[v28,21/25] audit: support non-syscall auxiliary records

Message ID	20210722004758.12371-22-casey@schaufler-ca.com (mailing list archive)
State	Superseded
Delegated to:	Paul Moore
Headers	show Return-Path: <selinux-owner@kernel.org> From: Casey Schaufler <casey@schaufler-ca.com> To: casey.schaufler@intel.com, jmorris@namei.org, linux-security-module@vger.kernel.org, selinux@vger.kernel.org Cc: casey@schaufler-ca.com, linux-audit@redhat.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com, sds@tycho.nsa.gov, linux-kernel@vger.kernel.org, Richard Guy Briggs <rgb@redhat.com> Subject: [PATCH v28 21/25] audit: support non-syscall auxiliary records Date: Wed, 21 Jul 2021 17:47:54 -0700 Message-Id: <20210722004758.12371-22-casey@schaufler-ca.com> In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com> References: <20210722004758.12371-1-casey@schaufler-ca.com> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	[v28,01/25] LSM: Infrastructure management of the sock security \| expand [v28,01/25] LSM: Infrastructure management of the sock security [v28,02/25] LSM: Add the lsmblob data structure. [v28,03/25] LSM: provide lsm name and id slot mappings [v28,04/25] IMA: avoid label collisions with stacked LSMs [v28,05/25] LSM: Use lsmblob in security_audit_rule_match [v28,06/25] LSM: Use lsmblob in security_kernel_act_as [v28,07/25] LSM: Use lsmblob in security_secctx_to_secid [v28,08/25] LSM: Use lsmblob in security_secid_to_secctx [v28,09/25] LSM: Use lsmblob in security_ipc_getsecid [v28,10/25] LSM: Use lsmblob in security_task_getsecid [v28,11/25] LSM: Use lsmblob in security_inode_getsecid [v28,12/25] LSM: Use lsmblob in security_cred_getsecid [v28,13/25] IMA: Change internal interfaces to use lsmblobs [v28,14/25] LSM: Specify which LSM to display [v28,15/25] LSM: Ensure the correct LSM context releaser [v28,16/25] LSM: Use lsmcontext in security_secid_to_secctx [v28,17/25] LSM: Use lsmcontext in security_inode_getsecctx [v28,18/25] LSM: security_secid_to_secctx in netlink netfilter [v28,19/25] NET: Store LSM netlabel data in a lsmblob [v28,20/25] LSM: Verify LSM display sanity in binder [v28,21/25] audit: support non-syscall auxiliary records [v28,22/25] Audit: Add record for multiple process LSM attributes [v28,23/25] Audit: Add record for multiple object LSM attributes [v28,24/25] LSM: Add /proc attr entry for full LSM context [v28,25/25] AppArmor: Remove the exclusive flag

Message ID

20210722004758.12371-22-casey@schaufler-ca.com (mailing list archive)

State

Superseded

Delegated to:

Paul Moore

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey.schaufler@intel.com, jmorris@namei.org,
        linux-security-module@vger.kernel.org, selinux@vger.kernel.org
Cc: casey@schaufler-ca.com, linux-audit@redhat.com,
        keescook@chromium.org, john.johansen@canonical.com,
        penguin-kernel@i-love.sakura.ne.jp, paul@paul-moore.com,
        sds@tycho.nsa.gov, linux-kernel@vger.kernel.org,
        Richard Guy Briggs <rgb@redhat.com>
Subject: [PATCH v28 21/25] audit: support non-syscall auxiliary records
Date: Wed, 21 Jul 2021 17:47:54 -0700
Message-Id: <20210722004758.12371-22-casey@schaufler-ca.com>
In-Reply-To: <20210722004758.12371-1-casey@schaufler-ca.com>
References: <20210722004758.12371-1-casey@schaufler-ca.com>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

[v28,01/25] LSM: Infrastructure management of the sock security | expand

Commit Message

Casey Schaufler July 22, 2021, 12:47 a.m. UTC

Standalone audit records have the timestamp and serial number generated
on the fly and as such are unique, making them standalone.  This new
function audit_alloc_local() generates a local audit context that will
be used only for a standalone record and its auxiliary record(s).  The
context is discarded immediately after the local associated records are
produced.

Acked-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
To: Richard Guy Briggs <rgb@redhat.com>
---
 include/linux/audit.h |  8 ++++++++
 kernel/audit.h        |  1 +
 kernel/auditsc.c      | 33 ++++++++++++++++++++++++++++-----
 3 files changed, 37 insertions(+), 5 deletions(-)

Comments

kernel test robot July 22, 2021, 5:02 p.m. UTC | #1

Hi Casey,

I love your patch! Yet something to improve:

[auto build test ERROR on pcmoore-audit/next]
[also build test ERROR on nf/master linus/master v5.14-rc2]
[cannot apply to nf-next/master next-20210722]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Casey-Schaufler/LSM-Infrastructure-management-of-the-sock-security/20210722-094735
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pcmoore/audit.git next
config: openrisc-randconfig-r025-20210722 (attached as .config)
compiler: or1k-linux-gcc (GCC) 10.3.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/63ea5078624b9ff368f945d654ace5f79160fb6a
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Casey-Schaufler/LSM-Infrastructure-management-of-the-sock-security/20210722-094735
        git checkout 63ea5078624b9ff368f945d654ace5f79160fb6a
        # save the attached .config to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-10.3.0 make.cross O=build_dir ARCH=openrisc SHELL=/bin/bash

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from init/init_task.c:12:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
--
   In file included from arch/openrisc/kernel/ptrace.c:23:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   arch/openrisc/kernel/ptrace.c:157:17: warning: no previous prototype for 'do_syscall_trace_enter' [-Wmissing-prototypes]
     157 | asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
         |                 ^~~~~~~~~~~~~~~~~~~~~~
   arch/openrisc/kernel/ptrace.c:176:17: warning: no previous prototype for 'do_syscall_trace_leave' [-Wmissing-prototypes]
     176 | asmlinkage void do_syscall_trace_leave(struct pt_regs *regs)
         |                 ^~~~~~~~~~~~~~~~~~~~~~
--
   In file included from kernel/fork.c:63:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   kernel/fork.c:162:13: warning: no previous prototype for 'arch_release_task_struct' [-Wmissing-prototypes]
     162 | void __weak arch_release_task_struct(struct task_struct *tsk)
         |             ^~~~~~~~~~~~~~~~~~~~~~~~
   kernel/fork.c:752:20: warning: no previous prototype for 'arch_task_cache_init' [-Wmissing-prototypes]
     752 | void __init __weak arch_task_cache_init(void) { }
         |                    ^~~~~~~~~~~~~~~~~~~~
   kernel/fork.c:847:12: warning: no previous prototype for 'arch_dup_task_struct' [-Wmissing-prototypes]
     847 | int __weak arch_dup_task_struct(struct task_struct *dst,
         |            ^~~~~~~~~~~~~~~~~~~~
--
   In file included from kernel/exit.c:49:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   kernel/exit.c:1810:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
    1810 | __weak void abort(void)
         |             ^~~~~
--
   In file included from kernel/audit.c:51:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   kernel/audit.c:1781:14: warning: no previous prototype for 'audit_serial' [-Wmissing-prototypes]
    1781 | unsigned int audit_serial(void)
         |              ^~~~~~~~~~~~
   kernel/audit.c: In function 'audit_log_vformat':
   kernel/audit.c:1929:2: warning: function 'audit_log_vformat' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    1929 |  len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
         |  ^~~
   kernel/audit.c:1938:3: warning: function 'audit_log_vformat' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    1938 |   len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
         |   ^~~
--
   In file included from fs/pipe.c:23:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   fs/pipe.c:741:15: warning: no previous prototype for 'account_pipe_buffers' [-Wmissing-prototypes]
     741 | unsigned long account_pipe_buffers(struct user_struct *user,
         |               ^~~~~~~~~~~~~~~~~~~~
   fs/pipe.c:747:6: warning: no previous prototype for 'too_many_pipe_buffers_soft' [-Wmissing-prototypes]
     747 | bool too_many_pipe_buffers_soft(unsigned long user_bufs)
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/pipe.c:754:6: warning: no previous prototype for 'too_many_pipe_buffers_hard' [-Wmissing-prototypes]
     754 | bool too_many_pipe_buffers_hard(unsigned long user_bufs)
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~~
   fs/pipe.c:761:6: warning: no previous prototype for 'pipe_is_unprivileged_user' [-Wmissing-prototypes]
     761 | bool pipe_is_unprivileged_user(void)
         |      ^~~~~~~~~~~~~~~~~~~~~~~~~
   fs/pipe.c:1231:5: warning: no previous prototype for 'pipe_resize_ring' [-Wmissing-prototypes]
    1231 | int pipe_resize_ring(struct pipe_inode_info *pipe, unsigned int nr_slots)
         |     ^~~~~~~~~~~~~~~~
--
   In file included from include/linux/fsnotify.h:16,
                    from kernel/trace/trace.c:49:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   kernel/trace/trace.c: In function 'trace_check_vprintf':
   kernel/trace/trace.c:3815:3: warning: function 'trace_check_vprintf' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    3815 |   trace_seq_vprintf(&iter->seq, iter->fmt, ap);
         |   ^~~~~~~~~~~~~~~~~
   kernel/trace/trace.c:3870:3: warning: function 'trace_check_vprintf' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    3870 |   trace_seq_vprintf(&iter->seq, p, ap);
         |   ^~~~~~~~~~~~~~~~~
   At top level:
   kernel/trace/trace.c:1692:37: warning: 'tracing_max_lat_fops' defined but not used [-Wunused-const-variable=]
    1692 | static const struct file_operations tracing_max_lat_fops;
         |                                     ^~~~~~~~~~~~~~~~~~~~
--
   In file included from net/socket.c:81:
>> include/linux/audit.h:557:1: error: expected identifier or '(' before '+' token
     557 | +static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
         | ^
   net/socket.c: In function '__sys_getsockopt':
   net/socket.c:2178:6: warning: variable 'max_optlen' set but not used [-Wunused-but-set-variable]
    2178 |  int max_optlen;
         |      ^~~~~~~~~~


vim +557 include/linux/audit.h

   553	
   554	extern int audit_n_rules;
   555	extern int audit_signals;
   556	#else /* CONFIG_AUDITSYSCALL */
 > 557	+static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
   558	{
   559		return NULL;
   560	}
   561	static inline void audit_free_context(struct audit_context *context)
   562	{ }
   563	static inline int audit_alloc(struct task_struct *task)
   564	{
   565		return 0;
   566	}
   567	static inline void audit_free(struct task_struct *task)
   568	{ }
   569	static inline void audit_syscall_entry(int major, unsigned long a0,
   570					       unsigned long a1, unsigned long a2,
   571					       unsigned long a3)
   572	{ }
   573	static inline void audit_syscall_exit(void *pt_regs)
   574	{ }
   575	static inline bool audit_dummy_context(void)
   576	{
   577		return true;
   578	}
   579	static inline void audit_set_context(struct task_struct *task, struct audit_context *ctx)
   580	{ }
   581	static inline struct audit_context *audit_context(void)
   582	{
   583		return NULL;
   584	}
   585	static inline struct filename *audit_reusename(const __user char *name)
   586	{
   587		return NULL;
   588	}
   589	static inline void audit_getname(struct filename *name)
   590	{ }
   591	static inline void audit_inode(struct filename *name,
   592					const struct dentry *dentry,
   593					unsigned int aflags)
   594	{ }
   595	static inline void audit_file(struct file *file)
   596	{
   597	}
   598	static inline void audit_inode_parent_hidden(struct filename *name,
   599					const struct dentry *dentry)
   600	{ }
   601	static inline void audit_inode_child(struct inode *parent,
   602					     const struct dentry *dentry,
   603					     const unsigned char type)
   604	{ }
   605	static inline void audit_core_dumps(long signr)
   606	{ }
   607	static inline void audit_seccomp(unsigned long syscall, long signr, int code)
   608	{ }
   609	static inline void audit_seccomp_actions_logged(const char *names,
   610							const char *old_names, int res)
   611	{ }
   612	static inline void audit_ipc_obj(struct kern_ipc_perm *ipcp)
   613	{ }
   614	static inline void audit_ipc_set_perm(unsigned long qbytes, uid_t uid,
   615						gid_t gid, umode_t mode)
   616	{ }
   617	static inline void audit_bprm(struct linux_binprm *bprm)
   618	{ }
   619	static inline int audit_socketcall(int nargs, unsigned long *args)
   620	{
   621		return 0;
   622	}
   623	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org

diff --git a/include/linux/audit.h b/include/linux/audit.h
index 418a485af114..97cd7471e572 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -289,6 +289,8 @@  static inline int audit_signal_info(int sig, struct task_struct *t)
 				/* Public API */
 extern int  audit_alloc(struct task_struct *task);
 extern void __audit_free(struct task_struct *task);
+extern struct audit_context *audit_alloc_local(gfp_t gfpflags);
+extern void audit_free_context(struct audit_context *context);
 extern void __audit_syscall_entry(int major, unsigned long a0, unsigned long a1,
 				  unsigned long a2, unsigned long a3);
 extern void __audit_syscall_exit(int ret_success, long ret_value);
@@ -552,6 +554,12 @@  static inline void audit_log_nfcfg(const char *name, u8 af,
 extern int audit_n_rules;
 extern int audit_signals;
 #else /* CONFIG_AUDITSYSCALL */
++static inline struct audit_context *audit_alloc_local(gfp_t gfpflags)
+{
+	return NULL;
+}
+static inline void audit_free_context(struct audit_context *context)
+{ }
 static inline int audit_alloc(struct task_struct *task)
 {
 	return 0;
diff --git a/kernel/audit.h b/kernel/audit.h
index b679517a3030..ddc1a69edc79 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -99,6 +99,7 @@  struct audit_proctitle {
 struct audit_context {
 	int		    dummy;	/* must be the first element */
 	int		    in_syscall;	/* 1 if task is in a syscall */
+	bool		    local;	/* local context needed */
 	enum audit_state    state, current_state;
 	unsigned int	    serial;     /* serial number for record */
 	int		    major;      /* syscall number */
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index d198f307a4d8..0e58a3ab56f5 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -931,11 +931,13 @@  static inline void audit_free_aux(struct audit_context *context)
 	}
 }
 
-static inline struct audit_context *audit_alloc_context(enum audit_state state)
+static inline struct audit_context *audit_alloc_context(enum audit_state state,
+							gfp_t gfpflags)
 {
 	struct audit_context *context;
 
-	context = kzalloc(sizeof(*context), GFP_KERNEL);
+	/* We can be called in atomic context via audit_tg() */
+	context = kzalloc(sizeof(*context), gfpflags);
 	if (!context)
 		return NULL;
 	context->state = state;
@@ -971,7 +973,8 @@  int audit_alloc(struct task_struct *tsk)
 		return 0;
 	}
 
-	if (!(context = audit_alloc_context(state))) {
+	context = audit_alloc_context(state, GFP_KERNEL);
+	if (!context) {
 		kfree(key);
 		audit_log_lost("out of memory in audit_alloc");
 		return -ENOMEM;
@@ -983,8 +986,27 @@  int audit_alloc(struct task_struct *tsk)
 	return 0;
 }
 
-static inline void audit_free_context(struct audit_context *context)
+struct audit_context *audit_alloc_local(gfp_t gfpflags)
 {
+	struct audit_context *context = NULL;
+
+	context = audit_alloc_context(AUDIT_STATE_BUILD, gfpflags);
+	if (!context) {
+		audit_log_lost("out of memory in audit_alloc_local");
+		goto out;
+	}
+	context->serial = audit_serial();
+	ktime_get_coarse_real_ts64(&context->ctime);
+	context->local = true;
+out:
+	return context;
+}
+EXPORT_SYMBOL(audit_alloc_local);
+
+void audit_free_context(struct audit_context *context)
+{
+	if (!context)
+		return;
 	audit_free_module(context);
 	audit_free_names(context);
 	unroll_tree_refs(context, NULL, 0);
@@ -995,6 +1017,7 @@  static inline void audit_free_context(struct audit_context *context)
 	audit_proctitle_free(context);
 	kfree(context);
 }
+EXPORT_SYMBOL(audit_free_context);
 
 static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 				 kuid_t auid, kuid_t uid,
@@ -2223,7 +2246,7 @@  EXPORT_SYMBOL_GPL(__audit_inode_child);
 int auditsc_get_stamp(struct audit_context *ctx,
 		       struct timespec64 *t, unsigned int *serial)
 {
-	if (!ctx->in_syscall)
+	if (!ctx->in_syscall && !ctx->local)
 		return 0;
 	if (!ctx->serial)
 		ctx->serial = audit_serial();

[v28,21/25] audit: support non-syscall auxiliary records

Commit Message

Comments

Patch