| Message ID | 20191216223621.5127-23-casey@schaufler-ca.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v12,01/25] LSM: Infrastructure management of the sock security | expand |
On 12/16/19 5:36 PM, Casey Schaufler wrote: > When there is more than one context displaying security > module extend what goes into the audit record by supplimenting > the "obj=" with an "obj_<lsm>=" for each such security > module. > > Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> Disclaimer: requires ack by audit maintainers. For me, Acked-by: Stephen Smalley <sds@tycho.nsa.gov> > --- > kernel/audit.h | 4 +- > kernel/auditsc.c | 110 ++++++++++++++++++++++++----------------------- > 2 files changed, 58 insertions(+), 56 deletions(-) > > diff --git a/kernel/audit.h b/kernel/audit.h > index af9bc09e656c..c9f1e1641542 100644 > --- a/kernel/audit.h > +++ b/kernel/audit.h > @@ -78,7 +78,7 @@ struct audit_names { > kuid_t uid; > kgid_t gid; > dev_t rdev; > - u32 osid; > + struct lsmblob oblob; > struct audit_cap_data fcap; > unsigned int fcap_ver; > unsigned char type; /* record type */ > @@ -152,7 +152,7 @@ struct audit_context { > kuid_t uid; > kgid_t gid; > umode_t mode; > - u32 osid; > + struct lsmblob oblob; > int has_perm; > uid_t perm_uid; > gid_t perm_gid; > diff --git a/kernel/auditsc.c b/kernel/auditsc.c > index e0dd643e9b13..0c071947c2b3 100644 > --- a/kernel/auditsc.c > +++ b/kernel/auditsc.c > @@ -659,17 +659,15 @@ static int audit_filter_rules(struct task_struct *tsk, > if (f->lsm_rule) { > /* Find files that match */ > if (name) { > - lsmblob_init(&blob, name->osid); > result = security_audit_rule_match( > - &blob, > + &name->oblob, > f->type, > f->op, > f->lsm_rule); > } else if (ctx) { > list_for_each_entry(n, &ctx->names_list, list) { > - lsmblob_init(&blob, n->osid); > if (security_audit_rule_match( > - &blob, > + &n->oblob, > f->type, > f->op, > f->lsm_rule)) { > @@ -681,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk, > /* Find ipc objects that match */ > if (!ctx || ctx->type != AUDIT_IPC) > break; > - lsmblob_init(&blob, ctx->ipc.osid); > - if (security_audit_rule_match(&blob, > + if (security_audit_rule_match(&ctx->ipc.oblob, > f->type, f->op, > f->lsm_rule)) > ++result; > @@ -956,13 +953,57 @@ static inline void audit_free_context(struct audit_context *context) > kfree(context); > } > > +static int audit_log_object_context(struct audit_buffer *ab, > + struct lsmblob *blob) > +{ > + struct lsmcontext context; > + const char *lsm; > + int i; > + > + /* > + * None of the installed modules have object labels. > + */ > + if (security_lsm_slot_name(0) == NULL) > + return 0; > + > + if (blob->secid[0] != 0) { > + if (security_secid_to_secctx(blob, &context, 0)) { > + audit_log_format(ab, " obj=?"); > + return 1; > + } > + audit_log_format(ab, " obj=%s", context.context); > + security_release_secctx(&context); > + } > + > + /* > + * Don't do anything more unless there is more than one LSM > + * with a security context to report. > + */ > + if (security_lsm_slot_name(1) == NULL) > + return 0; > + > + for (i = 0; i < LSMBLOB_ENTRIES; i++) { > + lsm = security_lsm_slot_name(i); > + if (lsm == NULL) > + break; > + if (blob->secid[i] == 0) > + continue; > + if (security_secid_to_secctx(blob, &context, i)) { > + audit_log_format(ab, " obj_%s=?", lsm); > + continue; > + } > + audit_log_format(ab, " obj_%s=%s", lsm, context.context); > + security_release_secctx(&context); > + } > + return 0; > +} > + > static int audit_log_pid_context(struct audit_context *context, pid_t pid, > kuid_t auid, kuid_t uid, > unsigned int sessionid, > struct lsmblob *blob, char *comm) > { > struct audit_buffer *ab; > - struct lsmcontext lsmctx; > int rc = 0; > > ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); > @@ -972,15 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, > audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, > from_kuid(&init_user_ns, auid), > from_kuid(&init_user_ns, uid), sessionid); > - if (lsmblob_is_set(blob)) { > - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { > - audit_log_format(ab, " obj=(none)"); > - rc = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + rc = audit_log_object_context(ab, blob); > audit_log_format(ab, " ocomm="); > audit_log_untrustedstring(ab, comm); > audit_log_end(ab); > @@ -1207,26 +1240,14 @@ static void show_special(struct audit_context *context, int *call_panic) > context->socketcall.args[i]); > break; } > case AUDIT_IPC: { > - u32 osid = context->ipc.osid; > + struct lsmblob *oblob = & context->ipc.oblob; > > audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", > from_kuid(&init_user_ns, context->ipc.uid), > from_kgid(&init_user_ns, context->ipc.gid), > context->ipc.mode); > - if (osid) { > - struct lsmcontext lsmcxt; > - struct lsmblob blob; > - > - lsmblob_init(&blob, osid); > - if (security_secid_to_secctx(&blob, &lsmcxt, > - LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=%u", osid); > - *call_panic = 1; > - } else { > - audit_log_format(ab, " obj=%s", lsmcxt.context); > - security_release_secctx(&lsmcxt); > - } > - } > + if (audit_log_object_context(ab, oblob)) > + *call_panic = 1; > if (context->ipc.has_perm) { > audit_log_end(ab); > ab = audit_log_start(context, GFP_KERNEL, > @@ -1366,20 +1387,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, > from_kgid(&init_user_ns, n->gid), > MAJOR(n->rdev), > MINOR(n->rdev)); > - if (n->osid != 0) { > - struct lsmblob blob; > - struct lsmcontext lsmctx; > - > - lsmblob_init(&blob, n->osid); > - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { > - audit_log_format(ab, " osid=%u", n->osid); > - if (call_panic) > - *call_panic = 2; > - } else { > - audit_log_format(ab, " obj=%s", lsmctx.context); > - security_release_secctx(&lsmctx); > - } > - } > + if (audit_log_object_context(ab, &n->oblob) && call_panic) > + *call_panic = 2; > > /* log the audit_names record type */ > switch (n->type) { > @@ -1929,17 +1938,13 @@ static void audit_copy_inode(struct audit_names *name, > const struct dentry *dentry, > struct inode *inode, unsigned int flags) > { > - struct lsmblob blob; > - > name->ino = inode->i_ino; > name->dev = inode->i_sb->s_dev; > name->mode = inode->i_mode; > name->uid = inode->i_uid; > name->gid = inode->i_gid; > name->rdev = inode->i_rdev; > - security_inode_getsecid(inode, &blob); > - /* scaffolding until osid is updated */ > - name->osid = blob.secid[0]; > + security_inode_getsecid(inode, &name->oblob); > if (flags & AUDIT_INODE_NOEVAL) { > name->fcap_ver = -1; > return; > @@ -2285,14 +2290,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) > void __audit_ipc_obj(struct kern_ipc_perm *ipcp) > { > struct audit_context *context = audit_context(); > - struct lsmblob blob; > context->ipc.uid = ipcp->uid; > context->ipc.gid = ipcp->gid; > context->ipc.mode = ipcp->mode; > context->ipc.has_perm = 0; > - security_ipc_getsecid(ipcp, &blob); > - /* scaffolding on the [0] - change "osid" to a lsmblob */ > - context->ipc.osid = blob.secid[0]; > + security_ipc_getsecid(ipcp, &context->ipc.oblob); > context->type = AUDIT_IPC; > } > >
diff --git a/kernel/audit.h b/kernel/audit.h index af9bc09e656c..c9f1e1641542 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -78,7 +78,7 @@ struct audit_names { kuid_t uid; kgid_t gid; dev_t rdev; - u32 osid; + struct lsmblob oblob; struct audit_cap_data fcap; unsigned int fcap_ver; unsigned char type; /* record type */ @@ -152,7 +152,7 @@ struct audit_context { kuid_t uid; kgid_t gid; umode_t mode; - u32 osid; + struct lsmblob oblob; int has_perm; uid_t perm_uid; gid_t perm_gid; diff --git a/kernel/auditsc.c b/kernel/auditsc.c index e0dd643e9b13..0c071947c2b3 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -659,17 +659,15 @@ static int audit_filter_rules(struct task_struct *tsk, if (f->lsm_rule) { /* Find files that match */ if (name) { - lsmblob_init(&blob, name->osid); result = security_audit_rule_match( - &blob, + &name->oblob, f->type, f->op, f->lsm_rule); } else if (ctx) { list_for_each_entry(n, &ctx->names_list, list) { - lsmblob_init(&blob, n->osid); if (security_audit_rule_match( - &blob, + &n->oblob, f->type, f->op, f->lsm_rule)) { @@ -681,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk, /* Find ipc objects that match */ if (!ctx || ctx->type != AUDIT_IPC) break; - lsmblob_init(&blob, ctx->ipc.osid); - if (security_audit_rule_match(&blob, + if (security_audit_rule_match(&ctx->ipc.oblob, f->type, f->op, f->lsm_rule)) ++result; @@ -956,13 +953,57 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } +static int audit_log_object_context(struct audit_buffer *ab, + struct lsmblob *blob) +{ + struct lsmcontext context; + const char *lsm; + int i; + + /* + * None of the installed modules have object labels. + */ + if (security_lsm_slot_name(0) == NULL) + return 0; + + if (blob->secid[0] != 0) { + if (security_secid_to_secctx(blob, &context, 0)) { + audit_log_format(ab, " obj=?"); + return 1; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + } + + /* + * Don't do anything more unless there is more than one LSM + * with a security context to report. + */ + if (security_lsm_slot_name(1) == NULL) + return 0; + + for (i = 0; i < LSMBLOB_ENTRIES; i++) { + lsm = security_lsm_slot_name(i); + if (lsm == NULL) + break; + if (blob->secid[i] == 0) + continue; + if (security_secid_to_secctx(blob, &context, i)) { + audit_log_format(ab, " obj_%s=?", lsm); + continue; + } + audit_log_format(ab, " obj_%s=%s", lsm, context.context); + security_release_secctx(&context); + } + return 0; +} + static int audit_log_pid_context(struct audit_context *context, pid_t pid, kuid_t auid, kuid_t uid, unsigned int sessionid, struct lsmblob *blob, char *comm) { struct audit_buffer *ab; - struct lsmcontext lsmctx; int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); @@ -972,15 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmblob_is_set(blob)) { - if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + rc = audit_log_object_context(ab, blob); audit_log_format(ab, " ocomm="); audit_log_untrustedstring(ab, comm); audit_log_end(ab); @@ -1207,26 +1240,14 @@ static void show_special(struct audit_context *context, int *call_panic) context->socketcall.args[i]); break; } case AUDIT_IPC: { - u32 osid = context->ipc.osid; + struct lsmblob *oblob = & context->ipc.oblob; audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho", from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (osid) { - struct lsmcontext lsmcxt; - struct lsmblob blob; - - lsmblob_init(&blob, osid); - if (security_secid_to_secctx(&blob, &lsmcxt, - LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", osid); - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmcxt.context); - security_release_secctx(&lsmcxt); - } - } + if (audit_log_object_context(ab, oblob)) + *call_panic = 1; if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, @@ -1366,20 +1387,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (n->osid != 0) { - struct lsmblob blob; - struct lsmcontext lsmctx; - - lsmblob_init(&blob, n->osid); - if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) { - audit_log_format(ab, " osid=%u", n->osid); - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (audit_log_object_context(ab, &n->oblob) && call_panic) + *call_panic = 2; /* log the audit_names record type */ switch (n->type) { @@ -1929,17 +1938,13 @@ static void audit_copy_inode(struct audit_names *name, const struct dentry *dentry, struct inode *inode, unsigned int flags) { - struct lsmblob blob; - name->ino = inode->i_ino; name->dev = inode->i_sb->s_dev; name->mode = inode->i_mode; name->uid = inode->i_uid; name->gid = inode->i_gid; name->rdev = inode->i_rdev; - security_inode_getsecid(inode, &blob); - /* scaffolding until osid is updated */ - name->osid = blob.secid[0]; + security_inode_getsecid(inode, &name->oblob); if (flags & AUDIT_INODE_NOEVAL) { name->fcap_ver = -1; return; @@ -2285,14 +2290,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat) void __audit_ipc_obj(struct kern_ipc_perm *ipcp) { struct audit_context *context = audit_context(); - struct lsmblob blob; context->ipc.uid = ipcp->uid; context->ipc.gid = ipcp->gid; context->ipc.mode = ipcp->mode; context->ipc.has_perm = 0; - security_ipc_getsecid(ipcp, &blob); - /* scaffolding on the [0] - change "osid" to a lsmblob */ - context->ipc.osid = blob.secid[0]; + security_ipc_getsecid(ipcp, &context->ipc.oblob); context->type = AUDIT_IPC; }
When there is more than one context displaying security module extend what goes into the audit record by supplimenting the "obj=" with an "obj_<lsm>=" for each such security module. Signed-off-by: Casey Schaufler <casey@schaufler-ca.com> --- kernel/audit.h | 4 +- kernel/auditsc.c | 110 ++++++++++++++++++++++++----------------------- 2 files changed, 58 insertions(+), 56 deletions(-)