| Message ID | 20210814183359.4061-2-michael.weiss@aisec.fraunhofer.de (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | dm: audit event logging | expand |
On Sat, Aug 14, 2021 at 2:34 PM Michael Weiß <michael.weiss@aisec.fraunhofer.de> wrote: > > To be able to send auditing events to user space, we introduce > a generic dm-audit module. It provides helper functions to emit > audit events through the kernel audit subsystem. We claim the > AUDIT_DM type=1336 out of the audit event messages range in the > corresponding userspace api in 'include/uapi/linux/audit.h' for > those events. > > Following commits to device mapper targets actually will make > use of this to emit those events in relevant cases. > > Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> Hi Michael, You went into more detail in your patchset cover letter, e.g. example audit records, which I think would be helpful here in the commit description so we have it as part of the git log. I don't want to discourage you from writing cover letters, but don't forget that the cover letters can be lost to the ether after a couple of years whereas the git log has a much longer lifetime (we hope!) and a tighter binding to the related code. > --- > drivers/md/Kconfig | 10 +++++++ > drivers/md/Makefile | 4 +++ > drivers/md/dm-audit.c | 59 ++++++++++++++++++++++++++++++++++++++ > drivers/md/dm-audit.h | 33 +++++++++++++++++++++ > include/uapi/linux/audit.h | 1 + > 5 files changed, 107 insertions(+) > create mode 100644 drivers/md/dm-audit.c > create mode 100644 drivers/md/dm-audit.h > > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > index 0602e82a9516..48adbec12148 100644 > --- a/drivers/md/Kconfig > +++ b/drivers/md/Kconfig > @@ -608,6 +608,7 @@ config DM_INTEGRITY > select CRYPTO > select CRYPTO_SKCIPHER > select ASYNC_XOR > + select DM_AUDIT if AUDIT > help > This device-mapper target emulates a block device that has > additional per-sector tags that can be used for storing > @@ -640,4 +641,13 @@ config DM_ZONED > > If unsure, say N. > > +config DM_AUDIT > + bool "DM audit events" > + depends on AUDIT > + help > + Generate audit events for device-mapper. > + > + Enables audit logging of several security relevant events in the > + particular device-mapper targets, especially the integrity target. > + > endif # MD > diff --git a/drivers/md/Makefile b/drivers/md/Makefile > index a74aaf8b1445..4cd47623c742 100644 > --- a/drivers/md/Makefile > +++ b/drivers/md/Makefile > @@ -103,3 +103,7 @@ endif > ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y) > dm-verity-objs += dm-verity-verify-sig.o > endif > + > +ifeq ($(CONFIG_DM_AUDIT),y) > +dm-mod-objs += dm-audit.o > +endif > diff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c > new file mode 100644 > index 000000000000..c7e5824821bb > --- /dev/null > +++ b/drivers/md/dm-audit.c > @@ -0,0 +1,59 @@ > +// SPDX-License-Identifier: GPL-2.0 > +/* > + * Creating audit records for mapped devices. > + * > + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved. > + * > + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de> > + */ > + > +#include <linux/audit.h> > +#include <linux/module.h> > +#include <linux/device-mapper.h> > +#include <linux/bio.h> > +#include <linux/blkdev.h> > + > +#include "dm-audit.h" > +#include "dm-core.h" > + > +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, > + struct bio *bio, sector_t sector, int result) > +{ > + struct audit_buffer *ab; > + > + if (audit_enabled == AUDIT_OFF) > + return; > + > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); > + if (unlikely(!ab)) > + return; > + > + audit_log_format(ab, "module=%s dev=%d:%d op=%s sector=%llu res=%d", > + dm_msg_prefix, MAJOR(bio->bi_bdev->bd_dev), > + MINOR(bio->bi_bdev->bd_dev), op, sector, result); > + audit_log_end(ab); > +} > +EXPORT_SYMBOL_GPL(dm_audit_log_bio); > + > +void dm_audit_log_target(const char *dm_msg_prefix, const char *op, > + struct dm_target *ti, int result) > +{ > + struct audit_buffer *ab; > + struct mapped_device *md = dm_table_get_md(ti->table); > + > + if (audit_enabled == AUDIT_OFF) > + return; > + > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); > + if (unlikely(!ab)) > + return; > + > + audit_log_format(ab, "module=%s dev=%s op=%s", > + dm_msg_prefix, dm_device_name(md), op); > + > + if (!result && !strcmp("ctr", op)) > + audit_log_format(ab, " error_msg='%s'", ti->error); > + audit_log_format(ab, " res=%d", result); > + audit_log_end(ab); > +} Generally speaking we try to keep a consistent format and ordering within a given audit record type. However you appear to have at least three different formats for the AUDIT_DM record in this patch: "... module=%s dev=%d:%d op=%s sector=%llu res=%d" "... module=%s dev=%s op=%s error_msg='%s' res=%d" "... module=%s dev=%s op=%s res=%d" The first thing that jumps out is that some fields, e.g. "sector", are not always present in the record; we typically handle this by using a "?" for the field value in those cases where you would otherwise drop the field from the record, for example the following record: "... module=%s dev=%s op=%s res=%d" ... would be rewritten like this: "... module=%s dev=%s op=%s sector=? res=%d" The second thing that I noticed is that the "dev" field changes from a "major:minor" number representation to an arbitrary string value, e.g. "dev=%s". This generally isn't something we do with audit records, please stick to a single representation for a given audit record-type/field combination.
On Wed, 2021-08-18 at 14:59 -0400, Paul Moore wrote: > On Sat, Aug 14, 2021 at 2:34 PM Michael Weiß > <michael.weiss@aisec.fraunhofer.de> wrote: > > To be able to send auditing events to user space, we introduce > > a generic dm-audit module. It provides helper functions to emit > > audit events through the kernel audit subsystem. We claim the > > AUDIT_DM type=1336 out of the audit event messages range in the > > corresponding userspace api in 'include/uapi/linux/audit.h' for > > those events. > > > > Following commits to device mapper targets actually will make > > use of this to emit those events in relevant cases. > > > > Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> > > Hi Michael, > > You went into more detail in your patchset cover letter, e.g. example > audit records, which I think would be helpful here in the commit > description so we have it as part of the git log. I don't want to > discourage you from writing cover letters, but don't forget that the > cover letters can be lost to the ether after a couple of years whereas > the git log has a much longer lifetime (we hope!) and a tighter > binding to the related code. Hi Paul, at first thank you for your comments. I see your point and I will respect that in providing the next version of this patch-set. > > > --- > > drivers/md/Kconfig | 10 +++++++ > > drivers/md/Makefile | 4 +++ > > drivers/md/dm-audit.c | 59 ++++++++++++++++++++++++++++++++++++++ > > drivers/md/dm-audit.h | 33 +++++++++++++++++++++ > > include/uapi/linux/audit.h | 1 + > > 5 files changed, 107 insertions(+) > > create mode 100644 drivers/md/dm-audit.c > > create mode 100644 drivers/md/dm-audit.h > > > > diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig > > index 0602e82a9516..48adbec12148 100644 > > --- a/drivers/md/Kconfig > > +++ b/drivers/md/Kconfig > > @@ -608,6 +608,7 @@ config DM_INTEGRITY > > select CRYPTO > > select CRYPTO_SKCIPHER > > select ASYNC_XOR > > + select DM_AUDIT if AUDIT > > help > > This device-mapper target emulates a block device that has > > additional per-sector tags that can be used for storing > > @@ -640,4 +641,13 @@ config DM_ZONED > > > > If unsure, say N. > > > > +config DM_AUDIT > > + bool "DM audit events" > > + depends on AUDIT > > + help > > + Generate audit events for device-mapper. > > + > > + Enables audit logging of several security relevant events in the > > + particular device-mapper targets, especially the integrity target. > > + > > endif # MD > > diff --git a/drivers/md/Makefile b/drivers/md/Makefile > > index a74aaf8b1445..4cd47623c742 100644 > > --- a/drivers/md/Makefile > > +++ b/drivers/md/Makefile > > @@ -103,3 +103,7 @@ endif > > ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y) > > dm-verity-objs += dm-verity-verify-sig.o > > endif > > + > > +ifeq ($(CONFIG_DM_AUDIT),y) > > +dm-mod-objs += dm-audit.o > > +endif > > diff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c > > new file mode 100644 > > index 000000000000..c7e5824821bb > > --- /dev/null > > +++ b/drivers/md/dm-audit.c > > @@ -0,0 +1,59 @@ > > +// SPDX-License-Identifier: GPL-2.0 > > +/* > > + * Creating audit records for mapped devices. > > + * > > + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved. > > + * > > + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de> > > + */ > > + > > +#include <linux/audit.h> > > +#include <linux/module.h> > > +#include <linux/device-mapper.h> > > +#include <linux/bio.h> > > +#include <linux/blkdev.h> > > + > > +#include "dm-audit.h" > > +#include "dm-core.h" > > + > > +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, > > + struct bio *bio, sector_t sector, int result) > > +{ > > + struct audit_buffer *ab; > > + > > + if (audit_enabled == AUDIT_OFF) > > + return; > > + > > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); > > + if (unlikely(!ab)) > > + return; > > + > > + audit_log_format(ab, "module=%s dev=%d:%d op=%s sector=%llu res=%d", > > + dm_msg_prefix, MAJOR(bio->bi_bdev->bd_dev), > > + MINOR(bio->bi_bdev->bd_dev), op, sector, result); > > + audit_log_end(ab); > > +} > > +EXPORT_SYMBOL_GPL(dm_audit_log_bio); > > + > > +void dm_audit_log_target(const char *dm_msg_prefix, const char *op, > > + struct dm_target *ti, int result) > > +{ > > + struct audit_buffer *ab; > > + struct mapped_device *md = dm_table_get_md(ti->table); > > + > > + if (audit_enabled == AUDIT_OFF) > > + return; > > + > > + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); > > + if (unlikely(!ab)) > > + return; > > + > > + audit_log_format(ab, "module=%s dev=%s op=%s", > > + dm_msg_prefix, dm_device_name(md), op); > > + > > + if (!result && !strcmp("ctr", op)) > > + audit_log_format(ab, " error_msg='%s'", ti->error); > > + audit_log_format(ab, " res=%d", result); > > + audit_log_end(ab); > > +} > > Generally speaking we try to keep a consistent format and ordering > within a given audit record type. However you appear to have at least > three different formats for the AUDIT_DM record in this patch: > > "... module=%s dev=%d:%d op=%s sector=%llu res=%d" > "... module=%s dev=%s op=%s error_msg='%s' res=%d" > "... module=%s dev=%s op=%s res=%d" > > The first thing that jumps out is that some fields, e.g. "sector", are > not always present in the record; we typically handle this by using a > "?" for the field value in those cases where you would otherwise drop > the field from the record, for example the following record: > > "... module=%s dev=%s op=%s res=%d" > > ... would be rewritten like this: > > "... module=%s dev=%s op=%s sector=? res=%d" Well, I didn't know that. For target creation and destruction a sector is not relevant. So would it also be an option for you if we just define two different type of messages like this in audit.h? #define AUDIT_DM_CTRL 1336 /* Device Mapper target control */ #define AUDIT_DM_EVENT 1337 /* Device Mapper events */ > > The second thing that I noticed is that the "dev" field changes from a > "major:minor" number representation to an arbitrary string value, e.g. > "dev=%s". This generally isn't something we do with audit records, > please stick to a single representation for a given audit > record-type/field combination. dm_device_name(md) already does provide a major:minor in string representation, that is why I used it directly with dev=%s and in the bio case build it up manually out of major and minor of the bdev. I see two options here to be more clear on this in the code. First, just provide a comment or second use the major minor directly from dm_disk(md)->major, dm_disk(md)->first_minor. I'm not sure what's better here. Thanks, Michael -- dm-devel mailing list dm-devel@redhat.com https://listman.redhat.com/mailman/listinfo/dm-devel
diff --git a/drivers/md/Kconfig b/drivers/md/Kconfig index 0602e82a9516..48adbec12148 100644 --- a/drivers/md/Kconfig +++ b/drivers/md/Kconfig @@ -608,6 +608,7 @@ config DM_INTEGRITY select CRYPTO select CRYPTO_SKCIPHER select ASYNC_XOR + select DM_AUDIT if AUDIT help This device-mapper target emulates a block device that has additional per-sector tags that can be used for storing @@ -640,4 +641,13 @@ config DM_ZONED If unsure, say N. +config DM_AUDIT + bool "DM audit events" + depends on AUDIT + help + Generate audit events for device-mapper. + + Enables audit logging of several security relevant events in the + particular device-mapper targets, especially the integrity target. + endif # MD diff --git a/drivers/md/Makefile b/drivers/md/Makefile index a74aaf8b1445..4cd47623c742 100644 --- a/drivers/md/Makefile +++ b/drivers/md/Makefile @@ -103,3 +103,7 @@ endif ifeq ($(CONFIG_DM_VERITY_VERIFY_ROOTHASH_SIG),y) dm-verity-objs += dm-verity-verify-sig.o endif + +ifeq ($(CONFIG_DM_AUDIT),y) +dm-mod-objs += dm-audit.o +endif diff --git a/drivers/md/dm-audit.c b/drivers/md/dm-audit.c new file mode 100644 index 000000000000..c7e5824821bb --- /dev/null +++ b/drivers/md/dm-audit.c @@ -0,0 +1,59 @@ +// SPDX-License-Identifier: GPL-2.0 +/* + * Creating audit records for mapped devices. + * + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved. + * + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de> + */ + +#include <linux/audit.h> +#include <linux/module.h> +#include <linux/device-mapper.h> +#include <linux/bio.h> +#include <linux/blkdev.h> + +#include "dm-audit.h" +#include "dm-core.h" + +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, + struct bio *bio, sector_t sector, int result) +{ + struct audit_buffer *ab; + + if (audit_enabled == AUDIT_OFF) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); + if (unlikely(!ab)) + return; + + audit_log_format(ab, "module=%s dev=%d:%d op=%s sector=%llu res=%d", + dm_msg_prefix, MAJOR(bio->bi_bdev->bd_dev), + MINOR(bio->bi_bdev->bd_dev), op, sector, result); + audit_log_end(ab); +} +EXPORT_SYMBOL_GPL(dm_audit_log_bio); + +void dm_audit_log_target(const char *dm_msg_prefix, const char *op, + struct dm_target *ti, int result) +{ + struct audit_buffer *ab; + struct mapped_device *md = dm_table_get_md(ti->table); + + if (audit_enabled == AUDIT_OFF) + return; + + ab = audit_log_start(audit_context(), GFP_KERNEL, AUDIT_DM); + if (unlikely(!ab)) + return; + + audit_log_format(ab, "module=%s dev=%s op=%s", + dm_msg_prefix, dm_device_name(md), op); + + if (!result && !strcmp("ctr", op)) + audit_log_format(ab, " error_msg='%s'", ti->error); + audit_log_format(ab, " res=%d", result); + audit_log_end(ab); +} +EXPORT_SYMBOL_GPL(dm_audit_log_target); diff --git a/drivers/md/dm-audit.h b/drivers/md/dm-audit.h new file mode 100644 index 000000000000..b9e31b9e3682 --- /dev/null +++ b/drivers/md/dm-audit.h @@ -0,0 +1,33 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +/* + * Creating audit records for mapped devices. + * + * Copyright (C) 2021 Fraunhofer AISEC. All rights reserved. + * + * Authors: Michael Weiß <michael.weiss@aisec.fraunhofer.de> + */ + +#ifndef DM_AUDIT_H +#define DM_AUDIT_H + +#include <linux/device-mapper.h> + +#ifdef CONFIG_DM_AUDIT +void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, + struct bio *bio, sector_t sector, int result); +void dm_audit_log_target(const char *dm_msg_prefix, const char *op, + struct dm_target *ti, int result); +#else +static inline void dm_audit_log_bio(const char *dm_msg_prefix, const char *op, + struct bio *bio, sector_t sector, + int result) +{ +} +static inline void dm_audit_log_target(const char *dm_msg_prefix, + const char *op, struct dm_target *ti, + int result) +{ +} +#endif + +#endif diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index daa481729e9b..aebfeee1c5b1 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -118,6 +118,7 @@ #define AUDIT_TIME_ADJNTPVAL 1333 /* NTP value adjustment */ #define AUDIT_BPF 1334 /* BPF subsystem */ #define AUDIT_EVENT_LISTENER 1335 /* Task joined multicast read socket */ +#define AUDIT_DM 1336 /* Device Mapper events */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
To be able to send auditing events to user space, we introduce a generic dm-audit module. It provides helper functions to emit audit events through the kernel audit subsystem. We claim the AUDIT_DM type=1336 out of the audit event messages range in the corresponding userspace api in 'include/uapi/linux/audit.h' for those events. Following commits to device mapper targets actually will make use of this to emit those events in relevant cases. Signed-off-by: Michael Weiß <michael.weiss@aisec.fraunhofer.de> --- drivers/md/Kconfig | 10 +++++++ drivers/md/Makefile | 4 +++ drivers/md/dm-audit.c | 59 ++++++++++++++++++++++++++++++++++++++ drivers/md/dm-audit.h | 33 +++++++++++++++++++++ include/uapi/linux/audit.h | 1 + 5 files changed, 107 insertions(+) create mode 100644 drivers/md/dm-audit.c create mode 100644 drivers/md/dm-audit.h