[v2,04/13] Audit: maintain an lsmblob in audit_context

Message ID	20240830003411.16818-5-casey@schaufler-ca.com (mailing list archive)
State	Changes Requested
Delegated to:	Paul Moore
Headers	show Received: from sonic305-28.consmr.mail.ne1.yahoo.com (sonic305-28.consmr.mail.ne1.yahoo.com [66.163.185.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E0D1120EB for <linux-security-module@vger.kernel.org>; Fri, 30 Aug 2024 00:35:55 +0000 (UTC) From: Casey Schaufler <casey@schaufler-ca.com> To: casey@schaufler-ca.com, paul@paul-moore.com, linux-security-module@vger.kernel.org Cc: jmorris@namei.org, serge@hallyn.com, keescook@chromium.org, john.johansen@canonical.com, penguin-kernel@i-love.sakura.ne.jp, stephen.smalley.work@gmail.com, linux-kernel@vger.kernel.org, selinux@vger.kernel.org, mic@digikod.net Subject: [PATCH v2 04/13] Audit: maintain an lsmblob in audit_context Date: Thu, 29 Aug 2024 17:34:02 -0700 Message-ID: <20240830003411.16818-5-casey@schaufler-ca.com> In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com> References: <20240830003411.16818-1-casey@schaufler-ca.com> Precedence: bulk MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	LSM: Move away from secids \| expand [v2,00/13] LSM: Move away from secids [v2,01/13] LSM: Add the lsmblob data structure. [v2,02/13] LSM: Use lsmblob in security_audit_rule_match [v2,03/13] LSM: Add lsmblob_to_secctx hook [v2,04/13] Audit: maintain an lsmblob in audit_context [v2,05/13] LSM: Use lsmblob in security_ipc_getsecid [v2,06/13] Audit: Update shutdown LSM data [v2,07/13] LSM: Use lsmblob in security_current_getsecid [v2,08/13] LSM: Use lsmblob in security_inode_getsecid [v2,09/13] Audit: use an lsmblob in audit_names [v2,10/13] LSM: Create new security_cred_getlsmblob LSM hook [v2,11/13] Audit: Change context data from secid to lsmblob [v2,12/13] Netlabel: Use lsmblob for audit data [v2,13/13] LSM: Remove lsmblob scaffolding

Message ID

20240830003411.16818-5-casey@schaufler-ca.com (mailing list archive)

State

Changes Requested

Delegated to:

Paul Moore

Headers

From: Casey Schaufler <casey@schaufler-ca.com>
To: casey@schaufler-ca.com,
	paul@paul-moore.com,
	linux-security-module@vger.kernel.org
Cc: jmorris@namei.org,
	serge@hallyn.com,
	keescook@chromium.org,
	john.johansen@canonical.com,
	penguin-kernel@i-love.sakura.ne.jp,
	stephen.smalley.work@gmail.com,
	linux-kernel@vger.kernel.org,
	selinux@vger.kernel.org,
	mic@digikod.net
Subject: [PATCH v2 04/13] Audit: maintain an lsmblob in audit_context
Date: Thu, 29 Aug 2024 17:34:02 -0700
Message-ID: <20240830003411.16818-5-casey@schaufler-ca.com>
In-Reply-To: <20240830003411.16818-1-casey@schaufler-ca.com>
References: <20240830003411.16818-1-casey@schaufler-ca.com>
Precedence: bulk
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

LSM: Move away from secids | expand

Commit Message

Casey Schaufler Aug. 30, 2024, 12:34 a.m. UTC

Replace the secid value stored in struct audit_context with a struct
lsmblob. Change the code that uses this value to accommodate the
change. security_audit_rule_match() expects a lsmblob, so existing
scaffolding can be removed. A call to security_secid_to_secctx()
is changed to security_lsmblob_to_secctx().  The call to
security_ipc_getsecid() is scaffolded.

A new function lsmblob_is_set() is introduced to identify whether
an lsmblob contains a non-zero value.

Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
---
 include/linux/security.h | 13 +++++++++++++
 kernel/audit.h           |  3 ++-
 kernel/auditsc.c         | 19 ++++++++-----------
 3 files changed, 23 insertions(+), 12 deletions(-)

Comments

Paul Moore Sept. 4, 2024, 12:18 a.m. UTC | #1

On Aug 29, 2024 Casey Schaufler <casey@schaufler-ca.com> wrote:
> 
> Replace the secid value stored in struct audit_context with a struct
> lsmblob. Change the code that uses this value to accommodate the
> change. security_audit_rule_match() expects a lsmblob, so existing
> scaffolding can be removed. A call to security_secid_to_secctx()
> is changed to security_lsmblob_to_secctx().  The call to
> security_ipc_getsecid() is scaffolded.
> 
> A new function lsmblob_is_set() is introduced to identify whether
> an lsmblob contains a non-zero value.
> 
> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
> ---
>  include/linux/security.h | 13 +++++++++++++
>  kernel/audit.h           |  3 ++-
>  kernel/auditsc.c         | 19 ++++++++-----------
>  3 files changed, 23 insertions(+), 12 deletions(-)
> 
> diff --git a/include/linux/security.h b/include/linux/security.h
> index 457fafc32fb0..a0b23b6e8734 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>  	return kernel_load_data_str[id];
>  }
>  
> +/**
> + * lsmblob_is_set - report if there is a value in the lsmblob
> + * @blob: Pointer to the exported LSM data
> + *
> + * Returns true if there is a value set, false otherwise
> + */
> +static inline bool lsmblob_is_set(struct lsmblob *blob)
> +{
> +	const struct lsmblob empty = {};
> +
> +	return !!memcmp(blob, &empty, sizeof(*blob));
> +}
> +
>  #ifdef CONFIG_SECURITY

We probably want a !CONFIG_SECURITY variant of this too.

>  int call_blocking_lsm_notifier(enum lsm_event event, void *data);
> diff --git a/kernel/audit.h b/kernel/audit.h
> index a60d2840559e..b1f2de4d4f1e 100644
> --- a/kernel/audit.h
> +++ b/kernel/audit.h
> @@ -11,6 +11,7 @@
>  
>  #include <linux/fs.h>
>  #include <linux/audit.h>
> +#include <linux/security.h>
>  #include <linux/skbuff.h>
>  #include <uapi/linux/mqueue.h>
>  #include <linux/tty.h>
> @@ -160,7 +161,7 @@ struct audit_context {
>  			kuid_t			uid;
>  			kgid_t			gid;
>  			umode_t			mode;
> -			u32			osid;
> +			struct lsmblob		oblob;
>  			int			has_perm;
>  			uid_t			perm_uid;
>  			gid_t			perm_gid;
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 23adb15cae43..84f6e9356b8f 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
>  				/* Find ipc objects that match */
>  				if (!ctx || ctx->type != AUDIT_IPC)
>  					break;
> -				/* scaffolding */
> -				blob.scaffold.secid = ctx->ipc.osid;
> -				if (security_audit_rule_match(&blob,
> +				if (security_audit_rule_match(&ctx->ipc.oblob,
>  							      f->type, f->op,
>  							      f->lsm_rule))
>  					++result;
> @@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
>  			audit_log_format(ab, " a%d=%lx", i,
>  				context->socketcall.args[i]);
>  		break; }
> -	case AUDIT_IPC: {
> -		u32 osid = context->ipc.osid;
> -
> +	case AUDIT_IPC:
>  		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
>  				 from_kuid(&init_user_ns, context->ipc.uid),
>  				 from_kgid(&init_user_ns, context->ipc.gid),
>  				 context->ipc.mode);
> -		if (osid) {
> +		if (lsmblob_is_set(&context->ipc.oblob)) {
>  			char *ctx = NULL;
>  			u32 len;
>  
> -			if (security_secid_to_secctx(osid, &ctx, &len)) {
> -				audit_log_format(ab, " osid=%u", osid);
> +			if (security_lsmblob_to_secctx(&context->ipc.oblob,
> +						       &ctx, &len)) {
>  				*call_panic = 1;
>  			} else {
>  				audit_log_format(ab, " obj=%s", ctx);
> @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
>  				context->ipc.perm_gid,
>  				context->ipc.perm_mode);
>  		}
> -		break; }
> +		break;
>  	case AUDIT_MQ_OPEN:
>  		audit_log_format(ab,
>  			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
> @@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
>  	context->ipc.gid = ipcp->gid;
>  	context->ipc.mode = ipcp->mode;
>  	context->ipc.has_perm = 0;
> -	security_ipc_getsecid(ipcp, &context->ipc.osid);
> +	/* scaffolding */
> +	security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
>  	context->type = AUDIT_IPC;
>  }
>  
> -- 
> 2.46.0

--
paul-moore.com

Casey Schaufler Sept. 4, 2024, 1:18 a.m. UTC | #2

On 9/3/2024 5:18 PM, Paul Moore wrote:
> On Aug 29, 2024 Casey Schaufler <casey@schaufler-ca.com> wrote:
>> Replace the secid value stored in struct audit_context with a struct
>> lsmblob. Change the code that uses this value to accommodate the
>> change. security_audit_rule_match() expects a lsmblob, so existing
>> scaffolding can be removed. A call to security_secid_to_secctx()
>> is changed to security_lsmblob_to_secctx().  The call to
>> security_ipc_getsecid() is scaffolded.
>>
>> A new function lsmblob_is_set() is introduced to identify whether
>> an lsmblob contains a non-zero value.
>>
>> Signed-off-by: Casey Schaufler <casey@schaufler-ca.com>
>> ---
>>  include/linux/security.h | 13 +++++++++++++
>>  kernel/audit.h           |  3 ++-
>>  kernel/auditsc.c         | 19 ++++++++-----------
>>  3 files changed, 23 insertions(+), 12 deletions(-)
>>
>> diff --git a/include/linux/security.h b/include/linux/security.h
>> index 457fafc32fb0..a0b23b6e8734 100644
>> --- a/include/linux/security.h
>> +++ b/include/linux/security.h
>> @@ -277,6 +277,19 @@ static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
>>  	return kernel_load_data_str[id];
>>  }
>>  
>> +/**
>> + * lsmblob_is_set - report if there is a value in the lsmblob
>> + * @blob: Pointer to the exported LSM data
>> + *
>> + * Returns true if there is a value set, false otherwise
>> + */
>> +static inline bool lsmblob_is_set(struct lsmblob *blob)
>> +{
>> +	const struct lsmblob empty = {};
>> +
>> +	return !!memcmp(blob, &empty, sizeof(*blob));
>> +}
>> +
>>  #ifdef CONFIG_SECURITY
> We probably want a !CONFIG_SECURITY variant of this too.

I'll check, but I expect you're right.

>
>>  int call_blocking_lsm_notifier(enum lsm_event event, void *data);
>> diff --git a/kernel/audit.h b/kernel/audit.h
>> index a60d2840559e..b1f2de4d4f1e 100644
>> --- a/kernel/audit.h
>> +++ b/kernel/audit.h
>> @@ -11,6 +11,7 @@
>>  
>>  #include <linux/fs.h>
>>  #include <linux/audit.h>
>> +#include <linux/security.h>
>>  #include <linux/skbuff.h>
>>  #include <uapi/linux/mqueue.h>
>>  #include <linux/tty.h>
>> @@ -160,7 +161,7 @@ struct audit_context {
>>  			kuid_t			uid;
>>  			kgid_t			gid;
>>  			umode_t			mode;
>> -			u32			osid;
>> +			struct lsmblob		oblob;
>>  			int			has_perm;
>>  			uid_t			perm_uid;
>>  			gid_t			perm_gid;
>> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
>> index 23adb15cae43..84f6e9356b8f 100644
>> --- a/kernel/auditsc.c
>> +++ b/kernel/auditsc.c
>> @@ -724,9 +724,7 @@ static int audit_filter_rules(struct task_struct *tsk,
>>  				/* Find ipc objects that match */
>>  				if (!ctx || ctx->type != AUDIT_IPC)
>>  					break;
>> -				/* scaffolding */
>> -				blob.scaffold.secid = ctx->ipc.osid;
>> -				if (security_audit_rule_match(&blob,
>> +				if (security_audit_rule_match(&ctx->ipc.oblob,
>>  							      f->type, f->op,
>>  							      f->lsm_rule))
>>  					++result;
>> @@ -1394,19 +1392,17 @@ static void show_special(struct audit_context *context, int *call_panic)
>>  			audit_log_format(ab, " a%d=%lx", i,
>>  				context->socketcall.args[i]);
>>  		break; }
>> -	case AUDIT_IPC: {
>> -		u32 osid = context->ipc.osid;
>> -
>> +	case AUDIT_IPC:
>>  		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
>>  				 from_kuid(&init_user_ns, context->ipc.uid),
>>  				 from_kgid(&init_user_ns, context->ipc.gid),
>>  				 context->ipc.mode);
>> -		if (osid) {
>> +		if (lsmblob_is_set(&context->ipc.oblob)) {
>>  			char *ctx = NULL;
>>  			u32 len;
>>  
>> -			if (security_secid_to_secctx(osid, &ctx, &len)) {
>> -				audit_log_format(ab, " osid=%u", osid);
>> +			if (security_lsmblob_to_secctx(&context->ipc.oblob,
>> +						       &ctx, &len)) {
>>  				*call_panic = 1;
>>  			} else {
>>  				audit_log_format(ab, " obj=%s", ctx);
>> @@ -1426,7 +1422,7 @@ static void show_special(struct audit_context *context, int *call_panic)
>>  				context->ipc.perm_gid,
>>  				context->ipc.perm_mode);
>>  		}
>> -		break; }
>> +		break;
>>  	case AUDIT_MQ_OPEN:
>>  		audit_log_format(ab,
>>  			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
>> @@ -2642,7 +2638,8 @@ void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
>>  	context->ipc.gid = ipcp->gid;
>>  	context->ipc.mode = ipcp->mode;
>>  	context->ipc.has_perm = 0;
>> -	security_ipc_getsecid(ipcp, &context->ipc.osid);
>> +	/* scaffolding */
>> +	security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
>>  	context->type = AUDIT_IPC;
>>  }
>>  
>> -- 
>> 2.46.0
> --
> paul-moore.com
>

diff --git a/include/linux/security.h b/include/linux/security.h
index 457fafc32fb0..a0b23b6e8734 100644
--- a/include/linux/security.h
+++ b/include/linux/security.h
@@ -277,6 +277,19 @@  static inline const char *kernel_load_data_id_str(enum kernel_load_data_id id)
 	return kernel_load_data_str[id];
 }
 
+/**
+ * lsmblob_is_set - report if there is a value in the lsmblob
+ * @blob: Pointer to the exported LSM data
+ *
+ * Returns true if there is a value set, false otherwise
+ */
+static inline bool lsmblob_is_set(struct lsmblob *blob)
+{
+	const struct lsmblob empty = {};
+
+	return !!memcmp(blob, &empty, sizeof(*blob));
+}
+
 #ifdef CONFIG_SECURITY
 
 int call_blocking_lsm_notifier(enum lsm_event event, void *data);
diff --git a/kernel/audit.h b/kernel/audit.h
index a60d2840559e..b1f2de4d4f1e 100644
--- a/kernel/audit.h
+++ b/kernel/audit.h
@@ -11,6 +11,7 @@ 
 
 #include <linux/fs.h>
 #include <linux/audit.h>
+#include <linux/security.h>
 #include <linux/skbuff.h>
 #include <uapi/linux/mqueue.h>
 #include <linux/tty.h>
@@ -160,7 +161,7 @@  struct audit_context {
 			kuid_t			uid;
 			kgid_t			gid;
 			umode_t			mode;
-			u32			osid;
+			struct lsmblob		oblob;
 			int			has_perm;
 			uid_t			perm_uid;
 			gid_t			perm_gid;
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 23adb15cae43..84f6e9356b8f 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -724,9 +724,7 @@  static int audit_filter_rules(struct task_struct *tsk,
 				/* Find ipc objects that match */
 				if (!ctx || ctx->type != AUDIT_IPC)
 					break;
-				/* scaffolding */
-				blob.scaffold.secid = ctx->ipc.osid;
-				if (security_audit_rule_match(&blob,
+				if (security_audit_rule_match(&ctx->ipc.oblob,
 							      f->type, f->op,
 							      f->lsm_rule))
 					++result;
@@ -1394,19 +1392,17 @@  static void show_special(struct audit_context *context, int *call_panic)
 			audit_log_format(ab, " a%d=%lx", i,
 				context->socketcall.args[i]);
 		break; }
-	case AUDIT_IPC: {
-		u32 osid = context->ipc.osid;
-
+	case AUDIT_IPC:
 		audit_log_format(ab, "ouid=%u ogid=%u mode=%#ho",
 				 from_kuid(&init_user_ns, context->ipc.uid),
 				 from_kgid(&init_user_ns, context->ipc.gid),
 				 context->ipc.mode);
-		if (osid) {
+		if (lsmblob_is_set(&context->ipc.oblob)) {
 			char *ctx = NULL;
 			u32 len;
 
-			if (security_secid_to_secctx(osid, &ctx, &len)) {
-				audit_log_format(ab, " osid=%u", osid);
+			if (security_lsmblob_to_secctx(&context->ipc.oblob,
+						       &ctx, &len)) {
 				*call_panic = 1;
 			} else {
 				audit_log_format(ab, " obj=%s", ctx);
@@ -1426,7 +1422,7 @@  static void show_special(struct audit_context *context, int *call_panic)
 				context->ipc.perm_gid,
 				context->ipc.perm_mode);
 		}
-		break; }
+		break;
 	case AUDIT_MQ_OPEN:
 		audit_log_format(ab,
 			"oflag=0x%x mode=%#ho mq_flags=0x%lx mq_maxmsg=%ld "
@@ -2642,7 +2638,8 @@  void __audit_ipc_obj(struct kern_ipc_perm *ipcp)
 	context->ipc.gid = ipcp->gid;
 	context->ipc.mode = ipcp->mode;
 	context->ipc.has_perm = 0;
-	security_ipc_getsecid(ipcp, &context->ipc.osid);
+	/* scaffolding */
+	security_ipc_getsecid(ipcp, &context->ipc.oblob.scaffold.secid);
 	context->type = AUDIT_IPC;
 }

[v2,04/13] Audit: maintain an lsmblob in audit_context

Commit Message

Comments

Patch