diff mbox series

[v30,06/28] LSM: Use lsmblob in security_audit_rule_match

Message ID 20211124014332.36128-7-casey@schaufler-ca.com (mailing list archive)
State New, archived
Headers show
Series LSM: Module stacking for AppArmor | expand

Commit Message

Casey Schaufler Nov. 24, 2021, 1:43 a.m. UTC
Change the secid parameter of security_audit_rule_match
to a lsmblob structure pointer. Pass the entry from the
lsmblob structure for the approprite slot to the LSM hook.

Change the users of security_audit_rule_match to use the
lsmblob instead of a u32. The scaffolding function lsmblob_init()
fills the blob with the value of the old secid, ensuring that
it is available to the appropriate module hook. The sources of
the secid, security_task_getsecid() and security_inode_getsecid(),
will be converted to use the blob structure later in the series.
At the point the use of lsmblob_init() is dropped.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
Cc: linux-audit@redhat.com
---
 include/linux/security.h |  5 +++--
 kernel/auditfilter.c     |  6 ++++--
 kernel/auditsc.c         | 16 +++++++++++-----
 security/security.c      |  5 +++--
 4 files changed, 21 insertions(+), 11 deletions(-)

Comments

kernel test robot Nov. 24, 2021, 1:19 p.m. UTC | #1
Hi Casey,

I love your patch! Yet something to improve:

[auto build test ERROR on nf-next/master]
[also build test ERROR on nf/master linus/master v5.16-rc2]
[cannot apply to pcmoore-audit/next jmorris-security/next-testing next-20211124]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211124-104307
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: riscv-randconfig-r042-20211124 (https://download.01.org/0day-ci/archive/20211124/202111242150.wktMJDSN-lkp@intel.com/config)
compiler: riscv32-linux-gcc (GCC) 11.2.0
reproduce (this is a W=1 build):
        wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
        chmod +x ~/bin/make.cross
        # https://github.com/0day-ci/linux/commit/4d65fc1987e5710b2911159149f0de12d2202631
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Casey-Schaufler/integrity-disassociate-ima_filter_rule-from-security_audit_rule/20211124-104307
        git checkout 4d65fc1987e5710b2911159149f0de12d2202631
        # save the config file to linux build tree
        mkdir build_dir
        COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-11.2.0 make.cross O=build_dir ARCH=riscv SHELL=/bin/bash drivers/android/ kernel/ net/bridge/

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>

All errors (new ones prefixed by >>):

   In file included from kernel/fork.c:50:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/fork.c:161:13: warning: no previous prototype for 'arch_release_task_struct' [-Wmissing-prototypes]
     161 | void __weak arch_release_task_struct(struct task_struct *tsk)
         |             ^~~~~~~~~~~~~~~~~~~~~~~~
   kernel/fork.c:763:20: warning: no previous prototype for 'arch_task_cache_init' [-Wmissing-prototypes]
     763 | void __init __weak arch_task_cache_init(void) { }
         |                    ^~~~~~~~~~~~~~~~~~~~
--
   In file included from include/linux/perf_event.h:59,
                    from include/linux/trace_events.h:10,
                    from include/trace/syscall.h:7,
                    from include/linux/syscalls.h:88,
                    from kernel/exec_domain.c:19:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
--
   In file included from include/linux/perf_event.h:59,
                    from include/linux/trace_events.h:10,
                    from include/trace/syscall.h:7,
                    from include/linux/syscalls.h:88,
                    from kernel/exit.c:42:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/exit.c:1817:13: warning: no previous prototype for 'abort' [-Wmissing-prototypes]
    1817 | __weak void abort(void)
         |             ^~~~~
--
   In file included from include/net/scm.h:8,
                    from include/linux/netlink.h:9,
                    from include/uapi/linux/neighbour.h:6,
                    from include/linux/netdevice.h:45,
                    from include/linux/if_vlan.h:10,
                    from include/linux/filter.h:19,
                    from kernel/kallsyms.c:25:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/kallsyms.c:586:12: warning: no previous prototype for 'arch_get_kallsym' [-Wmissing-prototypes]
     586 | int __weak arch_get_kallsym(unsigned int symnum, unsigned long *value,
         |            ^~~~~~~~~~~~~~~~
   kernel/kallsyms.c:874:30: warning: 'kallsyms_proc_ops' defined but not used [-Wunused-const-variable=]
     874 | static const struct proc_ops kallsyms_proc_ops = {
         |                              ^~~~~~~~~~~~~~~~~
--
   In file included from include/linux/perf_event.h:59,
                    from include/linux/trace_events.h:10,
                    from include/trace/syscall.h:7,
                    from include/linux/syscalls.h:88,
                    from kernel/audit.c:44:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/audit.c: In function 'audit_log_vformat':
   kernel/audit.c:1926:9: warning: function 'audit_log_vformat' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    1926 |         len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args);
         |         ^~~
   kernel/audit.c:1935:17: warning: function 'audit_log_vformat' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    1935 |                 len = vsnprintf(skb_tail_pointer(skb), avail, fmt, args2);
         |                 ^~~
--
   In file included from include/linux/audit.h:14,
                    from kernel/auditfilter.c:12:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/auditfilter.c: In function 'audit_filter':
>> kernel/auditfilter.c:1376:50: error: implicit declaration of function 'security_audit_rule_match'; did you mean 'security_audit_rule_free'? [-Werror=implicit-function-declaration]
    1376 |                                         result = security_audit_rule_match(
         |                                                  ^~~~~~~~~~~~~~~~~~~~~~~~~
         |                                                  security_audit_rule_free
   cc1: some warnings being treated as errors
--
   In file included from include/linux/audit.h:14,
                    from kernel/auditsc.c:45:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/auditsc.c: In function 'audit_filter_rules':
>> kernel/auditsc.c:674:42: error: implicit declaration of function 'security_audit_rule_match'; did you mean 'security_audit_rule_free'? [-Werror=implicit-function-declaration]
     674 |                                 result = security_audit_rule_match(&blob,
         |                                          ^~~~~~~~~~~~~~~~~~~~~~~~~
         |                                          security_audit_rule_free
   cc1: some warnings being treated as errors
--
   In file included from include/net/scm.h:8,
                    from include/linux/netlink.h:9,
                    from include/uapi/linux/neighbour.h:6,
                    from include/linux/netdevice.h:45,
                    from include/linux/etherdevice.h:21,
                    from net/bridge/br_netlink_tunnel.c:11:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   net/bridge/br_netlink_tunnel.c:29:6: warning: no previous prototype for 'vlan_tunid_inrange' [-Wmissing-prototypes]
      29 | bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
         |      ^~~~~~~~~~~~~~~~~~
   net/bridge/br_netlink_tunnel.c:196:5: warning: no previous prototype for 'br_vlan_tunnel_info' [-Wmissing-prototypes]
     196 | int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
         |     ^~~~~~~~~~~~~~~~~~~
--
   In file included from include/net/scm.h:8,
                    from include/linux/netlink.h:9,
                    from include/uapi/linux/neighbour.h:6,
                    from include/linux/netdevice.h:45,
                    from include/linux/if_vlan.h:10,
                    from include/linux/filter.h:19,
                    from kernel/bpf/core.c:21:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/bpf/core.c:1368:12: warning: no previous prototype for 'bpf_probe_read_kernel' [-Wmissing-prototypes]
    1368 | u64 __weak bpf_probe_read_kernel(void *dst, u32 size, const void *unsafe_ptr)
         |            ^~~~~~~~~~~~~~~~~~~~~
--
   In file included from include/net/scm.h:8,
                    from include/linux/netlink.h:9,
                    from include/uapi/linux/neighbour.h:6,
                    from include/linux/netdevice.h:45,
                    from include/linux/if_vlan.h:10,
                    from include/linux/filter.h:19,
                    from include/linux/bpf_verifier.h:9,
                    from kernel/bpf/btf.c:19:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/bpf/btf.c: In function 'btf_seq_show':
   kernel/bpf/btf.c:5888:29: warning: function 'btf_seq_show' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    5888 |         seq_vprintf((struct seq_file *)show->target, fmt, args);
         |                             ^~~~~~~~
   kernel/bpf/btf.c: In function 'btf_snprintf_show':
   kernel/bpf/btf.c:5925:9: warning: function 'btf_snprintf_show' might be a candidate for 'gnu_printf' format attribute [-Wsuggest-attribute=format]
    5925 |         len = vsnprintf(show->target, ssnprintf->len_left, fmt, args);
         |         ^~~
--
   In file included from kernel/sched/sched.h:62,
                    from kernel/sched/core.c:13:
>> include/linux/security.h:1974:66: error: expected ';', ',' or ')' before 'secid'
    1974 | static inline int security_audit_rule_match(struct lsmblob *blob secid,
         |                                                                  ^~~~~
   kernel/sched/core.c:3439:6: warning: no previous prototype for 'sched_set_stop_task' [-Wmissing-prototypes]
    3439 | void sched_set_stop_task(int cpu, struct task_struct *stop)
         |      ^~~~~~~~~~~~~~~~~~~
..


vim +1974 include/linux/security.h

  1973	
> 1974	static inline int security_audit_rule_match(struct lsmblob *blob secid,
  1975						    u32 field, u32 op,
  1976						    struct audit_rules *lsmrules)
  1977	{
  1978		return 0;
  1979	}
  1980	

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Paul Moore Dec. 6, 2021, 2:44 a.m. UTC | #2
On Tue, Nov 23, 2021 at 8:50 PM Casey Schaufler <casey@schaufler-ca.com> wrote:
>
> Change the secid parameter of security_audit_rule_match
> to a lsmblob structure pointer. Pass the entry from the
> lsmblob structure for the approprite slot to the LSM hook.
>
> Change the users of security_audit_rule_match to use the
> lsmblob instead of a u32. The scaffolding function lsmblob_init()
> fills the blob with the value of the old secid, ensuring that
> it is available to the appropriate module hook. The sources of
> the secid, security_task_getsecid() and security_inode_getsecid(),
> will be converted to use the blob structure later in the series.
> At the point the use of lsmblob_init() is dropped.
>
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> Cc: linux-audit@redhat.com
> ---
>  include/linux/security.h |  5 +++--
>  kernel/auditfilter.c     |  6 ++++--
>  kernel/auditsc.c         | 16 +++++++++++-----
>  security/security.c      |  5 +++--
>  4 files changed, 21 insertions(+), 11 deletions(-)
>
> diff --git a/include/linux/security.h b/include/linux/security.h
> index ddd4cf48413c..d846d90f5624 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -1954,7 +1954,7 @@ static inline int security_key_getsecurity(struct key *key, char **_buffer)
>  int security_audit_rule_init(u32 field, u32 op, char *rulestr,
>                              struct audit_rules *lsmrules);
>  int security_audit_rule_known(struct audit_krule *krule);
> -int security_audit_rule_match(u32 secid, u32 field, u32 op,
> +int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
>                               struct audit_rules *lsmrules);
>  void security_audit_rule_free(struct audit_rules *lsmrules);
>
> @@ -1971,7 +1971,8 @@ static inline int security_audit_rule_known(struct audit_krule *krule)
>         return 0;
>  }
>
> -static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
> +static inline int security_audit_rule_match(struct lsmblob *blob secid,
> +                                           u32 field, u32 op,
>                                             struct audit_rules *lsmrules)
>  {
>         return 0;

Assuming you fixup the typo above that the test robot found it looks
reasonable to me.

Acked-by: Paul Moore <paul@paul-moore.com>

--
paul moore
www.paul-moore.com
diff mbox series

Patch

diff --git a/include/linux/security.h b/include/linux/security.h
index ddd4cf48413c..d846d90f5624 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -1954,7 +1954,7 @@  static inline int security_key_getsecurity(struct key *key, char **_buffer)
 int security_audit_rule_init(u32 field, u32 op, char *rulestr,
 			     struct audit_rules *lsmrules);
 int security_audit_rule_known(struct audit_krule *krule);
-int security_audit_rule_match(u32 secid, u32 field, u32 op,
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
 			      struct audit_rules *lsmrules);
 void security_audit_rule_free(struct audit_rules *lsmrules);
 
@@ -1971,7 +1971,8 @@  static inline int security_audit_rule_known(struct audit_krule *krule)
 	return 0;
 }
 
-static inline int security_audit_rule_match(u32 secid, u32 field, u32 op,
+static inline int security_audit_rule_match(struct lsmblob *blob secid,
+					    u32 field, u32 op,
 					    struct audit_rules *lsmrules)
 {
 	return 0;
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index db427e136368..ffbd8396bdc9 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -1338,6 +1338,7 @@  int audit_filter(int msgtype, unsigned int listtype)
 
 		for (i = 0; i < e->rule.field_count; i++) {
 			struct audit_field *f = &e->rule.fields[i];
+			struct lsmblob blob;
 			pid_t pid;
 			u32 sid;
 
@@ -1371,8 +1372,9 @@  int audit_filter(int msgtype, unsigned int listtype)
 				if (f->lsm_isset) {
 					security_task_getsecid_subj(current,
 								    &sid);
-					result = security_audit_rule_match(sid,
-						   f->type, f->op,
+					lsmblob_init(&blob, sid);
+					result = security_audit_rule_match(
+						   &blob, f->type, f->op,
 						   &f->lsm_rules);
 				}
 				break;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 1aa8ffdae0ad..de22e852373a 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -468,6 +468,7 @@  static int audit_filter_rules(struct task_struct *tsk,
 	const struct cred *cred;
 	int i, need_sid = 1;
 	u32 sid;
+	struct lsmblob blob;
 	unsigned int sessionid;
 
 	if (ctx && rule->prio <= ctx->prio)
@@ -669,8 +670,10 @@  static int audit_filter_rules(struct task_struct *tsk,
 					security_task_getsecid_subj(tsk, &sid);
 					need_sid = 0;
 				}
-				result = security_audit_rule_match(sid, f->type,
-							f->op, &f->lsm_rules);
+				lsmblob_init(&blob, sid);
+				result = security_audit_rule_match(&blob,
+							f->type, f->op,
+							&f->lsm_rules);
 			}
 			break;
 		case AUDIT_OBJ_USER:
@@ -683,15 +686,17 @@  static int audit_filter_rules(struct task_struct *tsk,
 			if (f->lsm_isset) {
 				/* Find files that match */
 				if (name) {
+					lsmblob_init(&blob, name->osid);
 					result = security_audit_rule_match(
-								name->osid,
+								&blob,
 								f->type,
 								f->op,
 								&f->lsm_rules);
 				} else if (ctx) {
 					list_for_each_entry(n, &ctx->names_list, list) {
+						lsmblob_init(&blob, n->osid);
 						if (security_audit_rule_match(
-							n->osid, f->type, f->op,
+							&blob, f->type, f->op,
 							&f->lsm_rules)) {
 							++result;
 							break;
@@ -701,7 +706,8 @@  static int audit_filter_rules(struct task_struct *tsk,
 				/* Find ipc objects that match */
 				if (!ctx || ctx->type != AUDIT_IPC)
 					break;
-				if (security_audit_rule_match(ctx->ipc.osid,
+				lsmblob_init(&blob, ctx->ipc.osid);
+				if (security_audit_rule_match(&blob,
 							      f->type, f->op,
 							      &f->lsm_rules))
 					++result;
diff --git a/security/security.c b/security/security.c
index c472cac72641..238541218ca5 100644
--- a/security/security.c
+++ b/security/security.c
@@ -2680,7 +2680,7 @@  void security_audit_rule_free(struct audit_rules *lsmrules)
 	}
 }
 
-int security_audit_rule_match(u32 secid, u32 field, u32 op,
+int security_audit_rule_match(struct lsmblob *blob, u32 field, u32 op,
 			      struct audit_rules *lsmrules)
 {
 	struct security_hook_list *hp;
@@ -2691,7 +2691,8 @@  int security_audit_rule_match(u32 secid, u32 field, u32 op,
 			continue;
 		if (lsmrules->rule[hp->lsmid->slot] == NULL)
 			continue;
-		rc = hp->hook.audit_rule_match(secid, field, op,
+		rc = hp->hook.audit_rule_match(blob->secid[hp->lsmid->slot],
+					field, op,
 					&lsmrules->rule[hp->lsmid->slot]);
 		if (rc)
 			return rc;