[ANNOUNCE] Linux Security Summit North Americ (LSS-NA) CfP
The Call for Participation for the 2023 LSS-NA conference is open! See details of the event and information on submitting proposals here: https://events.linuxfoundation.org/linux-security-summit-north-america/ LSS-NA 2023 will be in Vancouver, BC, Canada, from May 10th to May 12th. This will be a three day event, co-located with Open Source Summit North America [1]. The LSS-NA CfP is open until March 1st, 2023. Note that announcements relating to the Linux Security Summit may be found now on the Fediverse, via: https://social.kernel.org/LinuxSecSummit -- James Morris [1] https://events.linuxfoundation.org/open-source-summit-north-america/ -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [ANNOUNCE][CFP] Linux Security Summit North America 2022
On Tue, 8 Feb 2022, James Morris wrote: > * Event:September 23-24 Correction: This should be 23-24 June per the top of the email. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE][CFP] Linux Security Summit North America 2022
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2022
23-24 June
Austin, Texas & Virtual
==
DESCRIPTION
Linux Security Summit North America (LSS-NA) is a technical forum for
collaboration between Linux developers, researchers, and end-users. Its
primary aim is to foster community efforts in analyzing and solving Linux
security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-north-america/
Note that for 2022, we are returning to having both North American and
European events (LSS-EU will be held in September).
LSS-NA DATES
* CFP close:March 30
* CFP notifications:April 15
* Schedule announced: April 19
* Event:September 23-24
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It's also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-north-america/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2021 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Microsoft
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Linux Foundation
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
--
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [ANNOUNCE][CFP] Linux Security Summit 2021
For folks presenting remotely, the deadline for video talks is extended to 20th September, 2021. Reminder: you can keep track LSS event information via: https://twitter.com/LinuxSecSummit -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [ANNOUNCE][CFP] Linux Security Summit 2021
Two further (and hopefully final) changes: - LSS 2021 will now be a hybrid event, catering to both in-person and remote attendees and presenters - The CFP is extended to July 11th. On Wed, 26 May 2021, James Morris wrote: > Note that the venue of LSS 2021 has now changed to Seattle, USA. > > See https://events.linuxfoundation.org/linux-security-summit-north-america/ > > The new event dates are 29 September to 01 October. > > The CFP closes on June 27th. > > > > > > On Tue, 9 Feb 2021, James Morris wrote: > > > == > >ANNOUNCEMENT AND CALL FOR PARTICIPATION > > > > LINUX SECURITY SUMMIT 2021 > > > > 27-29 September > > Dublin, Ireland > > == > > > > DESCRIPTION > > > > Linux Security Summit (LSS) is a technical forum for collaboration between > > Linux developers, researchers, and end-users. Its primary aim is to foster > > community efforts in analyzing and solving Linux security challenges. > > > > The program committee currently seeks proposals for: > > > >* Refereed Presentations: > > 45 minutes in length. > > > >* Panel Discussion Topics: > > 45 minutes in length. > > > >* Short Topics: > > 30 minutes in total, including at least 10 minutes discussion. > > > >* Tutorials > > 90 minutes in length. > > > > Tutorial sessions should be focused on advanced Linux security defense > > topics within areas such as the kernel, compiler, and security-related > > libraries. Priority will be given to tutorials created for this conference, > > and those where the presenter a leading subject matter expert on the topic. > > > > Topic areas include, but are not limited to: > > > >* Kernel self-protection > >* Access control > >* Cryptography and key management > >* Integrity policy and enforcement > >* Hardware Security > >* IoT and embedded security > >* Virtualization and containers > >* System-specific system hardening > >* Case studies > >* Security tools > >* Security UX > >* Emerging technologies, threats & techniques > > > > Proposals should be submitted via: > > > > https://events.linuxfoundation.org/linux-security-summit-europe/program/cfp/ > > > > > > ** Note that for 2021, the North American and European events are combined > > into > > a single event planned for Dublin, Ireland. ** > > > > > > DATES > > > > * CFP close:June 27 > > * CFP notifications:July 20 > > * Schedule announced: July 22 > > * Event:September 27-29 > > > > WHO SHOULD ATTEND > > > > We're seeking a diverse range of attendees and welcome participation by > > people involved in Linux security development, operations, and research. > > > > LSS is a unique global event that provides the opportunity to present and > > discuss your work or research with key Linux security community members and > > maintainers. It's also useful for those who wish to keep up with the latest > > in Linux security development and to provide input to the development > > process. > > > > WEB SITE > > > > https://events.linuxfoundation.org/linux-security-summit-europe/ > > > > TWITTER > > > > For event updates and announcements, follow: > > > > https://twitter.com/LinuxSecSummit > > > > #linuxsecuritysummit > > > > PROGRAM COMMITTEE > > > > The program committee for LSS 2021 is: > > > > * James Morris, Microsoft > > * Serge Hallyn, Cisco > > * Paul Moore, Cisco > > * Stephen Smalley, NSA > > * Elena Reshetova, Intel > > * John Johansen, Canonical > > * Kees Cook, Google > > * Casey Schaufler, Intel > > * Mimi Zohar, IBM > > * David A. Wheeler, Institute for Defense Analyses > > > > The program committee may be contacted as a group via email: > > lss-pc () lists.linuxfoundation.org > > > > > > -- > James Morris > > > -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [ANNOUNCE][CFP] Linux Security Summit 2021
Note that the venue of LSS 2021 has now changed to Seattle, USA. See https://events.linuxfoundation.org/linux-security-summit-north-america/ The new event dates are 29 September to 01 October. The CFP closes on June 27th. On Tue, 9 Feb 2021, James Morris wrote: > == >ANNOUNCEMENT AND CALL FOR PARTICIPATION > > LINUX SECURITY SUMMIT 2021 > > 27-29 September > Dublin, Ireland > == > > DESCRIPTION > > Linux Security Summit (LSS) is a technical forum for collaboration between > Linux developers, researchers, and end-users. Its primary aim is to foster > community efforts in analyzing and solving Linux security challenges. > > The program committee currently seeks proposals for: > >* Refereed Presentations: > 45 minutes in length. > >* Panel Discussion Topics: > 45 minutes in length. > >* Short Topics: > 30 minutes in total, including at least 10 minutes discussion. > >* Tutorials > 90 minutes in length. > > Tutorial sessions should be focused on advanced Linux security defense > topics within areas such as the kernel, compiler, and security-related > libraries. Priority will be given to tutorials created for this conference, > and those where the presenter a leading subject matter expert on the topic. > > Topic areas include, but are not limited to: > >* Kernel self-protection >* Access control >* Cryptography and key management >* Integrity policy and enforcement >* Hardware Security >* IoT and embedded security >* Virtualization and containers >* System-specific system hardening >* Case studies >* Security tools >* Security UX >* Emerging technologies, threats & techniques > > Proposals should be submitted via: > > https://events.linuxfoundation.org/linux-security-summit-europe/program/cfp/ > > > ** Note that for 2021, the North American and European events are combined > into > a single event planned for Dublin, Ireland. ** > > > DATES > > * CFP close:June 27 > * CFP notifications:July 20 > * Schedule announced: July 22 > * Event:September 27-29 > > WHO SHOULD ATTEND > > We're seeking a diverse range of attendees and welcome participation by > people involved in Linux security development, operations, and research. > > LSS is a unique global event that provides the opportunity to present and > discuss your work or research with key Linux security community members and > maintainers. It's also useful for those who wish to keep up with the latest > in Linux security development and to provide input to the development > process. > > WEB SITE > > https://events.linuxfoundation.org/linux-security-summit-europe/ > > TWITTER > > For event updates and announcements, follow: > > https://twitter.com/LinuxSecSummit > > #linuxsecuritysummit > > PROGRAM COMMITTEE > > The program committee for LSS 2021 is: > > * James Morris, Microsoft > * Serge Hallyn, Cisco > * Paul Moore, Cisco > * Stephen Smalley, NSA > * Elena Reshetova, Intel > * John Johansen, Canonical > * Kees Cook, Google > * Casey Schaufler, Intel > * Mimi Zohar, IBM > * David A. Wheeler, Institute for Defense Analyses > > The program committee may be contacted as a group via email: > lss-pc () lists.linuxfoundation.org > > -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH 1/4] lsm: separate security_task_getsecid() into subjective and objective variants
On Fri, 19 Feb 2021, Paul Moore wrote:
> diff --git a/drivers/android/binder.c b/drivers/android/binder.c
> index c119736ca56ac..39d501261108d 100644
> --- a/drivers/android/binder.c
> +++ b/drivers/android/binder.c
> @@ -2700,7 +2700,7 @@ static void binder_transaction(struct binder_proc *proc,
> u32 secid;
> size_t added_size;
>
> - security_task_getsecid(proc->tsk, );
> + security_task_getsecid_subj(proc->tsk, );
> ret = security_secid_to_secctx(secid, , _sz);
> if (ret) {
> return_error = BR_FAILED_REPLY;
Can someone from the Android project confirm this is correct for binder?
--
James Morris
--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
Re: security_task_getsecid() and subjective vs objective task creds
On Thu, 18 Feb 2021, Paul Moore wrote: > Hi all, > > When looking into a problem I noticed that audit was recording the > wrong subject label for a process. Is this a public bug? It would be good to know what the extent of this issue may be and whether it warrants a CVE. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://listman.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE][CFP] Linux Security Summit 2021
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT 2021
27-29 September
Dublin, Ireland
==
DESCRIPTION
Linux Security Summit (LSS) is a technical forum for collaboration between
Linux developers, researchers, and end-users. Its primary aim is to foster
community efforts in analyzing and solving Linux security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-europe/program/cfp/
** Note that for 2021, the North American and European events are combined into
a single event planned for Dublin, Ireland. **
DATES
* CFP close:June 27
* CFP notifications:July 20
* Schedule announced: July 22
* Event:September 27-29
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It's also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-europe/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2021 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v22 16/23] LSM: security_secid_to_secctx in netlink netfilter
On Tue, 10 Nov 2020, Pablo Neira Ayuso wrote:
> Hi Casey,
>
> On Wed, Nov 04, 2020 at 04:49:17PM -0800, Casey Schaufler wrote:
> > Change netlink netfilter interfaces to use lsmcontext
> > pointers, and remove scaffolding.
> >
> > Reviewed-by: Kees Cook
> > Reviewed-by: John Johansen
> > Acked-by: Stephen Smalley
> > Signed-off-by: Casey Schaufler
> > Cc: net...@vger.kernel.org
> > Cc: netfilter-de...@vger.kernel.org
>
> You can carry this tag in your follow up patches.
>
> Acked-by: Pablo Neira Ayuso
Thanks for the review!
>
> Thanks.
>
> > ---
> > net/netfilter/nfnetlink_queue.c | 37 +
> > 1 file changed, 14 insertions(+), 23 deletions(-)
> >
> > diff --git a/net/netfilter/nfnetlink_queue.c
> > b/net/netfilter/nfnetlink_queue.c
> > index 84be5a49a157..0d8b83d84422 100644
> > --- a/net/netfilter/nfnetlink_queue.c
> > +++ b/net/netfilter/nfnetlink_queue.c
> > @@ -301,15 +301,13 @@ static int nfqnl_put_sk_uidgid(struct sk_buff *skb,
> > struct sock *sk)
> > return -1;
> > }
> >
> > -static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
> > +static void nfqnl_get_sk_secctx(struct sk_buff *skb, struct lsmcontext
> > *context)
> > {
> > - u32 seclen = 0;
> > #if IS_ENABLED(CONFIG_NETWORK_SECMARK)
> > struct lsmblob blob;
> > - struct lsmcontext context = { };
> >
> > if (!skb || !sk_fullsock(skb->sk))
> > - return 0;
> > + return;
> >
> > read_lock_bh(>sk->sk_callback_lock);
> >
> > @@ -318,14 +316,12 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb,
> > char **secdata)
> > * blob. security_secid_to_secctx() will know which security
> > * module to use to create the secctx. */
> > lsmblob_init(, skb->secmark);
> > - security_secid_to_secctx(, );
> > - *secdata = context.context;
> > + security_secid_to_secctx(, context);
> > }
> >
> > read_unlock_bh(>sk->sk_callback_lock);
> > - seclen = context.len;
> > #endif
> > - return seclen;
> > + return;
> > }
> >
> > static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry)
> > @@ -398,12 +394,10 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > struct net_device *indev;
> > struct net_device *outdev;
> > struct nf_conn *ct = NULL;
> > + struct lsmcontext context = { };
> > enum ip_conntrack_info ctinfo;
> > struct nfnl_ct_hook *nfnl_ct;
> > bool csum_verify;
> > - struct lsmcontext scaff; /* scaffolding */
> > - char *secdata = NULL;
> > - u32 seclen = 0;
> >
> > size = nlmsg_total_size(sizeof(struct nfgenmsg))
> > + nla_total_size(sizeof(struct nfqnl_msg_packet_hdr))
> > @@ -469,9 +463,9 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > }
> >
> > if ((queue->flags & NFQA_CFG_F_SECCTX) && entskb->sk) {
> > - seclen = nfqnl_get_sk_secctx(entskb, );
> > - if (seclen)
> > - size += nla_total_size(seclen);
> > + nfqnl_get_sk_secctx(entskb, );
> > + if (context.len)
> > + size += nla_total_size(context.len);
> > }
> >
> > skb = alloc_skb(size, GFP_ATOMIC);
> > @@ -604,7 +598,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > nfqnl_put_sk_uidgid(skb, entskb->sk) < 0)
> > goto nla_put_failure;
> >
> > - if (seclen && nla_put(skb, NFQA_SECCTX, seclen, secdata))
> > + if (context.len &&
> > + nla_put(skb, NFQA_SECCTX, context.len, context.context))
> > goto nla_put_failure;
> >
> > if (ct && nfnl_ct->build(skb, ct, ctinfo, NFQA_CT, NFQA_CT_INFO) < 0)
> > @@ -632,10 +627,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > }
> >
> > nlh->nlmsg_len = skb->len;
> > - if (seclen) {
> > - lsmcontext_init(, secdata, seclen, 0);
> > - security_release_secctx();
> > - }
> > + if (context.len)
> > + security_release_secctx();
> > return skb;
> >
> > nla_put_failure:
> > @@ -643,10 +636,8 @@ nfqnl_build_packet_message(struct net *net, struct
> > nfqnl_instance *queue,
> > kfree_skb(skb);
> > net_err_ratelimited("nf_queue: error creating packet message\n");
> > nlmsg_failure:
> > - if (seclen) {
> > - lsmcontext_init(, secdata, seclen, 0);
> > - security_release_secctx();
> > - }
> > + if (context.len)
> > + security_release_secctx();
> > return NULL;
> > }
> >
> > --
> > 2.24.1
> >
>
--
James Morris
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v22 05/23] LSM: Use lsmblob in security_secctx_to_secid
On Wed, 4 Nov 2020, Casey Schaufler wrote: > Change the security_secctx_to_secid interface to use a lsmblob > structure in place of the single u32 secid in support of > module stacking. Change its callers to do the same. > > The security module hook is unchanged, still passing back a secid. > The infrastructure passes the correct entry from the lsmblob. > > Signed-off-by: Casey Schaufler > Cc: net...@vger.kernel.org You probably need to include Netfilter maintainers specifically for this (added them + the Netfilter list). This also needs signoffs from LSM owners. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v22 06/23] LSM: Use lsmblob in security_secid_to_secctx
On Wed, 4 Nov 2020, Casey Schaufler wrote: > Change security_secid_to_secctx() to take a lsmblob as input > instead of a u32 secid. It will then call the LSM hooks > using the lsmblob element allocated for that module. The > callers have been updated as well. This allows for the > possibility that more than one module may be called upon > to translate a secid to a string, as can occur in the > audit code. > > Signed-off-by: Casey Schaufler > Cc: net...@vger.kernel.org > Cc: linux-audit@redhat.com Ditto with this, + audit. Also, you should put primary maintainers on the To: line or they may miss the email. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v20 20/23] Audit: Add new record for multiple process LSM attributes
s, current_cred()->uid),
>from_kuid(_user_ns, audit_get_loginuid(current)),
>audit_get_sessionid(current));
> - audit_log_task_context(ab);
> + audit_log_task_context(ab, NULL);
> audit_log_format(ab, " op=%s cause=%s comm=", op, cause);
> audit_log_untrustedstring(ab, get_task_comm(name, current));
> if (fname) {
> diff --git a/security/security.c b/security/security.c
> index 95b48721fb17..4752291376bf 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -480,7 +480,31 @@ static int lsm_append(const char *new, char **result)
> * Pointers to the LSM id structures for local use.
> */
> static int lsm_slot __lsm_ro_after_init;
> -static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES];
> +static struct lsm_id *lsm_slotlist[LSMBLOB_ENTRIES] __lsm_ro_after_init;
> +
> +/**
> + * security_lsm_slot_name - Get the name of the security module in a slot
> + * @slot: index into the "display" slot list.
> + *
> + * Provide the name of the security module associated with
> + * a display slot.
> + *
> + * If @slot is LSMBLOB_INVALID return the value
> + * for slot 0 if it has been set, otherwise NULL.
> + *
> + * Returns a pointer to the name string or NULL.
> + */
> +const char *security_lsm_slot_name(int slot)
> +{
> + if (slot == LSMBLOB_INVALID)
> + slot = 0;
> + else if (slot >= LSMBLOB_ENTRIES || slot < 0)
> + return NULL;
> +
> + if (lsm_slotlist[slot] == NULL)
> + return NULL;
> + return lsm_slotlist[slot]->lsm;
> +}
>
> /**
> * security_add_hooks - Add a modules hooks to the hook lists.
> @@ -2175,7 +2199,7 @@ int security_setprocattr(const char *lsm, const char
> *name, void *value,
> hlist_for_each_entry(hp, _hook_heads.setprocattr,
>list) {
> rc = hp->hook.setprocattr(name, value, size);
> - if (rc < 0)
> + if (rc < 0 && rc != -EINVAL)
> return rc;
> }
>
> @@ -2220,13 +2244,32 @@ int security_ismaclabel(const char *name)
> }
> EXPORT_SYMBOL(security_ismaclabel);
>
> -int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp)
> +int security_secid_to_secctx(struct lsmblob *blob, struct lsmcontext *cp,
> + int display)
> {
> struct security_hook_list *hp;
> - int display = lsm_task_display(current);
>
> memset(cp, 0, sizeof(*cp));
>
> + /*
> + * display either is the slot number use for formatting
> + * or an instruction on which relative slot to use.
> + */
> + if (display == LSMBLOB_DISPLAY)
> + display = lsm_task_display(current);
> + else if (display == LSMBLOB_FIRST)
> + display = LSMBLOB_INVALID;
> + else if (display < 0) {
> + WARN_ONCE(true,
> + "LSM: %s unknown display\n", __func__);
> + display = LSMBLOB_INVALID;
> + } else if (display >= lsm_slot) {
> + WARN_ONCE(true,
> + "LSM: %s invalid display\n", __func__);
> + display = LSMBLOB_INVALID;
> + }
> +
> +
> hlist_for_each_entry(hp, _hook_heads.secid_to_secctx, list) {
> if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
> continue;
> @@ -2256,7 +2299,7 @@ int security_secctx_to_secid(const char *secdata, u32
> seclen,
> return hp->hook.secctx_to_secid(secdata, seclen,
> >secid[hp->lsmid->slot]);
> }
> - return 0;
> + return -EOPNOTSUPP;
> }
> EXPORT_SYMBOL(security_secctx_to_secid);
>
> @@ -2757,23 +2800,17 @@ int security_key_getsecurity(struct key *key, char
> **_buffer)
> int security_audit_rule_init(u32 field, u32 op, char *rulestr, void
> **lsmrule)
> {
> struct security_hook_list *hp;
> - bool one_is_good = false;
> - int rc = 0;
> - int trc;
> + int display = lsm_task_display(current);
>
> hlist_for_each_entry(hp, _hook_heads.audit_rule_init, list) {
> if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
> continue;
> - trc = hp->hook.audit_rule_init(field, op, rulestr,
> -[hp->lsmid->slot]);
> - if (trc == 0)
> - one_is_good = true;
> - else
> - rc = trc;
> + if (display != LSMBLOB_INVALID && display != hp->lsmid->slot)
> + continue;
> + return hp->hook.audit_rule_init(field, op, rulestr,
> + [hp->lsmid->slot]);
> }
> - if (one_is_good)
> - return 0;
> - return rc;
> + return 0;
> }
>
> int security_audit_rule_known(struct audit_krule *krule)
> @@ -2805,6 +2842,8 @@ int security_audit_rule_match(struct lsmblob *blob, u32
> field, u32 op,
> continue;
> if (lsmrule[hp->lsmid->slot] == NULL)
> continue;
> + if (lsmrule[hp->lsmid->slot] == NULL)
> + continue;
> rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
> field, op,
> [hp->lsmid->slot]);
> diff --git a/security/smack/smackfs.c b/security/smack/smackfs.c
> index dcabf6bd8faa..15fa4b7eb2e6 100644
> --- a/security/smack/smackfs.c
> +++ b/security/smack/smackfs.c
> @@ -185,7 +185,8 @@ static void smk_netlabel_audit_set(struct netlbl_audit
> *nap)
>
> nap->loginuid = audit_get_loginuid(current);
> nap->sessionid = audit_get_sessionid(current);
> - nap->secid = skp->smk_secid;
> + lsmblob_init(>lsmdata, 0);
> + nap->lsmdata.secid[smack_lsmid.slot] = skp->smk_secid;
> }
>
> /*
>
--
James Morris
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v20 05/23] net: Prepare UDS for security module stacking
uff *skb,
>
> static void ip_cmsg_recv_security(struct msghdr *msg, struct sk_buff *skb)
> {
> + struct lsmblob lb;
> char *secdata;
> - u32 seclen, secid;
> + u32 seclen;
> int err;
>
> - err = security_socket_getpeersec_dgram(NULL, skb, );
> + err = security_socket_getpeersec_dgram(NULL, skb, );
> if (err)
> return;
>
> - err = security_secid_to_secctx(secid, , );
> + /* Scaffolding - it has to be element 0 */
> + err = security_secid_to_secctx(lb.secid[0], , );
> if (err)
> return;
>
> diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
> index 181ea6fb56a6..c15668b80d1d 100644
> --- a/net/unix/af_unix.c
> +++ b/net/unix/af_unix.c
> @@ -138,17 +138,17 @@ static struct hlist_head *unix_sockets_unbound(void
> *addr)
> #ifdef CONFIG_SECURITY_NETWORK
> static void unix_get_secdata(struct scm_cookie *scm, struct sk_buff *skb)
> {
> - UNIXCB(skb).secid = scm->secid;
> + UNIXCB(skb).lsmblob = scm->lsmblob;
> }
>
> static inline void unix_set_secdata(struct scm_cookie *scm, struct sk_buff
> *skb)
> {
> - scm->secid = UNIXCB(skb).secid;
> + scm->lsmblob = UNIXCB(skb).lsmblob;
> }
>
> static inline bool unix_secdata_eq(struct scm_cookie *scm, struct sk_buff
> *skb)
> {
> - return (scm->secid == UNIXCB(skb).secid);
> + return lsmblob_equal(>lsmblob, &(UNIXCB(skb).lsmblob));
> }
> #else
> static inline void unix_get_secdata(struct scm_cookie *scm, struct sk_buff
> *skb)
> diff --git a/security/security.c b/security/security.c
> index d6d882b1f7d5..c42873876954 100644
> --- a/security/security.c
> +++ b/security/security.c
> @@ -2219,10 +2219,22 @@ int security_socket_getpeersec_stream(struct socket
> *sock, char __user *optval,
> optval, optlen, len);
> }
>
> -int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff
> *skb, u32 *secid)
> +int security_socket_getpeersec_dgram(struct socket *sock, struct sk_buff
> *skb,
> + struct lsmblob *blob)
> {
> - return call_int_hook(socket_getpeersec_dgram, -ENOPROTOOPT, sock,
> - skb, secid);
> + struct security_hook_list *hp;
> + int rc = -ENOPROTOOPT;
> +
> + hlist_for_each_entry(hp, _hook_heads.socket_getpeersec_dgram,
> + list) {
> + if (WARN_ON(hp->lsmid->slot < 0 || hp->lsmid->slot >= lsm_slot))
> + continue;
> + rc = hp->hook.socket_getpeersec_dgram(sock, skb,
> + >secid[hp->lsmid->slot]);
> + if (rc != 0)
> + break;
> + }
> + return rc;
> }
> EXPORT_SYMBOL(security_socket_getpeersec_dgram);
>
>
--
James Morris
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
On Sat, 8 Aug 2020, Chuck Lever wrote: > My interest is in code integrity enforcement for executables stored > in NFS files. > > My struggle with IPE is that due to its dependence on dm-verity, it > does not seem to able to protect content that is stored separately > from its execution environment and accessed via a file access > protocol (FUSE, SMB, NFS, etc). It's not dependent on DM-Verity, that's just one possible integrity verification mechanism, and one of two supported in this initial version. The other is 'boot_verified' for a verified or otherwise trusted rootfs. Future versions will support FS-Verity, at least. IPE was designed to be extensible in this way, with a strong separation of mechanism and policy. Whatever is implemented for NFS should be able to plug in to IPE pretty easily. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
On Fri, 7 Aug 2020, Mimi Zohar wrote: > > > Are you planning to attend Plumbers? Perhaps we could propose a BoF > > > session on this topic. > > > > That sounds like a good idea. > > Other than it is already sold out. Mimi advised me off-list that she is able to attend, so I've submitted a BoF proposal: https://www.linuxplumbersconf.org/event/7/abstracts/732/ -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
On Thu, 6 Aug 2020, Mimi Zohar wrote: > On Thu, 2020-08-06 at 09:51 +1000, James Morris wrote: > > On Wed, 5 Aug 2020, Mimi Zohar wrote: > > > > > If block layer integrity was enough, there wouldn't have been a need > > > for fs-verity. Even fs-verity is limited to read only filesystems, > > > which makes validating file integrity so much easier. From the > > > beginning, we've said that fs-verity signatures should be included in > > > the measurement list. (I thought someone signed on to add that support > > > to IMA, but have not yet seen anything.) > > > > > > Going forward I see a lot of what we've accomplished being incorporated > > > into the filesystems. When IMA will be limited to defining a system > > > wide policy, I'll have completed my job. > > > > What are your thoughts on IPE being a standalone LSM? Would you prefer to > > see its functionality integrated into IMA? > > Improving the integrity subsystem would be preferred. > Are you planning to attend Plumbers? Perhaps we could propose a BoF session on this topic. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [dm-devel] [RFC PATCH v5 00/11] Integrity Policy Enforcement LSM (IPE)
On Wed, 5 Aug 2020, James Bottomley wrote: > I'll leave Mimi to answer, but really this is exactly the question that > should have been asked before writing IPE. However, since we have the > cart before the horse, let me break the above down into two specific > questions. The question is valid and it was asked. We decided to first prototype what we needed and then evaluate if it should be integrated with IMA. We discussed this plan in person with Mimi (at LSS-NA in 2019), and presented a more mature version of IPE to LSS-NA in 2020, with the expectation that such a discussion may come up (it did not). These patches are still part of this process and 'RFC' status. >1. Could we implement IPE in IMA (as in would extensions to IMA cover > everything). I think the answers above indicate this is a "yes". It could be done, if needed. >2. Should we extend IMA to implement it? This is really whether from a > usability standpoint two seperate LSMs would make sense to cover the > different use cases. One issue here is that IMA is fundamentally a measurement & appraisal scheme which has been extended to include integrity enforcement. IPE was designed from scratch to only perform integrity enforcement. As such, it is a cleaner design -- "do one thing and do it well" is a good design pattern. In our use-case, we utilize _both_ IMA and IPE, for attestation and code integrity respectively. It is useful to be able to separate these concepts. They really are different: - Code integrity enforcement ensures that code running locally is of known provenance and has not been modified prior to execution. - Attestation is about measuring the health of a system and having that measurement validated by a remote system. (Local attestation is useless). I'm not sure there is value in continuing to shoe-horn both of these into IMA. > I've got to say the least attractive thing > about separation is the fact that you now both have a policy parser. >You've tried to differentiate yours by making it more Kconfig > based, but policy has a way of becoming user space supplied because > the distros hate config options, so I think you're going to end up > with a policy parser very like IMAs. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v19 13/23] LSM: Specify which LSM to display
On Fri, 24 Jul 2020, Casey Schaufler wrote: > Create a new entry "display" in the procfs attr directory for > controlling which LSM security information is displayed for a > process. A process can only read or write its own display value. > > The name of an active LSM that supplies hooks for > human readable data may be written to "display" to set the > value. The name of the LSM currently in use can be read from > "display". At this point there can only be one LSM capable > of display active. A helper function lsm_task_display() is > provided to get the display slot for a task_struct. > > Setting the "display" requires that all security modules using > setprocattr hooks allow the action. Each security module is > responsible for defining its policy. > > AppArmor hook provided by John Johansen > SELinux hook provided by Stephen Smalley > > Reviewed-by: Kees Cook > Acked-by: Stephen Smalley > Acked-by: Paul Moore > Signed-off-by: Casey Schaufler jj: do you have any review/feedback on this? -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v19 21/23] Audit: Add a new record for multiple object LSM attributes
On Fri, 24 Jul 2020, Casey Schaufler wrote: > Create a new audit record type to contain the object information > when there are multiple security modules that require such data. > This record is emitted before the other records for the event, but > is linked with the same timestamp and serial number. > > Signed-off-by: Casey Schaufler > Cc: linux-audit@redhat.com These audit patches will need ack/review from Paul. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v19 17/23] LSM: security_secid_to_secctx in netlink netfilter
On Fri, 24 Jul 2020, Casey Schaufler wrote: > Change netlink netfilter interfaces to use lsmcontext > pointers, and remove scaffolding. > > Reviewed-by: Kees Cook > Reviewed-by: John Johansen > Acked-by: Stephen Smalley > Signed-off-by: Casey Schaufler > cc: net...@vger.kernel.org I'd like to see Paul's acks on any networking related changes. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE][CFP] Linux Security Summit North America 2020
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2020
24-26 JUNE
AUSTIN, TEXAS, USA
==
DESCRIPTION
Linux Security Summit North America (LSS-NA) is a technical forum for
collaboration between Linux developers, researchers, and end-users. Its
primary aim is to foster community efforts in analyzing and solving Linux
security challenges.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials
90 minutes in length.
Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this conference,
and those where the presenter a leading subject matter expert on the topic.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/linux-security-summit-north-america/program/cfp/
DATES
* CFP close:March 31
* CFP notifications:April 13
* Schedule announced: April 16
* Event:June 24-26
WHO SHOULD ATTEND
We're seeking a diverse range of attendees and welcome participation by
people involved in Linux security development, operations, and research.
LSS-NA is a unique global event that provides the opportunity to present and
discuss your work or research with key Linux security community members and
maintainers. It’s also useful for those who wish to keep up with the latest
in Linux security development and to provide input to the development
process.
WEB SITE
https://events.linuxfoundation.org/linux-security-summit-north-america/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
#linuxsecuritysummit
PROGRAM COMMITTEE
The program committee for LSS 2020 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH v2] security,lockdown,selinux: implement SELinux lockdown
On Wed, 27 Nov 2019, Stephen Smalley wrote:
> avc: denied { confidentiality } for pid=4628 comm="cp"
> lockdown_reason="/proc/kcore access"
> scontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
> tcontext=unconfined_u:unconfined_r:test_lockdown_integrity_t:s0-s0:c0.c1023
> tclass=lockdown permissive=0
>
> Signed-off-by: Stephen Smalley
> ---
> include/linux/lsm_audit.h | 2 ++
> include/linux/security.h| 2 ++
> security/lockdown/lockdown.c| 24 ---
> security/lsm_audit.c| 5 +
> security/security.c | 30 +
> security/selinux/hooks.c| 30 +
> security/selinux/include/classmap.h | 2 ++
> 7 files changed, 71 insertions(+), 24 deletions(-)
LGTM.
Reviewed-by: James Morris
--
James Morris
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [RFC PATCH v3] security,capability: pass object information to security_capable
On Thu, 15 Aug 2019, Aaron Goidel wrote: > In SELinux this new information is leveraged here to perform an > additional inode based check for capabilities relevant to inodes. Since > the inode provided to capable_wrt_inode_uidgid() is a const argument, > this also required propagating const down to dump_common_audit_data() and > dropping the use of d_find_alias() to find an alias for the inode. This > was sketchy to begin with and should be obsoleted by a separate change > that will allow LSMs to trigger audit collection for all file-related > information. Will the audit logs look the same once the 2nd patch is applied? We need to be careful about breaking existing userland. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: Preferred subj= with multiple LSMs
On Tue, 23 Jul 2019, Simon McVittie wrote: > On Mon, 22 Jul 2019 at 18:30:35 -0400, Paul Moore wrote: > > On Mon, Jul 22, 2019 at 6:01 PM Casey Schaufler > > wrote: > > > I suggest that if supporting dbus well is assisted by > > > making reasonable restrictions on what constitutes a valid LSM > > > "context" that we have a good reason. > > > > I continue to believe that restrictions on the label format are a bad > > idea > > Does this include the restriction "the label does not include \0", > which is an assumption that dbus is already relying on since I checked > it in the thread around > <https://marc.info/?l=linux-security-module=142323508321029=2>? > Or is that restriction so fundamental that it's considered OK? Security labels are strings, so this is implied. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: Preferred subj= with multiple LSMs
On Fri, 19 Jul 2019, Paul Moore wrote: > > We've never had to think about having general rules on > > what security modules do before, because with only one > > active each could do whatever it wanted without fear of > > conflict. If there is already a character that none of > > the existing modules use, how would it be wrong to > > reserve it? > > "We've never had to think about having general rules on what security > modules do before..." > > We famously haven't imposed restrictions on the label format before > now, and this seems like a pretty poor reason to start. Agreed. -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: Preferred subj= with multiple LSMs
On Tue, 16 Jul 2019, Paul Moore wrote: > The subj_X approach is still backwards compatible, the difference is > that old versions of the tools get a "?" for the LSM creds which is a > rather sane way of indicating something is different. This will still break existing userspace, right? We can't do that. > Once again, I believe that the subj_X approach is going to be faster > than safely parsing the multiplexed format. What about emitting one audit record for each LSM? -- James Morris -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE][CFP] Linux Security Summit North America 2019
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2019
19-21 August
SAN DIEGO, CA, USA
==
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
LSS will be held this year as two separate events, one in North America
(LSS-NA), and one in Europe (LSS-EU), to facilitate broader participation in
Linux Security development. Note that this CFP is for LSS-NA; a separate CFP
will be announced for LSS-EU in May. We encourage everyone to attend both
events.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* Tutorials (NEW for 2019)
90 minutes in length.
* Hackfest Sessions (NEW for 2019)
1/2 day.
Note that LSS NA is now a 3-day event. The third day will be a mix of
tutorials and hackfest sessions:
* Tutorial sessions should be focused on advanced Linux security defense
topics within areas such as the kernel, compiler, and security-related
libraries. Priority will be given to tutorials created for this
conference.
* Hackfest proposals should aim to solve, or make significant progress on
a well-defined problem in the Linux security defense space, and be
supported by multiple community developers.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity policy and enforcement
* Hardware Security
* IoT and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/events/linux-security-summit-north-america-2019/program/cfp/
DATES
* CFP Close: May 31, 2019
* CFP Notifications: June 17, 2019
* Schedule Announced: June 19, 2019
* Event: August 19-21, 2019
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It’s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
https://events.linuxfoundation.org/events/linux-security-summit-north-america-2019/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS 2019 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Cisco
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v2 1/4] seccomp: Separate read and write code for actions_logged sysctl
On Wed, 2 May 2018, Tyler Hicks wrote: > Break the read and write paths of the kernel.seccomp.actions_logged > sysctl into separate functions to maintain readability. An upcoming > change will need to audit writes, but not reads, of this sysctl which > would introduce too many conditional code paths on whether or not the > 'write' parameter evaluates to true. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Reviewed-by: James Morris <james.mor...@microsoft.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v2 3/4] seccomp: Audit attempts to modify the actions_logged sysctl
On Wed, 2 May 2018, Tyler Hicks wrote: > type=CONFIG_CHANGE msg=audit(1525275325.613:142): op=seccomp-logging > actions=kill_process,kill_thread,errno,trace,log > old-actions=kill_process,kill_thread,errno,trace,log res=1 > > No audit records are generated when reading the actions_logged sysctl. > > Suggested-by: Steve Grubb <sgr...@redhat.com> > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Reviewed-by: James Morris <james.mor...@microsoft.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH v2 2/4] seccomp: Configurable separator for the actions_logged string
On Wed, 2 May 2018, Tyler Hicks wrote: > The function that converts a bitmask of seccomp actions that are > allowed to be logged is currently only used for constructing the display > string for the kernel.seccomp.actions_logged sysctl. That string wants a > space character to be used for the separator between actions. > > A future patch will make use of the same function for building a string > that will be sent to the audit subsystem for tracking modifications to > the kernel.seccomp.actions_logged sysctl. That string will need to use a > comma as a separator. This patch allows the separator character to be > configurable to meet both needs. > > Signed-off-by: Tyler Hicks <tyhi...@canonical.com> Reviewed-by: James Morris <james.mor...@microsoft.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE] Linux Security Summit North America 2018 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT NORTH AMERICA 2018
27-28 August
VANCOUVER, CANADA
==
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
LSS will be held this year as two separate events, one in North America
(LSS-NA), and one in Europe (LSS-EU), to facilitate broader participation in
Linux Security development. Note that this CFP is for LSS-NA; a separate CFP
will be announced for LSS-EU in May. We encourage everyone to attend both
events.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length.
* Panel Discussion Topics:
45 minutes in length.
* Short Topics:
30 minutes in total, including at least 10 minutes discussion.
* BoF Sessions.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* Iot and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
https://events.linuxfoundation.org/events/linux-security-summit-north-america-2018/program/cfp/
DATES
* CFP Close: June 3, 2018
* CFP Notifications: June 11, 2018
* Schedule Announced: June 25, 2018
* Event: August 27-28, 2018
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It’s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
https://events.linuxfoundation.org/events/linux-security-summit-north-america-2018/
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS 2018 is:
* James Morris, Microsoft
* Serge Hallyn, Cisco
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] Audit: remove unused audit_log_secctx function
On Tue, 24 Oct 2017, Casey Schaufler wrote: > The function audit_log_secctx() is unused in the upstream kernel. > All it does is wrap another function that doesn't need wrapping. > It claims to give you the SELinux context, but that is not true if > you are using a different security module. > > Signed-off-by: Casey Schaufler <ca...@schaufler-ca.com> Reviewed-by: James Morris <james.l.mor...@oracle.com> -- James Morris <james.l.mor...@oracle.com> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id
On Thu, 19 Oct 2017, Richard Guy Briggs wrote: > On 2017-10-11 20:57, Richard Guy Briggs wrote: > > The audit subsystem is adding a BPRM_FCAPS record when auditing setuid > > application execution (SYSCALL execve). This is not expected as it was > > supposed to be limited to when the file system actually had capabilities > > in an extended attribute. It lists all capabilities making the event > > really ugly to parse what is happening. The PATH record correctly > > records the setuid bit and owner. Suppress the BPRM_FCAPS record on > > set*id. > > > > Serge? James? Can one of you two take this via your trees since Paul > has backed down citing (reasonably) that it is mostly capabilities > patches rather than audit? Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security.git next-general -- James Morris <james.l.mor...@oracle.com> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH GHAK16 V5 00/10] capabilities: do not audit log BPRM_FCAPS on set*id
On Thu, 19 Oct 2017, Richard Guy Briggs wrote: > On 2017-10-11 20:57, Richard Guy Briggs wrote: > > The audit subsystem is adding a BPRM_FCAPS record when auditing setuid > > application execution (SYSCALL execve). This is not expected as it was > > supposed to be limited to when the file system actually had capabilities > > in an extended attribute. It lists all capabilities making the event > > really ugly to parse what is happening. The PATH record correctly > > records the setuid bit and owner. Suppress the BPRM_FCAPS record on > > set*id. > > > > Serge? James? Can one of you two take this via your trees since Paul > has backed down citing (reasonably) that it is mostly capabilities > patches rather than audit? > Sure, I will take it. > > See: https://github.com/linux-audit/audit-kernel/issues/16 > > > > The first to eighth patches just massage the logic to make it easier to > > understand. Some of them could be squashed together. > > > > The patch that resolves this issue is the ninth. > > > > It would be possible to address the original issue with a change of > > "!uid_eq(new->euid, root_uid) || !uid_eq(new->uid, root_uid)" > > to > > "!(uid_eq(new->euid, root_uid) || uid_eq(new->uid, root_uid))" > > but it took me long enough to understand this logic that I don't think > > I'd be doing any favours by leaving it this difficult to understand. > > > > The final patch attempts to address all the conditions that need logging > > based on mailing list conversations, recoginizing there is probably some > > duplication in the logic. > > > > Passes: (ltp 20170516) > > ./runltp -f syscalls -s cap > > ./runltp -f securebits > > ./runltp -f cap_bounds > > ./runltp -f filecaps > > make TARGETS=capabilities kselftest (when run locally, fails over nfs) > > > > Since this is mostly capabilities related rather than audit, could this go > > through the capabilites (Serge) or security (James) trees please? Thanks! > > > > v5 > > rebase on linux-security/next 4.14-rc2 > > added comment block header to handle_privileged_root() > > moved comment in handle_privileged_root() > > moved root_privileged() check back into handle_privileged_root() > > > > v4 > > rebase on kees' 4.13 commoncap changes > > minor local func renames > > > > v3 > > refactor into several sub-functions > > convert most macros to inline funcs > > > > v2 > > use macros to clarify intent of calculations > > fix original logic error > > address additional audit logging conditions > > > > Richard Guy Briggs (10): > > capabilities: factor out cap_bprm_set_creds privileged root > > capabilities: intuitive names for cap gain status > > capabilities: rename has_cap to has_fcap > > capabilities: use root_priveleged inline to clarify logic > > capabilities: use intuitive names for id changes > > capabilities: move audit log decision to function > > capabilities: remove a layer of conditional logic > > capabilities: invert logic for clarity > > capabilities: fix logic for effective root or real root > > capabilities: audit log other surprising conditions > > > > security/commoncap.c | 193 > > ++- > > 1 file changed, 128 insertions(+), 65 deletions(-) > > > > -- > > 1.8.3.1 > > > > -- > > To unsubscribe from this list: send the line "unsubscribe > > linux-security-module" in > > the body of a message to majord...@vger.kernel.org > > More majordomo info at http://vger.kernel.org/majordomo-info.html > > - RGB > > -- > Richard Guy Briggs <r...@redhat.com> > Sr. S/W Engineer, Kernel Security, Base Operating Systems > Remote, Ottawa, Red Hat Canada > IRC: rgb, SunRaycer > Voice: +1.647.777.2635, Internal: (81) 32635 > -- James Morris <james.l.mor...@oracle.com> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V4 01/10] capabilities: factor out cap_bprm_set_creds privileged root
On Tue, 5 Sep 2017, Richard Guy Briggs wrote: > Factor out the case of privileged root from the function > cap_bprm_set_creds() to make the latter easier to read and analyse. > > Suggested-by: Serge Hallyn <se...@hallyn.com> > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > Reviewed-by: Serge Hallyn <se...@hallyn.com> > --- > security/commoncap.c | 63 +++-- > 1 files changed, 35 insertions(+), 28 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 06/10] capabilities: move audit log decision to function
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Move the audit log decision logic to its own function to isolate the > complexity in one place. > > Suggested-by: Serge Hallyn <se...@hallyn.com> > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c | 50 > ++ > 1 files changed, 30 insertions(+), 20 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 05/10] capabilities: use intuitive names for id changes
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Introduce a number of inlines to make the use of the negation of > uid_eq() easier to read and analyse. > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c | 26 +- > 1 files changed, 21 insertions(+), 5 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 04/10] capabilities: use root_priveleged inline to clarify logic
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Introduce inline root_privileged() to make use of SECURE_NONROOT > easier to read. > > Suggested-by: Serge Hallyn <se...@hallyn.com> > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c |9 + > 1 files changed, 5 insertions(+), 4 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 10/10] capabilities: audit log other surprising conditions
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > The existing condition tested for process effective capabilities set by file > attributes but intended to ignore the change if the result was unsurprisingly > an > effective full set in the case root is special with a setuid root executable > file and we are root. > > Stated again: > - When you execute a setuid root application, it is no surprise and expected > that it got all capabilities, so we do not want capabilities recorded. > if (pE_grew && !(pE_fullset && (eff_root || real_root) && > root_priveleged) ) > > Now make sure we cover other cases: > - If something prevented a setuid root app getting all capabilities and it > wound up with one capability only, then it is a surprise and should be logged. > When it is a setuid root file, we only want capabilities when the process does > not get full capabilities.. > root_priveleged && setuid_root && !pE_fullset > > - Similarly if a non-setuid program does pick up capabilities due to file > system > based capabilities, then we want to know what capabilities were picked up. > When it has file system based capabilities we want the capabilities. > !is_setuid && (has_fcap && pP_gained) > > - If it is a non-setuid file and it gets ambient capabilities, we want the > capabilities. > !is_setuid && pA_gained > > - These last two are combined into one due to the common first parameter. > > Related: https://github.com/linux-audit/audit-kernel/issues/16 > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 07/10] capabilities: remove a layer of conditional logic
On Wed, 23 Aug 2017, Richard Guy Briggs wrote:
> Remove a layer of conditional logic to make the use of conditions
> easier to read and analyse.
>
> Signed-off-by: Richard Guy Briggs <r...@redhat.com>
Acked-by: James Morris <james.l.mor...@oracle.com>
> ---
> security/commoncap.c | 13 ++---
> 1 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/security/commoncap.c b/security/commoncap.c
> index 5d81354..ffcaff0 100644
> --- a/security/commoncap.c
> +++ b/security/commoncap.c
> @@ -551,13 +551,12 @@ static inline bool nonroot_raised_pE(struct cred *cred,
> kuid_t root)
> {
> bool ret = false;
>
> - if (cap_grew(effective, ambient, cred)) {
> - if (!cap_full(effective, cred) ||
> - !is_eff(root, cred) || !is_real(root, cred) ||
> - !root_privileged()) {
> - ret = true;
> - }
> - }
> + if (cap_grew(effective, ambient, cred) &&
> + (!cap_full(effective, cred) ||
> + !is_eff(root, cred) ||
> + !is_real(root, cred) ||
> + !root_privileged()))
> + ret = true;
> return ret;
> }
>
>
--
James Morris
<jmor...@namei.org>
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 03/10] capabilities: rename has_cap to has_fcap
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Rename has_cap to has_fcap to clarify it applies to file capabilities > since the entire source file is about capabilities. > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c | 20 ++-- > 1 files changed, 10 insertions(+), 10 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 08/10] capabilities: invert logic for clarity
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > The way the logic was presented, it was awkward to read and verify. Invert > the > logic using DeMorgan's Law to be more easily able to read and understand. > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> Acked-by: James Morris <james.l.mor...@oracle.com> > --- > security/commoncap.c |8 > 1 files changed, 4 insertions(+), 4 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index ffcaff0..eb2da69 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -552,10 +552,10 @@ static inline bool nonroot_raised_pE(struct cred *cred, > kuid_t root) > bool ret = false; > > if (cap_grew(effective, ambient, cred) && > - (!cap_full(effective, cred) || > - !is_eff(root, cred) || > - !is_real(root, cred) || > - !root_privileged())) > + !(cap_full(effective, cred) && > + is_eff(root, cred) && > + is_real(root, cred) && > + root_privileged())) > ret = true; > return ret; > } > -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 02/10] capabilities: intuitive names for cap gain status
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Introduce macros cap_gained, cap_grew, cap_full to make the use of the > negation of is_subset() easier to read and analyse. > > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c | 16 ++-- > 1 files changed, 10 insertions(+), 6 deletions(-) Acked-by: James Morris <james.l.mor...@oracle.com> -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH V3 01/10] capabilities: factor out cap_bprm_set_creds privileged root
On Wed, 23 Aug 2017, Richard Guy Briggs wrote: > Factor out the case of privileged root from the function > cap_bprm_set_creds() to make the latter easier to read and analyse. > > Suggested-by: Serge Hallyn <se...@hallyn.com> > Signed-off-by: Richard Guy Briggs <r...@redhat.com> > --- > security/commoncap.c | 62 +++-- > 1 files changed, 34 insertions(+), 28 deletions(-) > > diff --git a/security/commoncap.c b/security/commoncap.c > index 78b3783..b7fbf77 100644 > --- a/security/commoncap.c > +++ b/security/commoncap.c > @@ -481,6 +481,38 @@ static int get_file_caps(struct linux_binprm *bprm, bool > *effective, bool *has_c > return rc; > } > > +void handle_privileged_root(struct linux_binprm *bprm, bool has_cap, bool > *effective, kuid_t root_uid) Can this be static? -- James Morris <jmor...@namei.org> -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[ANNOUNCE] Linux Security Summit 2017 - CFP
==
ANNOUNCEMENT AND CALL FOR PARTICIPATION
LINUX SECURITY SUMMIT 2017
14-15 September
LOS ANGELES, USA
==
DESCRIPTION
The Linux Security Summit (LSS) is a technical forum for collaboration
between Linux developers, researchers, and end users. Its primary aim is to
foster community efforts in analyzing and solving Linux security challenges.
LSS this year will be co-located with the Open Source Summit and the Linux
Plumbers Conference.
The program committee currently seeks proposals for:
* Refereed Presentations:
45 minutes in length, including at least 10 minutes of discussion.
* Discussion Topics:
30 minutes in length.
Topic areas include, but are not limited to:
* Kernel self-protection
* Access control
* Cryptography and key management
* Integrity control
* Hardware Security
* Iot and embedded security
* Virtualization and containers
* System-specific system hardening
* Case studies
* Security tools
* Security UX
* Emerging technologies, threats & techniques
Proposals should be submitted via:
http://events.linuxfoundation.org/events/linux-security-summit/program/cfp
DATES
* CFP Close: June 5, 2017
* CFP Notifications: June 12, 2017
* Schedule Announced: June 19, 2017
* Slide Submission: August 31, 2017
WHO SHOULD ATTEND
We're seeking a diverse range of attendees, and welcome participation by
people involved in Linux security development, operations, and research.
The LSS is a unique global event which provides the opportunity to present
and discuss your work or research with key Linux security community members
and maintainers. It’s also useful for those who wish to keep up with the
latest in Linux security development, and to provide input to the
development process.
WEB SITE
http://events.linuxfoundation.org/events/linux-security-summit
TWITTER
For event updates and announcements, follow:
https://twitter.com/LinuxSecSummit
PROGRAM COMMITTEE
The program committee for LSS 2017 is:
* James Morris, Oracle
* Serge Hallyn, Canonical
* Paul Moore, Red Hat
* Stephen Smalley, NSA
* Elena Reshetova, Intel
* John Johansen, Canonical
* Kees Cook, Google
* Casey Schaufler, Intel
* Mimi Zohar, IBM
* David A. Wheeler, Institute for Defense Analyses
The program committee may be contacted as a group via email:
lss-pc () lists.linuxfoundation.org--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] lsm: copy comm before calling audit_log to avoid race in string printing
On Tue, 14 Apr 2015, Richard Guy Briggs wrote: When task-comm is passed directly to audit_log_untrustedstring() without getting a copy or using the task_lock, there is a race that could happen that would output a NULL (\0) in the middle of the output string that would effectively truncate the rest of the report text after the comm= field in the audit log message, losing fields. Using get_task_comm() to get a copy while acquiring the task_lock to prevent this and to prevent the result from being a mixture of old and new values of comm would incur potentially unacceptable overhead, considering that the value can be influenced by userspace and therefore untrusted anyways. Copy the value before passing it to audit_log_untrustedstring() ensures that a local copy is used to calculate the length *and* subsequently printed. Even if this value contains a mix of old and new values, it will only calculate and copy up to the first NULL, preventing the rest of the audit log message being truncated. Use a second local copy of comm to avoid a race between the first and second calls to audit_log_untrustedstring() with comm. Reported-by: Tetsuo Handa penguin-ker...@i-love.sakura.ne.jp Signed-off-by: Richard Guy Briggs r...@redhat.com Applied. -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH -v3] SELinux: Convert avc_audit to use lsm_audit.h
On Fri, 14 Aug 2009, Stephen Smalley wrote: Acked-by: Stephen Smalley s...@tycho.nsa.gov Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] SELinux: define audit permissions for audit tree netlink messages
On Tue, 2 Jun 2009, Eric Paris wrote:
Audit trees defined 2 new netlink messages but the netlink mapping tables for
selinux permissions were not set up. This patch maps these 2 new operations
to AUDIT_WRITE.
Signed-off-by: Eric Paris epa...@redhat.com
Applied to
git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next
---
security/selinux/nlmsgtab.c |2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/security/selinux/nlmsgtab.c b/security/selinux/nlmsgtab.c
index c6875fd..dd7cc6d 100644
--- a/security/selinux/nlmsgtab.c
+++ b/security/selinux/nlmsgtab.c
@@ -112,6 +112,8 @@ static struct nlmsg_perm nlmsg_audit_perms[] =
{ AUDIT_DEL_RULE, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
{ AUDIT_USER, NETLINK_AUDIT_SOCKET__NLMSG_RELAY},
{ AUDIT_SIGNAL_INFO,NETLINK_AUDIT_SOCKET__NLMSG_READ },
+ { AUDIT_TRIM, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
+ { AUDIT_MAKE_EQUIV, NETLINK_AUDIT_SOCKET__NLMSG_WRITE},
{ AUDIT_TTY_GET,NETLINK_AUDIT_SOCKET__NLMSG_READ },
{ AUDIT_TTY_SET,NETLINK_AUDIT_SOCKET__NLMSG_TTY_AUDIT },
};
--
James Morris
jmor...@namei.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 0/2] security/smack implement logging V3
On Wed, 8 Apr 2009, Etienne Basset wrote: Hello, the following 2 patches implements auditing of security events for Smack. patch 1 : created common LSM auditing code patch 2 : convert smack to use it Applied to git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6#next Note: Please ensure that each patch has a distinct and descriptive subject line. Also, the format for the subject is: [PATCH x/y] subsystem: short description See section 15 of Documentation/SubmittingPatches. -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 1/15] don't reallocate buffer in every audit_sockaddr()
On Wed, 17 Dec 2008, Al Viro wrote:
No need to do that more than once per process lifetime; allocating/freeing
on each sendto/accept/etc. is bloody pointless.
Signed-off-by: Al Viro v...@zeniv.linux.org.uk
Reviewed-by: James Morris jmor...@namei.org
---
kernel/auditsc.c | 46 ++
1 files changed, 22 insertions(+), 24 deletions(-)
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 2a3f0af..aca9ddb 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -162,12 +162,6 @@ struct audit_aux_data_socketcall {
unsigned long args[0];
};
-struct audit_aux_data_sockaddr {
- struct audit_aux_data d;
- int len;
- chara[0];
-};
-
struct audit_aux_data_fd_pair {
struct audit_aux_data d;
int fd[2];
@@ -208,7 +202,8 @@ struct audit_context {
struct audit_context *previous; /* For nested syscalls */
struct audit_aux_data *aux;
struct audit_aux_data *aux_pids;
-
+ struct sockaddr_storage *sockaddr;
+ size_t sockaddr_len;
/* Save things to print about task_struct */
pid_t pid, ppid;
uid_t uid, euid, suid, fsuid;
@@ -891,6 +886,7 @@ static inline void audit_free_context(struct
audit_context *context)
free_tree_refs(context);
audit_free_aux(context);
kfree(context-filterkey);
+ kfree(context-sockaddr);
kfree(context);
context = previous;
} while (context);
@@ -1322,13 +1318,6 @@ static void audit_log_exit(struct audit_context
*context, struct task_struct *ts
audit_log_format(ab, a%d=%lx, i,
axs-args[i]);
break; }
- case AUDIT_SOCKADDR: {
- struct audit_aux_data_sockaddr *axs = (void *)aux;
-
- audit_log_format(ab, saddr=);
- audit_log_n_hex(ab, axs-a, axs-len);
- break; }
-
case AUDIT_FD_PAIR: {
struct audit_aux_data_fd_pair *axs = (void *)aux;
audit_log_format(ab, fd0=%d fd1=%d, axs-fd[0],
axs-fd[1]);
@@ -1338,6 +1327,16 @@ static void audit_log_exit(struct audit_context
*context, struct task_struct *ts
audit_log_end(ab);
}
+ if (context-sockaddr_len) {
+ ab = audit_log_start(context, GFP_KERNEL, AUDIT_SOCKADDR);
+ if (ab) {
+ audit_log_format(ab, saddr=);
+ audit_log_n_hex(ab, (void *)context-sockaddr,
+ context-sockaddr_len);
+ audit_log_end(ab);
+ }
+ }
+
for (aux = context-aux_pids; aux; aux = aux-next) {
struct audit_aux_data_pids *axs = (void *)aux;
@@ -1604,6 +1603,7 @@ void audit_syscall_exit(int valid, long return_code)
context-aux_pids = NULL;
context-target_pid = 0;
context-target_sid = 0;
+ context-sockaddr_len = 0;
kfree(context-filterkey);
context-filterkey = NULL;
tsk-audit_context = context;
@@ -2354,22 +2354,20 @@ int __audit_fd_pair(int fd1, int fd2)
*/
int audit_sockaddr(int len, void *a)
{
- struct audit_aux_data_sockaddr *ax;
struct audit_context *context = current-audit_context;
if (likely(!context || context-dummy))
return 0;
- ax = kmalloc(sizeof(*ax) + len, GFP_KERNEL);
- if (!ax)
- return -ENOMEM;
-
- ax-len = len;
- memcpy(ax-a, a, len);
+ if (!context-sockaddr) {
+ void *p = kmalloc(sizeof(struct sockaddr_storage), GFP_KERNEL);
+ if (!p)
+ return -ENOMEM;
+ context-sockaddr = p;
+ }
- ax-d.type = AUDIT_SOCKADDR;
- ax-d.next = context-aux;
- context-aux = (void *)ax;
+ context-sockaddr_len = len;
+ memcpy(context-sockaddr, a, len);
return 0;
}
--
1.5.6.5
--
To unsubscribe from this list: send the line unsubscribe linux-kernel in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
--
James Morris
jmor...@namei.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 2/15] sanitize audit_socketcall
On Wed, 17 Dec 2008, Al Viro wrote: * don't bother with allocations * now that it can't fail, make it return void Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 3/15] sanitize audit_ipc_obj()
On Wed, 17 Dec 2008, Al Viro wrote:
+ struct {
+ uid_t uid;
+ gid_t gid;
+ mode_t mode;
+ u32 osid;
+ } ipc;
'osid' should be converted into 'secid' someday.
Reviewed-by: James Morris jmor...@namei.org
--
James Morris
jmor...@namei.org
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 4/15] sanitize audit_ipc_set_perm()
On Wed, 17 Dec 2008, Al Viro wrote: * get rid of allocations * make it return void * simplify callers Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 5/15] sanitize audit_mq_getsetattr()
On Wed, 17 Dec 2008, Al Viro wrote: * get rid of allocations * make it return void * don't duplicate parts of audit_dummy_context() Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 9/15] sanitize audit_fd_pair()
On Wed, 17 Dec 2008, Al Viro wrote: * no allocations * return void Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 10/15] audit_update_lsm_rules() misses the audit_inode_hash[] ones
On Wed, 17 Dec 2008, Al Viro wrote: Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 11/15] fixing audit rule ordering mess, part 1
On Wed, 17 Dec 2008, Al Viro wrote: Problem: ordering between the rules on exit chain is currently lost; all watch and inode rules are listed after everything else _and_ exit,never on one kind doesn't stop exit,always on another from being matched. Solution: assign priorities to rules, keep track of the current highest-priority matching rule and its result (always/never). Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 12/15] audit rules ordering, part 2
On Wed, 17 Dec 2008, Al Viro wrote: Fix the actual rule listing; add per-type lists _not_ used for matching, with all exit,... sitting on one such list. Simplifies do something for all rules logics, while we are at it... Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 14/15] clean up audit_rule_{add,del} a bit
On Wed, 17 Dec 2008, Al Viro wrote: Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 15/15] audit: validate comparison operations, store them in sane form
On Wed, 17 Dec 2008, Al Viro wrote: Don't store the field-op in the messy (and very inconvenient for e.g. audit_comparator()) form; translate to dense set of values and do full validation of userland-submitted value while we are at it. -audit_init_rule() and -audit_match_rule() get new values now; in-tree instances updated. Signed-off-by: Al Viro v...@zeniv.linux.org.uk Reviewed-by: James Morris jmor...@namei.org -- James Morris jmor...@namei.org -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[PATCH 01/12] LSM: Introduce inode_getsecid and ipc_getsecid hooks
From: Ahmed S. Darwish [EMAIL PROTECTED]
Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid)
LSM hooks. These hooks will be used instead of similar exported
SELinux interfaces.
Let {inode,ipc,task}_getsecid hooks set the secid to 0 by default
if CONFIG_SECURITY is not defined or if the hook is set to
NULL (dummy). This is done to notify the caller that no valid
secid exists.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/security.h | 30 +-
security/dummy.c | 16 +++-
security/security.c | 10 ++
3 files changed, 54 insertions(+), 2 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index c673dfd..45717d9 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -468,6 +468,11 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
* @dentry is the dentry being changed.
* Return 0 on success. If error is returned, then the operation
* causing setuid bit removal is failed.
+ * @inode_getsecid:
+ * Get the secid associated with the node.
+ * @inode contains a pointer to the inode.
+ * @secid contains a pointer to the location where result will be saved.
+ * In case of failure, @secid will be set to zero.
*
* Security hooks for file operations
*
@@ -636,6 +641,8 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
* @task_getsecid:
* Retrieve the security identifier of the process @p.
* @p contains the task_struct for the process and place is into @secid.
+ * In case of failure, @secid will be set to zero.
+ *
* @task_setgroups:
* Check permission before setting the supplementary group set of the
* current process.
@@ -997,6 +1004,11 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
* @ipcp contains the kernel IPC permission structure
* @flag contains the desired (requested) permission set
* Return 0 if permission is granted.
+ * @ipc_getsecid:
+ * Get the secid associated with the ipc object.
+ * @ipcp contains the kernel IPC permission structure.
+ * @secid contains a pointer to the location where result will be saved.
+ * In case of failure, @secid will be set to zero.
*
* Security hooks for individual messages held in System V IPC message queues
* @msg_msg_alloc_security:
@@ -1317,6 +1329,7 @@ struct security_operations {
int (*inode_getsecurity)(const struct inode *inode, const char *name,
void **buffer, bool alloc);
int (*inode_setsecurity)(struct inode *inode, const char *name, const
void *value, size_t size, int flags);
int (*inode_listsecurity)(struct inode *inode, char *buffer, size_t
buffer_size);
+ void (*inode_getsecid)(const struct inode *inode, u32 *secid);
int (*file_permission) (struct file * file, int mask);
int (*file_alloc_security) (struct file * file);
@@ -1369,6 +1382,7 @@ struct security_operations {
void (*task_to_inode)(struct task_struct *p, struct inode *inode);
int (*ipc_permission) (struct kern_ipc_perm * ipcp, short flag);
+ void (*ipc_getsecid) (struct kern_ipc_perm *ipcp, u32 *secid);
int (*msg_msg_alloc_security) (struct msg_msg * msg);
void (*msg_msg_free_security) (struct msg_msg * msg);
@@ -1578,6 +1592,7 @@ int security_inode_killpriv(struct dentry *dentry);
int security_inode_getsecurity(const struct inode *inode, const char *name,
void **buffer, bool alloc);
int security_inode_setsecurity(struct inode *inode, const char *name, const
void *value, size_t size, int flags);
int security_inode_listsecurity(struct inode *inode, char *buffer, size_t
buffer_size);
+void security_inode_getsecid(const struct inode *inode, u32 *secid);
int security_file_permission(struct file *file, int mask);
int security_file_alloc(struct file *file);
void security_file_free(struct file *file);
@@ -1622,6 +1637,7 @@ int security_task_prctl(int option, unsigned long arg2,
unsigned long arg3,
void security_task_reparent_to_init(struct task_struct *p);
void security_task_to_inode(struct task_struct *p, struct inode *inode);
int security_ipc_permission(struct kern_ipc_perm *ipcp, short flag);
+void security_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid);
int security_msg_msg_alloc(struct msg_msg *msg);
void security_msg_msg_free(struct msg_msg *msg);
int security_msg_queue_alloc(struct msg_queue *msq);
@@ -2022,6 +2038,11 @@ static inline int security_inode_listsecurity(struct
inode *inode, char *buffer,
return 0;
}
+static inline void security_inode_getsecid(const struct inode *inode, u32
*secid)
+{
+ *secid = 0;
+}
+
static inline int security_file_permission (struct file *file, int mask
[PATCH 02/12] SELinux: setup new inode/ipc getsecid hooks
From: Ahmed S. Darwish [EMAIL PROTECTED]
Setup the new inode_getsecid and ipc_getsecid() LSM hooks
for SELinux.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
security/selinux/hooks.c | 19 +--
1 files changed, 17 insertions(+), 2 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index d39b59c..65bf7f7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -2743,6 +2743,12 @@ static int selinux_inode_killpriv(struct dentry *dentry)
return secondary_ops-inode_killpriv(dentry);
}
+static void selinux_inode_getsecid(const struct inode *inode, u32 *secid)
+{
+ struct inode_security_struct *isec = inode-i_security;
+ *secid = isec-sid;
+}
+
/* file security operations */
static int selinux_revalidate_file_permission(struct file *file, int mask)
@@ -3139,7 +3145,8 @@ static int selinux_task_getsid(struct task_struct *p)
static void selinux_task_getsecid(struct task_struct *p, u32 *secid)
{
- selinux_get_task_sid(p, secid);
+ struct task_security_struct *tsec = p-security;
+ *secid = tsec-sid;
}
static int selinux_task_setgroups(struct group_info *group_info)
@@ -4109,7 +4116,7 @@ static int selinux_socket_getpeersec_dgram(struct socket
*sock, struct sk_buff *
goto out;
if (sock family == PF_UNIX)
- selinux_get_inode_sid(SOCK_INODE(sock), peer_secid);
+ selinux_inode_getsecid(SOCK_INODE(sock), peer_secid);
else if (skb)
selinux_skb_peerlbl_sid(skb, family, peer_secid);
@@ -4989,6 +4996,12 @@ static int selinux_ipc_permission(struct kern_ipc_perm
*ipcp, short flag)
return ipc_has_perm(ipcp, av);
}
+static void selinux_ipc_getsecid(struct kern_ipc_perm *ipcp, u32 *secid)
+{
+ struct ipc_security_struct *isec = ipcp-security;
+ *secid = isec-sid;
+}
+
/* module stacking operations */
static int selinux_register_security (const char *name, struct
security_operations *ops)
{
@@ -5299,6 +5312,7 @@ static struct security_operations selinux_ops = {
.inode_listsecurity = selinux_inode_listsecurity,
.inode_need_killpriv = selinux_inode_need_killpriv,
.inode_killpriv = selinux_inode_killpriv,
+ .inode_getsecid = selinux_inode_getsecid,
.file_permission = selinux_file_permission,
.file_alloc_security = selinux_file_alloc_security,
@@ -5339,6 +5353,7 @@ static struct security_operations selinux_ops = {
.task_to_inode =selinux_task_to_inode,
.ipc_permission = selinux_ipc_permission,
+ .ipc_getsecid = selinux_ipc_getsecid,
.msg_msg_alloc_security = selinux_msg_msg_alloc_security,
.msg_msg_free_security =selinux_msg_msg_free_security,
--
1.5.4.2
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Security testing tree patch review for 2.6.26
Please review the following security patches for 2.6.26, which have been undergoing testing in the next tree and affect multiple LSMs. The following changes since commit 4b119e21d0c66c22e8ca03df05d9de623d0eb50f: Linus Torvalds (1): Linux 2.6.25 are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/security-testing-2.6.git for-linus Ahmed S. Darwish (10): LSM: Introduce inode_getsecid and ipc_getsecid hooks SELinux: setup new inode/ipc getsecid hooks Audit: use new LSM hooks instead of SELinux exports Netlink: Use generic LSM hook SELinux: remove redundant exports LSM/Audit: Introduce generic Audit LSM hooks Audit: internally use the new LSM audit hooks SELinux: use new audit hooks, remove redundant exports Audit: Final renamings and cleanup Security: Introduce security= boot parameter James Morris (2): Tell git about security/selinux/include/audit.h security: fix up documentation for security_module_enable Documentation/kernel-parameters.txt |6 ++ include/linux/audit.h | 29 include/linux/security.h| 114 +- include/linux/selinux.h | 134 --- kernel/audit.c | 24 +++ kernel/audit.h | 25 --- kernel/auditfilter.c| 99 ++ kernel/auditsc.c| 74 ++- net/netlink/af_netlink.c|3 +- security/dummy.c| 51 +- security/security.c | 73 +++- security/selinux/exports.c | 42 --- security/selinux/hooks.c| 34 - security/selinux/include/audit.h| 65 + security/selinux/ss/services.c | 45 +--- security/smack/smack.h |2 + security/smack/smack_lsm.c |7 ++- security/smack/smackfs.c| 11 +++- 18 files changed, 503 insertions(+), 335 deletions(-) create mode 100644 security/selinux/include/audit.h -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[PATCH 06/12] LSM/Audit: Introduce generic Audit LSM hooks
From: Ahmed S. Darwish [EMAIL PROTECTED]
Introduce a generic Audit interface for security modules
by adding the following new LSM hooks:
audit_rule_init(field, op, rulestr, lsmrule)
audit_rule_known(krule)
audit_rule_match(secid, field, op, rule, actx)
audit_rule_free(rule)
Those hooks are only available if CONFIG_AUDIT is enabled.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
Reviewed-by: Paul Moore [EMAIL PROTECTED]
---
include/linux/security.h | 72 ++
security/dummy.c | 31 +++-
security/security.c | 25
3 files changed, 127 insertions(+), 1 deletions(-)
diff --git a/include/linux/security.h b/include/linux/security.h
index 45717d9..697f228 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -37,6 +37,7 @@
extern unsigned securebits;
struct ctl_table;
+struct audit_krule;
/*
* These functions are in security/capability.c and are used
@@ -1235,6 +1236,37 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
* @secdata contains the security context.
* @seclen contains the length of the security context.
*
+ * Security hooks for Audit
+ *
+ * @audit_rule_init:
+ * Allocate and initialize an LSM audit rule structure.
+ * @field contains the required Audit action. Fields flags are defined in
include/linux/audit.h
+ * @op contains the operator the rule uses.
+ * @rulestr contains the context where the rule will be applied to.
+ * @lsmrule contains a pointer to receive the result.
+ * Return 0 if @lsmrule has been successfully set,
+ * -EINVAL in case of an invalid rule.
+ *
+ * @audit_rule_known:
+ * Specifies whether given @rule contains any fields related to current
LSM.
+ * @rule contains the audit rule of interest.
+ * Return 1 in case of relation found, 0 otherwise.
+ *
+ * @audit_rule_match:
+ * Determine if given @secid matches a rule previously approved
+ * by @audit_rule_known.
+ * @secid contains the security id in question.
+ * @field contains the field which relates to current LSM.
+ * @op contains the operator that will be used for matching.
+ * @rule points to the audit rule that will be checked against.
+ * @actx points to the audit context associated with the check.
+ * Return 1 if secid matches the rule, 0 if it does not, -ERRNO on failure.
+ *
+ * @audit_rule_free:
+ * Deallocate the LSM audit rule structure previously allocated by
+ * audit_rule_init.
+ * @rule contains the allocated rule
+ *
* This is the main security structure.
*/
struct security_operations {
@@ -1494,6 +1526,13 @@ struct security_operations {
#endif /* CONFIG_KEYS */
+#ifdef CONFIG_AUDIT
+ int (*audit_rule_init)(u32 field, u32 op, char *rulestr, void
**lsmrule);
+ int (*audit_rule_known)(struct audit_krule *krule);
+ int (*audit_rule_match)(u32 secid, u32 field, u32 op, void *lsmrule,
+ struct audit_context *actx);
+ void (*audit_rule_free)(void *lsmrule);
+#endif /* CONFIG_AUDIT */
};
/* prototypes */
@@ -2700,5 +2739,38 @@ static inline int security_key_permission(key_ref_t
key_ref,
#endif
#endif /* CONFIG_KEYS */
+#ifdef CONFIG_AUDIT
+#ifdef CONFIG_SECURITY
+int security_audit_rule_init(u32 field, u32 op, char *rulestr, void **lsmrule);
+int security_audit_rule_known(struct audit_krule *krule);
+int security_audit_rule_match(u32 secid, u32 field, u32 op, void *lsmrule,
+ struct audit_context *actx);
+void security_audit_rule_free(void *lsmrule);
+
+#else
+
+static inline int security_audit_rule_init(u32 field, u32 op, char *rulestr,
+ void **lsmrule)
+{
+ return 0;
+}
+
+static inline int security_audit_rule_known(struct audit_krule *krule)
+{
+ return 0;
+}
+
+static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+ void *lsmrule, struct audit_context *actx)
+{
+ return 0;
+}
+
+static inline void security_audit_rule_free(void *lsmrule)
+{ }
+
+#endif /* CONFIG_SECURITY */
+#endif /* CONFIG_AUDIT */
+
#endif /* ! __LINUX_SECURITY_H */
diff --git a/security/dummy.c b/security/dummy.c
index fb2e942..1ac9f8e 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -993,6 +993,30 @@ static inline int dummy_key_permission(key_ref_t key_ref,
}
#endif /* CONFIG_KEYS */
+#ifdef CONFIG_AUDIT
+static inline int dummy_audit_rule_init(u32 field, u32 op, char *rulestr,
+ void **lsmrule)
+{
+ return 0;
+}
+
+static inline int dummy_audit_rule_known(struct audit_krule *krule)
+{
+ return 0;
+}
+
+static inline int dummy_audit_rule_match(u32 secid, u32 field, u32 op,
+void *lsmrule
[PATCH 08/12] SELinux: use new audit hooks, remove redundant exports
From: Ahmed S. Darwish [EMAIL PROTECTED]
Setup the new Audit LSM hooks for SELinux.
Remove the now redundant exported SELinux Audit interface.
Audit: Export 'audit_krule' and 'audit_field' to the public
since their internals are needed by the implementation of the
new LSM hook 'audit_rule_known'.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
---
include/linux/audit.h | 29
include/linux/selinux.h| 72
kernel/audit.h | 25 --
security/selinux/hooks.c |8
security/selinux/ss/services.c | 45 +++--
5 files changed, 71 insertions(+), 108 deletions(-)
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 2af9ec0..04869c9 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -353,6 +353,33 @@ struct netlink_skb_parms;
struct linux_binprm;
struct mq_attr;
struct mqstat;
+struct audit_watch;
+struct audit_tree;
+
+struct audit_krule {
+ int vers_ops;
+ u32 flags;
+ u32 listnr;
+ u32 action;
+ u32 mask[AUDIT_BITMASK_SIZE];
+ u32 buflen; /* for data alloc on list rules */
+ u32 field_count;
+ char*filterkey; /* ties events to rules */
+ struct audit_field *fields;
+ struct audit_field *arch_f; /* quick access to arch field */
+ struct audit_field *inode_f; /* quick access to an inode field */
+ struct audit_watch *watch; /* associated watch */
+ struct audit_tree *tree; /* associated watched tree */
+ struct list_headrlist; /* entry in audit_{watch,tree}.rules
list */
+};
+
+struct audit_field {
+ u32 type;
+ u32 val;
+ u32 op;
+ char*se_str;
+ void*se_rule;
+};
#define AUDITSC_INVALID 0
#define AUDITSC_SUCCESS 1
@@ -536,6 +563,8 @@ extern void audit_log_d_path(struct
audit_buffer *ab,
const char *prefix,
struct path *path);
extern voidaudit_log_lost(const char *message);
+extern int audit_update_lsm_rules(void);
+
/* Private API (for audit.c only) */
extern int audit_filter_user(struct netlink_skb_parms *cb, int type);
extern int audit_filter_type(int type);
diff --git a/include/linux/selinux.h b/include/linux/selinux.h
index 24b0af1..20f965d 100644
--- a/include/linux/selinux.h
+++ b/include/linux/selinux.h
@@ -21,54 +21,6 @@ struct kern_ipc_perm;
#ifdef CONFIG_SECURITY_SELINUX
/**
- * selinux_audit_rule_init - alloc/init an selinux audit rule structure.
- * @field: the field this rule refers to
- * @op: the operater the rule uses
- * @rulestr: the text target of the rule
- * @rule: pointer to the new rule structure returned via this
- *
- * Returns 0 if successful, -errno if not. On success, the rule structure
- * will be allocated internally. The caller must free this structure with
- * selinux_audit_rule_free() after use.
- */
-int selinux_audit_rule_init(u32 field, u32 op, char *rulestr,
-struct selinux_audit_rule **rule);
-
-/**
- * selinux_audit_rule_free - free an selinux audit rule structure.
- * @rule: pointer to the audit rule to be freed
- *
- * This will free all memory associated with the given rule.
- * If @rule is NULL, no operation is performed.
- */
-void selinux_audit_rule_free(struct selinux_audit_rule *rule);
-
-/**
- * selinux_audit_rule_match - determine if a context ID matches a rule.
- * @sid: the context ID to check
- * @field: the field this rule refers to
- * @op: the operater the rule uses
- * @rule: pointer to the audit rule to check against
- * @actx: the audit context (can be NULL) associated with the check
- *
- * Returns 1 if the context id matches the rule, 0 if it does not, and
- * -errno on failure.
- */
-int selinux_audit_rule_match(u32 sid, u32 field, u32 op,
- struct selinux_audit_rule *rule,
- struct audit_context *actx);
-
-/**
- * selinux_audit_set_callback - set the callback for policy reloads.
- * @callback: the function to call when the policy is reloaded
- *
- * This sets the function callback function that will update the rules
- * upon policy reloads. This callback should rebuild all existing rules
- * using selinux_audit_rule_init().
- */
-void selinux_audit_set_callback(int (*callback)(void
[PATCH 10/12] Tell git about security/selinux/include/audit.h
Signed-off-by: James Morris [EMAIL PROTECTED] --- security/selinux/include/audit.h | 65 ++ 1 files changed, 65 insertions(+), 0 deletions(-) create mode 100644 security/selinux/include/audit.h diff --git a/security/selinux/include/audit.h b/security/selinux/include/audit.h new file mode 100644 index 000..6c8b9ef --- /dev/null +++ b/security/selinux/include/audit.h @@ -0,0 +1,65 @@ +/* + * SELinux support for the Audit LSM hooks + * + * Most of below header was moved from include/linux/selinux.h which + * is released under below copyrights: + * + * Author: James Morris [EMAIL PROTECTED] + * + * Copyright (C) 2005 Red Hat, Inc., James Morris [EMAIL PROTECTED] + * Copyright (C) 2006 Trusted Computer Solutions, Inc. [EMAIL PROTECTED] + * Copyright (C) 2006 IBM Corporation, Timothy R. Chavez [EMAIL PROTECTED] + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2, + * as published by the Free Software Foundation. + */ + +#ifndef _SELINUX_AUDIT_H +#define _SELINUX_AUDIT_H + +/** + * selinux_audit_rule_init - alloc/init an selinux audit rule structure. + * @field: the field this rule refers to + * @op: the operater the rule uses + * @rulestr: the text target of the rule + * @rule: pointer to the new rule structure returned via this + * + * Returns 0 if successful, -errno if not. On success, the rule structure + * will be allocated internally. The caller must free this structure with + * selinux_audit_rule_free() after use. + */ +int selinux_audit_rule_init(u32 field, u32 op, char *rulestr, void **rule); + +/** + * selinux_audit_rule_free - free an selinux audit rule structure. + * @rule: pointer to the audit rule to be freed + * + * This will free all memory associated with the given rule. + * If @rule is NULL, no operation is performed. + */ +void selinux_audit_rule_free(void *rule); + +/** + * selinux_audit_rule_match - determine if a context ID matches a rule. + * @sid: the context ID to check + * @field: the field this rule refers to + * @op: the operater the rule uses + * @rule: pointer to the audit rule to check against + * @actx: the audit context (can be NULL) associated with the check + * + * Returns 1 if the context id matches the rule, 0 if it does not, and + * -errno on failure. + */ +int selinux_audit_rule_match(u32 sid, u32 field, u32 op, void *rule, + struct audit_context *actx); + +/** + * selinux_audit_rule_known - check to see if rule contains selinux fields. + * @rule: rule to be checked + * Returns 1 if there are selinux fields specified in the rule, 0 otherwise. + */ +int selinux_audit_rule_known(struct audit_krule *krule); + +#endif /* _SELINUX_AUDIT_H */ + -- 1.5.4.2 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
[PATCH 07/12] Audit: internally use the new LSM audit hooks
From: Ahmed S. Darwish [EMAIL PROTECTED]
Convert Audit to use the new LSM Audit hooks instead of
the exported SELinux interface.
Basically, use:
security_audit_rule_init
secuirty_audit_rule_free
security_audit_rule_known
security_audit_rule_match
instad of (respectively) :
selinux_audit_rule_init
selinux_audit_rule_free
audit_rule_has_selinux
selinux_audit_rule_match
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
---
kernel/audit.c |7 +-
kernel/auditfilter.c | 61 ++
kernel/auditsc.c |9 +++
3 files changed, 22 insertions(+), 55 deletions(-)
diff --git a/kernel/audit.c b/kernel/audit.c
index 784a48e..a7b1608 100644
--- a/kernel/audit.c
+++ b/kernel/audit.c
@@ -21,7 +21,7 @@
*
* Written by Rickard E. (Rik) Faith [EMAIL PROTECTED]
*
- * Goals: 1) Integrate fully with SELinux.
+ * Goals: 1) Integrate fully with Security Modules.
* 2) Minimal run-time overhead:
* a) Minimal when syscall auditing is disabled (audit_enable=0).
* b) Small when syscall auditing is enabled and no audit record
@@ -55,7 +55,6 @@
#include net/netlink.h
#include linux/skbuff.h
#include linux/netlink.h
-#include linux/selinux.h
#include linux/inotify.h
#include linux/freezer.h
#include linux/tty.h
@@ -882,10 +881,6 @@ static int __init audit_init(void)
audit_enabled = audit_default;
audit_ever_enabled |= !!audit_default;
- /* Register the callback with selinux. This callback will be invoked
-* when a new policy is loaded. */
- selinux_audit_set_callback(selinux_audit_rule_update);
-
audit_log(NULL, GFP_KERNEL, AUDIT_KERNEL, initialized);
#ifdef CONFIG_AUDITSYSCALL
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index 35e58a1..7c69cb5 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -29,7 +29,6 @@
#include linux/sched.h
#include linux/inotify.h
#include linux/security.h
-#include linux/selinux.h
#include audit.h
/*
@@ -39,7 +38,7 @@
* Synchronizes writes and blocking reads of audit's filterlist
* data. Rcu is used to traverse the filterlist and access
* contents of structs audit_entry, audit_watch and opaque
- * selinux rules during filtering. If modified, these structures
+ * LSM rules during filtering. If modified, these structures
* must be copied and replace their counterparts in the filterlist.
* An audit_parent struct is not accessed during filtering, so may
* be written directly provided audit_filter_mutex is held.
@@ -141,7 +140,7 @@ static inline void audit_free_rule(struct audit_entry *e)
for (i = 0; i e-rule.field_count; i++) {
struct audit_field *f = e-rule.fields[i];
kfree(f-se_str);
- selinux_audit_rule_free(f-se_rule);
+ security_audit_rule_free(f-se_rule);
}
kfree(e-rule.fields);
kfree(e-rule.filterkey);
@@ -598,12 +597,12 @@ static struct audit_entry *audit_data_to_entry(struct
audit_rule_data *data,
goto exit_free;
entry-rule.buflen += f-val;
- err = selinux_audit_rule_init(f-type, f-op, str,
- f-se_rule);
+ err = security_audit_rule_init(f-type, f-op, str,
+ (void **)f-se_rule);
/* Keep currently invalid fields around in case they
* become valid after a policy reload. */
if (err == -EINVAL) {
- printk(KERN_WARNING audit rule for selinux
+ printk(KERN_WARNING audit rule for LSM
\'%s\' is invalid\n, str);
err = 0;
}
@@ -863,9 +862,9 @@ out:
return new;
}
-/* Duplicate selinux field information. The se_rule is opaque, so must be
+/* Duplicate LSM field information. The se_rule is opaque, so must be
* re-initialized. */
-static inline int audit_dupe_selinux_field(struct audit_field *df,
+static inline int audit_dupe_lsm_field(struct audit_field *df,
struct audit_field *sf)
{
int ret = 0;
@@ -878,12 +877,12 @@ static inline int audit_dupe_selinux_field(struct
audit_field *df,
df-se_str = se_str;
/* our own (refreshed) copy of se_rule */
- ret = selinux_audit_rule_init(df-type, df-op, df-se_str,
- df-se_rule);
+ ret = security_audit_rule_init(df-type, df-op, df-se_str,
+ (void **)df
[PATCH 11/12] Security: Introduce security= boot parameter
From: Ahmed S. Darwish [EMAIL PROTECTED]
Add the security= boot parameter. This is done to avoid LSM
registration clashes in case of more than one bult-in module.
User can choose a security module to enable at boot. If no
security= boot parameter is specified, only the first LSM
asking for registration will be loaded. An invalid security
module name will be treated as if no module has been chosen.
LSM modules must check now if they are allowed to register
by calling security_module_enable(ops) first. Modify SELinux
and SMACK to do so.
Do not let SMACK register smackfs if it was not chosen on
boot. Smackfs assumes that smack hooks are registered and
the initial task security setup (swapper-security) is done.
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
---
Documentation/kernel-parameters.txt |6 +
include/linux/security.h| 12 +++
security/dummy.c|4 ++-
security/security.c | 38 ++-
security/selinux/hooks.c|7 ++
security/smack/smack.h |2 +
security/smack/smack_lsm.c |7 +-
security/smack/smackfs.c| 11 +-
8 files changed, 83 insertions(+), 4 deletions(-)
diff --git a/Documentation/kernel-parameters.txt
b/Documentation/kernel-parameters.txt
index dafd001..436790f 100644
--- a/Documentation/kernel-parameters.txt
+++ b/Documentation/kernel-parameters.txt
@@ -366,6 +366,12 @@ and is between 256 and 4096 characters. It is defined in
the file
possible to determine what the correct size should be.
This option provides an override for these situations.
+ security= [SECURITY] Choose a security module to enable at boot.
+ If this boot parameter is not specified, only the first
+ security module asking for security registration will be
+ loaded. An invalid security module name will be treated
+ as if no module has been chosen.
+
capability.disable=
[SECURITY] Disable capabilities. This would normally
be used only if an alternative security model is to be
diff --git a/include/linux/security.h b/include/linux/security.h
index 697f228..f4116d6 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -36,6 +36,9 @@
extern unsigned securebits;
+/* Maximum number of letters for an LSM name string */
+#define SECURITY_NAME_MAX 10
+
struct ctl_table;
struct audit_krule;
@@ -137,6 +140,12 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
/**
* struct security_operations - main security structure
*
+ * Security module identifier.
+ *
+ * @name:
+ * A string that acts as a unique identifeir for the LSM with max number
+ * of characters = SECURITY_NAME_MAX.
+ *
* Security hooks for program execution operations.
*
* @bprm_alloc_security:
@@ -1270,6 +1279,8 @@ static inline void security_free_mnt_opts(struct
security_mnt_opts *opts)
* This is the main security structure.
*/
struct security_operations {
+ char name[SECURITY_NAME_MAX + 1];
+
int (*ptrace) (struct task_struct * parent, struct task_struct * child);
int (*capget) (struct task_struct * target,
kernel_cap_t * effective,
@@ -1537,6 +1548,7 @@ struct security_operations {
/* prototypes */
extern int security_init (void);
+extern int security_module_enable(struct security_operations *ops);
extern int register_security (struct security_operations *ops);
extern int mod_reg_security(const char *name, struct security_operations
*ops);
extern struct dentry *securityfs_create_file(const char *name, mode_t mode,
diff --git a/security/dummy.c b/security/dummy.c
index 1ac9f8e..374d2ae 100644
--- a/security/dummy.c
+++ b/security/dummy.c
@@ -1017,7 +1017,9 @@ static inline void dummy_audit_rule_free(void *lsmrule)
#endif /* CONFIG_AUDIT */
-struct security_operations dummy_security_ops;
+struct security_operations dummy_security_ops = {
+ .name = dummy,
+};
#define set_to_dummy_if_null(ops, function)\
do {\
diff --git a/security/security.c b/security/security.c
index bf189d2..2ed153c 100644
--- a/security/security.c
+++ b/security/security.c
@@ -17,6 +17,8 @@
#include linux/kernel.h
#include linux/security.h
+/* Boot-time LSM user choice */
+static __initdata char chosen_lsm[SECURITY_NAME_MAX + 1];
/* things that live in dummy.c */
extern struct security_operations dummy_security_ops;
@@ -67,13 +69,47 @@ int __init security_init(void)
return 0;
}
+/* Save user chosen LSM */
+static int __init choose_lsm(char *str)
+{
+ strncpy(chosen_lsm, str, SECURITY_NAME_MAX
[PATCH 12/12] security: fix up documentation for security_module_enable
security_module_enable() can only be called during kernel init. Signed-off-by: James Morris [EMAIL PROTECTED] --- security/security.c |2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/security/security.c b/security/security.c index 2ed153c..7787c59 100644 --- a/security/security.c +++ b/security/security.c @@ -83,7 +83,7 @@ __setup(security=, choose_lsm); * * Each LSM must pass this method before registering its own operations * to avoid security registration races. This method may also be used - * to check if your LSM is currently loaded. + * to check if your LSM is currently loaded during kernel initialization. * * Return true if: * -The passed LSM is the one chosen by user at boot time, -- 1.5.4.2 -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 10/12] Tell git about security/selinux/include/audit.h
On Thu, 17 Apr 2008, Greg KH wrote: On Thu, Apr 17, 2008 at 11:06:07AM +, James Morris wrote: Signed-off-by: James Morris [EMAIL PROTECTED] --- security/selinux/include/audit.h | 65 ++ Shouldn't this be merged with the previous patch that needed this? Good thinking. -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 7/9] Audit: internally use the new LSM audit hooks
On Tue, 4 Mar 2008, Ahmed S. Darwish wrote: Yes, it's something weird. I've generated all of those diffstats (including the right ones) in the same way. Luckily the problem is reproduceable, I'll check the latest upstream diffstat version and see what happens. git-format-patch should just work. -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 7/9] Audit: internally use the new LSM audit hooks
On Mon, 3 Mar 2008, Paul Moore wrote: I've looked over patches #7, #8, and #9 and they look okay to me, but I'm not tagging them 'Reviewed-by' because they go beyond areas of the kernel that I feel comfortable reviewing at this point. Indeed, deep audit patches need to be acked by the likes of Al Viro (cc'd, who possibly should also be added to the MAINTAINERS entry for audit). - James -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 2/9] SELinux: setup new inode/ipc getsecid hooks
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Setup the new inode_getsecid and ipc_getsecid() LSM hooks for SELinux. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 3/9] Audit: use new LSM hooks instead of SELinux exports
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Stop using the following exported SELinux interfaces: selinux_get_inode_sid(inode, sid) selinux_get_ipc_sid(ipcp, sid) selinux_get_task_sid(tsk, sid) selinux_sid_to_string(sid, ctx, len) kfree(ctx) and use following generic LSM equivalents respectively: security_inode_getsecid(inode, secid) security_ipc_getsecid*(ipcp, secid) security_task_getsecid(tsk, secid) security_sid_to_secctx(sid, ctx, len) security_release_secctx(ctx, len) Call security_release_secctx only if security_secid_to_secctx succeeded. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 4/9] Netlink: Use generic LSM hook
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Don't use SELinux exported selinux_get_task_sid symbol. Use the generic LSM equivalent instead. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 5/9] SELinux: remove redundant exports
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Remove the following exported SELinux interfaces: selinux_get_inode_sid(inode, sid) selinux_get_ipc_sid(ipcp, sid) selinux_get_task_sid(tsk, sid) selinux_sid_to_string(sid, ctx, len) They can be substitued with the following generic equivalents respectively: new LSM hook, inode_getsecid(inode, secid) new LSM hook, ipc_getsecid*(ipcp, secid) LSM hook, task_getsecid(tsk, secid) LSM hook, sid_to_secctx(sid, ctx, len) Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 6/9] LSM/Audit: Introduce generic Audit LSM hooks
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Introduce a generic Audit interface for security modules by adding the following new LSM hooks: audit_rule_init(field, op, rulestr, lsmrule) audit_rule_known(krule) audit_rule_match(secid, field, op, rule, actx) audit_rule_free(rule) Those hooks are only available if CONFIG_AUDIT is enabled. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 7/9] Audit: internally use the new LSM audit hooks
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Convert Audit to use the new LSM Audit hooks instead of the exported SELinux interface. Basically, use: security_audit_rule_init secuirty_audit_rule_free security_audit_rule_known security_audit_rule_match instad of (respectively) : selinux_audit_rule_init selinux_audit_rule_free audit_rule_has_selinux selinux_audit_rule_match Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 8/9] SELinux: use new audit hooks, remove redundant exports
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Setup the new Audit LSM hooks for SELinux. Remove the now redundant exported SELinux Audit interface. Audit: Export 'audit_krule' and 'audit_field' to the public since their internals are needed by the implementation of the new LSM hook 'audit_rule_known'. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 9/9] Audit: Final renamings and cleanup
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote: Rename the se_str and se_rule audit fields elements to lsm_str and lsm_rule to avoid confusion. Signed-off-by: Casey Schaufler [EMAIL PROTECTED] Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 1/9] LSM: Introduce inode_getsecid and ipc_getsecid hooks
On Sat, 1 Mar 2008, Ahmed S. Darwish wrote:
Introduce inode_getsecid(inode, secid) and ipc_getsecid(ipcp, secid)
LSM hooks. These hooks will be used instead of similar exported
SELinux interfaces.
Let {inode,ipc,task}_getsecid hooks set the secid to 0 by default
if CONFIG_SECURITY is not defined or if the hook is set to
NULL (dummy). This is done to notify the caller that no valid
secid exists.
Signed-off-by: Casey Schaufler [EMAIL PROTECTED]
Signed-off-by: Ahmed S. Darwish [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
--
James Morris
[EMAIL PROTECTED]
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH 1/3] XFRM: Assorted IPsec fixups
On Thu, 20 Dec 2007, Paul Moore wrote:
This patch fixes a number of small but potentially troublesome things in the
XFRM/IPsec code:
* Use the 'audit_enabled' variable already in include/linux/audit.h
Removed the need for extern declarations local to each XFRM audit fuction
* Convert 'sid' to 'secid' everywhere we can
The 'sid' name is specific to SELinux, 'secid' is the common naming
convention used by the kernel when refering to tokenized LSM labels,
unfortunately we have to leave 'ctx_sid' in 'struct xfrm_sec_ctx' otherwise
we risk breaking userspace
* Convert address display to use standard NIP* macros
Similar to what was recently done with the SPD audit code, this also also
includes the removal of some unnecessary memcpy() calls
* Move common code to xfrm_audit_common_stateinfo()
Code consolidation from the less is more book on software development
* Proper spacing around commas in function arguments
Minor style tweak since I was already touching the code
Signed-off-by: Paul Moore [EMAIL PROTECTED]
Acked-by: James Morris [EMAIL PROTECTED]
---
include/net/xfrm.h | 14 ++---
net/xfrm/xfrm_policy.c | 15 ++
net/xfrm/xfrm_state.c | 53
3 files changed, 36 insertions(+), 46 deletions(-)
diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 32b99e2..ac6cf09 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -548,7 +548,7 @@ struct xfrm_audit
};
#ifdef CONFIG_AUDITSYSCALL
-static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 sid)
+static inline struct audit_buffer *xfrm_audit_start(u32 auid, u32 secid)
{
struct audit_buffer *audit_buf = NULL;
char *secctx;
@@ -561,8 +561,8 @@ static inline struct audit_buffer *xfrm_audit_start(u32
auid, u32 sid)
audit_log_format(audit_buf, auid=%u, auid);
- if (sid != 0
- security_secid_to_secctx(sid, secctx, secctx_len) == 0) {
+ if (secid != 0
+ security_secid_to_secctx(secid, secctx, secctx_len) == 0) {
audit_log_format(audit_buf, subj=%s, secctx);
security_release_secctx(secctx, secctx_len);
} else
@@ -571,13 +571,13 @@ static inline struct audit_buffer *xfrm_audit_start(u32
auid, u32 sid)
}
extern void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
- u32 auid, u32 sid);
+ u32 auid, u32 secid);
extern void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
- u32 auid, u32 sid);
+ u32 auid, u32 secid);
extern void xfrm_audit_state_add(struct xfrm_state *x, int result,
- u32 auid, u32 sid);
+ u32 auid, u32 secid);
extern void xfrm_audit_state_delete(struct xfrm_state *x, int result,
- u32 auid, u32 sid);
+ u32 auid, u32 secid);
#else
#define xfrm_audit_policy_add(x, r, a, s)do { ; } while (0)
#define xfrm_audit_policy_delete(x, r, a, s) do { ; } while (0)
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d2084b1..c8f0656 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -24,6 +24,7 @@
#include linux/netfilter.h
#include linux/module.h
#include linux/cache.h
+#include linux/audit.h
#include net/dst.h
#include net/xfrm.h
#include net/ip.h
@@ -2317,15 +2318,14 @@ static inline void
xfrm_audit_common_policyinfo(struct xfrm_policy *xp,
}
}
-void
-xfrm_audit_policy_add(struct xfrm_policy *xp, int result, u32 auid, u32 sid)
+void xfrm_audit_policy_add(struct xfrm_policy *xp, int result,
+u32 auid, u32 secid)
{
struct audit_buffer *audit_buf;
- extern int audit_enabled;
if (audit_enabled == 0)
return;
- audit_buf = xfrm_audit_start(sid, auid);
+ audit_buf = xfrm_audit_start(auid, secid);
if (audit_buf == NULL)
return;
audit_log_format(audit_buf, op=SPD-add res=%u, result);
@@ -2334,15 +2334,14 @@ xfrm_audit_policy_add(struct xfrm_policy *xp, int
result, u32 auid, u32 sid)
}
EXPORT_SYMBOL_GPL(xfrm_audit_policy_add);
-void
-xfrm_audit_policy_delete(struct xfrm_policy *xp, int result, u32 auid, u32
sid)
+void xfrm_audit_policy_delete(struct xfrm_policy *xp, int result,
+ u32 auid, u32 secid)
{
struct audit_buffer *audit_buf;
- extern int audit_enabled;
if (audit_enabled == 0)
return;
- audit_buf = xfrm_audit_start(sid, auid);
+ audit_buf = xfrm_audit_start(auid, secid);
if (audit_buf == NULL)
return;
audit_log_format(audit_buf, op=SPD-delete res=%u, result);
diff --git a/net/xfrm/xfrm_state.c b/net/xfrm
Re: [PATCH]: revised make xfrm_audit_log more generic patch
On Mon, 23 Jul 2007, Joy Latten wrote: Revised patch that modifies xfrm_audit_log() such that it can accomodate auditing other ipsec events besides add/delete of an SA or SPD entry. This patch differs from original in that it does not remove existing ipsec audit defines so as to not break existing audit apps. This is a small change to accomodate updating ipsec protocol to RFCs 4301, 4302 and 4303 which require auditing some ipsec events if auditing is available. Please let me know if ok. Regards, Joy Signed-off-by: Joy Latten [EMAIL PROTECTED] Acked-by: James Morris [EMAIL PROTECTED] -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: [PATCH] make xfrm_audit_log more generic
On Thu, 19 Jul 2007, Joy Latten wrote: --- linux-2.6.22/include/linux/audit.h2007-07-19 13:17:22.0 -0500 +++ linux-2.6.22.patch/include/linux/audit.h 2007-07-19 13:21:29.0 -0500 @@ -108,10 +108,7 @@ #define AUDIT_MAC_CIPSOV4_DEL1408/* NetLabel: del CIPSOv4 DOI entry */ #define AUDIT_MAC_MAP_ADD1409/* NetLabel: add LSM domain mapping */ #define AUDIT_MAC_MAP_DEL1410/* NetLabel: del LSM domain mapping */ -#define AUDIT_MAC_IPSEC_ADDSA1411/* Add a XFRM state */ -#define AUDIT_MAC_IPSEC_DELSA1412/* Delete a XFRM state */ -#define AUDIT_MAC_IPSEC_ADDSPD 1413/* Add a XFRM policy */ -#define AUDIT_MAC_IPSEC_DELSPD 1414/* Delete a XFRM policy */ +#define AUDIT_MAC_IPSEC_EVENT1411/* Audit IPSec events */ Will this cause existing applications to break? - James -- James Morris [EMAIL PROTECTED] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
Re: audit-ptrace patch (untested)
On Mon, 12 Mar 2007, Alexander Viro wrote:
OK, you've convinced me - I'm switching to selinux-specific ones
in kernel/auditsc.c. Updated patch follows, should fix 228409 and
228384.
Al, I think this needs to go into Linus' tree and -stable to fix the
crash. Do you want to forward it to Linus ? (I could, but it's a large
patch for a bugfix and he'd probably be happier seeing it from you at
this point in the development cycle).
Acked-by: James Morris [EMAIL PROTECTED]
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 4f5745a..6bbfe91 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -1558,29 +1558,20 @@ static ssize_t proc_pid_attr_read(struct file * file,
char __user * buf,
size_t count, loff_t *ppos)
{
struct inode * inode = file-f_path.dentry-d_inode;
- unsigned long page;
+ char *p = NULL;
ssize_t length;
struct task_struct *task = get_proc_task(inode);
- length = -ESRCH;
if (!task)
- goto out_no_task;
-
- if (count PAGE_SIZE)
- count = PAGE_SIZE;
- length = -ENOMEM;
- if (!(page = __get_free_page(GFP_KERNEL)))
- goto out;
+ return -ESRCH;
length = security_getprocattr(task,
(char*)file-f_path.dentry-d_name.name,
- (void*)page, count);
- if (length = 0)
- length = simple_read_from_buffer(buf, count, ppos, (char
*)page, length);
- free_page(page);
-out:
+ p);
put_task_struct(task);
-out_no_task:
+ if (length 0)
+ length = simple_read_from_buffer(buf, count, ppos, p, length);
+ kfree(p);
return length;
}
diff --git a/include/linux/audit.h b/include/linux/audit.h
index 229fa01..31b0f40 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -90,6 +90,7 @@
#define AUDIT_MQ_GETSETATTR 1315/* POSIX MQ get/set attribute record
type */
#define AUDIT_KERNEL_OTHER 1316/* For use by 3rd party modules */
#define AUDIT_FD_PAIR1317/* audit record for
pipe/socketpair */
+#define AUDIT_OBJ_PID1318/* ptrace target */
#define AUDIT_AVC1400/* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR1401/* Internal SE Linux Errors */
@@ -351,6 +352,8 @@ extern void __audit_inode(const char *name, const struct
inode *inode);
extern void __audit_inode_child(const char *dname, const struct inode *inode,
const struct inode *parent);
extern void __audit_inode_update(const struct inode *inode);
+extern void __audit_ptrace(struct task_struct *t);
+
static inline int audit_dummy_context(void)
{
void *p = current-audit_context;
@@ -376,6 +379,12 @@ static inline void audit_inode_update(const struct inode
*inode) {
__audit_inode_update(inode);
}
+static inline void audit_ptrace(struct task_struct *t)
+{
+ if (unlikely(!audit_dummy_context()))
+ __audit_ptrace(t);
+}
+
/* Private API (for audit.c only) */
extern unsigned int audit_serial(void);
extern void auditsc_get_stamp(struct audit_context *ctx,
@@ -476,6 +485,7 @@ extern int audit_n_rules;
#define audit_mq_timedreceive(d,l,p,t) ({ 0; })
#define audit_mq_notify(d,n) ({ 0; })
#define audit_mq_getsetattr(d,s) ({ 0; })
+#define audit_ptrace(t) ((void)0)
#define audit_n_rules 0
#endif
diff --git a/include/linux/security.h b/include/linux/security.h
index 7f88d97..47e82c1 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1324,7 +1324,7 @@ struct security_operations {
void (*d_instantiate) (struct dentry *dentry, struct inode *inode);
- int (*getprocattr)(struct task_struct *p, char *name, void *value,
size_t size);
+ int (*getprocattr)(struct task_struct *p, char *name, char **value);
int (*setprocattr)(struct task_struct *p, char *name, void *value,
size_t size);
int (*secid_to_secctx)(u32 secid, char **secdata, u32 *seclen);
void (*release_secctx)(char *secdata, u32 seclen);
@@ -2092,9 +2092,9 @@ static inline void security_d_instantiate (struct
dentry *dentry, struct inode *
security_ops-d_instantiate (dentry, inode);
}
-static inline int security_getprocattr(struct task_struct *p, char *name,
void *value, size_t size)
+static inline int security_getprocattr(struct task_struct *p, char *name,
char **value)
{
- return security_ops-getprocattr(p, name, value, size);
+ return security_ops-getprocattr(p, name, value);
}
static inline int security_setprocattr(struct task_struct *p, char *name,
void *value, size_t size)
@@ -2749,7 +2749,7 @@ static inline int security_sem_semop (struct sem_array
* sma,
static inline void security_d_instantiate (struct
