From patchwork Wed Mar 1 11:34:15 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Michael_Wei=C3=9F?= X-Patchwork-Id: 13156775 X-Patchwork-Delegate: snitzer@redhat.com Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.lore.kernel.org (Postfix) with ESMTPS id 5BFE6C6FA8E for ; Thu, 2 Mar 2023 07:43:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1677743009; h=from:from:sender:sender:reply-to:subject:subject:date:date: message-id:message-id:to:to:cc:cc:mime-version:mime-version: content-type:content-type: content-transfer-encoding:content-transfer-encoding:list-id:list-help: list-unsubscribe:list-subscribe:list-post; bh=PHBDPgCcO/O7YKoJcfKNrnyrdg13UoHVfoEXmu/HF2g=; b=PLcR4WPAnwoDVqxX4Y1gSiCG3Tnavb9RMn4dHPtOQq5zHTo0p12y9EXeYYBkiicVcxLPhO UuUnZZONxT0R8pxLg1CEAh6BJM/Ol78slI29UjXRLgJwcx18rUSlbvc4/uCvGudG0zXOhQ z6oUuloUT/EkThLAyDxJ5tMAQYoDLCQ= Received: from mimecast-mx02.redhat.com (mimecast-mx02.redhat.com [66.187.233.88]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id us-mta-584-o-t3cgOiO4KS-wpNizPRpw-1; Thu, 02 Mar 2023 02:43:25 -0500 X-MC-Unique: o-t3cgOiO4KS-wpNizPRpw-1 Received: from smtp.corp.redhat.com (int-mx01.intmail.prod.int.rdu2.redhat.com [10.11.54.1]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id D04B6811E9C; Thu, 2 Mar 2023 07:43:23 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (unknown [10.30.29.100]) by smtp.corp.redhat.com (Postfix) with ESMTP id 4312C40C83B6; Thu, 2 Mar 2023 07:43:21 +0000 (UTC) Received: from mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (localhost [IPv6:::1]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 0626919452CD; Thu, 2 Mar 2023 07:43:21 +0000 (UTC) Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.rdu2.redhat.com [10.11.54.2]) by mm-prod-listman-01.mail-001.prod.us-east-1.aws.redhat.com (Postfix) with ESMTP id 82FAC19465BC for ; Wed, 1 Mar 2023 11:40:48 +0000 (UTC) Received: by smtp.corp.redhat.com (Postfix) id 6867840C6EC4; Wed, 1 Mar 2023 11:40:43 +0000 (UTC) Received: from mimecast-mx02.redhat.com (mimecast07.extmail.prod.ext.rdu2.redhat.com [10.11.55.23]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 60B514014D10 for ; Wed, 1 Mar 2023 11:40:43 +0000 (UTC) Received: from us-smtp-1.mimecast.com (us-smtp-2.mimecast.com [207.211.31.81]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mimecast-mx02.redhat.com (Postfix) with ESMTPS id 41AF13C0E451 for ; Wed, 1 Mar 2023 11:40:43 +0000 (UTC) Received: from mout.kundenserver.de (mout.kundenserver.de [212.227.17.10]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-49-e5l5HF7XOC-5d8oFgeWo_g-1; Wed, 01 Mar 2023 06:40:11 -0500 X-MC-Unique: e5l5HF7XOC-5d8oFgeWo_g-1 Received: from weisslap.aisec.fraunhofer.de ([31.19.218.61]) by mrelayeu.kundenserver.de (mreue109 [212.227.15.183]) with ESMTPSA (Nemesis) id 1MLA6m-1pFFuO0kpm-00IEk1; Wed, 01 Mar 2023 12:34:22 +0100 From: =?utf-8?q?Michael_Wei=C3=9F?= To: Paul Moore Date: Wed, 1 Mar 2023 12:34:15 +0100 Message-Id: <20230301113415.47664-1-michael.weiss@aisec.fraunhofer.de> MIME-Version: 1.0 X-Provags-ID: V03:K1:tGtzLe56BXPRA/UJkQiHxLFGUNAsPjaOFYy/tcw9+uPqPJpJz3Z zj5Ye3Z3imqH6MRW+/HoKV3+n0oBXdPXSOf0LxvF2DeTb2JppDQpq7sQyQ37j1FL5FEwSRD cv3elYOu1ZkvMmjJsZvSAqFRI9ce18cvY2ehQZsiCCxNdrHNO5WPznAhvTmRUB4YFtQP8kr 1ubAow1SvYeIt6QIB/L/w== UI-OutboundReport: notjunk:1;M01:P0:yKp8ysBrTsg=;/UKr2hRr2fQIjkUNzUpURtPtG3h M8YZ8Fq0QuPqSxNS7bK72oG0Gtxrs4lels0ygybMwx1dzs40YqxjLELi3K+ncOfrItDJHFz2F 0nxjNaJG6/sx1ZbDwLVJZ2Y/soUTW6Tpvp8i65psBmyhcYNWqr4hQhUgneSYeg2fJZnFMDQHN 3rEUV18OMk/SkFAUz7p56tau3EDFZTjjTHs/jbdKFaJPqoT3T26at3QmZ4zDJMkfXEKAKeWvc zHEG/U0Sv5/zrOGoaLQCKl+KGdaMrqsxfOl951saeV9zbhIWr4palCTNeAORJ7EGK4ozA+Ewj HNjE28GNo4/p9uWCF8iSQJX08OxqOSsE1wsRbITOPXjHnHUgBC/ItiwAc7TrpHeHL/V9mTAmj NsKt8xFTrMPNoC0eswIZqUNupVHi9dokQyC0Lgs2ERpyRXjpFp9EQkZmmeUapIt7CEGuC7ory 3PSXKa/AnLF7uyi11uDVFmjCtRFVggYoMczSlcAxhx+GgWtqotXEXzjcqfMdtu6Z61+iJqqTI pnqER3WqWH4SaYo5xv/8AuedhifhsrrU7ZCb+MCXgYtiyuL6wOTtt1ZgZu1b7JZcLAR2c0pDL rAv13NANM0831Xg77VzM/yTy74Sibhr4DjLi4oTglAjRq/Wy6MOkkY999+BEc5tCeSEeF3TWz oN1odDRD8oa7zbFojvXjlqnIVamOSoszwS3FytrTDA== X-Mimecast-Impersonation-Protect: Policy=CLT - Impersonation Protection Definition; Similar Internal Domain=false; Similar Monitored External Domain=false; Custom External Domain=false; Mimecast External Domain=false; Newly Observed Domain=false; Internal User Name=false; Custom Display Name List=false; Reply-to Address Mismatch=false; Targeted Threat Dictionary=false; Mimecast Threat Dictionary=false; Custom Threat Dictionary=false X-Scanned-By: MIMEDefang 3.1 on 10.11.54.2 X-Mailman-Approved-At: Thu, 02 Mar 2023 07:43:19 +0000 Subject: [dm-devel] [PATCH] dm verity: log audit events for dm-verity target X-BeenThere: dm-devel@redhat.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: device-mapper development List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: =?utf-8?q?Michael_Wei=C3=9F?= , gyroidos@aisec.fraunhofer.de, Richard Guy Briggs , Mike Snitzer , open list , Eric Paris , "open list:AUDIT SUBSYSTEM" , "maintainer:DEVICE-MAPPER LVM" , Mikulas Patocka , Alasdair Kergon Errors-To: dm-devel-bounces@redhat.com Sender: "dm-devel" X-Scanned-By: MIMEDefang 3.1 on 10.11.54.1 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com dm-verity signals integrity violations by returning I/O errors to user space. To identify integrity violations by a controlling instance, the kernel audit subsystem can be used to emit audit events to user space. Analogous to dm-integrity, we also use the dm-audit submodule allowing to emit audit events on verification failures of metadata and data blocks as well as if max corrupted errors are reached. The construction and destruction of verity device mappings are also relevant for auditing a system. Thus, those events are also logged as audit events. We tested this by starting a container with the container manager (cmld) of GyroidOS which uses a dm-verity protected rootfs image root.img mapped to /dev/mapper/-root. We than manipulated one block in the underlying image file and reading it from the protected mapper device again and again until we reach the max corrupted errors like this: dd if=/dev/urandom of=root.img bs=512 count=1 seek=1000 for i in range {1..101}; do \ dd if=/dev/mapper/-root of=/dev/null bs=4096 \ count=1 skip=1000 \ done The resulting audit log looks as follows: type=DM_CTRL msg=audit(1677618791.876:962): module=verity op=ctr ppid=4876 pid=29102 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=44 comm="cmld" exe="/usr/sbin/cml/cmld" subj=unconfined dev=254:3 error_msg='success' res=1 type=DM_EVENT msg=audit(1677619463.786:1074): module=verity op=verify-data dev=7:0 sector=1000 res=0 ... type=DM_EVENT msg=audit(1677619596.727:1162): module=verity op=verify-data dev=7:0 sector=1000 res=0 type=DM_EVENT msg=audit(1677619596.731:1163): module=verity op=max-corrupted-errors dev=254:3 sector=? res=0 Signed-off-by: Michael Weiß --- drivers/md/dm-verity-target.c | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c index ade83ef3b439..8beeb4ea66d1 100644 --- a/drivers/md/dm-verity-target.c +++ b/drivers/md/dm-verity-target.c @@ -16,6 +16,7 @@ #include "dm-verity.h" #include "dm-verity-fec.h" #include "dm-verity-verify-sig.h" +#include "dm-audit.h" #include #include #include @@ -248,8 +249,10 @@ static int verity_handle_err(struct dm_verity *v, enum verity_block_type type, DMERR_LIMIT("%s: %s block %llu is corrupted", v->data_dev->name, type_str, block); - if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS) + if (v->corrupted_errs == DM_VERITY_MAX_CORRUPTED_ERRS) { DMERR("%s: reached maximum errors", v->data_dev->name); + dm_audit_log_target(DM_MSG_PREFIX, "max-corrupted-errors", v->ti, 0); + } snprintf(verity_env, DM_VERITY_ENV_LENGTH, "%s=%d,%llu", DM_VERITY_ENV_VAR_NAME, type, block); @@ -340,6 +343,11 @@ static int verity_verify_level(struct dm_verity *v, struct dm_verity_io *io, else if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_METADATA, hash_block)) { + struct bio *bio = + dm_bio_from_per_bio_data(io, + v->ti->per_io_data_size); + dm_audit_log_bio(DM_MSG_PREFIX, "verify-metadata", bio, + block, 0); r = -EIO; goto release_ret_r; } @@ -590,8 +598,11 @@ static int verity_verify_io(struct dm_verity_io *io) return -EIO; } if (verity_handle_err(v, DM_VERITY_BLOCK_TYPE_DATA, - cur_block)) + cur_block)) { + dm_audit_log_bio(DM_MSG_PREFIX, "verify-data", + bio, cur_block, 0); return -EIO; + } } } @@ -975,6 +986,8 @@ static void verity_dtr(struct dm_target *ti) static_branch_dec(&use_tasklet_enabled); kfree(v); + + dm_audit_log_dtr(DM_MSG_PREFIX, ti, 1); } static int verity_alloc_most_once(struct dm_verity *v) @@ -1429,11 +1442,14 @@ static int verity_ctr(struct dm_target *ti, unsigned int argc, char **argv) verity_verify_sig_opts_cleanup(&verify_args); + dm_audit_log_ctr(DM_MSG_PREFIX, ti, 1); + return 0; bad: verity_verify_sig_opts_cleanup(&verify_args); + dm_audit_log_ctr(DM_MSG_PREFIX, ti, 0); verity_dtr(ti); return r;