mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-01 09:09:47 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

audit: add record for multiple task security contexts

Browse source 
Replace the single skb pointer in an audit_buffer with a list of
skb pointers. Add the audit_stamp information to the audit_buffer as
there's no guarantee that there will be an audit_context containing
the stamp associated with the event. At audit_log_end() time create
auxiliary records as have been added to the list. Functions are
created to manage the skb list in the audit_buffer.

Create a new audit record AUDIT_MAC_TASK_CONTEXTS.
An example of the MAC_TASK_CONTEXTS record is:

    type=MAC_TASK_CONTEXTS
      msg=audit(1600880931.832:113)
      subj_apparmor=unconfined
      subj_smack=_

When an audit event includes a AUDIT_MAC_TASK_CONTEXTS record the
"subj=" field in other records in the event will be "subj=?".
An AUDIT_MAC_TASK_CONTEXTS record is supplied when the system has
multiple security modules that may make access decisions based on a
subject security context.

Refactor audit_log_task_context(), creating a new audit_log_subj_ctx().
This is used in netlabel auditing to provide multiple subject security
contexts as necessary.

Suggested-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
[PM: subj tweak, audit example readability indents]
Signed-off-by: Paul Moore <paul@paul-moore.com>
This commit is contained in:
Casey Schaufler 2025-08-16 10:28:58 -07:00 committed by Paul Moore
parent a59076f266
commit eb59d494ee
7 changed files with 203 additions and 42 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

16
include/linux/audit.h
View file

@ -37,6 +37,8 @@ struct audit_watch;
struct audit_tree;
struct sk_buff;
struct kern_ipc_perm;
struct lsm_id;
struct lsm_prop;
struct audit_krule {
u32 pflags;
@ -147,6 +149,9 @@ extern unsigned compat_signal_class[];
#define AUDIT_TTY_ENABLE BIT(0)
#define AUDIT_TTY_LOG_PASSWD BIT(1)
/* bit values for audit_cfg_lsm */
#define AUDIT_CFG_LSM_SECCTX_SUBJECT BIT(0)
struct filename;
#define AUDIT_OFF 0
@ -185,6 +190,7 @@ extern void audit_log_path_denied(int type,
const char *operation);
extern void audit_log_lost(const char *message);
extern int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop);
extern int audit_log_task_context(struct audit_buffer *ab);
extern void audit_log_task_info(struct audit_buffer *ab);
@ -210,6 +216,8 @@ extern u32 audit_enabled;
extern int audit_signal_info(int sig, struct task_struct *t);
extern void audit_cfg_lsm(const struct lsm_id *lsmid, int flags);
#else /* CONFIG_AUDIT */
static inline __printf(4, 5)
void audit_log(struct audit_context *ctx, gfp_t gfp_mask, int type,
@ -245,6 +253,11 @@ static inline void audit_log_key(struct audit_buffer *ab, char *key)
{ }
static inline void audit_log_path_denied(int type, const char *operation)
{ }
static inline int audit_log_subj_ctx(struct audit_buffer *ab,
struct lsm_prop *prop)
{
return 0;
}
static inline int audit_log_task_context(struct audit_buffer *ab)
{
return 0;
@ -269,6 +282,9 @@ static inline int audit_signal_info(int sig, struct task_struct *t)
return 0;
}
static inline void audit_cfg_lsm(const struct lsm_id *lsmid, int flags)
{ }
#endif /* CONFIG_AUDIT */
#ifdef CONFIG_AUDIT_COMPAT_GENERIC

1
include/uapi/linux/audit.h
View file

@ -148,6 +148,7 @@
#define AUDIT_IPE_POLICY_LOAD 1422 /* IPE policy load */
#define AUDIT_LANDLOCK_ACCESS 1423 /* Landlock denial */
#define AUDIT_LANDLOCK_DOMAIN 1424 /* Landlock domain status */
#define AUDIT_MAC_TASK_CONTEXTS 1425 /* Multiple LSM task contexts */
#define AUDIT_FIRST_KERN_ANOM_MSG 1700
#define AUDIT_LAST_KERN_ANOM_MSG 1799

210
kernel/audit.c
View file

@ -54,6 +54,7 @@
#include <net/netlink.h>
#include <linux/skbuff.h>
#include <linux/security.h>
#include <linux/lsm_hooks.h>
#include <linux/freezer.h>
#include <linux/pid_namespace.h>
#include <net/netns/generic.h>
@ -81,6 +82,11 @@ static u32 audit_failure = AUDIT_FAIL_PRINTK;
/* private audit network namespace index */
static unsigned int audit_net_id;
/* Number of modules that provide a security context.
List of lsms that provide a security context */
static u32 audit_subj_secctx_cnt;
static const struct lsm_id *audit_subj_lsms[MAX_LSM_COUNT];
/**
* struct audit_net - audit private network namespace data
* @sk: communication socket
@ -195,8 +201,10 @@ static struct audit_ctl_mutex {
* to place it on a transmit queue. Multiple audit_buffers can be in
* use simultaneously. */
struct audit_buffer {
struct sk_buff *skb; /* formatted skb ready to send */
struct sk_buff *skb; /* the skb for audit_log functions */
struct sk_buff_head skb_list; /* formatted skbs, ready to send */
struct audit_context *ctx; /* NULL or associated context */
struct audit_stamp stamp; /* audit stamp for these records */
gfp_t gfp_mask;
};
@ -278,6 +286,27 @@ static pid_t auditd_pid_vnr(void)
return pid;
}
/**
* audit_cfg_lsm - Identify a security module as providing a secctx.
* @lsmid: LSM identity
* @flags: which contexts are provided
*
* Description:
* Increments the count of the security modules providing a secctx.
* If the LSM id is already in the list leave it alone.
*/
void audit_cfg_lsm(const struct lsm_id *lsmid, int flags)
{
int i;
if (flags & AUDIT_CFG_LSM_SECCTX_SUBJECT) {
for (i = 0 ; i < audit_subj_secctx_cnt; i++)
if (audit_subj_lsms[i] == lsmid)
return;
audit_subj_lsms[audit_subj_secctx_cnt++] = lsmid;
}
}
/**
* audit_get_sk - Return the audit socket for the given network namespace
* @net: the destination network namespace
@ -1776,10 +1805,13 @@ __setup("audit_backlog_limit=", audit_backlog_limit_set);
static void audit_buffer_free(struct audit_buffer *ab)
{
struct sk_buff *skb;
if (!ab)
return;
kfree_skb(ab->skb);
while ((skb = skb_dequeue(&ab->skb_list)))
kfree_skb(skb);
kmem_cache_free(audit_buffer_cache, ab);
}
@ -1795,6 +1827,10 @@ static struct audit_buffer *audit_buffer_alloc(struct audit_context *ctx,
ab->skb = nlmsg_new(AUDIT_BUFSIZ, gfp_mask);
if (!ab->skb)
goto err;
skb_queue_head_init(&ab->skb_list);
skb_queue_tail(&ab->skb_list, ab->skb);
if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
goto err;
@ -1860,7 +1896,6 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
int type)
{
struct audit_buffer *ab;
struct audit_stamp stamp;
if (audit_initialized != AUDIT_INITIALIZED)
return NULL;
@ -1915,14 +1950,14 @@ struct audit_buffer *audit_log_start(struct audit_context *ctx, gfp_t gfp_mask,
return NULL;
}
audit_get_stamp(ab->ctx, &stamp);
audit_get_stamp(ab->ctx, &ab->stamp);
/* cancel dummy context to enable supporting records */
if (ctx)
ctx->dummy = 0;
audit_log_format(ab, "audit(%llu.%03lu:%u): ",
(unsigned long long)stamp.ctime.tv_sec,
stamp.ctime.tv_nsec/1000000,
stamp.serial);
(unsigned long long)ab->stamp.ctime.tv_sec,
ab->stamp.ctime.tv_nsec/1000000,
ab->stamp.serial);
return ab;
}
@ -2178,31 +2213,128 @@ void audit_log_key(struct audit_buffer *ab, char *key)
audit_log_format(ab, "(null)");
}
int audit_log_task_context(struct audit_buffer *ab)
/**
* audit_buffer_aux_new - Add an aux record buffer to the skb list
* @ab: audit_buffer
* @type: message type
*
* Aux records are allocated and added to the skb list of
* the "main" record. The ab->skb is reset to point to the
* aux record on its creation. When the aux record in complete
* ab->skb has to be reset to point to the "main" record.
* This allows the audit_log_ functions to be ignorant of
* which kind of record it is logging to. It also avoids adding
* special data for aux records.
*
* On success ab->skb will point to the new aux record.
* Returns 0 on success, -ENOMEM should allocation fail.
*/
static int audit_buffer_aux_new(struct audit_buffer *ab, int type)
{
struct lsm_prop prop;
struct lsm_context ctx;
int error;
WARN_ON(ab->skb != skb_peek(&ab->skb_list));
security_current_getlsmprop_subj(&prop);
if (!lsmprop_is_set(&prop))
ab->skb = nlmsg_new(AUDIT_BUFSIZ, ab->gfp_mask);
if (!ab->skb)
goto err;
if (!nlmsg_put(ab->skb, 0, 0, type, 0, 0))
goto err;
skb_queue_tail(&ab->skb_list, ab->skb);
audit_log_format(ab, "audit(%llu.%03lu:%u): ",
(unsigned long long)ab->stamp.ctime.tv_sec,
ab->stamp.ctime.tv_nsec/1000000,
ab->stamp.serial);
return 0;
err:
kfree_skb(ab->skb);
ab->skb = skb_peek(&ab->skb_list);
return -ENOMEM;
}
/**
* audit_buffer_aux_end - Switch back to the "main" record from an aux record
* @ab: audit_buffer
*
* Restores the "main" audit record to ab->skb.
*/
static void audit_buffer_aux_end(struct audit_buffer *ab)
{
ab->skb = skb_peek(&ab->skb_list);
}
/**
* audit_log_subj_ctx - Add LSM subject information
* @ab: audit_buffer
* @prop: LSM subject properties.
*
* Add a subj= field and, if necessary, a AUDIT_MAC_TASK_CONTEXTS record.
*/
int audit_log_subj_ctx(struct audit_buffer *ab, struct lsm_prop *prop)
{
struct lsm_context ctx;
char *space = "";
int error;
int i;
security_current_getlsmprop_subj(prop);
if (!lsmprop_is_set(prop))
return 0;
error = security_lsmprop_to_secctx(&prop, &ctx, LSM_ID_UNDEF);
if (error < 0) {
if (error != -EINVAL)
goto error_path;
if (audit_subj_secctx_cnt < 2) {
error = security_lsmprop_to_secctx(prop, &ctx, LSM_ID_UNDEF);
if (error < 0) {
if (error != -EINVAL)
goto error_path;
return 0;
}
audit_log_format(ab, " subj=%s", ctx.context);
security_release_secctx(&ctx);
return 0;
}
/* Multiple LSMs provide contexts. Include an aux record. */
audit_log_format(ab, " subj=?");
error = audit_buffer_aux_new(ab, AUDIT_MAC_TASK_CONTEXTS);
if (error)
goto error_path;
audit_log_format(ab, " subj=%s", ctx.context);
security_release_secctx(&ctx);
for (i = 0; i < audit_subj_secctx_cnt; i++) {
error = security_lsmprop_to_secctx(prop, &ctx,
audit_subj_lsms[i]->id);
if (error < 0) {
/*
* Don't print anything. An LSM like BPF could
* claim to support contexts, but only do so under
* certain conditions.
*/
if (error == -EOPNOTSUPP)
continue;
if (error != -EINVAL)
audit_panic("error in audit_log_subj_ctx");
} else {
audit_log_format(ab, "%ssubj_%s=%s", space,
audit_subj_lsms[i]->name, ctx.context);
space = " ";
security_release_secctx(&ctx);
}
}
audit_buffer_aux_end(ab);
return 0;
error_path:
audit_panic("error in audit_log_task_context");
audit_panic("error in audit_log_subj_ctx");
return error;
}
EXPORT_SYMBOL(audit_log_subj_ctx);
int audit_log_task_context(struct audit_buffer *ab)
{
struct lsm_prop prop;
security_current_getlsmprop_subj(&prop);
return audit_log_subj_ctx(ab, &prop);
}
EXPORT_SYMBOL(audit_log_task_context);
void audit_log_d_path_exe(struct audit_buffer *ab,
@ -2411,6 +2543,26 @@ int audit_signal_info(int sig, struct task_struct *t)
return audit_signal_info_syscall(t);
}
/**
* __audit_log_end - enqueue one audit record
* @skb: the buffer to send
*/
static void __audit_log_end(struct sk_buff *skb)
{
struct nlmsghdr *nlh;
if (audit_rate_check()) {
/* setup the netlink header, see the comments in
* kauditd_send_multicast_skb() for length quirks */
nlh = nlmsg_hdr(skb);
nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
/* queue the netlink packet */
skb_queue_tail(&audit_queue, skb);
} else
audit_log_lost("rate limit exceeded");
}
/**
* audit_log_end - end one audit record
* @ab: the audit_buffer
@ -2423,25 +2575,15 @@ int audit_signal_info(int sig, struct task_struct *t)
void audit_log_end(struct audit_buffer *ab)
{
struct sk_buff *skb;
struct nlmsghdr *nlh;
if (!ab)
return;
if (audit_rate_check()) {
skb = ab->skb;
ab->skb = NULL;
while ((skb = skb_dequeue(&ab->skb_list)))
__audit_log_end(skb);
/* setup the netlink header, see the comments in
* kauditd_send_multicast_skb() for length quirks */
nlh = nlmsg_hdr(skb);
nlh->nlmsg_len = skb->len - NLMSG_HDRLEN;
/* queue the netlink packet and poke the kauditd thread */
skb_queue_tail(&audit_queue, skb);
wake_up_interruptible(&kauditd_wait);
} else
audit_log_lost("rate limit exceeded");
/* poke the kauditd thread */
wake_up_interruptible(&kauditd_wait);
audit_buffer_free(ab);
}

9
net/netlabel/netlabel_user.c
View file

@ -84,7 +84,6 @@ struct audit_buffer *netlbl_audit_start_common(int type,
struct netlbl_audit *audit_info)
{
struct audit_buffer *audit_buf;
struct lsm_context ctx;
if (audit_enabled == AUDIT_OFF)
return NULL;
@ -96,13 +95,7 @@ struct audit_buffer *netlbl_audit_start_common(int type,
audit_log_format(audit_buf, "netlabel: auid=%u ses=%u",
from_kuid(&init_user_ns, audit_info->loginuid),
audit_info->sessionid);
if (lsmprop_is_set(&audit_info->prop) &&
security_lsmprop_to_secctx(&audit_info->prop, &ctx,
LSM_ID_UNDEF) > 0) {
audit_log_format(audit_buf, " subj=%s", ctx.context);
security_release_secctx(&ctx);
}
audit_log_subj_ctx(audit_buf, &audit_info->prop);
return audit_buf;
}

3
security/apparmor/lsm.c
View file

@ -2530,6 +2530,9 @@ static int __init apparmor_init(void)
security_add_hooks(apparmor_hooks, ARRAY_SIZE(apparmor_hooks),
&apparmor_lsmid);
/* Inform the audit system that secctx is used */
audit_cfg_lsm(&apparmor_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
/* Report that AppArmor successfully initialized */
apparmor_initialized = 1;
if (aa_g_profile_mode == APPARMOR_COMPLAIN)

3
security/selinux/hooks.c
View file

@ -7618,6 +7618,9 @@ static __init int selinux_init(void)
/* Set the security state for the initial task. */
cred_init_security();
/* Inform the audit system that secctx is used */
audit_cfg_lsm(&selinux_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
default_noexec = !(VM_DATA_DEFAULT_FLAGS & VM_EXEC);
if (!default_noexec)
pr_notice("SELinux: virtual memory is executable by default\n");

3
security/smack/smack_lsm.c
View file

@ -5267,6 +5267,9 @@ static __init int smack_init(void)
/* initialize the smack_known_list */
init_smack_known_list();
/* Inform the audit system that secctx is used */
audit_cfg_lsm(&smack_lsmid, AUDIT_CFG_LSM_SECCTX_SUBJECT);
return 0;
}