[PATCH v12 22/25] Audit: Include object data for all security modules

Stephen Smalley sds at tycho.nsa.gov
Wed Dec 18 18:02:35 UTC 2019


On 12/16/19 5:36 PM, Casey Schaufler wrote:
> When there is more than one context displaying security
> module extend what goes into the audit record by supplimenting
> the "obj=" with an "obj_<lsm>=" for each such security
> module.
> 
> Signed-off-by: Casey Schaufler <casey at schaufler-ca.com>

Disclaimer: requires ack by audit maintainers.  For me,
Acked-by: Stephen Smalley <sds at tycho.nsa.gov>

> ---
>   kernel/audit.h   |   4 +-
>   kernel/auditsc.c | 110 ++++++++++++++++++++++++-----------------------
>   2 files changed, 58 insertions(+), 56 deletions(-)
> 
> diff --git a/kernel/audit.h b/kernel/audit.h
> index af9bc09e656c..c9f1e1641542 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -78,7 +78,7 @@ struct audit_names {
>   	kuid_t			uid;
>   	kgid_t			gid;
>   	dev_t			rdev;
> -	u32			osid;
> +	struct lsmblob		oblob;
>   	struct audit_cap_data	fcap;
>   	unsigned int		fcap_ver;
>   	unsigned char		type;		/* record type */
> @@ -152,7 +152,7 @@ struct audit_context {
>   			kuid_t			uid;
>   			kgid_t			gid;
>   			umode_t			mode;
> -			u32			osid;
> +			struct lsmblob		oblob;
>   			int			has_perm;
>   			uid_t			perm_uid;
>   			gid_t			perm_gid;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index e0dd643e9b13..0c071947c2b3 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -659,17 +659,15 @@ static int audit_filter_rules(struct task_struct *tsk,
>   			if (f->lsm_rule) {
>   				/* Find files that match */
>   				if (name) {
> -					lsmblob_init(&blob, name->osid);
>   					result = security_audit_rule_match(
> -								&blob,
> +								&name->oblob,
>   								f->type,
>   								f->op,
>   								f->lsm_rule);
>   				} else if (ctx) {
>   					list_for_each_entry(n, &ctx->names_list, list) {
> -						lsmblob_init(&blob, n->osid);
>   						if (security_audit_rule_match(
> -								&blob,
> +								&n->oblob,
>   								f->type,
>   								f->op,
>   								f->lsm_rule)) {
> @@ -681,8 +679,7 @@ static int audit_filter_rules(struct task_struct *tsk,
>   				/* Find ipc objects that match */
>   				if (!ctx || ctx->type != AUDIT_IPC)
>   					break;
> -				lsmblob_init(&blob, ctx->ipc.osid);
> -				if (security_audit_rule_match(&blob,
> +				if (security_audit_rule_match(&ctx->ipc.oblob,
>   							      f->type, f->op,
>   							      f->lsm_rule))
>   					++result;
> @@ -956,13 +953,57 @@ static inline void audit_free_context(struct audit_context *context)
>   	kfree(context);
>   }
>   
> +static int audit_log_object_context(struct audit_buffer *ab,
> +				    struct lsmblob *blob)
> +{
> +	struct lsmcontext context;
> +	const char *lsm;
> +	int i;
> +
> +	/*
> +	 * None of the installed modules have object labels.
> +	 */
> +	if (security_lsm_slot_name(0) == NULL)
> +		return 0;
> +
> +	if (blob->secid[0] != 0) {
> +		if (security_secid_to_secctx(blob, &context, 0)) {
> +			audit_log_format(ab, " obj=?");
> +			return 1;
> +		}
> +		audit_log_format(ab, " obj=%s", context.context);
> +		security_release_secctx(&context);
> +	}
> +
> +	/*
> +	 * Don't do anything more unless there is more than one LSM
> +	 * with a security context to report.
> +	 */
> +	if (security_lsm_slot_name(1) == NULL)
> +		return 0;
> +
> +	for (i = 0; i < LSMBLOB_ENTRIES; i++) {
> +		lsm = security_lsm_slot_name(i);
> +		if (lsm == NULL)
> +			break;
> +		if (blob->secid[i] == 0)
> +			continue;
> +		if (security_secid_to_secctx(blob, &context, i)) {
> +			audit_log_format(ab, " obj_%s=?", lsm);
> +			continue;
> +		}
> +		audit_log_format(ab, " obj_%s=%s", lsm, context.context);
> +		security_release_secctx(&context);
> +	}
> +	return 0;
> +}
> +
>   static int audit_log_pid_context(struct audit_context *context, pid_t pid,
>   				 kuid_t auid, kuid_t uid,
>   				 unsigned int sessionid,
>   				 struct lsmblob *blob, char *comm)
>   {
>   	struct audit_buffer *ab;
> -	struct lsmcontext lsmctx;
>   	int rc = 0;
>   
>   	ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
> @@ -972,15 +1013,7 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
>   	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
>   			 from_kuid(&init_user_ns, auid),
>   			 from_kuid(&init_user_ns, uid), sessionid);
> -	if (lsmblob_is_set(blob)) {
> -		if (security_secid_to_secctx(blob, &lsmctx, LSMBLOB_FIRST)) {
> -			audit_log_format(ab, " obj=(none)");
> -			rc = 1;
> -		} else {
> -			audit_log_format(ab, " obj=%s", lsmctx.context);
> -			security_release_secctx(&lsmctx);
> -		}
> -	}
> +	rc = audit_log_object_context(ab, blob);
>   	audit_log_format(ab, " ocomm=");
>   	audit_log_untrustedstring(ab, comm);
>   	audit_log_end(ab);
> @@ -1207,26 +1240,14 @@ static void show_special(struct audit_context *context, int *call_panic)
>   				context->socketcall.args[i]);
>   		break; }
>   	case AUDIT_IPC: {
> -		u32 osid = context->ipc.osid;
> +		struct lsmblob *oblob = & context->ipc.oblob;
>   
>   		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
>   				 from_kuid(&init_user_ns, context->ipc.uid),
>   				 from_kgid(&init_user_ns, context->ipc.gid),
>   				 context->ipc.mode);
> -		if (osid) {
> -			struct lsmcontext lsmcxt;
> -			struct lsmblob blob;
> -
> -			lsmblob_init(&blob, osid);
> -			if (security_secid_to_secctx(&blob, &lsmcxt,
> -						     LSMBLOB_FIRST)) {
> -				audit_log_format(ab, " osid=%u", osid);
> -				*call_panic = 1;
> -			} else {
> -				audit_log_format(ab, " obj=%s", lsmcxt.context);
> -				security_release_secctx(&lsmcxt);
> -			}
> -		}
> +		if (audit_log_object_context(ab, oblob))
> +			*call_panic = 1;
>   		if (context->ipc.has_perm) {
>   			audit_log_end(ab);
>   			ab = audit_log_start(context, GFP_KERNEL,
> @@ -1366,20 +1387,8 @@ static void audit_log_name(struct audit_context *context, struct audit_names *n,
>   				 from_kgid(&init_user_ns, n->gid),
>   				 MAJOR(n->rdev),
>   				 MINOR(n->rdev));
> -	if (n->osid != 0) {
> -		struct lsmblob blob;
> -		struct lsmcontext lsmctx;
> -
> -		lsmblob_init(&blob, n->osid);
> -		if (security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_FIRST)) {
> -			audit_log_format(ab, " osid=%u", n->osid);
> -			if (call_panic)
> -				*call_panic = 2;
> -		} else {
> -			audit_log_format(ab, " obj=%s", lsmctx.context);
> -			security_release_secctx(&lsmctx);
> -		}
> -	}
> +	if (audit_log_object_context(ab, &n->oblob) && call_panic)
> +		*call_panic = 2;
>   
>   	/* log the audit_names record type */
>   	switch (n->type) {
> @@ -1929,17 +1938,13 @@ static void audit_copy_inode(struct audit_names *name,
>   			     const struct dentry *dentry,
>   			     struct inode *inode, unsigned int flags)
>   {
> -	struct lsmblob blob;
> -
>   	name->ino   = inode->i_ino;
>   	name->dev   = inode->i_sb->s_dev;
>   	name->mode  = inode->i_mode;
>   	name->uid   = inode->i_uid;
>   	name->gid   = inode->i_gid;
>   	name->rdev  = inode->i_rdev;
> -	security_inode_getsecid(inode, &blob);
> -	/* scaffolding until osid is updated */
> -	name->osid = blob.secid[0];
> +	security_inode_getsecid(inode, &name->oblob);
>   	if (flags & AUDIT_INODE_NOEVAL) {
>   		name->fcap_ver = -1;
>   		return;
> @@ -2285,14 +2290,11 @@ void __audit_mq_getsetattr(mqd_t mqdes, struct mq_attr *mqstat)
>   void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
>   {
>   	struct audit_context *context = audit_context();
> -	struct lsmblob blob;
>   	context->ipc.uid = ipcp->uid;
>   	context->ipc.gid = ipcp->gid;
>   	context->ipc.mode = ipcp->mode;
>   	context->ipc.has_perm = 0;
> -	security_ipc_getsecid(ipcp, &blob);
> -	/* scaffolding on the [0] - change "osid" to a lsmblob */
> -	context->ipc.osid = blob.secid[0];
> +	security_ipc_getsecid(ipcp, &context->ipc.oblob);
>   	context->type = AUDIT_IPC;
>   }
>   
> 



More information about the Linux-security-module-archive mailing list