rdu2.redhat.com [10.11.54.5]) by lists01.pubmisc.prod.ext.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id 184A01Pv024006 for ; Sat, 4 Sep 2021 06:00:02 -0400 Received: by smtp.corp.redhat.com (Postfix) id 7BF69163CF1; Sat, 4 Sep 2021 10:00:01 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast03.extmail.prod.ext.rdu2.redhat.com [10.11.55.19]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 75B3F163CE6 for ; Sat, 4 Sep 2021 09:59:58 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-delivery-1.mimecast.com [207.211.31.120]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id BBB6E811E76 for ; Sat, 4 Sep 2021 09:59:58 +0000 (UTC) Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.126.134]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-199-Jds7BvXnPmuRSHJJiAAIbA-1; Sat, 04 Sep 2021 05:59:55 -0400 X-MC-Unique: Jds7BvXnPmuRSHJJiAAIbA-1 Received: from weisslap.aisec.fraunhofer.de ([178.27.102.95]) by mrelayeu.kundenserver.de (mreue012 [212.227.15.167]) with ESMTPSA (Nemesis) id 1MpCz1-1ml86h26BD-00ql6S; Sat, 04 Sep 2021 11:59:52 +0200 From: =?utf-8?q?Michael_Wei=C3=9F?= To: Paul Moore , Casey Schaufler Date: Sat, 4 Sep 2021 11:59:27 +0200 Message-Id: <20210904095934.5033-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 X-Provags-ID: V03:K1:dvMNFghMudCwae8r1WJmn/zZSZcP1zgZE2HVyVW2CBtvdZTAB1b n05Puw4rPFXFHEgUNjWc8ckEw4V9+Nb5L6kdOqcdap4XyQApbLjeDkEVq+RFY8vCxNrd8P+ xVo9Uto+uZiWvzs5eftmtzWnMthr+Iji0fCKvi/aIRGL73u4DL4t/TBeh86McwPWKYeViCP dgauP2C1gmoDX7yT+ZavA== X-UI-Out-Filterresults: notjunk:1;V03:K0:V5M9YcIkkKM=:HENhpUOiEHPZCtljLT5kOT RgJgvb9cb8FL4ybygtEAOViolhLjEfiFbfkn7UhyRVBqNzLR4jiGzT6t2Zk+ouMXTCabpce4d XBPz3gvjIhZ7oLhL9mgayE/S0uFvwehS9o32MMgU+Qqq+fz3E+jnUr1IDwXM0aniHOzB5kZyj QRxh1qXpueWer0chEyZNTqaBOLdZ448Vplxwby38W98idLrc/MDiwzz/T5bnO12hiA6d/PF7I S8Of7Vw4RN3vPL3qGyskDi5WU1IxV7vlwLIU+WlpT2eamvgXbSdJcfu2ENakWjF7L4gmtSgjC OcAY7mQpzrdlHydxzFuzQ2G76HLNr/nBAvXnFbGLDqKDXzG03hgplHhBAY5aT+pJGjzfVLZvT d2fln4K/9g8Gzsj5sZUJxMhxes+XtU+ldkNGy9vG3EVFTyPNbTI2BTXvsshmsmsyhUOmX+he5 xuITu4h4HmqO1tLLWWseypU4qbK3WxqalRLrkE/+HTdAEPQqkmq1eYPczIwU0RgEXngmKHLk6 AIUJGWh5Rboll6gq0XrAMDik+ohGoEslzxbgPhKNVnPIiI/V75E1jGm6PPY7v9ZQ3e19P64Zd Lzsoc4jaI4a0FOqi5JcMKtEPxqzGR2D/mDnx+MDWHq2OIliu7wRcwKv8uC9V3eOj97vROQqQJ GtJudo4lGegwbqTivnilPsBfjzp9mJmiBAb5n4htz3VjJs+vEA9hhdjh+cteK1z0wfhYr7efc EBlSGPrvakaMtndcbCYI2Iriv3FWYHdwtfmzOQXnET9A5s59QnbBkFHffCY= X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 2.79 on 10.11.54.5 X-loop: dm-devel@redhat.com X-Mailman-Approved-At: Mon, 06 Sep 2021 04:14:38 -0400 Cc: =?utf-8?q?Michael_Wei=C3=9F?= , Mike Snitzer , linux-kernel@vger.kernel.org, Eric Paris , linux-raid@vger.kernel.org, Song Liu , dm-devel@redhat.com, linux-audit@redhat.com, Alasdair Kergon Subject: [dm-devel] [PATCH v4 0/3] dm: audit event logging X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.12 Precedence: junk List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: dm-devel-bounces@redhat.com Errors-To: dm-devel-bounces@redhat.com X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 Authentication-Results: relay.mimecast.com; auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=dm-devel-bounces@redhat.com X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com dm integrity and also stacked dm crypt devices track integrity violations internally. Thus, integrity violations could be polled from user space, e.g., by 'integritysetup status'. >From an auditing perspective, we only could see that there were a number of integrity violations, but not when and where the violation exactly was taking place. The current error log to the kernel ring buffer, contains those information, time stamp and sector on device. However, for auditing the audit subsystem provides a separate logging mechanism which meets certain criteria for secure audit logging. With this small series we make use of the kernel audit framework and extend the dm driver to log audit events in case of such integrity violations. Further, we also log construction and destruction of the device mappings. We focus on dm-integrity and stacked dm-crypt devices for now. However, the helper functions to log audit messages should be applicable to dm-verity too. The first patch introduce generic audit wrapper functions. The second patch makes use of the audit wrapper functions in the dm-integrity.c. The third patch uses the wrapper functions in dm-crypt.c. The audit logs look like this if executing the following simple test: # dd if=/dev/zero of=test.img bs=1M count=1024 # losetup -f test.img # integritysetup -vD format --integrity sha256 -t 32 /dev/loop0 # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # integritysetup close integritytest # integritysetup open -D /dev/loop0 --integrity sha256 integritytest # integritysetup status integritytest # dd if=/dev/urandom of=/dev/loop0 bs=512 count=1 seek=100000 # dd if=/dev/mapper/integritytest of=/dev/null ------------------------- audit.log from auditd type=UNKNOWN[1336] msg=audit(1630425039.363:184): module=integrity op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425039.471:185): module=integrity op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425039.611:186): module=integrity op=ctr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425054.475:187): module=integrity op=dtr ppid=3807 pid=3819 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425073.171:191): module=integrity op=ctr ppid=3807 pid=3883 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425087.239:192): module=integrity op=dtr ppid=3807 pid=3902 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1336] msg=audit(1630425093.755:193): module=integrity op=ctr ppid=3807 pid=3906 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=3 comm="integritysetup" exe="/sbin/integritysetup" subj==unconfined dev=254:3 error_msg='success' res=1 type=UNKNOWN[1337] msg=audit(1630425112.119:194): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:195): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:196): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:197): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:198): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:199): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:200): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:201): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:202): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 type=UNKNOWN[1337] msg=audit(1630425112.119:203): module=integrity op=integrity-checksum dev=254:3 sector=77480 res=0 v4 Changes: - Added comments on intended use of wrapper functions in dm-audit.h - dm_audit_log_bio(): Fixed missing '=' as spotted by Paul - dm_audit_log_ti(): Handle wrong audit_type as suggested by Paul v3 Changes: - Use of two audit event types AUDIT_DM_EVENT und AUDIT_DM_CTRL - Additionaly use audit_log_task_info in case of AUDIT_DM_CTRL messages - Provide consistent fields per message type as suggested by Paul - Added sample events to commit message of [1/3] as suggested by Paul - Rebased on v5.14 v2 Changes: - Fixed compile errors if CONFIG_DM_AUDIT is not set - Fixed formatting and typos as suggested by Casey Michael Weiß (3): dm: introduce audit event module for device mapper dm integrity: log audit events for dm-integrity target dm crypt: log aead integrity violations to audit subsystem drivers/md/Kconfig | 10 +++++ drivers/md/Makefile | 4 ++ drivers/md/dm-audit.c | 84 ++++++++++++++++++++++++++++++++++++++ drivers/md/dm-audit.h | 66 ++++++++++++++++++++++++++++++ drivers/md/dm-crypt.c | 22 ++++++++-- drivers/md/dm-integrity.c | 25 ++++++++++-- include/uapi/linux/audit.h | 2 + 7 files changed, 205 insertions(+), 8 deletions(-) create mode 100644 drivers/md/dm-audit.c create mode 100644 drivers/md/dm-audit.h