[PATCH v31 25/28] Audit: Add record for multiple task security contexts
Casey Schaufler
casey at schaufler-ca.com
Mon Dec 13 23:40:31 UTC 2021
Create a new audit record AUDIT_MAC_TASK_CONTEXTS.
An example of the MAC_TASK_CONTEXTS (1420) record is:
type=MAC_TASK_CONTEXTS[1420]
msg=audit(1600880931.832:113)
subj_apparmor=unconfined
subj_smack=_
When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record
the "subj=" field in other records in the event will be "subj=?".
An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on a subject security context.
Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>
---
include/linux/security.h | 9 ++++++
include/uapi/linux/audit.h | 1 +
kernel/audit.c | 58 ++++++++++++++++++++++++++++++++------
3 files changed, 60 insertions(+), 8 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index bec8505f2ce5..a54179451410 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -231,6 +231,15 @@ static inline bool lsmblob_equal(struct lsmblob *bloba, struct lsmblob *blobb)
extern int lsm_name_to_slot(char *name);
extern const char *lsm_slot_to_name(int slot);
+static inline bool lsm_multiple_contexts(void)
+{
+#ifdef CONFIG_SECURITY
+ return lsm_slot_to_name(1) != NULL;
+#else
+ return false;
+#endif
+}
+
/**
* lsmblob_value - find the first non-zero value in an lsmblob structure.
* @blob: Pointer to the data
diff --git a/include/uapi/linux/audit.h b/include/uapi/linux/audit.h
index 9176a095fefc..86ad3da4f0d4 100644
--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -143,6 +143,7 @@
#define AUDIT_MAC_UNLBL_STCDEL 1417 /* NetLabel: del a static label */
#define AUDIT_MAC_CALIPSO_ADD 1418 /* NetLabel: add CALIPSO DOI entry */
#define AUDIT_MAC_CALIPSO_DEL 1419 /* NetLabel: del CALIPSO DOI entry */
+#define AUDIT_MAC_TASK_CONTEXTS 1420 /* Multiple LSM task contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799
diff --git a/kernel/audit.c b/kernel/audit.c
index fc3662ff126e..4ee2bf620df7 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -197,6 +197,9 @@ static struct audit_ctl_mutex {
struct audit_context_entry {
struct list_head list;
int type; /* Audit record type */
+ union {
+ struct lsmblob lsm_subjs;
+ };
};
/* The audit_buffer is used when formatting an audit record. The caller
@@ -2149,15 +2152,30 @@ int audit_log_task_context(struct audit_buffer *ab)
if (!lsmblob_is_set(&blob))
return 0;
- error = security_secid_to_secctx(&blob, &context, LSMBLOB_FIRST);
- if (error) {
- if (error != -EINVAL)
+ if (!lsm_multiple_contexts()) {
+ error = security_secid_to_secctx(&blob, &context,
+ LSMBLOB_FIRST);
+ if (error) {
+ if (error != -EINVAL)
+ goto error_path;
+ return 0;
+ }
+ audit_log_format(ab, " subj=%s", context.context);
+ security_release_secctx(&context);
+ } else {
+ struct audit_context_entry *ace;
+
+ audit_log_format(ab, " subj=?");
+ ace = kzalloc(sizeof(*ace), ab->gfp_mask);
+ if (!ace) {
+ error = -ENOMEM;
goto error_path;
- return 0;
+ }
+ INIT_LIST_HEAD(&ace->list);
+ ace->type = AUDIT_MAC_TASK_CONTEXTS;
+ ace->lsm_subjs = blob;
+ list_add(&ace->list, &ab->aux_records);
}
-
- audit_log_format(ab, " subj=%s", context.context);
- security_release_secctx(&context);
return 0;
error_path:
@@ -2419,9 +2437,12 @@ void audit_log_end(struct audit_buffer *ab)
struct audit_context_entry *entry;
struct audit_context mcontext;
struct audit_context *mctx;
+ struct lsmcontext lcontext;
struct audit_buffer *mab;
struct list_head *l;
struct list_head *n;
+ int rc;
+ int i;
if (!ab)
return;
@@ -2434,6 +2455,7 @@ void audit_log_end(struct audit_buffer *ab)
}
if (ab->ctx == NULL) {
+ mcontext.context = AUDIT_CTX_SYSCALL;
mcontext.stamp = ab->stamp;
mctx = &mcontext;
} else
@@ -2447,7 +2469,27 @@ void audit_log_end(struct audit_buffer *ab)
continue;
}
switch (entry->type) {
- /* Don't know of any quite yet. */
+ case AUDIT_MAC_TASK_CONTEXTS:
+ for (i = 0; i < LSMBLOB_ENTRIES; i++) {
+ if (entry->lsm_subjs.secid[i] == 0)
+ continue;
+ rc = security_secid_to_secctx(&entry->lsm_subjs,
+ &lcontext, i);
+ if (rc) {
+ if (rc != -EINVAL)
+ audit_panic("error in audit_log_end");
+ audit_log_format(mab, "%ssubj_%s=?",
+ i ? " " : "",
+ lsm_slot_to_name(i));
+ } else {
+ audit_log_format(mab, "%ssubj_%s=%s",
+ i ? " " : "",
+ lsm_slot_to_name(i),
+ lcontext.context);
+ security_release_secctx(&lcontext);
+ }
+ }
+ break;
default:
audit_panic("Unknown type in audit_log_end");
break;
--
2.31.1
More information about the Linux-security-module-archive
mailing list