

audit: add record for multiple object contexts

Create a new audit record AUDIT_MAC_OBJ_CONTEXTS.
An example of the MAC_OBJ_CONTEXTS record is:

type=MAC_OBJ_CONTEXTS
msg=audit(1601152467.009:1050):
obj_selinux=unconfined_u:object_r:user_home_t:s0

When an audit event includes an AUDIT_MAC_OBJ_CONTEXTS record
the "obj=" field in other records in the event will be "obj=?".
An AUDIT_MAC_OBJ_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based
on an object security context.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj tweak, audit example readability indents]
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Casey Schaufler and committed by
Paul Moore
0ffbc876 eb59d494

+78 -34
+7
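--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -151,6 +151,7 @@
 
 /* bit values for audit_cfg_lsm */
 #define AUDIT_CFG_LSM_SECCTX_SUBJECT BIT(0)
+#define AUDIT_CFG_LSM_SECCTX_OBJECT BIT(1)
 
 struct filename;
 
@@ -192,6 +191,7 @@
 extern void audit_log_lost(const char *message);
 
 extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
+extern int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
 extern int audit_log_task_context(struct audit_buffer *ab);
 extern void audit_log_task_info(struct audit_buffer *ab);
 
@@ -257,6 +255,11 @@
 { }
 static inline int audit_log_subj_ctx(struct audit_buffer *ab,
 struct lsm_prop *prop)
+{
+return 0;
+}
+static inline int audit_log_obj_ctx(struct audit_buffer *ab,
+struct lsm_prop *prop)
 {
 return 0;
 }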
+1
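--- a/include/uapi/linux/audit.h
+++ b/include/uapi/linux/audit.h
@@ -149,6 +149,7 @@
 #define AUDIT_LANDLOCK_ACCESS 1423 /* Landlock denial */
 #define AUDIT_LANDLOCK_DOMAIN 1424 /* Landlock domain status */
 #define AUDIT_MAC_TASK_CONTEXTS 1425 /* Multiple LSM task contexts */
+#define AUDIT_MAC_OBJ_CONTEXTS 1426 /* Multiple LSM objext contexts */
 
 #define AUDIT_FIRST_KERN_ANOM_MSG 1700
 #define AUDIT_LAST_KERN_ANOM_MSG 1799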
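Review bot: The comment on the new AUDIT_MAC_OBJ_CONTEXTS define (new line 152) has a typo, `objext`, and since this is a UAPI header that comment is what userspace readers will see. It should read `#define AUDIT_MAC_OBJ_CONTEXTS 1426 /* Multiple LSM object contexts */`. This is a comment-only fix with no effect on the record type value.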
+57 -1
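--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -85,7 +85,9 @@
 /* Number of modules that provide a security context.
 List of lsms that provide a security context */
 static u32 audit_subj_secctx_cnt;
+static u32 audit_obj_secctx_cnt;
 static const struct lsm_id *audit_subj_lsms[MAX_LSM_COUNT];
+static const struct lsm_id *audit_obj_lsms[MAX_LSM_COUNT];
 
 /**
 * struct audit_net - audit private network namespace data
@@ -306,6 +304,12 @@
 if (audit_subj_lsms[i] == lsmid)
 return;
 audit_subj_lsms[audit_subj_secctx_cnt++] = lsmid;
+}
+if (flags & AUDIT_CFG_LSM_SECCTX_OBJECT) {
+for (i = 0 ; i < audit_obj_secctx_cnt; i++)
+if (audit_obj_lsms[i] == lsmid)
+return;
+audit_obj_lsms[audit_obj_secctx_cnt++] = lsmid;
 }
 }
 
@@ -1149,7 +1141,6 @@
 {
 return af.features & AUDIT_FEATURE_TO_MASK(i);
 }
-
 
 static int audit_get_feature(struct sk_buff *skb)
 {
@@ -2343,6 +2336,55 @@
 return audit_log_subj_ctx(ab, &prop);
 }
 EXPORT_SYMBOL(audit_log_task_context);
+
+int audit_log_obj_ctx(struct audit_buffer *ab, struct lsm_prop *prop)
+{
+int i;
+int rc;
+int error = 0;
+char *space = "";
+struct lsm_context ctx;
+
+if (audit_obj_secctx_cnt < 2) {
+error = security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF);
+if (error < 0) {
+if (error != -EINVAL)
+goto error_path;
+return error;
+}
+audit_log_format(ab, " obj=%s", ctx.context);
+security_release_secctx(&ctx);
+return 0;
+}
+audit_log_format(ab, " obj=?");
+error = audit_buffer_aux_new(ab, AUDIT_MAC_OBJ_CONTEXTS);
+if (error)
+goto error_path;
+
+for (i = 0; i < audit_obj_secctx_cnt; i++) {
+rc = security_lsmprop_to_secctx(prop, &ctx,
+audit_obj_lsms[i]->id);
+if (rc < 0) {
+audit_log_format(ab, "%sobj_%s=?", space,
+audit_obj_lsms[i]->name);
+if (rc != -EINVAL)
+audit_panic("error in audit_log_obj_ctx");
+error = rc;
+} else {
+audit_log_format(ab, "%sobj_%s=%s", space,
+audit_obj_lsms[i]->name, ctx.context);
+security_release_secctx(&ctx);
+}
+space = " ";
+}
+
+audit_buffer_aux_end(ab);
+return error;
+
+error_path:
+audit_panic("error in audit_log_obj_ctx");
+return error;
+}
 
 void audit_log_d_path_exe(struct audit_buffer *ab,
 struct mm_struct *mm)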
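Review bot: audit_log_obj_ctx() singles out -EINVAL as the one failure that should not reach audit_panic(), yet both paths still hand it back to the caller: the `< 2` branch returns error on -EINVAL at new line 2353 and the loop sets `error = rc` at line 2372 regardless of which errno came back, so the callers in kernel/auditsc.c that test the return value will set their call_panic flag for -EINVAL as well. If -EINVAL is meant to be the non-fatal "this LSM has no context for this object" case, return 0 in the single-LSM branch and skip the `error = rc` assignment when `rc == -EINVAL`; if it is meant to be fatal, the special-casing in front of audit_panic() is misleading, and either way the two paths should agree. The function is also a new non-static symbol without a kernel-doc header; a `/** ... */` block above line 2340 stating that it emits ` obj=<ctx>` when fewer than two LSMs supply an object context, otherwise ` obj=?` plus an AUDIT_MAC_OBJ_CONTEXTS aux record with one obj_<lsm>= field per registered LSM, and returns 0 or a negative errno the caller treats as a logging failure, would document the contract the auditsc.c callers rely on. In audit_cfg_lsm the new `audit_obj_lsms[audit_obj_secctx_cnt++] = lsmid` store mirrors the subject path and has no bound check, so it relies on at most MAX_LSM_COUNT distinct lsmid registrations; a one-line comment stating that invariant would help the next reader.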
+7 -31
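--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1098,7 +1098,6 @@
 char *comm)
 {
 struct audit_buffer *ab;
-struct lsm_context ctx;
 int rc = 0;
 
 ab = audit_log_start(context, GFP_KERNEL, AUDIT_OBJ_PID);
@@ -1107,15 +1108,9 @@
 audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid,
 from_kuid(&init_user_ns, auid),
 from_kuid(&init_user_ns, uid), sessionid);
-if (lsmprop_is_set(prop)) {
-if (security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF) < 0) {
-audit_log_format(ab, " obj=(none)");
-rc = 1;
-} else {
-audit_log_format(ab, " obj=%s", ctx.context);
-security_release_secctx(&ctx);
-}
-}
+if (lsmprop_is_set(prop) && audit_log_obj_ctx(ab, prop))
+rc = 1;
+
 audit_log_format(ab, " ocomm=");
 audit_log_untrustedstring(ab, comm);
 audit_log_end(ab);
@@ -1385,16 +1392,8 @@
 from_kgid(&init_user_ns, context->ipc.gid),
 context->ipc.mode);
 if (lsmprop_is_set(&context->ipc.oprop)) {
-struct lsm_context lsmctx;
-
-if (security_lsmprop_to_secctx(&context->ipc.oprop,
-&lsmctx,
-LSM_ID_UNDEF) < 0) {
+if (audit_log_obj_ctx(ab, &context->ipc.oprop))
 *call_panic = 1;
-} else {
-audit_log_format(ab, " obj=%s", lsmctx.context);
-security_release_secctx(&lsmctx);
-}
 }
 if (context->ipc.has_perm) {
 audit_log_end(ab);
@@ -1543,18 +1558,9 @@
 from_kgid(&init_user_ns, n->gid),
 MAJOR(n->rdev),
 MINOR(n->rdev));
-if (lsmprop_is_set(&n->oprop)) {
-struct lsm_context ctx;
-
-if (security_lsmprop_to_secctx(&n->oprop, &ctx,
-LSM_ID_UNDEF) < 0) {
-if (call_panic)
-*call_panic = 2;
-} else {
-audit_log_format(ab, " obj=%s", ctx.context);
-security_release_secctx(&ctx);
-}
-}
+if (lsmprop_is_set(&n->oprop) &&
+audit_log_obj_ctx(ab, &n->oprop))
+*call_panic = 2;
 
 /* log the audit_names record type */
 switch (n->type) {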
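Review bot: The `if (call_panic)` guard that the removed lines kept in front of `*call_panic = 2` is gone in the last hunk (new lines 1561-1563), so the store through call_panic is now unconditional; the old guard suggests that at least one caller passes a NULL call_panic, and if so this is a NULL dereference on the audit_log_obj_ctx() failure path. Keep the pointer test in the condition, after the logging call so the record is still written: `if (lsmprop_is_set(&n->oprop) && audit_log_obj_ctx(ab, &n->oprop) && call_panic) *call_panic = 2;`. Separately, the audit_log_pid_context hunk drops the ` obj=(none)` fallback that was emitted when no context could be produced, so a userspace parser keyed on that token now sees no obj field at all; if that is intended it deserves a sentence in the commit message. All three enclosing functions start outside their hunks.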
+3 -1
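--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -7619,7 +7619,9 @@
 cred_init_security();
 
 /* Inform the audit system that secctx is used */
-audit_cfg_lsm(&selinux_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
+audit_cfg_lsm(&selinux_lsmid,
+AUDIT_CFG_LSM_SECCTX_SUBJECT |
+AUDIT_CFG_LSM_SECCTX_OBJECT);
 
 default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
 if (!default_noexec)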
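Review bot: The unchanged comment `/* Inform the audit system that secctx is used */` now sits above a call that registers both the subject and the object flag (new lines 7622-7624) but still reads as if only one kind of context were involved. Suggest `/* Inform the audit system that subject and object secctx are used */`; the identical comment is left unchanged in the security/smack/smack_lsm.c hunk and should get the same wording. The enclosing init function continues outside the hunk.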
+3 -1
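--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -5268,7 +5268,9 @@
 init_smack_known_list();
 
 /* Inform the audit system that secctx is used */
-audit_cfg_lsm(&smack_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
+audit_cfg_lsm(&smack_lsmid,
+AUDIT_CFG_LSM_SECCTX_SUBJECT |
+AUDIT_CFG_LSM_SECCTX_OBJECT);
 
 return 0;
 }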