From patchwork Tue Dec 17 23:08:49 2024
X-Patchwork-Submitter: Casey Schaufler
X-Patchwork-Id: 13912659
X-Patchwork-Delegate: paul@paul-moore.com
Hermes SMTP Server) with ESMTPA ID 617dfd7e8dbc08c7e277f225736da47f; Tue, 17 Dec 2024 23:09:01 +0000 (UTC) From: Casey Schaufler To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org Subject: [PATCH 1/6] Audit: Create audit_stamp structure Date: Tue, 17 Dec 2024 15:08:49 -0800 Message-ID: <20241217230854.6588-2-casey@schaufler-ca.com> X-Mailer: git-send-email 2.47.0 In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com> References: <20241217230854.6588-1-casey@schaufler-ca.com> Precedence: bulk X-Mailing-List: linux-security-module@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Replace the timestamp and serial number pair used in audit records with a structure containing the two elements. Signed-off-by: Casey Schaufler --- kernel/audit.c | 17 +++++++++-------- kernel/audit.h | 13 +++++++++---- kernel/auditsc.c | 22 +++++++++------------- 3 files changed, 27 insertions(+), 25 deletions(-) diff --git a/kernel/audit.c b/kernel/audit.c index 13d0144efaa3..310c1a7859bb 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1833,11 +1833,11 @@ unsigned int audit_serial(void) } static inline void audit_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) + struct audit_stamp *stamp) { - if (!ctx || !auditsc_get_stamp(ctx, t, serial)) { - ktime_get_coarse_real_ts64(t); - *serial = audit_serial(); + if (!ctx || !auditsc_get_stamp(ctx, stamp)) { + ktime_get_coarse_real_ts64(&stamp->ctime); + stamp->serial = audit_serial(); } } 
@@ -1860,8 +1860,7 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct timespec64 t; - unsigned int serial; + struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1916,12 +1915,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &t, &serial); + audit_get_stamp(ab->ctx, &stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)t.tv_sec, t.tv_nsec/1000000, serial); + (unsigned long long)stamp.ctime.tv_sec, + stamp.ctime.tv_nsec/1000000, + stamp.serial); return ab; } diff --git a/kernel/audit.h b/kernel/audit.h index 0211cb307d30..4d6dd2588f9b 100644 --- a/kernel/audit.h +++ b/kernel/audit.h @@ -99,6 +99,12 @@ struct audit_proctitle { char *value; /* the cmdline field */ }; +/* A timestamp/serial pair to identify an event */ +struct audit_stamp { + struct timespec64 ctime; /* time of syscall entry */ + unsigned int serial; /* serial number for record */ +}; + /* The per-task audit context. */ struct audit_context { int dummy; /* must be the first element */ @@ -108,10 +114,9 @@ struct audit_context { AUDIT_CTX_URING, /* in use by io_uring */ } context; enum audit_state state, current_state; - unsigned int serial; /* serial number for record */ + struct audit_stamp stamp; /* event identifier */ int major; /* syscall number */ int uring_op; /* uring operation */ - struct timespec64 ctime; /* time of syscall entry */ unsigned long argv[4]; /* syscall arguments */ long return_code;/* syscall return code */ u64 prio; 
@@ -263,7 +268,7 @@ extern void audit_put_tty(struct tty_struct *tty); extern unsigned int audit_serial(void); #ifdef CONFIG_AUDITSYSCALL extern int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial); + struct audit_stamp *stamp); extern void audit_put_watch(struct audit_watch *watch); extern void audit_get_watch(struct audit_watch *watch); @@ -304,7 +309,7 @@ extern void audit_filter_inodes(struct task_struct *tsk, struct audit_context *ctx); extern struct list_head *audit_killed_trees(void); #else /* CONFIG_AUDITSYSCALL */ -#define auditsc_get_stamp(c, t, s) 0 +#define auditsc_get_stamp(c, s) 0 #define audit_put_watch(w) do { } while (0) #define audit_get_watch(w) do { } while (0) #define audit_to_watch(k, p, l, o) (-EINVAL) diff --git a/kernel/auditsc.c b/kernel/auditsc.c index bb0e7346d916..6e16208c2968 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -994,10 +994,10 @@ static void audit_reset_context(struct audit_context *ctx) */ ctx->current_state = ctx->state; - ctx->serial = 0; + ctx->stamp.serial = 0; ctx->major = 0; ctx->uring_op = 0; - ctx->ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; + ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 }; memset(ctx->argv, 0, sizeof(ctx->argv)); ctx->return_code = 0; ctx->prio = (ctx->state == AUDIT_STATE_RECORD ? ~0ULL : 0); @@ -1917,7 +1917,7 @@ void __audit_uring_entry(u8 op) ctx->context = AUDIT_CTX_URING; ctx->current_state = ctx->state; - ktime_get_coarse_real_ts64(&ctx->ctime); + ktime_get_coarse_real_ts64(&ctx->stamp.ctime); } /** @@ -2039,7 +2039,7 @@ void __audit_syscall_entry(int major, unsigned long a1, unsigned long a2, context->argv[3] = a4; context->context = AUDIT_CTX_SYSCALL; context->current_state = state; - ktime_get_coarse_real_ts64(&context->ctime); + ktime_get_coarse_real_ts64(&context->stamp.ctime); } /** 
@@ -2510,21 +2510,17 @@ EXPORT_SYMBOL_GPL(__audit_inode_child); /** * auditsc_get_stamp - get local copies of audit_context values * @ctx: audit_context for the task - * @t: timespec64 to store time recorded in the audit_context - * @serial: serial value that is recorded in the audit_context + * @stamp: timestamp to record * * Also sets the context as auditable. */ -int auditsc_get_stamp(struct audit_context *ctx, - struct timespec64 *t, unsigned int *serial) +int auditsc_get_stamp(struct audit_context *ctx, struct audit_stamp *stamp) { if (ctx->context == AUDIT_CTX_UNUSED) return 0; - if (!ctx->serial) - ctx->serial = audit_serial(); - t->tv_sec = ctx->ctime.tv_sec; - t->tv_nsec = ctx->ctime.tv_nsec; - *serial = ctx->serial; + if (!ctx->stamp.serial) + ctx->stamp.serial = audit_serial(); + *stamp = ctx->stamp; if (!ctx->prio) { ctx->prio = 1; ctx->current_state = AUDIT_STATE_RECORD; From patchwork Tue Dec 17 23:08:50 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13912661 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic315-27.consmr.mail.ne1.yahoo.com (sonic315-27.consmr.mail.ne1.yahoo.com [66.163.190.153]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id A13361FA8CE for ; Tue, 17 Dec 2024 23:09:09 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.190.153 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734476953; cv=none; b=mRRHOVhrbUhMM7elhDVbYFMFJuIaHtvgKLlSR7NDbU4m0f30QxAsIiqY+2DwYk8+5peBmHHLocBaKAj2Gat2kuFkJ9N4AQhRk60COvelsu4HXuCMd2idiX10Pk0IB4/oKSAcjZ7HrChXmnAvQ/4I4QMQivlPeFauQcBiPnHlbCk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734476953; c=relaxed/simple; bh=7X9hxfGGCoo9NQbdiYRVgkQeK003on0AJNVvpehoTTg=; 
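Review bot: in the kernel/audit.h hunk of patch 1/6 that introduces struct audit_stamp, the member comment `/* time of syscall entry */` is narrower than the field's use: the kernel/auditsc.c hunks in the same patch fill stamp.ctime from both __audit_syscall_entry() and __audit_uring_entry(), so a wording such as `/* time the event was recorded */` would describe the new structure accurately.

Review bot: in the audit_reset_context() hunk of patch 1/6, the two members of ctx->stamp are zeroed by separate statements a few lines apart (`ctx->stamp.serial = 0;` and `ctx->stamp.ctime = (struct timespec64){ .tv_sec = 0, .tv_nsec = 0 };`). Now that the pair is one struct, a single `ctx->stamp = (struct audit_stamp){};` resets it in one place and will not go stale if a member is added later.

Review bot: in the auditsc_get_stamp() hunk of patch 1/6, the new kernel-doc line `@stamp: timestamp to record` reads as if the caller supplies a value, while the function copies the context's stamp out to it (`*stamp = ctx->stamp;`); `@stamp: where to store the context's timestamp/serial pair` matches the summary line "get local copies of audit_context values". The struct assignment itself is a welcome simplification over the old field-by-field copy.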
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 2/6] Audit: Allow multiple records in an audit_buffer
Date: Tue, 17 Dec 2024 15:08:50 -0800
Message-ID: <20241217230854.6588-3-casey@schaufler-ca.com>
In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com>
References: <20241217230854.6588-1-casey@schaufler-ca.com>

Replace the single skb pointer in an audit_buffer with a list of skb pointers. Add the audit_stamp information to the audit_buffer as there's no guarantee that there will be an audit_context containing the stamp associated with the event. At audit_log_end() time create auxiliary records (none are currently defined) as have been added to the list. Functions are created to manage the skb list in the audit_buffer.

Suggested-by: Paul Moore
Signed-off-by: Casey Schaufler
---
 kernel/audit.c | 111 +++++++++++++++++++++++++++++++++++++++----------
 1 file changed, 89 insertions(+), 22 deletions(-)

diff --git a/kernel/audit.c b/kernel/audit.c
index 310c1a7859bb..e259c48d6148 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -195,8 +195,10 @@ static struct audit_ctl_mutex { * to place it on a transmit queue. Multiple audit_buffers can be in * use simultaneously. */ struct audit_buffer { - struct sk_buff *skb; /* formatted skb ready to send */ + struct sk_buff *skb; /* the skb for audit_log functions */ + struct sk_buff_head skb_list; /* formatted skbs, ready to send */ struct audit_context *ctx; /* NULL or associated context */ + struct audit_stamp stamp; /* audit stamp for these records */ gfp_t gfp_mask; }; @@ -1776,10 +1778,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set); static void audit_buffer_free(struct audit_buffer *ab) { + struct sk_buff *skb; + if (!ab) return; - kfree_skb(ab->skb); + while ((skb = skb_dequeue(&ab->skb_list))) + kfree_skb(skb); kmem_cache_free(audit_buffer_cache, ab); } @@ -1795,6 +1800,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx, ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask); if (!ab->skb) goto err; + + skb_queue_head_init(&ab->skb_list); + skb_queue_tail(&ab->skb_list, ab->skb); + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) goto err; @@ -1860,7 +1869,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, int type) { struct audit_buffer *ab; - struct audit_stamp stamp; if (audit_initialized != AUDIT_INITIALIZED) return NULL; @@ -1915,14 +1923,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask, return NULL; } - audit_get_stamp(ab->ctx, &stamp); + audit_get_stamp(ab->ctx, &ab->stamp); /* cancel dummy context to enable supporting records */ if (ctx) ctx->dummy = 0; audit_log_format(ab, "audit(%llu.%03lu:%u): ", - (unsigned long long)stamp.ctime.tv_sec, - stamp.ctime.tv_nsec/1000000, - stamp.serial); + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); return ab; } 
@@ -2178,6 +2186,57 @@ void audit_log_key(struct audit_buffer *ab, char *key) audit_log_format(ab, "(null)"); } +/** + * audit_buffer_aux_new - Add an aux record buffer to the skb list + * @ab: audit_buffer + * @type: message type + * + * Aux records are allocated and added to the skb list of + * the "main" record. The ab->skb is reset to point to the + * aux record on its creation. When the aux record in complete + * ab->skb has to be reset to point to the "main" record. + * This allows the audit_log_ functions to be ignorant of + * which kind of record it is logging to. It also avoids adding + * special data for aux records. + * + * On success ab->skb will point to the new aux record. + * Returns 0 on success, -ENOMEM should allocation fail. + */ +static int audit_buffer_aux_new(struct audit_buffer *ab, int type) +{ + WARN_ON(ab->skb != skb_peek(&ab->skb_list)); + + ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask); + if (!ab->skb) + goto err; + if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0)) + goto err; + skb_queue_tail(&ab->skb_list, ab->skb); + + audit_log_format(ab, "audit(%llu.%03lu:%u): ", + (unsigned long long)ab->stamp.ctime.tv_sec, + ab->stamp.ctime.tv_nsec/1000000, + ab->stamp.serial); + + return 0; + +err: + kfree_skb(ab->skb); + ab->skb = skb_peek(&ab->skb_list); + return -ENOMEM; +} + +/** + * audit_buffer_aux_end - Switch back to the "main" record from an aux record + * @ab: audit_buffer + * + * Restores the "main" audit record to ab->skb. + */ +static void audit_buffer_aux_end(struct audit_buffer *ab) +{ + ab->skb = skb_peek(&ab->skb_list); +} + int audit_log_task_context(struct audit_buffer *ab) { struct lsm_prop prop; 
@@ -2412,26 +2471,14 @@ int audit_signal_info(int sig, struct task_struct *t) } /** - * audit_log_end - end one audit record - * @ab: the audit_buffer - * - * We can not do a netlink send inside an irq context because it blocks (last - * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a - * queue and a kthread is scheduled to remove them from the queue outside the - * irq context. May be called in any context. + * __audit_log_end - enqueue one audit record + * @skb: the buffer to send */ -void audit_log_end(struct audit_buffer *ab) +static void __audit_log_end(struct sk_buff *skb) { - struct sk_buff *skb; struct nlmsghdr *nlh; - if (!ab) - return; - if (audit_rate_check()) { - skb = ab->skb; - ab->skb = NULL; - /* setup the netlink header, see the comments in * kauditd_send_multicast_skb() for length quirks */ nlh = nlmsg_hdr(skb); 
@@ -2442,6 +2489,26 @@ void audit_log_end(struct audit_buffer *ab) wake_up_interruptible(&kauditd_wait); } else audit_log_lost("rate limit exceeded"); +} + +/** + * audit_log_end - end one audit record + * @ab: the audit_buffer + * + * We can not do a netlink send inside an irq context because it blocks (last + * arg, flags, is not set to MSG_DONTWAIT), so the audit buffer is placed on a + * queue and a kthread is scheduled to remove them from the queue outside the + * irq context. May be called in any context. + */ +void audit_log_end(struct audit_buffer *ab) +{ + struct sk_buff *skb; + + if (!ab) + return; + + while ((skb = skb_dequeue(&ab->skb_list))) + __audit_log_end(skb); audit_buffer_free(ab); } From patchwork Tue Dec 17 23:08:51 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Casey Schaufler X-Patchwork-Id: 13912660 X-Patchwork-Delegate: paul@paul-moore.com Received: from sonic317-39.consmr.mail.ne1.yahoo.com (sonic317-39.consmr.mail.ne1.yahoo.com [66.163.184.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B20841FA8F0 for ; Tue, 17 Dec 2024 23:09:10 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=66.163.184.50 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734476952; cv=none; b=dHPxxtHpeZ8+O6c4/o3IeAHNnYh+UzLZsz8t2DKQDyCLtyU1i2gHeqrr4rt8jMe6aOWDRUS7PF+rssVW3rPPBUJXcWqLPJ4+akOxC5rr1zyRca/AMwGrE0ryGXVTsZWCgl7HjvvDZduYx8QIghzY+pAwhiCQvobcmMKeaMBfbUg= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1734476952; c=relaxed/simple; bh=0aUGZASX0cHnq0alUMV4EmQsrOdVtGYRn1+UNt10Z4A=; h=From:To:Cc:Subject:Date:Message-ID:In-Reply-To:References: MIME-Version; 
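Review bot: in the audit_buffer_alloc() hunk of patch 2/6, skb_queue_head_init(&ab->skb_list) runs only after `if (!ab->skb) goto err;`, and the err label frees the buffer through audit_buffer_free(), which this patch changes to walk ab->skb_list with skb_dequeue(). When nlmsg_new() fails, that walk reads a list head that is still uninitialized memory from kmem_cache_alloc(). Move skb_queue_head_init() up to directly after kmem_cache_alloc() succeeds, so every path that reaches err sees a valid (possibly empty) list.

Review bot: in the hunk of patch 2/6 that adds audit_buffer_aux_new() and audit_buffer_aux_end(), both functions are static and have no caller in this patch, so a build at this point in the series emits defined-but-not-used warnings (fatal with -Werror) and hurts bisection; either introduce the first user here or mark them __maybe_unused until the patch that uses them. Two smaller points in the same hunk: the kernel-doc typo `When the aux record in complete` should read `is complete`, and the `audit(%llu.%03lu:%u): ` prefix is now formatted in two places (here and in audit_log_start()), so a small static helper taking a struct audit_stamp would keep the two from drifting apart.

Review bot: in the audit_log_end() hunk of patch 2/6, every dequeued skb goes through __audit_log_end(), which after the preceding hunk performs audit_rate_check() and the `rate limit exceeded` accounting per record rather than per event. With aux records on the list the limiter can drop the main record and keep its aux record, or the reverse, leaving a partial event in the log under one serial, and audit_log_lost() is bumped once per skb for a single lost event. Consider doing the rate check once in audit_log_end() before the loop and freeing the whole list when it fails, so an event is delivered or dropped as a unit.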
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 3/6] LSM: security_lsmblob_to_secctx module selection
Date: Tue, 17 Dec 2024 15:08:51 -0800
Message-ID: <20241217230854.6588-4-casey@schaufler-ca.com>
In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com>
References: <20241217230854.6588-1-casey@schaufler-ca.com>

Add a parameter lsmid to security_lsmblob_to_secctx() to identify which of the security modules that may be active should provide the security context. If the value of lsmid is LSM_ID_UNDEF the first LSM providing a hook is used. security_secid_to_secctx() is unchanged, and will always report the first LSM providing a hook.
Signed-off-by: Casey Schaufler --- include/linux/security.h | 6 ++++-- kernel/audit.c | 4 ++-- kernel/auditsc.c | 8 +++++--- net/netlabel/netlabel_user.c | 3 ++- security/security.c | 13 +++++++++++-- 5 files changed, 24 insertions(+), 10 deletions(-) diff --git a/include/linux/security.h b/include/linux/security.h index 980b6c207cad..540894695c4b 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -566,7 +566,8 @@ int security_setprocattr(int lsmid, const char *name, void *value, size_t size); int security_netlink_send(struct sock *sk, struct sk_buff *skb); int security_ismaclabel(const char *name); int security_secid_to_secctx(u32 secid, struct lsm_context *cp); -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp); +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid); int security_secctx_to_secid(const char *secdata, u32 seclen, u32 *secid); void security_release_secctx(struct lsm_context *cp); void security_inode_invalidate_secctx(struct inode *inode); @@ -1543,7 +1544,8 @@ static inline int security_secid_to_secctx(u32 secid, struct lsm_context *cp) } static inline int security_lsmprop_to_secctx(struct lsm_prop *prop, - struct lsm_context *cp) + struct lsm_context *cp, + int lsmid) { return -EOPNOTSUPP; } diff --git a/kernel/audit.c b/kernel/audit.c index e259c48d6148..5fe328f8fe22 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1475,7 +1475,7 @@ static int audit_receive_msg(struct sk_buff *skb, struct nlmsghdr *nlh, case AUDIT_SIGNAL_INFO: if (lsmprop_is_set(&audit_sig_lsm)) { err = security_lsmprop_to_secctx(&audit_sig_lsm, - &lsmctx); + &lsmctx, LSM_ID_UNDEF); if (err < 0) return err; } @@ -2247,7 +2247,7 @@ int audit_log_task_context(struct audit_buffer *ab) if (!lsmprop_is_set(&prop)) return 0; - error = security_lsmprop_to_secctx(&prop, &ctx); + error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; 
diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 6e16208c2968..3fbb1578b820 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c @@ -1109,7 +1109,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx) < 0) { + if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { audit_log_format(ab, " obj=(none)"); rc = 1; } else { @@ -1395,7 +1395,8 @@ static void show_special(struct audit_context *context, int *call_panic) struct lsm_context lsmctx; if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx) < 0) { + &lsmctx, + LSM_ID_UNDEF) < 0) { *call_panic = 1; } else { audit_log_format(ab, " obj=%s", lsmctx.context); @@ -1560,7 +1561,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, if (lsmprop_is_set(&n->oprop)) { struct lsm_context ctx; - if (security_lsmprop_to_secctx(&n->oprop, &ctx) < 0) { + if (security_lsmprop_to_secctx(&n->oprop, &ctx, + LSM_ID_UNDEF) < 0) { if (call_panic) *call_panic = 2; } else { diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 0d04d23aafe7..6d6545297ee3 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -98,7 +98,8 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_info->sessionid); if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx) > 0) { + security_lsmprop_to_secctx(&audit_info->prop, &ctx, + LSM_ID_UNDEF) > 0) { audit_log_format(audit_buf, " subj=%s", ctx.context); security_release_secctx(&ctx); } diff --git a/security/security.c b/security/security.c index 7523d14f31fb..82fa08e0e125 100644 --- a/security/security.c +++ b/security/security.c 
@@ -4304,6 +4304,7 @@ EXPORT_SYMBOL(security_ismaclabel); * security_secid_to_secctx() - Convert a secid to a secctx * @secid: secid * @cp: the LSM context + * @lsmid: which security module to report * * Convert secid to security context. If @cp is NULL the length of the * result will be returned, but no data will be returned. This 
@@ -4330,9 +4331,17 @@ EXPORT_SYMBOL(security_secid_to_secctx); * * Return: Return length of data on success, error on failure. */ -int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp) +int security_lsmprop_to_secctx(struct lsm_prop *prop, struct lsm_context *cp, + int lsmid) { - return call_int_hook(lsmprop_to_secctx, prop, cp); + struct lsm_static_call *scall; + + lsm_for_each_hook(scall, lsmprop_to_secctx) { + if (lsmid != 0 && lsmid != scall->hl->lsmid->id) + continue; + return scall->hl->hook.lsmprop_to_secctx(prop, cp); + } + return LSM_RET_DEFAULT(lsmprop_to_secctx); } EXPORT_SYMBOL(security_lsmprop_to_secctx);
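Review bot: the declaration changed in the include/linux/security.h hunk is security_lsmprop_to_secctx(), but the subject line and the opening sentence of the commit message refer to security_lsmblob_to_secctx(), a name that appears nowhere in the diff; rename it in the subject and body so the log matches the code it changes.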
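Review bot: the `+ * @lsmid: which security module to report` line in the security/security.c @@ -4304 hunk lands in the kerneldoc of security_secid_to_secctx(), the function the commit message says is unchanged (the context lines around it are `@secid: secid` and `@cp: the LSM context`); kernel-doc will report an excess parameter there, while the @@ -4330 hunk changes security_lsmprop_to_secctx() without adding @lsmid to its own comment block, which ends just above the modified prototype. Move the line to the second block.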
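Review bot: the selection test in the security/security.c @@ -4330 hunk, `if (lsmid != 0 && lsmid != scall->hl->lsmid->id)`, compares against a literal 0 while the commit message and every caller in kernel/audit.c, kernel/auditsc.c and net/netlabel/netlabel_user.c spell the wildcard as LSM_ID_UNDEF; write `lsmid != LSM_ID_UNDEF` so the intent survives if the constant ever changes. It is also worth a sentence in the kerneldoc that a request for an lsmid no active module matches falls through to `return LSM_RET_DEFAULT(lsmprop_to_secctx);`, the same value returned when no module provides the hook at all, so a caller cannot tell "that LSM is not active" from "unsupported".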
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 4/6] Audit: Add record for multiple task security contexts
Date: Tue, 17 Dec 2024 15:08:52 -0800
Message-ID: <20241217230854.6588-5-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com>
References: <20241217230854.6588-1-casey@schaufler-ca.com>

Create a new audit record AUDIT_MAC_TASK_CONTEXTS. An example of the MAC_TASK_CONTEXTS (1423) record is:

type=MAC_TASK_CONTEXTS[1423] msg=audit(1600880931.832:113) subj_apparmor=unconfined subj_smack=_

When an audit event includes an AUDIT_MAC_TASK_CONTEXTS record the "subj=" field in other records in the event will be "subj=?". An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on a subject security context.
Signed-off-by: Casey Schaufler --- include/linux/lsm_hooks.h | 1 + include/linux/security.h | 1 + include/uapi/linux/audit.h | 1 + kernel/audit.c | 45 ++++++++++++++++++++++++++++++++------ security/apparmor/lsm.c | 1 + security/bpf/hooks.c | 1 + security/security.c | 3 +++ security/selinux/hooks.c | 1 + security/smack/smack_lsm.c | 1 + 9 files changed, 48 insertions(+), 7 deletions(-) diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h index 090d1d3e19fe..68aeab69dd02 100644 --- a/include/linux/lsm_hooks.h +++ b/include/linux/lsm_hooks.h @@ -81,6 +81,7 @@ struct lsm_static_calls_table { struct lsm_id { const char *name; u64 id; + bool lsmprop; }; /* diff --git a/include/linux/security.h b/include/linux/security.h index 540894695c4b..fd930a74a6b6 100644 --- a/include/linux/security.h +++ b/include/linux/security.h @@ -168,6 +168,7 @@ struct lsm_prop { extern const char *const lockdown_reasons[LOCKDOWN_CONFIDENTIALITY_MAX+1]; extern u32 lsm_active_cnt; +extern u32 lsm_prop_cnt; extern const struct lsm_id *lsm_idlist[]; /* These functions are in security/commoncap.c */ diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 75e21a135483..49bbae475c35 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -146,6 +146,7 @@ #define AUDIT_IPE_ACCESS 1420 /* IPE denial or grant */ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ +#define AUDIT_MAC_TASK_CONTEXTS 1423 /* Multiple LSM task contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index 5fe328f8fe22..e8661be573a3 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -54,6 +54,7 @@ #include #include #include +#include #include #include #include 
@@ -2241,21 +2242,51 @@ int audit_log_task_context(struct audit_buffer *ab) { struct lsm_prop prop; struct lsm_context ctx; + bool space = false; int error; + int i; security_current_getlsmprop_subj(&prop); if (!lsmprop_is_set(&prop)) return 0; - error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); - if (error < 0) { - if (error != -EINVAL) - goto error_path; + if (lsm_prop_cnt < 2) { + error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return 0; + } + audit_log_format(ab, " subj=%s", ctx.context); + security_release_secctx(&ctx); return 0; } - - audit_log_format(ab, " subj=%s", ctx.context); - security_release_secctx(&ctx); + /* Multiple LSMs provide contexts. Include an aux record. */ + audit_log_format(ab, " subj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_active_cnt; i++) { + if (!lsm_idlist[i]->lsmprop) + continue; + error = security_lsmprop_to_secctx(&prop, &ctx, + lsm_idlist[i]->id); + if (error < 0) { + if (error == -EOPNOTSUPP) + continue; + audit_log_format(ab, "%ssubj_%s=?", space ? " " : "", + lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_task_context"); + } else { + audit_log_format(ab, "%ssubj_%s=%s", space ? " " : "", + lsm_idlist[i]->name, ctx.context); + security_release_secctx(&ctx); + } + space = true; + } + audit_buffer_aux_end(ab); return 0; error_path: diff --git a/security/apparmor/lsm.c b/security/apparmor/lsm.c index 1edc12862a7d..771bef511a38 100644 --- a/security/apparmor/lsm.c +++ b/security/apparmor/lsm.c @@ -1427,6 +1427,7 @@ struct lsm_blob_sizes apparmor_blob_sizes __ro_after_init = { static const struct lsm_id apparmor_lsmid = { .name = "apparmor", .id = LSM_ID_APPARMOR, + .lsmprop = true, }; static struct security_hook_list apparmor_hooks[] __ro_after_init = { 
diff --git a/security/bpf/hooks.c b/security/bpf/hooks.c index 3663aec7bcbd..64a11392856e 100644 --- a/security/bpf/hooks.c +++ b/security/bpf/hooks.c @@ -19,6 +19,7 @@ static struct security_hook_list bpf_lsm_hooks[] __ro_after_init = { static const struct lsm_id bpf_lsmid = { .name = "bpf", .id = LSM_ID_BPF, + .lsmprop = false, /* property exists, but will not be used */ }; static int __init bpf_lsm_init(void) diff --git a/security/security.c b/security/security.c index 82fa08e0e125..3c3cc65ba637 100644 --- a/security/security.c +++ b/security/security.c @@ -320,6 +320,7 @@ static void __init initialize_lsm(struct lsm_info *lsm) * Current index to use while initializing the lsm id list. */ u32 lsm_active_cnt __ro_after_init; +u32 lsm_prop_cnt __ro_after_init; const struct lsm_id *lsm_idlist[MAX_LSM_COUNT]; /* Populate ordered LSMs list from comma-separated LSM name list. */ @@ -626,6 +627,8 @@ void __init security_add_hooks(struct security_hook_list *hooks, int count, if (lsm_active_cnt >= MAX_LSM_COUNT) panic("%s Too many LSMs registered.\n", __func__); lsm_idlist[lsm_active_cnt++] = lsmid; + if (lsmid->lsmprop) + lsm_prop_cnt++; } for (i = 0; i < count; i++) { diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index a2e72f1212a3..05b857ef18a5 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -7141,6 +7141,7 @@ static int selinux_uring_cmd(struct io_uring_cmd *ioucmd) static const struct lsm_id selinux_lsmid = { .name = "selinux", .id = LSM_ID_SELINUX, + .lsmprop = true, }; /* diff --git a/security/smack/smack_lsm.c b/security/smack/smack_lsm.c index 55a556f17ade..adb052b1b5e6 100644 --- a/security/smack/smack_lsm.c +++ b/security/smack/smack_lsm.c 
@@ -5073,6 +5073,7 @@ struct lsm_blob_sizes smack_blob_sizes __ro_after_init = { static const struct lsm_id smack_lsmid = { .name = "smack", .id = LSM_ID_SMACK, + .lsmprop = true, }; static struct security_hook_list smack_hooks[] __ro_after_init = {
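Review bot: the `bool lsmprop` member added to struct lsm_id in the include/linux/lsm_hooks.h hunk has no comment saying when a module should set it; the only hint in the series is the `/* property exists, but will not be used */` remark in the security/bpf/hooks.c hunk. Document the field beside `name` and `id`: true means the module supplies lsmprop_to_secctx() contexts and is to be listed in the MAC_TASK_CONTEXTS record.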
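Review bot: in the kernel/audit.c @@ -2241 hunk the multi-LSM branch writes `audit_log_format(ab, " subj=?")` before `audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS)` can fail, so on failure the main record keeps a `subj=?` placeholder with no aux record to resolve it; create the aux record first, or emit `subj=?` only once it exists. The error handling also differs between the two branches: the single-LSM path does `goto error_path` and returns the error, while the loop calls audit_panic() inline for errors other than -EINVAL and -EOPNOTSUPP, keeps iterating, still calls audit_buffer_aux_end() and returns 0; pick one behaviour for both. Minor: `int i` is compared with the u32 `lsm_active_cnt`.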
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 5/6] Audit: multiple subject lsm values for netlabel
Date: Tue, 17 Dec 2024 15:08:53 -0800
Message-ID: <20241217230854.6588-6-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com>
References: <20241217230854.6588-1-casey@schaufler-ca.com>

Refactor audit_log_task_context(), creating a new audit_log_subject_context(). This is used in netlabel auditing to provide multiple subject security contexts as necessary.

Signed-off-by: Casey Schaufler --- include/linux/audit.h | 8 ++++++++ kernel/audit.c | 21 ++++++++++++++------- net/netlabel/netlabel_user.c | 9 +-------- 3 files changed, 23 insertions(+), 15 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index 0050ef288ab3..ee3e2ce70c45 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h @@ -37,6 +37,7 @@ struct audit_watch; struct audit_tree; struct sk_buff; struct kern_ipc_perm; +struct lsm_prop; struct audit_krule { u32 pflags; @@ -185,6 +186,8 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern int audit_log_subject_context(struct audit_buffer *ab, + struct lsm_prop *blob); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab);
@@ -245,6 +248,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline int audit_log_subject_context(struct audit_buffer *ab, + struct lsm_prop *prop) +{ + return 0; +} static inline int audit_log_task_context(struct audit_buffer *ab) { return 0; diff --git a/kernel/audit.c b/kernel/audit.c index e8661be573a3..f58bfa5c9635 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -2238,20 +2238,18 @@ static void audit_buffer_aux_end(struct audit_buffer *ab) ab->skb = skb_peek(&ab->skb_list); } -int audit_log_task_context(struct audit_buffer *ab) +int audit_log_subject_context(struct audit_buffer *ab, struct lsm_prop *prop) { - struct lsm_prop prop; struct lsm_context ctx; bool space = false; int error; int i; - security_current_getlsmprop_subj(&prop); - if (!lsmprop_is_set(&prop)) + if (!lsmprop_is_set(prop)) return 0; if (lsm_prop_cnt < 2) { - error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF); + error = security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF); if (error < 0) { if (error != -EINVAL) goto error_path; @@ -2270,7 +2268,7 @@ int audit_log_task_context(struct audit_buffer *ab) for (i = 0; i < lsm_active_cnt; i++) { if (!lsm_idlist[i]->lsmprop) continue; - error = security_lsmprop_to_secctx(&prop, &ctx, + error = security_lsmprop_to_secctx(prop, &ctx, lsm_idlist[i]->id); if (error < 0) { if (error == -EOPNOTSUPP) @@ -2290,9 +2288,18 @@ int audit_log_task_context(struct audit_buffer *ab) return 0; error_path: - audit_panic("error in audit_log_task_context"); + audit_panic("error in audit_log_subject_context"); return error; } +EXPORT_SYMBOL(audit_log_subject_context); + +int audit_log_task_context(struct audit_buffer *ab) +{ + struct lsm_prop prop; + + security_current_getlsmprop_subj(&prop); + return audit_log_subject_context(ab, &prop); +} EXPORT_SYMBOL(audit_log_task_context); void audit_log_d_path_exe(struct audit_buffer *ab, 
diff --git a/net/netlabel/netlabel_user.c b/net/netlabel/netlabel_user.c index 6d6545297ee3..3d46ea6a8bb8 100644 --- a/net/netlabel/netlabel_user.c +++ b/net/netlabel/netlabel_user.c @@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type, struct netlbl_audit *audit_info) { struct audit_buffer *audit_buf; - struct lsm_context ctx; if (audit_enabled == AUDIT_OFF) return NULL; 
@@ -96,13 +95,7 @@ struct audit_buffer *netlbl_audit_start_common(int type, audit_log_format(audit_buf, "netlabel: auid=%u ses=%u", from_kuid(&init_user_ns, audit_info->loginuid), audit_info->sessionid); - - if (lsmprop_is_set(&audit_info->prop) && - security_lsmprop_to_secctx(&audit_info->prop, &ctx, - LSM_ID_UNDEF) > 0) { - audit_log_format(audit_buf, " subj=%s", ctx.context); - security_release_secctx(&ctx); - } + audit_log_subject_context(audit_buf, &audit_info->prop); return audit_buf; }
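Review bot: the extern declaration added in the include/linux/audit.h @@ -185 hunk names the second parameter `blob` (`struct lsm_prop *blob`), while the CONFIG_AUDIT=n stub in the @@ -245 hunk and the definition in kernel/audit.c both call it `prop`; use `prop` in the declaration here rather than fixing it up in a later patch.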
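Review bot: the net/netlabel/netlabel_user.c @@ -96 hunk changes behaviour, not only structure: the removed code logged `subj=` only when security_lsmprop_to_secctx() returned > 0 and silently skipped every error, whereas audit_log_subject_context() (kernel/audit.c @@ -2290 hunk) reaches `audit_panic("error in audit_log_subject_context")` for any error other than -EINVAL, and its int return value is discarded by the new call. If escalating netlabel audit failures to audit_panic() is intended, say so in the commit message; otherwise check the return value or keep the old skip-on-error behaviour.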
From: Casey Schaufler
To: casey@schaufler-ca.com, paul@paul-moore.com, eparis@redhat.com, linux-security-module@vger.kernel.org, audit@vger.kernel.org
Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org
Subject: [PATCH 6/6] Audit: Add record for multiple object contexts
Date: Tue, 17 Dec 2024 15:08:54 -0800
Message-ID: <20241217230854.6588-7-casey@schaufler-ca.com>
X-Mailer: git-send-email 2.47.0
In-Reply-To: <20241217230854.6588-1-casey@schaufler-ca.com>
References: <20241217230854.6588-1-casey@schaufler-ca.com>

Create a new audit record AUDIT_MAC_OBJ_CONTEXTS. An example of the MAC_OBJ_CONTEXTS (1424) record is:

type=MAC_OBJ_CONTEXTS[1424] msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0

When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record the "obj=" field in other records in the event will be "obj=?". An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has multiple security modules that may make access decisions based on an object security context.

Signed-off-by: Casey Schaufler --- include/linux/audit.h | 7 +++- include/uapi/linux/audit.h | 1 + kernel/audit.c | 51 ++++++++++++++++++++++- kernel/auditsc.c | 85 ++++++++++++-------------------------- 4 files changed, 83 insertions(+), 61 deletions(-) diff --git a/include/linux/audit.h b/include/linux/audit.h index ee3e2ce70c45..16b89cbd6ac7 100644 --- a/include/linux/audit.h +++ b/include/linux/audit.h
@@ -186,8 +186,10 @@ extern void audit_log_path_denied(int type, const char *operation); extern void audit_log_lost(const char *message); +extern void audit_log_object_context(struct audit_buffer *ab, + struct lsm_prop *prop); extern int audit_log_subject_context(struct audit_buffer *ab, - struct lsm_prop *blob); + struct lsm_prop *prop); extern int audit_log_task_context(struct audit_buffer *ab); extern void audit_log_task_info(struct audit_buffer *ab); @@ -248,6 +250,9 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key) { } static inline void audit_log_path_denied(int type, const char *operation) { } +static inline void audit_log_object_context(struct audit_buffer *ab, + struct lsm_prop *prop) +{ } static inline int audit_log_subject_context(struct audit_buffer *ab, struct lsm_prop *prop) { diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h index 49bbae475c35..3e7462f9d80e 100644 --- a/include/uapi/linux/audit.h +++ b/include/uapi/linux/audit.h @@ -147,6 +147,7 @@ #define AUDIT_IPE_CONFIG_CHANGE 1421 /* IPE config change */ #define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */ #define AUDIT_MAC_TASK_CONTEXTS 1423 /* Multiple LSM task contexts */ +#define AUDIT_MAC_OBJ_CONTEXTS 1424 /* Multiple LSM objext contexts */ #define AUDIT_FIRST_KERN_ANOM_MSG 1700 #define AUDIT_LAST_KERN_ANOM_MSG 1799 diff --git a/kernel/audit.c b/kernel/audit.c index f58bfa5c9635..62041cea6aba 100644 --- a/kernel/audit.c +++ b/kernel/audit.c @@ -1116,7 +1116,6 @@ static int is_audit_feature_set(int i) return af.features & AUDIT_FEATURE_TO_MASK(i); } - static int audit_get_feature(struct sk_buff *skb) { u32 seq; 
@@ -2302,6 +2301,56 @@ int audit_log_task_context(struct audit_buffer *ab) } EXPORT_SYMBOL(audit_log_task_context); +void audit_log_object_context(struct audit_buffer *ab, struct lsm_prop *prop) +{ + int i; + int error; + bool space = false; + struct lsm_context context; + + if (lsm_prop_cnt < 2) { + error = security_lsmprop_to_secctx(prop, &context, + LSM_ID_UNDEF); + if (error < 0) { + if (error != -EINVAL) + goto error_path; + return; + } + audit_log_format(ab, " obj=%s", context.context); + security_release_secctx(&context); + return; + } + audit_log_format(ab, " obj=?"); + error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS); + if (error) + goto error_path; + + for (i = 0; i < lsm_prop_cnt; i++) { + if (!lsm_idlist[i]->lsmprop) + continue; + error = security_lsmprop_to_secctx(prop, &context, + lsm_idlist[i]->id); + if (error < 0) { + audit_log_format(ab, "%sobj_%s=?", + space ? " " : "", lsm_idlist[i]->name); + if (error != -EINVAL) + audit_panic("error in audit_log_object_context"); + } else { + audit_log_format(ab, "%sobj_%s=%s", + space ? " " : "", lsm_idlist[i]->name, + context.context); + security_release_secctx(&context); + } + space = true; + } + + audit_buffer_aux_end(ab); + return; + +error_path: + audit_panic("error in audit_log_object_context"); +} + void audit_log_d_path_exe(struct audit_buffer *ab, struct mm_struct *mm) { diff --git a/kernel/auditsc.c b/kernel/auditsc.c index 3fbb1578b820..e5faeab03a56 100644 --- a/kernel/auditsc.c +++ b/kernel/auditsc.c 
@@ -1092,36 +1092,24 @@ static inline void audit_free_context(struct audit_context *context) kfree(context); } -static int audit_log_pid_context(struct audit_context *context, pid_t pid, - kuid_t auid, kuid_t uid, - unsigned int sessionid, struct lsm_prop *prop, - char *comm) +static void audit_log_pid_context(struct audit_context *context, pid_t pid, + kuid_t auid, kuid_t uid, + unsigned int sessionid, struct lsm_prop *prop, + char *comm) { struct audit_buffer *ab; - struct lsm_context ctx; - int rc = 0; ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID); if (!ab) - return rc; + return; audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, from_kuid(&init_user_ns, auid), from_kuid(&init_user_ns, uid), sessionid); - if (lsmprop_is_set(prop)) { - if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) { - audit_log_format(ab, " obj=(none)"); - rc = 1; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } - audit_log_format(ab, " ocomm="); - audit_log_untrustedstring(ab, comm); - audit_log_end(ab); + if (lsmprop_is_set(prop)) + audit_log_object_context(ab, prop); - return rc; + return; } static void audit_log_execve_info(struct audit_context *context, @@ -1391,18 +1379,8 @@ static void show_special(struct audit_context *context, int *call_panic) from_kuid(&init_user_ns, context->ipc.uid), from_kgid(&init_user_ns, context->ipc.gid), context->ipc.mode); - if (lsmprop_is_set(&context->ipc.oprop)) { - struct lsm_context lsmctx; - - if (security_lsmprop_to_secctx(&context->ipc.oprop, - &lsmctx, - LSM_ID_UNDEF) < 0) { - *call_panic = 1; - } else { - audit_log_format(ab, " obj=%s", lsmctx.context); - security_release_secctx(&lsmctx); - } - } + if (lsmprop_is_set(&context->ipc.oprop)) + audit_log_object_context(ab, &context->ipc.oprop); if (context->ipc.has_perm) { audit_log_end(ab); ab = audit_log_start(context, GFP_KERNEL, 
@@ -1558,18 +1536,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n, from_kgid(&init_user_ns, n->gid), MAJOR(n->rdev), MINOR(n->rdev)); - if (lsmprop_is_set(&n->oprop)) { - struct lsm_context ctx; - - if (security_lsmprop_to_secctx(&n->oprop, &ctx, - LSM_ID_UNDEF) < 0) { - if (call_panic) - *call_panic = 2; - } else { - audit_log_format(ab, " obj=%s", ctx.context); - security_release_secctx(&ctx); - } - } + if (lsmprop_is_set(&n->oprop)) + audit_log_object_context(ab, &n->oprop); /* log the audit_names record type */ switch (n->type) { @@ -1774,21 +1742,20 @@ static void audit_log_exit(void) struct audit_aux_data_pids *axs = (void *)aux; for (i = 0; i < axs->pid_count; i++) - if (audit_log_pid_context(context, axs->target_pid[i], - axs->target_auid[i], - axs->target_uid[i], - axs->target_sessionid[i], - &axs->target_ref[i], - axs->target_comm[i])) - call_panic = 1; - } - - if (context->target_pid && - audit_log_pid_context(context, context->target_pid, - context->target_auid, context->target_uid, - context->target_sessionid, - &context->target_ref, context->target_comm)) - call_panic = 1; + audit_log_pid_context(context, axs->target_pid[i], + axs->target_auid[i], + axs->target_uid[i], + axs->target_sessionid[i], + &axs->target_ref[i], + axs->target_comm[i]); + } + + if (context->target_pid) + audit_log_pid_context(context, context->target_pid, + context->target_auid, context->target_uid, + context->target_sessionid, + &context->target_ref, + context->target_comm); if (context->pwd.dentry && context->pwd.mnt) { ab = audit_log_start(context, GFP_KERNEL, AUDIT_CWD);
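Review bot: in the include/linux/audit.h hunk at @@ -186, audit_log_object_context() is declared void while audit_log_subject_context() directly beneath it returns int; the auditsc.c callers used to propagate an object-context failure through call_panic and now cannot, so either return an int here as well or say in the commit message why the object variant handles its own audit_panic() internally, so the two helpers share one error convention.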
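Review bot: typo in the new uapi comment in include/uapi/linux/audit.h: `/* Multiple LSM objext contexts */` should read `object`; this header is user-visible, so it is worth fixing before merge.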
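Review bot: the kernel/audit.c hunk at @@ -1116 only removes the blank line between is_audit_feature_set() and audit_get_feature(); that is an unrelated whitespace change and should be dropped from this patch.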
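Review bot: in audit_log_object_context() (kernel/audit.c @@ -2302) the two paths disagree on what -EINVAL produces: with lsm_prop_cnt < 2 an -EINVAL return leaves the record with no obj= field at all, while the per-LSM loop logs `obj_<name>=?` for the same error, and the code this replaces wrote ` obj=(none)` in audit_log_pid_context(). Consider emitting ` obj=?` in the single-LSM -EINVAL case so consumers always see the field, and note the disappearance of `obj=(none)` in the commit message. Two smaller points: once ` obj=?` has been written, a failing audit_buffer_aux_new() jumps to error_path and the main record promises an aux record that never arrives; and the loop calls audit_panic() per failing LSM but keeps going, whereas the short path stops at the first error, so pick one behaviour for both.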
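Review bot: the kernel/auditsc.c hunk at @@ -1092 drops more than the old obj= block: the three lines
`audit_log_format(ab, " ocomm=");`
`audit_log_untrustedstring(ab, comm);`
`audit_log_end(ab);`
are removed and nothing replaces them, so after the new audit_log_object_context(ab, prop) call the function returns without logging ocomm= and without ever ending the buffer; the AUDIT_OBJ_PID record is never emitted and the buffer leaks, and the comm parameter becomes unused. Restore those three lines after the object-context call; the trailing bare `return;` in a void function can go at the same time.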
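Review bot: in show_special() (@@ -1391) the old code deferred a secctx failure through *call_panic = 1 so the IPC record was completed before audit_panic() ran at the end of audit_log_exit(); audit_log_object_context() now panics inline, in the middle of the record. If that is intended it should be stated in the commit message, and since call_panic is still passed into show_special(), check whether it has any remaining writer in this function or can be dropped.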
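Review bot: the audit_log_name() hunk at @@ -1558 removes the only visible writer of *call_panic (the old `*call_panic = 2`); verify whether the call_panic parameter of audit_log_name() is still set anywhere else and, if not, remove it together with the NULL check that guarded it, rather than leaving a dead parameter behind.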
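Review bot: in audit_log_exit() (@@ -1774) the `call_panic = 1` assignments go away because audit_log_pid_context() is now void, which also moves the panic from after the exit records are flushed to inside the helper; that is acceptable if deliberate but deserves a sentence in the commit message. Style-wise, the new for-loop body is a single six-line call without braces right before the block's closing `}`, which is easy to misread; braces around the loop body would help.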
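For the log-consumer side of the record format the commit message describes (obj=? in the per-object records, one obj_<lsm>= field per security module in MAC_OBJ_CONTEXTS), here is an added example of correlating the two by event serial; this is editor-added Python, not part of the patch or the audit userspace tools, and the sample event and the obj_apparmor=? value in it are constructed.

```python
import re
from typing import Dict, List, Optional

# Constructed sample event (not from the patch): a PATH record whose obj=
# field is "?" plus the MAC_OBJ_CONTEXTS record carrying one obj_<lsm>=
# field per LSM. "obj_apparmor=?" is a constructed value standing for an
# LSM whose context the kernel could not produce.
SAMPLE_EVENT = """\
type=SYSCALL msg=audit(1601152467.009:1050): arch=c000003e syscall=257 success=yes exit=3
type=PATH msg=audit(1601152467.009:1050): item=0 name="/home/u/f" inode=1234 obj=?
type=MAC_OBJ_CONTEXTS msg=audit(1601152467.009:1050): obj_selinux=unconfined_u:object_r:user_home_t:s0 obj_apparmor=?
"""

# Record header; the optional [1424] suffix is the numeric type some tools print.
HDR_RE = re.compile(r'^type=(\w+)(?:\[\d+\])? msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# key=value pairs; values are either a quoted string or a run of non-blanks.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_record(line: str) -> dict:
    """Split one audit record into its type, event serial and key=value fields."""
    m = HDR_RE.match(line.strip())
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    rtype, _ts, serial, rest = m.groups()
    return {"type": rtype, "serial": int(serial), "fields": dict(FIELD_RE.findall(rest))}


def object_contexts(records: List[dict]) -> Dict[int, Dict[str, Optional[str]]]:
    """Map event serial -> {lsm name: context}; None where the kernel logged obj_<lsm>=?."""
    per_event: Dict[int, Dict[str, Optional[str]]] = {}
    for rec in records:
        if rec["type"] != "MAC_OBJ_CONTEXTS":
            continue
        ctx = per_event.setdefault(rec["serial"], {})
        for key, val in rec["fields"].items():
            if key.startswith("obj_"):
                ctx[key[len("obj_"):]] = None if val == "?" else val
    return per_event


def resolve_event(text: str) -> List[dict]:
    """Parse an event and attach per-LSM contexts to each record carrying obj=?.

    Records with a concrete obj= value (single-LSM kernels) are left untouched.
    """
    records = [parse_record(ln) for ln in text.splitlines() if ln.strip()]
    by_serial = object_contexts(records)
    for rec in records:
        if rec["fields"].get("obj") == "?":
            rec["obj_contexts"] = by_serial.get(rec["serial"], {})
    return records
```

A None in the returned mapping is the signal a detection pipeline should alert on: the kernel attempted to log that LSM's object context and could not.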