Re: [PATCH v20 20/23] Audit: Add new record for multiple process LSM attributes
On Thu, Sep 3, 2020 at 12:32 PM James Morris wrote: > On Wed, 26 Aug 2020, Casey Schaufler wrote: > > > Create a new audit record type to contain the subject information > > when there are multiple security modules that require such data. > > This record is linked with the same timestamp and serial number. > > The record is produced only in cases where there is more than one > > security module with a process "context". > > > > Before this change the only audit events that required multiple > > records were syscall events. Several non-syscall events include > > subject contexts, so the use of audit_context data has been expanded > > as necessary. > > > > Signed-off-by: Casey Schaufler > > Cc: linux-audit@redhat.com > > Paul, can you review/ack the audit changes? I did a previous version at some point in the past, I'll take a look at v20 tomorrow or this weekend. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v20 20/23] Audit: Add new record for multiple process LSM attributes
On 9/3/20 9:32 AM, James Morris wrote:
> On Wed, 26 Aug 2020, Casey Schaufler wrote:
>
>> Create a new audit record type to contain the subject information
>> when there are multiple security modules that require such data.
>> This record is linked with the same timestamp and serial number.
>> The record is produced only in cases where there is more than one
>> security module with a process "context".
>>
>> Before this change the only audit events that required multiple
>> records were syscall events. Several non-syscall events include
>> subject contexts, so the use of audit_context data has been expanded
>> as necessary.
>>
>> Signed-off-by: Casey Schaufler
>> Cc: linux-audit@redhat.com
>
> Paul, can you review/ack the audit changes?
>
I am working on reviewing them as well, but I can't/won't ack them.
>> ---
>> drivers/android/binder.c| 2 +-
>> include/linux/audit.h | 13 +++-
>> include/linux/security.h| 18 -
>> include/net/netlabel.h | 2 +-
>> include/net/scm.h | 3 +-
>> include/net/xfrm.h | 4 +-
>> include/uapi/linux/audit.h | 1 +
>> kernel/audit.c | 89 ++---
>> kernel/auditfilter.c| 2 +-
>> kernel/auditsc.c| 87 ++--
>> net/ipv4/ip_sockglue.c | 2 +-
>> net/netfilter/nf_conntrack_netlink.c| 4 +-
>> net/netfilter/nf_conntrack_standalone.c | 2 +-
>> net/netfilter/nfnetlink_queue.c | 2 +-
>> net/netlabel/netlabel_unlabeled.c | 16 ++---
>> net/netlabel/netlabel_user.c| 12 ++--
>> net/netlabel/netlabel_user.h| 6 +-
>> security/integrity/integrity_audit.c| 2 +-
>> security/security.c | 73 +++-
>> security/smack/smackfs.c| 3 +-
>> 20 files changed, 259 insertions(+), 84 deletions(-)
>>
>> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
>> index 0bde1b96680e..93781dad0c28 100644
>> --- a/drivers/android/binder.c
>> +++ b/drivers/android/binder.c
>> @@ -3113,7 +3113,7 @@ static void binder_transaction(struct binder_proc
>> *proc,
>> size_t added_size;
>>
>> security_task_getsecid(proc->tsk, &blob);
>> -ret = security_secid_to_secctx(&blob, &lsmctx);
>> +ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
>> if (ret) {
>> return_error = BR_FAILED_REPLY;
>> return_error_param = ret;
>> diff --git a/include/linux/audit.h b/include/linux/audit.h
>> index ba1cd38d601b..fe027df0d9a8 100644
>> --- a/include/linux/audit.h
>> +++ b/include/linux/audit.h
>> @@ -186,7 +186,9 @@ extern void audit_log_path_denied(int
>> type,
>>const char *operation);
>> extern void audit_log_lost(const char *message);
>>
>> -extern int audit_log_task_context(struct audit_buffer *ab);
>> +extern void audit_log_lsm(struct lsmblob *blob, bool exiting);
>> +extern int audit_log_task_context(struct audit_buffer *ab,
>> + struct lsmblob *blob);
>> extern void audit_log_task_info(struct audit_buffer *ab);
>>
>> extern int audit_update_lsm_rules(void);
>> @@ -246,7 +248,10 @@ static inline void audit_log_key(struct audit_buffer
>> *ab, char *key)
>> { }
>> static inline void audit_log_path_denied(int type, const char *operation)
>> { }
>> -static inline int audit_log_task_context(struct audit_buffer *ab)
>> +static inline void audit_log_lsm(struct lsmblob *blob, bool exiting)
>> +{ }
>> +static inline int audit_log_task_context(struct audit_buffer *ab,
>> + struct lsmblob *blob);
>> {
>> return 0;
>> }
>> @@ -305,6 +310,7 @@ extern void audit_seccomp(unsigned long syscall, long
>> signr, int code);
>> extern void audit_seccomp_actions_logged(const char *names,
>> const char *old_names, int res);
>> extern void __audit_ptrace(struct task_struct *t);
>> +extern void audit_stamp_context(struct audit_context *ctx);
>>
>> static inline void audit_set_context(struct task_struct *task, struct
>> audit_context *ctx)
>> {
>> @@ -682,6 +688,9 @@ static inline void audit_ntp_log(const struct
>> audit_ntp_data *ad)
>> static inline void audit_ptrace(struct task_struct *t)
>> { }
>>
>> +static inline void audit_stamp_context(struct audit_context *ctx)
>> +{ }
>> +
>> static inline void audit_log_nfcfg(const char *name, u8 af,
>> unsigned int nentries,
>> enum audit_nfcfgop op, gfp_t gfp)
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 40260bfc3a0d..3cbe24be1563 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/sec
Re: [PATCH v20 20/23] Audit: Add new record for multiple process LSM attributes
On Wed, 26 Aug 2020, Casey Schaufler wrote:
> Create a new audit record type to contain the subject information
> when there are multiple security modules that require such data.
> This record is linked with the same timestamp and serial number.
> The record is produced only in cases where there is more than one
> security module with a process "context".
>
> Before this change the only audit events that required multiple
> records were syscall events. Several non-syscall events include
> subject contexts, so the use of audit_context data has been expanded
> as necessary.
>
> Signed-off-by: Casey Schaufler
> Cc: linux-audit@redhat.com
Paul, can you review/ack the audit changes?
> ---
> drivers/android/binder.c| 2 +-
> include/linux/audit.h | 13 +++-
> include/linux/security.h| 18 -
> include/net/netlabel.h | 2 +-
> include/net/scm.h | 3 +-
> include/net/xfrm.h | 4 +-
> include/uapi/linux/audit.h | 1 +
> kernel/audit.c | 89 ++---
> kernel/auditfilter.c| 2 +-
> kernel/auditsc.c| 87 ++--
> net/ipv4/ip_sockglue.c | 2 +-
> net/netfilter/nf_conntrack_netlink.c| 4 +-
> net/netfilter/nf_conntrack_standalone.c | 2 +-
> net/netfilter/nfnetlink_queue.c | 2 +-
> net/netlabel/netlabel_unlabeled.c | 16 ++---
> net/netlabel/netlabel_user.c| 12 ++--
> net/netlabel/netlabel_user.h| 6 +-
> security/integrity/integrity_audit.c| 2 +-
> security/security.c | 73 +++-
> security/smack/smackfs.c| 3 +-
> 20 files changed, 259 insertions(+), 84 deletions(-)
>
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index 0bde1b96680e..93781dad0c28 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -3113,7 +3113,7 @@ static void binder_transaction(struct binder_proc *proc,
> size_t added_size;
>
> security_task_getsecid(proc->tsk, &blob);
> - ret = security_secid_to_secctx(&blob, &lsmctx);
> + ret = security_secid_to_secctx(&blob, &lsmctx, LSMBLOB_DISPLAY);
> if (ret) {
> return_error = BR_FAILED_REPLY;
> return_error_param = ret;
> diff --git a/include/linux/audit.h b/include/linux/audit.h
> index ba1cd38d601b..fe027df0d9a8 100644
> --- a/include/linux/audit.h
> +++ b/include/linux/audit.h
> @@ -186,7 +186,9 @@ extern void audit_log_path_denied(int
> type,
> const char *operation);
> extern void audit_log_lost(const char *message);
>
> -extern int audit_log_task_context(struct audit_buffer *ab);
> +extern void audit_log_lsm(struct lsmblob *blob, bool exiting);
> +extern int audit_log_task_context(struct audit_buffer *ab,
> + struct lsmblob *blob);
> extern void audit_log_task_info(struct audit_buffer *ab);
>
> extern int audit_update_lsm_rules(void);
> @@ -246,7 +248,10 @@ static inline void audit_log_key(struct audit_buffer
> *ab, char *key)
> { }
> static inline void audit_log_path_denied(int type, const char *operation)
> { }
> -static inline int audit_log_task_context(struct audit_buffer *ab)
> +static inline void audit_log_lsm(struct lsmblob *blob, bool exiting)
> +{ }
> +static inline int audit_log_task_context(struct audit_buffer *ab,
> + struct lsmblob *blob);
> {
> return 0;
> }
> @@ -305,6 +310,7 @@ extern void audit_seccomp(unsigned long syscall, long
> signr, int code);
> extern void audit_seccomp_actions_logged(const char *names,
>const char *old_names, int res);
> extern void __audit_ptrace(struct task_struct *t);
> +extern void audit_stamp_context(struct audit_context *ctx);
>
> static inline void audit_set_context(struct task_struct *task, struct
> audit_context *ctx)
> {
> @@ -682,6 +688,9 @@ static inline void audit_ntp_log(const struct
> audit_ntp_data *ad)
> static inline void audit_ptrace(struct task_struct *t)
> { }
>
> +static inline void audit_stamp_context(struct audit_context *ctx)
> +{ }
> +
> static inline void audit_log_nfcfg(const char *name, u8 af,
> unsigned int nentries,
> enum audit_nfcfgop op, gfp_t gfp)
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 40260bfc3a0d..3cbe24be1563 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -180,6 +180,8 @@ struct lsmblob {
> #define LSMBLOB_INVALID -1 /* Not a valid LSM slot number
> */
> #define LSMBLOB_NEEDED -2 /* Slot requested on
> in
Re: [PATCH v20 05/23] net: Prepare UDS for security module stacking
On Wed, 26 Aug 2020, Casey Schaufler wrote:
> Change the data used in UDS SO_PEERSEC processing from a
> secid to a more general struct lsmblob. Update the
> security_socket_getpeersec_dgram() interface to use the
> lsmblob. There is a small amount of scaffolding code
> that will come out when the security_secid_to_secctx()
> code is brought in line with the lsmblob.
>
> Signed-off-by: Casey Schaufler
This needs some review by networking folk, and/or LSM maintainers. You
should probably cc netdev on anything touching the networking code.
> ---
> include/linux/security.h | 7 +--
> include/net/af_unix.h| 2 +-
> include/net/scm.h| 8 +---
> net/ipv4/ip_sockglue.c | 8 +---
> net/unix/af_unix.c | 6 +++---
> security/security.c | 18 +++---
> 6 files changed, 34 insertions(+), 15 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index e2ef982b3dd7..ae623b89cdf4 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1398,7 +1398,8 @@ int security_socket_shutdown(struct socket *sock, int
> how);
> int security_sock_rcv_skb(struct sock *sk, struct sk_buff *skb);
> int security_socket_getpeersec_stream(struct socket *sock, char __user
> *optval,
> int __user *optlen, unsigned len);
> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff
> *skb, u32 *secid);
> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff
> *skb,
> + struct lsmblob *blob);
> int security_sk_alloc(struct sock *sk, int family, gfp_t priority);
> void security_sk_free(struct sock *sk);
> void security_sk_clone(const struct sock *sk, struct sock *newsk);
> @@ -1536,7 +1537,9 @@ static inline int
> security_socket_getpeersec_stream(struct socket *sock, char __
> return -ENOPROTOOPT;
> }
>
> -static inline int security_socket_getpeersec_dgram(struct socket *sock,
> struct sk_buff *skb, u32 *secid)
> +static inline int security_socket_getpeersec_dgram(struct socket *sock,
> +struct sk_buff *skb,
> +struct lsmblob *blob)
> {
> return -ENOPROTOOPT;
> }
> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
> index f42fdddecd41..a86da0cb5ec1 100644
> --- a/include/net/af_unix.h
> +++ b/include/net/af_unix.h
> @@ -36,7 +36,7 @@ struct unix_skb_parms {
> kgid_t gid;
> struct scm_fp_list *fp;/* Passed files */
> #ifdef CONFIG_SECURITY_NETWORK
> - u32 secid; /* Security ID */
> + struct lsmblob lsmblob;/* Security LSM data*/
> #endif
> u32 consumed;
> } __randomize_layout;
> diff --git a/include/net/scm.h b/include/net/scm.h
> index 1ce365f4c256..e2e71c4bf9d0 100644
> --- a/include/net/scm.h
> +++ b/include/net/scm.h
> @@ -33,7 +33,7 @@ struct scm_cookie {
> struct scm_fp_list *fp;/* Passed files */
> struct scm_credscreds; /* Skb credentials */
> #ifdef CONFIG_SECURITY_NETWORK
> - u32 secid; /* Passed security ID */
> + struct lsmblob lsmblob;/* Passed LSM data */
> #endif
> };
>
> @@ -46,7 +46,7 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl);
> #ifdef CONFIG_SECURITY_NETWORK
> static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct
> scm_cookie *scm)
> {
> - security_socket_getpeersec_dgram(sock, NULL, &scm->secid);
> + security_socket_getpeersec_dgram(sock, NULL, &scm->lsmblob);
> }
> #else
> static __inline__ void unix_get_peersec_dgram(struct socket *sock, struct
> scm_cookie *scm)
> @@ -97,7 +97,9 @@ static inline void scm_passec(struct socket *sock, struct
> msghdr *msg, struct sc
> int err;
>
> if (test_bit(SOCK_PASSSEC, &sock->flags)) {
> - err = security_secid_to_secctx(scm->secid, &secdata, &seclen);
> + /* Scaffolding - it has to be element 0 for now */
> + err = security_secid_to_secctx(scm->lsmblob.secid[0],
> +&secdata, &seclen);
>
> if (!err) {
> put_cmsg(msg, SOL_SOCKET, SCM_SECURITY, seclen,
> secdata);
> diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
> index d2c223554ff7..551dfbc717e9 100644
> --- a/net/ipv4/ip_sockglue.c
> +++ b/net/ipv4/ip_sockglue.c
> @@ -130,15 +130,17 @@ static void ip_cmsg_recv_checksum(struct msghdr *msg,
> struct sk_buff *skb,
>
> static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
> {
> + struct lsmblob lb;
> char *secdata;
> - u32 seclen, secid;
> + u32 seclen;
> int err;
>
> - err = security_socket_getpeersec_dgram(NULL, skb, &secid);
>
