[PATCH v5 0/5] Audit: Records for multiple security contexts

Sat Aug 16 17:27:51 UTC 2025

Opps. script error. Please disregard.

On 8/16/2025 9:41 AM, Casey Schaufler wrote:
> The Linux audit system includes LSM based security "context" information
> in its events. Historically, only one LSM that uses security contexts can
> be active on a system. One of the few obsticles to allowing multiple LSM
> support is the inability to report more than one security context in an
> audit event. This patchset provides a mechanism to provide supplimental
> records containing more than one security context for subjects and
> objects.
>
> The mechanism for reporting multiple security contexts inspired
> considerable discussion. It would have been possible to add multiple
> contexts to existing records using sophisticated formatting. This would
> have significant backward compatibility issues, and require additional
> parsing in user space code. Adding new records for an event that contain
> the contexts is more in keeping with the way audit events have been
> constructed in the past.
>
> Only audit events associated with system calls have required multiple
> records prior to this. Mechanism has been added allowing any event
> to be composed of multiple records. This should make it easier to
> add information to existing audit events without breaking backward
> compatability.
>
> v5:
> Comment on the LSM_ID_UNDEF behavior in security_secid_to_secctx().
> Change some names to better reflect their purpose.
> Move alignment changes into a separate patch.
> v4:
> Use LSM_ID_UNDEF when checking for valid LSM IDs in
> security_lsmprop_to_secctx().
> Fix the object record to include only those for LSMs that use them.
> Squash the two patches dealing with subject contexts.
> Base the patches on Paul Moore's LSM initialization patchset.
> https://lore.kernel.org/all/20250409185019.238841-31-paul@paul-moore.com/
> v3:
> Rework how security modules identify that they provide security
> contexts to the audit system. Maintain a list within the audit
> system of the security modules that provide security contexts.
> Revert the separate counts of subject and object contexts.
> v2:
> Maintain separate counts for LSMs using subject contexts and object
> contexts. AppArmor uses the former but not the latter.
> Correct error handling in object record creation.
>
> https://github.com/cschaufler/lsm-stacking#audit-6.16-rc4-v5
>
> Casey Schaufler (5):
>   Audit: Create audit_stamp structure
>   LSM: security_lsmblob_to_secctx module selection
>   Audit: Add record for multiple task security contexts
>   Audit: Fix indentation in audit_log_exit
>   Audit: Add record for multiple object contexts
>
>  include/linux/audit.h        |  23 +++
>  include/linux/security.h     |   6 +-
>  include/uapi/linux/audit.h   |   2 +
>  kernel/audit.c               | 274 ++++++++++++++++++++++++++++++-----
>  kernel/audit.h               |  13 +-
>  kernel/auditsc.c             |  65 +++------
>  net/netlabel/netlabel_user.c |   8 +-
>  security/apparmor/lsm.c      |   3 +
>  security/lsm.h               |   4 -
>  security/lsm_init.c          |   5 -
>  security/security.c          |  21 ++-
>  security/selinux/hooks.c     |   5 +
>  security/smack/smack_lsm.c   |   5 +
>  13 files changed, 325 insertions(+), 109 deletions(-)
>